MURAKAMI Takeshi *1, MATSUDA Souichirou *1, NISHIDA Jun *1, OOSAKO Satoru *1
In recent years it has become increasingly common for plants to be provided not only with the control layer of a production control system (DCS, etc.), but also with the protection layer of a safety instrumented system (SIS) to reduce the risk of industrial accidents.
The safety instrumented system is indispensable for avoiding the risks of a plant failure. Inevitably, however, the system rarely operates in an actual plant and operators have few chances to use it, so a training system for operators has long been awaited. We have therefore developed a simulation environment that offers integrated training through which operators can learn how to handle both the DCS and the SIS properly in the event of a critical situation.
- *1 Industrial Automation Business Headquarters
In recent years it has become increasingly common for plants to be provided not only with the control layer of a production control system (DCS, etc.), but also with the protection layer of a safety instrumented system (SIS) to reduce the risk of industrial accidents. The safety instrumented system is indispensable for avoiding the risks of a plant failure. Inevitably, however, the system rarely operates in an actual plant. We have therefore developed a simulation environment that offers integrated training through which operators can learn how to handle both the DCS and the SIS properly in the event of a critical situation.
Figure 1 shows an example configuration of an integrated system comprising a Yokogawa ProSafe-RS safety system and CENTUM (CENTUM CS 3000 and CENTUM VP) production control system (1).
Figure 1 Example of a ProSafe-RS and CENTUM Integrated Production Control System Configuration
ProSafe-RS INTEGRATED SIMULATION ENVIRONMENT
Figure 2 ProSafe-RS and CENTUM Integrated Simulation Environment Configuration
Figure 2 shows a ProSafe-RS and CENTUM integrated simulation environment configuration. A ProSafe-RS safety control station (SCS) simulator, a CENTUM control station (FCS) simulator, and a plant simulator (from Omega Simulation) that can simulate the dynamic characteristics of an actual plant are connected to each other via a Vnet communication bus emulator. This configuration enables the SCS simulator and FCS simulator to perform safety logic operations and control computations based on input data from the plant simulator, and to output the results to the plant simulator. The plant simulator changes its internally held pressure, temperature, and other data according to dynamic characteristics equivalent to those of an actual plant. Since the SCS and FCS simulators can be operated and monitored from the CENTUM operation/monitoring station (HIS, or human interface station), these components can be combined to reproduce the overall operating environment of an actual plant, in which operators work with the DCS, the SIS, and the HIS.
Since the SCS simulator, FCS simulator, and Vnet communication emulator are implemented on a PC, the internal state of the simulators can be saved and later restored. For example, the conditions immediately before a plant failure occurs can be saved, and training for handling these critical conditions can be carried out repeatedly. The training simulator includes both the DCS and SIS functions, so it is possible to carry out integrated training that would otherwise be impossible in an environment made up of a combination of simulators from different vendors.
- HIS: CENTUM HIS (existing component)
- Plant simulator: OmegaLand (existing component)
- FCS simulator (existing component)
- SCS simulator (newly developed component)
- Vnet communication emulator (existing component)
When designing an SCS simulator, we reused the FCS simulator software resource that is already available for CENTUM.
Specifically, we took the application execution function (safety logic engine) from the SCS (actual device) and implemented it on the FCS simulator (Figure 3).
We used the FCS platform for the SCS (actual device) and partially modified the operating system to meet the safety requirements. Since self-diagnosis of the SCS actual device hardware is out of the scope of simulation, we did not implement these modifications in the "virtual operating system" shown in Figure 3, and instead used the virtual operating system of the FCS simulator as is.
Since the communication device is basically the same in both the FCS and SCS, the "virtual communication device" of the FCS simulator can also be used as is.
For ProSafe-RS, operation is already integrated in the actual device environment, whereas engineering has not been integrated yet. ProSafe-RS and CENTUM therefore each have an engineering function with a totally different architecture. To implement an integrated simulation environment under these conditions, the two architectures need to work in a coordinated manner. We therefore designed the system so that the SCS simulator is started from the ProSafe-RS engineering function via the CENTUM test function (Figure 4). This design enables the SCS simulator to be started from both the ProSafe-RS engineering function (SENG) and the CENTUM engineering function (System View). That means both CENTUM engineers and ProSafe-RS engineers can use the SCS and FCS integrated simulation environment. Moreover, since this structure internally uses the CENTUM test function from within the ProSafe-RS engineering function, the operation user interface, such as that for starting and stopping the SCS simulator, is common with that of CENTUM, so the operating procedure of the test function is shared between ProSafe-RS and CENTUM.
The SCS simulator is connected with the HIS and the ProSafe-RS engineering function via the Vnet communication emulator provided by the CENTUM simulation environment. This makes it possible, from the ProSafe-RS engineering function, to perform an online change download to the SCS simulator, to debug the application logic design, and to perform the same operations as on the actual SCS device.
KEY POINTS ON SAFETY STANDARDS CERTIFICATION
Figure 3 FCS Simulator and SCS Simulator
ProSafe-RS is a product conforming to the international safety standard IEC61508. The integrated simulation environment described in this paper is software running on a PC. However, to release it as part of ProSafe-RS, the IEC61508 safety certification needs to be obtained. What is important in obtaining the safety certification is to ensure that the safety function (the shutdown logic that is performed in the SCS) is not adversely affected.
Since the integrated simulation environment runs on a PC, no operation in the simulation environment has a direct impact on the SCS actual device.
As previously mentioned, however, the SCS simulator is started by the CENTUM test function. The CENTUM test function acquires the data necessary to execute the SCS simulator from the ProSafe-RS application project database and then calls up the SCS simulator. If the CENTUM software including the test function were to change the ProSafe-RS application project database on a PC, the SCS safety function would be subject to an indirect adverse impact.
To avoid such a risk, we designed the system so that the CENTUM test function does not directly refer to the ProSafe-RS application project database when it starts the SCS simulator (Figure 5). That means:
- The ProSafe-RS engineering function generates a database for the SCS simulator in the ProSafe-RS application project database.
- The ProSafe-RS engineering function copies the database for the SCS simulator to the CENTUM application project database.
- The ProSafe-RS engineering function starts the SCS simulator via the CENTUM test function.
- The CENTUM test function starts the HIS, Vnet communication emulator, and SCS simulator. When starting the SCS simulator, the test function informs the SCS simulator of the location of the database for the SCS simulator that is located in the CENTUM application project database.
- The SCS simulator refers to the database for the SCS simulator, the location of which is informed by the CENTUM test function, and executes its own control operation.
Figure 4 Engineering Functions and Simulators
Thus the CENTUM test function can start the SCS simulator without knowing the existence of the ProSafe-RS application project database, which reduces the possibility of mutual interference.
Another problem concerning the safety standard certification is how to prevent the operation and monitoring function from confusing its operation objects, that is, acting on the actual device when the simulator was intended, or vice versa.
When the CENTUM test function is started, the HIS also starts in simulation mode. A visual means is provided for operators to clearly recognize the simulation mode by, for instance, displaying the window frame in red.
The ProSafe-RS engineering function (SENG) also has a function to operate and monitor the conditions of application logic performed in the SCS. Even when the CENTUM test function is started on the same PC while the SENG operates and monitors the SCS actual device, the operation and monitoring function of the ProSafe-RS SENG continues to communicate with the SCS actual device. That means the same PC is shared by a program running in simulation mode and a program running in actual device mode. When the CENTUM test function is started and the window frame turns red, it looks as if the SCS simulator performs operation and monitoring; however, the ProSafe-RS SENG actually operates and monitors the SCS actual device (Figure 6).
This may cause an erroneous operation signal to be sent to the actual plant. A safety system must not rely solely on the operating procedure of an engineering PC; it must also be protected automatically against such an event. We therefore designed the system so that the CENTUM test function cannot be started while the ProSafe-RS SENG is communicating with the SCS actual device. This prevents an operation signal from being sent accidentally to the SCS actual device when an operator intended to operate the SCS simulator.
These safety measures enabled the whole ProSafe-RS product including the SCS test function to obtain the IEC61508 SIL3 certification.
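The database hand-off in the five steps above and the start-up interlock described in this section, modelled as an added example (this is not Yokogawa's code; the class and function names and the file layout are assumptions):

```python
"""Constructed model of two start-up safeguards: the CENTUM test function is handed only a
simulator database inside its own project DB, and it refuses to start while the SENG is
communicating with the actual SCS. Hypothetical model, not ProSafe-RS/CENTUM code."""
from dataclasses import dataclass
from pathlib import Path
import shutil


class SimulationStartRefused(RuntimeError):
    """Starting the SCS simulator now could affect the actual SCS, so the start is refused."""


@dataclass
class Seng:
    """ProSafe-RS engineering function (SENG); names are assumptions."""
    project_db: Path                      # ProSafe-RS application project database (directory)
    connected_to_actual_scs: bool = False  # True while SENG operates/monitors the real SCS

    def generate_simulator_db(self) -> Path:
        # Step 1: generate the simulator database inside the ProSafe-RS project database.
        sim_db = self.project_db / "scs_simulator.db"
        sim_db.write_text("SCS shutdown logic (constructed sample)")
        return sim_db

    def copy_simulator_db(self, centum_project_db: Path) -> Path:
        # Step 2: copy it into the CENTUM application project database.
        return Path(shutil.copy(self.generate_simulator_db(), centum_project_db))


class CentumTestFunction:
    """CENTUM test function (hypothetical model). It never opens the ProSafe-RS project DB."""

    def __init__(self, centum_project_db: Path):
        self.centum_project_db = centum_project_db.resolve()

    def start_scs_simulator(self, sim_db: Path, seng: Seng) -> Path:
        # Interlock: no simulation while the SENG talks to the real SCS, otherwise a red
        # "simulation" window frame could front a live device (the Figure 6 confusion).
        if seng.connected_to_actual_scs:
            raise SimulationStartRefused("SENG is communicating with the actual SCS")
        # Isolation: the only database location passed on lives in the CENTUM project DB.
        if self.centum_project_db not in sim_db.resolve().parents:
            raise SimulationStartRefused("simulator database is outside the CENTUM project DB")
        return sim_db  # Step 4: this location is what the SCS simulator is told to read


def start_integrated_simulation(seng: Seng, test_function: CentumTestFunction) -> Path:
    """Step 3: the SENG starts the SCS simulator via the CENTUM test function."""
    sim_db = seng.copy_simulator_db(test_function.centum_project_db)
    return test_function.start_scs_simulator(sim_db, seng)
```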
Figure 5 Reduction of Adverse Impact from CENTUM to ProSafe-RS
APPLICATIONS OF ProSafe-RS AND CENTUM INTEGRATED TEST ENVIRONMENT
The integrated simulation environment is useful not only for the purpose of plant training, but also as a test environment for the whole DCS and SIS system. Specifically, when the SCS simulator and FCS simulator communicate with each other, and the overall operation is controlled, all applications can be tested without any actual devices.
Previously, when each shutdown logic was tested to make sure it works correctly, plant error signal patterns had to be input manually for testing. This method is indispensable for testing each logic one by one systematically, but takes a lot of time and effort to verify the validity of the whole logic including the SIS and DCS.
The integrated simulation environment enables the plant simulator to generate error signals equivalent to those of an actual plant and verify the validity of the whole logic linkage including the DCS and SIS without the need to input error signal patterns manually.
Figure 6 Confusion of Operation Objects by Operation and Monitoring Function
The development of this integrated simulation environment will enable total operation training including a control layer and protection layer. These functions will help effectively improve operator skills and allow for training not only for routine operation but also for handling in the event of an accident. Moreover, since user applications in both the control layer and protection layer can be tested in an environment that is separated from the actual plant, engineering efficiency will be improved.
The further development of the simulation environment will make it possible to perform simulation training not only for routine plant operation but also for maintenance of both the production control system and safety instrumented system throughout the plant lifecycle such as plant startup, servicing and repairs, upgrading, and modifications.
- (1) NISHIDA Jun, "Aims and Features of the ProSafe-RS Safety System," Yokogawa Technical Report, No. 40, 2005, pp. 35-38
- (2) ODA Shinji, "Control Functions of CENTUM CS 3000," Yokogawa Technical Report, No. 29, 2000, pp. 15-18
- (3) KUMAGAI Hiroshi, WAKASUGI Hiroshi, "CENTUM CS 3000 Operator Training System," Yokogawa Technical Report, No. 31, 2001, pp. 22-25
- 'ProSafe' and 'CENTUM' are registered trademarks of Yokogawa Electric Corporation. 'CENTUM VP' is under patent pending. 'OmegaLand' is a registered trademark of Omega Simulation Co., Ltd.