Chapter 3 - Introduction to the Safety ePAC 91

e. Go to the Security tab and click the Unlock Security button. This disables all Cybersecurity features during the project development stage.
Note: Unlock Security is intended for the development phase only; re-enable the security settings before the application is put into service.
f. Validate the changes.

3. Set up the CPU to Automatic start in Run
a. From the Project Browser, double-click the Configuration item.
b. Double-click the Safety CPU.
c. Tick the check box to select Automatic start in Run as shown below:
d. Validate the changes.

Configuration Training
4. Create the Remote drop without any I/O modules
a. From the Project Browser, double-click the EIO Bus item.
b. Double-click the Bus placeholder.
c. Select the correct Ethernet Rack and Drop End Communicator to match the simulator. Click the OK button. Remember to select the correct Drop End Communicator to support the Safety ePAC.
The Drop is created and the CRA is added by default.

Modicon M580 Safety
5. Add the Power Supply to the Rack
a. Double-click on the power supply slots.
Hints & Tips: As a rule of thumb in a Safety ePAC application, all Safety Remote I/O drops MUST be fitted with Safety power supply modules.
b. Select the appropriate Power Supply. If redundant power supply modules are used, install two units onto the rack. Click the OK button.
c. The power supply module(s) are added to the Rack:
6. Connect the hardware for a daisy chain loop
a. Take a short blue patch cable and connect the ETH2 port of the Safety ePAC CPU to ETH3 on the BME CRA 312 10.
b. In the same manner, loop back by connecting ETH3 of the Safety ePAC CPU to ETH2 of the BME CRA 312 10 with another short blue patch cable.
c. Observe the LED behaviour of both the Safety ePAC and the CRA.
Hints & Tips: The short blue patch cables will be used for the Main Ring connections throughout this course.
7. Configure the IP Address for the drop
a. Open the Ethernet Port properties of the M580 CPU from the PLC Bus.
b. Click the IP Config tab.
c. Click the link Update CRA IP address configuration. The network manager opens.
d. By default the new drop has been added and should be set to IP Address A + 1; if this is not the case, change it accordingly. It should be 192.168.11.X2.
e. Validate the configuration.
f. Using a screwdriver, set the role name of the CRA on its rotary switches. As only one CRA is configured, the role name is BMECRA_001, which means that 001 has to be set on the rotary switches.
g. Power cycle the CRA every time the rotary switch positions are changed.

8. Build and transfer the application
a. Build the application.
b. Rectify any error(s).
c. Save the application as M580_Safety.stu.
d. Connect a USB cable to the M580 Safety CPU.
Note: If using a Virtual Machine, make sure the VM has focus before connecting the USB cable, as this enables the USB connection in the Virtual Machine.
e. Transfer and Run the application.
f. Make sure the RUN LED on the front panel display of the CPU is lit.
g. Rectify any error(s).

9. Update the Real-Time Clock of the Safety CPU
a. Make sure EcoStruxure™ Control Expert V15 for Safety is connected to the Safety CPU. From the hardware configuration screen, double-click on the Safety CPU.
b. Click the Animation tab.
c. Click the "Update PC → PLC" button to update the real-time clock of the Safety CPU.
Note: With CPU firmware 3.10 or earlier, the M580 Safety CPU uses the BLACK CHANNEL to synchronise with the CRA modules, so the CPU time MUST be set to a valid date/time even if the CPU is configured as an NTP Server or NTP Client. Otherwise the Safety I/O modules on the Remote I/O drop will STOP operating some hours after a power cycle, because the CPU time restarts in the year 1970 while the CRA modules may still hold the current date and time. When the discrepancy exceeds 2 seconds, the SafeCom RTC keeps its previous values.
With CPU firmware 3.20 or later, safe time synchronisation is based on an internal, "monotonic" clock. The safe communication DOES NOT need NTP time synchronisation, because the CPU shares its safe time with all its local and remote I/Os. The BM•CRA31210 must have firmware 2.60 or later for this to work. It remains good practice to update the CPU real-time clock.
d. When done, save the application and disconnect from the CPU.
SIL 3 POWER SUPPLY MODULES
All standard power supply modules supported for the M580 CPU CANNOT be used with the Safety ePAC CPU, as they are Type 2 non-interfering modules. All safety power supply modules can work with all M580 CPU models, including the Safety ePAC CPU:
➢ BMX CPS 4002S – 100..240Vac
➢ BMX CPS 4022S – 24..48Vdc
➢ BMX CPS 3522S – 125Vdc
All of the above safety power supply modules can be mixed on the same rack and can be fed from different voltage sources.
The only difference between the non-safety and Safety power supply modules is the TÜV Rheinland certification. The power supply circuitry has been reviewed and verified by TÜV Rheinland and certified not to compromise any safety function when used in safety applications. The backplane output voltage, 24Vdc, will never exceed 30Vdc, in order to be compliant with safety configurations up to SIL 3. This function provides two independent and different protection systems to detect an over-voltage reaching 30Vdc. The power supply safety function is active on both Master and Slave power supply modules on the backplane.
The general characteristics of the safety power supply are shown below:
Note: The Safety power supply module is TÜV Rheinland certified. Because it presents a negligible dangerous failure rate (<1% of the SIL 3 target), it is not included in SIL calculations for the safety loop. As a consequence, neither PFH nor PFD are provided for the module. The CPU and I/O detect power supply errors; therefore the power supply does not contribute to the PFD/PFH values.
REDUNDANCY PRINCIPLE
For redundancy requirements, two power supply modules are used in the Redundant Power Supply Backplanes. Existing BMX CPS modules cannot be used on these redundant power supply racks.
A microcontroller manages the communication between the two power supply modules and with the CPU via the Ethernet backplane. It provides advanced diagnostics and over-voltage detection, and determines which power supply module takes the role of MASTER.
➢ Delivers 40W at 24Vdc and 15W at 3.3Vdc on the backplane
➢ Protection circuit to prevent the backplane voltage from exceeding 30Vdc (validated by TÜV)
➢ Compatible with single power supply racks (BMX and BME), but then works as a standard standalone power supply module
➢ Requires a dual power supply Ethernet backplane rack for installing two power supply modules for redundancy
➢ Can be installed in a local or remote drop rack
➢ Compatible with all M580 CPUs, including the Safety ePAC CPU
Note: As a rule of thumb, in any safety application, all Safety remote I/O drops SHOULD be powered by a Safety power supply module. It is highly recommended to HAVE the Safety CPU and Coprocessor powered by a Safety power supply module.
DISPLAY PANEL
Description of the LEDs on the Display Panel:
ACTIVE
  ON - Module is in MASTER mode
  OFF - Module is in SLAVE mode
OK
  ON - All output voltages working correctly; Reset button not active
  OFF - 24Vdc & 3.3Vdc not O.K.; Reset button active
RD (Redundancy)
  ON - 24Vdc & 3.3Vdc are O.K.; Reset button not active
  OFF - One of the power supply modules stopped operating; Reset button active
Note: During the module auto-test mode, the ACTIVE and RD displays blink. At the initial power-up, the "MASTER" is the module located at the left-most position of the backplane.

ALARM RELAY TERMINAL BLOCK
Description of the Alarm Relay terminal block:
➢ Contact type: Normally open
➢ Rated: 24Vdc 2A; 240Vac 2A
➢ Plug terminal block, 2 points with screw flange
Table of Relay action:
Relay Contact Closed - all of the following conditions fulfilled:
• 24Vdc - O.K.
• 3.3Vdc - O.K.
• CPU no blocking error
• PLC in RUN mode
• RESET button NOT active
Relay Contact Open - any of the following conditions abnormal:
• 24Vdc - not O.K.
• 3.3Vdc - not O.K.
• CPU blocking error
• PLC in STOP mode
• RESET button active
RESET BUTTON
The reset signal generated by the button will:
➢ activate the backplane reset signal, which forces a reset of the CPU module
➢ generate an initialization sequence of all modules with a COLD START status
➢ force the ALARM relay contact to the open state
➢ force the "OK" LED to be switched off
HAZARD OF ELECTRIC SHOCK
Do not touch the Reset button directly. Use an insulated tool to press the Reset button. Failure to follow these instructions can result in death, serious injury, or equipment damage.
CHARACTERISTICS - EXAMPLE FOR BMX CPS 4002S
The function of the Safety Power Supply module is to convert the primary AC power line into two non-interfering output voltages distributed through the backplane to supply all the modules:
➢ 24Vdc; 1.67A; 40W
➢ 3.3Vdc; 4.5A; 15W
The characteristics of the BMX CPS 4002S module are shown below:
Input characteristics
  Nominal Voltage: 100...240Vrms
  Voltage range: 85...132Vrms / 170...264Vrms
  Frequency range: 47...63Hz
  Masked input power outages: Max 10ms @100Vrms -15% & @200Vrms -15%
  Typical Input apparent Power: 130VA @25°C
  Typical input current: 1.1Arms @115Vrms / 0.55Arms @230Vrms
  Inrush Current @ first start-up:
    Peak: 30Arms @115Vrms / 60Arms @230Vrms
    I²t (for rating external fuse): 1A²s @115Vrms / 4A²s @230Vrms
    It (for rating external breaker): 0.1As @115Vrms / 0.15As @230Vrms
  Integrated Protection: Internal non-accessible fuse located on L input
Output Characteristics
  MAX 3V3_BAC output current: 4.5A (15W)
  MAX 24V_BAC output current: 1.67A (40W)
  MAX Total output power: 40W only on 24 bac
  Protection - Overload: Yes - Disjunction
  Protection - Short-circuit: Yes - Disjunction
  Protection - Overvoltage: Yes - Disjunction
MASTER / SLAVE MANAGEMENT
Each power supply module, in master or slave mode, always checks the 24Vdc and 3.3Vdc voltage levels. If one of these measurements is out of range, the module is declared abnormal and a signal is sent for the other module to take over.
➢ After an initial power-up, the power supply module at the left-most position of the backplane takes the role of MASTER.
➢ When an error is detected in the MASTER, the SLAVE takes the role of master and keeps this state even if the MASTER is replaced by a new one. If a new power-up occurs, the current master keeps this role and the other module will be in slave mode.
HAZARD OF ELECTRIC SHOCK
The Power Supply Module CANNOT be hot swapped, i.e. it must be powered OFF when it is plugged into the backplane or extracted from the backplane. It is allowed to plug an UNPOWERED power supply module onto a rack that is powered by the other power supply module, BUT it is NOT ALLOWED to mount or extract a live, connected power supply module. Failure to follow these instructions can result in death, serious injury, or equipment damage.
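As an added illustration (this is example code, not from the training manual or from Schneider Electric), the Python model below reproduces the master/slave role rules just described together with the LED and alarm relay behaviour from the Display Panel section. The class and method names are the example's own, the rack is assumed to hold exactly two modules, and the backplane 24Vdc / 3.3Vdc used for the relay decision are assumed to be those of the module currently acting as MASTER.

```python
"""Added example: a behavioural model of the redundant safety power supply rules
in this chapter (master/slave role management, front-panel LEDs, alarm relay).
Class and method names are this example's own; the real modules implement this
in a microcontroller on the redundant PWS backplane, not in software like this."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PowerSupply:
    slot: int             # backplane position; 0 is the left-most slot
    v24_ok: bool = True   # 24Vdc output within range
    v3v3_ok: bool = True  # 3.3Vdc output within range

    def healthy(self) -> bool:
        """A module is declared abnormal when either output is out of range."""
        return self.v24_ok and self.v3v3_ok


class RedundantRack:
    """Two power supply modules on one redundant PWS Ethernet backplane."""

    def __init__(self, supplies: List[PowerSupply]) -> None:
        self.supplies = sorted(supplies, key=lambda s: s.slot)
        self.master_slot: Optional[int] = None
        self.reset_active = False

    def master(self) -> Optional[PowerSupply]:
        return next((s for s in self.supplies if s.slot == self.master_slot), None)

    def power_up(self) -> int:
        """Initial power-up: the left-most module becomes MASTER.
        Any later power-up: the current master keeps its role."""
        if self.master() is None:
            self.master_slot = self.supplies[0].slot
        return self.master_slot

    def scan(self) -> int:
        """One check cycle: if the MASTER is abnormal, a healthy SLAVE takes
        over and keeps the role afterwards."""
        m = self.master()
        if m is None or not m.healthy():
            for s in self.supplies:
                if s is not m and s.healthy():
                    self.master_slot = s.slot
                    break
        return self.master_slot

    def replace(self, slot: int, new_module: PowerSupply) -> None:
        """Swap an (unpowered) module. The role is not handed back: the new
        module in the old master's slot starts as SLAVE."""
        others = [s for s in self.supplies if s.slot != slot]
        self.supplies = sorted(others + [new_module], key=lambda s: s.slot)

    def leds(self) -> Dict[int, Dict[str, bool]]:
        """ACTIVE: on in MASTER mode. OK: this module's outputs OK and Reset
        not active. RD: both modules operating and Reset not active."""
        redundancy = (len(self.supplies) == 2
                      and all(s.healthy() for s in self.supplies)
                      and not self.reset_active)
        return {s.slot: {"ACTIVE": s.slot == self.master_slot,
                         "OK": s.healthy() and not self.reset_active,
                         "RD": redundancy} for s in self.supplies}

    def alarm_relay_closed(self, cpu_blocking_error: bool, plc_in_run: bool) -> bool:
        """Relay contact closed only when every condition in the relay table
        holds; any abnormal condition opens it. Backplane 24Vdc / 3.3Vdc are
        assumed to come from the module currently acting as MASTER."""
        m = self.master()
        return (m is not None and m.v24_ok and m.v3v3_ok
                and not cpu_blocking_error and plc_in_run
                and not self.reset_active)

    def press_reset(self, pressed: bool) -> None:
        """Reset button: while pressed it opens the relay and switches OK off."""
        self.reset_active = pressed


def role_scenario() -> List[int]:
    """Walk the chapter's sequence; returns the MASTER slot after each step."""
    rack = RedundantRack([PowerSupply(0), PowerSupply(1)])
    trace = [rack.power_up()]            # slot 0 (left-most) becomes MASTER
    rack.supplies[0].v24_ok = False      # 24Vdc fault on the master
    trace.append(rack.scan())            # slot 1 takes over
    rack.replace(0, PowerSupply(0))      # faulty module swapped while unpowered
    trace.append(rack.scan())            # slot 1 keeps MASTER
    trace.append(rack.power_up())        # new power-up: current master keeps role
    return trace


if __name__ == "__main__":
    print("MASTER slot after each step:", role_scenario())  # [0, 1, 1, 1]
```

The point of the trace is the last two steps: once the slave has taken over, neither replacing the faulty module nor a new power-up hands the MASTER role back, which is what a technician reading the ACTIVE LEDs after a swap should expect.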
DIAGNOSTICS EFB
The Safety Power Supply, in redundant operation, has command (PWS_CMD) and diagnostic (PWS_DIAG) features, accessible only in the MAST task (non-safety program area) with the EcoStruxure™ Control Expert V15 for Safety Elementary Function Blocks:
➢ Ambient temperature, voltage and current on 3.3Vdc and 24Vdc
➢ Operating time as master or slave since last power-on
➢ Operating time as master or slave since manufacturing
➢ Remaining time before preventive maintenance
➢ and many more …
A microcontroller manages the communication between the two power supply modules and with the CPU (or eCRA) via the Redundant PWS Ethernet Backplane. It provides advanced diagnostics and determines which power supply module is to be MASTER. The power delivery is hardwired in such a way that the firmware cannot inadvertently switch off both supplies.
POWER SUPPLY MAINTENANCE LIBRARY
The Power Supply Maintenance Library provides advanced diagnostics Elementary Function Blocks (EFB) for redundant power supplies installed in:
➢ An Ethernet main rack that contains an M580 CPU, or
➢ A Remote Drop rack with an Ethernet backplane.
These advanced diagnostics cannot be executed on a BMX extension rack with an X-bus backplane, and will not work in an Ethernet remote drop scanned by a Quantum CPU.
The advanced diagnostics EFBs are:
➢ PWS_DIAG - Redundant Power Supply Diagnostics
➢ PWS_CMD - Redundant Power Supply Control
Note: The redundant power supplies function is available on M580 CPUs with OS firmware V2.10 or later.
PWS_DIAG - DIAGNOSTICS
The PWS_DIAG function block is used to read the status of redundant power supplies in a main local rack or a remote drop rack with an Ethernet backplane.
Note: The IP_ADDRESS pin parameter value depends on the location of the redundant power supplies:
➢ Local CPU rack: leave the parameter empty, use a variable with an empty string, or enter the IP address of the CPU.
➢ Remote Drop rack: enter the IP address of the communication adapter of the rack that contains the power supply modules.
The diagnostic information of the power supply is interpreted with the data type "PWS_DIAG_DDT".
EXAMPLE OF USE - PWS_DIAG
The example below shows simple logic used to retrieve the diagnostic information from the two redundant power supplies using the PWS_DIAG function block. The graphical part is an extract of the Operator Screen.
PWS_CMD - CONTROL
The PWS_CMD function block is used to command the redundant power supplies in an M580 ePAC main local or remote drop rack with an Ethernet backplane. The PWS_CMD function block provides the following commands:
➢ Swap the MASTER and SLAVE roles of the power supplies
➢ Retrieve the status of the redundant power supplies
➢ Clear the diagnostic counters
The function block is commanded via the DDT type "PWS_CMD_DDT". When the command code = 2, the results from the function block can be extracted from the DATA pin via the DDT type "PWS_DATA_DDT"; its left and right PWS DDT members have the same structure as in PWS_DIAG - Diagnostics (page 105). When the command code = 1 or 3, the DATA pin needs to be declared as UINT.
Note: The IP_ADDRESS pin parameter value depends on the location of the redundant power supplies:
➢ Local CPU rack: leave the parameter empty, use a variable with an empty string, or enter the IP address of the CPU.
➢ Remote Drop rack: enter the IP address of the communication adapter of the rack that contains the power supply modules.
EXAMPLE OF USE - PWS_CMD (GET DIAGNOSTICS)
The example below shows simple logic used to retrieve the diagnostic information from the two redundant power supplies using the PWS_CMD function block. The graphical part is an extract of the Operator Screen.
EXAMPLE OF USE - PWS_CMD (SWAP COMMAND)
The example below shows simple logic to send the command that switches the MASTER and SLAVE roles between the two redundant power supplies using the PWS_CMD function block.
CYBERSECURITY IN SAFETY
Cybersecurity is a branch of network administration that addresses attacks on or by computer systems and through computer networks that can result in accidental or intentional disruptions. The objective of cybersecurity is to provide increased levels of protection for information and physical assets from theft, corruption, misuse, or accidents while maintaining access for their intended users. Cybersecurity is an ongoing process that encompasses procedures, policies, software, and hardware.
AUTOMATION SOLUTIONS
Cybersecurity for automation solutions is a concept that has been getting increased attention over the last decade. In the past, security was not a major concern because automation systems used proprietary components and were isolated from other networks within the business. Today, many automation systems are comprised of commercial off-the-shelf components, including Ethernet networking and Windows operating systems. In addition, legacy products are being updated to operate in these new network environments. The consequence is that formerly closed systems are suddenly connected to open enterprise networks and the Internet, exposing improperly protected systems to modern IT threats or Cyber Attacks.
CYBER ATTACK PROFILE
Cyber attacks on the control network system can come from a number of sources:
➢ Internal (employees, vendors and contractors):
  o Accidental events
  o Inappropriate employee/contractor behaviour
  o Disgruntled employees/contractors
➢ External opportunistic (non-directed):
  o Script kiddies
  o Recreational hackers
  o Virus writers
➢ External deliberate (directed):
  o Criminal groups
  o Activists
  o Terrorists
  o Agencies of foreign states
The intent of cyber attacks on a control system is to:
➢ Disrupt the production process by blocking or delaying the flow of information.
➢ Damage, disable or shut down equipment to negatively impact production or the environment.
➢ Modify or disable safety systems to cause intentional harm or death.
Most cyber attacks that penetrate the control network system originate from the enterprise system, followed by the Internet and trusted third parties.
CHALLENGES WITH FUNCTIONAL SAFETY AND CYBERSECURITY
Industrial control systems are designed for safe operation. Extensive hazard analyses are conducted and safety systems are deployed to limit the impact of operator errors, device failures, and control malfunctions. Cyber attacks add new, non-deterministic challenges that need to be considered in all of these efforts.
Most of the standard automation networks have introduced safety profiles for use over their standard network. These Safety Profiles allow safe and standard components to rely on the same network. Now, the combination of automated control and functional safety on the same network helps to eliminate the redundant cost and effort associated with separate standard and safety networks.
In continuous process industries, the safety networks are traditionally proprietary, and are often separated from control networks. Such industries still prefer to operate peer-to-peer safety networks, exchanging interlock signals and critical data between safety systems. Network segregation can help avoid network overload, which can degrade data transfer speeds, and also works as a cybersecurity measure.
Cybersecurity shall be another important subject in dealing with risk management in industrial control systems. There is no safety without security. If a security risk exists via interfaces or integration, the integrity of Functional Safety is in jeopardy.
➢ Security is a key underpinning element of the system's availability and integrity, which is related to PFD: if the system is not protected against unauthorized changes, malicious or otherwise, then the logic solver PFD is degraded to values above the vendor-published Logic Solver PFD data.
Safety and Security deserve similar consideration as key drivers to manage and reduce adverse events.
➢ Avoiding impacts on Health, Safety and the Environment while maintaining production and compliance with local and global regulations.
Safety and Security focus on different problems, causes and consequences.
➢ It is no longer possible to be truly safe without also being secure.
ACHILLES SECURITY
The main Cybersecurity feature implemented in the M580 is the inclusion of functionality that achieves the Achilles Level 2 Resilience requirements.
ABOUT ACHILLES
Achilles® Communications Certification provides an industry-leading benchmark for the secure development of the applications, devices and systems found in critical infrastructure. The certification process presents device manufacturers with an independently verified result to communicate their product security to customers, while providing the operators of control systems with the most complete, accurate, and trustworthy information possible about the network resilience of their deployed products.
Four types of products can be Achilles™ Certified:
➢ Embedded Devices:
  o A special-purpose device running embedded software designed to directly monitor, control or actuate an industrial process.
➢ Host-based Devices:
  o A general-purpose device running an operating system capable of hosting one or more applications, data stores or functions.
➢ Control Applications:
  o Software programs executing on the infrastructure (embedded, host and network devices) that are used to interface with the process.
➢ Network Components:
  o A device that moves data from one device to another or restricts the flow of data, but does not directly interact with a control process.
LEVEL 2 TESTS
The system is intensively tested under Ethernet services & protocols such as ARP, ICMP, TCP, UDP, IP... When the Achilles Level 2 option is Enabled, extra checks are carried out to ensure the robustness of the M580. For example, an Ethernet packet sent with garbage data should not cause any problem to the M580, as there is a level of resilience built into the M580 to prevent this type of behaviour from affecting the running of the processor. In the same way, if too many Ethernet packets are sent, also known as a broadcast storm, the M580 should recover and continue to work when the broadcast storm has disappeared.
CYBERSECURITY IN CONTROLLERS
EcoStruxure™ Control Expert V15 for Safety extends the Cybersecurity protection to the Safety ePAC and M340 PLCs. The M580 and M340 controllers are the most advanced PACs ever provided by Schneider Electric in terms of Cybersecurity. The programmer can close portals that are not being used to prevent unauthorised entry, just as the M580 CPU does. With this new security, Schneider Electric provides the highest level of protection against various cyber attacks.
Other pending certifications include:
➢ CITSEC - Chinese Infrastructure & Energy market
➢ CSPN - French Infrastructure & Energy market
➢ EDSA Level 1 - Embedded Device Security Assurance, targeting the Oil & Gas market
➢ and many more...
The ISASecure® designation ensures that IACS products conform to industry consensus Cybersecurity standards such as ISA/IEC 62443, providing confidence to users of ISASecure products and systems and creating product differentiation for suppliers conforming to the ISASecure specification. The Safety ePAC controller is Achilles Level 2 certified and ISA/IEC 62443 compliant.
➢ http://www.isasecure.org/en-US/News-Events/Schneider-Electric-Achieves-ISASecure-Security-De
SECURING SERVICES
Along with the Achilles Level 2 implementation, a key feature of the M580 is the ability to prevent certain Ethernet-based services from running. The majority of settings are located on the CPU Embedded Ethernet port Security tab:
Hints & Tips: The Schneider Electric recommendation is to disable all unused services.
SAFETY PROGRAMMING SOFTWARE
The EcoStruxure™ Control Expert V15 for Safety programming tool is certified compliant with the requirements of IEC 61508 for managing safety applications with the Safety ePAC. This safety programming software tool, which is NOT part of the safety loop:
➢ Allows programming of standard and/or non-safety Unity controllers
➢ Provides a set of specific verification and protection function blocks to facilitate the creation and debugging of safety projects
➢ Provides a secure environment for the Safety ePAC
PASSWORD MANAGEMENT
Password management is one of the fundamental tools of device hardening, which is the process of configuring a device against communication-based threats. Schneider Electric recommends the following password management guidelines:
➢ Enable password authentication on all email and Web servers, CPUs, and Ethernet interface modules.
➢ Change all default passwords immediately after installation, including:
  o user & application accounts on OS, SCADA, HMI, and other systems
  o scripts and source code
  o network control equipment
  o devices with user accounts
  o FTP servers
PASSWORDS IN ECOSTRUXURE™ CONTROL EXPERT V15 FOR SAFETY
When creating the safety or non-safety part of the application in EcoStruxure™ Control Expert V15 for Safety, Schneider Electric recommends creating passwords for both the process and the safety application. The guidelines for creating a strong password are to choose a password that contains alphanumeric characters and is case-sensitive. EcoStruxure™ Control Expert V15 for Safety encrypts the password and stores it in the application:
➢ Choose a password that contains a minimum of 8 characters.
➢ Choose a password that is difficult to guess.
➢ The password should combine upper and lower case letters, digits, and special characters.
When you open an existing application, the Application Password dialog box opens. Note that this is for the non-safety part of the application. Type your password and click OK.
To get access to the safety part of the application, the user has to deactivate the protection by unchecking it (in the Program & Safety Protection tab) and entering the current password from the project properties menu. The activation of the Safe Area Password and the implementation of user rights created in the Security Editor are mutually exclusive security functions.
Note: The Safe Area Password function exists in EcoStruxure™ Control Expert V15 for Safety from v14.0 and higher, for M580 Safety CPUs with firmware v2.8 and higher.
AUTO-LOCK
With EcoStruxure™ Control Expert V15 for Safety it is possible to Auto-Lock the non-safety part of the application based upon a time period. This means that after the allocated Auto-Lock timeout is exceeded, the application times out and prompts the user to log in again.
ECOSTRUXURE™ CONTROL EXPERT V15 FOR SAFETY PROJECT PROTECTION
The properties of the project (in the Project & Controller Protection tab) display a dialog to manage the Application password. Access to the Application password is restricted by access rights. A new application is created with an empty password. It is possible to change it at any time, even in on-line mode. The new password takes effect on the next connection.
LOSS OF PASSWORD
If the user forgets the safety and non-safety Application Password, press SHIFT–F2 and the system provides the user with a number. A grayed number is displayed on the right side of the Password dialog box.
➢ Call Schneider Electric Support and provide them with this number.
➢ Receive the generated Password from Schneider Electric Support.
➢ Enter this Password.
➢ Click Build -> Build Changes.
➢ Save the Application.
Note: The Password is a temporary Password, available as long as you do not modify the Application.
Activity 2 - PASSWORD MANAGEMENT
In this activity:
• implement an application password within EcoStruxure™ Control Expert V15 for Safety.
• prove the application password feature.
• implement the Auto-Lock functionality.
Note: For this exercise the Simulator Mode within EcoStruxure™ Control Expert V15 for Safety will be used. Please disconnect from and turn off the physical simulator / PAC now. If you are unsure how to achieve this, please ask the instructor.
1. Open the Project Properties and create an Application Password.
a. Open the Project Properties by right-clicking on the Root of the Application in the Project Browser. Select Properties from the popup menu:
b. Select the Project & Controller Protection tab:
c. In the Application section, click the Change Password... button. The Modify Password dialog appears.
d. Enter the password automation into both fields. Click OK:
e. The user is returned to the Project & Controller Protection tab:
f. Enable the Auto-lock function by selecting the tick box, leaving the default of 10 minutes. Click Apply:
g. Build, Connect & Transfer the application to the Simulator.
h. Save and Close the application.
2. Test the Password Management settings:
a. Re-open the previous application within EcoStruxure™ Control Expert V15 for Safety. This time the user will be prompted to enter the application password created in step (iv) of the previous exercise:
b. EcoStruxure™ Control Expert V15 for Safety opens the application if the correct password is entered. Close the application again.
c. Connect directly to the PLC without opening the application. This time the user will be prompted for the PLC Application Password. Enter the correct password. Click OK:
d. Without the password, the user is unable to connect to the PLC.
e. Transfer the application from the PLC to the PC.
f. Save the application as "M580_SIM.stu".
INTEGRITY CHECKS
The integrity check feature in Redundant M580 Safety, running on an authorized PC, helps prevent Redundant M580 Safety files from being changed by a virus / malware through the Internet. The integrity check feature concerns the following components:
➢ DLLs
➢ Redundant M580 Safety Hardware Catalog
➢ Libset and object files of EFBs
➢ DTMs
Redundant M580 Safety automatically performs an integrity check when you first open an application. Beyond the first check, Redundant M580 Safety automatically runs the integrity check periodically. It is also possible to run the Integrity Check manually.
EVENTS LOGGING
EcoStruxure™ Control Expert V15 for Safety can log actions to an event viewer or an encrypted XML log file. This allows it to be used for applications where a high degree of traceability is required. The information can also be stored in a Syslog database, which gives industry-standard logging for changes made in EcoStruxure™ Control Expert V15 for Safety.
In the Security Editor tool, if security is enabled, user events can be logged in the Event Viewer of the Windows operating system. The log feature is enabled when the audit parameter is checked for the EcoStruxure™ Control Expert V15 for Safety software in the Policies tab of the Security Editor. EcoStruxure™ Control Expert V15 for Safety then logs events to the Windows event log (log file located on the computer).
The Safety ePAC is also able to log events to a syslog server. It can log DTM and module events as well as attempts to log into the controller.
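The integrity check described above is a product feature whose internals are not shown here. As an added example (not the Control Expert checker and not Schneider Electric code), the Python below shows the mechanism such a check relies on: a manifest of SHA-256 digests recorded while the installation is known good, later compared against the files on disk to report anything modified, deleted or added. The directory tree, file names and suffixes are constructed for the example and are not the product's install layout.

```python
"""Added example, not the Control Expert integrity checker itself: a minimal
file-integrity check. A manifest of SHA-256 digests is taken while the
installation is known good; later verification reports files that were
modified, deleted or added. Paths below are a constructed temporary tree."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict

# Constructed stand-ins for the component types listed in the text
# (DLLs, hardware catalog, libset / object files).
WATCHED_SUFFIXES = {".dll", ".xml", ".lib", ".obj"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every watched file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES}


def verify(root: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare the current tree with the manifest. Returns a status per path:
    ok, modified, missing, or unexpected (a watched file absent from the manifest)."""
    current = build_manifest(root)
    status: Dict[str, str] = {}
    for rel, digest in manifest.items():
        if rel not in current:
            status[rel] = "missing"
        else:
            status[rel] = "ok" if current[rel] == digest else "modified"
    for rel in current:
        if rel not in manifest:
            status[rel] = "unexpected"
    return status


def demo() -> Dict[str, str]:
    """Build a constructed install tree, record its manifest, tamper with the
    tree, and return the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "core.dll").write_bytes(b"MZ original dll image")
        (root / "catalog.xml").write_text("<catalog version='1'/>")
        (root / "lib").mkdir()
        (root / "lib" / "pws.lib").write_bytes(b"libset")
        (root / "readme.txt").write_text("not a watched file type")
        manifest_json = json.dumps(build_manifest(root))  # stored and protected elsewhere
        # Tampering: patched DLL, deleted catalog, dropped-in extra library
        (root / "bin" / "core.dll").write_bytes(b"MZ patched dll image")
        (root / "catalog.xml").unlink()
        (root / "lib" / "extra.lib").write_bytes(b"injected")
        return verify(root, json.loads(manifest_json))


if __name__ == "__main__":
    for path, state in sorted(demo().items()):
        print(f"{state:10} {path}")
```

The manifest has to be kept where the software it protects cannot rewrite it (signed, or on a host the engineering PC cannot write to); malware that can replace a DLL can just as easily rewrite a manifest stored beside it, which is why the text ties the check to an authorized PC.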
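The controller's ability to send login attempts and module events to a syslog server is only useful if someone watches the stream. As an added example (not Schneider Electric code), the Python below parses syslog lines and raises an alert when one source address accumulates repeated failed controller logins inside a time window. The sample lines are constructed in RFC 3164 layout with a key=value message body; the real message text emitted by the Safety ePAC or Control Expert is not reproduced here, so the field names and the assumed year are the example's own.

```python
"""Added example (not Schneider Electric code): detection logic run over syslog
lines of the kind a Safety ePAC or Control Expert can forward to a syslog
server. Sample lines are constructed in RFC 3164 layout with a key=value
message body; the products' real message text may differ."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample: four failed logins then a success from one source within
# a few minutes, plus one isolated failure from another source.
SAMPLE_SYSLOG = """\
<84>Jan 12 10:01:02 m580-safety-01 auth: login result=failure user=maint src=192.168.11.50
<86>Jan 12 10:01:30 m580-safety-01 module: event=DTM_connected src=192.168.11.20
<84>Jan 12 10:02:11 m580-safety-01 auth: login result=failure user=maint src=192.168.11.50
<84>Jan 12 10:02:45 m580-safety-01 auth: login result=failure user=admin src=192.168.11.60
<84>Jan 12 10:03:05 m580-safety-01 auth: login result=failure user=maint src=192.168.11.50
<84>Jan 12 10:03:40 m580-safety-01 auth: login result=failure user=maint src=192.168.11.50
<86>Jan 12 10:04:02 m580-safety-01 auth: login result=success user=maint src=192.168.11.50
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
LOG_YEAR = 2024  # RFC 3164 timestamps carry no year; assumed for the example


def parse_line(line: str) -> Dict[str, object]:
    """Split a syslog line into PRI facility/severity, timestamp, host, app and
    the key=value pairs of the message; raises ValueError on malformed input."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group("pri"))
    ts = datetime.strptime(f"{LOG_YEAR} {' '.join(m.group('ts').split())}",
                           "%Y %b %d %H:%M:%S")
    fields = dict(KV_RE.findall(m.group("msg")))
    return {"facility": pri // 8, "severity": pri % 8, "ts": ts,
            "host": m.group("host"), "app": m.group("app").strip(), **fields}


def failed_login_bursts(text: str, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)
                        ) -> List[Tuple[str, str, int]]:
    """Return (host, src, count) the first time a source reaches `threshold`
    failed controller logins within `window`; each (host, src) is reported once."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str, int]] = []
    reported = set()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["app"] != "auth" or ev.get("result") != "failure":
            continue
        key = (str(ev["host"]), str(ev.get("src", "?")))
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in reported:
            reported.add(key)
            alerts.append((key[0], key[1], len(q)))
    return alerts


if __name__ == "__main__":
    for host, src, n in failed_login_bursts(SAMPLE_SYSLOG):
        print(f"{host}: {n} failed logins from {src} within 5 minutes")
```

The sliding window is per (host, source) pair, so a single mistyped password from a technician never alerts, while the burst from 192.168.11.50 is reported once it reaches the threshold, and the success that follows it is exactly the event an operator should then go and look at.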
SAFETY WITH SECURITY EDITOR TOOL
The Security Editor tool must be set up to limit the access of standard users to the safety part of the application. Only users identified as safety users can modify the safety part of the application. This access security concerns the terminal on which the software is installed and not the project, which has its own protection.
The Security Editor is used to define software users and their access rights. It also allows you to define actions which are protected (username and password) and which are stored in the log file.
In the Security Editor tool, the predefined users for safety access are:
➢ safety_user_Adjust with profile Safety_Adjust
➢ safety_user_Debug with profile Safety_Debug
➢ safety_user_Operate with profile Safety_Operate
➢ safety_user_Program with profile Safety_Program
If security is enabled, user events can be logged into the Event Viewer of the Windows operating system. The log feature is enabled when the audit parameter is checked.
For other profiles, access rights are updated to distinguish users who have a hand in the process part of the application from users allowed to work on the safety part of the application.
Activity 3 - SECURITY EDITOR
In this activity:
• Setup access rights for programming in the Process area
• Setup access rights for programming in the Safety area.
1. Start Security Editor.
a. From the Windows Start Menu, launch the Security Editor tool.
b. A login dialog box appears as shown: Enter Username and Password. The default login username is supervisor with no password.
2. Create one profile for the Process user
a. For this exercise, we will use a predefined profile in the Security Editor tool. Click on the Users tab and select user_Program from the User(s) list:
b. Make sure EcoStruxure™ Control Expert V15 for Safety is selected in the Profile section.
c. Click the Add button to create a new user.
d. Enter the parameters as shown below:
Enter User Name as ProcessUser and Password as 123456
Select from the list "With the following attributes" as user_Program
e. When finished, click the OK button.
f. The new user is created and displayed in the User(s) list as shown:
3. Create one profile for the Safety user
a. For this exercise, we will use a predefined profile in the Security Editor tool. Click on the Users tab and select safety_user_Program from the User(s) list as shown below:
b. Select the Product to be EcoStruxure™ Control Expert V15 for Safety under the Profile section.
c. Click the Add button to create a new user.
d. Enter the following parameters as shown below:
Enter User Name as SafetyUser and Password as 123456
Select from the list "With the following attributes" as safety_user_Program
e. When finished, click the OK button.
f. The new user is created and displayed in the User(s) list as shown:
4. Setup EcoStruxure™ Control Expert V15 for Safety to launch a login prompt
a. Click on the Policies tab
b. Select the policy product to be EcoStruxure™ Control Expert V15 for Safety
c. Select Security on, mandatory login from the Login section
d. When done, click the OK button
e. Click the YES button to save any changes.
5. Launch EcoStruxure™ Control Expert V15 for Safety to test the policies of the two different types of user
a. From the Windows Start Menu, launch EcoStruxure™ Control Expert V15 for Safety.
b. A login dialog box appears as shown:
c. Enter User Name as ProcessUser and Password as 123456
d. Open any existing Safety project
e. Create a new variable or section in the MAST task area
f. Create a new variable or section in the SAFE task area
g. Observe and compare both results. What has happened?
____________________________________________________
____________________________________________________
h. Close EcoStruxure™ Control Expert V15 for Safety and DO NOT save the project
i. Launch EcoStruxure™ Control Expert V15 for Safety again
j. This time enter User Name as SafetyUser and Password as 123456
k. Open the previous M580 Safety application
l. Create a new variable or section in the MAST task area
m. Create a new variable or section in the SAFE task area
n. Observe and compare both results. What has happened?
____________________________________________________
____________________________________________________
SUMMARY
This chapter gave you an understanding of the Safety ePAC used in process and machinery safety.

QUESTIONS
The following questions will help to check understanding of the topics covered in this chapter:
➢ What are the main key features of the Safety ePAC?
➢ Why do we need 2 different processor modules for the Safety ePAC controller?
➢ Which CPU references need to be ordered for a Safety SIL 3 application?
➢ What are the different modes of operation of the Safety ePAC?
➢ Can we use the Safety Power Supply module, BMX CPS 4002S, with other M580 CPUs?
➢ Why do we need Cybersecurity in Safety?
Chapter 4 - SAFETY SYSTEM DESIGN CONSIDERATION
A Safety ePAC system provides safe and deterministic services to remote I/O drops and to individual safety and non-interfering I/O modules. Distributed equipment does not have the same level of determinism, but it can participate on a remote I/O network without disrupting the determinism of the RIO modules and the safety loops. When designing a network for safety, it is important to have a clear understanding of the uses and limitations of its topology. The design should provide room for growth and meet the defined safety and security requirements. In order to achieve both safety and determinism, the remote I/O network follows a set of simple rules that are explained in this chapter.
CONTENTS:
Safety ePAC in EcoStruxure™ Plant Hybrid Architecture ........ 130
Safety Local I/O Implementation ........ 135
Safety Remote I/O Implementation ........ 137
Safety Daisy Chain Loop Architecture ........ 143
Device Integration ........ 151
Safety and Non-Safety Memories ........ 156
Process Safety Time ........ 165
SAFETY EPAC IN ECOSTRUXURE™ PLANT HYBRID ARCHITECTURE
The Safety ePAC is a TÜV Rheinland certified SIL 3 / PL e controller that provides reliability and performance, with the ability to integrate Remote and Distributed I/O over an Ethernet network based on EtherNet/IP technology and the reliable CIP object model. It is also able to integrate safety functions into the standard process. A single Safety ePAC controller ensures that the two systems in charge of Safety and Process Control are separated and independent, with different hardware resources, in a common engineering environment. The figure below shows an example of an EcoStruxure™ Plant system architecture with the Safety ePAC as a global automation solution:
Figure: Plant Hybrid Architecture
SAFETY ARCHITECTURE INTEROPERABILITY
The Safety ePAC serves the safety market for both process and machinery safety. It ensures that the two systems in charge of safety and process control are separated and independent, with different hardware resources, in a common engineering environment. With the integration of Remote and Distributed I/O over the Ethernet network, this single controller provides seamless, transparent connections into the system network.
➢ Openness
- Fieldbus integration in drops
- Other expert and third party modules
- Possibility to mix safety and non-safety modules in the same rack
- Compatibility with all existing X80 family
➢ Transparent
- Configuration and monitoring from anywhere via the Ethernet network
DIFFERENT TYPES OF I/O
In an automation architecture, the heart of the system is the PAC. Information coming from the field (sensors, push buttons, etc.) and commands sent to the devices (motor control, variable speed drive references, etc.) are often linked to the PAC via digital or analog inputs and outputs. These inputs and outputs are physically connected by wiring between the field devices and the input and output modules. These modules can be located in different positions: Locally, Remotely, or Distributed.

LOCAL I/O
Local I/O consists of input and output modules that are located in the local rack of the PAC. The internal backplane is used as the communication medium. This structure can achieve very high performance in terms of response time. I/O modules located on extension racks are also considered Local I/O.
M580 REMOTE I/O
The M580 Remote I/O offer provides reliability and performance with the ability to integrate Distributed and Remote I/O drops over the Ethernet network. The system uses EtherNet/IP technology based on the reliable CIP object model. The figure below shows an example of a system architecture with the M580 as a global automation solution:
DISTRIBUTED I/O
To achieve greater distances and flexibility, Distributed I/O is a reasonable option. Distributed I/O consists of input and output modules, but also of specific modules (to better integrate devices) located on an island which communicates with the PAC over a fieldbus or network. Because the communication goes over a fieldbus or network, Distributed I/O has a performance limitation that depends on the medium used between the island and the PAC.

X80 I/O MODULES
The Safety ePAC system uses:
➢ X80 non-interfering I/O modules, which are used in an M340 system.
➢ Current and future Ethernet-based eX80 non-interfering I/O modules, which are used in the current M580 system.
➢ The X80 Safety I/O modules.
➢ Validated non-interfering modules from the Schneider Electric Technology Partner Program (TPP).
The Safety I/O modules can be installed in either an Ethernet backplane (BME XBP) or an existing X-Bus backplane (BMX XBP).
➢ They support the hot swap feature
➢ A Safety ePAC CPU with firmware ≤ V3.10 MUST be configured as an NTP Server or an NTP Client when used in a Safety Remote I/O network; otherwise the modules will not work
➢ A Safety ePAC CPU with firmware ≥ 3.20 uses a "monotonic" time clock and does not need the NTP service. In order to work properly, the BM*CRA31210 must be upgraded to firmware ≥ 2.60
The Safety ePAC controller works as a standalone PAC system with X80 as its safety and non-interfering local and remote I/O module drops. The Ethernet remote I/O drop rack can only support one extension rack of X80 I/O modules via an X-Bus connection (use of an Ethernet rack is possible via an X-Bus connection).
SAFETY LOCAL I/O IMPLEMENTATION

X-BUS CONNECTION
The Safety ePAC CPU supports up to 8 local racks, using existing M340 modules and their accessories. Only 8 BMX backplane racks of 4, 6, 8 or 12 slots are supported. Premium rack extensions are NOT supported.
List of supported X-Bus backplanes:
Description           Reference Number
4 slots backplane     BMX XBP 0400
6 slots backplane     BMX XBP 0600
8 slots backplane     BMX XBP 0800
12 slots backplane    BMX XBP 1200

EXTENSION RACK RULES
Below are the configuration rules to follow:
➢ If an Ethernet backplane is used as an extension rack, Ethernet modules will NOT start, as they are not on Rack 0
➢ Up to 7 extension racks are supported
➢ Premium extension racks are NOT supported
➢ The Safety ePAC CPU supports up to 8 local racks of 4, 6, 8, 10 or 12 slots
➢ The Ethernet RI/O drop rack can only support one extension rack of X80 I/O modules via an X-Bus connection (use of an Ethernet rack is possible via an X-Bus connection)
➢ To extend the configuration using additional racks, users must use a bus extender module (BMX XBE 1000) and X-Bus cables
➢ The backplane extender is plugged into the dedicated connector on the right side of the backplane. It does not occupy any module slot
➢ The XBE extender module is NOT hot-swappable, in accordance with existing M340 functionality
➢ Each backplane has to include a power supply module and can support up to 12 modules depending on the rack type
BMX XBE 1000
The controller rack extender module makes it possible to connect a maximum of 4 to 8 racks, depending on the CPU type, distributed along a maximum length of 30 meters. The racks are daisy chained together via the extension modules. A typical system consists of:
➢ A rack extender module (BMX XBE 1000) in each rack
➢ Extension cables: BMX XBC xxxK (total length must not exceed 30 m)
➢ A power supply module in each rack
➢ One CPU for the complete system
➢ Two line terminators (TSX TLY EX), one on the first rack and one on the last rack
TSX TLY EX line terminators are provided in pairs marked A/ and /B. They must be fitted with terminator A/ at one end and terminator /B at the other end.
HAZARD OF ELECTRIC SHOCK
Disconnect all power sources before installing the module. Failure to follow these instructions will result in death, serious injury, or equipment damage.
SAFETY REMOTE I/O IMPLEMENTATION

EMBEDDED RIO SCANNER SERVICE
The Safety ePAC CPU has the RIO Scanner Service embedded within it to allow deterministic I/O exchanges, and it is able to communicate with the non-interfering X80 RIO drops on an Ethernet network. The 2 DEVICE NETWORK ports support a wired star, daisy chain loop or ring architecture. The daisy chain loop or ring starts on one Ethernet RIO port and terminates on the other Ethernet port.
Services provided by the CPU on the RIO ports:
➢ RSTP, to enable all remote I/O devices located on the ring to recover from a communication disruption within 50 ms
➢ Configuration of IP parameters on up to 23 remote I/O devices per drop
➢ Device and drop diagnostics
The communication between the CPU and the I/O is designed as a "BLACK CHANNEL". The protocol checks or manages detected errors such as transmission errors, omissions, insertions, wrong order, delays, incorrect addresses, masquerade bits and retransmissions. Therefore, non-interfering modules such as backplanes, fibre optic repeaters and remote I/O adapters can be used inside the safety loop without impact on the PFD and PFH evaluations. Refer to Black Channel for I/O Communication (page 262) for more information.
Note: If the Safety ePAC CPU is not configured as either an NTP Server or an NTP Client, the Safety I/O modules on the Mx80 remote I/O rack will not work.
REQUIREMENTS FOR SAFETY EPAC DESIGN
There are some requirements in the Safety ePAC configuration:
➢ A Safety remote drop needs an eCRA / CRA 31210 communication module with firmware version 2.30 or higher, allowing the safety Black Channel communication with the Safety I/O modules.
➢ On a safety rack, only Safety SIL compliant and Type 1 non-interfering modules are allowed (Type of Non-interfering Modules (page 139)).
➢ A Remote I/O drop is allowed as a safety rack
➢ Extension racks are allowed
- The Local I/O network supports up to 8 racks
- Each Remote I/O drop network can only have one extension rack
➢ Premium rack extensions are NOT supported
➢ Safety I/O modules cannot be addressed from the non-safety area, nor through located variables or STATE RAM addresses (only Device DDTs are used)
➢ The Safety ePAC CPU must be configured as either an NTP Server or an NTP Client in order for the Safety I/O modules on a Remote I/O rack to work correctly
Because the Safety ePAC uses the BLACK CHANNEL to synchronize with the CRA modules, the CPU time MUST be set to a correct, valid date/time, even if it is configured as an NTP Server or NTP Client.
Safety ePAC CPU with:
➢ Firmware ≥ 3.20 uses a "monotonic" time clock and does not need the NTP service. In order to work properly, the BM*CRA31210 module must be upgraded to firmware ≥ 2.60.
➢ Firmware ≤ 3.10 must have its CPU clock set and updated even if it is configured as an NTP server
- The reason is that the Safety I/O modules on the Remote I/O drop will STOP operating some hours after a power cycle, because the CPU time restarts in year 1970 while the remote drop adapters (CRA modules) may still hold the current date and time.
- When the discrepancy is more than 2 seconds, the SafeCom RTC keeps its previous values.
- If the time is updated/changed by more than 2 s, the synchronization of the SafeCom RTC (real time clock) with the NTP RTC is stopped.
- To diagnose: in the I/O DDT, T_SAFE_COM_DBG_IN.M_NTP_SYNC = 1 means the module is synchronized with the NTP server.
- Tip to force CPU time synchronization with the CRA modules: set the system word %SW128 from #1AE5 to #E51A.
DEFINITION
A "non-interfering" module is an "in-rack" module that is allowed to be plugged into a rack which is part of the safety system. The customer has to ensure that data linked to "non-interfering" modules are only used for the non-safety related parts of the system. The "non-interfering" modules have to fulfill the following requirements:
➢ Logical independence from safety function execution; they cannot interfere with the safety functions
➢ EMC independence from safety function execution
➢ Modules have to be tested and compliant with:
- IEC 61131-2 standard
- IEC 61326-3-1 standard (modules must not interfere dangerously with the safety loop)
➢ Electrical independence: they cannot generate on the backplane lines a dangerous voltage (higher than 30 V) which would become dangerous for safety modules
In practice, we consider that if the "non-interfering" module is electrically isolated from the process, it fulfills the requirement.

NON-INTERFERING MODULES
The Safety ePAC is able to execute "standard" application programs and "safety" application programs in one single controller, which allows "standard" I/O modules to be used in the system. These modules, which are not safety related, have to be "non-interfering", i.e. they cannot interfere with the safety function. To allow standard I/O modules to be used in a safety application, these non-safety-related modules have to be certified as "non-interfering":
➢ They can be part of the safety system
➢ They have no direct access to the safety logic of the I/O modules
➢ They cannot interfere with safety function execution
➢ Data linked to them is only used for the non-safety related parts of the system
TYPE OF NON-INTERFERING MODULES
There are 2 categories of non-interfering modules:
➢ TYPE 1:
- Modules that can be installed in the same rack together with the Safety CPU and Safety I/O modules
➢ TYPE 2:
- Modules that CANNOT be installed in the same rack with the Safety CPU and Safety I/O modules
Refer to the Safety Manuals for the correct PV version of each X80 I/O module for use as a TYPE 1 non-interfering module.
Note: Modules from the Schneider Electric Technology Partner Program (TPP) are TYPE 2 and have to be validated by Schneider Electric for use in Safety.
See Also: Refer to the Safety Manuals for a full list of approved non-interfering modules.
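As an added example that is not part of this training manual or of any Schneider Electric tool, the Python script below encodes the design rules of this chapter (the extension rack rules, the remote drop requirements with the firmware and NTP clock conditions, and the TYPE 1 / TYPE 2 non-interfering rule) as a configuration checker that can be run before a design is built. The rack model, the module class labels and the use of plain floats for firmware versions are assumptions made here for illustration.

```python
"""Design-rule checker for a Safety ePAC configuration (added example).

The data model below is an assumption made for illustration; it is not
a Control Expert API. Firmware versions are plain floats (3.10 -> 3.1).
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rack:
    kind: str                       # "xbus" (BMX XBP), "ethernet" (BME XBP) or "premium"
    # module classes: "safety", "type1", "type2" (non-interfering), "ethernet" (comms)
    modules: List[str] = field(default_factory=list)


@dataclass
class Drop:
    cra_fw: float                   # BM*CRA 312 10 firmware version, e.g. 2.60
    racks: List[Rack] = field(default_factory=list)   # drop rack first, then extension


@dataclass
class SafetyConfig:
    cpu_fw: float                   # Safety ePAC CPU firmware version, e.g. 3.10
    ntp_role: str                   # "server", "client" or "none"
    clock_valid: bool               # CPU date/time set (not the 1970 value after a power cycle)
    local_racks: List[Rack] = field(default_factory=list)   # rack 0 (with the CPU) first
    drops: List[Drop] = field(default_factory=list)


def check_racks(racks: List[Rack], where: str, max_racks: int) -> List[str]:
    """Apply the extension rack and TYPE 1 / TYPE 2 rules to one rack chain."""
    findings = []
    if len(racks) > max_racks:
        findings.append(f"{where}: {len(racks)} racks exceeds the limit of {max_racks}")
    for i, rack in enumerate(racks):
        tag = f"{where} rack {i}"
        if rack.kind == "premium":
            findings.append(f"{tag}: Premium extension racks are not supported")
        if i > 0 and rack.kind == "ethernet" and "ethernet" in rack.modules:
            findings.append(f"{tag}: Ethernet modules do not start on a rack other than rack 0")
        # Rack 0 of the local chain holds the Safety CPU, so it counts as a safety rack.
        safety_rack = "safety" in rack.modules or (where == "local" and i == 0)
        if safety_rack and "type2" in rack.modules:
            findings.append(f"{tag}: TYPE 2 module cannot share a rack with the Safety CPU or Safety I/O")
    return findings


def check_design(cfg: SafetyConfig) -> List[str]:
    """Return the list of rule violations; an empty list means the design passes."""
    findings = check_racks(cfg.local_racks, "local", 8)       # up to 8 local racks
    for n, drop in enumerate(cfg.drops, 1):
        findings += check_racks(drop.racks, f"drop {n}", 2)   # drop rack + 1 extension rack
        if drop.cra_fw < 2.30:
            findings.append(f"drop {n}: CRA firmware {drop.cra_fw} < 2.30, no safety Black Channel")
        if cfg.cpu_fw >= 3.20 and drop.cra_fw < 2.60:
            findings.append(f"drop {n}: CPU firmware {cfg.cpu_fw} (monotonic clock) needs CRA >= 2.60")
    # CPU firmware <= 3.10 relies on NTP and a valid clock to keep the SafeCom RTC in sync.
    if cfg.drops and cfg.cpu_fw <= 3.10:
        if cfg.ntp_role not in ("server", "client"):
            findings.append("CPU must be an NTP Server or NTP Client for Safety I/O on remote drops")
        if not cfg.clock_valid:
            findings.append("CPU clock must be set; remote Safety I/O stops when the CPU restarts in 1970")
    return findings


if __name__ == "__main__":
    # Constructed sample: one local rack, one drop with an Ethernet extension rack.
    sample = SafetyConfig(cpu_fw=3.10, ntp_role="none", clock_valid=False,
                          local_racks=[Rack("xbus", ["safety", "type1"])],
                          drops=[Drop(2.20, [Rack("xbus", ["safety"]), Rack("ethernet", ["ethernet"])])])
    for line in check_design(sample):
        print(line)
```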