Siemens SIMATIC S7 F Manual Download Page 9

Page: 9 / 354

Fail-Safe Systems
A5E00085588-03

Safety Notes

Safety Program and its outputs being disabled. .............................................5-12

During simulation of Input Channels the Simulation value is always available

on the block’s output. ......................................................................................5-22

Communication have changed........................................................................5-32

Summary of Contents for SIMATIC S7 F

Page 1: ...ration 4 Programming 5 Operation and Maintenance 6 Safety 7 Fail Safe Function Blocks 8 Appendices Check Lists A References B Glossary Index SIMATIC Programmable Controllers S7 F FH Systems Manual This manual is part of the documentation package with the order number 6ES7988 8FA10 8BA0 Edition 02 2003 A5E00085588 03 ...

Page 2: ...safety related use of the product Warning indicates that death severe personal injury or substantial property damage can result if proper precautions are not taken Caution indicates that minor personal injury can result if proper precautions are not taken Note draws your attention to particularly important information on the product handling the product or to a particular part of the documentation...

Page 3: ... Contents This manual describes how to work with the S7 F FH Systems using S7 F Systems V5 2 software It consists of instructive chapters and reference chapters descriptions of the fail safe function blocks and check lists for acceptance The manual covers the following topics Safety Mechanisms Configuration Programming Maintenance Safety Fail Safe Blocks Scope of the Manual Module Order Number As ...

Page 4: ...to the following levels Requirement classes AK1 to AK6 in accordance with DIN V 19250 DIN V VDE 0801 SIL1 to SIL3 Safety Integrity Level in accordance with IEC 61508 Categories 1 to 4 in accordance with EN 954 1 Place in the Information Landscape This manual is part of the documentation package for the S7 F FH System System Documentation Package Order Number S7 F Systems Safety Engineering in SIMA...

Page 5: ...ons about the use of products presented in this manual contact your local Siemens representative http www siemens com automation partner Training Center We offer courses to help you get started with the S7 automation system Contact your regional training center or the central training center in Nuremberg 90327 Federal Republic of Germany Telephone 49 911 895 3200 http www sitrain com H F Competenc...

Page 6: ...00 a m to 5 00 p m Telephone 49 0 180 5050 222 Fax 49 0 180 5050 223 E mail adsupport siemens com GMT 1 00 United States Johnson City Technical Support and Authorization Local time M F 8 00 a m to 5 00 p m Telephone 1 0 770 740 3505 Fax 1 0 770 740 3699 E mail isd callcenter sea siemens com GMT 5 00 Asia Australia Beijing Technical Support and Authorization Local time M F 8 00 a m to 5 00 p m Tele...

Page 7: ...will find the following information Newsletter providing the latest information on your products Exact documents for your requirements which you can access by performing an online search in Service Support Forum in which users and experts worldwide exchange ideas Your local Automation Drives contact who can be accessed in our Contacts database Information about local service repair and replacement...

Page 8: ...Important Information Fail Safe Systems viii A5E00085588 03 ...

Page 9: ...le 5 25 Startup Protection to handle short power failures in the F I O 5 26 Automatic Reintegration through F_QUITES 5 27 Default MAX_CYC 5 30 Safety Program must be re compiled if S7 connections used for CPU CPU Communication have changed 5 32 Use F_LIM_R for plausibility check of standard to F data conversion 5 37 When Deactivating Safety Mode 5 40 F Blocks outputs always use the preset initial ...

Page 10: ...nstalled in OB 3x ONLY 8 8 Do NOT change CRC_IMP input 8 26 Use F_LIM_R for plausibility check of standards to F data conversion 8 35 Reintegration through User Acknowledgement with F_QUITES 8 45 PD_FLAG not to be interconnected 8 56 F_SHUTDN in slowest configured OB 8 74 ...

Page 11: ...S7 FH System Getting Started 2 13 2 3 1 Fault Tolerant S7 FH System Setting Up the Hardware 2 13 2 3 2 Configuring the Fault Tolerant S7 FH System 2 15 2 3 3 Fault Tolerant S7 FH System Creating a Fail Safe User Program 2 16 2 3 4 Starting Up a Fault Tolerant S7 FH System 2 16 2 3 5 Fault Tolerant S7 FH System Monitoring Errors 2 17 3 Safety Mechanisms 3 1 3 1 Introduction to the Safety Mechanisms...

Page 12: ...ks 5 10 5 3 2 Automatically Inserted F Blocks 5 11 5 3 3 Interconnecting and Assigning Parameters to F Blocks 5 12 5 3 4 Defining the Run Sequence 5 14 5 3 5 Interconnecting F Driver Blocks 5 16 5 3 6 Passivation and Reintegration of the Input and Output Channels 5 24 5 3 7 Programming Startup Protection 5 28 5 3 8 Example Reintegration after Startup of the Safety Program 5 29 5 3 9 Assigning Para...

Page 13: ...hanges to the Safety Program 7 20 7 5 3 Acceptance of F Block Types 7 22 7 5 4 Responsibilities and Qualifications 7 22 8 Fail Safe Blocks 8 1 8 1 Overview 8 1 8 1 1 Fail Safe Blocks 8 1 8 1 2 F Data Types 8 2 8 1 3 Block I Os 8 4 8 1 4 Block Numbers 8 6 8 1 5 Installation in Cyclic Interrupt OBs 8 8 8 2 Driver Blocks for F I Os 8 9 8 2 1 F_CH_DI 8 10 8 2 2 F_CH_DO 8 13 8 2 3 F_CH_AI 8 16 8 2 4 Co...

Page 14: ... 5 F_2OUT3 8 89 8 7 6 F_XOUTY 8 91 8 8 Comparison Blocks for Two Input Values of the Same Type 8 92 8 8 1 F_LIM_HL 8 92 8 8 2 F_LIM_LL 8 94 8 8 3 F_2oo3_R 8 96 8 8 4 F_1oo2_R 8 98 8 9 Flip Flop Blocks 8 100 8 9 1 F_RS_FF 8 100 8 9 2 F_SR_FF 8 102 8 10 IEC Pulse and Counter Blocks 8 103 8 10 1 F_CTUD 8 103 8 10 2 F_TP 8 105 8 10 3 F_TON 8 107 8 10 4 F_TOF 8 109 8 11 Pulse Blocks 8 111 8 11 1 F_F_TR...

Page 15: ...tputs of the Driver Blocks 8 132 8 15 3 Errror Information in the Diagnostic Buffer 8 134 8 15 4 Error Information at the Output RETVAL 8 140 8 16 Run Times 8 141 8 16 1 Run Times of the Fail Safe Blocks 8 141 A Check Lists A 1 A 1 Life Cycle of the Fail Safe Programmable Controllers A 1 A 2 Check List of the Certified Modules A 5 A 3 Check List of the Certified F Blocks A 7 A 4 Check List of the ...

Page 16: ...Contents Fail Safe Systems xvi A5E00085588 03 ...

Page 17: ...ed by means of safety functions primarily in the software Safety functions are executed by the S7 F FH programmable controller in order to return the system to a safe state or keep it in a safe state when a hazardous event occurs The safety function for the process can be executed by means of a user safety function or a fault reaction function If the F System can no longer execute its actual user ...

Page 18: ...wntimes as a result of failures in the F System fail safe systems can be optionally configured for high availability fault tolerance This increased availability can be achieved by means of redundant components power supply central processing unit and communication and I O systems The fail safe and fault tolerant S7 F FH Systems allow production to continue without causing any harm to people or the...

Page 19: ...rd Ethernet Industrial Ethernet or PROFIBUS S7 F Sys S7 400H S7 FH Sys S7 400 Standard F SMs Standard SMs Standard SMs F SMs Boiler prot Emerg stop F SMs ET 200M ET 200M Burner coal mill Central engineering system ES Operator Stations OS ET 200M ET 200M Standard SMs ET 200S ...

Page 20: ...H that can run a fail safe F user program One or more fail safe inputs outputs F I Os in a distributed I O device redundancy optional The following figure shows the hardware and software components of an F System You can expand the configuration with standard S7 400 and S7 300 modules Programmable controller S7 F System ET 200M distributed I O device Fail safe signal modules optionally redundant E...

Page 21: ...s F I Os in a distributed I O device redundancy optional The following figure shows an example of an S7 FH configuration with a redundant CPU shared switched distributed I O modules connected via a redundant system bus Redundant PROFIBUS DP Programmable controller S7 FH System ET 200M distributed I O device Fail safe signal modules optionally redundant ET 200M distributed I O device Standard modul...

Page 22: ... fact that fail safe F fault tolerant H and standard components can be combined has the following advantages You can set up a fully integrated automation system in which you can make use of the innovation of the standard CPUs and at the same time use fail safe components independently of standard components such as FMs or CPs You can configure and program the whole system using standard tools such...

Page 23: ...ith the sensors and actuators in such a way as to ensure that the desired safety level can be achieved Configuring the Hardware The configuration set using HWCONFIG must correspond to the hardware configuration in other words the circuit diagram of the I O system must be reflected in the parameter settings The F capable CPU must be configured Creating the F User Program You create the fail safe us...

Page 24: ... CPU 417 4 H as of V2 0 with an F Copy License is used either individually or as a fault tolerant master standby system The F Copy License permits you to use the CPU as an F CPU i e to run a fail safe user program on it An F capable CPU is a CPU that is approved for use in the S7 F FH It only becomes an F CPU if there is an F user program running on it Otherwise a standard S7 program runs on the C...

Page 25: ... Standard Components The restrictions for fault tolerant systems apply to the use of standard components You will find the restrictions for standard components in safety mode of fail safe signal modules in the safety information in Chapter 3 of the S7 300 Programmable Controller Fail Safe Signal Modules Additional Information You can find detailed descriptions of the hardware components for the S7...

Page 26: ...fe blocks contain fault detection and fault reaction functions as well as functions for programming safety functions In other words they ensure that failures and faults are detected and that an appropriate reaction is initiated that will keep the F system in a safe state or return it to a safe state The user program on the CPU can be made up of safety related sections Safety Program and not safety...

Page 27: ...ting projects based on Failsafe Blocks V1_2 1 6 1 Getting Started Information Applicable to All Use Case Scenarios Installing the Optional Package 1 Start the PC Programming Device Workstation that has the STEP 7 basic software package installed Make sure that there are no open STEP 7 applications 2 Insert the optional package product CD 3 Run the SETUP EXE program on the CD 4 Follow the setup pro...

Page 28: ...he same way as STEP 7 and the optional packages You can find information on how to install and work with the authorization component in the readme file and in STEP 7 s main help system Note SIMATIC S7 F Systems V5 0 license also supports V5 2 F Copy License An F Copy License permits you to use the CPU as an F CPU e g to run a Safety Program on it 1 6 2 Use case scenarios Scenario 1 Compiling Editi...

Page 29: ...g S7 F Systems V5 2 on a New PC to Support Failsafe Blocks V1_1 Projects Use this scenario if you have Purchased a new PC Programming Device Workstation and you wish to use projects based on Failsafe Blocks V1_1 library Software Requirements The following software packages must be installed on the PC programming device in order to use modify or create projects based on Failsafe Blocks V1_1 library...

Page 30: ...ust have the minimum software requirements to allow this Software Firmware Requirements The following software packages must be installed on the PC Programming Device Workstation in order to upgrade projects based on Failsafe Blocks V1_1 library to Failsafe Blocks V1_2 S7 F Systems V5 2 STEP7 V5 2 or higher S7 H Systems Optional Package V5 1 or higher required for S7 FH Systems CFC V5 2 4 CPU S7 4...

Page 31: ... within the Manage dialog box in SIMATIC Manager a Within SIMATIC Manager open the Manage dialog box by choosing File Manage b Verify Failsafe Blocks V1_2 is in the list If it is then go to step 3 c Open the library within SIMATIC Manager by choosing File Open and press the Browse button d Open the folder SIEMENS STEP7 S7LIBS and select Failsafe Blocks V1_2 and press OK This will open the Failsafe...

Page 32: ... a 3 Choose the Options Edit Safety Program menu command 4 Press the Library Version Button 5 Select the Library to which you wish to upgrade to and press the OK button 6 Open a CFC Chart from the Program 7 Choose the Options Block Types menu command 8 Select all blocks in the Charts Folder pane ...

Page 33: ...e after upgrading the library to insure all blocks are up to date Failure to Import new block types may result in a failed compile Important Note Unplaced F Blocks from the block container are automatically deleted when the safety program is compiled Important Note Run time groups containing F Blocks in task OB1 must be moved to OB3x because OB1 is no longer supported ...

Page 34: ...ents to allow this Software Firmware Requirements The following software packages must be installed on the PC Programming Device Workstation in order to modify or create projects based on Failsafe Blocks V1_2 library S7 F Systems V5 2 STEP7 V5 2 or higher S7 H Systems Optional Package V5 1 or higher required for S7 FH Systems CFC V5 2 4 CPU S7 417F FH V3 1 or higher ET 200S fail safe module driver...

Page 35: ...t creating a measuring point list defining a structure etc are not described here When you plan the system specify the required safety functions with the corresponding Safety Integrity Levels SILs From these derive the demands on the components in order to implement the safety functions PLCs sensors actuators These decisions affect other tasks such as hardware installation configuration and progra...

Page 36: ...ize CPU for safety program Parameterize F I Os according to safety class and circuit diagram Create Safety Program Place interconnect and parameterize F function blocks Generate executable code and load to the CPU of the S7 F FH Commission the system Have safety related sections accepted by expert before safety mode is operational Maintain system Replace hardware components Change Safety Program U...

Page 37: ...nges if only the changes are to be compiled 4 If the F module drivers are not yet placed select the Generate Module Drivers check box in the Compile Charts as Program dialog box This automatically inserts and interconnects the required F module drivers in separate charts Fx Result The Safety Program is compiled and can be downloaded to the CPU Safety functions are added to the charts of the Safety...

Page 38: ...Product Overview Fail Safe Systems 1 22 A5E00085588 03 ...

Page 39: ...ocks within it The Step 7 definition of run time groups Run time groups are used to structure tasks The blocks are installed sequentially in the run time groups Run time groups can be activated and deactivated separately If a run time group is deactivated the blocks it contains will no longer be activated Safety Program This is the collection of all F run time groups within the project Force Full ...

Page 40: ...sed to provide information to the shutdown logic and these include F_Init1 F_CycCo OB35 and F_TestMode At the center of the shutdown logic is the F_SHUTDN function block in the F_ShutDn chart The F_SHUTDN block provides you with the following action You can force a manual shutdown of the entire Safety Program or you can restart the shutdown Safety Program You can use the SHUTDOWN input to set eith...

Page 41: ...and the S7 H Systems Optional Package Version 5 1 You can find two sample projects in step7 Examples ZEN32 01_FSystem_Fproj For an F System ZEN32 02_FHSystem_FHProj For a fault tolerant FH System You can use the examples to check the results of similar project sessions described below Passwords The passwords for the projects provided are CPU password anna Safety Program password otto ...

Page 42: ...sisting of 1 mounting rack UR2 H 1 power supply PS 407 10A 1 CPU 417 4H An ET 200M distributed I O device with an active backplane bus consisting of 1 power supply PS307 5A 1 IM 153 2 Bus Interface Module 1 Safety Protector Module 1 fail safe digital input module SM 326F DI 24xDC24V 1 fail safe digital output module SM 326F DO10xDC24V 2A Other accessories PROFIBUS cables and connectors Set the DIL...

Page 43: ...tor in SIL 3 in ET 200M you can use all the available IM 153 2 interface modules and you can set up the PROFIBUS DP with the copper cable as in standard mode If you don t use a safety protector in SIL 3 in ET 200M you must connect the PROFIBUS DP lines the S7 F System and the S7 400H programmable controllers with fiber optic cables as described in the S7 F FH Programmable Controllers Additional In...

Page 44: ...on created you can change the name by double clicking the hardware object or right click the Open Object pop up menu command 4 Insert the individual hardware components of the SIMATIC 400 from the Hardware Catalog window you can open the catalog with View Catalog by dragging and dropping them to the station window 5 First place the UR2 mounting rack from the RACK 400 catalog 6 Insert the standard ...

Page 45: ... module Right click to choose Edit Symbols from the pop up menu and enter symbolic names for all the channels You will need the symbolic names for the channels to create the user program 12 Double click to open the properties dialog box and select Enable Diagnostic Interrupt and Safety Mode with 1oo1 Evaluation on the Inputs tab 13 Insert the output module SM 326F DO10xDC24V 2A from the DO 300 cat...

Page 46: ...nction blocks must be inserted in run time groups Function Blocks have not been placed yet However you can setup a run time group to be the default destination for new F Blocks 1 Within your project in SIMATIC Manager click on the Charts folder 2 Open the F Blocks chart by double clicking on it 3 Open the Run Sequence either by pressing Control F11 or selecting Edit Run Sequence within the CFC Edi...

Page 47: ...odule channels 0 and 1 input value is at the Q output of the F_CH_DI FB 4 Interconnect the VALUE input with the symbolic names for channel 0 e g E24 0 and channel 1 e g E24 1 using the right mouse button and Interconnection to Address 5 Assign a value of 1 to the ACK_NEC input in the event of an error user acknowledgment at ACK_REI is required for reintegration 6 Place two F_CH_DO F channel driver...

Page 48: ...word will be requested on future compiles You will be prompted for MAX_CYC time for every OB3x with a failsafe program After the charts have been compiled the following control blocks are integrated automatically by the S7 F Systems option package In the F CycCo Obxx chart F_CYC_CO F_TEST and F_TESTC for tests In chart F_TestMode the F_TESTM for Test Mode management In chart F_RtgDiagxx the F_PLK ...

Page 49: ... safe blocks are yellow and marked with an F to distinguish them from standard charts Downloading the Program to the CPU Download the CFC charts to the CPU by means of the PLC Download to Module menu command 2 2 4 Starting Up the S7 F System Start the programmable controller by switching the mode selector to RUN P and carrying out a warm restart on the CPU PLC Operating Mode If you apply voltage t...

Page 50: ...e front connector in the SM 326F DI24xDC24V again After a reintegration time of approx 1 minute the SAFE LED comes on again and the SF LED goes out The EXTF LED on the CPU goes out The module is reported as OK in the diagnostic buffer of the CPU In test mode you can still see that the driver block is reporting an error If for example you apply voltage at terminal 5 for input 8 0 the Q output of th...

Page 51: ...us DP Cable Safety Protector Module For this example you need the following hardware components A programmable logic controller consisting of 1 mounting rack UR2 H 2 power supplies PS 407 10A 2 CPU 417 4H 4 synchronization modules 2 fiber optic cables An ET 200M distributed I O device with an active backplane bus consisting of 1 power supply PS307 5A 2 IM 153 2 Bus Interface Modules 1 Safety Prote...

Page 52: ...de depends on the safety class and the use of a safety protector in the ET 200M configuration If you comply with the requirements of safety class SIL 2 or use a safety protector in SIL 3 in ET 200 M you can use the IM 153 2 for S7 F FH Systems or the IM 153 3 only for the S7 FH Systems and you can set up the PROFIBUS DP with the copper cable as in standard mode If you don t use a safety protector ...

Page 53: ...g rack 5 Insert the standard power supply PS 407 10 A in slot 1 6 Place the CPU 417 4H V3 1 in slot 3 and create a subnet Insert two synchronization modules H Sync module at IF1 and IF2 7 Open the properties dialog box of the CPU enter a password for the CPU on the Protection tab and select the CPU Contains Safety Program check box 8 Duplicate the entire mounting rack and connect the CPU to a seco...

Page 54: ...s are generated and stored in the program container 17 Download the hardware configuration to the CPU of rack 0 or CPU0 for short Note that in SIMATIC Manager all the blocks are stored only in CPU0 the upper one of the two 2 3 3 Fault Tolerant S7 FH System Creating a Fail Safe User Program Procedure 1 Create the same fail safe CFC user program as described for the S7 F Systems 2 After the charts h...

Page 55: ... DO10xDC24V 2A with User Acknowledgment 1 Break the connection to your actuator or load resistor for example on channel 0 2 Apply voltage to channel 0 of the input module e g from the terminal Vs Your output should be set now but if the output module reports a fault the SF LED comes on and the channel LED is off 3 Display the diagnostic buffer of the CPU and of the output module by means of Diagno...

Page 56: ...Getting Started Fail Safe Systems 2 18 A5E00085588 03 ...

Page 57: ...bed in the STEP 7 and hardware manuals Which Safety Mechanisms Are Relevant to You The safety related mechanisms in the CPU hardware and operating system are Access protection for F Systems which helps to avoid faults Self tests which help to detect and identify faults The safety related functions for fault detection and fault reaction are mainly located in the Safety Program and in the F I Os The...

Page 58: ...e parameter assignment of the F I Os in the online help system and in the section Configuring Parameter Assignment of F I Os Safety Mode of the Safety Program The Safety Program usually runs on the CPU in safety mode In other words all the safety mechanisms for fault detection and fault reaction are activated It is not possible to change the Safety Program during operation when it is in safety mod...

Page 59: ... failure occurs is disabled leaving other run time groups activated Full and Partial Safety Program Shutdown F_SHUTDN input SHUTDOWN Full and all F run time groups disabled This state can be reversed by two methods restarting the shutdown logic through the RESTART input on the F_SHUTDN block or by stopping the F CPU and forcing a coldstart You can find information on restart behavior startup prote...

Page 60: ...m or Cold Start of the Safety Program additional blocks DB_RES and calls that must not be changed are automatically inserted in the OB 100 and blocks DB_INIT are automatically placed into F_DbInit at compile time Startup Protection A startup of the Safety Program using the initial values can also be triggered by a handling error or an internal error If the process does not permit this a reaction t...

Page 61: ...t result are checked in the Safety Program by an F test block F_TESTC that is inserted automatically when the Safety Program is compiled Command Tests Some commands are tested in the quickest cycle of the Safety Program These command tests are implemented in the F_TEST block which is included automatically when the Safety Program is compiled 3 6 Logical and Timed Based Program Execution Monitoring...

Page 62: ... for OBs with F run time groups is assigned in CFC as an input parameter of the F Block F_CYC_CO An F_CYC_CO F Block must be present in each F cycle i e in each cyclic interrupt OB with F Blocks This Block is placed automatically during compilation In the event of an F cycle time overrun the associated F run time groups will become disabled causing all associated outputs to revert to the safe stat...

Page 63: ...he two counters is less than 10 ms within a time period of 50 s the time is considered correct If the discrepancy is larger a hardware fault is assumed and the Safety Program is disabled The maximum inaccuracy of user times can be calculated on the basis of the following table User Times From To Max Inaccuracy 10 ms 50 s 5 ms 50 s 100 s 10 ms n 50 s n 1 50 s n 1 5 ms The actual inaccuracy is consi...

Page 64: ...ng and deletion of F Blocks from SIMATIC Manager Downloading to the EPROM memory card on the CPU from SIMATIC Manager Memory reset from CFC or SIMATIC Manager Modification of F constants in CFC test mode Password Validity Legitimization is valid without restrictions until explicitly withdrawn via the corresponding SIMATIC Manager function or until all Step 7 applications have been terminated Passw...

Page 65: ...CPU 6 2 Safety Program F run time group F run time group F CPU F I O F driver 1 5 3 4 Safety Program F CPU 6 2 Standard program Legend Safety related Non safety related Number Communication Between And Safety Related 1 Safety Program in F CPU Standard program No 2 Standard program Safety Program No 3 F run time group RTG F run time group RTG Yes 4 Safety Program in F CPU F I O Yes 5 Safety Program...

Page 66: ...y Program for monitoring purposes for example then a block for the conversion of data F_Fdata type_data type must be inserted in CFC to convert the F data types to standard data types These blocks can be found in the Failsafe Blocks User Blocks library The F_Fdata type_data type blocks must be called in the standard user program CFC chart standard run time group If data from the standard user prog...

Page 67: ..._S_BO and F_R_BO or F_S_R and F_R_R is established by means of interconnection in CFC The F_R_BO and F_R_R blocks have inputs to supply substitute values for the ouptuts when a fault is detected e g Timeout See Also Programming Communication Between F Run Time Groups Within a CPU 3 9 3 Communication Between the F CPU and F I Os Safety Related Communication Between the F CPU and F I Os Via PROFIsaf...

Page 68: ...ommunication From To Connection Type Safety Related 1 S7 FH Systems S7 FH Systems S7 connection fault tolerant Yes 2 S7 F FH Systems S7 F Systems S7 connection fault tolerant Yes 3 S7 F Systems S7 F Systems S7 connection Yes The fail safe blocks F_SENDBO and F_RCVBO or F_SENDR F_RCVR are available for safety related communication between safety programs on different F CPUs This means a fixed numbe...

Page 69: ...red between them Communication with Standard CPUs Direct communication between a Safety Program and a standard CPU is not possible Communication can only take place in a standard program on the F CPU after the F data types have been converted into standard data types by means of a conversion block Communication in the standard program uses the standard communication functions See Also Programming ...

Page 70: ...Safety Mechanisms Fail Safe Systems 3 14 A5E00085588 03 ...

Page 71: ...an F System Rules for F Systems In addition to the rules that generally apply to the arrangement of modules in an S7 400 the following conditions must be complied with in the case of an F System Note An ET 200S can contain Fail Safe Modules and Standard Modules In safety mode fail safe signal modules can only be used in an ET 200M with the IM 153 2 FO or a Safety Protector Module Exception The S7 ...

Page 72: ...which can be used in safety mode depends on the safety class and the use of a safety protector in the ET 200M configuration If you comply with the requirements of safety class SIL 2 or use a safety protector in SIL 3 in ET 200M you can use the IM 153 2 for S7 F FH Systems or the IM 153 3 only for the S7 FH Systems and you can set up the PROFIBUS DP with the copper cable as in standard mode If you ...

Page 73: ...elect the CPU Contains Safety Program option on the Protection tab Important Parameters for the CPU in the S7 FH System To prevent time monitoring during a master standby switchover you must configure the OB3x provided for Safety Programs with a priority 15 on the Cyclic Interrupts tab The cyclic interrupt OB of the Safety Program must be configured as a Cyclic Interrupt OB with Special Handling O...

Page 74: ...ans of SFC calls is only possible in standard mode for the F SM It is not possible to change to safety mode in this way You can find more information on the parameter assignment of F I Os in manual 1 refer to the references in Appendix B and in the context sensitive help information in HWCONFIG Symbolic Names Note Enter a symbolic name for each input or output channel of the configured F I Os In t...

Page 75: ...nd off the transmission of channel specific diagnostic messages e g wire break short circuit of the F signal modules to the CPU The group diagnosis can be switched off on unused input or output channels in the interests of availability This results in the following behavior Fail Safe Input Modules If the group diagnoses of the input channels are switched off safe 0 values are also sent to the CPU ...

Page 76: ...e Select the Safety Mode option on the Inputs tab and set any additional parameters 3 Assign parameters to the second module Select the Safety Mode option on the Inputs tab and set the same parameters as for the first module 4 For the second module set the Redundancy 2x option on the Redundancy tab 5 In the Find Redundant Module dialog box select the module you want 6 You can set the discrepancy t...

Page 77: ...the protection level set Downloading of the whole program from CFC or SIMATIC Manager Downloading of Safety Program changes from CFC Downloading and deletion of F Blocks from SIMATIC Manager Downloading to the EPROM memory card on the programming device Memory reset from CFC or SIMATIC Manager Safety Note Modify Variables can cause Shutdown You cannot change variables and values on F Block I Os on...

Page 78: ... people with authorization People with authorization must explicitly cancel the authorization when they exit the ES programming device If this is not rigorously adhered to a screen saver with a password accessible only to authorized people must also be used When the standard program is changed in safety mode access rights should not be obtained using the CPU password because otherwise the Safety P...

Page 79: ...afety Program You must enter the existing password in the Old Password field Use the Cancel Access Rights button to immediately stop the one hour persistence of Access Rights since the last time the password was entered Following this any user must provide the Safety Program Password explicitly for any operation that normally requires it regardless of how much time has passed since the last entry ...

Page 80: ... of the specified actions during a session is more than an hour ago Safety Note Authorized use of Password If access to the ES or programming device is not limited by means of access protection to those individuals authorized to modify Safety Programs the efficacy of the password protection must be ensured by means of the following organizational measures on the ES programming device The password ...

Page 81: ... recalculate the monitoring time by reducing the CiR Synchronization Time To reduce the CiR Synchronization Time you have the following possibilities reduce the amount of input and output bytes of the master system reduce the amount of guaranteed slaves of the master systems to be changed reduce the amount of changing master systems within one CiR event To calculate the safety monitoring times use...

Page 82: ...Deactivating Safety Mode Download your safety program Download your configuration via CiR Activate safety mode see Activating Safety Mode Deleting F I O s via CiR To delete an already existing F I O from your System follow these steps Delete the F I O within HWCONFIG according to the manual How to Modify the System during Operation with CiR handle it like a standard module Modify your safety progr...

Page 83: ...and CPU schematically S7 F System F SMs Standard SMs User STEP 7 project CFC Standard F System F User s Charts Libraries Programming device ES Hardware Failsafe Blocks V1_2 Control Blocks Simulation Blocks User Blocks Standard Program Safety Program The user program in the CPU is usually made up of a standard and a fail safe section The safety functions are programmed in CFC using fail safe blocks...

Page 84: ...d output signals of the F I Os Conversion F_BO_FBO F_I_FI F_R_FR F_TI_FTI Conversion from standard to F data types F_FBO_BO F_FI_I F_FR_R F_FTI_TI Conversion from F to standard data types F_QUITES Fail safe acknowledgment via the ES OS F_FR_FI Conversion from F_REAL to F_INT RTG RTG Communication F_S_BO F_S_R F_R_BO F_R_R Communication between F run time groups CPU CPU Communication F_SENDBO F_SEN...

Page 85: ...data flow monitoring F_TESTC Monitoring of the self tests of the operating system F_TEST Self tests executed in each cyclic interrupt cycle F_TESTM Switching of safety mode on and off F_SHUTDN DB_INIT RTG_LOGIC FAIL_MSG Safety Program shutdown and restart logic blocks Simulation blocks F simulation blocks that are used in the offline simulation of the Safety Program with PLCSim 5 0 PLCSim 5 1 does...

Page 86: ... The hardware components of the project and in particular the CPU and the F signal modules must be configured and assigned parameters Basic Procedure The following basic procedure applies when creating a Safety Program Insert F function blocks Parameterize and interconnect F function blocks Insert CFC charts Compile Safety Program Load Safety Program Test Safety Program Change Safety Program On si...

Page 87: ...of F data types must not be manipulated Control blocks inserted automatically must not be changed Parameters not visible in F blocks and parameters marked as non interconnectable UDA s7_visible s7_link must not be interconnected or parameterized Fail safe blocks must not be manipulated deleted inserted offline or online in the block container Online modifications of the fail safe I Os in SIMATIC M...

Page 88: ...rogram has to be compressed carry out the compression before it is accepted The fail safe blocks in the Fail safe Blocks library are highlighted in color in the CFC chart They are colored yellow to indicate that it is a safety program The CFC charts and run time groups with F Blocks are yellow and marked with an F to differentiate them from the charts and run time groups of the standard program ...

Page 89: ...ble in the safe data format As of about 1000 blocks you have to distribute the Safety Program to several F run time groups otherwise it can t be compiled 110 Run time groups maximum Specifications for the Safety Program When you design a user program for the S7 F FH Systems you must also make the following decisions in addition to what is required for a standard system Which sections of the user p...

Page 90: ...s in the chart folder in the usual way By choosing the Insert S7 Software CFC menu command in SIMATIC Manager By choosing the Chart New menu command in the CFC editor Chart in Chart In order to structure a program according for example to process related aspects you can use a CFC chart within a CFC chart Chart in Chart This enables you to use solutions already in existence as often as you want You...

Page 91: ...during compilation We recommend the following to achieve F cycles of an equal length If F and standard run time groups are combined in a cyclic interrupt OB the F run time groups should be executed before the standard run time groups Note A Failsafe Run time group must keep the default values for the Scan and Offset Run Time Properties as follows Scan 1 Offset 0 It is unsafe to change these values...

Page 92: ...F module drivers Fail safe block s instances must not be placed in multiple F run time groups This may occur due to an F run time group being copied to or inserted in another task You must not use the names of the fail safe blocks for other blocks or rename the fail safe blocks Safety Note Symbol Table Entries for F Blocks cannot be changed The names of the fail safe blocks in the Symbol column of...

Page 93: ...RTG_LOGIC block type DB_RES F_CYC_CO F_PLK F_PLK_O F_TEST F_TESTC F_TESTM The following F module drivers can be inserted automatically through generate module drivers or manually F_M_DI24 F_M_DI8 F_M_AI6 F_M_DO8 F_M_DO10 Safety Note Do not change automatically inserted F Control Blocks The automatically inserted F Control Blocks are visible after compilation You must not delete or change these blo...

Page 94: ...piled By default these I Os are not visible but they can be made visible You must not change the I Os that are supplied automatically You can find out whether an I O is automatically supplied in the block description under Fail Safe Blocks or in the online help system EN ENO I Os of the F blocks and run time group enables must not be interconnected EN must not be assigned the value 0 FALSE We reco...

Page 95: ...fail safe I O of an F Block proceed as follows 1 Open the sheet view of the F Block 2 Select the I O and open Object Properties by double clicking it for example Result The Select Structure Element dialog box appears 3 Double click the first structure element in the Select Structure Element dialog box Result The Properties Inputs Outputs dialog box appears 4 Enter the desired value in the Value te...

Page 96: ...ts at a later date Run Sequence Within a Run time Group Note The run sequence is checked at the beginning of compilation of the Safety Program The following F Blocks are placed in the correct run sequence automatically when the Safety Program is compiled F Control Blocks including F Module Driver Blocks Blocks for F Communication Between CPUs F System Blocks Blocks for Converting Data Between Stan...

Page 97: ...lthough the CFC Editor automatically creates the necessary logic for the user s Safety Program it may not delete it once the user deletes the Safety Program If the user wishes to delete the Safety Program the user may have to manually delete the Safety Program s system level run time groups You may arrange your fail safe user logic in any run time order following the above guidelines You may mix s...

Page 98: ... is required for each input or output channel of an F signal module used Exception Only one F channel driver is required for two redundant channels You must insert the required F channel drivers in the CFC chart F module drivers for PROFIsafe communication between the safety program and the F I Os One F module driver is required for each module You can insert and interconnect the required F module...

Page 99: ... for the digital input module SM 326 DI 24xDC24V and for the analog input module SM 336 AI 6x13Bit normally have the same configuration with the corresponding number of channels Example F Driver for Digital Output Module SM 326 DO 10xDC24V 2A F channel driver F module driver Channel 00 F_CH_DO CHADDR VALUE I Symb addr Chan 00 Module diagnostic F_M_DO10 TIMEOUT LADDR LADDR_R CHADDR00 CHADDR09 DIAG_...

Page 100: ...n the symbol table as reserved or not used Procedure When working with F driver blocks proceed as follows 1 Insert the correct F channel driver for each configured input output channel You only have to insert one F channel driver for each pair of redundant channels 2 Interconnect the VALUE I O in each F channel driver with the symbolic name of the associated channel This step is required for all F...

Page 101: ...the F module drivers F_M_DI8 or F_M_DI24 if you want to evaluate in the standard program whether discrepancy errors have occurred optional see Descriptions of the F Driver Blocks You can use this information to program messages about discrepancy errors to the OS 11 Place and interconnect the F module drivers manually or automatically Note You can read out byte 0 of DIAG_1 DIAG_2 for service purpos...

Page 102: ...ail Safe Systems 5 20 A5E00085588 03 At compilation of the Safety Program In CFC choose the Chart Compile Charts as Program menu command Select the Generate Module Drivers check box in the dialog box Confirm with OK ...

Page 103: ...of redundant modules allocate the logical start address of the second module to the LADDR_R I O in addition We recommend that you use the same instance name for the F module as you used in HWCONFIG for the associated F I O F_Name_x See the chapter entitled Parameterization of the F I Os Simulation Mode For each input channel you can specify a simulation value instead of the current one received fr...

Page 104: ...In the event of an error with digital or analog input channels if SIM ON TRUE then simulation values are placed on the block s output instead of the substitute values Error Handling and Diagnostics You can find information on the diagnostic outputs of the F driver blocks under Error Handling of Driver Blocks Error Information at the Outputs of the Driver Blocks ...

Page 105: ...NAMUR MOD_D1 FB 93 SM 326F DI 24xDC24V MOD_D2 FB 93 SM 336F AI 6x13Bit MOD_D1 FB 93 SM 326F DO 10xDC24V 2A MOD_D1 FB 93 Per DP master system SUBNET FB 106 Per rack RACK FB 107 In contrast to the standard drivers the F driver blocks are not interconnected with the PCS 7 blocks Note Messages about the following are issued from the MOD SUBNET and RACK blocks parameter assignment errors module removed...

Page 106: ...es are forwarded to the safety program regardless of the current process signal The F channel driver of a passivated digital input channel outputs the substitute value 0 with the quality code QUALITY 16 48 and the output QBAD 1 is set Depending on the parameterization at the input SUBS_ON the F channel driver of an analog input channel outputs a substitute value with the quality code QUALITY 16 48...

Page 107: ...caused by setting PASS_ON 1 no user acknowledgment is required for reintegration Automatic Reintegration If the input ACK_NEC is not set after the correction of the fault error with the exception of communication errors reintegration depassivation of the affected channel is carried out automatically In the case of input modules immediately In the case of output modules within minutes due to the ne...

Page 108: ...tion of the F I O after Communication Errors Reintegration After User Acknowledgment If the input ACK_NEC is set the reintegration of the input or output channel does not take place until after a user acknowledgment with a positive edge at the input ACK_REI of the F channel drivers At the output ACK_REQ of the F channel driver a value of 1 indicates that the error has gone and that a user acknowle...

Page 109: ...ntegration through F_QUITES The non safety related input IN of F_QUITES must not be interconnected with a signal or defined by a signal that automatically produces the above mentioned condition change from 6 to 9 within a minute for a fail safe acknowledgment The fail safe acknowledgment can only be produced by means of conscious manual input on the ES OS not automatically in the program Behavior ...

Page 110: ...the initial values are as follows Programming an interlock of the outputs after startup via the passivation inputs PASS_ON at F_CH_DO This entails the COLDSTRT output of the F FB F_START being interconnected with the S input of an SR flipflop F_SR_FF and the Q output of F_SR_FF being interconnected with PASS_ON of F_CH_DO This interlock can then be enabled manually Using a switch that is requested...

Page 111: ...loop you can ensure that all the F channel drivers in a group output substitute values for an identical length of time after startup of the Safety Program with the initial values see also group passivation If you don t want group passivation don t interconnect PASS_OUT outputs with F_OR4 and only use the wait loop via F_START and F_TP If you use group passivation you only need the wait loop via F_...

Page 112: ...default value of the dialog box will be a suggested value Safety Note Default MAX_CYC The default setting for the maximum cycle monitoring time is 3s Please check whether this setting is suitable for your process and if required change it Changing the F Cycle Time After the OB3x cycle times have been changed the Safety Program must be recompiled This is necessary at least if as a result an F_TESTM...

Page 113: ...ks The following fail safe blocks are available for communication between Safety Programs on different CPUs Block Description F_SENDBO F_RCVBO Safe transfer of 20 parameters of the F data type F_BOOL F_SENDR F_RCVR Safe transfer of 20 parameters of the F data type F_REAL This means a fixed number of up to 20 F parameters of the F data type F_BOOL or F_REAL can be safely transferred Prerequisites T...

Page 114: ... inputs of the send and receive blocks with the desired monitoring time You can find information on how to calculate this in the section entitled Configuring the Monitoring Times for S7 F FH Systems Note It can only be guaranteed with fail safety that a signal level to be transferred will be detected on the sender side and transferred to the recipient if it is present for at least as long as the s...

Page 115: ...Programming Fail Safe Systems A5E00085588 03 5 33 Examples Receive Block Send Block ...

Page 116: ...type F_BOOL Procedure 1 Insert an F Block of the type F_S_x F_S_R or F_S_BO in the F run time group from which data is to be transferred 2 Insert an F Block of the type F_R_x F_R_R or F_R_BO in the F run time group to which data is to be transferred 3 Interconnect the SD_R_xx input of the F_S_R or the SD_BO_xx input of the F_S_BO with the send data 4 Interconnect the RD_R_xx outputs of the F_R_R o...

Page 117: ...Programming Fail Safe Systems A5E00085588 03 5 35 Example Extract from the Chart of the Sender Run Time Group Example Extract from the Chart of the Receiving Run Time Group ...

Page 118: ... to standard TIME Rules for F Conversion Blocks If data is to be exchanged between the F and the standard user programs you must not interconnect the inputs and outputs directly Instead you must use separate F conversion blocks from the F library for these functions that can convert to and from the safety data type Please comply with the following rules when you insert and interconnect F conversio...

Page 119: ...nect the inputs and outputs of the standard data type with the same type of signals from the standard user program in each case Safety Note Use F_LIM_R for plausibility check of standard to F data conversion The F_BO_FBO F_I_FI F_TI_FTI and F_R_FR blocks only carry out data conversion This means you must program additional measures for plausibility checks in the Safety Program for example using F_...

Page 120: ...8 03 Example Converting Standard Data Types to F Data Types Section from an F chart showing conversion from REAL to F_REAL Example Converting F Data Types to Standard Data Types Section from a standard chart showing conversion from F_BOOL to BOOL ...

Page 121: ...vating Safety Mode Activating Safety Mode Compiling a Safety Program Creating Fail Safe Block Types Downloading a Safety Program Downloading the Entire Safety Program Changes to the Safety Program in RUN Mode Downloading Changes Testing the Safety Program Displaying Information Saving reference data Comparing Safety Programs Logging the Safety Program Printing the Safety Program ...

Page 122: ...ffects can occur The information on the downloading sequence for download changes in the section entitled Changing the Safety Program in RUN Mode will give you an overview of this Wherever possible the standard program and the Safety Program should only be changed separately and the changes downloaded because otherwise an error could be downloaded at the same time into the standard program and the...

Page 123: ...r Active is displayed in the Safety Mode text box If yes continue to the next step if not terminate the procedure because safety mode is already inactive 6 Click the Safety Mode button and enter the password for the safety program if necessary Note If the validity time of one hour has elapsed the password for the safety program is requested again the next time safety mode is deactivated and is the...

Page 124: ...ct the online view in the dialog box that appears 4 Enter the CPU password if it is requested 5 Check whether Inactive is displayed in the Safety Mode text box If yes continue to the next step if not terminate the procedure because safety mode is already active 6 Click the Safety Mode button 7 Confirm that safety mode is to be activated again with OK Result Safety mode is activated again and Activ...

Page 125: ...anges are detected in fail safe blocks Unplaced F Blocks from the block container are automatically deleted when the safety program is compiled Password Protection During Compilation of the Safety Program If changes to fail safe blocks are detected at compilation the password for the safety program is requested If the password entered is correct the entire Safety Program is compiled or alternative...

Page 126: ...locks must not be used in new block types The system blocks F_S_BO F_S_R F_R_BO F_R_R All control blocks Nesting of newly created fail safe block types is not permitted An output of an F Block must not be connected to two chart I Os The run sequence is not corrected automatically at compilation The sequence defined during creation is retained Note If the run sequence is different to the data flow ...

Page 127: ...block type Select the options Compile for PLC S7 400 and Optimize Code for Downloading Changes in RUN Mode and confirm with OK Result A new block type is created that can be used in safety programs 5 Insert the new block type in a Safety Program and test it there 6 Accept the Safety Program of the new F Block type Using a New Block Type in the Safety Program If you use a fail safe block of a newly...

Page 128: ... the rules for the standard case and the rules for Safety Programs apply to the downloading of changes When you use a new version of the Fail safe Blocks library you must also recompile the F Block type after you have imported the new blocks In this way you ensure that the F Blocks in the Safety Program all have the same library version F Channel Drivers in F Block Types If F channel drivers are u...

Page 129: ...ire Safety Program is downloaded there should be a memory reset of the CPU if it contains an old Safety Program The hardware configuration data of the station is downloaded to the CPU The user program is compiled without error You have access rights to the PLC There is an online connection between the CPU and your programming device ES Rules for Downloading The Safety Program can only be downloade...

Page 130: ...th the overall signature in the accepted printout see Checking the Overall Signatures in the section entitled Initial Acceptance of a Safety Program In the case of S7 FH systems you have to make this comparison for both CPUs Working With Programs on a Memory Card If you use the Safety Program on a memory card remember the following Safety Note Safety Program on Memory Card Before you switch the S7...

Page 131: ...d run time groups or tasks These blocks are downloaded in sequence in such a way that called blocks are available for every phase i e the CPU continues to run For example new run time group FCs are only downloaded when newly called blocks in them have already been downloaded All blocks that are no longer required are deleted during this downloading phase All changed input or output parameters of b...

Page 132: ...ses The monitoring times must be taken into consideration see below Changes to the OB cycle time parameter assignment of the CPU is supported for the S7 400FH with the CPU 417 4H V2 0 and above Movement of run time groups deletion and insertion to new tasks OBs Safety Note OB Cycle Times Changes Restricted You must not change OB cycle times or move run time groups unless the time and speed relatio...

Page 133: ...f the F_CYC_CO is invalid a new value will be requested at compile time Moving run time groups This corresponds to changing the OB cycle time for the run time group to be moved see above Direct changing of monitoring times for F Blocks The monitoring times must fit the OB cycle time In the case of F driver blocks it is not possible to make changes during operation see Impermissible Changes First C...

Page 134: ...n the old one as the source This change can be downloaded and results in a consistent switch to the new data paths Finally the now superfluous interconnection to the old input parameter of the send block can be deleted on the sending side The situation is particularly crucial if a communication partner is replaced i e if communication is supposed to go to another run time group or to another CPU T...

Page 135: ... can only receive the modified parameter assignment in the S7 FH System as well after removal and insertion The F I Os detect a CRC error after the first change has been downloaded and output substitute values Like parameter changes in HWCONFIG changes to the properties of existing CPU CPU connections are not bumpless if properties are modified that go to the network addresses In this case as well...

Page 136: ...d to be a change Safety Note Password Protection Level When the standard program is changed in safety mode access rights should not be obtained using the CPU password because otherwise the Safety Program can also be changed The protection level must instead be set accordingly Changes to the Safety Program You can only download changes to the CPU in RUN mode if safety mode is inactive Note If simul...

Page 137: ...se the Options Edit Safety Program menu command in SIMATIC Manager In the Safety Program S7 Program dialog box activate the Online and Offline options one after another and check whether the overall signatures online and offline match see Checking the Overall Signatures in the section entitled Initial Acceptance of a Safety Program If they match downloading has been successfully completed If not r...

Page 138: ... in CFC test mode and change non interconnected inputs of fail safe blocks Online changes to fail safe outputs and automatically assigned I Os are not permitted and result in a Safety Program disable Safety Note ES changes can change signature When you use the ES changes to non safety related parameters can result in a change to the overall signature of the offline Safety Program This means that t...

Page 139: ...safety mode deactivated transferred to the CPU using Download Changes To make sure that all the changes made in the test project have been made correctly in the original project as well you can use the chart comparison function in the F add on package to compare the original project with the simulation project in SIMATIC Manager via Options Edit Safety Program see Comparing Safety Programs Dependi...

Page 140: ... you want the F Blocks to be replaced by the simulation blocks 6 In the Copy dialog box that appears confirm that individual objects are to be overwritten with Yes or that all objects are to be overwritten with All Result The F Blocks of the Safety Program are overwritten by simulation blocks of the same name from the Failsafe Blocks F Simulation Blocks library Inactive is displayed in the text bo...

Page 141: ...st not have access rights by means of the CPU password When the simulation is switched on all the F Blocks in the offline block container of the program are replaced with a simulation capable version from the Fail safe Blocks F Simulation Blocks library The blocks in this library are only suitable for simulation purposes and must not be downloaded to the CPU These blocks have the same interface as...

Page 142: ...r simulation on the toolbar of SIMATIC Manager or by choosing the Options Simulate Modules menu command PLCSim then processes all the programming device functions such as downloading module status etc instead of the real modules You can find information on working with S7 PLCSim in manual 12 2 The system data must be downloaded to PLCSIM via HWCONFIG 3 When downloading the Safety Program into PLCS...

Page 143: ... the simulation takes place on a programming device or ES with a physical online connection to the CPU you must not deactivate safety mode and you must not have access rights by means of the CPU password The driver blocks do not access the I O Input signals of F input modules can be modified in the process input image PII of PLCSim Communication between CPUs cannot be simulated ...

Page 144: ...RID You must not change output parameters and automatically supplied I Os Prerequisites Before you switch on CFC test mode make sure that the following prerequisites are met The CPU must be in RUN Safety mode of the Safety Program must be deactivated If it is not you will be requested to deactivate safety mode when you try to change the first parameter Note Changing fail safe constants in safety m...

Page 145: ...of the F Block 3 Select the block I O that you want to change and open Object Properties with a double click for example Result The Select Structure Element dialog box appears 4 Double click the DATA structure element in the Select Structure Element dialog box Result The Properties Inputs Outputs dialog box appears 5 Enter the desired value in the Value text box and confirm with OK ...

Page 146: ... is not possible you will receive a message requesting you to eliminate the cause of the error You then have to repeat steps 3 to 6 Result The new value is downloaded to the CPU and displayed at the I O It is not possible to compile and download changes after CFC test mode has been deactivated until safety mode has been activated because all the necessary changes were made when each individual par...

Page 147: ...menu command Result The Safety Program S7 Program dialog box appears The following information on the online on the CPU or offline in the programming device ES Safety Program is displayed A list of all the blocks with signatures and signatures of the initial values Date and signature of the last compilation and the most recently saved reference data An indication of whether the source code load me...

Page 148: ...gram folder e g S7 Program in SIMATIC Manager 2 Choose the Options Edit Safety Program menu command The Safety Program S7 Program dialog box appears 3 Click the Save Reference button You will then be asked again if you want to save the reference data You have two options Confirm with Yes if you want all the information on the blocks of the current project to be saved as reference information Any e...

Page 149: ...ms Programs available for comparison include the online program in the F CPU the current offline program the previous compilation of the current program and the saved reference program This dialog may be used as a tool to indicate that a program has not changed for example when compared to a saved reference program Program Reference Choose one of these option buttons to specify whether the current...

Page 150: ...Project the current offline program Before Last Generation the previous compilation of this program Online this program as currently loaded in the F CPU Other Project any offline program use Browse button to select Browse Button Use this button and the Open dialog box to select the offline program of any project that you want to compare Start Button Click this button to start the comparison View O...

Page 151: ... group information is available Difference Display Chart View The differences between the two charts are displayed in a hierarchical structure as in Explorer All the blocks in this structure are displayed under the assigned task and run time group Information on possible differences is displayed for each block These differences refer to the task run time group in which the block is used the parame...

Page 152: ...B1 to I DB2 Block has another instance DB Run position changed Block in different run position within the run time group Interface changed Number of parameters changed Interconnection changed from Connect1 to Connect2 Interconnection of a parameter changed Result of the Comparison of the Safety Blocks online program If the Compare with field selects the online program only the Block View differenc...

Page 153: ... only used when the overall signatures already match indicating that the offline program has not changed since the last download to the F CPU Checking this option allows the more thorough check for any parameters that may have been changed online by a method other than compile and download View option Filter F System checksums This option suppresses the display of expected differences that will oc...

Page 154: ...Programming Fail Safe Systems 5 72 A5E00085588 03 ...

Page 155: ...NOT IDENTICAL are appended to the caption of this group of windows to indicate clearly whether the overall signatures of the two programs match or differ Print Button Click this button to print the result of the comparison Go to Button When Chart View is selected you may select any block or parameter in the displayed differences window and click this button to go to the block in question in the CF...

Page 156: ...pare with Reference Reference of this program Before Last Generation Status before the last generation of this program Online Online status of this program Program Any offline program Reference Compare with Current project Offline program Before Last Generation Status before the last generation of this program Online Online status of this program Program Any offline program ...

Page 157: ... view You can also see here if the signatures of the F Blocks have changed Safety Note Allowable F Control Block comparison changes At the F_CNT_W input of the F_TESTC block the number of F code blocks FB and run time group FC in working memory is displayed If changes are made to the Safety Program changes to this parameter can be expected in the section of the program that has already been accept...

Page 158: ...ing the Safety Program To request logs on the Safety Program proceed as follows 1 Select the program folder e g S7 Program in SIMATIC Manager 2 Choose the Options Edit Safety Program menu command The Safety Program S7 Program dialog box appears 3 Select the Log button The Logs dialog box appears The following logs are displayed on the individual tabs Consistency check Log of the last consistency c...

Page 159: ... module parameters Chart data all the charts of the program are printed graphically Safety Program data printed report contains Offline Online report status Safety Program name Current Safety Program datestamp and overall signature of Safety Program blocks in the Safety Program block folder Reference program datestamp and overall signature Blocks in the Safety Program as shown in the dialog list b...

Page 160: ...or the on site acceptance of the Safety Program e g by an outside expert The overall signature of the compiled Safety Program appears twice in the printout once in the program information section as a value of the block container and once in the footer as a value from the source see Checking the Overall Signatures in the section entitled Initial Acceptance of a Safety Program ...

Page 161: ... to replace software and hardware components How to uninstall the S7 F FH Systems 6 2 Rules for Operation Below you can find the rules and safety notes for the operation of the S7 F FH Systems PROFIsafe Nodes Safety Note Simulation of PROFIsafe devices not permitted No devices that simulate PROFIsafe nodes can be used on PROFIsafe in safety mode A log analyzer must not for example execute a functi...

Page 162: ...hed back on Take organizational steps to ensure that after a CPU has been replaced both fiber optic cable connections are established before the power supply is switched on You can find information on replacing components in fault tolerant systems in manual 4 Please refer to the references in Appendix B 6 3 Working with the Safety Program You must take into account the following when working with ...

Page 163: ...ges to the Safety Program can be made during operation RUN only if safety mode is deactivated Changing the CFC charts compiling and downloading the changes to the CPU Changing fail safe constants in CFC test mode Changing the Safety Program After making changes to the Safety Program proceed as follows 1 Compile the modified Safety Program 2 Test the Safety Program 3 Check whether the signatures of...

Page 164: ...libraries Compare the overall signature of the newly compiled Safety Program with the overall signature of the accepted Safety Program see Checking the Overall Signatures in the section entitled Initial Acceptance of a Safety Program 2 If the overall signatures are identical the programs are the same 3 If the overall signatures are not identical the program has been changed Proceed in the same way...

Page 165: ...sensors and actuators Passivating Fail Safe Output Modules Passive over the Long Term If a fail safe output module is passivated for an extended period 72h and the fault is not eliminated it is possible for the module to be activated by a second fault thus putting the system in a dangerous state Although the probability of such hardware faults occurring is very slight such unwanted activation of p...

Page 166: ...Operation and Maintenance Fail Safe Systems 6 6 A5E00085588 03 ...

Page 167: ...the accompanying report and Annex 1 of the certificate report entitled Safety Related Programmable Systems SIMATIC S7 400F and S7 400FH on request from Ms Petra Bleicher A D AS RD 423 Fax no 49 9621 80 3146 Note Annex 1 of the certificate report contains permissible version numbers and signatures of fail safe components of the S7 F FH System that have to be checked when the program is accepted The...

Page 168: ...ion in Open Transmission Systems Process Engineering Standard Title Description DIN V 19251 Process and Control Technology MC Protection Equipment Requirements and Measures for Safeguarded Function VDI VDE 2180 1 2 and 5 Safeguarding of Industrial Processing Plants by Means of Process Instrumentation and Control Technology NE 31 NAMUR recommendation Equipment Safety Using Process Instrumentation a...

Page 169: ... 61131 2 Programmable Controllers Equipment Requirements and Tests EN 50178 Electronic Equipment for Use in Power Installations DIN VDE 0110 Insulation Coordination for Equipment within Low Voltage Systems EN 60068 Environmental Testing EN 55011 Limits and Methods of Measurement of Radio Disturbance Characteristics of Industrial Scientific and Medical ISM Radio Frequency Equipment EN 50081 2 Elect...

Page 170: ...IN V 19250 The requirements of the process can be worked out using the risk parameters The requirement class AK to be complied with by the controller can be established using the risk chart This procedure results in an AK requirement class for applications without a product standard Using DIN V VDE 0801 the basic safety requirements can then be established If there is a product standard for an app...

Page 171: ... Safety Integrity Level SIL IEC 61508 defines the probability of failure of a safety function allocated to a safety related system as a target measure Safety integrity level Low Demand Mode of Operation Average probability of failure to perform its design function on demand High Demand or Continuous Mode of Operation Probability of a hazardous failure per hour 4 10 5 to 10 4 10 9 to 10 8 3 10 4 to...

Page 172: ...c Module 1 00 E 05 1 00 E 10 10 years ET 200S PM D F 24VDC PROFIsafe Power Module 1 00 E 05 1 00 E 10 10 years SM 326 DI 24 x DC 24V with diagnostic interrupt 6ES7 326 1BK00 0AB0 1 55E 06 at SIL 2 4 99E 08 at SIL 3 1 77E 11 at SIL 2 5 70E 13 at SIL 3 10 years SM 326 DI 8 x NAMUR with diagnostic interrupt 6ES7 326 1RF00 0AB0 2 74E 06 at SIL 2 4 83E 08 at SIL 3 3 13E 11 at SIL 2 5 51E 13 at SIL 3 10...

Page 173: ... Hour F capable CPU 1 Yes 1 42E 09 SM 326 DO 10 x DC 24V 2A with diagnostic interrupt 6ES7 326 2BF00 0AB0 1 Yes 1 59E 10 SM 326 DI 24 x DC 24V with diagnostic interrupt 6ES7 326 1BK00 0AB0 2 Yes 2 28E 12 Safety related communication 1 00E 09 Total 2 58E 09 7 3 System Configuration The limits for the system configuration of the S7 F FH System are set mainly by the CPU used You can find the relevant...

Page 174: ...eded the monitoring times selected must be sufficiently short Monitoring Times of an F System You must configure the following monitoring times for the F system Parameters of the fail safe blocks Monitoring Block Parameter Monitoring of the F cycle time of the cyclic interrupt OB that contains the safety program F_CYC_CO MAX_CYC Monitoring of safety related communication between F run time groups ...

Page 175: ... should be considerably longer than the minimum monitoring times You can find approximation formulas in the information on calculating the minimum monitoring times or in the Excel table STEP7 S7BIN S7ftimeb xls 3 Use the Excel table STEP7 S7BIN S7ftimeb xls to calculate the maximum response time and check whether the maximum fault tolerance time for the process has been exceeded Safety Note Pulse ...

Page 176: ...e Description Where to Find it TCI Configured cycle time of the cyclic interrupt OB HWCONFIG CPU properties Cyclic Interrupt Execution TP15 Maximum disabling time for priority classes 15 HWCONFIG CPU Properties H Parameters TCiR CiR Synchronization Time From the CiR Object parameters in STEP7 Summarize all CiR Object synchronization times of the simultaneously changing DP buses and place total her...

Page 177: ...upt OB HWCONFIG CPU properties Cyclic Interrupt Execution TCImax Maximum cycle time of the relevant cyclic interrupt OB Monitoring the F Cycle Time section TTR Max target rotation time for the DP master system Properties of the DP master system bus parameters in HWCONFIG TDP_FD Max DP fault detection time Properties of the DP master system bus parameters H Parameters tab in HWCONFIG TDP_SO Max DP ...

Page 178: ... F_RCVR and F_RCVBO when there are no errors the TIMEOUT monitoring time selected must be sufficiently long TIMEOUT T CI F_SEND T CI F_RCV MAX TDelay F_SEND TDelay F_RCV 2 TUSEND MAX MIN TCiR F_SEND 2500 MIN TCiR F_RCV 2500 Note the following Time Description Where to Find it TCI F_SEND Configured cycle time of the cyclic interrupt OB with the call of F_SENDBO or F_SENDR HWCONFIG CPU properties Cy...

Page 179: ...D value from the Internet at http www4 ad siemens de view cs de 1651770 Contribution ID 1651770 Note To activate the monitoring of the maximum communication delay when the standby in the FH system is updated you must assign this parameter a value in HWCONFIG CPU properties H Parameters tab Simultaneous updating in both CPUs is not assumed 7 4 2 4 Monitoring of Safety Related Communication Between ...

Page 180: ...d project in STEP 7 and create a new project for changes When the system is accepted all requirements contained in the report on the certificate that require approval must be taken into account You can archive all data relevant to the acceptance of the F System in SIMATIC Manager File Archive and print it out as required Check Lists for Acceptance You can find the following check lists in the appe...

Page 181: ...nment of the F I Os you can carry out initial acceptance of the configuration of the F I Os The hardware configuration data must be printed out saved and archived along with the whole STEP 7 project Print the Safety Program from SIMATIC Manager using the File Print menu command Select the print range and options as illustrated below to receive a complete printout After a check of the safety releva...

Page 182: ... be printed out and archived together with the STEP 7 project You can find out how to save and archive S7 projects in the basic STEP 7 help system Checking the Printout Print out the whole project as described in the section entitled Printing the Safety Program The printout contains the overall signature as a reference The overall signature appears twice in the printout once in the program informa...

Page 183: ...ed input parameters that are not automatically assigned must be checked in the printout either in the CFC charts or in the section on safety related parameters Input parameters that are not visible in the CFC charts are printed out in the section on safety related parameters If it is easier to check the parameters in the chart than in the section on safety related parameters the parameters should ...

Page 184: ...NEC Acknowledgment required for reintegration F_LIM_HL QH 1 Upper limit violated F_LIM_LL QL 1 Lower limit violated F_RS_FF Q Output F_SR_FF Q Output F_CTUD CV Current count value Switched output parameters are marked with an asterisk on the printout Checking the Signatures Overall signature After the program has been downloaded to the CPU see the sections entitled Downloading the Whole Safety Pro...

Page 185: ...in SIMATIC Manager and activate Online in the dialog box The signature displayed in the dialog box must match the signatures in the accepted printout in the text and in the footer 2 To detect impermissible manipulation e g via test mode in CFC in the working memory of the CPU choose Compare and compare the accepted program with the online program in the dialog box Any manipulated parameters are di...

Page 186: ...m to the CPU 5 Carry out a functional test of the changes When you check the printout and carry out the functional test only the new sections and sections with changes have to be checked To identify these the new program is compared with the accepted program The accepted program must be saved in another project Click Browse and enter the path of the accepted program Changes to the safety relevant ...

Page 187: ...vant F channel driver F_CH_xx Changes to the network configuration in NetPro can be recognized by the change to the CRC_IMP parameter of the relevant F communication blocks F_RCVxx and F_SENDxx You can find rules and information on how to proceed in the case of changes to the Safety Program in the section entitled Operation and Maintenance Modifying the Safety Program ...

Page 188: ...ibilities and Qualifications Safety requirements relating to the system specific use of the S7 F FH Systems can be met by allocating responsibilities as follows The process experts and the operators for the safety concept of the system including the definition of safety relevant and non safety relevant functions The independent expert for the safety related acceptance testing of the system The pla...

Page 189: ...group Fail safe blocks are available in the following block families DRIVER Driver Blocks for F I Os COM_FUNC Blocks for F Communication Between CPUs F_SYSTEM F system blocks CONVERT Blocks for converting data between standard and safety sections F_CTRL F Control Blocks BIT_LGC Logic blocks with the BOOL data type COMPARE Comparison blocks for two input values of the same type FLIPFLOP Flipflop bl...

Page 190: ...LEM parameters You must not change the PAR_ID and COMPLEM components after the Safety Program has been compiled since this might result in serious errors remaining undetected If errors are detected in the safety data format during execution of the Safety Program the Safety Program will be disabled and may require the Safety Program to be recompiled and downloaded to the CPU Possible Data Types The...

Page 191: ...nly specifies the first structural component DATA The other two structure elements required for safety are automatically added when CFC charts are compiled The same applies to the assignment of constants See Also Blocks for Converting Data Between Standard and Safety Sections ...

Page 192: ...s The CRC_IMP CRC_IMP1 and CRC_IMP2 I Os are automatically supplied You must not change them Note You must not change any I Os that have the entry Supplied Automatically in the Default column You can rectify any changes made to I Os that are supplied automatically by recompiling the Safety Program Safety Note Do not change automatically supplied FB inputs Online changes to inputs that are supplied...

Page 193: ...t described e g error on channel x is active Making Block I Os Visible Proceed as follows 1 Double click the block s header 2 Select the Inputs Outputs tab in the Properties dialog box 3 Scroll to the right until the Invisible column appears 4 Right click the Invisible selection cross of the block I O Result The invisible block I O becomes visible in CFC ...

Page 194: ...OT FB 305 F_2OUT3 FB 306 F_XOUTY FB 307 F_RS_FF FB 308 F_SR_FF FB 314 F_LIM_HL FB 315 F_LIM_LL FB 321 F_ADD_R FB 322 F_SUB_R FB 323 F_MUL_R FB 324 F_DIV_R FB 325 F_ABS_R FB 326 F_MAX3_R FB 327 F_MID3_R FB 328 F_MIN3_R FB 329 F_LIM_R FB 330 F_SQRT FB 331 F_AVEX_R FB 332 F_MUX2_R FB 333 F_SMP_AV FB 341 F_CTUD FB 342 F_TP FB 343 F_TON FB 344 F_TOF FB 345 F_LIM_TI FB 346 F_R_TRIG FB 347 F_F_TRIG FB 35...

Page 195: ... FB 385 F_M_DI24 FB 386 F_M_DO10 FB 387 F_M_AI6 FB 388 F_M_DO8 FB 390 F_S_BO FB 391 F_R_BO FB 392 F_S_R FB 393 F_R_R FB 394 F_START FB 395 F_CYC_CO FB 396 F_PLK FB 397 F_PLK_O FB 398 F_TEST FB 399 F_TESTC FB 400 F_TESTM FB 456 F_2oo3_R FB 457 F_1oo2_R FB 458 F_SHUTDN FB 459 RTG_LOGIC FB 461 F_FR_FI Safety Note Fail safe FB numbers Numbers FB396 to FB400 must be kept free The numbers of the fail sa...

Page 196: ... Safety Program can be installed in OB 3x ONLY Fail safe blocks can only be installed in a cyclic interrupt OB 3x Installation in the OB 1 is not permissible The cycle time of the cyclic interrupt OB is assigned parameters in HWCONFIG CPU parameters Cyclic Interrupts Execution See Monitoring the F Cycle Time ...

Page 197: ...nnel Drivers Block Description F_CH_DI F channel driver for digital input F_CH_DO F channel driver for digital output F_CH_AI F channel driver for analog input F Module Drivers Block Description F_M_DI8 F module driver for 8 channel digital input F_M_DI24 F module driver for 24 channel digital input F_M_DO10 F module driver for 10 channel digital output F_M_DO8 F module driver for 8 channel digita...

Page 198: ...g on the parameterization and error type Alternatively a simulation value can be output at the output Q For the process value at the output Q a value status quality code is generated at the output QUALITY that can take on the following states State Quality Code Valid value 16 80 Simulation value 16 60 Substitute value 16 48 I Os Name Data Type Explanation Default Inputs ADDR_CODE DWORD Address cod...

Page 199: ...the output Q with the quality code QUALITY 16 80 Simulation Value A simulation value can be output at the output Q instead of the normal value read from the module When the input parameter SIM_ON 1 the value of the input parameter SIM_I is output with the quality code QUALITY 16 60 and the output QSIM 1 is set In the event of an error the output of the simulation value takes precedence over the ou...

Page 200: ..._CTRL is called This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the entire Safety Program Error Information in Diagnostic Buffer Error Code W 16 Description...

Page 201: ... For the reintegration of the process value after an error is corrected a user acknowledgment is required depending on the parameterization and error type Alternatively a simulation value can be output at the module output if there is no error For the digital value I output to the module a value status quality code is generated at the QUALITY output that can take on the following states State Qual...

Page 202: ... process value at the input I is made available for the associated F module driver F_M_DOx 16 80 is output as the quality code QUALITY Simulation Value At the output a simulation value can be output instead of the value at the input I e g for hardware tests When the input parameter SIM_ON 1 the value of the input parameter SIM_I is made available to the associated F module driver F_M_DOx 16 80 is ...

Page 203: ...In this time the substitute value 0 is output with the quality code QUALITY 16 48 and the outputs QBAD 1 and PASS_OUT 1 are set as well At ACK_REQ 1 the ACK_REI acknowledgement must follow even if ACK_NEC 0 Error Handling In the event of an error that is critical to safety the system function SFC F_CTRL is called This records the event in the Diagnostic Buffer and requests a switch to the reserve ...

Page 204: ... error is corrected a user acknowledgment is required depending on the parameterization and error type Alternatively a simulation value can be output at the output V For the process value at the output V a value status quality code is generated at the output QUALITY that can take on the following states State Quality Code Valid value 16 80 Simulation value 16 60 Substitute value 16 48 Last valid v...

Page 205: ...ASS_OUT F_BOOL Passivation output 0 QCHF_HL F_BOOL 1 input value in overrange 0 QCHF_LL F_BOOL 1 input value in underrange 0 QBAD F_BOOL 1 process value invalid 0 QSIM F_BOOL 1 simulation active 0 QSUBS F_BOOL 1 value substitution active 0 OVHRANGE F_REAL Upper limit of the process value copy 0 0 OVLRANGE F_REAL Lower limit of the process value copy 0 0 V F_REAL Process value 0 0 V_DATA REAL DATA ...

Page 206: ...dule outputs 16 7FFF overflow as a non linearized value Accordingly the F channel driver F_CH_AI detects an overflow and sets the output QCHF_HL 1 and QBAD 1 NAMUR Limit Value Checking In the NAMUR guidelines for analog signal processing limit values are defined for life zero 4 to 20 mA analog signals where there is a channel fault 3 6 mA analog signal 21 mA By default the above NAMUR limits are s...

Page 207: ...input module is carried out in HWCONFIG and is applied at compilation automatically to the parameter MODE_xx of the associated F module driver F_M_AIx F_CH_AI reads the value from the associated F module driver MODE can take on the following values Measurement Type Measurement Range MODE Decimal Hex 4 wire measuring transducer 4 to 20 mA 515 16 0203 2 wire measuring transducer 4 to 20 mA 771 16 03...

Page 208: ...e QUALITY 16 48 and the output QSUBS 1 is set Startup Characteristics After a startup cold restart or warm restart communication must first be established between the F module driver and the analog input module In this time regardless of the parameter assignment at the input SUBS_ON the substitute value SUBS_V is output with the quality code QUALITY 16 48 and the outputs QBAD 1 QSUBS 1 and PASS_OU...

Page 209: ...he error is corrected there is no switch back instead work continues with the last valid analog value If an error only occurs on one of the redundant modules automatic reintegration takes place in the F channel driver F_CH_AI after the error is corrected Report Characteristics The block has no reporting behavior See Also Common Features of the Driver Blocks Passivation and Reintegration ...

Page 210: ...I 24 x DC 24 V Module redundancy The F module drivers are able to address two redundant signal modules The settings necessary for this are made when parameters are assigned to the modules in HWCONFIG Module redundancy The processing of redundant modules comprises the following functions In the case of problem free operation In the case of digital input modules the input signals are ORed per channe...

Page 211: ...s to increase availability For this purpose the input DISC_ON is assigned automatically and the assigned discrepancy time is stored at the input DISCTIME when CFC charts are compiled In the discrepancy analysis the F module driver compares two corresponding input signals in each case If a discrepancy between the signals lasts longer than the configured discrepancy time it detects a discrepancy err...

Page 212: ...s been installed in more than one cyclic interrupt OB If appropriate a corresponding error message is output All the F channel drivers that belong to a module must be integrated into the same F run time group Startup Characteristics After a startup cold restart or warm restart communication must first be established between the F module driver and the F I O Until this happens substitute values are...

Page 213: ...tion NetPro The I O ID must be assigned parameters on the sending side F_SENDBO F_SENDR and on the receiving side F_RCVBO F_RCVR Via R_ID you can define that a sending and a receiving fail safe block belong together The associated fail safe blocks receive the same value for R_ID The value R_ID is a freely selectable odd number but it must be unique for a sending receiving F block pair Note The val...

Page 214: ...ding the error see the section entitled Error Information at the Output RETVAL CRC_IMP Parameter Safety Note Do NOT change CRC_IMP input Do not make any changes to the CRC_IMP I O because this I O is supplied automatically As a result of online changes to this I O errors can occur during transmission of fail safe data when the Safety Program is executed For example data may be sent to the wrong re...

Page 215: ...e recipient s side before the values sent are output again Startup Characteristics After a startup cold restart or warm restart communication must first be established between the communication partners F_SENDBO indicates this at the SUBS_ON parameter with 1 The recipient F_RCVBO outputs substitute values during this time until communication between F_SENDBO and F_RCVBO has started up via the safe...

Page 216: ...ion between the connection partners is reestablished Note Once communication has been set up without errors compliance with the assigned monitoring time TIMEOUT parameter is checked In the event of an error that is critical to safety the system function SFC F_CTRL is called This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the ma...

Page 217: ...the outputs RD_BO_xx The substitute values can be stored at the inputs SUBBO_xx I Os Name Data Type Explanation Default Inputs ID WORD ID addressing parameter 0000 R_ID DWORD R_ID addressing parameter 00000000 CRC_IMP DWORD Address reference CRC Supplied automatically TIMEOUT F_TIME Monitoring time in ms for vital sign monitoring T 0 ms ACK_REI F_BOOL Acknowledgment for reintegration of process va...

Page 218: ...s been set up without errors compliance with the assigned monitoring time TIMEOUT parameter is checked Communication between the connection partners is reestablished The data received with valid safety frames is not applied to the outputs reintegrated until the input ACK_REI had a rising edge e g via F_QUITES The block sets the output ACK_REQ to indicate that acknowledgment is required In the even...

Page 219: ...ipient s side before the values sent are output again Startup Characteristics After a startup cold restart or warm restart communication must first be established between the communication partners The F_SENDR signals this at the SUBS_ON parameter with 1 The recipient F_RCVR outputs substitute values during this time until communication between F_SENDR and F_RCVR via the safety frame has started u...

Page 220: ...he recipient F_RCVR then outputs substitute values An error code is displayed at the output RETVAL Communication between the connection partners is reestablished Note Once communication has been set up without errors compliance with the assigned monitoring time TIMEOUT parameter is checked In the event of an error that is critical to safety the system function SFC F_CTRL is called This records the...

Page 221: ...he outputs RD_R_xx The substitute values can be applied at the inputs SUBR_xx I Os Name Data Type Explanation Default Inputs ID WORD ID addressing parameter 0000 R_ID DWORD R_ID addressing parameter 00000000 CRC_IMP DWORD Address reference CRC Supplied automatically TIMEOUT F_TIME Monitoring time in ms for vital sign monitoring T 0 ms ACK_REI F_BOOL Acknowledgment for reintegration of process valu...

Page 222: ...cation between the connection partners is reestablished The data received with valid safety frames is not applied to the outputs reintegrated until the input ACK_REI had a rising edge e g via F_QUITES The block sets the output ACK_REQ to indicate that acknowledgment is required In the event of an error that is critical to safety the system function SFC F_CTRL is called This records the event in th...

Page 223: ... safe acknowledgment via the ES OS Safety Note Use F_LIM_R for plausibility check of standards to F data conversion The F_BO_FBO F_I_FI F_TI_FTI and F_R_FR blocks only carry out data conversion This means you must program additional measures for plausibility checks in the Safety Program for example using F_LIM_R to ensure that only safe operation is possible Plausibility Checking The simplest form...

Page 224: ...pe into the corresponding F_BOOL F data type This enables signals formed in the standard program section to be further processed in the safety program section following a plausibility check I Os Name Data Type Explanation Default Input IN BOOL Input variable 0 Output OUT F_BOOL Output variable 0 Error Handling None ...

Page 225: ...INT F data type This enables signals formed in the standard program section to be processed further in the safety program section following a plausibility check to be added by the user with F block F_LIM_I for example I Os Name Data Type Explanation Default Input IN INT Input variable 0 Output OUT F_INT Output variable 0 Error Handling None ...

Page 226: ...ata type This enables signals formed in the standard program section to be further processed in the safety program section following a plausibility check to be added in the Safety Program with F block F_LIM_R for example I Os Name Data Type Explanation Default Input IN REAL Input variable 0 0 Output OUT F_REAL Output variable 0 0 Error Handling None ...

Page 227: ... data type This enables signals formed in the standard program section to be further processed in the safety program section following a plausibility check to be added by the user with F block F_LIM_TI for example I Os Name Data Type Explanation Default Input IN TIME Input variable T 0 ms Output OUT F_TIME Output variable T 0 ms Error Handling None ...

Page 228: ...ture elements of the F data type cannot be accessed separately in the CFC chart This enables signals formed in the Safety Program section to be further processed in the standard program section This block must be placed in the standard program section I Os Name Data Type Explanation Default Input IN F_BOOL Input variable 0 Output OUT BOOL Output variable 0 Error Handling None ...

Page 229: ...ure elements of the F data type cannot be accessed separately in the CFC chart This enables signals formed in the Safety Program section to be further processed in the standard program section This block must be placed in the standard program section I Os Name Data Type Explanation Default Input IN F_INT Input variable 0 Output OUT INT Output variable 0 Error Handling None ...

Page 230: ...e elements of the F data type cannot be accessed separately in the CFC chart This enables signals formed in the Safety Program section to be further processed in the standard program section This block must be placed in the standard program section I Os Name Data Type Explanation Default Input IN F_REAL Input variable 0 0 Output OUT REAL Output variable 0 0 Error Handling None ...

Page 231: ...e F data type F_REAL data type into the F_INT F data type This enables signals formed within the safety program section to be converted and maintain the safety data format I Os Name Data Type Explanation Default Input IN F_REAL Input variable 0 0 Output OUT F_INT Output variable 0 Error Handling None ...

Page 232: ...elements of the F data type cannot be accessed separately in the CFC chart This enables signals formed in the Safety Program section to be further processed in the standard program section This block must be placed in the standard program section I Os Name Data Type Explanation Default Input IN F_TIME Input variable T 0 ms Output OUT TIME Output variable T 0 ms Error Handling None ...

Page 233: ...n as the input IN has accepted the value 9 or if there has not been a change within a minute Q is reset to 0 Note Because the fail safe output OUT is only set for one cycle a separate F_QUITES is required for each cyclic interrupt If there is only one block for different run time groups in a cyclic interrupt the blocks F_S_BO and F_R_BO must be used for the exchange of data between the run time gr...

Page 234: ...vent in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the entire Safety Program Error Information in Diagnostic Buffer Error Code W 16 Description 75DAH Error in the safety data fo...

Page 235: ...10 data items of the data type F_BOOL from another F run time group F_S_R Fail safe transmission of 5 data items of the data type F_ to another F run time group F_R_R Fail safe receipt of 5 data items of the data type F_REAL from another F run time group F_START Startup detection cold restart or warm restart Integration in Block Types With the exception of F_START the system blocks must not be int...

Page 236: ...e received there by the F_R_BO block The data to be sent e g outputs from other blocks is stored at the inputs SD_BO_xx The output S_DB must be connected with the input of the same name in the received block I Os Name Data Type Explanation Default Inputs SD_BO_00 F_BOOL Send date 00 0 SD_BO_09 F_BOOL Send data 09 0 Output S_DB F_WORD Separate instance DB no 0 Error Handling None ...

Page 237: ...cation Between F Run Time Groups Startup Characteristics In the first cycle after a cold or warm restart the block outputs the substitute values configured at the SUBBO_xx inputs The output of the substitute values depends on the configured execution times of the cyclic interrupts and occurs as long as the value F_TRUE is at the output SUBS_ON but only until the monitoring time TIMEOUT elapses I O...

Page 238: ...f the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the entire Safety Program Error Information in Diagnostic Buffer Error Code W 16 Description 75DAH Error in the safety data format of the input TIMEOUT error due to online modification of the Safety...

Page 239: ...be received there by the F_R_R block The data to be sent e g outputs from other blocks is stored at the inputs SD_R_xx The output S_DB must be connected with the input of the same name in the received block I Os Name Data Type Explanation Default Inputs SD_R_00 F_REAL Send date 00 0 SD_R_04 F_REAL Send data 04 0 Output S_DB F_WORD Separate instance DB no 0 Error Handling None ...

Page 240: ...ation Between F Run Time Groups Startup Characteristics In the first cycle after a cold or warm restart the block outputs the substitute values configured at the SUBR_xx inputs The output of the substitute values depends on the configured execution times of the cyclic interrupts and occurs as long as the value F_TRUE is at the output SUBS_ON but only until the monitoring time TIMEOUT elapses I Os ...

Page 241: ...f the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the entire Safety Program Error Information in Diagnostic Buffer Error Code W 16 Description 75DAH Error in the safety data format of the input TIMEOUT error due to online modification of the Safety...

Page 242: ...ock indicates by means of a value of 1 at the output COLDSTRT that a startup cold or warm restart has been carried out COLDSTRT remains present until the next call of F_START The F_START must be called before the evaluating blocks I Os Name Data Type Explanation Default Output COLDSTRT F_BOOL Startup identifier cold restart or warm restart 1 Error Handling None ...

Page 243: ...e driver for 6 channel analog input F_PLK Program execution monitoring before output blocks F_PLK_O Program execution monitoring after output blocks F_SHUTDN Manage F run time group shutdown and restart in the event shutdown errors occur F_TEST Self test for commands not backed up by diversity F_TESTC Control block for the background self test of the CPU F_TESTM Activate deactivate safety mode DB_...

Page 244: ...nected The invisible output PD_FLAG must not be interconnected I Os Name Data Type Explanation Default Inputs MAX_CYC F_TIME Maximum permissible F cycle time T 0s PD OFF F_BOOL Power Down Monitoring 0 Outputs PD FLAG F_BOOL Power off code 0 DIFF F_DINT Time difference since the last cycle in ms 0 CYC_SQ F_INT Sequence number 0 FAILED BOOL Failure of the OB Indicator 0 Error Handling In the event o...

Page 245: ...Description 75DAH Error in the safety data format of the input MAX_CYC or the output DIFF error due to online modification of the Safety Program or internal CPU fault 75E1H Power failure 75E1H 75E1H Internal CPU fault 75E1H Maximum permissible F cycle time exceeded or internal CPU fault 75E1H Internal CPU fault ...

Page 246: ...G_2 at which error information is output are important I Os Name Data Type Explanation Default Inputs CRC_IMP1 WORD CRC via implicit data SM1 Supplied automatically CRC_IMP2 WORD CRC via implicit data SM2 only when RED 1 Supplied automatically DISC_ON BOOL Carry out discrepancy analysis Supplied automatically DISCTIME DINT Discrepancy time in ms Supplied automatically TIMEOUT F_DINT Monitoring tim...

Page 247: ...yte 0 Byte 0 Bit 0 TIMEOUT error on SM1 Bit 0 TIMEOUT error on SM2 Bit 1 Common error on SM1 Bit 1 Common error on SM2 Bit 2 CRC value watchdog error on SM1 Bit 2 CRC value watchdog error on SM2 Bit 3 Reserved Bit 3 Reserved Bit 4 TIMEOUT error on CPU Bit 4 TIMEOUT error on CPU Bit 5 Watchdog error on CPU Bit 5 Watchdog error on CPU Bit 6 Check value error CRC on CPU Bit 6 Check value error CRC on...

Page 248: ...ch to the reserve CPU if the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the entire Safety Program Error Information in Diagnostic Buffer Error Code W 16 Description 75DAH Error in the safety data format error due to online modification of the Safe...

Page 249: ...G_2 at which error information is output are important I Os Name Data Type Explanation Default Inputs CRC_IMP1 WORD CRC via implicit data SM1 Supplied automatically CRC_IMP2 WORD CRC via implicit data SM2 only when RED 1 Supplied automatically DISC_ON BOOL Carry out discrepancy analysis Supplied automatically DISCTIME DINT Discrepancy time in ms Supplied automatically TIMEOUT F_DINT Monitoring tim...

Page 250: ...n SM1 Bit 1 Common error on SM2 Bit 2 CRC value watchdog error on SM1 Bit 2 CRC value watchdog error on SM2 Bit 3 Reserved Bit 3 Reserved Bit 4 TIMEOUT error on CPU Bit 4 TIMEOUT error on CPU Bit 5 Watchdog error on CPU Bit 5 Watchdog error on CPU Bit 6 Check value error CRC on CPU Bit 6 Check value error CRC on CPU Bit 7 Reserved Bit 7 Reserved Byte 1 Byte 1 Bit 0 Discrepancy error on channel 0 o...

Page 251: ... This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the entire Safety Program Error Information in Diagnostic Buffer Error Code W 16 Description 75DAH Error in...

Page 252: ... supplied with values The outputs DIAG_1 and DIAG_2 at which error information is output are important I Os Name Data Type Explanation Default Inputs CHADDR00 F_WORD Interconnection with the F channel driver of channel 0 Interconnected automatically CHADDR07 F_WORD Interconnection with the F channel driver of channel 7 Interconnected automatically CRC_IMP1 WORD CRC via implicit data SM1 Supplied a...

Page 253: ...4 TIMEOUT error on CPU Bit 4 TIMEOUT error on CPU Bit 5 Watchdog error on CPU Bit 5 Watchdog error on CPU Bit 6 Check value error CRC on CPU Bit 6 Check value error CRC on CPU Bit 7 Reserved Bit 7 Reserved Byte 1 Byte 1 Reserved Reserved Byte 2 Byte 2 Reserved Reserved Byte 3 Byte 3 Reserved Reserved Note In byte 0 of DIAG_1 2 the most recent error information remains stored until a new error occu...

Page 254: ...channel driver F_CH_DO The I Os of the F module driver are automatically interconnected and supplied with values The outputs DIAG_1 and DIAG_2 at which error information is output are important I Os Name Data Type Explanation Default Inputs CHADDR00 F_WORD Interconnection with the F channel driver of channel 0 Interconnected automatically CHADDR09 F_WORD Interconnection with the F channel driver o...

Page 255: ...4 TIMEOUT error on CPU Bit 4 TIMEOUT error on CPU Bit 5 Watchdog error on CPU Bit 5 Watchdog error on CPU Bit 6 Check value error CRC on CPU Bit 6 Check value error CRC on CPU Bit 7 Reserved Bit 7 Reserved Byte 1 Byte 1 Reserved Reserved Byte 2 Byte 2 Reserved Reserved Byte 3 Byte 3 Reserved Reserved Note In byte 0 of DIAG_1 2 the most recent error information remains stored until a new error occu...

Page 256: ...er F_CH_AI The I Os of the F block driver are automatically interconnected and supplied with values The outputs DIAG_1 and DIAG_2 at which error information is output are important I Os Name Data Type Explanation Default Inputs CRC_IMP1 WORD CRC via implicit data SM1 Supplied automatically CRC_IMP2 WORD CRC via implicit data SM2 only when RED 1 Supplied automatically TIMEOUT F_DINT Monitoring time...

Page 257: ...ation at the Output DIAG_1 2 DIAG_1 DIAG_2 Byte 0 Byte 0 Bit 0 TIMEOUT error on SM1 Bit 0 TIMEOUT error on SM2 Bit 1 Common error on SM1 Bit 1 Common error on SM2 Bit 2 CRC value watchdog error on SM1 Bit 2 CRC value watchdog error on SM2 Bit 3 Reserved Bit 3 Reserved Bit 4 TIMEOUT error on CPU Bit 4 TIMEOUT error on CPU Bit 5 Watchdog error on CPU Bit 5 Watchdog error on CPU Bit 6 Check value err...

Page 258: ... run time group failure indication 0 Error Handling In the event of an error that is critical to safety the system function SFC F_CTRL is called This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either d...

Page 259: ...ror that is critical to safety the system function SFC F_CTRL is called This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the entire Safety Program Error Info...

Page 260: ... connected to the DB_INIT functionsstored in the F_DbInit1 is placed in the slowest Organizational Block OB3x in a run time group named F_ShutDn Note No other logic shall be permitted to be placed within the F_ShutDn CFC Connections may only be made to specified inputs and outputs of the F_SHUTDN function block see the table of I Os below Any logic placed within the F_ShutDn CFC will automatically...

Page 261: ... reported are Full Shutdown Partial Shutdown Restart of Shutdown Logic and Safety Mode enabled or disabled 1 Outputs FULL_SD BOOL Entire Safety Program shutdown when TRUE Latched output resettable through RESTART input 0 EN_INIT BOOL Required for Safety Program initialization logic Immediately following the RESTART request EN_INIT will remain TRUE while the function block initialization logic exec...

Page 262: ...t OB34 is 200ms and OB35 is 100ms The consequence of this is that a shutdown for the faster F Run time group may not occur until the next scan of the slowest configured OB in this example OB34 The F Run time group that encounters the detected fault regardless of the SHUTDOWN value will be shutdown Request Safety Program Shutdown Under certain circumstances the user may wish to manually request a c...

Page 263: ...k tripped diagnostic Full Shutdown Outgoing Alarm Message F_SHUTDN block exited the Full Shutdown state because of a user requested restart Partial Shutdown Incoming Alarm Message If the F_SHUTDN function block is configured with RQ_FULL set to FALSE the first detected shutdown F run time group will be alarmed as a FAILURE While there remain shutdown F run time groups subsequent failures of this F...

Page 264: ...as been requested If the RQ_FULL is TRUE and a FAILURE is detected the Safety Program will be disabled through the FULL_SD output and this will also trigger an event indicating a full system shutdown Startup Characteristics The F_SHUTDN function block is intended to be available upon startup with the entire Safety Program enabled Error Information in Diagnostic Buffer Error Code W 16 Description 7...

Page 265: ... Fail safe Blocks V1_2 or higher the manual procedure has been eliminated The user is no longer allowed to manually place the F_CYC_CO function blocks it is now a system function I Os The inputs and outputs will not be explained here since this is logic that the system automatically generates Error Handling In the event of an error that is critical to safety the system function SFC F_CTRL is calle...

Page 266: ...e system automatically generates Error Handling In the event of an error that is critical to safety the system function SFC F_CTRL is called This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disab...

Page 267: ...de active 1 Safety mode inactive Report Characteristics When safety mode is activated deactivated the block issues the message PLC not in safety mode to the OS using SFB 33 ALARM The messages can be switched off via the invisible input EN_MSG 0 MSG_STAT output parameter remains unchanged if a suitable report system is not available The ALARM block is called if message suppression is not activated ...

Page 268: ...ms 8 80 A5E00085588 03 8 6 13 DB_RES Function This block supports the startup characteristics in the event of a cold restart warm restart of the CPU The block is inserted automatically at compilation I Os The block has no visible I Os ...

Page 269: ...tomatically placed by the compiler in a CFC chart named F_DbInit Connections between the DB_INIT function and the shutdown logic are also created automatically Note No other logic shall be permitted to be placed within the F_DbInit CFC Connections may not be made to any inputs or outputs of these blocks Any logic placed within the F_DbInit CFC will automatically be deleted during the compile I Os ...

Page 270: ...085588 03 8 6 15 FAIL_MSG Function This block is used by the RTG_LOGIC block type The block is inserted automatically at compilation I Os The inputs and outputs will not be explained here since this is logic that the system automatically generates ...

Page 271: ...wn logic The RTG_LOGIC function block is automatically placed by the compiler in a CFC chart named F_ShutDn Note No other logic shall be permitted to be placed within the F_ShutDn CFC Connections may not be made to any inputs or outputs of these blocks Any logic placed within the F_ShutDn CFC will automatically be deleted during the compile I Os The inputs and outputs will not be explained here si...

Page 272: ...iagnostic failure to the diagnostic buffer for users to observe as the cause of failure 2 In an S7 F H system to force a switchover if the fault is detected in the master only As you can see from the two purposes above SFC F_CTRL is used for diagnostic purposes and for availability by forcing the CPU with the detected failure to become the reserve CPU SFC F_CTRL is not responsible for any switchov...

Page 273: ...y selection 2 out of 3 F_XOUTY Binary selection X out of Y 8 7 1 F_AND4 Function This block links the inputs by means of AND The output OUT is 1 if all the inputs are 1 Otherwise the output is 0 The output OUTN corresponds to the negating output OUT Truth Table IN1 IN2 IN3 IN4 OUT OUTN 0 0 0 0 0 1 0 0 0 1 0 1 0 0 1 0 0 1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 0 1 0 1 0 1 1 0 0 1 0 1 1 1 0 1 1 0 0 0 0 1 1 0 0...

Page 274: ...tems 8 86 A5E00085588 03 I Os Name Data Type Explanation Default Inputs IN1 F_BOOL Input 1 1 IN2 F_BOOL Input 2 1 IN3 F_BOOL Input 3 1 IN4 F_BOOL Input 4 1 Output OUT F_BOOL Output 1 OUTN F_BOOL Negating output 0 Error Handling None ...

Page 275: ... output OUT Truth Table IN1 IN2 IN3 IN4 OUT OUTN 0 0 0 0 0 1 0 0 0 1 1 0 0 0 1 0 1 0 0 0 1 1 1 0 0 1 0 0 1 0 0 1 0 1 1 0 0 1 1 0 1 0 0 1 1 1 1 0 1 0 0 0 1 0 1 0 0 1 1 0 1 0 1 0 1 0 1 0 1 1 1 0 1 1 0 0 1 0 1 1 0 1 1 0 1 1 1 0 1 0 1 1 1 1 1 0 I Os Name Data Type Explanation Default Inputs IN1 F_BOOL Input 1 0 IN2 F_BOOL Input 2 0 IN3 F_BOOL Input 3 0 IN4 F_BOOL Input 4 0 Output OUT F_BOOL Output 0 O...

Page 276: ... OR The output OUT is 1 if exactly one input is 1 The output OUTN corresponds to the negating output OUT Truth Table IN1 IN2 OUT OUTN 0 0 0 1 0 1 1 0 1 0 1 0 1 1 0 1 I Os Name Data Type Explanation Default Inputs IN1 F_BOOL Input 1 0 IN2 F_BOOL Input 2 0 Output OUT F_BOOL Output 0 OUTN F_BOOL Negating output 1 Error Handling None ...

Page 277: ...BOOL Input 0 Output OUT F_BOOL Output 1 Error Handling None 8 7 5 F_2OUT3 Function This block monitors three binary inputs for signal state 1 The output OUT is 1 if at least two inputs are 1 Otherwise the output is 0 The output OUTN corresponds to the negating output OUT Truth Table IN1 IN2 IN3 OUT OUTN 0 0 0 0 1 0 0 1 0 1 0 1 0 0 1 0 1 1 1 0 1 0 0 0 1 1 0 1 1 0 1 1 0 1 0 1 1 1 1 0 ...

Page 278: ...l Safe Systems 8 90 A5E00085588 03 I Os Name Data Type Explanation Default Inputs IN1 F_BOOL Input 1 0 IN2 F_BOOL Input 2 0 IN3 F_BOOL Input 3 0 Output OUT F_BOOL Output 0 OUTN F_BOOL Negating output 1 Error Handling None ...

Page 279: ... F_BOOL Input 1 0 IN2 F_BOOL Input 2 0 IN3 F_BOOL Input 3 0 IN16 F_BOOL Input 16 0 X F_INT Minimum number of inputs with 1 0 X 16 0 Y F_INT Number of inputs to be monitored 0 Y 16 0 Output OUT F_BOOL Output 0 OUTN F_BOOL Negating output 1 Error Handling In the event of an error that is critical to safety the system function SFC F_CTRL is called This records the event in the Diagnostic Buffer and r...

Page 280: ...r limit the output QH 1 U_HL HYS U U_HL QH remains unchanged in this range U U_HL HYS In the event of violation of the lower limit hysteresis the output QH 0 The limit and hysteresis are also available as non fail safe data at the outputs U_HL_O and HYS_O for further processing in the standard program The hysteresis can be used to avoid fluttering of QH if the input value U fluctuates by the limit...

Page 281: ... in the printout of the CFC chart They must be checked in the printout of the safety program Error Handling In the event of an error that is critical to safety the system function SFC F_CTRL is called This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU For non redundant systems or a common cause error occurring in bo...

Page 282: ...program The hysteresis can be used to avoid fluttering of QL if the input value U fluctuates by the limit value U_LL If either input variable U U_LL or HYS contains an invalid REAL number the Substitute Input SUBS_IN will be passed directly to the output QL If an invalid REAL number is generated during the calculations involving U U LL and HYS the output QL 1 The output QLN corresponds to the nega...

Page 283: ...em function SFC F_CTRL is called This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the entire Safety Program Error Information in Diagnostic Buffer Error Code...

Page 284: ... F_REAL Input variable 2 0 0 IN3 F_REAL Input variable 3 0 0 QBAD1 F_BOOL IN1 invalid 0 QBAD2 F_BOOL IN2 invalid 0 QBAD3 F_BOOL IN3 invalid 0 DELTA REAL Allowable difference 0 0 Outputs OUT F_REAL Median value 0 0 QBAD BOOL Invalid median value 0 DIS1 BOOL IN1 DELTA Discrepancy 0 DIS2 BOOL IN2 DELTA Discrepancy 0 DIS3 BOOL IN3 DELTA Discrepancy 0 The block employs a two out of three selection sche...

Page 285: ...rivers detect a failure output their SUBS_V value and set their QBAD to 1 the F_2oo3_R block s QBAD output will be 1 indicating that the selected analog output V is no longer valid Therefore a configuration using the F_CH_AI and F_2oo3_R blocks would have the following connections The V outputs of the three F_CH_AI connected to the three IN inputs of the F_2oo3_R The QBAD outputs of the three F_CH...

Page 286: ...ta Type Explanation Default Inputs IN1 F_REAL Input variable 1 0 0 IN2 F_REAL Input variable 2 0 0 QBAD1 F_BOOL IN1 invalid 0 QBAD2 F_BOOL IN2 invalid 0 DELTA REAL Allowable difference 0 0 Outputs OUT F_REAL Selected value 0 0 QBAD BOOL Invalid selected value 0 DIS1 BOOL IN1 DELTA Discrepancy 0 DIS2 BOOL IN2 DELTA Discrepancy 0 The block employs a one out of two selection scheme and is often used ...

Page 287: ... as its analog output If both channel drivers detect a failure output their SUBS_V value and set their QBAD to 1 the F_1oo2_R block s QBAD output will be 1 indicating that the selected analog output V is no longer valid Therefore a configuration using the F_CH_AI and F_1oo2_R blocks would have the following connections The V outputs of the two F_CH_AI connected to the two IN inputs of the F_1oo2_R...

Page 288: ...nt F_SR_FF SR flipflop setting dominant 8 9 1 F_RS_FF Function The block executes the function of an RS flipflop resetting dominant The RS flipflop is reset if the signal state at the input R 1 and at the input S 0 The flipflop is set if the input R 0 and the input S 1 If the result of the logic operation is 1 at both inputs the flipflop is reset Truth Table R S QN QNn 0 0 Qn 1 QNn 1 0 1 1 0 1 0 0...

Page 289: ...or Handling In the event of an error that is critical to safety the system function SFC F_CTRL is called This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the...

Page 290: ...te the program you preset the Q output in CFC with the initial value 1 it will remain set after startup cold restart or warm restart until the signal state at the R input changes to 1 at input S 0 Note that the initial values of output parameters do not appear in the printout of the CFC chart They must be checked in the printout of the safety program Error Handling In the event of an error that is...

Page 291: ...D and R CU CV is increased by 1 If the count value reaches the upper limit 32 767 it is not increased any further CD CV is decreased by 1 If the count value reaches the lower limit 32 768 it is not decreased any further LOAD 1 CV is preset with the value of the input PV The values at the inputs CU and CD are ignored R 1 CV is reset to 0 The values at the inputs CU CD and LOAD are ignored If in a c...

Page 292: ...cremented or decremented as of this value Note that the initial values of output parameters do not appear in the printout of the CFC chart They must be checked in the printout of the safety program Error Handling In the event of an error that is critical to safety the system function SFC F_CTRL is called This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if th...

Page 293: ...output Q has already been set The maximum value it can adopt is that of the input PT It is reset if the input IN changes to 0 but not before the time PT has elapsed If PT 0 the outputs Q and ET are reset Timing Diagram scasc Q IN PT ET PT PT PT Startup Characteristics In the first cycle after a cold or warm restart or in the case of a first call the timer is reset I Os Name Data Type Explanation D...

Page 294: ...ccurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the entire Safety Program Error Information in Diagnostic Buffer Error Code W 16 Description 75DAH Error in the safety data format of the inputs PT and IN and the output ET error due to online modification of th...

Page 295: ...e output ET indicates the time that has elapsed since the last rising edge at the input IN but only up to the value of the input PT ET is reset if the input IN changes to 0 If PT 0 the outputs Q and ET are reset Timing Diagram scasc Q IN PT ET PT PT Startup Characteristics In the first cycle after a cold or warm restart or in the case of a first call the timer is reset I Os Name Data Type Explanat...

Page 296: ...ccurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the entire Safety Program Error Information in Diagnostic Buffer Error Code W 16 Description 75DAH Error in the safety data format of the inputs PT and IN and the output ET error due to online modification of th...

Page 297: ...he output ET indicates the time that has elapsed since the last falling edge at the input IN but only up to the value at the input PT ET is reset if the input IN changes to 1 If PT 0 the outputs Q and ET are reset Timing Diagram Q IN PT ET PT PT Startup Characteristics In the first cycle after a cold or warm restart or in the case of a first call the timer is reset I Os Name Data Type Explanation ...

Page 298: ...ccurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the entire Safety Program Error Information in Diagnostic Buffer Error Code W 16 Description 75DAH Error in the safety data format of the inputs PT and IN and the output ET error due to online modification of th...

Page 299: ...e input variable for the occurrence of a falling edge and indicates at the output whether an edge has been detected At a falling edge of the input pulse CLK the output Q is set to 1 until the next call of the block Timing Diagram CLK Q Startup Characteristics In the first cycle after a cold or warm restart or in the case of a first call no edge is detected I Os Name Data Type Explanation Default I...

Page 300: ... At a rising edge of the input pulse CLK the output Q is set to 1 until the next call of the block Timing Diagram CLK Q Startup Characteristics If the input CLK has a value of 1 in the first cycle after a cold or warm restart a rising edge is detected and the output Q is set to 1 until the next call of the block I Os Name Data Type Explanation Default Input CLK F_BOOL Input pulse 0 Output Q F_BOOL...

Page 301: ...puts OUTU and OUTL are set to 1 If IN is MAX the upper limit has been violated OUT MAX OUTU 1 and OUTL 0 If IN is MIN the lower limit has been violated OUT MIN OUTU 0 and OUTL 1 If IN is between MIN and MAX OUT IN OUTU 0 and OUTL 0 are set I Os Name Data Type Explanation Default Inputs IN F_TIME Input variable T 0 ms MIN F_TIME Lower limit T 0 ms MAX F_TIME Upper limit T 24d 20h 31m 23s 647ms Outp...

Page 302: ...er than or equal to the upper limit MAX the output OUT MAX and the outputs OUTU and OUTL are set to 1 If IN is MAX the upper limit has been violated OUT MAX OUTU 1 and OUTL 0 If IN is MIN the lower limit has been violated OUT MIN OUTU 0 and OUTL 1 If IN is between MIN and MAX OUT IN OUTU 0 and OUTL 0 are set I Os Name Data Type Explanation Default Inputs IN F_INT Input variable 0 MIN F_INT Lower l...

Page 303: ... Medium of three REAL values F_MIN3_R Minimum of three REAL values F_LIM_R Asymmetrical limiter of REAL values F_SQRT Calculation of the square root F_AVEX_R Mean value of a maximum of nine REAL values F_SMP_AV Sliding mean value 8 13 1 F_ADD_R Function This block adds the inputs and outputs the sum at the output OUT IN1 IN2 I Os Name Data Type Explanation Default Inputs IN1 F_REAL Addend 1 0 0 IN...

Page 304: ...from the input IN1 and outputs the difference at the output OUT IN1 IN2 I Os Name Data Type Explanation Default Inputs IN1 F_REAL Minuend 0 0 IN2 F_REAL Subtrahend 0 0 Output OUT F_REAL Difference 0 0 Error Handling If the operation generates an invalid REAL number the event will be recorded in the Diagnostic Buffer Error Information in Diagnostic Buffer Error Code W 16 Description 75D9H Invalid R...

Page 305: ... Os Name Data Type Explanation Default Inputs IN1 F_REAL Multiplicand 0 0 IN2 F_REAL Multiplier 0 0 Output OUT F_REAL Product 0 0 Error Handling If the operation generates an invalid REAL number the event will be recorded in the Diagnostic Buffer Error Information in Diagnostic Buffer Error Code W 16 Description 75D9H Invalid REAL number generated by the operation ...

Page 306: ...tion Default Inputs IN1 F_REAL Dividend 0 0 IN2 F_REAL Divisor 1 0 Output OUT F_REAL Quotient 0 0 Error Handling If the operation generates an invalid REAL number the event will be recorded in the Diagnostic Buffer Error Information in Diagnostic Buffer Error Code W 16 Description 75D9H Invalid REAL number generated by the operation Note Use the F block F_LIM_R to prevent errors as a result of div...

Page 307: ...588 03 8 119 8 13 5 F_ABS_R Function This block outputs the absolute value amount of the input at the output OUT IN I Os Name Data Type Explanation Default Input IN F_REAL Input value 0 0 Output OUT F_REAL Absolute value 0 0 Error Handling None ...

Page 308: ...from only two inputs OUT MAX IN1 IN2 IN3 I Os Name Data Type Explanation Default Inputs IN1 F_REAL Input variable 1 3 402823e 38 IN2 F_REAL Input variable 2 3 402823e 38 IN3 F_REAL Input variable 3 3 402823e 38 Output OUT F_REAL Maximum value 3 402823e 38 Error Handling If the operation generates an invalid REAL number the event will be recorded in the Diagnostic Buffer Error Information in Diagno...

Page 309: ...ata Type Explanation Default Inputs IN1 F_REAL Input variable 1 0 0 IN2 F_REAL Input variable 2 0 0 IN3 F_REAL Input variable 3 0 0 Output OUT F_REAL Mean value 0 0 Error Handling If the operation generates an invalid REAL number the event will be recorded in the Diagnostic Buffer Error Information in Diagnostic Buffer Error Code W 16 Description 75D9H Invalid REAL number generated by the operatio...

Page 310: ...from only two inputs OUT MIN IN1 IN2 IN3 I Os Name Data Type Explanation Default Inputs IN1 F_REAL Input variable 1 3 402823e 38 IN2 F_REAL Input variable 2 3 402823e 38 IN3 F_REAL Input variable 3 3 402823e 38 Output OUT F_REAL Minimum value 3 402823e 38 Error Handling If the operation generates an invalid REAL number the event will be recorded in the Diagnostic Buffer Error Information in Diagno...

Page 311: ...tput OUT and both OUTH 1 and OUTL 1 I Os Name Data Type Explanation Default Inputs IN F_REAL Input variable 0 0 MIN F_REAL Lower limit 100 0 MAX F_REAL Upper limit 100 0 SUBS_IN F_REAL Substitute Input 0 0 Outputs OUT F_REAL Output variable 0 0 OUTU F_BOOL Upper limit violation 0 OUTL F_BOOL Lower limit violation 0 Error Handling In the event of an error that is critical to safety the system funct...

Page 312: ...UT IN The input IN must be positive I Os Name Data Type Explanation Default Input IN F_REAL Radicand 0 0 Output OUT F_REAL Root 0 0 Error Handling If the operation generates an invalid REAL number the event will be recorded in the Diagnostic Buffer Error Information in Diagnostic Buffer Error Code W 16 Description 75D9H Invalid REAL number generated by the operation ...

Page 313: ... 0 0 IN2 F_REAL Input variable 2 0 0 IN3 F_REAL Input variable 3 0 0 IN4 F_REAL Input variable 4 0 0 IN5 F_REAL Input variable 5 0 0 IN6 F_REAL Input variable 6 0 0 IN7 F_REAL Input variable 7 0 0 IN8 F_REAL Input variable 8 0 0 IN9 F_REAL Input variable 9 0 0 VALIDIN1 F_BOOL IN1 valid 1 VALIDIN2 F_BOOL IN2 valid 1 VALIDIN3 F_BOOL IN3 valid 1 VALIDIN4 F_BOOL IN4 valid 1 VALIDIN5 F_BOOL IN5 valid 1...

Page 314: ...tch to the reserve CPU if the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run time group or the entire Safety Program Error Information in Diagnostic Buffer Error Code W 16 Description 75D9H Invalid REAL number generated by the operation 75DAH Error in the safety da...

Page 315: ...the startup are not taken into account Error Handling If the condition 0 N 33 is not fulfilled OUT INk is set If the operation generates an invalid REAL number the event will be recorded in the Diagnostic Buffer In the event of an error that is critical to safety the system function SFC F_CTRL is called This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the...

Page 316: ...Output 0 0 Error Handling In the event of an error that is critical to safety the system function SFC F_CTRL is called This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU For non redundant systems or a common cause error occurring in both CPUs the shutdown logic can be configured to either disable the erred F run tim...

Page 317: ...thout incident If a fail safe block generates an invalid REAL number the system function SFC 65097 WRSYMSG is called to record the event in the Diagnostic Buffer Once generated invalid REAL numbers will be accepted and used by subsequent fail safe blocks without incident Remedy check the values using for example F_LIM_R Error Information in Diagnostic Buffer In the event of an error error informat...

Page 318: ...or sent the expected response to the CPU with the new consecutive number Discrepancy errors in the case of redundant digital input modules Module faults reported by the F I Os Channel faults reported by the F I Os ET 200M only if the Group Diagnosis parameter is set Error Reaction F channel drivers for digital input modules output the substitute value 0 at the outputs F channel drivers for analog ...

Page 319: ... diagnostic messages and possible remedies in the section entitled Error Information at the Outputs of the Driver Blocks Error in the Safety Data Format If an error is detected in the safety data format the system function SFC F_CTRL is called automatically The system function SFC F_CTRL records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only ...

Page 320: ...d them again and carry out a cold restart Switch the voltage off and on at the F I O Check the PROFIBUS connection between the CPU and F I O Read out the module diagnosis Bit 3 Reserved Bit 4 TIMEOUT error on CPU or internal CPU fault Check the PROFIBUS connection between the CPU and F I O Download the configuration from HWCONFIG compile the changes to the Safety Program download them again and ca...

Page 321: ...pancy error on channel 7 of SMn Byte 2 in the case of F_M_DI24 only Bit 0 Discrepancy error on channel 8 of SMn Bit 7 Discrepancy error on channel 15 of SM1 Byte 3 in the case of F_M_DI24 only Bit 0 Discrepancy error on channel 16 of SM1 Bit 7 Discrepancy error on channel 23 of SMn n 1 Diagnostic information for module SM1 n 2 Diagnostic information for redundant module SM2 Note In byte 0 of DIAG_...

Page 322: ...lculations such as infinity This event contains the Instance DB number of the function block that encountered this invalid calculation Use the DB number to identify the function block within the project that has this failure 1 Open the CFC Editor and click on the cross reference button 2 Choose Edit Find and enter DB xxx where xxx is the DB number being reported in the error event Once you identif...

Page 323: ... RTG_LOGIC FBs are in the CFC chart F_ShutDn The number at the end of the RTG_LOGIC FB s Name is the instance DB number finding the F FB with the DB xx reported in event will lead to discovering the Run time Group Name and chart location Identify the cause of the shutdown and resolve the issue You may restart all of the shutdown F run time Groups through the RESTART input of the FB F_SHUTDN locate...

Page 324: ...dies 74DEH The FB F_SHUTDN has completed a re initialization of the whole Safety Program all F run time groups are enabled This would happen after the User causes a 0 1 transition on the RESTART input of the FB F_SHUTDN located in the CFC chart F_ShutDn Safety Program Initialization Start End Reported from Shutdown Logic F_SHUTDN Error Code W 16 Cause Remedies 75DFH This would happen after the Use...

Page 325: ...essing F_CYC_CO internal CPU fault Error processing F_TEST internal CPU fault Error processing F_TESTC internal CPU fault Error due to online modification of the Safety Program or internal CPU fault Restart the Shutdown logic or Stop and ColdStart F CPU or Full Download of the complete program to F CPU or Replace the F CPU Error Detected in F_PLK_O Program Data Flow Control Error After Output Bloc...

Page 326: ... CPU or Increase the cycle time of the OB3x containing your F run time Group experiencing the maximum cycle time exceeded or Move functionality out of the OB3x to another OB3x This includes standard and F Blocks that are running within said F run time the OB3x Error Detected in F_TEST Command Test Error Code W 16 Cause Remedies 75E1H Internal CPU fault Restart the Shutdown logic or Stop and ColdSt...

Page 327: ...he CPU or Error due to online modification of the Safety Program or internal CPU fault Check whether tests of the F CPU have been switched off by SFC90 H_CTRL The tests must not be switched off Insure that the F CPU s Test Cycle Time has been set 12h in CPU s H Parameters properties or Restart the Shutdown logic or Stop and ColdStart F CPU or Full Download of the complete program to F CPU or Repla...

Page 328: ...necting cable 3 ERROR bit of USEND set Communication problems see high byte Check the connection configuration and download it again Check the connecting cable 4 ERROR bit of URCV set Communication problems see high byte Check the connection configuration and download it again Check the connecting cable 5 Check value error CRC or internal error in the sender or recipient CPU or in the CP Check whe...

Page 329: ...CPU one F I O Redundant CPU one F I O One CPU redundant F I O Redundant CPU redundant F I O 465 520 740 814 F_M_DI8 FB 384 F module driver for 8 channel digital input One CPU one F I O Redundant CPU redundant F I O One CPU redundant F I O Redundant CPU redundant F I O 518 570 1046 1155 F_M_DI24 FB 385 F module driver for 24 channel digital input One CPU one F I O Redundant CPU one F I O One CPU re...

Page 330: ...I FB 461 Convert from F_REAL to F_INT 13 F_FR_R FC 304 Convert from F_REAL to REAL 10 F_FTI_TI FC 306 Convert from F_TIME to TIME 10 F_I_FI FB 369 Converts from INT to F_INT 11 F_LIM_HL FB 314 Monitoring of upper limit value violation of a REAL value 24 F_LIM_I FB 350 Asymmetrical limiter of INT values 21 F_LIM_LL FB 315 Monitoring of lower limit violation of a REAL value 24 F_LIM_R FB 329 Asymmet...

Page 331: ...ion of the square root 58 F_SR_FF FB 308 SR flipflop setting dominant 16 F_START FB 394 Startup detection cold restart or warm restart 11 F_SUB_R FB 322 Subtraction of two REAL values 16 F_TEST FB 398 Self test for commands not backed up by diversity 362 F_TESTC FB 399 Control block for the background self test of the CPU 445 F_TESTM FB 400 Switching of Safety Mode on and off 178 F_TI_FTI FB 368 C...

Page 332: ...Fail Safe Blocks Fail Safe Systems 8 144 A5E00085588 03 ...

Page 333: ...afe Modules Check List Phase Note Refer to Check Planning Prerequisite A Safety requirements specification must be available for the planned application Depends on the process Specification of the system architecture Depends on the process Allocation of functions and subfunctions to the system components Depends on the process F SYS Sect 1 7 F SYS Sect 7 3 Selection of the sensors and actuators Re...

Page 334: ...g Verification of the hardware components used on the basis of the check list of the certified F function blocks F SYS Sect 5 2 1 F SYS App A 3 Creation of the CFC charts Rules for the CFC charts of the Safety Program F SYS Sect 5 2 4 Creation of the run time groups Rules for the run time groups of the Safety Program F SYS Sect 5 2 5 Placement and interconnection of the F function blocks Rules for...

Page 335: ...loading Rules for testing Creating Block Types F SYS Sect 5 4 4 F SYS Sect 5 4 7 F SYS Sect 5 4 11 5 4 12 F SYS Sect 5 4 6 Installation Hardware setup Rules for installation Rules for wiring F SM Chap 4 F ET 200S Chap 5 and 6 F SM Chap 4 F ET 200S Chap 5 and 6 Downloading of the fail safe program Rules for downloading F SYS Sect 5 4 7 to 5 4 10 ...

Page 336: ...es to faults errors and events F SYS Sect 8 15 Replacement of hardware components Rules for the replacement of modules F SM Sect 3 6 F ET 200S Sect 6 4 Modifications to the Safety Program Rules for deactivating safety mode Rules for modifying the Safety Program F SYS Sect 5 4 2 F SYS Sect 6 3 Updating of the operating system Rules for the updating of the operating system as in the standard case St...

Page 337: ...3Bit Analog input module 6ES7 336 1HE00 0AB0 PM E F 24 VDC PROFIsafe Power Module 6ES7 138 4CF00 0AB0 4 8 F DI 24 VDC PROFIsafe Digital Electronic Module 6ES7 138 4FA00 0AB0 4 F DO 24 VDC 2 A PROFIsafe Digital Electronic Module 6ES7 138 4FB00 0AB0 PM D F 24 VDC PROFIsafe Power Module 3RK 1903 3BA00 F Copy License Downloading F blocks to an F or FH destination system is only permitted if you have a...

Page 338: ...cluded in safety considerations the following check list ought to be of assistance when you configure the F system with sensors and actuators Demands on Sensors and Actuators Check Are your sensors and actuators of adequate quality and suitable for environments with polluted air and corrosive fumes Do you make use of the possibilities of double redundancy for sensors where appropriate Do you make ...

Page 339: ...386 F module driver for 10 channel digital output F_CH_DI FB 377 F channel driver for digital input F_CH_DO FB 378 F channel driver for digital output F_CH_AI FB 379 F channel driver for analog input Further Blocks in Alphabetical Order F_1oo2_R FB 457 1 out of 2 analog voter block Block Type F_2OUT3 FB 305 Binary selection 2 out of 3 F_2oo3_R FB 456 2 out of 3 analog voter block Bock Type F_ABS_R...

Page 340: ...her F run time group F_R_FR FB 362 Convert from REAL to F_REAL F_R_R FB 393 Fail safe receipt of 5 data items of the data type F_REAL from another F run time group F_R_TRIG FB 346 Detection of the rising edge F_RCVBO FB 371 Receives F_BOOL data from another CPU F_RCVR FB 373 Receives F_REAL data from another CPU F_RS_FF FB 307 RS flipflop resetting dominant F_S_BO FB 390 Fail safe transmission of ...

Page 341: ... Supports the startup characteristics in the event of a cold restart warm restart of the CPU FAIL_MSG FC 181 F run time group shutdown diagnostic error reporting RTG_LOGIC FB 459 F run time group shutdown and restart logic interface Even though these blocks aren t yellow they are safety critical and are placed automatically by the CFC editor The user may not place or remove these blocks Changes ar...

Page 342: ... be compared with the parameters of the F I Os from the hardware configuration F Driver Type Safety Parameter Value Check Call of the F driver block F_M_DI8 F_M_DI24 F_M_AI6 F_M_DO10 or F_M_D08 LADDR LADDR_R TIMEOUT etc Value from the printout of the Safety Program information Example F Driver Type Safety Parameter Value Check F 1 F_M_DI8 TIMEOUT 1000 LADDR 24 LADDR_R 0 F 4 F_M_DI24 TIMEOUT 2000 L...

Page 343: ...7 300 Programmable Controllers Reference Manual 7 ET 200M Distributed I O Device 8 ET 200S Distributed I O System Fail Safe Modules 9 STEP 7 manuals 10 PCS 7 manuals 11 CFC manuals 12 Testing S7 Programs with S7 PLCSIM You can find manuals 2 to 8 in the SIMATIC Electronic Manuals collection on CD ROM Manuals 9 to 12 are included with the products in electronic form Some of them can be obtained by ...

Page 344: ...References Fail Safe Systems B 2 A5E00085558 03 ...

Page 345: ...nnel is automatically depassivated after the problem is eliminated Cyclic redundancy check CRC A test procedure to check the integrity of data By means of a generator polynominal a check sum is formed that is characteristic for the relevant data volume in the sense of being a signature A CRC check sum is formed for example for the process values contained in the safety frame or for the safety rela...

Page 346: ...gurable time for the discrepancy analysis E ES Engineering system F F Abbreviation for fail safe F Copy License Formal permission to use the CPU as an F compatible CPU for S7 F FH systems F CPU F capable CPU containing a safety program F cycle time Cyclic interrupt time for OBs with F run time groups F Data Types Fail safe data types F FBs Fail safe function blocks F I Os Fail safe Input Output mo...

Page 347: ...ault Module wide fault Module faults can be external faults e g no load voltage or internal faults e g processor failure An internal error always requires module replacement Module redundancy An additional identical module is operated redundantly to increase availability O OS Operator station P Passivation Passivation of digital output channels means that the outputs are deenergized Passivation of...

Page 348: ...r between the CPU and the fail safe signal modules Safety function In accordance with IEC 61508 A function implemented by a safety system to ensure that the system is kept in a safe state or brought into a safe state in the event of a problem All of the hardware and software components that are involved in implementing a certain process subfunction Safety integrity level Safety level between 4 and...

Page 349: ...ion chambers If this is achieved with multi channel systems the safety system consists of all the channels and monitoring equipment that contribute to safety Safety related Fail safe Sensor Evaluation There are two types of sensor evaluation 1oo1 evaluation The sensor signal is read once 1oo2 evaluation To increase availability the sensor signal is read in twice from the same module and compared i...

Page 350: ...Glossary Fail Safe Systems Glossary 6 A5E00085588 03 ...

Page 351: ...ommunication between F run time groups 3 11 Communication between standard and Safety Program s 5 31 Communication between the CPU and F I Os 3 11 Compare Safety Programs 5 67 Comparison Blocks for Two Input Values of the Same Type 8 92 Compiling a Safety Program 5 43 COMPLEM component 8 2 Components of an S7 F System 1 7 Configuration and parameter assignment of hardware 4 1 Configuring CIR 4 11 ...

Page 352: ...11 F_FBO_BO 5 36 5 37 8 40 F_FI_I 5 36 5 37 8 41 F_FR_FI 8 43 F_FR_R 5 36 5 37 8 42 F_FTI_TI 5 36 5 37 8 44 F_I_FI 8 37 F_LIM_HL 8 92 F_LIM_I 8 114 F_LIM_LL 8 94 F_LIM_R 8 123 F_LIM_TI 8 113 F_M_AI6 8 68 F_M_DI24 8 61 F_M_DI8 8 58 F_M_DO10 8 66 F_M_DO8 8 64 F_MAX3_R 8 120 F_MID3_R 8 121 F_MIN3_R 8 122 F_MUL_R 8 117 F_MUX2_R 8 128 F_NOT 8 89 F_OR4 8 87 F_PLK 8 70 F_PLK_O 8 71 F_QUITES 8 45 F_R_BO 5...

Page 353: ... requirement mode 7 4 Optional package installing 1 11 1 13 OR logic operation 8 87 Overview 4 1 Overview of fault control measures 3 3 P Parameter assignment of F I Os 4 4 Passivating fail safe output modules 6 5 Passivation 5 24 5 25 5 26 Password 3 8 4 3 5 47 Performance enhancement 5 7 Placing and interconnecting F blocks 5 4 5 5 Plausibility check 6 3 8 35 Plausibility checking 5 36 PLCSim 5 ...

Page 354: ...ated communication between CPUs 3 12 Safety related parameters 7 17 Save reference data 5 66 Self tests 3 5 Sending F_BOOL data 8 27 F_REAL data 8 31 Setting up Access Rights for the CPU 4 8 Setting up the hardware 2 4 SFC F_CTRL 8 84 Simulating an Safety Program with S7 PLCSIM 5 57 Simulating PROFIsafe nodes 6 1 Simulating Safety Programs 5 57 Simulation 5 57 5 58 5 59 5 60 5 61 Simulation blocks...

Search results

Summary of Contents for SIMATIC S7 F

Reviews:

Related manuals for SIMATIC S7 F

Brands by name

Popular brands

Siemens SIMATIC S7 F, Manual

Search results

Summary of Contents for SIMATIC S7 F

Reviews:

Related manuals for SIMATIC S7 F

Brands by name

Popular brands