Cause-and-Effect Matrix Specifications For Interlock based systems
Specifications for interlock logic in Industrial controls and Safety Systems
(Figure: layered architecture of industrial controls and safety systems: supervision layer, PLC layer (S7) and field layer, linked over Profibus / Profisafe. Question posed on the slide: how to specify PLC interlock control logic?)
Main problems with specifications
2. Incomplete specification
3. Complex specification
(Figure: the specification as received by the controls expert)
Specification options for stateless logic (some examples)
(Figure: the same logic shown as a logic diagram and as a Boolean expression)
Specification options for stateless logic (some examples)
Cause and Effect Matrix

Effect columns: N_EISa_Safe{1}[1], N_EISa_Safe{1}[2], N_EISa_Safe{1}[3], StateOfElementsSC{1}
Column headers as extracted: Description, Tag, 1, 2, 3

 #  | Description                                                        | Tag                  | Matrix entries
----+--------------------------------------------------------------------+----------------------+----------------
  1 | Assignment of element [n] to safety chain {i}                      | SC-S{1}[1]           | N,A1,A2,A3,A4
  2 | Installation of door contact [n]                                   | I_EISa_Pos[1]        | A3,A4
  3 | Installation of emergency handle [n]                               | I_EISa_PU[1]         | A2,A4
  4 | Feedback of door contact [n]                                       | I_EISa_Pos_Stat[1]   | A1,A2
  5 | Feedback of emergency handle [n]                                   | I_EISa_PU_Stat[1]    | A1,A3
  6 | Bypass on element (both door contact and emergency handle) [n]     | I_EISa_Bypass[1]     | A2,A3,A4
  7 | Assignment of element [n] to safety chain {i}                      | SC-S{1}[2]           | N,A1,A2,A3,A4
  8 | Installation of door contact [n]                                   | I_EISa_Pos[2]        | A3,A4
  9 | Installation of emergency handle [n]                               | I_EISa_PU[2]         | A2,A4
 10 | Feedback of door contact [n]                                       | I_EISa_Pos_Stat[2]   | A1,A2
 11 | Feedback of emergency handle [n]                                   | I_EISa_PU_Stat[2]    | A1,A3
 12 | Bypass on element (both door contact and emergency handle) [n]     | I_EISa_Bypass[2]     | A2,A3,A4
 13 | Assignment of element [n] to safety chain {i}                      | SC-S{1}[3]           | N,A1,A2,A3,A4
 14 | Installation of door contact [n]                                   | I_EISa_Pos[3]        | A3,A4
 15 | Installation of emergency handle [n]                               | I_EISa_PU[3]         | A2,A4
 16 | Feedback of door contact [n]                                       | I_EISa_Pos_Stat[3]   | A1,A2
 17 | Feedback of emergency handle [n]                                   | I_EISa_PU_Stat[3]    | A3,A1
 18 | Bypass on element (both door contact and emergency handle) [n]     | I_EISa_Bypass[3]     | A2,A3,A4
Outline
Case Study
Applicability of CEM
Conclusions
Case Study – CERN test bench facility
Case Study – Operational specification
(Figure: operational specification relating test types, SCADA commands, process inputs and process outputs)
Case Study – Safety specification
(Figure: FMEA risk analysis feeding the Safety Function Specification)
• Unambiguous specification
• But no tool support for:
  • Test case generation
  • Verification case generation
  • Code generation
Cause and Effect Matrix (CEM)
• There are many variants of CEMs, and companies adopt the semantics that best fit their processes and engineering practices
Cause and Effect Matrix (CEM)
Variable discretization
Conclusions

CEM pros
• Simple and graphical mechanism
• Allows a better communication between control, process and safety experts
• Trivial generation of the PLC code
• Allows automatic generation of test and verification cases

CEM cons
• Not appropriate for all types of processes. Mainly convenient for stateless interlock logic
• Certain Boolean logic may be difficult to express in one single CEM (auxiliary CEMs may have to be included)

Future directions
• Extension of the CEM semantics to different activation logics (rising edges, pulses, etc.)
• PLC code generation and integration in the development cycle of SISs and interlock-based control systems
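The following is an added example, not code from the presentation or from CERN's tooling, that makes the CEM ideas above concrete: variable discretization of analog measurements into Boolean causes, evaluation of a stateless matrix, the "trivial" generation of PLC code (IEC 61131-3 Structured Text), and the automatic generation of test and verification cases claimed in the conclusions. The semantics are an assumption, since the slides stress that CEM variants differ: each column is an effect, and an effect is demanded when any marked cause in its column is active (OR). All tag names, thresholds and the matrix itself are constructed for illustration.

```python
"""Minimal cause-and-effect matrix (CEM) toolkit for stateless interlock logic.

Added example, not code from the original presentation. Assumed semantics
(one common CEM convention): rows are Boolean causes, columns are effects,
and an effect is demanded when ANY marked cause in its column is active.
Tag names, thresholds and the matrix below are constructed for illustration.
"""
from itertools import product

# Constructed matrix: effect -> set of causes that demand it.
# A cause may be a raw digital input or a discretized analog condition.
CEM = {
    "TRIP_PUMP_P1":   {"DOOR_1_OPEN", "ESTOP_1_PRESSED", "PT_101_HIGH"},
    "CLOSE_VALVE_V1": {"ESTOP_1_PRESSED", "PT_101_HIGH", "TT_201_HIGH"},
    "ALARM_HORN":     {"DOOR_1_OPEN", "ESTOP_1_PRESSED", "PT_101_HIGH", "TT_201_HIGH"},
}

# Variable discretization: analog tag -> (Boolean cause name, threshold).
# The cause is TRUE when the measurement exceeds the threshold (constructed values).
DISCRETIZATION = {
    "PT_101": ("PT_101_HIGH", 5.0),   # pressure, bar
    "TT_201": ("TT_201_HIGH", 80.0),  # temperature, degrees C
}


def causes_of(matrix):
    """All cause names referenced anywhere in the matrix, sorted for determinism."""
    return sorted(set().union(*matrix.values()))


def discretize(analog, table=DISCRETIZATION):
    """Turn analog readings into Boolean causes via a greater-than comparison."""
    return {name: analog[tag] > limit
            for tag, (name, limit) in table.items() if tag in analog}


def evaluate(matrix, causes):
    """OR semantics: an effect is active iff any marked cause is TRUE.
    A cause missing from the input is treated as inactive."""
    return {effect: any(causes.get(c, False) for c in marked)
            for effect, marked in matrix.items()}


def generate_test_cases(matrix):
    """One test vector per cause (only that cause active) plus the all-clear case.
    Each vector is (inputs, expected effects); the expectation is derived from
    the matrix itself, so it checks the implementation, not the matrix."""
    names = causes_of(matrix)
    all_clear = {c: False for c in names}
    cases = [(all_clear, evaluate(matrix, all_clear))]
    for active in names:
        inputs = {c: (c == active) for c in names}
        cases.append((inputs, evaluate(matrix, inputs)))
    return cases


def to_structured_text(matrix, disc=DISCRETIZATION):
    """Emit IEC 61131-3 Structured Text: one comparison per discretized cause
    and one OR expression per effect (the 'trivial' code generation)."""
    lines = [f"{name} := {tag} > {limit};" for tag, (name, limit) in sorted(disc.items())]
    for effect, marked in matrix.items():
        lines.append(f"{effect} := {' OR '.join(sorted(marked))};")
    return "\n".join(lines)


def exhaustive_check(matrix, spec_fn):
    """Verification helper: compare the matrix against an independent predicate
    over every input combination (2**n vectors, fine for small matrices).
    Returns the input vectors on which they disagree; an empty list means agreement."""
    names = causes_of(matrix)
    mismatches = []
    for bits in product([False, True], repeat=len(names)):
        inputs = dict(zip(names, bits))
        if evaluate(matrix, inputs) != spec_fn(inputs):
            mismatches.append(inputs)
    return mismatches


if __name__ == "__main__":
    readings = {"PT_101": 6.2, "TT_201": 40.0}   # constructed sample scan
    causes = {"DOOR_1_OPEN": False, "ESTOP_1_PRESSED": False, **discretize(readings)}
    print(evaluate(CEM, causes))
    print(to_structured_text(CEM))
    print(len(generate_test_cases(CEM)), "test vectors")
```

The exhaustive check is where the "verification cases" come from: the independent predicate is written from the safety requirement (for instance the FMEA outcome) rather than from the matrix, so a cell that was forgotten or marked in the wrong column shows up as a concrete disagreeing input vector. For larger matrices the one-cause-at-a-time vectors from `generate_test_cases` scale linearly and remain usable on the PLC itself.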