Presentation is loading. Please wait.

Presentation is loading. Please wait.

Siemens Safety Systems. NTNU , Arnt Olav Sveen

Similar presentations


Presentation on theme: "Siemens Safety Systems. NTNU , Arnt Olav Sveen"— Presentation transcript:

1 Siemens Safety Systems. NTNU 14.03.2011, Arnt Olav Sveen
Historikk og bakgrunn Applikasjoner Krav i IEC61508 Løsninger Basis for løsninger Kontroller / sentralsystem Inngangs og utgangs moduler Human - Machine Interface Programvare /programmering Kommunikasjon / nettverk Hjemmesikkerhetssystem

2 Siemens Safety Systems.
The prevention of accidents should not be considered a question of legislation, but instead our responsibility to fellow beings and economic sense (Werner von Siemens in 1880)

3 History of Siemens Safety Systems
S7 F Systems S7-400FH / PROFIsafe (1999) Distributed Safety S7 151F/315F/317F/416F (2002/2003) Safety Matrix (1999) QUADLOG (1995) Siemens History Our activities are not just recent however, we have a 20+ year history in the programmable safety systems. Where some have claimed to be first with: Integrated Control and Safety Same but Separate Architecture Safety Fieldbus SIL3 on non-redundant modules We have had all of these features in place with our SIMATIC S7 Failsafe System for over 5 years. And we're actually shipping. SIMATIC S5-95F (1994) SIMATIC S5-110F (1980) SIMATIC S5-115F (1988)

4 Siemens Safety Systems.
First large safety project 1985, Oseberg Feltsenter To day nearly 30% of installed safety systems in Norwegian part of the North Sea, and numerous deliveries world wide. First solutions, Simatic PLC's with additional hardware, 2 PLC's running independently. To-day a full range of S7 F, TÜV verified systems Work procedures according to IEC61508, SINTEF verified, and a full scope of function blocks and typicals

5 Siemens Safety Systems, traditional systems.
Siemens Safety Systems applications are based on long experience Stena Don 2000 Statfjord A 2000 Snorre B Huldra 2000 Oseberg South 2000 Embla 2000 Oseberg Gas 1999 Troll C 1999 Statfjord B 1998 Visund 1998 Eldfisk WIP 1999 Oseberg East 1997 Petrojarl Foinhaven 1996 Njord A & B 1995 Statfjord C 1995 Vigdis 1995 Ekofisk 1995 Eldfisk alpha 1993 Brage 1992 Embla 1991 Snorre TLP 1990 Oseberg A 1988 Oseberg B 1987

6 Siemens Safety Systems, S7, PCS7
HULDRA (Norway) MAERSK XL1 /XL2 (worlds largest jack up’s, built in Korea) 2002 EKOFISK 2/7A Visund Halfdan 5 platforms (Denmark/built in Singapore and Holland) Al Shaheen (28 platforms in Qatar) White Rose FPSO (Canada/ built in Canada/Korea/Abu Dhabi/USA) 2005 P50, Albacore Leste FPSO (Brazil) , PRA FPSOcean 1 (China) Santa Fe (USA, 2 drilling Rigs) Oseberg Field-centre (Norway) (113 off S7 400/400FH , I/O) Statfjord A/B/C ESD and F&G Sevan SSP300-1, 2 and Deep Sea Driller 1and Blackford Dolphin Snorre TLP Tor Yme (upgrade)

7 Safety Systems Applications Hva er et sikkerhetssystem (SIS)?
Disaster protection Disaster protection Collection basin Passive protection Hvor griper det inn i en ulykkesutvikling, og forhåpentligvis stanser den? Overpressure valve, rupture disc Active protection Safety shutdown Safety system (automatic) Safety Instrumented System (SIS) Plant personnel intervenes Process control system Process alarm Process value Basic automation Normal activity

8 Safety Systems Applications Hva er et sikkerhetssystem (SIS)?
Safety Instrumented System (SIS) Basic Process Control System (BPCS) Inputs Outputs Inputs Outputs PT 1A PT 1B I / P FT Reactor Low level

9 Safety Systems Applications Og hva er “Equipment Under Control”, EUC?

10 Safety Systems Applications Purpose
Risk reduction by safety systems, SIS Hensikten med å innføre et sikkerhetssystem, er å få risikoen ned til et akseptabelt nivå.

11 Safety Systems Applications What is Risk
Safety Systems Applications What is Risk? Who decides what is acceptable risk? Examples of fatality risk figures Road accident cpm 1.0x10-4/yr av 100 (ved levetid 100 år) Car accident cpm 1.5x10-4/yr 1,5 av 100 Accident at work 10cpm 1.0x10-5/yr 1 av 1000 Falling Aircraft cpm 2.0x10-8/yr 2 av Lightning strike cpm 1.0x10-7/yr 1 av Insect/Snake bite 0.1cpm 1.0x10-7/yr 1 av Smoking 20 per day cpm 5.0x10-3/yr 1 av 2 cpm = chances per million of the population (per year)

12 Safety Systems Applications
Risk reduction by safety systems, SIS Likelihood Consequence Tolerable Risk Region Unacceptable Risk Region Containment Dike Hazard #1 Control System Operator Intervention SIL1 SIL2 Safety Instrumented Function SIL3 Risikoreduksjonen er større ved et høyere SIL

13 Safety Systems Applications
What is Safe state? Can the Safety System bring the area or equipment to a safe state? How? What is required?

14 Safety Systems Applications
Some of the Safety Systems Applications ESD, Emergency Shutdown F&G, Fire & Gas Detection, Fire-fighting Process Shutdown Fire-pump Logic Ballast Control Blow-down Riser release / Anchor Release Fire Dampers, Active Smoke Control HIPPS, High Integrity Pressure Protection System

15 Safety Systems Topology for total platform control system including safety

16 Fire & Gas Topology (sample)

17 F&G System Topology (the different modules)
F&G Matrix Redundant Operator Stations Redundant Safety Servers Redundant Integrated Safety & Process Network Redundant Fail Safe Communications – SIL3 (Profisafe) Addressable Fire Detection Systems High Available & Fail Safe CPU’s Redundant Communications Interface Fail Safe I/O Modules

18 ESD Topology (sample)

19 PSD Topology (sample)

20 Marine Control System (SIL 3)

21 Subsea PSD solution and HIPPS, both SIL3

22 IEC 61508 The safety level is applicable for:
The total solution All the projects lifecycles The system solution covers EUC, including HMI HW engineering, construction and testing By use of standard hardware set-up With special modules approved by TÜV Software Function blocks (basic blocks approved by TÜV) Protocols and drivers approved by TÜV Application program (according to procedure) Maintenance procedures Operation and Modification Procedures IEC dekker ”lifecycle”. IEC61508 dekker EUC (relatert til enkel sløyfe). IEC61508 tar ikke inn over seg at mange sløyfer håndteres av samme enhet. IEC61508 har ikke et klart forhold til operatørinngrep /HMI. Siemens løsning av SIS: Systemet bygges opp av standard sertifiserte moduler, satt opp i et system etter klare retningslinjer. Basis system fra Siemens A&D Applikasjonsorienterte deler er bygd opp av Simens O&G (Norge).

23 IEC 61508, Quality Assurance and a few direct requirements
IEC er nesten bare kvalitetssikring. Bare et par sider inneholder ”konkrete” kvalitetskrav, men det er dem som får det største fokus (veldig ufortjent).

24 IEC 61508, Implementation according to proven procedures.
Safety requirements shall be specified, and the requirements shall be traceable through all engineering phases. Internal procedures for development of software according to IEC61508 Procedures developed in co-operation with SINTEF Tele and Data. specification planning implementation verification validation modifications. Internal procedures for hardware design and production according to IEC61508 Made on the same structure as the SINTEF verified SW procedure.

25 Basic principles to fulfil IEC61508
Basically three requirements Quality assurance (98% of IEC61508) Requirement to availability of safety function (PFD requirement, Probability of Failure on Demand) Requirement to safe failure fraction (SFF requirment, Safe Failure Fraction) Answers to the requirements Work methology, procedures, qualified workers Equipment quality, redundancy, second resort, diagnostics Fail to safe design, diagnostics

26 Diagnostics, feedback and redundancy
Diagnostics will give possibility to repair dangerius errors before an emergency situation, hence improving PFD and SFF. Increased diagnostics also give room for estension of test interval, hence saving cost. Feedback will give opportunity to use second shotdown possibility in case of first possibility failing, hence increasig PFD and SFF. Redundancy / second shutdown fasility More than one shutown fasility, and all are activated at same time, or second fasilities are used as result of feedback when first is faling, will give improved SFF and PFD.

27 Risk Determination (one of several methods)
How to find Required Safety Integrated Level (SIL) of the Safety System Risk Graph S: Severity of injury/damage 1:small injury, minor environmental damage 2:serious irreversible injury of many people involved or a death temporary serious environmental damage 3:death of many people long-term serious environmental damage 4:catastrophic results, many deaths S1 F1 F2 A1 A2 S2 S3 S4 P3 - 1 2 3 4 P2 P1 : F: Frequency and/or exposure time to hazard 1:seldom - quite often 2:frequent - continous A: Avoiding hazard 1:possible 2:not possible P: Probability of Occurrence 1:very low 2:low 3:relatively high

28 Safety Integrity Level (SIL)
Safety Integrity Levels, direct requirement IEC61508 Requirement Class (AK) DIN V 19250 Safety Integrity Level (SIL) IEC 61508 Probability of failure on demand per h (constant operation) (IEC 61508) Probability of failure on demand (on demand operation) (IEC 61508) Control Category EN 954-1 AK 1 --- -- B AK 2 and 3 SIL 1 10-5 to 10-6 10-1 to 10-2 1 and 2 AK 4 SIL 2 10-6 to 10-5 10-2 to 10-3 3 AK 5 and 6 SIL 3 10-7 to 10-8 10-3 to 10-4 4 AK 7 and 8 SIL 4 10-8 to 10-9 10-4 to 10-x S7-400F/FH by Siemens

29 Safety Integrity Levels, direct requirement IEC61508 IEC61508 requires higher “fail safe fraction” for “intelligent” components Hardware safety integrity: architectural constraints on type A safety-related subsystems Hardware safety integrity: architectural constraints on type B safety-related subsystems Safe failure fraction Hardware fault tolerance 1 2 < 60 % SIL1 SIL2 SIL3 60 % - 90 % SIL4 90 % - 99 % > 99 % Safe failure fraction Hardware fault tolerance 1 2 < 60 % not allowed SIL1 SIL2 60 % - 90 % SIL3 90 % - 99 % SIL4 > 99 %

30 Safety reliability Block diagram:
Safety Integrity Levels, PFD calculation Safety reliability Block diagram:

31 Safety Control System, SIMATIC S7 – 300/400 F/FH
Safety Controller S7 FH Safety Control System, SIMATIC S7 – 300/400 F/FH S H *) 30MB 3000 F-I/Os Redundant systems S H *) 2.8MB 600 F-I/Os S H *) 768kB 100 F-I/Os S7-319F-2DP 1.4MB 1000 F-I/Os S7-317F-2DP 1MB 500 F-I/Os S7-315F-2DP 192kB 300 F-I/Os Certified up to SIL 3

32 Components S7-400F/FH High available System S7-417FH as a basis
CPU 417-4H with TÜV certified basis SW/HW (SIL3) TÜV certified failsafe logic SW blocks (SIL3) Engineering /Hardware Configuration/Programming Configuration of the S7-400F-Hardware with Standard HW-Config. Graphical Engineering (programming) with Standard CFC (Continuous Function Chart) Coexistence of Standard- and F-Applications (SIL3) in one CPU Connection to the Process Devices Failsafe I/O modules (SIL1 - 3) PROFIsafe (extra safety layer to Profibus) (SIL3) to ensure failsafe communication via Profibus-DP

33 Basic principle “Protected F-Islands”
CPU hardware Any faults in other modules, environmental factors Standard user programs CPU operating system Safety-related user program Failsafe I/O modules Eine der Schwierigkeit bei der Fehlersicheren Steuerungen ist die Abnahme. Die Größe der Betriebssysteme und deren Realisierungswege machen sie besonders unfreundlich für der Abnehmer. Dazu ist der Vielfalt der Programmiersprachen einen zusätzlichen Beitrag an der Verzögerung des Abnahmesverfahren Sicheren Anwenderprogramm auf Basis der Zeitdiversitäre Redundanz Sichere Übertragung über PROFIBUS über ProfiSafe Sichere Peripherie Baugruppe durch redundanten Aufbau und Selbstest . Safety-related frame

34 S7 400F F/H system - modularity,
PC Standard Engineering Software F-Programming Tool RUN-P RUN STOP CMRES RUN-P RUN STOP CMRES Standard-CPU 417-4H F-Application Program Standard I/O’s (ET200M) F-I/O’s (ET200M) Standard-ProfibusDP ProfiSafe Protocol

35 S7-400H Redundancy Principle
C P U D E D A A E A A C P P S C P U D E D A A E A A P S C P Synchronization, information and status exchange I M D E A F PROCESS

36 I/O Configuration Switching of master by use of redundant Profibus
IO with active backplane bus performing the switchover L+ Redundant IM 153-2 Profibus-DP IM Bus module Active backplane bus Target: Reduce common mode faults for the switch-over to a minimum Achieved by: Very simple component does the switchover 4 8

37 Redundant S7-400H A Synchronization Procedure is required
Synchronization of all commands whose execution would trigger different states in both partial PLCs Part. PLC A Part. PLC B Without synchronization Part. PLC A Part. PLC B Cycle synchronization Part.-PLC A Part. PLC B Time synchronization Command synchron. Part. PLC A Part. PLC B Zum Synchronisieren redundanter Geräte kommen verschiedene Synchronisationsprinzipien zum Einsatz: - ohne Synchronisation (Beispiel Allen Bradley). Eine stoßfreie Umschaltung ist nur in bestimmten Fällen möglich. Der Anwender muß bei Erstellen seiner Programme berücksichtigen, daß das Backup-Gerät unsychronisiert arbeitet. Programme wie z.B. Schrittketten sind sehr kritisch zu programmieren. - die Zyklussynchronisation (Beispiele sind das AG-150H und die meisten Mitbewerber). In der Regel müssen Einschränkungen wie z.B. Verbot von Alarmbearbeitung oder Peripheriedirektzugriffen oder spezielle Programmierung von Timerbefehlen. - die zeitgesteuerte Synchronisation (einige Mitbewerber) - die Befehls- oder Takt Synchronisation (Teleperm, AG-110F) (Siemens Patent)

38 Flexible Set-up‘s Together, the listed principles result in a flexible set-up
Fail Safe Fail Safe and High Availability S7-400F PROFIBUS-DP F-E/A Moduls SIL 3, AK6 redundant S7-400FH redundant PROFIBUS-DP F-E/A Moduls SIL3, AK6 redundant S7-400FH redundant PROFIBUS-DP redundant F-E/A Moduls SIL3, AK6

39 Flexible Modular Redundancy ™
Make any component redundant AI DI DO DO

40 Flexible Modular Redundancy ™
AI DI DO

41 Flexible Modular Redundancy ™
Make any component redundant AI DI DO DO Physically separate redundant resources AI DI

42 Flexible Modular Redundancy ™
Make any component redundant Triple Dual AI DI DO DO Physically separate redundant resources Simplex Mix and match redundancy AI DI AI DO AI

43 Flexible Modular Redundancy ™
Make any component redundant Triple Dual AI DI DO DO Physically separate redundant resources Simplex Mix and match redundancy AI DI AI DO Tolerate multiple faults with no impact on safety Safety is not dependant on redundancy; all components are SIL3-capable Redundancy only for availability; No degraded mode AI

44  Flexible Set-up‘s         2oo3 1oo2 Valves 2oo3 PT
Multiple Fault Tolerant Fieldbus architecture allows system to tolerate multiple faults without interruption I/O redundancy independent of CPU redundancy All components rated for SIL3 No degraded mode Safety not dependent on redundancy AI DI DO AI DI DO 2oo3 AI 2oo3 PT 1oo2 Valves

45 Alternative setup by others Fail Safe and High Availability due to 2oo3 HW voting
Sample from Triconex design

46 Input and output modules to SIL 3, 2 and 1
ET 200 M F-SM, Fail Safe Modules SIL3, 2 or 1dependant on configuration (TÜV) SIL 3 also in single configuration for most modules SIL 3 with single or redundant bus connection ET200 iSP, zone 1 Small granularity modules for Zone 1, SIL3 ET200 S Small granularity modules can cover SIL1 to SIL3 RUN-P RUN STOP CMRES F-SM´s Standard SM´s

47 Architecture S7-300 Fail Safe Modules (sample)
F-Digital Output, with built in redundancy, self verification and degrading Bus interface Microcontroller Dual- port RAM Microcontroller Output driver Second disconnection facility If ”Output driver” fails to bring output to safe state, ”0”, the microcontroller does, based on the read back, order the ”Second disconnection facility” to shut the card down Read back Output VSupply L+

48 S7-300 Fail Safe Modules Redundant microcontroller in each IO module
Safety Integrated Level 1oo1 evaluation, SIL 2, AK 4 1oo2 evaluation, SIL 3, AK 6, internal in module Diagnose of internal and external errors mutual function checking of the microcontrollers input or output test branching of the input signals to both microcontrollers discrepancy analysis of the redundant input signals readback of the output signals and discrepancy analysis Second disconnection facility in the case of outputs Communication with CPU via Profisafe

49 S7-300 Fail Safe I/O Modules
Samples of modules available SM326F, DI DC24V 24 x SIL2, 12 x SIL3, with diagnostics interrupt SM326F, DI NAMUR [EEx ib] 8 x SIL2, 4 x SIL3 with diagnostics interrupt SM326F, DO DC24V/2A 10 x SIL3, current source, diagnostics interrupt SM336F, AI mA 6 x SIL2 or 3, with diagnostics interrupt

50 Library with standard, pre-verified instrument interfaces
Fail Safe I/O Modules Library for interfaces to field devices Library with standard, pre-verified instrument interfaces

51 Fail Safe I/O Modules Development of interfaces to field devices
Man må ofte ting i sammenheng før en oppdager at det kan være spesielle feilsituasjoner

52 Fail Safe I/O Modules Development of interfaces to field devices
Det er utrolig hvor lite komplisert det skal være før noe kan gå galt (eksempel på bruk av kretsen fra foregående slide)

53 Operator interface to SIL3
Man - Machine interface for daily use are the Operator Stations (but Bill Gates deliver no SIL3 solutions) Operator Stations with commands to SIL3 High end servers and operator stations, with redundancy and extensive diagnosis Special TÜV approved procedure for safe commands from operator stations to F-area (safe island) for SIL3 commands to controller. CAP solutions ensures HMI interface to SIL3 LED elements connected to SIL3 remote I/O Necessary information for an emergency situation Necessary input elements to put the process to safe state

54 CAP or Matrix / Mimic to SIL3, simple and hardwired
Simple solutions Pushbuttons lamps and switches are lifting and maintaining the SIL for the total HMI

55 CPU-Software Architecture
F-User Program Standard- User Program F-User Blocks F-Control Blocks F-Standard- blocks F -System- blocks Program execution Program execution Communications Self tests Safety-relevant sections of the operating system Standard- Operating System F-Access protection Safety-relevant System Func. Calls Safety-relevant Self tests

56 S7-F Concept, Double processing in diverse environments
Multi-channel storage of safety-critical data in instance DBs in the CPU, e.g. as word-oriented complement COMP FFFFH 1 0H Instead of redundancy of HW , Siemens Safety System runs redundant SW on same HW. DATA COMP DATA COMP Bit-AND in bit arithmetic logic unit Word-OR in ALU Multi-channel processing of the safety function in F-FBs by SP7-ASIC of the CPU Standard operation on DATA Multi-channel operation on COMP DATA COMP CPU-internal comparison in the output driver to improve error locating Error handling: disable outputs and stop CPU Comparison Copy Convert Zeit diversitäre Redundanz: Zeit Redundanz weil eine bestimmte Funktion zweimal an zwei verschiedenen Zeitpunkte realisiert werden Diversitäre weil die Funktion jedesmal mit diversitäre Anweisungen der CPU Rechner geschrieben werden (positive Logik und negative Logik bei der Und Funktion: pos. Log. durch AND neg. Log. durch OR. Die Sicherheit wird durch den anschliessende Ergebnissvergleich und Signaturvergleich (jeden Datensatz verfügt um einen Signatur) Dieses Konzept wird als encoded processor Verfahren bereits in der Verkehrtechnik (Matra, U-Bahn Lyon) eingesetzt und erreicht dabei SIL4! Safety-related message Data CRC CPU-external comparison in receiver (F-output modules and processing F-CPUs) Error handling: safe substitute values and error message Comparison

57 S7-F Program Concept Extensive comparision and monitoring
Time redundancy and Diversity instead of hardware redundancy A, B (Bool) C Result Operands Operation AND Stop Encoding Comparison At D /C OR Diversity Operands Diversity Operation Diversity Result /A, /B (Word) D = /C Time redundancy Zeit diversitäre Redundanz: Zeit Redundanz weil eine bestimmte Funktion zweimal an zwei verschiedenen Zeitpunkte realisiert werden Diversitäre weil die Funktion jedesmal mit diversitäre Anweisungen der CPU Rechner geschrieben werden (positive Logik und negative Logik bei der Und Funktion: pos. Log. durch AND neg. Log. durch OR. Die Sicherheit wird durch den anschliessende Ergebnissvergleich und Signaturvergleich (jeden Datensatz verfügt um einen Signatur) Dieses Konzept wird als encoded processor Verfahren bereits in der Verkehrtechnik (Matra, U-Bahn Lyon) eingesetzt und erreicht dabei SIL4! Time Time redundancy and instruction diverse processing Logical program execution and data flow monitoring Bool and Word Operations processed in different parts of the CPU 2 independent hardware timer

58 Programming Graphical programming CFC acc. to IEC 1131
F-Library Certified (TÜV) function blocks Verweis auf technischen Folien: Geschützte F-Inseln Zeitdiversitäre Redundanz Mehr Details Links are structs CFC

59 Simplified ESD Program Overview, sample
HMI OS skjerm Normal program Safe program CFC

60 Engineering tool Program Protection
Read/Write protection with password Enabling of the Failsafe function of the CPU 417-4H or 414-4H CFC

61 Program protection Program Signature
Signature of F-Program for TÜV Certification. Program taken out of CPU cannot be downloaded unless carrying the correct signature The signature is generated by the programming tool, and is changed after every change of the program CFC

62 Programming Comparison of existing and changed program
Comparison of different F-program versions Deviations shall be checked before download of change CFC

63 Hardware Configuration CPU Parameters
Safety-relevant parameters Set up protection level Activate safety operation

64 Hardware Configuration F-DO Parameters
Safety-relevant parameters

65 Engineering Failsafe I/O Modules, diagnostics is set due to SIL
Enabling of the failsafe function Signal evaluation: 1oo1 (SIL 2) 1oo2 (SIL 3)

66 Communication concepts to SIL3 /2/1
PROFIBUS DP / ProfiSafe for communication to approved ProfiSafe equipment, SIL3 / 2. F-SM remote I/O modules Other S7 400F or S7 300F nodes Drivers for Ethernet communication to S7 F nodes, SIL3. Drivers for communication on Ethernet between safety programs in S7 nodes. Communication from OS to safety program to SIL3 Special routine and function blocks for verified command from OS to F-area (safe island). Combination of PROFIBUS DP /PROFIBUS PA to SIL 2/3

67 High Available Communication (not required to achieve SIL)
Redundant optical ringbus S7-400H Single controller Redundancy replacement diagram: PS CPU CP Bus

68 Safety Communications
B+B B+B Redundant system with SIMATIC S7-400FH SIMATIC ET 200M AI DI DO Siemens fully subscribes to the concept of integrating the full safety-loop. In fact, in the area of machine safety the trend has been just the opposite. the field devices were always the focus of the loop and the PLC is now just becoming Redundant Ring AI AI DI DO AO

69 enabling failsafe fieldbus applications .... ProfiSafe
Basic concepts for communication to SIL3 and SIL2 ProfiSafe enabling failsafe fieldbus applications ....

70 Basic concepts for communication to SIL3 and SIL2 Add required safety layer to a standard protocol
e.g.. Diagnostics Program Safety Input Safety Control Safety Output Standard- I /O Standard Control Safety-Layer Safety-Layer Safety-Layer 7 7 7 7 7 2 2 2 2 2 1 1 1 1 1 „Black/Gray Channel": ASICs, Links, Cables, etc. are not safety relevant Non safety critical functions, like e.g. diagnosis "ProfiSafe": Parts of the safety critical communications systems: Adressing, Watch Dog Timers, Sequenzing, Signatur, etc. Safety relevant, but not part of the ProfiSafe-Profils: Safety I/O and the Safety Control Systems

71 Failure Types and remedial Measures ...
Basic concepts for communication to SIL3 and SIL2 Content of required safety layer must cover possible failures Failure Types and remedial Measures ... Remedy: Sequence Number Time Out with Receipt Codename for Sender and Receiver Data Consistency Check Failure type: Repetition X X Deletion X Insertion X X X X Resequencing X X Data Corruption X Delay Masquerade (standard message mimics failsafe) X X X FIFO failure within Router X The measures must be executed and monitored inside one failsafe unit

72 Standard Profibus DP Message ...
Standard-Message S S S S S S SD LE LEr SD DA SA FC Data Unit = Standard- or Failsafe-Data FCS ED Sync time 68H ... ... 68H ... .... ... Bytes ... 16H 33 TBit 1 Cell = 11 Bit LE SB ZB ZB 1 ZB 2 ZB 3 ZB 4 ZB 5 ZB 6 ZB 7 PB EB Data Unit = Failsafe-Data max. 244 Bytes FCS = Frame Checking Sequence (across data within LE) ED = End Delimiter SB = Start-Bit ZB0...7 = Character-Bit PB = (even) Parity Bit EB = Stop-Bit TBit = Clock-Bit = 1 / Baudrate SD = Start Delimiter (here SD2, var. Data Length) LE = Length of Data LEr = Repeated LoD, not in FCS DA = Destination Address SA = Source Address FC = Function Code (Type of Message)

73 (the extra layer included in the user telegram)
... and a ProfiSafe Message ... (the extra layer included in the user telegram) Standard-Message-Frame (user telegram) S S S S S S Status / Controlbyte Sequence Number CRC Standard- I/O-Data F-I/O-Data Sender based Counter across F-Data and F-Parameter *) 2 Byte for a max. of 12 Byte F I/O data 4 Byte for a max. of 122 Byte F I/O data Max. 12 / 122 Bytes 1 Byte 1 Byte 2/4 Bytes *) (240/238 - F-Data) Max. 244 Bytes DP-Data

74 PROFIBUS PA Fieldbus solution to SIL 1/2/3.
SINTEF Study "Evaluation of PROFIBUS PA against SIL1 / 2 requirements (2000). ProfiSafe PA, TÜV certified SIL 2/ 3 (2007)

75 PROFIBUS PA with PROFISafe Redundancy
Ring architecture with Active Field Distributor PROFIBUS DP M AFD Active Field Distributor PROFIBUS PA IM 157, redundant DP/PA coupler, redundant (M = master)

76 PROFIBUS PA with PROFISafe Voting
PROFIBUS DP 2oo3 1oo2 S7-400FH DP/PA Coupler, redundant IM 157, redundant

77 Fail-safe CPU – CPU Communication
The safety-oriented CPU-CPU communication via S7 connections with the send/receive blocks: F_SENDBO/F_RCVBO Transfer of 20 F_BOOL F_SENDR/F_RCVBR Transfer of 20 F_REAL

78 Safety Control Loops and
Residual Error (PFD) Probability.... within one PLC Sensor Bin. I Anal. I logic operations Bin. O Actuator 100 %, total figure for allowed PFD (Probability of Failure on Demand) Sensor Bin. I Anal. I logic operations Bin. O Actuator 15 % 1 % 1 % (Profisafe share of total for SIL3) e.g. Safety Integrity Level (SIL) 3 : 10-7 / h (Share of ProfiSafe: 1% = 10-9 / h)

79 Andre SAS krav for et typisk nettverk, Safety / Security Typisk SAS nettverks arkitektur
Work processes are key, technology is just an enabler

80 Standarder, anbefalinger
Andre SAS krav for et typisk nettverk, Safety / Security Mange standarder, forsvar i dybden Standarder, anbefalinger ISO / ISO / ISO 27002 ISA S99 OLF-104 OLF-110 OLF-123 ISA Security Compliance Institue: ISA Secure INL Security Lab (Idaho National Lab) LOGIIC (Linking the Oil and Gas Industry to Improve Cyber Security ) Add SIS in the middle Regardless of the age of your control system, in today’s manufacturing environment it is very likely connected to the enterprise and in turn to the Internet. Protecting it means establishing and applying a security infrastructure throughout. We will now touch on some of the key steps for creating a secure infrastructure. First and foremos, any system that secures plant assets should use a “defense in depth” strategy that takes a multilayer approach to keeping the bad guys out. No single security measure is good enough to prevent intrusions. For example many people think that just because they have a firewall, that they are protected. Controlling physical access to the control system goes hand-in-hand with the goal of creating a secure infrastructure. We will now touch on some of the key steps for creating a secure infrastructure. The recommendations shown in the following slides can be and should be applied to whatever system you have in place (no matter what vendor). Specific examples are shown as to how to create a secure architecture using PCS 7. [Time] : 45 seconds

81 Ganske mye utstyr / SW for security i et komplett anlegg
Here list the different components and Subsea Controller Subsea modem Talk about redundancy, store & forward,…

82 Failsafe Programming-
Vil du ha SIL3 på din egen PC Vi starter med en standard PC og en programpakke + litt safe I/O Standard Programming- Software STEP 7 Failsafe Programming- Tool Distributed Safety Failsafe Application Program F Soft PLC Standard PROFIBUS DP or PROFINET IO PROFIsafe Standard Remote I/O Failsafe I/O Modules

83 Først må du sjekke om din PC er egnet for formålet Så kan du laste nødvendig SW, og sette inn snitt for PROFIbus Tar min Har den en timer, RTC på Interupt 8? (normalt ok) Last SW Win AC RTX F er installert på Windows XP Prof / eller er ”embedded” Koden løper på en ekstra ”realtime kernel, IntervalZero RTX”

84 Baserer seg på tidligere omtalte prinsipper
Coded Processing Time redundancy and diversity instead of structural redundancy Divers Operation Operation Coding Comparison Divers Operators Operators Divers Output Output Stop by D ≠ /C D = /C C A, B /A, /B OR AND Time redundancy Time

85 Baserer seg på tidligere omtalte prinsipper
uP Left uP Right F-DI Wrong CRC -> PROFIsafe Stop or -> CPU Stop Bad PROFIsafe telegram CRC Data PSF Input Driver F-CTRL 1 F-CTRL2 F FBs STEP 7 F-Coded FBs PSF Output Driver zc = xc + yc + 1 zf = xf + yf Data xf Coded xc F-CPU PROFIsafe telegram CRC Data Plus Minus uP Left uP Right F-DO

86 Ditt eget Moholt SIL3 anlegg
WinAC RTX F

87 Tusen Takk for at Dere gadd høre på!
For mer info se: First with Integrated Control & Safety First with Flexible, Scalable, Distributed Architecture First Safety Lifecycle Management Tool - Safety Matrix First and Only Fully Integrated Safety Fieldbus First and Only SIL3, zone 1 I/O First and Only SIL3 on your own PC Arnt Olav Sveen


Download ppt "Siemens Safety Systems. NTNU , Arnt Olav Sveen"

Similar presentations


Ads by Google