C13 – Profibus and Profinet network design - Andy Verwer, VTC

PROFIBUS and
PROFINET
System Design
Andy Verwer,
Verwer Training &
Consultancy Ltd
UK PITC
PROFIBUS &
PROFINET UK
Conference,
Stratford-upon-Avon
23/24 June 2015

PROFIBUS & PROFINET System Design, Andy VerwerPROFIBUS & PROFINET Conference, June 2015
System Design
What do we mean by System Design?
• We are talking here about Network Design, i.e. PROFIBUS,
PROFINET, and the integration of other technologies such
as standard Ethernet, AS‐i, IO‐Link etc.
• Choosing and putting together a collection of available
parts to achieve the desired automation functions,
performance, reliably and at the minimum cost.
It should be simple:
1. Understand the desired functions.
2. Understand where costs are incurred.
3. Understand what makes systems reliable/unreliable.
4. Select suitable parts.
5. Assemble according to the specifications.

System Costs
Most system designers and project managers look at the
project procurement, installation and deployment costs when
they price a job.
However, the costs of an automation system spread over the
life cycle of the plant and should include maintenance, fault‐
finding and health‐checking.
Perhaps most important is the cost in terms of loss of
production should faults develop during the lifetime of the
plant. Spending a little more at procurement time can repay
many times over.
Also good fault tolerant design need not be more expensive.
Sometimes fault tolerance can be achieved at no additional
cost.
3

Life cycle costs
4
The procurement,
installation and
commissioning
costs are only
incurred at the start
of the project.
Costs from device
failures increase as
equipment gets
older.
When system
overhaul is
undertaken this can
partially reset the
increasing cost of
failures.
System
overhaul

Control System Design
Control system design normally proceeds by building on the
experience obtained from previous designs.
But, designs which are based on badly designed systems will be
bad!
Only by using experience from operations and maintenance
staff can we develop good system designs.
In my experience it is rare for such feedback mechanisms to be
present. Particularly when design is carried out by sub‐
contractors.
Designers must know about mistakes that have been made in
the past.
Feedback from operations and maintenance is essential.
The contract liability threat and accompanying blame culture is
often responsible for preventing this feedback.

System Costs
Maximising plant availability is critical in reducing the total
costs of the system. It is essential that the System Designer
understands:
That minimising plant down time when faults inevitably
occur (i.e. maximising plant availability) is a key
requirement.
The impact of the network layout on plant reliability.
That the incorporation of network health checking and
fault finding facilities are essential.
How to appropriately use features such as redundancy and
network monitoring and rapid fault location and repair to
improve plant availability.
6

7
Introduction
The parts of a control system
will fail whilst in service.
The consequences of failures
are often predictable, but the
failures themselves are
unpredictable.
The design of a reliable
control system is not simple.
… and should be
accompanied by analysis of
how parts fail and of the
consequences of these
failures.

Minimising the failure footprint
There are three basic ways to minimise the impact of faults:
• Make failures less likely – Minimise failure frequency.
• Restrict the effects of any failures that will inevitably occur.
• Provide for rapid fault detection or performance degradation,
rapid location and rapid repair – Minimise failure duration.
A good network design will minimise the effect on production
when inevitable failures occur.
We can speak of minimising the “failure footprint”.
Fault
frequency
Fault
effect
Fault
duration

Understand and implement the design and installation rules.
Improve reliability ‐ use of well tested (certified) and reliable
devices, connectors and network components.
For PROFIBUS use the lowest possible bit rate that gives the
required performance.
1. Make failures less likely – Minimise failure frequency.

2. Restrict the effects of any failures that will inevitably occur –
Minimise failure extent.
Well thought out network layout and design.
Think about using:
 Separate networks or different masters (distributed control),
 Different segments (segmentation),
 Dealing with common cause failures.

3. Provide for rapid fault detection or performance
degradation, rapid location and rapid repair –
Minimise failure duration.
 Provide facilities in the design for rapid fault diagnosis and fault
location.
 Provide in the design for hot device swapping without
reconfiguration.
 Use designs that allow for a quick fix.
 Provide redundancy when appropriate. Needs to be well thought
out!
 Use standardised, vendor independent solutions rather than being
locked into manufacturer specific solutions.

Techniques for minimising fault impact
Pluggable devices that can be removed/replaced without
impinging on network operation.
Appropriate network design and segmentation so that physical
layer faults allow critical plant operation to continue in the
event of failure or device replacement.
Layout for rapid troubleshooting and fault isolation.
Use appropriate solutions for redundancy.
For PROFIBUS systems use:
connector systems and layouts that do not break the bus
or loose termination when disconnected.
Termination solutions that allow devices to be removed or
replaced.

Reliability and availability
Reliability is a measure of how a component, assembly or
system will perform its intended function, without failure, for
the required duration when installed and operated correctly in
a specified environment.
Availability is a measure of reliability indicating the fraction of
time in which a device or system is expected to operate
correctly.
It is important to remember that reliability is a statistical
measure: it will not predict when a particular device will fail,
only the expected failure rate based on average performance
of a batch of test devices or on past performance.
13

Some definitions
Mean Time Between Failures (MTBF) is the expected or
average time that a device will be free of failure.
Typical MTBF for a well designed and manufactured electronic
device might be 10 to 20 years.
Mean Time To Repair (MTTR), is the time taken to repair a
failed device.
In an operational system, MTTR generally means time to
detect the failure, diagnose and locate the problem and
replace the failed part.
14

Availability
Availability can be calculated from MTBF and MTTR:
MTTRMTBF
MTBF
ty,Availabili

A
Remember that availability is a statistical measure and
represents an average probability of being in operation.
There is little point in trying to be accurate with these figures
since actual failures are unpredictable.
Availability is typically specified in “nines notation”. For
example 3‐nines availability corresponds to 99.9%
availability. A 5‐nines availability corresponds to 99.999%
availability.

Availability, A D = (1‐A) Downtime
0.9 = 90% (1‐nine) 0.1 (10‐1) 36.5 days/year
0.99 = 99% (2‐nines) 0.01 (10‐2) 3.7 days/year
99.9% (3‐nines) 0.001 (10‐3) 8.8 hours/year
99.99% (4‐nines) 0.0001 (10‐4) 53 minutes/year
99.999% (5‐nines) 0.00001 (10‐5) 5 minutes/year
99.9999% (6‐nines) 0.000001 (10‐6) 5 minutes/10years
99.99999% (7‐nines) 0.0000001 (10‐7) Not feasible!
99.999999% (8‐nines) 0.00000001 (10‐8) Impossible!
Downtime is an alternative way of understanding the
availability:
MTTRMTBF
MMTR
AD

 )1(Downtime,
Availability and Downtime

Availability/Downtime
Note that the availability of a device can be improved by
decreasing the MTTR.
This can be accomplished in several ways:
Faster detection and location of faults. (Accomplished by
diagnostic reporting facilities, availability of fault finding
tools and training of maintenance personnel).
Faster repair of the fault. (Accomplished by availability of
spares and all of the above).
Fault tolerant design.

Example
Consider a remote IO unit with a MTBF of 10 years.
When the device fails, it could take several days to
recognise, diagnose and locate the fault and then, if not
held as a spare part, several more days to obtain a
replacement. The MTTR could be one week, giving an
availability of:
998.0
73650
3650
736510
36510








MTTRMTBF
MTBF
A
I.e. ~3‐nines availability, or a downtime of about 16 hours/year.
Consider the availability when the MTTR is reduced to ½ day:
0.99986
5.036510
36510



A
The availability is now ~4‐nines and the downtime has
reduced to about 1hour/year.

Reliability modelling and analysis
The system designer must understand the methods of
modelling and analysis of reliability and availability in systems.
In particular how system availability can be predicted from the
individual parts.
Also understand how standby systems, redundant solutions
and common cause failures impact the overall system
reliability.
We often find that redundancy is inappropriately used and
sometimes results in no real improvement in system
availability.
Careful network layout can have a major effect on the fault
footprint and significantly improve the overall availability of
the plant.
19

Standby and redundant systems
Often, we see standby systems used to improve the plant
availability.
Here we have two or more devices working in parallel.
Should a fault occur in the operational device then the standby
device can be started.
The switch over can be manually activated or can be
automatic. The switching time should be considered when
estimating the overall system availability.
This scheme is called a “one out of two” (1oo2) system.
This scheme achieves high availability because the system
function is maintained whilst repairing the failed device.

Example
Consider a cooling system for a process:
The pumps can be operated as a duty/standby pair.
Should the pressure fall or the temperature go high then
the standby pump can be automatically started.
The effective MTTR for the system is the expected time to
detect a failure and for the standby pump to get up to
speed, a fraction of the real MTTR, or perhaps even zero.
Pump B
Pump A
Cooling water
ProcessPS
Non return
valves
TS

Standby and redundant systems
We may think that the availability of such 1oo2 systems where
the switchover time is negligible might be 100%, but this is not
correct, since whilst one pump is failed, the redundancy is no
longer provided. There is still a chance that the second device
might fail.
It is important that the system designer understands how to
analyse the system availability when standby or redundant
solutions are considered.
Component 1
Availability, A1
Component 2
Availability, A2
Redundant solutions effectively
have availability of the two
redundant paths in parallel so that
the system can function even
when one path fails.

Common Cause Failures
Even when we have what appears to be a fully redundant
system, there will always be certain failures that will cause
both redundant routes to fail at the same time.
Examples of such common cause failures include:
• Power supply failure, blackout, brownout etc.
• Common source interference, lightning strikes etc.
• Mechanical failure, drive shaft fracture, jamming etc.
• Process failure, pipe burst, blockages etc.
Redundant
device
Redundant
device
Common
cause failure
In terms of the reliability
model, any common cause
failure is effectively in series
with the redundant paths,
bypassing the redundancy.

Multiple Master/Controller Systems
Multiple PROFIBUS masters or PROFINET controllers with
automatic duty‐standby switching are available from a number
of suppliers.
These can drive different networks to provide redundancy
down to the field level. However, separate power supply and
network cable routing are advisable to minimise common‐
cause failures.
Sometimes dual slaves can be used in the field with a simple
“wired‐OR” voting system driving the final actuator or
connecting two redundant sensors.
However, more often we find such redundant controllers are
using the same field devices and actuators.

Redundancy solutions for PROFIBUS
Solutions for redundant PROFIBUS cabling are available from
many manufacturers:
Siemens Y‐Link
PROCENTEC ProfiHubs
ABB Redundancy
Link Module
Moor‐Hawke
Redundancy for PA
COMbricks modules

Slave with
integrated
redundancy
Y
Slave 4
Slave
3A
Slave
3B
Mechanically
combined outputs
Redundant
slaves
Wired OR
outputs
Slave
2A
Slave
2B
Y
Redundant
masters
Master
B
Y
Redundancy solutions for PROFIBUS
Properly designed redundant
solutions can provide robustness
against a wide selection of faults
and conditions.
26
Master
A
Redundant cables
PSU A
PSU B
Redundant
power
supplies
Y
Slave
1
Redundant
links or hubs
Y

PROFINET system layout
PROFINET systems can be laid out in a number of ways:
27
Star and tree topologies
using switches:
Line topology using two‐port devices:
Or a combination of both.
Switches

PROFINET system layout
There is a clear advantage of the star topology in terms of
system availability in that any device can be replaced without
affecting the other devices.
However, the system cost will be significantly greater because
of the number of switches required.
The line topology is much lower cost, because separate
switches are not required.
But removal or replacement of any device will cause all
downstream devices to fail.
28

PROFINET and Redundancy
One of the big advantages of PROFINET is that it incorporates
a specification for media redundancy.
The standardised Media Redundancy Protocol (MRP) provides
manufacturer independent redundancy which can be used
over copper or fibre cables.
PROFINET redundancy can provide:
• Controller redundancy.
• Transmission media and switch redundancy.
• IO device redundancy.
Redundant PROFINET systems are relatively easy to implement
and can be used across different manufacturers.

PROFINET redundancy solutions
30
Standardised Media Redundancy Protocol (MRP) can be used
on PROFINET systems to give media redundancy.
IO Controller
with MRP
IO Devices
with MRP
Switch
with
MRP
IO Device
without MRP
But the system must still be properly designed, considering
all possible failures and their likelihood. Common cause
failures must be properly dealt with.

Other ways to improve availability
The careful design of networked systems can improve their
availability.
In particular by organising the system so that selected parts of
the system can be independently shut down for maintenance
without affecting the remaining production.
A simple example of this is seen with streamed production.
31
A stream can be taken out of service without affecting the
other stream.
But only if the system design allows this.
Process 1 Process 2 Process 3
Stream A
Process 1 Process 2 Process 3
Stream B

Automation Islands or Units
The concept of dividing the plant into Automation Islands or
Automation Units is well established.
Each automation unit is considered as being functionally
separated from the rest of the plant so allowing it to operate
(and to be shut down) independently.
A good network design will facilitate the isolation of these
automation units using:
• Different controllers;
• Different networks or subnetworks;
• Segmentation.
Careful choice of various architectures for automation units is
a key stage in the design process which can impact on the
overall reliability and maintainability of the control system.
32

Who needs training and why?
People who are involved with network installation
33
Commissioning and maintenance personnel
a) Need to know the wiring/layout rules and
reasons for them.
b) Need to know how to use diagnostic tools to
identify faults and locate problems.
c) Need to be able to health check systems and
verify network quality.
a) Need to know the wiring/layout rules
and reasons for them.
b) Need to be able to make up and test
cables, connectors and devices.

Who needs training and why?
System designers and people involved in the specification,
procurement and management of a control system project
34
Device developers and designers
b) Need to understand the protocol and
profiles and what these offer.
b) Need to understand the impact of design
decisions on the reliability and
availability of the plant.
c) Must be familiar with drawing and
documentation standards.
d) Need to understand the whole life cycle
costs involved in a project.

PI Certified training
PI Certified training currently incorporates the following
internationally accredited courses:
• Certified PROFIBUS Installer course (1‐day)
• Certified PROFIBUS Engineer course (3½‐days)
• Certified PROFINET Installer course (1‐day)
• Certified PROFINET Engineer course (3½‐day)
The Certified Installer is widely accepted as the minimum
standard for anyone involved at a technical level with
PROFIBUS or PROFINET.
The Engineer course provides in‐depth treatment of the
protocol and profiles. Useful for developers and for more
difficult problems.
35

Certified System Design courses
This year we started to run certified PROFIBUS System design
courses in the UK. These courses are currently accredited within
the UK by the UK PROFIBUS Group.
The objectives and learning outcomes for these courses have
been developed by an international team of experienced trainers
and consultants over a period of three years.
The UK water industry in particular has been asking for this
certified designer training so that they can ensure that sub‐
contract design is carried out by suitably trained staff.
The courses have been run by VTC and will soon also be available
from MMU.
The course has been accepted in principle by PI and it is expected
that international accreditation will be approved within a few
months.
Certified PROFINET system design courses are also planned.
36

C13 – Profibus and Profinet network design - Andy Verwer, VTC

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to C13 – Profibus and Profinet network design - Andy Verwer, VTC

Similar to C13 – Profibus and Profinet network design - Andy Verwer, VTC (20)

More from PROFIBUS and PROFINET InternationaI - PI UK

More from PROFIBUS and PROFINET InternationaI - PI UK (20)

Recently uploaded

Recently uploaded (20)

C13 – Profibus and Profinet network design - Andy Verwer, VTC