Luis Duran – ABB Safety Product Group ABB in Safety Systems 800xA High Integrity – February 2014

© ABB 06 February 2014 | Slide 1 ABB in Safety Systems Agenda

§ ABB in Safety

§ 800xA High Integrity Overview

§ Integrated System Engineering and Operations

§ Independent High Integrity

§ Application Examples

§ Reference Projects

§ Summary

30+ Years Of Experience With Safety Systems – Pioneering Installations & Long-Term Support

§ First safety system delivered offshore to the in 1979

§ Pioneering engineering efforts

§ Close collaboration between ABB and end-users

§ Long customer relationships with close technical support and system evolution

§ Installed base continuously evolved and migrated to maximize customer value and minimize risk

§ Support throughout system life-cycle from installation to de-commissioning

“For an ocean of safety experience you can trust...”

ABB Safety Execution Centers – 30 Years Of Experience With Safety Systems

Map legend: Safety Execution Center (SEC); TUV Certified SEC

Over The Years… Innovation and leadership – And our experience continues to grow

Timeline 1975 – 2010+ (reconstructed from the slide)

Projects:

§ 1979 – Statfjord B safety system goes online

§ 1984 – First integrated MP200 based safety system goes online at Gullfaks A platform

§ 1993 – First integrated Safeguard 3000 safety system goes online at Sleipner A platform

§ 2005 – First installations with Safeguard and HI in parallel

§ 2007 – Largest HI system to date (13 000 IOs) goes online

Products:

§ 1979 – Triguard

§ 1983 – Safeguard 9000

§ 1993 – Safeguard 3000

§ 1997 – Safeguard 400

§ 2002 – Plantguard

§ 2005 – 800xA High Integrity (SIL2)

§ 2008 – 800xA High Integrity (SIL3)

Product Group Safety Business Results – Controllers and IO

Safety Automation Market – ARC Figures, Safety Market 2012 (chart)

ABB Total Safety Offering

Field Instrumentation: SIL rated instrumentation, actuators, proof testing support, TRAMs, proof test period

SIS Systems: TUV certified, flexible and scalable, System 800xA, maintenance, lifecycle support

Installed Systems: alarm management, benchmarking review (EEMUA 191), SIL assessment, training, benchmarking support

Compliance Management: SIL determination, IEC 61508/IEC 61511 analysis, TRAC compliance, training, mentoring


Safety Standards Timeline

From prescriptive standards (1st generation systems) to performance standards, by region (reconstructed from the slide):

International:

§ 1993 – ISO 10418

§ 1995 – IEC SC 65 draft

§ 1999 – IEC 61508

§ 2003 – IEC 61511

Germany:

§ 1989 – DIN VDE 19250

§ 1991 – DIN VDE 0801

UK:

§ 1987 – HSE PES

USA:

§ 1974 – API RP14C

§ 1992 – OSHA CFR 1910.119

§ 1995 – ISA dS84.01 (draft)

§ 1996 – ANSI/ISA S84.01

§ 2004 – ANSI/ISA S84.00.01 (IEC 61511 Mod)

(Axis labels: Prescriptive standards / Performance standards; the incident markers along the timeline axis are not recoverable.)

SIS Hardware Fault Tolerant Architectures – 1st Generation Safety Systems

• Duplex • Triplex • Quad (Bi-Duplex) • 1oo2D • 2oo3 • 2oo4D

2nd Generation Safety Systems …better but not perfect

§ 2nd generation systems…

§ Were developed and certified in accordance with standards (e.g. IEC 61508)

§ Provide additional software diagnostics to help identify latent faults

§ However, they still …

§ Rely on redundancy for safety as well as availability

§ Focus on identical paths and voting for Safety (hardware fault tolerance)

§ Do not use diversity to eliminate common cause issues

§ A few are certified to IEC61508 Edition 2, but not all

SIL 3 Certification by TÜV – 800xA High Integrity – ABB Safety Certificates

Figure: certificates shown (Product Safety Certificate, Development Department Safety Certificate, Safety Manual Certificate)

§ TÜV Product Service has certified all product components of the 800xA Safety offering

800xA High Integrity – SIL3 Certified (certificate)

Also NFPA certified for F&G and BMS

SIL3 Certified

3rd Generation Safety Systems – Diverse Architecture and Implementation, Certified

§ Newer systems (i.e. the SIL 3 800xA High Integrity controller) have parallel processing paths based on diverse technology

§ Integrity voting between paths

§ Built in active software diagnostics

§ Controller and Safety Module developed by diverse (different) teams (Vasteras and Malmo, Sweden) and tested by a third team (Oslo, ) by people with different backgrounds

§ The two channel architecture meets SIL3 requirements for hardware fault detection and reaction (1oo1D / 1oo2D)

Diagram labels: CB; PM (AC800M HI, SIL3); SM (Safety I/O, SIL3)

IEC61508-2 Table 3 (as shown on the slide):

SFF (%)  | HFT 0       | HFT 1
< 60     | not allowed | SIL 1
60 - 90  | SIL 1       | SIL 2
90 - 99  | SIL 2       | SIL 3
> 99     | SIL 3       | SIL 4

System 800xA High Integrity Application Execution Diversity

Parallel diverse execution allows a hardware fault tolerance of 1 for SIL3 applications (HFT = 1, SIL 3 execution).

Diagram: I/O data with CRC arrives over the CEX bus and ModuleBus and is executed by two diverse IEC 1131 executers, the Safety Module (SM) and the Processing Module (PM), each with its own supervisory logic, with Safety I/O attached.

IEC 61508-2, Table 3:

SFF           | HFT 0       | HFT 1 | HFT 2
< 60 %        | Not allowed | SIL 1 | SIL 2
60 % - < 90 % | SIL 1       | SIL 2 | SIL 3
90 % - < 99 % | SIL 2       | SIL 3 | SIL 4
≥ 99 %        | SIL 3       | SIL 4 | SIL 4
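The table above is the lookup an assessor performs when claiming a SIL for a type B subsystem: compute the Safe Failure Fraction from the subsystem's failure rates, then read the row for that SFF and the column for the hardware fault tolerance. The following Python is an added example written for this page, not ABB code; it encodes the Table 3 rows exactly as the slide shows them and adds the standard IEC 61508 SFF definition (safe plus dangerous-detected failures over all failures), which the slide does not spell out. The failure rates in the demonstration are constructed values.

```python
"""Achievable SIL from SFF and HFT per the IEC 61508-2 Table 3 rows on the slide.

Added example, not ABB code. Failure-rate values used below are constructed.
"""

# (lower SFF bound of the band, (SIL at HFT 0, HFT 1, HFT 2)); None = not allowed
SFF_BANDS = (
    (0.99, (3, 4, 4)),      # >= 99 %
    (0.90, (2, 3, 4)),      # 90 % - < 99 %
    (0.60, (1, 2, 3)),      # 60 % - < 90 %
    (0.00, (None, 1, 2)),   # < 60 %
)


def safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU).

    This is the standard IEC 61508 definition (assumption: not stated on the
    slide). Rates may be in any consistent unit, e.g. failures per hour.
    """
    total = lam_sd + lam_su + lam_dd + lam_du
    if total <= 0:
        raise ValueError("failure rates must sum to a positive value")
    return (lam_sd + lam_su + lam_dd) / total


def achievable_sil(sff, hft):
    """Return the SIL the table allows, or None where the cell says 'not allowed'."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    if hft not in (0, 1, 2):
        raise ValueError("Table 3 covers HFT 0, 1 and 2 only")
    for lower_bound, sils in SFF_BANDS:
        if sff >= lower_bound:
            return sils[hft]
    raise AssertionError("unreachable: the 0.0 band matches every valid SFF")


def hft1_claim(lam_sd, lam_su, lam_dd, lam_du):
    """SIL claimable by a dual diverse path (HFT = 1), as in the PM/SM architecture above."""
    return achievable_sil(safe_failure_fraction(lam_sd, lam_su, lam_dd, lam_du), 1)


if __name__ == "__main__":
    # Constructed rates: 10 safe-detected, 10 safe-undetected,
    # 70 dangerous-detected, 10 dangerous-undetected (per 1e9 h).
    sff = safe_failure_fraction(10, 10, 70, 10)
    print(f"SFF = {sff:.0%}")
    for hft in (0, 1, 2):
        print(f"HFT {hft}: SIL {achievable_sil(sff, hft)}")
```

Note the band boundaries: an SFF of exactly 90 % lands in the "90 % - < 99 %" row, so the comparison is `>=` on the lower bound, and a claim for a single-channel device (HFT 0) with SFF below 60 % is refused outright rather than rounded down to SIL 1.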

Safety System Engineering – SIL Compliant Application Environment

§ Engineering tool automatically limits user configuration choices to ensure integrity

§ Safety functions protect and control download to the process and runtime environment

§ Download is prevented unless all SIL requirements are met

§ Embedded firewall mechanisms include:

§ CRC protection on different levels

§ Double code generation with comparison

§ Compiler with revalidation

Systematic Capabilities

§ Concept developed for systematic safety integrity compliance for elements and sub-systems

§ Replaces the term: “effectiveness against systematic failure”

§ Measure on a scale 1-4 that the systematic safety integrity of an element fulfills the given safety function

§ Considering the instructions stated in the safety manual

Source: IEC 61508

Aspect Server and Safety Application relationship – Difference Report – Avoid Unauthorized Changes

§ Reports the differences between the project running in the controller and the project in the Control Builder M

§ Presented before download to the controller

§ Changes may be rejected (in which case the download is cancelled)

§ Each difference report is saved and stored automatically and can be reviewed at any time

§ This, together with audit trail functionality and more, provides a well documented and traceable history
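The difference report and the download gate described above, together with the CRC protection and double code generation listed under the embedded firewall mechanisms, amount to a small control flow: diff the running project against the builder project, refuse the download unless every difference has been explicitly accepted, protect the image with a CRC the receiver recomputes, and file the report in the audit trail whether or not the download went ahead. The Python below is an added example illustrating that flow; it is not ABB code, the project layout and field names are assumptions, and the two project snapshots are constructed.

```python
"""Difference report, download gate and CRC-protected image.

Added example, not ABB code. Project structure and names are assumptions;
RUNNING and CANDIDATE are constructed sample projects.
"""
import json
import zlib
from dataclasses import dataclass

_MISSING = object()  # sentinel: object absent on one side of the comparison


@dataclass(frozen=True)
class Difference:
    path: str          # dotted path of the changed object
    running: object    # value in the project running in the controller (None if new)
    candidate: object  # value in the Control Builder project (None if deleted)


def _flatten(obj, prefix=""):
    """Flatten nested dicts into {dotted.path: leaf value}."""
    if not isinstance(obj, dict):
        return {prefix.rstrip("."): obj}
    out = {}
    for key, value in obj.items():
        out.update(_flatten(value, f"{prefix}{key}."))
    return out


def difference_report(running, candidate):
    """Every leaf that differs between the running and the candidate project."""
    a, b = _flatten(running), _flatten(candidate)
    return [Difference(p, a.get(p), b.get(p))
            for p in sorted(set(a) | set(b))
            if a.get(p, _MISSING) != b.get(p, _MISSING)]


def encode_download(project):
    """Deterministic serialisation with a trailing CRC32 (stand-in for the
    CRC protection on the download path)."""
    payload = json.dumps(project, sort_keys=True, separators=(",", ":")).encode()
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def verify_download(blob):
    """The receiving side recomputes the CRC before accepting the image."""
    payload, crc = blob[:-4], int.from_bytes(blob[-4:], "big")
    return zlib.crc32(payload) == crc


def double_generate_and_compare(project):
    """Generate the image twice and compare: a mismatch flags a faulty or
    non-deterministic code generator before anything reaches the controller."""
    return encode_download(project) == encode_download(project)


def gate_download(running, candidate, accepted_paths, audit_log):
    """Apply the difference-report rule: each difference must be explicitly
    accepted or the download is cancelled. The report is appended to the
    audit log in both cases so the history stays traceable."""
    diffs = difference_report(running, candidate)
    rejected = [d.path for d in diffs if d.path not in accepted_paths]
    allowed = not rejected and double_generate_and_compare(candidate)
    blob = encode_download(candidate) if allowed else None
    report = {
        "differences": [(d.path, d.running, d.candidate) for d in diffs],
        "rejected": rejected,
        "allowed": allowed,
        "image_crc_ok": verify_download(blob) if allowed else None,
    }
    audit_log.append(report)
    return allowed, report


# Constructed sample projects (not real 800xA project data).
RUNNING = {"esd_app": {"sil": 3,
                       "XV2_trip": {"delay_ms": 500, "voting": "1oo2"}}}
CANDIDATE = {"esd_app": {"sil": 3,
                         "XV2_trip": {"delay_ms": 250, "voting": "1oo2"},
                         "XV3_trip": {"delay_ms": 500, "voting": "1oo2"}}}

if __name__ == "__main__":
    log = []
    for d in difference_report(RUNNING, CANDIDATE):
        print(f"{d.path}: {d.running!r} -> {d.candidate!r}")
    print("unreviewed download allowed:", gate_download(RUNNING, CANDIDATE, set(), log)[0])
    accepted = {d.path for d in difference_report(RUNNING, CANDIDATE)}
    print("reviewed download allowed:", gate_download(RUNNING, CANDIDATE, accepted, log)[0])
    print("audit entries:", len(log))
```

The gate treats an unreviewed change as a reason to cancel, not to warn: a rejected download still leaves a report in the log, which is what makes an attempted unauthorized change visible afterwards.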

Safety and Network Security

§ Safety:

Freedom from unacceptable risk of physical injury or of damage to the health of people, either directly or indirectly as a result of damage to property or to the environment.

IEC 61508

§ Security:

Preventing intentional or unintentional interference with the proper and intended operation, or inappropriate access to confidential information in industrial automation and control systems

ANSI/ISA–99.00.01–2007

Safety Engineering on common Client/Server Network – Physical Access Control on SM811

§ Reset All Forces – Enable a quick reset of all forces in the controller

§ Access Enable – Activates the access enable function

§ Hot insert – Initiates hot insertion of SM811 (in redundant configuration)

§ Force Indicator – Active if one or more signals are in force

§ System Alarm Indicator – Active if there are one or more system alarms

Front panel labels: “Reset all forces”, Hot Insert, Force Indicator, System Alarm

Safety Engineering on common Client/Server Network – System Security And Embedded Firewalls

§ Provides functions for protection of SIL classified applications in AC800M HI Controllers

§ SIL Access Control and Authorization

§ Force Control / Override Control / Bypass Management

§ Confirmed Online Write / Confirmed Operation

§ Embedded firewalls and confirmation procedures protect the SIL application from inadvertent / accidental control actions

Safety Engineering on common Client/Server Network – User Roles & Responsibilities

§ Users can be assigned with different permissions according to their responsibilities

§ Users can be assigned access from specific stations

§ Restriction of access to the SIS (operation and engineering)

§ High flexibility

Permission matrix (columns, as on the slide: Process Operator, Safety Operator, Process Engineer, Safety Engineer; X marks a granted permission):

Operate PCS: X

Operate SSS: X X

Engineer PCS: X

Engineer SSS: X

Aspect Server and Safety Application relationship – Impact in terms of segregation

§ The Safety Application runs on the Safety Controller and is functionally independent of the Aspect Server

§ Aspect Servers in Oil & Gas applications are redundant

§ Engineering data is stored on a protected section of the Aspect Server

§ Safety engineering data is protected

§ Access is limited to those users with the appropriate access permission

§ Backup is handled on a regular basis

§ Malware protection

§ Audit Trail capabilities

Secure by Default, Defense in Depth – Certified SIL3 Communication

§ SIL3 certified (IEC 61508) Communication Concepts

§ Access Control with Physical Key switch Controlling configuration changes

§ SIL3 Peer-to-peer (Controller to Controller)

§ Safe Online Write (Operator Workplace to Controller)

§ Safe Project Download (Engineering Workstation to Controller)

800xA 5.1 Feature Pack 4 Integrated Safety – SIL IAC Support

§ Use of Inter-Application Communication (IAC) is now certified for communications between safety applications

§ Reduces engineering effort

§ Reduces controller load

§ Improves performance by 15% for split applications or significant peer to peer communications (over MMS)

§ Excellent alternative for large or distributed safety applications (ex. Oil and Gas Platforms and FPSO)

Reference: 3BUS095709 SIL IAC Datasheet

800xA 5.1 Feature Pack 4 Integrated Safety – Safe Online Write Definition

§ When operating a SIL application, all operations on writeable OPC properties must be confirmed by the operator. (IEC61508 / IEC61511)

§ Provides operators with a visual feedback and requires them to confirm the operation before execution

§ For example, forcing or bypassing a safety measure

§ Similar functionality in other safety systems requires extensive custom programming

§ Part of all SIL classified control modules and function blocks in 800xA

800xA 5.1 Feature Pack 4 Integrated Safety – Remote Safe Online Write

§ TUV certified method for Safe Online Write (SOW) between multiple systems (diagram: Remote System – VPN Tunnel – Target System)

§ Confirmed Online Write from a remote station via secure (VPN) connection

§ For use with Multi-System Integration with High Integrity Safety Systems

§ Documented in 800xA Safety Manual (3BNP004865)

§ NOTE: This method is also used for Independent High Integrity when connected to any non-800xA HMI
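The Safe Online Write definition above (every write to a writeable OPC property of a SIL application is shown back to the operator and must be confirmed before it executes) and the role and station based access control from the User Roles slide combine naturally into one request/confirm broker. The Python below is an added example of such a broker, written for this page; it is not ABB code and does not reproduce the 800xA implementation. The permission matrix and station names are constructed assumptions (the slide's own X placement is not fully legible), and the clock is injectable so the confirmation timeout can be exercised offline.

```python
"""Role/station access check plus two-step confirmed online write.

Added example, not ABB code. PERMISSIONS, STATION_ROLES and the property
names are constructed assumptions.
"""
import secrets
import time

# Constructed permission matrix in the spirit of the slide's role table.
PERMISSIONS = {
    "process_operator": {"operate_pcs"},
    "safety_operator": {"operate_sss"},
    "process_engineer": {"engineer_pcs"},
    "safety_engineer": {"engineer_sss"},
}
# Station binding: a role may only act from specific (assumed) stations.
STATION_ROLES = {
    "PCS-OWS1": {"process_operator", "process_engineer"},
    "SIS-OWS1": {"safety_operator", "safety_engineer"},
}


class PermissionDenied(Exception):
    pass


class ConfirmedWriteBroker:
    """Writes to SIL-classified properties go request -> echo -> confirm."""

    def __init__(self, timeout_s=30.0, clock=time.monotonic):
        self.timeout_s = timeout_s
        self.clock = clock
        self.values = {}    # property -> current value (stand-in for the controller)
        self.pending = {}   # token -> pending write awaiting confirmation
        self.audit = []     # every request, confirm and reject, for the audit trail

    def _check_access(self, role, station, operation):
        if role not in STATION_ROLES.get(station, set()):
            raise PermissionDenied(f"{role} may not act from {station}")
        if operation not in PERMISSIONS.get(role, set()):
            raise PermissionDenied(f"{role} lacks {operation}")

    def request(self, user, role, station, prop, value, sil_classified=True):
        """Stage a write; returns a one-time token and the echo the HMI must display."""
        operation = "operate_sss" if sil_classified else "operate_pcs"
        self._check_access(role, station, operation)
        token = secrets.token_hex(8)
        self.pending[token] = {"user": user, "prop": prop, "value": value,
                               "expires": self.clock() + self.timeout_s}
        self.audit.append(("request", user, station, prop, value, token))
        return token, {"property": prop, "value": value}

    def confirm(self, token, user, prop, value):
        """Execute the staged write only if the operator confirms exactly what
        was echoed, from the same user, before the timeout. Any mismatch
        discards the staged write; the token is single use either way."""
        staged = self.pending.pop(token, None)
        ok = (staged is not None
              and staged["user"] == user
              and staged["prop"] == prop
              and staged["value"] == value
              and self.clock() <= staged["expires"])
        if ok:
            self.values[prop] = value
        self.audit.append(("confirm" if ok else "reject", user, prop, value, token))
        return ok


if __name__ == "__main__":
    broker = ConfirmedWriteBroker()
    token, echo = broker.request("alice", "safety_operator", "SIS-OWS1", "XV2_bypass", True)
    print("operator sees:", echo)
    print("confirmed:", broker.confirm(token, "alice", "XV2_bypass", True))
    print("controller now holds:", broker.values)
```

Two design points carry the safety argument: the confirmation must repeat the property and value rather than just the token, so a stale or mis-rendered display cannot be acknowledged blindly, and a failed confirmation consumes the token, so a write can never be executed by a later retry of an earlier staged request.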

800xA 5.1 Feature Pack 4 Diagram Editor for SIL Applications

§ TUV certified engineering environment for safety applications

§ Easy SIF configuration

§ Supports Low to High SIL Communications

§ A ”Lower SIL” communication variable is indicated by different color and “Expected SIL”

Diagram notes: SDValve is a SIL3 certified Function Block from standard library SupervisionBasicLib; communication variable of same or higher SIL; Variables (local)

TUV certified, easy to configure engineering environment for safety applications!!

800xA SV6.x High Integrity – New Safety Controller

§ New More Powerful Safety Controller

§ PM867/SM812

§ SIL3 certified

§ Execution performance: 1.5x of the PM865/SM811 HI Controller

§ Twice the memory of the PM865 (32MB -> 64MB)

§ Form factor same as PM865/SM811 HI Controller

§ Number of SIL IO points: 450

§ Release end of 2014

800xA High Integrity Controller Lifecycle Plan – Support installed base and reduce lifecycle cost

Roadmap 2014 – 2018+:

High-end: PM867/SM812

PM865/SM811 → PM865A/SM811A

Small HI: PM855/SM811


System 800xA High Integrity – Integrated Process Control and Safety

§ Centralized Historian and Data Archiving

§ Same operations interface and plant-wide engineering

§ Sequence of Events

§ Common system, therefore reduced spare parts, training etc…

§ Process control and safety in the same HI controller, or process control and safety running in separate controllers

§ Common, integrated asset management strategy

What are the benefits of ICSS to Operations? Better response to abnormal conditions

§ Integrated control and safety system implementations enable end-users to fully leverage the capabilities of the BPCS (800xA)

§ Information Management

§ Reporting

§ Alarm Management

§ Sequence Of Events

§ Asset Optimization

§ Engineering

§ Etc.

Integration must be designed to avoid Common Cause Failures

Thanks to a Common Operation Environment… …Operator can take timely action

Monitor the Process and respond to Abnormal Conditions

More Efficient and Effective Troubleshooting – Safety relevant information is readily available

§ Alarms, Events, Audit Trail, and SOE displays for root cause analysis

§ Real-time information

§ Standard functionality for inhibiting of specific safety functions

§ Status supervision of Safety System Elements

§ Flexible Report Creation and Scheduling

§ Valve Leak Test, Verification, Automatic Shutdown Reporting, SIL status

Are ICSS Good, Bad or Ugly? Advantages and Challenges

Advantages:

§ Lower engineering & lifecycle cost

§ Lower training & maintenance expenses

§ Easier time synchronization

§ Improved asset & event management

Challenges:

§ Increased risk of common cause failures

§ Need careful design to ensure that BPCS failure does not affect SIS

§ Greater management challenges

All personnel involved with safety systems shall be sufficiently competent… …and follow an appropriate Functional Safety Management System

Source: ARC, The Coming Wave of Safety Systems Migration

The Advantage of Integrated vs. Interfaced – System view

§ Potential common causes are analyzed and minimized during the design phase by the product development team and independently reviewed by the assessor during the certification of the product

§ Access control is implemented as a standard off-the-shelf feature including write protection and bypassing and override mechanism

§ Integrated testing is performed during the design validation and verification test, which includes also Network Security as part of the test protocol

§ Version control, compatibility and interoperability testing are all part of the release procedure

Figure labels: TUV Certificate; TUV Technical Report

Safety Systems – New Offering – Independent High Integrity (HI)

§ HI Hardware

§ TUV certified SIL 3 controller (single)

§ 24 VDC DC I/O and 4-20 ma Analog inputs

§ Control Builder Safety

§ IEC1131 languages

§ Access control and override control

§ Certified Libraries

§ Safety and Supervision

§ Application (F&G, BMS)

§ Connectivity and Interfacing

§ ABB Control systems

§ 3rd party software and DCS control systems

§ Diagnostics / Audit Trail

Figure: Small Independent HI system with engineering

Independent High Integrity (HI) – Connectivity and Interfacing

§ Available protocols…

§ Safety Peer to Peer

§ Modbus TCP

§ RS232

§ OPC

§ ABB protocols

§ …to connect to…

§ AC800M HI controllers

§ Process panels

§ ABB or 3rd party DCS & PLC

§ 3rd party HMI software


Emergency Shutdown Systems – ESD

Figure labels: PSD (Primary Protections); LAHH / LSW level switches on the Separator; Logic Solver raises HH Alarm; SIF execution; ESD1 trips valves XV2 and XV3; Shutdown Executed

Fire & Gas System – F&G System Configuration Example

Figure labels: Control Room; Living Quarters; Serial Communication link; Local Fire Alarm System; HVAC; Sprinkler; Addressable fire detection loop; Gas Processing

Boiler Management System – BMS – 800xA HI Example System Configuration

Figure labels: two Operator Workplaces; Emergency Off Pushbutton; AC800M HI (BMS Controller); AC800M (DCS Controller)

SIL3 Burner / Boiler Management

§ Sequence control

§ Fuel block valves proved closed

§ Absence of flame proved

§ Pre-purge flow proved

§ Pre-purge timer complete

§ Shutdowns/trips

§ Loss of flame

§ Loss of combustion air

§ Low fuel pressure

§ High fuel pressure

§ Loss of actuating energy

§ Power failure

§ Excess process pressure or temperature

References – Statoil – Troll A Platform

Customer: Statoil

Site: Troll A Platform

Application: ESD (SIL3)

Size: 2 Controllers / 550 IO

Operational: June 2009

The Troll A platform is an offshore natural gas platform in the Troll gas field. It is the tallest construction that has ever been moved to another position, relative to the surface of the Earth, and is among the largest and most complex engineering projects in history.

References – Dong Energy – Nybro Gas Storage

Customer: Dong Naturgas

Site: Nybro Gas Storage

Application: ESD (SIL3)

Operational: August 2009

The Nybro storage facility receives and handles gas produced in fields in the Danish sector of the North Sea

References – Power Generation – Gas Processing Facility

Customer: Spectra Energy

Site: Canada

Application: HIPPS (SIL3)

Size: 1 controller

Operational: August 2009

The 800xA High Integrity system has been implemented as a High Integrity Pressure Protection System (HIPPS) at a gas processing facility.

Safety System Market – ABB is different (in many ways)

Experience:

§ 30 years in Safety

§ Market acceptance globally

Expertise:

§ Hundreds of CFSEs

Technology:

§ Diverse and flexible architecture

§ TUV certified for SIL3 with single controller

§ Redundancy for availability

§ Combined control and safety option

§ Product offerings for entire SIS loop

Safety Execution Centers (SEC):

§ Global Consulting

§ Lifecycle Support

§ Hazops and SIL assessments

§ Functional Safety Management System

§ SRS development

§ Training

Product Group Safety Update – Resources

§ Safety Channel on Process Automation YouTube site

§ ABB’s Power of Integration Knowledge Center

§ Safety eGuides on Control Engineering

§ Safety Conferences and webcast
