Siemens Safety Systems. NTNU 05.03.2012, Arnt Olav Sveen

Siemens Safety Systems. NTNU 05.03.2012, Arnt Olav Sveen l Historikk og bakgrunn l Applikasjoner l Krav i IEC61508 l Løsninger» Generell SIS Basis» Basis system Simatic S7 F» Programvare /programmering» Inngangs og utgangs moduler» Human - Machine Interface» Kommunikasjon / nettverk» Hjemmesikkerhetssystem 100.1

Siemens Safety Systems. The prevention of accidents should not be considered a question of legislation, but instead our responsibility to fellow beings and economic sense (Werner von Siemens in 1880) 100.2

History of Siemens Electronic Safety Systems Was started together with the start of computers S7 F Systems S7-400FH / PROFIsafe (1999) Distributed Safety S7 151F/315F/317F/416F (2002/2003) Safety Matrix (1999) QUADLOG (1995) 100.3 SIMATIC S5-110F (1980) SIMATIC S5-115F (1988) SIMATIC S5-95F (1994)

Siemens Safety Systems. First large safety project for offshore 1985, Oseberg Feltsenter, 15 000 safety I/O To day nearly 25% of installed safety systems in Norwegian part of the North Sea, and numerous deliveries world wide. First solutions, Simatic PLC's with additional hardware, 2 PLC's running independently. To-day a full range of S7 F, TÜV, SIL3 verified systems Work procedures according to IEC61508, SINTEF verified, and a full scope of function blocks and typicals 100.4

Siemens Safety Systems, Norwegian designed basic system Siemens Safety Systems applications are based on long experience Stena Don 2000 Statfjord A 2000 Snorre B 2000 Huldra 2000 Oseberg South 2000 Embla 2000 Oseberg Gas 1999 Troll C 1999 Statfjord B 1998 Visund 1998 Eldfisk WIP 1999 Oseberg East 1997 Petrojarl Foinhaven 1996 Njord A & B 1995 Statfjord C 1995 Vigdis 1995 Ekofisk 1995 Eldfisk alpha 1993 Brage 1992 Embla 1991 Snorre TLP 1990 Oseberg A 1988 Oseberg B 1987 100.5

Siemens Safety Systems, S7, PCS7 F 100.6 l HULDRA (Norway) 2000 l MAERSK XL1 /XL2 (worlds largest jack up s, built in Korea) 2002 l EKOFISK 2/7A 2002 l Visund 2006-2011 l Halfdan 5 platforms (Denmark/built in Singapore and Holland) 2003-2011 l Al Shaheen (28 platforms in Qatar) 2003-2010 l White Rose FPSO (Canada/ built in Canada/Korea/Abu Dhabi/USA) 2005 l P50, Albacore Leste FPSO (Brazil), PRA 1 2005-2007 l FPSOcean 1 (China) 2007-2009 l Santa Fe (USA, 2 drilling Rigs) 2004 l Oseberg Field-centre (Norway) (113 off S7 400/400FH, 35000 I/O) 2005-2007 l Statfjord A/B/C ESD and F&G 2004-2007 l Sevan SSP300-1, 2 and 3 2005-2008 l Deep Sea Driller 1 and 2 2007-2012 l Blackford Dolphin 2006-2008 l Snorre TLP 2006-2011 l Tor 2011 l Yme (upgrade) 2011 (Void) l ATP Cheviot (UK, Korea) 2011- l Deep Sea Driller 3 & 4 (China / Norge) 2011-2012 l OCX (Brazil) 2011- l GEAD Eldfisk, 5 installations totally 2011- l Heire, (Denmark) 2012 -

Safety Systems Applications Hva er et sikkerhetssystem (SIS)? Disaster protection Disaster protection Hvor griper det inn i en ulykkesutvikling, og forhåpentligvis stanser den? Collection basin Overpressure valve, rupture disc Safety system (automatic) Safety Shutdown alarm Passive protection Active mechanical protection Safety Instrumented System (SIS) Plant personnel intervention Basic automation Process value Process alarm Normal activity Process control system 100.7

Safety Systems Applications Hva er et sikkerhetssystem (SIS)? Detect fire, gas leakage, overpressures, over tem. etc Release fire fighting, electrical isolation, shutdown, blow-down (isolate or release energy sources) Safety Instrumented System (SIS) Inputs Outputs Basic Process Control System (BPCS) Inputs Outputs PT 1A PT 1B I / P Reactor FT 100.8 Low level

Safety Systems Applications Og hva er Equipment Under Control, EUC? AS 414 F AS 417 F PROFIBUS-DP ET 200M IM 153 F-I/O Modules Safety Module Standard I/O Modules Pressurized Vessel 100.9

Safety Systems Applications Purpose Risk reduction by safety systems, SIS Residual Risk Tolerable Risk From IEC 61508: EUC risk Necessary Risk Reduction Actual Risk Reduction Increasing Risk Risk reduction achieved by all safety-systems Hensikten med å innføre et sikkerhetssystem, er å få risikoen ned til et akseptabelt nivå. 100.10

Safety Systems Applications What is Risk? Who decides what is acceptable risk? What do we accept? Examples of fatality risk figures: l Smoking 20 per day 5000 cpm 5.0x10-3/yr 1 of 2 l Road accident 100cpm 1.0x10-4/yr 1 of 100 (lifetime 100 years) l Car accident 150cpm 1.5x10-4/yr 1,5 of 100 l Accident at work 10cpm 1.0x10-5/yr 1 of 1000 l Falling Aircraft 0.02 cpm 2.0x10-8/yr 2 of 1000 000 (note) l Lightning strike 0.1cpm 1.0x10-7/yr 1 of 100 000 l Insect/Snake bite 0.1cpm 1.0x10-7/yr 1 of 100 000 NOTE: Risk per hour the same as for car accident cpm = chances per million of the population (per year) 100.11 We are always informed when 8 persons are killed by suicide killer in Afghanistan, but we are not informed when 53 persons die traffic accidents in Spain happens every weekend

Safety Systems Applications Risk reduction by safety systems, SIS Containment Dike Control System Unacceptable Risk Region Hazard #1 It is often said that the risk reduction by the instrumented safety system is low, compared to the total risk. Risk reduction is decades higher by other means. Likelihood Operator Intervention SIL1 SIL2 Safety Instrumented Function SIL3 If other means reduces the number of causalities from 100 to 1 per year, there is still one left maybe that one person is saved by the instrumented safety system Tolerable Risk Region Consequence Risikoreduksjonen er større ved et høyere SIL 100.12

Safety Systems Applications What is Safe state? Can the Safety System bring the area or equipment to a safe state? How? What is required? Power Plant 100.13

Safety Systems Applications Some of the Safety Systems Applications l l l l l l l l l ESD, Emergency Shutdown F&G, Fire & Gas Detection, Fire-fighting Process Shutdown Fire-pump Logic Ballast Control Blow-down Riser release / Anchor Release Fire Dampers, Active Smoke Control HIPPS, High Integrity Pressure Protection System 100.14

Safety Systems Topology for total platform control system including safety 100.15

Fire ext.. acktivated Fire vent. activ. Fire Brig. recvd. Power Prewarning Early warning Fault System fault Function disabled Test More Alarms Silence buzzer Silence sounders Reset 1 4 7 C? 2 5 8 0 3 6 9 Self Verify Fire & Gas Topology (sample) F&G ESD Wide ScreenOverview Ethernet 100 Mbit Ethernet 100 Mbit Commands from OS to SIL3 PROFIBUS/ ProfiSafe (SIL3) Industrial Ethernet 100 Mbit Industrial Ethernet 100 Mbit Communication to other nodes SIL3 S7-400FH (SIL3, and redundant) SIL 2 ALARM SIEMENS SIEMENS Software is implemented according to procedure, SIL 3 PROFIBUS/ProfiSafe (SIL3) PROFIBUS/ProfiSafe (SIL3) 100.16

F&G System Topology (the different modules) F&G Matrix Remote Control (Veslefrikk) I/O modules SIL 2/3 PROFIBUS/ PROFISAFE SIL3 and redundant Redundant, operator stations,each with dual powersupplies and multi CPU's (tolerabable for CPU errors) F&G Matrix Radio Note: Separate bus sytems are used for interface to matrixes to avoid common mode failurres with field I/O F&G Matrix Radio Redundant, servers,each with dual powersupplies and multi CPU's (tolerabable for CPU errors) Redundant Operator Stations Redundant Safety Servers Redundant Fail Safe Communications SIL3 (Profisafe) Addressable Fire Detection Systems I/O modules SIL 2/3 PROFIBUS/ PROFISAFE, SIL3 optical and redundant Autronica fire panel Redundant, optical, 100 Mbit Industrial Ethernet Autronica protocol Autronica protocol SIEMENS S7-400FH (SIL3, and redundant) S7-400F(SIL3) S7-400F(SIL3) SIEMENS Redundant Integrated Safety & Process Network High Available & Fail Safe CPU s Redundant Communications Interface Fire Area (1of n gives alarm) Hardwired alarm Analogue inputs (each SIl1) in votingone of many (total is SIL2) PROFIBUS or Profisafe (SIL3) PROFIBUS or Profisafe (SIL3) Output modules F-SM's, SIL 2/3 redundant or redundant ouput configuration verified by SINTEF (SIL2/3) Fail Safe I/O Modules 100.17

ESD Topology (sample) ESD Matrix. Operator Stations EngineeringStation F&G ESD Wide ScreenOverview Ethernet 100 Mbit Ethernet 100 Mbit Commands from OS to SIL3 Remote Input / Output modules, F-SM SIL2/3 or ET200M SIL0/1 Redundant Safety Servers (built in redundancy and auto-repair) Industrial Ethernet 100 Mbit PROFIBUS/ ProfiSafe (SIL3) S7-400FH (SIL3, and redundant) Industrial Ethernet 100 Mbit Controller Cabinet Communication to other nodes SIL3 Field Termination Cabinet SIEMENS S7-400F(SIL3) S7-400F(SIL3) SIEMENS Software is implemented according to procedure, SIL 3 Hardware design according to procedure, SIL 3 Remote "fail safe" Input /output modules F-SM's, SIL 2/3 Remote Input / Output modules, IS1 or ET200M SIL0/1 PROFIBUS/ProfiSafe (SIL3) PROFIBUS/ProfiSafe (SIL3) 100.18

PSD Topology (sample) Operator Stations EngineeringStation Ethernet 100 Mbit Ethernet 100 Mbit Commands from OS to SIL3 Redundant Servers Industrial Ethernet 100 Mbit Industrial Ethernet 100 Mbit Communication to other nodes SIL3 SIEMENS S7-400F(SIL3) S7-400F(SIL3) SIEMENS Controller Cabinet Software is implemented according to procedure, SIL 3 Hardware design according to procedure, SIL 3 Remote ET200iS or"fail safe" Input /output modules F-SM's, SIL 2/3 Remote Input / Output modules, IS1 or ET200M SIL0/1 Field Termination Cabinet or Junction Box PROFIBUS/ProfiSafe (SIL3) 100.19

Marine Safety Control System Operator Stations EngineeringStation Ethernet 100 Mbit Commands from OS to SIL3 Manual Ballast Functions Redundant Servers Communication to other nodes SIL3 Industrial Ethernet 100 Mbit Industrial Ethernet 100 Mbit SIEMENS Controller Cabinet A S7-400F(SIL3) ACPU Remote "fail safe" Input /output modules F-SM's, SIL 2/3 Remote Input / Output modules, IS1 or ET200M SIL0/1 Field Termination Cabinet or Junction Box S7-400FH (SIL3, and redundant) S7-400F(SIL3) B CPU SIEMENS Controller Cabinet B Software is implemented according to procedure, SIL 3 Hardware design according to procedure, SIL 3 PROFIBUS/ProfiSafe (SIL3) Synchronization link 100.20

Subsea PSD solution and HIPPS, both SIL3 ESD, S7-400F, SIL3 PSD, S7-400F, SIL2/3 PCS, S7-400 X x=number of connection`s PROFISAFE,SIL3 Remote F-SM, SIL3 PROFISAFE,SIL3 Remote F-SM, SIL3 RF-Modem PROFBUS (Remote I/O) RF-Modem 1 Twisted Pair 2 Fiber Optic Cable 3 Umbilical with center line 5 Hydraulic 6 Riser (Stigerør) Bleed Hydraulic (SIL 3) PSV HPU Hydraulic Supply Production Topside EV Subsea PT PT HIPPS 1 HIPPS 2 PT PT PT PT SSIV PT 4-20 ma S5 95F/S7 300F 4-20 ma 4-20 ma PT PT T Choke Slot no. 2-4 RF- Modem Profibus DP(to topside modem) 19.2 Kbits Subsea HIPPS/SIL 3 Titanium Pipe/enclosure PT T PSD Remote I/O Simatic S7 F-SM (SIL3) RIO (F.SM.) PWV PMV PT T RF-Modem Titanium Pipe/enclosure SCSSV Profibus DP/ProfiSafe (SIL3) 183 Kbits 100.21 Slot no. 1 PT T Supplier Document Review Accepted

IEC 61508 The safety level is applicable for: l l The total solution All the projects lifecycles The system solution covers EUC, including HMI HW engineering, construction and testing l l Software l l l By use of standard hardware set-up With special modules approved by TÜV Function blocks (basic blocks approved by TÜV) Protocols and drivers approved by TÜV Application program (according to procedure) Maintenance procedures Operation and Modification Procedures 100.22

IEC 61508, Quality Assurance and a few direct requirements 1 2 Concept Overall scope definition Software safety lifecycle 3 Hazard and risk analysis 9.1 Software safety requirements specification OveralI Overall 6 7 8 8 operation and maintenance planning Overall planning safety validation planning 4 5 OveralI installation and commissioning planning Overall safety requirements Safety requirements allocation 9 Safety-related systems: E/E/PES Realisation (see E/E/PES safety lifecycle) Safety-related systems: other technology 10 11 Realisation External risk reduction facilities Realisation E/E/PES safety lifecycle (see figure 2) 9.2 Software safety validation planning 9.1.1 Safety functions requirements 9.1.2 specification 9.3 Software design and development Safety integrity requirements specification 12 Overall installation and commissioning 9.4 PE integration 9.5 Software operation and (hardware/software) modification procedures 13 Overall safety validation Back to appropriate overall safety lifecycle phase Overall operation, maintenance and repair 14 15 Overall modification and retrofit 9.6 Software safety validation Decommissioning or disposal NOTE 1 Activities relating to verification, management of functional safety and functional safety assessment are not shown for reasons of clarity but are relevent to all overall, E/E/PES and software safety lifecycle phases. NOTE 2 The phases represented by boxes 10 and 11 are outside the scope of this standard. 16 NOTE 3 Parts 2 and 3 deal with box 9 (realisation) but they also deal, where relevant, with the programmable electronic (hardware and software) aspects of boxes 13, 14 and 15. To box 12 in figure 2 of part 1 To box 14 in figure 2 of part 1 100.23

IEC 61508, Implementation according to proven procedures. Safety requirements shall be specified, and the requirements shall be traceable through all engineering phases. Internal procedures for development of software according to IEC61508 l Procedures developed in co-operation with SINTEF Tele and Data. specification planning implementation verification validation modifications. Internal procedures for hardware design and production according to IEC61508 l Made on the same structure as the SINTEF verified SW procedure. 100.24

Basic principles to fulfill IEC61508 Basically three requirements 1. Quality assurance (98% of IEC61508) 2. Requirement to availability of safety function (PFD requirement, Probability of Failure on Demand) 3. Requirement to safe failure fraction (SFF requirement, Safe Failure Fraction) Answers to the requirements 1. Work methods, procedures, qualified workers 2. Equipment quality, redundancy, second resort, diagnostics 3. Fail to safe design, diagnostics 100.25

Diagnostics, feedback and redundancy Diagnostics / feedback Diagnostics will give possibility to repair dangerous errors before an emergency situation, hence improving PFD and SFF. Increased diagnostics also give room for extension of test interval, hence saving cost. Feedback will give opportunity to use second shutdown possibility in case of first possibility failing, hence increasing PFD and SFF. Redundancy / second shutdown facility More than one shutdown facility, and all are activated at same time, or second facilities are used as result of feedback when first is failing, will give improved SFF and PFD. 100.26

Risk Determination (one of several methods) How to find Required Safety Integrated Level (SIL) of the Safety System" Risk Graph S1 F1 S2 F2 F1 S3 F2 S4 A1 A2 A1 A2 P3-1 1 2 3 3 4 4 P2 P1 - - 1-1 - 2 1 3 1 3 2 3 3 4 3 S: Severity of injury/damage 1:small injury, minor environmental damage 2:serious irreversible injury of many people involved or a death temporary serious environmental damage 3:death of many people long-term serious environmental : damage 4:catastrophic results, many deaths F: Frequency and/or exposure time to hazard 1:seldom - quite often 2:frequent - continous A: Avoiding hazard 1:possible 2:not possible P: Probability of Occurrence 1:very low 2:low 3:relatively high 100.27

Safety Integrity Levels, PFD calculation F&G loop with Gas detector and control valve. Gas detector 4-20 ma AI PROFISAFE PROFISAFE CPU DO F&G loop with Gas detector and control valve. Control valve ESV Safety reliability Block diagram:" 100.28

Siemens Simatic PCS7F Safety Control System controllers, SIMATIC S7 300/400/1500 F/FH Redundant systems S7-414-4H *) 2.8MB 600 F-I/Os S7-319F-2DP 1.4MB 1000 F-I/Os S7-417-4H *) 30MB 3000 F-I/Os S7 1500 S7-412-3H *) 768kB 100 F-I/Os S7-317F-2DP 1MB 500 F-I/Os S7-315F-2DP 192kB 300 F-I/Os Solutions S o for l uoilt &i Gas o noffshore s f o r O i l & G a s Certified up to SIL 3 100.29

Components S7-400F/FH (Simatic safety system is SW based, and partly HW independent) High available System CPU with F program as a basis CPU 417-4F(H) TÜV certified, including system SW (SIL3) TÜV certified failsafe logic SW blocks (SIL3). Redundant, diverse programs. Method and tool for Engineering / Hardware Configuration / Programming Configuration of the S7-400F-Hardware with Standard HW-Config. Graphical Engineering (programming) with Standard CFC (Continuous Function Chart) Coexistence of Standard- and F-Applications (SIL3) in one CPU (safe island) Connection to the Process Devices PROFIsafe (extra safety layer to Profibus) (SIL3) to ensure failsafe communication via Profibus Process Devices Failsafe I/O modules (SIL1-3) Failsafe process transmitters and actuators (fieldbus devices) 100.30

And based on additional principle Protected F-Islands CPU operating system CPU hardware Standard user programs Any faults in other modules, environmental factors Safety-related user program Safety-related communication frame Failsafe I/O modules SW based SW based HW/SW based 100.31

S7 400F F/H system - modularity, PC Standard Engineering Software F-Programming Tool Standard-CPU 417-4H F-Application Program RUN-P RUN STOP CMRES RUN-P RUN STOP CMRES Standard I/O s (ET200M) F-I/O s (ET200M) Standard-ProfibusDP ProfiSafe Protocol 100.32

CPU-Software Architecture Standard- User Program F-Standardblocks F-User Program F-User Blocks F -Systemblocks F-Control Blocks Program execution Program execution Communications Self tests Standard- Operating System Safety-relevant sections of the operating system F-Access protection Safety-relevant System Func. Calls Safety-relevant Self tests 100.33

S7-F Concept, Double processing in diverse environments" Instead of redundancy of HW, Siemens Safety System runs redundant SW on same HW. Multi-channel storage of safetycritical data in instance DBs in the CPU, e.g. as word-oriented complement COMP Multi-channel processing of the safety function in F-FBs by SP7-ASIC of the CPU n Standard operation on DATA n Multi-channel operation on COMP 0 DATA FFFF H COMP Bit-AND in bit arithmetic logic unit DATA 1 DATA COMP 0 H COMP Word-OR in ALU CPU-internal comparison in the output driver to improve error locating Error handling: disable outputs and stop CPU CPU-external comparison in receiver (F-output modules and processing F- CPUs) Error handling: safe substitute values and error message Comparison Safety-related message Copy Convert Data CRC Comparison 100.34

S7-F Program Concept Extensive comparison and monitoring" Time redundancy and Diversity instead of hardware redundancy Operands A, B (Bool) Operation C Result AND Encoding OR Comparison Stop At D /C Diversity Operands /A, /B (Word) Diversity Operation D = /C Diversity Result Time redundancy Time n Time redundancy and instruction diverse processing n Logical program execution and data flow monitoring n Bool and Word Operations processed in different parts of the CPU n 2 independent hardware timer 100.35

Programming Graphical programming CFC acc. to IEC 1131 F-Library Certified (TÜV) function blocks CFC Links are structs 100.36

Simplified ESD Program Overview, sample OS part ESD System Configuration, SIL3 HMI OS skjerm MB-ESD U B R Operator Station Input Status X From OS B From field B MA-ESD U B R Status Ext. Alarm HH From OS B From field B MA-ESD LB Bin Bout R ESD Function Status X Blocked from OS From ESD Function To ESD Function Blocked from Field From ESD Function To ESD Function B B B B SB-ESD U B SD OVR Output status X HW Override B Coincidence X Disable Reset X Standard program part F_MA_ESD Normal program Additional I/O diagnostic data (optional) From driver FU, parameter Q_DATA From driver FBB, parameter Q_DATA G_MB_ESD XF BUOP BBOP FE YGR BX QUALITY ACK REQ FBE RBE FUE FBC RUE RBC FUC Y RUC A R BBOS BUOS Additional I/O diagnostic data (optional) From driver FE, parameter Q_DATA From driver FU, parameter Q_DATA From driver FBB, parameter Q_DATA From F_CH_AI From F_MA_ESD Status collection for G_LB_ESD (optional) XF FE BUOP BBOP V_DATA QUALITY ACK REQ PLH PLR FBE RBE FUE RUE BHH BWH BLL BWL VAHH VWH VALL VWL BUOS BBOS Y YGR FBC RBC FUC RUC R Status collection for G_LB (optional) To F_MA_ESD From driver FE, parameter Q_DATA From driver, block from other function, Q_DATA From driver, block to other function, Q_DATA G_LB FE BCB BBYXOP BCU BBXSOP BEB BEO BCB FBXSE YGR RBXSE FBYXE RBYXE BX FBXSC BXS RBXSC BBXSOS FBYXC BBYXOS RBYXC Y R Status from LB-utilities (optional) Insrtance data block number for LB-utilities (optional) Additional diagnostic data (optional) Feedback from normal I/O G_SB_ESD XF YF YRO YGR BCH XGH BCL XGL BU XOC BO XO BC RDAE RDDE LSE BRXDOS BLSOS BY RDAC RDDC VALUE R ACK_REQ LSC QUALITY Safe program CFC 100.37 Fail-safe program part F_M_DIx CHADDR Module driver Symbolic address AOS 03.07.2001 Channel driver CHADDR VALUE Channel driver CHADDR VALUE F_CH_DI F_CH_DI Q_DATA QUALITY ACK REQ QN Q QBAD QUALITY ACK REQ QN Q QBAD ESD INPUT: Q - Used for normally de-energized inputs QN - Used for normally energized inputs OPERATORS' FIELD DEVICE Module driver F_M_AI Symbolic address Fault annunciation CHADDR "0" FE F_MB_ESD FBC RBC FUC RUC R X PNLAT FBB FU RX Channel driver CHADDR VHRANGE VLRANGE VALUE ACK NEC F_CH_AI QUALITY V_DATA ACK REQ OVHRANGE OVLRANGE V QBAD FBE RBE FUE RUE A BB BU BBOS BUOS OPERATORS' FIELD DEVICE Y From G_MA_ESD To G_MA_ESD Fault annunciation X X1 NX1 X2 NX2 X3 NX3 X4 NX4 X8 NX8 RX PCYCLE PLAT PAHH PWH PALL PWL RX FE FBB FU F_SBI F_MA_ESD FBC RBC FUC RUC R Y FBE RBE FUE RUE BHH BWH BLL BWL VAHH VWH VALL VWL BUOS BBOS AHH ALL BU BB Y1 Channel driver F_CH_DO I ACK_REI To G_MA_ESD VALUE ACK_REQ QUALITY CHADDR QBAD Module driver F_M_DO CHADDR STATUS INDICATION LED's F_OR4 IN1 IN2 OUT XS X RX FBXS FBYX FE F_LB FBXSC RBXSC FBYXC RBYXC R PNLAT FBXSE RBXSE FBYXE RBYXE BBXSOS BBYXOS BX BXS BBXS BBYX Y YX OPERATORS' FIELD DEVICE XS X RX FBXS FBYX FE F_LB FBXSC RBXSC FBYXC RBYXC R PNLAT FBXSE RBXSE FBYXE RBYXE BBXSOS BBYXOS BX BXS Y BBXS BBYX YX XS X RX FBXS FBYX FE STATUS INDICATION LED's STATUS INDICATION LED's F_LB FBXSC RBXSC FBYXC RBYXC R PNLAT FBXSE RBXSE FBYXE RBYXE BBXSOS BBYXOS BX BXS BBXS BBYX Y YX Override from Matrix Override-switch via F-SM F_CH_DI Y CHADDR Q_DATA ACK REQ VALUE F_OR4 IN1 IN2 OUT QN Q QBAD Ovrr. feedback "1" "0" "0" RDAC RDDC R LSC X RX RXD PNLAT PDY XO XOC XBOC XBONC XBOF F_SB_ESD RDAE RDDE LSE BPDY BLSOS BRXDOS Y YN YBOC YBONC YBOF Channel driver F_CH_DO I ACK_REI RDAC RDDC R LSC X RX RXD PNLAT PDY XO XOC XBOC XBONC XBOF VALUE ACK_REQ QUALITY CHADDR QBAD F_SB_ESD RDAE RDDE LSE BPDY BLSOS BRXDOS Y YN YBOC YBONC YBOF Module driver CHADDR F_M_DO Matrix indicator LED's

Engineering tool Program Protection Read/Write protection with password Enabling of the Failsafe function of the CPU 417-4H or 414-4H CFC 100.38

Program protection Program Signature Signature of F-Program for TÜV Certification. Program taken out of CPU cannot be downloaded unless carrying the correct signature CFC The signature is generated by the programming tool, and is changed after every change of the program 100.39

Programming Comparison of existing and changed program Comparison of different F-program versions Deviations shall be checked before download of change CFC 100.40

S7-400H Redundancy Principle ( for increased availability) P S# C P U# D D E# A# A E# A C A# P# Synchronization, information and status exchange P S# C P U# D D E# A# A E# A A# C P# I M I M D E D A A E A A F M PROCESS 100.41

I/O Configuration Switching of master by use of redundant Profibus Redundant IM 153-2 Profibus-DP L+ L+ IO with active backplane bus performing the switchover Target: Reduce common mode faults for the switch-over to a minimum IM IM Bus module Active backplane bus Achieved by: Very simple component does the switchover 100.42

Flexible Modular Redundancy Make any component redundant AI DI DO DO 100.43

Flexible Modular Redundancy AI DI DO 100.44

Flexible Modular Redundancy Make any component redundant AI DI AI DI DO DO Physically separate redundant resources 100.45

Flexible Modular Redundancy Make any component redundant Dual AI DI DO DO Physically separate redundant resources AI DI AI DO Mix and match redundancy Simplex AI 100.46 Triple

Flexible Modular Redundancy Make any component redundant AI DI DO DO Dual Physically separate redundant resources AI AI Triple DI AI DO Simplex Mix and match redundancy Tolerate multiple faults with no impact on safety Safety is not dependant on redundancy; all components are SIL3-capable Redundancy only for availability; No degraded mode 100.47

Flexible Set-up s AI AI DI DO DO Multiple Fault Tolerant Fieldbus architecture allows system to tolerate multiple faults without interruption I/O redundancy independent of CPU redundancy All components rated for SIL3 No degraded mode Safety not dependent on redundancy AI AI DI DO DO 2oo3 AI 100.48 1oo2 Valves 2oo3 PT

Alternative setup by others Fail Safe and High Availability due to 2oo3 HW voting Sample from Triconex design 100.49

Input and output modules to SIL 3, 2 and 1 ET 200 M F-SM, Fail Safe Modules l SIL3, 2 or 1dependant on configuration (TÜV) SIL 3 also in single configuration for most modules SIL 3 with single or redundant bus connection ET200 isp, zone 1 l ET200 SP l Small granularity modules for Zone 1, SIL3 New, Profinet interface, SIL1 to SIL3 RUN-P RUN STOP CMRES RUN-P RUN STOP CMRES Standard SM s F-SM s 100.50

Architecture S7-300 Fail Safe Modules (sample) F-Digital Output, with built in redundancy, self verification and degrading Bus interface Microcontroller Dualport RAM Microcontroller Output driver Second disconnection facility Output L+ Read back V Supply If Output driver fails to bring output to safe state, 0, the microcontroller does, based on the read back, order the Second disconnection facility to shut the card down 100.51

S7-300 Fail Safe Modules Redundant microcontroller in each IO module Safety Integrated Level 1oo1 evaluation, SIL 2, AK 4 1oo2 evaluation, SIL 3, AK 6, internal in module Diagnose of internal and external errors mutual function checking of the microcontrollers input or output test branching of the input signals to both microcontrollers discrepancy analysis of the redundant input signals readback of the output signals and discrepancy analysis Second disconnection facility in the case of outputs Communication with CPU via Profisafe 100.52

S7-300 Fail Safe I/O Modules Samples of modules available n SM326F, DI DC24V 24 x SIL2, 12 x SIL3, with diagnostics interrupt n SM326F, DI NAMUR [EEx ib] 8 x SIL2, 4 x SIL3 with diagnostics interrupt n SM326F, DO DC24V/2A 10 x SIL3, current source, diagnostics interrupt n SM336F, AI 4-20mA 6 x SIL2 or 3, with diagnostics interrupt 100.53

Fail Safe I/O Modules Library for interfaces to field devices L + 24 VDC POWER DISTRIBUTION 10A 16A 16A 2A Library with standard, pre-verified instrument interfaces ESD MATRIX L+ 24 VDC SAFETY INPUTS AND OUTPUTS, S7 400F WITH SAFETY I/O MODULES, F- SM S AI-41F Safe analogue input, 4-20 ma, 2 Wire, SIL 2. AI-43F Safe analogue input, 4-20 ma, 3 Wire, SIL 2, current source AI-44F Safe analogue input, 4-20 ma, 3 Wire, SIL 2, high power consumpt. AI-50F Safe high available analogue input, 4-20 ma, 2 Wire, 2 oo 3. AI-51F Safe analogue input, 4-20 ma, 2 wire, to digital, SIL 2 AI-IS-41F Safe analogue input, 4-20 ma, EEx(i)(a), 2 Wire, SIL 2. AI-IS-51F Safe analogue input, EEx ib IIC, 4-20 ma, to digital, SIL 2 DI-41F Safe digital input, SIL 2 DI-42F Safe high available, digital input, SIL 2 DI-44F Safe digital input from clean contact / NAMUR, SIL2 DI-IS-41F Safe, EEx ib IIC, digital input from clean contact / NAMUR, SIL2 DI-IS-46F Safe, high available, EEx ib IIC, double clean contact/ NAMUR, SIL2 / DI-IS-46F Safe, EEx ib IIC, double clean contact /NAMUR, SIL3. DO-41F Safe, digital output, 24 V DC, 2A, SIL2 / 3 DO-41FR Safe digital output, SIL 2 with relay, SIL2 DO-RE-45F Safe, high available, digital output, 24 V DC, 2A, SIL2 /3 DO-46F Safe, digital output with manual release, 24 V DC, 2A, SIL2 /3 DI-MA-41F Safe, high available digital input from pushbutton, SIL 3 DI-MA-42F Safe, high available digital input from pushbutton, SIL 2 DI-MA-43F Safe, digital input from pushbutton, SIL 3 DI-MA-44F Safe, digital input from pushbutton, SIL 2 DI-MA-45F Safe, high available digital input from pushbutton, SIL 3 DI-MA-46F Safe, high available digital input from pushbutton, SIL 2 DI-MA-47F Safe digital input from pushbutton (with LED), open contact, SIL 2 DI-MA-48F Safe digital input from pushbutton (without LED), open contact, SIL 2 DI-MA-49F Safe digital input from pushbutton, NAMUR, SIL 2 DO-MA-41F Safe digital output to LED / LAMP, SIL2/3 DO-MA-42F Safe digital output to two LED / LAMP, SIL 2/3 DO-MA-43F Safe digital output to LED in fire fighting release pushbutton, SIL 2 100.54 FIELD EQUIPMENT FIELD JUNCTION BOX TERMINAL RAIL DO-MA-41 OVERRIDE L- 0V 0 V distrib. 0 V distrib. FIELD TERMINATION CABINET L- 0V Hardware Typecircuit code DO-RE-45F ch 0 21 17 18 37 38 3 4 40 39 20 19 22 21 17 18 37 38 3 4 40 39 20 19 22 6ES7 321-1BL00-0AA0 L+ DI 32 ch M 6ES7 326-2BF00-0AB0 10 DO, SAFE 1L+ 2L+ 2L+ 3L+ 3L+ 3M 3M 2M 2M 1M Main Switch Read back 6ES7 326-2BF00-0AB0 10 DO, SAFE 1L+ 2L+ 2L+ 3L+ 3L+ 3M 3M 2M 2M 1M Main Switch Read back

Fail Safe I/O Modules Development of interfaces to field devices Man må ofte ting i sammenheng før en oppdager at det kan være spesielle feilsituasjoner 100.55

Fail Safe I/O Modules Development of interfaces to field devices Det er utrolig hvor lite komplisert det skal være før noe kan gå galt (eksempel på bruk av kretsen fra foregående slide) 100.56

BESKRIVELSE UTSTYR ALARM ITK SKR HULDRA ITK SKR VFR NAS 0 SKR NAS 0 LIVBÅT 0 NAS 0 HELIDEKK NAS 0 SKR VFR NAS 0 MG 0 NAS 1 SKR NAS 1 SKR VFR 1 GASS I BEGGE GEN. LUFTINNTAK NAS 2 SKR NAS 2 LIVBÅT 2 NAS 2 HELIDEKK NAS 2 HJELPEUTSTYR OMRÅDE 2 GASS I EKSPL. FARLIG OMRÅDE DELUGE AKTIVERT POP SPRAY HELIDEKK AKTIVERT 2 VFR HULDRA LINK NEDE NAS 2 SKR VFR BRANN & GASS NAS 0/NAS 1 VESLEFRIKK 2 NAS 2 MG BRO NAS 2 MG NAS SYSTEM BRANN & GASS MG 2 PSD F&G 79- ES- 2001 79- ES- 2002 79- ES- 2003 79- ES- 2101 79- ES- 2201 79- ES- 2004 79- ES- 2102 79- ES- 2005 79- ES- 2103 70- XS- 2001 79- ES- 2006 79- ES- 2007 79- ES- 2016 79- ES- 2008 82- ES- 2001 70- XS- 2003B 71- XS- 2051B 75- XS- 2051B 86- ES- 2001 79- ES- 2104 79- EY- 2109 79- ES- 2202 86- ES- 2203 70- XS- 2004B 79- ES- 2009 70- XS- 2002B 79- ES- 2105 BROING BRØNN A01 A02 A03 A04 A05 A06 A07 A08 A09 A10 A11 A12 GASS EKSPORT STIGERØR KONDENSAT EKSPORT STIGERØR SEPARATOR TRYKKAVL. GASS KJØLER TRYKKAVL. GASSLINJE TRYKKAVL. ALARMHO RN KVITTERING AV ALARMER LAMPETE ST ALARM BROING SYSTEMFEIL CPU A SYSTEMFEIL CPU B I/O FEIL SSSV MASTER TILBAKE- STILL TILBAKE- STILL SPENNINGS- BORTFALL TRYKK- AVLASTNING HULDRA BRANN I EKSPL. FARLIG OMRÅDE TRYKK- AVLASTNING VESLEFRIKK TILBAKE- STILL UPS BATTERIER ISOLER UPS 48V DC TELEKOM. ISOLER UPS 230V AC TELEKOM. ISOLER GMDSS TELEKOM. ISOLER UPS 48V DC LOS/PABX ISOLER UPS 230V AC BATTERIER ISOLER KRAN 24V DC BATTERIER ISOLER GEN. 82-EG50A BATTERIER ISOLER GEN. 82-EG50B BATTERIER ISOLER GENERATOR 82-EG50A ISOLER GENERATOR 82-EG50B PSD 27- EY- 2240 21- EY- 2152 20- EY- 2007 24- EY- 2154 27- EY- 2241 85-EY -2004 A/B 85-EY -2043 A/B 85-EY -2006 85-EY -2042 A/B 85-EY -2001 A/B 85-EY -2005 85-EY -2002 A 85-EY -2002 B 82-EY -2002 A 82-EY -2002 B ALARM BEMANN./UBEMANN. HULDRA BEMANNET Operator interface to SIL3 Man - Machine interface for daily use are the Operator Stations (but Bill Gates deliver no SIL3 solutions) Operator Stations with commands to SIL3 l l High end servers and operator stations, with redundancy and extensive diagnosis Special TÜV approved procedure for safe commands from operator stations to F-area (safe island) for SIL3 commands to controller. CAP solutions ensures HMI interface to SIL3 l l l LED elements connected to SIL3 remote I/O Necessary information for an emergency situation Necessary input elements, pushbuttons, to put the process to safe state. Often with direct interface to process. TAL NAS NAS NAS NAS NAS NAS NAS NAS ITK ITK NØDAVSTENGINGSMATRISE INNGANGER UTGANGER PROSESS ELEKTRO ITK NAS 0 NAS 1 NAS 2 TAL NAS 0 NAS 1 NAS 2 100.57