
Safety Integrated for Process Automation


Unrestricted / © Siemens AG 2017. All Rights Reserved. siemens.com/process-safety


Introduction
Safety Integrated for Process Automation



Safety Integrated for Process Automation
The fully integrated safety solution

Functional Safety Management reduces the risk of process-related accidents and ensures maximum safety for people, process and environment.


Page 3 2017-05-19 Thomas Bartsch
Safety concept for a plant

Protection layers, from the outermost to the innermost:
• Disaster protection
• Collection basin: passive protection
• Overpressure valve, rupture disc: active protection
• Safety system (automatic shutdown): Safety Instrumented System (SIS)
• Plant personnel intervenes: process alarm
• Process control system, basic automation: normal activity
Risk analysis → risk minimization

Risk reduction steps shown for a technical facility:
• Risk for a technical facility (starting point)
• Changed process layout
• Other measures for risk minimization
• Safety systems
• Acceptable risk

"Zero risk" is not feasible.
International safety standards

IEC 61508
IEC 61508 serves as the basic standard and basis for safety standardization.
It covers all areas where electrical, electronic or PLC systems are used to realize safety-related protection functions.

IEC 61511
There are sector-specific standards based on IEC 61508, such as IEC 61511 for the process industry or IEC 61513 for the nuclear industry.
These sector standards are important for planners and operators of the corresponding plants.
Architecture and HW reliability
Architectural Parameter: Safe Failure Fraction (SFF)

Failure rates of a unit in failure-free operation are split into safe and dangerous failures, each further split into detected and undetected:
• λS (rate of all "safe" failures) = λSD + λSU
• λSD (rate of all "safe detected" failures)
• λSU (rate of all "safe undetected" failures)
• λD (rate of all "dangerous" failures) = λDD + λDU
• λDD (rate of all "dangerous detected" failures)
• λDU (rate of all "dangerous undetected" failures)

$$\mathrm{SFF} = \frac{\sum \lambda_S + \sum \lambda_{DD}}{\sum \lambda_S + \sum \lambda_{DD} + \sum \lambda_{DU}}$$

SFF = Safe Failure Fraction
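The SFF formula above, together with the HFT/SFF lookup that the deck later cites (IEC 61508-2, Table 3), as an added example that is not code from the Siemens deck; the Table 3 bands for Type B subsystems are reproduced from my reading of the standard and the sample failure rates are constructed.

```python
"""Safe Failure Fraction and the HFT/SFF architectural constraint of IEC 61508-2.

Added example, not code from the Siemens deck. The SIL bands below are my
reading of IEC 61508-2:2000 Table 3 (Type B subsystems); treat that table as an
assumption to verify against the standard's text. Failure rates are in 1/h,
but the ratio is unit-free. Sample rates are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FailureRates:
    """Failure rates of one element, split as on the page: safe/dangerous,
    each detected/undetected."""
    lam_sd: float  # safe detected
    lam_su: float  # safe undetected
    lam_dd: float  # dangerous detected
    lam_du: float  # dangerous undetected

    @property
    def lam_s(self) -> float:
        return self.lam_sd + self.lam_su

    @property
    def lam_d(self) -> float:
        return self.lam_dd + self.lam_du


def sff(elements: List[FailureRates]) -> float:
    """SFF = (sum lam_S + sum lam_DD) / (sum lam_S + sum lam_DD + sum lam_DU),
    summed over all elements of the subsystem. Only dangerous undetected
    failures reduce the fraction, which is why diagnostics (the D in 1oo1D)
    raise it: they move failures from lam_DU to lam_DD."""
    safe = sum(e.lam_s for e in elements)
    dd = sum(e.lam_dd for e in elements)
    du = sum(e.lam_du for e in elements)
    total = safe + dd + du
    if total <= 0.0:
        raise ValueError("at least one non-zero failure rate is required")
    return (safe + dd) / total


# Assumed IEC 61508-2 Table 3 (Type B): (lower SFF bound, SIL for HFT 0, 1, 2).
# None = not allowed. A Type B element is one whose failure modes are not fully
# defined, e.g. a microprocessor-based logic solver like the CPUs on the page.
TABLE3_TYPE_B = (
    (0.00, (None, 1, 2)),
    (0.60, (1, 2, 3)),
    (0.90, (2, 3, 4)),
    (0.99, (3, 4, 4)),
)


def sil_from_architecture(sff_value: float, hft: int) -> Optional[int]:
    """Highest SIL the architectural constraints allow for a Type B subsystem.
    The page's 1oo1D CPU (HFT = 0, SFF > 99 %) lands on SIL 3; no single
    channel Type B subsystem reaches SIL 4 whatever its SFF."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    if not 0.0 <= sff_value <= 1.0:
        raise ValueError("SFF is a fraction between 0 and 1")
    allowed = TABLE3_TYPE_B[0][1]
    for lower_bound, sils in TABLE3_TYPE_B:
        if sff_value >= lower_bound:
            allowed = sils
    return allowed[hft]


def demo() -> Tuple[float, Optional[int], float, Optional[int], Optional[int]]:
    """Constructed sample: a well-diagnosed logic solver versus a poorly
    diagnosed transmitter, the latter single and redundant (1oo2, HFT = 1)."""
    solver = [FailureRates(400e-9, 50e-9, 540e-9, 5e-9)]
    sff_solver = sff(solver)                        # ~0.995 -> SIL 3 at HFT 0
    transmitter = [FailureRates(0.0, 100e-9, 200e-9, 100e-9)]
    sff_tx = sff(transmitter)                       # 0.75 -> SIL 1 at HFT 0
    return (sff_solver, sil_from_architecture(sff_solver, 0),
            sff_tx, sil_from_architecture(sff_tx, 0),
            sil_from_architecture(sff_tx, 1))       # 1oo2 of them -> SIL 2


if __name__ == "__main__":
    print(demo())
```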

Architecture and HW reliability
Architecture Parameters: Hardware Fault Tolerance (HFT)

Hardware fault tolerance refers to the capability of a hardware unit to continue performing a required function even under fault conditions.

In this context, a hardware fault tolerance of N means that N + 1 hardware faults may result in the loss of the relevant safety function.

Example:
Redundant channels of a control unit with mutual monitoring have a hardware fault tolerance of N = 1.
Architecture and HW reliability
System Architecture "1 out of 1 (1oo1)"

1-channel (Single Channel) System:
This architecture consists of a single channel, which means that a single dangerous failure is enough to render the safety-instrumented function ineffective.
HFT = 0
(In the figure, "safe" means de-energized.)

Safe failure: relay contact opens and interrupts the energy supply.
Dangerous failure: e.g. contacts welded, interruption of the energy supply impossible.
Architecture and HW reliability
System Architecture "1 out of 2 (1oo2)"

2-channel (Dual Channel) System:
Outputs wired in series.
1 out of 2 (1oo2): HFT = 1
The system needs only one channel to perform the safety-instrumented function.
→ Higher availability of safety
(In the figure, "safe" means de-energized.)
Architecture and HW reliability
System Architecture "2 out of 2 (2oo2)"

2-channel (Dual Channel) System:
Outputs wired in parallel.
2 out of 2 (2oo2): HFT = 0
Both channels must be activated to perform the safety-instrumented function, i.e. if one channel fails, the safety-instrumented function cannot be performed.
→ Increased operational availability
→ Decreased availability of safety
(In the figure, "safe" means de-energized.)
Architecture and HW reliability
System Architecture "2 out of 3 (2oo3)"

3-channel (Triplicated) System (TMR):
At least 2 functioning channels are needed to perform the safety-instrumented function.
→ Increased operational availability
HFT = 1
If one channel fails, the safety-instrumented function can still be performed.
→ Increased availability of safety
(In the figure, "safe" means de-energized.)
Certification according to IEC 61508
HFT and SFF in the safety standards

IEC 61508: HFT = 0 and SFF > 99%

1oo1D, SIMATIC S7-400F = SIL 3
SIMATIC S7-400FH = SIL 3 (2oo2 of a 1oo1D system)
Failure Analysis of Automation Systems

Share of incidents by the lifecycle phase in which the failure was caused:
• Specification: 44.1%
• Changes after commissioning: 20.6%
• Design & implementation: 14.7%
• Operation & maintenance: 14.7%
• Installation & commissioning: 5.9%

Note: based on 34 investigated incidents in the UK.
Health and Safety Executive (GB): Out of Control. Why control systems go wrong and how to prevent failure. HSE Books 1995.
Allocation of Failures

Safety lifecycle phases:
• Analysis
• Specifications
• Design & Implementation
• Installation & Commissioning
• Operation & Maintenance
• Changes after Commissioning

Failure root causes: competence of persons + safety management + technical requirements.
The IEC 61511(ISA S84) Safety Lifecycle

Functional Safety Management
Safety Plan and Safety Requirements Specification

Functional Safety Management (FSM)

Project-independent FSM:
• Add-on to the quality management system covering the interests / needs of functional safety
• Arrangement of responsibilities
• Standard operating procedures (S.O.P.)
• Templates
• Qualification

Project-dependent FSM:
• Design and tracking of safety activities in the respective project
• Project safety manager
• Safety plan
• Verification and validation
• Independent assessment

The complexity of the documentation depends on the project size and the available management system.
Target Safety Integrity Levels

Safety Integrity Level | Probability of failure on demand (PFD), per year (demand mode of operation) | Risk Reduction Factor = 1/PFD
SIL 4 | >= 10^-5 to < 10^-4 | 100000 to 10000
SIL 3 | >= 10^-4 to < 10^-3 | 10000 to 1000
SIL 2 | >= 10^-3 to < 10^-2 | 1000 to 100
SIL 1 | >= 10^-2 to < 10^-1 | 100 to 10

SIL: a performance criterion of a SIS which, among other things, describes the probability of failure on demand.
Safety Instrumented System (SIS)

SIS: A combination of sensors, logic modules (e.g. controls) and actuators which detect abnormal operating conditions and return the plant AUTOMATICALLY to a safe state.

(Figure: Safety Instrumented System (SIS) and Basic Process Control System (BPCS), each with its own inputs and outputs, connected to a reactor with pressure transmitter (PT), flow transmitter (FT) and I/P converter)
Safety Instrumented Functions
IEC 61508/11

Considering the complete safety functionality of loops acc. to IEC 61508:
Evaluation of risk to define the SIL: risk chart

Risk parameters:
Effect (consequence)
  Ca  Minor injury
  Cb  Major, irreversible injury or death of one person
  Cc  Death of several persons
  Cd  Death of very many persons
Frequency and duration (of exposure)
  Fa  Seldom to often
  Fb  Frequent to constant
Danger prevention
  Pa  Possible under certain circumstances
  Pb  Nearly impossible
Probability of occurrence
  W1  Very low
  W2  Low
  W3  Relatively high

Result for each path X1 to X6 depending on W (empty cell = no entry on the chart):
Path | W3 | W2 | W1
X1   | a  |    |
X2   | 1  | a  |
X3   | 2  | 1  | a
X4   | 3  | 2  | 1
X5   | 4  | 3  | 2
X6   | b  | 4  | 3

Safety Integrity Levels SIL 1 to 4
a = no special safety requirements
b = individual safety system insufficient
LOPA

Safety Requirement Specification (SRS)

The Safety Requirement Specification covers:
• Requirements for the safety function
• Requirements for the safety integrity

All requirements necessary for the design of safety-instrumented functions must be specified.
Process Safety Applications

Safety applications in the Process Industry

Emergency and Process Shutdown Systems (ESD/PSD)
• According to IEC 61508, IEC 61511, ISA S84 and VDI/VDE 2180

Burner Management Systems (BMS)
• According to EN 230, EN 298 and NFPA 85

Fire & Gas Applications (F & G), Fire Detection and Fire Alarm Systems
• According to EN 54, NFPA 72

Example for PFD calculation
Process Safety Systems

1st Generation, introduced in the 1980s
• Safety PLCs introduced to improve safety and availability
• PLC vs. hardwired safety solutions
• Employ redundancy (1oo2) and voting techniques (2oo3 or TMR) to enhance safety and availability
• TÜV certified to DIN/VDE standards, requirement classes (AK1-AK6)

Examples:
• Siemens S5-110F
• HIMA H50
• Triconex Tricon
• August Systems
• ICS Triplex Regent
Process Safety Systems
2nd Generation, introduced in the 1990s
• Safety PLCs won the fight against the hardwired solutions
• Employ high levels of self-diagnostics (D) coupled with redundancy and voting (1oo2D or DMR)
• Later on the first 2oo4D or QMR systems
• TÜV certified to DIN/VDE (AK1-AK6) and IEC 61508 (SIL 1 to SIL 3) standards
• PC-based IEC 61131-3 programming tools

Examples:
• Siemens S5-95F
• Moore Quadlog
• Honeywell FSC
• HIMA H41/H51
• Yokogawa Prosafe-PLC
Process Safety Systems

3rd Generation, introduced in the early 2000s
• Employ very high levels of self-diagnostics (D)
• Optional redundancy to achieve high availability
• Highly modular and scalable
• TÜV certified to IEC 61508 (SIL 1 to SIL 3) standards
• Tight integration with the respective DCS systems

Examples:
• Siemens S7-400FH
• Emerson DeltaV SIS
• Yokogawa ProSafe-RS
• ABB 800xA
• Honeywell Safety Manager
• HIMA HIMax
HISTORY of SIEMENS in Process Safety

Timeline (year of introduction):
• SIMATIC S5-110F (1980)
• SIMATIC S5-115F (1988)
• SIMATIC S5-95F (1994)
• QUADLOG (1995)
• SIMATIC S7-300F/400F and PROFIsafe (1999)
• SIMATIC S7-400FH (2002)
• SIMATIC Safety Matrix (2004)
• FMR (Flexible Modular Redundancy) (2005)
• Safety fieldbus with redundant ring (2006)
• CPU 410 with PROFINET (2013)
Safety Integrated for Process Automation
The fully integrated safety solution

Major Trends in Process Safety
• Integrated architecture of process safety and process control
• Increased focus on ease-of-use
• Increased focus on safety from sensor to actuator
• Increased importance of lifecycle management and tools
• Increased scalability
• More distributed safety systems
• More flexibility
Siemens Solution
Safety Integrated for Process Automation



Safety Integrated for Process Automation
Siemens Trend-Setting Innovation

Integrated Control & Safety
• Total integration into SIMATIC PCS 7
• One user interface for engineering, operation, diagnosis and HMI
• One platform for safety and non-safety applications

Integrated Safety-Fieldbus Technology
• Failsafe and fault-tolerant communication between CPUs, distributed I/Os and safety field devices

Flexible Modular Redundancy
• Provides scalable, cost-effective solutions for your application

Safety Lifecycle Engineering
• Easy programming with CFC and Safety Matrix
• Safety Matrix as lifecycle management tool
Integrated Control & Safety
Safety Integrated for Process Automation



Levels of Integrated Control and Safety

INTERFACED: DCS and SIS are separate systems coupled through a gateway; the SIS has its own engineering (ENG), the DCS side has engineering and HMI.
INTEGRATED: DCS and SIS remain separate systems but share one engineering and one HMI.
COMMON: DCS and SIS run on a common system with one engineering and one HMI.
Levels of Integrated Control and Safety

INTERFACED: SIMATIC S7-400FH as SIS with its own engineering, coupled to the SIMATIC PCS 7 DCS through a gateway; the PCS 7 ES & OS provide engineering and HMI for the DCS.
INTEGRATED: SIMATIC S7-400FH as SIS beside the DCS, both engineered and operated from the SIMATIC PCS 7 ES & OS.
COMMON: one SIMATIC S7-400FH runs the DCS and SIS functions (with standard I/O) on a common system, engineered and operated from the SIMATIC PCS 7 ES & OS.
Integration Level for Integrated Control and Safety with S7-400 and PCS 7

Interfaced
• Separated systems
• S7-400F/FH as Safety PLC
• Separated engineering station for the Safety PLC
• AS-410 for PCS 7
• Separated ES/OS for the DCS

(Figure: engineering for the Safety PLC and engineering for the BPCS (ES/OS) on separate stations; Safety PLC and BPCS each on their own Industrial Ethernet plant bus)

No additional programming knowledge required, because of the same engineering.
Safety and BPCS fully separated.
Integration Level for Integrated Control and Safety with S7-400 and PCS 7

Integrated
• Separated systems: BPCS and Safety PLC
• Common engineering ES/OS
• Common HMI

(Figure: one engineering ES/OS for BPCS and Safety PLC; Safety PLC and BPCS on the Industrial Ethernet plant bus)

Common engineering for Safety PLC and BPCS.
Integration Level for Integrated Control and Safety with S7-400 and PCS 7

Common
• Common system for Safety and BPCS
• Common engineering ES/OS
• Common HMI

(Figure: one engineering ES/OS for BPCS and Safety PLC; controllers each running Safety PLC and BPCS on the Industrial Ethernet plant bus)

Separated by Safety Integrated technology
Certified up to SIL 3 by TÜV
Reduced spares inventory
SIMATIC Safety Integrated
Error Detection and Error Containment

Safety functions to detect errors and handle errors are included in:
• F-CPU
• PROFIsafe communication
• F-I/O modules
• Field Devices

SIMATIC Safety Integrated
The Concept

Standard and fail-safe parts of one system:
• Programming: the standard programming tool STEP 7 with the fail-safe programming software S7 F Systems
• CPU: standard application program and fail-safe program (F-HW) in one CPU
• I/O: standard remote I/O and fail-safe I/O modules
• Bus: standard PROFIBUS DP carrying PROFIsafe
SIMATIC Safety Integrated
Safety Mechanisms: Coded Processing

Time redundancy and multiple channels instead of structural redundancy.

Two channels run on the same CPU one after the other (time redundancy):
1. Standard channel: operators A, B → operation AND → output C.
2. Coded channel: coded multi-channel operators /A, /B → multi-channel operation OR → multi-channel output D.
3. Comparison: D ≠ /C → stop; D = /C → output.
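The coded-processing mechanism above, as an added example that is not Siemens' implementation: the plain channel evaluates an AND/OR/NOT expression, the coded channel evaluates its De Morgan dual on complemented inputs, and the output is only released when D = /C; the fault-injection hooks are constructed to show that a corrupted intermediate result in either channel leads to a stop.

```python
"""Coded processing: the same logic evaluated twice on one CPU, once in plain
form and once in a diversely coded (complemented) form, with the two results
compared before the output is released.

Added example, not Siemens' implementation. The coded channel computes the
De Morgan dual on complemented inputs (/A, /B), so its code path and its
intermediate values differ from the plain channel while the result must be
exactly /C. The fault_* hooks are constructed stand-ins for a hardware fault.
"""
from typing import Callable, Dict, Optional, Tuple

# Expression tree: ("in", name) | ("not", e) | ("and", l, r) | ("or", l, r)
Expr = tuple


def evaluate(e: Expr, inputs: Dict[str, bool]) -> bool:
    """Channel 1: plain evaluation, e.g. A AND B -> C."""
    op = e[0]
    if op == "in":
        return bool(inputs[e[1]])
    if op == "not":
        return not evaluate(e[1], inputs)
    if op == "and":
        return evaluate(e[1], inputs) and evaluate(e[2], inputs)
    if op == "or":
        return evaluate(e[1], inputs) or evaluate(e[2], inputs)
    raise ValueError(f"unknown operator {op!r}")


def evaluate_coded(e: Expr, inputs: Dict[str, bool]) -> bool:
    """Channel 2: computes NOT evaluate(e) without ever forming evaluate(e):
    inputs are complemented, AND becomes OR and vice versa (De Morgan)."""
    op = e[0]
    if op == "in":
        return not inputs[e[1]]
    if op == "not":
        return not evaluate_coded(e[1], inputs)
    if op == "and":                       # /(l AND r) = /l OR /r
        return evaluate_coded(e[1], inputs) or evaluate_coded(e[2], inputs)
    if op == "or":                        # /(l OR r) = /l AND /r
        return evaluate_coded(e[1], inputs) and evaluate_coded(e[2], inputs)
    raise ValueError(f"unknown operator {op!r}")


def coded_cycle(e: Expr, inputs: Dict[str, bool],
                fault_plain: Optional[Callable[[bool], bool]] = None,
                fault_coded: Optional[Callable[[bool], bool]] = None
                ) -> Tuple[str, Optional[bool]]:
    """One processing cycle. Channel 1 runs first, channel 2 afterwards on the
    same CPU (time redundancy). The fault_* hooks corrupt one channel's
    result for the demo. Returns ("RUN", C) or ("STOP", None) when D != /C."""
    c = evaluate(e, inputs)               # C
    d = evaluate_coded(e, inputs)         # D, expected to equal /C
    if fault_plain is not None:
        c = fault_plain(c)
    if fault_coded is not None:
        d = fault_coded(d)
    if d != (not c):                      # comparison: D != /C -> stop
        return ("STOP", None)
    return ("RUN", c)                     # D = /C -> output released


def demo() -> Dict[str, Tuple[str, Optional[bool]]]:
    """Interlock from the page's figure, C = A AND B, with and without a
    single bit flip in one of the channels (constructed faults)."""
    expr = ("and", ("in", "A"), ("in", "B"))

    def flip(v: bool) -> bool:
        return not v

    return {
        "healthy": coded_cycle(expr, {"A": True, "B": True}),
        "healthy_off": coded_cycle(expr, {"A": True, "B": False}),
        "flip_plain": coded_cycle(expr, {"A": True, "B": True}, fault_plain=flip),
        "flip_coded": coded_cycle(expr, {"A": True, "B": False}, fault_coded=flip),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```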
SIMATIC Safety Integrated

New technology ensures the separation between safety and standard:
• No use of standard signals at safety blocks is possible
• Separate data areas for safety signals and standard signals
• Consistent marking of safety signals (yellow marking)
General System Design
CPU S7-400 and CPU 410

Single CPU (controller module: CPU with diagnostic circuit, 1oo1D, SIL 3)
• 1oo1D structure with diverse application software
• SIL 3 according to IEC 61508:2000
• HFT = 0; SFF > 99%

Redundant CPU (two controller modules, each a CPU with diagnostic circuit: 2oo2 of (1oo1D))
• 2oo2 of 1oo1D structure with diverse application software
• For shutdown both CPUs must be faulty
• SIL 3 according to IEC 61508:2000

HFT = Hardware Fault Tolerance, SFF = Safe Failure Fraction
General System Design
F-I/O modules

Digital Input Module (input module: input circuits, CPUs and diagnostic circuit; 1oo1D for SIL 2, 1oo2D for SIL 3)
• 24-channel SIL 2 in 1oo1D
• 12-channel SIL 3 in 1oo2D
• Internal diagnostic

Analog Input Module
• 6-channel SIL 3 in 1oo1D
• Internal 1oo2
• Internal diagnostic

Digital Output Module (output module: CPUs, output circuits, diagnostic circuit and main switch; 1oo2D SIL 3)
• 10-channel SIL 3 in 1oo1D
• Each channel is internally 1oo2
• Internal diagnostic
System Design

Non-Redundant Setup
• Single or dual sensors for inputs
• Redundant circuitry within I/O modules
• Redundant output circuits
• With one controller up to SIL 3
• HFT = 0; SFF > 99%
• According to IEC 61508-2, Table 3

(Figure: input module 1oo1D for SIL 2 / 1oo2D for SIL 3, controller module 1oo1D SIL 3, output module 1oo2D SIL 3; HFT = Hardware Fault Tolerance, SFF = Safe Failure Fraction)
System Design

Fully-Redundant Setup
Structure like 2oo4 systems, but with higher availability.

(Figure: redundant input modules (1oo1D for SIL 2, 1oo2D for SIL 3), redundant controller modules (2oo(1oo1D)) and redundant output modules (1oo2D))
System Design

2oo3 Voting

(Figure: three input channels (3oo(1oo1D)) voted 2oo3 by redundant controllers (2oo(1oo1D)) driving redundant output modules (2oo(1oo2D)))
Safety Integrated for Process Automation
The fully integrated safety solution
Safety Integrated for Process Automation
The fully integrated safety solution

Product data overview Controller S7-400

CPU 410-5H

Safety Integrated for Process Automation
The fully integrated safety solution

Product data overview ET 200M

Safety Integrated for Process Automation
The fully integrated safety solution

Product data overview ET 200M MTAs

Safety Integrated for Process Automation
The fully integrated safety solution

Product data overview ET 200iSP with PROFIBUS connectivity
Safety Integrated for Process Automation
The fully integrated safety solution

Time Stamping
• Accuracy of 30 ms with F-Modules
• Accuracy of 1 ms with standard modules

Safety Integrated for Process Automation
The fully integrated safety solution

Failsafe Field Instrumentation

http://w3.siemens.com/mcms/sensor-systems/en/Pages/functional-safety-sil.aspx
Safety Integrated for Process Automation

Common controller platform for process control and process safety
• One hardware for all

One engineering system for process control and process safety applications
• Reduces training and uses the available knowledge

User-friendly display of process safety information in PCS 7

Automatic integration of process safety diagnostics into the operator interface

Direct communication between DCS and SIS
• Less engineering work
Safety Integrated for Process Automation

SIMATIC S7-400FH with S7 F Systems

S7 F Systems is used for configuring the hardware and the safety-related process applications acc. to IEC 61511.
• STEP 7 option package for configuring the S7-400H controller with safety functionality
• Simplifies the documentation of the safety programs, e.g. by administration of signatures

→ The configuration of the safety programs can be done either with CFC or with Safety Matrix.
F User Program
CFC

Generation of the F user program in CFC by selecting and interconnecting the F library blocks (F block library with TÜV-certified blocks).
F User Program
Safety Matrix

Cause & Effect Method with automatic CFC generation (TÜV-certified)

Integrated Fieldbus
Process Safety for Process Automation



Safety Integrated with PROFIsafe

PROFIsafe is an application layer (profile) that describes the communication between fail-safe devices.

Originally published in 1999; current version (V2.61) published in August 2014.

Supports safe communication over the open standard buses PROFIBUS (DP, PA) and PROFINET.

TÜV certified
• IEC 61508 SIL 3
• EN 954-1 Cat 4

2.95 million nodes
PROFIsafe
OSI Model

(Figure: five stations side by side, each using OSI layers 1, 2 and 7: standard I/O, safety input, safety control, safety output and standard control; the three safety stations carry a safety layer on top of layer 7, while non-safety-critical functions such as diagnosis use the standard path)

"Black channel": ASICs, links, cables, etc. are not safety relevant.
Non-safety-critical functions, e.g. diagnosis.
"PROFIsafe": components of the safety-critical communication system: addressing, watchdog timers, sequencing, signature, etc.
Safety-relevant but not part of the PROFIsafe profile: the safety I/O and the safety control systems.
PROFIsafe
Lines of communication

(Figure: F-Host with DP master, PROFIBUS DP to modular slaves carrying F-DI, F-AI and F-DO modules; the PROFIsafe message is encapsulated end to end between the F-Host and the F-module, across the slave's local bus down to the sensor)
PROFIsafe
Error detection measures

Error \ Measure | Sequence number | Time expectation w. acknowledgement | Identifier for sender and receiver | Data backup (CRC)
Retry | x | | |
Loss | x | x | |
Insertion | x | x | x |
Wrong sequence | x | | |
Data corruption | | | | x
Delay | | x | |
Linking of safety-oriented and standard messages (masquerade) | | x | x | x
FIFO error | | x | |

Measures must be implemented and controlled in all stations.
PROFIsafe
Protocol

Standard message frame (max. 244 bytes DP data):

F I/O data (max. 12 / 122 bytes) | Status / control byte (1 byte) | Sequence number, sender-based counter (1 byte) | CRC across F-data and F-parameter (2 / 4 bytes *) | Standard I/O data (240 / 238 bytes minus F-data)

*) 2 bytes CRC for a max. of 12 bytes F I/O data; 4 bytes CRC for a max. of 122 bytes F I/O data
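A consumer-side check of the frame layout above, mapping each rejection onto the error detection measures of the previous slide (sequence number, time expectation, identifier via the F-parameters in the CRC, CRC), as an added example that is not code from PROFIBUS & PROFINET International or Siemens. The CRC polynomial, the F-parameter byte layout, the watchdog budget and all sample frames are constructed stand-ins; the real profile defines its own polynomials and parameter encoding, which the page does not give.

```python
"""Consumer-side checks for a frame with the layout on the page:
F I/O data | status/control byte | sequence number | CRC (2 bytes for up to
12 bytes of F data), the CRC being formed across the F data and the F-parameters.

Added example, not code from PROFIBUS & PROFINET International or Siemens.
CRC-16/CCITT-FALSE, the F-parameter layout, the watchdog budget and every
sample frame are constructed stand-ins. Verdicts map onto the page's error
table: REPEAT/SEQUENCE from the sequence number, TIMEOUT from the time
expectation, CRC from the data check and, because the F-parameters are folded
into it, also for a frame addressed to another F-device (masquerade).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

F_DATA_MAX_SHORT = 12     # page: 2-byte CRC for max. 12 bytes of F I/O data


def crc16(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE, polynomial 0x1021 (a stand-in, see module docstring)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(f_data: bytes, status: int, seq: int, f_params: bytes) -> bytes:
    """Producer side. f_params never travels on the wire but is part of the
    CRC, which binds the frame to one configured sender/receiver pair."""
    if len(f_data) > F_DATA_MAX_SHORT:
        raise ValueError("only the short frame with a 2-byte CRC is modelled")
    body = f_data + bytes([status & 0xFF, seq & 0xFF])
    return body + crc16(f_params + body).to_bytes(2, "big")


@dataclass
class FConsumer:
    f_params: bytes        # the consumer's own F-parameters (addresses etc.)
    n_f_data: int          # configured length of the F I/O data
    watchdog_ms: int       # time expectation: max. gap between valid frames
    last_seq: int = 0      # assumption: counter runs 1..255, 0 only before start
    last_ok_ms: int = 0

    def reintegrate(self, now_ms: int) -> None:
        """Operator acknowledgement after a fail-safe reaction; restarts the
        time expectation. Without it the consumer stays in the safe state."""
        self.last_ok_ms = now_ms

    def accept(self, frame: bytes, now_ms: int) -> Tuple[str, Optional[bytes]]:
        """Return (verdict, f_data). Any verdict but "OK" means the consumer
        keeps its fail-safe substitute values (None here) for this cycle."""
        if len(frame) != self.n_f_data + 1 + 1 + 2:
            return ("LENGTH", None)          # foreign or truncated frame
        body, crc_rx = frame[:-2], int.from_bytes(frame[-2:], "big")
        if crc_rx != crc16(self.f_params + body):
            return ("CRC", None)             # corruption, or masquerade: a frame
                                             # for another F-address fails here
        if now_ms - self.last_ok_ms > self.watchdog_ms:
            return ("TIMEOUT", None)         # delay, FIFO error, lost frames
        seq = body[-1]
        if seq == self.last_seq:
            return ("REPEAT", None)          # retry of an already consumed frame
        if seq != (self.last_seq % 255) + 1:
            return ("SEQUENCE", None)        # loss, insertion or wrong order
        self.last_seq, self.last_ok_ms = seq, now_ms
        return ("OK", body[:self.n_f_data])


def demo() -> List[str]:
    """Constructed exchange: one producer/consumer pair plus a second producer
    configured for another F-address, feeding the consumer in this order."""
    mine = bytes.fromhex("00100020")    # constructed F-params: src 0x0010, dst 0x0020
    other = bytes.fromhex("00100021")   # constructed: a device addressed to dst 0x0021
    data = bytes.fromhex("01020304")
    consumer = FConsumer(mine, n_f_data=len(data), watchdog_ms=100)

    def frame(seq: int, params: bytes = mine) -> bytes:
        return build_frame(data, 0x00, seq, params)

    corrupted = bytearray(frame(3))
    corrupted[0] ^= 0xFF                 # one data byte flipped in transit
    verdicts = [
        consumer.accept(frame(1), 10)[0],            # OK
        consumer.accept(frame(1), 20)[0],            # REPEAT: same frame again
        consumer.accept(frame(3), 30)[0],            # SEQUENCE: frame 2 missing
        consumer.accept(frame(2), 40)[0],            # OK: frame 2 arrives in order
        consumer.accept(frame(3, other), 50)[0],     # CRC: masquerade, other F-address
        consumer.accept(bytes(corrupted), 60)[0],    # CRC: corrupted data byte
        consumer.accept(frame(3), 200)[0],           # TIMEOUT: 160 ms since last valid
    ]
    consumer.reintegrate(205)
    verdicts.append(consumer.accept(frame(3), 210)[0])   # OK after acknowledgement
    return verdicts


if __name__ == "__main__":
    print(demo())
```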
Integrated Safety Fieldbus

PROFIBUS
• Well-known fieldbus solution
• Open standard
• First fieldbus with safety instruments

PROFIsafe on PROFIBUS DP / PA and PROFINET
• FMR: high flexibility in choosing the redundancy levels for safety and availability
• One PROFIBUS cable for standard and safety-related communication (PROFIsafe) is possible
• Fast system setup and commissioning, due to the use of the existing PROFIBUS
• Safety from the controller through the I/O level to the field level
PROFINET in SIMATIC PCS 7 and Process Safety
PCS 7 V8.1

(Figure: PCS 7 OS server on the Industrial Ethernet plant bus; fault-tolerant PCS 7 automation systems with CPU 410-5H; PROFINET field bus with ET 200M PN, ET 200SP PN, weighing systems, SIMOCODE PN, PAC 3200/4200 PN, SINAMICS PN, and an IE/PB-Link to PROFIBUS DP / PROFIBUS PA via AFD / AFDiS and PA coupler into Zone 2 / Zone 1)

Callouts:
• Second PROFINET IO controller on CPU 410-5H, including PROFIsafe
• ET 200M PN with PROFIsafe communication for F-DI, F-DO and F-AI
• Complete integration of SIMOCODE
• Failsafe communication between AS 400 controllers
Flexible Modular Redundancy
Process Safety for Process Automation



Flexible Modular Redundancy (FMR)
based on PROFIBUS DP
Ultimate flexibility to choose the redundancy levels to fit each Safety Instrumented Function (SIF)

Mix and match to meet the goals of the application

(Figure: one controller with DI, AI and DO modules on PROFIBUS DP, configured per loop as 1oo1D, 2oo2D (dual 1oo1D), 1oo2D, 2oo3, 1oo3 or 3oo3)
Flexible Modular Redundancy (FMR)
based on PROFIBUS DP

• Make any component redundant
• Physically separate redundant resources
• Mix and match redundancy (simplex, dual and triple I/O side by side)
• Tolerate multiple faults with no impact on safety

(Figure: controller with DI, AI and DO modules, some simplex, some dual, some triple, with several faulted modules marked; the safety function remains available)


Flexible Modular Redundancy (FMR)

Safety Integrity Level up to SIL 3 with one controller
• Highest Safety Integrity Level

Highest Flexibility
• Separate or combine safety and standard application in one CPU
• Use redundancy for safety only where it is needed
• Parallel use of PROFIsafe on PROFIBUS or PROFINET

Highest Availability through Multiple Fault Tolerance
• Architecture allows the system to tolerate multiple faults
• I/O redundancy independent of CPU redundancy
• I/O and device redundancy can be matched to maximize availability

Cost reducing
• Use redundancy only where you need it for safety or availability
• Parallel use of PROFIsafe on PROFIBUS or PROFINET
Safety Lifecycle Management
Process Safety for Process Automation



The IEC 61511(ISA S84) Safety Lifecycle

Steps of the Safety Lifecycle
Functional Safety Management according to IEC 61511

Siemens can support you.
Have a look at our offer: www.siemens.com/processsafety
Functional Safety Management

Process safety knowledge is required.

Siemens Functional Safety Trainings
Have a look at our training courses at SITRAIN: www.sitrain.com

Order codes:
ST-WSFSP
ST-WSPUP
ST-PCS7SAF

And become a Siemens Functional Safety Professional (SFSP).
The IEC 61511 (ISA S84) Safety Lifecycle

The different phases of the safety lifecycle:
• Analysis Phase
  • Identification of hazards and risks
  • Development of the Safety Requirement Specification for the Safety Instrumented System
  • Allocation of safety functions to protective layers
• Realization Phase
  • Design and engineering of the Safety Instrumented System
  • Design and development of other means of risk reduction
  • Installation, commissioning & validation
• Operation Phase
  • Operation & maintenance
  • Modification
  • Decommissioning
The Analysis Phase with the Safety Matrix

The Analysis Phase
• The SIMATIC Safety Matrix as engineering tool or editor
• Development of the Safety Requirement Specification (SRS) for the Safety Instrumented System
• SIMATIC Safety Matrix Editor as tool for the documentation of the safety functions for the SRS
• Easy definition with Cause & Effect
• Easy understanding for all involved persons
The Realization Phase with the Safety Matrix

The Realization Phase

• The SIMATIC Safety Matrix as Engineering Tool

• Configuration of the Safety Functions with the Cause & Effects Method

• Automatic TÜV-certified Creation of the Safety Logic from the Cause & Effect matrix

• Easy Configuration without special Programming Knowledge

The Operation Phase with the Safety Matrix

• Online view of the signal status and of causes & effects, automatically integrated in PCS 7
• First alarm display and storage
• Supports operation functions such as bypass, reset, override and parameter changes
• Sequence of event recording
• Automatic report of operation functions
• Automatic version tracking
• Automatic documentation of changes

The Safety Matrix

Engineering and Design
• Easy to use due to the Cause & Effect matrix
• Automatic generation of the safety CFC program for the controller

Operation and Maintenance
• Online view, integrated into PCS 7
• Supports operation functions such as bypass, reset and override
• Sequence of event recording
• First alarm display

Safety Lifecycle Management Tool
• Integrated version tracking
• Integrated documentation of operator manipulations
• Integrated documentation of changes
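The following Python model is added here to show the mechanics behind the Safety Matrix slides above: one row per cause with MooN voting, effects that latch until an operator reset, a maintenance bypass, first-out (first alarm) capture and a sequence-of-events log. It is illustration code written for this page, not the SIMATIC Safety Matrix and not Siemens code; it generates no CFC logic, and the tag names, voting and cause/effect links are constructed.

```python
"""Cause & effect (C&E) matrix evaluator.

Added illustration, written for this page, of the cause-and-effect method the
Safety Matrix slides describe: it is not the SIMATIC Safety Matrix and produces
no CFC code.  Tag names, voting and the cause/effect links are constructed.
Modelled: MooN voting per cause, latched effects with operator reset, bypass of
a cause, first-out (first alarm) capture and a sequence-of-events (SOE) log.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Cause:
    name: str
    sensors: Tuple[str, ...]      # input tags feeding this cause
    voting: str = "1oo1"          # "MooN": at least M of the N sensors must be tripped

    def tripped(self, inputs: Dict[str, bool]) -> bool:
        needed = int(self.voting.split("oo")[0])
        return sum(1 for tag in self.sensors if inputs.get(tag, False)) >= needed


@dataclass
class SafetyMatrix:
    causes: List[Cause]
    effects: List[str]
    links: Dict[str, Tuple[str, ...]]          # cause name -> effects marked "X" in its row
    latched: Dict[str, bool] = field(default_factory=dict)
    first_out: Optional[str] = None
    soe: List[str] = field(default_factory=list)

    def evaluate(self, t: int, inputs: Dict[str, bool],
                 bypassed: Iterable[str] = ()) -> Dict[str, bool]:
        """One logic cycle at time t; returns the demanded state of every effect."""
        bypassed = set(bypassed)
        for cause in self.causes:
            if cause.name in bypassed:
                self.soe.append(f"t={t} BYPASS {cause.name}")   # maintenance override, always logged
                continue
            if not cause.tripped(inputs):
                continue
            if self.first_out is None:
                self.first_out = cause.name
                self.soe.append(f"t={t} FIRST-OUT {cause.name}")
            for effect in self.links.get(cause.name, ()):
                if not self.latched.get(effect):
                    self.soe.append(f"t={t} TRIP {cause.name} -> {effect}")
                    self.latched[effect] = True
        return {e: bool(self.latched.get(e)) for e in self.effects}

    def reset(self, t: int, inputs: Dict[str, bool]) -> bool:
        """Operator reset; refused while any cause still has a demand."""
        if any(c.tripped(inputs) for c in self.causes):
            self.soe.append(f"t={t} RESET refused: demand still present")
            return False
        self.latched.clear()
        self.first_out = None
        self.soe.append(f"t={t} RESET accepted")
        return True


def build_demo_matrix() -> SafetyMatrix:
    # Constructed example: a 2oo3 high-pressure trip closes the feed valve;
    # a low-level trip stops the pump and also closes the valve.
    causes = [Cause("PAHH-101", ("PT-101A", "PT-101B", "PT-101C"), "2oo3"),
              Cause("LALL-201", ("LT-201",), "1oo1")]
    links = {"PAHH-101": ("XV-101 close",),
             "LALL-201": ("P-201 stop", "XV-101 close")}
    return SafetyMatrix(causes, ["XV-101 close", "P-201 stop"], links)
```

The bypass is deliberately the most dangerous operation in the model: a bypassed cause is skipped entirely, so the only protection is that every cycle in which it is active is written to the SOE log, which is the behaviour the "Integrated Documentation of Operator Manipulations" bullet refers to.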

Safety Integrated for Process Automation

Certificates



Safety Integrated for Process Automation
Certificates

Where can I find the certificates?

Safety Integrated for Process Automation

Additional Information



Safety Integrated for Process Automation

Safety & Security



Safety Integrated for Process Automation
Safety & Security

Industrial Security
• Is becoming more and more important
• Plants are connected to the office network
• Plants are connected to the Internet

What is needed
• Concepts to secure the plant
• Especially the safety systems

Does a solution exist?
• IEC 62443
• Working groups such as ISA84 are working on this issue
• Certifications are available

Safety Integrated for Process Automation
Safety & Security IEC 62443

Part 3-3: System security requirements and security levels
Annex A.2.3 Using Security Levels

"… The BPCS and SIS both use PLCs to operate different aspects of the loading station with the SIS using a special functional safety PLC (FS-PLC) rated for use in safety systems. The two PLCs are connected via a non-routable serial or Ethernet connection using a boundary protection device. Each of the PLCs is connected to a local switch with an engineering workstation for programming and HMI for operating."

Safety Integrated for Process Automation
Safety & Security ISA84 WG9

• The ISA84 WG9 technical report addresses the issue of safety instrumented system security
• Annex A – Example SIS interfaces to the Enterprise Network describes a series of example security architectures for implementing a SIS: air-gapped, interfaced, integrated 2 zone, integrated 1 zone
• "The examples are conceptual and not intended as a template for every system. They are intended to represent different approaches an end user might elect to implement a SIS"

→ With PCS 7 Safety Integrated it is possible to set up the recommended architectures

Safety & Security
ISA84 WG9 – Annex A - Example SIS Interfaces to the Enterprise Network

• Air-gapped: In this design, the SIS is both logically and physically isolated from communicating with the rest of the zones.
• Interfaced: SIS and BPCS are still connected using discrete wiring, but they now include a direct point-to-point communication connection.
• Integrated 2 zone: BPCS and SIS systems are fully integrated and provide direct, real-time communication between the systems.
• Integrated 1 zone: The SIS and BPCS systems are integrated providing greater communication between those systems and higher-level systems.
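The four Annex A variants differ only in which conduits reach the SIS zone and how those conduits are filtered. The Python model below, added here as an example and not taken from ISA84 or from Siemens, expresses each variant as a set of zone-to-zone conduits and then asks two questions a reviewer of such an architecture would ask: which observed flows are not permitted by any conduit, and how many routable conduit crossings separate the enterprise network from the SIS. Zone names, the protocol filters and the "observed" flows are constructed; a real assessment would take them from the plant's firewall policy and captured traffic.

```python
"""Zone-and-conduit model of the four ISA84 WG9 Annex A example SIS architectures.

Added example written for this page (not ISA84 or Siemens code).  Zone names,
conduit protocol sets and the 'observed' flows are constructed to follow the
four sketches above.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    protocols: FrozenSet[str]     # what the boundary device lets through; "*" = unfiltered
    routable: bool = True         # False: serial / non-routable point-to-point link

    def permits(self, src: str, dst: str, proto: str) -> bool:
        return ((src, dst) == (self.src, self.dst)
                and ("*" in self.protocols or proto in self.protocols))


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str


def link(a: str, b: str, protos: Set[str], routable: bool = True) -> List[Conduit]:
    """Bidirectional conduit with the same filter in both directions."""
    p = frozenset(protos)
    return [Conduit(a, b, p, routable), Conduit(b, a, p, routable)]


def architecture(name: str) -> List[Conduit]:
    # Levels 3 -> 2 -> 1 are the same in all four variants; only the SIS conduits differ.
    common = (link("ENTERPRISE", "DMZ", {"https"})
              + link("DMZ", "OS", {"opc"})
              + link("OS", "BPCS", {"s7-hmi", "s7-engineering", "alarms"}))
    if name == "air-gapped":          # SIS has no network conduit; discrete wiring only
        return common
    if name == "interfaced":          # point-to-point, non-routable SIS<->BPCS link
        return common + link("SIS", "BPCS", {"modbus"}, routable=False)
    if name == "integrated-2-zone":   # SIS in its own zone behind a boundary device
        return common + link("SIS", "BPCS", {"s7-peer"}) + [
            Conduit("OS", "SIS", frozenset({"s7-hmi", "s7-engineering"})),
            Conduit("SIS", "OS", frozenset({"s7-hmi", "alarms"})),
        ]
    if name == "integrated-1-zone":   # SIS shares the BPCS zone: same exposure as the BPCS
        return (common + link("SIS", "BPCS", {"*"})
                + link("OS", "SIS", {"s7-hmi", "s7-engineering", "alarms"}))
    raise ValueError(name)


def violations(conduits: List[Conduit], flows: List[Flow]) -> List[Flow]:
    """Flows that no conduit permits (firewall deny-log candidates or audit findings)."""
    return [f for f in flows
            if not any(c.permits(f.src, f.dst, f.proto) for c in conduits)]


def hops_to(conduits: List[Conduit], src: str, dst: str) -> Optional[int]:
    """Fewest routable conduit crossings from src to dst; None if no IP path exists."""
    adj: Dict[str, Set[str]] = {}
    for c in conduits:
        if c.routable:
            adj.setdefault(c.src, set()).add(c.dst)
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        zone, dist = queue.popleft()
        if zone == dst:
            return dist
        for nxt in adj.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


OBSERVED: List[Flow] = [                              # constructed sample traffic
    Flow("OS", "BPCS", "s7-hmi"),
    Flow("OS", "SIS", "s7-hmi"),
    Flow("OS", "SIS", "s7-engineering"),
    Flow("BPCS", "SIS", "modbus"),
    Flow("ENTERPRISE", "SIS", "s7-engineering"),      # office host talking straight to the SIS
]


def evaluate_all() -> Dict[str, Tuple[int, Optional[int]]]:
    """name -> (number of unpermitted observed flows, routable hops ENTERPRISE -> SIS)."""
    names = ("air-gapped", "interfaced", "integrated-2-zone", "integrated-1-zone")
    return {n: (len(violations(architecture(n), OBSERVED)),
                hops_to(architecture(n), "ENTERPRISE", "SIS")) for n in names}
```

Running evaluate_all() shows the trade-off the table states in words: the air-gapped and interfaced variants leave the SIS without any routable path from the enterprise (the serial link is excluded from the hop count), while both integrated variants put the SIS three filtered crossings away from the office network; the 1-zone variant additionally admits everything the BPCS admits, so the BPCS-to-SIS Modbus flow that the 2-zone boundary device blocks is accepted there.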

SIMATIC PCS 7
SIS architectures I → Air-gapped

[Architecture diagram; recoverable content:]
• Level 2: OS clients, separate SIS and BPCS engineering stations and the OS server on the Industrial Ethernet terminal bus
• Level 1: two separate Industrial Ethernet plant buses
  • Safety-related automation system S7-400 F/FH with ET 200M (standard and F modules), ET 200M (F modules) and ET 200iSP (hazardous-area Zone 1)
  • Fault-tolerant automation system S7-400H with ET 200M (standard modules) and ET 200iSP (hazardous-area Zone 1)
• Level 0: PA link, PROFIBUS PA

SIMATIC PCS 7
SIS architectures II → Interfaced

[Architecture diagram; recoverable content: same Level 0 to Level 2 components as in architecture I, with the S7-400 F/FH safety-related automation system and the S7-400H fault-tolerant automation system on separate Industrial Ethernet plant buses]

SIMATIC PCS 7
SIS architectures III → Integrated 2 zone

[Architecture diagram; recoverable content: same Level 0 to Level 2 components as in architecture I, with the S7-400 F/FH safety-related automation system and the S7-400H fault-tolerant automation system on separate Industrial Ethernet plant buses]

SIMATIC PCS 7
SIS architectures IV - Integrated 2 zone

[Architecture diagram; recoverable content:]
• Level 3: MES, separated by a front firewall and a back firewall
• Level 2: SIS engineering stations, OS clients, engineering stations and the OS server on the Industrial Ethernet terminal bus
• Level 1: one Industrial Ethernet plant bus with SCALANCE S; safety-related automation systems S7-400 F/FH with ET 200M (standard and F modules) and ET 200M (F modules); fault-tolerant automation system S7-400H with ET 200M (standard modules)
• Level 0: ET 200iSP (hazardous-area Zone 1) on both systems

SIMATIC PCS 7
SIS architectures V - Integrated 1 zone

[Architecture diagram; recoverable content:]
• Level 3: MES, separated by a front firewall and a back firewall
• Level 2: OS clients, one combined SIS / BPCS engineering station and the OS server on the Industrial Ethernet terminal bus
• Level 1: one Industrial Ethernet plant bus with SCALANCE S; safety-related automation systems S7-400 F/FH with ET 200M (standard and F modules) and ET 200M (F modules); fault-tolerant automation system S7-400H with ET 200M (standard modules)
• Level 0: ET 200iSP (hazardous-area Zone 1) on both systems

SIMATIC PCS 7
SIS architectures IV: access rights

[Diagram; recoverable content:]
• Administrator with all access rights
• User with access rights for the SIS
• User with access rights for the BPCS
• Level 2: Engineering Client (ES16), PCS 7 clients, Engineering Server (ES17) and redundant server on the terminal bus
• Level 1: AS SIS and AS BPCS on the system bus

SIMATIC PCS 7
SIS architectures

H-CPU V6: additional layer of protection with SFC 109 "PROTECT"

Download or modification of the F-application from the engineering stations requires both:
• the password from the ES, and
• a release from the key switch (or from the HMI)

Configuration: set security level 12 with password and insert SFC 109 in the program; the release is given e.g. by a key switch.
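The point of the slide is defence in depth against a compromised engineering station: a correct CPU password on its own must not be enough to change the F-application. The Python model below is added here to make that decision table explicit; it is illustration code written for this page, not Siemens firmware and not the real SFC 109 interface. The protection-level semantics it assumes (level 1 = no protection, level 2 = write protection removable with the password, level 3 = read and write protection) and the method name sfc109_protect are modelling choices, and the password is constructed.

```python
"""Access-decision model for a safety CPU with password plus hardware release.

Added illustration of the scheme on this slide: downloading or modifying the
F-application needs the CPU password from the ES AND a release signal (e.g. a
key switch) that the safety program feeds into the CPU.  Plain-Python model
written for this page, not Siemens firmware and not the real SFC 109 interface.
Assumed protection levels: 1 = no protection, 2 = write protection (writes need
the password), 3 = read/write protection (reads need it too).
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Tuple

READ, WRITE, DOWNLOAD_F = "read", "write", "download_f"


def _digest(password: str) -> bytes:
    # Constructed: a real CPU keeps its own credential form; hashing here only
    # avoids holding the clear-text password in the model.
    return hashlib.sha256(password.encode()).digest()


@dataclass
class SafetyCpu:
    password_digest: bytes
    protection_level: int = 2        # configured in HW Config, removable with password
    f_release: bool = False          # driven by the cyclic SFC-109-style call below
    soe: List[str] = field(default_factory=list)

    @classmethod
    def with_password(cls, password: str, level: int = 2) -> "SafetyCpu":
        return cls(_digest(password), level)

    def sfc109_protect(self, key_switch_release: bool) -> None:
        """Called cyclically from the safety program: mirror the key switch
        (or a confirmed HMI release) into the F-download release flag."""
        if key_switch_release != self.f_release:
            state = "GRANTED" if key_switch_release else "WITHDRAWN"
            self.soe.append(f"F release {state} by key switch")
        self.f_release = key_switch_release

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(_digest(password), self.password_digest)

    def request(self, kind: str, password: str = "") -> Tuple[bool, str]:
        """Decision table: what the ES may do at the current protection level."""
        pw = self._password_ok(password) if password else False
        if kind == READ:
            ok = self.protection_level < 3 or pw
            reason = "read permitted" if ok else "read needs password at level 3"
        elif kind == WRITE:
            ok = self.protection_level == 1 or pw
            reason = "write permitted" if ok else "write needs password"
        elif kind == DOWNLOAD_F:
            # Second factor: even a correct (possibly stolen) ES password is
            # not enough while the hardware release is absent.
            if not (self.protection_level == 1 or pw):
                ok, reason = False, "F download rejected: bad or missing password"
            elif not self.f_release:
                ok, reason = False, "F download rejected: no key-switch release"
            else:
                ok, reason = True, "F download accepted"
        else:
            ok, reason = False, f"unknown request {kind!r}"
        self.soe.append(f"{kind}: {reason}")
        return ok, reason


def demo() -> List[Tuple[bool, str]]:
    cpu = SafetyCpu.with_password("S7-demo-password")      # constructed credential
    results = [
        cpu.request(READ),                                  # free at level 2
        cpu.request(DOWNLOAD_F, "S7-demo-password"),        # right password, no release
        cpu.request(DOWNLOAD_F, "guess"),                   # wrong password
    ]
    cpu.sfc109_protect(key_switch_release=True)
    results.append(cpu.request(DOWNLOAD_F, "S7-demo-password"))   # both factors present
    cpu.sfc109_protect(key_switch_release=False)
    results.append(cpu.request(DOWNLOAD_F, "S7-demo-password"))   # release withdrawn again
    return results
```

The sequence in demo() is the attack the slide defends against: an ES with the correct password is refused until somebody physically turns the key, and refused again once the key is turned back. Every grant and withdrawal of the release lands in the event log, which is what an incident responder would correlate with the engineering audit trail.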

Industrial Security
PCS 7 Compendium F

Update of the PCS 7 Compendium F available since 11/2013
http://support.automation.siemens.com/WW/view/en/77507462
• Contains, among other enhancements, in chapter 4 "System hardening" a list of unneeded services that can be disabled on a PC station.

Safety & Security
System Certification

Safety & Security
Certification

Achilles Level II Certification
• 82 products
  • Controllers: all S7-400 CPUs
  • Communication cards
  • Network devices certified as firewall

SIMATIC PCS 7 V9.0
Industrial Security TÜV Certification

Features
• Siemens (DF and PD) is the first manufacturer to achieve TÜV certification of its product life cycle process based on IEC 62443-4-1
• PD PA AE is the first manufacturer to achieve TÜV certification based on IEC 62443-3-3, for SIMATIC PCS 7

Key Benefits
• Product development is compliant with current IACS security standards
• SIMATIC PCS 7 is compliant with current IACS security standards

Examples

SIL Verification according to IEC 61508, IEC 61511 and VDI 2180-4



Thank you for your attention!

siemens.com/process-safety

