Árni Steinar Kjartansson
Control and supervision of
DTU’s Electric Lab
Bachelor’s Thesis, December 2008
This report was drawn up by: Árni Steinar Kjartansson
Supervisor(s): Morten Lind, CET, Ørsted•DTU; Chresten Træholt, CET, Ørsted•DTU; René Arnskov, Balslev

Ørsted•DTU Automation and Control
Technical University of Denmark
Elektrovej Building 325
2800 Kgs. Lyngby
Denmark
www.oersted.dtu.dk/cet
Tel: (+45) 45 25 35 00
Fax: (+45) 45 88 61 11
E-mail: [email protected]
Release date: 2 Dec 2008
Category: 3 (according to agreement)
Edition: 1st edition
Comments: This report is part of the requirements to achieve the degree of Diplomingeniør/Bachelor of Engineering at the Technical University of Denmark. The report represents 15 ECTS points.
Rights: © Árni Steinar Kjartansson, 2008
ABSTRACT
The importance of supervisory control and data acquisition (SCADA) systems in modern industry has grown over the last decades. A well-designed SCADA system increases the quality control, safety and accessibility of today's automated processes.
This thesis describes the design of a SCADA prototype system for DTU's Electric Lab. Special emphasis is placed on operational safety and on the use of theory in the design of the graphical representation of the system.
TABLE OF CONTENTS
Abstract
List of figures
1 Introduction
1.1 Background
1.2 Problem formulation
2 System components
2.1 PLC
2.2 Step 7
2.3 Simeas Power Meter
2.4 WinCC
3 System description
4 PLC Design
4.1 PLC program
4.2 Integrated Safety design
5 Human Machine Interface
5.1 Guidelines
5.2 Theory
5.3 HMI Design
6 Conclusion
6.1 Results
6.2 Further work
References
PLC Code
WinCC pictures
LIST OF FIGURES
Figure 3-1: System diagram.
Figure 4-1: Risk Assessment.
Figure 4-2: Contact feedback.
Figure 4-3: PLC editor overview.
Figure 4-4: Cycle time.
Figure 4-5: Safety program call sequence.
Figure 4-6: FB216 operation flowchart.
Figure 5-1: Human scanning of a screen.
Figure 5-2: Situational Awareness Factors.
Figure 5-3: Effect of automation on reliability.
Figure 5-4: Graphic editor.
Figure 5-5: Electric Lab Login.
Figure 5-6: System overview.
Figure 5-7: Generator overview.
Figure 5-8: Cell 10 overview.
Figure 5-9: Emergency stop window.
Figure 5-10: Measure error window.
Figure 5-11: Generator current safety.
Figure 5-12: Rail error.
Figure 5-13: Contact-welding alarm.
1 INTRODUCTION
1.1 Background
This project is based on an existing project, designed by Balslev for DTU. The project
came to my attention during an earlier semester as a trainee student at Balslev.
The objective is to renovate and upgrade DTU's Electric Lab to modern standards.
DTU's Electric Lab consists of many cells that connect to generators via distribution
rails and interconnect through various cabinets. At present the Electric Lab is
operated entirely manually, with only basic safety features. Every experiment carried
out in a cell has to be done in close cooperation with a supervisor; the process is
time-consuming and gives the operator a poor overview of the system.
1.2 Problem formulation
The aim of this project is to design a prototype Supervisory Control and Data
Acquisition (SCADA) system, where the user can control and supervise the entire system
through a touch screen or a PC. Is it possible to design a SCADA system that reduces
operator error, increases safety and increases access to information? The aim of this
report is to answer this and the following questions.
• Can the entire project be simulated in software without the use of hardware?
• Is it possible to integrate safety features in the system?
• Can theory be used in the design of the graphical user interface?
2 SYSTEM COMPONENTS
This chapter will describe the system components used in the project. Each sub chapter
will explain the individual components in detail.
2.1 PLC
The Programmable Logic Controller (PLC) is the standard controller for industrial
applications in centralized and distributed systems, and it is the core of this system. It
contains the logic for the entire system and is the foundation that the other parts of the
system interact with. The PLC is fully modular and can be expanded easily.
The PLC used in this project is the Siemens Simatic S7. It is Siemens' current PLC
family and has been an industry standard for a long time.
2.2 Step 7
Siemens Step 7 is the software used to program and configure the PLC. It is composed
of numerous editors and functions needed to implement any project.
The primary Step 7 software is Step 7 Basic; all configuring and parameterizing is done
there. The S7 Graph editor is used to program individual blocks. The S7 PLCSIM
software simulates the PLC CPU in software, so the code can be run without hardware.
This simulator has to be running if other parts of the system are to communicate with
the PLC. These three tools are used to implement the project. Several other editors are
included with the software, but they are not used in this project.
2.3 Simeas Power Meter
The Simeas power meter is designed as a distributed meter, connected to the PLC via
an industrial bus. Each meter can record up to 12 different values. The system is
controlled and supervised using the measurements from this meter.
Unfortunately the meter could not be simulated, so all measurement values are read
from a variable table instead.
2.4 WinCC
The human machine interface (HMI) is designed in Siemens WinCC. The communication
between the PLC and the HMI is set up in both Step 7 and WinCC. The graphical
visualization of the system is designed in the graphics designer. Other features include
an alarm editor and a user administration editor.
3 SYSTEM DESCRIPTION
Figure 3-1: System diagram.
The project is based on the diagram shown in figure 3-1. It consists of three generators
that connect to two cells via distributing rails. A single line in the diagram represents a
three-phase system. The original project consists of four generators, specialised
measuring instruments and over 20 cells. Because of the time restrictions, the original
project is scaled down to the aforementioned size.
Each cell will have a touch screen so the user can operate the system. The supervisor
will have either a touch screen or a control PC with a monitor. Only the supervisor has
the right to connect a generator to the rails; apart from this restriction the users have
the same privileges as the supervisor, and a user can control every individual contact in
the diagram. The system is displayed graphically on the screen, both as an overview of
the whole system and as views of its individual parts.
The system has many meters located at the generators, rails and cells. The
measurements include voltage, current, power, frequency and phase. These
measurements are used in the PLC to control the system and to give the user
information. The system contains several safety features, designed to reduce the risk
of accidents and to aid the user in operating the system.
Because of the time restrictions, only the parts of the system needed to test functionality
are implemented: generator one and two, rail A and B, cell 8 with system 1 and cell 10
with systems 1 and 2. This amounts to five contacts. The safety features are
implemented for a single contact to test functionality. This applies to both the Step7 and
the WinCC design.
4 PLC DESIGN
This chapter will focus on the PLC program and the integrated safety program. Both
parts are programmed with the same software, but the integrated safety part has to fulfil
certain standards that are not applied to the rest of the code and is therefore reviewed
separately.
Before an industrial system is designed it has to go through a risk assessment to
determine the level of risk to the user.
The standard used in this project is EN 954-1 (see CD for a PDF file). This standard
applies to the safety of machines where a safety-related control system is implemented.
Although this system does not contain dangerous machinery exposed to the user, it does
expose the user to voltages of up to 2 kV, which is considered lethal. For that reason
EN 954-1 is applied to the system. The starting point for the risk assessment can be
seen in figure 4-1.
Figure 4-1: Risk Assessment.
The first decision in the assessment is whether there is a slight risk to the user (S1),
meaning reversible injury, or a serious risk (S2), meaning irreversible injury or death.
As mentioned above, exposure to 2 kV means the possibility of death and therefore a
serious risk.
The next decision deals with the exposure time to the hazard: short exposure (F1),
usually meaning less than once per shift, or long exposure (F2), meaning more than
once per shift. The Electric Lab contains many cells, so exposure to the hazard is both
frequent and long. The last decision addresses the possibility of avoiding or limiting the
hazard: whether this is possible under specific conditions (P1) or scarcely possible (P2).
In this case the user has full control over the system, and any attempt to restrict access
in order to reduce the hazard would not benefit the user. As figure 4-1 indicates, this
places the system in risk category 4. According to EN 954-1, this requires a fail-safe
emergency shutdown system with a feedback signal from the contacts.
This also requires that all emergency stop buttons are wired fail-safe, meaning that
either cutting or shorting the cable results in an immediate shutdown of the system.
Every contact in the system consists of two series-connected contacts operated
simultaneously. Every time the contacts are opened, a feedback signal reports the
position of the contact; this signal reveals whether a contact has welded shut, see
figure 4-2. If one of the contacts were to weld shut, the other contact would still open
the circuit.
Figure 4-2: Contact feedback.
Because a fail-safe emergency shutdown system is required, special hardware is needed
to fulfil this requirement. Since this project is fully simulated, no fail-safe hardware is
needed, but the simulated CPU has to be able to run the safety program, and the CPU
chosen for this project is therefore the fail-safe 315F-2DP CPU. It is designed for
medium to large projects and is more than sufficient for this project.
4.1 PLC program
The PLC program is the foundation of the whole system and contains most of the code.
This is because WinCC has a slower cycle time than the PLC and is therefore not suited
for logic operations. For a detailed overview of the PLC code see appendix A.
The Step7 software supports five programming languages: Ladder Logic (LAD),
Statement List (STL), Function Block Diagram (FBD), Structured Text (ST) and
Sequential Function Chart (SFC), with the first three being the most used. The preferred
language in the automation industry is FBD, because it is the easiest language to read
and work with. Ladder Logic is often used in smaller systems because it is based on the
representation of circuit diagrams and can be read by electricians.
STL is the basic code in Step7 and the most powerful. Its biggest drawback, however, is
its poor structure, which makes it difficult to read and work with. It is sometimes used
for more complex functions such as multiple jumps. The program is made as
object-oriented as possible to ease understanding of the code.
All input signals needed to control the system arrive from the WinCC program to the
PLC. These signals are put into shared memory blocks, which can be written and read by
both Step7 and WinCC. The shared memory blocks are DB2, DB3 and the symbolic
memory. The first two are structured by UDT2 and UDT3, respectively. Measurement
values are simulated in the variable table called measurements.
The PLC code consists of a number of blocks, as seen in figure 4-3. The grey blocks are
regular program blocks and the yellow blocks belong to the safety program.
The program begins with the Organization Blocks (OBs). The OBs represent the
interface between the operating system and the user program. OB1 is called by the
operating system once every cycle; the other OBs are called on events such as a cyclic
interrupt or a fault, and together they control the program execution.
The OBs are organized into a priority hierarchy, with OB1 having the lowest priority.
Higher priority OBs can always interrupt lower priority OBs.
Figure 4-3: PLC editor overview.
There are two OBs used in this project. OB1 calls the functions and function blocks
(functions with their own memory block) needed to run the program, and OB35 (cyclic
interrupt) calls the safety program. The rest of the OBs are designed to handle
hardware and communication faults; because this project is simulated, they are not
needed and are left empty.
OB1 calls four blocks that operate together to control the safety program FC1.
These blocks are FB4, FB5, FB6 and FC10.
FB4 compares the current from generator 1 to a preset value slightly below the manual
safety limit and disconnects the generator from the rail by sending a stop signal to FB6.
A bit is set high and read by WinCC, which informs the user of the situation.
FB5 contains the safety features of the user program. It prevents more than one
generator from connecting to the same rail and warns about a measurement mismatch
between the generator and the rail. When a contact is activated in WinCC, the signal
goes through FB5 and is passed on to FB6 if no error occurs.
If a rail error occurs, FB5 stops the contact from closing and sets a bit high that is read
by WinCC. A window in WinCC informs the user of the situation.
The measure error is triggered when either the voltage or the frequency on both sides of
the contact is higher than 0 but the two sides are not equal. If this is the case, the contact
is prevented from closing and a bit is set high, which in turn is read by WinCC. Such a
mismatch can potentially cause equipment failure, and the user has to decide whether to
activate the contact anyway. A pop-up window in WinCC allows the user to close the
contact; if the user does so, the contact activation signal is sent on to FB6 from WinCC.
FB6 is the block that controls the safety program. It receives signals from FB5 and from
the safety program. If it gets a contact activation signal from FB5, it passes the signal to
the safety program as long as there is no error signal from the safety program. The stop
signal is received from WinCC. FB6 also contains logic to simulate a welded contact.
For details see the integrated safety design chapter.
The system functions are functions generated by Step7 that deal with internal processes
in the PLC. They cannot be read and should not be removed.
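The FB4/FB5/FB6 interlock chain described above, written out as a Python simulation so the decision order can be exercised on realistic readings. This is an added example for this page, not the thesis's Step7 code: the contact names, the tolerance used for "not equal", the 5 % overcurrent margin and the result strings are assumptions; only the rules (one generator per rail, mismatch warning with operator override, stop on overcurrent, no closing while the safety program reports an error) come from the text.

```python
"""Simulation of the FB4/FB5/FB6 interlock logic (added example, not thesis code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Measurement:
    """One meter reading (the thesis reads these from a variable table)."""
    voltage: float    # V
    frequency: float  # Hz


@dataclass
class Contact:
    name: str
    rail: str
    generator: Optional[str] = None   # set for generator-to-rail contacts, None for cell contacts
    closed: bool = False


@dataclass
class Plc:
    """Holds the bits that WinCC would read back from the shared data blocks."""
    contacts: Dict[str, Contact]
    rail_feed: Dict[str, str] = field(default_factory=dict)   # rail -> generator feeding it
    safety_error: bool = False          # error bit from the safety program (feedback fault)
    rail_error_bit: bool = False
    measure_error_bit: bool = False
    overcurrent_bit: Dict[str, bool] = field(default_factory=dict)

    # FB5: rail exclusivity -------------------------------------------------
    def rail_error(self, c: Contact) -> bool:
        """Closing this contact would put a second generator on the same rail."""
        feeding = self.rail_feed.get(c.rail)
        return c.generator is not None and feeding is not None and feeding != c.generator

    # FB5: measurement mismatch ---------------------------------------------
    @staticmethod
    def measure_error(a: Measurement, b: Measurement,
                      tol_v: float = 1.0, tol_hz: float = 0.05) -> bool:
        """Both sides live (> 0) but voltage or frequency differ (tolerances assumed)."""
        for x, y, tol in ((a.voltage, b.voltage, tol_v),
                          (a.frequency, b.frequency, tol_hz)):
            if x > 0 and y > 0 and abs(x - y) > tol:
                return True
        return False

    # FB6: gate towards the safety program ----------------------------------
    def _fb6_close(self, c: Contact) -> str:
        if self.safety_error:
            return "safety_blocked"      # safety program has an active error: no closing
        c.closed = True
        if c.generator is not None:
            self.rail_feed[c.rail] = c.generator
        return "closed"

    def request_close(self, name: str, side_a: Measurement, side_b: Measurement,
                      operator_override: bool = False) -> str:
        """Contact activation from WinCC: FB5 checks first, then FB6."""
        c = self.contacts[name]
        if self.rail_error(c):
            self.rail_error_bit = True
            return "rail_error"          # hard interlock, cannot be overridden
        if self.measure_error(side_a, side_b) and not operator_override:
            self.measure_error_bit = True
            return "measure_error"       # WinCC pop-up lets the user decide
        return self._fb6_close(c)

    def stop(self, name: str) -> None:
        """Stop signal (from WinCC or FB4): open the contact and release the rail."""
        c = self.contacts[name]
        c.closed = False
        if c.generator is not None and self.rail_feed.get(c.rail) == c.generator:
            del self.rail_feed[c.rail]

    # FB4: generator overcurrent trip ---------------------------------------
    def check_generator_current(self, gen: str, contact_name: str, current_a: float,
                                manual_limit_a: float, margin: float = 0.05) -> bool:
        """Trip slightly below the manual safety limit (the 5 % margin is an assumption)."""
        trip_level = manual_limit_a * (1.0 - margin)
        if current_a >= trip_level:
            self.overcurrent_bit[gen] = True
            self.stop(contact_name)
            return True
        return False


def build_demo_plc() -> Plc:
    """Constructed layout: generators 1 and 2 on rail A, cell 8 fed from rail A."""
    contacts = [Contact("G1_A", "A", generator="G1"),
                Contact("G2_A", "A", generator="G2"),
                Contact("C8_A", "A")]
    return Plc({c.name: c for c in contacts})


if __name__ == "__main__":
    plc = build_demo_plc()
    live, dead = Measurement(400.0, 50.0), Measurement(0.0, 0.0)
    print(plc.request_close("G1_A", live, dead))                        # closed
    print(plc.request_close("G2_A", live, live))                        # rail_error
    print(plc.request_close("C8_A", live, Measurement(400.0, 49.8)))    # measure_error
    print(plc.check_generator_current("G1", "G1_A", 96.0, 100.0))       # True (tripped)
```

The order of the checks matters: the rail error is tested before the measurement check and cannot be overridden, while the measure error only sets a bit and leaves the decision to the operator, exactly as the pop-up in WinCC does. The `safety_error` bit stands in for the error signal from the safety program that FB6 honours before forwarding an activation.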
4.1.1 PLC program result
The PLC code functioned as planned. Some logic operations could be written as
functions and called from the blocks, but this would only be beneficial if all the
contacts in the system were implemented. An accurate cycle time of the program would
require a connected hardware CPU. The cycle time seen in figure 4-4 was measured
without hardware, but still gives a good indication. A cycle time of 10 – 40 ms shows
that the code is not causing a long cycle, considering that the OB35 cyclic interrupt is
called every 50 ms.
Figure 4-4: Cycle time.
4.2 Integrated Safety design
The safety program starts with the F-CALL function FC1. Once this function is created,
Step7 generates all the other internal functions and memory blocks needed to run the
safety program. FC1 is the editor and compiler for the safety program: it shows the
safety program structure and keeps its own log of changes to the program.
F-CALL (FC1)
  Safety Program "F_PRG" (FB1, DB1)
    FB "F_BACK" (FB216, DB216)
    FB "F_BACK" (FB216, DB217)
    FB "F_BACK" (FB216, DB218)
    FB "F_BACK" (FB216, DB219)
    FB "F_BACK" (FB216, DB220)
    FC "REINTEGRATION" (FC2)
Figure 4-5: Safety program call sequence.
The entry into the safety program is the call of the F-CALL function FC1 from the user
program. This is done in the cyclic interrupt OB35 and is necessary because the safety
program has to be called and executed at fixed time intervals; calling it from the cyclic
user program could result in irregular and possibly longer intervals between calls.
OB35 also transfers all signals from the user program into memory used exclusively by
the safety program.
FC1 calls the main program block FB1, which contains the entire safety program. FB1
calls the fail-safe feedback block FB216 from the Distributed Safety library. This block
implements the feedback monitoring from the contacts and is called five times, once
for each of the five implemented contacts. FB216 calls its own internal functions and
data blocks to operate. FC2 is called last, to reintegrate fail-safe hardware modules.
The operation of FB216 can be seen in figure 4-6.
Figure 4-6: FB216 operation flowchart (states: Start, Contact OFF, Contact ON, Acknowledgement; decisions: "EmergencyStop pressed?", checked in every state, and "Contact activation signal ON?", checked before the contact is switched ON).
Because no hardware is used in this project, the feedback has to be simulated. The
feedback signal comes from FB6 and is triggered manually with a button in WinCC.
FB216 has an input that sets the time limit for the feedback. Normally it is set to 100 ms,
but in the first network it is set to 2 s, to allow enough time to trigger it manually.
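The feedback monitoring of figure 4-6, together with the two series-connected contacts of figure 4-2, as a small Python simulation. This is an added example for this page; it is neither the Distributed Safety library's FB216 nor the thesis's FB6. The polarity of the feedback line (True meaning "contact closed"), the modelling of the feedback as series auxiliary contacts, and the rule that an acknowledgement is only accepted once the feedback agrees the contactor is open are assumptions; the time limit, the emergency stop priority and the latch-until-acknowledged behaviour follow the text.

```python
"""Simulated dual-channel contactor with feedback monitoring (added example)."""
from dataclasses import dataclass
from typing import List, Optional


class SimulatedContactor:
    """Two series-connected contacts driven together (figure 4-2).

    Current flows only if both channels are closed, so one welded channel is
    still isolated by the other. The feedback line is modelled as series NC
    auxiliary contacts (assumption): it reports "closed" while either channel
    is still closed, which is exactly what exposes a welded contact.
    """

    def __init__(self) -> None:
        self.closed: List[bool] = [False, False]
        self.welded: List[bool] = [False, False]

    def drive(self, q: bool) -> None:
        for i in range(2):
            if not self.welded[i]:      # a welded channel ignores the coil
                self.closed[i] = q

    def feedback(self) -> bool:
        return any(self.closed)

    def conducting(self) -> bool:
        return all(self.closed)


@dataclass(frozen=True)
class MonitorState:
    q: bool            # commanded output
    error: bool        # latched feedback fault (e.g. welded contact)
    ack_required: bool


class FeedbackMonitor:
    """After every change of Q the feedback must agree within fdb_time_ms;
    otherwise Q is forced off and the fault is latched until acknowledged."""

    def __init__(self, fdb_time_ms: int = 100) -> None:
        self.fdb_time_ms = fdb_time_ms      # 100 ms normally, 2 s in the thesis's manual test
        self.q = False
        self.error = False
        self._mismatch_since: Optional[int] = None

    def step(self, now_ms: int, activation: bool, feedback: bool,
             estop: bool = False, ack: bool = False) -> MonitorState:
        if self.error:
            # Latched: output stays off. The ack is only accepted once the
            # feedback agrees that the contactor is open, so a welded contact
            # cannot simply be acknowledged away (assumed rule).
            if ack and not feedback:
                self.error = False
                self._mismatch_since = None
            return MonitorState(False, self.error, self.error)

        desired = activation and not estop      # emergency stop always wins
        if desired != self.q:
            self.q = desired
            self._mismatch_since = now_ms       # start the feedback timer

        if feedback == self.q:
            self._mismatch_since = None
        else:
            if self._mismatch_since is None:    # discrepancy while Q was steady
                self._mismatch_since = now_ms
            if now_ms - self._mismatch_since >= self.fdb_time_ms:
                self.q = False
                self.error = True
        return MonitorState(self.q, self.error, self.error)


def run_cycle(monitor: FeedbackMonitor, plant: SimulatedContactor, now_ms: int,
              activation: bool, estop: bool = False, ack: bool = False) -> MonitorState:
    """One OB35-style cycle: read the feedback, run the monitor, drive the coil."""
    state = monitor.step(now_ms, activation, plant.feedback(), estop=estop, ack=ack)
    plant.drive(state.q)
    return state


if __name__ == "__main__":
    mon, plant = FeedbackMonitor(fdb_time_ms=100), SimulatedContactor()
    run_cycle(mon, plant, 0, activation=True)
    run_cycle(mon, plant, 50, activation=True)
    plant.welded[0] = True                      # one channel welds shut
    for t in (100, 150, 210):
        state = run_cycle(mon, plant, t, activation=False)
    print(state.error, plant.conducting())      # True False: fault latched, circuit open
```

Run with `FeedbackMonitor(fdb_time_ms=2000)` to reproduce the 2 s limit the thesis uses for the manual WinCC button. The important property to check is the last line of the scenario: when one channel welds, the other channel still breaks the circuit, and the feedback discrepancy turns into a latched fault that refuses to re-energise the contactor until the welded contact has been dealt with and acknowledged.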
5 HUMAN MACHINE INTERFACE
In this chapter the theory behind, and the design of, the HMI for the system are
explained. It is very important to design a functional and intuitive HMI, as it will likely
be in use for a long time and influence the users of the system.
A properly designed HMI increases the user's situational awareness and thereby
reduces the chance of user error.
5.1 Guidelines
At the time of writing (2008) there were no standards regarding HMI design within
industrial automation. Some guidelines exist for designing an HMI, but they are very
limited in scope and usually deal only with fundamental issues. Although these
guidelines are not theory, they are a good starting point for designing an HMI. The
guidelines used in this subchapter are taken from Hexatec (2002).
When designing the HMI, it is important to understand how the operator will use it.
Generally, people scan a screen the same way they read a page in a book: the scan
starts in the top left corner and proceeds to the right, with two or three sweeps down
to the bottom right, as seen in figure 5-1. With this in mind, important items should be
placed at the top of the page, including alarms and all navigation and execution
buttons. The main overview diagram should be placed in the middle of the screen, and
the bottom of the screen should be reserved for secondary function buttons.
Figure 5-1: Human scanning of a screen.
The first screen after the operator has logged in should be an overview of the whole
system. From there, the user can navigate into the sub-parts of the system. Important
parts of the system should, if possible, be displayed graphically, as this gives the
operator a better understanding of the system. The background should for the most
part be without graphics.
Colours play an important part in the system visualization. Used correctly they can
enhance data and performance; used incorrectly they confuse and overwhelm the user.
The preferred colour convention, following the standard for safety signs (ISO 3864),
defines the following colours:
Red = stop, prohibition, danger.
Yellow = caution, risk of danger.
Green = safe condition.
Blue = mandatory action.
These colours should not be overused for other purposes. This is especially true of red,
which should be reserved for alarms. Large blocks of bright colours should be avoided,
as they cause eyestrain.
Background colours must be chosen carefully. White and black may provide good
colour contrast for text, but they produce too much glare on the screen. Light grey is
much better suited as a background colour.
Text should be written in the same font throughout all screens. Avoid too much
upper-case and underlined text. The minimum text size should be 12 point.
Text, and especially data, should be grouped in areas of the screen, and the location of
data should remain consistent across all screens. Avoid displaying unnecessary decimals:
data should be represented with just enough information, since unnecessary precision
only slows the user's reaction.
For safety reasons, all buttons that activate potentially dangerous parts of the system
should open a pop-up window that makes the operator confirm the action.
If the screen is accessible to people other than the operator, it should require a logon at
the start. This reduces both accidental and intentional activation by people who are not
authorised to operate the system.
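The two safety guidelines just given (a logon before the screen accepts commands, and a confirmation pop-up for dangerous actions), plus the supervisor-only rule for connecting a generator to a rail from chapter 3, as an HMI-side command gate. This is an added example for this page and not part of the thesis's WinCC project: the role names, the action names and the confirmation timeout are assumptions. Note that because WinCC writes directly into the shared data blocks DB2 and DB3, a gate like this only protects the screen; the interlocks in FB5 and the safety program remain the final check in the PLC.

```python
"""HMI-side command gate: logon, role check and timed confirmation (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Only the supervisor may connect a generator to a rail (assumed action name).
SUPERVISOR_ONLY = {"connect_generator"}
# Actions that energise part of the system and therefore need a confirmation pop-up.
DANGEROUS = {"connect_generator", "close_contact"}


@dataclass(frozen=True)
class Session:
    user: str
    role: str   # "supervisor" or "user" (assumed role names)


class CommandGate:
    """Decides whether a screen command may be written to the PLC's shared DB."""

    def __init__(self, confirm_timeout_ms: int = 10_000):
        self.confirm_timeout_ms = confirm_timeout_ms
        # (user, action, target) -> time the confirmation pop-up was shown
        self._pending: Dict[Tuple[str, str, str], int] = {}

    def request(self, session: Optional[Session], action: str, target: str,
                now_ms: int, confirmed: bool = False) -> str:
        if session is None:
            return "login_required"            # screen reachable by non-operators
        if action in SUPERVISOR_ONLY and session.role != "supervisor":
            return "forbidden"
        if action in DANGEROUS:
            key = (session.user, action, target)
            if not confirmed:
                self._pending[key] = now_ms    # show the pop-up, wait for the second click
                return "confirm_required"
            shown_at = self._pending.pop(key, None)
            if shown_at is None or now_ms - shown_at > self.confirm_timeout_ms:
                return "confirm_expired"       # stale or never-shown confirmation is rejected
        return "sent_to_plc"


if __name__ == "__main__":
    gate = CommandGate()
    bo = Session("bo", "user")
    print(gate.request(bo, "connect_generator", "G1_A", 0))            # forbidden
    print(gate.request(bo, "close_contact", "C8", 0))                  # confirm_required
    print(gate.request(bo, "close_contact", "C8", 500, confirmed=True))  # sent_to_plc
```

A confirmation is bound to the user, action and target that opened the pop-up and expires after the timeout, so a stale "OK" cannot be replayed against a different contact or after the operator has walked away from the touch screen.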
5.2 Theory
While the guidelines are helpful, they do not address how an HMI should be designed.
The most effective method for designing an HMI is user-centred design, which means
designing the system interface around the operator. Traditionally, systems have been
designed from a technological perspective, where the operator has had to adapt to the
system. Although this project implements a user-centred design, it must be remembered
that this is a very technologically oriented project and the operator is expected to have a
technical background.
The foundation of user-centred design is situational awareness (SA). SA means simply
being aware of what is happening around you and understanding what the information
means now and in the future. Supporting SA directly supports the cognitive processes of
the operator and thereby enables him to make decisions.
By using certain theory and design principles, a user-centred design can be achieved.
The theory and principles used in this subchapter are taken from Endsley, M.R. (2002).
The principles described in the book cover everything from simple industrial systems to
complex aviation systems. I have filtered out the theory and principles that are best
suited to industrial SCADA systems. While it is not a definitive list, it will give the
designer the theory and principles needed to design an HMI, without dealing too much
with the psychological aspects behind the human factors.
5.2.1 Situational Awareness
Figure 5-2: Situational Awareness Factors.
The factors of situational awareness can be seen in figure 5-2. There are three levels of
SA. The first is the perception of elements in the current situation. Perception of
information can come from visual, auditory or other senses, with the first two being
dominant.
The second level is comprehension of the situation. This involves integrating all the
information and prioritizing its importance relative to the goals. The last level is the
projection of future status: once the user knows the elements and their relation to the
goals, he should be able to predict what the elements will do in the future.
There are many factors that influence the decision-making process and reduce SA.
They include human factors such as workload, anxiety, fatigue and other stress factors.
While those factors are important, they are hard to take into account when designing
for SA and are omitted from this report.
Other factors that work against SA can be addressed in the design phase.
Data overload is a significant problem for SA. Too much or too rapid information
overloads the user's sensory and cognitive system. Every effort should be made to
reduce data overload, either by sorting information or by changing the way information
is displayed.
Misplaced salience is the case where the user is subjected to too many external stimuli.
Used in moderation, lights, sounds and movement can help direct the user towards
information; overused, they can overwhelm the user and cause information to be missed.
The last factor is the out-of-the-loop syndrome, a by-product of too much automation.
While automation can reduce excessive workload, it can also lower SA in some cases.
When the latter occurs, the user finds himself out of the loop and unable to make a
decision.
5.2.2 Principles of designing for SA
The principles described below can be considered universal for designing a user
interface. They deal primarily with the design aspect and not the human aspect of SA.
Principle 1: Organize information around goals.
Information should be organized around the user's goals rather than presented in a
technology-oriented way. Information needed for a particular job should be grouped
together and located where it is needed.
Principle 2: Support global SA.
When the user's attention is directed to a subset of information, his global SA is
reduced. Too many windows and menus can distract the user and obscure information.
This can be counteracted through the use of global SA displays.
Principle 3: Use information filtering carefully.
Although information overload is a problem, too little information is an even bigger
problem. Filtering information can deprive the user of global SA, forcing him to be
reactive rather than proactive and making it difficult to identify developing situations.
Only information that is truly not needed should be eliminated; less important
information should be made less visible.
Principle 4: Reduce complexity.
Systems can quickly become too complicated. When receiving feedback about the
system, the designer will get many suggestions and requests for more features. Adding
too many features should be avoided; only features that are really needed should be
kept.
Principle 5: Ensure logical consistency.
Inconsistencies in the logical functioning of the system dramatically increase
complexity. Differences in information or in logical operations confuse the user and
slow his reaction.
Principle 6: Reduce display density.
Excessive display density confuses the user and increases the time needed to find
information. This is especially true of systems that use many menus and windows.
Although effort should be made to reduce density, it should not be at the cost of
coherence.
Principle 7: Minimize task complexity.
The number of actions needed to perform a single task should be kept to a minimum. If
the user is required to learn and remember complex series of actions, it only adds to his
cognitive load and increases the chance of error.
Principle 8: Don't make the user reliant on alarms.
Alarms tend to make people reactive. A better approach is to provide the user with the
information needed to be proactive, for example a warning about a system component
before that component causes a full alarm.
Principle 9: Make alarms unambiguous.
Alarms are not effective if they can be misinterpreted. There must be a clear difference
between an alarm and the normal display. There should be clear text explaining the
alarm and, if necessary, other indicators such as sound.
Principle 10: Reduce false alarms.
Reducing false alarms is the most important improvement to a system that an engineer can
make. False alarms will reduce SA and overall trust in the system.
The best time for reducing false alarms is shortly after the system has been taken into use.
With the help of the users, alarm limits can be adjusted and the system fine-tuned.
Principle 11: Support rapid global SA in an alarm state.
All the information needed to react to an alarm should be present during an alarm. The
user should not have to wade through all the information to find what is needed.
Latching displays that show the alarm should be avoided if they obscure SA-relevant
information.
Principle 12: Automate only when necessary.
This is one of the most important principles for an engineer designing an HMI. Too much
automation will increase system complexity, create out-of-the-loop performance
problems and reduce the user's decision-making ability. Automation should mainly be
used for routine, repetitive tasks that do not require much input from the user. The
proliferation of automation modes should be avoided, as they will reduce SA and
reaction time. As seen in the hypothetical example in figure 5-3, the reliability of the
system is reduced when the user is not in full control.
Figure 5-3: Effect of automation on reliability.
  Parallel system (human and machine in parallel on the world data):
    Reliability = 1 - (1 - HR)(1 - MR)
    Ex. HR = 90%, MR = 85%: 1 - (1 - 0.9)(1 - 0.85) = 98%
  Serial system (human in series with the machine):
    Reliability = (HR)(MR)
    Ex. HR = 90%, MR = 85%: (0.9)(0.85) = 77%
With these guidelines and principles the engineer should be able to design a system that
supports SA.
5.3 HMI Design
The HMI is made in the Siemens WinCC software. This software is designed to work in
conjunction with the Siemens Step7 software. Communication between the two can be
configured for various bus systems. In this project the Siemens MPI bus is used.
Data between WinCC and Step7 is passed by means of tags. A tag has a data address
and a symbolic name that is used in the project. The data address can be an input, an output, or
an address in a data block or in the system memory. The tag can be of any data type,
from a single bit to a string. WinCC has two kinds of tags: process tags, which are used
to communicate between WinCC and Step7, and internal tags, which are used to transfer
data within WinCC. To facilitate object-oriented programming, tags can be structured
and grouped together.
The screen is made up of a number of pictures created in the graphics editor. These
pictures are then made dynamic with various editors. The editors include a C editor, a
Visual Basic editor and a tag connection editor. See the editor in figure 5-4.
For all pictures and documentation from WinCC see appendix B.
Figure 5-4: Graphic editor.
The screen in this project is designed for the supervisor, who has the right to activate the
generators. The user screen located at the cells would be a similar version, without the
ability to activate the generators.
The screen starts with a login picture, as seen in figure 5-5. The administrator sets the
user name and password. If the user name and password are correct, the next picture
brought up is the picture titled main.pdl; it is the template for all other pictures on the
screen. From this picture the top, middle and bottom pictures, along with all alarm and
pop-up windows, are called.
The top picture is the navigation bar and it is a permanent feature in the screen. It
contains buttons to navigate to other pictures, as well as an alarm log, time and date, the
name of the user logged on and an exit button. The middle picture changes
according to which picture is chosen. The bottom picture is reserved for secondary
function buttons. In this design it contains buttons to test the system, such as emergency
stop and welding simulation.
Figure 5-5: Electric Lab Login.
Every object in the pictures that reacts to a tag or action has to be programmed. The
navigation buttons in the top picture are programmed in the C editor to replace the
middle picture with the desired picture. The buttons used to switch the generators and
cells are programmed in C code and either set or reset the tags controlling the contacts.
All objects that change shape or color are programmed to read the status of a particular
tag. The measurement windows in the generator and cell pictures read a variable table
address in Step7.
Figure 5-6: System overview.
The first picture to appear after the user has logged in is the overview picture, see figure
5-6. From this picture, the user can see every part of the system. The rails light up when
a generator or cell is connected. This shows which generator or cell is connected to the
rails and increases the user's SA. The user can navigate through the system by pressing
on the navigation buttons in the top bar or by pressing on the figures in the picture.
When in the generator or cell pictures, only the navigation buttons in the top are used to
navigate.
The generator overview picture shown in figure 5-7 is only accessible to the supervisor.
From this picture the generators can be switched on to the rails. A measurement window
placed above each generator shows its values. The rail values are displayed on the right
side of the rails. When the ON button is pressed, the button and the rail change to a
brighter colour, indicating which generator and rail are turned on.
The cell pictures are identical for the two implemented cells, see cell 10 in figure 5-8.
Positions of the rail values are located on the left side of the rails. The cell values are
located above the cell in a more compact version than the rail values. This was
necessary, as the space was limited. Just like in the other pictures, the buttons and lines
light up, indicating a connection.
Figure 5-7: Generator overview.
Figure 5-8: Cell 10 overview.
The system has several safety features that will override the user. The most important
safety feature in the system is the emergency stop. There are two types of emergency
stops for the system: one in each cell, which shuts down that particular cell, and a universal
emergency stop, located close to the supervisor, which shuts down the entire system. In
this project only the universal emergency stop is implemented. When activated, a
picture will appear with a flashing red frame and a flashing circle indicating the position
of the emergency button in a diagram showing the floor plan, see figure 5-9.
This provides the user with global SA and will ensure a proactive reaction. When the
emergency button has been reset, the user can acknowledge the system and start to
operate it again.
Figure 5-9: Emergency stop window.
Another feature is designed to reduce the chance of damage to the equipment. If a
voltage or frequency mismatch is detected between the generator and rail, a picture will
appear showing the measurements in question and give the user the option of returning
to the previous picture or switching the generator to the rail. This check is only
performed when the generator contact is being activated. See figure 5-10.
Figure 5-10: Measure error window.
One feature works as a circuit breaker, see figure 5-11. If a generator current exceeds a
preset limit slightly lower than that of the manual circuit breaker, the generator will be
switched off the rail and a pop-up window will inform the user what has happened. This
will eliminate the need to manually reset a circuit breaker that might be located far from
the user. Once the pop-up window has been closed, the contact can be activated again.
Another feature in the system informs the user with a pop-up window if an attempt is
made to switch a generator onto a rail that already contains a generator, see figure 5-12.
If this were to happen it would result in damage to the equipment. Once the user closes
the window, he can continue to operate the system.
Figure 5-11: Generator current safety.
Figure 5-12: Rail error.
The last feature is the contact welding warning. This occurs when a contact has welded
shut. The contact cannot be activated again without an acknowledgement from the user
in the pop-up window. As the instruction text in the window explains, the user is asked
to replace the faulty contact and then acknowledge to reset the system. If the contact is
not replaced, then the same warning will appear the next time the contact is activated.
Figure 5-13: Contact-welding alarm.
These safety features in the system are designed to give the user enough information to
deal with the situation without having to search for further information in other pictures.
This supports the user's SA and keeps him in control.
The emphasis has been on using the design principles when making the pictures. They
all follow the same form and remain consistent in all pictures. They contain as much
information as possible, while still being coherent and simple.
Conclusion
41
6 CONCLUSION
This project has been very interesting. Unlike many earlier projects it does not rely on
designing the system from a mathematical model, but rather from industry standards.
It has given an insight into the process required to design an industrial SCADA system.
This has made the project very realistic.
6.1 Results
The main objective of creating a SCADA prototype for DTU’s Electric Lab has been
successful. The first step of this project was to find out what standards applied to the
system and once the risk assessment had determined the level of safety required, the
design process could start. Because the PLC and HMI operate together, both parts had
to be designed simultaneously. This resulted in a steep learning curve in the beginning,
but once both parts were operational, then the individual parts of both the PLC and HMI
could be tested. Making the graphics active in WinCC proved to be challenging. The
logic that controls when the rails light up lies in the PLC code and creating logic for all
the individual objects that make up the rails would require about 150 tags and a lot of
logic.
Simulating the system without hardware worked quite well. Simulating in real time can
be a bit difficult though as all measurement values have to be manually written in the
variable table. Every safety feature was tested individually and in combination with
other functions.
The integration of safety features in the system was relatively simple. Siemens has
developed its own safety solution that is integrated with the rest of the system. Siemens
has documented its solutions very well, which has made the safety design easy to
implement. While the safety design could be accomplished in many different ways, it
is necessary to use Siemens integrated safety solutions when using Siemens software
and hardware.
The use of theory in the design of SCADA systems is greatly under-used in the
industry. The Hexatec guidelines are a good summation of the unwritten rules used in
the industry and a good place to start when designing a HMI, but they do not provide
the principles needed to design a system.
The use of theory in the HMI design has been quite beneficial in this project. It has
given the project a set of principles to work from. By using these principles, the
designer can avoid making design errors that would likely only be revealed through feedback
from the user after the system is operational.
6.2 Further work
There are some improvements that can be made to the system, but could not be
implemented because of time restrictions. While there could be many improvements
made to the system, the two improvements below are the most important ones.
The safety features lack a hierarchy structure. They work as they should from a safety
standpoint, but if two are triggered at the same time the pop-up windows appear on top of
each other. Although it's unlikely that two would be active at the same time, it is a
possibility. By adding some logic in the PLC code, the pop-up windows could appear
consecutively with the most important one appearing first.
Another part of the system that could be improved is the way the measurements are
presented in the HMI. They are fixed on the same set of values and the only way the
user can access other values is to change to another picture. This will reduce his SA and
increase the time needed to gather information.
A possible solution would be to give the user control over what values are displayed in
the picture. This could be accomplished by either having buttons in one window where
the user could choose which values are displayed or by having a window where the user
could scroll for the desired values.
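The interlocks of the safety features section (emergency stop, software circuit breaker, rail already occupied, voltage/frequency mismatch, welded contact) together with the pop-up hierarchy proposed under further work, as an added example written for this page and not the thesis's own Step7 or WinCC code. The alarm priority order, tag names, limits and readings are assumptions made for the illustration.

```c
/* Added example, not the thesis's Step7/WinCC code: the generator-to-rail
 * interlocks of section 5.3 in one PLC-style scan, checked in a fixed priority
 * order so only the most important pop-up is raised (the alarm hierarchy
 * proposed in section 6.2). Names, limits and readings are constructed. */
#include <stdbool.h>

typedef enum { NO_ALARM = 0, EMERGENCY_STOP, OVERCURRENT, CONTACT_WELDED,
               RAIL_OCCUPIED, MEASURE_MISMATCH } Alarm;  /* highest priority first */

typedef struct {
    bool estop_active;       /* universal emergency stop pressed */
    bool switch_request;     /* supervisor pressed ON for this generator */
    bool contact_welded;     /* contact stayed closed after being reset */
    bool weld_acknowledged;  /* user confirmed replacement in the pop-up */
    bool rail_has_generator; /* another generator is already on this rail */
    bool mismatch_override;  /* user chose "switch anyway" in the error window */
    double gen_current;                              /* A */
    double gen_volt, rail_volt, gen_freq, rail_freq; /* V, V, Hz, Hz */
} Inputs;

#define TRIP_CURRENT 95.0 /* A, constructed: just below an assumed 100 A breaker */
#define VOLT_TOL      5.0 /* V, constructed tolerance */
#define FREQ_TOL      0.2 /* Hz, constructed tolerance */

static double absd(double x) { return x < 0 ? -x : x; }

/* One scan: updates the contact command and returns the pop-up to show.
 * Safety checks come first and override the user; switching checks run only
 * on an ON request, so the contact never closes while an alarm is pending. */
Alarm scan(const Inputs *in, bool *contact_closed)
{
    if (in->estop_active) {                        /* overrides everything */
        *contact_closed = false;
        return EMERGENCY_STOP;
    }
    if (*contact_closed && in->gen_current >= TRIP_CURRENT) {
        *contact_closed = false;                   /* software breaker drops the rail */
        return OVERCURRENT;
    }
    if (!in->switch_request) return NO_ALARM;
    if (in->contact_welded && !in->weld_acknowledged) return CONTACT_WELDED;
    if (in->rail_has_generator) return RAIL_OCCUPIED; /* two on one rail = damage */
    bool mismatch = absd(in->gen_volt - in->rail_volt) > VOLT_TOL ||
                    absd(in->gen_freq - in->rail_freq) > FREQ_TOL;
    if (mismatch && !in->mismatch_override) return MEASURE_MISMATCH;
    *contact_closed = true;                        /* all interlocks satisfied */
    return NO_ALARM;
}
```

Because the checks are ordered, a scan in which both a welded contact and an occupied rail are present reports only the welded contact until it is acknowledged, which is the sequencing the further-work section asks for.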
REFERENCES
[1] Endsley, M. R., Bolté, B. and Jones, D. G. (2003). Designing for situation
awareness: an approach to user-centered design. Taylor & Francis, 11 New
Fetter Lane, London, England.
[2] Hexatec. (2002). Operator screen (HMI), Design guidelines. Orhrelands
Hexam, Northumberland, England.
http://www.hexatec.co.uk/Documents/Operator_Screen_Design.pdf.
[3] Erickson, K. T. (2005). Programmable Logic Controllers: An emphasis on
design and application. Dogwood Valley Press, LLC, 1604 Lincoln Lane Rolla,
MO, USA.
[4] Siemens. (2001). Simatic HMI. Operating and monitoring with WinCC.
http://www.sitrain.com
[5] Siemens. (2004). Simatic S7 Programming.
http://www.sitrain.com
[6] Siemens. (2004). Communication. S7 Profibus.
http://www.sitrain.com
PLC Code
44
PLC CODE
The PLC code shown here contains the following blocks: OB1, OB35, FB1, FB4, FB5
and FB6. To reduce the size of the report, the rest of the code is placed on the CD.
WINCC PICTURES
To reduce the size of the report, all WinCC documentation is placed on the CD.
DTU Electrical Engineering
Automation and Control
Technical University of Denmark
Elektrovej Building 326
DK-2800 Kgs. Lyngby
Denmark
www.elektro.dtu.dk/English/research/au.aspx
Tel: (+45) 45 25 35 50
Fax: (+45) 45 88 12 95
E-mail: [email protected]