
Embedded Automation and Safety in ABB 800xA Control system

Albert Norberg
ABB AB, 2007
2007-05-09 Page: 1

Content
- System 800xA overview
- Control system properties
- Safety certified control system

System 800xA

800xA is a large DCS system.

800xA Automation System topology (diagram, top to bottom):
- Plant Network / Intranet: Workplaces, Firewall, Enterprise Optimization Suite, Third party application server, Mobile Operator
- Integration with upper business and production systems
- Client/server Network: Connectivity server, Aspect server, Application server, Operator workplace, Engineering workplace
- Open, Windows based PC platform containing a wide range of integrated ABB products
- Control Network: embedded control systems (AC 800M, AC 800C)
- Field Bus / Redundant Field Bus: fieldbus devices
- Connectivity to 3rd party control systems: third party controllers, servers etc. via serial, OPC or fieldbus

Typical 800xA applications
- Pulp and paper production
- Steel production
- Cranes operation
- Pharmaceutical industry
- Power plants
- Food industry
- Oil & Gas production
- Petrochemical industry

Control system

Modular controller hardware
- Main CPU based on Motorola PowerPC
- Communication bus for expansion with several communication interfaces
- Modular I/O system with support for digital and analog input and output

Control Builder
- Supports IEC 61131-3 (standard for programming languages of PLCs)
- Uses the concept Program Organization Unit (POU)
- Uses the concept Type / Instance
- Type solutions are stored in Libraries
- Control solutions are made in Applications
- MS Windows based programming tool
- IEC 61131-3 programming tool with an object oriented approach

Connectivity server running on a PC
- OPC server for live data and status to the Operator workplace

Control Builder
Five programming languages:
- Structured Text (ST): like Pascal
- Instruction List (IL): virtual assembly
- Sequential Function Chart (SFC): state machine
- Function Block Diagram (FBD): graphical signal flow
- Ladder Diagram (LD): graphical relay diagram

Control Builder cont.
- Applications are allocated to controllers
- In controllers the user defines tasks: periodic tasks with cycle time and priority
- Applications can be executed by one or several tasks
- A controller can contain one or several applications
- Hardware configuration and I/O connections are also defined in Control Builder

OS threads
- VxWorks RTOS
- Prioritized threads
- Mutex, semaphores
- User defined tasks are mapped onto one OS thread
- Other OS threads for communication, maintenance etc.
- 5-10 OS threads do the main job
- Lots of other threads are defined in the system for various services

OS threads vs. 1131 tasks (diagram, highest to lowest priority)
- Boot thread
- IO handling threads
- Time Critical thread (Time Critical IEC 61131-3 Tasks)
- Schedule thread: Scheduler objects, Watch-dog, IEC 61131-3 Tasks, System tasks
- Safety Thread (only in a HI controller)
- Main thread: Maintenance, HW Related Functions, Distribution (MMS programs), Other (e.g. LongJob)
- Subsystems: Management; Communication (MMS, Fieldbus Foundation (FF-H1), SattBus); Logging; Event and Alarm

(Second diagram, with Real-Time OS and Windows NT columns, highest to lowest priority: Time Critical 1131-Task; Schedule thread, 1131-tasks; Safety thread; Background Thread; Main thread; Alarm & Event; Threads inside the IO and Communication Framework; Communication sub systems; Threads using the IO and Communication Framework, Protocol Handlers; BatchJob thread; Idle thread.)

OS threads vs. 1131 tasks cont.
- Time Critical Thread
- Scheduler Thread: 1131 task scheduling is implemented in one thread
  - Allows easy sharing of data structures
  - Minimizes operating system dependency
  - 1131 Task Priority is separate from OS Thread Priority (diagram labels)
  - Built with simple mechanisms
  - Cyclic execution with user defined cycle time and priority
  - Scheduled according to priority with defined preemption points
  - Support for latency supervision, load balancing and task abortion
  - Normally the scheduler thread takes 50-70 % of CPU capacity
- Test Engine Thread
- Main Thread
- GenericIO Thread
- Batchjob Thread
- Idle Thread

(Diagram: Scheduler with TimeQueue and ReadyQueue and the entry points Schedule() and ScheduleExec(); Execution List of Task Objects; I/O Scan Table and I/O Task Objects.)
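The task model described in the two Control Builder and scheduler passages above (user-defined cycle time and priority, a scheduler thread with a TimeQueue and a ReadyQueue, Schedule() and ScheduleExec(), preemption points, latency supervision and task abortion), written out as an added C example for this page. It is not ABB code and does not reflect the AC 800M firmware: task names, execution times and the 1 ms slice granularity are constructed assumptions, and `schedule()`/`schedule_exec()` are models named after the entry points in the slide.

```c
/* Added example (not ABB code): a simplified model of 1131 task scheduling.
 * Tasks have a user-defined cycle time and priority. schedule() plays the
 * TimeQueue (release tasks whose cycle has started, abort overrun instances),
 * schedule_exec() plays the ReadyQueue (run the highest-priority ready task
 * for one 1 ms slice; returning after each slice is the preemption point).
 * Execution times are constructed assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_TASKS 8

typedef struct {
    const char *name;
    uint32_t cycle_ms;         /* user-defined cycle time */
    uint32_t priority;         /* 1131 task priority: lower number = higher priority */
    uint32_t exec_ms;          /* modelled execution time per cycle (assumption) */
    uint32_t latency_limit_ms; /* max tolerated release-to-start latency */
    uint32_t release_ms;       /* release time of the current instance (TimeQueue key) */
    uint32_t remaining_ms;     /* work left in the current instance */
    bool ready;                /* true while the instance sits in the ReadyQueue */
    uint32_t runs, latency_violations, aborted;
} Task;

typedef struct {
    Task tasks[MAX_TASKS];
    int count;
    uint32_t now_ms;
} Scheduler;

int sched_add(Scheduler *s, const char *name, uint32_t cycle_ms,
              uint32_t priority, uint32_t exec_ms, uint32_t latency_limit_ms) {
    if (s->count >= MAX_TASKS) return -1;
    Task *t = &s->tasks[s->count];
    *t = (Task){ .name = name, .cycle_ms = cycle_ms, .priority = priority,
                 .exec_ms = exec_ms, .latency_limit_ms = latency_limit_ms,
                 .remaining_ms = exec_ms };
    return s->count++;
}

/* Schedule(): abort instances that did not finish before their next release
 * (task abortion), then move every task whose release time has come into
 * the ready set. */
void schedule(Scheduler *s) {
    for (int i = 0; i < s->count; i++) {
        Task *t = &s->tasks[i];
        if (t->ready && s->now_ms >= t->release_ms + t->cycle_ms) {
            t->aborted++;
            t->remaining_ms = t->exec_ms;
            t->release_ms += t->cycle_ms;
            t->ready = false;
        }
        if (!t->ready && s->now_ms >= t->release_ms) t->ready = true;
    }
}

/* ScheduleExec(): run the highest-priority ready task for one slice.
 * Latency supervision happens on the first slice of an instance. */
const Task *schedule_exec(Scheduler *s) {
    Task *best = NULL;
    for (int i = 0; i < s->count; i++) {
        Task *t = &s->tasks[i];
        if (t->ready && (!best || t->priority < best->priority)) best = t;
    }
    if (!best) return NULL;                        /* nothing ready: idle thread would run */
    if (best->remaining_ms == best->exec_ms) {     /* first slice of this instance */
        uint32_t latency = s->now_ms - best->release_ms;
        if (latency > best->latency_limit_ms) best->latency_violations++;
    }
    if (--best->remaining_ms == 0) {               /* instance complete: back to the TimeQueue */
        best->runs++;
        best->remaining_ms = best->exec_ms;
        best->release_ms += best->cycle_ms;
        best->ready = false;
    }
    return best;
}

/* Advance virtual time one slice at a time: Schedule() then ScheduleExec(). */
void sched_run(Scheduler *s, uint32_t duration_ms) {
    for (; s->now_ms < duration_ms; s->now_ms++) {
        schedule(s);
        schedule_exec(s);
    }
}

int main(void) {
    Scheduler s = {0};
    sched_add(&s, "Fast", 10, 1, 3, 2);   /* 10 ms cycle, 3 ms work, highest priority */
    sched_add(&s, "Slow", 50, 2, 20, 5);  /* 50 ms cycle, 20 ms work, preempted by Fast */
    sched_run(&s, 100);
    for (int i = 0; i < s.count; i++)
        printf("%-5s runs=%u latency_violations=%u aborted=%u\n", s.tasks[i].name,
               s.tasks[i].runs, s.tasks[i].latency_violations, s.tasks[i].aborted);
    return 0;
}
```

Running the demo shows the 50 ms task being preempted at every 10 ms release of the fast task and still completing twice in 100 ms; giving a task more work than its cycle time makes `schedule()` abort it at every release, which is the situation the deck's latency supervision and task abortion exist to catch rather than let a single overrunning task starve the rest.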

Safety certified control system

The term Safety
- Safety is a common term used for a system's ability to provide service without occurrence of catastrophic failures with consequences on:
  - Personnel
  - Environment
  - Equipment
- Safety is one aspect of what is sometimes called dependability of a system, where other aspects are also considered, e.g.
  - Availability (ability to provide service)
  - Maintainability (ability to undergo repair)
  Some of these aspects are competing goals with Safety.

Certification
- Safety certified products are required by a wide range of customers
- Safety certified automation is in some applications also required by authorities in many countries
- Certification is done according to IEC 61508
- Certification is done by an external actor; ABB uses TÜV, a German certification body

Some examples
- Oil & Gas
- Petrochemical
- Pharmaceutical
- Chemical

SIL
- SIL: Safety Integrity Level
- Concept defined by IEC 61508
- Defines the probability of failure on demand for a certain function/component

SIL cont.
(Diagrams only: "How is required SIL determined" and "How SIL are applied", showing the levels SIL 3, SIL 2 and SIL 0-1.)

800xA provides integrated Process Control and Safety
(Diagram: Inform IT, Operate IT, Optimize IT, Engineer IT and Control IT; Control IT for combined Process Automation and Safety, with Control IT Safety beside Control IT; Safety Functions and Control Functions together form the Automation Functions.)

How is IEC 61508 fulfilled
- The whole end-user solution must fulfill the Safety requirements (IEC 61508 and IEC 61511)
  - Requirements on all equipment (e.g. sensors, actuators)
  - Requirements on the design and engineering of the customer application
  - Requirements on the Control System
- The 800xA Control system from ABB provides possibilities to create SIL1, 2 and 3 applications

How is IEC 61508 fulfilled cont.
- Requirements in IEC 61508 relate to two areas:
  - Fault avoidance: avoid introducing errors during development
  - Fault control: detect and handle errors during operation
- Both areas are valid for both Hardware and Software
- Focus on Software in this presentation

Fault avoidance
- Requirements on the software development process
- Requirements on all phases: requirements, design, implementation and test

(Diagram: V-model of the development process. Left leg: Customer wish (MRS), 1 Requirements Definition, 2 Requirements Analysis, Analysis and Design, 4 Detailed Design, Implementation/Manufacturing. Right leg: 6 Design Test, Integration Test, 10 System Test, 11 Technical Release. Each phase has a specification (System Requirement Specification; Requirement Specifications (Safety Requirement Specification, PRS); Description of Function; Design Description) paired with a test description on the same level (STT Descriptions, SVT, PTT Descriptions, PTT, PIT, Integration Test Description, Functional Type Test Description, FTT / CTT, Design Test Description).)

Fault avoidance cont.

Some examples of requirements
- Requirements and requirements analysis: traceability, architecture descriptions
- Design: semiformal design methods, computer aided design tool (UML)
- Implementation: static code analysis; C/C++ are not recommended languages for safety, so a code analysis tool (PC-lint) is used to define a safe subset
- Test: low level automatic design tests, integration test, safety validation test

Fault avoidance cont.
- Requirements are different for different SIL
- The SIL of a component can be reduced depending on its criticality:
  - C3: Safety Critical denotes a function where a single deviation from the specified function may cause an unsafe situation
  - C2: Safety Relevant denotes a function where a single deviation from the specified function cannot cause an unsafe situation, but the combination with a second failure of another software or hardware unit may cause an unsafe situation
  - C1: Interference Free denotes a function which is not safety critical or safety relevant, but has interfaces with such functions

SIL capability required of the component, by SIL of the Safety Function / safety-related system (rows) and criticality of the entity (columns):

  SIL of Safety Function   C1                                               C2      C3
  SIL1                     Meet relevant requirements for non-interference  SIL 1   SIL 1
  SIL2                     Meet relevant requirements for non-interference  SIL 1   SIL 2
  SIL3                     Meet relevant requirements for non-interference  SIL 2   SIL 3

Fault Control
Based on implementing safety measures in software/hardware to detect and react on errors, e.g.:
- Checksum calculation of data (CRC calculation)
- Timer watchdogs
- Software sequence monitoring
- Memory hardware protection (MMU)
- Cyclic RAM, register and CPU instruction tests
- Duplication of data/algorithms with comparison
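Three of the measures listed above (CRC protection of stored data, software sequence monitoring and a timer watchdog) in the form a controller's cyclic executive could use them, as an added C example written for this page; it is not ABB code. The parameter block contents, checkpoint ids, the order-sensitive signature and the timings are constructed assumptions.

```c
/* Added example (not ABB code): fault-control measures inside one control cycle.
 * A parameter block is stored with its CRC and verified before use, each stage
 * of the cycle reports a checkpoint to a sequence monitor, and a watchdog flags
 * a cycle that took longer than its timeout. All values are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* CRC-32 (reflected polynomial 0xEDB88320, as used by Ethernet and zip), bitwise. */
uint32_t crc32(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* A data block stored together with its CRC, so a corrupted cell is detected on read. */
typedef struct {
    uint8_t payload[16];
    uint32_t crc;
} ProtectedBlock;

void block_seal(ProtectedBlock *b) { b->crc = crc32(b->payload, sizeof b->payload); }
bool block_check(const ProtectedBlock *b) { return crc32(b->payload, sizeof b->payload) == b->crc; }

/* Software sequence monitoring: every stage reports its checkpoint id; the
 * running signature is order-sensitive, so a skipped or swapped stage yields a
 * signature that differs from the one computed for the correct order. */
enum { CP_READ_INPUTS = 0x11, CP_COMPUTE = 0x22, CP_CHECK_OUTPUTS = 0x33, CP_WRITE_OUTPUTS = 0x44 };
#define N_CHECKPOINTS 4
static const uint32_t CORRECT_ORDER[N_CHECKPOINTS] = { CP_READ_INPUTS, CP_COMPUTE, CP_CHECK_OUTPUTS, CP_WRITE_OUTPUTS };

typedef struct { uint32_t signature; } FlowMonitor;

void flow_reset(FlowMonitor *m) { m->signature = 1u; }
void flow_checkpoint(FlowMonitor *m, uint32_t cp) { m->signature = m->signature * 31u + cp; }

uint32_t flow_expected(void) {
    FlowMonitor ref;
    flow_reset(&ref);
    for (size_t i = 0; i < N_CHECKPOINTS; i++) flow_checkpoint(&ref, CORRECT_ORDER[i]);
    return ref.signature;
}
bool flow_ok(const FlowMonitor *m) { return m->signature == flow_expected(); }

/* Timer watchdog: the cycle must kick it before timeout_ms have elapsed. */
typedef struct { uint32_t timeout_ms; uint32_t last_kick_ms; } Watchdog;
void wd_kick(Watchdog *w, uint32_t now_ms) { w->last_kick_ms = now_ms; }
bool wd_expired(const Watchdog *w, uint32_t now_ms) { return now_ms - w->last_kick_ms > w->timeout_ms; }

typedef enum { CYCLE_OK, CYCLE_CRC_ERROR, CYCLE_FLOW_ERROR, CYCLE_WATCHDOG } CycleStatus;

/* One control cycle. The stages are represented by the checkpoint ids in
 * `order` (so a caller can simulate a program-flow fault) and `finish_ms` is
 * the time the cycle ended. Any failure means the caller goes to a safe state. */
CycleStatus run_cycle(const ProtectedBlock *params, const uint32_t *order, size_t n,
                      Watchdog *wd, uint32_t finish_ms) {
    FlowMonitor fm;
    flow_reset(&fm);
    if (!block_check(params)) return CYCLE_CRC_ERROR;    /* corrupted parameters */
    for (size_t i = 0; i < n; i++) flow_checkpoint(&fm, order[i]);
    if (!flow_ok(&fm)) return CYCLE_FLOW_ERROR;          /* stage skipped or out of order */
    if (wd_expired(wd, finish_ms)) return CYCLE_WATCHDOG; /* cycle took too long */
    wd_kick(wd, finish_ms);
    return CYCLE_OK;
}

int main(void) {
    ProtectedBlock params = {0};
    memcpy(params.payload, "limit=150;mode=1", 16);   /* constructed parameter data */
    block_seal(&params);
    Watchdog wd = { .timeout_ms = 50, .last_kick_ms = 0 };
    printf("cycle 1 status=%d\n", run_cycle(&params, CORRECT_ORDER, N_CHECKPOINTS, &wd, 20));
    params.payload[3] ^= 0x01;                          /* simulated RAM corruption */
    printf("cycle 2 status=%d\n", run_cycle(&params, CORRECT_ORDER, N_CHECKPOINTS, &wd, 40));
    return 0;
}
```

The order of checks matters: the parameter CRC is verified before the data is used, the flow signature is checked before outputs would be written, and the watchdog is only kicked once the cycle has passed the other checks, so a stuck or corrupted cycle never refreshes it.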

Fault Control - SIL2 concept
(Diagram: Control Builder (CB) on the PC; AC800M HI SIL2 controller with PM (Processor Module) and SM (Safety Module); I/O bus to Safety I/O.)
- The Control Builder engineering tool performs safe compilation (e.g. CRC protected application source code, compile twice)
- The SIL2 application is executed in the PM (internal diagnostics + reporting state to the SM)
- The SM supervises the application execution (acts as watchdog to the PM)
- The I/O telegrams are built in both PM and SM and the result is checked in the I/O modules
- Measures are implemented in the engineering tool (PC), the target system (controller) and the I/O boards
- Measures are designed to detect both hardware and software failures
- Error reaction in most cases leads to system shutdown

Fault Control - SIL3 concept
(Diagram: Control Builder (CB) on the PC; AC800M HI SIL3 controller with PM (Processor Module) and SM (Safety Module); I/O bus to Safety I/O.)
- The Control Builder engineering tool performs safe compilation for both PM and SM
- The SIL3 application is executed in the PM (with the same diagnostics as in SIL2)
- The SM also executes the SIL3 application (and in addition acts as watchdog to the PM, as in SIL2)
- The I/O telegrams are built in both PM and SM and the result is checked in the I/O modules (same as SIL2)

Fault Control - Reduced SIL requirements
- SIL2 controller: the PM executes the application; the SM supervises the application execution in the PM
- SIL3 controller: the PM and SM both execute the application and the result is voted in the I/O module; the SM supervises the application execution in the PM
- PM + SM together achieve SIL3
- Individually the PM and SM software is only required to fulfill SIL2, since developing a single module according to SIL3 is considered too difficult
- Duplicated structures are common practice when developing systems with SIL > SIL2
- Duplication requires avoidance of common cause failures (e.g. different implementations of the PM and SM software are required)
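The I/O-module side of the PM/SM concept above, as an added C example written for this page (not ABB code): both channels build an output telegram for the same cycle, and the I/O module drives the outputs only when the PM and SM telegrams agree on sequence number and data and are fresh, otherwise it de-energises everything and latches the shutdown, matching the deck's "error reaction leads to system shutdown". The telegram layout, the pressure-trip function and the deliberately different SM implementation (the common-cause-avoidance point) are constructed assumptions standing in for a real safety application.

```c
/* Added example (not ABB code): two-channel output vote in an I/O module.
 * PM and SM each build a telegram from the same inputs with diverse code;
 * the I/O module accepts only an agreeing, fresh, in-sequence pair. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define N_OUTPUTS 8
#define PRESSURE_LIMIT 150   /* constructed trip limit: output de-energised above it */

typedef enum { CH_PM = 1, CH_SM = 2 } Channel;

typedef struct {
    Channel source;
    uint32_t seq;                /* cycle counter; both channels must report the same one */
    uint32_t timestamp_ms;       /* when the channel built the telegram */
    uint8_t outputs[N_OUTPUTS];  /* 1 = energise, 0 = de-energise (safe) */
} Telegram;

/* PM channel: straightforward comparison against the limit. */
Telegram pm_build(uint32_t seq, uint32_t now_ms, const int16_t *pressure) {
    Telegram t = { .source = CH_PM, .seq = seq, .timestamp_ms = now_ms };
    for (int i = 0; i < N_OUTPUTS; i++) t.outputs[i] = (pressure[i] <= PRESSURE_LIMIT) ? 1 : 0;
    return t;
}

/* SM channel: the same function written differently (diverse implementation),
 * so one coding error is less likely to produce the same wrong output twice. */
Telegram sm_build(uint32_t seq, uint32_t now_ms, const int16_t *pressure) {
    Telegram t = { .source = CH_SM, .seq = seq, .timestamp_ms = now_ms };
    for (int i = N_OUTPUTS - 1; i >= 0; i--) {
        int32_t margin = (int32_t)PRESSURE_LIMIT - (int32_t)pressure[i];
        t.outputs[i] = (uint8_t)(margin >= 0);
    }
    return t;
}

typedef enum { IO_ACCEPTED, IO_SAFE_LATCHED, IO_SAFE_SOURCE, IO_SAFE_SEQ,
               IO_SAFE_STALE, IO_SAFE_MISMATCH } IoVerdict;

typedef struct {
    uint32_t expected_seq;
    uint32_t max_age_ms;         /* watchdog window for each telegram */
    bool shutdown;               /* latched after any detected error */
    uint8_t outputs[N_OUTPUTS];  /* what the module actually drives */
} IoModule;

/* Error reaction: de-energise all outputs and stay shut down. */
static IoVerdict safe_state(IoModule *io, IoVerdict why) {
    memset(io->outputs, 0, sizeof io->outputs);
    io->shutdown = true;
    return why;
}

IoVerdict io_vote(IoModule *io, const Telegram *pm, const Telegram *sm, uint32_t now_ms) {
    if (io->shutdown) return safe_state(io, IO_SAFE_LATCHED);
    if (pm->source != CH_PM || sm->source != CH_SM) return safe_state(io, IO_SAFE_SOURCE);
    if (pm->seq != io->expected_seq || sm->seq != io->expected_seq) return safe_state(io, IO_SAFE_SEQ);
    if (now_ms - pm->timestamp_ms > io->max_age_ms || now_ms - sm->timestamp_ms > io->max_age_ms)
        return safe_state(io, IO_SAFE_STALE);
    if (memcmp(pm->outputs, sm->outputs, N_OUTPUTS) != 0) return safe_state(io, IO_SAFE_MISMATCH);
    memcpy(io->outputs, pm->outputs, N_OUTPUTS);   /* both channels agree: drive the outputs */
    io->expected_seq++;
    return IO_ACCEPTED;
}

int main(void) {
    int16_t pressure[N_OUTPUTS] = { 100, 120, 140, 160, 180, 200, 50, 150 };  /* constructed */
    IoModule io = { .expected_seq = 1, .max_age_ms = 20 };
    Telegram pm = pm_build(1, 5, pressure), sm = sm_build(1, 6, pressure);
    printf("cycle 1 verdict=%d\n", io_vote(&io, &pm, &sm, 10));
    pm = pm_build(2, 25, pressure);
    sm = sm_build(2, 26, pressure);
    sm.outputs[2] ^= 1;                               /* simulated fault in the SM channel */
    printf("cycle 2 verdict=%d shutdown=%d\n", io_vote(&io, &pm, &sm, 30), io.shutdown);
    return 0;
}
```

Because any single disagreement forces the safe state, a fault in either channel is detected at the output stage even though neither module is individually trusted beyond SIL2; the sequence and age checks additionally catch a stuck or replayed telegram from a channel that has stopped executing.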

Safety versus Availability and Maintainability
- A safe system doesn't by itself lead to availability of the system
- In ABB 800xA the availability is solved by:
  - Hardware redundancy
  - Software quality
  - Software error handling (avoiding fatal error handling)
- In ABB 800xA Maintainability is solved by:
  - Hardware redundancy and hot replacement
  - Software online upgrade

End
