ITO Hiroki, NISHIDA Jun, OHSAKO Satoru, YAJIMA Hideharu
We have developed the online system upgrade function for CENTUM CS FCSs. This function operates on hardware with a dual-redundant configuration and can upgrade the system software online. The control function only requires the system to pause for two seconds for upgrading. In conjunction with the existing online application data modification function, this function increases the maintainability and availability of DCSs. If applied to continuous process control, this function can significantly reduce maintenance costs. This paper describes the features, architecture and operations of the function.
FCSs, the control stations in a CENTUM CS system, have already demonstrated that they are highly reliable, effective and maintainable. These advantages are the result of such features as the dual-redundant hardware configuration, the online modification of application data, and so on. Their excellent record in field operation is proof that they achieved this high level of reliability, effectiveness and maintainability.
On the other hand, the costs involved with maintaining these systems are increasing as the scale of plants grows larger and larger these days. Maintenance work is an extremely crucial factor for ensuring the quality and security of plants. Maintenance costs cannot therefore be readily cut.
The online system upgrade function has been developed with this in mind. Considering the close relationship of a plant with a DCS, it is evident that shutting down a DCS for maintenance work will shut down the entire plant. Maintenance work that does not require system shutdown may provide the solution to users' problem of increasing maintenance costs.
Figure 1 Hardware Configuration
Figure 1 illustrates the hardware configuration of an FCS. In order for the online system upgrade function to work, an FCS must have a dual-redundant hardware configuration as shown in the figure.
An FCS in dual-redundant configuration contains two units each of the CPU module and control I/O module. Each CPU module is equipped with a CPU, RAM and ROM—which are sufficient for a single CPU module to implement the required control functions. In addition, the CPU module has capabilities needed for dual-redundant configuration such as sending event messages to the CPU counterpart or reading from or writing into the RAM counterpart.
When the system is in dual-redundant operation, control I/O signals are delivered from only one of the control I/O modules. The control I/O module handling control I/O signals is referred to as the "control-side" module, while the other module is referred to as the "standby-side" module. Should the control-side module shut down for some reason, the standby-side module immediately takes over the control. In other words, an FCS in dual-redundant operation can continue control, unaffected, even if the module on one side shuts down.
The online system upgrade function has been realized by taking advantage of the mechanisms needed to implement dual redundancy and the actions that take place when the system is dual-redundant.
For more information on the dual-redundancy configuration of FCSs, see Reference (1) that discusses it in detail.
Figure 2 Software Configuration
Figure 2 illustrates the configuration of software relating to the system upgrade function.
1. How the Online System Upgrade Commands Work
Table 1 Check Items for Online System Upgrading

| Check item | Requirement |
|---|---|
| Hardware configuration | The FCS must be equipped with the hardware for dual-redundant configuration. |
| Boot function | The function must be the version having the online system upgrade function. |
| System software | The software must be the version having the online system upgrade function. |
| Operating status | The processors in both lines must be online and active. |
| Memory size | The RAM must have enough free space for the new system software to be loaded. |

To make it possible for users to carry out online system upgrading on their target FCS, the system software upgrade commands that run on an EWS must be started. These commands first determine whether online system upgrading can be applied to the target FCS. Table 1 summarizes the items checked by these commands regarding the target FCS. If all these items pass the checking requirements, the function carries out online system upgrading, following the procedure described in Subsection 5.2. While the upgrading is in process, users are asked if they want to advance to the next step. Thus, users can safely proceed with their work by confirming the condition of the target FCS. If, for some reason, users become unable to continue their work, the function takes interruptive actions appropriate for the current degree of progress in the system upgrading procedure.
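The Table 1 gate described above, as an added example that is not Yokogawa's code: a pre-flight check that reports every failed item and treats an unknown reading as a failure, so the upgrade never starts on incomplete status data. The `FcsStatus` record, its field names and the sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FcsStatus:
    """Hypothetical status snapshot of one target FCS (not a CENTUM CS structure).
    None means the value could not be read from the station."""
    dual_redundant_hw: Optional[bool]
    boot_has_online_upgrade: Optional[bool]
    system_sw_has_online_upgrade: Optional[bool]
    cpu_online_active: Optional[Tuple[bool, bool]]  # one flag per processor line
    free_ram_bytes: Optional[int]


def preflight(status: FcsStatus, new_image_bytes: int) -> List[str]:
    """Return the Table 1 items that failed; an empty list means all passed."""
    failures: List[str] = []

    def require(item: str, ok: Optional[bool]) -> None:
        # Fail closed: anything other than an explicit True blocks the upgrade.
        if ok is not True:
            failures.append(item)

    require("Hardware configuration", status.dual_redundant_hw)
    require("Boot function", status.boot_has_online_upgrade)
    require("System software", status.system_sw_has_online_upgrade)
    lines = status.cpu_online_active
    require("Operating status",
            lines is not None and len(lines) == 2 and all(s is True for s in lines))
    require("Memory size",
            status.free_ram_bytes is not None
            and new_image_bytes > 0
            and status.free_ram_bytes >= new_image_bytes)
    return failures


# Constructed sample snapshots (not real station data).
HEALTHY = FcsStatus(True, True, True, (True, True), 8_000_000)
STANDBY_DOWN = FcsStatus(True, True, True, (True, False), 8_000_000)
UNKNOWN_BOOT_LOW_RAM = FcsStatus(True, None, True, (True, True), 1_000)

if __name__ == "__main__":
    for name, snap in [("healthy", HEALTHY), ("standby down", STANDBY_DOWN),
                       ("unknown boot, low RAM", UNKNOWN_BOOT_LOW_RAM)]:
        failed = preflight(snap, new_image_bytes=4_000_000)
        print(f"{name}: {'OK to upgrade' if not failed else 'blocked by ' + ', '.join(failed)}")
```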
2. How the FCS Operates
Figure 3 Schematic Representation of Online System Updating
Figure 3 is the schematic representation of the procedure followed when online system upgrading is carried out, with the focus on the operations of the FCS.
Table 2 Extra Actions Taken During the Startup Sequence after Online System Upgrading

| Action | Handling |
|---|---|
| Wind-up operation* | No wind-up operation is carried out. |
| MAN-mode fallback action** | No MAN-mode fallback action is taken. |

\* Denotes an operation mode in which no control I/Os are provided immediately after the start of initialization in order to tune the control parameters.
\** Denotes an action in which the control status is forcibly brought to the manual mode as a result of failure detection.

In this paper, we have discussed the features, configurations and operations of the online system upgrade function. We are confident that the inclusion of this additional function will improve the maintainability and serviceability of the CENTUM CS system and help users reduce their maintenance costs. To ensure the problem-free use of this online system upgrade function, users are requested to thoroughly discuss the system with Yokogawa engineers to fully understand the operations of the plant in question before online system upgrading is carried out.