The TS Series TRUNKSAFE system from MooreHawke, a division of Moore Industries, provides a cost-effective, reliable method for maintaining continuous communication between a control system and instruments on a FOUNDATION fieldbus H1 segment. In the event of a failure on a fieldbus segment, TRUNKSAFE makes it possible for the control system to switch immediately and automatically to a redundant path. This helps prevent the loss of a complete segment, the shutdown of associated plant or equipment, and potential catastrophic process failures.
With other fieldbus products, the only way to build a redundant system is to duplicate the entire segment completely, including H1 interfaces, power supplies, device couplers, fieldbus instruments, wiring from instruments to the couplers, and the fieldbus cables. Unfortunately, control system vendors have no way to determine if a segment has failed. In most cases, a control system can detect the loss of power to an H1 interface, or it can detect when field devices become disconnected; but it cannot detect a segment failure beyond its H1 card. Therefore, conventional redundant fieldbus systems sometimes use complex software voting schemes that determine – by analyzing instrument signals (or the lack thereof) – that the segment has failed.
A TRUNKSAFE segment consists of two TPS200 Advanced Power Conditioners, a fieldbus cable from each power conditioner, and a TS200 Fault Tolerant Device Coupler, currently available for a maximum of either six or 10 field devices. The TRUNKSAFE Power Conditioners each feed the parallel, redundant “legs” of fieldbus cable, which meet at the TRUNKSAFE Device Coupler. When a cable failure in either leg occurs, the TRUNKSAFE system shuts off power to the failed leg, letting the redundant power conditioner keep power to the remaining healthy leg. The control system detects loss of power at the H1 card on the failed leg and automatically switches to its backup H1 card.
The TRUNKSAFE system also provides a hard-wired alarm to alert plant operators to the cable fault and LEDs indicate exactly which cable and what type of fault has occurred. When the failed segment has been repaired and normal cable integrity restored, the previously disconnected H1 card is automatically allowed access to the segment once more.
In other words, any segment configured with TRUNKSAFE automatically maintains normal operation and communications without any changes to the control system hardware or software.
An existing, non-redundant fieldbus segment can be upgraded to a redundant system simply by adding an extra H1 card, two TRUNKSAFE power conditioners, an extra fieldbus cable, and replacing the existing coupler with a TRUNKSAFE Device Coupler. In some cases, fieldbus segments on plant-critical applications are already equipped with duplicated H1 cards, power conditioners, and two cables; in this case, the system can be upgraded to fully automatic operation by installing TRUNKSAFE power conditioners and replacing the device coupler with a TRUNKSAFE Device Coupler.
Implementing a TRUNKSAFE system requires no hardware or software modifications to the control system. Each TRUNKSAFE segment is a conventional fieldbus configuration in all respects, except that it has two fieldbus cables. Switchover during a fault and reset afterward are fully automatic, requiring no action by maintenance or operations personnel.
BACKGROUNDER: REDUNDANT FIELDBUSES
A FOUNDATION fieldbus system allows up to 32 devices to be connected to a control system via a single twisted-pair cable, thus saving end users enormous amounts of money in cabling and installation costs. That single cable provides both power and communications, and enables comprehensive device diagnostics, advanced control functions in the field, peer-to-peer communications among instruments, standalone operation that can continue if the control system fails, and many other benefits.
Fieldbus has one major problem: If the twisted-pair cable fails on a FOUNDATION fieldbus segment, it can “take down” all of those devices at one time. Not only is the fieldbus segment lost to the control system, devices on the segment can no longer talk to each other. Although fieldbus instruments can continue to operate if the control system fails, any cable fault (open or short-circuit) will completely stop all connected devices.
This problem is especially serious on plant-critical segments, where the failure of a segment may adversely affect plant or process applications, lead to costly process shutdowns, cause a hazardous condition, or release materials to the environment.
No provision is made within the FOUNDATION fieldbus standard for redundant segment communications. Various fieldbus vendors, including major process control companies, have developed redundant fieldbus schemes that involve complete duplication of all equipment – including H1 interfaces, power supplies, fieldbus cables, device couplers, and fieldbus instruments – plus complex software voting schemes.
A “voting scheme” is needed because most control systems cannot tell when a fieldbus segment fails. They can only detect if the H1 interface itself fails, or if a particular fieldbus device fails. If the H1 interface remains powered, the control system has to determine, by analyzing instrument signals (or the lack thereof), that the segment has failed.
Needless to say, such redundancy schemes are expensive, complex, and can be hard to maintain. A catastrophic process failure could result while the control system is determining what’s wrong.
The prospect of losing an entire critical segment often makes end users wary of fieldbus. If a segment contains “process-critical” instruments, they generally limit the number of instruments per segment to only a few, or spread critical instruments over multiple redundant segments.
MooreHawke, a division of Moore Industries, has solved the redundancy problem.
MooreHawke’s TRUNKSAFE redundant fieldbus system makes it possible to disconnect a failed H1 card or a failed cable automatically within milliseconds while maintaining normal operations on a second parallel cable, thus eliminating all single point failures within that segment.
TRUNKSAFE consists of dual, redundant TPS200 Advanced Fieldbus Power Conditioners (one for each leg of the segment), two fieldbus cables, and a TRUNKSAFE TS200 fail-safe Device Coupler.
The TRUNKSAFE Advanced Power Conditioners are located on DIN Carriers for up to four segments at a time; optional Diagnostics Modules provide detailed performance information to a DCS via an RS485 link, as well as module-mounted LEDs. TRUNKSAFE Device Couplers accommodate six or 10 fieldbus instruments.
Each TRUNKSAFE Advanced Power Conditioner handles one leg of the segment; it connects to one H1 card within the DCS and a field cable to the TRUNKSAFE Device Coupler. The installer routes the fieldbus cables separately, so that the same incident (a careless forklift driver, for example) does not take both cables out at the same time.
If a fault occurs on either cable, the Advanced Power Conditioner on the affected leg immediately cuts power to that leg and its H1 interface, which forces the DCS to switch to the alternative H1 card. The TRUNKSAFE Device Couplers can be driven by either trunk and automatically switch on their internal terminators to maintain normal communications if one trunk loses power. This all takes place fully automatically and within a few milliseconds.
With TRUNKSAFE, it may not be necessary to duplicate all fieldbus instruments in a critical segment. An end user may decide to duplicate an instrument if the device itself is prone to failure, but it is no longer necessary to duplicate instruments for protection against a trunk failure.
It is also possible to provide redundancy for up to 32 devices, by using multiple TRUNKSAFE Device Couplers in series, as with any other conventional fieldbus segment. However, such a solution requires software logic in the control system.
If, for example, the primary segment fails somewhere beyond the first device coupler, the primary segment will remain powered up to the break, while the redundant segment will power all devices after the break. This means that some field instruments will be connected to the primary H1 interface while the remainder will be connected to the secondary H1. All field devices will still be functional, but the control system needs logic to determine this situation, or must switch to the backup H1 segment until the problem is repaired.
The cost of a fully redundant TRUNKSAFE fieldbus system is only slightly more than a standard MooreHawke fieldbus system, and far less than that of a fully duplicated system. In fact, the availability of an inexpensive, fully fault-tolerant FF system now makes it possible for end users to provide redundancy on more than just process-critical loops.