Another significant impact of using the integrated approach is removal of a third party interface (connection to a different system). Integrating different systems is always the most difficult part of a control system to implement and maintain because, in many cases, this requires mapping of parameters across gateways and protocols. In addition, typically when something goes wrong at least two vendors are involved — it's always the other supplier's fault, with you, the customer, being stuck in the middle with the unresolved problem.
One advantage of having separate safety and control systems is that changes (addition or removal of new hardware, system software updates, network changes, etc.) to one system don't directly affect the other. Therefore, when it's necessary to do this sort of work or even to conduct the mandated periodic testing of the full safety loop (input, logic solver and output), there's no risk of inadvertently introducing a disturbance to the regulatory control environment.
Regulations are increasingly mandating the use of safety systems in smaller facilities for such applications as burner management of furnaces and boilers. This may make a combined system a better fit for such sites, which often have limited staff — because the people responsible for the plant's automation systems will only have to work in a single integrated environment instead of having to learn how to maintain two different systems.
One of the key considerations in obtaining a desirable SIL rating is the time between maintenance and testing (the proof test interval); devices that fail more often require more frequent testing (a shorter interval) to compensate. Diagnostics enable continuous monitoring of the health of all components in the system that can communicate digitally with each other, including smart field devices.
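The trade-off between failure rate, diagnostics and proof test interval can be made concrete with the simplified IEC 61508 low-demand formula for a single (1oo1) channel, PFDavg ≈ λ_DU × TI / 2. The following is an added example, not code from the article or its author; it treats diagnostic coverage as the fraction of dangerous failures the diagnostics reveal, ignores repair time, common-cause failures and the final element, and all failure rates are constructed sample values.

```python
"""Proof-test interval, diagnostic coverage and SIL for a 1oo1 safety channel.

Added illustration, not from the article. It uses the IEC 61508 low-demand
approximation PFDavg ~= lambda_DU * TI / 2 for a single (1oo1) channel and
ignores repair time, common-cause failures and the final element. Diagnostic
coverage (DC) is modelled as the fraction of dangerous failures that the
diagnostics reveal, so only lambda_D * (1 - DC) accumulates undetected
between proof tests. All failure rates below are constructed sample values.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand-mode SIL bands as (SIL, upper bound exclusive, lower bound inclusive).
SIL_BANDS = [
    (4, 1e-5, 1e-6),
    (3, 1e-4, 1e-5),
    (2, 1e-3, 1e-4),
    (1, 1e-2, 1e-3),
]


def pfd_avg_1oo1(lambda_d_per_hour, diagnostic_coverage, proof_test_interval_years):
    """Average probability of failure on demand of a 1oo1 channel."""
    lambda_du = lambda_d_per_hour * (1.0 - diagnostic_coverage)
    ti_hours = proof_test_interval_years * HOURS_PER_YEAR
    return lambda_du * ti_hours / 2.0


def sil_for_pfd(pfd):
    """Map a PFDavg to the SIL band it falls in (0 = no SIL credit)."""
    if pfd >= 1e-2:
        return 0
    for sil, upper, lower in SIL_BANDS:
        if lower <= pfd < upper:
            return sil
    return 4  # below 1e-6: beyond the SIL 4 band


def max_proof_test_interval_years(lambda_d_per_hour, diagnostic_coverage, target_sil):
    """Longest proof-test interval whose PFDavg sits at the target band's upper bound.

    A real schedule would be set comfortably inside the band; this returns the
    boundary so the trade-off between failure rate, diagnostics and TI is visible.
    """
    upper = {sil: up for sil, up, _ in SIL_BANDS}[target_sil]
    lambda_du = lambda_d_per_hour * (1.0 - diagnostic_coverage)
    return 2.0 * upper / lambda_du / HOURS_PER_YEAR


def schedule(devices, target_sil):
    """Return {name: max TI in years} for a list of (name, lambda_D, DC) tuples."""
    return {name: max_proof_test_interval_years(ld, dc, target_sil) for name, ld, dc in devices}


if __name__ == "__main__":
    # Constructed sample: the same dangerous failure rate, with and without smart diagnostics.
    lambda_d = 2e-7  # dangerous failures per hour (constructed value)
    for dc in (0.0, 0.6):
        for ti in (1, 2):
            pfd = pfd_avg_1oo1(lambda_d, dc, ti)
            print(f"DC={dc:.0%} TI={ti} yr -> PFDavg={pfd:.2e}, SIL {sil_for_pfd(pfd)}")
        print(f"DC={dc:.0%}: longest TI for SIL 2 = {max_proof_test_interval_years(lambda_d, dc, 2):.2f} yr")
```

With the constructed rate, the channel holds SIL 2 on a one-year proof test but drops to SIL 1 when the interval is stretched to two years; adding 60% diagnostic coverage keeps it in SIL 2 at two years, which is the mechanism by which continuous diagnostics buy a longer interval.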
The majority of smart devices today use HART communications. The safety system logic solver uses the analog signal while the digital signal, which contains maintenance and diagnostic information, normally goes to a separate system linked to asset management software. (HART has limited support for discrete devices and thus only provides sparse information for these types of instruments and output devices.) Because a dedicated asset-management system interprets the diagnostic information, including device status, another link back to the safety system is required for the instrument status — unless the device has been configured to fail high (>20 mA) or low (typically 3.8 mA).
Being all digital, fieldbuses can communicate field device status every update cycle and normally not only indicate OOS (out of service or failed) but also measurement deterioration or uncertainty. Integrated host systems typically share this type of information more easily than standalone designs.
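The difference between the two preceding paragraphs, a fault that a 4-20 mA/HART loop can only signal by driving the current out of range versus status that a fieldbus carries with every value, is easiest to see in code. The following is an added example, not code from the article or any vendor; the analog thresholds follow the article (fail-high above 20 mA, fail-low at about 3.8 mA), treating the band between 3.8 mA and 4 mA as "uncertain" is this example's own choice, `Quality` is a simplified stand-in for a fieldbus status byte, the HART `device_malfunction` flag stands in for the diagnostic information that travels only in the digital part of the signal, and all readings are constructed.

```python
"""How a safety logic solver learns that a transmitter is bad: 4-20 mA/HART
versus an all-digital fieldbus input.

Added illustration, not from the article. The analog thresholds follow the
article (fail-high above 20 mA, fail-low at about 3.8 mA); treating the band
between 3.8 mA and 4 mA as 'uncertain' is this example's own choice.
Quality.GOOD/UNCERTAIN/BAD is a simplified stand-in for a fieldbus status
byte, and the HART 'device_malfunction' flag stands in for the diagnostic
information carried only in the digital part of the signal. All readings are
constructed.
"""

from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Quality(Enum):
    GOOD = "good"
    UNCERTAIN = "uncertain"
    BAD = "bad"


@dataclass
class HartTransmitter:
    current_ma: float                 # what the logic solver's analog input actually sees
    span_low: float                   # engineering value at 4 mA
    span_high: float                  # engineering value at 20 mA
    device_malfunction: bool = False  # carried only in the digital (HART) response


@dataclass
class FieldbusTransmitter:
    value: float
    status: Quality     # travels with the value every update cycle
    substatus: str = ""  # e.g. "out of service", "sensor failure"


Reading = Tuple[Quality, Optional[float], str]


def logic_solver_hart(tx: HartTransmitter, fail_low_ma=3.8, fail_high_ma=20.0) -> Reading:
    """Analog path only: the loop can signal a fault solely by driving the
    current out of range, and only if the device was configured to do so."""
    i = tx.current_ma
    if i <= fail_low_ma:
        return Quality.BAD, None, "fail-low current"
    if i > fail_high_ma:
        return Quality.BAD, None, "fail-high current"
    value = tx.span_low + (i - 4.0) / 16.0 * (tx.span_high - tx.span_low)
    if i < 4.0:
        return Quality.UNCERTAIN, value, "below 4 mA but above fail-low level"
    return Quality.GOOD, value, "in range"


def asset_management_hart(tx: HartTransmitter) -> Reading:
    """Digital path: sees the malfunction flag the analog input cannot. Feeding
    this back to the logic solver is the extra link the article mentions."""
    quality, value, reason = logic_solver_hart(tx)
    if tx.device_malfunction:
        return Quality.BAD, None, "HART device malfunction flag set"
    return quality, value, reason


def logic_solver_fieldbus(tx: FieldbusTransmitter) -> Reading:
    """Digital bus: status and value arrive together, so no side channel is needed."""
    value = None if tx.status is Quality.BAD else tx.value
    return tx.status, value, tx.substatus or tx.status.value


def decide(reading: Reading, trip_setpoint: float) -> str:
    """De-energize-to-trip policy: a BAD input trips (fail safe), an UNCERTAIN
    input runs with an alarm, a GOOD input trips only on the setpoint."""
    quality, value, _ = reading
    if quality is Quality.BAD:
        return "TRIP"
    if quality is Quality.UNCERTAIN:
        return "TRIP" if value is not None and value >= trip_setpoint else "ALARM"
    return "TRIP" if value >= trip_setpoint else "RUN"


if __name__ == "__main__":
    # Constructed case: a failed sensor that still drives a plausible 12 mA.
    sick = HartTransmitter(current_ma=12.0, span_low=0.0, span_high=100.0, device_malfunction=True)
    print("logic solver (analog):", logic_solver_hart(sick))        # GOOD, 50.0
    print("asset management (HART):", asset_management_hart(sick))  # BAD
    print("fieldbus:", logic_solver_fieldbus(FieldbusTransmitter(50.0, Quality.BAD, "sensor failure")))
```

The constructed "sick" transmitter is the case the article warns about: its analog current is inside the range, so the logic solver scales it to a plausible 50% and keeps running, while only the asset-management side sees the malfunction flag; the fieldbus input, by contrast, arrives already marked BAD and trips without any additional link.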
Buses, especially Foundation Fieldbus, have limited support for discrete input/output (solenoids and contact inputs). Foundation Fieldbus was designed for continuous processes, so discrete processes aren't its core strength. It does support several discrete output (on/off) process valves, though. The Fieldbus Foundation recently released a new transducer block for analog output devices (control valves) to enable partial stroke testing — in part because such testing is a critical component of the testing of safety control loops.
In the end, it's still a case-by-case decision, somewhat like deciding whether to use a multipurpose tool like a Swiss army knife or a suite of dedicated tools for each task. Both will get the job done but there are tradeoffs. Only you can decide what level of risk is acceptable in your facility and what approach will work best in your situation.
IAN VERHAPPEN is director and principal consultant of Industrial Automation Networks Inc., Wainwright, AB. E-mail him at email@example.com.