Modelling safety-related control systems

Iain Rennie, Operations Manager (Engineering) at Elite Control Systems, explains the advantages of using software tools to model safety-related control systems and simulate their operation.

Whenever a production or process control system is newly built or modified, rigorous testing is essential to ensure that it performs as expected.

However, testing on a 'live' system is undesirable for a number of reasons.

First, it ties up valuable production facilities and, second, it carries risk.

The risk lies in the fact that an unexpected reaction to an input could lead to wasted raw materials, spoilt part-processed or finished product, damage to the equipment or, worst of all, a hazardous situation that could cause personal injury or damage to the environment.

Of course, for safety-related control systems it is these latter risks that are of most concern.

Not surprisingly, system builders today routinely apply in-house tests on control systems, as well as customer-specified acceptance tests.

For many years control engineers have used switch and lamp boxes to represent the inputs and outputs for the PLC, SCADA or DCS (programmable logic controller, supervisory control and data acquisition, and distributed control system, respectively) but, although this approach is very helpful, it has a number of serious limitations.

For example, setting-up the hardware invariably requires the power supplies, processors, racks, connectors and other system components to be assembled at the test site.

This assembly - and subsequently dismantling - is extremely time-consuming.

Furthermore, running the tests relies on a nimble-fingered test engineer who must follow the test sequence precisely.

After a system has been installed, it is not uncommon for changes to be made to the control system software.

At this stage in the project it is likely that timescales will be tight, which rules out anything but testing on the 'live' system.

Because of the implications of this, testing will almost certainly not be as thorough as the earlier ones performed using switch and lamp boxes.

Modern computing has, thankfully, provided a better alternative.

Complex processes can now be modelled in software and their operation can be dynamically simulated, with software taking the place of the switch and lamp boxes, and automated test routines doing the job of the nimble-fingered test engineer.

Generally there are two approaches to simulating the inputs and outputs (I/O): DDE (dynamic data exchange) through the programming port of the system or, arguably superior, by using a remote I/O driver.

Using this latter technique, only the process I/O image of the system can be written to, which truly reflects the simulation of any I/O that can be connected.

As with the switch and light box method, a test routine needs to be written, but this time it is written for the process simulation package to execute, not the test engineer.

Invariably the tests will therefore be more thorough, as more complex test routines can be programmed with no risk of the test engineer failing to follow the procedure correctly.

Compared with using switch and lamp boxes, software tools such as SST's PICS package can typically save 30 per cent of the overall programming, installation and debugging time, which enables the process to come on stream sooner.

Software problems can be located and corrected 10 or 20 times faster and, importantly, this can be done before they cause delays or cost overruns.

In the case of plant that is being upgraded, process downtime can be minimised by installing the new software only after it has been thoroughly tested and proven off-line.

Meanwhile, the existing software can continue to run, enabling production to be maintained until as late as possible.

Almost any system can be modelled and simulated, ranging from continuous processes to batch processes and discrete manufacturing.

However, safety-related control systems are particularly suitable for simulated testing.

In some cases it may be the safety of the process or plant that is at risk, but it could equally well be the safety of personnel or the environment.

In either situation, the software allows 'unsafe' scenarios to be tested in complete safety, as well as highly complex combinations of events that would be too difficult to test manually using switch and lamp boxes.

A wide range of different processors and I/O types can be modelled dynamically, including redundant arrangements of diverse processors used for safety applications.

Elite has also used PICS to test and validate software developed for the Pilz PSS (programmable safety system) hardware.

Should the control system be upgraded in the future, the software model can likewise be upgraded and thoroughly tested prior to the system going live in the plant.

Because the software model and test routine are both object-orientated, it is very easy to modify existing items in the event of changes being made.

Moreover, for companies such as Elite Control Systems that use PICS for virtually every control system project, the substantial in-house library of objects enables new projects to be programmed extremely quickly.

As well as testing the logic of the software, PICS can be used in conjunction with other packages to enable a 'virtual instrumentation' front-end to be built, so the operator sees an on-screen version of the instruments that will be present in the plant control room.

This enables the ergonomics of the control system to be assessed, and allows training to be undertaken in advance of the installation.

As a result, there is no risk to the actual process or plant during training, and no production time is lost to training activities; as soon as the new control system goes live, it is truly productive.

Ongoing 'refresher' courses can also be undertaken by operators and maintenance engineers, which is especially useful for safety-critical scenarios that do not arise during the normal operation of the plant.

For companies operating competency management schemes in line with the requirements of IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety related systems), plus its European Harmonised equivalent, EN 61508, undertaking training for safety-critical scenarios is almost essential if plant operators are to demonstrate the necessary competencies.

Another aspect of IEC 61508 where PICS plays an important role is in the validation of software for use within E/E/PES control systems.

Rather than incur the cost and time penalties associated with using third-party assessors, Elite has consultants in a Quality/Consultancy department who operate independently from the engineers in the Project department.

The consultants are able to take the control system software written within the Project department and assess it using PICS.

Given the advantages offered by PICS, it might seem surprising that it is not used more widely.

However, the software is not cheap to purchase, which somewhat limits its user base.

Having used the system for a number of years, however, Elite is convinced that PICS is an essential element of the system integration process, especially for safety-related projects and those conforming to the requirements of IEC 61508.

Contact Elite Control Systems now to find out more about the company's system integrator services and Elite's Safety Consultancy services.

Back to top