Safety Matrix - Internet
Contents
1. DIAG_V
   The information in output parameter DIAG_V of effect message block F_SE_AL is stored as follows:
   Bit 0 to Bit 7: (no assignment)
   Bit 8: PROFIsafe module failure, TAG1
   Bit 9: PROFIsafe module failure, TAG2
   Bit 10: PROFIsafe module failure, TAG3
   Bit 11: PROFIsafe module failure, TAG4
   Bit 12: Override timeout pre-alarm
   Bit 13 to Bit 16: (no assignment)
   Bit 17: SDF error (error in safety data format)
   Bit 18, Bit 19: (no assignment)
   Bit 20: Channel fault, TAG1
   Bit 21: Channel fault, TAG2
   Bit 22: Channel fault, TAG3
   Bit 23: Channel fault, TAG4
   Bit 24: Bad quality, TAG1
   Bit 25: Bad quality, TAG2
   Bit 26: Bad quality, TAG3
   Bit 27: Bad quality, TAG4
   Bit 28: Override cancelation due to new cause trip
   Bit 29: Override cancelation due to timeout
   Bit 30, Bit 31: (no assignment)
   Safety Matrix Configuration Manual, 02/2010, A5E00265325-03
   Configuring, 4.1 Overview of Configuring
   CH_STATx
   The information in output parameters CH_STAT1 to CH_STAT3 of effect message block F_SE_AL is stored as follows:
   Bit 0: QBAD
   Bit 1: QSIM inactive
   Bit 2: PASS_OUT error
   Bit 3: ACK_REQ
   Bit 4: PASS_ON
   Bit 5: Redundant module present
   Bit 6: PROFIsafe failure
   Bit 7: PROFIsafe module failure on redundant module
   Bit 8: QCHF_LL (analog tag only)
   Bit 9: QCHF_HL (analog tag only)
   Bit 10: QSUBS
   Bit 11 to Bit 15: (no assignment)
2. You can use the F block F_FBO_SM to create the output parameter channel status (CH_STAT) for the Safety Matrix. This output is required to integrate an F block type as a customer-specific F channel driver. When creating the block type, pay attention to the position of F_FBO_SM in the run sequence: this block must not be at the top position.
   The following information can be provided to the Safety Matrix by means of the channel status:
   - QBAD of the F channel drivers
   - QSIM of the F channel drivers
   - PASS_OUT of the F channel drivers
   - PROFIsafe error of the module driver
   Connections of the F block F_FBO_SM (Name, Data type, Description, Default):
   Inputs
   QBAD, F_BOOL, 1 = Process data invalid, FALSE
   QSIM, F_BOOL, 1 = Simulation active, FALSE
   PASS_OUT, F_BOOL, 1 = Passivation because of error, FALSE
   PS_ERR, F_BOOL, 1 = PROFIsafe communication error, FALSE
   Outputs
   CH_STAT, F_WORD, Channel status of Safety Matrix, W#16#0
   4.1.6 Message configuration
   4.1.6.1 Overview for configuring messages
   Message configuration for Safety Matrix and for individual causes and effects
   You can configure messages for the entire Safety Matrix as well as messages for individual causes and effects. Depending on the configuration, the following message blocks are positioned upon transfer to the project:
3. Procedure
   1. Double-click the desired cause (Value column), or click the Display tags button in the control bar for the selected cause.
   2. Click the Range button for the relevant input tag on the Ranges tab of the Display tags dialog box.
   3. To update the displayed values, click the Read button in the View tag range dialog box.
   4. Select the check box labeled Activate maintenance changes in the View tag range dialog box.
   5. Enter the desired value for the high or low range boundary in the respective New value field (maximum of 7 characters, including decimal space and sign).
   6. Click the Write button for the high or low range boundary.
   Result
   The data will be written to the relevant F channel drivers by means of a CFC online change. For this purpose you are prompted to deactivate safety mode.
   Note: Safety mode will not be reactivated until you switch out of online mode of the Safety Matrix.
   See also: Secure Write (Page 135)
   8.6 Events and messages
   The PCS 7 alarm logging allows alarms and operation messages triggered by the OS to be logged. The event log contains the last 100 messages of the Safety Matrix.
   8.6.1 Messages in the event log of the Safety Matrix
   Entries in the event log
   The Safety Matrix administers an event log in which details about the individual events and operations are logged. The event log can be output as text in the Sa
4. It is not possible to change from SafetyMatrix Lib V1_3 back to SafetyMatrix Lib V1_2.
   2.5 Upgrading to Safety Matrix V6.2
   Procedure
   1. Create a backup copy of the entire S7 project for comparison purposes before you install Safety Matrix V6.2.
   2. Install Safety Matrix V6.2 on the ES.
   3. Install Safety Matrix AS-OS Engineering on the ES, if necessary.
   4. Install Safety Matrix Viewer on the ES/OS, if necessary.
   5. Open the Safety Matrix and transfer it with the same transfer option settings that you have used for the last work. Accept the non-critical changes.
   6. Perform step 5 for all available Safety Matrices. Meanwhile, other CFC actions are not allowed.
   7. Compile the SIMATIC project.
   8. Using the Tools > Compare Programs menu command in the Safety Matrix Engineering Tool, compare the safety program with the backup copy from step 1. Following a successful upgrade, the following change is listed for each Safety Matrix: No differences found.
   9. Also compare the safety program with the backup copy. To do so, click the Compare button in the Customize safety program dialog box in SIMATIC Manager.
   Result of the comparison in step 9: No changes to the safety program.
   Measures after upgrading
   After a successful upgrade of the Safety Matrix the following measures must be taken:
   2. as described in section Introd
5. Table of contents
   8.6 Events and messages
   8.6.1 Messages in the event log of the Safety Matrix
   8.6.2 Operation messages of the Safety Matrix Viewer
   8.6.3 PCS 7 alarm signals in the WinCC alarm logging
   8.6.4 [title illegible in source]
   9 Documentation of a Safety Matrix
   9.1 Comparing Safety Matrices
   9.2 Comparing CFC charts
   9.3 Configuration report
   9.4 Validation report
   10 Acceptance test for a Safety Matrix
   11 Example parameter assignments
   11.1 Example parameter assignments for causes
6. A Secure Write transaction is not used for this operation.
   8.5 Operating
   Simulate value of a cause or effect tag
   You can simulate the value of a cause or effect tag in online mode of the Safety Matrix Engineering Tool or from the PCS 7 OS via the Safety Matrix Viewer.
   Note: In addition to the initiator and/or confirmer permission, operators on the PCS 7 OS must have the specified permission level for each operator function to be performed (CauseTagSimLevel or EffectTagSimLevel).
   Procedure
   1. Double-click the desired cause/effect (Value column), or click the Display tags button in the control bar for the selected cause/effect.
   2. Select the check box labeled Activate maintenance changes in the Values tab of the Display tags dialog box.
   3. Click the simulation Start button for the relevant tag.
      Result: A Secure Write transaction is started for starting the simulation. Either the currently pending process data or the configured simulation value is used as the simulation value, depending on your configuration.
   4. If you would like to change the value of the simulated tag, enter the desired value for the relevant tag in the Simulation value field (maximum of 7 characters, including decimal point and sign). For analog values, also make sure to comply with the range boundaries indicated. If you specify the simulation v
7. Inhibit configured
   M  Masking configured
   B  Soft bypass allowed
   H  Hard bypass configured
   N  Non-physical I/O tag configured (tag with prefix)
   P  Process data pass-through used
   A  Auto-acknowledge active cause used
   T  Timed cause configured
   4.2 Editing the properties of the Safety Matrix
   Size tab
   Show C/E notes: Shows the number(s) of the user notes that are assigned to this cause or effect. The comments corresponding to the numbers are displayed in the Notes information area to the right of the intersections.
   Show C/E SIL: Shows the SIL number (Safety Integrity Level) that is assigned to this cause or effect.
   Show First Out/SIF groups: Shows the first out and/or safety instrumented function groups (SIF) to which this cause or effect is assigned. The first out group is abbreviated as FO. For example, FO2 indicates that the cause belongs to first out group FO 2. The numbers of the safety groups appear after the first out group number. Example: FO3 5 17 44 indicates that this cause belongs to first out group FO 3 and safety-related function groups 5, 17 and 44.
   Show reset override tag: Shows the reset override tag that is assigned to the effect.
   Shows I/O physical address in view tags: After clicking the Display tags control bar button in online mode, shows the physical I/O address together with the symbol in the Display tags
8. - The Safety Matrix is a configuring tool for processes that require safety-related reactions to defined conditions.
   - With the Safety Matrix, a CFC safety program can be created for S7 F/FH Systems according to the rules of a cause-effect matrix.
   - The Safety Matrix is an integrated tool for all activities (maintenance, error handling and change management) during operation.
   1.1 What is the Safety Matrix
   Use in process control
   The figure below shows you the possible ways of integrating S7 F/FH Systems with the Safety Matrix into your process automation system with PCS 7.
   [Figure: system overview. Components shown: Operator Station (OS) with Safety Matrix Viewer, PC with Safety Matrix Engineering Tool (central engineering), PC with Safety Matrix Editor, shared matrix file (.cem), Server, Standard Ethernet / Industrial Ethernet or PROFIBUS, S7-400H and S7-400 with standard SMs and F-SMs, ET 200M, ET 200S and ET 200eco with standard modules, fail-safe DP standard slave (e.g. laser scanner, light array), fail-safe PA field device, F I/O module, DP/PA coupler.]
9. Advantages:
   - Safety program is unchanged, which means a CPU STOP is not necessary
   - Expanded engineering
   - Expanded functionality for operator control and monitoring
   - Use of different versions on one OS is possible
   Disadvantages:
   - Use of new features is limited
   - Modified safety program, which means a CPU STOP is necessary
   If you are aes the Safety Matrix to update the Safety oe you ca of the 60 and alarm respon e he Properties dialog of the Safety Matrix
   2.5 Upgrading to Safety Matrix V6.2
   2.5.2 Use case 1
   Objective: Update of the Safety Matrix Engineering Tool as well as the Safety Matrix library.
   Introduction: This use case helps you when migrating from Safety Matrix V5.2 to Safety Matrix V6.2.
   Requirements: A project has been compiled and downloaded (acceptance tested, if necessary). This project must contain the Failsafe Blocks V1_2 SP1 or higher of the F Library. You can verify this as follows:
   - Open the block folder of the program in the detail view in SIMATIC Manager.
   - In the Version Header column, 3.1 or higher must be specified for the following F channel drivers: F_CH_DI, F_CH_DO, F_CH_AI.
   No changes are allowed to be made offline that have not also been downloaded online.
   Consequences:
   - Changing the collective signature
   - Requires a complete download with C
10. 05 00 < 04 00
    DB_NUM_D: Added
    EV_ID: Deleted
    Changed system charts
    If you use the F library Failsafe Blocks V1_2, you will also get the following display in the Changed system charts section:
    In each OB with safety program: Block F_CycCo OBxx, F_TEST: Signature Changed
    If the comparison results from steps 11 or 12 include entries in addition to those listed, you must identify and evaluate the reason for the change, taking into account your specific system, and make the appropriate adjustments according to your requirements.
    Measures after upgrading
    After a successful upgrade of the Safety Matrix the following measures must be taken:
    1. After a successful gt change an be conducted as defined in section ix (Page 153). An additional function test is not sala or the listed under steps 11 and 12 as ge 28 in section Introducing the new Safety Matrix block icon into IA PCS 7 OS (Page 28).
    3. Compile and download the OS.
    4. Download the S7 program to the F-CPU.
    2.5 Upgrading to Safety Matrix V6.2
    2.5.4 Use case 3
    Objective: Update of the Safety Matrix Engineering Tool.
    Introduction: This use case helps you when migrating from Safety Matrix V6.1 to Safety Matrix V6.2 without update of the Safety Matrix library.
    Requirements: A project has been compiled and downloade
11. 2. Make sure that the Derive block icons from the plant hierarchy option is selected in the Block icons tab of the object properties for the relevant picture object. This is the default setting in PCS 7 V7 and higher.
    3. Highlight the OS object and select Compile in the context menu to compile the OS. For PCS 7 < V7: Make sure that the Generate/update block icons option is selected in the Compile OS wizard when selecting the data to be compiled and the scope of the compilation. This takes place automatically in PCS 7 V7 and higher.
    4. Click the Compile button in the last dialog of the Compile OS wizard.
    5. Repeat these steps for all projects.
    Result
    Once you have performed these steps, your project contains the new Safety Matrix block icon.
    3 Software user interface
    3.1 Inserting a new Safety Matrix
    Matrix object
    In a SIMATIC project, the cause-effect logic is stored in a Safety Matrix object, in which the logic is set up and transferred to a CFC chart in the form of function blocks. Each Safety Matrix object supports up to 128 causes and 128 effects, with a maximum of 1024 intersections. Depending on its memory capacity, one F-CPU can support several matrices.
    Adding a Safety Matrix object in a project
    1. ao
12. [Screenshot: Safety Matrix in Monitor mode. Menu bar: File, Edit, Monitor, View, Options, Window, Help. Columns: drivers, Input Tag, Values, Func, Limit, Trip, Cause descr, User 1, User 2. Example causes: Furnace Pressure. Status line: Monitor Matrix, 28.02.2008.]
    8.5 Operating
    Description of control bar functions
    Control bar functions (Function; User permission required on OS):
    View events: The event log enables the Safety Matrix to store event-related information, e.g. based on status changes of a cause and effect. A maximum of 100 events are logged in a circular log. This ensures that the latest events are always displayed. The View events function allows events of the Safety Matrix to be read from the F-CPU and displayed in the log window, including in the Safety Matrix Viewer. See the description of the status details for cause and effect with information on which user actions and diagnostic events are recorded.
    View status: The View status button is available if a cause or effect is selected. Click this button to open the Cause status or Effect status display window. This display window contains information about the selected cause or effect. See Chapter Status displays (Page 129).
    View tags: Click the View tags button to display a dialog box in which the values of cause or effect tags can
13. If you click a column in the effect configuration area of the Safety Matrix, the context menu provides the following functions for selection, according to whether the clicked column is empty or filled.
    Empty column:
    - Change effect (the Effect details: Effect x dialog box is opened)
    - Add column
    - Delete column
    Filled column:
    - Copy effect
    - Cut effect
    - Change effect (the Effect details: Effect x dialog box is opened)
    - Delete effect (the effect, i.e. the content of the column, is deleted, but the column is retained as an empty column)
    - Add column (an empty column is added and all effects to the right are shifted right one column)
    - Delete column (the current column is deleted and all effects to the right are shifted left one column)
    Note: With Add column, the last column of the Safety Matrix is always deleted. Therefore make sure that the last column is empty. If necessary, you must adapt the size of the Safety Matrix.
    Note: If Add column or Delete column is selected, the Safety Matrix Engineering Tool automatically selects the Chart Parameters transfer option of the Safety Matrix. Refer to Chapter Transferring the we on to the ape (Page 109).
    Note: Add column or Delete column can cause all of the columns to the right to be marked as changed in a subsequent matrix comparison. These columns must be tested in an
14. Inters xxxx: Added
    E_Trip_DB: Structure CHAR < BOOL
    CYC: Deleted
    Using the menu command Tools > Compare Programs and the configuration report, you can create a document about the unused ports.
    - One section for each F_Effect F-FB per Safety Matrix:
      Block MatrixName MatrixName Exx, F_Effect: Signature Changed; Interface Changed xxx <> xxx
      SM_VER: Value 16#0003 < 16#0001
      E_Trip_DB: Structure CHAR < BOOL
      E_Status_DB: Structure CHAR < BOOL
      DB_GROUP: Added
      MatrixSize: Value Not Interconnected < Interconnected MatrixName MatrixName MatrixName Size
      The following default parameters for the operation and monitoring or reporting:
      P_OVTM_xx: Added
      DB_NUM: Added
      CYC: Deleted
    - One section for the F_Matctl F-FB per Safety Matrix:
      Block MatrixName MatrixName MatrixName, F_Matctl: Signature Changed; Interface Changed xxx <> xxx
      SM_VER: Value 16#0003 < 16#0001
      C_Status_DB: Structure CHAR < BOOL
      E_Trip_DB: Structure CHAR < BOOL
      E_Status_DB: Structure CHAR < BOOL
      MatrixID: Value 16#xxxxxxxx < 16#xxxxxxxx
      TIME SWC: Added
      EN SWC: Added
      MatrixSig: Value Interconnected MatrixName MatrixSig < Not Interconnected (if necessary)
      Any CB: Added
      Any EB: Added
      Any CW: Added
      Any EW: Added
      CAct_Num: Added
      EAct_Num: Added
      DB_NUM: Added
      IntEvent: Added
      Size: Value Not Interconnected < Interconnected Matrix
15. Period after which a component must be forced to the fail-safe state, that is, it is either replaced with an unused component or is proven faultless.
    Switchover from fail-safe values (0) to process data (reintegration of an F I/O module) occurs automatically or, alternatively, only after user acknowledgment at the F channel driver. The reintegration method depends on the following:
    - Cause of passivation of the F I/O or channels of the F I/O
    - Parameter assignment for the F channel driver
    For an F I/O with inputs, the process values pending at the fail-safe inputs are provided again at the output of the F channel driver after reintegration. For an F I/O with outputs, the F System again transfers the output values pending at the input of the F channel driver to the fail-safe outputs.
    The S7-PLCSIM application enables you to execute and test your S7 program on a simulated automation system on your ES/OS. Because the simulation takes place entirely in STEP 7, you do not require any hardware (CPU, F-CPU, I/O).
    The basic principle of the safety concept in fail-safe systems is the existence of a safe state for all process variables. For digital F I/O, the safe state is always the value 0.
    Safety Integrity Level (SIL) in accordance with IEC 61508. The higher the Safety Integrity Level, the stricter the measures must be to prevent systematic errors and to prevent and remedy hardware failures. S7 F Systems can be used in safety mode up
16. SIMATIC project CPU
    - Compare two Safety Matrices based on generated charts
    - Monitor
    Opening the Safety Matrix Editor
    Select the Start > Programs > Siemens > SafetyMatrix Windows command.
    Creating a new Safety Matrix
    Select the File > New menu command. A dialog box is displayed prompting you to enter a name for the new Safety Matrix. By default, the new Safety Matrix is stored in directory C:\Siemens\SafetyMatrix. However, you can also select another file location.
    4.7 Safety Matrix Editor
    Opening an existing Safety Matrix
    1. Select File > Open.
    2. Navigate to the desired Safety Matrix file.
    3. Select the file and open it.
    Editing a Safety Matrix
    Once a Safety Matrix is opened for editing, configuring is performed in the Safety Matrix Editor in the same way as in the Safety Matrix Engineering Tool.
    Shared use of a Safety Matrix file
    The entire Safety Matrix is contained in the cause-effect matrix file (.cem). You can use the familiar system functions such as Move, Copy, etc., the same as with any file. The .cem file can be made available at a commonly accessible file location or sent to other users via e-mail. You cannot edit a Safety Matrix file simultaneously from two Safety Matrix Editors.
    See also: Importing a cause-effect matrix file (.cem) to a PCS 7 project (Page 103)
17. Bit 6: 3 = AND, 4 = OR, 6 = For note only
    Bit 7: Enable AnyInputTrip alarm
    Bit 8: 0 = Input trip on tag FALSE
    Bit 9: 1 = Input trip on tag TRUE
    Bit 10, Bit 11: (no assignment)
    Bit 12: Limit type (0 = low, 1 = high)
    Bit 13: (no assignment)
    Bit 14: Mutually exclusive tag simulation
    Bit 15: Cause used
    Bit 16, Bit 17: Input type (1 = discrete, 2 = analog)
    Bit 18 to Bit 20: Number of inputs (1 = 1 input, 2 = 2 inputs, 3 = 3 inputs)
    Bit 21 to Bit 23: Time (0 = No time manipulation, 1 = ON delay, 2 = OFF delay, 3 = Timed cause)
    Bit 24 to Bit 27: First out alarm group
    Bit 28: TAG1 External input
    Bit 29: TAG2 External input
    Bit 30: TAG3 External input
    Bit 31: (no assignment)
    STATE_V
    The information in output parameter STATE_V of cause message block F_SC_AL is stored as follows:
    Bit 0: Bypass active (bypass tag or soft bypass)
    Bit 1: Soft bypass active
    Bit 2: Acknowledged
    Bit 3: Logic operation result of tags = 1
    Bit 4: Trip TAG1
    Bit 5: Trip TAG2
    Bit 6: Trip TAG3
    Bit 7: (no assignment)
    Bit 8: Cause active
    Bit 9: Time manipulation active
    Bit 10: Inhibit tag active
    Bit 11: Hysteresis active
    Bit 12: TAG1 Simulation
    Bit 13: TAG2 Simulation
    Bit 14: TAG3 Simulation
    Bit 15 to Bit 19: (no assignment)
18. CONFIG_V
    STATE_V, DWORD: Effect status (see below, table STATE_V)
    DIAG_V, DWORD: Effect error (see below, table DIAG_V)
    OVERTM_W, DINT: Configured warning time for override timeout pre-alarm in ms; a warning is output when this value is exceeded
    OVERTM_V, DINT: Configured value for the maximum override time in ms
    DELAY_V, DINT: Configured value for the time manipulation for effect activation in ms
    TAG1_B, BOOL: Value TAG1 to be generated in the Safety Matrix
    TAG2_B, BOOL: Value TAG2 to be generated in the Safety Matrix
    TAG3_B, BOOL: Value TAG3 to be generated in the Safety Matrix
    TAG4_B, BOOL: Value TAG4 to be generated in the Safety Matrix
    ACK_REQ, BOOL: 1 = Acknowledgement request for override error
    ACTIVE, BOOL: 1 = Effect is activated, 0 = Effect is not activated
    ANY_BYP, BOOL: 1 if one of the following bypasses is active: hard bypass, soft bypass, simulation of a tag
    OK_RESET, BOOL: 1 = Acknowledgement request for Reset effect
    OVER_AL, BOOL: 1 if the configured warning time for override timeout (OVERTM_W) is exceeded
    ANY_DIAG, BOOL: 1 if diagnostic messages exist (DIAG_V not 0)
    CH_STAT1, WORD: If the tag is linked to a channel driver, the channel status is indicated here (TAG1; see below, table CH_STATx)
    CH_STAT2, WORD: If the tag is linked to a channel driver, the channel status is indicated here (TAG2; see below, table CH_STATx)
    CH_STAT3, WORD: If the tag is linked to a channel driver, the channel status is indicated here (TAG3; see below, table
19. Close, Print, Help
    9.3 Configuration report
    Overall representation of the complete configuration
    The configuration report contains the complete configuration of the Safety Matrix.
    Creating a configuration report
    Select the Options > Reports > Configuration report menu command. The configuration report is displayed in the log window.
    Detailed information
    The configuration report contains the following information:
    - Path to the S7 program to which the Safety Matrix belongs in the component view
    - Detailed information about all causes
    - Detailed information about all effects
    - Detailed information about all intersections
    - List of user notes
    - List of revisions
    - List of safety instrumented function groups (SIF)
    - List of significant properties of the Safety Matrix, including:
      - Size (number of rows and columns of the Safety Matrix)
      - Usage statistics for causes/effects/intersections (number of configured causes/effects/intersections)
      - Paths to Safety Matrix file, SIMATIC project, S7 program
      - Major and minor revisions
      - File revision
      - Cycle time
      - Task (OB)
      - Matrix signature
    Printout of the configuration report
    Print out the configuration report after completing the Safety Matrix and store it carefully. It is an integral component of the documentation for the acceptance te
20. [Timing diagram: effect with override. Traces for effect active/inactive, output tag TRUE/FALSE, bypass active and alarm; markers (1) to (6); Time < Maximum override time and Time > Maximum override time.]
    Alarm: Time-out when the effect is overridden; the alarm is cleared either via an operator input or through a restart of the override timer.
    (2) Override timer runs
    (5) Output delay timer runs
    - The effect becomes active as a result of an active cause. The output delay timer starts. After it expires, the output tag is also set (to FALSE if DTT, to TRUE if ETT).
    - (4) The output delay timer can be interrupted by the bypass.
    - (4, 5) The output delay timer is only started if the cause has become active or the override timer has been stopped while no bypass was active.
    - If the cause becomes inactive, the effect will also become inactive immediately. All timers are reset.
    - A rising edge of the reset override tag both starts and stops the override timer.
    - (3) The override timer is stopped as soon as the maximum override time has been reached.
    - (1) Activation of the bypass does not stop the override timer.
    - If the override timer is started and bypass is then activated, the override timer can be stopped again by a positive edge of the reset override tag.
    - The override timer cannot be activated if bypass is active.
21. further processing of the read driver signals in the CFC, in addition to processing in the Safety Matrix. For output tags, a chart output is created in the nested chart of the matrix logic for further processing of the effect in the CFC, in addition to output to the F channel drivers. If both the prefix and suffix are specified, the suffix will be removed during the transfer.
    - Option Channel driver, Used externally (prefix): If the input/output tag was already configured by another Safety Matrix or user logic, the transferred Safety Matrix generates an interconnection with the existing F channel driver. The Safety Matrix Engineering Tool automatically labels this type of interconnection (for example, with an existing F channel driver) with a prefix in the configuration field of the tag, and the Used externally check box is selected.
      Note: If, during the Safety Matrix transfer, the F channel driver of SIMATIC F modules containing the specified tag does not exist, the prefix is removed and the tag is treated as the internal Safety Matrix input/output tag. Likewise, the prefix will be added automatically during the transfer if the F channel driver already exists in another Safety Matrix.
    - Option Channel driver, Customer-specific (prefix): You can interconnect causes and effects with the signals o
22. Cause is tripped if (Function type; Limit type High/Low):
    Input type: Discrete
    Number of inputs: 1
    Normal: Input tag FALSE
    For note only: Never
    Number of inputs: 2
    AND: Both input tags FALSE
    OR: One of the two input tags FALSE
    For note only: Never
    Number of inputs: 3
    2oo3: At least two of three input tags FALSE
    AND: All three input tags FALSE
    OR: One of the three input tags FALSE
    For note only: Never
    4.3 Configuring the causes
    Input type: Analog
    Number of inputs: 1
    Normal, High: Cause is tripped if the input tag has exceeded the limit. The cause becomes inactive again only when the input tag falls below the limit minus hysteresis.
    Normal, Low: the input tag has fallen below the limit. The cause becomes inactive again only when the input tag exceeds the limit plus hysteresis.
    For note only: Never
    AND, High: both input tags have exceeded the limit. The cause becomes inactive again only when one of the two input tags falls below the limit minus hysteresis.
    AND, Low: both input tags have fallen below the limit. The cause becomes inactive again only when one of the two input tags exceeds the limit plus hysteresis.
    OR, High: one of the two input tags has exceeded the limit. The cause becomes inactive again only when both input tags fall below the limit minus hysteresis.
    OR, Low: one of the two input tags ha
23. you can choose whether an alarm is indicated as soon as one of the inputs satisfies the tripping criteria. By default, the alarm is disabled for discrete inputs and enabled for analog inputs.
    11.2 Example parameter assignments for effects
    11.2.1 Reset override
    Behavior on reset override of an effect as a function of the intersection configuration
    Reset override is carried out by means of an operator input via the button in online mode of the Safety Matrix Engineering Tool or in the Safety Matrix Viewer, or by setting and resetting the reset override tag. Reset override tag and maximum override time do not affect the effect.
    Reset override of an effect for intersection N (Not stored)
    Reset override is not relevant for effects with intersection N (Not stored).
    [Timing diagram: cause Active/Inactive, effect Active/Inactive for intersection N.]
    Reset override of an effect for intersection S (Stored)
    [Timing diagram: cause Active/Inactive, reset override tag TRUE/FALSE, effect Active/Inactive for intersection S.]
    - Reset acts on the effect only if the cause has become inactive.
    - Once the cause has become inactive, a reset is necessary in order to also deactivate the effect.
    - A rising edge is required for the reset.
24. 4.1.6 Message configuration
    4.1.6.1 Overview for configuring messages
    4.1.6.2 Safety Matrix message block F_MA_AL
    4.1.6.3 Cause message block F_SC_AL
    4.1.6.4 Effect message block F_SE_AL
    4.1.7 OS [remainder of title illegible in source]
    4.2 Editing the properties of the Safety Matrix
    4.2.1 Properties dialog box of the Safety Matrix
    4.2.2 Adjust dialog boxes
    4.2.3 Change tracking menu command
    4.3 Configuring the causes
    4.3.1 Overview for configuring the causes
    4.3.2 Creating/changing a cause and the rows for a cause
    4.3.3 Overview of the Ca
25. Status bar: The status bar of the Safety Matrix is different in online and offline modes:
- In offline mode the status bar contains an area for status display and an area for error display.
- In online mode the status bar contains an area for status display, an area for error display and additionally a date/time display.
Name of Safety Matrix must be unique
WARNING: Assign a unique name for each Safety Matrix. You must assign each Safety Matrix a name that is unique from all others in the system in order to provide adequate security for online communication during a Secure Write transaction.
3.2 Menu bar of the Safety Matrix
Overview of the menu bar: The menu bar of the Safety Matrix contains the following menu commands: File, Edit, Monitor, View, Options, Window, Help. The respective subcommands of the menu commands are explained below.
Note: All menu commands found in the Safety Matrix Engineering Tool are listed along with their subcommands. For information about restrictions in the range of functions in the Safety Matrix Editor, see Chapter Safety Matrix Editor.
File menu command: You use the commands in this menu to edit a Safety Matrix file before it becomes a Safety Matrix object in SIMATIC Manager. To u…
27. CH_STAT4 (WORD): If the tag is linked to a channel driver, the channel status is indicated here (TAG4); see Table CH_STATx.
ELAP_TM (DINT): Elapsed time of DELAY_V or OVERTM_V in ms, dependent on the active function: bit 9 of output parameter STATE_V TRUE → DELAY_V; bit 11 of STATE_V TRUE → OVERTM_V; see Table STATE_V.
CONFIG_V: The information in output parameter CONFIG_V of effect message block F_SE_AL is stored as follows:
Bit 0: –
Bit 1: Activates process data pass-through
Bit 2: Soft bypass allowed
Bit 3: –
Bits 4–7: Function type (1 = Normal, 3 = For note only)
Bits 8–9: 0 = if effect active, tag FALSE; 1 = if effect active, tag TRUE
Bits 10–14: Output delay
Bit 15: 0 = no override timeout pre-alarm trip; 1 = override timeout pre-alarm trip
Bits 16–21: –
Bit 22: Mutually exclusive tag simulation
Bit 23: Effect used
Bits 24–27: –
Bit 28: TAG1 external output
Bit 29: TAG2 external output
Bit 30: TAG3 external output
Bit 31: TAG4 external output
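As an added example (not from the manual and not Siemens code), the following Python decodes a CONFIG_V word into named flags and lists the settings an acceptance-test reviewer would want called out, since each of them lets an effect be suppressed, simulated or driven from outside the matrix. The single-bit flags follow the CONFIG_V table above; the widths of the multi-bit fields (function type, tag value when active, output delay) and the choice of flags to list for review are assumptions of this example. The STATE_V mapping for ELAP_TM follows the ELAP_TM description above.

```python
"""Decoder for the CONFIG_V output word of the F_SE_AL effect message block.

Added example, not Siemens code. Single-bit flags follow the CONFIG_V table;
the widths of the multi-bit fields are an assumption read from that table's
row grouping.
"""
from typing import Dict, List

# Single-bit flags: bit number -> name (from the CONFIG_V table)
CONFIG_V_FLAGS = {
    1: "process_data_pass_through",
    2: "soft_bypass_allowed",
    15: "override_timeout_pre_alarm_trip",
    22: "mutually_exclusive_tag_simulation",
    23: "effect_used",
    28: "tag1_external_output",
    29: "tag2_external_output",
    30: "tag3_external_output",
    31: "tag4_external_output",
}

# Assumed multi-bit fields: name -> (lowest bit, width in bits)
CONFIG_V_FIELDS = {
    "function_type": (4, 4),      # 1 = Normal, 3 = For note only
    "active_tag_value": (8, 2),   # 0 = tag FALSE when effect active, 1 = tag TRUE
    "output_delay": (10, 5),
}

FUNCTION_TYPE_NAMES = {1: "Normal", 3: "For note only"}

# Flags this example lists for review during the acceptance test (own choice).
REVIEW_FLAGS = (
    "soft_bypass_allowed",
    "process_data_pass_through",
    "mutually_exclusive_tag_simulation",
    "tag1_external_output",
    "tag2_external_output",
    "tag3_external_output",
    "tag4_external_output",
)


def decode_config_v(word: int) -> Dict[str, object]:
    """Split a 32-bit CONFIG_V DWORD into named flags and fields."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("CONFIG_V is a 32-bit DWORD")
    result: Dict[str, object] = {
        name: bool((word >> bit) & 1) for bit, name in CONFIG_V_FLAGS.items()
    }
    for name, (low, width) in CONFIG_V_FIELDS.items():
        result[name] = (word >> low) & ((1 << width) - 1)
    result["function_type_name"] = FUNCTION_TYPE_NAMES.get(
        result["function_type"], "unknown")
    return result


def review_findings(word: int) -> List[str]:
    """Names of the review-relevant flags that are set in this CONFIG_V word."""
    cfg = decode_config_v(word)
    return [name for name in REVIEW_FLAGS if cfg[name]]


def elapsed_time_source(state_v: int) -> str:
    """Which timer ELAP_TM refers to: STATE_V bit 9 -> DELAY_V, bit 11 -> OVERTM_V."""
    if (state_v >> 9) & 1:
        return "DELAY_V"
    if (state_v >> 11) & 1:
        return "OVERTM_V"
    return "none"
```

Run over the CONFIG_V values read from each F_SE_AL instance (for example via the OS or the CFC test mode), `review_findings` gives the per-effect list to compare against the approved configuration report.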
28. Highlight bars and intersection tool tip: If you click an intersection, the corresponding row and column will be highlighted in color and the cause and effect associated with the intersection will be shown in a tool tip.
Mark live values: Highlights the dynamic values in the F-CPU. These are represented in blue font on the user interface to contrast them with the assigned values.
Select the View > Customize > Layout menu command and open the Size tab. If the Safety Matrix no longer contains any empty rows for causes or columns for effects, you can increase the number of rows/columns in this dialog box. Number of causes/number of effects: The default entry is 16 causes/effects; this number can be increased to 128.
Note: If the size of the Safety Matrix has been changed, the Safety Matrix Engineering Tool automatically selects the Chart Parameters option for the transfer of the Safety Matrix. Refer to section Transferring the Safety Matrix to the project.
Customize Colors dialog box, General tab: Select the View > Customize > Colors menu command and open the General tab. The status of the causes, effects and intersections whose assignment is indicated in this dialog box is shown with various colored backgrounds in online mode of the Safety Matrix. You can change the color assigned…
29. 6.2 F-runtime group and run sequence
Runtime groups following a transfer: When the Safety Matrix is transferred to the project, two or three runtime groups are created:
- The F-blocks of all matrices are positioned in the common SafetyMatrixXX F-runtime group, in which XX stands for the number of the OB specified beforehand. This F-runtime group contains the transferred code. You must not make any changes here. Note: Make sure also that this F-runtime group is not changed by the CFC function Optimize run sequence. For this purpose, verify that the Optimization of run sequence check box is cleared in the properties dialog box for this F-runtime group.
- A standard runtime group m_SafetyMatrixXX of the respective OB is created for all Safety Matrices, and the standard blocks are placed there.
- A standard runtime group <Matrix name> is created for each Safety Matrix that has its own F-channel drivers.
Executable sequence: Each time the Safety Matrix is transferred, an executable sequence within the F-runtime group is ensured automatically. The run sequence is oriented to the data flow. If the run sequence was corrupted, e.g. by a faulty user intervention, this is corrected automatically during the next transfer, thereby producing an executable sequence again. This sequence has the following systematic…
30. Reset/override of an effect for intersection V (Overridable):
[Timing diagram: cause active/inactive; override timer start/stop; reset/override tag TRUE/FALSE; effect active/inactive; marks 1, 2, 3]
- Gray zone: override timer runs.
- 1: Time < maximum override time.
- 2: Time > maximum override time.
- 3: Alarm "Time-out" when the effect is overridden; the alarm is cleared either via an operator input or through a restart of the override timer.
- A rising edge of the override tag both starts and stops the override timer.
- The timer is automatically stopped as soon as the maximum override time has been reached.
- If the cause becomes inactive, the override timer is also stopped.
Reset/override of an effect for intersection R (Resettable and overridable):
[Timing diagram: cause active/inactive; override timer start/stop; reset; reset/override tag TRUE/FALSE; effect active/inactive; marks 1, 2, 3]
- Gray zone: override timer runs.
- 1: Time < maximum override time.
- 2: Time > maximum override time.
- 3: Alarm "Time-out" when the effect is overridden; the alarm is cleared ei…
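To make the timing diagrams for intersection types N and S (in the earlier example section on this page) and V and R (above) checkable, the following Python model is added here; it is not part of the manual and not Siemens code. It implements the rules stated in those sections: a rising edge of the reset/override tag is required; a stored effect can only be reset once the cause is inactive; for V and R a rising edge while the cause is active starts or stops the override timer; the timer stops when the cause goes inactive or when the maximum override time is reached, which raises the time-out alarm; a restart of the timer or an operator input clears the alarm. Output delay is left out. Cycle time is passed in as a millisecond timestamp, and the class and method names are this example's own.

```python
"""Cycle model of an effect's reset/override behaviour for intersection types N, S, V and R.

Added example, not Siemens code. Output delay is not modelled.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Effect:
    kind: str                       # intersection type: 'N', 'S', 'V' or 'R'
    max_override_ms: int = 0        # maximum override time; 0 = none configured
    active: bool = False            # effect active (before override is applied)
    override: bool = False          # override timer running
    timeout_alarm: bool = False     # "Time-out" alarm
    override_start: Optional[int] = None
    prev_tag: bool = False          # previous value of the reset/override tag

    def __post_init__(self) -> None:
        if self.kind not in ("N", "S", "V", "R"):
            raise ValueError("intersection type must be N, S, V or R")

    def ack_alarm(self) -> None:
        """Operator input that clears the time-out alarm."""
        self.timeout_alarm = False

    def step(self, cause: bool, tag: bool, now_ms: int) -> bool:
        """Evaluate one cycle; returns whether the effect acts on its outputs."""
        rising = tag and not self.prev_tag
        self.prev_tag = tag
        stored = self.kind in ("S", "R")
        overridable = self.kind in ("V", "R")

        if overridable:
            if rising and cause:
                if self.override:                  # a rising edge also stops the timer
                    self._stop_override()
                else:                              # ... or starts it
                    self.override, self.override_start = True, now_ms
                    self.timeout_alarm = False     # restarting the timer clears the alarm
            if self.override and not cause:        # cause inactive: timer is stopped
                self._stop_override()
            if (self.override and self.max_override_ms
                    and now_ms - self.override_start >= self.max_override_ms):
                self._stop_override()              # maximum override time reached
                self.timeout_alarm = True

        if cause:
            self.active = True                     # reset has no effect while the cause is active
        elif stored:
            if rising:                             # reset needs a rising edge once the cause is inactive
                self.active = False
        else:
            self.active = False                    # N and V: the effect follows the cause

        return self.active and not self.override

    def _stop_override(self) -> None:
        self.override, self.override_start = False, None


if __name__ == "__main__":
    # Constructed scenario: a V effect is overridden and runs into the maximum override time.
    v = Effect("V", max_override_ms=1000)
    for cause, tag, t in [(True, False, 0), (True, True, 100), (True, False, 500), (True, False, 1200)]:
        acts = v.step(cause, tag, t)
        print(f"t={t:>5} ms cause={cause!s:5} tag={tag!s:5} -> effect acts: {acts}"
              f"{' [time-out alarm]' if v.timeout_alarm else ''}")
```

The return value of `step` is what the output tag follows (before the Energize to trip polarity is applied); `override` and `timeout_alarm` correspond to the gray zone and to mark 3 in the diagrams.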
32. 1. Open SIMATIC Manager and select the component view.
2. Open the project in SIMATIC Manager.
3. Navigate to the S7 program folder in the project.
4. Right-click the S7 program folder and select Insert new object > Matrix folder. A new Safety Matrix folder named Matrices is created in the S7 program.
5. Right-click the Matrices folder and select the object properties of the matrix folder.
6. On the General tab you can assign a name (maximum of 24 characters), an author (maximum of 40 characters) and a comment (maximum of 254 characters) for the matrix folder.
7. Right-click the matrix folder and select Insert new object > Matrix.
8. Enter a name (up to 24 characters) for the Safety Matrix object. Make sure that the assigned name is unique from all others in the system. This entry is not case-sensitive.
Note: To copy a Safety Matrix, use the Safety Matrix Engineering Tool to save the existing Safety Matrix under a new name (File > Save as menu command) and then import it following the procedure outlined in Chapter Importing a cause/effect matrix file.
9. Double-click the Safety Matrix object in SIMATIC Manager.
Result: The Safety Matrix Engineering Tool opens the Safety Matrix. The following figure shows the user interface of a Safety Matrix with highlighted configuration and information areas.
[Figure: SIMATIC Safe…]
33. … active, and when it becomes active, is determined by the input tags, the function type and the options for the cause. The activation of an effect depends on the relationship to the causes defined by intersections and on the options for the effect. If an effect is active, the output tags are set to 0 or 1 depending on the Energize to trip option.
Category: Category as defined by EN 954-1. S7 F Systems can be used in →safety mode up to Category 4.
Cause: A cause represents a process event. The cause represents the trigger for activating an effect. Certain conditions must be fulfilled in order for the cause to become active and thus to trigger an effect defined by an intersection. Analog or discrete values can be selected as the input type. The values of at least one but no more than three input tags, together with the function type, represent a cause.
Channel fault: Channel-specific fault such as a wire break or a short circuit.
Collective signatures: Collective signatures uniquely identify a particular state of the →safety program. They are important for the preliminary acceptance test of the safety program, e.g. by experts.
CRC: Cyclic Redundancy Check; →CRC signature.
CRC signature: The validity of the process data in the →safety message frame, the accuracy of the assigned address references and the safety-related parameters …
34. … and shut off. In order to use this function, you must assign the individual causes and effects of the safety program to your safety instrumented function (SIF) groups. For information about how to do this, refer to section Cause details dialog box or Effect details dialog box.
Once you have created the safety instrumented function groups in the General tab of the Properties dialog and assigned them in the options of causes and effects, you can display one, several or all safety instrumented function groups. Proceed as follows:
- Click the SIF button and select the safety instrumented function group(s) that you would like to display. The causes and effects of all other safety instrumented function groups will be hidden, just the same as those causes and effects that are not assigned to any safety instrumented function group.
Or:
- Select the View > Customize > Layout menu command and select the Show FO/SIF groups check box in the General tab. Click OK to confirm. The Causes and Effects tables now display the Groups column, which shows which first-out (FO) alarm group and which safety instrumented function groups the individual causes and effects are assigned to.
Matrix cycle time (ms): This can be used to specify the cycle time of the CPU to which the Safety Matrix is transf…
35. … can manually create a bypass for maintenance purposes in the Viewer or in online mode of the Engineering Tool. This check box is cleared by default.
- Bypass tag: To open the Select I/O tag dialog box, click the I/O button. Here you can select a Boolean tag as a bypass tag (see Chapter Tags of the Safety Matrix). A bypass becomes active for the effect if the value of the bypass tag is TRUE. A bypass is normally created for maintenance purposes, e.g. for replacement of a sensor. In normal process mode you should use the Override function. If a bypass is active, an effect is deactivated although it should be active based on the other conditions (cause, intersection).
- Reset/override tag: To open the Select I/O tag dialog box, click the I/O button. Here you can select a Boolean tag as a reset/override tag (see Chapter Tags of the Safety Matrix). The effect can be overridden if intersection types V or R are used, or reset if intersection types S or R are used. The effect is reset if the reset/override tag undergoes a FALSE→TRUE transition. In the case of an override, the override status is switched on a FALSE→TRUE transition. See Chapter Intersection details dialog box, Configure tab for more details.
- Maximum override time: In this entry field you can enter the maximum time in seconds that the effect can remain in override status. If the conditions that tripped the effect are still present after expi…
36. … case you must rename the CFC chart before re-importing the matrix file in the S7 program Charts folder and then change the name back.
NOTICE: If you delete the existing CFC chart, any interconnections to the CFC chart of the Safety Matrix are also lost.
4.6 Importing/exporting a cause/effect matrix file
Procedure: To import the .cem matrix file to a SIMATIC project, follow these steps:
1. Start SIMATIC Manager.
2. Open the project into which the Safety Matrix is to be imported.
3. Select the Matrices folder in the S7 program and open the object properties.
4. Open the Matrix tab.
5. Click the Import CEM button.
6. Select the .cem file you want to import in the subsequent selection window.
Result: The imported Safety Matrix file appears in the Matrices folder and can be edited, transferred, compiled and downloaded like other Safety Matrices.
4.6.2 Exporting a cause/effect matrix file (.cem)
Procedure: To export the Safety Matrix to a .cem matrix file, follow these steps:
- Select the File > Save as menu command in the Safety Matrix Engineering Tool and enter the desired name and file location of the .cem file.
Or:
1. Start SIMATIC Manager.
2. Open the project that contains the Safety Matrix to be exported.
3. Select the matrix to be exported in the Matrices folder in the S7 program and right-click.
4. Select th…
37. … changes are being downloaded.
WARNING: Transfer with Chart Parameters option. A transfer with the Chart Parameters option always changes the F system collective signature, even if the Safety Matrix configuration was not changed.
Use imported channel drivers (IEA support) option: External F-channel drivers are F-channel drivers that were not placed by the Safety Matrix. In order for the Safety Matrix to interconnect external F-channel drivers as internal channel drivers, you must select the Use imported channel drivers (IEA support) option for the transfer of the Safety Matrix to the project. This is necessary in order for the Simulate tag function to also act on these external F-channel drivers. Likewise, reintegration of modules after errors that require acknowledgement from the Safety Matrix Viewer or in online mode of the Safety Matrix Engineering Tool via the Ack drivers button also incorporates these F-channel drivers.
Clean up nested chart connections option: During a transfer with the Clean up nested chart connections option selected, connections to the nested chart of the Safety Matrix that are no longer used internally are deleted. Note that the links that you have created to these connections of the nested chart of the Safety Matrix will be lost in this process.
38. … clients or on a virtual server system is expressly excluded.
Safety Matrix Engineering Tool: To operate the Safety Matrix Engineering Tool V6.2, you must have installed the following software packages on the ES:
- Supported operating systems: Windows XP SP2 or SP3; Windows 2003 Server SP1 or SP2 (each including R2).
- Required optional packages: S7 F Systems V5.2 SP1 or higher; Failsafe Blocks V1_2 or S7 F Systems Lib V1_3 (F-library); for offline testing S7-PLCSIM (dependent on the installed S7 F Systems version); Automation License Manager (ALM) V3.0 SP1 or higher.
- For use with PCS 7: PCS 7 V6.1 SP3, PCS 7 V7.0 SP3 or higher, or PCS 7 V7.1 HF1 or higher; Windows version corresponding to the PCS 7 version.
- For use without PCS 7: STEP 7 V5.4 SP3 or higher; CFC V7.0 SP1 or higher.
Safety Matrix Viewer: To operate the Safety Matrix Viewer V6.2, you must have installed the following software packages on the OS:
- Supported operating systems: Windows XP SP2 or SP3; Windows 2003 Server SP1 or SP2 (including R2).
- PCS 7 V6.1 SP3, PCS 7 V7.0 SP3 or higher, or PCS 7 V7.1 HF1 or higher.
- Automation License Manager (ALM) V3.0 SP1 or higher.
With Safety Matrix Viewer 6.2, operator control and monitoring of Safety Matrices of versions V5.2, V6.1 and V6.2 is possible.
Safety Matrix Editor: To operate the Safety Matrix Editor V6.2, you must have inst…
39. … convenient visual adaptation of the process control system to the task at hand.
Fail-safe systems: Fail-safe systems (F-Systems) are systems that remain in a →safe state or immediately switch to another safe state when particular failures occur.
Fault reaction function: →User safety function.
F-Block type: F-Block types are ready-made program sections that can be used in a CFC chart, e.g. fail-safe addition block F_LADD_R, fail-safe multiplexer F_MUX2_R, etc. Block instances are generated on insertion. Any number of block instances can be created from one F-Block type. The F-Block type specifies the characteristics (algorithm) for all applications of this type. The name of the F-Block type is specified in the symbol table.
F-Blocks: The following fail-safe blocks are designated as F-Blocks: blocks selected by the user from an F-Library; blocks that are automatically added in the →safety program.
F-CPU: An F-CPU is a central processing unit with fail-safe capability that is permitted for use in S7 F Systems. For S7 F Systems, the F-Runtime license allows the user to operate the central processing unit as an F-CPU, that is, a →safety program can be run on it. A →standard user program can also be run in the F-CPU.
F-Cycle time: Cyclic interrupt time for OBs with →F-Runtime groups.
F-Data type: The standard user program and the →safety program use different data formats. Safety-r…
40. … display and print out any discrepancies. See Chapter Comparing CFC charts.
Reports:
- Configuration report: creates a report containing the complete Safety Matrix configuration in the log window.
- Validation report: starts a validity check of the Safety Matrix and shows the results in the log window.
- Last report: opens the log window and places the cursor in the last report (configuration report, validation report, event log). This information is always overwritten by the latest actions. In the active log window, select the File > Save as menu command in order to save the displayed data.
Window menu command: Here you will find the customary Windows commands for displaying multiple windows and for displaying the currently opened Safety Matrices.
Help menu command:
- Content: Opens the content directory of the help system.
- User manual: Opens the PDF file of the user manual.
- About: Displays version information regarding the Safety Matrix program.
4 Configuring
4.1 Overview of Configuring
4.1.1 Basic procedure for creating the safety program
Introduction: Based on the well-established cause/effect method, the Safety Matrix allows simple configurati…
41. … for a cause.
Procedure for creating/changing a cause: In the cause configuration area of the Safety Matrix, double-click a row (empty or filled), or click the row and select Change cause in the context menu. The Cause details - Cause x dialog box is opened and you can create or change the cause.
Context menu in the cause configuration area of the Safety Matrix: If you click a row in the cause configuration area of the Safety Matrix, the context menu provides the following functions for selection, according to whether the clicked row is empty or filled.
Empty row:
- Change cause: the Cause details - Cause x dialog box is opened.
- Add row
- Delete row
Filled row:
- Copy cause
- Cut cause
- Change cause: the Cause details - Cause x dialog box is opened.
- Delete cause: the cause, i.e. the content of the row, is deleted, but the row is retained as an empty row.
- Add row: an empty row is added and all causes underneath are shifted down one row.
- Delete row: the current row is deleted and all causes underneath are shifted up one row.
Note: With Add row, the last row of the Safety Matrix is always deleted. Therefore make sure that the last row is empty. If necessary, you must adapt the size of the Safety Matrix.
Note: If Add row or Delete row is used, the Safety Matrix Engineering Tool automatically selects the Chart Parameters option for the transfer of the Safety Matrix. Refer to Chapter Transferring the Safety Matrix.
42. … configured duration of output delay.
- Gray zone: output delay timer runs.
- Once the cause has become inactive, a reset is necessary in order to also deactivate the effect.
- A rising edge is required for the reset.
- Reset has no effect as long as the cause is active or the output delay timer is running.
- 2: If the cause becomes inactive, the output delay timer is not stopped.
- 3: The reset can take place only after the output delay timer has expired.
Reset/override of an effect with output delay for intersection V (Overridable):
[Timing diagram: cause active/inactive; override timer start/stop; reset/override tag TRUE/FALSE; effect active/inactive; output TAG TRUE/FALSE; marks 1 to 6]
- 4, 5, 6: output delay timer runs.
- 1, 2: override timer runs.
- 1: Time < maximum override time.
- 2: Time > maximum override time.
- 3: Alarm "Time-out" when the effect is overridden; the alarm is cleared either via an operator input or through a restart of the override timer.
- 4: As soon as the effect becomes active, the output delay timer starts. After it expires, the output tag is then also changed.
- 5: The output delay timer is also started if the override…
43. … i.e. it cannot be opened in the CFC.
Transferring the Safety Matrix to the project: After complete configuration of a Safety Matrix, it must be saved and transferred to the project before it is compiled and downloaded to the F-CPU for execution.
Transferring the Safety Matrix to a project:
1. Select the File > Transfer menu command.
2. Optional: In the subsequent dialog box, select the Chart Parameters and/or Use imported channel drivers (IEA support) and/or Clean up nested chart connections transfer options.
3. Click OK to start the transfer operation.
4. Assign the generated Safety Matrix basic chart to a hierarchy folder in the plant hierarchy, moving it from the component view to the plant view. See the Process Control System PCS 7 Configuring Manual (http://support.automation.siemens.com/WW/view/en/24450116), section 7.5.10.
Perform steps 1 to 3 for each Safety Matrix to be transferred.
Transfer options: The Chart Parameters option clears the complete nested chart of the matrix logic (MatrixName) and creates a new one. This option is specified by the Safety Matrix Engineering Tool and cannot be deselected if:
- the size of the Safety Matrix was changed;
- a cause row or an effect column was inserted or deleted.
You also have the option of selecting Chart…
44. … input of the nested chart of the matrix logic for enabling Secure Write is set to TRUE and the time interval is configured. See Chapter Properties dialog box of the Safety Matrix.
- If operation is by means of the OS, you must prevent the OS user interface from being closed, as is customary in PCS 7, by blocking the key combination.
8.5 Operating
General information
Note: In Safety Matrix Viewer 6.2 you cannot perform operations that alter the safety program signature, which means the values for delta, limit and hysteresis cannot be changed. The corresponding dialog box is only available in the Safety Matrix Engineering Tool.
WARNING: The Secure Write functionality allows changes to the safety program to be made during RUN mode. As a result, the following safety measures are required:
- Make sure that changes that could compromise plant safety cannot be made. You can use the provided EN_SWC input for this purpose, for example by controlling it with a key-operated switch or on a process-specific basis via the safety program.
- Make sure that only authorized persons can make changes. In so doing, do not rely exclusively on the configured permissions in the block icon. Examples: control the EN_SWC input with a key-operated switch; set up access protection at operator stations where the Secure W…
45. … is created for each preprocessing. You can edit these nested charts, but they cannot be moved. Insertion of the function F⁻¹(x) enables you to work exclusively with the preprocessed values in the Safety Matrix. Thus, for example, when simulating you can specify values from the value range of the preprocessed signals. The F⁻¹(x) function back-calculates these and, as a result, the signals are available at the channel driver in the value range of the channel driver.
Note: The Templates folder of the SafetyMatrix_Lib V1_3 contains two preprocessing charts without any internal functionality, which you can copy and adapt as needed.
F-channel drivers
Integrating F-channel drivers into the Safety Matrix: Safety Matrix V6.2 offers you different options for integrating F-channel drivers into the Safety Matrix. The following table presents an overview of the methods you can use to achieve this (X = available in that Safety Matrix version):
Channel driver type | Integration | V5.2 | V6.1 | V6.2
F_CH_AI, F_CH_DI, F_CH_DO | Positioned and interconnected in the nested chart of the F-channel drivers upon transfer | X | X | X
F_CH_AI, F_CH_DI, F_CH_DO | Positioned in advance with the help of the Import/Export Assistant and interconnected upon transfer | – | X | X
F_CH_BI, F_CH_BO | Positioned in advance with the help of the Import/Export Assistant and interconnected upon transfer | – | X | X
F_CH…, F_PA… | Positioned in a…
46. … of the Safety Matrix. You create users and your own permission levels in the PCS 7 OS with the User Administrator editor.
Activating the OS: Activate the runtime system of the PCS 7 OS, for example by selecting the File > Activate menu command in WinCC Explorer. Once the WinCC Runtime system is activated, the hierarchy levels appear as buttons in the runtime system of the OS. Click the button to display the block icons for this level.
Deactivating the OS: Close the Safety Matrix Viewer before deactivating the runtime system of the OS. See also Chapter …
8.5.2 Secure Write
8.5.2.1 Transaction for Secure Write
What is a transaction for Secure Write? You perform a transaction for operation of a Safety Matrix via Secure Write in online mode of the Engineering Tool or on the OS by means of the Safety Matrix faceplate. The transaction consists of a sequence of operations that can be performed by one or two operators. The transaction must be completed within a time interval specified by the user (timeout). If the transaction is not completed within this time interval, it is automatically canceled.
Requirements:
- … and the F-CPU is …
- … downloaded to the OS.
- … permissions are set up (see Chapter Properties dialog box of the Safety Matrix).
- The EN_SWC …
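The following Python is an added example, not part of the manual and not Siemens code; it models the controls the manual names around a Secure Write transaction, both here and in the WARNING in the Operating section above: the EN_SWC enable input (for example driven by a key-operated switch), configured operator permissions, an optional second operator, and the user-defined timeout that cancels an unfinished transaction. The class and method names, the permission set, the rule that the confirmer must be a different person, and the begin/confirm/commit sequence are assumptions made for illustration.

```python
"""Model of the guards around a Secure Write transaction.

Added example, not Siemens code. Method names, the permission model and the
begin/confirm/commit sequence are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional, Set


class SecureWriteDenied(Exception):
    """Raised when a Secure Write operation is refused or the transaction is canceled."""


@dataclass
class SecureWriteGuard:
    timeout_ms: int                      # time interval within which the transaction must complete
    en_swc: bool = False                 # EN_SWC input of the matrix logic (e.g. key-operated switch)
    authorized: Set[str] = field(default_factory=set)   # assumed permission set of operator names
    two_operators: bool = False          # require confirmation by a second person
    operator: Optional[str] = None
    started_ms: Optional[int] = None
    confirmed: bool = False

    def begin(self, operator: str, now_ms: int) -> None:
        """First operation of the transaction; refused unless EN_SWC is TRUE and the operator is authorized."""
        if not self.en_swc:
            raise SecureWriteDenied("EN_SWC is FALSE: Secure Write is disabled")
        if operator not in self.authorized:
            raise SecureWriteDenied(f"{operator} lacks Secure Write permission")
        self.operator, self.started_ms, self.confirmed = operator, now_ms, False

    def confirm(self, confirmer: str, now_ms: int) -> None:
        """Second operator confirms (assumption: must be a different authorized person)."""
        self._require_open(now_ms)
        if confirmer not in self.authorized or confirmer == self.operator:
            raise SecureWriteDenied("confirmer must be another authorized operator")
        self.confirmed = True

    def commit(self, now_ms: int, apply_change: Callable[[], None]) -> bool:
        """Final operation: applies the change only if every guard still holds."""
        self._require_open(now_ms)
        if self.two_operators and not self.confirmed:
            raise SecureWriteDenied("transaction needs confirmation by a second operator")
        apply_change()
        self.cancel()
        return True

    def cancel(self) -> None:
        self.operator, self.started_ms, self.confirmed = None, None, False

    def _require_open(self, now_ms: int) -> None:
        if self.started_ms is None:
            raise SecureWriteDenied("no transaction in progress")
        if now_ms - self.started_ms > self.timeout_ms:
            self.cancel()                   # not completed in time: canceled automatically
            raise SecureWriteDenied("transaction timed out and was canceled")
        if not self.en_swc:
            self.cancel()                   # enable input withdrawn during the transaction
            raise SecureWriteDenied("EN_SWC went FALSE: transaction canceled")
```

The point of the layering is the one the WARNING makes: the OS-side permission check (`authorized`) is only one gate, and the change is still refused when the hardware enable is off or the transaction has aged past its timeout.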
47. … rules: 32 alphanumeric characters are permitted. See the following sections for more on this: Cause details dialog box, Configure tab; Effect details dialog box, Configure tab. If you fail to comply with this rule, errors will occur in the log window of the transfer and the message configuration will not be implemented.
4.1.6.2 Safety Matrix message block F_MA_AL
Additional information for further processing: Additional information for further processing is available in Safety Matrix message block F_MA_AL in the CFC. In addition, you can configure functions such as Disable alarms during power-up in the CFC.
Connections of Safety Matrix message block F_MA_AL:
Inputs:
- M_Name (STRING[16]): Matrix name
- MSG_LOCK (BOOL): 1 = Disable all alarms
Outputs:
- ACK_REQ (BOOL): Request for acknowledgement of channel drivers
- SM_CHG (BOOL): Change in the matrix signature or version information available (for one cycle only)
- MatrixSIG (DWORD): Matrix signature
- MtxVersion (STRING[20]): Permanent revision of the Safety Matrix Library
- MajorRev (INT): Major revision of the configured matrix
- MinorRev (INT): Minor revision of the configured matrix
- Any_CA (BOOL): 1 = A cause in the matrix is active; 0 = No cause is active
- Any_EA (BOOL): 1 = An effect in the matrix is ac…
48. … setting for each OB. Modified F-blocks contain the name of the modified Safety Matrix.
Identify the changes in the tag pre-processing: The pre-processing of a tag is performed in the chart PP_<TAG name> in PP_Chart of <Matrix name>.
2. Compare the modified Safety Matrices one after the other as follows:
- comparison in the Compare programs dialog box of the Safety Matrix (see section Comparing CFC charts);
- Compare matrix with > Matrix menu command (see section Comparing Safety Matrices).
3. Inspect the changes in the printout: Create a configuration report for each matrix and inspect it (see section Configuration report). Check that all information is complete and conforms to the desired configuration; for example, check the configuration of times and check for unintended interconnections.
4. Download your modified safety program to the F-CPU.
5. Perform a function test of your changes. If both comparisons performed in step 2 yield matching results and list only those changes that you have made in the Safety Matrix, you only have to test these changes. If the two comparisons list additional changes, or if the changes identified by the two comparisons differ, you must test the entire Safety Matrix.
structure. Run sequence with preprocessing:
1. Input channel driver
2. Preprocessing
3. F-blocks of the Safety Matrix
4. Output channel driver
Make sure that the run sequence of the blocks used in the pre-processing is correct.
Note: You must not change the sequence of the Safety Matrix runtime groups. You must not change the sequence of the blocks in the Safety Matrix runtime groups. Failure to comply with these instructions will result in an F-STOP or a safety program reaction in a subsequent cycle.

6.3 Notes for working with CFC
F-blocks appear in the CFC chart highlighted in color. They are highlighted in yellow to indicate that a safety program is involved. CFC charts and F-runtime groups with F-blocks are yellow and marked with an "F" in order to distinguish them from the charts and runtime groups of the standard user program.
Optimizing the length of the code area
If the following error message appears when compiling in CFC: "F: Maximum code area length (max. 64 kbytes) has been reached", you must reduce the size of the F-runtime group of the Safety Matrix. You have two different configuration options:
- Move each Safety Matrix to its own F-runtime group. Proceed as follows: move all blocks of a Safety Matrix basic chart into a newly created F-runtime group in the run view o
the message block F_MA_AL: once for the Safety Matrix; the message block F_SC_AL: n times, once for each individual cause; the message block F_SE_AL: n times, once for each individual effect.
There are different alarm profiles for:
- Messages of individual causes: there are three pre-defined alarm profiles for causes: Standard, Sequential, Energized.
- Messages of individual effects: there are two pre-defined alarm profiles for effects: Standard, Sequential.
- Messages of the Safety Matrix: group messages (linking of the statuses of all message blocks of causes and effects).
You can configure these alarm profiles as follows: enable individual messages; change message classes; change priorities of message classes; specify the acknowledgement request.

Connections of message blocks
Additional information for additional processing is available for the message blocks in the CFC. In addition, you can configure functions such as "Disable alarms during power-up" in the CFC. See the following sections for more on this: Safety Matrix message block F_MA_AL (Page); Cause message block F_SC_AL (Page); Effect message block F_SE_AL (Page).

Syntax rules for message configuration
If messages for causes and effects are configured, the respective cause/effect description is included in the message text. Therefore, keep to the syntax
to a particular cause. For example, if three sensors are used to monitor a single process point, the value 3 should be selected.
Function type: The function type defines the conditions under which a cause becomes active. An entry in this field is mandatory. Note: The function type results in a trip command, which can be influenced by further settings in the Options tab of the Cause details dialog box.
Alarm profile: An alarm profile is assigned to each cause. You can configure the alarm profiles for the causes and effects (see section Cause details dialog box, Alarms tab, Page 91). The alarm profile selection determines the color representation in online mode and, if applicable, the cause messages issued:
- Standard: Standard alarm profile is set (default)
- Sequential: Sequential alarm profile is set
- Energized: Energized alarm profile is set
Configuration (input tag / cause): DTT: input tag 0 = cause Active, 1 = Inactive; ETT: input tag 1 = cause Active, 0 = Inactive. Dependent on the configured function type and the bypass, inhibit and time options. Refer also to section Overview for configuring the causes (Page 82).

4.3.5 Cause details dialog box, Analog parameters tab
Analog parameters tab
Field | Description
Limit | The value entered in this field is used to define whether the ca
to a status or alarm profile and the color of the text. Changes made or differences in offline mode are indicated by red text by default. Dynamic values are displayed in blue if the "Mark live values" check box is selected in the Customize Layout dialog box, General tab. You can also change the assigned text colors. With the PCS 7 button, you can adopt the PCS 7 color conventions for the Safety Matrix colors. The Reset button enables you to restore the default setting of the Safety Matrix.
WARNING: Assigning colors. The assignment of colors must comply with all relevant application-specific standards and be appropriate for your application.

4.2.3 Change tracking menu command
Handling changes
You can specify how the Safety Matrix handles changes. Select the Tools > Track changes > Accept changes menu command. The "Tracked changes: <Matrix name>" dialog box is opened. Specify which type of changes you want to accept:
- Critical changes: these are program-related changes, e.g. to the number of rows or columns in the Safety Matrix.
- Noncritical changes: these are formal changes, e.g. to user notes or display functions.
To assist you, you are given the opportunity to check the log. To do so, click the Show details button.
Saving changes
You can specify how changes in the Safety Matrix will be handled when carrying out a Save or Save as operation. Select the Tools > Track changes
to the ... (Page 1).
Note: Add row or Delete row can cause all of the rows underneath to be marked as changed in a subsequent matrix comparison. These rows must be tested in an acceptance test. To avoid this:
- Always add additional causes at the end.
- Cut, add, copy or delete content only, and not whole rows.
- Avoid changing the size of the Safety Matrix.

4.3.3 Overview of the "Cause details: Cause x" dialog box
Procedure for configuring a cause
In the cause configuration area of the Safety Matrix, double-click a row (empty or filled), or click the row and select Change in the context menu. The "Cause details: Cause x" dialog box is opened.
Cause x: Each cause is assigned a unique number within the Safety Matrix. This assignment occurs automatically on the basis of the selected row. The cause number cannot be changed.
Dialog box for configuring a cause
The dialog box for configuring a cause contains the following tabs:
- Configure
- Options
- Alarms
If you select Analog as the input type in the Configure tab, an additional tab is added:
- Analog parameters

4.3.4 Cause details dialog box, Configure tab
Configure tab
Field | Description
Descr | Alphanumeric des
xxx <> xxx; SM_VER: Value 16#0003 < 16#0002; DB_GROUP: Added. The following default parameters for the operation and monitoring or reporting: P_LIMV_xx Added; VMODx_R_yy Added; VMODx_B_yy Added; DB_NUM Added; Reserve Deleted.
- One section for the F_Inters F-FB per Safety Matrix. Block MatrixName, MatrixName_Inters (F_Inters): Signature Changed; Interface Changed xxx <> xxx; SM_VER Value 16#0003 < 16#0002; Inters_xxxx Added. Using the menu command Tools > Compare Programs and the configuration report, you can create a document about the unused ports.
- One section for each F_Effect F-FB per Safety Matrix. Block MatrixName, MatrixName_Exx (F_Effect): Signature Changed; Interface Changed xxx <> xxx; SM_VER Value 16#0003 < 16#0002; DB_GROUP Added. The following default parameters for the operation and monitoring or reporting: P_OVTM_xx Added; DB_NUM Added.
- One section for the F_Matctl F-FB per Safety Matrix. Block MatrixName, MatrixName, MatrixName (F_Matctl): Signature Changed; Interface Changed xxx <> xxx; SM_VER Value 16#0003 < 16#0002; Any_CB Added; Any_EB Added; Any_CW Added; Any_EW Added; CAct_Num Added; EAct_Num Added; DB_NUM Added; IntEvent Added; Size Value Not Interconnected < Interconnected; MtxVersion Value
Function | Description | Default user level
Effect tag simulation value | Permission level for specifying an effect tag simulation value | 6
Clear events | Permission level for clearing events | 5
Driver acknowledgement | Permission level for acknowledging (reintegrating) a channel driver | 5
For initiator and confirmer permissions, permission level 0 (Superuser) is the default setting. The 2-operator scenario is activated if different permission levels are entered for initiator and confirmer.
Note: You change the permission level for group acknowledgement of alarms directly in the block icon of the Safety Matrix (see section Opening the Safety Matrix Viewer, Page 125).

4.2.2 Adjust dialog boxes
Customize Layout dialog box, General tab
Select the View > Customize > Layout menu command. Open the General tab. If you select the check boxes in this tab, the settings made for causes (C) or effects (E) in the Safety Matrix will be displayed in additional columns shown in the Causes and Effects tables.
Show C/E options: Shows the specified options for causes (C) or effects (E). The following list explains the abbreviations that may appear in the additionally displayed columns. This list is also shown in the information area below the intersections in the Safety Matrix.
D: Delay configured
3 and Transferring the Safety Matrix to the project (Page 109).

Alarms tab
Alarm blocks
Refresh time field: Here you can specify the time in minutes for the cyclic repetition of bypass and inhibit messages. If the message is still pending after this time, it is reported in one cycle as outgoing and then again as incoming. The default setting for this time is 8 hours. If you assign the time as 0, there is no cyclic repetition.
Positioning of cause and effect check box: You must select this check box if you want to enable messages for individual causes and effects (F_SC_AL and F_SE_AL message blocks). This selection is the requirement for having the Alarms tab displayed in the Cause details or Effect details dialog box, where you position the cause or effect ...
Positioning of matrix check box: You must select this check box if you want to enable messages for the Safety Matrix message block F_MA_AL. Proceed as follows:
- If necessary, assign the message block for the Safety Matrix to a plant hierarchy in the Chart assignment field. Click the associated button to open a browser for this purpose.
- Select the Enable matrix messages check box to enable these messages collectively. Click the associated button to open the dialog box for configuring th
Access protection
Purpose and mode of operation
Access protection protects S7 F/FH Systems from unauthorized access, such as undesirable downloads to the F-CPU from the Engineering System (ES). In addition to the password for the F-CPU, you need an additional password for the safety program for S7 F/FH Systems. The table below provides information about the password for the F-CPU and the password for the safety program.

Password for F-CPU
- Password assignment: In HW Config during configuration of the F-CPU, in the Protection tab of the Properties dialog box.
- Password requested when: Downloading the entire S7 program from the Safety Matrix Engineering Tool; Downloading changes in the safety program from the Safety Matrix Engineering Tool.
- Password validity: Access permission is valid until it is explicitly canceled using the corresponding function of SIMATIC Manager with the PLC > Access Permission > Cancel menu command, or until you close the last STEP 7 application. Access permission can become invalid if the hardware configuration of the F-CPU is changed and downloaded.

Password for safety program
- Password assignment: In SIMATIC Manager, Options > Edit Safety Program menu command.
- Password requested when: Saving critical changes in a Safety Matrix; Transferring a Safety Matrix to the safety program; Compiling changes to the safety program; Downloading changes t
Additional information can be obtained from the corresponding F channel driver.
See also: Safety Matrix message block F_MA_AL (Page); Cause message block F_SC_AL (Page).

4.1.7 OS interface
Requirements for generating block icons
To generate the block icons for the Safety Matrix, the message blocks must be configured appropriately and the Safety Matrix must be transferred with the Position alarm blocks option selected:
- On the Alarms tab of the Properties dialog box for the Safety Matrix (see chapter Properties dialog box of the Safety Matrix, Page 74)
- On the Alarms tab ... (see chapter ...)
- On the Alarms tab ... (see chapter ...)
- On the Options tab of the Transfer to project dialog box (see chapter Transferring the Safety Matrix to the project, Page 109)
User permissions
The user permissions, such as for alarm acknowledgement in the PCS 7 OS, are configured in the Properties dialog box for the Safety Matrix (see chapter Properties dialog box of the Safety Matrix, Page 74). In V6.2 and higher, a permission for group acknowledgement is available in the block icon of the Safety Matrix (see chapter Opening the Safety Matrix Viewer faceplates, Page 125).

4.2 Editing the properties of the Safety Matrix
4.2.1 Editing the properties of the Safety Matrix
P
An F-Startup is a restart following an F-STOP or an F-CPU STOP. S7 F Systems do not distinguish between a cold restart and a warm restart of the F-CPU.
Fail-safe systems
Inactive: A cause or effect can be inactive, which means that the conditions for activation are not fulfilled. Whether or not the cause is inactive is determined by the input tags, the function type and the options for the cause. The deactivation of an effect depends on the relationship defined by intersections to the causes and on the options for the effect. If an effect is inactive, the output tags are set to 0 or 1, depending on the "Energize to trip" option.
Initiator / confirmer: If the operation of a Safety Matrix is to be transacted by two operators, create two users:
- The initiator starts the Safety Matrix operation via Secure Write. This user must have the permission assigned to the InitiatorLevel attribute in the properties for the block icon. However, the initiator does not have permission to confirm the operation.
- The confirmer verifies and confirms the operation. This user must have the permission assigned to the ConfirmerLevel attribute in the properties for the block icon. However, the confirmer does not have permission to initiate the operation.
Intersection: Intersections represent the cause-and-effect connection.
OS: Operator Station (OS). A configurable operator stati
Click the respective block icon to open the Safety Matrix Viewer faceplate with the desired view.
Safety Matrix block icon
The Safety Matrix block icon shows the following information for the Safety Matrix:
- Technological name of the Safety Matrix message block
- Display indicating whether there are active pre-alarms for causes
- Display indicating whether there are active pre-alarms for effects
- Display indicating whether there are active causes
- Display indicating whether there are active effects
- Number of active causes
- Number of active effects
- Display indicating whether there are causes with bypass
- Display indicating whether there are effects with bypass
- Number of causes bypassed
- Number of effects bypassed
- Text for filtering the display for an SIF group (if configured)
- Number of the SIF group (if configured)
- Display indicating whether the configuration was changed
- Display indicating whether reintegration of the F channel drivers is required

8.3 Opening the Safety Matrix Viewer faceplates
Attributes for filtering the Safety Matrix display
You use the SafetyGroupNumber attribute in the MatrixData property to enter the number of the safety instrumented function group (SIF group) whose assigned causes and effects are to be displayed when the Safety Matrix faceplate is opened. All other ca
E_Status (F_StatDB): Signature Changed; Interface Changed xxx <> xxx; SM_VER Value 16#0003 < 16#0001; DB_Num Structure CHAR < BOOL; FlowCnt Deleted; CYC Deleted.
- One section for each F_Cause F-FB per Safety Matrix. Block Matrixname, Matrixname_Cxx (F_Cause): Signature Changed; Interface Changed xxx <> xxx; SM_VER Value 16#0003 < 16#0001; C_Status_DB Structure CHAR < BOOL; DB_GROUP Added; MatrixSize Value Not Interconnected < Interconnected (MatrixName, MatrixName, MatrixName_Size). For each discrete or analog tag of another Safety Matrix (prefix used): ConnectorName Value MatrixName1, MatrixName1_TAG_Name_Q < MatrixName_TAG_Name, or ConnectorName Value MatrixName1, MatrixName1_TAG_Name_V < MatrixName_TAG_Name. The following default parameters for the operation and monitoring or reporting: P_LIMV_xx Added; VMODx_R_yy Added; VMODx_B_yy Added; HMI Added; DB_NUM Added; CYC Deleted.
- One section for the F_Inters F-FB per Safety Matrix. Block MatrixName, MatrixName_Inters (F_Inters): Signature Changed; Interface Changed xxx <> xxx; SM_VER Value 16#0003 < 16#0001; C_Status_DB Structure CHAR < BOOL; MatrixSize Value Not Interconnected < Interconnected (MatrixName, MatrixName, MatrixName_Size)
1 ...
1.1 What is the Safety Matrix
1.2 Optional packages of the Safety Matrix
1.3 Example view of a Safety Matrix
1.4 Definition of terms
1.5 Overview of procedure
2 Installing
2.1 Requirements for installation
2.2 ...
2.3 Uninstalling Safety Matrix V6.2 components
2.4 Introducing the new Safety Matrix block icon into the PCS 7 OS
2.5 Upgrading to Safety Matrix V6.2
2.5.1 Overview of upgrading
2.5.2 Use case ...
...
Editing or changing intersections
4.5.2 Intersection details dialog box, Configure tab
4.6 Importing/exporting a cause/effect matrix file ... 103
4.6.1 Importing a cause/effect matrix file (.cem) to a PCS 7 project
4.6.2 Exporting a cause/effect matrix file (.cem)
4.7 Safety Matrix ...
5 Access protection
6 Transferring a Safety Matrix
6.1 Transferring the Safety Matrix to the project ... 109
6.2 F-runtime group and run sequence ... 116
6.3 Notes for working with CFC ... 117
7 Compiling and downloading
7.1 Compiling and downloading to the F-CPU ... 119
7.2 Compiling and downloading to the Operator Station ... 120
8 Operator control and monitoring
FC optional software PCS 7 for Safety Matrix Viewer

Optional package | Order number | Release number and higher | License
Safety Matrix Editor (optional package including authorization license) | 6ES7833-1SM42-0YA5 | V6.2 | Single; Trial (1 month)
Safety Matrix Engineering Tool (optional package including authorization license), full version | 6ES7833-1SM02-0YA5 | V6.2 | Floating; Trial (14 days)
Safety Matrix Engineering Tool, upgrade version from V5.2 or V6.1 | 6ES7833-1SM02-0YE5 | | Floating as upgrade; Trial (14 days)
Safety Matrix Viewer (optional package including authorization license), full version | 6ES7833-1SM62-0YA5 | V6.2 | Floating; Trial (14 days)
Safety Matrix Viewer, upgrade version from V5.2 or V6.1 | 6ES7833-1SM62-0YE5 | | Floating as upgrade; Trial (14 days)

The optional packages of the Safety Matrix are used for the safety life cycle engineering and management of S7 F/FH Systems (fail-safe automation systems) and provide support for all phases of the safety life cycle.

What's New
Description of the following important innovations: Approvals; Revision/expansion of the user interface; Revision of tag entry; Preprocessing for cause tags; Expanded options for causes (pre-alarm for analog values, mutually exclusive tag simulation); Effect tag as internal reference; Expande
If a difference is detected, "intersection of cause x and effect y changed" is output (x and y refer to the source). If an intersection for this pair is not found, "intersection of cause x and effect y new" is output (x and y refer to the source). All deleted intersections whose cause and effect were not deleted are indicated.
The differences between the Safety Matrix charts are displayed in a hierarchical format, similar to that of Explorer. The following figure shows an example comparison. In this example, the following changes were made in the Safety Matrix:
- The time behavior was changed in Cause 1.
- Tag 2 has been reassigned in Cause 2.
- The delay was changed in Effect 2.
[Figure: Compare Programs dialog box (Default_Projekt_Prj, SIMATIC H Station 1, CPU 417-4), reference saved on 02/13/2008 11:43:03 AM. Result of the comparison: SafetyMatrix > Causes, Effects; Matrix 1: Modified (new version of matrix, number of version modified, standard part modified); Cause 1 (E5.0): Modified, Configuration: Time: Delay before trip <> Time: Duration, 5000 <> 0; Cause 2 (E5.1, E21.3): New; Cause 2 (E5.1): Deleted; Effect 2 (A11.1): Modified, Output: Delay 5000 <> 0, Configuration: Delay 1 <> Delay 0]
Initiator: only by means of the Safety Matrix Viewer on the PCS 7 OS. If the operator has initiator permission, he can start the transaction in his role as initiator.
- Secure Write for confirmer: only by means of the Safety Matrix Viewer on the PCS 7 OS. If the operator has confirmer permission, he can confirm the transaction in his role as confirmer. The operator input does not take effect in the safety program until after this confirmation.

8.5.3 Operation of a Safety Matrix
8.5.3.1 Operator inputs using the control bar in online mode and in the Safety Matrix Viewer
Dependency of available functions
The control bar is available in online mode of the Safety Matrix Engineering Tool and in the Safety Matrix Viewer for working with an online Safety Matrix. Once a cause or an effect is selected in the Safety Matrix, the control bar functions available for the cause or effect are displayed as control bar buttons. Control bar functions for which permission does not exist are desensitized. The available functions depend on:
- The selected element
- The configuration of the element
- The status of the element
- The user permission on the PCS 7 OS

8.5 Operating
The following example shows the control bar in the case of a highlighted cause requiring user acknowledgement (ACK).
[Figure: SIMATIC Safety Matrix, Matrix01_SafetyMatrix, Anlage 2 ...]
Matrix is conducted basically the same as for S7 F/FH Systems (see the Operating Manual or the corresponding section in the relevant manual for older versions of S7 F Systems). The procedures described there are also valid for the Safety Matrix as a subset of S7 F Systems. The manual also contains additional details about each step of the acceptance test. The following detailed description includes only those actions that must be carried out additionally for the Safety Matrix.

Initial acceptance test of a safety program
The following list shows the steps of the S7 F Systems acceptance test. Only the Safety Matrix-specific additions are listed.
1. Backup of the STEP 7 project
2. ... Compile all matrices (Page 109) and Compiling and downloading (Page 119).
Preliminary test of the configuration of the F-CPU and F-I/O (optional): ... backing up the STEP 7 project ... Safety Matrix: Check the result of the transfer using the Tools > Compare Matrix with > Program menu command. There must not be any differences displayed.
Inspection of the printout: print the configuration report for each matrix and inspect it (see section Configuration report, Page 151). Check the printout for the following: all information is complete and conforms to the desired configuration. For example, check the configura
Name MatrixName_Exx: MatrixSize; ViewTime Added; SWC_AKT Added; SecCmdStat Added; DurationMin Added; Msec Value Interconnected MatrixName_Msec < Not Interconnected; MaxMsec Value Interconnected MatrixName_MaxMsec < Not Interconnected; MtxVersion Added; DB_NUM_D Added; TempBuf1 Value < 1234567890; TempBuf Value < 1234567890; EV_ID Deleted; ALARM_EN Deleted; SecureDataVerf Deleted; Dummy Deleted; Dummy2 Deleted; MSG_ERR Deleted; MSG_STAT Deleted; MSG_ACK Deleted; DIAGSTAT Deleted.
If the comparison results from steps 11 or 12 include entries in addition to those listed, you must identify and evaluate the reason for the change, taking into account your specific system, and make the appropriate adjustments according to your requirements.

Measures after upgrading
After a successful upgrade of the Safety Matrix, the following measures must be taken:
1. ... after upgrading, you must interconnect the EN_SWC input ... charts of the matrix logic MatrixName (see section ..., Page 133).
2. Enter the time interval for a transaction for your specific system, especially if you want to use the new 2-operator scenario feature on the PCS 7 OS. This time can be specified by the user on the Parameters tab of the Properties dialog box; the defau
CONFIG_V | DWORD | Cause configuration (see Table CONFIG_V below)
STATE_V | DWORD | Cause status (see Table STATE_V below)
DIAG_V | DWORD | Cause error (see Table DIAG_V below)
P_LIM_V | REAL | Configured pre-alarm limit for analog values; a pre-alarm will be issued when this value is exceeded
LIMIT_V | REAL | Configured limit for analog values; the analog tag trips when this value is exceeded
HYST_V | REAL | Configured hysteresis for tripping of the analog tag or for canceling the trip
DELTA_V | REAL | Configured permitted discrepancy between the values of the analog tags
DELAY_V | DINT | Value configured for the time delay for tripping of causes, in ms
TAG1_R | REAL | Analog value TAG1 to be processed in the Safety Matrix
TAG2_R | REAL | Analog value TAG2 to be processed in the Safety Matrix
TAG3_R | REAL | Analog value TAG3 to be processed in the Safety Matrix
VMOD1_R | REAL | Analog value read in via the module for TAG1
VMOD2_R | REAL | Analog value read in via the module for TAG2
VMOD3_R | REAL | Analog value read in via the module for TAG3
TAG1_B | BOOL | Discrete value TAG1 to be processed in the Safety Matrix
TAG2_B | BOOL | Discrete value TAG2 to be processed in the Safety Matrix
TAG3_B | BOOL | Discrete value TAG3 to be processed in the Safety Matrix
VMOD1_B | BOOL | Value read in via the module for TAG1
VMOD2_B | BOOL | Value read in via the module for TAG2
VMOD3_B | BOOL | Value read in via the module for TAG3
TAG_TYPE | BOOL | Configuration TAG: 1 = Analog tag, 0 = Discrete tag
ACK_REQ | BOOL | 1 = Ac
OS server is connected to the plant bus and processes the process data. Operator input during process mode is carried out on the OS clients.
Note: Prior to compiling and downloading to the OS, you must assign the CFC chart of the Safety Matrix to the desired hierarchy folder in the Engineering System (see the Configuring Manual, Chapter 7.5.10; siemens.com support entry 27002758).

Compiling and downloading to the OS
A project is downloaded using the central Compile and download objects function in SIMATIC Manager. Objects represented in the dialog box correspond to the component view in SIMATIC Manager, i.e. all SIMATIC PC stations that you created in SIMATIC Manager are displayed in this dialog box. In this central location, you make all necessary settings for compiling and downloading. In addition, you specify in this dialog box whether you want to compile and download the entire project or individual operator stations.
Note: Compiling an OS with activated WinCC runtime followed by downloading is not supported on a single OS.

7.2 Compiling and downloading to the Operator Station
Transferring changes in a Safety Matrix
Changes in a Safety Matrix are not automatically transferred to the operator station. You can transfer the changes by compiling and downloading to the operator st
CPU STOP.

2.5 Upgrading to Safety Matrix V6.2
Procedure
1. Create a backup copy of the entire S7 project for comparison purposes before you install Safety Matrix V6.2.
2. Install Safety Matrix V6.2 on the ES.
3. Install Safety Matrix AS-OS Engineering on the ES, if necessary.
4. Install Safety Matrix Viewer on the ES/OS, if necessary.
5. Right-click the Matrices folder in the S7 program folder and select the Object properties of the matrix folder.
6. On the Matrix tab of the object properties, select the Safety Matrix library (SafetyMatrix_Lib V1_3) you want to use for this S7 program.
7. Confirm the subsequent prompts. The blocks will be copied to the S7 program folder.
8. Open the Safety Matrix and transfer it with the following transfer option settings: Transfer option "Use imported channel drivers (IEA support)" cleared; Transfer option "Chart + Parameters" selected; Transfer option "Clean nested chart connections" selected; Transfer option "Position blocks" selected, along with option "Update all".
9. Perform step 8 for all available Safety Matrices. Meanwhile, other CFC actions are not allowed.
10. Compile the SIMATIC project.
11. Using the Tools > Compare Programs menu command in the Safety Matrix Engineering Tool, compare the safety program with the backup copy from step 1.
12. Following a successfu
73. Parameters for the transfer (see below).

Note: The entry "Creating the matrix chart in the project" in the log window indicates that the transfer was executed with the "Chart Parameters" transfer option. Check this entry based on the parameter assignment.

Parameters option: You can download changes to a running Safety Matrix if you have selected the Parameters option for the transfer. This has no effect on the processing of the causes, effects and intersections that were not changed. Take the following into consideration for the causes and effects that were changed:
- Saved information (e.g. active timers, messages) is retained when downloading changes to the F-CPU. This can result in collisions between the old and new configurations. Example: If the old effect was active as a stored effect and was reconfigured as not stored, this effect can no longer be reset due to the missing reset tags.
- If this behavior is not desired, you must download the changes in two steps: First delete the configurations of the causes/effects involved and then download. Afterwards, configure and download the new configuration.

WARNING: Effect on downloading of changes. If you have selected the Parameters transfer option, you must make sure that none of the collisions mentioned above occur when causes/effects are changed. In case of doubt, select the "Chart Parameters" transfer option. Only select the Parame
74. SIEMENS
SIMATIC Industrial Software
Safety Matrix
Configuration Manual
02/2010, A5E00265325-03

Chapters as far as legible on the title page: Preface; Product Overview; Installing; Software user interface; [illegible] protection; Transferring a Safety Matrix; (further chapter titles illegible); Operator control and monitoring; Documentation of a Safety Matrix; Acceptance test for a Safety Matrix (10); Example parameter assignments.

Legal information

Warning notice system: This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. These notices, shown below, are graded according to the degree of danger:
- indicates that death or severe personal injury will result if proper precautions are not taken.
- WARNING indicates that death or severe personal injury may result if proper precautions are not taken.
- CAUTION with a safety alert symbol indicates that minor personal injury can result if proper precautions are not taken.
- CAUTION without a safety alert symbol indicates that property damage can result if proper precautions are not taken.
- NOTICE indicates th
75. Table of contents (partly illegible):
Bypass ... 159
11.1.4 Auto acknowledge active cause
11.1.5 Input trip on bad quality ... 160
11.1.6 Alarm on any input
11.2 Example parameter assignments for effects ... 161
11.2.1 Reset override
11.2.2 Reset override with output delay ... 163
11.2.3 Bypass ... 166
11.2.4 Bypass with output delay
11.2.5 Process data pass through and mask enable
Glossary
Index

1 Product Overview

1.1 What is the Safety Matrix

Comprehensive tool for the safety life cycle: The SIMATIC Safety Matrix is the comprehensive tool for safety life cycle engineering and management of S7 F/FH Systems fail-safe automation systems, and provides support for all phases of the safety life cycle
76. Tool V6.2:
1. Start your ES. Ensure that no STEP 7 applications are open.
2. Insert the product CD for the Safety Matrix Engineering Tool V6.2.
3. Start the SETUP.EXE program on the CD.
4. Follow the setup program instructions.
5. If you are using Safety Matrices in a PCS 7 environment, select the AS-OS Engineering check box.

Installing Safety Matrix Viewer V6.2:
1. Start your ES/OS. Ensure that no SIMATIC applications are open.
2. Insert the product CD of the Safety Matrix Viewer V6.2.
3. Start the SETUP.EXE program on the CD.
4. Follow the setup program instructions.

Installing Safety Matrix Editor V6.2:
1. Start your PC.
2. Insert the product CD of the Safety Matrix Editor V6.2.
3. Start the SETUP.EXE program on the CD.
4. Follow the setup program instructions.

License key (usage authorization): A license key is required for each component of Safety Matrix V6.2. This license key is installed in the same way as for STEP 7 and the optional packages. For information on installing and working with license keys, refer to the Readme file and the STEP 7 basic help.

Documentation Safety Matrix: When a component of Safety Matrix V6.2 is installed, a shortcut for German and English with the name "Safety Matrix Engineering Tool" is stored in the respective SIMATIC directory for manuals (Start > SIMATIC > Documentation).
77. 2.3 Uninstalling Safety Matrix V6.2 Components

Note: For uninstalling the Safety Matrix Engineering Tool/Viewer V6.2, the same requirements apply as described in the PCS 7 V7.0 manual PC Configuration and Authorization (http://support.automation.siemens.com/WW/view/en/27002558).

Use the normal procedure in Windows for uninstalling software:
1. In Windows, double-click the "Add or Remove Programs" icon in Control Panel to open the dialog box for installing software.
2. Select the "SIMATIC SafetyMatrix Engineering Tool V6.2", "SIMATIC SafetyMatrix AS-OS Engineering V6.2" and/or "SIMATIC SafetyMatrix Viewer V6.2" or "SIMATIC SafetyMatrix Editor V6.2" entry in the list of installed software. Click the Add/Remove button to uninstall the software.

2.4 Introducing the new Safety Matrix block icon into the PCS 7 OS

Note: Safety Matrix Viewer V6.2 contains block icons for Safety Matrix V6.2 and a block icon for Safety Matrix V5.2 or V6.1. This allows you to operate the following Safety Matrix versions together on a single OS:
- V6.2 and V5.2
- V6.2 and V6.1

Converting pictures: If you are using PCS 7 V7.0 or higher, you must convert the pictures to the WinCC version you are using. Follow the steps outlined below:
1. Launch WinCC Explorer for the OS contained in the Safety Matrix project.
2. Right-click the Graphics Designer entry in WinCC Explorer.
3. Sel
78. a cause has more than one input tag, the function type for activating the cause must also be taken into consideration. The behavior is the same with regard to the output tags: If the effect is active, the output tags are set to 0; if inactive, they are set to 1.

Function type: The function type combines with the input tags and their options to govern whether and when a cause is active or inactive:
- Normal: one input tag
- 2oo3: three input tags; 2 out of 3 tripping criteria must be fulfilled
- AND: 2 to 3 input tags; all tripping criteria must be fulfilled
- OR: 2 to 3 input tags; at least one tripping criterion must be fulfilled
- For note only

1.4 Definition of terms

Bypass: Bypass function that is normally used for maintenance purposes, e.g. for checking effect logic or replacing a sensor. A Boolean tag can be selected or entered as the bypass tag. The bypass becomes active if the value of the bypass tag is TRUE. In addition to the bypass tag, the soft bypass function can also be allowed; then the operator can set the bypass manually by means of an operator input via Secure Write. When a bypass is active, a cause or effect cannot become active even though it should be active based on its tripping condition and options.

Safety instrumented function groups (SIF): You can create your own safety instrumented function groups for your ap
79. acceptance test. To avoid this:
- Always add additional effects at the end.
- Cut, add, copy or delete content only, and not whole columns.
- Avoid changing the size of the Safety Matrix.

4.4.3 Overview of the "Effect details Effect x" dialog box

Procedure for configuring an effect: In the effect configuration area of the Safety Matrix, double-click a column (empty or filled), or click the column and select Change in the context menu. The "Effect details Effect x" dialog box is opened.

Effect x: Each effect is assigned a unique number within the Safety Matrix. This assignment occurs automatically on the basis of the selected column. The effect number cannot be changed.

Dialog box for configuring an effect: The dialog box for configuring an effect contains the following tabs:
- Configure
- Options
- Alarms

4.4.4 "Effect details" dialog box, Configure tab

Field | Description
Descr | Alphanumeric description of the effect, which can be up to 32 characters long. Entry of the description is mandatory.
SIL (Safety Integrity Level), Tag x | This field is used for documentation purposes. Here you can enter the SIL for this effect as determined during your risk analysis, e.g. according to IEC 61508. An entry in this field is not required. No SIL value is e
80. afety Matrix (Page 74).

Mutually exclusive tag simulation: If you select this option, the tag simulation of the effect is mutually exclusive. This means that only one tag of an effect can be simulated in each case.

Process data pass-through / Mask: This is a concept that allows a process tag controlled externally by a control system to be interconnected with the output logic of the effect. The Safety Matrix will disregard the pass-through of the process data if the effect becomes active. Process data pass-through is configured by selecting the "Enable process data pass through" check box and entering a process data tag for the process tag. The pass-through is controlled by the active status of the effect (see figure below). The value of the process data tag is interconnected with the output tags if the effect logic is not active. If the effect logic is active, the interconnection of the process data tag value with the output tags of the effect is disconnected and the output is controlled by the fail-safe values. The fail-safe value is FALSE for a deenergize-to-trip (DTT) output and TRUE for an energize-to-trip (ETT) output.

[Figure: value of the process data tag passed through to the output tags while the effect logic is inactive]

By masking the effect, you can override the effect logic using the process data value, as shown in the figure below. The override functi
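The two passages above (function types and trip conventions of a cause, and effect outputs with process data pass-through) can be combined into one small model. The following is an added illustration written for this page, not Siemens code and not the logic of the Safety Matrix library; the class names InputTag, Cause, OutputTag, Effect and SafetyMatrix and the sample tag names are assumptions. It implements the rules the manual states: DTT trips on FALSE (the default), ETT trips on TRUE, the function types Normal / 2oo3 / AND / OR / For note only, bypass, and the fail-safe output value FALSE for a DTT output and TRUE for an ETT output when the effect is active. The intersection rule (an effect is active as soon as any assigned cause is active) is a simplification assumed here; the manual's intersection types are not modelled.

```python
"""Constructed model of the cause-to-effect logic described in the manual.
Added illustration only, not Siemens code; class names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class InputTag:
    name: str
    value: bool
    energize_to_trip: bool = False  # default convention: deenergize to trip

    def tripped(self) -> bool:
        """DTT trips when the value is FALSE, ETT trips when it is TRUE."""
        return self.value if self.energize_to_trip else not self.value


@dataclass
class Cause:
    description: str
    function_type: str  # "Normal", "2oo3", "AND", "OR" or "For note only"
    tags: List[InputTag]
    bypass: bool = False

    def tripping_condition(self) -> bool:
        trips = [t.tripped() for t in self.tags]
        ft, n = self.function_type, len(trips)
        allowed = {"Normal": (1,), "2oo3": (3,), "AND": (2, 3), "OR": (2, 3)}
        if ft == "For note only":
            return False  # documentation only, never trips
        if n not in allowed.get(ft, ()):
            raise ValueError(f"{ft!r} does not allow {n} input tag(s)")
        if ft == "2oo3":
            return sum(trips) >= 2  # two of three criteria fulfilled
        return all(trips) if ft == "AND" else any(trips)  # Normal: the single tag

    def active(self) -> bool:
        # A bypassed cause cannot become active even if its condition holds.
        return self.tripping_condition() and not self.bypass


@dataclass
class OutputTag:
    name: str
    energize_to_trip: bool = False

    def fail_safe_value(self) -> bool:
        return self.energize_to_trip  # FALSE for DTT, TRUE for ETT


@dataclass
class Effect:
    description: str
    outputs: List[OutputTag]
    bypass: bool = False
    pass_through_value: Optional[bool] = None  # process data tag, if enabled

    def output_values(self, active: bool) -> Dict[str, bool]:
        active = active and not self.bypass
        result = {}
        for tag in self.outputs:
            if active:
                result[tag.name] = tag.fail_safe_value()  # pass-through disconnected
            elif self.pass_through_value is not None:
                result[tag.name] = self.pass_through_value  # process data passed on
            else:
                result[tag.name] = not tag.energize_to_trip  # DTT rests at 1, ETT at 0
        return result


@dataclass
class SafetyMatrix:
    causes: Dict[str, Cause]
    effects: Dict[str, Effect]
    intersections: List[Tuple[str, str]]  # marked (cause id, effect id) pairs

    def evaluate(self) -> Dict[str, Dict[str, bool]]:
        active_causes = {cid for cid, c in self.causes.items() if c.active()}
        out = {}
        for eid, effect in self.effects.items():
            # Assumption: an effect is active when any assigned cause is active.
            assigned = [c for c, e in self.intersections if e == eid]
            out[eid] = effect.output_values(any(c in active_causes for c in assigned))
        return out


def constructed_example() -> Dict[str, Dict[str, bool]]:
    """Constructed sample data: a 2oo3 pressure cause and a bypassed ETT level cause."""
    high_pressure = Cause("High pressure", "2oo3", [
        InputTag("PT_101", False), InputTag("PT_102", True), InputTag("PT_103", False)])
    high_level = Cause("High level", "Normal",
                       [InputTag("LSH_201", True, energize_to_trip=True)], bypass=True)
    close_valve = Effect("Close feed valve", [OutputTag("XV_301")])
    start_pump = Effect("Start dump pump", [OutputTag("P_401", energize_to_trip=True)],
                        pass_through_value=True)
    matrix = SafetyMatrix({"C1": high_pressure, "C2": high_level},
                          {"E1": close_valve, "E2": start_pump},
                          [("C1", "E1"), ("C2", "E2")])
    return matrix.evaluate()
```

In the constructed sample, two of the three DTT pressure tags read FALSE, so the 2oo3 cause is active and the DTT valve output goes to its fail-safe value FALSE; the level cause is tripped but bypassed, so its effect stays inactive and the process data value is passed through to the ETT pump output unchanged.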
81. 8.4 Monitoring

Effect block icon: [figure of the effect block icon]

The effect block icon shows the following information for an effect:
- Technological name of the effect message block
- Whether the effect is active (red circle)
- Whether there is a pre-alarm for the effect (yellow circle)
- Whether there is a bypass for the effect
- Whether there is a diagnostic interrupt (error) for the effect
- Whether a reset is possible

Attributes for setting the display colors: The block icon offers you the option of using attributes to change the background and text colors in the display.

Permission for group acknowledgement in the block icons: In V6.2 and higher, permission for group acknowledgement of alarms and messages is available in the block icons. Right-click the respective block icon and select the Processcontrolling_backup permission in the "Other" property to specify the permission level.

8.4.1 Colors

Color codes for status display: The status of causes, intersections and effects is shown in different colors in online mode of the Safety Matrix. These are default settings and can be changed (see section "Adjust dialog boxes", Page 79).

Status displays: Di
82. alled the following software packages on your PC:
- Windows XP SP2 or higher, or Windows Server 2003 SP1 or higher

2.2 Installing

Note: Installations of older versions of the Safety Matrix components must be uninstalled prior to installing Safety Matrix V6.2.

Note: For installing the Safety Matrix Engineering Tool/Viewer V6.2, the same requirements apply as described in the PCS 7 Operating Manual PC Configuration and Authorization (http://support.automation.siemens.com/WW/view/en/27002558).

WARNING: Check installed version of the Safety Matrix components. After installation of the Safety Matrix components, verify the respective version via "Installed SIMATIC software" (VersionView).

Reading Readme files: Important current information regarding the delivered software is available in the Readme files: Safety Matrix Engineering Tool V6.2 Readme, Safety Matrix Viewer V6.2 Readme, Safety Matrix Editor V6.2 Readme and Safety Matrix AS-OS Engineering Readme. You can arrange for the Readme files to be displayed at the end of the corresponding setup program. You can also open the Readme files later by selecting Start > SIMATIC > Product Information > English. You will find the Readme files in the installation directory of the respective Safety Matrix component.

Installing Safety Matrix Engineering
83. alue outside the range boundaries, a confirmation prompt is displayed to draw your attention to this. You can now confirm the setting, or cancel the dialog box and enter a new simulation value.

Note: The V_MOD column displays the analog input value received from the F-I/O (available in S7 F Systems Lib V1_3 and higher). If communication with the F-I/O is not possible, or if a user acknowledgement has not yet occurred following an error, 0.0 is displayed.

5. Click the Write button for the relevant tag. Result: A Secure Write transaction is started for writing the values.
6. Click the simulation Stop button for the relevant tag to stop the simulation.

Note: You must take the following into consideration when simulating a tag:
- When the "Mutually exclusive tag simulation" option is selected, only one tag of a cause or effect can be simulated in each case.
- For internal channel drivers, the simulation affects all users of the tag. This includes other matrices and each user-configured logic that uses this F channel driver.
- Tags provided with a prefix or suffix are external for this matrix and are only simulated internally in the Safety Matrix, i.e. the simulation pertains only to the functions within the matrix. Outside the Safety Matrix, only the physical (i.e. not simulated) value can be process
84. are ensured by means of a CRC signature contained in the → safety message frame.

Deactivated safety mode: Deactivated safety mode is the temporary deactivation of → safety mode for test purposes, commissioning, etc. Whenever safety mode is deactivated, the safety of the system must be ensured by other organizational measures, such as operation monitoring and manual safety shutdown.

Deenergize to trip (DTT): Trip if FALSE. The cause is active if the input tag is 0 (low active). The output tag is 0 if the effect is active. This negative logic is the default setting for the inputs and outputs of the Safety Matrix.

Depassivation: → Reintegration

Effect: An effect represents the reaction that the Safety Matrix exerts on the process. Certain conditions must be fulfilled in order for the effect to become active and thus to trigger an action in the process by means of its output tags. The values of at least one but no more than four discrete output tags define the action to be performed on the process. The activation of an effect depends on various factors: status of the assigned causes, type of intersection, specified options for the effect.

Energize to trip (ETT): Trip if TRUE. The cause is active if the input tag is 1 (high active). The output tag is 1 if the effect is active.

ES (Engineering System): Configuration system that enables
85. associated causes and effects that are typically assigned to a single safety circuit, made up of sensors, the F-CPU and control elements, that executes a particular safety function. Assignment to an SIF allows filter functions to be used for displaying causes and effects in online mode. You must have created the safety instrumented function groups in the General tab of the Properties dialog box for the Safety Matrix before you can assign causes and effects here. Pay special attention to the steps in chapter "Properties dialog box of the Safety Matrix" (Page 74).

Auto acknowledge active cause: If the "Auto acknowledge active cause" check box is selected, the cause will be cleared automatically as soon as the tripping condition is no longer satisfied. If this check box is not selected, the operator must manually clear an active cause. This check box is selected by default.

Note: The acknowledgement has no effect on a cause with a configured OFF delay or on a timed cause.

Input trip on bad quality: If the "Input trip on bad quality" check box is selected, the quality errors signaled by the F channel drivers cause the input tag to report that it is in tripped condition.

Enable AnyInputTrip alarm: If a cause is configured with more than one input tag, the user can select whether an alarm is indicated as soon as one of the inputs satisfies the tripping criteria. By default this is set up for discrete and analog input types as f
86. at an unintended result or situation can occur if the corresponding information is not taken into account. If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel: The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation for the specific task, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products: Note the following:

WARNING: Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be adhered to. The information in the relevant documentation must be observed.

Trademarks: All names identified by ® are registered tra
87. at you can create yourself, for example to perform an arithmetic function for converting pressure to temperature. The preprocessing chart must have been introduced into the Templates folder within the SafetyMatrix Lib V1_3 and conform to the following rules:
- Template for analog preprocessing (REAL): V_IN (input process data), V_OUT (output process data), SIM_V_IN (input simulation value), SIM_V_OUT (output simulation value). A comment that begins with SM_REAL must be entered in the properties of the preprocessing chart.
- Template for discrete preprocessing (BOOL): Q_IN (input process data), Q_OUT (output process data), SIM_I_IN (input simulation value), SIM_I_OUT (output simulation value). A comment that begins with SM_BOOL must be entered in the properties of the preprocessing chart.

A preprocessing is possible for input tags with the option "Channel driver" or "Channel driver Customer specific". The following figure shows the principle of preprocessing based on an analog input tag.

[Figure: preprocessing of an analog input tag. Signals: CH_STATx_x, SIM_ONx, TAGx, SIM_x from the Safety Matrix; the PreProc chart with V_IN, V_OUT, SIM_V_IN, SIM_V_OUT and the CF block]

4.1.5 For purposes of the preprocessing, a separate nested chart PP_Chart is created in the nested chart of the matrix logic. In this PP_Chart, a separate nested chart
88. ation. Deviations between operator station and F-CPU are signaled in red text below the control bar in online mode:
- Version difference
- Matrix difference

Special circumstances when downloading in the case of single-user systems: If the OS and ES are operated on one computer, you do not have to perform any download operations, because all necessary data are already present.

See also: Detailed information on downloading to an OS can be found in the Configuring Manual (http://support.automation.siemens.com/...).

8 Operator control and monitoring

8.1 Overview of operator control and monitoring

Introduction: The operator control and monitoring functionality of the Safety Matrix allows you to monitor and control the behavior of a Safety Matrix during operation. This can take place with the Engineering Tool in online mode as well as with the viewer of a PCS 7 OS.

Requirements for operator control and monitoring: You perform operator control and monitoring on the Engineering Station in online mode of the Safety Matrix Engineering Tool. You perform operator control and monitoring on the Operator Station via the Safety Matrix Viewer faceplate. The following requirements apply to operator control and monitoring of a Saf
89. atrixName. The Safety Matrix Engineering Tool automatically places the following F channel drivers from S7 F Systems into a CFC chart during the transfer:
- F_CH_DI for discrete cause tags (F channel drivers for digital inputs of F-I/O, except fail-safe DP standard slaves and PA field devices)
- F_CH_AI for analog cause tags (F channel drivers for analog inputs of F-I/O, except fail-safe DP standard slaves and PA field devices)
- F_CH_DO for effect tags (F channel drivers for digital outputs of F-I/O, except fail-safe DP standard slaves and PA field devices)

If you are using fail-safe DP standard slaves or fail-safe PA field devices in a Safety Matrix, place the F channel drivers for them manually and interconnect the F channel drivers with the Safety Matrix using chart connections to the nested chart of the matrix logic.

The nested chart of the channel drivers has a visible input:
- The PASS_ON input is interconnected with all internal PASS_ON F channel driver inputs. By interconnecting this input, you can passivate all F channel drivers of the Safety Matrix, e.g. if you want to enable passivation as a function of particular states in your safety program.

The invisible chart connections (inputs and outputs) must not be changed.

WARNING: Nested chart of the channel drivers. You must not rename, copy or move the nested chart of the channel drivers MatrixName. In addition, you must not delete any interconne
90. be viewed. To simulate a cause or effect tag, however, you must have the appropriate user permission.

Ack cause: The "Ack cause" button is available if the selected cause is active and configured without automatic acknowledgement. An acknowledgement prompt is displayed, and the cause remains active until the "Ack cause" button is clicked and the trip conditions that activated the cause are no longer fulfilled. (Permission attribute: CauseAckLevel)

Clear First Out: A color change indicates which cause tripped the associated first-out alarm group first. This first cause is marked in cyan until the cause and the "Clear First Out" button are clicked. (Permission attribute: CauseClrFOLevel)

Bypass: The Bypass button prevents a cause or effect from becoming active. If a cause or effect is bypassed, it will not become active. (Permission attributes: CauseBypLevel, EffectBypLevel)

Clear events: The "Clear events" function clears the event log in the F-CPU. (Permission attribute: EventsClearLevel)

Clear alarm: The "Clear alarm" function becomes active if an effect has been selected that was overridden but has become active again due to one of the following reasons:
- The configured maximum override time has expired.
- The effect was tripped again by a new active cause.
In such cases, the relevant effect is indicated by a color change. You can undo the color change again with the Clear button. (Permission attribute: EffectClrAlmLevel)
91. c procedure for upgrading: When Safety Matrix V5.2 or V6.1 is upgraded to V6.2, the following steps must be carried out in the order given:
1. Upgrade the Safety Matrix as described below.
2. If necessary, upgrade the F library as described in the S7 F/FH Systems Programming and Operating Manual (http://support.automation.siemens.com/WW/view/en/2201072).
3. If necessary, upgrade PCS 7 as described in the PCS 7 documentation.

Use cases for upgrading:
Migration from | Update of Safety Matrix library to Safety Matrix V6.2 | Page
Safety Matrix V5.2 | Required | Page
Safety Matrix V6.1 | Yes | Page
Safety Matrix V6.1 | No | Page
Safety Matrix V5.2 / V6.1 | No (Safety Matrix Viewer upgrade only) | Page

2.5 Upgrading to Safety Matrix V6.2

General notes on upgrading: After installation of Safety Matrix V6.2, changes to existing Safety Matrices will cause an upgrade. This upgrade can be performed with or without an upgrade of the Safety Matrix library (see table above). If an upgrade with Safety Matrix library update is performed, the F-CPU must be switched to STOP.

Variants when upgrading: Before upgrading a specific project to Safety Matrix V6.2, you must choose one of these two variants:
Variant | Without update of the Safety Matrix library | With update of the Safety Matrix library
Consequences
92. charts, including interconnection. If you use this option, you must be aware that overlaps can occur; the data saved to the CFC take precedence. Range boundaries can only be viewed in the Safety Matrix Editor.

Input type: An input type must be selected for each cause:
- Discrete: The discrete type is a Boolean value (TRUE/FALSE). It is used for limit switches or motor check signals. The default setting for the input type is the discrete type.
- Analog: An analog input represents a real value, e.g. the value of a temperature sensor or a flow quantity. If the analog type is selected as the input type, additional parameters must be assigned. The parameters are assigned in the "Analog parameters" tab of the "Cause details" dialog box.

Energize to trip: This is an option for discrete input types and specifies which Boolean condition a trip represents. In deenergize-to-trip applications, the input tag represents a trip if it switches to OFF (FALSE). In energize-to-trip applications, the input tag represents a trip if it switches to ON (TRUE). By default this check box is not selected, i.e. the default setting is deenergize to trip, because the value 0 is regarded as the safe rest position for digital F-I/O (see table below).

4.3 Configuring the causes

Field | Description
Number of inputs | Specify how many tags are assigned
93. cription of the cause. A description must be entered (mandatory); up to 32 characters may be used.

SIL (Safety Integrity Level), Tag x: This field is used for documentation purposes. Here you can enter the SIL for this cause as determined during your risk analysis, e.g. according to IEC 61508. An entry in this field is not required. No SIL value is entered by default.

Specify at least one tag for each cause. Refer to section "Syntax rules for tag names in the Safety Matrix" (Page 55) in this regard.
- I/O button: To open the "Select I/O tag" dialog box, click the I/O button. See section "Tags of the Safety Matrix" (Page 53).
- The "..." button appears if the "Channel driver" option was selected in the "Select I/O tag" dialog box. Click the button to open the "Channel driver" dialog.
  - On the Parameter tab, you can do the following for F channel drivers that are selected via symbols: for analog input tags, display and edit the upper and lower range boundaries for the sensors.
  - In the Options tab, you can select preprocessing for this input tag by selecting an appropriate preprocessing chart (see section "Tags of the Safety Matrix", Page 53), select whether you want to specify a start value for simulation, and specify a start value for the simulation of this input tag. These parameters can also be edited directly at the F channel drivers in CFC.
94. ctions in this chart.

Note: New interconnections must not be added in the nested chart of the channel drivers MatrixName. You must not add any internal interconnections to the F channel drivers, because these will be deleted again during a subsequent transfer if the Recreate option is set. Interconnections to F channel drivers outside the nested chart of the channel drivers are retained.

Note: Blocks in the nested chart of the channel drivers MatrixName must not be changed, renamed, added or deleted. You must not change, rename, add or delete any blocks in the nested chart of the channel drivers.

6.7 Transferring the Safety Matrix to the project

Nested chart of the matrix logic MatrixName: The nested chart of the matrix logic always has at least two inputs:
- MatrixSig: Contains the Safety Matrix signature.
- EN_SWC: This input (F_BOOL) can be used to enable and, if necessary, to disable the Secure Write function for the purpose of making operator inputs, either in online mode of the engineering tool or from the PCS 7 OS. This takes place by means of a signal that is wired in the CFC prior to compiling (enable if signal = TRUE). See section "Secure Write" (Page 5A).

The nested chart of the matrix logic always has at least eight outputs:
- Error: Boolean flag indicating that an erro
95. d acceptance tested, if necessary. This project must contain the Failsafe Blocks V1_2 SP1 or higher of the F Library. You can verify this as follows:
- Open the block folder of the program in the detail view in SIMATIC Manager. In the "Version Header" column, 3.1 or higher must be specified for the following F channel drivers: F_CH_DI, F_CH_DO, F_CH_AI.

No changes are allowed to be made offline that have not also been downloaded online:
- No changes to the safety program
- No changes to the collective signature

Note: If you choose this scenario, the Safety Matrix will continue using the blocks of version V6.1, and a CPU STOP is not required. The software interface corresponds to version V6.2, but the functional scope is still that of version V6.1, with the exception of the following functions, which are now available:
- You can process not only the status of a cause or effect, but also the status of an effect tag within the Safety Matrix for an input tag (Effect x TAG y). See section "Cause details dialog box, Configure tab" (Page 86).
- In addition, you can select and use colors for the status changes of causes, effects and intersections (see section "Adjust dialog boxes", Page 79).

You can change over to use the SafetyMatrix Lib V1_3 at any time on the Matrix tab of the Object properties of the matrix folder. Note that this changeover requires a CPU STOP (see section "Use case 2", Page 37).
96. d or stopped.
Simulate cause tag | Cause number, cause description, tag number, tag name, previous value, new value
Effect bypass | Effect number, effect description
Start and stop effect tag simulation | Effect number, effect description, tag number, tag name, started or stopped
Simulate effect tag | Effect number, effect description, tag number, tag name, previous value, new value
Reintegrate driver |
Acknowledge cause | Cause number, cause description

See also: Messages in the event log of the Safety Matrix (Page 144)

8.6 Events and messages

8.6.3 PCS 7 alarm signals in the WinCC alarm logging

Signaling of all process-relevant events: All process-relevant events can be signaled via a WinCC alarm, so that it is possible to use the alarm log to track which events occurred and in what order, even after a length of time has passed. These alarms appear in WinCC the same as any other alarm in the PCS 7 alarm logging. When the "Loop in Alarm" button is actuated, the picture containing the block icon of the Safety Matrix that goes with the alarm is opened. Click this icon to open the faceplates of the Safety Matrix Viewer.

Requirements for generating block icons: To generate the block icons for the Safety Matrix, the message blocks must be configured appropriately and the Safety Matrix must be transferred with the Pos
97. d setting options for channel drivers; inclusion of customer-specific F channel drivers; expanded options for effects (mutually exclusive tag simulation, pre-alarm for override timeout); doubling of the available Safety Matrix intersections to 1024; enhanced operator control and monitoring features (maintenance changes, status colors); adjustable colors; colored representation of individual tags in online mode; revision and extension of the alarm behavior by means of three new function blocks for alarms (F_SC_AL, F_SE_AL, F_MA_AL) and three new Safety Matrix block icons for operator control; selective representation of the Safety Matrix in the Safety Matrix Viewer (an individual cause with its associated effects, an individual effect with its associated causes); handling of multiple Safety Matrices with different versions in the same PCS 7 OS. The Safety Matrix optional packages are certified for use in safety mode up to: Safety Integrity Level SIL3 according to IEC 61508; Category 4 according to EN 954-1; Performance Level PL e according to ISO 13849-1:2006 or EN ISO 13849-1:2008. Preface: Position in the information landscape. Depending on the application, you will need supplementary documentation for working with the Safety Matrix. This documentation includes references to the supplementary documentation where appropriate. For more information, refer to the FAQs at http support aut
98. demarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner. Disclaimer of Liability: We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions. Siemens AG, Industry Sector, Postfach 48 48, 90026 NÜRNBERG, GERMANY. A5E00265325-03, 02/2010. Copyright Siemens AG 2010. Technical data subject to change. Preface. Purpose of this documentation: The information in this manual enables you to configure S7 F/FH Systems fail-safe systems using Safety Matrix V6.2. In addition, you need the following manuals: the S7 F/FH Systems System Manual and the Programming and Operating Manual. Basic knowledge requirements: General basic knowledge of automation engineering is needed to understand this documentation. Basic knowledge of the following is also necessary: fail-safe automation systems; S7-400H automation systems; S7 F/FH Systems; distributed I/O systems on PROFIBUS DP; STEP 7 and PCS 7 basic software, particularly working with SIMATIC Manager, hardware configuration with HW Config, and communication between CPUs C
99. discrete values can be selected as the input type. The values of at least one but no more than three input tags, together with the function type, represent a cause. You can create a maximum of 128 causes. Causes are arranged in rows in the Safety Matrix. An effect represents the reaction that the Safety Matrix exerts on the process. Certain conditions must be fulfilled for the effect to become active and thus to trigger an action in the process by means of its output tags. The values of at least one but no more than four discrete output tags define the action to be performed on the process. The activation of an effect depends on several factors: the status of the assigned causes, the type of intersection, and the options specified for the effect. You can create a maximum of 128 effects. Effects are arranged in columns in the Safety Matrix. The Safety Matrix intersections specify which causes trigger which effects. You can define up to 1024 intersections. A cause or effect can be active, which means that it has been tripped. Whether and when a cause becomes active is determined by its input tags, the function type and the options for the cause. The activation of an effect depends on the relationships to the causes defined by the intersections and on the options for the effect. If an effect is active, its output tags are set to 0 or 1 depending on the Energize to trip option.
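The structure described in the paragraph above (causes in rows, effects in columns, intersections linking them, and the Energize to trip option deciding whether an active effect drives its output tags to 1 or 0) as a small executable model. This is an added example, not code from the Siemens manual or from the Safety Matrix product. The limits 128/128/1024 and the 1..3 input / 1..4 output tag counts are taken from the text; the letters "N" and "S" for not-stored and stored intersections, and the latching behavior of a stored intersection, are assumptions made for illustration. The two-cause, two-effect matrix in demo() is constructed.

```python
# Added example (not from the Siemens manual): minimal model of the Safety Matrix layout.
# Assumptions: "N" = not stored (effect follows its causes), "S" = stored (effect latches
# until reset); the manual's own intersection type names are not reproduced here.
from dataclasses import dataclass, field

MAX_CAUSES = 128          # from the text
MAX_EFFECTS = 128         # from the text
MAX_INTERSECTIONS = 1024  # from the text


@dataclass
class Effect:
    name: str
    output_tags: list               # 1..4 discrete output tag names
    energize_to_trip: bool = False  # ETT: active -> tags 1; DTT: active -> tags 0
    latched: bool = False           # set by a stored intersection, cleared by reset()

    def reset(self) -> None:
        self.latched = False


@dataclass
class SafetyMatrix:
    causes: list                    # cause names (rows)
    effects: list                   # Effect objects (columns)
    intersections: dict = field(default_factory=dict)  # (cause_idx, effect_idx) -> "N" | "S"

    def validate(self) -> list:
        """Return configuration errors; an empty list means the layout is within the limits."""
        errors = []
        if not 1 <= len(self.causes) <= MAX_CAUSES:
            errors.append(f"{len(self.causes)} causes (limit {MAX_CAUSES})")
        if not 1 <= len(self.effects) <= MAX_EFFECTS:
            errors.append(f"{len(self.effects)} effects (limit {MAX_EFFECTS})")
        if len(self.intersections) > MAX_INTERSECTIONS:
            errors.append(f"{len(self.intersections)} intersections (limit {MAX_INTERSECTIONS})")
        for eff in self.effects:
            if not 1 <= len(eff.output_tags) <= 4:
                errors.append(f"effect {eff.name!r} has {len(eff.output_tags)} output tags (1..4 allowed)")
        for (ci, ei), kind in self.intersections.items():
            if not (0 <= ci < len(self.causes) and 0 <= ei < len(self.effects)):
                errors.append(f"intersection ({ci}, {ei}) points outside the matrix")
            if kind not in ("N", "S"):
                errors.append(f"intersection ({ci}, {ei}) has unknown type {kind!r}")
        return errors

    def evaluate(self, active_causes: set) -> dict:
        """Map the set of active cause indices to output tag values (tag name -> 0/1)."""
        outputs = {}
        for ei, eff in enumerate(self.effects):
            linked = [(ci, kind) for (ci, ej), kind in self.intersections.items() if ej == ei]
            tripped_now = any(ci in active_causes for ci, _ in linked)
            if any(ci in active_causes and kind == "S" for ci, kind in linked):
                eff.latched = True  # assumed stored semantics: stays tripped until reset()
            active = tripped_now or eff.latched
            # ETT: 1 when active, 0 otherwise; DTT: 0 when active, 1 otherwise.
            value = 1 if active == eff.energize_to_trip else 0
            for tag in eff.output_tags:
                outputs[tag] = value
        return outputs


def demo() -> SafetyMatrix:
    """Constructed two-cause, two-effect matrix: one DTT effect on an N intersection,
    one ETT effect on an S intersection."""
    return SafetyMatrix(
        causes=["LevelHigh", "PressureHigh"],
        effects=[
            Effect("CloseInlet", ["XV_101"]),                          # DTT
            Effect("StartAlarm", ["HORN_1"], energize_to_trip=True),   # ETT
        ],
        intersections={(0, 0): "N", (1, 1): "S"},
    )


if __name__ == "__main__":
    m = demo()
    print("errors:", m.validate())
    print("idle:", m.evaluate(set()))
    print("LevelHigh tripped:", m.evaluate({0}))
```

The DTT output reads 1 while healthy and drops to 0 when its effect is active, which is the de-energize-to-trip convention the manual assumes for its tables; validate() is the place to reject a matrix that exceeds the 1024 intersection limit before it is transferred.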
100. dvance and integrated using the customer-specific option (F typicals, but not the explicitly named F_CH_AI, F_CH_DI/DO, F_CH_BI/BO). Customer-specific F channel drivers: An F block is identified as a customer-specific F channel driver when it has been introduced into the safety program and one of the following criteria is met: it is an F Systems F block of type F_CH, but not F_CH_AI, F_CH_DI/DO, F_CH_BI/BO, F_PA or F_Q; or it is an F block type or F block that contains the F block F_FBO_SM and has the following interface: an input parameter for turning on the simulation (SIM_ON); an input parameter for specifying the simulation value (SIM_I for discrete tags, SIM_V for analog tags); an output parameter for the channel status (CH_STAT, generated by means of F_FBO_SM, see below); a parameter for the signal output or input (Q for discrete tags, V for analog tags); and, optionally, the parameters ACK_REQ and ACK_REI for acknowledgement. Note: If the SIM_V parameter of your custom channel driver is not of the REAL data type, it will be labeled with the "Used externally" prefix after the transfer. If you want to simulate the channel driver anyway, you can create an F block type that contains the appropriate data conversion and integrate it into the Safety Matrix.
101. e Export source entry. In the subsequent selection window, select the desired name and file location for the Safety Matrix to be exported. 4.7 Safety Matrix Editor. Functionality: The Safety Matrix Editor is a subset of the Safety Matrix Engineering Tool. Its functionality is limited to configuring a Safety Matrix outside the SIMATIC environment. The Safety Matrix Editor supports checking of the cause and effect logic. Example: The initial version of a Safety Matrix can be created on a workstation with the Safety Matrix Engineering Tool. The logic of the matrix can be saved and used jointly over a network, or sent by e-mail to remote colleagues. The Safety Matrix Editor allows the editor to open the Safety Matrix and examine it in the same format in which it was created. The editor can change the Safety Matrix configuration, e.g. change function types or parameters, or insert user notes. A Safety Matrix can also originate from the Safety Matrix Editor. Finally, the Safety Matrix can be integrated into a SIMATIC project (see chapter "Importing/exporting a cause/effect matrix file", page 103). Restrictions in the range of functions: The following functions of the Safety Matrix Engineering Tool are not included in the Safety Matrix Editor: transfer to the project; compile; download; compare Safety Matrix with
102. e Tag names and tag properties. With the Compare Programs dialog box you can also establish that a safety program has not been modified. For this purpose, compare the safety program with the original program version that you have saved as a reference, for example. Starting the comparison: Select the Tools > Compare programs menu command. The Compare programs dialog box appears. Save Reference button: Use this button to save the current program, i.e. all Safety Matrix charts in the S7 program, as a reference. This reference is a subset of the reference program that is created with the Save reference button in the Safety program dialog box of S7 F Systems. The reference for the Safety program dialog box in S7 F Systems is saved in a separate file, independently of S7 F Systems. Program/Reference: Select one of these options to specify whether you want to compare the current program or the reference program. Compare with: Use this drop-down list box to specify the second safety program with which you want to compare the safety program you just selected. Program, compare with Reference: the current program is compared with the last saved reference. Other project: the current program is compared with another program; use the Browse button to select the offline program. Refere
103. e predefined alarm profile for the Safety Matrix. There you can: enable individual messages; change message classes; change the priorities of message classes; specify the acknowledgement request. Select the Enable group messages check box. This links the statuses of all message blocks of causes and effects. Click the associated button to open the dialog box for configuring the predefined alarm profile for the group messages. There you can: change the priorities of message classes; specify the acknowledgement request. OS permissions tab: On this tab you configure the user permissions, i.e. the assignment of Safety Matrix functions to a permission level in the PCS 7 OS. The Safety Matrix Viewer differentiates between: monitoring functions without access protection, i.e. without assignment to a permission level; operator control functions with access protection, for which a separate permission level can be specified for each process tag (block icon instance) and each operator control function; and operator roles with access protection, for which there are two functions: Initiator permission (the operator may start an operation) and Confirmer permission (the operator may confirm an operation). See also section "Initiator and confirmer permissions", page 132. The foll
104. ect Convert pictures in the context menu. All pictures are converted. 4. Select the following pictures in the Basic data tab to use the OS Project Editor again: PG_F_MATCTL, PG_F_MA_AL, PG_F_SC_AL, PG_F_SE_AL, PCS7Typicals_S7FSMTX.PDL. 2.4 Introducing the new Safety Matrix block icon into the PCS 7 OS. Introducing pictures into an existing Safety Matrix project: To use the new features of the Safety Matrix faceplate in an existing project, you must update the project. 1. Launch WinCC Explorer for the OS contained in the Safety Matrix project. 2. Open the OS Project Editor and click OK. The project is reconfigured and, as a result, the new block icon is adopted. 3. Open the Global Script C Editor and select the Options > Regenerate headers menu command. Without update of the Safety Matrix library: If you have chosen to use the Safety Matrix without updating the Safety Matrix library, perform the following step: to introduce the new block icon into existing plant pictures, recompile the relevant project. If necessary, configure the desired permissions for the block icons. With update of the Safety Matrix library: If you have chosen to use the Safety Matrix with an update of the Safety Matrix library, proceed as follows: to introduce the new block icon into existing plant pictures, you must recom
105. ed. For the Safety Matrix to interconnect external F channel drivers (except customer-specific channel drivers with prefix) as internal channel drivers, you must select the Use imported channel drivers (IEA support) option for the transfer of the Safety Matrix to the project. This is necessary for the Simulate tag function to act on this external F channel driver as well. Change values for limit, hysteresis and delta: You can also display and edit the values for limit, hysteresis and delta of analog input types in online mode of the Safety Matrix Engineering Tool. Procedure: 1. Double-click the desired cause (Limit column). 2. To update the displayed values, click the Read button on the Values tab of the Display analog parameters (Cause x) dialog box. 3. Select the Activate maintenance changes check box. 4. Enter the desired value for limit, hysteresis and, in the case of multiple analog input tags for a cause, delta in the respective New value field (maximum of 7 characters, including decimal point and sign). 5. Click the Write button. Result: A Secure Write transaction is started to write the values. Changing high and low range boundaries: You can also display and edit the high and low range boundaries of analog input types currently stored in the CFC chart in online mode of the Safety Matrix Engineering Tool.
106. eeded the configured delta alarm value. Input trip alarm: for a cause with multiple tags, indicates that at least one tag has fulfilled the trip condition and requested a trip, but the trip has not yet been activated. Illegal Config: error during the internal diagnostic check of the FB (internal error; remedy: transfer, compile and download again if necessary). SDF error (entered in the event log): indicates that the Safety Matrix has detected an error in the safety data format in the DB. This error always causes the safety program to go to F-STOP. Ackn cause required (entered in the event log): indicates that the cause is kept active until it is acknowledged by the user and the trip condition is no longer fulfilled. TAG x trip pre-alarm (entered in the event log): indicates that the configured tag meets the condition for the limit pre-alarm. TAG x trip requested (entered in the event log): indicates that the configured tag fulfills the condition for requesting a trip; this status includes the energize-to-trip setting of the tag. Tag x value: indicates the tag status. Effect status descriptions (table columns: status, description, entry in the event log). TAG x bad quality (entered in the event log): indicates that the F channel driver of the configured tag is signaling a quality alarm. Tag x simulation active (entered in the event log): indicates that the tag is being simulated. Tag x channel failure (entered in the event log): indicates that the F channel driver of the configured tag is
107. elated F data types are used in the safety program. Glossary. F I/O: group designation for fail-safe inputs and outputs available in SIMATIC S7 for integration in S7 F Systems, among others. The following are available for S7 F Systems: ET 200eco fail-safe I/O modules; S7-300 fail-safe signal modules (F-SMs); ET 200pro fail-safe modules; fail-safe modules for ET 200S; fail-safe DP standard slaves; fail-safe PA field devices. F Runtime group: when the safety program is created, the F blocks cannot be inserted directly into tasks (OBs); rather, they must be inserted into F Runtime groups. The safety program consists of multiple F Runtime groups. F Shutdown groups: F Shutdown groups contain one or more F Runtime groups. F Runtime group communication blocks between the F blocks in different F Runtime groups are not required when all of these groups are assigned to one F Shutdown group. If an error is detected in an F Shutdown group, this F Shutdown group is shut down. Additional F Shutdown groups are shut down according to the configuration of F_SHUTDN. F-SMs: S7-300 fail-safe signal modules that can be used for safety-related operation in safety mode, as centralized modules in an S7-300 or as distributed modules in the ET 200M distributed I/O system. F-SMs are equipped with integrated safety functions
108. eld. Click the associated button to open a browser for this purpose. Enable messages: Select the Enable messages check box. Click the associated button to open the dialog box for configuring the predefined alarm profile for the causes and effects selected in the Configure tab. There you can: enable individual messages; change message classes; change the priorities of message classes; specify the acknowledgement request. For information on assigning a color to an alarm profile for the status display, see chapter "Adjust dialog boxes", page 79. 4.5 Configuring the intersections. 4.5.1 Editing or changing intersections. Editing or changing an intersection: Select a valid intersection cell at the intersection of a configured cause and a configured effect. Each Safety Matrix supports up to 1024 intersections. Procedure for editing or changing an intersection: In the intersection configuration area of the Safety Matrix, double-click an intersection (empty or filled), or click the intersection and select Change intersection in the context menu. The Intersection details (Cause x / Effect x) dialog box opens and you can create or change the intersection. Context menu in the intersection configuration area of the Safety Matrix: If you click an intersection in the intersectio
109. Table of contents (continued): 2.5.3 Use case; 2.5.4 Use case; 2.5.5 Use case; 3 Software user interface; 3.1 Inserting a new Safety Matrix; 3.2 Menu bar of the Safety Matrix; 4 Configuring; 4.1 Overview of configuring; 4.1.1 Basic procedure for creating the safety program; 4.1.2 Tags of the Safety Matrix; 4.1.3 Syntax rules for tag names in the Safety Matrix; 4.1.4 Preprocessing; 4.1.5 F channel drivers
110. ens. Service & Support on the Internet: In addition to our documentation, our complete knowledge base is available online on the Internet. There you will find the following information: newsletters providing the latest information on your products; a search engine in Service & Support for locating the documents you need; a forum where users and experts from all over the world exchange ideas; your local contact person for Industry Automation products, listed in the Contacts database; information about on-site service, repairs, spare parts and much more under Repairs, spare parts and consulting. Important note for maintaining the operational safety of your system. Note: Systems with safety-related characteristics are subject to special operational safety requirements on the part of the operator. The supplier is also obliged to comply with special product monitoring measures. For this reason, we publish a special newsletter containing information on product developments and features that are or could be relevant to the operation of safety-related systems. By subscribing to the relevant newsletter, you will ensure that you are always up to date. There you can register for the following newsletters: S7-300 / S7-300F; S7-400 / S7-400H / S7-400F/FH; Distributed I/O; SIMATIC Industrial Software. To receive these news
111. erred. The desired time in ms can be selected from the available settings in the drop-down menu. These cycle times are associated with the configured execution times of OB 30 to OB 38. Major revision: Displays the number of the major revision. The Next revision button allows you to create the next major revision; you will be prompted to provide a description for it. A time stamp is automatically added to each major revision. Minor revision: Displays the number of the minor revision. The Next revision button allows you to create the next minor revision. A time stamp is automatically added to each minor revision. The number of the minor revision is reset to zero when the number of the major revision is incremented. Each time you accept critical changes (see section "Change tracking menu", page 81), the minor revision is incremented. File revision: Displays the revision number and the time stamp of the most recently saved Safety Matrix file. Matrix signature: Displays the current signature of the Safety Matrix. File tab / Statistics tab: Path to matrix file: indicates the file path where the Safety Matrix file (.cem) is stored. Path to SIMATIC project: indicates the path to the SIMATIC project to which the Safety Matrix belongs (only if a Safety Matrix object exists in SIMATIC Manager for the Safety Matrix o
112. Table of contents (continued): 8.1 Overview of operator control and monitoring (page 123); 8.2 Starting online mode in the Engineering Tool; 8.3 Opening the Safety Matrix Viewer faceplates; 8.4 Monitoring; 8.4.1 Color codes for status display (page 128); 8.4.2 Status display; 8.5 Operating (page 131); 8.5.1 Initiator and confirmer permissions (page 132); 8.5.2 Secure Write; 8.5.2.1 Transaction for Secure Write; 8.5.2.2 Variants of Secure Write; 8.5.3 Operation of a Safety Matrix; 8.5.3.1 Operator inputs using the control bar in online mode and in the Safety Matrix Viewer; 8.5.3.2 Example: Reset effect; 8.5.3.3 Maintenance changes
113. essary to inactivate the effect. Activation of the bypass does not stop the override timer. A started override timer can always be stopped again by a positive edge of the reset override tag, independent of the bypass status. The override timer cannot be activated if the bypass is active. If the cause has become inactive, the effect can be reset by a positive edge of the reset override tag. If the cause is inactive, the bypass acts on the effect, and thus on the output tag, as long as the effect has not yet been reset by a positive edge of the reset override tag. 11.2.4 Bypass with output delay. Behavior during bypass with output delay as a function of the intersection configuration: The bypass tag with output delay is examined below. [Timing diagram: Bypass of an effect with output delay for intersection N (not stored); traces: Cause (active / inactive), Bypass (TRUE / FALSE), Effect (active / inactive), Output TAG with DTT (TRUE / FALSE); markers 1, 2 and 3.] 1, 2: the output delay timer runs. 3: bypass active. If the cause becomes inactive, the output delay timer is also stopped. 2: the bypass interrupts the output delay timer; thus the output delay can be extended by an additional time.
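The timing behavior described for the diagram above, as a cycle-by-cycle model. This is an added example, not code from the Siemens manual or the Safety Matrix product. Taken from the text: on a not-stored (N) intersection the effect follows its cause, the output delay timer runs while the cause is active, the bypass interrupts the timer so that the delay is extended, and a cause going inactive stops the timer. Assumed for illustration only: one call to step() is one cycle, the timer resumes where it was paused rather than restarting after the bypass, and the output tag is held in its non-tripped state while the bypass is active. The step sequences in the usage are constructed.

```python
# Added example (not from the Siemens manual): output delay timer of one effect with
# bypass on an N (not stored) intersection. Assumptions: one step = one cycle; bypass
# pauses (does not restart) the timer; bypass holds the output in its non-tripped state.
from dataclasses import dataclass


@dataclass
class DelayedEffect:
    delay_cycles: int
    energize_to_trip: bool = False   # DTT by default, as in the diagram
    elapsed: int = 0                 # output delay timer
    active: bool = False             # effect state

    def step(self, cause_active: bool, bypass: bool) -> bool:
        """Advance one cycle and return the output tag value (TRUE/FALSE)."""
        if not cause_active:
            # Cause inactive: effect inactive, output delay timer stopped and cleared.
            self.active = False
            self.elapsed = 0
        else:
            # N intersection: the effect follows the cause.
            self.active = True
            if not bypass:
                self.elapsed = min(self.elapsed + 1, self.delay_cycles)  # timer runs
            # Bypass active: timer interrupted, elapsed is left unchanged (assumption: pause).
        tripped = self.active and not bypass and self.elapsed >= self.delay_cycles
        # ETT: output TRUE when tripped; DTT: output FALSE when tripped.
        return tripped if self.energize_to_trip else not tripped


def run(delay_cycles: int, steps, energize_to_trip: bool = False) -> list:
    """Feed a sequence of (cause_active, bypass) pairs and collect the output per cycle."""
    eff = DelayedEffect(delay_cycles, energize_to_trip)
    return [eff.step(cause, byp) for cause, byp in steps]


if __name__ == "__main__":
    # Constructed traces: delay of 3 cycles, cause active for 6 cycles, then inactive.
    plain = [(True, False)] * 6 + [(False, False)]
    bypassed = [(True, False), (True, False), (True, True), (True, True),
                (True, False), (True, False), (False, False)]
    print("no bypass  :", run(3, plain))      # trips in cycle 3
    print("with bypass:", run(3, bypassed))   # two bypass cycles push the trip to cycle 5
```

With the bypass held for two cycles in the middle of the delay, the DTT output falls two cycles later than without it, which is the "additional time" the diagram annotates at marker 2; when the cause drops out, the timer is cleared and the output returns to TRUE immediately.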
114. ety Matrix. On the ES (Safety Matrix Engineering Tool): a Safety Matrix is created and transferred to the project; the S7 program containing the Safety Matrix program is compiled and downloaded to the F-CPU; for operator control, the EN_SWC input of the nested chart of the matrix logic (MatrixName) for enabling Secure Write is set to TRUE. On the OS (Safety Matrix Viewer): the S7 program containing the Safety Matrix program is compiled and downloaded to the F-CPU; the user(s) with the relevant permissions are set up; the configuration of the Safety Matrix faceplates is downloaded to the OS; for operator control, the EN_SWC input of the nested chart of the matrix logic (MatrixName) for enabling Secure Write is set to TRUE; when using OS clients, make sure that no default server is set for tags (in WinCC Explorer, select Server Data in the shortcut menu, select Default Server and, in the Configure Default Server dialog box, select No Default Server for the Tags component). 8.1 Overview of operator control and monitoring. Differences between operator control and monitoring on the ES and the OS (table: ES, Safety Matrix Engineering Tool / OS, Safety Matrix Viewer): Control bar / Control bar (no bypass report function on the control bar); Operator control of the Safety Matrix using Secure Write / Operator control of the Safety Matrix
115. f customer-specific F channel drivers. The Safety Matrix Engineering Tool automatically labels this type of interconnection (e.g. with a customer-specific F channel driver) with a prefix in the configuration field of the tag. See also section "Customer-specific F channel drivers", page 58. Option: Channel driver with preprocessing (prefix). You can interconnect a preprocessing for discrete and analog input tags. The Safety Matrix Engineering Tool automatically labels this type of interconnection (i.e. with a preprocessing) with a prefix in the configuration field of the tag. See also section "Preprocessing", page 57. 4.1.3 Syntax rules for tag names in the Safety Matrix. Types of tag names: The following types of tag names are possible in the Safety Matrix: internal Safety Matrix input or output tags; any signals from the safety program; internal references (Cause x, Effect x, Effect x.y); customer-specific F channel drivers. Permissible characters: The permitted character set is the range of ASCII characters from 16#20 (blank space) to 16#7a (lower-case z). Any other entered characters are ignored. In addition, the characters 16#2f (/) and 16#5c (\) are ignored. NOTICE: Ignored characters are discarded at the time they are entered, without an error message. Immediately upo
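The character rule from section 4.1.3 as a checkable function, together with the check the NOTICE above calls for: because disallowed characters are dropped silently, two names that differ only in dropped characters end up as the same stored tag name. This is an added example, not code from the Siemens manual or the Safety Matrix tool; it implements only the range 16#20..16#7a minus 16#2f and 16#5c stated in the text, and the sample names are constructed.

```python
# Added example (not from the Siemens manual): tag-name filtering per section 4.1.3 and
# a collision check for names that collapse once the tool has dropped characters.

# 16#20 (blank) .. 16#7a (lower-case z), minus 16#2f ("/") and 16#5c ("\"), as in the text.
PERMITTED = set(range(0x20, 0x7A + 1)) - {0x2F, 0x5C}


def normalize_tag_name(entered: str) -> tuple:
    """Return (name as the tool would store it, list of characters it would silently drop)."""
    kept, dropped = [], []
    for ch in entered:
        (kept if ord(ch) in PERMITTED else dropped).append(ch)
    return "".join(kept), dropped


def find_collisions(entered_names) -> dict:
    """Map each stored name to the distinct entered spellings that produce it (only where >1)."""
    buckets = {}
    for raw in entered_names:
        stored, _ = normalize_tag_name(raw)
        buckets.setdefault(stored, set()).add(raw)
    return {stored: sorted(raws) for stored, raws in buckets.items() if len(raws) > 1}


def report(entered_names) -> list:
    """Human-readable findings for a list of names taken from an engineering sheet."""
    lines = []
    for raw in entered_names:
        stored, dropped = normalize_tag_name(raw)
        if dropped:
            lines.append(f"{raw!r} is stored as {stored!r}; dropped {dropped}")
    for stored, raws in find_collisions(entered_names).items():
        lines.append(f"collision: {raws} all become {stored!r}")
    return lines


if __name__ == "__main__":
    # Constructed names: a path-style name, braces and a non-ASCII letter, plus a collision.
    sample = ["Tank/Level\\1", "PV{1}", "Druck_Ü", "Flow z", "PV/100", "PV\\100", "PV100"]
    for line in report(sample):
        print(line)
```

Running the report over a tag list before entering it into the Engineering Tool surfaces both the silently truncated names and the pairs that would collide, which the tool itself does not flag at entry time according to the NOTICE.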
116. f the CFC. You can assign, for example, the name of the Safety Matrix as the name of the new F runtime group. If this is not sufficient, divide your large Safety Matrix into several smaller Safety Matrices, if possible. We always recommend that you move large Safety Matrices to their own F runtime groups. Their F channel drivers should be created before the transfer (e.g. with support from the import/export wizard) and linked using the Use imported channel drivers (IEA support) transfer option. The position of the preprocessing can be changed if it is not part of the Safety Matrix runtime group (for example, with IEA support or custom channel drivers). Automatically generated charts: The Safety Matrix chart is an automatically created chart. You may not rename, move or delete this chart, the nested charts listed in the following table, or the nested charts they contain in turn. Description / Name in the project: nested chart of the matrix / MatrixName; nested chart of the channel drivers / MatrixName; nested chart of the alarm blocks (global) / AL_Chart; nested chart of the preprocessing / PP_Chart. 7 Compiling and downloading. 7.1 Compiling and downloading to the F-CPU. Requirements: All Safety Matrices of the S7 program
117. fail-safe capability is a central processing unit that is approved for use in S7 F/FH Systems. Additional support: If you have further questions about the use of the products presented in this manual, contact your local Siemens representative. Your contact persons are listed on the Internet at http://www.siemens.com/automation/partner. A guide to the technical documentation for the individual SIMATIC products and systems is available on the Internet. You will find the online catalog and online ordering system on the Internet at mall.automation.siemens.com. Training center: We offer courses to help you get started with the SIMATIC S7 automation system. Contact your regional training center or the central training center in D-90327 Nuremberg, Federal Republic of Germany. You will find more information on the Internet at http://www.sitrain.com. H/F Competence Center: The H/F Competence Center in Nuremberg offers special workshops on SIMATIC S7 fail-safe and fault-tolerant automation systems. The H/F Competence Center can also provide assistance with on-site configuration, commissioning and troubleshooting. For questions about workshops etc., contact hf-cc.aud@siemens.com. Technical Support: To contact Technical Support for all Industry Automation products, use the Support Request Web form: http://www.siemens.com/automation/support-reques
118. fety Matrix Viewer or in the Safety Matrix Engineering Tool. The operator can display this buffer in the Safety Matrix Viewer and retrace the last events. The event log is a circular buffer with a maximum of 100 entries, i.e. the oldest entries are overwritten. The event log cannot be archived by the PCS 7 OS; for tracing events after the buffer has wrapped, rely on the PCS 7 operation list and the alarm logging, which the OS retains. 8.6.2 Operation messages of the Safety Matrix Viewer: If the Safety Matrix Viewer generates an operation message in the PCS 7 operation list, it simultaneously enters an event in the event log. Entries in the PCS 7 operation list: The Safety Matrix Viewer enters the operations in the PCS 7 operation list. All operation entries contain the following information: time of the operation; type of operation; reason entered by the operator for the operation (output in the Operation column); logged-on operator. Depending on the type of operation, additional information is logged in the Operation column: Cause bypass: cause number, cause description. Safety Matrix control functions: Reset FO alarm: number of the FO alarm group. Override effect: effect number, effect description. Reset effect: effect number, effect description. Start and stop cause tag simulation: cause number, cause description, tag number, tag name, starte
119. ffect the function of the bypass tag. They act independently of each other. If Auto acknowledge active cause is not set, a manual acknowledgement is necessary to deactivate a cause. The bypass tag merely suppresses an activated cause without acknowledging it. In addition to the bypass TAG, a permission for soft bypass can also be configured. The user can then control the bypass via an operator input. 11.1.4 Auto acknowledge active cause. Behavior with Auto acknowledge active cause: If Auto acknowledge active cause is configured, the cause becomes inactive automatically as soon as the tripping conditions are no longer satisfied. If Auto acknowledge active cause is not configured, the operator must manually acknowledge an active cause. The cause remains active until it has been acknowledged. If an OFF delay or a timed cause is configured, the configured Auto acknowledge active cause has no effect. 11.1.5 Trip on bad quality. Behavior in case of bad quality: If Trip on bad quality is activated, the quality errors signaled by the F channel driver cause the input tag to satisfy the trip condition and, depending on the function type, the cause to become active. 11.1.6 Alarm on any input trip. Alarm behavior with multiple input TAGs: If a cause is configured with more than one input tag
120. g a cause/effect matrix file. Importing: When Safety Matrices are created and revised, it may be necessary to insert matrix logic developed outside of a SIMATIC project into the S7 program. This is referred to as importing a Safety Matrix. A possible example would be a generic cause/effect matrix for an emergency shutdown that was developed by a corporate research and development department and is to be installed at different locations for integration into a local project. Exporting: A created Safety Matrix can be checked and further edited on a PC outside of PCS 7 or STEP 7. For this purpose, you must export your Safety Matrix to a cause/effect matrix file (.cem). For example, the initial version of a Safety Matrix can be created on a workstation with the Safety Matrix Engineering Tool. The logic of the Safety Matrix can be saved and sent by e-mail to remote colleagues, who can then revise the logic for local conditions. After importing such a file, you can verify that the logic matches the sender's version with Options > Compare Matrix with (see chapter 9). 4.6.1 Importing a cause/effect matrix file (.cem) to a PCS 7 project. Introduction: All matrices that were created and edited with the Safety Matrix Editor must be imported to the SIMATIC project in this manner. For the transport, the matrix must be available in the format of a cause/effect matrix file (.cem). The .cem file contains all of the configuration data for a particular Safety Matrix. Note: It is not possible to re-import a matrix file if a CFC chart of the same name already exists. In this
121. > Accept changes automatically with Save, or Accept changes automatically with Save As.
4.3 Configuring the causes
4.3.1 Overview for configuring the causes
Introduction: Analog and discrete values can be selected as the input type. At least one but no more than three values, together with the function type, represent a cause.
Discrete input tags: Either of the following can be selected for each discrete input tag of a cause:
• Energize to trip (ETT): trip if TRUE
• Deenergize to trip (DTT): trip if FALSE
The following table assumes that DTT is always specified; thus the input tag is active if it is FALSE. In addition, the input tags can be checked for quality. In case of insufficient quality, the cause will be tripped.
Analog input tags: In the case of analog values, the input tag is activated in accordance with a limit. If this limit is exceeded or fallen below, the cause becomes active. If multiple analog input tags are used for a cause, a delta specified by the user is evaluated. If the values differ by more than this delta, a delta alarm (TagX/TagY) is tripped. In addition, the input tags can be checked for quality. In case of insufficient quality, the cause will be tripped.
Table 4-1 Mutual dependencies of the cause parameters (columns): Input type | Number of [tags] | Function type | Limit type | Cause is tripped
122. h the most recently saved version of the Safety Matrix
• Comparison of the current Safety Matrix with the version of the Safety Matrix last transferred to the project
• Comparison of the current Safety Matrix with the Safety Matrix downloaded to the F CPU
Select the Options > Compare Matrix with... menu command and select the required comparison type:
• Matrix: You must have opened both Safety Matrices to be compared in the Safety Matrix Engineering Tool.
• Storage: The Safety Matrix is compared with its stored version. The comparison shows you the changes that you have made to the Safety Matrix since it was last saved.
• Program/CPU: The result of the comparison shows you whether the following are the same or different: matrix signature, parameter values, causes, effects and intersections.
9.2 Comparing CFC charts
Introduction: The Compare programs dialog box allows you to compare all the CFC charts in a chart folder that were created by the Safety Matrix Engineering Tool during a transfer operation, and to display and print out any discrepancies. This comparison is useful during commissioning and for the system acceptance test. The result of the comparison shows you whether the following are the same or different:
• Collective signature
• Matrix signatures
• Parameter values
• Causes, effects and intersections
123. hart connection
• apostrophe ('): Must not be located at the end of a symbol
• at sign (@): Must not be located at the start of a symbol, because here it serves to label the tag as an external address
Any signals from the safety program: Maximum number of characters (not including prefix/suffix): 24. Special syntax rules apply to chart entries in the CFC, which in turn also apply to all tags with the prefix or suffix:
• The name must start with a letter (with suffix) or with a letter or underscore (with prefix).
• Only letters, numbers and underscores are allowed within the name.
• Underscores must not be used more than once in succession.
• An underscore must not be used at the start of the name (with suffix) or at the end of the name.
Examples of valid chart connection names:
• TIC4711
• TIC_4711
• 4 321
Examples of invalid chart connection names:
• 4711 (number at start)
• TIC__543 (repeated underscore)
• TIC_4711_ (underscore at end)
• _TIC_4711 (underscore at start, with suffix)
Internal references: Cause x, Effect x, Effect x.y. Selection of internal references is guided by menus.
Preprocessing
Preprocessing of input tags: You can interconnect a preprocessing for discrete and analog input tags. Preprocessing involves a CFC chart th
124. have access to the following options for integrating tags into the Safety Matrix:
Option External connection (prefix): If a cause or effect will be interconnected with any signal from the safety program, you must choose one of the following options when configuring the tag:
• For input tags (causes, or for example a bypass tag), a chart input is created in the nested chart of the matrix logic for assignment from the CFC.
• For output TAGs (effects), a chart output is created in the nested chart of the matrix logic for processing the effect TAG in the CFC.
Option Internal reference (Cause x, Effect x or Effect x.y): You can continue to process the status of a cause, effect or effect tag within the Safety Matrix at an input tag. You must select Cause x or Effect x TAG y for this purpose.
Option Channel driver (internal Safety Matrix input and output tags): The Safety Matrix Engineering Tool automatically places F channel drivers of SIMATIC F modules for input and output tags. This takes place during the transfer to a CFC chart, if F channel drivers of SIMATIC F modules do not yet exist for the respective F channels.
• Option Channel driver with monitoring (suffix): An F channel driver is always created in the nested chart of the channel drivers, the same as for input and output tags. In addition, the following occurs: For input tags, a chart output is created in the nested chart of the channel drivers for
125. he initiator and/or confirmer permission, users must have the specified permission level for each operator function to be performed. You configure the assignment of Safety Matrix functions to a permission level on the OS permissions tab of the Properties dialog box in the PCS 7 OS (see Chapter Properties dialog box of the Safety Matrix).
Setting up user permissions for operators: Create the following users, depending on whether the transaction is to be performed by two operators or by one operator only.
Operation with two operators: If the operation of a Safety Matrix is to be transacted by two operators, create two users:
• The initiator starts the Safety Matrix operation via Secure Write. This user must have the permission that is assigned to the Initiator attribute in the properties of the Safety Matrix. However, the initiator does not have permission to confirm the operation.
• The confirmer verifies and confirms the operation. This user must have the permission that is assigned to the Confirmer attribute in the properties of the Safety Matrix. However, the confirmer does not have permission to initiate the operation.
Operation with one operator:
• If only one operator is to perform all of the transaction steps, but the transaction is to be performed with initiator/confirmer access protection, create a user who has both of the permissions that are assigned to the Initiator and Confirmer attributes in the properties
126. he number of intersections having X as a coefficient. Only one XooN assignment is allowed for each effect. Only intersections of the same type (for example, all S or all N) can be taken into consideration for assignment according to the majority principle. The following figure shows examples of this method of intersection assignment.
(Figure: Examples of intersection assignment according to the majority principle: 2oo3, 5oo6, 3oo4 and 2oo2 assignments for intersections of type V (Overridable), N (Not stored) and S (Stored); the cause descriptions include Furnace Pressure.)
Note: The Safety Matrix offers a convenient method for collectively processing the safety logic. If required, all effects can be activated simultaneously. This is possible by configuring a single cause and interconnecting it with all effects through an intersection. If this cause becomes active, it trips every effect logic, including configured time delays. For ... intersection assignment and information on how effects ... the configured intersection types, see Chapter ... (Page 161).
4.6 Importing/exporting a cause effect matrix file
127. intout of the current Safety Matrix. The Print command is only available in offline mode.
• Print preview: Shows a preview of the file that is to be printed out.
• Page setup: The Page setup dialog box offers various options for setting up the pages to be printed.
• Recent files: The Recent files command provides you with a list of recently opened Safety Matrix files for selection.
• Exit: Closes all dialog boxes and exits the program. The Exit command is only available in offline mode.
Edit menu command (Command / Function):
• Properties: The Properties dialog box provides you with comprehensive information and possible entries for the general properties of the Safety Matrix. See Chapter Properties dialog box of the Safety Matrix (Page ...).
• Delete all: Deletes the entire Safety Matrix, including the revision history, comments, etc. In addition, the size of the Safety Matrix is reset to 16 causes and 16 effects.
Monitor menu command (Command / Function):
• Configure: The Configure dialog box allows you to specify the duration in seconds of the monitoring cycle, i.e. the cycle time for updating the user interface.
• Monitor On/Off: Switches online mode on and off.
View menu command (Command / Function):
• Customize: Opens the Customize Layout and Customize Colors dia
128. ion Chart (CFC)
Notes
Control bar functions 131
Critical changes 75
Customer-specific channel driver
Customer-specific F channel drivers 53, 55, 183
Index
D
Deenergize to trip (DTT)
DIAG_V: F_SC_AL 66; F_SE_AL
Downloading the SIMATIC project to the F CPU
DTT 21, 82
E
Editing permission levels 78
Editing the properties (Customize) 81
Effect 96, 166; Alarms 99; Creating/changing; Effect details; Alarms; Configuring; Options
EN_SWC
Enable AnyInputTrip alarm 90
Energize to trip (ETT) 21
Entries in the event log 144
ETT 21
Event log
Executable sequence 116
Export of a Safety Matrix
Exporting (Safety Matrix) 104
Connections 62
F_SC_AL: Connections
F_SE_AL: Connections 68
Fail-safe systems: Access protection 107
F channel drivers 53, 55
F channel drivers from S7 F Systems
Function type 21; Cause 82, 87; Effect 94, 184
G
Group acknowledgement 53
IEA support: Transfer option 414
Import of a Safety Matrix 103
Importing (Safety Matrix)
Inactive P1
Information areas of the Safety Matrix user interface IE
Inhibit tag
Initial acceptance test of a safety program 154
Initiator 136, 140
Input and output tags 53, 55
Input trip on bad quality 90
Installing: Requirements 25; Safety Matrix components 26
Interface assignment according to the majority principle
Internal references 53, 55
Intersection 100; Editing/changing Intersec
129. ioned nor deleted.
6.7 Transferring the Safety Matrix to the project
Transfer of Safety Matrix: When the Safety Matrix is transferred, it is checked for configuration errors such as causes without intersections. The results of this check are displayed in the log window. Use the Show details button to open the log window of the transfer operation. If the results of the check are okay, the Safety Matrix Engineering Tool performs a comparison between the current Safety Matrix and the Safety Matrix stored in the project. Any discrepancies are displayed in the log window. You are prompted to check the changes before continuing the transfer.
Result: During the transfer, a basic CFC chart with the name of the Safety Matrix is created in the SIMATIC project. The chart contains a protected nested chart (MatrixName) which contains the complete Safety Matrix configuration. A second nested chart (MatrixName) contains the automatically created F channel drivers. The F channel drivers that were interconnected by means of IEA support are not moved to here. The following figure shows the chart generated during the transfer of a Safety Matrix named Matrix 2.
(Figure: Nested chart of the channel drivers, M
130. ipts, the Safety Matrix faceplate must be closed manually before the new user logs on.
Note: If user settings for the block icon of a Safety Matrix are to be retained during a subsequent OS compilation of an existing picture, you must clear the Derive block icons from the plant hierarchy option for this WinCC picture.
8.3 Opening the Safety Matrix Viewer faceplates
Requirements for generating block icons: To generate the block icons for the Safety Matrix described below, the message blocks must be configured (see section Message configuration, Page 60) and the Safety Matrix must be transferred with the Position alarm blocks option selected (see section Transferring the Safety Matrix to the project, Page 109).
Opening the Safety Matrix Viewer:
1. Log on to the OS as a user with the required permissions.
2. Open the picture containing the desired Safety Matrix block icons. During OS compilation of the Safety Matrix, the corresponding block icons are generated for the configured message blocks F_MA_AL (Safety Matrix, 1 time), F_SC_AL (causes, x times) and F_SE_AL (effects, x times). These icons offer different views. Specifically:
• View of the entire Safety Matrix
• View of an individual cause with associated intersections and effects
• View of an individual effect with associated intersections and causes
3.
131. is stopped, or
• the maximum override time is exceeded.
• If the cause becomes inactive, the effect also becomes inactive, irrespective of whether the output delay time or the override timer is running at the time.
• The override tag has no effect as long as the output delay timer is running or the cause is inactive.
Reset/override of an effect with output delay for intersection R (Resettable and overridable)
(Figure: timing diagrams for intersection R with a DTT output tag, showing Cause, Reset/override tag, Effect and Output TAG over time; the override timer is started, stopped and restarted while the output delay timer runs.)
Legend:
• Alarm: Time out when the effect is overridden; the alarm is cleared either via an operator input or through a restart of the override timer.
• Output delay timer runs
• Override timer runs
• Time < Maximum override time
• Time > Maximum override time
This intersection forms the combi
132. ition alarm blocks option selected:
• On the Alarms tab (see section Properties dialog box of the Safety Matrix, Page 74)
• On the Options tab of the Transfer to project dialog box (see section Transferring the Safety Matrix to the project, Page 109)
During OS compilation of the Safety Matrix, the corresponding block icons are generated for the configured message blocks F_MA_AL (Safety Matrix, 1 time), F_SC_AL (causes, x times) and F_SE_AL (effects, x times). These icons offer different views. Specifically:
• View of the entire Safety Matrix
• View of an individual cause with associated intersections and effects
• View of an individual effect with associated intersections and causes
See also: Section Properties dialog box of the Safety Matrix (Page 74)
8.6.4 Alarms
Alarms of Safety Matrix: In online mode, the Safety Matrix displays alarms below the control bar in red text, e.g.:
• Transaction running
• Matrix is not being edited
• Communication error
9 Documentation of a Safety Matrix
9.1 Introduction
Procedure: Comparing Safety Matrices: You can use the Compare Matrix with... menu command to compare Safety Matrices on the basis of information that is stored in .cem files, and to display and print discrepancies:
• Comparison of the current Safety Matrix with another currently opened Safety Matrix
• Comparison of the current Safety Matrix wit
133. itoring using STEP 7 / SIMATIC Manager on a PCS 7 Engineering System (ES)
Safety Matrix Viewer | Operator control and monitoring by means of a faceplate on a PCS 7 Operator Station (OS) | PCS 7 Operator Station (OS) | Online: operational phase, operator control and monitoring
1.3 Example view of a Safety Matrix
The following figure shows an example view of a Safety Matrix.
(Figure: screenshot of the SIMATIC Safety Matrix window Matrix01_SafetyMatrix / SIMATIC 400(1) / CPU 414, with the menus File, Edit, Monitor, View, Options, Window and Help, the All Groups selection, the cause columns Cause descr., Func, Limit, Trip, Unit and MFT, and the effect rows Effect descr., Output Tag, Intersection, MFT, Stored and Set.)
Example: If Cause 1 becomes active (trip if FALSE, i.e. when input tag = 0), Effect 1 is tripped and stored.
1.4 Definition of terms
Main terms of the Safety Matrix (Cause, Effect, Intersection, Active) are explained below.
Cause: A cause represents a process event. The cause represents the trigger for activating an effect. Certain conditions must be fulfilled in order for the cause to become active and thus to trigger an effect defined by an intersection. Analog or
134. knowledgement request
FIRSTOUT | BOOL | First Out alarm: 1 if the cause is the first cause in its FO group to be tripped
Name | Data type | Description
ACTIVE | BOOL | 1: Cause has tripped; 0: Cause has not tripped
ANY_BYP | BOOL | Bypass active: 1 if one of the following bypasses is active: hard bypass, soft bypass, inhibit, simulation of a tag
PRE_AL | BOOL | Pre-alarm active: 1 if an analog tag of the cause has exceeded the configured pre-alarm limit (P_LIM_V)
ANY_DIAG | BOOL | 1 if diagnostic messages exist (DIAG_V not 0)
CH_STAT1 | WORD | If the tag (TAG1) is linked to a channel driver, the channel status is indicated here; see Table CH_STATx below
CH_STAT2 | WORD | If the tag (TAG2) is linked to a channel driver, the channel status is indicated here; see Table CH_STATx below
CH_STAT3 | WORD | If the tag (TAG3) is linked to a channel driver, the channel status is indicated here; see Table CH_STATx below
ELAP_TM | DINT | Time elapsed for time delay (DELAY_V) in ms
CONFIG_V: The information in output parameter CONFIG_V of cause message block F_SC_AL is stored as follows (Bit No. / Assignment):
Bit 0: Input trip on bad quality
Bit 1: (no assignment listed)
Bit 2: Soft bypass allowed
Bit 3: Auto acknowledge active cause
Bit 4, Bit 5: Function type (1 = Normal, 2 = 2oo3
135. Inactive: A cause or effect can be inactive, which means that the conditions for activation are not fulfilled. Whether or not the cause is inactive is determined by the input tags, the function type and the options for the cause. The deactivation of an effect depends on the relationship to the causes defined by intersections, and on the options for the effect. If an effect is inactive, the output tags are set to 0 or 1, depending on the Energize to trip option.
Energize to trip (ETT): Trip if TRUE. The cause is active if input tag = 1 (high active). The output tag is 1 if the effect is active.
WARNING: Safe state for digital F I/O. The safety concept is based on the existence of a safe state at all process variables. For digital F I/O this is the value 0; this applies to sensors as well as to actuators. For this reason you must implement suitable measures, such as redundancies, in the application.
Deenergize to trip (DTT): Trip if FALSE. The cause is active if input tag = 0 (low active). The output tag is 0 if the effect is active. This negative logic is the default setting for the inputs and outputs of the Safety Matrix. By default, the input tag activates the cause according to the Deenergize to trip principle, which means that a cause becomes active if the input tag is 0. The cause becomes inactive if input tag = 1. If
136. Control bar functions: Reset effect / Override effect
Function: The label on this button is either Reset effect or Override effect, depending on the status of the selected effect. User permission required on the OS.
• Reset effect: If an effect is tripped by an intersection of type S (stored) or R (resettable and overridable), it remains active even if it is no longer tripped by the cause. The effect can be reset if it is no longer tripped. To do so, click Reset effect. This function is only available if a reset is possible for the selected effect (indicated in green) and a reset/override tag is not configured. (EffectResLevel)
• Override effect: If an effect is tripped by an intersection of type V (overridable) or R (resettable and overridable), the output tags of the effect can be set to the operating values even though the effect is still pending. This is referred to as the override function. If this option is provided for the selected function, you can use the button to enable the override function, provided a reset/override tag is not configured. Click the Override effect button to disable the effect.
Note: The duration of the override function should not exceed the maximum time specified under options (Maximum override time). If the time is exceeded, an alarm is triggered. If another cause that is interconnected with the effect becomes active during the override time, the override function s
137. l upgrade, the following change is listed for each Safety Matrix: Safety Matrix non-critically changed; New version of matrix; SWC: Parameter has been modified. Also compare the safety program with the backup copy. To do so, click the Compare button in the Customize safety program dialog box in SIMATIC Manager.
Result of the comparison in Step 12: The result of the comparison is a list with three sections: Runtime level, Chart and Changed system charts. Changes in the matrix listed in the Chart section (format: Matrix name chart / Matrix name chart) are better interpreted with the menu command Tools > Compare Programs and can therefore be ignored at this point. The F Matrices chart is created automatically. After a successful upgrade, the following changes are listed in the Runtime level section:
In each OB with safety program:
• Block F_CycCo OBxx / F_TEST: Signature Changed
In each runtime group with Safety Matrix F blocks:
• One entry per Safety Matrix: Block MatrixName / MatrixName / Libvers (F_AND4): Added
• One section per Safety Matrix Status_DB: Block Matrixname / Matrixname / C_Status (F_StatDB): Signature Changed; Interface Changed xxx <> xxx; SM_VER Value 16#0003 < 16#0001; DB_Num Structure CHAR < BOOL; FlowCnt Deleted; CYC Deleted
Block MatrixName / MatrixName
138. log boxes. These dialog boxes offer numerous options for adjusting the appearance of the Safety Matrix as well as the information displayed. See Chapter Adjust dialog boxes (Page 79).
• Update (<F5>): Redraws the current Safety Matrix. This function allows you to apply changes that were made to the symbol table and the safety program while the Safety Matrix is open. In addition, this function can be used to adjust the cell width of the cause and effect cells based on the longest entered character string.
Options menu command (Command / Function):
• CFC: Compiles the SIMATIC project. See Chapter Compiling and downloading (Page 119).
• CPU: Use this command to download the SIMATIC project to the automation system. See Chapter Compiling and downloading (Page 119).
• Track changes: If you select the Accept changes command, you will be prompted to check the log file and specify which changes you want to accept (critical / not critical). In addition, you can specify whether changes are to be applied automatically during a Save or Save as operation.
• Compare matrix with...: Use this command to compare the Safety Matrix with other Safety Matrices. See Chapter Comparing Safety Matrices (Page 147).
• Compare programs: The Compare programs dialog box allows you to compare all the CFC charts in a chart folder that were created by the Safety Matrix Engineering Tool during a transfer operation and to
139. lt setting is 60 s.
3. After a successful upgrade, the change ... can be conducted as defined in section ... (Page 153). An additional function test is not ... for the ... listed under steps 11 and 12, as described in section Introducing the new ... block icon into the PCS 7 OS (Page 28).
5. Compile and download the OS.
6. Download the S7 program to the F CPU.
2.5.3 Use case 2
Objective: Update of the Safety Matrix Engineering Tool as well as the Safety Matrix library.
Introduction: This use case helps you when migrating from Safety Matrix V6.1 to Safety Matrix V6.2 with a Safety Matrix library update.
Requirements: A project has been compiled and downloaded (acceptance tested, if necessary). This project must contain the Failsafe Blocks V1_2 SP1 or higher of the F Library. You can verify this as follows:
• Open the block folder of the program in the detail view in SIMATIC Manager. In the Version (Header) column, 3.1 or higher must be specified for the following F channel drivers: F_CH_DI, F_CH_DO, F_CH_AI.
• No changes are allowed to be made offline that have not also been downloaded online.
Consequences:
• Changing the collective signature
• Requires a complete download with CPU STOP
140. mask enable tag are configured. Process data pass-through is activated. Thus the output tag acts according to the following logic:
(Figure: timing diagram of Effect, Process data tag, Mask enable tag and Output TAG, with callouts 1 and 2.)
• (1) If the effect is not active, the value of the process data tag is always switched to the output tags, irrespective of the value of the mask enable tag.
• (2) If the effect is active, the value of the process data tag is only switched to the output tags if the mask enable tag is TRUE.
Glossary
2-operator scenario: During configuration of the Safety Matrix in the PCS 7 OS, you can select a 2-operator scenario (4-eyes principle). Two operator roles are defined for this purpose: initiator and confirmer.
• Initiator: the operator may start an operation
• Confirmer: the operator may confirm an operation
In addition to the initiator and/or confirmer permission, users must have the specified permission level for each operator function to be performed.
Access protection: → Fail-safe systems must be protected against dangerous unauthorized access. Access protection for F Systems is implemented by assigning two passwords, one for the → F CPU and one for the → safety program.
Active: A cause or effect can be active, which means that it has been tripped. Whether or not a cause is
141. n configuration area of the Safety Matrix, the context menu provides the following functions for selection, according to whether the clicked intersection is empty or filled:
Empty intersection of a configured cause and effect:
• Change intersection
• Insert intersection: N (Not stored), S (Stored), V (Overridable), R (Resettable and overridable), X (Not specified, for note only), XooN (Specify X)
Filled intersection of a configured cause and effect:
• Copy intersection
• Cut intersection
• Change intersection
• Delete intersection
• N (Not stored), S (Stored), V (Overridable), R (Resettable and overridable), X (Not specified, for note only), None, XooN (Specify X)
4.5.2 Intersection details dialog box
Configure tab
Procedure for editing/changing an intersection: In the interface configuration area of the Safety Matrix, double-click an intersection (empty or filled), or click the intersection and select Change intersection in the context menu. The Intersection details Cause x / Effect x dialog box is opened and you can create or change the intersection.
Configure tab (Field / Description):
• N (Not stored): Simple pass-through function. If the cause is active, the effect is tripped.
• S (Stored): If the cause is active, the effect is tripped and stored. If the effect is no longer tripped, the operato
142. n entry, you must verify that the tag name was entered correctly. Otherwise, compilation errors (symbol not defined) or collisions with existing symbols may occur. Both upper-case and lower-case letters may be entered, but the symbols are not case-sensitive, i.e. the symbols TIC2344, TiC2344 and tic2344 are identical. Internal references are an exception (see below).
Internal Safety Matrix input or output tag: Maximum number of characters: 24. Internal Safety Matrix input/output tags are tags that are completely interconnected by the Safety Matrix during the transfer to the chart, possibly also by means of the Import/Export Assistant (see section Transferring a Safety Matrix, Page 109). The following characters are allowed for an internal Safety Matrix tag:
• Special characters: & < > J
• Numbers: 0123456789
• Upper-case letters: ABCDEFGHIJKLMNOPQRSTUVWXYZ
• Lower-case letters: abcdefghijklmnopqrstuvwxyz
The following special characters must not be used:
• quotation mark (")
• period (.)
• percent sign (%)
• tilde (~)
The following special characters must not be used in certain positions:
• blank character: Must not be located at the start or end of a symbol
• number sign (#): Must not be located at the start or end of a symbol, because here it serves to label the tag as a c
143. nation of intersections S and V with output delay, with the special feature that a reset is not necessary if the override timer is still running when the cause becomes inactive.
11.2.3 Bypass
Behavior during bypass as a function of the intersection configuration: In addition to the reset/override tag, the bypass tag will now be examined.
Bypass of an effect for intersection N (Not stored):
(Figure: timing diagram of Cause, Bypass, Effect and Output TAG (DTT), with the bypass period shown as a gray zone.)
• Gray zone: Bypass active
• As soon as the bypass becomes active, the effect becomes inactive. With intersection N, this has a direct effect on the output tag.
• If the cause becomes inactive, the bypass tag no longer acts on the effect or output tag.
Bypass of an effect for intersection S (Stored):
(Figure: timing diagram of Cause, Reset/override tag (three reset attempts), Bypass, Effect and Output TAG (DTT), with the bypass period shown as a gray zone.)
• Gray zone: Bypass active
• Reset has no effect if the cause is active.
• The reset can take place only when the cause has become inactive.
• If the cause is inactive, the bypass acts on the effect and thus on the ou
144. nce.
Compare with:
• Current safety program: The last saved reference is compared with the current safety program (backward comparison).
• Other project: The last saved reference is compared with another program. Use the Browse button to select the offline program.
Browse button: Use this button and the Open dialog box to select the offline program of any project to be compared, provided you have selected the Other project option under Compare with.
Start button: Click this button to start the comparison.
Result: The result of the comparison shows whether a cause/effect is new, or has been changed or deleted.
• For elements from the source for which no element is found in the reference, "Cause/Effect x new" is output (x refers to the source).
• For elements from the reference for which no element is found in the source, "Cause/Effect x deleted" is output (x refers to the source).
• For elements for which a difference is found, "Cause/Effect x changed" is output (x refers to the source and is determined from the number of the predecessor element).
Finally, the intersections are compared on the basis of the assigned cause/effect pairs. If an intersection for a cause/effect pair is found in the reference, this is compared with the corresponding intersection in the source
…nd 3
Bit 30: Delta alarm TAG3 and 1
Bit 31: Tripping of a tag

CH_STATx

The information in output parameters CH_STAT1 to 3 of cause message block F_SC_AL is stored as follows:
Bit 0: QBAD
Bit 1: QSIM inactive
Bit 2: PASS_OUT (error)
Bit 3: ACK_REQ
Bit 4: PASS_ON
Bit 5: Redundant module present
Bit 6: PROFIsafe failure
Bit 7: PROFIsafe module failure on redundant module
Bit 8: QCHF_LL (analog tag only)
Bit 9: QCHF_HL (analog tag only)
Bit 10: QSUBS
Bits 11 to 15: not assigned

Additional information can be obtained from the corresponding F channel driver.

See also: Safety Matrix message block F_MA_AL (Page …); Effect message block F_SE_AL (Page …)

4.1.6.4 Effect message block F_SE_AL

Additional information for further processing

Additional information for further processing is available in effect message blocks F_SE_AL in the CFC. In addition, you can configure functions such as "Disable alarms during power-up" in the CFC.

Connections of effect message block F_SE_AL

Name | Data type | Description
Inputs:
• M_Name | String[16] | Matrix name
• Number | INT | Effect number
• MSG_LOCK | BOOL 1 | Disable all alarms
Outputs:
• CONFIG_V | DWORD | Effect configuration (see table below)
…ng

STATE_V

The information in output parameter STATE_V of effect message block F_SE_AL is stored as follows:
Bit 0: Bypass active (bypass tag or soft bypass)
Bit 1: Soft bypass active
Bit 2: Process data pass-through active
Bit 3: not assigned
Bit 4: Old value reset/override tag
Bit 5: Override permitted
Bit 6: Acknowledgement request for reset
Bit 7: Effect interlocked
Bit 8: Effect active
Bit 9: Time manipulation active
Bit 10: Mask enable tag active
Bit 11: Override active
Bit 12: TAG1 simulation
Bit 13: TAG2 simulation
Bit 14: TAG3 simulation
Bit 15: TAG4 simulation
Bits 16 to 22: not assigned
Bit 23: Effect used
Bit 24: Effect "not stored" is requested
Bit 25: Effect "stored" is requested
Bit 26: Effect "overridable" is requested
Bit 27: Effect "resettable and overridable" is requested
Bit 28: Value TAG1 that was generated by the Safety Matrix
Bit 29: Value TAG2 that was generated by the Safety Matrix
Bit 30: Value TAG3 that was generated by the Safety Matrix
Bit 31: Value TAG4 that was generated by the Safety Matrix
…nged

New version of matrix

When using the S7 F Systems Lib V1_3, you will also get a non-critical change for each symbolically interconnected TAG in the form "VMODx_B R_y Tag name <> 0 0 0". Also compare the safety program with the backup copy. To do so, click the Compare button in the "Customize safety program" dialog box in SIMATIC Manager.

Result of the comparison in Step 12

The result of the comparison is a list with three sections: Runtime level, Chart, and Changed system charts. Changes in the matrix listed in the Chart section (format: Matrix name / chart) are better interpreted with the menu command Tools > Compare Programs and can therefore be ignored at this point. The F Matrices chart is created automatically.

Runtime level

After a successful upgrade, the following changes are listed in the Runtime level section, in each runtime group with Safety Matrix F blocks:
• One section per Safety Matrix Status_DB:
  Block MatrixName MatrixName C_Status (F_StatDB): Signature changed; SM_VER value 16#0003 < 16#0002
  Block MatrixName MatrixName E_Status (F_StatDB): Signature changed; SM_VER value 16#0003 < 16#0002
• One section for each F_Cause F-FB per Safety Matrix:
  Block Matrixname Matrixname Cxx (F_Cause): Signature changed; Interface changed
…nline mode in the Engineering Tool

8.3 Online mode of the Safety Matrix Engineering Tool

Introduction

Online mode of the Safety Matrix Engineering Tool allows you to monitor the status of a Safety Matrix that has been downloaded to the F-CPU.

Starting and stopping online mode

Select the Monitor > Monitor On/Off menu command to start/stop online mode. The Safety Matrix Engineering Tool sets up the connection to the Safety Matrix in the F-CPU. Once the connection is set up, the current status of the causes and effects is displayed.

Opening the Safety Matrix Viewer faceplates

During runtime you can start the Safety Matrix Viewer from WinCC. The Safety Matrix Viewer represents the Safety Matrix in a visual display corresponding to how it is configured and monitored in the Safety Matrix Engineering Tool. The Safety Matrix Viewer displays the overall configuration of a Safety Matrix, including causes, effects and intersections. The configuration cannot be changed. The Safety Matrix Viewer enables simultaneous operator control and monitoring of multiple matrices. In addition, the Safety Matrix Viewer supports simultaneous monitoring of a Safety Matrix on multiple client stations.

Note: In the event of a WinCC user change, the Safety Matrix faceplate that is currently open will close automatically and can only be reopened using the permissions of the new user. If the Safety Matrix faceplate is opened during a WinCC user change (e.g. due to changes in WinCC scr…
…ntered by default. Specify at least one tag for each effect. Refer to section "Syntax rules for tag names in the Safety Matrix" (Page 55) in this regard.
• I/O button: To open the "Select I/O tag" dialog box, click the I/O button. See section "Tags of the Safety Matrix" (Page 53).
• … button: The button appears if the "Channel driver" option was selected in the "Select I/O tag" dialog box. Click the button to open the "Channel driver" dialog.
  • On the Parameter tab you can do the following for F channel drivers that are selected via symbols: specify whether the simulation takes precedence over errors (parameter SIM_MOD in F channel driver F_CH_DO).
  • In the Options tab you can select whether you want to specify a start value for simulation, and specify a start value for the simulation of this output tag.
  These parameters can also be edited directly at the F channel drivers in CFC charts (including interconnection). If you use this option, you must be aware that overlaps can occur. The data saved to the CFC take precedence.

Action: In this field, enter a text containing up to 8 characters that describes which action will be initiated when the effect is active (for example, "open"). This value is used only for display/documentation purposes.

Energize to trip: This option for the output tags specifies when the output tag is set to 0 or 1. In deenergize-to-trip applications, the outp…
…nual

Bit 20: Positive edge on bit 8
Bits 21, 22: not assigned
Bit 23: Cause used
Bits 24 to 27: not assigned
Bit 28: Value TAG1 to be processed in the Safety Matrix
Bit 29: Value TAG2 to be processed in the Safety Matrix
Bit 30: Value TAG3 to be processed in the Safety Matrix
Bit 31: not assigned

DIAG_V

The information in output parameter DIAG_V of cause message block F_SC_AL is stored as follows:
Bits 0 to 3: not assigned
Bit 4: Configured First Out Alarm Group
Bits 5 to 7: not assigned
Bit 8: PROFIsafe module failure TAG1
Bit 9: PROFIsafe module failure TAG2
Bit 10: PROFIsafe module failure TAG3
Bit 11: not assigned
Bit 12: Pre-alarm TAG1
Bit 13: Pre-alarm TAG2
Bit 14: Pre-alarm TAG3
Bit 15: not assigned
Bit 16: Incorrect configuration
Bit 17: SDF error (error in safety data format)
Bit 18: Configuration changed
Bit 19: not assigned
Bit 20: Channel fault TAG1
Bit 21: Channel fault TAG2
Bit 22: Channel fault TAG3
Bit 23: not assigned
Bit 24: Bad quality TAG1
Bit 25: Bad quality TAG2
Bit 26: Bad quality TAG3
Bit 27: not assigned
Bit 28: Delta alarm TAG1 and 2
Bit 29: Delta alarm TAG2 a…
…o a higher-level process control system.

Configuring (http://support.automation.siemens.com/WW/view/en/27002558), Operating Manual

Guide

This documentation describes the use of the Safety Matrix Engineering Tool, Safety Matrix Viewer and Safety Matrix Editor optional packages. It includes both instructional material and reference material (description of possible parameter assignments). The following topics are addressed:
• Configuring the safety program (safety-related user program) for S7 F/FH Systems
• Transferring, compiling and downloading the Safety Matrix
• Access protection for the Safety Matrix
• Operator control and monitoring in PCS 7
• Support for the system acceptance test

Conventions

In this documentation, the terms "safety engineering" and "fail-safe engineering" are used synonymously. The same applies to the terms "fail-safe" and "F". The term "configuring" used here corresponds to the term "programming" used in the referenced documentation. When S7 F Systems appears in italics, it refers to the optional package for the S7 F/FH Systems fail-safe system. The term "safety program" refers to the fail-safe portion of the user program and is used instead of "fail-safe user program", "F program", etc. For purposes of contrast, the non-safety-related user program is referred to as the "standard user program". "F-CPU" denotes a CPU with fail-safe capability. An F-CPU with…
…o the safety program
• Starting the first operation via Secure Write in online mode of the Safety Matrix Engineering Tool
• Disabling and enabling safety mode

Password validity

The access permission lasts for one hour after correct password entry, during which time it is reset to another hour after each action requiring a password, or until access permission is explicitly canceled in SIMATIC Manager (Options > Edit safety program menu command, then click the Password button followed by the "Cancel access rights" button).

This access protection is described in detail in the S7 F/FH Systems – Configuring and Programming (http://support.automation.siemens.com/WW/view/en/2201072) Programming and Operating Manual.

6 Transferring a Safety Matrix

6.1 Introduction

The transfer of a Safety Matrix to the project includes:
• Saving the Safety Matrix, accompanied by a validity check of the configuration
• Generation of the F System program logic based on CFC using F blocks from the Safety Matrix block library

Nested chart

After the transfer, a basic CFC chart containing two nested charts is available for each Safety Matrix:
• Nested chart of the channel drivers (MatrixName)
• Nested chart of the matrix logic (MatrixName). This chart is protected…
…od before the cause becomes active.
• OFF delay: This specifies an OFF delay. The tripping condition for the cause must not be fulfilled for the time period specified by the OFF delay before the cause becomes inactive.
• Timed cause: If this option is selected for a cause, the cause remains active during the time entered in the "Time duration" field, irrespective of whether the tripping condition for the cause remains TRUE the entire time.
• Duration: Here you enter the desired duration for the ON delay, OFF delay or Timed cause settings.

Bypass

Causes can be configured in such a way that the following bypass functions are available:
• Soft bypass allowed: If the "Soft bypass allowed" check box is selected, the operator can manually create a bypass for maintenance purposes in the Viewer or in online mode of the Engineering Tool. This check box is selected by default.
• Bypass tag: To open the "Select I/O tag" dialog box, click the I/O button. Here you can select a Boolean tag as a bypass tag. See Chapter "Tags of the Safety Matrix" (Page 53). A bypass becomes active for the cause if the value of the bypass tag is TRUE. A bypass is normally created for maintenance purposes. When a bypass is active, the cause does not become active even though it should be active based on its tripping condition and options.
• Inhibit tag: To open the "Select I/O tag" dialog box, click the I/O button. Here you can selec…
…ollows:
• Discrete: enabled by default
• Analog: enabled by default

Mutually exclusive tag simulation: If you select this option, the tag simulation of the cause is mutually exclusive. This means that only one tag of a cause can be simulated in each case.

Time lapse diagram for cause time functions

[Timing diagram: Cause without time function (cause active); Cause with ON delay (configured duration, then cause active); Cause with OFF delay (cause active, then configured duration); Timed cause (cause active for the configured duration).]

Refer also to Chapter "Overview for configuring the causes" (Page 82). For detailed representations of the parameter assignment and information on how causes work, see Chapter "Example parameter assignments for causes" (Page 157).

4.3.7 Cause details dialog box, Alarms tab

Requirements

To display the Alarms tab, the "Positioning of cause and effect" check box must be selected on the Alarms tab of the Properties dialog box for the Safety Matrix (Edit > Properties menu command). See Chapter "Properties dialog box of the Safety Matrix" (Page 74).

Alarms tab

Field | Description
• Position alarm block: Use this check box to position the F_SC_AL message block for this cause.
• Chart assignment: If necessary, assign the message block to a plant hie…
…omation.siemens.com/WW/view/en/26091998 133000)

Documentation for S7 F/FH Systems | Brief Description of Relevant Contents
• S7 F/FH Systems – Configuring and Programming (http://support.automation.siemens.com/WW/view/en/2201072), Programming and Operating Manual: describes the configuring and programming of S7 F/FH Systems fail-safe … with the aid of S7 F ….
• … (http://support.automation.siemens.com/WW/view/en/1117849), Installation Manual: describes the assembly and … of S7-400 … H central processing units and the tasks required to set up and commission an S7-400H fault-tolerant system.
• Safety Engineering in SIMATIC S7: provides an informational overview of the use, installation and mode of operation of the S7 Distributed Safety and S7 F/FH Systems fail-safe automation systems, and describes basic properties and detailed technical information about these fail-safe systems.
• STEP 7 manuals (… Manual)

Documentation for | Brief Description of Relevant Contents
• STEP 7 Online Help: Describes how to operate the standard tools of STEP 7; contains information on configuring and assigning parameters for I/Os with HW Config.
• PCS 7: The PCS 7 manuals describe operation of the PCS 7 process control system, necessary when the S7 F System is integrated int…
…on in which you assign precisely defined reactions (effects) to event occurrences (causes), thus specifying the system behavior. The Safety Matrix provides comprehensive support for configuring in the form of:
• Structured user interface
• Simple parameter assignment and linking of causes and effects
• Automatic checking of the configuration for validity
• Automatic placement of the F channel drivers during transfer to a CFC chart
• Automatic generation of the F System program logic based on CFC using F blocks from the Safety Matrix library
• Revision and change tracking functions for comparing matrices and for support during system acceptance testing

Requirements
• You must have created a project structure in SIMATIC Manager.
• You must have assigned your safety program to an F-capable central processing unit, such as CPU 412-3H, CPU 414-4H or CPU 417-4H.
• The "CPU contains safety program" option must have been selected for the F-CPU, and a password must have been assigned for the F-CPU.
• You must have configured the inputs and outputs in HW Config or in the symbol table in SIMATIC Manager. The Safety Matrix works with the symbolic names of the entries (input tags) and outputs (output tags) of the F modules.

Basic procedure

Proceed as follows to create a safety program:
1. After you have specified the program structu…
…on is controlled by the value of the mask enable tag.

[Diagram: the mask enable tag (TRUE) selects whether the value of the process data tag or the effect logic is connected to the output tags.]

To configure an effect for masking, you must enter values for the mask enable tag and process data tag. The value of the mask enable tag specifies whether the effect logic or an externally controlled process tag (see process data tag) will be interconnected with the output tags of the effect.

Refer also to Chapter "Overview for configuring the effects" (Page 92). For detailed representations of the parameter assignment and information on how effects work, especially taking into consideration the configured intersection types, see Chapter "Example parameter assignments for effects" (Page 161).

4.4.6 Effect details dialog box, Alarms tab

Requirements

To display the Alarms tab, the "Positioning of cause and effect" check box must be selected on the Alarms tab of the Properties dialog box for the Safety Matrix (Edit > Properties menu command). See Chapter "Properties dialog box of the Safety Matrix" (Page 74).

Alarms tab

Field | Description
• Position alarm block: Use this check box to position the F_SE_AL message block for this effect.
• Chart assignment: If necessary, assign the message block to a plant hierarchy in this fi…
…on level for Reset effect. You can be logged onto a second OS or onto the same OS as the initiator.
2. Open the picture containing the desired Safety Matrix block icon.
3. Click the Safety Matrix block icon to open the faceplate.
4. Click the Confirm button below the control bar.
   Result: The confirmation dialog box for the transaction is displayed.
5. Check whether the specified change matches the desired operation. If so, select the "Operation was verified and can be activated" check box and click Confirm. If not, you must click the Cancel button.

Result

If the transaction is finished within the specified time interval, the successful operation is apparent in the Safety Matrix based on the status display (e.g. color change). In addition, the operation by the confirmer is entered in the PCS 7 operation list and in the event log of the Safety Matrix.

8.5.3.3 Maintenance changes

Introduction

You can make the following maintenance changes in online mode of the Safety Matrix Engineering Tool or from the PCS 7 OS via the Safety Matrix Viewer.

Online mode of the Safety Matrix Engineering Tool:
• Simulate value of a cause or effect tag

Safety Matrix Viewer:
• Simulate value of a cause or effect tag
• Change values for limit, hysteresis and delta for analog input types
• Change high and low range boundary of F channel drivers for analog input tags
…on used to operate and monitor machines and systems.

Partial shutdown
Only the F shutdown group in which the error was detected is shut down.

Passivation
Passivation of digital output channels means that the outputs are de-energized. Digital input channels are passivated when the inputs transmit a value of 0 to the F-CPU by means of the fail-safe drivers, irrespective of the current process signal. Analog input channels are passivated when the inputs transmit a fail-safe value or the last valid value to the F-CPU by means of the fail-safe drivers, irrespective of the current process signal.

Process safety time
The process safety time of a process is the time interval during which the process can be left on its own without risk to life and limb of the operating personnel or damage to the environment. Within the process safety time, any type of F System process control is tolerated. That is, during this time the → F System can control its process incorrectly or it can even exercise no control at all. The process safety time depends on the process type and must be determined on a case-by-case basis.

PROFIsafe
Safety-related bus profile of PROFIBUS DP/PA and PROFINET IO for communication between the → Safety program and the → F-I/O in an → F System.

Proof test interval

Reintegration

S7-PLCSIM

Safe state

Safety class
…onfiguration Manual

11.2 Example parameter assignments for effects

Bypass of an effect with output delay for intersection S (Stored)

[Timing diagram: Cause (Active/Inactive), Reset/override tag (TRUE/FALSE), Bypass (Active = TRUE / Inactive = FALSE), Effect (Active/Inactive), Output TAG (DTT, TRUE/FALSE). Legend: 1, 2 = explained below; Output delay timer runs; 3 = Bypass active.]

1. The effect becomes active as a result of an active cause. The output delay timer starts. After it expires, the output tag is also set: to FALSE if DTT, to TRUE if ETT.
2. Bypass interrupts the output delay timer. Thus the output delay can be delayed by an additional time. The output delay timer is only restarted if the cause has become active. Once the cause has become inactive, the effect must be reset; otherwise it remains active and the bypass can be in effect.

Bypass of an effect with output delay for intersection V (Overridable)

[Timing diagram: Cause (Active/Inactive), Reset/override tag (TRUE/FALSE) with "Start override timer", "Stop override timer", "Start override timer" marks, Bypass (Active = TRUE / Inactive = FALSE)…]
…ons for revision management as well as for the documentation of operator inputs and program changes supplement the configuring, operational and service functions of the Safety Matrix.

Achievable Safety Requirements

The following safety requirements are met with the Safety Matrix:
• Up to Safety Integrity Level SIL3 according to IEC 61508
• Up to Category 4 according to EN 954-1
• Up to Performance Level PL e according to ISO 13849-1:2006 or EN ISO 13849-1:2008

1.2 Optional packages and range of functions

The Safety Matrix consists of three products that can also be ordered as three separate optional packages.

Table 1-1 Optional packages of the Safety Matrix (range of functions of the Safety Matrix optional packages)

Optional package | Range of functions | Environment | Operating mode | Utilization phase
• Safety Matrix Editor | Creating and configuring a Safety Matrix on a PC outside of PCS 7 or STEP 7, including checking the configuration for validity, documentation and creation of an importable .cem matrix file | Stand-alone | Offline | Analysis phase (planning and configuration)
• Safety Matrix Engineering Tool | Creating/importing a .cem matrix file, configuring a Safety Matrix, automatic generation and downloading of CFC charts including driver blocks to a PCS 7/CFC project, operator control and mon… | Engineering System (ES), PCS 7 or STEP 7 and CFC | Offline/online | Analysis, implementation and operational phase (total safety life cycle)
…owing applies to all functions: permission level 0 means no access protection, which means every operator has this permission. You create users and your own permission levels in the PCS 7 OS with the User Administrator editor.

The following table provides an overview of the monitoring and operator control functions and their default permission levels in the Safety Matrix.

Function | Description | Default user level

Monitoring functions:
• View event log
• View cause tags
• View effect tags
• View cause status
• View effect status

Operator roles:
• Initiator | Permission level for initiator | 0
• Confirmer | Permission level for confirmer | 0

Operator control functions:
• Cause acknowledgement | Permission level for acknowledging a cause | 5
• Cause bypass | Permission level for cause bypass | 5
• Cause tag simulation on/off | Permission level for simulating a cause tag | 5
• Cause tag simulation value | Permission level for specifying a cause tag simulation value | 5
• Clear First Out Alarm cause | Permission level for acknowledging cause First Out | 5
• Clear effect alarm | Permission level for clear override alarms | 5
• Override effect | Permission level for override effect | 5
• Reset effect | Permission level for reset effect | 5
• Effect bypass | Permission level for effect bypass | 6
• Effect tag simulation on/off | Permission level for simulating an effect tag | 6
…pile the relevant project. Note that the PH assignment and the assignment … Safety Matrix Engineering Tool (see section "Properties dialog box of the Safety Matrix", Page 74).

Recompiling the relevant project
1. To do so, start SIMATIC Manager.
2. Make sure that the "Derive block icons from the plant hierarchy" option is selected in the Block icons tab of the object properties for the relevant picture object. This is the default setting in PCS 7 V7 and higher.
   Note: If user settings for the block icon of a Safety Matrix are to be retained during a subsequent OS compilation of an existing picture, you must clear the "Derive block icons from the plant hierarchy" option for this WinCC picture.
3. Highlight the OS object and select Compile in the context menu to compile the OS. For PCS 7 < V7: make sure that the "Generate/update block icons" option is selected in the Compile OS wizard when selecting the data to be compiled and the scope of the compilation. This takes place automatically in PCS 7 V7 and higher.
4. Click the Compile button in the last dialog of the Compile OS wizard.

Result

Once you have performed these steps, your project contains the new Safety Matrix block icon. Repeat these steps for all projects.

2.5 Upgrading to Safety Matrix V6.2

2.5.1 Overview of upgrading

Basi…
…plication, i.e. by dividing your application into function groups that you can then monitor and change selectively in the Safety Matrix Engineering Tool and Safety Matrix Viewer (e.g. level measurement and shut-off). In order to use this function, you must assign the individual causes and effects of the safety program to your safety instrumented function groups. Then you can display one or more or all safety instrumented function groups.

Secure Write

The Secure Write functionality allows operator inputs to be made to the Safety Matrix. This can take place in online mode of the Safety Matrix Engineering Tool or from the PCS 7 OS via the Safety Matrix Viewer.

Transaction for Secure Write

You carry out a Secure Write transaction for the purpose of making operator inputs to the Safety Matrix in online mode of the Safety Matrix Engineering Tool or from the PCS 7 OS via the Safety Matrix Viewer. The transaction consists of a sequence of operations that can be performed by one or two operators. The transaction must be completed within a time interval specified by the user (timeout). If the transaction is not finished before the timeout expires, the transaction is automatically canceled.

1.5 Overview of procedure

This chapter provides a brief overview of the procedure to be followed when using Safety Matrix components within…
…pro…

[Figure: example applications of the Safety Matrix (Burner, Emergency STOP, Boiler Protection, Coal Pulverizer); "In standard mode".]

1.1 What is the Safety Matrix?

Relationship to S7 F Systems

WARNING
Warning notices of the S7 F/FH Systems Programming and Operating Manual
The Safety Matrix is an optional package for S7 F/FH Systems. You must read, understand and comply with all warning notices in the S7 F/FH Systems – Configuring and Programming Programming and Operating Manual.

The following table illustrates the relationship between the Safety Matrix and S7 F Systems:

S7 F Systems | Safety Matrix
• Programming with CFC | Intuitive configuring based on the conventional cause/effect method
• CFC as basis (charts, run-time groups, run sequence) | S7 F Systems safety concept
• CFC documentation | Documentation through printouts of the Safety Matrix

Basic mode of operation

Analysis phase

When performing a risk assessment for the system, the user can assign events occurring during a process (causes) to precisely defined reactions (effects) and thus specify the system behavior. The user enters possible process events (one or more entries) in the Safety Matrix and then configures the events in terms of type, number, logic combinations, possible delays and interlocks, and any permitted deviations. Next, the user defines the reaction…
…r assignments

11 Example parameter assignments

The following chapter contains timing diagrams that describe, by way of example, the behavior of causes and effects for different configurations. Note that a discrete tag with Deenergize to trip (DTT) was chosen for each of the following examples.

11.1 Example parameter assignments for causes

11.1.1 Time behavior

Time behavior of a cause

Only one time behavior setting at a time can be specified for each cause.

ON delay

[Timing diagram: Input TAG (TRUE/FALSE, DTT), Cause (Active/Inactive). Gray zone: time is running. 1 = ON delay.]
• Delayed activation of the cause.
• The input tag must be present beyond the ON delay in order for the cause to become active.

OFF delay

[Timing diagram: Input TAG (TRUE/FALSE, DTT), Cause (Active/Inactive). Gray zone: time is running. 1 = OFF delay; 2 = OFF delay canceled by a change in the input tag.]
The cause remains active over the configured OFF delay time after the input tag has become TRUE. Any configured acknowledgement of the cause does not affect this behavior. The timer of the OFF delay is canceled if the input tag has become FALSE again.

Timed cause

[Timing diagram: Input TAG (TRUE/FALSE, DTT), Cause (Active/Inactive). Gray zone: time is running. 1 = time for timed cause.]
If the input tag becomes FALSE, the timer of…
…r cannot be activated if bypass is active.
• Once the cause has become inactive, the effect must be reset; otherwise it remains active and the bypass can be in effect.
• If the cause becomes inactive while the override timer is running, the effect will not be stored, i.e. it will become inactive immediately without the need for a reset.
• If the cause becomes inactive while the output delay timer is running, the effect will be stored and will become inactive only when a reset has taken place.

11.2.5 Process data pass-through and mask enable

Behavior with Process data pass-through and mask enable

The effects of the various combinations of the two options on the output tags of the effect are explained in detail below using diagrams.

Table 11-1 Dependencies between Process data pass-through and mask enable

Process data pass-through | Mask enable tag | Result
• Not activated | Not configured | No effect
• Not activated | Configured | See below, "Configuration of Mask"
• Activated | Not configured | See below, "Configuration of Process data pass-through"
• Activated | Configured | See below, "Configuration of Process data pass-through and Mask at the same time"

Configuration of Mask

Process data tag and mask enable tag are configured. Process data pass-through is not acti…
…r must manually clear it in the Viewer or in online mode of the Engineering Tool, or by setting the configured reset/override tag to TRUE.

• V (Overridable): If the cause is active, the effect is tripped. You can bypass the tripping of the effect by manual intervention, or by setting the configured reset/override tag to TRUE as long as the effect is still tripped.
• R (Resettable and overridable): This intersection type is a combination of the S and V types described above. The effects interconnected with this intersection type remain active if the associated cause becomes inactive, except that the override function can be used to bypass the effect as long as the cause is active, and the effects can be acknowledged if the cause is no longer active.
• X (Not specified): A connection between the cause and effect is required, but the desired intersection type has not yet been specified. A connection will not be processed until the intersection type is entered. A Safety Matrix with intersection type X cannot be transferred to the CPU.
• For note only: A connection between this cause and this effect will not be processed. Used only for documentation purposes.
• None: There is no connection between this cause and this effect (no entry in the intersection). This is the default intersection type.
• XooN (value 2 to 15): This enables you to assign causes according to the majority method. X is entered by the user and N is determined based on t…
169. r permission, operators must have the specified permission level for each operator function to be performed (EffectResLevel for Reset effect).
Initiator: Start operation
1. Log on to the OS as a user with initiator permission and the specified permission level for Reset effect.
2. Open the picture containing the desired Safety Matrix block icon.
3. Click the Safety Matrix block icon to open the faceplate.
4. Select the effect you want to reset. The effect must be displayed in green (resettable). Click the Reset effect button in the control bar.
Result: The Safety Matrix Viewer sends the command to the Safety Matrix and reads the read back values. Time out monitoring for the transaction is started. The confirmation dialog box for the transaction is displayed. Check whether the specified change matches the desired operation. If so, select the Operation was verified and can be activated check box and then click Initiate. If not, you must click the Cancel button.
Result: The transaction for the initiator is now complete and can be continued by a confirmer.
Note: Depending on the operator function to be performed, you may be prompted to enter a reason, which is recorded together with the event.
Confirmer: Confirm operation
1. Log on to the OS as a user with confirmer permission and the specified permissi
170. r representation in online mode and, if applicable, the effect messages issued:
- Standard: Standard alarm profile is set (default)
- Sequential: Sequential alarm profile is set
Effect Configuration, Output tag: Active = DTT 0 / ETT 1; Inactive = DTT 1 / ETT 0
Refer also to section Overview for configuring the effects. For detailed representations of the parameter assignment and information on how effects work, especially taking into consideration the configured intersection types, see section Example parameter assignments for effects (Page 161).

4.4.5 Effect details dialog box, Options tab
Field: Output delay
Description: If the Enable check box is selected, the outputs are tripped after a certain time delay. You specify the duration of the time delay in the Duration entry field. To delete a configured output delay, you must clear the Enable check box.
Note: The output delay only acts on the output tags of the effect and not on the activation of the effect itself. The output delay does not apply to visualization and internal references of the effect.
Field: Bypass
Description: Effects can be configured in such a way that the following bypass functions are available:
- Soft bypass allowed: If the Soft bypass allowed check box is selected, the operator
171. r was detected in the safety data format
- Alarm: Boolean flag indicating that an alarm condition was detected
- Any_CA: Indicates that at least one of the causes in the Safety Matrix is active
- Any_EA: Indicates that at least one of the effects in the Safety Matrix is active
- CByp_Num: Integer value indicating how many causes are currently bypassed
- EByp_Num: Integer value indicating how many effects are currently bypassed
- Msec: Current processing time of the Safety Matrix, including F channel drivers in the nested chart of the channel drivers (MatrixName)
- MaxMsec: Maximum processing time of the Safety Matrix, including F channel drivers in the nested chart of the channel drivers (MatrixName). This output is reset again to 0 on each startup of the Safety Matrix.
The invisible chart connections (inputs and outputs) must not be changed.
Note: After the Safety Matrix has been transferred to the project, the Tools > Compare matrix with > Program function can be used to check whether the project configuration matches the Safety Matrix.
WARNING Nested chart of the matrix logic: You must not rename, delete, copy or move the nested chart of the matrix logic (MatrixName). You may only change visible parameters, but not the MatrixSig parameter.
WARNING Safety Matrix basic chart: You must not change the name of the Safety Matrix basic chart visible in SIMATIC Manage
172. rarchy in this field. Click the associated button to open a browser for this purpose.
- Enable messages: Select the Enable messages check box. Click the associated button to open the dialog box for configuring the predefined alarm profile for causes and effects selected in the Configure tab. There you can
  - enable individual messages
  - change message classes
  - change priorities of message classes
  - specify the acknowledgement request
For information on assigning a color to an alarm profile for the status display, see Chapter Adjust dialog boxes (Page 79).

4.4 Configuring the effects
4.4.1 Overview for configuring the effects
Overview: The values of at least one but no more than four discrete output tags define the action to be performed on the process. The activation of an effect depends on various factors:
- type of intersection
- specified options for the effect
4.4.2 Creating/changing an effect and the column for an effect
Procedure for creating/changing an effect: In the effect configuration area of the Safety Matrix, double click a column (empty or filled), or click the column and select Change effect in the context menu. The Effect details (Effect x) dialog box is opened and you can create or change the effect.
Context menu in the effect configuration area of the Safety Matrix
173. ration of the maximum override time, the effect becomes active again and an alarm Override Failed Timeout appears. If a new cause assigned to this effect becomes active, the override function ends immediately, the effect becomes active once again and an alarm Override Failed Cause appears. The time configured in Maximum override time should not exceed the time period of any condition that the process or system tolerates.
Override pre alarm time: In this input field you can enter the time in seconds after which a pre alarm for reaching the maximum override time is issued. The relevant effect tag is displayed in the color configured for a pre alarm once this time expires.
Field: Masking or process data pass through
Description:
- Enable process data pass through: If you select this check box, the effect is configured to pass on the process data. A process data tag must be specified for this. See description of Process data pass through following this table.
- Mask enable tag: The value of the mask enable tag specifies whether the effect logic or an externally controlled process tag (see process data tag) is interconnected with the output tags of the effect. See description of Mask following this table.
- Process data tag: Denotes an external process tag that is pa
174. re insert a Safety Matrix into the project.
2. Insert the following into the Safety Matrix: input tags for causes, output tags for effects.
3. Assign parameters for the following: causes, effects, intersections.
4. Transfer the Safety Matrix to CFC charts.
5. Compile and download the S7 program.
6. Test and document the safety program.
7. Perform the acceptance test.
[Figure: SIMATIC Safety Matrix Engineering Tool window (Matrix01_SafetyMatrix, SIMATIC 400(1), CPU 414-4 H, S7 Program(1)) with the menu bar File, Edit, Monitor, View, Options, Window, Help and the effect columns Process Pass Through, Mask Enable, Not Specified, Result of voting, Effect description, Groups, PilotFlame]

4.1.2 Tags of the Safety Matrix
Which tags does the Safety Matrix support? The following tags are supported by the Safety Matrix:
- Input and output tags: these form the interface of the Safety Matrix to the F I/O. The input and output tags incorporate the symbolic names of the inputs and outputs of the SIMATIC F modules configured in the SIMATIC project and the assigned F channel drivers.
- Any signals from the safety program, by means of connections to the nested chart.
- Status of a cause, effect or effect tag, by means of internal references.
- Customer specific F channel drivers.
ab of the Cause details dialog box (see section tab, Page 86) you
175. ride failed Cause: Indicates that the effect override has been interrupted because a new cause has become active.
Override failed Timeout: Indicates that a timeout occurred while overriding the effect.
Illegal Config: Error during internal diagnostic check of the FB (internal error; remedy: transfer, compile and download again if necessary).
Effect status descriptions, continued (X marks statuses that produce an entry in the event log):
SDF error: Indicates that the Safety Matrix has detected an error in the safety data format in the DB. This error always causes the safety program to go to F STOP. (X)
Tag x value: Indicates the current status of the output tag.
TAG x bad quality: Indicates that the F channel driver of the configured tag is signaling a quality alarm. (X)
Tag x simulation active: Indicates that the tag is simulated. (X)
Tag x channel failure: Indicates that the F channel driver of the configured tag is signaling a channel failure. (X)
TAG x PROFIsafe failure: Indicates that the F channel driver of the configured tag is signaling a PROFIBUS failure caused by the module driver. (X)
Effect override time remaining: Indicates the amount of time remaining for the effect to remain overridden.

8.5 Operating
Following entry of the password for the safety program in online mode of the Safety Matrix Engineering Tool, all control bar function
176. rite function can be performed.
WARNING Operating a Safety Matrix: Take organizational measures to ensure that only one transaction at a time can be initiated or confirmed for a Safety Matrix.
WARNING Secure Write, checking correct functioning of the operation: You must check the correct functioning of the operation. Immediately following an operation, the following must be true:
- the expected response to the operation can be recognized as a change in the status display, or
- the status for this operation corresponds to the entries in the event log.
WARNING Checking a transaction: As an operator you may only accept the awaited information. If there are inconsistencies, you must cancel the transaction. You may only confirm the transaction assigned to you organizationally.
WARNING Checking the technological assignment: When opening the faceplate, make sure that the technological assignment in the top line is appropriate for the environment in which the block icon was placed. In this way you make sure you are operating the correct Safety Matrix.
WARNING Cancelation of a transaction: You must always anticipate the cancelation of a transaction through unforeseeable events (e.g. communication errors); the safety of the system must no
177. roperties dialog box of the Safety Matrix
Properties dialog box of the Safety Matrix, General tab: Select the Edit > Properties menu command. The Properties (Matrix name) dialog box is opened with the General tab displayed.
Title: Enter a title to serve as the Safety Matrix designation. This will be displayed in the information area of the Safety Matrix properties.
Project: Enter the name of the project to which the Safety Matrix belongs. This will be displayed in the information area of the Safety Matrix properties.
Description: Enter a process related description of the Safety Matrix. This will be displayed in the information area of the Safety Matrix properties.
General notes: Enter general comments regarding this specific Safety Matrix.
Notes: These are comments that are displayed in the information area for user notes next to the intersections. Up to 32 comments can be entered, and each comment may contain up to 63 characters. These comments can be linked to specific causes and effects. A maximum of four comments can be entered for each cause and effect in the associated Options dialog box.
Safety instrumented function groups: You can create your own safety instrumented function groups for your application here, i.e. by dividing your application into function groups that you can then monitor and change selectively in the Safety Matrix Engineering Tool and Safety Matrix Viewer, e.g. level measurement
178. s
11.2 Example parameter assignments for effects
Bypass of an effect with output delay for intersection R (Resettable and overridable): Because intersection R is a combination of intersections S and V, the properties of these intersections are also represented here.
[Timing diagram: Cause (Active/Inactive); Reset override tag (TRUE/FALSE) with the events Start override timer, Stop override timer and Reset; Bypass (Active/Inactive); Effect (Active/Inactive); Output tag (TRUE/FALSE). Marked phases: 1 = override timer runs, 2 = output delay timer runs, 3 = bypass active]
- The effect becomes active as a result of an active cause. The output delay timer starts. After it expires, the output tag is also set (to FALSE if DTT, to TRUE if ETT).
- The output delay timer can be interrupted by the bypass.
- The output delay timer is only started if the cause has become active or the override timer has been stopped while no bypass was active.
- A rising edge of the reset override tag both starts and stops the override timer.
- The override timer is automatically stopped as soon as the maximum override time has been reached.
- Activation of the bypass does not affect the override timer.
- If the override timer is started and bypass is then activated, the override timer can be stopped again by a positive edge of the reset override tag.
- The override time
179. s one or more outputs to a particular event. The causes and effects are linked by simply clicking the cell at their intersection. When the Safety Matrix is saved, the configuration is checked for validity. The Safety Matrix documents the safety instrumented function groups, and the cause effect matrix itself is an important component of the safety program specification.
Implementation phase: The safety program is specified by configuring the cause effect parameters in the Safety Matrix. Using these specifications, the Safety Matrix automatically generates the F system program logic based on CFC, using F blocks from the Safety Matrix library. In addition, the Safety Matrix provides revision and change tracking as well as functions for comparing matrices and for support during acceptance testing of the system.
Operational phase: The Engineering Tool of the Safety Matrix and the viewer available on the SIMATIC PCS 7 Operator Station enable operator control and monitoring of the system in safety mode as well. The signal status is represented online in the cause effect matrix. The operator can display and save initial alarm messages and specify that safety relevant events be recorded. Parameter changes, for example using bypass, reset and override functions, are also supported. Safety life cycle management functi
180. s are available without restrictions. However, the functions available in the Safety Matrix Viewer on the PCS 7 OS are dependent on the assignment of functions to a permission level in the block icon and the corresponding configured user permissions in the PCS 7 OS.
WARNING Standard operator: Make sure that a standard operator (e.g. Autologin) is not assigned operator permission for the Safety Matrix.

8.5.1 Initiator and confirmer permissions (2 operator scenario)
Procedure: During configuration of the Safety Matrix in the PCS 7 OS you can select a 2 operator scenario (4 eyes principle). Two operator roles are defined for this purpose: initiator and confirmer. You use the corresponding Initiator and Confirmer attributes to specify which permission the PCS 7 OS operator has to have to perform the operator control functions on the Safety Matrix Viewer in the role of initiator or confirmer.
- Initiator permission: the operator may start an operation.
- Confirmer permission: the operator may confirm an operation.
If the confirmer permission and initiator permission are both set to 0 (no access protection), the 2 operator scenario is not being used. In this case, individual functions are governed solely by the permission level specified for the respective operator function. In addition to t
181. s fallen below the limit. The cause becomes inactive again only when both input tags exceed the limit plus hysteresis.
For note only: Never.
2oo3:
- High: at least two of the three input tags have exceeded the limit. The cause becomes inactive again only when at least two input tags fall below the limit minus hysteresis.
- Low: at least two of the three input tags have fallen below the limit. The cause becomes inactive again only when at least two input tags exceed the limit plus hysteresis.
AND:
- High: all three input tags have exceeded the limit. The cause becomes inactive again only when one of the three input tags falls below the limit minus hysteresis.
- Low: all three input tags have fallen below the limit. The cause becomes inactive again only when one of the three input tags exceeds the limit plus hysteresis.
OR:
- High: one of the three input tags has exceeded the limit. The cause becomes inactive again only when all three input tags fall below the limit minus hysteresis.
- Low: one of the three input tags has fallen below the limit. The cause becomes inactive again only when all three input tags exceed the limit plus hysteresis.
For note only: Never. If DTT is configured for all tags of the cause

4.3.2 Creating/changing a cause and the rows
182. se the Safety Matrix in SIMATIC Manager, you must import the file after editing.
WARNING Editing of the Safety Matrix file: You must use the Safety Matrix Engineering Tool or the Safety Matrix Editor to edit the cem files.
Command / Function:
- New: Opens an empty Safety Matrix named NewMatrix.cem as a read only file. To assign a file name to the new Safety Matrix, use Save.
- Open: Displays the Open dialog box for selecting and opening a previously configured Safety Matrix. Use this option to open a Safety Matrix for editing.
- Close: Closes the current Safety Matrix file. You will be prompted to save your changes to the Safety Matrix before closing the file.
- Save: Saves the current Safety Matrix as a file. When changes to the Safety Matrix are saved, the new Safety Matrix will replace the older version. If a Safety Matrix is overwritten in a project, you will be prompted to check the log file and specify which changes you want to accept (critical / not critical). Likewise, you will be prompted to enter the password for the safety program. A password is not required if you save the Safety Matrix as a new file.
- Save as: Saves the Safety Matrix as a different cem file.
- Transfer: Transfers the Safety Matrix to the project. See Chapter Transferring a Safety Matrix (Page 109).
- Print: Opens the Print dialog box. The Print dialog box allows you to specify the print settings and to start the pr
183. signaling a channel failure.
TAG x PROFIsafe failure: Indicates that the F channel driver of the configured tag is signaling a PROFIBUS failure caused by the module driver. (X)
Effect status descriptions (X marks statuses that produce an entry in the event log):
Effect active: Indicates that all configured criteria are satisfied for the active status (intersection status, bypass etc.). (X)
Delay active: Indicates that a time delay is active.
Mask active: Indicates that a mask is active. (X)
Override active: Indicates that an override function is active. (X)
N intersections: Indicates that an interconnected intersection type N is active.
S intersections: Indicates that an interconnected intersection type S is active.
V intersections: Indicates that an interconnected intersection type V is active.
R intersections: Indicates that an interconnected intersection type R is active.
Bypass active: Indicates that a bypass is active. (X)
Soft bypass active: Indicates that the current bypass was set by means of an operator input. (X)
Pass through active: Indicates that Process data pass through is active in the effect logic. (X)
Override input: Indicates that the effect is currently being overridden.
OK to override: Indicates that the effect is ready to be overridden.
OK to reset: Indicates that the effect is ready to be reset.
Effect latched: Indicates that the effect is latched and must be reset. (X)
Pre alarm override: Indicates that the effect meets the pre alarm time condition for the maximum override time. (X)
Over
184. sletters, select the check box.
Update Warnings index
Warning / Section:
- Warning notices of the S7 F/FH Systems Programming and Operating Manual: 1.1
- Safe state for digital F I/O: 1.4
- Operation of Safety Matrix: 2.1
- Check installed version of the Safety Matrix components: 2.2
- Assign a unique name for each Safety Matrix: 3.1
- Editing of the Safety Matrix file: 3.2
- Assigning colors: 4.2.2
- Effect on downloading of changes: 6.1
- Transfer with Chart Parameters option: 6.1
- Nested chart of the channel drivers: 6.1
- Nested chart of the matrix logic: 6.1
- Safety Matrix basic chart: 6.1
- Warning and safety notices in the user manual for Safety Matrix V5.2: 8.1
- Independent paths to the display: 8.1
- Standard operator: 8.5
- The Secure Write functionality allows changes to the safety program to be made during RUN mode: 8.5.2.1
- Operating a Safety Matrix: 8.5.2.1
- Secure Write, checking correct functioning of the operation: 8.5.2.1
- Checking a transaction: 8.5.2.1
- Checking the technological assignment: 8.5.2.1
- Cancelation of a transaction: 8.5.2.1
- Reintegration of the F channel drivers: 8.5.3.1
Table of contents
Preface
1 Product Overvi
185. sms for fault detection and fault reaction are activated. In safety mode the safety program cannot be modified during operation. Safety mode can be deactivated by the user (> deactivated safety mode).
Safety program: Safety related user program.
Safety protocol: > Safety message frame.
Safety related communication: Communication used to exchange fail safe data.
Signature: > Collective signatures.
Standard communication: Communication used to exchange non safety related data.
Standard mode: Operating mode of > F I/O in which > safety related communication by means of > safety message frames is not possible, but rather only > standard communication.
Standard user program: Non safety related user program.
User safety function: The > safety function for the process can be provided through a user safety function or a > fault reaction function. The user only has to program the user safety function. In the event of a fault in which the > F System can no longer execute its actual user safety function, it will execute the fault reaction function. For example, the associated outputs are deactivated and the > F CPU switches to STOP mode if necessary.
Index
MatrixName 109, 115
2 operator scenario 124
A
Acceptance test Configuration ER
186. splay status monitoring function in the control bar
8.4 Monitoring
The Display status button is available if a cause or effect is selected. Click this button to open the Cause status or Effect status display window. This display window contains information about the selected cause or effect. If a status has a white background, this means it is active.
Cause status descriptions (X marks statuses that produce an entry in the event log):
Cause active: Indicates that all configured criteria are satisfied for the active status (status function logic, time delays etc.). (X)
Timed active: Indicates that a configured time control is active. The active bit is cleared after expiration of the time duration.
Hysteresis active: Indicates that an active cause no longer fulfills its trip condition but is still within the configured dead band.
Inhibit active: Indicates that the inhibit tag is active. (X)
Bypass active: Indicates that a bypass is active. (X)
Soft bypass active: Indicates that the current bypass was set by means of an operator input. (X)
Trip requested: Indicates that the logic operation of the tags is fulfilled according to the function logic. The active status of the cause can be influenced by the configured time behavior or by the bypass, inhibit and interlock functions.
Delta alarm TagX TagY: Indicates that the calculated tag difference X Y has exc
187. ssed through to the output of the effect when the effect is not active, provided Process data pass through is selected. This allows an output from a process data element to be controlled until a tripping condition activates the effect. If a mask enable tag is configured and its value is TRUE, the value of the process data tag is always passed through to the output tags. For energize to trip (ETT) output tags the value of the process data tag is inverted before it is written to the output tags.
Notes: Up to 32 comments can be entered for each Safety Matrix; the comments will be displayed in the information area for notes. Up to four comments can be assigned to each cause in the Notes fields. The number in the box next to each field refers to the associated comment.
SIF grouping: An effect can be assigned to up to four SIF groups (Safety Instrumented Function groups). An SIF group contains associated causes and effects that are typically assigned to a single safety circuit, made up of sensors, the F CPU and control elements, that executes a particular safety function. Assignment to an SIF allows filter functions to be used for displaying causes and effects in online mode. You must have created the safety instrumented function groups in the General tab of the Properties dialog box for the Safety Matrix before you can assign causes and effects here. Pay special attention to the steps in Chapter Properties dialog box of the S
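The rules above (the DTT/ETT output convention from the Effect details dialog, table 11.1 of section 11.2.5 and the Process data pass through / Mask enable descriptions of the Options tab) decide the output tag value of an effect for each scan. The following is an added illustration, not Siemens code or part of the manual: a small Python model of that decision, written so the practitioner-relevant caveat is visible, namely that a mask enable tag at TRUE hands the output tag to the process data tag even while the effect is tripped. The class and function names are this example's own.

```python
"""Value written to a Safety Matrix effect output tag for one scan, combining the
DTT/ETT convention (Active: DTT 0 / ETT 1, Inactive: DTT 1 / ETT 0) with the
Process data pass through and Mask enable options of table 11.1.
Added illustration, not Siemens code; the names below are this example's own."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EffectOutputConfig:
    ett: bool = False                     # False = de-energize to trip, True = energize to trip
    pass_through: bool = False            # "Enable process data pass through" check box
    mask_enable_configured: bool = False  # a mask enable tag is assigned to the effect


def effect_output(cfg: EffectOutputConfig, effect_active: bool,
                  process_data: Optional[bool] = None,
                  mask_enable: bool = False) -> bool:
    """Return the output tag value for this scan."""
    trip_value = cfg.ett            # Active:   DTT -> 0, ETT -> 1
    safe_value = not trip_value     # Inactive: DTT -> 1, ETT -> 0

    # Table 11.1, first row: neither option in use, the effect logic alone drives the tag.
    if not cfg.pass_through and not cfg.mask_enable_configured:
        return trip_value if effect_active else safe_value

    # The remaining rows all need a process data tag.
    if process_data is None:
        raise ValueError("process data tag required when pass through or mask is configured")
    # For ETT output tags the passed-through value is inverted before it is written.
    external = (not process_data) if cfg.ett else process_data

    # Mask: with the mask enable tag TRUE the process data tag is ALWAYS passed
    # through, i.e. the effect logic no longer reaches the output, even when tripped.
    if cfg.mask_enable_configured and mask_enable:
        return external

    if effect_active:
        return trip_value
    # Pass through: process data drives the output only while the effect is inactive.
    if cfg.pass_through:
        return external
    return safe_value


def mask_can_defeat_trip(cfg: EffectOutputConfig) -> bool:
    """True if some combination of mask enable tag and process data tag makes an
    active (tripped) effect write its non-trip value. For such effects the mask
    enable tag and the process data tag must be protected like any other write
    into the safety logic (who can set them, and from where)."""
    if not cfg.mask_enable_configured:
        return False
    return any(effect_output(cfg, True, pd, True) != cfg.ett for pd in (False, True))
```

Running `mask_can_defeat_trip` over every configured effect is a cheap review step before acceptance: it lists the effects whose trip can be masked from outside the matrix, which is exactly the set whose mask enable tags need the same access control as a bypass.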
188. st of the safety program and the system.
9.4 Validation report
Validation test of the overall configuration: The validation report indicates the result of a validation test of the Safety Matrix configuration in the form of errors and warnings.
Creating a validation report: Select the Options > Reports > Validation report menu command. The validation report is displayed in the log window.
Errors and alarms: The validation report contains errors and alarms such as
- missing intersection configurations
- effects without reset tags
- multiple effects with the same output tag
Printout of the validation report: You can save and print out the validation report using the File > Save as and Print menu commands respectively.

10 Acceptance test for a Safety Matrix
Introduction: During the system acceptance test, all relevant application specific standards must be adhered to, as well as the following procedures. This also applies to systems that are not subject to acceptance testing. For the acceptance test you must consider the systems in the Certification Report. As a general rule, the acceptance test of an F System is performed by independent experts.
Acceptance test same as for S7 F/FH Systems: The acceptance test of a Safety
189. t a Boolean tag as an inhibit tag (see Chapter Tags of the Safety Matrix). The inhibit function is typically used to automatically suppress a cause during automatic startup of a batch process. The inhibit tag is a Boolean tag. The cause becomes suppressed if the inhibit tag is TRUE. When an inhibit is active, the cause does not become active even though it should be active based on its tripping condition and options.
First out alarm group: In online mode, the first out alarm function indicates which cause became active first, i.e. the cause responsible for tripping. The cause that tripped first in each group is highlighted in color. A cause can be categorized into any of the 15 different first out alarm groups. The first out alarm function is disabled by default. To add a cause to a first out alarm group, you simply enter the group number in this text field.
Field: Notes
Description: Up to 32 comments can be entered for each Safety Matrix; the comments will be displayed in the information area for notes. Up to four comments can be assigned to each cause in the User notes fields. The number in the box next to each field refers to the associated comment.
Field: Safety instrumented function (SIF) groups
Description: A cause can be assigned to up to four SIF groups (Safety Instrumented Function groups). An SIF group contains
190. t be endangered as a result.
Operator roles for Secure Write: A transaction can be performed by an individual operator who starts, verifies and confirms the operation. However, a transaction can also be performed by two operators on the OS: one operator starts the operation (initiator) and the second operator checks and confirms it (confirmer).
Sequence of a transaction for Secure Write (Safety Matrix): A transaction consists of multiple dialog boxes that must be run through one after the other. After you have entered inputs into a dialog box, there may be a waiting period, depending on the utilization of the server or the communication partner for the CPU, until the next dialog box is displayed. To make this operation more transparent, a dialog box is opened at the start of each transaction and remains open until the end of the transaction. Additionally, this dialog box provides information such as the time remaining for the transaction and error messages.
8.5.2.2 Variants of Secure Write
What variants of Secure Write are available? Secure Write is available in 3 variants:
- Full Secure Write, in online mode of the Safety Matrix Engineering Tool or from the PCS 7 OS via the Safety Matrix Viewer: The operator has both initiator and confirmer permissions and can perform the transaction alone.
- Secure Write for
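The Secure Write material in chapter 8.5 (the Reset effect procedure with initiator and confirmer, the permission levels and the 2 operator scenario of 8.5.1, the warnings on one transaction at a time, read-back checking and cancelation, and the operator roles above) describes an authorization state machine. The following is an added illustration, not Siemens code or part of the manual: a Python model of that state machine which an engineer can use to reason about which permission combinations let a write into the safety program happen, and which do not (for instance an Autologin user with level 0, or a single initiator in a 2 operator scenario). Class names, the "latched"/"reset" effect states, the numeric permission attributes and the in-memory stand-in for the F-CPU are this example's own assumptions.

```python
"""State model of a Safety Matrix Secure Write transaction (chapter 8.5):
permission levels, the initiator/confirmer roles of the 2 operator scenario,
time-out monitoring and read-back verification.  Added illustration, not
Siemens code; class names, the 'latched'/'reset' effect states and the
constructed F-CPU stand-in are this example's own assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Operator:
    name: str
    level: int                # permission level assigned to the user in the PCS 7 OS
    initiator: bool = False   # holds the Initiator permission
    confirmer: bool = False   # holds the Confirmer permission


@dataclass(frozen=True)
class SecureWriteConfig:
    initiator_level: int = 0  # Initiator attribute of the block icon (0 = no access protection)
    confirmer_level: int = 0  # Confirmer attribute of the block icon
    function_level: int = 1   # level required for the operator function, e.g. EffectResLevel
    timeout_s: float = 60.0   # time-out monitoring started when the transaction opens

    @property
    def two_operator(self) -> bool:
        # Both attributes at 0 means the 2 operator scenario is not used.
        return not (self.initiator_level == 0 and self.confirmer_level == 0)


class SecureWrite:
    """One Safety Matrix with at most one open transaction (the organizational rule)."""

    def __init__(self, cfg: SecureWriteConfig, effects: Dict[str, str]):
        self.cfg = cfg
        self.effects = dict(effects)             # constructed stand-in for the F-CPU state
        self.log: List[Tuple[str, ...]] = []     # event log
        self.open: Optional[dict] = None

    def _reject(self, reason: str) -> bool:
        self.log.append(("rejected", reason))
        return False

    def initiate(self, op: Operator, effect: str, now: float) -> bool:
        """Initiator step for Reset effect, up to the point the confirmer takes over."""
        if self.open is not None:
            return self._reject("another transaction is already open")
        if op.level < self.cfg.function_level:
            return self._reject(f"{op.name}: permission level too low")
        if self.cfg.two_operator and not (op.initiator and op.level >= self.cfg.initiator_level):
            return self._reject(f"{op.name}: initiator permission required")
        # Read back before the confirmation dialog: only a latched effect is resettable.
        if self.effects.get(effect) != "latched":
            return self._reject(f"{effect}: not resettable")
        self.open = {"effect": effect, "initiator": op.name, "started": now}
        self.log.append(("initiated", effect, op.name))
        return True

    def confirm(self, op: Operator, now: float, verified: bool) -> bool:
        """Confirmer step; True only if the write was applied and read back correctly."""
        if self.open is None:
            return self._reject("no open transaction")
        tx = self.open
        if now - tx["started"] > self.cfg.timeout_s:
            return self.cancel("time-out expired")
        if not verified:                     # operator saw inconsistencies
            return self.cancel("operator did not verify the change")
        if op.level < self.cfg.function_level:
            return self._reject(f"{op.name}: permission level too low")
        if self.cfg.two_operator and not (op.confirmer and op.level >= self.cfg.confirmer_level):
            return self._reject(f"{op.name}: confirmer permission required")
        self.effects[tx["effect"]] = "reset"                 # write to the F-CPU
        ok = self.effects.get(tx["effect"]) == "reset"       # read back and compare
        self.log.append(("confirmed" if ok else "readback mismatch", tx["effect"], op.name))
        self.open = None
        return ok

    def cancel(self, reason: str) -> bool:
        """Abort the open transaction; the F-CPU state is left unchanged."""
        if self.open is not None:
            self.log.append(("cancelled", self.open["effect"], reason))
        self.open = None
        return False
```

Two properties of the model are worth checking against a real configuration: a rejected confirmation (wrong role or level) leaves the transaction open for the proper confirmer, while a time-out or an unverified dialog cancels it and leaves the effect latched; and with both block icon attributes at 0 a single operator holding only the function level completes the whole write alone, which is the case the Standard operator warning is about.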
191. t only for analog inputs with more than one input tag. A diagnostic interrupt is tripped if the input tags differ by at least the amount of the entered delta value. To clear a diagnostic alarm, these values must lie within the delta range minus the hysteresis. If no value or the value 0 is entered for delta, no delta evaluation is performed.
Example: If a delta value of 5.0 and a hysteresis of 2.0 is set, a diagnostic interrupt is indicated if the values differ by 5.0 or more. The values must lie within a range of 3.0 in order for the diagnostic interrupt to be cleared.
Unit: Specifies the unit of measurement of the analog value. This specification can be up to 16 characters long and is used solely for documentation purposes.
Refer also to section Overview for configuring the causes.

4.3.6 Cause details dialog box, Options tab
Field: Time
Description: The causes can be configured in such a way that the time functions described below are taken into consideration. See also the time lapse diagram for cause time functions following this table.
- None: All time options for this cause are cleared with this check box. None is the default setting.
- ON delay: This specifies an ON delay. The tripping condition for the cause must be fulfilled for at least the specified time peri
192. ters transfer option if the changes you activated are traceable.
6.7 Transferring the Safety Matrix to the project
Chart Parameters option: If you use the Chart Parameters option to transfer, you must take the following into consideration:
- If you then download changes to this Safety Matrix to the F CPU, the Safety Matrix restarts with initial data. All saved information (e.g. active timers, messages) is lost. After the initial run, the output tags of the newly downloaded Safety Matrix F blocks output the value determined from the Safety Matrix logic. If causes/effects are coupled back, the value of the corresponding tags is FALSE during the initial run if you
  - reference an effect in a cause, or
  - reference another cause with a higher number in a cause.
  The value of the output tags of the Safety Matrix prior to the initial run is FALSE. This is only important if these tags are evaluated in the run sequence before the Safety Matrix.
- While changes are being downloaded to the F CPU, processing of the Safety Matrix is interrupted. Therefore, do not plan any active process control by the Safety Matrix during this time (all effects are in the not activated state).
- Afterwards you must download the changes to the OS. Similarly, any active process control by the Safety Matrix is not possible on this OS while the
193. the PCS 7 automation system. Overview of procedure. Table 1-2 Overview of procedure (Step / Required user steps / Safety Matrix component / See Chapter): 1 Inserting a new Safety Matrix, Engineering Tool, 3.1; 2 Editing the properties of the Safety Matrix, Engineering Tool Editor, 4.2; 3 Configuring the functions of the Safety Matrix, Engineering Tool Editor, 4 (Causes 4.3, Effects 4.4, Intersections 4.5); 4 Transferring a Safety Matrix, Engineering Tool, 6; 5 Transferring and loading, Engineering Tool, 7; 6 Operator control and monitoring, Engineering Tool/Viewer, 8; 7 Documentation of a Safety Matrix, Engineering Tool Editor, 9; 8 Acceptance test for a Safety Matrix, Engineering Tool, 10. Product Overview, 1.5 Overview of procedure. Installing, 2.1 Requirements for installation. Hardware components: For information on the hardware components of S7 F/FH Systems, refer to the S7 F/FH Systems Operating Manual (http://support.automation.siemens.com/WW/view/en/2201072). Programming and software requirements: The following software is required to operate the complete range of functions of the Safety Matrix components. WARNING: Operation of Safety Matrix. You may only operate the Safety Matrix components in the released system environments. Operation on terminal server
194. the timed cause is started. When the timer expires, the cause becomes inactive again, irrespective of which status the input tag assumes in the meantime. Any configured acknowledgement of the cause does not affect this behavior. Example parameter assignments, 11.1 Example parameter assignments for causes. 11.1.2 Inhibit. Behavior when a cause is inhibited: The inhibit tag is used to suppress the cause during startup in a batch process. The cause becomes suppressed (i.e. inactive) if the inhibit tag is TRUE. [Timing diagram: Input TAG (DTT) TRUE/FALSE; Inhibit tag TRUE/FALSE; Cause active/inactive; gray zone: cause inhibit is active.] ON delay, OFF delay and timed cause do not affect the function of the inhibit tag; they act independently of each other. If "Auto acknowledge active cause" is not set, a manual acknowledgement is necessary to deactivate a cause. The inhibit tag merely suppresses an activated cause without acknowledging it. 11.1.3 Bypass. Behavior during bypass: Bypass and inhibit have the same basic functionality; they differ only in their use. Bypass is used for maintenance purposes. The cause becomes active if the value of the bypass tag is TRUE. [Timing diagram: Input TAG (DTT) TRUE/FALSE; Bypass tag TRUE/FALSE; Cause active/inactive; gray zone: bypass for cause active.] ON delay, OFF delay and timed cause do not a
195. ther via an operator input or through a restart of the override timer. This intersection forms the combination of intersections S and V, with the special feature that a reset is not necessary if the override timer is still running when the cause becomes inactive. Example parameter assignments, 11.2 Example parameter assignments for effects. 11.2.2 Reset override with output delay. Behavior on reset override with output delay as a function of the intersection configuration: The output delay delays the change in the output tags once the effect becomes active. Reset override of an effect with output delay for intersection N (Not stored): Reset override tag and maximum override time do not affect the effect if intersection N (Not stored) is assigned. [Timing diagram: Cause active/inactive; Effect active/inactive; Output TAG (DTT) TRUE/FALSE.] (1) Time > configured duration of output delay. Gray zone: output delay timer runs. (2) If the cause becomes inactive, the output delay timer is also stopped. Reset override of an effect with output delay for intersection S (Stored): [Timing diagram: Cause active/inactive; Reset override tag TRUE/FALSE; Effect active/inactive; Output TAG (DTT) TRUE/FALSE.] (1) Time
196. therwise this field is empty. Logical path to S7 program: Indicates the path to the S7 program to which the Safety Matrix belongs in the component view, only if a Safety Matrix object exists in SIMATIC Manager for the Safety Matrix; otherwise this field is empty. Matrix in plant hierarchy: Indicates the path to the Safety Matrix in the plant hierarchy, only if a Safety Matrix object exists in the plant hierarchy for the Safety Matrix; otherwise this field is empty. Contains information regarding the usage statistics: number of causes, effects and intersections. Permissions tab: Contains information regarding permissions. Any missing permissions are displayed here. Parameter tab: Secure Write. The Enable tag field is permanently set to EN_SWC. This Boolean input of the nested chart of the Safety Matrix must be used to enable and, if necessary, to disable the Secure Write function for the purpose of making operator inputs, either in online mode of the engineering tool or from the PCS 7 OS. This takes place by means of a signal that is wired in the CFC prior to compiling (enable if signal = TRUE). In the Time interval field, you specify the time in seconds to be used as the time-out time for the Secure Write transaction. Note: Secure Write is required for operating the Safety Matrix with the Safety Matrix Viewer; if Secure Write is not enabled, access is read-only. See sections Secure Write (Page 13
197. tion details, Configuring 101. L: Layout; Limit 88, 129; Log window. M: Maintenance changes (Online mode); Mask; Mask enable 97, 173; MatrixName 109, 115, 117; MatrixSig; Measures after upgrading (Use case 1, Use case 2, Use case 3); Menu commands; Message blocks 77; Monitoring functions; Monitoring functions without access protection; Mutual dependencies of the cause parameters. N: Nested chart; Nested chart of the channel drivers; Nested chart of the matrix logic; Non-critical changes 8. O: OFF delay 15; ON delay 89; Online communication; Online mode (Color codes; Maintenance changes; Starting/stopping 125; Status displays 129); Opening the Safety Matrix Viewer; Operation messages 144, 145; Operation with one operator 132; Operation with two operators 132; Operator control and monitoring (2-operator scenario; Control bar functions 131; Dependency of available functions 136; Differences between ES and OS; Example 140; Overview of the functions; Requirements; User permissions); Operator control functions; Operator control functions with access protection; Operator roles; Operator roles for Secure Write; Operator roles with access protection 78; Optimizing the length of the code area; Optional packages; OS; Bypass 169; Reset override; Override (Maximum time 96; Pre-alarm). P: Parameters
198. tion of times and for unintended interconnections. No intersection (cause/effect pair) exists more than once. The signatures and initial value signatures of the Safety Matrix F-blocks must match those in Annex 3 of the Certificate Report. When the Failsafe Blocks V1_2 F-library is used, check the signature and initial value signature of the F_TEST F-block according to Annex 3 and not according to Annex 1. 4. Downloading the S7 program to the F-CPU. 5. Implementation of a complete function test. Acceptance test for a Safety Matrix. Acceptance test of safety program changes: The following list shows the steps of the S7 F Systems acceptance test. Only the Safety Matrix-specific additions are listed. 1. Back up your safety program. Before backing up, you must transfer (Page 109) and download the Safety Matrix. Check the result of the transfer using the Tools > Compare Matrix with > Program menu command. There must not be any differences displayed. Compare your new safety program with your accepted safety program. Identify the matrices that have been changed using the Compare programs dialog box (Safety program dialog box in S7 F Systems). The result of the comparison is a list of changed F-runtime groups including their F-blocks. All F-blocks of Safety Matrices are contained in a common F-runtime group in the default
199. tive; 0: No effect is active. CAct_Num (INT): Number of active causes. EAct_Num (INT): Number of active effects. Any_CB (BOOL): 1: A cause in the matrix is bypassed; 0: No cause is bypassed. Any_EB (BOOL): 1: An effect in the matrix is bypassed; 0: No effect is bypassed. CByp_Num (INT): Number of causes bypassed. EByp_Num (INT): Number of effects bypassed. Any_CW (BOOL): 1: A cause pre-alarm is active; 0: No cause pre-alarm is active. Any_EW (BOOL): 1: An effect pre-alarm is active; 0: No effect pre-alarm is active. Msec (DINT): Current matrix runtime (includes the runtime of all matrix blocks and the channel drivers). MaxMsec (DINT): Maximum matrix runtime up to now (includes the maximum runtime of all matrix blocks and the channel drivers). See also: Cause message block F_SC_AL; Effect message block F_SE_AL (Page 68). Configuring, 4.1 Overview of Configuring. 4.1.6.3 Cause message block F_SC_AL. Additional information for further processing: Additional information for further processing is available in cause message blocks F_SC_AL in the CFC. In addition, you can configure functions such as "Disable alarms during power-up" in the CFC. Connections of cause message block F_SC_AL (Name / Data type / Description). Inputs: M_Name (String[16]): Matrix name. Number (INT): Cause number. MSG_LOCK (BOOL): 1: Disable all alarms. Outputs: C
200. to Safety Matrix V6.2. Procedure: 1. Create a backup copy of the entire S7 project for comparison purposes before you install Safety Matrix V6.2. 2. Install Safety Matrix V6.2 on the ES. 3. Install Safety Matrix AS/OS Engineering on the ES if necessary. 4. Install Safety Matrix Viewer on the ES/OS if necessary. 5. Right-click the Matrices folder in the S7 program folder and select the Object properties of the matrix folder. 6. On the Matrix tab of the object properties, select the Safety Matrix library (SafetyMatrix Lib V1_3) you want to use for this S7 program. 7. Confirm the subsequent prompts. The blocks will be copied to the S7 program folder. 8. Open the Safety Matrix and transfer it with the following transfer option settings: Transfer option "Use imported channel drivers (IEA support)" cleared; Transfer option "Chart Parameters" selected; Transfer option "Clean nested chart connections" selected; Transfer option "Position blocks" selected along with option "Update all". 9. Perform step 8 for all available Safety Matrices. Meanwhile, other CFC actions are not allowed. 10. Compile the SIMATIC project. 11. Using the Tools > Compare Programs menu command in the Safety Matrix Engineering Tool, compare the safety program with the backup copy from step 1. 12. Following a successful upgrade, the following change is listed for each Safety Matrix: Safety Matrix non-critically cha
201. to be compiled have already been successfully transferred. Compiling the SIMATIC project: 1. Make sure that all inputs and outputs of the Safety Matrix are interconnected with the safety program. 2. Select the Options > CFC > Compile menu command. 3. For compilation of the Safety Matrix, select the "Generate module driver" option in the Compile program dialog box. 4. After the project has been successfully compiled, it can be downloaded to the F-CPU. Downloading the SIMATIC project to the F-CPU: Select the Options > CPU > Download menu command. The matrix logic can now be checked for proper functioning. Compiling and downloading, 7.2 Compiling and downloading to the Operator Station. Requirements: To compile and download to the Operator Station, the AS/OS engineering check box must be selected when the Safety Matrix Engineering Tool V6.2 is installed. This ensures a unique assignment of the WinCC faceplates to the matrices from the ES (see chapter Installing). Configuration and data storage: Configuring is performed exclusively in the ES in PCS 7 and then downloaded to the OS server. All configuration data are managed centrally and stored in the PCS 7 project. Project data such as pictures, tags and archives are stored on the OS server and made available for the OS clients. The
202. to safety class SIL3. Glossary. Safety function: Mechanism built into the → F-CPU and → F-I/O that allows them to be used in → fail-safe systems. In accordance with IEC 61508: function implemented by a safety device in order to maintain the system in a → safe state or to place it into a safe state in the event of a particular fault. → user safety function. Safety instrumented function groups (SIF): You can create your own safety instrumented function groups for your application, i.e. by dividing your application into function groups that you can then monitor and change selectively in the Safety Matrix Engineering Tool and Safety Matrix Viewer (e.g. level measurement and shut-off). In order to use this function, you must assign the individual causes and effects of the safety program to your safety instrumented function groups. Then you can display one, several or all safety instrumented function groups. Safety message frame: In → safety mode, data are transferred between the → F-CPU and → F-I/O, or between the F-CPUs in safety-related CPU-CPU communication, in a safety message frame. Safety mode: 1. Safety mode is the operating mode of the → F-I/O that allows → safety-related communication by means of → safety message frames. 2. Operating mode of the safety program. In safety mode of the safety program all safety mechani
203. tops immediately and an alarm is likewise triggered. (EffectOvrLevel) Ack drivers: This button allows you to perform the necessary reintegration of the F-channel drivers during an F-startup after fault elimination. (DriversAckLevel) Display colors: You can use this button in the Safety Matrix Viewer to display the color assigned to the status or alarm profile in the Safety Matrix. WARNING: Reintegration of the F-channel drivers. If the safety program specifies restart protection for an F-startup after an F-CPU STOP, process data output is blocked until manually enabled. These outputs must not be enabled until it is safe to do so. Bypass report function on control bar: The Bypass report function on the control bar is only available in the Engineering Tool. The Bypass report function creates a list of all causes and effects for which bypasses are set up and all currently simulated tags. The results are displayed in the log window. See also: (Page 133); Initiator and confirmer permissions (Page 132). Operator control and monitoring, 8.5 Operating. 8.5.3.2 Example: Reset effect. Operation with two operators: The transaction on the PCS 7 OS requires two operators having different permissions. The sections below describe the necessary transaction steps for the two operators. In addition to the initiator and/or confirme
204. tput tag as long as the effect has not yet been reset by a positive edge of the reset override tag. Example parameter assignments, 11.2 Example parameter assignments for effects. Bypass of an effect for intersection V (Overridable): [Timing diagram: Cause active/inactive with override timer start/stop events (including a "without effect" start); Reset override tag TRUE/FALSE; Bypass active/inactive; Effect active/inactive; Output TAG (DTT) TRUE/FALSE.] (1), (2): Override timer runs. (1) Time < Maximum override time. (2) Time > Maximum override time. (3) Alarm "Time-out when the effect is overridden"; the alarm is cleared either via an operator input or through a restart of the override timer. (4) Bypass active. A rising edge of the reset override tag both starts and stops the override timer. The timer is automatically stopped as soon as the maximum override time has been reached (3). If the cause becomes inactive, the override timer is also stopped. Activation of the bypass does not stop the override timer. A started override timer can always be stopped again by a positive edge of the reset override tag, independent of the bypass status. The override timer cannot be activated if bypass is active.
205. ty Matrix [Screenshot: Safety Matrix Engineering Tool window "Matrix 2 -- SafetyMatrix\SIMATIC 400(1)\CPU 414-4 H\S7 Programm(1)", menu bar File, Edit, Monitor, View, Options, Window, Help. Labelled areas: Control bar area in online mode; Effect configuration area; Select SIF groups; Cause configuration area (columns Input Tag, Func, Limit, Trip, Unit, Cause descr., User Notes); Intersection configuration area; User notes configuration area; Safety Matrix information area (Major revisions, Title, Project properties); Legend of intersection type options: N Not stored, S Stored, V Overridable, R Resettable and overridable.] Log window: Another important component of the Safety Matrix user interface is the log window that opens and becomes active for displaying the configuration report, the validation report and the event log. The log window is arranged below the Safety Matrix by default, but you can move and resize it as needed. If the log window is activated, a reduced menu bar is available containing the familiar Windows commands for saving, printing, arranging windows and help. Software user interface. Status bar
206. ty Matrix to the project. Option "Position alarm blocks": When a transfer is performed with the "Position alarm blocks" option selected, the configured message blocks are positioned in the CFC chart. Note: If the Positioning check box of the alarm blocks is not selected, the existing message blocks are deleted during the transfer and new message blocks are not positioned. Messages are not issued and block icons are not created for the OS. This also applies if the F_MA_AL (Safety Matrix, 1 time), F_SC_AL (causes, x times) and F_SE_AL (effects, x times) message blocks were correctly configured within the Safety Matrix. Requirements for generating block icons: To generate the block icons of the Safety Matrix, the message blocks must be configured appropriately (see section Message configuration, Page 60) and the Safety Matrix must be transferred with the "Position alarm blocks" option selected. Additional options: In addition, you can choose one of three options. Update all (recommended): The current message block configuration in the Safety Matrix is transferred to the CFC program. Message blocks are re-positioned; those that are no longer used are deleted. Update new: Only the newly created message blocks are transferred to the CFC program. Message blocks that are no longer used are deleted. Leave unchanged: The current configuration of message blocks in the Safety Matrix is ignored. Message blocks are neither posit
207. ucing the new Safety Matrix block icon into the PCS 7 OS. Compile and download the OS. Installing, 2.5 Upgrading to Safety Matrix V6.2. 2.5.5 Use case 4. Objective: Update of the Safety Matrix Viewer. Introduction: This use case helps you when migrating from Safety Matrix Viewer V6.0/V6.1 to Safety Matrix Viewer 6.2. Requirements: A project has been compiled and downloaded. Consequences: No changes to the safety program; no changes to the collective signature; OS compilation required. Procedure: Create a backup copy of the entire S7 project for comparison purposes before you install Safety Matrix V6.2. Install Safety Matrix AS/OS Engineering on the ES if necessary. Install Safety Matrix Viewer on the ES/OS as well as on the corresponding client. Launch WinCC Explorer for the OS contained in the Safety Matrix project. Open the OS Project Editor and click OK; the project is reconfigured and, as a result, the new block icon will be adopted. Open the Global Script C Editor and select the Options > Regenerate headers menu command. For the plant pictures, see the section Introducing the new Safety Matrix block icon into the PCS 7 OS (Page 28). In order to introduce the new block icon into existing plant pictures, you must recompile the relevant project. If necessary, configure the desired permissions for the block icons. 1. Start SIMATIC Manager
208. Example parameter assignments, 11.2 Example parameter assignments for effects. Bypass of an effect for intersection R (Resettable and overridable): [Timing diagrams (two variants): Cause active/inactive with override timer start/stop events (including starts "without effect"); Reset override tag TRUE/FALSE; Bypass active/inactive; Effect active/inactive; Output TAG (DTT) TRUE/FALSE.] (1), (2): Override timer runs. (4) Bypass active. (1) Time < Maximum override time. (2) Time > Maximum override time. (3) Alarm "Time-out when the effect is overridden"; the alarm is cleared either via an operator input or through a restart of the override timer. A rising edge of the reset override tag both starts and stops the override timer. The timer is automatically stopped as soon as the maximum override time has been reached (3). If the cause becomes inactive, the override timer is also stopped. If the cause becomes inactive while the override timer is running, a reset is not nec
209. use details (Cause x) dialog box; 4.3.4 Cause details dialog box: Configure tab; 4.3.5 Cause details dialog box: Analog parameters tab (88); 4.3.6 Cause details dialog box: Options tab; 4.3.7 Cause details dialog box: Alarms tab; 4.4 Configuring the effects; 4.4.1 Overview for configuring the effects; 4.4.2 Creating/changing an effect and the column for an effect; 4.4.3 Overview of the Effect details (Effect x) dialog box; 4.4.4 Effect details dialog box: Configure tab; 4.4.5 Effect details dialog box: Options tab; 4.4.6 Effect details dialog box: Alarms tab; 4.5 Configuring the intersections (100); 4.5.1
210. use tag satisfies the tripping condition, e.g. the cause tag satisfies the tripping condition if the tag value is less than or equal to, or greater than or equal to, the entered value, depending on the limit type selected. Type: This setting specifies whether the limit is a high or low limit. If it is a high limit, the cause tag satisfies the tripping condition if its value is greater than or equal to the entry value in the Limit field. If it is a low limit, the cause tag satisfies the tripping condition if its value is less than or equal to the entry value in the Limit field. Limit pre-alarm: A cause tag is shown in the color configured for Pre-alarm as soon as the TAG value is less than/equal to or greater than/equal to this input value, depending on the selected limit type. To disable this option, set the value greater than/equal to the limit value. Hysteresis: The hysteresis specifies a dead band in the range of the limit value that applies if a cause tag no longer satisfies the tripping condition. It prevents an input from constantly oscillating between active and inactive. The default setting is no hysteresis, i.e. the value 0. Examples: If a high limit of 90.0 and a hysteresis of 5.0 are set, the cause remains active until the value falls below 85.0. If a low limit of 10.0 and a hysteresis of 2.0 are set, the cause remains active until the value rises above 12.0. Delta: This field is presen
211. uses and effects are hidden, including those that are not assigned to an SIF group. You can specify a text for the SafetyGroupDescription attribute so that you can tell from the block icon whether the Safety Matrix display is filtered. This text is output in the third line of the block icon, which otherwise remains empty. The following table provides an overview of the filter properties (Designation in MatrixData property / Description / Default). SafetyGroupNumber: Numerical default setting of the SIF group; default 0 (all causes and effects in the Safety Matrix are displayed). SafetyGroupDescription: Textual default setting of the SIF group in the Safety Matrix. Attributes for setting the display colors: The block icon offers you the option of using attributes to change the background and text colors in the display. Cause block icon: [Image: cause block icon.] The cause block icon shows the following information for a cause: the technological name of the cause message block; whether the cause is active (red circle); whether there is a pre-alarm for the cause (yellow circle); whether there is a bypass for the cause; whether there is a diagnostic interrupt (error) for the cause; whether acknowledgement of the First Out alarm is required. Attributes for setting the display colors: The block icon offers you the option of using attributes to change the background and text colors in the display. S
212. using Secure Write transaction in online mode / Write transaction via faceplate. User permissions and the 2-operator scenario are also supported. Operator inputs that alter the signature of the program: values for delta, limit and hysteresis; parameter assignment of high and low range limits of F-channel drivers for analog tags. Context menus are available. Events and messages: Event log / Event log; PCS 7 alarm and operation messages in the alarm log. WARNING: Warning and safety notices in the user manual for Safety Matrix V5.2. If you have not yet transferred the Safety Matrix using the Safety Matrix Engineering Tool V6.1 or higher, you must take into consideration all warnings and safety notices in the Safety Matrix V5.2 User Manual. WARNING: Independent paths to the display. To introduce safety-critical actions (e.g. operations), you must use displays on paths that are independent of each other. The Safety Matrix offers the status displays and the event log for this purpose. The different status display types are not independent of each other, nor are the displays in online mode of the Safety Matrix Engineering Tool or the displays in the Safety Matrix Viewer. Operator control and monitoring, 8.2 Introduction. 8.2 Starting online mode in the Engineering Tool. Starting o
213. ut tag is set to 0 when the effect is active. In energize-to-trip applications, the output tag is set to 1 when the effect is active. By default this check box is not selected, i.e. the default setting is deenergize-to-trip, because the value 0 is regarded as the safe rest position for digital F-I/O (see table below). In the Safety Matrix, output tags for which energize-to-trip is selected are labeled with an asterisk at the end of the output tag. Function type: The Function type defines the conditions under which an effect becomes active. An entry in this field is mandatory. Normal: By default, all effects and up to four output tags are set to the respective values when the effect becomes active. Note: The Normal function type results in a tripping command. The tripping command can include a time delay before the effect becomes active, or it can be blocked or bypassed. See also Effect details dialog box: Alarms tab (Page 99). For note only: The effect will not be processed; used only for documentation purposes. Configuring, 4.4 Configuring the effects (Field / Description). Alarm profile: An alarm profile is assigned to each effect. You can configure the alarm profiles for the causes and effects (see section Effect details dialog box, Page 96). The alarm profile selection determines the colo
214. vated. Thus the output tag acts according to the following logic: [Timing diagram: Effect active/inactive; Process data tag TRUE/FALSE; Mask enable tag TRUE/FALSE; Output TAG (DTT) TRUE/FALSE.] The value of the mask enable tag specifies whether the effect logic or an externally controlled process tag (see process data tag) is interconnected with the output tags of the effect. (1) If the mask enable tag is TRUE, the value of the process data tag passes over to the output tags. (2) If the mask enable tag is FALSE, the effect logic is transferred to the output tags. Example parameter assignments, 11.2 Example parameter assignments for effects. Configuration of "Process data pass-through": Process data pass-through and process data tag configured, mask enable tag not configured. [Timing diagram: Effect active/inactive; Process data tag TRUE/FALSE; Output TAG (DTT) TRUE/FALSE.] The process data pass-through is controlled by the status of the effect. The value of the process data tag passes over to the output tags if the effect is not active. (1) If the effect is active, the output tags are controlled by the status of the effect. Configuration of "Process data pass-through" and "Mask" at the same time: Process data tag and