Control and supervision of DTU’s Electric Lab

Árni Steinar Kjartansson

Control and supervision of DTU’s Electric Lab

Bachelor’s Thesis, December 2008


This report was drawn up by: Árni Steinar Kjartansson

Supervisor(s): Morten Lind, CET, Ørsted•DTU; Chresten Træholt, CET, Ørsted•DTU; René Arnskov, Balslev

Ørsted•DTU Automation and Control
Technical University of Denmark
Elektrovej Building 325
2800 Kgs. Lyngby
Denmark
www.oersted.dtu.dk/cet
Tel: (+45) 45 25 35 00
Fax: (+45) 45 88 61 11
E-mail: [email protected]

Release date: 2 Dec 2008

Category: 3 (according to agreement)

Edition: 1st edition

Comments: This report is part of the requirements to achieve the degree of Diplomingeniør/Bachelor of Engineering at the Technical University of Denmark. This report represents 15 ECTS points.

Rights: © Árni Steinar Kjartansson, 2008


ABSTRACT

Supervisory control and data acquisition (SCADA) systems have become increasingly important in modern industry over the last decades. A well-designed SCADA system will increase the quality control, safety and accessibility of today’s automated processes. This thesis describes the design of a SCADA prototype system for DTU’s Electric Lab. Special emphasis is placed on operational safety and on the use of theory in the design of the graphical representation of the system.


TABLE OF CONTENTS

Abstract ........ 3
List of figures ........ 9
1 Introduction ........ 11
1.1 Background ........ 11
1.2 Problem formulation ........ 11
2 System components ........ 13
2.1 PLC ........ 13
2.2 Step 7 ........ 13
2.3 Simeas Power Meter ........ 13
2.4 WinCC ........ 14
3 System description ........ 15
4 PLC Design ........ 17
4.1 PLC program ........ 19
4.2 Integrated Safety design ........ 22
5 Human Machine Interface ........ 25
5.1 Guidelines ........ 25
5.2 Theory ........ 27
5.3 HMI Design ........ 32
6 Conclusion ........ 41
6.1 Results ........ 41
6.2 Further work ........ 42
References ........ 43
PLC Code ........ 44
WinCC pictures ........ 79


LIST OF FIGURES

Figure 3-1: System diagram ........ 15
Figure 4-1: Risk Assessment ........ 17
Figure 4-2: Contact feedback ........ 18
Figure 4-3: PLC editor overview ........ 20
Figure 4-4: Cycle time ........ 21
Figure 4-5: Safety program call sequence ........ 22
Figure 4-6: FB216 operation flowchart ........ 23
Figure 5-1: Human scanning of a screen ........ 26
Figure 5-2: Situational Awareness Factors ........ 28
Figure 5-3: Effect of automation on reliability ........ 31
Figure 5-4: Graphic editor ........ 32
Figure 5-5: Electric Lab Login ........ 33
Figure 5-6: System overview ........ 34
Figure 5-7: Generator overview ........ 35
Figure 5-8: Cell 10 overview ........ 35
Figure 5-9: Emergency stop window ........ 36
Figure 5-10: Measure error window ........ 37
Figure 5-11: Generator current safety ........ 38
Figure 5-12: Rail error ........ 38
Figure 5-13: Contact-welding alarm ........ 39


1 INTRODUCTION

1.1 Background

This project is based on an existing project, designed by Balslev for DTU. The project came to my attention during an earlier semester as a trainee student at Balslev. The objective is to renovate and upgrade DTU’s Electric Lab to modern standards. DTU’s Electric Lab consists of many cells that connect to generators via distributing rails and interconnect through various cabinets. At present the Electric Lab is operated completely manually and with only basic safety features. All experiments carried out in the cells have to be done in close cooperation with a supervisor, and the process is both time consuming and gives the operator a poor overview of the system.

1.2 Problem formulation

The aim of this project is to design a prototype Supervisory Control and Data Acquisition (SCADA) system, where the user can control and supervise the entire system through a touch screen or a PC. Is it possible to design a SCADA system that can reduce operator error, increase safety and increase access to information? The aim of this report is to answer this and the following questions:

• Can the entire project be simulated in software without the use of hardware?

• Is it possible to integrate safety features in the system?

• Can theory be used in the design of the graphical user interface?


2 SYSTEM COMPONENTS

This chapter will describe the system components used in the project. Each sub chapter will explain the individual components in detail.

2.1 PLC

The Programmable Logic Controller (PLC) represents the best solution for industrial applications in centralized and distributed systems. The PLC is the core of the system. It contains the logic code for the entire system and is the foundation for the other parts of the system to interact with. The PLC is completely modular and can be expanded easily. The PLC used in this project is the Siemens Simatic S7 PLC. This is Siemens’ latest PLC and it has been an industry standard for a long time.

2.2 Step 7

Siemens Step 7 is the software used to program and configure the PLC. It is composed of numerous editors and functions needed to implement any project. The primary Step 7 software is Step 7 Basic. All configuring and parameterizing is done in the Basic software. The S7 Graph editor is used to program individual blocks. The S7 PLCSIM software is used to simulate the code without physical hardware. This simulator has to be running if other parts of the system are to communicate with the PLC. These three editors are used to implement the project. There are several other editors included with the software, but they are not used in this project.

2.3 Simeas Power Meter

The Simeas power meter is designed to be a distributed meter, connected to the PLC via an industrial bus. Each individual meter can record up to 12 different values. The system is controlled and supervised using the measurements from this meter.


Unfortunately the meter could not be simulated and therefore all measurement values are read from a variable table.

2.4 WinCC

The human machine interface (HMI) is designed in Siemens WinCC. The communication between the PLC and the HMI is set up in both Step 7 and WinCC. The graphical visualization of the system is designed in the graphics designer. Other features include an alarm editor and a user administration editor.


3 SYSTEM DESCRIPTION

Figure 3-1: System diagram.

The project is based on the diagram shown in figure 3-1. It consists of three generators that connect to two cells via distributing rails. A single line in the diagram represents a three-phase system. The original project consists of four generators, specialised measuring instruments and over 20 cells. Because of the time restrictions, the original project is scaled down to the aforementioned size. Each cell will have a touch screen so the user can operate the system. The supervisor will have either a touch screen or a control PC with a monitor to operate the system. Only the supervisor has the right to connect a generator to the rails. Other than this restriction the users have the same privileges as the supervisor. The user can control every individual contact in the diagram. The system will be displayed graphically on the screen, both with an overview of the whole system and of its individual parts. The system has many meters located at the generators, rails and cells. The measurements include voltage, current, power, frequency and phase. These measurements are used in the PLC to control the system and to give the user information. The system will contain several safety features, designed to reduce the risk of accidents and aid the user in the operation of the system. Because of the time restrictions, only the parts of the system needed to test functionality are implemented. This includes generator one and two, rail A and B, cell 8 with system 1 and cell 10 with system 1 and 2. This includes five contacts. The safety features are implemented in a single contact to test functionality. This is true of both the Step7 and WinCC design.


4 PLC DESIGN

This chapter will focus on the PLC program and the integrated safety program. Both parts are programmed with the same software, but the integrated safety part has to fulfil certain standards that are not applied to the rest of the code and is therefore reviewed separately. Before an industrial system is designed it has to go through a risk assessment to determine the level of risk to the user. The standard used in this project is EN 954-1 (see CD for a PDF file). This standard applies to the safety of machines where a safety control system is implemented. Although this system does not contain dangerous machinery that is exposed to the user, it does expose the user to high voltage of up to 2 kV, which is considered lethal. For that reason the standard EN 954-1 is applied to the system. The starting point for the risk assessment can be seen in figure 4-1.

Figure 4-1: Risk Assessment.

The first decision in the assessment is whether there is slight risk to the user (S1), meaning reversible injury, or serious risk to the user (S2), meaning irreversible injury or death. As mentioned before, the exposure to 2 kV means the possibility of death and therefore a serious risk. The next decision deals with the exposure time to the hazard: short exposure time (F1), usually meaning less than once per shift, or long exposure (F2), meaning more than once per shift. The Electric Lab contains many cells, so exposure to the hazard is both frequent and long. The last decision addresses the possibility of avoiding or limiting the hazard: whether it is possible under specific conditions (P1) or scarcely possible (P2). In this case the user has full control over the system and any attempt to restrict access to reduce the hazard would not benefit the user. As figure 4-1 indicates, this places the system in risk category 4. According to standard EN 954-1, this requires a fail-safe emergency shutdown system with a feedback signal from the contacts. It also requires that all emergency buttons are connected fail-safe, meaning that either cutting or shorting the cable will result in an immediate shutdown of the system. Every contact in the system consists of two series-connected contacts operated simultaneously. Every time the contacts are opened, a feedback signal shows the position of the contact. This signal will indicate if a contact has welded shut, see figure 4-2. If one of the contacts were to weld shut, the other contact would open the circuit.

Figure 4-2: Contact feedback.

Because a fail-safe emergency shutdown system is required, special hardware is needed to fulfil this requirement. Since this project is fully simulated, there is no need for fail-safe hardware. The simulated CPU has to be able to implement the safety program needed in this project, and the CPU chosen for this project is the fail-safe 315F-2DP CPU. It is designed for medium to large projects and is more than sufficient for this project.


4.1 PLC program

The PLC program is the foundation of the whole system and contains most of the code. This is because WinCC has a slower cycle time than the PLC and is therefore not suited for logic operations. For a detailed overview of the PLC code see appendix A. The Step7 software supports five programming languages: Ladder Logic (LAD), Statement List (STL), Function Block Diagram (FBD), Structured Text (ST) and Sequential Function Chart (SFC), the first three being the most used. The preferred language in the automation industry is FBD, because it is the easiest language to read and work with. Ladder Logic is often used in smaller systems because it is based on the representation of circuit diagrams and can be read by electricians. STL is the basic code in Step7 and the most powerful. Its biggest drawback, however, is its poor structure, which makes it difficult to read and work with. It is sometimes used for more complex functions such as multiple jumps. The program is made as object-oriented as possible to ease understanding of the code. All input signals needed to control the system arrive from the WinCC program to the PLC. These signals are put into shared memory blocks, which can be written and read by both Step7 and WinCC. The shared memory blocks are DB2, DB3 and the symbolic memory. The first two are structured in UDT2 and UDT3, respectively. Measurement values are simulated in the variable table called measurements. The PLC code consists of a number of blocks, as seen in figure 4-3. The grey blocks are regular programming blocks and the yellow blocks belong to the safety program. The program begins with the Organization Blocks (OBs). The OBs represent the interface between the operating system and the user program. The OBs are called by the operating system once every cycle and control the program execution. The OBs are organized into a hierarchy, with OB1 having the highest priority. The higher priority OBs can always interrupt the lower priority OBs.

Figure 4-3: PLC editor overview.

There are two OBs used in this project. OB1 calls the functions and function blocks (functions with their own memory block) needed to run the program, and OB35 (cyclic interrupt) calls the safety program. The rest of the OBs are designed to handle hardware and communication faults; because this project is simulated, they are not needed and are left empty. OB1 calls four functions that operate together to control the safety program FC1. These functions are FB4, FB5, FB6 and FC10. FB4 compares the current from generator 1 to a preset value slightly less than the manual safety limit and switches the generator off the rail by sending a stop signal to FB6. A bit is set high and read by WinCC, which informs the user of the situation. FB5 contains the safety features in the program. It prevents more than one generator from connecting to the same rail and warns about a measurement mismatch between the generator and the rail. When a contact is activated in WinCC, the signal goes through FB5 and is sent onward to FB6 if no error occurs. If a rail error occurs, FB5 stops the contact from closing and sets a bit high that is read by WinCC. A window in WinCC informs the user of the situation. The measure error is triggered when either the voltage or the frequency on both sides of the contact is higher than 0, but not equal. If this is the case, the contact is prevented from closing and a bit is set high, which in turn is read by WinCC. This mismatch can potentially cause failure in equipment, and the user has to decide whether he wants to activate the contact. A pop-up window in WinCC allows the user to close the contact. If he does, the contact activation signal is sent on to FB6 from WinCC. FB6 is the block that controls the safety program. It receives signals from FB5 and the safety program. If it gets a contact activation signal from FB5, it sends the signal to the safety program as long as there is no error signal from the safety program. The stop signal is received from WinCC. FB6 also contains logic to simulate a welded contact. For details see the integrated safety design chapter. The system functions are functions that are generated by Step7 and deal with internal processes in the PLC. They cannot be read and should not be removed.
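The interlock and trip logic described above for FB4, FB5 and FB6, as an added Python simulation that is not the thesis’ Step7 code; the Interlock class, its method names, the contact names and the measurement values are assumptions chosen to mirror the text, and the optional tolerance on the measurement comparison is an addition for noisy meter readings (0.0 reproduces the exact comparison in the text).

```python
"""Simulation of the contact interlock logic described for FB4, FB5 and FB6.
Added example, not the thesis' Step7 code: the class, method and signal
names are assumptions; the block names FB4/FB5/FB6 are taken from the text."""
from dataclasses import dataclass
import math


@dataclass
class Measurement:
    """Values a Simeas meter would deliver on one side of a contact."""
    voltage: float        # V
    frequency: float      # Hz
    current: float = 0.0  # A, only relevant on the generator side (FB4)


@dataclass
class Contact:
    name: str
    generator: str   # generator on one side of the contact
    rail: str        # distributing rail on the other side
    closed: bool = False


class Interlock:
    """Mirrors FB5 (rail and measurement checks), FB4 (over-current trip)
    and the stop path of FB6 for a set of generator-to-rail contacts."""

    def __init__(self, trip_current: float, tolerance: float = 0.0):
        # FB4 trips slightly below the manual safety limit; it is a parameter here.
        self.trip_current = trip_current
        # Relative tolerance for "equal" measurements (0.0 = exact, as in the text).
        self.tolerance = tolerance
        self.contacts: dict[str, Contact] = {}
        # Bits WinCC would read to open the corresponding pop-up window.
        self.flags = {"rail_error": False, "measure_error": False, "overcurrent": False}

    def add_contact(self, contact: Contact) -> None:
        self.contacts[contact.name] = contact

    def _rail_conflict(self, contact: Contact) -> bool:
        """FB5 rail check: a rail may carry only one generator at a time."""
        return any(
            other.closed and other.rail == contact.rail and other.generator != contact.generator
            for other in self.contacts.values()
        )

    def _measure_mismatch(self, gen: Measurement, rail: Measurement) -> bool:
        """FB5 measure check: voltage or frequency live on both sides but unequal."""
        def differs(a: float, b: float) -> bool:
            return a > 0 and b > 0 and not math.isclose(a, b, rel_tol=self.tolerance)
        return differs(gen.voltage, rail.voltage) or differs(gen.frequency, rail.frequency)

    def request_close(self, name: str, gen: Measurement, rail: Measurement,
                      confirmed: bool = False) -> str:
        """Contact activation coming from WinCC.  Returns 'closed', 'rail_error'
        or 'measure_error'; only 'closed' means the signal went on to FB6."""
        contact = self.contacts[name]
        if self._rail_conflict(contact):
            self.flags["rail_error"] = True          # FB5 blocks the contact
            return "rail_error"
        if self._measure_mismatch(gen, rail) and not confirmed:
            # The user must confirm in the pop-up window; with confirmed=True
            # WinCC sends the activation straight on to FB6.
            self.flags["measure_error"] = True
            return "measure_error"
        contact.closed = True
        return "closed"

    def open_contact(self, name: str) -> None:
        """Stop signal path through FB6."""
        self.contacts[name].closed = False

    def check_generator_current(self, generator: str, current: float) -> bool:
        """FB4: take the generator off its rails when current exceeds the preset."""
        if current <= self.trip_current:
            return False
        self.flags["overcurrent"] = True
        for contact in self.contacts.values():
            if contact.generator == generator:
                self.open_contact(contact.name)
        return True
```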

1.4.1 PLC program result

The PLC code functioned as planned. There are some logic operations that could be written as functions and called in the blocks, but this would only be beneficial if all the contacts in the system were implemented. Getting an accurate cycle time of the program would require a connected hardware CPU. The cycle time seen in figure 4-4 was measured without hardware, but still gives a good indication of the cycle time. A cycle time of 10–40 ms shows that the code is not causing a long cycle time, considering that the OB35 cyclic interrupt is called every 50 ms.

Figure 4-4: Cycle time.


4.2 Integrated Safety design

The safety program starts with the F-CALL function FC1. Once this function is made, Step7 generates all other internal functions and memory blocks needed to run the safety program. FC1 is the editor and compiler for the safety program. It shows the safety program structure and contains its own log of changes in the program.

F-CALL (FC1)
  Safety Program ”F_PRG” (FB1, DB1)
    FB ”F_BACK” (FB216, DB216)
    FB ”F_BACK” (FB216, DB217)
    FB ”F_BACK” (FB216, DB218)
    FB ”F_BACK” (FB216, DB219)
    FB ”F_BACK” (FB216, DB220)
    FC ”REINTEGRATION” (FC2)

Figure 4-5: Safety program call sequence.

The entry into the safety program is done by calling the F-CALL function FC1 from the user program. This is done in the cyclic interrupt OB35 and is necessary because the safety program has to be called and executed at fixed time intervals. Calling it in the user program could result in irregular and possibly longer intervals between calls. OB35 also transfers all signals from the user program into memory used exclusively by the safety program. FC1 calls the main programming block FB1. This block contains the entire safety program. FB1 calls the fail-safe feedback block FB216 from the Distributed Safety library. This block implements the feedback monitoring from the contacts and is called five times, representing the five contacts that are implemented. FB216 calls its own internal functions and data blocks to operate. FC2 is called last, to re-integrate fail-safe hardware modules. The operation of FB216 can be seen in figure 4-6.


[Figure 4-6 flowchart: from Start the contact is OFF; an emergency stop keeps it OFF until an acknowledgement is given, a contact activation signal turns it ON, and while ON either an emergency stop or loss of the activation signal returns it to OFF.]

Figure 4-6: FB216 operation flowchart. Because no hardware is used in this project, the feedback has to be simulated. The feedback signal comes from FB6 and is triggered manually with a button in WinCC. FB216 has an input to set the time limit for the feedback. Normally it is set to 100 ms, but in the first network it is set to 2 s, to allow enough time to trigger manually.
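The FB216 behaviour in figure 4-6, together with the feedback time limit described above, as an added Python model that is not the Distributed Safety library block; the FeedbackMonitor class, its method names, the fault labels and the sample timings are assumptions.

```python
"""One contact channel with feedback monitoring, modelled on the FB216
flowchart (emergency stop, acknowledgement, activation signal) and the
feedback time limit.  Added example, not the library block: names and the
fault labels are assumptions."""
from typing import Optional


class FeedbackMonitor:
    def __init__(self, feedback_limit_ms: float = 100.0):
        # 100 ms is the normal limit; the thesis uses 2 s to allow manual triggering.
        self.feedback_limit_ms = feedback_limit_ms
        self.command_on = False             # output driven to the contact
        self.needs_ack = False              # set by emergency stop, cleared by acknowledgement
        self.fault: Optional[str] = None    # 'welded' (did not open) or 'no_close' (did not close)
        self._mismatch_since: Optional[float] = None

    def cycle(self, now_ms: float, estop: bool, activate: bool,
              feedback_closed: bool, ack: bool = False) -> bool:
        """One OB35 call.  Returns the command sent to the contact."""
        # Emergency stop always forces the contact OFF and demands acknowledgement.
        if estop:
            self.command_on = False
            self.needs_ack = True
        elif self.needs_ack:
            self.command_on = False
            if ack:
                self.needs_ack = False
        elif self.fault is not None:
            self.command_on = False          # a latched fault keeps the contact off
        else:
            self.command_on = activate       # follow the activation signal

        # Feedback monitoring: the contact position must follow the command
        # within the time limit, otherwise a fault is latched.
        if feedback_closed == self.command_on:
            self._mismatch_since = None
        elif self._mismatch_since is None:
            self._mismatch_since = now_ms
        elif now_ms - self._mismatch_since > self.feedback_limit_ms:
            self.fault = "welded" if feedback_closed else "no_close"
            self.command_on = False
        return self.command_on

    def reset(self, feedback_closed: bool) -> bool:
        """Clear a latched fault, but only once the contact is actually open."""
        if feedback_closed:
            return False
        self.fault = None
        self._mismatch_since = None
        return True
```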


5 HUMAN MACHINE INTERFACE

In this chapter the theory and design of the HMI for the system will be explained. It is very important to design a functional and intuitive HMI, as it will likely be in use for a long time and influence the users of the system. A properly designed HMI will increase the user’s situational awareness and thereby reduce the chance of user error.

5.1 Guidelines

There exist no standards regarding HMI design within industrial automation. Some guidelines exist for designing an HMI, but these guidelines are very limited in their scope and usually deal only with fundamental issues. Although these guidelines are not theory, they are a good starting point for designing an HMI. The guidelines used in this sub chapter are taken from Hexatec (2002). When designing the HMI, it is important to understand how the operator will use it. Generally, people will scan a screen the same way they read a page in a book. The scanning starts in the top left corner and proceeds to the right, with two or three scans down to the bottom right side, as seen in figure 5-1. With this information in mind, important items should be placed at the top of the page. This includes alarms and all navigation and execution buttons. The main overview diagram should be placed in the middle of the screen and the bottom of the screen should be reserved for secondary function buttons.


Figure 5-1: Human scanning of a screen.

The first screen picture after the operator has logged in should be an overview picture of the whole system. From there, the user can navigate into the sub parts of the system. Important parts of the system should, if possible, be displayed graphically. This will give the operator a better understanding of the system. The background should for the most part be without graphics. Colours play an important part in the system visualization. If used correctly they can enhance data and performance, while used incorrectly they can confuse and overwhelm the user. The preferred colour convention, following the standard for safety signs (ISO 3864), defines the following colours:

Red = stop, prohibition, danger.
Yellow = caution, risk of danger.
Green = safe condition.
Blue = mandatory action.

These colours should not be overused for other purposes. This is especially true for red, which should be reserved for alarms only. Large blocks of bright colours should be avoided, as they can cause eyestrain. Background colours must be chosen carefully. White and black may provide good colour contrast in text, but they produce too much glare on the screen. Light grey is much better suited as a background colour. Text should be written in the same font throughout all screen pictures. Avoid too much upper case and underlined text. The minimum text size should be 12 point. Text, and especially data, should be grouped in areas of the screen. The location of data should remain consistent in all screen pictures. Avoid displaying unnecessary decimals. Data should be represented with just enough information. Unnecessary data accuracy will only slow the user’s reaction.


For safety reasons, all buttons that activate potentially dangerous parts of the system should have a pop-up window that makes the operator confirm his action. If the screen is accessible to people other than the operator, then it should require a logon at the start. This will reduce accidental or intentional activation.

5.2 Theory

While the guidelines are helpful, they do not address how an HMI should be designed. The most effective method for designing an HMI system is to implement a user-centered design. This means designing the system interface around the operator. Traditionally, systems have been designed from a technological perspective, where the operator has had to adapt to the system. Although this project will implement a user-centered design, it must be remembered that this is a very technologically oriented project and it is expected that the operator will have a technological background. The foundation of a user-centered design is situational awareness (SA). SA means simply being aware of what is happening around you and understanding what the information means now and in the future. Supporting SA directly supports the cognitive processes of the operator and thereby enables him to make decisions. By using certain theory and design principles, a user-centered design can be achieved. The theory and principles used in this sub chapter are taken from Endsley, M.R. (2002). The principles described in the book cover everything from simple industrial systems to complex aviation systems. I have filtered out the theory and principles that are best suited to industrial SCADA systems. While it is not a definitive list, it will give the designer the theory and principles needed to design an HMI, without dealing too much with the psychological aspects behind the human factors.


2.5.1 Situational Awareness

Figure 5-2: Situational Awareness Factors.

The factors of situational awareness can be seen in figure 5-2. There are three levels of SA. The first is the perception of elements in the current situation. The perception of information can come from visual, auditory or other senses, with the first two being dominant. The second level is the comprehension of the situation. This involves integrating all the information and prioritizing the information’s importance relative to the goals. The last level is the projection of future status. Once the user knows the elements and their relation to the goals, he should be able to predict what the elements will do in the future. There are many factors that influence the decision-making process and reduce SA. These include human factors such as workload, anxiety, fatigue and other stress factors. While those factors are important, they are hard to take into account when designing for SA and will be omitted from this report. Other factors that work against SA can be included in the design phase.


Data overload is a significant problem for SA. Too much or too rapid information will overload the user’s sensory and cognitive system. Every effort should be taken to reduce data overload, by either sorting information or changing the way information is displayed. Misplaced salience is the case when the user is subjected to too much external stimuli. When used in moderation, lights, sounds and movement can help in directing the user towards information. When overused, they can cause the user to be overwhelmed and miss information. The last factor is the out-of-the-loop syndrome. This factor is a by-product of too much automation. While automation can reduce excessive workload, it can also lower SA in some cases. When the latter occurs, the user will find himself out of the loop and not able to make a decision.

2.5.2 Principles of designing for SA

The principles described below can be considered universal for designing a user interface. They deal primarily with the design aspect and not the human aspect of SA.

Principle 1: Organize information around goals. Information should be organized around the user’s goals, rather than being presented in a technology oriented way. Information needed for a particular job should be grouped together and located where it is needed.

Principle 2: Support global SA. When the user’s attention is directed to a subset of information, his global SA is reduced. Too many windows and menus can distract the user and obscure information. This can be countered through the use of global SA displays.

Principle 3: Use information filtering carefully. Although information overload is a problem, too little information is an even bigger problem. Filtering information can deprive the user of global SA. This will force him to be reactive, as opposed to proactive, and make it difficult to identify developing situations. Only information that is truly not needed should be eliminated. Less important information should be made less visible.


Principle 4: Reduce complexity. Systems can quickly become too complicated. When receiving feedback about the system, the designer will get many suggestions and requests for more features. Adding too many features should be avoided. Only features that are really needed should be kept. Principle 5: Insure logical consistency. Inconsistencies in the logical functioning of the system dramatically increase complexity. Differences in information, or logical operations will confuse the user and reduce reaction time. Principle 6: Reduce display density. Excessive display density can confuse the user and increase the time needed to find information. This is especially true of systems that use many menus and windows. Although effort should be taken to reduce density, it should not be at the cost of coherence. Principle 7: minimize task complexity. The number of actions needed to perform a single task, should be kept at a minimum. If the user is required to learn and remember complex series of actions, it will only serve to add to his cognitive load and increase the chance of error. Principle 8: Don’t make the user reliant on alarms. Alarms tend to make people reactive. A better approach is to provide the user with information needed to be proactive. This could mean for example a warning about a system component, before that component will cause a full alarm. Principle 9: Make alarms unambiguous. Alarms will not be effective if they can be misinterpreted. There must be a clear difference between an alarm and the normal display. There should be a clear text explaining the alarm and if necessary other indicators such as sound. Principle 10: Reduce false alarms.


Reducing false alarms is the most important improvement an engineer can make to a system. False alarms reduce SA and overall trust in the system. The best time for reducing false alarms is shortly after the system has been taken into use. With the help of the users, alarm limits can be adjusted and the system fine-tuned.

Principle 11: Support rapid global SA in an alarm state. All the information needed to react to an alarm should be present during the alarm. The user should not have to wade through all the information to find what is needed. Latching displays that show the alarm should be avoided if they obscure SA-relevant information.

Principle 12: Automate only when necessary. This is one of the most important principles for an engineer designing an HMI. Too much automation will increase system complexity, create out-of-the-loop performance problems and reduce the user’s decision-making ability. Automation should mainly be used for routine, repetitive tasks that do not require much input from the user. The proliferation of automation modes should be avoided, as they will reduce SA and reaction time. As seen in the hypothetical example in figure 5-3, the reliability of the system is reduced when the user is not in full control.

[Figure 5-3 compares two arrangements: a serial system (Human -> Machine -> World Data) and a parallel system (Human and Machine both acting on World Data).]

Serial system: Reliability = (HR)(MR). Ex. HR = 90%, MR = 85%: (.9)(.85) = 77%.

Parallel system: Reliability = 1-(1-HR)(1-MR). Ex. HR = 90%, MR = 85%: 1-(1-.9)(1-.85) = 98%.

Figure 5-3: Effect of automation on reliability.

With these guidelines and principles the engineer should be able to design a system that supports SA.


5.3 HMI Design

The HMI is made in Siemens WinCC software. This software is designed to work in conjunction with Siemens Step7 software. Communication between the two can be configured for various bus systems; in this project the Siemens MPI bus is used.

Data between WinCC and Step7 is passed by means of tags. A tag has a data address and a symbolic name used in the project. The data address can be an input, an output, or an address in a data block or in the system memory. The tag can be of any data type, from a single bit to a string. WinCC has two kinds of tags: process tags, which are used to communicate between WinCC and Step7, and internal tags, which are used to transfer data within WinCC. To facilitate object-oriented programming, tags can be structured and grouped together.

The screen is made up of a number of pictures created in the graphics editor. These pictures are then made dynamic with various editors. The editors include a C editor, a Visual Basic editor and a tag connection editor. See the editor in figure 5-4. For all pictures and documentation from WinCC see appendix B.

Figure 5-4: Graphic editor.

The screen in this project is designed for the supervisor, who has the right to activate the generators. The user screen located at the cells would be a similar version, without the ability to activate the generators.


The screen starts with a login picture, as seen in figure 5-5. The administrator sets the user name and password. If the user name and password are correct, the next picture brought up is the picture titled main.pdl, which is the template for all other pictures on the screen. From this picture the top, middle and bottom pictures, along with all alarm and pop-up windows, are called. The top picture is the navigation bar and is a permanent feature of the screen. It contains buttons to navigate to other pictures, as well as an alarm log, time and date, the name of the user logged on and an exit button. The middle picture changes according to which picture is chosen. The bottom picture is reserved for secondary function buttons. In this design it contains buttons to test the system, such as emergency stop and welding simulation.

Figure 5-5: Electric Lab Login.

Every object in the pictures that reacts to a tag or action has to be programmed. The navigation buttons in the top picture are programmed in the C editor to replace the middle picture with the desired picture. The buttons used to switch the generators and cells are programmed in C code and either set or reset the tags controlling the contacts. All objects that change shape or color are programmed to read the status of a particular tag. The measurement windows in the generator and cell pictures read a variable table address in Step7.


Figure 5-6: System overview.

The first picture to appear after the user has logged in is the overview picture, see figure 5-6. From this picture the user can see every part of the system. The rails light up when a generator or cell is connected. This shows which generator or cell is connected to the rails and increases the user’s SA. The user can navigate through the system by pressing the navigation buttons in the top bar or by pressing the figures in the picture. When in the generator or cell pictures, only the navigation buttons in the top bar are used to navigate.

The generator overview picture shown in figure 5-7 is only accessible to the supervisor. From this picture the generators can be switched onto the rails. A measurement window placed above each generator shows its values. The rail values are displayed on the right side of the rails. When the ON button is pressed, the button and the rail change to a brighter colour, indicating which generator and rail are turned on.

The cell pictures are identical for the two implemented cells, see cell 10 in figure 5-8. The rail values are located on the left side of the rails. The cell values are located above the cell in a more compact form than the rail values. This was necessary, as space was limited. Just like in the other pictures, the buttons and lines light up, indicating a connection.


Figure 5-7: Generator overview.

Figure 5-8: Cell 10 overview.


The system has several safety features that will override the user. The most important safety feature is the emergency stop. There are two types of emergency stop for the system: one in each cell, which shuts down that particular cell, and a universal emergency stop located close to the supervisor, which shuts down the entire system. In this project only the universal emergency stop is implemented. When activated, a picture will appear with a flashing red frame and a flashing circle indicating the position of the emergency button on a diagram showing the floor plan, see figure 5-9. This provides the user with global SA and ensures a proactive reaction. When the emergency button has been reset, the user can acknowledge the system and start to operate it again.

Figure 5-9: Emergency stop window.

Another feature is designed to reduce the chance of damage to the equipment. If a voltage or frequency mismatch is detected between the generator and rail, a picture will appear showing the measurements in question and give the user the option of returning to the previous picture or switching the generator onto the rail. This check is only performed when the generator contact is activated. See figure 5-10.


Figure 5-10: Measure error window.

One feature works as a circuit breaker, see figure 5-11. If a generator current exceeds a preset limit slightly lower than that of the manual circuit breaker, the generator will be switched off the rail and a pop-up window will inform the user what has happened. This eliminates the need to manually reset a circuit breaker that might be located far from the user. Once the pop-up window has been closed, the contact can be activated again.

Another feature informs the user with a pop-up window if an attempt is made to switch a generator onto a rail that already contains a generator, see figure 5-12. If this were to happen it would result in damage to the equipment. Once the user closes the window, he can continue to operate the system.


Figure 5-11: Generator current safety.

Figure 5-12: Rail error.


The last feature is the contact welding warning. This occurs when a contact has welded shut. The contact cannot be activated again without an acknowledgement from the user in the pop-up window. As the instruction text in the window explains, the user is asked to replace the faulty contact and then acknowledge, to reset the system. If the contact is not replaced, the same warning will appear the next time the contact is activated.

Figure 5-13: Contact-welding alarm.

These safety features are designed to give the user enough information to deal with the situation without having to search for further information in other pictures. This supports the user’s SA and keeps him in control. The emphasis has been on using the design principles when making the pictures. They all follow the same form and remain consistent across all pictures. They contain as much information as possible, while still being coherent and simple.
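As an added illustration, not the thesis’s own Step7 code, the following Python model evaluates the safety features above the way a PLC would: an ON request is checked against the emergency stop, a welded contact, an occupied rail and a voltage/frequency mismatch, and a cyclic scan drops the contact out on overcurrent or emergency stop. The tolerances, trip level, event names and the auxiliary-contact feedback signal used to detect welding are assumptions, not values from the lab.

```python
from dataclasses import dataclass
from typing import Optional

# Limits are constructed placeholders, not the lab's real settings.
V_TOL = 5.0    # allowed generator/rail voltage mismatch, volts
F_TOL = 0.2    # allowed frequency mismatch, hertz
I_TRIP = 95.0  # software trip level, amperes, just below the manual breaker

@dataclass
class Rail:
    voltage: float
    frequency: float
    generator_on: bool = False  # a generator is already switched onto this rail

@dataclass
class Generator:
    voltage: float
    frequency: float
    current: float
    contact_cmd: bool = False   # PLC output: contactor commanded closed
    weld_fault: bool = False    # physical fault; the welding-simulation button sets it

    def feedback(self) -> bool:
        """Assumed auxiliary-contact signal: closed if commanded or welded."""
        return self.contact_cmd or self.weld_fault

def welded(gen: Generator) -> bool:
    return gen.feedback() and not gen.contact_cmd  # commanded open, still conducting

def mismatch(gen: Generator, rail: Rail) -> bool:
    return (abs(gen.voltage - rail.voltage) > V_TOL
            or abs(gen.frequency - rail.frequency) > F_TOL)

def request_close(gen: Generator, rail: Rail, emergency_stop: bool,
                  mismatch_acknowledged: bool = False) -> Optional[str]:
    """ON pressed: None if the contact closes, else the feature that blocked it."""
    if emergency_stop:                  # overrides the user entirely
        return "EMERGENCY_STOP"
    if welded(gen):                     # replace the contact, then acknowledge
        return "CONTACT_WELDED"
    if rail.generator_on:               # a second generator on one rail
        return "RAIL_OCCUPIED"
    if mismatch(gen, rail) and not mismatch_acknowledged:
        return "MEASURE_MISMATCH"       # user may go back or confirm the switch
    gen.contact_cmd = rail.generator_on = True
    return None

def scan(gen: Generator, rail: Rail, emergency_stop: bool) -> Optional[str]:
    """One cyclic check: emergency stop, software circuit breaker, weld alarm."""
    if emergency_stop or (gen.contact_cmd and gen.current > I_TRIP):
        if gen.contact_cmd:             # drop out before the manual breaker does
            gen.contact_cmd = rail.generator_on = False
        return "EMERGENCY_STOP" if emergency_stop else "OVERCURRENT"
    return "CONTACT_WELDED" if welded(gen) else None
```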


Conclusion

6 CONCLUSION

This project has been very interesting. Unlike many earlier projects it does not rely on designing the system from a mathematical model, but rather from industry standards. It has given an insight into the process required to design an industrial SCADA system. This has made the project very realistic.

6.1 Results

The main objective of creating a SCADA prototype for DTU’s Electric Lab has been achieved. The first step of this project was to find out what standards applied to the system, and once the risk assessment had determined the level of safety required, the design process could start. Because the PLC and HMI operate together, both parts had to be designed simultaneously. This resulted in a steep learning curve in the beginning, but once both parts were operational, the individual parts of both the PLC and HMI could be tested.

Making the graphics active in WinCC proved to be challenging. The logic that controls when the rails light up lies in the PLC code, and creating logic for all the individual objects that make up the rails would require about 150 tags and a lot of logic. Simulating the system without hardware worked quite well. Simulating in real time can be a bit difficult though, as all measurement values have to be written manually in the variable table.

Every safety feature was tested individually and in combination with other functions. The integration of safety features in the system was relatively simple. Siemens has developed its own safety solution that is integrated with the rest of the system, and has documented it very well, which has made the safety design easy to implement. While the safety design could be accomplished in many different ways, it is necessary to use Siemens’ integrated safety solutions when using Siemens software and hardware.

The use of theory in the design of SCADA systems is greatly under-used in the industry. The Hexatec guidelines are a good summation of the unwritten rules used in


the industry and a good place to start when designing an HMI, but they do not provide the principles needed to design a system. The use of theory in the HMI design has been quite beneficial in this project. It has given the project a set of principles to work from. By using these principles, the designer can avoid making design errors that would likely only be revealed through feedback from the user after the system is operational.

6.2 Further work

There are some improvements that could be made to the system but could not be implemented because of time restrictions. While many improvements could be made, the two below are the most important.

The safety features lack a hierarchical structure. They work as they should from a safety standpoint, but if two are triggered at the same time the pop-up windows appear on top of each other. Although it is unlikely that two would be active at the same time, it is a possibility. By adding some logic in the PLC code, the pop-up windows could appear consecutively, with the most important one appearing first.

Another part of the system that could be improved is the way the measurements are presented in the HMI. They are fixed on the same set of values, and the only way the user can access other values is to change to another picture. This reduces his SA and increases the time needed to gather information. A possible solution would be to give the user control over which values are displayed in the picture. This could be accomplished either by having buttons in one window where the user could choose which values are displayed, or by having a window where the user could scroll to the desired values.


REFERENCES

[1] Endsley, M. R., Bolté, B. and Jones, D. G. (2003). Designing for situational awareness, an approach to user-centered design. Taylor & Francis, 11 New Fetter Lane, London, England.

[2] Hexatec. (2002). Operator screen (HMI), Design guidelines. Orhrelands Hexam, Northumberland, England. http://www.hexatec.co.uk/Documents/Operator_Screen_Design.pdf

[3] Erickson, K. T. (2005). Programmable Logic Controllers: An emphasis on design and application. Dogwood Valley Press, LLC, 1604 Lincoln Lane, Rolla, MO, USA.

[4] Siemens. (2001). Simatic HMI. Operating and monitoring with WinCC. http://www.sitrain.com

[5] Siemens. (2004). Simatic S7 Programming. http://www.sitrain.com

[6] Siemens. (2004). Communication. S7 Profibus. http://www.sitrain.com


PLC CODE

The PLC code shown here contains the following blocks: OB1, OB35, FB1, FB4, FB5 and FB6. To reduce the size of the report, the rest of the code is placed on the CD.


WINCC PICTURES

To reduce the size of the report, all WinCC documentation is placed on the CD.


DTU Electrical Engineering Automation and Control Technical University of Denmark Elektrovej Building 326 DK-2800 Kgs. Lyngby Denmark www.elektro.dtu.dk/English/research/au.aspx Tel: (+45) 45 25 35 50 Fax: (+45) 45 88 12 95 E-mail: [email protected]