2. What do we mean by “Safety”
“The condition of being safe; freedom from danger, risk, or injury.”
In the UK (and Europe) this can cover many areas and industries, for example:
Supply of Machinery (Safety) Regulations
Electromagnetic Compatibility Regulations
Electrical Equipment (Safety) Regulations
Pressure Equipment Regulations
Simple Pressure Vessels (Safety) Regulations
Equipment and Protective Systems Intended for Use in Potentially Explosive Atmospheres Regulations
Lifts Regulations
Medical Devices Regulations
Gas Appliances (Safety) Regulations
Pete Brown / Engineering with PROFIsafe
Important: It is essential to have some form of risk assessment / risk analysis, e.g. HAZAN / HAZID / HAZOP / RA to ISO 12100.
3. Legislation / HASAWA 1974
It shall be the duty of every employer to conduct his undertaking in such a way as to ensure, so far as is reasonably practicable, that persons not in his employment who may be affected thereby are not thereby exposed to risks to their health and safety.
It shall be the duty of any person who designs, manufactures, imports or supplies any article for use at work –
(a) to ensure, so far as is reasonably practicable, that the article is so designed and constructed as to be safe and without risks to health when properly used;
(b) to carry out or arrange for the carrying out of such testing and examination as may be necessary for the performance of the duty imposed on him by the preceding paragraph;
(c) to take such steps as are necessary to secure that there will be available in connection with the use of the article at work adequate information about the use for which it is designed and has been tested, and about any conditions necessary to ensure that, when put to that use, it will be safe and without risks to health.
4. Legislation / General
The Management of Health and Safety at Work Regulations
SCR: The Offshore Installations (Safety Case) Regulations
PFEER: The Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations
COMAH: Control of Major Accident Hazards Regulations
DSEAR: Dangerous Substances and Explosive Atmospheres Regulations
Machinery Directive, Low Voltage Directive, EMC Directive
Consumer Protection Act 1987
New for 2015! COMAH – HSE ECI Delivery Guide
What defines the minimum we should do?
Harmonized Standards
Approved Code of Practice
International Standards
Foreseeable misuse
IT security
Unexpected start-up
Fault masking
5. Expectations for Safety-Related controls
As Low As Reasonably Practicable (ALARP)
So Far As Is Reasonably Practicable (SFAIRP)
What do these terms mean?
What do these terms mean for Automation & Control?
7. ‘Best Practice’
Diagram: the functional safety standards landscape. IEC 61508 is the base standard; IEC 61511 covers the process industry; IEC 62061 and ISO 13849 cover the manufacturing industry (EN 954 applied until 2011). The diagram contrasts a focus on product manufacture with a focus on integration, and relevant good practice with harmonized standards.
8. Basic Lifecycle Concept
Pete Brown / Handling Functional Safety
Functional Safety:
Control of dangerous failures during operation through Robust Design
Control and avoidance of systematic failures through Robust Processes
Safety Lifecycle Requirement:
Engineering / Design: System Architecture, Failure Probability
Planning / Processes: Safety Management, Verification / Responsibilities
10. PROFIsafe – The Vision
Diagram: coexistence of standard and failsafe communication on one Profibus DP network. A Standard-Host/PLC and an F-Host/FPLC share the bus with Standard-I/O, F-I/O, an F-Sensor and an F-Actuator; an F-Field-Device is attached via DP/PA, an F-Gateway links to another safety bus, and a repeater extends the segment (master-slave assignment). The Engineering Tool (PG/ES) reaches the network over TCP/IP only through secure access, e.g. a firewall. F = Failsafe.
12. Cyclic Communication
Diagram: an F-Host / FPLC polling a laser scanner, Standard-I/O, F-I/O and a drive with integrated safety. Each slave has a 1:1 communication relationship with the master and is served in turn within one bus cycle.
13. PROFIsafe – ISO/OSI Model
"Black Channel": ASICs, links, cables, etc. Not safety relevant.
"PROFIsafe": safety-critical communication functions: addressing, watchdog timers, sequencing, signature, etc.
Safety relevant, but not part of PROFIsafe: safety I/O / safety control systems.
Non-safety-critical functions, e.g. diagnostics.
Diagram: every device (Standard I/O, Standard Control, Safety Input, Safety Control, Safety Output) uses OSI layers 1, 2 and 7 of the black channel; the safety devices add a Safety Layer on top of layer 7; diagnostics are shown as a non-safety-critical function.
14. PROFIsafe – Add-on Strategy
Diagram: each failsafe component is added on to its standard counterpart.
Standard engineering tool (STEP 7) + Failsafe engineering tool (Distributed Safety)
Standard CPU + Failsafe application program / F-Hardware
Standard PROFIBUS DP + PROFIsafe
Standard remote I/O + Failsafe I/O modules
15. PROFIsafe - Program
Coexistence of standard program and safety-related program on one CPU. Changes to the standard program have no effect on the integrity of the safety-related program section.
Diagram: standard program, safety program and standard program sections executing on the same CPU.
16. PROFIsafe – Coded Processing
Time redundancy and diversity replace complete redundancy.
Diagram: the safety logic is executed twice, one run after the other (time redundancy). The plain path computes C = A AND B; the diverse path runs on the inverted operands with the diverse operators (/A OR /B) and yields the diverse output D. A coding comparison checks D = /C and triggers a stop when the comparison fails.
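The coded-processing idea on this slide, as an added example that is not Siemens code or code from this presentation: a small Boolean safety function is evaluated once on the plain operands and once on inverted operands with the De Morgan dual operators, and the output is released only if the comparison D = /C holds. The mini instruction set, the E-stop program and the `inject` fault model are constructed for the illustration.

```python
from typing import Callable, List, Optional, Tuple

# Constructed mini instruction set: each step is (operator, register a, register b);
# the step result is appended as a new register. Inputs occupy registers 0..n-1.
Step = Tuple[str, int, int]

def run_plain(program: List[Step], inputs: List[bool]) -> bool:
    """Plain path: plain operands, plain operators."""
    regs = list(inputs)
    for op, a, b in program:
        if op == "AND":
            regs.append(regs[a] and regs[b])
        elif op == "OR":
            regs.append(regs[a] or regs[b])
        else:  # "NOT" uses only operand a
            regs.append(not regs[a])
    return regs[-1]

def run_diverse(program: List[Step], inputs: List[bool]) -> bool:
    """Diverse path: inverted operands and the De Morgan dual operators
    (AND <-> OR, NOT stays NOT), so each register holds the inverse of the plain one."""
    regs = [not x for x in inputs]
    for op, a, b in program:
        if op == "AND":
            regs.append(regs[a] or regs[b])
        elif op == "OR":
            regs.append(regs[a] and regs[b])
        else:
            regs.append(not regs[a])
    return regs[-1]

def safe_evaluate(program: List[Step], inputs: List[bool],
                  inject: Optional[Callable[[bool], bool]] = None) -> Optional[bool]:
    """Run both paths one after the other (time redundancy) and release the output
    only when the coding comparison D = /C holds; otherwise return None (stop).
    `inject` is a constructed fault model that corrupts the plain result C, standing
    in for a transient hardware fault in one of the two computations."""
    c = run_plain(program, inputs)
    if inject is not None:
        c = inject(c)
    d = run_diverse(program, inputs)
    return None if d != (not c) else c

# Constructed example: enable = guard_closed AND NOT estop_pressed
# registers: 0 = guard_closed, 1 = estop_pressed, 2 = NOT estop, 3 = enable
ESTOP_PROGRAM: List[Step] = [("NOT", 1, 1), ("AND", 0, 2)]

if __name__ == "__main__":
    print(safe_evaluate(ESTOP_PROGRAM, [True, False]))                        # True: enabled
    print(safe_evaluate(ESTOP_PROGRAM, [True, True]))                         # False: E-stop
    print(safe_evaluate(ESTOP_PROGRAM, [True, True], inject=lambda c: True))  # None: stop
```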
17. PROFIsafe - Basics
Diagram: a PROFIsafe layer sits above the standard bus protocol (the "black channel") at both ends; standard data and fail-safe data travel together over PROFIBUS or PROFINET.
First communication standard in accordance with safety standard IEC 61508.
PROFIsafe supports safe communication for the open standards PROFIBUS and PROFINET.
PROFIsafe counters possible faults such as address errors, delay and data loss with:
Serial numbering of the PROFIsafe telegram
Time monitoring
Authenticity monitoring
Optimized CRC checking
PROFIsafe supports standard and failsafe communication over one medium.
18. PROFIsafe - Checks
Overview: possible errors and the detection mechanisms that counter them.
Failure types: Repetition; Deletion; Insertion; Resequencing; Data Corruption; Delay; Masquerade (standard message mimics failsafe); Revolving memory failure within switches.
Remedies: Consecutive Number; Time Out with Receipt; Codename for Sender and Receiver; Data Consistency Check.
19. PROFIsafe safety PDU
Diagram: standard PROFINET IO messages carry the PROFIsafe container (Safety PDU), which consists of:
F Input/Output Data: max. 12 / 123 bytes
Status / Control Byte: 1 byte
CRC2: 3 / 4 bytes *), calculated across F I/O data, Status or Control Byte, F-Parameter, and Vconsnr_h
*) 3 bytes for a max. of 12 bytes F I/O data; 4 bytes for a max. of 123 bytes F I/O data
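Slides 17 to 19 describe the checks of the safety layer and the PDU that carries them; the following added example, which is neither PROFIsafe's specification nor code from this presentation, models them in simplified form. It assumes a reduced F-Parameter set (source address, destination address, watchdog time), uses zlib's CRC-32 in place of the real CRC2 polynomial, and keeps the consecutive number out of the frame, folding it into the CRC only, so that a single CRC comparison at the receiver rejects corruption, repetition, deletion, insertion, resequencing and masquerade, while the watchdog rejects delay.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Tuple

# Constructed, simplified model of the slides' checks (consecutive number, watchdog
# time-out, codename = source/destination address, CRC over data + status +
# F-Parameters + counter). Not the real PROFIsafe protocol.

@dataclass
class FParams:
    f_source_add: int   # codename of the sender
    f_dest_add: int     # codename of the receiver
    f_wd_time_ms: int   # watchdog time

def crc2(data: bytes, status: int, fp: FParams, consnr: int) -> int:
    """CRC across F I/O data, status/control byte, F-Parameters and the counter."""
    fparams = struct.pack(">HHI", fp.f_source_add, fp.f_dest_add, fp.f_wd_time_ms)
    return zlib.crc32(data + bytes([status]) + fparams + struct.pack(">I", consnr))

@dataclass
class Sender:
    fp: FParams
    consnr: int = 0

    def build(self, data: bytes, status: int = 0) -> bytes:
        """Safety PDU = F I/O data + 1 status byte + 4-byte CRC2; the counter is
        not transmitted, it is only folded into the CRC."""
        self.consnr += 1
        return data + bytes([status]) + struct.pack(">I", crc2(data, status, self.fp, self.consnr))

@dataclass
class Receiver:
    fp: FParams
    expected: int = 0      # last accepted consecutive number
    last_ok_ms: int = 0

    def check(self, pdu: bytes, now_ms: int) -> Tuple[bool, str]:
        """Return (accepted, reason). Any rejection is a demand for the safe state."""
        if now_ms - self.last_ok_ms > self.fp.f_wd_time_ms:
            return False, "timeout"                      # delay
        data, status, crc = pdu[:-5], pdu[-5], struct.unpack(">I", pdu[-4:])[0]
        # Recomputing the CRC with the receiver's own addresses and its next
        # counter value rejects corruption, repetition, deletion, insertion,
        # resequencing and masquerade in one comparison.
        if crc != crc2(data, status, self.fp, self.expected + 1):
            return False, "crc/sequence/codename mismatch"
        self.expected += 1
        self.last_ok_ms = now_ms
        return True, "ok"
```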
20. Wireless Communication
Diagram: an Industrial Ethernet backbone with several access points serving wireless clients: an Automated Guided Vehicle (AGV), a separated PLC network on rotating and moving parts, and mobile commissioning and diagnosis.
21. Wireless Communication
Wireless transmission (WLAN, Bluetooth): no special safety certification. PROFIsafe is approved for a BEP of up to 10^-2. Data security is to be assured by the wireless components.
"Stationary" applications (well-defined locations and movements): no constraints and special assessments as long as two points are connected via wireless components.
Mobile deployment of wireless components in most cases can only be accepted under certain constraints (e.g. unambiguous allocation of E-Stop to the hazardous final element). Thus, an emergency stop button at a mobile operator panel with WLAN transmission is not automatically permitted even if the transmission is correct from a safety point of view (which is true for PROFIsafe).
Wireless and PROFIsafe is not a question of safety but a question of availability. Currently, only a maximum of one nuisance trip per work shift (= SIL monitor time = 10 h) is permitted at a BEP of 10^-2.
(BEP = Bit error probability)
23. Cyber Security
What Cyber Security legislation applies?
What is the current state of the market?
Centre for the Protection of National Infrastructure (CPNI)
The Network and Information Security (NIS) Directive
“Providers of essential services”
Confidentiality, Integrity, Availability (CIA)
Availability, Integrity, Confidentiality (AIC)
People, Environment, Asset, Reputation (PEAR)
24. Industrial IT Security
Diagram: security layers around the DCS/SCADA* system and the path of a potential attack.
*DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition
Plant Security
Physical Security
• Physical access to facilities and equipment
Policies & Procedures
• Security management processes
• Operational Guidelines
• Business Continuity Management & Disaster Recovery
Network Security
Security Zones & DMZ
• Secure architecture based on network segmentation
Firewalls and VPN
• Implementation of Firewalls as the only access point to a security cell
System Integrity
System Hardening
• Adapting system to be secure by default
User Account Management
• Access control based on user rights and privileges
Patch Management
• Regular implementation of patches and updates
Malware Detection and Prevention
• Anti Virus and Whitelisting
25. PROFINET Security Concept
The PROFINET Security Concept
From the PROFINET Security Guideline
Network Architecture – Security Zones
Trust Concept – within Zones
Perimeter Defence – Firewall/VPN
Provision of Confidentiality and Integrity
Transparent Integration of Firewalls
26. Secure Automation Cells (Zones)
Diagram: complete plant security enclosing secure automation cells, with the Internet outside the plant boundary.
27. Methods for Network Security
Security issues and vulnerabilities need to be addressed. There are many methods. How can we address these vulnerabilities using these techniques?
Firewall: protect against unauthorized access
VLAN (Virtual Local Area Network): logical network that operates on the basis of a physical network
DMZ (De-Militarized Zone): exchange data with external partners via safe areas
VPN (Virtual Private Network): secure tunnel between authenticated users
What is the minimum we should be doing today?
National Infrastructure
IT security RA
Assess Safety Functions
IEC 62443 / Zoning
28. Any questions? Peter Brown
Product Specialist
Siemens Customer Services
Mobile: 07808 825551
Email: brown.peter@siemens.com