Engineering with PROFIsafe - Peter Brown

Pete Brown, Siemens Customer Services

Upload: profibus-and-profinet-internationai-pi-uk

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Engineering with PROFIsafe - Peter Brown

Engineering with PROFIsafe

Pete Brown, Siemens Customer Services

Page 2: Engineering with PROFIsafe - Peter Brown

What do we mean by “Safety”?

“The condition of being safe; freedom from danger, risk, or injury.”

In the UK (and Europe) this can cover many areas and industries, for example:

Supply of Machinery (Safety) Regulations

Electromagnetic Compatibility Regulations

Electrical Equipment (Safety) Regulations

Pressure Equipment Regulations

Simple Pressure Vessels (Safety) Regulations

Equipment and Protective Systems Intended for Use in Potentially Explosive Atmospheres Regulations

Lifts Regulations

Medical Devices Regulations

Gas Appliances (Safety) Regulations

Important: It is essential to have some form of risk assessment / risk analysis, e.g. HAZAN / HAZID / HAZOP / RA to ISO 12100.

Page 3: Engineering with PROFIsafe - Peter Brown

Legislation / HASAWA 1974

It shall be the duty of every employer to conduct his undertaking in such a way as to ensure, so far as is reasonably practicable, that persons not in his employment who may be affected thereby are not thereby exposed to risks to their health and safety.

It shall be the duty of any person who designs, manufactures, imports or supplies any article for use at work –

(a) to ensure, so far as is reasonably practicable, that the article is so designed and constructed as to be safe and without risks to health when properly used;

(b) to carry out or arrange for the carrying out of such testing and examination as may be necessary for the performance of the duty imposed on him by the preceding paragraph;

(c) to take such steps as are necessary to secure that there will be available in connection with the use of the article at work adequate information about the use for which it is designed and has been tested, and about any conditions necessary to ensure that, when put to that use, it will be safe and without risks to health.

Page 4: Engineering with PROFIsafe - Peter Brown

Legislation / General

The Management of Health and Safety at Work Regulations

SCR: The Offshore Installations (Safety Case) Regulations

PFEER: The Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations

COMAH: Control of Major Accident Hazards Regulations

DSEAR: Dangerous Substances and Explosive Atmospheres Regulations

Machinery Directive, Low Voltage Directive, EMC Directive

Consumer Protection Act 1987

New for 2015! COMAH – HSE ECI Delivery Guide

What defines the minimum we should do?

Harmonized Standards

Approved Code of Practice

International Standards

Foreseeable misuse

IT security

Unexpected start-up

Fault masking

Page 5: Engineering with PROFIsafe - Peter Brown

Expectations for Safety-Related controls

As Low As Reasonably Practicable (ALARP)

So Far As Is Reasonably Practicable (SFAIRP)

What do these terms mean? What do these terms mean for Automation & Control?

Page 6: Engineering with PROFIsafe - Peter Brown

What does this mean for Automation Engineers?

Functional Safety

Page 7: Engineering with PROFIsafe - Peter Brown

‘Best Practice’

[Diagram: standards landscape] IEC 61508; IEC 62061 and ISO 13849; EN 954 (until 2011); IEC 61511. Process Industry / Manufacturing Industry. Focus: Product Manufacture / Focus: Integration. Relevant good practice / Harmonized standards.

Page 8: Engineering with PROFIsafe - Peter Brown

Basic Lifecycle Concept

Functional Safety

Control of dangerous failures during operation through Robust Design

Control and avoidance of systematic failures through Robust Processes

Safety Lifecycle Requirement

Engineering / Design: System Architecture, Failure Probability

Planning / Processes: Safety Management

Verification / Responsibilities

Page 9: Engineering with PROFIsafe - Peter Brown

How does PROFIsafe help?

Modern Requirements and Best Practice

Page 10: Engineering with PROFIsafe - Peter Brown

PROFIsafe – The Vision

[Diagram: PROFIsafe vision] Profibus DP with Standard-Host/PLC, F-Host/FPLC, Standard-I/O, F-I/O, Repeater, DP/PA, F-Field-Device, F-Sensor and F-Actuator; F-Gateway to another Safety Bus; Master-Slave Assignment; Engineering Tool and PG/ES with secure access (e.g. Firewall) over TCP/IP.

Coexistence of standard and failsafe communication

F = Failsafe

Page 11: Engineering with PROFIsafe - Peter Brown

Safety-related Controls

[Diagram] PROFIBUS DP: Standard-Host/PLC (DP-Master, class 1) with Standard-I/O (DP-Slaves) and diagnosis; alongside, proprietary safety buses and conventional safety technology (e.g. PNOZ, 3TK): Safety PLC, Safety I/O, relays.

Standard vs. functional safety: Wiring? Flexibility? Seamless engineering? Space?

Page 12: Engineering with PROFIsafe - Peter Brown

Cyclic Communication

[Diagram] F-Host / FPLC on the bus with Laser scanner, Standard-I/O, F-I/O and a Drive with integrated Safety. 1:1 communication relationship between master and slave (1, 2, ...) within the bus cycle.

Page 13: Engineering with PROFIsafe - Peter Brown

PROFIsafe – ISO/OSI Model

"Black Channel": ASICs, Links, Cables, etc. Not safety relevant.

"PROFIsafe": Safety critical communications systems: Addressing, Watchdog Timers, Sequencing, Signature, etc.

Safety relevant, not part of PROFIsafe: Safety I/O / Safety Control Systems.

Non safety critical functions, e.g. diagnostics.

[Diagram] OSI layers 1, 2 and 7 for Standard I/O, Standard Control, Safety Input, Safety Control and Safety Output; the three safety components carry an additional Safety Layer; e.g. diagnostics.

Page 14: Engineering with PROFIsafe - Peter Brown

PROFIsafe – Add-on Strategy

[Diagram] Standard side: standard engineering tool STEP 7, Standard CPU, Standard PROFIBUS DP, Standard Remote I/O. Failsafe add-on: failsafe engineering tool Distributed Safety, Failsafe I/O Modules, PROFIsafe, Failsafe Application Program, F-Hardware.

Page 15: Engineering with PROFIsafe - Peter Brown

PROFIsafe - Program

Coexistence of standard program and safety-related program on one CPU. Changes to the standard program have no effect on the integrity of the safety-related program section.

[Diagram] Standard program / Safety program / Standard program

Page 16: Engineering with PROFIsafe - Peter Brown

PROFIsafe – Coded Processing

Time redundancy and diversity replace complete redundancy

[Diagram] Time redundancy: Operation (Operators, Output) and Diverse Operation (Diverse Operators, Diverse Output), followed by Coding Comparison; Stop by D vs. /C; D = /C. Inputs A, B (AND) and /A, /B (OR) give C.

Page 17: Engineering with PROFIsafe - Peter Brown

PROFIsafe - Basics

[Diagram] "Black channel": a PROFIsafe layer at each end carries fail-safe data alongside standard data over the standard bus protocol (PROFIBUS or PROFINET).

First standard of communication in accordance with safety standard IEC 61508. PROFIsafe supports safe communication for the open standards PROFIBUS and PROFINET.

PROFIsafe counters possible faults such as address errors, delay and data loss with:

Serial numbering of PROFIsafe telegrams

Time monitoring

Authenticity monitoring

Optimized CRC checking

PROFIsafe supports standard and failsafe communication over one medium.

Page 18: Engineering with PROFIsafe - Peter Brown

PROFIsafe - Checks

Overview: Possible Errors and detection mechanisms

Failure types: Repetition, Deletion, Insertion, Resequencing, Data Corruption, Delay, Masquerade (standard message mimics failsafe), Revolving memory failure within switches

Remedies: Consecutive Number, Time Out with Receipt, Codename for Sender and Receiver, Data Consistency Check

Page 19: Engineering with PROFIsafe - Peter Brown

PROFIsafe safety PDU

[Diagram] Standard PROFINET IO messages carry the PROFIsafe container (Safety PDU):

F Input/Output Data      max. 12 / 123 bytes
Status / Control Byte    1 byte
CRC2                     3 / 4 bytes *)

CRC2 is computed across F I/O data, Status or Control Byte, F-Parameter, and Vconsnr_h.

*) 3 bytes for a max. of 12 bytes F I/O data; 4 bytes for a max. of 123 bytes F I/O data.
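As an added illustration (not from the slides and not any PROFIsafe implementation), the following Python model replays the failure types from the Checks slide against a receiver that applies the listed remedies to a Safety PDU shaped like the one above: consecutive number, time out, codename and a CRC covering data, status byte and codename. The frame layout, the 24-bit CRC derived from zlib.crc32, the codename value and the watchdog period are constructed assumptions, not the PROFIsafe specification.

```python
"""Toy receiver for the checks the slides list (consecutive number, watchdog, codename,
CRC). Constructed model: frame layout, CRC and codename encoding are not the PROFIsafe spec."""
import struct
import zlib

STATUS_LEN, CRC_LEN = 1, 3  # slide: 1 status byte, 3-byte CRC2 for up to 12 bytes of F I/O data

def crc2(f_data: bytes, status: int, codename: int, consnr: int) -> bytes:
    """CRC across F I/O data, status byte, F-Parameter (codename) and the
    consecutive number. The counter is never sent; it only enters the CRC."""
    material = f_data + bytes([status]) + struct.pack(">HI", codename, consnr)
    return (zlib.crc32(material) & 0xFFFFFF).to_bytes(CRC_LEN, "big")  # constructed 24-bit CRC

def build_frame(f_data: bytes, status: int, codename: int, consnr: int) -> bytes:
    return f_data + bytes([status]) + crc2(f_data, status, codename, consnr)  # sender side

class Receiver:
    def __init__(self, codename: int, watchdog_ms: int):
        self.codename, self.watchdog_ms = codename, watchdog_ms
        self.expected, self.last_ok_ms = 1, 0  # next consecutive number, last good receipt

    def accept(self, frame: bytes, now_ms: int):
        """Return (ok, reason). A failed check would passivate the F-I/O (safe state)."""
        if now_ms - self.last_ok_ms > self.watchdog_ms:
            return False, "watchdog timeout (delay)"
        f_data, status = frame[:-(STATUS_LEN + CRC_LEN)], frame[-(STATUS_LEN + CRC_LEN)]
        if frame[-CRC_LEN:] != crc2(f_data, status, self.codename, self.expected):
            # CRC binds data, codename and expected counter: repetition, loss, reordering,
            # corruption and masquerade all surface here as a CRC2 mismatch.
            return False, "CRC2 mismatch (sequence, corruption or masquerade)"
        self.expected, self.last_ok_ms = self.expected + 1, now_ms
        return True, "ok"

def run_scenarios() -> dict:
    """Replay the slide's failure types against one receiver; True means detected."""
    cn = 0x0A5C  # constructed codename shared by sender and receiver
    rx = Receiver(codename=cn, watchdog_ms=100)  # constructed 100 ms watchdog
    tg = [build_frame(bytes([0x01, i]), 0x00, cn, i) for i in range(1, 6)]  # consnr 1..5
    corrupt = tg[2][:1] + bytes([tg[2][1] ^ 0x80]) + tg[2][2:]  # one flipped data bit
    forged = build_frame(bytes([0x01, 3]), 0x00, 0xFFFF, 3)  # masquerade: other codename
    return {
        "good_1": rx.accept(tg[0], 10)[0],
        "repetition": not rx.accept(tg[0], 20)[0],
        "resequencing": not rx.accept(tg[2], 30)[0],
        "good_2": rx.accept(tg[1], 40)[0],
        "data_corruption": not rx.accept(corrupt, 50)[0],
        "masquerade": not rx.accept(forged, 60)[0],
        "deletion": not rx.accept(tg[3], 70)[0],  # telegram 3 lost, telegram 4 arrives
        "delay": not rx.accept(tg[2], 200)[0],  # correct telegram, but after the watchdog
    }
```

Because the counter is only mixed into the CRC and never transmitted, a repeated, lost or reordered telegram is indistinguishable from a corrupted one at the receiver; the distinct remedy columns of the slide collapse into one decision.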

Page 20: Engineering with PROFIsafe - Peter Brown

Wireless Communication

[Diagram] Industrial Ethernet Backbone with Access Points and Clients: Automated Guided Vehicle (AGV); separated PLC network on rotating and moving parts; mobile commissioning and diagnosis.

Page 21: Engineering with PROFIsafe - Peter Brown

Wireless Communication

Wireless transmission (WLAN, Bluetooth)

No special safety certification. PROFIsafe approved for BEP up to 10^-2 (BEP = bit error probability). Data security is to be assured by the wireless components.

"Stationary" applications (well-defined locations and movements): no constraints and no special assessments as long as two points are connected via wireless components.

Mobile deployment of wireless components in most cases can only be accepted under certain constraints (e.g. unambiguous allocation of the E-Stop to the hazardous final element). Thus, an emergency stop button at a mobile operator panel with WLAN transmission is not automatically permitted even if the transmission is correct from a safety point of view (which is true for PROFIsafe).

Wireless and PROFIsafe is not a question of safety but a question of availability. Currently, only a maximum of one nuisance trip per work shift (= SIL monitor time = 10 h) is permitted at a BEP of 10^-2.

Page 22: Engineering with PROFIsafe - Peter Brown

Security for Industrial Automation

Considering the PROFINET Security Guideline

Page 23: Engineering with PROFIsafe - Peter Brown

Cyber Security

What Cyber Security legislation applies? What is the current state of the market?

Centre for the Protection of National Infrastructure (CPNI)

The Network and Information Security (NIS) Directive: “Providers of essential services”

Confidentiality, Integrity, Availability (CIA)

Availability, Integrity, Confidentiality (AIC)

People, Environment, Asset, Reputation (PEAR)

Page 24: Engineering with PROFIsafe - Peter Brown

Industrial IT Security

DCS/SCADA*

*DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition

Potential Attack

Plant Security

Physical Security
• Physical access to facilities and equipment

Policies & Procedures
• Security management processes
• Operational Guidelines
• Business Continuity Management & Disaster Recovery

Network Security

Security Zones & DMZ
• Secure architecture based on network segmentation

Firewalls and VPN
• Implementation of Firewalls as the only access point to a security cell

System Integrity

System Hardening
• Adapting system to be secure by default

User Account Management
• Access control based on user rights and privileges

Patch Management
• Regular implementation of patches and updates

Malware Detection and Prevention
• Anti-virus and Whitelisting

Page 25: Engineering with PROFIsafe - Peter Brown

PROFINET Security Concept

The PROFINET Security Concept, from the PROFINET Security Guideline:

Network Architecture: Security Zones

Trust Concept: within Zones

Perimeter Defence: Firewall/VPN

Provision of Confidentiality and Integrity

Transparent Integration of Firewalls

Page 26: Engineering with PROFIsafe - Peter Brown

Secure Automation Cells (Zones)

[Diagram] Complete plant security; Secure automation cells; Internet

Page 27: Engineering with PROFIsafe - Peter Brown

Methods for Network Security

Security issues and vulnerabilities need to be addressed. There are many methods. How can we address these vulnerabilities using these techniques?

Firewall: Protect against unauthorized access

VLAN (Virtual Local Area Network): Logical network that operates on the basis of a physical network

DMZ (De-Militarized Zone): Exchange data with external partners via safe areas

VPN (Virtual Private Network): Secure tunnel between authenticated users

What is the minimum we should be doing today?

National Infrastructure / IT security RA

Assess Safety Functions / IEC 62443 / Zoning

Page 28: Engineering with PROFIsafe - Peter Brown

Any questions?

Peter Brown
Product Specialist
Siemens Customer Services
Mobile: 07808 825551
Email: [email protected]