Network Architecture in the Post-DCS Era
Ethernet is the medium of choice for host-level networking. However, it must not be forgotten which protocol runs on that medium. Ethernet alone does not provide interoperability, not even in conjunction with TCP/IP.
There must be a standard application layer protocol such as FOUNDATION(tm) HSE. Also, do not fixate on Ethernet alone. You must look at the system from a complete network architecture perspective, including a field-level and a host-level network that, in order to be homogeneous, should use the same application layer protocol. Such is the case for FOUNDATION(tm) Fieldbus H1 and HSE.
FOUNDATION(tm) Fieldbus technology has enabled a new and leaner system architecture that is open and interoperable. This new architecture is lower cost, is more scalable and provides higher safety and availability than a DCS. It is characterized by having two network levels: the "H1" field-level network and the "HSE" host-level network. The first-generation Fieldbus systems used only H1 and maintained a proprietary control-level network, whereas second-generation Fieldbus systems using H1 and HSE are now completely open. The H1 network connects multiple field instruments over long distances and also provides power to these instruments, all over just two wires. The HSE network connects to the H1 networks through linking devices.
Figure 1 The Smar DFI302 linking device joins FOUNDATION(tm) Fieldbus HSE and H1 in SYSTEM302
The HSE network connects to the linking devices and to host computers. HSE is built on Ethernet media and uses UDP/IP as transport. FOUNDATION(tm) Fieldbus specifies not only the communication protocol, but also a function block diagram programming language to build control strategies. These function blocks can execute in devices on both H1 and HSE networks, although control is typically decentralized into the field devices to improve the availability of the system. This architecture is therefore frequently referred to as FCS (Field Control System). Another benefit is that proprietary languages are eliminated. Because the field instruments in a Fieldbus-based system are so tightly integrated, they are now considered an integral part of the system. The operator consoles of the system are referred to as the "host".
Inherent fault tolerance
Because the shared centralized multiloop controllers associated with a DCS are replaced by control distributed into the field devices, the availability of the system is increased: one device controls only a single control loop. In addition to having high fault tolerance, Fieldbus is also very safe because the FOUNDATION(tm) Fieldbus function block programming language includes automatic interlocks that gracefully shut a loop down in case of instrument or communication failure.
HSE is the only open Ethernet-based protocol that has an interoperable standard mechanism for redundancy. HSE primarily uses a hub-based star topology with UTP cabling, which has the advantage that there is only one device per wire, i.e. at most one device is shut down if the cable is damaged. This alone already limits the impact of a fault.
For additional fault tolerance, redundant networking can be used. This includes redundant wires and redundant hubs, providing alternate communication paths for complete network integrity and ensuring that a single fault does not cause an overall loss of communication. If part of the primary network fails, the secondary is still intact. Redundant Ethernet device pairs and the workstations are connected to both networks. The switchover is totally bumpless and transparent.
HSE takes host-level redundancy further than simple media redundancy. In addition to dual networks, HSE devices can also have dual Ethernet ports, and dual redundant pairs of Ethernet devices can also be used. This means that a primary and a secondary linking device can both be connected to the same H1 field-level network, providing two interfaces and two completely separate communication paths from the H1 Fieldbus to the host. In case of any fault along the primary path, data can still pass through on the secondary path. This ensures that the plant floor data reaches the operator even if one interface fails, always providing a window to the process. The primary and secondary linking devices can be physically separated to reduce the risk of common stresses such as a backplane fault.
There are several options for redundancy configuration. Either single-port devices can be used, with the primary device connected to the primary network and the secondary device connected to the secondary network, or two two-port HSE devices can be used, with the primary and the secondary each connected to both the primary and the secondary network.
The philosophy of HSE redundancy is that of "operational transparency and diagnostic visibility": the control application sees only the primary or the secondary Ethernet device, depending on which one is active, whereas the system diagnostics see both in order to make sure that even the inactive devices are fully functional and ready to take over at any moment. Wide diagnostic coverage is an integral part of the HSE protocol, going far beyond just hardware duplication. Every HSE device, including the host, independently keeps track of the status of the networks and all the devices on them. Because HSE is not only Ethernet media but also has a standard application layer, devices from different manufacturers periodically exchange their view of the network with each other using diagnostic messages, which also serve as a sign-of-life indication. Every device has a complete picture of the network, so it can intelligently select which network, device and port to communicate with. Failure detection covers late, lost and duplicated messages. Through exhaustive network diagnostics every device knows the health of the primary and secondary as well as of communication ports A and B of every other device on the network.
Diagnostics in each device detect failures, allowing the device to respond to and circumvent these faults as well as notify the operator. No other standard protocol has this level of redundancy capability. Because the redundancy management is distributed to each device, no centralized "redundancy manager" is required. In this way the Achilles heel of centralized architectures is again avoided.
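The per-device bookkeeping described above, as an added example that is not part of the original article and does not reproduce the HSE specification's message format. The sequence-numbered diagnostic message, the thresholds and the names LD1, LD2, NetworkView and PathState are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PERIOD = 1.0       # assumed diagnostic message interval (s), not from the HSE spec
LATE_FACTOR = 1.5  # a gap above 1.5 periods per message counts as late
DEAD_FACTOR = 3.0  # silence above 3 periods marks the path as failed

@dataclass
class PathState:
    last_seq: Optional[int] = None
    last_seen: float = 0.0
    late: int = 0
    lost: int = 0
    duplicate: int = 0

class NetworkView:
    """One device's local picture of every (device, port) path."""
    def __init__(self):
        self.paths = {}

    def on_diagnostic(self, device, port, seq, now):
        st = self.paths.setdefault((device, port), PathState())
        if st.last_seq is not None:
            step = seq - st.last_seq
            if step <= 0:              # same or older sequence number seen again
                st.duplicate += 1
                return st
            st.lost += step - 1        # skipped sequence numbers never arrived
            if now - st.last_seen > LATE_FACTOR * PERIOD * step:
                st.late += 1
        st.last_seq, st.last_seen = seq, now
        return st

    def healthy(self, device, port, now):
        st = self.paths.get((device, port))
        return st is not None and now - st.last_seen <= DEAD_FACTOR * PERIOD

    def select(self, preference, now):
        """Return the first healthy (device, port) in preference order, or None."""
        return next((p for p in preference if self.healthy(*p, now)), None)

def replay_constructed_trace():
    # Constructed trace: primary LD1 port A misbehaves, then goes silent after t=5.0
    view = NetworkView()
    trace = [("LD1", "A", 1, 0.0), ("LD1", "A", 2, 1.0), ("LD1", "A", 2, 1.1),
             ("LD1", "A", 4, 3.0), ("LD1", "A", 5, 5.0)]
    trace += [("LD2", "B", n, 0.2 + (n - 1)) for n in range(1, 11)]
    for device, port, seq, now in sorted(trace, key=lambda e: e[3]):
        view.on_diagnostic(device, port, seq, now)
    return view
```

Each device runs its own NetworkView, so the choice of path needs no central redundancy manager; the counters are what would feed the operator notification.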
Fibre optic media can be employed to increase tolerance towards electrical noise and ground potential differences further increasing the robustness of the system.
Because the FCS architecture is much leaner with less hardware, it is lower cost already at the time of purchase. Additional savings come from the simpler engineering and installation. For example, one Smar DFI302 linking device used in SYSTEM302 links 64 instruments and is extremely compact, measuring only 14 by 16 cm and weighing only 1.6 kg, yet it includes interface, processor and power supply for all those devices in a single integrated unit. That compares very favourably to a DCS that needs CPU, I/O-subsystem networking, I/O-modules, termination, marshalling and fusing cards, not to mention an entire panel and wiring.
Contrary to the DCS, in an FCS adding a device means adding resources. In the FCS, adding instruments means more CPUs, more memory and more computing power in the system. Though it is counterintuitive at first, the more you "load" the system the more powerful it gets. Every device added is o