
Unified Operational Environment Improves Process Safety

By Wataru Nakagawa, Eugene Spiropoulos

A unified gateway station and related components increase availability to improve operations and safety

In information technology (IT) security circles, the most important acronym is CIA: confidentiality, integrity, availability. In industrial control security, the corresponding acronym is AIC: availability, integrity, confidentiality. Availability and uptime are critical for process plants and facilities, and are also a key determinant of safety because plants that have poor availability are unsafe. High-availability plants minimize the unplanned shutdowns that can cause serious safety incidents, so both cybersecurity and process safety are dedicated to maximizing availability.

In process plants, and in upstream oil-and-gas applications, such as offshore platforms or subsea wells, there is often a hybrid control system, consisting of a distributed control system (DCS), multiple programmable logic controllers (PLCs) and a supervisory control and data acquisition (SCADA) system with remote controllers.

Because of this, there has been a need for a unified operation and monitoring environment to ensure safety, security and high availability. Unifying these control systems is not always as easy as it may appear, with many plants and platforms having more than one type of control system — such as a DCS and several PLCs. Sometimes a wide variety of controllers from different vendors are used, and, depending on their own specific applications, they are operated and monitored via their own operating stations and software.

When control systems and operation and monitoring systems (including alarm monitoring and safety control systems) are disparate and use different screens, programming systems and functions, the result is often an inefficient set of systems that decreases the safety of the entire installation.

There has been a need to establish a unified operation and monitoring environment that permits the operator to operate and monitor the controllers on the same screen, despite the differences between types and brands of controllers.


Unified operations, critical redundancy

In response to this need, the concept of a unified gateway station (UGS) has been created for process plants and facilities needing to integrate many subsystems into a unified system. This concept is supported by multiple vendors, with each configuring their systems in a different manner, but in all cases, the required functionality and desired operation is similar.

A UGS is installed between the DCS and all the external controllers. It performs continuous bi-directional communications frame conversion for process data and alarms to the DCS regardless of type or vendor of controller (Figure 1). Using a UGS provides additional SCADA expandability to the DCS without reducing the functionality of the DCS itself.

Figure 1. This diagram shows the typical position of a unified gateway station (UGS) in a control system along with its internal configuration

Because the UGS provides the main interface to all of the control systems, its uptime is critical. Uptime can be assured by using two redundant PCs, which can handle a variety of interfaces and a large number of subsystems. This improves the availability of the system, because otherwise many of the controller subsystems would depend on the operation of a single general-purpose PC. A high-availability configuration also prevents data loss and downtime, contributing to long-term stable operation.


Figure 2. A dual-redundant network configuration provides the high availability and reliable connectivity required for a unified gateway station (UGS)

Therefore, a UGS should be designed to be a high-availability connectivity solution (Figure 2). A typical dual-redundant package will consist of two PCs configured as a logical unit to achieve a gateway function for the subsystems. These two units share an identical Vnet/IP address (domain and station numbers), providing other stations with transparent access to the UGS tag data without considering which one of the redundant PCs is active, and which one is on standby. For redundancy, both units are connected using a dual-redundant control network. Only the active station downloads the engineering data, but it synchronizes the standby unit using the dual-redundant control network (Figure 3).

Figure 3. On the left diagram, different operator interfaces are used to monitor different systems. On the right, a unified gateway station (UGS) provides monitoring on the same screens for all the controllers in a plant or facility (HMI = human-machine interface; HIS = human interface station; FCS = field control station)

If the active PC fails, the system automatically fails over to the standby PC. Importantly, this switchover takes less than a second, so the connected Vnet/IP stations and subsystem controllers are not affected, even when the system is performing sequential control of multiple tasks, as in a batching system. This minimizes the probability of data loss and ensures there is no interruption in control. Thus, high availability is preserved and safety-critical functions are not affected.
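The active/standby pair described above, as an added example that is not the article's or any vendor's code: a small Python model of two PCs sharing one Vnet/IP domain/station address, with the active PC replicating engineering data and tag values to the standby and a standby-side heartbeat watchdog that promotes itself well inside the one-second budget. The heartbeat interval, the missed-beat limit and the PC names are this example's assumptions.

```python
from dataclasses import dataclass, field

# Assumed timing (not from the article): heartbeat every 100 ms on the dual-redundant
# control network, failure declared after 3 missed beats, well inside the 1 s budget.
HEARTBEAT_INTERVAL_S = 0.1
MISSED_BEATS_LIMIT = 3


@dataclass
class GatewayPc:
    """One PC of the pair: its tag cache plus the downloaded engineering data."""
    name: str
    tags: dict = field(default_factory=dict)
    engineering: dict = field(default_factory=dict)
    last_beat: float = 0.0


class RedundantUgs:
    """Two PCs presented to Vnet/IP stations under one shared domain/station address."""

    def __init__(self, domain: int, station: int) -> None:
        self.address = (domain, station)  # shared by both PCs; unchanged on failover
        self.active = GatewayPc("UGS-A")
        self.standby = GatewayPc("UGS-B")

    def download_engineering(self, data: dict) -> None:
        # Only the active PC takes the download; it replicates it to the standby.
        self.active.engineering.update(data)
        self.standby.engineering.update(data)

    def update_tag(self, tag: str, value: float) -> None:
        self.active.tags[tag] = value
        self.standby.tags[tag] = value  # synchronised over the control network

    def read_tag(self, tag: str) -> float:
        # What a station sees: it addresses the pair, never a particular PC.
        return self.active.tags[tag]

    def active_heartbeat(self, now: float) -> None:
        self.active.last_beat = now

    def standby_check(self, now: float) -> bool:
        # Standby watchdog: promotes itself once the active PC stops beating.
        if now - self.active.last_beat > HEARTBEAT_INTERVAL_S * MISSED_BEATS_LIMIT:
            self.failover(now)
            return True
        return False

    def failover(self, now: float) -> str:
        self.active, self.standby = self.standby, self.active
        self.active.last_beat = now  # the promoted PC starts its own heartbeat
        return self.active.name
```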

As important as high availability is to maintaining plant safety, having a unified operating environment is just as important. As many after-incident reports have shown, operators moving from one operator interface to another tend to make mistakes, which can have serious consequences.

With the UGS concept, the same station, for example the DCS operator interface, can be used to communicate with and monitor all the controllers and subsystems in the control network, regardless of vendor. The UGS provides an I/O driver that resolves the differences among the protocols of the external controllers by supporting internal DCS communications protocols, IEC 61850, OPC-DA, Ethernet/IP, Modbus RTU, Modbus TCP/IP and other interfaces. When redundant communication to any controller is needed, it can also be supported, either directly or by a third-party library from an OPC vendor. The UGS continually monitors the status of communications with external controllers, alerting operators to any issues.

The UGS controls and monitors subsystem communication data by treating it the same as the DCS faceplate blocks. It also allows graphics and trends to be handled as native DCS tags on the operator station (Figure 4).

Figure 4. The unified gateway station (UGS) in this system architecture diagram acts as a gateway between the DCS and the subsystem controllers

Unified alarm monitoring

The UGS translates the function blocks in each controller into native DCS function blocks, and vice versa.

In a DCS, function blocks are often used for alarm monitoring, in the same way as for data operation and monitoring. Monitoring external controllers is done by monitoring alarms generated in the function blocks.

The function blocks of the UGS convert alarms generated in external controllers, and can also detect and generate alarms. The data item faceplate, and the annunciator faceplate, enable alarm monitoring of external controllers that do not have alarm functions. For all alarms, the same standard settings are used, providing consistency among systems. Having a unified alarm-monitoring system for all controllers and all function blocks produces a significant increase in process safety.
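As an added illustration (not the article's or a vendor's code) of how the data-item and annunciator faceplates give controllers without alarm functions a uniform alarm behaviour: one standard limit set is applied to every scaled analog tag, and an alarm or return-to-normal event is emitted only when the state changes, not on every scan. The register scaling ranges, the alarm-on-1 convention and the block names are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AlarmSettings:
    """One standard limit set, applied to every analog tag whatever its controller."""
    hh: float
    hi: float
    lo: float
    ll: float


@dataclass
class DataItemBlock:
    """Data-item faceplate: scales a raw register to EU and alarms it for alarm-less controllers."""
    tag: str
    raw_lo: int
    raw_hi: int
    eu_lo: float
    eu_hi: float
    settings: AlarmSettings
    state: str = "NR"  # NR (normal), HH, HI, LO or LL

    def scale(self, raw: int) -> float:
        span = (self.eu_hi - self.eu_lo) / (self.raw_hi - self.raw_lo)
        return self.eu_lo + (raw - self.raw_lo) * span

    def update(self, raw: int) -> tuple[float, Optional[str]]:
        # Returns (pv, event); an event is emitted only on a state change, so a value
        # sitting above its limit does not re-announce the alarm on every scan.
        pv, s = self.scale(raw), self.settings
        new = ("HH" if pv >= s.hh else "HI" if pv >= s.hi
               else "LL" if pv <= s.ll else "LO" if pv <= s.lo else "NR")
        if new == self.state:
            return pv, None
        self.state = new
        return pv, (f"{self.tag} {new}" if new != "NR" else f"{self.tag} RTN")


@dataclass
class AnnunciatorBlock:
    """Annunciator faceplate: a discrete input shown as a DCS alarm message (alarm-on-1 assumed)."""
    tag: str
    message: str
    state: bool = False

    def update(self, bit: int) -> Optional[str]:
        new = bool(bit)
        if new == self.state:
            return None
        self.state = new
        return f"{self.tag} {self.message}" if new else f"{self.tag} RTN"
```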


Operating at scale

To handle the large data volumes in an entire plant or facility, the UGS should be capable of accommodating a large number of tags, typically up to 100,000 with 450,000 data items, and should be able to connect to hundreds of external controllers. At that size, a UGS can acquire 6,400 data items per second from external controllers and send 640 data items per second to them, and the operator stations can read 6,400 data items per second from and write 640 data items per second to the UGS itself.

A unified set of engineering functions should be part of the UGS, including import functions. With this capability, engineering information defined for the UGS can be maintained as part of a project, the same as all the other DCS engineering information. A smart import function of the DCS, an OPC Browse command, a CSV import command for general data files in the comma-separated values format, and other options should be available to import data. After importing data, tags should be generated automatically. The next step should be downloading the configuration information to the operator station and the UGS. This two-step process allows the operator station to access the external controllers.

Especially important for oil-and-gas applications is the capability to apply online partial changes. This is also true for sequential operations in process plants. The UGS should therefore be designed to allow online modifications to the screen graphics. Online addition, modification and deletion of external controllers and tags should also be supported. Finally, online switching among import modes, such as smart import, OPC browse command and CSV import, should be supported.

When the configuration of an external controller is modified, or devices connected to the controller are replaced, the connection between the UGS and the controller should be able to be switched on or off by the controller monitor block of the UGS. This prevents a modification or replacement from accidentally affecting the DCS.
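An added example, not the article's or a vendor's code, covering the CSV import, the online addition and deletion of tags, and the controller monitor block's connection switch: a minimal UGS tag database in Python in which an isolated controller is not polled at all and a timed-out read sets the communication-failure flag that a status alarm would use. The CSV columns, the `read` callback standing in for the I/O driver and the status strings are this example's assumptions.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed tag-definition file; the column layout is this example's own, not a vendor's.
SAMPLE_CSV = """controller,tag,address,kind
PLC-01,FIC101.PV,40001,analog
PLC-01,XV101.ZSO,10001,discrete
PLC-02,TIC201.PV,40003,analog
"""


@dataclass
class ControllerMonitorBlock:
    """Per-controller block: its tags, comm status and the connection on/off switch."""
    name: str
    connected: bool = True
    comm_fail: bool = False
    tags: dict = field(default_factory=dict)  # tag -> (address, kind)


class UgsDatabase:
    def __init__(self) -> None:
        self.controllers: dict = {}

    def import_csv(self, text: str) -> int:
        # CSV import: creates controller blocks and generates tags; returns the tag count.
        rows = list(csv.DictReader(io.StringIO(text)))
        for r in rows:
            self.add_tag(r["controller"], r["tag"], int(r["address"]), r["kind"])
        return len(rows)

    # Online partial changes: applied to the live database, no restart or re-download.
    def add_tag(self, controller: str, tag: str, address: int, kind: str) -> None:
        blk = self.controllers.setdefault(controller, ControllerMonitorBlock(controller))
        blk.tags[tag] = (address, kind)

    def delete_tag(self, controller: str, tag: str) -> None:
        del self.controllers[controller].tags[tag]

    def set_connection(self, controller: str, on: bool) -> None:
        # Switching a controller off isolates it while it is reconfigured or replaced.
        self.controllers[controller].connected = on

    def scan(self, controller: str, read) -> dict:
        # One poll; `read(address)` stands in for the I/O driver and returns None on timeout.
        blk = self.controllers[controller]
        if not blk.connected:
            return {tag: "ISOLATED" for tag in blk.tags}  # never touched while isolated
        values = {tag: "BAD" if (v := read(addr)) is None else v for tag, (addr, _) in blk.tags.items()}
        blk.comm_fail = "BAD" in values.values()  # drives the communication-status alarm
        return values
```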


Concluding remarks

A UGS increases and improves upon the functionality of a standard DCS by integrating stand-alone PLCs and SCADA systems into a unified operational interface, which is particularly important for installations with many subsystems. The UGS should provide a simple unified configuration to handle a variety of interfaces and a large number of subsystems using one set of redundant PCs with auto-switchover to preserve operation and data flow. The UGS should be capable of handling large numbers of subsystems and high data volumes, and various protocols — such as Modbus, Ethernet/IP, OPC and IEC 61850 — should be supported for communication with subsystems.

The UGS controls and monitors subsystem communication data by treating each subsystem as a native DCS controller faceplate block, as well as by allowing each subsystem’s graphics and trends to be handled as native DCS tags on the operator station. The DCS operator station can thus perform operational control and alarm monitoring of subsystems exactly as if they were DCS native systems.

A UGS improves process safety by providing a unified operating interface, a unified alarm-management capability and a high-reliability redundant system, creating a robust, high-availability platform.

Authors

Wataru Nakagawa is a system product promotion manager at Yokogawa Electric Corp. (2-9-32 Nakacho, Musashino-shi, Tokyo, 180-8750 Japan; Phone: +81-422-52-5500; Fax: +81-422-55-6271; Email: [email protected]; Website www.yokogawa.com/HAtech). He has also worked as a system product manager at Yokogawa Corporation of America. He received his Master of Engineering degree from Waseda University.


Eugene Spiropoulos is the Systems Business consulting manager at Yokogawa Corporation of America (12530 West Airport Blvd., Sugar Land, TX 77478; Phone: +1-281-340-3800; Fax: +1-281-340-3838; Email: [email protected]). He has experience as a global sales consultant for solutions, as well as in process engineering and high-fidelity process simulation in Europe and the Middle East. Eugene holds a post-graduate degree in chemical engineering from The City University of New York.