
Overview of Fail-safe Systems 

 

1.5 Guide to Working with F-Systems 

Safety Engineering in SIMATIC S7  
System Manual, 04/2006, A5E00109529-05 

1-17

 

1.5 Guide to Working with F-Systems

Introduction 

This section describes the basic procedure for working with fail-safe systems. Only those steps for F-systems that differ from the standard procedure are presented. Planning tasks that depend on the process, such as creating a flowchart or process tag list, defining a structure, etc., are not described here.

Example Projects

You will find introductory example projects for the configuration and programming of:

• S7 Distributed Safety in the S7 Distributed Safety Getting Started
• S7 Distributed Safety in the S7 Distributed Safety Configuring and Programming manual
• S7 F/FH Systems in the Programmable Controllers S7 F/FH manual
• S7 F/FH Systems in the step7\Examples directory

Planning a System

When planning a system, the planner specifies the applicable safety class (SIL/Category) for each required safety function based on a risk assessment. This is then used to determine the component requirements for implementing the safety functions (programmable logic controllers, sensors, actuators). These decisions influence additional activities such as hardware design, configuration, and programming.

 

 

Note 
A functional division of standard and safety functions is important for planning. 
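The planning step above maps a required safety class to component requirements and keeps standard and safety functions apart. The following is an added example, not code from the Siemens manual: a planning-stage screening check over a constructed (hypothetical) plan in which each safety function carries the SIL from the risk assessment and each element of its signal chain (sensor, F-CPU, actuator) carries the SIL it is certified for. The check flags any chain element that is a standard (non-F) component or is certified below the required SIL, and rejects a requested class above SIL3, the highest class S7 F-systems are rated for. It is a weakest-link screen only; a real SIL verification per IEC 61508 also requires the PFD/PFH calculation and the architectural constraints, which this example does not attempt.

```python
"""Planning-stage SIL screening check (added example, constructed data).

Component names, SIL ratings and safety functions below are hypothetical;
they are not taken from a real product catalogue or from the manual.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    fail_safe: bool      # True for F-rated hardware, False for a standard component
    sil: int = 0         # certified SIL of the component; 0 for standard components


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    required_sil: int    # SIL assigned by the risk assessment
    chain: tuple         # signal chain: sensor -> logic solver -> actuator


MAX_SIL = 3              # S7 Distributed Safety and S7 F/FH Systems reach SIL1 to SIL3


def chain_sil(fn: SafetyFunction) -> int:
    """Weakest-link SIL of the chain: the lowest certified SIL of any element
    (a standard component counts as SIL 0)."""
    return min(c.sil for c in fn.chain)


def check_function(fn: SafetyFunction) -> list:
    """Return the findings for one safety function; an empty list means it
    passes the screening check."""
    findings = []
    if fn.required_sil > MAX_SIL:
        findings.append(
            f"{fn.name}: SIL{fn.required_sil} requested, F-systems reach at most SIL{MAX_SIL}")
    for c in fn.chain:
        if not c.fail_safe:
            # Violates the functional division: a standard component inside a safety chain.
            findings.append(f"{fn.name}: '{c.name}' is a standard component in a safety chain")
        elif c.sil < fn.required_sil:
            findings.append(
                f"{fn.name}: '{c.name}' is certified SIL{c.sil}, function requires SIL{fn.required_sil}")
    return findings


def check_plan(functions) -> dict:
    """Map each safety function name to its list of findings."""
    return {fn.name: check_function(fn) for fn in functions}


# Constructed sample plan (hypothetical components and ratings).
ESTOP_BUTTON = Component("two-channel e-stop button", fail_safe=True, sil=3)
LIGHT_CURTAIN = Component("light curtain", fail_safe=True, sil=2)
F_CPU = Component("F-CPU", fail_safe=True, sil=3)
F_DO = Component("fail-safe digital output", fail_safe=True, sil=3)
STD_DO = Component("standard digital output", fail_safe=False)

SAMPLE_PLAN = (
    SafetyFunction("emergency stop", 3, (ESTOP_BUTTON, F_CPU, F_DO)),   # passes
    SafetyFunction("guard zone", 3, (LIGHT_CURTAIN, F_CPU, F_DO)),      # sensor only SIL2
    SafetyFunction("conveyor halt", 2, (LIGHT_CURTAIN, F_CPU, STD_DO)), # standard actuator
)

if __name__ == "__main__":
    for name, findings in check_plan(SAMPLE_PLAN).items():
        print(name, "OK" if not findings else findings)
```

The "guard zone" chain fails because its sensor is certified one class below the function's requirement, and "conveyor halt" fails because a standard output module sits in a safety chain; both are exactly the decisions the planner has to settle before hardware design, configuration and programming begin.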

 

Summary of Contents for SIMATIC S7

Page 1: ...____________ Preface Overview of Fail safe Systems 1 Configurations and Help with Selection 2 Communication Options 3 Safety in F Systems 4 Achievable Safety Classes with F I O 5 Configuring F Systems 6 Programming F Systems 7 Monitoring and Response Times of F Systems A SIMATIC Safety Engineering in SIMATIC S7 System Manual 04 2006 A5E00109529 05 ...

Page 2: ...mmissioning and operation of a device system may only be performed by qualified personnel Within the context of the safety notes in this documentation qualified persons are defined as persons who are authorized to commission ground and label devices systems and circuits in accordance with established safety practices and standards Prescribed Usage Note the following Warning This device may only be...

Page 3: ...ing information for decision makers and as a source of technical information on S7 Distributed Safety and S7 F FH Systems fail safe automation systems for service and commissioning personnel e g detailed information on monitoring and response times of S7 Distributed Safety and S7 F FH Systems is provided in the appendix Scope of System Description This system description applies to the S7 Distribu...

Page 4: ...or PROFINET IO with CPU 416F 2 6ES7 416 2FK04 0AB0 as of firmware version V 4 1 with CP 443 1 Advanced CPU 315F 2 PN DP CPU 317F 2 PN DP ET 200S fail safe modules ET 200pro fail safe modules Fail safe I O standard devices x Safety related CPU CPU communication has been expanded to include I slave slave communication x Channel specific passivation when channel errors occur S7 300 fail safe signal m...

Page 5: ...you will need the following documentation The operating manual S7 300 CPU 31xC and CPU 31x Installation describes the installation and wiring of S7 300 systems The CPU 31xC and CPU 31x Technical Data product manual describes the CPUs 315 2 DP and PN DP and CPUs 317 2 DP and PN DP The Automation System S7 400 Hardware and Installation installation manual describes the assembly and wiring of S7 400 ...

Page 6: ...m necessary when the F system is integrated in a higher level control system The complete collection of SIMATIC S7 documentation is available on CD ROM Guide The following topics are covered in the system description Overview of fail safe automation systems in general and in SIMATIC S7 in particular Comparison of system performance of S7 Distributed Safety and S7 F FH Systems Description of the co...

Page 7: ...er courses to help you get started with the S7 automation system Contact your regional training center or the central training center in D 90327 Nuremberg Federal Republic of Germany Phone 49 911 895 3200 http www sitrain com H F Competence Center The H F Competence Center in Nuremberg offers special workshops on SIMATIC S7 fail safe and fault tolerant automation systems The H F Competence Center ...

Page 8: ...s Important Information for Preserving the Operational Safety of your System Note The operators of systems with safety related characteristics must adhere to operational safety requirements The supplier is also obliged to comply with certain actions when monitoring the product To keep you informed a special newsletter is therefore available containing information on product developments and proper...

Page 9: ...l safe Components 2 7 2 3 Configuration Variants for Fail safe Systems According to Availability Requirements 2 9 2 3 1 Single channel I O S7 Distributed Safety 2 10 2 3 2 Single channel I O S7 F Systems 2 15 2 3 3 Single channel Switched I O S7 FH Systems only 2 18 2 3 4 Redundant Switched I O S7 FH Systems Only 2 20 2 4 S7 Distributed Safety or S7 F FH Systems Selection Guide 2 22 3 Communicatio...

Page 10: ...s for Achieving Safety Classes for F I O with Outputs 5 12 6 Configuring F Systems 6 1 6 1 Introduction 6 1 6 2 Configuring the F CPU 6 2 6 3 Configuring the F I O 6 4 6 4 Configuring Fail safe DP Standard Slaves and Fail safe I O Standard Devices 6 5 7 Programming F Systems 7 1 7 1 Introduction 7 1 7 2 Programming Languages for F Systems 7 3 7 3 Structure of the Safety Program in S7 Distributed S...

Page 11: ...to Maintenance of F Systems 1 18 Table 2 1 Configuration Options for Fail safe Systems According to Availability 2 9 Table 2 2 Selection Citeria for an F system 2 22 Table 3 1 Communication Options 3 2 Table 3 2 Accessing F I O in S7 Distributed Safety 3 7 Table 3 3 Overview of Communication between F CPUs 3 13 Table 3 4 Safety Related CPU CPU Communication 3 20 Table 4 1 Meaning of the risk param...

Page 12: ...Table of contents Safety Engineering in SIMATIC S7 xii System Manual 04 2006 A5E00109529 05 ...

Page 13: ...ger humans or the environment Fail safe systems go beyond conventional safety engineering to enable far reaching intelligent systems that extend all the way to the electrical drives and measuring systems F systems are used in systems with advanced safety requirements Improved fault detection and localization in F systems through detailed diagnostic information enables production to be resumed quic...

Page 14: ...2 times and compared The unified read result is passed on to the central processing unit in a fail safe manner for further processing Safety related actuators are driven based on redundant ANDing without any additional action on the part of the user Interconnection of the inputs and outputs is also greatly simplified This eliminates the need for some of the individually mounted hardware switching ...

Page 15: ... I O Achievable Safety Requirements S7 Distributed Safety and S7 F FH Systems F systems can satisfy the following safety requirements Safety class Safety Integrity Level SIL1 to SIL3 in accordance with IEC 61508 Category 2 to Category 4 in accordance with EN 954 1 Principle of Safety Functions in S7 Distributed Safety and S7 F FH Systems Functional safety is implemented principally through safety ...

Page 16: ...in a standard data frame Advantages Because both standard and safety related communication takes place on the standard PROFIBUS DP or standard PROFINET IO no additional hardware components are required Safety related communication tasks can be solved without resorting to previous conventional solutions such as permanent wiring of emergency stop devices or special buses This enables safety related ...

Page 17: ... e g for protection functions for instrumentation and control protective devices and burners Integration options for S7 Distributed Safety fail safe systems at the plant automation level are shown below PROFIBUS PC ET 200S ET 200M ET 200M ET 200S F SMs ET 200S ET 200S ET 200pro ET 200S F SMs ET 200M ET 200pro ET 200eco 2SHUDWRU VWDWLRQ 26 PRGXOHV PRGXOHV DLO VDIH 2 PRGXOH DLO VDIH 2 PRGXOHV 6WDQGD...

Page 18: ...state can be attained by disabling the fail safe outputs Integration options for S7 F Systems and S7 FH Systems in process automation systems using PCS 7 are shown below PC PC PC PC ET 200M ET 200M ET 200M ET 200S ET 200S S7 400H ET 200eco 60V 60V 60V 60V 2SHUDWRU VWDWLRQV 26 HQWUDO HQJLQHHULQJ 6 QGXVWULDO WKHUQHW RU 352 86 DLO VDIH 2 PRGXOH LQ VWDQGDUG PRGH 6WDQGDUG PRGXOHV 6WDQGDUG 60V 6WDQGDUG ...

Page 19: ...nology Configuration integrated in STEP 7 same as for standard automation systems Creation of safety program using standard programming languages of STEP 7 Flexible adaptation to the task requirements by providing a wide range of fail safe I O Comparison of System Performance of S7 Distributed Safety and S7 F FH Systems The following table identifies the differences between the fail safe systems w...

Page 20: ... languages in STEP 7 In CFC optional software for STEP 7 via safety matrix Modification of safety program in the F CPU in RUN mode Currently possible in deactivated safety mode however transition to safety mode possible only by switching the F CPU to STOP mode Currently possible in deactivated safety mode or via Safety Data Write change of operating mode of F CPU not required for transition to saf...

Page 21: ... Distributed Safety CPU 416F 2 6ES7 416 2FK04 0AB0 1 4 Mbytes for program 1 4 Mbytes for data CPU 414 4H 6ES7 414 4HJ00 0AB0 384 Kbytes for program 384 Kbytes for data CPU 414 4H 6ES7 414 4HJ04 0AB0 700 Kbytes for program 700 Kbytes for data CPU 417 4H 6ES7 417 4HL00 0AB0 6ES7 417 4HL01 0AB0 2 Mbytes for program can be expanded to 10 Mbytes 2 Mbytes for data can be expanded to 10 Mbytes S7 F FH Sy...

Page 22: ...ware components have to be combined Wiring Fail safe I O The user wires the F I O to the sensors and actuators so as to be able to achieve the required safety class Configuring Hardware The user configures the F CPU and the F I O in STEP 7 HW Config This configuration must match the hardware configuration that is the circuit diagram of the F I O must reflect the parameter settings Creating Safety ...

Page 23: ...S7 F FH Systems CPU 414 4H CPU 417 4H each with F runtime license F signal modules in ET 200M decentralized configuration F electronic modules in ET 200S DP slave with an IM 151 1 HIGH FEATURE ET 200eco fail safe I O module Fail safe DP standard slaves In addition the F system can be expanded using standard components of the S7 300 and S7 400 F CPU A CPU with fail safe capability is a central proc...

Page 24: ...ilable Fail safe digital input modules SM 326 DI 8 NAMUR with diagnostic interrupt SM 326 DI 24 24 VDC with diagnostic interrupt Fail safe digital output modules SM 326 DO 10 24 VDC 2 A with diagnostic interrupt SM 326 DO 8 24 VDC 2 A with diagnostic interrupt Fail safe analog input module SM 336 AI 6 13 bits with diagnostic interrupt F SMs can also be used as standard SMs with standard CPUs in st...

Page 25: ... digital electronic module F modules can not be used with standard CPUs in standard applications Interface Modules for ET 200S with Fail safe Modules One interface module is required for each ET 200S The F system determines which interface module can be used Table 1 4 Use of Interface Modules with ET 200S Fail safe Modules Interface Module Order Number or higher Applicable Optional Package in ET 2...

Page 26: ...il safe DP standard slaves are standard slaves that are operated on PROFIBUS with the DP protocol and the PROFIsafe bus profile Their behavior must comply with IEC 61784 1 2002 Ed1 CP 3 1 and the PROFIsafe bus profile Fail safe DP standard slaves that are used in a mixed configurations on PROFIBUS DP and PROFINET IO after IE PB links must support the PROFIsafe bus profile in the V2 mode A GSD file...

Page 27: ...wn in the following table Table 1 5 Optional Packages for Configuration and Programming Optional Package Order Number For F System Scope S7 Distributed Safety 6ES7 833 1FC02 0YX0 S7 Distributed Safety Configuration and programming software with F block library for IM 151 7 F CPU CPU 315F 2 DP CPU 315F 2 PN DP CPU 317F 2 DP CPU 317F 2 PN DP CPU 416F 2 ET 200S F modules ET 200pro F modules ET 200eco...

Page 28: ...H Systems CFC Use of optional CFC software in STEP 7 Special F blocks in the Failsafe Blocks F library must be used Creating a Safety Program for S7 Distributed Safety The user creates safety programs with F FBD or F LAD in fail safe FBs and FCs The F library provided contains F application blocks that the user can incorporate into his safety program The user also has the option of creating his ow...

Page 29: ...iguration and programming of S7 Distributed Safety in S7 Distributed Safety Getting Started S7 Distributed Safety in S7 Distributed Safety Configuring and Programming manual S7 F FH Systems in Programmable Controllers S7 F FH manual S7 F FH Systems in step7 Examples directory Planning a System When planning a system the planner specifies the applicable safety class SIL Category for each required s...

Page 30: ... Fail safe Modules ET 200pro ET 200pro Fail safe Modules ET 200eco ET 200eco Fail safe I O Module F SMs S7 300 Fail safe Signal Modules 3 Set up hardware Set the PROFIsafe addresses on the ET 200S ET 200pro ET 200eco and S7 300 F SMs via switch Install modules Wire modules according to required wiring diagram ET 200S ET 200S Fail safe Modules ET 200pro ET 200pro Fail safe Modules ET 200eco ET 200e...

Page 31: ...he availability requirements of the F system In the last part of the chapter we present the main criteria used by customers to determine which fail safe system S7 Distributed Safety S7 F Systems or S7 FH Systems is right for their automation task Additional Information For detailed information on the F I O refer to Automation System S7 300 Fail safe Signal Modules manual ET 200S Distributed I O Sy...

Page 32: ... with fail safe capability such as CPU 315F 2 DP on which a safety program is executed Fail safe I O for example Fail safe signal modules F SMs in a centralized configuration with CPU 315F 2 DP Fail safe signal modules F SMs in an ET 200M distributed I O system Fail safe modules in an ET 200S distributed I O system Fail safe modules in an ET 200pro distributed I O device ET 200eco fail safe I O mo...

Page 33: ...the fail safe I O in the centralized configuration and in the DP slaves The F system can be expanded with additional fail safe I O any number of standard DP slaves and standard modules PROFIBUS DP 352 86 RU WKHUQHW 3URJUDPPLQJ GHYLFH 2SHUDWRU VWDWLRQ 6 VWHP YLVXDOL DWLRQ 6 VWDWLRQ ZLWK 38 3 DQG IDLO VDIH VLJQDO PRGXOHV LVWULEXWHG 7 0 2 ZLWK IDLO VDIH VLJQDO PRGXOHV LVWULEXWHG 7 SUR ZLWK IDLO VDIH ...

Page 34: ...th the IM 151 7 F CPU in ET 200S The IM 151 7 F CPU acts as an intelligent preprocessing device I slave The F system can be expanded with additional fail safe I O any number of standard DP slaves and standard modules 352 86 3 352 86 RU WKHUQHW 3URJUDPPLQJ GHYLFH 2SHUDWRU VWDWLRQ 6 VWHP YLVXDOL DWLRQ 6 VWDWLRQ ZLWK 38 DQG VWDQGDUG PRGXOHV LVWULEXWHG 2 7 6 ZLWK 0 38 IDLO VDIH DQG VWDQGDUG PRGXOHV Fi...

Page 35: ...HP YLVXDOL DWLRQ 6 VWDWLRQ ZLWK 38 31 3 DQG IDLO VDIH VLJQDO PRGXOHV LVWULEXWHG 7 SUR 2 ZLWK IDLO VDIH PRGXOHV LVWULEXWHG 7 6 2 ZLWK IDLO VDIH DQG VWDQGDUG PRGXOHV Figure 2 3 Example 3 F System S7 Distributed Safety with PROFINET IO 2 2 2 S7 F Systems Fail safe System Components of S7 F Systems S7 F Systems refers to a fail safe automation system consisting of at least the following components A c...

Page 36: ... WKHUQHW 3URJUDPPLQJ GHYLFH 2SHUDWRU VWDWLRQ 6 VWHP YLVXDOL DWLRQ 6 VWDWLRQ ZLWK 38 DQG VWDQGDUG PRGXOHV LVWULEXWHG 7 0 2 ZLWK IDLO VDIH VLJQDO PRGXOHV DLO VDIH 3 VWDQGDUG VODYH IRU H DPSOH ODVHU VFDQQHU OLJKW DUUD 7 HFR IDLOVDIH 2 PRGXOH LVWULEXWHG 7 6 2 ZLWK PRGXOHV DQG VWDQGDUG PRGXOHV Figure 2 4 S7 F Systems Fail safe System 2 2 3 S7 FH Systems Fail safe and Fault Tolerant System Components of...

Page 37: ...WLRQ LVWULEXWHG 7 0 2 ZLWK VWDQGDUG 0RGXOHV UHGXQGDQW RSWLRQ Figure 2 5 S7 FH Systems Fail safe System 2 2 4 Coexistence of Standard and Fail safe Components Coexistence Is Possible Standard fault tolerant H and fail safe F components and systems can be used in combination as follows Standard systems H systems F systems and FH systems can coexist in a system In an F system Distributed I O devices ...

Page 38: ...n measures for standard components are sufficient see the manuals for the F CPU and F I O you are using Applications with safety class SIL3 Category 4 require certain measures beyond physical contact protection to prevent hazardous overvoltages of F circuits via the power supply and backplane bus even in the event of a fault Therefore the following are provided for protection from backplane bus in...

Page 39: ... Safety and S7 F Systems cannot be increased by using the SW Redundancy software package Configuration Options in Safety Mode Fail safe systems can be configured three different ways as follows Table 2 1 Configuration Options for Fail safe Systems According to Availability System Configuration Option Description Availability S7 Distributed Safety S7 F Systems Single channel I O Single channel and ...

Page 40: ... with a copper cable or a fiber optic cable The F I O is not redundant Centralized Configuration of S7 Distributed Safety Centralized configuration of S7 Distributed Safety requires the following elements One CPU 31xF 2 DP or CPU 31xF 2 PN DP F SMs and if necessary standard SMs Safety protector required for SIL3 Category 4 applications only Configuration Example of S7 Distributed Safety Single cha...

Page 41: ...US DP with Copper Cable The following are required for distributed configuration with copper cable One CPU 416F 2 CPU 31xF 2 DP CPU 31xF 2 PN DP or IM 151 7 F CPU One PROFIBUS DP line Fail safe I O for example One ET 200M with IM153 2 F SMs and if necessary standard SMs safety protector required for SIL3 Category 4 applications only One ET 200S with IM 151 1 HIGH FEATURE or IM 151 7 F CPU fail saf...

Page 42: ...7 Distributed Safety with Single channel I O PROFIBUS DP Copper Cable Distributed Configuration of S7 Distributed Safety and PROFIBUS DP with Fiber optic Cable The following are required to configure PROFIBUS DP with fiber optic cables One CPU 416F 2 CPU 31xF 2 DP CPU 31xF 2 PN DP or IM 151 7 F CPU One PROFIBUS DP line Fail safe I O for example One ET 200M with IM153 2 FO F SMs and if necessary st...

Page 43: ... PRGXOHV Figure 2 9 S7 Distributed Safety with Single channel I O PROFIBUS DP Fiber optic Cable Distributed Configuration of S7 Distributed Safety and PROFINET IO The following are required to set up PROFINET IO One CPU 31xF 2 PN DP or CPU 416F 2 as of firmware version V 4 1 with CP 443 1 Advanced One PROFINET IO line Fail safe I O for PROFINET IO for example One ET 200pro with IM 154 4 PN HIGH FE...

Page 44: ...HO GLVWULEXWHG 2 6 VWDWLRQ ZLWK 38 31 3 7 SUR VLQJOH FKDQQHO GLVWULEXWHG 2 DLO VDIH 2 VWDQGDUG GHYLFH Figure 2 10 S7 Distributed Safety with Single channel I O PROFINET IO Limits of Availability with Single channel I O In the event of a fault the I O are no longer available The F I O is passivated Possible fault causes Failure of F I O Failure of interface module in an ET 200M ET 200S or ET 200pro...

Page 45: ... depends on whether PROFIBUS DP is configured with copper cable or fiber optic cable The F I O is not redundant S7 F Systems and PROFIBUS DP with Copper Cable The following are required to configure PROFIBUS DP with copper cable One CPU 414 4H or CPU 417 4H One PROFIBUS DP line Fail safe I O for example One ET 200M with IM153 2 F SMs and if necessary standard SMs safety protector required for SIL3...

Page 46: ...QQHO GLVWULEXWHG 2 7 HFR VLQJOH FKDQQHO GLVWULEXWHG 2 Figure 2 11 S7 F Systems with Single channel I O Copper Cable S7 F Systems and PROFIBUS DP with Fiber optic Cable The following are required to configure PROFIBUS DP with fiber optic cables One CPU 414 4H or CPU 417 4H One PROFIBUS DP line Fail safe I O for example One ET 200M with IM153 2 FO F SMs and if necessary standard SMs safety protector...

Page 47: ...RGXOHV 6DIHW SURWHFWRUV LI UHTXLUHG DLO VDIH PRGXOHV 7 0 VLQJOH FKDQQHO GLVWULEXWHG 2 7 6 VLQJOH FKDQQHO GLVWULEXWHG 2 6 VWDWLRQ ZLWK 38 Figure 2 12 S7 F Systems with Single channel I O Fiber optic Cable Limits of Availability with Single channel I O In the event of a fault the I O are no longer available The F I O is passivated Possible fault causes Failure of F I O Failure of interface module in...

Page 48: ...PROFIBUS DP with Copper Cable The following are required to configure PROFIBUS DP with copper cable Two CPU 414 4H or CPU 417 4H Two PROFIBUS DP lines One ET 200M with two redundant IM153 2 modules each with a PROFIBUS DP interface Four bus connectors for connecting the two F CPUs and the two IM153 2 or IM153 3 modules to PROFIBUS DP Non redundant fail safe signal modules and if necessary standard...

Page 49: ... VDIH VLJQDO PRGXOHV 6DIHW SURWHFWRUV LI UHTXLUHG 2 0 2 7 LI UHTXLUHG 6LQJOH KDQQHO 6ZLWFKHG LVWULEXWHG 2 7 0 Figure 2 13 S7 FH Systems with Single channel Switched I O Limits of Availability with Single channel Switched I O Switched I O are no longer available to the process in case of Failure of the fail safe signal module relevant fail safe signal module is passivated Failure of the entire ET 2...

Page 50: ...ndant S7 FH Systems and PROFIBUS DP with Copper Cable The following are required to configure PROFIBUS DP with copper cable Two CPU 414 4H or CPU 417 4H Two PROFIBUS DP lines Two ET 200M with two redundant IM153 2 or IM153 3 modules each Six bus connectors for connecting the two F CPUs and the four IM153 2 or IM 153 3 modules to PROFIBUS DP Redundant fail safe signal modules and if necessary stand...

Page 51: ...ZLWK WZR 38 2 0 2 7 LI UHTXLUHG 6DIHW SURWHFWRUV LI UHTXLUHG 5HGXQGDQW 6ZLWFKHG LVWULEXWHG 2 7 0V 5HGXQGDQW IDLOVDIH VLJQDO PRGXOHV Figure 2 14 S7 FH Systems with Redundant Switched I O Availability with Redundant Switched I O The I O are still available to the process in case of Failure of a fail safe redundant signal module Failure of an IM153 2 3 2 FO in both ET 200Ms Failure of an entire ET 20...

Page 52: ...iguration with CPU 315F 2 DP for example F electronic modules in ET 200S Fail safe electronic modules in ET 200pro ET 200eco fail safe I O module Fail safe DP standard slaves F signal modules in ET 200M F electronic modules in ET 200S ET 200eco fail safe I O module Fail safe DP standard slaves Applicable F I O on PROFINET IO F electronic modules in ET 200S Fail safe electronic modules in ET 200pro...

Page 53: ...ic interference Safety classes SIL2 Category 3 and SIL3 Category 4 can be achieved System Configuration of F System The limits for the system configuration of a fail safe system are determined mainly by the F CPU used The memory configuration for all applicable F CPUs is available in the Memory Configuration of F CPUs table in Performance Characteristics of S7 Distributed Safety and S7 F FH System...

Page 54: ...Configurations and Help with Selection 2 4 S7 Distributed Safety or S7 F FH Systems Selection Guide Safety Engineering in SIMATIC S7 2 24 System Manual 04 2006 A5E00109529 05 ...

Page 55: ...can take place between standard user programs exactly the same as in standard S7 300 and S7 400 automation systems and is not presented in this chapter You will find a description in the STEP 7 manuals and in the hardware manuals for each CPU The user employs fail safe blocks to some extent for safety related communication F blocks and their handling are described in detail in the following refere...

Page 56: ...le 3 1 Communication Options No Communication Between And Safety Related See Section 1 Safety program in F CPU Standard user program in F CPU No Communication between Standard User Program and Safety Program 2 Standard user program in F CPU Safety program in F CPU No Communication between Standard User Program and Safety Program 3 F runtime group F runtime group Yes Communication between F Runtime...

Page 57: ... cannot be processed in the safety program unless they are subject to a validity check The in plant safety experts are responsible for ensuring this and implementing the validity check In case of doubt these data must be generated by a safety program Differences between S7 Distributed Safety and S7 F FH Systems In S7 Distributed Safety data are exchanged between the safety program and the standard...

Page 58: ...gnals from the standard I O can be read using the process input image PII Because these data are unsafe the user must perform additional process specific validity checks in the safety program to ensure that no hazardous situations can arise To facilitate the validity check all signals from the standard user program that are evaluated in the safety program are included when the safety program is pr...

Page 59: ...am CFC F runtime group 3 4 3 4 Communication between F Runtime Groups F Runtime Groups S7 Distributed Safety An F runtime group is a logical construct made of several related F blocks S7 F FH Systems Runtime groups containing fail safe blocks are called F runtime groups Communication Overview 38 6DIHW SURJUDP UXQWLPH JURXS UXQWLPH JURXS 6DIHW UHODWHG Figure 3 3 Communication between F Runtime grou...

Page 60: ...ia the process image PII and PIQ The I O cannot be accessed directly The process input image is updated at the beginning of the F runtime group before the F program block is executed The process output image is updated at the end of the F runtime group after the F program block is executed The actual communication between the F CPU process image and the F I O to update the process image occurs in ...

Page 61: ...s to certain variables for F I O communication in the F I O DB 3 Create the F CALL call block for safety program S7 Distributed Safety provides for the connection of the F I O to the safety program in the F CALL The F CALL block cannot be edited by the user 4 Create the safety program with accesses to the process image See section below 5 Call Edit Safety Program dialog in SIMATIC Manager and defi...

Page 62: ...ormation For a detailed description of the F I O DB variables and how to initialize and evaluate them refer to the S7 Distributed Safety Configuring and Programming manual See also Structure of the Safety Program in S7 Distributed Safety Page 7 4 3 5 3 Safety Related I Slave Slave Communication in S7 Distributed Safety Introduction In S7 Distributed Safety safety related I slave slave communicatio...

Page 63: ...I O can only be accessed from one F runtime group Required User Steps The user performs the following steps for safety related I slave slave communication 1 Configure I slave and slave in HW Config 2 Configure the DP master system in HW Config 3 Connect the I slave to the slave 4 Set the address areas for data exchange in HW Config in the Object Properties dialog of the I slave 5 Once the safety p...

Page 64: ...tomatically positioned and interconnected in the safety program F Channel Drivers F channel drivers provide process data in a safe data format They must be positioned and interconnected in the safety program by the user Required User Steps The user must perform the following steps to connect the F I O 1 Select appropriate F channel drivers from the Failsafe Blocks F library and position them in th...

Page 65: ...service information type of fault Additional Information For a detailed description of the variables and how to initialize and evaluate them refer to the Programmable Controllers S7 F FH manual 3 5 5 Standard Communication Communication Overview 38 2 60V 6WDQGDUG XVHU SURJUDP 6WDQGDUG FRPPXQLFDWLRQ Figure 3 6 Standard Communication between CPU and F I O Standard Communication Standard Mode F I O c...

Page 66: ...safety As in standard mode diagnostic data record transfers are used to transfer this information to the F CPU and enter it in the diagnostic buffer of the F CPU and F SMs acyclically Diagnostic data can be read out by the user with STEP 7 as follows From the diagnostic buffer of the F CPU and F SMs As slave diagnostics of the ET 200S ET 200pro and ET 200eco fail safe modules In the standard user ...

Page 67: ...n between PROFIBUS DP DP master DP master PROFIBUS DP DP master I slave PROFIBUS DP I slave I slave PROFINET IO I O Controller I O Devices S7 Distributed Safety Industrial Ethernet configured S7 connections Not relevant S7 F FH Systems Via PROFIBUS MPI Industrial Ethernet etc Configured standard or fault tolerant S7 connections Not relevant 3 6 1 S7 Distributed Safety Safety related Master Master ...

Page 68: ...safe data of data types BOOL and INT in a fail safe manner Required User Steps The user performs the following steps for safety related master master communication 1 Set up hardware with a DP DP coupler 2 Configure the DP DP coupler in HW Config 3 Call F_SENDDP and F_RCVDP from the Distributed Safety F library in the safety program of the respective F CPU 4 Assign parameters for F_SENDDPs and F_RC...

Page 69: ... Safety related communication takes place with the aid of two fail safe application blocks the F_SENDDP block for sending data and the F_RCVDP block for receiving data These blocks are called by the user in the respective safety program of the F CPU They can be used to transfer a fixed number of fail safe data of data types BOOL and INT in a fail safe manner Required User Steps The user should car...

Page 70: ...tion between the safety programs of the F CPUs for I slaves takes place in standard mode via data exchange Communication Overview 352 86 3 B6 1 3 B5 9 3 B5 9 3 B6 1 3 VODYH VODYH 6DIHW SURJUDP 6DIHW UHODWHG 6DIHW SURJUDP 38 VXFK DV 0 38 38 H J 38 3 Figure 3 9 S7 Distributed Safety Safety Related I Slave I Slave Communication I Slave I Slave Communication Safety related communication takes place wi...

Page 71: ...er 4 Set the address areas for data exchange in HW Config 5 Call F_SENDDP and F_RCVDP from the Distributed Safety F library in the safety programs of the F CPUs for the relevant I slaves 6 Assign parameters for F_SENDDPs and F_RCVDPs 7 Once the safety programs have been created compile and download them to the appropriate F CPU Additional Information For detailed information on configuring and pro...

Page 72: ... fail safe application blocks the F_SENDS7 block for sending data and the F_RCVS7 block for receiving data These blocks are called by the user in the respective safety program of the F CPU Using these fail safe application blocks a user defined amount of fail safe data of data types BOOL INT WORD or TIME can be transferred in a fail safe manner The fail safe data are applied to F DBs F communicati...

Page 73: ...nication via S7 connections can take place to and from the following CPUs CPU 315F 2 PN DP only via PN interface of the CPU CPU 317F 2 PN DP only via PN interface of the CPU CPU 416F 2 as of firmware version V 4 0 Additional Information You can find information on configuring S7 connections in the STEP 7 online help For detailed information on configuring and programming safety related communicati...

Page 74: ... 6 6 VWHPV Figure 3 11 S7 F FH Systems Communication between F CPUs Table 3 4 Safety Related CPU CPU Communication Number Communication From To Connection Type Safety Related 1 S7 FH Systems S7 FH Systems S7 connection fault tolerant Yes 2 S7 F FH Systems S7 F Systems S7 connection fault tolerant Yes 3 S7 F Systems S7 F Systems S7 connection Yes Communication via S7 Connections Safety related comm...

Page 75: ... safe blocks for CPU CPU communication from the Fail safe Blocks F library and then interconnect and assign parameters for them 3 Once the safety programs have been created compile and download them to the appropriate F CPU Additional Information You can find information on configuring the possible connection types in the STEP 7 online help For detailed information on configuring and programming s...

Page 77: ...r F systems Differences between S7 Distributed Safety and S7 F FH Systems are individually noted An overview of the standards approvals and safety requirements met by S7 Distributed Safety and S7 F FH Systems is presented in Standards and Approvals Additional Information The configuring and programming manuals for S7 Distributed Safety and S7 F FH systems present information on working with the sa...

Page 78: ...or fault detection and fault reaction are contained mainly in the safety program and the F I O These functions are implemented by suitable fail safe blocks and supported by the hardware and operating system of the F CPU Access Protection Access to F systems is protected by assigning passwords for the F CPU and the safety program Access protection is described in more detail in the following manual...

Page 79: ...y program cannot be modified during operation in safety mode Safety mode of the safety program in the F CPU can be deactivated and reactivated occasionally So called deactivated safety mode enables the safety program to be tested online and changed as needed while the F CPU is in RUN mode For S7 Distributed Safety you can switch back to safety mode only after an operating mode change from RUN to S...

Page 80: ...oring time If a valid sequence number is not detected within the monitoring time the F I O is passivated CRC Cyclic Redundancy Check Signature A CRC signature contained in the safety message frame protects the validity of the process data in the safety message frame the accuracy of the assigned address references and the safety relevant parameters If a CRC signature error occurs during communicati...

Page 81: ...is not affected by the shutdown Once faults are eliminated the safety program or F run time group must be restarted This restart is implemented after user acknowledgment in the F_SHUTDN block Passivation of F I O Channels of an F I O I O faults or communication errors cause the affected F I O or channels of the F I O to be passivated the F CPU does not go to STOP mode Once faults are eliminated th...

Page 82: ...cks This occurs analogously to a cold restart As a result saved error information is lost The F system automatically reintegrates the F I O In contrast to the standard user program restart OBs OB 100 to OB 102 cannot be used in the safety program Restart Protection A data handling error or an internal fault can also trigger a safety program restart with the values from the load memory If your proc...

Page 83: ...program. Accordingly, a dialog box is displayed automatically when the safety program is compiled the first time. 4.6 Acceptance Test of System. Who Performs the Acceptance Test: As a general rule, the acceptance test is performed by independent experts. Support when Preparing for Acceptance Test: When a system undergoes an acceptance test, all standards relevant to the specific application must be che...

Page 84: ...m SIMATIC S7 Distributed Safety and Safety Related Programmable Systems SIMATIC S7 F FH Systems formerly S7 400F and S7 400FH are available upon request from Ms Petra Bleicher A D AS RD ST Type Test Fax No 49 9621 80 3146 e mail petra bleicher siemens com Note Annex 1 of the Report on the Certificate contains permissible version numbers and signatures for fail safe components of S7 Distributed Saf...

Page 85: ...afety of Electrical/Electronic/Programmable Electronic Safety-Related Systems. EN 50159-1 Railway Applications: Communication, Signaling and Processing Systems, Part 1: Safety-Related Communication in Closed Transmission Systems. EN 50159-2 Railway Applications: Communication, Signaling and Processing Systems, Part 2: Safety-Related Communication in Open Transmission Systems. UL 1998 Standard for Software in...

Page 86: ...Code. For S7 F/FH systems only: NFPA 85 Boiler and Combustion Systems Hazard Code. Machine Safety (Standard/Guideline | Title | Comments): 98/37/EC European Machinery Directive. EN 60204-1 Safety of Machinery: Electrical Equipment of Machines, Part 1: General Requirements. EN 954-1 (Cat. 2 to 4) Safety of Machinery: Safety-Related Parts of Control Systems, Part 1: General Principles for Design. EN 954-2 Safety of Mach...

Page 87: ... 336/EEC. EN 50178 Electronic Equipment for Use in Power Installations. EN 60068 Environmental Testing. EN 55011 Limits and Methods of Measurement of Radio Disturbance Characteristics of Industrial, Scientific and Medical (ISM) Radio-Frequency Equipment (revoked). EN 50081-2 Electromagnetic Compatibility: Generic Emission Standard, Part 2: Industrial Environment (revoked). EN 50082-2 Electromagnetic Compatibilit...

Page 88: ...1508-5. The qualitative methods of the risk graphs enable the safety integrity level for a safety-related system to be determined based on knowledge of the risk factors involved. [risk graph figure; garbled node labels removed] Figure 4-1 Risk Graphs in Accordance with IEC 61508-5. S: Starting point of the analysis for risk reduction. C: Risk parameter for the effect. F: Risk parameter for the frequency and exposure time. P: Risk...

Page 89: ...ous Possibility of avoiding dangerous occurrence P PA Possible under certain circumstances PB Almost impossible Probability of the undesirable event W W1 Very low W2 Low W3 Relatively high Safety Integrity Level in Accordance with IEC 61508 For each Safety Integrity Level SIL IEC 61508 defines the target measure to be the probability of failure of a safety function assigned to a fail safe system T...

Page 90: ...ion functions are implemented together in S7 Distributed Safety or S7 F/FH Systems, operation is in high demand mode or continuous mode. Risk Analysis in Accordance with IEC 61508: As shown in the following figure, an F-system prevents potential dangers or reduces them to a tolerable level through appropriate organizational and technical measures. [figure labels: Residual risk, Actual risk reduction, Required risk reduction, ...]

Page 91: ...05 1.09E-09 10 years (end of preceding row)
  F-CPU            | Order number                              | Failure probability, low demand mode | Failure probability, high demand / continuous mode | Proof-test interval
  CPU 317F-2 DP    | 6ES7 317-6FF00-0AB0                       | 4.76E-05            | 1.09E-09            | 10 years
  CPU 317F-2 PN/DP | 6ES7 317-2FJ10-0AB0                       | 4.76E-05            | 1.09E-09            | 10 years
  CPU 416-2        | 6ES7 416-2FK02-0AB0 / 6ES7 416-2FK04-0AB0 | 4.76E-05            | 1.09E-09            | 10 years
  F-CPUs for S7 F/FH Systems:
  CPU 414-4H       | 6ES7 414-4HJ00-0AB0 / 6ES7 414-4HJ04-0AB0 | 1.24E-04 / 1.88E-04 | 1.42E-09 / 4.29E-09 | 10 years / 10 years
  CPU 417-4H       | 6ES7 417-4HL00-0AB0 / 6ES7 4...

Page 92: ...n be involved with one safety function as well The failure probability of a safety function is calculated by adding the contribution of the F system to the contribution of the sensors and actuators involved in the safety function Calculation Example A safety function is implemented using an S7 FH Systems F system The F CPUs and F SMs indicated in the following table are involved in the safety func...

Page 93: ...anual For ET 200S fail safe modules ET 200S Distributed I O System Fail safe Modules manual For ET 200pro fail safe modules ET 200pro Distributed I O Device Fail safe Modules manual For the ET 200eco fail safe module ET 200eco Distributed I O Station Fail safe I O Module manual Achieving the Safety Class for F I O with Inputs The required safety class is achieved for F I O with inputs as follows I...

Page 94: ...a 1oo2 sensor evaluation is always performed in safety mode. The required safety class is achieved with or without redundancy of the sensors. Table 5-2 Achievable Safety Classes for F-I/O with Analog Inputs:
  Safety class (IEC 61508) | Safety class (EN 954-1) | Sensor evaluation required
  SIL2                     | Category 3              | 1oo2 evaluation, single-channel sensor
  SIL3                     | Category 4              | 1oo2 evaluation, redundant se...

Page 95: ...stem S7 300 Fail safe Signal Modules manual show several options for wiring sensors to F SMs 1oo1 Evaluation In the case of 1oo1 evaluation a nonredundant sensor is connected via one channel to the F module Burner Management Applications in Accordance with VDE 0116 and EN 298 If sensors that afford safety via one channel in accordance with VDE 0116 and EN 298 are used S7 300 F SMs ET 200S and ET 2...

Page 96: ...to two F DI in S7 FH Systems Example One Sensor Connected via One Channel to Two F DIs High Availability SIL2 Category 3 The following figure presents the wiring diagram for 1oo1 sensor evaluation of a sensor connected to two SM 326 DI 24 24 VDC modules The sensor is supplied externally This wiring enables SIL2 Category 3 and high availability to be achieved SIL2 Category 3 can only be achieved if...

Page 97: ...ection presents examples for wiring of sensors to provide a better understanding of 1oo2 evaluation The examples taken from the Automation System S7 300 Fail safe Signal Modules manual show several options for wiring sensors to F SMs 1oo2 Evaluation In the case of 1oo2 evaluation two input channels are occupied either by one two channel sensor or by two single channel sensors The input signals are...

Page 98: ... diagram for an SM 326 DI 24 x 24 VDC with 1oo2 sensor evaluation. The sensor is supplied by the F-I/O. SIL3/Category 4 can only be achieved if a suitably qualified sensor is used. [wiring diagram; recoverable labels: M, Vs, SM 326 DI 24 x 24 VDC, left channels ... to ..., right channels ... to ...] Figure 5-4 Example Wiring Diagram for One Sensor Connected via One Channel to One F-DI (1oo2). Example: One Single-channel Sensor Connected via Two Channels to One F-DI, SIL3/Category 4. T...

Page 99: ... Wiring Diagram for One Non equivalent Sensor Connected Non equivalently via Two Channels to one F DI 1oo2 1oo2 Evaluation with High Availability for S7 FH Systems only To achieve high availability one sensor can be connected to two F DI or two sensors can be connected redundantly to two F DI in S7 FH Systems Example One Two channel Sensor Connected to Two F DIs High Availability SIL3 Category 4 T...

Page 100: ...he F-I/O. This wiring enables SIL2/Category 4 and high availability to be achieved. SIL3/Category 4 can only be achieved if a suitably qualified sensor is used. [wiring diagram; recoverable labels: M, Vs, two SM 326 modules, left channels ... to ..., right channels ... to ..., Measurement of the same process data with mechanically insulated sensors] Figure 5-8 Example Wiring Diagram for Two Redundant Single-channel Sensors Connected...

Page 101: ...F-AI, SIL2/Category 3. The following figure presents the wiring diagram for an SM 336 AI 6 x 13 bit with 4 mA to 20 mA current measurement range and 2-wire transducer output. The sensor is supplied by the F-I/O. This wiring enables SIL2/Category 3 to be achieved. [wiring diagram; recoverable labels: SM 336 AI 6 x 13 bit, 2-wire transducer, terminal labels M] Figure 5-9 Example Wiring Diagram for On...

Page 102: ...ent range and 2-wire transducer output. The sensor is supplied by the F-I/O. This wiring enables SIL3/Category 4 to be achieved. [wiring diagram; recoverable labels: SM 336 AI 6 x 13 bit, two 2-wire transducers, terminal labels M, Measurement of the same process data with mechanically insulated sensors] Figure 5-10 Example Wiring Diagram for Two Redundant Sensors Connected via Two Chan...

Page 103: ...rrent measurement range and 2-wire transducer output. The sensor is supplied by the F-I/O. This wiring enables SIL2/Category 4 and high availability to be achieved. [wiring diagram; recoverable labels: two SM 336 AI 6 x 13 bit modules, 2-wire transducer, terminal labels M, Measurement of the same process data with mechan...]

Page 104: ...t respond to this and remains switched on Light Period Light periods occur during complete bit pattern tests This involves test related 1 signals being fed to the output by the F I O with outputs while the output is deactivated output signal 0 The output is then switched on briefly light period A sufficiently slow actuator does not respond to this and remains deactivated Light periods occur with t...

Page 105: ...afe I O module Fail safe S7 300 signal modules for centralized configuration near the F CPU or decentralized configuration in ET 200M Fail safe DP standard slaves standard I O devices Overview This chapter provides an overview for configuring the components of an F system Minor differences between S7 Distributed Safety and S7 F FH Systems are individually noted Additional Information You can find ...

Page 106: ...tab for F properties called F Parameters this tab is not included for S7 F FH systems Example of Configuring an F CPU for S7 Distributed Safety The F Parameters tab for a CPU 315F 2 DP is shown below S7 Distributed Safety automatically assigns the PROFIsafe addresses The Base for PROFIsafe addresses information is required for internal management of the PROFIsafe addresses of the F system PROFIsaf...

Page 108: ...ou can access the configuration dialog by selecting the Edit Object Properties menu command or by double clicking the F I O Example of Configuring F I O The Parameter tab for a 4 8 F DI 24 VDC PROFIsafe fail safe module is shown below The values in the shaded fields are automatically assigned by the optional software The values in the non shaded fields can be changed by the user The parameters are...

Page 109: ...Safety the standard devices must be on the PROFINET IO and support the PROFIsafe bus profile in V2 mode Configuration with GSD GSDML Files As is the case in a standard system the basis for configuring fail safe DP standard slaves standard I O devices is the specification of the device in the GSD GSDML file Generic Station Description Generic Station Description Markup Language All the properties o...

Page 110: ...e relevant tab for a fail safe DP standard slave is shown below as an example The parameter texts specified in the GSD file are contained in the PROFIsafe tab under Parameter name and the current value for each parameter is included under Value This value can be modified by clicking Change value The parameters are explained in the context sensitive online help for the tab and in the S7 Distributed...

Page 111: ...escribes the program structure and the elements of the safety program The structure of the safety programs is described separately for S7 Distributed Safety and S7 F FH Systems since there are fundamental differences in programming of the two systems Additional Information The procedure for programming the safety program is described in detail in the following manuals For S7 Distributed Safety S7 ...

Page 112: ...[figure; recoverable labels: Safety program, S7 F/FH Systems or Distributed Safety V1, system blocks, control blocks, simulation blocks, user blocks, fail-safe blocks, application blocks, User program, STEP 7 project, Hardware configuration, Language editor, libraries, Custom library, Safety program, Standard user program] Figure 7-1 Schematic Structure of a STEP 7 ...

Page 113: ... triggered so that the F system either stops in the safe state or goes to a safe state S7 Distributed Safety F FBD and F LAD Programming Languages The F FBD and F LAD programming languages correspond in principle to the standard FBD LAD languages The standard FBD LAD Editor in STEP 7 is used for programming The primary difference between the F FBD and F LAD programming languages and their standard...

Page 114: ...s that are automatically added: F-SBs, automatically generated F-blocks, and the F-shared DB. [figure; recoverable labels: F_RCVDP, F_SENDDP, Application Blocks, System Blocks, F-SBs, F-shared DB, Safety program, runtime group, F-PB assignment by user, e.g. OB, CPU-CPU communication, F_SENDDPs / F_SENDS7s (call optional), F_RCVDPs / F_RCVS7s (call optional), call by user, called automatically, read from library, Acknowledgement, Timers and counters, ...]

Page 115: ... resumes Structure of the Safety Program in F Runtime Groups To make it easier to handle a safety program is formed from one or two F runtime groups An F runtime group is a logical construct made of several related F blocks An F runtime group in the safety program for S7 Distributed Safety consists of One F CALL F call block One F program block an F FB F FC assigned to the F CALL Additional F FBs ...

Page 116: ...y function using F FBD or F LAD The starting point for F programming is the F program block The F PB is an F FC or F FB with instance DB that becomes the F PB when assigned to the F CALL The user can perform the following in the F PB Program the safety program with F FBD or F LAD Call other created F FBs F FCs for structuring the safety program Insert F blocks of the F Application Blocks block con...

Page 117: ...s Safety related CPU CPU communication F application blocks for safety related CPU CPU communication F_RCVDP and F_RCVS7 for receiving data in safety related CPU CPU communication F_SENDDP and F_SENDS7 for sending data in safety related CPU CPU communication Acknowledgment F application block F_ACK_OP for a fail safe acknowledgment using an operator control and monitoring system Timers and counter...

Page 118: ...am from the user s safety program The user must not insert F system blocks from the F System Blocks block container in an F PB F FB F FC Likewise the user must not modify rename or delete the F system blocks in the Distributed Safety F library V1 or the block container of the user project F system blocks F shared DB Fail safe data block that contains all of the global data of the safety program an...

Page 119: ...[figure; recoverable labels: automatically inserted blocks, user blocks, ready-made blocks for I/O interfacing, communication, data conversion, etc.] Figure 7-3 Components of Safety Program in S7 F/FH Systems. Description of Program Structure: The safety program contains F-runtime groups and charts assigned to them. The charts contain F-blocks, including their parameter assignment and interconnection. The F-runtime groups are inserted by the user ...

Page 120: ...f Failsafe Blocks F Library V1_2 The Failsafe Blocks F library V1_2 contains the following block containers F user blocks F control blocks F simulation blocks The F blocks contained in the block containers are shown in the table below Table 7 3 Fail safe Blocks of Failsafe Blocks F Library V1_2 Block Container Contains F Blocks Function Block container containing the F blocks that the user can pla...

Page 121: ...blocks F_CYC_CO F_M_AI6 F_M_DI24 F_M_DI8 F_M_DO10 F_M_DO8 F_PLK F_PLK_O F_SHUTDN F_CHG_WS Block container containing F blocks that are called and inserted by S7 F Systems when the safety program is compiled in order to generate an executable safety program from the user s safety program The user must not insert F blocks of the F control block in the safety program Likewise the F blocks must not be...

Page 123: ...m response time of a safety function. Support for Calculations: To assist you in approximating the F-specific minimum monitoring times and maximum response times for your F-system, Microsoft Excel files are available for each F-system as follows: For S7 Distributed Safety, an Excel calculation file is available on the Internet at http://support.automation.siemens.com/WW/view/en/11669702/133100. For S7 F/F...

Page 124: ...s selected must be sufficiently long Safety To ensure that the process safety time is not exceeded the monitoring times selected must be sufficiently short Warning In order for pulses to be reliably detected the time interval between two signal changes pulse duration must be greater than the corresponding monitoring time General Procedure for Configuring Monitoring Times Use the following procedur...

Page 125: ...or Safety Related Master Master Communication Safety related master I slave communication F_SENDDP F_RCVDP TIMEOUT TIMEOUT Minimum Monitoring Time for Safety Related Master I Slave Communication Safety related I slave I slave communication F_SENDDP F_RCVDP TIMEOUT TIMEOUT Minimum Monitoring Time for Safety Related I Slave I Slave Communication Safety related communication via S7 connections F_SEND...

Page 126: ...nchronization time of the F CPU is the sum of the CiR synchronization times for all DP master systems that are to be changed simultaneously The CiR synchronization time of a DP master system is displayed in HW Config in the Properties dialog for the relevant CiR object Upper limit of CiR synchronization time The default value for the upper limit is 1 s You can increase or decrease this value accor...

Page 127: ...HW Config Object properties for DP master system Bus parameters TSlave Only relevant for distributed F I O in ET 200M ET 200S and ET 200pro Maximum response time of distributed I O system that is maximum delay by the IM and its backplane bus Refer to the manuals for F I O to learn about how to calculate these times TACK Maximum acknowledgment time of F I O for F SMs in safety mode You can find thi...

Page 128: ...ion of Times Time Definition Reference TCI F_SENDDP Maximum cycle time of the OB with the call of F_SENDDP Minimum Monitoring Time for F Cycle Time TCI F_RCVDP Maximum cycle time of the OB with the call of F_RCVDP Minimum Monitoring Time for F Cycle Time TDP_DLY F_SENDDP Additional DP time delay of a PROFIBUS CP communications processor on the side of F_SENDDP In HW Config Object properties for CP...

Page 129: ... DP time delay of a PROFIBUS CP communications processor Object Properties of CP Operating Mode tab in HW Config TTR Maximum target rotation time for the DP master system In HW Config Object Properties for DP master system Bus parameters A 3 5 Minimum Monitoring Time for Safety Related I Slave I Slave Communication The information provided in Minimum Monitoring Time for Safety Related Master I Sla...

Page 130: ...time interrupt OB that contains the safety program F_CYC_CO MAX_CYC Minimum Monitoring Time for F Cycle Time Safety related communication between F CPU and F I O via PROFIsafe PROFIsafe monitoring time Object properties dialog in HW Config Monitoring time Minimum Monitoring Time for Safety Related Communication between F CPU and F I O Safety related communication between F CPUs F_RCVR F_RCVBO F_SE...

Page 131: ...s the maximum disabling time for priority classes 15 TP15 must also be taken into account when updating Extending the Maximum Cycle Time Using CiR If Configuration in RUN CiR is used the maximum cycle time is extended by the lesser of the following two values CiR synchronization time of F CPU The CiR synchronization time of the F CPU is the sum of the CiR synchronization times for all DP master sy...

Page 132: ...rmulas Time Interrupt OB with Special Handling A time interrupt OB with special handling is an H parameter of the F CPU in S7 FH Systems This parameter includes the number of the time interrupt OB that is called specially when the operating system updates the reserve once all interrupts are disabled In general the number entered is the highest priority time interrupt OB to which F blocks of the sa...

Page 133: ...onal DP time delay of a PROFIBUS CP communications processor In HW Config Object properties for CP Operating Mode tab TTR Maximum target rotation time for the DP master system In HW Config Object properties for the DP master system Bus parameters TSlave Only relevant for distributed F I O in ET 200M ET 200S and ET 200pro Maximum response time of distributed I O system that is maximum delay by the ...

Page 134: ... and the monitoring time for safety message frame exceeded diagnostic is signaled you have fallen below the minimum possible PROFIsafe monitoring time 7 Increase the monitoring time for the added F I O just to the point where it no longer fails This monitoring time corresponds approximately to the minimum possible monitoring time Conditions The F I O to be inserted and the F I O whose PROFIsafe mo...

Page 135: ..._RCV Configured cycle time of the time interrupt OB with the call of F_RCVBO or F_RCVR In HW Config Object properties for CPU Time interrupt Type TDelay F_SEND Maximum communication delay when updating the reserve in the FH System with the call of F_SENDBO or F_SENDR In HW Config Object properties for sender CPU H parameters tab TDelay F_RCV Maximum communication delay when updating the reserve in...

Page 136: ...ion between F Runtime Groups TIMEOUT Parameter in F_R_BO or F_R_R Time monitoring takes place in F blocks F_R_BO or F_R_R and is assigned in the TIMEOUT input parameter To ensure that time monitoring does not respond when no faults are present the selected TIMEOUT monitoring time must be at least as large as the greater of the two maximum time interrupt cycle times for F_S_R or F_S_BO and F_R_R or...

Page 137: ...ts own without causing injury to operating personnel or damage to the environment Within the process safety time any type of F system process control is tolerated That is during this time the F system can control its process incorrectly or it can even exercise no control at all The process safety time of a process depends on the process type and must be determined on a case by case basis Procedure...

Page 139: ...ngerous unauthorized access Access protection for F systems is implemented through assignment of two passwords for the F CPU and the safety program Actuators Actuators can be power relays or contactors for switching on loads or they can be loads themselves for example directly controlled solenoid valves Automatically Generated F Blocks S7 Distributed Safety These F blocks are generated automatical...

Page 140: ...curs in the F I O all channels of the F I O are passivated CiR CiR Configuration in RUN refers to a system modification during operation A system modification in RUN mode by means of CiR enables configuration changes to be made in RUN mode in portions of the system with distributed I O The process is thereby halted for a brief assignable time period The process inputs retain their last value durin...

Page 141: ... two signals with the same functionality The discrepancy analysis starts when different levels when checking for non equivalence the same level are detected for two related input signals A check is made to determine whether the difference when checking for non equivalence the match has disappeared after expiration of a specified time known as the discrepancy time If not this means that a discrepan...

Page 142: ...or must comply with IEC 61784-1:2002 Ed1 CP 3/1 and the PROFIsafe bus profile. A GSD file is used to configure fail-safe DP standard slaves. Fail-safe I/O Module: A fail-safe I/O module is an ET 200eco I/O module that can be used for safety-related operation in safety mode in S7 Distributed Safety or S7 F/FH Systems (fail-safe systems). This I/O module is equipped with integrated safety functions. These...

Page 143: ...ion time is the time between the occurrence of any fault in any F I O and a safe reaction at the associated fail safe output For inputs The maximum fault reaction time is the time between the occurrence of the fault and the safe response on the backplane bus For digital outputs The maximum fault reaction time is the time between the occurrence of the fault and the safe response at the digital outp...

Page 144: ...Safety related F data types are used in the safety program F DBs S7 Distributed Safety Optional fail safe data blocks that can be read and written to within the entire safety program F Driver Block The F driver block is used for inputting outputting AS values from to the F I O It forms the software interface to the process converts the physical values to process data and vice versa and also provid...

Page 145: ...afety program or that he can or must write to For reintegration of the F I O following communication errors F I O faults or channel faults If the F I O must be passivated as a result of particular states of the safety program for example group passivation For reassigning parameters of fail safe DP standard slaves In order to evaluate whether fail safe values or process data are output F LAD F FBD ...

Page 146: ...ditional information needed by the F system When the safety program is compiled the F shared DB is automatically inserted and expanded Using the symbolic name of the F shared DB F_GLOBDB the user can evaluate certain data from the safety program in the standard user program F Simulation Blocks S7 F FH Systems Block container of the Failsafe Blocks library that contains simulation blocks During off...

Page 147: ...serve switchover is triggered when the master goes to STOP mode That is the system switches from the master CPU to the reserve CPU MSR Instrumentation and control technology Non equivalent Sensor A non equivalent sensor is a reversing switch that is connected via two channels to two inputs of an F I O in fail safe systems for 1oo2 evaluation of sensor signals OBT Optical Bus Terminal OBT Equipment...

Page 148: ...nvironment Within the process safety time any type of F system process control is tolerated That is during this time the F system can control its process incorrectly or it can even exercise no control at all The process safety time depends on the process type and must be determined on a case by case basis PROFINET IO Within the framework of PROFINET PROFINET IO is a communication concept for the i...

Page 149: ...for use in an industrial setting A programming device PG is fully equipped for programming SIMATIC automation systems Proof test Interval The proof test interval is the time period after which a component must be put into fail safe state That is it is replaced by an unused component or it is proven to be completely fault free Redundancy Availability enhancing Availability enhancing redundancy refe...

Page 150: ...integration of the F I O In contrast to the standard user program the startup OBs OB 100 to 102 cannot be used in the safety program S7 PLCSIM S7 PLCSIM allows you to test and edit your program in a simulated automation system on your programming device or PC Since the simulation takes place completely in STEP 7 you do not need any hardware CPU I O Safe State The basic principle of the safety conc...

Page 151: ...gram cannot be modified during operation Safety mode can be deactivated by the user deactivated safety mode Safety Program The safety program is a safety related user program Safety Protector The safety protector protects the F SMs from possible overvoltages in the event of a fault The safety protector must be used for SIL3 Cat 4 applications Generally when PROFIBUS DP is configured with copper ca...

Page 152: ...fault the system switches over to the other F CPU In the event of a fault the F I O is no longer available Standard Communication Standard communication is communication used to exchange non safety related data Standard Mode In standard mode of F I O safety related communication using safety message frames is not possible only standard communication is possible in this operating mode S7 300 F SMs ...

Page 153: ...e safety program to ensure that dangerous conditions cannot arise when data are transferred from a standard user program to a safety program WinCC WinCC is an industry and technology neutral system for visualization and control tasks in production and process automation WinCC offers industry standard function modules for graphics representation messaging archiving and logging functions WinCC ensur...

Page 155: ...6 3 4 7 3 Chart see CFC 7 9 CiR A 4 A 9 Coexistence of fail safe and standard components 2 7 Cold restart 4 6 Collection vi Combining of fail safe and standard components 2 7 Communication between F CPU and F I O 3 6 between F CPUs 1 8 3 13 between F runtime groups 3 5 between standard user program and safety program 3 3 between standard user programs 3 1 F blocks for S7 F FH systems 7 11 Monitori...

Page 156: ...cy time 5 5 Distributed I O Fail safe 1 2 Distributed Safety Library 7 3 7 7 Documentation Additional v Documentation packages Order number v DP master 2 3 2 6 2 7 DP slave 2 3 2 6 2 7 DP see Distributed I O 1 2 DP DP coupler 3 13 E EM 4 8 F DI 24 VDC Configuring 6 4 Emergency STOP devices 1 5 Error acknowledgment 3 8 3 11 ET 200M 1 12 Restrictions 1 13 ET 200pro Fail safe modules 1 14 ET 200S Fai...

Page 157: ...ibrary see Library 3 10 F module driver 3 10 F modules ET 200pro 1 14 ET 200S 1 13 1 14 3 11 F PB 7 6 F program block see F PB 7 6 F runtime group 3 5 7 4 7 5 7 9 Maximum cycle time A 8 F runtime license 1 11 F shared DB 3 3 3 4 7 8 F simulation blocks 7 11 F SM 1 12 Restrictions 1 13 F system Available 1 3 Communication options see Communication 3 2 Components 1 10 Configuring 2 1 6 1 Monitoring ...

Page 158: ...A 9 S7 Distributed Safety A 3 S7 F FH Systems A 8 Safety related master master communication A 6 N Network template see Application template 7 7 Networks Public 3 18 3 20 Non equivalence 5 5 Non equivalent sensor 5 7 O OB 1 7 5 7 9 OB 100 4 6 OB 102 4 6 OB 30 to OB 38 Time interrupt OB 7 9 OB 35 Time interrupt OB 7 5 Operating mode change see RUN 4 3 Operating modes of F system 4 6 Operating syste...

Page 159: ...on 2 2 Configuration example 2 3 Distributed configuration 2 11 2 13 F related monitoring times A 3 Probability of failure of components 4 15 PROFIBUS DP 2 11 PROFINET IO 2 13 Program structure 7 4 S7 connections A 7 System performance 1 7 S7 F Systems 1 15 Components 2 5 Configuration 2 5 Configuration example 2 6 S7 F FH Systems 1 3 Area of application 1 6 F related monitoring times A 8 Probabil...

Page 160: ...3 Sequence of steps for working with F systems 1 18 Service vii Service information 3 8 3 11 SFC 59 3 12 Signals Safety related 1 2 Single channel I O 2 9 2 10 2 15 Limits of availability 2 14 2 17 Single channel sensor 5 2 Single channel switched I O 2 9 2 18 Limits of availability 2 19 Slave diagnostics 3 12 Software components of F system 1 15 Software redundancy Software package 2 9 Standard m...

Page 161: ...out this questionnaire and return it to me by Fax e mail or by post We are giving out three presents every month in a raffle among the senders Which present would you like to have SIMATIC Manual Collection Automation Value Card Laser pointer Dr Thomas Rubach Head of Information Documentation General Questions 1 Are you familiar with the SIMATIC Manual Collection yes no 2 Have you ever downloaded m...

Page 162: ...rch search Which search method do you prefer Table of contents Index Full text search others Which supplements improvements would you like in order to help you find the required information quickly 3 Your judgement of the document as regards content How satisfied are you with this document Totally satisfied not very satisfied Very satisfied not satisfied Satisfied Were able to find the required in...

Reviews: