Solutions for Oil & Gas
A.O.Sveen, NTNU 2011
Siemens Safety Systems. NTNU 14.03.2011, Arnt Olav Sveen
Outline:
History and background
» Basis for solutions
Applications
Requirements in IEC 61508
» Home safety system
Solutions
» Controller / central system
» Input and output modules
» Human - Machine Interface
» Software / programming
» Communication / network
Siemens Safety Systems.
The prevention of accidents should not be considered a question of legislation, but instead our responsibility to fellow beings and economic sense
(Werner von Siemens in 1880)
History of Siemens Safety Systems
SIMATIC S5-110F (1980)
SIMATIC S5-115F (1988)
SIMATIC S5-95F (1994)
QUADLOG (1995)
S7 F Systems, S7-400FH / PROFIsafe (1999)
Safety Matrix (1999)
Distributed Safety, S7 151F/315F/317F/416F (2002/2003)
Siemens Safety Systems.
First large safety project 1985, Oseberg Feltsenter.
Today nearly 30% of installed safety systems in the Norwegian part of the North Sea, and numerous deliveries worldwide.
First solutions: Simatic PLCs with additional hardware, two PLCs running independently.
Today a full range of S7 F, TÜV-verified systems.
Work procedures according to IEC 61508, SINTEF-verified, and a full scope of function blocks and typicals.
Siemens Safety Systems, traditional systems. Siemens Safety Systems applications are based on long experience:
Oseberg B 1987, Oseberg A 1988, Snorre TLP 1990, Embla 1991, Brage 1992, Eldfisk alpha 1993, Ekofisk 1995, Vigdis 1995, Statfjord C 1995, Njord A & B 1995, Petrojarl Foinhaven 1996, Oseberg East 1997, Visund 1998, Statfjord B 1998, Eldfisk WIP 1999, Troll C 1999, Oseberg Gas 1999, Embla 2000, Oseberg South 2000, Huldra 2000, Snorre B 2000, Statfjord A 2000, Stena Don 2000.
Siemens Safety Systems, S7, PCS7:
HULDRA (Norway) 2000; MAERSK XL1/XL2 (world's largest jack-ups, built in Korea) 2002; EKOFISK 2/7A 2002; Visund 2006-2011; Halfdan, 5 platforms (Denmark, built in Singapore and Holland) 2003-2011; Al Shaheen (28 platforms in Qatar) 2003-2010; White Rose FPSO (Canada, built in Canada/Korea/Abu Dhabi/USA) 2005; P50, Albacore Leste FPSO (Brazil), PRA 1 2005-2007; FPSOcean 1 (China) 2007-2009; Santa Fe (USA, 2 drilling rigs) 2004; Oseberg Field-centre (Norway) (113 off S7 400/400FH, 35000 I/O) 2005-2007; Statfjord A/B/C ESD and F&G 2004-2007; Sevan SSP300-1, 2 and 3 2005-2008; Deep Sea Driller 1 and 2 2007-2011; Blackford Dolphin 2006-2008; Snorre TLP 2006-2011; Tor 2011; Yme (upgrade) 2011.
Safety Systems Applications. What is a safety system (SIS)? Where does it intervene in the development of an accident, and hopefully stop it?
[Figure: layers of protection, from normal operation outwards]
Normal activity: process control system (basic automation) acting on the process value
Process alarm: plant personnel intervene
Safety shutdown: safety system (automatic), the Safety Instrumented System (SIS)
Active protection: overpressure valve, rupture disc
Passive protection: collection basin
Disaster protection
Safety Systems Applications. What is a safety system (SIS)?
[Figure: a reactor with pressure transmitters PT1A and PT1B, a flow transmitter FT, a low-level signal and an I/P converter. The Basic Process Control System (BPCS) and the Safety Instrumented System (SIS) each have their own inputs and outputs.]
Safety Systems Applications. And what is "Equipment Under Control", EUC?
[Figure: a pressurized vessel as the EUC, controlled by AS 414 F / AS 417 F controllers over PROFIBUS-DP to an ET 200M station with IM 153, safety module, F-I/O modules and standard I/O modules.]
Safety Systems Applications. Purpose: risk reduction by safety systems, SIS.
[Figure from IEC 61508: increasing risk from left to right. Residual risk < tolerable risk < EUC risk. The necessary risk reduction is the gap between the EUC risk and the tolerable risk; the actual risk reduction is the risk reduction achieved by all safety systems, which must bring the residual risk below the tolerable risk.]
The purpose of introducing a safety system is to bring the risk down to an acceptable level.
Safety Systems Applications. What is risk? Who decides what is acceptable risk?
Examples of fatality risk figures (cpm = chances per million of the population per year; last column is the chance over a 100-year lifetime):
Road accident        100 cpm     1.0x10^-4/yr   1 in 100
Car accident         150 cpm     1.5x10^-4/yr   1.5 in 100
Accident at work      10 cpm     1.0x10^-5/yr   1 in 1000
Falling aircraft       0.02 cpm  2.0x10^-8/yr   2 in 1,000,000
Lightning strike       0.1 cpm   1.0x10^-7/yr   1 in 100,000
Insect/snake bite      0.1 cpm   1.0x10^-7/yr   1 in 100,000
Smoking 20 per day  5000 cpm     5.0x10^-3/yr   1 in 2
Safety Systems Applications. Risk reduction by safety systems, SIS.
[Figure: likelihood versus consequence. Hazard #1 starts in the unacceptable risk region; each protection layer (containment dike, control system, operator intervention, safety instrumented function) moves it towards the tolerable risk region. The safety instrumented function is shown at SIL1, SIL2 and SIL3.]
The risk reduction is larger at a higher SIL.
Safety Systems Applications. What is a safe state? Can the safety system bring the area or equipment to a safe state? How? What is required?
[Figure: power plant]
Safety Systems Applications. Some of the safety system applications:
ESD, Emergency Shutdown
F&G, Fire & Gas Detection, fire-fighting
Process Shutdown
Fire-pump logic
Ballast control
Blow-down
Riser release / anchor release
Fire dampers, active smoke control
HIPPS, High Integrity Pressure Protection System
Safety Systems. Topology for total platform control system including safety.
Fire & Gas Topology (sample)
[Figure: Siemens S7-400FH controllers (SIL3, and redundant) on PROFIBUS/PROFIsafe (SIL3) to SIL 2 field I/O; Industrial Ethernet 100 Mbit between controllers (communication to other nodes SIL3); Ethernet 100 Mbit to operator stations with F&G/ESD wide-screen overview (commands from OS to SIL3). Software is implemented according to procedure, SIL 3.]
[Figure: F&G alarm panel with indicators and buttons: Power; Fire brigade received; Fire ventilation activated; Fire extinguishing activated; alarm display with numeric keypad; Silence buzzer; Silence sounders; Reset; More alarms; Prewarning; Early warning; System fault; Function disabled; Test; Fault; Self verify.]
F&G System Topology (the different modules)
[Figure labels:]
– S7-400FH (SIL3, and redundant) and S7-400F (SIL3) controllers
– PROFIBUS or PROFIsafe (SIL3); PROFIBUS/PROFIsafe SIL3 and redundant; PROFIBUS/PROFIsafe SIL3, optical and redundant
– I/O modules SIL 2/3
– Output modules, F-SMs, SIL 2/3, redundant, or a redundant output configuration verified by SINTEF (SIL2/3)
– Analogue inputs (each SIL1) in one-of-many voting (total is SIL2)
– F&G Matrix. Note: separate bus systems are used for the interface to the matrixes to avoid common mode failures with field I/O
– Redundant, optical, 100 Mbit Industrial Ethernet
– Remote control (Veslefrikk) over radio
– Redundant servers, each with dual power supplies and multiple CPUs (tolerant of CPU errors)
– Redundant operator stations, each with dual power supplies and multiple CPUs (tolerant of CPU errors)
– Autronica fire panel over the Autronica protocol; hardwired alarm; fire area (1 of n gives alarm)
Summary: fail-safe I/O modules; high-available and fail-safe CPUs; redundant integrated safety and process network; addressable fire detection systems; redundant communications interface; redundant fail-safe communications, SIL3 (PROFIsafe); redundant safety servers; redundant operator stations; F&G matrix.
ESD Topology (sample)
[Figure labels: Siemens S7-400F (SIL3) and S7-400FH (SIL3, and redundant) in the controller cabinet; PROFIBUS/PROFIsafe (SIL3) to remote "fail safe" input/output modules, F-SMs SIL 2/3, and to remote input/output modules IS1 or ET200M SIL0/1 in the field termination cabinet; ESD matrix; Industrial Ethernet 100 Mbit between controllers (communication to other nodes SIL3); Ethernet 100 Mbit to redundant safety servers (built-in redundancy and auto-repair), operator stations with F&G/ESD wide-screen overview (commands from OS to SIL3) and an engineering station. Software is implemented according to procedure, SIL 3; hardware design according to procedure, SIL 3.]
PSD Topology (sample)
[Figure labels: Siemens S7-400F (SIL3) controllers in the controller cabinet; PROFIBUS/PROFIsafe (SIL3) to remote ET200iS or "fail safe" input/output modules, F-SMs SIL 2/3, and to remote input/output modules IS1 or ET200M SIL0/1 in the field termination cabinet or junction box; Industrial Ethernet 100 Mbit between controllers (communication to other nodes SIL3); Ethernet 100 Mbit to redundant servers, operator stations (commands from OS to SIL3) and an engineering station. Software is implemented according to procedure, SIL 3; hardware design according to procedure, SIL 3.]
Marine Control System (SIL 3)
[Figure labels: S7-400FH (SIL3, and redundant) with CPU A in controller cabinet A and CPU B in controller cabinet B, joined by a synchronization link; S7-400F (SIL3); PROFIBUS/PROFIsafe (SIL3) to remote "fail safe" input/output modules, F-SMs SIL 2/3, and to remote input/output modules IS1 or ET200M SIL0/1 in the field termination cabinet or junction box; manual ballast functions; Industrial Ethernet 100 Mbit between controllers (communication to other nodes SIL3); Ethernet 100 Mbit to redundant servers, operator stations (commands from OS to SIL3) and an engineering station. Software is implemented according to procedure, SIL 3; hardware design according to procedure, SIL 3.]
Subsea PSD solution and HIPPS, both SIL3 (supplier document review: accepted)
[Figure labels. Topside: ESD, S7-400F, SIL3; PSD, S7-400F, SIL2/3; PCS, S7-400; PROFIBUS DP / PROFIsafe (SIL3); hydraulic supply (HPU) and bleed hydraulic (SIL 3); RF modems (PROFIBUS DP to topside modem at 19.2 kbit/s; RF modem link at 183 kbit/s). Umbilical with centre line, twisted pair and fibre-optic cable (connections numbered 1-6, x = number of connections, including hydraulic) and riser (stigerør). Subsea (remote I/O): PSD remote I/O Simatic S7 F-SM (SIL3), RIO (F-SM), remote F-SM SIL3, subsea HIPPS/SIL 3 on S5 95F / S7 300F, HIPPS 1 and HIPPS 2, SCSSV, PMV, PWV, SSIV, choke, EV, PSV, titanium pipe/enclosure; 4-20 mA pressure (P) and temperature (T) transmitters in slot no. 1 and slots no. 2-4; production.]
IEC 61508
The safety level is applicable for the total solution and for all the project's lifecycles.
The system solution covers the EUC, including HMI:
– HW engineering, construction and testing, by use of a standard hardware set-up with special modules approved by TÜV
– Software: function blocks (basic blocks approved by TÜV), protocols and drivers approved by TÜV, application program (according to procedure)
– Maintenance procedures; operation and modification procedures
IEC 61508, Quality Assurance and a few direct requirements
[Figure: the overall safety lifecycle (IEC 61508-1, figure 2) and the software safety lifecycle.]
Overall safety lifecycle phases: 1 Concept; 2 Overall scope definition; 3 Hazard and risk analysis; 4 Overall safety requirements; 5 Safety requirements allocation; 6 Overall operation and maintenance planning; 7 Overall safety validation planning; 8 Overall installation and commissioning planning; 9 Safety-related systems: E/E/PES, realisation (see E/E/PES safety lifecycle); 10 Safety-related systems: other technology, realisation; 11 External risk reduction facilities, realisation; 12 Overall installation and commissioning; 13 Overall safety validation; 14 Overall operation, maintenance and repair; 15 Overall modification and retrofit (back to the appropriate overall safety lifecycle phase); 16 Decommissioning or disposal.
Software safety lifecycle (box 9): 9.1 Software safety requirements specification (9.1.1 safety functions requirements specification, 9.1.2 safety integrity requirements specification); 9.2 Software safety validation planning; 9.3 Software design and development; 9.4 Software operation and modification procedures; 9.5 PE integration (hardware/software); 9.6 Software safety validation; then to box 12 and box 14 in figure 2 of part 1.
NOTE 1 Activities relating to verification, management of functional safety and functional safety assessment are not shown for reasons of clarity but are relevant to all overall, E/E/PES and software safety lifecycle phases.
NOTE 2 The phases represented by boxes 10 and 11 are outside the scope of this standard.
NOTE 3 Parts 2 and 3 deal with box 9 (realisation) but they also deal, where relevant, with the programmable electronic (hardware and software) aspects of boxes 13, 14 and 15.
IEC 61508, implementation according to proven procedures.
Safety requirements shall be specified, and the requirements shall be traceable through all engineering phases.
Internal procedures for development of software according to IEC 61508, developed in co-operation with SINTEF Tele and Data: specification, planning, implementation, verification, validation, modifications.
Internal procedures for hardware design and production according to IEC 61508, made on the same structure as the SINTEF-verified SW procedure.
Basic principles to fulfil IEC 61508
Basically three requirements:
1. Quality assurance (98% of IEC 61508)
2. Requirement on the availability of the safety function (PFD requirement, Probability of Failure on Demand)
3. Requirement on the safe failure fraction (SFF requirement)
Answers to the requirements:
1. Work methodology, procedures, qualified workers
2. Equipment quality, redundancy, second resort, diagnostics
3. Fail-to-safe design, diagnostics
Diagnostics, feedback and redundancy
Diagnostics / feedback: diagnostics give the possibility to repair dangerous errors before an emergency situation, hence improving PFD and SFF. Increased diagnostics also give room for extension of the test interval, hence saving cost. Feedback gives the opportunity to use a second shutdown possibility in case the first one fails, hence improving PFD (it goes down) and SFF (it goes up).
Redundancy / second shutdown facility: more than one shutdown facility, either all activated at the same time or the second facility used as a result of feedback when the first is failing, gives improved SFF and PFD.
Risk Graph. Risk determination (one of several methods): how to find the required Safety Integrity Level (SIL) of the safety system.
[Figure: risk graph tree. Severity S1-S4 branches into frequency F1/F2, then avoidance A1/A2, and the required SIL is read off in the column for probability of occurrence P3, P2 or P1. Extracted column values, top to bottom: P3: -, 1, 1, 2, 3, 3, 4, 4; P2: -, 1, 1, 2, 3, 3, 3, 4; P1: -, -, -, 1, 1, 2, 3, 3 ("-" = no special safety requirement).]
S: Severity of injury/damage. 1: small injury, minor environmental damage. 2: serious irreversible injury of many people, or a death; temporary serious environmental damage. 3: death of many people; long-term serious environmental damage. 4: catastrophic results, many deaths.
F: Frequency and/or exposure time to hazard. 1: seldom - quite often. 2: frequent - continuous.
A: Avoiding the hazard. 1: possible. 2: not possible.
P: Probability of occurrence. 1: very low. 2: low. 3: relatively high.
Safety Integrity Levels, direct requirement IEC 61508 (S7-400F/FH by Siemens)
Requirement class (AK), DIN V 19250 | SIL, IEC 61508 | Probability of dangerous failure per hour (continuous / high demand mode, IEC 61508) | Probability of failure on demand (low demand mode, IEC 61508) | Control category, EN 954-1
AK 1        | ---   | --               | --               | B
AK 2 and 3  | SIL 1 | 10^-5 to 10^-6   | 10^-1 to 10^-2   | 1 and 2
AK 4        | SIL 2 | 10^-6 to 10^-7   | 10^-2 to 10^-3   | 3
AK 5 and 6  | SIL 3 | 10^-7 to 10^-8   | 10^-3 to 10^-4   | 4
AK 7 and 8  | SIL 4 | 10^-8 to 10^-9   | 10^-4 to 10^-5   | ---
Safety Integrity Levels, direct requirement IEC 61508
IEC 61508 requires a higher safe failure fraction for "intelligent" (complex, type B) components than for simple (type A) components.
Hardware safety integrity: architectural constraints on type A safety-related subsystems
Safe failure fraction | Hardware fault tolerance 0 | 1 | 2
< 60 %      | SIL1 | SIL2 | SIL3
60 % - 90 % | SIL2 | SIL3 | SIL4
90 % - 99 % | SIL3 | SIL4 | SIL4
> 99 %      | SIL3 | SIL4 | SIL4
Hardware safety integrity: architectural constraints on type B safety-related subsystems
Safe failure fraction | Hardware fault tolerance 0 | 1 | 2
< 60 %      | not allowed | SIL1 | SIL2
60 % - 90 % | SIL1        | SIL2 | SIL3
90 % - 99 % | SIL2        | SIL3 | SIL4
> 99 %      | SIL3        | SIL4 | SIL4
Safety Integrity Levels, PFD calculation
[Figure: F&G loop with gas detector and control valve, and its safety reliability block diagram: gas detector (4-20 mA) → AI (PROFIsafe) → CPU → DO (PROFIsafe) → ESV (control valve).]
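The three slides above state the PFD bands, the architectural-constraint tables and the series block diagram of the F&G loop but do not carry the arithmetic through. The block below is an added example, not Siemens code or any vendor's reliability data: it models the loop as a series reliability block diagram, computes a simplified low-demand PFDavg per element (1oo1 and 1oo2 with a beta-factor common-cause term; the repair-time and dangerous-detected terms of the full IEC 61508-6 formulas are left out), looks up each element's maximum SIL from the SFF/HFT tables, and takes the achieved SIL as the minimum of the PFD band and the weakest architectural limit. All failure rates, the 0.99 band boundary handling and the annual proof test are constructed assumptions.

```python
"""Added example (not Siemens code): PFDavg and IEC 61508 architectural-constraint
arithmetic for a simple F&G loop (gas detector, F-AI, F-CPU, F-DO, shutdown valve)
modelled as a series reliability block diagram. Every failure rate below is
constructed for illustration, not vendor data."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    name: str
    lam_dd: float   # dangerous detected failures per hour
    lam_du: float   # dangerous undetected failures per hour
    lam_s: float    # safe failures per hour
    type_b: bool    # complex ("type B") element per IEC 61508-2
    hft: int        # hardware fault tolerance of this element's arrangement
    vote: str       # "1oo1" or "1oo2" (the only two arrangements modelled)


def sff(e: Element) -> float:
    """Safe failure fraction: everything except dangerous undetected failures."""
    total = e.lam_dd + e.lam_du + e.lam_s
    return (e.lam_dd + e.lam_s) / total


# Maximum SIL allowed by the architectural-constraint tables (IEC 61508-2),
# indexed [hft][sff_band]; 0 means "not allowed".
ARCH_TYPE_A = {0: (1, 2, 3, 3), 1: (2, 3, 4, 4), 2: (3, 4, 4, 4)}
ARCH_TYPE_B = {0: (0, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)}


def sff_band(s: float) -> int:
    """0: <60 %, 1: 60-90 %, 2: 90-99 %, 3: >=99 % (boundary handling is an assumption)."""
    return 0 if s < 0.60 else 1 if s < 0.90 else 2 if s < 0.99 else 3


def max_sil_by_architecture(e: Element) -> int:
    table = ARCH_TYPE_B if e.type_b else ARCH_TYPE_A
    return table[e.hft][sff_band(sff(e))]


def pfd_avg(e: Element, proof_test_hours: float, beta: float = 0.1) -> float:
    """Simplified low-demand PFDavg: 1oo1 = lam_du*T/2;
    1oo2 = (lam_du*T)^2/3 + beta*lam_du*T/2 (beta-factor common-cause term)."""
    x = e.lam_du * proof_test_hours
    if e.vote == "1oo1":
        return x / 2
    if e.vote == "1oo2":
        return x * x / 3 + beta * x / 2
    raise ValueError(f"unsupported voting {e.vote}")


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg; 0 means below SIL1."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def loop_assessment(elements, proof_test_hours=HOURS_PER_YEAR):
    """Series RBD: loop PFD is the sum of element PFDs; the achieved SIL is the
    minimum of the PFD band and every element's architectural limit."""
    contributions = {e.name: pfd_avg(e, proof_test_hours) for e in elements}
    total = sum(contributions.values())
    arch_limit = min(max_sil_by_architecture(e) for e in elements)
    return {
        "pfd": total,
        "contributions": contributions,
        "sil_by_pfd": sil_from_pfd(total),
        "sil_by_architecture": arch_limit,
        "achieved_sil": min(sil_from_pfd(total), arch_limit),
    }


# Constructed loop: detectors voted 1oo2, electronics single, one valve.
FG_LOOP = [
    Element("gas detector", 1e-6, 5e-7, 1e-6, True, 1, "1oo2"),
    Element("F-AI module", 1.99e-7, 1e-9, 0.0, True, 0, "1oo1"),
    Element("F-CPU", 4.99e-7, 1e-9, 0.0, True, 0, "1oo1"),
    Element("F-DO module", 1.99e-7, 1e-9, 0.0, True, 0, "1oo1"),
    Element("shutdown valve", 1e-6, 1e-6, 1e-6, False, 0, "1oo1"),
]

if __name__ == "__main__":
    r = loop_assessment(FG_LOOP)
    for name, pfd in r["contributions"].items():
        print(f"{name:15s} PFD={pfd:.2e} ({100 * pfd / r['pfd']:.0f} %)")
    print(f"loop PFD={r['pfd']:.2e} -> SIL{r['sil_by_pfd']} by PFD, "
          f"SIL{r['sil_by_architecture']} by architecture, achieved SIL{r['achieved_sil']}")
```

With these constructed figures the valve contributes well over 90 % of the loop PFD and, being a type A element with HFT 0 and an SFF between 60 % and 90 %, also caps the architecture at SIL2: the two checks point at the same element, which is the usual outcome for a single final element and the reason the topologies earlier in the deck vote detectors 2oo3 and valves 1oo2.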
Safety Control System, SIMATIC S7-300/400 F/FH
Safety Controller S7 FH: certified up to SIL 3; redundant systems (*).
CPU            Memory    F-I/Os
S7-315F-2DP    192 kB    300
S7-317F-2DP    1 MB      500
S7-319F-2DP    1.4 MB    1000
S7-412-3H *)   768 kB    100
S7-414-4H *)   2.8 MB    600
S7-417-4H *)   30 MB     3000
*) H CPU, usable in a redundant system
Components S7-400F/FH
– High available system S7-417FH as a basis: CPU 417-4H with TÜV-certified basis SW/HW (SIL3); TÜV-certified failsafe logic SW blocks (SIL3)
– Engineering / hardware configuration / programming: configuration of the S7-400F hardware with standard HW Config; graphical engineering (programming) with standard CFC (Continuous Function Chart); coexistence of standard and F-applications (SIL3) in one CPU
– Connection to the process devices: failsafe I/O modules (SIL1 - 3); PROFIsafe (extra safety layer on top of PROFIBUS) (SIL3) to ensure failsafe communication via PROFIBUS-DP
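The deck presents PROFIsafe only as "an extra safety layer" on PROFIBUS, and later (S7-F concept) as the receiver-side comparison whose error handling is "safe substitute values and error message". The block below is an added example, not Siemens code and not the PROFIsafe wire format: it implements the generic black-channel measures such a layer adds over an untrusted bus (consecutive number, expected sender code, CRC over the data, time expectation) and a receiver that passivates the channel, i.e. hands the consumer substitute values until an operator acknowledgement, on any failed check. Frame layout, field widths, zlib.crc32 as the integrity check, the F-address values and the payload are assumptions.

```python
"""Added example (not Siemens code, not the PROFIsafe wire format): black-channel
safety measures over an untrusted fieldbus, with passivation on any failure.
Frame layout, CRC choice, addresses and payloads are constructed assumptions."""
import itertools
import struct
import zlib

HEADER = struct.Struct(">HHB")       # F-address, consecutive number, payload length
CRC = struct.Struct(">I")            # CRC32 over header + payload (stand-in for the real CRC)
SAFE_VALUES = b"\x00\x00\x00\x00"    # substitute values: all outputs de-energized


def build_frame(f_address: int, seq: int, payload: bytes) -> bytes:
    """Sender side: header, CRC over header and payload, then the payload."""
    header = HEADER.pack(f_address, seq & 0xFFFF, len(payload))
    crc = zlib.crc32(header + payload) & 0xFFFFFFFF
    return header + CRC.pack(crc) + payload


class SafetyReceiver:
    """Receiver side: every failed check passivates the channel, so the consumer
    gets safe substitute values until an operator acknowledgement re-arms it."""

    def __init__(self, expected_address: int, watchdog_ms: int):
        self.expected_address = expected_address
        self.watchdog_ms = watchdog_ms
        self.last_seq = None
        self.last_ok_ms = None
        self.passivated = False

    def acknowledge(self):
        """Operator acknowledgement (ACK_REQ in the ESD program): re-arm the channel.
        Restarting the sequence tracking here is a simplification."""
        self.passivated = False
        self.last_seq = None
        self.last_ok_ms = None

    def _check(self, frame: bytes, now_ms: int) -> bytes:
        if len(frame) < HEADER.size + CRC.size:
            raise ValueError("short frame")
        header = frame[:HEADER.size]
        f_address, seq, length = HEADER.unpack(header)
        (crc,) = CRC.unpack(frame[HEADER.size:HEADER.size + CRC.size])
        payload = frame[HEADER.size + CRC.size:]
        if len(payload) != length:
            raise ValueError("length mismatch")
        if zlib.crc32(header + payload) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch")                       # data consistency
        if f_address != self.expected_address:
            raise ValueError(f"unexpected F-address {f_address:#06x}")   # authenticity
        if self.last_seq is not None and (seq - self.last_seq) % 0x10000 != 1:
            raise ValueError(f"consecutive number error: got {seq}, "
                             f"expected {(self.last_seq + 1) & 0xFFFF}")  # loss/repeat/reorder
        if self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.watchdog_ms:
            raise ValueError("watchdog expired")                    # time expectation
        self.last_seq, self.last_ok_ms = seq, now_ms
        return payload

    def receive(self, frame: bytes, now_ms: int):
        """Return (process values handed to the consumer, error message or None)."""
        if self.passivated:
            return SAFE_VALUES, "passivated, acknowledgement required"
        try:
            return self._check(frame, now_ms), None
        except ValueError as exc:
            self.passivated = True
            return SAFE_VALUES, str(exc)


def demo():
    """Constructed fault injections on one channel; returns the receiver's verdicts."""
    rx = SafetyReceiver(expected_address=0x0203, watchdog_ms=100)
    counter = itertools.count(1)

    def send(payload, address=0x0203):
        return build_frame(address, next(counter), payload)

    trip = b"\x01\x00\x00\x00"          # constructed payload: bit 0 = "shutdown demand"
    verdicts = {"good": rx.receive(send(trip), 0)}
    corrupted = bytearray(send(trip))
    corrupted[-1] ^= 0x01               # one flipped bit on the wire
    verdicts["bit_flip"] = rx.receive(bytes(corrupted), 10)
    rx.acknowledge()
    replay = send(trip)
    rx.receive(replay, 20)
    verdicts["replay"] = rx.receive(replay, 30)          # same frame delivered twice
    rx.acknowledge()
    rx.receive(send(trip), 100)
    verdicts["stale"] = rx.receive(send(trip), 300)      # 200 ms gap, watchdog is 100 ms
    rx.acknowledge()
    verdicts["wrong_source"] = rx.receive(send(trip, address=0x0204), 310)
    return verdicts


if __name__ == "__main__":
    for case, (values, err) in demo().items():
        print(f"{case:13s} -> {values.hex()} {err or 'accepted'}")
```

Note what the checks do and do not buy: a CRC and a sequence counter catch bus faults and accidental replays, which is what a black channel is designed for; they are not a cryptographic authenticity check, so an attacker with bus access can forge valid frames. That is why the topologies in this deck physically separate the safety bus from the field I/O bus and the plant network rather than relying on the safety layer alone.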
Basic principle "Protected F-Islands"
[Figure: the safety-related user program and the failsafe I/O modules sit inside a safety-related frame on the CPU hardware and CPU operating system, isolated from the standard user programs, from any faults in other modules and from environmental factors.]
S7 400F F/H system - modularity
[Figure: a PC with standard engineering software and the F-programming tool produces the F-application program for a standard CPU 417-4H; standard PROFIBUS-DP carries the PROFIsafe protocol to F-I/Os (ET200M) alongside standard I/Os (ET200M).]
S7-400H Redundancy Principle
[Figure: two identical racks, each with power supply (PS), CPU, communication processor (CP) and digital/analogue input and output modules (DE, DA, AE, AA), connected to the process through interface modules (IM) and function modules (FM); synchronization, information and status exchange between the two CPUs.]
I/O Configuration: switching of master by use of redundant PROFIBUS
[Figure: two PROFIBUS-DP lines to a redundant IM 153-2 pair; bus module and active backplane bus; the I/O with active backplane bus performs the switchover; L+ power to each IM.]
Target: reduce common mode faults for the switch-over to a minimum. Achieved by: a very simple component does the switchover.
Redundant S7-400H: a synchronization procedure is required
[Figure: partial PLC A and partial PLC B shown without synchronization, with cycle synchronization, with time synchronization and with command synchronization (Siemens patent).]
Synchronization of all commands whose execution would trigger different states in the two partial PLCs.
Flexible Set-ups: together, the listed principles result in a flexible set-up
– Fail safe: S7-400F, PROFIBUS-DP, F-I/O modules, SIL 3, AK6
– Fail safe and high availability: redundant S7-400FH, redundant PROFIBUS-DP, F-I/O modules, SIL3, AK6
– Fail safe and high availability: redundant S7-400FH, redundant PROFIBUS-DP, redundant F-I/O modules, SIL3, AK6
[Figure: AS 414 F / AS 417 F controllers on PROFIBUS-DP to ET 200M stations with IM 153 (single) or 2 x IM 153-2 (redundant), safety module, F-I/O modules (single or redundant) and standard I/O modules.]
Flexible Modular Redundancy™
[Figure series: AI, DI and DO modules shown simplex, dual and triple.]
– Make any component redundant
– Physically separate redundant resources
– Mix and match redundancy (simplex, dual, triple)
– Tolerate multiple faults with no impact on safety
– Safety is not dependent on redundancy; all components are SIL3-capable
– Redundancy only for availability; no degraded mode
Flexible Set-ups
– Multiple fault tolerant: the fieldbus architecture allows the system to tolerate multiple faults without interruption
– I/O redundancy independent of CPU redundancy
– All components rated for SIL3; no degraded mode; safety not dependent on redundancy
[Figure: 2oo3 PT and 1oo2 valves.]
Alternative setup by others: fail safe and high availability due to 2oo3 HW voting (sample from Triconex design).
Input and output modules to SIL 3, 2 and 1
– ET 200M F-SM, Fail Safe Modules (F-SMs alongside standard SMs in the same rack)
– ET 200iSP, zone 1: small granularity modules for Zone 1, SIL3
– ET 200S: small granularity modules can cover SIL1 to SIL3
SIL3, 2 or 1 dependent on configuration (TÜV): SIL 3 also in single configuration for most modules; SIL 3 with single or redundant bus connection.
Architecture S7-300 Fail Safe Modules (sample)
F-digital output with built-in redundancy, self verification and degrading.
[Figure: bus interface and dual-port RAM feed two microcontrollers; an output driver with output supply V and a second disconnection facility on L+; the terminal value is read back to the microcontrollers.]
If the output driver fails to bring the output to the safe state "0", the microcontroller, based on the read back, orders the second disconnection facility to shut the card down.
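The read-back and second-disconnection mechanism described above, as an added simulation that is not Siemens code: a constructed output-driver model with injectable stuck-on and stuck-off faults, a channel that reads the terminal back after every command, and the degrading rule from the slide (safe state not reached on a "0" command: open the second disconnection facility and shut the card down; cannot energize on a "1" command: stay de-energized and report). Component behaviour, the single-microcontroller view and the fault messages are assumptions.

```python
"""Added example (not Siemens code): one channel of a fail-safe digital output with
read-back and a second disconnection facility. Driver behaviour and fault texts
are constructed for illustration."""


class OutputDriver:
    """Constructed model of the output transistor; faults are injected via the flags."""

    def __init__(self):
        self.level = 0
        self.stuck_on = False    # shorted: cannot switch off
        self.stuck_off = False   # open: cannot switch on

    def set(self, level: int) -> None:
        if self.stuck_on:
            self.level = 1
        elif self.stuck_off:
            self.level = 0
        else:
            self.level = 1 if level else 0


class FailSafeDO:
    """One F-DO channel: command, read back, compare, degrade on discrepancy."""

    def __init__(self):
        self.driver = OutputDriver()
        self.second_disconnect_open = False   # True = card output supply (L+) cut
        self.fault = None

    def terminal(self) -> int:
        """Read back: the field terminal is live only if the driver is on AND the supply is connected."""
        return 0 if self.second_disconnect_open else self.driver.level

    def command(self, level: int) -> int:
        """Microcontroller cycle for one command; returns the read-back terminal level."""
        if self.fault is not None:
            return self.terminal()   # degraded card keeps its safe state until repaired
        self.driver.set(level)
        if self.terminal() != level:
            if level == 0:
                # Safe state not reached through the driver: take the second path.
                self.second_disconnect_open = True
                self.fault = "output driver stuck on: second disconnection facility opened"
            else:
                self.fault = "output cannot be energized: channel failed safe"
        return self.terminal()


def scenario(fault, commands):
    """Constructed sequence: run the commands, injecting `fault` ("stuck_on",
    "stuck_off" or None) after the first one. Returns (read-backs, supply cut?, fault)."""
    card = FailSafeDO()
    readbacks = []
    for i, level in enumerate(commands):
        if i == 1 and fault == "stuck_on":
            card.driver.stuck_on = True
        if i == 1 and fault == "stuck_off":
            card.driver.stuck_off = True
        readbacks.append(card.command(level))
    return readbacks, card.second_disconnect_open, card.fault


if __name__ == "__main__":
    for f in (None, "stuck_on", "stuck_off"):
        print(f, scenario(f, [1, 0, 1]))
```

The point a practitioner should take from it: the read-back turns a silent dangerous failure (a shorted driver that cannot de-energize the valve solenoid) into a detected one, which is exactly what moves a failure from the dangerous-undetected to the dangerous-detected class in the SFF and PFD arithmetic earlier in the deck.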
S7-300 Fail Safe Modules
– Redundant microcontrollers in each I/O module
– Safety Integrity Level: 1oo1 evaluation, SIL 2, AK 4; 1oo2 evaluation, SIL 3, AK 6, internal in the module
– Diagnosis of internal and external errors: mutual function checking of the microcontrollers; input or output test; branching of the input signals to both microcontrollers; discrepancy analysis of the redundant input signals; readback of the output signals and discrepancy analysis
– Second disconnection facility in the case of outputs
– Communication with the CPU via PROFIsafe
S7-300 Fail Safe I/O Modules, samples of modules available:
SM326F, DI DC24V: 24 x SIL2, 12 x SIL3, with diagnostics interrupt
SM326F, DI NAMUR [EEx ib]: 8 x SIL2, 4 x SIL3, with diagnostics interrupt
SM326F, DO DC24V/2A: 10 x SIL3, current source, diagnostics interrupt
SM336F, AI 4-20mA: 6 x SIL2 or 3, with diagnostics interrupt
Fail Safe I/O Modules. Library for interfaces to field devices
SAFETY INPUTS AND OUTPUTS, S7 400F WITH SAFETY I/O MODULES, F-SMs
AI-41F Safe analogue input, 4-20 mA, 2 wire, SIL 2
AI-43F Safe analogue input, 4-20 mA, 3 wire, SIL 2, current source
AI-44F Safe analogue input, 4-20 mA, 3 wire, SIL 2, high power consumption
AI-50F Safe high available analogue input, 4-20 mA, 2 wire, 2oo3
AI-51F Safe analogue input, 4-20 mA, 2 wire, to digital, SIL 2
AI-IS-41F Safe analogue input, 4-20 mA, EEx(i)(a), 2 wire, SIL 2
AI-IS-51F Safe analogue input, EEx ib IIC, 4-20 mA, to digital, SIL 2
DI-41F Safe digital input, SIL 2
DI-42F Safe high available digital input, SIL 2
DI-44F Safe digital input from clean contact / NAMUR, SIL 2
DI-IS-41F Safe, EEx ib IIC, digital input from clean contact / NAMUR, SIL 2
DI-IS-46F Safe, high available, EEx ib IIC, double clean contact / NAMUR, SIL 2; also Safe, EEx ib IIC, double clean contact / NAMUR, SIL 3
DO-41F Safe digital output, 24 V DC, 2 A, SIL 2/3
DO-41FR Safe digital output with relay, SIL 2
DO-RE-45F Safe, high available, digital output, 24 V DC, 2 A, SIL 2/3
DO-46F Safe digital output with manual release, 24 V DC, 2 A, SIL 2/3
DI-MA-41F Safe, high available digital input from pushbutton, SIL 3
DI-MA-42F Safe, high available digital input from pushbutton, SIL 2
DI-MA-43F Safe digital input from pushbutton, SIL 3
DI-MA-44F Safe digital input from pushbutton, SIL 2
DI-MA-45F Safe, high available digital input from pushbutton, SIL 3
DI-MA-46F Safe, high available digital input from pushbutton, SIL 2
DI-MA-47F Safe digital input from pushbutton (with LED), open contact, SIL 2
DI-MA-48F Safe digital input from pushbutton (without LED), open contact, SIL 2
DI-MA-49F Safe digital input from pushbutton, NAMUR, SIL 2
DO-MA-41F Safe digital output to LED / lamp, SIL 2/3
DO-MA-42F Safe digital output to two LEDs / lamps, SIL 2/3
DO-MA-43F Safe digital output to LED in fire-fighting release pushbutton, SIL 2
[Figure: wiring typical for circuit code DO-RE-45F on a 6ES7 326-2BF00-0AB0 module (10 DO, safe, channel 0, 2 A) and DO-MA-41 on a 6ES7 321-1BL00-0AA0 module (DI, 32 channels): 24 V DC power distribution (L+ 24 VDC, L- 0V, 16 A / 10 A fuses), main switch, read back, field termination cabinet, field terminal rail, junction box, field equipment, override, ESD matrix.]
Library with standard, pre-verified instrument interfaces.
Fail Safe I/O Modules. Development of interfaces to field devices
One often has to see things in context before discovering that special fault situations can exist.
Fail Safe I/O Modules. Development of interfaces to field devices
It is remarkable how uncomplicated something can be and still go wrong (example of use of the circuit from the preceding slide).
Operator interface to SIL3
The man-machine interface for daily use is the operator stations (but Bill Gates delivers no SIL3 solutions).
– Operator stations with commands to SIL3: high-end servers and operator stations, with redundancy and extensive diagnosis; a special TÜV-approved procedure for safe commands from operator stations to the F-area (safe island) for SIL3 commands to the controller.
– CAP solutions ensure an HMI interface to SIL3: LED elements connected to SIL3 remote I/O; the necessary information for an emergency situation; the necessary input elements to put the process into a safe state.
CAP or Matrix / Mimic to SIL3, simple and hardwired
Simple solutions: pushbuttons, lamps and switches lift and maintain the SIL for the total HMI.
CPU Software Architecture
[Figure: the F-user program (F-control blocks, F-user blocks) and the standard user program run on the standard operating system. The F-standard blocks and F-system blocks use the safety-relevant sections of the operating system: safety-relevant system function calls, safety-relevant self tests, F-access protection and program execution, alongside the communications, self tests and program execution of the standard OS.]
S7-F Concept, double processing in diverse environments
– Multi-channel storage of safety-critical data in instance DBs in the CPU, e.g. as the word-oriented complement COMP (DATA 0 ↔ COMP FFFFH, DATA 1 ↔ COMP 0H), protected by CRC.
– Multi-channel processing of the safety function in F-FBs by the SP7 ASIC of the CPU: standard operation on DATA (bit AND in the bit-arithmetic logic unit), multi-channel operation on COMP (word OR in the ALU); convert/copy between the two representations.
– CPU-internal comparison in the output driver to improve error locating. Error handling: disable outputs and stop the CPU.
– CPU-external comparison in the receiver (F-output modules and processing F-CPUs) of the safety-related message. Error handling: safe substitute values and error message.
Instead of redundancy of hardware, the Siemens safety system runs redundant software on the same hardware.
S o l u t i o n s f o r O i l & G a sS o l u t i o n s f o r O i l & G a s 100.57
A.O.Sveen, NTNU 2011
Time redundancy and instruction-diverse processing

Figure: the operands are encoded (A, B as Bool; /A, /B as Word), processed by the operation and its diverse counterpart (AND on the data, OR on the complement), giving result C and diverse result D = /C. The comparison checks D against /C and stops the CPU on a mismatch; the second pass is executed at a different time (time redundancy).

Time redundancy and diversity instead of hardware redundancy.

S7-F program concept: extensive comparison and monitoring
» Logical program execution and data flow monitoring.
» Bool and Word operations are processed in different parts of the CPU.
» Two independent hardware timers.
Programming: graphical programming in CFC according to IEC 1131 (IEC 61131)

» CFC
» F-library with TÜV-certified function blocks
» Links are structs
Simplified ESD program overview, sample

Figure: CFC plan of one ESD function (AOS 03.07.2001), "ESD System Configuration, SIL3". The diagram shows:
» The fail-safe program part: module drivers (F_M_DI, F_M_DO, F_M_AI, addressed by CHADDR) and channel drivers (F_CH_DI with Q / QN / QBAD / VALUE, F_CH_DO with VALUE / QUALITY / ACK_REQ / IACK_REI, F_CH_AI with VALUE / QUALITY / QBAD / ACK_NEC and range limits); the ESD function blocks F_MB_ESD (binary input, with status from OS and from field), F_MA_ESD (analogue input with HH / H / L / LL alarm limits), F_SB_ESD (binary output, with HW override, coincidence and disable-reset inputs) and F_SBI; the logic block F_LB (blocked from OS / blocked from field, to and from the ESD function); and F_OR4 for combining trips. Matrix and status-indication LEDs and the override from the matrix override switch are connected via an F-SM; fault annunciation and feedback of the outputs come from normal I/O.
» The standard program part: the corresponding G_MB_ESD, G_MA_ESD, G_SB_ESD and G_LB blocks, which collect the additional I/O diagnostic data (Q_DATA / V_DATA from the drivers FU, FBB, FE; optional), status for the LB-utilities (optional) and the status shown on the operator station.
» ESD input convention: Q is used for normally de-energised inputs, QN for normally energised inputs; symbolic addresses are used throughout.
» The OS part and the HMI / OS screen, with the normal program on one side of the plan and the safe program on the other.
Engineering tool: program protection

» Enabling of the fail-safe function of the CPU 417-4H or 414-4H in CFC.
» Read / write protection with password.
Program protection: program signature

» The F-program carries a signature, used for the TÜV certification. A program taken out of the CPU cannot be downloaded unless it carries the correct signature.
» The signature is generated by the programming tool and changes after every change to the program.

Because the tool regenerates the signature after every change, the signature identifies a program version (the one that was certified and accepted) rather than who made a change; restricting who can change the F-program is the job of the password protection and of the protection level set on the CPU.
Programming: comparison of existing and changed program

» CFC comparison of different F-program versions.
» Deviations shall be checked before the change is downloaded.
Hardware configuration: CPU parameters

» Safety-relevant parameters
» Set up the protection level
» Activate safety operation
Hardware configuration: F-DO parameters

» Safety-relevant parameters
Engineering: fail-safe I/O modules, with diagnostics configured according to the required SIL

» Enabling of the fail-safe function.
» Signal evaluation: 1oo1 (SIL 2) or 1oo2 (SIL 3).
Communication concepts to SIL3 / 2 / 1

» PROFIBUS DP / PROFIsafe for communication to approved PROFIsafe equipment, SIL3 / 2: F-SM remote I/O modules and other S7-400F or S7-300F nodes.
» Drivers for Ethernet communication to S7 F nodes, SIL3: communication on Ethernet between safety programs in S7 nodes.
» Communication from the OS to the safety program, to SIL3: a special routine and function blocks for verified commands from the OS to the F-area (safe island).
» Combination of PROFIBUS DP / PROFIBUS PA to SIL 2 / 3.
High-available communication (not required to achieve SIL)

Figure: a redundant optical ring bus connects two S7-400H controllers (each with PS, CPU and CP, with redundant CPs on the ring) and a single controller. The redundancy equivalent diagram shows each element (PS, CPU, CP, bus) duplicated.
SIMATIC ET 200M

Figure: redundant system with SIMATIC S7-400FH and ET 200M stations (AI, DI, DO and AO modules) on a redundant ring carrying the safety communications.
Enabling fail-safe fieldbus applications: basic concepts for communication to SIL3 and SIL2
Basic concepts for communication to SIL3 and SIL2: add the required safety layer to a standard protocol

Figure: standard I/O and standard control share the bus (protocol layers 1, 2 and 7) with safety input, safety control and safety output; each safety node adds a safety layer on top of the standard stack.

» "Black / grey channel": ASICs, links, cables etc. are not safety relevant.
» PROFIsafe: the parts of the safety-critical communication system, i.e. addressing, watchdog timers, sequencing, signature, etc.
» Safety relevant, but not part of the PROFIsafe profile: the safety I/O and the safety control systems.
» Non-safety-critical functions, e.g. diagnostics (a diagnostics program).
Basic concepts for communication to SIL3 and SIL2: the content of the required safety layer must cover the possible failures

Failure types and remedial measures. The measures must be executed and monitored inside one fail-safe unit.

Failure type                                   | Sequence number | Time out with receipt | Codename for sender and receiver | Data consistency check
Repetition                                     | X               |                       |                                  |
Deletion                                       | X               |                       |                                  |
Insertion                                      | X               |                       | X                                |
Resequencing                                   | X               |                       |                                  |
Data corruption                                |                 |                       |                                  | X
Delay                                          |                 | X                     |                                  |
Masquerade (standard message mimics fail-safe) |                 | X                     | X                                | X
FIFO failure within router                     |                 | X                     |                                  |
Standard PROFIBUS DP message

Frame layout (SD2, variable data length), preceded by a sync time of 33 TBit:

SD  | LE  | LEr | SD  | DA  | SA  | FC  | Data Unit    | FCS | ED
68H | ... | ... | 68H | ... | ... | ... | 1..244 bytes | ... | 16H

TBit = clock bit = 1 / baud rate
SD = start delimiter (here SD2, variable data length)
LE = length of data
LEr = repeated LE, not in FCS
DA = destination address
SA = source address
FC = function code (type of message)
Data Unit = standard or fail-safe data, 1..244 bytes (fail-safe data max. 244 bytes)
FCS = frame checking sequence (across the data within LE)
ED = end delimiter

Each character on the line is one cell of 11 bits: SB (start bit), ZB0..ZB7 (character bits), PB (even parity bit), EB (stop bit).
... and a PROFIsafe message (the extra layer included in the user telegram)

Standard message frame (user telegram), max. 244 bytes of DP data:

Standard I/O data (240 / 238 bytes minus F-data) | F-I/O data (max. 12 / 122 bytes) | Status / control byte (1 byte) | Sequence number (1 byte, sender-based counter) | CRC (2 / 4 bytes *) across F-data and F-parameters

*) 2 bytes for a max. of 12 bytes F I/O data; 4 bytes for a max. of 122 bytes F I/O data.
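The two slides above describe the safety layer as fields riding inside the data unit of a standard DP frame, and the table before them lists which field catches which failure. The following added example (mine, not Siemens or PROFIBUS International code) puts both together: a sender builds the container, a receiver applies the safety-layer checks and falls back to substitute values on any failure. Everything specific is an assumption made for illustration: a plain CRC-16 stands in for the certified PROFIsafe CRC, the codename (F-address) enters as the CRC seed, the DP FCS is modelled as the byte sum of DA..DU modulo 256, and the addresses, codename, output data and times are constructed.

```python
"""Illustrative PROFIsafe-style safety layer inside a PROFIBUS DP SD2 frame
(the "black channel").  Added example, not vendor code; see the assumptions
in the lead-in and the comments."""
from dataclasses import dataclass

SD2, ED = 0x68, 0x16        # start / end delimiter of a variable-length DP frame
WATCHDOG_MS = 100           # assumed F-watchdog time of the connection
SAFE_SUBSTITUTE = bytes(4)  # substitute values: all outputs de-energised


def crc16(data: bytes, seed: int = 0xFFFF) -> int:
    """Bitwise CRC-16, polynomial 0x1021 (assumption, not the PROFIsafe CRC)."""
    crc = seed
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def f_crc(body: bytes, codename: int) -> int:
    """CRC across F-data and F-parameters: the codename seeds the CRC, so a
    telegram from another sender, or a standard message, cannot match."""
    return crc16(body, seed=crc16(codename.to_bytes(2, "big")))


def build_container(f_data: bytes, status: int, seq: int, codename: int) -> bytes:
    """F-data | status/control byte | sequence number | CRC (2 bytes)."""
    body = f_data + bytes([status & 0xFF, seq & 0xFF])
    return body + f_crc(body, codename).to_bytes(2, "big")


def build_dp_frame(da: int, sa: int, fc: int, du: bytes) -> bytes:
    """SD2 frame: SD LE LEr SD DA SA FC DU FCS ED, with LE counting DA..DU."""
    le = 3 + len(du)
    payload = bytes([da, sa, fc]) + du
    return bytes([SD2, le, le, SD2]) + payload + bytes([sum(payload) & 0xFF, ED])


def parse_dp_frame(frame: bytes) -> bytes:
    """Black-channel checks only; return the data unit or raise ValueError."""
    if len(frame) < 9 or frame[0] != SD2 or frame[3] != SD2 or frame[-1] != ED:
        raise ValueError("bad delimiters")
    le = frame[1]
    if le != frame[2] or len(frame) != le + 6:
        raise ValueError("length mismatch")
    payload = frame[4:4 + le]
    if sum(payload) & 0xFF != frame[4 + le]:
        raise ValueError("bad FCS")
    return payload[3:]


@dataclass
class FReceiver:
    """Consumer end of one F-connection, e.g. an F-DO module."""
    codename: int
    n_data: int
    expected_seq: int = 1
    last_ok_ms: int = 0

    def accept(self, du: bytes, now_ms: int):
        """Apply the safety layer; return (f_data or substitutes, verdict).
        CRC -> corruption / masquerade; sequence number -> repetition,
        deletion, resequencing; watchdog -> delay / FIFO failure."""
        if len(du) != self.n_data + 4:
            return SAFE_SUBSTITUTE, "length error"
        body, crc = du[:-2], int.from_bytes(du[-2:], "big")
        if f_crc(body, self.codename) != crc:
            return SAFE_SUBSTITUTE, "crc error"
        if body[-1] != self.expected_seq & 0xFF:
            return SAFE_SUBSTITUTE, "sequence error"
        if now_ms - self.last_ok_ms > WATCHDOG_MS:
            return SAFE_SUBSTITUTE, "watchdog expired"
        self.expected_seq += 1
        self.last_ok_ms = now_ms
        return body[:self.n_data], "ok"


def demo():
    """Feed one receiver good, replayed, corrupted, masqueraded and late
    telegrams (all valid on the black channel); return the verdicts."""
    host, dev, codename = 2, 5, 0x0BAD           # constructed F-addresses
    rx = FReceiver(codename=codename, n_data=4)
    outputs = bytes([0x0F, 0x00, 0x80, 0x01])    # constructed F-output data
    cont = {s: build_container(outputs, 0x20, s, codename) for s in (1, 2, 3)}
    corrupted = bytearray(cont[2])
    corrupted[0] ^= 0x01                         # bit flip on the link, after the CRC
    impostor = build_container(outputs, 0x20, 2, 0x0001)   # wrong codename
    traffic = [(cont[1], 10), (cont[1], 20), (bytes(corrupted), 30),
               (impostor, 40), (cont[2], 50), (cont[3], 500)]
    verdicts = []
    for du, t in traffic:
        frame = build_dp_frame(dev, host, 0x68, du)   # DP FCS recomputed: black channel is happy
        verdicts.append(rx.accept(parse_dp_frame(frame), t)[1])
    return verdicts
```

The point of `demo()` is that every rejected telegram passes `parse_dp_frame` cleanly: the DP FCS is rebuilt around the corrupted and the masqueraded container, so only the safety layer catches them, which is exactly the black-channel argument. The receiver deliberately does not advance `expected_seq` or the watchdog on a failure, so a replayed telegram cannot "repair" the connection.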
PROFIBUS PA fieldbus solution to SIL 1 / 2 / 3

Figure: redundant CPU 417H with CP443-5E DP masters, PROFIBUS DP to redundant IM 157 links / DP/PA couplers, PROFIBUS PA to the PA slaves (PT, ...) in the Ex zone.

» PROFIsafe PA, TÜV certified SIL 2 / 3 (2007).
» SINTEF study "Evaluation of PROFIBUS PA against SIL1 / 2 requirements" (2000).
PROFIBUS PA with PROFIsafe: redundancy

Figure: ring architecture with Active Field Distributors (AFD) on PROFIBUS PA, fed from redundant IM 157 and redundant DP/PA couplers (M = master) on PROFIBUS DP.
PROFIBUS PA with PROFIsafe: voting

Figure: S7-400FH with redundant DP/PA couplers and redundant IM 157 on PROFIBUS DP; the transmitters on PROFIBUS PA are voted 2oo3 and 1oo2.
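The voting slide above and the earlier "signal evaluation 1oo1 (SIL 2) / 1oo2 (SIL 3)" parameter of the F-I/O modules both come down to an M-out-of-N vote over channels that may individually be reported bad. The following added example (mine, not the Siemens library) shows the two forms a practitioner needs: an analogue MooN voter that excludes QBAD channels, and a two-channel discrete 1oo2 evaluation with a discrepancy time. The degradation rule (a lost channel lowers M, so 2oo3 degrades to 1oo2 and then 1oo1; with no healthy channel left the output trips), the tolerance and all values and times are assumptions made for illustration.

```python
"""MooN voting over redundant safety channels.  Added example, not Siemens
code; degradation policy, tolerances and sample values are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    value: float
    qbad: bool = False   # the driver reports this channel faulty / passivated


def moon_trip(channels, m: int, trip_level: float, trip_on_low: bool = False):
    """M-out-of-N vote on analogue channels; returns (trip, degraded).
    QBAD channels are excluded and M is lowered by the number of lost
    channels (assumed policy: degrade towards 1ooN rather than NooN)."""
    healthy = [c for c in channels if not c.qbad]
    if not healthy:
        return True, True                       # nothing left to vote on: fail-safe trip
    m_eff = max(1, m - (len(channels) - len(healthy)))
    demands = (lambda v: v <= trip_level) if trip_on_low else (lambda v: v >= trip_level)
    demanding = sum(1 for c in healthy if demands(c.value))
    return demanding >= m_eff, m_eff != m


def discrepancy(channels, tolerance: float) -> bool:
    """True when the healthy analogue channels disagree by more than the
    tolerance: a maintenance alarm even when the vote itself does not trip."""
    vals = [c.value for c in channels if not c.qbad]
    return len(vals) > 1 and max(vals) - min(vals) > tolerance


class Discrepancy1oo2:
    """1oo2 evaluation of a two-channel discrete sensor (normally energised:
    1 = healthy, 0 = demand).  Either channel at 0 trips.  While the channels
    disagree the safe value is output; if they do not agree again within the
    discrepancy time the input is declared faulty."""

    def __init__(self, discrepancy_time_ms: int):
        self.limit = discrepancy_time_ms
        self.since = None       # start of the current disagreement, if any

    def evaluate(self, a: int, b: int, now_ms: int):
        """Returns (value, fault)."""
        if a == b:
            self.since = None
            return a, False
        if self.since is None:
            self.since = now_ms
        return 0, now_ms - self.since > self.limit
```

Note the asymmetry that matters for an ESD loop: a bad channel never makes the vote harder to satisfy, and a disagreement between the two channels of a 1oo2 input trips immediately while the discrepancy timer only decides whether to additionally flag the input as faulty.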
Fail-safe CPU to CPU communication

Safety-oriented CPU-CPU communication via S7 connections with the send / receive blocks:
» F_SENDBO / F_RCVBO: transfer of 20 F_BOOL
» F_SENDR / F_RCVR: transfer of 20 F_REAL
Safety control loops and residual error probability (PFD)

Figure: the loop runs from sensor through analogue / binary input, the logic operations (within one PLC) and the binary output to the actuator. 100 % is the total allowed PFD (probability of failure on demand) for the loop; the logic within one PLC is allotted 15 % of it, and PROFIsafe 1 %.

E.g. Safety Integrity Level (SIL) 3: 10^-7 / h (share of PROFIsafe: 1 % = 10^-9 / h). The per-hour figure is the IEC 61508 limit for SIL 3 in high-demand / continuous mode (PFH).
Other SAS (safety and automation system) requirements for a typical network, safety / security: typical SAS network architecture
Other SAS requirements for a typical network, safety / security: many standards, defence in depth

Standards and recommendations:
» ISO 27000 / ISO 27001 / ISO 27002
» ISA S99
» OLF-104, OLF-110, OLF-123
» ISA Security Compliance Institute: ISASecure
» INL Security Lab (Idaho National Lab)
» LOGIIC (Linking the Oil and Gas Industry to Improve Cyber Security)
Quite a lot of equipment and software goes into security in a complete plant.
Do you want SIL3 on your own PC? We start with a standard PC and a software package, plus a little safe I/O

Figure: the F Soft PLC. Standard parts: PROFIBUS DP or PROFINET IO, the standard programming software STEP 7 and standard remote I/O. Fail-safe parts: the fail-safe programming tool Distributed Safety, fail-safe I/O modules on PROFIsafe, and the fail-safe application program.
First check whether your PC is suited for the purpose; then load the necessary software and fit an interface card for PROFIBUS

» Takes 20-30 min.
» Does it have a timer, RTC on interrupt 8? (normally ok)
» Load the software.
» WinAC RTX F is installed on Windows XP Professional, or is "embedded".
» The code runs on an additional real-time kernel, IntervalZero RTX.
Coded processing: time redundancy and diversity instead of structural redundancy

Figure: the operators (A, B and the coded /A, /B) are processed by the operation and the diverse operation (AND and OR) into the output C and the diverse output D = /C, and compared; a mismatch (D ≠ /C) stops the processing. The second pass runs time-redundant.

Based on the principles discussed earlier.
Coded arithmetic: zf = xf + yf on the data, zc = xc + yc + 1 on the coded (complemented) data, with data xf and coded xc.

Figure: the F-DI sends a PROFIsafe telegram (data + CRC) to the F-CPU. In the F-CPU the PSF input driver feeds F-CTRL 1 and F-CTRL 2, the F FBs (STEP 7) and the F-coded FBs, executed on "µP left" and "µP right" (the two diverse channels); the PSF output driver sends a PROFIsafe telegram to the F-DO (plus / minus). A wrong CRC leads to a PROFIsafe stop or a CPU stop, and the affected channel is reported bad.

Based on the principles discussed earlier.
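The two coded-processing slides above, and the S7-F concept and time-redundancy slides earlier in the deck, all describe the same mechanism: hold every safety value as data plus its complement, execute each operation twice with the dual instruction, and compare after every step. The following added example (mine, not Siemens code) implements that mechanism for the operations the slides name: bit-AND on the data against word-OR on the complement, and the coded addition zc = xc + yc + 1. It assumes 16-bit words, booleans held as 0 / 1 with a word-sized complement, and models the "stop" as an exception that the caller turns into a safe state; the ESD trip logic and the injected fault are constructed.

```python
"""Coded processing with comparison, in the style of the S7-F concept and
WinAC RTX F.  Added example, not Siemens code; 16-bit words, 0/1 booleans and
the exception-as-stop are assumptions."""
WORD = 0xFFFF


class CodedProcessingError(Exception):
    """Raised where the real CPU would stop and drive its outputs safe."""


def encode(x: int) -> int:
    """Coded form of a word: its one's complement (xc = /xf)."""
    return (~x) & WORD


class Coded:
    """A value carried in both channels.  Each operation computes the plain
    result and, by the diverse dual operation, the coded result, then checks
    that they still agree (D == /C) before the value can be used further."""

    def __init__(self, data: int, comp=None):
        self.data = data & WORD
        self.comp = encode(data) if comp is None else comp & WORD

    def check(self):
        """The comparison step: any disagreement stops the F-program."""
        if self.comp != encode(self.data):
            raise CodedProcessingError(
                f"data {self.data:#06x} does not match complement {self.comp:#06x}")
        return self

    def __and__(self, o):   # plain: bit-AND; coded: word-OR (De Morgan)
        return Coded(self.data & o.data, self.comp | o.comp).check()

    def __or__(self, o):    # plain: bit-OR; coded: word-AND
        return Coded(self.data | o.data, self.comp & o.comp).check()

    def __invert__(self):   # NOT just swaps the two representations
        return Coded(self.comp, self.data).check()

    def __add__(self, o):   # zf = xf + yf ; zc = xc + yc + 1 (mod 2^16)
        return Coded(self.data + o.data, self.comp + o.comp + 1).check()

    def __eq__(self, o):
        return isinstance(o, Coded) and self.data == o.data and self.comp == o.comp


def esd_trip(level_hh: int, pressure_hh: int, inhibit: int) -> Coded:
    """Constructed ESD logic: trip on either HH alarm unless inhibited.
    Every intermediate result is checked, not only the final output."""
    return (Coded(level_hh) | Coded(pressure_hh)) & ~Coded(inhibit)


def fault_injection() -> bool:
    """Flip one bit in the coded copy of a stored value (a memory fault after
    the value was written) and report whether the next operation catches it
    instead of propagating a wrong result."""
    stored = Coded(0x1234)
    stored.comp ^= 0x0004          # single-bit corruption in the instance DB
    try:
        stored + Coded(1)
    except CodedProcessingError:
        return True
    return False
```

Why the complement rather than a plain second copy: with two identical copies a single instruction fault that hits both the same way passes the comparison, whereas here the second channel uses the dual instruction on inverted data, so the same fault produces different outcomes in the two channels. A fault that corrupts both representations consistently is still not caught by the comparison alone; that is the residual the earlier slide addresses by executing Bool and Word operations in different parts of the CPU and by the two independent hardware timers.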
WinAC RTX F: your own Moholt SIL3 plant
Thank you for listening!

Arnt Olav Sveen

For more info see: www.siemens.com/process-safety, www.siemens.com/safety-matrix

» First with integrated control & safety
» First with a flexible, scalable, distributed architecture
» First safety lifecycle management tool: Safety Matrix
» First and only fully integrated safety fieldbus
» First and only SIL3, zone 1 I/O
» First and only SIL3 on your own PC