Siemens SIMATIC S7 Functional Safety Manual page 118

Fail-Safe signal module (SM) diagnostics
6.1 Reactions to faults
Safety repair time
The repair time used for PFH and PFD calculations is 100 hours.
Passivation is designed to provide the safe state of the safety function in the event of a
single fault. While a channel is passivated and energy is still available to the channel, there
is a possibility that additional faults can cause a dangerous failure of the safety function. You
should respond to passivations by repairing the fault or taking the passivated channel out of
service in less than 100 hours to preserve the safety integrity level of your system.
Deactivated fail-safe I/O is not being diagnosed, and is subject to dangerous failure without
warning.
If any channel passivation persists for 100 hours, the entire module is passivated and can
only be recovered through power cycle.
If a repair within 100 hours is not possible, passivated fail-safe outputs should be taken out
of service by physically disconnecting or opening circuits so that faults in the fail-safe SM
cannot apply energy to the load. To remove input channels from service in an operating PLC
system, references to any passivated fail-safe inputs must be removed from any operating
CPU Safety program logic that can result in activation of a safety function output.
Do not depend on channel or module passivation to maintain safe state for more than 100
hours.
Do not depend on deactivation or unconfiguration to maintain safe state in any
circumstances.
Additional information on passivation and reintegration
For further information about fail-safe SM access, refer to the SIMATIC, Industrial Software,
SIMATIC Safety - Configuring and Programming, Programming and Operating Manual
(http://support.automation.siemens.com/WW/view/en/54110126/0/en).
118
S7-1200 Functional Safety Manual
Manual, 02/2015, A5E03470344-AA