Brief Summary of Last Lecture. Model checking of timed automata: general approach


Brief Summary of Last Lecture

Formal verification
- Types: deductive (theorem proving) and algorithmic (model checking)
- Yields a proof that a (formal) specification is fulfilled
- Formalization of specs, e.g. in Computation Tree Logic (CTL)
  - Time not quantitative but temporal (temporal logic)
  - 10 basic operators (all combinations of 2 path and 5 temporal quantifiers)

Model checking of timed automata: general approach
- Problem: infinite state space
- Idea: abstract from the continuous dynamics
- Extended states of a TA: combination of discrete states and clock regions
- Region automaton: finite-state representation of the TA that bisimulates the TA with respect to the verification specifications
- Model checking on the finite-state region automaton: iterative reachability computation

Chapter VIII: Systematic Procedures for Logic Control Projects
VIII.1 Industrial Approach to Logic Control
VIII.2 Classification of Safety

Approach of BASF to Safety-Related Control

(Figure: design steps with the associated design checks and function checks)
Design steps:
- Safety Analysis
- Specification for the Safety Unit
- Design of the Safety Unit
- Realization
Design checks:
- Check the Specification
- Check the Concept
- Check the Realization
Function checks:
- Check of Hardware Modules
- Check of single control functions
- Check of the complete control function

The BASF approach combines NAMUR recommendation NE 58 (execution of process control projects subject to qualification) with elements of IEC 61511 (functional safety for the process industries). (NAMUR: Normenausschuss Mess- und Regelungstechnik)

General V-Model according to NE 58

(Figure: V-model; the design stages form the left branch, the qualification stages the right branch, each qualification stage being based on the design stage opposite it)
Design:
1 process-oriented description, user requirements (operational requirements, organization)
2 preliminary engineering (plant concept, qualification plan)
3 basic engineering, functional specification
4 detail engineering (technical details, assembly plan)
5 implementation (orders, assembly, software development & testing)
Qualification:
6 installation qualification (based on stage 4)
7 operational qualification (based on stage 3)
8 performance qualification (based on the user requirements)

Validation = documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its predetermined specs & quality.
Qualification = documented verification that equipment (plant & automation system) is appropriate for the designated function.

NE 58 Stage 1: User requirement specification

Input: collect all available information from the user!
- planned plant capacity, rough flow chart, process description (e.g.: fill T1 up to desired level, drain into T2, heat up T2, drain T2)
- know-how from other plants and literature
- general regulations (e.g. company principles for validation)
- master validation plan
Activities:
- developing alternatives, developing requirements
- determining boundary conditions, site survey
- determining project organization and responsibilities (who, what, when)
Output documents:
- Operational Requirements Specification (description of site and infrastructure, definition of tasks, detailed process description, process flow chart, relevant regulations and laws, depth of automation, materials, nominal pressures, safety and availability requirements, etc.)
- document on project organization and responsibilities
- record of general provisions that have to be observed

(Figure: example plant: Feed, Tank 1 (dosing) T1, Tank 2 (heating) T2 with stirrer M, valves V1 to V4, level switches LIS+ 1 and LIS- 2, temperature switch TIS+ 3)

NE 58 Stage 2: Pre-engineering (plant concept)

Input documents: output of stage 1
Activities:
- developing alternative plant concepts
- 1st safety discussions & efficiency calculation
- setting up a rough automation plan
- decision in favour of one plant & automation concept
- setting up the control system qualification plan
(Figure: rough control concept: sequential control and safety control; measurements from the plant, requested actions from the sequential control, actions to the plant)
Output documents:
- Plant & Automation Concept (with definitions relating to: variables, tag id system, product quality, modes of operation, specific conditions, availability, safety, flexibility, maintenance, information structures, process visualizations, future expansion, ...)
- Control system qualification plan containing definitions relating to: scope (which systems are to be included?) and depth of the qualification, change control, freezing points, responsibilities; basis for all qualification tasks!

NE 58 Stage 3: Basic Engineering

Activities:
1. Specifying control functions:
   - defining all tasks relevant to automation in P+I flow charts
   - performing the main safety inspection: fail-safe positions (e.g. of valves), requirements specification for trips and interlocks
   - complete P+I flow charts
   - preparing function diagrams, defining control system tasks
   - performing quality risk analysis (what influences product quality?)
   - classifying hardware and software into: approved and tested typicals / project-specific typicals / special functions
2. Procuring missing process-related data
3. Determining technical implementation:
   - determining equipment (e.g. how many PLCs) and functions
   - verifying completeness of requirement specs: no contradictions?
   - generating the Operational Qualification test plan (for stage 7)

NE 58 Stage 3: Basic Engineering

Output documents:
- Project execution plan
- Final P+I flow chart with all relevant information
- Specification of all control functions
- Final control system requirement / functional specification (including: feedback control, sequential control, trips, interlocks, user interface, equipment, interfaces to other systems, required supplies, function diagrams)
- List of control functions relevant to safety and quality
- Record of the quality risk analysis
- List of project-specific typicals & special functions; these have to be tested extensively!

(Figure: final P+I flow chart of the example plant: Feed, T1, T2, stirrer M, valves V1 to V4, flow indicator FI 4, level switches LIS+ 1, LIS- 2 and US 5, temperature switch TIS+ 3)

Requirements vs. Functional Specification

Requirements Specification ("Lastenheft", DIN 69905 / VDE 3694): definition of what has to be designed and for what purpose (textual description)
Content:
- general project information, objectives
- description of the plant / process, and the operation to be established
- constraints, area of use, available resources
- hardware requirements (plant structure, equipment, interfaces, power supply, ...)
- administration (available data, documentation, schedule, budget, ...)

Functional Specification ("Pflichtenheft", DIN 69905 / VDE 3694): how the requirements specification is realized in detail (textual + graphical description)
Additional content:
- concept for the automation structure
- specification of the components of the structure: sensors, actuators, control units
- control goals, required functionality
- project organization

Control Goals

Types of goals (compare to lecture 1):
- Goal attainment (sequence control): realize sequences of plant states / steps
- Safety-related control (trips, interlocks, etc.): avoid dangerous plant states or operator inputs; react to malfunctions; initiate shutdown procedures
Important:
- completeness
- formulated for the plant / process / operator
- not a static list (modifications possible during design and operation)

Typical initial description (taken from BASF): a requirements table with the columns No., Function (verbal), SIL, Condition, Limit value, Action, Comment, Checking status. Example row:
No. 27 | if T-limit reached, switch off heater and drain tank | SIL 2 | Condition: vessel in reaction mode | Limit value: 360 K | Action: set H to off and V10=1 | Comment: accuracy for T: ± 2 K | Checking status: checked, June 23
(SIL: safety integrity level, see VIII.2)

Example of a Requirements Table

Columns: No. | Function (verbal) | SIL | Condition | Limit value | Action
1 | Start filling T1, if T1 is empty and process is active | 1 | LIS2-=1, H1=active | - | Activate T1-filling-mode
2 | Fill T1 up to desired level given by LIS1+ | 1 | T1-filling-mode, LIS1+=0 | - | V1=open, V2=closed
3 | Stop filling T1, if LIS1+ is reached | 1 | LIS1+=1 | - | Deactivate T1-filling-mode
4 | Start draining T1 into T2, if T1 is filled and T2 is empty | 1 | LIS1+=1, LIS6-=1 | - | Activate T2-filling-mode
21a | Num. integration of FI4 | 3 | T1-filling-mode | - | Q4=integr(FI4)
21b | Prevent overflow of T1, if LIS1+ is broken, by integrating flow rate FI4 | 3 | Q4 >= limit value | 100 l | V1 = closed; Alarm: LIS1+ failed
21c | Reset volume Q4, if T1 empty | 3 | LIS2- = 1 | - | Q4:=0
(The Comment and Checking status columns carry no entries here.)
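The Stage 3 activity "verifying completeness of requirement specs: no contradictions?" can be partly mechanised once the table is held as structured data. The following Python script is an added example, not material from the lecture or from BASF: it encodes rows 1, 2, 3, 21b and 21c of the table above, each condition as a set of signal values and each action as a command to an actuator or mode variable, together with one constructed piece of plant knowledge (T1 cannot be at its lower and upper level switch at the same time), and reports pairs of rows that can fire together yet command the same variable differently. The encoding, the exclusion list and the rule that a higher-SIL row overrides a lower-SIL row are assumptions of this example.

```python
"""Contradiction check over a requirements table (added example, not from the lecture)."""
from itertools import combinations

# Constructed encoding of rows 1, 2, 3, 21b and 21c of the slide's table.
# cond:   signal values that must all hold for the row to fire
# action: value commanded for each actuator or mode variable
REQUIREMENTS = [
    {"no": "1", "sil": 1, "cond": {"LIS2-": 1, "H1": "active"},
     "action": {"T1-filling-mode": 1}},
    {"no": "2", "sil": 1, "cond": {"T1-filling-mode": 1, "LIS1+": 0},
     "action": {"V1": "open", "V2": "closed"}},
    {"no": "3", "sil": 1, "cond": {"LIS1+": 1},
     "action": {"T1-filling-mode": 0}},
    {"no": "21b", "sil": 3, "cond": {"Q4_over_100l": 1},   # Q4 >= 100 l
     "action": {"V1": "closed"}},
    {"no": "21c", "sil": 3, "cond": {"LIS2-": 1},
     "action": {"Q4": 0}},
]

# Constructed plant knowledge: signal states that cannot hold together in an intact plant
# (T1 cannot be at its lower and upper level switch at the same time).
EXCLUSIONS = [({"LIS2-": 1}, {"LIS1+": 1})]


def _holds(assignment, cond):
    return all(assignment.get(sig) == val for sig, val in cond.items())


def compatible(cond_a, cond_b, exclusions):
    """True if both conditions can be satisfied by one plant state."""
    for sig, val in cond_a.items():
        if sig in cond_b and cond_b[sig] != val:
            return False
    merged = {**cond_a, **cond_b}
    return not any(_holds(merged, x) and _holds(merged, y) for x, y in exclusions)


def check_fields(reqs):
    """Completeness: every row needs a SIL, a condition and an action."""
    return [(r["no"], f"missing {key}") for r in reqs
            for key in ("sil", "cond", "action") if not r.get(key)]


def find_conflicts(reqs, exclusions=EXCLUSIONS):
    """Row pairs that can fire together and command the same variable differently.
    Different SIL: reported as resolved (the higher-SIL row must win in the
    implementation). Equal SIL: the contradiction is left open for the engineer."""
    findings = []
    for a, b in combinations(reqs, 2):
        if not compatible(a["cond"], b["cond"], exclusions):
            continue
        for var in sorted(set(a["action"]) & set(b["action"])):
            if a["action"][var] != b["action"][var]:
                status = ("resolved: higher SIL wins" if a["sil"] != b["sil"]
                          else "UNRESOLVED: same SIL")
                findings.append((a["no"], b["no"], var, status))
    return findings


if __name__ == "__main__":
    print(check_fields(REQUIREMENTS))
    print(find_conflicts(REQUIREMENTS))
    print(find_conflicts(REQUIREMENTS, exclusions=[]))  # without the plant knowledge
```

With the exclusion in place the only finding is rows 2 and 21b on V1 (open while filling versus closed on the integrated-volume limit), which the SIL ordering resolves in favour of the safety function. Dropping the exclusion additionally reports rows 1 and 3 as an open contradiction on T1-filling-mode, which is exactly the kind of "physically impossible" overlap that has to be recorded explicitly, because row 21b exists precisely for the case where a level switch no longer reports the truth.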

NE 58 Stage 4: Detail Engineering

Activities:
1. Determining instrumentation devices
   - specifying of equipment, inquiries to suppliers
   - determining type / manufacturer
   - checking equipment against the requirements spec.
2. Specifying the control system
   - allocating control functions to the devices in accordance with the plant structure
   - requesting deliveries
   - determining devices according to type (e.g. PLCs) and manufacturer
   - defining display and operating functions
   - access authorization, inspection concept, data backup
3. Generating loop diagrams
   - linking of standard modules
   - checking loop function diagrams for completeness / plausibility
4. Preparing assembly documents

Manual Design Procedure (1)

(1) Determine the complete specification S = {S_1, ..., S_p} (requirements table)
(2) Distribution of S to selected control devices (per device d: S_d ⊆ S)
(3) Identify the signal exchange between each device and the connected interfaces (plant inputs, operator commands, signals from other devices, outputs)
(4) Define input, output (and global) variables and their value sets: y_d ∈ Y_d, u_d ∈ U_d (g_d ∈ G_d)
(5) Analysis of the control task: break down S_d into a hierarchical structure reflecting the interdependencies of the specifications in S_d, e.g. top level: S_1: emergency shutdown; second level: S_2: production sequence; ... (each specification S_i ∈ S_d should formulate a single control unit; refinement may be necessary)

Manual Design Procedure (2)

(6) For each unit: (a) assign it to a POU (programs, function blocks, functions); (b) select the most appropriate control language
(7) If the functionality of a unit is available in a library: instantiate the function (block); else: design the program or function
(8) Design steps:
   (i) identify the plant states x_k and plant outputs y_k that are relevant for the specification S_i
   (ii) for any y_k, determine an appropriate controller state z_k
   (iii) assign a suitable control action u_k ∈ U to the controller state z_k
(Figure: closed loop: the specification S_i is realized by the control unit with state z_k; the control unit receives the plant output y_k and issues the control output u_k = f_C(y_k, z_k, ...) to the plant with state x_k)

Example: Safety Control

(Figure: PLC for safety control)
- Inputs: requests from the sequential controller; plant sensor signals
- Scaling and supervision of inputs (scaled signals in physical units)
- Trips and interlocks: Function 1: prevent overflow of T1; Function 2: prevent overflow of T2; Function 3: switch off heating
- Outputs: binary release signals; actuator signals, e.g. V1 formed by an AND of the request from the SFC and the release signals of Function 1 and Function 2
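As an added example (not code from the lecture), the following Python sketch implements Function 1 of the figure above as a control unit in the sense of design step (8): the controller state z_k is the integrated volume Q4 from rows 21a to 21c of the requirements table, the plant outputs y_k are LIS1+, LIS2-, FI4 and the filling mode, and the control output is a binary release signal that is ANDed with the request from the sequential controller. The scan-cycle structure, the 60 l level at which the constructed LIS1+ switch responds and the flow rate of the simulated scenario are assumptions of this example.

```python
"""Safety control unit 'Function 1: Prevent overflow of T1' (added example, not from the lecture)."""

LIMIT_L = 100.0  # volume limit of row 21b in the requirements table (litres)


class T1OverflowGuard:
    """Controller state z_k: the integrated fill volume Q4 and a latched alarm.
    Each call of step() is one PLC scan and returns the release u_k = f_C(y_k, z_k)."""

    def __init__(self, limit_l=LIMIT_L):
        self.limit_l = limit_l
        self.q4 = 0.0        # row 21a: volume integrated from FI4 (litres)
        self.alarm = False   # row 21b: latched "LIS1+ failed"

    def step(self, y, dt):
        """y: plant outputs {LIS1+, LIS2-, FI4 [l/s], T1-filling-mode}; dt: scan time [s]."""
        if y["LIS2-"] == 1:                 # row 21c: T1 empty -> reset the integrator
            self.q4 = 0.0
        elif y["T1-filling-mode"] == 1:     # row 21a: integrate the flow while filling
            self.q4 += y["FI4"] * dt
        release = 1
        if y["LIS1+"] == 1:                 # primary protection: upper level switch reached
            release = 0
        if self.q4 >= self.limit_l:         # row 21b: backup protection via the integrated volume
            release = 0
            self.alarm = True               # latched until the unit is reset
        return {"V1_release": release, "alarm_LIS1_failed": int(self.alarm)}


def v1_command(request_from_sfc, release):
    """Actuator signal as in the figure: request from the sequential controller AND safety release."""
    return request_from_sfc & release


def simulate(level_switch_works, cycles=20, fi4_l_per_s=10.0, dt=1.0, switch_level_l=60.0):
    """Constructed scenario: the SFC keeps requesting V1 open; the (simulated) LIS1+ switch
    responds once the volume reaches switch_level_l unless it is broken.
    Returns (scan in which V1 was closed, alarm raised)."""
    guard = T1OverflowGuard()
    request = 1
    for k in range(cycles):
        lis1 = 1 if (level_switch_works and guard.q4 >= switch_level_l) else 0
        y = {"LIS1+": lis1, "LIS2-": 0, "FI4": fi4_l_per_s, "T1-filling-mode": request}
        u = guard.step(y, dt)
        if v1_command(request, u["V1_release"]) == 0:
            return k, bool(u["alarm_LIS1_failed"])
    return None, bool(guard.alarm)


if __name__ == "__main__":
    print("intact LIS1+:", simulate(True))    # V1 closed by the level switch, no alarm
    print("broken LIS1+:", simulate(False))   # V1 closed by the 100 l backup, alarm raised
```

The point of the structure is that the SIL 1 sequence (filling) and the SIL 3 protection (integrated volume) are separate units: the release signal can only withdraw the request, never grant it, so a fault in the sequential controller cannot open V1 against the safety function.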

NE 58 Stages 5 to 8: Implementation and Qualification

Activities:
1. Procurement of equipment and services, confirming delivery
   - issuing orders for supplies and services
   - checking goods received
   - passing delivery on to the building site
   - setting up and checking the control system
   - checking the function and documentation of package units
2. Configuring software
   - preparing system-specific function diagrams
   - configuring control functions, display and operating functions, recipe functions
   - structuring software
   - coding (approved and tested)
3. Preparing and monitoring assembly (Installation Qualification): checking the installed plant in accordance with the IQ test plan
4. Functional tests (Operational Qualification): checking the installed plant in accordance with the OQ test plan
Output documents: lots of documentation

VIII.2: Classification of Safety

Fault classification:
- fault without effect on the safety function: safe (safety function not affected)
- fault with effect on the safety function:
  - passive fault: safe (safety function is initiated)
  - active fault: critical (safety function is blocked unnoticed)

Hazard Classification

- C: consequence of the hazard
- The frequency of the occurrence of a hazard is divided into three aspects:
  - F: frequency of exposure
  - P: possibility of avoiding the resulting hazard
  - W: probability of the undesired condition (without safety system)
Definition of the risk R: R = (frequency of occurrence) · C = F · P · W · C

Damage Classification

C: consequence
- C1 Minor injury, recoverable
- C2 Serious or permanent injury to one or more persons; single death
- C3 Death of up to five people
- C4 More than five deaths
F: frequency of exposure
- F1 Persons present in the danger area < 10% of the time (over a 1 d period)
- F2 Persons present in the danger area > 10% of the time
P: possibility of avoiding the resulting hazard
- P1 Possible to avoid danger (conditions to be noted)
- P2 No reasonable possibility to avoid danger
W: probability of the undesired condition (without safety systems)
- W1 Undesired condition occurs < once in ten years
- W2 < once per year
- W3 > once per year

Risk Graph: Safety Integrity Level (SIL)

Path (C, F, P)    W3      W2      W1
C1                -       -       -
C2 F1 P1          SIL1    SIL1    -
C2 F1 P2          SIL2    SIL1    SIL1
C2 F2 P1          SIL2    SIL2    SIL1
C2 F2 P2          SIL3    SIL2    SIL2
C3 F1             SIL3    SIL3    SIL2
C3 F2             SIL4    SIL3    SIL3
C4                (*)     SIL4    SIL3

-: no process control safety procedure; safety-at-work procedures
(*): process control safety procedures not sufficient

Quantitative Reliability Requirements

SIL | Probability of Failure on Demand (PFD) | Availability     | Mean time between failures (MTBF) [a]
1   | 10^-2 <= PFD < 10^-1                   | 0.9 - 0.99       | 10 - 100
2   | 10^-3 <= PFD < 10^-2                   | 0.99 - 0.999     | 100 - 1000
3   | 10^-4 <= PFD < 10^-3                   | 0.999 - 0.9999   | 1000 - 10000
4   | 10^-5 <= PFD < 10^-4                   | 0.9999 - 0.99999 | 10000 - 100000
Requirement: reliable fault rate data for process control components

Improvement of the Availability of Safety Systems

Measures for the increase of availability:
- Automatic function test: failures that are not self-signaling and not observable may only be detected by (automatic) testing.
- Use of the fail-safe principle: all those failures that have been specified, e.g. interruption of the strip conductor, short-circuit, emergency power breakdown, lead to one predefined state of the system.
- Use of redundant structures: a multi-channel implementation from the sensor to the actuator, where the disruption of one or more channels as a result of a passive error does not prevent the function of the safety system. Differentiate: homogeneous and inhomogeneous redundancy.

Redundant Structures (1)

m v n: n = number of independent channels, m of which must respond to release the safety system
(Figure: structures arranged by n: 1v1; 2v2, 1v2; 3v3, 2v3, 1v3; 4v4, 3v4, 2v4, 1v4. Availability increases towards the m = n structures, safety towards the 1vn structures: conflict of interest!)
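To connect the risk graph, the PFD bands of the quantitative table and the m v n structures, here is an added Python example (not from the lecture): it encodes the risk graph as read from the slide, maps a required SIL to its PFD band, and computes, for n independent channels of which m must respond, the probability that the safety function is lost (at least n-m+1 channels failed actively) and the probability of a spurious trip (at least m channels failed passively). The per-channel failure probabilities are constructed values, and the independence of the channels is a simplifying assumption; common-cause failures, which break it, are what the diversity of the next slide addresses.

```python
"""Risk graph -> SIL -> PFD band -> m-out-of-n architecture check (added example, not from the lecture)."""
from math import comb

# Risk graph as read from the slide. Key: (C, F, P) path; value: required SIL per W column.
# None = no process control safety procedure needed (safety-at-work procedures suffice)
# "NS" = process control safety procedures not sufficient
RISK_GRAPH = {
    ("C1", None, None): {"W3": None, "W2": None, "W1": None},
    ("C2", "F1", "P1"): {"W3": 1, "W2": 1, "W1": None},
    ("C2", "F1", "P2"): {"W3": 2, "W2": 1, "W1": 1},
    ("C2", "F2", "P1"): {"W3": 2, "W2": 2, "W1": 1},
    ("C2", "F2", "P2"): {"W3": 3, "W2": 2, "W1": 2},
    ("C3", "F1", None): {"W3": 3, "W2": 3, "W1": 2},
    ("C3", "F2", None): {"W3": 4, "W2": 3, "W1": 3},
    ("C4", None, None): {"W3": "NS", "W2": 4, "W1": 3},
}

# PFD bands of the "Quantitative Reliability Requirements" table: SIL -> [lower, upper)
PFD_BAND = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def required_sil(c, f=None, p=None, w="W3"):
    """Walk the risk graph: F is only asked for C2 and C3, P only for C2."""
    key = (c, f if c in ("C2", "C3") else None, p if c == "C2" else None)
    return RISK_GRAPH[key][w]


def sil_achieved(pfd):
    """Highest SIL whose PFD band contains pfd (0 if worse than SIL 1, 4 if better than SIL 4)."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in PFD_BAND.items():
        if lo <= pfd < hi:
            return sil
    return 4


def prob_at_least(k, n, p):
    """P(at least k of n independent channels are in the given failure state)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def moon_pfd(m, n, p_active):
    """m v n: the trip is blocked once fewer than m channels can still respond,
    i.e. when at least n-m+1 channels have failed actively (dangerously)."""
    return prob_at_least(n - m + 1, n, p_active)


def moon_spurious_trip(m, n, p_passive):
    """A spurious trip needs at least m channels failed passively (to the safe state)."""
    return prob_at_least(m, n, p_passive)


def architecture_meets(required, m, n, p_active):
    """Does an m v n structure with the given per-channel PFD reach the required SIL?"""
    if required is None:
        return True
    if required == "NS":
        return False
    return sil_achieved(moon_pfd(m, n, p_active)) >= required


if __name__ == "__main__":
    sil = required_sil("C2", "F2", "P2", "W3")   # -> 3 on the slide's graph
    for m, n in [(1, 1), (2, 2), (1, 2), (2, 3)]:
        # constructed channel data: 2% active (dangerous), 5% passive (safe) failure probability
        pfd, spur = moon_pfd(m, n, 0.02), moon_spurious_trip(m, n, 0.05)
        print(f"{m}v{n}: PFD={pfd:.2e} (SIL {sil_achieved(pfd)}), spurious={spur:.2e}, "
              f"meets SIL {sil}: {architecture_meets(sil, m, n, 0.02)}")
```

Running it shows the conflict of interest numerically: with the same channels, 1v2 reaches SIL 3 but trips spuriously about four times as often as 1v1, while 2v2 almost never trips spuriously but stays at SIL 1 because either channel failing actively blocks the function; 2v3 sits in between.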

Redundant Structures (2)

- Redundancy (homogeneous redundancy), e.g. TIZA+ 1 and TIZA+ 2: often applied due to the preferred usage of devices which have been approved in practice.
- Diversity (inhomogeneous redundancy), e.g. TIZA+ 2 and PIZA+ 1: prevents symmetric failures, which simultaneously affect multiple channels.