ESD thru MODBUS??


Thread Starter

PANDU

Hi all

I would like to take your idea about my issue.

One of my panels is provided with MODBUS RS485 communication, and one of the signals from that panel is supposed to trip the plant, i.e. work as ESD. Now my question is: is it OK to carry a shutdown command thru MODBUS??

My opinion is NO, as MODBUS communication is slow, hence it should not be used. Anybody agree / disagree with me?

Please discuss and provide your valuable inputs.

Rgds,
pandu
 

bob peterson

I am not sure the speed of Modbus is the only issue. How reliable it is, and how hard it is to detect comm failures, are two other issues.

--
Bob
 
Speed, in fact, would ONLY be an issue if the actual deterministic speed to transfer the signal between systems is slow enough such that the event you are trying to protect against might occur. If the ESD event is, say, temperature based, and the rate of change is slow, the speed would probably NOT be an issue. I would say that speed is certainly something to evaluate, but Modbus can't simply be ruled out because of speed. A good rule of thumb is that the speed should be such that the ESD signal will be sent 2 or 3 times before the protective action is required to be taken.

Remember that the Modbus speed will depend greatly on the quantity and type (boolean/integer) of data being sent. If you can limit the data set you can speed up the communication rate. If the device has more than one port, you could send critical data over a "fast" interface, and everything else through the secondary interface. I would bet that you could have a Modbus interface with three or four data points that is as fast as 50 msec.

Moving on from speed, if using Modbus you should have a loss of communication set of logic. I would set the ESD to look at something that continually changes in the device, such as the device clock second hand value. If that is not available, I would go so far as to create an up-counter in the device. Something that keeps changing. Then in the ESD system look at the rate of change of that clock/counter. The logic needs to be able to handle a reset to zero and not hang up if the value stops at zero. When the rate of change approaches zero, determine what action to take. Alarm for X time, then follow up with an emergency shut down after Y time would be an example.

Some additional considerations would be the infrastructure. The more stuff you have (media converters) the lower the reliability will be. If you must have something that is powered up, consider the power source and monitoring of that source, along with what action to take. If you have redundancy, monitoring of the backup system is critical. If you don't monitor the backup, the MTTR will be such that all of the added complexity did not help much at all in terms of overall reliability.

Another would be security. If the Modbus interface allows someone to reconfigure the ESD from the end device, that needs to be mitigated.

For those that think that a simple single discrete signal between the two systems is the best, I would disagree. If energize/close to trip, you then need to monitor the control power. What if the control power is sensed as being bad when it is not? You would probably have voted the system to a safe state. If de-energize/open to trip, a loose wire will take you off. Nothing is that simple. My personal favorite is actually three 4-20 mA analog inputs for each signal, with independent primary devices. But to convince people to pay for that is another problem.

In closing, using Modbus, as long as the data transfer time is acceptable for the application, and there is logic that takes appropriate action on loss of communication, and the communication infrastructure is solid, and the system is secure, you should have a safe system.
 

Lynn August Linse

I would take it into a slightly different direction. Certified SIL 'safety systems' have been built from CANBus and Rockwell protocols. They all work on the watchdog time-out principle which says "use data comm to 'suppress' ESD, not initiate it." So what makes them safe is fail-safe timers, which say 'if no update, then ESD/shutdown.'

So Modbus for ESD would be fine if the Modbus was PREVENTING the ESD system from shutting down. If the Modbus fails, the ESD system kicks in.

If you are trusting Modbus to actually initiate the ESD, then I would agree with you that Modbus is not up to the task. One could imagine a simple failure (a loose RS-485 wire!) which 100% disables the ability to use Modbus to activate ESD.
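The loss-of-communication logic described earlier in the thread (watch a continually changing counter, tolerate a reset to zero, alarm after X and trip after Y) and the fail-safe timer principle above (comms suppress the ESD, never initiate it) as one added Python example; it is not code from the thread, and the polled register, poll times and X/Y values are constructed assumptions.

```python
# Added example (not from the thread): fail-safe heartbeat supervisor for an
# ESD fed over Modbus. The remote device exposes a value that keeps changing
# (clock seconds or an up-counter in a holding register); the ESD side polls it
# and only SUPPRESSES the trip while it changes. X and Y below are assumed.
ALARM_AFTER = 2.0   # X: seconds without a change before raising an alarm
TRIP_AFTER = 5.0    # Y: seconds without a change before tripping

class HeartbeatSupervisor:
    def __init__(self, alarm_after=ALARM_AFTER, trip_after=TRIP_AFTER):
        self.alarm_after = alarm_after
        self.trip_after = trip_after
        self.last_value = None    # last value successfully read
        self.last_change = None   # time the value last changed
        self.tripped = False      # a trip latches until an explicit reset

    def update(self, now, value):
        """Feed one poll result (value=None: the Modbus read failed).
        Returns 'OK', 'ALARM' or 'TRIP'. Any change, including a wrap or a
        reset to 0, is a heartbeat; a value that stays at 0 is not."""
        if self.tripped:
            return 'TRIP'
        if self.last_change is None:
            # The first poll starts the clock even if the read failed, so a
            # device that never answers still trips after TRIP_AFTER.
            self.last_change, self.last_value = now, value
        elif value is not None and value != self.last_value:
            self.last_change, self.last_value = now, value
        stale = now - self.last_change
        if stale >= self.trip_after:
            self.tripped = True
            return 'TRIP'
        return 'ALARM' if stale >= self.alarm_after else 'OK'

    def reset(self, now):
        """Deliberate operator reset after a trip; watchdog restarts from now."""
        self.tripped = False
        self.last_change, self.last_value = now, None

def run_sequence(samples, **kwargs):
    """Replay constructed (time, value) polls through one supervisor."""
    sup = HeartbeatSupervisor(**kwargs)
    return [sup.update(t, v) for t, v in samples]

# Constructed poll log: counter runs, resets to 0, sticks at 0, then reads fail.
SAMPLE_POLLS = [(0.0, 10), (1.0, 11), (2.0, 0), (3.5, 0), (4.5, 0),
                (6.0, None), (7.0, None), (8.0, 99)]
```

In a real system feed `update()` from a monotonic clock on every poll cycle and drive a de-energize-to-trip output from the returned state, so a stalled bus, a loose RS-485 wire or a dead device all land on the trip.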
 
As it is ESD, it would be preferable if the signals are "hardwired" rather than soft signals, if the signals are very, very critical to the plant and process having a safe shutdown...
 
> In closing, using Modbus, as long as the data transfer time is acceptable for the application,
> and there is logic that takes appropriate action on loss of communication, and the
> communication infrastructure is solid, and the system is secure, you ~should~ have a safe system.

I agree, but unfortunately "should" in an ESD system isn't really good enough. If something goes wrong and you find yourself in court trying to defend your actions, then I'd be very uncomfortable trying to defend a critical signal being transferred over a Modbus serial link. Use a hardwired signal.
 
> In closing, using Modbus, as long as the data transfer time is acceptable for
> the application, and there is logic that takes appropriate action on loss of
> communication, and the communication infrastructure is solid, and the system
> is secure, you should have a safe system.

For heavy industries (Oil & Gas), failure of communication might be catastrophic, since it will lead to complete loss of plant inventory in a few seconds. My question is, from the reliability side, is there a standard like API or similar giving the rules on how and where communication can be used to transfer ESD signals? I have a case of a communication failure in the LNG industry that caused a massive loss.
 
R
I think you need to define what you mean by ESD.

If it's a SIL rated system, no, you cannot use Modbus for the SIL rated functions.

It is, however, OK to stop and start something in a SIL rated ESD system by Modbus, e.g. a pump, but all the safety trips must be wired into the ESD system.

In other words the operator can stop and start via Modbus but the emergency stop should be hardwired to the ESD system or perhaps directly to the starter.
 
R
> I don't think speed is the only issue; it can be another thing like
> comm failures.

Comms is CRC16 protected on Modbus, so it's safe.
It is a master and many slaves topology, and RS485 can become transmit blocked. If a blocked comms system can become a dangerous failure, then I would not recommend RS485.

CANbus is a better bet really.
 