S5-115F Manual
Reliability, Availability and Safety of Electronic Control Systems
PLC redundancy
There are hierarchical systems in which a higher-level S5-115F generates centralized enable
functions for all lower-level S5-115Fs. Failure of this higher-level PLC would lead to a shutdown of
the whole system. Redundancy of the SINEC L1 LAN and of the higher-level S5-115F with enable
functions solves this problem.
For this purpose, the Enable signals of both Enable PLCs are sent on the SINEC L1 LAN and ORed in
the destination S5-115Fs.
9.3 Safety of Electronic Control Systems
The S5-115F is designed so that a hardware failure will not constitute a danger.
There must be two paths, connected in series, for switching off safety-related actuators. The failure
of one is tolerable, provided the defect is detected within the second error occurrence time so that
any further defects will not affect the cutout ability.
Special attention must be given to hidden errors not detected within the safety time. They do not
constitute any danger provided they occur singly. However, they must be detected within the
second error occurrence time in order to prevent error bursts leading to dangerous states. All error
responses lead to the safe quiescent state.
9.3.1 Safe Inputs
Safe inputs are implemented with ”safe” two-channel input modules.
If permanently failsafe sensors are available for the relevant process signals, one sensor branched
to two input modules will be sufficient. Otherwise, two valid sensors are used which are each
connected to one input module of a subunit.
A comparison check is made on the dual-channel inputs once per cycle or, in the case of direct
access, during access. Nonidentical inputs are subjected to a discrepancy analysis. In the case of
binary inputs, the discrepancy must disappear at the latest when the individual discrepancy time
has elapsed. In the case of analog inputs, the system must return to within a tolerable deviation at
the latest after the unified discrepancy time has elapsed.
This measure is sufficient for input variables which change frequently during operation
(intermittent). These are binary variables, which change status several times during the second
error occurrence time, and analog variables, which cover the relevant range several times during
the second error occurrence time.
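As an added illustration that is not taken from the Siemens manual, the following Python model runs the per-cycle comparison and discrepancy analysis described above over constructed sample pairs, for both a binary and an analog channel pair. The cycle counts, the tolerance and the choice to pass the lower (safe-side) reading on while a discrepancy is still within the discrepancy time are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass
class DualChannelInput:
    """Model of one two-channel input with per-cycle comparison and
    discrepancy analysis. Constructed illustration, not Siemens code."""
    discrepancy_time: int      # cycles a discrepancy may persist (assumed unit)
    analog: bool = False       # False: binary channel pair, True: analog pair
    tolerance: float = 0.0     # tolerable deviation between analog channels
    mismatch_cycles: int = 0   # how long the current discrepancy has lasted
    faulted: bool = False      # latched error response (safe quiescent state)

    def safe_value(self):
        # 0 is the status for the safe quiescent state.
        return 0.0 if self.analog else 0

    def discrepant(self, a, b):
        if self.analog:
            return abs(a - b) > self.tolerance
        return a != b

    def evaluate(self, a, b):
        """Return the value handed to the safety program for this cycle.
        Assumption: while a discrepancy is still tolerated, the lower reading
        is used; once the discrepancy time is exceeded, the error response
        latches and the safe quiescent state is returned from then on."""
        if self.faulted:
            return self.safe_value()
        if self.discrepant(a, b):
            self.mismatch_cycles += 1
            if self.mismatch_cycles > self.discrepancy_time:
                self.faulted = True          # error response: go to safe state
                return self.safe_value()
            return min(a, b)                 # tolerated discrepancy, safe side
        self.mismatch_cycles = 0             # channels agree: clear the timer
        return a


def run(monitor, samples):
    """Feed a sequence of (channel_a, channel_b) samples, one per cycle."""
    return [monitor.evaluate(a, b) for a, b in samples]


if __name__ == "__main__":
    # Constructed samples: a brief, tolerated mismatch, then a stuck channel B.
    binary = DualChannelInput(discrepancy_time=2)
    print(run(binary, [(1, 1), (1, 0), (1, 1), (0, 1), (0, 1), (0, 1), (1, 1)]))
    print("faulted:", binary.faulted)
```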
Input variable comparison is not sufficient in the case of input variables which change
infrequently. These variables must be changed artificially by the supplementary PLC test. Check-back
modules are required for this purpose (see 10.9.5).
The active sensor signal is interrupted in the case of binary inputs, and two programmable check
values are injected in the case of analog input. This procedure results in analog inputs which are
safeguarded at two values and can be used for safety-related limit value processing.
The sensors must be designed so that
• a zero signal will occur in the event of a wire break or power failure
• 0 is the status for the safe quiescent state.
(Example: the emergency switch requires the emergency ”0” position and the ”ON” operation
switch requires an active signal with ”1” level).
EWA 4NEB 811 6148-02
9-5