Automated Logic Validation utilising a Virtualised Reference System

Process Safety Solutions support a number of assets which utilise the Rockwell Automation Trusted TMR Safety Instrumented System product range to provide Emergency Shutdown, Process Shutdown and Fire and Gas systems. These systems are made of a number of Trusted system nodes, working together via software and hardware intertrips, to form combined Safety Systems.

The functionality of these systems is defined by Cause and Effects and Logic Diagrams (Logigrams). The Cause and Effect and Logigram definitions are developed and maintained by Process Safety Solutions (PSS) CERES and LEDA software packages. Both CERES and LEDA are electronic database-based systems which, in addition to generating the relevant drawings, can export a sequence list of Input (Cause) to Output (Effect) relationships, which is utilised by PSS automated validation tool, VESTA.

VESTA allows for the automated validation of a target system by simulating Inputs and monitoring Outputs. Output state changes are compared against those expected by the CERES / LEDA definitions and a report is produced, highlighting successful tests and any discrepancy. All Outputs are monitored during testing to capture any unexpected actions. VESTA is capable of testing direct action effects, time delayed trips, pulse timers and MooN voting.

The below shows an example test report, with a Green X representing an expected effect, a Red X representing an unexpected effect and a Red O representing an expected effect which did not action.

To allow multiple systems/nodes to be validated utilising VESTA, a combined reference system is required. The Trusted system offers an emulated logic solver, known as NT Target, which allows the site application to be loaded into a PC target, utilising the same kernel as the physical Logic Solver. Running multiple NT Targets within a Virtualised environment allows for a full site Safety Instrument System to be simulated.

NT Target enables a single logic solver to be emulated but does not allow for signal transfer between different NT Target instances. To enable data transfer between emulated logic solver nodes, including software and hardwired intertrips, the PSS Digital Twin software tool is utilised. The PSS Digital Twin senses when an Intertrip signal output changes state and writes the same state to the corresponding Intertrip input.

An example four node simulated system is shown below;

Where systems have a combined Cause and Effect / Logigram definition for multiple logic solver nodes, the Virtualised NT Target / PSS Digital Twin reference systems allows for full end to end validation regardless of which node the cause is or which node the effects are.

The following shows a 2oo3 Vote test where each Input signal in a different node. Based on the Cause and Effect definition, each vote combination trips outputs in all four nodes.

Full Cause and Effect / Logigram testing is performed utilising the Virtualised NT Target / PSS Digital Twin reference system annually for each system, with a VESTA validation report created.