Siemens SIMATIC S7 Functional Safety Manual page 117

Reintegration of a fail-safe signal module
A channel or module can be reintegrated after successful diagnostics determine that a fault
has cleared.
You can configure reintegration as automatic or manual. You can make this selection on a
per channel or module basis in the Device Configuration. Communication errors must always
be manually acknowledged.
Channels that you select to be automatically reintegrated are immediately reintegrated when
the fault has cleared.
Channels that you select to be manually reintegrated can be acknowledged in your program
after the fault has cleared.
The "ACK_REQ" bit for that module goes true to signal that reintegration is possible. After
the "ACK_REQ" bit is true, your program can set the "ACK_REI" bit to allow the reintegration
of all channels in that module that are ready to be reintegrated.
You can also acknowledge all faults in an F-runtime group using the "ACK_REI_GLOB" input
of the "ACK_GL" instruction.
Some fatal diagnostic errors require a power cycle with successful diagnostics to reintegrate.
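The acknowledgment rules described above, modelled in Python as an added example (not Siemens code and not part of the manual). The class and method names are hypothetical, and recording a communication error per channel is a simplifying assumption.

```python
from dataclasses import dataclass

# Hypothetical model of the rules in this section; names are not Siemens identifiers.
@dataclass
class Channel:
    manual: bool              # reintegration mode chosen in the Device Configuration
    fault: bool = False       # diagnostics currently report a fault
    passivated: bool = False
    comm_error: bool = False  # assumption: communication errors tracked per channel

    def ready(self) -> bool:
        # Fault cleared, still passivated, and an acknowledgment is required.
        return self.passivated and not self.fault and (self.manual or self.comm_error)

class FailSafeModule:
    def __init__(self, modes):
        self.channels = [Channel(manual=m) for m in modes]

    def report_fault(self, i, comm_error=False):
        ch = self.channels[i]
        ch.fault, ch.passivated, ch.comm_error = True, True, comm_error

    def clear_fault(self, i):
        ch = self.channels[i]
        ch.fault = False
        # Automatic channels reintegrate at once, but never after a communication error.
        if not ch.manual and not ch.comm_error:
            ch.passivated = False

    @property
    def ack_req(self) -> bool:
        return any(ch.ready() for ch in self.channels)

    def ack_rei(self) -> int:
        """Acknowledge: reintegrate every ready channel and return how many."""
        done = [ch for ch in self.channels if ch.ready()]
        for ch in done:
            ch.passivated, ch.comm_error = False, False
        return len(done)

    def passivated(self):
        return [ch.passivated for ch in self.channels]

def scenario():
    sm = FailSafeModule([False, True, True])  # constructed: ch0 automatic, ch1/ch2 manual
    for i in range(3):
        sm.report_fault(i)
    sm.clear_fault(0)                         # automatic: back in service at once
    step1 = (sm.passivated(), sm.ack_req)
    sm.clear_fault(1)                         # manual: ACK_REQ goes true
    step2 = (sm.passivated(), sm.ack_req)
    count = sm.ack_rei()                      # ch2 still faulted, stays passivated
    return step1, step2, (count, sm.passivated(), sm.ack_req)
```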
WARNING
Reintegration after high stress events
High temperature, high voltage, and excessive current stress can damage electronics,
reducing the reliability while components continue to work apparently as expected.
Passivation does not remove the potentially damaging effects of high ambient temperature
or high applied voltage. Relays and solid state switch outputs can be damaged by high
currents prior to protective device activations. The PFD and PFH reliability calculations
assume the fail-safe SM is operated within its specified operating parameters. When an SM
has passivated due to a high stress event, even though it apparently works correctly and
passes all diagnostics, the probability of a future dangerous failure may be increased.
It is possible to reintegrate a channel or module while some fault is still present that is not
readily detected by the module diagnostics.
Reintegration of a faulty system can result in unexpected machine or process operation,
which may cause death or serious injury to personnel, and/or damage to equipment.
After any reported fault, the steps outlined in this chapter and in safety standards applicable
to your system should be followed to assure that the fault is completely understood and
corrected before reintegration.
For an exact list of faults for the SMs, refer to "Fault types, causes, and corrective measures"
(Page 125).
At reintegration, the following occurs:
● For a fail-safe DI SM, the process values pending at the fail-safe inputs are provided for
the safety program.
● For a fail-safe DQ SM, the output values provided in the safety program are again
transferred to the fail-safe outputs.
S7-1200 Functional Safety Manual
Manual, 02/2015, A5E03470344-AA
Fail-Safe signal module (SM) diagnostics
6.1 Reactions to faults
117

This manual is also suitable for: SIMATIC S7-1200