hallan w. veiga, max h. de queiroz, jean-marie farines

Hallan W. Veiga, Max H. de Queiroz, Jean-Marie Farines Departamento de Automação e Sistemas,

Universidade Federal de Santa Catarina, Florianópolis, BrazilMarcelo L. de Lima

Research & Development Center (CENPES), Petrobras, Brazil

Torino, 18 September 2017 1

FMICS-AVoCS 20172/18

Automation systems in Offshore Oil Platforms:◦ faults can be catastrophic: Safety,

Health and Environmental consequences.

Safety Instrumented Systems◦ Sensors to detect hazardous situations

◦ Actuators to lead the process to a safe state

◦ Programmable Logic Controller (PLC)

errors in PLC programs of SIS:◦ Dangerous failure (DF)

cause and not effect

observed only in critical situations

◦ Safe failures (SF)

Effect and not cause

Bypasses may cause DF

FMICS-AVoCS 2017 3/18

Techniques to develop a valid PLC program:◦ Design methodology based on standards

IEC 61511

O&GI Standards

◦ Formal methods Exponential growth of state-space

Correct mathematical model

◦ Conformance testing Black-box approach

Non-exhaustive

Automation of Test◦ reduce costs, time and human-errors ◦ enhance test coverage


1. Introduction

2. Validation of SIS in the O&GI

3. A Method for Testing SIS

4. Automation of Test

5. Application

6. Conclusion


Cause and Effect Matrix(CEM)◦ Petrobras Standard I-ET-3000.00-1200-800-PGT-006_0


ESD-101 = HSS-101100 or YST-101200

FD-101 = YST-101200 or [HSS-101100 and (UST-101001 or UST-101002 or UST-101003)]

FC-102 = YST-101200(for 10s) or Vote2oo3(UST-10100, UST-101002, UST-101003)

FactoryAcceptance

Test

TestSpecification

Testing

Piping & Instrumentation Diagram

Cause & EffectMatrix

DescriptiveMemorial

PLC Code

PLC

PLC + Instrumentation

FunctionalSpecification

SafetySpecification

PLC LogicSpecification

Programing

Instalation

Compilation

LogicDiagram

ModelCheckin

g

C.Ex.

ModelCheckin

g

C.Ex.

AutomatedTesting

Generation of OraclesGeneration of Test Cases

Cause & Effect Matrix

Verdict

Test Result EvaluationExecution of Test Cases

I.1

I.0

Test Cases

Time Petri Nets

Q.1

Q.0

I.1I.0

Q.1Q.0

PLC


Exhaustive testing is infeasible

◦ grows exponentially with number of causes

◦ more than 1.000 sensors for SIS in offshore platforms

CEG-BOR (Paradkar, Tai and Vouk; 1997)

◦ Cause and Effect Graph for Boolean Operator

◦ only combinations of causes that effectively sensitize an effect

◦ It avoids redundancies and ambiguities for fault detection.

◦ Number of test cases is linear with the number of CEM entries

◦ Effective only for singular expressions

CEG-BOR-MI

◦ Meaning Impact (MI) for nonsingularities

◦ Vote2oo3(A, B, C) = AB + BC + AC


Limited Entry Decision Table:12 test cases from 32 combinations


PASS OK+

DANGEROUS FAILURE

SAFE FAILURE

CAUSE EFFECT

PASS OK-

t1 t2 t3 t4

NOT CAUSE

[T,T] [T,T] [T,T] [T,T]


Diagnostic Module

Timed Module

Logic Module

PASS OK-

DANGEROUS FAILURE

SAFE FAILURE

CAUSE

EFFECT

PASS OK+

t1 t2 t3 t4

t5 t8t6 t7

START

YST-101200

UST-101001*UST-101002 + UST-101002*UST-101003 + UST-101001*UST-101003

FALSEYST-101200

[TEMP]

WAIT

FC-102

n(FC-102)

t22

t21

t17

t18

t19

t20

t13

t14 t15

t16

TESTING

t11 t12

t9

t10

RESET

not(YST-101200)

not(UST-101001*UST-101002 + UST-101002*UST-101003 + UST-101001*UST-101003)

[10,10]

Control Module

Reading & Voting Module


Cause & Effect Matrix Editor

OPC server

PLC simulator or jig test

PLC Programming

Software

Automatic Tester

PLC code

Verdict

Tester

Process engineerProgrammer

XML

PDF


Safety PLC for several subsystems: ◦ electrical, shutdown, fire and gas (F&G), control,

turret and vessel

130 Cause and Effect Matrices (50 x 50)


Method for automating testing of safety PLC◦ CEM organizes a large set of safety specifications

◦ CEG-BOR-MI assures efficient coverage of test cases avoiding the combinatorial complexity

◦ Use of Time Petri Nets facilitates the automation of oracle generation and improves the reliability of verdict

Automated test was successfully applied to a real offshore platform.

The experimental tool is being improved for use in oil and gas industry.

Model-checking the CEM in large PLC code is under research.


hallan w. veiga, max h. de queiroz, jean-marie farines

Documents