7.3.1 Introduction
As control systems have become more complex, the number of installed devices has multiplied, and each device can affect the overall reliability of the system. System failures, whether due to hardware or software problems, may cause downtime or compromise safety. To minimise downtime, vendors have developed products and solutions that provide fault tolerance through redundant hardware or software.
Hardware solutions include redundant power supplies, redundant processors, redundant I/O modules, multiple HMIs and redundant cabling. Software solutions might include installing nominally identical software on separate servers, or running different software versions in the master and slave controllers or PLCs. Figure 122 illustrates a typical distributed field station with redundancy built in, and the discussion below describes the different ways redundancy can be achieved.
Power supply redundancy: In Figure 122 each PSU is fed from a different UPS. The UPSs would normally be configured redundantly, each supplied from a different side of the bus. Each PSU feeds a separate PLC and I/O rack, providing complete isolation of supply. One disadvantage of this arrangement is that failure of a PSU will cause loss of a PLC and an I/O rack. An alternative power distribution configuration is to feed the output of both power supplies to each module through decoupling diodes, as shown in Figure 123, so that a short circuit in one PSU cannot affect the other. The diodes should be tested periodically: a diode that has failed short-circuit silently removes the isolation it was fitted to provide, and one that has failed open removes one of the two feeds, and neither fault is visible while both PSUs are healthy. A hidden failure of this kind means the redundancy has been lost without anyone being aware of it.
[Figure 122: redundant field station, showing two CPUs, each with its own PSU, and two I/O racks, each with its own PSU and analogue input, digital input, digital output and analogue output modules]
Figure 122 – Typical redundant field station
[Figure 123: the outputs of two PSUs combined through decoupling diodes]
Figure 123 – Redundant power supplies
PLC redundancy: This can be designed in several ways. The most common is a master/slave or 'hot standby' arrangement, where status is continuously monitored and data is synchronised between both controllers. On failure of the master there is a bumpless transfer to the slave. Only one controller actually outputs to the I/O modules.
An alternative is to allow both processors to act as peers; with both controllers outputting data to the I/O modules, voting is carried out by software algorithms and one or other of the signals is used.
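The peer arrangement only works if the voter handles the degraded cases explicitly: a controller that has stopped updating, and two live controllers that disagree. The following is an added example (not code from the original text or from any vendor's system) of such a voter. The agreement tolerance, the stale-sample age limit and the rule that controller A's value is used when both are live are assumptions made for illustration; the important property is that every state other than "both live and agreeing" raises an alarm instead of being silently accepted.

```python
"""Two-controller voting for a peer (non hot-standby) PLC pair.

Added example, not from the original text. The tolerance, the stale-sample
rule and the preference for controller A on disagreement are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Sample:
    value: Optional[float]   # None = controller produced no output
    age_ms: int              # time since the controller last updated it


MAX_AGE_MS = 200   # assumption: a sample older than this is treated as failed
TOLERANCE = 0.5    # assumption: engineering-unit band within which A and B agree


def is_live(s):
    """A controller counts as live only if it produced a fresh value."""
    return s.value is not None and s.age_ms <= MAX_AGE_MS


def vote(a, b, tolerance=TOLERANCE):
    """Return (output, status) for one pair of samples.

    status: 'agree'        both live and within tolerance, A's value used
            'discrepancy'  both live but disagree, A's value used, alarm
            'a-only'       B failed, survivor used, alarm
            'b-only'       A failed, survivor used, alarm
            'no-output'    neither live, None returned, alarm
    """
    la, lb = is_live(a), is_live(b)
    if la and lb:
        if abs(a.value - b.value) <= tolerance:
            return a.value, "agree"
        return a.value, "discrepancy"
    if la:
        return a.value, "a-only"
    if lb:
        return b.value, "b-only"
    return None, "no-output"


ALARM_STATES = {"a-only", "b-only", "discrepancy", "no-output"}


def run(pairs):
    """Vote each (a, b) sample pair; return a list of (output, status, alarm)."""
    results = []
    for a, b in pairs:
        value, status = vote(a, b)
        results.append((value, status, status in ALARM_STATES))
    return results


if __name__ == "__main__":
    # Constructed samples: agreement, disagreement, one stale controller.
    demo = [
        (Sample(50.0, 10), Sample(50.2, 12)),
        (Sample(50.0, 10), Sample(55.0, 12)),
        (Sample(50.0, 10), Sample(50.0, 900)),
    ]
    for value, status, alarm in run(demo):
        print(f"output={value} status={status} alarm={alarm}")
```

A discrepancy is deliberately not resolved by averaging: averaging two values that disagree hides the fault, whereas selecting one and alarming keeps the operator in the loop.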
I/O module redundancy: Identical racks can be configured to ensure each line of field I/O is duplicated; in this way the total failure of a single rack will not affect the operation.
Although this gives excellent fault tolerance it is expensive and somewhat complicated to implement. A more usual configuration is to split the I/O logically between the racks or I/O modules. Loss of a rack, or of the power supply to a rack, may reduce the redundancy of the system and some field I/O will be lost, but correct mapping of the I/O ensures that fault tolerance is maintained. For example, from Figure 122, if pumps operate in a duty/standby configuration, control of one pump is by I/O rack 1 and the other by I/O rack 2. Although loss of I/O rack 1 causes loss of communication with the duty pump, the system can still start the standby pump as a precaution if required. Fail 'as set', where the device holds its last commanded state on loss of control, is the preferred failure mode for most propulsion related equipment such as pumps and cooling water valves. Some classification societies require a pulse-to-start, pulse-to-stop control strategy, so that loss of the control signal does not by itself stop a running pump.
Sensor redundancy: Some critical systems have twin sensors located close together, or even within the same unit. If either or both sensors register the condition the same action is taken, so the pair can be considered part of the redundancy scheme. Once again, redundancy is enhanced if the outputs from the two sensors are mapped to different I/O modules.
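The mapping rule in the two paragraphs above (duty/standby pumps on different racks, twin sensors on different I/O modules) is easy to state and easy to violate during a later modification. The following added example, which is not from the original text or from any vendor's tooling, checks an I/O allocation for redundant pairs that share a single rack or a single PSU, and lists what survives a given single failure. The tag names, the rack-to-PSU assignment and the allocation itself are constructed for illustration; the one-PSU-per-rack model matches Figure 122, not the diode-coupled arrangement of Figure 123.

```python
"""Single-point-of-failure check for a redundant I/O allocation.

Added example, not from the original text. The I/O map, tag names and the
rack-to-PSU assignment are constructed for illustration.
"""

# Constructed: which PSU feeds which I/O rack (Figure 122 style: one PSU
# per rack, each PSU on a different UPS).
RACK_PSU = {"rack1": "PSU1", "rack2": "PSU2"}

# Constructed: the rack each field tag is wired to. The two LO pressure
# sensors are (wrongly) both on rack 1 to show what the check reports.
IO_MAP = {
    "SW-CW-PUMP-A": "rack1",
    "SW-CW-PUMP-B": "rack2",
    "LO-PRESS-1": "rack1",
    "LO-PRESS-2": "rack1",
}

# Constructed: pairs that are supposed to back each other up.
REDUNDANT_PAIRS = [
    ("SW-CW-PUMP-A", "SW-CW-PUMP-B"),   # duty/standby pumps
    ("LO-PRESS-1", "LO-PRESS-2"),       # twin sensors
]


def shared_dependencies(tag_a, tag_b, io_map, rack_psu):
    """Return the components whose single failure would take out both tags."""
    rack_a, rack_b = io_map[tag_a], io_map[tag_b]
    shared = set()
    if rack_a == rack_b:
        shared.add(rack_a)
    if rack_psu[rack_a] == rack_psu[rack_b]:
        shared.add(rack_psu[rack_a])
    return shared


def check_allocation(pairs, io_map, rack_psu):
    """Return {pair: shared components} for every pair that is not independent."""
    findings = {}
    for a, b in pairs:
        shared = shared_dependencies(a, b, io_map, rack_psu)
        if shared:
            findings[(a, b)] = shared
    return findings


def survivors(failed_component, io_map, rack_psu):
    """Tags still reachable after the named rack or PSU fails."""
    alive = []
    for tag, rack in io_map.items():
        if rack != failed_component and rack_psu[rack] != failed_component:
            alive.append(tag)
    return alive


if __name__ == "__main__":
    for pair, shared in check_allocation(REDUNDANT_PAIRS, IO_MAP, RACK_PSU).items():
        print(f"{pair}: both lost if {sorted(shared)} fails")
    print("after loss of rack1:", survivors("rack1", IO_MAP, RACK_PSU))
```

Run against the constructed allocation, the check flags the LO pressure pair (both lost on failure of rack 1 or PSU 1) and shows that loss of rack 1 leaves only the standby pump reachable, which is exactly the situation the text describes.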
Data communication redundancy: Data communication redundancy was discussed in the section on network topologies. The favoured solution at this time for the control network is Ethernet in a star/bus topology. It is normally installed as a dual independent system nominally net A and net B. All aspects of the network are duplicated including cabling, switches, Ethernet adapters, network interface cards (NIC). The drawing at Figure 124 illustrates this by showing separate net A and net B cabling to each of the PLCs. Within the communication module on the PLC there will be individual Ethernet interface adapters.
Figure 124 shows a typical DP/VMS control network. The network switches and any medium converters (STP to fibre) are housed in network distribution units (NDU). It can be seen that losing any single node on the network or any active component (like a switch) will not affect the operation of the overall system as communication is still operational on the
Thruster FS – Thruster Field Station
Aux FS – Auxiliary Field Station
PMS FS – Power Management Field Station
DPC – Dynamic Positioning Controller
Figure 124 – Typical control network
Normally there is no redundant cabling to the field I/O or even between field stations and main units like the generator control panels or MCCs. Communication is normally via a single Modbus or Profibus connection. However, on safety critical systems such as fire and gas, where a fieldbus connects the vendor specific equipment to the VMS system for activation of CO2, closing of dampers and ventilation etc., it is normal to have a dual Profibus link for redundancy purposes.
7.3.2 Alarm and Monitoring
Most DCS vendors provide an alarm and monitoring system as an integral part of their delivery; if not, it is available as an optional extra. The main purpose of the alarm and monitoring system is to give the operators the basic alarm and status information they require to maintain safe and efficient operation of the plant. Information relating to power management, propulsion, ballast control, HVAC, safety systems etc. should all be available.
To provide this data the distributed control system processes information from a multitude of different sources. It is not unusual for a system to interrogate over 2000 separate I/O devices and large vessels may have upwards of 5000 I/O.
Alarms: Built-in diagnostics should ensure that inconsistencies in expected results are detected and reported. These inconsistencies may be due to faulty field equipment, faulty wiring, logic errors, incorrect configuration etc. The operator is made aware of these anomalies by audio and visual alarms. The audio alarms are normally buzzers at the VMS operator stations (OS). This is usually a generic alarm that the operator silences locally at one of the HMIs. The audio alarm is accompanied by a visual alarm on a reserved part of the screen at the operator station.
As all operator stations are peers, the visual alarm will show at each station. This is normally a banner alarm with a brief description of the fault and the tag number or I/O module generating the fault. Although different vendors have different systems, the alarm is normally colour coded with separate colours for severity of fault (yellow or red). Safety critical faults may have a different coloured banner.
Alarm printers are provided to give immediate hardcopy reports of alarms and incidents. Historically these were parallel-port dot matrix printers with continuous-form output. In new or upgraded systems they are being superseded by network-fed single-sheet laser printers, connected over an Ethernet network that links each HMI to the printer. This is a separate network from net A and net B discussed earlier under the control network, and is normally referred to as net C or the 'admin net'. There is no requirement for redundancy in this network, as no control functions are involved; it should nevertheless stay physically separate from net A and net B, so that a fault or intrusion on the admin side cannot reach the control networks.
Monitoring: Continuous monitoring of control functions is carried out by the alarm and monitoring system with all alarms and process events stored in a database within each operator station. Relevant parts of this history log can be called up within user-defined time slices and all alarms and events displayed. The operator can then use a search string to retrieve specific information.
To assist in fault analysis a history station can be provided, where in addition to alarms and process events, selectable vessel management parameters are recorded for a length of time decided by the operator. Information can then be offloaded to external media for in-depth analysis offsite, or fed into a simulator to recreate a specific situation. Software within the operator stations also allows real time trending of most power management and propulsion parameters.
[Figure 125: a field switch wired through the field I/O to an I/O module of the process station, with the signal taken to redundant RCU 1 and RCU 2; 24 V supply, 1.26 kΩ and 2.74 kΩ resistors; switch open: i = 6 mA, switch closed: i = 19 mA]
Figure 125 – Typical line monitoring circuit
Further monitoring is carried out, including line monitoring of discrete inputs. The simplified drawing at Figure 125 shows a basic line monitoring circuit with a single field input to redundant RCUs. The line to the switch is active at 24 V. With the switch open the current in the circuit is 6 mA; with the switch closed it is 19 mA. The values fit the figure: 24 V/(1.26 kΩ + 2.74 kΩ) = 6 mA and 24 V/1.26 kΩ = 19 mA, so the 2.74 kΩ resistor sits across the switch and is bypassed when it closes, while the 1.26 kΩ resistor remains in series. Any other current on the line is incorrect and raises an alarm: a broken wire or disconnected terminal gives no current at all, and a short across the line gives a current well above 19 mA, so neither can be mistaken for a legitimate switch state. This is what makes a cut, bridged or miswired cable detectable rather than silently read as 'switch open'. It should be noted that this circuit is for illustration of the principle only. In a real installation the resistor values would differ to take the resistance of the wire, impedance matching etc. into consideration.
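The following added example (not from the original text or any vendor's firmware) applies the Figure 125 principle in code: it derives the two legitimate loop currents from the figure's resistor values and supply voltage, then classifies measured currents into the two valid switch states or one of the fault states. The tolerance band, the open-circuit threshold and the short-circuit threshold are assumptions, as is the placement of both resistors at the field end so that a short on the cable run draws more than the switch-closed current.

```python
"""Line monitoring for a supervised discrete input (Figure 125 principle).

Added example, not from the original text. Resistor values, supply voltage
and the two legitimate currents come from the figure; the tolerance band and
the open- and short-circuit thresholds are assumptions.
"""
SUPPLY_V = 24.0
R_SERIES = 1260.0   # ohms, always in the loop
R_EOL = 2740.0      # ohms, across the switch, bypassed when the switch closes


def expected_currents_ma(v=SUPPLY_V, r_series=R_SERIES, r_eol=R_EOL):
    """Loop currents (mA) for the two legitimate states: switch open, switch closed."""
    i_open = v / (r_series + r_eol) * 1000.0
    i_closed = v / r_series * 1000.0
    return round(i_open, 1), round(i_closed, 1)


I_OPEN_MA, I_CLOSED_MA = expected_currents_ma()   # 6.0 and 19.0 from the figure

TOLERANCE_MA = 1.0        # assumption: acceptable band around each valid state
OPEN_CIRCUIT_MA = 1.0     # assumption: below this the wire is broken
SHORT_CIRCUIT_MA = 25.0   # assumption: above this the line is shorted


def classify(i_ma):
    """Map a measured loop current to a state; anything unexpected is a fault."""
    if i_ma < OPEN_CIRCUIT_MA:
        return "line_open_circuit"    # cut wire or disconnected terminal
    if i_ma > SHORT_CIRCUIT_MA:
        return "line_short_circuit"   # conductors bridged on the cable run
    if abs(i_ma - I_OPEN_MA) <= TOLERANCE_MA:
        return "switch_open"
    if abs(i_ma - I_CLOSED_MA) <= TOLERANCE_MA:
        return "switch_closed"
    return "line_fault"               # out of band: wrong resistor, corrosion, tamper


VALID_STATES = {"switch_open", "switch_closed"}


def scan(samples_ma):
    """Return (state, alarm) for each measured current in a constructed list."""
    results = []
    for i_ma in samples_ma:
        state = classify(i_ma)
        results.append((state, state not in VALID_STATES))
    return results


if __name__ == "__main__":
    # Constructed readings: healthy open, healthy closed, cut wire, short, drift.
    for state, alarm in scan([6.1, 18.8, 0.0, 40.0, 12.0]):
        print(f"{state:18s} alarm={alarm}")
```

The point a practitioner should take from this is the one the text makes: with only two resistors the input has four distinguishable conditions instead of two, so a cable fault (or a deliberate bridge across the loop) is reported rather than being read as a quiet switch.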
Appendix 1
Abbreviations List
A
ABS American Bureau of Shipping
AC Alternating current
ACB Air circuit breaker
ACCU Automatic control centralised unmanned
AFE Active front end
AHU Air handling unit
AHV Anchor handling vessel
AMOT Name of valve manufacturer
ANSI American National Standards Institute
ASCII American Standard Code for Information Interchange
AVR Automatic voltage regulator
B
BA Bus arbiter
BTT Bow tunnel thruster
C
CA Certifying authority
CAN Controller area network
CB Circuit breaker/control breaker
CW Clockwise
CCW Counter clockwise
CD Carrier detect/collision detect
CO2 Carbon dioxide
CoS Chamber of Shipping
CPP Controlled pitch propeller
CPU Central processing unit
CR Close relay
CRC Cyclic redundancy check
CSMA Carrier sense multiple access
CT Current transformer
D
DBR Dead bus relay
DBSR Dead bus slave relay
DC Direct current
DCS Distributed control system
DG Diesel generator
DGS Diesel generator set
DGPS Differential Global Positioning System
DI Digital input
DNV Det Norske Veritas
DO Diesel oil
DP Decentralised peripheral – when used as Profibus DP
DP Dynamic positioning
DPC Dynamic positioning console/cabinet
DPO Dynamic positioning operator
DPS Dynamic positioning system
DTE Data terminal equipment
DTL Definite time lag
E
E0 E Zero – DNV notation for unmanned machinery space
ECR Engine control room
EG Emergency generator
EGB Electric governor – backup
EPD Electrical power distribution
ER Engine room
ESD Emergency shut down
F
F&G Fire and gas
FIP Factory interface protocol
FMEA Failure mode and effect analysis
FMECA Failure modes and effects criticality analysis
FMS Factory message specification
FO Fuel oil
FS Field station
FW Fresh water
FWC Fresh water cooling
Fwd Forward
G
GIF Graphics Interchange Format
GPS Global Positioning System
GSD Generic station description
GTO Gate turn off (thyristor)
H
HF High frequency
HFO Heavy fuel oil
HMI Human machine interface
HO Heavy oil
HP High pressure
HPP Hydraulic power pack
HPR Hydro-acoustic position reference
HPU Hydraulic power unit
HT High temperature
HTFW High temperature fresh water
HV High voltage
HVAC Heating, ventilation and air conditioning
Hz Hertz
I
I> Low set current
I>> High set current
I/O Input/Output
IAS Integrated Automation System
ICMS Integrated control and monitoring system
ICS Integrated control system
IDMT Inverse definite minimum time
IEC International Electrotechnical Commission
IGBT Insulated gate bipolar transistor
IMCA International Marine Contractors Association
IMO International Maritime Organization
IP Internet Protocol
IP Industrial protocol
ISM International Safety Management
ISO International Organization for Standardization
J
JB Junction box
JPG JPEG – Joint Photographic Experts Group
JW Jacket water
K
Kbps Kilo bits per second
kN Kilo newton
kV Kilo volt
kVA Kilo volt ampere
kVAr Kilo volt ampere reactive
kW Kilowatt
L
LAL Low level alarms
LCI Load commutated inverter
LCR Inductance (L), capacitance (C), resistance (R)
LED Light emitting diode
LHS Left hand side
LO Lub oil
LOA Length overall
LR Lloyd's Register
LRC Longitudinal redundancy check
LS Load sharing
LT Low temperature
LTFW Low temperature fresh water
LV Low voltage
M
mA Milliamps
MAC Medium access control
MAP Main alarm panel
MARPOL Marine Pollution (International Convention for the Prevention of Pollution from Ships)
MAU Medium access unit
MBC Micro biological contamination
Mbps Mega bits per second
MCB Miniature circuit breaker
MCC Motor control centre
MCCB Moulded case circuit breaker
MCOS Manual changeover system
MCR Maximum continuous rating
MDO Marine diesel oil
MFR Multi function relay
MGE Main generator engine
MGP Multi generator protection
MMI Man machine interface
MODU Mobile offshore drilling unit
MRU Motion reference unit
MSB Main switchboard
MSC Maritime Safety Committee
MTC Manual thruster controls
MUX Multiplexer
MVA Mega volt ampere
MVAr Mega volt ampere reactive
MVR Manual voltage regulator
MW Megawatt
N
NC Normally closed
NDE Non drive end
NDU Network distribution unit
NIC Network interface connector/card
NO Normally open
NPS Negative phase sequence
NRZ Non return to zero
O
O2 Oxygen
O/C Open circuit
OIM Offshore installation manager
OLE Object linking and embedding
OLM Optical link module
OPC Object linking and embedding for process control
OPLS Oil pressure low shutdown
OS Operator station/outstation
OSI Open system interconnection
OSV Offshore supply vessel
OT Operator terminal
P
PA Power available
PC Personal computer
PCU Process control unit
PDC Producer/distributor/consumer
PID Proportional, integral and derivative
PLC Programmable logic controller
PMG Permanent magnet generator
PMS Power management system
PS Process station
psi Pounds per square inch
PSU Power supply unit
PWM Pulse width modulation
Q
QC Quick closing
QCV Quick closing valve
QoS Quality of service
R
RAM Random access memory
RCS Remote control system
RCU Remote control unit
RHS Right hand side
RMS Root mean square
ROV Remotely operated vehicle
RP Reverse power
RPM Revolutions per minute
RTD Resistance temperature device
S
s Second(s)
S/C Short circuit
SCADA Supervisory control and data acquisition
SCR Silicon controlled rectifier
SLD Single line diagram
SMS Safety management system
Stbd Starboard
STP Shielded twisted pair
SW Sea water
SWBD Switchboard
SWG Standard wire gauge
T
TC Thruster controller
TCP/IP Transmission control protocol/internet protocol
TDAVR Thyristor divert automatic voltage regulator
THD Total harmonic distortion
TMCC Thruster motor control centre
TMS Thruster management system
TW Taut wire
U
UHF Ultra high frequency
UMS Unattended machinery space
UPS Uninterruptible power supply
V
V Volts
VAr Volt ampere reactive
VAS Vessel automation system
VCB Vacuum circuit breaker
VDU Visual display unit
VENT Ventilation
VHF Very high frequency
VFD Variable frequency drive
VMS Vessel management system
VSD Variable speed drive
VT Voltage transformer
W
WCFDI Worst case failure design intent
Z
Z Impedance