Overview of Fail-safe Systems
Safety Engineering in SIMATIC S7, System Manual, 04/2006, A5E00109529-05
1.3 Fail-safe Systems in SIMATIC S7
What fail-safe systems are available in SIMATIC S7?
Two fail-safe systems are available for integrating safety engineering into SIMATIC S7 automation systems:
1. The S7 Distributed Safety system is available to implement safety concepts for machine and operator protection (e.g., emergency STOP devices for the operation of machine tools and processing machinery) and for the process industry (e.g., protection functions for instrumentation and control protective devices and burners).
2. The S7 F/FH Systems automation system, which is fail-safe and optionally also fault-tolerant, is well suited to process engineering and oil industry applications.
Fail-safe and Fault-Tolerant S7 FH Systems
To increase the availability of an automation system, and thus to prevent process failures due to faults in the F-system, fail-safe S7 F Systems can optionally be equipped with a fault-tolerant feature (S7 FH Systems). Increased availability is achieved through component redundancy (power supply, central processing unit, communication, and I/O).
Achievable Safety Requirements
S7 Distributed Safety and S7 F/FH Systems F-systems can satisfy the following safety requirements:
• Safety class (Safety Integrity Level) SIL1 to SIL3 in accordance with IEC 61508
• Category 2 to Category 4 in accordance with EN 954-1
Principle of Safety Functions in S7 Distributed Safety and S7 F/FH Systems
Functional safety is implemented principally through safety functions in the software. Safety functions are executed by S7 Distributed Safety or S7 F/FH Systems to restore or maintain a safe state in a system when a dangerous event occurs. Safety functions are contained mainly in the following components:
• In the safety-related user program (safety program) in the fail-safe CPU (F-CPU)
• In the fail-safe inputs and outputs (F-I/O)
The F-I/O ensure safe processing of field information (emergency STOP buttons, light barriers, motor control). They contain all of the hardware and software components required for safe processing in accordance with the required safety class. The user only programs the user safety function.
The safety function for the process can be provided either by a user safety function or by a fault reaction function. If a fault prevents the F-system from executing its user safety function, it executes the fault reaction function instead: for example, the associated outputs are deactivated and, if necessary, the F-CPU switches to STOP mode.
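As an added illustration (not code from this manual or from Siemens), the following Python model shows the principle described in this section and in the S7 FH paragraph above: a user safety function that drives an output from an emergency-STOP channel, a fault reaction function that forces the safe state (outputs de-energized, F-CPU in STOP), and the contrast between an F system and an FH system, whose redundant CPU keeps it available when one unit fails. All names (FCpu, Channel, cycle, failed_cpus) and the scenarios are hypothetical constructions.

```python
from dataclasses import dataclass, field

@dataclass
class Channel:
    """One F-I/O input channel (hypothetical model, not Siemens code)."""
    value: bool            # True = circuit closed (E-STOP not pressed)
    healthy: bool = True   # False = the F-I/O reported a channel fault

@dataclass
class FCpu:
    redundant_cpus: int = 1   # 1 = S7 F System, 2 = S7 FH System (CPU redundancy)
    mode: str = "RUN"
    outputs: dict = field(default_factory=lambda: {"motor_enable": False})

    def user_safety_function(self, estop: Channel) -> bool:
        # The part the user programs: run the motor only while the E-STOP circuit is closed.
        return estop.value

    def fault_reaction_function(self) -> None:
        # Fault reaction as described above: outputs deactivated (de-energized = safe
        # state) and the F-CPU switched to STOP.
        for name in self.outputs:
            self.outputs[name] = False
        self.mode = "STOP"

    def cycle(self, estop: Channel, failed_cpus: int = 0) -> dict:
        """One scan cycle; returns the resulting output image."""
        if self.mode == "STOP":            # STOP is latched until a restart
            return dict(self.outputs)
        # FH: a redundant CPU masks the loss of one unit (availability). Losing all
        # CPUs, or a faulted input channel, cannot be tolerated: react instead.
        if failed_cpus >= self.redundant_cpus or not estop.healthy:
            self.fault_reaction_function()
        else:
            self.outputs["motor_enable"] = self.user_safety_function(estop)
        return dict(self.outputs)

def run_scenarios() -> dict:
    """Constructed scenarios contrasting an F system with an FH system."""
    f_sys, fh_sys = FCpu(redundant_cpus=1), FCpu(redundant_cpus=2)
    ok, pressed = Channel(value=True), Channel(value=False)
    return {
        "f_normal": f_sys.cycle(ok)["motor_enable"],                          # True
        "f_estop_pressed": f_sys.cycle(pressed)["motor_enable"],              # False, still RUN
        "f_one_cpu_lost": f_sys.cycle(ok, failed_cpus=1)["motor_enable"],     # False
        "f_mode": f_sys.mode,                                                 # "STOP"
        "fh_one_cpu_lost": fh_sys.cycle(ok, failed_cpus=1)["motor_enable"],   # True
        "fh_mode": fh_sys.mode,                                               # "RUN"
        "fh_channel_fault": fh_sys.cycle(Channel(True, healthy=False))["motor_enable"],  # False
    }
```

Note that pressing the E-STOP is handled by the user safety function with the F-CPU staying in RUN, whereas a fault the system cannot tolerate triggers the fault reaction function and latches STOP.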