Restricted / © Siemens AG 2014. All Rights Reserved. siemens.com/answers
Process Safety Basics
Franz Handermann, Siemens
Siemens Process Automation Conference (SPACe) 2014, Gurgaon, India
Definition / Basic / Standards
Introduction - Basics from IEC 61511
International safety standards
IEC 61508 serves as the basic standard and the basis for safety standardization. It covers all areas where electrical, electronic or PLC systems are used to realize safety-related protection functions.
There are sector-specific standards based on IEC 61508, such as IEC 61511 for the process industry (IEC 61513 for the nuclear industry, IEC 62061 for machinery safety). These sector standards are important for planners and operators of the corresponding plants.
Introduction - Basics from IEC 61511
International safety standards
Process sector instrumented system standards split into process sector hardware and process sector software:
Process sector hardware
- Follow IEC 61511 using hardware developed and assessed according to IEC 61508
- Follow IEC 61511 using proven-in-use hardware devices
- Follow IEC 61508 when developing new hardware devices
Process sector software
- Follow IEC 61508-3 when developing embedded (system) software
- Follow IEC 61508-3 when developing application software using full variability languages
- Follow IEC 61511 when developing application software using limited variability languages or fixed programs
Introduction - Basics from IEC 61511
International safety standards
Process sector instrumented system standards:
• IEC 61511: safety instrumented systems designers, integrators and end users
• IEC 61508: manufacturers and suppliers of devices
Introduction - Basics from IEC 61511
• IEC 61511: safety instrumented systems designers, integrators and users
Bureau of Indian Standards (BIS)
The BIS is the national Standards Body of India working under the aegis of the Ministry of Consumer Affairs, Food & Public Distribution, Government of India.
• IS 61511
Aim of Process Safety
Objective of safety engineering
Aim: safe operation of plants and machines. Hazards caused by malfunctions must be prevented before they arise.
• Required reduction of the process risk, arising from process conditions caused by unusual events, to a tolerable level. Targets of the protection are: environment, personnel, machine, process.
Protection: a legal requirement. Protection: makes economic sense.
Safety Integrity Level, Standards
Definition in the standard:
Safety is the freedom from unacceptable risk of harm.
Risk is the product of the frequency of accidents and their consequences.
Basis of Hazard and Risk Assessment
C: consequence of failure
P: probability of harm occurrence
Actual risk = C x P < tolerable risk
What to do if the acceptance limit of risk is exceeded?
If the acceptance limit is exceeded, measures must be taken to reach or go below it: the necessary risk reduction.
Standards and rules describe measures to reduce risk to an accepted level.
Safety Integrity Level, Risk Reduction Requirement
Risk for a technical facility: risk without safety devices, acceptable risk, remaining risk.
Necessary risk reduction: from the risk without safety devices down to the acceptable risk.
Actual risk reduction: partial risk covered by safety measures (electrical safety system (SIS), mechanical safety system) plus partial risk covered by non-technical measures.
SIS… safety instrumented system
Safety concept for a plant
Protection layers, from normal operation outward:
- Normal activity: process control system (BPCS), basic automation, process value
- Process alarm: plant personnel intervenes
- Safety shutdown: safety instrumented system (SIS), automatic safety system (active protection)
- Overpressure valve, rupture disc (passive protection)
- Collection basin (disaster protection)
SIS… safety instrumented system
BPCS… basic process control system
Some thoughts about product liability
Causes of Major Incidents - Failure Analysis of Control Systems
Note: based on 34 investigated incidents in the UK. Source: Health and Safety Executive (GB), "Out of Control. Why control systems go wrong and how to prevent failure", HSE Books 1995.
- Specification: 44.1%
- Changes after startup: 20.6%
- Design & implementation: 14.7%
- Operation & maintenance: 14.7%
- Installation & commissioning: 5.9%
Some thoughts about product liability
Allocation of Failures to Plant Lifecycle
Plant lifecycle phases, each a source of failure root causes: analysis, specifications, design & implementation, installation & commissioning, operation & maintenance, changes after commissioning.
Safety lifecycle = competence of persons + technical requirements + safety management.
Required Safety Competence: Company Certification in the Solution Partner Program
Safety in the Process Industry
Process Safety Certifications
- Company certification: Solution Partner Program, certified PCS 7 SOP, PCS 7 Safety Specialist
- Personnel certification: Siemens Functional Safety Professional SFSP (SIS)
- Safety Community PA: knowledge exchange
SOP…Solution Partner
PA…Process Automation
SIS…Safety Instrumented System
The SIMATIC PCS 7 Solution Partner - PCS 7 Safety Specialist
Requirement: certified PCS 7 Solution Partner company; quality management / IEC 61511; trained employees (PCS 7 F-Technic workshops, Functional Safety workshops)
Certification: project evaluation; safety audit KPI
Re-certification
Result: PCS 7 Safety Specialist Company
The PCS 7 Safety Specialist Solution Partner Program
Workshops and Description
TÜV – Functional Safety in the Process Industry (WS FS 14 E 01), 2 days (with exam):
- Introduction to functional safety
- Accident cause and product liability
- Overview IEC 61508 / IEC 61511
- Functional safety management
- Safety lifecycle: risk analysis; allocation of safety functions to protection layers; safety requirement specifications; design and engineering of safety instrumented functions; installation and commissioning; operation and maintenance; modification (MOC) & decommissioning
IEC 61511 – Practical Use (WS PU 14 E 01), 2 days:
- Practical use of the IEC 61511
- Typical applications
- Safety lifecycle with its steps: hazard and risk assessment; allocation of safety functions to protection layers; safety requirements specification; design and engineering of safety instrumented function; SIF verification (SIL calculation)
PCS 7 Process Safety (WS PS 14 E 01), 3 days (with exam):
- Basics from IEC 61511
- LOPA (Layer of Protection Analysis)
- PFD (Probability of Failure on Demand), calculation of an SIF (Safety Instrumented Function)
- System architecture and diagnostics
- Overview about F-Hardware
- Parameters in HW configuration (safety mode, sensor evaluation, addressing, monitoring time, H-parameter)
- F-Library system functions
- F-Library user functions
- Wiring and voting
- Safety Matrix
- Calculate and adjust F-times using S7ftimeb.xls
PCS 7 Refresh – Focus F-Technic (WS REF 14 E 01), 2 days:
- Theoretical basics and practical exercises such as: multi-project; HW (fail safe) and net configuration; technical hierarchy; CFC, SFC, OS engineering
Quality Process Safety (WS QS 14 E 01), 1.5 days:
- Safety applications
- Update safety knowledge
Must workshops: TÜV Functional Safety, IEC 61511 Practical Use, PCS 7 Process Safety. Optional workshops: PCS 7 Refresh, Quality Process Safety.
Required Safety Competence: Personal Certification
Siemens Functional Safety Specialist for Process Automation: SFSP (SIS)
Safety project requirements of the market:
- Company certification: functional-safety-certified supplier / contractor; Siemens Solution Partner PCS 7 Safety Specialist
- Personnel certification: project management with a functional-safety-certified employee, the Siemens Functional Safety Professional SFSP (SIS), on the side of the Siemens employee, the system integrator and the end customer
- Functional Safety Management (FSM)
PA…Process Automation
Siemens Functional Safety Specialist: Process Automation
Employees' know-how: PCS 7 business knowledge skills, project & technical skills, experience skills.
Workshops: WS TÜV Functional Safety for Process Industry + exam / certification; WS PCS 7 Process Safety (F-Technology) + exam; WS IEC 61511 – Practical Use.
SFSP Certificate (Siemens Functional Safety Professional): 3 years experience in process safety, 2 project evaluations.
SFSE Certificate (Siemens Functional Safety Expert): 10 years experience, evaluation for SFSE.
Siemens Functional Safety Professional (SFSP)
http://www.tuev-sued.de/rail-en/training-for-automation-sector/functional-safety-certification-program-fscp/certified-people
Safety Management … FSM
Safety Integrity Level (SIL)
All measures have to be realized in order to achieve the required safety integrity.
- Determination of the required safety integrity level out of the hazard and risk analysis (e.g. HAZOP): SIL
- Required measures to achieve the demanded safety integrity: functional safety management, structured safety life-cycle, technical design measures (hard- and software)
Basics from IEC 61511 - Functional Safety Management (FSM)
Goal: provision of the organizational general framework for the required safety activities throughout the safety lifecycle.
Realization: the realization is made in two steps:
- Project-independent FSM: add-on to the existing quality management system regarding the needs of functional safety; determination of responsibilities; operating procedures; templates
- Project-specific FSM: planning and follow-up of the safety activities in the appropriate project; project safety manager; safety plan; verification and validation; independent assessment
Gaps in many companies due to personnel turnover, changes in the organization (mergers, acquisitions) etc.
Reference: IEC 61511-1, chapter 5, Management of functional safety
The IEC 61511 (ISA S84, IS 61511, DIN EN 61511, VDE 810,…) Safety Lifecycle
- Risk analysis and protection layer design (sub-clause 8)
- Allocation of safety functions to safety instrumented systems or other means of risk reduction (sub-clause 9)
- Safety requirements specification for the safety instrumented system (sub-clause 10)
- Design and development of the safety instrumented system (sub-clause 11); design and development of other means of risk reduction (sub-clause 9)
- Installation, commissioning and validation (sub-clause 14)
- Operation and maintenance (sub-clause 15)
- Modification (sub-clause 15.4)
- Decommissioning (sub-clause 16)
Running alongside all phases: management of functional safety and functional safety assessment (sub-clause 5); safety lifecycle structure and planning (sub-clause 6.2); verification (sub-clauses 7, 12.7).
Steps in the Analysis Phase
Process Hazard Analysis (PHA) / Consequence Analysis
• Safety standards require all processes to be evaluated for the inherent risk of a hazardous condition
Layer Of Protection Analysis
• When these risks are identified, various means of protection can be used in layers to mitigate these risks to an acceptable (tolerable) level
Safety Integrity Level (SIL) Selection
• A level of desired risk reduction can be assigned to each protection layer
Safety Requirements Specification
• Protection layers, safety functions, desired SIL, etc. must be documented in the Safety Requirements Specification
PHA Example: process example
PHA Example: pressure SIF (detail)
SIF… safety instrumented function
Safety Integrity Level
The safety integrity level (SIL) specifies the necessary risk reduction of safety instrumented functions (SIFs).
Safety Integrity Level | Probability of failure on demand (PFD), demand mode of operation | Risk reduction factor = 1/PFD
SIL 4 | >= 10^-5 to < 10^-4 | 100000 to 10000
SIL 3 | >= 10^-4 to < 10^-3 | 10000 to 1000
SIL 2 | >= 10^-3 to < 10^-2 | 1000 to 100
SIL 1 | >= 10^-2 to < 10^-1 | 100 to 10
Steps in the Realization Phase
Reliability and Safety Evaluation
• Select technology / architecture for sensors, logic, and final elements
• Determine test philosophy (e.g. proof test intervals)
• Evaluate the SIF to ensure it provides the desired level of risk reduction
SIS Detailed Design
SIS Installation / Commissioning
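The risk formula (actual risk = C x P must stay below the tolerable risk), the SIL table (risk reduction factor = 1/PFD) and the realization-phase steps (choose the architecture and proof-test interval, then evaluate the SIF) chain together into a SIL verification. The Python below is an added example, not code from the deck or from Siemens: it maps a constructed risk gap to a target SIL, then checks two candidate SIF designs with the simplified IEC 61508-6 low-demand approximations (1oo1: λDU·TI/2, 1oo2: (λDU·TI)²/3, 2oo3: (λDU·TI)²; common-cause factor and repair time neglected). The demand frequency, tolerable frequency, failure rates and the yearly proof-test interval are constructed sample values.

```python
"""Risk gap -> SIL target -> PFDavg check of a candidate SIF.

Added example, not code from the Siemens deck. The SIL bands are the deck's
table; the PFDavg formulas are the simplified IEC 61508-6 low-demand
approximations (common-cause factor and repair time neglected); all
frequencies and failure rates below are constructed sample values."""

# (SIL, PFD lower bound inclusive, PFD upper bound exclusive), demand mode
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def required_risk_reduction(unmitigated_frequency, tolerable_frequency):
    """Necessary risk reduction factor. Actual risk = C x P must end up below
    the tolerable risk; with the consequence C fixed, the ratio of the
    unmitigated event frequency to the tolerable frequency is the RRF the
    protection layers must deliver. 1.0 means the risk is already tolerable."""
    return max(1.0, unmitigated_frequency / tolerable_frequency)


def sil_for_pfd(pfd):
    """SIL band of a PFD value (demand mode). 0: no SIL claimable (PFD >= 0.1);
    None: below the SIL 4 floor, outside the table."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def required_sil(unmitigated_frequency, tolerable_frequency):
    """SIL a single SIF needs if it has to close the whole risk gap by itself
    (RRF = 1/PFD, so the target PFD is 1/RRF)."""
    rrf = required_risk_reduction(unmitigated_frequency, tolerable_frequency)
    return 0 if rrf == 1.0 else sil_for_pfd(1.0 / rrf)


def pfd_avg(architecture, lambda_du_per_hour, proof_test_interval_hours):
    """Simplified PFDavg of one subsystem built from identical channels with
    dangerous-undetected failure rate lambda_DU and proof-test interval TI."""
    x = lambda_du_per_hour * proof_test_interval_hours  # lambda_DU * TI
    if architecture == "1oo1":
        return x / 2
    if architecture == "1oo2":
        return x ** 2 / 3
    if architecture == "2oo3":
        return x ** 2
    raise ValueError(f"unknown architecture {architecture!r}")


def sif_pfd_avg(subsystems):
    """Sensor, logic solver and final element are in series: their PFDs add.
    subsystems: list of (architecture, lambda_DU per hour, TI in hours)."""
    return sum(pfd_avg(arch, lam, ti) for arch, lam, ti in subsystems)


def evaluate_sif(unmitigated_frequency, tolerable_frequency, subsystems):
    """The SIL verification step of the realization phase: does the designed
    SIF deliver the risk reduction the analysis phase demanded?"""
    rrf_required = required_risk_reduction(unmitigated_frequency, tolerable_frequency)
    pfd = sif_pfd_avg(subsystems)
    rrf_achieved = 1.0 / pfd
    return {
        "required_sil": required_sil(unmitigated_frequency, tolerable_frequency),
        "achieved_sil": sil_for_pfd(pfd),
        "pfd_avg": pfd,
        "rrf_required": rrf_required,
        "rrf_achieved": rrf_achieved,
        "meets_target": rrf_achieved >= rrf_required,
    }


# Constructed sample: an overpressure demand of 0.2 per year, tolerable 1e-4 per
# year, so the SIF must deliver an RRF of 2000 (target PFD 5e-4, i.e. SIL 3).
DEMAND_PER_YEAR = 0.2
TOLERABLE_PER_YEAR = 1e-4
TI_HOURS = 8760  # yearly proof test

# Design A: simplex transmitter, logic solver and valve (constructed lambda_DU values).
DESIGN_A = [("1oo1", 2e-7, TI_HOURS), ("1oo1", 1e-8, TI_HOURS), ("1oo1", 2e-6, TI_HOURS)]
# Design B: 2oo3 transmitters and 1oo2 valves; the valve's lambda_DU dominated design A.
DESIGN_B = [("2oo3", 2e-7, TI_HOURS), ("1oo1", 1e-8, TI_HOURS), ("1oo2", 2e-6, TI_HOURS)]

if __name__ == "__main__":
    for name, design in (("A", DESIGN_A), ("B", DESIGN_B)):
        result = evaluate_sif(DEMAND_PER_YEAR, TOLERABLE_PER_YEAR, design)
        print(name, {k: (f"{v:.3g}" if isinstance(v, float) else v) for k, v in result.items()})
```

Design A fails because the single valve's λDU dominates the sum; design B reaches SIL 3 mainly through the 1oo2 final element, the usual finding that the logic solver is rarely the weak link. The band lookup takes the deck's boundary convention literally (a PFD of exactly 10^-3 falls into SIL 2), so targets that land on a boundary should be read with that in mind.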
Steps in the Operation Phase
Operation / Maintenance Planning
• Establish procedures for operation and maintenance of the SIS, including periodic proof testing
• Must follow the manufacturer's installation and operation guidelines
Pre-startup Safety Assessment
• The user must verify that the system operates according to the Safety Requirements Specification
Operation
• Startup / operation
• Maintenance / periodic proof tests
• Bypass & override management
Modification
• The user must repeat the Safety Lifecycle steps when modifying the SIS
Decommissioning
Safety lifecycle acc. IEC 61511
Aim: avoidance of systematic failures during design, installation, commissioning, operation and decommissioning of safety-related functions.
Realization: structured safety process according to IEC 61511:
- Risk analysis (e.g. HAZOP): the "interface" of the process world into the automation world
- Allocation of safety functions to protection layers (SIL)
- Specification of the safety requirements (SRS)
- Design and engineering of the safety-related function
- Installation, commissioning and validation of the safety-related function
- Operation and maintenance
- Modification
- Decommissioning
Reference: IEC 61511-1, chapter 6
Project Stages and Responsibilities according to IEC 61511
The whole responsibility lies, in each project phase, with the EPC and the end-user.
Interdependence of purchaser, contractor, sub-contractor etc., particularly in international business.
Scope of supply, limit of supply and responsibilities have to be clearly defined.
Each phase in the safety lifecycle must be verified (verification after each phase; validation after installation and commissioning).
Phases: risk analysis and allocation of safety requirements; specification of safety requirements for each SIF; design and design verification for each SIF; installation, commissioning and validation; operation and maintenance (incl. proof tests); changes and decommissioning.
Parties involved across the phases: end-user, EPC, PCS supplier, installer.
Documents (1-6): 1 project safety plan; 2 verification and validation plan, functional safety assessment plan; 3 safety requirement specification; 4 engineering guideline; 5 functional design specification; 6 test plan.
Technical Requirements
Basics from IEC 61511 - Technical design measures
Goal:
• To increase the robustness against random (H/W only) and systematic failures
Realization:
• The realization is made in three steps:
- System & H/W architecture: redundancy requirements; structural requirements, e.g. 1 out of 2 sensors
- System reliability: requirements on the probability of failure / failure rate
- S/W development & implementation process: requirements for a structured V-cycle
Reference: IEC 61511-1, chapters 11 & 12
SIS … safety instrumented system
Different SIS Architectures
Safety PLCs use different architectures and strategies to achieve safety integrity.
Different SISs have different levels of inherent fault tolerance (availability or spurious trip rate).
Safety and availability are independent issues, not related.
Field device voting for safety is independent of device voting for availability.
Architectures
Safety mechanisms in the CPU (SIMATIC S7-400 F) - 1oo1D "extended"
Time redundancy and software diversity (instruction-diverse processing) instead of using two µPs (hardware redundancy):
- Logical program execution and data flow monitoring, diagnostics > 99%
- Bool and Word operations processed in different "Processing Units" (PU) of the SIEMENS ASIC
- 2 independent hardware timers
Principle: time redundancy over the operands A, B (Bool) and their diverse encoding /A, /B (Word); operation AND and diverse operation OR; result C and diverse result D = /C; comparison, and stop if D ≠ /C.
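The 1oo1D "extended" mechanism above replaces a second processor with a second pass in time over diversely encoded operands. The Python below is an added model of that idea, not Siemens firmware: pass 1 computes C = A AND B on plain words, pass 2 computes D = /A OR /B on complemented words, and D must equal /C. Two constructed fault hooks (a bit flip in one pass, a stuck-at-0 bit shared by both passes) show what the diversity buys compared with plain duplication. The word width, the fault hooks and the compare-then-stop reaction are assumptions of this model.

```python
"""Time redundancy with diverse operand encoding, modelled in software.

Added example, not Siemens code. It models the slide's sketch (operands A, B as
Bool, the same operands complemented as /A, /B; AND in one pass, OR in the
other; result C against diverse result D = /C; stop on mismatch). Assumptions
of this model: 16-bit words, the two passes run one after the other in the same
processor, and the fault hooks are constructed for demonstration."""

MASK = 0xFFFF  # width of one word


class SafetyStop(Exception):
    """The two passes disagree: the only safe reaction is to stop (safe state)."""


def plain_and(a, b):
    """Pass 1: the operation as programmed, on plainly encoded operands."""
    return a & b & MASK


def diverse_or_of_complements(a, b):
    """Pass 2: diverse encoding and diverse operation. The operands are held
    complemented (/A, /B) and combined with OR. By De Morgan,
    /A OR /B == /(A AND B), so a fault-free pass yields D == /C."""
    not_a = ~a & MASK
    not_b = ~b & MASK
    return (not_a | not_b) & MASK


def safe_and(a, b, flip_mask=0, stuck_at_zero=0):
    """AND with time redundancy and diversity. flip_mask: bits XORed into the
    pass-1 result (a transient error in one pass). stuck_at_zero: bits forced
    to 0 in both results (a permanent fault in a resource both passes share).
    Returns C, or raises SafetyStop when D != /C."""
    c = plain_and(a, b) ^ flip_mask            # pass 1, optionally corrupted
    d = diverse_or_of_complements(a, b)        # pass 2, later in time
    c &= ~stuck_at_zero & MASK                 # common-mode fault hits both ...
    d &= ~stuck_at_zero & MASK                 # ... but the encodings differ
    if d != (~c & MASK):
        raise SafetyStop(f"C={c:#06x} D={d:#06x} /C={~c & MASK:#06x}")
    return c


def duplicated_and(a, b, stuck_at_zero=0):
    """For comparison: two passes in the *same* encoding (no diversity). A
    stuck-at fault in a shared resource corrupts both copies identically, so
    the comparison passes and the wrong value is used."""
    c1 = plain_and(a, b) & ~stuck_at_zero & MASK
    c2 = plain_and(a, b) & ~stuck_at_zero & MASK
    if c1 != c2:
        raise SafetyStop("copies disagree")
    return c1


def detected(fn, *args, **kwargs):
    """True if the checked computation stopped instead of returning a value."""
    try:
        fn(*args, **kwargs)
    except SafetyStop:
        return True
    return False


if __name__ == "__main__":
    A, B = 0xCA5F, 0xAAF0  # constructed operands; A AND B == 0x8A50
    print("fault-free:", hex(safe_and(A, B)))
    print("bit flip in pass 1 detected:", detected(safe_and, A, B, flip_mask=0x0001))
    print("shared stuck-at-0, diverse encoding detected:",
          detected(safe_and, A, B, stuck_at_zero=0x8000))
    print("shared stuck-at-0, plain duplication detected:",
          detected(duplicated_and, A, B, stuck_at_zero=0x8000))
```

Because every result bit is stored once plain and once complemented, a bit that is forced to the same value in both passes always breaks the D == /C relation, which is why the complemented encoding catches a class of common-mode faults that two identical copies cannot.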
System Architecture - Central Controller Module: Safety
- 1oo1D (one µP with diagnostic circuit): up to SIL 3
- 1oo2D (two µPs with diagnostic circuit): up to SIL 3
- 2oo3 (three µPs, 2oo3 voting): up to SIL 3
System Architecture - Central Controller Module: Safety and Availability
- 2x 1oo1D, each up to SIL 3
- 2x 1oo2D, each up to SIL 3 (often named a 2oo4D system)
- 2oo3, up to SIL 3
Degraded operation: 1oo2 with time limitation, up to SIL 3 (shown for both the 2x 1oo2D and the 2oo3 structure)
System Structure and Degradation
TÜV cooperation for functional safety: http://www.tuv-fs.com/index.htm
100% one-fault-tolerant architecture in the central controller level
Architectures of the SIF
System Design SIMATIC S7-400 F - Single Loop, only Safety Related
- Single digital sensors in 1oo1D for SIL 2
- Single digital and analogue sensors in 1oo2D for SIL 3
- Single outputs in 1oo2D for SIL 3
- Single controller for SIL 3 (with time redundancy, software diversity and diagnostics > 99%)
Input module (diagnostic circuit, input circuits: 1oo2D for SIL 3, 1oo1D for SIL 2) - controller module (1oo1D up to SIL 3, 1oo2D up to SIL 3) - output module (diagnostic circuit, CPUs, output circuit, main switch: 1oo2D up to SIL 3)
System Design SIMATIC S7-400 F - Single Loop, only Safety Related: Output Module
Output module: diagnostic circuit, two CPUs, output circuit, main switch; 1oo2D up to SIL 3.
SIMATIC F-DO with two output drivers in series: two shut-down paths (1oo2), HFT = 1, fulfils the SIL 3 requirements according to IEC 61511.
System Design SIMATIC S7-400 F - Single Loop, only Safety Related
- Single or dual sensors for inputs
- Redundant circuitry within I/O modules
- Redundant output circuits
- One controller up to SIL 3 (with time redundancy, software diversity and diagnostics > 99%)
Input module 1oo2D for SIL 3 / 1oo1D for SIL 2; controller module 1oo1D up to SIL 3 / 1oo2D up to SIL 3; output module 1oo2D up to SIL 3.
System Design SIMATIC S7-400 FH - Fully-Redundant Setup
Structure like 2oo4 systems, with high availability!
Input modules 2x (1oo2D for SIL 3); controller modules 2x (1oo1D "extended"), i.e. 2oo2 of SIL 3 controllers; output modules 2x (1oo2D).
System Architecture
SIF: "2oo3" Input Loop and "2oo2" Output Loop in a TMR System
Diagram: three pressure transmitters (PTx), each wired to channels CH1, CH2, CH3; 2oo3 input voting; processors µP1, µP2, µP3; output voting to control modules CM1, CM2, CM3.
System Architecture
SIF: "2oo3" Input Loop and "2oo2" Output Loop with SIMATIC S7-400 FH
Input modules 3x (1oo2D), one per sensor; controller modules 2x (1oo1D "extended"); output modules 2x (1oo2D), supplied from L+.
Voting in S7-400FH CPU
Sensor 1, Sensor 2, Sensor 3 → F 2oo3 Analog Voter Block (Mid-Select), F_1oo2_R, Safety Matrix™
The 2oo3 voting for the sensors is realized in the CPU, in the user program.
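The voter blocks named above (2oo3 analog mid-select, F_1oo2_R, Safety Matrix) run in the user program. The Python below is an added example of the voting rules themselves, not the F-library blocks: a mid-select over three transmitters with module validity flags, a discrete 2oo3 and a 1oo2 vote, and a small pressure SIF that chains them. Assumptions of mine, not stated on the slide: an invalid discrete channel counts as a trip demand (fail-safe), "high" is the hazardous direction, and the 2oo3 analog voter degrades to the higher of two remaining good channels, then to the last one, and forces a trip when none is left.

```python
"""Voting patterns from the slide (2oo3 analog mid-select, 1oo2, discrete 2oo3)
as plain Python. Added example, not the F-library blocks.

Assumptions (mine): every channel carries a value and a validity flag from the
module diagnostics; "high" is the hazardous direction; an invalid discrete
channel counts as demanding a trip (fail-safe); the degradation of the analog
2oo3 voter on diagnosed channel failures is modelled as described below and is
not spelled out on the slide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    value: float
    valid: bool = True  # False: module diagnostics flagged this channel


def mid_select(ch1, ch2, ch3):
    """2oo3 analog voter (mid-select). Three good channels: the middle value,
    so one drifting transmitter can neither cause nor block a trip on its own.
    Two good channels: the higher one (conservative for a high trip).
    One good channel: its value. None: raise, the caller must go to safe state."""
    good = sorted(c.value for c in (ch1, ch2, ch3) if c.valid)
    if len(good) == 3:
        return good[1]
    if good:
        return good[-1]
    raise ValueError("no valid channel left: safe state required")


def vote_2oo3_discrete(ch1, ch2, ch3):
    """Discrete 2oo3: trip when at least two channels demand it. A channel
    whose diagnostics failed is counted as demanding a trip (fail-safe)."""
    demands = sum(1 for c in (ch1, ch2, ch3) if (not c.valid) or c.value)
    return demands >= 2


def vote_1oo2(ch1, ch2):
    """1oo2: trip when either channel demands it or is invalid."""
    return any((not c.valid) or c.value for c in (ch1, ch2))


def pressure_sif(pt1, pt2, pt3, high_trip):
    """A pressure SIF: 2oo3 mid-select of three transmitters against the
    high-trip limit, then the demand is commanded to both shutdown paths
    (1oo2 output). Returns (trip_command, selected_pressure); with no valid
    transmitter the SIF trips and reports no pressure."""
    try:
        selected = mid_select(pt1, pt2, pt3)
    except ValueError:
        return True, None
    demand = selected >= high_trip
    # Both output paths receive the same demand; 1oo2 trips if either does.
    return vote_1oo2(Channel(demand), Channel(demand)), selected


if __name__ == "__main__":
    PT = Channel  # constructed readings in bar, high trip at 40 bar
    print(pressure_sif(PT(10.0), PT(12.0), PT(50.0), 40.0))          # one high drifter: no trip
    print(pressure_sif(PT(45.0), PT(12.0), PT(50.0), 40.0))          # two high: trip
    print(pressure_sif(PT(10.0), PT(12.0), PT(50.0, valid=False), 40.0))  # degraded to 1oo2
```

The first two calls show the point of mid-select: a single transmitter reading 50 bar does not trip, two of three do. The third shows the degraded case where the drifting channel is also diagnosed as faulty and drops out, leaving the two good readings to decide.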
Flexible Modular Redundancy ©
Siemens provides with the Flexible Modular Redundancy™ concept a high level of flexibility and scalability:
- for different safety requirements
- for different availability levels
- for plant structure and specific requirements
- for the extension of existing systems
I/O (AI, DI, DO) can be configured as simplex, dual or triple.
Flexible Modular Redundancy ©
IO and field device redundancy can be matched to:
• Minimize cost
• Maximize availability
Simplified example: 2oo3 PT (triple), 1oo2 valves (dual), 1oo1 LS (simplex).
Summary – Differences in Architectures
- Safety integrity via diagnostics rather than voting
- All architectures provide SIL 3 safety AND availability
- Fault tolerance is scalable rather than fixed: mix & match I/O structures
- Process availability not always impacted by SIS availability
- Siemens architecture gives you the choice to pay for the availability you need
- Please ask for the right requirement … according to IS 61511 and your plant
Diagram: SIL 3 TMR system with µP1, µP2, µP3; channels CH1, CH2, CH3; control modules CM1, CM2, CM3; voting.
Franz Handermann
Industry IA AS S MP 8
Process Safety Partner Manager
Siemensallee 84
76187 Karlsruhe
Phone: +49 (721) 595-4516
Email: [email protected]
Thank you for your attention!
siemens.com/answers