Br Safetyintegrated En


  • 7/31/2019 Br Safetyintegrated En


    Safety Integrated for Process Automation

    Reliable, Flexible, Easy

    Brochure April 2010

    Safety Integrated

    Answers for Industry.

    Siemens AG 2010


    Totally Integrated Automation

    Set new productivity standards for constant competitive advantages

    The optimization of processes improves quality, shortens the time to market and reduces the total cost of ownership.

    To survive in increasingly tougher international competition, today it is more important than ever to consistently tap all optimization potentials throughout the entire lifecycle of a plant. At the same time, the perfect balance between quality, time and costs is the decisive success factor.

    With Totally Integrated Automation (TIA) from Siemens, a seamless offering of perfectly matched products, systems, and solutions for all hierarchy levels of industrial automation, you are optimally equipped for this purpose.


    Through the integration of safety functions in TIA, standard automation (basic process control system) and safety-related automation melt into a uniform complete system. Common hardware, engineering and management components can be utilized for the automation of continuous and discontinuous processes, faster and more precise control procedures and integrated safety functions.

    The result will be considerable savings in investment and operating costs. In addition, the perfect interplay of all components makes it possible for you to permanently produce more at the highest quality level.

    Contents

    Safety engineering from Siemens
    - Process automation with integrated safety
    - Standardized, flexible safety products and solutions from a reliable partner
    - Safety lifecycle management with support from highly qualified Solution Partners
    - Simple control system integration / variable fieldbus communication with integrated safety
    - Flexible and scalable fault tolerance / efficient safety lifecycle engineering
    - Safety Integrated for process automation - the comprehensive range of products and services

    Integrated control & safety
    - SIMATIC PCS 7 - complete integration of the Safety Instrumented System

    Safety Integrated fieldbus technology
    - Uniform field communication with flexible PROFIBUS architectures
    - PROFIsafe - safety-related PROFIBUS communication

    Flexible Modular Redundancy (FMR)
    - Cost-optimized safety through flexible and scalable fault tolerance
    - Configuration versions with FMR
    - SIMATIC controllers for safety-related process applications
    - Versatile, distributed I/O systems
    - Direct device interfacing via fieldbus with high safety and availability
    - Safe field instrumentation on the PROFIBUS PA

    Safety lifecycle management
    - Analysis phase
    - Implementation phase
    - Operation and maintenance phase

    Application examples
    - Partial Stroke Test (PST)
    - Applications for protection against excess pressure, fire and gas as well as for burner management

    Reference projects
    - References in oil & gas and chemical industries

    Overview of product and ordering data
    - Controllers, software components, F modules, terminal modules, distributed I/O system, safety packages


    Safety engineering from Siemens

    Process automation with integrated safety

    Safe at all times

    In the process industries it is not uncommon to find hazardous processes. These hazards may arise from the materials being processed being toxic, flammable or even potentially explosive. Alternatively the process itself may be hazardous - involving high pressures, temperatures or exothermic reactions. Any of these hazards, if not properly addressed, could lead to fatalities. When dealing with hazardous processes the safety of personnel, plant equipment and the environment are of utmost importance but it is also paramount that the systems put in place to ensure safety do not themselves compromise the production process through spurious trips.

    In order to achieve this combination of safety and fault tolerance a reliable Safety Instrumented System (SIS) is required, which can bring the plant to a safe state when necessary but which can also meet the high availability requirements of the process industries.

    Comprehensive range of Safety Instrumented products and services

    Based on the Safety Instrumented System from Siemens, Safety Integrated for Process Automation is a comprehensive range of products and services for fail-safe and fault-tolerant applications in the process industry. A Safety Instrumented System from Siemens will detect and rapidly respond to abnormal conditions detected anywhere in the plant; critical signals from anywhere in the plant are recognized at an early point in time. Various Safety Instrumented System components are available covering fail-safe instrumentation, fail-safe and fault-tolerant control, and the actuators (e.g. positioners, valves and pumps).

    Completely integrated in the standard automation

    The SIMATIC S7-400FH controller, with its matching I/O, offers a maximum degree of safety, fault-tolerance and availability for your applications. From a fail-safe transmitter on the PROFIBUS at the field level, for example for pressure, up to the SIMATIC PCS 7 process control system: based on our offering, you can implement efficient and flexible solutions for automation and safety applications in a totally integrated complete system.


    SIMATIC PCS 7 safety & security

    Advanced standardization, open systems and global networking are unfortunately also associated with increased cyber crime. Numerous threats result from malware or unauthorized access, e.g.:

    - Overloading or failure of networks
    - Espionage and theft of access codes or process data
    - Unauthorized interventions in the process automation
    - Direct sabotage

    In order to protect plants containing the SIMATIC PCS 7 process control system, Siemens has developed an extremely effective, holistic safety concept which links together a wide range of security measures which are being continuously upgraded.

    However, absolute safety cannot be guaranteed even with all the known security measures. By combining SIMATIC PCS 7 IT security with safety engineering, you can neutralize the effects of cyber crime or limit them to a tolerable degree.

    [Figure: SIMATIC PCS 7 safety and security measures surrounding the production plant: segmentation of the plant (security cells); network (subnetworks, IP addresses, name resolution); defense-in-depth security architecture; Active Directory domains and work groups; service access and remote maintenance (VPN, IPSec); virus protection and firewalls; time-of-day synchronization; user management and authorization management; Windows security; patch management]

    More information on the Internet at www.siemens.com/pcs7/it-security


    Standardized, flexible safety products and solutions from a reliable partner

    A complex network of standards and directives ...

    As a plant owner, you are obliged by law to guarantee safety for people and the environment. To achieve this, all rules, directives and orders must be implemented at the plant location and best practice must be followed. A hazard and risk analysis must be carried out if potential hazards exist. This then describes the existing risks, and the current and additional measures to reduce them are defined. The residual risk must always be below the tolerable level.

    Covering analysis, implementation and operation: complete documentation without any omissions (e.g. safety plan) must be provided for the complete lifecycle of a plant. This facilitates fault diagnostics as well as the repeatability of all processes, and serves as proof should damage ever occur.

    The required availability must also be ensured depending on the requirements, for example, through Flexible Modular Redundancy (FMR). FMR allows extremely simple implementation of scalable redundancy which allows the required availability to be achieved.

    ... and a reliable partner which supports you to comply with all requirements.

    For more than 25 years already, Siemens as a reliable industrial partner has been implementing first-class automation solutions for process safety in a wide range of sectors. Our solutions feature maximum efficiency, and provide users with significant potential savings. And they, of course, comply with the applicable national and international standards, e.g. IEC 61508 (up to SIL 3) and IEC 61511.

    IEC 61508 - basic standard

    IEC 61508 defines methods to achieve the functional safety of products. Compliance with it is verified by corresponding certificates. The standard is globally applicable, and serves as the basis for specifications and for the design and operation of Safety Instrumented Systems.

    IEC 61511 - application-specific standard for the process industry

    IEC 61511 adapts IEC 61508 to the process industry. It represents best practice for planning, implementing and operating Safety Instrumented Systems in process plants. An important requirement for complying with the standard is the need for documentation of all aspects of the complete lifecycle of the plant including changes and additions as part of the Functional Safety Management requirements.

    Safety Integrity Level (SIL)

    IEC 61508 and IEC 61511 define four different safety integrity levels (SIL 1-4). The SIL is a measure of the probability that a specific safety instrumented function (SIF) will operate successfully should a demand occur. A higher SIL level corresponds to a greater level of risk reduction. The use of certified safety components is helpful in ensuring each SIF meets its required SIL.


    Safety lifecycle management with support from highly qualified Solution Partners

    The safe way to a reliable plant: Safety lifecycle management

    IEC 61511 stipulates the proof of safety for the complete safety loop, covering the sensor, controller and actuator. Not only the individual products are considered, but the complete lifecycle of a plant covering risk analysis, planning, installation and operation up to taking out of operation.

    We provide you with support during the complete lifecycle of your Safety Instrumented System and offer a comprehensive range of products, systems and services:

    - Complete and uniform Safety Instrumented System: controller, engineering with the safety lifecycle tool "Safety Matrix", and fail-safe process instruments
    - Range of services for all lifecycle phases of a Safety Instrumented System including training, documentation and 24/7 round-the-clock servicing

    More information on this on the Internet at www.siemens.com/safety-services

    The right local support: Solution Partners

    In order to cope with the increasing demands in the safety engineering sector, Siemens Automation and Drives, in addition to its standard service & support, is increasingly including selected "Siemens Solution Partners Automation". These are highly qualified partner companies which offer you professional consulting and support for all relevant safety aspects. The PCS 7 safety specialists are certified Solution Partners for the Safety Integrated for Process Automation sector. They are acquainted with safety engineering in the process industry, and provide:

    - Know-how concerning the safety lifecycle of IEC 61511
    - Knowledge of safety engineering with S7 F Systems and SIMATIC Safety Matrix
    - Comprehensive experience in projects with safety applications in the process industry

    You can find more information on our partners on the Internet at: www.siemens.com/automation/solutionpartner

    The phases of the safety lifecycle

    [Figure labels: phases Analysis, Realization, Operation; Hazard and Risk Assessment; Allocation of Safety Functions to Protection Layers; Safety Requirements Specification (SRS) for the Safety Instrumented System (SIS); Design and Engineering of Safety Instrumented System (SIS); Design and Development of other means of Risk Reduction; Installation, Commissioning and Validation; Operation and Maintenance; Modification; Decommissioning; Management of Functional Safety and Functional Safety Assessment and Auditing; Safety Lifecycle Structure and Planning; Verification]


    Simple control system integration / variable fieldbus communication with integrated safety

    Simple integration into control system

    Our innovative Safety Instrumented System can be connected to any digital control system (DCS) when using SIMATIC S7-400FH, SIMATIC ET 200M, ET 200S, ET 200pro and ET 200eco as well as SITRANS P. The facility for integration in our innovative SIMATIC PCS 7 process control system is unique in this context. This combination provides shorter engineering times, a better operating performance, savings in the stocking of spare parts, and lower total maintenance costs.

    Common interfacing using proven standards

    The proven PROFIBUS DP and PROFIBUS PA fieldbus technology is used when connecting standard and safety-related I/O modules and devices. Safety-related and standard communication use the same bus medium. This also applies to the interfacing of fail-safe pressure transmitters, for example the SITRANS P DS III to PROFIBUS PA with PROFIsafe according to SIL 2 (proven in use).

    Safety Integrated fieldbus technology with PROFIsafe enables certified, safety-related communication between controllers, distributed safety I/O and safety-related process instruments. Redundancy or ring structures at all levels of fieldbus communication allow maximum availability.

    Advantages at a glance

    - One engineering system for process control and process safety applications
    - SIMATIC S7-400FH, one common controller platform for SIMATIC PCS 7 and process safety
    - Direct and seamless communication between DCS and SIS
    - Automatic integration of various safety-related alarms and messages with time stamping


    Flexible and scalable fault-tolerance / efficient safety lifecycle engineering

    Well thought-out concept for higher availability

    The Flexible Modular Redundancy offered by Siemens is an innovative concept for implementing scalable, cost-effective solutions. Multiple fault-tolerance levels can then be implemented exactly where they are required for the respective application.

    Significantly simpler engineering throughout the complete safety lifecycle

    The standard and safety programs are generated in the proven SIMATIC Manager with or without SIMATIC PCS 7. This reduces training requirements in addition to engineering costs. You design the safety section of the program using the Continuous Function Chart (CFC) or the SIMATIC Safety Matrix, the innovative and convenient tool for safety lifecycle engineering and management. To this end, you use TÜV-certified function blocks from the library in S7 F Systems.

    The SIMATIC Safety Matrix uses the Cause&Effect method to significantly reduce the overhead for engineering, commissioning and maintenance with automatic compatibility with IEC 61511.

    Advantages at a glance

    Flexible Modular Redundancy (FMR)
    - I/O and field device redundancy independent of CPU redundancy
    - No time-limited safety operation in event of component failure (degraded mode)
    - Selection of redundancy matching the Safety Instrumented Function (SIF)
    - Safety not bound to redundancy

    SIMATIC Safety Matrix
    - Configuration of safety functions using the proven Cause&Effect methodology
    - Automatic generation of safety logic in CFC
    - User-friendly display of the Safety Matrix on the user interface of SIMATIC PCS 7
    - Simple tracking of modifications
    - Integrated functions for commissioning and maintenance (safety lifecycle)


    Safety Integrated for process automation - the comprehensive range of products and services

    The Safety Instrumented System from Siemens comprises safe controllers, safe bus systems and I/O as well as the safe instrumentation, for example for pressure measurements.

    With Safety Integrated, we can offer first-class, comprehensive and uniform solutions for the process and production industries on this basis, and combine these with excellent services for all life phases of a Safety Instrumented System.

    On the basis of our complete range and decades of experience, we can implement first-class automation solutions for process safety. Our comprehensive offering includes:

    - Emergency and process shutdown systems (ESD/PSD) according to IEC 61511, S84
    - Burner management systems (BMS) according to EN 298, NFPA 85
    - Fire and gas applications (F&G) according to EN 54, NFPA 72


    Range of products for the process industry

    SIMATIC S7-400FH: Fail-safe, fault-tolerant controllers with a redundant or non-redundant design (up to SIL 3) for the bottom, mid and top performance ranges

    SIMATIC S7-300F: Controller with a non-redundant design (up to SIL 3) for implementing standard and safety-related automation tasks in the bottom and mid performance ranges

    PROFIBUS with PROFIsafe: For standard and safety-related communication on just one bus cable, certified according to IEC 61508 (SIL 3)

    SIMATIC ET 200:
    - ET 200M: Modular I/O system for high channel count applications with safety-related signal modules: digital input and output modules as well as analog input modules (up to SIL 3); IP20 degree of protection
    - ET 200S: Bit-modular I/O with safety-related digital input and output modules as well as safety-related motor starters (up to SIL 3); IP20 degree of protection
    - ET 200pro: Modular, very compact I/O with safety-related digital input and output modules (SIL 2/SIL 3), F-switch for switch-off of standard I/O and control of motor switches; IP65/66/67 degree of protection
    - ET 200eco: Digital block I/O with safety-related inputs (SIL 2/SIL 3); IP65/67 degree of protection

    Process instruments/process devices:
    - Safe process instruments/devices on PROFIBUS PA: SITRANS P DS III (SIL 2) pressure transmitters on PROFIBUS PA with PROFIsafe (proven in use SIL 2)
    - Safe process instruments/devices for connection to ET 200M remote I/Os: Pointek CLS 200/300 analog (SIL 2), Pointek ULS 200 (SIL 1), SITRANS P DS III analog/HART (SIL 2), SITRANS TW series (SIL 1), SIPART PS2, 2/4-wire (SIL 2)

    Engineering: Engineering of safety functions using Continuous Function Chart (CFC) or SIMATIC Safety Matrix (Cause&Effect matrix) and TÜV-certified function blocks (up to SIL 3)

    Applications:
    - Partial Stroke Test: Predefined function blocks and faceplates for online valve test to enable preventive valve diagnostics without affecting production
    - Burner libraries: Libraries for SIMATIC S7-400FH and S7-300F controllers with TÜV-certified function blocks for burner management systems


    Integrated control & safety

    SIMATIC PCS 7 - complete integration of the Safety Instrumented System

    Safety Integrated for Process Automation from Siemens allows the best possible integration of the Safety Instrumented System into the process control system. With this common integration, the basic process control system (BPCS) and the Safety Instrumented System are based on common hardware.

    The resulting reduction in required space, scope of hardware and wiring, as well as assembly, installation and engineering overheads results in significant cost savings for the complete lifecycle of the plant.

    Thanks to the innovative concept of Safety Integrated, all other integration levels can also be covered.

    A distinction is basically made between the following three integration levels:

    - Interfaced: The BPCS and the Safety Instrumented System are based on different hardware, and are connected together by a gateway for data exchange. The two systems use separate engineering tools.
    - Integrated: The BPCS and the Safety Instrumented System are implemented in separate hardware, but have a uniform communication system and use a common engineering tool.
    - Common: The BPCS and the Safety Instrumented System are combined in the process control system. They use common hardware (controller, fieldbus, I/O). Standard and safety-related programs are executed in parallel and independent of each other.

    The modularity and flexibility of Safety Integrated permit individual definition of the degree of integration. For example, you can decide yourself whether you wish to execute the basic process control system functions and the safety functions in one controller (automation system) or in separate controllers.

    Integration levels of the Safety Instrumented System in the process control system

    Many advantages of Safety Integrated are already available when the system is integrated into any open process control system using standardized communication over PROFIBUS. These include:

    - Processing of standard and safety functions in one S7-400H controller
    - Standard communication and safety-related communication between controller and distributed I/O over PROFIBUS and PROFIsafe instead of a separate safety bus
    - Mixed operation of standard and safety-related I/O modules in remote I/O stations of the ET 200M and ET 200S systems

    However, the maximum potential of Safety Integrated can only be utilized through the unique combination with the universal SIMATIC PCS 7 process control system from Siemens. You then profit from further advantages such as:

    - One engineering system for basic process control system and safety-related applications
    - Homogenous integration of the safety technology into the automation system of SIMATIC PCS 7
    - Integration of the safety-related applications into the convenient process visualization on the SIMATIC PCS 7 operator station
    - Automatic integration of safety-related alarm, event and diagnostic messages in the process visualization, with time stamping

    [Figure: BPCS and SIS with engineering system (ES) and operator system (OS) at the three integration levels: Interfaced (with gateway), Integrated, Common]


    Basic process control system and Safety Instrumented System combined in the SIMATIC PCS 7 process control system

    - Uniform data management for basic process control system and safety-related automation, including process visualization and diagnostics, therefore no complex data management between BPCS and SIS
    - Integration of safety-related hardware into the SIMATIC PCS 7 asset management for diagnostics and preventive maintenance

    The safety system usually communicates over the plant bus (with client/server systems also over a terminal bus if necessary) with systems and tools for engineering, process control, plant management, diagnostics and maintenance. In the case of modern, open process control systems, the plant and terminal buses are usually industry-compatible Ethernet LANs.

    In the GUI of these systems and tools, the Safety Integrated System is represented by operator-accessible faceplates.

    The Safety Integrated System is integrated into the plant bus using rugged Ethernet interface modules in the controllers and Industrial Ethernet Switches such as ESM, OSM or SCALANCE X as suitable for the bus medium used.

    The SIMATIC PCS 7 plant bus based on Industrial Ethernet according to the IEEE 802.3 standard is often designed as an optical ring for noise immunity and availability reasons. It can also be configured as a redundant optical ring if very high availability demands exist, and this tolerates double faults such as the failure of a switch on Ring 1 and a simultaneous open-circuit in the bus cable of Ring 2.

    The terminal bus of SIMATIC PCS 7 can also be distributed between two redundant rings which are connected together using two pairs of SCALANCE X switches with "standby redundancy".

    [Figure labels: Engineering system; Operator system; Maintenance station; Standard; High-availability; Fail-safe, fault-tolerant and high-availability; ET 200S; Standard/safety-related; redundant/non-redundant; TÜV]


    Safety Integrated fieldbus technology

    Uniform field communication with flexible PROFIBUS architectures

    PROFIBUS transmission systems

    Distributed peripherals such as remote I/O stations with their I/O modules, transmitters, drives, valves or operator terminals communicate with the controllers at field level through a powerful real-time bus system. This communication is characterized by

    - cyclic transmission of process data, and
    - acyclic transmission of alarms, parameters and diagnostics data.

    PROFIBUS is well equipped for these tasks because it enables high-speed communication with the intelligent distributed I/Os by means of a communications protocol (PROFIBUS DP) as well as communication and simultaneous power supply for transmitters and actuators (PROFIBUS PA). PROFIBUS is simple, rugged and reliable, can be expanded online by further distributed components, and can be used in both standard environments and hazardous areas.

    In addition, it offers versatile facilities for communication and line diagnostics, as well as for diagnostics of the intelligent field devices connected. Furthermore, it is fully integrated into the global asset management of the SIMATIC PCS 7 process control system.

    PROFIBUS supports the coexistence of field devices from different vendors in one segment (interoperability) as well as the vendor-independent replacement of devices from within a profile family.

    In addition to all these properties, the following PROFIBUS functions are particularly relevant to process automation:

    - Integration of previously installed HART devices
    - Redundancy
    - Safety-related communication with PROFIsafe up to SIL 3 according to IEC 61508
    - Time synchronization
    - Time stamping

    The PROFIBUS PA fieldbus developed for direct linking of sensors and actuators is integrated into the PROFIBUS DP over a redundant or non-redundant router. Using a non-redundant router, a PROFIBUS PA of line or tree topology can be implemented on a redundant or non-redundant PROFIBUS DP. Higher availability is achieved by the redundant router in combination with a line or ring topology. A configuration with a redundant router and ring topology is able to tolerate single faults such as the failure of a DP/PA coupler or an open-circuit in the bus cable.

    [Figure labels: Automation system; Industrial Ethernet; PROFIBUS DP (RS 485); PROFIBUS DP (RS 485-iS); PROFIBUS PA (MBP); OLM; Long distances with fiber-optic; RS 485-iS coupler; Ex isolation + repeater; DP/PA link]


    PROFIsafe - safety-related PROFIBUS communication

    The PROFIsafe profile is implemented as an additional software layer within the devices/systems without modifying the communication mechanisms of the standard PROFIBUS. PROFIsafe expands the telegrams by additional information with which the PROFIsafe communications partners can recognize and compensate transmission errors such as delays, incorrect sequences, repetitions, losses, faulty addressing or data falsification. The fault detection measures listed in the table are carried out and checked for this purpose in every communications partner.

    PROFIsafe communication complies with the standards and safety requirements up to SIL 3.

    Further information

    For detailed information on PROFIBUS and PROFIsafe, look on the Internet at www.siemens.com/profibus or in the brochure: "PROFIBUS - The perfect fit for the process industry" at www.siemens.com/simatic/docu

    [Figure: in each communications partner, safety-related data passes through the PROFIsafe layer and standard data does not; both use the standard bus protocol]

    Standard and safety-related data are transmitted over the same bus line with PROFIsafe. Collision-free communication is possible over a bus system with media-independent network components.

    PROFIsafe fault detection measures of communications partners

    Measures (table columns): Consecutive number; Time expectation with acknowledgment; Identification of transmitter and receiver; Data security CRC

    Error                                                                    Check marks in row
    Repetition                                                               ✓
    Loss                                                                     ✓ ✓
    Insertion                                                                ✓ ✓ ✓
    Incorrect sequence                                                       ✓
    Data falsification                                                       ✓
    Delay                                                                    ✓
    Coupling of safety-related messages and standard messages (masquerade)   ✓ ✓ ✓
    FIFO faults                                                              ✓
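The four measures named above (consecutive number, time expectation, identification of transmitter and receiver, CRC), sketched as a simplified receiving-side safety layer. This is an added example, not Siemens code and not the PROFIsafe telegram format: the frame layout, field widths, verdict names, sample addresses and the use of zlib's CRC-32 are all assumptions made for illustration.

```python
import struct
import zlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    src: int        # identification of the transmitter
    dst: int        # identification of the receiver
    seq: int        # consecutive number
    payload: bytes  # safety-related process data
    crc: int        # data security check over all fields above


def crc_of(src: int, dst: int, seq: int, payload: bytes) -> int:
    """CRC over addresses, consecutive number and payload.

    zlib's CRC-32 is an assumption made for this example.
    """
    return zlib.crc32(struct.pack(">HHI", src, dst, seq) + payload)


def make_frame(src: int, dst: int, seq: int, payload: bytes) -> Frame:
    return Frame(src, dst, seq, payload, crc_of(src, dst, seq, payload))


class Receiver:
    """Receiving partner: runs every check on every frame, latches on a fault."""

    def __init__(self, own_addr: int, peer_addr: int, timeout_ms: int):
        self.own_addr = own_addr
        self.peer_addr = peer_addr
        self.timeout_ms = timeout_ms
        self.expected_seq = 1
        self.last_ok_ms = 0
        self.safe_state = False

    def _fault(self, reason: str) -> str:
        self.safe_state = True  # outputs stay in the safe state from here on
        return reason

    def poll(self, now_ms: int) -> str:
        """Cyclic watchdog check; catches a partner that has gone silent."""
        if self.safe_state:
            return "SAFE_STATE"
        if now_ms - self.last_ok_ms > self.timeout_ms:
            return self._fault("TIMEOUT")
        return "WAITING"

    def receive(self, f: Frame, now_ms: int) -> str:
        if self.safe_state:
            return "SAFE_STATE"
        if f.crc != crc_of(f.src, f.dst, f.seq, f.payload):
            return self._fault("CRC")          # data falsification
        if (f.src, f.dst) != (self.peer_addr, self.own_addr):
            return self._fault("ADDRESS")      # faulty addressing, insertion
        if f.seq == self.expected_seq - 1:
            return self._fault("REPETITION")   # same frame delivered twice
        if f.seq != self.expected_seq:
            return self._fault("SEQUENCE")     # loss or incorrect sequence
        if now_ms - self.last_ok_ms > self.timeout_ms:
            return self._fault("TIMEOUT")      # valid frame, but too late
        self.expected_seq += 1
        self.last_ok_ms = now_ms
        return "OK"


def run_scenarios() -> dict:
    src, dst, timeout_ms = 0x0010, 0x0020, 100  # constructed sample values

    def fresh() -> Receiver:
        rx = Receiver(own_addr=dst, peer_addr=src, timeout_ms=timeout_ms)
        rx.receive(make_frame(src, dst, 1, b"\x01"), 50)  # frame 1 accepted
        return rx

    f2 = make_frame(src, dst, 2, b"\x01")
    latched = fresh()
    latched.receive(replace(f2, payload=b"\x00"), 100)  # trip it once
    return {
        "normal": fresh().receive(f2, 100),
        "repetition": fresh().receive(make_frame(src, dst, 1, b"\x01"), 100),
        "loss": fresh().receive(make_frame(src, dst, 3, b"\x01"), 150),
        "silence": fresh().poll(300),
        "falsification": fresh().receive(replace(f2, payload=b"\x00"), 100),
        "wrong_address": fresh().receive(make_frame(0x0011, dst, 2, b"\x01"), 100),
        "delay": fresh().receive(f2, 300),
        "after_fault": latched.receive(f2, 110),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:14s} {verdict}")
```

Which check reports a given error here follows from the order of the checks in this sketch, not from the profile's own allocation of measures to errors.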


    Flexible Modular Redundancy

    Cost-optimized safety through flexible and scalable fault tolerance

    An exceptional feature of Safety Integrated is the Flexible Modular Redundancy (FMR). Depending on the automation task and safety requirements, this allows the configuring engineer to individually define the degree of redundancy for the individual architecture levels comprising controller, fieldbus and I/O, and to match it to the field instrumentation. Each component within a level can be provided with a redundant configuration, and also physically separated. All components also meet the requirements of safety integrity level SIL 3.

    You can then implement individual, fault-tolerant architectures exactly tailored to the individual tasks which can tolerate several simultaneously occurring faults. As shown in the example of a plant with ET 200M distributed I/O system, the totality of the tasks can result in a mixture of different degrees of redundancy within an architecture level (1oo1, 1oo2, 2oo3).

    Modeling of the reliability has shown that Flexible Modular Redundancy from Siemens provides higher availability levels than conventional redundant architectures with a uniform double or triple structure. Since FMR only provides redundancy where it is actually required, comparatively more attractive and cost-effective safety applications are possible than with conventional redundancy architectures.

    [Figure: Flexible Modular Redundancy shown by an example of a safety-related, fault-tolerant plant configuration. Labels: 1oo1 LS; 2oo3 PT; Triple; Simplex; 1oo2 Flow; Dual; S7-400FH controller]


    Configuration versions with FMR

    A general distinction is made between two configuration versions covering all architecture levels of a safety-related system based on Safety Integrated:

    - Single-channel, non-redundant configuration
    - Redundant, high-availability and fault-tolerant configuration

    The two configuration versions are extremely flexible, and offer a wide design scope with respect to different customer-specific requirements. You can combine standard and safety functions not only in the I/O area; at the controller level, too, you can combine or separate standard control and safety. The full range of flexibility and scalability is possible with the Flexible Modular Redundancy concept of Siemens.

    At the individual architecture levels (controller, fieldbus, I/O) you will have the configuration alternatives shown in the figure and in the following table depending on the I/O used (remote ET 200M and ET 200S I/O stations or PROFIBUS PA devices according to profile 3.0).

    [Figure: Configuration versions for safety-related systems shown by example of SIMATIC PCS 7 with S7-400H controllers. Labels: single-channel, non-redundant configuration (AS 412F/AS 414F/AS 417F); redundant, high-availability and fault-tolerant configuration (AS 412FH/AS 414FH/AS 417FH); distributed I/O; direct fieldbus interfacing; distributed I/O and direct fieldbus interfacing; PROFIBUS DP; PROFIBUS PA; ET 200M; ET 200S; F-modules; standard modules; F- and standard modules; DP/PA Link; DP/PA Link with redundant DP/PA couplers; Y-Link; active field splitter; active field distributors; module or channel redundancy over several separate stations; Flexible Modular Redundancy at module or device level]


    Overview of configuration versions

    Single-channel, non-redundant configuration

    - Controller: single-channel, equipped with one CPU
    - Fieldbus
      - Distributed I/O (remote I/Os): individual, single-channel PROFIBUS DP segment with PROFIsafe
      - Direct fieldbus interfacing (PA devices): an individual, single-channel PROFIBUS PA segment is connected to a single-channel PROFIBUS DP segment over a simple router; PROFIsafe is included
    - Process I/O
      - Distributed I/O (remote I/Os): remote ET 200M and ET 200S I/O stations equipped uniformly with standard or F-modules, as well as those with a mixed configuration on a PROFIBUS DP segment
      - Direct fieldbus interfacing (PA devices): individual sensors/actuators on a PROFIBUS PA segment with a line or tree topology

    Redundant and fault-tolerant configuration

    - Controller: high-availability and fault-tolerant, equipped with two redundant CPUs
    - Fieldbus
      - Distributed I/O (remote I/Os)
        - Two redundant PROFIBUS DP segments with PROFIsafe
        - Two redundant PROFIBUS DP segments are reduced by a Y-Link to a single-channel PROFIBUS DP segment; PROFIsafe is included
      - Direct fieldbus interfacing (PA devices)
        - An individual, single-channel PROFIBUS PA segment (line/tree) is connected to two redundant PROFIBUS DP segments over a single router; PROFIsafe is included; can be used up to Zone 0 or 1
        - An individual, single-channel PROFIBUS PA segment (line) is connected to two redundant PROFIBUS DP segments with an Active Field Splitter (AFS); PROFIsafe is included. Automatic switching over of PROFIBUS PA segment to the respectively active coupler of the redundant router per AFS; can be used up to Ex Zone 2
        - A PROFIBUS PA ring is connected to two redundant PROFIBUS DP segments over a redundant router; PROFIsafe is included; can be used up to Ex Zone 2
    - Process I/O
      - Distributed I/O (remote I/Os)
        - Remote ET 200M I/O stations equipped uniformly with standard or F-modules and those with a mixed configuration together on two redundant PROFIBUS segments
        - FMR is possible at the module or channel level using several, separate remote I/O stations
        - Remote ET 200S I/O stations equipped uniformly with standard or F-modules and those with a mixed configuration on two redundant PROFIBUS segments via a Y-Link
      - Direct fieldbus interfacing (PA devices)
        - Individual sensors/actuators on a PROFIBUS PA segment with a line or tree topology
        - FMR possible through grouping of individual devices in different PROFIBUS PA segments
        - Individual sensors/actuators are integrated in a PROFIBUS PA ring with automatic bus termination over up to 8 AFDs with 4 short-circuit-proof spur line connections
        - FMR possible through grouping of individual devices on different AFDs


    SIMATIC controller for safety-related process applications

    Safety-related SIMATIC controllers are used for critical applications in which an incident can result in danger to persons, plant damage or environmental damage. Working together with the safety-related F-modules of the ET 200 distributed I/O systems or directly via fail-safe transmitters connected via the fieldbus, they detect faults both in the process and their own internal faults and automatically set the plant to a safe state in the event of a fault.

    The SIMATIC S7-412FH, S7-414FH and S7-417FH controllers are ideal for implementing safety-related process automation applications. These are capable of multitasking, which means several programs can be executed simultaneously in a CPU, whether BPCS (standard) or safety-related applications. The programs run without affecting one another, which means faults in BPCS applications have no effect on safety-related applications and vice versa. Special tasks with very short response times can also be implemented.

    SIMATIC S7-300F controllers can also be used for smaller process safety applications, e.g. burner controls. These controllers are otherwise primarily used in safety-related controls in factory automation.

    All controllers referred to are TÜV-certified and comply with the safety integrity levels up to SIL 3 according to IEC 61508; they are able to process BPCS and safety functions in parallel in one CPU. Mutual interference during processing is prevented by ensuring that the BPCS programs and the safety-related programs are kept strictly separate and that the data exchange takes place via special conversion function blocks. The safety functions are executed twice in different processor sections of one CPU through redundant, multi-channel command processing. Potential errors are detected by the system during the subsequent comparison of results.

    Safety programs being executed on different controllers of a plant can also carry out safety-related communication with each other over the Industrial Ethernet plant bus. Possible communications partners are the S7-400FH and S7-300F controllers presented below.


    S7-400FH and S7-300F controllers

    S7-412FH, S7-414FH and S7-417FH controllers

    The S7-412FH, S7-414FH and S7-417FH controllers are based on the hardware of the S7-400H controllers, which is extended by the safety functions in the S7 F Systems software package. Single-channel (only one CPU) or fault-tolerant (two redundant CPUs) operation is possible depending on the configuration.

    In the context of SIMATIC PCS 7, you can obtain the controllers as preassembled and tested automation systems. These product bundles usually include components such as racks, CPU, power supply, main memory, memory card and Industrial Ethernet interface.

    They are available in two configuration versions with the following product names:

    - AS 412F, AS 414F or AS 417F as single station with one CPU, safety-related
    - AS 412FH, AS 414FH or AS 417FH as redundant station with two redundant CPUs, safety-related and fault-tolerant

    The redundant FH systems working according to the 1-out-of-2 principle comprise two subsystems of identical design. To achieve optimum EMC, these are electrically isolated from one another, and are synchronized over fiber-optic cables. In the event of a fault, there is a bumpless switchover from the active subsystem to the backup subsystem. The two subsystems can be present in the same rack, or spatially separated by up to 10 km. Spatial separation provides additional safety gains in the case of extreme effects in the local environment of the active subsystem, e.g. due to fire.

    The redundancy of the FH systems only serves to increase availability. It is not relevant to processing of the safety functions or the fault detection associated with this.

    More information on the Internet: www.siemens.com/fh-cpu

    SIMATIC S7-300F controller

    The SIMATIC S7-300F controllers have a very rugged and compact design. They are only offered in a single-channel version with one CPU. Fault-tolerant controllers with redundant CPUs are not available in this series.

    Combining the two CPU types S7-315F and S7-317F with different fieldbus interfaces (DP or PN/DP) results in a product range with four controllers which is rounded off at the top by the currently most powerful controller S7-319F-3 PN/DP:

    - S7-315F-2 DP
    - S7-315F-2 PN/DP
    - S7-317F-2 DP
    - S7-317F-2 PN/DP
    - S7-319F-3 PN/DP

    Controllers with S7-315F-2 DP or S7-317F-2 DP CPUs are exclusively designed for fieldbus communication using PROFIBUS DP.

    Controllers with S7-315F-2 PN/DP, S7-317F-2 PN/DP or S7-319F-3 PN/DP CPUs additionally support the PROFINET standard, which has already become established in factory automation.

    You can expand the S7-300F CPUs centrally using the safety-related F-modules of the ET 200M I/O system. Distributed expansion is possible with remote I/O stations and safety-related F-modules of the ET 200M, ET 200S, ET 200pro and ET 200eco I/O systems.

    More information on the Internet: www.siemens.com/f-cpu


    Versatile, distributed I/O systems

    The distributed I/O systems of the Safety Integrated System can be differentiated as follows:

    - Modular ET 200M distributed I/O system with IP20 degree of protection (prime range of remote I/Os for process automation with SIMATIC PCS 7)
    - Bit-modular ET 200S distributed I/O system with IP20 degree of protection
    - Modular ET 200pro distributed I/O system with IP65/66/67 degree of protection
      - Multifunctional through versatile module spectrum, partially with safety engineering
      - Very compact, robust design with "standing wiring", supports hot swapping
    - Cost-effective ET 200eco digital block I/O in IP65/67 degree of protection
      - Digital I/O modules, also with safety-related inputs
      - Hot plug-in electronic block replaceable without interrupting power supply and communication

    The safety functions of the SIMATIC controllers are perfectly matched to the safety-related F-modules of these I/O systems.

    Any ET 200 station can be configured rapidly and simply using the SIMATIC Selection Tool. The tool is familiar with the configuration rules and supports users in the selection of all components and associated accessories in interactive mode.

    The SIMATIC Selection Tool and comprehensive information on all ET 200 distributed I/O systems are available on the Internet at www.siemens.com/et200

    The ET 200M and ET 200S distributed I/O systems described in the following are especially relevant for the implementation of safety applications in the process industry.

    | Safety-related, distributed I/O systems | ET 200M | ET 200S |
    |---|---|---|
    | Device characteristics | | |
    | For use in hazardous areas | Zones 2 and 22; connected sensors/actuators also in Zones 1 and 21 | Zones 2 and 22 (without motor starter) |
    | Redundancy | PROFIBUS interface; module channel (modules in separate stations) | No |
    | Online modification functions | Addition of station; addition of I/O modules; programming | Addition of station |
    | Max. number of I/O modules | 12 | 63 |
    | Mixing of standard and F-modules | Station-by-station on the PROFIBUS as well as within a station | Station-by-station on the PROFIBUS as well as within a station |
    | Time stamp functionality | Yes | No |
    | F-modules | | |
    | DI | 12/24 x DC 24 V, 4/8 x NAMUR [EEx ib] | 4/8 x 24 V DC |
    | DO | 10 x DC 24 V/2 A, 8 x DC 24 V/2 A | 4 x 24 V DC/2 A |
    | AI | 3/6 x 4 ... 20 mA, 13 bits + sign; 3/6 x 0 ... 20 mA or 4 ... 20 mA HART, 15 bits + sign | -- |
    | Motor starters | -- | F-DS1e-x, F-RS1e-x |
    | PROFIBUS | | |
    | Interface module | IM 153-2 HF | IM 151-1 HF |
    | Order No. stem | 6ES7 153-2BA. | 6ES7 151-1BA. |


    ET 200M

    Design of ET 200M with isolating module

    MTA terminal modules

    ET 200M configuration

    An ET 200M station can accommodate up to 12 I/O modules of S7-300 design. Hot swapping is permissible when using active bus modules.

    The following safety-related F-modules can be used in applications up to SIL 3 and can be mixed with standard modules without restrictions in a station without an isolating module:

    - SM 326 F-DI 24 x DC 24 V (6ES7 326-1BK02-.)
    - SM 326 F-DO 10 x DC 24 V, 2 A (6ES7 326-2BF10-.)
    - SM 326 F-DO 8 x DC 24 V, 2 A (6ES7 326-2BF41-.)
    - SM 336 F-AI HART 6 x 0/4 ... 20 mA (6ES7 336-4GE00-.)

    If an SM 326 F-DI NAMUR is used in SIL 3 applications, an isolating module is always required for mixed designs with standard modules.

    For SIL 3 applications with other F-modules, an isolating module is also required under the following conditions:

    - Operation of F-modules as central I/O of S7-300F controllers
    - Design of PROFIBUS DP with copper cables
    - Design of PROFIBUS DP with fiber-optic cables and joint operation of the F and standard modules in an ET 200M station

    The isolating module protects F-modules against possible overvoltages in the event of a fault. It is to be arranged to the left in front of the F-modules in each case. With an active backplane bus that supports module replacement during operation, it must be plugged onto a special isolation bus module.

    MTA terminal modules

    Field devices, sensors and actuators can be connected simply, rapidly and reliably to I/O modules of the ET 200M remote I/O stations using MTA terminal modules (Marshalled Termination Assemblies). MTA versions are available for standard I/O modules as well as for redundant and safety-related I/O modules.

    [Figure labels, ET 200M with isolating module: F-modules; ET 200 rack; only for SIL 3 operation, SIL 2 also possible without isolating module; isolating bus submodule for active backplane bus; isolating module for isolation of standard and F-modules; PROFIBUS copper connection; PROFIBUS copper connection or fiber-optic cable; IM 153-2]

    [Figure labels, MTA terminal modules: preassembled cable with front connector; ET 200M redundant; ET 200M single; MTA]


    ET 200S

    ET 200S configuration

    With an ET 200S station, up to 63 I/O modules (power modules, electronics modules, motor starters and expansion modules) can be inserted between the interface module and the terminating module. Further configuration limits are the width of up to 2 m, the max. address range of 244 bytes for input data and the same for output data, as well as the limiting of parameters to a maximum of 244 bytes per station.

    Power modules are suitable for configuring the I/O modules in potential groups. A power module together with its following I/O modules constitutes a potential group in each case, whose scope is limited by the current carrying capacity of the power module (up to 10 A depending on the type). The power module handles the monitoring and also, depending on the version, the fusing of the power supply for this potential group.

    The first power module must be positioned directly following the interface module.

    Which power module (PM) is used in each case depends on the application and the I/O modules used in it. The power modules listed in the table are relevant to safety-related applications.

    Triggered by a switch-off signal, safety-related ET 200S motor starters can be selectively switched off by a series-connected PM-D F PROFIsafe power module. In addition to a circuit-breaker/contactor combination, the ET 200S motor starters have a safe electronic evaluation circuit for fault detection. If the contactor to be switched in the case of an emergency stop fails, the evaluation electronics detect a fault and safely deactivate the circuit-breaker in the motor starter.

    [Figure labels, ET 200S configuration: IM 151 High Feature; PM-E power module; PM-E F power module; PM-D F PROFIsafe; fail-safe motor starter; SIL 3; SIL 2; SIL 3]

    | Power module | Use | Achievable safety (AK/SIL) | Appropriate I/O modules |
    |---|---|---|---|
    | PM-E F pm DC 24 V PROFIsafe (pm for earth-free loads; ground and earth separated); PM-E F pp DC 24 V PROFIsafe (pp for grounded loads; ground and earth connected together) | Safe shutdown of subsequent standard DO modules DC 24 V | AK4/SIL 2 | All non-safety-related standard electronics modules DC 24 V |
    | PM-E DC 24 V; PM-E DC 24 ... 48 V/AC 24 ... 230 V | Supply of F-DI modules and F-DO modules | AK4/SIL 2; AK6/SIL 3 1) | All electronics modules (safety-related and standard modules) in the respective voltage range |
    | PM-D F DC 24 PROFIsafe | Safe shutdown of F-motor starters | AK6/SIL 3 | Safety-related (F) motor starters F-DS1e-x and F-RS1e-x with or without Brake Control xB1 and xB2 expansion modules |
    | | | AK4/SIL 2 | Safety-related (F) motor starters F-DS1e-x and F-RS1e-x with or without Brake Control xB3 and xB4 expansion modules |

    1) Only AK4/SIL 2 can be achieved when mixing standard and F modules within a potential group.


    Process I/O for ET 200M

    F-AI HART analog input module for ET 200M (6 x 0/4 ... 20 mA)

    The F-signal modules of ET 200M (DI/DO/AI) can be used for diagnostics of both internal and external faults. They carry out self-tests, e.g. for short-circuit or open-circuit, and automatically monitor the discrepancy time defined in the parameter settings.

    Depending on the version, the input modules support 1oo1 and 1oo2 evaluation on the module. Further evaluations, e.g. 2oo3 evaluation for analog inputs, are carried out by the CPU.

    The digital output modules enable safe disconnection through a second disconnect path in the event of a faulty output.

    SM 336 F-AI HART analog input module

    The safety-related SM 336 F-AI HART analog input module has 6 inputs for current measurements in the range from 0 to 20 mA or 4 to 20 mA, all of which are designed for SIL level 3. In SIL 3 applications, the module can also be used without an isolating module. The compact overall width of 40 mm enables a space and cost saving design with a high packing density for F-modules.

    The SM 336 F-AI HART is also suitable for HART communication with HART field devices in the measuring range from 4 to 20 mA. HART communication can be activated and switched off in a safety-related manner in online mode.

    Digital output module SM 326 F-DO

    The safety-related digital output module SM 326 F-DO with 10 outputs DC 24 V, 2 A and parameterizable redundancy extends the spectrum of the compact F-modules with an overall width of 40 mm. The module can be used in SIL 3 applications without an isolating module and features short response times. It supports the following functions:

    - Channel-selective passivation
    - Parameterization of a substitute value in the event of a fault, e.g. "Last valid value"
    - Energized-to-trip diagnostics

    Function examples

    The function examples "F Systems: Wiring and Voting Architectures for ET 200M F-AI" and "F Systems: Wiring and Voting Architectures for ET 200M F-DI and F-DO" show different possibilities for reading in, evaluating and outputting safety-related signals. See www.siemens.com/process-functional-examples

    Safe process instruments and process devices for connection to ET200 remote I/Os:

    Siemens currently offers the following safe process instruments/devices for operation on ET 200M remote I/Os:

    | Process instrument/process device | Safety Integrity Level (SIL) |
    |---|---|
    | Pressure measurement | |
    | SITRANS P DS III analog/HART | SIL 2 |
    | Temperature measurement | |
    | SITRANS TW series | SIL 1 |
    | Level measurement | |
    | Pointek CLS 200 analog | SIL 2 |
    | Pointek CLS 300 analog | SIL 2 |
    | Pointek ULS 200 | SIL 1 |
    | Position control | |
    | SIPART PS2, two-wire version | SIL 2 |
    | SIPART PS2, four-wire version | SIL 2 |

    Detailed information, technical specifications and ordering data on these devices are available on the Internet at: www.siemens.com/processinstrumentation


    Direct device interfacing via fieldbus with high safety and availability

    Example of previously standard safety-related and fault-tolerant PROFIBUS PA configurations

    For plant areas up to hazardous Zone 2, redundant routers together with a PROFIBUS PA of ring topology permit cheaper, safety-related and fault-tolerant applications than the previous standard architectures (see figure on left).

    The PROFIBUS PA of ring topology is connected to two redundant PROFIBUS segments of an S7-400FH controller via the redundant router. Each of the maximum 8 Active Field Distributors (AFD) in this PROFIBUS PA ring with automatic bus termination has 4 short-circuit-proof spur lines for connection to devices.

    Safety-related and fault-tolerant architecture based on a PROFIBUS PA ring topology

    As shown in the figure on the right, safety-related and fault-tolerant applications can be implemented with relatively low device and cable requirements. The configuration of the ring can also be changed during runtime. The ring can even be opened briefly to integrate a further AFD without production failures. The diagnostics integrated in the redundant router and the AFDs expand the existing possibilities for communication and cable diagnostics, and make fault locating easier in the event of an open-circuit.

    The concept of Flexible Modular Redundancy is thus implemented down to the field level.

    [Figure labels for the two configurations, in the order shown: 2oo3, 1oo2, 1oo2; PROFIBUS; S7-400FH controller; DP/PA Link; PROFIBUS DP; 2oo3; 1oo2; AFD, AFD, AFD; S7-400FH controller; DP/PA Link with redundant DP/PA couplers]


    Safe field instrumentation on the PROFIBUS PA

    PROFIBUS PA devices for implementation of safety shutdowns

    The SITRANS P DSIII digital pressure transmitter is the first commercially available PROFIBUS PA device for SIL 2 safety shutdowns conforming to IEC 61508/IEC 61511-1. To this end, Siemens has extended its standard measuring equipment for pressure, absolute pressure and differential pressure by a PROFIsafe driver.

    In a safety application, the pressure transmitter can be connected to an FH controller from the SIMATIC S7-400 series over PROFIBUS PA and PROFIsafe. Advantages such as direct communication links and power supply to intrinsically-safe devices, increased information contents and integrity of measured-value transmission are then combined with each other. The digital input of the electropneumatic PROFIBUS PA positioner SIPART PS2 PA can be used for the safe shutdown. With a redundant, multi-channel design, measuring circuits can also be implemented up to safety integrity level SIL 3.

    The SIMATIC PDM Process Device Manager is used to initially start up the SITRANS P DSIII pressure transmitter as a regular PROFIBUS PA device. You subsequently activate the PROFIsafe functions.

    SITRANS P DSIII PROFIsafe pressure transmitter

    The device description (DD) required for this device, the safety manual as well as additional information are available on the Internet at: www.siemens.com/sitransp


    Safety lifecycle management

    Analysis phase

    Safety Instrumented Function (SIF) in the SIS

    The safety lifecycle is divided into three phases according to IEC 61511: analysis, realization and operation/maintenance.

    Safety lifecycle management always commences with an examination of the process concept, the functional safety management plan and the historical record in order to determine known or potential safety risks.

    In a second step, the results are subjected to a risk analysis. The objective is to filter out the non-tolerable risks, to rate the probability for the occurrence of a hazard, and to estimate the possible consequences. Various methods are available to this end, e.g.:

    - HAZOP
    - Hazard tree analysis
    - Checklists
    - FMEA (Failure Modes and Effects Analysis)

    Various tools available on the market effectively support risk analysis through automation of the described procedures.

    The result of the risk analysis is documented in the safety requirements specification. This specification forms the basis for the subsequent plant planning and can be displayed as a Cause&Effect matrix.

    The probability of a safety-relevant event and its effects can be reduced by appropriate protection measures (LOPA, Layer of Protection).

    A possible protective measure is the use of a Safety Instrumented System (SIS). The SIS is an independent safety system comprising components ranging from the sensor through the controller to the final element. It is suitable for the following purposes:

    - Shutdown: a process or plant is automatically driven to a safe state when a predefined condition is violated.
    - Tolerance: under defined conditions, the plant can still be operated safely.
    - Reduction: possible consequences of a safety event are minimized and thus limited.

    The achievable risk reduction factor increases with the SIL level.

    [Figure labels: Safety Instrumented System (SIS); Basic Process Control System (BPCS); Reactor; Inputs; Outputs]

    | Safety Integrity Level | Probability of failure on demand (PFD) per year 1) | Risk Reduction Factor |
    |---|---|---|
    | SIL 4 | ≥ 10⁻⁵ to < 10⁻⁴ | 10 000 to 100 000 |
    | SIL 3 | ≥ 10⁻⁴ to < 10⁻³ | 1 000 to 10 000 |
    | SIL 2 | ≥ 10⁻³ to < 10⁻² | 100 to 1 000 |
    | SIL 1 | ≥ 10⁻² to < 10⁻¹ | 10 to 100 |

    1) Low demand mode of operation


    Realization phase

    The realization phase is characterized by selection of the technology and architecture, definition of the proof test interval, the design and installation of the SIS, as well as commissioning.

    Siemens provides the F-block library in S7 F Systems and the SIMATIC Safety Matrix for configuration and programming of the S7-400FH controllers.

    S7 F Systems with F-block library and Safety Matrix

    The S7 F Systems engineering tool permits parameterization of the S7-400FH systems and the safety-related F-modules from the ET 200 series.

    It supports configuration by means of functions for:

    - Comparison of safety-related F-programs
    - Recognition of changes in the F-program using the checksum
    - Separation of safety-related and standard functions

    Access to the F-functions can be password-protected. The F-block library integrated in S7 F Systems contains predefined function blocks for generation of safety-related applications with the CFC or the SIMATIC Safety Matrix based on it. The certified F-blocks are extremely robust and intercept programming errors such as division by zero or out-of-range values. They remove the need to carry out diverse programming tasks for detecting and reacting to errors.

    Engineering of safety-related applications using CFC

    SIMATIC Safety Matrix

    The SIMATIC Safety Matrix, which can be used in addition to the CFC, is an innovative safety lifecycle tool from Siemens which can be used for convenient configuration of safety applications and also for their operation and servicing. Based on the proven principle of a Cause&Effect matrix, the tool is highly suitable for processes where defined statuses require specific safety reactions.

    Safety Matrix: assignment of specific reactions (effects) to occurring events (causes)

    With the SIMATIC Safety Matrix, programming of the safety logic is not only significantly simpler and more convenient, but also much faster than in the conventional manner. During the risk analysis of a plant, the configuration engineer can assign specific reactions (effects) to events (causes) which may occur during a process.

    The possible process events (inputs) are initially entered in the horizontal rows of a matrix table comparable to a spreadsheet, and then their type and quantity, logic operations, any delays and interlocks as well as any tolerable faults are configured. The reactions (outputs) to a particular event are then defined in the vertical columns.

    The events and reactions are linked by simply clicking the cell at the intersection point of row and column. Using this procedure, the Safety Matrix automatically generates complex, safety-related CFC programs. Configuration engineers require no special programming knowledge, and can concentrate fully on the safety requirements of their plants.
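
    The Cause&Effect principle described above, as an added example (not Siemens code and not what the Safety Matrix generates): causes are rows with N-out-of-M voting and an optional delay, effects are columns, and marked intersections link them. The tag names, limits, class names and the treatment of a faulted channel as a trip vote are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Values = Dict[str, Optional[float]]   # tag -> reading; None = channel fault


@dataclass
class Cause:
    """One matrix row: a group of inputs, a per-channel trip condition and N-out-of-M voting."""
    name: str
    inputs: List[str]
    tripped: Callable[[float], bool]
    votes_needed: int              # N; M is len(inputs)
    delay_s: float = 0.0           # condition must persist this long before the cause is active
    _since: Optional[float] = None

    def evaluate(self, values: Values, now: float) -> bool:
        # Assumption: a faulted or missing channel votes for the trip (safe direction).
        votes = sum(1 for tag in self.inputs
                    if values.get(tag) is None or self.tripped(values[tag]))
        if votes < self.votes_needed:
            self._since = None
            return False
        if self._since is None:
            self._since = now
        return now - self._since >= self.delay_s


@dataclass
class SafetyMatrix:
    causes: List[Cause]
    effects: List[str]
    links: Set[Tuple[str, str]]    # marked intersections: (cause name, effect name)

    def __post_init__(self) -> None:
        rows = {c.name for c in self.causes}
        for cause, effect in self.links:
            if cause not in rows or effect not in self.effects:
                raise ValueError(f"intersection refers to unknown row/column: {cause!r}/{effect!r}")
        for c in self.causes:
            if not 1 <= c.votes_needed <= len(c.inputs):
                raise ValueError(f"{c.name}: invalid voting {c.votes_needed}oo{len(c.inputs)}")

    def scan(self, values: Values, now: float) -> Dict[str, bool]:
        """Evaluate every cause once, then derive each effect from its linked causes."""
        active = {c.name for c in self.causes if c.evaluate(values, now)}
        return {e: any((c, e) in self.links for c in active) for e in self.effects}


def build_reactor_matrix() -> SafetyMatrix:
    # Constructed example plant: tags and limits are illustrative only.
    causes = [
        Cause("High pressure", ["PT1", "PT2", "PT3"], lambda bar: bar > 12.0, votes_needed=2),
        Cause("Low flow", ["FT1", "FT2"], lambda m3h: m3h < 5.0, votes_needed=1, delay_s=2.0),
        Cause("High level", ["LS1"], lambda sw: sw >= 1.0, votes_needed=1),
    ]
    effects = ["Close feed valve", "Open vent valve", "Stop pump"]
    links = {
        ("High pressure", "Close feed valve"), ("High pressure", "Open vent valve"),
        ("Low flow", "Stop pump"),
        ("High level", "Close feed valve"), ("High level", "Stop pump"),
    }
    return SafetyMatrix(causes, effects, links)


def run_demo() -> List[Dict[str, bool]]:
    """Four scans: normal, one PT high + low flow, a second PT faulted, low-flow delay elapsed."""
    matrix = build_reactor_matrix()
    normal = {"PT1": 10.0, "PT2": 10.0, "PT3": 10.0, "FT1": 8.0, "FT2": 8.0, "LS1": 0.0}
    one_pt_high_flow_low = dict(normal, PT1=13.0, FT1=3.0)
    pt_fault_added = dict(one_pt_high_flow_low, PT2=None)
    return [
        matrix.scan(normal, now=0.0),
        matrix.scan(one_pt_high_flow_low, now=1.0),
        matrix.scan(pt_fault_added, now=2.0),
        matrix.scan(pt_fault_added, now=3.0),
    ]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

    A single high pressure reading does not trip the 2oo3 row; the faulted second channel supplies the second vote, and the low-flow row only becomes active once its condition has persisted for the configured delay.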


    Input window for configuration of analog "causes" with process valuepreprocessing

    Each input value can be combined with a preprocessing func-tion if necessary without having sacrifice the simulation op-

    tion. The preprocessing function is freely configurable.

    In addition to the alarms derived from the process value,alarms can also be generated and diagnostic informationcan be provided for each individual cause and effect. Prioritiesand response behavior can be defined in different profiles.The color scheme for the alarms and messages can be adaptedto customer or country specific requirements. The alarm man-agement is supported by collective alarms, alarm prioritiza-tion and individually adjustable acknowledgement.

    Advantages of the Safety Matrix in the realization phase

    Simple programming using Cause&Effect method

    No programming knowledge required

    Preprocessing of input values

    Alarm generation and provision of diagnostic information for each individual cause and effect incl. tag labeling

    Prealarm for analog values

    Free color selection for alarms and messages

    Automatic generation of CFCs including driver blocks

    Automatic version tracking

    Integral tracking of changes

    1-to-1 printout of Cause&Effect matrix

    Operation and maintenance phase

    Documentation of changes with the Safety Matrix

    The third and final phase of the safety lifecycle comprises operation, maintenance and modification of the safety application as well as plant decommissioning.

    With the SIMATIC Safety Matrix Viewer on the SIMATIC PCS 7 Operator Station, the safety application can be operated and observed simply and intuitively during operation.

    The operator has direct access to the relevant data via the viewer. The signal status is displayed online in the Cause&Effect matrix.

    In addition to the complete display of the matrix, a cause or effect specific display can also be generated, from which the user can easily switch back to the complete matrix or to the alarm display.

    Safety Matrix Viewer on a SIMATIC PCS 7 operator station

    Tag display in online mode with process value, simulation value and active value

    The viewer enables the operator to display and save first-up alarm messages as well as record safety-relevant events. Changes in parameters are supported, as are bypass, reset and override functions. The process value, simulation value and active value are always indicated on the tag display.

    Safety lifecycle management functions for version management and for documentation of operator interventions and program modifications effectively supplement the configuration, operation and servicing functions of the SIMATIC Safety Matrix and also the safety lifecycle management.

    Advantages of the Safety Matrix in the operation phase

    Complete integration in SIMATIC PCS 7

    Cause&Effect-dependent matrix and alarm display

    Tag display in the alarm

    Sequence of event display and saving

    First-up alarm display and saving

    Integral operating functions such as bypass, reset, override and parameter modification

    Automatic saving of operator interventions for the safety lifecycle management

    Automatic version tracking

    Automatic documentation of modifications

    Application examples

    Partial Stroke Test (PST)

    Configuration example for the Partial Stroke Test

    In order to guarantee that emergency shutdown (ESD) valves of a Safety Instrumented Function (SIF) also operate fault-free when a safety event occurs, their perfect functioning must be regularly checked.

    With a plant shutdown, this can be carried out using a Full Stroke Test. However, since the valve is completely closed during this procedure, the test method cannot usually be used during process operation.

    The Partial Stroke Test is an excellent alternative in this case. During this test, the valve motion is checked by partially opening or closing it without stopping the process. The valve stroke is usually 10 to 15%. The length of the partial stroke depends on the process conditions and the required degree of coverage of the diagnostics function.

    By means of Partial Stroke Tests, the time interval between the required Full Stroke Tests can be extended without changing the SIL. When carrying out these tests regularly (e.g. 4 times a year), the interval between two Full Stroke Tests can be extended from one year to two.

    The Safety Instrumented System from Siemens already contains preconfigured function blocks for automatic execution of the Partial Stroke Test at the defined test intervals. These provide operator alarms and feedbacks on the valve function, and apply PFD calculations (Probability of Failure on Demand) to determine the time of the next Full Stroke Test.

    Ready-to-use faceplates are available for visualization on the operator system. These permit a fast overview of the valve status. They display the PST parameters as well as the status of the last Partial Stroke Test, and provide information on further planned tests.

    [Figure labels: SIS controller with safety application, F-DO, DP/PA coupler, solenoid valve, air supply, SIPART PS2 valve positioner with setpoint for and feedback of valve position, pneumatic shutdown valve, Safety Instrumented Function]

    Partial Stroke Test extends the test interval for the Full Stroke Test from one to two years

    Function blocks

    F_PST carries out the Partial Stroke Test

    PST provides the alarms and events for the operator station

    Option: F_SOLENOID tests the solenoid valve

    Option: PST_CALC calculates the time of the next Full Stroke Test

    Faceplate for the SIMATIC PCS 7 operator system

    [Figure: PFD(t) over time, without PST and with PST (4 x year), showing PFDavg and the proof test interval. Proof test annually = SIL 2; proof test every 2 years = SIL 2]
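A worked calculation of the interval extension described in this section, as an added example that is not Siemens' PST_CALC block: it uses the common simplified approximation PFDavg ≈ λ_DU · T / 2 for a single valve, split by the share of dangerous undetected failures a partial stroke can reveal. The failure rate and the 60 % partial stroke coverage are constructed values, not figures from the brochure; common cause failures, test duration and imperfect proof tests are ignored.

```python
HOURS_PER_YEAR = 8760.0


def pfd_avg(lambda_du, fst_interval_h, pst_interval_h=None, pst_coverage=0.0):
    """Average PFD of one valve (1oo1), simplified: PFDavg ~ lambda_DU * T / 2.

    Failures a partial stroke can reveal (share `pst_coverage`) stay hidden for
    at most one PST interval; the rest stay hidden until the next full stroke test.
    """
    if not 0.0 <= pst_coverage <= 1.0:
        raise ValueError("pst_coverage must be between 0 and 1")
    if pst_interval_h is None:            # no partial stroke testing at all
        pst_interval_h, pst_coverage = fst_interval_h, 0.0
    revealed_by_pst = pst_coverage * lambda_du * pst_interval_h / 2
    revealed_by_fst = (1 - pst_coverage) * lambda_du * fst_interval_h / 2
    return revealed_by_pst + revealed_by_fst


def sil_from_pfd(pfd):
    """SIL band for low-demand mode per IEC 61508 (0 = below SIL 1)."""
    if pfd >= 1e-1:
        return 0
    for sil in (1, 2, 3):
        if pfd >= 10.0 ** -(sil + 1):
            return sil
    return 4


def min_pst_coverage(old_fst_h, new_fst_h, pst_interval_h):
    """PST coverage needed so that a longer FST interval does not raise PFDavg.

    From  c*T_pst/2 + (1-c)*T_new/2 = T_old/2  solved for c.
    """
    if not pst_interval_h < old_fst_h <= new_fst_h:
        raise ValueError("expected pst_interval < old_fst <= new_fst")
    return (new_fst_h - old_fst_h) / (new_fst_h - pst_interval_h)


def max_fst_interval(lambda_du, pfd_target, pst_interval_h, pst_coverage):
    """Longest full stroke test interval (hours) that keeps PFDavg <= pfd_target."""
    if not 0.0 <= pst_coverage < 1.0:
        raise ValueError("pst_coverage must be in [0, 1)")
    budget = pfd_target - pst_coverage * lambda_du * pst_interval_h / 2
    return max(0.0, 2 * budget / ((1 - pst_coverage) * lambda_du))


if __name__ == "__main__":
    LAMBDA_DU = 1.5e-6                    # constructed: dangerous undetected failures per hour
    COVERAGE = 0.6                        # constructed: share of them a partial stroke reveals
    annual = pfd_avg(LAMBDA_DU, HOURS_PER_YEAR)
    with_pst = pfd_avg(LAMBDA_DU, 2 * HOURS_PER_YEAR, HOURS_PER_YEAR / 4, COVERAGE)
    print(f"FST yearly, no PST      : {annual:.3e} -> SIL {sil_from_pfd(annual)}")
    print(f"FST 2-yearly, PST 4x/yr : {with_pst:.3e} -> SIL {sil_from_pfd(with_pst)}")
    need = min_pst_coverage(HOURS_PER_YEAR, 2 * HOURS_PER_YEAR, HOURS_PER_YEAR / 4)
    print(f"coverage needed to break even: {need:.1%}")
    limit = max_fst_interval(LAMBDA_DU, annual, HOURS_PER_YEAR / 4, COVERAGE)
    print(f"next FST due after at most {limit / HOURS_PER_YEAR:.2f} years")
```

With these constructed values the two-year interval only preserves the original PFDavg because the partial stroke coverage exceeds the break-even value of 4/7; below that, the extension raises PFDavg even if it stays inside the SIL 2 band.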

    Advantages of the Partial Stroke solution from Siemens

    Online valve test without interfering with production

    Test covering different types of failure

    Preventive diagnostics

    More flexible tests and longer test intervals

    Minimization of duration for bypassing the ESD valve or for process shutdown

    Lower failure probability of valve when required

    Feedbacks concerning Full Stroke Tests required to retain the SIL

    Applications for protection against excess pressure, fire and gas as well as for burner management

    High Integrity Pressure Protection System (HIPPS)

    The High Integrity Pressure Protection System is the specific application of a Safety Instrumented System (SIS) for protection against overpressure. It can be used as an alternative to pressure reducers according to API 521 and ASME code 2211, Section VIII, Paragraphs 1 and 2.

    On the basis of the Safety Integrated Systems, Siemens has developed complex HIPPS solutions for various applications in cooperation with solution providers: www.siemens.com/process-safety

    Burner Management Systems

    Burner Management Systems (BMS) are defined according to EN 298 and NFPA 85 (2001) as "Control systems for safe combustion, for supporting operating personnel when starting up and shutting down fuel conditioning and firing plants, and for preventing malfunctions and damage on these plants".

    Their wide range extends from very small systems for boilers with single burners up to very large systems for power plant boilers.

    Siemens offers burner libraries as well as complete solutions with TÜV-certified function blocks for the SIMATIC S7-400FH and S7-300F controller platforms.

    Example of a control cabinet configuration

    Fire and gas

    Systems for protection against fire and gas play an important role in the total protection concept of industrial plants for exploitation, processing and transportation of petroleum, petrochemicals or dangerous gases.

    They must reliably detect and signal fires and/or gas leakages, even under adverse conditions such as failure of the main power supply. To reduce subsequent damage, they are also partially able to automatically initiate appropriate countermeasures such as firefighting or drawing out of a gas. The Safety Integrated System is certified for this in line with the required safety standards EN 54 and NFPA 72.

    Reference projects

    References in oil & gas and chemical industries

    Whether during power generation, oil and gas exploitation, in refineries, in the chemical, petrochemical or pharmaceutical industries: on the basis of our sound know-how and comprehensive experience, we have already implemented a large number of turnkey process safety solutions. These have proven themselves in everyday use worldwide.

    Energy:

    Afam gas purification plant of the Shell Petroleum Development Company (SPDC) Nigeria

    SPDC has installed a gas conditioning plant to guarantee the quality of gas supply to an existing state-owned 270 MW power station, subject to a sale & purchase agreement with SPDC, and to an SPDC new-build 650 MW power station due on stream in mid-2007.

    SPDC Nigeria chose the integrated, fault-tolerant and redundant safety and process control system PCS 7 for the 190 mmscf/d gas conditioning plant. The system controls all emergency shutdowns as well as the fire detection system and gas leak detection system and has to comply strictly with safety standards.

    The solution

    Process control system SIMATIC PCS 7 with SIMATIC Safety Integrated

    Fault-tolerant and highly available SIMATIC S7-400FH controller with two CPUs of type 417-4H connected via fiber optic cables, as well as communication processors for the connection with PROFIBUS and Ethernet

    Via two IM 153-2 High Feature interface modules, distributed I/Os of the ET 200M I/O system are connected to PROFIBUS: seven I/O lines for measuring field signals from the Safety Instrumented System, Fire and Gas as well as from the common process automation

    Safety engineering and Safety Lifecycle Management via SIMATIC Safety Matrix

    Footprint-optimized and cost-effective system architecture thanks to Flexible Modular Redundancy

    Especially important was the application of the SIMATIC Safety Matrix. This efficient engineering tool simplifies the design and implementation of the safety-relevant application. Furthermore, it supports important parts of the Safety Lifecycle of the system from design and realization through to the operation and maintenance phase.

    Afam gas purification plant of the Shell Petroleum Development Company (SPDC) Nigeria

    Oil and gas: Modernization of the NETG gas compressor station in Elten, Germany

    The safety requirements applicable to gas compressor stations which supply the required transport pressure for pipelines are very high. Special emphasis is placed on the safety circuits for temperature and pressure control here. The NETG (Nordrheinische Erdgastransportleitungsgesellschaft mbH & Co. KG) has selected the SIMATIC PCS 7 as the process control system for its gas compressor station in Elten, which conveys gas to E.ON-Gastransport and RWE-Transportnetz Gas.

    The SIMATIC PCS 7 monitors all relevant data: pressure, temperature and speed. The emergency shutdown and the fire and gas warning systems are integrated in the process control system. This enables uniform visualization of the complete process automation, including the safety-related parts.

    The solution

    SIMATIC PCS 7 process control system with SIMATIC Safety Integrated

    Fault-tolerant, highly available SIMATIC S7-400FH controllers

    Safety-related inputs and outputs via SIMATIC ET 200M

    PROFIBUS PA with PROFIsafe profile

    SIMATIC Process Device Manager (PDM) for system-wide parameterization, start-up, diagnostics and maintenance of intelligent field devices

    SITRANS P DS III measuring transducer with PROFIsafe, designed for SIL 2, SIL 3 realizable through redundant 2oo3 selection

    Bayer in Dormagen, Germany

    NETG, E.ON and RWE are very pleased with the results of the modernization. The expectations associated with integral safety technology are fully met and even exceeded. Enhanced monitoring functions and uniform visualization offer considerable advantages for the operation and safety of the system. The integrated asset management makes preventive maintenance considerably easier and more efficient. This fact is expressed in shorter downtimes and higher availability.

    Chemical industry: production of pesticides at Bayer in Dormagen, Germany

    In their new multipurpose plant in Dormagen, it was particularly important for Bayer Crop Science AG to achieve uniformity with SIMATIC PCS 7 from the field level up to the ERP level (SAP). Bayer decided in favor of a control system solution with integral safety technology for 35 process plants, 240 units and 4 500 measuring points.

    The solution

    SIMATIC PCS 7 process control system with SIMATIC Safety Integrated

    53 SIMATIC S7-400FH controllers

    1 000 safety-related inputs and outputs with SIMATIC ET 200M remote I/Os

    Plant configuration

    Safety Integrated results in a reduction in engineering costs over the complete lifecycle of the multipurpose plant. Thanks to its high degree of flexibility, production can be adapted to modified requirements significantly more simply and quickly. Maintenance and modification work has become much simpler as a result of the unit-specific assignment of the controllers (one controller per plant unit).

    Burner management at Aalborg Industries, Australia

    Oil and gas:

    Burner management at Aalborg Industries, Australia

    Floating production storage and offloading plants (FPSOs) can be used to extract oil or gas from remote deep-sea deposits. Converted crude oil tankers are usually operated for this purpose. These FPSO ships must comply with the strict regulations and safety standards of the offshore oil and gas industry. This holds especially true for critical FPSO components such as the boilers.

    Because burner management for the boilers is associated with great risks, it requires a high level of expertise. In addition, the physical prerequisites, the required availability and the applicable regulations make special demands on the system platform. This is one reason why the burner management specialist Aalborg Industries decided in favor of SIMATIC PCS 7 with S7-400FH controllers from Siemens.

    The solution

    SIMATIC PCS 7 process control system with SIMATIC Safety Integrated

    Fault-tolerant, highly available SIMATIC S7-400FH controllers

    Safety-related inputs and outputs via SIMATIC ET 200M

    PROFIBUS DP with PROFIsafe profile

    Plant configuration

    The burner management from Siemens is able to meet all requirements of Aalborg Industries. Under observance of the high safety integrity level 3, the safety technology is perfectly integrated in the SIMATIC PCS 7 process control system. Flexible Modular Redundancy offers the possibility of tailoring the level of redundancy to suit the needs of controllers, fieldbuses and I/Os.

    Overview of product and ordering data

    S7-400FH controllers

    SIMATIC S7-400FH controllers as AS bundles for SIMATIC PCS 7

    In the context of SIMATIC PCS 7, the SIMATIC S7-400FH controllers are available as completely assembled and tested AS bundles. By selecting preconfigured ordering units, you can define the configuration of the AS bundles and their order numbers in interactive mode.

    A configurator offered in the Industry Mall on the Internet (see www.siemens.com/industrymall) will support you effectively here. To help you select preferred configurations, these are additionally listed together with their complete order number.

    The ordering units of the AS bundles and the preferred configurations are also listed in the SIMATIC PCS 7 Catalog ST PCS 7. The ordering data of the individual components are listed in the Catalogs ST PCS 7 and ST 70. Both catalogs are available on the Internet at: www.siemens.com/simatic/printmaterial

    SIMATIC CPU S7-400H

    | AS types | AS 412F | AS 414F | AS 417F | AS 412FH | AS 414FH | AS 417FH |
    |---|---|---|---|---|---|---|
    | Redundancy | No, single station with 1 CPU | No, single station with 1 CPU | No, single station with 1 CPU | Yes, redundancy station with 2 CPUs (fault-tolerant) | Yes, redundancy station with 2 CPUs (fault-tolerant) | Yes, redundancy station with 2 CPUs (fault-tolerant) |
    | CPU | 1 x CPU 412-3H | 1 x CPU 414-4H | 1 x CPU 417-4H | 2 x CPU 412-3H | 2 x CPU 414-4H | 2 x CPU 417-4H |
    | S7 F systems RT license | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
    | Order No. stem, AS bundle | 6ES7 654- | 6ES7 654- | 6ES7 654- | 6ES7 656- | 6ES7 656- | 6ES7 656- |
    | Individual components | 7AB0./7BB0. | 7BF0./7CF0. | 7CN./7DN./7EN. | 7AB3./7BB3. | 7BF./7CF. | 7CN./7DN./7EN. |
    | Preassembled, tested | 8AB0./8BB0. | 8BF0./8CF0. | 8CN./8DN./8EN. | 8AB3./8BB3. | 8BF./8CF. | 8CN./8DN./8EN. |

    | CPU type | CPU 412-3H | CPU 414-4H | CPU 417-4H |
    |---|---|---|---|
    | Component of the AS bundle | AS 412F (1 x) / AS 412FH (2 x) | AS 414F (1 x) / AS 414FH (2 x) | AS 417F (1 x) / AS 417FH (2 x) |
    | Technical setup | S7-400 with distributed I/O | S7-400 with distributed I/O | S7-400 with distributed I/O |
    | Load memory, RAM (integrated / memory card) | 256 KB / up to 64 MB | 256 KB / up to 64 MB | 256 KB / up to 64 MB |
    | Main memory, total | 768 KB | 2.8 MB | 30 MB |
    | Main memory, for program | 512 KB | 1.4 MB | 15 MB |
    | Main memory, for data | 256 KB | 1.4 MB | 15 MB |
    | Execution time | 75 ns | 45 ns | 18 ns |
    | Number of F I/Os | Approx. 100 | Approx. 600 | Approx. 3 000 |
    | Bit memories | 8 KB | 8 KB | 16 KB |
    | Integrated interfaces, number and type | 1 (MPI/DP) | 2 (MPI/DP and DP) | 2 (MPI/DP and DP) |
    | Integrated interfaces, number of DP segments | 1 | 2 | 2 |
    | Dimensions (W x H x D) in mm | 50 x 290 x 219 | 50 x 290 x 219 | 50 x 290 x 219 |
    | Order No. stem | 6ES7 412-3HJ. | 6ES7 414-4HM. | 6ES7 417-4HT. |

    S7-300F controllers / software components

    SIMATIC S7-300F controller

    | CPU type | CPU 315F-2 DP | CPU 315F-2 PN/DP | CPU 317F-2 DP | CPU 317F-2 PN/DP | CPU 319F-3 PN/DP |
    |---|---|---|---|---|---|
    | Technical setup | S7-300 with distributed I/O or central, safety-related I/O | S7-300 with distributed I/O or central, safety-related I/O | S7-300 with distributed I/O or central, safety-related I/O | S7-300 with distributed I/O or central, safety-related I/O | S7-300 with distributed I/O or central, safety-related I/O |
    | Main memory | 384 KB | 512 KB | 1 MB | 1.5 MB | 2.5 MB |
    | Number of F I/Os | Approx. 300 | Approx. 300 | Approx. 500 | Approx. 500 | Approx. 1 000 |
    | Bit memories | 2 KB | 2 KB | 4 KB | 4 KB | 8 KB |
    | Fieldbus connection | PROFIBUS (DP) | PROFIBUS (DP), PROFINET (PN) | PROFIBUS (DP) | PROFIBUS (DP), PROFINET (PN) | PROFIBUS (DP), PROFINET (PN) |
    | Integrated interfaces, number and type | 2 (MPI and DP) | 2 (DP/MPI and PN) | 2 (DP/MPI and DP) | 2 (DP/MPI and PN) | 3 (DP/MPI, DP, PN) |
    | Integrated interfaces, number of DP segments | 1 | 1 | 2 | 1 | 2 |
    | Dimensions (W x H x D) in mm | 40 x 125 x 130 | 40 x 125 x 130 | 80 x 125 x 130 | 40 x 125 x 130 | 120 x 125 x 130 |
    | Order No. stem, standard version | 6ES7 315-6FF. | 6ES7 315-2FJ. | 6ES7 317-6FF. | 6ES7 317-2FK. | 6ES7 318-3FL. |
    | Order No. stem, SIPLUS version 1) | 6AG1 315-6FF. | 6AG1 315-2FH. 2) | 6AG1 317-6FF. | 6AG1 317-2FK. 3) | |

    1) As SIPLUS component also for extended temperature range -25 to +60 °C and corrosive atmosphere/condensation (www.siemens.com/siplus)

    2) based on the predecessor of the current standard version with 256 KB main memory

    3) based on the predecessor of the current standard version with 1 MB main memory

    Software components for engineering, runtime mode and safety lifecycle management

    | Name | Order No. stem |
    |---|---|
    | S7 F Systems / S7 F Systems upgrade | 6ES7 833-1CC02-. |
    | S7 F Systems RT license (part of the AS bundles) | 6ES7 833-1CC00-. |
    | Safety Matrix Tool | 6ES7 833-1SM0. |
    | Safety Matrix Editor | 6ES7 833-1SM4. |
    | Safety Matrix Viewer | 6ES7 833-1SM6. |
    | Partial Stroke Test function blocks and faceplates: Engineering license and RT license for one AS | 6BQ2 001-0CA. |
    | Partial Stroke Test function blocks and faceplates: RT license for a further AS | 6BQ2 001-0CB. |
    | Burner libraries, function blocks: For SIMATIC S7-400FH controllers | 9AL3 100-1AA1. |
    | Burner libraries, function blocks: For SIMATIC S7-300F controllers | 9AL3 100-1AD5. |

    ET 200M F signal modules

    MTA terminal modules

    F signal modules for ET 200M on S7-300F and S7-400FH

    Digital input Digital output Analog input

    Module types SM 326F SM 326F NAMUR [EEx ib] SM 326F SM 336F HART

    Max. number of inputs/outputs

    24 (1-channel for SIL 2 sensors), 12 (2-channel for SIL 3 sensors), electrically isolated in groups of 12

    8 (1-channel), 4 (2-channel), isolated by channel

    10, electrically isolated in groups of 5, P/P switching

    8, electrically isolated in groups of 4, P/M switching

    6 (1-channel), 3 (2-channel), 15 bits + sign, 2-wire or 4-wire connection

    Max. achievable safety class according to IEC 61508/EN 954-1

    1-channel/1oo1: SIL 2, 2-channel/2oo2: SIL 3 (SIL 3 without isolating module)

    1-channel/1oo1: SIL 2, 2-channel/1oo2: SIL 3

    SIL 3 (SIL 3 without isolating module)

    SIL 3 (SIL 3 without isolating module)

    SIL 3 (1-channel/1oo1 and 2-channel/1oo2) (SIL 3 without isolating module)

    Input or output voltage 24 V DC NAMUR 24 V DC 24 V DC

    Input or output current

    2 A per channel with "1" signal

    2 A per channel with "1" signal

    4 ... 20 mA or 0 ... 20 mA

    Short-circuit-proof sensor supply

    4 for 6 channels each, electrically isolated in groups of 2

    8 for each channel, individually isolated

    6 for 1 channel each

    Special features

    Support of 20 ms time stamping (SOE)

    Detection of signals from the Ex area

    "Keep last valid value" parameter, channel-selective passivation

    HART communication in measuring range 4 ... 20 mA

    Redundancy mode Channel-discrete Channel-discrete Channel-discrete Channel-discrete

    Module and channel diagnostics ✓ ✓ ✓ ✓ ✓

    Dimensions (W x H x D) in mm 80 x 125 x 120 80 x 125 x 120 40 x 125 x 120 80 x 125 x 120 40 x 125 x 120

    Order No. stem 6ES7 326-1BK02-. 6ES7 326-1RF. 6ES7 326-2BF10-. 6ES7 326-2BF41-. 6ES7 336-4GE.

    MTA terminal modules for the sensor/actuator connection to F modules of the ET 200M

    | MTA type | Input/output range | I/O redundancy | Order No.: MTA | Order No.: ET 200M module | Order No.: Connection cable |
    |---|---|---|---|---|---|
    | 6 channels F AI HART (safety-related) | 4 ... 20 mA (with/without HART) or 0 ... 20 mA (without HART) | ✓ | 6ES7 650-1AH61-. | 6ES7 336-4GE00-. | 6ES7 922 -3BD00-0AU. (3 m), -3BJ00-0AU. (8 m) |
    | 24 channels F DI (safety-related) | 24 V DC | ✓ | 6ES7 650-1AK11-. | 6ES7 326-1BK0. | 6ES7 922 -3BD00-0AS. (3 m), -3BJ00-0AS. (8 m) |
    | 10 channels F DO (safety-related) | 24 V DC, 2 A | ✓ | 6ES7 650-1AL11-. | 6ES7 326-2BF01-. (from E release 2 onwards) or 6ES7 326-2BF10-. | |
    | 10 channels F DO relays (safety-related) | AC 120 ... 230 V, 5 A; 24 V DC, 5 A | ✓ | 6ES7 650-1AM31-. | 6ES7 326-2BF01-. (from E release 2 onwards) or 6ES7 326-2BF10-. | |

    ET 200S distributed I/O system

    SIMATIC PCS 7 safety packages

    Power modules and safety-related electronics modules (F modules) for ET 200S on S7-300F and S7-400FH

    SIMATIC PCS 7 safety packages

    Power modules for electronics modules

    Module types PM-E

    Application All types of electronics module, including safety-related (4/8 F DI, 4 F DO);limitations through voltage range

    Supply voltage 24 V DC/10 A 24 48 V DC; 24 230 V AC; with fuse

    Diagnostics Load voltage Load voltage and fuse

    Order N