Embedded Automation and Safety in ABB 800xA Control system
Albert Norberg
2007-05-09
© ABB AB, 2007
Content
System 800xA overview
Control system properties
Safety certified control system
System 800xA
800xA is a large DCS system
Integration with upper business and production systems
Open, Windows based PC platform
Contains a wide range of integrated ABB products:
  Operator workplace
  Engineering workplace
  Embedded control systems
  Fieldbus devices
  Connectivity to 3rd party control systems
800xA Automation System topology
Figure (network topology diagram, not reproduced). Elements shown: Plant Network / Intranet; Firewall; Client/server Network with Aspect server, Application server, Connectivity server, Third party application server, Workplaces, Enterprise Optimization Suite, Mobile Operator and Engineering Workplace; Control Network with AC 800M (Redundant) and AC 800C controllers; Field Bus; Third party controllers, servers etc. connected via Serial, OPC or fieldbus.
Typical 800xA applications
Steel production
Pulp and paper production
Power plants
Food industry
Typical 800xA applications
Cranes operation
Pharmaceutical industry
Oil & Gas production
Petrochemical industry
Control system
Modular Controller hardware
  Main CPU based on Motorola Power PC
  Communication bus for expansion with several communication interfaces
  Modular I/O system with support for digital and analog input and output
MS Windows based programming tool
  IEC 61131-3 Programming tool
  Object oriented approach
Connectivity server running on PC
  OPC server for live data and status to Operator workplace
Control Builder
Support IEC 61131-3 (standard for programming languages of PLCs)
Uses the concept Program Organization Unit (POU)
Uses the Type – Instance concept
Type solutions stored in Libraries
Control solution made in Applications
Control Builder
Five programming languages:
• Structured Text (ST) – Like Pascal
• Instruction List (IL) – Virtual Assembly
• Sequential Function Chart (SFC) – State machine
• Function Block Diagram (FBD) – Graphical signal flow
• Ladder Diagram (LD) – Graphical relay diagram
Control Builder cont.
Applications allocated to controllers
In controllers the user defines tasks
  Periodic tasks
  Cycle time and priority
Applications can be executed by one or several tasks
Controller can contain one or several applications
Hardware configuration and I/O connections also defined in Control Builder
OS threads
Figure (thread priority diagram from highest to lowest priority; the exact order is not recoverable from the extracted text). Threads shown: Boot thread; Time Critical thread (Time Critical IEC 61131-3 Tasks); Safety Thread (only in a HI controller); Watch-dog; IO handling threads; Communication (MMS, Fieldbus Foundation (FF-H1), SattBus, …); Logging (Event and Alarm); Main thread (Subsystems Management, Maintenance, HW Related Functions, Distribution (MMS programs), Other (e.g. LongJob)); Schedule thread (Scheduler objects, IEC 61131-3 Tasks, System tasks); BatchJob thread; Idle thread. The diagram distinguishes threads using the IO and Communication Framework and Protocol Handlers from threads inside the IO and Communication Framework.
Vxworks RTOS
Prioritized threads
Mutex, semaphores
User defined tasks mapped onto one OS thread
Other OS threads for communication, maintenance etc.
5 – 10 OS threads do the main job
Lots of other threads defined in the system for various services
OS threads vs. 1131 tasks
Figure (priority diagram from highest to lowest priority; exact order not recoverable). Threads shown: Time Critical 1131-Task, Safety thread, Schedule thread (1131-tasks), Batchjob thread, Main thread, Communication sub systems, Alarm & Event, Background Thread, idle thread. Labels: Real-Time OS, Windows NT.
OS threads vs. 1131 tasks cont.
Figure (scheduler structure, not reproduced). The Scheduler, with Schedule() and ScheduleExec(), keeps a ReadyQueue and a TimeQueue of Task Objects (Scan); each task object has an Execution List and an I/O Table. 1131 Task Priority orders the tasks within the Scheduler Thread; OS Thread Priority orders the OS threads shown: Time Critical Thread, Test Engine Thread, Scheduler Thread, GenericIO Thread, Batchjob Thread, Main Thread, Idle Thread.
1131 task scheduling
Implemented in one thread
  Allows easy sharing of data structures
  Minimizes operating system dependency
Built with simple mechanisms
  Cyclic execution
  User defined cycle time and priority
  Scheduled according to priority with defined preemption points
  Support for latency supervision, load balancing and task abortion
Normally the scheduler thread takes 50 – 70 % of CPU capacity
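As an added illustration of the scheduling scheme just described (this is not ABB's scheduler code; the task set, the 1 ms quantum between preemption points and the simulated clock are constructed for the example), the C program below runs all cyclic tasks from a single scheduler loop: tasks are released by their user-defined cycle time, the highest-priority ready task runs until the next preemption point, the release-to-start latency is supervised against a limit, a task that is still running when its next period starts is aborted and counted as an overrun, and the share of simulated time spent in the scheduler is reported as load.

```c
#include <stdio.h>
#include <stdbool.h>

#define MAX_TASKS  8
#define QUANTUM_MS 1u   /* simulated work between two preemption points */

/* One user-defined cyclic task with its run-time state and statistics. */
typedef struct {
    const char *name;
    unsigned cycle_ms;          /* user-defined cycle time */
    unsigned priority;          /* 1 = highest */
    unsigned exec_ms;           /* simulated execution time per cycle */
    unsigned latency_limit_ms;  /* supervision limit on release-to-start delay */
    unsigned next_release_ms, release_ms, remaining_ms;
    bool started;
    unsigned runs, overruns, latency_violations, max_latency_ms;
} Task;

static Task tasks[MAX_TASKS];
static int ntasks;
static unsigned now_ms, busy_ms;    /* simulated clock and scheduler busy time */

void sched_reset(void) { ntasks = 0; now_ms = 0; busy_ms = 0; }

int add_task(const char *name, unsigned cycle_ms, unsigned priority,
             unsigned exec_ms, unsigned latency_limit_ms)
{
    if (ntasks >= MAX_TASKS || cycle_ms == 0) return -1;
    Task t = {0};
    t.name = name; t.cycle_ms = cycle_ms; t.priority = priority;
    t.exec_ms = exec_ms; t.latency_limit_ms = latency_limit_ms;
    tasks[ntasks] = t;
    return ntasks++;
}

/* Release every task whose period has started. A task that has not finished
 * its previous cycle is counted as an overrun and aborted (task abortion). */
static void release_due(void)
{
    for (int i = 0; i < ntasks; i++) {
        Task *t = &tasks[i];
        while (now_ms >= t->next_release_ms) {
            if (t->remaining_ms > 0) t->overruns++;
            t->release_ms   = t->next_release_ms;
            t->remaining_ms = t->exec_ms;
            t->started      = false;
            t->next_release_ms += t->cycle_ms;
        }
    }
}

/* Highest-priority task with work left; ties go to the task defined first. */
static Task *pick_ready(void)
{
    Task *best = NULL;
    for (int i = 0; i < ntasks; i++)
        if (tasks[i].remaining_ms > 0 && (!best || tasks[i].priority < best->priority))
            best = &tasks[i];
    return best;
}

/* Run the simulated clock up to end_ms; returns scheduler CPU load in percent. */
unsigned sched_run(unsigned end_ms)
{
    while (now_ms < end_ms) {
        release_due();
        Task *t = pick_ready();
        if (!t) { now_ms += QUANTUM_MS; continue; }   /* nothing ready: idle */
        if (!t->started) {                            /* latency supervision */
            unsigned latency = now_ms - t->release_ms;
            t->started = true;
            if (latency > t->max_latency_ms) t->max_latency_ms = latency;
            if (latency > t->latency_limit_ms) t->latency_violations++;
        }
        t->remaining_ms -= QUANTUM_MS;                /* one quantum of work ... */
        now_ms  += QUANTUM_MS;                        /* ... then a preemption point */
        busy_ms += QUANTUM_MS;
        if (t->remaining_ms == 0) t->runs++;
    }
    return end_ms ? busy_ms * 100u / end_ms : 0u;
}

int main(void)
{
    sched_reset();
    add_task("Fast", 10, 1, 2, 5);   /* constructed task set: 2 ms every 10 ms */
    add_task("Slow", 50, 2, 20, 5);  /* 20 ms every 50 ms, lower priority */
    unsigned load = sched_run(100);
    for (int i = 0; i < ntasks; i++)
        printf("%-5s runs=%u max_latency=%ums overruns=%u latency_violations=%u\n",
               tasks[i].name, tasks[i].runs, tasks[i].max_latency_ms,
               tasks[i].overruns, tasks[i].latency_violations);
    printf("scheduler load: %u%%\n", load);
    return 0;
}
```

With the constructed task set the fast task preempts the slow one at every preemption point, so the slow task starts at most 2 ms after its release and both complete within their cycle at 60 % load; raising the slow task's execution time above what its period leaves over makes it miss the period and be aborted, which is the overrun the supervision is there to catch.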
Safety certified control system
The term Safety
Safety is a common term used for a system's ability to provide service without occurrence of catastrophic failures with consequences for:
  Personnel
  Environment
  Equipment
Safety is one aspect of what is sometimes called dependability of a system, where other aspects are also considered, e.g.
  Availability (ability to provide service)
  Maintainability (ability to undergo repair)
… where some of these aspects are goals that compete with Safety
Certification
Safety certified products are required by a wide range of customers
Safety certified automation is in some applications also required by authorities in many countries
Certification done according to IEC 61508
Certification done by external actor
ABB uses TÜV, a German certification body
Some examples
Oil & Gas
Petrochemical
Pharmaceutical
Chemical
SIL
SIL – Safety integrity level
Concept defined by IEC 61508
Defines the probability of failure on demand for a certain function/component
SIL cont.
How is required SIL determined
How SIL are applied
SIL 0-1
SIL 2
SIL 3
800xA provides integrated Process Control and Safety
Figure (product family diagram, not reproduced). Labels: Operate IT, Inform IT, Optimize IT, Engineer IT and Control IT; Control IT for combined Process Automation and Safety, covering Safety Functions, Control Functions and Automation Functions.
How is IEC 61508 fulfilled
The whole end-user solution must fulfill Safety requirements (IEC 61508 and IEC 61511)
Requirements on all equipment (e.g. sensors, actuators)
Requirements on the design and engineering of the customer application
Requirements on the Control System
The 800xA Control system from ABB provides possibilities to create SIL1, 2 and 3 applications
How is IEC 61508 fulfilled cont.
Requirements in IEC 61508 relate to two areas:
  Fault avoidance: avoid introducing errors during development
  Fault control: detect and handle errors during operation
Both areas are valid for both Hardware and Software
Focus on Software in this presentation
Fault avoidance
Requirements on the software development process
Requirements on all phases: requirements, design, implementation and test
Figure (V-model of the development process with eleven numbered steps, not reproduced). Labels on the specification side: Customer wish (MRS), Requirements Definition, System Requirement Specification, Requirements Analysis, Requirement Specifications (Safety Requirement Specification, PRS), Analysis and Design, Description of Function, Design Description, Detailed Design, Implementation / Manufacturing. Labels on the test side: Design Test, Design Test Description, PIT, PTT, PTT Descriptions, Integration Test Description, FTT / CTT, Functional Type Test Description, System Test, STT Descriptions, SVT, Technical Release.
Fault avoidance cont.
Some examples of requirements
Requirements and requirements analysis
  Traceability
  Architecture descriptions
Design
  Semiformal design methods – computer aided design tool (UML)
Implementation
  Static code analysis. C/C++ are not recommended languages for safety
  Code analysis tool (PCLint) used to define a safe subset
Test
  Low level automatic design tests
  Integration test
  Safety validation test
Fault avoidance cont.
SIL Capability required of the component, by SIL of the Safety Function / safety-related system (rows) and Criticality of the Entity (columns):

SIL of Safety Function | C3    | C2    | C1
SIL3                   | SIL 3 | SIL 2 | Meet relevant requirements for non-interference
SIL2                   | SIL 2 | SIL 1 | Meet relevant requirements for non-interference
SIL1                   | SIL 1 | SIL 1 | Meet relevant requirements for non-interference

Requirements are different for different SIL
SIL of a component can be reduced depending on criticality
C3: Safety Critical denotes a function where a single deviation from the specified function may cause an unsafe situation
C2: Safety Relevant denotes a function where a single deviation from the specified function cannot cause an unsafe situation, but the combination with a second failure of another software or hardware unit may cause an unsafe situation
C1: Interference Free denotes a function which is not safety critical or safety relevant, but has interfaces with such functions
Fault Control
Based on implementing safety measures in software/hardware to detect and react on errors, e.g.:
  Checksum calculation of data (CRC calculation)
  Timer watchdogs
  Software sequence monitoring
  Memory hardware protection (MMU)
  Cyclic RAM, Register and CPU instruction tests
  Duplication of data/algorithms with comparison
Measures implemented in Engineering tool (PC), Target system (Controller) and I/O-boards
Measures designed to detect both hardware and software failures
Error reaction in most cases leads to system shutdown
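To make three of the listed measures concrete, here is an added C example (not ABB's controller code; the parameter block, the step identifiers and the fault-injection switch are constructed for the illustration). It keeps safety parameters in RAM under a CRC-32, folds every step of a scan into a running signature that software sequence monitoring compares against the expected value, and feeds a timer watchdog that trips when the scan stops kicking it. Each detected error is reported as a reaction code, standing in for the shutdown the text describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Checksum calculation of data: CRC-32 (reflected, polynomial 0xEDB88320). */
uint32_t crc32(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Constructed safety-relevant parameters held in RAM together with their CRC,
 * so a bit flip or stray write is detected before the parameters are used. */
typedef struct {
    int32_t  trip_level;
    int32_t  hysteresis;
    uint32_t crc;            /* CRC over the fields above */
} SafeParams;

void params_seal(SafeParams *sp)
{
    sp->crc = crc32((const uint8_t *)sp, offsetof(SafeParams, crc));
}

bool params_verify(const SafeParams *sp)
{
    return crc32((const uint8_t *)sp, offsetof(SafeParams, crc)) == sp->crc;
}

/* Software sequence monitoring: every step of the scan folds its id into a
 * running signature; a skipped, repeated or reordered step changes it. */
static uint32_t seq_sig;
void seq_start(void) { seq_sig = 0x811C9DC5u; }
void seq_checkpoint(uint32_t step) { seq_sig = (seq_sig ^ step) * 16777619u; }
uint32_t seq_expected(const uint32_t *steps, size_t n)
{
    uint32_t sig = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) sig = (sig ^ steps[i]) * 16777619u;
    return sig;
}
bool seq_verify(uint32_t expected) { return seq_sig == expected; }

/* Timer watchdog: trips when more than `limit` consecutive timer periods
 * pass without the application kicking it. */
typedef struct { unsigned limit, missed; bool tripped; } Watchdog;
void wd_kick(Watchdog *w) { w->missed = 0; }
void wd_timer_tick(Watchdog *w) { if (++w->missed > w->limit) w->tripped = true; }

enum Reaction { REACT_OK = 0, REACT_ERR_CRC, REACT_ERR_SEQUENCE, REACT_ERR_WATCHDOG };

/* One scan of a constructed safety function (high trip on one input).
 * `fault` injects a failure for demonstration: 1 = a step is skipped,
 * 2 = the scan stalls and never kicks the watchdog. */
enum Reaction safety_scan(SafeParams *sp, Watchdog *wd, int fault,
                          int32_t input, bool *trip)
{
    static const uint32_t steps[] = { 1, 2, 3 };
    const uint32_t expected = seq_expected(steps, 3);

    if (!params_verify(sp)) return REACT_ERR_CRC;     /* parameters corrupted */
    seq_start();
    seq_checkpoint(1);                                 /* read input */
    if (fault != 1) seq_checkpoint(2);                 /* evaluate trip condition */
    *trip = input > sp->trip_level;
    seq_checkpoint(3);                                 /* write output */
    if (!seq_verify(expected)) return REACT_ERR_SEQUENCE;
    if (fault != 2) wd_kick(wd);
    wd_timer_tick(wd);                                 /* timer expires once per scan */
    return wd->tripped ? REACT_ERR_WATCHDOG : REACT_OK;
}

int main(void)
{
    SafeParams sp = { 100, 5, 0 };      /* constructed parameter values */
    Watchdog wd = { 2, 0, false };
    bool trip = false;
    params_seal(&sp);
    printf("normal scan: reaction=%d trip=%d\n", safety_scan(&sp, &wd, 0, 150, &trip), trip);
    printf("skipped step: reaction=%d\n", safety_scan(&sp, &wd, 1, 150, &trip));
    sp.trip_level = 200;                /* simulate corruption without re-sealing */
    printf("corrupted params: reaction=%d\n", safety_scan(&sp, &wd, 0, 150, &trip));
    return 0;
}
```

The CRC check runs before the parameters are used, so a corrupted trip level never reaches the comparison; the sequence signature is compared after the last checkpoint, so the faulty scan's output is rejected within the same cycle; and because the watchdog is only kicked by a scan that completed its sequence correctly, a stalled or looping scan is caught by the timer after the configured number of missed periods.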
Fault Control - SIL2 concept
Control Builder engineering tool performs safe compilation (e.g. CRC protected application source code, compile twice)
The SIL2 application is executed in PM (internal diagnostics + reporting state to SM)
SM supervises the application execution (acts as watchdog to PM)
The I/O telegrams are built in both PM and SM and the result is checked in the I/O modules
Figure (AC800M HI SIL2 architecture, not reproduced). Labels: CB (Control Builder), PM (Processor Module), SM (Safety Module), I/O bus, Safety I/O.
Fault Control – SIL3 concept
Figure (AC800M HI SIL3 architecture, not reproduced). Labels: CB (Control Builder), PM (Processor Module), SM (Safety Module), I/O bus, Safety I/O.
Control Builder engineering tool performs safe compilation for both PM and SM
The SIL3 application is executed in PM (with the same diagnostics as in SIL2)
SM also executes the SIL3 application (and in addition acts as watchdog to PM, as in SIL2)
The I/O telegrams are built in both PM and SM and the result is checked in the I/O modules (same as SIL2)
Fault Control – Reduced SIL requirements
SIL2 Controller
  The PM executes the application
  The SM supervises the application execution in the PM
SIL3 Controller
  The PM and SM execute the application. Result voted in I/O module.
  The SM supervises the application execution in the PM
PM + SM together achieve SIL3
Individually the PM and SM software is only required to fulfill SIL2
Duplicated structures are common practice when developing systems with SIL > SIL2
Duplication requires avoidance of common cause failures (e.g. different implementations of the PM and SM software are required)
Developing a single unit according to SIL3 is too difficult
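The SIL3 arrangement on the two preceding slides, as an added C example (not ABB's PM, SM or I/O module code; the 2oo3 trip function, the telegram layout and the transmitter values are constructed). PM and SM compute the same safety function with deliberately different code, each builds its own output telegram, and the I/O module energizes the output only when both telegrams are self-consistent, belong to the same scan and agree; any disagreement or corruption de-energizes the output, and the SM additionally checks that PM's scan counter keeps advancing.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed output telegram built by PM and SM for one scan. The inverted
 * copy of the trip flag lets the I/O module detect a telegram damaged in transit. */
typedef struct {
    uint16_t seq;        /* scan counter, must advance every cycle */
    uint8_t  trip;       /* 1 = demand: de-energize the output */
    uint8_t  trip_inv;   /* bitwise complement of trip */
} Telegram;

/* PM implementation of a 2oo3 high trip: count transmitters above the limit. */
Telegram pm_build(const int32_t in[3], int32_t limit, uint16_t seq)
{
    int above = 0;
    for (int i = 0; i < 3; i++)
        if (in[i] > limit) above++;
    Telegram t = { seq, (uint8_t)(above >= 2), 0 };
    t.trip_inv = (uint8_t)~t.trip;
    return t;
}

/* SM implementation of the same function written differently (diverse
 * implementation), so one coding or tool error is unlikely to hit both. */
Telegram sm_build(const int32_t in[3], int32_t limit, uint16_t seq)
{
    bool a = !(in[0] <= limit), b = !(in[1] <= limit), c = !(in[2] <= limit);
    bool demand = (a && b) || (a && c) || (b && c);
    Telegram t = { seq, (uint8_t)(demand ? 1 : 0), (uint8_t)(demand ? ~1 : ~0) };
    return t;
}

enum IoVerdict { IO_ACCEPT = 0, IO_REJECT_CORRUPT, IO_REJECT_SEQ, IO_REJECT_MISMATCH };

static bool telegram_consistent(const Telegram *t)
{
    return (t->trip == 0 || t->trip == 1) && t->trip_inv == (uint8_t)~t->trip;
}

/* I/O module: energize the output only if both telegrams are self-consistent,
 * belong to the same scan and agree. Any doubt de-energizes (fail-safe). */
enum IoVerdict io_vote(const Telegram *pm, const Telegram *sm, bool *energized)
{
    *energized = false;
    if (!telegram_consistent(pm) || !telegram_consistent(sm)) return IO_REJECT_CORRUPT;
    if (pm->seq != sm->seq) return IO_REJECT_SEQ;
    if (pm->trip != sm->trip) return IO_REJECT_MISMATCH;
    *energized = (pm->trip == 0);
    return IO_ACCEPT;
}

/* SM's watchdog view of PM: the scan counter must advance by exactly one. */
bool sm_pm_alive(uint16_t last_seq, uint16_t pm_seq)
{
    return pm_seq == (uint16_t)(last_seq + 1);
}

int main(void)
{
    const int32_t limit = 50;                  /* constructed trip limit */
    int32_t normal[3] = { 10, 20, 15 };        /* constructed transmitter values */
    int32_t high[3]   = { 60, 10, 70 };
    bool energized;

    Telegram p = pm_build(normal, limit, 1), s = sm_build(normal, limit, 1);
    printf("normal: verdict=%d energized=%d\n", io_vote(&p, &s, &energized), energized);

    p = pm_build(high, limit, 2); s = sm_build(high, limit, 2);
    printf("2oo3 demand: verdict=%d energized=%d\n", io_vote(&p, &s, &energized), energized);

    s.trip = 0; s.trip_inv = (uint8_t)~0;      /* simulate SM disagreeing with PM */
    printf("channel mismatch: verdict=%d energized=%d\n", io_vote(&p, &s, &energized), energized);
    return 0;
}
```

The point of the two builders is that they must agree on every scan even though they share no code: a divergence is treated as a failure of one channel and the output goes to the safe state, which is why the text stresses different implementations of the PM and SM software to avoid common cause failures.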
Safety versus Availability and Maintainability
A safe system does not by itself lead to availability of the system
In ABB 800xA availability is solved by:
  Hardware redundancy
  Software quality
  Software error handling (avoiding fatal error handling)
In ABB 800xA Maintainability is solved by:
  Hardware redundancy and Hot replacement
  Software online upgrade
End