Siemens Safety Systems. NTNU , Arnt Olav Sveen

Transcription

1 Siemens Safety Systems. NTNU , Arnt Olav Sveen l Historikk og bakgrunn l Applikasjoner l Krav i IEC61508 l Løsninger» Generell SIS Basis» Basis system Simatic S7 F» Programvare /programmering» Inngangs og utgangs moduler» Human - Machine Interface» Kommunikasjon / nettverk» Hjemmesikkerhetssystem 100.1

2 Siemens Safety Systems. The prevention of accidents should not be considered a question of legislation, but instead our responsibility to fellow beings and economic sense (Werner von Siemens in 1880) 100.2

3 History of Siemens Electronic Safety Systems Was started together with the start of computers S7 F Systems S7-400FH / PROFIsafe (1999) Distributed Safety S7 151F/315F/317F/416F (2002/2003) Safety Matrix (1999) QUADLOG (1995) SIMATIC S5-110F (1980) SIMATIC S5-115F (1988) SIMATIC S5-95F (1994)

4 Siemens Safety Systems. First large safety project for offshore 1985, Oseberg Feltsenter, safety I/O To day nearly 30% of installed safety systems in Norwegian part of the North Sea, and numerous deliveries world wide. First solutions, Simatic PLC's with additional hardware, 2 PLC's running independently. To-day a full range of S7 F, TÜV verified systems Work procedures according to IEC61508, SINTEF verified, and a full scope of function blocks and typicals 100.4

5 Siemens Safety Systems, Norwegian designed basic system Siemens Safety Systems applications are based on long experience Stena Don 2000 Statfjord A 2000 Snorre B 2000 Huldra 2000 Oseberg South 2000 Embla 2000 Oseberg Gas 1999 Troll C 1999 Statfjord B 1998 Visund 1998 Eldfisk WIP 1999 Oseberg East 1997 Petrojarl Foinhaven 1996 Njord A & B 1995 Statfjord C 1995 Vigdis 1995 Ekofisk 1995 Eldfisk alpha 1993 Brage 1992 Embla 1991 Snorre TLP 1990 Oseberg A 1988 Oseberg B

6 Siemens Safety Systems, S7, PCS7 F l HULDRA (Norway) 2000 l MAERSK XL1 /XL2 (worlds largest jack up s, built in Korea) 2002 l EKOFISK 2/7A 2002 l Visund l Halfdan 5 platforms (Denmark/built in Singapore and Holland) l Al Shaheen (28 platforms in Qatar) l White Rose FPSO (Canada/ built in Canada/Korea/Abu Dhabi/USA) 2005 l P50, Albacore Leste FPSO (Brazil), PRA l FPSOcean 1 (China) l Santa Fe (USA, 2 drilling Rigs) 2004 l Oseberg Field-centre (Norway) (113 off S7 400/400FH, I/O) l Statfjord A/B/C ESD and F&G l Sevan SSP300-1, 2 and l Deep Sea Driller 1and l Blackford Dolphin l Snorre TLP l Tor 2011 l Yme (upgrade) 2011 l ATP Cheviot (UK, Korea) l Deep Sea Driller 3 & 4 (China / Norge) l OCX (Brazil) l GEAD Eldfisk, 5 installations totally

7 Safety Systems Applications Hva er et sikkerhetssystem (SIS)? Disaster protection Disaster protection Hvor griper det inn i en ulykkesutvikling, og forhåpentligvis stanser den? Collection basin Overpressure valve, rupture disc Safety system (automatic) Safety Shutdown alarm Passive protection Active mechanical protection Safety Instrumented System (SIS) Plant personnel intervention Basic automation Process value Process alarm Normal activity Process control system 100.7

8 Safety Systems Applications Hva er et sikkerhetssystem (SIS)? Detect fire, gas leakage, overpressures, over tem. etc Release fire fighting, electrical isolation, shutdown, blow-down (isolate or release energy sources) Safety Instrumented System (SIS) Inputs Outputs Basic Process Control System (BPCS) Inputs Outputs PT 1A PT 1B I / P Reactor FT Low level

9 Safety Systems Applications Og hva er Equipment Under Control, EUC? AS 414 F AS 417 F PROFIBUS-DP ET 200M IM 153 F-I/O Modules Safety Module Standard I/O Modules Pressurized Vessel 100.9

10 Safety Systems Applications Purpose Risk reduction by safety systems, SIS Residual Risk Tolerable Risk From IEC 61508: EUC risk Necessary Risk Reduction Actual Risk Reduction Increasing Risk Risk reduction achieved by all safety-systems Hensikten med å innføre et sikkerhetssystem, er å få risikoen ned til et akseptabelt nivå

11 Safety Systems Applications What is Risk? Who decides what is acceptable risk? What do we accept? Examples of fatality risk figures: l Smoking 20 per day 5000 cpm 5.0x10-3/yr 1 of 2 l Road accident 100cpm 1.0x10-4/yr 1 of 100 (lifetime 100 years) l Car accident 150cpm 1.5x10-4/yr 1,5 of 100 l Accident at work 10cpm 1.0x10-5/yr 1 of 1000 l Falling Aircraft 0.02 cpm 2.0x10-8/yr 2 of (note) l Lightning strike 0.1cpm 1.0x10-7/yr 1 of l Insect/Snake bite 0.1cpm 1.0x10-7/yr 1 of NOTE: Risk per hour the same as for car accident cpm = chances per million of the population (per year) We are always informed when 8 persons are killed by suicide killer in Afghanistan, but we are not informed when 53 persons die traffic accidents in Spain happens every weekend

12 Safety Systems Applications Risk reduction by safety systems, SIS Containment Dike Control System Unacceptable Risk Region Hazard #1 It is often said that the risk reduction by the instrumented safety system is low, compared to the total risk. Risk reduction is decades higher by other means. Likelihood Operator Intervention SIL1 SIL2 Safety Instrumented Function SIL3 If other means reduces the number of causalities from 100 to 1 per year, there is still one left maybe that one person is saved by the instrumented safety system Tolerable Risk Region Consequence Risikoreduksjonen er større ved et høyere SIL

13 Safety Systems Applications What is Safe state? Can the Safety System bring the area or equipment to a safe state? How? What is required? Power Plant

14 Safety Systems Applications Some of the Safety Systems Applications l l l l l l l l l ESD, Emergency Shutdown F&G, Fire & Gas Detection, Fire-fighting Process Shutdown Fire-pump Logic Ballast Control Blow-down Riser release / Anchor Release Fire Dampers, Active Smoke Control HIPPS, High Integrity Pressure Protection System

15 Safety Systems Topology for total platform control system including safety

16 Fire ext.. acktivated Fire vent. activ. Fire Brig. recvd. Power Prewarning Early warning Fault System fault Function disabled Test More Alarms Silence buzzer Silence sounders Reset C? Self Verify Fire & Gas Topology (sample) F&G ESD Wide ScreenOverview Ethernet 100 Mbit Ethernet 100 Mbit Commands from OS to SIL3 PROFIBUS/ ProfiSafe (SIL3) Industrial Ethernet 100 Mbit Industrial Ethernet 100 Mbit Communication to other nodes SIL3 S7-400FH (SIL3, and redundant) SIL 2 ALARM SIEMENS SIEMENS Software is implemented according to procedure, SIL 3 PROFIBUS/ProfiSafe (SIL3) PROFIBUS/ProfiSafe (SIL3)

17 F&G System Topology (the different modules) F&G Matrix Remote Control (Veslefrikk) I/O modules SIL 2/3 PROFIBUS/ PROFISAFE SIL3 and redundant Redundant, operator stations,each with dual powersupplies and multi CPU's (tolerabable for CPU errors) F&G Matrix Radio Note: Separate bus sytems are used for interface to matrixes to avoid common mode failurres with field I/O F&G Matrix Radio Redundant, servers,each with dual powersupplies and multi CPU's (tolerabable for CPU errors) Redundant Operator Stations Redundant Safety Servers Redundant Fail Safe Communications SIL3 (Profisafe) Addressable Fire Detection Systems I/O modules SIL 2/3 PROFIBUS/ PROFISAFE, SIL3 optical and redundant Autronica fire panel Redundant, optical, 100 Mbit Industrial Ethernet Autronica protocol Autronica protocol SIEMENS S7-400FH (SIL3, and redundant) S7-400F(SIL3) S7-400F(SIL3) SIEMENS Redundant Integrated Safety & Process Network High Available & Fail Safe CPU s Redundant Communications Interface Fire Area (1of n gives alarm) Hardwired alarm Analogue inputs (each SIl1) in votingone of many (total is SIL2) PROFIBUS or Profisafe (SIL3) PROFIBUS or Profisafe (SIL3) Output modules F-SM's, SIL 2/3 redundant or redundant ouput configuration verified by SINTEF (SIL2/3) Fail Safe I/O Modules

18 ESD Topology (sample) ESD Matrix. Operator Stations EngineeringStation F&G ESD Wide ScreenOverview Ethernet 100 Mbit Ethernet 100 Mbit Commands from OS to SIL3 Remote Input / Output modules, F-SM SIL2/3 or ET200M SIL0/1 Redundant Safety Servers (built in redundancy and auto-repair) Industrial Ethernet 100 Mbit PROFIBUS/ ProfiSafe (SIL3) S7-400FH (SIL3, and redundant) Industrial Ethernet 100 Mbit Controller Cabinet Communication to other nodes SIL3 Field Termination Cabinet SIEMENS S7-400F(SIL3) S7-400F(SIL3) SIEMENS Software is implemented according to procedure, SIL 3 Hardware design according to procedure, SIL 3 Remote "fail safe" Input /output modules F-SM's, SIL 2/3 Remote Input / Output modules, IS1 or ET200M SIL0/1 PROFIBUS/ProfiSafe (SIL3) PROFIBUS/ProfiSafe (SIL3)

19 PSD Topology (sample) Operator Stations EngineeringStation Ethernet 100 Mbit Ethernet 100 Mbit Commands from OS to SIL3 Redundant Servers Industrial Ethernet 100 Mbit Industrial Ethernet 100 Mbit Communication to other nodes SIL3 SIEMENS S7-400F(SIL3) S7-400F(SIL3) SIEMENS Controller Cabinet Software is implemented according to procedure, SIL 3 Hardware design according to procedure, SIL 3 Remote ET200iS or"fail safe" Input /output modules F-SM's, SIL 2/3 Remote Input / Output modules, IS1 or ET200M SIL0/1 Field Termination Cabinet or Junction Box PROFIBUS/ProfiSafe (SIL3)

20 Marine Safety Control System Operator Stations EngineeringStation Ethernet 100 Mbit Commands from OS to SIL3 Manual Ballast Functions Redundant Servers Communication to other nodes SIL3 Industrial Ethernet 100 Mbit Industrial Ethernet 100 Mbit SIEMENS Controller Cabinet A S7-400F(SIL3) ACPU Remote "fail safe" Input /output modules F-SM's, SIL 2/3 Remote Input / Output modules, IS1 or ET200M SIL0/1 Field Termination Cabinet or Junction Box S7-400FH (SIL3, and redundant) S7-400F(SIL3) B CPU SIEMENS Controller Cabinet B Software is implemented according to procedure, SIL 3 Hardware design according to procedure, SIL 3 PROFIBUS/ProfiSafe (SIL3) Synchronization link

21 Subsea PSD solution and HIPPS, both SIL3 ESD, S7-400F, SIL3 PSD, S7-400F, SIL2/3 PCS, S7-400 X x=number of connection`s PROFISAFE,SIL3 Remote F-SM, SIL3 PROFISAFE,SIL3 Remote F-SM, SIL3 RF-Modem PROFBUS (Remote I/O) RF-Modem 1 Twisted Pair 2 Fiber Optic Cable 3 Umbilical with center line 5 Hydraulic 6 Riser (Stigerør) Bleed Hydraulic (SIL 3) PSV HPU Hydraulic Supply Production Topside EV Subsea PT PT HIPPS 1 HIPPS 2 PT PT PT PT SSIV PT 4-20 ma S5 95F/S7 300F 4-20 ma 4-20 ma PT PT T Choke Slot no. 2-4 RF- Modem Profibus DP(to topside modem) 19.2 Kbits Subsea HIPPS/SIL 3 Titanium Pipe/enclosure PT T PSD Remote I/O Simatic S7 F-SM (SIL3) RIO (F.SM.) PWV PMV PT T RF-Modem Titanium Pipe/enclosure SCSSV Profibus DP/ProfiSafe (SIL3) 183 Kbits Slot no. 1 PT T Supplier Document Review Accepted

22 IEC The safety level is applicable for: l l The total solution All the projects lifecycles The system solution covers EUC, including HMI HW engineering, construction and testing l l Software l l l By use of standard hardware set-up With special modules approved by TÜV Function blocks (basic blocks approved by TÜV) Protocols and drivers approved by TÜV Application program (according to procedure) Maintenance procedures Operation and Modification Procedures

23 IEC 61508, Quality Assurance and a few direct requirements 1 2 Concept Overall scope definition Software safety lifecycle 3 Hazard and risk analysis 9.1 Software safety requirements specification OveralI Overall operation and maintenance planning Overall planning safety validation planning 4 5 OveralI installation and commissioning planning Overall safety requirements Safety requirements allocation 9 Safety-related systems: E/E/PES Realisation (see E/E/PES safety lifecycle) Safety-related systems: other technology Realisation External risk reduction facilities Realisation E/E/PES safety lifecycle (see figure 2) 9.2 Software safety validation planning Safety functions requirements specification 9.3 Software design and development Safety integrity requirements specification 12 Overall installation and commissioning 9.4 PE integration 9.5 Software operation and (hardware/software) modification procedures 13 Overall safety validation Back to appropriate overall safety lifecycle phase Overall operation, maintenance and repair Overall modification and retrofit 9.6 Software safety validation Decommissioning or disposal NOTE 1 Activities relating to verification, management of functional safety and functional safety assessment are not shown for reasons of clarity but are relevent to all overall, E/E/PES and software safety lifecycle phases. NOTE 2 The phases represented by boxes 10 and 11 are outside the scope of this standard. 16 NOTE 3 Parts 2 and 3 deal with box 9 (realisation) but they also deal, where relevant, with the programmable electronic (hardware and software) aspects of boxes 13, 14 and 15. To box 12 in figure 2 of part 1 To box 14 in figure 2 of part

24 IEC 61508, Implementation according to proven procedures. Safety requirements shall be specified, and the requirements shall be traceable through all engineering phases. Internal procedures for development of software according to IEC61508 l Procedures developed in co-operation with SINTEF Tele and Data. specification planning implementation verification validation modifications. Internal procedures for hardware design and production according to IEC61508 l Made on the same structure as the SINTEF verified SW procedure

25 IEC 61508, Implementation by qualified personnel On Hold waiting for training by Tor Onshus

26 Basic principles to fulfill IEC61508 Basically three requirements 1. Quality assurance (98% of IEC61508) 2. Requirement to availability of safety function (PFD requirement, Probability of Failure on Demand) 3. Requirement to safe failure fraction (SFF requirement, Safe Failure Fraction) Answers to the requirements 1. Work methods, procedures, qualified workers 2. Equipment quality, redundancy, second resort, diagnostics 3. Fail to safe design, diagnostics

27 Diagnostics, feedback and redundancy Diagnostics / feedback Diagnostics will give possibility to repair dangerous errors before an emergency situation, hence improving PFD and SFF. Increased diagnostics also give room for extension of test interval, hence saving cost. Feedback will give opportunity to use second shutdown possibility in case of first possibility failing, hence increasing PFD and SFF. Redundancy / second shutdown facility More than one shutdown facility, and all are activated at same time, or second facilities are used as result of feedback when first is failing, will give improved SFF and PFD

28 Risk Determination (one of several methods) How to find Required Safety Integrated Level (SIL) of the Safety System" Risk Graph S1 F1 S2 F2 F1 S3 F2 S4 A1 A2 A1 A2 P P2 P S: Severity of injury/damage 1:small injury, minor environmental damage 2:serious irreversible injury of many people involved or a death temporary serious environmental damage 3:death of many people long-term serious environmental : damage 4:catastrophic results, many deaths F: Frequency and/or exposure time to hazard 1:seldom - quite often 2:frequent - continous A: Avoiding hazard 1:possible 2:not possible P: Probability of Occurrence 1:very low 2:low 3:relatively high

29 Safety Integrity Levels, direct requirement IEC61508 Requirement Class (AK) DIN V Safety Integrity Level (SIL) IEC Probability of failure on demand per h (constant operation) (IEC 61508) Probability of failure on demand (on demand operation) (IEC 61508) Control Category EN AK B AK 2 and 3 SIL to to and 2 AK 4 SIL to to S7-400F/FH" by Siemens AK 5 and 6 AK 7 and 8 SIL 3 SIL to to to to 10 -x

30 Safety Integrity Levels, direct requirement IEC61508 IEC61508 requires higher fail safe fraction for intelligent components Hardware safety integrity: architectural constraints on type A safety-related subsystems Hardware safety integrity: architectural constraints on type B safety-related subsystems Safe failure fraction Hardware fault tolerance Safe failure fraction Hardware fault tolerance < 60 % SIL1 SIL2 SIL3 < 60 % not allowed SIL1 SIL2 60 % - 90 % SIL2 SIL3 SIL4 60 % - 90 % SIL1 SIL2 SIL3 90 % - 99 % SIL3 SIL4 SIL4 90 % - 99 % SIL2 SIL3 SIL4 > 99 % SIL3 SIL4 SIL4 > 99 % SIL3 SIL4 SIL

31 Safety Integrity Levels, PFD calculation F&G loop with Gas detector and control valve. Gas detector 4-20 ma AI PROFISAFE PROFISAFE CPU DO F&G loop with Gas detector and control valve. Control valve ESV Safety reliability Block diagram:"

32 Siemens Simatic PCS7F Safety Control System controllers, SIMATIC S7 300/400 F/FH Redundant systems S H *) 2.8MB 600 F-I/Os S7-319F-2DP 1.4MB 1000 F-I/Os S H *) 30MB 3000 F-I/Os S H *) 768kB 100 F-I/Os S7-317F-2DP 1MB 500 F-I/Os S7-315F-2DP 192kB 300 F-I/Os Solutions S o for l uoilt &i Gas o noffshore s f o r O i l & G a s Certified up to SIL

33 Components S7-400F/FH (Simatic safety system is SW based, and partly HW independent) High available System CPU with F program as a basis CPU 417-4F(H) TÜV certified, including system SW (SIL3) TÜV certified failsafe logic SW blocks (SIL3). Redundant, diverse programs. Method and tool for Engineering / Hardware Configuration / Programming Configuration of the S7-400F-Hardware with Standard HW-Config. Graphical Engineering (programming) with Standard CFC (Continuous Function Chart) Coexistence of Standard- and F-Applications (SIL3) in one CPU (safe island) Connection to the Process Devices PROFIsafe (extra safety layer to Profibus) (SIL3) to ensure failsafe communication via Profibus Process Devices Failsafe I/O modules (SIL1-3) Failsafe process transmitters and actuators (fieldbus devices)

34 And based on additional principle Protected F-Islands CPU operating system CPU hardware Standard user programs Any faults in other modules, environmental factors Safety-related user program Safety-related communication frame Failsafe I/O modules SW based SW based HW/SW based

35 S7 400F F/H system - modularity, PC Standard Engineering Software F-Programming Tool Standard-CPU 417-4H F-Application Program RUN-P RUN STOP CMRES RUN-P RUN STOP CMRES Standard I/O s (ET200M) F-I/O s (ET200M) Standard-ProfibusDP ProfiSafe Protocol

36 CPU-Software Architecture Standard- User Program F-Standardblocks F-User Program F-User Blocks F -Systemblocks F-Control Blocks Program execution Program execution Communications Self tests Standard- Operating System Safety-relevant sections of the operating system F-Access protection Safety-relevant System Func. Calls Safety-relevant Self tests

37 S7-F Concept, Double processing in diverse environments" Instead of redundancy of HW, Siemens Safety System runs redundant SW on same HW. Multi-channel storage of safetycritical data in instance DBs in the CPU, e.g. as word-oriented complement COMP Multi-channel processing of the safety function in F-FBs by SP7-ASIC of the CPU n Standard operation on DATA n Multi-channel operation on COMP 0 DATA FFFF H COMP Bit-AND in bit arithmetic logic unit DATA 1 DATA COMP 0 H COMP Word-OR in ALU CPU-internal comparison in the output driver to improve error locating Error handling: disable outputs and stop CPU CPU-external comparison in receiver (F-output modules and processing F- CPUs) Error handling: safe substitute values and error message Comparison Safety-related message Copy Convert Data CRC Comparison

38 S7-F Program Concept Extensive comparison and monitoring" Time redundancy and Diversity instead of hardware redundancy Operands A, B (Bool) Operation C Result AND Encoding OR Comparison Stop At D /C Diversity Operands /A, /B (Word) Diversity Operation D = /C Diversity Result Time redundancy Time n Time redundancy and instruction diverse processing n Logical program execution and data flow monitoring n Bool and Word Operations processed in different parts of the CPU n 2 independent hardware timer

39 Programming Graphical programming CFC acc. to IEC 1131 F-Library Certified (TÜV) function blocks CFC Links are structs

40 Simplified ESD Program Overview, sample OS part ESD System Configuration, SIL3 HMI OS skjerm MB-ESD U B R Operator Station Input Status X From OS B From field B MA-ESD U B R Status Ext. Alarm HH From OS B From field B MA-ESD LB Bin Bout R ESD Function Status X Blocked from OS From ESD Function To ESD Function Blocked from Field From ESD Function To ESD Function B B B B SB-ESD U B SD OVR Output status X HW Override B Coincidence X Disable Reset X Standard program part F_MA_ESD Normal program Additional I/O diagnostic data (optional) From driver FU, parameter Q_DATA From driver FBB, parameter Q_DATA G_MB_ESD XF BUOP BBOP FE YGR BX QUALITY ACK REQ FBE RBE FUE FBC RUE RBC FUC Y RUC A R BBOS BUOS Additional I/O diagnostic data (optional) From driver FE, parameter Q_DATA From driver FU, parameter Q_DATA From driver FBB, parameter Q_DATA From F_CH_AI From F_MA_ESD Status collection for G_LB_ESD (optional) XF FE BUOP BBOP V_DATA QUALITY ACK REQ PLH PLR FBE RBE FUE RUE BHH BWH BLL BWL VAHH VWH VALL VWL BUOS BBOS Y YGR FBC RBC FUC RUC R Status collection for G_LB (optional) To F_MA_ESD From driver FE, parameter Q_DATA From driver, block from other function, Q_DATA From driver, block to other function, Q_DATA G_LB FE BCB BBYXOP BCU BBXSOP BEB BEO BCB FBXSE YGR RBXSE FBYXE RBYXE BX FBXSC BXS RBXSC BBXSOS FBYXC BBYXOS RBYXC Y R Status from LB-utilities (optional) Insrtance data block number for LB-utilities (optional) Additional diagnostic data (optional) Feedback from normal I/O G_SB_ESD XF YF YRO YGR BCH XGH BCL XGL BU XOC BO XO BC RDAE RDDE LSE BRXDOS BLSOS BY RDAC RDDC VALUE R ACK_REQ LSC QUALITY Safe program CFC Fail-safe program part F_M_DIx CHADDR Module driver Symbolic address AOS Channel driver CHADDR VALUE Channel driver CHADDR VALUE F_CH_DI F_CH_DI Q_DATA QUALITY ACK REQ QN Q QBAD QUALITY ACK REQ QN Q QBAD ESD INPUT: Q - Used for normally de-energized inputs QN - Used for normally energized inputs OPERATORS' FIELD DEVICE Module driver F_M_AI Symbolic address Fault annunciation CHADDR "0" FE F_MB_ESD FBC RBC FUC RUC R X PNLAT FBB FU RX Channel driver CHADDR VHRANGE VLRANGE VALUE ACK NEC F_CH_AI QUALITY V_DATA ACK REQ OVHRANGE OVLRANGE V QBAD FBE RBE FUE RUE A BB BU BBOS BUOS OPERATORS' FIELD DEVICE Y From G_MA_ESD To G_MA_ESD Fault annunciation X X1 NX1 X2 NX2 X3 NX3 X4 NX4 X8 NX8 RX PCYCLE PLAT PAHH PWH PALL PWL RX FE FBB FU F_SBI F_MA_ESD FBC RBC FUC RUC R Y FBE RBE FUE RUE BHH BWH BLL BWL VAHH VWH VALL VWL BUOS BBOS AHH ALL BU BB Y1 Channel driver F_CH_DO I ACK_REI To G_MA_ESD VALUE ACK_REQ QUALITY CHADDR QBAD Module driver F_M_DO CHADDR STATUS INDICATION LED's F_OR4 IN1 IN2 OUT XS X RX FBXS FBYX FE F_LB FBXSC RBXSC FBYXC RBYXC R PNLAT FBXSE RBXSE FBYXE RBYXE BBXSOS BBYXOS BX BXS BBXS BBYX Y YX OPERATORS' FIELD DEVICE XS X RX FBXS FBYX FE F_LB FBXSC RBXSC FBYXC RBYXC R PNLAT FBXSE RBXSE FBYXE RBYXE BBXSOS BBYXOS BX BXS Y BBXS BBYX YX XS X RX FBXS FBYX FE STATUS INDICATION LED's STATUS INDICATION LED's F_LB FBXSC RBXSC FBYXC RBYXC R PNLAT FBXSE RBXSE FBYXE RBYXE BBXSOS BBYXOS BX BXS BBXS BBYX Y YX Override from Matrix Override-switch via F-SM F_CH_DI Y CHADDR Q_DATA ACK REQ VALUE F_OR4 IN1 IN2 OUT QN Q QBAD Ovrr. feedback "1" "0" "0" RDAC RDDC R LSC X RX RXD PNLAT PDY XO XOC XBOC XBONC XBOF F_SB_ESD RDAE RDDE LSE BPDY BLSOS BRXDOS Y YN YBOC YBONC YBOF Channel driver F_CH_DO I ACK_REI RDAC RDDC R LSC X RX RXD PNLAT PDY XO XOC XBOC XBONC XBOF VALUE ACK_REQ QUALITY CHADDR QBAD F_SB_ESD RDAE RDDE LSE BPDY BLSOS BRXDOS Y YN YBOC YBONC YBOF Module driver CHADDR F_M_DO Matrix indicator LED's

41 Engineering tool Program Protection Read/Write protection with password Enabling of the Failsafe function of the CPU 417-4H or 414-4H CFC

42 Program protection Program Signature Signature of F-Program for TÜV Certification. Program taken out of CPU cannot be downloaded unless carrying the correct signature CFC The signature is generated by the programming tool, and is changed after every change of the program

43 Programming Comparison of existing and changed program Comparison of different F-program versions Deviations shall be checked before download of change CFC

44 S7-400H Redundancy Principle ( for increased availability) P S# C P U# D D E# A# A E# A C A# P# Synchronization, information and status exchange P S# C P U# D D E# A# A E# A A# C P# I M I M D E D A A E A A F M PROCESS

45 I/O Configuration Switching of master by use of redundant Profibus Redundant IM Profibus-DP L+ L+ IO with active backplane bus performing the switchover Target: Reduce common mode faults for the switch-over to a minimum IM IM Bus module Active backplane bus Achieved by: Very simple component does the switchover

46 Redundant S7-400H A Synchronization Procedure is required Synchronization of all commands whose execution would trigger different states in both partial PLCs Without synchronization Cycle synchronization Time synchronization Command synchron. Part. PLC A Part. PLC B Part. PLC A Part. PLC B Part.-PLC A Part. PLC B (Siemens Patent) Part. PLC A Part. PLC B

47 Flexible Set-up s Together, the listed principles result in a flexible set-up Fail Safe Fail Safe and High Availability AS 414 F AS 417 F AS 414 F AS 417 F AS 414 F AS 417 F PROFIB US -DP ET 200M IM 153 Safety Module F-I/O Modules PROFIBUS-DP ET 200M 2 x IM F-I/O Modules Safety Module PROFIBUS-DP ET 200M F-I/O Modules redundant Standard I/O Modules Standard I/O Modules S7-400F PROFIBUS-DP F-E/A Moduls SIL 3, AK6 redundant S7-400FH redundant PROFIBUS-DP F-E/A Moduls SIL3, AK6 redundant S7-400FH redundant PROFIBUS-DP redundant F-E/A Moduls SIL3, AK

48 Flexible Modular Redundancy Make any component redundant AI DI DO DO

49 Flexible Modular Redundancy AI DI DO

50 Flexible Modular Redundancy Make any component redundant AI DI AI DI DO DO Physically separate redundant resources

51 Flexible Modular Redundancy Make any component redundant Dual AI DI DO DO Physically separate redundant resources AI DI AI DO Mix and match redundancy Simplex AI Triple

52 Flexible Modular Redundancy Make any component redundant û û AI û DI DO û DO Dual Physically separate redundant resources û û û AI AI Triple DI AI DO Simplex Mix and match redundancy Tolerate multiple faults with no impact on safety Safety is not dependant on redundancy; all components are SIL3-capable Redundancy only for availability; No degraded mode

53 Flexible Set-up s û AI AI û û û DI DO û DO Multiple Fault Tolerant Fieldbus architecture allows system to tolerate multiple faults without interruption I/O redundancy independent of CPU redundancy All components rated for SIL3 No degraded mode Safety not dependent on redundancy û û AI AI DI û DO DO 2oo3 û AI oo2 Valves 2oo3 PT

54 Alternative setup by others Fail Safe and High Availability due to 2oo3 HW voting Sample from Triconex design

55 Input and output modules to SIL 3, 2 and 1 ET 200 M F-SM, Fail Safe Modules l SIL3, 2 or 1dependant on configuration (TÜV) SIL 3 also in single configuration for most modules SIL 3 with single or redundant bus connection ET200 isp, zone 1 l ET200 S l Small granularity modules for Zone 1, SIL3 Small granularity modules can cover SIL1 to SIL3 RUN-P RUN STOP CMRES RUN-P RUN STOP CMRES Standard SM s F-SM s

56 Architecture S7-300 Fail Safe Modules (sample) F-Digital Output, with built in redundancy, self verification and degrading Bus interface Microcontroller Dualport RAM Microcontroller Output driver Second disconnection facility Output L+ Read back V Supply If Output driver fails to bring output to safe state, 0, the microcontroller does, based on the read back, order the Second disconnection facility to shut the card down

57 S7-300 Fail Safe Modules Redundant microcontroller in each IO module Safety Integrated Level 1oo1 evaluation, SIL 2, AK 4 1oo2 evaluation, SIL 3, AK 6, internal in module Diagnose of internal and external errors mutual function checking of the microcontrollers input or output test branching of the input signals to both microcontrollers discrepancy analysis of the redundant input signals readback of the output signals and discrepancy analysis Second disconnection facility in the case of outputs Communication with CPU via Profisafe

58 S7-300 Fail Safe I/O Modules Samples of modules available n SM326F, DI DC24V 24 x SIL2, 12 x SIL3, with diagnostics interrupt n SM326F, DI NAMUR [EEx ib] 8 x SIL2, 4 x SIL3 with diagnostics interrupt n SM326F, DO DC24V/2A 10 x SIL3, current source, diagnostics interrupt n SM336F, AI 4-20mA 6 x SIL2 or 3, with diagnostics interrupt

59 Fail Safe I/O Modules Library for interfaces to field devices L + 24 VDC POWER DISTRIBUTION 10A 16A 16A 2A Library with standard, pre-verified instrument interfaces ESD MATRIX L+ 24 VDC SAFETY INPUTS AND OUTPUTS, S7 400F WITH SAFETY I/O MODULES, F- SM S AI-41F Safe analogue input, 4-20 ma, 2 Wire, SIL 2. AI-43F Safe analogue input, 4-20 ma, 3 Wire, SIL 2, current source AI-44F Safe analogue input, 4-20 ma, 3 Wire, SIL 2, high power consumpt. AI-50F Safe high available analogue input, 4-20 ma, 2 Wire, 2 oo 3. AI-51F Safe analogue input, 4-20 ma, 2 wire, to digital, SIL 2 AI-IS-41F Safe analogue input, 4-20 ma, EEx(i)(a), 2 Wire, SIL 2. AI-IS-51F Safe analogue input, EEx ib IIC, 4-20 ma, to digital, SIL 2 DI-41F Safe digital input, SIL 2 DI-42F Safe high available, digital input, SIL 2 DI-44F Safe digital input from clean contact / NAMUR, SIL2 DI-IS-41F Safe, EEx ib IIC, digital input from clean contact / NAMUR, SIL2 DI-IS-46F Safe, high available, EEx ib IIC, double clean contact/ NAMUR, SIL2 / DI-IS-46F Safe, EEx ib IIC, double clean contact /NAMUR, SIL3. DO-41F Safe, digital output, 24 V DC, 2A, SIL2 / 3 DO-41FR Safe digital output, SIL 2 with relay, SIL2 DO-RE-45F Safe, high available, digital output, 24 V DC, 2A, SIL2 /3 DO-46F Safe, digital output with manual release, 24 V DC, 2A, SIL2 /3 DI-MA-41F Safe, high available digital input from pushbutton, SIL 3 DI-MA-42F Safe, high available digital input from pushbutton, SIL 2 DI-MA-43F Safe, digital input from pushbutton, SIL 3 DI-MA-44F Safe, digital input from pushbutton, SIL 2 DI-MA-45F Safe, high available digital input from pushbutton, SIL 3 DI-MA-46F Safe, high available digital input from pushbutton, SIL 2 DI-MA-47F Safe digital input from pushbutton (with LED), open contact, SIL 2 DI-MA-48F Safe digital input from pushbutton (without LED), open contact, SIL 2 DI-MA-49F Safe digital input from pushbutton, NAMUR, SIL 2 DO-MA-41F Safe digital output to LED / LAMP, SIL2/3 DO-MA-42F Safe digital output to two LED / LAMP, SIL 2/3 DO-MA-43F Safe digital output to LED in fire fighting release pushbutton, SIL FIELD EQUIPMENT FIELD JUNCTION BOX TERMINAL RAIL DO-MA-41 OVERRIDE L- 0V 0 V distrib. 0 V distrib. FIELD TERMINATION CABINET L- 0V Hardware Typecircuit code DO-RE-45F ch ES BL00-0AA0 L+ DI 32 ch M 6ES BF00-0AB0 10 DO, SAFE 1L+ 2L+ 2L+ 3L+ 3L+ 3M 3M 2M 2M 1M Main Switch Read back 6ES BF00-0AB0 10 DO, SAFE 1L+ 2L+ 2L+ 3L+ 3L+ 3M 3M 2M 2M 1M Main Switch Read back

60 Fail Safe I/O Modules Development of interfaces to field devices Man må ofte ting i sammenheng før en oppdager at det kan være spesielle feilsituasjoner

61 Fail Safe I/O Modules Development of interfaces to field devices Det er utrolig hvor lite komplisert det skal være før noe kan gå galt (eksempel på bruk av kretsen fra foregående slide)

62 BESKRIVELSE UTSTYR ALARM ITK SKR HULDRA ITK SKR VFR NAS 0 SKR NAS 0 LIVBÅT 0 NAS 0 HELIDEKK NAS 0 SKR VFR NAS 0 MG 0 NAS 1 SKR NAS 1 SKR VFR 1 GASS I BEGGE GEN. LUFTINNTAK NAS 2 SKR NAS 2 LIVBÅT 2 NAS 2 HELIDEKK NAS 2 HJELPEUTSTYR OMRÅDE 2 GASS I EKSPL. FARLIG OMRÅDE DELUGE AKTIVERT POP SPRAY HELIDEKK AKTIVERT 2 VFR HULDRA LINK NEDE NAS 2 SKR VFR BRANN & GASS NAS 0/NAS 1 VESLEFRIKK 2 NAS 2 MG BRO NAS 2 MG NAS SYSTEM BRANN & GASS MG 2 PSD F&G 79- ES ES ES ES ES ES ES ES ES XS ES ES ES ES ES XS- 2003B 71- XS- 2051B 75- XS- 2051B 86- ES ES EY ES ES XS- 2004B 79- ES XS- 2002B 79- ES BROING BRØNN A01 A02 A03 A04 A05 A06 A07 A08 A09 A10 A11 A12 GASS EKSPORT STIGERØR KONDENSAT EKSPORT STIGERØR SEPARATOR TRYKKAVL. GASS KJØLER TRYKKAVL. GASSLINJE TRYKKAVL. ALARMHO RN KVITTERING AV ALARMER LAMPETE ST ALARM BROING SYSTEMFEIL CPU A SYSTEMFEIL CPU B I/O FEIL SSSV MASTER TILBAKE- STILL TILBAKE- STILL SPENNINGS- BORTFALL TRYKK- AVLASTNING HULDRA BRANN I EKSPL. FARLIG OMRÅDE TRYKK- AVLASTNING VESLEFRIKK TILBAKE- STILL UPS BATTERIER ISOLER UPS 48V DC TELEKOM. ISOLER UPS 230V AC TELEKOM. ISOLER GMDSS TELEKOM. ISOLER UPS 48V DC LOS/PABX ISOLER UPS 230V AC BATTERIER ISOLER KRAN 24V DC BATTERIER ISOLER GEN. 82-EG50A BATTERIER ISOLER GEN. 82-EG50B BATTERIER ISOLER GENERATOR 82-EG50A ISOLER GENERATOR 82-EG50B PSD 27- EY EY EY EY EY EY A/B 85-EY A/B 85-EY EY A/B 85-EY A/B 85-EY EY A 85-EY B 82-EY A 82-EY B ALARM BEMANN./UBEMANN. HULDRA BEMANNET Operator interface to SIL3 Man - Machine interface for daily use are the Operator Stations (but Bill Gates deliver no SIL3 solutions) Operator Stations with commands to SIL3 l l High end servers and operator stations, with redundancy and extensive diagnosis Special TÜV approved procedure for safe commands from operator stations to F-area (safe island) for SIL3 commands to controller. CAP solutions ensures HMI interface to SIL3 l l l LED elements connected to SIL3 remote I/O Necessary information for an emergency situation Necessary input elements to put the process to safe state TAL NAS NAS NAS NAS NAS NAS NAS NAS ITK ITK NØDAVSTENGINGSMATRISE INNGANGER UTGANGER PROSESS ELEKTRO ITK NAS 0 NAS 1 NAS 2 TAL NAS 0 NAS 1 NAS

63 CAP or Matrix / Mimic to SIL3, simple and hardwired INNGANGER NØDAVSTENGINGSMATRISE UTGANGER ITK ITK NAS NAS NAS NAS NAS NAS NAS TAL NAS BESKRIVELSE UTSTYR ALARM ITK SKR HULDRA ITK SKR VFR NAS 0 SKR NAS 0 LIVBÅT 0 NAS 0 HELIDEKK NAS 0 SKR VFR NAS 0 MG 0 NAS 1 SKR NAS 1 SKR VFR 1 GASS I BEGGE GEN. LUFTINNTAK NAS 2 SKR NAS 2 LIVBÅT 2 NAS 2 HELIDEKK NAS 2 HJELPEUTSTYR OMRÅDE 2 GASS I EKSPL. FARLIG OMRÅDE DELUGE AKTIVERT POP SPRAY HELIDEKK AKTIVERT 2 VFR HULDRA LINK NEDE NAS 2 SKR VFR BRANN & GASS NAS 0/NAS 1 VESLEFRIKK 2 NAS 2 MG BRO NAS 2 MG NAS SYSTEM BRANN & GASS MG EY ES ES ES ES ES ES ES ES ES ES ES ES ES ES ES ES ES XS- 2003B 79- ES XS- 2002B 79- ES BROING BRØNN A01 A02 A03 A04 A05 A06 A07 A08 A09 A10 A11 A12 GASS EKSPORT STIGERØR KONDENSAT EKSPORT STIGERØR SEPARATOR TRYKKAVL. GASS KJØLER TRYKKAVL. GASSLINJE TRYKKAVL. PROSESS ALARM BROING SSSV MASTER ITK NAS 0 NAS 1 ALARMHO RN KVITTERING AV ALARMER NAS 0 TILBAKE- STILL TILBAKE- STILL UPS BATTERIER ISOLER UPS 48V DC TELEKOM. ISOLER UPS 230V AC TELEKOM. ISOLER GMDSS TELEKOM. ISOLER UPS 48V DC LOS/PABX ISOLER GEN. 82-EG50A BATTERIER ISOLER GENERATOR 82-EG50A PSD NAS 2 NAS 1 NAS 2 ISOLER UPS 230V AC BATTERIER ISOLER KRAN 24V DC BATTERIER ISOLER GEN. 82-EG50B BATTERIER ISOLER GENERATOR 82-EG50B 70- XS- 2004B 71- XS- 2051B 75- XS- 2051B 86- ES SPENNINGS- BORTFALL TRYKK- AVLASTNING HULDRA BRANN I EKSPL. FARLIG OMRÅDE TRYKK- AVLASTNING VESLEFRIKK TILBAKE- STILL 70- XS EY EY EY EY EY ELEKTRO 85-EY A/B 85-EY A/B 85-EY EY A/B 85-EY A/B 85-EY EY A 85-EY B 82-EY A 82-EY B ALARM TAL BEMANN./UBEMANN. HULDRA BEMANNET Simple solutions Pushbuttons lamps and switches are lifting and maintaining the SIL for the total HMI PSD SYSTEMFEIL CPU A F&G SYSTEMFEIL CPU B I/O FEIL LAMPETE ST

64 Hardware Configuration CPU Parameters Safety-relevant parameters Set up protection level Activate safety operation

65 Hardware Configuration F-DO Parameters Safety-relevant parameters

66 Engineering Failsafe I/O Modules, diagnostics is set due to SIL Enabling of the failsafe function Signal evaluation: 1oo1 (SIL 2) 1oo2 (SIL 3)

67 Communication concepts to SIL3 /2/1 PROFIBUS DP / ProfiSafe for communication to approved ProfiSafe equipment, SIL3 / 2. l l F-SM remote I/O modules Other S7 400F or S7 300F nodes Drivers for Ethernet communication to S7 F nodes, SIL3. l Drivers for communication on Ethernet between safety programs in S7 nodes. Communication from OS to safety program to SIL3 l Special routine and function blocks for verified command from OS to F-area (safe island). Combination of PROFIBUS DP /PROFIBUS PA to SIL 2/

68 High Available Communication (not required to achieve SIL) Dual Redundant communication. Optical ring-bus with communications in both directions S7-400H S7-400H Single controller Redundancy replacement diagram: PS CPU CP Bus CP CPU PS PS CPU CP Bus CP CPU PS

69 Safety Communications B+B B+B Redundant system with SIMATIC S7-400FH SIMATIC ET 200M AI AI DI AI AI DI DO AO DO DO Redundant Ring

70 Basic concepts for communication to SIL3 and SIL enabling failsafe fieldbus applications...

71 Basic concepts for communication to SIL3 and SIL2 Add required safety layer to a standard protocol e.g.. Diagnostics Program Standard- I /O Safety Input Safety-Layer Safety Control Safety-Layer Safety Output Safety-Layer Standard Control Black/Gray Channel": ASICs, Links, Cables, etc. are not safety relevant Non safety critical functions, like e.g. diagnosis "ProfiSafe": Parts of the safety critical communications systems: Adressing, Watch Dog Timers, Sequenzing, Signatur, etc. Safety relevant, but not part of the ProfiSafe-Profils: Safety I/O and the Safety Control Systems

72 Basic concepts for communication to SIL3 and SIL2 Content of required safety layer must cover possible failures Failure Types and remedial Measures... Failure type: Repetition Deletion Remedy: Sequence Number X X Time Out with Receipt X Codename for Sender and Receiver Data Consistency Check Insertion Resequencing Data Corruption X X X X X Delay X Masquerade (standard message mimics failsafe) X X X FIFO failure within Router X The measures must be executed and monitored inside one failsafe unit

73 Standard Profibus DP Message... Standard-Message S S S S S S Sync time 33 TBit SD LE LEr SD DA SA FC Data Unit = Standardor Failsafe-Data FCS ED 68H H Bytes... 16H SB ZB 0 ZB 1 1 Cell = 11 Bit ZB 2 ZB 3 ZB 4 ZB 5 ZB 6 ZB 7 PB EB LE TBit = Clock-Bit = 1 / Baudrate SD = Start Delimiter (here SD2, var. Data Length) LE = Length of Data LEr = Repeated LoD, not in FCS DA = Destination Address SA = Source Address FC = Function Code (Type of Message) Data Unit = Failsafe-Data max. 244 Bytes FCS = Frame Checking Sequence (across data within LE) ED = End Delimiter SB = Start-Bit ZB0...7 = Character-Bit PB = (even) Parity Bit EB = Stop-Bit

74 ... and a ProfiSafe Message... (the extra layer included in the user telegram) Standard-Message-Frame (user telegram) S S S S S S F-I/O-Data Status / Controlbyte Sequence Number CRC Standard- I/O-Data *) 2 Byte for a max. of 12 Byte F I/O data 4 Byte for a max. of 122 Byte F I/O data Max. 244 Bytes DP-Data Sender based Counter across F-Data and F-Parameter Max. 12 / 122 Bytes 1 Byte 1 Byte 2/4 Bytes *) (240/238 - F-Data)

75 PROFIBUS PA Fieldbus solution to SIL 1/2/3. SINTEF Study "Evaluation of PROFIBUS PA against SIL1 / 2 requirements (2000). CPU 417H CP443-5E DP Master DP CPU 417H CP443-5E DP Master DP IM 157 Link IM 157 Link IM 157 Kobler ProfiSafe PA, TÜV certified SIL 2/ 3 (2007) EX sone PA PA slave PT

76 PROFIBUS PA with PROFISafe Redundancy Ring architecture with Active Field Distributor PROFIBUS DP IM 157, redundant M DP/PA coupler, redundant (M = master) Active Field Distributor AFD AFD AFD AFD PROFIBUS PA

77 PROFIBUS PA with PROFISafe Voting S7-400FH PROFIBUS DP DP/PA Coupler, redundant IM 157, redundant 2oo3 1oo

78 Fail-safe CPU CPU Communication The safety-oriented CPU-CPU communication via S7 connections with the send/receive blocks: F_SENDBO/F_RCVBO Transfer of 20 F_BOOL F_SENDR/F_RCVBR Transfer of 20 F_REAL

79 Safety Control Loops and Residual Error (PFD) Probability... within one PLC Sensor Bin. I Anal. I logic operations Bin. O Actuator 100 %, total figure for allowed PFD (Probability of Failure on Demand) Sensor Bin. I Anal. I logic operations Bin. O Actuator 1 % 15 % 1 % (Profisafe share of total for SIL3) e.g. Safety Integrity Level (SIL) 3 : 10-7 / h (Share of ProfiSafe: 1% = 10-9 / h)

80 Andre SAS krav for et typisk nettverk, Safety / Security Typisk SAS nettverks arkitektur

81 Andre SAS krav for et typisk nettverk, Safety / Security Mange standarder, security forsvar i dybden Standarder, anbefalinger ISO / ISO / ISO ISA S99 OLF-104 OLF-110 OLF-123 ISA Security Compliance Institue: ISA Secure INL Security Lab (Idaho National Lab) LOGIIC (Linking the Oil and Gas Industry to Improve Cyber Security )

82 Ganske mye utstyr / SW for security i et komplett anlegg

83 Vil du ha SIL3 på din egen PC (Siemens system er SW basert / HW uavhengig) Vi starter med en standard PC og en programpakke + litt safe I/O Standard Programming- Software STEP 7 F Soft PLC Failsafe Programming- Tool Distributed Safety Failsafe Application Program Standard PROFIBUS DP or PROFINET IO Standard Remote I/O PROFIsafe Failsafe I/O Modules

84 Først må du sjekke om din PC er egnet for formålet Så kan du laste nødvendig SW, og sette inn snitt for PROFIbus Tar min Har den en timer, RTC på Interupt 8? (normalt ok) Last SW Win AC RTX F er installert på Windows XP Prof / eller er embedded Koden løper på en ekstra realtime kernel, IntervalZero RTX

85 Baserer seg på tidligere omtalte prinsipper Coded Processing Time redundancy and diversity instead of structural redundancy Operators A, B Operation C Output AND Coding Comparison Stop by D /C OR Divers Operators /A, /B Divers Operation D = /C Divers Output Time redundancy Time

86 Baserer seg på tidligere omtalte prinsipper F-DI up Left up Right PROFIsafe telegram Data Data x f F-CPU z f = x f + y f CRC Coded x c z c = x c + y c + 1 PSF Input Driver F-CTRL 1 F FBs STEP 7 F-Coded FBs Data PROFIsafe telegram F-DO up Left Plus CRC up Right Minus F- CTRL2 PSF Output Driver Bad Wrong CRC -> PROFIsafe Stop or -> CPU Stop

87 Ditt eget Moholt SIL3 anlegg WinAC RTX F

88 Tusen Takk for at Dere gadd høre på! For mer info se: First with Integrated Control & Safety First with Flexible, Scalable, Distributed Architecture First Safety Lifecycle Management Tool - Safety Matrix First and Only Fully Integrated Safety Fieldbus First and Only SIL3, zone 1 I/O First and Only SIL3 on your own PC Arnt A.O.Sveen, Olav Sveen NTNU 2012 arntolav.sveen@siemens.com /