ABB Control Builder


Transcript of ABB Control Builder

Slide 1: Embedded Automation and Safety in ABB 800xA Control system

2007-05-09, Page: 1, ABB AB, 2007 ©, Albert Norberg

Slide 2: Content

• System 800xA overview
• Control system properties
• Safety certified control system

Slide 3: System 800xA

• 800xA is a large DCS system
• Integration with upper business and production systems
• Open, Windows based PC platform
• Contains a wide range of integrated ABB products
  • Operator workplace
  • Engineering workplace
  • Embedded control systems
  • Fieldbus devices
• Connectivity to 3rd party control systems

Slide 4: 800xA Automation System topology

[Figure: network topology diagram. Labels: Plant Network / Intranet, Firewall, Client/server Network, Control Network, Field Bus; Aspect server, Application server, Connectivity server, Workplaces, Engineering Workplace, Enterprise Optimization Suite, Mobile Operator, Third party application server; AC 800C, Redundant AC 800M; Third party controllers, servers etc. (Serial, OPC or fieldbus).]

Slide 5: Typical 800xA applications

• Steel production
• Pulp and paper production
• Power plants
• Food industry

Slide 6: Typical 800xA applications

• Cranes operation
• Pharmaceutical industry
• Oil & Gas production
• Petrochemical industry

Slide 7: Control system

• Modular controller hardware
  • Main CPU based on Motorola PowerPC
  • Communication bus for expansion with several communication interfaces
  • Modular I/O system with support for digital and analog input and output
• MS Windows based programming tool
  • IEC 61131-3 programming tool
  • Object oriented approach
• Connectivity server running on a PC
  • OPC server for live data and status to the Operator workplace

Slide 8: Control Builder

• Supports IEC 61131-3 (standard for programming languages of PLCs)
• Uses the Program Organization Unit (POU) concept
• Uses the Type / Instance concept
• Type solutions are stored in Libraries
• The control solution is made in Applications

Slide 9: Control Builder

Five programming languages:

• Structured Text (ST) – like Pascal
• Instruction List (IL) – virtual assembly
• Sequential Function Chart (SFC) – state machine
• Function Block Diagram (FBD) – graphical signal flow
• Ladder Diagram (LD) – graphical relay diagram

Slide 10: Control Builder cont.

• Applications are allocated to controllers
• In the controllers the user defines tasks
  • Periodic tasks
  • Cycle time and priority
• Applications can be executed by one or several tasks
• A controller can contain one or several applications
• Hardware configuration and I/O connections are also defined in Control Builder

Slide 11: OS threads

[Figure: thread diagram with a Highest priority / Lowest priority scale. Labels: Safety Thread (only in a HI controller); Time Critical thread (Time Critical IEC 61131-3 Tasks); Watch-dog, IEC 61131-3 Tasks, System tasks; Boot thread; Communication (MMS, Fieldbus Foundation (FF-H1), SattBus, ...); Logging (Event and Alarm); Main thread (Subsystems Management, Maintenance, HW Related Functions, Distribution (MMS programs), Other (e.g. LongJob)); Schedule thread (Scheduler objects); IO handling threads; threads using and inside the IO and Communication Framework, Protocol Handlers; BatchJob thread; Idle thread.]

• VxWorks RTOS
  • Prioritized threads
  • Mutex, semaphores
• User defined tasks are mapped onto one OS thread
• Other OS threads for communication, maintenance etc.
• 5 – 10 OS threads do the main job
• Lots of other threads are defined in the system for various services

Slide 12: OS threads vs. 1131 tasks

[Figure: priority ladder with a Highest priority / Lowest priority scale. Labels: Time Critical 1131-Task, Safety thread, Schedule thread (1131-tasks), Main thread, Communication sub systems, Alarm & Event, Batchjob thread, Background Thread, idle thread; platform labels Real-Time OS and Windows NT.]

Slide 13: OS threads vs. 1131 tasks cont.

[Figure: scheduler structure. The Scheduler (Schedule(), ScheduleExec()) keeps a ReadyQueue and a TimeQueue of Task Objects; each task object has an Execution List and an I/O Table. Axes: 1131 Task Priority and OS Thread Priority. Threads shown: Scheduler Thread, Idle Thread, Test Engine Thread, Time Critical Thread, Batchjob Thread, GenericIO Thread, Main Thread. One label reads "Tasks Objects (Scan" and is truncated in the source.]

Slide 14: 1131 task scheduling

• Implemented in one thread
  • Allows easy sharing of data structures
  • Minimizes operating system dependency
• Built with simple mechanisms
  • Cyclic execution
  • User defined cycle time and priority
  • Scheduled according to priority, with defined preemption points
  • Support for latency supervision, load balancing and task abortion
• Normally the scheduler thread takes 50 – 70 % of the CPU capacity
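The mechanisms listed on this slide (one scheduler thread with a TimeQueue and a ReadyQueue, cyclic tasks with user defined cycle time and priority, priority scheduling that only preempts at defined preemption points, latency supervision with task abortion) as an added simulation; this is illustrative code written for this page, not ABB's scheduler, and the 1 ms tick model, the task set DEMO_TASKS, the function name simulate and the "lower number = higher priority" convention are assumptions.

```python
import heapq

# Constructed task set: Fast can only preempt Slow at a segment boundary, so Slow's
# 15 ms segment delays Fast's second cycle until Fast's third release arrives.
DEMO_TASKS = [
    {"name": "Fast", "priority": 1, "cycle_ms": 10, "segments_ms": (2, 2)},
    {"name": "Slow", "priority": 2, "cycle_ms": 30, "segments_ms": (15,)},
]

def simulate(tasks, horizon_ms):
    """Single-thread cyclic priority scheduler model, 1 ms resolution. Tasks are
    released every cycle_ms and run their segments_ms in order; a lower priority
    number runs first (assumption); preemption only between segments (defined
    preemption points). Returns (trace, overruns): trace = [(start_ms, name,
    segment_no)]; overruns = [(name, release_ms)] where a release found the
    previous instance unfinished, which is then aborted and restarted."""
    spec = {t["name"]: t for t in tasks}
    time_queue = sorted((0, t["priority"], t["name"]) for t in tasks)  # TimeQueue
    ready = []                  # ReadyQueue: heap of (priority, name)
    pending = {}                # name -> next segment index of the live instance
    trace, overruns = [], []
    now, current, remaining = 0, None, 0
    while now < horizon_ms:
        if remaining == 0 and current is not None:      # preemption point reached
            pending[current] += 1
            if pending[current] < len(spec[current]["segments_ms"]):
                heapq.heappush(ready, (spec[current]["priority"], current))
            else:
                del pending[current]                    # instance finished
            current = None
        while time_queue and time_queue[0][0] <= now:   # TimeQueue -> ReadyQueue
            rel, prio, name = heapq.heappop(time_queue)
            if name in pending:                         # previous cycle not done
                overruns.append((name, rel))            # latency supervision hit
                ready = [r for r in ready if r[1] != name]
                heapq.heapify(ready)
                if current == name:
                    current, remaining = None, 0        # abort the late instance
            pending[name] = 0
            heapq.heappush(ready, (prio, name))
            heapq.heappush(time_queue, (rel + spec[name]["cycle_ms"], prio, name))
        if current is None and ready:                   # dispatch highest priority
            _, current = heapq.heappop(ready)
            remaining = spec[current]["segments_ms"][pending[current]]
            trace.append((now, current, pending[current]))
        if current is not None:
            remaining -= 1
        now += 1
    return trace, overruns
```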

Slide 15: Safety certified control system

Slide 16: The term Safety

• Safety is a common term used for a system's ability to provide service without occurrence of catastrophic failures with consequences for:
  • Personnel
  • Environment
  • Equipment
• Safety is one aspect of what is sometimes called the dependability of a system, where other aspects are also considered, e.g.
  • Availability (ability to provide service)
  • Maintainability (ability to undergo repair)
• ... where some of these aspects are goals that compete with Safety

Slide 17: Certification

• Safety certified products are required by a wide range of customers
• Safety certified automation is in some applications also required by the authorities in many countries
• Certification is done according to IEC 61508
• Certification is done by an external actor
  • ABB uses TÜV, a German certification body

Slide 18: Some examples

• Oil & Gas
• Petrochemical
• Pharmaceutical
• Chemical

Slide 19: SIL

• SIL – Safety Integrity Level
• Concept defined by IEC 61508
• Defines the probability of failure on demand for a certain function/component

Slide 20: SIL cont.

Slide 21: How is required SIL determined

Slide 22: How SIL are applied

[Figure with the labels SIL 0-1, SIL 2 and SIL 3.]

Slide 23: 800xA provides integrated Process Control and Safety

[Figure, labels: Operate IT, Inform IT, Optimize IT, Engineer IT, Control IT; Control IT for combined Process Automation and Safety, with Safety Functions, Control Functions and Automation Functions.]

Slide 24: How is IEC 61508 fulfilled

• The whole end-user solution must fulfill the Safety requirements (IEC 61508 and IEC 61511)
  • Requirements on all equipment (e.g. sensors, actuators)
  • Requirements on the design and engineering of the customer application
  • Requirements on the Control System
• The 800xA Control system from ABB provides the possibility to create SIL1, 2 and 3 applications

Slide 25: How is IEC 61508 fulfilled cont.

• The requirements in IEC 61508 relate to two areas
  • Fault avoidance: avoid introducing errors during development
  • Fault control: detect and handle errors during operation
• Both areas are valid for both hardware and software
  • Focus on software in this presentation

Slide 26: Fault avoidance

• Requirements on the software development process
• Requirements on all phases: requirements, design, implementation and test

[Figure: development process diagram with steps numbered 1 to 11 (one marked *). Phase labels: Requirements Definition, Requirements Analysis, Analysis and Design, Detailed Design, Implementation / Manufacturing, Design Test, PTT, FTT / CTT, System Test, SVT, Technical Release, PIT. Document labels: Customer wish (MRS), Requirement Specifications (Safety Requirement Specification, PRS), System Requirement Specification, Description of Function, Design Description, Design Test Description, Integration Test Description, PTT Descriptions, Functional Type Test Description, STT Descriptions.]

Slide 27: Fault avoidance cont.

Some examples of requirements:

• Requirements and requirements analysis
  • Traceability
  • Architecture descriptions
• Design
  • Semiformal design methods – computer aided design tool (UML)
• Implementation
  • Static code analysis. C/C++ are not recommended languages for safety
  • Code analysis tool (PCLint) used to define a safe subset
• Test
  • Low level automatic design tests
  • Integration test
  • Safety validation test

Slide 28: Fault avoidance cont.

SIL Capability of the component, by SIL of the Safety Function / safety-related system (rows) and Criticality of the Entity (columns):

                C3       C2       C1
  SIL3          SIL 3    SIL 2    Meet relevant requirements for non-interference
  SIL2          SIL 2    SIL 1    Meet relevant requirements for non-interference
  SIL1          SIL 1    SIL 1    Meet relevant requirements for non-interference

• Requirements differ for different SIL
• The SIL of a component can be reduced depending on its criticality
• C3: Safety Critical denotes a function where a single deviation from the specified function may cause an unsafe situation
• C2: Safety Relevant denotes a function where a single deviation from the specified function cannot cause an unsafe situation, but the combination with a second failure of another software or hardware unit may cause an unsafe situation
• C1: Interference Free denotes a function which is not safety critical or safety relevant, but has interfaces with such functions

Slide 29: Fault Control

• Based on implementing safety measures in software/hardware to detect and react on errors, e.g.
  • Checksum calculation of data (CRC calculation)
  • Timer watchdogs
  • Software sequence monitoring
  • Memory hardware protection (MMU)
  • Cyclic RAM, register and CPU instruction tests
  • Duplication of data/algorithms with comparison
• Measures implemented in the Engineering tool (PC), the Target system (Controller) and the I/O boards
• Measures designed to detect both hardware and software failures
• Error reaction in most cases leads to system shutdown

Slide 30: Fault Control – SIL2 concept

• The Control Builder engineering tool performs safe compilation (e.g. CRC protected application source code, compile twice)
• The SIL2 application is executed in the PM (internal diagnostics + reporting of state to the SM)
• The SM supervises the application execution (acts as watchdog to the PM)
• The I/O telegrams are built in both PM and SM and the result is checked in the I/O modules

[Figure: AC800M HI SIL2 controller with CB (Control Builder), PM (Processor Module), SM (Safety Module), I/O bus and Safety I/O.]

Slide 31: Fault Control – SIL3 concept

[Figure: AC800M HI SIL3 controller with CB (Control Builder), PM (Processor Module), SM (Safety Module), I/O bus and Safety I/O.]

• The Control Builder engineering tool performs safe compilation for both PM and SM
• The SIL3 application is executed in the PM (with the same diagnostics as in SIL2)
• The SM also executes the SIL3 application (and in addition acts as watchdog to the PM, as in SIL2)
• The I/O telegrams are built in both PM and SM and the result is checked in the I/O modules (same as SIL2)

Slide 32: Fault Control – Reduced SIL requirements

• SIL2 Controller
  • The PM executes the application
  • The SM supervises the application execution in the PM
• SIL3 Controller
  • The PM and the SM execute the application. The result is voted in the I/O module.
  • The SM supervises the application execution in the PM
• PM + SM together achieve SIL3
  • Individually, the PM and SM software is only required to fulfill SIL2
  • Duplicated structures are common practice when developing systems with SIL > SIL2
  • Duplication requires avoidance of common cause failures (e.g. different implementations of the PM and SM software are required)
  • Too difficult to develop according to SIL3
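The SIL2/SIL3 fault-control concept of the last three slides (I/O telegrams built in both PM and SM and checked or voted in the I/O module, CRC protected data, software sequence monitoring, the SM as timer watchdog of the PM, and differently implemented PM and SM code to avoid common cause failures) as an added model; this is illustrative code written for this page, not ABB's firmware, and the telegram layout, the choice of CRC-32, the function names and the sample values are assumptions.

```python
import struct
import zlib

def crc32_bitwise(data: bytes) -> int:
    """Bit-serial CRC-32 (IEEE, reflected poly) for the SM side: an independently
    written routine that must agree with zlib.crc32, which the PM side uses."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF

def pm_build(seq: int, outputs) -> bytes:
    """PM telegram (constructed layout): u16 sequence counter, u32 output bits, CRC-32."""
    bits = 0
    for i, on in enumerate(outputs):
        bits |= (1 << i) if on else 0
    body = struct.pack("<HI", seq & 0xFFFF, bits)
    return body + struct.pack("<I", zlib.crc32(body))

def sm_build(seq: int, outputs) -> bytes:
    """SM builds the same telegram through a different code path (common-cause avoidance)."""
    bits = sum(1 << i for i, on in enumerate(outputs) if on)
    body = (seq & 0xFFFF).to_bytes(2, "little") + bits.to_bytes(4, "little")
    return body + crc32_bitwise(body).to_bytes(4, "little")

def io_module_check(pm_tel: bytes, sm_tel: bytes, expected_seq: int):
    """I/O module side: verify both CRCs, vote PM against SM, check the sequence
    counter (software sequence monitoring). Any failure forces the safe state."""
    def unpack(tel):
        if len(tel) != 10 or zlib.crc32(tel[:6]) != int.from_bytes(tel[6:], "little"):
            return None
        return struct.unpack("<HI", tel[:6])           # (seq, bits)
    pm, sm = unpack(pm_tel), unpack(sm_tel)
    if pm is None or sm is None:
        return ("safe_state", "crc")
    if pm != sm:
        return ("safe_state", "pm_sm_mismatch")
    if pm[0] != expected_seq:
        return ("safe_state", "sequence")
    return ("apply", pm[1])

def sm_watchdog(heartbeats_ms, period_ms, tolerance_ms):
    """SM timer watchdog on PM heartbeats: first time a gap exceeds period + tolerance, else None."""
    for prev, cur in zip(heartbeats_ms, heartbeats_ms[1:]):
        if cur - prev > period_ms + tolerance_ms:
            return cur
    return None
```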

Slide 33: Safety versus Availability and Maintainability

• A safe system does not by itself lead to availability of the system
• In ABB 800xA availability is solved by:
  • Hardware redundancy
  • Software quality
  • Software error handling (avoiding fatal error handling)
• In ABB 800xA maintainability is solved by:
  • Hardware redundancy and hot replacement
  • Software online upgrade

Slide 34: End