Profisafe update - Pete Brown

What is

PROFIsafe and

how does it

work?

Pete Brown

Siemens I CS

Pete Brown / PROFIsafe

What do we mean by “Safety”

“The condition of being safe; freedom from danger, risk, or injury.”

In the UK (and Europe) this can cover many areas and industries, for example:

Supply of Machinery (Safety) Regulations

Electromagnetic Compatibility Regulations

Electrical Equipment (Safety) Regulations

Pressure Equipment Regulations

Simple Pressure Vessels (Safety) Regulations

Equipment and Protective Systems Intended for Use in Potentially Explosive Atmospheres

Regulations

Lifts Regulations

Medical Devices Regulations

Gas Appliances (Safety) Regulations

Important: It is essential to have some

form of risk assessment / risk analysis

e.g. HAZAN / HAZID / HAZOP / RA to

ISO 12100


PROFIsafe – The Vision 3


Profibus DP

Standard-Host/PLC

F-Gate- way

other

Safety-

Bus

Repeater

Standard-I/O

Master-Slave

Assignment

F-Field-

Device

DP/PA

Coexistence of standard and failsafe communication

F-Host/FPLC

Standard-I/O

F-I/O

Engineering Tool

PG/ES with secure access e.g. Firewall

TCP/IP

F = Failsafe

F-Sensor F-Actuator

Cyclic Communication 4


F-Host / FPLC

Laserscanner Standard-I/O F-I/O Drive with integrated

Safety

1:1 Communication relationship

between master and slave 1

2

Bus cycle

PROFIsafe – ISO/OSI Model 5


"Black Channel": ASICs, Links, Cables, etc. Not safety relevant

"PROFIsafe": Safety critical communications systems: Addressing, Watch Dog Timers, Sequencing, Signature, etc.

Safety relevant, Not part of the PROFIsafe: Safety I/O / Safety Control Systems

Non safety critical functions, e.g. diagnostics

Standard-

I /O Standard Control

1

2

7

1

2

7

1

2

7

1

2

7

1

2

7

Safety Input

Safety Control

Safety Output

Safety-Layer Safety-Layer Safety-Layer

e.g.. Diagnostics

PROFIsafe – Add-on Strategy 6


Standard engineering

tool STEP 7

Standard CPU

Standard PROFIBUS DP

Standard Remote I/O

Failsafe engineering Tool

Distributed Safety

Failsafe I/O Modules

PROFIsafe

Failsafe Application Program F-Hardware

PROFIsafe - Program 7


Coexistence of standard program and safety-related program on one CPU.

Changes to the standard program have no effect on the integrity of the safety-related

program section.

Standard program

Safety program

Standard program

PROFIsafe – Coded Processing 8


Time redundancy and diversity replace complete redundancy

Time redundancy Time

Diverse Operation

Operation

Coding Comparison

Diverse Operators

Operators

Diverse Output

Output

Stop by D ≠ /C

D = /C

C A, B

/A, /B

OR

AND

PROFIsafe - Basics 9


“B

lac

k c

ha

nn

el"

PROFIsafe

layer PROFIsafe

layer

Standard

data

Fail-safe

data

Standard

bus

protocol

Standard

data

Fail-safe

data

Standard

bus

protocol

PROFIBUS

PROFINET

First standard of communication in accordance with safety standard IEC 61508.

PROFIsafe supports safe communication for the open standard PROFIBUS and

PROFINET.

The PROFIsafe meets possible faults like address error, delay, data loss with Serial numeration of PROFIsafe-telegram Time monitoring Authenticity monitoring Optimized CRC-checking

PROFIsafe supports standard- and failsafe Communication by one medium

PROFIsafe - Checks 10


Failure type:

Remedy: Consecutive Number

Time Out with Receipt

Codename for Sender and

Receiver

Data Consistency

Check

Repetition

Deletion

Insertion

Resequencing

Data Corruption

Delay

Masquerade (standard message mimics failsafe)

Revolving memory failure within switches

Overview:

Possible Errors

and detection

mechanism

PROFIsafe safety PDU 11


S S S S

Standard PROFINET IO messages

F Input/Output Data Status /

Control Byte CRC2

across F I/O data, Status or

Control Byte, F-Parameter,

and Vconsnr_h

Max. 12 / 123 Bytes 1 Byte 3/4 Bytes *) *) 3 Bytes for a max. of 12 Byte F I/O data 4 Byte for a max. of 123 Bytes F I/O data

PROFIsafe container =

Safety PDU

Extended Consecutive Number (24 Bit) 12


CRC1

.

3 Bytes

(F-Device) Consecutive

Number (not trans-

mitted) 0,1...0FFFFFFh

F Input data Status Byte CRC2

across F Input data, Status Byte, F-Parameter,

and Vconsnr_d

Max. 12 / 123 Bytes 1 Byte 3 / 4 Bytes

Vconsnr_d

3 Bytes

Change Toggle_d

01or 10

when incre-

mented

include Vconsnr_d

within CRC2 calculation

(see calculation details)

Reset R_cons_nr

(Bit 2 of the

Control Byte)

1

Increment Toggle_h

(Bit 5 of the

Control Byte)

24/32 Bit CRC

Signature

24 Bit consecutive number

Synchronization via "Toggle Bit"

Example:

PROFIsafe - Backplane 13

Author / Title of the presentation

Which protocol must be supported ?

IO-

C

F

D

O

Actuator

PROFINET

-IO

Device

F

D

I

F

D

O

Sensor

PROFIBUS.

PROFIBUS Device Modular Device

Local bus

F-

Host

PROFINET-

PROFIBUS

Link

Encapsulation

Encapsulation

Encapsulation

F-DI Fail-safe digital input

F-DO Fail-safe digital output

IO-C PROFINET IO-Controller

PROFINET SWITCH

PROFIsafe - Versions 14


PROFIsafe V2

Slave used in

Protocol with

8Bit-Counter

(= PROFIsafe

V1 mode)

Protocol with

24Bit-Counter

(= PROFIsafe

V2 mode)

PROFIBUS

network only mandatory mandatory

PROFINET

network only - mandatory

PROFIBUS /

PROFINET

network

mandatory mandatory

Goal: 100% compatibility

A PROFIsafe slave which supports the v2 mode must be able to replace an older version of this

PROFIsafe slave which only supports the v1 mode without the need of any adaption

PROFIsafe - Versions 15


DP Master

PROFINET – PROFIsafe V2

PROFIBUS – PROFIsafe V1 or V2

DP Slave V2

I/O-Device V2

DP Slave V1

DP Slave V1

Proxy

Only

DP Slave V2

V1 = PROFIsafe Profil V1

V2 = PROFIsafe Profil V2

Handling

Functional

Safety

Modern

Requirements and

Best Practice

1

6

Pete Brown / Handling Functional Safety

‘Drivers’ for Safety

Legislation: “I need to do something.…..but what?”

Fear: “What are my responsibilities and am I doing enough…. Or too much?”

Compliance: “Can I prove I have done as much as is reasonably practicable”

Operational Efficiency: “Can I produce products safely with maximum

efficiency?”

Cost: “Am I getting the best return on my investment” (FFI)

Support: “I want advice based on solutions not products”

17


Legislation / HASAWA 1974

It shall be the duty of every employer to conduct his undertaking in such a way as to ensure, so far as is

reasonably practicable, that persons not in his employment who may be affected thereby are not thereby

exposed to risks to their health and safety.

It shall be the duty of any person who designs, manufactures, imports or supplies any article for use at

work –

(a) to ensure, so far is reasonably practicable, that the article is so designed and constructed as to be safe and

without risks to health when properly used;

(b) to carry out or arrange for the carrying out of such testing and examination as may be necessary for the

performance of the duty imposed on him by the preceding paragraph;

(c) to take such steps as are necessary to secure that there will be available in connection with the use of the

article at work adequate information about the use for which it is designed and has been tested, and about

any conditions necessary to ensure that, when put to that use, it will be safe and without risks to health.

18


Legislation / HASAWA 1974

No person shall intentionally or recklessly interfere with or misuse anything

provided in the interests of health, safety or welfare in pursuance of any of the

relevant statutory provisions.

19


Legislation / MOHASAWR 1999

Every employer shall make a suitable and sufficient assessment of –

(a) The risks to the health and safety of his employees to which they are exposed

whilst they are at work ; and

(b) The risks to the health and safety of persons not in his employment arising out

of or in connection with the conduct by him of his undertaking.

Every employer shall make and give effect to such arrangements as are

appropriate, having regard to the nature of his activities and the size of his

undertaking, for the effective planning, organisation, control, monitoring and

review of the preventative and protective measures.

Where the employer employs five or more employees, he shall record the

arrangements referred to above.

20


Legislation / General

SCR The Offshore Installations (Safety Case) Regulations PFEER The Offshore Installations (Prevention of Fire and Explosion, and

Emergency Response) Regulations COMAH Control of Major Accident Hazards Regulations DSEAR Dangerous Substances and Explosive Atmospheres Regulations

Machinery Directive, Low Voltage Directive, EMC Directive Consumer Protection Act 1987 New for 2015! COMAH – HSE ECI Delivery Guide

What defines the minimum we should do?:

Harmonized Standards

Approved Code of Practice

International Standards

21


Forseeable mis-use

IT security

Unexpected start-up

Fault masking

What is Functional Safety? 22


Functional safety is part of the overall safety that depends on a system or equipment

operating correctly in response to its inputs. Functional safety is achieved when every

specified safety function is carried out and the level of performance required of each

safety function is met.

Functional safety relies on active systems.

Safety achieved by measures that rely on passive systems is not functional safety.

Reactor

Basic Process Control

System (BPCS)

Inputs Outputs

Safety Instrumented

System (SIS)

Inputs Outputs

Systematic Failures

Definition of a systematic failure:

failure related in a deterministic way to a certain cause, which can

only be eliminated by a modification of the design or of the

manufacturing process, operational procedures,

documentation or other relevant factors

Examples of systematic failures include human error in:

The safety requirement specification;

The design, manufacture, installation or operation of the hardware;

The design and / or implementation of the software.

23


‘Best Practice’ 24


IEC 61508

IEC 62061 ISO 13849

EN 954 ( until 2011 )

IEC 61511

Process

Industry Manufacturing Industry

Fo

cu

s

Pro

du

ct

Ma

nu

fac

ture

Fo

cu

s

Inte

gra

tio

n

Relevant good

practice

Harmonized

standards

Basic Lifecycle Concept 25


Functional Safety

Control of dangerous

failures during

operation through

Robust Design

Control and avoidance

of systematic failures

through Robust

Processes

Safety Lifecycle Requirement

Engineering / Design

System Architecture

Failure Probability

Planning / Processes

Safety Management

Verification / Responsibilities

Verification and Validation

Verification (in general) =

“Are you making it right?"

Verification is the process used to evaluate whether or not a system

complies with regulations / specifications / conditions imposed at the start

of a phase.

Validation (in general) =

"Are you making the right thing?“

Validation is the process of establishing evidence (including functional

testing) that provides a high degree of assurance that a system

accomplishes its intended requirements (Fit for purpose).

26


Simplified Safety Lifecycle 27


Hazard and Risk Assessment

Design and Engineering

Installation, Validation and Start-up

Operation and Maintenance

Modernisation and Upgrade

Veri

ficati

on

Any questions? Peter Brown

Functional Safety Specialist

Siemens Customer Services

Mobile: 07808 825551

Email: [email protected]


Profisafe update - Pete Brown

Engineering

Transcript of Profisafe update - Pete Brown