Albert Norberg
2007-05-09 Page: 1
System architecture diagram (labels only): Workplaces, Firewall, Connectivity server, Aspect server, Application server, AC 800M, AC 800C
Example industries: Pharmaceutical industry, Power plants, Food industry, Petrochemical industry
Control Builder
Support for IEC 61131-3 (standard for programming languages of PLCs)
Concept Program Organization Unit (POU) used
Concept Type / Instance used
Type solutions stored in Libraries
Control solution made in Applications
Control Builder
Five programming languages:
Structured Text (ST): like Pascal
Instruction List (IL): virtual assembly
Sequential Function Chart (SFC): state machine
Function Block Diagram (FBD): graphical signal flow
Ladder Diagram (LD): graphical relay diagram
Applications can be executed by one or several tasks
A controller can contain one or several applications
Hardware configuration and I/O connections are also defined in Control Builder
OS threads
VxWorks RTOS
Prioritized threads
Mutex, semaphores
User defined tasks are mapped onto an OS thread
Other OS threads for communication, maintenance etc.
5-10 OS threads do the main job
Lots of other threads are defined in the system for various services
ABB AB, 2007
Priority diagram (labels, highest priority to lowest): Real-Time OS, Time Critical 1131-Task, Windows NT
Scheduler diagram (labels): threads by OS thread priority: Scheduler Thread, Main Thread, GenericIO Thread, Batchjob Thread, Idle Thread; scheduler structures TimeQueue and ReadyQueue; entry points Schedule() and ScheduleExec()
Scheduled according to priority with defined preemption points
Support for latency supervision, load balancing and task abortion
Safety is one aspect of what is sometimes called dependability of a system, where other aspects are also considered, e.g.
Availability (ability to provide service)
Maintainability (ability to undergo repair)
where some of these aspects are competing goals with respect to Safety
Certification
Safety certified products are required by a wide range of customers
Safety certified automation is in some applications also required by authorities in many countries
Certification is done according to IEC 61508
Certification is done by an external actor; ABB uses TÜV, a German certification body
Some examples
SIL
SIL: Safety integrity level
Concept defined by IEC 61508
Defines the probability of failure on demand for a certain function/component
SIL cont.
Diagram labels: SIL 3, SIL 2, SIL 0-1
How is IEC 61508 fulfilled
The whole end-user solution must fulfill the Safety requirements (IEC 61508 and IEC 61511)
Requirements on all equipment (e.g. sensors, actuators)
Requirements on the design and engineering of the customer application
Product layers (diagram labels): Optimize IT, Engineer IT, Control IT Safety, Control IT
The 800xA Control system from ABB provides possibilities to create SIL1, 2 and 3 applications
Diagram labels: Safety Functions, Control Functions, Automation Functions
How is IEC 61508 fulfilled cont.
Requirements in IEC 61508 relate to two areas:
Fault avoidance. Avoid introducing errors during development
Fault control. Detect and handle errors during operation
Fault avoidance
Requirements on the software development process
Requirements on all phases: requirements, design, implementation and test
Development process diagram (V-model labels): Requirements Analysis, System Requirement Specification, Description of Function, Implementation/Manufacturing, Design Test (FTT / CTT), Integration Test Description, System Test (PTT, PIT), STT Descriptions, Technical Release
Design
Semiformal design methods, computer aided design tool (UML)
Implementation
Static code analysis. C/C++ are not recommended languages for safety
Code analysis tool (PCLint) used to define a safe subset
Test
Low level automatic design tests
Integration test
Safety validation test

Table on the slide (required SIL per column, by SIL of the Safety Function / safety-related system):
SIL of the Safety Function / safety-related system   C2      C3
SIL1                                                 SIL 1   SIL 1
SIL2                                                 SIL 1   SIL 2
SIL3                                                 SIL 2   SIL 3
Fault Control
Based on implementing safety measures in software/hardware to detect and react on errors, e.g.
Checksum calculation of data (CRC calculation)
Timer watchdogs
Software sequence monitoring
Memory hardware protection (MMU)
Cyclic RAM, register and CPU instruction tests
Duplication of data/algorithms with comparison
Control Builder engineering tool performs safe compilation (e.g. CRC protected application source code, compile twice)
The SIL2 application is executed in PM (internal diagnostics + reporting state to SM)
SM supervises the application execution (acts as watchdog to PM)
The I/O telegrams are built in both PM and SM and the result is checked in the I/O modules
Diagram (SIL2 controller): Control Builder, AC800M HI, PM = Processor Module, SM = Safety Module
Measures implemented in the Engineering tool (PC), the Target system (Controller) and the I/O boards
Measures designed to detect both hardware and software failures
Error reaction in most cases leads to system shutdown
Control Builder engineering tool performs safe compilation for both PM and SM
The SIL3 application is executed in PM (with the same diagnostics as in SIL2)
SM also executes the SIL3 application (and in addition acts as watchdog to PM as in SIL2)
The I/O telegrams are built in both PM and SM and the result is checked in the I/O modules (same as SIL2)
SIL2 Controller: The PM executes the application. The SM supervises the application execution in the PM
SIL3 Controller: The PM and SM both execute the application. The result is voted in the I/O module. The SM supervises the application execution in the PM
Diagram (SIL3 controller): AC800M HI, PM = Processor Module, SM = Safety Module
PM + SM together achieve SIL3
Individually the PM and SM software is only required to fulfill SIL2
Duplicated structures are common practice when developing systems with SIL > SIL2
Duplication requires avoidance of common cause failures (e.g. different implementations of the PM and SM software are required)
Developing a single module according to SIL3 is too difficult
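The SIL3 arrangement above (two diversely implemented channels in PM and SM, CRC protected I/O telegrams, voting in the I/O module, SM acting as watchdog for PM) modelled as an added Python example; this is not ABB code, and the process limits, telegram layout and use of CRC-32 are constructed assumptions:

```python
import struct
import zlib

# Constructed model of the SIL3 scheme described above (not ABB code):
# two diverse channels, CRC-protected telegrams, voting I/O module, watchdog.
SAFE_STATE = {"valve_open": False}  # de-energized output on any detected fault

def logic_pm(pressure_bar: float, temp_c: float) -> bool:
    """PM channel: keep the valve open only inside the assumed safe envelope."""
    return pressure_bar < 10.0 and temp_c < 80.0

def logic_sm(pressure_bar: float, temp_c: float) -> bool:
    """SM channel: diverse coding of the same rule (trip-on-exceed) to limit
    common cause failures between the two implementations."""
    trip = pressure_bar >= 10.0 or temp_c >= 80.0
    return not trip

def build_telegram(seq: int, valve_open: bool) -> bytes:
    """Output telegram: sequence counter, output bit, CRC-32 over both."""
    body = struct.pack(">IB", seq, int(valve_open))
    return body + struct.pack(">I", zlib.crc32(body))

def parse_telegram(tg: bytes):
    """Return (seq, valve_open), or None when the CRC check fails."""
    body, crc = tg[:-4], struct.unpack(">I", tg[-4:])[0]
    if zlib.crc32(body) != crc:
        return None
    seq, bit = struct.unpack(">IB", body)
    return seq, bool(bit)

def io_module_vote(tg_pm: bytes, tg_sm: bytes) -> dict:
    """I/O module: both telegrams must verify and agree, else go to safe state."""
    a, b = parse_telegram(tg_pm), parse_telegram(tg_sm)
    if a is None or b is None or a != b:
        return dict(SAFE_STATE, reason="CRC error or vote mismatch")
    return {"valve_open": a[1], "reason": "ok"}

def sm_watchdog(prev_pm_seq: int, pm_seq: int) -> bool:
    """SM supervising PM: PM's sequence counter must advance by one each cycle."""
    return pm_seq - prev_pm_seq == 1

def cycle(seq: int, pressure_bar: float, temp_c: float, corrupt_pm: bool = False) -> dict:
    """One scan: both channels build a telegram; the I/O module votes."""
    tg_pm = build_telegram(seq, logic_pm(pressure_bar, temp_c))
    tg_sm = build_telegram(seq, logic_sm(pressure_bar, temp_c))
    if corrupt_pm:  # simulate a single bit flip in PM's telegram in transit
        tg_pm = tg_pm[:4] + bytes([tg_pm[4] ^ 1]) + tg_pm[5:]
    return io_module_vote(tg_pm, tg_sm)
```

A corrupted or disagreeing telegram drives the output to the safe state, matching the slide's note that error reaction in most cases leads to shutdown.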
Safety versus Availability and Maintainability
A safe system doesn't by itself lead to availability of the system
In ABB 800xA the availability is solved by:
Hardware redundancy
Software quality
Software error handling (avoiding fatal error handling)
End