Fail-Safe Signal Module (Sm) Applications - Siemens SIMATIC S7 Functional Safety Manual


Fail-Safe signal module (SM) applications

This chapter presents typical application examples for connection of functional safety input
and output channels, with a statement of the safety performance (SIL/Category/PL) that is
possible for each example.

The PLC system typically contributes only a small part of the total probability of dangerous
failure. The probability of dangerous failures of the sensors and actuators will typically be far
larger than the PFH/PFD of the PLC system. Faults in the wiring system can also be a
substantial contributor.

To achieve a targeted level of safety performance for each safety function, you must:
● Choose an appropriate architecture
● Choose sensors and actuators that are appropriately rated
● Provide a safety program that meets the requirements of the safety function
● Provide diagnostics and proof tests to maintain the ratings of the sensors and actuators
● Use wiring installation practices, diagnostics, and proof tests to assure wiring integrity
● Control operating and maintenance procedures for the lifetime of the installation

The S7-1200 Fail-Safe system provides a high level of internal diagnostic coverage.
Diagnostic coverage of your external circuits, sensors, and actuators depends on your
design choices using features of the PLC system and other measures.

The PFH/PFD of each S7-1200 fail-safe component is stated assuming no field proof test
within the lifetime of the product. Sensors and actuators typically require regular proof tests
to maintain an expected level of safety performance.
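
The following added example (not part of the Siemens manual) works through a PFH budget for one safety function to show why the PLC share of the total is usually small and where improvement effort pays off. The component names and PFH values are constructed for illustration; the SIL limits are the IEC 61508 high-demand PFH bands, and the check covers the PFH criterion only, not architecture or diagnostic coverage requirements.

```python
# Added example: PFH budget for one safety function (high-demand mode).
# Component names and PFH values are constructed, not data-sheet values.

# IEC 61508 high-demand PFH limits: (SIL, exclusive upper bound in 1/h).
SIL_BANDS = [(4, 1e-8), (3, 1e-7), (2, 1e-6), (1, 1e-5)]

LOOP = {  # constructed PFH values in 1/h
    "sensor": 4.0e-8,
    "plc": 3.0e-9,  # input module + CPU + output module combined (assumed)
    "wiring": 1.0e-8,
    "actuator": 1.5e-7,
}


def sil_from_pfh(pfh):
    """Highest SIL whose PFH limit is met; 0 if even SIL 1 is missed."""
    for sil, upper in SIL_BANDS:
        if pfh < upper:
            return sil
    return 0


def evaluate(components, target_sil):
    """Sum the PFH of all components and report which one dominates."""
    total = sum(components.values())
    shares = {name: pfh / total for name, pfh in components.items()}
    achieved = sil_from_pfh(total)
    return {
        "total_pfh": total,
        "sil_by_pfh": achieved,
        "meets_target": achieved >= target_sil,
        "dominant": max(shares, key=shares.get),
        "shares": shares,
    }


def without(components, name):
    """Same loop with one component made ideal (PFH = 0), for what-if checks."""
    return {k: (0.0 if k == name else v) for k, v in components.items()}


if __name__ == "__main__":
    base = evaluate(LOOP, target_sil=3)
    print(f"total PFH {base['total_pfh']:.2e}/h -> SIL {base['sil_by_pfh']} by PFH")
    for name, share in base["shares"].items():
        print(f"  {name:9s} {share:6.1%}")
    # An ideal PLC changes nothing here; the actuator decides the result.
    print("ideal PLC:     ", evaluate(without(LOOP, "plc"), 3)["sil_by_pfh"])
    print("ideal actuator:", evaluate(without(LOOP, "actuator"), 3)["sil_by_pfh"])
```
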

The reaction time of each safety function depends on the reaction time of each component,
including the sensor, the PLC system, and the actuator. "Fail-Safe response times"
(Page 197) gives further information on delay times through the PLC components. You must
choose PLC parameters and external component reaction times to achieve a total safety
reaction time goal.

In addition to total delay from safety demand input to safe actuator response, you must
consider these additional time-related factors. Refer to "Fail-Safe response times"
(Page 197) for exact information:
● To be assured of a safety response, a safety demand signal from the input sensor must
last long enough to be seen by the safety program. Your configured filter time,
discrepancy resolution time, short circuit test duration, and F-monitoring times all
contribute to this time.

S7-1200 Functional Safety Manual
Manual, 02/2015, A5E03470344-AA
