Siemens 2012
Solutions for Oil & Gas Offshore 100.1
A.O.Sveen, NTNU 2012
Siemens Safety Systems. NTNU 05.03.2012, Arnt Olav Sveen
• Solutions
• Applications
  » Basic system Simatic S7 F
  » Communication / network
  » Human-Machine Interface
  » Input and output modules
  » Software / programming
• History and background
  » General SIS basics
• Requirements in IEC 61508
  » Home safety system
Siemens Safety Systems.
"The prevention of accidents should not be considered a question of legislation, but instead our responsibility to fellow beings and economic sense."
(Werner von Siemens in 1880)
History of Siemens Electronic Safety Systems
Development started together with the arrival of computer-based control:
• SIMATIC S5-110F (1980)
• SIMATIC S5-115F (1988)
• SIMATIC S5-95F (1994)
• QUADLOG (1995)
• S7 F Systems S7-400FH / PROFIsafe (1999)
• Safety Matrix (1999)
• Distributed Safety S7 151F/315F/317F/416F (2002/2003)
Siemens Safety Systems.
First large safety project for offshore: 1985, Oseberg Feltsenter, 15 000 safety I/O.
Today nearly 30% of the installed safety systems in the Norwegian part of the North Sea, and numerous deliveries worldwide.
First solutions: Simatic PLCs with additional hardware, two PLCs running independently.
Today a full range of S7 F, TÜV-verified systems.
Work procedures according to IEC 61508, SINTEF-verified, and a full scope of function blocks and typicals.
Siemens Safety Systems applications are based on long experience
Siemens Safety Systems, Norwegian designed basic system
• Stena Don 2000
• Statfjord A 2000
• Snorre B 2000
• Huldra 2000
• Oseberg South 2000
• Embla 2000
• Oseberg Gas 1999
• Troll C 1999
• Eldfisk WIP 1999
• Statfjord B 1998
• Visund 1998
• Oseberg East 1997
• Petrojarl Foinhaven 1996
• Njord A & B 1995
• Statfjord C 1995
• Vigdis 1995
• Ekofisk 1995
• Eldfisk alpha 1993
• Brage 1992
• Embla 1991
• Snorre TLP 1990
• Oseberg A 1988
• Oseberg B 1987
Siemens Safety Systems, S7, PCS7 F
• HULDRA (Norway) 2000
• MAERSK XL1 / XL2 (world's largest jack-ups, built in Korea) 2002
• EKOFISK 2/7A 2002
• Visund 2006-2011
• Halfdan, 5 platforms (Denmark / built in Singapore and Holland) 2003-2011
• Al Shaheen (28 platforms in Qatar) 2003-2010
• White Rose FPSO (Canada / built in Canada/Korea/Abu Dhabi/USA) 2005
• P50, Albacora Leste FPSO (Brazil), PRA 1 2005-2007
• FPSOcean 1 (China) 2007-2009
• Santa Fe (USA, 2 drilling rigs) 2004
• Oseberg Field Centre (Norway) (113 off S7 400/400FH, 35 000 I/O) 2005-2007
• Statfjord A/B/C ESD and F&G 2004-2007
• Sevan SSP300-1, 2 and 3 2005-2008
• Deep Sea Driller 1 and 2 2007-2011
• Blackford Dolphin 2006-2008
• Snorre TLP 2006-2011
• Tor 2011
• Yme (upgrade) 2011
• ATP Cheviot (UK, Korea) 2011-
• Deep Sea Driller 3 & 4 (China / Norway) 2011-
• OCX (Brazil) 2011-
• GEAD Eldfisk, 5 installations in total 2011-
Safety Systems Applications: What is a safety system (SIS)?
Where does it intervene in the development of an accident, and hopefully stop it?
[Figure: layers-of-protection diagram. Labels, from the process outwards: process control system (normal activity, process value, process alarm; basic automation); plant personnel intervention; Safety Instrumented System (SIS), safety shutdown alarm (safety system, automatic); active mechanical protection (overpressure valve, rupture disc); passive protection (collection basin); disaster protection]
Safety Systems Applications: What is a safety system (SIS)?
[Figure: a reactor with level ("Low level"), flow (FT) and pressure (PT 1A, PT 1B) transmitters and an I/P converter. The Basic Process Control System (BPCS) and the Safety Instrumented System (SIS) each have their own inputs and outputs]
The SIS detects fire, gas leakage, overpressure, over-temperature etc., and releases fire-fighting, electrical isolation, shutdown and blow-down (isolate or release energy sources).
Safety Systems Applications: And what is "Equipment Under Control", EUC?
[Figure: a pressurized vessel (the EUC) connected over PROFIBUS-DP to AS 414 F / AS 417 F controllers and ET 200M stations with IM 153, safety module, F-I/O modules and standard I/O modules]
Safety Systems Applications: Purpose
Risk reduction by safety systems, SIS (from IEC 61508)
[Figure: risk scale with increasing risk to the right: residual risk, tolerable risk, EUC risk. The necessary risk reduction spans from the EUC risk down to the tolerable risk; the actual risk reduction, achieved by all safety systems, spans from the EUC risk down to the residual risk]
The purpose of introducing a safety system is to bring the risk down to an acceptable level.
Safety Systems Applications: What is risk? Who decides what is acceptable risk?
What do we accept? Examples of fatality risk figures:

Activity             cpm        per year        over a lifetime of 100 years
Smoking 20 per day   5000 cpm   5.0x10^-3/yr    1 of 2
Road accident        100 cpm    1.0x10^-4/yr    1 of 100
Car accident         150 cpm    1.5x10^-4/yr    1.5 of 100
Accident at work     10 cpm     1.0x10^-5/yr    1 of 1000
Falling aircraft     0.02 cpm   2.0x10^-8/yr    2 of 1 000 000 (note)
Lightning strike     0.1 cpm    1.0x10^-7/yr    1 of 100 000
Insect/snake bite    0.1 cpm    1.0x10^-7/yr    1 of 100 000

NOTE: the risk per hour is the same as for a car accident.
cpm = chances per million of the population (per year)
We are always informed when 8 persons are killed by a suicide bomber in Afghanistan, but we are not informed when 53 persons die in traffic accidents in Spain... which happens every weekend.
Safety Systems Applications: Risk reduction by safety systems, SIS
[Figure: likelihood versus consequence matrix with a tolerable risk region and an unacceptable risk region. For Hazard #1 the risk is reduced in steps by the containment dike, the control system, operator intervention and the safety instrumented function; SIL1, SIL2 and SIL3 give successively larger reduction]
The risk reduction is greater at a higher SIL.
It is often said that the risk reduction by the instrumented safety system is small compared to the total risk: the risk reduction by other means is orders of magnitude higher. But if other means reduce the number of casualties from 100 to 1 per year, there is still one left... and maybe that one person is saved by the instrumented safety system.
Safety Systems Applications
What is the safe state?
Can the safety system bring the area or equipment to a safe state?
How?
What is required?
[Picture: power plant]
Safety Systems Applications
Some of the safety system applications:
• ESD, Emergency Shutdown
• F&G, Fire & Gas Detection, Fire-fighting
• Process Shutdown
• Fire-pump Logic
• Ballast Control
• Blow-down
• Riser release / Anchor release
• Fire Dampers, Active Smoke Control
• HIPPS, High Integrity Pressure Protection System
Safety Systems Topology for total platform control system including safety
[Figure not reproduced]

Fire & Gas Topology (sample)
[Figure: S7-400FH controllers (SIL3, and redundant); PROFIBUS/PROFIsafe (SIL3) to the I/O, one branch SIL 2; Industrial Ethernet 100 Mbit and Ethernet 100 Mbit to the F&G/ESD wide-screen overview; communication to other nodes SIL3; commands from OS to SIL3; software is implemented according to procedure, SIL 3. Fire alarm panel with indications Power, Fire Brig. recvd., Fire vent. activ., Fire ext. activated, Alarm, Prewarning, Early warning, System fault, Function disabled, Test, Fault, Self Verify, and buttons Silence buzzer, Silence sounders, Reset, More Alarms]
F&G System Topology (the different modules)
[Figure: S7-400F (SIL3) and S7-400FH (SIL3, and redundant) controllers on redundant, optical 100 Mbit Industrial Ethernet; PROFIBUS or PROFIsafe (SIL3), optical and redundant, to I/O modules SIL 2/3 and to the F&G matrix; radio link; remote control (Veslefrikk); Autronica fire panel over the Autronica protocol; hardwired alarm; fire area (1 of n gives alarm)]
Notes on the figure:
• Redundant servers, each with dual power supplies and multiple CPUs (tolerant of CPU errors).
• Redundant operator stations, each with dual power supplies and multiple CPUs (tolerant of CPU errors).
• Output modules F-SMs, SIL 2/3, redundant, or a redundant output configuration verified by SINTEF (SIL 2/3).
• Analogue inputs (each SIL1) in one-of-many voting (total is SIL2).
• Separate bus systems are used for the interface to the matrixes, to avoid common mode failures with the field I/O.
Components:
• Fail Safe I/O Modules
• High Available & Fail Safe CPUs
• Redundant Integrated Safety & Process Network
• Addressable Fire Detection Systems
• Redundant Communications Interface
• Redundant Fail Safe Communications, SIL3 (PROFIsafe)
• Redundant Safety Servers
• Redundant Operator Stations
• F&G Matrix
ESD Topology (sample)
[Figure: S7-400F (SIL3) and S7-400FH (SIL3, and redundant) in the controller cabinet; PROFIBUS/PROFIsafe (SIL3) to remote "fail safe" input/output modules F-SMs SIL 2/3 (and IS1 or ET200M SIL0/1 remote I/O) in the field termination cabinet; ESD matrix; Industrial Ethernet 100 Mbit to the operator stations, the engineering station and the F&G/ESD wide-screen overview; Ethernet 100 Mbit; communication to other nodes SIL3; commands from OS to SIL3]
• Redundant safety servers (built-in redundancy and auto-repair)
• Software is implemented according to procedure, SIL 3
• Hardware design according to procedure, SIL 3
PSD Topology (sample)
[Figure: S7-400F (SIL3) controllers in the controller cabinet; PROFIBUS/PROFIsafe (SIL3) to remote ET200iS or "fail safe" input/output modules F-SMs SIL 2/3 (and IS1 or ET200M SIL0/1 remote I/O) in the field termination cabinet or junction box; Industrial Ethernet 100 Mbit to redundant servers, operator stations and the engineering station; Ethernet 100 Mbit; communication to other nodes SIL3; commands from OS to SIL3]
• Software is implemented according to procedure, SIL 3
• Hardware design according to procedure, SIL 3
Marine Safety Control System
[Figure: S7-400F (SIL3) and S7-400FH (SIL3, and redundant) with CPU A in controller cabinet A and CPU B in controller cabinet B, joined by a synchronization link; PROFIBUS/PROFIsafe (SIL3) to remote "fail safe" input/output modules F-SMs SIL 2/3 (and IS1 or ET200M SIL0/1 remote I/O) in the field termination cabinet or junction box; Industrial Ethernet 100 Mbit to redundant servers, operator stations and the engineering station; Ethernet 100 Mbit; communication to other nodes SIL3; commands from OS to SIL3; manual ballast functions]
• Software is implemented according to procedure, SIL 3
• Hardware design according to procedure, SIL 3
Subsea PSD solution and HIPPS, both SIL3
[Figure: topside ESD (S7-400F, SIL3), PSD (S7-400F, SIL2/3) and PCS (S7-400) connected over Profibus DP/PROFIsafe (SIL3) to remote F-SM I/O (SIL3) topside and, through the umbilical (twisted pair and fibre optic cable with centre line; x = number of connections) and the riser, to subsea remote I/O (PSD remote I/O, Simatic S7 F-SM, SIL3; slot no. 1 and slots no. 2-4). Subsea tree with SCSSV, PMV, PWV, choke, SSIV, and HIPPS 1 / HIPPS 2 in titanium pipe/enclosures; pressure and temperature transmitters (4-20 mA); hydraulic supply from the HPU, bleed hydraulic (SIL 3), EV, PSV; subsea HIPPS (SIL 3) on S5 95F / S7 300F; RF modems (Profibus DP to topside modem, 19.2 kbit/s; 183 kbit/s). Supplier document review: accepted]
IEC 61508
The safety level is applicable for:
• The total solution
• All the project's lifecycle phases
The system solution covers the EUC, including HMI.
HW engineering, construction and testing:
• By use of standard hardware set-up
• With special modules approved by TÜV
Software:
• Function blocks (basic blocks approved by TÜV)
• Protocols and drivers approved by TÜV
• Application program (according to procedure)
Maintenance procedures. Operation and modification procedures.
IEC 61508, Quality Assurance and a few direct requirements
[Figure: the overall safety lifecycle (figure 2 of IEC 61508-1) and the software safety lifecycle]
Overall safety lifecycle phases:
1 Concept
2 Overall scope definition
3 Hazard and risk analysis
4 Overall safety requirements
5 Safety requirements allocation
6 Overall operation and maintenance planning
7 Overall safety validation planning
8 Overall installation and commissioning planning
9 Safety-related systems, E/E/PES: realisation (see E/E/PES safety lifecycle)
10 Safety-related systems, other technology: realisation
11 External risk reduction facilities: realisation
12 Overall installation and commissioning
13 Overall safety validation
14 Overall operation, maintenance and repair
15 Overall modification and retrofit (back to the appropriate overall safety lifecycle phase)
16 Decommissioning or disposal
Software safety lifecycle (box 9):
9.1 Software safety requirements specification (9.1.1 safety functions requirements specification; 9.1.2 safety integrity requirements specification)
9.2 Software safety validation planning
9.3 Software design and development
9.4 Software operation and modification procedures
9.5 PE integration (hardware/software)
9.6 Software safety validation (to box 12 and box 14 in figure 2 of part 1)
NOTE 1 Activities relating to verification, management of functional safety and functional safety assessment are not shown for reasons of clarity but are relevant to all overall, E/E/PES and software safety lifecycle phases.
NOTE 2 The phases represented by boxes 10 and 11 are outside the scope of this standard.
NOTE 3 Parts 2 and 3 deal with box 9 (realisation) but they also deal, where relevant, with the programmable electronic (hardware and software) aspects of boxes 13, 14 and 15.
IEC 61508, Implementation according to proven procedures
Safety requirements shall be specified, and the requirements shall be traceable through all engineering phases.
Internal procedures for development of software according to IEC 61508:
• Procedures developed in co-operation with SINTEF Tele and Data:
  – specification – planning – implementation – verification – validation – modifications.
Internal procedures for hardware design and production according to IEC 61508:
• Made on the same structure as the SINTEF-verified SW procedure.
IEC 61508, Implementation by qualified personnel
On hold... waiting for training by Tor Onshus.
Basic principles to fulfil IEC 61508
Basically three requirements:
1. Quality assurance (98% of IEC 61508)
2. Requirement to availability of the safety function (PFD requirement, Probability of Failure on Demand)
3. Requirement to safe failure fraction (SFF requirement, Safe Failure Fraction)
Answers to the requirements:
1. Work methods, procedures, qualified workers
2. Equipment quality, redundancy, second resort, diagnostics
3. Fail-to-safe design, diagnostics
Diagnostics, feedback and redundancy
Diagnostics / feedback: Diagnostics give the possibility to repair dangerous errors before an emergency situation, hence improving PFD and SFF. Increased diagnostics also give room for extending the test interval, hence saving cost. Feedback gives the opportunity to use a second shutdown possibility in case the first one fails, hence improving PFD and SFF.
Redundancy / second shutdown facility: More than one shutdown facility, either all activated at the same time or the second facility used as a result of feedback when the first is failing, will give improved SFF and PFD.
Risk Graph
Risk Determination (one of several methods)
How to find the Required Safety Integrity Level (SIL) of the safety system:

Path through the graph   P3   P2   P1
S1                        -    -    -
S2, F1                    1    1    -
S2, F2, A1                1    1    -
S2, F2, A2                2    2    1
S3, F1                    3    3    1
S3, F2, A1                3    3    2
S3, F2, A2                4    3    3
S4                        4    4    3
(- : no special safety requirement; the row labels follow the S/F/A branch order of the graph as extracted from the slide)

S: Severity of injury/damage: 1 small injury, minor environmental damage; 2 serious irreversible injury of many people involved or a death, temporary serious environmental damage; 3 death of many people, long-term serious environmental damage; 4 catastrophic results, many deaths.
F: Frequency and/or exposure time to hazard: 1 seldom to quite often; 2 frequent to continuous.
A: Avoiding the hazard: 1 possible; 2 not possible.
P: Probability of occurrence: 1 very low; 2 low; 3 relatively high.
S7-400F/FH by Siemens
Safety Integrity Levels, direct requirement IEC 61508

Requirement class (AK)   Safety Integrity Level   Probability of failure on demand per h   Probability of failure on demand       Control category
DIN V 19250              (SIL) IEC 61508          (constant operation) (IEC 61508)         (on-demand operation) (IEC 61508)     EN 954-1
AK 1                     ---                      --                                       --                                    B
AK 2 and 3               SIL 1                    10^-5 to 10^-6                           10^-1 to 10^-2                        1 and 2
AK 4                     SIL 2                    10^-6 to 10^-7                           10^-2 to 10^-3                        3
AK 5 and 6               SIL 3                    10^-7 to 10^-8                           10^-3 to 10^-4                        4
AK 7 and 8               SIL 4                    10^-8 to 10^-9                           10^-4 to 10^-x                        ---
Safety Integrity Levels, direct requirement IEC 61508
IEC 61508 requires a higher "safe failure fraction" for "intelligent" (type B) components.

Hardware safety integrity: architectural constraints on type A safety-related subsystems
Safe failure fraction   Hardware fault tolerance 0   1      2
< 60 %                  SIL1                         SIL2   SIL3
60 % - 90 %             SIL2                         SIL3   SIL4
90 % - 99 %             SIL3                         SIL4   SIL4
> 99 %                  SIL3                         SIL4   SIL4

Hardware safety integrity: architectural constraints on type B safety-related subsystems
Safe failure fraction   Hardware fault tolerance 0   1      2
< 60 %                  not allowed                  SIL1   SIL2
60 % - 90 %             SIL1                         SIL2   SIL3
90 % - 99 %             SIL2                         SIL3   SIL4
> 99 %                  SIL3                         SIL4   SIL4
Safety Integrity Levels, PFD calculation
F&G loop with gas detector and control valve.
Safety reliability block diagram: gas detector (4-20 mA) -> AI (PROFIsafe) -> CPU -> DO (PROFIsafe) -> ESV (control valve)
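The following is an added example, not code from the slides or from Siemens, that carries the PFD calculation for this loop through the three requirements the slides list: the low-demand PFD bands of the SIL table, the safe failure fraction with the architectural-constraint tables, and the effect of diagnostics and a second shutdown facility. The failure rates, the common-cause factor beta, the proof-test interval and the simplified 1oo1/1oo2/2oo3 formulas are assumptions for illustration, not product data.

```python
"""Added example (not from the slides, not Siemens code): checking the F&G
loop 'gas detector -> F-AI -> F-CPU -> F-DO -> ESV' against the three
IEC 61508 requirements listed on the slides.  Failure rates, beta factor and
proof-test interval are constructed sample values, not product data."""
from dataclasses import dataclass, replace

# Low-demand PFD_avg bands per SIL (SIL table on the slides; the SIL4 lower
# bound 1e-5 is the IEC 61508-1 value).
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Architectural constraints (tables on the slides): each row is an SFF band
# with its upper limit, then the highest SIL claimable for hardware fault
# tolerance 0, 1 and 2 (0 = not allowed).
ARCH_TYPE_A = [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (2.00, (3, 4, 4))]
ARCH_TYPE_B = [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (2.00, (3, 4, 4))]


@dataclass(frozen=True)
class Element:
    name: str
    lam_du: float          # dangerous undetected failures per hour
    lam_dd: float          # dangerous failures found by diagnostics, per hour
    lam_s: float           # safe failures per hour
    type_b: bool           # "intelligent" (microprocessor-based) subsystem
    voting: str = "1oo1"   # 1oo1, 1oo2 or 2oo3 for redundant elements

    def sff(self) -> float:
        """Safe failure fraction: every failure except the dangerous undetected ones."""
        return (self.lam_s + self.lam_dd) / (self.lam_s + self.lam_dd + self.lam_du)

    def hft(self) -> int:
        return {"1oo1": 0, "1oo2": 1, "2oo3": 1}[self.voting]

    def pfd_avg(self, t_proof_h: float, beta: float = 0.02) -> float:
        """Simplified PFD_avg (assumption: no repair time, beta = common-cause fraction)."""
        x = self.lam_du * t_proof_h
        if self.voting == "1oo1":
            return x / 2
        if self.voting == "1oo2":
            return x * x / 3 + beta * x / 2
        if self.voting == "2oo3":
            return x * x + beta * x / 2
        raise ValueError(f"unknown voting {self.voting}")


def sil_from_pfd(pfd: float) -> int:
    """SIL band for a low-demand loop; 0 if the PFD is worse than SIL1."""
    for sil, (lo, hi) in PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4 if pfd < 1e-5 else 0


def sil_from_architecture(sff: float, hft: int, type_b: bool) -> int:
    table = ARCH_TYPE_B if type_b else ARCH_TYPE_A
    for upper, sils in table:
        if sff < upper:
            return sils[hft]
    raise ValueError("SFF must be in [0, 1]")


def loop_sil(elements, t_proof_h: float = 8760.0) -> dict:
    """Series loop: the element PFDs add up, and the loop can claim no more
    than the weakest element's architectural constraint allows."""
    total_pfd = sum(e.pfd_avg(t_proof_h) for e in elements)
    arch_sil = min(sil_from_architecture(e.sff(), e.hft(), e.type_b) for e in elements)
    pfd_sil = sil_from_pfd(total_pfd)
    return {"pfd": total_pfd, "sil_pfd": pfd_sil, "sil_arch": arch_sil,
            "sil": min(pfd_sil, arch_sil)}


# Constructed sample loop, single channel throughout (illustrative numbers only).
LOOP_1OO1 = [
    Element("gas detector", lam_du=5e-7, lam_dd=1e-6, lam_s=2e-6, type_b=True),
    Element("F-AI module", lam_du=2e-8, lam_dd=5e-7, lam_s=5e-7, type_b=True),
    Element("F-CPU", lam_du=1e-8, lam_dd=1e-6, lam_s=1e-6, type_b=True),
    Element("F-DO module", lam_du=2e-8, lam_dd=5e-7, lam_s=5e-7, type_b=True),
    Element("ESV", lam_du=1e-6, lam_dd=0.0, lam_s=5e-7, type_b=False),
]
# The same loop with 1oo2 detectors and a second shutdown valve: redundancy
# lowers the PFD and raises the hardware fault tolerance of the weakest elements.
LOOP_1OO2 = [replace(e, voting="1oo2") if e.name in ("gas detector", "ESV") else e
             for e in LOOP_1OO1]

if __name__ == "__main__":
    for label, loop in (("1oo1", LOOP_1OO1), ("1oo2 field devices", LOOP_1OO2)):
        r = loop_sil(loop)
        print(f"{label}: PFD_avg={r['pfd']:.2e} -> SIL{r['sil_pfd']} by PFD, "
              f"SIL{r['sil_arch']} by architecture, claimable SIL{r['sil']}")
```

With these sample rates the single-channel loop lands in the SIL2 PFD band but is held to SIL1 by the architectural constraint on the detector and the valve, which is the point of the tables: a good PFD alone does not give the SIL. Making the field devices 1oo2 moves the loop to the SIL3 band and lifts the architectural limit to SIL2.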
Safety Control System controllers, SIMATIC S7-300/400 F/FH
Siemens Simatic PCS7 F, certified up to SIL 3

CPU             Memory    F-I/Os
S7-412-3H *)    768 kB    100 F-I/Os
S7-414-4H *)    2.8 MB    600 F-I/Os
S7-417-4H *)    30 MB     3000 F-I/Os
S7-315F-2DP     192 kB    300 F-I/Os
S7-317F-2DP     1 MB      500 F-I/Os
S7-319F-2DP     1.4 MB    1000 F-I/Os
*) redundant systems
Components S7-400F/FH (the Simatic safety system is SW based, and partly HW independent)
• High-availability system CPU with the F program as a basis: CPU 417-4F(H) TÜV certified, including system SW (SIL3); TÜV certified failsafe logic SW blocks (SIL3); redundant, diverse programs.
• Method and tool for engineering / hardware configuration / programming: configuration of the S7-400F hardware with standard HW-Config; graphical engineering (programming) with standard CFC (Continuous Function Chart); coexistence of standard and F applications (SIL3) in one CPU (safe island).
• Connection to the process devices: PROFIsafe (extra safety layer on top of PROFIBUS) (SIL3) to ensure failsafe communication via PROFIBUS.
• Process devices: failsafe I/O modules (SIL1-3); failsafe process transmitters and actuators (fieldbus devices).
And based on the additional principle "Protected F-Islands"
[Figure: the safety-related user program runs as a protected island beside the standard user programs, on the CPU operating system and CPU hardware; a safety-related communication frame covers the exchange with the failsafe I/O modules; any faults in other modules and environmental factors are kept out. Protection labels: SW based, SW based, HW/SW based]
S7 400F F/H system: modularity
[Figure: a PC with standard engineering software and the F-programming tool; a standard CPU 417-4H running the F-application program; standard PROFIBUS-DP carrying the PROFIsafe protocol to F-I/Os (ET200M) beside standard I/Os (ET200M); CPU mode selector positions RUN-P, RUN, STOP, CMRES]
CPU Software Architecture
[Figure: the standard operating system provides communications, self tests and program execution; the safety-relevant sections of the operating system provide safety-relevant system function calls, safety-relevant self tests, F-access protection and program execution. On top run the F-user program (F-control blocks and F-user blocks, with F-standard blocks and F-system blocks) and the standard user program]
S7-F Concept, double processing in diverse environments
• Multi-channel storage of safety-critical data in instance DBs in the CPU, e.g. as the word-oriented complement COMP.
• Multi-channel processing of the safety function in F-FBs by the SP7-ASIC of the CPU: standard operation on DATA, multi-channel operation on COMP.
• CPU-internal comparison in the output driver to improve error locating. Error handling: disable outputs and stop the CPU.
• CPU-external comparison in the receiver (F-output modules and processing F-CPUs). Error handling: safe substitute values and error message.
[Figure: DATA 0 / DATA 1 stored beside COMP FFFFh / COMP 0h; bit-AND in the bit-arithmetic logic unit operates on DATA, word-OR in the ALU on COMP; convert/copy between the two representations; comparison of DATA and COMP; CRC over the safety-related message]
Instead of redundancy of HW, the Siemens Safety System runs redundant SW on the same HW.
S7-F Program Concept: extensive comparison and monitoring
Time redundancy and instruction-diverse processing:
[Figure: the operands are encoded into diversity operands; the operation and the diversity operation produce a result and a diversity result, which are compared, with stop on mismatch; time redundancy repeats the evaluation later. Example: A, B (Bool) with /A, /B (Word); AND on the Bool channel, OR on the Word channel; C is the result and D = /C the diversity result; stop at D ≠ /C]
• Logical program execution and data flow monitoring
• Bool and Word operations processed in different parts of the CPU
• 2 independent hardware timers
Time redundancy and diversity instead of hardware redundancy.
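The following is an added example, not code from the slides or from Siemens, that models the complement-coded, diversely processed AND of the two slides above in Python: DATA and COMP storage, Boolean AND on one channel against word OR on the other, a repeated (time-redundant) run, and a comparison that stops on any disagreement. The `word_or` hook for injecting a faulty ALU and the exception standing in for "stop CPU" are assumptions made for the demonstration.

```python
"""Added example (not from the slides, not Siemens code): the 'double
processing in diverse environments' idea modelled in Python.  Each safety
Boolean is kept twice, as DATA (0/1) and as COMP, a 16-bit word holding the
complement (FFFFh for 0, 0000h for 1).  The AND of two inputs is computed on
DATA with Boolean AND and, diversely, on COMP with word OR (De Morgan), then
repeated (time redundancy) and compared; any disagreement raises SafetyStop
where the F-CPU would disable its outputs and go to STOP."""
from typing import Callable, Tuple

MASK = 0xFFFF
Pair = Tuple[int, int]          # (DATA, COMP)


class SafetyStop(Exception):
    """Diverse channels disagree: disable outputs and stop the CPU."""


def encode(value: bool) -> Pair:
    """Multi-channel storage: DATA bit plus word-oriented complement COMP."""
    return (1, 0x0000) if value else (0, 0xFFFF)


def check_pair(pair: Pair) -> None:
    """Storage check: COMP must still be the full-word complement of DATA."""
    data, comp = pair
    if data not in (0, 1) or comp != (0x0000 if data else 0xFFFF):
        raise SafetyStop(f"corrupted operand DATA={data} COMP={comp:04X}")


def and_diverse(a: Pair, b: Pair,
                word_or: Callable[[int, int], int] = lambda x, y: x | y) -> Pair:
    """AND evaluated on both channels: bit logic on DATA, word OR on COMP.
    word_or is a hook (assumption) so that a faulty ALU can be simulated."""
    check_pair(a)
    check_pair(b)
    data = a[0] & b[0]                      # Boolean AND on the DATA channel
    comp = word_or(a[1], b[1]) & MASK       # ~(x & y) == ~x | ~y on the COMP channel
    return data, comp


def compare(result: Pair) -> bool:
    """C is the DATA result, D the COMP result: stop at D != /C."""
    data, comp = result
    if comp != (0x0000 if data else 0xFFFF):
        raise SafetyStop(f"C={data} D={comp:04X}: D != /C")
    return bool(data)


def safe_and(a: Pair, b: Pair,
             word_or: Callable[[int, int], int] = lambda x, y: x | y) -> bool:
    """Time redundancy: evaluate twice in the cycle, compare the two runs,
    then compare the diverse channels of the result."""
    first = and_diverse(a, b, word_or)
    second = and_diverse(a, b, word_or)     # re-executed later in the same cycle
    if first != second:
        raise SafetyStop("time-redundant runs differ")
    return compare(first)


def faulty_alu_or(x: int, y: int) -> int:
    """Constructed fault: an ALU that drops bit 0 of every OR result."""
    return (x | y) & 0xFFFE


if __name__ == "__main__":
    print(safe_and(encode(True), encode(True)))    # True
    print(safe_and(encode(True), encode(False)))   # False
    scenarios = (("corrupted COMP", lambda: safe_and((1, 0x0001), encode(True))),
                 ("faulty ALU", lambda: safe_and(encode(False), encode(True), faulty_alu_or)))
    for label, run in scenarios:
        try:
            run()
        except SafetyStop as exc:
            print(f"{label}: detected -> {exc}")
```

The two injected faults show the two kinds of error the comparison is meant to catch: a single flipped bit in the stored complement fails the storage check before the operation runs, and an ALU that silently drops a bit produces a D that is no longer /C.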
Programming: graphical programming with CFC according to IEC 1131 (now IEC 61131)
CFC
F-Library: certified (TÜV) function blocks; links are structs.
Simplified ESD Program Overview, sample (CFC)
[Figure: a CFC chart for one ESD function, dated AOS 03.07.2001, "ESD System Configuration, SIL3". The chart is split into a fail-safe program part (safe program), a standard program part (normal program) and an OS part (operator station, HMI OS screen). Block families shown: F_MB_ESD / G_MB_ESD (MB-ESD binary input status U/B/R, from OS and from field), F_MA_ESD / G_MA_ESD (MA-ESD analogue input with limits AHH/ALL, BHH/BWH/BWL/BLL, VAHH/VWH/VALL/VWL, status ext. alarm HH), F_SB_ESD / G_SB_ESD (SB-ESD output status U/B/SD/OVR, HW override, coincidence, disable reset), F_LB / G_LB (LB utilities: Bin/Bout/R, blocked from OS and from field, from/to ESD function; status collection optional; instance data block number for LB utilities optional), F_SBI, F_OR4 (IN1, IN2, OUT), module drivers F_M_DIx / F_M_AI / F_M_DO (CHADDR, ACK_REQ) and channel drivers F_CH_DI (Q, QN, QBAD, VALUE, QUALITY), F_CH_AI (V, VALUE, QUALITY, OVHRANGE, OVLRANGE, VHRANGE, VLRANGE, ACK_NEC, QBAD, V_DATA) and F_CH_DO (IACK_REI, QBAD, VALUE, QUALITY, ACK_REQ). Annotations: ESD INPUT: Q is used for normally de-energized inputs, QN for normally energized inputs; symbolic address; additional I/O diagnostic data (optional); override from the matrix override switch via F-SM, with override feedback; matrix indicator LEDs; status indication LEDs; feedback from normal I/O; fault annunciation; operators' field device; Q_DATA / V_DATA from the drivers]
Engineering tool: program protection (CFC)
Enabling of the failsafe function of the CPU 417-4H or 414-4H
Read/write protection with password
Program protection: program signature (CFC)
Signature of the F-program for TÜV certification. A program taken out of the CPU cannot be downloaded unless it carries the correct signature.
The signature is generated by the programming tool and changes after every change of the program.
Programming: comparison of existing and changed program (CFC)
Comparison of different F-program versions. Deviations shall be checked before download of a change.
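The following is an added example, not the Siemens engineering tool and not code from the slides, showing the two protections of the last two slides in the simplest form a practitioner can reason about: a signature that changes with every change of the program, a download gate that refuses a program whose signature does not match the released one, and a version comparison that lists the deviations to be checked before download. The dict-based chart format, the SHA-256 signature and the two sample programs are constructed assumptions; the block names F_CH_DI, F_OR4 and F_CH_DO and the parameter CHADDR are taken from the chart on the slides.

```python
"""Added example (not Siemens' tool, not code from the slides): program
signature, download gate and version comparison for a small F-program.
The chart format (dict of blocks) and the SHA-256 signature are assumptions."""
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

Program = Dict[str, dict]          # block name -> {"type", "params", "inputs"}
Deviation = Tuple[str, str, Optional[str]]


def program_signature(program: Program) -> str:
    """Signature over a canonical serialisation: any change to a block, a
    parameter or a connection gives a different signature."""
    canonical = json.dumps(program, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def accept_download(program: Program, carried_signature: str, released_signature: str) -> bool:
    """Download gate: the program must carry the signature it actually has,
    and that signature must be the released (certified) one."""
    return program_signature(program) == carried_signature == released_signature


def compare_programs(old: Program, new: Program) -> List[Deviation]:
    """List deviations between two versions, block by block, as
    ('added' | 'removed' | 'changed', block name, changed key or None)."""
    deviations: List[Deviation] = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            deviations.append(("added", name, None))
        elif name not in new:
            deviations.append(("removed", name, None))
        else:
            for key in sorted(set(old[name]) | set(new[name])):
                if old[name].get(key) != new[name].get(key):
                    deviations.append(("changed", name, key))
    return deviations


# Constructed sample: two gas detector inputs OR-ed onto one ESV output.
ESD_V1: Program = {
    "DI_GAS_1": {"type": "F_CH_DI", "params": {"CHADDR": 1}, "inputs": {}},
    "DI_GAS_2": {"type": "F_CH_DI", "params": {"CHADDR": 2}, "inputs": {}},
    "OR_GAS": {"type": "F_OR4", "params": {}, "inputs": {"IN1": "DI_GAS_1.Q", "IN2": "DI_GAS_2.Q"}},
    "DO_ESV": {"type": "F_CH_DO", "params": {"CHADDR": 10}, "inputs": {"IN": "OR_GAS.OUT"}},
}
# Changed version: a third detector is added and the output channel is moved.
ESD_V2: Program = copy.deepcopy(ESD_V1)
ESD_V2["DI_GAS_3"] = {"type": "F_CH_DI", "params": {"CHADDR": 3}, "inputs": {}}
ESD_V2["DO_ESV"]["params"]["CHADDR"] = 11

if __name__ == "__main__":
    released = program_signature(ESD_V1)
    print("released signature:", released[:16], "...")
    print("V2 download with V1 signature accepted:",
          accept_download(ESD_V2, program_signature(ESD_V2), released))
    for kind, block, key in compare_programs(ESD_V1, ESD_V2):
        print(f"{kind:8s} {block:10s} {key or ''}")
```

The comparison is what makes the signature usable in practice: the signature only says that something changed, while the deviation list tells the reviewer which blocks and parameters to check before the changed program is released and its new signature recorded.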
S7-400H Redundancy Principle (for increased availability)
[Figure: two S7-400H racks, each with power supply (PS), CPU, communication processor (CP), digital inputs and outputs (DE, DA) and analogue inputs and outputs (AE, AA); synchronization, information and status exchange between the two CPUs; shared process I/O (DE, DA, AE, AA, FM) connected through interface modules (IM)]
I/O Configuration: switching of master by use of redundant PROFIBUS
[Figure: two IM 153-2 interface modules (redundant) on PROFIBUS-DP, each with its own L+ supply, connected through a bus module to the active backplane bus; the I/O with the active backplane bus performs the switchover]
Target: reduce common mode faults for the switch-over to a minimum.
Achieved by: a very simple component does the switchover.
Redundant S7-400H: a synchronization procedure is required
[Figure: partial PLC A and partial PLC B shown in four arrangements: cycle synchronization, time synchronization, command synchronization, and without synchronization (Siemens patent)]
Synchronization of all commands whose execution would trigger different states in the two partial PLCs.
Flexible Set-ups: together, the listed principles result in a flexible set-up
• Fail Safe: S7-400F, PROFIBUS-DP, F-I/O modules; SIL 3, AK 6
• Fail Safe and High Availability: redundant S7-400FH, redundant PROFIBUS-DP, F-I/O modules; SIL 3, AK 6
• Fail Safe and High Availability: redundant S7-400FH, redundant PROFIBUS-DP, redundant F-I/O modules; SIL 3, AK 6
[Figure: AS 414 F / AS 417 F controllers with ET 200M stations (IM 153, or 2 x IM 153-2 for the redundant bus), safety module, F-I/O modules (single or redundant) and standard I/O modules on PROFIBUS-DP]
Flexible Modular Redundancy ™
[Figure, built up over several slides: AI, DI and DO modules drawn as simplex, dual and triple, with fault marks on the modules whose failure is tolerated]
• Make any component redundant
• Physically separate redundant resources
• Mix and match redundancy (simplex, dual, triple)
• Tolerate multiple faults with no impact on safety
• Safety is not dependent on redundancy; all components are SIL3-capable
• Redundancy only for availability; no degraded mode

Flexible Set-ups
• Multiple fault tolerant: the fieldbus architecture allows the system to tolerate multiple faults without interruption
• I/O redundancy independent of CPU redundancy
• All components rated for SIL3
• No degraded mode
• Safety not dependent on redundancy
[Figure: example with 2oo3 pressure transmitters (2oo3 PT) and 1oo2 valves, with fault marks on several AI, DI and DO modules]
S o l u t i o n s f o r O i l & G a s Solutions for Oil & Gas Offshore 100.54
A.O.Sveen, NTNU 2012
Alternative setup by others: Fail Safe and High Availability due to 2oo3 HW voting
Sample from Triconex design
Slide 100.55
Input and output modules to SIL 3, 2 and 1
[Figure: F-SMs and standard SMs in a rack, with the CPU mode selector]
ET 200M F-SM, Fail Safe Modules
ET 200iSP, zone 1: small granularity modules for Zone 1, SIL3
ET 200S: small granularity modules can cover SIL1 to SIL3
SIL3, 2 or 1 dependent on configuration (TÜV)
• SIL 3 also in single configuration for most modules
• SIL 3 with single or redundant bus connection
Slide 100.56
Architecture S7-300 Fail Safe Modules (sample)
[Figure: F-digital output channel. Two microcontrollers share a dual-port RAM and the bus interface; the output driver is fed from the output supply (L+) and its state is read back by the microcontrollers; a second disconnection facility sits in the supply path.]
F-Digital Output, with built-in redundancy, self verification and degrading
If the "Output driver" fails to bring the output to the safe state, "0", the microcontroller, based on the read back, orders the "Second disconnection facility" to shut the card down.
Slide 100.57
S7-300 Fail Safe Modules
Redundant microcontroller in each IO module
Safety Integrity Level:
• 1oo1 evaluation, SIL 2, AK 4
• 1oo2 evaluation, SIL 3, AK 6, internal in module
Diagnosis of internal and external errors:
• mutual function checking of the microcontrollers
• input or output test
• branching of the input signals to both microcontrollers
• discrepancy analysis of the redundant input signals
• readback of the output signals and discrepancy analysis
Second disconnection facility in the case of outputs
Communication with CPU via PROFIsafe
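The behaviour of the F-DO channel described on the two slides above, as an added example that is not Siemens code: both microcontrollers compute the demand (1oo2 evaluation), the driver level is read back, and a read-back that contradicts a demanded safe state triggers the second disconnection facility. Class and method names are hypothetical.

```python
"""Simulation of the S7-300 F-DO channel behaviour sketched on the slides.

Added example, not Siemens code. Two microcontrollers each compute the
demanded output (1oo2 evaluation), the output driver level is read back,
and a read-back discrepancy on a demanded safe state shuts the card down
through the second disconnection facility. All names are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    RUN = "run"                  # outputs driven as demanded
    PASSIVATED = "passivated"    # card shut down by the second disconnection facility


@dataclass
class FDOChannel:
    state: State = State.RUN
    log: list = field(default_factory=list)

    def cycle(self, demand_left: bool, demand_right: bool, driver_out: bool) -> bool:
        """One I/O cycle.

        demand_left / demand_right: demand computed by each microcontroller
        driver_out: the electrical level the output driver actually produced
        Returns the effective output (True = energised).
        """
        if self.state is State.PASSIVATED:
            return False                     # safe state "0" is held
        # 1oo2 evaluation: both controllers must agree, otherwise go to the safe state
        if demand_left != demand_right:
            self._shutdown("discrepancy between microcontrollers")
            return False
        demanded = demand_left
        # Read back the driver: a demanded safe state "0" must really be reached
        if demanded is False and driver_out is True:
            self._shutdown("read back shows output still energised")
            return False
        # A driver stuck low cannot cause an unsafe state; only report it
        if demanded is True and driver_out is False:
            self.log.append("diagnostic: driver failed to energise (safe side)")
        return driver_out

    def _shutdown(self, reason: str) -> None:
        self.log.append(f"second disconnection facility: {reason}")
        self.state = State.PASSIVATED
```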
Slide 100.58
S7-300 Fail Safe I/O Modules
Samples of modules available:
• SM326F, DI DC24V, 24 x SIL2, 12 x SIL3, with diagnostics interrupt
• SM326F, DI NAMUR [EEx ib], 8 x SIL2, 4 x SIL3, with diagnostics interrupt
• SM326F, DO DC24V/2A, 10 x SIL3, current source, diagnostics interrupt
• SM336F, AI 4-20mA, 6 x SIL2 or 3, with diagnostics interrupt
Slide 100.59
Fail Safe I/O Modules: Library for interfaces to field devices
SAFETY INPUTS AND OUTPUTS, S7 400F WITH SAFETY I/O MODULES, F-SM'S
• AI-41F Safe analogue input, 4-20 mA, 2 wire, SIL 2
• AI-43F Safe analogue input, 4-20 mA, 3 wire, SIL 2, current source
• AI-44F Safe analogue input, 4-20 mA, 3 wire, SIL 2, high power consumption
• AI-50F Safe high available analogue input, 4-20 mA, 2 wire, 2oo3
• AI-51F Safe analogue input, 4-20 mA, 2 wire, to digital, SIL 2
• AI-IS-41F Safe analogue input, 4-20 mA, EEx(i)(a), 2 wire, SIL 2
• AI-IS-51F Safe analogue input, EEx ib IIC, 4-20 mA, to digital, SIL 2
• DI-41F Safe digital input, SIL 2
• DI-42F Safe high available digital input, SIL 2
• DI-44F Safe digital input from clean contact / NAMUR, SIL 2
• DI-IS-41F Safe, EEx ib IIC, digital input from clean contact / NAMUR, SIL 2
• DI-IS-46F Safe, high available, EEx ib IIC, double clean contact / NAMUR, SIL 2
• DI-IS-46F Safe, EEx ib IIC, double clean contact / NAMUR, SIL 3
• DO-41F Safe digital output, 24 V DC, 2A, SIL 2/3
• DO-41FR Safe digital output, SIL 2, with relay, SIL 2
• DO-RE-45F Safe, high available, digital output, 24 V DC, 2A, SIL 2/3
• DO-46F Safe digital output with manual release, 24 V DC, 2A, SIL 2/3
• DI-MA-41F Safe, high available digital input from pushbutton, SIL 3
• DI-MA-42F Safe, high available digital input from pushbutton, SIL 2
• DI-MA-43F Safe digital input from pushbutton, SIL 3
• DI-MA-44F Safe digital input from pushbutton, SIL 2
• DI-MA-45F Safe, high available digital input from pushbutton, SIL 3
• DI-MA-46F Safe, high available digital input from pushbutton, SIL 2
• DI-MA-47F Safe digital input from pushbutton (with LED), open contact, SIL 2
• DI-MA-48F Safe digital input from pushbutton (without LED), open contact, SIL 2
• DI-MA-49F Safe digital input from pushbutton, NAMUR, SIL 2
• DO-MA-41F Safe digital output to LED / lamp, SIL 2/3
• DO-MA-42F Safe digital output to two LED / lamp, SIL 2/3
• DO-MA-43F Safe digital output to LED in fire fighting release pushbutton, SIL 2
[Figure: typical circuit DO-RE-45F on hardware type 6ES7 326-2BF00-0AB0 (10 DO, safe) with main switch and read back, power distribution L+ 24 VDC / L- 0 V with 16A / 10A fuses, wired through the field termination cabinet, field terminal rail and junction box to the field equipment; override from the ESD matrix via DO-MA-41 and a 6ES7 321-1BL00-0AA0 DI 32 ch module.]
Library with standard, pre-verified instrument interfaces
Slide 100.60
Things often have to be seen in context before one discovers that special fault situations can arise.
Fail Safe I/O Modules: Development of interfaces to field devices
Slide 100.61
It is remarkable how little complexity it takes before something can go wrong (example of use of the circuit from the previous slide).
Fail Safe I/O Modules: Development of interfaces to field devices
Slide 100.62
The Man-Machine interface for daily use is the Operator Stations (but Bill Gates delivers no SIL3 solutions)
Operator interface to SIL3
[Figure: emergency shutdown matrix (NØDAVSTENGINGSMATRISE) for Huldra / Veslefrikk. Inputs (INNGANGER) A01-A12, grouped by shutdown level PSD, F&G, ITK, TAL, NAS 0, NAS 1 and NAS 2 with their tag numbers (79-ES-..., 70-XS-..., 86-ES-...): fire & gas alarms, deluge activated, pressure relief, loss of voltage, link down, battery / UPS / well alarms, manned / unmanned. Outputs (UTGANGER): gas and condensate export risers, gas line / separator / gas cooler pressure relief, isolation of UPS and telecom supplies and of generators 82-EG50A/B, with valve tags (85-EY-..., 82-EY-..., 27-EY-...). Panel functions: bridging, SSSV master, process / electrical, reset (TILBAKE-STILL), lamp test, alarm horn, alarm acknowledge, system fault CPU A / CPU B, I/O fault.]
Operator Stations with commands to SIL3
• High end servers and operator stations, with redundancy and extensive diagnosis
• Special TÜV approved procedure for safe commands from operator stations to the F-area (safe island) for SIL3 commands to the controller.
CAP solutions ensure the HMI interface to SIL3:
• LED elements connected to SIL3 remote I/O
• Necessary information for an emergency situation
• Necessary input elements to put the process in a safe state
Slide 100.63
CAP or Matrix / Mimic to SIL3, simple and hardwired
[Figure: the same emergency shutdown matrix as on the previous slide, as a hardwired CAP / mimic panel]
Simple solutions: pushbuttons, lamps and switches lift and maintain the SIL for the total HMI
Slide 100.64
Hardware Configuration: CPU Parameters
[Figure: CPU properties dialog; safety-relevant parameters: set up protection level, activate safety operation]
Slide 100.65
Hardware Configuration: F-DO Parameters
[Figure: F-DO module properties dialog; safety-relevant parameters]
Slide 100.66
[Figure: enabling of the fail-safe function; signal evaluation: 1oo1 (SIL 2) or 1oo2 (SIL 3)]
Engineering Failsafe I/O Modules: the diagnostics are set according to the SIL
Slide 100.67
Communication concepts to SIL3 / 2 / 1
PROFIBUS DP / ProfiSafe for communication to approved ProfiSafe equipment, SIL3 / 2:
• F-SM remote I/O modules
• Other S7 400F or S7 300F nodes
Drivers for Ethernet communication to S7 F nodes, SIL3:
• Drivers for communication on Ethernet between safety programs in S7 nodes.
Communication from OS to safety program to SIL3:
• Special routine and function blocks for verified commands from OS to the F-area (safe island).
Combination of PROFIBUS DP / PROFIBUS PA to SIL 2/3
Slide 100.68
High Available Communication (not required to achieve SIL)
Dual redundant communication: optical ring bus with communication in both directions
[Figure: two S7-400H controllers (each with PS, CPU and CP) and a single controller attached to a redundant bus]
Redundancy replacement diagram: [figure of PS, CPU, CP and bus elements]
Slide 100.69
SIMATIC ET 200M
[Figure: redundant system with SIMATIC S7-400FH; ET 200M stations with AI, DI, DO and AO modules on a redundant ring (B+B)]
Redundant Ring
Safety Communications
Slide 100.70
Enabling failsafe fieldbus applications ....
Basic concepts for communication to SIL3 and SIL2
Slide 100.71
[Figure: standard I/O and standard control alongside Safety Input, Safety Control and Safety Output; each safety node adds its own Safety Layer on top of the standard protocol stack (layers 1, 2 and 7)]
"Black/Gray Channel": ASICs, links, cables, etc. are not safety relevant
"ProfiSafe": the parts of the safety critical communication system: addressing, watchdog timers, sequencing, signature, etc.
Safety relevant, but not part of the ProfiSafe profile: the Safety I/O and the Safety Control Systems
Non safety critical functions, like e.g. a diagnostics program
Basic concepts for communication to SIL3 and SIL2: add the required safety layer to a standard protocol
Slide 100.72
The measures must be executed and monitored inside one failsafe unit
Failure Types and remedial Measures ...
Failure types: Repetition, Deletion, Insertion, Resequencing, Data Corruption, Delay, Masquerade (standard message mimics failsafe), FIFO failure within Router
Remedies: Sequence Number, Time Out with Receipt, Codename for Sender and Receiver, Data Consistency Check
[Table: matrix marking which remedy covers each failure type (the cell marks did not survive extraction)]
Basic concepts for communication to SIL3 and SIL2: the content of the required safety layer must cover the possible failures
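Receiver-side checks of such a safety layer, as an added example that is not Siemens code or the PROFIsafe specification. The frame layout follows the slide (F-data, status byte, CRC, sender-based sequence counter); the CRC-16/CCITT over codename, status and F-data, the 1-byte wrapping counter and the millisecond watchdog are assumptions, and which check catches which failure follows the general PROFIsafe reasoning rather than the slide's matrix cells.

```python
"""Receiver side of a PROFIsafe-style safety layer.

Added example, not Siemens code or the PROFIsafe specification. Frame
layout per the slide: F-data | status/control byte | CRC | sequence number.
Assumptions (hypothetical): CRC-16/CCITT over codename + status + F-data as
the data consistency check, a 1-byte wrapping sender-based counter, and a
watchdog in milliseconds. The mapping of check to failure type follows the
general PROFIsafe reasoning, not the slide's matrix cells.
"""
import struct


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_frame(codename: int, seq: int, f_data: bytes, status: int = 0) -> bytes:
    """Sender side: the codename is folded into the CRC but not transmitted,
    so a frame from another sender (or a standard frame) cannot pass the check."""
    crc = crc16_ccitt(struct.pack(">H", codename) + bytes([status]) + f_data)
    return f_data + bytes([status]) + struct.pack(">H", crc) + bytes([seq & 0xFF])


class SafetyReceiver:
    def __init__(self, codename: int, f_len: int, watchdog_ms: int):
        self.codename, self.f_len, self.watchdog_ms = codename, f_len, watchdog_ms
        self.expected_seq = 0
        self.last_seq = None
        self.last_ok_ms = 0
        self.f_data = bytes(f_len)           # safe substitute values: all zero

    def reintegrate(self, now_ms: int) -> None:
        """Operator acknowledgement after a timeout; restarts the watchdog."""
        self.last_ok_ms = now_ms

    def receive(self, frame: bytes, now_ms: int) -> str:
        """Return 'ok' or the failure type detected. After a timeout the
        substitute values are applied and stay until reintegrate() is called."""
        n = self.f_len
        if now_ms - self.last_ok_ms > self.watchdog_ms:
            self.f_data = bytes(n)
            return "delay"                   # time out with receipt expired
        if len(frame) < n + 4:
            return "corruption or masquerade"
        f_data, status = frame[:n], frame[n]
        crc, seq = struct.unpack(">H", frame[n + 1:n + 3])[0], frame[n + 3]
        # Data consistency check, bound to the expected sender's codename
        expected_crc = crc16_ccitt(struct.pack(">H", self.codename) + bytes([status]) + f_data)
        if crc != expected_crc:
            return "corruption or masquerade"
        if seq == self.last_seq:
            return "repetition"              # last counter value seen again
        if seq != self.expected_seq:
            return "deletion, insertion or resequencing"
        self.last_seq, self.expected_seq = seq, (seq + 1) & 0xFF
        self.last_ok_ms = now_ms
        self.f_data = f_data
        return "ok"
```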
Slide 100.73
Standard PROFIBUS DP Message ...
Standard message (SD2, variable data length):

  SD   LE   LEr  SD   DA   SA   FC   Data Unit (1...244 bytes)     FCS  ED
  68H  ...  ...  68H  ...  ...  ...  standard or failsafe data     ...  16H

Sync time before the frame: 33 TBit
TBit = Clock-Bit = 1 / Baudrate
SD = Start Delimiter (here SD2, variable data length)
LE = Length of Data
LEr = Repeated LoD, not in FCS
DA = Destination Address
SA = Source Address
FC = Function Code (type of message)
Data Unit = standard or failsafe data, max. 244 bytes
FCS = Frame Checking Sequence (across the data within LE)
ED = End Delimiter

One character cell = 11 bits: SB ZB0 ZB1 ZB2 ZB3 ZB4 ZB5 ZB6 ZB7 PB EB
SB = Start-Bit, ZB0...7 = Character-Bits, PB = (even) Parity Bit, EB = Stop-Bit
Slide 100.74
Standard message frame (user telegram), max. 244 bytes DP data:

  F-I/O data           | Status / Control byte | CRC                           | Sequence Number      | Standard I/O data
  max. 12 / 122 bytes  | 1 byte                | 2 / 4 bytes *)                | 1 byte               | (240 / 238 - F-data)
                       |                       | across F-data and F-parameter | sender-based counter |

*) 2 bytes for a max. of 12 bytes F-I/O data; 4 bytes for a max. of 122 bytes F-I/O data
... and a ProfiSafe message ... (the extra layer included in the user telegram)
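A parser for the SD2 frame and the PROFIsafe container laid out on the two slides above, as an added example and not PROFIBUS or Siemens reference code. It assumes the FCS is the arithmetic sum modulo 256 of the bytes counted by LE (DA, SA, FC and the data unit); the PROFIsafe CRC inside the container is extracted but not verified here.

```python
"""PROFIBUS DP SD2 frame parser and PROFIsafe container splitter.

Added example, not PROFIBUS or Siemens reference code. Frame layout per
the slides: SD LE LEr SD DA SA FC | data unit (1...244 bytes) | FCS ED,
with SD = 68H and ED = 16H. Assumption: FCS = sum modulo 256 of the bytes
counted by LE (DA, SA, FC and the data unit). The PROFIsafe CRC inside the
container is only extracted here, not verified.
"""
from dataclasses import dataclass

SD2, ED = 0x68, 0x16


@dataclass
class DpFrame:
    da: int          # destination address
    sa: int          # source address
    fc: int          # function code (type of message)
    data_unit: bytes


def fcs(body: bytes) -> int:
    return sum(body) & 0xFF


def build_sd2(da: int, sa: int, fc: int, data_unit: bytes) -> bytes:
    """Build a frame; LE is repeated as LEr, which is not covered by the FCS."""
    if not 1 <= len(data_unit) <= 244:
        raise ValueError("data unit must be 1...244 bytes")
    body = bytes([da, sa, fc]) + data_unit
    le = len(body)
    return bytes([SD2, le, le, SD2]) + body + bytes([fcs(body), ED])


def parse_sd2(frame: bytes) -> DpFrame:
    """Raise ValueError on any framing or check error; the DP layer discards
    such a frame and the safety layer above it sees a missing frame."""
    if len(frame) < 10 or frame[0] != SD2 or frame[3] != SD2:
        raise ValueError("bad start delimiters")
    le, ler = frame[1], frame[2]
    if le != ler or not 4 <= le <= 247 or len(frame) != le + 6:
        raise ValueError("length fields inconsistent")
    body = frame[4:4 + le]
    if frame[4 + le] != fcs(body):
        raise ValueError("FCS mismatch")
    if frame[5 + le] != ED:
        raise ValueError("bad end delimiter")
    return DpFrame(da=body[0], sa=body[1], fc=body[2], data_unit=bytes(body[3:]))


def split_profisafe(data_unit: bytes, f_len: int) -> dict:
    """Split the container per the slide: F-I/O data (max. 12 or 122 bytes),
    1 status/control byte, CRC (2 bytes up to 12 bytes of F-data, else 4),
    1 byte sequence number; anything after that is standard I/O data."""
    crc_len = 2 if f_len <= 12 else 4
    if f_len > 122 or len(data_unit) < f_len + crc_len + 2:
        raise ValueError("data unit too short for the F container")
    p = f_len
    return {
        "f_data": data_unit[:p],
        "status": data_unit[p],
        "crc": int.from_bytes(data_unit[p + 1:p + 1 + crc_len], "big"),
        "seq": data_unit[p + 1 + crc_len],
        "std_data": data_unit[p + 2 + crc_len:],
    }
```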
Slide 100.75
PROFIBUS PA Fieldbus solution to SIL 1/2/3
[Figure: redundant CPU 417H with CP443-5E DP masters, IM 157 DP/PA links and an IM 157 coupler; PROFIBUS DP to PROFIBUS PA slaves (PT ...) in the Ex zone]
ProfiSafe PA, TÜV certified SIL 2/3 (2007)
SINTEF study "Evaluation of PROFIBUS PA against SIL1 / 2 requirements" (2000).
Slide 100.76
PROFIBUS PA with PROFIsafe Redundancy
Ring architecture with Active Field Distributor
[Figure: redundant PROFIBUS DP masters (M) and redundant IM 157 DP/PA couplers feeding a PROFIBUS PA ring of Active Field Distributors (AFD)]
IM 157, redundant
DP/PA coupler, redundant (M = master)
Slide 100.77
PROFIBUS PA with PROFIsafe Voting
[Figure: S7-400FH on PROFIBUS DP with redundant DP/PA couplers and redundant IM 157; 2oo3 and 1oo2 voting of PA field devices]
DP/PA Coupler, redundant
IM 157, redundant
Slide 100.78
Fail-safe CPU – CPU Communication
Safety-oriented CPU-CPU communication via S7 connections with the send/receive blocks:
• F_SENDBO / F_RCVBO: transfer of 20 F_BOOL
• F_SENDR / F_RCVR: transfer of 20 F_REAL
Slide 100.79
Safety Control Loops and Residual Error (PFD) Probability ....
[Figure: safety loop Sensor -> Anal. I / Bin. I -> logic operations (within one PLC) -> Bin. O -> Actuator, with a 15 % share marked on the loop and 1 % for ProfiSafe]
100 %: total figure for the allowed PFD (Probability of Failure on Demand)
1 %: ProfiSafe share of the total for SIL3
e.g. Safety Integrity Level (SIL) 3: 10^-7 / h (share of ProfiSafe: 1 % = 10^-9 / h)
Slide 100.80
Other SAS requirements for a typical network, Safety / Security: typical SAS network architecture
Slide 100.81
Standards, recommendations:
• ISO 27000 / ISO 27001 / ISO 27002
• ISA S99
• OLF-104
• OLF-110
• OLF-123
• ISA Security Compliance Institute: ISA Secure
• INL Security Lab (Idaho National Lab)
• LOGIIC (Linking the Oil and Gas Industry to Improve Cyber Security)
Other SAS requirements for a typical network, Safety / Security: many standards, "security" defence in depth
Slide 100.82
Quite a lot of equipment / SW for security in a complete plant
Slide 100.83
Do you want SIL3 on your own PC? (The Siemens system is SW based / HW independent)
We start with a standard PC and a software package, plus a little safe I/O
[Figure: F Soft PLC stack]
• Standard PROFIBUS DP or PROFINET IO
• Standard programming software STEP 7
• Standard remote I/O
• Failsafe programming tool Distributed Safety
• Failsafe I/O modules
• PROFIsafe
• Failsafe application program
• F Soft PLC
Slide 100.84
First you must check whether your PC is suitable for the purpose. Then you can load the necessary SW and install an interface for PROFIBUS.
Takes 20-30 min. Does it have a timer, RTC on interrupt 8? (normally OK)
Load SW
WinAC RTX F is installed on Windows XP Prof, or is "embedded"
The code runs on an additional "real-time kernel, IntervalZero RTX"
Slide 100.85
Coded Processing: time redundancy and diversity instead of structural redundancy
[Figure: operands A, B go through the Operation with its Operators (e.g. AND) to give C, and their coded forms /A, /B through the Divers Operation with Divers Operators (e.g. OR) to give /C; the Coding Comparison continues on D = /C and stops on D ≠ /C; Divers Output versus Output]
Time redundancy: the two computations are executed one after the other in time
Based on principles discussed earlier
Slide 100.86
Data xf, coded xc: zc = xc + yc + 1 corresponds to zf = xf + yf
[Figure: F-DI (uP Left, uP Right) -> PROFIsafe telegram (CRC, data) -> PSF Input Driver -> F-CPU running F-CTRL 1 and F-CTRL 2 with F FBs (STEP 7) and F-coded FBs -> PSF Output Driver -> PROFIsafe telegram (CRC, data) -> F-DO (uP Left, uP Right, Plus / Minus)]
Wrong CRC -> PROFIsafe Stop, or bad coded result -> CPU Stop
Based on principles discussed earlier
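The coded addition zc = xc + yc + 1 together with the comparison step D = /C from the two coded-processing slides, as an added example that is not the WinAC RTX F implementation: the coded form is taken to be the bitwise complement, which is exactly what makes that identity hold; 16-bit words and all function names are assumptions.

```python
"""Coded processing as sketched on the slides.

Added example, not the WinAC RTX F implementation. Every value is held both
as plain data xf and in coded form xc = /xf (bitwise complement), so that
zc = xc + yc + 1 corresponds to zf = xf + yf. Each operation runs twice with
diverse operators on the two representations and the results are compared;
a mismatch stops the run. 16-bit words and all names are assumptions.
"""
MASK = 0xFFFF


class CodedStop(Exception):
    """Raised when D != /C: the plain and the diverse result disagree."""


def encode(xf: int) -> int:
    return ~xf & MASK                        # xc = /x


def check(zf: int, zc: int) -> int:
    # Coding comparison: the coded result must be the complement of the plain one
    if (~zc & MASK) != (zf & MASK):
        raise CodedStop(f"coded mismatch: zf={zf:#06x} zc={zc:#06x}")
    return zf & MASK


def coded_add(xf: int, xc: int, yf: int, yc: int) -> tuple:
    zf = (xf + yf) & MASK                    # operation on the data
    zc = (xc + yc + 1) & MASK                # diverse operation on the coded data
    return check(zf, zc), zc


def coded_and(af: int, ac: int, bf: int, bc: int) -> tuple:
    zf = af & bf                             # AND on the data
    zc = (ac | bc) & MASK                    # diverse operator: /A OR /B == /(A AND B)
    return check(zf, zc), zc


def run_with_fault(xf: int, yf: int, fault_mask: int = 0) -> int:
    """Evaluate (xf + yf) AND 0x0FF0 through the coded path. fault_mask
    simulates a bit flip in the plain adder result before the comparison;
    any non-zero flip is caught by check() and raises CodedStop."""
    xc, yc = encode(xf), encode(yf)
    zf = ((xf + yf) & MASK) ^ fault_mask
    zc = (xc + yc + 1) & MASK
    sf = check(zf, zc)
    mf, mc = 0x0FF0, encode(0x0FF0)
    return coded_and(sf, zc, mf, mc)[0]
```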
Slide 100.87
WinAC RTX F
Your own Moholt SIL3 plant
Slide 100.88
Many thanks for taking the time to listen!
Arnt Olav Sveen
[email protected] / 93048718
For more info see: www.siemens.com/process-safety www.siemens.com/safety-matrix
• First with Integrated Control & Safety
• First with Flexible, Scalable, Distributed Architecture
• First Safety Lifecycle Management Tool - Safety Matrix
• First and Only Fully Integrated Safety Fieldbus
• First and Only SIL3, zone 1 I/O
• First and Only SIL3 on your own PC