SIMATIC Process Control System PCS 7
Compendium Part B - Process Safety (V8.2)
Operating Manual

Contents: Security information; Preface; What's new?; Installing the fail-safe system; Advanced PCS 7 ES settings; Configuring S7F/FH hardware; Configuring the safety program; Configuration with Safety Matrix; Changes, tracking changes, and acceptance; Service and support...
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems.
Table of contents (excerpt)
Security information 7
Preface 8
What's new? 10
Installing the fail-safe system 11
Software components 11
Installation on the PCS 7 engineering station (ES) 12
4.2.1 Installing S7 F Systems 12
4.2.2 Installing Safety Matrix ...
Setting system parameters for F-signal modules 43
6.4.1 Operating mode 43
6.4.2 PROFIsafe addresses 44
6.4.3 Module parameters - general 45
6.4.4 Activating channels 47
6.4.5 Parameter assignment for SM326; DI 8 x NAMUR 50
6.4.6 Parameter assignment for SM326; ...
Passivation and reintegration of input/output channels 107
7.7.1 Passivation - general 107
7.7.2 Group passivation 108
7.7.3 Reintegration following elimination of errors 109
7.7.4 Automatic reintegration on channel error 109
7.7.5 Programming reintegration following module errors or channel errors requiring acknowledgment ...
Changes, tracking changes, and acceptance 173
General information 173
Preparing for changes 174
Changes in CFC 176
Changes in HW Config 177
Downloading changes/Complete downloading 178
Tracking changes in the safety program 178
Printing program data ...
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens' products and solutions form only one element of such a concept. The customer is responsible for preventing unauthorized access to its plants, systems, machines and networks.
● S7 F-Systems
● SIMATIC Safety Matrix
Checklists
You can download the checklist for the SIMATIC PCS 7 Compendium Part B as a zip file via the "Appendix" button in the Industry Online Support Portal.
● SIMATIC F-Systems V6.1 SP2
● SIMATIC Safety Matrix V6.2 SP2
SIMATIC PCS 7 in Industry Online Support
An overview of the most important technical information and solutions for SIMATIC PCS 7 is available at http://www.siemens.com/industry/onlinesupport/pcs7.
SIMATIC PCS 7 documentation
Full PCS 7 documentation is available to you free of charge and in multiple languages in PDF format at www.siemens.com/pcs7-documentation.
What's new?
The contents of the compendium have been updated in accordance with the new functions and operator input options of SIMATIC PCS 7 V8.2. Changes and extensions were made in the following sections in particular:
● Installing the fail-safe system
●...
All SIMATIC software must be closed during the installation process.
Note
You can find more information in the following manuals:
• S7 F/FH Systems Configuring and Programming (https://support.industry.siemens.com/cs/ww/en/view/101509838)
• Industrial Software Safety Matrix (https://support.industry.siemens.com/cs/ww/en/view/100675874)
– S7 F-ConfigurationPack V5.5 SP11
3. Deactivate the option for the S7 F-Configuration Pack V5.5 SP11.
4. Carry out the installation.
5. Download the S7 F Configuration Pack V5.5 SP12 via the Siemens Industry Online Support:
– Download S7 F Configuration Pack V5.5 SP12 (https://support.industry.siemens.com/cs/ww/en/view/15208817)
Installing the fail-safe system
4.4 OS client installation
4.4.1 Installing S7 F Systems
Procedure
If you are using SDW or MOS, run SETUP.EXE to start the installation and select the "Runtime" package. The following components are selected for installation in the next dialog:
●...
Advanced PCS 7 ES settings
Access protection
An S7 F/FH system being operated as a safety system is protected by two passwords:
● The CPU password is configured in the hardware configuration and is intended to protect the CPU against accidental downloading or the wrong program being downloaded.
●...
5.2 CFC settings for compiling and downloading
Procedure
1. In the SIMATIC Manager, activate access protection on a selected project node via "Options > Access Protection". The project format is changed the first time access protection is activated. A message appears indicating that the modified project can no longer be edited with older versions of STEP 7 (<...
..."Maximum length of code area reached (max. 64 KB)" or "Insufficient main memory" appear when the CFC charts are compiled?" (https://support.industry.siemens.com/cs/ww/en/view/771569).
2. In the "Areas Reserved for Other Applications" field, set the value for "FC numbers from:" to 0. The default setting is 60.
● CPU 416H
● CPU 417H
● CPU 410H
In the SIMATIC PCS 7 catalog, safety-related automation systems can be configured and ordered as bundles with a single or redundancy station in various designs.
Configuring S7F/FH hardware
6.1 Adapting CPU parameters (single F-system)
6.1.1 Password and access protection
In order to activate the safety functions contained in the H-CPU's operating system, you need to enter a password. A prompt appears accordingly on CPU download. The "CPU contains safety program"...
As of PCS 7 V8.1, you can encrypt the CPU password assigned by the hardware configuration in the project data management. The increased password security is only relevant for the engineering system. If the check box is selected, the password entered in the data management is stored encrypted.
Calling of SFC 109 with MODE=12
Setting of protection level 3 without password authorization: this means that you cannot lift the read and write protection set with SFC 109, even if you know the valid password. If an authorized connection is already present when SFC 109 is called with MODE=12, the call of SFC 109 has no effect on this connection.
Example
The following example shows how you can switch between protection level "2" (MODE = 1) and "3" (MODE = 12) of the CPU with a digital input signal (e.g. from a key switch) with SFC 109.
When the password prompt appears, disable the "Use password as default for other protected modules/memory cards" function, so that the password is not used by the system for other functions and is prompted again when required.
6.1.3 Cyclic interrupts
Parameter assignment...
Note
No reduction ratio or phase offset may be configured for cyclic interrupt OBs with F-program.
The flow diagram below demonstrates one method you can use for structuring your program according to process requirements, using the cyclic interrupt OBs.
Compendium Part B - Process Safety (V8.2) Operating Manual, 07/2016, A5E35031794-AB
The user program is divided among cyclic interrupt OBs according to the requirements:
● OB – Very fast applications – For example connections, such as Quadlog or Modbus
● OB – Fast F-applications (cyclic interrupt with special treatment) –...
Example 1: Reconfiguration (no Quadlog connection, no serial communication)
OB      Prio   Call interval   Purpose               Comment
OB 38   15     10 ms           Empty
OB 37   17     300 ms          Fast F-application    OB with special handling
OB 36   16     1000 ms         F application...
Example 2: Reconfiguration/migration, for which the hardware present must be connected via serial communication (Modbus)
OB      Prio   Call interval   Purpose                 Comment
OB 38   18     50 ms           Serial communication    Ex.: Modbus
OB 37   17     300 ms          Fast F-application      OB with special handling...
To help you determine the processing times of the individual cyclic interrupt OBs, please refer to the FAQ "How can you calculate the cycle load of the automation system (AS) online?" (https://support.industry.siemens.com/cs/ww/en/view/22000962). As of PCS 7 V7.0 SP1 and an S7-400H CPU with FW 4.5 and higher, the run times for the cyclic interrupt OBs and the complete utilization of the AS may also be read at the CPU_RT block.
6.1.4 Diagnostics/Clock
For process data to be compatible for evaluation, all components of the process control system must work with the same time of day so that messages – regardless of the time zone in which they are generated –...
6.1.5 H parameters
Self-test (advanced CPU test)
The CPU tests the following during the self-test:
● Processor
● Internal memory
● I/O bus
If the test detects any faults, they are reported and the CPU goes to STOP.
Test cycle time
The test cycle time (default setting: 90 minutes) indicates the time taken for a complete background self-test.
Note
If you are using redundant standard signal modules, the system will generate two data blocks in the AS: DB 1, with the number specified, and DB 2, with the number following this. Make sure that these blocks are not used twice (e.g.
This ensures that when the next error is detected in troubleshooting mode, the hardware of the previous master CPU is tested.
Note
To find out which events trigger the TROUBLESHOOTING operating state, please refer to the "SIMATIC S7-400H Fault-tolerant Systems" (https://support.industry.siemens.com/cs/ww/en/view/82478488) manual.
6.2 Adapting CPU parameters (fault-tolerant F system)
● H system STOP: The entire H system is set to the STOP system mode.
● Standby CPU STOP: The standby CPU is set to the STOP mode. The master CPU remains in RUN (solo system mode).
6.2.2 Cyclic interrupt OB with special handling
Priority class
To prevent time monitoring (F-CYC_CO or the monitoring time of modules) from being triggered while a CPU starting up in the H system is being coupled/updated, you need to set the priority of the cyclic interrupt OBs allocated to the F-program (OB 30 to OB 38) to >...
Note
For more information, see manual "SIMATIC S7-400H Fault-tolerant Systems" (https://support.industry.siemens.com/cs/ww/en/view/82478488).
If the "Use only calculated values" box is checked (recommended default setting), it will not be possible to enter or modify the monitoring times manually. The best values for the user program can then be determined automatically by clicking the "Calculate..."...
6.2.4 Calculating monitoring times
Calculation
You can use this dialog to calculate monitoring times for updating the standby CPU. You need to enter information about your user program for this purpose:
●...
You can find information on this in the "How do I set the runtime and time scale of a cyclic interrupt OB?" (https://support.industry.siemens.com/cs/ww/en/view/1023077) FAQ. From PCS 7 V7.0 and higher, and an S7-400H CPU with FW V4.5 and higher, the runtimes for the cyclic interrupt OBs may also be read at the CPU_RT block.
Calculation
Once all the parameters have been set, the values are calculated by pressing the "Recalculate" button. If the F-signal modules are configured in safety mode in HW Config, the "Max. disabling time for priority classes >...
...20% into your setting.
Note
For more information and corrective measures, see manual "SIMATIC S7-400H Fault-tolerant Systems" (https://support.industry.siemens.com/cs/ww/en/view/82478488).
6.3 Communications module parameters/Networks
The settings for communication modules are explained in Compendium Part A. It may be advisable to operate the F-I/O on a separate DP master system when there are numerous nodes or nodes with low transmission speeds.
Requirements for using PROFINET with F Systems
The PROFIsafe version V2 required for fail-safe communication via PROFINET is available in F Systems as of V6.0. The following components are required to use PROFINET with F Systems:
Recommended software requirements:
●...
Example (figure: topologies for fail-safe signal modules)
● Fail-safe signal modules on PROFINET IO
● Fail-safe signal modules on PROFINET IO as well as on PROFIBUS DP* (* PROFIsafe V1 mode possible)
● Fail-safe signal modules on PROFINET IO as well as in the downstream PROFIBUS DP* via IE/PB Link (* PROFIsafe V2 mode required)
● Fail-safe signal modules on PROFINET IO as well as in the downstream PROFIBUS DP* via IE/PB Link in combination with signal modules on PROFIBUS DP (* PROFIsafe V2 mode required)
6.4 Setting system parameters for F-signal modules
Similar to standard modules, F-signal modules are configured in HW Config. This requires the corresponding F-Configuration Pack. Unused channels can be added during operation, provided that, during first commissioning, they have been activated in HW Config and equipped with resistors in order to suppress channel faults.
6.4.2 PROFIsafe addresses
F source and destination addresses
The PROFIsafe addresses (F_SOURCE_ADD, F_DEST_ADD) are used to uniquely identify the source and destination during PROFIsafe communication. The F_DEST_ADD uniquely identifies the PROFIsafe destination (the module). The F_DEST_ADD must, therefore, be unique across both the network and the station.
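As an added example, not taken from this manual or from any Siemens tool, the following Python script audits a list of configured F-signal modules against the uniqueness requirement stated above and reports every F_DEST_ADD that is assigned more than once. The parameter names F_SOURCE_ADD and F_DEST_ADD are those used in HW Config; the CSV-style export format, the station names and the address values are constructed for this example, and the one address clash in the sample is deliberate.

```python
"""Audit PROFIsafe destination addresses for uniqueness.

Added example (not part of the Siemens manual): reads a list of configured
F-signal modules and reports every F_DEST_ADD that is not unique across the
whole configuration. The export format and all values below are constructed.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed export: one line per F-signal module (station, slot, module,
# PROFIsafe source address, PROFIsafe destination address).
SAMPLE_EXPORT = """\
station,slot,module,F_SOURCE_ADD,F_DEST_ADD
ET200M-1,4,SM326; DI 8 x NAMUR,1,1001
ET200M-1,5,SM326; F-DO 10 x DC24V/2A PP,1,1002
ET200M-2,4,SM336; AI 6 x 13Bit,1,1003
ET200M-2,5,SM326; DI 8 x NAMUR,1,1001
"""


@dataclass(frozen=True)
class FModule:
    station: str
    slot: int
    module: str
    f_source_add: int   # PROFIsafe source address (F-CPU side)
    f_dest_add: int     # PROFIsafe destination address (identifies the module)


def parse_export(text: str) -> List[FModule]:
    """Parse the constructed CSV export into FModule records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        FModule(row["station"], int(row["slot"]), row["module"],
                int(row["F_SOURCE_ADD"]), int(row["F_DEST_ADD"]))
        for row in reader
    ]


def duplicate_dest_addresses(modules: List[FModule]) -> Dict[int, List[FModule]]:
    """Map F_DEST_ADD -> modules for every address used by more than one module.

    F_DEST_ADD must be unique across the network and the station, so the
    grouping deliberately ignores station boundaries.
    """
    by_dest: Dict[int, List[FModule]] = defaultdict(list)
    for m in modules:
        by_dest[m.f_dest_add].append(m)
    return {addr: mods for addr, mods in by_dest.items() if len(mods) > 1}


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no duplicate F_DEST_ADD."""
    findings = []
    for addr, mods in sorted(duplicate_dest_addresses(parse_export(text)).items()):
        where = "; ".join(f"{m.station} slot {m.slot} ({m.module})" for m in mods)
        findings.append(f"F_DEST_ADD {addr} assigned more than once: {where}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT) or ["No duplicate F_DEST_ADD values found."]:
        print(line)
```

Run against a real export, the same check belongs in the acceptance procedure: a duplicate F_DEST_ADD means two modules would accept the same PROFIsafe telegrams, which is exactly the condition the uniqueness rule exists to exclude.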
6.4.3 Module parameters - general
Diagnostic interrupt
To enable the PCS 7 driver blocks to report interrupts, the diagnostic interrupt for the F signal module must always be activated in safety mode. Various error events, which the fail-safe signal module can detect using its diagnostics function, trigger a diagnostic interrupt.
Group diagnostics
If you check this box for a specific channel, a channel-specific event (a wire break, for example) will trigger an error reaction in the safety program (the substitute value is activated on the channel driver and QBAD is set).
6.4.4 Activating channels
Due to the structure of fail-safe signal modules, it is not possible to make changes to their hardware configuration or to download them without the module being passivated. Passivating output modules involves establishing a safe state on all outputs, while passivating input modules involves the input drivers outputting the value 0.
SM326; F-DO 10 x DC 24V/2A PP (6ES7 326-2BF10-0AB0)
● Determine module parameters
● Activate group diagnostics for the channel
● To simulate an actuator, interconnect output with a resistor (e.g. 2.7 kilohms) downstream of the ground connection M326;...
Note
You can find more information on activating channels during operation in the "Programming with F/FH systems - Changing parameters on fail-safe I/Os" (https://support.industry.siemens.com/cs/ww/en/view/21382997) FAQ.
6.4.5 Parameter assignment for SM326; DI 8 x NAMUR
Sensor evaluation
● 1oo1 (1v1) evaluation: A sensor connected to the F signal module via a single channel
● 1oo2 (2v2) evaluation: ...
Discrepancy time
Where "1oo1 evaluation" is concerned, the value displayed is not relevant. The discrepancy analysis is used for fail-safe inputs in order to detect errors from the temporal characteristic of two signals with identical functionality. The discrepancy analysis is started if different levels are determined for two associated input signals.
Short-circuit test
You can use this parameter to activate short-circuit detection for the F signal module. The short-circuit test can only be activated for sensors that are supplied by the F signal module.
Discrepancy behavior
For "discrepancy behavior", parameterize the value provided to the safety program in the F CPU during the discrepancy between the two affected input channels – i.e. while the discrepancy time is running.
6.4.7 Parameter assignment for SM326; DO 10 x DC 24V/2A (6ES7326-2BF01-0AB0)
On fail-safe output modules, the required safety class is achieved by injecting test signals.
Deactivating the light test
For the purpose of the test, 1-signals are connected to the output while the output is inactive (output signal "0").
6.4.8 Parameter assignment for SM326; F-DO 10 x DC 24V/2A PP (6ES7326-2BF10-0AB0)
Figure 6-1
Maximum test time
With the parameter "maximum test time(s)", you determine the time within which the light and dark tests are to be conducted (in all combinations) for the whole module.
Light test activated
The module conducts complete bit pattern tests within the configured maximum test time. If the output is active in the "good condition", a dark test is always conducted. If the output is not active in the "good condition", activate the light test with this parameter.
Maximum dark test readback time
Dark periods arise during deactivation tests and the complete bit pattern test. In this process, a test signal is connected to the output from the fail-safe output module while the output is active ("1"...
6.4.9 Parameter assignment for SM326; F-DO 8 x DC24 V/2A PM
The module can only be used in safety mode, not redundantly. For the purpose of switching an actuator, each module is provided with one switch in the plus line (P switch) and one in the minus line (M switch).
6.4.10 Assigning parameters for the SM336; AI 6 x 13Bit
Sensor evaluation (analog inputs)
● 1oo2 evaluation: 1 sensor connected to the module via a single-channel redundant connection (voting on module). The module has 6 redundant SIL 3-compatible channels. Safety class SIL3 can be achieved here.
Type of sensor interconnection (analog inputs)
When safety mode is activated, 1 or 2 sensors can be configured per input channel.
For more information, please refer to the following FAQ: "How can process signals that are less than 4 mA be used with a 4 to 20 mA analog input module (F technology)?" (https://support.industry.siemens.com/cs/ww/en/view/23707365).
Note
For details of possible types of interconnection, please refer to the FAQ titled "Wiring & Voting Architectures for ET 200M F-AIs" (https://support.industry.siemens.com/cs/ww/en/view/24690377).
6.4.11 Assigning parameters for the SM336; F-AI 6 x 0/4...20mA HART
Diagnostic interrupt
The diagnostic interrupt for the F signal module must always be activated in safety mode.
HART gate
This enables HART communication with the transducers to be controlled. ON/OFF switches HART communication on or off for the entire module, in a safety-related manner. If "Can be switched"...
Discrepancy handling (analog inputs)
In the process industry, no evaluation is generally performed between 2 signals on the module. 1oo1 is set for sensor evaluation. This makes all the signals available in the user program, where they can be linked in 1oo2 or 2oo3, depending on what is required.
6.4.12 Parameter assignment for EM 8 F-DI NAMUR Ex
Reintegration following a discrepancy error
You use this parameter to determine when a discrepancy error is considered lifted and, therefore, when a reintegration of the affected input channels is possible. You can choose between the following parameter options:
●...
6.4.13 Parameter assignment for EM 4 F-DO Ex 17.4V/40mA
"Maximum test time" parameter
With the parameter "maximum test time(s)", you determine the time within which the light and dark tests are to be conducted (in all combinations) for the whole module. After this time elapses, the tests are repeated.
Parallel interconnection
To improve performance, you can connect two digital outputs of the module for an actuator in parallel (channel coupling). This increase in performance is only permitted on the same module and between the following channels:
●...
Overload
If you use the parameter "overload" in addition to the parameter "short-circuit level", the following will result:
● In the range from the onset of current limiting (the inflection point on the output curve) up to the short-circuit level, an "overload"...
HART Fast Mode
The electronic module is HART Fast Mode-capable and supports the processing of HART commands as an SHC (Successive HART Command) sequence. If a HART command with a set SHC bit for a channel is detected by the electronic module, the complete HART command processing is reserved for approx....
...(6ES7 138-7FA00-0AB0) are not supported by the PCS 7 channel driver blocks. You can find more information in the manual "SIMATIC Distributed I/O Distributed I/O device ET 200iSP – Fail-safe module" (https://support.industry.siemens.com/cs/ww/en/view/47357221).
6.5 Configuring redundant F-signal modules
You can use the fail-safe signal modules S7-300 (F signal modules) – with the exception of the F-DO 8 x DC 24V/2A PM – redundantly in one or several different ET 200Ms. Where F signal modules configured with redundancy are concerned, please note the following:
●...
7. Check the default discrepancy time for redundant, fail-safe digital input modules.
8. Create a symbol for the lower I/O address and interconnect the channel driver with this address.
If you are operating a HART device on a channel of a redundant module, you also need to follow the steps outlined below:
1....
Figure legend: ② ET 200M singular; ③ Prefabricated cable with front connector; ④
Note
For more information, please refer to the "ET 200M Marshalled Termination Assemblies Remote I/O Modules" (https://support.industry.siemens.com/cs/ww/en/view/22091986) FAQ.
Note
You can find details on possible types of interconnection in the following documents:
• Wiring & Voting Architectures for ET 200M F-AIs (https://support.industry.siemens.com/cs/ww/en/view/24690377)
• F systems: "Wiring and Voting" architectures for ET200M F-DIs and F-DOs (https://support.industry.siemens.com/cs/ww/en/view/37236961)
1oo2 voting of fail-safe input signals can be implemented in both the F signal module and the user program.
6.7 "Wiring and Voting" architectures for ET 200M
SIL 3 by means of voting in module
Note
Suitable sensors are required to achieve this SIL3 wiring.
6.7.2 2oo3 Voting with F-AI
2-out-of-3 selection uses three sensors and, for example, three F-AI modules. In the example, each sensor is wired to channel 0 of an F-AI module. The individual signals are then evaluated in the user program.
Configuring the safety program
7.1 Introduction
Fail-safe user program
Use the F-blocks supplied in a library with the S7 F-Systems optional package to create a fail-safe user program (F program or safety program) with the CFC editor.
Note
The figure is available in its original size as appendix to the manual in the ZIP download of the checklists.
During compilation, specific functions for detecting and reacting to errors are automatically added to the F-program. The S7 F-Systems optional package also features functions for comparing F-programs and for supporting the acceptance and approval procedure for F-programs, such as functions for generating a signature over the F-program which can be used to detect changes to functions and parameters.
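To make the signature idea concrete, here is an added Python example. It is not code from the Siemens manual and it is not the F-signature algorithm of S7 F-Systems, which is computed by the Siemens tooling; it only illustrates the principle the paragraph describes: a signature computed over the functions and parameters of a program changes whenever any of them changes, and comparing the accepted version with the current one locates the change that has to be re-accepted. The chart names, block instance names and parameters below are constructed sample data (the names are chosen to resemble F-library names but stand for nothing in a real project).

```python
"""Program signature and change location for acceptance tracking.

Added example, not code from the Siemens manual and not the S7 F-Systems
F-signature algorithm. Program contents below are constructed sample data.
"""
import copy
import hashlib
import json
from typing import Dict, List

Program = Dict[str, Dict[str, dict]]   # chart -> block instance -> type and parameters

# Constructed "accepted" program state.
ACCEPTED: Program = {
    "F_Chart_1": {
        "F_CH_DI_1": {"type": "F_CH_DI", "ACK_NEC": True},
        "F_AND4_1": {"type": "F_AND4"},
    },
    "F_Chart_2": {
        "F_CH_AI_1": {"type": "F_CH_AI", "VHRANGE": 100.0, "VLRANGE": 0.0},
    },
}


def block_signature(block: dict) -> str:
    """Signature of one block instance: SHA-256 over its canonical JSON form.

    sort_keys and fixed separators make the serialization independent of
    insertion order, so equal parameter sets always give equal signatures.
    """
    canonical = json.dumps(block, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def program_signature(program: Program) -> str:
    """Collective signature: hash over all block signatures in a fixed order."""
    h = hashlib.sha256()
    for chart in sorted(program):
        for block in sorted(program[chart]):
            line = f"{chart}/{block}:{block_signature(program[chart][block])}\n"
            h.update(line.encode("utf-8"))
    return h.hexdigest()


def changed_blocks(old: Program, new: Program) -> List[str]:
    """Return the sorted 'chart/block' paths that were changed, added or removed."""
    paths = []
    for chart in set(old) | set(new):
        old_blocks, new_blocks = old.get(chart, {}), new.get(chart, {})
        for block in set(old_blocks) | set(new_blocks):
            if old_blocks.get(block) != new_blocks.get(block):
                paths.append(f"{chart}/{block}")
    return sorted(paths)


# Constructed change after acceptance: a range limit is edited.
MODIFIED: Program = copy.deepcopy(ACCEPTED)
MODIFIED["F_Chart_2"]["F_CH_AI_1"]["VHRANGE"] = 120.0

if __name__ == "__main__":
    print("accepted :", program_signature(ACCEPTED))
    print("current  :", program_signature(MODIFIED))
    print("changed  :", changed_blocks(ACCEPTED, MODIFIED))
```

The accepted signature is the value to record in the acceptance documents; a mismatch at a later check is the trigger to run the comparison and re-accept exactly the blocks it names.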
7.2 Creating the safety program
Requirements
● You must have created a project structure in the SIMATIC Manager.
● Prior to programming, you must have configured the hardware components of your project, in particular the F-CPU and the F-signal modules, for safety mode.
●...
7.2.1 Defining the program structure
In addition to considering the standard scenario, you need to answer the following questions when drafting a safety program:
● Which parts of the user program need to be fail-safe?
●...
7.2.2 Creating CFC charts
Inserting CFC charts
Individual CFC charts are added to the chart folder or plant hierarchy (PH) in the same way as for standard user programs:
● In the chart container: "Insert New Object > CFC" in the SIMATIC Manager
●...
In terms of programming, the F data types are implemented as structures in which only the "DATA" component is ever relevant for the user.
Example: Structural element
F_Real VHRANGE [STRUCT] "HIGH RANGE OF PROCESS VALUE"
You can change the structure comment to whatever you wish. If you wish to change the value (default) of a block connection with an F data type, you may only change the DATA component.
4. F channel drivers for outputs
5. Placed automatically:
– F block F_PLK
– F block F_PSG_M
– F module driver for F-signal modules with outputs or with inputs and outputs
–...
7.2.5 F-runtime groups
During the programming of the safety program, F-blocks cannot be inserted directly into tasks (cyclic interrupt OBs). When a new CFC chart is created in PCS 7, the system will automatically generate a runtime group of the same name, into which the F-blocks placed in the corresponding CFC chart can then be inserted.
Runtime groups of an F-program
The F-program is divided into several runtime groups, as shown in the table below.
Note
xx = Number of the cyclic interrupt OB
y = Consecutive numbering if several shutdown groups exist in a single cyclic interrupt OB
Chart           F blocks
@F_ShutDn_xx    ...
Rules for F-runtime groups in the safety program
● We recommend that you proceed as follows in order to make the lengths of the F-cycles as uniform as possible: If you mix F- and standard runtime groups in a cyclic interrupt OB, you must execute the F-runtime groups before the standard runtime groups.
7.2.6 F-shutdown groups
An F-shutdown group is a self-contained unit in your safety program. It contains user logic which is executed or shut down simultaneously. The F-shutdown group contains one or a number of F-runtime groups which are assigned to a common cyclic interrupt OB.
Programming data exchange between F-shutdown groups
If you wish to exchange data between two F-shutdown groups, you are not permitted to interconnect the inputs and outputs directly. You need to use the following F-system blocks for data exchange between ...
Extract from a chart for shutdown group 1 with send block:
The connection to shutdown group 2 is established by linking output S_DB of block F_S_BO_1 in shutdown group 1 with input S_DB on block F_R_BO_1 in shutdown group 2.
Extract from a chart for shutdown group 2 with receive block:
See also: Monitoring times and system response times (Page 133)
Configuring the safety program 7.2 Creating the safety program 7.2.7 Data exchange between the F user program and standard user program The standard program and the F-program use different data formats. Accordingly, special conversion blocks have to be used for data exchange. Converting F-data types to standard data types If you need the standard user program to process data from the F-program further (for monitoring on the PCS 7 OS, for example), a block for F_FDatatype_Datatype data...
Configuring the safety program 7.2 Creating the safety program PCS 7 blocks such as MonAnL, MonDiL, EventMESSAGE and their associated faceplates and process symbols are used to visualize fail-safe analog values and status messages as well as system states and operating states. If parameters cannot be directly further interconnected due to the safety data format, the conversion blocks described above can be used.
You can use this entry in the diagnostic buffer to identify the F block with the invalid floating-point number (NaN). If you are not able to prevent these events from occurring in your safety program, you will need to decide, on the basis of your application, whether you wish to respond to them in your safety program.
You can find a detailed description of the F blocks in the help for the blocks, as well as in the "S7 F/FH Systems – Configuring and Programming" (https://support.industry.siemens.com/cs/ww/en/view/101509838) manual.
Configuring fail-safe AS-AS communication
Like standard communication, safety-related communication between the safety programs of F CPUs via S7 connections is implemented using connection tables in NetPro.
You can find instructions about how to create a specified communication connection between two multiprojects in the FAQ "How can data be sent with PCS 7 to an H-CPU which was not created in the same multiproject?" (https://support.industry.siemens.com/cs/ww/en/view/43033406).
Compendium Part B - Process Safety (V8.2) Operating Manual, 07/2016, A5E35031794-AB
Configuring the safety program 7.3 Configuring fail-safe AS-AS communication
7.3.2 Configuring F-communications blocks
The following fail-safe blocks are available for communication between safety programs on various CPUs:
Block | Description
F_SENDBO/F_RCVBO | Safe transmission of 20 F_BOOL data type parameters
F_SENDR/F_RCVR | Safe transmission of 20 F_REAL data type parameters
F_SDS_BO | Fail-safe sending of 32 F_BOOL data type objects to another F-CPU (F Systems V6.0 and high-...
Procedure
Follow the steps outlined below:
1. Add the send block (F_SENDBO/F_SENDR) to the safety program from which data is to be transmitted.
2. Add the receive block (F_RCVBO/F_RCVR) to the safety program to which data is to be transmitted.
Note
If the R_ID is not an uneven number, the following error message will appear when the CFC charts are compiled: "Module/connection with address/R_ID 16#0002/16#00000004 is being used by more than one block. [Assign a module/connection with this address/R_ID to no more than one block and use only uneven R_IDs.]"...
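The two rules behind the compiler message quoted above (only uneven R_IDs, and each address/R_ID used by no more than one block) can be checked before compilation. The following is an added Python example written for this page; it is not a Siemens tool or part of the manual. The block names, addresses and R_IDs are constructed, and keying uniqueness on the address/R_ID pair is an assumption taken from the shape of the message.

```python
"""Constructed pre-compilation check for F-communication block parameters.

Hypothetical helper (not Siemens code). It applies the two rules stated in
the CFC compiler message: an R_ID must be uneven, and one address/R_ID pair
may be used by at most one block.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: (block name, connection address, R_ID). Values invented.
SAMPLE_BLOCKS = [
    ("F_SENDBO_1", 0x0002, 0x00000001),
    ("F_SENDR_1",  0x0002, 0x00000003),
    ("F_SENDBO_2", 0x0002, 0x00000004),   # even R_ID: must be rejected
    ("F_SENDR_2",  0x0002, 0x00000003),   # duplicate of F_SENDR_1: must be rejected
    ("F_RCVBO_1",  0x0003, 0x00000005),   # same R_ID on another address: allowed (assumption)
]


def check_r_ids(blocks: List[Tuple[str, int, int]]) -> List[str]:
    """Return one finding per rule violation, worded like the compiler message."""
    findings: List[str] = []
    users: Dict[Tuple[int, int], List[str]] = defaultdict(list)
    for name, address, r_id in blocks:
        if r_id % 2 == 0:
            findings.append(
                f"{name}: R_ID 16#{r_id:08X} is not uneven; use only uneven R_IDs")
        users[(address, r_id)].append(name)
    for (address, r_id), names in users.items():
        if len(names) > 1:
            findings.append(
                f"Module/connection with address/R_ID 16#{address:04X}/16#{r_id:08X} "
                f"is being used by more than one block: {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for line in check_r_ids(SAMPLE_BLOCKS):
        print(line)
```

Running the block on the constructed sample reports exactly the two offending blocks; a clean list returns no findings.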
Configuring the safety program 7.4 F-STOP
F-STOP
In the event of an F-STOP, either the entire F program (full shutdown) or just the F-shutdown group in which the error occurred (partial shutdown) is shut down. All F-runtime groups in an F-shutdown group are shut down at the same time.
7.4.3 Parameter assignment for shutdown behavior
From S7 F Systems V6.0 with S7 F Systems Lib V1_3 and higher, the shutdown behavior in the event of an F-STOP is defined in the "Safety Program" dialog using the "Shutdown behavior"...
All F shutdown groups associated with a safety program are shut down the first time an error is detected in an F shutdown group. If you change the shutdown behavior, you must recompile the F program. This applies even if you have changed the shutdown behavior online in CFC.
If no errors are detected, the F CPU reconnects.
Note
You can find more information in the manual titled "SIMATIC Fault-tolerant Systems S7-400H" (https://support.industry.siemens.com/cs/ww/en/view/82478488).
If an error is detected, the previous master goes into FAULT mode (all LEDs on the affected CPU flash).
Configuring the safety program 7.5 F startup and (re)start protection
Error in both F CPUs: The safety program goes into F-STOP immediately.
7.4.6 Exiting an F-STOP
Run an F-startup as described in the following chapter.
F startup and (re)start protection
7.5.1 F-startup
S7 F-systems do not make a distinction between a CPU cold restart and a CPU warm...
F-output signals by resetting the flip-flop using the F-acknowledgment function (F_QUITES block).
Note
For more options when programming (re)start protection, please refer to the "SIMATIC Industrial Software S7 F/FH Systems – Configuring and Programming" (https://support.industry.siemens.com/cs/ww/en/view/101509838) manual.
Configuring the safety program 7.6 I/O access via F driver blocks
I/O access via F driver blocks
In S7 F-systems, F-signal modules are accessed via F-driver blocks and not via the process image. For this purpose, the following driver blocks are used in the program:
●...
Configuring the safety program 7.7 Passivation and reintegration of input/output channels
Passivation and reintegration of input/output channels
7.7.1 Passivation - general
Passivation means that in the event of an error, one or a number of channels on an F signal module are switched to a safe state.
7.7.2 Group passivation
If, during passivation of an F-I/O or a channel of an F-I/O, you wish to activate passivation of other F-I/Os, you can use the PASS_OUT output/PASS_ON input to perform group passivation of related F-I/Os.
7.7.3 Reintegration following elimination of errors
Reintegration means:
● Valid process values start to be output again at the output channels of the fail-safe output modules.
● The F-channel drivers associated with the fail-safe input modules resume the forwarding of valid process values to the safety program.
7.7.5 Programming reintegration following module errors or channel errors requiring acknowledgment
A value of 1 at the ACK_REQ output of the F-channel driver indicates that the error has been eliminated and user acknowledgment for reintegration is possible.
How to program user acknowledgment via an OS
1. Add the F_QUITES F-block to your safety program. You can access the acknowledgment signal for evaluation for user acknowledgments at the output OUT of F_QUITES.
2.
If an acknowledgment prompt is pending (ACK_REQ=1) the acknowledge field (yellow) and the "reset (6)" button will appear on the OS.
Procedure
1. Press the first acknowledge button, "reset (6)", to write the value 6 to the "IN" input of the F_QUITES block.
The second acknowledge button, "reset (9)", appears if the "Q" output of the F_QUITES block has been set. This output remains set for 60 seconds.
2. Press the second acknowledge button, "reset (9)", to write the value 9 to the "IN" input of the F_QUITES block. The "OUT" output of F_QUITES is set to 1 for one cycle and the F-channel drivers are reintegrated.
Result
If the value 6 is written to the "IN" input of the F_QUITES block, followed by the value 9 within 60 seconds, the "OUT" output of F_QUITES is set to 1 for one cycle. The F-channel drivers connected to this output (at the "ACK_REI"...
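The two-step acknowledgment just described (6 arms Q for 60 seconds, 9 within that window produces a one-cycle OUT pulse that drives ACK_REI on the F-channel drivers) is the kind of sequence that is worth simulating before it is wired up, because a wrong order or a late second step must produce no pulse. The following is an added Python model written for this page, not Siemens code and not the F_QUITES block itself. Everything not stated in the manual is an assumption and is marked as such in the code: that the pulse consumes the armed state, that writing 6 again restarts the window, and that the channel driver reintegrates as soon as it sees ACK_REI while ACK_REQ is 1.

```python
"""Constructed model of the F_QUITES two-step user acknowledgment.

Hypothetical Python model (not Siemens code): IN receives the values written
by the OS buttons, Q mirrors the 60 s arming window, and OUT is the
one-cycle pulse that reaches ACK_REI on the F-channel drivers.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ARM_VALUE = 6        # written by the "reset (6)" button
CONFIRM_VALUE = 9    # written by the "reset (9)" button
ARM_WINDOW_S = 60.0  # Q stays set for 60 seconds after the first step


@dataclass
class FQuitesModel:
    q_until: Optional[float] = None   # time at which Q drops; None = not armed

    def cycle(self, in_value: int, now: float) -> Tuple[int, int]:
        """Run one cycle at time `now`; return (Q, OUT) for this cycle."""
        # Q drops on its own once the 60 s window has elapsed.
        if self.q_until is not None and now > self.q_until:
            self.q_until = None
        out = 0
        if in_value == ARM_VALUE:
            # Assumption: a repeated 6 restarts the window.
            self.q_until = now + ARM_WINDOW_S
        elif in_value == CONFIRM_VALUE and self.q_until is not None:
            out = 1                  # OUT = 1 for exactly this cycle
            self.q_until = None      # assumption: the pulse consumes the armed state
        q = 1 if self.q_until is not None else 0
        return q, out


@dataclass
class ChannelDriverModel:
    """Minimal stand-in for an F-channel driver's ACK_REQ / ACK_REI handshake."""
    ack_req: int = 1          # 1: error eliminated, acknowledgment is possible
    passivated: bool = True

    def cycle(self, ack_rei: int) -> bool:
        # Assumption: reintegration happens in the cycle that sees ACK_REI=1.
        if self.passivated and self.ack_req and ack_rei:
            self.passivated = False
            self.ack_req = 0
        return not self.passivated   # True once reintegrated


def run_sequence(events: List[Tuple[float, int]]) -> List[Tuple[float, int, int, bool]]:
    """events: constructed (time_s, IN) pairs, one per cycle.
    Returns (time, Q, OUT, reintegrated) for every cycle."""
    quites = FQuitesModel()
    driver = ChannelDriverModel()
    trace = []
    for t, in_value in events:
        q, out = quites.cycle(in_value, t)
        reintegrated = driver.cycle(out)
        trace.append((t, q, out, reintegrated))
    return trace


def out_pulses(events: List[Tuple[float, int]]) -> int:
    """Number of cycles in which OUT was 1."""
    return sum(out for _, _, out, _ in run_sequence(events))


if __name__ == "__main__":
    # Constructed sequences: a correct acknowledgment and a second step that is too late.
    for t, q, out, reint in run_sequence([(0.0, 6), (1.0, 0), (10.0, 9), (11.0, 9)]):
        print(f"t={t:5.1f}s Q={q} OUT={out} reintegrated={reint}")
    print("late 9 pulses:", out_pulses([(0.0, 6), (70.0, 9)]))
```

In the correct sequence OUT is 1 in exactly one cycle and the driver leaves passivation; a 9 without a preceding 6, a 9 more than 60 seconds after the 6, or a repeated 9 after the pulse produce no further acknowledgment.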
Configuring the safety program 7.8 Compiling the F-program
Compiling the F-program
If an S7 program contains charts with F blocks, these will be compiled when the CFC charts are compiled. Measures for eliminating errors will also be expanded and additional safety-relevant checks carried out.
7.8.2 Parameterizing the maximum F cycle monitoring time
The F-CPU runs F-cycle time monitoring for every cyclic interrupt OB containing F-runtime groups. The first time the F-program is compiled, for each cyclic interrupt OB which contains an F-program you will be prompted to enter a value for the maximum cycle time (MAX_CYC) that may elapse between two calls of this cyclic interrupt OB.
7.8.3 Compiling the S7 program
During compilation, the S7 program is automatically expanded to include diagnostics drivers (contained in the @ system charts) and F-specific parts. F system blocks are stored in @F_xxxx charts.
Note
Placements, interconnections, and parameter assignments for F-system blocks completed automatically during the compilation process must not be changed.
Note
The CFC charts and runtime groups with fail-safe blocks appear in yellow and are marked "F" to distinguish them from standard charts.
Configuring the safety program 7.9 Safety mode and downloading the safety program
Safety mode and downloading the safety program
Safety mode of the safety program in the F-CPU can be temporarily deactivated and reactivated. This enables you to make changes to the safety program in RUN mode.
7.9.1 Information on safety mode
An S7-400 F/FH system containing a fail-safe program automatically goes into safety mode...
Preconditions for deactivating safety mode
● The CPU must be in the RUN state (mode switch in RUN or RUN-P).
● Safety mode must be activated.
Procedure
1. Select the CPU or its S7 program in the SIMATIC Manager.
2.
Please note the following when deactivating safety mode
Manual intervention in the safety mode of fail-safe systems requires particular care and attention.
● Any changes must be made in accordance with current change management guidelines.
●...
7.9.4 Downloading the safety program
After compilation, you can download the program. Depending on whether safety mode is activated or deactivated, you can download program changes as follows:
Download | AS in STOP | AS in RUN...
Procedure
To download the safety program, select the menu command "CPU > Download > Entire program" in the CFC editor. This will set the F CPU to STOP. To download changes made to the safety program, select the menu command "CPU >...
Configuring the safety program 7.10 Operating and changing safety-related parameters on a PCS 7 OS
7.10 Operating and changing safety-related parameters on a PCS 7 OS
Changes to fail-safe parameters on a PCS 7 OS can be made using the following options:
●...
Operator types for SDW
A transaction can only be performed by an individual operator who initiates, checks, and confirms the change. However, one transaction can be performed by two operators. The first operator initiates the change (initiator) and the second re-enters, checks, and confirms the value (confirmer).
For more details on SDW, please refer to the "SIMATIC Industrial Software S7 F/FH Systems – Configuring and Programming" (https://support.industry.siemens.com/cs/ww/en/view/101509838) manual. For more information on the structure of the @@PCS7Typicals.CFG file, refer to the WinCC Information System (Start > Simatic > WinCC > WinCC Information System in the contents under Options >...
7.10.2 F_QUITES
Using the "F_QUITES" F block, the OS can generate fail-safe pulses in the F program of the automation system. You can find an application example for F_QUITES in "Implementing F user acknowledgment in the OS", in Section Programming reintegration following module errors or channel errors requiring acknowledgment (Page 110).
Operator types for MOS
A transaction can only be performed by an individual operator who initiates, checks, and confirms the change. However, one transaction can be performed by two operators. The first operator initiates the change (initiator) and the second re-enters, checks, and confirms the value (confirmer).
At the "MODE" input of the "SWC_MOS" block, it is determined whether all three BOOL values can be activated at the same time ("Norestrictions"), or if just one ("MutualExclBypass") BOOL value can be activated in each case.
The CFC chart in this example shows how a REAL value is entered as a simulation value for an "F_CH_AI" block with the MOS function. The first BOOL value is used for the switchover of the "F_CH_AI"...
The Excel file "s7ftimea.xlsm" is used for the purpose of calculating the monitoring and response times below. You can find this file on the Internet by pointing your browser to the following link: (https://support.industry.siemens.com/cs/ww/en/view/22557362) The Excel file consists of the following sheets: ●...
Configuring the safety program 7.11 Monitoring times and system response times
● min. F-specific monitoring times
This sheet contains formulae for calculating minimum values:
– MAX_CYC: Maximum time between 2 calls of the cyclic interrupt OB with F-program
– PROFIsafe monitoring time: Maximum time between 2 frames from the master to the F-I/O.
PCS 7 Asset Management.
Note
You can find additional information on "CPU_RT" in the section "Family: @System" of the "SIMATIC Process Control System PCS 7 Basic Library" (https://support.industry.siemens.com/cs/ww/en/view/109738089) manual.
7.11.2 Calculating the F-cycle monitoring time (for block F_CYC_CO)
The F-CPU runs execution time monitoring for every cyclic interrupt OB (OB 30 - OB 38) containing F-runtime groups.
Procedure
The first time the F-program is compiled, you will be prompted to enter a value for the maximum cycle time (MAX_CYC) which may elapse between two calls to this cyclic interrupt OB.
To prevent monitoring from being triggered when no errors are present, MAX_CYC must be set higher than the T_CImax calculated for the corresponding cyclic interrupt OB.
● For non-redundant S7 F/FH systems:
–...
Parameter T is the same as the "Max. disabling time for priority classes > 15" parameter from the H parameters of the CPU. If the cyclic interrupt OB in which the F_CYC_CO block is called has been entered as a "cyclic interrupt OB with special handling", set "Yes"...
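What the F-cycle monitoring described in this section actually watches is the gap between two consecutive calls of the cyclic interrupt OB: a gap above MAX_CYC trips the monitoring, and a MAX_CYC set at or below the calculated T_CImax trips it even without an error. The following is an added Python model written for this page; it is not Siemens code and not the F_CYC_CO block. The OB call timestamps are constructed, and the 1 ms margin in suggest_max_cyc_ms is an assumption, since the manual only requires MAX_CYC to be higher than T_CImax.

```python
"""Constructed model of F-cycle time monitoring for one cyclic interrupt OB.

Hypothetical Python model (not Siemens code): the monitor sees the times at
which the OB was called and reports the first gap that exceeds MAX_CYC.
"""
from typing import List, Optional, Tuple


def max_call_interval_ms(call_times_ms: List[float]) -> float:
    """Largest gap between two consecutive OB calls; 0 if fewer than two calls."""
    gaps = [later - earlier for earlier, later in zip(call_times_ms, call_times_ms[1:])]
    return max(gaps) if gaps else 0.0


def check_f_cycle(call_times_ms: List[float], max_cyc_ms: float) -> Tuple[bool, Optional[int]]:
    """Return (f_stop, index): f_stop is True when the monitoring would trip,
    index is the call at which the overrun was detected (None when it never trips)."""
    for i in range(1, len(call_times_ms)):
        if call_times_ms[i] - call_times_ms[i - 1] > max_cyc_ms:
            return True, i
    return False, None


def suggest_max_cyc_ms(t_cimax_ms: float, margin_ms: float = 1.0) -> float:
    """MAX_CYC must be higher than T_CImax; the margin is an assumption of this model."""
    return t_cimax_ms + margin_ms


# Constructed sample: an OB nominally called every 100 ms, with one call delayed
# so that a single 250 ms gap appears.
SAMPLE_CALLS_MS = [0.0, 100.0, 200.0, 301.0, 551.0, 651.0]


if __name__ == "__main__":
    print("max interval:", max_call_interval_ms(SAMPLE_CALLS_MS), "ms")
    for max_cyc in (200.0, 300.0):
        tripped, at = check_f_cycle(SAMPLE_CALLS_MS, max_cyc)
        print(f"MAX_CYC={max_cyc} ms -> F-STOP={tripped} at call index {at}")
```

With MAX_CYC = 200 ms the constructed trace trips at the delayed call; with MAX_CYC = 300 ms it does not, which is the situation the text asks you to avoid in reverse: a MAX_CYC below the real worst-case interval produces an F-STOP without any fault.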
CiR function activated, in the "Properties" dialog of the CiR object created.
Note
For more information on CiR, refer to the "SIMATIC STEP7 V5.5 Modifying the System during Operation via CiR" (https://support.industry.siemens.com/cs/ww/en/view/45531308) manual.
7.11.3 Communication monitoring time for F CPU/F signal modules
Time monitoring of PROFIsafe or PROFINET communication is implemented in the F-signal modules and in the F-CPU using F-module drivers. The value is entered while assigning parameters for the F-signal modules in HW Config ...
The F-monitoring time must be calculated for the relevant variant of each F-signal module type or each device, and the values for the cyclic interrupt OB must be calculated as well. To do this, select the appropriate configuration variant and enter the parameters in the corresponding line.
When PROFINET IO is used, the following PROFINET network parameters are required:
Watchdog time of PROFINET IO devices. This can be found in the "IO cycle" tab in the properties of the PROFINET IO device. If no watchdog time is specified for the IO device, use three times the update time from the properties of the PROFINET IO system.
Parameters TR7, TR1/TR2, DP_FD, DP_SO
You can find the parameters in the properties of the PROFIBUS DP or PA master system by double-clicking the bus line. In HW Config, the following screens from which the relevant values can be taken are shown:
Parameter SLAVE_SO
SLAVE_SO depends on the IM used.
Parameter | DP master system: ET 200M with IM 153 | Switchover time | Configuration
SLAVE_SO | -2AA02 | 70 ms | Any configuration
SLAVE_SO | -2AB01 | 30 ms | Without F, FM, or HART modules
SLAVE_SO | -2Bx00 | 30 ms | Any configuration...
Parameter DPPA_L_DLY
● Additional delay time with a DP/PA coupler in a singular system
● Or additional delay time and switchover time due to a DP/PA link in the redundant system
Precondition | Switchover time | Switchover time with unchanged PA configuration...
The table is only intended as an example and does not include all ET 200iSP modules. You need to add the modules used as required. Existing standard modules in ET 200iSP must also be taken into account (see the manual "SIMATIC Distributed I/O ET 200iSP" (https://support.industry.siemens.com/cs/ww/en/view/98821323)).
Electronics module | Number of I/O bytes | Number of modules | Total I/O bytes
4 F-AI HART.
Parameter
You can find the maximum acknowledgment time of the F-signal modules in the corresponding data sheet for the I/O module concerned. The following table shows the max. acknowledgment time of selected F-signal groups:
Module | Acknowledgment time in safety mode
SM326;...
Module | Acknowledgment time in safety mode
EM 4 F-DO Ex 17.4V/40mA (6ES7138-7FD00-0AB0) | Max. 59 ms
EM 4 F-AI Ex HART | Typ. response time (when no errors present) = conversion cycle time × •...
7.11.4 Monitoring time for safety-related communication between F-CPUs
Introduction
Time monitoring of fail-safe communication between 2 F-CPUs is implemented in the send and receive blocks F_SENDR and F_RCVR or F_SENDBO and F_RCVBO with the same TIMEOUT monitoring time, which needs to be configured on both the send and receive blocks.
Parameters Delay1/Delay2
You can find these parameters in the H parameters within the CPU properties. The value should be taken from the transmitting or receiving CPU.
7.11.5 Monitoring communication between F-shutdown groups
Time monitoring is implemented in the F_R_BO or F_R_R F-FBs and configured at the "TIMEOUT" input parameter of the receive block. To prevent time monitoring from being triggered when no errors are present, the TIMEOUT monitoring time must be set to a value which is at least equal to the higher of the two maximum cyclic interrupt cycle times of F_S_R or F_S_BO and F_R_R or F_R_BO.
7.11.6 Response times of safety functions
Definition of response time
The response time is the time between the detection of an input signal and the changing of a linked output signal. The actual response time is always between a minimum and a maximum response time.
Input/Output
Depending on the hardware configuration of the system, 5 variants are possible here. In terms of the input and output, the variants are exactly the same, with the sole exception that the blocks for the output are in the reverse sequence to those for the input.
Parameter
You set the discrepancy time when 1oo2 (2v2) has been selected in the hardware configuration of the F-signal module. Enter 0 if:
● No 1oo2 (2v2) evaluation is performed on the module.
●...
Whether errors are present or not, the maximum response times depend on the type of module, and can be obtained from the following manuals:
• SIMATIC Automation System S7-300 ET 200M Distributed I/O Device Fail-safe Signal Modules (https://support.industry.siemens.com/cs/ww/en/view/19026151)
• Distributed I/O Distributed I/O device ET 200iSP – Fail-safe Module (https://support.industry.siemens.com/cs/ww/en/view/47357221)
F signal module | WCDT | OFDT
With 1oo2 (2v2): = 2 × conversion cycle time × filter + 2 × conversion cycle time + discrepancy time
E.g.: Interference frequency 50 Hz, •...
F signal module | WCDT | OFDT
Response time with 1oo1 evaluation (operation with and without errors)
• Response time = Internal processing time + Input delay + {Time for sensor test + start-up time of the sensor after sensor test}2)
Response time at 1oo2 (2v2) evaluation with discrepancy behavior = "provide 0 value"...
F signal module | WCDT | OFDT
Example calculation of the response time of EM 8 F-DI Ex NAMUR:
Parameter assignment:
• – 1oo2 (2v2) evaluation (equivalent or non-equivalent)
– Discrepancy behavior: Provide last valid value
–...
Other parameters
The remaining parameters have been discussed in the preceding parts of this section.
Processing in the 1st CPU / processing in the 2nd CPU
The processing in the 2nd CPU is optional. It involves the same variants as in the 1st CPU. There are 2 different variants:
●...
Note
You can find information on creating and configuring a Safety Matrix in the "SIMATIC Industrial Software Safety Matrix" (https://support.industry.siemens.com/cs/ww/en/view/100675874) manual.
Versioning
A Safety Matrix is determined by its version number, file version, and signature. Each time the matrix is saved, the file version changes along with the minor version number depending on the change made.
Configuration with Safety Matrix 8.1 Creating and configuring a Safety Matrix
Operator input
The operation of the Safety Matrix must be enabled in the CFC by a "1" signal at the EN_SWC input. This can be done by logic or interconnection to the input channel driver of a key switch.
Configuration with Safety Matrix 8.2 Documenting a Safety Matrix
Documenting a Safety Matrix
A Safety Matrix is documented via menu item "Options > Reports > Configuration Report". This displays all of the configurations in the matrix in a text file; they can then be printed or saved in this format.
Configuration with Safety Matrix 8.3 Organizing matrices into different shutdown groups
The starting point is the existing program, including the first matrix to have been compiled.
Inserting a new matrix in a new shutdown group
To insert a new matrix and assign it to a new shutdown group, proceed as outlined below.
1. Create a new matrix and, in the Safety Matrix engineering tool, for the matrix cycle time select a cyclic interrupt OB that is not in use and into which no matrices have yet been inserted.
4. Place the F_PSG_M block in the matrix chart to create the required shutdown group. Make sure to insert it at the end of the new matrix runtime group.
5.
7. Compile the S7 program. The compiler will create the newly generated shutdown group and the additional runtime groups @F_IN_<OBNr>_xx and @F_OUT_<OBNr>_xx.
Note
Please note that if the matrix CFC shutdown groups are subsequently moved or the safety program is subsequently divided into shutdown groups, the amount of additional effort may be considerable in terms of the change configuration work involved.
Configuration with Safety Matrix 8.4 Duplicating matrices
Duplicating matrices
In order to keep the same selected settings, such as SIF assignments (safety instrumented function groups), in another matrix, it is possible to duplicate the matrix template. To do this, proceed as follows:
1.
3. To import a template file of this kind, open the object properties of the matrix folder and go to the "Matrix" tab. You can use the "Import CEM" button to add the saved matrix template to a matrix folder.
Configuration with Safety Matrix 8.5 User authorizations for the Safety Matrix Viewer
User authorizations for the Safety Matrix Viewer
In the properties of the Safety Matrix in the Safety Matrix Engineering Tool, you can set up a separate user authorization for each action and assign it to selected users. Here, it is also possible to enter the authorization level for the initiator and confirmer for each OS operation.
Configuration with Safety Matrix 8.6 Interconnections between the matrix and safety program
Interconnections between the matrix and safety program
When establishing interconnections between the matrix and the remainder of the safety program, you must ensure that the interconnected blocks are all in the same shutdown group, or that the right communication blocks have been installed between the shutdown groups.
● @PCS7Typicals_S7FSMTX.PDL
The converted images should subsequently be stored in the root directory of the installation. You can find this in the installation directory of the Siemens software under: C:\...\Siemens\WinCC\Options\PDL\Faceplatedesigner_V6\
You can find further information in the section "Inserting the new safety matrix block icon in the PCS 7 OS"...
Changes, tracking changes, and acceptance
General information
Operational procedures
During maintenance work in or while making changes to a plant, the operational procedures must be followed at all times. Before changes can be made to safety-related parts of the plant or functions, a risk assessment relating to the change itself and how it is to be made must be carried out, particularly if it is to be made during operation.
Changes, tracking changes, and acceptance 9.2 Preparing for changes
Preparing for changes
Offline/online comparison
Before each CFC change, make sure that the offline and online programs are identical.
● To do this, open a chart from the AS in the CFC editor and switch to online mode.
●...
CPU utilization
Before making any changes, check the CPU utilization with regard to memory and cycle time. You can query how much memory has been allocated using the "Module Information..." function in the CPU.
●...
Changes, tracking changes, and acceptance 9.3 Changes in CFC
Checking the hardware before downloading
Before downloading the changes - and in particular, before downloading hardware configuration changes with HCiR - make sure that no errors are present in the system.
●...
Changes, tracking changes, and acceptance 9.4 Changes in HW Config
Function test
To test your functions, you can use S7-PLCSIM or, depending on your PCS 7 version, you can download your program to a real test AS. Use the "Load to test AS" function in both cases.
Changes, tracking changes, and acceptance 9.5 Downloading changes/Complete downloading
Downloading changes/Complete downloading
Standard program
In an S7-400 F/FH system with a safety and standard program, changes can be made in the standard program in exactly the same way as with a standard system. However, since the fail-safe program may also be affected by a program error in the standard program (e.g.
Changes, tracking changes, and acceptance 9.6 Tracking changes in the safety program
Program comparison
The "Version Cross Manager" can be used for the entire program as a tool for comparing two program versions, as well as for comparing the current project with a backed-up version of it.
● Chart view
Using the "Compare with" drop-down list box, you can determine which programs you intend to compare.
● If you have activated the "Program" option button, you will be able to select one of the following programs here:
Reference: Last reference saved for this program...
Changes, tracking changes, and acceptance 9.7 Printing program data
The signatures shown in the "Edit Safety Program" window do not need to match the signature in the AS. It may, for example, be possible that the most recent changes were compiled, but not downloaded and checked.
Activate the options shown above to print the safety program and the hardware. Before the hardware is printed, another dialog appears: Here, select the "All", "Module description", and "Address list" options.
You can find information on acceptance of a plant, changes, or F block types in the "SIMATIC Industrial Software S7 F/FH Systems - Configuring and Programming" (https://support.industry.siemens.com/cs/ww/en/view/101509838) manual.
Two checklists are available for system documentation purposes:
● "Process Safety – Configuration" checklist
This list is used for documenting the system design and the software and hardware settings of the automation system in use.
Industry Online Support App
The "Siemens Industry Online Support" app provides you with optimal support even when you are on the go. The app is available for Apple iOS, Android and Windows Phone: https://support.industry.siemens.com/cs/ww/en/sc/2067...
If you have any questions or need support, please contact your local representative, who will put you in contact with the responsible service center. You can find your contact partner in the contact database: www.siemens.com/yourcontact.