Best Practices for Managing Safety with Basic Controllers
usa.siemens.com/digital-factory
Unrestricted © Siemens Industry, Inc. 2019
Unrestricted © Siemens 2019
Jana Kocianova, Product Manager S7-1200/S7-1200F
Siemens Industry, Inc.
RC-US DF FA MK PLC
5300 Triangle Parkway
Norcross, GA 30092-2538, USA
mailto:[email protected]
SAFETY PRACTICES
• Press safety
• Safety and Security
• SAT – SIMATIC Automation Tool
siemens.com/metalforming
Solutions for Press Safety: SIMATIC S7 F/P
SIMATIC S7 F/P: Features and benefits
• Reduced period of acceptance test and validation
• Reduced engineering time through field-proven and modular function blocks
• Full benefits of safety-related features: CRC checksum, know-how protection, light test, wire break, …
• Online help: activate directly from TIA Portal (SHIFT+F1)
• Fully documented: manual plus complete, executable example projects
• Modular concept with multi-instance programming
• Installation routine: plug-and-play into TIA Portal
• Software-based failsafe: flexible and certified
• Full scalability across all SIMATIC Failsafe Controllers (Basic – Advanced – SW-Controller)
SIMATIC S7 F/P: Failsafe library for the press shop
Failsafe function blocks for implementation of all press safety functions, expert consulting and certification (examples, documentation, consulting, certificate, failsafe library):
• Failsafe library consisting of more than 40 failsafe, know-how protected function blocks
• Executable solution examples: functional solutions for mechanical, hydraulic and servo presses
• Documentation and online help in the form of application examples
• Certification following current international standards
• Consulting by Siemens safety experts via application support
SIOS: 48299432
SIMATIC S7 F/P: Following all terms and standards
General standards:
• DIN EN 62061: up to SIL3
• EN ISO 13849-1: up to PLe and Cat. 4
• EN IEC 61508-3: up to SIL3
• 2006/42/EC: according to the Machinery Directive
• GS-HSM-30: principles of testing…
Specific standards:
• DIN EN 692: "Machine tools – Mechanical presses – Safety"
• DIN EN 693: "Machine tools – Safety – Hydraulic presses"
• DIN EN 12622: "Safety of machine tools – Hydraulic press brakes"
• DIN EN 13736: "Safety of machine tools – Pneumatic presses"
SIMATIC S7 F/P: Full scalability across all SIMATIC F-Controllers
[Figure: SIMATIC F-Controllers, all engineered with TIA Portal, positioned by system performance (vertical axis) against application complexity (horizontal axis): Basic Controller SIMATIC S7-1200F, Distributed Controller SIMATIC ET 200 CPU F, Software Controller SIMATIC S7-1500 F, Advanced Controller SIMATIC S7-1500F. Each is characterised by functionality, reaction time and program code.]
SIMATIC S7 F/P: The right solution for all applications
Results and suggestions:
• S7-1200 F: the cost-effective alternative for all stand-alone safety functions, without any functional restrictions compared to S7-1500 F
• Distributed Failsafe Controller for all flexible press applications in the mid-range press area, with additional space for standard automation tasks
• High-performance S7-1500F for easy integration and combination of standard and failsafe functionality, with full scalability using distributed I/Os
Comparison criteria: reaction time of the F-module, clamp-clamp reaction time, program code, price.
Example configurations for a mechanical press:
• CPU 1215F with SM1226 F-DI and F-DQ
• CPU 1512P F with ET200SP F-DI and F-DQ
• CPU 1516F with ET200MP F-DI and F-DQ
SIMATIC S7 F/P: Be ready for virtual commissioning
• No simulation-specific changes in the user program are necessary anymore
• PLCSIM for failsafe controllers
• Safety + Standard + Motion Control can be simulated (S7-1200 F cannot be simulated)
Available since TIA Portal V15 together with Press safety library V15.0.1.
[Figure: engineering against SIMATIC S7-PLCSIM instead of real hardware.]
SIMATIC S7 F/P: Order and license concept
Classic (Distributed Safety):
• First license: 6AU1837-0EA10-0DX1 (Version V2.x)
• Floating license: 6AU1837-0EA10-0DX2 (Version V2.x)
• Upgrade license (Distributed Safety ⇓ Safety Advanced, TIA Portal): 6AU1837-0EA10-0EX1
TIA Portal (Safety Advanced):
• Basic First license: 6AU1837-0EA10-0GX3 (only S7-1200 F)
• Advanced First license: 6AU1837-0EA10-0GX1 (all F-Controllers)
• Floating license: 6AU1837-0EA10-0GX2
• Basic Upgrade license (S7-1200F ⇓ S7-1500F): 6AU1837-0EA10-0EX2 (all F-Controllers)
Included: library, application, manual, certificate, online help. A paper license is required per F-PLC.
SIMATIC S7 F/P: Use Case: Two-Hand Control with Emergency Stop
How to reach SIL3/PLe with two-hand control at a mechanical press?
Capture → Evaluate → React
• Capture: two-hand control incl. emergency stop on inputs I 12.0 and I 12.1, each 2-channel
• React: press safety valve (PSV) on output Q 24.0, 2-channel
SIMATIC S7 F/P: Use Case: Two-Hand Control with Emergency Stop – Capture
Capture: two-hand control on I 12.0 and I 12.1, each 2-channel. For each input the slide covers the electrical wiring, the tag declaration and the F-module configuration.
SIMATIC S7 F/P: Use Case: Two-Hand Control with Emergency Stop – Evaluate
Evaluate (programming):
• Evaluate and check the two-hand signals
• Set the command to the operation mode selection
• Control the press safety valve
SIMATIC S7 F/P: Use Case: Two-Hand Control with Emergency Stop – React
React: press safety valve (PSV) on Q 24.0, 2-channel. For the output the slide covers the electrical wiring, the tag declaration and the F-module configuration.
SIMATIC S7 F/P: Use Case: Two-Hand control and reaction
How to reach SIL3/PLe with emergency stop at a mechanical press?
Capture → Evaluate → React
• Capture: emergency stop on input I 1.0, 2-channel
• React: press safety valve (PSV) on output Q 2x.0, 2-channel
SIMATIC S7 F/P: Use Case: Two-Hand control and reaction – Capture
Capture: emergency stop on I 1.0, 2-channel. The slide covers the electrical wiring, the tag declaration and the F-module configuration.
SIMATIC S7 F/P: Use Case: Two-Hand control and reaction – Evaluate
Evaluate (programming):
• Evaluate and check the emergency stop signal
• Set the command to the operation mode selection
• Control the press safety valve
SIMATIC S7 F/P: Use Case: Two-Hand control and reaction – React
React: press safety valve (PSV) on Q 24.0, 2-channel. The slide covers the electrical wiring, the tag declaration and the F-module configuration.
SIMATIC S7 F/P: Use Case: Two-Hand Control with Emergency Stop – Summary
How to reach SIL3/PLe with two-hand control at a mechanical press?
Capture (two-hand control incl. emergency stop) → Evaluate → React (press safety valve, PSV)
Certified according to SIL3/PLe:
• Capture: 2-channel wired to F-DI (module certified SIL3/PLe)
• Evaluate: safety blocks from the Press Safety Library (PLC and F-block certified SIL3/PLe)
• React: 2-channel wired F-DQ (module certified SIL3/PLe)
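As an added illustration that is not code from the slides or from the Siemens Press Safety Library, the following Python scan-cycle model walks through the Capture, Evaluate and React chain of both use cases above (two-hand control and the emergency stop). Two-channel inputs are checked for channel agreement with a discrepancy time, the two-hand logic demands synchronous actuation and enforces a restart interlock, and the result drives the two-channel press-safety-valve output. The I/O addresses follow the slides; the discrepancy time (100 ms), the synchronous-actuation window (500 ms), the reintegration rule and the mapping of the left and right hand to I 12.0 and I 12.1 are assumptions made for the example, not values taken from the presentation or the library.

```python
"""Scan-cycle model of Capture -> Evaluate -> React (added example, not Siemens code)."""

DISCREPANCY_TIME_MS = 100   # assumed: max. time the two channels of one input may disagree
SYNC_WINDOW_MS = 500        # assumed: both hands must be actuated within this window


class TwoChannelInput:
    """Two equivalent channels of one input (e.g. both contacts of a pushbutton, or
    both NC contacts of an emergency stop). The evaluated value is 1 only when both
    channels read 1. A disagreement longer than the discrepancy time is treated as
    a contact or wiring fault: the input is passivated (substitute value 0) until
    both channels return to 0, the de-energised safe state (simplified reintegration)."""

    def __init__(self, discrepancy_ms: int) -> None:
        self.discrepancy_ms = discrepancy_ms
        self.mismatch_ms = 0
        self.passivated = False

    def evaluate(self, ch_a: bool, ch_b: bool, dt_ms: int) -> bool:
        if ch_a != ch_b:
            self.mismatch_ms += dt_ms
            if self.mismatch_ms > self.discrepancy_ms:
                self.passivated = True
        else:
            self.mismatch_ms = 0
            if self.passivated and not ch_a and not ch_b:
                self.passivated = False   # reintegrate only from the safe state
        return bool(ch_a and ch_b) and not self.passivated


class TwoHandControl:
    """Both hands must be actuated within the sync window; releasing either hand
    during a cycle drops the enable, and a new cycle requires both hands to be
    released first (restart interlock)."""

    def __init__(self, sync_window_ms: int) -> None:
        self.sync_window_ms = sync_window_ms
        self.first_press_ms = None   # time elapsed while only one hand was pressed
        self.enable = False
        self.lockout = False

    def evaluate(self, left: bool, right: bool, dt_ms: int) -> bool:
        if not left and not right:            # both released: arm for a new cycle
            self.first_press_ms = None
            self.enable = False
            self.lockout = False
            return False
        if self.lockout:                       # wait until both hands are released
            self.enable = False
            return False
        if left and right:
            if not self.enable:
                if self.first_press_ms is not None and self.first_press_ms > self.sync_window_ms:
                    self.lockout = True        # second hand came too late
                    return False
                self.enable = True
            return True
        # exactly one hand actuated
        if self.enable:                        # a hand was released during the cycle
            self.enable = False
            self.lockout = True
            return False
        self.first_press_ms = (self.first_press_ms or 0) + dt_ms
        if self.first_press_ms > self.sync_window_ms:
            self.lockout = True                # sync window expired with one hand only
        return False


def run_press_cycle(scans, dt_ms: int = 10):
    """Run a sequence of PLC scans. Each scan is a tuple
    (left_a, left_b, right_a, right_b, estop_a, estop_b); the emergency-stop
    channels are NC contacts, so True means 'circuit closed, not actuated'.
    Returns the two-channel PSV command (Q 24.0, channel a/b) for every scan."""
    left = TwoChannelInput(DISCREPANCY_TIME_MS)     # assumed mapping: I 12.0
    right = TwoChannelInput(DISCREPANCY_TIME_MS)    # assumed mapping: I 12.1
    estop = TwoChannelInput(DISCREPANCY_TIME_MS)    # I 1.0
    two_hand = TwoHandControl(SYNC_WINDOW_MS)
    outputs = []
    for la, lb, ra, rb, ea, eb in scans:
        hand_l = left.evaluate(la, lb, dt_ms)                # Capture
        hand_r = right.evaluate(ra, rb, dt_ms)               # Capture
        estop_ok = estop.evaluate(ea, eb, dt_ms)             # Capture
        enable = two_hand.evaluate(hand_l, hand_r, dt_ms)    # Evaluate
        psv = enable and estop_ok                            # React: PSV only with healthy e-stop
        outputs.append((psv, psv))                           # Q 24.0 driven on both channels
    return outputs


if __name__ == "__main__":
    HEALTHY = (True, True, True, True, True, True)   # constructed sample scan
    # constructed scenario: left hand first, right hand 30 ms later, then the e-stop is hit
    scenario = ([(True, True, False, False, True, True)] * 3 + [HEALTHY] * 2
                + [(True, True, True, True, False, False)])
    for n, out in enumerate(run_press_cycle(scenario)):
        print(f"scan {n}: PSV = {out}")
```

The point of the model is that every stage has a defined safe reaction: a channel discrepancy, a late second hand, a hand released mid-cycle or an opened emergency-stop contact all drive the PSV command to 0 on both channels, and the two-hand enable can only be regained from the fully released state. In a real F-system these checks are provided by the certified F-module configuration and the library F-blocks rather than by user code.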
Bridging functional safety and cyber security
siemens.com/industrialsecurity
Multiple system layers and complementing IT security measures enhance IT security: defense-in-depth
[Figure: "Security in medieval times" (a castle with border, campus network and critical assets) compared with modern defense-in-depth IT security, where the critical assets sit behind firewalls, intrusion prevention and network security management.]
Security threats demand continuous action (Siemens CyberSecurity Offerings).
Questions within the safety community related to security
1. Should security aspects be treated as part of safety?
2. Can safety still protect its integrity, if security mechanisms fail?
3. How can security threats and incidents be quantified?
4. Is a safety case incomplete without consideration of security?
5. Can we trust the security countermeasures?
6. What level of threat should be considered?
Definitions
Security aims to protect assets against adverse impact by (intentional or unintentional) attacks on
• Availability
• Integrity and/or
• Confidentiality
through preventive and reactive (technical and/or organizational) measures.
Safety means freedom from unacceptable risk (related to physical harm to humans and negative impact to the environment).
Application view and supplier view: IEC 62443 addresses all stakeholders for a holistic protection concept
[Figure: the Industrial Automation and Control System seen from the application view and the supplier view. Stakeholders: Asset Owner (operates and maintains), Service Provider, System Integrator (designs and deploys), Product Supplier (develops products). Elements: operational policies and procedures, automation solution, maintenance policies and procedures, and the essential functions (safety functions, basic control functions, complementary functions). Parts of IEC 62443 referenced: 2-1, 2-3, 2-4, 3-2, 3-3, 4-1, 4-2.]
Where do both worlds connect? They are so different!
Safety:
• Impact on: physical harm to humans, environment
• Transparency on: methods, measures, defects
• Rather static field
• Foreseeable misuse
Security:
• Impact on: availability, integrity, confidentiality
• Confidentiality on: methods, measures, vulnerabilities
• Highly dynamic field
• Intentional and unintentional manipulation, criminal intent
More items of separation:
• Different experts and methods
• Different processes and timelines
• Different laws, technical regulations and standards
Assumption-based SIL (Safety Integrity Level)
• A safety risk assessment contains preconditions related to other risk-reduction measures.
• The determined SIL is no measure of the risk involved.
• Many discussions on "safety" relate only to the SIL-rated system.
Safety is more than functional safety (SIL)! (ISO 12100)
Qualitative example for security preconditions
• Attack target: attacks on confidentiality and availability are more likely than on the integrity of the system.
• Probability of a specifically targeted attack: an attack via common malware, depending on the threat landscape (target country, group or industry), is more likely to happen.
• Attacker competence: attacks with simple means and resources are more likely than attacks from a "criminal" organisation.
• Possibility of damage limitation: is the attack observable, and can countermeasures be rolled out immediately?
• Attack over technology only: most attacks are conducted via the human factor.
• Target origin: inside attacker, or outside attacker with insider knowledge.
• These preconditions are often disregarded in a discussion about "Safety/Security".
• This distorts the view on security.
• These preconditions are very dynamic!
These differences result in different risk approaches!
Is there anything like "safety-related security"?
[Figure: safety relations of a system: functional safety (SIL), a direct safety relation (e.g. electrical safety), and an indirect safety relation through system performance (e.g. power supply, emergency systems).]
• The security countermeasures of a plant are derived from the threat-risk assessment, not from the existence of a safety function.
• The security threat-risk assessment addresses possible safety issues (based on the C I A principles).
• It is possible to have a safety relation only by consideration of specific attack scenarios.
The definition of "security environment" (IEC TR 63069, clause 3.2.5, 4.2, figure 3)
• All security countermeasures, derived from the threat-risk assessment, establish the security environment.
• Security countermeasures can be provided in functional units of the technical system.
• Any safety investigation is based on the assumption of effective security countermeasures.
The "secure" environment is a necessity for the whole automation solution, to guarantee its functionality and availability.
Vulnerabilities (IEC TR 63069, clause 4.2)
• A "vulnerability" should not be understood as an error of the technical system, as it could also be introduced into a system at a later point in time.
• Generally, vulnerability means that there is an attack path through the system which relates to a threat scenario.
This means, e.g.: a safety system is generally strong against component errors which could lead to a dangerous state, but this strength is at the same time a weakness with respect to system availability.
[Figure: attacker, attack path through the system, successful attacks; safety versus availability.]
The efficient solution for co-engineering (IEC TR 63069, figure 4)
In the frame of the security risk assessment:
• the security preconditions are holistically considered.
• the safety realization is investigated related to the threat scenario.
• decisions for the system realization are made.
Both domains deliver specific requirements for the system! The realization of processes and interaction is not defined in standards!
[Figure: Safety Domain (Safety Management; Safety Risk Assessment related to physical harm to humans and the environment; identified Safety Measures; Safety Design) and Security Domain (Security Management; Threat-risk assessment related to availability, integrity and confidentiality, taking into account the impact on Safety; identified Security countermeasures; Security Environment). The domains are linked by support from the Safety Expert, by standards referring to the other domain, by conflict resolution & compatibility, and by the joint Safety and Security Implementation.]
Answers for the Safety community - related to Security
1. Should security aspects be treated as part of safety?
   No, security should be considered as its own domain.
2. Can safety still protect its integrity, if security mechanisms fail?
   No, safety methods do not provide protection against intelligent attacks.
3. How can security threats and incidents be quantified?
   They cannot be statistically evaluated to provide a prognosis for future incidents.
4. Is a safety case incomplete without consideration of security?
   Security is generally deemed necessary. A safety case can refer to an efficient security environment as a necessary precondition.
5. Can we trust security countermeasures?
   Yes, if they are related to the investigated threat environment and level of attack.
6. What level of threat should be considered?
   That is to be determined by the parties responsible for the system or application.
siemens.com/simatic-automation-tool
SIMATIC Automation Tool: Commissioning – Maintenance – Service
Enhanced hardware support and extensive functionality
Supported hardware: SIMATIC Controller incl. safety I/Os (incl. T-CPU), SIMATIC HMI, MOBY / RFID, SITOP, other; several of these are marked as new on the slide.
Usability:
• Improved file browsing possibilities
• Check the SAT version for updates
• Color coding of address and name conflicts
Additional operations:
• Show serial number and HW version in the user table
• Automatic backup of the event log entries
• Service data in ZIP file
Versatile application possibilities in the different phases
• Commissioning – Solar park: initial filling including address adjustments for identical control cabinet configurations as a mass operation
• Maintenance – Laser cutting machine: mechanical adjustment requires program adaptation for optimizing. This update can be done without the engineering software
• Service – Sewage treatment plant: automated collection of service data using the API to improve plant performance and availability
One tool for commissioning, maintenance and service
• Hardware support: extensive support of the Siemens automation portfolio
• Independent of the engineering framework: ideal for commissioning, maintenance and service without TIA Portal
• Mass operations: parallelizing of tasks to reduce time and costs
• API: optimal for automation of tasks
• Usability: easy to use for TIA and non-TIA Portal users
THANK YOU FOR YOUR ATTENTION!
Jana Kocianova, Product Manager S7-1200/S7-1200F
Siemens Industry, Inc.
RC-US DF FA MK PLC
5300 Triangle Parkway
Norcross, GA 30092-2538, USA
mailto:[email protected]