Operating Blind on a DCS

Thread Starter

Rob Bronson

During my 15 years in the control system business I have seen total lockout of multiple operator stations on a plant DCS once and heard about it perhaps three times. I am wondering if the use of "third party" PCs and industry-standard Ethernet is increasing this unacceptable event. Please let me know if you have had any issues with total loss of process view using any of the modern DCSs, i.e., DeltaV, PlantSCAPE, ControlIT etc.
 
Chris Jennings

I have gone close to losing all operator screens once. We have an ABB Conductor NT 4.0 system for viewing an ABB Infi90 control system in a continuous pulp digester plant. The cause was a faulty network device that was affecting a network hub. The actual root cause was bad quality power to the network device.

We lost all operator stations. But we had one server up and operating, which could be used as an operator station. That has always been regarded as the fall back position.

I'm not a big fan of the redundant server config of the Conductor NT system. With the Conductor VMS (OpenVMS) operator stations we had three standalone consoles. It means more work to keep them in sync, but also if one dies it doesn't affect the others. Because the Conductor NT server HAS to communicate via the network to the clients, this introduces another point of failure.

Other, better DCSs have redundant networks (usually fibre) that make the situation bearable.

--
Chris Jennings
Elect/Control Engineer
Australian Paper Maryvale
 
I don't know if my story was one of your four known incidents, except we called it DCS lockup. It occurred in a mid-west refinery.

Conversion to an upgraded DCS had been completed on this day. On a success high, management decided to also commission a co-generation unit. Unfortunately its synchronizer had not been properly checked out. Upon closure with the power grid, the co-gen unit tripped off-line. Almost simultaneously the utility connection was lost. The consequent alarm load was so great that the DCS locked up. The emergency generator started and instrument load rode through the disturbance. Unfortunately, with loss of utility the control room went dark.

Fortunately, boilers had not yet been converted to DCS. One board operator jumped over the DCS console, placed 3 boilers into manual, and was able to keep them on line with others lighting his boards with flashlights. Alarm noise was deafening. Instrument techs actually cut audible device wiring. After one hour, all non-employees were directed out of the plant. Fortunately, with steam availability and diesel-driven cooling water pumps, the plant recovered. The only incident involving human distress... an employee was trapped in a coker elevator.

Regards,
Phil Corso, PE
(Boca Raton, FL)
 
Ethernet has been used in DCS for many, many years. It appears to me it is not new.

Since the visibility of the entire plant rests on the Ethernet, it should be redundant. In its simplest form this is through a ring topology.

Ideally, there should be two redundant and completely independent networks with separated wires and switches etc. The devices, servers and workstations need redundant Ethernet ports. This of course requires that the application layer protocol support complete LAN redundancy. The FOUNDATION(tm) HSE Fieldbus as used in the Smar SYSTEM302 is a good example.

It is also a good idea to use industrial grade gear, i.e. industrial temperature range and redundant power supply.

Jonas Berge
==================
www.smar.com
 
Y.K.JARIWALA

I have seen pneumatic instruments
ELECTRONIC INSTRUMENTS
MICROPROCESSOR BASED
DCS -MOTOROLA BASED-VERSA DOS OS
PLC/MMI- OS2
PLC/MMI- NT
DCS- NT.

The day customers demanded OPEN systems, they invited instability for themselves. Earlier standards were very vigorous, but now the basic standard we have set is INSTABILITY, and we have lost the right to ask for a better system. Still, there are better systems available.
 
Dear Forum Members,

The loss of the operator screens has happened in our unit more than ten times, because of the Conductor NT redundant server.
The redundant server dies by itself due to heavy memory leakage, and in parallel it also kills the primary server and clients.
Crashing of the system was very frequent in older versions of the Conductor NT.
We were lucky that we did not stop the factory because of losing the Operator Interface Stations, because the backbone of the control system is BAILEY INFI90, which was rugged, and the factory ran without an Operator Interface Station for three hours. The boiler also ran for three hours. The Bailey INFI90 loop and its MFPs and networking devices are very rugged and reliable, and INFI90 is also quite reliable.

Taking the control system OIS reliability into consideration, we split the existing network into two parts. Both the databases were the same, both the trends were the same, both the graphics were the same. The two servers were connected to different ICI units in different control rooms and to different UPS systems.
Basically, Conductor NT itself will create more network traffic between the client and server. The increased traffic will reduce the bandwidth on the networking hubs, which will occasionally cause the clients to inform you that a suitable server was not found.
Also, hubs were not intelligent devices: the broadcast messages will go to each and every port of the hub and then to each and every port of the computer, and will ask whether this information belongs to you; these also create excess traffic and reduce bandwidth.
To avoid this problem on the Ethernet we replaced the networking hubs with networking switches. Switches are intelligent devices, and the message will go directly to the concerned computer rather than going to each and every port as with hubs.
This intelligent device will reduce the network traffic and increase the network bandwidth.

After making these modifications to the Conductor NT, we have not faced any problems, and the system is quite reliable.

(The only drawback is that you need to do the modifications like adding tags, adding trends, and building the graphics on both the Conductor NT servers. But I feel this is the best way to prevent losing the screens and running around through the control rooms for starting and stopping of the computers. And also you need to restart the Windows-loaded machine at least once in six weeks; if we do not separate, this may happen to either server.)

Conductor NT ver 4.0 is free from memory leakage, and its service already fixes the encountered problems like crash, wrong system login, etc.

regards,
ravindra
 
Clifford Bosch

Some DCS suppliers such as Yokogawa have overcome most of these problems by firstly recommending reliable PCs such as HP or Dell, but mainly by providing a dual redundant proprietary comms protocol via co-ax or fibre optic. This eliminates probable failure due to Ethernet.
Also, database is identical in all HMI, so not reliant on a server.
More info on www.yokogawa.com ( CS3000 )
 