Engineering with PROFIsafe - Peter Brown
TRANSCRIPT
Engineering with PROFIsafe
Pete Brown, Siemens Customer Services
Pete Brown / PROFIsafe
What do we mean by "Safety"?
“The condition of being safe; freedom from danger, risk, or injury.”
In the UK (and Europe) this can cover many areas and industries, for example:
Supply of Machinery (Safety) Regulations
Electromagnetic Compatibility Regulations
Electrical Equipment (Safety) Regulations
Pressure Equipment Regulations
Simple Pressure Vessels (Safety) Regulations
Equipment and Protective Systems Intended for Use in Potentially Explosive Atmospheres Regulations
Lifts Regulations
Medical Devices Regulations
Gas Appliances (Safety) Regulations
Pete Brown / Engineering with PROFIsafe
Important: It is essential to have some form of risk assessment / risk analysis, e.g. HAZAN / HAZID / HAZOP / RA to ISO 12100
Legislation / HASAWA 1974
It shall be the duty of every employer to conduct his undertaking in such a way as to ensure, so far as is reasonably practicable, that persons not in his employment who may be affected thereby are not thereby exposed to risks to their health and safety.
It shall be the duty of any person who designs, manufactures, imports or supplies any article for use at work –
(a) to ensure, so far as is reasonably practicable, that the article is so designed and constructed as to be safe and without risks to health when properly used;
(b) to carry out or arrange for the carrying out of such testing and examination as may be necessary for the performance of the duty imposed on him by the preceding paragraph;
(c) to take such steps as are necessary to secure that there will be available in connection with the use of the article at work adequate information about the use for which it is designed and has been tested, and about any conditions necessary to ensure that, when put to that use, it will be safe and without risks to health.
Legislation / General
The Management of Health and Safety at Work Regulations
SCR: The Offshore Installations (Safety Case) Regulations
PFEER: The Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations
COMAH: Control of Major Accident Hazards Regulations
DSEAR: Dangerous Substances and Explosive Atmospheres Regulations
Machinery Directive, Low Voltage Directive, EMC Directive
Consumer Protection Act 1987
New for 2015! COMAH – HSE ECI Delivery Guide
What defines the minimum we should do? Harmonized Standards, Approved Codes of Practice, International Standards
Expectations for Safety-Related controls
Foreseeable misuse
IT security
Unexpected start-up
Fault masking
As Low As Reasonably Practicable (ALARP)
So Far As Is Reasonably Practicable (SFAIRP)
What do these terms mean? What do these terms mean for Automation & Control?
What does this mean for Automation Engineers?
Functional Safety 'Best Practice'
[Figure: standards landscape. IEC 61508 is the basic standard. Process Industry: IEC 61511. Manufacturing Industry: IEC 62061, ISO 13849, EN 954 (until 2011). Labels: Focus Product Manufacture; Focus Integration; Relevant good practice; Harmonized standards.]
Basic Lifecycle Concept
Pete Brown / Handling Functional Safety
Functional Safety
Control of dangerous failures during operation through Robust Design
Control and avoidance of systematic failures through Robust Processes
Safety Lifecycle Requirement
Engineering / Design
System Architecture
Failure Probability
Planning / Processes
Safety Management
Verification / Responsibilities
How does PROFIsafe help?
Modern Requirements and Best Practice
PROFIsafe – The Vision
[Figure: the PROFIsafe vision. A Profibus DP network with Standard-Host/PLC, F-Host/FPLC, Standard-I/O, F-I/O, Repeater, DP/PA link, F-Field-Device, F-Sensor, F-Actuator and an F-Gateway to another safety bus; Master-Slave assignment; Engineering Tool and PG/ES with secure access (e.g. firewall) over TCP/IP. F = Failsafe.]
Coexistence of standard and failsafe communication
Safety-related Controls
[Figure: safety-related controls today. PROFIBUS DP with Standard-Host/PLC (DP-Master, class 1) and Standard-I/O (DP-Slaves) for standard control and diagnosis; alongside it, proprietary safety busses or conventional safety technology (e.g. PNOZ, 3TK) with relays, Safety PLC and Safety I/O for functional safety.]
Open questions: Wiring? Flexibility? Seamless engineering? Space?
Cyclic Communication
[Figure: F-Host / FPLC polling a laser scanner, Standard-I/O, F-I/O and a drive with integrated safety over bus cycles 1 and 2.]
1:1 communication relationship between master and slave
PROFIsafe – ISO/OSI Model
"Black Channel": ASICs, links, cables, etc. Not safety relevant.
"PROFIsafe": safety critical communication systems: addressing, watchdog timers, sequencing, signature, etc.
Safety relevant, not part of PROFIsafe: Safety I/O / Safety Control Systems.
Non safety critical functions, e.g. diagnostics.
[Figure: Standard-I/O, Standard Control, Safety Input, Safety Control and Safety Output, each shown with ISO/OSI layers 1, 2 and 7; the safety devices carry an additional Safety-Layer. Label: e.g. Diagnostics.]
PROFIsafe – Add-on Strategy
[Figure: add-on strategy. Standard engineering tool (STEP 7), Standard CPU, Standard PROFIBUS DP, Standard Remote I/O; added on top: Failsafe engineering tool (Distributed Safety), Failsafe Application Program, F-Hardware, Failsafe I/O Modules, PROFIsafe.]
PROFIsafe - Program
Coexistence of standard program and safety-related program on one CPU. Changes to the standard program have no effect on the integrity of the safety-related program section.
[Figure: program layout on one CPU: Standard program | Safety program | Standard program.]
PROFIsafe – Coded Processing
Time redundancy and diversity replace complete redundancy
[Figure: coded processing. Operands A, B pass through the operators (AND) to give output C; the inverted operands /A, /B pass through the diverse operators (OR) to give the diverse output D. The comparison checks the coding D = /C; stop by D/C mismatch. Time redundancy: the operation and the diverse operation run one after the other in time.]
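To make the coding comparison concrete, here is an added Python model (not code from the presentation or from Siemens) of one coded operation: the plain operator on A, B and the diverse operator on /A, /B, followed by the D = /C comparison that forces a stop on mismatch. The operator table, the fault-injection hook and all function names are assumptions for illustration.

```python
# Added toy model of coded processing with time redundancy and diversity;
# not the presentation's or Siemens' code. The safety logic is evaluated twice
# in sequence: first on the plain operands with the plain operator, then on the
# inverted ("diverse") operands with the diverse operator. By De Morgan,
# NOT(A AND B) == (/A OR /B), so D = /C must hold; a mismatch means one of the
# two computations went wrong and the safe state (stop) is forced.
from typing import Callable, Optional

# Plain operator and its diverse counterpart (a De Morgan pair).
PLAIN_OPS = {"AND": lambda a, b: a and b, "OR": lambda a, b: a or b}
DIVERSE_OPS = {"AND": lambda a, b: a or b, "OR": lambda a, b: a and b}


class SafeStop(Exception):
    """Raised when the comparison D = /C fails: the output cannot be trusted."""


def coded_operation(op: str, a: bool, b: bool,
                    fault: Optional[Callable[[bool], bool]] = None) -> bool:
    """Evaluate op(a, b) twice (plain, then diverse) and compare the results.

    `fault` (assumed hook) optionally corrupts the plain result, modelling a
    hardware or systematic error in the first computation path.
    """
    # Operation (time slot 1): plain operands, plain operator -> C
    c = PLAIN_OPS[op](a, b)
    if fault is not None:
        c = fault(c)
    # Diverse operation (time slot 2): inverted operands, diverse operator -> D
    d = DIVERSE_OPS[op](not a, not b)
    # Coding comparison: D must equal /C, otherwise stop (safe state)
    if d != (not c):
        raise SafeStop(f"D={d} != /C={not c} for {op}({a}, {b})")
    return c


def evaluate(op: str, a: bool, b: bool, fault=None) -> str:
    """Map the coded result to a drive command: 'RUN' only if the result is
    True AND both computation paths agreed; any mismatch yields 'STOP'."""
    try:
        return "RUN" if coded_operation(op, a, b, fault) else "STOP"
    except SafeStop:
        return "STOP"
```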
PROFIsafe - Basics
[Figure: the "Black channel". Standard data and fail-safe data share the standard bus protocol (PROFIBUS or PROFINET); a PROFIsafe layer at each end handles the fail-safe data.]
First standard of communication in accordance with safety standard IEC 61508. PROFIsafe supports safe communication for the open standards PROFIBUS and PROFINET.
PROFIsafe meets possible faults like address error, delay and data loss with:
Serial numeration of PROFIsafe telegrams
Time monitoring
Authenticity monitoring
Optimized CRC checking
PROFIsafe supports standard and failsafe communication over one medium.
PROFIsafe - Checks
Overview: Possible Errors and detection mechanism
Failure types: Repetition, Deletion, Insertion, Resequencing, Data Corruption, Delay, Masquerade (standard message mimics failsafe), Revolving memory failure within switches
Remedies: Consecutive Number, Time Out with Receipt, Codename for Sender and Receiver, Data Consistency Check
[Table: failure type vs. remedy matrix]
PROFIsafe safety PDU
PROFIsafe container = Safety PDU, carried inside standard PROFINET IO messages:
F Input/Output Data: max. 12 / 123 bytes
Status / Control Byte: 1 byte
CRC2: 3 / 4 bytes *)
CRC2 is calculated across the F I/O data, the Status or Control Byte, the F-Parameters and Vconsnr_h.
*) 3 bytes for a max. of 12 bytes F I/O data; 4 bytes for a max. of 123 bytes F I/O data
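The checks slide and the PDU layout above, as an added Python model that is neither the presentation's nor the PROFIsafe specification's code: a consumer that verifies CRC2 over the F I/O data, the status/control byte, a codename and an untransmitted consecutive number, plus a receipt watchdog, so that replayed, corrupted, masqueraded and late frames are rejected. A generic CRC-32 (the slide's 4-byte variant) stands in for the real CRC2 algorithm, and the codename bytes, the watchdog value and all names are assumptions.

```python
# Added illustration, not the PROFIsafe specification: a generic CRC-32 stands
# in for CRC2, and the codename bytes, watchdog and all names are invented.
import struct
import zlib

CRC_LEN = 4          # 4-byte CRC2 for up to 123 bytes of F I/O data (per slide)
MAX_F_DATA = 123
WATCHDOG_MS = 100    # assumed time-out with receipt

def crc2(f_data: bytes, ctrl: int, codename: bytes, cons_nr: int) -> bytes:
    """CRC over F I/O data, status/control byte, codename (stands in for the
    F-Parameter) and the consecutive number (stands in for VConsNr). The
    consecutive number is never transmitted; both sides count it locally."""
    material = f_data + bytes([ctrl]) + codename + struct.pack(">I", cons_nr)
    return struct.pack(">I", zlib.crc32(material) & 0xFFFFFFFF)

def build_pdu(f_data: bytes, ctrl: int, codename: bytes, cons_nr: int) -> bytes:
    """Safety PDU = F I/O data | status/control byte | CRC2."""
    assert len(f_data) <= MAX_F_DATA
    return f_data + bytes([ctrl]) + crc2(f_data, ctrl, codename, cons_nr)

class FReceiver:
    """Consumer side: expected consecutive number plus a receipt watchdog."""

    def __init__(self, codename: bytes):
        self.codename, self.expected_nr, self.last_ok_ms = codename, 1, 0

    def receive(self, pdu: bytes, now_ms: int) -> tuple:
        """('OK', f_data) or ('FAIL', reason); on FAIL use fail-safe values."""
        if now_ms - self.last_ok_ms > WATCHDOG_MS:
            return ("FAIL", "delay: watchdog expired")
        f_data, ctrl, crc = pdu[:-CRC_LEN - 1], pdu[-CRC_LEN - 1], pdu[-CRC_LEN:]
        if crc != crc2(f_data, ctrl, self.codename, self.expected_nr):
            # Catches corruption (flipped bits), masquerade (wrong codename) and
            # repetition/deletion/insertion/resequencing (wrong consecutive nr).
            return ("FAIL", "CRC / codename / consecutive-number mismatch")
        self.expected_nr, self.last_ok_ms = self.expected_nr + 1, now_ms
        return ("OK", f_data)

def demo() -> list:
    """Constructed traffic: good, replayed, corrupted, masqueraded, good, late."""
    cn = b"\x01\x0a"                       # codename: sender/receiver pair
    rx, data = FReceiver(cn), b"\x01\x00"  # two bytes of F input data
    p1, p2, p3 = (build_pdu(data, 0, cn, n) for n in (1, 2, 3))
    corrupt = bytes([p2[0] ^ 1]) + p2[1:]
    masq = build_pdu(data, 0, b"\xff\xff", 2)   # a standard device's frame
    frames = [(p1, 10), (p1, 20), (corrupt, 30), (masq, 40), (p2, 50), (p3, 500)]
    return [rx.receive(pdu, t)[0] for pdu, t in frames]
```

Because the consecutive number is part of the CRC but not part of the frame, a standard device that copies a safety frame byte for byte still fails the check, which is the point of the "codename" and "consecutive number" remedies on the checks slide.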
Wireless Communication
[Figure: wireless topologies. Industrial Ethernet backbone with access points and clients; an Automated Guided Vehicle (AGV); a separated PLC network on rotating and moving parts; mobile commissioning and diagnosis.]
Wireless Communication
Wireless transmission (WLAN, Bluetooth)
No special safety certification: PROFIsafe is approved for a BEP of up to 10^-2. Data security is to be assured by the wireless components.
"Stationary" applications (well-defined locations and movements): no constraints and no special assessments as long as two points are connected via wireless components.
Mobile deployment of wireless components in most cases can only be accepted under certain constraints (e.g. unambiguous allocation of the E-Stop to the hazardous final element). Thus, an emergency stop button at a mobile operator panel with WLAN transmission is not automatically permitted even if the transmission is correct from a safety point of view (which is true for PROFIsafe).
Wireless and PROFIsafe is not a question of safety but a question of availability. Currently, only a maximum of one nuisance trip per work shift (= SIL monitor time = 10 h) is permitted at a BEP of 10^-2. (BEP = bit error probability)
Security for Industrial Automation
Considering the PROFINET Security Guideline
Cyber Security
What Cyber Security legislation applies? What is the current state of the market?
Centre for the Protection of National Infrastructure (CPNI)
The Network and Information Security (NIS) Directive: "Providers of essential services"
Confidentiality, Integrity, Availability (CIA)
Availability, Integrity, Confidentiality (AIC)
People, Environment, Asset, Reputation (PEAR)
Industrial IT Security
DCS/SCADA*
*DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition
Potential Attack
Plant Security
Physical Security
• Physical access to facilities and equipment
Policies & Procedures
• Security management processes
• Operational Guidelines
• Business Continuity Management & Disaster Recovery
Network Security
Security Zones & DMZ
• Secure architecture based on network segmentation
Firewalls and VPN
• Implementation of Firewalls as the only access point to a security cell
System Integrity
System Hardening
• Adapting the system to be secure by default
User Account Management
• Access control based on user rights and privileges
Patch Management
• Regular implementation of patches and updates
Malware Detection and Prevention
• Anti Virus and Whitelisting
PROFINET Security Concept
The PROFINET Security Concept, from the PROFINET Security Guideline
Network Architecture – Security Zones
Trust Concept – within Zones
Perimeter Defence – Firewall/VPN
Provision of Confidentiality and Integrity
Transparent Integration of Firewalls
Secure Automation Cells (Zones)
[Figure: complete plant security: secure automation cells inside the plant, with the Internet outside.]
Methods for Network Security
Security issues and vulnerabilities need to be addressed. There are many methods. How can we address these vulnerabilities using these techniques:
Firewall: protect against unauthorized access
VLAN (Virtual Local Area Network): logical network that operates on the basis of a physical network
DMZ (De-Militarized Zone): exchange data with external partners via safe areas
VPN (Virtual Private Network): secure tunnel between authenticated users
What is the minimum we should be doing today?
National Infrastructure
IT security RA
Assess Safety Functions
IEC 62443 / Zoning
Any questions?
Peter Brown, Product Specialist, Siemens Customer Services
Mobile: 07808 825551
Email: [email protected]