Detect Operator Workplace disconnection in AC800m
When there is no connection between the operator workplace and the controller then the controller must be able to detect this.
When the operator is blind (red crosses on screen), then the controller must shut down the installation.
For instance if OPC services are not running or if no operator is alive.
Is there some kind of watchdog to detect this in the controller?
Voted best answer
As far as I know, you can't tell if a workplace is receiving bad data from a controller.
Also, if a workplace has bad data from a controller, it's probable (or even most likely) that the OPC server has lost contact with the controller as well. In this case, communicating with the controller is probably not possible, or at least very unreliable.
With PNSM and an AO_NET_MON license seat you can let a controller know if a workplace is running or not (however, you cannot tell if the workplace is the "correct workplace" or Plant Explorer, or if the workplace has the correct process display up on screen or is showing the Startup Display, etc.).
1. Create object and IT Asset to monitor a computer process (afwworkplaceapplication.exe) in one or more nodes. Refer to PNSM User's Guides for details.
2. Configure the Property Transfer service to transfer the process ID (PID) from the IT Asset's Control Connection to the controller. Enable "Substitute value" with a flag value (e.g. -1) that will be written if the IT Asset cannot read the PID of the process (= workplace is not running).
3. As long as a workplace is running, the controller will receive its PID. If the workplace is closed or the station is logged off or shut down, the controller will receive "-1" and can react after some timeout.
I assume that you need to have a few operator workplaces configured for this supervision, or else a planned or unplanned restart of the workplace process or a malfunction in PNSM monitoring for a single PC might bring down the process.
AFAIK there is no built-in function for that purpose.
To check the OPC connection you can simply send a signal (e.g. a count) to 800xA, where you send it back to a different signal. In the controller you then have a watchdog.
It is not so easy to check if operator clients are alive. Maybe you can use IT Assets for the clients and send the status back to your controller.
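The supervision from the best answer's steps (PID transferred with a -1 substitute value, reacting after a timeout) and the echoed-counter watchdog from the reply above, combined in one Structured Text function block for the controller side. This is an added example, not code from this thread or from ABB; it assumes generic IEC 61131-3 ST with the standard TON timer (AC800M's library block is TOn with In/PT/Q), three monitored nodes, and Property Transfer feeding the echo and PID inputs.

```iecst
(* WorkplaceWatchdog: hypothetical function block for the controller side.
   Inputs arrive via Property Transfer: the echoed heartbeat counter
   (OPC round-trip check) and the PID of afwworkplaceapplication.exe on
   each monitored node, with -1 as the PNSM substitute value. *)
FUNCTION_BLOCK WorkplaceWatchdog
VAR_INPUT
    EchoCounter   : DINT;                 (* heartbeat read back from 800xA *)
    WorkplacePIDs : ARRAY[1..3] OF DINT;  (* PID per node, -1 = not running *)
    Timeout       : TIME := T#30s;        (* tolerated silence before tripping *)
END_VAR
VAR_OUTPUT
    Heartbeat    : DINT;  (* written to the OPC tag that is echoed back *)
    OPCAlive     : BOOL;  (* echo changed within Timeout *)
    WorkplacesUp : DINT;  (* nodes reporting a valid PID *)
    TripRequest  : BOOL;  (* start the controlled shutdown sequence *)
END_VAR
VAR
    LastEcho    : DINT;
    EchoChanged : BOOL;
    i           : DINT;
    OPCTimer    : TON;    (* assumed standard timer; AC800M: TOn *)
    WPTimer     : TON;
END_VAR
(* Advance the heartbeat every scan, wrapping well below the DINT limit *)
IF Heartbeat >= 1000000 THEN
    Heartbeat := 0;
ELSE
    Heartbeat := Heartbeat + 1;
END_IF;
(* The OPC path is alive while the echoed value keeps changing; the timer
   only runs during scans in which nothing changed and resets on change *)
EchoChanged := (EchoCounter <> LastEcho);
LastEcho := EchoCounter;
OPCTimer(IN := NOT EchoChanged, PT := Timeout);
OPCAlive := NOT OPCTimer.Q;

(* Count workplaces whose process is running; -1 substitute means stopped *)
WorkplacesUp := 0;
FOR i := 1 TO 3 DO
    IF WorkplacePIDs[i] > 0 THEN
        WorkplacesUp := WorkplacesUp + 1;
    END_IF;
END_FOR;

(* Trip only after the timeout so a workplace restart is tolerated; a dead
   OPC path trips via OPCTimer regardless of any stale PID values *)
WPTimer(IN := (WorkplacesUp = 0), PT := Timeout);
TripRequest := OPCTimer.Q OR WPTimer.Q;
END_FUNCTION_BLOCK
```

Timeout must comfortably exceed the Property Transfer cycle time, otherwise the echo check trips spuriously between transfers.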
If you look at the architecture, the operator client may not have a direct connection to the AC800M controller in case of a non-collapsed network.
OPC DA and OPC AE data is traversed through AC800M Connectivity Server.
Red crosses due to disconnection of the client from the client/server network are somewhat difficult to communicate to the AC800M controller, but connectivity of the client on the network can be detected through PNSM, and that status can be given to the controller, which can start the exception procedure to shut down the process.
Using PNSM, OPC services can be monitored as well.
For writing to an OPC Tag you can make use of a Property Transfer Definition:
You put it on the object you want to write to. Then you define in an expression where the value comes from.
For checking a client node look at "How to indicate node status in graphics" here in this forum, sorry I'm not able to set a link, use the search.
Others have pointed out the difficulty with implementing this: basically the HMI is complex and the possible reasons for failure are extensive and not always possible to reliably detect in the controller.
So the real question is why you "must" shut down the process if no operator interface is available. If this is a safety related issue then you should understand that the HMI is in no way a SIL rated system. If you require the ability to shut the plant under these circumstances then your safety review should consider what methods are available to shut the plant when the HMI fails but there are no other trip conditions active in the plant. And typically this is going to mean a hard wired stop to your safety shutdown system.
If what you really require is simply an extra layer of security over and above the redundancy offered by multiple servers and multiple operator stations then you could consider local operator panels, like PP800, to allow some visibility and give operators the choice to shut down the plant. But again, these are not substitutes for a safety shutdown system.
And finally, if "no operator is alive" then just detecting whether an 800xA workplace is running is probably not an effective way of detecting this.
The Property Transfer Definition aspect is very useful.
I've put a counter in it and I check if the value is changing.
In this way I know if there is a connection and that OPC servers are running.
At this point I don't know whether Operator Workplaces are connected. We don't have Asset Management (yet). I suppose this is the next step to implement.
To answer some other questions: shutting down the process is for us the easiest and cheapest solution. We don't have SIL and it is not necessary. We can shut down within seconds and start up within minutes without many consequences, but it must be done in a controlled way.