Validating Software in Commercial Smart Transmitter for Safety-Critical Applications

Gopinath Karmakar, Ashutosh Kabra, Jose Joseph and R. K. Patil
Bhabha Atomic Research Centre
Mumbai, India

Abstract

Industries, including nuclear industries, depend on the transmitters (for monitoring process parameters) that are available in the market from reputed manufacturers. This work aims at answering the question of how to validate and qualify a smart transmitter, containing pre-developed software (PDS) in it, for its suitability in safety-critical application when there is no access to the software development process documentation.

The answer lies in the feasibility of exhaustive black box testing with inputs that covers the entire input set. We have argued over the feasibility of validating a commercial smart transmitter, by means of testing only and established our claim with the test results carried out on a commercial Off-The-Shelf Smart Temperature Transmitter. The key point of the whole argument is taking advantage of the resolution of the ADC (Analog to Digital Converter) that makes the set of test inputs a finite one and yet exhaustive.

1. INTRODUCTION

It is a fact that conventional analog electronic transmitters will soon become a thing of past as it is getting replaced by the Smart Transmitters. Nuclear industries depend on the transmitters that are available in the market from the reputed manufacturer viz. Rosemount, Honeywell, Endress-Hauser etc. It is the long history of industrial use and its performance and the reliability of analog electronics that gave us confidence to use conventional transmitters in nuclear applications. But, a Smart transmitter is a microprocessor or microcontroller-based system and it contains software. Therefore, the question is how we can evaluate a smart transmitter, which contains pre-developed software in it, for its suitability in safety/safety-related application when there is neither any access to the documentation pertaining to the software development process nor to the source code?

In this paper, we propose a method so that an exhaustive yet finite number of test cases can be generated to evaluate the capability of the transmitter to meet the functional and performance requirement demanded from it for safety applications.

It may be noted that in this paper the discussion is mainly on smart temperature transmitter and our validation technique has been applied on a COTS (Commercial Off-The-Shelf) smart temperature transmitter, for which the test results have been reported. But, same methodology will be applicable for pressure transmitter also, as the software in a smart transmitter will only see the output of the ADC (Analog-to-Digital Converter) inside the transmitter and is unaware of the type of field input (temperature, pressure etc.) that causes the ADC to generate output.

2. REVIEWING A SMART TRANSMITTER

Smart transmitters, like any conventional analog electronic transmitters, takes the process parameters like temperature, pressure etc. as inputs (through transducers), convert them into standard 4-20mA signal, and transmit it to plant control and monitoring systems. A Smart Transmitter is a microprocessor/microcontroller based system, which has the facility of configuration of various parameters and provides digital communication mainly with HART (Highway Addressable Remote Transducer) protocol. All adjustments and operational settings are implemented through Smart Hand-Held Field Interface or remotely wired communicator.

We have studied a range of smart temperature transmitter manufactured by the market leaders that includes [1], [2], [3] and concluded that the basic operation is same for smart transmitters of all makes.

Figure 1 shows the functional block diagram of a smart temperature transmitter. The temperature sensor (thermocouple, RTD etc.) output is fed to the transmitter as input. The Analog-to-Digital Converter (ADC) in it converts the analog (mV or ohm) signal into digital one. The software running in the microcontroller uses this raw digital input data to generate digital output. Digital-to-Analog Converter (DAC) at the output stage converts the digital output into 4-20 mA analog output. A number of configuration parameters like, LRV (Lower Range Value), URV (upper Range Value), engineering units, zero-point adjustment, pattern/type of input filtering etc. are configured before use.

Figure 1: Smart temperature transmitter block diagram

After studying the material architecture [4] according to IEC 60770-3, applicable to smart transmitters and the technical documents from Honeywell, Rosemount and Endress+Hauser, statechart modeling the dynamic behavior of smart transmitter is presented in Figure 2.

It is admitted that there is no way to generate a detailed statechart for the software inside a commercial transmitter. But, the first level of statechart can be inferred. The statechart presented here is based on the following facts.

Basic functionality involves reading sensor input, processing and generating output, which constitutes the states for functional requirement.
Communication request comes asynchronously and therefore it calls for a state concurrent to the input processing.
All transmitters come with a facility for test. This test state is an independent state and activated on the event of test demand. In this state, the transmitter stops performing its normal function as depicted in PROCESSING state in Figure 2.

Therefore, it is evident from the statechart that the state of the software can only be changed by i) Sensor Input, ii) Test input or iii) Configuration data via communication.

Figure 2: Statechart of a smart temperature transmitter

3. COTS SMART TRANSMITTER AND SAFETY APPLICATIONS

A smart transmitter has software in it. Therefore, the immediate and obvious reaction of the nuclear Control and Instrumentation (C&I) community is that Commercial Off-The Shelf (COTS) software cannot be used in safety/safety-critical application and the argument goes like this.

The vendor will not do the software qualification for a single customer, who would not buy in huge quantities.
The SDLC (Software Development Life-Cycle) documents are not accessible, leave alone source code, to assess the quality of the software, at user end.
We cannot depend on testing, because 100% testing is not possible as theoretically, it can call for infinite number of test cases.

In this paper, we discuss, whether, a single-input-single-output system like a smart transmitter can be qualified by testing alone. In the following sections, we will discuss that exhaustive testing can be performed even with finite number of test cases.

4. FINITE TEST CASES

From, the functional block diagram (Figure 1) of the smart temperature transmitter, it is easy to conclude that though actual field input is a continuous analog signal, the input values that will be seen by the processor in the transmitter is limited by the resolution of the ADC. Therefore, the effective set of sensor input values is a finite one

Notations:

I_lo : Lowest value of input
I_hi : Highest value of input
r : ADC resolution (no. of bits)
W : Set of whole numbers

So, taking advantage of the resolution of ADC we can claim that no. of test cases required to test all possible inputs are N=2^r and for the ADC to detect two consecutive discrete inputs as different ones, the required step difference is

δ = (I_hi - I_lo ) / (N-1)

Therefore, over the entire range [I_lo-,I_hi], the input values (I) that need to be considered for testing are I (Ilo+ k*δ) where k W and k <= N-1 Any input value that lies within two consecutive discrete values I and I+δ will produce either the digital code for I or I+δ in the ADC and hence, we need not test the transmitter for an infinite input set.

5. EFFECT OF ADC ERRORS

The effect of ADC errors viz. a) Differential non-linearity (DNL), b) Integral Non-Linearity (INL), c) Offset and Gain errors, and d) Temperature Drift has been studied [5]. It is found that ADC errors (a, b, c) have their fixed values and they do not change with time. Therefore, if any particular transmitter passes the tests with the finite test input set (Section 4), we need not worry about these hardware errors including temperature drift, when the environmental temperature is maintained within specified limits.

6. FIXED CONFIGURATION DATA

For a particular application the following configuration data are set to fixed values for the particular transmitter involved.

Range Value (Zero/Span): Zero/span adjustment are configured once to fixed values
Engineering Units: Parameters for engineering conversion, configured once to fixed values.
Damping/ Filtering: The pattern/type of damping/filtering is configured once.
Linearization techniques may vary, but, it is either fixed for a transmitter, or set to a fixed table.
Zero point Adjustment

Therefore, before putting the transmitter into test, the above parameters can be configured for their fixed values, using hand-held configurator.

7. EFFECT OF ADDITIONAL SOFTWARE MODULES

Effect of the software modules that perform additional functions are discussed in this section.

7.1 Diagnostics

Smart transmitters usually provide diagnostics in two modes viz. automatic self-diagnostics and on-demand device test.

Self-diagnostics is carried out automatically and repeated periodically. Therefore, its affect will be validated during the test carried out with the finite input set mentioned in Section 4.

On-demand diagnostics is carried out using digital communicators, which can be barred during operation.

7.2 LCD Display

LCD display is one-way display message to the LCD. All possible combinations of messages can be tested, as it will be a finite number of tests.

7.3 Digital Communication

This paper has not considered the effect of digital communication module, because digital communication will be used only for writing/updating configuration data. Once configured, the transmitter will be put under validation test and communication can be administratively prevented by disconnecting the communication cable.

8. SUMMARY

To summarize the above discussions, it can be stated that once a Smart Temperature transmitter is configured for all its parameters before use and the digital communication is barred by not allowing any physical communication connection, the software functionality is reduced only to reading a single field input signal and processing it to generate 4-20 mA output.

Therefore, once a transmitter is configured and we are equipped with a finite set of test input data that will fully cover its single-input single-output transformation process carried out by the software, i.e., there will be no unpredictable states in the transmitter software, which may invoke a software module whose response is unpredictable and not covered by testing.

9. TEST SET-UP

To validate a temperature transmitter, we developed a set-up and generated test results to establish our claim. The block diagram of the test set-up is given in Figure 3.

Figure 3: Test setup

For test input generation, Temperature Simulator (MCIH Intcal TM-10) has been used to give precise resistance input to the transmitter under test (MOORE XTCTM Series 343).The transmitter was configured using HART communication device for its range and output type before putting it to testing. The digital communication device was removed after configuration.

We simulated Pt100 RTD having an input range of 18.56Ω (-2000C) to 390.40Ω (8500C). For a 12-bit ADC, the input resolution of the transmitter will be

(390.40 Ω - 18.56 Ω)/212 = 0.09 Ω

Because of the ADC resolution of 0.09 Ω, the transmitter will only be able to detect change in input if it is ≥ 0.09 Ω.

We generated the test input set separated by 0.05 Ω and recorded the transmitter output continuously in a digital recorder (EUROTHERM Chessell 5000 Series) and the recorded data was accessed by a PC station for analysis.

Table 1.Test data

Date	Time	Sim. Input (Ω)	Transmitter Output (4-20mA)
8/19/2010	17:13:15	115.65	8.19
8/19/2010	17:13:30	115.70	8.19
8/19/2010	17:13:45	115.75	8.19
8/19/2010	17:14:00	115.80	8.19
8/19/2010	17:14:15	115.85	8.19
8/19/2010	17:14:30	115.90	8.20
8/19/2010	17:14:45	115.95	8.20
8/19/2010	17:15:00	116.00	8.20
8/19/2010	17:15:15	116.05	8.20
8/19/2010	17:15:30	116.10	8.20
8/19/2010	17:15:45	116.15	8.21
8/19/2010	17:16:00	116.20	8.21
8/19/2010	17:16:15	116.25	8.21
8/19/2010	17:16:30	116.30	8.21
8/19/2010	17:16:45	116.35	8.22
8/19/2010	17:17:00	116.40	8.22
8/19/2010	17:17:15	116.45	8.22
8/19/2010	17:17:30	116.50	8.22
8/19/2010	17:17:45	116.55	8.23
8/19/2010	17:18:00	116.60	8.23
8/19/2010	17:18:15	116.65	8.23
8/19/2010	17:18:30	116.70	8.23
8/19/2010	17:18:45	116.75	8.24
8/19/2010	17:19:00	116.80	8.24
8/19/2010	17:19:15	116.85	8.24
8/19/2010	17:19:30	116.90	8.24
8/19/2010	17:19:45	116.95	8.24
8/19/2010	17:20:00	117.00	8.25
8/19/2010	17:20:15	117.05	8.25
8/19/2010	17:20:30	117.10	8.25
8/19/2010	17:20:45	117.15	8.25
8/19/2010	17:21:00	117.20	8.25
8/19/2010	17:21:15	117.25	8.26
8/19/2010	17:21:30	117.30	8.26

The excerpts from the test data in Table 1 shows that the output remains unchanged when input values lie within two consecutive discrete values separated by the resolution (0.09Ω) of the 12 bit ADC (for Pt100 RTD input range 18.56Ω to 390.40Ω). This test data assures that the transmitter under test gives output as per the requirement specification.

The result of the test set for an input range of 0ºC-850ºC is shown in the form of chart in Figure 4. From this chart we can conclude that the transmitter under test will produce output as expected by design for the entire input range for which it will be used. It may be noted that it is assumed that all the configuration data like LRV, URV, engineering units, zero-point adjustment, pattern/type of input filtering etc. will not be altered by the user once configured and tested. The transmitter should be tested again if user wants to change any configuration data.

Figure 4: Temperature Transmitter output for simulated Pt100 sensor

10. INDUSTRIAL APPLICATION

For industrial use, the smart transmitter validation test must be automated and should be time and cost-effective. To meet the requirement of automated testing, the temperature simulator shown in Figure 3 must be programmable. The programmability is required to generate test inputs with a fixed time-interval between two successive inputs, without manual intervention. Time interval between two successive inputs will depend on the update time of the transmitter under test, and it should be more than the update time specified.

A test setup requires only a programmable and temperature simulator (a standard laboratory product available from multiple vendors), a digital recorder and a PC, which does not involve very high cost. Further, a transmitter with 12-bit ADC and a typical update time of 500 mSec can be tested exhaustively using our technique in less than 45 minutes.

11. CONCLUSION

It has been established that exhaustive testing is feasible for a single-input-single-output device like smart temperature transmitter. Presently, the test has been carried out manually but it can be automated by using programmable temperature input simulator. The same principal is applicable for other type of transmitters like pressure, level etc for validation of third party software in it.

ACKNOWLEDGEMENTS

We thankfully acknowledge Shri G.P. Srivastava, Director, E&I Group, Shri B.B.Biswas, Head, RCnD and Shri Jose Joseph, Head, CSES, RCnD, Bhabha Atomic Research Centre, for giving us the opportunity to work on this project. Our sincere thanks go to Dr. A.P.Tiwari, Head, RCSDS for his encouragement and support and to Shri Ranjit Kumar for his painstaking effort in carrying out the testing. We also thank Shri P.R.Patil, Head, PIDS, RCnD and Shri VIkas Kaushik, SO/F, for the valuable technical discussions, we had with them.

REFERENCES

[1]. STT 3000, Series STT250 Smart Temperature Transmitter Operator Manual, Issue 7 – 12/00, EN1I-6190, Honeywell.

[2]. Model 3144 and 3244MV Smart Temperature Transmitter Manual, Rosemount Measurement.

[3]. Functional Safety Manual iTEMP® HART® TMT112 with a 4…20mA output signal Temperature Transmitter, Endress+Hauser.

[4]. F. Brissaud et al., “Dependability Issues for Intelligent Transmitters and Reliability Pattern Proposal”, Information Control Problems in Manufacturing INCOM 2009”, Moscow, 2009

[5]. G. Gauffet and J. P. Keradec, “Incidence of the Resolution and the Differential Non Linearity of a A/D Converter on High Dynamic Signal Measurement Experimental Characterization”, Conference record of the instrumentation and measurement technology conference, IMTC/1992, New York, May 12-14, 1992.