HIMA HIMatrix F2 DO 16 01 User manual

HIMatrix
Safety-Related Controller
F2 DO 16 02 Manual
HIMA Paul Hildebrandt GmbH + Co KG
Industrial Automation
Rev. 2.00 HI 800 139 E

HI 800 139 E Rev. 2.00 (1334)
All HIMA products mentioned in this manual are protected by the HIMA trade-mark. Unless noted otherwise,
this also applies to other manufacturers and their respective products referred to herein.
HIMax®, HIMatrix®, SILworX®, XMR® and FlexSILon® are registered trademarks of HIMA Paul Hildebrandt
GmbH + Co KG.
All of the instructions and technical specifications in this manual have been written with great care and
effective quality assurance measures have been implemented to ensure their validity. For questions, please
contact HIMA directly. HIMA appreciates any suggestion on which information should be included in the
manual.
Equipment subject to change without notice. HIMA also reserves the right to modify the written material
without prior notice.
For further information, refer to the HIMA DVD and our website at http://www.hima.de and
http://www.hima.com.
© Copyright 2013, HIMA Paul Hildebrandt GmbH + Co KG
All rights reserved
Contact
HIMA contact details:
HIMA Paul Hildebrandt GmbH + Co KG
P.O. Box 1261
68777 Brühl, Germany
Phone: +49 6202 709-0
Fax: +49 6202 709-107
Revisions

| Revision index | Revisions | Type of change (technical, editorial) |
|---|---|---|
| 1.00 | Added: Configuration with SILworX | X X |
| 1.01 | Deleted: Chapter Monitoring the Temperature State integrated in the system manual | X |
| 2.00 | Added: F2 DO 16 024, SIL 4 certified according to EN 50126, EN 50128 and EN 50129, Chapters 3.4.1 and 4.1.3. Revised: Chapters 3.1 and 3.5 | X X |

Table of Contents
1 Introduction
1.1 Structure and Use of this Manual
1.2 Target Audience
1.3 Formatting Conventions
1.3.1 Safety Notes
1.3.2 Operating Tips
2 Safety
2.1 Intended Use
2.1.1 Environmental Requirements
2.1.2 ESD Protective Measures
2.2 Residual Risk
2.3 Safety Precautions
2.4 Emergency Information
3 Product Description
3.1 Safety Function
3.2 Equipment, Scope of Delivery
3.2.1 IP Address and System ID (SRS)
3.3 Type Label
3.4 Structure
3.4.1 Safety-Related Relay Outputs
3.4.1.1 Burner Control Applications
3.4.1.2 General Safety Applications
3.4.2 LED Indicators
3.4.2.1 Operating Voltage LED
3.4.2.2 System LEDs
3.4.2.3 Communication LEDs
3.4.2.4 I/O LEDs
3.4.3 Communication
3.4.3.1 Connections for Ethernet Communication
3.4.3.2 Network Ports Used for Ethernet Communication
3.4.4 Reset Key
3.5 Product Data
3.6 Certified HIMatrix F2 DO 16 02
4 Start-up
4.1 Installation and Mounting
4.1.1 Connecting the Digital Outputs
4.1.2 Cable Plugs
4.1.3 Mounting the F2 DO 16 02 in Zone 2
4.2 Configuration
4.3 Configuring the Remote I/O with SILworX
4.3.1 Parameters and Error Codes for the Output
4.3.2 Digital Outputs for F2 DO 16 02
4.3.2.1 Tab: Module
4.3.2.2 Tab: DO 16: Channels
4.4 Configuring the Module with ELOP II Factory
4.4.1 Configuring the Outputs
4.4.2 Signals and Error Codes for the Output
4.4.3 Digital Outputs for F2 DO 16 02
5 Operation
5.1 Handling
5.2 Diagnosis
6 Maintenance
6.1 Faults
6.2 Maintenance Measures
6.2.1 Loading the Operating System
6.2.2 Proof Test
7 Decommissioning
8 Transport
9 Disposal
Appendix
Glossary
Index of Figures
Index of Tables
Index

1 Introduction
This manual describes the technical characteristics of the device and its use. It provides
information on how to install, start up and configure the module.
1.1 Structure and Use of this Manual
The content of this manual is part of the hardware description of the HIMatrix programmable
electronic system.
This manual is organized in the following main chapters:
- Introduction
- Safety
- Product Description
- Start-up
- Operation
- Maintenance
- Decommissioning
- Transport
- Disposal
HIMatrix remote I/Os are available for the programming tools SILworX and ELOP II Factory.
Which programming tool can be used depends on the processor operating system of the
HIMatrix remote I/O; refer to the following table:

| Programming tool | Processor operating system |
|---|---|
| SILworX | CPU OS V7 and higher |
| ELOP II Factory | CPU OS up to V6.x |

Table 1: Programming Tools for HIMatrix Remote I/Os
In the manual, the differences are specified by using:
- Separated chapters
- Tables differentiating among the versions
Projects created with ELOP II Factory cannot be edited with SILworX, and vice versa!
Compact controllers and remote I/Os are referred to as devices.

Additionally, the following documents must be taken into account:
| Name | Content | Document number |
|---|---|---|
| HIMatrix System Manual Compact Systems | Hardware description of the HIMatrix compact systems | HI 800 141 E |
| HIMatrix System Manual Modular System F60 | Hardware description of the HIMatrix modular system | HI 800 191 E |
| HIMatrix Safety Manual | Safety functions of the HIMatrix system | HI 800 023 E |
| HIMatrix Safety Manual for Railway Applications | Safety functions of the HIMatrix system using the HIMatrix in railway applications | HI 800 437 E |
| SILworX Online Help | Instructions on how to use SILworX | - |
| ELOP II Factory Online Help | Instructions on how to use ELOP II Factory, Ethernet IP protocol | - |
| SILworX First Steps | Introduction to SILworX using the HIMax system as an example | HI 801 103 E |
| ELOP II Factory First Steps | Introduction to ELOP II Factory | HI 800 006 E |

Table 2: Additional Relevant Documents
The latest manuals can be downloaded from the HIMA website at www.hima.com. The revision
index on the footer can be used to compare the current version of existing manuals with the
Internet edition.
1.2 Target Audience
This document addresses system planners, configuration engineers, programmers of
automation devices and personnel authorized to implement, operate and maintain the modules
and systems. Specialized knowledge of safety-related automation systems is required.

1.3 Formatting Conventions
To ensure improved readability and comprehensibility, the following fonts are used in this
document:
| Font | Use |
|---|---|
| Bold | To highlight important parts. Names of buttons, menu functions and tabs that can be clicked and used in the programming tool. |
| Italics | For parameters and system variables |
| Courier | Literal user inputs |
| RUN | Operating states are designated by capitals |
| Chapter 1.2.3 | Cross references are hyperlinks even though they are not particularly marked. When the cursor hovers over a hyperlink, it changes its shape. Click the hyperlink to jump to the corresponding position. |
Safety notes and operating tips are particularly marked.
1.3.1 Safety Notes
The safety notes are represented as described below.
These notes must absolutely be observed to reduce the risk to a minimum. The content is
structured as follows:
- Signal word: warning, caution, notice
- Type and source of risk
- Consequences arising from non-observance
- Risk prevention
The signal words have the following meanings:
- Warning indicates a hazardous situation which, if not avoided, could result in death or serious injury.
- Caution indicates a hazardous situation which, if not avoided, could result in minor or modest injury.
- Notice indicates a hazardous situation which, if not avoided, could result in property damage.
NOTE
Type and source of damage!
Damage prevention
SIGNAL WORD
Type and source of risk!
Consequences arising from non-observance
Risk prevention

1.3.2 Operating Tips
Additional information is structured as presented in the following example:
The text corresponding to the additional information is located here.
Useful tips and tricks appear as follows:
TIP The tip text is located here.

2 Safety
All safety information, notes and instructions specified in this document must be strictly
observed. The product may only be used if all guidelines and safety instructions are adhered to.
This product is operated with SELV or PELV. No imminent risk results from the product itself.
The use in Ex-zone is permitted if additional measures are taken.
2.1 Intended Use
HIMatrix components are designed for assembling safety-related controller systems.
When using the components in the HIMatrix system, comply with the following general
requirements.
2.1.1 Environmental Requirements
| Requirement type | Range of values 1) |
|---|---|
| Protection class | Protection class II in accordance with IEC/EN 61131-2 |
| Ambient temperature | 0...+60 °C |
| Storage temperature | -40...+85 °C |
| Pollution | Pollution degree II in accordance with IEC/EN 61131-2 |
| Altitude | < 2000 m |
| Housing | Standard: IP20 |
| Supply voltage | 24 VDC |

1) The values specified in the technical data apply and are decisive for devices with extended
environmental requirements.
Table 3: Environmental Requirements
Exposing the HIMatrix system to environmental conditions other than those specified in this
manual can cause the HIMatrix system to malfunction.
2.1.2 ESD Protective Measures
Only personnel with knowledge of ESD protective measures may modify or extend the system
or replace devices.
NOTE
Device damage due to electrostatic discharge!
When performing the work, make sure that the workspace is free of static, and wear
an ESD wrist strap.
If not used, ensure that the device is protected from electrostatic discharge, e.g., by
storing it in its packaging.

2.2 Residual Risk
No imminent risk results from a HIMatrix system itself.
Residual risk may result from:
- Faults related to engineering
- Faults related to the user program
- Faults related to the wiring
2.3 Safety Precautions
Observe all local safety requirements and use the protective equipment required on site.
2.4 Emergency Information
A HIMatrix system is a part of the safety equipment of a site. If a device or a module fails, the
system enters the safe state.
In case of emergency, no action that may prevent the HIMatrix systems from operating safely is
permitted.

3 Product Description
The safety-related F2 DO 16 02 remote I/O is a compact system in a metal housing with 16
safety-related relay outputs.
The remote I/O is available in various model variants for SILworX and ELOP II Factory, see
Table 4.
Remote I/Os are connected to individual HIMax or HIMatrix controllers via safeethernet. They
are used to extend the I/O level, but are not able to run any user program by themselves.
The remote I/O is suitable for mounting in Ex-zone 2, see Chapter 4.1.3.
The device has been certified by the TÜV for safety-related applications up to SIL 3 (IEC 61508,
IEC 61511 and IEC 62061), Cat. 4 and PL e (EN ISO 13849-1) and SIL 4 (EN 50126, EN 50128
and EN 50129).
Further safety standards, application standards and test standards are specified in the
certificates available on the HIMA website.
3.1 Safety Function
The safety function meets the integrity requirements described in the corresponding test
standards.
The remote I/O is equipped with safety-related relay outputs. These outputs are safely assigned
their values by the connected controller via safeethernet.
The remote I/O is designed in accordance with the de-energize to trip principle. If a system fault
occurs, all relay outputs are set to the de-energized safe state. If a channel fault occurs, only the
affected channel is de-energized.
In both cases, the FAULT LED is lit. In addition, reactions in the user program can be triggered
using error codes.
The remote I/O can also be used in energized to trip applications. To this end, the relay output
is switched on to perform a safety function (energize to trip).
All instructions on how to use the remote I/O specified in the safety manual must be observed.

3.2 Equipment, Scope of Delivery
The following table specifies the available remote I/O variants:
| Designation | Description |
|---|---|
| F2 DO 16 02 | Remote I/O (16 relay outputs up to 30 VAC/ 60 VDC), Operating temperature: 0...+60 °C, for ELOP II Factory programming tool |
| F2 DO 16 02 SILworX | Remote I/O (16 relay outputs up to 30 VAC/ 60 VDC), Operating temperature: 0...+60 °C, for SILworX programming tool |

Table 4: Available Variants
3.2.1 IP Address and System ID (SRS)
A transparent label is delivered with the device to allow one to note the IP address and the
system ID (SRS for system rack slot) after a change.
IP ___.___.___.___ SRS ____.__.__
Default value for IP address: 192.168.0.99
Default value for SRS: 60 000.200.0 (SILworX), 60 000.0.0 (ELOP II Factory)
The label must be affixed such that the ventilation slots in the housing are not obstructed.
Refer to the First Steps manual of the programming tool for more information on how to modify
the IP address and the system ID.

3.3 Type Label
The type plate contains the following details:
- Product name
- Bar code (1D or 2D code)
- Part no.
- Production year
- Hardware revision index (HW Rev.)
- Firmware revision index (FW Rev.)
- Operating voltage
- Mark of conformity
Figure 1: Sample Type Label

3.4 Structure
This chapter describes the layout and function of the remote I/Os, and their communication via
safeethernet.
Figure 2: Front View
Figure 3: Block Diagram (blocks shown: 16 Safety-Related Relay Outputs, Safety-Related Processor System (CPU), Switch, Watchdog)

3.4.1 Safety-Related Relay Outputs
The remote I/O is equipped with 16 safety-related relay outputs. Each relay output is switched
via three relays connected in series. One relay is a standard relay, whereas the two other relays
are safety relays with forcibly guided contacts (EN 50205).
All 16 relay outputs are electrically safely separated from one another and from the power
supply of the device. For safe separation, the air and creeping distances are designed in
accordance with IEC 61131-2 for overvoltage class II up to 300 V.
The relay outputs are connected with numbered cable plugs. To facilitate the assignment of the
individual relay outputs, an identical number is located on the front plate of the remote I/O, see
Chapter 4.1.1.
The terminal connections and the housing comply with IP20 protection requirements. With
higher requirements, the F2 DO 16 02 must be mounted in an enclosure with suitable type of
protection.
If voltages other than SELV and PELV are connected, cables with suitable insulation must be
used.
The state of each relay output is signaled by an individual LED, see Chapter 3.4.2.
3.4.1.1 Burner Control Applications
For burner control applications, an internal fuse is used to limit the relay outputs' switching
current to 60 % (3.15 A) of the maximum permissible value in accordance with EN 298 and
EN 50156-1 (VDE 0116). The relay outputs can be used for safety shutdowns, i.e., to shut down
the entire fuel supply.
If burner control applications require a lower switching current (AC/DC) than the limited
switching current (3.15 A), an external pre-fuse must be inserted into the circuit.
The relays in use comply with the contact lifetime required for burner control applications:
- mechanical ≥ 3 x 10^6 switching operations
- electrical ≥ 250 000 switching operations

3.4.1.2 General Safety Applications
The instructions specified in Figure 4 and in Table 13 must be observed for general safety
applications:
- The maximum permissible number of switching operations.
- The maximum permissible switching currents (up to 3.15 A), voltage and power.
Figure 4: Contact Lifetime AC

3.4.2 LED Indicators
The light-emitting diodes (LEDs) indicate the operating state of the remote I/O. The LEDs are
classified as follows:
- Operating voltage LED
- System LEDs
- Communication LEDs
- I/O LEDs
3.4.2.1 Operating Voltage LED
| LED | Color | Status | Description |
|---|---|---|---|
| 24 VDC | Green | On | 24 VDC operating voltage present |
| 24 VDC | Green | Off | No operating voltage |

Table 5: Operating Voltage LED
3.4.2.2 System LEDs
While the system is being booted, all LEDs are lit simultaneously.
| LED | Color | Status | Description |
|---|---|---|---|
| RUN | Green | On | Device in RUN, normal operation |
| RUN | Green | Blinking | Device in STOP. A new operating system is being loaded. |
| RUN | Green | Off | The device is not in the RUN state. |
| ERROR | Red | On | The device is in the ERROR STOP state. Internal fault detected by self-tests, e.g., hardware faults or cycle time overrun. The processor system can only be restarted with a command from the PADT (reboot). |
| ERROR | Red | Blinking | If ERROR blinks and all other LEDs are lit simultaneously, the boot loader has detected an operating system fault in the flash memory and waits for a new operating system to be loaded. |
| ERROR | Red | Off | No faults detected. |
| PROG | Yellow | On | A new configuration is being loaded into the device. |
| PROG | Yellow | Blinking | The device switches from INIT to STOP. A new operating system is being loaded into the flash ROM. |
| PROG | Yellow | Off | No configuration or operating system is being loaded. |
| FORCE | Yellow | Off | The FORCE LED of a remote I/O is not functioning. The FORCE LED of the associated controller serves to signal the forcing of a remote I/O. |
| FAULT | Yellow | On | The loaded configuration is not valid. The new operating system is corrupted (after OS download). |
| FAULT | Yellow | Blinking | Fault while loading a new operating system. One or multiple I/O faults occurred. |
| FAULT | Yellow | Off | None of the described faults occurred. |
| OSL | Yellow | Blinking | Operating system emergency loader active. |
| OSL | Yellow | Off | Operating system emergency loader inactive. |
| BL | Yellow | Blinking | OS and OSL binary defective or hardware fault, INIT_FAIL. |
| BL | Yellow | Off | None of the described faults occurred. |

Table 6: System LEDs

3.4.2.3 Communication LEDs
Each RJ-45 connector is provided with a small green LED and a small yellow LED. The LEDs signal the
following states:

| LED | Status | Description |
|---|---|---|
| Green | On | Full duplex operation |
| Green | Blinking | Collision |
| Green | Off | Half duplex operation, no collision |
| Yellow | On | Connection available |
| Yellow | Blinking | Interface activity |
| Yellow | Off | No connection available |

Table 7: Ethernet Indicators
3.4.2.4 I/O LEDs
| LED | Color | Status | Description |
|---|---|---|---|
| DO 1…16 | Yellow | On | The related channel is active (energized). |
| DO 1…16 | Yellow | Off | The related channel is inactive (de-energized). |

Table 8: I/O LEDs

3.4.3 Communication
The remote I/O communicates with the associated controller via safeethernet.
3.4.3.1 Connections for Ethernet Communication
| Property | Description |
|---|---|
| Port | 2 x RJ-45 |
| Transfer standard | 10BASE-T/100BASE-Tx, half and full duplex |
| Auto negotiation | Yes |
| Auto crossover | Yes |
| IP address | Freely configurable 1) |
| Subnet Mask | Freely configurable 1) |
| Supported protocols | Safety-related: safeethernet. Standard protocols: Programming and debugging tool (PADT), SNTP |

1) The general rules valid for assigning IP address and subnet masks must be adhered to.
Table 9: Ethernet Interfaces Properties
The two RJ-45 connectors with integrated LEDs are located on the bottom left-hand side of the
housing. Refer to Chapter 3.4.2.3 for a description of the LEDs' function.
The connection parameters are read based on the MAC address (media access control
address) defined during manufacturing.
The MAC address for the remote I/O is specified on a label located above the two RJ-45
connectors (1 and 2).
Figure 5: Sample MAC Address Label
The remote I/O is equipped with an integrated switch for Ethernet communication. For further
information on the integrated switch and safeethernet, refer to Chapter Communication of the
system manual for compact systems (HI 800 141 E).
3.4.3.2 Network Ports Used for Ethernet Communication
| UDP port | Use |
|---|---|
| 8000 | Programming and operation with the programming tool |
| 8001 | Configuration of the remote I/O using the PES (ELOP II Factory) |
| 8004 | Configuration of the remote I/O using the PES (SILworX) |
| 6010 | safeethernet |
| 123 | SNTP (time synchronization between PES and remote I/O, PES and external devices) |

Table 10: Network Ports in Use
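Added example (not part of the HIMA manual): a Python audit that checks exported flow records against the UDP ports in Table 10 and reports anything else reaching the remote I/O. The CSV flow format, the host allowlists and the policy of which source may use which port are assumptions; 192.168.0.99 is the default IP address given in Chapter 3.2.1.

```python
import csv
import io
import ipaddress

# UDP ports the manual lists for the remote I/O (Table 10).
PADT_PORT = 8000                      # programming and operation
PES_PORTS = {8001, 8004, 6010, 123}   # configuration via PES, safeethernet, SNTP
LISTED_UDP = {PADT_PORT} | PES_PORTS


def audit_flows(flow_csv, device_ip, padt_hosts, pes_hosts):
    """Return (src, proto, dport, reason) for each flow to the device that the
    assumed site policy does not expect.

    Assumed policy (not from the manual): port 8000 only from engineering
    workstations (padt_hosts); the other listed ports only from the parent
    controller(s) (pes_hosts); nothing else reaches the device.
    """
    device = ipaddress.ip_address(device_ip)
    padt = {ipaddress.ip_address(h) for h in padt_hosts}
    pes = {ipaddress.ip_address(h) for h in pes_hosts}
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv.strip())):
        try:
            src = ipaddress.ip_address(row["src"].strip())
            dst = ipaddress.ip_address(row["dst"].strip())
            proto = row["proto"].strip().lower()
            dport = int(row["dport"])
        except (KeyError, ValueError, TypeError, AttributeError):
            findings.append((None, None, None, "unparseable-record"))
            continue
        if dst != device:
            continue  # not addressed to the remote I/O
        if proto != "udp" or dport not in LISTED_UDP:
            reason = "port-not-in-table-10"
        elif dport == PADT_PORT and src not in padt:
            reason = "padt-from-unapproved-host"
        elif dport in PES_PORTS and src not in pes:
            reason = "pes-port-from-unapproved-host"
        else:
            continue  # expected traffic
        findings.append((str(src), proto, dport, reason))
    return findings


# Constructed flow records (the CSV export format is hypothetical).
SAMPLE_FLOWS = """
src,dst,proto,dport
192.168.0.10,192.168.0.99,udp,6010
192.168.0.50,192.168.0.99,udp,8000
192.168.0.77,192.168.0.99,udp,8000
192.168.0.77,192.168.0.99,tcp,80
192.168.0.10,192.168.0.20,udp,9999
192.168.0.77,192.168.0.99,udp,8004
192.168.0.10,192.168.0.99,udp,notaport
"""

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS, "192.168.0.99",
                               padt_hosts={"192.168.0.50"},
                               pes_hosts={"192.168.0.10"}):
        print(finding)
```

The same port list can serve as the allowlist for a firewall or switch ACL in front of the device.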

3.4.4 Reset Key
The remote I/O is equipped with a reset key. The key is only required if the user name or
password for administrator access is not known. If only the IP address set for the remote I/O
does not match the PADT (PC), the connection can be established with a Route add entry on
the PC.
The key can be accessed through a small round hole located approximately 5 cm from the
upper left-hand side of the housing. The key is engaged using a suitable pin made of insulating
material to avoid short-circuits within the remote I/O.
The reset is only effective if the remote I/O is rebooted (switched off and on) while the key is
simultaneously engaged for at least 20 s. Engaging the key during operation has no effect.
Properties and behavior of the remote I/O after a reboot with engaged reset key:
- Connection parameters (IP address and system ID) are set to the default values.
- All accounts are deactivated except for the administrator default account with empty password.
After a new reboot without the reset key engaged, the connection parameters (IP address and
system ID) and accounts become effective:
- Those configured by the user.
- Those valid prior to rebooting with the reset key engaged, if no changes were performed.