Embedded Automation and Safety in ABB 800xA Control system

Albert Norberg
ABB AB, 2007
2007-05-09

Content

- System 800xA overview
- Control system properties
- Safety certified control system

800xA Automation System topology

- 800xA is a large DCS system
- Integration with upper business and production systems
- Contains a wide range of integrated ABB products:
  - Operator workplace
  - Engineering workplace
  - Embedded control systems
  - Fieldbus devices
  - Connectivity to 3rd party control systems
- Open, Windows based PC platform

[Topology diagram: Plant Network / Intranet (Workplaces, Enterprise Optimization Suite, third party application server, Firewall, Mobile Operator); Client/server Network (Connectivity server, Aspect server, Application server, Engineering workplace); Control Network (AC 800M, AC 800C); Field Bus / Redundant Field Bus; serial, OPC or fieldbus links to third party controllers, servers etc.]

Typical 800xA applications

- Pulp and paper production
- Cranes operation
- Food industry
- Power plants
- Steel production
- Petrochemical industry
- Oil & Gas production
- Pharmaceutical industry

Control system

- Main CPU based on Motorola Power PC
- Communication bus for expansion with several communication interfaces
- Modular I/O system with support for digital, analog input and output
- MS Windows based programming tool
- IEC 61131-3 Programming tool
- Object oriented approach
- Connectivity server running on PC
- OPC server for live data and status to Operator workplace

[Pictures: Modular Controller hardware; Control Builder]

Control Builder

- Support IEC 61131-3 (standard for programming languages of PLCs)
- Concept Program Organization Unit (POU) used
- Concept Type/Instance used
- Type solutions stored in Libraries
- Control solution made in Applications
- Five programming languages:
  - Structured Text (ST): like Pascal
  - Instruction List (IL): virtual assembly
  - Sequential Function Chart (SFC): state machine
  - Function Block Diagram (FBD): graphical signal flow
  - Ladder Diagram (LD): graphical relay diagram

Control Builder cont.

- Applications allocated to controllers
- In controllers user defines tasks
- Applications can be executed by one or several tasks
- Controller can contain one or several applications
- Hardware configuration and I/O connections also defined in Control Builder

OS threads

OS threads vs. 1131 tasks

VxWorks RTOS threads, from highest to lowest priority:

- Boot thread (highest priority)
- Prioritized threads
- IO handling threads
- Time Critical thread (Time Critical IEC 61131-3 Tasks)
- Schedule thread (1131-tasks): user defined tasks mapped onto one OS thread
  - IEC 61131-3 Tasks: periodic tasks with cycle time and priority
  - System tasks
  - Scheduler objects, Watch-dog
- Safety Thread (only in a HI controller)
- Main thread: Maintenance, HW Related Functions, Distribution (MMS programs), Other (e.g. LongJob)
- Subsystems Management: Communication (MMS, Fieldbus Foundation (FF-H1), SattBus), Logging, Event and Alarm
- Threads inside the IO and Communication Framework (Communication sub systems)
- Threads using the IO and Communication Framework, Protocol Handlers
- Background Thread
- BatchJob thread
- Idle thread (lowest priority)

- Other OS threads for communication, maintenance etc.
- 5-10 OS threads do the main job
- Lots of other threads defined in the system for various services

[Diagram labels: Real-Time OS; Windows NT; Mutex, semaphores]

OS threads vs. 1131 tasks cont.

1131 task scheduling

- Implemented in one thread
- Allow easy sharing of data structures
- Minimize operating system dependency
- Built with simple mechanisms
- Cyclic execution
- User defined cycle time and priority
- Scheduled according to priority with defined preemption points
- Support for latency supervision, load balancing and task abortion

[Diagram: OS threads by OS Thread Priority (Time Critical Thread, Scheduler Thread, Test Engine Thread, Main Thread, GenericIO Thread, Batchjob Thread, Idle Thread) beside the 1131 Task Priority inside the Scheduler Thread; the Scheduler holds a TimeQueue and a ReadyQueue, Task Objects, an Execution List and an I/O Scan Table, with entry points Schedule() and ScheduleExec().]
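The scheduling properties listed above, modelled in C as an added example that is not ABB code: all 1131 tasks run in one thread, a TimeQueue of release times feeds a ReadyQueue that is picked by priority, a task runs to its preemption point, and latency supervision records how late each release started. The task set, the execution times and the names schedule, schedule_exec and demo_* are my own assumptions.

```c
#include <stdint.h>

#define NTASKS 3
typedef struct {
    const char *name;
    uint32_t cycle_ms, prio, exec_ms;  /* user defined cycle time and priority (lower = higher); exec_ms is constructed */
    uint32_t next_start;               /* TimeQueue entry: next release time */
    uint32_t max_latency;              /* latency supervision: worst start delay observed */
} task_t;

/* Schedule(): among the tasks that are due (the ReadyQueue) pick the highest priority one */
static int schedule(const task_t *t, int n, uint32_t now) {
    int best = -1;
    for (int i = 0; i < n; i++)
        if (t[i].next_start <= now && (best < 0 || t[i].prio < t[best].prio)) best = i;
    return best;
}

/* ScheduleExec(): run every task in this one thread until horizon_ms. A task runs to its
 * preemption point (here: the end of its cycle), so a long low-priority task can delay the
 * fast one. Returns how many releases started a whole cycle time late. */
int schedule_exec(task_t *t, int n, uint32_t horizon_ms) {
    uint32_t now = 0;
    int overruns = 0;
    while (now < horizon_ms) {
        int i = schedule(t, n, now);
        if (i < 0) { now++; continue; }            /* nothing due: idle */
        uint32_t lat = now - t[i].next_start;
        if (lat > t[i].max_latency) t[i].max_latency = lat;
        if (lat >= t[i].cycle_ms) overruns++;      /* where latency supervision would react */
        now += t[i].exec_ms;
        t[i].next_start += t[i].cycle_ms;          /* back into the TimeQueue */
    }
    return overruns;
}

/* Constructed task set (not from the slides); fills out[NTASKS], returns the overrun count */
static int run_demo(task_t *out) {
    task_t t[NTASKS] = { {"fast", 10, 1, 3, 0, 0}, {"medium", 50, 2, 10, 0, 0},
                         {"slow", 100, 3, 30, 0, 0} };
    int ov = schedule_exec(t, NTASKS, 200);
    for (int i = 0; i < NTASKS; i++) out[i] = t[i];
    return ov;
}
int demo_overruns(void) { task_t t[NTASKS]; return run_demo(t); }
uint32_t demo_max_latency(int idx) { task_t t[NTASKS]; run_demo(t); return t[idx].max_latency; }
```

With this set the 30 ms slow task runs straight past several releases of the 10 ms task, so supervision records six late starts and a worst latency of 26 ms for it; that is the load situation which task abortion and load balancing exist to handle.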

- Normally the scheduler thread takes 50-70 % of the CPU capacity

Safety certified control system

The term Safety

- Safety is a common term used for a system's ability to provide service without occurrence of catastrophic failures with consequence on:
  - Personnel
  - Environment
  - Equipment
- Safety is one aspect of what is sometimes called dependability of a system, where also other aspects are considered, e.g.
  - Availability (ability to provide service)
  - Maintainability (ability to undergo repair)
  where some of these aspects are concurrent goals to Safety

Certification

- Safety certified products are required by a wide range of customers
- Safety certified automation is in some applications also required by authorities in many countries
- Some examples: Oil & Gas, Petrochemical, Pharmaceutical, Chemical
- Certification done according to IEC 61508
- Certification done by external actor
- ABB uses TÜV, German certification body

SIL - Safety integrity level

- Concept defined by IEC 61508
- Defines the probability for failure on demand for a certain function/component

SIL cont.

[Diagram: How is required SIL determined; how SIL are applied; SIL 3, SIL 2, SIL 0-1]

800xA provides integrated Process Control and Safety

- The whole end-user solution must fulfill Safety requirements (IEC 61508 and IEC 61511)
  - Requirements on all equipment (e.g. sensors, actuators)
  - Requirements on the design and engineering of the customer application
  - Requirements on the Control System
- The 800xA Control system from ABB provides possibilities to create SIL1, 2 and 3 applications

[Diagram: Inform IT, Engineer IT, Optimize IT, Operate IT and Control IT around Control Functions / Automation Functions and Safety Functions; Control IT Safety; Control IT for combined Process Automation and Safety]

How is IEC 61508 fulfilled

- Requirements in IEC 61508 relate to two areas
  - Fault avoidance: avoid introducing errors during development
  - Fault control: detect and handle errors during operation
- Both areas valid for both Hardware and Software
- Focus on Software in this presentation

How is IEC 61508 fulfilled cont.

Fault avoidance

- Requirements on the software development process
- Requirements on all phases: requirements, design, implementation and test

[V-model diagram. Development side: Customer wish (MRS), Requirements Definition, Requirement Specifications (Safety Requirement Specification, PRS), Requirements Analysis, Description of Function, Analysis and Design, Detailed Design, Design Description. Test side: Design Test (Design Test Description), Functional Type Test Description (FTT / CTT), Integration Test Description (PIT), PTT Descriptions, STT Descriptions, System Requirement Specification, System Test, SVT, Technical Release.]

Fault avoidance cont.

- Requirements different for different SIL
- SIL of a component can be reduced depending on criticality

SIL Capability of the component, by SIL of the Safety Function / safety-related system (rows) and Criticality of the Entity (columns):

          C1                                              C2       C3
  SIL1    Meet relevant requirements for non-interference  SIL 1    SIL 1
  SIL2    Meet relevant requirements for non-interference  SIL 1    SIL 2
  SIL3    Meet relevant requirements for non-interference  SIL 2    SIL 3

- C3: Safety Critical denotes a function where a single deviation from the specified function may cause an unsafe situation
- C2: Safety Relevant denotes a function where a single deviation from the specified function cannot cause an unsafe situation, but the combination with a second failure of another software or hardware unit may cause an unsafe situation
- C1: Interference Free denotes a function which is not safety critical or safety relevant, but has interfaces with such functions

Fault avoidance cont.

Some examples of requirement

- Requirement and requirement analysis
  - Traceability
  - Architecture descriptions
- Design
  - Semiformal design methods, computer aided design tool (UML)
- Implementation/Manufacturing
  - Static code analysis. C/C++ not recommended languages for safety
  - Code analysis tool (PCLint) to define safe subset
- Test
  - Low level automatic design tests
  - Integration test
  - Safety validation test
Fault Control

- Based on implementing safety measures in software/hardware to detect and react on errors, e.g.
  - Checksum calculation of data (CRC calculation)
  - Timer watchdogs
  - Software sequence monitoring
  - Memory hardware protection (MMU)
  - Cyclic RAM, Register and CPU instruction tests
  - Duplication of data/algorithms with comparison
- Measures implemented in Engineering tool (PC), Target system (Controller) and I/O-boards
- Measures designed to detect both hardware and software failure
- Error reaction in most cases leads to system shutdown

Fault Control - SIL2 concept

[Diagram: CB (Control Builder) -> AC800M HI SIL2 with PM (Processor Module) and SM (Safety Module) -> I/O bus -> Safety I/O]

- Control Builder engineering tool performs safe compilation (e.g. CRC protected application source code, compile twice)
- The SIL2 application is executed in PM (internal diagnostic + reporting state to SM)
- SM supervises the application execution (acts as watch dog to PM)
- The I/O telegrams are built in both PM and SM and the result is checked in I/O modules

Fault Control - SIL3 concept

[Diagram: CB (Control Builder) -> AC800M HI SIL3 with PM (Processor Module) and SM (Safety Module) -> I/O bus -> Safety I/O]

- The SIL3 application is executed in PM (with same diagnostics as in SIL2)
- SM also executes the SIL3 application (and in addition also acts as watch dog to PM as in SIL2)
- The I/O telegrams are built in both PM and SM and the result is checked in I/O modules (same as SIL2)

Fault Control - Reduced SIL requirements

SIL2 Controller
- The PM executes the application
- The SM supervises the application execution in the PM

SIL3 Controller
- Control Builder engineering tool performs safe compilation for both PM and SM
- The PM and SM execute the application. Result voted in I/O module.
- The SM supervises the application execution in the PM

- PM + SM together achieve SIL3
  - Individually the PM and SM software is only required to fulfill SIL2
  - Duplicated structures are common practice when developing systems with SIL > SIL2
  - Duplication requires avoidance of common cause failures (e.g. different implementation of PM and SM software required)
  - Too difficult to develop according to SIL3
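Added example, not ABB code, tying the Fault Control measures (CRC protected data, watchdog, duplication with comparison) to the PM/SM concept described on the SIL2, SIL3 and reduced-SIL slides above: two deliberately different implementations of one safety function build CRC protected I/O telegrams, and the I/O module votes, de-energizing everything on any deviation. The CRC polynomial, the telegram layout, the safety function, the fault injections and every name are my own assumptions, and the SM's watchdog role is simplified to a per-cycle sequence number that the I/O module checks.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
typedef struct { uint8_t outputs; uint8_t seq; uint16_t crc; } telegram_t;
typedef enum { IO_OK, IO_SAFE_STATE } io_result_t;

/* CRC-16/CCITT-FALSE (my choice; the slides only say "CRC") over the telegram payload */
uint16_t crc16(const uint8_t *d, size_t n) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(d[i] << 8);
        for (int b = 0; b < 8; b++) crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Constructed safety function: output k stays energized only while sensor k is within its limit.
 * PM and SM are written differently on purpose (avoidance of common cause failures). */
static uint8_t pm_logic(const uint8_t in[4], const uint8_t limit[4]) {
    uint8_t out = 0;
    for (int k = 0; k < 4; k++) if (in[k] <= limit[k]) out |= (uint8_t)(1u << k);
    return out;
}
static uint8_t sm_logic(const uint8_t in[4], const uint8_t limit[4]) {
    uint8_t out = 0;
    for (int k = 3; k >= 0; k--) out = (uint8_t)((out << 1) | (in[k] > limit[k] ? 0u : 1u));
    return out;
}

/* Each channel builds its own CRC protected I/O telegram carrying the cycle sequence number */
static telegram_t build(uint8_t outputs, uint8_t seq) {
    uint8_t b[2] = { outputs, seq };
    return (telegram_t){ outputs, seq, crc16(b, 2) };
}
static bool crc_ok(telegram_t t) { uint8_t b[2] = { t.outputs, t.seq }; return crc16(b, 2) == t.crc; }

/* I/O module vote: both CRCs valid, both telegrams from the current cycle (a stalled PM is
 * caught like a watchdog timeout) and identical results; otherwise de-energize (system shutdown). */
io_result_t io_vote(telegram_t pm, telegram_t sm, uint8_t seq, uint8_t *outputs) {
    bool ok = crc_ok(pm) && crc_ok(sm) && pm.seq == seq && sm.seq == seq && pm.outputs == sm.outputs;
    *outputs = ok ? pm.outputs : 0;          /* 0 = safe state, everything de-energized */
    return ok ? IO_OK : IO_SAFE_STATE;
}

/* One cycle on constructed inputs. fault: 0 none, 1 bit flip on the I/O bus (caught by CRC), 2 PM
 * stalled (stale seq), 3 PM computes a wrong result (caught by comparison). Returns outputs or -1. */
int demo_cycle(int fault) {
    const uint8_t in[4] = { 40, 90, 10, 70 }, limit[4] = { 50, 60, 20, 70 }, seq = 7;
    uint8_t pm_out = pm_logic(in, limit), outputs;
    if (fault == 3) pm_out ^= 0x08;
    telegram_t pm = build(pm_out, fault == 2 ? (uint8_t)(seq - 1) : seq);
    telegram_t sm = build(sm_logic(in, limit), seq);
    if (fault == 1) sm.outputs ^= 0x01;
    return io_vote(pm, sm, seq, &outputs) == IO_OK ? outputs : -1;
}
```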

Safety versus Availability and Maintainability

- A safe system doesn't lead to availability of the system
- In ABB 800xA the availability is solved by:
  - Hardware redundancy
  - Software quality
  - Software error handling (avoiding fatal error handling)
- In ABB 800xA Maintainability is solved by:
  - Hardware redundancy and Hot replacement
  - Software online upgrade

End