
A supplement to PLANT ENGINEERING and Control Engineering magazines


Contents

Upgrading legacy I/O systems
When it's time to modernize, choosing the best I/O strategy and supplier is critical for both new and upgrade projects.

Can you depend on that sensor?
An instrumentation device that is supposed to keep your process from erupting during an upset may sit there for years if there is no emergency. Will it work when the time comes? Safety sensors can help you sleep better.

Using Modbus for process control and automation
Part 2 of 2. One of the oldest communication protocols is also the most popular, and for good reason. You should get to know Modbus.

COMMENT
Doing a job when lives depend on it

Peter Welander
Editor

There is much about our modern environment that is or can be dangerous. Traffic accidents, plane crashes, building fires, and all sorts of other things can threaten life and limb. Much of the time we depend on rational humans to behave in safe ways, like stopping at red lights and not driving a car on the sidewalk. Obviously, there are conspicuous failures of these assumptions and people suffer.

We also rely on more mechanical protections. When I step on an elevator, I assume the control system will not allow the car to plunge into the basement. My automobile, even though it is a Toyota, restrains itself from random acceleration, at least heretofore.

Keeping a manufacturing environment safe, particularly a process plant like a refinery with explosive and flammable products (the technical description is a boomable plant), requires a comprehensive program of equipment design, sound construction, proper hardware selection, consistent maintenance, effective control strategy and implementation, security, good work practices, and personnel training.

In an earlier life, your correspondent was visiting a plant that produced cyanide in mind-boggling quantities. Before entering the plant to see the specific application, my colleague and I had to undergo training on what we should do in an emergency. It gave us pause to consider how close we were to very deadly products, yet the operators were willing to work there every day, and they did not seem particularly preoccupied with the situation. That's faith.

Safe sensing
This month we have a major discussion on safety sensors, and exactly what that qualification connotes. Safety is not a process variable in and of itself (Well, maybe it could be, but that's a topic for another article.), but it has to do with measuring the same normal variables (e.g., pressure, temperature, flow, and level) and using that data in a special way. Safety systems are not built on the assumption that devices and systems do not fail. On the contrary, safety system designers assume that anything can fail. They examine every component of a larger system, whether it's a component on a transmitter circuit board, or a node in a network, and ask, "What happens if this stops working? Can we still secure the process?"

Applied Automation

February 2012 A3

That's a particularly valid question for a safety sensor because it may sit in place for years on a well-regulated process without having to trigger an alarm. Then one day something goes haywire, and it's showtime. Will it tell the process to shut down, or has the mechanism rusted solid? Is there adequate provision in its design to prevent that?

The article discusses what goes into the design and testing of a safety sensor, including all the different types of failure analysis. While this is a critical process, it is important to recognize the fact that the best sensor can't do its job in a poorly performing network. If the safety sensor measuring pressure on a vessel can't tell the relief valve to open because a faulty network can't deliver the message, the system will cascade to the next layer of protection, or the vessel may rupture.

In many respects, safety system designers make no assumptions about a network's ability to deliver messages. The logic solver, which is the device that receives the message from a safety sensor, is normally programmed to look for a status update at a regular interval. If that update doesn't come, the logic solver should trip the system. If the network is unreliable, the greater problem will likely be false alarms. This is one reason that safety-related networks are traditionally hardwired. Lost production due to false trips is really annoying, and tends to make operators bypass the system, which is very dangerous.


Depends on solid networks


To others who are more forward thinking, hardwiring is doing it the hard way, which brings us to our other two discussions of networks and I/O. More modern I/O methods offer many advantages over the old-fashioned ways. While Ethernet and fieldbus networks typically offer some wiring savings, the greater value proposition is often in their troubleshooting and diagnostic capabilities. When applied properly, industrial networking systems can provide reliability as good as or better than hardwiring, plus they can reduce operating costs. Traditional terminations are a weakness of old systems, which is why newer equipment uses more sophisticated connections, as illustrated on the cover. While these may be more cost intensive for the hardware, they can save on installation time and maintenance. Moreover, the cost of lost production due to an unplanned shutdown caused by a network failure can quickly eclipse the cost of more reliable terminal blocks and wiring devices.
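
The status-update check described in this column, as an added Python sketch that is not from the magazine or from any vendor: the `LogicSolver` class, the 1 s update rate, the 16.0 trip setpoint and the message lists are constructed for illustration. It goes slightly beyond the text by also showing the trade-off between a short timeout (false trips on dropped messages) and a long one (slow detection of a dead sensor).

```python
"""Added illustration: a logic solver that trips on demand or on lost status updates."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Message = Tuple[int, float]  # (arrival time in ms, measured pressure)


@dataclass
class LogicSolver:
    trip_setpoint: float                 # trip when the measurement reaches this value
    max_silence_ms: int                  # longest tolerated gap between status updates
    last_update_ms: int = 0
    trip_reason: Optional[str] = None    # "demand" or "lost_update" once tripped
    trip_time_ms: Optional[int] = None

    @property
    def tripped(self) -> bool:
        return self.trip_reason is not None

    def _trip(self, now_ms: int, reason: str) -> None:
        # Latch the first cause; a tripped safety function stays tripped.
        if not self.tripped:
            self.trip_reason, self.trip_time_ms = reason, now_ms

    def on_update(self, t_ms: int, value: float) -> None:
        """Handle one status update that actually reached the solver."""
        if self.tripped:
            return
        self.last_update_ms = t_ms
        if value >= self.trip_setpoint:
            self._trip(t_ms, "demand")

    def check_silence(self, now_ms: int) -> None:
        """Called every scan: no fresh update within the window means trip."""
        if now_ms - self.last_update_ms > self.max_silence_ms:
            self._trip(now_ms, "lost_update")


def run(solver: LogicSolver, delivered: List[Message], end_ms: int,
        scan_ms: int = 100) -> Tuple[Optional[str], Optional[int]]:
    """Scan the solver over a timeline of delivered messages; return (reason, time)."""
    pending = sorted(delivered)
    i = 0
    for now in range(0, end_ms + 1, scan_ms):
        while i < len(pending) and pending[i][0] <= now:
            solver.on_update(*pending[i])
            i += 1
        solver.check_silence(now)
        if solver.tripped:
            break
    return solver.trip_reason, solver.trip_time_ms


# Constructed timelines: the sensor reports once per second, normal pressure 10.0.
HEALTHY = [(t, 10.0) for t in range(0, 5001, 1000)]
DEMAND = [(t, 17.2 if t >= 3000 else 10.0) for t in range(0, 5001, 1000)]
DROPPED = [m for m in HEALTHY if m[0] not in (2000, 3000)]  # network lost two updates
DEAD = HEALTHY[:2]                                           # sensor stops after t=1000

if __name__ == "__main__":
    for name, msgs, window, end in [
        ("healthy, 1.5 s window", HEALTHY, 1500, 5000),
        ("real demand, 1.5 s window", DEMAND, 1500, 5000),
        ("two dropped updates, 1.5 s window", DROPPED, 1500, 5000),
        ("two dropped updates, 3.5 s window", DROPPED, 3500, 5000),
        ("dead sensor, 3.5 s window", DEAD, 3500, 6000),
    ]:
        print(name, "->", run(LogicSolver(16.0, window), msgs, end))
```

With the 1.5 s window the two dropped updates shut down a process that is sitting at normal pressure; widening the window to 3.5 s rides through the loss, but a sensor that has really gone silent is then not acted on until 3.6 s after its last message.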


Industrial networks

Upgrading Legacy I/O Systems


When it's time to modernize, choosing the best I/O strategy and supplier is critical for both new and upgrade projects.

Jason Haldeman

Companies that design and build machines and robots often face the problem of upgrading the I/O on one or more of their machines. Even end users find that legacy I/O, which may have been used successfully for years, may need to be replaced because the vendor has gone out of business or no longer supports the hardware. In other cases, an OEM or user may want to change control systems, I/O networks, or vendors for cost, safety, customer preference, quality, or performance reasons.

Modern I/O modules (Figure 1) often support Ethernet connections, wireless communications, advanced diagnostics, remote diagnostics over the Internet, on-board intelligence, multiple inputs and outputs, and a host of other features that can't be found in older systems. Whatever the driving reasons, upgrading I/O on a machine or manufacturing line is not a simple task, as many factors have to be considered before selecting an I/O system.

Figure 1: A modern I/O solution, such as this inline module, has the flexibility to communicate via wired or wireless data links. Photos courtesy Phoenix Contact

From hardwiring to Ethernet

The first PLCs transmitted all remote I/O signals to and from the main processor via hardwiring, as no digital networks existed at the time. Serial networks, based on RS-232, RS-422, and RS-485, came along and transformed the plant floor, because they drastically reduced wiring requirements. With a serial network, multiple devices could be plugged into a single twisted pair.

Soon, most PLC manufacturers came out with their own versions of serial networks such as Modbus, which is still widely used. Some of these serial networks became de facto standards, including Profibus DP, InterBus, and DeviceNet. These networks and others usually started out as proprietary protocols backed by one or more vendors, and were then opened up to allow any manufacturer to create compatible devices. Most of these networks worked well, but they weren't compatible with each other.

Once an OEM or end user committed to a particular I/O network standard, it was often bound to a certain group of vendors for the foreseeable future. If the application required communication with a device on a different network, a gateway device was the normal solution. These devices were expensive and hard to program, making it very difficult for users to integrate machines or robots manufactured by different companies into an operating whole such as a packaging line.

While PLC manufacturers were fighting for market share, Ethernet was becoming the standard in office networks, and Ethernet soon migrated to the factory floor. PLC manufacturers adapted their serial networks to run on Ethernet, opening up the ability to run multiple protocols on a single Ethernet network. Today, Ethernet-based I/O networks (Figure 2) are replacing older proprietary networks. PLC vendors still maintain individual protocols, but most concentrate their effort on Ethernet-based communication and can thus share the same Ethernet network.

This allows manufacturers to use standard Ethernet functions for overall control of industrial networks. Precise delivery of data to and from multiple I/O devices can be controlled with transmission protocols like Multicast, and general network segmentation can be controlled through the use of a VLAN (virtual local area network). Other Ethernet standards, such as rapid spanning tree protocol, can be used to create redundancy within the network, while not affecting the PLC manufacturers' I/O communications. These types of protocols are employed on the network through the use of a managed Ethernet switch.

Figure 2: Ethernet-based I/O connects to a PLC or industrial PC over a standard Ethernet cable, providing high-speed access to sensors and control devices.

Today, a machine builder is faced with myriad choices of networks including Modbus TCP, EtherNet/IP, Profinet, DeviceNet, Profibus DP, InterBus, Mechatrolink, CANopen, EtherCAT, CC-Link, and more. And wireless options are available for almost all these networks.

When upgrading I/O, a machine builder or user has to ask:
1. What I/O network do I want, or does my controller dictate the choice?
2. How many vendors make products for that network?
3. Do I want to be bound to one group of vendors for the foreseeable future?

PC vs. PLC

The next factor to be considered in an upgrade is the control system. Although PLCs continue to dominate machine control, industrial PCs are making inroads. If you're keeping the same PLC during the I/O upgrade on a machine, then you probably won't have to reprogram the control logic, but you may have to reconfigure it for the newer I/O. Do you have access to the code that changes the I/O configuration? Without that code, or a readily available patch from the PLC vendor, you may not be able to connect newer I/O to the older PLC, and older model PLCs may not support newer I/O networks even from the same vendor.

One solution may be to upgrade the PLC to a newer model in the same family, one that supports both your control logic program and the new upgraded I/O. The upgraded PLC should support its own newer I/O, but it may not support all of the options that you need. Fortunately, several I/O suppliers offer modules that work with many networks. Unfortunately, not every supplier covers every network, so an OEM may have to mix and match products from multiple suppliers. For example, if a machine or robot needs a strain gage/load cell converter, the OEM must make sure one is available from the preferred supplier.

Modular vs. proprietary

Being locked into a single PLC vendor poses many problems, not the least of which is the potential for excessive module costs. In some cases, customers demand a certain brand of PLC. But in many cases, an OEM has freedom to choose the controller, either a PLC or a PC. Even when the customer specifies a certain PLC brand, the OEM can often choose the I/O. That's because the OEM's customer is primarily concerned with providing operating support for the PLC's software, as opposed to the I/O hardware.

For OEMs with a choice, modular I/O is an excellent way to upgrade a machine or robot, or to build a new one. With modular I/O, available from several suppliers, analog and digital input and output devices, signal conditioners, network interfaces, power supplies, terminal strips, and all the other components needed for a machine are network-independent. If, for example, an OEM sells to a company in Germany, modular I/O will work with Profibus DP, the preferred network for many European firms. If the same machine or robot is being sold to a company that wants a Rockwell Automation PLC, then the I/O will work with DeviceNet. The machine uses the same I/O devices, but each is connected to the I/O network with bus couplers, so only the couplers need to be changed on the I/O station.

Machine vs. cabinet-mount

Machines can have dozens of sensors and control devices such as proximity switches, encoders, load cells, pressure and temperature sensors, relays, motor starters, and indicator lights. These sensors and control devices are mounted on the machine itself, and must be wired to the discrete and analog I/O. These I/O devices can be mounted in a cabinet or on the machine.

For machines that will be sold internationally, typical choices are IP20-rated devices for mounting in a control cabinet, IP67 devices for mounting directly on the machine, or a combination of both. The IP rating is based on standard IEC 60529, which rates the degrees of protection against dust, contact, and water. IP20 is equivalent to NEMA 1, and IP67 is equivalent to NEMA 6.

With cabinet-mounted IP20 systems (Figure 3), sensors and control devices are wired to I/O devices mounted in a NEMA or IP-rated control cabinet. The cabinet can also hold power supplies, power conditioning equipment, air conditioning, HMI screens, Ethernet switches, and I/O racks. The I/O devices or racks connect to any Ethernet-based network via bus couplers.

Figure 3: IP20 I/O mounts in a NEMA or IP-rated cabinet.

IP67 devices (Figure 4) have greater protection against dirt and water, and can be mounted directly on the machine or robot without the need for an enclosure. Each station has a built-in Ethernet connection. IP67 devices cost more than IP20, but total costs are often less because there's no need to buy a cabinet with its additional installation costs. In many cases, an OEM can buy pre-made cables to run from sensors to I/O devices, further reducing installation and wiring costs.

When deciding whether to use IP20 or IP67 equipment, make sure you can obtain the I/O devices you need, as vendors typically offer fewer IP67-rated options compared to IP20. This may force you to mix and match devices, so make sure the I/O vendor supports this capability.

Advantages of Ethernet-based modular I/O

1. Works with most brands of PLC
2. Works with industrial PCs
3. Supports the widest range of networks
4. When using a different controller, only the bus couplers change
5. OEMs aren't locked into a single vendor
6. Supports wired and wireless communications, and
7. Supports IP20 and IP67 mounting options

Going wireless
Wireless I/O is gaining momentum in machine and robot control. While serial and Ethernet networks took decades to develop, wireless has made giant strides in just a few years. Many OEMs are still wary of wireless, just as they weren't too sure about Ethernet when it was initially introduced for real-time control applications.

Wireless I/O can be used for applications that traditionally required slip rings and drag chains that are difficult to wire; to replace highly-flexible cables that are prone to breaking; and in temporary installations, such as components that are being integrated into a permanent system. For robots in particular, wireless I/O can be very advantageous.

The most obvious advantages of wireless I/O are the elimination of costs for running wires from the machine to the controller, and the simplicity of the installation overall, which could result in lower maintenance and diagnostic costs. We're a long way from the completely wireless machine, but as industry gains more confidence with wireless, applications will continue to grow. Wireless I/O devices are generally available in both IP20 and IP67 versions.

Figure 4: IP67 devices are protected against dirt and water, and can be mounted directly on a machine or robot.

Diagnostics
One of the primary advantages of modern I/O devices is built-in diagnostics. I/O devices can transmit information such as short circuits, overloads, temperature extremes, status, and other diagnostic data, making it possible to pinpoint problems quickly and reduce machine downtime.

For example, in DeviceNet systems, faults are transmitted as diagnostic alarms with associated parameters classifying them as major or minor. The parameters can contain either I/O-specific error codes or network-specific error codes. If the fault is generated in the remote I/O station, additional information can be supplied by the vendor through diagnostics in the process data channel. Wear indicators or similar information for diagnostics can be signaled via two maintenance request priority levels.

Standard Microsoft Windows software, such as Internet Explorer, can be used to diagnose network problems. For example, Phoenix Contact's Ethernet I/O has a built-in Web interface, allowing a user to view device status and configuration information through Web pages.

Another major development in machine control is remote access, where the OEM can diagnose problems from a PC, laptop, or even a cell phone thousands of miles away. An engineer simply gets on the cloud and connects to the remote machine or robot to view and change data in the controller and I/O. Using built-in diagnostics makes this task even easier, because a remote engineer can quickly identify problems such as short circuits or overloads in the I/O.

For all of these reasons, machine builders and users are updating their legacy I/O systems, getting away from proprietary networks, and moving into the modern world of Ethernet-based communications. In an ideal world, all the sensors, control devices, and controllers would be interchangeable to meet various customer requirements, and so would the I/O hardware and networks. Ideally, an OEM or integrator should be able to install Profibus-based I/O on a machine when the customer wants a Siemens PLC, and the next day build the same machine with an Allen-Bradley PLC and DeviceNet. In practice, this is possible only if you select your I/O strategy and supplier carefully, making sure that all needed capabilities are supported in a cost-effective manner.

Jason Haldeman is a product marketing lead specialist for Phoenix Contact. For more information, visit www.phoenixcontact.com


Safety systems

Can You Depend on that Sensor?


An instrumentation device that is supposed to keep your process from erupting during an upset may sit there for years if there is no emergency. Will it work when the time comes? Safety sensors can help you sleep better.
William Goble, PhD
You won't have to look far to find examples of automation component failures in critical situations with catastrophic results. Several Toyota owners reported experiencing problems with their anti-lock braking system causing their cars to speed up when not expected. There were many contributing causes to the Deepwater Horizon spill, but a major one was the failure of the blowout preventer. Safety sensors can help maximize safety and reliability by minimizing critical failures and help ensure that safety is not compromised in the event of a failure.

What is a safety sensor?

Many understand the term as suggesting an instrumentation device used to measure process conditions that could be potentially dangerous. The device is typically a part of an equipment set for a safety instrumented function (SIF) which also includes a logic solver and final element. The SIF is part of a safety instrumented system (SIS), whose purpose is to drive a process to a safe state or to allow it to move forward when specific conditions are present. Examples of safety-sensor products include a pressure transmitter, temperature transmitter, gas detector, level transmitter, flow transmitter, flame detector, acoustic detector, or even proximity switch. These common items are recognizable but do not differentiate between an ordinary process sensor and a safety sensor. So what is the difference?

The standard for design and development of safety sensors

IEC 61508 is a multi-industry international standard that covers functional safety of automatic systems. The term functional safety is not the same as electrical safety or hazardous area safety. This standard is not concerned with shock hazards, burn hazards, or explosive atmospheres; rather, it covers the correct operation of a device (reliability) and, perhaps most importantly, how a device fails. Two different types of failures are covered: random failures and systematic failures.

The two main goals of the standard are clear-cut. The first is correct operation: a device must be sufficiently reliable. Reliability requires protection against both random and systematic failures. A random failure is defined as "a failure, occurring at a random time, which results from one or more of the possible degradation mechanisms in the hardware." Systematic failures are defined in IEC 61508 as "a failure, related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors." The standard protects against systematic failures by having hundreds of requirements for the design, test, and manufacturing processes. These requirements reflect the best engineering practices known to avoid design mistakes and manufacturing faults.

The second main goal is that the device must fail in a predictable manner. A quantitative failure-mode analysis is done for random failures with published numbers for each failure mode. These numbers provide a safety-system designer with the information needed to determine if a safety sensor is sufficiently reliable when used in combination with a logic solver and final control element to meet the required safety integrity level (SIL). This task is called SIL verification.

There are four different levels of safety integrity defined by IEC 61508 (Figure 1). The requirements for each safety integrity level are different. SIL 1 represents the lowest level. Each safety integrity level is intended to represent an order of magnitude improvement in safety and reliability and thus carries with it more stringent requirements. The requirements for a SIL 3 certification are much tougher than for SIL 2 certification, and those for SIL 2 certification are tougher than those for SIL 1.

Figure 1: Safety integrity levels and the associated SIL capability.

When an instrumentation sensor has been assessed by a competent, third-party agency and meets the requirements of IEC 61508, it is common to label it as a safety sensor or safety-certified instrument. The 2010 version of IEC 61508 introduced the term systematic capability, which indicates the best-case safety performance that the device can provide when it is applied per its safety manual. Certified devices can have a systematic capability rating from one to four that matches the SIL level of a SIF in which it may be used.

Figure 2. Tool for designing safety instrumented functions (including SIL verification) based on FMEDA data.

Complex electronics in a field-device transmitter makes for a lengthy analysis process requiring lots of hand work.

Failure mode analysis


Minimizing the impact of random failures can best be evaluated with a quantitative failure rate and failure mode analysis, as required by IEC 61508. The best technique is called a failure modes, effects, and diagnostic analysis (FMEDA). An FMEDA requires each component in a device (resistor, transistor, capacitor, etc.) to be examined individually to evaluate its failure modes and their impact on the operation of the device. The ability of any self-diagnostic to detect the failure is evaluated, and the cumulative impact of all component failures is calculated. This produces a set of numbers for a device: a failure rate for each failure mode. These numbers are then used by system designers to meet the targeted and required SIL levels for each SIF.

The FMEDA process is quite detailed and systematic, often identifying design problems that can be fixed to improve the design safety and reliability. As part of the certification, the number and type of product field failure data are analyzed as a function of the total accumulated operating hours. This observed failure rate can then be compared to the calculated failure rate in the FMEDA. If the values are comparable, this helps demonstrate the product development and quality process is effective.
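
How FMEDA failure rates feed SIL verification, as an added Python example that is not from the article or from any certification tool. It assumes low-demand mode, a non-redundant (1oo1) sensor, logic solver and final element in series, and the common simplified equation PFDavg = λDU × TI / 2; the device names, failure rates and systematic capability ratings are constructed, and architectural constraints are not checked.

```python
"""Added illustration: SIL verification of one SIF from FMEDA-style failure rates."""
from dataclasses import dataclass
from typing import Dict, List

HOURS_PER_YEAR = 8760
FIT = 1e-9  # 1 FIT = one failure per 10^9 device-hours


@dataclass(frozen=True)
class Fmeda:
    """Failure rates per failure mode for one device, in FIT (constructed values)."""
    name: str
    safe: float                 # failures that drive the process to its safe state
    dangerous_detected: float   # dangerous, but found by self-diagnostics
    dangerous_undetected: float # dangerous and hidden until the next proof test
    systematic_capability: int  # SC 1..4 from the device's certificate

    def safe_failure_fraction(self) -> float:
        total = self.safe + self.dangerous_detected + self.dangerous_undetected
        return (self.safe + self.dangerous_detected) / total

    def pfd_avg(self, proof_test_years: float) -> float:
        # Simplified 1oo1 equation: only hidden dangerous failures accumulate
        # between proof tests; a perfect proof test is assumed.
        ti_hours = proof_test_years * HOURS_PER_YEAR
        return self.dangerous_undetected * FIT * ti_hours / 2


def sil_from_pfd(pfd_avg: float) -> int:
    """IEC 61508 low-demand bands: each SIL is one decade of PFDavg (0 = no SIL)."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4


def verify_sif(devices: List[Fmeda], proof_test_years: float,
               target_sil: int) -> Dict[str, object]:
    """Series SIF: PFDavg values add; the weakest systematic capability caps the SIL."""
    pfd = sum(d.pfd_avg(proof_test_years) for d in devices)
    sil_by_pfd = sil_from_pfd(pfd)
    sil_by_sc = min(d.systematic_capability for d in devices)
    achieved = min(sil_by_pfd, sil_by_sc)
    return {
        "pfd_avg": pfd,
        "sil_by_pfd": sil_by_pfd,
        "sil_by_sc": sil_by_sc,
        "achieved_sil": achieved,
        "meets_target": achieved >= target_sil,
    }


# Constructed FMEDA numbers for a pressure-trip SIF.
SENSOR = Fmeda("pressure transmitter", safe=300, dangerous_detected=260,
               dangerous_undetected=40, systematic_capability=3)
SOLVER = Fmeda("logic solver", safe=500, dangerous_detected=495,
               dangerous_undetected=5, systematic_capability=3)
VALVE = Fmeda("shutdown valve", safe=400, dangerous_detected=0,
              dangerous_undetected=600, systematic_capability=2)
SIF = [SENSOR, SOLVER, VALVE]

if __name__ == "__main__":
    for years in (1, 5):
        print(f"proof test every {years} y:", verify_sif(SIF, years, target_sil=2))
    print(f"sensor SFF: {SENSOR.safe_failure_fraction():.1%}")
```

With these numbers the SIF meets SIL 2 when proof-tested yearly, drops to SIL 1 if the interval is stretched to five years, and is dominated by the valve rather than the certified sensor.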

Should you choose a safety sensor for your SIS?


The process industry-specific functional safety standard is IEC 61511 (ISA 84.00.01-2004). This standard requires that equipment used in a SIS be carefully selected and justified. While all sensor devices must be evaluated for any specific application, choosing equipment that meets the requirements of IEC 61508 is a common way to justify sufficient safety integrity performance. If not using safetycertified sensors, IEC 61511 allows an end user to perform his or her own proven-in-use justification. With a provenin-use justification, the burden is placed on the end user to audit the vendors design and quality assurance processes, to review manufacturer documentation of failure modes and failure rates, as well as to gather evidence of

Applied Automation

February 2012 A9

safe ty systems
concept was in its developing stages. While several PLC products were IEC 61508 safety certified, there were fewer sensor devices at that time. The E+H Liquiphant Fail-Safe, a tuning-fork level switch, was safety certified per the German VDE0801/A1 standard in 1996. The first safety-certified sensor per IEC 61508 was the 345 pressure transmitter from Moore Products in 1998. Over time, additional sensor devices passed the tough requirements with strong growth, which began in 2006. Today there are a number of safety-certified sensor devices for almost any process variable from every major instrumentation manufacturer. Figure 3 shows a cumulative count of the number of safety-sensor devices. A list of safety-certified devices, including sensors, is maintained on the Safety Automation Equipment List (www.sael-online.com). This list is updated regularly as new certifications are added from a variety of competent certification agencies, while obsolete products are removed.

Figure 3: The offering of certified sensors continues to grow.

suitability by documenting the operating history in similar applications in other plants.

SIS designers choose safety certified sensors rather than doing a proven-in-use justification for a number of reasons, including:
- Assuring that the product has high design reliability and safety
- Avoiding the burden of vendor design and manufacturing audits
- Reducing effort and cost for safety-system design (SIL verification)
- Reducing risk and potential liability from application of the product
- Regulatory agency preferences or demands IEC 61508 certified products, and
- Avoiding the recording of operating hours and analysis of all repairs and failures.

Without complete plant maintenance records, especially proof-test-as-found condition records, a designer would have difficulty providing documented trouble-free operating history from his or her plants. As a proven-in-use justification means taking responsibility for the reliability and safety of a sensor, high-quality data is important. Some will prefer to avoid the burden of vendor auditing and the documentation of those audits. Beyond just the safety integrity issue, other process operators specify safety sensors to get the assurance of high levels of design quality and reliability. There are regulations in some countries that indicate safety-certified products must be used in certain applications.

Certification of device manufacturers

When the functional safety standards were written in the late 1990s and early 2000s, the safety certification

Developing safer products

Developing products compliant with IEC 61508 is a rigorous and demanding process. Roughly 70% of the approximately 330 requirements for device-safety certification involve the design and test process. The clear objective of this level of attention is design quality. It is interesting to note that a majority of the requirements (about 200) relate to the software development process. Why is this? Remember that software was prohibited from safety applications by regulation in many countries through the late 1990s. There is software paranoia in the nuclear industry that is still so strong that new custom designs implemented purely with hardware are continually being developed even when well-proven alternatives exist. The software engineering requirements of IEC 61508 are quite strong for SIL 3 capability, and most consider this appropriate as it seems so easy to write software without sufficient testing. Yet some question the need for all this attention of software engineering in a simple sensor device. This thing is called a smart pressure transmitter, but could the software really be that complicated? Some ask, "Could this pressure transmitter that fits in my hand possibly be as complex as the rack of equipment in the safety PLC cabinet?"

No one questioned the need for safety certification of PLC products in the late 1990s. The PLC software designs were somewhat complex and appropriately perceived as such. One design example had software with two primary execution tasks: logic solving and communications. A rough idea of design complexity is given by the size of the processor and memory. A 1990s safety PLC did logic solving with a 16-bit microprocessor with four megabytes of memory. In the 2010s many sensor designs are much more complicated than the old PLCs. Today's sensor designs use multitasking operating systems with 32-bit microprocessors and larger memories. The sensor devices take full advantage of this processing power to provide high-speed statistical analysis of the process variable, much better automatic self-diagnostics, and more features. Given that the complexity of the new 2010-era designs is even greater than the safety PLC of 1999, the importance of software engineering quality is greater than ever.

A10 February 2012

Applied Automation

No safety without security


According to IEC 61508, if a security threat is seen as being reasonably foreseeable, then a security-threats analysis should be carried out. If security threats are identified, a vulnerability analysis should be undertaken in order to specify security requirements to be incorporated into the design. The ISA Security Compliance Institute (ISCI) has developed a program for security testing and certification of critical control system products with an Ethernet connection, such as PLCs, digital-protective relays, communication modules, and even sensor devices. The program, called ISA Secure, utilizes test specifications and protocols developed from publicly available sources such as the ISA-99 industry standard. With the occurrence of the Stuxnet virus, and the potential of Stuxnet-like attacks in the future, there has certainly been great attention drawn to the importance of control-system cyber security. Thus cyber security has become part of the safety certification process in some certification bodies.

Failure analysis starts with single components but also looks at various combinations as well as diagnostic capabilities.

Certifying the certifiers


The IEC 61508 functional-safety standard requires a level of independence in the assessment of functional safety that varies according to the SIL level. However, it does not require any specific accreditation, even for SIL 3 or SIL 4, as is required in the electrical safety standards. The IEC 61511 standard even uses the words "meets the requirements of IEC 61508" rather than using the term "certified." Therefore, we can conclude that anyone could perform a functional safety evaluation of a sensor device per IEC 61508.

As a practical matter, IEC 61508 is a large, complex document. The technical depth required to understand the issues is quite high, and this is recognized by the market. Therefore, purchasing specifications of major end-user companies routinely contain language indicating the competency required or even which specific certification agencies are accepted. While self-certification by a manufacturer is not prohibited by the standard, few have followed this path as they recognize the market demand for an accredited test laboratory/certification body with the technical skills beyond traditional electrical safety.

Certification agency accreditation is done per IEC Guide 65 (EN45011), which has requirements for the operation of a product certification program, and ISO 17025, which has requirements for a test laboratory. Technical competency is evaluated for each area of certification (e.g., functional safety, cyber security, electrical safety, etc.). Accreditation is done by an organization in each country that is governmental or quasi-governmental. In the U.S., for example, accreditation is done by the American National Standards Institute (ANSI).

Path forward
It is not hard to imagine functional safety certification becoming a standard part of sensor devices. Hazardous area approval was an option in the early days of electrical safety standards. Today it is difficult to buy any field device without a hazardous area rating. As more and more devices are achieving functional safety certification, more manufacturers are making functional safety a standard part of the product development process. Functional safety will likely be a standard attribute of sensor devices in the future. This is indicated by one advertising campaign for a pressure transmitter product recently that said, "Safety is not an option." Every device produced has the rating. This should provide a good return on investment as design quality improves and fewer mysterious field failures occur.

William Goble, PhD, is principal engineer and director of the functional safety certification group at exida, an accredited certification body. His doctorate is in quantitative reliability and safety analysis of automation systems.

Online:
Find more information about safety sensors at: www.exida.com/certification
See a list of safety-certified sensors, logic solvers, final control elements, and more at: www.sael-online.com


networking

Using Modbus for Process Control and Automation


One of the oldest digital communication protocols is also the most popular, and for good reason. You should get to know Modbus. Part 2 of 2.

Jim McConahay

One particular challenge for legacy plants is to find an inexpensive and convenient way to take advantage of installed HART (highway addressable remote transducer) smart devices. HART is a digital protocol that was designed to allow transmitters to transmit digital data and an analog signal simultaneously over traditional plant-installed copper twisted pair, and many if not most 4-20 mA field devices available include it. Users can configure, interrogate, and diagnose transmitters locally or remotely via any point along the twisted pair. HART slaves can be wired in a point-to-point or multi-drop configuration. In the more common point-to-point configuration, the HART transmitter varies the current on the analog loop to represent the desired process variable. While it is possible to monitor the digital HART data only, in a point-to-point configuration, it is rarely done. As the transmitter controls the current, it also has the ability to send multiple digital pieces of information via the HART data stream. Both process variable data and digital data can be transmitted by the HART slave or transmitter. This data can be used to monitor the health of instruments or used by the process control system or asset management system to optimize processes, assist in providing tighter control, or prevent unexpected process hiccups. In some cases, existing plants may have hundreds of HART-enabled instruments. Unfortunately, for one reason or another, many plants have never exploited the capabilities of HART.

In today's world of asset management, remote diagnostics, and advanced control, many plants would like to extract that digital information, but their control system and existing wiring can't accommodate it. The control system may not be set up or have the capability to extract HART data from the analog loop. A HART instrument can send up to four process variables via the HART signal: PV (primary variable), SV (secondary variable), TV (tertiary variable), and FV (fourth variable). Additionally, there are various bits and bytes of status data that can also be transmitted. However, if the control system cannot read the additional process variable data or any of the other diagnostic and status information from the digital HART signal, then that data goes to waste.

Customers have a range of options to get this HART data, even in legacy and mature plants. Some companies offer new upgraded analog I/O cards that have the ability to pick off this HART data.

[Figure labels: WLM Wireless Link Module (master and remote); NCS NET Concentrator System; Module Number; MODBUS; Control or Readout System; DCS; Distributed Field Devices]

Modbus via wireless uses the same concepts as a wired network with the radio signal replacing the twisted-pair cable. There are possible complications due to encrypting practices, but these are critical for effective cyber security.


However, these cards usually cost three to five times as much as the traditional analog I/O cards. Additionally, there are HART mux (multiplexer) bricks that can be installed on existing analog loops that have RS422 and RS485 outputs to asset management systems or DCSs. Again, these I/O mux bricks can be cost prohibitive.

An optional route, using a HART to Modbus converter, can be cost effective and allows the flexibility of monitoring just a few or many loops at reasonable costs. With a HART interface module that supports Modbus RTU, all the HART data can be brought to the control system simply and cost effectively. An interface module is a smart device that acts like a HART master on the front end and a Modbus RTU slave on the back end. It can extract all of the digital HART data from the 4-20 mA signal without placing a burden on the loop. It then provides a display and various other possible outputs. When a Modbus output option is selected, the HART data is digitally mapped to an internal Modbus memory map where it can then be polled by a PLC or DCS that is acting as the Modbus RTU master. By multi-dropping various interface module devices via RS485, this essentially becomes a scaled-down asset management system for a fraction of the cost.
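The polling step described above, from the master's side, as an added example that is not from the article or from any vendor's documentation. The register map (PV, SV, TV, FV as 32-bit floats in holding registers 0 to 7, high word first), the slave address and the simulated module are assumptions; a real interface module's manual defines the actual map and word order.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def add_crc(body: bytes) -> bytes:
    return body + struct.pack("<H", crc16_modbus(body))  # CRC is sent low byte first

def build_read_request(slave: int, start: int, count: int) -> bytes:
    """RTU frame for function 0x03, read holding registers."""
    return add_crc(struct.pack(">BBHH", slave, 0x03, start, count))

def parse_read_response(frame: bytes, slave: int, count: int) -> list:
    """Validate a function 0x03 response and return its 16-bit registers."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body = frame[:-2]
    if add_crc(body) != frame:
        raise ValueError("CRC mismatch: frame damaged in transit")
    if body[0] != slave:
        raise ValueError("response from unexpected slave address")
    if body[1] == 0x83:
        raise ValueError("slave returned exception code %d" % body[2])
    if body[1] != 0x03 or body[2] != 2 * count or len(body) != 3 + 2 * count:
        raise ValueError("malformed read response")
    return list(struct.unpack(">%dH" % count, body[3:]))

# Assumed memory map: four float32 values in registers 0-7, high word first.
HART_VARIABLES = ("PV", "SV", "TV", "FV")

def decode_hart_variables(registers: list) -> dict:
    values = {}
    for i, name in enumerate(HART_VARIABLES):
        raw = struct.pack(">HH", registers[2 * i], registers[2 * i + 1])
        values[name] = struct.unpack(">f", raw)[0]
    return values

def poll_hart_variables(transport, slave: int = 1) -> dict:
    """Poll registers 0-7 through transport(request_bytes) -> reply_bytes."""
    reply = transport(build_read_request(slave, 0, 8))
    return decode_hart_variables(parse_read_response(reply, slave, 8))

def simulated_module(request: bytes) -> bytes:
    """Constructed stand-in for an interface module holding sample values."""
    payload = b"".join(struct.pack(">f", v) for v in (12.5, 25.0, 101.25, -3.5))
    return add_crc(bytes([request[0], 0x03, len(payload)]) + payload)

if __name__ == "__main__":
    print(poll_hart_variables(simulated_module))
```

With a serial library in place of `simulated_module`, the same parsing rejects frames that arrive damaged or from the wrong address instead of passing bad values to the control system.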


Wireless Modbus
A Modbus network can be set up fairly easily to work over a wireless link. Essentially, all the wireless link does is replace the twisted-pair cables with a transmitter/receiver at each end of the network. Many wireless radio manufacturers support the Modbus protocol. However, due to some encryption schemes and time delays that radios and modems use, it is important to consult with your wireless vendor before making the assumption that it is supported.

Obviously the major advantage of wireless Modbus is the cost savings in wiring infrastructure. Signals that are needed from tank farms, well heads, and various other remote locations have historically been cost prohibitive to monitor and control. Fortunately, Modbus via wireless is transparent to the control system or host, and the slave. Like the systems described previously for legacy plants, the host system doesn't even know that a wireless Modbus network exists, because it doesn't have to deal with it.

When a master makes a request to a slave and the packets arrive at the transmitting radio, that radio will usually re-order the packets and encrypt them before transmission. Once the RF (radio frequency) packets are received by the slave radio, it decrypts them and puts them back in order to represent a valid Modbus packet. Assuming that the packet has not been damaged or corrupted, it will then be sent to the destined slave. The slave will respond back to the master and the process starts again. Sometimes it is important to pay special attention to a Modbus communication parameter called timeout. Timeout is the amount of time that the master will wait for


companies that offer chassis-style slide-in communication cards and stand-alone gateways. Unlike Modbus RTU and Modbus ASCII, Modbus TCP allows multiple masters to poll the same slave device simultaneously. This is allowed because multiple messages can be sent, buffered, and delivered without the requirement of token passing or total bus control, which is often the case with many RS485 and RS422 protocols.
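Modbus TCP puts an MBAP header in front of each PDU, and its transaction identifier is what lets a client keep several requests outstanding and pair each reply with its request. The sketch below is an added example, not code from the article; the `PendingRequests` class, the unit address and the reply values are hypothetical and constructed for illustration.

```python
import struct

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id

def wrap_pdu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prefix a Modbus PDU with the MBAP header; Modbus TCP carries no CRC."""
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def split_stream(buffer: bytes):
    """Cut a TCP byte stream into (transaction id, unit id, PDU) tuples.

    Returns the complete ADUs found and the unconsumed tail of the buffer.
    """
    adus = []
    while len(buffer) >= MBAP.size:
        tid, protocol, length, unit = MBAP.unpack_from(buffer)
        if protocol != 0:
            raise ValueError("protocol id must be 0 for Modbus")
        if not 2 <= length <= 254:  # unit id plus a PDU of 1 to 253 bytes
            raise ValueError("length field out of range")
        end = 6 + length            # length counts the bytes after itself
        if len(buffer) < end:
            break                   # wait for the rest of this ADU
        adus.append((tid, unit, buffer[MBAP.size:end]))
        buffer = buffer[end:]
    return adus, buffer

class PendingRequests:
    """Hypothetical client-side table of requests awaiting a reply."""

    def __init__(self):
        self._next_id = 0
        self._pending = {}

    def send(self, unit_id: int, pdu: bytes) -> bytes:
        tid = self._next_id
        self._next_id = (tid + 1) & 0xFFFF
        self._pending[tid] = (unit_id, pdu[0])
        return wrap_pdu(tid, unit_id, pdu)

    def receive(self, tid: int, unit_id: int, pdu: bytes) -> bytes:
        expected = self._pending.pop(tid, None)
        if expected is None:
            raise ValueError("reply matches no outstanding request")
        if expected != (unit_id, pdu[0] & 0x7F):
            raise ValueError("reply does not fit the request it claims to answer")
        return pdu

def demo_out_of_order():
    """Two reads in flight; constructed replies arrive reversed and fragmented."""
    client = PendingRequests()
    client.send(1, struct.pack(">BHH", 0x03, 0, 2))    # transaction 0
    client.send(1, struct.pack(">BHH", 0x03, 100, 1))  # transaction 1
    reply_0 = wrap_pdu(0, 1, struct.pack(">BBHH", 0x03, 4, 0x4148, 0x0000))
    reply_1 = wrap_pdu(1, 1, struct.pack(">BBH", 0x03, 2, 0x002A))
    stream = reply_1 + reply_0
    data, buffer = {}, b""
    for chunk in (stream[:5], stream[5:17], stream[17:]):  # arbitrary segment cuts
        adus, buffer = split_stream(buffer + chunk)
        for tid, unit, pdu in adus:
            data[tid] = client.receive(tid, unit, pdu)[2:]  # drop function, byte count
    return data, buffer

if __name__ == "__main__":
    print(demo_out_of_order())
```

Checking the length field before slicing and refusing replies that match no outstanding request keeps a malformed or unexpected frame from being interpreted as process data.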

[Figure labels: Individual loop controller units with Modbus output; Modbus RTU RS485]

Control in the field


So far, we've only dealt with simple Modbus data acquisition systems. It is also possible to install control devices in the field that will communicate to the central control system via Modbus. Some concentrators mentioned earlier also have a CPU and real-time control kernel that can be programmed to perform control functions, such as PID, on/off control, local alarming, complex math equations, diagnostics, and alarm monitoring. Because it has PLC-type logic, PID-type control functions, and advanced computing capabilities, a sophisticated concentrator can often eliminate the need for a PLC, industrial computer, or a small DCS for a fraction of the price. While Modbus doesn't have the capabilities of other protocols like Foundation fieldbus, Profibus, and CIP, when combined with the right devices, it can often fit the need for many applications where local control is desired.

PID controllers were originally stand-alone noncommunicating devices. As PLCs and DCSs got smarter, so did the controllers. Today, many end users still prefer the direct readout and simple-to-program style of the single loop controller. Digital communication protocols like Modbus may have added a little more life to these once standalone instruments. By multi-dropping controllers you can now create your own small distributed control system.

HMI/SCADA (Modbus master)

Modbus can support deployment of distributed controllers, which can improve determinism and reduce central processing loads.

a response from a slave before attempting a re-transmission. Depending on how well the radio is communicating, packets can be delayed, causing an unnecessary amount of retries and re-transmits. With today's FHSS (frequency-hopping spread spectrum) radios, most of these parameters can be massaged for efficient transfer of packets. However, proper radio site surveys that include signal strength and spectrum noise analysis can often prevent many communication hiccups.

A universal interface
While the modern control world continues to grapple with advanced concepts such as fieldbus and mesh networks, the simplicity of Modbus and its ease of implementation over so many communication media allow it to remain the most widely supported and implemented industrial protocol in the world. When users of existing legacy control systems discover the need to expand field instrumentation or add remote controllers, they very often turn to Modbus as a simple solution to complex problems. Moreover, when there is a need to connect an exotic device to a control system, using the device's Modbus interface often proves to be the easiest method. Although it is one of the oldest communication methods, it is also the most popular, for very good reasons. It's easy to use, reliable, inexpensive, and connects to almost every sensing and control device in the control industry.

Jim McConahay is a senior field applications engineer for Moore Industries-International. www.miinet.com

Modbus over Ethernet


Modbus TCP is often referred to as Modbus over Ethernet since for all practical purposes it is simply Modbus packets encapsulated in standard TCP/IP packets. This enables Modbus TCP devices to connect and communicate over existing Ethernet and fiber networks, which can support many more addresses than RS485, the use of multiple Masters, and speeds in the gigabit range. While Modbus RTU has a limitation of 247 nodes per network, Modbus TCP networks can have as many slaves as the physical layer can handle. Often this number is somewhere around 1,024.

Ethernet's rapid adoption within process control and other automation applications has allowed Modbus TCP to grow rapidly to become the most widely used industrial protocol over Ethernet. Although PLC vendors of all sizes have adopted their own proprietary protocols over Ethernet, almost all of them support Modbus TCP. And for those PLC vendors who don't currently support Modbus TCP, there are many

