TRANSCRIPT
<ISD-MASP-S02025>Copyright © Yokogawa Electric Corporation<Jan. 2005>
This presentation provides reliability data, and describes the reliability-enhancement technology that slashes the Total Cost of Ownership (TCO) of CENTUM CS3000.
Systems PMK
Reliability enhancement technology slashes TCO of CENTUM CS3000
Contents
– Design Concepts and TCO: Relation of Reliability to TCO; Cost of Lost Opportunity/Lost Production; Expectations for DCS; DCS Design Concepts
– Reliability Enhancement Strategies: Fault Avoidance; Fault Tolerance; Maintainability; Software Reliability Enhancement
– CENTUM Reliability Data: Availability and TCO; Field Data
– Conclusions
CENTUM CS3000 DCS Features
Basic concepts: maximum availability, long-term non-stop operation
– Redundancy: error detection, non-stop control
– Tolerance of momentary power failure: non-stop control
– Online maintenance: online modification of control algorithms
– Excellent builder: tolerant of errors at the early (engineering) stage
– Excellent test functions: tolerant of errors at the final stage
Continuous process control, as found in petrochemical plants, and batch process control require a DCS designed primarily for high reliability and availability. CENTUM CS3000 offers the ultimate in reliability and availability; it is the leading choice for applications where an interruption in control may cause large financial losses, and its combination of standard and optional redundancy features makes it cost-effective across a wide range of applications.
Design Concepts and TCO
Relation of Reliability to TCO (1)
The following two items greatly affect TCO:
– Installed cost and engineering time
• Most systems can hold their outputs while a controller is being maintained
– Stoppage or disturbance due to system hardware/software failure
• Plant stoppage due to failure causes "lost opportunity" losses
• Failure analysis and repair costs
• Environmental effects and safety hazards damage the business image
Relation of Reliability to TCO (2)
[Figure: TCO Analysis (ethylene refinery example). Cumulative cost (y-axis: $10M, $20M, $30M) over a 12-year system life cycle (x-axis: startup, periodic maintenance, checkup, expansion, periodic maintenance, trouble, migration to a new system), broken down into hardware installation, engineering, daily maintenance and lost opportunity, for a PC+PLC system versus a CENTUM system.]
– Lost opportunity costs over 12 yrs are $10-12M lower with the CENTUM system
– A cheaper, less-reliable system may have a higher total cost of ownership over its life cycle
– Yokogawa has a low-cost, smooth migration path to the new system
Cost of Lost Opportunity
Case Study – Ethylene Refinery (* excludes the effect on downstream units and the cost of switching over to another vendor)
Lost opportunity cost $200,000/day (startup takes at least 8 days, so approx. $2M per shutdown)
[Figure: cumulative lost-opportunity cost over years 2 to 12 for PC+PLC versus CENTUM CS3000. PC+PLC: periodic checkups plus failure-induced shutdowns, reaching $16M. CENTUM CS3000: multiple loops abnormal but shutdown avoided, reaching $4M.]
– Periodic check: PC+PLC 5 times (every 2 yrs); CENTUM twice (every 4 yrs); cost saving $6M
– Down time: PC+PLC 16-24 days (2-3 shutdowns); CENTUM zero; cost saving $4-6M
– Total cost saving: $12-14M
Expectations for DCS
– No or minimal plant down time
Design objectives
– Long (non-stop) continuous operation
– High availability: errors cause more damage as plant scale grows
– Avoid loss of control (high data integrity)
– Robust and redundant, so a failure does not affect operation
CENTUM Design Concepts
Basic reliable-design concepts
– Reduction in failure rate
– Flexible redundancy options to match the objectives and the application
– Redundancy method with a low failure rate
– Easy repairs
Reliability Enhancement Strategies
– Fault avoidance: design to minimize failures/errors
– Fault tolerance: design so that failures don't affect operation
– Maintainability: design for quick recovery from failures and for maintaining applications safely
Fault Avoidance (1)
Causes of failures/errors, and the good-design countermeasure for each:
– Many parts: fewer parts (use ASICs, firmware, etc.)
– Parts rating and quality: select good parts (evaluation, test, manufacturer feedback, statistics)
– Environmental factors (temperature, humidity, etc.): cooling, lower power/heat dissipation, environment-proofing
– Electrical environmental factors (external noise, etc.): EMC design and evaluation
– Circuit/system ratings: design standards (stress de-rating), timing margins
Fault Avoidance (2)
Example: de-rating standards. Failure rate rises with applied stress, so the design standard holds component stress below the manufacturer's rating.
– Applies to the voltage and power ratings of resistors, capacitors, diodes, transistors, photo devices, ICs, switches and relays
– Stress: voltage, power, temperature
[Conceptual diagram: failure rate (y-axis) versus stress (x-axis), marking the manufacturer's rating, the stricter design standard below it, and the design target.]
Fault Tolerance (1)
Purpose
– Minimize disturbance to control
– Maintain continuity of sequence control
[Diagram: scan cycle of the online control CPU and the standby CPU over time. Both execute the same sequence at OS level (input, input processing, arithmetic calculations, control calculations, output processing), kept in sync; input data is equalized to the standby every scan; only the control side drives the output (no output from the standby).]
Special application program not required: CENTUM-specific high-reliability technology
Fault Tolerance (2)
CENTUM features of a fully redundant-CPU system
(1) Minimal common (non-redundant) parts
• The non-redundant (switchover) part dramatically affects reliability; a redundant system must be designed with this in mind from the outset.
(2) Detect errors, prevent invalid output
• CENTUM quickly detects errors
• CENTUM checks the health of the standby unit
[Diagram: online control and standby units sharing a common part and a switchover mechanism; errors are either detected or undetectable.]
Fault Tolerance (3)
CENTUM features of a fully redundant-CPU system
(3) Control continuity unaffected by switchover
• Unlike other PLCs and DCSs, the CENTUM fully redundant CPU requires no special engineering.
• Quick switchover, little disturbance.
• No application synchronization required.
(4) Easy to maintain
• Maintenance status information is available.
• Hot-swap replacement is possible.
Fault Tolerance (4)
Error Detection (1) – Method
• Check each other: the outputs of the fully redundant CPUs are compared with each other
• Error detection codes: parity check code and Error Correction Code (ECC)
• Threshold checks: watchdog timer; retry count; low-voltage detection
Ex: CS3000 CPU card internal configuration
[Block diagram: two MPUs, each with its own cache, feeding a comparator (two-rail checker); ECC-protected memory; V-net controller; EN-Bus1 and EN-Bus2 controllers.]
Fault Tolerance (5)
Error Detection (2) – Keyword and Purpose
• Prevent: execution-time check, to prevent wrong output
• Correct: minimize undetectable errors; find where errors occur and remove the causes
• Robust: use fault masking to hide the effects of failures (fault masking: a method to suppress the effects of failures/transients)
[Timing diagram comparing conventional redundancy with CENTUM pair & spare. Conventional redundancy: after an error occurs, CPU self-diagnostics may mistake the error for normal operation, so bad output is produced until the error is detected, the CPU is disabled and control switches over. CENTUM pair & spare: the error is detected at once, the faulty CPU is disabled and control switches over with normal operation and no bad output.]
Fault Tolerance (6)
Technical Features
– Synchronizing: wait for the other CPU to finish the same instruction; no rollback is required on control transfer
– Equalizing: copy input data to the standby side, so that when switching the control and standby application data are the same
– Fully redundant-CPU processing at OS level: does not require application synchronization
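The pair-and-spare behaviour described in Fault Tolerance (1), (4), (5) and (6) above, as an added example that is not part of the presentation and not Yokogawa product code: a small Python model of a CPU card whose two lockstepped MPUs feed a two-rail comparator, a control/standby pair with per-scan equalization, and a constructed single-MPU fault injected on one scan. The PI loop, its gains, the set point and the fault model are assumptions chosen for illustration. What it shows is that an in-range corruption passes a conventional range self-check but trips the comparator, so the faulty card goes silent instead of driving a bad output, and that the equalized standby takes over within the same scan with exactly the output sequence of the fault-free run.

```python
"""Added example (not Yokogawa code): a model of a pair-and-spare FCS.

Each CPU card holds two MPUs that execute the same control calculation in
lockstep on the same inputs; a two-rail comparator disables the card's output
on any disagreement (fail-silent).  The standby card's application state is
equalized from the control card every scan, so it can take over without a
bump.  A single-CPU range self-check is included for contrast.  The PI loop,
gains, set point and fault model are illustrative assumptions.
"""


def pi_step(integral, sp, pv, kp=1.0, ki=0.1, dt=1.0, lo=0.0, hi=100.0):
    """One scan of a PI loop. Pure function: returns (mv, new_integral)."""
    err = sp - pv
    integral += err * dt
    mv = kp * err + ki * integral
    return min(max(mv, lo), hi), integral


def range_self_check(mv, lo=0.0, hi=100.0):
    """Conventional single-CPU self-diagnostic: catches only out-of-range output."""
    return lo <= mv <= hi


class CpuCard:
    """A CPU card with two lockstepped MPUs feeding a two-rail comparator."""

    def __init__(self, name, fault_at=None):
        self.name = name
        self.integral = 0.0          # application state (equalized to the standby)
        self.scans = 0
        self.healthy = True
        self.fault_at = fault_at     # scan number at which MPU-B silently corrupts
        self.last_self_check = True  # what a range self-check said on the last scan

    def scan(self, sp, pv):
        """Return the manipulated variable, or None if the comparator tripped."""
        self.scans += 1
        mv_a, int_a = pi_step(self.integral, sp, pv)   # MPU-A
        mv_b, int_b = pi_step(self.integral, sp, pv)   # MPU-B, same instruction stream
        if self.scans == self.fault_at:
            mv_b += 0.5   # constructed fault: an in-range corruption (e.g. a bit flip)
        self.last_self_check = range_self_check(mv_b)
        if (mv_a, int_a) != (mv_b, int_b):   # two-rail comparator
            self.healthy = False              # stop driving outputs: fail-silent
            return None
        self.integral = int_a
        return mv_a


class RedundantFcs:
    """Control + standby CPU cards with per-scan equalization and switchover."""

    def __init__(self, control, standby):
        self.control, self.standby = control, standby
        self.failed = []        # cards isolated for hot-swap replacement
        self.switchovers = 0

    def scan(self, sp, pv):
        mv = self.control.scan(sp, pv)
        if mv is None:
            # Error detected: isolate the failed card and let the standby, whose
            # state equals the control state at the start of this scan, recompute
            # the output.  The standby never drove an output before this point.
            self.failed.append(self.control)
            self.control, self.standby = self.standby, None
            self.switchovers += 1
            if self.control is None:
                raise RuntimeError("no healthy CPU card left")
            mv = self.control.scan(sp, pv)
        if self.standby is not None:
            self.standby.integral = self.control.integral   # equalize every scan
        return mv


def run(fcs, scans=5, sp=50.0, pv=40.0):
    """Drive the FCS for a few scans with a constant set point and PV."""
    return [fcs.scan(sp, pv) for _ in range(scans)]


def demo():
    healthy = run(RedundantFcs(CpuCard("A"), CpuCard("B")))
    faulty_fcs = RedundantFcs(CpuCard("A", fault_at=3), CpuCard("B"))
    with_fault = run(faulty_fcs)
    return {
        "healthy": healthy,
        "with_fault": with_fault,
        "bumpless": healthy == with_fault,
        "switchovers": faulty_fcs.switchovers,
        # The corrupted value was inside the valid range: a range self-check
        # would have released it as a bad output, the comparator did not.
        "self_check_missed_it": faulty_fcs.failed[0].last_self_check,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print both output sequences; `demo()` returns them so the two runs can be compared programmatically. The comparator is deliberately a plain equality on the full result tuple, including the integral state, because a divergence in state that has not yet reached the output is still a divergence that would surface on a later scan.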
Maintainability
Failed part isolated; replace without stopping the system
– Maintenance information, RMS, strong error detection: online status display, distinctive (fault-specific) system alarm, printout, internal error data saved, LED showing card status, preventive-maintenance data, RMS data acquisition, etc.
– Hot-swap replacement: online replacement of most components (normal for a DCS, but most PLCs don't support hot-swap replacement; power must be off)
– Designed for easy hot swap: designed to minimize difficult-to-replace parts
– Designed to prohibit the use of parts with relatively high failure rates (e.g., compare the simple CENTUM backplane with a PLC backplane)
Software Reliability Enhancement (1)
Clean-room techniques
– Create defect-free software by design
– Design/coding/test on a software-module basis
QC system based on 25 years of DCS R&D experience
– Four-stage review: design review for individual functions, review of overall product operation, test review, final QA inspection review
– Statistical prediction of remaining bugs
– Tests required at development milestones; an internal standard sets the minimum test man-hours against development volume
– Intensive design validation involving company and outside experts, plus service and start-up engineers
– To pass the final QA inspection review, the inspection must find zero bugs
Software Reliability Enhancement (2)
During operation
– Support safe and reliable online maintenance
During expansion and modification
– User application software should not be affected by system software upgrades
During application development
– Powerful, reliable engineering tools (builder)
– Application debugging shouldn't affect the plant (simulation functions for a "virtual test" of the control system and plant)
CENTUM Reliability Data: Our Results Impress Fault Tolerance Experts
– CENTUM V availability (duplexed-CPU FCS, based on total runtime): 0.999 999 56
– CENTUM-XL availability: 0.999 999 89
– CENTUM CS/CS 3000 availability: 0.999 999 95 ("seven nines")
Yokogawa Total QC (reliable design, manufacturing, quality assurance, service)
Definition of system failure: simultaneous failure of two or more loops (WIB definition)
WIB: International Instrument Users' Association
Availability and TCO (1)
– Availability (down time) is directly related to lost opportunity costs
– System availability figures will decide purchases
– Difference between "7-nines" and "4-nines" availability: three orders of magnitude (1000x) difference in system failure rate
Availability and TCO (2)
Case Study (1) – Example for CENTUM CS/CS 3000
• Difference between duplexed (7 nines) and simplex (4 nines); in general, PLC-based systems are 3 nines
– Plant with 10 FCS and $1,000M annual production (* including downstream production; $2.7M daily production upstream)

                                            7 nines     4 nines
Predicted annual down time (one FCS)        3.15 sec    0.876 h
Predicted annual down time (ten FCS)        31.5 sec    8.8 h
Predicted annual loss (ten FCS)             $1,000      $1M
Mean time between system failures (one FCS) 4566 yrs    4.57 yrs
Mean time between system failures (ten FCS) 457 yrs     0.47 yrs
System failures (12 yrs)                    0 times     26.3 times
Shutdowns (12 yrs)                          0 times     4.4 times
Loss (12 yrs)                               $0          over $80M
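The arithmetic behind the table above, as an added worked example that is not part of the presentation: Python that derives annual down time, mean time between system failures, expected failures over a period and lost production from an availability figure, for one FCS or for a plant of several. Two inputs the slide does not state are assumed here: a mean time to repair (MTTR) of 4 hours, which together with the listed availabilities reproduces the slide's 4566-year and 4.57-year failure intervals, and that lost production during unplanned down time accrues at the upstream rate of $2.7M/day. The number of failures that escalate to a plant shutdown is not derivable from the slide, so `shutdown_loss` takes the slide's 4.4 shutdowns as an input rather than computing it.

```python
"""Added example (not from the presentation): availability -> down time ->
expected failures -> lost production, for one FCS or a plant of several.

Assumptions not on the slide: MTTR = 4 h (this reproduces the slide's failure
intervals), and lost production accrues at the upstream daily rate during
unplanned down time.
"""

SECONDS_PER_YEAR = 365 * 24 * 3600
HOURS_PER_YEAR = SECONDS_PER_YEAR / 3600.0


def nines(n):
    """Availability expressed as 'n nines': nines(4) -> 0.9999, nines(7) -> 0.9999999."""
    return 1.0 - 10.0 ** (-n)


def annual_downtime_s(availability, units=1):
    """Expected seconds of down time per year summed over `units` systems."""
    return (1.0 - availability) * SECONDS_PER_YEAR * units


def mtbf_years(availability, mttr_h=4.0, units=1):
    """Mean time between system failures in years.

    A = MTBF / (MTBF + MTTR)  =>  MTBF = A * MTTR / (1 - A).
    With `units` independent systems the failure rates add, so the plant-wide
    interval between failures is the single-system interval divided by `units`.
    """
    mtbf_h = availability * mttr_h / (1.0 - availability)
    return mtbf_h / HOURS_PER_YEAR / units


def expected_failures(availability, years, mttr_h=4.0, units=1):
    """Expected number of system failures over `years` for the whole plant."""
    return years / mtbf_years(availability, mttr_h, units)


def annual_loss(availability, units=1, daily_production=2.7e6):
    """Lost production from unplanned down time at the upstream daily rate."""
    return annual_downtime_s(availability, units) / 86400.0 * daily_production


def shutdown_loss(shutdowns, restart_days=8, daily_production=2.7e6):
    """Loss from plant shutdowns: each restart takes at least `restart_days`."""
    return shutdowns * restart_days * daily_production


def failure_rate_ratio(nines_high, nines_low):
    """How many times more often the less-available system is down."""
    return (1.0 - nines(nines_low)) / (1.0 - nines(nines_high))


def case_study(n, units=10, years=12, mttr_h=4.0, daily_production=2.7e6):
    """Reproduce one column of the slide's table for an 'n nines' FCS."""
    a = nines(n)
    return {
        "downtime_one_s": annual_downtime_s(a),
        "downtime_all_h": annual_downtime_s(a, units) / 3600.0,
        "annual_loss": annual_loss(a, units, daily_production),
        "mtbf_one_yrs": mtbf_years(a, mttr_h),
        "mtbf_all_yrs": mtbf_years(a, mttr_h, units),
        "failures_over_period": expected_failures(a, years, mttr_h, units),
    }


if __name__ == "__main__":
    for n in (7, 4):
        print(f"{n} nines:", {k: round(v, 3) for k, v in case_study(n).items()})
    print("7 vs 4 nines failure-rate ratio:", round(failure_rate_ratio(7, 4)))
    print("loss from the slide's 4.4 shutdowns:", shutdown_loss(4.4))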
Availability and TCO (3)
Case Study (2) – Compare small systems (CS1000 vs. PC+PLC) over a 10-year period
– HMI x2, 32 control loops, 128 monitoring points, 128 DI / 128 DO points
[Chart: cumulative cost (k$, 0 to 60) versus years 1 to 10 for CS1000 and PC+PLC. The initial cost of PC+PLC is lower; the curves cross over in the 3rd year; in the 10th year the difference is $135,000 (about 3x the initial difference in price).]
Field Data
Results for CENTUM in a petrochemical plant
– 26 CENTUM systems, uptime for 33,000 loops*; CENTUM systems installed starting from 1981
– Annual failure rate: 0.29 loops per plant
Comparison with another company's DCS in the same plant
– 2 systems (one 6 yrs old, one 9 yrs old); approx. 3,200 loops
– Annual failure rate: 2.86 loops per plant
Normalized per loop, since the two populations differ tenfold in size, that is roughly 9 x 10^-6 failures per loop-year for CENTUM against 9 x 10^-4 for the other DCS, about a 100x difference.
*: incl. XL
Conclusions
– Selecting a highly reliable system reduces TCO
– Up time (availability) is a key factor in business efficiency
– A truly high-reliability system (1) has high availability (the interval between checks can be lengthened, it continues operating normally even if a failure occurs, and failed parts can be quickly repaired), (2) produces no spurious outputs, and (3) can be expanded or modified without plant stoppages
CENTUM is a true high-reliability system, providing world-class availability and data integrity.
Supplement
Progress of CENTUM
CENTUM already provides world-class reliability, and we are working to improve it further.
*1: Including CENTUM CS, CS3000, CS1000
*2: RMS: Remote Maintenance