WO2016103229A1 - Method for verifying safety logic in an industrial process (original title: Procédé de validation d'une logique de sécurité dans un processus industriel) - Google Patents

Method for verifying safety logic in an industrial process

Info

Publication number
WO2016103229A1
Authority
WO
WIPO (PCT)
Prior art keywords
safety logic
safety
cause
controller
logic
Application number
PCT/IB2015/059975
Other languages
English (en)
Inventor
Prashant Kumar PISSEY
Original Assignee
Abb Technology Ltd.
Priority date
2014-12-24
Filing date
2015-12-24
Publication date
2016-06-30
Application filed by Abb Technology Ltd.
Publication of WO2016103229A1

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults, characterized by the response to fault detection
    • G05B23/0275 Fault isolation and identification, e.g. classify fault; estimate cause or root of failure
    • G05B23/0278 Qualitative, e.g. if-then rules; fuzzy logic; lookup tables; symptomatic search; FMEA
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/10 PLC systems
    • G05B2219/14 PLC safety
    • G05B2219/14006 Safety, monitoring in general
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 PC systems
    • G05B2219/25 PC structure of the system
    • G05B2219/25118 Matrix to connect sensor to corresponding actuator

Definitions

  • the present invention relates to managing safety applications in industrial processes.
  • a CEM maps one or more causes with one or more effects.
  • a cause is an event or an alarm detected through a sensor(s) that monitors a parameter associated with an industrial process.
  • An effect is an action(s) initiated in response to detecting a cause for mitigating risks.
  • a developer receives a CEM as input from an Engineering, Procurement and Construction (EPC) or other contractor.
  • the developer generates a safety logic based on the CEM.
  • the safety logic can create an automated link between input signals received from one or more sensors (e.g. field devices), and output signals to be sent to one or more devices (e.g. motors).
  • the developer then verifies the developed application manually, possibly writing a few test cases for the purpose.
  • Manual verification is error-prone, and the test cases used may be inaccurate or insufficient for the verification.
  • An aspect of the invention provides a method for verifying a safety logic in an industrial process.
  • the safety logic is executed by a controller (or by multiple controllers) of a control system of an industrial process, wherein the safety logic corresponds to a predefined cause and effect matrix.
  • the controller executes the safety logic by controlling one or more devices associated with the industrial process.
  • the controller controls the one or more devices based on one or more input signals received from one or more sensors, wherein the one or more sensors monitor one or more parameters of the industrial process.
  • the method comprises loading data corresponding to the safety logic from either the controller or the tool used for generating the safety logic.
  • the method also comprises determining from the data, a relationship between a plurality of causes and a corresponding plurality of effects.
  • each cause of the plurality of causes is linked with a corresponding input signal from a corresponding sensor of the one or more sensors.
  • each effect of the plurality of effects is linked with a corresponding device of the one or more devices.
  • the method comprises reconstructing a cause and effect matrix implemented by the safety logic based on the relationship between the plurality of causes and the corresponding plurality of effects. Thereafter, the method comprises comparing the reconstructed cause and effect matrix with the predefined cause and effect matrix to determine one or more inconsistencies in the safety logic for verifying the safety logic. The one or more inconsistencies may be used for regenerating the safety logic.
  • Fig. 1 is a simplified representation of a system for generating and verifying a safety logic
  • Fig. 2 is a flowchart of a method for verifying the safety logic.
  • Fig. 1 is a simplified representation of a system 100 for generating and verifying a safety logic.
  • safety logic refers to functional safety as per one or more standards associated with industrial automation.
  • An example of such standard is IEC 61508.
  • system 100 has a diagnostic tool 102, a safety tool 104, and a controller 106.
  • Diagnostic tool 102 provides various diagnostic features such as, but not limited to, reconstructing a Cause and Effect Matrix (CEM) from the safety logic, verifying the safety logic by comparing the reconstructed CEM with a predefined CEM, and regenerating the safety logic according to the result of the verification.
  • diagnostic tool 102 can also perform simulations and generate test cases and reports.
  • Diagnostic tool 102 may be provided as a separate tool, or may be integrated with a control system (of which controller 106 is a part). Further, diagnostic tool 102 may have one or multiple modules for performing one or more of the diagnostic features. For example, diagnostic tool 102 may have a data loading module, a data processing module, a simulation module, a restructuring module and so forth.
  • Diagnostic tool 102 takes inputs from safety tool 104 and / or controller 106 for performing one or more diagnostic features.
  • a cause and effect matrix 108 (CEM 108) is also available with diagnostic tool 102.
  • CEM 108 may be provided during engineering phase for generating the safety logic. It should be noted that CEM 108 may change with time. This may be due to change in requirements, standards, systems and equipment and so forth. Accordingly, the safety logic may have to be regenerated.
  • Safety tool 104 enables generating one or more safety logic programs to be executed by controller 106 (or by multiple controllers). For instance, safety tool 104 may be an editor that enables a developer to generate a safety logic based on a CEM.
  • the developer can provide a CEM as input (e.g. CEM data in a raw format).
  • the developer may also provide additional information (e.g. environment / other constraints not mentioned / covered in the CEM). All the inputs (i.e. CEM data and developer provided inputs) are converted by the editor automatically to a functional block diagram code (or safety logic).
  • the safety logic is configured in a standard language (e.g. provided by IEC 61131-3).
  • Controller 106 which is part of a control system (not shown in figures), is configured to execute the safety logic that is generated using safety tool 104.
  • the controller executes the safety logic by controlling one or more devices (e.g. devices 112a, 112b, 112c etc.) associated with an industrial process that is managed using the control system.
  • the controller controls the one or more devices based on one or more input signals received from one or more sensors (e.g. sensors 110a, 110b, 110c etc.).
  • the one or more sensors monitor one or more parameters of the industrial process such as heat, pressure, flow rate and so forth (depending on the industrial process).
  • the configuration of controller 106 may be performed during engineering or commissioning or thereafter.
  • the configuration involves creating links between different inputs (e.g. signals from sensors) and outputs (e.g. control of devices).
  • For example, when one or more sensors (e.g. temperature or pressure sensors) report a cause, controller 106 may take certain actions (the one or more corresponding effects) by operating certain devices (e.g. a cooler, an actuator etc.).
  • Such actions are taken to avert risks or potential hazards.
  • One way of performing such a configuration of controller 106 is to download the safety logic (functional block diagram code) into controller 106 (e.g. in a memory of controller 106). Such download may be performed after compiling the safety logic into executable code for the controller 106 (e.g. controller being programmable).
  • the safety logic may be first compiled into an intermediate code and then compiled into the native executable code for controller 106.
  • Fig. 2 illustrates a flowchart of a method for verifying a safety logic.
  • the method is implemented by diagnostic tool 102.
  • the safety logic is generated using a tool (e.g. safety tool 104) and executed by a controller(s) (e.g. controller 106).
  • the safety logic is expected to correspond to a predefined Cause and Effect Matrix (CEM).
  • the predefined CEM may be provided as an input by an Engineering, Procurement and Construction (EPC) or other contractor.
  • data corresponding to the safety logic is loaded.
  • the data may be loaded from the safety tool.
  • the data may be loaded from the controller.
  • the data may be in the form of a configuration file or executable script or compiled code.
  • the data corresponding to the safety logic may be retrieved from either the tool (in one read) or from the multiple controllers.
  • a relationship between a plurality of causes and a corresponding plurality of effects is determined.
  • the data is analyzed. Such analysis may require the data to be parsed (e.g. based on the nature of data), for identifying which portions of the data correspond to causes, and which portions correspond to effects. The analysis may depend on the tool used for generating the logic, and other factors such as development language.
  • Each cause of the plurality of causes is typically linked with a corresponding input signal (or signals) from a corresponding sensor (or sensors) of the one or more sensors.
  • each effect of the plurality of effects is linked with a corresponding device (or devices) of the one or more devices.
  • a CEM implemented by the safety logic is reconstructed.
  • the term 'reconstructed' refers to creating the CEM in the diagnostic tool from the loaded data; the step is a reconstruction rather than a fresh design.
  • This CEM is reconstructed (hereafter also referred as reconstructed CEM) based on the relationship between the plurality of causes and the corresponding plurality of effects identified at 204.
  • the reconstructed CEM may have a number of rows (corresponding to causes) and a number of columns (corresponding to effects). Further, the reconstructed CEM may have properties (e.g. format) similar to those of the predefined CEM, so that the two can be compared cell by cell.
  • the reconstructed CEM is compared with the predefined CEM to determine one or more inconsistencies in the safety logic. This may be done for performing one or more diagnoses; for instance, it may be performed for verifying the safety logic.
  • the method comprises regenerating the safety logic based on the one or more inconsistencies.
  • the regeneration may be performed at the diagnostic tool and/or the safety tool. This step involves approval as per the safety process / standard.
  • the step of regenerating the safety logic may comprise redefining (or updating) the predefined CEM based on the one or more inconsistencies.
  • the step of regenerating the safety logic may also comprise performing a simulation(s) to predict accuracy of the regenerated safety logic.
  • the step of regenerating the safety logic may comprise defining one or more test cases based on the one or more inconsistencies. A visual representation of the regenerated safety logic may also be generated for the verification.
  • diagnostic tool 102 may perform one or more steps of the method described herein.
  • the data may be loaded at diagnostic tool 102 through a data loading module, and the data may then be processed (e.g. steps 204, 206, 208 and/or 210) at a processing module, a matrix generation module and/or a safety logic module.
  • the method and diagnostic tool described herein can be used for performing different diagnoses and/or taking corresponding actions.
  • a safety engineer can use the diagnostic tool to extract data from the tool or from the controller itself.
  • the diagnostic tool may perform a read only operation at this point in time, so as to not disturb the safety logic or normal working of the safety logic (or safety application) or the controller.
  • a developer or safety engineer can generate a detailed report using the diagnostic tool.
  • the report can include details on the number of causes, effects, function blocks, input/output variables and other information used in designing the safety logic.
  • the diagnostic tool may also be used to animate the causes, and soft signals which trigger effects. Simulation features of the tool can be used to demonstrate the working of the safety logic.
  • the simulation can support different libraries used in designing safety systems / applications.
  • the diagnostic tool may also assist the developer or safety engineer in writing and executing the unit test cases to verify the correctness and working of the safety logic and report any logical errors or warnings.
  • the invention provides an improved method and tool for verifying safety logic in industrial processes.
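The core of the method described above (load the logic data, determine the cause-to-effect relationships, reconstruct the CEM, compare it with the predefined CEM) can be illustrated in a few dozen lines. The following is an added example and is not code from the patent or from ABB's tools: the one-effect-per-line `EFFECT := CAUSE OR CAUSE;` export format, the tag names, the predefined CEM and all function names are constructed assumptions for the illustration. A real diagnostic tool would need a parser for the actual safety tool's export or the controller's configuration, as the description notes, and the forward `generate_logic` step stands in for what the safety tool does when it turns a CEM into logic.

```python
# Added example: reconstruct a cause-and-effect matrix (CEM) from exported
# safety logic and compare it with the predefined CEM. Format, tags and CEM
# below are constructed for the example; they are not from a real safety tool.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class CEM:
    causes: tuple       # rows: input signals (sensor tags)
    effects: tuple      # columns: actions on devices (output tags)
    links: frozenset    # (cause, effect) pairs marked in the matrix

@dataclass
class Inconsistencies:
    missing_links: set    # required by the predefined CEM, absent from the logic
    extra_links: set      # implemented by the logic, not in the predefined CEM
    unknown_causes: set   # inputs the logic reads that the CEM never defines
    unknown_effects: set  # outputs the logic drives that the CEM never defines

    def is_consistent(self):
        return not (self.missing_links or self.extra_links
                    or self.unknown_causes or self.unknown_effects)

# Constructed sample of loaded logic data in a hypothetical text form
# (real data would be the safety tool's export or the controller's configuration).
SAFETY_LOGIC_EXPORT = """
(* constructed export; HS_901 is not in the predefined CEM *)
ESD_VALVE_01    := PT_101_HH OR TT_102_HH;
PUMP_P201_TRIP  := PT_101_HH OR LT_301_LL OR HS_901;
COOLER_C4_START := TT_102_HH;
"""

# Constructed predefined CEM (what the EPC contractor specified).
PREDEFINED_CEM = CEM(
    causes=("LT_301_LL", "PT_101_HH", "TT_102_HH"),
    effects=("COOLER_C4_START", "ESD_VALVE_01", "PUMP_P201_TRIP"),
    links=frozenset({
        ("PT_101_HH", "ESD_VALVE_01"),
        ("PT_101_HH", "PUMP_P201_TRIP"),
        ("TT_102_HH", "ESD_VALVE_01"),
        ("TT_102_HH", "COOLER_C4_START"),
        ("LT_301_LL", "PUMP_P201_TRIP"),
        ("LT_301_LL", "ESD_VALVE_01"),   # the sample logic lacks this link
    }),
)

COMMENT_RE = re.compile(r"\(\*.*?\*\)", re.DOTALL)
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*:=\s*(.+?)\s*;\s*$")

def parse_safety_logic(text):
    """Determine effect -> {causes} relationships from the loaded data."""
    relations = {}
    for line in COMMENT_RE.sub("", text).splitlines():
        if not line.strip():
            continue
        match = ASSIGN_RE.match(line)
        if not match:
            raise ValueError(f"unparseable logic line: {line!r}")
        effect, expr = match.groups()
        causes = set()
        for token in re.split(r"\bOR\b", expr):
            token = token.strip()
            if not re.fullmatch(r"\w+", token):   # only plain OR-ed tags supported
                raise ValueError(f"unexpected operand {token!r} for {effect}")
            causes.add(token)
        relations.setdefault(effect, set()).update(causes)
    return relations

def reconstruct_cem(relations):
    """Rebuild the CEM the logic implements: rows = causes, columns = effects."""
    links = frozenset((c, e) for e, cs in relations.items() for c in cs)
    return CEM(causes=tuple(sorted({c for c, _ in links})),
               effects=tuple(sorted(relations)), links=links)

def compare_cem(reconstructed, predefined):
    """Diff the reconstructed CEM against the predefined one."""
    return Inconsistencies(
        missing_links=set(predefined.links) - set(reconstructed.links),
        extra_links=set(reconstructed.links) - set(predefined.links),
        unknown_causes=set(reconstructed.causes) - set(predefined.causes),
        unknown_effects=set(reconstructed.effects) - set(predefined.effects),
    )

def verify(logic_text, predefined):
    """Load -> relate -> reconstruct -> compare, as in the described method."""
    return compare_cem(reconstruct_cem(parse_safety_logic(logic_text)), predefined)

def generate_logic(cem):
    """Forward direction (the safety tool's job): CEM -> logic text."""
    lines = []
    for effect in cem.effects:
        causes = [c for c in cem.causes if (c, effect) in cem.links]
        if causes:
            lines.append(f"{effect} := {' OR '.join(causes)};")
    return "\n".join(lines)

if __name__ == "__main__":
    print(verify(SAFETY_LOGIC_EXPORT, PREDEFINED_CEM))
```

Three classes of inconsistency are reported: links the predefined CEM requires that the logic does not implement, links the logic implements that the CEM does not specify, and causes or effects the logic uses that the CEM never defined (the constructed `HS_901` input falls in the last two). Loading the data from the controller rather than from the engineering tool verifies what actually executes rather than what the tool last generated; as the description points out, that read should be read-only so the running safety application is not disturbed.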

Abstract

A method is provided for verifying a safety logic executed by a controller of an industrial process control system, the safety logic corresponding to a predefined cause and effect matrix (CEM). The controller executes the safety logic by controlling one or more devices based on one or more input signals received from one or more sensors. The method comprises loading data corresponding to the safety logic either from the controller or from a tool used to generate the safety logic. The method also comprises determining, from the data, a relationship between a plurality of causes and a corresponding plurality of effects, and reconstructing a cause and effect matrix implemented by the safety logic based on that relationship. The reconstructed cause and effect matrix is compared with the predefined cause and effect matrix to determine one or more inconsistencies in the safety logic, in order to verify the safety logic.
PCT/IB2015/059975 2014-12-24 2015-12-24 Method for verifying safety logic in an industrial process WO2016103229A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN6541CH2014 2014-12-24
IN6541/CHE/2014 2014-12-24

Publications (1)

Publication Number Publication Date
WO2016103229A1 (fr) 2016-06-30

Family

ID=55174682

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2015/059975 WO2016103229A1 (fr) 2014-12-24 2015-12-24 Method for verifying safety logic in an industrial process

Country Status (1)

Country Link
WO (1) WO2016103229A1 (fr)



Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6448982B1 (en) * 1998-04-23 2002-09-10 Siemens Energy & Automation, Inc. System for graphically generating logic for a cause and effects matrix

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
H. An et al.: "Automated Cause & Effect Analysis for Process Plants", AIDIC Conference Series, 10 June 2009, pages 9-18, ISBN 978-88-95608-10-5, DOI: 10.3303/ACOS0909002, http://www.aidic.it/acos/09/09/002.pdf *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018151866A (ja) * 2017-03-13 2018-09-27 Omron Corporation Evaluation system, safety controller, evaluation program, and evaluation method
CN112462729A (zh) * 2019-09-09 2021-03-09 Baker Hughes Oilfield Operations LLC Shadow function for protecting a monitoring system
CN112462729B (zh) * 2019-09-09 2023-12-19 Baker Hughes Oilfield Operations LLC Shadow function for protecting a monitoring system

Similar Documents

Publication Publication Date Title
JP6621204B2 (ja) System and method for model-based techniques and processes for safety-critical software development
US10915422B2 (en) Automatic setting of multitasking configurations for a code-checking system
EP3314340B1 (fr) Control contextualization and reasoning about control
EP3101547A1 (fr) Control system, method, program and information processing device
JP6096414B2 (ja) Method, apparatus and program for testing a batch configuration
US10503146B2 (en) Control system, control device, and control method
US20120246612A1 (en) System and method for verification and validation of redundancy software in plc systems
CN103279418B (zh) Method and device for testing configuration control information
JP2009512951A (ja) Method for modelling the effect of failures on the behaviour of a system
US9342441B2 (en) Methodology and tool support for test organization and migration for embedded software
EP2386954A1 (fr) Method for automatic error detection and software verification
KR101178186B1 (ko) Method for alarming abnormal states of an automation line composed of multiple facilities using PLC signal patterns in a PC-based system
US10997344B2 (en) ECU simulation device
Wotawa et al. Quality assurance methodologies for automated driving.
Reijnen et al. Synthesized fault-tolerant supervisory controllers, with an application to a rotating bridge
WO2016103229A1 (fr) Method for verifying safety logic in an industrial process
JP5680514B2 (ja) Computer with self-diagnostic function, software creation method, and software creation device
CN111078444B (zh) System and method for safety analysis of failure behaviour
US20150046138A1 (en) Vehicular simulation test generation
US9733628B2 (en) System and method for advanced process control
Schamp et al. Virtual commissioning of industrial control systems-a 3D digital model approach
US20210406161A1 (en) Method and computer program for testing a technical system
JP6290147B2 (ja) Computer-implemented method for creating control device program code and associated message management system
US20150205271A1 (en) Automated reconfiguration of a discrete event control loop
US10488835B2 (en) Method for configuring a tester equipped for testing an electronic control unit

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 15825966; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 EP: PCT application non-entry in European phase (Ref document number: 15825966; Country of ref document: EP; Kind code of ref document: A1)