Siemens SIMATIC S7 Functional Safety Manual page 12

Product overview
1.1 Overview
Principles of safety functions in SIMATIC Safety
You implement functional safety using the hardware and firmware of the fail-safe CPUs and signal modules (SM) in conjunction with the safety program downloaded by the engineering software (ES). The SIMATIC Safety system executes the safety function to bring the system to a safe state, or to maintain a safe state, in case of a dangerous event.

The fail-safe SMs ensure the safe processing of field information (for example, sensors such as emergency OFF pushbuttons and light barriers, and actuators for motor control). The fail-safe SMs have the hardware and software components required for safe processing in accordance with the required Safety Integrity Level (SIL).

You provide the safety function for the process through the application program that you create, or by the reaction of the fail-safe system to a fault. In the event of an error, if the fail-safe system can no longer execute its actual user safety function, it executes the fault reaction function (for example, the fail-safe system shuts down the associated outputs).
Example of user safety function
If an object interrupts the beam of a light curtain, the fail-safe system stops the motion in the area protected by the light curtain (user safety function):
● The light curtain provides a "1" signal, perhaps redundantly, to say the light beam is not broken, or "0" to say the light beam is broken.
● The fail-safe digital input signal module (SM) acquires the signal from the light curtain and provides the state to the fail-safe CPU through a safe communication protocol. Redundant processors with mutual diagnostics in the fail-safe digital input SM provide a high assurance that a "1" is provided only when correct, and that faults result in a "0" being provided.
● The fail-safe CPU executes your user program for normal control of the motion and includes your programmed safety logic, which says that a "1" from the light curtain is required to enable the motion. Your programmed safety logic is encoded by the Engineering System in redundant logic steps that give a high assurance that any fault in CPU execution results in an identified discrepancy and an output of "0". If the CPU fails to receive verifiable communication from the fail-safe digital input SM within the required time, the fail-safe CPU replaces the signal from the fail-safe digital input SM with "0".
● The fail-safe CPU delivers the results of the safety logic to the fail-safe digital output SM through the safe communication protocol. A "1" signal from your safety logic enables motion by turning an output channel ON; a "0" turns the output channel OFF. Redundant processors with mutual diagnostics in the fail-safe digital output SM provide a high assurance that the redundant output switches (series relay contacts or P/M 24 VDC solid-state switches) are turned ON only when this is correct, and that at least one output switch turns OFF if a fault occurs. If the fail-safe digital output SM fails to receive verifiable communication from the fail-safe CPU within the required time, the fail-safe digital output SM replaces the signal from the fail-safe CPU with "0" and turns the outputs OFF.
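The light-curtain chain described above, modelled as an added Python example (this is illustration code written for this page, not Siemens code and not the S7-1200 firmware or its safe communication protocol). It assumes simplified names (`fail_safe_di`, `fail_safe_cpu`, `fail_safe_do`, `SafeFrame`), a constructed monitoring time `WATCHDOG_MS`, and a frame that carries only a value, its age and an integrity flag; the point it shows is that every stage falls back to "0" on a discrepancy, a missing frame or a stale frame, so motion is enabled only when the whole chain is verifiably correct.

```python
"""Simplified model of the fail-safe chain:
light curtain -> fail-safe DI module -> fail-safe CPU -> fail-safe DO module.

Assumptions (not from the manual): the monitoring time, the frame format and
the function names are invented for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SAFE = 0            # substitute value every stage falls back to
WATCHDOG_MS = 100   # assumed monitoring time for safe communication


@dataclass
class SafeFrame:
    """One message on the safe communication channel (assumed, simplified)."""
    value: int
    age_ms: int           # time since the frame was produced by the sender
    crc_ok: bool = True   # assume the integrity check has already been evaluated


def _verified(frame: Optional[SafeFrame]) -> int:
    """Return the frame's value only if it is present, intact and fresh; else '0'."""
    if frame is None or not frame.crc_ok or frame.age_ms > WATCHDOG_MS:
        return SAFE
    return frame.value


def fail_safe_di(channel_a: int, channel_b: int) -> int:
    """Redundant DI processors: a '1' is reported only when both readings agree on '1'.
    A '0' on either channel, or a discrepancy between them, yields '0'."""
    return 1 if (channel_a == 1 and channel_b == 1) else SAFE


def fail_safe_cpu(di_frame: Optional[SafeFrame], enable_request: int) -> int:
    """Safety logic: motion needs a verified '1' from the DI and an enable request.
    The logic is evaluated twice with different encodings (a stand-in for the
    redundant logic steps generated by the Engineering System); any discrepancy
    triggers the fault reaction, i.e. an output of '0'."""
    curtain = _verified(di_frame)
    result_a = 1 if (curtain == 1 and enable_request == 1) else 0
    result_b = 0 if (curtain != 1 or enable_request != 1) else 1
    if result_a != result_b:
        return SAFE   # identified discrepancy in CPU execution
    return result_a


def fail_safe_do(cpu_frame: Optional[SafeFrame]) -> Tuple[bool, bool]:
    """Redundant DO: two series switches. Both are ON only on a verified '1';
    on '0', a missing or stale frame, both are turned OFF."""
    if _verified(cpu_frame) != 1:
        return (False, False)
    return (True, True)


def motion_enabled(switches: Tuple[bool, bool]) -> bool:
    """Series switches: current flows only when every switch is closed."""
    return all(switches)


def run_chain(channel_a: int, channel_b: int, enable_request: int,
              di_age_ms: int = 0, cpu_age_ms: int = 0,
              di_lost: bool = False, cpu_lost: bool = False) -> bool:
    """Run one cycle of the chain and report whether motion is enabled."""
    di_value = fail_safe_di(channel_a, channel_b)
    di_frame = None if di_lost else SafeFrame(di_value, di_age_ms)
    cpu_value = fail_safe_cpu(di_frame, enable_request)
    cpu_frame = None if cpu_lost else SafeFrame(cpu_value, cpu_age_ms)
    return motion_enabled(fail_safe_do(cpu_frame))


if __name__ == "__main__":
    # Constructed scenarios: only the first one should enable motion.
    scenarios = {
        "beam clear, all communication fresh": run_chain(1, 1, 1),
        "beam broken on one channel (discrepancy)": run_chain(1, 0, 1),
        "DI frame older than the monitoring time": run_chain(1, 1, 1, di_age_ms=250),
        "DI frame lost": run_chain(1, 1, 1, di_lost=True),
        "CPU frame lost": run_chain(1, 1, 1, cpu_lost=True),
        "no enable request": run_chain(1, 1, 0),
    }
    for name, enabled in scenarios.items():
        print(f"{name:45s} -> motion {'ENABLED' if enabled else 'OFF'}")
```

Each stage applies the same rule the text states for the real modules: the absence of a verifiable, timely message is treated exactly like a "0", so a lost frame anywhere in the chain lands the outputs in the safe state rather than leaving them in their last state.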
12
S7-1200 Functional Safety Manual
Manual, 02/2015, A5E03470344-AA
