Wireless communications in safety systems
14 February 2012
The motivating factors for installing wireless sensors are easy to see – simplicity of installation and operational flexibility. However, there are also potential challenges. The main challenges for safe wireless communication are to guarantee a short response time and to immediately detect loss of contact with sensors. Control Engineering Europe reports on a possible solution.
Wireless instruments are most often battery powered which means they are energy constrained and the rate at which they can report process values is limited. For the majority of process monitoring applications, this is not a major obstacle as the process values in question will change relatively slowly. For safety applications, the picture is different. Here, continuous monitoring is necessary and a short response time needs to be guaranteed if a safety critical situation arises. However, the average bandwidth requirement is modest, so the primary problem in designing a wireless safety system is having a guaranteed short latency while not depleting the batteries. In addition, full control of all network message traffic is required, and loss of contact with a device must be identified immediately.
To overcome this issue, GasSecure has developed an optical gas detector, which operates with significantly lower power consumption than other state-of-the-art detector units. This allows for wireless operation with battery life exceeding two years. In addition, it does not need recalibration.
The GS01 detector is intended for both monitoring and safety applications. In safety applications, communication with the controller needs to meet reliability requirements according to SIL2 guidelines as described in IEC 61508 Ed2.0. GasSecure’s wireless communication system, SafeWireless, meets the need for fast response time, power efficiency and full control of network traffic. The detector itself has also been developed according to IEC 61508 Ed2.0 and meets the performance requirements of IEC 60079-29-1.
Simple wireless networks, like WLAN, rely on an adequate radio connection between the information source and receiver. However, this connection cannot be assumed, so additional wireless nodes are installed to act as relays. These nodes may also have sensing capability and may, or may not, be battery powered. Having relay nodes in the network has the benefit of creating secondary paths. If the normal path used by a node is obstructed or becomes unavailable, the information source may choose to transmit its data along the secondary path. This leads to highly stable and predictable networks.
The deployment of a wireless sensor network is simple. The nodes are placed in their desired locations and powered on. Each node will then confer with its neighbours, obtaining an image of the network and the available paths to the network gateway. The network information will include not only what neighbours are available for communication, but also the associated quality of each individual link. The aggregated information is stored in the gateway, which is responsible for scheduling communication opportunities.
Once the network has stabilised, the traffic intensity drops. However, the nodes will continue to update their neighbour link information, including the possible removal or addition of nodes. In this way it becomes adaptable to changes in the topology or of the environment.
There are several communication protocols to choose from in the wireless sensor network area. The gas detector and gateway from GasSecure have been designed to handle both WirelessHART and ISA100.11a. While standards ensure interoperability between different vendors of equipment, it is still possible to tailor the gateway to obtain a performance that is optimised for a particular application. One typical parameter to optimise is the number of allowed radio hops in the network. Increasing the number of hops allows networks spanning a large geographical area while increasing both the latency of the packets and the processing load on the relay nodes. Similarly, the maximum number of children associated with any node may be configured. A large number enables the formation of dense networks. The flip side is the increased bandwidth demand on the relay node catering for the routing needs of a large number of devices.
Fulfilling SIL2 requirements
For safe communication at SIL2, four error handling mechanisms need to be supported – sequence numbering, timeout in the absence of response, device code name, and data consistency checking – to detect failures of the safety device in terms of packet loss, unacceptable network delay, bit errors or replay attacks.
A safety controller will send a packet equipped with the four above mechanisms. The safety device needs to respond to that packet within the process safety time. If the device does not respond before the safety time elapses, the device is marked as unavailable in the control system. It is fundamental to the operation of all safety systems that the exchange of safe packets is initiated by the controller and that there is a one-to-one correspondence between the packet sent and the packet received. Once the controller receives a response, a new request can be issued.
Several options exist for implementing the four required safety features. The approach chosen by GasSecure is to base the product on a certified implementation of an open safety protocol – PROFIsafe over PROFINET – due to the widespread use of the latter in process control applications. Other safety protocols may be implemented following the same principles of operation. The communication stack in the three entities can be viewed in Figure 1. The gateway has PROFINET implemented in order to communicate with the controller. It does not need PROFIsafe, as this is relevant only to the controller and the device.
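To make the four mechanisms and the controller-side timeout concrete, here is an added Python example; it is not GasSecure's or PROFIsafe's code, and the frame layout, the CRC-32 choice and the device code value are assumptions for illustration.

```python
import zlib
from dataclasses import dataclass
# Added example (not GasSecure or PROFIsafe code): toy safe-packet exchange with the
# four SIL2 checks named above plus the controller timeout; fields and CRC are constructed.
PROCESS_SAFETY_TIME = 60.0  # s, IEC 60079-29-1 for hydrocarbon gas detection
REQUEST_INTERVAL = 20.0     # s, so three request attempts fit in the safety time
ATTEMPTS = int(PROCESS_SAFETY_TIME // REQUEST_INTERVAL)  # 3

def consistency_check(seq, code, payload):
    """Data-consistency check over every protected field (CRC-32 here)."""
    return zlib.crc32(f"{seq}|{code}|{payload}".encode())

@dataclass
class SafeFrame:
    seq: int      # sequence number: detects loss, duplication and replay
    code: str     # device code name: detects packets meant for another device
    payload: str
    check: int    # data-consistency value: detects bit errors

def make_frame(seq, code, payload):
    return SafeFrame(seq, code, payload, consistency_check(seq, code, payload))

class SafeDevice:
    """Detector side: a request is accepted only if all checks pass."""
    def __init__(self, code):
        self.code = code
        self.last_seq = -1
    def validate(self, frame):
        if frame.code != self.code:
            return "wrong device code"
        if frame.check != consistency_check(frame.seq, frame.code, frame.payload):
            return "consistency check failed"
        if frame.seq <= self.last_seq:
            return "stale sequence number (replay or duplicate)"
        self.last_seq = frame.seq
        return "ok"

def time_marked_unavailable(response_times, start=0.0):
    """Controller side: the moment PROCESS_SAFETY_TIME elapses with no accepted
    response, or None if every gap in response_times is within the limit."""
    last = start
    for t in sorted(response_times):
        if t - last > PROCESS_SAFETY_TIME:
            return last + PROCESS_SAFETY_TIME
        last = t
    return None

def lost_cycle_probability(p_loss, attempts=ATTEMPTS):
    """All attempts in one safety time lost, assuming independent packet losses."""
    return p_loss ** attempts
```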
The process safety time for hydrocarbon gas detection, as defined by IEC 60079-29-1, is 60 seconds. In order for the device to be defined as safe by the control system it needs to respond to safe request packets within this time. Given that wireless packets may get lost in transmission, it is prudent to make several attempts at transmitting the packet within the process safety time. However, there is a trade-off. Frequent downlink transmissions will deplete batteries quickly but have a high probability of getting the message through, while rare transmissions save the batteries and reduce the success probability and thus the availability of the device. A reasonable balance between energy consumption and probability of success is to have three attempts within the process safety time.
GasSecure will provide a response time of five seconds from when gas enters the detector to when the event information is received at the controller. In order to fulfil this requirement, and with three seconds for analysis at the detector, there need to be opportunities to send uplink packets once every two seconds. Therefore, during setup, the detector requests that bandwidth is set aside for this uplink transmission rate. The transmit opportunity is most often not used by the gas detector, and so results in only minimal extra power consumption. However, the fact that bandwidth has been reserved meets the latency requirement.
To further optimise the network for the gas detection application, GasSecure limits the number of hops to two and the number of devices per gateway to 25. This gives good geographical coverage and will support reasonably dense networks. At the same time, it will not adversely affect the energy consumption of the devices. It is important to note that although the gateway now has been optimised for the gas detection application, it will still be a regular ISA100.11a gateway able to serve other ISA100.11a devices.
When gas is detected by the device, it needs to report the event quickly. However, downlink safe request packets only arrive once every 20 seconds and there is a one-to-one mapping between request and response. In other words, once the detector has responded to a safe request it is unable to report gas until a new request has been received. This issue has been overcome by delaying the safe response until just before a new request is expected. This keeps the blind time to just two seconds, and the detector is always ready to report gas should it be necessary. Most uplink packets will therefore be safe responses sent once every 20 seconds, containing only status information from the detector. They serve primarily as an ‘alive’ signal, indicating to the control system that the detector is operating as it should and that the communication link is open.
It has been estimated that the battery will last for two years of continuous operation under normal conditions. For longer life the time between uplink transmission opportunities can be increased from two to, say, four seconds. This will increase the total detector response time from five to seven seconds. Alternatively, and under the assumption that all GS01s are in close proximity, the topology can be limited to a star network. In such a configuration no GS01 will be called upon to route for others, and can hence spend more time in low power mode.
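The scheduling described in the preceding paragraphs, as an added Python model that is not GasSecure code: it uses the article's figures (3 s analysis, 2 s uplink slots, 20 s safe requests, 5 s response) and assumes uplink slots at multiples of the slot period and safe requests at multiples of 20 seconds. It also covers the 4 s slot variant and, for comparison, a detector that answers each request immediately instead of delaying its response.

```python
import math

# Added example (not GasSecure code): a timing model of the uplink scheduling and
# delayed safe response described above. Numbers are the article's (3 s analysis,
# 2 s uplink slots, 20 s safe requests, 5 s response); aligning slots to multiples
# of the slot period and requests to multiples of 20 s are assumptions.
ANALYSIS_TIME = 3.0      # s from gas entering the detector to a decision
REQUEST_INTERVAL = 20.0  # s between downlink safe requests

def next_slot(t, period):
    """First reserved uplink opportunity strictly after time t."""
    return (math.floor(t / period) + 1) * period

def worst_case_latency(slot_period=2.0):
    """Analysis time plus one full slot period: 5 s for 2 s slots, 7 s for 4 s."""
    return ANALYSIS_TIME + slot_period

def blind_time(slot_period=2.0, delayed_response=True):
    """Window per request cycle in which no alarm can be sent."""
    return slot_period if delayed_response else REQUEST_INTERVAL - slot_period

def alarm_arrival(gas_time, slot_period=2.0, delayed_response=True):
    """Time the alarm reaches the controller for gas entering at gas_time.

    With delayed_response the detector holds each safe response until one slot
    period before the next request, so an alarm can ride any slot outside that
    final period. Without it the detector answers in the first slot after the
    request and is then blind until the next request arrives.
    """
    ready = gas_time + ANALYSIS_TIME
    t_req = math.floor(ready / REQUEST_INTERVAL) * REQUEST_INTERVAL  # last request
    blind_start = (t_req + REQUEST_INTERVAL - slot_period if delayed_response
                   else next_slot(t_req, slot_period))
    if ready >= blind_start:
        # the one permitted response is already spent: wait for the next request
        return next_slot(t_req + REQUEST_INTERVAL, slot_period)
    return next_slot(ready, slot_period)
```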
For non-safety applications, the GS01 can be used in other ISA100.11a networks in parallel with devices from other vendors. Here, the restrictions regarding maximum hop count and number of devices no longer apply.