Siemens SIMATIC S7 User guide
SIMATIC Safety Engineering in SIMATIC S7
_
_____________
_
_____________
_
_____________
_
_____________
_
_____________
_
_____________
_
_____________
_
_____________
Preface
Overview of Fail-safe
Systems 1
Configurations and Help with
Selection 2
Communication Options 3
Safety in F-Systems 4
Achievable Safety Classes
with F-I/O 5
Configuring F-Systems 6
Programming F-Systems 7
Monitoring and Response
Times of F-Systems A
SIMATIC
Safety Engineering in SIMATIC S7
System Manual
04/2006
A5E00109529-05
Safety Guidelines
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.
Danger
indicates that death or severe personal injury will result if proper precautions are not taken.
Warning
indicates that death or severe personal injury may result if proper precautions are not taken.
Caution
with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.
Caution
without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.
Notice
indicates that an unintended result or situation can occur if the corresponding information is not taken into
account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The device/system may only be set up and used in conjunction with this documentation. Commissioning and
operation of a device/system may only be performed by qualified personnel. Within the context of the safety notes
in this documentation qualified persons are defined as persons who are authorized to commission, ground and
label devices, systems and circuits in accordance with established safety practices and standards.
Prescribed Usage
Note the following:
Warning
This device may only be used for the applications described in the catalog or the technical description and only in
connection with devices or components from other manufacturers which have been approved or recommended
by Siemens. Correct, reliable operation of the product requires proper transport, storage, positioning and
assembly as well as careful operation and maintenance.
Trademarks
All names identified by ® are registered trademarks of the Siemens AG. The remaining trademarks in this
publication may be trademarks whose use by third parties for their own purposes could violate the rights of the
owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Siemens AG
Automation and Drives
Postfach 48 48
90437 NÜRNBERG
GERMANY
Order No.: A5E00109529-05
Edition 04/2006
Copyright © Siemens AG 2005.
Technical data subject to change
Safety Engineering in SIMATIC S7
System Manual, 04/2006, A5E00109529-05 iii
Preface
Purpose of System Description
This system description provides an overview of the S7 Distributed Safety and S7 F/FH
Systems fail-safe automation systems. It identifies the similarities and differences between
S7 Distributed Safety and S7 F/FH Systems and presents detailed technical information
applicable to both S7 Distributed Safety and S7 F/FH Systems.
The system description helps you to decide which fail-safe system is best suited for your
automation task. It is intended as starting information for decision makers and as a source of
technical information on S7 Distributed Safety and S7 F/FH Systems fail-safe automation
systems for service and commissioning personnel (e.g., detailed information on monitoring
and response times of S7 Distributed Safety and S7 F/FH Systems is provided in the
appendix).
Scope of System Description
This system description applies to the S7 Distributed Safety, S7 F Systems, and S7 FH
Systems fail-safe systems.
In addition, this system description addresses integration of the following
fail-safe I/O devices in S7 Distributed Safety and S7 F/FH Systems:
• S7-300 fail-safe signal modules
• ET 200S fail-safe modules
• ET 200pro fail-safe modules
• ET 200eco fail-safe I/O module
• Fail-safe DP standard slaves / I/O standard devices
Preface
Safety Engineering in SIMATIC S7
iv System Manual, 04/2006, A5E00109529-05
What's New?
The following table summarizes the most important technical changes in the add-on
packages
S7 Distributed Safety V 5.4
and
S7 F Systems V5.2 SP2
and higher. These
changes have been taken into account in this system description.
Change Affects: Technical Change
S7 Distributed
Safety
S7 F/FH
Systems
Support for PROFINET IO with:
• CPU 416F-2 (6ES7 416-2FK04-0AB0) as of firmware
version V 4.1 with CP 443-1 Advanced
• CPU 315F-2 PN/DP
• CPU 317F-2 PN/DP
• ET 200S fail-safe modules
• ET 200pro fail-safe modules
• Fail-safe I/O standard devices
x -
Safety-related CPU-CPU communication has been expanded to
include I-slave-slave communication
x -
Channel-specific passivation when channel errors occur:
• S7-300 fail-safe signal modules
• ET 200S fail-safe modules
• ET 200pro fail-safe modules
• ET 200eco fail-safe I/O module
x -
New F-library blocks - x
Safety Data Write - x
ET 200pro fail-safe modules x -
Fail-safe I/O standard devices x -
Preface
Safety Engineering in SIMATIC S7
System Manual, 04/2006, A5E00109529-05 v
Position in the Information Landscape
Depending on your application, you will need the documentation listed below when working
with S7 Distributed Safety or S7 F/FH Systems:
This system description makes reference to these documents where appropriate.
Documentation Brief Description of Relevant Contents
• The
Programmable Controllers S7 F/FH Systems
manual
describes the tasks required to create and commission an
S7 F/FH Systems fail-safe system.
For the fail-safe system S7
F/FH Systems
• The
S7-400 Hardware and Installation
installation manual
describes the assembly and wiring of S7-400 systems.
• The
Automation System S7-400H Fault-Tolerant Systems
manual describes the CPU 41x-H central modules and the tasks
required to create and commission an S7-400H fault-tolerant
system.
• The
CFC for S7 Continuous Function Chart
manual/online help
provides a description of programming with CFC.
The following elements are described in the
S7 Distributed Safety,
Configuring and Programming
operator manual and online help:
• Configuration of the F-CPU and the F-I/O
• Programming of the F-CPU in F-FBD or F-LAD
For the fail-safe system S7
Distributed Safety
Depending on which F-CPU you are using, you will need the
following documentation:
• The operating manual
S7-300, CPU 31xC and CPU 31x:
Installation
describes the installation and wiring of S7-300
systems.
• The
CPU 31xC and CPU 31x, Technical Data
product manual
describes the CPUs 315-2 DP and PN/DP and CPUs 317-2 DP
and PN/DP.
• The
Automation System S7-400 Hardware and Installation
installation manual describes the assembly and wiring of S7-400
systems.
• The
Automation System S7-400 CPU Specifications
reference
manual describes CPU 416-2.
• The
ET 200S IM 151-7 CPU Interface Module
manual describes
the IM 151-7 CPU.
• Each F-CPU that can be used has its own product information.
The product information only describes the deviations from the
respective standard CPUs.
Automation System S7-300
Fail-safe Signal Modules
manual
Describes the hardware of the S7-300 fail-safe signal modules
(including installation, wiring, and technical specifications)
ET 200S Distributed I/O
System Fail-Safe Modules
operating instructions
Describes the hardware of the ET 200S fail-safe modules (including
installation, wiring, and technical specifications)
ET 200pro Distributed I/O
Device Fail-Safe Modules
operating instructions
Describes the hardware of the ET 200pro fail-safe modules
(including installation, wiring, and technical specifications)
ET 200eco Distributed I/O
Station Fail-safe Signal
Module
manual
Describes the hardware of the ET 200eco fail-safe signal module
(including installation, wiring, and technical specifications)
Preface
Safety Engineering in SIMATIC S7
vi System Manual, 04/2006, A5E00109529-05
Documentation Brief Description of Relevant Contents
STEP 7
manuals • The
Configuring Hardware and Communication Connections with
STEP 7 V5.x
manual describes how to operate the
STEP 7
standard tools.
• The
LAD for S7-300/400
manual describes the standard Ladder
Diagram programming language in
STEP 7
.
• The
FBD for S7-300/400
manual describes the standard Function
Block Diagram programming language in
STEP 7
.
• The
System Software for S7-300/400 System and Standard
Functions
reference manual describes functions for distributed
I/O access and diagnostics for distributed I/O/CPU.
• The
Programming with STEP 7 V 5.x
manual describes the
procedure for programming with
STEP 7
.
STEP 7
online help • Describes the operation of
STEP 7
standard tools
• Contains information about how to configure and assign
parameters for modules and intelligent slaves with
HW Config
• Contains a description of the FBD and LAD programming
languages
PROFINET System
Description
system manual
• Describes the basics for PROFINET IO
PCS 7
manuals • Describe operation of the
PCS 7
process control system
(necessary when the F-system is integrated in a higher-level
control system)
The complete collection of SIMATIC S7 documentation is available on CD-ROM.
Guide
The following topics are covered in the system description:
• Overview of fail-safe automation systems in general, and in SIMATIC S7, in particular
• Comparison of system performance of S7 Distributed Safety and
S7 F/FH Systems
• Description of the configuration variants for S7 Distributed Safety and S7 F/FH Systems
• Information to help you decide which F-system represents the best solution for your
requirements
• Comparison of the similarities and differences between the communication options for
S7 Distributed Safety and S7 F/FH Systems
• Overview of the safety mechanisms in S7 Distributed Safety and S7 F/FH Systems that
are apparent to the user
• Standards upon which the S7 Distributed Safety and S7 F/FH Systems F-systems are
based
• Overview of configuring S7 Distributed Safety and S7 F/FH Systems
• Overview of programming S7 Distributed Safety and S7 F/FH Systems
Configuring and programming are described in more detail in the respective programming
and configuration manuals for S7 Distributed Safety and S7 F/FH Systems.
• Configuration of F-related monitoring times for F-systems
• Calculating the maximum response time of the safety functions in S7 Distributed Safety
and S7 F/FH systems
Preface
Safety Engineering in SIMATIC S7
System Manual, 04/2006, A5E00109529-05 vii
Conventions
The terms "safety engineering" and "fail-safe engineering" are used synonymously in this
system description. The same applies to the terms "fail-safe" and "F-".
"Safety program" refers to the fail-safe portion of the user program and is used instead of
"fail-safe user program," "F-program," etc.
"
S7 Distributed Safety
" and "
S7 F System
" in italics refer to the add-on packages for
"S7 Distributed Safety" and
"S7 F/FH Systems".
Additional Support
For any unanswered questions about the use of products presented in this manual, contact
your local Siemens representative:
http://www.siemens.com/automation/partner
Training Center
We offer courses to help you get started with the S7 automation system. Contact your
regional training center or the central training center in D-90327 Nuremberg, Federal
Republic of Germany.
Phone: +49 (911) 895-3200
http://www.sitrain.com
H/F Competence Center
The H/F Competence Center in Nuremberg offers special workshops on SIMATIC S7 fail-
safe and fault-tolerant automation systems. The H/F Competence Center can also provide
assistance with onsite configuration, commissioning, and troubleshooting.
Phone: +49 (911) 895-4759
Fax: +49 (911) 895-5193
For questions about workshops, etc., contact: [email protected]
Technical Support
Technical support is available for all A&D products
• using the Web form for a support request
http://www.siemens.de/automation/support-request
• Phone: + 49 180 5050 222
• Fax: + 49 180 5050 223
You can find additional information about our technical support at
http://www.siemens.de/automation/service
Preface
Safety Engineering in SIMATIC S7
viii System Manual, 04/2006, A5E00109529-05
Service & Support on the Internet
In addition to our documentation, we offer our complete knowledge base on the Internet at:
http://www.siemens.com/automation/service&support
There, you will find the following information:
• Newsletters providing the latest information on your products
• Relevant documentation for your application via the search function in Service & Support
• A forum where users and experts from all over the world exchange ideas
• Our contacts database where you can find your local Automation & Drives representative
• Information on local service, repairs, and replacement parts and much more can be found
under "Services."
Important Information for Preserving the Operational Safety of your System
Note
The operators of systems with safety-related characteristics must adhere to operational
safety requirements. The supplier is also obliged to comply with certain actions when
monitoring the product. To keep you informed, a special newsletter is therefore available
containing information on product developments and properties that are important (or
potentially important) for operating systems where safety is an issue. By subscribing to the
appropriate newsletter, you will ensure that you are always up-to-date and able to make
changes to your system, when necessary. Go to the Internet address
http://my.ad.siemens.de/myAnD/guiThemes2Select.asp?subjectID=2&lang=de
and register for the following newsletters:
• SIMATIC S7-300
• SIMATIC S7-400
• Distributed I/O
• SIMATIC Industrial Software
Select the "Updates" check box for each newsletter.
Safety Engineering in SIMATIC S7
System Manual, 04/2006, A5E00109529-05 ix
Table of contents
Preface ......................................................................................................................................................iii
1 Overview of Fail-safe Systems ............................................................................................................... 1-1
1.1 Introduction ................................................................................................................................ 1-1
1.2 Safety Integrated - the Integrated Safety Concept by Siemens ................................................ 1-2
1.3 Fail-safe Systems in SIMATIC S7.............................................................................................. 1-3
1.3.1 Areas of Application of S7 Distributed Safety and S7 F/FH Systems........................................ 1-5
1.3.2 Performance Characteristics of S7 Distributed Safety and S7 F/FH Systems .......................... 1-7
1.4 Components of S7 Distributed Safety and S7 F/FH Systems ................................................. 1-10
1.4.1 Hardware Components ............................................................................................................ 1-11
1.4.2 Software Components ............................................................................................................. 1-15
1.5 Guide to Working with F-Systems............................................................................................ 1-17
2 Configurations and Help with Selection .................................................................................................. 2-1
2.1 Introduction ................................................................................................................................ 2-1
2.2 Configuration of F-Systems ....................................................................................................... 2-2
2.2.1 S7 Distributed Safety Fail-safe System ..................................................................................... 2-2
2.2.2 S7 F Systems Fail-safe System................................................................................................. 2-5
2.2.3 S7 FH Systems Fail-safe and Fault-Tolerant System................................................................ 2-6
2.2.4 Coexistence of Standard and Fail-safe Components ................................................................ 2-7
2.3 Configuration Variants for Fail-safe Systems According to Availability Requirements.............. 2-9
2.3.1 Single-channel I/O (S7 Distributed Safety).............................................................................. 2-10
2.3.2 Single-channel I/O (S7 F Systems).......................................................................................... 2-15
2.3.3 Single-channel Switched I/O (S7 FH Systems only)................................................................ 2-18
2.3.4 Redundant Switched I/O (S7 FH Systems Only) ..................................................................... 2-20
2.4 S7 Distributed Safety or S7 F/FH Systems – Selection Guide ................................................ 2-22
3 Communication Options ......................................................................................................................... 3-1
3.1 Introduction ................................................................................................................................ 3-1
3.2 Overview of Safety-Related Communication ............................................................................. 3-2
3.3 Communication between Standard User Program and Safety Program................................... 3-3
3.3.1 Communication between Standard User Program and Safety Program in
S7 Distributed Safety ................................................................................................................. 3-4
3.3.2 Communication between Standard User Program and Safety Program in
S7 F/FH Systems....................................................................................................................... 3-4
3.4 Communication between F-Runtime Groups............................................................................. 3-5
3.5 Communication between F-CPU and F-I/O ............................................................................... 3-6
3.5.1 Safety-Related Communication ................................................................................................. 3-6
3.5.2 Accessing F-I/O in S7 Distributed Safety................................................................................... 3-7
3.5.3 Safety-Related I-Slave-Slave Communication in Distributed Safety ......................................... 3-8
3.5.4 Accessing F-I/O in S7 F/FH Systems ...................................................................................... 3-10
3.5.5 Standard Communication ........................................................................................................ 3-11
Table of contents
Safety Engineering in SIMATIC S7
x System Manual, 04/2006, A5E00109529-05
3.6 Safety-Related CPU-CPU Communication.............................................................................. 3-13
3.6.1 S7 Distributed Safety: Safety-related Master-Master Communication .................................... 3-13
3.6.2 S7 Distributed Safety: Safety-related Master-I-Slave Communication .................................... 3-15
3.6.3 S7 Distributed Safety: Safety-Related I-Slave-I-Slave Communication .................................. 3-16
3.6.4 S7 Distributed Safety: Safety-Related Communication via S7 Connections ........................... 3-18
3.6.5 S7 F/FH Systems: Safety-Related Communication via S7 Connections................................. 3-20
4 Safety in F-Systems................................................................................................................................ 4-1
4.1 Introduction ................................................................................................................................ 4-1
4.2 Safety Mode ............................................................................................................................... 4-3
4.3 Fault Reactions .......................................................................................................................... 4-5
4.4 Restart of F-System ................................................................................................................... 4-6
4.5 Password Protection for F-Systems........................................................................................... 4-7
4.6 Acceptance Test of System ....................................................................................................... 4-7
4.7 Standards and Approvals........................................................................................................... 4-8
4.8 Safety Requirements................................................................................................................ 4-12
5 Achievable Safety Classes with F-I/O..................................................................................................... 5-1
5.1 Introduction ................................................................................................................................ 5-1
5.2 Safety Functions for Achieving Safety Classes for F-I/O with Inputs ........................................ 5-2
5.2.1 1oo1 Evaluation for F-I/O with Digital Inputs.............................................................................. 5-3
5.2.2 1oo2 Evaluation for F-I/O with Inputs......................................................................................... 5-5
5.3 Safety Functions for Achieving Safety Classes for F-I/O with Outputs.................................... 5-12
6 Configuring F-Systems ........................................................................................................................... 6-1
6.1 Introduction ................................................................................................................................ 6-1
6.2 Configuring the F-CPU............................................................................................................... 6-2
6.3 Configuring the F-I/O.................................................................................................................. 6-4
6.4 Configuring Fail-safe DP Standard Slaves and Fail-safe I/O Standard Devices....................... 6-5
7 Programming F-Systems ........................................................................................................................ 7-1
7.1 Introduction ................................................................................................................................ 7-1
7.2 Programming Languages for F-Systems ................................................................................... 7-3
7.3 Structure of the Safety Program in S7 Distributed Safety.......................................................... 7-4
7.4 Structure of Safety Program in S7 F/FH Systems ..................................................................... 7-9
A Monitoring and Response Times of F-Systems ......................................................................................A-1
A.1 Introduction ................................................................................................................................A-1
A.2 Configuring the Monitoring Times ..............................................................................................A-2
A.3 F-Related Monitoring Times for S7 Distributed Safety ..............................................................A-3
A.3.1 Minimum Monitoring Time for F-Cycle Time..............................................................................A-4
A.3.2 Minimum Monitoring Time for Safety-related Communication between the F-CPU and
F-I/O or between I-Slave and Slave via PROFIBUS DP............................................................A-5
A.3.3 Minimum Monitoring Time for Safety-Related Master-Master Communication.........................A-6
A.3.4 Minimum Monitoring Time for Safety-Related Master-I-Slave Communication.........................A-7
A.3.5 Minimum Monitoring Time for Safety-Related I-Slave-I-Slave Communication.........................A-7
A.3.6 Minimum Monitoring Time for Safety-Related Communication via S7 Connections .................A-7
A.3.7 Monitoring Time for Safety-Related Communication between F-Runtime Groups....................A-8
Table of contents
Safety Engineering in SIMATIC S7
System Manual, 04/2006, A5E00109529-05 xi
A.4 F-Related Monitoring Times for S7 F/FH Systems.................................................................... A-8
A.4.1 Minimum Monitoring Time for F-Cycle Time..............................................................................A-9
A.4.2 Minimum Monitoring Time for Safety-Related Communication between F-CPU and
F-I/O .........................................................................................................................................A-11
A.4.3 Minimum Monitoring Time for Safety-Related Communication between F-CPUs...................A-13
A.4.4 Minimum Monitoring Time for Safety-Related Communication between F-Runtime Groups..A-14
A.5 Response Times of Safety Functions ......................................................................................A-15
Glossary ..................................................................................................................................... Glossary-1
Index................................................................................................................................................ Index-1
Tables
Table 1-1 Performance Characteristics of F-Systems ............................................................................... 1-7
Table 1-2 Memory Configuration of F-CPUs.............................................................................................. 1-9
Table 1-3 Hardware Components ............................................................................................................ 1-11
Table 1-4 Use of Interface Modules with ET 200S Fail-safe Modules..................................................... 1-13
Table 1-5 Optional Packages for Configuration and Programming ......................................................... 1-15
Table 1-6 Programming Languages......................................................................................................... 1-16
Table 1-7 Sequence of Steps Ranging from Selection of Hardware to Maintenance of F-Systems ....... 1-18
Table 2-1 Configuration Options for Fail-safe Systems According to Availability...................................... 2-9
Table 2-2 Selection Citeria for an F-system............................................................................................. 2-22
Table 3-1 Communication Options............................................................................................................. 3-2
Table 3-2 Accessing F-I/O in S7 Distributed Safety................................................................................... 3-7
Table 3-3 Overview of Communication between F-CPUs ....................................................................... 3-13
Table 3-4 Safety-Related CPU-CPU Communication.............................................................................. 3-20
Table 4-1 Meaning of the risk parameters in accordance with IEC 61508-5 ........................................... 4-13
Table 4-2 Safety Integrity Level in Accordance with IEC 61508.............................................................. 4-13
Table 4-3 Probability Values for Individual Components of S7 Distributed Safety and
S7 F/FH Systems..................................................................................................................... 4-15
Table 4-4 Calculation Example for the Contribution of the F-System to the Failure Probability
of a Safety Function ................................................................................................................. 4-16
Table 5-1 Achievable Safety Classes for F-I/O with Digital Inputs ............................................................ 5-2
Table 5-2 Achievable Safety Classes for F-I/O with Analog Inputs ........................................................... 5-2
Table 5-3 Achievable Safety Classes for F-I/O with Outputs................................................................... 5-12
Table 7-1 Fail-safe Blocks of an F-Runtime Group.................................................................................... 7-6
Table 7-2 Fail-safe Blocks of the Distributed Safety F-Library (V1)........................................................... 7-7
Table 7-3 Fail-safe Blocks of Failsafe Blocks F-Library (V1_2)............................................................... 7-10
Table of contents
Safety Engineering in SIMATIC S7
xii System Manual, 04/2006, A5E00109529-05
Safety Engineering in SIMATIC S7
System Manual, 04/2006, A5E00109529-05 1-1
Overview of Fail-safe Systems 1
1.1 1.1 Introduction
Objective of Safety Engineering
The objective of safety engineering is to minimize danger to humans and the environment as
much as possible through use of safety-oriented technical installations without restricting
industrial production and the use of machines and chemical products any more than
necessary.
What are Fail-safe Automation Systems?
Fail-safe automation systems (F-systems) are used to control processes that can achieve a
safe state immediately as a result of a shutdown. That is, F-systems control processes in
which an immediate shutdown does not endanger humans or the environment.
Fail-safe systems go beyond conventional safety engineering to enable far-reaching
intelligent systems that extend all the way to the electrical drives and measuring systems.
F-systems are used in systems with advanced safety requirements. Improved fault detection
and localization in F-systems through detailed diagnostic information enables production to
be resumed quickly following a safety-related interruption.
Overview
This chapter provides an introduction to safety engineering in SIMATIC S7.
S7 Distributed Safety and S7 F/FH Systems are introduced along with their areas of
application. The important similarities and differences between the two fail-safe systems are
also presented.
In the last part of the chapter, we introduce the user to the basic procedure to be followed
when working with the fail-safe systems S7 Distributed Safety and S7 F/FH Systems.
Overview of Fail-safe Systems
1.2 Safety Integrated - the Integrated Safety Concept by Siemens
Safety Engineering in SIMATIC S7
1-2 System Manual, 04/2006, A5E00109529-05
1.2 1.2 Safety Integrated - the Integrated Safety Concept by Siemens
Safety Integrated
Safety Integrated is the integrated safety concept for automation and drives by Siemens.
Proven technologies and systems from automation engineering are used for safety
engineering. Safety Integrated covers the entire chain of safety from sensors and actuators
down to the controller, including safety-related communication over standard field buses.
In addition to their functional tasks, drives and controllers also take on safety tasks. A
particular feature of Safety Integrated is that is ensures not only reliable safety, but also a
high level of flexibility and productivity.
Safety-Related Input and Output Signals
Safety-related input and output signals form the interface to the process. This enables, for
example, direct connection of single-channel and two-channel I/O signals from devices such
as emergency STOP buttons or light barriers. Safety-related signals are redundantly
combined internally. Safety-related input signals are read redundantly (e.g., 2 times) and
compared. The unified read result is passed on to the central processing unit in a fail-safe
manner for further processing. Safety-related actuators are driven based on redundant
ANDing without any additional action on the part of the user. Interconnection of the inputs
and outputs is also greatly simplified.
This eliminates the need for some of the individually mounted hardware switching devices,
resulting in a simplified control cabinet design.
Fail-safe Distributed I/O Systems
Implementation of fail-safe distributed I/O systems enables conventional safety engineering
designs to be replaced by PROFIBUS DP components. This includes replacement of
switching devices for emergency STOP, protective door monitors, two-hand operation, etc.
Advantages of Integrating Safety Engineering into Standard Automation Systems
Integration of safety engineering into standard automation systems has the following
important advantages:
• An automation system with integrated fail-safe engineering is more flexible than
electromechanical solutions.
• Integration entails less complicated wiring solutions.
• Integration requires less engineering effort, as standard engineering tools are used for
configuring and programming.
• Only one CPU is required, as safety-related sections of the program can be executed
alongside standard sections in the CPU.
• Simple communication between safety-related and standard program components.
Overview of Fail-safe Systems
1.3 Fail-safe Systems in SIMATIC S7
Safety Engineering in SIMATIC S7
System Manual, 04/2006, A5E00109529-05 1-3
1.3 1.3 Fail-safe Systems in SIMATIC S7
What fail-safe systems are available in SIMATIC S7?
Two fail-safe systems are available for integrating safety engineering into SIMATIC S7
automation systems:
1. The S7 Distributed Safety system is available to implement safety concepts for machine
and operator protection (e.g., for emergency STOP devices for operation of machine
tools and processing machinery) and the process industry (e.g., for protection functions
for instrumentation and control protective devices and burners).
2. The fail-safe and, in particular, the optional S7 F/FH Systems fault-tolerant automation
system is well-suited for process engineering and oil industry applications.
Fail-safe and Fault-Tolerant S7 FH Systems
To increase availability of an automation system and, thus, to prevent process failures due to
faults in the F-system, fail-safe S7 F Systems can be optionally equipped with a fault-tolerant
feature (S7 FH Systems). Increased availability is achieved through component redundancy
(power supply, central processing unit, communication, and I/O).
Achievable Safety Requirements
S7 Distributed Safety and S7 F/FH Systems F-systems can satisfy the following safety
requirements:
• Safety class (Safety Integrity Level) SIL1 to SIL3 in accordance with IEC 61508
• Category 2 to Category 4 in accordance with EN 954-1
Principle of Safety Functions in S7 Distributed Safety and S7 F/FH Systems
Functional safety is implemented principally through safety functions in the software. Safety
functions are executed by S7 Distributed Safety or S7 F/FH Systems to restore or maintain a
safe state in a system when a dangerous event occurs. Safety functions are contained
mainly in the following components:
• In the safety-related user program (safety program) in the fail-safe CPU (F-CPU)
• In the fail-safe inputs and outputs (F-I/O)
The F-I/O ensures safe processing of field information (emergency STOP buttons, light
barriers, motor control). They have all of the required hardware and software components for
safe processing, in accordance with the required safety class. The user only programs the
user safety function.
The safety function for the process can be provided through a user safety function or a fault
reaction function. In the event of a fault, if the F-system can no longer execute its actual user
safety function, it executes the fault reaction function; for example, the associated outputs
are deactivated, and the F-CPU switches to STOP mode, if necessary.
Overview of Fail-safe Systems
1.3 Fail-safe Systems in SIMATIC S7
Safety Engineering in SIMATIC S7
1-4 System Manual, 04/2006, A5E00109529-05
Example of User Safety Functions and Fault Reaction Functions
In the event of overpressure, the F-system opens a valve (user safety function). If a
dangerous fault occurs in the F-CPU, all outputs are deactivated (fault reaction function),
whereby the valve is opened and the other actuators also attain a safe state. If the F-system
is intact, only the valve would be opened.
PROFIBUS DP or PROFINET IO with PROFIsafe Bus Profile
Safe communication between the safety program in the F-CPU and the fail-safe inputs and
outputs takes place via the "standard" PROFIBUS DP or "standard" PROFINET IO with
superimposed PROFIsafe safety profile.
The user data of the safety function plus the safety measures are transmitted within a
standard data frame.
Advantages:
• Because both standard and safety-related communication takes place on the standard
PROFIBUS DP or standard PROFINET IO, no additional hardware components are
required.
• Safety-related communication tasks can be solved without resorting to previous
conventional solutions (such as permanent wiring of emergency stop devices) or special
buses. This enables safety-related distributed applications, for example in automobile
chassis construction with presses and robots, burner management, passenger
transportation on cable railway, and process automation.
• Fail-safe DP standard slaves can be integrated in S7 Distributed Safety and S7 F/FH
Systems F-systems (sensors/actuators with bus capability and safety devices of
PROFIBUS partner companies that are DP standard slaves with PROFIsafe capability).
• Fail-safe I/O standard devices can be integrated in S7 Distributed Safety F-systems
(sensors/actuators with bus capability and safety devices of PROFIBUS partner
companies that are I/O standard devices with PROFIsafe capability).
Overview of Fail-safe Systems
1.3 Fail-safe Systems in SIMATIC S7
Safety Engineering in SIMATIC S7
System Manual, 04/2006, A5E00109529-05 1-5
1.3.1 Areas of Application of S7 Distributed Safety and S7 F/FH Systems
Use of S7 Distributed Safety
The primary uses of S7 Distributed Safety fail-safe systems are for machine and operator
protection (e.g., for emergency STOP devices for operation of machine tools and processing
machinery) and the process control industry (e.g., for protection functions for instrumentation
and control protective devices and burners).
Integration options for S7 Distributed Safety fail-safe systems at the plant automation level
are shown below.
PROFIBUS
PC
ET 200S
ET 200M
ET 200M
ET 200S
F-SMs
ET 200S
ET 200S
ET 200pro
ET 200S
F-SMs
ET 200M
ET 200pro
ET 200eco
2SHUDWRUVWDWLRQ26
)PRGXOHV
)PRGXOHV
)DLOVDIH,2PRGXOH
)DLOVDIH,2PRGXOHV
6WDQGDUGPRGXOHV
)DLOVDIH,2PRGXOHV
6WDQGDUGPRGXOHV
6WDQGDUG60V
)PRGXOHV
6'LVWULEXWHG6DIHW\
ZLWK&38)
(PHUJHQF\2))
&RDOPLOO
(PHUJHQF\2))
%RLOHUSURWHFWLRQ
(PHUJHQF\2))
%XUQHUV
6'LVWULEXWHG6DIHW\
ZLWK&38)31'3
6'LVWULEXWHG6DIHW\
ZLWK,0)&38
)60V
Figure 1-1 Use of S7 Distributed Safety
Overview of Fail-safe Systems
1.3 Fail-safe Systems in SIMATIC S7
Safety Engineering in SIMATIC S7
1-6 System Manual, 04/2006, A5E00109529-05
Use of S7 F/FH Systems
S7 F/FH Systems fail-safe systems are used primarily in process engineering and
instrumentation and control applications in which a safe state can be attained by disabling
the fail-safe outputs.
Integration options for S7 F Systems and
S7 FH Systems in process automation systems using PCS 7 are shown below.
PC
PC
• • •
PC PC
ET 200M
ET 200M ET 200M
ET 200S ET 200S
S7-400H
ET 200eco
)60V)60V
)60V)60V
2SHUDWRUVWDWLRQV26
&HQWUDOHQJLQHHULQJ(6
,QGXVWULDO(WKHUQHWRU352),%86
)DLOVDIH,2PRGXOH
LQVWDQGDUGPRGH
6WDQGDUGPRGXOHV
6WDQGDUG60V
6WDQGDUG60V
6WDQGDUG60V
)PRGXOHV
(PHUJHQF\2))
%RLOHUSURWHFWLRQ
%XUQHUV
&RDOPLOO
Figure 1-2 Use of S7 F/FH Systems
Overview of Fail-safe Systems
1.3 Fail-safe Systems in SIMATIC S7
Safety Engineering in SIMATIC S7
System Manual, 04/2006, A5E00109529-05 1-7
1.3.2 Performance Characteristics of S7 Distributed Safety and S7 F/FH Systems
Common Characteristics of S7 Distributed Safety and S7 F/FH Systems
S7 Distributed Safety and S7 F/FH Systems have the following important characteristics in
common:
• Integration in S7-300 or S7-400 automation systems; the automation task determines the
system design, and fail-safe engineering is integrated into the system
• Execution of standard control functions and protection functions on the same system
(standard system with fail-safe capability, which eliminates the need for dedicated fail-
safe solutions)
• Connection of distributed I/O via PROFIBUS DP with PROFIsafe
• Use of standard PROFIBUS components (copper and fiber-optic cable technology)
• Configuration integrated in
STEP 7
, same as for standard automation systems
• Creation of safety program using standard programming languages of
STEP 7
• Flexible adaptation to the task requirements by providing a wide range of fail-safe I/O
Comparison of System Performance of S7 Distributed Safety and
S7 F/FH Systems
The following table identifies the differences between the fail-safe systems with regard to
important performance characteristics.
Table 1-1 Performance Characteristics of F-Systems
Performance Characteristic S7 Distributed Safety S7 F/FH Systems
Achievable safety classes SIL3/Category 4 SIL3/Category 4
Fault tolerance feature
available
No Yes
Development stage Fail-safe system Fail-safe system
Fail-safe and fault-tolerant system
Connection of fail-safe I/O • Centralized and decentralized
via PROFIBUS DP
• Distributed via PROFINET IO
(ET 200S and ET 200pro
F-modules)
• Distributed via PROFIBUS DP
Minimum response time of
F-system (dependent on
configuration)
50 ms 100 ms
Typical response time of
F-system
100 ms to 200 ms 200 ms to 500 ms
Overview of Fail-safe Systems
1.3 Fail-safe Systems in SIMATIC S7
Safety Engineering in SIMATIC S7
1-8 System Manual, 04/2006, A5E00109529-05
Performance Characteristic S7 Distributed Safety S7 F/FH Systems
Communication Safety-related master-master
communication
Safety-related master-I-slave
communication
Safety-related I-slave-I-slave
communication
Safety-related I-slave-slave
communication
Safety-related communication via
S7 connections (Industrial
Ethernet only)
Safety-related communication via
S7 connections (via PROFIBUS,
MPI, Industrial Ethernet, etc.)
Creation of safety program In standard LAD or FBD
languages in
STEP 7
In CFC (optional software for
STEP 7
)
via safety matrix
Modification of safety
program in the F-CPU in
RUN mode
Currently possible in deactivated
safety mode, however, transition
to safety mode possible only by
switching the F-CPU to STOP
mode
Currently possible in deactivated
safety mode or via Safety Data
Write; change of operating mode
of F-CPU not required for
transition to safety mode
Fault reactions in the safety
program
Passivation of channels or F-I/O
F-CPU in STOP mode
Passivation of channels or F-I/O
F-CPU does not go to STOP
mode; instead, the safety
program or faulty F-runtime group
is shut down
Main areas of application Operator and machine protection
Burner control
Instrumentation and control and
process industries
(can be integrated in the
PCS 7 process control system)
Other manuals for SIMATIC S7
13
Table of contents
Other Siemens Controllers manuals
Siemens
Siemens SINAMICS S120 User guide
Siemens
Siemens Stratos Outstation Guide
Siemens
Siemens SIMOTION C230-2 User manual
Siemens
Siemens SIRIUS 3SE5000-0A Series User manual
Siemens
Siemens RWD32 User manual
Siemens
Siemens SIMATIC 500 User manual
Siemens
Siemens Powermite 599 MT Series Owner's manual
Siemens
Siemens SINUMERIK 840D sl Owner's manual
Siemens
Siemens SIMATIC IPC427C User manual
Siemens
Siemens Sirius 3RA6 User guide
Siemens
Siemens SFA21/18 User manual
Siemens
Siemens SIRIUS 3RA2110 Series User manual
Siemens
Siemens LOGO! User manual
Siemens
Siemens RMH760 User manual
Siemens
Siemens 3VT9500-3MN00 User manual
Siemens
Siemens SIMATIC Ident Parts list manual
Siemens
Siemens RWB27 Timeswitch User manual
Siemens
Siemens 72G Series User manual
Siemens
Siemens RVP360 Operator's manual
Siemens
Siemens LME39 Series Operator's manual
