STN HiAv V2.0
STN HiAv V2.0
STN HiAv V2.0
Disclaimer
This document is not comprehensive for any systems using the given architecture and does not absolve users of their duty to uphold the safety requirements for the equipment used in their systems or compliance with both national or international safety laws and regulations. Readers are considered to already know how to use the products described in this document. This document does not replace any specific product documentation.
Development Environment
PlantStruxure, the Process Automation System from Schneider Electric, is a collaborative system that allows industrial and infrastructure companies to meet their automation needs while also addressing growing energy management requirements. Within a single environment, measured energy and process data can be analyzed to yield a holistically optimized plant.
Table of Contents
4. Conclusion ..........................................................................77
4.1. Benefits....................................................................................................................................................... 78 4.2. More Detailed RAMS Investigation ........................................................................................................... 79
5. Appendix .............................................................................81
5.1. Glossary ..................................................................................................................................................... 81 5.2. Standards ................................................................................................................................................... 87
1.2. Introduction
Increasingly, process applications require a high availability automation system. Before deciding to implement a high availability automation system in your installation, you need to consider the following key questions: What security level is needed? This concerns the security of both persons and hardware. For instance, the complete start/stop sequences that manage the kiln in a cement plant include a key condition: the most powerful equipment must be the last to start and stop. What is the criticality of the process? This point concerns all the processes that involve a reaction (mechanical, chemical, etc.). Consider the example of the kiln again. To avoid its destruction, the complete stop sequence includes a slow cooling of the constituent material. Another typical example is the biological treatment in a wastewater plant, which cannot be stopped every day. What is the environmental criticality? Consider the example of an automation system in a tunnel. PACs (default and redundant) would be installed on both sides of the tunnel as a safety precaution in case of a fire. Furthermore, the system may be subjected to harsh environmental factors such as vibration, extreme temperatures, shock and so on. Which other particular circumstances does the system need to address? This last area includes additional questions such as: Does the system really need redundancy if the electrical network becomes inoperative in a specific layer of the installation? What is the criticality of the data in the event of a loss of communication?
As shown in the following chapters, redundancy is a convenient means of elevating global system reliability and availability. The High Availability of a Process Automation System, in terms of redundancy, can be addressed at different levels of the architecture: Single or redundant I/O modules (depending on sensor/actuator redundancy). Depending on the I/O handling philosophy (for example conventional remote I/O stations, or I/O islands distributed on Ethernet), different scenarios can be applied: dual communication medium I/O bus or self-healing ring, single or dual. Programmable controller CPU redundancy (Hot Standby PAC station). Communication network and ports redundancy. SCADA system - dedicated approaches with multiple operator station locations and resource redundancy capabilities.
10
11
12
MUT qualifies the average duration of the system being in an operational state. MDT: Mean Down Time
MDT qualifies the average duration of the system not being in an operational state. It comprises the different portions of time required to detect the reason for the nonoperation state, fix it, and restore the system to its operational state. MTBF: Mean Time Between Failure
MTBF is defined by the MIL-HDBK-338 standard as follows: "A basic measure of reliability for repairable items. The mean number of life units during which all parts of the item perform within their specified limits, during a particular measurement interval under stated conditions." Thus, for repairable systems, MTBF is a metric commonly used to appraise Reliability, and corresponds to the average time interval (normally specified in hours) between two consecutive occurrences of inoperative states. Put simply: MTBF = MUT + MDT MTBF can be calculated (provisional reliability) using data books such as UTE C80810 (RDF2000), MIL HDBK-217F, FIDES, RDF 93, or BELLCORE. Other inputs include field feedback, laboratory testing, or demonstrated MTBF (Operational Reliability), or a combination of these. Remember that MTBF only applies to repairable systems.
13
MTTF is the mean time before the occurrence of the first failure. MTTF (and MTBF by extension) is often confused with useful life, even though these two concepts are not related in any way. For example, a battery may have a useful life of 4 hours and have a MTTF of 100,000 hours. These figures indicate that for a population of 100,000 batteries, there will be approximately one battery failure every hour (defective batteries being replaced).
Consider a repairable system with an exponential distribution Reliability and a constant Failure Rate (), MTTF = 1 / . Mean Down Time is usually very low compared to Mean Up Time. This equivalence is extended to MTBF, assimilated to MTTF, resulting in the following relationship: MTBF = 1 / . This relationship is widely used in additional calculations. Example: Given the MTBF of a communication adapter, 618,191 hours, what is the probability for that module to operate without failure for 5 years? Calculate the module Reliability over a 5-year time period: R(t) = e -t = e -t / MTBF a) Divide 5 years, that is 8,760 * 5 = 43,800 hours, by the given MTBF: 43,800 / 618,191 = 0.07085 b) Then raise e to the power of the negative value of that number: e -.07085 = .9316 Thus, there is a 93.16% probability that the communication module will not fail over a 5-year period.
Typically used as the Failure Rate measurement for non-repairable electronic components, FIT is the number of failures in one billion hours. FIT= 109 / MTBF or MTBF= 109 / FIT
14
2.3.3. Maintainability
Definition Maintainability refers to the ability of a system to be maintained in an operational state. This, once again, relates to probability. Maintainability corresponds to the probability for an inoperative system being repaired in a given time interval. If design considerations may impact the maintainability of a system, then the maintenance organization will also have a major impact on its maintainability. Having the right number of people trained to observe and react with the proper methods, tools and spare parts are considerations that usually depend more on the customer organization than on the automation system architecture. Mathematics Basics Equipment shall be maintainable on-site by trained personnel according to the maintenance strategy. A common metric named Maintainability, M(t), gives the probability that a required given active maintenance operation can be accomplished within a given time interval. The relationship between Maintainability and repair is similar to the relationship between reliability and failure, with the Repair Rate (t) defined in a way analogous to the Failure Rate. When this Repair Rate is considered as a constant, it implies an exponential distribution for Maintainability: M(t) = e -t. The maintainability of a given equipment is reflected in MTTR, which is usually considered as the sum of the individual times required for administrative, transport and repair times.
15
16
Downtime includes here all repair time (corrective and preventative maintenance time), administrative time and logistic time. The following curve shows an example of asymptotic behavior:
Intrinsic (or Inherent) Availability: Ai Intrinsic Availability does not include administrative time and logistic time, and usually does not include preventative maintenance time, either. This is primarily a function of the basic equipment/system design.
Ai = MTBF MTBF + MTTR
We will consider Intrinsic Availability in our Availability calculations. Operational Availability Operational Availability corresponds to the probability that an item will operate satisfactorily at a given point in time when used in an actual or realistic operating and support environment.
A0 = Uptime Operating Cycle
Operational Availability includes logistics time, ready time, and waiting or administrative downtime and both preventative and corrective maintenance downtime. This is the availability that the customer actually experiences. It is essentially the a posteriori availability based on actual events that happened to the system.
17
For example, a system that has a five-nine availability rating means that the system is 99.999 % available, with a system downtime of approximately 5.26 minutes per year.
2.3.5. Reliability
Definition A fundamental associated metric is Reliability. Return to the example of your telephone line. If we consider that the wired network is very old, having suffered from many years without proper maintenance, it may frequently be out of order. Even if the current maintenance team is doing his best to repair it within a minimum time, it can be said to have poor reliability if, for example, it has experienced 10 losses of communication during the last year. Notice that Reliability necessarily refers to a given time interval, typically one year. Therefore, Reliability will account for the absence of shutdown of a considered system in operation over a given time interval. As with Availability, we consider Reliability in terms of perspective (a prediction), and within the domain of probability. Mathematics Basics Fortunately, in many situations, a detected disruption does not necessarily mean the end of a devices life. This is usually the case with the automation and control systems being discussed, which are repairable entities. As a result, the ability to 18
19
Although Availability is a function of Reliability, it is possible for a system with poor Reliability to achieve high Availability. For example, consider that a system averages 4 failures a year, and for each failure, this system can be restored with an average outage time of 1 minute. Over the specified period of time, MTBF is 131,400 minutes (4 minutes of downtime out of 525,600 minutes per year). In that one-year period: Reliability R(t) = e -t = e - 4 = 1.83%, very poor Reliability (Inherent) Availability A i = very good Availability
MTBF MTBF + MTTR = 131 400 131 400 + 1 = 99.99924% ,
Higher Reliability reduces the frequency of inoperative states, while increasing overall Availability. There is a difference between Hardware MTBF and System MTBF. The mean time between hardware component failures occurring on an I/O module, for example, is referred to as the Hardware MTBF. Mean time between failures occurring on a system considered as a whole, a PAC configuration for example, is referred to as the System MTBF. As will be demonstrated, hardware component redundancy provides an increase in the overall system MTBF, even though the individual components MTBF remains the same.
20
POWER SUPPLY
MODULE A
MODULE B
MODULE C
MODULE D
We make the assumption that one of the 5 modules (1 power supply and 4 other modules) that populate the PAC rack becomes inoperative. As a consequence, the entire rack is affected, as it is no longer 100% capable of performing its assigned mission regardless of which module is inoperative. Thus, each of the 5 modules is considered as a participant member of a 5-part series. Note: When considering Reliability, two components are described as in series if both are necessary to perform a given function.
21
We now assume that the PAC rack contains redundant power supply modules, in addition to the 4 other modules. If one power supply becomes inoperative, then the other supplies power for the entire rack. These 2 power supplies would be considered as a parallel sub-system, in turn coupled in series with the sequence of the 4 other modules. Note: Two components are in parallel, from a reliability standpoint, when the system works if at least one of the two components operates properly. In this example, Power Supply 1 and 2 are said to be in active redundancy. The redundancy would be described as passive if one of the parallel components is turned on only if the other is inoperative, for example in the case of auxiliary power generators.
22
That is
Consider a system with 10 elements, each of them required for the proper operation of the system, for example a 10 modules rack. To determine RS(t), the Reliability of that system over a given time interval t, if each of the considered elements shows an individual Reliability Ri(t) of 0.99:
10 R S (t) = R i (t) = (0.99) x (0.99) x (0.99) . . . (0.99) = (0.99)10 = 0.9044 i=1
Thus, the targeted system Reliability is 90.44%. Example 2: Consider two elements with the following Failure Rates:
Element 1 1 = 120.10-6h-1
Element 2 2 = 180.10-6h-1
23
Thus the targeted system Reliability over the considered time period is 74.08%. Availability Serial system Availability is equal to the product of the individual elements Availability.
n A S = A1 . A 2 . A 3 .... .A n = A i i=1
where:
As= system (asymptotic) availability Ai = Individual element (asymptotic) availability n = Total number of elements on the serial system
24
This calculation applies the equations given by basic probability analysis. To do this calculation, a spreadsheet was developed. These are the figures applied in the spreadsheet: Failure Rate: = 1/MTBF Reliability: R(t) = e -t Total serial systems Failure Rate
n = S i i =1
Total MTBF serial systems = 1 / s Availability = MTBF/ MTBF+ MTTR Unavailability = 1 Availability Unavailability over years: Unavailability hours (one year = 8460 hours) The following table shows the method to perform the calculation: Step 1 2 3 Action Perform the calculation of the standalone populated CPU rack. Perform the calculation of a distributed island. Based on the serial structure, add up the results from Steps 1 and 2.
Note: A common variant of in-rack I/O module stations are I/O islands distributed on an Ethernet communication network. Schneider Electric offers a versatile family named Advantys STB, which can be used to define such architectures. Step 1: Calculation linked to the standalone CPU rack. The following figures represent the standalone CPU rack:
25
Step 2: Calculation linked to the STB island. The following figures represent the distributed I/O on STB island:
26
Note: The highlighted values were calculated in the two previous steps.
Considering the results of this serial system (Rack # 1+ Islands # 1 ... #4), Reliability over one year is approximately 82 % (the probability that this system will encounter one failure during one year is approximately 18%). System MTBF itself is approximately 44,000 hours (about 5 years) Considering the Availability, with a 8-hour Mean Time To Repair (which is a typical figure with a proper logistics and maintenance organization), the system would achieve a 3-nines Availability, an average probability of approximately 95 minutes downtime per year.
27
....
n n x Qn (t ) ] = 1 Qi (t ) = 1 1 Ri (t ) i =1 i =1
Ri = Probability of non-failure of an individual parallelized element Qi = Probability of failure of an individual parallelized element n = Total number of parallelized elements Example: Considering two elements with the following Failure Rates:
R1 (1,000 h) = e 1t = e 120 x 10
x 103 x 10
3
= 0.8869 = 0.8353
R2 (1,000 h) = e 2t = e 180 x 10
AS = 1 [ (1 A1 ) . (1 A2 ) . ... . (1 An ) ] = 1 (1 Ai )
i =1
where:
As= system (asymptotic) availability Ai = Individual element (asymptotic) availability n = Total number of elements on the serial system
29
The formulas are the same as the ones used in the previous calculation example, except for the calculation of the Reliability of a parallel system, which is as follows:
Rs (t ) = 1 [ Q1 (t ) x Q2 (t ) x Q3 (t ) x
....
n n x Qn (t ) ] = 1 Qi (t ) = 1 1 Ri (t ) i =1 i =1
This formula is used to consider the power supply subsystem. The following table shows the method to perform the calculation: Step 1 2 Action Perform the calculation of the redundant power supplies sub-system Perform the calculation for the local CPU rack with its redundant power supplies 3 4 Perform the calculation of a distributed island Concatenate the results from Steps 2 and 3
Note: The previous results from the serial analysis regarding the calculation linked to the distributed islands are reused.
30
Step 2: Calculation of the local CPU rack with its redundant power supplies. The following figure show the local CPU rack:
31
Step 4: Calculation of the entire installation. The following screenshot is the spreadsheet corresponding to the entire analysis:
Looking at the results of this system, it should be noted that the enhancement brought by the power supply modules redundancy only makes sense if doing a comparison between single and redundant power supply figures. So, Power Supply MTBF itself would increase from 485,873 hours (approximately 55 years) to 27,434,080 hours (approximately 3131 years).
Note: The previous examples cover the PAC station only. To extend the calculation to an entire system, the MTBF of the network components and the SCADA systems (PC, servers) must be taken into account.
32
This table indicates that even though the very high availability of Part Y was used, the overall availability of the system was reduced by the low availability of Part X. It is generally accepted that "a chain is as strong as its weakest link". However, in this instance, the chain is actually weaker than its weakest link. Parallel System The above computations indicate that the combined availability of two components in parallel is always higher than the availability of its individual components. The following table gives an example of combined availability in a parallel system: Component X Two X components operating in parallel Three X components operating in parallel 99.9999% (6-nines) 31 seconds /year ! Availability 99% (2-nines) 99.99% (4-nines) Downtime 3.65 days/year 52 minutes/year
This indicates that even though a very low availability Part X was used, the overall availability of the system is much higher. Thus, redundancy provides a powerful mechanism for making a highly reliable system from low reliability components
33
34
Ethernet
Ethernet
PAC
PAC
PAC
Ethernet
Profibus DP Ethernet
This system architecture drawing above shows the various layers where redundancy capabilities have to be proposed:
Operating and Monitoring System Control Network Control System Field Network
35
Data acquisition Graphics (displays and user interfaces) Events and alarms (including time-stamping) Measurements and trends Recipes Reports
In addition, any current SCADA package provides access to a treatment/calculation module (openness module), allowing users to edit program code (IML/CML, Cicode, Script VB, etc.). Note: This model is applicable for a single station, including small applications. The synthesis between the stakes and the key features will help to determine the most appropriate redundant solution. Stakes Considering the previously defined key features, stakes when designing a SCADA system include: Risk Analysis Linked to the previous stakes, the risk analysis is essential to defining the redundancy level. Consider the events the SCADA system will face, that is the risk, in terms of: Inoperative hardware Inoperative power supply Environmental events (natural disaster, fire, etc.) 36 Is a changeover possible? Does a time limit exist? What are the critical data? Has cost reduction been considered?
Customer Expectations Data loss without importance Data loss allowed Data must not be lost
The table below explains the redundancy levels: Redundancy Level No redundancy Cold Standby State of the standby system No standby system The standby system is only powered up if the default system becomes inoperative. Warm Standby The standby system switches from normal to backup mode. Hot Standby The Standby system runs together with the default system. Switchover performance Not applicable Several minutes Large amount of lost data Several seconds Small amount of lost data Several milliseconds No lost data
37
Display Client
The Vijeo Citect functional organization corresponds directly to a Client/Server philosophy. An example of a Client/Server topology is shown in the diagram on the left: a single display client operator station with a single I/O server in charge of device data
I/O Server
(PAC) communication.
I/O Device
Vijeo Citect architecture is a combination of several operational entities that handle Alarms, Trends and Reports. In addition, this functional architecture includes at least one I/O server. The I/O server acts as a client to the peripheral devices (PAC) and as a server to Alarms, Trends and Reports (ATR) entities. ATR and I/O server(s) act either as a client or as a server, depending on the designated relationship. The default mechanism linking these clients and servers is based on a publisher/subscriber relation. As shown in the following screenshot, because of its client/server model, Vijeo Citect can create a dedicated server, depending on the application requirements: for example for ATR or for I/O server:
Display Clients
I/O Server Alarm Server Report Server Trend Server I/O Devices
An example of redundancy is a complete duplication of the first server. Basically, if a system becomes inoperative, for example Server A, Server B would retain the job and respond to the service requests made by the clients.
38
I/O Devices
held by different hardware. The first level of redundancy duplicates the I/O server, as shown in the illustration. In this case, a Standby server is maintained in parallel to the Primary server. In the event of a detected interruption in the hardware, the Standby server will assume control of the communication with the devices according to the priority allocation. When the primary server is
I/O Servers
I/O Device
automatically returns control back to the primary server. This is done by synchronization from the operating standby server and allowing the clients to reconnect. With this system, you can use redundant I/O servers to share the normal operational processing load. This would allow higher performance as the I/O servers would be running in parallel when servicing the I/O devices. An I/O Device can be hosted by one or several I/O servers but is accessed by one single I/O server at a time. If the Primary I/O Server fails to access the I/O Device, active path is allotted to the first Standby server and so on.
39
designated pairs of devices, Primary and Standby. This device redundancy does not rely on a PAC Hot Standby mechanism: Primary and Standby
1 2
3 4
devices are assumed to be concurrently acting on the same process, but no assumption is made concerning the
I/O Device
Seen from the I/O server, this redundancy offers access only to an alternate device in case the first device becomes inoperative. The I/O device is an extension of I/O device redundancy, providing for more than one Standby I/O device. Depending on the user configuration, a given order of priority applies when an I/O server (potentially a redundant one) needs to switch to a Standby I/O device. For example, in the figure above, a single I/O Device is seen as 4 different devices from the SCADA system, the Device 1 is set up as the Primary and the other ones as Standby. Thus, it is possible to affect different priority to the standby devices. In our example, I/O Device 3 would be allotted the highest priority, then I/O Device 2, then finally I/O Device 4. In those conditions, in the case of a detected interruption occurring on Primary I/O Device 1, a switchover would take place, with I/O Server 2 handling communications, and with Standby I/O Device 3. If an interruption is then detected on I/O Device 3, a new switchover would take place, with I/O Server 1 handling communications, with Standby I/O Device 2. Finally, if there is an interruption on I/O Device 2, yet another switchover would take place, with I/O Server 2 handling communications, with Standby I/O Device 4.
Data path redundancy does not involve alternative device(s), but alternative data paths between the I/O server and connected I/O devices. Thus, if one data path becomes inoperative, the other is used. Note: Vijeo Citect reconnects through the primary data path when it is
I/O Device
40
I/O Device
Display Clients
I/O LAN 2
Alarm
Report
Trend
Standby Servers
41
I/O Device
The alarm servers perform parallel data read from I/O server and parallel alarms processing. If the primary server fails, the standby alarm server starts to log alarms to devices. When an alarm server first starts up, it tries to establish a connection to the redundant alarm server. If it can connect, it transfers the dynamic alarm data from the running server to the other alarm server. If the connection cannot be established, the alarm server opens the save file and restore data from the file. The Alarm On/Off status is not exchanged between servers. Information is transmitted from Primary to Standby alarm server when operator acts on alarms (for example, acknowledge, disable, enable, add comments and so on). On startup, all Clients try to establish a connection with Primary alarm server, if the connection cannot be established, another attempt takes place, trying to reach Standby alarm server. If Primary alarm server responds and is available, any client connected to Standby alarm server remains connected
42
43
Server
Primary I/O Server
Server
Primary Trend Server Primary Alarm Server Primary Report Server
Server
Standby Trend Server Standby Alarm Server Standby Report Server
Client
Display Client
Server
Standby I/O Server
Client
Display Client
Cluster
The cluster concept offers a response to a typical scenario of a system separated into several sites, with each of these sites controlled by local operators and supported by local redundant servers. The clustering model can concurrently address an additional level of management that requires all sites across the system to be monitored simultaneously from a central control room. With this scenario, each site is represented by a separate cluster, grouping its primary and standby servers. Clients on each site are interested only in the local cluster, whereas clients in the central control room are able to view all clusters. Based on cluster design, each site can then be addressed independently within its own cluster. As a result, deployment of a control room scenario is fairly straightforward, with the control room itself only needing display clients.
- Alarm 1 - Trend 1
- Report 1 - I/O 1
Primary 1 Cluster 1
Standby 1 & 2
Primary 2 Cluster 2
44
3.1.11. Conclusion
The following illustration shows a complete installation. Redundant solutions previously discussed can be identified: Scada Clients
Data Servers
Control Network
Targeted Devices
PAC
PAC
45
There are different features needed to increase the resilience of a redundant network: Manageable switches - Support redundancy management protocol - Able to find and use an alternate path to access a target device - Clever enough to avoid creating loops - Generally offer a redundant DC power supply input Network topology - Ring (single or dual) - Daisy chaining loop - Mesh Network Redundancy Management Protocols - Rapid Spanning Tree (RSTP) - Ring management protocols (MRP, HYPERring)
46
From the project and the plant analyses, identify the different functional areas and the communication between them. The following diagram shows the result of such an analysis applied on a water treatment plant.
Mechanical Treatment
Sludge
Biological Treatment
47
Note: These different topologies can be mixed to define the plant network diagram.
48
In automation architecture, ring (and dual ring) topologies are the most commonly used to increase the availability of a system. Mesh architecture is less used in process applications; therefore we will not discuss it in detail. All these topologies are feasible using Schneider Electric ConneXium switches. Ring and Multiple Ring Principles In a ring topology, four events can occur that would lead to a loss of communication: 1) Broken ring line 2) Inoperative ring switch 3) Inoperative ended-line devices 4) Inoperative ended-line devices switch The following diagram illustrates these four occurrences:
49
Consider an Ethernet loop designed with a RM switch. In normal conditions, this RM switch will RM open the loop which prevents Ethernet frames from circulating endlessly in a loop.
PAC PAC
If a break occurs, the Redundancy Manager RM switch reacts immediately and closes the Ethernet loop, bringing the network back to full operating condition.
PAC PAC
Hot-Standby PACs
Topological factors may lead to consideration of a network layout aggregating satellite rings or segments around a backbone network (itself designed as a ring or as a segment).
50
Ring coupling capabilities increase the level of networking availability by allowing different paths to access targeted devices. New generation Schneider ConneXium switches authorize different architectures based on dual ring. A unique switch is able to couple two Ethernet rings, extending the capabilities of the Ethernet architecture.
51
RM
Main link
RM
Backbone Ring
Redundant link
Ring
PAC
Two Switches Coupling The following illustration shows this architecture, where 1 port of each of the 2 ring switches is connected 1 port of each of the 2 backbone switches. Two different paths are available to link the 2 rings: one primary link and one redundant link, blocking traffic during normal operation. When primary link becomes inoperable, redundant link is activated. When primary link becomes functional again, redundant link is blocked for normal operation. During operation, Homothetic switches exchange control packets to inform each other about their operational state. The protocols available for this architecture are: HIPER-Ring, MRP and Fast HIPERRing.
RM
Main link
RM
Backbone
Redundant link
Ring
PAC
52
As seen on the figure below, this architecture is built with one Ring Manager (RM) switch on the Primary Ring and a pair of Sub-Ring Managers (SRM) switches for each Sub-Ring.
SRM 1 RM
Primary Ring
Sub-Ring
SRM 2
Primary Ring
Sub-Ring SRM 3
Sub-Ring SRM 4
53
Primary Ring
Sub-Ring SRM 2
Sub-Ring SRM 3
Independently from the management protocol, the Ring Manager switch normally opens the Primary Ring. It closes it in case of a Ring discontinuity, and automatically reopens when the situation is fixed The Sub-Ring Manager switches operate in a default/backup mode: the second one blocking the frames circulation in normal mode. The Backup Sub-Ring manager switch takes the lead when the default one fails. It automatically returns to standby mode when default manager is back Dual Ring
This architecture allows a significant increase of the level of Availability. The implementation of such topology implies:
Servers with dual communication cards PAC with two Ethernet modules I/O devices with two Ethernet interfaces
The protocols used for both rings can be chosen from: MRP, HIPER-Ring, Fast HIPER-Ring. Note that in such a design, a SCADA I/O server has to be equipped with
54
HIPERRing Structure
MRP
RSTP
Mesh Ring Tree
802.1W 802.1D
Ring
Ring
IEC 62439
Ring
Proprietary
Licenced
Proprietary
(Mesh)
50 switches in a ring 80 ms @ 50 sw
50 switches in a ring 80 ms @ 50 sw
50 switches in a ring 25 ms @ 50 sw
39 Hops
<1s
(1)
3/500 ms
@ 50 sw
2/500 ms
@ 50 sw
< 30 s
55
802.1t-2001 and IEEE 802.1w standards). Based on STP, RSTP introduces some additional parameters that must be entered during the switch configuration. These parameters are used by the RSTP protocol during the path selection process. Because of these, the reconfiguration time is much faster than with STP (typically less than one second).
The TCSESM ConneXium switches allow good performance of RSTP management with a detection time of 15 ms and a propagation time of 15 ms for each switch. For a 6-switches configuration, the recovery time is about 105 ms. HIPER-Ring (Version 1)
RM HIPER-Ring
Version 1 of the HIPER-Ring networking strategy has been available for approximately 10 years. It applies to a Self Healing Ring networking layout. Such a ring structure may include up to 50 switches. When configuring a Connexium TCS ESM switch for HIPER-Ring V1, the user is asked to choose between a maximum Standard Recovery Time, which is 500 ms, and a maximum Accelerated Recovery Time, which is 300 ms. As a result, if an issue occurs on a link cable or on
56
RM MRP
MRP is an IEC 62439 industry standard protocol based on HIPER-ring. Therefore, all switch manufacturers can implement MRP if they so choose. This allows a mix of different manufacturers in an MRP configuration. Schneiders switches support a selectable maximum recovery time of 200ms or 500ms and a 50-switch maximum ring configuration. TCESM switches also support redundant coupling of MRP rings. MRP rings can easily be used instead of HIPER-Ring. MRP requires that all switches are configured via Web pages and allows for recovery times of 200ms or 500ms. Additionally, the I/O network can be a MRP redundant network and the control network HIPER-Ring, or vice versa.
57
3.2.4. Selection
To conclude the communication level section, the following table presents all the communication protocols to help you select the most appropriate installation for your High Availability solution:
Solution HIPER-Ring
Comments If a recovery time of 500 ms is acceptable, then no switch redundancy configuration is needed. Dip switches have to be set up only.
New installation
MRP
All switches are configured via Web pages. Installation with one MRM (Media Ring Manager) and X MRCs (Media Ring Client).
RSTP
We recommend MRP or RSTP for High Availability with dual ring, and FAST HIPER-Ring for high performance.
58
1. The type of architecture is shared. A Primary unit executes the program, with a Standby unit ready but not executing the program (apart from the first section of it). By default, these two units contain an identical application program. 2. The units are synchronized. The Standby unit is aligned with the Primary unit. Also, on each scan, the Primary unit transfers its "database to the Standby unit, that is, the application variables (located or not located) and internal data. The entire database is transferred, except the "Non-Transfer Table", which is a sequence of Memory Words (%MW). The benefit of this transfer is that, in case of a switchover, the new Primary unit will continue to handle the process, starting with updated variables and data values. This is referred to as a "bumpless" switchover. 3. The Hot Standby redundancy mechanism is controlled via the "Command Register" (accessed thru %SW60 system word); reciprocally, this Hot Standby redundancy mechanism is monitored via the "Status Register" (accessed thru %SW61 system word). As a result, as long as the application creates links between these system words and located memory words, any HMI can receive feedback regarding Hot Standby system operating conditions, and, if necessary, address these operating conditions.
59
The following table presents the available configurations with either a Quantum or Premium PAC:
In Rack & Remote I/O Quantum PAC Premium PAC Configuration 1 Configuration 2 Distributed I/O Ethernet Profibus Configuration 3 Configuration 5 Configuration 6 Not Applicable
Note: A sixth configuration may be considered which combines all other configurations listed above
60
61
Depending on the selected I/O Bus technology, a specific layout may result in enhanced availability. Dual Coaxial Cable Coaxial cable can be installed with either a single or redundant design. With a redundant design, communications are duplicated on both channels, providing a massive communication redundancy. Either the remote I/O processor or remote I/O adapters are equipped with a pair of connectors, with each connector attached to a separate coaxial distribution.
62
PAC
The Primary unit acquires its inputs, executes the logic, and updates its outputs. As a result of cyclical Primary to
Standby data transfer, the Standby unit provides local outputs that are the image of the outputs decided on the Primary unit. In case of a switchover, the control takeover executed by the new Primary unit occurs in a bumpless fashion. The module population of a Premium CPU rack, in a Hot Standby configuration, is very similar to that of a standalone PAC Note: Counting, motion, weighing and safety modules are not accepted. On the communication side, except for Modbus modules TSX SCY 11 601/21 601, only currently available Ethernet TCP/IP modules are accepted. Also, the EtherNet/IP adapter (TSX ETC 100) is not compatible with Premium Hot Standby in Step 1. Two types of CPU modules are available: TSX H57 24M and TSX H57 44M, which differ mainly in memory and communication resources.
63
PAC
CPU Sync Link
This Ethernet configuration is detailed in the following section. Redundant Device Implementation In-rack I/O module implementation on Premium Hot Standby corresponds by default to a massive redundancy layout: each input and each output has a
PAC
physical connection on both units. Redundant sensors and actuators do not require additional hardware. For a simple transfer of information to both sides of the outputs, the application must define and
implement rules for selecting and treating the proper input signals. In addition to information transfer, the application must address diagnostic requirements.
64
PAC
devices are used to handle the associated wiring requirements. Any given sensor signal, either digital or analog, passes through such a dedicated device, which replicates it and passes it on to homothetic input channels. Reciprocally, any given pair of homothetic output signals, either digital or analog, are provided to a dedicated device that selects and transfers the proper signal (i.e. the one taken on
65
The I/O Scanner service may also be used to implement data exchanges with any type of equipment, including another PAC, provided that equipment can behave as a Modbus/TCP server, and respond to multiple word access requests. Ethernet I/O scanner service is compatible with a Hot Standby implementation, whether Premium or Quantum. The I/O Scanner is active only on the Primary unit. In case of a controlled switchover, Ethernet TCP/IP connections handled by the former Primary unit are properly closed, and new ones are reopened once the new Primary gains control. In case of a sudden switchover, resulting, for example, from a power cut, the former Primary may not be able to close the connections it had opened. These connections will be closed after expiration of a Keep Alive timeout. In case of a switchover, proper communications will typically recover after one initial cycle of I/O scanning.
66
exchanges, and accepts FDT/DTM Asset Management System data flow through its local Ethernet port.
Quantum + PTQ
Profibus DP Profibus PA
Advantys STB
The Profibus network is set up with Configuration Builder software, which supplies the Unity Pro application program with data structures corresponding to cyclic data exchanges and diagnostic information. The Configuration Builder can also be
configured to pass Unity Pro a set of DFBs, allowing easy implementation of acyclic operations. Each Quantum PAC can accept up to 6 of these DP Master modules (each of them handling its own PROFIBUS network). Also, the PTQ PDPM V1 Master Module is compatible with a Quantum Hot Standby implementation. Only the Master Module in the Primary unit is active on the PROFIBUS network; the Master Module on the Standby unit stays in a dormant state unless awakened by a switchover.
67
PAC Primary
PAC Standby
With a smart device such as PROFIBUS Remote Master, an I/O Scanner stream is handled by the PAC application (M340, Premium or Quantum) and forwarded to Remote Master via Ethernet TCP/IP. In turn, Remote Master handles the corresponding cyclic exchanges with the devices populating the PROFIBUS network. Remote Master can also handle acyclic data exchanges.
The PROFIBUS network is configured with Unity Pro, which also acts as an FDT container, able to host manufacturer device DTMs. In addition, Remote Master offers a comDTM to work with third party FDT/DTM Asset Management Systems. Automatic symbol generation provides Unity Pro with data structures corresponding to data exchanges and diagnostic information. A set of DFBs is delivered that allows an easy implementation of acyclic operations. Remote Master is compatible with a Quantum or Premium Hot Standby implementation.
68
69
500 ms + 1 initial cycle of I/O scanning 500 ms + 1 MAST task cycle 500 ms + the time required by the client to reestablish its connection with the server (1) 500 ms + the time required by the client to reestablish its connection with the server (1)
The time required by the client to reestablish its connection with the server
(1)
(1)
The time the client requires to reconnect with the server depends on the client communication loss
timeout settings.
3.3.9. Selection
To conclude the Control level section, the table below presents the four main criteria to help you select the most appropriate configuration for your high availability solution:
Openness
71
72
73
PAC
The chain can receive up to 32 devices. This topology is tipically used when the interaction of all devices is linked, and the loss of 1 device will require the process to pause.
PAC
Without redundancy management protocol In this case, the loop is handled by a Manageable Connexium switch, featuring Ring Manager capability, used as a HIPER-ring redundancy manager.
74
4-Conclusion
The current recovery times can take up to 30s. With RSTP embedded in all daisy chain devices The use of RSTP protocol allows improved capabilities:
Max. 15ms detection Max. 15ms propagation No disturbances during the recovery period
The figure below illustrates the example of the Modicon M340 Ethernet module with an embedded 4-port switch. Two ports support RSTP to ensure redundant architecture.
The recovery time for a 10-device chain is approximately 165 ms. The first daisy-chainable devices Schneider Electric plans to offer are: Advantys STB dual port Ethernet communication adapter (STB NIP 2311) Advantys ETB IP67 dual port Ethernet Motor controller TeSys T Variable speed drive ATV 61/71 (VW3A3310D) PROFIBUS DP V1 Remote Master ETG 30xx Factorycast gateway
75
4-Conclusion
3.4.3. Conclusion
This chapter has covered functional and architectural redundancy aspects, from the Information Management level to the Control level, and up through the Communication Infrastructure level.
76
4-Conclusion
4. Conclusion
This section summarizes the main characteristics and properties of Availability for Collaborative Control automation architectures. Chapter 1 demonstrated that Availability is dependent not only on Reliability, but also on Maintenance as it is provided to a given system. The first level of contribution, Reliability, is primarily a function of the system design and components. Component and device manufacturers thus have a direct but not exclusive influence on system Availability. The second level of contribution, Maintenance and Logistics, is totally dependent on end customer behavior. Chapter 2 presented some simple Reliability and Availability calculation examples, and demonstrated that beyond basic use cases, dedicated skills and tools are required to extract figures from real cases. Chapter 3 explored a central focus of this document, Redundancy, and its application at the Information Management level, Control System level and Communication Infrastructure level. This final chapter summarizes the customer benefits of Schneider Electric High Availability solutions, as well as additional information and references.
77
78
4-Conclusion
Communication Infrastructure Level Whether utilized as a process network or as a Fieldbus network, currently available active network components can easily participate in an automatically reconfigured network. With continuous enhancements, HIPER-Ring strategy not only offers simplicity, but also a level of performance compatible with a high-reactivity demand. Control System Level The IP address automatic switch" for a SCADA application communicating through Ethernet is an important feature of Schneider Electric PACs. In addition to simplifying the design of the SCADA application implementation, which may reduce delays and costs, this feature also contributes to reducing the payload of a communication context exchange on a PAC switchover.
79
4-Conclusion
80
5-Appendix
5. Appendix
5.1. Glossary
Note: The references in brackets refer to standards, which are specified at the end of this glossary. 1) Active Redundancy Redundancy where the different means required to accomplish a given function are present simultaneously [5] 2) Availability Ability of an item to be in a state to perform a required function under given conditions, at a given instant in time or over a given time interval, assuming that the required external resources are provided [IEV 191-02-05] (performance) [2] 3) Common Mode Failure Failure that affects all redundant elements for a given function at the same time. [2] 4) Complete failure Failure which results in the complete inability of an item to perform all required functions. [IEV 191-04-20] [2] 5) Dependability Collective term used to describe availability performance and its influencing factors: reliability performance, maintainability performance and maintenance support performance [IEV 191-02-03] [2] Note: Dependability is used only for general descriptions in non-quantitative terms. 6) Dormant A state in which an item is able to function but is not required to function. Not to be confused with downtime. [4] 7) Downtime Time during which an item is in an operational inventory but is not in condition to perform its required function. [4] 8) Failure Termination of the ability of an item to perform a required function [IEV 191-04-01] [2] Note 1: After failure, the item detects a fault. Note 2: "Failure" is an event, as distinguished from "fault," which is a state. 81
5-Appendix
9) Failure Analysis The act of determining the physical failure mechanism resulting in the functional failure of a component or piece of equipment [1] 10) Failure Mode and Effects Analysis (FMEA) Procedure for analyzing each potential failure mode in a product to determine the results or effects on the product. When the analysis is extended to classify each potential failure mode according to its severity and probability of occurrence, it is called a Failure Mode, Effects and Criticality Analysis (FMECA). [6] 11) Failure Rate Total number of failures within an item population, divided by the total number of life units expended by that population during a particular measurement period under stated conditions. [4] 12) Fault State of an item characterized by its inability to perform a required function, excluding this inability during preventive maintenance or other planned actions, or due to lack of external resources [IEV 191-05-01] [2] Note: A fault is often the result of a failure of the item itself, but may exist without prior failure. 13) Fault- tolerance Ability to tolerate and accommodate a fault with or without performance degradation 14) Fault Tree Analysis (FTA) Method used to evaluate reliability of engineering systems. FTA is concerned with fault events. A fault tree may be described as a logical representation of the relationship of primary or basic fault events that lead to the occurrence of a specified undesirable fault event known as the top event. A fault tree is depicted using a tree structure with logic gates such as AND and OR [7] See diagram on the following page.
82
5-Appendix
15) Hidden Failure A failure that is not detectable by or evident to the operating crew. [1] 16) Inherent Availability (Intrinsic Availability) : Ai A measure of availability that includes only the effects of an item design and its application, and does not account for effects of the operational and support environment. Sometimes referred to as "intrinsic" availability. [4] 17) Integrity Reliability of data which is being processed or stored. 18) Maintainability Probability that an item can be retained in, or restored to, a specified condition when maintenance is performed by personnel having specified skill levels, using prescribed procedures and resources, at each prescribed level of maintenance and repair. [4] 19) Markov Method A Markov process is a mathematical model that is useful in the study of the availability of complex systems. The basic concepts of the Markov process are those of the state of the system (for example operating, non-operating) and state of transition (from operating to non-operating due to failure, or from non-operating to operating due to repair). [4] See illustration on next page.
83
5-Appendix
Markov Graph illustration [2] 20) MDT: Mean Downtime Average time a system is unavailable for use due to a failure. Time includes the actual repair time plus all delay time associated with a repair person arriving with the appropriate replacement parts. [4] 21) MOBF: Mean Operating Time Between Failure Expected operating time between failures [IEV 191-12-09] [2] 22) MTBF: Mean Time Between Failure A basic measure of reliability for repairable items. The mean number of life units during which all parts of the item perform within their specified limits, during a particular measurement interval under stated conditions. [4] 23) MTTF : Mean Time To Failure A basic measure of reliability for non-repairable items. The total number of life units of an item population divided by the number of failures within that population, during a particular measurement interval under stated conditions. [4] Note: Used with repairable items, MTTFF stands for Mean Time To First Failure 24) MTTR : Mean Time To Repair A basic measure of Maintainability. The sum of corrective maintenance times at any specific level of repair, divided by the total number of failures within an item repaired at that level, during a particular interval under stated conditions. [4] 25) MTTR : Mean Time To Recovery Expectation of the time to recovery [IEV 191-13-08] [2]
84
5-Appendix
26) Non-Detectable Failure Failure at the component, equipment, subsystem or system (product) level that is identifiable by analysis but cannot be identified through periodic testing or revealed by an alarm or an indication of an anomaly. [4] 27) Redundancy Existence in an item of two or more means of performing a required function [IEV 191-15-01] [2] Note: In this standard, the existence of more than one path (consisting of links and switches) between end nodes. Existence of more than one means for accomplishing a given function. Each means of accomplishing the function need not necessarily be identical. The two basic types of redundancy are Active and Standby. [4] 28) Reliability Ability of an item to perform a required function under given conditions for a given time interval [IEV 191-02-06] [2] Note 1: It is generally assumed that an item is in a state to perform this required function at the beginning of the time interval. Note 2: The term reliability is also used as a measure of reliability performance (see IEV 191-12-01). 29) Repairability Probability that a failed item will be restored to operable condition within a specified time of active repair [4] 30) Serviceability Relative ease with which an item can be serviced (i.e. kept in operating condition). [4] 31) Standby Redundancy Redundancy whereby a part of the means for performing a required function is intended to operate, while the remaining part(s) of the means are inoperative until needed [IEV 19-5-03] [2] Note: This is also known as dynamic redundancy. Redundancy in which some or all of the redundant items are not operating continuously but are activated only upon failure of the primary item performing the function(s). [4]
85
5-Appendix
32) System Downtime Time interval between the commencement of work on a system (product) malfunction and the time when the system has been repaired and/or checked by the maintenance person, and no further maintenance activity is executed. [4] 33) Total System Downtime Time interval between the reporting of a system (product) malfunction and the time when the system has been repaired and/or checked by the maintenance person, and no further maintenance activity is executed. [4] 34) Unavailability State of an item of being unable to perform its required function [IEV 603-05-05] [2] Note: Unavailability is expressed as the fraction of expected operating life in which an item is not available, for example minutes per year Ratio: downtime/(uptime + downtime) [3] Often expressed as a maximum period of time during which the variable is unavailable, for example 4 hours per month 35) Uptime The element of Active Time during which an item is in condition to perform its required functions. (Increases availability and dependability). [4] [1] Maintenance & Reliability terms - Life Cycle Engineering [2] IEC 62439: High Availability Automation Networks [3] IEEE Std C37.1-2007: Standard for SCADA and Automation System [4] MIL-HDBK-338B - Military Handbook - Electronic Reliability Design Handbook [5] IEC-271-194 [6] The Certified Quality Engineer Handbook - Connie M. Borror, Editor [7] Reliability, Quality and Safety for Engineers - B.S. Dhillon - CRC Press
86
General purpose
IEC 60050 (191):1990 - International Electrotechnical Vocabulary (IEV)
FMEA/FMECA
IEC 60812 (1985) - Analysis techniques for system reliability - Procedures for failure mode and effect analysis (FMEA) MIL-STD 1629A (1980) Procedures for performing a failure mode, effects and criticality analysis
Markov Analysis
IEC 61165 (2006) Application of Markov Techniques
RAMS
IEC 60300-1 (2003) - Dependability management - Part 1: Dependability management systems IEC 62278 (2002) - Railway applications - Specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
Functional Safety
IEC 61508 - Functional safety of electrical/electronic/programmable electronic safety related systems (7 parts) IEC 61511 (2003) Functional safety - Safety instrumented systems for the process industry sector.
87
88