[Diagram: layers of risk reduction, from normal activity outward. Basic process automation / process control system (normal activity and process value); process alarm; plant personnel intervenes; active protection (overpressure valve, rupture disc); passive protection (collection basin); disaster protection. Other measures for risk minimization: changed process layout. The remaining risk must be an acceptable risk; "zero risk" is not feasible.]
IEC 61508
IEC 61508 serves as the basic standard and basis for safety standardization.
It covers all areas where electrical, electronic or PLC systems are used to realize safety-related
protection functions.
IEC 61511
There are sector-specific standards based on IEC 61508, such as IEC 61511 for
the process industry or IEC 61513 for the nuclear industry.
These sector standards are the relevant ones for planners and operators of the
corresponding plants.
$$
\mathrm{SFF} = \frac{\sum \lambda_S + \sum \lambda_{DD}}{\sum \lambda_S + \sum \lambda_{DD} + \sum \lambda_{DU}}
$$
In this context, λ_S is the rate of safe failures, λ_DD the rate of dangerous detected failures and λ_DU the rate of dangerous undetected failures.
Hardware fault tolerance N means that N + 1 hardware faults may
result in the loss of the relevant safety function.
Example:
Redundant channels of a control unit with mutual monitoring have
a hardware fault tolerance of N = 1.
(Architecture note on the slide: IEC 61508, HFT = 0, SFF > 99%)
[Chart: failure root causes. Specification 44.1%; Design & Implementation; Installation & Commissioning; Operation & Maintenance; Changes after Commissioning. Remaining shares are not recoverable from the extracted text.]
Safety lifecycle (IEC 61508): Analysis, Specifications, Design & Implementation, Installation & Commissioning, Operation & Maintenance, Changes after Commissioning.
Safety management rests on the competence of persons and on technical requirements.
• Add-on of the quality management system with the interests / needs of functional safety
• Arrangement of responsibilities
• Standard operation procedures (S.O.P.)
• Templates
• Qualification
• Design and tracking of safety activities in the respective project
• Project safety manager
• Safety plan
• Verification and validation
• Independent assessment
Safety Integrity Level (SIL), probability of failure on demand (PFD) per year and risk reduction factor (RRF = 1/PFD), for the demand mode of operation.
SIS: a combination of sensors, logic modules (e.g. controllers) and actuators that detects
abnormal operating conditions and returns the plant AUTOMATICALLY to a safe state.
[P&ID sketch: reactor with pressure transmitter (PT), flow transmitter (FT) and I/P converter]
Risk graph parameters:
C, effect (consequence): Ca minor injury; Cb major, irreversible injury or death of one person; Cc death of several persons; Cd death of very many persons.
F, frequency and duration of exposure: Fa seldom to often; Fb frequent to constant.
P, danger prevention: Pa possible under certain circumstances; Pb nearly impossible.
W, probability of occurrence: W1 very low; W2 low; W3 relatively high.
The path C → F → P selects one of the rows X1 to X6; the column W gives the required Safety Integrity Level (SIL):

      W3   W2   W1
X1    a
X2    1    a
X3    2    1    a
X4    3    2    1
X5    4    3    2
X6    b    4    3

a = no special safety requirements
b = individual safety system insufficient
Fire & Gas Applications (F & G), Fire Detection and Fire Alarm Systems
• According to EN 54, NFPA 72
Examples:
• Siemens S5-110F
• HIMA H50
• Triconex Tricon
• August Systems
• ICS Triplex Regent
Examples:
• Siemens S5-95F
• Moore Quadlog
• Honeywell FSC
• HIMA H41/H51
• Yokogawa Prosafe-PLC
Examples:
• Siemens S7-400FH
• Emerson DeltaV SIS
• Yokogawa ProSafe-RS
• ABB 800xA
• Honeywell Safety Manager
• HIMA HIMax
[Timeline of Siemens safety systems: SIMATIC S5-110F (1980), SIMATIC S5-115F and SIMATIC S5-95F (1988, 1994), QUADLOG (1995), S7-300F/400F with PROFIsafe (1999), followed by S7-400FH with PROFIsafe, Safety Matrix, FMR, Safety Fieldbus with Redundant Ring and CPU 410 with PROFINET (years 2002 to 2013 shown on the slide; the exact pairing is not recoverable from the extracted text)]
Unrestricted / © Siemens AG 2017. All Rights Reserved.
Page 29 2017-05-19 Thomas Bartsch
Safety Integrated for Process Automation
The fully integrated safety solution
[Diagram: three ways of combining DCS and SIS. INTERFACED: DCS and SIS each with their own engineering (ENG) and HMI, coupled through a gateway. INTEGRATED: DCS and SIS share one ENG and HMI. COMMON: DCS and SIS in one system. With SIMATIC PCS 7 the engineering and operator stations (ES & OS) serve both, and SIMATIC S7-400FH is the SIS.]
Safety functions to detect errors and handle errors are included in:
• F-CPU
• PROFIsafe communication
• F-I/O modules
• Field Devices
[Diagram: one fail-safe CPU runs the standard application program and the fail-safe (F) program side by side; standard remote I/O and fail-safe I/O modules hang on PROFIBUS DP, the fail-safe modules communicating via PROFIsafe]
[Diagram: time redundancy in the F-CPU, e.g. operation A AND B → output C executed twice in time and compared; diagnostic circuit; Hardware Fault Tolerance (HFT); Safe Failure Fraction (SFF); 2oo2 of (1oo1D)]
General System Design
F-I/O modules
Non-Redundant Setup
• Single or dual sensors for inputs
• Redundant circuitry within I/O modules
• Redundant output circuits
• With one controller up to SIL 3
• HFT = 0; SFF > 99%
• According to IEC 61508-2, Table 3
[Diagram: input module (input circuit, CPU, diagnostic circuit), controller module (two CPUs with diagnostic circuit, 1oo2D), output module (CPU, diagnostic circuit, output circuit, main switch); 2oo(1oo1D)]
Fully-Redundant Setup
• Structure like 2oo4 systems, but with higher availability
• 1oo1D for SIL 2
• 1oo2D for SIL 3
[Diagram: two controller modules, 2oo3 voting, redundant input and output modules each with CPU, diagnostic circuit and main switch; 3oo(1oo1D)]
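As an added worked example (not from the slide deck), the SFF formula given earlier applied to constructed failure rates, together with the IEC 61508-2 Table 3 (type B subsystems) architectural constraint that this section cites for "HFT = 0; SFF > 99% → SIL 3", and the RRF = 1/PFD relation; the table bands are taken from the standard, the FIT values are constructed.

```python
"""SFF, architectural constraints and RRF; constructed example, not Siemens code."""
from dataclasses import dataclass
from typing import Optional

# IEC 61508-2 Table 3 (type B subsystems): maximum SIL allowed by SFF band and
# hardware fault tolerance (HFT). Values from the standard, not from the slides.
# Each row: (lower SFF bound, {HFT: max SIL, or None if not allowed}).
TABLE_3_TYPE_B = [
    (0.99, {0: 3, 1: 4, 2: 4}),
    (0.90, {0: 2, 1: 3, 2: 4}),
    (0.60, {0: 1, 1: 2, 2: 3}),
    (0.00, {0: None, 1: 1, 2: 2}),
]
FIT = 1e-9  # one failure in 10^9 hours

@dataclass(frozen=True)
class FailureRates:
    """Summed failure rates of one channel, in failures per hour."""
    lam_s: float   # safe failures, sum(lambda_S)
    lam_dd: float  # dangerous detected failures, sum(lambda_DD)
    lam_du: float  # dangerous undetected failures, sum(lambda_DU)

def sff(r: FailureRates) -> float:
    """Safe failure fraction: (S + DD) / (S + DD + DU)."""
    total = r.lam_s + r.lam_dd + r.lam_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (r.lam_s + r.lam_dd) / total

def max_sil_type_b(sff_value: float, hft: int) -> Optional[int]:
    """Highest SIL the architecture may claim; None = not allowed."""
    if hft not in (0, 1, 2) or not 0.0 <= sff_value <= 1.0:
        raise ValueError("HFT must be 0..2 and SFF within [0, 1]")
    for lower_bound, row in TABLE_3_TYPE_B:
        if sff_value >= lower_bound:
            return row[hft]
    return None  # unreachable: the last band starts at 0.0

def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFD for the demand mode of operation."""
    if not 0.0 < pfd < 1.0:
        raise ValueError("PFD must lie in (0, 1)")
    return 1.0 / pfd

# Constructed channel: high diagnostic coverage leaves only 8 FIT undetected.
GOOD_CHANNEL = FailureRates(lam_s=200 * FIT, lam_dd=790 * FIT, lam_du=8 * FIT)
# Same channel with weaker diagnostics: 20 FIT dangerous undetected.
WEAK_CHANNEL = FailureRates(lam_s=200 * FIT, lam_dd=778 * FIT, lam_du=20 * FIT)

if __name__ == "__main__":
    for name, ch in (("good", GOOD_CHANNEL), ("weak", WEAK_CHANNEL)):
        s = sff(ch)
        print(f"{name}: SFF={s:.4f} HFT0->SIL {max_sil_type_b(s, 0)} "
              f"HFT1->SIL {max_sil_type_b(s, 1)}")
```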
Safety Integrated for Process Automation
The fully integrated safety solution
CPU 410-5H
Time Stamping
• Accuracy of 30 ms with F-Modules
• Accuracy of 1 ms with standard modules
One engineering system for process control and process safety application
• Reduces training and uses the available knowledge
→ The safety programs can be configured either with CFC or with Safety Matrix
F block library with TÜV-certified blocks
PROFIsafe is an application layer (profile) that describes the communications between fail-
safe devices
Supports safe communication over open standard buses PROFIBUS (DP, PA) and PROFINET
TÜV certified
• IEC 61508 SIL 3
• EN 954-1 Cat 4
[Diagram: ISO/OSI layers 7, 2 and 1 of the fieldbus stack with the PROFIsafe layer on top; non-safety functions, e.g. diagnosis, run alongside]
"Black channel": ASICs, links, cables, etc. are not safety relevant
Non-safety-critical functions, e.g. diagnosis
"PROFIsafe": components of the safety-critical communication system:
addressing, watchdog timers, sequencing, signature, etc.
Safety-relevant but not part of the PROFIsafe profile:
the safety I/O and the safety control systems
[Diagram: encapsulation of the F-data in standard DP telegrams between the F-host and the sensors over PROFIBUS DP and a local bus]
Communication errors detected by the PROFIsafe measures (consecutive number, watchdog timeout, addressing, signature); each row of the slide's table is marked against one or more of these measures:
• Retry (repetition)
• Loss
• Insertion
• Wrong sequence
• Data corruption
• Delay
• FIFO error
[Diagram labels: sender-based counter, F-parameter, across F-data]
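As an added example (not Siemens code and not the PROFIsafe wire format), a simplified receiver that applies the four measures named above, addressing (codename), sequencing (consecutive number), watchdog timeout and signature, to a constructed telegram stream and reports which error class each telegram trips; zlib.crc32 stands in for the PROFIsafe CRC and every address, counter and time value is constructed.

```python
"""Simplified model of the PROFIsafe error-detection measures (constructed)."""
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Telegram:
    codename: int   # F-address pair identifying sender/receiver (addressing)
    counter: int    # consecutive number (sequencing), 1..255
    f_data: bytes   # safety payload
    crc: int        # signature over codename + counter + f_data

def sign(codename: int, counter: int, f_data: bytes) -> int:
    """Signature; zlib.crc32 stands in for the PROFIsafe CRC (assumption)."""
    return zlib.crc32(codename.to_bytes(2, "big") + bytes([counter]) + f_data)

def build(codename: int, counter: int, f_data: bytes) -> Telegram:
    return Telegram(codename, counter, f_data, sign(codename, counter, f_data))


@dataclass
class FReceiver:
    """F-device side: checks every telegram, else delivers fail-safe values."""
    codename: int
    watchdog_s: float      # watchdog time; a longer gap is treated as delay
    expected: int = 1      # next consecutive number
    last_ok_s: float = 0.0

    def check(self, t: Telegram, now_s: float) -> Tuple[str, Optional[bytes]]:
        if now_s - self.last_ok_s > self.watchdog_s:
            return "delay", None            # watchdog timer expired
        if sign(t.codename, t.counter, t.f_data) != t.crc:
            return "data corruption", None  # signature mismatch
        if t.codename != self.codename:
            return "insertion", None        # foreign sender (addressing)
        if t.counter != self.expected:
            # one reaction covers retry/repetition, loss and wrong order
            return "wrong sequence", None
        self.expected = self.expected % 255 + 1
        self.last_ok_s = now_s
        return "ok", t.f_data


def run_demo() -> List[str]:
    """Constructed telegram stream that exercises each detection path."""
    rx = FReceiver(codename=0x1234, watchdog_s=1.0)
    t1, t2, t3 = (build(0x1234, n, bytes([n, 0])) for n in (1, 2, 3))
    corrupt = Telegram(t3.codename, t3.counter, bytes([3, 1]), t3.crc)
    foreign = build(0x0BAD, 3, t3.f_data)     # valid CRC, wrong F-address
    stream = [(t1, 0.1), (t2, 0.2), (t2, 0.3), (corrupt, 0.4),
              (foreign, 0.5), (t3, 2.0)]
    return [rx.check(t, when)[0] for t, when in stream]
```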
PROFIBUS
• Well-known fieldbus solution
• Open Standard
• First Fieldbus with Safety Instruments
[Diagram: PCS 7 OS server; PROFIBUS DP and PROFIBUS PA with PA-Coupler, AFD and AFDiS; IE/PB-Link; weighing systems; SIMOCODE PN, PAC 3200/4200 PN and SINAMICS PN on PROFINET; complete integration of SIMOCODE]
Fail-safe communication between AS 400 controllers
[Diagram: redundant I/O (DI, DO, AI) with 2oo3, 1oo2D, 1oo3 and 3oo3 voting]
Flexible Modular Redundancy (FMR)
based on PROFIBUS DP
[Diagram: simplex, dual and triple I/O (DI, DO, AI) on PROFIBUS DP with 1oo2D, 2oo3, 1oo3 and 3oo3 voting; the crossed-out modules on the slide are not recoverable from the extracted text]
Flexible Modular Redundancy (FMR)
Highest Flexibility
• Separate or combine safety and standard application in one CPU
• Use redundancy for safety only where it is needed
• Parallel use of PROFIsafe on PROFIBUS or PROFINET
Cost reducing
• Use redundancy only where you need it for safety or availability
• Parallel use of PROFIsafe on PROFIBUS or PROFINET
Order codes: ST-WSFSP, ST-WSPUP, ST-PCS7SAF (SFSP)
• Realization Phase
• Design and Engineering of Safety Instrumented System
• Design and Development of other Means of Risk Reduction
• Installation, Commissioning & Validation
• Operation Phase
• Operation & Maintenance
• Modification
• Decommissioning
• Development of the Safety Requirement Specification (SRS) for the Safety Instrumented System
• Configuration of the Safety Functions with the Cause & Effects Method
• Automatic TÜV-certified Creation of the Safety Logic from the Cause & Effect matrix
• Supports Operation Functions like Bypass, Reset, Override and Parameter Changes
Certificates
Additional Information
Industrial Security
• Becomes more and more important
• Plants are connected to the office network
• Plants are connected to the Internet
What is needed
• Concepts to secure the plant
• Especially the safety systems
… The BPCS and SIS both use PLCs to operate different aspects
of the loading station with the SIS using a special functional safety
PLC (FS-PLC) rated for use in safety systems.
[Diagram, shown three times on the slides: Level 2 with OS clients, OS server, SIS engineering stations and BPCS engineering stations on the Industrial Ethernet terminal bus; Level 0 field devices on PROFIBUS PA via PA links]
[Diagram: defence-in-depth network. Level 3: MES between a front firewall and a back firewall. Level 2: OS clients, OS server and engineering stations (SIS and BPCS separate in one variant, combined in the other) on the Industrial Ethernet terminal bus, protected by Scalance S. Level 1: safety-related automation systems (S7-400 F/FH) and fault-tolerant automation system (S7-400H). Level 0: ET 200M with standard and F modules, ET 200iSP in Zone 1. A third variant shows a redundant terminal bus, the Level 2 server, the system bus and AS SIS / AS BPCS on Level 1.]
Features
• Siemens (DF and PD) is the first manufacturer achieving
TÜV certification of product life cycle process based on
IEC 62443-4-1
• PD PA AE is the first manufacturer achieving TÜV
certification based on IEC 62443-3-3 for SIMATIC PCS 7
Key Benefits
• Product development is compliant with current IACS
Security Standards
• SIMATIC PCS 7 is compliant with current IACS Security
Standards
siemens.com/process-safety