Safety Mechanisms
Fail-Safe Systems
3-6
A5E00085588-03
When a hazardous fault is detected, the logical program execution check performs
the following:
• In a non-redundant system, or in a common-cause situation (e.g. both CPUs encounter the fault), the Safety Program will be disabled.*
• In a redundant system, if the failure is detected on the master CPU, a switch to the Standby will occur. If the failure is on the reserve CPU or on both CPUs, no switch is performed and a portion or all of the Safety Program will be disabled.*

* This is configurable in the shutdown logic. If a fault is detected in an F-run-time group, then, depending on the configured response in the shutdown logic, either that F-run-time group or the entire Safety Program will be disabled, and all associated outputs revert to the safe state.
Time-Based Program Execution Monitoring
Time-based program execution monitoring takes place through monitoring of the F
cycle time by the F_CYC_CO within each OB3x.
• Monitoring of the F Cycle Time
The maximum F cycle time (cyclic interrupt time for OBs with F-run-time groups) is assigned in CFC as an input parameter of the F-Block F_CYC_CO. An F_CYC_CO F-Block must be present in each F cycle (i.e. in each cyclic interrupt OB with F-Blocks). This block is placed automatically during compilation.
In the event of an F cycle time overrun, the associated F-run-time groups are disabled, causing all associated outputs to revert to the safe state.
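As an added illustration (not code from the S7 F Systems manual or from Siemens), the following Python model captures the two mechanisms described above: the reaction to a hazardous fault in a non-redundant or redundant system, and the F cycle time check that F_CYC_CO performs in each OB3x, which feeds the configured shutdown response (disable the affected F-run-time group or the entire Safety Program, with all outputs reverting to the safe state). The class and function names, the safe value False/0, and the cycle-time figures are assumptions made for this example.

```python
"""Model of the hazardous-fault reaction, F cycle time monitoring and the
configured shutdown response.

Constructed illustration, not Siemens code. Names such as RunTimeGroup,
SafetyProgram, ShutdownResponse and redundancy_response are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


def redundancy_response(redundant: bool, master_fault: bool, standby_fault: bool) -> str:
    """Reaction to a hazardous fault, depending on which CPU(s) detected it."""
    if not redundant or (master_fault and standby_fault):
        return "disable"              # non-redundant, or common cause on both CPUs
    if master_fault:
        return "switch_to_standby"    # master faulty: the standby takes over
    if standby_fault:
        return "disable"              # reserve faulty: no switch, shutdown logic applies
    return "none"


class ShutdownResponse(Enum):
    """Configured response of the shutdown logic to a fault in an F-run-time group."""
    DISABLE_GROUP = "group"           # only the affected F-run-time group
    DISABLE_PROGRAM = "program"       # the entire Safety Program


@dataclass
class RunTimeGroup:
    """One F-run-time group running in a cyclic interrupt OB (OB3x)."""
    name: str
    max_cycle_ms: float               # input parameter of the F_CYC_CO block
    outputs: dict = field(default_factory=dict)   # output name -> current value
    enabled: bool = True

    def to_safe_state(self) -> None:
        """Passivate: every output reverts to the safe value (assumed False / 0)."""
        self.enabled = False
        for key, value in self.outputs.items():
            self.outputs[key] = False if isinstance(value, bool) else 0


@dataclass
class SafetyProgram:
    groups: list
    response: ShutdownResponse = ShutdownResponse.DISABLE_GROUP

    def check_cycle(self, group_name: str, measured_ms: float) -> bool:
        """Model of F_CYC_CO: compare the measured F cycle time with the limit.

        Returns True if the cycle was within the limit, False on overrun.
        On overrun the shutdown logic decides what is disabled.
        """
        group = next(g for g in self.groups if g.name == group_name)
        if measured_ms <= group.max_cycle_ms:
            return True
        self._shutdown(group)
        return False

    def _shutdown(self, faulty: RunTimeGroup) -> None:
        if self.response is ShutdownResponse.DISABLE_GROUP:
            faulty.to_safe_state()
        else:
            for g in self.groups:
                g.to_safe_state()

    def enabled_groups(self) -> list:
        return [g.name for g in self.groups if g.enabled]


def demo(response: ShutdownResponse) -> tuple:
    """Constructed scenario: the OB35 group overruns its limit, the OB32 group does not."""
    prog = SafetyProgram(
        groups=[
            RunTimeGroup("RTG_OB32", max_cycle_ms=200.0, outputs={"valve": True}),
            RunTimeGroup("RTG_OB35", max_cycle_ms=100.0, outputs={"motor": True, "speed": 42}),
        ],
        response=response,
    )
    prog.check_cycle("RTG_OB32", 150.0)   # within limit
    prog.check_cycle("RTG_OB35", 120.0)   # overrun -> shutdown logic reacts
    return tuple(prog.enabled_groups()), {g.name: dict(g.outputs) for g in prog.groups}


if __name__ == "__main__":
    for r in ShutdownResponse:
        print(r.value, demo(r))
```

Running the script prints the enabled groups and output images for both shutdown configurations: with the group-level response the overrun in RTG_OB35 leaves RTG_OB32 running, whereas the program-level response passivates both groups and all their outputs.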
Live Monitoring During Safety-Related Communication
The Safety Program communicates cyclically with the F-I/Os and with Safety
Programs on other CPUs using special safety protocols. The receivers implement
the fault reaction function in the event of a problem:
• F output modules switch the outputs off.
• The fail-safe blocks F_RCVBO and F_RCVR in Safety Programs on other CPUs output parameterizable substitute values.
• The fail-safe blocks F_R_BO and F_R_R, used for RTG to RTG communications, output parameterizable substitute values.
After the problem has been eliminated, user acknowledgment on the F channel
driver block or the F-Block F_RCVBO or F_RCVR or a Restart of the Shutdown
Logic is required. The fail-safe blocks F_R_BO and F_R_R, used for RTG to RTG
communications, are automatically reintegrated.
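The two receiver behaviours described above, as an added example that is not code from the manual or from Siemens: a Python model of a fail-safe receive block that monitors the cyclic telegrams from its partner, outputs the parameterized substitute value once the monitoring time is exceeded, and then either waits for a user acknowledgment (the F_RCVBO/F_RCVR case) or reintegrates automatically as soon as valid telegrams arrive again (the F_R_BO/F_R_R case). The class name, the sequence-number check, the monitoring times and the telegram stream are assumptions made for this example.

```python
"""Model of the fault reaction and reintegration of a fail-safe receive block.

Constructed illustration, not Siemens code. FailSafeReceiver and its fields
are assumptions; the real safety protocol carries more than a sequence number.
"""
from dataclasses import dataclass


@dataclass
class FailSafeReceiver:
    name: str
    timeout_ms: int                 # monitoring time for the cyclic telegram
    substitute: object              # parameterized substitute value
    auto_reintegrate: bool          # True for RTG-to-RTG blocks (F_R_BO / F_R_R style)
    last_rx_ms: int = 0
    last_seq: int = 0
    last_value: object = None
    passivated: bool = False
    ack_required: bool = False

    def receive(self, now_ms: int, seq: int, value) -> None:
        """A telegram arrived; anything out of sequence is treated as faulty and ignored."""
        if seq != self.last_seq + 1:
            return
        self.last_seq = seq
        self.last_rx_ms = now_ms
        self.last_value = value

    def cycle(self, now_ms: int):
        """Called every F cycle: check the monitoring time and deliver the output value."""
        timed_out = now_ms - self.last_rx_ms > self.timeout_ms
        if timed_out:
            self.passivated = True                    # fault reaction: substitute value
            self.ack_required = not self.auto_reintegrate
        elif self.passivated and self.auto_reintegrate:
            self.passivated = False                   # RTG-to-RTG: reintegrate automatically
        return self.substitute if self.passivated else self.last_value

    def acknowledge(self, now_ms: int) -> bool:
        """User acknowledgment; it only lifts passivation once the problem is eliminated."""
        if not self.passivated:
            return False
        if now_ms - self.last_rx_ms > self.timeout_ms:
            return False                              # fault still present: no effect
        self.passivated = False
        self.ack_required = False
        return True


def scenario(auto_reintegrate: bool) -> tuple:
    """Constructed telegram stream: healthy, a gap longer than the monitoring
    time, then healthy again. Returns (trace, ack_result, output_after_ack)."""
    rx = FailSafeReceiver("rx", timeout_ms=300, substitute=False,
                          auto_reintegrate=auto_reintegrate)
    telegrams = {100: (1, True), 200: (2, True), 700: (3, True), 800: (4, True)}
    trace = []
    for now in range(100, 801, 100):
        if now in telegrams:
            rx.receive(now, *telegrams[now])
        trace.append((now, rx.cycle(now), rx.passivated))
    acked = rx.acknowledge(800)
    return trace, acked, rx.cycle(800)


if __name__ == "__main__":
    for auto in (False, True):
        trace, acked, out = scenario(auto)
        print("auto_reintegrate =", auto)
        for entry in trace:
            print("  t=%4d ms  output=%-5s passivated=%s" % entry)
        print("  acknowledge ->", acked, " output afterwards ->", out)
```

In the acknowledgment-required case the output stays at the substitute value after the telegrams resume at t=700 ms until the acknowledgment at t=800 ms; in the automatic case the receiver is back to the received value at t=700 ms and the acknowledgment has nothing to do. An acknowledgment issued while the partner is still silent has no effect in either case.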
See Also
Interconnecting F Cycle Time Monitoring
F_PLK_O, F_PLK, F_CYC_CO