How to Fully Benefit from Function Blocks of Foundation Fieldbus for Digital Cascade Control with High System Safety

This paper presents a useful technique for configuring function blocks in Foundation Fieldbus H1 devices to form powerful digital cascade control that can take special action in the event of abnormal conditions. For high system safety, which often contradicts high availability, suggestions on how to fully benefit from standard function blocks with built-in interlock and bumpless transfer functionalities using parameter status are described. Experimental results obtained from a plant model for level-to-flow cascade control by configuring different status options, control options, and input/output options of the function blocks in response to undesired conditions are also included.


Introduction
The consistent trend for networks used in all areas of automation is definitely toward digital communications (1). Its major advantage is that a great deal of information can be communicated on a single pair of wires forming a multidrop network. However, there is no one-size-fits-all solution for industrial automation networks. Factory automation, process automation, and building automation networks perform different tasks. Similarly, there are distinct differences between tasks performed for applications in different industry sectors, which all have unique features and varying requirements. Foundation Fieldbus (FF) H1, included in the IEC 61158 standard, is one of the all-digital communication networks designed specifically for field-level interface and device integration in process automation. It replaces conventional analog 4-20 mA and on/off signals for linking transmitters, control valve positioners, analyzers, and on/off valves to distributed control systems (DCS), programmable logic controllers (PLC), and other automation systems (2). Additionally, the communication is time-synchronized and scheduled to ensure deterministic digital closed-loop control (3). FF H1 also supports centralized device configuration, diagnostics, and viewing of internal variables. This means that all data about the device on the site are visible from the host in a central control room and can be accessed remotely over the network at any time. It is possible to set new measurement ranges, check the last calibration record, and reconfigure and diagnose the device without having to send someone into the field. This was never possible in the past because traditional analog systems could only handle device input/output signals without providing access to intelligence in the field instruments. An analog control system does not access field device diagnostics; it only accepts process variables from its transmitters and sends out nothing but manipulated variables to the control valve positioners. Configuration would be done using a handheld terminal directly connected to the 4-20 mA device wires in the field. Conventional transmitters and DCS do not have the means to exchange status information because of the limitations of 4-20 mA.
Availability and safety of the system are quite different. In the presence of a fault, the goal of availability is to keep the process running to reduce production losses, whereas the goal of safety is to shut the process down to minimize the risk of harm to people, environment, and property. A process control system performs control that is traditionally targeted toward a high degree of availability, which is distinct from a safety-related system that is targeted toward a high level of safety. The safety-related system, which implements functional safety and provides conformity to the related safety standards such as IEC 61508 and IEC 61511, should be reliable. Its failures should be dealt with at the required safety integrity level (SIL), which is used to describe system performance. Four levels are defined, with SIL 4 providing the highest reliability and SIL 1 offering the lowest reliability. For control loops that need no SIL-rated shutdown interlocks, plants can use the digital fieldbus technologies to provide safety beyond that found in basic control systems using conventional analog technology. Normally, a transmitter output current below 3.8 mA or above 20.5 mA is taken to indicate a fault and to trigger the interlocks so that shutdown action can be taken. In traditional systems, the faults of control valve positioners are difficult to detect because most analog valve positioners do not have actual position feedback to the control room. Undetected faults are very dangerous because the process is not shut down. Moreover, in analog systems, the faults often pass unnoticed, and dangerous control may continue because of an untrue value from a failed transmitter. A device failure indication means that the loop will be shut down. With advanced FF H1 technology, a sensor failure is detected and communicated, which allows a basic PID loop to be shut down (4). This shutdown logic is built into function blocks located in field devices and only needs to be enabled. Therefore, FF H1 instruments themselves automatically ensure graceful shutdown without the need for a host controller. In addition, FF function blocks provide several options for bringing control to manual or shutting the loop down. With no real-time signal status and data quality of measurement and control variables, there is a heightened risk of surprise shutdowns caused by unforeseen failures. However, there has been no technical guideline in the open literature for configuring the FF function blocks used in cascade control to balance the interests of safety and availability.
The aim of this paper is to introduce a technique based on the use of all-digital FF technology for improving the safety of cascade control to a level well above that of a conventional analog system. The proposed technique can be applied as a guideline to fully benefit from FF function blocks that provide powerful functionality as well as to balance safety and availability for cascade control. This paper is organized in five sections including this introduction. The next section gives a brief overview of the FF-based cascade control strategy. Section 3 describes the proposed technique. Section 4 shows the experimental setup and results, and the last section provides the conclusion.

Digital Cascade Control Using Foundation Fieldbus

Powerful Function Blocks
Data handled within FF systems for control strategy are arranged into software modules known as function blocks. The measured or processed parameters in function blocks are composed of two elements: value and status. The status contains additional validation information about the value and consists of three parts: quality, quality substatus, and limit condition. The quality is the general validity of the value, which indicates that the value is good for control, uncertain, or bad (fault). The FF standard defines how function blocks interact with each other. Thus function blocks can be assigned in devices from different manufacturers and still propagate parameter values and status seamlessly. It is very helpful to refer to the status of parameters when troubleshooting since the status indicates a hardware, communication, or other fault. The FF function blocks, with features of status propagation, block mode shedding, and cascade initialization mechanism, provide not only automatic interlocks and bumpless transfer between blocks but also reset windup protection on the control loop. In addition, the FF devices distinguish between serious problems and less serious problems by indicating 'Bad' and 'Uncertain' status, respectively. The 'Bad' status has higher priority than 'Uncertain'. This makes it possible to balance the interests of safety and availability.

Digital Control Loop Using FF Technology
A control loop utilizing FF technology can be configured as a series of software function blocks located in field devices. The input and output parameters of these blocks can be linked over the network. Parameters for communication between field instruments have been tightly standardized. This enables function blocks in the field devices to use data from devices made by other manufacturers directly, without further processing or interpretation. An FF-based control loop is, therefore, entirely digital from transmitter to control valve positioner without intermediate analog signals. This eliminates the digital-to-analog (D/A) and analog-to-digital (A/D) conversions required in field instruments and systems using analog 4-20 mA technology. Fewer signal conversions lead to higher resolution and accuracy. FF function blocks provide computation and arithmetic capabilities as well as control system behavior, whenever there is a need to calculate or compensate a value in the device. For example, a transmitter can perform process measurement, associated compensation, and totalization. A control valve positioner not only positions the control valve but also performs flow characterization and process loop control. The function blocks commonly used for implementing feedback control loops are analog input (AI) blocks, analog output (AO) blocks, and proportional/integral/derivative (PID) blocks.

Cascade Control Strategy Using FF Function Blocks
There are five major steps for creating a control strategy using FF technology, as illustrated in Fig. 1. A control strategy is built by selecting function blocks and linking them together, so process and manipulated variables can be passed from one block to the next. The blocks are able to handshake and propagate status along with the values that are passed from one block to another. These functions work across the devices of different manufacturers because of the standardized interoperation of links between the blocks.
Figure 2 shows a function block diagram of a cascade control strategy using five function blocks and having six block links. An output of the master PID block (PID1) becomes a setpoint of the slave PID block (PID2). A back-calculation output (BKCAL_OUT), containing both parameter value and status bits, of the downstream block (receiver of forward link) should be linked to a back-calculation input (BKCAL_IN) of the upstream block (source of forward link) to provide a number of useful interlocks and bumpless transfer between blocks. The BKCAL_OUT signal from the slave PID2 block is transmitted to the BKCAL_IN port of the master PID1. If the slave PID2 is not in cascade (CAS) mode, for example in automatic (AUTO) mode or initialization manual (IMAN) mode, or its setpoint source is not in cascade, then this signal forces the master PID1 into IMAN mode. The master PID1 block will initialize its output (OUT) to the value on the BKCAL_IN, that is, the same value as in the PID2 setpoint. This prevents windup of the master PID1 if its block output is broken in any way. Consequently, the cascade setpoint input (CAS_IN) of the slave PID2 will be identical to its own setpoint (SP) value. As a result, when the mode in the PID2 is switched back to CAS mode, there will be no bump in the SP value and therefore no bump on the output. Additionally, when the slave PID2 (or the master PID1) is in manual (MAN) mode, its SP value is forced to track its process variable (PV), if the SP tracking option is set. The BKCAL_OUT signal from the AO1 block is sent back to the BKCAL_IN port of the slave PID2. When the mode of the AO1 block is set to AUTO mode instead of the usual CAS mode, the slave PID2 block is informed through the link between BKCAL_OUT and BKCAL_IN and can thus initialize its output, therefore assuring bumpless transfer when the block is switched from MAN mode to AUTO mode. This same link also forces the slave PID2 into IMAN if the valve position is limited, either physically or in software. This prevents windup of the slave PID2.
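The back-calculation handshake between PID2 and PID1 can be illustrated with a small simulation. This is an added example, not code from the paper or from any FF device: the two classes are a reduced PI master and a setpoint-only slave, the `cascade_open` flag stands in for the BKCAL_OUT status bits, and the level error is held constant (the plant is not modelled) so the numbers are constructed.

```python
class MasterPI:
    """Master loop (PID1 on the page), reduced to a PI algorithm."""

    def __init__(self, kp, ki, bkcal_linked):
        self.kp, self.ki = kp, ki
        self.bkcal_linked = bkcal_linked   # is BKCAL_IN wired to the slave's BKCAL_OUT?
        self.integral = 0.0
        self.out = 0.0
        self.mode = "AUTO"

    def execute(self, sp, pv, bkcal_in):
        err = sp - pv
        if self.bkcal_linked and bkcal_in["cascade_open"]:
            # Slave is not taking our output: go to IMAN and track its setpoint.
            self.mode = "IMAN"
            self.out = bkcal_in["value"]
            self.integral = self.out - self.kp * err   # back-calculate the integral term
        else:
            self.mode = "AUTO"
            self.integral += self.ki * err             # keeps integrating (can wind up)
            self.out = self.kp * err + self.integral
        return self.out


class Slave:
    """Slave loop (PID2): only its setpoint handling and BKCAL_OUT are modelled."""

    def __init__(self):
        self.mode, self.sp = "CAS", 0.0

    def execute(self, cas_in):
        if self.mode == "CAS":
            self.sp = cas_in
        # 'cascade_open' is a simplification of the BKCAL_OUT status bits.
        return {"value": self.sp, "cascade_open": self.mode != "CAS"}


def run(bkcal_linked, level_sp=60.0, level_pv=55.0):
    """Constructed scenario: 5 scans in CAS, 20 scans with the slave in AUTO, back to CAS."""
    master, slave = MasterPI(kp=1.0, ki=0.5, bkcal_linked=bkcal_linked), Slave()
    bkcal = {"value": 0.0, "cascade_open": False}

    def scan():
        nonlocal bkcal
        bkcal = slave.execute(master.execute(level_sp, level_pv, bkcal))

    for _ in range(5):
        scan()
    slave.mode, slave.sp = "AUTO", 30.0          # operator takes the flow loop to AUTO
    for _ in range(20):
        scan()
    master_mode, sp_before = master.mode, slave.sp
    slave.mode = "CAS"                           # operator returns the flow loop to CAS
    scan()
    return {"master_mode_while_open": master_mode, "bump": abs(slave.sp - sp_before)}


if __name__ == "__main__":
    print("BKCAL link wired  :", run(True))
    print("BKCAL link missing:", run(False))
```

With the link wired the slave setpoint does not move on the return to CAS; without it the master has integrated for the whole time the cascade was open and the setpoint jumps.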

Proposed Technique
FF function blocks have many parameters. This is so they are flexible enough to be used in basically any application. In most instances, only a few of the parameters are utilized. Oftentimes, project engineers or users only have to configure the most common parameters, such as the familiar mode, input channel, transducer scale, and linearization type in the AI block, the familiar mode, tuning, and setpoint in the PID block, and the familiar mode and output channel in the AO block. For the vast majority of parameters, the default values are used. However, some parameters that can be enabled or disabled affect important shutdown interlocks. For example, a control loop action should be taken on either 'Bad' or 'Uncertain' status data quality. In FF technology, undesired conditions such as communication breakdown or device failure set the 'Bad' status in the associated blocks. For example, in the event of 'Bad' input from the AI block, the PID block generally goes into MAN mode to stop controlling and passes the status to the AO block. This will force the fault-state or fail-safe action to bring the loop to shutdown. The term 'fail-safe' implies fault-tolerant, as opposed to fault-free, operation. This means that a device or system is allowed to fail, but to a known 'safe' state. The fault state action is implemented in the AO block to shut down the basic controls when a failure is detected somewhere in the loop. For the case of the 'Bad' input, the PID block can optionally be configured through its status option parameter to pass a status to the AO block. This will force the fault state to bring the loop to a shutdown because the control cannot continue without input.
In order to create a cascade control loop that can take special action in the event of abnormal or undesired conditions, the parameters of interest of the AI1, AI2, PID1, PID2, and AO1 function blocks are given in Table 1. A link output parameter value is propagated together with status to the input parameter of the receiving block to inform whether a value is suitable for control. Status is employed for  A status options (STATUS_OPTS) parameter by which the block behavior can be configured in response to different conditions. Some of the control class function blocks make use of one or more options in the control options (CONTROL_OPTS) parameter, which allow the block behavior to be customized. Most of the output class function blocks, such as the AO block, make use of one or more options in the input/output options (IO_OPTS) parameter that make it possible to customize the block behavior.
The options of interest for configuring the function blocks in the cascade control loop of Fig. 2 are given in Tables 2-5. Some suggestions on how to configure the parameters referred to in Table 1 for balancing the interests of safety and availability are summarized in Table 6. It should be noted that for a majority of the options the default setting is aimed toward process control availability rather than safety.

Configuring Cascade Control in the DeltaV
In the DeltaV system, the Control Studio application was used to create the control strategy in our study (see Fig. 5). The AI1 and AI2 function blocks were assigned to the LIT_201 and FIT_201 transmitters. The master PID1 and slave PID2 blocks were located in the LIT_201 and LCV_201, respectively, for effective network scheduled communications (5). The AO function block was located in the LCV_201. Two different conditions (safety vs. availability) from Table 6 were used for configuring the function blocks in order to evaluate the loop behavior in the event of abnormal conditions. Three cases of failure conditions were experimentally tested: failure of FIT_201, failure of LIT_201, and failure of LCV_201.

Experimental Results
The flow transmitter FIT_201 was powered off to mimic the failure of the secondary PV of the AI2 block in the FIT_201. When the controlled variable input (IN) to the slave PID2 block is the algorithm in the PID2 block cannot function. However, it can be bypassed for achieving a high degree of availability of the process control, which lets the   The experimental results are displayed in 9. In the event of the actuator failure, the AO block goes into the LO mode and a 'BAD' status is set on its BKCAL_OUT. When the slave PID2 block receives this status on its BKCAL_IN, the block goes to IMAN mode (see Fig. 9(b)). This ensures that control using the failed actuator is not attempted and at the same time prevents reset windup.
In order to obtain true windup protection and bumpless transfer, the 'Use PV for BKCAL_OUT' option in the AO1 block should be enabled. The true valve position is then used for the BKCAL_OUT for the normal built-in cascade initialization feature. This means that if the cascade has been broken, it can be returned to normal operation without jerking the actual control valve positioner. Additionally, if the control valve reaches either the fully closed or the fully opened endpoint, the AO1 block will set the corresponding limit in the status element of the BKCAL_OUT parameter. This informs the PID2 block not to push its output further in that direction. This action prevents reset windup in the PID2 block in the same way that feedback from limit switches did in the past using conventional analog technology.

Conclusion
Function block configuration to form powerful digital cascade control that can take special action in the event of undesired conditions has been described in this paper. From the discussion of the experimental results, it is seen that using FF H1 technology for cascade control is a good idea because it enables some of the features and characteristics previously only found in a full-fledged safety-related system to be used in basic controls. However, for sites that have process units that have been assigned as having hazard or high risk, an approved safety-related system of a suitable requirement class should be utilized.

Figure 3 shows a piping and instrumentation diagram (P&ID) of the level-control plant model used in experiments for actual observation in the case study, where FIT_201 (externally powered), LCV_201 (bus powered), and LIT_201 (bus powered) are FF H1 devices. Some major details of the FF H1 instruments used are summarized in Table A liquid level of Tank-2 is specified as the controlled variable. The FIT_201 and LIT_201 are used to measure the inlet flow and the liquid level of Tank-2, respectively.

Figure 4 displays the FF-based network architecture of the studied system used in experiments for our case study. At the FF-HSE host-level network built on Ethernet wiring, there are the DeltaV host workstation, controller, and Fieldbus H1 card. The Fieldbus H1 card functions as an FF HSE/H1 linking device, which buffers messages to take care of the difference in transmission speed between HSE and H1. The DeltaV workstation accesses data through the linking device. At the FF-H1 network, there are field devices installed in the level-control plant model of Fig. 3.

Fig. 5. Screenshot of the DeltaV Control Studio in offline mode to configure test conditions.
Fig. 6. Results for configuring the blocks for availability in the case of the secondary PV failure. (a) Screenshot of DeltaV Studio in online mode. (b) Screenshot of DeltaV Operate (RUN).
Fig. 7. Results for configuring the blocks for safety in the case of the secondary PV failure. (a) Screenshot of DeltaV Studio in online mode. (b) Screenshot of DeltaV Operate (RUN).
master PID1 to control the AO1 block directly as shown in Fig. 6 by enabling the bypass feature by setting the option 'Bypass Enable' in the slave PID2 block. In the case of configuring function blocks for high system safety by deactivating the bypass function in the PID2 block and enabling the option 'Fault State to value' (setting an example of the value of 40%), the results are illustrated in Fig. 7. It is seen that in the event of the 'Bad' IN of the slave PID2 block, the AO1 block goes into local override (LO) mode to shut the loop down, and the fault state value of 40% becomes the setpoint of the AO1 block.
The air tube connected to sense the pressure head in Tank2 of the level transmitter LIT_201 was taken off to mimic the failure of the primary PV of the AI1 block in the LIT_201. The results for configuring the function blocks for safety are shown in Fig. 8. In the PID1 block, a 'Bad' input from the AI1 block does not become a 'Bad' output; it just brings the PID1 block into MAN mode to stop controlling.
Fig. 8. Results for configuring the blocks for safety in the case of the primary PV failure. (a) Screenshot of DeltaV Studio in online mode. (b) Screenshot of DeltaV Operate (RUN).
The air supply of the control valve positioner was cut off to mimic the failure of the PV of the AO1 block in the LCV_201, which has the air-to-close (fail-open) actuator.
Fig. 9. Results for configuring the blocks for safety in the case of the air supply failure. (a) Screenshot of DeltaV Studio in online mode. (b) Screenshot of DeltaV Operate (RUN).
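The three failure cases and the two configurations described above can be traced through the block chain with a short status-propagation model. This is an added example, not the paper's or DeltaV's code: 'Bypass Enable', 'Fault State to value' and the 40% value come from the text, while `forward_bad_in`, the held outputs 55.0 and 48.0, and leaving PID2 reported as CAS while bypassed are assumptions of this sketch.

```python
from dataclasses import dataclass


@dataclass
class Options:
    bypass_enable: bool               # 'Bypass Enable' in PID2 (option named in the text)
    fault_state_to_value: bool        # 'Fault State to value' in AO1 (option named in the text)
    fault_state_value: float = 40.0   # the 40 % example value used in the text
    forward_bad_in: bool = True       # hypothetical name: PID2 passes a 'Bad' IN on to AO1


AVAILABILITY = Options(bypass_enable=True, fault_state_to_value=False, forward_bad_in=False)
SAFETY = Options(bypass_enable=False, fault_state_to_value=True)


def scan(opts, ai1="Good", ai2="Good", actuator_ok=True, pid1_out=55.0, pid2_out=48.0):
    """One pass over AI1/AI2 -> PID1 -> PID2 -> AO1, then the back-calculation path.

    pid1_out and pid2_out are the last outputs held by the blocks (constructed values).
    Returns the block modes plus the setpoint AO1 uses for the valve.
    """
    mode = {"PID1": "AUTO", "PID2": "CAS", "AO1": "CAS"}
    bypassed = False

    # Forward path. A 'Bad' primary PV stops PID1 (MAN); its OUT does not become 'Bad'.
    if ai1 == "Bad":
        mode["PID1"] = "MAN"
    ao_in, ao_in_status = pid2_out, "Good"
    if ai2 == "Bad":
        if opts.bypass_enable:
            # PID2 algorithm bypassed: the master drives AO1 directly.
            # PID2's mode while bypassed is not stated in the text; it is left at CAS here.
            ao_in, bypassed = pid1_out, True
        else:
            mode["PID2"] = "MAN"      # stop controlling on an invalid flow measurement
            if opts.forward_bad_in:
                ao_in_status = "Bad"

    # Output block: local override on actuator failure, fault state on a 'Bad' input.
    valve_sp, bkcal_status = ao_in, "Good"
    if not actuator_ok:
        mode["AO1"], bkcal_status = "LO", "Bad"
    elif ao_in_status == "Bad" and opts.fault_state_to_value:
        mode["AO1"], valve_sp = "LO", opts.fault_state_value

    # Back-calculation path: a 'Bad' BKCAL_IN puts PID2 in IMAN, and a slave that
    # has left CAS puts a controlling master in IMAN so that it cannot wind up.
    if bkcal_status == "Bad":
        mode["PID2"] = "IMAN"
    if mode["PID2"] != "CAS" and mode["PID1"] == "AUTO":
        mode["PID1"] = "IMAN"
    return {**mode, "valve_sp": valve_sp, "pid2_bypassed": bypassed}


if __name__ == "__main__":
    print("availability, FIT_201 fails:", scan(AVAILABILITY, ai2="Bad"))
    print("safety, FIT_201 fails      :", scan(SAFETY, ai2="Bad"))
    print("safety, LIT_201 fails      :", scan(SAFETY, ai1="Bad"))
    print("safety, LCV_201 air lost   :", scan(SAFETY, actuator_ok=False))
```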

Table 1. Interested parameters for improving system safety.

Table 2. Interested options for configuring AI1 and AI2.

Table 6. Options to balance between safety and availability.
several built-in interlock functions. It is also to provide bumpless transfer and initialization between blocks.