The present invention generally relates to a management system for a plant facility and a method for managing the plant facility.
A plant or a factory (hereinafter collectively referred to as “plant”) commonly utilizes a process automation system (PAS) to implement advanced automatic operations for controlling and managing various types of process data (e.g., pressure, temperature, flow quantity, etc.) in an industrial process.
In particular, the PAS for a plant that produces chemical, oil, or gas related products must meet high standards in terms of availability and reliability. Availability means the capability of the system to continue its operation regardless of occurrences of errors, and reliability means the capability of detecting errors and stopping the system and/or switching to a backup system for continuous operation without causing damage to the entire system. In such a production plant, malfunctioning of the PAS may cause not only great losses of materials and resources but also severe accidents involving human lives. For example, a malfunction may occur when the system improperly outputs an abnormal value (i.e., a value that indicates an abnormal or invalid state or condition) to a controlled device (e.g., a valve) because of electrical noise. To prevent such malfunctioning and improve system reliability, various kinds of schemes have been developed.
Recently, as the number of Input/Output (I/O) devices connected to the PAS increases, the importance of the reliability of the controller increases. As a solution to achieve a highly reliable PAS, several PAS manufacturers or vendors have developed their own controllers for the PAS. One of the conventional solutions for highly reliable controllers is shown in FIG. 1 (Japanese Laid-Open Patent Application H06-242979), which assures reliable data processing in the PAS by a redundant configuration. This scheme, which is called “Pair and Spare” (P&SP), achieves high reliability by a redundant controller and a redundant network. Moreover, each of the controllers has two CPUs and a comparator that compares the values outputted from the two CPUs to detect a mismatch in the data calculation.
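The following is an added illustration, not taken from the cited application or from any vendor's controller: a simplified software model of the Pair and Spare idea described above, in which each controller runs the same calculation on two CPUs, a comparator stops a controller whose CPUs disagree, and the spare then drives the output. The names Controller, select_output, control_law and glitch, the proportional control law, and the sample process values are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Compute = Callable[[float], float]

@dataclass
class Controller:
    """One controller: two CPUs run the same calculation, a comparator checks them."""
    name: str
    cpu_a: Compute
    cpu_b: Compute
    healthy: bool = True

    def step(self, pv: float) -> Optional[float]:
        if not self.healthy:
            return None
        a, b = self.cpu_a(pv), self.cpu_b(pv)
        if a != b:  # comparator mismatch: stop driving the output
            self.healthy = False
            return None
        return a

def select_output(pair: List[Controller], pv: float) -> Tuple[str, float]:
    """Both controllers compute every cycle; the first healthy one drives the valve."""
    results = [(c.name, c.step(pv)) for c in pair]
    for name, out in results:
        if out is not None:
            return name, out
    raise RuntimeError("no healthy controller left")

def control_law(pv: float) -> float:
    """Constructed proportional law: valve opening in percent, setpoint 50.0."""
    return max(0.0, min(100.0, 50.0 + 2.0 * (50.0 - pv)))

def glitch(fn: Compute, bad_call: int, bad_value: float) -> Compute:
    """Wrap a CPU so that one call returns a corrupted value (simulated noise)."""
    calls = 0
    def wrapped(pv: float) -> float:
        nonlocal calls
        calls += 1
        return bad_value if calls == bad_call else fn(pv)
    return wrapped

def run_demo() -> List[Tuple[str, float]]:
    primary = Controller("primary", control_law, glitch(control_law, 3, 1e9))
    spare = Controller("spare", control_law, control_law)
    return [select_output([primary, spare], pv) for pv in (48.0, 49.0, 51.0, 50.5)]

if __name__ == "__main__":
    for name, valve in run_demo():
        print(f"{name}: valve {valve:.1f}%")
```

In the third cycle the corrupted value from one CPU of the primary never reaches the valve: the comparator takes the primary out of service and the spare's result is used from then on.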
On the other hand, it is known that such controllers separately developed by different manufacturers tend to affect interoperability and scalability of the PAS. A plant facility owner or user faces difficulties in expanding or replacing the controllers because of their poor compatibility and high costs. Thus, another approach has also been considered: designing the system under “an open architecture,” meaning that the system purely consists of general-purpose or Commercial Off-The-Shelf (COTS) hardware and software. The U.S. Patent Application Publication No. 2016/0065656 proposes such an open architecture platform for the PAS. FIG. 1A of that publication shows a platform including servers, control nodes, and field devices (I/O devices). In such a platform, highly portable and standardized applications, protocols, and application programming interfaces (APIs) are employed so that users can develop their system without depending on specific manufacturers. Users can also enjoy the benefits of decreased cost, enhanced scalability, and ease of updating the system.
However, the open platform approach has disadvantages. The arbitrary combination of hardware and software developed by various manufacturers affects the reliability of core components including the controller and the I/O device as well as the network connection thereof. It is difficult for a system developed under the open architecture to achieve the same level of reliability as the proprietary system developed by the specific manufacturer.
To secure a certain level of reliability in such a system operating under the open architecture, it is being proposed to limit the total number of I/O devices to be connected to a single controller. In particular, a distributed control node (DCN) is defined for handling an input signal from or an output signal to an I/O device. In this configuration, an error caused in the DCN only affects the single loop consisting of the single input device and the single output device, and is thereby prevented from propagating to other control loops.