Siemens Safety Engineering in SIMATIC S7.pdf


  • 8/18/2019 Siemens Safety Engineering in SIMATIC S7.pdf

    1/162

    SIMATIC Safety Engineering in SIMATIC S7


    Preface
    1 Overview of Fail-safe Systems
    2 Configurations and Help with Selection
    3 Communication Options
    4 Safety in F-Systems
    5 Achievable Safety Classes with F-I/O
    6 Configuring F-Systems
    7 Programming F-Systems
    A Monitoring and Response Times of F-Systems

    SIMATIC
    Safety Engineering in SIMATIC S7
    System Manual
    08/2005
    A5E00109529-04


    Safety Guidelines

    This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are graded according to the degree of danger.

    Danger
    indicates that death or severe personal injury will result if proper precautions are not taken.

    Warning
    indicates that death or severe personal injury may result if proper precautions are not taken.

    Caution
    with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.

    Caution
    without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.

    Notice
    indicates that an unintended result or situation can occur if the corresponding information is not taken into account.

    If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

    Qualified Personnel

    The device/system may only be set up and used in conjunction with this documentation. Commissioning and operation of a device/system may only be performed by qualified personnel. Within the context of the safety notes in this documentation, qualified persons are defined as persons who are authorized to commission, ground and label devices, systems and circuits in accordance with established safety practices and standards.

    Prescribed Usage

    Note the following:

    Warning
    This device may only be used for the applications described in the catalog or the technical description and only in connection with devices or components from other manufacturers which have been approved or recommended by Siemens. Correct, reliable operation of the product requires proper transport, storage, positioning and assembly as well as careful operation and maintenance.

    Trademarks

    All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

    Disclaimer of Liability

    We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

    Siemens AG
    Automation and Drives
    Postfach 4848
    90437 NÜRNBERG
    GERMANY

    Order No.: A5E00109529-04
    Edition 08/2005
    Copyright © Siemens AG 2005.
    Technical data subject to change


    Safety Engineering in SIMATIC S7, System Manual, 08/2005, A5E00109529-04, iii

    Preface

    Purpose of System Description

    This system description provides an overview of the S7 Distributed Safety and S7 F/FH Systems fail-safe automation systems. It identifies the similarities and differences between S7 Distributed Safety and S7 F/FH Systems and presents detailed technical information applicable to both S7 Distributed Safety and S7 F/FH Systems.

    The system description helps you to decide which fail-safe system is best suited for your automation task. It is intended as starting information for decision makers and as a source of technical information on S7 Distributed Safety and S7 F/FH Systems fail-safe automation systems for service and commissioning personnel (e.g., detailed information on monitoring and response times of S7 Distributed Safety and S7 F/FH Systems is provided in the appendix).

    Scope of System Description

    This system description applies to the S7 Distributed Safety, S7 F Systems, and S7 FH Systems fail-safe systems.

    In addition, this system description addresses integration of the following fail-safe I/O devices in S7 Distributed Safety and S7 F/FH Systems:

    • S7-300 fail-safe signal modules

    • ET 200S fail-safe modules

    • ET 200pro fail-safe modules

    • ET 200eco fail-safe I/O module

    • Fail-safe DP standard slaves / I/O standard devices


    What's New?

    The following table summarizes the most important technical changes in the add-on packages S7 Distributed Safety V5.4 and S7 F Systems V5.2 SP2 and higher. These changes have been taken into account in this system description.

    Technical Change (Affects: S7 Distributed Safety / S7 F/FH Systems)

    • Support for PROFINET IO with the following (affects S7 Distributed Safety: x; S7 F/FH Systems: -):
        • CPU 416F-2 (6ES7 416-2FK04-0AB0) as of firmware version V4.1 with CP 443-1 Advanced
        • CPU 315F-2 PN/DP
        • CPU 317F-2 PN/DP
        • ET 200S fail-safe modules
        • ET 200pro fail-safe modules
        • Fail-safe I/O standard devices

    • Safety-related CPU-CPU communication has been expanded to include I-slave-slave communication (affects S7 Distributed Safety: x; S7 F/FH Systems: -)

    • Channel-specific passivation when channel errors occur (affects S7 Distributed Safety: x; S7 F/FH Systems: -):
        • S7-300 fail-safe signal modules
        • ET 200S fail-safe modules
        • ET 200pro fail-safe modules
        • ET 200eco fail-safe I/O module

    • New F-library blocks (affects S7 Distributed Safety: -; S7 F/FH Systems: x)

    • Safety Data Write (affects S7 Distributed Safety: -; S7 F/FH Systems: x)

    • ET 200pro fail-safe modules (affects S7 Distributed Safety: x; S7 F/FH Systems: -)

    • Fail-safe I/O standard devices (affects S7 Distributed Safety: x; S7 F/FH Systems: -)


    Position in the Information Landscape

    Depending on your application, you will need the documentation listed below when working with S7 Distributed Safety or S7 F/FH Systems. This system description makes reference to these documents where appropriate.

    Documentation / Brief Description of Relevant Contents

    For the fail-safe system S7 F/FH Systems:

    • The Programmable Controllers S7 F/FH Systems manual describes the tasks required to create and commission an S7 F/FH Systems fail-safe system.

    • The S7-400 Hardware and Installation installation manual describes the assembly and wiring of S7-400 systems.

    • The Automation System S7-400H Fault-Tolerant Systems manual describes the CPU 41x-H central modules and the tasks required to create and commission an S7-400H fault-tolerant system.

    • The CFC for S7 Continuous Function Chart manual/online help provides a description of programming with CFC.

    For the fail-safe system S7 Distributed Safety:

    The following elements are described in the S7 Distributed Safety, Configuring and Programming operator manual and online help:

    • Configuration of the F-CPU and the F-I/O

    • Programming of the F-CPU in F-FBD or F-LAD

    Depending on which F-CPU you are using, you will need the following documentation:

    • The operating manual S7-300, CPU 31xC and CPU 31x: Installation describes the installation and wiring of S7-300 systems.

    • The CPU 31xC and CPU 31x, Technical Data product manual describes the CPUs 315-2 DP and PN/DP and CPUs 317-2 DP and PN/DP.

    • The Automation System S7-400 Hardware and Installation installation manual describes the assembly and wiring of S7-400 systems.

    • The Automation System S7-400 CPU Specifications reference manual describes CPU 416-2.

    • The ET 200S IM 151-7 CPU Interface Module manual describes the IM 151-7 CPU.

    • Each F-CPU that can be used has its own product information. The product information only describes the deviations from the respective standard CPUs.

    Automation System S7-300 Fail-safe Signal Modules manual: describes the hardware of the S7-300 fail-safe signal modules (including installation, wiring, and technical specifications).

    ET 200S Distributed I/O System Fail-Safe Modules operating instructions: describes the hardware of the ET 200S fail-safe modules (including installation, wiring, and technical specifications).

    ET 200pro Distributed I/O Device Fail-Safe Modules operating instructions: describes the hardware of the ET 200pro fail-safe modules (including installation, wiring, and technical specifications).

    ET 200eco Distributed I/O Station Fail-safe Signal Module manual: describes the hardware of the ET 200eco fail-safe signal module (including installation, wiring, and technical specifications).


    Documentation / Brief Description of Relevant Contents (continued)

    STEP 7 manuals:

    • The Configuring Hardware and Communication Connections with STEP 7 V5.x manual describes how to operate the STEP 7 standard tools.

    • The LAD for S7-300/400 manual describes the standard Ladder Diagram programming language in STEP 7.

    • The FBD for S7-300/400 manual describes the standard Function Block Diagram programming language in STEP 7.

    • The System Software for S7-300/400 System and Standard Functions reference manual describes functions for distributed I/O access and diagnostics for distributed I/O/CPU.

    • The Programming with STEP 7 V5.x manual describes the procedure for programming with STEP 7.

    STEP 7 online help:

    • Describes the operation of STEP 7 standard tools

    • Contains information about how to configure and assign parameters for modules and intelligent slaves with HW Config

    • Contains a description of the FBD and LAD programming languages

    PROFINET System Description system manual:

    • Describes the basics for PROFINET IO

    PCS 7 manuals:

    • Describe operation of the PCS 7 process control system (necessary when the F-system is integrated in a higher-level control system)

    The complete collection of SIMATIC S7 documentation is available on CD-ROM.

    Guide

    The following topics are covered in the system description:

    • Overview of fail-safe automation systems in general, and in SIMATIC S7 in particular

    • Comparison of system performance of S7 Distributed Safety and S7 F/FH Systems

    • Description of the configuration variants for S7 Distributed Safety and S7 F/FH Systems

    • Information to help you decide which F-system represents the best solution for your requirements

    • Comparison of the similarities and differences between the communication options for S7 Distributed Safety and S7 F/FH Systems

    • Overview of the safety mechanisms in S7 Distributed Safety and S7 F/FH Systems that are apparent to the user

    • Standards upon which the S7 Distributed Safety and S7 F/FH Systems F-systems are based

    • Overview of configuring S7 Distributed Safety and S7 F/FH Systems

    • Overview of programming S7 Distributed Safety and S7 F/FH Systems

    Configuring and programming are described in more detail in the respective programming and configuration manuals for S7 Distributed Safety and S7 F/FH Systems.

    • Configuration of F-related monitoring times for F-systems

    • Calculating the maximum response time of the safety functions in S7 Distributed Safety and S7 F/FH Systems


    Conventions

    The terms "safety engineering" and "fail-safe engineering" are used synonymously in this system description. The same applies to the terms "fail-safe" and "F-".

    "Safety program" refers to the fail-safe portion of the user program and is used instead of "fail-safe user program," "F-program," etc.

    "S7 Distributed Safety" and "S7 F Systems" in italics refer to the add-on packages for "S7 Distributed Safety" and "S7 F/FH Systems".

    Additional Support

    For any unanswered questions about the use of products presented in this manual, contact your local Siemens representative:

    http://www.siemens.com/automation/partner

    Training Center

    We offer courses to help you get started with the S7 automation system. Contact your regional training center or the central training center in D-90327 Nuremberg, Federal Republic of Germany.

    Phone: +49 (911) 895-3200

    http://www.sitrain.com

    H/F Competence Center

    The H/F Competence Center in Nuremberg offers special workshops on SIMATIC S7 fail-safe and fault-tolerant automation systems. The H/F Competence Center can also provide assistance with onsite configuration, commissioning, and troubleshooting.

    Phone: +49 (911) 895-4759

    Fax: +49 (911) 895-5193

    For questions about workshops, etc., contact: hf-cc@nbgm.siemens.com

    Technical Support

    Technical support is available for all A&D products

    • using the Web form for a support request: http://www.siemens.de/automation/support-request

    • Phone: +49 180 5050 222

    • Fax: +49 180 5050 223

    You can find additional information about our technical support at http://www.siemens.de/automation/service


    Service Support on the Internet

    In addition to our documentation, we offer our complete knowledge base on the Internet at:

    http://www.siemens.com/automation/service&support

    There, you will find the following information:

    • Newsletters providing the latest information on your products

    • Relevant documentation for your application via the search function in Service & Support

    • A forum where users and experts from all over the world exchange ideas

    • Our contacts database where you can find your local Automation & Drives representative

    • Information on local service, repairs, and replacement parts and much more can be found under "Services."

    Important Information for Preserving the Operational Safety of your System

    Note

    The operators of systems with safety-related characteristics must adhere to operational safety requirements. The supplier is also obliged to comply with certain actions when monitoring the product. To keep you informed, a special newsletter is therefore available containing information on product developments and properties that are important (or potentially important) for operating systems where safety is an issue. By subscribing to the appropriate newsletter, you will ensure that you are always up-to-date and able to make changes to your system, when necessary. Go to the Internet address http://my.ad.siemens.de/myAnD/guiThemes2Select.asp?subjectID=2&lang=de and register for the following newsletters:

    • SIMATIC S7-300

    • SIMATIC S7-400

    • Distributed I/O

    • SIMATIC Industrial Software

    Select the "Updates" check box for each newsletter.


    Table of contents

    Preface ..... iii

    1 Overview of Fail-safe Systems ..... 1-1
    1.1 Introduction ..... 1-1
    1.2 Safety Integrated - the Integrated Safety Concept by Siemens ..... 1-2
    1.3 Fail-safe Systems in SIMATIC S7 ..... 1-3
    1.3.1 Areas of Application of S7 Distributed Safety and S7 F/FH Systems ..... 1-5
    1.3.2 Performance Characteristics of S7 Distributed Safety and S7 F/FH Systems ..... 1-7
    1.4 Components of S7 Distributed Safety and S7 F/FH Systems ..... 1-10
    1.4.1 Hardware Components ..... 1-11
    1.4.2 Software Components ..... 1-15
    1.5 Guide to Working with F-Systems ..... 1-17

    2 Configurations and Help with Selection ..... 2-1
    2.1 Introduction ..... 2-1
    2.2 Configuration of F-Systems ..... 2-2
    2.2.1 S7 Distributed Safety Fail-safe System ..... 2-2
    2.2.2 S7 F Systems Fail-safe System ..... 2-5
    2.2.3 S7 FH Systems Fail-safe and Fault-Tolerant System ..... 2-6
    2.2.4 Coexistence of Standard and Fail-safe Components ..... 2-7
    2.3 Configuration Variants for Fail-safe Systems According to Availability Requirements ..... 2-9
    2.3.1 Single-channel I/O (S7 Distributed Safety) ..... 2-10
    2.3.2 Single-channel I/O (S7 F Systems) ..... 2-15
    2.3.3 Single-channel Switched I/O (S7 FH Systems only) ..... 2-18
    2.3.4 Redundant Switched I/O (S7 FH Systems only) ..... 2-20
    2.4 S7 Distributed Safety or S7 F/FH Systems – Selection Guide ..... 2-22

    3 Communication Options ..... 3-1
    3.1 Introduction ..... 3-1
    3.2 Overview of Safety-Related Communication ..... 3-2
    3.3 Communication between Standard User Program and Safety Program ..... 3-3
    3.3.1 Communication between Standard User Program and Safety Program in S7 Distributed Safety ..... 3-4
    3.3.2 Communication between Standard User Program and Safety Program in S7 F/FH Systems ..... 3-4
    3.4 Communication between F-Runtime Groups ..... 3-5
    3.5 Communication between F-CPU and F-I/O ..... 3-6
    3.5.1 Safety-Related Communication ..... 3-6
    3.5.2 Accessing F-I/O in S7 Distributed Safety ..... 3-7
    3.5.3 Safety-Related I-Slave-Slave Communication in Distributed Safety ..... 3-8
    3.5.4 Accessing F-I/O in S7 F/FH Systems ..... 3-10
    3.5.5 Standard Communication ..... 3-11
    3.6 Safety-Related CPU-CPU Communication ..... 3-13
    3.6.1 S7 Distributed Safety: Safety-Related Master-Master Communication ..... 3-13
    3.6.2 S7 Distributed Safety: Safety-Related Master-I-Slave Communication ..... 3-15
    3.6.3 S7 Distributed Safety: Safety-Related I-Slave-I-Slave Communication ..... 3-16
    3.6.4 S7 Distributed Safety: Safety-Related Communication via S7 Connections ..... 3-18
    3.6.5 S7 F/FH Systems: Safety-Related Communication via S7 Connections ..... 3-20

    4 Safety in F-Systems ..... 4-1
    4.1 Introduction ..... 4-1
    4.2 Safety Mode ..... 4-3
    4.3 Fault Reactions ..... 4-5
    4.4 Restart of F-System ..... 4-6
    4.5 Password Protection for F-Systems ..... 4-7
    4.6 Acceptance Test of System ..... 4-7
    4.7 Standards and Approvals ..... 4-8
    4.8 Safety Requirements ..... 4-12

    5 Achievable Safety Classes with F-I/O ..... 5-1
    5.1 Introduction ..... 5-1
    5.2 Safety Functions for Achieving Safety Classes for F-I/O with Inputs ..... 5-2
    5.2.1 1oo1 Evaluation for F-I/O with Digital Inputs ..... 5-3
    5.2.2 1oo2 Evaluation for F-I/O with Inputs ..... 5-5
    5.3 Safety Functions for Achieving Safety Classes for F-I/O with Outputs ..... 5-12

    6 Configuring F-Systems ..... 6-1
    6.1 Introduction ..... 6-1
    6.2 Configuring the F-CPU ..... 6-2
    6.3 Configuring the F-I/O ..... 6-4
    6.4 Configuring Fail-safe DP Standard Slaves and Fail-safe I/O Standard Devices ..... 6-5

    7 Programming F-Systems ..... 7-1
    7.1 Introduction ..... 7-1
    7.2 Programming Languages for F-Systems ..... 7-3
    7.3 Structure of the Safety Program in S7 Distributed Safety ..... 7-4
    7.4 Structure of Safety Program in S7 F/FH Systems ..... 7-9

    A Monitoring and Response Times of F-Systems ..... A-1
    A.1 Introduction ..... A-1
    A.2 Configuring the Monitoring Times ..... A-2
    A.3 F-Related Monitoring Times for S7 Distributed Safety ..... A-3
    A.3.1 Minimum Monitoring Time for F-Cycle Time ..... A-4
    A.3.2 Minimum Monitoring Time for Safety-Related Communication between the F-CPU and F-I/O or between I-Slave and Slave via PROFIBUS DP ..... A-5
    A.3.3 Minimum Monitoring Time for Safety-Related Master-Master Communication ..... A-6
    A.3.4 Minimum Monitoring Time for Safety-Related Master-I-Slave Communication ..... A-7
    A.3.5 Minimum Monitoring Time for Safety-Related I-Slave-I-Slave Communication ..... A-7
    A.3.6 Minimum Monitoring Time for Safety-Related Communication via S7 Connections ..... A-7
    A.3.7 Monitoring Time for Safety-Related Communication between F-Runtime Groups ..... A-8
    A.4 F-Related Monitoring Times for S7 F/FH Systems ..... A-8
    A.4.1 Minimum Monitoring Time for F-Cycle Time ..... A-9
    A.4.2 Minimum Monitoring Time for Safety-Related Communication between F-CPU and F-I/O ..... A-11
    A.4.3 Minimum Monitoring Time for Safety-Related Communication between F-CPUs ..... A-13
    A.4.4 Minimum Monitoring Time for Safety-Related Communication between F-Runtime Groups ..... A-14
    A.5 Response Times of Safety Functions ..... A-15

    Glossary ..... Glossary-1

    Index ..... Index-1

    Tables

    Table 1-1 Performance Characteristics of F-Systems ............................................................................... 1-7 

    Table 1-2 Memory Configuration of F-CPUs.............................................................................................. 1-9

    Table 1-3 Hardware Components ............................................................................................................ 1-11Table 1-4 Use of Interface Modules with ET 200S Fail-safe Modules..................................................... 1-13

    Table 1-5 Optional Packages for Configuration and Programming ......................................................... 1-15

    Table 1-6 Programming Languages......................................................................................................... 1-16

    Table 1-7 Sequence of Steps Ranging from Selection of Hardware to Maintenance of F-Systems ....... 1-18

    Table 2-1 Configuration Options for Fail-safe Systems According to Availability ...................................... 2-9

    Table 2-2 Selection Citeria for an F-system............................................................................................. 2-22

    Table 3-1 Communication Options............................................................................................................. 3-2

    Table 3-2 Accessing F-I/O in S7 Distributed Safety................................................................................... 3-7

    Table 3-3 Overview of Communication between F-CPUs ....................................................................... 3-13

    Table 3-4 Safety-Related CPU-CPU Communication.............................................................................. 3-20

    Table 4-1 Meaning of the risk parameters in accordance with IEC 61508-5 ........................................... 4-13

    Table 4-2 Safety Integrity Level in Accordance with IEC 61508.............................................................. 4-13

    Table 4-3 Probability Values for Individual Components of S7 Distributed Safety andS7 F/FH Systems..................................................................................................................... 4-15

    Table 4-4 Calculation Example for the Contribution of the F-System to the Failure Probabilityof a Safety Function................................................................................................................. 4-16

    Table 5-1 Achievable Safety Classes for F-I/O with Digital Inputs ............................................................ 5-2

    Table 5-2 Achievable Safety Classes for F-I/O with Analog Inputs ........................................................... 5-2

    Table 5-3 Achievable Safety Classes for F-I/O with Outputs................................................................... 5-12

    Table 7-1 Fail-safe Blocks of an F-Runtime Group.................................................................................... 7-6

    Table 7-2 Fail-safe Blocks of the Distributed Safety F-Library (V1)........................................................... 7-7

    Table 7-3 Fail-safe Blocks of Failsafe Blocks F-Library (V1_2) ............................................................... 7-10


    Safety Engineering in SIMATIC S7, System Manual, 08/2005, A5E00109529-04

    1 Overview of Fail-safe Systems

    1.1 Introduction

    Objective of Safety Engineering

    The objective of safety engineering is to minimize danger to humans and the environment as much as possible through use of safety-oriented technical installations without restricting industrial production and the use of machines and chemical products any more than necessary.

    What are Fail-safe Automation Systems?

    Fail-safe automation systems (F-systems) are used to control processes that can achieve a safe state immediately as a result of a shutdown. That is, F-systems control processes in which an immediate shutdown does not endanger humans or the environment.

    Fail-safe systems go beyond conventional safety engineering to enable far-reaching intelligent systems that extend all the way to the electrical drives and measuring systems.

    F-systems are used in systems with advanced safety requirements. Improved fault detection and localization in F-systems through detailed diagnostic information enables production to be resumed quickly following a safety-related interruption.

    Overview

    This chapter provides an introduction to safety engineering in SIMATIC S7. S7 Distributed Safety and S7 F/FH Systems are introduced along with their areas of application. The important similarities and differences between the two fail-safe systems are also presented. In the last part of the chapter, we introduce the user to the basic procedure to be followed when working with the fail-safe systems S7 Distributed Safety and S7 F/FH Systems.

    1.2 Safety Integrated - the Integrated Safety Concept by Siemens

    Safety Integrated

    Safety Integrated is the integrated safety concept for automation and drives by Siemens.

    Proven technologies and systems from automation engineering are used for safety engineering. Safety Integrated covers the entire chain of safety from sensors and actuators down to the controller, including safety-related communication over standard field buses.

    In addition to their functional tasks, drives and controllers also take on safety tasks. A particular feature of Safety Integrated is that it ensures not only reliable safety, but also a high level of flexibility and productivity.

    Safety-Related Input and Output Signals

    Safety-related input and output signals form the interface to the process. This enables, for example, direct connection of single-channel and two-channel I/O signals from devices such as emergency STOP buttons or light barriers. Safety-related signals are redundantly combined internally. Safety-related input signals are read redundantly (e.g., 2 times) and compared. The unified read result is passed on to the central processing unit in a fail-safe manner for further processing. Safety-related actuators are driven based on redundant ANDing without any additional action on the part of the user. Interconnection of the inputs and outputs is also greatly simplified. This eliminates the need for some of the individually mounted hardware switching devices, resulting in a simplified control cabinet design.
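    The following Python model is an added example for this page; it is not Siemens code and does not reproduce the internal algorithms of SIMATIC F-I/O. It shows the mechanism just described: an input wired to two channels is read twice, the channels are compared, and only a unified result is passed on. The discrepancy-time tolerance, the substitute value False (STOP) on a persistent mismatch, and the reintegration call are assumptions chosen to make the failure mode visible; the sample trace at the end is constructed.

```python
"""Two-channel (1oo2) evaluation of a safety-related input with discrepancy
monitoring and passivation. Added illustration, not Siemens code; the
discrepancy time and the substitute value are assumptions."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TwoChannelInput:
    """Evaluates an input (e.g. an emergency STOP button) wired to two channels."""
    discrepancy_time_ms: int = 100   # assumed tolerance for a transient mismatch
    mismatch_ms: int = 0             # accumulated time the two channels have disagreed
    passivated: bool = False         # True once a channel fault has been detected

    def evaluate(self, ch_a: bool, ch_b: bool, dt_ms: int) -> bool:
        """Return the unified value passed on to the F-CPU.

        True = circuit closed (no STOP demanded); False = STOP / safe state.
        While passivated, the fail-safe substitute value False is returned."""
        if self.passivated:
            return False
        if ch_a != ch_b:
            self.mismatch_ms += dt_ms
            if self.mismatch_ms > self.discrepancy_time_ms:
                self.passivated = True       # persistent discrepancy: channel fault
            # while the channels disagree the safe value wins
            return False
        self.mismatch_ms = 0
        return ch_a and ch_b

    def reintegrate(self) -> None:
        """Assumed user acknowledgement after the fault has been removed."""
        self.passivated = False
        self.mismatch_ms = 0


def drive_actuator(enable_from_logic: bool, shutdown_path_ok: bool) -> bool:
    """Redundant ANDing of a safety-related output: both internal paths must
    agree to energise the actuator; either path alone can de-energise it."""
    return enable_from_logic and shutdown_path_ok


def run_sequence(samples: List[Tuple[bool, bool]],
                 discrepancy_time_ms: int = 100,
                 dt_ms: int = 10) -> Tuple[List[bool], bool]:
    """Feed a constructed sample trace through the input evaluation and the
    output ANDing; return (actuator trace, whether the input ended up passivated)."""
    inp = TwoChannelInput(discrepancy_time_ms)
    trace = []
    for ch_a, ch_b in samples:
        ok = inp.evaluate(ch_a, ch_b, dt_ms)
        trace.append(drive_actuator(ok, not inp.passivated))
    return trace, inp.passivated


if __name__ == "__main__":
    # constructed trace: both channels closed, then channel B stuck open
    demo = [(True, True)] * 3 + [(True, False)] * 12 + [(True, True)] * 2
    print(run_sequence(demo))
```

    The point of the trace is the tail: once the discrepancy has outlasted the tolerance, the channel stays passivated even when both channels agree again, so a wiring fault or a stuck contact cannot silently re-enable the actuator until it is acknowledged.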

    Fail-safe Distributed I/O Systems

    Implementation of fail-safe distributed I/O systems enables conventional safety engineering designs to be replaced by PROFIBUS DP components. This includes replacement of switching devices for emergency STOP, protective door monitors, two-hand operation, etc.

    Advantages of Integrating Safety Engineering into Standard Automation Systems

    Integration of safety engineering into standard automation systems has the following important advantages:

    • An automation system with integrated fail-safe engineering is more flexible than electromechanical solutions.

    • Integration entails less complicated wiring solutions.

    • Integration requires less engineering effort, as standard engineering tools are used for configuring and programming.

    • Only one CPU is required, as safety-related sections of the program can be executed alongside standard sections in the CPU.

    • Simple communication between safety-related and standard program components.

    1.3 Fail-safe Systems in SIMATIC S7

    What fail-safe systems are available in SIMATIC S7?

    Two fail-safe systems are available for integrating safety engineering into SIMATIC S7 automation systems:

    1. The S7 Distributed Safety system is available to implement safety concepts for machine and operator protection (e.g., for emergency STOP devices for operation of machine tools and processing machinery) and the process industry (e.g., for protection functions for instrumentation and control protective devices and burners).

    2. The fail-safe and, in particular, the optional fault-tolerant automation system S7 F/FH Systems is well-suited for process engineering and oil industry applications.

    Fail-safe and Fault-Tolerant S7 FH Systems

    To increase availability of an automation system and, thus, to prevent process failures due to faults in the F-system, fail-safe S7 F Systems can be optionally equipped with a fault-tolerant feature (S7 FH Systems). Increased availability is achieved through component redundancy (power supply, central processing unit, communication, and I/O).

    Achievable Safety Requirements

    S7 Distributed Safety and S7 F/FH Systems F-systems can satisfy the following safety requirements:

    • Safety class (Safety Integrity Level) SIL1 to SIL3 in accordance with IEC 61508

    • Category 2 to Category 4 in accordance with EN 954-1

    Principle of Safety Functions in S7 Distributed Safety and S7 F/FH Systems

    Functional safety is implemented principally through safety functions in the software. Safety functions are executed by S7 Distributed Safety or S7 F/FH Systems to restore or maintain a safe state in a system when a dangerous event occurs. Safety functions are contained mainly in the following components:

    • In the safety-related user program (safety program) in the fail-safe CPU (F-CPU)

    • In the fail-safe inputs and outputs (F-I/O)

    The F-I/O ensures safe processing of field information (emergency STOP buttons, light barriers, motor control). They have all of the required hardware and software components for safe processing, in accordance with the required safety class. The user only programs the user safety function.

    The safety function for the process can be provided through a user safety function or a fault reaction function. In the event of a fault, if the F-system can no longer execute its actual user safety function, it executes the fault reaction function; for example, the associated outputs are deactivated, and the F-CPU switches to STOP mode, if necessary.

    Example of User Safety Functions and Fault Reaction Functions

    In the event of overpressure, the F-system opens a valve (user safety function). If a dangerous fault occurs in the F-CPU, all outputs are deactivated (fault reaction function), whereby the valve is opened and the other actuators also attain a safe state. If the F-system is intact, only the valve would be opened.
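    As an added example that is not part of the manual, the Python model below walks through the overpressure case above. It assumes the usual fail-safe output convention, namely that a de-energised output is the safe state and that the relief valve is wired to open when its output is de-energised; the pressure limit of 8.0 bar, the actuator names and the pressure values are constructed for the illustration. The `cycle` method and the fault latch are the example's own interface, not a Siemens API.

```python
"""User safety function versus fault reaction function, modelled on the
overpressure/valve example. Added illustration, not Siemens code."""

PRESSURE_LIMIT_BAR = 8.0   # constructed trip point


class FSystem:
    """Fail-safe outputs are modelled as True = energised. The relief valve is
    wired so that a de-energised output opens it (de-energise-to-trip)."""

    def __init__(self) -> None:
        self.outputs = {"valve_hold_closed": True, "pump_run": True, "heater_on": True}
        self.fault_latched = False

    def user_safety_function(self, pressure_bar: float) -> None:
        """Intact F-system: only the relief valve reacts to overpressure;
        the other actuators keep running."""
        self.outputs["valve_hold_closed"] = pressure_bar <= PRESSURE_LIMIT_BAR

    def fault_reaction_function(self) -> None:
        """Dangerous fault in the F-CPU: every fail-safe output is deactivated,
        so each actuator falls into its safe state (valve opens, pump and heater stop)."""
        for name in self.outputs:
            self.outputs[name] = False

    def cycle(self, pressure_bar: float, cpu_fault_detected: bool) -> dict:
        """One scan. The fault reaction takes precedence over the user safety
        function and, in this model, stays latched once it has been triggered."""
        if cpu_fault_detected or self.fault_latched:
            self.fault_latched = True
            self.fault_reaction_function()
        else:
            self.user_safety_function(pressure_bar)
        return self.process_state()

    def process_state(self) -> dict:
        """Process view of the outputs, as an operator would see it."""
        return {
            "valve_open": not self.outputs["valve_hold_closed"],
            "pump_running": self.outputs["pump_run"],
            "heater_on": self.outputs["heater_on"],
        }


if __name__ == "__main__":
    plant = FSystem()
    print(plant.cycle(5.0, cpu_fault_detected=False))   # normal operation
    print(plant.cycle(9.5, cpu_fault_detected=False))   # overpressure: valve opens, rest runs
    print(plant.cycle(5.0, cpu_fault_detected=True))    # CPU fault: everything to safe state
```

    Both paths leave the valve open, which is the property the text is making: the fault reaction is not a second safety function but a blanket withdrawal of energy, so it must be acceptable for every actuator on the F-system to drop out at once. That is why the manual restricts F-systems to processes that can be shut down immediately without danger.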

    PROFIBUS DP or PROFINET IO with PROFIsafe Bus Profile

    Safe communication between the safety program in the F-CPU and the fail-safe inputs and outputs takes place via the "standard" PROFIBUS DP or "standard" PROFINET IO with superimposed PROFIsafe safety profile. The user data of the safety function plus the safety measures are transmitted within a standard data frame.

    Advantages:

    • Because both standard and safety-related communication takes place on the standard PROFIBUS DP or standard PROFINET IO, no additional hardware components are required.

    • Safety-related communication tasks can be solved without resorting to previous conventional solutions (such as permanent wiring of emergency stop devices) or special buses. This enables safety-related distributed applications, for example in automobile chassis construction with presses and robots, burner management, passenger transportation on cable railway, and process automation.

    • Fail-safe DP standard slaves can be integrated in S7 Distributed Safety and S7 F/FH Systems F-systems (sensors/actuators with bus capability and safety devices of PROFIBUS partner companies that are DP standard slaves with PROFIsafe capability).

    • Fail-safe I/O standard devices can be integrated in S7 Distributed Safety F-systems (sensors/actuators with bus capability and safety devices of PROFIBUS partner companies that are I/O standard devices with PROFIsafe capability).
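    The following Python example is added for this page and is not Siemens code; it is also not the PROFIsafe container format. It illustrates the principle stated above, that the safety user data plus the safety measures ride inside an ordinary frame while the bus itself is not trusted: a small safety container (consecutive number, user data, CRC over a connection identifier) is placed after ordinary process data, and the receiving side passivates on the first fault it detects. The field layout, the CRC polynomial, the connection identifier and the watchdog time are assumptions chosen for the demonstration.

```python
"""Safety layer carried inside a standard frame ("black channel" principle).
Added illustration, not Siemens code and not the PROFIsafe format: layout,
CRC, connection id and watchdog are assumptions."""

import struct
from typing import Optional, Tuple

CONNECTION_ID = 0x1234   # assumed: identifier of this safety connection, known to both ends
WATCHDOG_MS = 200        # assumed: receiver watchdog time


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); chosen for illustration only."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_safety_container(user_data: bytes, counter: int) -> bytes:
    """Container = 1-byte consecutive number + user data + CRC16. The CRC also
    covers the connection id, so a container misrouted by the standard bus to
    another connection fails the check although its bytes are intact."""
    body = bytes([counter & 0xFF]) + user_data
    crc = crc16_ccitt(struct.pack(">H", CONNECTION_ID) + body)
    return body + struct.pack(">H", crc)


def wrap_in_standard_frame(container: bytes, standard_data: bytes = b"\x00\x00") -> bytes:
    """Standard frame: length byte + ordinary process data + safety container.
    Only the container is protected by the safety layer."""
    return bytes([len(standard_data)]) + standard_data + container


class SafetyReceiver:
    """Consumer side: verifies each container and passivates on the first fault."""

    def __init__(self) -> None:
        self.expected_counter = 0
        self.since_last_ok_ms = 0
        self.passivated = False

    def receive(self, frame: bytes, elapsed_ms: int) -> Tuple[Optional[bytes], str]:
        """Return (user_data, status). user_data is None whenever the safety layer
        cannot vouch for it; the consumer then works with substitute values."""
        if self.passivated:
            return None, "passivated"
        self.since_last_ok_ms += elapsed_ms
        n = frame[0]
        container = frame[1 + n:]
        if len(container) < 3:
            return self._fail("short")
        body, crc_rx = container[:-2], struct.unpack(">H", container[-2:])[0]
        if crc16_ccitt(struct.pack(">H", CONNECTION_ID) + body) != crc_rx:
            return self._fail("crc")        # corrupted or misrouted container
        counter, user_data = body[0], body[1:]
        if counter != self.expected_counter:
            return self._fail("counter")    # lost, repeated, inserted or reordered container
        if self.since_last_ok_ms > WATCHDOG_MS:
            return self._fail("timeout")    # valid data that arrived too late to act on
        self.expected_counter = (counter + 1) & 0xFF
        self.since_last_ok_ms = 0
        return user_data, "ok"

    def _fail(self, reason: str) -> Tuple[None, str]:
        self.passivated = True
        return None, reason


if __name__ == "__main__":
    rx = SafetyReceiver()
    for i in range(3):   # constructed: three consecutive containers carrying one data byte
        print(rx.receive(wrap_in_standard_frame(build_safety_container(b"\x01", i)), 50))
```

    Two things the model makes visible: a bit flip in the ordinary process data part of the frame is not the safety layer's concern and passes through, while any corruption, repetition, loss or delay of the container itself turns into passivation rather than into a wrong actuator state. That is what lets the standard bus stay standard.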

    1.3.1 Areas of Application of S7 Distributed Safety and S7 F/FH Systems

    Use of S7 Distributed Safety

    The primary uses of S7 Distributed Safety fail-safe systems are for machine and operator protection (e.g., for emergency STOP devices for operation of machine tools and processing machinery) and the process control industry (e.g., for protection functions for instrumentation and control protective devices and burners).

    Integration options for S7 Distributed Safety fail-safe systems at the plant automation level are shown below.

    Figure 1-1 Use of S7 Distributed Safety (diagram: PC and F-CPU on PROFIBUS with ET 200S, ET 200M, ET 200pro and ET 200eco stations and F-SMs; image not reproduced in this transcript)

    Use of S7 F/FH Systems

    S7 F/FH Systems fail-safe systems are used primarily in process engineering and instrumentation and control applications in which a safe state can be attained by disabling the fail-safe outputs.

    Integration options for S7 F Systems and S7 FH Systems in process automation systems using PCS 7 are shown below.

    Figure 1-2 Use of S7 F/FH Systems (diagram: PCs and S7-400H with ET 200M, ET 200S and ET 200eco stations; image not reproduced in this transcript)

    1.3.2 Performance Characteristics of S7 Distributed Safety and S7 F/FH Systems

    Common Characteristics of S7 Distributed Safety and S7 F/FH Systems

    S7 Distributed Safety and S7 F/FH Systems have the following important characteristics in common:

    • Integration in S7-300 or S7-400 automation systems; the automation task determines the system design, and fail-safe engineering is integrated into the system

    • Execution of standard control functions and protection functions on the same system (standard system with fail-safe capability, which eliminates the need for dedicated fail-safe solutions)

    • Connection of distributed I/O via PROFIBUS DP with PROFIsafe

    • Use of standard PROFIBUS components (copper and fiber-optic cable technology)

    • Configuration integrated in STEP 7, same as for standard automation systems

    • Creation of safety program using standard programming languages of STEP 7

    • Flexible adaptation to the task requirements by providing a wide range of fail-safe I/O

    Comparison of System Performance of S7 Distributed Safety and S7 F/FH Systems

    The following table identifies the differences between the fail-safe systems with regard to important performance characteristics.

    Table 1-1 Performance Characteristics of F-Systems

    Achievable safety classes
      S7 Distributed Safety: SIL3/Category 4
      S7 F/FH Systems: SIL3/Category 4

    Fault tolerance feature available
      S7 Distributed Safety: No
      S7 F/FH Systems: Yes

    Development stage
      S7 Distributed Safety: Fail-safe system
      S7 F/FH Systems: Fail-safe system; fail-safe and fault-tolerant system

    Connection of fail-safe I/O
      S7 Distributed Safety:
        • Centralized and decentralized via PROFIBUS DP
        • Distributed via PROFINET IO (ET 200S and ET 200pro F-modules)
      S7 F/FH Systems:
        • Distributed via PROFIBUS DP

    Minimum response time of F-system (dependent on configuration)
      S7 Distributed Safety: 50 ms
      S7 F/FH Systems: 100 ms

    Typical response time of F-system
      S7 Distributed Safety: 100 ms to 200 ms
      S7 F/FH Systems: 200 ms to 500 ms

    Communication
      S7 Distributed Safety:
        • Safety-related master-master communication
        • Safety-related master-I-slave communication
        • Safety-related I-slave-I-slave communication
        • Safety-related I-slave-slave communication
        • Safety-related communication via S7 connections (Industrial Ethernet only)
      S7 F/FH Systems:
        • Safety-related communication via S7 connections (via PROFIBUS, MPI, Industrial Ethernet, etc.)

    Creation of safety program
      S7 Distributed Safety: In standard LAD or FBD languages in STEP 7
      S7 F/FH Systems: In CFC (optional software for STEP 7), via safety matrix

    Modification of safety program in the F-CPU in RUN mode
      S7 Distributed Safety: Currently possible in deactivated safety mode; however, transition to safety mode is possible only by switching the F-CPU to STOP mode
      S7 F/FH Systems: Currently possible in deactivated safety mode or via Safety Data Write; a change of operating mode of the F-CPU is not required for transition to safety mode

    Fault reactions in the safety program
      S7 Distributed Safety:
        • Passivation of channels or F-I/O
        • F-CPU in STOP mode
      S7 F/FH Systems:
        • Passivation of channels or F-I/O
        • F-CPU does not go to STOP mode; instead, the safety program or faulty F-runtime group is shut down

    Main areas of application
      S7 Distributed Safety: Operator and machine protection; burner control
      S7 F/FH Systems: Instrumentation and control and process industries (can be integrated in the PCS 7 process control system)


    Table 1-2 Memory Configuration of F-CPUs

    S7 Distributed Safety
      • IM 151-7 F-CPU (6ES7 151-7FA01-0AB0): 96 Kbytes (of which 64 Kbytes is for standard user program)
      • CPU 315F-2 DP (6ES7 315-6FF01-0AB0): 192 Kbytes
      • CPU 315F-2 PN/DP (6ES7 315-2FH10-0AB0): 192 Kbytes
      • CPU 317F-2 DP (6ES7 317-6FF00-0AB0): 512 Kbytes
      • CPU 317F-2 PN/DP (6ES7 317-2FJ10-0AB0): 512 Kbytes
      • CPU 416F-2 (6ES7 416-2FK02-0AB0): 800 Kbytes for program + 800 Kbytes for data
      • CPU 416F-2 (6ES7 416-2FK04-0AB0): 1.4 Mbytes for program + 1.4 Mbytes for data

    S7 F/FH Systems
      • CPU 414-4H (6ES7 414-4HJ00-0AB0): 384 Kbytes for program + 384 Kbytes for data
      • CPU 414-4H (6ES7 414-4HJ04-0AB0): 700 Kbytes for program + 700 Kbytes for data
      • CPU 417-4H (6ES7 417-4HL00-0AB0, 6ES7 417-4HL01-0AB0): 2 Mbytes for program, can be expanded to 10 Mbytes + 2 Mbytes for data, can be expanded to 10 Mbytes
      • CPU 417-4H (6ES7 417-4HL04-0AB0): 10 Mbytes for program + 10 Mbytes for data

    Support for PROFINET IO (as of S7 Distributed Safety V5.4):

    The following F-CPUs and F-I/O support PROFINET IO:

    • CPU 315F-2 PN/DP

    • CPU 317F-2 PN/DP

    • CPU 416F-2 (6ES7 416-2FK04-0AB0) as of firmware version V 4.1 with CP 443-1 Advanced

    • ET 200S fail-safe modules

    • ET 200pro fail-safe modules

    • Fail-safe I/O standard devices

    1.4 Components of S7 Distributed Safety and S7 F/FH Systems

    Hardware and Software Components of F-Systems

    An overview of the hardware and software components required for configuring and operating S7 Distributed Safety and S7 F/FH Systems F-systems is shown below.

    Figure 1-3 Overview of Hardware and Software Components of an F-System (image not reproduced in this transcript)

    Interaction of Components

    To configure a fail-safe system, certain software and hardware components have to be combined.

    Wiring Fail-safe I/O

    The user wires the F-I/O to the sensors and actuators so as to be able to achieve the required safety class.

    Configuring Hardware

    The user configures the F-CPU and the F-I/O in STEP 7 HW Config. This configuration must match the hardware configuration; that is, the circuit diagram of the F-I/O must reflect the parameter settings.

    Creating Safety Program

    The user creates the safety program using a programming language in STEP 7.

    For S7 Distributed Safety, the user creates fail-safe blocks in F-FBD or F-LAD. The associated F-block library provides fail-safe blocks that the user can use in his safety program. For the most part, the F-I/O is linked in the background without user involvement.

    For S7 F/FH Systems, the user assigns parameters for the fail-safe blocks of the associated F-block library and interconnects them in CFC. Special F-driver blocks are available to link the F-I/O. These driver blocks must also be parameterized and interconnected.

    For both F-systems, safety checks are performed and additional F-blocks for fault detection are incorporated automatically when the executable safety program is compiled.


    1.4.1 Hardware Components

    Components

    An F-system consists in part of hardware components that fulfill particular safety requirements:

    Table 1-3 Hardware Components

    S7 Distributed Safety
      F-CPU:
        • IM 151-7 F-CPU
        • CPU 315F-2 DP
        • CPU 315F-2 PN/DP
        • CPU 317F-2 DP
        • CPU 317F-2 PN/DP
        • CPU 416F-2
      Fail-safe I/O:
        • F-signal modules in ET 200M (decentralized configuration)
        • F-signal modules in S7-300 station (local configuration with a CPU 3xxF)
        • F-electronic modules in ET 200S (DP master or intelligent DP slave with an IM 151-7 F-CPU)
        • F-electronic modules in ET 200S (DP slave with an IM 151-1 HIGH FEATURE)
        • F-electronic modules in ET 200S (PROFINET IO device with IM 151-3 PN HIGH FEATURE)
        • ET 200pro F-modules
        • ET 200eco fail-safe I/O module
        • Fail-safe DP standard slaves
        • Fail-safe I/O standard devices

    S7 F/FH Systems
      F-CPU (each with F-runtime license):
        • CPU 414-4H
        • CPU 417-4H
      Fail-safe I/O:
        • F-signal modules in ET 200M (decentralized configuration)
        • F-electronic modules in ET 200S (DP slave with an IM 151-1 HIGH FEATURE)
        • ET 200eco fail-safe I/O module
        • Fail-safe DP standard slaves

    In addition, the F-system can be expanded using standard components of the S7-300 and S7-400.

    F-CPU

    A CPU with fail-safe capability is a central processing unit that is approved for use in S7 Distributed Safety and S7 F/FH Systems.

    For S7 F/FH Systems, the F-runtime license allows the central processing unit to be used as an F-CPU. That is, a safety program can be run on it.

    For S7 Distributed Safety, an F-runtime license is not required.

    A standard user program can also be run in the F-CPU. It is possible for a standard program and a safety program to coexist because unintentional interference of the safety program by the standard user program can be prevented.

    Safety-related portions of the user program must be password-protected against unauthorized access in the F-CPU and the programming device or ES. In addition, the F-CPU applies highly effective measures to detect and eliminate faults.


    Warning

    You can use the following F-CPUs in S7 Distributed Safety: IM 151-7 F-CPU, CPU 315F-2 DP, CPU 315F-2 PN/DP, CPU 317F-2 DP, CPU 317F-2 PN/DP and CPU 416F-2. Note that these F-CPUs cannot be used in S7 F/FH Systems.

    You can use the following F-CPUs in S7 F/FH Systems: CPU 414-4H and CPU 417-4H. Note that these F-CPUs cannot be used in S7 Distributed Safety.

    Fail-safe I/O

    The following fail-safe I/O are available:

    For S7 Distributed Safety and S7 F/FH Systems:

    • S7-300 fail-safe signal modules (F-SMs)

    • ET 200S fail-safe power and electronic modules (ET 200S F-modules)

    • ET 200eco fail-safe I/O module (ET 200eco F-module)

    • Fail-safe DP standard slaves

    For S7 Distributed Safety:

    • ET 200pro fail-safe electronic modules

    • Fail-safe I/O standard devices

    S7-300 Fail-safe Signal Modules

    The following fail-safe signal modules (F-SMs) are available:

    • Fail-safe digital input modules:

     – SM 326; DI 8 x NAMUR, with diagnostic interrupt

     – SM 326; DI 24 x 24 VDC, with diagnostic interrupt

    • Fail-safe digital output modules:

     – SM 326; DO 10 x 24 VDC/2 A, with diagnostic interrupt

     – SM 326; DO 8 x 24 VDC/2 A, with diagnostic interrupt

    • Fail-safe analog input module: SM 336; AI 6 x 13 bits, with diagnostic interrupt

    F-SMs can also be used as standard SMs with standard CPUs in standard applications.

    From a user standpoint, the F-SMs can be distinguished from most standard SMs in that they have diagnostic interrupt capability.

    In S7 Distributed Safety, the F-SMs can be operated as decentralized modules in ET 200M and as centralized modules in an S7-300 station.

    In S7 F/FH Systems, the F-SMs can generally be operated only in the ET 200M distributed I/O system.

    Exception: The SM 326; DO 8 x DC 24V/2A can only be operated as a fail-safe signal module. You can, however, install it centrally with all F-CPUs of the S7-300 spectrum with:

    • CPU 315F-2 DP (6ES7 315-6FF01-0AB0) beginning with firmware version V 2.0.9 and

    • CPU 317F-2 DP (6ES7 317-6FF00-0AB0) beginning with firmware version V 2.1.4.

    The module can be operated in a distributed configuration in S7 Distributed Safety.


    Restrictions on the Use of S7-300 Standard SMs

    The restrictions for fault-tolerant systems are applicable to the use of S7-300 standard SMs in S7 F/FH Systems (see Automation System S7-400H Fault-Tolerant Systems manual). For the restrictions for S7-300 standard SMs in safety mode of F-SMs, refer to the Automation System S7-300 Fail-safe Signal Modules manual.

    ET 200S Fail-safe Electronic Modules

    The following fail-safe electronic modules (F-modules) are available in ET 200S:

    • PM-E F pm 24 VDC PROFIsafe power module with 2 additional fail-safe digital outputs

    • PM-E F pp 24 VDC PROFIsafe power module

    • PM-D F 24 VDC PROFIsafe power module

    • 4/8 F-DO 24 VDC PROFIsafe digital electronic module

    • 4 F-DO 24 VDC/2 A PROFIsafe digital electronic module

    F-modules cannot be used with standard CPUs in standard applications.

    Interface Modules for ET 200S with Fail-safe Modules

    One interface module is required for each ET 200S. The F-system determines which interface module can be used:

    Table 1-4 Use of Interface Modules with ET 200S Fail-safe Modules

    IM 151-1 HIGH FEATURE
      Order number (or higher): 6ES7 151-1BA00-0AB0, 6ES7 151-1BA01-0AB0
      Applicable optional package (version or higher): S7 Distributed Safety V5.1; S7 F Systems V5.2

    IM 151-7 F-CPU
      Order number (or higher): 6ES7 151-7FA01-0AB0
      Applicable optional package (version or higher): S7 Distributed Safety V5.2

    IM 151-3 PN HIGH FEATURE
      Order number (or higher): 6ES7 151-3AB00-0AB0
      Applicable optional package (version or higher): S7 Distributed Safety V5.4

    Note

    Unlike IM 151-1 HIGH FEATURE, for example, the IM 151-7 F-CPU is an intelligent preprocessing device (intelligent DP slave) and can also be used as a DP master. An IM 151-7 F-CPU can therefore exercise full and, if necessary, independent control over a technological functional unit and can be used as a stand-alone CPU or F-CPU. The IM 151-7 F-CPU represents an addition to the line of F-CPUs for S7 Distributed Safety.


    ET 200pro Fail-safe Modules

    The following fail-safe electronic modules (F-modules for short) are available for an ET 200pro:

    • 8/16 F-DI DC24V PROFIsafe Digital Electronic Module

    • 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Digital Electronic Module

    ET 200eco Fail-safe I/O Module

    The following fail-safe I/O modules (F-modules) are available in ET 200eco:

    • 4/8 F-DI 24 VDC PROFIsafe

    Fail-safe DP Standard Slaves

    Fail-safe DP standard slaves are standard slaves that are operated on PROFIBUS with the DP protocol and the PROFIsafe bus profile. Their behavior must comply with IEC 61784-1:2002 Ed1 CP 3/1 and the PROFIsafe bus profile.

    Fail-safe DP standard slaves that are used in mixed configurations on PROFIBUS DP and PROFINET IO behind IE/PB links must support the PROFIsafe bus profile in V2 mode.

    A GSD file is used to configure fail-safe DP standard slaves.

    Fail-safe I/O Standard Devices

    Fail-safe I/O standard devices are standard devices that are operated on PROFINET with the IO protocol and the PROFIsafe (V2 mode) bus profile. They must behave in accordance with IEC 61784-1:2002 Ed1 CP 3/3 and the PROFIsafe bus profile (V2 mode). A GSDML file is used to configure them.


    1.4.2 Software Components

    Introduction

    The software components of an F-system include the following:

    • Optional package on the programming device or ES for configuring and programming the F-system

    • Safety program in the F-CPU

    You also need the STEP 7 basic software on the programming device or ES for configuring and programming the standard automation system.

    For S7 F/FH Systems, you also need the CFC and S7-SCL add-on software for STEP 7 and, when applicable, PCS 7.

    Optional Packages for Configuring and Programming F-Systems

    Two optional packages are available for configuring and programming F-systems, as shown in the following table.

    Table 1-5 Optional Packages for Configuration and Programming

    S7 Distributed Safety
      Order number: 6ES7 833-1FC02-0YX0
      For F-system: S7 Distributed Safety
      Scope: Configuration and programming software with F-block library for:
        • IM 151-7 F-CPU, CPU 315F-2 DP, CPU 315F-2 PN/DP, CPU 317F-2 DP, CPU 317F-2 PN/DP, CPU 416F-2
        • ET 200S F-modules
        • ET 200pro F-modules
        • ET 200eco F-module
        • S7-300 F-SMs
        • Fail-safe DP standard slaves
        • Fail-safe I/O standard devices

    S7 F Systems
      Order number: 6ES7 833-1CC00-0YX0
      For F-system: S7 F/FH Systems
      Scope: Configuration and programming software with F-block library for:
        • CPU 414-4H, CPU 417-4H
        • ET 200S F-modules
        • ET 200eco F-module
        • S7-300 F-SMs
        • Fail-safe DP standard slaves

    The user receives the following with these optional packages:

    • Support for configuring the F-I/O in STEP 7 with HW Config

    • F-library with fail-safe blocks for creating safety programs

    • Support for creating the safety program and integrating fault detection functions in the safety program


    Programming Language

    Different programming languages are used to create safety programs:

    Table 1-6 Programming Languages

    S7 Distributed Safety
      Programming language: F-LAD, F-FBD
      Description:
        • The primary difference between the F-LAD and F-FBD programming languages and the standard LAD and FBD languages in STEP 7 lies in the limitations in the instruction set and data types.
        • F-application blocks from the Distributed Safety F-library or custom F-libraries can be used.

    S7 F/FH Systems
      Programming language: CFC
      Description:
        • Use of optional CFC software in STEP 7
        • Special F-blocks in the Failsafe Blocks F-library must be used.

    Creating a Safety Program for S7 Distributed Safety

    The user creates safety programs with F-FBD or F-LAD in fail-safe FBs and FCs. The F-library provided contains F-application blocks that the user can incorporate into his safety program.

    The user also has the option of creating his own F-libraries for S7 Distributed Safety (custom F-libraries).

    Creating a Safety Program for S7 F/FH Systems

    The user creates safety programs with CFC by interconnecting fail-safe blocks in the F-library provided with the S7 F Systems optional package.

    Additional Information

    For detailed information on configuring S7 Distributed Safety and S7 F/FH Systems, refer to "Configuring F-Systems". Programming of F-systems is described in "Programming F-Systems".


1.5 Guide to Working with F-Systems

    Introduction

This section describes the basic procedure for working with fail-safe systems. Only the relevant steps for F-systems that differ from the standard procedure are presented.

Planning tasks that depend on the process, such as creating a flowchart or process tag list, defining a structure, etc., are not described here.

Example Projects

    You will find introductory example projects for configuration and programming of:

    • S7 Distributed Safety in S7 Distributed Safety Getting Started  

    • S7 Distributed Safety in S7 Distributed Safety Configuring and Programming  manual

    • S7 F/FH Systems in Programmable Controllers S7 F/FH  manual

    • S7 F/FH Systems in step7\Examples  directory

    Planning a System

When planning a system, the planner specifies the applicable safety class (SIL/Category) for each required safety function based on a risk assessment. This is then used to determine the component requirements for implementing the safety functions (programmable logic controllers, sensors, actuators). These decisions influence additional activities such as hardware design, configuration, and programming.

    Note

    A functional division of standard and safety functions is important for planning.


Sequence of Steps Ranging from Selection of Components to Maintenance of F-Systems

The following table provides references to manuals for obtaining information. The relevant product information sheets provide additional information on the F-CPUs.

Table 1-7 Sequence of Steps Ranging from Selection of Hardware to Maintenance of F-Systems

Step 1. Plan system:
• Specify safety functions with appropriate safety classes (SIL/Category).
• Specify S7 Distributed Safety, S7 F Systems, or S7 FH Systems; select hardware and software components.
Reference: Safety Engineering system description, "Overview of Fail-safe Systems" section; product catalog

Step 2. Configure hardware in STEP 7:
• Configure F-CPU and assign parameters for safety program.
• Configure and assign parameters for fail-safe I/O (F-SMs, F-modules) according to safety class and wiring diagram.
• Integrate and assign parameters for fail-safe DP standard slaves and I/O standard devices.
Reference: Safety Engineering system description, "Configuring F-Systems" section; S7 Distributed Safety: S7 Distributed Safety, Configuring and Programming; S7 F/FH Systems: S7 F/FH Automation Systems; ET 200S: ET 200S, Fail-safe Modules; ET 200pro: ET 200pro, Fail-safe Modules; ET 200eco: ET 200eco, Fail-safe I/O Module; F-SMs: S7-300, Fail-safe Signal Modules

Step 3. Set up hardware:
• Set the PROFIsafe addresses on the ET 200S, ET 200pro, ET 200eco, and S7-300 F-SMs via switch.
• Install modules.
• Wire modules according to required wiring diagram.
Reference: ET 200S: ET 200S, Fail-safe Modules; ET 200pro: ET 200pro, Fail-safe Modules; ET 200eco: ET 200eco, Fail-safe I/O Module; F-SMs: S7-300, Fail-safe Signal Modules

Step 4. Create safety program in STEP 7:
• Create F-blocks or select them from F-library; position, interconnect, and assign parameters for F-blocks.
• Compile safety program and download it to the F-CPU.
• Test safety program.
• If necessary, modify safety program.
• Document configuration and safety program.
Reference: Safety Engineering system description, "Programming F-Systems" section; S7 Distributed Safety: S7 Distributed Safety, Configuring and Programming; S7 F/FH Systems: S7 F/FH Automation Systems

Step 5. Commission system:
• If necessary, arrange for acceptance testing of safety-related parts by the relevant authorities before starting safety mode.
• Commission system.
Reference: S7 Distributed Safety: S7 Distributed Safety, Configuring and Programming; S7 F/FH Systems: S7 F/FH Automation Systems

Step 6. Perform system maintenance:
• Replace hardware and software components.
• Update operating system.
• Uninstall F-system.
Reference: S7 Distributed Safety: S7 Distributed Safety, Configuring and Programming; S7 F/FH Systems: S7 F/FH Automation Systems

    See also

    Introduction (Page 6-1) 


2.2 Configuration of F-Systems

    Basic Configurations

    This chapter describes the three basic configurations for F-systems:

    • S7 Distributed Safety fail-safe system

    • S7 F Systems fail-safe system

    • S7 FH Systems fail-safe and fault-tolerant system

    2.2.1 S7 Distributed Safety Fail-safe System

Components of S7 Distributed Safety System

S7 Distributed Safety refers to a fail-safe automation system consisting of at least the following components:

• A central processing unit with fail-safe capability, such as CPU 315F-2 DP, on which a safety program is executed

    • Fail-safe I/O, for example:

     – Fail-safe signal modules (F-SMs) in a centralized configuration with CPU 315F-2 DP

     – Fail-safe signal modules (F-SMs) in an ET 200M distributed I/O system

 – Fail-safe modules in an ET 200S distributed I/O system

 – Fail-safe modules in an ET 200pro distributed I/O device

     – ET 200eco fail-safe I/O module

     – Fail-safe DP standard slaves/standard I/O devices

Warning

You can use the following F-CPUs in S7 Distributed Safety: IM 151-7 F-CPU, CPU 315F-2 DP, CPU 315F-2 PN/DP, CPU 317F-2 DP, CPU 317F-2 PN/DP and CPU 416F-2. Note that these F-CPUs cannot be used in S7 F/FH Systems.

You can use the following F-CPUs in S7 F/FH Systems: CPU 414-4H and CPU 417-4H. Note that these F-CPUs cannot be used in S7 Distributed Safety.


Configuration Examples for S7 Distributed Safety F-Systems

The following figures illustrate three examples of S7 Distributed Safety F-systems.

Example 1 for PROFIBUS DP: The S7-300 station with CPU 315F-2 DP is the DP master. The F-CPU exchanges safety-related data with the fail-safe I/O in the centralized configuration and in the DP slaves.

The F-system can be expanded with additional fail-safe I/O, any number of "standard" DP slaves and standard modules.

Figure 2-1 Example 1: F-System S7 Distributed Safety with PROFIBUS DP


    Example 2 for PROFIBUS DP:

The S7-400 station with CPU 416F-2 is the DP master. The F-CPU exchanges safety-related data with the IM 151-7 F-CPU in ET 200S. The IM 151-7 F-CPU acts as an intelligent preprocessing device (I-slave).

The F-system can be expanded with additional fail-safe I/O, any number of "standard" DP slaves and standard modules.

     Figure 2-2 Example 2: F-System S7 Distributed Safety with PROFIBUS DP


    Example 3 for PROFINET IO:

The S7-300 station with CPU 315F-2 PN/DP is the I/O controller. The F-CPU exchanges safety-relevant data with the fail-safe modules of ET 200pro, ET 200S and fail-safe I/O standard devices.

The fail-safe system can be expanded by any number of "standard" I/O devices.

Figure 2-3 Example 3: F-System S7 Distributed Safety with PROFINET IO

2.2.2 S7 F Systems Fail-safe System

Components of S7 F Systems

S7 F Systems refers to a fail-safe automation system consisting of at least the following components:

• A central processing unit with fail-safe capability, such as CPU 417-4H with an F-runtime license, on which a safety program is executed

• Fail-safe I/O, for example:

 – Fail-safe signal modules (F-SMs) in an ET 200M distributed I/O system (with optional redundancy)

     – Fail-safe modules in an ET 200S distributed I/O system

     – ET 200eco fail-safe I/O module

     – Fail-safe DP standard slaves


Configuration Example for an S7 F Systems F-System

The following figure illustrates an example of an S7 F Systems F-system.

The S7-400 station with CPU 417-4H is the DP master. The F-CPU exchanges safety-related data with the fail-safe I/O in the DP slaves. The F-system can be expanded with additional fail-safe I/O, any number of "standard" DP slaves and standard modules.

Figure 2-4 S7 F Systems Fail-safe System

2.2.3 S7 FH Systems Fail-safe and Fault-Tolerant System

Components of S7 FH Systems

S7 FH Systems refers to a fail-safe and fault-tolerant automation system consisting of at least the following components:

• S7-400H fault-tolerant system (master and standby) on which a safety program is executed

• Fail-safe signal modules (F-SMs) in an ET 200M distributed I/O system as switched I/O (with optional redundancy)


Configuration Example for an S7 FH Systems F-System

The following figure illustrates an example of an S7 FH Systems system with redundant F-CPU and shared, switched distributed I/O, as well as connection to a redundant system bus.

     Figure 2-5 S7 FH Systems Fail-safe System

2.2.4 Coexistence of Standard and Fail-safe Components

Coexistence Is Possible

Standard, fault-tolerant (H-), and fail-safe (F-) components and systems can be used in combination as follows:

• Standard systems, H-systems, F-systems, and FH systems can coexist in a system.

• In an F-system:

 – Distributed I/O devices and systems can be operated with standard and fail-safe I/O, such as ET 200S, ET 200pro and ET 200eco.

 – S7-300 standard and fail-safe signal modules can be operated in safety mode both as centralized modules (in S7 Distributed Safety only) and as decentralized modules in ET 200M.

• In an F-system or FH-system, a standard user program can be executed along with the safety program.


    Advantages

Coexistence of F-components, H-components, and standard components has the following advantages:

• It is possible to configure a totally integrated automation system that takes advantage of standard CPU innovation. At the same time, fail-safe components are implemented independently of standard components such as FMs or CPs. The entire system is configured and programmed with standard tools such as HW Config, FBD, LAD, or CFC.

• The coexistence of standard and fail-safe program parts in one F-CPU reduces the cost of acceptance tests because program parts not required to be fail-safe can be swapped out to the standard user program. This reduces the size of the safety program, that is, the part of the program that must pass an acceptance test.

Maintenance costs can also be reduced if as many functions as possible are moved to the standard user program, since the standard user program can be modified during operation.

Boundary Conditions for Coexistence

Warning

For applications with safety class SIL2/Category 3 and lower, physical contact protection measures for standard components are sufficient (see the manuals for the F-CPU and F-I/O you are using).

Applications with safety class SIL3/Category 4 require certain measures beyond physical contact protection to prevent hazardous overvoltages of F-circuits via the power supply and backplane bus, even in the event of a fault. Therefore, the following are provided for protection from backplane bus influence:

• Safety protector for centralized and decentralized configuration of S7-300 F-SMs

• For S7 F/FH Systems, PROFIBUS DP with fiber-optic cable design

• ET 200S fail-safe modules and the ET 200eco fail-safe I/O module exhibit a 250 VAC isolation internally.

To protect against influence by the power supply, configuration rules for power supplies, standard I/O, and fail-safe I/O are available (see the fail-safe I/O manuals).

Rules for Using the Safety Protector

The safety protector protects the F-SMs from possible overvoltages in the event of a fault.

Warning

The safety protector must be used for SIL3/Category 4 applications:

• Generally, when the F-SMs are used as centralized modules in an S7-300

• Generally, when PROFIBUS DP is configured with copper cable

• When PROFIBUS DP is configured with fiber-optic cable and combined operation of standard and fail-safe SMs in one ET 200M is required

For a detailed description of the safety protector, refer to the Automation System S7-300 Fail-safe Signal Modules manual.


2.3 Configuration Variants for Fail-safe Systems According to Availability Requirements

    Options for Increasing Availability

To increase availability of an automation system and, thus, to prevent process failures due to faults in the F-system, S7 F Systems fail-safe systems can be configured optionally as fault-tolerant systems (S7 FH Systems). This increased availability can be achieved by component redundancy (F-CPU, communication connections, and F-I/O).

For S7 F Systems, availability can be increased without fault-tolerant configuration. Fail-safe signal modules (F-SMs) can be used redundantly in one ET 200M or in several ET 200Ms.

The following section includes a description of how to achieve increased availability through redundancy of the F-CPU and F-I/O in S7 FH Systems.

Note

Availability of the fail-safe CPUs in S7 Distributed Safety and S7 F Systems cannot be increased by using the "SW Redundancy" software package.

Configuration Options in Safety Mode

Fail-safe systems can be configured three different ways, as follows:

Table 2-1 Configuration Options for Fail-safe Systems According to Availability

System: S7 Distributed Safety, S7 F Systems
Configuration option: Single-channel I/O
Description: Single-channel and fail-safe (F-CPU and F-I/O are not redundant)
Availability: Standard availability

System: S7 FH Systems
Configuration option: Single-channel switched I/O
Description: Single-channel switched and fail-safe (F-CPU is redundant, F-I/O is not redundant; in the event of a fault, the system switches over to the other F-CPU)
Availability: Increased availability

System: S7 FH Systems
Configuration option: Redundant switched I/O
Description: Multichannel and fail-safe (F-CPU, PROFIBUS DP, and F-I/O are redundant)
Availability: Highest availability

Typical configuration examples are presented below. A different level of availability of process data is achieved for each configuration variant.

    Additional Information about Increased Availability

Communication between F-CPUs in S7 FH Systems is described in the Safety-Related CPU-CPU Communication section of this manual. For information about S7-400H fault-tolerant systems, refer to the Automation System S7-400H Fault-Tolerant Systems manual.
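The selection rules stated so far (the F-CPU warning in section 2.2.1, the safety protector rules in section 2.2.4, and the availability options of Table 2-1) are easy to get wrong in a design review once several I/O stations are involved. The following Python rule checker is an added example written for this page; it is not Siemens tooling and not part of STEP 7. The `Design` and `IoStation` classes, their field names and the `check_design` function are assumptions made for the example; the rules it encodes are the ones printed in this manual.

```python
"""Rule checker for a planned SIMATIC S7 F-system design.

This is an added illustrative example, not Siemens tooling. It encodes the
selection rules stated in this manual: which F-CPUs belong to which F-system
(section 2.2.1), when the safety protector is mandatory for SIL3/Category 4
(section 2.2.4), and which availability option each F-system supports
(Table 2-1). Class and field names are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import List

# F-CPUs permitted per F-system (warning in section 2.2.1).
DISTRIBUTED_SAFETY_CPUS = {
    "IM 151-7 F-CPU", "CPU 315F-2 DP", "CPU 315F-2 PN/DP",
    "CPU 317F-2 DP", "CPU 317F-2 PN/DP", "CPU 416F-2",
}
F_FH_SYSTEMS_CPUS = {"CPU 414-4H", "CPU 417-4H"}

# Availability options per F-system (Table 2-1).
AVAILABILITY_OPTIONS = {
    "S7 Distributed Safety": {"single-channel"},
    "S7 F Systems": {"single-channel"},
    "S7 FH Systems": {"single-channel switched", "redundant switched"},
}


@dataclass
class IoStation:
    """One I/O location in the design (assumed model)."""
    kind: str                    # "central S7-300", "ET 200M", "ET 200S", "ET 200pro", "ET 200eco"
    has_f_modules: bool          # fail-safe modules / F-SMs present
    has_standard_modules: bool   # standard modules in the same rack or station
    safety_protector: bool = False


@dataclass
class Design:
    """A planned F-system (assumed model)."""
    system: str        # "S7 Distributed Safety", "S7 F Systems" or "S7 FH Systems"
    cpu: str
    sil: int           # required safety class: 1, 2 or 3
    bus_medium: str    # PROFIBUS DP medium: "copper" or "fiber"
    io_option: str     # one of the AVAILABILITY_OPTIONS entries
    stations: List[IoStation] = field(default_factory=list)


def check_design(d: Design) -> List[str]:
    """Return the rule violations found; an empty list means the design passes."""
    problems: List[str] = []

    # Rule 1: the F-CPU family must match the F-system; the two sets are disjoint.
    allowed = DISTRIBUTED_SAFETY_CPUS if d.system == "S7 Distributed Safety" else F_FH_SYSTEMS_CPUS
    if d.cpu not in allowed:
        problems.append(f"{d.cpu} cannot be used in {d.system}")

    # Rule 2: switched I/O needs a redundant F-CPU, so only S7 FH Systems offers it.
    if d.io_option not in AVAILABILITY_OPTIONS.get(d.system, set()):
        problems.append(f"{d.io_option} I/O is not available in {d.system}")

    for st in d.stations:
        # Rule 3: F-SMs in the central rack are possible in S7 Distributed Safety only.
        if st.kind == "central S7-300" and st.has_f_modules and d.system != "S7 Distributed Safety":
            problems.append("centralized F-SMs are only possible in S7 Distributed Safety")

        # Rule 4: safety protector for S7-300 F-SMs at SIL3/Category 4. ET 200S and
        # ET 200eco fail-safe modules are isolated internally (250 VAC) and need none.
        if d.sil >= 3 and st.has_f_modules and st.kind in ("central S7-300", "ET 200M"):
            required = (
                st.kind == "central S7-300"      # always for centralized F-SMs
                or d.bus_medium == "copper"      # always on copper PROFIBUS DP
                or st.has_standard_modules       # fiber, but mixed SMs in one ET 200M
            )
            if required and not st.safety_protector:
                problems.append(f"safety protector required for F-SMs in {st.kind} at SIL3/Category 4")
    return problems


if __name__ == "__main__":
    # Constructed sample design: SIL3 on copper PROFIBUS DP without a safety protector.
    plan = Design("S7 Distributed Safety", "CPU 315F-2 DP", 3, "copper", "single-channel",
                  [IoStation("ET 200M", True, False)])
    for p in check_design(plan):
        print("violation:", p)
```

The checker deliberately reports every violation rather than stopping at the first, since a reviewer wants the complete list before the hardware is ordered; the SIL threshold, the bus medium and the mixed-module flag are exactly the three inputs that decide whether the safety protector is mandatory.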


Configuration Example of S7 Distributed Safety: Single-channel I/O (Stand-alone IM 151-7 F-CPU)

Figure 2-7 S7 Distributed Safety with Single-channel I/O (Stand-Alone IM 151-7 F-CPU)

Distributed Configuration of S7 Distributed Safety and PROFIBUS DP with Copper Cable

    The following are required for distributed configuration with copper cable:

    • One CPU 416F-2, CPU 31xF-2 DP, CPU 31xF-2 PN/DP or IM 151-7 F-CPU

    • One PROFIBUS DP line

    • Fail-safe I/O, for example:

 – One ET 200M with: IM 153-2, F-SMs, and, if necessary, standard SMs, safety protector (required for SIL3/Category 4 applications only)

 – One ET 200S with: IM 151-1 HIGH FEATURE or IM 151-7 F-CPU, fail-safe modules, and, if necessary, ET 200S standard modules

 – One ET 200pro with: IM 154-2 HIGH FEATURE, fail-safe modules, and, if necessary, ET 200pro standard modules

     – ET 200eco fail-safe I/O module

     – Fail-safe DP standard slaves

    • Bus connector for connecting the F-CPU and fail-safe I/O to the PROFIBUS DP


Configuration Example of S7 Distributed Safety: Single-channel I/O (Distributed Configuration with Copper Cable)

Figure 2-8 S7 Distributed Safety with Single-channel I/O (PROFIBUS DP, Copper Cable)

Distributed Configuration of S7 Distributed Safety and PROFIBUS DP with Fiber-optic Cable

    The following are required to configure PROFIBUS DP with fiber-optic cables:

    • One CPU 416F-2, CPU 31xF-2 DP, CPU 31xF-2 PN/DP or IM 151-7 F-CPU

    • One PROFIBUS DP line

    • Fail-safe I/O, for example:

 – One ET 200M with: IM 153-2 FO, F-SMs, and, if necessary, standard SMs, safety protector (required for SIL3/Category 4 applications only if F-SMs and standard SMs are used together in an ET 200M)

 – One ET 200S with: IM 151-1 HIGH FEATURE or IM 151-7 F-CPU, fail-safe modules, and, if necessary, ET 200S standard modules

 – One ET 200pro with: IM 154-2 HIGH FEATURE, fail-safe modules, and, if necessary, ET 200pro standard modules

• Components for connecting the F-CPU and fail-safe I/O to the fiber-optic cable, for example, OLM/OBT


Configuration Example of S7 Distributed Safety: Single-channel I/O (Distributed Configuration with Fiber-optic Cable)

Figure 2-9 S7 Distributed Safety with Single-channel I/O (PROFIBUS DP, Fiber-optic Cable)

Distributed Configuration of S7 Distributed Safety and PROFINET IO

    The following are required to set up PROFINET IO:

• One CPU 31xF-2 PN/DP or CPU 416F-2 (as of firmware version V4.1) with CP 443-1 Advanced

    • One PROFINET IO line

    • Fail-safe I/O for PROFINET IO, for example:

 – One ET 200pro with: IM 154-4 PN HIGH FEATURE, fail-safe modules and ET 200pro standard modules, if necessary

 – One ET 200S with: IM 151-3 PN HIGH FEATURE, fail-safe modules and ET 200S standard modules, if necessary

    • Fail-safe I/O standard devices

    • Components for configuring PROFINET

     – Passive network components (cables, plugs)

     – Active network components (switches, routers, etc.) if necessary


Configuration Example of S7 Distributed Safety and PROFINET IO

Figure 2-10 S7 Distributed Safety with Single-channel I/O (PROFINET IO)

Limits of Availability with Single-channel I/O

In the event of a fault, the I/O are no longer available. The F-I/O is passivated. Possible fault causes:

    • Failure of F-I/O

    • Failure of interface module in an ET 200M, ET 200S or ET 200pro

    • Failure of the entire ET 200M, ET 200S, ET 200pro or ET 200eco

    • Fai