Cause & Effect Chartsftp.gongkong.com/UploadFile/datum/2012-3/... · © 2011 infoteam Software AG | Am Bauhof 9 | 91088 Bubenreuth | Germany | Phone +49 9131 78000 | Fax +49 9131

1 © 2011 infoteam Software AG | Am Bauhof 9 | 91088 Bubenreuth | Germany | Phone +49 9131 78000 | Fax +49 9131 780050 | www.infoteam.de | V 2.4

Cause & Effect Charts for protection systems compliant with IEC 61508 SIL-3

Dr. Wolfgang Brendel


History of Cause & Effect Matrix

Cause &Effect

Established specification method

Recommended NORSOK standard

Describe emergency shutdown systems

Used for safety-related functions in

process industry

oil and gas industry

chemical industry

pharmaceutical industry

But currently mostly used as

documentation tool like MS Excel


Motivation for Cause & Effect Matrix

Define safety-related functions in tables

Unambiguous and easy to understand syntax

Dedect design errors by rigorous semantics

Avoid manual translation

Traditional from C&E to Function Blocks

No information lost by interpretation

From specification to executable code by validated compiler

Analysis == SRS == Implementation == Documentation

Test and Validation support

Test coverage for all potential causes and effects

Visual detection of unreachable conditions

Reduce effort for safety-related application software


Assertions in Safety Applications

Cause and Effect proven as adequate and efficient

Intuitive

easy transformation of

automation problem into

Cause and Effect matrix

Fast

very few steps necessary

to implement matrix

Proven in Use

predestined for safety related development


The Method of Cause & Effect Computation

Safety related applications

with Cause and Effect matrix

CAUSE

Pre-processing safety related

sensors as inputs within causes

INTERSECTION

Define safety related functionality

in Modal logic 模态逻辑

EFFECT

Post-processing step

to modify safety related actors with timing


CAUSE Specification

Causes indicate safety critical situations of a system

Inputs of a cause can be 1..4

PLC input variables (sensors)

internal variables

Activation conditions for

BOOL, SAFEBOOL:

energize to trip (ETT),

de-energize to trip (DTT)

REAL, INT:

high or low level limitation

Logical combinations AND, OR, XOR

Timing function according to IEC 61131 TON, TOF, TP


CAUSE Processing

CauseVariable State

InputVariable ( Sensor 1)

Activation Condition

Internal Cause

Output

Function AND , OR ,

XOR …

Timing

CauseVariable State

InputVariable ( Sensor i)


»bypass and force for commissioning and maintenance

»synchronized execution of logical operations


EFFECT Definition

effects describe the safety related actions inside a system

outputs of an effect can be

PLC output variables (actors)

internal variables

Effect definition consists of

conjunction of causes XooM

timing functions TON, TOFF, TP

Activation condition

for 1..4 output tags

BOOL, SAFEBOOL:

energize to trip (ETT),

de-energize to trip (DTT)


EFFECT Processing

»output tags can be used as inputs

to specify sequences

(e.g. shutdown)

Operation

( XooM )

Internal

Effect

State

Output variable (actor 1)


Timing

Output variable (actor j)



Cause & effect chart specification: intersection

Defines the relation between causes and effects

Connection types

N – not stored,

if the activation condition of a

cause becomes false the

connected effect is deactivated

S – stored ,

if the activation condition of a

cause becomes false the effect

remains activated (highest priority)

R – Reset

Reset a stored effect (lowest priority)

Empty – no relation between cause and effect


Cause & effect chart specification: general

CauseVariable

State

InputVariable

( Sensor 1)

Activation

Condition

Internal Cause

Output

Function

AND ,

OR ,

XOR …

Timing

CauseVariable

State

InputVariable

( Sensor i)

Activation

Condition

CauseVariable

State

InputVariable

( Sensor 1)

Activation

Condition

Internal Cause

Output

Function

AND ,

OR ,

XOR …

Timing

CauseVariable

State

InputVariable

( Sensor i)

Activation

Condition

Operation

( XooM )

Internal

Effect

State

Output variable

Activation

Condition

Timing

Output variable

(actor j)

Activation

Condition

»general processing in one PLC cycle

1. read input process image

2. cause processing

3. intersection processing

4. effect processing

5. write output process image


How Cause & Effect supplements IEC 61131-3

Cause & Effect Matrix

Function Block Diagrams


Example: Overflow Protection

1. Pipes and Instrumentations Diagram P&ID describes the plant

2. Safety requirements specification

specifies the hazards

SIL and safe state

3. Specification of the safety function

detection of the dangerous situation

safety related actions to avoid accidents

diagnostics of measures taken

4. Implementation

HW: safety-related PLC

SW: C&E charts

5. Test and validation


Overflow protection (1)

1. P&ID

» arrangement to blend substances 1 and 2

while the tank buffers the alloy for the next

processing steps

» to convey material 1 a pump is necessary

» Material 2 flows because of the incline,

the pump delivers constant pressure

» unpressurized tanks

2. Safety requirements

» tank contains the toxic alloy

» avoid overflow of tank using

process control

» hazard analysis results in SIL 3 (IEC 61511)



3. Design specification of the safety function

» 1oo2 installation on sensor side and on actor side because of SIL 3 requirement

3.1 fill level measurement

» pressure sensor L31

» proximity sensor LH30 with two adjustable limits

» diagnosis: LH30 lower limit and dedicated pressure of L31 must be correlated

3.2 stop feeding of substance1 and 2

» two actors in both flows

» substance1: pump P1 and valve V1

» substance2: valves V2 and V3

» P1 and V2 process and protection function, diagnosis during operation

» V2 and V3 protection function, diagnosis part of the safety function



4. implementation

4.1 hardware

sensors

» no self-diagnosis

» comparison between values of

both sensors in software

actors

» no self-diagnosis

» V2 and V3 checked by the operator

» check initiated by software


Overflow protection (4): One C&E says it all!

4.2 software

safety function:

» cause: HighLimit_B3

» effect: StopFlow_C1

StopFlow_C2

Stop_P2

sensor diagnostic:

» cause: Check_LH30_L31


StopFlow_C2

Stop_P2

Sensor_NOK

actor diagnostic:

» cause: Check_V1_V3


Confirm_Check

4.3 Non-technical measures


C&E Editor – an infoteam Software product

»SIL Claim Level 3

»Certified by TÜV SÜD

»FSM and docs May 2011

»Product expected IV.Q 2011

»Complete set of documentation

»Safety Concept

»Safety Plan

»V&V Plan

»Risk Analysis

»…

»Assessment Protocols

»Certificate


.. We‘re ready to take the next step with you!

Your contact:

JIANG Yunhao

infoteam Software (Beijing) Co., Ltd.

www.infoteam.com.cn

Documents

Cause & Effect Chartsftp.gongkong.com/UploadFile/datum/2012-3/... · © 2011 infoteam Software AG | Am Bauhof 9 | 91088 Bubenreuth | Germany | Phone +49 9131 78000 | Fax +49 9131