Brief Summary of Last Lecture

Formal verification
- Types: deductive (theorem proving) and algorithmic (model checking)
- Yields a proof that a (formal) specification is fulfilled
- Formalization of specs, e.g. in Computational Tree Logic (CTL): time is not quantitative but temporal (temporal logic); 10 basic operators (all combinations of 2 path and 5 temporal quantifiers)

Model checking of timed automata: general approach
- Problem: infinite state space
- Idea: abstract from the continuous dynamics
- Extended states of a TA: combination of discrete states and clock regions
- Region automaton: finite-state representation of the TA that bisimulates the TA with respect to the verification specifications
- Model checking on the finite-state region automaton: iterative reachability computation
Chapter VIII: Systematic Procedures for Logic Control Projects

VIII.1 Industrial Approach to Logic Control
VIII.2 Classification of Safety
Approach of BASF to Safety-Related Control

[Figure: V-shaped scheme of design steps, design checks and function checks. Design steps: Specification, Concept, Safety Analysis, Specification for the Safety Unit, Design of the Safety Unit, Realization. Design checks: Check the Specification, Check the Concept, Check the Realization. Function checks: Check of Hardware Modules, Check of single control functions, Check of the complete control function.]

The BASF approach combines NAMUR recommendation NE 58 (execution of process control projects subject to qualification) with elements of IEC 61511 (functional safety for the process industries). (NAMUR: Normenausschuss Mess- und Regelungstechnik)
General V-Model according to NE 58

[Figure: V-model with design stages on the left branch and qualification stages on the right branch. Design: (1) process-oriented description, user requirements (operational requirements, organization); (2) preliminary engineering (plant concept, qualification plan); (3) basic engineering, functional specification; (4) detail engineering (technical details, assembly plan); (5) implementation (orders, assembly, software development & testing). Qualification, each based on the corresponding design stage: (6) installation qualification; (7) operational qualification; (8) performance qualification.]

Validation = documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its predetermined specifications and quality.

Qualification = documented verification that equipment (plant & automation system) is appropriate for the designated function.
NE 58 Stage 1: User Requirement Specification

Input: collect all available information from the user!
- planned plant capacity, rough flow chart, process description (e.g.: fill T1 up to the desired level, drain into T2, heat up T2, drain T2)
- know-how from other plants and literature
- general regulations (e.g. company principles for validation)
- master validation plan

Activities:
- developing alternatives, developing requirements
- determining boundary conditions, site survey
- determining project organization and responsibilities (who, what, when)

Output documents:
- Operational Requirements Specification (description of site and infrastructure, definition of tasks, detailed process description, process flow chart, relevant regulations and laws, depth of automation, materials, nominal pressures, safety and availability requirements, etc.)
- document on project organization and responsibilities
- record of general provisions that have to be observed

[Figure: rough flow chart of the example plant: Feed, Tank 1 (dosing), Tank 2 (heating); valves V1, V2, V3, V4; pump M; sensors LIS+ 1, LIS- 2, TIS+ 3.]
NE 58 Stage 2: Pre-engineering (plant concept)

Input documents: output of stage 1

Activities:
- developing alternative plant concepts
- first safety discussions & efficiency calculation
- setting up a rough automation plan
- decision in favour of one plant & automation concept
- setting up the control system qualification plan

[Figure: rough control concept: measurements from the plant go to the sequential control and the safety control; the requested actions of the sequential control pass through the safety control, which issues the actions to the plant.]

Output documents:
- Plant & Automation Concept (with definitions relating to: variables, tag id system, product quality, modes of operation, specific conditions, availability, safety, flexibility, maintenance, information structures, process visualizations, future expansion, ...)
- Control system qualification plan, containing definitions relating to: scope (which systems are to be included?) and depth of the qualification, change control, freezing points, responsibilities; the basis for all qualification tasks!
NE 58 Stage 3: Basic Engineering

Activities:
1. Specifying control functions:
   - defining all tasks relevant to automation in P+I flow charts
   - performing the main safety inspection: fail-safe positions (e.g. of valves), requirements specification for trips and interlocks
   - complete P+I flow charts
   - preparing function diagrams, defining control system tasks
   - performing the quality risk analysis (what influences product quality?)
   - classifying hardware and software into: approved and tested typicals / project-specific typicals / special functions
2. Procuring missing process-related data
3. Determining the technical implementation:
   - determining equipment (e.g. how many PLCs) and functions
   - verifying completeness of the requirement specs (no contradictions?)
   - generating the Operational Qualification test plan (for stage 7)
NE 58 Stage 3: Basic Engineering (continued)

Output documents:
- Project execution plan
- Final P+I flow chart with all relevant information
- Specification of all control functions
- Final control system requirement / functional specification (including: feedback control, sequential control, trips, interlocks, user interface, equipment, interfaces to other systems, required supplies, function diagrams)
- List of control functions relevant to safety and quality
- Record of the quality risk analysis
- List of project-specific typicals & special functions (these have to be tested extensively!)

[Figure: P+I flow chart of the example plant: Feed, T1, T2; valves V1, V2, V3, V4; pump M; instruments FI 4, LIS+ 1, LIS- 2, US 5, TIS+ 3.]
Requirements vs. Functional Specification

Requirements Specification ("Lastenheft", DIN 69905 / VDE 3694): definition of what has to be designed and for what purpose (textual description). Content:
- general project information
- objectives
- description of the plant / process, and the operation to be established
- constraints, area of use, available resources
- hardware requirements (plant structure, equipment, interfaces, power supply, ...)
- administration (available data, documentation, schedule, budget, ...)

Functional Specification ("Pflichtenheft", DIN 69905 / VDE 3694): how the requirements specification is realized in detail (textual + graphical description). Additional content:
- concept for the automation structure
- specification of the components of the structure: sensors, actuators, control units
- control goals, required functionality
- project organization
Control Goals

Types of goals (compare to lecture 1):
- Goal attainment (sequence control): realize sequences of plant states / steps
- Safety-related control (trips, interlocks, etc.): avoid dangerous plant states or operator inputs; react to malfunctions; initiate shutdown procedures

Important: completeness; formulated for the plant / process / operator; not a static list (modifications are possible during design and operation)

Typical initial description (taken from BASF): requirements table

No. | Function (verbal) | SIL | Condition | Limit value | Action | Comment | Checking status
... | ... | ... | ... | ... | ... | ... | ...
27 | if T-limit reached, switch off heater and drain tank | 2 | vessel in reaction mode | 360 K | set H to off and V10 = 1 | accuracy for T: ± 2 K | checked, June 23
... | ... | ... | ... | ... | ... | ... | ...

SIL: Safety Integrity Level (see VIII.2)
Example for Requirements Table

No. | Function (verbal) | SIL | Condition | Limit value | Action | Comment | Checking status
1 | Start filling T1, if T1 is empty and the process is active | 1 | LIS2- = 1, H1 = active | - | Activate T1-filling-mode | - | -
2 | Fill T1 up to the desired level given by LIS1+ | 1 | T1-filling-mode, LIS1+ = 0 | - | V1 = open, V2 = closed | - | -
3 | Stop filling T1, if LIS1+ is reached | 1 | LIS1+ = 1 | - | Deactivate T1-filling-mode | - | -
4 | Start draining T1 into T2, if T1 is filled and T2 is empty | 1 | LIS1+ = 1, LIS6- = 1 | - | Activate T2-filling-mode | - | -
21a | Numerical integration of FI4 | 3 | T1-filling-mode | - | Q4 = integr(FI4) | - | -
21b | Prevent overflow of T1, if LIS1+ is broken, by integrating the flow rate FI4 | 3 | Q4 reaches limit Z- | 100 l | V1 = closed; Alarm: LIS1+ failed | - | -
21c | Reset volume Q4, if T1 is empty | 3 | LIS2- = 1 | - | Q4 := 0 | - | -
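Rows 1, 2, 3 and 21a to 21c of the table above can be read directly as the scan logic of a small PLC program. The following is an added example (not code from the lecture or from BASF) that implements these rows and simulates the case the SIL 3 rows are written for: the level switch LIS1+ is broken, so the overflow protection must come from integrating FI4. Assumed: a scan time dt of 1 s, a flow unit of l/s, and that LIS2- is only set before filling starts; V2 and row 4 are not modelled.

```python
from dataclasses import dataclass, field

OVERFLOW_LIMIT_L = 100.0  # limit value Z- of row 21b (100 l)

@dataclass
class Inputs:
    lis1_plus: bool   # LIS1+ = 1: high level of T1 reached
    lis2_minus: bool  # LIS2- = 1: T1 empty
    h1_active: bool   # H1 active: process running
    fi4: float        # FI4: feed flow into T1 (assumed unit: l/s)

@dataclass
class State:
    t1_filling: bool = False
    q4: float = 0.0   # Q4: volume integrated from FI4 (row 21a)
    v1_open: bool = False
    alarms: list = field(default_factory=list)

def scan(st: State, inp: Inputs, dt: float) -> State:
    # One PLC scan over rows 1, 2, 3, 21a, 21b, 21c (V2 and row 4 are not modelled).
    if inp.lis2_minus:                     # row 21c: reset Q4 while T1 is empty
        st.q4 = 0.0
    if inp.lis2_minus and inp.h1_active:   # row 1: activate T1-filling-mode
        st.t1_filling = True
    if inp.lis1_plus:                      # row 3: deactivate when LIS1+ is reached
        st.t1_filling = False
    if st.t1_filling:                      # row 21a: numerical integration of FI4
        st.q4 += inp.fi4 * dt
    st.v1_open = st.t1_filling and not inp.lis1_plus   # row 2: V1 open in filling mode
    if st.q4 >= OVERFLOW_LIMIT_L:          # row 21b: SIL 3 overflow protection
        st.v1_open = False                 # last write wins: overrides row 2 in this scan
        if "LIS1+ failed" not in st.alarms:
            st.alarms.append("LIS1+ failed")
    return st

def simulate(seconds: int, flow: float = 2.0, lis1_trips_at=None, dt: float = 1.0):
    # Constructed scenario: T1 starts empty; `flow` l/s enters while V1 is open.
    # lis1_trips_at=None models a broken LIS1+ that never reports the high level.
    st, alarm_at = State(), None
    for t in range(seconds):
        inp = Inputs(lis1_plus=lis1_trips_at is not None and t >= lis1_trips_at,
                     lis2_minus=(t == 0),  # T1 reports empty only before filling starts
                     h1_active=True,
                     fi4=flow if st.v1_open else 0.0)  # flow only while V1 is open
        scan(st, inp, dt)
        if st.alarms and alarm_at is None:
            alarm_at = t
    return st, alarm_at
```

With a broken LIS1+, simulate(60) closes V1 and raises the alarm in the scan where Q4 reaches 100 l (t = 50 s); with LIS1+ tripping at t = 30 s, filling stops at Q4 = 58 l and no alarm is raised.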
NE 58 Stage 4: Detail Engineering

Activities:
1. Determining instrumentation devices: specifying equipment; inquiries to suppliers; determining type / manufacturer; checking equipment against the requirements spec.
2. Specifying the control system: allocating control functions to the devices in accordance with the plant structure; requesting deliveries; determining devices according to type (e.g. PLCs) and manufacturer; defining display and operating functions; access authorization, inspection concept, data backup
3. Generating loop diagrams: linking of standard modules; checking loop function diagrams for completeness / plausibility
4. Preparing assembly documents
Manual Design Procedure (1)

(1) Determine the complete specification S = {S_1, ..., S_p} (requirements table)
(2) Distribution of S to the selected control devices (per device d: S_d ⊆ S)
(3) Identify the signal exchange between each device and the connected interfaces (plant inputs, operator commands, signals from other devices, outputs)
(4) Define input, output (and global) variables and their value sets: y_d ∈ Y_d, u_d ∈ U_d (g_d ∈ G_d)
(5) Analysis of the control task: break down S_d into a hierarchical structure reflecting the interdependencies of the specifications in S_d, e.g. top level: S_1: emergency shutdown; second level: S_2: production sequence; ... (each specification S_i ∈ S_d should formulate a single control unit; refinement may be necessary)
Manual Design Procedure (2)

(6) For each unit: (a) assign it to a POU (program, function block, function); (b) select the most appropriate control language
(7) If the functionality of a unit is available in a library: instantiate the function (block); else: design the program or function
(8) Design steps: (i) identify the plant states x_k and plant outputs y_k that are relevant for the specification S_i; (ii) for any y_k, determine an appropriate controller state z_k; (iii) assign a suitable control action u_k ∈ U to the controller state z_k

[Figure: control loop of a control unit and the plant: the specification S_i determines the control unit's state z_k; the plant (state x_k) delivers the plant output y_k; the control unit computes the control output u_k = f_C(y_k, z_k, ...).]
Example: Safety Control

[Figure: PLC for safety control. Inputs: requests from the sequential controller and plant sensor signals, passed through scaling and supervision of inputs (scaled signals in physical units). Trips and interlocks: Function 1: prevent overflow of T1; Function 2: prevent overflow of T2; Function 3: switch off heating. Outputs: actuator signals and binary release signals; the figure shows V1 driven by an AND (&) of the request from the SFC and the release signals of Fun 1 and Fun 2.]
NE 58 Stages 5 to 8: Implementation and Qualification

Activities:
1. Procurement of equipment and services, confirming delivery: issuing orders for supplies and services; checking goods received; passing the delivery on to the building site; setting up and checking the control system; checking the function and documentation of package units
2. Configuring software: preparing system-specific function diagrams; configuring control functions, display and operating functions, recipe functions; structuring the software; coding (approved and tested)
3. Preparing and monitoring assembly (Installation Qualification): checking the installed plant in accordance with the IQ test plan
4. Functional tests (Operational Qualification): checking the installed plant in accordance with the OQ test plan

Output documents: lots of documentation
VIII.2: Classification of Safety

Fault classification:
- fault without effect on the safety function: safe (safety function not affected)
- fault with effect on the safety function:
  - active fault: safe (safety function is initiated)
  - passive fault: critical (safety function is blocked unnoticed)
Hazard Classification

- N: frequency of the occurrence of a hazard
- C: consequence of the hazard

N is divided into three aspects:
- F: frequency of exposure
- P: possibility of avoiding the resulting hazard
- W: probability of the undesired condition (without safety system)

Definition of the risk R: R = N · C = F · P · W · C
Damage Classification

C: consequence of the hazard
- C1: minor injury, recoverable
- C2: serious or permanent injury to one or more persons; single death
- C3: death of up to five people
- C4: more than five deaths

F: frequency of exposure
- F1: persons present in the danger area < 10% of the time (over a 1 d period)
- F2: persons present in the danger area > 10% of the time

P: possibility of avoiding the resulting hazard
- P1: possible to avoid the danger (conditions to be noted)
- P2: no reasonable possibility to avoid the danger

W: probability of the undesired condition (without safety systems)
- W1: undesired condition occurs < once in ten years
- W2: < once per year
- W3: > once per year
Risk Graph

[Figure: risk graph mapping the path C (C1 to C4) → F (F1, F2) → P (P1, P2) → W (W3, W2, W1) to the required Safety Integrity Level (SIL1 to SIL4). Two special outcomes at the extremes of the graph: "no PC safety procedure: safety-at-work procedures" for the lowest risks and "process control safety procedures not sufficient" for the highest risks.]
Quantitative Reliability Requirements

SIL | Probability of failure on demand (PFD) | Availability | Mean time between failures (MTBF) [a]
1 | 10^-2 <= PFD < 10^-1 | 0.9 to 0.99 | 10 to 100
2 | 10^-3 <= PFD < 10^-2 | 0.99 to 0.999 | 100 to 1000
3 | 10^-4 <= PFD < 10^-3 | 0.999 to 0.9999 | 1000 to 10000
4 | 10^-5 <= PFD < 10^-4 | 0.9999 to 0.99999 | 10000 to 100000

Requirement: reliable fault rate data for process control components
Improvement of the Availability of Safety Systems

Measures for the increase of availability:
- Automatic function test: failures that are neither self-signalling nor observable can only be detected by (automatic) testing.
- Use of the fail-safe principle: all failures that have been specified (e.g. interruption of the strip conductor, short circuit, emergency power breakdown) lead to one predefined state of the system.
- Use of redundant structures: a multi-channel implementation from the sensor to the actuator, where the disruption of one or more channels as a result of a passive error does not prevent the function of the safety system. Differentiate: homogeneous and inhomogeneous redundancy.
Redundant Structures (1)

m v n: n is the number of independent channels, m of which must respond to release the safety system.

[Figure: triangle of m v n structures: 1v1; 2v2, 1v2; 3v3, 2v3, 1v3; 4v4, 3v4, 2v4, 1v4. Availability increases towards the n v n structures, safety increases towards the 1 v n structures: conflict of interest!]
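To make the conflict of interest in the m v n triangle concrete, and to tie it back to the SIL bands of the quantitative requirements table, here is an added example (not from the lecture) that computes, for a few structures, the probability that a trip is blocked by passive faults and the probability of a spurious trip caused by active faults. Assumed: channel faults are independent with a fixed per-channel probability during one demand interval (common-cause failures and proof-test intervals are not modelled); the per-channel values 2% passive and 5% active are constructed.

```python
from math import comb

def p_at_least(k: int, n: int, p: float) -> float:
    # Probability that at least k of n independent channels are in a given failed state.
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def blocked_trip(m: int, n: int, p_passive: float) -> float:
    # m v n fails to release the safety function (critical passive fault) when fewer
    # than m channels can still respond, i.e. at least n-m+1 channels are passively failed.
    return p_at_least(n - m + 1, n, p_passive)

def spurious_trip(m: int, n: int, p_active: float) -> float:
    # m v n trips without a demand (loss of availability) when at least m channels
    # respond because of an active fault.
    return p_at_least(m, n, p_active)

def sil_from_pfd(pfd: float) -> int:
    # SIL band of the lecture's table; 0 means outside all four bands.
    bands = [(1e-2, 1e-1), (1e-3, 1e-2), (1e-4, 1e-3), (1e-5, 1e-4)]
    for sil, (lo, hi) in enumerate(bands, start=1):
        if lo <= pfd < hi:
            return sil
    return 0

def compare_structures(p_passive: float, p_active: float,
                       structures=((1, 1), (2, 2), (1, 2), (2, 3))) -> dict:
    # Returns {"mvn": (blocked-trip probability, SIL band, spurious-trip probability)}.
    out = {}
    for m, n in structures:
        pfd = blocked_trip(m, n, p_passive)
        out[f"{m}v{n}"] = (pfd, sil_from_pfd(pfd), spurious_trip(m, n, p_active))
    return out

if __name__ == "__main__":
    # Constructed per-channel values: 2 % passive and 5 % active fault probability.
    for name, (pfd, sil, spur) in compare_structures(0.02, 0.05).items():
        print(f"{name}: blocked trip {pfd:.6f} (SIL {sil}), spurious trip {spur:.6f}")
```

With these constructed values, 1v2 reaches the SIL 3 band for blocked trips but has the highest spurious-trip probability, while 2v2 is the most available and only reaches SIL 1; 2v3 sits between them, which is why it is a common compromise.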
Redundant Structures (2)

- Redundancy (homogeneous redundancy), e.g. two temperature switches TIZA+ 1 and TIZA+ 2: often applied due to the preferred usage of devices which have been approved in practice.
- Diversity (inhomogeneous redundancy), e.g. the temperature switch TIZA+ 2 combined with the pressure switch PIZA+ 1: prevents symmetric failures, which simultaneously affect multiple channels.