Siemens Safety Systems.
NTNU 14.03.2011, Arnt Olav Sveen

Historikk og bakgrunn

Applikasjoner

Krav i IEC61508

Løsninger
» Basis for løsninger
» Kontroller / sentralsystem
» Inngangs og utgangs moduler
» Human - Machine Interface
» Programvare /programmering
» Kommunikasjon / nettverk
» Hjemmesikkerhetssystem
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.1
Siemens Safety Systems.
The prevention of accidents should not be considered
a question of legislation, but instead our
responsibility to fellow beings and economic sense
(Werner von Siemens in 1880)
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.2
History of Siemens Safety Systems
S7 F Systems
Distributed Safety
S7-400FH / PROFIsafe
(1999)
S7 151F/315F/317F/416F
(2002/2003)
Safety Matrix
(1999)
QUADLOG
(1995)
SIMATIC S595F
SIMATIC S5110F
(1980)
(1994)
SIMATIC S5115F
(1988)
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.3
Siemens Safety Systems.

First large safety project 1985, Oseberg Feltsenter

To day nearly 30% of installed safety systems in Norwegian part of
the North Sea, and numerous deliveries world wide.

First solutions, Simatic PLC's with additional hardware, 2 PLC's
running independently.

To-day a full range of S7 F, TÜV verified systems

Work procedures according to IEC61508, SINTEF verified, and a full
scope of function blocks and typicals
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.4
Siemens Safety Systems, traditional systems.
Siemens Safety Systems applications are based on long experience
•
•
•
•
Stena Don
Statfjord A
Snorre B
Huldra
2000
2000
2000
2000
•
•
•
•
•
Oseberg South
Embla
Oseberg Gas
Troll C
Statfjord B
2000
2000
1999
1999
1998
• Visund
• Eldfisk WIP
• Oseberg East
1998
1999
1997
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
• Petrojarl Foinhaven
• Njord A & B
1996
1995
•
•
•
•
•
Statfjord C
Vigdis
Ekofisk
Eldfisk alpha
Brage
1995
1995
1995
1993
1992
•
•
•
•
Embla
Snorre TLP
Oseberg A
Oseberg B
1991
1990
1988
1987
100.5
Siemens Safety Systems, S7, PCS7

HULDRA (Norway)
2000

MAERSK XL1 /XL2 (worlds largest jack up’s, built in Korea)
2002

EKOFISK 2/7A
2002

Visund
2006-2011

Halfdan 5 platforms

Al Shaheen

White Rose FPSO (Canada/ built in Canada/Korea/Abu Dhabi/USA)
2005

P50, Albacore Leste FPSO (Brazil) , PRA 1
2005-2007

FPSOcean 1 (China)
2007-2009

Santa Fe (USA, 2 drilling Rigs)
2004

Oseberg Field-centre
2005 -2007

Statfjord A/B/C ESD and F&G
2004-2007

Sevan SSP300-1, 2 and 3
2005-2008

Deep Sea Driller 1and 2
2007-2011

Blackford Dolphin
2006-2008

Snorre TLP
2006-2011

Tor
2011

Yme (upgrade)
2011
(Denmark/built in Singapore and Holland)
(28 platforms in Qatar)
(Norway) (113 off S7 400/400FH , 35000 I/O)
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
2003-2011
2003- 2010
100.6
Safety Systems Applications
Hva er et sikkerhetssystem (SIS)?
Hvor griper det inn i en
ulykkesutvikling, og
forhåpentligvis stanser
den?
Disaster
protection
Disaster protection
Collection
basin
Passive protection
Overpressure
valve, rupture
disc
Safety system
(automatic)
Active protection
Safety
shutdown
Plant
personnel
intervenes
Basic
automation
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
Safety Instrumented
System (SIS)
Process alarm
Process
value
Process control
system
Normal activity
100.7
Safety Systems Applications
Hva er et sikkerhetssystem (SIS)?
Safety Instrumented System (SIS)
Inputs
PT
1A
Outputs
Basic Process Control System
(BPCS)
Inputs
Outputs
PT
1B
I/P
FT
Reactor
Low level
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.8
Safety Systems Applications
Og hva er “Equipment Under Control”, EUC?
PROFIBUS-DP
AS 414 F
AS 417 F
ET 200M
IM 153
F-I/O Modules
Safety
Module
Standard
I/O Modules
Pressurized
Vessel
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.9
Safety Systems Applications
Purpose
Risk reduction by safety systems, SIS
Residual
Residual
Risk
Risk
Tolerable
Tolerable
Risk
Risk
From IEC 61508:
EUC
EUC
risk
risk
Necessary Risk Reduction
Actual Risk Reduction
Increasing
Risk
Risk
Risk reduction
reduction achieved
achieved by
by all
all safety-systems
safety-systems
Hensikten med å innføre et sikkerhetssystem, er å få risikoen ned til et akseptabelt nivå.
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.10
Safety Systems Applications
What is Risk? Who decides what is acceptable risk?
 Examples







of fatality risk figures
Road accident
Car accident
Accident at work
Falling Aircraft
Lightning strike
Insect/Snake bite
Smoking 20 per day
100cpm
150cpm
10cpm
0.02 cpm
0.1cpm
0.1cpm
5000 cpm
1.0x10-4/yr
1.5x10-4/yr
1.0x10-5/yr
2.0x10-8/yr
1.0x10-7/yr
1.0x10-7/yr
5.0x10-3/yr
1 av 100 (ved levetid 100 år)
1,5 av 100
1 av 1000
2 av 1000 000
1 av 100 000
1 av 100 000
1 av 2
cpm = chances per million of the population (per year)
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.11
Safety Systems Applications
Risk reduction by safety systems, SIS
Unacceptable Risk Region
Containment Dike
Hazard #1
Control System
Likelihood
Operator Intervention
SIL1
SIL2
Safety Instrumented Function
SIL3
Tolerable Risk Region
Consequence
Risikoreduksjonen er større ved et høyere SIL
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.12
Safety Systems Applications
What is Safe state?
Can the Safety System bring the area or
equipment to a safe state?
How?
What is required?
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
Power Plant
100.13
Safety Systems Applications
Some of the Safety Systems Applications

ESD, Emergency Shutdown

F&G, Fire & Gas Detection, Fire-fighting

Process Shutdown

Fire-pump Logic

Ballast Control

Blow-down

Riser release / Anchor Release

Fire Dampers, Active Smoke Control

HIPPS, High Integrity Pressure Protection System
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.14
Safety Systems
Topology for total platform control system including safety
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.15
Fire & Gas Topology (sample)
F&G ES D
W id e S c r e e n O v e rv ie w
E th e rn e t 1 0 0 M b it
E th e rn e t 1 0 0 M b it
C o m m a n d s fro m O S to S IL 3
In d u s tria l E th e rn et 1 00 M b it
P R O F IB U S /
P r o fiS a fe (S IL 3 )
In d u s tria l E th e rn et 1 00 M b it
C o m m u n ic a tio n to o th e r
n o d e s S IL 3
S 7 -4 0 0 F H (S IL 3 , a n d re d u n d a n t)
A L A RM
Fire ext.. acktivated
S ilence buzzer
Fire Brig. recvd.
M ore Alarms
P rewarning
S ilence sounders
Reset
1
2
3
4
5
6
7
8
9
C
0
E arly warning
Fault
S ystem fault
Function disabled
Test
?
S elf V erify
S IE M E N S
Fire vent. activ.
P ower
S IE M E N S
S IL 2
S o ftw a re is im p le m e n te d
a c c o rd in g to p ro c ed u re , SIL 3
P R O F IB U S /P ro fiS a fe (S IL 3 )
P R O F IB U S /P ro fiS a fe (S IL 3 )
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.16
F&G System Topology (the different modules)
R e m o te C o n tro l
(V e s le frik k)
F & G M a trix
I/O m o d ule s
S IL 2 /3
P R O F IB U S /
P R O F IS A F E
S IL3 a n d re d un d a n t
R e d u nd a n t, o pe ra to r s ta tio n s,e a ch w ith
d u a l p o w er su p p lie s a n d
m u lti C P U 's
(to ler a ba b le fo r C P U e rro rs )
R a d io
Redundant Operator
Stations
R a d io
N o te :
S ep a ra te b u s s yte m s a re u se d
fo r in te rfa c e to m a trix e s to av o id
co m m o n m o d e failu r re s w ith fie ld I/O
F&G Matrix
Redundant Safety
Servers
R e d u nd a n t, se rv e rs,e a ch w ith
d u a l p o w er su p p lie s a n d
m u lti C P U 's
(to ler a ba b le fo r C P U e rro rs )
F & G M a trix
R e d u nd a n t, o ptica l,
1 0 0 M b it In d u str ia l E th e rn e t
S 7 -4 0 0 F H (S IL 3 , a n d re d u n d a n t)
S 7 -4 0 0 F (S IL 3 )
S 7 -4 0 0 F (S IL 3 )
P R O F IB U S /
P R O F IS A F E , S IL3
o p tic al a n d r ed u n d a nt
A u tro n ic a fire p a n e l
A u tro n ic a p ro to co l
A u tro n ic a p ro to co l
S IE M E N S
Addressable Fire
Detection Systems
I/O m o d ule s
S IL 2 /3
S IE M E N S
Redundant Fail Safe
Communications – SIL3
(Profisafe)
Redundant Integrated
Safety & Process
Network
High Available & Fail
Safe CPU’s
P R O F IB U S o r P ro fis a fe (S IL 3 )
Redundant
Communications Interface
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
P R O F IB U S o r P ro fis a fe (S IL 3 )
H a rd w ire d a la rm
F ire A re a (1 o f n
g ive s a la rm )
A na lo g ue inp u ts
(e a ch S Il1 ) in
vo tin g o n e o f
m a ny (to ta l is S IL 2 )
O u tp u t m o d u le s
F - S M 's, S IL 2 /3
re d u n d an t
o r re d u n d an t o u p ut
co n figu r atio n v e rifie d
b y S IN T E F (S IL2 /3 )
Fail Safe I/O
Modules
100.17
ESD Topology (sample)
F&G ESD
W ide S c r e e n O v e rv ie w
O pe ra to r S ta tio n s
ES D
M a tr ix .
E n g in e e r in gS ta tio n
E th e rn e t 1 0 0 M b it
E th e rn e t 1 0 0 M b it
C o m m a n d s fro m O S to S IL 3
R edun dant
S a fe ty S e rv ers
R e m o te
In p ut / O u tpu t
m o du le s , F -S M S IL 2 /3
o r E T2 0 0 M S IL 0 /1
(b uilt in r edu nda nc y an d
au to- rep air)
In d u s trial E th ern e t 1 00 M b it
In d u s trial E th ern e t 1 00 M b it
P R O F IB U S /
P r o fiS a fe (S IL 3 )
C o m m u n ic a tio n to o th e r
n o d e s S IL 3
C o n tro ller C a b in et
S 7 -4 0 0 F H (S IL 3 , a n d re d u n d a n t)
F ield T e rm in atio n C ab in e t
S IE M E N S
S IE M E N S
S 7 -4 0 0 F (S IL 3 )
S o ftw a re is im p lem e n te d
a c c o rd in g to p ro c e d u re , S IL 3
H a rd w a re d e s ig n a c c o rd in g
to p ro c e d u re , S IL 3
R e m o te " fa il s a fe "
In p ut /o u tpu t
m o du le s
F -S M 's , S IL 2 /3
R e m o te
In p ut / O u tpu t
m o du le s , IS 1
o r E T2 0 0 M
S IL0 /1
S 7 -4 0 0 F (S IL 3 )
P R O F IB U S /P ro fiS a fe (S IL3 )
P R O F IB U S /P ro fiS a fe (S IL3 )
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.18
PSD Topology (sample)
O pe ra to r S ta tio n s
E n g in e e r in gS ta tio n
E th e rn e t 1 0 0 M b it
E th e rn e t 1 0 0 M b it
C o m m a n d s fro m O S to S IL 3
Redun dant
S e rv ers
In d u s trial E th ern e t 1 00 M b it
C o m m u n ic a tio n to o th e r
n o d e s S IL 3
In d u s trial E th ern e t 1 00 M b it
F ield T e rm in atio n C ab in e t
o r Ju n ctio n B o x
C o n tro ller C a b in et
S IE M E N S
S IE M E N S
S 7 -4 0 0 F (S IL 3 )
S o ftw a re is im p lem e n te d
a c c o rd in g to p ro c e d u re , S IL 3
H a rd w a re d e s ig n a c c o rd in g
to p ro c e d u re , S IL 3
R e m o te E T 2 0 0 iS
o r" fa il s a fe "
In p ut /o u tpu t
m o du le s
F -S M 's , S IL 2 /3
R e m o te
In p ut / O u tpu t
m o du le s , IS 1
o r E T2 0 0 M
S IL0 /1
S 7 -4 0 0 F (S IL 3 )
P R O F IB U S /P ro fiS a fe (S IL3 )
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.19
Marine Control System (SIL 3)
O pe ra to r S ta tio n s
E n g in e e r in gS ta tio n
E th e rn e t 1 0 0 M b it
C o m m a n d s fro m O S to SIL 3
M a n u a l B a lla s t
F u nc tio n s
R e d u n d a n t S e rv ers
In d u s trial E th ern e t 1 00 M b it
C o m m u n ic a tio n to o th e r
n o d e s S IL 3
In d u s trial E th ern e t 1 00 M b it
F ield T e rm in atio n C ab in e t
o r Ju n ctio n B o x
C o n tro ller C a b in et A
C o n tro ller C a b in et B
S 7 -4 0 0 F H (S IL 3 , a n d re d u n d a n t)
S 7 -4 0 0 F (S IL 3 )
S IE M E N S
ACPU
R e m o te
In p ut / O u tpu t
m o du le s , IS 1
o r E T2 0 0 M
S IL0 /1
R e m o te " fa il s a fe "
In p ut /o u tpu t
m o du le s
F -S M 's , S IL 2 /3
B CPU
S IE M E N S
S 7 -4 0 0 F (S IL 3 )
S o ftw a re is im p lem e n te d
a c c o rd in g to p ro c e d u re , SIL 3
H a rd w a re d e s ig n a c c o rd in g
to p ro c e d u re , SIL 3
P R O F IB U S /P ro fiS a fe (S IL3 )
S y nc hr o niz a tio n lin k
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.20
Subsea PSD solution and HIPPS, both SIL3
P S D , S 7 -4 0 0 F , S IL 2 /3
E S D , S 7 -4 0 0 F , S IL 3
X
P C S , S 7 -4 0 0
1
R e m o te F -S M , S IL 3
R F -M o d e m
PR O F BU S
R e m o te F -S M , S IL 3
PR O F IS A FE ,SIL3
PR O F IS A FE ,SIL3
2
(R e m o te I/O )
x = N u m b e r o f c o n n e c tio n `s
T w is te d P a ir
F ib e r O p tic C a b le
3
U m b ilic a l w it h c e n t e r lin e
5
H y d ra u lic
R is e r (S tig e rø r)
6
R F -M o d e m
B le e d H yd ra u lic ( S IL 3 )
PSV
H PU
H y d r a u lic S u p p ly
P ro d u ctio n
EV
T o pside
S u bse a
P T
P T
H IP P S 1
P T
P T
H IP P S 2
SSIV
P T
P T
4 -2 0 m A
P T
S 5 95 F /S 7 3 0 0F
4 -2 0 m A
P T
R F- M ode m
4 -2 0 m A
P T
P r o f ib u s D P ( t o to p sid e m o d em )
19 .2 K b its
T
S u b se a H IP P S /S IL 3
T ita n iu m P ip e /e n clo su re
C hoke
P T
S lo t n o . 2-4
T
PW V
P S D R e m o te I/O
S im a t ic S 7
F -S M (S IL 3 )
P T
T
R IO (F .S M .)
PM V
P r o fib u s D P /P r o fiS a fe (S IL 3 )
R F -M od em
1 8 3 K b its
T ita n iu m P ip e /e n clo su re
SC SSV
P T
S lo t n o . 1
T
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
S u p p lie r D o c u m e nt R e v ie w
A c c e p te d
100.21
IEC 61508

The safety level is applicable for:



The total solution
All the projects lifecycles
The system solution covers EUC, including HMI
 HW engineering, construction and testing


By use of standard hardware set-up
With special modules approved by TÜV
 Software



Function blocks (basic blocks approved by TÜV)
Protocols and drivers approved by TÜV
Application program (according to procedure)
 Maintenance procedures
 Operation and Modification Procedures
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.22
IEC 61508, Quality Assurance and a few direct requirements
1
C o n ce p t
Software safety lifecycle
O verall s co p e
2
d efin ition
req u ire m e n ts
a llo ca tio n
9
O verall pla nn in g
6
O vera lI
o p eratio n an d
7
O vera ll
sa fety
m ain te n an ce
va lid a tion
p la n n in g
p lan n in g
8
E/E/PES
safety
lifecycle
(see figure 2)
S a fety re q u ire m e nts
S a fety-rela ted
sy ste m s :
10
S a fety-re la ted
sy ste m s:
E /E /P E S
oth er
R e alisa tio n
R e alisa tio n
O veralI
11
co m m is sio n in g
p lan n in g
Safety integrity
requirements
specification
E xte rna l risk
re du c tio n
fac ilitie s
tech n o lo g y
8in sta lla tio n a n d
Software safety requirements
specification
9.1.1 Safety functions 9.1.2
requirements
specification
O ve ra ll s afe ty
4
5
9.1
H a zard an d risk
a n alysis
3
R ea lis atio n
(se e E /E /P E S
9.2
Software safety
validation planning
9.3
Software design
and development
9.4
PE integration
(hardware/software)
9.6
Software safety
validation
safety
lifecycle)
O ve ra ll in sta lla tio n
12
a n d c o m m iss io n in g
13
O vera ll sa fety
valid a tio n
9.5 Software operation and
modification procedures
B a ck to ap p ro p ria te
o v erall safety life cy cle
p h as e
14
16
O ve ra ll o p eratio n ,
m ain te na n ce a n d rep a ir
15
O verall m o d ifica tio n
an d retro fit
D e co m m iss io n in g
o r d is po s al
N O T E 1 A c tivitie s re latin g to v erifica tio n , m an a g e m e n t o f fu n c tio n a l s afe ty an d fu n ctio n al sa fe ty a ss es sm e n t are
n ot sh ow n fo r re aso n s o f clarity bu t are re leve nt to all o verall, E /E /P E S a n d softw a re sa fety lifecycle p ha se s.
NOTE 2
To box 12 in figure 2 of part 1
To box 14
in figure 2
of part 1
T h e ph a ses re prese nte d by bo xes 1 0 a nd 11 a re ou ts ide th e sco pe of th is stan da rd .
N O T E 3 P a rts 2 a nd 3 de al w ith bo x 9 (rea lisatio n) bu t the y a lso d ea l, w he re relevan t, w ith th e p ro gra m m a ble ele ctron ic
(ha rd w are a nd so ftw are) a spe cts o f bo xes 1 3, 14 a nd 15 .
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.23
IEC 61508, Implementation according to proven procedures.

Safety requirements shall be specified, and the
requirements shall be traceable through all engineering
phases.
 Internal procedures for development of software according to
IEC61508

Procedures developed in co-operation with SINTEF Tele and Data.
–
–
–
–
–
–
specification
planning
implementation
verification
validation
modifications.
 Internal procedures for hardware design and production
according to IEC61508

Made on the same structure as the SINTEF verified SW procedure.
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.24
Basic principles to fulfil IEC61508
Basically three requirements
1.
Quality assurance (98% of IEC61508)
2.
Requirement to availability of safety function (PFD requirement, Probability of Failure on Demand)
3.
Requirement to safe failure fraction (SFF requirment, Safe Failure Fraction)
Answers to the requirements
1.
Work methology, procedures, qualified workers
2.
Equipment quality, redundancy, second resort, diagnostics
3.
Fail to safe design, diagnostics
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.25
Diagnostics, feedback and redundancy
Diagnostics / feedback
Diagnostics will give possibility to repair dangerius errors before an emergency situation,
hence improving PFD and SFF.
Increased diagnostics also give room for estension of test interval, hence saving cost.
Feedback will give opportunity to use second shotdown possibility in case of first possibility
failing, hence increasig PFD and SFF.
Redundancy / second shutdown fasility
More than one shutown fasility, and all are activated at same time, or second fasilities are used as result
of feedback when first is faling, will give improved SFF and PFD.
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.26
Risk Determination (one of several methods)
How to find Required Safety Integrated Level (SIL) of the Safety System
S: Severity of injury/damage
Risk Graph
-
-
-
1
1
-
1
1
-
1:small injury,
minor environmental damage
2:serious irreversible injury of many people involved or a death
temporary serious environmental damage
3:death of many people
:
long-term serious environmental
damage
4:catastrophic results, many deaths
2
2
1
F: Frequency and/or exposure time to hazard
3
3
1
P3 P2 P1
S1
A1
F1
A2
S2
A1
F2
A2
F1
S3
3
3
2
4
3
3
4
4
3
F2
S4
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
1:seldom - quite often
2:frequent - continous
A: Avoiding hazard
1:possible
2:not possible
P: Probability of Occurrence
1:very low
2:low
3:relatively high
100.27
Safety Integrity Levels, direct requirement IEC61508
Requirement Class
(AK)
DIN V 19250
Safety
Integrity
Level (SIL)
IEC 61508
Probability of failure
on demand per h
(constant operation)
(IEC 61508)
Probability of failure
on demand (on
demand operation)
(IEC 61508)
Control Category
EN 954-1
AK 1
---
--
--
B
SIL 1
10-5 to 10-6
10-1 to 10-2
1 and 2
SIL 2
10-6 to 10-5
10-2 to 10-3
3
SIL 3
10-7 to 10-8
10-3 to 10-4
4
SIL 4
10-8 to 10-9
10-4 to 10-x
---
AK 2 and 3
AK 4
S7-400F/FH
by Siemens
AK 5 and 6
AK 7 and 8
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.28
Safety Integrity Levels, direct requirement IEC61508
IEC61508 requires higher “fail safe fraction” for “intelligent” components
Hardware safety integrity: architectural
constraints
on type A safety-related subsystems
Safe failure
fraction
Hardware safety integrity:
architectural constraints
on type B safety-related subsystems
Hardware fault tolerance
Safe failure
fraction
0
1
2
< 60 %
not allowed
SIL1
SIL2
SIL4
60 % - 90 %
SIL1
SIL2
SIL3
SIL4
SIL4
90 % - 99 %
SIL2
SIL3
SIL4
SIL4
SIL4
> 99 %
SIL3
SIL4
SIL4
0
1
2
< 60 %
SIL1
SIL2
SIL3
60 % - 90 %
SIL2
SIL3
90 % - 99 %
SIL3
> 99 %
SIL3
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
Hardware fault tolerance
100.29
Safety Integrity Levels, PFD calculation
F & G l o o p w i t h G a s d e t ec t o r an d c o n t r o l v a l v e.
4-20 m A
P R O F IS A F E
AI
C ontrol valve
P R O F IS A F E
CPU
DO
G as detector
F & G l o o p w i t h G a s d e t ec t o r an d c o n t r o l v a l v e.
ES V
Safety reliability Block diagram:
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.30
Safety Controller S7 FH
Safety Control System, SIMATIC S7 – 300/400 F/FH
Redundant systems
S7-414-4H *)
2.8MB
600 F-I/Os
S7-319F-2DP
1.4MB
1000 F-I/Os
S7-417-4H *)
30MB
3000 F-I/Os
S7-412-3H *)
768kB
100 F-I/Os
S7-317F-2DP
1MB
500 F-I/Os
S7-315F-2DP
192kB
300 F-I/Os
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
Certified up to SIL 3
100.31
Components S7-400F/FH

High available System S7-417FH as a basis
 CPU 417-4H with TÜV certified basis SW/HW (SIL3)
 TÜV certified failsafe logic SW blocks (SIL3)

Engineering /Hardware Configuration/Programming
 Configuration of the S7-400F-Hardware with Standard HW-Config.
 Graphical Engineering (programming) with Standard CFC (Continuous Function Chart)
 Coexistence of Standard- and F-Applications (SIL3) in one CPU

Connection to the Process Devices
 Failsafe I/O modules (SIL1 - 3)
 PROFIsafe (extra safety layer to Profibus) (SIL3) to ensure failsafe communication via Profibus-DP
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.32
Basic principle “Protected F-Islands”
CPU
hardware
CPU
operating system
Standard
user programs
Failsafe
Safety-related
user program
I/O
Safety-related
frame
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
Any faults in
other modules,
environmental
factors
modules
100.33
S7 400F F/H system - modularity,
PC
RUN-P
RUN
RUN-P
RUN
CMRES
STOP
CMRES
STOP
Standard Engineering Software
F-Programming
Tool
Standard-CPU 417-4H
F-Application Program
Standard I/O’s (ET200M)
F-I/O’s (ET200M)
Standard-ProfibusDP
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
ProfiSafe Protocol
100.34
S7-400H
Redundancy Principle
PC D D A A C
SP E A E A P
U
Synchronization,
information
and status exchange
PC D D A A C
S P E A E A P
U
I I D D A A F
M M E A E A M
PROCESS
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.35
I/O Configuration
Switching of master by use of redundant Profibus
Redundant IM 153-2
Profibus-DP
L+
L+
IO with active backplane
bus performing the switchover
Bus module
IM
Target:
Reduce common mode faults
for the switch-over to a minimum
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
Active
backplane bus
IM
Achieved by:
Very simple component does
the switchover
100.36
Redundant S7-400H
A Synchronization Procedure is required
Synchronization of all commands
whose execution would trigger different
states in both partial PLCs
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
(Siemens Patent)
Part. PLC B
Command synchron.
Part. PLC A
Part. PLC B
Time synchronization
Part.-PLC A
Part. PLC B
Cycle synchronization
Part. PLC A
Part. PLC B
Part. PLC A
Without synchronization
100.37
Flexible Set-up‘s
Together, the listed principles result in a flexible set-up
Fail Safe and High Availability
IM 1 5 3
F -I/O M o d u le s
P R O F IB U S -D P
P R O F IB U S - D P
E T 2 00 M
AS 414 F
AS 417 F
A S 4 14 F
A S 4 17 F
A S 4 14 F
A S 4 17 F
S a fe ty
M o d u le
E T 2 00 M
F -I/O M o d u le s
S a fe ty
2 x
IM 1 53 -2 M o d u le
S t a n d a rd
I/O M o d u le s
PROFIBUS-DP
Fail Safe
ET 200M
F-I/O Modules
redundant
S t an d a rd
I/O M o d u les
 S7-400F
 PROFIBUS-DP
 redundant S7-400FH
 redundant PROFIBUS-DP
 redundant S7-400FH
 redundant PROFIBUS-DP
 F-E/A Moduls
 SIL 3, AK6
 F-E/A Moduls
 SIL3, AK6
 redundant F-E/A Moduls
 SIL3, AK6
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.38
Flexible Modular Redundancy ™
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
Make any component redundant
DO
DO
DI
AI

100.39
DO
DI
AI
Flexible Modular Redundancy ™
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.40
Flexible Modular Redundancy ™
Make any component redundant
DO
DO
DI
AI

SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
Physically separate redundant resources
DI
AI

100.41
Flexible Modular Redundancy ™
DO
DO
DO
AI
DI
DI
AI
AI

Make any component redundant
Dual

Physically separate redundant resources

Mix and match redundancy
AI
Simplex
Triple
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.42
Flexible Modular Redundancy ™


AI
DO
Simplex

Triple
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
Dual

Physically separate redundant resources

Mix and match redundancy

Tolerate multiple faults with no impact on safety
Safety is not dependant on redundancy; all
components are SIL3-capable
Redundancy only for availability; No degraded
mode
DO
DI
DO
AI
AI

DI
AI
  
Make any component redundant


100.43
Flexible Set-up‘s


 Fieldbus architecture allows system to tolerate
multiple faults without interruption
 I/O redundancy independent of CPU redundancy

DO
DO
DO
DO
DI
AI
DI
AI

All components rated for SIL3
 No degraded mode
 Safety not dependent on redundancy
1oo2 Valves
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
2oo3
AI

AI
AI
  

Multiple Fault Tolerant
2oo3 PT
100.44
Alternative setup by others
Fail Safe and High Availability due to 2oo3 HW voting
Sample from Triconex design
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.45
Input and output modules to SIL 3, 2 and 1
 ET 200 M F-SM, Fail Safe Modules

SIL3, 2 or 1dependant on configuration (TÜV)
– SIL 3 also in single configuration for most modules
– SIL 3 with single or redundant bus connection
 ET200 iSP, zone 1

Small granularity modules for Zone 1, SIL3
 ET200 S

RUN-P
RUN
STOP
CMRES
Small granularity modules can cover SIL1 to SIL3
RUN-P
RUN
STOP
CMRES
Standard SM´s
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
F-SM´s
100.46
Architecture S7-300 Fail Safe Modules (sample)
F-Digital Output, with built in redundancy, self verification and degrading
Bus interface
Microcontroller
Output
driver
Dualport
RAM
Microcontroller
Second
disconnection facility
Read back
Output
VSupply
L+
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
If ”Output driver” fails to bring
output to safe state, ”0”, the
microcontroller does, based on
the read back, order the ”Second
disconnection facility” to shut
the card down
100.47
S7-300 Fail Safe Modules

Redundant microcontroller in each IO module

Safety Integrated Level
 1oo1 evaluation, SIL 2, AK 4
 1oo2 evaluation, SIL 3, AK 6, internal in module

Diagnose of internal and external errors
 mutual function checking of the microcontrollers
 input or output test
 branching of the input signals to both microcontrollers
 discrepancy analysis of the redundant input signals
 readback of the output signals and discrepancy analysis

Second disconnection facility in the case of outputs

Communication with CPU via Profisafe
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.48
S7-300 Fail Safe I/O Modules
Samples of modules available
SM326F,
DI DC24V
24 x SIL2, 12 x SIL3, with diagnostics interrupt

SM326F, DI NAMUR [EEx ib]
8 x SIL2, 4 x SIL3 with diagnostics interrupt

SM326F, DO DC24V/2A
10 x SIL3, current source, diagnostics interrupt

SM336F, AI 4-20mA
6 x SIL2 or 3, with diagnostics interrupt
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.49
Fail Safe I/O Modules
Library for interfaces to field devices
L +
24 VD C
P O W E R D IS T R IB U T IO N
Library with standard, pre-verified instrument interfaces
10A
16A
16A
2A
E S D M A T R IX
L+ 24 VDC
D O -M A -4 1
O V E R R ID E
S A F E T Y IN P U T S A N D O U T P U T S , S 7 4 0 0 F W IT H S A F E T Y I/O M O D U L E S , F S M ’S
A I-4 1 F
A I-4 3 F
A I-4 4 F
A I-5 0 F
A I-5 1 F
A I-IS -4 1 F
A I-IS -5 1 F
D I-4 1 F
D I-4 2 F
D I-4 4 F
D I-IS -4 1 F
D I-IS -4 6 F
D I-IS -4 6 F
D O -4 1 F
D O -4 1 F R
D O -R E -4 5 F
D O -4 6 F
D I-M A -4 1 F
D I-M A -4 2 F
D I-M A -4 3 F
D I-M A -4 4 F
D I-M A -4 5 F
D I-M A -4 6 F
D I-M A -4 7 F
D I-M A -4 8 F
D I-M A -4 9 F
D O -M A -4 1 F
D O -M A -4 2 F
D O -M A -4 3 F
S a fe a n a lo g u e in p u t, 4 -2 0 m A , 2 W ire , S IL 2 .
S a fe a n a lo g u e in p u t, 4 -2 0 m A , 3 W ire , S IL 2 , c u rre n t s o u rc e
S a fe a n a lo g u e in p u t, 4 -2 0 m A , 3 W ire , S IL 2 , h ig h p o w e r c o n s u m p t.
S a fe h ig h a va ila b le a n a lo g u e in p u t, 4 -2 0 m A , 2 W ire , 2 o o 3 .
S a fe a n a lo g u e in p u t, 4 -2 0 m A , 2 w ire , to d ig ita l, S IL 2
S a fe a n a lo g u e in p u t, 4 -2 0 m A , E E x (i)(a ) , 2 W ire , S IL 2 .
S a fe a n a lo g u e in p u t, E E x ib IIC , 4 -2 0 m A , to d ig ita l, S IL 2
S a fe d ig ita l in p u t, S IL 2
S a fe h ig h a va ila b le , d ig ita l in p u t, S IL 2
S a fe d ig ita l in p u t fro m c le a n c o n ta c t / N A M U R , S IL 2
S a fe , E E x ib IIC , d ig ita l in p u t fro m c le a n c o n ta c t / N A M U R , S IL 2
S a fe , h ig h a va ila b le , E E x ib IIC , d o u b le c le a n c o n ta c t/ N A M U R , S IL 2 /
S a fe , E E x ib IIC , d o u b le c le a n c o n ta c t /N A M U R , S IL 3 .
S a fe , d ig ita l o u tp u t, 2 4 V D C , 2 A , S IL 2 / 3
S a fe d ig ita l o u tp u t, S IL 2 w ith re la y, S IL 2
S a fe , h ig h a va ila b le , d ig ita l o u tp u t, 2 4 V D C , 2 A , S IL 2 /3
S a fe , d ig ita l o u tp u t w ith m a n u a l re le a s e , 2 4 V D C , 2 A , S IL 2 /3
S a fe , h ig h a va ila b le d ig ita l in p u t fro m p u s h b u tto n , S IL 3
S a fe , h ig h a va ila b le d ig ita l in p u t fro m p u s h b u tto n , S IL 2
S a fe , d ig ita l in p u t fro m p u s h b u tto n , S IL 3
S a fe , d ig ita l in p u t fro m p u s h b u tto n , S IL 2
S a fe , h ig h a va ila b le d ig ita l in p u t fro m p u s h b u tto n , S IL 3
S a fe , h ig h a va ila b le d ig ita l in p u t fro m p u s h b u tto n , S IL 2
S a fe d ig ita l in p u t fro m p u s h b u tto n (w ith L E D ), o p e n c o n ta c t, S IL 2
S a fe d ig ita l in p u t fro m p u s h b u tto n (w ith o u t L E D ), o p e n c o n ta c t, S IL 2
S a fe d ig ita l in p u t fro m p u s h b u tto n , N A M U R , S IL 2
S a fe d ig ita l o u tp u t to L E D / L A M P , S IL 2 /3
S a fe d ig ita l o u tp u t to tw o L E D / L A M P , S IL 2 /3
S a fe d ig ita l o u tp u t to L E D in fire fig h tin g re le a s e p u s h b u tto n , S IL 2
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
6 E S 7 3 21 -1 B L0 0 -0 A A 0
L+
D I 32 ch
L- 0V
M
6 E S 7 3 2 6 -2 B F 0 0 0AB 0
1 0 D O , S A FE
21
17
18
37
F IE LD
E Q U IP M E N T
J U N C T IO N
BO X
T E R M IN A L
R A IL
38
1 L+
2 L+
2 L+
3 L+
3 L+
M a in
S w itch
3
ch 0
4
R ead
back
40
0 V d is trib .
39
20
19
22
3M
3M
2M
2M
1M
6 E S 7 3 2 6 -2 B F 0 0 0AB 0
1 0 D O , S A FE
21
17
18
37
38
1 L+
2 L+
2 L+
3 L+
3 L+
M a in
S w itch
3
4
R ead
back
40
0 V d is trib .
39
20
F IE LD
19
22
F IE LD T E R M IN A TIO N C A B IN E T
3M
3M
2M
2M
1M
L- 0V
H a rd w a re T y p e c irc u it c o d e D O -R E -4 5 F
100.50
Fail Safe I/O Modules
Development of interfaces to field devices
Man må ofte ting i sammenheng før en oppdager at det kan være spesielle feilsituasjoner
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.51
Fail Safe I/O Modules
Development of interfaces to field devices
Det er utrolig hvor lite komplisert det skal være før noe kan gå galt (eksempel på bruk av kretsen fra foregående slide)
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.52
Operator interface to SIL3
 Man - Machine interface for daily use are the Operator
Stations (but Bill Gates deliver no SIL3 solutions)
 Operator Stations with commands to SIL3


High end servers and operator stations, with redundancy and extensive diagnosis
Special TÜV approved procedure for safe commands from operator stations to
F-area (safe island) for SIL3 commands to controller.
 CAP solutions ensures HMI interface to SIL3
ELEKTR O
UPS
A L A R M B R O IN G
ALARM
B A T TE R IE R
IT K
BRØNN
A01
IS O L E R
U P S4 8 V D C
T E LE K O M .
8 5 -E Y
-2 0 0 4
A /B
IT K
A L A R M B R O IN G
79ES2 0 04
IT K
S K RV F R
79ES2 1 02
A02
IS O L E R
U P S2 3 0 V A C
T E LE K O M .
8 5 -E Y
-2 0 4 3
A /B
IS O L E R
GMDSS
T E LE K O M .
8 5 -E Y
-2 0 0 6
N A S0
SKR
79ES2 0 01
79ES2 0 02
N A S0
H E L ID E K K
79ES2 0 03
N A S0
S K RV F R
79ES2 1 01
79ES2 2 01
0
N A S0
L IV B Å T
0
N AS
N AS
A03
N A S0
MG
IS O L E R
U P S4 8 V D C
L O S /P A B X
8 5 -E Y
-2 0 4 2
A /B
A05
IS O L E R
U P S2 3 0 V A C
B A T TE R IE R
8 5 -E Y
-2 0 0 1
A /B
A06
IS O L E R
K R A N2 4 V D C
B A T TE R IE R
8 5 -E Y
-2 0 0 5
A07
IS O L E G
R EN.
8 2 -E G 5 0 A
B A T TE R IE R
8 5 -E Y
-2 0 0 2
A
A08
IS O L E G
R EN.
8 2 -E G 5 0 B
B A T TE R IE R
8 5 -E Y
-2 0 0 2
B
8 2 -E Y
-2 0 0 2
A
8 2 -E Y
-2 0 0 2
B
SS SV
M A S TE R
A04
A09
N AS
N AS
79ES2 0 05
A10
IS O L E R
G E N E R A TO R
8 2 -E G 5 0 A
N A S1
S K RV F R
79ES2 1 03
A11
IS O L E R
G E N E R A TO R
8 2 -E G 5 0 B
GASS
I
B E G GG
EEN.
L U F TIN N TA K
70XS2 0 01
A12
N A S2
SKR
79ES2 0 06
N A S1
SKR
1
N AS

U T S T YR
IT K
S K RH U L D R A
79ES2 0 07
GASS
EKSPORT
S T IG E R Ø R
27EY2 2 40
N A S2
H E L ID E K K
79ES2 0 16
KONDENSAT
EKSPORT
S T IG E R Ø R
21EY2 1 52
N A S2
H J E LP E U T S T Y R
OMRÅDE
79ES2 0 08
S E P A R AT O R
T R Y K KA V L .
20EY2 0 07
GASS
K J Ø LE R
T R Y K KA V L .
24EY2 1 54
G A S S L I N JE
T R Y K KA V L .
27EY2 2 41
S P E N N IN G S B O R T F AL L
DELUGE
A K T IV E R T
P O PS P R A Y
H E L ID E K K
A K T IV E R T
2
N AS
GASS
I
E K S P LF. A R L I G
OMRÅDE
N A S2
S K RV F R
BRANN
& GASS
N A S0 /N A S 1
V E S LE F R I KK
2
N AS
V F RH U L D R A
L IN KN E D E
N A S2
M GN A S
S Y S T EM
82ES2 0 01
70XS2 0 03 B
71XS2 0 51 B
75XS2 0 51 B
86ES2 0 01
IT K
N A S0
N A S1
N A S2
N A S0
N A S1
N A S2
T IL B AK E S T IL L
T IL B AK E S T IL L
T IL B AK E S T IL L
TAL
79ES2 1 04
79EY2 1 09
79ES2 2 02
86ES2 2 03
BRANN
& GASS
MG
70XS2 0 04 B
T R Y K KA V L AS T N ING
HULDRA
79ES2 0 09
BRANN
I
E K S P LF. A R L I G
OMRÅDE
70XS2 0 02 B
T R Y K KA V L AS T N ING
V E S LE F R I KK
79ES2 1 05
2
N AS
N A S2
M GB R O
TA L
PSD
N A S2
L IV B Å T
2

LED elements connected to SIL3 remote I/O
Necessary information for an emergency situation
Necessary input elements to put the process to safe state
UTG AN G E R
PROSESS
B E S K R IV E L S E
2

N Ø D A V S T E N G IN G S M A T R IS E
IN N G A N G E R
ALARM HO
RN
K V IT T E R IN
AV
G
ALARM ER
PSD
S Y S T E M FC
E IPLUA
F&G
S Y S T EM FE
C IPLUB
B E M A N N ./U B E M A N N .
H U LD R A
B E MA N N ET
I/ O F E IL
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
L A M P E TE
ST
100.53
CAP or Matrix / Mimic to SIL3, simple and hardwired
N Ø D A V S T E N G IN G S M A T R IS E
IN N G A N G E R
UTG AN G E R
PROSESS
A L A R M B R O IN G
ELEKTR O
UPS
A L A R M B R O IN G
BRØNN
ALARM
B A T TE R IE R
IT K
S K RH U L D R A
79ES2 0 04
A01
IS O L E R
U P S4 8 V D C
T E LE K O M .
8 5 -E Y
-2 0 0 4
A /B
IT K
S K RV F R
79ES2 1 02
A02
IS O L E R
U P S2 3 0V A C
T E LE K O M .
8 5 -E Y
-2 0 4 3
A /B
A03
IS O L E R
GMDSS
T E LE K O M .
8 5 -E Y
-2 0 0 6
IS O L E R
U P S4 8 V D C
L O S /P A B X
8 5 -E Y
-2 0 4 2
A /B
8 5 -E Y
-2 0 0 1
A /B
N A S0
SKR
79ES2 0 01
SS SV
M A S TE R
A04
A05
IS O L E R
U P S2 3 0V A C
B A T TE R IE R
N A S0
H E L ID E K K
79ES2 0 03
A06
IS O L E R
K R A N2 4 V D C
B A T TE R IE R
8 5 -E Y
-2 0 0 5
N A S0
S K RV F R
79ES2 1 01
A07
IS O L E G
R EN.
8 2 -E G 5 0A
B A T TE R IE R
8 5 -E Y
-2 0 0 2
A
A08
IS O L E G
R EN.
8 2 -E G 5 0B
B A T TE R IE R
8 5 -E Y
-2 0 0 2
B
0
N A S0
L IV B Å T
79ES2 0 02
N A S0
MG
79ES2 2 01
N A S1
SKR
79ES2 0 05
0
N AS
N AS
IT K
U T S T YR
IT K
B E S K R IV E L S E
Simple solutions
Pushbuttons lamps and switches
are lifting and maintaining the SIL
for the total HMI
8 2 -E Y
-2 0 0 2
A
A11
IS O L E R
G E N E R A TO R
8 2 -E G 5 0B
8 2 -E Y
-2 0 0 2
B
GASS
I
B E G GG
EEN.
L U F TIN N TA K
70XS2 0 01
A12
N A S2
SKR
79ES2 0 06
1
IS O L E R
G E N E R A TO R
8 2 -E G 5 0A
79ES2 1 03
79ES2 0 07
GASS
EKSPORT
S T IG E R Ø R
27EY2 2 40
N A S2
H E L ID E K K
79ES2 0 16
KONDENSAT
EKSPORT
S T IG E R Ø R
21EY2 1 52
N A S2
H J E LP E U T S T Y R
OMRÅDE
79ES2 0 08
S E P A R AT O R
T R Y K KA V L .
20EY2 0 07
GASS
K J Ø LE R
T R Y K KA V L .
24EY2 1 54
G A S S LI N JE
T R Y K KA V L .
27EY2 2 41
S P E N N IN G S B O R T F AL L
DELUGE
A K T IV E R T
P O PS P R A Y
H E L ID E K K
A K T IV E R T
2
N AS
GASS
I
E K S P L.
F A R LI G
OMRÅDE
N A S2
S K RV F R
BRANN
& GASS
N A S0 /N A S 1
V E S LE F R I K K
2
N AS
V F RH U L D R A
L IN KN E D E
N A S2
M GN A S
S Y S T EM
82ES2 0 01
70XS2 0 03 B
71XS2 0 51 B
75XS2 0 51 B
86ES2 0 01
IT K
N A S0
N A S1
N A S2
N A S0
N A S1
N A S2
T IL B AK E S T IL L
T IL B AK E S T IL L
T IL B AK E S T IL L
79EY2 1 09
79ES2 2 02
86ES2 2 03
70XS2 0 04 B
T R Y K KA V L AS T N ING
HULDRA
79ES2 0 09
BRANN
I
E K S P L.
F A R LI G
OMRÅDE
70XS2 0 02 B
T R Y K KA V L AS T N ING
V E S LE F R I K K
79ES2 1 05
ALARM HO
RN
K V IT T E R IN
AV
G
ALARM ER
PSD
S Y S T E M FC
E IPLUA
F&G
S Y S T EM FE
C IPLUB
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
I/ O F E IL
L A M P E TE
ST
A.O.Sveen, NTNU 2011
TAL
79ES2 1 04
BRANN
& GASS
MG
2
N AS
N A S2
M GB R O
TA L
PSD
N A S2
L IV B Å T
2
N AS
N AS
A10
N A S1
S K RV F R
2
N AS
A09
B E M A N N ./U B E M A N N .
HU LD RA
B E MA NN ET
100.54
CPU-Software Architecture
F-User Program
StandardUser
Program
F-User Blocks
F-Standardblocks
F-Systemblocks
Program
execution
Communications
StandardOperating System
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
F-Control
Blocks
Program
execution
Self tests
Safety-relevant sections of the operating system
F-Access protection
Safety-relevant
System Func. Calls
Safety-relevant
Self tests
100.55
S7-F Concept,
Double processing in diverse environments
Instead of redundancy of HW ,
Siemens Safety System
runs redundant SW on same HW.
Multi-channel storage of safety-critical data in instance DBs in
the CPU,
e.g. as word-oriented complement COMP
Multi-channel processing of the safety function in F-FBs by
SP7-ASIC of the CPU
 Standard operation on DATA
 Multi-channel operation on COMP
CPU-internal comparison in the output driver to improve
error locating
Error handling: disable outputs and stop CPU


0
FFFFH
1
0H
DATA
COMP
DATA
COMP
Bit-AND in
bit arithmetic
logic unit
Word-OR
in ALU
DATA

Comparison
COMP

Safety-related
message
CPU-external comparison in receiver
(F-output modules and processing F-CPUs)
Error handling: safe substitute values and error message
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011

Copy
Convert
Data
CRC
Comparison
100.56
S7-F Program Concept
Extensive comparision and monitoring
Time redundancy and Diversity instead of hardware redundancy
A, B (Bool)
C
Operation
Operands
Result
AND
Encoding
Comparison
Stop
At D  /C
OR
Diversity
Operands
/A, /B (Word)
Diversity
Operation
Time redundancy




D = /C
Diversity
Result
Time
Time redundancy and instruction diverse processing
Logical program execution and data flow monitoring
Bool and Word Operations processed in different parts of the CPU
2 independent hardware timer
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.57
Programming
Graphical programming CFC acc. to IEC 1131
F-Library
Certified (TÜV)
function blocks
Links are structs
CFC
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.58
Simplified ESD Program Overview, sample
O S p a rt
E S D S y s te m C o n fig u ra tio n , S IL 3
M B -E S D
HMI
OS skjerm
M A -E S D
U B
R
O p e ra t o r S ta t io n
M A -E S D
LB
U B R
S B -E S D
B in B o u t R
U B SD OVR
X
E S D F u n ctio n S ta tu s
In p u t S ta tu s
X
O u tp u t s ta tu s
X
F ro m O S
B
F ro m O S
B
F r om E S D F u n c tio n
B
H W O v e rrid e
B
F ro m fie ld
B
F ro m fie ld
B
T o E S D F u n c tio n
B
C o in cid e n c e
X
D is a b le R e s e t
X
S ta tu s E xt. A la rm H H
B lo ck e d fro m O S
B lo ck e d fro m F ie ld
S ta n d a rd p ro g ra m p a rt
F r om E S D F u n c tio n
B
T o E S D F u n c tio n
B
F_M A_ES D
A d dit iona l I/ O d iag nos tic d ata (o ptio nal )
XF
YG R
FE
BU O P
F r o m d ri v e r F E , p a ra m e te r Q _ D A T A
Fr om dri ver FU , pa ram ete r Q _D A T A
Fr om dri ver FB B , p ara m e ter Q _ D A TA
S t atu s co llec tio n fo r
G _LB (o ptio nal )
BB OP
V _ D A TA
Q U A LITY
Fr om F_ C H _A I
AC K RE Q
PL H
PL R
Normal
program
A d dit iona l I/ O d iag nos tic d ata (o ptio nal )
Fr om dri ver FU , pa ram ete r Q _D A T A
Fr om dri ver FB B , p ara m e ter Q _ D A TA
R UC
G _SB_ES D
To F_ M A _E S D
YF
F r o m d ri v e r F E , p a ra m e te r Q _ D A T A
BHH
XF
Fr om dri ver, blo ck from ot her fun ctio n, Q _D A T A
Fr om dri ver, blo ck to o the r fu nct ion, Q _ D A TA
BW H
BU O P
FE
BB YX OP
BCB
BCU
BB XS OP
BEB
BEO
BLL
BW L
BB OP
FE
YG R
BX
Q U A LITY
BCB
VA HH
VW H
V A LL
VW L
S t atu s co llec tio n fo r
G _LB _E S D (op tion al)
AC K RE Q
FBXS E
YG R
RBX SE
FBYX E
RBY XE
BUO S
FB E
XF
A d dit iona l d iagn os tic d ata (op tio nal)
G _LB
R
FU E
R UE
Fr om F_ M A _E S D
G _M B_ESD
FB C
R BC
FU C
FB E
R BE
BBO S
YR O
YG R
S tatus from
LB -utilities (optional)
Fe ed bac k
fro m
no rm al I/ O
Insrtance data block num ber
for LB -utilities (optional)
FB C
FU E
R UE
R BC
FU C
Y
BO
BC
LSE
BRXDOS
BLSOS
BX
FBXS C
BX S
RBX SC
FBYX C
RBY XC
AC K_ RE Q
R
Q U A LITY
BB XS OS
BB YX OS
R UC
R
BB OS
XO C
XO
RDAE
RDDE
R BE
Y
A
XGH
XGL
BC H
BC L
BU
Y
RDAC
RDDC
BY
V A LU E
R
LSC
BU O S
F a il-s a fe p ro g ra m p a rt
C h a n ne l dr iv e r
F_LB
F_SBI
F _ C H _D I
C HAD DR
C h a n ne l dr iv e r
X1
Q _D A TA
F_M B_ES D
Q U A LITY
F _ C H _D O
N X1
X2
N X2
AC K RE Q
V A LU E
Y1
QN
V A LU E
FB E
Q
QBAD
FE
R BE
FU E
I
ACK _REI
X3
A C K _R E Q
Q U A LITY
N X3
X4
C HAD DR
N X4
Q BAD
M o du le dr iv e r
FBXS C
FBXS E
RBX SC
FBYX C
RBY XC
RBX SE
FBYX E
RBY XE
R
F_M _DO
BB XS OS
P N LA T
C HAD DR
BB YX OS
F_LB
R UE
C h a n ne l dr iv e r
F _ M _ D Ix
F _ C H _D I
C HAD DR
C HAD DR
M o du le dr iv e r
S y m b olic ad dre ss
FUC
RU C
Q U A LITY
R
XS
N X8
A
X
RX
P C Y C LE
BB
RX
FB X S
AC K RE Q
V A LU E
QN
X
Q
QBAD
Safe
program
X8
FBC
RBC
FB Y X
FE
BU
BX
BX S
FBXS C
RBX SC
FBXS E
RBX SE
BB XS
FBYX C
RBY XC
FBYX E
RBY XE
BB YX
Y
R
F_SB_ES D
BB XS OS
BB YX OS
YX
P N LA T
RDAC
RDDC
R
BB OS
Fa ult
an nu ncia tion
BU O S
XS
F_O R4
BX
S T A T U S IN D IC A T IO N LE D 's
F_O R4
LSC
BX S
E S D IN P U T :
Y
Q
- U s e d fo r n o rm a lly d e -e n e rg iz e d in p u ts
Q N - U se d fo r no r m a lly en e rg ize d in p u ts
FU
RX
C h a n ne l dr iv e r
F_M _AI
Fr om G _ M A _E S D
FBC
To G _M A _E S D
RBC
FUC
RU C
F _ C H _A I
CHADDR
C HAD DR
VH RA NG E
VL RA NG E
S y m b olic ad dre ss
V A LU E
"0"
AC K NE C
Q U A LITY
V _ D A TA
R
AC K RE Q
O VH RAN G E
O V LR A N G E
X
PL AT
PA HH
PW H
P A LL
PW L
RX
FE
FB B
O P E R A T O R S ' F IE L D D E V IC E
FU
FB Y X
FE
O UT
Y
BB XS
BB YX
S T A T U S IN D IC A T IO N LE D 's
IN 1
X
RX
IN 2
RXD
PNLAT
PDY
RDAE
RDDE
C h a n ne l dr iv e r
LSE
F _ C H _D O
BPDY
M o du le dr iv e r
V A LU E
I
ACK _REI
BLSOS
A C K _R E Q
F_M _DO
Q U A LITY
C HAD DR
C HAD DR
BRXDOS
Q BAD
Y
YN
FB E
R BE
To G _M A _E S D
XO
YX
O vrr. fee dba ck
F_LB
FU E
R UE
BHH
FBXS C
RBX SC
FBXS E
RBX SE
FBYX C
RBY XC
FBYX E
RBY XE
VA HH
VW H
P N LA T
V A LL
VW L
XOC
XBOC
XBONC
YBOC
YBONC
"0"
XBOF
YBOF
F_SB_ES D
R
BB XS OS
BB YX OS
LSC
O verr ide fro m M atr ix
O verr ide -sw itch via F- S M
X
RX
RDAE
RDDE
LSE
BPDY
RXD
XS
BUO S
BX
BX S
BBO S
X
RX
Y
AHH
ALL
BB XS
BB YX
FB X S
Y
FB Y X
FE
YX
F _ C H _D I
Y
C HAD DR
BLSOS
BRXDOS
Q _D A TA
AC K RE Q
QN
Q
QBAD
V A LU E
BU
BB
"1"
"0"
RDAC
RDDC
R
BW L
Fa ult
an nu ncia tion
FB X S
O P E R A T O R S ' F IE L D D E V IC E
BW H
BLL
V
QBAD
RX
IN 2
F_M A_ES D
M o du le dr iv e r
CFC
IN 1
FB B
O P E R A T O R S ' F IE L D D E V IC E
X
O UT
PN LA T
PNLAT
PDY
XO
XOC
XBOC
XBONC
XBOF
Y
YN
YBOC
YBONC
YBOF
M atrix in dica tor LE D 's
S T A T U S IN D IC A T IO N LE D 's
A O S 0 3 .0 7 .2 0 0 1
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.59
Engineering tool
Program Protection
Read/Write protection
with password
Enabling of the
Failsafe function
of the CPU 417-4H
or 414-4H
CFC
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.60
Program protection
Program Signature
Signature of F-Program
for TÜV Certification.
Program taken out of CPU
cannot be downloaded unless
carrying the correct signature
CFC
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
The signature is generated by
the programming tool, and is
changed after every change of
the program
100.61
Programming
Comparison of existing and changed program
Comparison of different
F-program versions
Deviations shall be checked
before download of change
CFC
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.62
Hardware Configuration
CPU Parameters

Safety-relevant parameters
Set up protection level
Activate safety operation
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.63
Hardware Configuration
F-DO Parameters

Safety-relevant parameters
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.64
Engineering
Failsafe I/O Modules, diagnostics is set due to SIL
Enabling of the failsafe function
Signal evaluation:
1oo1 (SIL 2)
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
1oo2 (SIL 3)
100.65
Communication concepts to SIL3 /2/1
 PROFIBUS DP / ProfiSafe for communication to approved ProfiSafe
equipment, SIL3 / 2.

F-SM remote I/O modules

Other S7 400F or S7 300F nodes
 Drivers for Ethernet communication to S7 F nodes, SIL3.

Drivers for communication on Ethernet between safety programs in S7 nodes.
 Communication from OS to safety program to SIL3

Special routine and function blocks for verified command from OS to F-area (safe island).
 Combination of PROFIBUS DP /PROFIBUS PA to SIL 2/3
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.66
High Available Communication (not required to achieve SIL)
Redundant optical ringbus
S7-400H
S7-400H
Single controller
Redundancy replacement diagram:
PS
CPU
CP
Bus
CP
CPU
PS
PS
CPU
CP
Bus
CP
CPU
PS
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.67
Safety Communications
B+B
B+B
Redundant system with
SIMATIC S7-400FH
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
AO
DO
DO
DO
DI
DI
AI
AI
AI
AI
SIMATIC ET 200M
Redundant Ring
100.68
Basic concepts for communication to SIL3 and SIL2
enabling
failsafe fieldbus
applications ....
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.69
Basic concepts for communication to SIL3 and SIL2
Add required safety layer to a standard protocol
e.g.. Diagnostics Program
Safety
Input
Safety
Control
Safety
Output
Standard
Control
StandardI /O
Safety-Layer
Safety-Layer
Safety-Layer
7
7
7
7
7
2
2
2
2
2
1
1
1
1
1
„Black/Gray Channel": ASICs, Links, Cables, etc. are not safety relevant
Non safety critical functions, like e.g. diagnosis
"ProfiSafe": Parts of the safety critical communications systems: Adressing, Watch Dog Timers,
Sequenzing, Signatur, etc.
Safety relevant, but not part of the ProfiSafe-Profils: Safety I/O and the Safety Control Systems
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.70
Basic concepts for communication to SIL3 and SIL2
Content of required safety layer must cover possible failures
Failure Types and remedial Measures ...
Remedy:
Failure type:
Repetition
Deletion
Insertion
Resequencing
Sequence
Number
X
X
X
X
Time Out
with Receipt
Codename for
Sender and
Receiver
X
X
X
X
Data Corruption
Delay
X
Masquerade (standard
message mimics failsafe)
X
FIFO failure within
Router
X
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
Data
Consistency
Check
X
X
The measures must be executed and monitored
inside one failsafe unit
100.71
Standard Profibus DP Message ...
Standard-Message
S
S
S
S
S
S
Sync
time
SD
LE
LEr
SD
DA
SA
FC
Data Unit = Standardor Failsafe-Data
FCS
ED
33 TBit
68H
...
...
68H
...
....
...
1... 244 Bytes
...
16H
1 Cell = 11 Bit
LE
SB
ZB
0
ZB
1
ZB
2
ZB
3
ZB
4
ZB
5
ZB
6
ZB
7
PB
EB
Data Unit
TBit
SD
LE
LEr
DA
SA
FC
= Clock-Bit = 1 / Baudrate
= Start Delimiter (here SD2, var. Data Length)
= Length of Data
= Repeated LoD, not in FCS
= Destination Address
= Source Address
= Function Code (Type of Message)
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
FCS
ED
SB
ZB0...7
PB
EB
= Failsafe-Data
max. 244 Bytes
= Frame Checking Sequence
(across data within LE)
= End Delimiter
= Start-Bit
= Character-Bit
= (even) Parity Bit
= Stop-Bit
100.72
... and a ProfiSafe Message ...
(the extra layer included in the user telegram)
Standard-Message-Frame (user telegram)
S
S
S
S
Status /
Controlbyte
F-I/O-Data
*) 2 Byte for a max. of
12 Byte F I/O data
4 Byte for a max. of
122 Byte F I/O data
S
Max. 12 / 122 Bytes
1 Byte
Sequence
Number
CRC
Sender
based
Counter
across
F-Data
and
F-Parameter
1 Byte
2/4 Bytes *)
S
StandardI/O-Data
(240/238 - F-Data)
Max. 244 Bytes DP-Data
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.73
PROFIBUS PA Fieldbus solution to SIL 1/2/3.
 SINTEF Study "Evaluation of PROFIBUS PA against SIL1 / 2
requirements (2000).
CPU 417H
CPU 417H
C P 4 4 3 -5 E
D P M as te r
C P 4 4 3 -5 E
D P M as te r
DP
DP
IM 1 5 7
L in k
IM 1 5 7
L in k
IM 1 5 7
K o b le r
EX sone
 ProfiSafe PA, TÜV certified SIL 2/ 3 (2007)
PA
P A s la ve
P T ....
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.74
PROFIBUS PA with PROFISafe
Redundancy
Ring architecture with Active Field Distributor
PROFIBUS DP

M
DP/PA coupler, redundant (M = master)
Active Field Distributor
AFD
AFD
AFD
AFD
IM 157, redundant
PROFIBUS PA
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.75
PROFIBUS PA with PROFISafe
Voting
PROFIBUS DP
S7-400FH
DP/PA Coupler, redundant
IM 157, redundant
2oo3
1oo2
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.76
Fail-safe CPU – CPU Communication

The safety-oriented CPU-CPU communication via
S7 connections with the send/receive blocks:
 F_SENDBO/F_RCVBO Transfer of 20 F_BOOL
 F_SENDR/F_RCVBR
Transfer of 20 F_REAL
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.77
Safety Control Loops and
Residual Error (PFD) Probability....
within one PLC
Sensor
Bin. I
Anal. I
logic operations
Bin. O
Actuator
100 %, total figure for allowed PFD (Probability of Failure on Demand)
Sensor
Bin. I
Anal. I
logic operations
Bin. O
Actuator
15 %
1%
1 % (Profisafe share of total for SIL3)
e.g. Safety Integrity Level (SIL) 3 : 10-7 / h
(Share of ProfiSafe: 1% = 10-9 / h)
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.78
Andre SAS krav for et typisk nettverk, Safety / Security
Typisk SAS nettverks arkitektur
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.79
Andre SAS krav for et typisk nettverk, Safety / Security
Mange standarder, forsvar i dybden
Standarder, anbefalinger
 ISO 27000 / ISO 27001 / ISO 27002
 ISA S99
 OLF-104
 OLF-110
 OLF-123
 ISA Security Compliance Institue: ISA Secure
 INL Security Lab (Idaho National Lab)
 LOGIIC (Linking the Oil and Gas Industry to Improve Cyber Security )
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.80
Ganske mye utstyr / SW for security i et komplett anlegg
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.81
Vil du ha SIL3 på din egen PC
Vi starter med en standard PC og en programpakke + litt safe I/O
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
Standard
ProgrammingSoftware
STEP 7
Failsafe
ProgrammingTool
Distributed Safety
F Soft PLC
Failsafe
Application
Program
Standard
PROFIBUS DP
or
PROFINET IO
PROFIsafe
Standard
Remote I/O
Failsafe
I/O Modules
100.82
Først må du sjekke om din PC er egnet for formålet
Så kan du laste nødvendig SW, og sette inn snitt for PROFIbus

Tar 20-30 min
Har den en timer, RTC på
Interupt 8? (normalt ok)

Last SW




Win AC RTX F er installert på
Windows XP Prof / eller er
”embedded”
Koden løper på en ekstra ”realtime
kernel, IntervalZero RTX”
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.83
Baserer seg på tidligere omtalte prinsipper


Coded Processing
Time redundancy and diversity instead of structural redundancy
A, B
Operators
Operation
C
Output
AND
Coding
Comparison
Stop
by D ≠ /C
OR
Divers
Operators
/A, /B
Divers
Operation
Time redundancy
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
D = /C
Divers
Output
Time
100.84
Baserer seg på tidligere omtalte prinsipper
F-DI
uP Left
uP Right
PROFIsafe telegram
Data
Data xf
F-CPU
zf = xf + yf
Data
PROFIsafe telegram
F-DO
uP Left
Plus
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
PSF Input
Driver
CRC
Coded xc
zc = xc + yc + 1
F-CTRL
1
F FBs STEP 7
F-Coded FBs
FCTRL2
PSF Output
Driver
CRC
uP Right
Minus
Bad
Wrong CRC
-> PROFIsafe Stop or
-> CPU Stop
100.85
Ditt eget Moholt SIL3 anlegg
WinAC RTX F
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
A.O.Sveen, NTNU 2011
100.86
Tusen Takk for at Dere gadd høre på!
For mer info se:
www.siemens.com/process-safety
www.siemens.com/safety-matrix
 First with Integrated Control & Safety
 First with Flexible, Scalable, Distributed Architecture
 First Safety Lifecycle Management Tool - Safety Matrix
 First and Only Fully Integrated Safety Fieldbus
 First and Only SIL3, zone 1 I/O
 First and Only SIL3 on your own PC
SSo ol ul u
t i t oi no s n fso rf oO ri l O& i Gl a &s G a s
Arnt
Olav Sveen
A.O.Sveen,
NTNU 2011
arntolav.sveen@siemens.com
100.87