Manufacturing AUTOMATION

Fieldbus safety: Calculating your safety integrity level

June 15, 2006
By Ian Verhappen

Fieldbus technologies are now becoming the communications choice for many new projects being installed around the world. This indicates an increasing acceptance of digital communications for conventional control.

As a result of this acceptance, more people are inquiring about the use of fieldbus in safety systems. Fortunately, most bus technologies have already developed or are in the process of finalizing a safety version of their fieldbus. In addition, ISA’s S-84 committee is finalizing a technical report on the use of fieldbus for safety systems.

Most organizations, rather than reinventing the wheel, are basing their safety buses on the “black channel” model. A black channel offers many advantages to both the manufacturer and end-user because it is based on the same technology as the conventional bus, but with enhancements to increase the reliability of the signal communications to meet the appropriate safety integrity level (SIL) desired by the bus developers for the targeted industry. In many cases, this is SIL 3, one communications failure every 1,000 years or, if a person has 1,000 devices installed, one device communications failure every year.

By maintaining the underlying bus technology as part of the safety bus, only the user layer of the protocols sees significant changes. The user layer will typically require the addition of software in the device and the communications management software to provide additional levels of cyclic redundancy checking (CRC), end-to-end system integrity and message transmission/arrival sequencing to ensure the required level of communications integrity for each message on the safety network.


The other layers of the OSI model, particularly the physical and data link layers, remain unchanged. This means that the same infrastructure of cable, terminals, terminations and power supplies/conditioners that is in place for the conventional fieldbus installation can be used for the safety fieldbus network. Reusing the expensive infrastructure of these OSI layers means manufacturers can reuse the majority of the code and application specific integrated circuits (ASIC) already developed, and that end-users donít need to learn another system design to engineer safety bus networks.

However, the addition of a Probability of Failure on Demand (PFDavg) factor to the overall PFD calculation used in the SIL system calculations is required. The PFD calculation will be similar to the following:

PFDavg = PFDsensor + PFDsolver + PFDactuator + PFDcomms + …

The fieldbus organizations are only interested in the PFDcomms part of the equation, leaving it to the manufacturers of the various system components to obtain their own SIL rating. The SIL calculation for each of the system components can consist of a number of subcomponents. For example:

PFDcomms = PFDcable + PFDBPS + PFDPC + PFDterm + …

Once again, it will be up to the suppliers of each of these components to obtain the required approvals from organizations such as TÃœV and Exida.

Not surprisingly, it is the field devices, sensors and actuators that are the “weakest link” in the safety chain. This is, in part, because of the harsh conditions they are installed in, and also because they are the components with mechanical moving parts.

Despite this, manufacturers continue to seek ways to improve the reliability of each component of the entire system through such things as increased levels of redundancy, improved diagnostics/maintenance, and designs that are inherently simpler and more reliable.

Redundancy is used to increase overall system reliability by installing a parallel system of sensor, actuator and, in some cases, logic solver, so that if one component fails there is already a back-up in place to confirm the validity of the signal or resulting calculation. Traditional distributed control systems often install redundant I/O cards and control networks for this reason. In the case of fieldbus communications where the fieldbus is part of the network, there is some talk that redundant paths to the field devices may be required.

Another method of increasing the overall SIL rating is to reduce the time period between component testing. Part of the SIL determination is based on how often a system is checked or tested. In the case of fieldbus systems, using the diagnostics in the devices makes it possible to continuously check the health of all components, though this will not verify the operation via actual partial stroking of the actuator. In addition, the new online network diagnostic modules will complement the safety busesí communications checks to improve the overall system rating.

Safety buses are starting to be used in some industries; however, as per the IEC 61508 and 61511 standards, it is often the “proven in use” aspect of any technology that carries credibility with most end-users. Yet, it is these same folks who want to have someone else be the first to do the proving. It’s the chicken and egg paradigm all over again.

Ian Verhappen is an ISA Fellow, ISA certified automation professional, adjunct professor at Tri-State University and director of Industrial Networks at MTL Instruments, a global firm specializing in fieldbus and industrial networking technologies. E-mail him at, or visit his website,

Bus bits

  • The Fieldbus Foundation has just released the FF-901 device description language (DDL) interoperability specification. Supplementing the FF-900 DDL specification, FF-901 supports improved device-to-host interoperability. It provides guidance and directions for creating enhanced device descriptions.
  • Beamex Corporation has released a Foundation Fieldbus calibrator module, the first such product for the industry. This single calibrator can now work with Foundation Fieldbus as well as HART devices.
  • Fieldbus H1 physical layer diagnostic modules using FDT/DTM communications technology are now available from Pepperl+Fuchs. Similar modules are expected from other suppliers in 2007.
  • The HART wireless standard is now being shown as a multi-vendor demonstration using a mesh network technology. The HART Communication Foundation has agreed that its protocol will comply with the ISA-100 final standard. The ISA-100 standard for industrial wireless networking is designed to address the complete architecture from plant-floor sensor to the chairpersonís boardroom.
  • The Fieldbus Foundation released a new and revamped website at At a recent press conference, the foundation also announced two new certification programs – one for fieldbus device manufacturers and the other for a certified training program where participants will provide a uniform level of quality training materials and curriculum.
  • The ISA-100 Industrial Wireless Communications committee met at ISA Expo in Houston and made plans for their 2007 series of working sessions. In addition to the weekly teleconferences, five face-to-face sessions are in the works.

Print this page


Story continue below