Preparing for problems
Tom Shelley reports on control systems designed to keep going in the teeth of a disaster
Tom Shelley reports on control systems designed to keep going in the teeth of a disaster
A new approach to control system redundancy claims to be more flexible, by backing up only those parts that need to be backed up - and in the manner most appropriate to the potential problems.
It is far cheaper than a duplicated (or triplicated) system, and eliminates those risks that are most likely to occur in a particular situation.
Mitsubishi's Melsec QnPRH is a considerable advance on the Q4AR introduced in 1998. Its units are a quarter of the size of their predecessors, and allow complicated bespoke systems to be built up on a plug-and-play basis.
While it is generally accepted that aircraft should have triple redundancy in their control systems, there is no general approach to how best to provide backup control systems for factories and process plant, unless their operations are potentially hazardous.
The general opinion of Mitsubishi technicians is that the most likely things to go wrong in a factory or plant are power failure and network cables - which are both outside the control cubicle. Hence while the new system offers duplicated CPU systems with up to 10m tracking cable between them, CPU failure is not generally a very common event. In many situations it is would be more beneficial to have one CPU, but take advantage of the ability to have two power supplies - one of which might be powered from the AC mains, and the other from 24VDC. It might also be wise to have a dual network loop, with the loop cables running through different conduits.
To improve loop reliability, Mitsubishi offers an 'optical loop network module with external power supply function' QJ71LP221S-25. This means that if power failure occurs at more than one station in a loop system, stations located between the failed ones will continue the data link.
Even more important than duplicating CPUs is the possible duplicating or even triplicating of critical sensors - especially if they are in positions that are liable to damage. Our understanding is that the Buncefield fuel depot disaster was caused by a faulty "fuel gauge" sensing system in one of the tanks and subsequent failure to shut off the incoming feed of petrol. To help guard against such mishaps, Mitsubishi offers "isolated analogue modules for sensors" with "wire break detection function (Q62DA-FG)".
Installed UK applications of the new system are said to include a coal-fired generating plant with 12 networked QnPRH, banking standby power applications at Canary Wharf, a "Major computer manufacturer power monitoring system", a marine "power security application" and a system ensuring rig stability.
Mitsubishi Electric
Pointers
* The system is based on dual CPUs, power supplies and bases
* It is configured for total data tracking and extensive physical redundancy
* Components are 'hot swappable' and so can be unplugged and replaced without having to shut down the entire system