Fieldbus is the name of a family of industrial computer network protocols used for real-time distributed control, now standardized as IEC61158. A complex automated industrial system, for example a fuel refinery, usually needs an organized hierarchy of controller systems to function. In this hierarchy there is a Human Machine Interface (HMI) at the top, where an operator can monitor or operate the system. This is typically linked to a middle layer of programmable logic controllers (PLC) via a non time critical communications system (e.g. Ethernet). At the bottom of the control chain is the Fieldbus, which links the PLCs to the components which actually do the work such as sensors, actuators, electric motors, console lights, switches, valves and contactors. The Fieldbus is a two wire combined power and data network comprising one or more segments, each of which comprise a trunk with a number of spurs attached thereto. The network provides both power and communications to the field components on the spurs.
The various components of the system communicate with one another using the Fieldbus IEC61158-2 communications protocol, which is a Manchester encoding system. Data telegrams are transmitted either on dedicated communications circuits, or on the same electrical circuits as the power to drive the field instruments. The data telegrams serve to control and to monitor and diagnose the field instruments in use.
The IEC61158-2 Fieldbus communication protocol, along with other similar data systems such as DSL, Ethernet, HART and so on, and those which will eventually replace IEC61158-2 Fieldbus, comprise a set of discrete physical layer limits within which the communications signals, and the hardware which hosts them, must operate. These physical layer limits include aspects of the signalling, including the data shape and timing rules. IEC61158-2 Fieldbus communications allow for retries should a particular data telegram from a device fail as a result of a fault occurring somewhere on the segment. A typical system will be configured such that a particular number of retries will be attempted until a failure status is determined, and communications with a device suspended. The spur upon which the device is supported may also be de energised or isolated until it can be inspected. If a device is configured to send a data telegram once every second, as a part of the routine communications cycle shared with all the other devices on a particular segment, and the system is set up to allow 5 retries, then if a fault which disrupts the data telegrams persists for longer than 5 seconds the communications will cease, causing the loss of the device to the system. Depending on the number of instruments on the segment, and the number of retries, this time period could be longer, or much shorter. If a segment has only one spur, it's device might be prompted for a data telegram once every tenth of a second, in which case a fault persisting for more than half a second will result in a communications failure.
Fieldbus is often used in Intrinsically Safe environments, for example combustible atmospheres, and in particular gas group classification IIC, Hydrogen and Acetylene, and below, for example gas group IIB and IIA, for gas and/or dust. In a typical combined two wire Fieldbus electrical power and communications circuit there is a power supply, an Intrinsic Safety barrier of some kind, a trunk section leading out into the field, and a number of device couplers with separate spurs connected thereto, on which the field instruments are mounted. The trunk and the spurs together form the segment. The Intrinsic Safety barrier divides the circuit into an Intrinsically Safe side and a non-Intrinsically Safe side. The power supply, the PLCs and other systems like physical layer diagnostic modules which measure physical layer attributes of the electrical circuit and the network hardware, and in part the physical software or protocol being used, are located in the non-Intrinsically Safe side of the circuit, usually in a control room. The trunk, the device couplers, the spurs and the field instruments are located in the Intrinsically Safe side, out in the field.
Intrinsic Safety can be achieved in a number of known ways, from simply limiting the power so open or short circuits cannot form combustible arcs, to using active monitoring and isolating systems which allow higher power levels and act to isolate the power supply from open or short circuits to prevent combustible arcs.
In addition, it is also common to use current limiting protection electronics within active device couplers, which act to either fully isolate or limit the current in a particular spur if a short circuit occurs thereon. Current limiting devices like this comprise a series semiconductor element and a current sense/drive circuit. The circuit monitors the current on the spur, and if it reaches a trip level as a result of a short circuit occurring on the spur the semiconductor is switched to limit the current, and to prevent the fault from affecting the rest of the segment. The circuit either works in a rectangular way and goes to a high impedance to limit the current to the trip level itself and holds it there for a particular period of time, or it works in a foldback way and limits the current to a lower level, thereby effectively isolating the spur from the rest of the segment. Such actions obviously prevent any data telegrams being sent from the device on the spur.
Spur short circuits can occur for example when there is an inadvertent cable make, or if a device itself fails to a short circuit state, which could result from electronic component failure or even flooding of the instrument enclosure. The current limiting electronics prevent any such faults from short circuiting the trunk. Short circuits can also occur when a device is disconnected or when errors occur during routine maintenance and calibration, so the current limiting electronics acts as a safeguard and allows for routine work to be carried out on an active spur without the danger of it affecting other parts of the circuit. The current range of two wire IEC61158 Fieldbus spur current limiting protection electronics within active device couplers includes the Segment Protector® and Spur Guard® products. These particular current limiting devices are slightly limited in their operation, because they can only provide protection against a low ohmic DC faults. Therefore, the applicant's co-pending patent application WO2011148127 discloses an improved device which monitors for a much larger number of physical layer faults, and when these are detected applies a deliberate shunt short circuit to the spur. In this way the current limiter is forced into action to handle this contrived “fault”, and does not remain inactive.
The kind of faults handled by these current limiting devices by their nature disrupt the data communications on the spur. A short circuit on a spur for example will prevent a data telegram being sent successfully from a device. However, a short duration fault of this kind can actually be handled by a Fieldbus' data telegram retry mechanism, because if it clears before the end of the retry cycle then a data telegram will be sent successfully. The retry mechanism can also accommodate intermittent faults up to a point, provided they do not occur in quick enough succession throughout the duration of the retry mechanism to disrupt every attempt to send a data telegram. However, if the spur protection electronics applied to a spur simply isolates it when any fault is detected, this will obviously prevent any data communications from being successful. This is particular issue with the device in the applicant's co-pending patent application WO2011148127, because it also generates a deliberate short circuit in response to other kinds of possibly non-data disruptive faults, which obviously results in the spur being fully or partially isolated more often, and the data communications prevented.