Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.
1 Introduction
The new controller generation SIMATIC S7-1200 and S7-1500 has an up-to-date system architecture and, together with TIA Portal, offers new and efficient programming and configuration options. If the programming is sloppy, the many options provided by STEP 7 can also produce negative results: ...
Programming guideline and styleguide
The recommendations given in the programming guideline and the programming styleguide always apply to programming safety programs. Programming Guideline for SIMATIC S7-1200/1500: https://support.industry.siemens.com/cs/ww/en/view/90885040 Programming Styleguide for SIMATIC S7-1200/1500: https://support.industry.siemens.com/cs/ww/en/view/109478084 This document is a supplement to the documents above and deals with special aspects of programming safety programs with STEP 7.
SIMATIC STEP 7 Reaction Time Table or go through various scenarios to select the suitable F-CPU: https://support.industry.siemens.com/cs/ww/en/view/93839056 Figure 2-1: Reaction time wizard of the SIMATIC STEP 7 Reaction Time Table...
2 Configuring Fail-Safe Controllers
The following figure shows the influence of the safety program's cycle time on the time that is available for processing the standard user program. Figure 2-2: Influence of the safety program's cycle time on the standard user program. Note: Please note that higher-priority organization blocks (e.g., cyclic interrupt OBs or motion control OBs) can interrupt the safety program in the same way as shown...
PROFIsafe address types
The PROFIsafe address is used to uniquely address F-I/O and protect standard addressing mechanisms such as IP addresses. Uniqueness is defined differently for F-I/O of PROFIsafe address type 1 and F-I/O of PROFIsafe address type 2. Table 2-1: Differences between the PROFIsafe address types (PROFIsafe address type 1 / PROFIsafe address type 2)...
1 in the CPU properties. Figure 2-3: Defining the address range for F-destination addresses. Additional information: For more information about PROFIsafe address types, visit Siemens Industry Online Support: What is the difference between the PROFIsafe address types 1 and 2 in relation to the uniqueness of the PROFIsafe address? https://support.industry.siemens.com/cs/ww/en/view/109479905...
Figure 2-4: Defining the password for the safety program. Once you have logged in with the password for the safety program, you can remove the access rights to the safety program as follows: Log out of Safety Administration ...
F-change history
F-change history acts like the standard user program's change history. In the project tree, "Common data > Logs", one F-change history is created for each F-CPU. F-change history logs the following: F-collective signature ...
Advantages: Ensures that the last change was loaded by comparing the online and offline status of the CRC. Which user changed or downloaded the safety program can be tracked in multi-user projects. Matching of online and offline status without an online connection between CPU and PG/PC.
Advantages Protects your know-how across contents of program parts. Accepted blocks cannot be modified. Additional information The following documentation provides instructions for using know-how protection for different scenarios: https://support.industry.siemens.com/cs/ww/en/view/109742314 Safety Programming Guideline Entry ID: 109750255, V1.0, 10/2017...
3 Methods for Safety Programming
Program structures
3.1.1 Defining a program structure
Recommendation: Modularly divide the program code, e.g., into subparts for detecting, evaluating and reacting, or into plant sections. In the preliminary stages, create a specification for each module (based on the risk assessment requirements).
Figure 3-1: Example of a program structure. Note: The structure shown here is an example. Depending on the size and complexity of the safety program, you can also choose a different structure. In smaller applications, it would, for example, also be possible to implement the logic and actuator control in a shared function block.
3.1.2 Call levels of F-FBs/F-FCs
For standard user programs, the number of call levels is limited depending on the CPU. For safety programs, you can use a maximum of eight call levels. A warning appears when this limit is exceeded and an error message is displayed for pure FC and multi-instance call chains.
Figure 3-2: Call sequence in the Main Safety. Advantages: The CPU always uses the latest values. Facilitates orientation in the Main Safety.
3.1.4 F-suitable PLC data type
For safety programs, too, it is possible to optimally structure data using PLC data types. F-suitable PLC data types have the following features: F-suitable PLC data types are declared and used in the same way as PLC data types.
Example: Figure 3-3: Access to I/O ranges with F-suitable PLC data types (figure labels: F-I/O, F-suitable PLC data type, PLC tag).
Block information and comments
General: In SIMATIC Safety, the Function Block Diagram (FBD) and Ladder Diagram (LAD) programming languages are available to you. Both languages provide the option to store block and network comments. Comments have no influence on the signature of F-FBs/F-FCs and can therefore also be edited after acceptance.
Functional identifiers of variables
Safety often uses the terms 'shutdown' or 'shutdown signals'. In practice, a safety function is described using this terminology: "When a safety door is opened, drive XY must be safely shut down." However, release signals are generally programmed in the technical implementation as a safety program.
True & False
Regarding the use of "TRUE" and "FALSE" signals in safety programs, there are two different use cases: actual parameters on blocks, and assignments on operations. Actual parameters on blocks: For S7-1200/1500 controllers, you can use the Boolean constants "FALSE" for "0" and "TRUE"...
(e.g., edge evaluation, time functions, acknowledgment, etc.). To this end, it is useful to create and reuse modular blocks. Siemens Industry Online Support provides block libraries you can use in your project, for example "LDrvSafe": https://support.industry.siemens.com/cs/ww/en/view/109485794...
3.5.2 Standardizing actuator control
Recommendation: Create a separate function block for each actuator type (e.g., contactors, valves, drives, etc.) that combines actuator control and the necessary auxiliary functions. Use this actuator block for other actuators of the same type. Create F-data types for complex actuators.
Programming logic operations
Tasks of the blocks: Generate release signals to control the safety-related actuators based on the relevant safety functions. Link the sensor enables, operating mode enables, etc. to the control signals of the actuators. Recommendation ...
Accessing global data
Recommendation: Connect global data (inputs, outputs, data blocks) at the highest block hierarchy level (Main Safety). Use the block interfaces to pass signals to lower levels. Advantages: Modular block concept ...
Data exchange between standard user program and safety program
The safety program's task is to execute all the functions that represent a risk-reducing action. All other operational functions and functions for operation and maintenance are part of the standard user program. In practice, information for the diagnostic and signaling concept is also generated in the safety program and operational information is also relevant to the safety program.
Advantages: Lean F-runtime group. Better overview of the exchanged data. Changes of the diagnostic and signaling concept in the standard user program do not affect the safety program's signature. Minimized risk of downtimes caused by data corruption due to write access to the safety program ...
3.9.2 Transferring operational information to the safety program
In many applications, it is essential that specific non-safety-related results of logic operations are transferred from the standard user program to the safety program. These are typically operational switch-on conditions (e.g., operational and fail-safe switching of a motor starter) or machine states for mode preselection.
3.9.4 Transferring HMI signals to the safety program
Human-machine interfaces (HMIs) are convenient, essential components in a machine operator's daily work. In order to use this convenience for operator control and monitoring of processes and plants even in safety-related applications, additional measures are required.
Communication between the HMI and the CPU is not safe. Transferring safety-related data requires measures that ensure the safe transfer. This application example shows a suitable safety concept: https://support.industry.siemens.com/cs/ww/en/view/67634251 Resetting safety functions: For resetting safety functions or acknowledging errors using an HMI, TIA Portal provides the "ACK_OP"...
3.10 Resetting functional switching
Safe actuators are frequently used for functional switching. The relevant safety standards require that resetting the safety function does not trigger a restart of the machine. When the safety function is triggered, functional switching must therefore be reset and a new switch-on signal must be required.
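A scan-by-scan model of this restart interlock, added here as an illustration and not part of the Siemens guideline or its libraries: the block and signal names (FunctionalSwitching, safety_ok, start_cmd, stop_cmd) are assumed for the example, and plain Python stands in for the FBD/LAD networks of an F-FB. It shows that after a safety trip the actuator stays off when the safety function is reset, until a fresh rising edge on the switch-on command arrives.

```python
from dataclasses import dataclass


@dataclass
class FunctionalSwitching:
    """State that would live in the F-FB's instance data (assumed names)."""
    run_request: bool = False     # latched functional switch-on state
    start_cmd_prev: bool = False  # memory for rising-edge detection

    def cycle(self, safety_ok: bool, start_cmd: bool, stop_cmd: bool) -> bool:
        """One scan cycle; returns the release for the actuator.
        safety_ok - release from the safety function (e.g. guard door closed)
        start_cmd - operational switch-on command (level signal)
        stop_cmd  - operational switch-off command
        """
        # Only a *new* switch-on signal (rising edge) may start the actuator.
        start_edge = start_cmd and not self.start_cmd_prev
        self.start_cmd_prev = start_cmd

        if not safety_ok or stop_cmd:
            # Safety trip (or stop) resets functional switching, so a later reset of the safety function cannot restart.
            self.run_request = False
        elif start_edge:
            self.run_request = True

        # Actuator release = safety release AND latched functional request.
        return safety_ok and self.run_request


def simulate(scenario):
    """Run a list of (safety_ok, start_cmd, stop_cmd) scans; return releases."""
    fb = FunctionalSwitching()
    return [fb.cycle(*inputs) for inputs in scenario]


# Constructed scenario: start, guard door opened (trip), door closed again with
# the start command still held high -> no restart; new start edge -> restart.
SCENARIO = [
    (True, False, False),  # idle
    (True, True, False),   # rising edge on start -> release
    (True, True, False),   # start held -> still released
    (False, True, False),  # safety function triggered -> release off
    (True, True, False),   # safety reset, start still held -> NO restart
    (True, False, False),  # operator releases the start button
    (True, True, False),   # new start edge -> release
]

if __name__ == "__main__":
    print(simulate(SCENARIO))  # [False, True, True, False, False, False, True]
```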
3.11 Reintegrating fail-safe I/O modules/channels
If the F-CPU detects an error relevant to safety, it passivates the relevant fail-safe channel or the entire module. Once the error has been corrected, the passivated channel must be reintegrated (depassivated). As long as a channel is passivated, it uses substitute values.
Generate the block in Safety Administration in the settings of the appropriate F-runtime group. Figure 3-17: Generating the block for global evaluation of F-I/Os.
3.11.2 Automatic reintegration
Depending on whether the respective module supports the "RIOforFA" standard (see Chapter 5), you can implement automatic reintegration in different ways. Automatic reintegration can lead to dangerous situations: whether automatic reintegration is permissible for a certain process depends on the risk assessment.
3.11.3 Manual reintegration
Global reintegration of all passivated F-modules: To reintegrate all passivated F-modules / F-channels of an F-runtime group, use the "ACK_GL" instruction. Figure 3-20: "ACK_GL" instruction. Separate reintegration of modules (or of a group of modules): In distributed plants, it may be required that only local reintegration is allowed (e.g., separate command devices on the control cabinet).
4 Optimizing Safety Programs
Optimizing the compilation duration and runtime
Introduction: Protection of the user program by coded processing is an important part of a safety program (see Chapter 5). The objective is to detect any data corruption in the safety program and thus prevent non-safe states.
Note: Depending on the application, it is not always possible to use all the suggestions. However, they show why certain programming methods cause shorter compilation and program runtimes than a non-optimized program. Determining the runtime: TIA Portal automatically creates a data block, "RTGxSysInfo", for each F-runtime group.
Recommendation: Where possible, avoid jumps in the safety program. Use state machines instead of jumps in FBs with binary logic. Figure 4-3: Avoiding jumps.
4.1.2 Timer blocks
Timers are an integral part of a safety program as many of the system functions such as "ESTOP1" internally use these timers. Despite this fact, generating a fail-safe time value requires considerable effort and regeneration for each single timer block.
Two drives are safely controlled with the same "LDrvSafe_CtrlT30SinaS" function block. The data is stored in multi-instances with unique names. Figure 4-4: Multi-instances. The "LDrvSafe" library for controlling the safety functions of SINAMICS drives is available in Industry Online Support: https://support.industry.siemens.com/cs/ww/en/view/109485794
Avoiding data corruption
The protection mechanisms within the scope of coded processing (see Chapter 5) cyclically analyze the program's execution for data corruption. In case of data corruption, a special system function block triggers an F-STOP of the CPU. The purpose of this mechanism is to detect influences such as EMC, defect components, etc.
Read / write standard data: Read / write access to the same standard data from the safety program is not allowed. Additional information: For more information and causes of data corruption, visit Siemens Industry Online Support: https://support.industry.siemens.com/cs/ww/en/view/19183712
5 Glossary
Coded processing: To meet the normative requirements in terms of redundancy and diversity, all SIMATIC F-CPUs use the "coded processing" principle. In coded processing, the safety program is processed twice by a single processor. To this end, the compiler generates a diverse (encoded) safety program that is referred to as the protection program.
STEP 7 Safety Basic and Advanced are STEP 7 option packages that allow you to configure F-CPUs and create a safety program. STEP 7 Safety Basic allows you to configure the fail-safe SIMATIC S7-1200 controllers. STEP 7 Safety Advanced allows you to configure all fail-safe SIMATIC controllers.
Technical Support Siemens Industry’s Technical Support offers you fast and competent support for any technical queries you may have, including numerous tailor-made offerings ranging from basic support to custom support contracts.
Table 6-1: Links and literature (topic: link)
Siemens Industry Online Support: https://support.industry.siemens.com
Link to the entry page of the application example: https://support.industry.siemens.com/cs/ww/en/view/109750255
Programming Guideline for SIMATIC S7-1200/1500: https://support.industry.siemens.com/cs/ww/en/view/90885040
Programming Styleguide for SIMATIC S7-1200/1500: https://support.industry.siemens.com/cs/ww/en/view/109478084
SIMATIC Industrial Software SIMATIC Safety – Configuring and Programming: https://support.industry.siemens.com/cs/ww/en/view/54110126
Topic page: "Safety Integrated –...