Best Practices for Managing Safety with Basic Controllers
usa.siemens.com/digital-factory Unrestricted © Siemens Industry, Inc. 2019

Page 1:

Best Practices for Managing Safety with Basic Controllers

usa.siemens.com/digital-factory

Page 2:

Unrestricted © Siemens 2019

Jana Kocianova, Product Manager S7-1200/S7-1200F
Siemens Industry, Inc.
RC-US DF FA MK PLC
5300 Triangle Parkway
Norcross, GA 30092-2538, USA
mailto:[email protected]

Page 3:

SAFETY PRACTICES

• Press safety
• Safety and Security
• SAT – SIMATIC Automation Tool

Page 4:

Solutions for Press Safety: SIMATIC S7 F/P

siemens.com/metalforming

Page 5:

SIMATIC S7 F/P – Features and benefits

+ Reduced period of acceptance test and validation
+ Reduced engineering time through field-proven and modular function blocks
+ Full benefits of safety-related features: CRC checksum, know-how protection, light test, wire-break, …
+ Online help: activate directly from TIA Portal (SHIFT+F1)
+ Fully documented: manual plus complete, executable example projects
+ Modular concept with multi-instance programming
+ Installation routine: plug-and-play into TIA Portal
+ Software-based failsafe: flexible and certified
+ Full scalability across all SIMATIC failsafe controllers (Basic – Advanced – Software Controller)

Page 6:

SIMATIC S7 F/P – Failsafe library for the press shop

Failsafe function blocks for implementation of all press safety functions, expert consulting and certification:

+ Failsafe library: more than 40 failsafe, know-how protected function blocks
+ Examples: executable solution examples; functional solutions for mechanical, hydraulic and servo presses
+ Documentation and online help in the form of application examples
+ Certificate: certification following current international standards
+ Consulting by Siemens safety experts via application support

SIOS: 48299432

Page 7:

SIMATIC S7 F/P – Following all terms and standards

General standards:
+ DIN EN 62061: up to SIL 3
+ EN ISO 13849-1: up to PL e and Cat. 4
+ EN IEC 61508-3: up to SIL 3
+ 2006/42/EC: according to the Machinery Directive
+ GS-HSM-30: principles of testing …

Specific standards:
+ DIN EN 692: “Machine tools – Mechanical presses – Safety”
+ DIN EN 693: “Machine tools – Safety – Hydraulic presses”
+ DIN EN 12622: “Safety of machine tools – Hydraulic press brakes”
+ DIN EN 13736: “Safety of machine tools – Pneumatic presses”

Page 8:

SIMATIC S7 F/P – Full scalability across all SIMATIC F-Controllers

[Figure: system performance plotted against application complexity, all engineered with TIA Portal. Controllers shown from basic to advanced: Basic Controller SIMATIC S7-1200F, Distributed Controller SIMATIC ET 200 CPU F, Advanced Controller SIMATIC S7-1500F, Software Controller SIMATIC S7-1500 F. Each is rated on functionality, reaction time and program code.]

Page 9:

SIMATIC S7 F/P – The right solution for all applications

Results and suggestions:

• S7-1200 F: the cost-effective alternative for all stand-alone safety functions, without any functional restrictions compared to S7-1500 F. Example: mechanical press with CPU 1215F and SM 1226 F-DI and F-DQ.
• Distributed failsafe controller: for all flexible press applications in the mid-range press area, with additional space for standard automation tasks. Example: mechanical press with CPU 1512P F and ET 200SP F-DI and F-DQ.
• High-performance S7-1500F: for easy integration and combination of standard and failsafe functionality, with full scalability with distributed I/Os. Example: mechanical press with CPU 1516F and ET 200MP F-DI and F-DQ.

[Figure: the three configurations compared on F-module reaction time, clamp-clamp reaction time, program code and price.]

Page 10:

SIMATIC S7 F/P – Be ready for virtual commissioning

Engineering against SIMATIC S7-PLCSIM instead of real hardware (since TIA Portal V15 and Press Safety Library V15.0.1):
• No simulation-specific changes in the user program are necessary anymore
• PLCSIM for failsafe controllers
• Safety + standard + motion control can be simulated
• Caveat: S7-1200 F cannot be simulated

Page 11:

SIMATIC S7 F/P – Order and license concept

Classic (Distributed Safety, version V2.x):
• First license: 6AU1837-0EA10-0DX1
• Floating license: 6AU1837-0EA10-0DX2
• Upgrade license to TIA Portal (Safety Advanced): 6AU1837-0EA10-0EX1

TIA Portal (Safety Advanced):
• Basic first license: 6AU1837-0EA10-0GX3 (only S7-1200 F)
• Advanced first license: 6AU1837-0EA10-0GX1 (all F-Controllers)
• Floating license: 6AU1837-0EA10-0GX2
• Basic upgrade license, S7-1200F to S7-1500F: 6AU1837-0EA10-0EX2 (all F-Controllers)

Delivery: library, application, manual, certificate, online help. A paper license is required per F-PLC.

Page 12:

SIMATIC S7 F/P – Use Case: Two-Hand-Control with Emergency Stop

How to reach SIL3/PLe with two-hand control at a mechanical press?

[Figure: signal chain Capture → Evaluate → React. Capture: two-hand control incl. emergency stop, wired 2-channel to I 12.0 and I 12.1. React: 2-channel output Q 24.0 to the press safety valve (PSV).]

Page 13:

SIMATIC S7 F/P – Use Case: Two-Hand-Control with Emergency Stop – Capture

[Figure: two-hand control wired 2-channel to I 12.0 and I 12.1; for each input the electrical wiring, the tag declaration and the F-module configuration are shown.]

Page 14:

SIMATIC S7 F/P – Use Case: Two-Hand-Control with Emergency Stop – Evaluate

Programming steps:
1. Evaluate and check the two-hand signals
2. Set the command to the operation mode selection
3. Control the press safety valve

Page 15:

SIMATIC S7 F/P – Use Case: Two-Hand-Control with Emergency Stop – React

[Figure: 2-channel output Q 24.0 to the press safety valve (PSV); electrical wiring, tag declaration and F-module configuration shown.]

Page 16:

SIMATIC S7 F/P – Use Case: Two-Hand control and reaction

How to reach SIL3/PLe with emergency stop at a mechanical press?

[Figure: Capture → Evaluate → React. Capture: emergency stop wired 2-channel to I 1.0. React: 2-channel output Q 2x.0 to the press safety valve (PSV).]

Page 17:

SIMATIC S7 F/P – Use Case: Two-Hand control and reaction – Capture

[Figure: emergency stop wired 2-channel to I 1.0; electrical wiring, tag declaration and F-module configuration shown.]

Page 18:

SIMATIC S7 F/P – Use Case: Two-Hand control and reaction – Evaluate

Programming steps:
1. Evaluate and check the emergency stop signal
2. Set the command to the operation mode selection
3. Control the press safety valve

Page 19:

SIMATIC S7 F/P – Use Case: Two-Hand control and reaction – React

[Figure: 2-channel output Q 24.0 to the press safety valve (PSV); electrical wiring, tag declaration and F-module configuration shown.]

Page 20:

SIMATIC S7 F/P – Use Case: Two-Hand-Control with Emergency Stop

How to reach SIL3/PLe with two-hand control at a mechanical press? Every link of the chain Capture → Evaluate → React → press safety valve (PSV) is certified according to SIL3/PLe:
⋅ Capture: two-hand control incl. emergency stop, 2-channel wired to F-DI (module certified SIL3/PLe)
⋅ Evaluate: safety blocks from the Press Safety Library (PLC and F-block certified SIL3/PLe)
⋅ React: 2-channel wired F-DQ (module certified SIL3/PLe)
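The Capture → Evaluate → React chain of the two use cases, as an added Python model. It is not the Press Safety Library (whose F-blocks are know-how protected and certified) and not certified code of any kind; it only shows what the two-channel F-DI evaluation, the two-hand block and the two-channel F-DQ have to enforce. Assumptions that are not on the slides: a 0.5 s discrepancy time for each two-channel input, a 0.5 s simultaneity window for the two-hand control, one sample every 0.1 s, and the constructed button sequences in `run_demo`.

```python
"""Model of Capture -> Evaluate -> React for a two-hand control with emergency stop.

Added illustration, not the Siemens Press Safety Library and not F-block code.
Assumed parameters (not from the slides):
  - discrepancy time 0.5 s: both channels of one device must agree within it
  - simultaneity 0.5 s for the two-hand control: both buttons must be actuated
    within 0.5 s of each other, otherwise both must be released before a new attempt
  - t is the sample time in seconds; the caller samples every 0.1 s
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TwoChannel:
    """Evaluates one two-channel (redundant) safety input with discrepancy monitoring."""
    discrepancy_time: float = 0.5
    fault: bool = field(default=False, init=False)          # latched until reset()
    _mismatch_since: Optional[float] = field(default=None, init=False)

    def evaluate(self, ch1: bool, ch2: bool, t: float) -> bool:
        """Return True only while both channels agree on 'active' (1oo2 evaluation)."""
        if self.fault:
            return False                                     # passivated: stays safe
        if ch1 != ch2:
            if self._mismatch_since is None:
                self._mismatch_since = t
            elif t - self._mismatch_since > self.discrepancy_time:
                self.fault = True                            # wiring or contact fault
            return False
        self._mismatch_since = None
        return ch1 and ch2

    def reset(self) -> None:
        self.fault = False
        self._mismatch_since = None


@dataclass
class TwoHandControl:
    """Two push buttons, each two-channel. Output only while both are held after
    being pressed within the simultaneity window; any release drops the output."""
    simultaneity: float = 0.5
    left: TwoChannel = field(default_factory=TwoChannel)
    right: TwoChannel = field(default_factory=TwoChannel)
    _first_pressed_at: Optional[float] = field(default=None, init=False)
    _enabled: bool = field(default=False, init=False)
    _locked: bool = field(default=False, init=False)         # until both released

    def evaluate(self, l1: bool, l2: bool, r1: bool, r2: bool, t: float) -> bool:
        left = self.left.evaluate(l1, l2, t)
        right = self.right.evaluate(r1, r2, t)
        if not left and not right:                           # full release: new attempt allowed
            self._first_pressed_at, self._enabled, self._locked = None, False, False
            return False
        if self._enabled:
            if left and right:
                return True
            self._enabled, self._locked = False, True         # one hand released: stop
            return False
        if self._locked:
            return False
        if left and right:
            if self._first_pressed_at is None or t - self._first_pressed_at <= self.simultaneity:
                self._enabled = True
                return True
            self._locked = True                              # second hand arrived too late
            return False
        if self._first_pressed_at is None:                   # exactly one hand so far
            self._first_pressed_at = t
        elif t - self._first_pressed_at > self.simultaneity:
            self._locked = True
        return False


def press_safety_valve(two_hand_ok: bool, estop_ok: bool) -> Tuple[bool, bool]:
    """React: the two F-DQ channels driving the PSV are always switched together;
    any stop condition de-energises both (safe state)."""
    enable = two_hand_ok and estop_ok
    return (enable, enable)


def run_demo() -> dict:
    """Constructed sample sequences, one sample every 0.1 s."""
    res = {}
    thc = TwoHandControl()                                   # right hand follows left by 0.3 s
    res["sync_ok"] = [thc.evaluate(True, True, i >= 3, i >= 3, i * 0.1) for i in range(10)]
    thc = TwoHandControl()                                   # right hand 0.8 s late, both released, re-pressed together
    seq: List[bool] = []
    for i in range(16):
        left = i < 12 or i >= 13
        right = 8 <= i < 12 or i >= 13
        seq.append(thc.evaluate(left, left, right, right, i * 0.1))
    res["sync_late"] = seq
    tc = TwoChannel()                                        # channel 2 stuck open for 0.7 s
    res["discrepancy_out"] = [tc.evaluate(True, False, i * 0.1) for i in range(8)]
    res["discrepancy_fault"] = tc.fault
    estop = TwoChannel()                                     # NC contacts: True == closed == not pressed
    res["valve_run"] = press_safety_valve(True, estop.evaluate(True, True, 0.0))
    res["valve_estop"] = press_safety_valve(True, estop.evaluate(False, False, 0.1))
    return res


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Running the file prints the five scenarios: a synchronous press enables the valve, a late second hand locks the control until both hands are released, a channel mismatch longer than the discrepancy time latches a fault that only `reset()` clears, and an emergency stop de-energises both output channels regardless of the two-hand state. In the real chain these three behaviours live in the F-DI configuration, the library block and the F-DQ respectively, which is why each of them carries its own SIL3/PLe certificate.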

Page 21:

Bridging functional safety and cyber security

siemens.com/industrialsecurity

Page 22:

Multiple system layers and complementing IT security measures enhance IT security

Defense-in-depth (Siemens CyberSecurity Offerings)

[Figure: “Security in medieval times” (concentric walls around the keep) compared with modern defense-in-depth IT security: border, intrusion prevention, firewall, campus network, firewall, critical assets, all under network security management.]

Security threats demand continuous action.

Page 23:

Questions within the safety community related to security

1. Should security aspects be treated as part of safety?

2. Can safety still protect its integrity, if security mechanisms fail?

3. How can security threats and incidents be quantified?

4. Is a safety case incomplete without consideration of security?

5. Can we trust the security countermeasures?

6. What level of threat should be considered?

Page 24:

Definitions

Security aims to protect assets against adverse impact by (intentional or unintentional) attacks on
• Availability
• Integrity and/or
• Confidentiality
through preventive and reactive (technical and/or organizational) measures.

Safety means freedom from unacceptable risk (related to physical harm to humans and negative impact on the environment).

Page 25:

IEC 62443 addresses all stakeholders for a holistic protection concept

[Figure: application view and supplier view of the Industrial Automation and Control System. The Asset Owner operates and maintains it (operational policies and procedures, maintenance policies and procedures), the Service Provider supports that, the System Integrator designs and deploys the automation solution, and the Product Supplier develops products. The parts of IEC 62443 shown next to the stakeholders are 2-1, 2-3, 2-4, 3-2, 3-3, 4-1 and 4-2. The automation solution consists of essential functions: safety functions, basic control functions and complementary functions.]

Page 26:

Where do both worlds connect? They are so different!

Safety:
• Impact on: physical harm to humans, environment
• Transparency on: methods, measures, defects
• Rather static field
• Foreseeable misuse

Security:
• Impact on: availability, integrity, confidentiality
• Confidentiality on: methods, measures, vulnerabilities
• Highly dynamic field
• Intentional and unintentional manipulation
• Criminal intent

More items of separation:
• Different experts and methods
• Different processes and timelines
• Different laws, technical regulations and standards

Page 27:

Assumption-based SIL (Safety Integrity Level)

• A safety risk assessment contains preconditions related to other risk reduction measures.
• The determined SIL is no measure for the risk involved.
• Many discussions on “safety” relate only to the SIL-rated system.

Safety is more than functional safety (SIL)! (ISO 12100)

Page 28:

Qualitative example for security preconditions

• Probability of a specifically targeted attack: attacks on confidentiality and availability are more likely than on the integrity of the system.
• Attack target: an attack via common malware, depending on the threat landscape (target country, group or industry), is more likely to happen.
• Attacker competence: attacks with simple means and resources are more likely than attacks by a “criminal” organisation.
• Possibility of damage limitation: is the attack observable, and can countermeasures be rolled out immediately?
• Attack over technology only: most attacks are conducted via the human factor.
• Target origin: inside attacker, or outside attacker with insider knowledge.

• These preconditions are often disregarded in a discussion about “Safety/Security”.
• This distorts the view on security.
• These preconditions are very dynamic!

These differences result in different risk approaches!

Page 29:

Is there anything like “safety-related security”?

[Figure: three kinds of safety relation: functional safety (SIL); direct safety relation (e.g. electrical safety); indirect safety relation through system performance (e.g. power supply, emergency systems).]

• The security countermeasures of a plant are derived from the threat-risk assessment, not from the existence of a safety function.
• The security threat-risk assessment addresses possible safety issues (based on the C-I-A principles).
• It is possible to have a safety relation only by consideration of specific attack scenarios.

Page 30:

The definition of “security environment” (IEC TR 63069, clauses 3.2.5 and 4.2, figure 3)

• All security countermeasures derived from the threat-risk assessment establish the security environment.
• Security countermeasures can be provided in functional units of the technical system.
• Any safety investigation is based on the assumption of effective security countermeasures.

The “secure” environment is a necessity for the whole automation solution, to guarantee its functionality and availability.

Page 31:

Vulnerabilities (IEC TR 63069, clause 4.2)

• A “vulnerability” should not be understood as an error of the technical system, as it could also be introduced into a system at a later point in time.
• Generally, vulnerability means that there is an attack path through the system which relates to a threat scenario.

This means, e.g.: a safety system is generally strong against component errors which could lead to a dangerous state, but this strength is at the same time a weakness with respect to system availability.

[Figure: an attacker with successful attacks along an attack path through the system; the impact is shown both on safety and on availability.]
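The vulnerability point above, together with answer 2 on page 33 (safety methods do not protect against intelligent attacks), as an added toy model in Python. It is not PROFIsafe and not Siemens code: the telegram layout, the CRC-32, the 100 ms watchdog and the passivate-on-any-fault rule are assumptions chosen for the illustration, and the traffic in `run_demo` is constructed. It shows that a bit flip, a replay and a delay all drive the module into its safe state (the availability weakness), while a forged telegram with the correct consecutive number and CRC is accepted, which is why the safety case has to assume an effective security environment.

```python
"""Toy model of a safety telegram from an F-CPU to an F-DQ module.

Added illustration, not the PROFIsafe format, CRC or state machine.
Assumptions (not from the slides): 2-byte payload (consecutive number, output
byte), CRC-32 over the payload, an F-watchdog of 100 ms, and the rule that any
failed check passivates the module (outputs de-energised) until an explicit
reintegration, which this model does not implement.
"""
import struct
import zlib
from dataclasses import dataclass

WATCHDOG_MS = 100          # assumed F-watchdog time
SAFE_STATE = 0x00          # all F-DQ channels de-energised


@dataclass
class FDevice:
    expected_seq: int = 1
    last_good_ms: int = 0
    passivated: bool = False
    outputs: int = SAFE_STATE


def build_telegram(seq: int, outputs: int) -> bytes:
    """Consecutive number + output byte, protected by a CRC. No secret is involved."""
    payload = struct.pack(">BB", seq & 0xFF, outputs & 0xFF)
    return payload + struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF)


def passivate(dev: FDevice) -> None:
    dev.passivated = True
    dev.outputs = SAFE_STATE


def receive(dev: FDevice, telegram: bytes, now_ms: int) -> str:
    """Process one telegram; return which check decided ('ok', 'watchdog', 'crc', 'seq')."""
    if dev.passivated:
        return "passivated"
    if now_ms - dev.last_good_ms > WATCHDOG_MS:      # too long since the last valid telegram
        passivate(dev)
        return "watchdog"
    payload, (crc,) = telegram[:2], struct.unpack(">I", telegram[2:6])
    if zlib.crc32(payload) & 0xFFFFFFFF != crc:      # transmission error or naive tampering
        passivate(dev)
        return "crc"
    seq, outputs = struct.unpack(">BB", payload)
    if seq != dev.expected_seq & 0xFF:               # lost, duplicated or replayed telegram
        passivate(dev)
        return "seq"
    dev.expected_seq += 1
    dev.last_good_ms = now_ms
    dev.outputs = outputs
    return "ok"


def run_demo() -> dict:
    """Constructed traffic: one telegram every 20 ms, output byte 0x01 = channel 0 energised."""
    res = {}
    dev = FDevice()                                   # 1. undisturbed cycle
    res["normal"] = [receive(dev, build_telegram(s, 0x01), 20 * s) for s in range(1, 6)]
    res["normal_outputs"] = dev.outputs
    dev = FDevice()                                   # 2. bit flipped in flight, CRC not recomputed
    t = bytearray(build_telegram(1, 0x01))
    t[1] ^= 0x02
    res["tampered"] = receive(dev, bytes(t), 20)
    res["tampered_outputs"] = dev.outputs
    dev = FDevice()                                   # 3. replay of an old, valid telegram
    old = build_telegram(1, 0x01)
    receive(dev, old, 20)
    res["replay"] = receive(dev, old, 40)
    dev = FDevice()                                   # 4. forged telegram with correct seq and CRC:
    receive(dev, build_telegram(1, 0x01), 20)         #    accepted, because the CRC gives integrity
    res["forged"] = receive(dev, build_telegram(2, 0x03), 40)   # against errors, not authenticity
    res["forged_outputs"] = dev.outputs
    dev = FDevice()                                   # 5. telegrams dropped or delayed beyond the watchdog
    receive(dev, build_telegram(1, 0x01), 20)
    res["delayed"] = receive(dev, build_telegram(2, 0x01), 200)
    res["delayed_outputs"] = dev.outputs
    return res


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Run the file to print each scenario's outcome. The lesson for the threat-risk assessment is the one the slide draws: an attacker who only wants to stop the press needs nothing more than a position on the fieldbus and a delay, and the safety protocol will do the rest; an attacker who wants to change the output in this model needs no key either, only the telegram format. Both cases are for the security environment (segmentation, access control, detection) to handle, not for the safety function.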

Page 32:

The efficient solution for co-engineering (IEC TR 63069, figure 4)

In the frame of the security risk assessment:
• the security preconditions are holistically considered.
• the safety realization is investigated related to the threat scenario.
• decisions for the system realization are made.

Both domains deliver specific requirements for the system! The realization of processes and interaction is not defined in standards!

[Figure: Safety Domain (Safety Management, Safety Risk Assessment related to physical harm to humans and the environment, identified safety measures, Safety Design) and Security Domain (Security Management, threat-risk assessment related to availability, integrity and confidentiality, taking into account the impact on safety with support by a safety expert, identified security countermeasures, Security Environment). The standards of each domain refer to the other domain; conflict resolution and compatibility between them lead to the combined Safety and Security Implementation.]

Page 33:

Answers for the safety community related to security

1. Should security aspects be treated as part of safety?
   No, security should be considered as its own domain.

2. Can safety still protect its integrity if security mechanisms fail?
   No, safety methods do not provide protection against intelligent attacks.

3. How can security threats and incidents be quantified?
   They cannot be statistically evaluated to provide a prognosis for future incidents.

4. Is a safety case incomplete without consideration of security?
   Security is generally deemed necessary. A safety case can refer to an effective security environment as a necessary precondition.

5. Can we trust security countermeasures?
   Yes, if they are related to the investigated threat environment and level of attack.

6. What level of threat should be considered?
   That is to be determined by the parties responsible for the system or application.

Page 34:

SIMATIC Automation Tool – Commissioning, Maintenance, Service

siemens.com/simatic-automation-tool

Page 35:

Page 36:

Enhanced hardware support and extensive functionality

[Figure: supported hardware: SIMATIC Controllers incl. safety I/Os (incl. T-CPU), SIMATIC HMI, MOBY / RFID, SITOP and others; several entries are marked “New”.]

Usability:
• Improved file browsing possibilities
• Check the SAT version for updates
• Color coding of address and name conflicts

Additional operations:
• Show serial number and HW version in the user table
• Automatic backup of the event log entries
• Service data in ZIP file

Page 37:

Versatile application possibilities in the different phases

Commissioning
• Solar park: initial filling including address adjustments for identical control cabinet configurations, as a mass operation

Maintenance
• Laser cutting machine: mechanical adjustment requires program adaptation for optimizing. This update can be done without the engineering software

Service
• Sewage treatment plant: automated collection of service data using the API to improve plant performance and availability

Page 38:

One tool for commissioning, maintenance and service

+ Hardware support: extensive support of the Siemens automation portfolio
+ Independent of the engineering framework: ideal for commissioning, maintenance and service without TIA Portal
+ Mass operations: parallelizing of tasks to reduce time and costs
+ API: optimal for automation of tasks
+ Usability: easy to use for TIA and non-TIA Portal users

Note: because the tool can update controllers and run mass operations without TIA Portal, its network path to the controllers needs the same access protection and segmentation (see the defense-in-depth model on page 22) as any engineering station.

Page 39:

THANK YOU FOR YOUR ATTENTION!

Jana Kocianova, Product Manager S7-1200/S7-1200F
Siemens Industry, Inc.
RC-US DF FA MK PLC
5300 Triangle Parkway
Norcross, GA 30092-2538, USA
mailto:[email protected]