SIMATIC
Manual
This manual is part of the documentation package with the order number: 6ES7988-8FA10-8BA0
Edition 02/2003
A5E00085588-03
Cover tabs: Important Information - List of Safety Notes; Contents; Fail-Safe Function Blocks; Appendices; Check Lists; References; Glossary, Index


Summary of Contents for Siemens SIMATIC S7 F

  • Page 1: Table Of Contents

    Important Information - List of Safety Notes Contents SIMATIC Product Overview Getting Started Programmable Controllers Safety Mechanisms S7 F/FH Systems Configuration Manual Programming Operation and Maintenance Safety Fail-Safe Function Blocks Appendices Check Lists References Glossary, Index This manual is part of the documentation package with the order number: 6ES7988-8FA10-8BA0 Edition 02/2003...
  • Page 2 Trademarks SIMATIC®, SIMATIC HMI® and SIMATIC NET® are registered trademarks of SIEMENS AG. Some of the other designations used in these documents are also registered trademarks; the owner’s rights may be violated if they are used by third parties for their own purposes.
  • Page 3 Important Information Purpose of the Manual The information contained in this manual enables you to configure and program S7 F/FH Systems using S7 F Systems V5.2. Target Group This manual is intended for system planners, configuration engineers and programmers. Knowledge of STEP 7 and CFC is assumed in most areas. Contents This manual describes how to work with the S7 F/FH Systems using S7 F-Systems V5.2 software.
  • Page 4: Programmable Controllers

    Important Information What’s New? The following changes are new in the S7 F Systems V5.2 (Topic / Chapter): New Fail-Safe Blocks / Fail-Safe Blocks; Introduction to the F_Shutdown Logic / Getting Started; Support of the new ET 200S failsafe modules to the S7 F/FH Systems / Throughout the document...
  • Page 5 Additional Support For any unanswered questions about the use of products presented in this manual, contact your local Siemens representative: http://www.siemens.com/automation/partner Training Center We offer courses to help you get started with the S7 automation system. Contact your regional training center or the central training center in Nuremberg (90327), Federal Republic of Germany.
  • Page 6 Technical Support Local time: 24 hours per day/365 days per year; Telephone: +49 (0) 180 5050-222; Fax: +49 (0) 180 5050-223; E-mail: adsupport@siemens.com; GMT: +1:00. Regions: Europe/Africa (Nuremberg), United States (Johnson City), Asia/Australia (Beijing). Authorization Technical Support and Technical Support and...
  • Page 7 Service & Support on the Internet In addition to our paper documentation, we also provide all of our technical information on the Internet at: http://www.siemens.com/automation/service&support Here, you will find the following information: • Newsletter providing the latest information on your products •...
  • Page 8 Important Information Fail-Safe Systems viii A5E00085588-03...
  • Page 9 Safety Notes: Keep Safety and Standard Functions Separate (1-19); Public Network Safety F-CPU Communication Not Allowed (3-12); Safety Rules for Safety Operation (4-2); CPU containing safety program must have a password (4-3); I/O Group Diagnosis (4-5); Modify Variables can cause Shutdown (4-7); Limiting Access through ES (4-8); Password Protection (4-8); Safety Program and CPU Passwords should be different (4-9)...
  • Page 10 Safety Notes: Safety Program can be installed in OB 3x ONLY (8-8); Do NOT change CRC_IMP input (8-26); Use F_LIM_R for plausibility check of standards to F-data conversion (8-35); Reintegration through User Acknowledgement with F_QUITES (8-45); PD_FLAG not to be interconnected (8-56); F_SHUTDN in slowest configured OB (8-74) Fail-Safe Systems A5E00085588-03...
  • Page 11: Product Overview

    Contents Product Overview: Overview (1-1); Basic Configuration Variants (1-4); Components of an S7 F System (1-7); Hardware Components (1-8); Software Components (1-10); Installing the S7 F Systems Optional Package (1-11); 1.6.1 Getting Started Information Applicable to All Use-Case-Scenarios (1-11); 1.6.2 Use-case-scenarios (1-12); Working with F-Systems (1-19). Getting Started: Introduction (2-1); S7 F System - Getting Started (2-4)...
  • Page 12: Configuration

    Contents Configuration: Overview (4-1); Hardware Configuration and Parameter Assignment (4-1); CPU Parameter Assignment (4-3); Parameter Assignment of F-I/Os (4-4); Configuring Redundant F-I/Os (4-6); Configuring the Networks and Connections (4-6); Programming Device Functions in STEP 7 (4-7); Setting up, Modifying and Cancelling Access Rights (4-8); 4.8.1 Setting up Access Rights for the CPU (4-8); 4.8.2...
  • Page 13: Operation And Maintenance

    Contents Operation and Maintenance: Operation and Maintenance of the F-Systems (6-1); Rules for Operation (6-1); Working with the Safety Program (6-2); Changing the Safety Program (6-3); Replacing Software and Hardware Components (6-4); Uninstalling the S7 F/FH System (6-5); Safety Standards, Certificates and Approvals (7-1); Safety Requirements (7-4); System Configuration (7-7); Monitoring Times (7-8)...
  • Page 14 Contents: 8.5.5 F_START (8-54); F Control Blocks (8-55); 8.6.1 F_CYC_CO (8-56); 8.6.2 F_M_DI8 (8-58); 8.6.3 F_M_DI24 (8-61); 8.6.4 F_M_DO8 (8-64); 8.6.5 F_M_DO10 (8-66); 8.6.6 F_M_AI6 (8-68); 8.6.7 F_PLK (8-70); 8.6.8 F_PLK_O (8-71); 8.6.9 F_SHUTDN (8-72); 8.6.10 F_TEST (8-77); 8.6.11 F_TESTC (8-78); 8.6.12 F_TESTM (8-79); 8.6.13 DB_RES (8-80); 8.6.14 DB_INIT (8-81); 8.6.15...
  • Page 15 Contents: 8.13.9 F_LIM_R (8-123); 8.13.10 F_SQRT (8-124); 8.13.11 F_AVEX_R (8-125); 8.13.12 F_SMP_AV (8-127); 8.14 Multiplex Blocks (8-128); 8.14.1 F_MUX2_R (8-128); 8.15 Error Handling (8-129); 8.15.1 Error Handling of Driver Blocks (8-130); 8.15.2 Error Information at the Outputs of the Driver Blocks (8-132); 8.15.3 Error Information in the Diagnostic Buffer (8-134); 8.15.4 Error Information at the Output RETVAL (8-140); 8.16...
  • Page 17: Product Overview

    Product Overview Overview SIMATIC S7 F/FH Systems The S7 F/FH Programmable Controllers (F-Systems) are used in systems with increased safety requirements. The aim of the S7 F/FH System is to control processes that can immediately be returned to a safe state. In other words, when these processes are suddenly shut down, it represents no danger to either man or the environment.
  • Page 18 Product Overview The safety functions are primarily incorporated in the following components: • In the safety-related user program on the central processing unit • In the fail-safe input/output modules Safety and Availability To increase the availability of the automation system and consequently avoid process downtimes as a result of failures in the F-System, fail-safe systems can be optionally configured for high availability (fault tolerance).
  • Page 19 Product Overview (figure: example configuration with operator stations (OS), a central engineering system (ES), standard Ethernet, Industrial Ethernet or PROFIBUS, S7 F Systems on S7-400, S7 FH Systems on S7-400H, standard SMs and F-SMs in ET 200M stations, boiler protection)...
  • Page 20: Basic Configuration Variants

    Product Overview Basic Configuration Variants This section describes the two basic configuration variants of F-Systems: • Fail-safe S7 F System • Fail-safe, fault-tolerant S7 FH System S7 F System The S7 F System is a fail-safe automation system consisting of at least the following components: •...
  • Page 21 Product Overview S7 FH System The S7 FH System is a fail-safe, fault-tolerant automation system consisting of at least the following components: • A fault-tolerant S7 400H system (master and standby) running a fail-safe (F) user program • One or more fail-safe inputs/outputs (F-I/Os) in a distributed I/O device (redundancy optional) The following figure shows an example of an S7 FH configuration with a redundant CPU, shared, switched distributed I/O modules connected via a redundant system...
  • Page 22 Product Overview Combination of Standard, Fault-Tolerant and Fail-Safe Components Standard, fault-tolerant (H) and fail-safe (F) components and systems can be used together as follows: • Standard systems, H systems, F Systems and FH Systems can be used together in a single system. •...
  • Page 23: Components Of An S7 F System

    Product Overview Components of an S7 F System The figure below shows the hardware and software components required for the configuration and operation of the S7 F (figure labels: S7 F programmable controller; F user program; F run-time license; programming device; distributed I/O device (optionally redundant); optional package)...
  • Page 24: Hardware Components

    Product Overview Compatibility of standard and fail-safe components in a programmable logic controller If you use a safety protector in the ET 200M, then you can operate fail-safe signal modules with the S7-300 standard signal modules in an ET 200M even in safety mode in SIL 3.
  • Page 25 Product Overview ET 200M F-I/Os can be used in a single-channel or redundant configuration: Please refer to the manual: Automation System S7-300 Fail-Safe Signal Modules’ For ET 200S: • PM-E F 24 VDC PROFIsafe Power Module • 4/8 F-DI 24 VDC PROFIsafe Digital Electronic Module •...
  • Page 26: Software Components

    Product Overview Software Components The S7 F Systems have the following software components: • S7 F Systems (Programming) • S7 F Configuration Pack (Configuration of the F-I/O’s) • The fail-safe user program (F user program) on the CPU The S7 F Systems Optional Package The S7 F Systems optional package is available for the configuration and programming of the S7 F System.
  • Page 27: Installing The S7 F Systems Optional Package

    Product Overview Installing the S7 F Systems Optional Package Before using an existing project with S7 F Systems V5.2, please read this entire section which provides you with: • getting started information applicable to the three use-case-scenarios described below. • the three use-case-scenarios are as follows, please select the one that best suits your needs: 1.
  • Page 28: Use-Case-Scenarios

    STEP 7’s main help system. Note SIMATIC S7 F Systems V5.0 license also supports V5.2 F-Copy License An F-Copy License permits you to use the CPU as an F-CPU (e.g. to run a Safety Program on it).
  • Page 29 Product Overview Software Requirements The following software packages must be installed on the PC/programming device in order to use, modify, or create projects based on Failsafe Blocks (V1_1) library with S7 F Systems V5.2: • S7 F Systems V5.2 • STEP 7 V5.1.3 or higher •...
  • Page 30 Product Overview Scenario 2: Upgrading Failsafe Blocks (V1_1) Projects to Failsafe Blocks (V1_2) Use this scenario if you wish to: Upgrade current projects based on Failsafe Blocks (V1_1) to the new Failsafe Blocks (V1_2) library contained in S7 F Systems V5.2. You must have the minimum software requirements to allow this.
  • Page 31 Open the library within SIMATIC Manager by choosing File > Open… and press the Browse button. d. Open the folder \SIEMENS\STEP7\S7LIBS and select Failsafe Blocks (V1_2) and press OK. This will open the Failsafe Blocks (V1_2) library. Fail-Safe Systems...
  • Page 32 Product Overview e. Close the library. Go back to step 2.a. 3. Choose the Options > Edit Safety Program menu command. 4. Press the Library Version... button. 5. Select the library to which you wish to upgrade, and press the OK button. 6.
  • Page 33 Product Overview 9. Press the New Version... button to import. 10. Recompile the program. Important Note You must import the new block type after upgrading the library to ensure all blocks are up to date. Failure to import new block types may result in a failed compile. Important Note Unplaced F-Blocks from the block container are automatically deleted when the safety program is compiled.
  • Page 34 Product Overview Scenario 3: Modifying or Creating Projects Based on Failsafe Blocks (V1_2) Use this scenario if you wish to: Modify or create projects based on Failsafe Blocks (V1_2) library contained in S7 F Systems V5.2. You must have the minimum software requirements to allow this. Software/Firmware Requirements The following software packages must be installed on the PC/Programming Device/Workstation in order to modify or create projects based on Failsafe Blocks...
  • Page 35: Working With F-Systems

    Product Overview Working with F-Systems This section describes the basic procedure for working with fail-safe systems. Only those steps that are relevant to F-Systems and differ from the standard procedure are included. Planning the System Process-dependent planning tasks such as defining a piping and instrumentation diagram, creating a flowchart, creating a measuring point list, defining a structure, etc.
  • Page 36 Product Overview Basic Procedure: Configure S7 F/FH hardware (set addresses on the F-I/Os via DIP switches; wire modules according to the required circuit program). Configure system (parameterize CPU for safety program; parameterize F-I/Os according to safety class and circuit diagram). Create Safety Program (place, interconnect, and parameterize F function blocks; generate executable code and load to the CPU of the S7 F/FH). Commission the system...
  • Page 37 Product Overview Compiling as a Program To compile the Safety Program, proceed as follows: 1. Carry out a consistency check by choosing the Chart > Check Consistency >Charts as Program menu command. (This step is optional.) 2. Choose the Chart > Compile > Charts as Program menu command. 3.
  • Page 39: Getting Started

    Getting Started Introduction This introduction uses concrete examples to walk you through the steps required to create a working application, which will enable you to discover how a fail-safe automation system works, and how it behaves in the event of a fault/error. The following two systems will be used as examples to lead you through the initial commissioning phase to an actual working application.
  • Page 40 Getting Started Restart The shutdown logic’s F_SHUTDN RESTART input allows you to restart the Safety Program that has been shutdown. Reintegration of I/O may be necessary after this action. Shutdown The Shutdown logic responds to an internal diagnostic that has detected a failure by disabling either the entire Safety Program (Full Shutdown) or the isolated F-run-time group (Partial Shutdown).
  • Page 41 Getting Started You will then be able to configure a fault-tolerant F-system. Sample Projects Provided Note The sample projects require Step 7 V5.2 and the S7 H Systems Optional Package Version 5.1. You can find two sample projects in step7\Examples: •...
  • Page 42: S7 F System - Getting Started

    Getting Started S7 F System - Getting Started 2.2.1 S7 F System, Setting up the Hardware The following figure shows you an example of a hardware configuration (figure labels: S7 F programmable controller; single-channel, one-sided ET 200M distributed I/O; fail-safe signal modules; PROFIBUS DP cable; safety protector module)...
  • Page 43 Getting Started Connect actuators, or alternatively terminating resistors, to the output module (e.g. between 12 Ω and 3.4 kΩ with 1 watt), or disable group diagnosis for unused channels in the hardware configuration. Interface restrictions between S7-400 CPU and ET 200M I/O The ET 200M components which can be used in safety mode depend on the safety class and the use of a safety protector in the ET 200M configuration: •...
  • Page 44: Configuring The S7 F System

    Getting Started 2.2.2 Configuring the S7 F System The following steps show you how to create a new project and configure the hardware setup described above. Procedure 1. Open SIMATIC Manager, and create a new project called "FProject" using the File >...
  • Page 45 Getting Started 8. Select the CPU, and choose the Edit > Object Properties menu command (or double-click the CPU): The "Properties - CPU 417-4H" dialog box appears: Enter a password for the CPU on the "Protection" tab, and select the "CPU Contains Safety Program"...
  • Page 46: S7 F System, Creating A Fail-Safe User Program

    Getting Started 2.2.3 S7 F System, Creating a Fail-Safe User Program In the following steps you create a fail-safe CFC user program that interconnects the fail-safe inputs with the fail-safe outputs. The Safety Program consists of several charts: • At least one chart for user logic program interconnection (F-Blocks) •...
  • Page 47 Getting Started Inserting F-Blocks 1. Close the Run Sequences either by closing the window within CFC editor, or pressing Control-F11. 2. Insert user logic such as F_ADD_R, F_LIM_R etc… Refer to section Inserting and Interconnecting Fail-Safe Blocks for details. Note 1 The fail-safe blocks of the Failsafe Blocks library are yellow to differentiate them from standard blocks.
  • Page 48 Getting Started 11. Check again in the run-time group overview whether all the F-blocks are in the F-blocks run-time groups as required. Compilation of the Blocks Choose the Chart > Compile > Charts as Program menu command to compile your program. Activate the Generate Module Drivers option. You will be prompted to enter a password for the safety program (see above under Passwords).
  • Page 49: Starting Up The S7 F System

    Getting Started • In a separate chart @F_DbInit contains the DB_INIT function blocks required for performing an F-run-time group coldstart. • All the required error OBs have also been inserted in the block container in SIMATIC Manager. Note The CFC charts with fail-safe blocks are yellow and marked with an "F" to distinguish them from standard charts.
  • Page 50: S7 F System, Monitoring Errors

    Getting Started 2.2.5 S7 F System, Monitoring Errors Removing the Front Connector 1. Remove the front connector of the SM 326F DI24xDC24V. You have triggered an error at the SM 326F DI24xDC24V. The SF LED comes on and the SAFE LED goes out. The EXTF LED of the CPU comes on, but the CPU remains in RUN.
  • Page 51: Fault-Tolerant S7 Fh System - Getting Started

    Getting Started Fault-Tolerant S7 FH System - Getting Started 2.3.1 Fault-Tolerant S7 FH System, Setting Up the Hardware The following figure shows you an example of a hardware configuration (figure labels: S7 FH programmable controller; single-channel, switched ET 200M distributed I/O; fail-safe signal modules; redundant DP master systems)...
  • Page 52 Getting Started Set the DIL switches for the individual components as follows: • IM153-2 FO PROFIBUS address 3 • SM 326F DI 24 Module address 8 (Only found on the reverse side; only in steps of 8) • SM 326F DO 10 Module address 24 (Only found on the reverse side;...
  • Page 53: Configuring The Fault-Tolerant S7 Fh System

    Getting Started 2.3.2 Configuring the Fault-Tolerant S7 FH System Proceed in the same way as when you configure the S7 F Systems. You create a new project in SIMATIC Manager for the hardware setup described above. Procedure 1. Create a new project called "FHProject". 2.
  • Page 54: Fault-Tolerant S7 Fh System, Creating A Fail-Safe User Program

    Getting Started 10. Insert the input module SM 326F DI24xDC24V in slot 4 of the ET 200M. 11. Assign symbolic names for all the channels. 12. On the "Inputs" tab of the properties dialog box, select "Enable Diagnostic Interrupt" and "Safety Mode" with "1oo1 Evaluation". 13.
  • Page 55: Fault-Tolerant S7 Fh System, Monitoring Errors

    Getting Started 2.3.5 Fault-Tolerant S7 FH System, Monitoring Errors Interruption in the PROFIBUS Connection 1. Remove the PROFIBUS cable from CPU0. The BUS2F LED flashes and the REDF LED lights up on CPU0. The second IM 153-2 is now active, and the first one indicates a bus fault. 2.
  • Page 57: Safety Mechanisms

    Safety Mechanisms Introduction to the Safety Mechanisms This chapter describes the safety-related mechanisms of the S7 F/FH Systems. This information serves as background knowledge when you configure the F- System and create and test the Safety Program. Only the functions in which the behavior of an S7 F System differs from that of a standard S7 system are described.
  • Page 58: Safety Mode

    Safety Mechanisms Safety Mode The safety-related functions for fault detection and fault reaction are activated in safety mode. • In the F-I/Os • In the Safety Program of the CPU Safety Mode of the F-I/Os When configuring the F-I/Os in HWCONFIG, you can use the "Safety Mode" parameter to set standard mode or safety mode for them, if this feature is supported: •...
  • Page 59: Fault Reactions

    Safety Mechanisms Fault Reactions Safe State The basis of the safety concept is that there must be a safe, neutral position for all process variables. In the case of binary signal modules, this is always the value "0". Fault Reactions in the CPU and Operating System If the CPU detects a fault by means of the hardware (time monitoring) or operating system (self-tests etc.), the Safety Program may become disabled or a switchover may occur if the fault occurs on the master side in a redundant system.
  • Page 60: Startup Of An F-System

    Safety Mechanisms Startup of an F-System Operating Modes of an S7 F/FH System The operating modes of an S7 F System differ from the normal ones only in their startup characteristics and behavior in HOLD mode. Otherwise, the system states of the fault-tolerant system and the operating modes of the master CPU and standby CPU occur in an S7 FH System as described in Chapter 4.
  • Page 61: Self-Tests And Command Tests

    Safety Mechanisms Self-Tests and Command Tests Self-Tests Self-tests are carried out in the S7 F/FH system to detect faults. The duration of the cyclic self-tests can be set during configuration (the default is 90 mins). Note Only settings of up to 12 hours are permitted for the S7 F/FH Systems. You cannot modify safety-relevant self-tests for the S7 F/FH Systems with the SFC 90 "H_CTRL".
  • Page 62 Safety Mechanisms When a hazardous fault is detected, the logical program execution check performs the following: • In a non-redundant system or in a situation that is a common cause (e.g. both CPUs encounter fault). The Safety Program will be disabled.* •...
  • Page 63: Fail-Safe User Times

    Safety Mechanisms Fail-Safe User Times Time values generated in the Safety Program with the F_TP, F_TON and F_TOFF blocks are monitored by means of safety mechanisms of the CPU. To do this, two mutually independent time counters are compared. As long as the discrepancy between the two counters is less than 10 ms within a time period of 50 s, the time is considered correct.
  • Page 64: Password Protection For F-Systems

    Safety Mechanisms Password Protection for F-Systems Password protection protects the S7 F/FH Systems from unauthorized access, e.g. from unwanted downloads to the CPU from the engineering system (ES) or the programming device (PG). In addition to the standard password for the CPU, an additional password is also required for S7 F/FH Systems for the Safety Program (F password).
  • Page 65: Safety-Related Communication

    Safety Mechanisms Safety-Related Communication Communication Overview The following figure shows the communication options available to an F-system (figure labels: standard or F-CPU with standard program; F-CPU with standard program and Safety Program; F-run-time groups; F driver)...
  • Page 66: Communication Between The Safety Program And The Standard User Program

    Safety Mechanisms 3.9.1 Communication Between the Safety Program and the Standard User Program The standard and Safety Programs use different data formats. Special conversion blocks must therefore be used for the data exchange (figure labels: F-CPU; Safety Program; non-safety-related standard program; From Block; Safety-Related...)
  • Page 67: Communication Between F-Run-Time Groups

    Safety Mechanisms 3.9.2 Communication Between F-Run-Time Groups Run-time groups that contain fail-safe blocks are referred to as F-run-time groups. Data transmission between the F-run-time groups of a user program must be safety-related. The fail-safe blocks F_S_BO, F_S_R and F_R_BO, F_R_R are available for safety-related communication between F-run-time groups.
  • Page 68: Safety-Related Communication Between F-Cpus

    Safety Mechanisms See Also Interconnecting F-Driver Blocks and Driver Blocks for F-Signal Modules 3.9.4 Safety-Related Communication Between F-CPUs Communication Options (figure labels: S7 FH Systems / S7-400FH; S7 F Systems) Safety-related communication between CPUs takes place via configured standard or fault-tolerant S7 connections.
  • Page 69 Safety Mechanisms Note Multiproject is a new feature of STEP 7 V5.2. With this feature, you do not need to maintain all CPUs in the same project; you may have several projects between which CPU-to-CPU communication is shared. Communication with Standard CPUs Direct communication between a Safety Program and a standard CPU is not possible.
  • Page 71: Configuration

    Configuration Overview This section describes the main differences between the configuration of a fail-safe system and that of a standard S7 system. It also deals with the special features of the programming device functions that you must watch out for when working with a fail-safe system.
  • Page 72: Safety Rules For Safety Operation

    Configuration • Before downloading the Safety Program, you must download the configuration to the CPU. • If you use a safety protector in the ET 200M, then you can operate fail-safe signal modules with the S7-300 standard signal modules in an ET 200M even in safety mode in SIL 3.
  • Page 73: Cpu Parameter Assignment

    Configuration CPU Parameter Assignment Rules for Configuration as an F-CPU Safety Note – CPU containing safety program must have a password The user must comply with the following rules: • The "CPU Contains Safety Program" option must be selected. • A password must always be assigned.
  • Page 74: Parameter Assignment Of F-I/Os

    Configuration Parameter Assignment of F-I/Os Additional options are available for parameter assignment of F-I/Os that are not available for parameter assignment of comparable standard SMs: • You can select between safety mode (different levels to a certain extent) and standard mode. •...
  • Page 75: I/O Group Diagnosis

    Configuration Entering Module Names You can enter a module name for an F-I/O in HWCONFIG. This name is copied to the instance of the associated F module driver (F_Name_x) if the associated F module driver is placed automatically. This enables the link between the F module driver and the F-I/O to be seen and checked more easily.
  • Page 76: Configuring Redundant F-I/Os

    Configuration Configuring Redundant F-I/Os (only in supported modules) Note In the case of redundantly configured modules, you must make sure of the following: • That the two modules are of the same type and have the same parameter assignment. • That the same monitoring time is parameterized for both modules.
  • Page 77: Programming Device Functions In Step 7

    Configuration Programming Device Functions in STEP 7 The same functions are available for working with a fail-safe system in STEP 7 as for a standard S7 system. Safety-Relevant Programming Device Functions Safety-relevant programming device functions are only executed if you have set up access rights for yourself.
  • Page 78: Setting Up, Modifying And Cancelling Access Rights

    Configuration Setting up, Modifying and Cancelling Access Rights 4.8.1 Setting up Access Rights for the CPU To set up access rights for the CPU, proceed as follows: 1. Select the CPU or its S7 program in SIMATIC Manager. 2. Choose the PLC > Access Rights > Setup menu command. In the dialog box that appears, locate the Protection tab and enter the password assigned during parameter assignment of the CPU.
  • Page 79: Entering/Changing The Password For The Safety Program

    Configuration Changing the Password A password can only be changed by changing the configuration. To do this for the S7 F System, you must switch the CPU to STOP. It is possible to change the password (configuration change) for the S7 FH System without interrupting the process (in RUN mode).
  • Page 80: Cancelling Access Rights For The Safety Program

    Configuration Request for the Password for the Safety Program A dialog box to request the password for the safety program is displayed in the following cases: • Compilation of changes to the Safety Program • Switching safety mode on and off •...
  • Page 81: Configuration In Run

    Configuration Configuration in Run There are process control systems that may not be switched off during operation, e.g. due to the complexity of the automated process, or expensive restart costs. Nevertheless, a change or expansion of the process control system may be required.
  • Page 82 Configuration Adding F-I/O’s via CIR To add a new F-I/O to your system, follow these steps: • Configure the new F-I/O within HWCONFIG according to the manual “How to Modify the System during Operation with CiR” (handle it like a standard module) •...
  • Page 83: Programming

    Programming Overview 5.1.1 Structure of the Safety Program The following figure illustrates the structure of a Safety Program in the programming device/ES and CPU schematically (figure labels: S7 F System; programming device / ES; user STEP 7 project; hardware; Safety Program; standard program; Failsafe Blocks V1_2; standard...)
  • Page 84: Blocks Of The Safety Program

    Programming 5.1.2 Blocks of the Safety Program Fail-Safe Blocks A Safety Program can contain the following fail-safe blocks: • Fail-safe blocks that can be inserted by the user (F user blocks). Table of F user blocks (block / function): F-Driver: F_CH_DI, F_CH_AI, F_CH_DO / channel drivers for the input and output signals of the F-I/Os; Conversion...
  • Page 85 Programming In addition, fail-safe blocks are also available for standard functions such as arithmetic, logic, multiplexing, etc. You can find a complete list of the fail-safe blocks in Appendix. • F Control blocks are automatically inserted during compilation and are never to be inserted by user.
  • Page 86: Creating Safety Programs

    Programming Creating Safety Programs 5.2.1 Creating a Safety Program - Basic Procedure Prerequisites • The project structure must be created in SIMATIC Manager. The Safety Program must be assigned to an F-capable CPU (e.g. a CPU 417-4H). • A chart folder must be created for CFC under the S7 program. •...
  • Page 87: Safety Notes For Programming

    Programming 5.2.2 Safety Notes for Programming • A Safety Program can only be compiled to be executable under an F-capable CPU (e.g. CPU 417-4H). • The Safety Program must be created in CFC using special F-Blocks from the Failsafe Blocks library. The name of the library must not be changed. •...
  • Page 88 Programming Notes on Working With CFC Safety Note – Compression Changes Signature Compressing CFC programs changes the overall signature of the program! If the program has to be compressed, carry out the compression before it is accepted. The fail-safe blocks in the Fail-safe Blocks library are highlighted in color in the CFC chart.
  • Page 89: Defining The Program Structure

    Programming 5.2.3 Defining the Program Structure Rules for the Program Structure You must comply with the following rules when you design a user program for the S7 F/FH Systems: • You can combine standard and Safety Program sections within a CPU. •...
  • Page 90: Inserting Cfc Charts

    Programming For Fault-Tolerant Systems In fail-safe and fault-tolerant S7 FH Systems, one or more separate cyclic interrupts with a high priority should be reserved for the Safety Program. This is necessary to prevent time monitoring being initiated in the case of a master/standby switchover.
  • Page 91: Inserting Run-Time Groups

    Programming 5.2.5 Inserting Run-Time Groups (applies to CFC V5.2 only) Rules for the Run-Time Groups of the Safety Program • The F-blocks must not be inserted directly in tasks/OBs; instead, they must be inserted in run-time groups. • A separate CFC chart containing the F_CYC_CO block is required for F cycle time monitoring.
  • Page 92: Inserting And Interconnecting Fail-Safe Blocks

    Programming Inserting and Interconnecting Fail-Safe Blocks 5.3.1 Inserting Fail-Safe Blocks Blocks are inserted in the chart by dragging and dropping them from the F User Blocks folder of the Failsafe Blocks library. Each block can be inserted as often as you want. Note If a block type has already been inserted from the library, it can be inserted more quickly the next time from the "CFC Catalog".
  • Page 93: Automatically Inserted F-Blocks

    Programming 5.3.2 Automatically Inserted F-Blocks When a CFC chart with fail-safe blocks is compiled, the following F-Control blocks are inserted automatically in the Safety Program: • F_SHUTDN • DB_INIT • RTG_LOGIC • FAIL_MSG (part of RTG_LOGIC block type) • DB_RES •...
  • Page 94: Interconnecting And Assigning Parameters To F-Blocks

    Programming 5.3.3 Interconnecting and Assigning Parameters to F-Blocks You can assign parameters to the inputs and outputs of the F-Blocks or interconnect them with other blocks. Rules for Interconnecting F-Blocks Safety Note – Incorrect changes to fail-safe blocks input parameters may result in the Safety Program and its outputs being disabled.
  • Page 95 Programming Recommendation: meaningful names for placed blocks Give each block placed a meaningful name. You can choose any name. Assigning a Value to a Fail-Safe I/O To assign a value to a fail-safe I/O of an F-Block, proceed as follows: 1.
  • Page 96: Defining The Run Sequence

    Programming 5. Close the "Select Structure Element" dialog box. Result: The new value is displayed on the I/O. See Also F-Data Types 5.3.4 Defining the Run Sequence Run-Time Properties The run-time properties of a block define the position of this block in the chronological processing sequence within the overall structure of the PLC.
  • Page 97 Programming F_TESTM: Automatic placement of the F_TESTM block and associated chart in the slowest OB that contains a piece of the failsafe program. F_CYC_CO: Automatic placement of an F_CYC_CO block and associated chart in each OB that contains a piece of the failsafe program. The user will be requested to enter the maximum cycle time (MAX_CYC) at the first compile.
  • Page 98: Interconnecting F-Driver Blocks

    Programming Note Please be aware that by mixing standard and fail-safe run-time groups, you could possibly jeopardize your ‘MAX_CYC’ maximum cycle time. The more logic you add to the other run-time groups in the fail-safe OB3x’s, the greater the chance of encountering a scan overrun if care isn’t taken. Defining the Run Sequence Define the run sequence in CFC in the usual way: 1.
  • Page 99 Programming Example: F-Driver for Digital Input Module SM 326 DI 8xNAMUR [Figure: F channel drivers F_CH_DI for channel 00 to channel 07 (CHADDR, VALUE, symbolic address of the channel) interconnected with the F module driver F_M_DI8 (CHADDR00 ... CHADDR07, TIMEOUT, LADDR / LADDR_R logical address of the module, DIAG_1, DIAG_2)]...
  • Page 100 Programming Drivers for the F-I/Os in Standard Mode If you use the F-I/Os in standard mode, you can use the standard channel drivers from the PCS 7 Driver Blocks library. Rules for F-Driver Blocks • The VALUE I/O of the F channel driver must be interconnected with the symbolic address of the channel.
  • Page 101 Programming 6. Optional: Interconnect the QBAD output to find out if a substitute value or valid process value is output. Value status (quality code) of the process value 7. Optional: Evaluate the QUALITY output in the standard program or on the OS to obtain or find out the quality code of the process value.
  • Page 102 Programming • At compilation of the Safety Program: In CFC, choose the Chart > Compile > Charts as Program menu command. Select the "Generate Module Drivers" check box in the dialog box. Confirm with OK. Fail-Safe Systems 5-20 A5E00085588-03...
  • Page 103 Programming In both cases, the necessary F module drivers and module diagnostic blocks are automatically inserted into separate CFC charts called @F1, @F2, ... and interconnected. The instances of the F module drivers automatically receive the name you have entered in HWCONFIG for the associated F-I/O (F_Name_x). See the chapter entitled "Parameterization of the F-I/Os".
  • Page 104: During Simulation Of Input Channels The Simulation Value Is Always Available On The Block's Output

    Programming Safety Note – During simulation of Input Channels the Simulation value is always available on the block's output. In the event of an error with digital or analog input channels, if SIM_ON=TRUE then simulation values are placed on the block’s output instead of the substitute values. Error Handling and Diagnostics You can find information on the diagnostic outputs of the F driver blocks under: •...
  • Page 105 Programming Configuring Messages The same module diagnostic blocks are used for the F-I/Os as for the standard modules. The following MOD, SUBNET and RACK blocks are inserted automatically when you choose the Options > Charts > Generate Module Drivers menu command: Block Per Fail-safe signal module SM 326F DI 8xNAMUR...
  • Page 106: Passivation And Reintegration Of The Input And Output Channels

    Programming 5.3.6 Passivation and Reintegration of the Input and Output Channels Passivation Passivation means that, in the event of a fault/error, one or more channels of an F-I/O are switched to the safe state. When a channel fault occurs (e.g. sensor defective), only the affected channel is passivated.
  • Page 107: Automatic Reintegration May Not Always Be Possible

    Programming Reintegration After Error Correction Reintegration means: • Valid process values are output again on the output channels of the fail-safe output modules. • The F channel drivers of the fail-safe input modules forward valid process values to the safety program again. After an error/fault is corrected, a channel of a fail-safe module can be reintegrated automatically or after a user acknowledgment.
  • Page 108: Startup Protection To Handle Short Power Failures In The F-I/O

    Programming Safety Note – Startup Protection to handle short power failures in the F-I/O. Following a power failure in the F-I/O that is shorter than the watchdog time set for the F-I/O in HW Config (see Safety Engineering in SIMATIC S7 system description), automatic reintegration can occur, as is the case when ACK_NEC = 0, regardless of your setting for ACK_NEC.
  • Page 109: Automatic Reintegration Through F_Quites

    Programming User Acknowledgment by Means of OS/ES You can use the F_QUITES block in the following way for fail-safe acknowledgment using a non-fail-safe Engineering System or Operator Station: 1. Insert the F_QUITES block in the run-time group of the F channel driver. 2.
  • Page 110: Programming Startup Protection

    Programming 5.3.7 Programming Startup Protection After startup (cold restart or complete restart (warm restart)), the Safety Program automatically starts up with the initial values. Note When the Safety Program is compiled, additional blocks and calls that must not be changed are inserted automatically at the beginning of the run sequence in OB 100.
  • Page 111: Example: Reintegration After Startup Of The Safety Program

    Programming 5.3.8 Example: Reintegration after Startup of the Safety Program After startup (cold restart or warm restart) the following occurs for a short time: • The substitute value 0 is output from the F channel driver for digital input. • The parameterized substitute value is output from the F channel driver for analog input •...
  • Page 112: Assigning Parameters To The F Cycle Time Monitoring

    Programming 5.3.9 Assigning Parameters to the F Cycle Time Monitoring The F_CYC_CO block is automatically placed and configured during compilation. If a task is found to be missing its F_CYC_CO, a chart and run-time group containing the F_CYC_CO block will be placed in that task. During this compilation, and during any further compilation where the MAX_CYC parameter is invalid, a dialog box will be presented requesting a valid value.
  • Page 113: Interconnecting F Communication Blocks

    Programming 5.3.10 Interconnecting F Communication Blocks You can insert and interconnect the following types of communication blocks in the Safety Program: • Blocks for communication between Safety Programs on different CPUs • Blocks for communication between F-run-time groups • Blocks for communication between the F user program and the standard user program 5.3.10.1 Programming Communication Between Safety Programs on Different CPUs...
  • Page 114: Safety Program Must Be Re-Compiled If S7 Connections Used For Cpu-Cpu Communication Have Changed

    Programming Procedure Proceed as follows: 1. Insert the send block (F_SENDBO/F_SENDR) in the Safety Program from which data is to be transferred. 2. Insert the receive block (F_RCVBO/F_RCVR) in the Safety Program to which data is to be transferred. 3. Assign parameters to the ID inputs with the relevant identifiers of the configured S7 connections.
  • Page 115 Programming Examples: [Figure: Receive Block] [Figure: Send Block]
  • Page 116 Programming 5.3.10.2 Programming Communication Between F-Run-Time Groups Within a CPU Rules for Communication Between F-Run-Time Groups • If data has to be exchanged between two F-run-time groups, you cannot interconnect the inputs and outputs directly. Instead, you must use separate fail-safe blocks for these functions.
  • Page 117 Programming Example: Extract from the Chart of the Sender Run-Time Group [Figure] Example: Extract from the Chart of the Receiving Run-Time Group [Figure]
  • Page 118 Programming 5.3.10.3 Programming Communication Between the F User Program and the Standard User Program Available F Conversion Blocks The following F conversion blocks are available:
    Block / Description
    F_BO_FBO: Converts from standard BOOL to F_BOOL
    F_I_FI: Converts from standard INT to F_INT
    F_R_FR: Converts from standard REAL to F_REAL
    F_TI_FTI: ...
  • Page 119: Use F_Lim_R For Plausibility Check Of Standard To F-Data Conversion

    Programming Procedure Proceed as follows: 1. Insert the F-Blocks of the type F_FBO_BO, F_FR_R, F_FI_I or F_FTI_TI in the charts of the standard user program. 2. Insert the blocks of the type F_BO_FBO, F_I_FI, F_TI_FTI or F_R_FR in the charts of the Safety Program. These blocks can also be found in the Fail-safe Blocks library.
  • Page 120 Programming Example: Converting Standard Data Types to F-Data Types [Figure: Section from an F chart, showing conversion from REAL to F_REAL] Example: Converting F-Data Types to Standard Data Types [Figure: Section from a standard chart, showing conversion from F_BOOL to BOOL]
  • Page 121: Processing Of The Safety Program

    Programming Processing of the Safety Program 5.4.1 Managing Safety Programs The following sections tell you how to do the following: • Deactivating Safety Mode • Activating Safety Mode • Compiling a Safety Program • Creating Fail-Safe Block Types • Downloading a Safety Program •...
  • Page 122: Deactivating Safety Mode

    Programming 5.4.2 Deactivating Safety Mode The Safety Program usually runs on the CPU in safety mode. In other words, all the safety mechanisms for fault detection and fault reactions are activated. It is not possible to change the Safety Program during operation (RUN) when it is in safety mode.
  • Page 123 Programming Procedure 1. Select the CPU or its S7 program in SIMATIC Manager. 2. Choose the Options > Edit Safety Program menu command. 3. Select the online view in the dialog box that appears. 4. Enter the CPU password, if it is requested. 5.
  • Page 124: Activating Safety Mode

    Programming 7. If the password is entered correctly, a further request is made (next step); if the password is invalid, safety mode is not switched off and remains active. 8. Confirm that safety mode is to be deactivated with OK. Result: Safety mode is deactivated.
  • Page 125: Compiling A Safety Program

    Programming 5.4.4 Compiling a Safety Program There are two compilation options: • Compile all the CFC charts as a program. The charts are converted into machine code that you can download to the CPU and run there. • Compile a chart as a block type in order to use it again. Note Use hierarchical CFC charts or create new block types to use existing charts repeatedly.
  • Page 126: Creating Fail-Safe Block Types

    Programming 5.4.5 Creating Fail-Safe Block Types You can create a fail-safe block type that can be reused in other safety programs from the CFC chart of a safety program. Rules for Fail-Safe Block Types To create a new block type with fail-safe blocks, proceed as you would normally. The same rules apply as in the standard case, with the following additional points: •...
  • Page 127 Programming Procedure 1. Create the CFC chart in a separate S7 program assigned to an F-capable CPU. 2. Open the chart you want. 3. Choose the Chart > Compile > Chart as Block menu command. A dialog box for entering the block properties appears. 4.
  • Page 128 Programming Changing a Fail-Safe Block Type Changes to a block type require acceptance. Modified block types must be entered using the Options > Block Types menu command. After using a modified block type, you must recompile the safety program and download it to the CPU. It is not always possible to download the changes in RUN.
  • Page 129: Downloading A Safety Program

    Programming 5.4.6 Downloading a Safety Program After compilation you can download the CFC program to the PLC. Depending on whether or not safety mode is activated, you can download the entire Safety Program or just changes to the Safety Program as follows: Downloading CPU in CPU in RUN, Safety...
  • Page 130: Downloading The Entire Safety Program

    Programming 5.4.7 Downloading the Entire Safety Program Procedure To download the Safety Program to the PLC, proceed as follows: 1. Switch the CPU to STOP mode. 2. Choose the PLC > Download > Entire Program menu command in CFC. Note Before the Safety Program is downloaded, the CPU password is requested if changes are detected in the fail-safe program section.
  • Page 131: Changes To The Safety Program In Run Mode

    Programming 5.4.8 Changes to the Safety Program in RUN Mode You can only make changes to the Safety Program during operation (RUN) if safety mode is deactivated. You have the following options for changing the Safety Program during operation: • Change the CFC charts, and compile and download the changes to the CPU.
  • Page 132: Ob Cycle Times Changes Restricted

    Programming Permissible Changes Below you can find a list of the permissible program changes. These changes can be downloaded when safety mode is deactivated, without the Safety Program going into shutdown mode. The restrictions listed below, however, continue to apply: •...
  • Page 133 Programming Changing the Time Conditions or Monitoring Times This is possible, but you must ensure that such changes don’t initiate any cyclic measures. For example: • Changing the OB cycle time: All monitoring times (F_CYC_CO, F module driver, F communication) must be greater than the new OB cycle time. If this isn’t the case, you must increase these times beforehand and download them before the new OB cycle time is brought in.
  • Page 134 Programming Communication Between Run-Time Groups or CPUs You must proceed in several steps if the communication is to continue in all phases. In one step, only the change for one communication partner can be introduced. Changes must not be downloaded for both partners simultaneously. •...
  • Page 135 Programming • Deletion of run-time groups: If a run-time group is moved to another task, you must not delete the run-time group of the F_CYC_CO in the old task at the same time. If you want to do that in order to delete the old task completely, for example, proceed as follows in two steps: Move, compile and download the run-time group to the new task.
  • Page 136: Downloading Changes

    Programming 5.4.9 Downloading Changes Changes to the Standard Program You can download changes when the CPU is in RUN mode irrespective of whether safety mode is active or not. Note If you make changes to the fail-safe section of the user program, you can’t download changes for the standard section in safety mode either.
  • Page 137: Download Operation Aborted

    Programming Procedure 1. Change the Safety Program and compile it (see "Compiling a Safety Program"). 2. If simulation mode is activated, deactivate it (see "Testing a Safety Program Offline with S7-PLCSim"). 3. Deactivate safety mode (see "Deactivating Safety Mode"). 4. Choose the PLC > Download > Changes Only menu command in CFC. Always respond with "Yes"...
  • Page 138: Testing The Safety Program

    Programming 5.4.10 Testing the Safety Program After compilation and downloading, you can test the program. You can test Safety Programs by switching to test mode in CFC using the Test > Test Mode menu command. In test mode you are connected to the automation system (CPU) online. Rules for Testing Safety Note –...
  • Page 139: Testing A Safety Program Offline With S7-Plcsim

    Programming 5.4.11 Testing a Safety Program Offline with S7-PLCSim It is not always possible to test Safety Programs in a real system. The PLCSim software package is intended to help you test Safety Programs by simulating a CPU on the PC/programming device. 5.4.11.1 Using PLCSim V5.0 (and below) Prerequisite: Copying the Project It is not possible to carry out the offline test with the original project.
  • Page 140 Programming Result: The "Safety Program – S7 Program" dialog box appears. 3. Select the "Password..." button and cancel the access rights for the safety program. This means the password for the safety program will be requested again in the case of operations such as the compilation or downloading of changes to the Safety Program.
  • Page 141 Programming You can find information on working with S7-PLCSim in manual /12/. (Please refer to the references in Appendix B.) To carry out a test, download the Safety Program to the virtual CPU of PLCSim. Changes to the Safety Program can only be downloaded with the whole program when the virtual CPU is in STOP mode.
  • Page 142 Programming Downloading the Safety Program After Simulation Before you download the tested Safety Program to the CPU you must do the following: 1. Switch off the simulation by clicking the "Simulation Off" button in the "Safety Program – S7 Program" dialog box. Result: The blocks from the Fail-safe Blocks: F User Blocks library are copied to the block container.
  • Page 143 Programming What to Remember When You Simulate Safety Programs Safety Note – Simulation Warning This is not a substitute for a function test! If the simulation takes place on a programming device or ES with a physical online connection to the CPU, you must not deactivate safety mode and you must not have access rights by means of the CPU password.
  • Page 144: Changing Fail-Safe Constants In Cfc Test Mode

    Programming 5.4.12 Changing Fail-Safe Constants in CFC Test Mode It is possible in CFC test mode (V5.2 and above) to change fail-safe constants (non-interconnected I/Os of fail-safe blocks) during operation (RUN). In the case of safety programs, this is only permitted when safety mode is deactivated. There are no restrictions on changing standard parameters.
  • Page 145 Programming Changing a Fail-Safe Block I/O 1. Activate test mode for the chart in CFC using the Test > Test Mode menu command. 2. Open the sheet view of the F-Block. 3. Select the block I/O that you want to change, and open Object Properties with a double-click, for example.
  • Page 146 Programming 6. Close the "Select Structure Element" dialog box. If the change is possible, a check box appears with the changed value, which you have to confirm with 7. If the change is not possible, you will receive a message requesting you to eliminate the cause of the error.
  • Page 147: Displaying Information

    Programming 5.4.13 Displaying Information To display information on the Safety Program 1. Select the program folder (e.g. "S7 Program") in SIMATIC Manager. 2. Choose the Options > Edit Safety Program menu command. Result: The "Safety Program – S7 Program" dialog box appears. The following information on the online (on the CPU) or offline (in the programming device/ES) Safety Program is displayed: •...
  • Page 148: Saving Reference Data

    Programming 5.4.14 Saving reference data You can save all the data of a program (charts, parameters, etc.) as reference data in order to use it for comparisons, as required. Procedure To save the reference data of a Safety Program, proceed as follows: 1.
  • Page 149: Comparing Safety Programs

    Programming 5.4.15 Comparing Safety Programs This dialog assists you in comparing two Safety Programs, displaying and printing the differences between them. (See the procedure below entitled Comparing Safety Programs.) Programs available for comparison include the online program in the F-CPU, the current offline program, the previous compilation of the current program, and the saved reference program.
  • Page 150 Programming Compare with: Use this drop-down selection box to choose the second program to compare. If you selected the Program option button above, choose one from the following: • Reference (the last saved reference of this program) • Before Last Generation (the previous compilation of this program) •...
  • Page 151 Programming Result of the Comparison of the Safety Blocks (both programs offline) An indication is given of whether the overall signatures across all blocks are identical or different. Difference Display, Block View: Any blocks whose signatures have changed are displayed, along with the signature of each.
  • Page 152 Programming The differences are described as follows:
    Text / Meaning
    Deleted: Block only exists in the source
    Added: Block only exists in the comparison object
    Task changed from ’Task1’ to ’Task2’: Block in another task/priority class
    Run-time group changed from ’Group1’ to ’Group2’: Block in another run-time group
    ...
  • Page 153 Programming As with the offline Block View, a window shows any blocks whose signatures differ. View option “Show unconnected F-FB input parameter differences”: This option forces a complete comparison of the values of constants connected to the inputs of F-Blocks between the online and an offline program, and displays differences in an upper pane in the dialog.
  • Page 155 Programming Comparison of Overall Signatures: This group displays attributes for each of the two programs selected for comparison: • Program type (Current program, reference program, Before Last Program, Online Program, Other Project program). • Overall Signature: The identifying overall signature, generated at the most recent compilation.
  • Page 156 Programming What Can You Compare? You can compare the following, irrespective of whether you have selected "Program" or "Reference":
    Program – Compare with:
    • Reference (Reference of this program)
    • Before Last Generation (Status before the last generation of this program)
    • Online (Online status of this program)
    • Program (Any offline program)
    Reference – Compare with: ...
  • Page 157: Allowable F Control Block Comparison Changes

    Programming Procedure To compare two Safety Programs, proceed as follows: 1. Select the program folder (e.g. "S7 Program") in SIMATIC Manager. 2. Choose the Options > Edit Safety Program menu command. The "Safety Program – S7 Program" dialog box appears. 3.
  • Page 158: Logging The Safety Program

    Programming Comparison with the Online Safety Program Safety Note – Checking online comparison output When a comparison with the online program is made, it is indicated whether the source, load memory and working memory match up (this enables the detection of impermissible data manipulation to non-interconnected fail-safe input parameters in the working memory).
  • Page 159: Printing The Safety Program

    Programming 5.4.17 Printing the Safety Program To print all the important project data, proceed as follows: 1. Select the program folder (e.g. "S7 Program") in SIMATIC Manager. 2. Choose the Options > Edit Safety Program menu command. The "Safety Program – S7 Program" dialog box appears. 3.
  • Page 160 Programming The overall signature and the date of the last compilation appear in the printout of the fail-safe program, which is important for the on-site acceptance of the Safety Program (e.g. by an outside expert). The overall signature of the compiled Safety Program appears twice in the printout: once in the program information section as a value of the block container and once in the footer as a value from the source (see "Checking the Overall Signatures"...
  • Page 161: Operation And Maintenance

    Operation and Maintenance Operation and Maintenance of the F-Systems The following sections describe: • Rules for the operation of the fail-safe S7 F/FH Systems • How to work with the Safety Program • How to change the Safety Program • How to replace software and hardware components •...
  • Page 162: Working With The Safety Program

    Operation and Maintenance Fiber-Optic Cables Between the Synchronization Modules in the S7-400 FH Safety Note – Duplicate Masters must be avoided In a fail-safe and fault-tolerant S7 FH System, you must prevent both CPUs from being master at the same time, since this may result in hazardous faults. Such a state (the two CPUs are both masters at the same time) can occur if the two fiber-optic cables used to connect the CPUs are removed or interrupted simultaneously when the S7-400 FH is in a redundant configuration.
  • Page 163: Changing The Safety Program

    Operation and Maintenance Changing the Safety Program Rules for Changes to the Safety Program • Changes to fail-safe input parameters are only possible in safety mode by using or downloading changes in the standard user program with the help of conversion blocks F_BO_FBO, F_R_FR, etc.
  • Page 164: Replacing Software And Hardware Components

    Operation and Maintenance See Also You can find additional information on modifying the Safety Program in the following sections: • Deactivating Safety Mode • Changes to the Safety Program in RUN • Downloading Changes • Changing Fail-Safe Constants in CFC Test Mode Replacing Software and Hardware Components Replacing Software Components When you replace software components on your programming device/ES, for...
  • Page 165: Uninstalling The S7 F/Fh System

    If there are special reasons why you require an even longer proof test interval than 10 years, please contact your Siemens advice center. A shorter proof test interval is normally required for sensors and actuators.
  • Page 167: Safety

    Safety Standards, Certificates and Approvals Safety Certification When you order an F-Copy License, a copy of the TÜV certificate for the fail-safe components of the S7 F/FH System will be included with the product. You can obtain additional copies of the certificate, the accompanying report and Annex 1 of the certificate report entitled "Safety-Related Programmable Systems SIMATIC S7-400F and S7-400FH"...
  • Page 168 Safety Standards Relating to Functional Safety The following tables list the standards taken into account when developing the S7 F/FH System. The current statuses and versions of the standards and the currently applicable conditions can be found in the safety certification report. Standard Title/Description DIN V 19250...
  • Page 169 Safety Safety of Machinery
    Standard / Title/Description
    EN 60204-1: Safety of Machinery - Electrical Equipment of Machines; Part 1: General Requirements
    EN 954-1 cat. 2 to …: Safety of Machinery - Safety-Related Parts of Control Systems - Part 1: General Principles for Design
    Standards and Directives Relating to Other Aspects
    Standard / Title/Description...
  • Page 170: Safety Requirements

    Safety Safety Requirements Standardized Safety Requirements The S7 F/FH System fulfills the following safety requirements: • Requirement classes AK1 to AK6 in accordance with DIN V 19250/VDE 0801 • SIL1 to SIL3 (Safety Integrity Level) in accordance with IEC 61508 •...
  • Page 171 Safety Risk Parameters The risk parameters have the following meaning in accordance with DIN V 19250:
    Parameters / Meaning
    Extent of injury or damage: Minor injuries; minor harmful effects on the environment / Serious irreversible injuries of one or more persons or fatality of a person;...
  • Page 172 Safety The following table lists the probability values of individual components of the S7 F/FH Systems:
    Columns: Low Demand Mode of Operation (Average probability of failure to perform its design function on demand) / High Demand or Continuous Mode of Operation (Probability of a dangerous failure ...) / Proof test interval
  • Page 173: System Configuration

    Safety Example: A safety function is implemented with an S7 FH System. The CPUs and F-SMs involved in the safety function are listed in the table below. These CPUs and F-SMs are used in a redundant configuration. Their proof test interval is 10 years. The F-SMs are in safety mode for SIL 3.
  • Page 174: Monitoring Times

    Safety Monitoring Times 7.4.1 Configuring the Monitoring Times for F/FH Systems Rules for Monitoring Times When you configure the monitoring times, you must take into consideration both the availability and the safety of the F/FH system: • Availability: To ensure that the temporal monitoring is not triggered when there is no error, the monitoring times selected must be sufficiently long.
  • Page 175: Pulse Detection

    Safety Basic Procedure To configure the monitoring times, proceed as follows: 1. Configure the standard or fault-tolerant system. You can find the necessary information in the relevant hardware manuals and online help systems. 2. Configure the specific monitoring times of the F-system with regard to availability: The times should be considerably longer than the minimum monitoring times.
  • Page 176: Calculation Of The Minimum Monitoring Times

    Safety 7.4.2 Calculation of the Minimum Monitoring Times 7.4.2.1 Monitoring the F Cycle Time The monitoring time is assigned at the MAX_CYC input parameter of the F_CYC_CO fail-safe block. To ensure that monitoring is not triggered when there is no fault, MAX_CYC must be greater than the maximum cycle time TCImax of the relevant cyclic interrupt OB: MAX_CYC >...
  • Page 177 Safety 7.4.2.2 Monitoring Safety-Related Communication Between the F-CPU and F-I/Os PROFIsafe time monitoring is executed in the F-I/O and in the F driver with the same PROFIsafe monitoring time. The value is entered in HWCONFIG as the monitoring time of the F-I/O and is automatically assigned to the F drivers at compilation (TIMEOUT).
  • Page 178 Safety Note To check during operation whether the configured PROFIsafe monitoring times are too short, you can insert in an ET 200M with fail-safe signal modules in safety mode additional fail-safe signal modules in safety mode in which the configured PROFIsafe monitoring time is lower.
  • Page 179 DP buses and place total here. If CiR is not used, enter 0. Finding TUSEND You can download a tool for calculating the TUSEND value from the Internet at: http://www4.ad.siemens.de/view/cs/de/1651770 Contribution ID 1651770 Note To activate the monitoring of the maximum communication delay when the standby in the FH system is updated, you must assign this parameter a value in HWCONFIG (CPU properties, "H Parameters"...
  • Page 180: Acceptance Of An F-System

    Safety Acceptance of an F-System An F system is usually accepted by an independent expert. During acceptance of an F-System you are supported by special functions in SIMATIC Manager. This enables you to: • Compare Safety Programs • Log Safety Programs •...
  • Page 181: Initial Acceptance Of A Safety Program

    Safety 7.5.1 Initial Acceptance of a Safety Program Basic Procedure for the Initial Acceptance of a Safety Program 1. Optional: advance acceptance of the configuration of the F-I/Os 2. Saving the program 3. Checking the printout 4. Downloading the program to the CPU 5.
  • Page 182 Safety F-I/Os that are supposed to have the same safety-relevant module parameters can be copied during configuration. Their safety-relevant module parameters no longer have to be checked individually: It is enough to compare the ’Parameter CRC (without address)’ of the copied F-I/Os with the ’Parameter CRC (without address)’ of the already checked F-I/Os and to check the logical start addresses.
  • Page 183 Safety Configuration • F-I/Os that are supposed to have the same safety-relevant module parameters can be copied during configuration. Their safety-relevant module parameters no longer have to be checked individually: It is enough to compare the ’Parameter CRC (without address)’ of the copied F-I/Os with the ’Parameter CRC (without address)’...
  • Page 184 Safety • The specified I/Os must be checked in the case of the following fail-safe blocks: Fail-Safe Block Description F_CYC_CO MAX_CYC Maximum permissible F cycle time F_SENDBO, F_RCVBO TIMEOUT Monitoring time during communication between F- F_SENDR, F_RCVR CPUs F_R_R, F_R_BO TIMEOUT Monitoring time during communication between F-...
  • Page 185 Safety You can obtain the overall signature of the program and the signatures of the blocks in the CPU by choosing the Options > Edit Safety Program menu command. When a comparison with the online program is made, it is indicated whether the source, load memory and working memory match up (this enables impermissible data manipulation to non-interconnected fail-safe input parameters in the working memory to be detected).
  • Page 186: Acceptance Of Changes To The Safety Program

    Safety 7.5.2 Acceptance of Changes to the Safety Program To accept changes to the Safety Program, proceed as follows: 1. Save the program 2. Compare the new program with the accepted one (see the section entitled "Comparing Safety Programs"). 3. Check the changes in the printout 4.
  • Page 187 Safety Changes to the addresses or symbolic names of signals can be recognized by the change to the ADDR_CODE parameter of the relevant F channel driver (F_CH_xx). Changes to the network configuration in NetPro can be recognized by the change to the CRC_IMP parameter of the relevant F communication blocks (F_RCVxx and F_SENDxx).
  • Page 188: Acceptance Of F-Block Types

    Safety 7.5.3 Acceptance of F-Block Types Initial Acceptance A newly created F-Block type is accepted for the first time in the same way as a Safety Program. The function test of the F-Block type must take place in a different Safety Program to the test environment.
  • Page 189: Fail-Safe Blocks

    Fail-Safe Blocks Overview 8.1.1 Fail-Safe Blocks All the fail-safe blocks are contained in the Failsafe Blocks library in the catalog of libraries. Where possible, the F-Blocks are assigned to the existing families of standard blocks in the catalog of the blocks used.
  • Page 190: F-Data Types

    Fail-Safe Blocks 8.1.2 F-Data Types Special F-data types in a safety data format are used for fail-safe block I/Os. The safety data format is used to expose data and address corruptions. The F-data types are programmed as structures and appear in the CFC chart with the prefix "ST".
  • Page 191 Fail-Safe Blocks Default The default only specifies the first structural component, DATA. The other two structure elements required for safety are automatically added when CFC charts are compiled. The same applies to the assignment of constants. See Also Blocks for Converting Data Between Standard and Safety Sections
  • Page 192: Block I/Os

    Fail-Safe Blocks 8.1.3 Block I/Os In the case of fail-safe blocks, there are some points to note concerning the block I/Os: • Although the I/Os EN and ENO appear in the CFC chart, they are neither evaluated nor assigned by the program code of the F-Block and you must not interconnect them.
  • Page 193 Fail-Safe Blocks Signal State 1 or 0 Signal state 1 at the block I/O of the data type BOOL always means that the event described (e.g. error on channel x) is active. Making Block I/Os Visible Proceed as follows: 1. Double-click the block’s header. 2.
  • Page 194: Block Numbers

    Fail-Safe Blocks 8.1.4 Block Numbers Block Number Block Name FC 180 DB_INIT FC 181 FAIL_MSG FC 301 DB_RES FC 303 F_FBO_BO FC 304 F_FR_R FC 305 F_FI_I FC 306 F_FTI_TI FB 301 F_AND4 FB 302 F_OR4 FB 303 F_XOR2 FB 304 F_NOT FB 305 F_2OUT3...
  • Page 195: Fail-Safe Fb Numbers

    Fail-Safe Blocks Block Number Block Name FB 368 F_TI_FTI FB 369 F_I_FI FB 370 F_SENDBO FB 371 F_RCVBO FB 372 F_SENDR FB 373 F_RCVR FB 377 F_CH_DI FB 378 F_CH_DO FB 379 F_CH_AI FB 384 F_M_DI8 FB 385 F_M_DI24 FB 386 F_M_DO10 FB 387 F_M_AI6...
  • Page 196: Installation In Cyclic Interrupt Obs

    Fail-Safe Blocks 8.1.5 Installation in Cyclic Interrupt OBs Safety Note – Safety Program can be installed in OB 3x ONLY Fail-safe blocks can only be installed in a cyclic interrupt OB 3x. Installation in OB 1 is not permissible. The cycle time of the cyclic interrupt OB is assigned parameters in HWCONFIG (CPU parameters "Cyclic Interrupts, Execution").
  • Page 197: Driver Blocks For F-I/Os

    Fail-Safe Blocks Driver Blocks for F-I/Os To ensure fail-safe data exchange between the Safety Program and F-I/Os, additional safety-related information is also transmitted in addition to the actual user data (process values). The following driver blocks are available for the transfer of user data with a safety protocol: F Channel Drivers Block...
  • Page 198: F_Ch_Di

    Fail-Safe Blocks 8.2.1 F_CH_DI Function The block reads the digital value of the input channel whose symbolic name is linked to the input VALUE from the associated F module driver (F_M_DIx). The F module driver has read the digital value via a safety frame from the digital input module (or possibly a module that is redundant to this one).
  • Page 199 Fail-Safe Blocks Name Data Type Explanation Default Outputs: PASS_OUT F_BOOL Passivation output QBAD F_BOOL 1=process value invalid, value substitution active QSIM F_BOOL 1=simulation active F_BOOL Process value F_BOOL Negating process value Q_DATA BOOL DATA component of the process value (for visualization) QUALITY BYTE Value status (quality code) of...
  • Page 200 Fail-Safe Blocks Startup Characteristics After a startup (cold restart or warm restart), communication must first be established between the F module driver and the digital input module. In this time, the substitute value 0 is output with the quality code (QUALITY) 16#48, and the outputs QBAD = 1 and PASS_OUT = 1 are set as well.
  • Page 201: F_Ch_Do

    Fail-Safe Blocks 8.2.2 F_CH_DO Function The F channel driver makes the process value at the input I available to the associated F module driver (F_M_DOx). The F module driver reads the value from the F channel driver F_CH_DO and writes it via a safety frame to the channel of the digital output module addressed via the output VALUE (and possibly of a module that is redundant to this).
  • Page 202 Fail-Safe Blocks Name Data Type Explanation Default Outputs: PASS_OUT F_BOOL Passivation output QBAD F_BOOL 1=process value invalid, value substitution active QSIM F_BOOL 1=simulation active CHADDR F_WORD Address of the channel in Interconnected the F module driver automatically VALUE BOOL Must be interconnected with the symbolic address of the channel from HWCONFIG across the margin of the...
  • Page 203 Fail-Safe Blocks Substitute Value In the event of communication errors (PROFIsafe) or channel faults (e.g. wire break), in the case of passivation and during a startup (cold or warm restart), the substitute value 0 is made available for the associated F module driver (F_M_DOx).
  • Page 204 Fail-Safe Blocks 8.2.3 F_CH_AI Function The block reads the analog non-linearized value of the input channel whose symbolic name is linked to the input VALUE from the associated F module driver (F_M_AIx). The F module driver has read the non-linearized value via a safety frame from the analog input module (or possibly a module that is redundant to this one).
  • Page 205 Fail-Safe Blocks Name Data Type Explanation Default SIM_ON F_BOOL 1= activate simulation value 0= deactivate simulation value SUBS_ON F_BOOL 1=enable value substitution SUBS_V F_REAL Substitute value PASS_ON F_BOOL 1= activate passivation 0= deactivate passivation ACK_NEC F_BOOL User acknowledgment for reintegration after error 1 = required 0 = not required ACK_REI...
  • Page 206: F_Ch_Ai

    Fail-Safe Blocks Non-Linearized Value Checking Depending on the measurement type and measurement range, there is a rated range of the analog input module, in which the analog signal is converted to a digitized non-linearized value. To this end, there is an overrange and an underrange in which the analog signal can still be converted.
  • Page 207 Fail-Safe Blocks Normal Value The non-linearized value is adapted to its physical size using the input parameters VLRANGE and VHRANGE and the measurement range and measurement type (MODE) set in HWCONFIG. To enable the settings for VLRANGE and VHRANGE to be switched to other block parameters, these are written to the outputs OVLRANGE and OVHRANGE.
  • Page 208 Fail-Safe Blocks Substitute Value/Keep Last Value In the case of an invalid non-linearized value as a result of a communication error (PROFIsafe), channel fault, overflow/underflow or violation of channel fault limits and in the case of passivation, depending on the parameter assignment (input parameter SUBS_ON), a substitute value or the last valid value is output, and the output QBAD = 1 is set.
  • Page 209 Fail-Safe Blocks Error in the Case of Module Redundancy In the event of an error, a switch is made to the analog value of the redundant module. After the error is corrected, there is no switch back; instead, work continues with the last valid analog value. If an error only occurs on one of the redundant modules, automatic reintegration takes place in the F channel driver F_CH_AI after the error is corrected.
  • Page 210: Common Features Of The Driver Blocks

    Fail-Safe Blocks 8.2.4 Common Features of the Driver Blocks F Module Drivers Safety frame Fail-safe data exchange between a Safety Program and an F-I/O occurs via safety frames. In addition to user data (i.e. process values), information on safety is also transferred.
  • Page 211 Fail-Safe Blocks • If a fault occurs on both of the redundant channels: In the case of digital input modules, the substitute value 0 is output on the F channel driver. In the case of digital output modules, the substitute value 0 is sent to both channels.
  • Page 212 Fail-Safe Blocks Error Handling The F module drivers can detect errors as well as respond to errors reported by the module. Each block has several options for signaling and handling errors. F Channel Drivers Installation in Cyclic Interrupt OBs Every F channel driver block must be installed in a cyclic interrupt OB3x. Multiple installation of an instance in different cyclic interrupts is not permissible.
  • Page 213: Blocks For F Communication Between Cpus

    Fail-Safe Blocks Blocks for F Communication Between CPUs To ensure safety-related data exchange between Safety Programs on different CPUs, additional safety-related information is transferred along with the actual user data. This information and the associated mechanisms remain hidden from the user.
  • Page 214: Do Not Change Crc_Imp Input

    Fail-Safe Blocks RETVAL Parameter Return values (RET_VAL) of the system functions are indicated at the RETVAL parameter of the blocks for F communication. The return values are error codes that give you additional assistance in finding the error (see the section entitled "Error Information at the Output RETVAL").
  • Page 215: F_Sendbo

    Fail-Safe Blocks 8.3.1 F_SENDBO Function This block safely sends 20 data items of the F_BOOL data type to another CPU. The data can be received there by the F_RCVBO block. The data to be sent (e.g. outputs from other blocks) is stored at the inputs SD_BO_xx.
  • Page 216 Fail-Safe Blocks TIMEOUT Parameter The input TIMEOUT cannot be interconnected and must be assigned a constant value. See "Monitoring Safety-Related Communication Between CPUs". Error Handling If a connection partner (recipient) acknowledges receipt via an invalid safety frame (e.g. due to a check value error (CRC) or watchdog error) or does not acknowledge it within the TIMEOUT monitoring time, the outputs ERROR and SUBS_ON are set.
  • Page 217: F_Rcvbo

    Fail-Safe Blocks 8.3.2 F_RCVBO Function This block safely receives 20 data items of the F_BOOL data type sent by the F_SENDBO block from another CPU. The received data is stored at the outputs RD_BO_xx for further processing by other blocks. The data is transferred via safety frames.
  • Page 218 Fail-Safe Blocks TIMEOUT Parameter It can only safely be guaranteed that a signal level to be transferred will be detected on the sender side and transferred to the recipient if it is present for at least as long as the specified monitoring time (TIMEOUT). The input TIMEOUT cannot be interconnected and must be assigned a constant value.
  • Page 219: F_Sendr

    Fail-Safe Blocks 8.3.3 F_SENDR Function This block safely sends 20 data items of the F_REAL data type to another CPU. It can be received there by the F_RCVR block. The data to be sent (e.g. outputs from other blocks) is stored at the inputs SD_R_xx.
  • Page 220 Fail-Safe Blocks TIMEOUT Parameter It can only safely be guaranteed that a signal level to be transferred will be detected on the sender side and transferred to the recipient if it is present for at least as long as the specified monitoring time (TIMEOUT). The input TIMEOUT cannot be interconnected and must be assigned a constant value.
  • Page 221: F_Rcvr

    Fail-Safe Blocks 8.3.4 F_RCVR Function This block safely receives 20 data items of the F_REAL data type sent by the F_SENDR block from another CPU. The received data comes to the outputs RD_R_xx for further processing by other blocks. The data is transferred via safety frames. Startup Characteristics After a startup (cold restart or warm restart), communication must first be established between the communication partners.
  • Page 222 Fail-Safe Blocks TIMEOUT Parameter The input TIMEOUT cannot be interconnected and must be assigned a constant value. See "Monitoring Safety-Related Communication Between CPUs". Error Handling If a connection partner receives an invalid safety frame (e.g. due to a check value error (CRC) or watchdog error) or does not receive a valid safety frame within the TIMEOUT monitoring time, the outputs ERROR and SUBS_ON are set and the substitute values are output.
  • Page 223: Blocks For Converting Data

    Fail-Safe Blocks Blocks for Converting Data Block Description F_BO_FBO Convert from BOOL to F_BOOL F_I_FI Convert from INT to F_INT F_R_FR Convert from REAL to F_REAL F_TI_FTI Convert from TIME to F_TIME F_FBO_BO Convert from F_BOOL to BOOL F_FI_I Convert from F_INT to INT F_FR_R Convert from F_REAL to REAL F_FR_FI...
  • Page 224: F_Bo_Fbo

    Fail-Safe Blocks 8.4.1 F_BO_FBO Function This block converts the BOOL data type into the corresponding F_BOOL F data type. This enables signals formed in the standard program section to be further processed in the safety program section following a plausibility check. I/Os Name Data Type...
  • Page 225: F_I_Fi

    Fail-Safe Blocks 8.4.2 F_I_FI Function This block converts the INT data type into the corresponding F_INT F data type. This enables signals formed in the standard program section to be processed further in the safety program section following a plausibility check (to be added by the user with F-block F_LIM_I, for example).
  • Page 226: F_R_Fr

    Fail-Safe Blocks 8.4.3 F_R_FR Function This block converts the REAL data type into the corresponding F_REAL F data type. This enables signals formed in the standard program section to be further processed in the safety program section following a plausibility check (to be added in the Safety Program with F-block F_LIM_R, for example).
  • Page 227: F_Ti_Fti

    Fail-Safe Blocks 8.4.4 F_TI_FTI Function This block converts the TIME data type into the corresponding F_TIME F data type. This enables signals formed in the standard program section to be further processed in the safety program section following a plausibility check (to be added by the user with F-block F_LIM_TI, for example).
  • Page 228: F_Fbo_Bo

    Fail-Safe Blocks 8.4.5 F_FBO_BO Function This block converts the F-data type F_BOOL into the standard data type BOOL, since individual structure elements of the F-data type cannot be accessed separately in the CFC chart. This enables signals formed in the Safety Program section to be further processed in the standard program section.
  • Page 229: F_Fi_I

    Fail-Safe Blocks 8.4.6 F_FI_I Function This block converts the F-data type F_INT into the standard data type INT, since individual structure elements of the F-data type cannot be accessed separately in the CFC chart. This enables signals formed in the Safety Program section to be further processed in the standard program section.
  • Page 230: F_Fr_R

    Fail-Safe Blocks 8.4.7 F_FR_R Function This block converts the F-data type F_REAL into the standard data type REAL, since individual structure elements of the F-data type cannot be accessed separately in the CFC chart. This enables signals formed in the Safety Program section to be further processed in the standard program section.
  • Page 231: F_Fr_Fi

    Fail-Safe Blocks 8.4.8 F_FR_FI Function The block converts the F-data type F_REAL into the F-data type F_INT. This enables signals formed within the safety program section to be converted while maintaining the safety data format. I/Os Name Data Type Explanation...
  • Page 232: F_Fti_Ti

    Fail-Safe Blocks 8.4.9 F_FTI_TI Function This block converts the F-data type F_TIME into the standard data type TIME, since individual structure elements of the F-data type cannot be accessed separately in the CFC chart. This enables signals formed in the Safety Program section to be further processed in the standard program section.
  • Page 233: F_Quites

    Fail-Safe Blocks 8.4.10 F_QUITES Function This block enables fail-safe acknowledgment from a non-fail-safe ES/OS. This allows reintegration of F-I/Os to be controlled via the ES/OS, for example. An acknowledgment comprises two steps: 1. Changing the input IN to the value 6 2.
  • Page 234 Fail-Safe Blocks Timing Diagram (figure: min. 1 s, max. 1 min, max. 1 min; one cycle: possible time for a signal change) I/Os Name Data Type Explanation Default Input: Input variable from the ES Outputs: F_BOOL Output for acknowledgment BOOL Status of the time evaluation Error Handling In the event of an error that is critical to safety, the system function SFC F_CTRL is called.
  • Page 235: F_S_Bo

    Fail-Safe Blocks F-System Blocks Block Description F_S_BO Fail-safe transmission of 10 data items of the data type F_BOOL to another F-run-time group. F_R_BO Fail-safe receipt of 10 data items of the data type F_BOOL from another F-run-time group F_S_R Fail-safe transmission of 5 data items of the data type F_ to another F-run-time group F_R_R Fail-safe receipt of 5 data items of the data type F_REAL from...
  • Page 236 Fail-Safe Blocks 8.5.1 F_S_BO Function This block safely transfers 10 data items of the data type F_BOOL to another F- run-time group. It can be received there by the F_R_BO block. The data to be sent (e.g. outputs from other blocks) is stored at the inputs SD_BO_xx.
  • Page 237: F_R_Bo

    Fail-Safe Blocks 8.5.2 F_R_BO Function This block safely receives 10 data items of the data type F_BOOL sent from another F-run-time group from the F_S_BO block. The received data is stored at the outputs RD_BO_xx for further processing by other blocks. The input S_DB must be connected with the output of the same name of the sending block.
  • Page 238 Fail-Safe Blocks Error Handling In the event of an error that is critical to safety, the system function SFC F_CTRL is called. This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU. For non-redundant systems or a common-cause error occurring in both CPUs, the shutdown logic can be configured to either disable the erred F-run-time group or the entire Safety Program.
  • Page 239: F_S_R

    Fail-Safe Blocks 8.5.3 F_S_R Function This block safely transfers 5 data items of the data type F_REAL to another F-run- time group. It can be received there by the F_R_R block. The data to be sent (e.g. outputs from other blocks) is stored at the inputs SD_R_xx.
  • Page 240: F_R_R

    Fail-Safe Blocks 8.5.4 F_R_R Function This block safely receives 5 data items of the data type F_REAL sent from another F-run-time group from the F_S_R block. The received data comes to the outputs RD_R_xx for further processing by other blocks. The input S_DB must be connected with the output of the same name of the sending block.
  • Page 241 Fail-Safe Blocks Error Handling In the event of an error that is critical to safety, the system function SFC F_CTRL is called. This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU. For non-redundant systems or a common-cause error occurring in both CPUs, the shutdown logic can be configured to either disable the erred F-run-time group or the entire Safety Program.
  • Page 242: F_Start

    Fail-Safe Blocks 8.5.5 F_START Function In the first cycle of the cyclic interrupt OB after a cold or warm restart, the block indicates by means of a value of 1 at the output COLDSTRT that a startup (cold or warm restart) has been carried out. COLDSTRT remains present until the next call of F_START.
  • Page 243: F Control Blocks

    Fail-Safe Blocks F Control Blocks To ensure that a Safety Program is executable, the F control blocks are necessary to check the program execution time. These F control blocks are automatically inserted and interconnected at compilation of CFC charts. Block Description F_CYC_CO F cycle time monitoring...
  • Page 244: F_Cyc_Co

    Fail-Safe Blocks 8.6.1 F_CYC_CO Function This block monitors the cycle time of its priority class (cyclic interrupt OB 3x) and provides a fail-safe time base for other F blocks. At compilation, the block is inserted automatically into an F-run-time group named @F_CycCo-OB3x, where x (0 through 8) corresponds to the OB3x containing F-Blocks; this run-time group also contains the blocks F_TESTC and F_TEST.
  • Page 245 Fail-Safe Blocks Error Information in Diagnostic Buffer Error Code (W#16#...) Description 75DAH Error in the safety data format of the input MAX_CYC or the output DIFF (error due to online modification of the Safety Program or internal CPU fault) Power failure 75E1H Internal CPU fault 75E1H...
  • Page 246: F_M_Di8

    Fail-Safe Blocks 8.6.2 F_M_DI8 Function The F module driver reads the digital values and error information of an 8-channel, fail-safe digital input module and makes the data available to the associated F channel driver (F_CH_DI). If there is a redundant module, the digital values of both modules are evaluated. The F module driver is automatically inserted at the beginning of the run-time group which also contains the associated F channel driver F_CH_DI.
  • Page 247 Fail-Safe Blocks Name Data Type Explanation Default Outputs: CHADDR00 F_WORD Interconnection with the F Interconnected channel driver of channel 0 automatically CHADDR07 F_WORD Interconnection with the F Interconnected channel driver of channel 7 automatically DIAG_1 DWORD Diagnostic information for SM1, see table below DIAG_2 DWORD Diagnostic information for...
  • Page 248 Fail-Safe Blocks Error Handling In the event of an error that is critical to safety, the system function SFC_F_CTRL is called. This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU. For non-redundant systems or a common-cause error occurring in both CPUs, the shutdown logic can be configured to either disable the erred F-run-time group or the entire Safety Program.
  • Page 249: F_M_Di24

    Fail-Safe Blocks 8.6.3 F_M_DI24 Function The F module driver reads the digital values and error information of a 24-channel, fail-safe digital input module and makes the data available to the associated F channel driver (F_CH_DI). If there is a redundant module, the digital values of both modules are evaluated. The F module driver is automatically inserted at the beginning of the run-time group which also contains the associated F channel driver F_CH_DI.
  • Page 250 Fail-Safe Blocks Name Data Type Explanation Default Outputs: CHADDR00 F_WORD Interconnection with the F Interconnected channel driver of channel 0 automatically CHADDR23 F_WORD Interconnection with the F Interconnected channel driver of channel 23 automatically DIAG_1 DWORD Diagnostic information for SM1, see table below DIAG_2 DWORD Diagnostic information for...
  • Page 251 Fail-Safe Blocks Note In byte 0 of DIAG_1/2, the most recent error information remains stored until a new error occurs, even if the error has already gone. Error Handling In the event of an error that is critical to safety, the system function SFC_F_CTRL is called.
  • Page 252: F_M_Do8

    Fail-Safe Blocks 8.6.4 F_M_DO8 Function The F module driver reads the digital output values from the associated F channel drivers (F_CH_DO) and writes them to an 8-channel, fail-safe digital output module. In addition, it reads the error information of the module and makes the data available to the associated F channel driver (F_CH_DO).
  • Page 253 Fail-Safe Blocks Name Data Type Explanation Default Outputs: DIAG_1 DWORD Diagnostic information for SM1, see table below DIAG_2 DWORD Diagnostic information for SM2, see table below PROFIsafe1 F_BOOL Identify failure on a specific PROFIsafe bus PROFIsafe2 F_BOOL Identify failure on a specific PROFIsafe bus SM1, SM2 –...
  • Page 254: F_M_Do10

    Fail-Safe Blocks Error Information in Diagnostic Buffer Error Code (W#16#...) Description 75DAH Error in the safety data format (error due to online modification of the Safety Program or internal CPU fault) 8.6.5 F_M_DO10 Function The F module driver reads the digital output values from the associated F channel drivers (F_CH_DO) and writes them to a 10-channel, fail-safe digital output module.
  • Page 255 Fail-Safe Blocks Name Data Type Explanation Default Outputs: DIAG_1 DWORD Diagnostic information for SM1, see table below DIAG_2 DWORD Diagnostic information for SM2, see table below PROFIsafe1 F_BOOL Identify failure on a specific PROFIsafe bus PROFIsafe2 F_BOOL Identify failure on a specific PROFIsafe bus SM1, SM2 –...
  • Page 256: F_M_Ai6

    Fail-Safe Blocks Error Information in Diagnostic Buffer Error Code (W#16#...) Description 75DAH Error in the safety data format (error due to online modification of the Safety Program or internal CPU fault) 8.6.6 F_M_AI6 Function The F module driver reads the analog values (non-linearized values) and error information of a 6-channel, fail-safe analog input module and makes the data available to the associated F channel driver (F_CH_AI).
  • Page 257 Fail-Safe Blocks Name Data Type Explanation Default Outputs: CHADDR00 F_WORD Interconnection with the F Interconnected channel driver of channel 0 automatically CHADDR05 F_WORD Interconnection with the F Interconnected channel driver of channel 5 automatically DIAG_1 DWORD Diagnostic information for SM1, see table below DIAG_2 DWORD Diagnostic information for...
  • Page 258: F_Plk

    Fail-Safe Blocks Error Information in Diagnostic Buffer Error Code (W#16#...) Description 75DAH Error in the safety data format (error due to online modification of the Safety Program or internal CPU fault) 8.6.7 F_PLK Function This block executes, among other things, logical program and data flow control before the output blocks and provides a corresponding enable signal for this.
  • Page 259: F_Plk_O

    Fail-Safe Blocks 8.6.8 F_PLK_O Function This block executes, among other things, logical program and data flow control after the output blocks and provides a corresponding enable signal for this. The block is inserted automatically into each F-run-time group after the output blocks at compilation.
  • Page 260: F_Shutdn

    Fail-Safe Blocks 8.6.9 F_SHUTDN Function The F_SHUTDN function block, which is a standard function block packaged in the Failsafe Blocks library, provides new functionality to control and manage F-run-time group shutdown and reinitialization. The F_SHUTDN function block: • is automatically placed by the compiler in a CFC named @F_ShutDn. •...
  • Page 261 Fail-Safe Blocks Name Data Type Explanation Default SHUTDOWN BOOL Defines the response to a Full (1) detected FAILURE (rising edge): either "Partial" (isolated F-run-time groups shutdown) or "Full" (entire Safety Program shutdown). RQ_FULL BOOL Manual request for entire Safety Program shutdown.
  • Page 262: F_Shutdn In Slowest Configured Ob

    Fail-Safe Blocks Name Data Type Explanation Default NFY_STAT WORD Return of SFB 31 NOTIFY_8P W#16#0000 STAT output. Partial Shutdown Configuration When SHUTDOWN = Partial, the F-run-time groups that have a detected failure are automatically disabled, without affecting other fault-free F-run-time groups. For each F-run-time group with a detected failure, a diagnostic buffer event is reported indicating that a failure was detected.
  • Page 263 Fail-Safe Blocks functions may take several seconds to complete. Upon completion, the disabled F-run-time groups are re-enabled and, if FULL_SD was TRUE indicating a Safety Program shutdown, this output is set to FALSE. Note After restarting the Safety Program, reintegration of your I/O may be necessary through the use of the F_QUITES function block.
  • Page 264 Fail-Safe Blocks the block by opening the Blocks folder of your F-Project, selecting the ALARM_8 block and pressing F1 for help. Similarly, when a Notify Message is reported, the NFY_XXX outputs return the status of the NOTIFY_8P SFB call. To obtain help on the NOTIFY_8P error outputs, open the Blocks folder of your F-Project, select the NOTIFY_8P block and press F1 for help.
  • Page 265: F_Test

    Fail-Safe Blocks 8.6.10 F_TEST Function This block executes a command test. At compilation, the block is inserted automatically into an F-run-time group named @F_CycCo-OB3x, where x is 0 through 8 and corresponds to the OB3x containing F-Blocks; this group contains the blocks F_CYC_CO and F_TESTC. Note For a project based on Fail-safe Blocks (V1_1), the user must follow the manual procedure for creating a CFC chart with the F_CYC_CO function block.
  • Page 266: F_Testc

    Fail-Safe Blocks 8.6.11 F_TESTC Function This block checks whether the background self-tests of the CPU have been carried out fully and without errors and that they did not take place more than 24 hours ago. The tests must not be switched off by SFC 90. At compilation, the block is inserted automatically into an F-run-time group named @F_CycCo-OB3x, where x is 0 through 8 and corresponds to the OB3x containing F-Blocks; this group contains the blocks F_CYC_CO and F_TEST.
  • Page 267: F_Testm

    Fail-Safe Blocks 8.6.12 F_TESTM Function This block is for activating/deactivating safety mode. At compilation, the block is inserted automatically into an F-run-time group named @F_TestMode. I/Os The block has no visible I/Os. Error Handling None Operation and Monitoring The invisible TEST parameter has the system attribute S7_m_c. It can therefore be monitored directly from an operator interface system (OS).
  • Page 268: Db_Res

    Fail-Safe Blocks 8.6.13 DB_RES Function This block supports the startup characteristics in the event of a cold restart/warm restart of the CPU. The block is inserted automatically at compilation. I/Os The block has no visible I/Os. Fail-Safe Systems 8-80 A5E00085588-03...
  • Page 269: Db_Init

    Fail-Safe Blocks 8.6.14 DB_INIT Function The DB_INIT function, which is a standard function packaged in the Failsafe Blocks library, provides new functionality to initialize F-run-time groups at the direction of the F_SHUTDN function block. The DB_INIT function block is automatically placed by the compiler in a CFC chart named @F_DbInit.
  • Page 270: Fail_Msg

    Fail-Safe Blocks 8.6.15 FAIL_MSG Function This block is used by the RTG_LOGIC block type. The block is inserted automatically at compilation. I/Os The inputs and outputs will not be explained here since this is logic that the system automatically generates. Fail-Safe Systems 8-82 A5E00085588-03...
  • Page 271: Rtg_Logic

    Fail-Safe Blocks 8.6.16 RTG_LOGIC Function The RTG_LOGIC function block, which is a standard function packaged in the Failsafe Blocks library, provides new functionality to interface the F-run-time groups and the shutdown logic. The RTG_LOGIC function block is automatically placed by the compiler in a CFC chart named @F_ShutDn.
  • Page 272: Sfc F_Ctrl

    Fail-Safe Blocks 8.6.17 SFC F_CTRL SFC F_CTRL is a System Function Call in the CPU that is called in the event an internal diagnostic determines there is a failure of the hardware or a diagnostic used to determine timeouts is tripped. SFC F_CTRL is called from function blocks that have diagnostics for such conditions.
  • Page 273: Logic Blocks With The Bool Data Type

    Fail-Safe Blocks Logic Blocks with the BOOL Data Type Block Description F_AND4 AND logic operation on four inputs F_OR4 OR logic operation on four inputs F_XOR2 XOR logic operation on two inputs F_NOT NOT logic operation F_2OUT3 Binary selection 2 out of 3 F_XOUTY Binary selection X out of Y 8.7.1...
  • Page 274 Fail-Safe Blocks I/Os Name Data Type Explanation Default Inputs: F_BOOL Input 1 F_BOOL Input 2 F_BOOL Input 3 F_BOOL Input 4 Output: F_BOOL Output OUTN F_BOOL Negating output Error Handling None
  • Page 275: F_Or4

    Fail-Safe Blocks 8.7.2 F_OR4 Function This block links the inputs by means of OR. The output OUT is 1 if at least one input is 1. If all inputs are 0, the output is 0. The output OUTN is the negation of the output OUT.
  • Page 276: F_Xor2

    Fail-Safe Blocks 8.7.3 F_XOR2 Function This block links the inputs by means of XOR (exclusive OR). The output OUT is 1 if exactly one input is 1. The output OUTN corresponds to the negating output OUT. Truth Table OUTN I/Os Name Data Type Explanation...
  • Page 277: F_Not

    Fail-Safe Blocks 8.7.4 F_NOT Function The block inverts the input. Truth Table I/Os Name Data Type Explanation Default Input: F_BOOL Input Output: F_BOOL Output Error Handling None 8.7.5 F_2OUT3 Function This block monitors three binary inputs for signal state 1. The output OUT is 1 if at least two inputs are 1.
  • Page 278 Fail-Safe Blocks I/Os Name Data Type Explanation Default Inputs: F_BOOL Input 1 F_BOOL Input 2 F_BOOL Input 3 Output: F_BOOL Output OUTN F_BOOL Negating output Error Handling None
  • Page 279: F_Xouty

    Fail-Safe Blocks 8.7.6 F_XOUTY Function The block monitors up to 16 binary inputs for signal state 1. The input signals are monitored starting with the input IN1 up to and including the input INY for signal state 1. The number of binary inputs to be monitored can be set with the Y parameter.
  • Page 280: Comparison Blocks For Two Input Values Of The Same Type

    Fail-Safe Blocks Comparison Blocks for Two Input Values of the Same Type Block Description F_LIM_HL Monitoring for upper limit violation of a REAL value F_LIM_LL Monitoring for lower limit violation of a REAL value F_2oo3_R Selects median of 3 REAL values F_1oo2_R Selects between 2 REAL values based on diagnostics 8.8.1...
  • Page 281 Fail-Safe Blocks I/Os Name Data Type Explanation Default Inputs: F_REAL Input variable U_HL F_REAL Upper limit 100.0 F_REAL Hysteresis SUBS_IN F_BOOL Substitute Input Outputs: F_BOOL 1: Upper limit violation F_BOOL Negating output QH U_HL_O REAL Upper limit 100.0 HYS_O REAL Hysteresis Note If, when you create the program, you preset the QH output in CFC the initial value...
  • Page 282 Fail-Safe Blocks 8.8.2 F_LIM_LL Function This block monitors the input variable U for violation of the lower limit (U_LL). A hysteresis can also be specified to avoid fluttering of the output QL in the event of fluctuations in the input value. •...
  • Page 283 Fail-Safe Blocks Note If, when you create the program, you preset the QL output in CFC with the initial value 1, it will remain set after startup (cold restart or warm restart) if U_LL < U <= (U_LL + HYS). It is only reset if U >...
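The hysteresis behaviour described for F_LIM_HL and F_LIM_LL (and the note on a QL output preset to 1 before startup) can be checked with a small model. The Python below is an added example and not Siemens code from this manual; the class and helper names are hypothetical, and the boundary conventions (a strict comparison sets the output, a reset only once U has moved HYS beyond the limit, the previous state is kept in between) are assumptions consistent with the note above. The count_transitions helper shows the point of the hysteresis: a value fluttering at the limit toggles QH every cycle without it.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LimitMonitor:
    """Hysteresis limit monitor modelled on F_LIM_HL (upper=True) / F_LIM_LL (upper=False).

    Hypothetical model, not the Siemens block: `limit` plays the role of U_HL or U_LL,
    `hys` the role of HYS and `q` the role of QH or QL. `q` may be preset to True to
    mimic an output preset to 1 in CFC before startup, as the manual's note describes.
    """
    limit: float
    hys: float = 0.0
    upper: bool = True
    q: bool = False

    def step(self, u: float) -> Tuple[bool, bool]:
        """Process one input value U and return (Q, QN), QN being the negated output."""
        if self.hys < 0.0:
            raise ValueError("HYS must not be negative")
        if self.upper:
            # Assumed convention: set on a strict violation of the upper limit, reset
            # only once U has fallen HYS below it; in between the old state is kept.
            if u > self.limit:
                self.q = True
            elif u < self.limit - self.hys:
                self.q = False
        else:
            # Mirror image for the lower limit: set below U_LL, reset above U_LL + HYS.
            if u < self.limit:
                self.q = True
            elif u > self.limit + self.hys:
                self.q = False
        return self.q, not self.q


def count_transitions(trace: List[float], limit: float, hys: float, upper: bool = True) -> int:
    """Count how often Q changes while the trace is processed, starting from Q = 0."""
    mon = LimitMonitor(limit=limit, hys=hys, upper=upper)
    changes = 0
    prev = mon.q
    for u in trace:
        q, _ = mon.step(u)
        if q != prev:
            changes += 1
            prev = q
    return changes


# Constructed sample: a process value fluttering around an upper limit of 100.0.
NOISY_TRACE = [99.0, 101.0, 99.0, 101.0, 99.0, 101.0]

if __name__ == "__main__":
    print("QH transitions without hysteresis:", count_transitions(NOISY_TRACE, 100.0, 0.0))
    print("QH transitions with HYS = 5.0:    ", count_transitions(NOISY_TRACE, 100.0, 5.0))
```

With the lower-limit variant preset to Q = 1 and U_LL = 10.0, HYS = 2.0, the model keeps QL set for 10.0 < U <= 12.0 and clears it only above 12.0, which is the startup behaviour the note describes.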
  • Page 284: F_2Oo3_R

    Fail-Safe Blocks 8.8.3 F_2oo3_R Function This block selects the median value from three inputs and places the result at the output. The QBAD output will be set if two or more of the three inputs present a QBAD input. Note This function block is supplied as a block type.
  • Page 285 Fail-Safe Blocks Interaction with Channel Drivers For proper operation of the F_2oo3_R block when the three analog inputs are provided by F_CH_AI channel drivers, it is important to coordinate the configuration parameters of the channel drivers and the F_2oo3_R block. The key is to determine a typical, expected operating value for the values feeding the F_2oo3_R block and set all three channel drivers’...
  • Page 286: F_1Oo2_R

    Fail-Safe Blocks Error Information in Diagnostic Buffer Error Code (W#16#...) Description 0x75D9 Invalid REAL number Error in the safety data format (error due to online modification of the 0x75DA Safety Program or internal CPU fault) 8.8.4 F_1oo2_R Function This block selects its output from one of two inputs based on the QBAD inputs. IN1 will be output unless QBAD1 is set, which selects IN2 as the output.
  • Page 287 Fail-Safe Blocks Interaction with Channel Drivers For proper operation of the F_1oo2_R block when the two analog inputs are provided by F_CH_AI channel drivers, it is important to coordinate the configuration parameters of the channel drivers and the F_1oo2_R block. The key is to determine a typical, expected operating value for the values feeding the F_1oo2_R block and set both channel drivers’...
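The voting rules stated for F_2oo3_R (median of three inputs, QBAD set when two or more inputs are QBAD) and F_1oo2_R (IN1 unless QBAD1 is set, then IN2), together with the 75D9 "invalid REAL number" entry both blocks can record, are modelled in the Python below. It is an added example, not Siemens code; the function names are hypothetical, and the QBAD output rule for F_1oo2_R (set only when both inputs are bad) is an assumption because the manual's description of that output is cut off on this page.

```python
import math
from typing import Tuple

# Diagnostic Buffer code the manual lists for an invalid REAL number in these blocks.
ERR_INVALID_REAL = 0x75D9


class InvalidReal(Exception):
    """Raised where the F-block would record error 75D9 in the Diagnostic Buffer."""

    def __init__(self, value: float) -> None:
        super().__init__(f"invalid REAL number {value!r} (diagnostic code {ERR_INVALID_REAL:#06x})")
        self.code = ERR_INVALID_REAL


def check_real(x: float) -> float:
    """NaN and +/-Inf are not valid REAL process values; reject them instead of voting on them."""
    if math.isnan(x) or math.isinf(x):
        raise InvalidReal(x)
    return x


def f_2oo3_r(in1: float, in2: float, in3: float,
             qbad1: bool = False, qbad2: bool = False, qbad3: bool = False) -> Tuple[float, bool]:
    """Model of F_2oo3_R: OUT is the median of the three inputs, QBAD is set when
    two or more of the inputs carry a QBAD flag. One wildly wrong sensor cannot
    move the median, which is what makes the 2oo3 arrangement robust."""
    ordered = sorted(check_real(v) for v in (in1, in2, in3))
    out = ordered[1]
    qbad = sum((qbad1, qbad2, qbad3)) >= 2
    return out, qbad


def f_1oo2_r(in1: float, in2: float, qbad1: bool = False, qbad2: bool = False) -> Tuple[float, bool]:
    """Model of F_1oo2_R: IN1 is passed through unless QBAD1 is set, then IN2.
    Assumption (not on the page): QBAD is set only when both inputs are bad."""
    out = check_real(in2) if qbad1 else check_real(in1)
    return out, (qbad1 and qbad2)


if __name__ == "__main__":
    # Constructed sample: two healthy transmitters near 50 and one stuck at full scale.
    print("2oo3 median with one stuck sensor:", f_2oo3_r(50.0, 51.0, 999.0))
    print("1oo2 with IN1 flagged bad:        ", f_1oo2_r(10.0, 20.0, qbad1=True))
```

The check_real guard is the part worth keeping in mind when the inputs come from channel drivers: a NaN compares false against everything, so passing it into a comparison-based voter without a validity check would silently produce an output that no limit monitor downstream can catch.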
  • Page 288: Flip-Flop Blocks

    Fail-Safe Blocks Error Information in Diagnostic Buffer Error Code (W#16#...) Description: 0x75D9 Invalid REAL number; 0x75DA Error in the safety data format (error due to online modification of the Safety Program or internal CPU fault) Flip-Flop Blocks Block Description F_RS_FF RS flipflop, resetting dominant F_SR_FF SR flipflop, setting dominant...
  • Page 289 Fail-Safe Blocks Note If, when you create the program, you preset the Q output in CFC with the initial value 1, it will remain set after startup (cold restart or warm restart) until the signal state at the R input changes to 1. Note that the initial values of output parameters do not appear in the printout of the CFC chart.
  • Page 290: F_Sr_Ff

    Fail-Safe Blocks 8.9.2 F_SR_FF Function The block executes the function of an SR flipflop (setting dominant). The SR flipflop is set if the signal state at the input R = 0 and at the input S = 1. The flipflop is reset if the input R = 1 and the input S = 0. If the result of the logic operation is 1 at both inputs, the flipflop is set.
  • Page 291: F_Ctud

    Fail-Safe Blocks Error Information in Diagnostic Buffer Error Code (W#16#...) Description 75DAH Error in the safety data format of inputs S and R (error due to online modification of the Safety Program or internal CPU fault) 8.10 IEC Pulse and Counter Blocks Block Description F_CTUD...
  • Page 292 Fail-Safe Blocks I/Os Name Data Type Explanation Default Inputs: F_BOOL Up-counting input F_BOOL Down-counting input F_BOOL Reset input (R dominates over LOAD) LOAD F_BOOL Load input (LOAD dominates over CU and CD) F_INT Preset value Name Data Type Explanation Default Outputs: F_BOOL Status of the up counter...
  • Page 293: F_Tp

    Fail-Safe Blocks 8.10.2 F_TP Function The block generates a pulse with the duration PT at the output Q. The pulse is started by a rising edge at the input IN. The output Q remains set for the duration PT, irrespective of the subsequent pattern of the input signal. The output ET indicates how long the output Q has already been set.
  • Page 294 Fail-Safe Blocks Error Handling In the event of an error that is critical to safety, the system function SFC F_CTRL is called. This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU. For non-redundant systems or a common-cause error occurring in both CPUs, the shutdown logic can be configured to either disable the faulted F-run-time group or the entire Safety Program.
  • Page 295: F_Ton

    Fail-Safe Blocks 8.10.3 F_TON Function The block delays a rising edge by the time PT. A rising edge at the input IN results in a rising edge at the output Q after the time PT has elapsed. Q remains set until the input IN changes to 0. If the input IN changes to 0 before PT has elapsed, Q remains at 0.
  • Page 296 Fail-Safe Blocks Error Handling In the event of an error that is critical to safety, the system function SFC F_CTRL is called. This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU. For non-redundant systems or a common-cause error occurring in both CPUs, the shutdown logic can be configured to either disable the faulted F-run-time group or the entire Safety Program.
  • Page 297: F_Tof

    Fail-Safe Blocks 8.10.4 F_TOF Function The block delays a falling edge by the time PT. A rising edge at the input IN results in a rising edge at the output Q. A falling edge at IN results in a falling edge at Q after PT has elapsed. If the input IN changes to 1 before PT has elapsed, Q remains on 1.
  • Page 298 Fail-Safe Blocks Error Handling In the event of an error that is critical to safety, the system function SFC F_CTRL is called. This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU. For non-redundant systems or a common-cause error occurring in both CPUs, the shutdown logic can be configured to either disable the faulted F-run-time group or the entire Safety Program.
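The three IEC timer descriptions above (F_TP pulse, F_TON on-delay, F_TOF off-delay) are easiest to compare as cycle-by-cycle traces. The Python below is an added example, not Siemens code: each class is a hypothetical model of one block with time supplied explicitly in milliseconds per call, and the run helper feeds a constructed (time, IN) trace through it. The ET behaviour after a pulse has ended (reset to 0) is a simplification of this model, chosen for the F_TP case where the manual only says that ET indicates how long Q has been set.

```python
from typing import List, Optional, Tuple


class FTP:
    """Pulse timer modelled on F_TP: a rising edge at IN starts a pulse of PT ms at Q,
    and the pulse runs to completion irrespective of what IN does in the meantime.
    ET is the time Q has already been set (0 once the pulse is over, a simplification)."""

    def __init__(self, pt_ms: int) -> None:
        self.pt = pt_ms
        self.prev_in = False
        self.start: Optional[int] = None

    def step(self, in_: bool, now_ms: int) -> Tuple[bool, int]:
        rising = in_ and not self.prev_in
        self.prev_in = in_
        if rising and self.start is None:      # a new edge during a pulse is ignored
            self.start = now_ms
        if self.start is not None:
            et = now_ms - self.start
            if et < self.pt:
                return True, et
            self.start = None                  # pulse finished
        return False, 0


class FTON:
    """On-delay modelled on F_TON: Q rises PT ms after IN rose and stays set while IN
    stays 1; if IN drops before PT has elapsed, Q never rises and the delay restarts."""

    def __init__(self, pt_ms: int) -> None:
        self.pt = pt_ms
        self.start: Optional[int] = None

    def step(self, in_: bool, now_ms: int) -> Tuple[bool, int]:
        if not in_:
            self.start = None
            return False, 0
        if self.start is None:
            self.start = now_ms
        et = min(now_ms - self.start, self.pt)
        return et >= self.pt, et


class FTOF:
    """Off-delay modelled on F_TOF: Q follows a rising edge at IN immediately and falls
    PT ms after IN fell; if IN returns to 1 before PT has elapsed, Q simply stays 1."""

    def __init__(self, pt_ms: int) -> None:
        self.pt = pt_ms
        self.prev_in = False
        self.fall: Optional[int] = None

    def step(self, in_: bool, now_ms: int) -> Tuple[bool, int]:
        if in_:
            self.prev_in = True
            self.fall = None
            return True, 0
        if self.prev_in:                       # falling edge in this cycle
            self.prev_in = False
            self.fall = now_ms
        if self.fall is None:
            return False, 0
        et = min(now_ms - self.fall, self.pt)
        return et < self.pt, et


def run(timer, trace: List[Tuple[int, bool]]) -> List[Tuple[bool, int]]:
    """Feed a constructed (time_ms, IN) trace through a timer, one call per cycle."""
    return [timer.step(in_, now) for now, in_ in trace]


if __name__ == "__main__":
    # Constructed trace with a 100 ms cycle: IN held for 500 ms, then dropped.
    trace = [(0, True), (100, True), (200, True), (300, True), (400, True), (500, False)]
    print("TON 300 ms:", run(FTON(300), trace))
    print("TP  200 ms:", run(FTP(200), trace))
    print("TOF 200 ms:", run(FTOF(200), trace))
```

The traces make the difference between the blocks visible in one line each: with the same input, F_TON holds Q low for the first three cycles, F_TP drops Q after 200 ms even though IN is still 1, and F_TOF keeps Q high for 200 ms after IN has gone to 0.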
  • Page 299: Pulse Blocks

    Fail-Safe Blocks 8.11 Pulse Blocks Block Description F_F_TRIG Detection of the falling edge F_R_TRIG Detection of the rising edge F_LIM_TI Asymmetrical limiter of TIME values 8.11.1 F_F_TRIG Function The block checks the input variable for the occurrence of a falling edge and indicates at the output whether an edge has been detected.
  • Page 300: F_R_Trig

    Fail-Safe Blocks Error Handling None 8.11.2 F_R_TRIG Function The block checks the input variable for the occurrence of a rising edge and indicates at the output whether an edge has been detected. At a rising edge of the input pulse CLK, the output Q is set to 1 until the next call of the block. Timing Diagram Startup Characteristics If the input CLK has a value of 1 in the first cycle after a cold or warm restart, a...
  • Page 301: F_Lim_Ti

    Fail-Safe Blocks 8.11.3 F_LIM_TI Function This block compares the input variables IN, MAX and MIN. It checks whether IN is within or outside the interval between MIN and MAX. If the lower limit (MIN) of the interval is greater than or equal to the upper limit (MAX), the output OUT = MAX and the outputs OUTU and OUTL are set to 1.
  • Page 302: Arithmetic Blocks With The Int Data Type

    Fail-Safe Blocks 8.12 Arithmetic Blocks with the INT Data Type Block Description F_LIM_I Asymmetrical limiter of INT values 8.12.1 F_LIM_I Function This block compares the input variables IN, MAX and MIN. It checks whether IN is within or outside the interval between MIN and MAX. If the lower limit (MIN) of the interval is greater than or equal to the upper limit (MAX), the output OUT = MAX and the outputs OUTU and OUTL are set to 1.
  • Page 303: Arithmetic Blocks With The Real Data Type

    Fail-Safe Blocks 8.13 Arithmetic Blocks with the REAL Data Type Block Description F_ADD_R Addition of two REAL values F_SUB_R Subtraction of two REAL values F_MUL_R Multiplication of two REAL values F_DIV_R Division of two REAL values F_ABS_R Calculation of the absolute value F_MAX3_R Maximum of three REAL values F_MID3_R...
  • Page 304: F_Sub_R

    Fail-Safe Blocks Error Information in Diagnostic Buffer Error Code (W#16#...) Description 75D9H Invalid REAL number generated by the operation. 8.13.2 F_SUB_R Function This block subtracts the input IN2 from the input IN1 and outputs the difference at the output. OUT = IN1 – IN2 I/Os Name Data Type...
  • Page 305: F_Mul_R

    Fail-Safe Blocks 8.13.3 F_MUL_R Function This block multiplies the inputs and outputs the product at the output. OUT = IN1 * IN2 I/Os Name Data Type Explanation Default Inputs: F_REAL Multiplicand F_REAL Multiplier Output: F_REAL Product Error Handling If the operation generates an invalid REAL number the event will be recorded in the Diagnostic Buffer.
  • Page 306: F_Div_R

    Fail-Safe Blocks 8.13.4 F_DIV_R Function This block divides the input IN1 by the input IN2 and outputs the quotient at the output. OUT = IN1 / IN2 I/Os Name Data Type Explanation Default Inputs: F_REAL Dividend F_REAL Divisor Output: F_REAL Quotient Error Handling If the operation generates an invalid REAL number the event will be recorded in...
  • Page 307: F_Abs_R

    Fail-Safe Blocks 8.13.5 F_ABS_R Function This block outputs the absolute value (amount) of the input at the output. OUT = | IN | I/Os Name Data Type Explanation Default Input: F_REAL Input value Output: F_REAL Absolute value Error Handling None
  • Page 308: F_Max3_R

    Fail-Safe Blocks 8.13.6 F_MAX3_R Function This block compares three inputs and then outputs the maximum value at the output. All the inputs are preset with a value of -3,402823e+38 (largest negative REAL number), so that even a maximum value can be formed from only two inputs.
  • Page 309: F_Mid3_R

    Fail-Safe Blocks 8.13.7 F_MID3_R Function This block compares three inputs and then outputs the median value at the output. OUT = median {IN1, IN2, IN3} I/Os Name Data Type Explanation Default Inputs: F_REAL Input variable 1 F_REAL Input variable 2 F_REAL Input variable 3 Output:...
  • Page 310: F_Min3_R

    Fail-Safe Blocks 8.13.8 F_MIN3_R Function This block compares three inputs and then outputs the minimum value at the output. All the inputs are preset with a value of 3,402823e+38 (largest positive REAL number), so that even a minimum value can be formed from only two inputs. OUT = MIN {IN1, IN2, IN3} I/Os Name...
  • Page 311: F_Lim_R

    Fail-Safe Blocks 8.13.9 F_LIM_R Function This block compares the input variables IN, MAX and MIN. It checks whether IN is within or outside the interval between MIN and MAX. If the lower limit (MIN) of the interval is greater than or equal to the upper limit (MAX), the output OUT = MAX and the outputs OUTU and OUTL are set to 1.
  • Page 312: 8.13.10 F_Sqrt

    Fail-Safe Blocks 8.13.10 F_SQRT Function This block calculates the square root of the input and then outputs it at the output. OUT = SQRT(IN) The input IN must be positive. I/Os Name Data Type Explanation Default Input: F_REAL Radicand Output: F_REAL Root Error Handling If the operation generates an invalid REAL number the event will be recorded in...
  • Page 313: 8.13.11 F_Avex_R

    Fail-Safe Blocks 8.13.11 F_AVEX_R Function This block calculates the mean value from a maximum of nine inputs and then outputs the result at the output. Inputs without a set validity bit are not included in the mean value calculation. At least MIN inputs must be valid, otherwise the output VALIDOUT will be reset.
  • Page 314 Fail-Safe Blocks Error Handling If the operation generates an invalid REAL number the event will be recorded in the Diagnostic Buffer. In the event of an error that is critical to safety, the system function SFC F_CTRL is called. This records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred only on the master CPU.
  • Page 315: 8.13.12 F_Smp_Av

    Fail-Safe Blocks 8.13.12 F_SMP_AV Function This block outputs the mean value of the last N input values at the output. OUT = (IN_k + IN_(k-1) + ... + IN_(k-N+1)) / N, where IN_k is the current input value. The number N of input values must fulfill the condition 0 < N < 33. I/Os Name Data Type...
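The two averaging blocks described above, F_AVEX_R (mean of up to nine inputs, ignoring those without a set validity bit, with VALIDOUT reset when fewer than MIN inputs are valid) and F_SMP_AV (sliding mean of the last N values with 0 < N < 33), are modelled in the Python below. It is an added example and not Siemens code; the names are hypothetical, and two points the page does not specify are assumptions marked in the code: what OUT carries while VALIDOUT is reset, and what F_SMP_AV outputs before N samples have arrived.

```python
import math
from collections import deque
from typing import Deque, Sequence, Tuple


class FSmpAv:
    """Sliding mean of the last N samples, modelled on F_SMP_AV:
    OUT = (IN_k + IN_(k-1) + ... + IN_(k-N+1)) / N."""

    def __init__(self, n: int) -> None:
        if not 0 < n < 33:                      # the manual's condition on N
            raise ValueError("N must satisfy 0 < N < 33")
        self.n = n
        self.buf: Deque[float] = deque(maxlen=n)

    def step(self, in_k: float) -> float:
        """Push the current input value and return the mean of the window."""
        if not math.isfinite(in_k):
            raise ValueError(f"invalid REAL number {in_k!r} (would be recorded in the Diagnostic Buffer)")
        self.buf.append(in_k)
        # Assumption: until N samples have arrived, the values seen so far are averaged.
        return sum(self.buf) / len(self.buf)


def f_avex_r(values: Sequence[float], valid: Sequence[bool], min_valid: int) -> Tuple[float, bool]:
    """Mean of the valid inputs, modelled on F_AVEX_R. Returns (OUT, VALIDOUT).

    Inputs whose validity bit is not set are left out of the calculation. VALIDOUT is
    reset when fewer than MIN inputs are valid; in that case OUT still carries the mean
    of whatever valid inputs exist (0.0 if none), which is an assumption of this model.
    """
    if len(values) > 9 or len(values) != len(valid):
        raise ValueError("at most nine inputs, each with a validity bit")
    used = [v for v, ok in zip(values, valid) if ok]
    out = sum(used) / len(used) if used else 0.0
    if not math.isfinite(out):
        raise ValueError("invalid REAL number generated by the operation")
    return out, len(used) >= min_valid


if __name__ == "__main__":
    # Constructed sample: three healthy transmitters and one with its validity bit cleared.
    print("F_AVEX_R:", f_avex_r([1.0, 2.0, 3.0, 100.0], [True, True, True, False], 3))
    avg = FSmpAv(3)
    print("F_SMP_AV:", [avg.step(x) for x in (1.0, 2.0, 3.0, 4.0)])
```

The validity bit is what keeps the faulty 100.0 reading out of the F_AVEX_R result; a plain mean of all four inputs would report 26.5 and pass every downstream limit check for the wrong reason.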
  • Page 316: Multiplex Blocks

    Fail-Safe Blocks 8.14 Multiplex Blocks Block Description F_MUX2_R Multiplexer 1 out of 2 for REAL values 8.14.1 F_MUX2_R Function This block outputs one of the inputs IN0 or IN1, depending on the selection input K, at the output OUT: • K = 0: OUT = IN0 •...
  • Page 317: Error Handling

    Fail-Safe Blocks 8.15 Error Handling Safety-Relevant Errors If safety-relevant errors are detected in fail-safe blocks, the system function SFC F_CTRL is called. SFC F_CTRL records the event in the Diagnostic Buffer and requests a switch to the reserve CPU if the error only occurred on the master CPU. The shutdown logic should be configured for partial or full shutdown to handle failures in non-redundant systems or common-cause faults on redundant systems (both CPUs encounter a fault at the same time).
  • Page 318: Error Handling Of Driver Blocks

    Fail-Safe Blocks 8.15.1 Error Handling of Driver Blocks The driver blocks can respond to the following errors: • Communication errors, such as TIMEOUT errors The module has not received a new frame from the CPU or has not responded to it within the configured monitoring time (TIMEOUT). Check value error (CRC): The check sum of the transferred data doesn’t match the check sum supplied.
  • Page 319 Fail-Safe Blocks Error Signaling The following block outputs are activated: • DIAG_1, DIAG_2 at the F_M_xx F module drivers: diagnostic information for the whole SM 1 or SM 2 module • QUALITY at the F_CH_xx F channel drivers: quality code of the process value per channel •...
  • Page 320: Error Information At The Outputs Of The Driver Blocks

    Fail-Safe Blocks 8.15.2 Error Information at the Outputs of the Driver Blocks The following errors are detected at the outputs of the F module drivers (F_M_DI8, F_M_DI24, F_M_DO10, F_M_DO8 and F_M_AI6): Output Cause Remedies DIAG_n Diagnostic information for SM n: Byte 0 •...
  • Page 321 Fail-Safe Blocks Output Cause Remedies n = 1: Diagnostic information for module SM1 n = 2: Diagnostic information for redundant module SM2 Output Cause Remedies Byte 1 (in the case of F_M_DI8 and F_M_DI24 only) • Bit 0: Discrepancy error on channel 0 of ... Remedies: Check sensor •...
  • Page 322: Error Information In The Diagnostic Buffer

    Fail-Safe Blocks 8.15.3 Error Information in the Diagnostic Buffer The table below contains all the causes for an error entry in the Diagnostic Buffer. Which errors are detected in which block is described for each fail-safe block. The error code and thus the cause of the error can also be obtained. Error Codes in Diagnostic Buffer Invalid Number Error Code (W#16#...) Cause...
  • Page 323 Fail-Safe Blocks Safety Mode Activated/Deactivated Events Reported From Shutdown Logic Error Code (W#16#...) Cause Remedies: 73DBH Safety Mode was activated. That means all the safety mechanisms for fault detection and fault reactions are activated. 72DBH The Safety Mode is deactivated. The safety of the system must be ensured by means of other organizational measures...
  • Page 324 Fail-Safe Blocks Safety Mode Activated/Deactivated Events Reported From Shutdown Logic Full Shutdown of Entire Safety Program Activated – Reported from Shutdown Logic F_SHUTDN Block Error Code (W#16#...) Cause Remedies: 75DEH Cause: One or more F-run-time groups have detected a critical fault and all F-run-time groups in the ... Remedies: Identify the failure in the Run-time group.
  • Page 325 Fail-Safe Blocks Errors in Runtime Communications – Protocol Fault Error Code (W#16#...) Cause Remedies: 75DCH Cause: This fault results in disabling of the F-run-time group that contains the faulted F-FB and possibly disabling of the entire Safety Program. Remedies: Restart the Shutdown logic, or ...
  • Page 326 Fail-Safe Blocks Error Code (W#16#...) Cause Remedies: 75E1H Cause: Maximum permissible F cycle time exceeded or internal CPU fault. Remedies: Restart the Shutdown logic, or Stop and ColdStart the F-CPU, or Full Download of the complete program to the F-CPU.
  • Page 327 Fail-Safe Blocks Error Code (W#16#...) Cause Remedies Error Detected in F_TESTC – Background Self-Tests of the CPU Error Code (W#16#...) Cause Remedies: 75E1H Cause: Error during self-test of the CPU, or error due to online modification of the Safety Program, or ... Remedies: Check whether tests of the F-CPU have been switched off by SFC90 H_CTRL.
  • Page 328: Error Information At The Output Retval

    Fail-Safe Blocks 8.15.4 Error Information at the Output RETVAL The blocks for F communication between CPUs (F_SENDBO, F_RCVBO, F_SENDR and F_RCVR) call the SFBs 8 (USEND) and 9 (URCV) internally. In the event of communication problems, these SFBs indicate the possible causes in their STATUS.
  • Page 329: Run Times

    Fail-Safe Blocks 8.16 Run Times 8.16.1 Run Times of the Fail-Safe Blocks The Principle of Run-Time Measurement In order to obtain practical run times, all the fail-safe blocks were measured with a dynamic circuit. In other words, the stored input variables of the blocks were changed (dynamically) during measurement.
  • Page 330 Fail-Safe Blocks Block Block Function Maximum Run Name Number Time with Dynamically Connected Inputs • F_CH_DO FB 378 F channel driver for digital output • F_CH_AI FB 379 F channel driver for analog input Further Blocks (in Alphabetical Order) F_1oo2_R FB 457 1 out of 2 analog voter block (block type) 5900...
  • Page 331 Fail-Safe Blocks Block Block Function Maximum Run Name Number Time with Dynamically Connected Inputs F_R_R FB 393 Fail-safe receipt of 5 data items of the data type F_REAL from another F-run-time group F_R_TRIG FB 346 Detection of the rising edge F_RCVBO FB 371 Receives F_BOOL data from another CPU...
  • Page 333: A Check Lists

    Check Lists A.1 Life Cycle of the Fail-Safe Programmable Controllers The following table gives you a summary in the form of a check list of the activities in the life cycle of S7 F/FH Systems as well as the requirements and rules that must be complied with.
  • Page 334 Check Lists Phase Note Refer to Check Configuration of the hardware Rules for F-Systems F-SYS: Sect. 4.2 Verification of the hardware components F-SYS: App. A.2 used on the basis of the check list of the certified modules • Parameter assignment of the CPU contains the F-SYS: Sect.
  • Page 335 Check Lists Phase Note Refer to Check Processing of the Safety Rules for compilation F-SYS: Sect. 5.4.4 Program Rules for downloading F-SYS: Sect. 5.4.7 Rules for testing F-SYS: Sect. 5.4.11, 5.4.12 F-SYS: Sect. 5.4.6 Creating Block Types Installation Hardware setup Rules for installation F SM: Chap.
  • Page 336 Check Lists Commissioning Switching on Rules for commissioning – Standard S7-300 and as in the standard case S7-400(H) Checking of the safety- Rules for parameter F-SYS: Sect. 7.5 related parameters assignment F SM: Chap. 6 and 9 F ET 200S Chap. 4 and 9 Acceptance Rules and notes on...
  • Page 337: A.2 Check List Of The Certified Modules

    Check Lists A.2 Check List of the Certified Modules The fail-safe modules listed in the table below are certified. Please compare the order number and firmware version with those in Annex 1 of the report for the "Safety-Related Programmable Systems SIMATIC S7-400F and S7-400FH"...
  • Page 338 Check Lists Sensors and Actuators The sensors and actuators used in F-systems are not described in this documentation. All the usual sensors and actuators are supported by S7 F/FH Systems and the usual operating modes (single-channel, two-channel, non- equivalent, etc.) can be selected during configuration. Since sensors and actuators are decisive factors to be included in safety considerations, the following check list ought to be of assistance when you configure the F-system with sensors and actuators.
  • Page 339: A.3 Check List Of The Certified F-Blocks

    Check Lists A.3 Check List of the Certified F-Blocks Only the F-Blocks listed below can be used to program the F user program. These blocks are fail-safe and certified. Please compare the signature and initial value signature of these F-Blocks with those in the current Annex 1 of the report for the "Safety-Related Programmable Systems SIMATIC S7-400F and S7-400FH"...
  • Page 340 Check Lists Block Block Function Check Name Number F_LIM_I FB 350 Asymmetrical limiter of INT values F_LIM_LL FB 315 Monitoring of lower limit violation of a REAL value F_LIM_R FB 329 Asymmetrical limiter of REAL values F_LIM_TI FB 345 Asymmetrical limiter of TIME values F_MAX3_R FB 326 Maximum of three REAL values...
  • Page 341 Check Lists Block Block Function Check Name Number F_TESTM FB 400 Switching of Safety Mode on and off F_TI_FTI FB 368 Converts from TIME to F_TIME F_TOF FB 344 Timer off-delay F_TON FB 343 Timer on-delay F_TP FB 342 Timer pulse F_XOR2 FB 303 XOR logic operation on two inputs...
  • Page 342: A.4 Check List Of The Safety Parameters Of The F-Drivers

    Check Lists A.4 Check List of the Safety Parameters of the F-Drivers You must complete the following table at acceptance. The listed safety parameters of the F driver blocks must be compared with the parameters of the F-I/Os from the hardware configuration.
  • Page 343: B References

    ROM. Manuals 9 to 12 are included with the products in electronic form. Some of them can be obtained by choosing the Start > Simatic > Documentation > English menu command. You can download all the manuals from the Internet at: http://www.ad.siemens.de/simatic-cs
  • Page 345: Glossary

    Glossary 1oo1 evaluation Type of sensor evaluation: In 1oo1 evaluation, there is one sensor and it is connected to the module via a single channel. 1oo2 evaluation Type of sensor evaluation: In 1oo2 evaluation, the signal states of the inputs are compared internally (equivalence or non-equivalence).
  • Page 346 Glossary Discrepancy analysis The discrepancy analysis is used to determine errors in the time sequence of two signals with the same functionality. The discrepancy analysis is started if different levels are detected in two associated input signals.
  • Page 347 Glossary Fault tolerance time (i.e. process safety time) The time in which the effectiveness of the safety equipment can be impaired without producing a hazard.
  • Page 348 Glossary Redundancy, Availability-Enhancing Multiple availability of components with the aim of ensuring the components continue to function even in the event of hardware faults. Redundancy, Safety-Enhancing Multiple availability of components with the aim of compensating for...
  • Page 349 Glossary Safety system A system (including all devices, units and safety circuits) that protects people and the system. This particularly includes systems for flame control, the interruption of fuel infeed and the ventilation of combustion chambers.
  • Page 351: Index

    Index Communication between F run-time groups 3-11 Communication between standard and Safety Program s ......5-31 Communication between the CPU Acceptance of an F system ......7-14 and F-I/Os..........3-11 Acceptance of Changes to the Compare Safety Programs ......5-67 Safety Program ........7-20 Comparison Blocks for Two Input Values Acceptance of F block types ......7-22 of the Same Type ........
  • Page 352 Index Driver Blocks for F-I/Os........8-9 F_M_DI24.............8-61 Duration of the repair ........6-4 F_M_DI8............8-58 F_M_DO10...........8-66 F_M_DO8.............8-64 F_MAX3_R..........8-120 F_MID3_R ..........8-121 Error Handling..........8-129 F_MIN3_R ..........8-122 Error Handling of Driver Blocks....8-130 F_MUL_R ...........8-117 Error information at the output RETVAL ..8-140 F_MUX2_R..........8-128 Error information in ACCU 1 after F_NOT............8-89...
  • Page 353 Index Overview............4-1 Overview of fault control measures....3-3 Hardware components ......1-8, 1-9 Hierarchical charts..........5-8 HOLD operating mode ..........3-4 Parameter assignment of F-I/Os....4-4 How to work with the Safety Program ....6-2 Passivating fail-safe output modules ..... 6-5 Passivation ........ 5-24, 5-25, 5-26 Password ........
  • Page 354 Index Rules for F blocks ........5-10 Simulating an Safety Program with Rules for F conversion blocks...... 5-36 S7-PLCSIM..........5-57 Rules for F driver blocks ......5-16 Simulating PROFIsafe nodes ......6-1 Rules for interconnecting F blocks ....5-12 Simulating Safety Programs ......5-57 Rules for operation.........
