Siemens Safety Systems. NTNU 14.03.2011, Arnt Olav Sveen

S o l u t i o n s f o r O i l & G a sS o l u t i o n s f o r O i l & G a s 100.1

A.O.Sveen, NTNU 2011

Siemens Safety Systems.NTNU 14.03.2011, Arnt Olav Sveen

Løsninger

Applikasjoner

» Kontroller / sentralsystem

» Kommunikasjon / nettverk

» Human - Machine Interface

» Inngangs og utgangs moduler

» Programvare /programmering

Historikk og bakgrunn

» Basis for løsninger

Krav i IEC61508

» Hjemmesikkerhetssystem



Siemens Safety Systems.

The prevention of accidents should not be considered a question of legislation, but instead our responsibility to fellow beings and economic sense

(Werner von Siemens in 1880)



History of Siemens Safety Systems

SIMATIC S5-110F(1980) SIMATIC S5-

115F(1988)

SIMATIC S5-SIMATIC S5-95F95F

(1994)(1994)

QUADLOG(1995)

Distributed SafetyS7 151F/315F/317F/416F

(2002/2003)

S7 F SystemsS7-400FH / PROFIsafe

(1999)

Safety Matrix(1999)



Siemens Safety Systems.

First large safety project 1985, Oseberg Feltsenter

To day nearly 30% of installed safety systems in Norwegian part of the North Sea, and numerous deliveries world wide.

First solutions, Simatic PLC's with additional hardware, 2 PLC's running independently.

To-day a full range of S7 F, TÜV verified systems

Work procedures according to IEC61508, SINTEF verified, and a full scope of function blocks and typicals



•Stena Don 2000•Statfjord A 2000•Snorre B 2000•Huldra 2000•Oseberg South 2000•Embla 2000•Oseberg Gas 1999•Troll C 1999 •Statfjord B 1998•Visund 1998 •Eldfisk WIP 1999•Oseberg East 1997

•Petrojarl Foinhaven 1996•Njord A & B 1995 •Statfjord C 1995•Vigdis 1995•Ekofisk 1995 •Eldfisk alpha 1993•Brage 1992•Embla 1991•Snorre TLP 1990 •Oseberg A 1988•Oseberg B 1987

Siemens Safety Systems applications are based on long experience

Siemens Safety Systems, traditional systems.



Siemens Safety Systems, S7, PCS7 HULDRA (Norway) 2000 MAERSK XL1 /XL2 (worlds largest jack up’s, built in Korea) 2002 EKOFISK 2/7A 2002 Visund 2006-2011

Halfdan 5 platforms (Denmark/built in Singapore and Holland) 2003-2011 Al Shaheen (28 platforms in Qatar) 2003- 2010 White Rose FPSO (Canada/ built in Canada/Korea/Abu Dhabi/USA) 2005

P50, Albacore Leste FPSO (Brazil) , PRA 1 2005-2007 FPSOcean 1 (China) 2007-2009 Santa Fe (USA, 2 drilling Rigs) 2004 Oseberg Field-centre (Norway) (113 off S7 400/400FH , 35000 I/O) 2005 -2007 Statfjord A/B/C ESD and F&G 2004-2007 Sevan SSP300-1, 2 and 3 2005-2008 Deep Sea Driller 1and 2 2007-2011 Blackford Dolphin 2006-2008 Snorre TLP 2006-2011 Tor 2011 Yme (upgrade) 2011



Safety Systems ApplicationsHva er et sikkerhetssystem (SIS)?

Hvor griper det inn i enulykkesutvikling, og forhåpentligvis stanser

den?Plantpersonnelintervenes

Safety system(automatic)

Basicautomation

Overpressure valve, rupturedisc

Collectionbasin

Active protection

Passive protection

Disaster protectionDisasterprotection

Safety InstrumentedSystem (SIS)

Processvalue

Process alarm

Normal activity

Process controlsystem

Safetyshutdown



Safety Systems ApplicationsHva er et sikkerhetssystem (SIS)?

Low level

I / P

Reactor

PT1A

PT1B

FT

Basic Process Control System

(BPCS) Inputs Outputs

Safety Instrumented System (SIS)

Inputs Outputs



Safety Systems ApplicationsOg hva er “Equipment Under Control”, EUC?

PressurizedVessel

AS 414 FAS 417 F

ET 200M

IM 153 SafetyModule

F-I/O Modules

PROF

IBUS

-DP

StandardI/O Modules



Safety Systems ApplicationsPurpose

Risk reduction by safety systems, SIS

EUCrisk

EUCrisk

TolerableRisk

TolerableRisk

ResidualRisk

ResidualRisk

Necessary Risk Reduction

Actual Risk Reduction

Risk reduction achieved by all safety-systemsRisk reduction achieved by all safety-systems

From IEC 61508:

Increasing Risk

Hensikten med å innføre et sikkerhetssystem, er å få risikoen ned til et akseptabelt nivå.



Safety Systems ApplicationsWhat is Risk? Who decides what is acceptable risk?

Examples of fatality risk figures Road accident 100cpm 1.0x10-4/yr 1 av 100 (ved levetid 100 år)

Car accident 150cpm 1.5x10-4/yr 1,5 av 100 Accident at work 10cpm 1.0x10-5/yr 1 av 1000 Falling Aircraft 0.02 cpm 2.0x10-8/yr 2 av 1000 000 Lightning strike 0.1cpm 1.0x10-7/yr 1 av 100 000 Insect/Snake bite 0.1cpm 1.0x10-7/yr 1 av 100 000 Smoking 20 per day 5000 cpm 5.0x10-3/yr 1 av 2

cpm = chances per million of the population (per year)



Safety Systems Applications

Likel

ihoo

d

Consequence

Tolerable Risk Region

Unacceptable Risk Region

Hazard #1Containment Dike

Control System

Operator Intervention

Safety Instrumented Function

SIL1

SIL2

SIL3

Risk reduction by safety systems, SIS

Risikoreduksjonen er større ved et høyere SIL




What is Safe state?

Can the Safety System bring the area or equipment to a safe state?

How?

What is required? Power Plant




Some of the Safety Systems Applications ESD, Emergency Shutdown F&G, Fire & Gas Detection, Fire-fighting Process Shutdown Fire-pump Logic Ballast Control Blow-down Riser release / Anchor Release Fire Dampers, Active Smoke Control HIPPS, High Integrity Pressure Protection System



Safety SystemsTopology for total platform control system including safety



SIEM

ENS

S7-400FH (SIL3 , and redundant)

PR OFIBU S/ProfiSafe (S IL3) Indu strial E th ern et 100 M bit

F&G ESD Wide ScreenO verv iew

E thernet 100 M bit

S oftware is im plem en ted according to p ro ced ure, SIL 3

SIEM

ENS

Indu strial E th ern et 100 M bit

Ethernet 100 M bit

Co m m u nication to other no des S IL3

Co m m an ds fro m O S to S IL 3

PROFIB US/ProfiSafe (SIL3)

P ROFIB US/ProfiSafe (SIL3)

S IL 2

Fire & Gas Topology (sample)

Power

Fire Brig. recvd.

Fire vent. activ.

Fire ext.. acktivated

0

ALARM

?

C

987

654

321

Silence buzzer

Silence sounders

Reset

More Alarms

Prewarning

Early warning

System fault

Function disabled

Test

Fault

Self Verify



F&G System Topology (the different modules)

PROFIBUS or Profisafe (SIL3)

RadioRadio

SIE

ME

NS

SIE

ME

NS

S7-400F(SIL3)

S7-400F(SIL3)

S7-400FH (SIL3, and redundant)

PROFIBUS or Profisafe (SIL3)

I/O modulesSIL 2/3

F&G Matrix

PROFIBUS/PROFISAFESIL3 and redundant

Redundant, optical,100 Mbit Industrial Ethernet

Remote Control(Veslefrikk)

Redundant, servers,each withdual powersupplies andmulti CPU's(tolerabable for CPU errors)

Redundant, operator stations,each withdual powersupplies andmulti CPU's(tolerabable for CPU errors)

Output modulesF-SM's, SIL 2/3redundantor redundant ouput configuration verified by SINTEF (SIL2/3)

Analogue inputs(each SIl1) invotingone of many (total is SIL2)

I/O modulesSIL 2/3

F&G Matrix

PROFIBUS/PROFISAFE, SIL3optical and redundant

Note:Separate bus sytems are used for interface to matrixes to avoid common mode failurres with field I/O

Autronica protocol

Autronica protocol

Hardwired alarm

Autronica fire panel

Fire Area (1of n gives alarm)

Fail Safe I/O Modules

High Available & Fail Safe CPU’s

Redundant Integrated Safety & Process Network

Addressable Fire Detection Systems

Redundant Communications Interface

Redundant Fail Safe Communications – SIL3 (Profisafe)

Redundant Safety Servers

Redundant Operator Stations

F&G Matrix



ESD Topology (sample)SI

EMEN

S

S7-400F(SIL3)

S7-400FH (SIL3, and redundant)

PROFIBUS/ProfiSafe (SIL3)

ESD Matrix.

Controller Cabinet

Operator Stations

Industrial Ethernet 100 Mbit

F&G ESD Wide ScreenOverview

Ethernet 100 Mbit

Redundant Safety Servers

(built in redundancy and auto-repair)

Software is implemented according to procedure, SIL 3

EngineeringStation

S7-400F(SIL3)

SIEM

ENS


Ethernet 100 Mbit

Communication to other nodes SIL3

Commands from OS to SIL3

RemoteInput / Output modules, F-SM SIL2/3or ET200M SIL0/1

Hardware design according to procedure, SIL 3

Remote "fail safe"Input /output modulesF-SM's, SIL 2/3

Field Termination Cabinet



RemoteInput / Output modules, IS1or ET200M SIL0/1



PSD Topology (sample)SI

EMEN

S

S7-400F(SIL3)

Controller Cabinet

Operator Stations


Redundant Servers


EngineeringStation

S7-400F(SIL3)

SIEM

ENS


Ethernet 100 Mbit




Remote ET200iSor"fail safe"Input /output modulesF-SM's, SIL 2/3

Field Termination Cabinetor Junction Box



Ethernet 100 Mbit



Marine Control System (SIL 3)SI

EMEN

S

S7-400F(SIL3)

ACPU

S7-400FH (SIL3, and redundant) Controller Cabinet B

Operator Stations


Redundant Servers


EngineeringStation

S7-400F(SIL3)

B CPU

SIEM

ENS


Ethernet 100 Mbit




Remote "fail safe"Input /output modulesF-SM's, SIL 2/3

Field Termination Cabinetor Junction Box



Controller Cabinet A

Synchronization link

Manual Ballast Functions



Subsea PSD solution and HIPPS, both SIL3

Supplier Document Review

Accepted

SCSSV

PMV

PWV

HIPPS 1 HIPPS 2

Choke

Titanium Pipe/enclosure

Titanium Pipe/enclosure

SSIV

ESD, S7-400F, SIL3

Remote F-SM, SIL3

PRO

FISA

FE ,S

IL3

Topside

Subsea

(Remote I/O)

PSD, S7-400F, SIL2/3 PCS, S7-400

RIO (F.SM.)

Hydraulic Supply

Bleed Hydraulic (SIL 3)

PSD Remote I/O Simatic S7F-SM (SIL3)

Twisted Pair Fiber Optic Cable Umbilical with center line

1

2

3

X x=Number of connection`s

5

Profibus DP/ProfiSafe (SIL3)

Hydraulic 6 Riser (Stigerør)

EV

PSV

HPU

Production

T

PRO

FBU

S

PRO

FISA

FE ,S

IL3

Remote F-SM, SIL3

4-20 mA

P T P T

4-20 mA

Slot no. 1

Slot no. 2-4

P T

T

P T

TP T

P TP T

P T

P T

S5 95F/S7 300F

Subsea HIPPS/SIL 3

P T

P T

RF-Modem

Profibus DP(to topside modem)19.2 Kbits

RF- Modem

T

4-20 mA

P T

RF-Modem

RF-Modem 183 Kbits



IEC 61508

The safety level is applicable for: The total solution All the projects lifecycles

The system solution covers EUC, including HMI HW engineering, construction and testing

By use of standard hardware set-up With special modules approved by TÜV

Software Function blocks (basic blocks approved by TÜV) Protocols and drivers approved by TÜV Application program (according to procedure)

Maintenance procedures Operation and Modification Procedures



IEC 61508, Quality Assurance and a few direct requirements

Software safety validation

9.6

Safety functions requirements specification

Safety integrity requirements specification

9.1

9.1.1 9.1.2

Software safety requirements specification

To box 12 in figure 2 of part 1

Software safety validation planning

Software design and development

9.39.2

9.4 Software operation and modification procedures

9.5PE integration (hardware/software)

To box 14 in figure 2 of part 1

E/E/PES safety

lifecycle(see figure 2)

Software safety lifecycle

10 11

NOTE 1 Activities relating to verification, management of functional safety and functional safety assessment are not shown for reasons of clarity but are relevent to all overall, E/E/PES and software safety lifecycle phases.

NOTE 2 The phases represented by boxes 10 and 11 are outside the scope of this standard.

NOTE 3 Parts 2 and 3 deal with box 9 (realisation) but they also deal, where relevant, with the programmable electronic (hardware and software) aspects of boxes 13, 14 and 15.

Concept1

Overall scopedefinition2

Hazard and risk analysis3

Overall safety requirements4

Safety requirements allocation 5

Back to appropriate overall safety lifecycle

phase

Overall safety validation13

Overall operation,maintenance and repair

Overall modification and retrofit14 15

Decommissioningor disposal16

Safety-relatedsystems:E/E/PES

Realisation(see E/E/PES

safetylifecycle)

9 Safety-relatedsystems:

other technology

Realisation

Overall installationand commissioning12

8

Overall planningOveralI

operation andmaintenance

planning

OveralI installation andcommissioning

planning

Overallsafety

validationplanning

6 7 8

External risk reduction facilities

Realisation



IEC 61508, Implementation according to proven procedures.

Safety requirements shall be specified, and the requirements shall be traceable through all engineering phases.

Internal procedures for development of software according to IEC61508

Procedures developed in co-operation with SINTEF Tele and Data.– specification– planning– implementation– verification– validation– modifications.

Internal procedures for hardware design and production according to IEC61508

Made on the same structure as the SINTEF verified SW procedure.



Basically three requirements1. Quality assurance (98% of IEC61508)

2. Requirement to availability of safety function (PFD requirement, Probability of Failure on Demand)

3. Requirement to safe failure fraction (SFF requirment, Safe Failure Fraction)

Basic principles to fulfil IEC61508

Answers to the requirements1. Work methology, procedures, qualified workers

2. Equipment quality, redundancy, second resort, diagnostics

3. Fail to safe design, diagnostics



Diagnostics / feedbackDiagnostics will give possibility to repair dangerius errors before an emergency situation, hence improving PFD and SFF.

Increased diagnostics also give room for estension of test interval, hence saving cost.

Feedback will give opportunity to use second shotdown possibility in case of first possibility failing, hence increasig PFD and SFF.

Diagnostics, feedback and redundancy

Redundancy / second shutdown fasilityMore than one shutown fasility, and all are activated at same time, or second fasilities are used as result of feedback when first is faling, will give improved SFF and PFD.



Risk Graph

Risk Determination (one of several methods)

:

S1

F1

F2

F1

F2

A1

A2

A1

A2

S2

S3

S4

P3-

1

1

2

3

3

4

4

-

1

1

2

3

3

3

4

-

-

-

1

1

2

3

3

P2 P1S: Severity of injury/damage 1:small injury,

minor environmental damage2:serious irreversible injury of many people involved or a death

temporary serious environmental damage3:death of many people

long-term serious environmental damage4:catastrophic results, many deaths

F: Frequency and/or exposure time to hazard1:seldom - quite often2:frequent - continous

A: Avoiding hazard1:possible2:not possible

P: Probability of Occurrence1:very low2:low3:relatively high

How to find Required Safety Integrated Level (SIL) of the Safety System



S7-400F/FHby Siemens

Safety Integrity Levels, direct requirement IEC61508

Requirement Class (AK)

DIN V 19250

Safety Integrity

Level (SIL)IEC 61508

Probability of failure on demand per h

(constant operation) (IEC 61508)

Probability of failure on demand (on

demand operation) (IEC 61508)

Control CategoryEN 954-1

AK 1 --- -- -- B

AK 2 and 3 SIL 1 10-5 to 10-6 10-1 to 10-2 1 and 2

AK 4 SIL 2 10-6 to 10-5 10-2 to 10-3 3

AK 5 and 6 SIL 3 10-7 to 10-8 10-3 to 10-4 4

AK 7 and 8 SIL 4 10-8 to 10-9 10-4 to 10-x ---



Safety Integrity Levels, direct requirement IEC61508

IEC61508 requires higher “fail safe fraction” for “intelligent” components

Safe failure fraction

Hardware fault tolerance

0 1 2

< 60 % SIL1 SIL2 SIL3

60 % - 90 % SIL2 SIL3 SIL4

90 % - 99 % SIL3 SIL4 SIL4

> 99 % SIL3 SIL4 SIL4

Hardware safety integrity: architectural constraints on type B safety-related subsystems

Safe failure fraction

Hardware fault tolerance

0 1 2

< 60 % not allowed SIL1 SIL2

60 % - 90 % SIL1 SIL2 SIL3

90 % - 99 % SIL2 SIL3 SIL4

> 99 %

SIL3 SIL4 SIL4

Hardware safety integrity: architectural constraints on type A safety-related subsystems



Safety Integrity Levels, PFD calculation

AIPROFISAFE

CPU DOPROFISAFE

ESV

4-20 mA

Gas detector

Control valveF&G loop with Gas detector and control valve.

F&G loop with Gas detector and control valve.

Safety reliability Block diagram:



Safety Control System, SIMATIC S7 – 300/400 F/FH

Safety Controller S7 FH

Certified up to SIL 3

Redundant systems

S7-412-3H *)768kB

100 F-I/Os

S7-414-4H *)2.8MB

600 F-I/Os

S7-317F-2DP1MB

500 F-I/OsS7-315F-2DP

192kB300 F-I/Os

S7-417-4H *)30MB

3000 F-I/Os

S7-319F-2DP1.4MB

1000 F-I/Os



Components S7-400F/FH

High available System S7-417FH as a basis CPU 417-4H with TÜV certified basis SW/HW (SIL3) TÜV certified failsafe logic SW blocks (SIL3)

Engineering /Hardware Configuration/Programming Configuration of the S7-400F-Hardware with Standard HW-Config. Graphical Engineering (programming) with Standard CFC (Continuous Function Chart) Coexistence of Standard- and F-Applications (SIL3) in one CPU

Connection to the Process Devices Failsafe I/O modules (SIL1 - 3) PROFIsafe (extra safety layer to Profibus) (SIL3) to ensure failsafe communication via Profibus-DP



Basic principle “Protected F-Islands”

Safety-relateduser program

CPUoperating system

Standard user programs

CPUhardware

Safety-related frame

Any faults inother modules, environmental

factors

FailsafeI/O

modules



S7 400F F/H system - modularity,

PCStandard Engineering Software

Standard-ProfibusDP

F-Application Program

F-Programming Tool

F-I/O’s (ET200M)

ProfiSafe Protocol

RUN-PRUN

STOPCM

RES

RUN-PRUN

STOPCM

RES

Standard-CPU 417-4H

Standard I/O’s (ET200M)



S7-400HRedundancy Principle

CCPPUU

DDEE

DDAA

AAEE

AAAA

PPSS

CCPP

CCPPUU

DDEE

DDAA

AAEE

AAAA

CCPP

PPSS

PROCESSPROCESS

Synchronization,information

and status exchange

IIMM

DDEE

AAEE

AAAA

DDAA

IIMM

FFMM



I/O ConfigurationSwitching of master by use of redundant Profibus

Profibus-DP

IM

IM

Bus module

Active backplane bus

IO with active backplane bus performing the switchover

L+L+

Redundant IM 153-2

Target:Reduce common mode faultsfor the switch-over to a minimum Achieved by:

Very simple component doesthe switchover



Redundant S7-400HA Synchronization Procedure is required

Par

t. P

LC A

Par

t. P

LC B

Cycle synchronization

Par

t.-P

LC A

Par

t. P

LC B

Time synchronization Command synchron.

Par

t. P

LC A

Par

t. P

LC B

Par

t. P

LC A

Par

t. P

LC B

Without synchronization

(Siemens Patent)

Synchronization of all commands whose execution would trigger different

states in both partial PLCs



Flexible Set-up‘sTogether, the listed principles result in a flexible set-up

redundant S7-400FH redundant PROFIBUS-DP F-E/A Moduls SIL3, AK6

redundant S7-400FH redundant PROFIBUS-DP redundant F-E/A Moduls SIL3, AK6

S7-400F PROFIBUS-DP F-E/A Moduls SIL 3, AK6

Fail Safe Fail Safe and High Availability

AS 414 FAS 417 F

ET 200M

IM 153

SafetyModule

F-I/O Modules

PRO

FIB

US

-DP

StandardI/O Modules

PRO

FIB

US

-DP

ET 200M

2 xIM 153-2

SafetyModule

F-I/O Modules

AS 414 FAS 417 F

StandardI/O Modules

PRO

FIB

US-

DP

ET 200M

F-I/O Modulesredundant

AS 414 FAS 417 F



AI DI DO DO

Flexible Modular Redundancy ™

Make any component redundant



AI DI DO




AI DI DO DO

AI DI


Physically separate redundant resources




AI

Triple

Simplex

DI DO DO

AI DI AI DO

AIDual



Mix and match redundancy




AI

Triple

Simplex

DI DO DO

AI DI AI DO

AIDual


Mix and match redundancy

Tolerate multiple faults with no impact on safety Safety is not dependant on redundancy; all

components are SIL3-capable Redundancy only for availability; No degraded

mode





Flexible Set-up‘s

Multiple Fault Tolerant Fieldbus architecture allows system to tolerate

multiple faults without interruption I/O redundancy independent of CPU redundancy

All components rated for SIL3 No degraded mode Safety not dependent on redundancyAI DI DO DOAI

AI DI

DO DOAIAI

2oo3 PT1oo2 Valves

2oo3



Alternative setup by othersFail Safe and High Availability due to 2oo3 HW voting

Sample from Triconex design



Input and output modules to SIL 3, 2 and 1

RUN-PRUN

STOPCMRES F-SM´sStandard SM´sRUN-PRUN

STOPCMRES

ET 200 M F-SM, Fail Safe Modules

ET200 iSP, zone 1 Small granularity modules for Zone 1, SIL3

ET200 S Small granularity modules can cover SIL1 to SIL3

SIL3, 2 or 1dependant on configuration (TÜV) – SIL 3 also in single configuration for most modules– SIL 3 with single or redundant bus connection



Architecture S7-300 Fail Safe Modules (sample)

Microcontroller

Outputdriver

Dual-portRAM

Bus interface

Seconddisconnection facility

L+

F-Digital Output, with built in redundancy, self verification and degrading

Microcontroller

Output VSupply

If ”Output driver” fails to bringoutput to safe state, ”0”, the microcontroller does, based on the read back, order the ”Seconddisconnection facility” to shut the card down

Read back



S7-300 Fail Safe Modules

Redundant microcontroller in each IO module Safety Integrated Level

1oo1 evaluation, SIL 2, AK 4 1oo2 evaluation, SIL 3, AK 6, internal in module

Diagnose of internal and external errors mutual function checking of the microcontrollers input or output test branching of the input signals to both microcontrollers discrepancy analysis of the redundant input signals readback of the output signals and discrepancy analysis

Second disconnection facility in the case of outputs Communication with CPU via Profisafe



S7-300 Fail Safe I/O Modules

Samples of modules available

SM326F, DI DC24V 24 x SIL2, 12 x SIL3, with diagnostics interrupt

SM326F, DI NAMUR [EEx ib] 8 x SIL2, 4 x SIL3 with diagnostics interrupt

SM326F, DO DC24V/2A 10 x SIL3, current source, diagnostics interrupt

SM336F, AI 4-20mA 6 x SIL2 or 3, with diagnostics interrupt



Fail Safe I/O ModulesLibrary for interfaces to field devices

SAFETY INPUTS AND OUTPUTS, S7 400F WITH SAFETY I/O MODULES, F-SM’S

AI-41F Safe analogue input, 4-20 mA, 2 Wire, SIL 2.AI-43F Safe analogue input, 4-20 mA, 3 Wire, SIL 2, current sourceAI-44F Safe analogue input, 4-20 mA, 3 Wire, SIL 2, high power consumpt.AI-50F Safe high available analogue input, 4-20 mA, 2 Wire, 2 oo 3.AI-51F Safe analogue input, 4-20 mA, 2 wire, to digital, SIL 2AI-IS-41F Safe analogue input, 4-20 mA, EEx(i)(a) , 2 Wire, SIL 2.AI-IS-51F Safe analogue input, EEx ib IIC, 4-20 mA, to digital, SIL 2DI-41F Safe digital input, SIL 2DI-42F Safe high available, digital input, SIL 2DI-44F Safe digital input from clean contact / NAMUR, SIL2DI-IS-41F Safe, EEx ib IIC, digital input from clean contact / NAMUR, SIL2DI-IS-46F Safe, high available, EEx ib IIC, double clean contact/ NAMUR, SIL2 /DI-IS-46F Safe, EEx ib IIC, double clean contact /NAMUR, SIL3.DO-41F Safe, digital output, 24 V DC, 2A, SIL2 / 3DO-41FR Safe digital output, SIL 2 with relay, SIL2DO-RE-45F Safe, high available, digital output, 24 V DC, 2A, SIL2 /3DO-46F Safe, digital output with manual release, 24 V DC, 2A, SIL2 /3DI-MA-41F Safe, high available digital input from pushbutton, SIL 3DI-MA-42F Safe, high available digital input from pushbutton, SIL 2DI-MA-43F Safe, digital input from pushbutton, SIL 3DI-MA-44F Safe, digital input from pushbutton, SIL 2DI-MA-45F Safe, high available digital input from pushbutton, SIL 3DI-MA-46F Safe, high available digital input from pushbutton, SIL 2DI-MA-47F Safe digital input from pushbutton (with LED), open contact, SIL 2DI-MA-48F Safe digital input from pushbutton (without LED), open contact, SIL 2DI-MA-49F Safe digital input from pushbutton, NAMUR, SIL 2DO-MA-41F Safe digital output to LED / LAMP, SIL2/3DO-MA-42F Safe digital output to two LED / LAMP, SIL 2/3DO-MA-43F Safe digital output to LED in fire fighting release pushbutton, SIL 2

POWER DISTRIBUTION

L + 24 VDC

L- 0V

Hardware Typecircuit code DO-RE-45F

6ES7 326-2BF00-0AB0

1M

1L+

3

4

2A

ch 0

21

22

FIELD TERMINATION CABINETFIELD

TERMINAL RAILFIELD

EQUIPMENT

10 DO, SAFE

Main Switch

Read back

JUNCTIONBOX

OVERRIDE

ESD MATRIX

L- 0V

L+ 24 VDC

DO-MA-41

0 V distrib.

L+

M

6ES7 321-1BL00-0AA0DI 32 ch

16A10A

2L+172L+183L+373L+38

3M392M202M19

3M40

6ES7 326-2BF00-0AB0

1M

1L+

3

4

21

22

10 DO, SAFE

Main Switch

Read back

2L+172L+183L+373L+38

3M392M202M19

3M400 V distrib.

16A

Library with standard, pre-verified instrument interfaces



Man må ofte ting i sammenheng før en oppdager at det kan være spesielle feilsituasjoner

Fail Safe I/O ModulesDevelopment of interfaces to field devices



Det er utrolig hvor lite komplisert det skal være før noe kan gå galt (eksempel på bruk av kretsen fra foregående slide)

Fail Safe I/O ModulesDevelopment of interfaces to field devices



Man - Machine interface for daily use are the Operator Stations (but Bill Gates deliver no SIL3 solutions)

Operator interface to SIL3

Operator Stations with commands to SIL3 High end servers and operator stations, with redundancy and extensive diagnosis Special TÜV approved procedure for safe commands from operator stations to

F-area (safe island) for SIL3 commands to controller.

CAP solutions ensures HMI interface to SIL3 LED elements connected to SIL3 remote I/O Necessary information for an emergency situation Necessary input elements to put the process to safe state



CAP or Matrix / Mimic to SIL3, simple and hardwired

Simple solutions Pushbuttons lamps and switches are lifting and maintaining the SILfor the total HMI



CPU-Software Architecture

F-User ProgramF-Control

BlocksF-User BlocksStandard-

UserProgram

Standard-Operating System

F-Standard-blocks

F -System-blocks

Communications Self tests

Programexecution

Safety-relevant sections of the operating system

Safety-relevantSystem Func. Calls

Safety-relevantSelf tests

F-Access protection

Programexecution



S7-F Concept, Double processing in diverse environments

Multi-channel storage of safety-critical data in instance DBs in the CPU, e.g. as word-oriented complement COMPMulti-channel processing of the safety function in F-FBs by SP7-ASIC of the CPU Standard operation on DATA Multi-channel operation on COMP

CPU-internal comparison in the output driver to improve error locating Error handling: disable outputs and stop CPU

CPU-external comparison in receiver(F-output modules and processing F-CPUs)Error handling: safe substitute values and error message

DATA0

DATA1

COMPFFFFH

COMP0H

CRC

DATA COMP

Comparison

Comparison

DataSafety-relatedmessage

Bit-AND inbit arithmetic

logic unitWord-OR

in ALU

ConvertCopy

Instead of redundancy of HW , Siemens Safety System runs redundant SW on same HW.



Time redundancy and instruction diverse processing

Operands

Encoding

DiversityOperands

Operation

DiversityOperation

Result

DiversityResult

Comparison Stop

TimeTime redundancy

A, B (Bool)

/A, /B (Word)

C

D = /C

At D /C

AND

OR

Time redundancy and Diversity instead of hardware redundancy

S7-F Program ConceptExtensive comparision and monitoring

Logical program execution and data flow monitoring Bool and Word Operations processed in different parts of the CPU 2 independent hardware timer



ProgrammingGraphical programming CFC acc. to IEC 1131

CFC

F-Library

Certified (TÜV)function blocks

Links are structs



Simplified ESD Program Overview, sample

CFC

F_MB_ESD

G_MB_ESD

FBCRBCFUCRUCR

Fail-safe program part

Standard program part

Additional I/O diagnostic data (optional)

ACK REQ

YGR

ESD INPUT:Q - Used for normally de-energized inputsQN - Used for normally energized inputs

Symbolic address

QUALITY

Operator Station

FBCRBCFUCRUCR

FBBFU

FE

RX

X

FBERBEFUERUE

BB

BU

A

Y

OPERATORS' FIELD DEVICE

F_LB

XS

X

RX

BXBXS

G_SB_ESD

Module driver

Channel driver

Y YN

BY

QUALITY

VALUE

F_M_DOCHADDR

Module driver

YROYGRBCHBCL

YF

ACK_REQ

Channel driver

F_CH_DO

IACK_REI

QBAD

VALUE

QUALITYACK_REQ

CHADDR

PAHHPWH

FE

PLAT

X

RX Y

F_SBI

RXPCYCLE

Y1

X1NX1

NX2X2

X3

X8

NX3

NX8

X4NX4

F_M_AIModule driver

Symbolic address

OS part

F_M_DO

CHADDR

F_CH_DO

IACK_REI

VALUE

QUALITYACK_REQ

Insrtance data block numberfor LB-utilities (optional)

MB-ESD

U B RInput Status

From OS

From field

B

X

MA-ESD

U B R

B

Status Ext. Alarm HH

SB-ESD

U B SD OVROutput status

HW Override

Coincidence

Disable Reset

X

X

LB

Bin Bout R

Blocked from OSFrom ESD Function

To ESD Function

B

PNLAT

FBXSFBYXFE

Y

YX

BBXSBBYX

FBXSCRBXSCFBYXCRBYXCR

Y

YBOCYBONC

Matrix indicator LED's

RDACRDDCR

RX

LSC

RXD

X

BLSOSBRXDOS

BPDY

RDAERDDELSE

"0" "1"

Override from Matrix Override-switch via F-SM

Ovrr. feedback

RDAERDDELSE

RDACRDDCRLSC

PALLPWL

F_M_DIx

Module driverCHADDR

F_CH_DICHADDR

QNQQBAD

Channel driver

VALUE


Fault annunciation

XF

BX

FEBBOPBUOP

YABBOSBUOS

B

FBERBEFUERUE

F_CH_DICHADDR

QNQQBAD

Channel driver

VALUE

ACK REQQUALITY

Q_DATA

From driver FU, parameter Q_DATAFrom driver FBB, parameter Q_DATA

Additional diagnostic data (optional)

BLSOSBRXDOS

XF

PNLATPDY Y

YN

RXRXD

X

BLSOSBRXDOS

BPDY

RDAERDDELSE

RDACRDDCRLSC

ESD System Configuration, SIL3

F_CH_DICHADDR

QNQQBAD

VALUE

ACK REQQ_DATA

XO

BUBOBC

XOCXGLXGHFeedback

from normal I/O

"0"YBOF

YBOCYBONC

XO

XBOCXOC

XBOF YBOF

CHADDRQBAD

F_SB_ESD

F_SB_ESD

F_OR4

IN1OUT

IN2

F_OR4

IN1OUT

IN2

FBXSERBXSEFBYXERBYXE

STATUS INDICATION LED's

PNLAT

F_LB

XS

X

RX

BXBXS

FBXSFBYXFE

YYX

BBXSBBYX



PNLAT

F_LB

XS

X

RX

BXBXS

FBXSFBYXFE

YYX

BBXSBBYX



PNLAT

BBlocked from FieldFrom ESD Function

To ESD Function

BB

B

X

ESD Function Status X

AOS 03.07.2001

YGR

G_LB



Channel driver

FUFBB

F_MA_ESD

FBCRBCFUCRUCR


From G_MA_ESD To G_MA_ESDFBERBEFUERUE

AHHALL

BUOS

BHHBWH

BWLBLL

Fault annunciation

ACK REQQUALITY

To G_MA_ESD

BBOS

VAHHVWHVALLVWL

Status collection for G_LB_ESD (optional)

F_MA_ESD

To F_MA_ESD

From F_MA_ESD

ACK REQQUALITY

XF

V_DATA

FBCRBCFUCRUCR

FBERBEFUERUE

YGR Status collection for G_LB (optional)

From F_CH_AI

From driver FU, parameter Q_DATAFrom driver FBB, parameter Q_DATA

From driver FE , param ete r Q_D ATA

Additional I/O diagnostic data (optional)

FE

BBOPBUOP

B

From OS

From field

MA-ESD

From driver, block from other function, Q_DATAFrom driver, block to other function, Q_DATA

Fr om driver FE , param ete r Q _DA TA FE

BBXSOPBBYXOP

BCBBCUBEBBEOBCB Status from

LB-utilities (optional)

BBOSBUOS

BXBXS

Y

BBXSOSBBYXOS

BBXSOSBBYXOS

STATUS INDICATION LED's

BBXSOSBBYXOS

BBXSOSBBYXOS

F_CH_AICHADDR

V

VALUE

QUALITY

OVHRANGEOVLRANGE

ACK NEC

VHRANGEVLRANGE

QBAD

ACK REQV_DATA

"0"

CHADDR

PLRPLH

XBONC

PNLATPDY

XO

XBOCXOC

XBOFXBONC

BUBB STATUS INDICATION LED's

Y

BUOS

BHHBWH

BWLBLL

BBOS

VAHHVWHVALLVWL

HMIOS skjerm

Normal program

Safe program



Engineering toolProgram Protection

CFC

Enabling of theFailsafe functionof the CPU 417-4Hor 414-4H

Read/Write protectionwith password



Program protectionProgram Signature

CFC

Signature of F-Programfor TÜV Certification.Program taken out of CPU cannot be downloaded unless carrying the correct signature

The signature is generated by the programming tool, and is changed after every change of the program



ProgrammingComparison of existing and changed program

CFC

Comparison of differentF-program versionsDeviations shall be checked before download of change



Hardware ConfigurationCPU Parameters

Safety-relevant parameters

Set up protection level

Activate safety operation



Hardware ConfigurationF-DO Parameters

Safety-relevant parameters



Enabling of the failsafe functionSignal evaluation:1oo1 (SIL 2) 1oo2 (SIL 3)

EngineeringFailsafe I/O Modules, diagnostics is set due to SIL



Communication concepts to SIL3 /2/1

PROFIBUS DP / ProfiSafe for communication to approved ProfiSafe equipment, SIL3 / 2.

F-SM remote I/O modules Other S7 400F or S7 300F nodes

Drivers for Ethernet communication to S7 F nodes, SIL3. Drivers for communication on Ethernet between safety programs in S7 nodes.

Communication from OS to safety program to SIL3 Special routine and function blocks for verified command from OS to F-area (safe island).

Combination of PROFIBUS DP /PROFIBUS PA to SIL 2/3



High Available Communication (not required to achieve SIL)

Redundant optical ringbus

S7-400H S7-400H

Single controller

PS

PS

CPU

CPU

CP

CP

CP

CP

CPU

CPU

PS

PS

Bus

Bus

Redundancy replacement diagram:



SIMATIC ET 200M

B+B

Redundant system withSIMATIC S7-400FH

AI DI DO DOAI

AI DI

DO AOAI

B+B

Redundant Ring

Safety Communications



enabling enabling failsafe fieldbusfailsafe fieldbusapplications ....applications ....

Basic concepts for communication to SIL3 and SIL2



Standard-I /O

StandardControl

1

2

7

1

2

7

1

2

7

1

2

7

1

2

7

„Black/Gray Channel": ASICs, Links, Cables, etc. are not safety relevant

"ProfiSafe": Parts of the safety critical communications systems: Adressing, Watch Dog Timers,Sequenzing, Signatur, etc.

Safety relevant, but not part of the ProfiSafe-Profils: Safety I/O and the Safety Control Systems

SafetyInput

SafetyControl

SafetyOutput

Safety-LayerSafety-LayerSafety-Layer

e.g.. Diagnostics Program

Non safety critical functions, like e.g. diagnosis

Basic concepts for communication to SIL3 and SIL2Add required safety layer to a standard protocol



The measures must be executed and monitored inside one failsafe unit

Failure type:

Remedy: SequenceNumber

Time Outwith Receipt

Codename forSender and

Receiver

Data Consistency

Check

Repetition

Deletion

Insertion

Resequencing

Data Corruption

Delay

Masquerade (standard message mimics failsafe)

XXXX

XXX

X XX

XX X

Failure Types and remedial Measures ...Failure Types and remedial Measures ...

XFIFO failure within Router

Basic concepts for communication to SIL3 and SIL2Content of required safety layer must cover possible failures



S S S S S S

Standard-Message

SD LE LEr SD DA SA FC FCS ED

68H ... ... 68H ... .... ... ... 16H

Synctime

33 TBit

Data Unit = Standard-or Failsafe-Data

1... 244 Bytes

TBit = Clock-Bit = 1 / BaudrateSD = Start Delimiter (here SD2, var. Data Length)LE = Length of DataLEr = Repeated LoD, not in FCSDA = Destination AddressSA = Source Address FC = Function Code (Type of Message)

LE

Data Unit = Failsafe-Data max. 244 Bytes

FCS = Frame Checking Sequence (across data within LE)

ED = End DelimiterSB = Start-BitZB0...7 = Character-BitPB = (even) Parity BitEB = Stop-Bit

SB ZB0

ZB1

ZB2

ZB3

ZB4

ZB5

ZB6

ZB7

PB EB

1 Cell = 11 Bit

Standard Profibus DP MessageStandard Profibus DP Message ... ...



S S S S S S

Standard-Message-Frame (user telegram)

Max. 244 Bytes DP-Data

F-I/O-Data Status /Controlbyte

CRCSequenceNumber

acrossF-Data

andF-Parameter

Sender based

Counter

Max. 12 / 122 Bytes 1 Byte 2/4 Bytes *)1 Byte

Standard-I/O-Data

(240/238 - F-Data)

*) 2 Byte for a max. of 12 Byte F I/O data 4 Byte for a max. of 122 Byte F I/O data

... ... and a ProfiSafe Message ...and a ProfiSafe Message ...((the extra layer included in the user telegram)the extra layer included in the user telegram)



PROFIBUS PA Fieldbus solution to SIL 1/2/3.

CPU 417H

CP443-5EDP Master

IM 157Link

CPU 417H

CP443-5EDP Master

IM 157Link

DP

PA slavePT....

IM 157Kobler

DP

PA

EX sone

ProfiSafe PA, TÜV certified SIL 2/ 3 (2007)

SINTEF Study "Evaluation of PROFIBUS PA against SIL1 / 2 requirements (2000).



PROFIBUS PA with PROFISafeRedundancy

Ring architecture with Active Field DistributorPR

OFI

BU

S D

P

M

AFDActive Field Distributor

AFD AFD AFD

PROFIBUS PA

IM 157, redundant

DP/PA coupler, redundant (M = master)



PROFIBUS PA with PROFISafeVoting

PRO

FIB

US

DP

2oo3

1oo2

S7-400FH

DP/PA Coupler, redundant

IM 157, redundant



Fail-safe CPU – CPU Communication

The safety-oriented CPU-CPU communication viaS7 connections with the send/receive blocks:

F_SENDBO/F_RCVBO Transfer of 20 F_BOOL F_SENDR/F_RCVBRTransfer of 20 F_REAL



logic operations Bin. O ActuatorSensor Bin. IAnal. I

15 %1 %

100 %, total figure for allowed PFD (Probability of Failure on Demand)

Safety Control Loops andSafety Control Loops andResidual Error (PFD) Probability....Residual Error (PFD) Probability....

e.g. Safety Integrity Level (SIL) 3 : 10e.g. Safety Integrity Level (SIL) 3 : 10-7 -7 / h/ h(Share of ProfiSafe: 1% = 10(Share of ProfiSafe: 1% = 10-9 -9 / h)/ h)

logic operations Bin. O ActuatorSensor Bin. IAnal. I

within one PLC

1 % (Profisafe share of total for SIL3)



Andre SAS krav for et typisk nettverk, Safety / SecurityTypisk SAS nettverks arkitektur



Standarder, anbefalinger ISO 27000 / ISO 27001 / ISO 27002 ISA S99 OLF-104 OLF-110 OLF-123 ISA Security Compliance Institue: ISA Secure INL Security Lab (Idaho National Lab)

LOGIIC (Linking the Oil and Gas Industry to Improve Cyber Security )

Andre SAS krav for et typisk nettverk, Safety / SecurityMange standarder, forsvar i dybden



Ganske mye utstyr / SW for security i et komplett anlegg



Vil du ha SIL3 på din egen PCVi starter med en standard PC og en programpakke + litt safe I/O

StandardPROFIBUS DP

orPROFINET IO

StandardProgramming-

SoftwareSTEP 7

StandardRemote I/O

Failsafe Programming-

ToolDistributed Safety

FailsafeI/O Modules

PROFIsafe

Failsafe ApplicationProgram

F Soft PLC



Først må du sjekke om din PC er egnet for formåletSå kan du laste nødvendig SW, og sette inn snitt for PROFIbus

Tar 20-30 min Har den en timer, RTC på Interupt 8? (normalt ok)

Last SW

Win AC RTX F er installert på Windows XP Prof / eller er ”embedded”

Koden løper på en ekstra ”realtime kernel, IntervalZero RTX”



Coded Processing Time redundancy and diversity instead of structural redundancy

DiversOperation

Operation

Coding Comparison

DiversOperators

Operators

DiversOutput

Output

Stopby D ≠ /C

D = /C

CA, B

/A, /B

OR

AND

Time redundancyTime

Baserer seg på tidligere omtalte prinsipper



zc = xc + yc + 1zf = xf + yf

Data xf Coded xc

F-DI

F-CPU

F-DOPlus Minus

uP Left uP Right

PSF Input Driver

F-CTRL 1

F-CTRL2

F FBs STEP 7

F-Coded FBs

PSF Output Driver

uP Left uP Right

PROFIsafe telegramCRCData

PROFIsafe telegramCRCData

Wrong CRC-> PROFIsafe Stop or-> CPU Stop

Bad

Baserer seg på tidligere omtalte prinsipper



WinAC RTX F

Ditt eget Moholt SIL3 anlegg



Tusen Takk for at Dere gadd høre på!

Arnt Olav Sveen

[email protected]

For mer info se: www.siemens.com/process-safetywww.siemens.com/safety-matrix

First with Integrated Control & Safety First with Flexible, Scalable, Distributed Architecture First Safety Lifecycle Management Tool - Safety Matrix First and Only Fully Integrated Safety Fieldbus First and Only SIL3, zone 1 I/O First and Only SIL3 on your own PC

http://www.siemens.com/process-safety

http://www.siemens.com/safety-matrix

Siemens Safety Systems. NTNU 14.03.2011, Arnt Olav Sveen

Documents

Transcript of Siemens Safety Systems. NTNU 14.03.2011, Arnt Olav Sveen