Modern DCS systems are major distributed networks with multiple data transmission paths which, in the interests of security and the highest plant availability, are almost always duplicated and made redundant.
This article describes how FOUNDATION fieldbus systems can now incorporate redundancy and fault-tolerance right down to the field layer (FF-H1). The major impact is on project ROI and plant revenues, and only FOUNDATION technology can offer this level of security and benefit to the plant operator.
It is almost ironic; network cables in the benign, well-managed control room environment are almost always made redundant whereas field cables exposed to the harsh and sometimes corrosive environment of the modern industrial plant have to fend for themselves.
Of course, while the field cables carried simple point-to-point 4-20mA signals, redundancy wasn’t really a concern in general, and specific devices could be duplicated as required. However, now that the lowest fieldbus physical layer carries data from up to 32 devices, the vulnerability of that cable can constitute a reliability issue, particularly if those devices are safety-related or process-critical.
Conventional fieldbus segment design does not lend itself to any version of fault-tolerance except through complete and wholesale duplication, and in a systems context, that duplication brings with it a requirement for ‘special’ software to implement 1oo2/2oo3 voting schemes and special measures for safe maintenance and device replacement.
In 2007, a new fault-tolerant segment design was released that permits a far higher segment MTBF than conventional designs without any special software in the DCS and for only the additional cost of an extra trunk cable. Working with a major DCS company and a major Oil/Gas company, this package was installed on a set of platforms in the South China Sea simply to mitigate the huge financial risk associated with loss of control. The question is, does this increase in availability really make any significant difference to the economics of the general fieldbus installation?
The answer is not a simple ‘yes’ or ‘no’, because a fault-tolerant system allows a user to make permutations that match the desire for high plant availability against a budget for the systems hardware. These permutations (simplex vs duplex vs fault-tolerant) were simply not possible in previous fieldbus physical layer products.
The standard segment design process takes two controllers (H1 cards), two power conditioners and connects to the field using a single cable. This can be called a duplex segment design. Based on conventional MTBF data books and data from other sources we can evaluate the MTBF of such a segment. Figure 1 shows such a segment and the physical layer components in that configuration give a calculated MTBF of some 50 years.
Some users also admit to the possibility that some FF devices are not that critical to plant operation, and that these devices can be connected via a single controller. If this were to be allowed, a new segment design could be used, called a simplex segment as indicated in figure 2. The physical layer components in that configuration give a calculated MTBF of some 30 years. Regrettably, very few project specifications allow for simplex segments, which may be because most vendors only offer duplex segments.
The fault-tolerant design utilises a unique power conditioner that can detect open-circuit and short-circuit conditions in the field at up to 1000m of standard cable. It is matched to a field wiring hub that can react to the loss of a trunk cable (out of an active pair) by automatically terminating the segment via the remaining cable. (It may be a surprise to many but standard power conditioners do not effectively detect field short-circuits over a couple of hundred metres and, when faced with a remote short-circuit, the standard power conditioner simply tries to drive into what it thinks is a high load, getting progressively hotter and hotter until premature failure).
The fault-tolerant segment design takes two controllers, two advanced power conditioners and a high-integrity wiring hub, but connects to the field with two trunk cables, one per power conditioner. The segment layout is as indicated in Figure 3, and the calculated MTBF is around 350 years. This is a factor of 10x the simplex segment, and 7x the duplex segment, for the cost of an extra cable.
Significantly, this version of fault-tolerance does not depend upon monitoring and switching mechanisms. Both trunks are continuously active, as opposed to the alternative ‘one active, one hot spare’ configuration. Designing systems for redundancy using watchdogs and switches is inherently complex and rarely results in improvements in MTBF, since the failure rate of the switch acts against the parallel failure rate of the ‘spare’ trunk.
This version of fault-tolerance meets the requirements of FF Safety Instrumented Systems since there are very few un-revealed faults, and the highly critical ‘Probability of Failure on Demand’ factor is kept low by continuous diagnostics and simple non-destructive testing — unplugging one of the trunk cables annually demonstrates the safety functionality in a similar fashion to partial stroke testing of shutdown/isolation valves.
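The three layouts above can be compared with a simple reliability-block model, which is what the MTBF figures quoted for Figures 1 to 3 ultimately rest on. The script below is an added illustration and not MooreHawke’s calculation: every component failure rate in it is a constructed round number (not data-book data), the exposure time is an assumption, and the duplicated items are treated as a repairable 1oo2 pair whose failure rate is approximated by 2·λ²·exposure, with the single-point items (trunk and coupler in the duplex case, only the coupler in the fault-tolerant case) in series. It also shows why the continuous diagnostics in L13 matter: the same hardware with faults found only at an annual test has a longer exposure time and a lower MTBF.

```python
"""Segment MTBF from a reliability-block model of the three FF-H1 layouts.

Added illustration, not MooreHawke's calculation. Assumptions:
  * constant (exponential) failure rates for every component;
  * the duplicated items (H1 card + power conditioner, plus the trunk in the
    fault-tolerant layout) form a repairable 1oo2 pair whose failure rate is
    approximated by 2 * lambda**2 * exposure_hours (both halves down at once);
  * the non-duplicated items stay in series with that pair.
The per-component failure rates are constructed round numbers, not data-book
values; substitute your own.
"""
HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # one failure per 1e9 hours

# Constructed failure rates (per hour), NOT vendor data.
LAMBDA = {
    "h1_card": 2000 * FIT,
    "power_conditioner": 1500 * FIT,
    "trunk_cable": 800 * FIT,
    "coupler": 500 * FIT,
}


def series_rate(*names):
    """Failure rate of components in series: rates simply add."""
    return sum(LAMBDA[n] for n in names)


def pair_rate(branch_rate, exposure_hours):
    """Failure rate of two identical, continuously active, repairable branches.

    The segment is lost only if the second branch fails while the first is
    still down. Each branch is down for exposure_hours per failure, so the
    first-order approximation is 2 * lambda * (lambda * exposure_hours).
    exposure_hours is the MTTR when the fault is revealed at once, or half
    the test interval when it is only found by periodic testing.
    """
    return 2.0 * branch_rate * branch_rate * exposure_hours


def segment_mtbf_years(layout, exposure_hours=24.0):
    """Return the MTBF in years for 'simplex', 'duplex' or 'fault_tolerant'."""
    if layout == "simplex":
        # One H1 card, one power conditioner, one trunk, one coupler, all in series.
        rate = series_rate("h1_card", "power_conditioner", "trunk_cable", "coupler")
    elif layout == "duplex":
        # Card + conditioner duplicated; the single trunk and coupler stay in series.
        rate = (pair_rate(series_rate("h1_card", "power_conditioner"), exposure_hours)
                + series_rate("trunk_cable", "coupler"))
    elif layout == "fault_tolerant":
        # Card + conditioner + its own trunk duplicated; only the wiring hub is single.
        rate = (pair_rate(series_rate("h1_card", "power_conditioner", "trunk_cable"),
                          exposure_hours)
                + series_rate("coupler"))
    else:
        raise ValueError(f"unknown layout: {layout}")
    return 1.0 / rate / HOURS_PER_YEAR


def compare(exposure_hours=24.0):
    """MTBF of each layout (years) and its ratio to the simplex segment."""
    out = {}
    base = segment_mtbf_years("simplex", exposure_hours)
    for layout in ("simplex", "duplex", "fault_tolerant"):
        mtbf = segment_mtbf_years(layout, exposure_hours)
        out[layout] = (round(mtbf, 1), round(mtbf / base, 1))
    return out


if __name__ == "__main__":
    # Revealed faults repaired within a day vs. faults only found at an annual test.
    for exposure, label in ((24.0, "24 h repair"), (HOURS_PER_YEAR / 2, "annual test only")):
        print(label)
        for layout, (years, ratio) in compare(exposure).items():
            print(f"  {layout:15s} {years:7.1f} years  ({ratio}x simplex)")
```

With the constructed rates the ordering and the rough ratios (duplex a few times the simplex figure, fault-tolerant roughly ten times) come out as the article describes, while the absolute numbers depend entirely on the inputs; the point to take from it is that the single-trunk items dominate once the card/conditioner pair is duplicated, which is why moving the trunk into the duplicated pair is the step that matters.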
Segment design costs
For example, let’s base this discussion on a plant with 120 segments, or about 1440 fieldbus instruments, such as flow transmitters, valve controllers, etc. This plant can be described in terms of how many segments are related to control of the plant, and how many are related to simple monitoring. Let’s say that 80 segments are monitoring-only and 40 segments have control.
Of the 40 control segments, let’s say that 12 segments have loops which are process-critical (failure in any of those segments would cause immediate plant shut-down or product that was out of specification and hence unsellable). Segment types and numbers: Monitoring (80), Control-Related (28), Process Critical (12), Total (120).
Let’s assume the following prices for fieldbus equipment:
$590 Power Conditioner
$360 Carrier, 4-segment, Simplex
$480 Carrier, 4-segment, Duplex
$420 Carrier, 4-segment, Fault-Tolerant
$680 Diagnostics Module, Standard
$530 Standard Coupler, 12-spur
$1050 High-Integrity Coupler, 12-spur
$750 Trunk cable
We can now start to compare costs between the conventional design and the new approach.
Conventional segments:
30x $480 Carriers, 4-segment, Duplex (1 per 4 segments)
240x $590 Power Conditioners (2 per segment)
30x $680 Diagnostics Module, Standard (1 per 4 segments)
120x $530 Standard Coupler, 12-spur (1 per segment)
120x $750 Trunk cable (1 per segment)
Total (conventional) $330,119
Simplex segments:
20x $360 Carrier, 4-segment, Simplex (1 per 4 segments)
80x $590 Power Conditioner (1 per segment)
20x $680 Diagnostics Module, Standard (1 per 4 segments)
80x $530 Standard Coupler, 12-spur (1 per segment)
80x $750 Trunk cable (1 per segment)
Duplex segments:
7x $480 Carrier, 4-segment, Duplex (1 per 4 segments)
56x $590 Power Conditioner (2 per segment)
7x $680 Diagnostics Module, Standard (1 per 4 segments)
28x $530 Standard Coupler, 12-spur (1 per segment)
28x $700 Trunk cable (1 per segment)
Fault-tolerant segments:
6x $420 Carrier, 4-segment, Fault-Tolerant (2 per 4 segments)
24x $590 Power Conditioner (2 per segment)
6x $680 Diagnostics Module, Standard (2 per 4 segments)
12x $1050 High-Integrity Coupler, 12-spur (1 per segment)
24x $750 Trunk cable (2 per segment)
Total (new approach) $299,376
The conventional approach for 120 segments takes 240 power conditioners.
The new approach allows savings for the 80 monitoring-only (simplex) segments as these have only one power conditioner. (Of course, the conventional system could also fit single power conditioners but since they still have duplex carriers, two power conditioners are fitted by everyone as a matter of routine.) The duplex segments have dual power conditioners as is common practice, and the fault-tolerant segments also have two power conditioners but physically separated onto different carriers and connected to the field through 2 cables. In total, the new approach has 160 power conditioners.
The net result is that this new approach leads to somewhat lower costs, even when allowing for the additional trunk cable used in the fault-tolerant segment layouts. The savings may be greater still; many end-user specifications restrict process-critical segments (commonly defined as ‘level 1 criticality’) to having just one valve and one transmitter in that segment. It seems ridiculous to install a fieldbus segment with just 2 devices, but in the conventional single-trunk configuration, that is deemed necessary to minimise the risk of accidental plant shutdown.
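The bill-of-materials comparison above is easy to get wrong by hand, so here it is as an added script (not MooreHawke’s pricing tool). It takes the unit prices from the list above and the quantity rules given with each layout (carriers and diagnostics modules shared by four segments, two per four on the fault-tolerant carrier, one trunk per power conditioner) and sums the line items for any mix of segment types. It applies the $750 trunk price to every layout; summed this way the line items come to $330,000 for the conventional plant and $298,760 for the new approach, so anyone reusing the figures should reconcile them against their own quotations rather than the rounded totals quoted.

```python
"""Bill-of-materials cost for the segment mixes discussed above.

Added example, not MooreHawke's pricing tool. Unit prices are the ones
listed in the article; quantity rules follow the per-layout notes
(shared items are one per N segments, rounded up). The $750 trunk price
is applied to every layout.
"""
import math

PRICES = {
    "power_conditioner": 590,
    "carrier_simplex": 360,
    "carrier_duplex": 480,
    "carrier_fault_tolerant": 420,
    "diagnostics_module": 680,
    "coupler_standard": 530,
    "coupler_high_integrity": 1050,
    "trunk_cable": 750,
}

# ("shared", N): one item per N segments, rounded up; ("each", N): N per segment.
LAYOUTS = {
    "simplex": {
        "carrier_simplex": ("shared", 4),
        "diagnostics_module": ("shared", 4),
        "power_conditioner": ("each", 1),
        "coupler_standard": ("each", 1),
        "trunk_cable": ("each", 1),
    },
    "duplex": {
        "carrier_duplex": ("shared", 4),
        "diagnostics_module": ("shared", 4),
        "power_conditioner": ("each", 2),
        "coupler_standard": ("each", 1),
        "trunk_cable": ("each", 1),
    },
    "fault_tolerant": {
        "carrier_fault_tolerant": ("shared", 2),   # 2 carriers per 4 segments
        "diagnostics_module": ("shared", 2),       # 2 modules per 4 segments
        "power_conditioner": ("each", 2),
        "coupler_high_integrity": ("each", 1),
        "trunk_cable": ("each", 2),                # one trunk per conditioner
    },
}


def bom(layout, n_segments):
    """Return {item: (quantity, line_cost)} for n_segments of one layout."""
    lines = {}
    for item, (mode, n) in LAYOUTS[layout].items():
        qty = math.ceil(n_segments / n) if mode == "shared" else n_segments * n
        lines[item] = (qty, qty * PRICES[item])
    return lines


def plant_cost(mix):
    """Total cost and power-conditioner count for a {layout: segment_count} mix."""
    total, conditioners = 0, 0
    for layout, n in mix.items():
        for item, (qty, cost) in bom(layout, n).items():
            total += cost
            if item == "power_conditioner":
                conditioners += qty
    return total, conditioners


# The two plants compared in the article: 120 duplex segments versus
# 80 monitoring-only simplex, 28 duplex and 12 fault-tolerant segments.
CONVENTIONAL = {"duplex": 120}
NEW_APPROACH = {"simplex": 80, "duplex": 28, "fault_tolerant": 12}

if __name__ == "__main__":
    for name, mix in (("conventional", CONVENTIONAL), ("new approach", NEW_APPROACH)):
        total, pcs = plant_cost(mix)
        print(f"{name:13s} ${total:,}  ({pcs} power conditioners)")
    saving = plant_cost(CONVENTIONAL)[0] - plant_cost(NEW_APPROACH)[0]
    print(f"CAPEX saving ${saving:,}")
```

Changing the mix (for instance making all 40 control segments fault-tolerant, or moving the 12 critical segments back to single-trunk two-device segments as many specifications require) is a one-line edit to `NEW_APPROACH`, which is the kind of permutation the article says the fault-tolerant product makes possible.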
Failure analysis
Since we are comparing a conventional fieldbus physical layer with a fault-tolerant physical layer, we can effectively ignore all other sources of plant stoppage (blocked lines, primary power outage, pump seal failure, etc.) in this analysis. We are concerned only with the cost incurred if a fieldbus power conditioner or segment cable fails.
Let’s assume that the cost of a spurious trip in a plant of this size is $378,050. The spurious trip rate due to the standard fieldbus system is estimated as once every 5 years, and the spurious trip rate resulting from a failure in the fault-tolerant fieldbus system is estimated once every 25 years (we can demonstrate that the fault-tolerant design generates a 10-fold improvement in segment MTBF, so assuming only a 5-fold improvement is conservative).
The annual cost of spurious trips for the conventional plant is $378,050 / 5 years = $75,550/yr. The annual cost of spurious trips for a fault-tolerant plant is $378,050 / 25 years = $15,100/yr. The potential benefit is therefore $60,400/yr (50,000 — 10,000).
Another analysis concerns the cost benefit over the investment lifecycle of any plant, which modern technology has reduced to something like 10 years. In this case, the fault-tolerant system represents a CAPEX saving ($330,683 - $299,641 = $31,042) which generates $50,555 at, say, 5% for 10 years.
Therefore, selecting a fault-tolerant system generates:
CAPEX return: $50,555 (savings in capital expense)
OPEX return: $604,712 (savings in spurious trips)
Total: $655,538 (‘free’ additional income over 10 years)
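The lifecycle figures above follow from three small calculations: expected trip cost per year is trip cost divided by the mean interval between trips, the CAPEX saving is compounded at the chosen rate, and the OPEX saving is the annual benefit over the horizon. The script below is an added example, not the article’s spreadsheet; it uses the figures stated above as inputs and adds one extra number the article does not compute, the present value of the avoided trips, which is the most a plant could pay for fault tolerance over and above the conventional design and still break even over the horizon.

```python
"""Spurious-trip cost and lifecycle return for the two fieldbus designs.

Added example, not the article's own spreadsheet. Inputs are the figures
stated above (trip cost, trip intervals, CAPEX saving, 5 % over 10 years).
The break-even figure is an extra calculation: the present value of the
avoided trips, i.e. the most extra CAPEX that fault tolerance could cost
and still pay for itself over the horizon.
"""

TRIP_COST = 378_050.0            # cost of one spurious trip, from the article
MTBT_CONVENTIONAL_YEARS = 5.0    # mean time between fieldbus-caused trips
MTBT_FAULT_TOLERANT_YEARS = 25.0
CAPEX_SAVING = 31_042.0          # as stated above
RATE = 0.05
HORIZON_YEARS = 10


def annual_trip_cost(trip_cost, mean_years_between_trips):
    """Expected yearly cost of spurious trips."""
    return trip_cost / mean_years_between_trips


def future_value(amount, rate, years):
    """Amount compounded annually at `rate` for `years`."""
    return amount * (1 + rate) ** years


def annuity_present_value(yearly_amount, rate, years):
    """Present value of a level yearly cash flow received at each year end."""
    return yearly_amount * (1 - (1 + rate) ** -years) / rate


def lifecycle_returns(trip_cost=TRIP_COST,
                      mtbt_conventional=MTBT_CONVENTIONAL_YEARS,
                      mtbt_fault_tolerant=MTBT_FAULT_TOLERANT_YEARS,
                      capex_saving=CAPEX_SAVING,
                      rate=RATE, years=HORIZON_YEARS):
    """All the figures of the article's lifecycle argument, in one dict."""
    conv = annual_trip_cost(trip_cost, mtbt_conventional)
    ft = annual_trip_cost(trip_cost, mtbt_fault_tolerant)
    yearly_benefit = conv - ft
    capex_return = future_value(capex_saving, rate, years)
    opex_return = yearly_benefit * years
    return {
        "annual_trip_cost_conventional": round(conv, 2),
        "annual_trip_cost_fault_tolerant": round(ft, 2),
        "annual_benefit": round(yearly_benefit, 2),
        "capex_return": round(capex_return, 2),
        "opex_return": round(opex_return, 2),
        "total_return": round(capex_return + opex_return, 2),
        # Extra: how much more the fault-tolerant hardware could cost and still
        # break even, discounting the yearly benefit back to today.
        "break_even_extra_capex": round(annuity_present_value(yearly_benefit, rate, years), 2),
    }


if __name__ == "__main__":
    for key, value in lifecycle_returns().items():
        print(f"{key:32s} ${value:,.2f}")
    # Sensitivity: the same plant with only a 2x trip-rate improvement.
    cautious = lifecycle_returns(mtbt_fault_tolerant=10.0)
    print(f"{'opex_return at 2x improvement':32s} ${cautious['opex_return']:,.2f}")
```

The keyword arguments make the sensitivity analysis the article invites (different trip cost, a less generous trip-rate improvement, a different discount rate) a one-call change; the break-even figure is the one to hand to the financial reviewers, since it bounds the hardware premium that would still be justified even if the CAPEX saving did not materialise.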
This is, of course, a very simplified argument made by a systems engineer and not an accountant, and all the assumptions are open to re-interpretation by appropriate financial experts and operations managers. For example, there is no separate accounting of systems design time, maintenance costs, repair times, spares stock holding etc.
Current suppliers of power conditioners frequently sell at massive discounts in order to win market share over their rivals. However, the fault-tolerant system discussed here does not demand any specialised attention over the standard system, nor does it require any additional design & service costs – no special software is required, and the same power conditioner is used throughout.
The only real difference is that the fault-tolerant segments should be tested once a year, typically by unplugging one of the Power Conditioners or its cable, to demonstrate that the segment (& plant) continues to operate even with one failure. This level of testing helps to justify the low Probability of Failure on Demand claimed for the fault-tolerant segments.
Conclusion
It seems very clear that this new approach to segment design does not increase costs over a conventional ‘one-size-fits-all’ design; when the concept is properly applied, it actually costs less.
The resulting improvement in real plant availability creates still greater benefit for the plant operator, and the positive cash flow generated is both dramatic and undisputable. Prospective fieldbus users now have further evidence that Foundation technology will be an advantage for their plant and their management, and the uptake rate for Foundation fieldbus can only increase further, to dominate the landscape for industrial networking and process control.
Contact MooreHawke, a division of Moore Industries-International, Inc;
Mike O’Neill, director
Website: www.miinet.com/moorehawke
Email: moneill@miinet.com