Energize to Trip Requirement for SIL 3 according to IEC 61511

Similar documents
Generating the Parameters for the Modbus/TCP Communication

Checking of STEP 7 Programs for the Migration of S7-318 to S CPU318 Migration Check. Application description 01/2015

Safe and Fault Tolerant Controllers

Windows firewall settings for X-Tools Server Pro. CMS X-Tools / V / CPU PN/DP. Application description 6/2016



Integral calculation in PCS 7 with "Integral" FB or "TotalL" FB

Moving a Process Historian/ Information Server from Workgroup A to Workgroup B

Library Description 08/2015. HMI Templates. TIA Portal WinCC V13.

X-Tools Loading Profile Files (LPF)

Setting up a secure VPN connection between two SCALANCE S Modules Using a static IP Address

Safety Applications with the S FC CPU

Setting up time synchronization of Process Historian and Information Server


Key Panel Library / TIA Portal

Configuration of an MRP Ring and a Topology with Two Projects

User Login with RFID Card Reader


Setting up a secure VPN Connection between SCALANCE S and SSC Using a static IP Address. SCALANCE S, SOFTNET Security Client

Transmitting HMI data to an external monitor

Application for Process Automation

STEP 7 function block to control a MICROMASTER 4 or SINAMICS G120/G120D via PROFIBUS DP


Networking a SINUMERIK 828D

SINAMICS G/S: Integrating Warning and Error Messages into STEP 7 V5.x or WinCC flexible

Improving the performance of the Process Historian

SIMATIC PCS 7 Minimal Configuration

Setting up a secure VPN Connection between CP x43-1 Adv. and SOFTNET Security Client Using a static IP Address

Configuration Control with the S and ET 200SP

Setting up a secure VPN Connection between SCALANCE S and CP x43-1 Adv. Using a static IP Address. SCALANCE S, CP Advanced, CP Advanced

Application example 02/2017. SIMATIC IOT2000 Connection to IBM Watson IoT Platform SIMATIC IOT2040

Monitoring of 24 V load circuits

Configuration of an MRP ring with SIMOCODE and SIMATIC S SIMOCODE pro V PN, SIMATIC S Siemens Industry Online Support

Universal Parameter Server

Applications & Tools. Configuration of Direct Starters with the APL Channel Block FbSwtMMS in SIMATIC PCS 7 SIMATIC PCS 7 V8.0

Configuring the F-I-Device function with the SENDDP and RCVDP blocks.

Block for SIMOTION SCOUT for Monitoring 24V-Branches


Applications & Tools. Configuration Examples for SIMATIC S7-400H with PROFINET. SIMATIC S7-400H as of V6.0. Application Description January 2013

Monitoring of the Feedback Circuit in the Safety Program. Safety Integrated. Siemens Industry Online Support

Setting up a secure VPN Connection between the TS Adapter IE Advanced and Windows 7

Application example 12/2016. SIMATIC IOT2000 OPC UA Client SIMATIC IOT2020, SIMATIC IOT2040

Determination of suitable hardware for the Process Historian 2014 with the PH-HWAdvisor tool

Application Description 03/2014. Detecting PROFINET Topologies and Activating IO Devices.

Application for Process Automation

Check List for Programming Styleguide for S7-1200/S7-1500

Line Contactor Control using the ON/OFF1 Command for SINAMICS G120

Display of SINAMICS Error Messages in Runtime Professional

Monitoring a Protective Door up to PL e / SIL 3 with a Fail-Safe S Controller. SIMATIC Safety Integrated. Siemens Industry Online Support

SINAMICS G120 / G120C / G120D / G120P (with FW >= 4.6) SIMATIC S7-300/400. Short-Documentation 04/2014


Applications & Tools. Calculation examples for safety functions according to EN ISO SINUMERIK 840D sl

SINAMICS V: Speed Control of a V20 with S (TIA Portal) via MODBUS RTU, with HMI

Emergency Stop up to PL e / SIL 3 with a Fail-Safe S Controller. SIMATIC Safety Integrated. Siemens Industry Online Support

PCS 7 Process Visualization on Mobile Devices with RDP

Cover. WinAC Command. User documentation. V1.5 November Applikationen & Tools. Answers for industry.




SINAMICS G/S: Tool for transforming Warning and Error Messages in CSV format


Applications & Tools. System Architectures With SIMATIC PCS 7/OPEN OS SIMATIC PCS 7. Application Description November Answers for industry.

Use and Visualization of IOLink Devices

RAID systems within Industry

Applications & Tools. Communication between WinAC MP and a SIMATIC S7. Application for the PUT and GET Function Blocks of the S7 Communication

I-Device Function in Standard PN Communication SIMATIC S7-CPU, CP, SIMOTION, SINUMERIK. Configuration Example 08/2015

Position Control with SIMATIC S and SINAMICS V90 via IRT PROFINET SINAMICS V90 PROFINET. Application description 03/2016

Applications & Tools. Safety position, standstill and direction detection and monitoring safely limited speed (SLS) on the basis of Distributed Safety

Applikationen & Tools. Network Address Translation (NAT) and Network Port Address Translation (NAPT) SCALANCE W. Application Description July 2009


Tracking the MOP setpoint to another setpoint source to bumplessly changeover the setpoint

Communication between HMI and Frequency Converter. Basic Panel, Comfort Panel, Runtime Advanced, SINAMICS G120. Application Example 04/2016

X-Tools configuration to connect with OPC servers and clients

Check List for Programming Styleguide for S7-1200/S7-1500


Process automation with the SIMATIC PCS 7 CPU 410-5H controller

Setting up 08/2017. Setting up the SIMATIC IOT2000 SIMATIC IOT2020, SIMATIC IOT2040

PCS 7 Configuration Changes in RUN with Active Fieldbus Diagnosis

Setting up a secure VPN Connection between two M812-1 Using a static IP Address

Diagnostics for enabled Configuration Control with S and ET200SP

Applications & Tools. Time-of-Day Synchronization between WinCC Runtime Professional and S7 Controllers. WinCC Runtime Professional

Exchange of large data volumes between S control system and WinCC


Data Storage on Windows Server or NAS Hard Drives

Open user communication to 3rd party control system. STEP 7 (TIA Portal), S7-1200/S7-1500, Allen-Bradley. Library description 01/2015


Setting up 01/2017. Setting up the SIMATIC IOT2000 SIMATIC IOT2020, SIMATIC IOT2040

Applications & Tools. Configuration Control (Options Handling) for ET 200SP and PROFINET SIMATIC S7. Application Description June 2012

Applications & Tools. Technology CPU 317TF-2 DP: Example for determining the Safety Integrity Level (SIL) according to IEC

Display of SINAMICS Fault Messages in WinCC V7.4

Time Synchronization with an HMI Operator Panel and a SIMATIC PLC

Service & Support. Signal Transfer from SIPLUS CMS4000 X-Tools to the SIMATIC PCS 7 Maintenance Station via TCP/IP. SIPLUS CMS4000 X-Tools

Integration of Process Historian / Information Server in a Domain

Applications & Tools. Configuring Electronic Signatures in SIMATIC PCS 7. SIMATIC PCS 7 V8.0 SP1, SIMATIC Logon V 1.5. Application May 2014

Acyclic communication between S and V90PN via PROFINET. Application example 12/

WinCC Runtime Professional S7-Graph Overview and PLC Code Viewer

Sample Blocks for WinCC V7 and STEP 7 (TIA Portal)


Functional Example AS-FE-I-013-V13-EN

Applications & Tools. Configuration of Frequency Converters with the APL Channel Block FbDrive in SIMATIC PCS 7 SIMATIC PCS 7 V8.0

Transcription:

Safety Manual 09/2014 Energize to Trip Requirement for SIL 3 according to IEC 61511 SIMATIC S7-400F/FH http://support.automation.siemens.com/ww/view/en/109106504

Warranty and Liability Warranty and Liability We do not accept any liability for the information contained in this document. Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act ("Produkthaftungsgesetz"), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract ("wesentliche Vertragspflichten"). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment. Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens Industry Sector. Security information Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens' products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates. For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity. To stay informed about product updates as they occur, sign up for a productspecific newsletter. For more information, visit http://support.automation.siemens.com. Entry ID: 109106504, V1.0, 09/2014 2

Table of Contents Table of Contents Warranty and Liability... 2 1 Task Definition... 4 2 Solution... 5 2.1 Overview... 5 2.2 Classification of the sections in the overview... 6 2.2.1 Mains power supply 1 and 2 and HMI... 6 2.2.2 H-system with redundant I/O... 7 2.2.3 Connected actuators... 8 2.3 Description of the core functionality... 9 2.4 Hardware and software components... 10 2.4.1 Hardware components... 10 2.4.2 Software components... 11 2.5 Configuration and parameterization... 12 2.5.1 Configuring the F-CPU... 12 2.5.2 Parameterizing the outputs of the F-DO... 13 2.5.3 Safe control of actuators... 14 3 Safety Function... 17 3.1 Triggering of the safety function... 17 3.2 Faults that do not result in the triggering of the safety function... 18 4 Review of Systematic Requirements and Safety Requirements by Means of an FMEA... 19 5 Verification of the achievable SIL 3... 21 6 Summary... 22 7 References... 23 8 History... 23 Entry ID: 109106504, V1.0, 09/2014 3

1 Task Definition 1 Task Definition Safety Integrated is the holistic safety concept for automation and drive technology from Siemens. It is based on the closed-circuit principle. The closed-circuit principle does not require power to perform the safety function (de-energize to trip). However, there are also applications that are based on the open-circuit principle and require power to perform the safety function (energize to trip). Examples of such applications: Ventilation systems Smoke dampers The automation task described here has the following safety-related requirements for a solution: Achievement of SIL 3 according to IEC 61511 Use of the "energize to trip" principle When using Safety Integrated hardware and software based on the "de-energize to trip" principle, additional measures are necessary to meet the above requirements as these requirements are based on the contrasting "energize to trip" principle (see figure below): Figure 1-1 From "de-energize to trip" to "energize to trip" Safety Integrated Hardware Software De-energize to trip Measures Satisfaction of the requirements Energize to trip SIL 3 The description of these measures and verification that SIL 3 according to IEC 61511 is achieved are core elements of this documentation. Note The method can also be applied to IEC 62061. Entry ID: 109106504, V1.0, 09/2014 4

2 Solution 2.1 Overview Diagrammatic representation The diagrammatic representation below shows the most important components of the solution: Figure 2-1 Overview of the most important hardware components L1 N Mains power supply 1 Mains power supply 2 HMI L1 N PowerSupply A Out: 24V 1 PowerSupply B Out: 24V 2 3 S7-400H rack 0 S7-400H rack 1 PROFIBUS DP Redundant ET 200M H-sync line DI PROFIBUS DP Redundant ET 200M K1 Feedback K2 Feedback ETT actuator, e.g. relay, pump safestate= 1 PS Load1 (max. 400V AC) PS Load2 (max. 400V AC) IM153-2 with F-DO10 (station 1, SIL 3) IM153-2 with F-DO10 (station 2, SIL 3) N Note The numbers 1, 2 and 3 refer to statements in chapter 2.2. Within a redundant S7-400H system with fail-safe functionality, a redundant ET 200M I/O device with fail-safe output modules (F-DO) provides the triggering of the safety function. An HMI informs of occurring faults. Note The designation of the CPUs follows the following convention: Each CPU is an H-CPU within an S7-400H H-system. An additional license provides them with additional safety functionality. As this document deals primarily with the safety aspect of the application, each CPU is referred to as an F-CPU. Entry ID: 109106504, V1.0, 09/2014 5

2.2 Classification of the sections in the overview Sections of the overview The overview of the most important hardware components (Figure 2-1) is divided into three sections (dashed border): Table 2-1 Reference to Figure 2-1 No. Explanation Mains power supply 1 and 2 and HMI H-system with redundant I/O Connected actuators The aim of this classification is to facilitate the following description, i.e., which areas are the focuses of this safety manual and which ones are not described in greater detail. The following sections explain these three sections accordingly. 2.2.1 Mains power supply 1 and 2 and HMI Figure 2-2 Mains power supply 1 and 2 and HMI L1 N Mains power supply 1 Mains power supply 2 HMI L1 N PowerSupply A Out: 24V PowerSupply B Out: 24V S7-400H rack 0 S7-400H rack 1 Mains power supply 1 and 2 Ensuring the power supply to maintain the safe state is a systematic requirement according to IEC 61508. Calculated proof for the probability of failure of the power supply is not required. This description assumes that there are two mains power supplies. The absence of interaction is important; i.e., the state (or a state change) of one mains power supply has no effect whatsoever on the other mains power supply. Entry ID: 109106504, V1.0, 09/2014 6

WARNING Death or severe personal injury may result if the systematic requirements are not ensured. The user must ensure that the systematic requirements are met. A description of the compliance with the systematic requirements is not part of this safety manual. The aspects described here start with the interface following PowerSupplies A and B, starting with S7-400H racks 0 and 1. HMI A failure of the power supply has to be output to a permanently manned receiving station. The power supply failure can be signaled acoustically and/or, as shown here, visually via operator control and monitoring equipment (HMI). Ensuring that a message is transmitted is part of the systematic requirement and has to be ensured by the user. 2.2.2 H-system with redundant I/O Figure 2-3 H-system with redundant I/O Systematic requirements S7-400H rack 0 S7-400H rack 1 H-sync line DI PROFIBUS DP PROFIBUS DP Redundant ET 200M Redundant ET 200M IM153-2 with F-DO10 (station 1, SIL 3) IM153-2 with F-DO10 (station 2, SIL 3) Starting with the power supply of the H-system, an FMEA (failure mode and effects analysis) is performed in this section. The objective of the FMEA is to analyze potential failures and assess the behavior of the F-DO as maintaining the safety function is particularly determined by the states of the binary outputs of the F-DO. Entry ID: 109106504, V1.0, 09/2014 7

2.2.3 Connected actuators Figure 2-4 Connected actuators Mains PS 1 (max. 400V AC) Mains PS 2 (max. 400V AC) K1 Feedback Feedback K2 ETT actuator, e.g. relay, pump safe state = 1. Appropriate actuators are controlled using the contactors K1 and K2. The assessment of the actuators is not part of this safety manual. When selecting the actuators, the user has to consider the occurring load currents (see also the "Technical data - F-DO10xDC24V" chapter in \3\). The FMEA addressed in chapter 2.2.2 considers the readback signals of the contactors K1 and K2 retrieved via the auxiliary contacts (indicated in Figure 2-4 by the term "feedback" and illustrated in greater detail in Figure 2-5). N Figure 2-5 Reading back the auxiliary contacts of contactors K1 and K2 H-system with connected I/O section Connected actuators section 24V DC K1 Aux. contacts K2 DI (ET 200M station 1) DI (ET 200M station 2) Feedback signal Entry ID: 109106504, V1.0, 09/2014 8

2.3 Description of the core functionality Note Regarding the F-DO, the following sections contain simplified wording such as: The F-DO is set The F-DO keeps its value, or similar phrases This always refers to the individual outputs of the F-DO that are necessary for triggering the safety function. Concept Triggering the safety function is achieved by at least one F-DO controlling a contactor (TRUE signal to contactor coil). In contrast to the "de-energize to trip" principle where a failure of the power supply would provide a FALSE signal of the F-DO and therefore the safe state, the "energize to trip" principle requires that the power supply of the system be ensured as a TRUE signal for the safe state is required on at least one F-DO. The power supply is ensured by the use of two mains power supplies non-reacting to each other. The power supply failure can be signaled acoustically and/or, as shown here, visually via operator control and monitoring equipment (HMI). When using the "energize to trip" principle, it is mandatory to use F-DOs with diagnostics capability. The special role of the F-DOs The F-DOs with diagnostics capability are the certified SIMATIC component F-DO 10xDC24V/2A, article no. 6ES7326-2BF10-0AB0. For this F-DO, "Keep last valid value" in the event of a fault can be configured as the safety-related setting. Such faults are: Abort of PROFIsafe communication F-CPU stop By integrating the F-DO into a user function (for the application), up to SIL 3 according to IEC 61511 can be achieved. Such an application is practically implemented in a redundant configuration as shown, for example, in \2\. Entry ID: 109106504, V1.0, 09/2014 9

2.4 Hardware and software components Requirements The components used must meet the following requirements: Redundant F-DO10xDC24V/2A PP Redundant control system (S7-400H) Redundant IM 153-2 interface module of the distributed I/O Fail-safe power supply, for example uninterruptible power supply (UPS) Trigger unit (closed-circuit current) must comply with at least SIL 2 or the required safety level Short-circuit-proof wiring Readback contacts (standard connection) for ETT actuators 2.4.1 Hardware components Table 2-2 Central configuration Power supply The safety concept described here can be implemented with the following hardware components: Component Type No. Article no. PS 407, 20A, 120/230V UC, 5V DC/20A 2 6ES7407-0RA01-0AA0 CPU416-5H PN/DP, 16MB F. S7-400H/F/FH 2 6ES7416-5HS06-0AB0 Distributed configuration Power supply PS 307, input: 120/230V AC, output: 24V DC/10A 2 6ES7307-1KA02-0AA0 ET200 M IM 153-2 interface module 2 6ES7153-2BA02-0XB0 F-digital output SM326 F-DO10xDC24V/2A PP 2 6ES7326-2BF10-0AB0 Note Follow the instructions for installing the S7-400. They can be found in the installation manual: \4\. Standards, certificates and approvals can be found in the system description: \8\ Instructions for installing the ET 200M can be found here: \3\ Entry ID: 109106504, V1.0, 09/2014 10

NOTICE Except the F digital output module (6ES7326-2BF10-0AB0), you can also use hardware components similar to the ones listed in the above table. Similar hardware components are the ones listed in the TÜV certificate (certificate number: Z10 09 07 67803 004 Rev 3.19). The certificate can be found here: \7\ However, please note that different hardware components may have different safety-related characteristic values ((SIL CL, PFD). Therefore, for the overall PFD value over the entire safety chain, values can occur that may no longer achieve the desired SIL. Accordingly, the statements also apply to standard components involved in the safety function. Different standard components have different MTBF values and therefore different probabilities of failure. WARNING Due to the "energize to trip" principle used, the power supply of the F- components must be ensured. The load power supplies must meet the requirements of the SIMATIC Safety Modules. 2.4.2 Software components This application is valid for: STEP 7 V5.4 SP4 or higher F Systems V6.0 or higher S7 F Systems Lib V1_3 CFC V6.0 SP2 HF3 or higher When used with PCS7: PCS7 V6.0 SP3 or higher with the STEP 7 and CFC version included. Entry ID: 109106504, V1.0, 09/2014 11

2.5 Configuration and parameterization 2.5.1 Configuring the F-CPU The controller is configured in a redundant and fail-safe manner. The figure below shows the STEP 7 hardware configuration. Safety mode has to be activated in the configuration. Figure 2-6 Configuration example for ETT application Note Instead of the external CP 443-5, you can also use the internal DP interface of the H-CPU. Entry ID: 109106504, V1.0, 09/2014 12

2.5.2 Parameterizing the outputs of the F-DO The actuator is controlled from two fail-safe output modules that are inserted in different ET 200M stations. Due to the installation in different ET 200M stations connected to the redundant control system via a redundant PROFIBUS, the hardware fault tolerance (HFT) is 1. When inserting the modules into the STEP 7 hardware configuration (next figure), the automation system assigns the addresses for the inputs and outputs available on the module. To be able to access the addresses from the logic, symbolic names are assigned to the addresses. Figure 2-7 Example of parameterizing the outputs of the F-DO Entry ID: 109106504, V1.0, 09/2014 13

2.5.3 Safe control of actuators Options Basically, there are two ways to safely control an actuator: Module redundancy Channel redundancy Module redundancy The following section describes module redundancy. For module redundancy, a redundancy partner for a module is defined in the STEP 7 hardware configuration. All settings on the module are automatically transferred to the redundancy partner. In the case described here, module and redundancy partner are the F-DO 10xDC24V/2A that have already been mentioned and are inserted in different stations of the ET 200M. Figure 2-8 Module redundancy of the F-DO10xDC24V For the F-DO, "Keep last valid value" must be set: Entry ID: 109106504, V1.0, 09/2014 14

Figure 2-9 "Keep last valid value" setting Note For outputs that have to be enabled to establish the safe state, it must be ensured that the actuator can be controlled at any time. This requires that the electric circuit be monitored even when the output is not enabled. The F-DO10xDC24V/2A PP (6ES7326-2BF10-0AB0) can test the electric circuit by running a light test. To do this, activate the "Enable light test" function by checking the check box (see Figure 2-9). Unused channels have to be deactivated (unchecked). Safety program The logic of the safety function is implemented in the safety program. To set and reset an output on a redundant module, only one channel driver (F_CH_DO) is placed in the safety program and interconnected with the symbolic name of the output with the lower address. When compiling the CFC, the system detects that a redundant partner exists for the module with the output and interconnects the channel driver with both F output modules (CHADDR and CH_INF with a module and CHADDR_R and CH_INF_R with the redundant partner). Entry ID: 109106504, V1.0, 09/2014 15

Figure 2-10 ETT application F-program Maximum load The maximum permitted load that can be switched by the F-DO10xDC24V/2A is 5W. (See the "Technical data - F-DO10xDC24V" chapter in \3\.) Entry ID: 109106504, V1.0, 09/2014 16

3 Safety Function 3 Safety Function A distinction has to be made between events that cause the triggering of the safety function and fault scenarios of which staff is informed and which have to be cleared but which do not trigger the safety function. 3.1 Triggering of the safety function Events that cause the triggering of the safety function must be programmed in the F-program. At the same, detection of these events is the trigger for triggering the safety function. For example, a sensor (e.g., a smoke detector) can transfer a binary signal to the F-program via the F-DI. In the F-program, the safety function is triggered that results in the setting of the F-DO. This scenario describes the method of operation of the "energize to trip" principle. Figure 3-1 Triggering of the safety function Start F-DI detects sensor signal? Yes F-program evaluates signal No Both F-DOs (6ES7326-2BF10-0AB0) output process values (FALSE) F-program sets F-DO of this station to TRUE Triggering of the safety function to achieve the safe state Simultaneously, the other F-DO is also set to TRUE Message on HMI Entry ID: 109106504, V1.0, 09/2014 17

3 Safety Function 3.2 Faults that do not result in the triggering of the safety function The following faults do not trigger the safety function and are therefore not part of the "energize to trip" principle: Passivation of an F-DO Failure of an F-CPU Failures of the IM 153-2 interface module However, these cases are analyzed within the scope of the FMEA to explain the response of the safety system to these faults. For fault scenarios where an F-DO is passivated, please note the following: NOTICE Hazards can occur due to actuators that start unexpectedly if you implement reintegration of the F-I/O through automatic reintegration. Actuators that start unexpectedly can cause dangerous situations. Preferably use an acknowledgement signal for reintegration. Entry ID: 109106504, V1.0, 09/2014 18

4 Review of Systematic Requirements and Safety Requirements by Means of an FMEA 4 Review of Systematic Requirements and Safety Requirements by Means of an FMEA Note FMEA: Failure Mode and Effects Analysis An FMEA was performed for the items of the following tables. Table 4-1 Failure of the power supply No. Subject Trigger safety function? 1 Partial power supply failure 2 Total power supply failure Information to receiving station? Total failure of safety system? no yes no No longer possible Table 4-2 Short circuit, overvoltage, wire break No. Subject Trigger safety function? Must be ensured by the user (systematic requirement according to IEC 61508) Information to receiving station? yes Total failure of safety system? 1 Short circuit to ground no yes no 2 Overvoltage (on one power supply) 3 Overvoltage (on both power supplies) 4 Wire break (to one actuator) 5 Wire break (to both actuators) no yes no No longer possible Must be ensured by the user (systematic requirement according to IEC 61508) yes no yes no No longer possible yes yes Note This case can be regarded as highly improbable. Note This case can be regarded as highly improbable. This case can be regarded as highly improbable. Entry ID: 109106504, V1.0, 09/2014 19

4 Review of Systematic Requirements and Safety Requirements by Means of an FMEA Table 4-3 Passivation of the F-DO No. Subject Trigger safety function? 1 Both F-DO set to FALSE and one F-DO passivated 2 Both F-DO set to FALSE and passivate both 3 One F-DO set to FALSE and this F-DO is passivated 4 One F-DO set to FALSE and the other F-DO passivated 5 One F-DO set to FALSE and passivate both 6 Both F-DO set to TRUE and one F-DO passivated 7 Both F-DO set to TRUE and passivate both Information to receiving station? Total failure of safety system? no yes no No longer possible Has already been triggered and is maintained Has already been triggered and is maintained Has already been triggered and is maintained Has already been triggered and is maintained Has already been triggered and is maintained Only if the cause is not the failure of both CPUs. yes yes Only if the cause is not the failure of both CPUs. yes Only if the cause is not the failure of both CPUs yes no no no no no Note This case can be regarded as highly improbable. The safety function is maintained due to the parameterization of the F-DO with "Keep last valid value". This case can be regarded as highly improbable. The safety function is maintained due to the parameterization of the F-DO with "Keep last valid value". Entry ID: 109106504, V1.0, 09/2014 20

5 Verification of the achievable SIL 3 5 Verification of the achievable SIL 3 To determine the SIL or verify that SIL 3 according to IEC 61508 can be achieved, the PFD must be calculated. Based on IEC 61508-6, VDI/VDE 2180 Sheet 4 provides approximation formulas that can be used under certain conditions (listed in chapter 6.1 of VDI/VDE 2180 Sheet 4). These requirements are usually met in the process industry. The starting point for calculating the overall PFD (see also Annex B of IEC 61511-2:2003) is the following model where the overall PFD is calculated from the sum of the PFD of the sensor component the PFD of the logic system and the PFD of the actuator component. This document does not assess the sensor and the F-DI. It is assumed that the information that causes the triggering of the safety function exists in the F-CPU as safe information. This safe information can either arrive at the F-CPU via an F-DI or it is generated by the user in the safety program. When looking at the actuators, the interface is on the F-DO. The F-DO is the subject matter, possible actuators (e.g., contactors) are not specified any further and therefore not assessed at this point. Figure 5-1 Considered items of the model Sensor configuration Not considered Logic system with input/output configuration Actuator configuration Considers only F-DO The protective equipment is shown as a subsystem structure. The individual subsystems include the associated components so that the following applies to the calculation of the overall PFD: = + + + + + where,, are not considered here. The, the (TE: transmission error) and the are considered here. Entry ID: 109106504, V1.0, 09/2014 21

6 Summary PFD of the F-CPU Transmission error PFD of the F-DO The of the F-CPU used can be found, for example, in \6\. The probability of dangerous transmission errors for digital communication processes is considered once in the calculation. The following applies to PROFIsafe communication: = 10 Actuator configuration Various wiring architectures are available for the connection of actuators. The of the F-DO used can be found, for example, in \6\. 6 Summary A fail-safe application contains systematic requirements that are the basis for implementing a safety system. These basic requirements must be ensured by the user. In the case discussed here, the "energize to trip" principle is used within the safety concept. It requires power to perform the safety function, which places greater emphasis on the consideration of the power supply as a systematic requirement. Furthermore, other faults are considered that are neither part of a systematic requirement nor part of the "energize to trip" principle, but which should nevertheless be analyzed. All of these three points (once again listed below) are dealt with within the scope of an FMEA. Ensuring the power supply as a systematic requirement The safety system based on the "energize to trip" principle Other fault scenarios All of these three points must be considered independently of each other. The systematic requirements and the "other fault scenarios" are not part of "energize to trip"; however, due to this, they are analyzed in an FMEA. The use of the H-system is also not part of the "energize to trip" principle. There is no redundancy regarding the safety functionality; at any time, only one F-CPU is involved in the process. Only the availability is increased by the H-system. However, availability and safety must always be considered independently of each other. Entry ID: 109106504, V1.0, 09/2014 22

7 References 7 References Table 7-1 Subject \1\ Siemens Industry Online Support \2\ FAQ about the "Keep last valid value" function Title http://support.automation.siemens.com http://support.automation.siemens.com/ww/view/en/65954737 \3\ SIMATIC Manual SIMATIC Automation System S7-300 ET 200M Distributed I/O Device Fail-safe signal modules Installation and Operating Manual http://support.automation.siemens.com/ww/view/en/19026151 \4\ SIMATIC Manual SIMATIC Automation System S7-400 Hardware and Installation Manual http://support.automation.siemens.com/ww/view/en/1117849 \5\ MTBF values for SIMATIC products \6\ PFD values for SIMATIC products \7\ Certificate for SIMATIC S7 F/FH Systems http://support.automation.siemens.com/ww/view/en/16818490 http://support.automation.siemens.com/ww/view/en/27832836 http://support.automation.siemens.com/ww/view/en/48191415 \8\ SIMATIC Manual SIMATIC Automation System S7-400 Configuration and Use System Description http://support.automation.siemens.com/ww/view/en/22586851 8 History Table 8-1 Version Date Modifications V1.0 02/2015 First release Entry ID: 109106504, V1.0, 09/2014 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback