Application programming - Independence of SIFs

Application programming
Independence and integrity
Demonstration of independence and integrity versus level of complexity
© Bertrand Ricque 2009
What is independence demonstration

1. Demonstrating that existing interlocks don't generate adverse effects
   – i.e. demonstrating that unwanted states don't emerge
     • at SIF level
     • but also at SIS level
2. Demonstrating that interlocks don't exist
   – i.e. demonstrating that no evolution of external variables has an impact on a considered variable

Techniques and methods are identical for both:
– Equations
– Karnaugh tables, Excel spreadsheets
– Emulation and simulation
– Formal proof

These techniques are more or less complex and adapted to different cases, depending on the complexity of the logic.
Example 1 - Simple case

In this classical configuration a normally closed output depends on the status of normally energised inputs.

The output equation is O = (A+B).C.D

An unwanted state is O = 1 while C = 0, or D = 0, or (A and B) = 0
Example 1 - Simple case

Karnaugh table: the small quantity of variables allows building the table and checking that the unwanted state never occurs.

Simulation: it is possible to simulate one by one the 13 interesting combinations and check that the output remains at 0.

Equation: it is possible to solve the equation f(A,B,C,D) = 0

Sensitivity to programming style remains manageable.
Table of all 16 input combinations (A B C D) and the resulting output O:

A B C D | O
0 0 0 0 | 0
1 0 0 0 | 0
0 1 0 0 | 0
1 1 0 0 | 0
0 0 1 0 | 0
1 0 1 0 | 0
0 1 1 0 | 0
1 1 1 0 | 0
0 0 0 1 | 0
1 0 0 1 | 0
0 1 0 1 | 0
1 1 0 1 | 0
0 0 1 1 | 0
1 0 1 1 | 1
0 1 1 1 | 1
1 1 1 1 | 1
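An added example, not from the original slides, that carries out the three checks above in code: it builds the 16-row table for O = (A+B).C.D, picks out the 13 combinations in which the unwanted state could arise, checks that none of them reaches it, and compares two programmings of the same output exhaustively. The sum-of-products implementation and the faulty variant are constructed here, and the third unwanted-state condition is read as neither A nor B set, which is what yields the 13 combinations.

```python
from itertools import product

def output(a, b, c, d):
    """Output equation from the slide: O = (A+B).C.D ('.' = AND, '+' = OR)."""
    return (a | b) & c & d

def implemented(a, b, c, d):
    """Constructed second programming of the same function, written in
    sum-of-products style, to compare against the specification."""
    return (a & c & d) | (b & c & d)

def faulty(a, b, c, d):
    """Constructed programming mistake: D dropped from the AND chain."""
    return (a | b) & c

def unwanted(a, b, c, d, o):
    """Unwanted state from the slide: output energised (O = 1) while C = 0,
    D = 0, or neither A nor B is set (third condition read as (A+B) = 0,
    which is what gives the slide's 13 interesting combinations)."""
    return o == 1 and (c == 0 or d == 0 or (a | b) == 0)

def truth_table(fn=output):
    """All 16 rows (A, B, C, D, O), A varying fastest as in the slide's table."""
    rows = []
    for d, c, b, a in product((0, 1), repeat=4):
        rows.append((a, b, c, d, fn(a, b, c, d)))
    return rows

def interesting_rows(fn=output):
    """The 13 combinations in which the unwanted state could arise, i.e.
    every row except the three where O is legitimately 1."""
    return [r for r in truth_table(fn)
            if r[2] == 0 or r[3] == 0 or (r[0] | r[1]) == 0]

def violations(fn=output):
    """Rows that reach the unwanted state; an empty list is the demonstration."""
    return [r for r in truth_table(fn) if unwanted(*r)]

def equivalent(f, g):
    """Exhaustive equivalence check between two programmings of the output."""
    return all(f(*x) == g(*x) for x in product((0, 1), repeat=4))

if __name__ == "__main__":
    for row in truth_table():
        print(*row)
    print("violations (spec):", violations())
    print("violations (faulty):", violations(faulty))
    print("implemented == spec:", equivalent(output, implemented))
```

The same exhaustive loop scales only while the input count stays small; it is the programmatic form of the table and simulation steps the slide describes, not a substitute for them on Example 2.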
Example 2 – complex case

The actuator is an MOV and involves the following signals:
– With the field
  • Thermal protection status : THP = 1 = normal
  • Manual mode override : MO = 0 = override
  • Local mode override : LO = 0 = override
  • Auto mode override : AO = 0 = override
  • Open command : OC = 0 = command
  • Close command : CC = 0 = command
  • Stop command : SC = 0 = command
  • Open feedback : OF = 0 = opened
  • Close feedback : CF = 0 = closed
– Interlocks
  • Availability : AV = 0 = available
  • Open authorisation : OA = 0 = authorised
  • Close authorisation : CA = 0 = authorised
  • Stop authorisation : SA = 0 = authorised
  • Automatic open : AO = 0 = command present
  • Automatic close : AC = 0 = command present
  • Automatic stop : AS = 0 = command present
– Interface to higher level logic
  • Priority open request : POR = 0 = command present
  • Priority close request : PCR = 0 = command present
  • Priority stop request : PSR = 0 = command present
  • Load shedding : LS = 0 = requested
  • Return to load open : RSO = 0 = requested
  • Return to load close : RSC = 0 = requested
  • Open override : OO = 0 = override present
  • Close override : CO = 0 = override present
  • Stop override : SO = 0 = override present
Example 2 – complex case

– Intermediate variables
  • Operating mode : MOD
  • Command memories : MO1 and MO2
  • Status memories : ME1 and ME2
  • Open demand : OD = 0 = present
  • Close demand : CD = 0 = present
  • Stop demand : SD = 0 = present
  • Open timer : OT
  • Close timer : CT
  • Stop timer : ST
  • Open timer alarm : OTA
  • Close timer alarm : CTA
  • Stop timer alarm : STA
  • Error status : ER
– Interface to push buttons
  • Safety stop : SS = 0 = activated
  • Mode selector : AUTO = 1 = automatic
  • Manual open : MO = 0 = command
  • Manual close : MC = 0 = command
  • Manual stop : MS = 0 = command
  • Alarm acknowledgment : AL = 0 = acknowledged

Priorities between the physical inputs are defined.

Priorities between the interlocks are defined.
Example 2 - equations

SD = (((MOD . AS + /MOD . MS) . SA . /RSO . RSC + LS) . /POR . /PCR + PSR) . AV . /LO . /SS . /THP + /OF . (LO + SS + THP) . /CF

OD = (((MOD . /AS . /SCMD . AOC + /MOD . /MS . /MC . MO) . AM . /RSC + RSO) . /LS . /PCR + POR) . AV . /LO . /SS . /THP + OF . (LO + SS + THP) . /CF

CD = (((MOD . /AS . /AOC . ACC + /MOD . /MS . /MO . MC) . AM . /RSO + RSC) . /LS . /POR + PCR) . AV . /LO . /SS . /THP + CF . (LO + SS + THP) . /OF

MO2 = MO1 . OC

ME1 = OF + CF

ME2 = ME1 . OF

STA = ST . (MO1 . ME1 + /MO1 . /ME1)

CTA = CT . (MO2 . ME2 + /MO2 . /ME2)

OTA = OT . (MO2 . ME2 + /MO2 . /ME2)

ER = STA + CTA + OTA + THP + SS + LO

MOD = (/AUTO . /AO) + MO + LO + ER

SC = SD + CD . OF + OD . CF

ST = Time(SC)

OC = OD . ST

OT = Time(OC)

CC = CD . ST

CT = Time(CC)

MO1 = OC + CC
Memories and commands
[Logic diagram; signals shown: ME2, OF, ME1, CF, MO2, OD, OC, MO1, ST, SC, stop timer, CD, CC, SD]

Error status and timer alarms
[Logic diagram; signals shown: MO1, ME1, SC, ST, STA, stop timer, OC, OT, OTA, MO2, open timer, THP, ME2, CC, CT, ER, SS, CTA, LO, close timer]

Stop demand
[Logic diagram; signals shown: RSO, AS, MOD, RSC, SA, LS, PCR, POR, PSR, AV, THP, SD, SS, LO, OF, CF]
Example 2 - demonstration

The unwanted states have to be identified.

Examples are:
– Absence of simultaneous open and close command
– Absence of combinations of inputs preventing the expected output change
Example 2 - demonstration

The structure of the logic has the following characteristics and consequences:
– 28 inputs (268 435 456 combinations) and 3 outputs
  • Impossible to emulate manually
– Is not static (includes "implicit" flip-flops)
  • Karnaugh tables are useless
  • Behaviour is sensitive to the programming style
  • Static simulation is useless without taking into account:
    – the order of input changes
    – the number of calculation cycles
  – Impossible with Excel
  – Formal proof becomes unavoidable
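An added example, not from the original slides, that makes the two consequences above concrete: it scans the slide's memory equations MO1 = OC + CC, MO2 = MO1 . OC, ME1 = OF + CF, ME2 = ME1 . OF in PLC style and shows that the MO2 value read after an open command depends on the rung order (programming style) and on how many calculation cycles have run. The signals are treated as plain booleans, and the two rung orders, the all-zero initial state and the one-cycle command pulse are assumptions made here.

```python
# Rungs in the order the slide lists them: MO2 is written before MO1, so in
# a top-to-bottom scan MO2 reads MO1 from the previous cycle (an implicit
# flip-flop that is invisible in a static evaluation of the equations).
SLIDE_ORDER = [
    ("MO2", lambda s: s["MO1"] & s["OC"]),
    ("ME1", lambda s: s["OF"] | s["CF"]),
    ("ME2", lambda s: s["ME1"] & s["OF"]),
    ("MO1", lambda s: s["OC"] | s["CC"]),
]

# Same equations, reordered so every rung reads only values already
# refreshed in the current scan (constructed alternative programming style).
DATAFLOW_ORDER = [SLIDE_ORDER[3], SLIDE_ORDER[0], SLIDE_ORDER[1], SLIDE_ORDER[2]]

def initial_state(inputs):
    """All memories and inputs at 0 (assumed start), then the inputs applied."""
    s = {k: 0 for k in ("MO1", "MO2", "ME1", "ME2", "OC", "CC", "OF", "CF")}
    s.update(inputs)
    return s

def scan(state, rungs):
    """One calculation cycle: rungs evaluated top to bottom, each result
    immediately visible to the rungs below it."""
    s = dict(state)
    for name, fn in rungs:
        s[name] = fn(s)
    return s

def trace(rungs, input_sequence):
    """MO2 read at the end of each scan; input_sequence[i] holds the input
    changes applied just before scan i (empty dict = inputs unchanged)."""
    s = initial_state({})
    out = []
    for inputs in input_sequence:
        s.update(inputs)
        s = scan(s, rungs)
        out.append(s["MO2"])
    return out

def settle_cycles(rungs, inputs, limit=10):
    """Number of scans that still change the state after `inputs` are
    applied, before the logic becomes stable."""
    s = initial_state(inputs)
    for n in range(1, limit + 1):
        nxt = scan(s, rungs)
        if nxt == s:
            return n - 1
        s = nxt
    raise RuntimeError("no fixpoint within limit: oscillating logic")

if __name__ == "__main__":
    print("held OC, slide order   :", trace(SLIDE_ORDER, [{"OC": 1}, {}, {}]))
    print("held OC, dataflow order:", trace(DATAFLOW_ORDER, [{"OC": 1}, {}, {}]))
    print("1-scan OC pulse, slide :", trace(SLIDE_ORDER, [{"OC": 1}, {"OC": 0}, {}]))
```

With the slide's rung order a one-scan open command never reaches MO2 at all, while the reordered program registers it for one cycle; a static table of the same equations cannot distinguish the two.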