Siemens SIMATIC S7 F Manual page 285

Fail-Safe Blocks
Interaction with Channel Drivers
For proper operation of the F_2oo3_R block when the three analog inputs are
provided by F_CH_AI channel drivers, it is important to coordinate the
configuration parameters of the channel drivers and the F_2oo3_R block. The key
is to determine a typical, expected operating value for the values feeding the
F_2oo3_R block and set all three channel drivers' SUBS_V inputs to a value that is
greater than the expected value by more than the F_2oo3_R block's DELTA input.
The channel drivers' SUBS_ON input must be set to 1 to enable outputting the
SUBS_V value when a channel fault is detected.
If one channel driver detects a failure, that F_CH_AI block will provide the
F_2oo3_R block with both the process value bad indicator (QBAD) and the
substitute value (SUBS_V). The F_2oo3_R block would set the corresponding DIS
output (since the substitute value differs from the F_2oo3_R block's current analog
output by more than DELTA) and select one of the other two analog inputs as the
F_2oo3_R block's analog output.
If two or more channel drivers detect a failure (output their SUBS_V value and set
their QBAD to 1), the F_2oo3_R block's QBAD output will be 1 indicating that the
selected analog output V is no longer valid.
Therefore, a configuration using the F_CH_AI and F_2oo3_R blocks would have
the following connections:
- The V outputs of the three F_CH_AI connected to the three IN inputs of the F_2oo3_R
- The QBAD outputs of the three F_CH_AI connected to the three QBAD inputs of the F_2oo3_R
- The SUBS_ON inputs of the three F_CH_AI blocks set to 1
- The F_2oo3_R block's DELTA input set to the largest acceptable difference from the expected value
- The SUBS_V inputs of the three F_CH_AI blocks set larger than the F_2oo3_R block's DELTA input
- The F_2oo3_R block's QBAD output connected to program logic to annunciate 2oo3 failure
- The F_2oo3_R block's three DIS outputs connected to program logic to annunciate a sensor failure
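
The coordination rule and the one-fault and two-fault cases described above, as an added Python model that is not part of the Siemens manual or the F block library. It assumes F_2oo3_R selects the median input (this page only says one of the other two inputs is selected); `ChannelDriver`, `check_config`, `vote_2oo3`, `scenario` and all sample values are hypothetical.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class ChannelDriver:
    """Simplified stand-in for F_CH_AI: only V, QBAD, SUBS_V, SUBS_ON are modelled."""
    subs_v: float
    subs_on: bool = True

    def read(self, process_value, fault):
        # On a channel fault with SUBS_ON = 1 the driver outputs SUBS_V and QBAD = 1.
        if fault and self.subs_on:
            return self.subs_v, True
        return process_value, fault


def check_config(expected, delta, drivers):
    """Return violations of the rule: SUBS_ON = 1 and SUBS_V > expected + DELTA."""
    problems = []
    for i, d in enumerate(drivers, 1):
        if not d.subs_on:
            problems.append(f"driver {i}: SUBS_ON must be 1")
        if not d.subs_v > expected + delta:
            problems.append(f"driver {i}: SUBS_V must exceed expected value by more than DELTA")
    return problems


def vote_2oo3(inputs, delta):
    """inputs: three (V, QBAD) pairs. Returns (V, QBAD, [DIS1, DIS2, DIS3])."""
    values = [v for v, _ in inputs]
    out = median(values)  # assumption: median selection, not confirmed by this page
    # DIS is set for an input that differs from the selected output by more than DELTA.
    dis = [abs(v - out) > delta for v in values]
    # Two or more bad channels: the selected output V is no longer valid.
    qbad = sum(q for _, q in inputs) >= 2
    return out, qbad, dis


def scenario(faults, process=(50.0, 50.4, 49.8), delta=2.0, subs_v=60.0):
    """Constructed sample: three sensors near an expected value of 50.0."""
    drivers = [ChannelDriver(subs_v) for _ in range(3)]
    readings = [d.read(p, f) for d, p, f in zip(drivers, process, faults)]
    return vote_2oo3(readings, delta)


if __name__ == "__main__":
    print(scenario((False, True, False)))               # one faulted channel
    print(scenario((True, True, False)))                # two faulted channels
    print(scenario((False, True, False), subs_v=51.0))  # SUBS_V too close to expected
```

In the last call SUBS_V lies within DELTA of the expected value, so the faulted channel's DIS output stays 0 in this model, which is the situation the coordination rule prevents.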
Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.
Fail-Safe Systems
A5E00085588-03
8-97

This manual is also suitable for:

Simatic s7 fh
