S7 Distributed Safety - configuring and - Service, Support
Contents
1. [Figure: safety door with position switches 1 and 2 (OPEN/CLOSE, deactivated/activated) wired to the F-DI inputs IN1 and IN2; states "Safety door closed", "Position switch 1 deactivated", "Position switch 2 activated"]

S7 Distributed Safety configuring and programming, Programming and Operating Manual, 07/2013, A5E00109537-05
F Libraries, 9.1 Distributed Safety F library V1

Startup Characteristics
After an F system startup, enable signal Q is reset to 0. The acknowledgment for the enable takes place according to the parameter assignment at inputs OPEN_NEC and ACK_NEC:
- When OPEN_NEC = 0, an automatic acknowledgement occurs independently of ACK_NEC as soon as the two inputs IN1 and IN2 assume signal state 1 for the first time following reintegration of the associated F-I/O (safety door is closed).
- When OPEN_NEC = 1, or if at least one of the IN1 and IN2 inputs still has a signal state of 0 after reintegration of the associated F-I/O, an automatic acknowledgment occurs according to ACK_NEC, or you have to use a rising edge at input ACK for the enable. Prior to acknowledgment, inputs IN1 and IN2 both have to assume a signal state of 0 (safety door has been completely opened), followed by a signal state of 1 (safety door is closed).

WARNING
Variable OPEN_NEC must not be assigned a value of 0 unless an automatic restart of the affected pro
2. Principle of operation
This F application block implements two-hand monitoring. If momentary contact switches IN1 and IN2 are activated within the permissible discrepancy time DISCTIME (≤ 500 ms) (IN1 = IN2 = 1, synchronous activation), output signal Q is set to 1. If the time difference between activation of momentary contact switch IN1 and momentary contact switch IN2 is greater than DISCTIME, the momentary contact switches must be released and reactivated.
Q is reset to 0 as soon as one of the momentary contact switches is released (IN1 or IN2 = 0). Enable signal Q can be set to 1 again only if the other momentary contact switch has also been released and both switches are then reactivated within the discrepancy time.
Enable signal Q can never be set to 1 if the discrepancy time is set to values less than 0 or greater than 500 ms.
The F application block supports requirements in accordance with EN 574.

Note: Only one signal per momentary contact switch can be evaluated in the F application block. With suitable configuration (type of sensor interconnection: 2-channel nonequivalent), discrepancy monitoring of the NC and NO contacts of the IN1 and IN2 momentary contact switches is performed directly by the F-I/O with inputs. The NO contact must be wired in such a
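As an added illustration (not code from the Siemens manual or library), here is a Python model of the two-hand monitoring rules stated above: synchronous activation within DISCTIME sets Q, asynchronous activation requires both switches to be released before a new attempt, releasing one switch drops Q and requires the other to be released as well, and a DISCTIME outside 0..500 ms never enables. The class name TwoHandMonitor, the helper simulate and the cycle timestamps are my own constructions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TwoHandMonitor:
    """Python model (not Siemens code) of the two-hand monitoring rules above.

    Q = 1 only when IN1 and IN2 are activated within DISCTIME of each other after
    both were released; Q = 0 as soon as either switch is released; DISCTIME must
    lie in 0..500 ms, otherwise Q can never become 1.
    """
    disctime_ms: int
    q: bool = False
    armed: bool = True            # both switches have been released since the last attempt
    t_in1: Optional[int] = None   # time of the most recent rising edge at IN1
    t_in2: Optional[int] = None   # time of the most recent rising edge at IN2
    prev_in1: bool = False
    prev_in2: bool = False

    def cycle(self, t_ms: int, in1: bool, in2: bool) -> bool:
        """One evaluation of the block at time t_ms; returns enable signal Q."""
        both_held_before = self.prev_in1 and self.prev_in2
        if in1 and not self.prev_in1:
            self.t_in1 = t_ms
        if in2 and not self.prev_in2:
            self.t_in2 = t_ms
        self.prev_in1, self.prev_in2 = in1, in2

        if not 0 <= self.disctime_ms <= 500:
            # DISCTIME outside the permitted range: the enable can never be given
            self.q = False
        elif not in1 and not in2:
            # both switches released: a new synchronous activation is allowed
            self.armed = True
            self.q = False
        elif in1 and in2:
            if not self.q:
                if self.armed and abs(self.t_in1 - self.t_in2) <= self.disctime_ms:
                    self.q = True          # synchronous activation within DISCTIME
                else:
                    self.armed = False     # asynchronous: release both and start over
        else:
            # exactly one switch pressed
            if both_held_before:
                self.armed = False         # one switch released: the other must be released too
            self.q = False
        return self.q


def simulate(disctime_ms: int, trace: List[Tuple[int, int, int]]) -> List[bool]:
    """Run a constructed (t_ms, IN1, IN2) trace through the model and collect Q per cycle."""
    block = TwoHandMonitor(disctime_ms)
    return [block.cycle(t, bool(a), bool(b)) for t, a, b in trace]


if __name__ == "__main__":
    # constructed sample trace: IN1 at 100 ms, IN2 at 300 ms, IN1 released at 500 ms
    sync = [(0, 0, 0), (100, 1, 0), (300, 1, 1), (400, 1, 1), (500, 0, 1), (600, 0, 0)]
    print(simulate(500, sync))
```

The trace format is one tuple per block call, so the model can also be driven from recorded I/O data to check a plant's switch timing against the configured DISCTIME.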
3. Note: You must use addresses within the process image for the local addresses because communication is taking place with real F-I/O.

8.5 Safety-Related I-Slave-Slave Communication
8.5.2 Configuring Safety-Related I-Slave-Slave Communication
Requirements
You have created a project in STEP 7.
Procedure for Configuring I-Slave-Slave Communication
In this section we demonstrate how to configure the address areas of the above figure as an example.
1. Create a station in your project in SIMATIC Manager, for example an S7-300 station.
2. Assign an F-CPU to this station from the hardware catalog in HW Config.
3. Configure this CPU as a DP slave in HW Config, in the Operating Mode tab of the object properties for the DP interface of the CPU.
4. Create another station and assign a standard CPU or F-CPU (see steps 1 and 2).
5. Configure this CPU as a DP master in HW Config, in the Operating Mode tab of the object properties for the DP interface of the CPU.
6. In the hardware catalog, select an IM 151 HIGH FEATURE (order no. 6ES7 151-1BA01-0AB0 or higher) and place it on the DP master system.
7. Assign a power module, a 4/8 F-DI module and a 4 F-DO module to the IM using a drag-and-drop operation.
8. In the hardware catalog under Config
4. Principle of operation
This F application block forms an edge-controlled down counter with functionality based on IEC counter SFB 1 CTD. The counter counts down 1 at a rising edge (relative to the last F application block call) at input CD. When the counter value reaches the lower limit of -32768, it no longer counts down: for every additional rising edge at input CD, no counter action takes place. Signal state 1 at input LOAD causes the counter to be preset to preset value PV. This occurs irrespective of the value at input CD. Output Q displays whether the current counter value is less than or equal to zero. The functionality of this F application block is in accordance with IEC 61131-3.
Startup Characteristics
The instances of F_CTD are reset in the first cycle following startup of the F system, resulting in:
- CV = 0
- Q = 0

9.1.2.5 FB 183 F_CTUD: Count Up and Down
Connections
Parameter | Data Type | Description | Default
Inputs:
CU | BOOL | Count up input | 0
CD | BOOL | Count down input | 0
R | BOOL | Reset input (R prevails over LOAD) | 0
LOAD | BOOL | Load input (LOAD prevails over CU and CD) | 0
PV | INT | Default value (the counter is preset to PV if signal state 1 is present at input LOAD) | 0
Outputs:
QU | BOOL | Status of up co
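To make the F_CTD rules above concrete, here is a Python model of the described behaviour (my own code, not the Siemens block): rising-edge detection relative to the previous call, saturation at the lower limit -32768, LOAD presetting CV to PV regardless of CD, Q = (CV <= 0), and the startup state CV = 0, Q = 0. The names FCtdModel and run are my own; the call sequences are constructed.

```python
from typing import List, Tuple

INT_MIN, INT_MAX = -32768, 32767   # range of a 16-bit INT


class FCtdModel:
    """Python model (not Siemens code) of the F_CTD down counter behaviour above."""

    def __init__(self) -> None:
        # startup characteristics: CV = 0 and Q = 0 in the first cycle after F system startup
        self.cv = 0
        self.q = False
        self._prev_cd = False

    def call(self, cd: bool, load: bool, pv: int) -> Tuple[int, bool]:
        """One block call with inputs CD, LOAD, PV; returns (CV, Q)."""
        if not INT_MIN <= pv <= INT_MAX:
            raise ValueError("PV must fit a 16-bit INT")
        rising_edge = cd and not self._prev_cd   # edge relative to the previous call
        self._prev_cd = cd
        if load:
            self.cv = pv                          # preset irrespective of the value at CD
        elif rising_edge and self.cv > INT_MIN:
            self.cv -= 1                          # count down; no action at the lower limit
        self.q = self.cv <= 0
        return self.cv, self.q


def run(calls: List[Tuple[int, int, int]]) -> List[Tuple[int, bool]]:
    """Feed a constructed (CD, LOAD, PV) sequence to one instance; collect (CV, Q) per call."""
    block = FCtdModel()
    return [block.call(bool(cd), bool(load), pv) for cd, load, pv in calls]


if __name__ == "__main__":
    # constructed: preset to 2, then three rising edges at CD (the middle one held high)
    print(run([(0, 1, 2), (1, 0, 2), (0, 0, 2), (1, 0, 2), (1, 0, 2), (0, 0, 2), (1, 0, 2)]))
```

Note that a rising edge at CD arriving in the same call as LOAD = 1 is consumed by the preset and is not counted in the following call, which is what "LOAD prevails" means for an edge-triggered input.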
5. [Timing diagram residue: MUTING, Q, FAULT, ACK_REQ traces with t < TIME_MAX and ACK; figure not recoverable]

Schematic Sequence of Muting Procedure with Reflection Light Barriers
If reflection light barriers are used as muting sensors, they are generally arranged diagonally. In general, this arrangement of reflection light barriers as muting sensors requires only two light barriers, and only MS_11 and MS_12 are interconnected. The sequence is similar to that of the muting procedure with four muting sensors. Step 3 is omitted. In step 4, replace MS_21 and MS_22 with MS_11 and MS_12, respectively.
[Figure: light curtain sender and receiver at the danger zone, with reflection light barriers MS_11 and MS_12 arranged diagonally]

Restart Inhibit upon Interruption of Light Curtain If MUTING Is Not Active, When Errors Occur and During F System Startup
Enable signal Q cannot be set to 1 or becomes 0 if:
- Light curtain is interrupted (e.g. by a person or material transport) while the MUTING function is not active
- The muting lamp monitoring function responds at input QBAD_MUT
- Sensor pair 1 (MS_11 and MS_12) or sensor pair 2 (MS_21 and MS_22) is not activated or deactivated during discrepancy time DISCTIM1 or DISCTIM2, respectively
- The MUTING function is active longer than the max
6. 1.2 Hardware and Software Components
S7 Distributed Safety Optional Package
This documentation describes the S7 Distributed Safety V5.4 SP4 optional package. S7 Distributed Safety is the configuration and programming software for the S7 Distributed Safety fail-safe system. With S7 Distributed Safety you receive the following:
- Support for configuring the F-I/O in STEP 7 using HW Config
- Support for creating the safety program and integrating error detection functions into the safety program
- F library containing fail-safe application blocks that you can use in your safety program
Moreover, S7 Distributed Safety offers functions for comparing safety programs and for assisting you with the system acceptance test.
Safety Program
You create a safety program with the FBD/LAD Editor in STEP 7. You program fail-safe FBs and FCs in the F-FBD or F-LAD programming languages and create fail-safe DBs in the F-DB programming language. The supplied Distributed Safety F library (V1) provides fail-safe application blocks that you can use in your safety program. Safety checks are automatically performed and additional fail-safe blocks for error detection and fault reaction are inserted when the safety program is compiled. This ensures that failures and errors are detected and appropriate reactions are triggered to maintain the F system in the safe state or bring it to a safe state. In addition to the safety program, a standard user pro
7. F_TP Timing Diagrams
[Timing diagram residue: IN, ET, PT traces; figure not recoverable]
Startup Characteristics
The instances of F_TP are reset in the first cycle following a startup of the F system, resulting in:
- ET = 0
- Q = 0
See also: Overview of F application blocks (Page 183)

9.1.2.7 FB 185 F_TON: Create ON Delay
Connections
Parameter | Data Type | Description | Default
Inputs:
IN | BOOL | Start input | 0
PT | TIME | Time by which the rising edge at input IN is delayed (with PT > 0) | T#0ms
Outputs:
Q | BOOL | Time status | 0
ET | TIME | Elapsed time | T#0ms
Principle of operation
This F application block delays a rising edge by time PT; this functionality is based on IEC TIMER SFB 4 TON. A rising edge at input IN results in a rising edge at output Q once time PT has elapsed. Q remains set until input IN changes to 0. If input IN changes to 0 before time PT has elapsed, output Q remains at 0. Output ET supplies the time that has passed since the last rising edge at input IN, not to exceed the value at input PT. ET is reset if input IN changes to 0.
WARNING
When using an F application block with time processing, take the following timing imprecision sources into account when determining your response times:
- Known timing imprecision based on standard
8. [Figure residue: "These six bits are lost" / "The bit positions now available are filled with zeros"]

9.1.2.22 FC 175 F_SHR_W: Shift Right 16 Bits
Connections
Parameter | Data type | Description | Default
Inputs:
IN | WORD | Value that is shifted |
N | INT | Shift number |
Outputs:
OUT | WORD | Result of shift operation |
Principle of Operation
This F application block shifts the content of the bits of the value transferred at input IN to the right, bit by bit. The bit locations that are freed up during the shift operation are filled with zeros. Shift number N indicates by how many bits the content is to be shifted. The result of the shift instruction is provided at output OUT. Output OUT is always 0 when 15 < N < 255. Note that when N < 0 or N > 255 is specified, only the low byte of the value transferred at input N is evaluated as a shift number.
[Figure: example of shifting IN right by N = 6 places; the six low-order bits are lost and the bit positions that become available are filled with zeros]

9.1.2.23 FC 176 F_BO_W: Convert 16 Data Elements of Data
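The rule that only the low byte of N is evaluated outside 0..255 is easy to get wrong when a shift count is computed in the standard program and passed into the safety program, so here is a Python model of the F_SHR_W semantics above (my own code, not the Siemens FC). The names f_shr_w and shift_trace are my own; the sample values are constructed. N is taken as a 16-bit INT and its low byte is obtained from the two's-complement representation, which is an assumption about how a negative INT is stored.

```python
from typing import Dict

WORD_MASK = 0xFFFF
INT_MIN, INT_MAX = -32768, 32767


def effective_shift(n: int) -> int:
    """Shift count actually applied: N itself in 0..255, otherwise its low byte.

    Assumption: a negative INT is held in 16-bit two's complement, so -250 has
    low byte 0x06 and is treated as a shift by 6.
    """
    if not INT_MIN <= n <= INT_MAX:
        raise ValueError("N must fit a 16-bit INT")
    return n if 0 <= n <= 255 else n & 0xFF


def f_shr_w(in_word: int, n: int) -> int:
    """Python model (not Siemens code) of F_SHR_W: shift IN right by N, zero-fill."""
    if not 0 <= in_word <= WORD_MASK:
        raise ValueError("IN must be a 16-bit WORD")
    shift = effective_shift(n)
    if shift > 15:
        return 0                      # every bit is shifted out: OUT is always 0
    return (in_word >> shift) & WORD_MASK


def shift_trace(in_word: int, n: int) -> Dict[str, int]:
    """Report the applied shift, the bits that are lost and the result (as in the figure)."""
    shift = effective_shift(n)
    lost_count = min(shift, 16)
    lost = in_word & ((1 << lost_count) - 1)
    return {"effective_shift": shift, "lost_bits": lost, "out": f_shr_w(in_word, n)}


if __name__ == "__main__":
    # constructed samples: the figure's N = 6 case, and counts outside 0..255
    for word, n in ((0x00AB, 6), (0xFF00, 264), (0xFF00, -250), (0xABCD, -1)):
        print(f"IN={word:016b} N={n:6d} -> {shift_trace(word, n)}")
```

A practical check this model supports: if a shift count variable can ever be negative or exceed 255 in the standard program, the block does not reject it but silently shifts by the low byte, so the safety program should constrain N to 0..15 before calling the block if a zero result is not the intended behaviour.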
9. 1. Compile the safety program in the Safety Program dialog.
2. Use the Safety Program dialog to download the complete safety program to the F-CPU in STOP mode and activate safety mode by switching the F-CPU from STOP to RUN mode.
3. Follow the steps described in Chapter Safety Program Acceptance Test.
See also: Configuring the F-CPU (Page 26); Creating F-Blocks in F-FBD/F-LAD (Page 77)

10.7 Modifying the Safety Program
10.7.2 Comparing Safety Programs
Criteria for Comparing Safety Programs
You can compare two safety programs according to the following criteria:
- Collective signature of all F blocks with F attribute in the block container
- Parameters of individual F blocks
- Signatures of individual F blocks
You can compare the signatures of F blocks to identify modified or deleted F blocks.
Comparable Safety Programs
You can compare a safety program with the following:
- Online safety program (online version of this safety program)
- Offline safety program (any offline safety program)
- Online safety program (any online safety program)
- A safety program on a memory card
- A safety program of a reached station

Compiling and commissionin
10. Additional Information
You will find more information about configuring and programming safety-related communication between safety programs on different F-CPUs in the references provided under See also.
See also: Implementing User Acknowledgment in the Safety Program of the F-CPU of a DP Master or IO Controller (Page 121); Page 131; Page 13; Page 156

9.1.2.20 FB 225 F_SENDS7 and FB 226 F_RCVS7: Communication via S7 Connections
Introduction
You use the F_SENDS7 and F_RCVS7 F application blocks for fail-safe sending and receiving of data via S7 connections.
Note: In S7 Distributed Safety, S7 connections are generally permitted over Industrial Ethernet only.
Safety-related communication via S7 connections is possible from and to the following CPUs:
- CPU 315F-2 PN/DP (only via PN interface of the CPU)
- CPU 317F-2 PN/DP (only via PN interface of the CPU)
- CPU 416F-3 PN/DP (only via PN interface of the CPU)
- CPU 416F-2 (firmware version V4.0 and higher)
Connections of F Application Block F_SENDS7
Parameter | Data Type | Description | Default
Inputs:
SEND_DB | BLOCK_DB | Number of F communication DB | 0
TIMEOUT
11. [Table continued: Modified F block | Automatically generated F block | Change in safety program]
- Change in the declaration table in called F-FBs/F-FCs, or in F-PB/F-FB/F-FC of F-DBs used
- Change in the declaration table in F-FBs contained as multi-instances
- Missing F-FBs called as multi-instances
- I-DB for F program block / DB for F-FB: change in the declaration table of the F-PB/F-FB for each I-DB
- F application block / F system block: modified version of F block (for example, due to use of F blocks from a new version of S7 Distributed Safety); missing F-FBs called as multi-instances
- I-DB for F application block: modified version of associated F application block
- F-DB: change in the declaration table of the F-DB
- F-I/O DB: change in the hardware configuration of the respective F-I/O; change in F parameters of the F-CPU; modified version of F system blocks

10.7 Modifying the Safety Program
Modified F block | Automatically generated F block | Change in Safety Program
- Change in the maximum cycle time of the F runtime group; change in F parameters of the F-CPU; modified version of F system blocks; change in the F runtime group communication (for example, change in the number of a DB for F runtime group communication)
- F-CALL: change in the assignment of the F-PB and its instance DB; change in the F-I/O add
12. 5.5 Passivation and Reintegration of F-I/O after F System Startup
Behavior after Startup
After a startup of the F system, communication between the F-CPU and F-I/O must be established in accordance with the PROFIsafe safety protocol. During this time, the entire F-I/O are passivated. While fail-safe values (0) are being used, variables QBAD, PASS_OUT, QBAD_I_xx and QBAD_O_xx = 1.
Reintegration of F-I/O
Reintegration of the F-I/O, that is, the provision of process data in the PII or the transfer of process data provided in the PIQ to the fail-safe outputs, takes place automatically starting at the earliest with the second cycle of the F runtime group after startup of the F system; this happens regardless of the setting at variable ACK_NEC. Depending on the F-I/O you are using and the cycle time of the F runtime group and PROFIBUS DP/PROFINET IO, several cycles of the F runtime group can elapse before reintegration occurs. If communication between the F-CPU and F-I/O takes longer to establish than the monitoring time set in the object properties for the F-I/O in HW Config, automatic reintegration does not take place.
Signal Chart for Passivation and
13. - All F blocks (F-PB, F-FB, F-FC, F-DB) that you created in the safety program, in the applicable programming language (for F-DBs, the data view is printed)
- Safety program: list of all F blocks of the safety program and other data relevant to the acceptance test (see Chapter Printed Project Data for the Safety Program)
- Hardware configuration (see Chapter Printed Project Data for the Hardware Configuration)
- Symbol table
You must print out all print content for the system acceptance test.

10.8 Printing out Project Data
Footer of the Printouts
The following information is displayed in the footer of the printouts:
- Collective signature of all F blocks with F attribute in the block container
- Signature of symbols (only for printout of the offline safety program)
- Version identifier of S7 Distributed Safety used to create the printouts
- Depending on the status of the safety program: "Safety program changed", "Safety program not changed" or "Symbols changed"
Note: If "Symbols changed" is output, it signifies that assignments for global or local symbols have changed (e.g. changes in the symbol table or to parameter names of F-DBs or F-FBs) and the changes were not made in all affected F-FBs/F-FCs. To correct this situation, use the Check block cons
14. [Figure: light curtain sender and receiver at the danger zone with muting sensors MS_11 and MS_12]

- The two muting sensors MS_21 and MS_22 must be activated within DISCTIM2 before muting sensors MS_11 and MS_12 are switched to inactive (apply signal state 0). In this way, the F application block retains the MUTING function (Q = 1, MUTING = 1).
[Figure: product passing the light curtain between sender and receiver at the danger zone; MS_11 and MS_12 shown]
- Only if one of the two muting sensors MS_21 and MS_22 is switched to inactive (product enables sensors) is the MUTING function terminated (Q = 1, MUTING = 0). The maximum activation time for the MUTING function is the time set at input TIME_MAX.
Note: The MUTING function is also started if the product passes the light curtain in the reverse direction and the muting sensors are thus activated by the product in reverse order.

Timing Diagrams for Error-Free Muting Procedure with Four Muting Sensors
[Timing diagram residue: FREE, MS_11, MS_12, MS_21 traces with t < DISCTIM1 and t < DISCTIM2; figure not recoverable]
15. [DIAG table continued]
... passivation by means of PASS_ON of F-I/O of emergency STOP switch | (see preceding rows)
 | | Emergency STOP switch is defective | Check emergency STOP switch
 | | Wiring fault | Check wiring of emergency STOP switch
Bit 5 | If enable is missing, input ACK has a permanent signal state of 1 | Acknowledgment button defective | Check acknowledgment button
 | | Wiring fault | Check wiring of acknowledgment button
Bit 6 | Acknowledgment required (state of ACK_REQ) | |
Bit 7 | State of output Q | |
Note: Access to the DIAG output is not permitted in the safety program.
See also: F-I/O DB (Page 101)

9.1.2.16 FB 216 F_FDBACK: Feedback Monitoring
Connections
Parameter | Data Type | Description | Default
Inputs:
ON | BOOL | 1 = Enable output | 0
FEEDBACK | BOOL | Feedback input | 0
QBAD_FIO | BOOL | QBAD or QBAD_O_xx signal of F-I/O channel of output Q (F-I/O DB) | 0
ACK_NEC | BOOL | 1 = Acknowledgment necessary | 1
ACK | BOOL | Acknowledgment | 0
FDB_TIME | TIME | Feedback time | T#0ms
Outputs:
Q | BOOL | Output | 0
ERROR | BOOL | Feedback error | 0
ACK_REQ | BOOL | Acknowledgment request | 0
DIAG | BYTE | Service information | B#16#0
Principle of Operation
This F application block implements feedback monitoring. To do this, the signal state of the output Q is checked for equality with the inverse signal state
16. ... F-SBs and the F-shared DB that are automatically inserted in the safety program.
F system blocks: The F system blocks (F-SBs) are automatically inserted by S7 Distributed Safety when the safety program is compiled, in order to create an executable safety program from the user's safety program. You must not insert F system blocks from the F System Blocks block container in an F-PB/F-FB/F-FC. Likewise, you must not modify, rename or delete F system blocks in the Distributed Safety F library (V1) or the block container of your user project.
F-shared DB: Fail-safe block that contains all of the global data of the safety program and additional information needed by the F system. When the hardware configuration is saved and compiled, the F-shared DB is automatically inserted and expanded. Using the symbolic name of the F-shared DB, i.e. F_GLOBDB, you can evaluate certain data of the safety program in the standard user program.
Note: A detailed description of the F application blocks can be found in Chapter Distributed Safety F Library (V1).
See also: F-I/O Access; Overview of Distributed Safety F Library (V1) (Page 183); Custom F Libraries

4.1 Overview of Programming
4.1.4 Differences between the F-FBD and F-LAD programming langu
17. (Index)
Structuring 57
Testing
Transferring to multiple F-CPUs 53
Safety program dialog 267
Safety program states
Safety requirements 8
Achievable 8
Safety-related communication 86
Between F runtime groups 86
Safety-related communication via S7 connections 173
Configuring 173
Programming 178
Safety-related communication via S7 connections, limits of data transfer 181
Safety-related CPU-CPU communication 23, 25, 59, 287
Configuring
F_RCVDP 242
F_SENDDP 242
F communication DB 176
Options, Overview, Programming 131
Safety-related IO controller-IO controller communication 172
Safety-related I-slave-slave communication 152, 158
Configuring 158
Configuring address areas 156
Programming 152
Safety-related I-slave-slave communication 165
Configuring 165
Safety-related I-slave-slave communication, configuring address areas 162
Safety-related master-I-slave communication 146
Configuring
Configuring address areas 144
Programming 152
Safety-related master-master communication
Configuring 136
Programming
Safety-related master-master communication, limits of data transfer 144
Safety-relevant parameters 25
Changing 25
Scale INT 186
Sending and receiving data via S7 connections 249
Service & Support, Automation and Drives 3
Setting up access permission for the F-CPU 53
SFC 46 STP 323
Initiat
18. [Timing diagram residue: MS_11, MS_12, MS_21 traces with t < DISCTIM1 and t < DISCTIM2, t < TIME_MAX, ACK, MUTING, Q, FAULT, ACK_REQ; figure not recoverable]

Schematic Sequence of Muting Procedure with Reflection Light Barriers
If reflection light barriers are used as muting sensors, they are generally arranged diagonally. In general, this arrangement of reflection light barriers as muting sensors requires only two light barriers, and only MS_11 and MS_12 are interconnected. The sequence is similar to that of the muting procedure with four muting sensors. Step 3 is omitted. In step 4, replace MS_21 and MS_22 with MS_11 and MS_12, respectively.
[Figure: light curtain sender and receiver at the danger zone, with reflection light barriers MS_11 and MS_12 arranged diagonally]

Restart Inhibit upon Interruption of Light Curtain When MUTING Is Not Active, as Well as When Errors Occur and During F System Startup
Enable signal Q cannot be set to 1 or becomes 0 if:
- Light curtain is interrupted (e.g. by a person or material transport) while the MUTING function is not active
- Light curtain is be
19. WARNING
When STOP = 1 or ENABLE = 0, discrepancy monitoring is shut down. During this time, if inputs MSx1 and MSx2 of a sensor pair both assume a signal state of 1 due to an unknown error (e.g. because both muting sensors fail to 1), the fault is not detected and the MUTING function can be started unintentionally when ENABLE = 1.

Output DIAG
The DIAG output provides non-fail-safe information on errors for service purposes. You can read out this information by means of operator control and monitoring systems or, if applicable, you can evaluate it in your standard user program. DIAG bits 0 to 6 are saved until acknowledgment at input ACK.
Structure of DIAG
Bit No. | Assignment | Possible Causes of Problems | Remedies
Bit 0 | Discrepancy error or incorrect discrepancy time DISCTIM1 setting for sensor pair 1 | Malfunction in production sequence | Malfunction in production sequence eliminated
 | | Sensor defective | Check sensors
 | | Wiring fault | Check wiring of sensors
 | | Sensors are wired to different F-I/O, and F-I/O fault, channel fault or communication error or passivation by means of PASS_ON on an F-I/O | For a solution, see DIAG variable bits 0 to 6 in Chapter F-I/O DB
 | | Discrepancy time setting is too low | If necessary, set a higher discrepancy time
20. Chapter FB 223 F_SENDDP and FB 224 F_RCVDP: Sending and Receiving Data via PROFIBUS DP

8.3 Safety-Related Master-Slave Communication
Assigning F-CPUs to F_SENDDP/F_RCVDP
Assign the F-CPUs to F_SENDDPs/F_RCVDPs as follows:
- Configure the address areas (local and partner addresses) for the DP master and the I-slave(s) in HW Config.
- Specify the following addresses for master-I-slave communication in the safety program of the F-CPU of the DP master:
  At F_SENDDP, at input parameter LADDR: the partner address for sending (F Configuration tab, row Mode F-MS-R)
  At F_RCVDP, at input parameter LADDR: the partner address for receiving (F Configuration tab, row Mode F-MS-S)
- Specify the following addresses for master-I-slave or I-slave-I-slave communication in the safety program of the F-CPU of an I-slave:
  At F_SENDDP, at input parameter LADDR: the local address for sending (F Configuration tab, row Mode F-MS-S or F-DX-S)
  At F_RCVDP, at input parameter LADDR: the local address for receiving (F Configuration tab, row Mode F-MS-R or F-DX-R)
Make these assignments for each F-CPU involved.
Note: Thus the following always applies for safety-related master-I-slave and I-slave-I-slave communication:
- At the F_SENDDP/F_RCV
21. [DIAG table continued]
 | | Discrepancy time setting is < 0 s or > 3 s | Set discrepancy time in range between 0 s and 3 s
Bit 1 | Discrepancy error or incorrect discrepancy time DISCTIM2 setting for sensor pair 2 | Same as Bit 0 | Same as Bit 0
Bit 2 | Maximum muting time exceeded or incorrect muting time TIME_MAX setting | Malfunction in production sequence | Malfunction in production sequence eliminated
 | | Maximum muting time setting is too low | If necessary, set a higher maximum muting time
 | | Muting time setting is < 0 s or > 10 min | Set muting time in range from 0 s to 10 min
Bit 3 | Light curtain interrupted and muting not active | ENABLE = 0 | Set ENABLE = 1
 | | Light curtain is defective | Check light curtain
 | | Wiring fault | Check wiring of light curtain (FREE input)
 | | F-I/O fault, channel fault or communication error or passivation by means of PASS_ON of F-I/O of light curtain (FREE input) | For a solution, see DIAG variable bits 0 to 6 in Chapter F-I/O DB
 | | Startup of F system | For FREE, see DIAG variable Bit 5
 | | | See other DIAG bits
Bit 4 | Muting lamp is defective or cannot be set | Muting lamp is defective | Replace muting lamp
 | | Wiring fault | Check wiring of muting lamp
 | | F-I/O fault, channel fault or F
22. (Index)
F-I/O 35
Group diagnostics 35
Level of protection of the F-CPU 26
Overview 23
Particularities 25
PROFIsafe address setting 25
Same as standard 25, 35
Symbolic names 44
with GSD file 39
Configuring 146, 158, 165, 173
Address areas for safety-related I-slave-I-slave communication 156
Address areas for safety-related I-slave-slave communication 162
Address areas for safety-related master-I-slave communication 144
Communication connection between two F-CPUs via DP/DP coupler 136
Communication connection via DP/DP coupler 136
Of safety-related communication via S7 connections 173
Safety-related I-slave-I-slave communication 158
Safety-related I-slave-slave communication 165
Safety-related master-I-slave communication 146
Safety-related master-master communication 136
Configuring communication via S7 connections 173
Configuring I-slave-I-slave communication 158
Configuring I-slave-slave communication 165
Configuring master-I-slave communication 146
Connection table 173
Connections 186, 211, 216, 219, 229, 232, 236, 249
ACK_REI_GLOB 241
Consistent 271
Conventions 3
Converting BOOL to WORD 258
Converting WORD to BOOL 259
Conveyor equipment, stopped 348
Count down
Count up
Count up and down 190
CPU operating system update 325
CPU-CPU communication 23, 25, 131, 140, 152, 178
Options fo
23. 5.7 Passivation and Reintegration of F-I/O after F-I/O Faults and Channel Faults
Reintegration of F-I/O
Reintegration of the relevant F-I/O or the relevant channels of the F-I/O, that is, provision of process data in the PII or transfer of process data provided in the PIQ to the fail-safe outputs, takes place only when the following occurs:
- All F-I/O faults or channel faults have been eliminated. If you have configured channel-specific passivation for the F-I/O, the relevant channels are reintegrated once the fault is corrected; any faulty channels remain passivated.
Reintegration takes place as follows, depending on your setting for ACK_NEC:
- When ACK_NEC = 0, automatic reintegration takes place as soon as the F system detects that the fault has been eliminated. For F-I/O with inputs, reintegration takes place right away. For F-I/O with outputs or F-I/O with inputs and outputs, depending on the F-I/O you are using, reintegration can take place several minutes after completion of necessary test signal inputs, which are used by the F-I/O to determine that the fault has been eliminated.
- With ACK_NEC = 1, reintegration takes place only as a result of a user acknowledgement with a positive edge on the ACK_REI variable of the F-I/O DB or on the ACK_REI_GLOB input of the FB 219 F_ACK_GL F application block.
24. [Table continued: function | required version]
- Standard slaves/standard I/O devices with individual device parameters (i-parameters) | S7 F Configuration Pack V5.5 SP1
- Write-protected saving of F blocks | STEP 7 V5.4 SP2
- Rewiring function of STEP 7 for F blocks | STEP 7 V5.4 SP2 and S7 F Configuration Pack V5.5 SP1
- Fail-safe standard I/O devices | STEP 7 V5.4 SP2, S7 F Configuration Pack V5.4
- Support of SM 336; F-AI 6 x 0/4...20 mA HART (without use of HART function) | S7 F Configuration Pack V5.5 SP4
- Use of SM 336; F-AI 6 x 0/4...20 mA HART with STEP 7 V5.4 SP3 and use of HART function | S7 F Configuration Pack V5.5 SP4
Reading Readme Files
The readme files contain important, up-to-date information about the software, for example Windows versions supported. You can display the readme file in the setup program or open it at a later time by selecting the Start > Simatic > Information > English menu command.

Product Overview
1.3 Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package
Installing S7 Distributed Safety
1. Start the programming device or PC on which the STEP 7 standard package has been installed and make sure that all STEP 7 applications are closed.
2. Insert the product CD for the optional package.
3. Initiate the SETUP.EXE program on the CD.
4. Follow the instructions of the Setup program, bearing i
...Select the Offline tab in the Safety Program dialog.
3. Print the project data with all print content (see Chapter "Printing the Project Data").
4. Check all printouts (see Chapter "Checking the Printouts").
5. Download the complete safety program to the F-CPU (see Chapter "Checks after Downloading the Safety Program to the F-CPU").
6. Carry out a complete function test.

See also: Downloading the Safety Program (Page 275); Printing out Project Data (Page 297); Testing the Safety Program

System Acceptance Test
11.2 Checking the Printouts

Procedure
Check the printouts as follows:
1. Check whether the two signatures in the footer of the printout match in all four printouts: the collective signature of all F-blocks with F-attribute in the block container, and the signature of symbols.
2. Check whether "Symbols changed" is output in the footer of the printout.
3. Check the printout of the hardware configuration (see Chapter "Configuration Acceptance Test of F-CPU and F-I/O").
4. Check the printout of the F-blocks you created (F-PBs, F-FBs, F-FCs and F-DBs).
5. Check the printout of the symbol table.
6. Check the "Safety program" printout (see Chapter "Safety Program Acceptance Test").

Note: If "Symbols changed" is output, it signifies that assignments for global or local symbols
• When F-DBs are opened
• When know-how protection is set for user-created F-FBs, F-FCs and F-DBs
• When the "Edit F-Runtime Groups" dialog is opened
• When the password is changed
• When an F-I/O that is set to safety mode is arranged in the configuration table
• When the "F parameters" tab in the object properties is opened
• When the object properties dialog for an F-I/O is opened
• When the "PROFIsafe" tab in the object properties dialog for a fail-safe DP standard slave / standard I/O device is opened
• When parameters in the tabs and dialog boxes indicated above are changed
• When an F-I/O or F-CPU is deleted from the configuration table
• When a HW configuration is saved and compiled (only the safety program is protected from changes)
• When new F-blocks are created, inserted or moved in the offline block container of the safety program
• When F-blocks are saved
• When F-blocks are renamed in the offline block container of the safety program
• When F-blocks are cut and deleted from the offline block container of the safety program
• When F-blocks are rewired
• When write-protected F-blocks are stored
• When the offline block container is deleted
• When the "S7 Programs" folder is deleted
• When object properties of F-blocks are opened
• When object properties of an F-block are edited
• When safety mode is deactivated (the password must always be entered, even if access permission to the safety program is still valid)
• When data in the safe
...or in the corresponding symbolic representation. Transfers in other forms are not permitted. You will find examples for the parameter assignment of ADDR_INT, END_INT and OFFS_INT in the references provided under "See also".

See also: FC 178 "F_INT_WR": Write Value of Data Type INT Indirectly to an F-DB (Page 260)

F-Libraries
9.1 Distributed Safety F-library (V1)
9.1.3 F-System Blocks

Function
F-system blocks are automatically added when the safety program is compiled, to create an executable safety program from the safety program you create. With F-system blocks, fault control measures are automatically added to your safety program and additional safety-related tests are performed.

Overview of F-System Blocks
The following F-system blocks are available (block names restored from the OCR output, in which the underscore was read as "I"):
F_CTRL_1, F_CTRL_2, F_IO_BOI, F_SIO_BOI, F_RTGCO2, F_IO_CGP, F_SIO_CGP, F_DIAG_N, F_SCA_I, F_CTU, F_CTD, F_CTUD, F_TP, F_TON, F_TOF, F_ACK_OP, F_2HAND, F_MUTING, F_1oo2DI, F_2H_EN, F_MUT_P, F_ACK_GL, F_SHL_W, F_SHR_W, F_BO_W, F_W_BO, F_INT_WR, F_INT_RD

See also

9.1.4 F-Shared DB

Function
When the safety program is compile
...the entries are overwritten in order. The logbook function for the safety program is not safety-related as defined in IEC 61508:2000.

Contents of the Logbook
Entries are made in the safety program logbook for the following actions:
• Changing the hardware configuration for a safety program
• Creating an F-block
• Saving an F-block
• Renaming an F-block
• Rewiring an F-block
• Changing object properties of an F-block
• Deleting an F-block
• Changing an F-runtime group
• Compiling the safety program
• Deactivating safety mode
• Downloading F-blocks
• Downloading a safety program or safety program changes

Example of a logbook entry
Action: Creating F-block FB1
Entry in the logbook: Date, time (time of entry in the logbook), user ID, program path, action ("F-block FB1 created")

Compiling and commissioning a safety program
10.7 Modifying the Safety Program

Displaying, Saving, Printing and Copying the Logbook
1. Select the F-CPU or the S7 program assigned to it.
2. In SIMATIC Manager, select the Options > Edit safety program menu command or the corresponding icon in the toolbar. The "Safety Program" dialog will appear.
3. Click "Logbook". This opens the logbook message window. You can save the logbook as a text file in your Windows directory structure and print it later. When a "Safety p
...value of the F_PROG_SIG variable in the F-shared DB. These two signatures must match for the acceptance test. Differences between the two signatures generally indicate that the safety program has been changed or is inconsistent. This is also indicated in the footer.
• Version identifier of S7 Distributed Safety last used to compile the safety program
• Time when the safety program was compiled
• Message if the amount of local data reserved for the safety program has been exceeded
• List of all F-blocks contained in the block container. Square brackets enclosing the block name and signature designate F-blocks without F-attribute. Information provided for each F-block: block number; symbolic name; function in the safety program (F-CALL, F-program block, etc.); signature; initial value signature (for all F-FBs not generated automatically)
• List of parameters for safety-related CPU-CPU communication, such as DP_DP_ID and LADDR of F_SENDDP/F_RCVDP, ID, R_ID and number of the F-communication DB of F_SENDS7/F_RCVS7, and TIMEOUT of F_SENDDP/F_RCVDP/F_SENDS7/F_RCVS7. The following information is provided for parameters: parameter name; name of the associated F-application block; numbers of instance DBs used to call the F-application block; name of the F-block in which the F-application block is called; network number of the call; name of the F-runtime group; name of the F-CALL; parameter value.
...1022 for the PROFIsafe target address. Otherwise, the information for the PROFIsafe address assignment in Chapter "Configuring the F-I/O" applies.

F_WD_Time Parameter
This parameter defines the monitoring time in the fail-safe DP standard slave / standard I/O device. A valid current safety message frame must arrive from the F-CPU within the monitoring time. This ensures that failures and faults are detected and appropriate reactions are triggered to maintain the F-system in the safe state or bring it to a safe state. The selected monitoring time should be long enough to tolerate frame delays in communication, while ensuring that the fault reaction function has a sufficiently fast reaction when a connection is interrupted or some other fault occurs (see "Safety Engineering in SIMATIC S7" system manual). The F_WD_Time parameter can be set in 1 ms increments. The value range of the F_WD_Time parameter is specified by the GSD file.

F_iPar_CRC Parameter
CRC via individual device parameters (i-parameters): the individual device parameters (i-parameters) of a fail-safe DP standard slave / standard I/O device are configured with their own parameter assignment tool provided by the device manufacturer. Enter here the CRC calculated by the parameter tool from the device manufacturer for the protection of the i-parameters. S7 Distributed Safety takes the value into account when calculating the CRC F-parameter (CRC1).

See also: Configuring the
10.2 Safety Program States

Possible States
The safety program can have the following states:
• Consistent: The collective signature of all F-blocks with F-attribute in the block container is identical to the collective signature of the safety program. F-blocks that are not called in the F-runtime group of the safety program are displayed in the "Safety Program" dialog without the F-attribute in the block symbol and are not included in the calculation of the collective signatures. When the safety program is compiled, you are notified about unused F-blocks in the block container. For greater clarity, it is recommended that you delete unused F-blocks. On the other hand, it is possible to configure F-I/O that have not yet been addressed in the safety program and still compile a consistent safety program. A consistent safety program is required for the acceptance of the safety program.
• Inconsistent: The collective signature of all F-blocks with F-attribute in the block container and the collective signature of the safety program are different, because, for example, an F-block with F-attribute has been copied but the copied F-block with F-attribute is not called in the F-runtime group of the safety program. If the safety program in the F-CPU has the state "inconsistent", the F-CPU startup is prevented when the F-CPU supports this ID (see product information for the respective F-CPU). To obtain a consistent safety progr
Glossary

Safe State
The basic principle of the safety concept in → fail-safe systems is the existence of a safe state for all process variables. For digital → F-I/O, the value is always 0.

Safety Function
A safety function is a mechanism built into the → F-CPU and → F-I/O that allows them to be used in → fail-safe systems. In accordance with IEC 61508:2000, safety functions are implemented by a safety system in order to maintain the system in a → safe state or to place it in a safe state in the event of a particular error. → user safety function

Safety Integrity Level
Safety Integrity Level (SIL) according to IEC 61508:2000. The higher the Safety Integrity Level, the more stringent the measures for prevention of systematic faults and for management of systematic faults and hardware failures. S7 Distributed Safety can be used in safety mode up to SIL3.

Safety Message Frame
In → safety mode, data is transferred in a safety frame between the → F-CPU and → F-I/O, or between the F-CPUs in safety-related CPU-CPU communication.

Safety Mode
1. Safety mode is the operating mode of the → F-I/O that allows → safety-related communication by means of a → safety frame.
2. Operating mode of the safety program. In safety mode of the safety program, all safety mechanisms for fault detection and reaction are activated. In safety mode, the safety program cannot be mod
Checklist (reconstructed from the flattened table; columns were Phase, Requirement/Rule, Reference, Check)

Phase 3: Commissioning / Testing
• Powering up: rules for commissioning, same as for a standard system (S7-300 standard, S7-400 standard)
• Downloading the safety program and standard user program: rules for downloading; rules for program identification; comparing safety programs. Reference: Chapter "Downloading the Safety Program"; Chapter "Comparing Safety Programs"
• Testing the safety program: rules for deactivating safety mode; procedures for changing safety program data. Reference: Chapter "Function Test of Safety Program and Protection through Program Identification"; "Testing of Safety Program"; "Deactivating Safety Mode"

A.1 Checklist (continued)
• Changing the safety program: rules for deactivating safety mode; rules for modifying the safety program. Reference: Chapter "Modifying the Safety Program in RUN Mode"; "Deactivating Safety Mode"; "Deleting the Safety Program"
• Testing the safety-related parameters: rules for configuration. Reference: Chapter "Printing Out Project Data of the Safety Program"; F-SMs manual, Chapters 4, 9 and 10; F-modules manual, Chapters 2, 4 and 7; ET 200eco manual, Chapters 3 and 8; ET 200pro manual, Chapters 2, 4 and 8
• Acceptance test: rules and notes on the acceptance test; printouts. Reference: Chapter "System Acceptance Test"
• Operation / Maintenance, general operation: Note
8.7 Safety-Related Communication via S7 Connections

Procedure for Configuring S7 Connections
You configure the S7 connections for safety-related CPU-CPU communication the same way as for standard systems.

Note: If you change the configuration of the S7 connections for safety-related communication, the collective signature of the safety program is set to 0. You must then recompile the safety program.

Additional Information
For a description of configuring S7 connections, refer to the "Configuring Hardware and Communication Connections with STEP 7 V5.x" manual and the STEP 7 Online Help.

Configuring and Programming Communication
8.7.2 Communication via F_SENDS7, F_RCVS7 and F-Communication DB

Communication by Means of F_SENDS7 and F_RCVS7

[Figure: F-CPU 1 (e.g. CPU 416F-2 with CP 443-1 IT) and F-CPU 2 (e.g. CPU 416F-2 with CP 443-1 IT) connected via Industrial Ethernet; each F-CPU calls F_SENDS7 with an F-communication DB for send data and F_RCVS7 with an F-communication DB for receive data (F-Comm DB 1 to 4).]

You use the F_SENDS7 and F_RCVS7 F-application blocks for fail-safe sending and receiving of data via S7 connections. These F-application blocks can be used to transmit a specified amount of fail-safe data of data types BOOL, INT, WORD and TIME in a fail-s
Compiling and commissioning a safety program
10.4 Downloading the Safety Program

Downloading in SIMATIC Manager or the FBD/LAD Editor
F-blocks and standard blocks can be simultaneously downloaded to the F-CPU using standard STEP 7 tools. However, as soon as F-blocks are to be downloaded, a check is carried out to determine whether or not the F-CPU is in STOP mode or in deactivated safety mode. If not, you have the option of switching to deactivated safety mode or placing the F-CPU in STOP mode. Be aware that the consistency of the safety program in the F-CPU cannot be guaranteed when individual F-blocks are downloaded. Therefore, use the download from the "Safety Program" dialog with the F-CPU in STOP to ensure a consistent safety program.

Note: If S7 Distributed Safety detects an inconsistent safety program during startup of the F-CPU, the F-CPU cannot be started up, if the F-CPU supports this detection function (see Product Information for the particular F-CPU). The following diagnostic event is then entered in the diagnostic buffer of the F-CPU:
• Inconsistent safety program
If the F-CPU does not support this detection function, the F-CPU can go to STOP mode if an inconsistent safety program is executed when safety mode is enabled. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
• Data corruption in the safety program prior to output to F-I/O
• Data corruption in the
Configuring and Programming Communication
8.3 Safety-Related Master/I-Slave Communication
8.3.3 Communication by Means of F_SENDDP and F_RCVDP

Introduction
Safety-Related Master/I-Slave and I-Slave/I-Slave Communication
The procedure for programming safety-related master/I-slave communication or safety-related I-slave/I-slave communication is the same as for programming safety-related master/master communication. For this reason, only the differences are described in the following section.

Communication by Means of F_SENDDP and F_RCVDP

[Figure: DP master and I-slave(s) on safety-related PROFIBUS DP; each side pairs an F_SENDDP with the partner's F_RCVDP in both directions.]

For safety-related communication between the F-CPUs of the DP master and an I-slave, or between the F-CPUs of several I-slaves, you make use of the F-application blocks F_SENDDP for sending and F_RCVDP for receiving. They can be used to transfer a fixed amount of fail-safe data of data types BOOL and INT in a fail-safe manner. You can find these F-application blocks in the "F-application blocks" block container in the Distributed Safety F-library (V1). The F_RCVDP must be called at the start of the F-PB. The F_SENDDP must be called at the end of the F-PB. Note that the send signals are sent only after the F_SENDDP call at the end of the relevant F-runtime group execution. For a detailed description of the F_SENDDP and F_RCVDP F-application blocks, refer to
...ACK_REQ = 1 as soon as the light curtain is no longer interrupted or the errors have been eliminated. Once acknowledgment has occurred, the block resets ACK_REQ to 0.

User Acknowledgment of Restart Inhibit: At Least One Muting Sensor Is Activated and ENABLE = 1
Enable signal Q becomes 1 again if:
• Errors, if present, are eliminated (see output DIAG)
• FREE occurs, until a valid combination of muting sensors is detected
The FAULT output is set to 0. The MUTING function is restarted, if necessary, and the MUTING output becomes 1 if a valid combination of muting sensors is detected. When ENABLE = 1, output ACK_REQ = 1 signals that FREE is necessary for error elimination and for removal of the restart inhibit. Following a successful FREE, ACK_REQ is reset to 0 by the block.

Note: Once the maximum muting time is exceeded, TIME_MAX is rewound as soon as the MUTING function is restarted.

FREE function
If an error cannot be corrected immediately, the FREE function can be used to free the muting range (enable signal Q and output MUTING = 1 temporarily). The FREE function can be used if:
• ENABLE = 1
• At least one muting sensor is activated
• A user acknowledgment with rising edge at input ACK occurs twice within 4 s, and the second user acknowledgment at input ACK rem
Acknowledgment can be made as soon as the F-system detects that the fault has been eliminated and it has set ACK_REQ = 1.

WARNING: Following a power failure of the F-I/O lasting shorter than the specified monitoring time for the F-I/O in HW Config (see "Safety Engineering in SIMATIC S7" system manual), automatic reintegration can occur regardless of your setting for ACK_NEC, as described for the case when ACK_NEC = 0. If, for this case, automatic reintegration is not permissible for the relevant process, you must program startup protection by evaluating variables QBAD, or QBAD_I_xx and QBAD_O_xx, or PASS_OUT. In the event of a power failure of the F-I/O lasting longer than the specified monitoring time for the F-I/O in HW Config, the F-system detects a communication error.

F-I/O Access
5.7 Passivation and Reintegration of F-I/O after F-I/O Faults and Channel Faults

Signal Sequence for Passivation and Reintegration of F-I/O after F-I/O Faults and Channel Faults, When ACK_NEC = 0, for Passivation of the Entire F-I/O after Channel Faults

[Figure: signal sequence diagram; recoverable signal labels: F_SENDDP: ERROR, SUBS_ON; F_RCVDP: ACK_REI, ACK_REQ, ERROR, SUBS_ON; states of the F-system.]
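The reintegration rules (ACK_NEC = 0 automatic, ACK_NEC = 1 only after ACK_REQ and a positive edge on ACK_REI, channel-specific versus entire passivation) and the startup-protection requirement from the warning above, as an added, simplified Python model. This is not Siemens code or the F-system's implementation: the cycle-based structure, the class names and the operator acknowledgment input of the startup-protection latch are assumptions; only the variable names follow the F-I/O DB.

```python
# Added example (not Siemens code): cycle-based model of passivation and
# reintegration of one F-I/O, and of the startup protection the warning asks for.
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """What the safety program would read from the F-I/O DB after one cycle."""
    passivated: frozenset   # channels currently supplying fail-safe values
    ACK_REQ: bool           # 1: F-system waits for a user acknowledgment
    QBAD: bool              # 1: at least one channel of the F-I/O is passivated


class FIoModel:
    """Simplified passivation/reintegration model (assumed structure)."""

    def __init__(self, channels, ack_nec, channel_specific):
        self.channels = frozenset(channels)
        self.ack_nec = ack_nec                    # ACK_NEC parameter
        self.channel_specific = channel_specific  # passivation granularity
        self.faulty = set()          # channels whose fault is not yet eliminated
        self.passivated = set()      # channels currently passivated
        self.ack_req = False         # ACK_REQ variable
        self._ack_rei_prev = False   # previous ACK_REI, for rising-edge detection

    def channel_fault(self, ch):
        """F-system detects a channel fault: passivate the channel or the F-I/O."""
        self.faulty.add(ch)
        if self.channel_specific:
            self.passivated.add(ch)
        else:
            self.passivated = set(self.channels)

    def fault_eliminated(self, ch):
        """The fault is corrected; the F-system evaluates it in the next cycle."""
        self.faulty.discard(ch)

    def cycle(self, ack_rei=False):
        """One F-runtime-group cycle with the current value of ACK_REI."""
        rising_edge = ack_rei and not self._ack_rei_prev
        self._ack_rei_prev = ack_rei

        if self.channel_specific:
            # corrected channels are candidates; faulty channels stay passivated
            reintegrable = {c for c in self.passivated if c not in self.faulty}
        else:
            # the entire F-I/O is reintegrated only after ALL faults are eliminated
            reintegrable = set(self.passivated) if not self.faulty else set()

        if not reintegrable:
            self.ack_req = False
        elif not self.ack_nec:
            # ACK_NEC = 0: automatic reintegration as soon as the fault is gone
            self.passivated -= reintegrable
        elif self.ack_req and rising_edge:
            # ACK_NEC = 1: positive edge on ACK_REI accepted only after ACK_REQ = 1
            self.passivated -= reintegrable
            self.ack_req = False
        else:
            self.ack_req = True      # request the user acknowledgment
        return Snapshot(frozenset(self.passivated), self.ack_req,
                        bool(self.passivated))


class StartupProtection:
    """Startup protection latch (assumed pattern): because a short power failure
    can reintegrate the F-I/O automatically regardless of ACK_NEC, the enable is
    latched off whenever QBAD = 1 and released only by a rising edge on a
    user-defined operator acknowledgment input."""

    def __init__(self):
        self.inhibit = True          # inhibited after F-system startup
        self._ack_prev = False

    def cycle(self, qbad, ack):
        rising_edge = ack and not self._ack_prev
        self._ack_prev = ack
        if qbad:
            self.inhibit = True      # F-I/O passivated: drop the enable
        elif rising_edge:
            self.inhibit = False     # explicit operator acknowledgment
        return not self.inhibit      # enable for the process


def demo():
    """Constructed scenario: ACK_NEC = 1, channel-specific passivation."""
    fio = FIoModel({1, 2, 3}, ack_nec=True, channel_specific=True)
    fio.channel_fault(2)
    fio.channel_fault(3)
    fio.fault_eliminated(2)
    trace = [fio.cycle(ack_rei=False),   # ACK_REQ becomes 1, both stay passivated
             fio.cycle(ack_rei=True)]    # rising edge: channel 2 reintegrated
    return trace


if __name__ == "__main__":
    for snap in demo():
        print(snap)
```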
9.1.3 F-System Blocks
9.1.4 F-Shared DB
9.1.5 Custom F-Libraries
10 Compiling and commissioning a Safety Program
10.1 Safety Program Dialog
10.2 Safety Program States
10.3 Compiling Safety Program
10.4 Downloading the Safety Program
10.5 Work Memory Requirement for Safety Program
10.6 Function Test of Safety Program and Protection through Program Identification
10.7 Modifying the Safety Program
10.7.1 Modifying the safety program in RUN mode
10.7.2 Comparing Safety Programs
10.7.3 Deleting the Safety Program
10.7.4 Logbook of the Safety Program
"Unlinked" and "DB is Write-Protected in the PLC" Block Properties

Note: The available option "Unlinked" in the object properties for a DB must not be set for F-DBs and instance DBs of F-blocks. The available option "DB is write-protected in the PLC" in the object properties for a DB must not be set for F-DBs and instance DBs of F-blocks. If you have selected either of these options, the selection will be corrected when the safety program is compiled.

F-Communication DB for Safety-Related CPU-CPU Communication via S7 Connections
For safety-related CPU-CPU communication via S7 connections, you must create an F-communication DB on the sender side and another on the receiver side. F-communication DBs are F-DBs that you create and edit in the same way as other F-DBs in SIMATIC Manager. Special requirements for F-communication DBs are described in Chapter "Programming Safety-Related CPU-CPU Communication via S7 Connections".

DB for F-Runtime Group Communication
For safety-related communication between F-runtime groups of a safety program, you must create a DB for F-runtime group communication for each F-runtime group that is to provide data for another F-runtime group. The procedure for creating DBs for F-runtime group communication and the special requirements for these DBs are described in Chapter "Defining F-Runtime Groups".

See also: Creating and editing F-FB/F-FC (Page 78)

4.3.4 Know-How Protection for User-Created F-FBs, F-F
...CPU.
3. An available PROFIBUS address is automatically assigned in the shortcut menu. You can change this in the address area 1 to 125. This address must be set via a switch on the DP/DP coupler, either directly on the DP/DP coupler by means of the DIP switch or using STEP 7 (see DP/DP Coupler manual). You can insert the name of the subnet, the subnet ID, the author and a comment using the Properties menu command. In the "Network Settings" tab, you should set the transmission rate to at least 1.5 Mbps. You must select "DP" as the profile.
4. In order for safety-related communication between CPUs to be able to be established consistently, and for any address and length settings to be possible, you must use universal modules. Select "DP/DP" on the DP master system and insert a universal module from the "DP/DP Coupler" folder. Use two universal modules for each F-CPU for bidirectional connections, that is, each F-CPU will send and receive data.

Configuring and Programming Communication
8.2 Safety-Related Master/Master Communication

5. Select the first universal module and select the Edit > Object Properties menu command. The object properties dialog appears.

[Figure: "Properties - DP slave" dialog for the universal module; the I/O type (output/input) and address fields of the figure were not recoverable.]

6. In the object properties for the first universal module, select "Out- inpu
...CPU are consistent. To do so, you must use F-application blocks of a single S7 Distributed Safety version only and compile the safety program using the S7 Distributed Safety setup.

Note: If you call a block, the enable input EN and the enable output ENO appear automatically. You must not interconnect these connections, supply them with 0, or evaluate them.

Timing Imprecision for F-Application Blocks with Time Processing

WARNING: When using an F-application block with time processing, take the following timing imprecision sources into account when determining your response times:
• Known timing imprecision based on standard systems resulting from cyclic processing
• Timing imprecision resulting from the update time of the time base used in the F-application block (see figure below)
• Tolerance of internal time monitoring in the F-CPU: for time values up to 100 ms, a maximum of 20% of the configured time value; for time values starting at 100 ms, a maximum of 2% of the configured time value
• You must choose the interval between two call times of an F-application block with time processing so that the required response times are achieved, taking into account the possible timing imprecision.

Timing Imprecision Resulting from the Update Time of the Time Base Used in the F-Application Block

[Figure: cycles n, n+1 and n+2 of the OB and of the F-runtime group; the remaining content of the figure was not recoverable.]
Configuring and Programming Communication
8.5.3 F-I/O Access for Safety-Related I-Slave/Slave Communication

Access via the Process Image
In safety-related I-slave/slave communication, you use the process image (PII or PIQ) to access the F-I/O in the safety program of the F-CPU of the I-slave. This is the same as F-I/O access to F-I/O that are directly assigned to the I-slave. In the I-slave, you reference the F-I/O using the starting address that you configured as "Address _LADDR" under "Local safety program" in the "F Configuration" tab. Direct I/O access is not permitted. The channels of an F-I/O can only be accessed from one F-runtime group.

WARNING: Due to the special safety protocol, the F-I/O occupy a larger area of the process image than is required for the channels that are actually present on the F-I/O. To find out the area of the process image where the channels (user data) are stored, refer to the relevant manuals for the F-I/O. When the process image is accessed in the safety program, only the channels that are actually present are permitted to be accessed. Note that for certain F-I/O, such as S7-300 F-SMs and ET 200S fail-safe modules, a 1oo2 evaluation of the sensors can be specified. To find out which of the channels combined by the 1oo2 evaluation of the sensors you can access in the safety program, refer to the relevant manuals for the F-I/O.

See also: F-I/O Access (Page 97)
...Config, select the F-CPU and select the Edit > Object Properties menu command. Open the "Protection" tab and deactivate the "CPU Contains Safety Program" option. Save and compile the hardware configuration. The offline project no longer contains a safety program.

The following applies to F-CPUs with an inserted memory card (MMC or Flash Card): To delete a safety program on a Memory Card (MMC or Flash Card), insert the Memory Card (MMC or Flash Card) in the programming device or PC. In SIMATIC Manager, select the File > S7 Memory Card > Delete menu command. You can now copy the offline standard user program to the Memory Card (MMC or Flash Card).

The following applies to F-CPUs without an inserted Flash Card: You can delete the safety program by resetting the module in SIMATIC Manager (menu command PLC > Reset). You can then download the offline standard user program to the F-CPU.

Compiling and commissioning a safety program
10.7 Modifying the Safety Program
10.7.4 Logbook of the Safety Program

Logbook
Changes and actions for a safety program are logged in a logbook. Various user actions result in corresponding entries in the logbook. Each safety program has its own logbook. Entries are listed in chronological order. A logbook can contain up to 300 entries. When the number of entries exceeds 300,
..."Consistent over".
13. Enter the associated values for the input data address area. In our example, enter 28 as "Start Address", 12 as "Length", Byte as "Unit" and "Total Length" as "Consistent over".
14. Click "OK" to confirm.
This completes the configuration of the master/master communication for F-CPU 1. Perform steps 1 to 14 for F-CPU 2. Note that you have to adjust the addresses accordingly (see figure in Chapter "Configuring the Address Areas, Safety-Related Master/Master Communication").

Note: Make sure that the values you assign for the start addresses of the output and input data address areas are identical. Always select the "Consistent over total length" option for all input and output data address areas.

Configuring and Programming Communication
8.2 Safety-Related Master/Master Communication

Additional Information
The DP/DP coupler is described in the DP/DP Coupler manual.

8.2.3 Communication by Means of F_SENDDP and F_RCVDP, Safety-Related Master/Master Communication

Communication by Means of F_SENDDP and F_RCVDP

[Figure: two DP masters connected through a DP/DP coupler on safety-related PROFIBUS DP; each master pairs an F_SENDDP with the partner's F_RCVDP in both directions.]

Safety-related communication makes use of the F-application blocks F_SENDDP for sending and F_RCVDP for receiving. They can be used to transfer a fi
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG, Industry Sector, Postfach 48 48, 90026 NÜRNBERG, GERMANY
A5E00109537-05, 08/2013. Copyright © Siemens AG 2002-2013. Technical data subject to change. All rights reserved.

Preface

Purpose of this Documentation
The information in this documentation enables you to configure and program S7 Distributed Safety fail-safe systems.

Basic Knowledge Requirements
General basic knowledge of automation engineering is needed to understand this documentation. Basic knowledge of the following is also necessary:
• Fail-safe automation systems
• S7-300 / S7-400 automation systems
• Distributed I/O systems on PROFIBUS DP / PROFINET IO
• STEP 7 standard package, particularly: working with SIMATIC Manager; LAD and FBD programming languages; hardware configuration with HW Config; communication between CPUs

Scope of Documentation
This documentation is applicable to the following optional package:
• Optional package: S7 Distributed Safety optional package; Release number: 6ES7833-1FC02-0YA5; Version: V5.4 SP4 and higher
The S7 Distributed Safety optional package is used for conf
...F-CPU for which access authorization by means of an F-CPU password does not yet exist, you must first revoke existing access authorization for any other F-CPU.

Compiling and commissioning a safety program
10.6 Function Test of Safety Program and Protection through Program Identification

Transferring the Safety Program to the F-CPU with a Memory Card
Use of MMC or Flash Card: The following warning applies when the safety program is transferred using a
• Flash Card (e.g. for CPU 416F-2)
• MMC (e.g. for CPU 317F-2 DP, CPU 315F-2 PN/DP or IM 151-7 F-CPU)

WARNING: If the function test of the safety program is not carried out in the target F-CPU, you must comply with the following procedure when transferring the safety program to the F-CPU with a memory card (MMC or Flash Card), to ensure that the F-CPU does not contain an old safety program:
• Turn off the power to the F-CPU. For F-CPUs with battery backup (e.g. CPU 416F-2), remove the battery if present. To make sure that the F-CPU is de-energized, wait for the buffer time of the power supply you are using or, if this is unknown, remove the F-CPU.
• Remove the Memory Card (MMC or Flash Card) with the old safety program from the F-CPU.
• Insert the Memory Card (MMC or Flash Card) with the new safety program in the F-CPU.
• Switch on the F-CPU agai
...F-DBs and instance DBs of F-FBs or F-application blocks of the safety program, starting with 1. You are not permitted to use the reserved, automatically added F-data blocks in the safety program or the standard user program. If you have changed the band of numbers (e.g. you replaced an F-CPU with an F-CPU having a narrower band of numbers), some of the automatically added F-DBs in the modified band of numbers (the band of numbers associated with the new F-CPU) will not be created during the next compile operation. Instead, these F-DBs retain their old number. As a result, it may not be possible to download them to the F-CPU. Solution: Delete all automatically generated F-blocks in the offline block container of the safety program and recompile the safety program.

Configuration
2.3 Configuring the F-CPU

"F Function Blocks" Parameter
F-blocks are automatically added when the safety program is compiled, to create an executable safety program from your safety program. You must reserve a band of numbers for the automatically added F-function blocks. You define the first and last number of the band.

Rule for selecting the magnitude of the band of numbers: At a minimum, the default setting should be accepted. In addition, the following is applicable: Number of automatically added F-function blocks = Number of F-blocks (F-FB
49. … F-I/O (Page 35)

Configuration – 2.6 Assigning Symbolic Names
Symbolic Name for F-I/O DBs
During compilation in HW Config, an F-I/O DB is automatically created for each F-I/O, and a symbolic name is entered for the F-I/O DB in the symbol table. The symbolic name is generated in each case by combining the prefix "F", the start address of the F-I/O, and the name (maximum of 17 characters) entered for the F-I/O module in the object properties in HW Config, for example "F00005_4 8 F_DI_24VDC". In so doing, any special characters included in the name are replaced with "_". For F-I/O accessed via I-slave–slave communication, an "X" (for Mode "F-DX Module" = fail-safe slave–slave communication) is added after the start address of the F-I/O (e.g., …).
If a name other than the default name entered in the object properties for the F-I/O is to be adopted as the symbolic name, you must change the name in the object properties for the F-I/O before compiling for the first time in HW Config. Be aware that only the first 17 characters are entered in the symbolic name.
After compiling for the first time, you can only change the symbolic name as follows:
• By editing the symbolic name directly in the symbol table. Note that the maximum symbol length comprises 24 characters and that the symbolic name will …
50. … (continuation of the Bit 0 row of the DIAG table)
Possible causes: … F-I/O is receiving invalid parameter assignment data; internal F-I/O fault; internal F-CPU fault.
Remedies: Replace F-I/O. Check the connection and ensure that there are no external sources of interference. Check the parameter assignment of the F-I/O in HW Config; if necessary, set a higher value for the monitoring time. Recompile the hardware configuration and download it to the F-CPU. Recompile the safety program. Check the diagnostics buffer of the F-I/O. Turn the power of the F-I/O off and back on. For an internal F-CPU fault: replace the F-CPU.

Bit | Meaning | Possible cause | Remedy
Bit 1 | F-I/O fault or channel fault detected by F-I/O | See F-I/O manuals | See F-I/O manuals
Bit 2 | CRC error or sequence number error detected by F-I/O | See description for Bit 0 | See description for Bit 0
Bit 3 | Reserved | – | –
Bit 4 | Timeout detected by F system | See description for Bit 0 | See description for Bit 0
Bit 5 | Sequence number error detected by F system | See description for Bit 0 | See description for Bit 0
Bit 6 | CRC error detected by F system | See description for Bit 0 | See description for Bit 0
Bit 7 | Reserved | – | –
See also: Configuring the F-I/O (Page 35); Passivation and Reintegration of F-I/O after F-I/O Faults and Channel Faults (Page 113); Group passivation (Page 118)

F-I/O Access – 5.4 Accessing F-I/O DB Variables …
51. [Figure residue: call times of an F application block with time processing across successive F runtime group cycles, showing the time base TBasis_1, TBasis_2 and the update of the time base.]

F Libraries – 9.1 Distributed Safety F library (V1) – 9.1.2.2 Inputs/Outputs Description
(1) For the first call in cycle n+1, the call time of the F application block relative to the start of the F runtime group is earlier than that in cycle n by the amount of Δ1, e.g., because portions of the safety program of the F runtime group before the call time of the F application block in cycle n+1 are skipped. For the time update, the F application block takes into account time TBase_1 instead of the time T1 that has actually elapsed in cycle n since the call.
(2) The F application block is called a second time in cycle n+1. This does not involve another time update by Δ2.
(3) For the call in cycle n+2, the call time of the F application block relative to the start of the F runtime group is later than that in cycle n by the amount of Δ3, e.g., because the F runtime group was interrupted by a higher-priority interrupt prior to the time of the F application block call in cycle n+2. The F application block took into account time TBase_1 TBa…
52. … INT/WORD are … Output channels of data type BOOL are write-only and can only be accessed using the output bit unit; access is not possible, for example, with the output word unit. … are write-only and can only be accessed using the output word unit; access to individual bits using the output bit unit is not permitted.
• Of standard I/O: In the F-PB, the safety program also calculates the values for the outputs of the standard I/O, if applicable, and stores them in the process output image. At the beginning of the next OB 1 cycle, the F-CPU writes the calculated output values to the outputs of the standard I/O. With the S7-400, also bear in mind the update times when using partial process images.
Output bit, Output word (QW): Output channels of the standard I/O are write-only and can only be accessed using the indicated units. Therefore, a transfer to IN_OUT parameters of an F-FB or F-FC is not permitted.
Bit memory – Memory bit, Memory word (MW): This area is used for data exchange with the standard user program. Memory can only be accessed using the indicated units. In addition, read access requires a process-specific validity check. For a memory bit, either read access or write access is possible in the safety program. Therefore, a transfer to IN_OUT parameters of an F-FB or F-FC is not permitted. Note that memory bits can only be used for connecting the standard user prog…
53. … IO. In safety-related CPU–CPU communication, a fixed amount of fail-safe data of data types BOOL and INT is transmitted in a fail-safe manner between the safety programs in F-CPUs of DP masters, I-slaves or IO controllers. The data transmission makes use of the F application blocks F_SENDDP for sending and F_RCVDP for receiving. The data are stored in configured address areas of the DP/DP coupler, DP master, I-slave or PN/PN coupler.
Safety-Related I-Slave–Slave Communication via PROFIBUS DP
Safety-related I-slave–slave communication is possible with F-I/O in a DP slave that supports safety-related I-slave–slave communication, e.g., with all ET 200S F modules and with all S7-300 fail-safe signal modules with IM 153-2 (order no. 6ES7 153-2BA01-0XB0 or higher, firmware version > V4.0.0). Safety-related communication between the safety program of the F-CPU of an I-slave and F-I/O of a slave takes place using direct data exchange, the same as in standard programs. The process image (PII and PIQ) is used to access the channels of the F-I/O in the safety program of the F-CPU of the I-slave.

Configuring and Programming Communication – 8.1 Overview of safety-related communication
Use of IE/PB Link
You can use the IE/PB Link to link the four options for safety-related communication via PROFIBUS DP in S7 Distributed Safety F systems to …
54. Overview – 7.3 Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package
Changeover to S7 Distributed Safety V5.4 SP4
Reading a safety program with S7 Distributed Safety V5.4 SP4: If you would like to use S7 Distributed Safety V5.4 SP4 to read (but not change) a safety program created with an earlier version of S7 Distributed Safety, open the Safety Program dialog with V5.4 SP4. Do not compile the safety program, and do not save and compile with replacement of F library blocks of the Distributed Safety F library (V1) in HW Config.
Note: When you open the Safety Program dialog for a consistent safety program created with S7 Distributed Safety V5.1, the status "The safety program is consistent" is output, although different signatures are displayed. Reason: the length of the signatures has changed from 16 to 32 bits.
Changing a safety program with S7 Distributed Safety V5.4 SP4: You can use the new functions of S7 Distributed Safety V5.4 SP4 in a safety program that was created with an earlier version of S7 Distributed Safety (see also "What's New" in the preface).
Note: Channel-level passivation of F-I/O and connection of F-I/O to PROFINET IO extend the runtime of the F runtime group(s) and increase the work memory requirement of the safety program (see also the Excel file s7cotia.xls for response time calculation). In addition, you must make at least 330 bytes of local data available for the safety progra…
55. (Index, continued)
PROFIBUS IO – Hardware components 14
PROFIsafe address setting 35
Program identification 283
Programming 131, 139, 140, 152, 178: F communication DB 176; Group passivation 118; Overview 55; Safety-related CPU–CPU communication 131; Safety-related CPU–CPU communication via S7 connections 178; Safety-related I-slave–I-slave communication; Safety-related master–I-slave communication 152; Safety-related master–master communication 140; Validity checks 129
Programming startup protection 95
Project data for the safety … 51
Proof test 325
Protection 82: Know-how of F-FBs, F-FCs, F-DBs
Protection through program identification 283
Purpose of this documentation 3
Q: QBAD
R: Read accesses for the safety program; Read INT indirectly from an F-DB 262; Reading of data from the standard user program: When changes are possible during runtime of an F runtime group 129; Ready-made F functions 59; Reflection light barriers 202; Reintegration 102, 123; Reintegration of an F-I/O 99, 111, 113, 124: after communication errors 111, after F-I/O faults and channel faults 113, Programming a user acknowledgment 121, 124, with group passivation 118; Reintegration of F-I/O 109: After startup of F system 109; Removing 265: S7 Distributed Safety 265, 325; Restart inhibit 202
56. … PROFINET IO as well (see also the documentation on PROFINET IO and IE/PB Link).
Note: If you are using an IE/PB Link, you must take this into account when configuring the F-specific monitoring times and when calculating the maximum response time of your F system (see also the Excel file for response time calculation, s7cotib.xls, for S7 Distributed Safety). Note that this Excel file does not support all of the conceivable configurations.
Safety-Related CPU–CPU Communication via Industrial Ethernet
Safety-related CPU–CPU communication via Industrial Ethernet is possible by means of configured S7 connections. Communication from and to the following CPUs is possible:
• CPU 315F-2 PN/DP (only via the CPU PN interface)
• CPU 317F-2 PN/DP (only via the CPU PN interface)
• CPU 319F-3 PN/DP (only via the CPU PN interface)
• CPU 416F-2 (firmware version V4.0 and higher)
• CPU 416F-3 PN/DP
In safety-related communication via S7 connections, a specified amount of fail-safe data of data types BOOL, INT, WORD or TIME is transferred in a fail-safe manner between the safety programs of the F-CPUs linked by means of the S7 connection. The data transfer makes use of the F application blocks F_SENDS7 for sending and F_RCVS7 for receiving. Data are exchanged using one F-DB (F communication DB) each on the sender and receiver sides. In addition, safety-related communication between S7 Distributed Safety and S7 F Systems is possible. S7 Distribut…
57. [Figure residue: timing diagram of F runtime group communication (p. 92). Legend: 1 Startup of F system; Cycle time of the OB in which the F runtime group is called; Runtime of the F runtime group; Data of F runtime group 1 written to DB for F runtime group communication of F runtime group 1; Data of F runtime group 2 read in DB for F runtime group communication of F runtime group 1; Presetting in the DB for F runtime group communication; Reading of data from F runtime group 1 that has a shorter OB cycle and higher priority than F runtime group 2.]

Programming – 4.4 Defining F Runtime Groups
[Figure residue: second timing diagram over cycles x, x+1, x+2 … Legend: 1 Startup of F system; Cycle time of the OB in which the F runtime group is called; Runtime of the F runtime group; 1 Data of F runtime group 1 written to DB for F runtime g…]
58. Configuration – 2.3 Configuring the F-CPU
Configuring the F Parameters of the F-CPU
Use the following procedure to configure the F parameters:
1. In HW Config, select the F-CPU and select the Edit > Object Properties menu command.
2. Open the F Parameters tab. After opening the tab, you will be prompted to enter the password for the safety program, or you have to assign the password for the safety program in a separate dialog box. For information on the password for the safety program, refer to Chapter "Overview of Access Protection".
In the F Parameters tab, you can change or accept the default settings for the following parameters:
• Enabling or disabling the function for deactivating safety mode
• Base for PROFIsafe addresses
• Compatibility mode for F-CPUs (only for F-CPUs that support PROFIsafe V2 MODE and that have only PROFIBUS DP interfaces, not PROFINET IO)
• Band of numbers for F data blocks
• Band of numbers for F function blocks
• Local data volume provided for the safety program
Note: A change in the F parameters of the F-CPU can cause changes in the safety program when it is recompiled and, consequently, a new acceptance test may be required.
"Safety Mode Can Be Deactivated" Parameter
You can enable or disable the function for deactivating safety mode in the F Parameters tab. "Safety mode can be deactivated" is enabled in the default settings.
59. Reintegration of F-I/O after F System Startup
[Figure residue: behavior of the PII/outputs, QBAD, QBAD_I_xx, QBAD_O_xx, PASS_OUT, ACK_REQ and ACK_REI over cycles 1 to 5 after startup of the F system: automatic passivation, then automatic reintegration in the 3rd cycle for F-I/O with inputs and in the 5th cycle for F-I/O with outputs and F-I/O with inputs and outputs; fail-safe values are output while the passivation output is set to 1, then process values. (p. 110)]
WARNING: If you do not want automatic reintegration to take place after startup of the F system, you must program startup protection.
See also: Programming Startup Protection (Page 95); Passivation and Reintegration of F-I/O after Communication Errors (Page 111)

F-I/O Access – 5.6 Passivation and Reintegration of F-I/O after Communication Errors
Behavior after Communication Errors
If the F system detects an error during safety-related communication (communication error) between the F-CPU and an F-I/O in accordance with the PROFIsafe safety protocol, the relevant F-I/O are passivated. The QBAD, PASS_OUT, QBAD_I_xx and QBAD_O_xx variables are …
60. … (continuation of the F_SENDS7 connections table)
Parameter | Data Type | Description | Default
TIMEOUT | TIME | Monitoring time in ms for safety-related communication (see also the "Safety Engineering in SIMATIC S7" system manual) | 0 ms
EN_SEND | BOOL | 1 = Send enable | 1
ID | WORD | Local ID of the S7 connection (from NetPro) | 0
R_ID | DWORD | Unambiguous network address correlation between F_SENDS7 and F_RCVS7 | 0
Outputs:
ERROR | BOOL | 1 = Communication error | 0
SUBS_ON | BOOL | 1 = Receiver outputs fail-safe values | 1
STAT_RCV | WORD | Error code of SFB/FB URCV (SFB 9/FB 9); for a description of the error codes, refer to the online help for SFB 9 | 0
STAT_SND | WORD | Error code of SFB/FB USEND (SFB 8/FB 8); for a description of the error codes, refer to the online help for SFB 8 | 0
DIAG | BYTE | Service information | 0

F Libraries – 9.1 Distributed Safety F library (V1)
Connections of F Application Block F_RCVS7
Parameter | Data Type | Description | Default
Inputs:
ACK_REI | BOOL | Acknowledgment for reintegration of send data following communication error | 0
RCV_DB | BLOCK_DB | Number of F communication DB | 0
TIMEOUT | TIME | Monitoring time in ms for safety-related communication (see also the "Safety Engineering in SIMATIC S7" system manual) | 0 ms
ID | WORD | Local ID of the S7 connection (from NetPro) | 0
R_ID | DWORD | Unambiguous network address correlation between F_SENDS7 and F_RCVS7 | 0
Outputs:
ERROR | BOOL | 1 = Communication error | …
61. (Index, continued)
Transferring the safety program to the F-CPU 283: With a Flash Card 283; With a Memory Card (MMC) 283; With a PG/PC 283
Two-hand monitoring 200
Two-hand monitoring with enable 216
U: Unidirectional connections 136; Universal module 136; Unlinked 61: DB 61; Update Reference Data 274; Use of: Access to an F-I/O DB 101; User acknowledgment 124: By means of acknowledgment key 121, 124, By means of operator control and monitoring system 121, 124, During interruption of the light curtain 202, For reintegration of an F-I/O 121, 124; User safety function 8: Example 8; User-created F libraries 265
V: Validity check 129; Variables of an F-I/O DB 101
W: Wiring test 308; WORD 61; Work memory requirement 275, 281: Of the safety program 275, 281; Write INT indirectly to an F-DB 260
62. … a discrepancy error is detected and DISC_FLT is set to 1 (restart inhibit).

F Libraries – 9.1 Distributed Safety F library (V1)
If the discrepancy between inputs IN1 and IN2 is no longer detected, the discrepancy error is acknowledged according to the parameter assignment of ACK_NEC:
• If ACK_NEC = 0, the acknowledgment is automatic.
• If ACK_NEC = 1, you must use a rising edge at input ACK to acknowledge the discrepancy error.
ACK_REQ = 1 signals that a user acknowledgment at input ACK is necessary to acknowledge the discrepancy error (cancel the restart inhibit). The F application block sets ACK_REQ = 1 as soon as discrepancy is no longer detected. After acknowledgment, or if prior to acknowledgment there is once again a discrepancy between inputs IN1 and IN2, the F application block resets ACK_REQ to 0.
Output Q can never be set to 1 if the discrepancy time setting is ≤ 0 or > 60 s. In this case, output DISC_FLT is also set to 1 (restart inhibit). The call interval of the safety program (e.g., OB35) must be less than the discrepancy time setting.
WARNING: Variable ACK_NEC must not be assigned a value of 0 unless an automatic restart of the affected process is otherwise excluded.
WARNING: When using an F application block with time processing, take the following timing imprecision sources into acc…
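A cycle-level model of the discrepancy monitoring and acknowledgment behavior described above, added here as an illustration (it is not code from the Distributed Safety F library). It assumes that "discrepancy" means IN1 ≠ IN2 for longer than DISCTIME and that Q follows IN1 AND IN2 while no discrepancy error is latched; the constructed scenario makes the consequence of ACK_NEC = 0 (automatic restart) visible next to ACK_NEC = 1.

```python
"""Model of two-channel discrepancy monitoring with restart inhibit:
DISCTIME, ACK_NEC, ACK, ACK_REQ, DISC_FLT and Q as described on the page.
Added illustration, not F library code. Modelling assumptions: a discrepancy
is IN1 != IN2 lasting longer than DISCTIME, and Q = IN1 AND IN2 while no
discrepancy error is latched."""
from dataclasses import dataclass, field

DISCTIME_MAX_MS = 60_000  # page: Q can never be 1 if DISCTIME <= 0 or > 60 s


@dataclass
class DiscrepancyMonitor:
    disctime_ms: int        # discrepancy time setting (DISCTIME)
    ack_nec: bool           # True: rising edge at ACK required; False: automatic
    cycle_ms: int           # call interval of the safety program (e.g. OB35)
    disc_flt: bool = field(init=False, default=False)   # restart inhibit latched
    ack_req: bool = field(init=False, default=False)    # acknowledgment requested
    _pending_ms: int = field(init=False, default=0)     # duration of IN1 != IN2
    _ack_prev: bool = field(init=False, default=False)  # for ACK edge detection

    def __post_init__(self) -> None:
        self.disctime_ok = 0 < self.disctime_ms <= DISCTIME_MAX_MS
        if not self.disctime_ok:
            self.disc_flt = True   # page: DISC_FLT is set to 1 in this case

    def call_interval_ok(self) -> bool:
        """Page rule: the call interval must be less than DISCTIME."""
        return self.cycle_ms < self.disctime_ms

    def cycle(self, in1: bool, in2: bool, ack: bool = False):
        """One call of the block. Returns (Q, DISC_FLT, ACK_REQ)."""
        ack_edge = ack and not self._ack_prev   # rising edge at input ACK
        self._ack_prev = ack
        if not self.disctime_ok:
            return (False, True, False)          # Q can never become 1

        if in1 != in2:
            self._pending_ms += self.cycle_ms
            if self._pending_ms > self.disctime_ms:
                self.disc_flt = True             # discrepancy error -> restart inhibit
            self.ack_req = False                 # renewed discrepancy resets ACK_REQ
        else:
            self._pending_ms = 0
            if self.disc_flt:
                # discrepancy no longer detected: acknowledge according to ACK_NEC
                if not self.ack_nec or ack_edge:
                    self.disc_flt = False        # automatic or user acknowledgment
                    self.ack_req = False
                else:
                    self.ack_req = True          # user acknowledgment at ACK needed
        q = (not self.disc_flt) and in1 and in2  # modelling assumption for Q
        return (q, self.disc_flt, self.ack_req)


def run_scenario(ack_nec: bool):
    """Constructed scenario: 10 ms cycle, DISCTIME 50 ms. IN2 lags IN1 by
    80 ms (> DISCTIME), then both channels agree, then ACK is pulsed once.
    Returns the list of (Q, DISC_FLT, ACK_REQ) per cycle."""
    m = DiscrepancyMonitor(disctime_ms=50, ack_nec=ack_nec, cycle_ms=10)
    assert m.call_interval_ok()
    trace = [m.cycle(True, False) for _ in range(8)]   # cycles 0..7: IN1=1, IN2=0
    trace.append(m.cycle(True, True))                  # cycle 8: channels agree
    trace.append(m.cycle(True, True, ack=True))        # cycle 9: rising edge at ACK
    trace.append(m.cycle(True, True, ack=False))       # cycle 10
    return trace


if __name__ == "__main__":
    for nec in (True, False):
        print("ACK_NEC =", int(nec))
        for i, (q, flt, req) in enumerate(run_scenario(nec)):
            print(f"  cycle {i:2d}: Q={int(q)} DISC_FLT={int(flt)} ACK_REQ={int(req)}")
```

With ACK_NEC = 1 the enable stays at 0 after the channels agree until the rising edge at ACK; with ACK_NEC = 0 it returns to 1 in the same cycle the discrepancy disappears, which is the automatic restart the warning refers to.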
63. … access permission for the safety program is reset automatically when all STEP 7 applications that have S7 Distributed Safety opened (e.g., SIMATIC Manager, FBD/LAD editor) have been exited. If you reopen STEP 7 after exiting these STEP 7 applications and perform an action that requires a password, you are prompted to enter the password for the safety program again.

Access Protection – 3.3 Read Accesses without Password for the Safety Program
Read Access without a Password
The "Password for Safety Program" dialog allows you to set up the password for the safety program. Alternatively, you can opt for read accesses without a password. You can use read access without a password to access F-relevant tabs and object properties dialogs for the F-CPU, F-I/O, F blocks and safety-related communication, F blocks of the safety program, and the "Edit F Runtime Groups" dialog.
"Password for Safety Program" Dialog
The "Password for Safety Program" dialog looks like this: [dialog residue: "Enter password" field; checkbox "Read-only access (no password necessary)"; options "For all other actions" and "For this access only"; buttons OK, Cancel, Help]
Read Access for all Other Actions
If you have specified read access for all other actions, the user is not prompted to enter t…
64. … and the special characteristics you must consider when programming this access.
Access via the Process Image
As with standard I/O, F-I/O (e.g., S7-300 F-SMs) are accessed via the process image (PII and PIQ). Direct I/O access is not permitted. The channels of an F-I/O can only be accessed from one F runtime group. The process input image is updated at the start of the F runtime group before the F program block is processed. The process output image is updated at the end of the F runtime group after the F program block is processed (see figure in Chapter "Structure of Safety Program in S7 Distributed Safety"). The actual communication between the F-CPU (process image) and the F-I/O for the purpose of updating the process image takes place in the background using a special safety protocol in accordance with PROFIsafe.
WARNING: Due to the special safety protocol, the F-I/O occupy a larger area of the process image than is required for the channels that are actually present on the F-I/O. To find out the area of the process image where the channels (user data) are stored, refer to the relevant manuals for the F-I/O. When the process image is accessed in the safety program, only the channels that are actually present are permitted to be accessed. Note that for certain F-I/O, such as S7-300 F-SMs and ET 200S fail-safe modules, a 1oo2 evaluation of the sensors can be specified. To find out which of the channels combined by th…
65. (Index, continued)
… and the standard FBD and LAD programming languages 61
Discrepancy error at sensor pair 1 202: Timing diagrams 202
Distributed Safety F library (V1) 183: Directory 55; F blocks 59
Distributed Safety F library (V1), Overview 183
Documentation 3: Additional 3; Scope 3
Downloading 275: In SIMATIC Manager or FBD/LAD Editor 275; In the Safety Program dialog 275; Of the safety program 275
Downloading in SIMATIC Manager or FBD/LAD Editor, Rules 275
Downloading to an S7-PLCSIM 275
DP/DP coupler 139, 140: Configuring safety-related master–master communication 136; Programming safety-related master–master communication 139, 140
E: Editing F-FB/F-FC 78; Emergency STOP up to Stop Category 1 229; EN 61; Enable input 61; Enable output 61; ENO 61; Entering, changing or canceling the password for the safety program 48; Evaluation 327: Diagnostic variables/parameters 327
F: F-I/O DB 44: Symbolic names 44; F local data 26: Maximum possible number 2…; F parameters of the F-CPU 26: Base for PROFIsafe addresses 26, Configuration 26, F local data 26, F data blocks 26, F function blocks 26; F_BO_W 258; F Check SeqN …; F_CRC_Length; F_INT_RD; F_INT_WR; F_IO_StructureDescCRC 39; F_MUT_P 219; F_MUTING 202: Structure of DIAG 202; F_MUTING …
66. … are found under "Parameters > F Parameters" and "Parameters > Module parameters". For F-I/O that you address via safety-related I-slave–slave communication, the parameters can be found in the printout of the hardware configuration of the station of the DP master (see Chapter "Printed Project Data for the Hardware Configuration"). For fail-safe DP standard slaves/standard I/O devices, the safety-related parameters are found under "PROFIsafe". In addition, note the documentation for the relevant fail-safe DP standard slave/standard I/O device regarding any other safety-related technological parameters.
Note: F-I/O that are to be assigned the same safety-related parameters (except for PROFIsafe addresses) can be copied during configuration. Except for the PROFIsafe addresses, you no longer have to check the safety-related parameters individually. It is sufficient to compare the "Parameter CRC (without F addresses)" of the copied F-I/O (or "F_Par_CRC (without F addresses)" in the case of fail-safe DP standard slaves/standard I/O devices) with the corresponding cyclic redundancy check of the already checked F-I/O. The Parameter CRCs (without F addresses) can be found in the printout of the hardware configuration in the respective module description of the F-I/O.

System Acceptance Test – 11.2 Checking the Printouts
3. …
67. … can only deactivate safety mode in the Safety Program dialog. For a detailed description of the S7-PLCSIM function of STEP 7, refer to the S7-PLCSIM V5.x user manual.
See also: Program structure of the safety program in S7 Distributed Safety; Process or fail-safe values; Changes to the safety program in RUN (Page 57); Structure of the Safety Program in S7 Distributed Safety; Process Data or Fail-Safe Values; F-I/O DB (Page 101); Downloading the Safety Program (Page 275); (Page 287); Modifying the safety program in RUN mode (Page 304); Deactivating Safety Mode

System Acceptance Test – 11.1 Introduction
Overview of System Acceptance Test: During the system acceptance test, all relevant application-specific standards must be adhered to, as well as the procedure described below. This also applies to systems that are not subject to acceptance testing. For the acceptance test, you must consider the systems in the Certification Report. As a general rule, the acceptance test of an F System is performed by independent experts.
Requirements: The hardware configuration and parameter assignment is complete. The safety program has been created and compiled and is consistent.
Procedure: Use the following procedure for the system acceptance test:
1. Back up the entire STEP 7 project …
68. … case of F-I/O with inputs, when passivation occurs the F system provides fail-safe values (0) instead of the process data pending in the PII to the safety program. The F system recognizes an overflow or underflow of a channel of the SM 336; AI 6 x 13 Bit or the SM 336; F-AI 6 x 0/4...20 mA HART as an F-I/O fault or channel fault. The fail-safe value 0 is provided in place of 7FFF (hex) for overflow or 8000 (hex) for underflow in the PII for the safety program. If, in the case of F-I/O with inputs, you want to process other fail-safe values besides 0 for analog channels of data type INT/WORD in the safety program, you can specify individual fail-safe values when QBAD/QBAD_I_xx/QBAD_O_xx = 1.
WARNING: For F-I/O with inputs, the fail-safe value 0 provided in the PII must be further processed for digital channels of data type BOOL in the safety program.
When passivation occurs in an F-I/O module with outputs, the F system transfers fail-safe values (0) to the fail-safe outputs instead of the output values in the PIQ provided by the safety program. The F system overwrites the associated PIQ with fail-safe values (0).

F-I/O Access – 5.2 Process Data or Fail-Safe Values
Reintegration of F-I/O / Channels of an F-I/O
The switchover from fail-safe values (0) to process data (reintegration of an F-I/O) takes place automatica…
69. … (continuation of the DIAG table) … channel fault of feedback input: Check I/O.
Bit 1: Passivation of the F-I/O controlled by output Q (state of QBAD_FIO). Cause: F-I/O fault, channel fault or communication error, or passivation by means of PASS_ON of the F-I/O. Remedy: For a solution, see DIAG variable bits 0 to 6 in Chapter "F-I/O DB".
Bit 2: After a feedback error, the feedback input has a permanent signal state of 0. Causes and remedies: I/O fault or channel fault of the feedback input: check I/O. Feedback contact is defective: check the feedback contact. F-I/O fault, channel fault or communication error, or passivation by means of PASS_ON of the F-I/O of the feedback input: for a solution, see DIAG variable bits 0 to 6 in Chapter "F-I/O DB".
Bit 3: Reserved
Bit 4: Reserved
Bit 5: For a feedback error, input ACK has a permanent signal state of 1. Causes and remedies: acknowledgment button defective: check the acknowledgment button. Wiring fault: check the wiring of the acknowledgment button.
Bit 6: Acknowledgment required (state of ACK_REQ)
Bit 7: State of output Q
Note: Access to the DIAG output is not permitted in the safety program.
See also: F-I/O DB (Page 101); Overview of F application blocks (Page 183)

F Libraries – 9.1 Distributed Safety F library (V1) – 9.1.2.17 FB 217 "F_SFDOOR": Safety Door Monitoring
Connections
Parameter | Data Type | Description | Default
Inp…
70. … configuration of communication is necessary in the object properties for the F-I/O of the DP slave and DP master.

Configuring and Programming Communication – 8.5 Safety-Related I-Slave–Slave Communication
Assigned Address Areas
Each of the local and partner addresses represents a start address of an address area of input and output data. Once the local and partner addresses are configured, the address areas are automatically assigned. An example of assigned address areas for I-slave–slave communication with F-I/O is shown in the table below for a 4/8 F-DI and a 4 F-DO of ET 200S.
Communication Connection | Assigned Address Areas
I-slave–slave communication with 4/8 F-DI | Of F-CPU of I-slave: 6 bytes of input data and 4 bytes of output data; Of F-CPU of DP master: 6 + 4 bytes of input data
I-slave–slave communication with 4 F-DO | Of F-CPU of I-slave: 5 bytes of output data and 5 bytes of input data; Of F-CPU of DP master: 5 + 5 bytes of input data
(Example for 4/8 F-DI and 4 F-DO of ET 200S; for the specific address relationship, see the F-I/O manuals.)
The CPU of the DP master can be an F-CPU or a standard CPU. Whether or not the PROFIBUS DP interface of the standard CPU supports direct data exchange can be found in the info text for the relevant CPU in the hardware catalog in HW Config.
71. … data for communication are stored.
• Call and assign parameters for the F application blocks for communication from the Distributed Safety F library (V1) in the safety program.
Requirements for Programming
The following requirements must be met prior to programming:
• The S7 connections between the relevant F-CPUs must be configured in NetPro.
• Both CPUs must be configured as F-CPUs (the "CPU contains safety program" option must be selected).
• The password for the F-CPU must be entered.

Configuring and Programming Communication – 8.7 Safety-Related Communication via S7 Connections
Creating and Editing an F Communication DB
F communication DBs are F-DBs that you create and edit in the same way as other F-DBs in SIMATIC Manager. Note the following when creating F communication DBs:
• When creating the F-DB, assign the "COM_DBS7" identifier in the "Family" field in the "General – Part 2" tab of the object properties for the F-DB. This identifier designates the F-DB as an F communication DB. Only F-DBs with this identifier can be transferred as F communication DBs to F_SENDS7 or F_RCVS7.
• Assign a symbolic name for the F communication DB.
Note: The length and structure of the F communication DB on the receiver side must match the length and structure of the associated F communication DB on the sender side. If the F communic…
72. … directly in OBs (cyclic interrupt OBs). To the extent possible, you should not declare any additional local data in these cyclic interrupt OBs. Certain resources must be reserved for the safety program. This is done during configuration of the F-CPU in HW Config in the Object Properties dialog for the F-CPU. If you do not make any settings explicitly, meaningful default values are used. Create your program according to the general STEP 7 rules. Consider, for example, the data flow.
Note: You can improve performance by writing sections of the program that are not required for the safety function in the standard user program. When determining which elements to include in the standard user program and which to include in the safety program, you should keep in mind that the standard user program can be modified and downloaded to the F-CPU more easily. In general, changes in the standard user program do not require an acceptance test.
See also: (Page 86); (Page 317)

Programming – 4.3 Creating F Blocks in F-FBD/F-LAD – 4.3.1 Creating F Blocks in F-FBD/F-LAD
Overview
This section describes how to create a safety program in F-FBD or F-LAD using F-FBs, F-FCs and/or F-DBs you have created. The basic procedure is the same as for the standard user program; therefore, only the deviations from p…
73. (Table of contents, continued)
8.4.1 Configuring Address Areas (Safety-Related I-Slave-I-Slave Communication) ... 156
8.4.2 Configuring Safety-Related I-Slave-I-Slave Communication ... 158
8.4.3 Communication by Means of F_SENDDP and F_RCVDP (Safety-Related I-Slave-I-Slave Communication)
8.4.4 Programming Safety-Related I-Slave-I-Slave Communication
8.4.5 Limits for Data Transfer (Safety-Related I-Slave-I-Slave Communication)
8.5 Safety-Related I-Slave-Slave Communication
8.5.1 Configuring Address Areas (Safety-Related I-Slave-Slave Communication)
8.5.2 Configuring Safety-Related I-Slave-Slave Communication
8.5.3 F-I/O Access for Safety-Related I-Slave-Slave Communication
8.5.4 Limits for Data Transfer (Safety-Related I-Slave-Slave Communication)
8.6 Safety-Related IO-Controller-IO-Controller Communication
8.7 Safety-Related Communication
74. for PROFIBUS subnets: The PROFIsafe destination address, and thus the switch setting on the address switch of the F-I/O, must be unique network-wide and station-wide (system-wide). For S7-300 F-SMs and ET 200S, ET 200eco, and ET 200pro F-modules, you can assign a maximum of 1022 different PROFIsafe destination addresses.
Exception: The F-I/O in different I-slaves may be assigned the same PROFIsafe destination address, as they are only addressed within the station, that is, by the F-CPU in the I-slave.

Rules for Ethernet subnets and hybrid configurations of PROFIBUS and Ethernet subnets: The PROFIsafe destination address, and thus the address switch setting on the F-I/O, have to be unique only within the Ethernet subnet (including all lower-level PROFIBUS subnets) and station-wide (system-wide). For S7-300 F-SMs and ET 200S, ET 200eco, and ET 200pro F-modules, you can assign a maximum of 1022 different PROFIsafe destination addresses.
Exception: The F-I/O in different I-slaves may be assigned the same PROFIsafe destination address, as they are only addressed within the station, that is, by the F-CPU in the I-slave.

The networked nodes of an Ethernet subnet are characterized by having IP addresses with the same subnet address, i.e. the IP addresses match in the digits that have the value 1 in the subnet mask.
Example:
IP address: 140.80.0.2
Subnet mask: 255.255.0.0 (11111111.11111111.00000000.00000000)
Meaning: Bytes 1 and 2
75. group for which you furnished the F-DB, while it can only be read-accessed by the receiver F-runtime group.
Tip: You can improve performance by structuring your safety program in such a way that as few data as possible are exchanged between the F-runtime groups.

Creating a DB for F-Runtime Group Communication in SIMATIC Manager
You can create the DB for F-runtime group communication in SIMATIC Manager in the same way as other F-DBs (see Chapter "Creating and Editing an F-DB"). Note the following when creating the DB for F-runtime group communication in SIMATIC Manager:
- Assign the RTG_DB identifier in the "Family" box in the "General - Part 2" tab of the object properties for the F-DB. This identifier designates the F-DB as a DB for F-runtime group communication.
- Assign a symbolic name for the DB for F-runtime group communication.

Up-to-Dateness of Data When Reading from Another F-Runtime Group
Note: The data read from another F-runtime group are as up to date as they were when the F-runtime group furnishing the data was last processed before the start of the F-runtime group reading the data. If the furnished data undergo multiple changes while the F-runtime group furnishing the data is being processed, the F-runtime group reading the data always receives the last change.

Assignment of fail-safe values
Pr
76. is to be incorporated in the consistency check (CRC calculation) of the F-user data frame. In PROFIsafe V1 MODE, you need to set the F_Check_SeqNr parameter to "No check". Only fail-safe DP standard slaves that behave accordingly are supported. F_Check_SeqNr is irrelevant in PROFIsafe V2 mode.

F_SIL Parameter
This parameter defines the safety class of the fail-safe DP standard slave or standard I/O device. The parameter is device-dependent. Possible settings for the F_SIL parameter are SIL 1 to SIL 3, depending on the GSD file.

F_CRC_Length Parameter
Depending on the length of the F-user data (process data), the safety class, and the PROFIsafe MODE, the length of the CRC signature must be 2, 3, or 4 bytes. This parameter provides information to the F-CPU on the size of the CRC2 key in the safety message frame.
In PROFIsafe V1 mode: For a user data length less than or equal to 12 bytes, select "2-byte CRC" as the setting for the F_CRC_Length parameter; for a user data length ranging from 13 bytes to 122 bytes, select "4-byte CRC". S7 Distributed Safety supports only "2-byte CRC"; the fail-safe DP standard slave must behave accordingly.
In PROFIsafe V2 mode: For a user data length less than or equal to 12 bytes, select "3-byte CRC" as the setting for the F_CRC_Length parameter; for a user data length ranging from 13 bytes to 123 bytes, select "4-byte CRC". S7 Distributed Safety supports only "3-byte CRC"; the fail
77. networks are displayed in STL. The STL code they contain must not be changed.
Rule: STL networks are not permitted in the F-FBD representation. STL networks in F-LAD must be represented again as F-FBD networks when there is a switch to F-FBD.
WARNING: Editing the instance DB of F-FBs is not permitted online or offline and can cause the F-CPU to go to STOP mode.
Note: Accesses to static parameters of instance DBs of other F-FBs are not permitted.
Note: Note when using F-FCs that the first access of output parameters of F-FCs must be a write access. This initializes the output parameters. Output parameters from F-FCs must always be initialized. The F-CPU can go to STOP if this is not observed. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
- Data corruption in the safety program prior to output to F-I/O
- Data corruption in the safety program prior to output to partner F-CPU
- Safety program internal CPU fault (internal error information: 404)
Note: If you wish to assign an address from the data area (data block) to a formal parameter of an F-FC as an actual parameter, you have to use fully qualified DB access.
Note: Variable names in F-FBs/F-FCs can contain a maximum of 22 characters.

Programming / 4.3 Creating F-Block
78. no longer match the name in the object properties for the F-I/O. Or:
- By deleting the applicable symbol table entry, changing the name in the object properties, and then recompiling in HW Config.
Note: In the case of fail-safe DP standard slaves/standard I/O devices, take care not to use the description that can be entered in HW Config instead of the name for generating the symbolic name for the associated F-I/O DB. The symbolic name is always generated in this case using the prefix "F", the start address of the fail-safe DP standard slave/standard I/O device, and a fixed character string. You can change the symbolic name only by editing it directly in the symbol table.
WARNING: An F-I/O DB is always assigned to a particular F-I/O module using the F-I/O DB number and not the start address entered by default in the symbolic name. For this reason, you must not modify the automatically assigned numbers of the F-I/O DBs; otherwise, your safety program can no longer access the F-I/O DB assigned to the F-I/O.

Symbolic Names for Input Channels of the SM 336; AI 6 x 13Bit and SM 336; F-AI 6 x 0/4...20 mA HART
If you want to assign symbols for the input channels of the SM 336; AI 6 x 13Bit or SM 336; F-AI 6 x 0/4...20 mA HART, make sure that the symbols are of data type INT.
See also: F-I/O DB (Page 101)
79. of the IP address define the subnet (subnet address 140.80).
A network consists of one or more subnets. "Network-wide" means beyond the boundaries of the subnet. The address is unique for a station configured in HW Config (for example, an S7-300 station or I-slave). Across Ethernet subnets, excluding cyclic PROFINET IO communication (RT communication).

Configuration / 2.4 Configuring the F-I/O
Group Diagnostics for S7-300 F-SMs
The "Group diagnostics" parameter activates and deactivates the transmission of channel-specific diagnostic messages of F-SMs (such as wire break and short circuit) to the F-CPU. For availability reasons, you should shut down the group diagnostics on unused input or output channels of the following F-SMs:
- SM 326; DI 8 x NAMUR
- SM 326; DO 10 x 24 VDC/2 A
- SM 336; AI 6 x 13 Bit
WARNING: For fail-safe F-SMs in safety mode, group diagnostics must be activated on all connected channels. It is recommended that you check to verify that you shut down group diagnostics only for unused input and output channels. Diagnostic interrupts can be enabled optionally.
For SM 326; DI 24 x 24 VDC (Order No. 6ES7326-1BK01-0AB0 or higher) and SM 326; DO 8 x 24 VDC/2 A PM, the following applies: If you deactivate a channel in STEP 7 HW Config, the group diagnost
80. of the feedback input FEEDBACK. Output Q is set to 1 as soon as input ON = 1. Requirement for this is that the feedback input FEEDBACK = 1 and no feedback error is saved. Output Q is reset to 0 as soon as input ON = 0 or if a feedback error is detected.
A feedback error (ERROR = 1) is detected if the inverse signal state of the feedback input FEEDBACK (to input Q) does not follow the signal state of output Q within the maximum tolerable feedback time. The feedback error is saved.
If a discrepancy is detected after a feedback error between the feedback input FEEDBACK and the output Q, the feedback error is acknowledged in accordance with the parameter assignment of ACK_NEC:
- If ACK_NEC = 0, the acknowledgment is automatic.
- If ACK_NEC = 1, you must acknowledge the feedback error with a rising edge at input ACK.
The ACK_REQ = 1 output then signals that a user acknowledgment is necessary at input ACK to acknowledge the feedback error. Following an acknowledgment, the F-application block resets ACK_REQ to 0.

F-Libraries / 9.1 Distributed Safety F-library (V1)
To avoid a feedback error from being detected and an acknowledgment from being required when the F-I/O controlled by output Q are passivated, you must supply input QBAD_FIO with the QBAD or QBAD_O_xx variable of the associated F-I/O.
WARNING: Variable ACK_NE
82. parameter of the same F_RCVDP call or another F_RCVDP or F_RCVS7 call. The F-CPU can go to STOP if this is not observed. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
- Data corruption in the safety program prior to output to F-I/O
- Data corruption in the safety program prior to output to partner F-CPU
- Safety program internal CPU fault (internal error information: 404)
WARNING: If the F-CPU with the associated F_SENDDP is in deactivated safety mode, you can no longer assume that the data received from this F-CPU were generated safely. You must then implement organizational measures, such as operation monitoring and manual safety shutdown, to ensure safety in those portions of the system that are affected by the received data. Alternatively, you must output fail-safe values instead of the received data in the F-CPU with the F_RCVDP by evaluating SENDMODE.
See also: Programming Safety-Related Master-Master Communication (Page 140); Deactivating Safety Mode (Page 304)

Configuring and Programming Communication / 8.3 Safety-Related Master-I-Slave Communication
8.3.5 Limits for Data Transfer (Safety-Related Master-I-Slave or I-Slave-I-Slave Communication)
Limits for Data Transfer
If the amount of data to be transferred is greater than the capacity of an F_
83. part of the operator. The supplier is also obliged to comply with certain actions when monitoring the product. For this reason, we publish a special newsletter containing information on product developments and features that are or could be relevant to operation of safety-related systems. By subscribing to the relevant newsletter, you will always have the latest information and be able to make changes to your system when necessary.
To subscribe online, go to this page: http://my.ad.siemens.de/myAnD/guiThemes2select.asp?subjectID=2&lang=en and register for the following newsletters:
- SIMATIC S7-300/S7-300F
- SIMATIC S7-400/S7-400H/S7-400F/FH
- Distributed I/O
- SIMATIC Industrial Software
Select the "Updates" check box for each newsletter.
Sitrain: http://www.sitrain.com

Table of contents
Preface
1 Product Overview
1.1 Overview
1.2 Hardware and Software Components
1.3 Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package
2 Configuration
2.1 Overview of Configuration
2.2 Particularities for Configuring the F-System
84. passivated in deactivated safety mode as a result of evaluation of the MODE variable, system safety must be ensured in deactivated safety mode through other organizational measures, such as operation monitoring and manual safety shutdown.
See also: Modifying the safety program in RUN mode (Page 287)

Compiling and commissioning a safety program / 10.9 Testing the Safety Program
10.9.3 Testing the Safety Program
Introduction
In deactivated safety mode, certain fault control measures of the safety program are deactivated to enable online changes to be made to the safety program in RUN mode. In this way, safety program data can be changed using standard STEP 7 tools.
Modifying the Data of the Safety Program with the "Monitor/Modify Variable" Function
In addition to data in the standard user program, which can always be modified, you can modify the following data in a safety program using the "Monitor/Modify Variable" function in deactivated safety mode:
- Process image of F-I/O
- F-DBs (except the DB for F-runtime group communication and instance DBs of F-FBs)
- Instance DBs of F-application blocks
- F-I/O DBs (for permitted si
85. possible. You can obtain the assigned address areas in the DP master and the I-slaves in the "Configuration" tab.

Configuring and Programming Communication / 8.4 Safety-Related I-Slave-I-Slave Communication
Disabling Active Coupling of an I-Slave
Before you can disable active coupling of an I-slave, you must delete all safety-related communication connections to other F-CPUs or F-modules in the "F-Configuration" tab.
Additional Information
You will find a description of the parameters in the context-sensitive online help for the "F-Configuration" tab. For information on address areas, partial process images, and supported interrupt OBs, refer to the technical specifications for the CPU you are using.
8.4.3 Communication by Means of F_SENDDP and F_RCVDP (Safety-Related I-Slave-I-Slave Communication)
Reference: For a description, refer to Chapter "Communication by Means of F_SENDDP and F_RCVDP (Safety-Related Master-I-Slave/I-Slave-I-Slave Communication)".
8.4.4 Programming Safety-Related I-Slave-I-Slave Communication
Reference: For a description, refer to Chapter "Programming Safety-Related Master-I-Slave/I-Slave-I-Slave Communication".
8.4.5 Limits for Data Transfer (Safety-Related I-Slave-I-Slave Communication)
Limits for Data Transfer: For a description, refer to Chapter "Limits for Data Transfer (Sa
86. program.

Compiling and commissioning a safety program / 10.4 Downloading the Safety Program
Check for Accesses from the Standard Program
The following is checked:
- Whether OBs, FBs, and FCs from the standard user program are writing to F-DBs of the safety program using fully qualified DB accesses
- Whether OBs, FBs, and FCs from the standard user program are writing to address areas of F-I/O using process image accesses or direct I/O accesses
- Whether F-blocks are called in OBs, FBs, and FCs of the standard user program
- Whether the clock memory in the F-block is read-accessed (you have defined the clock memory during configuration of the F-CPU in HW Config, in the object properties dialog for the F-CPU)
The result is displayed in a message window.
Note: Note that the checks described above are not exhaustive, e.g. the check to determine whether F-DBs are write-accessed from the standard user program is unsuccessful in the event of indirect addressing or partially qualified access to F-DBs in the standard user program.
Update Reference Data
You can disable the reference data update at the end of the compilation operation. This shortens the time required to compile the complete safety program.
Note: If updating of reference data is disabled, the program structu
87. program, any calls of additional → F-FBs/F-FCs for program structuring, and any F-application blocks from the block container of → F-application blocks of the Distributed Safety F-library and F-blocks from → user-created F-libraries. The → safety program consists of one or two F-runtime groups.
An F-runtime group is a logical construct of several associated → F-blocks. It is generated internally by the F-system. An F-runtime group consists of the following F-blocks: → F-CALL, → F-PB, → F-FBs, → F-FCs (if applicable), → F-DBs (if applicable), → F-I/O DBs, F-blocks of the Distributed Safety F-library and user-created F-libraries, instance DBs, → F-SBs, and → automatically generated F-blocks.

Glossary (terms on this page: F-SBs, F-shared DB, F-SMs, F-system blocks, F-systems, i-Parameter, MSR)
F-SBs: F-SBs are fail-safe system blocks which are automatically inserted and called when the → safety program is compiled, in order to generate an executable safety program from the user's safety program.
F-shared DB: The F-shared DB is a fail-safe data block that contains all of the shared data of the → safety program and additional information needed by the F-system. When the hardware configuration is saved and compiled in HW Config, the F-shared DB is automatically inserted and expanded. Using its symbolic name F_G
88. safe DP standard slave/standard I/O device must behave accordingly.
F_Block_ID Parameter
The F_Block_ID parameter has the value 1 if the F_iPar_CRC parameter exists; otherwise, it has the value 0. The F_Block_ID parameter indicates that the data record for the value of F_iPar_CRC has been extended by 4 bytes. You must not change the parameter.

Configuration / 2.5 Configuring fail-safe DP standard slaves and fail-safe standard I/O devices
F_Par_Version Parameter
This parameter identifies the PROFIsafe operating mode. You can find out the operating modes supported by the device from the range of values offered. The parameter is set to 1 (PROFIsafe V2 MODE) for fail-safe standard I/O devices and cannot be changed. For fail-safe DP standard slaves, you can set this parameter to the following:
- Set F_Par_Version to 1 (PROFIsafe V2 MODE) for a PROFIBUS DP homogeneous network if the device and the F-CPU support this. Otherwise, set it to 0 (PROFIsafe V1 MODE).
- F_Par_Version must be set to 1 (PROFIsafe V2 MODE) for a network composed of PROFIBUS DP and PROFINET IO subnets.
Note: The following F-CPUs support V2 MODE:
- CPU 416F-2, firmware version V4.1 and higher
- CPU 416F-3 PN/DP
- IM 151-7 F-CPU, firmware version V2.6 and higher
- CPU 315F-2 PN/DP
- CPU 315F-2 DP, firmware version V2.6 and
89. safety program prior to output to partner F-CPU
- Safety program internal CPU fault (internal error information: 404)
While it is possible to download a safety program to an S7-PLCSIM in SIMATIC Manager or FBD/LAD Editor, no simulation blocks are automatically downloaded, and therefore the safety program cannot run. Downloading individual F-blocks in SIMATIC Manager or FBD/LAD Editor to an S7-PLCSIM in deactivated safety mode is only practical for test purposes.
WARNING: If F-blocks are downloaded in SIMATIC Manager or FBD/LAD Editor, you must ensure that there is not an unused F-CALL in the block container. If you always download the safety program in the Safety Program dialog, all uncalled F-blocks (including an unused F-CALL block) are automatically deleted.

Compiling and commissioning a safety program / 10.4 Downloading the Safety Program
Rules for Downloading F-Blocks in SIMATIC Manager or FBD/LAD Editor
The following rules apply to downloading of F-blocks:
- You can only download in deactivated safety mode or when the F-CPU is in STOP mode.
- F-blocks can only be downloaded to an F-CPU to which a safety program has already been downloaded with the Safety Program dialog.
- The offline password and online password of the safety program must match.
- Changes to the password for the safety prog
90. set to 1 when fail-safe values (0) are being used.
Reintegration of F-I/O
Reintegration of the relevant F-I/O, that is, provision of process data in the PII or transfer of process data provided in the PIQ to the fail-safe outputs, takes place only when the following occurs:
- All communication errors have been eliminated and the F-system has set ACK_REQ = 1.
- A user acknowledgment with a positive edge has occurred, either on the ACK_REI variable of the F-I/O DB or on the ACK_REI_GLOB input of the FB 219 "F_ACK_GL" F-application block (see Chapter 9.7.2).

F-I/O Access / 5.7 Passivation and Reintegration of F-I/O after F-I/O Faults and Channel Faults
Signal Chart for Passivation and Reintegration of F-I/O after Communication Errors
[Figure: signal chart. Events shown: communication error (passivation); communication error no longer present; reintegration. Traces shown: PII (fail-safe values / process values); values to outputs (process values / fail-safe values are output); QBAD, QBAD_I_xx, QBAD_O_xx; passivation output PASS_OUT; acknowledgment request ACK_REQ; user acknowledgment ACK_REI; DIAG bit x. Variants for F-I/O with inputs, F-I/O with outputs, and F-I/O with inputs and outputs.] Signal pa
91. table for assignment and prompting of passwords, the "Set up permission for safety program" dialog for assigning the password for the safety program is displayed automatically.
Note: Make sure that you use identical online and offline passwords for the safety program by downloading the safety program to the F-CPU with the Safety Program dialog, as otherwise you cannot download it by means of SIMATIC Manager and LAD/FBD Editor.
WARNING: To optimize access protection, you must use different passwords for the F-CPU and the safety program.

Access Protection / 3.2 Access Permission for the Safety Program
WARNING: If access protection is not used to limit access to the programming device or PC to only those persons who are authorized to modify the safety program, the following organizational measures must be taken to ensure the effectiveness of password protection at the programming device or PC:
- Only authorized personnel may have access to the password.
- Authorized personnel must explicitly cancel the access permission for the safety program before leaving the programming device or PC. If this is not strictly implemented, a screen saver equipped with a password accessible only to authorized personnel must also be used.
Changing the Password for the Safety Program
The
92. the F-PB. Assign the applicable F-communication DB numbers to the SEND_DB input of F_SENDS7 and the RCV_DB input of F_RCVS7. Assign the local ID of the S7 connection (data type: WORD) configured in NetPro to the F_SENDS7 input ID. Assign the local ID of the S7 connection (data type: WORD) configured in HW Config to the F_RCVS7 input ID.

Configuring and Programming Communication / 8.7 Safety-Related Communication via S7 Connections
8. Assign an odd number (data type: DWORD) to the F_SENDS7 and F_RCVS7 R_ID inputs. This specifies that an F_SENDS7 and an F_RCVS7 belong together. The related F-blocks are given the same R_ID.
[Figure: two CPU 416F-2 linked by one S7 connection. Left CPU: F_SENDS7 with SEND_DB = 1, ID = W#16#1, R_ID = DW#16#9, and F_RCVS7 with RCV_DB = 3, ID = W#16#1, R_ID = DW#16#B. Right CPU: F_RCVS7 with RCV_DB = 2, ID = W#16#1, R_ID = DW#16#9, and F_SENDS7 with SEND_DB = 4, ID = W#16#1, R_ID = DW#16#B.]
WARNING: The value for each address association (input parameter R_ID; data type: DWORD) is user-defined; however, it must be unique from all other safety-related communication connections in the network. The value R_ID = 1 is assigned internally and must not be used.
Note: A separate instance DB must be used for each call of an F_SENDS7 and F_RCVS7. The input and output parameters of the F_RCVS7 must not be supplied with local data of the F
93. the standard user program when the F-CPU is in RUN mode, regardless of whether safety mode is activated or deactivated.
WARNING: In safety mode, access by means of the F-CPU password must not be authorized when making changes to the standard user program, since changes to the safety program can also be made. To rule out this possibility, you must configure Level of Protection 1. If only one person is authorized to change the standard user program and the safety program, level of protection 2 or 3 should be configured so that other persons have only limited access or no access at all to the entire user program (standard and safety programs).

Compiling and commissioning a safety program / 10.7 Modifying the Safety Program
Modifying the F-Runtime Group Call
If an OB (e.g. OB35) or FB with an F-CALL call is downloaded to the F-CPU during operation in RUN mode, the mode is only updated after the Safety Program dialog has been closed and re-opened.
Procedure for Applying Changes to the Safety Program
If you download individual F-blocks to the F-CPU during operation in RUN mode, the F-system blocks (F-SBs) and the automatically generated F-blocks are neither updated nor downloaded, resulting in an inconsistent safety program in the F-CPU. Use the following procedure to accept changes to the safety program
94. the valve is opened.

Product Overview / 1.2 Hardware and Software Components
1.2 Hardware and Software Components
Hardware and Software Components of S7 Distributed Safety
The following figure provides an overview of the hardware and software components required to configure and operate an S7 Distributed Safety fail-safe system.
[Figure: automation system; programming device; possibly additional distributed I/O systems; possibly fail-safe DP standard slaves/standard I/O devices (light grid, laser scanner, etc.); connected via PROFIBUS DP / PROFINET IO.]
Hardware Components for PROFIBUS DP
The hardware components of S7 Distributed Safety include the following:
- F-CPU, such as the 315F-2 DP CPU
- Fail-safe inputs and outputs (F-I/O), such as:
  - S7-300 fail-safe signal modules in S7 Distributed Safety (centralized configuration)
  - S7-300 fail-safe signal modules in ET 200M (distributed configuration)
  - Fail-safe power and electronic modules in ET 200S
  - ET 200eco fail-safe I/O module
  - Fail-safe modules in ET 200pro
  - Fail-safe DP standard slaves
You can expand the configuration using standard I/O.
Hardware Components for PROFINET IO
You can
95. way that it supplies the useful signal (see the manual for the F-I/O you are using). In order to keep the discrepancy time from influencing the response time, you must assign "0 - provide value" for the behavior of discrepancy during configuration. If a discrepancy is detected, a fail-safe value of 0 is entered in the process input image (PII) for the momentary contact switch, and QBAD or QBAD_I_xx = 1 is set in the relevant F-I/O DB.
WARNING: When using an F-application block with time processing, take the following timing imprecision sources into account when determining your response times:
- Known timing imprecision based on standard systems resulting from cyclic processing
- Timing imprecision resulting from the update timing of the time base used in the F-application block (see figure in the "F-Application Blocks" section)
- Tolerance of internal time monitoring in the F-CPU: for time values up to 100 ms, a maximum of 20% of the configured time value; for time values starting at 100 ms, a maximum of 2% of the configured time value
You must choose the interval between two call times of an F-application block with time processing so that the required response times are achieved, taking into account the possible timing imprecision.
Additional Information
You will find additional information about the configuration and the F-I/O DB in the references provided under "See also".
See also: Overview of Conf
96. when determining your response times:
- Known timing imprecision based on standard systems resulting from cyclic processing
- Timing imprecision resulting from the update time of the time base used in the F-application block (see figure in "F-Application Blocks")
- Tolerance of internal time monitoring in the F-CPU: for time values up to 100 ms, a maximum of 20% of the configured time value; for time values starting at 100 ms, a maximum of 2% of the configured time value
You must choose the interval between two call times of an F-application block with time processing so that the required response times are achieved, taking into account the possible timing imprecision.

F-Libraries / 9.1 Distributed Safety F-library (V1)
WARNING: The functionality of this F-application block complies with IEC 61131-3; however, it deviates from the IEC TIMER SFB 3 "TP" as follows:
- When it is called with PT = 0 ms, the F_TP instance is not reset completely (initialized). The block behaves in accordance with the timing diagrams; only outputs Q and ET are reset. Another rising edge at input IN is required to restart the pulse once PT is greater than 0 again.
- A call with PT < 0 ms resets outputs Q and ET. Another rising edge at input IN is required to restart the pulse once PT is greater than 0 again.
97. you must transmit the acknowledgment signal from the safety program in the F-CPU of the DP master to the safety program in the F-CPU of the I-slave by means of safety-related master-I-slave communication.
Programming Procedure:
1. Call the F_SENDDP F-application block in the safety program in the F-CPU of the DP master.
2. Call the F_RCVDP F-application block in the safety program in the F-CPU of the I-slave.
3. Supply an input SD_BO_xx of the F_SENDDP block with the input of the acknowledgment key.
4. The acknowledgment signal for evaluating user acknowledgments is now available at the corresponding output RD_BO_xx of the F_RCVDP. The acknowledgment signal can now be read in the program sections in which further processing is to take place, with fully qualified access directly in the associated instance DB, for example "Name F_RCVDP1".RD_BO_02. To enable this, you must first assign a symbolic name ("Name F_RCVDP1" in the example) for the instance DB of F_RCVDP in the symbol table.
5. Supply the corresponding input SUBBO_xx of the F_RCVDP with the fail-safe value RLO 0, so that an unintentional user acknowledgment is not triggered before communication is established the first time after startup of t
98. Parameter | Data Type | Description | Default
SUBS_ON | BOOL | 1: Fail-safe values are output | 1
ACK_REQ | BOOL | 1: Acknowledgment for reintegration of send data required | 0
SENDMODE | BOOL | 1: F-CPU with F_SENDS7 in deactivated safety mode | 0
STAT_RCV | WORD | Error code of SFB/FB URCV (SFB 9/FB 9); for a description of error codes, refer to the Online Help for SFB 9 | 0
STAT_SND | WORD | Error code of SFB/FB USEND (SFB 8/FB 8); for a description of error codes, refer to the Online Help for SFB 8 | 0
DIAG | BYTE | Service information | 0
Principle of Operation: F_SENDS7 sends the send data contained in an F-communication DB to the F-communication DB of the associated F_RCVS7 in a fail-safe manner via an S7 connection. An F-communication DB is an F-DB for safety-related CPU-CPU communication with special properties. The properties, creation and editing of F-communication DBs are described in Chapter "Programming Safety-Related CPU-CPU Communication via S7 Connections". You must specify the numbers of the F-communication DBs at inputs SEND_DB and RCV_DB of F-application blocks F_SENDS7 and F_RCVS7. The operating mode of the F-CPU with the F_SENDS7 is provided at output SENDMODE of F_RCVS7. If the F-CPU with the F_SENDS7 is in deactivated safety mode, output SENDMODE = 1. To reduce the bus load you can temporarily sh
99. Access Protection
3.1 Overview of Access Protection
Introduction: Access to the S7 Distributed Safety F-system is protected by two password prompts: one for the F-CPU and another for the safety program. For the password for the safety program, a distinction is made between an offline password and an online password for the safety program:
- The offline password is part of the safety program in the offline project on the programming device.
- The online password is part of the safety program in the F-CPU.
The following table presents an overview of the access permissions for the F-CPU and the safety program. The sections below show you how to assign the passwords and how to set up, change and cancel access permissions for the F-CPU and for the safety program.
Table: Password for F-CPU | Password for Safety Program
Assignment: For the F-CPU, in HW Config during configuration of the F-CPU (CPU Properties, "Protection" tab, appropriate protection level, e.g. "1: Access protection for F-CPU", "Removable with"). For the safety program, in SIMATIC Manager:
- "Options > Edit Safety Program > Permission" menu command
- When the F-PB is opened for the first time
- When F-FBs/F-FCs are opened for the first time
- When F-DBs are opened for the first time
- When the Edi
100. Compiling and commissioning a safety program
10.1 Safety Program Dialog
Procedure for Calling the Safety Program Dialog:
1. Select the correct F-CPU or the S7 program assigned to it.
2. In SIMATIC Manager, select the "Options > Edit safety program" menu command or, in STEP 7 V5.4 and higher, select the corresponding icon in the toolbar. The "Safety Program" dialog will appear.
[Screenshot: "Safety Program" dialog for DS_Getting_Started\SIMATIC 300(1)\CPU 315F-2 DP\S7 Program(1), with "Offline" and "Online" tabs; it shows rack and slot, current mode, "Collective signature of all F-blocks with F-attributes for the block container", "Collective signature of the safety program", the time of the current compilation, the safety mode state, the consistency statement "The safety program is consistent", the list of F-blocks (F-program block, F-application blocks such as FB 186 F_TOF, F-system blocks such as F_CTRL_2, and automatically generated blocks, each with its signature) and the buttons Compare, Permission, F-Runtime groups, Download, Logbook and Print.]
101. F-CPU: Every applicable F-CPU has its own product information. The product information describes only the deviations from the corresponding standard CPUs.
"ET 200eco Distributed I/O Station, Fail-Safe I/O Module" manual: Describes the ET 200eco fail-safe I/O module hardware, including installation, wiring and technical specifications.
"ET 200S Distributed I/O System, Fail-Safe Modules" operating instructions: Describes the hardware of the ET 200S fail-safe modules, including installation, wiring and technical specifications.
"Automation System S7-300, Fail-Safe Signal Modules" manual: Describes the hardware of the S7-300 fail-safe signal modules, including installation, wiring and technical specifications.
"ET 200pro Distributed I/O System, Fail-Safe Modules" operating instructions: Describes the hardware of the ET 200pro fail-safe modules, including installation, wiring and technical specifications.
Preface
Documentation (STEP 7 manuals), Brief Description of Relevant Contents:
- The "Configuring Hardware and Communication Connections with STEP 7 V5.x" manual describes how to operate the applicable STEP 7 standard tools.
- The "Ladder Diagram (LAD) for S7-300/400" reference manual describes the Ladder Diagram standard programming language in STEP 7.
- The "Function Block Diagram (FBD) fo
102. F-Libraries
9.1 Distributed Safety F-library (V1)
WARNING: When using F-application block F_ESTOP1, F-application block F_TOF must have number FB 186 and must not be renumbered.
WARNING: When using an F-application block with time processing, take the following timing imprecision sources into account when determining your response times:
- Known timing imprecision (based on standard systems) resulting from cyclic processing
- Timing imprecision resulting from the update timing of the time base used in the F-application block (see figure in Chapter "F-Application Blocks")
- Tolerance of internal time monitoring in the F-CPU: for time values up to 100 ms, a maximum of 20% of the configured time value; for time values starting at 100 ms, a maximum of 2% of the configured time value
You must choose the interval between two call times of an F-application block with time processing so that the required response times are achieved, taking into account the possible timing imprecision.
The F-application block supports the requirements of EN 418, EN 292-2 and EN 60204-1.
Note: Only one emergency STOP signal E_STOP can be evaluated on the F-application block. Discrepancy monitoring of the two NC contacts when two channels are involved (in accordance with Categories 3 and 4 as defined in ISO 13849-1:2006 / EN ISO 13849-1:2008) is performed with suitable configuration (type of sensor in
103. 140.80.0.2 | Subnet mask 255.255.0.0 (binary 11111111 11111111 00000000 00000000) | Meaning: Bytes 1 and 2 of the IP address define the subnet (subnet address 140.80).
A network consists of one or more subnets. "Network-wide" means beyond the boundaries of the subnet.
The address is unique for a station configured in HW Config, for example an S7-300 station or I-slave.
Across Ethernet subnets, excluding cyclic PROFINET IO communication (RT communication).
System Acceptance Test
11.2 Checking the Printouts
11.2.2 Safety Program Acceptance Test
Checking the Safety Program ("Safety Program" print content):
1. In the printout, check whether the two collective signatures match: "Collective signature of all F-blocks with F-attribute in the block container" and "Collective signature of the safety program". Check whether the version of S7 Distributed Safety used to create the printout (footer of the printout) is greater than or equal to the version used to compile the safety program (information section of the "Safety program" printout). Check whether the version of S7 Distributed Safety used to compile the safety program (information section of the "Safety program" printout) corresponds to the version in Annex 1 of the Certification Report. Check whether the signatures and initial value signature
104. [LAD call of F_1oo2DI: EN; IN1 wired to the sensor "close" contact; IN2 wired to "Sensor 1 open"; QBAD of F0000B_DI24xDC24V; DISCTIME = T#100MS; ACK_NEC; ACK; outputs Q, ACK_REQ, DISC_FLT and DIAG]
F-Libraries
9.1 Distributed Safety F-library (V1)
Timing Diagrams for F_1oo2DI
[Timing diagram for ACK_NEC = 1: signal traces IN1, IN2, Q, DISC_FLT, ACK_REQ, ACK, DIAG bit 1 and DIAG bit 2, with the DISCTIME intervals marked]
Startup Characteristics
Note: If the sensors at inputs IN1 and IN2 are assigned to different F-I/O, it is possible th
105. F-Libraries
9.1 Distributed Safety F-library (V1)
Schematic Sequence of Error-Free Muting Procedure with Four Muting Sensors (MS_11, MS_12, MS_21, MS_22)
[Figure: light curtain (sender and receiver) in front of the danger zone, with muting sensors MS_11/MS_12 on one side and MS_21/MS_22 on the other]
- If both muting sensors MS_11 and MS_12 are activated by the product within DISCTIM1 (apply signal state 1), the F-application block starts the MUTING function. Enable signal Q remains 1 even when input FREE = 0 (light curtain interrupted by product). The MUTING output for setting the muting lamp switches to 1.
Note: The muting lamp can be monitored using the QBAD_MUT input. To do this, you must wire the muting lamp to an output with wire-break monitoring of an F-I/O and supply the QBAD_MUT input with the QBAD or QBAD_O_xx signal of the associated F-I/O or channel. If QBAD_MUT = 1, muting is terminated by the F-application block. If monitoring of the muting lamp is not necessary, you do not have to supply input QBAD_MUT. F-I/O that can promptly detect a wire break after activation of the muting operation must be used (see manual for the specific F-I/O).
[Figure: product passing between sender and receiver while both MS_11 and MS_12 remain activated]
- As long as both muting sensors MS_11 and MS_12 continue to be activated, the MUTING function of the F-application block causes Q to remain 1 and MUTING to remain 1, so that the product can pass through the light curtain without causing the machine to stop
106. Index (continued)
Setting up access permission, 53
F-DBs, 82; Setting know-how protection, 82
Feedback monitoring, 232
F-FBD, 61
F-FBD and F-LAD programming languages, 61
F-FBs, 82; Setting know-how protection, 82
F-FCs, 82; Setting know-how protection, 82
F-I/O, 23, 325; Removing and inserting during operation, 325
F-I/O access, 97; During operation, 287; Via the process image, 97
F-I/O DB, 101; Evaluation of diagnostic variables/parameters; Structure of DIAG, 101
F-I/O faults and channel faults, 113
F-I/O with inputs, 99
F-I/O with outputs, 99
F-LAD, 61
Flash Card, 283
F-libraries, 265; User-created, 265
F-program block, 59, 86; Defining, 86
F-relevant tabs
F-runtime group; Defining F-runtime groups, 86; F-blocks, 59; Rules for F-runtime groups, 86
F-runtime group communication, 86
F-shared DB, 59, 127
F-system blocks, 59, 263; Overview, 263
Fully qualified DB access, 61, 108
Function test of the safety program, 283
G
Group diagnostics; For S7-300 F-SMs; Group passivation, 1
GSD file, 39; Configuration, 39; Parameters, 39
Guide, 3
H
Hardware components, 14
Hardware configuration, 25; Saving and compiling, 25
Hardware simulation, 275
I
IE/PB Link, 172
IM 151-1 High Feature (ET 200S), 325
Implementation of user acknowl
107. F-Libraries
9.1 Distributed Safety F-library (V1)
9.1.2.26 FC 179 F_INT_RD: Read Value of Data Type INT Indirectly from an F-DB
Connections:
Parameter | Data Type | Description
Inputs:
ADDR_INT | POINTER | Start address of the INT area in an F-DB
END_INT | POINTER | End address of the INT area in an F-DB
OFFS_INT | INT | Address offset in the INT area
Outputs:
OUT | INT | Value to be read from the F-DB
Principle of Operation: This F-application block reads the variable of data type INT in an F-DB addressed using ADDR_INT and OFFS_INT and makes it available at output OUT. The address of the variable addressed by means of ADDR_INT and OFFS_INT must be within the address area defined by addresses ADDR_INT and END_INT. If the F-CPU has gone to STOP mode with diagnostic event ID 75E2, verify that this condition is satisfied. The start address of the area with variables of data type INT in an F-DB from which the variable is to be read is transferred using the ADDR_INT input. The associated address offset in this area is transferred using the OFFS_INT input. The addresses transferred at the ADDR_INT or END_INT inputs must point to a variable of data type INT in an F-DB. Only variables of data type INT are permitted between the ADDR_INT and END_INT addresses. The ADDR_INT address must be smaller than the END_INT address. The ADDR_INT and END_INT addresses must be transferred fully qualified as DBx.DBWy
108. [Figure: address areas across the DP/DP coupler. F_RCVDP with LADDR = 28 and F_SENDDP with LADDR = 30; the input and output address areas at addresses 28 and 30 are 6 bytes long in one direction and 12 bytes long in the other.]
Rules for Defining the Address Areas: The output data address area for data to be sent must begin with the same start address as the associated input data address area. A total of 12 bytes (consistent) is required for the output data address area, while 6 bytes (consistent) are required for the input data address area. The input data address area for data to be received must begin with the same start address as the associated output data address area. A total of 12 bytes (consistent) is required for the input data address area, while 6 bytes (consistent) are required for the output data address area.
Configuring and Programming Communication
8.2 Safety-Related Master-Master Communication
8.2.2 Configuring Safety-Related Master-Master Communication
Requirements: You have created two stations with one DP master system each in HW Config.
Procedure for Configuring Master-Master Communication (example with bidirectional communication):
1. Open the station with F-CPU 1.
2. Select the DP/DP coupler from the hardware catalog ("PROFIBUS DP > Additional field devices > Gateway > DP/DP coupler"). Place the DP/DP coupler on the DP master system of your F
109. Compiling and commissioning a safety program
10.7 Modifying the Safety Program
Restrictions on Safety-Related CPU-CPU Communication: During operation in RUN mode, you cannot establish new safety-related CPU-CPU communication by means of a new F_SENDDP/F_RCVDP or F_SENDS7/F_RCVS7 block pair. To establish new safety-related CPU-CPU communication, you must always recompile the relevant safety program and download it in its entirety to the F-CPU in STOP mode after inserting a new block call for F_SENDDP, F_SENDS7, F_RCVDP or F_RCVS7.
Restrictions on F-Runtime Group Communication: You cannot make any changes to the safety-related communication between F-runtime groups in RUN mode. That means you may not add, delete or modify a DB for F-runtime group communication in the "Define New F-Runtime Groups" or "Edit F-Runtime Groups" dialogs or in SIMATIC Manager. Following changes in the F-runtime group communication, you must always recompile the safety program and download it in its entirety to the F-CPU in STOP mode.
Restrictions on F-I/O Access: If, during operation in RUN mode, you insert an F-I/O access to an F-I/O of which no single channel or variable from the associated F-I/O DB in the safety program has yet been used, the F-I/O access only becomes effective when the safety program is recompiled and downloaded in its entirety to the F-CPU in STOP mode.
Modifications to the Standard User Program: You can download modifications to
110. Configuration
2.3 Configuring the F-CPU
"F Data Blocks" Parameter: F-blocks are automatically added when the safety program is compiled to create an executable safety program from your safety program. You must reserve a band of numbers for the automatically added F-data blocks. You define the first and last number of the band.
Rule for selecting the magnitude of the band of numbers: At a minimum, the default setting should be accepted. In addition, the following is applicable:
Number of automatically added F-data blocks =
  number of configured F-I/O
  + number of F-DBs (except DBs for F-runtime group communication)
  + 5 x number of DBs for F-runtime group communication
  + number of F-block calls of type FB (F-FBs, F-PBs, F-application blocks)
  + number of F-blocks of type FC (F-FCs, F-PBs, F-application blocks)
  + number of F-blocks of type FC (F-FCs, F-PBs, F-application blocks) used in two F-runtime groups
  + 6 x number of F-runtime groups
If the configured band of numbers turns out to be insufficient, S7 Distributed Safety signals this with an error message. You must then increase the size of the number band accordingly.
Tip: Allocate the band of numbers for the automatically added F-data blocks starting from the largest possible number in the F-CPU and working down. Assign numbers for DBs of the standard user program and for
111. Programming
4.1 Overview of Programming
Example of Fully Qualified DB Access:
FB5, Title: Comment
Network 1: Compare VALUE_A with VALUE_B, with fully qualified access and with symbolic names for the F-DB. You have to assign a symbolic name (for example "F_DATA_1") for the F-DB and, instead of the absolute addresses, use the names assigned in the declaration of "F_DATA_1".
[LAD network: CMP with IN1 = "F_DATA_1".VALUE_A and IN2 = "F_DATA_1".VALUE_B, result assigned to "F_DATA_1".RESULT]
Symbol information: DB2.DBW0 = "F_DATA_1".VALUE_A; DB2.DBW2 = "F_DATA_1".VALUE_B; DB2.DBX4.0 = "F_DATA_1".RESULT
Example of Not Fully Qualified DB Access:
Network 2: Open F-DB "F_DATA_1", without fully qualified access and without symbolic names.
[LAD network: OPN DB2]
Network 3: Compare VALUE_A with VALUE_B, without fully qualified access and without symbolic names.
[LAD network: CMP with DBW0 and DBW2]
Access to Instance DBs: You can also access instance DBs of F-FBs with fully qualified access, e.g. for transfer of block parameters. It is not possible to access static data in instance DBs of other F-FBs. Make sure that "Report Cross-References as Error" is not selected in the "General" dialog ("Options > Settings" in the FBD/LAD Editor). Otherwise, instance DBs
112. AD, QBAD_I_xx, QBAD_O_xx
F-I/O Access
5.3 F-I/O DB
PASS_ON: The PASS_ON variable allows you to enable passivation of an F-I/O, for example as a function of particular states in your safety program. Using the PASS_ON variable in the F-I/O DB, you can only passivate the entire F-I/O; channel-level passivation is not possible. As long as PASS_ON equals 1, the associated F-I/O are passivated.
ACK_NEC: If an F-I/O fault is detected by the F-I/O, the relevant F-I/O are passivated. If channel faults are detected, the relevant channels are passivated if channel-level passivation is configured. If passivation of the entire F-I/O is configured, all channels of the relevant F-I/O are passivated. Once the F-I/O fault or channel fault has been eliminated, the relevant F-I/O are reintegrated depending on ACK_NEC:
- With ACK_NEC = 0, you can program automatic reintegration.
- With ACK_NEC = 1, you can program reintegration through a user acknowledgment.
WARNING: ACK_NEC = 0 can be assigned only if automatic reintegration is permissible for the relevant process from a safety standpoint.
Note: By default, ACK_NEC = 1 after creation of the F-I/O DB. If you do not require automatic reintegration, you do not need to describe ACK_NEC.
113. ATIC Manager
Procedure for Defining an F-Runtime Group (Page 88)
Changing F-Runtime Groups: You can make the following changes for each F-runtime group of your safety program in the "Edit F-Runtime Groups" dialog:
- Define a different FB/FC as the F-program block (select an FB/FC from the drop-down list)
- Enter a different or new I-DB for the F-program block
- Change the value of the maximum cycle time of the F-runtime group
- Define a different F-DB as the data block for F-runtime group communication (select an F-DB from the drop-down list or enter a new one)
Once the OK button is activated, the changes are saved and, following a prompt, any non-existing F-blocks are created automatically.
See also: Procedure for Defining an F-Runtime Group (Page 88)
Programming
4.5 Programming Startup Protection
Introduction
WARNING: When an F-CPU is switched from STOP to RUN mode, the standard user program starts up in the normal way. When the safety program is started up, all data blocks with an F-attribute are initialized with the values from the load memory, as is the case with a cold restart. This means that saved error information is lost. The F-system automatically reintegrates the F-I/O. A data handling error or an intern
114. C must not be assigned a value of 0 unless an automatic restart of the affected process following a feedback error is otherwise excluded.
Note: Prior to inserting the F_FDBACK F-application block, you must copy the F_TOF F-application block from the "F-Application Blocks\Blocks" block container of the Distributed Safety F-library (V1) to the block container of your S7 program, if it is not already present.
WARNING: When using the F_FDBACK F-application block, the F_TOF F-application block must have number FB 186 and must not be renumbered.
WARNING: When using an F-application block with time processing, take the following timing imprecision sources into account when determining your response times:
- Known timing imprecision (based on standard systems) resulting from cyclic processing
- Timing imprecision resulting from the update timing of the time base used in the F-application block (see figure in Chapter "F-Application Blocks")
- Tolerance of internal time monitoring in the F-CPU: for time values up to 100 ms, a maximum of 20% of the configured time value; for time values starting at 100 ms, a maximum of 2% of the configured time value
You must choose the interval between two call times of an F-application block with time processing so that the required response times are achieved, taking into account the possible timing imprecision.
S7 Distributed Safety configuring and p
115. CPU-CPU communication (F_SENDDP and F_RCVDP parameter assignment) and the bus connection. You can also find possible causes of error by evaluating the RETVAL14 and RETVAL15 outputs. In general, always evaluate RETVAL14 and RETVAL15, since only one of the two outputs may be able to receive error information.
F-Libraries
9.1 Distributed Safety F-library (V1)
Timing Diagrams for F_SENDDP/F_RCVDP
[Timing diagram: F_SENDDP traces ERROR and SUBS_ON; F_RCVDP traces ACK_REI, ACK_REQ, ERROR and SUBS_ON; status phases: restart of the F-system, communication established, communication error of F_SENDDP detected, communication error of F_RCVDP detected, acknowledgement on F_RCVDP, communication re-established]
Output DIAG: In addition, non-fail-safe information about the type of error that has occurred is provided for service purposes at output DIAG of both F-application blocks F_SENDDP and F_RCVDP. You can read out this information by means of operator control and monitoring systems or, if applicable, you can evaluate it in your standard user program. DIAG bits are saved until acknowledgment at input ACK_REI.
Structure of DIAG in F-Application Block F_SENDDP/F_RCV
116. Check that the PROFIsafe destination addresses are unique from one another.
WARNING: Rule for PROFIBUS subnets: The PROFIsafe destination address, and thus the switch setting on the address switch of the F-I/O, must be unique network-wide and station-wide (system-wide). For S7-300 F-SMs and ET 200S, ET 200eco and ET 200pro F-modules, you can assign a maximum of 1022 different PROFIsafe destination addresses. Exception: The F-I/O in different I-slaves may be assigned the same PROFIsafe destination address, as they are only addressed within the station, that is, by the F-CPU in the I-slave.
Rules for Ethernet subnets and hybrid configurations of PROFIBUS and Ethernet subnets: The PROFIsafe destination address, and thus the address switch setting on the F-I/O, have to be unique only within the Ethernet subnet (including all lower-level PROFIBUS subnets) and station-wide (system-wide). For S7-300 F-SMs and ET 200S, ET 200eco and ET 200pro F-modules, you can assign a maximum of 1022 different PROFIsafe destination addresses. Exception: The F-I/O in different I-slaves may be assigned the same PROFIsafe destination address, as they are only addressed within the station, that is, by the F-CPU in the I-slave.
The networked nodes of an Ethernet subnet are characterized by having IP addresses with the same subnet address, i.e. the IP addresses match in the digits that have the value 1 in the subnet mask. Example: IP address
117. [Timing diagram, continued: communication startup, communication established, communication error detected by F_SENDDP, communication error detected by F_RCVDP, acknowledgment to F_RCVDP, communication re-established]
Signal Sequence for Passivation and Reintegration of F-I/O after F-I/O Faults and Channel Faults when ACK_NEC = 1 (for Passivation of Entire F-I/O after Channel Faults): For the signal sequence for passivation and reintegration of the F-I/O after F-I/O faults or channel faults when ACK_NEC = 1 (default), see Chapter "Passivation and Reintegration of the F-I/O after Communication Errors".
F-I/O Access
5.7 Passivation and Reintegration of F-I/O after F-I/O Faults and Channel Faults
Signal Chart for Passivation and Reintegration of F-I/O after Channel Faults when ACK_NEC = 1 (for channel-specific passivation), example of an F-I/O with inputs:
[Timing diagram: PII channel 0 and PII channel 1 (process value / substitute value), QBAD_I_00, QBAD_I_01 and QBAD (substitute value issued for channel 0, substitute value issued for channel 1, at least one channel is passivated), PASS_OUT (passivation output set), ACK_NEC, acknowledgement]
118. Cs and F-DBs
Know-How Protection: A block with know-how protection is a protected block that cannot be edited. You can furnish user-created F-FBs, F-FCs and F-DBs (except instance DBs) with know-how protection. The protected F-FBs, F-FCs, F-DBs can no longer be modified. You can read the block properties of protected F-FBs, F-FCs, F-DBs, but the instruction portion remains hidden.
Programming
4.3 Creating F-Blocks in F-FBD/F-LAD
Using Know-How Protection: Use know-how protection if you want to protect the knowledge contained in an F-FB, F-FC, F-DB, or if you want to prevent unintentional manipulation of the F-FBs, F-FCs and F-DBs (except instance DBs).
Requirements: You have created F-FBs, F-FCs or F-DBs whose know-how you want to protect. The F-FBs, F-FCs, F-DBs you want to protect are not open in the FBD/LAD Editor.
Procedure for Setting Know-How Protection: Follow the steps outlined below.
1. Open the Safety Program dialog in SIMATIC Manager.
2. You set know-how protection for F-FBs, F-FCs, F-DBs in the offline safety program. For this purpose, select the "Offline" tab.
[Screenshot: "Safety Program" dialog for DS_Getting_Started\SIMATIC 300(1)\CPU 315F-2 DP\S7 Program(1), "Offline" tab selected, showing rack and slot, "Collective signature of all F-blocks with F-attributes for the block container" and "Collective signature of t
119. "Current mode" is enclosed in square brackets ("[abc]"), this indicates that the collective signatures of the safety program and/or the passwords for the safety program do not match online and offline. This means one of the following:
- The offline safety program was modified after downloading.
- The wrong F-CPU was addressed. You can verify the latter based on the online collective signature of all F-blocks with F-attribute in the block container.
5. Activate the "Safety mode" button and enter the password for the online safety program. If the password is not valid, safety mode is not deactivated and remains active.
6. If you enter the correct password, another prompt will appear which also contains the collective signature of the safety program in the F-CPU. Check to see whether this is the collective signature you expected.
7. If it is not the collective signature you expected, verify that you have addressed the correct F-CPU and check to see whether the F-CPU contains the correct F-blocks. To do this, close all STEP 7 applications and then open the Safety Program dialog (this is necessary to prevent multiple applications from accessing the F-CPU simultaneously).
Compiling and commissioning a safety program
10.9 Testing the Safety Program
8. Confirm the prompt to deactivate safety mode with OK. Safety mode will be deact
120. DDP and F_RCVDP F-application blocks used: 4.4 Kbytes each
Work memory requirement for F_SENDS7 and F_RCVS7 F-application blocks used: 9.5 Kbytes each
Work Memory Requirement for Data:
  5 x work memory requirement for all F-DBs (including F-communication DBs, but excluding DBs for F-runtime group communication and I-DBs for F-PB/F-FB)
  + 24 x work memory requirement for all DBs for F-runtime group communication
  + 2.3 x work memory requirement for all DBs of F-application blocks (except F_SENDDP, F_RCVDP, F_SENDS7 and F_RCVS7)
  + work memory requirement for all DBs of the F-application blocks F_SENDDP (0.2 Kbyte), F_RCVDP (0.3 Kbyte), F_SENDS7 (0.6 Kbyte) and F_RCVS7 (1.0 Kbyte)
  + 0.7 Kbyte per F-FC (including F-application blocks of type FC)
  + 0.7 Kbyte per F-I/O (for F-I/O DBs etc.)
  + 4.5 Kbytes
Compiling and commissioning a safety program
10.5 Work Memory Requirement for Safety Program
Block Size of Automatically Generated F-Blocks: To ensure that the automatically generated F-blocks do not exceed the maximum possible size in the particular F-CPU, observe the following:
- An F-FB/F-FC/F-PB should not exceed 25% of the maximum size of the FBs or FCs (see Technical Specifications in the manual for the F-CPU you are using).
- F-FBs/F-FCs/F-PBs must comply with the following: 2 x number of all parameters or st
121. DP. Structure of DIAG (Bit No., Assignment of F_SENDDP and F_RCVDP, Possible Causes of Problems, Remedies): Bit 0: Reserved. Bit 1: Reserved. Bit 2: Reserved. Bit 3: Reserved. Bit 4: Timeout detected by F_SENDDP/F_RCVDP. Possible causes and remedies: interference in bus connection to partner F-CPU (check bus connection and ensure that no external interference sources are present); monitoring time setting for F-CPU and partner F-CPU is too low (check assigned monitoring time parameter TIMEOUT at F_SENDDP and F_RCVDP of both F-CPUs; if necessary, set a higher value; recompile safety program); DP/DP coupler configuration is invalid (check DP/DP coupler configuration); internal error of DP/DP coupler (replace DP/DP coupler); CP in STOP mode or internal fault in CP (switch CP to RUN mode, check diagnostic buffer of CP and replace CP if necessary); F-CPU/partner F-CPU in STOP mode or internal fault in F-CPU/partner F-CPU (switch F-CPUs to RUN mode, check diagnostic buffer of F-CPUs and replace F-CPUs if necessary). Bit 5: Sequence number error detected by F_SENDDP/F_RCVDP; causes and remedies: see description for Bit 4. Bit 6: CRC error recognized by F_SENDDP/F_RCVDP; causes and remedies: see description for Bit 4. Bit 7: Reserved. Note: Outputs DIAG, RETVAL14 and RETVAL15 cannot be accessed in the safety program.
122. DP of the DP master, always enter the partner addresses for the communication connections from HW Config (F Communication tab of the I-slave). • At the F_SENDDP/F_RCVDP of a DP slave, always enter the local addresses for the communication connections from HW Config (F Communication tab of the I-slave). See also: Programming Safety-Related Master-Master Communication (Page 140); FB 223 F_SENDDP and FB 224 F_RCVDP: Send and Receive Data via PROFIBUS DP. 8.3.4 Programming Safety-Related Master-I-Slave and I-Slave-I-Slave Communication. Requirements: The following requirements must be met prior to programming: • The address areas (local and partner addresses) for the DP master and the I-slave(s) must be configured in HW Config. • Both CPUs must be configured as F-CPUs (the "CPU contains safety program" option must be selected). The password for the F-CPU must be entered. Programming Procedure: The procedure for programming safety-related master-I-slave communication or I-slave-I-slave communication is the same as for programming safety-related master-master communication. The figure below contains an example of how to specify the address relationships at the inputs of F application blocks F_SENDDP and F_RCVDP for two safety-related mast
123. DP standard slave; Fail-safe standard I/O devices: Documentation for specific fail-safe standard I/O devices. Safety-Related Communication Options that Can Be Configured: You must use HW Config to configure the following safety-related communication options: Safety-related master-master communication; Safety-related master-I-slave communication; Safety-related I-slave-I-slave communication; Safety-related I-slave-slave communication; Safety-related IO controller-IO controller communication; Safety-related communication via S7 connections. 2.2 Particularities for Configuring the F System. F Systems Configured Same as Standard Systems: You configure an S7 Distributed Safety fail-safe system the same as a standard S7 system. That is, you configure and assign parameters for the hardware in HW Config as a centralized configuration (F-CPU and, if necessary, S7-300 F-SMs) and/or as a decentralized (distributed) configuration (F-CPU, F-SMs in ET 200M, F modules in ET 200S, ET 200pro and ET 200eco, fail-safe DP standard slaves, fail-safe standard I/O devices). For a detailed descriptio
124. Deactivating Safety Mode. Introduction: The safety program generally runs in the F-CPU in safety mode. This means that all fault control measures are activated. The safety program cannot be modified during operation in RUN mode in safety mode. You must deactivate safety mode of the safety program to download changes to the safety program in RUN mode. Safety mode remains deactivated until the F-CPU is next switched from STOP to RUN mode. You can enable or disable the option for deactivating the safety mode in the object properties of the F-CPU (F Parameter tab). WARNING: Because changes to the safety program can be made in RUN mode when safety mode is deactivated, you must take the following into account: Deactivation of safety mode is intended for test purposes, commissioning, etc. Whenever safety mode is deactivated, the safety of the system must be ensured by other organizational measures, such as operation monitoring and manual safety shutdown. Deactivation of safety mode must be indicated. The printout of the safety program contains the address of the variable in the F shared DB (F_GLOBDB.MODE) that you can evaluate to read out the operating mode (1 = deactivated safety mode). Thus not only is the deactivated safety mode disp
125. 11.4 Acceptance Test of Changes. Introduction: For the acceptance test of changes, you must use the same procedure as for the initial acceptance test (see Chapter Overview of System Acceptance Test). For the acceptance test of changes, it is sufficient to check the following aspects of the hardware configuration and the F blocks and to perform the following function test: • Check the safety-related parameters of the changed or newly added F-I/O in the printout of the hardware configuration. • Check the changed or newly added F blocks in the printout of the F blocks. • Check whether the signatures and initial value signatures of the modified F application blocks and F system blocks in the printout of the safety program match the signatures specified in Annex 1 of the Certification Report. • Perform a function test of the changes. Basic Procedure for Determining Changes: To determine safety-related changes, compare the two collective signatures in the information section of the Safety program printout of the modified safety program undergoing acceptance testing with the signatures in the printout of the accepted safety program. If the signatures are different, there is a safety-related change in the configuration of the F-CPU and/or F-I/O and/or in the safety pr
126. During interruption of the light curtain 202; Restart inhibit during interruption of the light curtain 219; F_MUT_P 219; Restart protection 95; RETVAL14 327; RETVAL15 327; Reuse of created F blocks 77; Rules for downloading F blocks in SIMATIC Manager or FBD/LAD Editor 275; Rules for F runtime groups 86; Rules for testing 308; Rules for the program structure 75. S: S7 connections: Programming of safety-related communication 178, Safety-related communication via 131; S7 Distributed Safety 14, 325: Configuring and programming software 14, Principles of safety functions 8, Product overview 8, Removing 325, Steps for program creation 73; S7 Distributed Safety fail-safe system 8: Hardware and software components 14; S7 Distributed Safety optional package 14: Safety program 14; S7-PLCSIM 275: Downloading to 275; Safety door monitoring 236; Safety mode 304, 323: Deactivating 304, Of the safety program 323; Safety mode can be deactivated 27; Safety program 14, 48, 53, 73, 75, 271, 272, 275, 290, 303, 323: Basic procedure for creating 73, Comparing 290, Compiling 272, Downloading 275, Inconsistent 271, Notes on Safety Mode 323, Password 48, Printing out 297, Rules for the program structure 75, Setting up access permission 48, Steps for program creation 73
127. EOUT expires, outputs ERROR and SUBS_ON are set to 1 at F_SENDS7 and F_RCVS7. Receiver F_RCVS7 then provides the fail-safe values (default) in its F communication DB. Output SENDMODE is not updated while output SUBS_ON = 1. The send data present in the F communication DB of F_SENDS7 are only output again when the communication error is no longer detected (ACK_REQ = 1) and you acknowledge with a positive edge at input ACK_REI of F_RCVS7. WARNING: For the user acknowledgment, you must interconnect the ACK_REI input with a signal generated by the operator input. An interconnection with an automatically generated signal is not allowed. Note that when a communication error occurs, the ERROR output (1 = communication error) is set for the first time if communication has already been established between communication peers F_SENDS7 and F_RCVS7. If communication cannot be established after startup of the sending and receiving F systems, check the configuration of the safety-related CPU-CPU communication, the F_SENDS7 and F_RCVS7 parameter assignment and the bus connection. You can also find possible causes of error by evaluating the STAT_RCV and STAT_SND outputs. In general, always evaluate STAT_RCV and STAT_SND, since only one of the two outputs may be able to receive error information. If one of the DIAG bits is set at output DIAG, also check whether the length and structure of the associated F communication DB on the sender side matc
128. [Figure: F-CPU 1 (such as CPU 417-4H) with CP 443-1 IT; F_RCVS7 with F communication DB 2, F_SENDS7 with F communication DB 4; F_SDS_BO and F_RDS_BO; receive data and send data; Industrial Ethernet.] 8.8 Safety-Related Communication between S7 Distributed Safety and S7 F Systems. Procedure on the S7 Distributed Safety side: On the S7 Distributed Safety side, proceed as described in Chapter Safety-Related Communication via S7 Communications. Particularity: For communication between S7 F Systems and S7 Distributed Safety, you must create the F communication DB with exactly 32 data elements of data type BOOL on the S7 Distributed Safety side. Procedure on the S7 F Systems side: On the S7 F Systems side, proceed as described in Chapter Safety-Related Communication between F-CPUs in the S7 F/FH Systems Configuring and Programming manual (http://support.automation.siemens.com/WW/view/de/16537972). Particularity: Communication between S7 F Systems and S7 Distributed Safety is only possible on the S7 F Systems side with the F blocks F_SDS_BO/F_RDS_BO. 9 F Libraries. 9.1 Distributed Safety F library V1. 9.1.1 Overview. 9.1.2 ... 9.1.2.1 Overview of Distributed Safet
129. Structure of DIAG (Bit No., Assignment, Possible Causes of Problems, Remedies): Bit 0: Incorrect discrepancy time setting. Cause: discrepancy time setting is < 0 or > 500 ms. Remedy: set discrepancy time in DISCTIME in the range of 0 to 500 ms. Bit 1: Discrepancy time elapsed. Causes and remedies: discrepancy time setting is too low (if necessary, set a higher discrepancy time); momentary contact switches were not activated within the discrepancy time (release momentary contact switches and activate them within the discrepancy time); wiring fault (check wiring of momentary contact switches); momentary contact switches defective (check momentary contact switches); momentary contact switches are wired to different F-I/O and F-I/O fault, channel fault or communication error, or passivation by means of PASS_ON on an F-I/O (for a solution, see DIAG variable bits 0 to 6 in Chapter F-I/O DB). Bit 2: Reserved. Bit 3: Reserved. Bit 4: Incorrect activation sequence. Causes and remedies: one momentary contact switch was not released (release momentary contact switches and activate them within the discrepancy time); momentary contact switches defective (check momentary contact switches). Bit 5: Enable ENABLE does not exist. Cause: Enable ENABLE = 0. Remedy: set ENABLE = 1, release momentary contact switch and activate it within the discrepancy time. Bit 6: Reserved. Bit 7: State of output Q. Note: See also Access to th
130. F-SMs; → Fail-safe modules for ET 200S; → Fail-safe modules for ET 200pro; → Fail-safe DP standard slaves; → Fail-safe standard I/O devices. Glossary. F-I/O DB: An F-I/O DB is a fail-safe data block for an → F-I/O in S7 Distributed Safety. An F-I/O DB is automatically created for each F-I/O during compilation in HW Config. The F-I/O data block contains variables that the user can evaluate in the safety program or that he can or must write to, as follows: • For reintegration of F-I/O after communication errors, F-I/O faults or channel faults • If F-I/O should be passivated as a result of particular safety program conditions (for example, group passivation) • For reassignment of parameters for fail-safe DP standard slaves • In order to evaluate whether fail-safe values or process data are output. F-I/O faults: An F-I/O fault is a module-related fault for F-I/O, such as a communication error or a parameter assignment error. F-LAD: → F-FBD. F modules: → Fail-safe modules. F-PB: The F-PB is the introductory fail-safe block for fail-safe programming of the → safety program in S7 Distributed Safety. The F-PB is an → F-FB or → F-FC that the user assigns to the → F-CALL of an → F runtime group. The F-PB contains the F-FBD or F-LAD safety
131. F application block sets ACK_REQ = 1 as soon as the door is closed. Following an acknowledgment, the F application block resets ACK_REQ to 0. In order for the F application block to recognize whether inputs IN1 and IN2 are 0 merely due to passivation of the associated F-I/O, you must supply inputs QBAD_IN1 or QBAD_IN2 with the QBAD or QBAD_I_xx variable of the associated F-I/O or channel. This will prevent you from having to open the safety door completely prior to an acknowledgment in the event the F-I/O are passivated. WARNING: Variable ACK_NEC must not be assigned a value of 0 unless an automatic restart of the affected process is otherwise excluded. The F application block supports the requirements according to ISO 13849-1:2006 or EN ISO 13849-1:2008 and EN 1088. Interconnection Example: You must interconnect the NC contact of position switch 1 of the safety door at input IN1 and the NO contact of position switch 2 at input IN2. Position switch 1 must be mounted in such a way that it is positively operated when the safety door is open. Position switch 2 must be mounted in such a way that it is operated when the safety door is closed. [Figure: interconnection example; safety door open (OPEN), safety door closed (CLOSE); position switch 1 activated
132. [Figure: structure of the safety program. Inputs of the F-I/O are read to the process input image; F-CPU-CPU communication (F_RCVS7); F-PB (F-FB/F-FC) assigned to F-CALL by the user; call of F_RCVDP(s)/F_RCVS7(s) (optional); editing of F functions, F-FB/F-FC xy, F-DB xy, timers and counters (ready-made F blocks created or inserted by the user); call of F_SENDDP(s)/F_SENDS7(s) (optional); editing of automatically added F blocks (fault control measures); F-CPU-CPU communication; the process output image is written to the outputs of the F-I/O; automatically generated F blocks: F system blocks, F shared DB. Legend: call by user; write/read; automatically called; from library.] 4.1 Overview of Programming. Description of Program Structure: Entry into the safety program is made by calling F-CALL from the standard user program. Call the F-CALL directly in an OB, preferably in a cyclic interrupt OB (e.g., OB35). The advantage of using cyclic interrupt OBs is that they interrupt the cyclic program execution in OB1 of the standard user program at fixed time intervals; that is, a safety program is called and executed at fixed time intervals in a cyclic interrupt OB. Once the safety program is executed, the standard user program res
133. If you disable the function for deactivating safety mode, safety mode can generally no longer be deactivated. That is, you cannot deactivate safety mode even if you enter the password for the safety program: • In the Safety Program dialog • In the dialog box for deactivating safety mode during testing/commissioning functions and while loading F blocks. Basis for PROFIsafe Addresses Parameter: This information is required for internal administration of the PROFIsafe addresses of the F system. The PROFIsafe addresses are used to uniquely identify the source and destination. You can set the Base for PROFIsafe addresses, i.e., the range for automatically assigning the PROFIsafe destination addresses, for: • Newly placed ET 200S, ET 200pro and ET 200eco F-I/O in HW Config • S7-300 fail-safe signal modules that are newly placed and operable only in safety mode (see S7-300 Fail-Safe Signal Modules manual), or for which you have set safety mode for the first time in HW Config and whose PROFIsafe addresses are not assigned using the module starting addresses (see S7-300 Fail-Safe Signal Modules manual). For all other F-I/O, this parameter has no effect. Setting this parameter defines a range for the PROFIsafe target addresses. This is useful if several DP master systems
134. LOBDB, the user can evaluate certain data of the → safety program. F-SMs: F-SMs are S7-300 fail-safe signal modules that can be used for safety-related operation in → safety mode as centralized modules in an S7-300 or as distributed modules in the ET 200M distributed I/O system. F-SMs are equipped with integrated → safety functions. Block container of the Distributed Safety F library containing → F-SBs and the → F shared DB. → Fail-safe systems. Individual parameter of → fail-safe DP standard slaves. Instrumentation and control technology. Non-equivalent sensor: A non-equivalent sensor is a two-way switch that is connected in → fail-safe systems two-channel to two inputs of an → F-I/O module for 1oo2 evaluation of sensor signals (→ sensor evaluation). Passivation: When passivation occurs in an → F-I/O module with inputs, the → F system provides fail-safe values (0) for the safety program instead of the process data pending in the PII at the fail-safe inputs. When passivation occurs in an F-I/O module with outputs, the F system transfers fail-safe values (0) to the fail-safe outputs instead of the output values in the PIQ provided by the safety program. PROFIsafe: Safety-related bus profile of PROFIBUS DP/PA and PROFINET IO according to IEC 61784-3-3 Ed2 for communic
135. [Timing diagram (group passivation): signals PASS_ON, QBAD, QBAD_I_xx, QBAD_O_xx and PASS_OUT for F-I/O A and F-I/O B; "Activate passivation", "Fail-safe values are output", "Process values" (PII, process values to outputs); cycles n, n+1 and m, m+1, ..., m+x for F-I/O with inputs, F-I/O with outputs, and F-I/O with inputs and outputs; signal pattern dependent on the F-I/O used.] 5.8 Group passivation. 6 Implementation of user acknowledgment. 6.1 Implementing User Acknowledgment in the Safety Program of the F-CPU of a DP Master or IO Controller. Options for User Acknowledgment: You can implement a user acknowledgment in one of the following ways: • By means of an acknowledgment key that you connect to an F-I/O with inputs • By means of an operator control and monitoring system. User Acknowledgment by Means of Acknowledgment Key. Note: If you use the option of user acknowledgment by means of an acknowledgment key and a communication error, an F-I/O fault or a channel fault occurs a
136. O fault or a channel fault. WARNING: ACK_NEC = 0 can only be assigned if automatic reintegration is permissible for the relevant process from a safety standpoint. Optional: Evaluate the QBAD or QBAD_I_xx and QBAD_O_xx or DIAG variables in the respective F-I/O DB to trigger an indicator light, if applicable, in the event of an error and/or generate error messages on your operator control and monitoring system in your standard user program by evaluating QBAD or QBAD_I_xx and QBAD_O_xx or DIAG; these messages can be evaluated before performing the acknowledgment operation. Alternatively, you can evaluate the diagnostic buffer of the F-CPU. Optional: Evaluate the ACK_REQ variable in the respective F-I/O DB, for example, in the standard user program or on the operator control and monitoring system, to query or to indicate whether user acknowledgment is required. Assign the input of the acknowledgment key or the OUT output of F_ACK_OP to the ACK_REI variable in the respective F-I/O DB or the ACK_REI_GLOB input of the FB 219 F_ACK_GL F application block (see above). See also: FB 187 F_ACK_OP: Fail-Safe Acknowledgment (Page 198). 6.2 Implementing User Acknowledgment in the Safety Program of an I-Slave F-CPU
137. S-R (receive via fail-safe master-I-slave communication). For DP partner (sender): Address (LADDR) 2048. For Local (receiver): Address (LADDR) 256. Accept the defaults for the other parameters in the dialog box. The dialog box has the following appearance: [Screenshot: DP slave properties, F Configuration tab, row 1: Mode; DP partner (sender): DP address 2, Master, CPU name CPU 416F-2, Address (LADDR) 2048, Process image, Interrupt OB 40; Local (recipient): DP address 5, Slave, CPU name IM151-F CPU, Address (LADDR) 256, Process image; Comment; buttons Apply, Cancel, Help.] 10. Confirm your entry with OK. 11. In the F Configuration tab of the object properties for the I-slave, select New. 12. In the next dialog, make the following entries for the send connection to the DP master (for our example): For Mode: F-MS-R (send via fail-safe master-I-slave communication). For DP partner (receiver): Address (LADDR) 2060. For Local (sender): Address (LADDR) 268. 13. Confirm your entry with OK. This results in two configuration lines for this example: Properties DP s
138. SENDDP/F_RCVDP block pair, you can use additional F_SENDDP/F_RCVDP calls. Configure additional communication connections for this purpose. Remember the maximum limit of 244 bytes of input and 244 bytes of output data for transfer between an I-slave and a DP master. The following table shows you the amount of output data and input data that is assigned for safety-related communication connections. Safety-Related Communication: Assigned Input and Output Data (columns: between I-slave 1 and DP master, output data / input data; between I-slave 2 and DP master, output data / input data). Master-I-slave: Send I-slave 1 to DP master: 12 bytes output data, 6 bytes input data; Receive I-slave 1 from DP master: 6 bytes output data, 12 bytes input data. I-slave-I-slave: Send I-slave 1 to I-slave 2: 12 bytes output data, 6 bytes input data; Receive I-slave 1 from I-slave 2: 6 bytes output data, 12 bytes input data. If necessary, you should also take into account fail-safe slave-I-slave communication (F-DX modules), master-slave connections (MS) or direct data exchange connections (DX) used to exchange data within your standard user program as part of the maximum limit of 244 bytes of input data and 244 bytes of output data for transmission between an I-slave and a DP master. You can check whether you are within the maximum limit of 244 bytes of input data and 244 bytes of output data for all configured safety-related and standard communication connections in the Configuration tab in t
139. SIEMENS SIMATIC Industrial Software. S7 Distributed Safety configuring and programming. Programming and Operating Manual, 07/2013, A5E00109537-05. Chapters: Preface; Product Overview; Configuration; Access Protection; Programming; F-I/O Access; Implementation of user acknowledgment; Data Exchange between Standard User Programs and Safety Program; Configuring and Programming Communication; Compiling and commissioning a safety program; System Acceptance Test; Operation and Maintenance; Checklist (Appendix). Legal information. Warning notice system: This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger. DANGER indicates that death or severe personal injury will result if proper precautions are not taken. WARNING indicates that death or severe personal injury may result if proper precautions are not taken. CAUTION indicates that minor personal injury can result if proper precautions are not taken. NOTICE indicates that property damage can result if proper precautions are not taken. If more than one degree of danger is present, t
140. 2.3 Configuring the F-CPU. Use of Local Data in an F-FB or F-FC. Note: F blocks are automatically added when the safety program is compiled to create an executable safety program from your safety program. If you use the local data memory area in an F-FB/F-FC, remember the following limit (irrelevant for S7-400 F-CPUs): Local data requirement < maximum local data amount per block (see technical specifications in the Product Information for the F-CPU you are using). Mean local data requirement (in bytes): 2 × amount of all local data of the F-FB/F-FC of data type BOOL, plus 4 × amount of all local data of the F-FB/F-FC of data type INT or WORD, plus 6 × amount of all local data of the F-FB/F-FC of data type TIME, plus 12 (14 if a fixed-point function or word logic instruction is programmed), plus 6 if an F-FB/F-FC or F application block is called. If the amount of local data required is greater, you cannot download your safety program to the F-CPU. Reduce the local data requirement of your programmed F-FB or F-FC. See also: Page 17, Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package; Overview of Access Protection, Page 45; Access Permission for the F-CPU, Page 53; Structure of the Safety Program in S7 Distributed Safety, Page 57; Overview of System Acceptance Test. S7 Di
141. Safety Program. 10.9 Testing the Safety Program. 10.9.1 Overview of Testing the Safety Program. Testing Options: In general, all read-only test functions, such as variable monitoring, are also available for safety programs and in safety mode. While all F blocks can be used as the monitored object, this is only useful for the F blocks created by you (F-PB, F-FB, F-FC and F-DB). Monitoring is available without restrictions. It is possible to modify data of the safety program using the Monitor/modify variable function and to gain write access using HW Config or FBD/LAD Editor. However, restrictions apply and safety mode must be deactivated. Other write accesses to the safety program are not permitted and can cause the F-CPU to go to STOP mode. Testing with S7-PLCSIM Function of STEP 7: You can test the safety program with the S7-PLCSIM (V5.3 and higher) hardware simulation function of STEP 7. You use S7-PLCSIM in the same way as for standard user programs. Note: You can use F application blocks F_SENDDP, F_RCVDP, F_SENDS7 and F_RCVS7 in conjunction with the S7-PLCSIM function (hardware simulation) of STEP 7. Note, however, that the F application blocks constantly signal communication errors when they are run in the simulation CPU. 10.9.2
142. Set up permission for safety program dialog is also used to change a password for the safety program. This is done using the same procedure as in Windows, by entering the old password and then entering the new password twice. Procedure for Setting Up Access Permission for the Safety Program: To set up access permission for the safety program: 1. In SIMATIC Manager, select the F-CPU or its S7 program. 2. Select the Options > Edit Safety Program menu command. The Safety Program dialog will appear. 3. Click Permission and enter the password for the safety program in the Old password field in the Set up permission for safety program dialog. If you have not yet set up any access permission but you perform an action that triggers the password prompt for the safety program (see table for assignment and prompting of passwords), the Password for safety program dialog for assigning the password is displayed automatically. Validity of Access Permission for a Safety Program: A set-up access permission for a safety program enables exclusive access by the Windows user who was the current user at the time of the setup. In addition, the access permission for a safety program acts only in the context of the project in which the safety program was located at the ti
143. Type BOOL to a Data Element of Data Type WORD. Connections (Parameter, Data Type, Description, Default): Inputs: IN0, BOOL, Bit 0 of WORD value, 0; IN1, BOOL, Bit 1 of WORD value, 0; ...; IN15, BOOL, Bit 15 of WORD value, 0. Outputs: OUT, WORD, WORD value consisting of IN0 to IN15, 0. Principle of Operation: This F application block converts the 16 values of data type BOOL at inputs IN0 to IN15 to a value of data type WORD, which is made available at output OUT. The conversion takes place as follows: the i-th bit of the WORD value is set to 0 or 1 if the value at input INi is 0 or 1. Note: To supply inputs IN0 to IN15 with Boolean constants 0 and 1, you can access variables RLO0 and RLO1 in the F shared DB using a fully qualified DB access (F_GLOBDB.RLO0 or F_GLOBDB.RLO1). 9.1.2.24 FC 177 F_W_BO: Convert a Data Element of Data Type WORD to 16 Data Elements of Data Type BOOL. Connections (Parameter, Data Type, Description, Default): Inputs: IN, WORD, WORD value, 0. Outputs: OUT0, BOOL, Bit 0 of WORD value; OUT1, BOOL, Bit 1 of WORD value; ...; OUT15, BOOL, Bit 15 of WORD value, 0. Principle of Operation: This F application block converts the value of data type WORD at input IN to 16 values of data type BOOL, which
144. V5.2 and higher is not supported for F blocks. Procedure for Testing the Safety Program: The following procedure is used for testing: 1. Deactivate safety mode. 2. Monitor and modify the required F data and/or F-I/O from a variable table, HW Config or FBD/LAD Editor. 3. Terminate existing modify requests after testing is complete, before activating safety mode. 4. To activate safety mode, switch the F-CPU from STOP to RUN mode. If the safety program does not behave as you wish during testing, you have the option of modifying the safety program in RUN mode and immediately continuing testing until the safety program behaves according to your requirements. You can find additional information about modifying the safety program in RUN mode in Chapter Modifying the Safety Program in RUN Mode. Testing the Safety Program with S7-PLCSIM: You can monitor and modify variables of your safety program in an S7-PLCSIM and perform other write access functions in your safety program. To use S7-PLCSIM, you only have to download your consistent safety program to an S7-PLCSIM. Note: If you would like to modify variables in an S7-PLCSIM, you must deactivate safety mode beforehand. Otherwise, the S7-PLCSIM can go to STOP mode. You
_RCVDP: Send and Receive Data via PROFIBUS DP

You use F application blocks F_SENDDP and F_RCVDP for fail-safe sending and receiving of data by means of:
• Safety-related master-master communication
• Safety-related master-I-slave communication
• Safety-related I-slave-I-slave communication

Parameter | Data type | Description | Default
Inputs
SD_BO_00 | BOOL | Send data BOOL 00 | 0
... | ... | ... | ...
SD_BO_15 | BOOL | Send data BOOL 15 | 0
SD_I_00 | INT | Send data INT 00 | 0
SD_I_01 | INT | Send data INT 01 | 0
DP_DP_ID | INT | Network-wide unique value for address association between F_SENDDP and F_RCVDP | 0
TIMEOUT | TIME | Monitoring time in ms for safety-related communication (see also "Safety Engineering in SIMATIC S7" system manual) | 0 ms
LADDR | INT | Start address of address area: • of DP/DP coupler for safety-related master-master communication • for safety-related master-I-slave communication • for safety-related I-slave-I-slave communication | 0
Outputs
ERROR | BOOL | 1 = Communication error | 0
SUBS_ON | BOOL | 1 = Receiver outputs fail-safe values | 1
RETVAL14 | WORD | Error code of SFC 14; you can find a description of the error codes in the online Help for SFC 14 | 0
RETVAL15 | WORD | Error code of SFC 15; you can find a description of the error codes in the online Help for SFC 15 | 0
DIAG | BYTE | Service information | 0
afe manner. The fail-safe data are stored in F-DBs that you have created. You can find these F application blocks in the "F application blocks" block container in the Distributed Safety F library (V1).

The F_RCVS7 must be called at the start of the F-PB. The F_SENDS7 must be called at the end of the F-PB. Note that the send signals are sent only after the F_SENDS7 call at the end of the relevant F runtime group execution.

For a detailed description of the F application blocks, refer to Chapter "FB 225 F_SENDS7 / FB 226 F_RCVS7: Communication via S7 Connections".

F communication DB

For each connection, send data are stored in an F-DB (F communication DBx) and receive data are stored in an F-DB (F communication DBy). The F communication DB numbers are made available to F_SENDS7 or F_RCVS7 as parameters.

See also: FB 225 F_SENDS7 and FB 226 F_RCVS7: Communication via S7 Connections

Configuring and Programming Communication 8.7 Safety-Related Communication via S7 Connections

8.7.3 Programming Safety-Related CPU-CPU Communication via S7 Connections

Introduction

This section describes how to program safety-related communication between safety programs of the F-CPUs via S7 connections. You must do the following in the safety programs of the relevant F-CPUs:
• Create F-DBs in which send data or receive
ages and the standard FBD and LAD programming languages

Introduction

The user program in the F-CPU typically consists of a standard user program and a safety program. The standard user program is created in STEP 7 using standard programming languages such as STL, LAD, or FBD. The safety program for S7 Distributed Safety is programmed using F-FBD or F-LAD.

F-FBD and F-LAD Programming Languages

The F-FBD and F-LAD programming languages correspond fundamentally to the standard FBD/LAD languages. The standard FBD/LAD Editor in STEP 7 is used for programming. The primary differences between the F-FBD and F-LAD programming languages and their standard counterparts are limitations in the instruction set and in the data types and address areas that can be used.

Supported Data and Parameter Types

The following elementary data types are supported in F-FBD/F-LAD:
• BOOL
• INT
• WORD
• TIME

Non-Permissible Data and Parameter Types

The following are not permitted:
• Elementary data types not listed above (for example, BYTE, DWORD, DINT, REAL)
• Complex data types (for example, STRING, ARRAY, STRUCT, UDT)
• Parameter types (for example, BLOCK_FB, BLOCK_DB, ANY)

Programming 4.1 Overview of Programming

Supported Address Areas

The system memory of an F-CPU is divided into the same address areas as the system memory of a s
ains at a signal state of 1 (acknowledgment button remains activated).

WARNING: When using the FREE function, the action must be observed. A dangerous situation must be able to be interrupted at any time by releasing the acknowledgment button. The acknowledgment button must be mounted in such a way that the entire danger area can be managed.

F Libraries 9.1 Distributed Safety F library V1

Timing Diagrams for Discrepancy Errors at Sensor Pair 1 or Interruption of the Light Curtain (MUTING is not active)

[Timing diagram: signals FREE, MS_11, MS_12, MS_21, MS_22; discrepancy time DISCTIM1; t < 4 s]

1. Sensor pair 1 (MS_11 and MS_22) is not activated within discrepancy time DISCTIM1.
2. The light curtain is interrupted even though there is no enable (ENABLE = 0).
3. FREE function.
4. Acknowledgment.

Behavior with Stopped Conveyor Equipment

If monitoring is deactivated while the conveyor equipment has stopped for one of the following reasons:
• To comply with discrepancy time DISCTIM1 or DISCTIM2
• To comply with maximum muting time TIME_MAX
you must supply input STOP with a 1 signal for as long as the conveyor equipment is stopped. As soon as the conveyor equipment is running again (STOP = 0), discrepancy times DISCTIM1 and DISCTIM2 and maximum muting time TIME_MAX are reset.
Compiling and commissioning a safety program 10.1 Safety Program Dialog

Information Regarding F-Blocks of Safety Program

All of the F-blocks of the block container are displayed in this dialog. Use the Offline/Online tab to choose whether the F-blocks of the offline or online block container are to be listed.

• The "F Runtime Group" folder contains the F runtime group structure of the safety program. The "F Runtime Groups" view is displayed only for the offline safety program containing an existing F shared DB and at least one defined F runtime group. The names of the F runtime group folders are formed as follows: "F runtime group <name of F-CALL of F runtime group>". The following is displayed in the "F Runtime Group" folder: all F-FBs, F-FCs, F application blocks, instance DBs, F-DBs, the F-CALL, and, if applicable, the DB for F runtime communication for each respective F runtime group. The "F Runtime Group" folder also contains an "F-I/O DBs" folder. This folder contains all F-I/O DBs that are addressed from the F runtime group.
  Note: If a consistent safety program does not exist, the contents of the "F runtime group" and "F-I/O DBs" folders are not complete.
• The "Complete" folder contains all F-blocks of the offline block container.

The following properties are displayed for each F-block: block designation (type, number), with/without F attribute, with/without know-how
al error can also trigger a startup of the safety program with the values from the load memory. If your process does not allow such a startup, you must program a restart/startup protection in the safety program. Process data outputs must be blocked until manually enabled. These outputs must not be enabled until it is safe to do so and faults have been corrected.

Example of Restart/Startup Protection

In order to apply restart/startup protection, it must be possible to detect a startup. To detect a startup, you declare a variable of data type BOOL with an initial/actual value of 1 in an F-DB. Block the output of process data when this variable has a value of 1, for example, by passivating F-I/O with the PASS_ON variable in the F-I/O DB. To manually enable the process data outputs, you reset this variable by means of a user acknowledgment.

See also:
Implementing User Acknowledgment in the Safety Program of the F-CPU of a DP Master or IO Controller (Page 121)
Implementing User Acknowledgment in the Safety Program of an I-Slave F-CPU (Page 124)

Programming 4.5 Programming Startup Protection

F-I/O Access 5

5.1 F-I/O Access Overview

This section describes how to access the F-I/O
aluating stacks in STEP 7 | Online Help for STEP 7

Operation and Maintenance 12.3 Guide to Diagnostics

Step | Procedure | Reference
4 | Evaluating the diagnostic variable of the F-I/O DB using testing and commissioning functions or in the standard user program: evaluate the DIAG variable in the F-I/O DB. | Chapter "F-I/O Access"
5 | Evaluating diagnostic parameters of instance DBs of F application blocks using testing and commissioning functions or in the standard user program: • Evaluate the following for F_MUTING, F_1oo2DI, F_2H_EN, F_MUT_P, F_ESTOP1, F_FDBACK, F_SFDOOR in the assigned instance DB: DIAG parameter • Evaluate the following for F_SENDDP or F_RCVDP in the assigned instance DB: RETVAL14 parameter, RETVAL15 parameter, DIAG parameter • Evaluate the following for F_SENDS7 or F_RCVS7 in the assigned instance DB: STAT_RCV parameter, STAT_SND parameter, DIAG parameter | Chapter on the relevant F application block

Evaluation of the Diagnostic Variable or Parameters of F-I/O DBs or Instance DBs

Note: The following diagnostic variables/parameters provide you with detailed diagnostic information: DIAG, RETVAL14, RETVAL15, STAT_RCV, and STAT_SND. These can be read out using the testing and commissioning functions on the programming device or using an operator con
am of an I-Slave F-CPU

Options for User Acknowledgment

You can implement a user acknowledgment in one of the following ways:
• By means of an operator control and monitoring system that you can use to access the F-CPU of the I-slave
• By means of an acknowledgment key that you connect to an F-I/O with inputs that is assigned to the F-CPU of the I-slave
• By means of an acknowledgment key that you connect to an F-I/O with inputs that is assigned to the F-CPU of the DP master

These three options are illustrated in the figure below.

[Figure: PROFIBUS DP with an S7-400 station with CPU 416-2 DP (DP master), an ET 200S with IM151-7 F-CPU (I-slave), an ET 200M, F-DI modules, and a control and monitoring system; safety-related master-I-slave communication for the acknowledgment signal; options 1, 2, and 3 marked]

1. User Acknowledgment by Means of an Operator Control and Monitoring System that You Can Use to Access the F-CPU of the I-Slave

To implement a user acknowledgment by means of an operator control and monitoring system that you can use to access the F-CPU of the I-slave, you need the F_ACK_OP F application block from the Distributed Safety F library (V1).

Programming Procedure

Follow the procedure described in Chapter "Procedure for Programming User Acknowledgment by Means of an Operat
am, you must regenerate the safety program.

• Modified: The collective signature of the safety program is set to 0 because the safety program or the safety-relevant parameters of the F-CPU and F-I/Os have been changed. The collective signature of all F-blocks with F attribute in the block container is different from the collective signature of the safety program. If a safety program in the F-CPU has the state "modified", the F-CPU startup is prevented when the F-CPU supports this ID (see product information for the respective F-CPU). If the F-CPU does not support this ID, executing a safety program with state "modified" can cause the F-CPU to STOP in the enabled safety program. To obtain a consistent safety program, you must regenerate the safety program.

See also: Overview of System Acceptance Test (Page 313)

Compiling and commissioning a safety program 10.3 Compiling Safety Program

10.3 Compiling Safety Program

Note: Before you compile the safety program, close the LAD/FBD Editor, the "Display S7 Reference Data" and "Check Block Consistency" applications, as well as the symbol table.

Procedure for Compiling the Safety Program

1. Select the correct F-CPU or the S7 program assigned to it.
2. In SIMATIC Manager, select the Options > Edit Safety Program menu command. The Safety Program dialog will appear.
3. Activate the Co
4.1.4 Differences between the F-FBD and F-LAD programming languages and the standard FBD and LAD programming languages
4.2 Creating the Safety Program
4.2.1 Basic Procedure for Creating the Safety Program
4.2.2 Defining the Program Structure
4.3 Creating F-Blocks in F-FBD/F-LAD
4.3.1 Creating F-Blocks in F-FBD/F-LAD
4.3.2 Creating and editing F-FB/F-FC
4.3.3 Creating and Editing F-DB
4.3.4 Know-How Protection for User-Created F-FBs, F-FCs, and F-DBs
4.3.5 Check Block Consistency Function for User-Created F-FBs, F-FCs, and F-DBs
4.3.6 Compile and Download Objects Function
4.3.7 Store Write-Protected Function for User-Created F-FBs, F-FCs, and F-DBs
4.3.8 Rewiring Function for F-FBs and F-FCs
ancy time in range between 0 s and 3 s
Bit 1 | Discrepancy error or incorrect discrepancy time DISCTIM2 setting for sensor pair 2 | Same as Bit 0 | Same as Bit 0
Bit 2 | Maximum muting time exceeded or incorrect muting time TIME_MAX setting | Malfunction in production sequence | Malfunction in production sequence eliminated
 | | Maximum muting time setting is too low | If necessary, set a higher maximum muting time
 | | Muting time setting is < 0 s or > 10 min | Set muting time in range from 0 s to 10 min
Bit 3 | Light curtain interrupted and muting not active | Light curtain is defective | Check light curtain
 | | Wiring fault | Check wiring of light curtain/FREE input
 | | F-I/O fault, channel fault or communication error, or passivation by means of PASS_ON of F-I/O of light curtain/FREE input | For a solution, see DIAG variable bits 0 to 6 in Chapter "F-I/O DB"
 | | See other DIAG bits | 
Bit 4 | Muting lamp is defective or cannot be set | Muting lamp is defective | Replace muting lamp
 | | Wiring fault | Check wiring of muting lamp
 | | F-I/O fault, channel fault or communication error, or passivation by means of PASS_ON of F-I/O of muting lamp | For a solution, see DIAG variable bits 0 to 6 in Chapter "F-I/O DB"
Bit 5 | Reserved | | 
Bit 6 | Reserved | | 
Bit 7 | Reserved | | 

F Libraries

See also

9.1.2.12 C
and PROFINET IO systems are operated on one network. Subsequent address changes are possible but not necessary, because the address range was reserved according to your parameter assignment.

You can specify the "Base for PROFIsafe addresses" in increments of 1000. PROFIsafe target addresses are always assigned automatically based on the following formula: Base for PROFIsafe address divided by 10. The maximum PROFIsafe target address possible is 1022.

Example: You set the base as 2000. PROFIsafe target addresses are automatically assigned starting with address 200.

Compatibility Mode Parameter

This parameter is available only for F-CPUs that support PROFIsafe V2-MODE and that have only PROFIBUS DP interfaces (not PROFINET IO). A change in the default setting ("compatibility mode off") is only relevant if you want to replace an F-CPU in your hardware configuration that supports only PROFIsafe V1-MODE with an F-CPU that also supports PROFIsafe V2-MODE. To prevent this CPU replacement and subsequent compilation from changing the safety program (thus requiring a new acceptance test), you must enable compatibility mode. If you do not, the PROFIsafe MODE of all F-I/O that support V2-MODE will be changed to V2-MODE when the hardware configuration is saved and compiled in HW Config. If your project uses F-I/O on PROFINET IO or in a hybrid configuration on PROFIBUS DP and PROFINET IO (based on IE/PB Links), compatibility mode must be disabled.
are Packages in the Standard User Program

For software packages that can be used in parallel with the standard program and safety program (for example, SW Redundancy), general conditions may apply that must be observed.

Note: If the safety program occupies block numbers for FBs, DBs, and FCs that are required by the software package, it may be necessary to change the safety program to release the block numbers for subsequent use of the software package. This requires another acceptance test for the changes in the safety program.

Operation and Maintenance 12

12.1 Notes on Safety Mode of the Safety Program

Introduction

Pay attention to the following important notes on safety mode of the safety program.

Using Simulation Devices/Simulation Programs

WARNING: If you operate simulation devices or simulation programs that generate safety message frames (e.g., based on PROFIsafe) and make them available to an S7 Distributed Safety F-system via the bus system (such as PROFIBUS DP or PROFINET IO), you have to ensure the safety of the F-system using organizational measures, such as operational monitoring and manual safety shutdown. If you use the S7-PLCSIM function of STEP 7 to simulate safety programs, these measures are not necessary, because S7-PLCSIM cannot establish an online connection t
are provided at outputs OUT0 to OUT15. The conversion takes place as follows: output OUTi is set to 0 or 1 if the i-th bit of the WORD value is 0 or 1.

F Libraries 9.1 Distributed Safety F library V1

9.1.2.25 FC 178 F_INT_WR: Write Value of Data Type INT Indirectly to an F-DB

Connections

Parameter | Data type | Description
Inputs
IN | INT | Value to be written to the F-DB
ADDR_INT | POINTER | Start address of the INT area in an F-DB
END_INT | POINTER | End address of the INT area in an F-DB
OFFS_INT | INT | Address offset in the INT area

Principle of Operation

This F application block writes the value of data type INT indicated at input IN to the variable in an F-DB addressed by means of ADDR_INT and OFFS_INT. The address of the variable addressed by means of ADDR_INT and OFFS_INT must be within the address area defined by addresses ADDR_INT and END_INT. If the F-CPU has gone to STOP mode with diagnostic event ID 75E2, verify that this condition is satisfied.

The start address of the area with variables of data type INT in an F-DB in which the value at input IN is to be written is transferred using the ADDR_INT input. The associated address offset in this area is transferred using the OFFS_INT input. The addresses transferred at the ADDR_INT or END_INT inputs must point to a variable of data
at the fail-safe values are output for different lengths of time following startup of the F-system due to different startup characteristics of the F-I/O.

If the signal states of inputs IN1 and IN2 remain different after the discrepancy time DISCTIME has expired, a discrepancy error is detected after the F-system starts up. If ACK_NEC = 1, you must acknowledge the discrepancy error with a rising edge at input ACK.

Output DIAG

The DIAG output provides non-fail-safe information on errors for service purposes. You can read out this information by means of operator control and monitoring systems or, if applicable, you can evaluate it in your standard user program. DIAG bits are saved until acknowledgment at input ACK.

F Libraries 9.1 Distributed Safety F library V1

Structure of DIAG

Bit no. | Assignment | Possible causes of problems | Remedies
Bit 0 | Discrepancy error or incorrect discrepancy time setting (status of DISC_FLT) | Sensor defective | Check sensors
 | | Wiring fault | Check wiring of sensors
 | | Sensors are wired to different F-I/O, and F-I/O fault, channel fault or communication error, or passivation by means of PASS_ON on an F-I/O | For a solution, see DIAG variable bits 0 to 6 in Chapter "F-I/O DB"
 | | Discrepancy time setting is too low | If necessary, set a higher discre
ata bits cannot be initialized with the Flip-Flop SR/RS, Set Output S, or Reset Output R instructions. The F-CPU can go to STOP if this is not observed. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
• Data corruption in the safety program prior to output to F-I/O
• Data corruption in the safety program prior to output to partner F-CPU
• Safety program: internal CPU fault, internal error information: 404

You can find out which address areas are possible for your F-CPU in the product information for the CPU you are using.

Programming 4.1 Overview of Programming

Address Areas for N, P, NEG, POS, S, R, SR, RS Instructions: Particularities

Note: The process input image, process output image, and bit memory address areas must not be used for the edge memory bits of the RLO Edge Detection (N, P) or Address Edge Detection (NEG, POS) instructions, or for the address of the Flip-Flop SR/RS instructions.

If the local data address area is used for the edge memory bits of the RLO Edge Detection (N, P) or Address Edge Detection (NEG, POS) instructions, or for the address of the Flip-Flop SR/RS, Set Output S, or Reset Output R instructions, the local data bit must be initialized beforehand.

Supported Instructions

You can use the instructions listed
atic data of data type BOOL
+ 4 x number of all parameters or static data of data type INT/WORD
+ 6 x number of all parameters or static data of data type TIME
+ 36
< Maximum size of data blocks in bytes (see Technical Specifications in the manual for the F-CPU you are using)

F-DBs must comply with the following:

2 x number of all variables of the F-DB of data type BOOL
+ 4 x number of all variables of the F-DB of data type INT/WORD
+ 6 x number of all variables of the F-DB of data type TIME
+ 36
< Maximum size of data blocks in bytes (see Technical Specifications in the manual for the F-CPU you are using)

If you receive the message "Block x could not be copied" when you download your safety program to the F-CPU, check whether these conditions are met. Reduce the following as necessary:
• Size of F-FB/F-FC/F-PB
• Number of parameters and static data of F-FBs/F-FCs/F-PBs
• Number of variables of F-DBs
• Number of blocks: you must not exceed the maximum block limit of the F-CPU (see Technical Specifications in the manual for the F-CPU you are using)

Compiling and commissioning a safety program 10.6 Function Test of Safety Program and Protection through Program Identification

10.6 Function Test of Safety Program and Protection through Program Identification

Complete Function Test or Test of Changes After
ation DBs do not match, the F-CPU can go to STOP mode. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
• Data corruption in the safety program prior to output to F-I/O
• Data corruption in the safety program prior to output to partner F-CPU
• Safety program: internal CPU fault, internal error information: 404

For this reason, we recommend that you use the following procedure:

1. Create an F communication DB in the block container of the offline safety program on the sender side in SIMATIC Manager.
2. Specify the appropriate structure of the F communication DB, taking into account the data to be transferred.
3. Copy this F communication DB to the block container of the offline safety program on the receiver side and change the DB number, if necessary.

Configuring and Programming Communication 8.7 Safety-Related Communication via S7 Connections

Other Requirements for F Communication DBs

F communication DBs must also conform to the following properties:
• They are not permitted to be instance DBs.
• Their length is not permitted to exceed 100 bytes.
• Only data types BOOL, INT, WORD, and TIME are permitted to be declared in the F communication DBs.
• Data types must be arranged block by block in the following order: BOOL, INT, WORD, and TIME. Only one block per data
ation between the > safety program and the > F-I/O in an > F-system.

PROFIsafe Address: Every > F-I/O module has a PROFIsafe address. You must configure the PROFIsafe address in HW Config of STEP 7 and set the address via a switch on the F-I/O.

Program Signature: > Collective signature

Proof Test Interval: A component must be put into a fail-free state following the proof test interval. That is, it is replaced by an unused component or it is proven to be completely error-free.

Reintegration: Switching from substitute values (0) to process data (reintegration of an > F-I/O module) occurs automatically or after user acknowledgment in the F-I/O DB. The reintegration method depends on the following:
• The cause for > passivation of the F-I/O or channels of the F-I/O
• Parameter assignment in the > F-I/O DB
For an > F-I/O module with inputs, the process data in the PII pending at the F inputs are provided again for the safety program after reintegration. The F-system transfers the PIO output values provided in the safety program to the fail-safe outputs of the F-I/O.

S7-PLCSIM: The S7-PLCSIM application enables you to execute and test your program on a simulated automation system on your programming device or PC. Because the simulation takes place entirely in STEP 7, you do not require any hardware (CPU, I/O).
by the standard user program or an operator control and monitoring system during runtime of the F runtime group in which the data are read (for example, because your standard user program is being executed by a higher-priority cyclic interrupt). You must write the data from the standard user program to these memory bits immediately before calling the F runtime group. You can then only access these memory bits in the safety program.

Note, too, that clock memory that you defined when configuring your F-CPU in HW Config (in the object properties for the F-CPU) can change during runtime of the F runtime group, since clock memory runs asynchronously to the F-CPU cycle.

Note: The F-CPU can go to STOP if the information above is not observed. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
• Data corruption in the safety program prior to output to F-I/O
• Data corruption in the safety program prior to output to partner F-CPU
• Safety program: internal CPU fault, internal error information: 404

See also:
Differences between the F-FBD and F-LAD programming languages and the standard FBD and LAD programming languages (Page 61)
Compiling Safety Program (Page 272)

Configuring and Programming Communication 8

8.1 Overview of safety-related communication

Introduction

This se
cannot be accessed. Note that accessing instance DBs of F-FBs that are not called in the safety program can cause the F-CPU to go to STOP mode.

MOVE Instruction: Particularities

Note: The MOVE operation is permitted if the data types at the input and output are the same, or between data with the INT and WORD data types. For data from the standard user program, the length of the data types at the input and output must match.

Call/Multiple Instances: Particularities

Note: You must not declare the F_SENDS7 and F_RCVS7 F application blocks as multiple instances, even if they have the "multiple instance capable" property. Accesses to static data of a multiple instance within the F-FB in which the multiple instance is declared are not permitted. Accesses to inputs and outputs of a multiple instance outside the F-FB in which the multiple instance is declared are not permitted.

JMP/JMPN/RET Instructions: Particularities

Note: You are not permitted to program an F_SENDDP or F_SENDS7 call between a jump instruction and the associated destination of the jump instruction. You are not permitted to program a RET instruction prior to an F_SENDDP or F_SENDS7 call.

Programming 4.1 Overview of Programming

Non-Permissible Instructions

All instructions that are not listed in the table above are not permi
9.1.2.5 FB 183 F_CTUD Count Up and Down
9.1.2.6 FB 184 F_TP Create Pulse
9.1.2.7 FB 185 F_TON Create ON Delay
9.1.2.8 FB 186 F_TOF Create OFF Delay
9.1.2.9 FB 187 F_ACK_OP Fail-Safe Acknowledgment
9.1.2.10 FB 188 F_2HAND Two-Hand Monitoring
9.1.2.11 FB 189 F_MUTING Muting
9.1.2.12 FB 190 F_1oo2DI 1oo2 Evaluation with Discrepancy Analysis
9.1.2.13 FB 211 F_2H_EN Two-Hand Monitoring with Enable
9.1.2.14 FB 212 F_MUT_P Parallel Muting
9.1.2.15 FB 215 F_ESTOP1 Emergency STOP up to Stop Category 1
9.1.2.16 FB 216 F_FDBACK Feedback Monitoring
9.1.2.17 FB 217 F_SFDOOR Safety Door Monitoring
9.1.2.18 FB 219 F_ACK_GL Global Acknowledgment of all F-I/O in an F Runtime Group
9.1.2.19 FB 223 F_SENDDP and FB 224 F_RCVDP Send and Receive Data via PROFIBUS DP ... 242
9.1.2.20 FB 225 F_SENDS7 and FB 226 F_RCVS7 Communication via S7 Connections ... 249
9.1.2.21 FC 174 F_SHL_W Shift Left 16 Bits ... 256
9.1.2.22 FC 175 F_SHR_W Shift Right 16 Bits ... 257
9.1.2.23 FC 176 F_BO_W Convert 16 Data Elements of Data Type BOOL to a Data Element of Data Type WORD ... 258
9.1.2.24 FC 177 F_W_BO Convert a Data Element of Data Type WORD to 16 Data Elements of Data Type BOOL ... 259
9.1.2.25 FC 178 F_INT_WR Write Value of Data Type INT Indirectly to an F-DB ... 260

Table of contents

9.1.2.26 FC 179 F_INT_RD Read Value of Data Type INT Indirectly from an F-DB
9.1.3 F System
cess is otherwise excluded.

Output DIAG

The DIAG output provides non-fail-safe information on errors for service purposes. You can read out this information by means of operator control and monitoring systems or, if applicable, you can evaluate it in your standard user program.

F Libraries 9.1 Distributed Safety F library V1

Structure of DIAG

Bit no. | Assignment | Possible causes of problems | Remedies
Bit 0 | Reserved | | 
Bit 1 | Signal state 0 is missing at both IN1 and IN2 inputs | Safety door was not completely opened when OPEN_NEC = 1 after F-system startup | Open safety door completely
 | | Safety door was not completely opened | Open safety door completely
 | | Wiring fault | Check wiring of position switch
 | | Position switch is defective | Check position switch
 | | Position switch is incorrectly adjusted | Adjust position switch properly
Bit 2 | Signal state 1 is missing at both IN1 and IN2 inputs | Safety door was not closed | Close safety door
 | | Wiring fault | Check wiring of position switch
 | | Position switch is defective | Check position switch
 | | Position switch is incorrectly adjusted | Adjust position switch properly
Bit 3 | QBAD_IN1 and/or QBAD_IN2 = 1 | F-I/O fault, channel fault or communication error, or passivation by means o
ck of the standard user program in which the F-runtime group is called.
- Call time for the F-runtime group: that is, the execution time of the cyclic interrupt OB in which the F-CALL is called. You configured this time in HW Config (object properties for the F-CPU, "Cyclic interrupts" tab, "Execution time" parameter of the corresponding OB).
Repeat steps 2 to 6 to create a second F-runtime group.
Once the OK button is activated in the Edit F-Runtime Groups dialog, the entries are saved and, following a prompt, any non-existing F-blocks are automatically created.

Programming, 4.4 Defining F-Runtime Groups
4.4.3 Safety-Related Communication between F-Runtime Groups of a Safety Program

Safety-Related Communication between F-Runtime Groups
Safety-related communication can take place between the two F-runtime groups of a safety program. That is, fail-safe data that are provided by one F-runtime group in an F-DB are read in another F-runtime group.
You have the following options for creating the DB for F-runtime group communication:
- In the Define New F-Runtime Group dialog
- In the Edit F-Runtime Groups dialog
- In SIMATIC Manager (see "Creating a DB for F-Runtime Group Communication in SIMATIC Manager" below)
Note
A DB for F-runtime group communication can be read- and write-accessed by the F-runtime
cluded in the block container are shown in the table below.

F-application blocks (block container, purpose of F-block, function)
F-Blocks: this block container contains the F-application blocks that can be called by the user in the F-PB, F-FBs, and F-FCs.
- Safety-related CPU-CPU communication: F-application blocks F_SENDDP, F_RCVDP, F_SENDS7, and F_RCVS7 for sending and receiving data during safety-related CPU-CPU communication
- Acknowledgment: F-application block F_ACK_OP for fail-safe acknowledgment by means of an operator control and monitoring system; F-application block F_ACK_GL for a global acknowledgment of all F-I/O of an F-runtime group
- Timers and counters: F-application blocks F_TP, F_TON, F_TOF; F-application blocks F_CTU, F_CTD, F_CTUD
- Ready-made F-functions: F-application blocks for functions such as two-hand monitoring, muting, emergency STOP, safety door monitoring, and feedback loop monitoring
- Data conversion and scaling: F-application blocks F_SCA_I, F_BO_W, F_W_BO
- Copying: F-application blocks F_INT_WR, F_INT_RD
- Shift instructions: F-application blocks F_SHL_W, F_SHR_W
F-System Blocks: this block container contains the F-system blocks. F
creating a safety program, you must carry out a complete function test in accordance with your automation task. For changes made to a safety program that has already undergone a complete function test, only the changes need be tested.

Compiling and commissioning a safety program, 10.6 Function Test of Safety Program and Protection through Program Identification

Transferring the Safety Program to the F-CPU with a Programming Device or PC: F-CPUs with Inserted Memory Card (Flash Card or MMC)
The following warnings apply when the safety program is transferred from a programming device or PC to:
- F-CPUs with flash card inserted (e.g. CPU 416F-2)
- F-CPUs with MMC (e.g. CPU 317F-2 DP, CPU 315F-2 PN/DP, or IM 151-7 F-CPU)

WARNING
If the function test of the safety program is not carried out in the target F-CPU, you must comply with the following procedure when transferring the safety program to the F-CPU with a programming device or PC, to ensure that the F-CPU does not contain an old safety program:
- For F-CPUs with MMC: download the safety program to the F-CPU in the Safety Program dialog.
- For F-CPUs with inserted Flash Card: download the safety program to the F-CPU in the Download User Program to Memory Card dialog.
- Perform a program identification, that is, check to determine whether the collecti
cted by the received data. Alternatively, you must output fail-safe values instead of the received data in the F-CPU with the F_RCVS7 by evaluating SENDMODE.
See also
Creating and Editing F-DB (Page 81)

Configuring and Programming Communication, 8.8 Safety-Related Communication between S7 Distributed Safety and S7 F Systems

8.7.4 Limits for Data Transfer (Safety-Related Communication via S7 Connections)
Limits for Data Transfer
Note
If the amount of data to be transmitted exceeds the permissible length for the F-communication DB (100 bytes), you can create another F-communication DB that you transfer to an additional F_SENDS7/F_RCVS7 call with modified R_ID.
Note that SFB 8 and SFB 9 are called internally at each F_SENDS7 call or F_RCVS7 call and use connection resources in the F-CPU. This affects the maximum number of communication connections available. Information about the connection resources of an F-CPU is obtained in the same way as for standard systems, in the Module Information dialog on the Communication tab.

8.8 Safety-Related Communication between S7 Distributed Safety and S7 F Systems
Introduction
Safety-related communication via S7 connections for F-CPUs in S7 F Systems is also possible. A maximum of 32 data elements of data type BOOL can be exchanged. F-CPU 2 (such as CPU 416
ction provides an overview of the following options for safety-related communication in S7 Distributed Safety F-systems:
- Safety-related slave-slave communication via PROFIBUS DP
- Safety-related CPU-CPU communication:
  - Safety-related master-master communication via PROFIBUS DP
  - Safety-related master-I-slave communication via PROFIBUS DP
  - Safety-related I-slave-I-slave communication via PROFIBUS DP
  - Safety-related IO controller-IO controller communication via PROFINET IO
  - Safety-related communication by means of S7 connections via Industrial Ethernet
- Safety-related communication between S7 Distributed Safety and S7 F Systems

Configuring and Programming Communication, 8.1 Overview of safety-related communication

Overview of Safety-Related Communication via PROFIBUS DP
The figure below presents an overview of the four options for safety-related communication via PROFIBUS DP in S7 Distributed Safety F-systems.
[Figure: DP master system 1, DP master system 2, DP/DP coupler, PROFIBUS subnet 2, DP slave with F-modules; safety-related master-master communication via DP/DP coupler; safety-related master-I-slave communication; safety-related I-slave-I-slave communication; safety-related I-slave-slave communication]

Safety-Related CPU-CPU Communication via PROFIBUS DP or PROFINET
d F-system blocks are automatically added and stored in the number range you have reserved for the F-function blocks, in order to create an executable safety program from the safety program you have programmed.
Note
You must not insert F-system blocks from the F-System Blocks block container in an F-PB, F-FB, or F-FC. Likewise, you must not modify, rename, or delete F-system blocks in the Distributed Safety F-library (V1) or in the block container of your user project.
Overview of Configuration (Page 23)

F-Shared DB
The F-shared data block is a fail-safe block that contains all of the shared data of the safety program and additional information needed by the F-system. When the hardware configuration is saved and compiled in HW Config, the F-shared DB is automatically inserted and expanded. Using the symbolic name of the F-shared DB (i.e. F_GLOBDB), you can evaluate certain data of the safety program in the standard user program.
WARNING
Do not copy the F-shared DB from a safety program to another safety program (exception: copying the entire S7 program).
Data Transfer from the Safety Program to the Standard User Program (Page 127)
Data Transfer from Standard User Program to Safety Program (Page 129)

9.1.5 Custom F-Libraries
Introductio
d in F-FBD/F-LAD in the FBD/LAD Editor, all addresses that are not fail-safe are shown by default with a yellow background.

Data Exchange between Standard User Programs and Safety Program, 7.2 Data Transfer from Standard User Program to Safety Program

Example: Programming Validity Checks
- Use comparison instructions to check whether unsafe data from the standard user program exceed or fall below permitted upper and lower limits. You can then influence your safety function with the result of the comparison.
- With unsafe signals from the standard user program, for example, only allow a motor to be switched off, but not to be switched on, using Set/Reset or Flip-flop instructions.
- For starting cycles, gate unsafe signals from the standard user program, for example, using AND gating with starting conditions that you derive from fail-safe signals.
If you want to process unsafe data in the safety program, bear in mind that a sufficiently simple method of checking validity does not exist for all unsafe data.

Reading Data from the Standard User Program When Changes to the Data are Possible during Runtime of an F-Runtime Group
You must use dedicated memory bits if you want to read data from the standard user program (bit memory or PII of standard I/O) in the safety program and these data can be changed
d instance DB is not permitted.
Note
A separate instance DB must be used for each call of F_ACK_OP. Each call can be processed only once in an F-runtime group cycle.
The F-CPU can go to STOP mode if the information above is not observed. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
- Data corruption in the safety program prior to output to F-I/O
- Data corruption in the safety program prior to output to partner F-CPU
- Safety program internal CPU fault (internal error information: 404)

Additional Information
You will find additional information about fail-safe acknowledgment with the F_ACK_OP F-application block in the references provided under "See also".
See also
Implementing User Acknowledgment in the Safety Program of the F-CPU of a DP Master or IO Controller (Page 121)
Implementing User Acknowledgment in the Safety Program of an I-Slave F-CPU (Page 124)
Overview of F-application blocks (Page 183)

9.1.2.10 FB 188 "F_2HAND": Two-Hand Monitoring
Connections (parameter, data type, description, default)
Inputs:
- IN1, BOOL, Momentary contact switch 1, default 0
- IN2, BOOL, Momentary contact switch 2, default 0
- DISCTIME, TIME, Discrepancy time (0 to 500 ms), default T#0ms
Outputs:
- Q, BOOL, 1 = Enable, default 0
ddress Areas (Safety-Related Master-Master Communication)
8.2.2 Configuring Safety-Related Master-Master Communication
8.2.3 Communication by Means of F_SENDDP and F_RCVDP (Safety-Related Master-Master Communication)
8.2.4 Programming Safety-Related Master-Master Communication
8.2.5 Limits for Data Transfer (Safety-Related Master-Master Communication)
8.3 Safety-Related Master-I-Slave Communication
8.3.1 Configuring Address Areas (Safety-Related Master-I-Slave Communication)
8.3.2 Configuring Safety-Related Master-I-Slave Communication
8.3.3 Communication by Means of F_SENDDP and F_RCVDP (Safety-Related Master-I-Slave and I-Slave-I-Slave Communication) 150
8.3.4 Programming Safety-Related Master-I-Slave and I-Slave-I-Slave Communication
8.3.5 Limits for Data Transfer (Safety-Related Master-I-Slave or I-Slave-I-Slave Communication) 155
8.4 Safety-Related I-Slave-I-Slave Communication
dgement.

Implementation of user acknowledgment, 6.1 Implementing User Acknowledgment in the Safety Program of the F-CPU of a DP Master or IO Controller

WARNING
If your operator control and monitoring system can access multiple F-CPUs that use F_ACK_OP for fail-safe acknowledgment, or if you have networked operator control and monitoring systems and F-CPUs with F_ACK_OP F-application blocks, you must be sure that the correct F-CPU is in fact being addressed before executing the two acknowledgment steps.
In each F-CPU, store a network-wide unique name for the F-CPU in a DB of your standard user program.
In your operator control and monitoring system, set up a field from which you can read out the F-CPU name from the DB online before executing the two acknowledgment steps.
Optional: in your operator control and monitoring system, set up a field to permanently store the F-CPU name. Then you can determine whether the intended F-CPU is being addressed by simply comparing the F-CPU name read out online with the permanently stored name.

Example of Procedure for Programming a User Acknowledgment for Reintegrating an F-I/O
1. Optional: set the ACK_NEC variable in the respective F-I/O DB to 0 if automatic reintegration without user acknowledgment is to take place after an F-I
ding a safety program to an F-CPU for which access rights by means of an F-CPU password do not yet exist, you must first revoke existing access permission for any other F-CPU.
Configuring the F-CPU (Page )

Programming, 4.1 Overview of Programming
4.1.1 Overview of Programming
Introduction
A safety program consists of fail-safe blocks that you select from an F-library or create using the F-FBD or F-LAD programming languages, and fail-safe blocks that are automatically added when the safety program is compiled. Fault control measures are automatically added to the safety program you create, and additional safety-related tests are performed.
Overview
This section contains a description of the following:
- Structure of the safety program in S7 Distributed Safety
- Fail-safe blocks
- Differences between the F-FBD/F-LAD programming languages and the standard FBD and LAD languages

Schematic Structure of a Project with Standard User Program and Safety Program
The figure below presents the schematic structure of a STEP 7 project in the programming device/PC with a standard user program and a safety program for S7 Distributed Safety. The Distributed Safety F-block l
dress: Input address 1298, Process image: OB40 interrupt, Comment, Apply]
12. Confirm your entry with OK.
13. In the F Configuration tab of the object properties for I-slave 1, select New.

Configuring and Programming Communication, 8.4 Safety-Related Slave-Slave Communication

14. In the next dialog, make the following entries for the send connection to I-slave 2 (for our example):
  - For Mode: F-DX-S (send via fail-safe slave-I-slave communication)
  - For DP partner (receiver): DP address 5 (slave address), LADDR 142
  - For Local (sender): Address LADDR 140
  Accept the defaults for the other parameters in the dialog box.
15. Confirm your entry with OK. This results in two configuration lines for this example.
[Figure: Properties - DP slave; tabs General, Connection, Configuration, F Configuration; columns Partner DP Addr. and Local addr; entries 3 CPU 315F-2 DP, F-DX-S, F DP Receive F_RCVDP, Partner Sender 3 CPU 315F-2 DP; Assigned station: 2 SIMATIC 416F-1; Comment; OK, Cancel, Help]
Note
In the object properties for the respective I-slave, entries are automatically made in the Configuration tab based on the configuration in the F Configuration tab. These entries must not be modified. Otherwise, safety-related I-slave-I-slave communication is not
e
- Compilation date of the safety program: F_PROG_DAT variable (DATE_AND_TIME data type)
You use fully qualified access to access these variables (e.g. "F_GLOBDB".MODE). The number and symbolic name of the F-shared DB and the absolute addresses of variables are indicated in the printout of the safety program.
You can also write to memory bits in the safety program to enable intermediate results of the safety program to be used by the standard user program without having to pass through F-data blocks. However, these memory bits must not be read in the safety program itself.

Process Output Image
The process output image (PIQ) of standard I/O can also be written to in the safety program (e.g. for display purposes). These values must not be read in the safety program either (see table of supported address areas in Chapter "Differences between the F-FBD/F-LAD Programming Languages and the Standard FBD/LAD Languages").
See also
Differences between the F-FBD and F-LAD programming languages and the standard FBD and LAD programming languages (Page 61)

Data Exchange between Standard User Programs and Safety Program
7.2 Data Transfer from Standard User Program to Safety Program
Data Transfer from Standard User Program to Safety Program
As a ba
e in the standard user program or on the operator control and monitoring system in order to query or to indicate whether a communication error has occurred.
13. Optional: evaluate the SENDMODE output of the F_RCVDP in order to query whether the F-CPU with the associated F_SENDDP is in deactivated safety mode.
WARNING
If the F-CPU with the associated F_SENDDP is in deactivated safety mode, you can no longer assume that the data received from this F-CPU were generated safely. You must then implement organizational measures, such as operation monitoring and manual safety shutdown, to ensure safety in those portions of the system that are affected by the received data. Alternatively, you must output fail-safe values instead of the received data in the F-CPU with the F_RCVDP by evaluating SENDMODE.
See also
Implementing User Acknowledgment in the Safety Program of the F-CPU of a DP Master or IO Controller (Page 121)
Deactivating Safety Mode (Page 304)

Configuring and Programming Communication, 8.3 Safety-Related Master-I-Slave Communication

8.2.5 Limits for Data Transfer (Safety-Related Master-Master Communication)
Note
If the data quantities to be transmitted exceed the capacity of the F_SENDDP/F_RCVDP block pair, a second or third F_SENDDP/F_RCVDP call ca
e 1oo2 evaluation of the sensors you can access in the safety program, refer to the relevant manuals for the F-I/O.

F-I/O Access, 5.1 F-I/O Access

Signal Charts
The signal charts presented in the "Signal Chart" figures in the following sections represent typical signal charts for the indicated behavior. Actual signal charts, and in particular the relative position of the status change of individual signals, can deviate from the given signal charts within the scope of known distortion for cyclic program execution, depending on the following:
- Which F-I/O are being used (F-I/O with inputs, F-I/O with outputs, F-I/O with inputs and outputs; S7-300 F-SMs, ET 200S F-modules, ET 200eco F-modules, ET 200pro F-modules, or fail-safe DP standard slaves/standard I/O devices; version of the PROFIsafe bus profile for the F-I/O and F-CPU)
- The cycle time of the OB in which the associated F-runtime group is called
- The target rotation time of the PROFIBUS DP or the update time of the PROFINET IO
Note
The signal charts refer to the status of signals in the user's safety program. If the signals are evaluated in the standard user program before or after the safety program is called in the same OB, the status change of the signals can be displaced by one cycle.
Contrary to what is shown in the signal cha
e
5.5 Passivation and Reintegration of F-I/O after F-System Startup
5.6 Passivation and Reintegration of F-I/O after Communication Errors
5.7 Passivation and Reintegration of F-I/O after F-I/O Faults and Channel Faults
5.8 Group Passivation
Implementation of user acknowledgment
6.1 Implementing User Acknowledgment in the Safety Program of the F-CPU of a DP Master or IO Controller
6.2 Implementing User Acknowledgment in the Safety Program of an I-Slave F-CPU
Data Exchange between Standard User Programs and Safety Program
7.1 Data Transfer from the Safety Program to the Standard User Program
7.2 Data Transfer from Standard User Program to Safety Program
Configuring and Programming Communication
8.1 Overview of safety-related communication
8.2 Safety-Related Master-Master Communication
8.2.1 Configuring A
e DIAG output is not permitted in the safety program.
See also
Overview of F-application blocks (Page 183)

9.1.2.14 FB 212 "F_MUT_P": Parallel Muting
Connections (parameter, data type, description, default)
Inputs:
- MS_11, BOOL, Muting sensor 11, default 0
- MS_12, BOOL, Muting sensor 12, default 0
- MS_21, BOOL, Muting sensor 21, default 0
- MS_22, BOOL, Muting sensor 22, default 0
- STOP, BOOL, 1 = Conveyor system stopped, default 0
- FREE, BOOL, 1 = Light curtain uninterrupted, default 0
- ENABLE, BOOL, 1 = Enable MUTING, default 0
- QBAD_MUT, BOOL, QBAD or QBAD_O_xx signal of the F-I/O channel of the muting lamp (F-I/O DB), default 0
- ACK, BOOL, Acknowledgment of restart inhibit, default 0
- DISCTIM1, TIME, Discrepancy time of sensor pair 1 (0 to 3 s), default T#0ms
- DISCTIM2, TIME, Discrepancy time of sensor pair 2 (0 to 3 s), default T#0ms
- TIME_MAX, TIME, Maximum muting time (0 to 10 min), default T#0ms
Outputs:
- Q, BOOL, 1 = Enable (not off), default 0
- MUTING, BOOL, Display of "muting is active", default 0
- ACK_REQ, BOOL, Acknowledgment necessary, default 0
- FAULT, BOOL, Group error, default 0
- DIAG, WORD, Service information, default W#16#0

Principle of Operation
This F-application block performs parallel muting with t
e STOP in F-CPU, 323
Shift left 16 bits, 256
Shift right 16 bits, 257
Siemens Intranet, 3
SIMATIC documentation, 3
Signal chart for passivation and reintegration of F-I/O: after communication errors, 111; after F-I/O faults and channel faults, 113; after startup of F-system with group passivation, 118
Simulation, 275; of hardware, 275
Simulation devices, 323; use of, 323
Size, 275; of automatically generated F-blocks, 275
Software components, 14, 325; replacing, 325
Software requirements, 17
Startup characteristics, 211, 219, 229, 232; ACK_REI_GLOB, 241; F_ESTOP1; F_FDBACK, 354
Startup of F-system
Startup protection, 95
STEP 7: Rewiring function, 78
STEP 7 instructions, 61
STL, 78
STOP, 323
F-CPU Stop: initiated by SFC 46 "STP", 323; via communication function, 323; via mode selector, 323; via programming device or PC, 323
Structure of safety program in S7 Distributed Safety, 57
Support, 3; additional, 3
Supported address areas, 61
Supported data and parameter types, 61
Supported instructions, 61
Symbolic name of the F-I/O DB, 108
Symbolic names, 44; assignment, 44; for F-I/O DBs, 44
T
Tab, 39
Testing options, 303
Testing the safety program, 308
Testing with S7-PLCSIM, 308
TIME, 61
Timers and counters, 59
Timing diagrams, 192, 194, 196, 202, 211, 219, 242; F_1oo2DI, 211; F_TON, 194; F_TP, 192
Training Center, 3
Transferring the safety program to multiple F-CPUs, 53
e in the following cases:
- The connection between the programming device and the F-CPU is broken by removing the bus cable
- The variable table no longer responds
These modify requests can only be deleted through a memory reset of the F-CPU, or by switching the F-CPU from STOP to RUN mode while at the same time disconnecting the F-CPU from the programming device or PC.

Compiling and commissioning a safety program, 10.9 Testing the Safety Program

Wiring Test
The wiring test is simplified by using symbolic names for the signals. You can carry out a wiring test for an input by modifying an input signal and verifying whether or not the new value arrives at the PII. You can carry out a wiring test for an output by modifying the output with the Modify function and verifying whether the required actuator responds.
For the wiring test for both inputs and outputs, note that a safety program must be running on the F-CPU in which at least one channel of the F-I/O to be modified, or one variable from the associated F-I/O DB, has been used.
For F-I/O that can also be operated as standard I/O (e.g. S7-300 fail-safe signal modules), you can also carry out the wiring test for outputs using the Modify function in STOP mode by operating the F-I/O as standard I/O rather than in safety mode. When doing so, you must com
e info text for the relevant CPU in the hardware catalog in HW Config.
Note
We recommend that you use addresses outside the process image as the local and partner addresses, since the process image should be reserved for the address areas of modules.

8.4.2 Configuring Safety-Related I-Slave-I-Slave Communication
Requirements
You have created a project in STEP 7.
Procedure for Configuring I-Slave-I-Slave Communication (Example with Bidirectional Communication)
1. Create a station in your project in SIMATIC Manager, for example an S7-300 station.
2. Assign an F-CPU to this station from the hardware catalog in HW Config.
3. Configure this CPU as a DP slave in HW Config, in the Operating Mode tab of the object properties for the DP interface of the CPU.
4. Follow steps 1 to 3 to configure another DP slave (I-slave).
5. Create another station and assign an F-CPU (see steps 1 and 2).
6. Configure this CPU as a DP master in HW Config, in the Operating Mode tab of the object properties for the DP interface of the CPU.
Note
The CPU of the DP master can be an F-CPU or a standard CPU.
7. In the hardware catalog under Configured stations, select the station type of one I-slave, for exam
e within the space of 100 hours, and this occurs repeatedly, check whether the PROFINET or PROFIBUS installation guidelines have been followed.
There is a CRC error if:
- The ACK_REQ tag of the F-I/O DB is set and the DIAG tag of the F-I/O DB (bit 2 or bit 6) indicates CRC errors
- A CRC error is entered in the diagnostic buffer of the F-CPU
In this case, the probability of failure values (PFD/PFH) for safety-related communication no longer apply.
Information on installation guidelines for PROFINET and PROFIBUS can be found in:
- PROFINET Installation Guide (guide downloads profinet installation guide display)
- PROFIBUS Installation Guidelines (http www profibus com nc download installation uide downloads profibus installation guideline display)
If your check indicates that the installation guidelines for PROFIBUS and PROFINET have been met, contact Technical Support.
See also
Programming Startup Protection (Page 95)
Overview of Testing the Safety Program (Page 303)

Operation and Maintenance, 12.2 Replacing Software and Hardware Components
12.2 Replacing Software and Hardware Components
Replacement of Software Components
When replacing software components on your programming device or PC (e.g. with a new version of STEP 7), you must observe the notes regarding upward and downward compatib
ed. After canceling access permission, you should check to determine whether the collective signature of all F-blocks with an F-attribute in the block container online is identical to the collective signature of all F-blocks with an F-attribute in the block container of the accepted safety program. If not, you must download the correct safety program to the F-CPU.

Validity / Revoking the Access Permission for the F-CPU
Access permission for the F-CPU is valid until SIMATIC Manager is closed, permission is revoked using the PLC > Access Rights > Cancel menu command, or the last S7 application is closed.

Access Protection, 3.4 Access Permission for the F-CPU

Transferring the Safety Program to Multiple F-CPUs
WARNING
If multiple F-CPUs can be reached over a network (such as MPI) by one programming device or PC, you must take the following actions to ensure that the safety program is downloaded to the correct F-CPU:
Use passwords specific to each F-CPU, e.g. a uniform password for the F-CPUs having the respective MPI address as an extension (max. 8 characters: PW_8).
Note the following:
- A point-to-point connection must be used when assigning a password to an F-CPU for the first time (analogous to assigning an MPI address to an F-CPU for the first time).
- Before downloa
ed; however, it must be unique from all other safety-related communication connections in the network. You must supply inputs DP_DP_ID and LADDR with constant values when calling the F-application block. Direct read or write access in the associated instance DB is not permitted in the safety program.
Note
Within a safety program, you must assign a different start address at the LADDR input for each F_SENDDP and F_RCVDP call. You must use a separate instance DB for each F_SENDDP and F_RCVDP call.
The input and output parameters of the F_RCVDP must not be supplied with local data of the F-program block. You must not use an actual parameter for an output parameter of an F_RCVDP if it is already being used for an input parameter of the same F_RCVDP call or another F_RCVDP or F_RCVS7 call.
The F-CPU can go to STOP if this is not observed. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
- Data corruption in the safety program prior to output to F-I/O
- Data corruption in the safety program prior to output to partner F-CPU
- Safety program internal CPU fault (internal error information: 404)

Startup Characteristics
After the sending and receiving F-systems are started up, communication must be establish
Programming, 4.3 Creating F-Blocks in F-FBD/F-LAD
4.3.3 F-DBs
Creating and Editing F-DB
Similarly to F-FBs or F-FCs, you can also create and edit F-DBs with the F-DB programming language, whose parameters can be read/write accessed within one F-runtime group of the safety program. The data types are checked during editing. Any errors detected are output in the FBD/LAD Editor, same as when creating a standard user program.
Note
You must not use the DB numbers in the band of numbers you reserved for automatically added F-data blocks ("F data blocks" parameter in the object properties for the F-CPU, see Chapter "Configuring the F-CPU").
Note
When an F-DB is saved in the FBD/LAD Editor, only a local consistency check is performed for the F-block. A safety program is not yet generated.
Note
For greater clarity, assign unique symbolic names to the F-DBs you have created. These symbolic names appear in the Details view of SIMATIC Manager, in the Safety Program dialog, and in the symbol table. Symbolic names are assigned in the same way as in standard programming.
Variable names in F-DBs can contain a maximum of 22 characters.

Options for Data
193. 8.2 Safety-Related Master-Master Communication
8.2.1 Configuring Address Areas

Safety-Related Master-Master Communication (DP/DP coupler): Safety-related communication between safety programs of the F-CPUs of DP masters takes place via a DP/DP coupler (Order No. 6ES7158-0AD01-0XA0). Each F-CPU is linked to the DP/DP coupler by means of its PROFIBUS DP interface.

Note: Switch the data validity indicator (DIA) on the DIP switch of the DP/DP coupler to OFF. Otherwise, safety-related CPU-CPU communication is not possible.

Configuring Address Areas: You must configure one address area for output data and another address area for input data in the DP/DP coupler in HW Config for each connection between two F-CPUs via DP/DP coupler. In the figure below, each of the two F-CPUs will be able to send and receive data (bidirectional communication).

[Figure: DP master 1 (F-CPU 1) and DP master 2 (F-CPU 2) linked via DP/DP coupler; HW Config address areas Q addr 16 / I addr 18, length 12 bytes each; F_SENDDP with LADDR 16, F_RCVDP with LADDR 18; I addr 16 / Q addr 18, Length ...]
194. ed initially between communication peers F_SENDDP and F_RCVDP. During this time, receiver F_RCVDP outputs the fail-safe values present at its inputs SUBBO_xx and SUBBI_xx. F_SENDDP and F_RCVDP signal this at output SUBS_ON with 1. Output SENDMODE has a default of 0 and is not updated as long as output SUBS_ON = 1.

Behavior in Event of Communication Errors: If a communication error occurs, for example due to a test value error (CRC) or when monitoring time TIMEOUT expires, outputs ERROR and SUBS_ON are set to 1 at both F-application blocks. Receiver F_RCVDP then outputs the fail-safe values assigned at its SUBBO_xx inputs. Output SENDMODE is not updated while output SUBS_ON = 1. The send data of F_SENDDP present at inputs SD_BO_xx and SUBI_xx are only output again when the communication error is no longer detected (ACK_REQ = 1) and you acknowledge with a positive edge at input ACK_REI.

WARNING: For the user acknowledgment, you must interconnect the ACK_REI input with a signal generated by the operator input. An interconnection with an automatically generated signal is not allowed.

Note that when a communication error occurs, the ERROR output (1 = communication error) is set for the first time if communication has already been established between communication peers F_SENDDP and F_RCVDP. If communication cannot be established after startup of the sending and receiving F-systems, check the configuration of the safety-related
195. edgment, 121
  In safety program of F-CPU of DP master, 121
  In safety program of F-CPU of intelligent DP slave, 124
Inconsistent, 271
Industrial Ethernet, 131
  Safety-related communication via, 131
Information landscape, 3
  Placement, 3
Instance DB, 61, 327
  Access, 61
  Evaluation of diagnostic variables/parameters, 327
Instructions, 61
INT, 61
Internet, 3
  Service & Support, 3
  SIMATIC documentation, 3
Interruption of the light curtain, 202
IPAR_EN, 101
IPAR_OK, 101
I-slave-I-slave communication, 158
  Configuring I-slave-slave communication, 165

K
Know-how protection, 82
  For user-created F-FBs and F-FCs, 82

L
Level of protection of the F-CPU, 26
  Configuration, 26
Life Cycle of Fail-Safe Automation Systems, 331
Light curtain, 202
Limits of data transfer
  Safety-related communication via S7 connections, 181
  Safety-related master-master communication, 144
Local data, 61
Local ID, 173
  Of S7 connection, 173
Logbook of the Safety Program, 295

M
Master-I-slave communication, 146
  Configuring, 146
Master-master communication, 136
  Configuring, 136
Memory Card, 283
Memory requirements, 275
  Of the safety program, 275
Memory reset, 283, 308
MMC, 283
Modifications to the standard user program, 287
Modifying data of the sa
196. 12.1 Notes on Safety Mode of the Safety Program
12.2 Replacing Software and Hardware Components
12.3 Guide to Diagnostics
A Checklist
A.1 Checklist
Glossary

1 Product Overview
1.1 Overview

S7 Distributed Safety Fail-Safe System: The S7 Distributed Safety fail-safe system is available to implement safety concepts in the area of machine and personnel protection (for example, for emergency STOP devices for machining and processing equipment) and in the process industry (for example, for implementation of protection functions for instrumentation and controls and burners).

Achievable Safety Requirements: S7 Distributed Safety fail-safe systems can satisfy the following safety requirements:
- Safety Integrity Level SIL3 in accordance with IEC 61508:2000
- Performance level (PL) e and category 4 in accordance with ISO 13849-1:2006 or EN ISO 13849-1:2008

Principles of Safet
197. elated CPU-CPU communication. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
- Data corruption in the safety program prior to output to F-I/O
- Data corruption in the safety program prior to output to partner F-CPU
- Safety program: internal CPU fault; internal error information: 404

Therefore, you should take appropriate steps when programming to comply with the permissible range for integers (16 bits) or evaluate the OV bit. A warning is issued if you have not programmed an OV bit scan for ADD_I, SUB_I, MUL_I, NEG_I and DIV_I instructions. By evaluating the OV bit, you can identify an overflow without the F-CPU going to STOP mode in the case of an overflow. The result/quotient behaves like the analogous instruction in a standard user program.

Note: An OV bit scan is only permitted in the network following the network with the instruction affecting the OV bit. The network with the OV bit scan must not be the destination of a jump instruction; in other words, it must not contain a jump label. If an OV bit scan is programmed in the network following the instruction affecting the OV bit, the execution time of the instruction affecting the OV bit is increased (see also Excel File for Response Time Calculation, s7fcotia.xls).

Programming 4.1 Overview of P
198. elete all automatically generated and added F-blocks in the offline block container of the safety program.
2. Save and compile the hardware configuration in HW Config.
3. Change the safety program according to your requirements.
4. Recompile the safety program.

Changing from S7 Distributed Safety V5.4 SP4 to V5.2: When you open the Safety Program dialog for a consistent safety program created with S7 Distributed Safety V5.4 SP4, the status "The safety program is not consistent" is output even though the safety program is consistent. You can use V5.2 to modify a safety program created with V5.4 SP4 if you use only those functions that were made available in V5.2. The procedure for changing from V5.4 SP4 to V5.3 applies.

Calculation of the Maximum Response Time of your F-System: Use the Microsoft Excel file available for S7 Distributed Safety V5.4 SP4 to calculate the maximum response time of your F-system. This file is available for download at http://support.automation.siemens.com/WW/view/en/11669702/133100

See also: Safety Program Acceptance Test (Page 317)

Product Overview 1.3 Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package

Configuration 2.1 Overview of Configuratio
199. er-I-slave communication connections and one I-slave-I-slave communication connection.

[Figure: DP master with I-slave 1 and I-slave 2; the F_SENDDP/F_RCVDP pairs of the connections are labeled with DP_DP_ID 1 to 6; legend: master-I-slave communication, I-slave-I-slave communication]

WARNING: The value for each address association (input parameter DP_DP_ID; data type: INT) is user-defined; however, it must be unique from all other safety-related communication connections in the network.

See also (Page 154)

Note: A separate instance DB must be used for each call of an F_SENDDP or F_RCVDP. The input and output parameters of the F_RCVDP must not be supplied with local data of the F-program block. You must not use an actual parameter for an output parameter of an F_RCVDP if it is already being used for an input
200. er function: Subtract integer

Programming 4.1 Overview of Programming

FBD | LAD | Function | Description | Particularities
CMP ==I, CMP <>I, CMP >I, CMP <I, CMP >=I, CMP <=I | CMP ==I, CMP <>I, CMP >I, CMP <I, CMP >=I, CMP <=I | Comparison instruction | Compare integer |
NEG_I | NEG_I | Conversion instruction | Create two's complement integer (16-bit) |
OPN | OPN | DB instruction | Open data block |
MOVE | MOVE | Move instruction | Assign a value |
CALL_FC (call) | CALL_FC | Program control | Call F-FCs unconditionally | FC as box: call FC as EN = 1 (no interconnection of box EN)
CALL_FB (call) | CALL_FB | Program control | Call F-FBs unconditionally | FB as box: call FB as EN = 1 (no interconnection of box EN)
RET | RET | Program control | Return (exit block) |
Call multiple instances | Call multiple instances | Program control | Call multiple instances |
JMP | JMP | Jump instruction | Unconditional jump in block; jump in block if 1 (conditional) |
JMPN | JMPN | Jump instruction | Jump in block if 0 (conditional) |
OV | OV | Status bit | Evaluate exception bit (overflow, OV bit in status word) |

Note: The Set Output (S) instruction is only executed if it is applied to an output of an F-I/O that is passivated (e.g. during startup of the F-system). For this reason, you should only attempt to access outputs o
201. erences provided under "See also".

See also:
Implementing User Acknowledgment in the Safety Program of the F-CPU of a DP Master or IO Controller (Page 121)
Implementing User Acknowledgment in the Safety Program of an I-Slave F-CPU (Page 124)
Overview of safety-related communication (Page 131)
Configuring safety-related communication using S7 connections (Page 173)

F-Libraries 9.1 Distributed Safety F-library (V1)

9.1.2.21 FC 174: F_SHL_W: Shift Left 16 Bits

Connections:
Parameter | Data Type | Description | Default
Inputs: IN | WORD | Value that is shifted |
N | INT | Shift number |
Outputs: OUT | WORD | Result of shift operation |

Principle of Operation: This F-application block shifts the content of the bits of the value transferred at input IN to the left, bit by bit. The bit locations that are freed up during the shift operation are filled with zeros. Shift number N indicates by how many bits the content is to be shifted. The result of the shift instruction is provided at output OUT. Output OUT is always 0 when 15 < N < 255. Note that when N < 0 or N > 255 is specified, only the low byte of the value transferred at input N is evaluated as a shift number.

[Figure: bit diagram of IN (bits 15..8, 7..0) shifted left by N = 6 places into OUT, with the freed low-order bit positions filled with zeros]
202. es to perform a group passivation of associated F-I/O. Group passivation by means of PASS_OUT/PASS_ON can, for example, be used to force simultaneous reintegration of all F-I/O after startup of the F-system. For group passivation, you must OR all PASS_OUT variables of the F-I/O in the group and assign the result to all PASS_ON variables of the F-I/O in the group. While fail-safe values (0) are being applied due to group passivation using PASS_ON = 1, the QBAD, QBAD_I_xx and QBAD_O_xx variables of the F-I/O in the group are set to 1.

Example of Group Passivation:

[Figure: Network 5, group passivation: the PASS_OUT variables of the F-I/O DBs of the PM-E F DC24V/10A, 4/8 F-DI DC24V and 4 F-DO DC24V/2A modules are ORed, and the result is assigned to the PASS_ON variable of each of these F-I/O DBs]

Reintegration of F-I/O: Reintegration of F-I/O passivated by group passivation takes place automatically if reintegration of the F-I/O that triggered the group passivation takes place, either automatically or through user acknowledgment (PASS_OUT = 0).

F-I/O Access 5.8 Group passivation

Signal Chart for Group Passivation:

[Figure: signal chart with the events "Error in F-I/O A", "Passivation of F-I/O A and B", "Error in F-I/O A corrected" and "Reintegration of F-I/O A and B"; signal rows for F-I/O A: Activate passivation PASS_O
203. example:
- For Mode: F-DX module (fail-safe I-slave-slave communication)
- For DP partner (F-I/O): DP address: 1 (Slave: PROFIBUS address of slave with F-I/O); Address (LADDR): 6 (4 F-DO: starting address of F-I/O)
- For Local (safety program): Address (LADDR): 120 (starting address of F-I/O via which access is made in the safety program of the F-CPU of the I-slave)
Accept the defaults for the other parameters in the dialog box.
15. Confirm your entry with OK. This results in two configuration lines for this example:

[Figure: Properties - DP slave dialog, F Configuration tab, showing the F-MS modules and F-DX modules configuration lines (IM151-1 HF, 4 F-DO DC24V/2A, address 120), PROFIsafe direct data exchange, Sender: 1 IM151-1 HF, Assigned station: 2 SIMATIC 300 Master]

Note: Entries are automatically made in the Configuration tab in the object properties for the I-slave based on the configuration in the F Configuration tab. These entries must not be modified. Otherwise, safety-related I-slave-slave communication is not possible. You can obtain the assigned address areas in the DP master and I-slave in the Configuration tab.

Configurin
204. f PASS_ON of F-I/O or channel of IN1 and/or IN2. For a solution, see DIAG variable bits 0 to 6 in Chapter "F-I/O DB".
Bit 4: Reserved
Bit 5: If enable is missing, input ACK has a permanent signal state of 1. Acknowledgment button defective: check acknowledgment button. Wiring fault: check wiring of acknowledgment button.
Bit 6: Acknowledgment required (state of ACK_REQ)
Bit 7: State of output Q

Note: Access to the DIAG output is not permitted in the safety program.

See also: Passivation and Reintegration of F-I/O after F-System Startup (Page 109)

F-Libraries 9.1 Distributed Safety F-library (V1)

9.1.2.18 FB 219: F_ACK_GL: Global Acknowledgment of all F-I/O in an F-Runtime Group

Connections:
Parameter | Data Type | Description | Default
Input: ACK_REI_GLOB | BOOL | 1 = acknowledgment for reintegration | 0

Principle of Operation: This F-application block creates an acknowledgment for the simultaneous reintegration of all F-I/Os/channels of the F-I/O of an F-runtime group after communication errors or F-I/O/channel errors. For the reintegration, an acknowledgment with a positive edge at the input ACK_REI_GLOB is required. The acknowledgment is analogous to the user acknowledgment via the variable ACK_REI of the F-I/O DB; however, it has a simu
205. f F-I/O with the Assign (F-FBD) or Output Coil (F-LAD) instruction. You can evaluate whether an F-I/O or channels of an F-I/O are passivated in the associated F-I/O DB.

Programming 4.1 Overview of Programming

S, R, SR, RS, N, NEG, P, POS Instructions: Particularities

Note: If you wish to use a formal parameter of an F-FB/F-FC for the edge memory bits of the RLO Edge Detection (N, P) or Address Edge Detection (NEG, POS) instructions, or for the address of the Flip-Flop (SR, RS), Set Output (S) or Reset Output (R) instructions, it must be declared as an in/out parameter. The F-CPU can go to STOP if this caution is not observed. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
- Data corruption in the safety program prior to output to F-I/O
- Data corruption in the safety program prior to output to partner F-CPU
- Safety program: internal CPU fault; internal error information: 404

ADD_I, SUB_I, MUL_I, NEG_I, DIV_I, OV Instructions: Particularities

Note: If the result of an ADD_I, SUB_I, MUL_I or NEG_I instruction or the quotient of a DIV_I instruction is outside the permitted range for integers (16 bits), the F-CPU goes to STOP mode if the result/quotient is used in an output to an F-I/O or to a partner F-CPU by means of safety-r
206. f Operation: This F-application block implements an emergency STOP shutdown with acknowledgment for Stop Categories 0 and 1. Enable signal Q is reset to 0 as soon as the E_STOP input assumes a signal state of 0 (Stop Category 0). Enable signal Q_DELAY is reset to 0 after the time delay set at input TIME_DEL (Stop Category 1). Enable signal Q is reset to 1 only if input E_STOP assumes a signal state of 1 and an acknowledgment occurs. The acknowledgment for the enable takes place according to the parameter assignment at input ACK_NEC:
- If ACK_NEC = 0, the acknowledgment is automatic.
- If ACK_NEC = 1, you must use a rising edge at input ACK for acknowledging the enable.
Output ACK_REQ is used to signal that a user acknowledgment is required at input ACK for the acknowledgment. The F-application block sets output ACK_REQ to 1 as soon as input E_STOP = 1. Following an acknowledgment, the F-application block resets ACK_REQ to 0.

WARNING: Variable ACK_NEC must not be assigned a value of 0 unless an automatic restart of the affected process is otherwise excluded.

Note: Prior to inserting F-application block F_ESTOP, you must copy F-application block F_TOF from the "F-Application Blocks/Blocks" block container of the Distributed Safety F-library (V1) to the block container of your S7 program, if it is not already present.
207. f the safety program has been modified or is not consistent, you are notified of the option to generate (compile) a consistent safety program.
4. Confirm the prompt indicating that the F-CPU will be stopped.

Note: To download the entire safety program, the F-CPU must be in STOP mode. If you are downloading F-blocks only, the blocks in which the F-CALL blocks are called (e.g. cyclic interrupt OB35) are not downloaded. You must then download these OBs separately, the same way as for a standard program.

Note: When you download the safety program in the Safety Program dialog, an online/offline comparison is automatically performed for all F-blocks with F-attribute in the safety program. All F-blocks without F-attribute are deleted in the F-CPU. The F-CPU now contains exactly the same F-blocks with F-attribute as the offline block container.

Compiling and commissioning a safety program 10.4 Downloading the Safety Program

5. In the Safety Program dialog, select the Offline and Online tabs in turn to check whether the collective signatures of all F-blocks with F-attribute in the block container match offline and online. If they match, downloading was successful. If not, repeat the download operation.
6. To activate safety mode, switch the F-CPU from STOP to RUN mode.

Note: If the download operation is abo
208. fety-Related Master-I-Slave/I-Slave-I-Slave Communication

8.5 Safety-Related I-Slave-Slave Communication
8.5.1 Configuring Address Areas

Introduction: Safety-Related I-Slave-Slave Communication: Safety-related communication between the safety program of the F-CPU of an I-slave and F-I/O in a DP slave takes place using direct data exchange, same as in standard programs. The channels of the F-I/O in the safety program of the F-CPU of the I-slave are accessed via the process image (PII and PAA), as described in Chapter "F-I/O Access". For F-I/O access via safety-related I-slave-slave communication, an F-I/O DB is generated automatically in the safety program of the F-CPU when the program is compiled in HW Config. You do not need any additional hardware for I-slave-slave communication.

Restrictions:

Note: Safety-related I-slave-slave communication is possible with F-I/O in a DP slave that supports safety-related I-slave-slave communication, e.g. with all ET 200S F-modules and with all S7-300 fail-safe signal modules with IM 153-2 (order no. 6ES7153-2BA01-0XB0 or higher, firmware version >= V4.0.0).

Note: With safety-related I-slave-slave communication, make sure that the CPU of the DP master i
209. fety-Related Master-I-Slave Communication

You have created a project in STEP 7.

Procedure for Configuring Master-I-Slave Communication (Example with Bidirectional Communication):
1. Create a station in your project in SIMATIC Manager, for example an S7-300 station.
2. Assign an F-CPU to this station from the hardware catalog in HW Config.
3. Configure this CPU as a DP slave in HW Config, in the Operating Mode tab of the object properties for the DP interface of the CPU.
4. Create another station and assign an F-CPU (see steps 1 and 2).
5. Configure this CPU as a DP master in HW Config, in the Operating Mode tab of the object properties for the DP interface of the CPU.
6. In the hardware catalog under "Configured stations", select the station type of the I-slave (for example CPU 31x) and place it on the DP master system.
7. Link the I-slave to the DP master in the Connection dialog, which opens automatically. Now you can define the address areas for safety-related master-I-slave communication.
8. In the F Configuration tab of the object properties for the I-slave, select New.

Configuring and Programming Communication 8.3 Safety-Related Master-I-Slave Communication

9. In the next dialog, make the following entries for the receive connection from the DP master for our example: For Mode: F-M
210. fety program, 308
Modifying the safety program in RUN mode, 287
Modifying values in F-DBs, 308
Monitor/modify variable function, 308
Muting procedure with 4 muting sensors, 202
Muting procedure with reflection light barriers, 202

N
Non-permissible address areas, 61
Non-permissible data and parameter types, 61
Non-permissible instructions, 61

O
Opening F-Blocks, 308
Operating system update, 325
Operational safety of the system, 8
  Preserving the, 8
Order number, 3
  S7 Distributed Safety, 3

P
Partner ID, 173
  Of S7 connection, 173
PASS_ON, 101
PASS_OUT/QBAD, 101
Passivation and reintegration of F-I/O
  after communication errors, 111
  after F-I/O faults and channel faults, 113
  After startup of F-system
Password
  Assigning a new password for the safety program, 48
  Assignment, 45
  Changing existing password for safety program, 48
  F-CPU, 53
  Prompt, safety program, 48
  Validity, 45
PN/PN coupler, 172
Preface, 3
Preventive maintenance (proof test), 325
Principle of operation, 216
  F_TP, 192
  F_W_BO, 236
  F_SHL_W, 256
Principles of safety functions in S7 Distributed Safety, 8
Printing
  Safety program, 297
  Printing out project data, 297
Process data or fail-safe values
Process image, 97
Process input image, 117
Process output image, 127
Product overview, 8
PROFIBUS DP
  Hardware components, 14
211. fety program in RUN mode
Comparing Safety Programs (Page 290, Page 294, Page 297, Page 304)
Testing the Safety Program (Page 308, Page 313, Page 323)
Replacing Software and Hardware Components
Guide to Diagnostics (Page 86, Page 183)
Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package (Page 17)
A.1 Checklist (Page 335)

A Checklist
A.1 Checklist

Glossary

Access protection: Fail-safe systems must be protected against dangerous, unauthorized access. Access security is implemented in F-Systems by assigning two passwords, one for the F-CPU and one for the safety program.

Automatically Generated F-Blocks: F-blocks that are created and, if necessary, launched automatically when the safety program is generated, in order to produce an executable safety program from the user-programmed safety program.

Category: Category in accordance with ISO 13849-1:2006 or EN ISO 13849-1:2008. S7 Distributed Safety can be used in safety mode up to Category 4.

Channel Fault: Channel-related fault, such as a wire break or short circuit.

Collective Signatures / CRC / CRC Signature: The collective signat
212. Table of contents
4.4 Defining F-Runtime Groups
4.4.1 Rules for F-Runtime Groups of the Safety Program
4.4.2 Procedure for Defining an F-Runtime Group
4.4.3 Safety-Related Communication between F-Runtime Groups of a Safety Program
4.4.4 Deleting F-Runtime Group
4.4.5 Changing F-Runtime Group
4.5 Programming Startup Protection
5 F-I/O Access
5.1 F-I/O Access
5.2 Process Data or Fail-Safe Values
5.3 F-I/O DB
5.4 Accessing F-I/O DB Variables
213. F-I/O Access 5.3 F-I/O DB

ACK_REI: When the F-system detects a communication error or an F-I/O fault for an F-I/O, the relevant F-I/O are passivated. If channel faults are detected, the relevant channels are passivated if channel-level passivation is configured. If passivation of the entire F-I/O is configured, all channels of the relevant F-I/O are passivated. Reintegration of the F-I/O/channels of the F-I/O after the fault has been eliminated requires a user acknowledgment with a positive edge at variable ACK_REI of the F-I/O DB:
- After every communication error
- After F-I/O faults or channel faults when ACK_NEC = 1 is assigned
Reintegration after channel faults reintegrates all channels whose faults were eliminated. Acknowledgment is only possible when ACK_REQ = 1. In your safety program, you must provide for a user acknowledgment by means of ACK_REI for each F-I/O.

WARNING: For the user acknowledgment, you must interconnect the ACK_REI variable of the F-I/O DB with a signal generated by an operator input. An interconnection with an automatically generated signal is not allowed.

Note: Alternatively, you can use the FB 219 F_ACK_GL F-application block to carry out reintegration of the F-I/O following communication errors or F-I/O/channel faults (see Chapter "FB 219 F_ACK_GL: Global Acknowledgment of all F-I/O of an F-Runtime Group").
214. g a safety program 10.7 Modifying the Safety Program

Procedure for Comparing Safety Programs: To compare two safety programs:
1. Select the correct F-CPU or S7 program assigned to it.
2. In SIMATIC Manager, select the Options > Edit Safety Program menu command. The Safety Program dialog will appear.
3. Click the Compare button. The Compare safety program dialog will appear.

[Figure: Compare Safety Program dialog. Source program: DS_Getting_Started\SIMATIC 300(1)\CPU 315F-2 DP\S7 Program(1); compared program selected from project beate_S7DS_V5_4 (Browse, Online). Result of the comparison: the collective signatures of all F-blocks with the F-attribute of the block container are not identical. The F-block comparison lists the differences per block (F-block, Symb. name, Function in safety program, Signature in source, Signature in compared program, Different interface), e.g. FC100 F_CALL, FB100 Sicherheitsprogr. F-program block, FB186 F_TOF F-application block, FB216 F_FDBACK F-application block, FB217 F_SFDOOR F-application block, ...; buttons Close, Print, Help]

4. Select the
215. Programming 4.3 Creating F-Blocks in F-FBD/F-LAD

4.3.5 Check Block Consistency Function for User-Created F-FBs, F-FCs and F-DBs

Check Block Consistency Function: The Check block consistency function can be found in SIMATIC Manager in the Edit menu if you have selected a block container. The Check block consistency function rectifies many of the time stamp conflicts and block inconsistencies. You can use this function in your safety program for F-FBs, F-FCs and F-DBs without know-how protection. The procedure is the same as in standard programming. The Go To functionality is not supported. You can select the Program > Compile and Program > Compile All menu commands for the Check block consistency function. The complete safety program is then compiled as follows:
- If you select Program > Compile, the safety program is recompiled only if it was changed.
- If you select Program > Compile All, the safety program is recompiled regardless of whether it was modified.

4.3.6 Compile and Download Objects Function

Compile and Download Objects Function: You cannot use the Compile and download objects function in SIMATIC Manager to compile safety programs or download them to the F-CPU.

4.3.7 Store Write-Protected Function for User-Created F-FBs, F-FCs and F-DBs

Storing an F-Block as a Write-Protected Block: You can use the Store write-protected func
216. g and Programming Communication 8.5 Safety-Related I-Slave-Slave Communication

Change in Configuration of I-Slave-Slave Communication

WARNING: If you have configured a new I-slave-slave communication for an F-I/O or have deleted an existing I-slave-slave communication, you must save and compile the hardware configuration of the station of the DP master as well as the hardware configuration of the station of the I-slave, and download them to the station of the DP master or I-slave. The collective signature of the safety program of the F-CPU of the I-slave and the collective signature of the safety program of the F-CPU of the DP master (if a safety program exists there too) are set to 0. You must then recompile the safety program(s).

Disabling Active Coupling of an I-Slave: Before you can disable active coupling of an I-slave, you must delete all safety-related communication connections to other F-CPUs or F-modules in the F Configuration tab.

Additional Information: You will find a description of the parameters in the context-sensitive online help for the F Configuration tab. For information on address areas, process images and supported interrupt OBs, refer to the technical specifications for the CPU you are using.
217. ...dialog box when compilation is finished. Warnings are specially labeled. Using the drop-down arrow on the "Compile" button you can:
- View and save the log of the most recent compile process
- Enable "Check for accesses from standard"
- Enable or disable "Update reference data"

WARNING: You must not insert F-system blocks from the "F System Blocks" block container of the Distributed Safety library (V1) in an F-PB, F-FB or F-FC. Likewise, you must not:
- Insert, delete or rename F-system blocks in the Distributed Safety F-library (V1) or in the block container of your user project offline. This could cause errors during the next compile operation.
- Insert, delete or rename F-system blocks in the Distributed Safety F-library (V1) or in the block container of your user project online. This could cause the F-CPU to go to STOP mode.
Depending on the extent of the intervention, the compiled safety program may no longer be executable. In this case you must delete all automatically added F-blocks (that is, all F-blocks shown in SIMATIC Manager with a yellow symbol, with programming language F-STL or author FALGxxxx) and the F-shared DB. You must then perform the following actions:
- Copy all blocks from the "F Application Blocks" block container of the Distributed Safety library (V1) to your user project
- Save and compile in HW Config
- Define the F-runtime groups
- Compile the complete safety ...
218. ...Monitoring time setting for F-CPU and partner F-CPU is too low | Check the assigned monitoring time parameter TIMEOUT at F_SENDS7 and F_RCVS7 of both F-CPUs. If necessary, set a higher value. Recompile the safety program.
(Bit 4, continued) CPs in STOP mode, or internal fault in CPs | Switch CPs to RUN mode. Check the diagnostic buffer of the CPs. Replace CPs if necessary.
(Bit 4, continued) F-CPU or partner F-CPU in STOP mode, or internal fault in F-CPU or partner F-CPU | Switch F-CPUs to RUN mode. Check the diagnostic buffer of the F-CPUs. Replace F-CPUs if necessary.
(Bit 4, continued) Communication was shut down with EN_SEND = 0 | Enable communication again at the associated F_SENDS7 with EN_SEND = 1.
(Bit 4, continued) S7 connection has changed (the IP address of the CP has changed, for example) | Recompile the safety programs and download them to the F-CPUs.
Bit 5 | Sequence number error detected by F_SENDS7 and F_RCVS7 | See description of bit 4 | See description of bit 4
Bit 6 | CRC error detected by F_SENDS7 and F_RCVS7 | See description of bit 4 | See description of bit 4
Bit 7 | Reserved

Note: Access to outputs DIAG, STAT_RCV and STAT_SND is not permitted in the safety program.

...F-Libraries 9.1 Distributed Safety F-library (V1)

Additional Information
You will find more information about configuring and programming safety-related communication via S7 connections in the ref...
219. ...higher-level standard user program. For this reason, you should call the F-CALL blocks directly in OBs (cyclic interrupt OBs) whenever possible, and additional local data should not be declared in these cyclic interrupt OBs.
- Maximum amount of local data of the F-CPU used (see the technical specifications in the Product Information for the F-CPU used). For CPU 416F-2 you can configure the local data for each priority class. Therefore, allocate the largest possible local data area for the priority classes in which the safety program (F-CALL blocks) will be called, e.g. OB35.

...Configuration 2.3 Configuring the F-CPU

Maximum Possible Amount of F-Local Data According to Local Data Requirement of Higher-Level Standard User Program

Case 1: F-CALL blocks called directly in OBs
[Figure: standard user program (OB x) calling the safety program, F-runtime group x]
Set the "F local data" parameter to one of the following:
- Maximum amount of local data of the F-CPU you are using, minus 32 bytes
- Maximum amount of local data of the F-CPU you are using, minus the local data requirement of OB x (for two F-runtime groups: of the OB x with the greatest local data requirement), if this amount is greater than 32 bytes
Note: You can derive the local data requirement of the OBs from the program structure. For this purpose, select Options > Reference Data > Di...
220. ...signals, see Chapter "F-I/O DB").
Note: F-I/O can only be modified in RUN mode of the F-CPU. You must allocate a separate row in the variable table for each channel to be modified; this means, for example, that digital channels of data type BOOL cannot be modified on a byte-by-byte or word-by-word basis. You can modify a maximum of 5 inputs/outputs from one variable table. You can use more than one variable table.
You cannot modify configured F-I/O of which no single channel, and no variable from the associated F-I/O DB, has been used. Therefore, always use at least one variable from the associated F-I/O DB, or at least one channel of the F-I/O to be controlled, in your safety program.
As the trigger point, you must set "Begin scan cycle" or "End scan cycle". Note, however, that regardless of the trigger point setting, requests to modify inputs (PII) of F-I/O always become effective before the F-PB is executed, and requests to modify outputs (PIQ) always become effective after execution of the F-PB. For inputs (PII), modify requests take priority over fail-safe value output, while for outputs (PIQ), fail-safe value output takes priority over modify requests. For output channels that are not activated in the object properties of the F-I/O in HW Config (see the F-I/O manuals), modify requests affect the PIQ only and not the F-I/O.
As the trigger frequency, you can set "Once" or "Permanently".
WARNING: Permanent modification of F-I/O remains activ...
221. ...program can be run on the F-CPU. A standard program can coexist with a safety program in an F-CPU because the safety-related data of the safety program are protected from being affected unintentionally by data of the standard user program. Data are exchanged between the safety program and the standard user program in the F-CPU by means of bit memory or by accessing the process input and output images.

...Product Overview 1.3 Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package

1.3 Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package

Software Requirements for S7 Distributed Safety V5.4 SP4
At a minimum, the following software packages must be installed on the programming device or PC:
- STEP 7 V5.3 Service Pack 3 or higher
  WARNING: Use of S7 Distributed Safety Programming V5.4 Service Pack 4 with earlier versions of STEP 7 is not permitted.
- S7 F Configuration Pack V5.2 Service Pack 3 or higher

Use of the following functions requires the software indicated below:
Function | Software Requirement
Safety-related I-slave/slave communication for S7-300 fail-safe signal modules (ET 200M) | STEP 7 V5.4 and S7 F Configuration Pack V5.5 or higher
Disabling the deactivation of safety mode | S7 F Configuration Pack V5.5 SP1
F_iPar_CRC parameter for support of fail-safe DP ...
222. ...program of the F-CPU of a DP Master or IO Controller (Page 121); Overview of safety-related communication (Page 131); FB 187 "F_ACK_OP": Fail-Safe Acknowledgment (Page 198); FB 223 "F_SENDDP" and FB 224 "F_RCVDP": Send and Receive Data via PROFIBUS DP

...Data Exchange between Standard User Program and Safety Program

7.1 Data Transfer from the Safety Program to the Standard User Program
The standard user program can read out all data of the safety program, for example through symbolic (fully qualified) accesses to the following:
- Instance DBs of the F-FBs
- F-DBs, for example "Name_F_DB".Signal_1
- Process input image and process output image of F-I/O, for example "Emergency_Stop_Button_1" (I 5.0)
Note: The process input image for F-I/O is updated not only at the start of an F-runtime group, prior to execution of the F-program block, but also by the standard operating system. To find out the standard operating system update times, refer to "Process image of inputs/outputs" in the STEP 7 Online Help. With F-CPUs that support partial process images, also bear in mind the update times when using partial process images. For this reason, when accessing the process input image for F-I/O in the standard user program, you can obtain different value...
223. ...h ...F-Libraries 9.1 Distributed Safety F-library (V1)

Time Diagram F_SENDS7 and F_RCVS7
[Figure: time diagram of the F_SENDS7 outputs ERROR and SUBS_ON and the F_RCVS7 signals ACK_REI, ACK_REQ, ERROR and SUBS_ON across the states: startup of the F-systems, communication established, communication error detected by F_SENDS7, communication error detected by F_RCVS7, communication re-established, acknowledgment on F_RCVS7]

Output DIAG
The DIAG output provides non-fail-safe information on the type of communication errors that occurred, for service purposes. You can read out this information by means of operator control and monitoring systems or, if applicable, evaluate it in your standard user program. The DIAG bits are saved until acknowledgment at input ACK_REI of the associated F_RCVS7.

Structure of DIAG
Bit No. | Assignment (F_SENDS7 and F_RCVS7) | Possible Causes of Problems | Remedies
Bit 0 | Reserved
Bit 1 | Reserved
Bit 2 | Reserved
Bit 3 | Reserved
Bit 4 | Timeout detected by F_SENDS7 and F_RCVS7 | Interference in bus connection to partner F-CPU | Check the bus connection and ensure that no external interference sources are present.
(Bit 4, continued) Monitorin...
224. ...changes in the parameter assignment of all configured F-I/O, you must compare the Parameter CRC (or the F_Par_CRC for fail-safe DP standard slaves / standard I/O devices) directly in the printout of the hardware configuration. Do not forget to compare the parameter CRCs of the F-I/O that you address via safety-related slave-slave communication.

Detection of Changes of the Start Addresses of F-I/O
To determine changes in the start addresses of the F-I/O addressed in the safety program, compare the start addresses of all F-I/O in the "Addressed F-I/O" section of the Safety program printout with those in the printout of the accepted safety program. If you want to determine changes in the start addresses of all configured F-I/O, you must compare them directly in the printout of the hardware configuration.

...System Acceptance Test 11.4 Acceptance Test of Changes

Detection of Changes in the Safety Program
To determine changes in the safety program, compare the changed safety program offline with the saved accepted program using the "Compare" button in the Safety Program dialog. This enables you to identify which F-blocks were changed. Determine the changes in the F-blocks you created (F-PBs, F-FBs, F-FCs and F-DBs) by comparing the printouts ("Function Block Diagram/Ladder Diagram" print content).
Use of Softw...
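The comparison described above (parameter CRCs and start addresses of the accepted printout against the changed one, including F-I/O reached via slave-slave communication) is tedious to do by eye across a long hardware configuration. The following Python is an added example for this page, not a Siemens tool and not part of the manual: it models each printout as a dictionary keyed by the F-I/O name, and the field names start_addr, param_crc and via_slave_slave, as well as every sample value, are assumptions constructed for the example.

```python
"""Offline comparison of two acceptance-test printouts of the F-I/O
configuration.  Added example, not a Siemens tool: each printout is modelled as
a dict keyed by the F-I/O name; the field names start_addr, param_crc and
via_slave_slave are assumptions chosen for this example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class FIOEntry:
    start_addr: int                # start address of the F-I/O as printed
    param_crc: int                 # Parameter CRC, or F_Par_CRC for fail-safe DP standard slaves / IO devices
    via_slave_slave: bool = False  # F-I/O addressed via safety-related slave-slave communication


def compare_printouts(accepted: dict[str, FIOEntry], changed: dict[str, FIOEntry]) -> list[str]:
    """Report every difference the acceptance test of changes must look at:
    F-I/O added or removed, start address moved, parameter CRC changed.
    F-I/O reached via slave-slave communication is compared like any other
    entry, so it cannot be forgotten; it is only tagged in the report."""
    findings: list[str] = []
    for name in sorted(set(accepted) | set(changed)):
        old, new = accepted.get(name), changed.get(name)
        if old is None:
            findings.append(f"{name}: added, not covered by the accepted program")
            continue
        if new is None:
            findings.append(f"{name}: removed from configuration")
            continue
        tag = " (slave-slave)" if (old.via_slave_slave or new.via_slave_slave) else ""
        if old.start_addr != new.start_addr:
            findings.append(f"{name}{tag}: start address {old.start_addr} -> {new.start_addr}")
        if old.param_crc != new.param_crc:
            findings.append(f"{name}{tag}: parameter CRC 0x{old.param_crc:04X} -> 0x{new.param_crc:04X}")
    return findings


# Constructed sample printouts; names, addresses and CRC values are invented.
ACCEPTED = {
    "EStop_DI": FIOEntry(start_addr=0, param_crc=0x3A7C),
    "Door_DI": FIOEntry(start_addr=8, param_crc=0x91E2),
    "Press_DO": FIOEntry(start_addr=16, param_crc=0x55B0),
    "Conveyor_DI": FIOEntry(start_addr=24, param_crc=0x0C4D, via_slave_slave=True),
}
CHANGED = {
    "EStop_DI": FIOEntry(start_addr=0, param_crc=0x3A7C),                             # unchanged
    "Door_DI": FIOEntry(start_addr=12, param_crc=0x91E2),                             # start address moved
    "Press_DO": FIOEntry(start_addr=16, param_crc=0x55B0),                            # unchanged
    "Conveyor_DI": FIOEntry(start_addr=24, param_crc=0x7F11, via_slave_slave=True),   # re-parameterised
    "Light_Curtain": FIOEntry(start_addr=32, param_crc=0xA004),                       # newly added F-I/O
}


def acceptance_findings() -> list[str]:
    """Findings for the constructed sample: three entries need re-acceptance."""
    return compare_printouts(ACCEPTED, CHANGED)


if __name__ == "__main__":
    for line in acceptance_findings():
        print(line)
```

An empty result means the two printouts agree on every F-I/O; every reported line is one item that must be re-checked and re-accepted, and the unchanged CRC of EStop_DI and Press_DO is the evidence that their parameter assignment was not touched.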
225. ...Chapter "Configuring the F-CPU" (S7-300 standard, S7-400 standard, IM 151-7 CPU)
- Password
- Define/set F-specific parameters
- Call time for the F-runtime group in which the safety program is to be executed, defined in accordance with the requirements and safety regulations (same as with a standard system)
Configuration of F-I/O:
- Settings for safety mode | Chapter "Configuring the F-I/O" and subsequent chapters; SM Appendix A; F-SMs Manual Chapters 3, 9, 10; F-Modules Manual Chapters 2, 4, 7; ET 200eco Manual Chapters 3, 8; ET 200pro Manual Chapters 2, 4, 8
- Configure monitoring times
- Define type of sensor interconnection/evaluation
- Define diagnostic behavior
- Assign symbolic names
Saving, compiling and loading of the hardware configuration:
- System data are generated
- F-shared DB, F-system blocks and F-I/O DBs are generated
Programming:
- Define program design and structure; observe the warnings and notes on programming | Chapter "Overview of Programming", "Program Structure", "Defining the Program Structure", "Programming a Startup Protection"
- Verify software components used against Annex 1 of the Certification Report | Annex 1 of Certification Report

...Checklist A.1 Checklist

Phase | Requirement | Rule | Reference | Check
Creating, inser...
226. ...have changed (e.g. changes in the symbol table or to parameter names of F-DBs or F-FBs) and the changes were not made in all affected F-FBs/F-FCs. To correct this situation, use the "Check block consistency" function (see the STEP 7 online help). If necessary, you must recompile the safety program.

...System Acceptance Test 11.2 Checking the Printouts

11.2.1 Acceptance Test for the Configuration of the F-CPU and the F-I/O

Checking the Hardware Configuration ("Hardware Configuration" print content)
1. Check the parameters of the F-CPU in the printout. In particular, check the protection level setting of the F-CPU and whether the "CPU contains a safety program" option is selected.
WARNING: In safety mode, access by means of the F-CPU password must not be authorized when making changes to the standard user program, since changes to the safety program can then also be made. To rule out this possibility, you must configure Protection Level 1. If only one person is authorized to change the standard user program and the safety program, protection level 2 or 3 should be configured so that other persons have only limited access, or no access at all, to the entire user program (standard and safety programs).
2. Check the safety-related parameters of all configured F-I/O in the printout. The safety-related parameters ...
227. ...the password for additional read accesses and is granted read-only access. Exception: read access is not permitted for the requested action, and you would like to terminate read access.
Read access for all other actions is not time-limited. It applies only to the safety program for which it was activated and not to other safety programs on the same programming device or PC.

...Access Protection 3.3 Read Accesses without Password for the Safety Program

Terminating Read Access for all Other Actions
Read access for all other actions is terminated when you perform one of the following actions:
- You revoke access permission in the "Set Up Permission for Safety Program" dialog
- You revoke the access permission in the Safety Program dialog by clicking the drop-down arrow on the "Permission" button
- You close all S7 applications that were processing the data of a safety program with read access for all other actions
- You enter a password for the safety program for an action for which read access is not permitted (e.g. compiling the safety program)
- You restart the programming device or PC

Read-Only Access for this Access
If you have specified one-time read access, the user is prompted to enter a password again for the next read access and for all other actions requiring a password.
...
228. ...the object properties for the I-slave. Include all lines with MODE "MS" in the "Configuration" tab. The lines with MODE "DX" are not included.

...Configuring and Programming Communication 8.4 Safety-Related I-Slave/I-Slave Communication

8.4 Safety-Related I-Slave/I-Slave Communication

8.4.1 Configuring Address Areas

Introduction
Safety-related communication between the safety programs of the F-CPUs of I-slaves takes place using direct data exchange, same as in standard programs. You do not need any additional hardware for I-slave/I-slave communication.

Configuring Address Areas
For every communication connection between two F-CPUs, you must configure address areas in HW Config. In the figure below, each of the two F-CPUs will be able to send and receive data (bidirectional communication).
[Figure: I-slave 1 and I-slave 2, each with one F_SENDDP and one F_RCVDP; the LADDR values shown are 140, 142, 128 and 130. Addresses in the partner are entered automatically.]
You configure the following in the object properties for I-slave 1:
- For sending to I-slave 2: a local address (I-slave 1) and a partner address (I-slave 2)
- For receiving from I-slave 2: a local address (I-slave 1) and a partner address (I-slave 2)
No further configuration of communication is necessa...
229. ...the safety program.
[Figure: "Safety Program" dialog. Current compilation: "The safety program is consistent", 12/21/2006 11:28:58 AM, collective signature D0S7B94A; current mode: unknown / safety mode. Buttons: Compare, Permission, F-Runtime groups, Compile, Download, Logbook, Print, Help. The block list shows each F-block with its function in the safety program, signature and "Know-how protection" check box, e.g. FC100 F-CALL; FB100 "Sicherheitspro..." F-program block; FB186 F_TOF F-application block; FB216 F_FDBACK F-application block; F_SFDOOR F-application block; FB1638 F_IO_BOI F-system block; FB1639 F_CTRL_1 F-system block; FB1640 F_CTRL_2 F-system block; FB1641 F_TOF F-system block; FB1642 automatically generated.]
3. Select the relevant check box for the F-FBs, F-FCs and F-DBs in the "Know-how protection" column.
Result: A dialog for creating a backup copy opens automatically for every F-FB, F-FC or F-DB you want to protect.

...Programming 4.3 Creating F-Blocks in F-FBD/F-LAD

4. Remember the following when you save the backup copy:
Note: Assign the name to the backup copy ex...
230. ...the sending and receiving F-system, or in the event of a safety-related communication error. RLO 0 is available in the F-shared DB: at input SUBBO_xx, enter "F_GLOBDB".RLO0 (fully qualified).
Note: If a communication error, an F-I/O fault or a channel fault occurs at the F-I/O to which the acknowledgment key is connected, then an acknowledgment for reintegration of this F-I/O will no longer be possible. This blocking can only be removed by a STOP-to-RUN transition of the F-CPU of the DP master. Consequently, it is recommended that you also provide for an acknowledgment by means of an operator control and monitoring system, which you can use to access the F-CPU of the DP master for the acknowledgment for reintegration of the F-I/O to which the acknowledgment key is connected.
If a safety-related master/I-slave communication error occurs, the acknowledgment signal cannot be transmitted, and an acknowledgment for reintegration of the safety-related communication is no longer possible. This blocking can only be removed by a STOP-to-RUN transition of the F-CPU of the I-slave. Consequently, it is recommended that you also provide for an acknowledgment by means of an operator control and monitoring system, which you can use to access the F-CPU of the I-slave for the acknowledgment for reintegration of the safety-related communication used to transmit the acknowledgment signal (see 1).
See also: Implementing User Acknowledgment in the Safety Pro...
231. ...the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products
Note the following:
WARNING: Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
232. ...Check
Planning:
- Requirements specification | Process-dependent: safety requirements specification available for the intended application
- Specification of system architecture | Process-dependent
- Assignment of functions and subfunctions to system components | Process-dependent | Chapter "Product Overview"; SM Chapters 1.5, 2.4
- Selection of sensors and actuators | Requirements for actuators | F-SMs Manual Chapter 6.5; F-Modules Manual Chapter 4.5; ET 200eco Manual Chapter 5.5; ET 200pro Manual Chapter 4.4
- Specification of required safety properties for individual components | IEC 61508:2000 | SM Chapters 4.7, 4.8

...Checklist A.1 Checklist

Phase | Requirement | Rule | Reference | Check
Configuration:
- Installing the optional package | Requirements for installation | Chapter "Installing/Removing"
- Selection of S7 components | Rules for configuration | Chapter "Hardware and Software Components"; SM Chapter 2.4; F-SMs Manual Chapter 3; F-Modules Manual Chapter 3; ET 200eco Manual Chapter 3; ET 200pro Manual Chapter 2
- Configuration of hardware | Rules for F-systems; verification of the utilized hardware components based on Annex 1 of the Certification Report | Chapter "Overview of Configuration", "Particularities for Configuring"; Annex 1 of Certification Report
- Configuration of F-CPU | Protection level; "CPU contains safety ...
233. ...higher
- CPU 317F-2 PN/DP
- CPU 317F-2 DP, firmware version V2.5 and higher
- CPU 319F-3 PN/DP
If you set F_Par_Version to 1 for F-CPUs that do not support V2 MODE, this will result in a communication error for the safety-related communication with the device. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
- F-I/O passivated: Check value error (CRC) / Sequence number error
- F-I/O passivated: Monitoring time for safety message frame exceeded
WARNING: F_Par_Version must be set to 1 (PROFIsafe V2 MODE) for a network composed of PROFIBUS DP and PROFINET IO subnets. Devices that do not support PROFIsafe V2 MODE must not be used on PROFINET IO or in hybrid configurations of PROFIBUS DP and PROFINET IO.

...Configuration 2.5 Configuring fail-safe DP standard slaves and fail-safe standard I/O devices

F_Source_Add and F_Dest_Add Parameters
The PROFIsafe addresses (F_Source_Add and F_Dest_Add parameters) uniquely identify the source and the destination. The F_Source_Add and F_Dest_Add parameters for fail-safe DP standard slaves and standard I/O devices correspond to the F_source_address and F_destination_address parameters of other F-I/O. Exception: the range of values is specified by the GSD file and is not limited to a range of 1 to ...
234. ...In this documentation, the terms "safety engineering" and "fail-safe engineering" are used synonymously. The same applies to the terms "fail-safe" and "F-". When S7 Distributed Safety appears in italics, it refers to the optional package for the S7 Distributed Safety fail-safe system. The term "safety program" refers to the fail-safe portion of the user program and is used instead of "fail-safe user program", "F-program", etc. For purposes of contrast, the non-safety-related user program is referred to as the "standard user program". All fail-safe blocks are represented with a yellow background on the STEP 7 user interface (in SIMATIC Manager, for example) to distinguish them from standard user program blocks.

Additional Support
For any unanswered questions about the use of the products presented in this manual, contact your local Siemens representative. You can find your representative at http://www.siemens.com/automation/partner. A guide to the technical documentation for the individual SIMATIC products and systems is available at http://www.siemens.com/simatic-tech-doku-portal.

Training Center
We offer courses to help you get started with the S7 automation system. Contact your regional training center or the central training center in D-90327 Nuremberg, Germany (http://www.siemens.com/automation/partner).

H/F Competence Center
The H/F Competence Center in Nuremberg offers special workshops on SIMATIC S7 fail-safe and fau...
235. ...library (V1) is supplied with the S7 Distributed Safety optional package for creating the safety program. The F-library is located in the ...\step7\s7libs directory. Additional information about programming is provided in the following sections.
[Figure 4-1 Configuration: a PG/PC with S7 Distributed Safety and a STEP 7 project. The user program consists of the hardware configuration, the standard user program and the safety program (in F-LAD or F-FBD). F-libraries: the Distributed Safety F-library V1 with the "F System Blocks" and "F Application Blocks" containers, and a user-created F-library. Below: standard I/O and F-I/O.]

...Programming 4.1 Overview of Programming

4.1.2 Structure of the Safety Program in S7 Distributed Safety

Representation of Program Structure
The figure below shows the schematic structure of a safety program for S7 Distributed Safety. For structuring purposes, a safety program consists of one or two F-runtime groups. Each F-runtime group contains:
- F-blocks that you create or select from the Distributed Safety F-library (V1) or from a user-created F-library
- F-blocks that are added automatically (F-system blocks, automatically generated F-blocks and the F-shared DB)
[Figure: the standard user program calls the F-CALL of F-runtime group x; the safety program uses F-application blocks such as F_RCVDP from the Distributed Safety F-library V1 ...]
236. ...communication DB of the associated F_RCVS7, and the receiver F_RCVS7 provides fail-safe values for this period (defaults from the F-communication DB). If communication was already established between the partners, a communication error is detected.
11. Optional: Evaluate the ACK_REQ output of the F_RCVS7 (for example in the standard user program or on the operator control and monitoring system) in order to query or indicate whether user acknowledgment is required.
12. Provide the ACK_REI input of the F_RCVS7 with the signal for the acknowledgment for reintegration.
13. Optional: Evaluate output SUBS_ON of F_RCVS7 or F_SENDS7 to query whether the F_RCVS7 is outputting the fail-safe values you specified as defaults in the F-communication DB.
14. Optional: Evaluate the ERROR output of the F_RCVS7 or the F_SENDS7 (for example in the standard user program or on the operator control and monitoring system) in order to query or indicate whether a communication error has occurred.
15. Optional: Evaluate the SENDMODE output of the F_RCVS7 in order to query whether the F-CPU with the associated F_SENDS7 is in deactivated safety mode.
WARNING: If the F-CPU with the associated F_SENDS7 is in deactivated safety mode, you can no longer assume that the data received from this F-CPU were generated safely. You must then implement organizational measures, such as operation monitoring and manual safety shutdown, to ensure safety in those portions of the system that are affe...
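The DIAG byte layout and remedy table for F_SENDS7/F_RCVS7 (reserved bits 0 to 3 and 7; bit 4 timeout, bit 5 sequence number error, bit 6 CRC error; bits saved until acknowledgment at ACK_REI) and the receiver-side outputs listed in steps 11 to 15 above can be exercised offline. The Python below is an added example for this page, not Siemens code and not the internals of the real F-blocks, which the manual does not describe: it decodes a DIAG byte into the remedy hints and models the receiver's ERROR, SUBS_ON, ACK_REQ and DIAG outputs across error, recovery and acknowledgment. The class name FRcvS7Model, the function names, the choice that ERROR follows the live fault while SUBS_ON and DIAG latch until a rising edge on ACK_REI, and every sample value are assumptions made for the example.

```python
"""Simplified model of the F_RCVS7 status outputs and of the non-fail-safe
DIAG byte described on this page.  Added illustration, not Siemens code: the
real block internals are not documented here, and the timing chosen (ERROR
follows the live fault; SUBS_ON and DIAG latch until a rising edge on ACK_REI)
is an assumption for this example."""

from dataclasses import dataclass, field

# DIAG bit layout as given in the "Structure of DIAG" table; bits 0-3 and 7 are reserved.
DIAG_TIMEOUT = 1 << 4    # timeout detected by F_SENDS7 and F_RCVS7
DIAG_SEQUENCE = 1 << 5   # sequence number error
DIAG_CRC = 1 << 6        # CRC error
_RESERVED_MASK = 0x8F    # bits 0, 1, 2, 3 and 7

# Remedy hints condensed from the table (bits 5 and 6 refer back to bit 4).
DIAG_TEXT = {
    DIAG_TIMEOUT: "timeout: check bus interference, TIMEOUT at F_SENDS7 and F_RCVS7 of both F-CPUs, "
                  "CP and F-CPU RUN state, EN_SEND, changed S7 connection",
    DIAG_SEQUENCE: "sequence number error: see remedies for bit 4",
    DIAG_CRC: "CRC error: see remedies for bit 4",
}


def decode_diag(diag: int) -> list[str]:
    """Return the remedy text for every set, documented DIAG bit.  Set reserved
    bits are reported too, so a service tool never silently ignores them."""
    if not 0 <= diag <= 0xFF:
        raise ValueError("DIAG is a single byte")
    texts = [text for bit, text in DIAG_TEXT.items() if diag & bit]
    if diag & _RESERVED_MASK:
        texts.append(f"reserved bits set: 0x{diag & _RESERVED_MASK:02X}")
    return texts


@dataclass
class FRcvS7Model:
    """Receiver-side status of one F_SENDS7 / F_RCVS7 connection (assumed model)."""
    error: bool = False     # ERROR: a communication error is currently present
    subs_on: bool = False   # SUBS_ON: fail-safe values from the F-communication DB are output
    ack_req: bool = False   # ACK_REQ: user acknowledgment for reintegration is required
    diag: int = 0           # DIAG: latched service information, not fail-safe
    _ack_rei_prev: bool = field(default=False, repr=False)

    def comm_error(self, diag_bit: int) -> None:
        """Communication error detected: output fail-safe values, record the cause.
        Several causes on one connection accumulate in DIAG."""
        self.error = True
        self.subs_on = True
        self.ack_req = False
        self.diag |= diag_bit

    def comm_restored(self) -> None:
        """Communication re-established: process data is still replaced by
        fail-safe values until the user acknowledges (ACK_REQ = 1)."""
        self.error = False
        if self.subs_on:
            self.ack_req = True

    def cycle(self, ack_rei: bool) -> dict:
        """One receiver cycle with the current ACK_REI input.  A rising edge while
        ACK_REQ is set reintegrates the connection and clears the saved DIAG bits,
        matching the statement that DIAG is kept until acknowledgment at ACK_REI."""
        rising = ack_rei and not self._ack_rei_prev
        self._ack_rei_prev = ack_rei
        if rising and self.ack_req and not self.error:
            self.subs_on = False
            self.ack_req = False
            self.diag = 0
        return {"ERROR": self.error, "SUBS_ON": self.subs_on,
                "ACK_REQ": self.ack_req, "DIAG": self.diag}


def demo() -> list[dict]:
    """Constructed scenario: timeout, then CRC error, recovery, acknowledgment."""
    rcv = FRcvS7Model()
    trace = [rcv.cycle(False)]
    rcv.comm_error(DIAG_TIMEOUT)
    trace.append(rcv.cycle(False))
    rcv.comm_error(DIAG_CRC)
    trace.append(rcv.cycle(False))
    rcv.comm_restored()
    trace.append(rcv.cycle(False))   # ACK_REQ = 1, DIAG still names both causes
    trace.append(rcv.cycle(True))    # rising edge on ACK_REI: reintegrated, DIAG cleared
    trace.append(rcv.cycle(True))    # level held: no second acknowledgment
    return trace


if __name__ == "__main__":
    for state in demo():
        print(state, decode_diag(state["DIAG"]))
```

Reading DIAG through decode_diag before the acknowledgment is what the page calls service information: it tells maintenance which of the bit 4 remedies to try, but the model deliberately does nothing safety-relevant with it, because DIAG, STAT_RCV and STAT_SND must not be accessed from the safety program.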
237. ...ics for this channel is deactivated simultaneously.

...Configuration 2.5 Configuring fail-safe DP standard slaves and fail-safe standard I/O devices

2.5 Configuring fail-safe DP standard slaves and fail-safe standard I/O devices

Requirements
In order to use fail-safe DP standard slaves with S7 Distributed Safety, the standard slaves must be on the PROFIBUS DP and support the PROFIsafe bus profile. Fail-safe DP standard slaves used in hybrid configurations on PROFIBUS DP and PROFINET IO (based on IE/PB links) must support the PROFIsafe bus profile in V2 mode. In order to use fail-safe standard I/O devices with S7 Distributed Safety, the standard devices must be on the PROFINET IO and support the PROFIsafe bus profile in V2 mode.

Configuration with GSD Files
As is the case in a standard system, the basis for configuring fail-safe DP standard slaves is the device specification in the GSD file. A GSD file contains all of the properties of a DP standard slave or standard I/O device. For fail-safe DP standard slaves / standard I/O devices, portions of the specification are ensured by a CRC. The GSD files are supplied by the device manufacturers.

Protection of the Data Structure of the Device in GSD Files
Starting with PROFIsafe Specification V2.0, the device data structure described in the GSD file must be protected with a CRC ...
238. ...ied online.
Note: If you do not want to modify the safety program during operation, see Chapter "Creating F-Blocks in F-FBD/F-LAD".

Procedure for Modifying the Safety Program in RUN Mode
1. Modify and save the F-PB or F-FB (and its associated instance DB), F-FC or F-DB in the FBD/LAD Editor.
2. Download the modified F-block from the FBD/LAD Editor to the F-CPU. If you want to download several modified F-blocks, select and download them in SIMATIC Manager. The procedure for downloading F-blocks in deactivated safety mode is the same as for a standard program. Observe the applicable rules for the download sequence in the online Help for STEP 7.
3. If safety mode is active, a dialog box for deactivating safety mode will appear. Confirm this dialog box.
Note: When downloading in SIMATIC Manager, you can only download fail-safe blocks created by you (F-PB, F-FB, F-FC or F-DB), F-application blocks, or standard blocks and their associated instance DBs in deactivated safety mode. If you download automatically added F-blocks (F-SBs or automatically generated F-blocks and their associated instance DBs, or the F-shared DB), the F-CPU can go to STOP mode or safety mode can be activated. Therefore, when downloading in SIMATIC Manager, always select individual F-blocks instead of the "Station", "S7 Program" or "Block Container" objects.
...
239. ...modified during operation. Safety mode can be deactivated by the user (-> deactivated safety mode).
Safety Program: The safety program is a safety-related user program.
Safety Protocol: -> Safety message frame
Safety-related communication: Safety-related communication is used to exchange fail-safe data.

...Glossary

Sensor Evaluation: There are two types of sensor evaluation:
- 1oo1 evaluation: the sensor signal is read in once
- 1oo2 evaluation: the sensor signal is read in twice by the same -> F-I/O and compared internally
Signature: -> Collective signatures
Standard Communication: Standard communication is used to exchange non-safety-related data.
Standard Mode: Standard mode is the operating mode of -> F-I/O in which -> safety-related communication by means of -> safety message frames is not possible; only -> standard communication is possible in this operating mode.
Standard User Program: The standard user program is a non-safety-related user program.
Startup of F-system: When an -> F-CPU switches from STOP to RUN mode, the -> standard user program is started as usual. When the -> safety program is started, all data blocks with -> F-attribute are initialized with values from the load memory, as with a cold start. This means that saved error information is lost. The -> F-system a...
240. ...Configuration / F-I/O DB (Page 101); Overview of F-application blocks (Page 23, Page 183)

...F-Libraries 9.1 Distributed Safety F-library (V1)

9.1.2.11 FB 189 "F_MUTING": Muting

Connections
Parameter | Data Type | Description | Default
Inputs:
MS_11 | BOOL | Muting sensor 1 of sensor pair 1 | 0
MS_12 | BOOL | Muting sensor 2 of sensor pair 1 | 0
MS_21 | BOOL | Muting sensor 1 of sensor pair 2 | 0
MS_22 | BOOL | Muting sensor 2 of sensor pair 2 | 0
STOP | BOOL | 1 = Conveyor system stopped | 0
FREE | BOOL | 1 = Light curtain uninterrupted | 0
QBAD_MUT | BOOL | QBAD or QBAD_O_xx signal of the F-I/O channel of the muting lamp (F-I/O DB) | 0
DISCTIM1 | TIME | Discrepancy time of sensor pair 1 (0 to 3 s) | T#0ms
DISCTIM2 | TIME | Discrepancy time of sensor pair 2 (0 to 3 s) | T#0ms
TIME_MAX | TIME | Maximum muting time (0 to 10 min) | T#0ms
ACK | BOOL | Acknowledgment of restart inhibit | 0
Outputs:
Q | BOOL | 1 = Enable, not off | 0
MUTING | BOOL | Display of "muting is active" | 0
ACK_REQ | BOOL | Acknowledgment necessary | 0
FAULT | BOOL | Group error | 0
DIAG | BYTE | Service information | 0

Principle of Operation
This F-application block performs parallel muting with two o...
igured safety-related and standard communication connections in the "Configuration" tab in the object properties for the I-slave. Include all lines with MODE "MS" in the "Configuration" tab. The lines with MODE "DX" are not included.

8.6 Safety-Related IO Controller-IO Controller Communication

Safety-related communication between safety programs of the F-CPUs of IO controllers takes place over a PN/PN coupler (order number 6ES7158-3AD00-0XA0) that you set up between the F-CPUs.

Requirements
For this communication you will need HSP 101 for STEP 7 V5.4 SP1 or the GSD file for the PN/PN coupler. In the case of a CPU 416F without an integrated PROFINET interface, use CP 443-1 Advanced.

Note
Disable the "Data validity indicator (DIA)" (same as the default setting) in the object properties for the PN/PN coupler in HW Config. Otherwise, safety-related IO controller-IO controller communication is not possible.

Reference
In addition, the information on safety-related master-master communication in Chapter "Safety-Related Master-Master Communication" also applies analogously.

Configuring and Program
iguring and programming S7 Distributed Safety fail-safe systems. Integration of the fail-safe I/O listed below in S7 Distributed Safety is also addressed:
• ET 200S fail-safe modules
• ET 200eco fail-safe I/O modules
• ET 200pro fail-safe modules
• S7-300 fail-safe signal modules
• Fail-safe DP standard slaves
• Fail-safe standard I/O devices

Preface

What's New
This documentation reflects the following significant changes/additions to the previous version:
• The contents of the Product Information for S7 Distributed Safety V5.4 SP1 and SP3, Edition 01/2007, have been integrated into this manual.
• Description of the following important innovations in S7 Distributed Safety V5.4 SP4:
  Ability to install the S7 Distributed Safety optional package in Windows Vista
  Support of the SM 336; F-AI 6 x 0/4...20 mA HART fail-safe signal module
  Support of the "Compatibility mode" F-CPU parameter

Approvals
S7 Distributed Safety, ET 200S, ET 200eco and ET 200pro fail-safe modules, and S7-300 fail-safe signal modules are certified for use in safety mode up to and including the following:
• Safety Integrity Level SIL3 in accordance with IEC 61508:2000
• Performance level PL e and category 4 in accordance with ISO 13849-1:2006 or EN ISO 13849-1:2008

Position in the Information Landscape
Depending on your applicat
ility in the documentation and readme files for these products.

Replacement of Hardware Components
Hardware components for S7 Distributed Safety (F-CPU, F-I/O, batteries, etc.) are replaced in the same way as in a standard automation system.

Removing and Inserting F-I/O during Operation
It is possible to remove and insert F-I/O during operation, as with standard I/O. However, be aware that replacing an F-I/O module while in service can cause a communication error in the F-CPU. You must acknowledge the communication error in your safety program in the ACK_REI variable of the F-I/O DB. Otherwise, the F-I/O will remain passivated.

CPU Operating System Update
Check of the CPU operating system for F-validity: when using a new CPU operating system (operating system update), you must check whether the CPU operating system you are using is approved for use in an F-system. The minimum CPU operating system versions with guaranteed F-capability are specified in the annex of the Certification Report. This information and any notes on the new CPU operating system must be taken into account.

Operating System Update for Interface Module
When using a new operating system for an interface module (e.g., IM 151-1 HIGH FEATURE of ET 200S; for the operating system update, see the online Help for STEP 7), you must observe the following: if the "Activate firmware after download" check box is selected for the operating system update, the IM will be automatically reset fo
ime group. Based on the start address of the F-I/O, check whether the symbolic name used in the safety program and the number of the F-I/O DB belong to the proper F-I/O. Check whether the value of F_Monitoring_Time matches the corresponding value of the F-I/O with the same start address in the hardware configuration printout (or F_WD_Time for fail-safe DP standard slaves / standard I/O devices). Check whether PROFIsafe is in V2 mode when F-I/O are used on PROFINET IO or in a hybrid configuration on PROFIBUS DP and PROFINET IO (based on IE/PB Links). Check whether the type of passivation corresponds to the value you configured.
11. Check the additional information: check whether the "Safety mode can be deactivated" setting corresponds to the value you configured. Check whether the printout of the project data is complete, based on the total page count.

See also
Printing out Project Data (Page 297)

11.3 Checks after Downloading the Safety Program to the F-CPU

Introduction
You download the S7 program to the F-CPU as described in Chapter "Downloading the Safety Program". Afterwards, you perform the checks described below.

Note
The Safety Program dialog must be used to download F-blocks the last time prior to the accepta
imum muting time TIME_MAX
• Discrepancy times DISCTIM1 and DISCTIM2 have been set to values < 0 or > 3 s
• Maximum muting time TIME_MAX has been set to a value < 0 or > 10 min
In the identified cases, output FAULT (group error) is set to 1 (restart inhibit). If the MUTING function is started, it will be terminated and the MUTING output becomes 0.

WARNING
When a valid combination of muting sensors is immediately detected at startup of the F-system (for example, because the muting sensors are interconnected to inputs of a standard I/O that immediately provide process values during the F-system startup), the MUTING function is immediately started and the MUTING output and enable signal Q are set to 1. The FAULT output (group error) is not set to 1 (no restart inhibit).

Acknowledgment of Restart Inhibit
Enable signal Q becomes 1 again if:
• The light curtain is no longer interrupted,
• Errors, if present, are eliminated (see output DIAG), and
• A user acknowledgment with a positive edge is issued at input ACK (see also Chapter "Implementing User Acknowledgment").
The FAULT output is set to 0.
Output ACK_REQ = 1 signals that user acknowledgment at input ACK is required to eliminate the restart inhibit. The block sets ACK_REQ = 1 as soon as the light curtain is no longer interrupted or errors have been eliminated. Once acknowledgment has occurred, the block resets ACK_REQ to 0.

Note
Following discrepancy err
in the table below in the safety program.

Instruction (F-FBD / F-LAD) | Function | Description
>=1 | Bit logic instruction | OR logic operation
& | Bit logic instruction | AND logic operation
XOR | Bit logic instruction | EXCLUSIVE OR logic operation
(graphic symbol) | Bit logic instruction | Insert binary input
(graphic symbol) | Bit logic instruction | Negate binary input
(graphic symbol) | Bit logic instruction | Assign
(graphic symbol) | Bit logic instruction | Normally open contact
(graphic symbol) | Bit logic instruction | Normally closed contact
NOT | Bit logic instruction | Invert power flow
(graphic symbol) | Bit logic instruction | Output coil
(graphic symbol) | Bit logic instruction | Midline output
S / S | Bit logic instruction | Set output
R / R | Bit logic instruction | Reset output
SR / SR | Bit logic instruction | Set-reset flip-flop
RS / RS | Bit logic instruction | Reset-set flip-flop
N / N | Bit logic instruction | Negative RLO edge detection
NEG / NEG | Bit logic instruction | Address negative edge detection
P / P | Bit logic instruction | Positive RLO edge detection
POS / POS | Bit logic instruction | Address positive edge detection
WAND_W / WAND_W | Word logic instruction | Word AND Word
WOR_W / WOR_W | Word logic instruction | Word OR Word
WXOR_W / WXOR_W | Word logic instruction | Word Exclusive OR Word
ADD_I / ADD_I | Integer function | Add integer
DIV_I / DIV_I | Integer function | Divide integer
MUL_I / MUL_I | Integer function | Multiply integer
SUB / SUB | Integ
ing interrupted and the muting lamp monitoring responds at input QBAD_MUT
• The light curtain is being interrupted and the MUTING function is not enabled by setting input ENABLE to 1
• Sensor pair 1 (MS_11 and MS_12) or sensor pair 2 (MS_21 and MS_22) is not activated or deactivated during discrepancy time DISCTIM1 or DISCTIM2, respectively
• The MUTING function is active longer than the maximum muting time TIME_MAX
• Discrepancy times DISCTIM1 and DISCTIM2 have been set to values < 0 or > 3 s
• Maximum muting time TIME_MAX has been set to a value < 0 or > 10 min
• The F-system starts up, irrespective of whether or not the light curtain is interrupted, because the F-I/O is passivated after F-system startup and thus the FREE input is initially supplied with 0
In the identified cases, output FAULT (group error) is set to 1 (restart inhibit). If the MUTING function is started, it will be terminated and the MUTING output becomes 0.

User Acknowledgment of Restart Inhibit (No Muting Sensor Is Activated or ENABLE = 0)
Enable signal Q becomes 1 again if:
• The light curtain is no longer interrupted,
• Errors, if present, are eliminated (see output DIAG), and
• A user acknowledgment with a positive edge is issued at input ACK (see also Chapter "Implementing User Acknowledgment").
The FAULT output is set to 0.
Output ACK_REQ = 1 signals that user acknowledgment at input ACK is required to eliminate the restart inhibit. The block sets
ing is shut down. During this time, if inputs MSx1 and MSx2 of a sensor pair both assume a signal state of 1 due to an unknown error (e.g., because both muting sensors fail to 1), the error is not detected and the MUTING function can be started unintentionally.

Output DIAG
The DIAG output provides non-fail-safe information on errors for service purposes. You can read out this information by means of operator control and monitoring systems or, if applicable, you can evaluate it in your standard user program. DIAG bits are saved until acknowledgment at input ACK.

Structure of DIAG
Bit No. | Assignment | Possible causes of problems | Remedies
Bit 0 | Discrepancy error or incorrect discrepancy time (DISCTIM1) setting for sensor pair 1 | Malfunction in production sequence | Malfunction in production sequence eliminated
 | | Sensor defective | Check sensors
 | | Wiring fault | Check wiring of sensors
 | | Sensors are wired to different F-I/O and F-I/O fault, channel fault or communication error, or passivation by means of PASS_ON on an F-I/O | For a solution, see DIAG variable bits 0 to 6 in Chapter "F-I/O DB"
 | | Discrepancy time setting is too low | If necessary, set a higher discrepancy time
 | | Discrepancy time setting is < 0 s or > 3 s | Set discrep
ion, you will need the following supplementary documentation when working with S7 Distributed Safety. This documentation includes references to the supplementary documentation where appropriate.

Documentation | Brief Description of Relevant Contents
Safety Engineering in SIMATIC S7 system manual | Provides general information about the use, structure and function of S7 Distributed Safety and S7 F/FH fail-safe automation systems. Contains detailed technical information about the S7 Distributed Safety and S7 F/FH systems. Contains monitoring time and response time calculations for S7 Distributed Safety and S7 F/FH fail-safe systems.
For S7 Distributed Safety system | The following documentation is required according to the utilized F-CPU: The S7-300 CPU 31xC and CPU 31x Installation operating instructions describe how to assemble and wire S7-300 systems. The CPU 31xC and CPU 31x Technical Specifications manual describes the CPUs 315-2 DP and PN/DP, the CPU 317-2 DP and PN/DP, and the CPU 319-3 PN/DP. The Automation System S7-400 Hardware and Installation installation manual describes how to assemble and wire S7-400 systems. The Automation System S7-400 CPU Specifications reference manual describes the CPU 416-2 and the CPU 416-3 PN/DP. The ET 200S IM 151-7 CPU Interface Module manual describes the IM 15
ional Rules for Testing
• Forcing is not possible for F-I/O.
• Setting breakpoints in the standard user program will cause the following errors in the safety program: expiration of F-cycle time monitoring; error during communication with the F-I/O; error during safety-related CPU-CPU communication; internal CPU faults. If you nevertheless want to use breakpoints for testing, you must first deactivate safety mode. This will result in the following errors: error during communication with the F-I/O; error during safety-related CPU-CPU communication.
• Changes in the configuration of F-I/O or safety-related CPU-CPU communication can only be tested after the hardware configuration has been saved and downloaded and after the safety program has been compiled and downloaded in the Safety Program dialog.

Note
If you use the "Monitor/Modify Variable" function to test a safety program, this function does not detect all additional changes you make using other applications in the F-CPU. For example, if the collective signature of the safety program is changed through revision/modification while safety mode is deactivated, the change may not be detected and an old collective signature may continue to be displayed. In such cases, terminate the "Monitor/Modify Variable" function and restart the function in order to work with updated data.

"Control at contact" function
The "Control at contact" function supported in STEP 7
is F-application block implements two-hand monitoring. If momentary contact switches IN1 and IN2 are activated within the permissible discrepancy time DISCTIME (< 500 ms) (IN1 = IN2 = 1, synchronous activation), output signal Q is set to 1 when an enable exists (ENABLE = 1). If the time difference between activation of momentary contact switch IN1 and momentary contact switch IN2 is greater than DISCTIME, then the momentary contact switches must be released and reactivated. Q is reset to 0 as soon as one of the momentary contact switches is released (IN1 or IN2 = 0) or ENABLE = 0. Enable signal Q can be reset to 1 only if the other momentary contact switch has been released and if both switches are then reactivated within the discrepancy time when an enable exists (ENABLE = 1). The F-application block supports requirements in accordance with EN 574.

Note
Only one signal per momentary contact switch can be evaluated in the F-application block. With suitable configuration (type of sensor interconnection: 2-channel non-equivalent), discrepancy monitoring of the NC and NO contacts of momentary contact switches IN1 and IN2 is performed directly by the F-I/O with inputs. The NO contact must be wired in such a way that it supplies the useful signal (see the manual for the F-I/O you are using). In order to keep the discrepancy time from influencing the response time, you must assign "Provide 0 value" for the behavior of discrepancy during configuration. If a discrepa
ision resulting from the update timing of the time base used in the F-application block (see the figure in the "F-Application Blocks" section)
• Tolerance of internal time monitoring in the F-CPU: for time values up to 100 ms, a maximum of 20% of the configured time value; for time values starting at 100 ms, a maximum of 2% of the configured time value
You must choose the interval between two call times of an F-application block with time processing so that the required response times are achieved, taking into account the possible timing imprecision.

WARNING
The functionality of this F-application block complies with IEC 61131-3; however, it deviates from IEC TIMER SFB 5 "TOF" as follows:
• When it is called with PT = 0 ms, the F_TOF instance is not reset completely (initialized). The block behaves in accordance with the timing diagrams; only outputs Q and ET are reset. Another falling edge at input IN is required to restart the OFF delay once PT is greater than 0 again.
• A call with PT < 0 ms resets outputs Q and ET. Another falling edge at input IN is required to restart the OFF delay once PT is greater than 0 again.

F_TOF Timing Diagrams
[Figure: F_TOF timing diagrams (signal IN); image not reproduced]

Startup Characteristics
The instances of F_TOF are reset in the first cyc
istency" function (see the STEP 7 online help). If necessary, you must recompile the safety program.

10.8 Printing out Project Data

10.8.1 Procedure

Printed Project Data for the Hardware Configuration
If you have selected the "Hardware Configuration" print content, a follow-up dialog is displayed.
1. Select "All" as the print area. The printout will then include the "Module description" and the "Address list".
2. Select the "Including parameter description" option to include your parameter descriptions in the printout.

Printed Information
The following information in the printout of the hardware configuration ("Hardware Configuration" print content) is important for the configuration acceptance test:
• The following F-CPU parameters: protection level, F-parameters
• All parameters of the F-I/O

Procedure for Safety-Related I-Slave-Slave Communication
For the system acceptance test with safety-related I-slave-slave communication, you also need a printout of the parameters of the F-I/O that you address via safety-related I-slave-slave communication. The printout of the hardware configuration of the station with the DP master contains this information. If the CPU of the DP master is an F-CPU to which a safety program is assigned, you can print out
Note
A separate instance DB must be used for each call of an F_SENDDP or F_RCVDP. The input and output parameters of the F_RCVDP must not be supplied with local data of the F-program block. You must not use an actual parameter for an output parameter of an F_RCVDP if it is already being used for an input parameter of the same F_RCVDP call or another F_RCVDP or F_RCVS7 call. The F-CPU can go to STOP if this is not observed. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
• Data corruption in the safety program prior to output to F-I/O
• Data corruption in the safety program prior to output to partner F-CPU
• Safety program: internal CPU fault (internal error information 404 5)

5. Provide the SD_BO_xx inputs of the F_SENDDP with the send signals. To cut down on intermediate signals when transferring block parameters, you can write the value directly to the instance DB of the F_SENDDP using symbolic fully qualified access (for example, "Name F_SENDDP1".SD_BO_02) before calling the F_SENDDP.
6. Supply the RD_BO_xx outputs of the F_RCVDP with the signals that you want to process further in other program sections, or use fully qualified access to read the received signals directly in the a
ivated. You can now download changes in the safety program to the F-CPU during operation in RUN mode.

Note
To activate safety mode, the F-CPU must be switched from STOP to RUN mode. Switching the F-CPU from STOP to RUN mode always activates safety mode, even if the safety program has been modified or is not consistent. The MODE variable in the F-shared DB is set to 0. Keep this in mind when you evaluate the MODE variable to read out the operating mode. If you have modified your safety program but have not recompiled and downloaded it, the F-CPU can revert to STOP mode.

Evaluating Safety Mode / Deactivated Safety Mode
If you wish to evaluate safety mode / deactivated safety mode in the safety program, you can evaluate the MODE variable in the F-shared DB (1 = deactivated safety mode). You access this variable with fully qualified access ("F_GLOBDB".MODE). The number and symbolic name of the F-shared DB and the absolute addresses of variables are indicated in the printout of the safety program. You can use this evaluation, for example, to passivate F-I/O when the safety program is in deactivated safety mode. To do so, assign the MODE variable in the F-shared DB to all PASS_ON variables in the F-I/O DBs of the F-I/O that you wish to passivate.

WARNING
When the safety program is in deactivated safety mode, the MODE variable in the F-shared DB is also evaluated in deactivated safety mode. Even if the F-I/O are
[Screenshot: "F Configuration" tab in the object properties of the I-slave (tabs General, Connection, Configuration, F Configuration), showing an F_RCVDP receive connection (2048) to partner Master (2) DP, station SIMATIC 416F(1); buttons Cancel, Help]

Note
Entries are automatically made in the "Configuration" tab in the object properties for the I-slave based on the configuration in the "F Configuration" tab. These entries must not be modified. Otherwise, safety-related master-I-slave communication is not possible. You can obtain the assigned address areas in the DP master and I-slave in the "Configuration" tab.

Disabling Active Coupling of an I-Slave
Before you can disable active coupling of an I-slave, you must delete all safety-related communication connections to other F-CPUs or F-modules in the "F Configuration" tab.

Additional Information
You will find a description of the parameters in the context-sensitive online help for the "F Configuration" tab. For more information on master-I-slave communication, refer to the STEP 7 Online Help. For information on address areas, partial process images and supported interrupt OBs, refer to the technical specifications for the F-CPU you are using.
layed on the programming device or PC in the dialog box for deactivating safety mode, but it can also be indicated by means of an indicator light controlled by the standard user program or a message to an operator control and monitoring system generated by evaluating the "Deactivated Safety Mode" variable in the F-shared DB.

Changes in the safety program in RUN mode when safety mode is deactivated can cause changeover effects to occur. The procedure for downloading F-blocks in deactivated safety mode is the same as for a standard program. Observe the applicable rules for the download sequence in the online Help for STEP 7. To the extent possible, the standard user program and the safety program should be modified separately and the changes downloaded; otherwise, an error could be downloaded simultaneously to the standard user program, thus disrupting a necessary protective feature or causing changeover effects to occur in both the safety program and the standard program.

It must be possible to verify that safety mode has been deactivated. A log is required, if possible by recording messages to the operator control and monitoring system, but if necessary through organizational measures. In addition, it is recommended that deactivation of safety mode be indicated on the operator control and monitoring system.

Safety mode is deactivated across the F-CPU only. You must take the following into account for safety-related CPU-CPU communication: If
le following a startup of the F-system, resulting in:
• ET = 0
• Q = 0

See also
Overview of F-application blocks (Page 183)

9.1.2.9 FB 187 F_ACK_OP: Fail-Safe Acknowledgment

Connections
Parameter | Data type | Description | Default
In/out parameters
IN | INT | Input variable from operator control and monitoring system | 0
Outputs
OUT | BOOL | Output for acknowledgment | 0
Q | BOOL | Time status | 0

Principle of operation
This F-application block enables fail-safe acknowledgment from an operator control and monitoring system. It allows, for example, reintegration of F-I/O to be controlled from the operator control and monitoring system. Acknowledgment takes place in two steps:
1. In/out parameter IN changes to a value of 6.
2. In/out parameter IN changes to a value of 9 within 1 min.
Once the in/out parameter IN has changed to a value of 6, the F-application block evaluates whether this parameter has changed to a value of 9 after 1 s at the earliest or 1 min at the latest. Output OUT (output for acknowledgment) is then set to 1 for one cycle. If an invalid value is input, or if in/out parameter IN has not changed to 9 within 1 min, or the change occurred before 1 s has elapsed, then in/out parameter IN is reset to 0 and both steps listed above mus
les

Symbolic Name of the F-I/O DB
During compilation in HW Config, an F-I/O DB is automatically created for each F-I/O and a symbolic name is entered for the F-I/O DB in the symbol table. The symbolic name is generated by combining the fixed prefix "F", the start address of the F-I/O, and the name (maximum 17 characters) entered in the object properties for the F-I/O in HW Config (example: F00005_4/8 F_DI_DC24V). For F-I/O accessed via I-slave-slave communication, an "X" is added after the start address of

Rule for Accessing Variables of F-I/O DB
Variables of the F-I/O DB of an F-I/O can only be accessed from one F-runtime group, and only from the F-runtime group from which the channels of this F-I/O are accessed (if access is made).

Fully Qualified DB Access
You can access the variables of the F-I/O DB with fully qualified DB access, that is, by specifying the symbolic name of the F-I/O DB and the name of the variable. Make sure that "Report Cross-References as Error" is not selected in the "General" dialog (Options > Settings in the FBD/LAD Editor). Otherwise, the variables of the F-I/O DBs cannot be accessed.

Example of Evaluating the QBAD Variable
[Screenshot: Network 4, fully qualified access to the variable QBAD of the F-I/O DB: "F00005_4/8 F_DI_DC24V".QBAD]

See also
Assigning Symbolic Names (Page 44)
les of the F-I/O DB of an F-I/O can only be accessed from one F-runtime group, and only from the F-runtime group from which the channels of this F-I/O are accessed (if access is made).
• An F-program block must not be used in more than one F-runtime group.
• F-FBs can be used in more than one F-runtime group, but they must be called with different instance DBs. Instance DBs can only be accessed from the F-runtime group in which the associated F-FB is called.
• Individual parameters of F-DBs (except the F-shared DB) can only be used in one F-runtime group; however, an F-DB can be used in more than one F-runtime group.
• A DB for runtime group communication can be read- and write-accessed by the F-runtime group for which you furnished the DB, but only read-accessed by the receiver F-runtime group.
• The F-communication DB can only be accessed from one F-runtime group.
• F-blocks must not be called directly in an OB; rather, they must be inserted into one or two F-runtime groups.
• For optimal use of local data, you must call the F-CALL blocks (the F-runtime groups) directly in OBs (cyclic interrupt OBs); to the extent possible, you should not declare any additional local data in these cyclic interrupt OBs.
• Within a cyclic interrupt OB, the F-CALL (the F-runtime group) should be executed before the standard user program, that is, it should be at the very beginning of the OB so that the F-runtime group is always called at fixed time intervals regardless of how long it takes to process the standard user program.
• An F-CALL can only be called once. Multiple calls are not permitted and can cause the F-CPU to go to STOP mode.
• The process input and output images from standard I/O and memory bits can be accessed from more than one F-runtime group.
• F-FCs can generally be called in more than one F-runtime group.

4.4.2 Procedure for Defining an F-Runtime Group

Procedure
1. In SIMATIC Manager, select the Options > Edit Safety Program menu command. The Safety Program dialog will appear. Activate the "F-Runtime Groups" button to open the "Edit F-Runtime Groups" dialog.
[Screenshot: "Edit F-Runtime Groups" dialog with the columns "F-runtime group parameter" and "Value" and the buttons New, Delete, OK, Cancel, Help]
2. In the "Edit F-Runtime Groups" dialog, select "New". The "Define New F-Runtime Group" dialog is displayed.
[Screenshot: "Define New F-Runtime Group" dialog with the fields F-CALL block, F-program block, DB for F-program block, Max. cycle time of the F-runtime in ms (200), DB for F-runtime group communication, and the buttons Cancel, Help]
3. From the drop-down list, select the FC that you want to define as the F-CALL for the new F-runtime group, or specify another FC. This FC is automatically created as soon as you exit the Edit F-Runti
library V1 and not counters OB calls.

6. If this F-runtime group is to provide data to another F-runtime group, select an F-DB for "DB for F-runtime group communication" from the drop-down list or specify another F-DB (symbolic entry possible). This F-DB is automatically created as soon as you exit the "Edit F-Runtime Groups" dialog with "OK". After the OK button is activated, the entries in the "Edit F-Runtime Groups" dialog undergo an internal validity check and are then applied.
[Screenshot: "Edit F-Runtime Groups" dialog showing the F-runtime group FC100 / FB100 / 100 ms / OB35: F-CALL block FC100; F-program block FB100, symbolic name "Sicherheitsprogramm 1"; DB for F-program block DB100; max. cycle time of the F-runtime in ms 100; call F-runtime in OB35; call time of the F-runtime group in ms 50; data block for F-runtime group communication; buttons OK, Cancel, Help]
This dialog also displays: the symbolic names of the newly defined F-blocks; the blo
llowing a successful loading operation and will then run on the new operating system. The entire F-I/O is passivated after startup of the IM. The F-I/O is reintegrated in the same way as when a communication error occurs, that is, an acknowledgment in the ACK_REI variable of the F-I/O DB is required.

Preventive Maintenance (Proof Test)
The probability values for the certified F-system components guarantee a proof-test interval of 10 years for ordinary configurations. For detailed information, refer to the F-I/O manuals. Proof test for complex electronic components generally means replacement with unused items. If, for particular reasons, you require a proof-test interval in excess of 10 years, contact your Siemens representative. As a rule, a shorter proof-test interval is required for sensors and actuators.

Removing S7 Distributed Safety
To remove the software, see Chapter "Installing/Removing S7 Distributed Safety V5.4 SP4 Optional Package". F-system hardware is removed and disposed of in the same way as with standard automation systems (refer to the appropriate hardware manuals).

See also
Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package (Page 17)
F-I/O Access (Page 97)
lly or following user acknowledgment in the F-I/O DB. The reintegration method depends on the following:
• Cause of passivation of the F-I/O (channels of the F-I/O)
• Parameters you have to assign for the F-I/O DB (see below)

Note
Note that channel-level passivation is possible for the faulty channel in the event of a channel fault in the F-I/O. If configured accordingly in HW Config, the fail-safe value 0 is output for the affected channel. If you have configured channel-level passivation for the F-I/O, the relevant channels are reintegrated once the fault is corrected; any faulty channels remain passivated.

See also
Configuring the F-I/O (Page 35)

5.3 F-I/O DB

Introduction
An F-I/O DB is automatically created for each F-I/O during compilation in HW Config. This F-I/O DB contains variables that you can evaluate in the safety program or that you can or must describe, except for the DIAG variable, which can only be evaluated in the standard user program. The initial values or actual values of the variables cannot be changed directly in the F-I/O DB because the F-I/O DB is know-how protected.

Use of / Access to an F-I/O DB
You access variables of the F-I/O DB for the following reasons:
• For reintegration of F-I/O after communication errors, F-I/O faults or channel faults
• If
265. lt-tolerant automation systems. The H/F Competence Center can also provide assistance with on-site configuration, commissioning and troubleshooting. For questions about workshops etc., contact hf-cc.aud@siemens.com. Technical Support: Technical support is available for all A&D products, using the Support Request Web form (http://www.siemens.com/automation/support). You can find additional information about our Technical Support on the Internet at http://www.siemens.com/automation/service. Preface, Service & Support on the Internet: In addition to our paper documentation, we offer our complete knowledge base on the Internet at http://www.siemens.com/automation/service&support. Here you will find the following information: our newsletter, containing the latest information on your products; a search engine in Service & Support for locating the documents you need; a forum for global information exchange by users and experts; your local contact partner for Automation & Drives; information regarding on-site service, repairs, spare parts and much more is available under "Services". Important Information for Preserving the Operational Safety of your System: Note: Systems with safety-related characteristics are subject to special operational safety requirements on the
266. ltaneous effect on all F-I/Os of the F-runtime group in which the F-application block is called. If you use the F-application block F_ACK_GL, you do not have to provide for a user acknowledgment for each F-I/O of the F-runtime group by means of the variable ACK_REI of the F-I/O DB. Note: Use of the F_ACK_GL F-application block is only possible if your safety program was created with S7 Distributed Safety V5.4 or higher, you have configured channel-level passivation for at least one F-I/O, or at least one F-I/O is connected to PROFINET IO. The F-system block F_IO_CGP is then in the block container of the S7 program. An acknowledgment via F_ACK_GL is only possible if the variable ACK_REI of the F-I/O DB = 0. Accordingly, an acknowledgment via the variable ACK_REI of the F-I/O DB is only possible if the input ACK_REI_GLOB of the F-application block = 0. The F-application block is only allowed to be called once per F-runtime group. See also: Implementing User Acknowledgment in the Safety Program of the F-CPU of a DP Master or IO Controller (Page 121); Implementing User Acknowledgment in the Safety Program of an I-Slave F-CPU (Page 124). F-Libraries, 9.1 Distributed Safety F-library (V1), 9.1.2.19: Introduction; Connections of F-Application Block F_SENDDP; FB 223 F_SENDDP and FB 224 F
267. lues 0 to 32767. Principle of operation: This F-application block forms an edge-controlled up counter with functionality based on IEC counter SFB 0 (CTU). The counter counts up by 1 on a rising edge (relative to the last F-application block call) at input CU. When the counter value reaches the upper limit of 32,767, it no longer counts up; for every additional rising edge at input CU, no counter action takes place. Signal state 1 at input R causes the counter to be reset to 0, irrespective of the value at input CU. Output Q displays whether the current counter value is greater than or equal to the default value PV. The functionality of this F-application block is in accordance with IEC 61131-3. Startup Characteristics: Following an F-system startup, the instances of the F_CTU are reset, resulting in CV = 0 and Q = 0. F-Libraries, 9.1 Distributed Safety F-library (V1), 9.1.2.4 FB 182 F_CTD (Count Down). Inputs/Outputs (Parameter, Data Type, Description, Default): Inputs: CD, BOOL, Counter input, 0; LOAD, BOOL, Load input (LOAD prevails over CD), 0; PV, INT, Default value (the counter is preset to PV if the signal state 1 is present at input LOAD), 0. Outputs: Q, BOOL, Counter status (Q = 1 if CV <= 0; Q = 0 if CV > 0), 0; CV, INT, Current counter value (possible values -32768 to 32767), 0.
268. m, see Chapter "Configuring the F-CPU". Product Overview, 1.3 Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package. If you want to use S7 Distributed Safety V5.4 SP4 to change a safety program created with an earlier version of S7 Distributed Safety, proceed as follows: 1. Compile the safety program with S7 Distributed Safety V5.4 SP4 prior to making changes. Result: All F-blocks of the Distributed Safety F-library (V1) that were used in the safety program and for which there is a new version in the Distributed Safety F-library (V1) in V5.4 SP4 are automatically replaced following confirmation. The collective signature of all F-blocks and the signature of individual F-blocks change for the following reasons: the length of the collective signature has been changed from 16 to 32 bits (for conversion from V5.1 to V5.4 SP4 only); F-blocks of the Distributed Safety F-library (V1) were replaced; automatically compiled F-blocks have changed. When changing from V5.4 SP3 to V5.4 SP4, the collective signature of all F-blocks remains the same, although the F_CTRL_1 F-system block is replaced by a newer version (non-safety-related change). 2. Change the safety program according to your requirements. 3. Recompile the safety program. 4. Perform a comparison of the old and new version of the safety
269. m as a whole: specifying a password for the safety program; compiling the safety program; downloading the safety program; deactivating safety mode; comparing safety programs; printing a safety program. The collective signatures are formed using all F-blocks of the safety program. Programming, 4.2 Creating the Safety Program. Rules for the Program Structure: You must keep the following rules in mind when designing a safety program for S7 Distributed Safety: F-blocks must not be called directly in an OB; rather, they must be inserted into one or two F-runtime groups. The safety program consists of one or two F-runtime groups, each with one F-CALL. A maximum of one F-program block can be assigned to each F-CALL. The channels of an F-I/O can only be accessed from one F-runtime group. Variables of the F-I/O DB of an F-I/O can only be accessed from one F-runtime group, and only from the F-runtime group from which the channels of this F-I/O are accessed (if access is made). For optimal use of local data, you must call the F-CALL blocks (the F-runtime groups) ... See also: Overview of Configuration (Page 23); Differences between the F-FBD and F-LAD programming languages and the standard FBD and LAD programming languages (Page 61); Rules for F-Runtime Groups of the Safety Program; Safety Program Acceptance Test.
270. me Groups" dialog with "OK". Programming, 4.4 Defining F-Runtime Groups. 4. Define the F-program block of the F-runtime group by selecting the F-FB or F-FC from the drop-down list that you want to define as the F-PB for the new F-runtime group (symbolic entry possible). Only F-FBs/F-FCs without parameters can be specified. If the block to be assigned is an F-block of type FB, you must specify an instance DB (e.g., DB10) for "I-DB for F-program block" (symbolic entry possible). This DB is automatically created as soon as you exit the "Edit F-Runtime Groups" dialog with "OK". The number of the I-DB must not come from the range reserved in HW Config. If you specify an existing I-DB, it must be suitable for the selected F-program block. 5. The F-CPU monitors the F-cycle time in the F-runtime group. For "Max. Cycle Time of F-Runtime Group in ms", enter the maximum permissible time between two calls of this F-runtime group (maximum of 120,000 ms; see Safety Engineering in SIMATIC S7 system manual). WARNING: The F-runtime group call interval is monitored relative to the maximum value, that is, monitoring is performed to determine whether the call is executed often enough, but not whether it is executed too often. For this reason, fail-safe timers must be implemented using F-application blocks from the Distributed Safety F
271. me as those from the Distributed Safety F-library (V1). Removing S7 Distributed Safety: When you remove S7 Distributed Safety, the user-created F-libraries are retained. F-Libraries, 9.1 Distributed Safety F-library (V1). Compiling and commissioning a safety program, 10.1 Safety Program Dialog. Introduction: The "Safety Program" dialog provides information about the safety program and contains important functions you can use to edit your safety program. Note: F-blocks are highlighted in yellow in SIMATIC Manager and in the "Safety Program" dialog. In SIMATIC Manager, know-how protected blocks are also represented with a lock symbol. Once the safety program has been successfully compiled, all blocks of the safety program are know-how protected. The exception to this are any F-blocks you created (F-PB, F-FBs, F-FCs, F-DBs) and did not assign know-how protection to. In the "Safety Program" dialog, F-blocks with F-attribute are also represented with an "F" in the block symbol. Once the safety program has been successfully compiled, only the blocks of the safety program have the F-attribute.
272. me of the setup. Once the correct password has been entered, access is authorized for 1 hour or until permission is revoked. Within this hour, the validity period of the online password is reset to 1 hour with each online action triggering the password prompt (see table for assignment and prompting of passwords), and likewise the validity period of the offline password is reset to 1 hour with each offline action triggering the password prompt. If the validity of an access permission expires and you are at that moment executing an action for which a password is required (e.g., editing an F-block), then you are prompted again for the current password when you save. If you do not enter a password, you cannot save the result of the action. Revoking Access Permission for the Safety Program: You can revoke the access permission for the safety program in the "Set up permission for safety program" dialog by clicking the "Cancel" button. You can also revoke the access permission for the safety program in the "Safety Program" dialog by clicking the drop-down arrow on the "Permission" button. The user will then be prompted to enter the password for the safety program again the next time an action requiring a password (see table for assignment and prompting of passwords) is performed. To revoke access permission when using the Modify function, the connection to the F-CPU must be terminated, for example by closing the STEP 7 applications. The
273. mined, or F-runtime group was not called: The associated F-CALL was not called for at least one F-runtime group, e.g., because no F-CALL call was programmed in an OB (OB35), FB or FC. Note: If the text below "Current Mode" is enclosed in square brackets ([abc]), this indicates that the collective signatures of the safety program and/or the passwords for the safety program do not match online and offline. This means one of the following: the offline safety program was modified after downloading; the wrong F-CPU was addressed. You can verify the latter based on the online collective signature of all F-blocks with F-attribute in the block container. Click on the title row of the block list to sort the list. Note that the current safety mode display may not be up to date if the programming device or PC is not directly connected to the F-CPU (intelligent DP slave) and the safety program dialog for a safety program located on this F-CPU is opened. In this case, "unknown" is output for the mode. Solution: Connect the programming device or PC directly to the F-CPU for which the safety program dialog should be opened. To log the safety program, see Chapter "Printing Project Data of Safety Program". See also: Safety Program States (Page 271); Printing out Project Data (Page 297). Compiling and commissioning a safety program, 10
274. ming Communication, 8.7 Safety-Related Communication via S7 Connections, 8.7.1 Configuring safety-related communication using S7 connections. Introduction: Safety-related communication between the safety programs of F-CPUs via S7 connections takes place by means of connection tables in NetPro, the same as in standard programs. Note: In S7 Distributed Safety, S7 connections are generally permitted over Industrial Ethernet only. Restrictions: Safety-related communication via S7 connections is possible from and to the following CPUs: CPU 315F-2 PN/DP (only via the CPU PN interface); CPU 317F-2 PN/DP (only via the CPU PN interface); CPU 416F-3 PN/DP (only via the CPU PN interface); CPU 416F-2 (firmware version V4.0 and higher). Creating an S7 Connection in the Connection Table: For each connection between two F-CPUs, you must create an S7 connection in the connection table in NetPro. STEP 7 assigns a local ID and a partner ID for each connection end point. If necessary, you can change the local ID in NetPro. You assign the local ID to the ID parameter of the appropriate F-application blocks in the safety programs. Note: Safety-related communication via S7 connections to unspecified partners is not possible. Configuring and Programming Communication
275. Configuring and Programming Communication, 8.5 Safety-Related I-Slave-Slave Communication, 8.5.4 Limits for Data Transfer. Limits for Data Transfer: Note the maximum limit of 244 bytes of input data and 244 bytes of output data for transfer between an I-slave and a DP master. An example of the amount of output and input data that are assigned for safety-related communications is shown in the table below for a 4/8 F-DI and a 4 F-DO of ET 200S. Table (Example for 4/8 F-DI and 4 F-DO of ET 200S); columns: Safety-Related Communication Connection; Assigned Input and Output Data Between I-Slave and DP Master (Output Data in the I-Slave; Input Data in the I-Slave). Rows: I-slave-slave communication with 4/8 F-DI: 4 bytes; 6 bytes. I-slave-slave communication with 4 F-DO: 5 bytes; 5 bytes. If necessary, you should also take into account fail-safe master-I-slave communication (F-MS-R/F-MS-S) and master-slave connections (MS) or direct data exchange connections (DX) used to exchange data within your standard user program as part of the maximum limit of 244 bytes of input data and 244 bytes of output data for transmission between an I-slave and a DP master. You can check whether you are within the maximum limit of 244 bytes of input data and 244 bytes of output data for all conf
276. mpile" button. The safety program will now be compiled. Alternatively, you can compile the safety program using the "Check block consistency" function in SIMATIC Manager (see "Check Block Consistency" function in Chapter "Creating and Editing F-FB/F-FC"). Compiling and commissioning a safety program, 10.3 Compiling Safety Program. Compiling the Safety Program: Compilation is only possible for valid runtime groups, that is, none of the F-blocks you defined in the F-runtime groups dialog can be missing in the F-runtime group. When the safety program is compiled, a consistency check is performed, that is, the safety program is checked for errors and for F-blocks that you created in the block container but did not use in the F-runtime group. Any error messages are output in an error window. Only F-blocks that are part of the safety program receive an F-attribute. Following a successful compile operation, the block container always contains a consistent safety program composed entirely of F-blocks with F-attribute. The offline block container can contain F-blocks without F-attribute. Following a successful consistency check, the additional F-system blocks that are required and the automatically generated F-blocks are added. Error messages and warnings identified during the compile operation are collected and output in a dialo
277. n. Introduction: You configure an S7 Distributed Safety fail-safe system in basically the same way as a standard S7-300/S7-400 or ET 200S automation system. For this reason, this section presents only the essential differences you encounter when configuring an S7 Distributed Safety F-system compared to standard PLC configuration. F-Components That Must Be Configured: The following hardware components are configured for an S7 Distributed Safety F-system: 1. F-CPU, such as CPU 315F-2 DP. 2. F-I/O, such as ET 200S fail-safe modules; S7-300 fail-safe signal modules (for centralized configuration next to the F-CPU or decentralized configuration in ET 200M); ET 200pro fail-safe modules; ET 200eco fail-safe I/O modules; fail-safe DP standard slaves; fail-safe standard I/O devices. Information on F-I/O that Can be Used: For detailed information on which F-I/O can be used, refer to the manuals in the following table (Topic; Reference). Configuration rules, such as centralized configuration/distributed configuration with F-I/O, and coexistence of F-I/O and standard I/O: Safety Engineering in SIMATIC S7 system manual; manual for specific F-I/O. PROFIsafe address assignment for F-I/O: manual and context-sensitive online Help for specific F-I/O. Allocation of address areas by F-I/O in the F-CPU: manual for specific F-I/O. Fail-safe DP standard slaves: documentation for specific fail-safe
278. n. You have the option of creating your own F-libraries for S7 Distributed Safety. How to Create an F-Library: You create your own F-library as follows: 1. In SIMATIC Manager, select File > New. 2. In the "Libraries" tab, select "F-library" from the "Type" list. 3. Assign a name to the F-library. 4. Specify the file path. 5. Close the dialog with "OK". The F-library is created. Working with User-Created F-Libraries: To use F-FBs/F-FCs/application templates from user-created F-libraries, you must have the same S7 Distributed Safety version installed on your PC or programming device that was used to create the F-FBs/F-FCs or application templates. You must check yourself whether an existing user-created F-library is still current. If necessary, you must replace a user-created F-library with a newer available version. S7 Distributed Safety does not check the versions of the F-FBs/F-FCs in a user-created F-library. When you compile a safety program, there is also no automatic replacement of F-FBs/F-FCs from a user-created F-library with corresponding F-FBs/F-FCs from a newer version of this F-library. If necessary, copy F-FBs/F-FCs with a newer version from the user-created F-library into the block container of your safety program. You cannot use symbolic names of F-application blocks of the Distributed Safety F-library (V1) for user-created F-FBs/F-FCs and blocks. The F-FBs/F-FCs from user-created F-libraries are handled the sa
279. n. For F-CPUs with battery backup (e.g., CPU 416F-2), reinsert the battery if one was removed. You must make sure that the inserted memory card (MMC or Flash Card) contains the correct safety program. You can do so through a program identification or other measures, such as a unique identifier on the memory card (MMC or Flash Card). When downloading a safety program to a memory card (MMC or Flash Card), you must adhere to the following procedure: download the safety program to the memory card (MMC or Flash Card); perform a program identification, in other words, check whether the collective signatures of all F-blocks with F-attribute in the offline block container and on the memory card (MMC or Flash Card) match; affix an appropriate label to the memory card (MMC or Flash Card). The procedure outlined must be ensured through organizational measures. See also: Comparing Safety Programs (Page 290). Compiling and commissioning a safety program, 10.7 Modifying the Safety Program, 10.7.1 Modifying the safety program in RUN mode. Introduction: Changes to the safety program during operation in RUN mode can only be made in deactivated safety mode. You make changes to F-blocks offline in the FBD/LAD Editor in the same way as for a standard program. F-blocks cannot be modif
280. n be used. This requires configuration of an additional connection via the DP/DP coupler. Whether or not this is possible with one single DP/DP coupler depends on the capacity restrictions of the DP/DP coupler. Safety-Related Master-I-Slave Communication: Safety-related communication between the safety program of the F-CPU of the DP master and the safety program(s) of the F-CPU(s) of one or more I-slaves takes place over master-I-slave connections, as in standard systems. You do not need any additional hardware for the master-I-slave communication. Configuring Address Areas: For every communication connection between two F-CPUs, you must configure address areas in HW Config. In the figure below, each of the two F-CPUs will be able to send and receive data (bidirectional communication). [Figure: DP master (F-CPU 1) and I-slave (F-CPU 2) in HW Config; labels as shown: F_SENDDP LADDR 2048; F_RCVDP LADDR 256, Partner addr. 2048; F_RCVDP LADDR 2060; Local addr. 268; F_SENDDP LADDR 268, Partner addr. 2060.] You configure the following in the object properties for the I-slave (Configuring and Programming Communication, 8.3 Safety-Related Master-Slave Communication): a local address (I-slave) and a partner address (DP master) for sending data to
281. n mind the information in the readme files. Starting S7 Distributed Safety: S7 Distributed Safety is completely integrated in STEP 7. This means you do not specifically start S7 Distributed Safety; rather, each STEP 7 application (SIMATIC Manager, HW Config and FBD/LAD Editor) assists you in configuring and programming S7 Distributed Safety. Displaying Integrated Help: Context-sensitive help is available for the S7 Distributed Safety dialogs. You can access this help during each configuration and programming step by pressing the F1 key or clicking the "Help" button. For advanced help, select the Help > Contents > "Access Help for Optional Packages" > "S7 Distributed Safety, Work with F-systems" menu command. Removing S7 Distributed Safety: The S7 Distributed Safety optional package has two components, as follows: S7 F Configuration Pack V5.5 SP4; S7 Distributed Safety Programming V5.4 SP4. You can remove these components individually. Use the normal procedure in Windows for removing software: 1. In Windows, double-click the "Add or Remove Programs" icon in Control Panel to open the dialog box for installing software. 2. Select the appropriate entry in the list of installed software. Click "Add/Remove" to remove the software. 3. If the "Remove shared file" dialog appears, click "No" in case you are in doubt. Product
282. n of the configuration options, refer to the Safety Engineering in SIMATIC S7 system manual. Special F-Relevant Tabs: There are a few special tabs for the F-functionality included in the object properties of the fail-safe components (F-CPU and F-I/O). These tabs are described in the following sections. Assigning Symbols for Fail-Safe Inputs/Outputs of F-I/O: For convenience when programming S7 Distributed Safety, it is particularly important that you assign symbols for the fail-safe inputs and outputs of the F-I/O in HW Config. Saving and Compiling the Hardware Configuration: You must save and compile the hardware configuration of the S7 Distributed Safety F-system in HW Config. This is required for subsequent programming of the safety program. Changing Safety-Relevant Parameters: Note: If you change a safety-relevant parameter for an F-I/O, a fail-safe DP standard slave, a fail-safe standard I/O device or an F-CPU, you must recompile the safety program. The same applies to changes in the configuration of safety-related communication and, in particular, for changes in the S7 connections for safety-related communication via S7 connections. Configuration, 2.3 Configuring the F-CPU. Introduction: You configure the F-CPU in basically the same way as a standard automation system. Fo
283. n the safety program in which data are to be received, call the F_RCVDP F-application block for receiving at the start of the F-PB. 3. Assign the start addresses of the output and input data address areas of the DP/DP coupler configured in HW Config to the respective LADDR inputs. You must carry out this assignment for every communication connection for each of the F-CPUs involved. Configuring and Programming Communication, 8.2 Safety-Related Master-Master Communication. 4. Assign the value for the respective address association to the DP_DP_ID inputs. This establishes the association between an F_SENDDP in one F-CPU and an F_RCVDP in the other F-CPU. The associated fail-safe blocks receive the same value for DP_DP_ID. [Figure: DP masters linked by DP/DP couplers; block labels as shown: F_SENDDP DP_DP_ID 1; F_RCVDP DP_DP_ID 2; F_SENDDP DP_DP_ID 3; F_RCVDP DP_DP_ID 4; F_RCVDP DP_DP_ID 3; F_RCVDP DP_DP_ID 1; F_SENDDP DP_DP_ID 2; F_RCVDP DP_DP_ID 5; F_SENDDP DP_DP_ID 4; F_SENDDP DP_DP_ID 5.] WARNING: The value for each address association (input parameter DP_DP_ID; data type INT) is user-defined; however, it must be unique from all other safety-related communication connections in the network. S7 D
284. nce test. Downloading the changes is not sufficient. Checks after Downloading: 1. Once the safety program has been downloaded to the F-CPU, check the following: Check whether the online collective signature of all F-blocks with F-attribute in the block container matches the collective signature in the accepted offline printout. Verify that the online safety program contains no unused F-CALLs. Verify that no more than two F-CALL blocks are present in the F-CPU. If this is not the case, check to determine whether you downloaded the safety program to the correct F-CPU and, if necessary, download the safety program again. Note: In the case of recurring tests, you can determine whether the F-CPU contains the correct safety program by comparing the online collective signature of all F-blocks with F-attribute in the block container with the collective signature in the accepted offline printout. If there is no programming device or PC with S7 Distributed Safety V5.4 available for recurring tests, you can read out the collective signature of the safety program from the F-shared DB using an operator control and monitoring system. You can obtain the address in the F-shared DB where the collective signature of the safety program is found (F_PROG_SIG variable) from the safety program printout. This option should only be used if you do not have to perform a manipulation. See also: Downloading the Safety Program (Page 275). S7
285. ncy is detected, a fail-safe value of 0 is entered in the process input image (PII) for the momentary contact switch, and QBAD or QBAD_I_xx = 1 is set in the relevant F-I/O DB. WARNING: When using an F-application block with time processing, take the following timing imprecision sources into account when determining your response times: known timing imprecision based on standard systems resulting from cyclic processing; timing imprecision resulting from the update timing of the time base used in the F-application block (see figure in Chapter "F-Application Blocks"); tolerance of internal time monitoring in the F-CPU (for time values up to 100 ms, a maximum of 20% of the configured time value; for time values starting at 100 ms, a maximum of 2% of the configured time value). You must choose the interval between two call times of an F-application block with time processing so that the required response times are achieved, taking into account the possible timing imprecision. Output DIAG: The DIAG output provides non-fail-safe information on errors for service purposes. You can read out this information by means of operator control and monitoring systems or, if applicable, you can evaluate it in your standard user program. DIAG bits 0 to 5 are saved until the cause of the error has been eliminated.
286. nd the calls for the automatically added F-blocks of the F-runtime group. You create the F-CALL, but you cannot edit it. It is possible to call the F-CALL in an OB or in an FB/FC that is called in an OB. (Table columns: Programming Language; F-CALL; F-FB/F-FC; F-PB; F-DB; F-I/O DB.) F-PB: You program the actual safety function using F-FBD or F-LAD. The starting point for F-programming is the F-program block. The F-PB is an F-FC or F-FB (with instance DB) that becomes the F-PB when assigned to the F-CALL. You can do the following in the F-PB: program the safety program with F-FBD or F-LAD; call other created F-FBs/F-FCs for structuring the safety program; insert F-blocks of the "F-Application Blocks" block container from the Distributed Safety F-library (V1); insert F-blocks from user-created F-libraries. You define the call sequence of the F-blocks within the F-PB. F-DB: Optional fail-safe data blocks that can be read/write accessed from anywhere in the safety program. F-I/O DB: An F-I/O DB is automatically created for each F-I/O during compilation in HW Config. You can, or you must, access the variables of the F-I/O DB in conjunction with F-I/O accesses. Programming language: F-FBD/F-LAD. F-Blocks of Distributed Safety F-Library (V1): The Distributed Safety F-library (V1) contains F-application blocks in the "F-Application Blocks" block container, and F-system blocks and the F-shared DB in the "F-System Blocks" block container. The F-blocks in
287. nings apply when the safety program is transferred from a programming device or PC to F-CPUs without an inserted Flash card (e.g., CPU 416F-2). WARNING: If the function test of the safety program is not carried out in the target F-CPU, you must comply with the following procedure when transferring the safety program to the F-CPU with a programming device or PC, to ensure that the F-CPU does not contain an old safety program: perform a memory reset of the F-CPU using the mode selector or via the programming device/PC; download the configuration to the F-CPU in HW Config; download the safety program to the F-CPU in the "Safety Program" dialog; perform a program identification, that is, check to determine whether the collective signatures of all F-blocks with F-attribute in the block container match online and offline. WARNING: If multiple F-CPUs can be reached over a network (such as MPI) by one programming device or PC, you must take the following actions to ensure that the safety program is downloaded to the correct F-CPU: Use passwords specific to each F-CPU, such as a uniform password for the F-CPUs having the respective MPI address as an extension (Password_8). Note the following: a point-to-point connection must be used when assigning a password to an F-CPU for the first time (analogous to assigning an MPI address to an F-CPU for the first time). Before downloading a safety program to an
288. nit. Access to individual bits (channels) using the Input bit unit is not permitted. • Of standard I/O: At the beginning of each OB 1 cycle, the F CPU reads the inputs from the standard I/O and saves the values to the process input image. With the S7 400, also bear in mind the update times when using partial process images. Units: Input bit I, Input word IW. Input channels of the standard I/O are read only and can only be accessed using the indicated units. Therefore a transfer to IN_OUT parameters of an F FB or F FC is not permitted. In addition, a process specific validity check is required. S7 Distributed Safety configuring and programming 62 Programming and Operating Manual 07 2013 A5E00109537 05 Programming 4.1 Overview of Programming. Address Area: Process output image | Accessible | Size/Units | S7 Notation | Description. • Of F I/O: In the F PB, the safety program calculates the values for the outputs of the F I/O and stores them in the process output image. At the end of the F runtime group (F CALL), the F CPU writes the calculated output values to the outputs of the F I/O. Output channels are write only channels. Therefore a transfer to IN_OUT parameters of an F FB or F FC is not permitted. Channels of data type BOOL (such as digital channels); channels of data type INT/WORD (such as analog channels). Units: Output bit, Output word QW. Output channels of data type
289. no error exists. Glossary. DP/DP Coupler: Device for coupling two PROFIBUS DP subnets that is required in S7 Distributed Safety for master master communication between → safety programs in different → F CPUs. At least two F CPUs are involved in safety related master master communication via a DP/DP coupler. Each F CPU is linked to the DP/DP coupler by means of its PROFIBUS DP interface. Expert: A system is generally approved, that is, the safety acceptance test of the system is usually carried out by an independent expert, for example from TUV. Fail safe DP standard slaves: Fail safe DP standard slaves are standard slaves that are operated on PROFIBUS with the DP protocol. They must behave in accordance with the standard IEC 61784 1 Ed3 CP 3/1 and the PROFIsafe bus profile according to IEC 61784 3 3 Ed2. A GSD file is used to configure fail safe DP standard slaves. Fail Safe I/O Modules: ET 200eco modules are fail safe I/O modules that can be used for safety related operation in → safety mode. These modules feature integrated → safety functions. They behave in accordance with the standards IEC 61784 1 Ed3 CP 3/1 or IEC 61784 2 CP 3/5 and CP 3/6 and IEC 61158 Types 5 10 and 6 10, and the PROFIsafe bus profile according to IEC 61784 3 3 Ed2. Fail Safe Modules: ET 200S and ET 200pro modules that can be
290. nput IN, or assign function key 1 to transfer an acknowledgment value of 6 (first step in acknowledgment) and function key 2 to transfer an acknowledgment value of 9 (second step in acknowledgment) in the instance DB of F_ACK_OP, input IN. 3. Optional: On your operator control and monitoring system, evaluate input Q in the instance DB of F_ACK_OP to indicate the time frame within which the second step in acknowledgment must occur, or to indicate that the first step in acknowledgment has already occurred. If you should only be able to perform a user acknowledgment from one programming device or PC using the Monitor/Modify Variable function, and you do not want to deactivate safety mode, then you must transfer an address (memory word) at input IN when calling the F_ACK_OP F block. You can then transfer acknowledgment values 6 and 9 on the programming device or PC by modifying the memory word. The memory word must not be written by the program. Note: If you interconnect input IN to a memory word, it may only be an input at F_ACK_OP in one F runtime group. WARNING: The two acknowledgment steps must not be triggered by one single operation, for example by automatically storing them along with the time conditions in one program and using one function key to trigger them. The two separate acknowledgement steps also prevent your non fail safe operator control and monitoring system from erroneously triggering an acknowle
291. nstances of F_TON are reset in the first cycle following a startup of the F system, resulting in • ET = 0 • Q = 0. See also: Overview of F application blocks (Page 183). 9.1.2.8 FB 186 F_TOF: Create OFF Delay. Connections: Parameter | Data Type | Description | Default. Inputs: IN | BOOL | Start input | 0; PT | TIME | Time by which the falling edge at input IN is delayed, with PT > 0 | T#0ms. Outputs: Q | BOOL | Time status | 0; ET | TIME | Elapsed time | T#0ms. Principle of operation: This F application block delays a falling edge by time PT; this functionality is based on IEC TIMER SFB 5 TOF. A rising edge at input IN causes a rising edge at output Q. A falling edge at input IN results in a falling edge at output Q once time PT has elapsed. If input IN changes back to 1 before time PT has elapsed, then output Q remains at 1. Output ET supplies the time that has passed since the last falling edge at input IN, not to exceed the value at input PT. ET is reset if input IN changes to 1. WARNING: When using an F application block with time processing, take the following timing imprecision sources into account when determining your response times: • Known timing imprecision based on standard systems resulting from cyclic processing • Timing imprec
292. nual 07 2013 A5E00109537 05 F Libraries 9.1 Distributed Safety F library V1. Performance in the Event of Overflow or Underflow of Analog Values and Fail Safe Value Output. Note: If inputs from the PII of an SM 336; AI 6 x 13 Bit are used as input values, you must bear in mind that the F system detects an overflow or underflow of a channel of this F SM as an F I/O fault or channel fault. The fail safe value 0 is provided in place of 7FFFH for overflow or 8000H for underflow in the PII for the safety program. If other fail safe values are to be output in this case, you must evaluate the QBAD variable in the F I/O DB (branch to output of an individual fail safe value). If the value in the PII of the F SM is within the overrange or underrange, but is greater than 27648 or less than 0, you can likewise branch to the output of an individual fail safe value by evaluating outputs OUT_HI and OUT_LO, respectively. 9.1.2.3 FB 181 F_CTU: Count Up. Connections: Parameter | Data Type | Description | Default. Inputs: CU | BOOL | Counter input | 0; R | BOOL | Reset input (R prevails over CU) | 0; PV | INT | Default value (see parameter Q for effect of PV) | 0. Outputs: Q | BOOL | Counter status: Q = 1 if CV >= PV, Q = 0 if CV < PV | 0; CV | INT | Current counter value (possible va
293. o a real S7 component. Note, for example, that a protocol analyzer may not perform functions that reproduce recorded frame sequences with correct time behavior. STOP by Means of Programming Device or PC, Mode Selector, or Communication Function. WARNING: Switching from STOP to RUN mode using a programming device or PC interface, mode selector, or communication function is not interlocked. For example, only one keystroke is necessary to switch from STOP to RUN mode on a programming device or PC interface. For this reason, a STOP that you have set by means of a programming device or PC, mode selector, or communication function must not be regarded as a safety condition. Therefore always switch off the F CPU directly at the device when performing maintenance work. Operation and Maintenance 12.2 Replacing Software and Hardware Components. F CPU Stop Initiated by SFC 46 STP. WARNING: A STOP state initiated by SFC 46 STP can be canceled very easily and unintentionally from the programming device or PC. For this reason, an F CPU STOP initiated by SFC 46 is not a fail safe STOP. CRC error in safety related communication (see also 324). Note: CRC error in safety related communication. If you observe that an F CPU requests manual acknowledgement of a CRC error more than onc
294. oading to an S7 PLCSIM: 1. Select the correct F CPU or S7 program assigned to it. 2. In SIMATIC Manager, select the Options > Edit Safety Program menu command. The Safety Program dialog will appear. In the Safety Program dialog, press the Download button. All F blocks with F attribute belonging to the safety program are identified and downloaded to S7 PLCSIM. Confirm the prompt indicating that the F CPU will be stopped. Note: S7 Distributed Safety automatically determines whether the target device is a real F CPU or S7 PLCSIM. If the target device is S7 PLCSIM, special simulation blocks (F system blocks) are downloaded automatically from the S7 Distributed Safety F library V1 to S7 PLCSIM. Your offline safety program is unchanged and consistent following the download operation to the S7 PLCSIM. The collective signature of all F blocks with F attribute no longer matches the collective signature in S7 PLCSIM. Because the safety program is not changed offline for support of S7 PLCSIM, it can also be downloaded to an F CPU after being downloaded to S7 PLCSIM. To download the safety program to an F CPU, simply deactivate S7 PLCSIM. You must re download the safety program to the S7 PLCSIM following each S7 PLCSIM STOP. It is also possible to download changes in the safety program to an S7 PLCSIM (see above).
295. ocal data setting is applicable to all F runtime groups of a safety program. You must provide at least 330 bytes of local data for the safety program. However, the local data requirement for the automatically added F blocks may be higher, depending on the requirements of your safety program. Thus you should provide as much local data as possible for the automatically added F blocks. If there is not enough local data available for the automatically added F blocks (330 bytes or more), the safety program will be compiled nevertheless. Data in automatically added F DBs are then used instead of local data. This increases the runtime of the F runtime group(s), however. You will receive a notice via S7 Distributed Safety if the automatically added F blocks would require more local data than configured. WARNING: The calculated maximum runtime of the F runtime group using the MS Excel file s7fcotia.xls is no longer correct in this case, because the calculation assumes sufficient F local data are available. In this case, use the value you configured for the maximum cycle time of the F runtime group (F monitoring time) as the maximum runtime of the F runtime group when calculating the maximum response times in the event of an error and for any runtimes of the standard system using the above mentioned Excel file. Note: Note that the maximum possible amount of F local data depends on the following: • Local data requirement of your hi
296. ogram. System Acceptance Test 11.4 Acceptance Test of Changes. Detection of Safety Related Changes in the Parameter Assignment of the F I/O: To determine safety related changes in the parameter assignment of the F I/O addressed in the safety program, compare the parameter CRCs of all F I/O in the Addressed F I/O section of the Safety program printout with those in the printout of the accepted safety program. If the Parameter CRC for an F I/O is different, there is a safety related change in the parameter assignment of this F I/O (e.g. for PROFIsafe addresses). In this case, also compare the Parameter CRC without F addresses (or F Par CRC without F addresses for fail safe DP standard slaves/standard I/O devices) in the printout of the modified hardware configuration with the corresponding cyclic redundancy check in the printout of the accepted hardware configuration. The printout of the hardware configuration contains this information in the relevant module description for the F I/O. If this information is identical, only the PROFIsafe addresses were changed. In this case, you do not have to check the other safety related parameters of the F I/O individually. Make sure that the PROFIsafe destination addresses of all configured F I/O continue to be unique from all others. If you want to determine safety related c
297. ogramming 4.4 Defining F Runtime Groups. After a startup of the F system, fail safe values are made available to the F runtime group having read access to data in the DB for F runtime group communication of another F runtime group (for example, F runtime group 2). The values you specified in the DB for F runtime group communication of F runtime group 1 are made available as fail safe values (presetting of the DB for F runtime group communication). F runtime group 2 reads the fail safe values the first time it is called. The second time F runtime group 2 is called, it reads the latest data if F runtime group 1 has been processed completely between the two calls of F runtime group 2. If F runtime group 1 has not been processed completely, F runtime group 2 continues to read the fail safe values until F runtime group 1 is completely processed. The behavior is illustrated in the two figures below. [Figure: Reading data from F runtime group 1 that has a longer OB cycle and lower priority than F runtime group 2. Timing diagram of F runtime group 1 (F ALG 1) and F runtime group 2 (F ALG 2) with values x 1 to x 7; the image itself is not recoverable from the extracted text.]
298. ogramming 326 Operation and Maintenance 12.3 Guide to Diagnostics. Introduction: This chapter presents a compilation of diagnostic capabilities that can be evaluated for your system when an error occurs. Most of the diagnostic capabilities are the same as those in standard automation systems. The sequence of steps represents one recommendation. Steps for Evaluating Diagnostic Capabilities: If the F CPU is in STOP mode, read out the following in consecutive order in HW Config using the PLC > Module Information menu command: • B stack (check whether STOP mode of the F CPU was triggered by an F block of the safety program) • U stack • L stack. Step | Procedure | Reference. 1 | Evaluating LEDs on the hardware (F CPU, F I/O): • BUSF LED on the F CPU flashes when a communication error occurs on PROFIBUS DP/PROFINET IO • When OB 85 and OB 121 are programmed: illuminates when a programming error occurs (e.g. instance DB is not loaded) • STP LED on the F CPU illuminates when the F CPU is in STOP mode • Fault LEDs on the F I/O: SF LED (group error LED) illuminates if any fault occurs in the individual F I/O. 2 | Evaluating diagnostic buffer in STEP 7: In HW Config, read out the diagnostic buffer for the modules (F CPU, F I/O, CPs) using the PLC > Module Information menu command | STEP 7 online help and F CPU and F I/O manuals. 3 | Ev
299. ompiling and commissioning a safety program 10.8 Printing out Project Data. • List of the F I/O addressed in the F runtime group (that is, not for all F I/O configured in HW Config, but rather only for those F I/O actually used): Symbolic name of the F I/O DB; Number of the F I/O DB; Start address; Name (identifier) of the F I/O; Module type; F_Monitoring_Time; Cyclic redundancy check by means of parameter assignment, in order to allow quick detection of changes on the I/O; PROFIsafe source and target address; PROFIsafe mode; Type of passivation. • The following information is indicated for the F shared DB of the safety program: Number of the F shared DB; Symbolic name (F_GLOBDB); Absolute and symbolic address of the safety program's collective signature; Absolute and symbolic address for reading out the operating mode; Absolute and symbolic address for reading out error information; Absolute and symbolic address for reading out the compilation time; Absolute and symbolic address of the RLO 0; Absolute and symbolic address of the RLO 1. • Additional information: The setting of the Safety mode can be deactivated parameter for the safety program; Printout created on; Total number of pages in this printout. See also: Safety Program Dialog (Page 267). Compiling and commissioning a safety program 10.9 Testing the
300. on contained in the STATUS parameter of SFB 9/FB 9. The diagnostic information contained in the STAT_SND parameter corresponds to the diagnostic information contained in the STATUS parameter of SFB 8/FB 8. For a description, refer to the Online Help for STEP 7 on SFB 8 and SFB 9. See also: F I/O Access (Page 97). Checklist A.1 Checklist: Life Cycle of Fail Safe Automation Systems. The table below contains a checklist summarizing all activities in the life cycle of a fail safe S7 Distributed Safety system, including requirements and rules that must be observed in the various phases. Checklist Key: • Stand alone chapter references refer to this documentation. • SM stands for the Safety Engineering in SIMATIC S7 system manual. • F SMs Manual stands for the Automation System S7 300, Fail Safe Signal Modules manual. • F Modules Manual stands for the ET 200S Distributed I/O System, Fail Safe Modules manual. • ET 200eco Manual stands for the ET 200eco Distributed I/O Station, Fail Safe I/O Module manual. • ET 200pro Manual stands for the ET 200pro Distributed I/O Station, Fail Safe Modules manual. Phase | Requirement/Rule | Reference. C
301. onfiguring and programming Programming and Operating Manual 07 2013 A5E00109537 05 103 F I/O Access 5.3 F I/O DB. IPAR_EN: The IPAR_EN variable corresponds to the iPar_EN_C variable in the PROFIsafe bus profile (PROFIsafe Specification V1.20 and higher). Fail safe DP standard slaves/standard I/O devices: To find out when this variable has to be set or reset when parameters of fail safe DP standard slaves are reassigned, consult the PROFIsafe specification V1.20 or higher, or the documentation for the fail safe DP standard slave/standard I/O device. WARNING: Note that IPAR_EN = 1 does not trigger passivation of the relevant F I/O. If passivation should continue to occur when IPAR_EN = 1, you must also set variable PASS_ON = 1. HART communication with SM 336; F AI 6 x 0/4 ... 20 mA HART: If you set variable IPAR_EN to 1 when parameter HART_GATE = switchable, the HART communication is enabled for the SM 336; F AI 6 x 0/4 ... 20 mA HART. Setting this variable to 0 disables the HART communication. The F SM acknowledges the enabled or disabled HART communication with variable IPAR_OK = 1 or 0. The HART communication is not enabled until the status of your system allows the parameters of the associated HART field device to be safely reassigned. If you want to evaluate the Enable HART communication status in your safety program (e.g. for the purpose of programming interlocks), you must generate the information a
302. onnections. 9.1 Distributed Safety F library V1. Note: Access to the DIAG output is not permitted in the safety program. See also: Implementing User Acknowledgment in the Safety Program of the F CPU of a DP Master or IO Controller (Page 121); Implementing User Acknowledgment in the Safety Program of an I Slave F CPU (Page 124); Overview of F application blocks (Page 183). FB 190 F_1oo2DI: 1oo2 Evaluation with Discrepancy Analysis. Connections: Parameter | Data Type | Description | Default. Inputs: IN1 | BOOL | Sensor 1 | 0; IN2 | BOOL | Sensor 2 | 0; DISCTIME | TIME | Discrepancy time (0 to 60 s) | T#0ms; ACK_NEC | BOOL | 1 = acknowledgment necessary for discrepancy error | 1; ACK | BOOL | Acknowledgment of discrepancy error | 0. Outputs: Q | BOOL | Output | 0; ACK_REQ | BOOL | 1 = acknowledgement required | 0; DISC_FLT | BOOL | 1 = discrepancy error | 0; DIAG | BYTE | Service information | 0. Principle of Operation: This F application block implements a 1oo2 evaluation of two single channel sensors combined with a discrepancy analysis. Output Q is set to 1 if the signal states of inputs IN1 and IN2 both equal 1 and no discrepancy error DISC_FLT is stored; if the signal state of one or both inputs is 0, output Q is set to 0. As soon as the signal states of inputs IN1 and IN2 are different, the discrepancy time DISCTIME is started. If the signal states of the two inputs are still different once the discrepancy time expires
303. or Control and Monitoring System under Implementing User Acknowledgment in Safety Program of F CPU of DP Master. From your operator control and monitoring system, you can then access the instance DB of F_ACK_OP in the I slave directly. Implementation of user acknowledgment 6.2 Implementing User Acknowledgment in the Safety Program of an I Slave F CPU. 2. User Acknowledgment by Means of an Acknowledgment Key at an F I/O with Inputs Assigned to the F CPU of the I Slave. Note: In the event of a communication error, F I/O fault, or channel fault in the F I/O to which the acknowledgment key is connected, an acknowledgment for reintegration of this F I/O is no longer possible. This block can only be removed by a STOP to RUN transition of the F CPU of the I slave. Consequently, it is recommended that you also provide for an acknowledgment by means of an operator control and monitoring system that you can use to access the F CPU of the I slave for the acknowledgment for reintegration of an F I/O to which an acknowledgment key is connected (see 1). 3. User Acknowledgment by Means of Acknowledgment Key at an F I/O with Inputs Assigned to the F CPU of the DP Master: If you want to use the acknowledgment key that is assigned to the F CPU on the DP master for a user acknowledgment in the safety program of the F CPU of an I slave
304. or a solution, see DIAG bits 0 to 6 (communication error, or passivation by means of variable PASS_ON, of the F I/O of the muting lamp; see Chapter F I/O DB). Bit 5: FREE is necessary. Possible cause: see other DIAG bits. Remedy: two rising edges at ACK within 4 s, and activate acknowledgment button until ACK_REQ = 0. Bit 6: Acknowledgment necessary. Bit 7: State of output Q. Bit 8: State of output MUTING. Bit 9: FREE active. Bit 10: Reserved. Bit 15: Reserved. Note: Access to the DIAG output is not permitted in the safety program. See also: Implementing User Acknowledgment in the Safety Program of the F CPU of a DP Master or IO Controller (Page 121); Implementing User Acknowledgment in the Safety Program of an I Slave F CPU (Page 124); Overview of F application blocks (Page 183). 9.1.2.15 FB 215 F_ESTOP1: Emergency STOP up to Stop Category 1. Connections: Parameter | Data Type | Description | Default. Inputs: E_STOP | BOOL | Emergency STOP | 0; ACK_NEC | BOOL | 1 = Acknowledgment necessary | 1; ACK | BOOL | 1 = Acknowledgment | 0; TIME_DEL | TIME | Time delay | T#0ms. Outputs: Q | BOOL | 1 = Enable | 0; Q_DELAY | BOOL | Enable is OFF delayed | 0; ACK_REQ | BOOL | 1 = Acknowledgment request | 0; DIAG | BYTE | Service information | B#16#0. Principle o
305. ors, and once the maximum muting time has been exceeded, ACK_REQ is immediately set to 1. As soon as a user acknowledgment has taken place at input ACK, discrepancy times DISCTIM1 and DISCTIM2 and maximum muting time TIME_MAX are reset. Timing Diagrams for Discrepancy Errors at Sensor Pair 1 or Interruption of the Light Curtain If MUTING Is Not Active (FREE). [Timing diagram; the image itself is not recoverable from the extracted text. Legend:] 1: Sensor pair 1 (MS_11 and MS_12) is not activated within discrepancy time DISCTIM1. 2: The light curtain is interrupted even though the MUTING function is not active. 3: Acknowledgment. Behavior with Stopped Conveyor Equipment: If monitoring is deactivated while the conveyor equipment has stopped for one of the following reasons: • To comply with discrepancy time DISCTIM1 or DISCTIM2 • To comply with maximum muting time TIME_MAX, you must supply input STOP with a 1 signal for as long as the conveyor equipment is stopped. As soon as the conveyor equipment is running again (STOP = 0), discrepancy times DISCTIM1 and DISCTIM2 and maximum muting time TIME_MAX are reset. WARNING: When STOP = 1, the discrepancy monitor
306. ostic events is then entered in the diagnostic buffer of the F CPU: • Data corruption in the safety program prior to output to F I/O • Data corruption in the safety program prior to output to partner F CPU • Safety program internal CPU fault (internal error information 404). WARNING: A modification to the safety program causes a change in the collective signature, and consequently a new acceptance test may be required. Downloading to an S7 PLCSIM: You can test the safety program with the S7 PLCSIM function (hardware simulation) of STEP 7. Compiling and commissioning a safety program 10.4 Downloading the Safety Program. Requirements for Downloading to an S7 PLCSIM: The S7 PLCSIM V5.3 or higher optional package is installed on your programming device or PC. You have write authorization for the directory where the Distributed Safety F library V1 is installed. S7 PLCSIM is active. To activate S7 PLCSIM, select Options > Simulate Modules in SIMATIC Manager. The S7 PLCSIM application is started and the CPU subwindow is displayed. A hardware configuration with F CPU is downloaded. To download this hardware configuration, open HW Config and download the desired configuration the same way as you would download it to a real CPU. The safety program is consistent. Procedure for Downl
307. ount when determining your response times: • Known timing imprecision based on standard systems resulting from cyclic processing • Timing imprecision resulting from the update timing of the time base used in the F application block (see figure in Chapter F Application Blocks) • Tolerance of internal time monitoring in the F CPU: for time values up to 100 ms, a maximum of 20% of the configured time value; for time values starting at 100 ms, a maximum of 2% of the configured time value. You must choose the interval between two call times of an F application block with time processing so that the required response times are achieved, taking into account the possible timing imprecision. Activating Inputs IN1 and IN2 (Example): Inputs IN1 and IN2 must both be activated in such a way that their safe state is 0. For nonequivalent signals, you have to invert the input IN1 or IN2 to which you have assigned the sensor signal with a safe state of 1. You must also OR the sensor signal with the QBAD or QBAD_I_xx variable of the associated F I/O DB or channel, so that a signal state of 0 is present at input IN1 or IN2 after inversion if fail safe values are output. Network 1: F_1oo2DI with nonequivalent signals. DB190 (F_1oo2DI). Sensor
308. pancy time. Discrepancy time setting is < 0 s or > 60 s | Set discrepancy time in range from 0 s to 60 s. Bit 1: For discrepancy errors, last signal state change was at input IN1. Bit 2: For discrepancy errors, last signal state change was at input IN2. Bit 3: Reserved. Bit 4: Reserved. Bit 5: For discrepancy errors, input ACK has a permanent signal state of 1 | Possible causes: Acknowledgment button defective; Wiring fault | Remedies: Replace acknowledgment button; Check wiring of acknowledgment button. Bit 6: Acknowledgment necessary. Bit 7: State of output Q. Note: Access to the DIAG output is not permitted in the safety program. See also: Overview of F application blocks (Page 183). 9.1.2.13 FB 211 F_2H_EN: Two Hand Monitoring with Enable. Connections: Parameter | Data Type | Description | Default. Inputs: IN1 | BOOL | Momentary contact switch 1 | FALSE; IN2 | BOOL | Momentary contact switch 2 | FALSE; ENABLE | BOOL | Enable input | FALSE; DISCTIME | TIME | Discrepancy time (0 to 500 ms) | T#0ms. Outputs: Q | BOOL | 1 = Enable | FALSE; DIAG | BYTE | Service information | B#16#0. Principle of Operation: Th
309. ple the CPU 31x, and place it on the DP master system. Link the I slave to the DP master in the Connection dialog, which opens automatically. 9. After steps 7 and 8, link the second I slave to the DP master. Now you can define the address areas for safety related I slave I slave communication. 10. In the F Configuration tab of the object properties for I slave 1, select New. Configuring and Programming Communication 8.4 Safety Related Slave Slave Communication. 11. In the next dialog, make the following entries for the receive connection (from I slave 2 in our example): For Mode: F DX R (receive via fail safe slave/I slave communication). For DP partner (sender): DP address 5 (Slave PROFIBUS address), Address (LADDR) 130. For Local (receiver): Address (LADDR) 128. Accept the defaults for the other parameters in the dialog box. The dialog box has the following appearance: [Screenshot of the F Configuration dialog; the image itself is not recoverable from the extracted text. Visible entries: DP partner (sender): DP address 3 (Slave), CPU name CPU 315F 2 DP, Address (LADDR) 130, Process image; Local (recipient): DP address 5 (Slave), CPU name IM151 F CPU, Address (LADDR) 128, Process image; Diagnostic address 2044.] Master ad
310. plicitly, so that you can relate the F FB/F FC/F DB to the protected F FB/F FC/F DB later (e.g. same name, comments regarding the F FB/F FC/F DB). Do not store the backup copy in the project containing the protected F FB/F FC/F DB; otherwise a non protected copy of the F FB/F FC/F DB will be available. If you want to store the backup copy in an F library, make sure that the F library is a user created F library in S7 Distributed Safety. The FBD/LAD Editor displays only F libraries for S7 Distributed Safety. Save the backup copy of the F FB/F FC/F DB. Result: The check box in the Know how protection column of the Safety Program dialog is selected and cannot be cleared. The block symbol in the Block column is shown with a padlock. The F FB, F FC, or F DB is protected. Follow the same procedure until all the F FBs/F FCs/F DBs you want to protect are protected. Modifying Protected F FBs/F FCs/F DBs: Note: You cannot cancel the know how protection of F FBs/F FCs/F DBs. If you want to modify a protected F FB/F FC/F DB, proceed as follows: 1. Delete the protected F FB/F FC/F DB from your project. 2. Copy the backup copy of the F FB/F FC/F DB into your project. 3. Edit the unprotected F FB/F FC/F DB in the FBD/LAD Editor. 4. If required, set know how protection for the F FB/F FC/F DB (see above). See also: Custom F Libraries (Page 265).
311. ply with the other rules for testing. Note: A Modify function controlled by the F system requires the use of STEP 7 with the S7 Distributed Safety optional package. If an operator control and monitoring system or STEP 7 without the S7 Distributed Safety optional package is used to modify variables, the F CPU can go to STOP mode. Testing and commissioning functions are selected with standard STEP 7 tools (FBD/LAD Editor, Variable Editor, HW Config). An attempt to modify a safety program in safety mode is rejected with a corresponding error message, or a dialog box for deactivating safety mode is provided. In certain circumstances, a modify request can cause the F CPU to go to STOP mode. Opening F Blocks: The FBD/LAD Editor can be used to open an F block online in the F CPU as a write protected block only; that is, you cannot modify an F block directly in the F CPU, even if safety mode is deactivated. Instead, you must edit it offline and then download it. Modifying Values in F DBs: Values in F DBs can only be modified online in the F CPU. If the value is also to be changed offline, you must do this by editing the actual value and compiling the safety program offline as well. Modify only the parameters described in this documentation. Compiling and commissioning a safety program 10.9 Testing the Safety Program. Addit
312. program block. You must not use an actual parameter for an output parameter of an F_RCVS7 if it is already being used for an input parameter of the same F_RCVS7 or another F_RCVS7 or F_RCVDP call. The F-CPU can go to STOP if this is not observed. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
• Data corruption in the safety program prior to output to F-I/O
• Data corruption in the safety program prior to output to partner F-CPU
• Safety program: internal CPU fault, internal error information: 404
Configuring and Programming Communication, 8.7 Safety-Related Communication via S7 Connections
9. Configure the TIMEOUT inputs of the F_SENDS7 and F_RCVS7 with the required monitoring time.
WARNING: It can be ensured from a fail-safe standpoint that a signal level to be transferred will be captured on the sender side and transferred to the receiver only if the signal is pending for at least as long as the assigned monitoring time TIMEOUT. Information on calculation of monitoring times can be found in the system manual "Safety Engineering in SIMATIC S7".
10. To reduce the bus load, you can temporarily shut down communication between the F-CPUs. To do so, supply input EN_SEND of F_SENDS7 with 0 (default = 1). Then send data are no longer sent to the F-commun
313. program in the Compare safety program dialog (see Chapter "Comparing safety programs"). You can identify changes to the version of an F-block of the Distributed Safety F-library (V1) by the changes to F-block signatures. The modified signatures and initial value signatures of all F-application blocks and F-system blocks must correspond to those in Annex 1 of the Certification Report. Furthermore, you can identify whether changes have been made in the safety program. If necessary, the safety program must undergo another acceptance test.
Changing from S7 Distributed Safety V5.4 SP4 to an Earlier Version: If you want to change to an S7 Distributed Safety version < V5.4 SP4, you must completely remove S7 Distributed Safety V5.4 SP4 beforehand.
Product Overview: Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package
Changing from S7 Distributed Safety V5.4 SP4 to V5.3: When you open the Safety Program dialog for a consistent safety program created with S7 Distributed Safety V5.4 SP4, the status "The safety program is consistent" is output. You can use V5.3 to modify a safety program created with V5.4 SP4 if you use only those functions that were made available in V5.3. If you want to use V5.3 to change a safety program created with S7 Distributed Safety V5.4 SP4, proceed as follows:
1. D
314. prompt
[Signal chart residue; recoverable labels: Channel 0, Channel 1; ACK_REQ; User acknowledgement Channel 0, User acknowledgement Channel 1; ACK_REI; DIAG bit set, DIAG bit 1; Channel error for channel 0 (passivation channel 0); Channel error for channel 1 (passivation channel 1); Channel error for channel 0 remedied (reintegration channel 0); Channel error for channel 1 remedied (reintegration channel 1)]
F-I/O Access, 5.7 Passivation and Reintegration of F-I/O after F-I/O Faults and Channel Faults
See also: Configuring the F-I/O (Page 35); Programming Startup Protection (Page 95); Passivation and Reintegration of F-I/O after Communication Errors (Page 111); Implementing User Acknowledgment in the Safety Program of the F-CPU of a DP Master or IO Controller (Page 121); Implementing User Acknowledgment in the Safety Program of an I-Slave F-CPU (Page 124)
5.8 Group passivation
Programming a Group Passivation: If you want to enable passivation of additional F-I/O when an F-I/O or a channel of an F-I/O is passivated by the F-system, you can use the PASS_OUT/PASS_ON variabl
315. protection in the block symbol
Symbolic block name | Function in the safety program | Signature of the F-block | Know-how protection: has been selected for the offline safety program
Note: The symbolic names of F-blocks from the Distributed Safety F-library (V1) and automatically generated F-blocks must not be changed. The symbolic name of these F-blocks must always match the header name; otherwise, the safety program compile operation will be aborted.
Compiling and commissioning a safety program, 10.1 Safety Program Dialog
Information Regarding Safety Program: The following information regarding the safety program is displayed:
• Date of the last compile operation and the collective signatures calculated during compilation: collective signature of all F-blocks with F-attribute in the block container; collective signature of the safety program (value across all F-blocks called in the F-runtime group of the safety program)
• Information regarding the state of the safety program. There are three possible states: Consistent, Inconsistent, Modified
• Current Mode contains information on whether the safety mode is activated, or the safety mode is deactivated, or the CPU is in STOP mode, or the status of safety mode is unknown (that is, it cannot be deter
316. r an S7 Distributed Safety F-system, you must also do the following:
• Configure Level of Protection 1
• Configure the F-parameters
Configuring the Level of Protection of the F-CPU
WARNING: In safety mode, access by means of the F-CPU password must not be authorized when making changes to the standard user program, since changes to the safety program can also be made. To rule out this possibility, you must configure Level of Protection 1. If only one person is authorized to change the standard user program and the safety program, level of protection 2 or 3 should be configured so that other persons have only limited access or no access at all to the entire user program (standard and safety programs).
Use the following procedure to configure Level of Protection 1:
1. In HW Config, select the F-CPU (such as CPU 315F-2 DP) and select the Edit > Object Properties menu command.
2. Open the Protection tab.
3. Set Level of Protection 1 (Access protection for F-CPU) and "Removable with Password". Enter a password for the F-CPU in the field provided and select the "CPU contains safety program" option. Note that the Mode field is not relevant for safety mode.
For information on the password for the F-CPU, refer to Chapter "Overview of Access Protection". Pay particular attention to the warnings in Chapter "Setting Up Access Permission for the F-CPU".
317. r PC. Note, however, that any symbols used in the safety program are deleted and cannot be recreated, since no symbol information is saved in the F-CPU. Symbols are available only if you are using an offline project. After you upload a safety program to a programming device or PC, you can download it to the F-CPU again without repeating acceptance testing, as long as the safety program was not modified. The safety program you downloaded to the F-CPU again can only be executed if:
• The F-CPU did not execute the safety program prior to uploading it to the programming device or PC
• The hardware configuration of the safety-related communication (see Chapter "Configuring and Programming Communication") has not been changed
Note: If the safety program has been changed or has already been executed in the F-CPU, you must do the following before downloading the complete safety program to the F-CPU again:
1. Delete all instance DBs of F-blocks from the block container.
2. Reinsert all F-blocks used in the safety program from the Distributed Safety library (V1) or from a custom F-library in the offline block container, thereby overwriting existing F-blocks.
3. Reassign constants for parameters of F-blocks of the Pointer data type (required for F-blocks F_INT_WR, F_INT_RD only).
4. Recompile the safety program. This recreates the deleted instance DBs.
The F-CPU can go to STOP mode if this is disregarded. One of the following diagn
318. r S7-300/400 reference manual describes the Function Block Diagram standard programming language in STEP 7.
• The System Software for S7-300/400 System and Standard Functions reference manual describes functions for accessing and performing diagnostics on the distributed I/O and CPU.
• The Programming with STEP 7 V5.x manual provides an overview of programming with STEP 7 (e.g. installation, startup, program creation and user program components).
STEP 7 online help:
• Describes the operation of STEP 7 standard tools
• Contains information about configuration and parameter assignment for modules and I-slaves with HW Config
• Contains a description of the FBD and LAD programming languages
Guide: The complete SIMATIC S7 documentation is available on CD-ROM. This documentation describes how to work with the S7 Distributed Safety optional package. It includes both instructional material and reference material (description of fail-safe library blocks). The following topics are addressed:
• Configuring of S7 Distributed Safety
• Access protection for S7 Distributed Safety
• Programming of safety program (safety-related user program)
• Safety-related communication
• F-libraries
• Support for system acceptance test
• Operation and maintenance of S7 Distributed Safety
Preface
Conventions: In t
319. r four muting sensors. Muting is a defined suppression of the protective function of light curtains. Light curtain muting can be used to introduce goods or objects into the danger area monitored by the light curtain without causing the machine to stop. To utilize the muting function, at least two independently wired muting sensors must be present. The use of two or four muting sensors and correct integration into the production sequence must ensure that no persons enter the danger area while the light curtain is muted.
WARNING: When using an F-application block with time processing, take the following timing imprecision sources into account when determining your response times:
• Known timing imprecision (based on standard systems) resulting from cyclic processing
• Timing imprecision resulting from the update timing of the time base used in the F-application block (see figure in Chapter "F-Application Blocks")
• Tolerance of internal time monitoring in the F-CPU: for time values up to 100 ms, a maximum of 20% of the configured time value; for time values starting at 100 ms, a maximum of 2% of the configured time value
You must choose the interval between two call times of an F-application block with time processing so that the required response times are achieved, taking into account the possible timing imprecision.
320. r safety-related
Overview for safety-related
Safety-related
Create OFF delay
Create ON delay
Create pulse, 192
Creating F-FB/F-FC, 78
Creating and editing an F-FB/F-FC, 78
Creating F-blocks in F-FBD/F-LAD, 77
Creating F-blocks in F-FBD/F-LAD without assignment to an F-CPU, 77
Creating network templates, 77
Creating the safety program, 73
Cycle time for F-runtime group, 86
D
Data and parameter types, 61
Data block, 61; Access, 61
Data structure protection, 39
Data transfer: from safety program to standard user program, 127; from standard user program to safety program, 129
Data transfer limits for safety-related communication via S7 connections, 181
Data transfer limits for safety-related master-master communication, 144
DB for F-runtime group communication, 86; Defining, 86
Deactivating safety mode, 304
Defining the F-runtime groups, 86
Defining the program structure, 75
DIAG, 211, 216, 219, 229; F_1002DI, 211; F_ESTOP1; F_FDBACK; F_MUTING; F_RCVS7; F_SENDDP; F_RCVDP, 242; F_SENDS7, 249; F_SFDOOR, 236; F-I/O DB, 101
Diagnostic options: Steps for evaluation
Diagnostic parameters, 327; Evaluation, 327
Diagnostic variable, 327; Evaluation, 327
Diagnostics, 327
Differences between the F-FBD and F-LAD programming languages
321. r value is greater than or equal to the preset value PV. Output QD displays whether the current counter value is less than or equal to zero.
Startup Characteristics: The instances of the F_CTUD are reset in the first cycle following a startup of the F-system, resulting in:
• CV = 0
• QU = 0
• QD = 0
F-Libraries, 9.1 Distributed Safety F-library (V1)
9.1.2.6 FB 184 "F_TP": Create Pulse
Connections:
Parameter | Data Type | Description | Default
Inputs:
IN | BOOL | Start input | 0
PT | TIME | Pulse duration, with PT > 0 | T#0ms
Outputs:
Q | BOOL | Time status | 0
ET | TIME | Elapsed time | T#0ms
Principle of operation: This F-application block generates a pulse of length PT at output Q; this functionality is based on IEC timer SFB 3 "TP". The pulse is initiated on a rising edge at input IN. Output Q remains set for duration PT, irrespective of any further variation of the input signal (that is, even if input IN switches from 0 back to 1 before time PT has elapsed). Output ET displays how long output Q has already been set. It can have a maximum value equal to the value of input PT. It is reset when input IN changes to 0; however, time PT must elapse before it can be reset.
WARNING: When using an F-application block with time processing, take the following timing imprecision sources into account
322. ram Permission button in the Safety Program dialog can only be activated in the F-CPU by downloading the safety program using the Safety Program dialog.
• Only an offline safety program is permitted to be used as a source program. Consequently, the Safety Program dialog must be used to download the safety program for the first time and after any change to the password for the safety program.
If F-blocks cannot be downloaded because the F-CPU is in safety mode or because no password or the wrong password was entered for the safety program, you are notified of the option to continue downloading the remaining standard blocks.
See also: Testing the Safety Program (Page 308)
Compiling and commissioning a safety program
10.5 Work Memory Requirement for Safety Program
Estimation: You can estimate the work memory requirement for the safety program as follows:
Work memory requirement for safety program =
  31 Kbytes for F-system blocks F_CTRL_1, F_CTRL_2, F_IO_CGP, F_IO_BOI and F_DIAG_N
  + 4.3 Kbytes for F-system block F_RTGCO2 (for F-runtime group communication only)
  + 4.5 x work memory requirement for all F-FB/F-FC/F-PB
  + 4.5 x work memory requirement for all F-blocks used (except F_SENDDP, F_RCVDP, F_SENDS7 and F_RCVS7)
  + Work memory requirement for F_SEN
323. ram and the safety program, they cannot be used as a buffer for F-data.
Programming, 4.1 Overview of Programming
Address Area | Accessible Units | S7 Notation | Description
Data block | Data bit / Data word / Data double word | DBX / DBW / DBD | Data blocks store information for the program. They can either be defined such that all F-FBs, F-FCs and F-PBs can access them (F-DBs) or assigned to a particular F-FB or F-PB (instance DB). They must be created with the F-DB programming language or as an instance DB of an F-FB or F-PB. Local data can only be accessed using the units corresponding to the data type in the declaration table.
Local data | Local data bit / Local data word / Local data double word | L / LW / LD | This memory area accepts the temporary data of a block (or an F-block) while this block is being executed. The local data stack also provides memory for transferring block parameters and for saving intermediate results. Local data can only be accessed using the units corresponding to the data type in the declaration table.
Non-Permissible Address Areas: Access using units other than those listed in the table above is not permitted, as is access to address areas not listed, in particular:
Counters: fail-safe counters are implemented using F-application blocks from the Distributed Safet
324. ram are provided an F-attribute, identified in the Safety Program dialog box by an "F" in the F-block symbol. Only the blocks of the → safety program have the F-attribute after the → safety program is successfully compiled.
Fault Reaction Function: → User safety function
Fault Reaction Time: The maximum fault reaction time for an F-system specifies the time between the occurrence of any error and a safe reaction at all affected fail-safe outputs.
F-blocks: The following fail-safe blocks are designated as F-blocks:
• Blocks created by the user in programming languages → F-FBD, F-LAD, F-CALL and F-DB
• Blocks selected by the user from an F-library
• Blocks automatically added in the → safety program (→ F-SBs, → automatically generated F-blocks, → F-shared DB)
All F-blocks are depicted with a yellow background in the Safety Program dialog box and SIMATIC Manager.
F-CALL: F-CALL is the F-call block for the → safety program in S7 Distributed Safety. F-CALL is created by the user as a function in the F-CALL programming language and cannot be edited. F-CALL calls the → F-runtime group from the → standard user program. It contains a call for the → F-PB and calls for the F-blocks (→ F-SBs, → automatically generated F-blocks, → F-shared DB) of the F-runtime group that were automatically added.
325. Glossary
F-Communication DBs: F-communication DBs are fail-safe data blocks for safety-related CPU-CPU communication via S7 connections.
F-CPU: An F-CPU is a central processing unit with fail-safe capability that is permitted for use in S7 Distributed Safety and in which a → safety program can run in addition to the → standard user program.
F-DBs: Optional fail-safe data blocks with read/write access from anywhere within the safety program (exception: DBs for F-runtime group communication).
F-FBD: F-FBD is a programming language for → safety programs in S7 Distributed Safety. The standard FBD/LAD Editor in STEP 7 is used for programming.
F-FBs: F-FBs are fail-safe function blocks (with instance DBs) in which the user programs the → safety program in → F-FBD or → F-LAD.
F-FCs: F-FCs are fail-safe FCs in which the user programs the → safety program in → F-FBD or → F-LAD.
F-I/O: F-I/O is a group designation for fail-safe inputs and outputs available in SIMATIC S7 for integration in S7 Distributed Safety, among others. They behave in accordance with the standards IEC 61784-1 Ed3 CP 3/1 or IEC 61784-2 CP 3/5 and CP 3/6 and IEC 61158 Types 5-10 and 6-10 and the PROFIsafe bus profile according to IEC 61784-3-3 Ed2. The following F-I/O modules are available for S7 Distributed Safety:
• ET 200eco fail-safe I/O module
• S7-300 fail-safe signal modules →
326. re F-I/O is passivated. The F-system sets PASS_OUT = QBAD = QBAD_I_xx = QBAD_O_xx = 1 as long as fail-safe (0) values are used instead of process data for the associated F-I/O or individual channels of the F-I/O. However, if you enable passivation by setting PASS_ON = 1, only QBAD = QBAD_I_xx = QBAD_O_xx = 1 is set. PASS_OUT does not change its value if passivation is enabled with PASS_ON = 1. For this reason, PASS_OUT can be used for group passivation of additional F-I/O.
F-I/O Access, 5.3 F-I/O DB
ACK_REQ: When the F-system detects a communication error or an F-I/O fault or channel fault for an F-I/O, the relevant F-I/O or individual channels of the F-I/O are passivated. ACK_REQ = 1 signals that user acknowledgment is required for reintegration of the relevant F-I/O or channels of the F-I/O. The F-system sets ACK_REQ = 1 as soon as the fault has been eliminated and user acknowledgment is possible. For channel-level passivation, the F-system sets ACK_REQ = 1 as soon as the channel fault is corrected. User acknowledgement is possible for this fault. Once acknowledgment has occurred, the F-system resets ACK_REQ to 0.
Note: For F-I/O with outputs, acknowledgment after F-I/O faults or channel faults may only be possible minutes after the fault has been eliminated, due to necessary test
327. re may be displayed incorrectly in the reference data. Updating of reference data is enabled by default. The setting applies to the current Windows user.
Creating and editing F-FB/F-FC (Page 78)
Compiling and commissioning a safety program
10.4 Downloading the Safety Program
Introduction: Once you have compiled your safety program, you can download it to the F-CPU. You have the following options:
• Downloading the entire safety program in the Safety Program dialog in STOP mode. This is the recommended method for downloading a consistent safety program.
• Downloading the changes in the safety program in the Safety Program dialog in STOP mode
• Downloading individual F-blocks in SIMATIC Manager or FBD/LAD Editor
Procedure for Downloading the Entire Safety Program to the F-CPU in the Safety Program Dialog:
1. Select the correct F-CPU or S7 program assigned to it.
2. In SIMATIC Manager, select the Options > Edit Safety Program menu command. The Safety Program dialog will appear.
3. Activate the Download button. All F-blocks with F-attribute belonging to the safety program are identified and downloaded to the F-CPU. A note is displayed offering you the option of downloading the standard user program in addition to the safety program, provided this prompt is enabled. I
328. ressed in the safety program
• Change in read access to data of the standard user program
• Change in F-parameters of the F-CPU
• Modified version of F-system blocks
• Change in the F-runtime group communication
The changes can also occur in combination, meaning that changes to an F-block can have multiple causes. If no modified F-blocks are indicated but the collective signature is different, differences exist in the automatically generated blocks, which are not included in the comparison. This can occur, for example, if you renumber F-blocks or modify the resources reserved for the safety program in the object properties dialog for the F-CPU in HW Config.
Compiling and commissioning a safety program, 10.7 Modifying the Safety Program
10.7.3 Deleting the Safety Program
Deleting Individual F-Blocks: To delete an F-block, follow the same procedure as for a standard program.
Deleting an F-Runtime Group:
1. In the Edit F-Runtime Groups dialog, select the folder of the F-runtime group to be deleted.
2. Press the Delete button.
3. Close the dialog with OK.
The assignment of the F-blocks to an F-runtime group is deleted. However, the F-blocks continue to exist.
Deleting the Entire Safety Program:
1. Delete all F-blocks highlighted in yellow offline in SIMATIC Manager.
2. In HW
329. rogram is copied, the logbook associated with the safety program (if present) is also copied.
Safety Program < V5.4 SP1: If the safety program was created with an earlier version of S7 Distributed Safety (prior to V5.4 SP1), the logbook will not be available until a logbook-relevant action has been performed with V5.4 SP1 or higher.
Compiling and commissioning a safety program
10.8 Printing out Project Data
Introduction: The Print button in the Safety Program dialog allows you to print out all important project data of the hardware configuration and the safety program that you need, for example, for the system acceptance test. The signatures in the footer of the printouts ensure that the printouts are explicitly associated with a safety program.
Note: Before you print out the project data, close the HW Config and LAD/FBD Editor applications and the symbol table.
Procedure for Printing All Important Project Data of the Hardware Configuration and the Safety Program:
1. In SIMATIC Manager, select the correct F-CPU or S7 program assigned to it.
2. In SIMATIC Manager, select the Options > Edit Safety Program menu command. The Safety Program dialog will appear.
3. Click the Print button. Then you can select the print content:
• Function Block Diagram / Ladder Diagram
330. rogramming
Note: If the divisor (input IN2) of a DIV_I instruction = 0, the quotient (result of the division at output OUT) = 0. The result behaves like the corresponding instruction in a standard user program. The F-CPU does not go to STOP mode. This is the response regardless of whether an OV bit scan is programmed in the next network.
OPN DB Instruction Particularities
Note: Keep in mind when using the OPN DB instruction that the content of the DB register can be changed following calls of F-FB/F-FC and fully qualified DB accesses, such that there is no guarantee that the last data block you opened with OPN DB is still open. You should therefore use the following method for addressing data to avoid errors when accessing data of the DB register:
• Use symbolic addressing
• Use only fully qualified DB accesses
If you still want to use the OPN DB instruction, you must ensure that the DB register is restored by repeating the OPN DB instruction following calls of F-FB/F-FC and fully qualified DB accesses. Otherwise, an error could result.
Fully Qualified DB Access: The initial access to data of a data block in an F-FB/F-FC must always be a fully qualified DB access, or it must be preceded by the OPN DB instruction. This also applies to the initial access to data of a data block after a jump label.
331. Interconnection Example
[Figure residue; recoverable labels: DC24V; 1 DI (Standard DI); 2 Input FEEDBACK; 3 Output Q]
The feedback contact is wired to a standard I/O module.
Startup Characteristics: After an F-system startup, the F-application block does not have to be acknowledged when no errors are present.
Output DIAG: The DIAG output provides non-fail-safe information on errors for service purposes. You can read out this information by means of operator control and monitoring systems or, if applicable, it can be evaluated in your standard user program. DIAG bits 0, 2 and 5 are saved until acknowledgment at input ACK.
Structure of DIAG:
Bit No. | Assignment | Possible Causes of Problems | Remedies
Bit 0 | Feedback error or incorrect feedback time setting (state of ERROR) | Feedback time setting < 0 | Set feedback time > 0
 | | Feedback time setting is too low | If necessary, set a higher feedback time
 | | Wiring fault | Check wiring of actuator and feedback contact
 | | Actuator or feedback contact is defective | Check actuator and feedback contact
 | | I/O fault or
332. rogramming a standard user program are presented below. You will find an explanation of how F-blocks are represented in SIMATIC Manager in Chapter "Safety Program Dialog".
Creating Individual F-Blocks without Assignment to an F-CPU
Note: It is possible to create individual F-blocks directly in an S7 program that is not assigned to any F-CPU. This allows you to create safety programs for different F-CPUs irrespective of the hardware used. However, keep in mind that F-addresses and the validity of F-I/O accesses are not checked in this case.
See also: Safety Program Dialog (Page 267)
Programming, 4.3 Creating F-Blocks in F-FBD/F-LAD
4.3.2 Creating and editing F-FB/F-FC
Procedure for Creating and Editing an F-FB/F-FC:
1. Go to the block container of SIMATIC Manager and select the Insert > S7 Block > Function or Function Block menu command. You can also use the Insert New Object shortcut menu.
Note: You must not use the FB numbers in the band of numbers you reserved for automatically added F-function blocks ("F function blocks" parameter in the object properties for the F-CPU).
2. In the General - Part 1 tab of the Properties - Function window, enter the name of the F-FB/F-FC. Select F-FBD or F-LAD as the programming language. Click OK to confirm. Enter the password for the safe
333. roup communication of F-runtime group 1
[Figure legend residue; recoverable labels: Data of F-runtime group 2 read in DB for F-runtime group communication of F-runtime group 1; Presetting in the DB for F-runtime group communication]
F-runtime group providing the data is not processed
Note: If the F-runtime group whose DB for F-runtime group communication supplies the data to be read is not processed (F-CALL of the F-runtime group is not called in an OB or FB), the F-CPU goes to STOP mode. One of the following diagnostic events is then entered in the diagnostic buffer of the F-CPU:
• Error in safety program: cycle time exceeded
• Number of the relevant F-CALL block of the F-runtime group that is not processed
• Current cycle time in ms: 0
See also: Creating and Editing F-DB (Page 81); Procedure for Defining an F-Runtime Group (Page 88)
Programming, 4.4 Defining F-Runtime Groups
4.4.4 Deleting F-Runtime Groups
1. In the Edit F-Runtime Groups dialog, select the folder of the F-runtime group to be deleted.
2. Activate the Delete button.
3. Close the dialog with OK.
The assignment of the F-blocks to an F-runtime group is deleted. However, the F-blocks continue to exist.
Note: If you want to delete your safety program, delete all yellow-highlighted F-blocks offline in SIM
334. roups to another F-runtime group of the safety program, assign a DB for F-runtime group communication.
6. Compile the safety program in the Safety Program dialog. (See: Compiling the Safety Program)
7. Call F-CALL blocks directly in OBs (cyclic interrupt OBs) to the extent possible. (See: Defining F-Runtime Group)
8. Download the entire user program (standard user program and safety program) to the F-CPU in the Safety Program dialog. (See: Downloading the Safety Program)
See also: Page 23; Page 75; Page 77; Rules for F-Runtime Groups of the Safety Program (Page 86); Compiling Safety Program (Page 272); Downloading the Safety Program (Page 275); Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package (Page 17)
Programming, 4.2 Creating the Safety Program
4.2.2 Defining the Program Structure
Structuring of the Safety Program in Two F-Runtime Groups: You can divide your safety program into two F-runtime groups. By arranging for portions of your safety program (one F-runtime group) to run in a faster priority class, you achieve faster safety circuits with short response times.
Note: You can better structure your safety program by dividing it into two F-runtime groups. However, note that the following actions cannot be performed for individual F-runtime groups, but only for the safety progra
335. rror code of SFC 15. You can find a description of error codes in the online Help for SFC 15. | 0
DIAG | BYTE | Service information | 0
Principle of Operation: F-application block F_SENDDP sends 16 data elements of data type BOOL and 2 data elements of data type INT in a fail-safe manner to another F-CPU via PROFIBUS DP. There they can be received by the associated F_RCVDP F-application block. In F_SENDDP, the data to be sent (for example, outputs of other F-blocks) are applied at inputs SD_BO_xx and SD_I_xx. In F_RCVDP, the data received are available at outputs RD_BO_xx and RD_I_xx for additional processing by other F-blocks. The operating mode of the F-CPU with the F_SENDDP is provided at output SENDMODE. If the F-CPU with the F_SENDDP is in deactivated safety mode, output SENDMODE = 1. Communication between F-CPUs takes place hidden in the background by means of a special safety protocol. You must define an association between an F_SENDDP in one F-CPU and an F_RCVDP in the other F-CPU by assigning a unique address association at the DP_DP_ID inputs of the F_SENDDP and F_RCVDP. Associated F_SENDDPs and F_RCVDPs receive the same value for DP_DP_ID.
WARNING: The value for each address association (input parameter DP_DP_ID; data type INT) is user-defin
336. rted, you must repeat the download step (step 3) and then recheck the collective signatures of all F-blocks with F-attribute in the block container online and offline (step 5). Procedure for Downloading Changes to the Safety Program in the Safety Program Dialog: 1. Select the correct F-CPU or the S7 program assigned to it. 2. In SIMATIC Manager, select the Options > Edit Safety Program menu command. The Safety Program dialog will appear. 3. Click the down arrow (Download Changes) on the Download button. All new and changed F-blocks with F-attribute in the safety program are identified and downloaded to the F-CPU. The rest of the procedure is the same as for downloading the entire safety program in the Safety Program dialog (see above). Note: Downloading changes in the safety program is intended for the commissioning phase only. Prior to the acceptance test of the safety program, you must download the complete safety program to the F-CPU. Failure to do so could result in different online and offline time stamps for the F-blocks in the block container. Compiling and commissioning a safety program 10.4 Downloading the Safety Program. Downloading the Safety Program to a Programming Device or PC. Note: In principle, it is possible to download a safety program from the F-CPU to a programming device o
337. rts status changes between process data and fail-safe values that are transmitted to the fail-safe outputs (signal chart "To Outputs"). This change can occur before the status change of the associated QBAD signal, if necessary. The timing of the status change is dependent on whether F-I/O with outputs or F-I/O with inputs and outputs were used. See also: Structure of the Safety Program in S7 Distributed Safety; F-I/O Access for Safety-Related I-Slave-Slave Communication (Page 170). F-I/O Access 5.2 Process Data or Fail-Safe Values. When are Fail-Safe Values Used? The safety function requires that fail-safe values (0) be used instead of process data for passivation of the entire F-I/O or individual channels of an F-I/O in the following cases. This applies both to digital channels (data type BOOL) and analog channels (data type INT, WORD) as follows: when the F-system starts up; when errors occur during safety-related communication (communication errors between the F-CPU and F-I/O using the safety protocol in accordance with PROFIsafe); when F-I/O faults and channel faults occur (such as wire break, short circuit and discrepancy errors); as long as you enable passivation of the F-I/O with PASS_ON = 1 in the F-I/O DB (see below). Fail-Safe Output for F-I/O Channels of an F-I/O: In the
338. ry in the object properties for I-slave 2. The addresses are entered automatically in the object properties for I-slave 2. You assign the configured addresses to the LADDR parameter of the corresponding F_SENDDP and F_RCVDP F-application blocks in the safety programs. Configuring and Programming Communication 8.4 Safety-Related I-Slave-Slave Communication. Assigned Address Areas: Each of the local and partner addresses represents a start address of an address area of input and output data. Once the local and partner addresses are configured, the address areas are automatically assigned. The assigned address areas for a send connection and a receive connection are shown in the following table (Communication connection / Assigned address areas in the F-CPU of ...). Send, I-slave 1 to I-slave 2: I-slave 1: 12 bytes of output data and 6 bytes of input data; I-slave 2: 12 bytes of input data and 6 bytes of output data; DP master: 12 + 6 bytes of input data. Receive, I-slave 1 from I-slave 2: I-slave 1: 12 bytes of input data and 6 bytes of output data; I-slave 2: 12 bytes of output data and 6 bytes of input data; DP master: 12 + 6 bytes of input data. The CPU of the DP master can be an F-CPU or a standard CPU. Whether or not the PROFIBUS DP interface of the standard CPU supports direct data exchange can be found in th
339. s Connections of F-Application Block F_RCVDP. 9.1 Distributed Safety F library (V1). Parameter / Data type / Description / Default. Inputs: ACK_REI (BOOL) 1 = Acknowledgment for reintegration of send data following communication error; default 0. SUBBO_00 (BOOL) Fail-safe value for receive data BOOL 00; default 0. SUBBO_15 (BOOL) Fail-safe value for receive data BOOL 15; default 0. SUBI_00 (INT) Fail-safe value for receive data INT 00; default 0. SUBI_01 (INT) Fail-safe value for receive data INT 01; default 0. DP_DP_ID (INT) Network-wide unique value for address association between F_SENDDP and F_RCVDP; default 0. TIMEOUT (TIME) Monitoring time in ms for safety-related communication (see also Safety Engineering in SIMATIC S7 system manual); default 0 ms. LADDR (INT) Start address of address area: of DP/DP coupler for safety-related master-master communication; for safety-related master-I-slave communication; for safety-related I-slave-I-slave communication; default 0. Outputs: ERROR (BOOL) 1 = Communication error; default 0. SUBS_ON (BOOL) 1 = Fail-safe values are output; default 1. ACK_REQ (BOOL) 1 = Acknowledgment for reintegration of send data required; default 0. SENDMODE (BOOL) 1 = F-CPU with F_SENDDP in deactivated safety mode; default 0. RD_BO_00 (BOOL) Receive data BOOL 00; default 0. RD_BO_15 (BOOL) Receive data BOOL 15; default 0. RD_I_00 (INT) Receive data INT 00; default 0. RD_I_01 (INT) Receive data INT 01; default 0. RETVAL14 (WORD) Error code of SFC 14. You can find a description of error codes in the online Help for SFC 14; default 0. RETVAL15 (WORD) E
340. s: A project structure must be created in SIMATIC Manager. The hardware components of the project, in particular the F-CPU and the F-I/O, must have been configured prior to programming. The safety program must be assigned to an F-CPU (such as a CPU 315F-2 DP). Programming 4.2 Creating the Safety Program. Steps for Creating an S7 Distributed Safety Program: The primary steps for creating the safety program are as follows (Step / Action / Reference). 1. Save and compile the hardware configuration in HW Config and download it to the F-CPU, if necessary (Configuring). 2. Define the program structure (Defining the Program Structure). 3. Create F-FBs and F-FCs with the F-FBD or F-LAD programming language in SIMATIC Manager (Creating F-Blocks in F-FBD/F-LAD). 4. Edit and save F-FBs and F-FCs in the FBD/LAD Editor (Creating F-Blocks in F-FBD/F-LAD). 5. Specify one or two F-runtime groups (Defining F-Runtime Groups). For each F-runtime group: assign a previously programmed F-FB or F-FC to the F-CALL of the F-runtime group (the assignment causes the F-FB or F-FC to become the F-PB); if the F-PB is a function block, assign an instance DB; set the maximum cycle time of the F-runtime group (Safety Engineering in SIMATIC S7 system manual); if one F-runtime group is to provide data for evaluation (Defining F-Runtime G
341. s, F-FCs, F-PBs, F-application blocks) + number of F-blocks (F-FBs, F-FCs) that are called in two F-runtime groups + number of F-application blocks contained in the reserved band of numbers + 5. If the configured band of numbers turns out to be insufficient, S7 Distributed Safety signals this with an error message. You must then increase the size of the number band accordingly. Tip: Allocate the band of numbers for the automatically added F-data blocks starting from the largest possible number in the F-CPU and working down. Assign numbers for FBs of the standard user program and F-FBs of the safety program starting with 1. You are not permitted to use the reserved (automatically added) F-function blocks in the safety program or the standard user program. F-application blocks from the Distributed Safety F library may be within this band of numbers. Configuration 2.3 Configuring the F-CPU. F Local Data Parameter: F-blocks are automatically added when the safety program is compiled to create an executable safety program from your safety program. This parameter is used to specify the amount of local data (in bytes) for the entire safety program, i.e. the local data that are available for the F-CALL blocks of the F-runtime groups of the safety program and thus also for the automatically added F-blocks called in the F-CALL. Note: The l
342. s in F-FBD/F-LAD. See also: Page 80; Configuring the F-CPU (Page 26); Overview of Access Protection; Differences between the F-FBD and F-LAD programming languages and the standard FBD and LAD programming languages; Compiling Safety Program (Page 272). Note: Access to the input parameters in an F-FB/F-FC is read-only, while access to the output parameters is write-only. Use an in/out parameter if you wish to have both read and write access. Save the F-FB/F-FC block. Note: When an F-FBD/F-LAD block is saved in the FBD/LAD Editor, only a local consistency check is performed for the F-block. A safety program is not yet generated. Note: Occasionally, certain networks that you have edited in F-FBD are represented in STL (for example, upstream interconnections with edge memory bits and branches) when you try to save the F-block. Such F-blocks cannot be saved. You must delete the STL network and replace the upstream interconnection with your own networks in which you direct the upstream interconnection to a temporary variable. You can then use this temporary variable as an address. Note: For greater clarity, assign unique symbolic names to the F-FBs/F-FCs you have created. These symbolic names appear in the Details view of SIMATIC Manager, in the Safety Program dialog and in the symbol table. Symbolic names are assigned in the same way as in standard programming. S7 Distribut
343. s of all F-application blocks and F-system blocks match the signatures specified in Annex 1 of the Certification Report. Ensure that you have assigned a unique DP_DP_ID parameter throughout the network for all safety-related communication connections (for safety-related master-master, master-I-slave, I-slave-I-slave and IO controller-IO controller communication). Ensure that you have assigned a unique R_ID parameter throughout the network for all safety-related communication connections for safety-related communication via S7 connections. Check whether a validity check was programmed for all data in the safety program transferred from the standard user program. Check the number of F-runtime groups in the safety program (maximum of 2) and whether all necessary F-blocks are present in the F-runtime group. For each F-runtime group, check whether the following values in the F-runtime group information correspond to the values you configured: number of the F-CALL; number of the called F-program block; number of the associated instance DB (if applicable); maximum cycle time of the F-runtime group; number of the DB for F-runtime group communication (if applicable). System Acceptance Test 11.2 Checking the Printouts. 10. Check the following: For each F-I/O addressed in the F-runt
344. s on operation: Chapter Notes on Safety Mode. Access protection: Chapter Access Protection. Diagnostics (responses to faults and events): Chapter Guide to Diagnostics. Replacement of software and hardware components, removing/disassembly (rules for module replacement; rules for updating the operating system of the F-CPU, same as for the standard system; rules for updating software components; notes on IM operating system update; notes on preventive maintenance; notes for removing software components; notes for disassembling modules): Chapter Replacing Software and Hardware Components; F-I/O Access; Online Help for STEP 7, Chapter Installing/Removing/Replacing Software and Hardware Components. Checklist. See also: Page 13; Overview of Configuration; Page 23; Particularities for Configuring the F-System; Page 36; Overview of Access Protection; Page 45; Structure of the Safety Program in S7 Distributed Safety; Page 25; Page 157; Defining the Program Structure; Page 75; Creating F-Blocks in F-FBD/F-LAD; Page 77; Rules for F-Runtime Groups of the Safety Program; F-I/O Access; Page 97; Overview of Distributed Safety F Library; Custom F Libraries; Page 265; Page 272; Page 275; Page 287; Modifying the sa
345. s powered up before the F-CPU of the I-slave. Otherwise, depending on the F-monitoring time specified for the F-I/O, the F-system can detect an error in the safety-related communication (communication error) between the F-CPU and the F-I/O assigned to the I-slave. That is, after startup of the F-system, the F-I/O are not reintegrated automatically. Rather, they are only reintegrated after a user acknowledgment with a positive edge on the ACK_REI variable of the F-I/O DB (see also Chapters Passivation and Reintegration of F-I/O after Communication Errors and Passivation and Reintegration of F-I/O after F-System Startup). Configuring and Programming Communication 8.5 Safety-Related I-Slave-Slave Communication. Configuring Address Areas: For every communication connection from an F-CPU of an I-slave to an F-I/O in a slave, you must configure address areas in HW Config. The figure below shows an example for an ET 200S with F-DI and F-DO modules (slaves). [Figure: ET 200S slave with motor starter HIGH FEATURE and bus termination module] You can configure the following in the object properties for the I-slave for each I-slave-slave communication with an F-I/O: a local address (safety program) that you can use to access the F-I/O in the safety program of the I-slave; a partner address (F-I/O) of the F-I/O in the DP master. No
346. s shown in the following example. This is necessary to ensure that the information is properly available even if communication errors occur while HART communication is enabled with IPAR_EN = 1. Only change the IPAR_EN variable when evaluating the status if there is no passivation due to a communication error or F-I/O channel fault (PASS_OUT = 0). Example of enabling HART communication: F-I/O Access 5.3 F-I/O DB. [Figure 5-1: Example of enabling HART communication. Network 1 (LAD logic not recoverable from the text); labels: F00210_FAI6x15Bit_HART.IPAR_EN, CONDITION_1, CONDITION_2, EDGE_TRIGGER_FLAG, HART_COMM_ENABLED, F00210_FAI6x15Bit_HART.IPAR_OK] You can find additional information on HART communication with SM 336; F-AI 6 x 0/4...20 mA HART in the S7-300 Fail-Safe Signal Modules manual and in the object properties of this F-SM in the online help for HW Config. PASS_OUT/QBAD/QBAD_I_xx/QBAD_O_xx: If you have configured channel-level passivation for the F-I/O, PASS_OUT = 1 and QBAD = 1 indicate that at least one channel was passivated. QBAD_I_xx and QBAD_O_xx indicate the input and output channels that were passivated. If you have configured passivation of the entire F-I/O, the PASS_OUT = 1 and QBAD = 1 variables indicate that the enti
347. s than in the safety program. The differing values can occur due to: different update times; use of fail-safe values in the safety program. To obtain the same values in the standard user program as in the safety program, you may access the process input image in the standard program only after execution of an F-runtime group. In this case, you can also evaluate the QBAD or QBAD_I_xx variable in the associated F-I/O DB in the standard user program to find out whether the process input image is receiving fail-safe values (0) or process data. When using partial process images, make sure as well that the process image is not updated by the standard operating system or by SFC 26 UPDAT_PI between execution of an F-runtime group (F-CALL) and evaluation of the process input image in the standard user program. Data Exchange between Standard User Programs and Safety Program 7.1 Data Transfer from the Safety Program to the Standard User Program. F-Shared DB, Bit Memory: The following information can be read out in the F-shared DB in the standard user program or on an operator control and monitoring system: operating mode (safety mode or deactivated safety mode; MODE variable); error information (error occurred when executing the safety program; ERROR variable); collective signature of the safety program (F_PROG_SIG variabl
348. safety program to the → F-CPU during ongoing operation (in RUN mode); test functions such as Modify or other write access to data of the → safety program (with limitations). Whenever safety mode is deactivated, the safety of the system must be ensured by other organizational measures, such as operation monitoring and manual safety shutdown. → Reintegration. Discrepancy Analysis: Discrepancy analysis for equivalence or nonequivalence is used for fail-safe inputs to determine errors based on the time characteristic of two signals with the same functionality. The discrepancy analysis is initiated when different levels are detected in two associated input signals (for nonequivalence testing, when the same levels are detected). The signals are checked to establish whether the difference (when checking for nonequivalence, the equality) has disappeared after the so-called → discrepancy time has expired. If not, there is a discrepancy error. The discrepancy analysis is performed between the two input signals of the 1oo2 sensor evaluation (→ sensor evaluation) in the fail-safe input. Discrepancy Time: Discrepancy time is a period of time configured for the → discrepancy analysis. If the discrepancy time is set too high, the fault detection time and → fault reaction time are extended unnecessarily. If the discrepancy time is set too low, availability is decreased unnecessarily because a discrepancy error is detected when in reality
349. safety program you would like to compare with. Activate the Browse button to indicate its path. 5. Activate the Start comparison button. The required block comparison is executed and the different F-blocks are displayed in tabular form in the dialog box. Compiling and commissioning a safety program 10.7 Modifying the Safety Program. Result of Comparison: The comparison result displays modified F-blocks (different entries in the Signature in Source Program and Signature in Compared Program columns), F-blocks located in the source program only (entry in the Signature in Source Program column only) and F-blocks located in the compared program only (entry in the Signature in Compared Program column only). The Interface Different column indicates whether or not changes have occurred in the declaration table of F-blocks. The result can be printed out with the Print button. If you are comparing an offline safety program with an online safety program and the connection to the F-CPU is interrupted during the comparison, the comparison result will be incorrect. Assignment of Changes: You can assign the changes in the safety program on the basis of the modified F-blocks indicated in the comparison result. Modified F-block: F-program block, F-FB, F-FC. Change in Safety Program: Change in this block
350. … 10.8 Printing out Project Data; 10.8.1 Printed Project Data for the Hardware Configuration; 10.8.2 Printed Project Data for the Safety Program; 10.9 Testing the Safety Program; 10.9.1 Overview of Testing the Safety Program; 10.9.2 Deactivating Safety Mode; 10.9.3 Testing the Safety Program; 11 System Acceptance Test; 11.1 Overview of System Acceptance Test; 11.2 Checking the Printouts; 11.2.1 Acceptance Test for the Configuration of the F-CPU and the F-I/O; 11.2.2 Safety Program Acceptance Test; 11.3 Checks after Downloading the Safety Program to the F-CPU; 11.4 Acceptance Test of Changes; Operation and Maintenance
351. se_2 instead of the time T3 that has actually elapsed in cycle n since the call. This would also be the case if no call occurred in cycle n-1. FB 179 F_SCA_I: Scale Values of Data Type INT. Parameter / Data type / Description / Default. Inputs: IN (INT) Input value to be scaled in physical units; default 0. HI_LIM (INT) Upper limit value in physical units; default 0. LO_LIM (INT) Lower limit value in physical units; default 0. Outputs: OUT (INT) Result of scaling. OUT_HI (BOOL) 1 = Input value > 27648, OUT = HI_LIM. OUT_LO (BOOL) 1 = Input value < 0, OUT = LO_LIM; default 0. Principle of operation: This F-application block scales the value at input IN in physical units between the lower limit value at input LO_LIM and the upper limit value at input HI_LIM. It is assumed that the value at input IN is between 0 and 27 648. The scaling result is provided at output OUT. The F-application block acts according to the following equation: OUT = IN x (HI_LIM - LO_LIM) / 27648 + LO_LIM. So long as the value at input IN is greater than 27 648, output OUT is linked to HI_LIM and OUT_HI is set to 1. So long as the value at input IN is less than 0, output OUT is linked to LO_LIM and OUT_LO is set to 1. For reverse scaling, you must assign LO_LIM > HI_LIM. With reverse scaling, the output value at output OUT decreases while the input value at input IN increases.
352. … 2.3 Configuring the F-CPU; 2.4 Configuring the F-I/O; 2.5 Configuring fail-safe DP standard slaves and fail-safe standard I/O devices; 2.6 Assigning Symbolic Names; 3 Access Protection; 3.1 Overview of Access Protection; 3.2 Access Permission for the Safety Program; 3.3 Read Accesses without Password for the Safety Program; 3.4 Access Permission for the F-CPU; 4 Programming; 4.1 Overview of Programming; 4.1.1 Overview of Programming; 4.1.2 Structure of the Safety Program in S7 Distributed Safety; 4.1.3 Fail-Safe Blocks
353. sic principle, only fail-safe data or fail-safe signals from fail-safe I/O and other safety programs (in other F-CPUs) can be processed in the safety program, since standard data and signals are not safe. If you nevertheless have to process data from the standard user program in the safety program, you can evaluate either memory bits from the standard user program or the process input image (PII) for standard I/O in the safety program (see the table of supported address areas in Chapter Differences between the F-FBD/F-LAD Programming Languages and the Standard FBD/LAD Languages). WARNING: Because these data are not generated safely, you must carry out additional process-specific validity checks in the safety program to ensure that no dangerous states can arise. If a memory bit or input of standard I/O is used in both F-runtime groups, you must perform the validity check separately in each F-runtime group. To facilitate the checks, all signals from the standard user program that are evaluated in the safety program are included when the safety program is printed out. Note: Data from the standard user program (bit memory or PII of standard I/O) cannot be used for edge memory bits of the RLO Edge Detection (N, P) or Address Edge Detection (NEG, POS) instructions, or for the address of the Flip-Flop (SR, RS) instructions, since these data are read and written to by the instruction. Note: When F-blocks are being edite
354. signal inputs (see F-I/O manuals). The IPAR_OK variable corresponds to the iPar_OK_S variable in the PROFIsafe bus profile (PROFIsafe Specification V1.20 and higher). Fail-safe DP standard slaves / standard I/O devices: To find out how to evaluate this variable when parameters of fail-safe DP standard slaves or standard I/O devices are reassigned, consult the PROFIsafe specification V1.20 or higher or the documentation for the fail-safe DP standard slave/standard I/O device. HART communication with SM 336; F-AI 6 x 0/4...20 mA HART: See Section IPAR_EN. DIAG: The DIAG variable provides non-fail-safe information (1 byte) about errors or faults that have occurred, for service purposes. You can read out this information by means of operator control and monitoring systems or, if applicable, you can evaluate it in your standard user program. DIAG bits are saved until you perform an acknowledgment at ACK_REI or until automatic reintegration takes place. Note: Access to this variable in the safety program is not permitted. F-I/O Access 5.3 F-I/O DB. Structure of DIAG (Bit No. / Assignment / Possible Causes of Problems / Remedies): Bit 0: Timeout detected by F-I/O. Possible cause: the PROFIBUS/PROFINET connection between F-CPU and F-I/O is faulty; remedy: check the PROFIBUS/PROFINET connection. Possible cause: the monitoring time of the F-I/O in HW Config is set too low. The
355. slave-slave communication: assignment 162; definition 162. Address areas for master-I-slave communication: assignment 144; definition 144. Address setting 35; PROFIsafe 35. Applying changes to the safety program 287. Approvals 3. Automatically generated F-blocks 275; block size 275. B: Band of numbers: F-data blocks 26; F-function blocks 26, 38. Basic knowledge required 3. Basic procedure for creating the safety program 73. Behavior after a startup 109. Behavior after communication errors 111. Behavior after F-I/O faults and channel faults 113. Bidirectional connections 136. Bit memory 61, 127. BOOL 61. C: Changing F-runtime groups 86. Checking block consistency 85. Checklist 331. Communication via F_SENDS7 and F_RCVS7. Communication between standard user program and safety program 127, 129. Communication connection between two F-CPUs via DP/DP coupler 136: configuring 136; programming 136. Communication connection via DP/DP coupler 136: configuring 136; programming 136. Communication error 111, 242; F_SENDDP/F_RCVDP 242. Communication via S7 connections 173: configuring 173. Comparing safety programs 290. Compiling the safety program 272. Complete function test of the safety program 283. Configuration: F-parameters of the F-CPU 26; fail-safe DP standard slaves 39
356. sors MS_11 and MS_12 continue to be activated, the MUTING function of the F-application block causes Q to remain 1 and MUTING to remain 1, so that the product can pass through the light curtain without causing the machine to stop. Each of the two muting sensors MS_11 and MS_12 may be switched to inactive (t < DISCTIM1) for a short time (apply signal state 0). [Figure: MS_11, sender, danger zone, MS_12, receiver] Muting sensors MS_21 and MS_22 must both be activated within DISCTIM2 before muting sensors MS_11 and MS_12 are switched to inactive (apply signal state 0). In this way, the F-application block retains the MUTING function (Q = 1, MUTING = 1). [Figure: MS_11, sender, MS_21, danger zone, MS_12, receiver, MS_22] Only if muting sensors MS_21 and MS_22 are both switched to inactive (product enables sensors) is the MUTING function terminated (Q = 1, MUTING = 0). The maximum activation time for the MUTING function is the time set at input TIME_MAX. Note: The MUTING function is also started if the product passes the light curtain in the reverse direction and the muting sensors are thus activated by the product in reverse order. F Libraries 9.1 Distributed Safety F library (V1). Timing Diagrams for Error-Free Muting Procedure with Four Muting Sensors: [timing diagram not recoverable from the text; labels: FREE, t < DISCTIM2]
357. splay menu command in SIMATIC Manager (setting Program Structure selected). This shows you the local data requirement in the path or for the individual blocks (see also STEP 7 online Help). Case 2: F-CALL blocks not called directly in OBs. [Figure: standard user program A, then the safety program (F-runtime group x), then standard user program B] Configuration 2.3 Configuring the F-CPU. Set the F local data parameter to one of the following: the maximum amount of local data of the F-CPU you are using minus 32 bytes; or the maximum amount of local data of the F-CPU you are using minus the local data requirement of OB x (for two F-runtime groups: of the OB x with the greatest local data requirement) and minus the local data requirement of standard user program A, if these amounts combined are greater than 32 bytes. Note: You can derive the local data requirement of the OBs and standard user program A from the program structure. For this purpose, select the Options > Reference Data > Display menu command in SIMATIC Manager (setting Program Structure selected). This shows you the local data requirement in the path or for the individual blocks (see also STEP 7 online Help). Local Data Requirement for the Automatically Added F-Blocks According to the Local Data Requirement of Your Safety Program: The information below m
358. ss assignment when multiple DP master systems and PROFINET IO systems are operated on one network, you must set the Basis for PROFIsafe addresses parameter in the object properties for the F-CPU (in S7 Distributed Safety F-systems) differently before placing the F-I/O in the various stations of a network. If you change the F_destination_address, the uniqueness of the F_destination_address within the station is checked automatically. You yourself must make sure that the F_destination_address is unique network-wide. You must set the F_destination_address on the F-I/O via the DIP switch before installing the F-I/O. Note: For the following S7-300 F-SMs, the F_destination_address is the same as the start address of the F-SM / 8: SM 326; DI 24 x DC 24 V (order no. 6ES7326-1BK00-0AB0); SM 326; DI 8 x NAMUR (order no. 6ES7326-1RF00-0AB0); SM 326; DO 10 x DC 24 V/2A (order no. 6ES7326-2BF01-0AB0); SM 336; AI 6 x 13 Bit (order no. 6ES7336-1HE00-0AB0). The Basis for PROFIsafe addresses does not affect the assignment of the F_destination_address for these F-SMs. Assign low start addresses for these F-SMs if you are also using other F-I/O. F_source_address: The F_source_address is automatically assigned in S7 Distributed Safety. Configuration 2.4 Configuring the F-I/O. Rules for Address Assignment. WARNING: Rule
359. ssign appropriate initial/actual values for these variables to be output by F_RCVDP in the first cycle after a startup of the F-system. Configuring and Programming Communication 8.2 Safety-Related Master-Master Communication. 8. Configure the TIMEOUT inputs of the F_RCVDPs and F_SENDDPs with the required monitoring time. WARNING: It can be ensured from a fail-safe standpoint that a signal level to be transferred will be captured on the sender side and transferred to the receiver only if the signal is pending for at least as long as the assigned monitoring time TIMEOUT. For information on calculating the monitoring times, refer to the Safety Engineering in SIMATIC S7 system manual. 9. (Optional) Evaluate the ACK_REQ output of the F_RCVDP, for example in the standard user program or on the operator control and monitoring system, in order to query or to indicate whether user acknowledgment is required. 10. Provide the ACK_REI input of the F_RCVDP with the signal for the acknowledgment for reintegration. 11. (Optional) Evaluate the SUBS_ON output of the F_RCVDP or the F_SENDDP in order to query whether the F_RCVDP is outputting the fail-safe values assigned at the SUBBO_xx and SUBI_xx inputs of the F_RCVDP. 12. (Optional) Evaluate the ERROR output of the F_RCVDP or the F_SENDDP, for exampl
360. …ssociated instance DB in the program sections to be processed further, for example "Name F_RCVDP1".RD_BO_02. 7. Provide the SUBBO_xx and SUBI_xx inputs of the F_RCVDP with the fail-safe values that are to be output by F_RCVDP in place of the process data until communication is established for the first time after startup of the sending and receiving F-systems, or in the event of an error in safety-related communication. Specification of constant fail-safe values: For data of data type INT, you can enter constant fail-safe values directly as constants at input SUBI_xx. If you want to specify constant fail-safe values for data of data type BOOL, use variables RLO0 or RLO1 from the F-shared DB. Then, at input SUBBO_xx, enter "F_GLOBDB".RLO0 with fully qualified access if you want to specify a fail-safe value of 0, and "F_GLOBDB".RLO1 if you want to assign a fail-safe value of 1. Specification of dynamic fail-safe values: If you want to specify dynamic fail-safe values, define a variable that you can change dynamically through your safety program in an F-DB and declare this variable with fully qualified access at input SUBI_xx or SUBBO_xx. WARNING: Note that your safety program for dynamically changing a variable for a dynamic fail-safe value can only be processed after the call of the F_RCVDP, because prior to the F_RCVDP call there can be no network in the F-PB and at most there can be one other F_RCVDP. You must therefore a…
361. …stored in this file (setpoint for F_IO_StructureDescCRC). F_IO_StructureDescCRC: You receive one of the following items of information for each configured fail-safe DP standard slave or standard I/O device when it is placed in HW Config or in the printout of the hardware configuration (project data): the value calculated by S7 Distributed Safety for F_IO_StructureDescCRC matches / does not match the setpoint in the installed GSD file; the setpoint for F_IO_StructureDescCRC is not available in the installed GSD file. Note: The information of the F_IO_StructureDescCRC is irrelevant for the system acceptance test (see Chapter "System Acceptance Test") if the project was compiled with S7 Distributed Safety V5.4 SP4. For versions of S7 Distributed Safety > V5.4 SP4, the F_IO_StructureDescCRC check must be without errors (calculated value matches the setpoint). For this reason, you should obtain the appropriate GSD file containing the setpoint for F_IO_StructureDescCRC from the device manufacturer. Procedure for Configuring with GSD Files: You import the GSD files in your project (see STEP 7 Online Help). 1. Select the fail-safe DP standard slave / standard I/O device in the hardware catalog of HW Config and insert it in…
362. …2.4 Configuring the F-I/O. F-I/O Configured Same as Standard I/O: The ET 200S, ET 200eco, and ET 200pro F-modules and the S7-300 F-SMs are always configured in the same way. Once the F-I/O have been inserted in the station window of HW Config, you can access the configuration dialog by selecting Edit > Object Properties or by double-clicking the F-I/O. After opening the dialog box, you will be prompted to enter the password for the safety program, or you have to assign the password for the safety program in a separate dialog box. For information on the password for the safety program, refer to "Overview of Access Protection". The values in the shaded fields are automatically assigned by S7 Distributed Safety in the F-relevant tab. You can change the values in the non-shaded fields. Channel-Level Passivation after Channel Faults: You can configure how the F-I/O will respond to channel faults such as a short circuit, overload, discrepancy error, or wire break, provided the F-I/O supports this parameter (e.g. for ET 200S, ET 200pro F-modules). You configure this behavior in the object properties for the relevant F-I/O ("Behavior after channel faults" parameter). This parameter is used to specify whether the entire F-I/O or just the faulty channel(s) are passivated in the event of channel faul…
363. …systems resulting from cyclic processing; timing imprecision resulting from the update timing of the time base used in the F-application block (see figure in the "F-Application Blocks" section); tolerance of internal time monitoring in the F-CPU: for time values up to 100 ms, a maximum of 20% of the configured time value; for time values starting at 100 ms, a maximum of 2% of the configured time value. You must choose the interval between two call times of an F-application block with time processing so that the required response times are achieved, taking into account the possible timing imprecision. WARNING: The functionality of this F-application block complies with IEC 61131-3; however, it deviates from IEC TIMER SFB 4 "TON" as follows: When it is called with PT = 0 ms, the F_TON instance is not reset completely (initialized). The block behaves in accordance with the timing diagrams. Only output ET is reset. Another rising edge at input IN is required to restart the ON delay once PT is greater than 0 again. A call with PT < 0 ms resets outputs Q and ET. Another rising edge at input IN is required to restart the ON delay once PT is greater than 0 again. F_TON Timing Diagrams (figure). Startup Characteristics: The i…
364. …t as the I/O type. 7. Enter the associated values for the output data address area. In our example, enter 16 as Start Address, 12 as Length, Byte as Unit, and Total Length as Consistent. 8. Enter the associated values for the input data address area. In our example, enter 16 as Start Address, 6 as Length, Byte as Unit, and Total Length as Consistent. 9. Click OK to confirm. 10. Select the second universal module and select the Edit > Object Properties menu command. The object properties dialog appears (figure: Address/ID tab, I/O type "Direct Entry"; Output: Start 28, Length 6, Unit Byte, Consistent over Total length, End 33; Input: Start 28, Length 12, Unit Byte, Consistent over Total length, End 39; Manufacturer-specific data: maximum 14 bytes hexadecimal, separated by comma or blank space). 11. In the object properties for the second universal module, select Out-input as the I/O type. 12. Enter the associated values for the output data address area. In our example, enter 28 as Start Address, 6 as Length, Byte as Unit, and Total Length as…
365. …t F-Runtime Groups" dialog is opened for the first time. Password for CPU and safety program: when compiling for the first time ("Contains Safety Program" in HW Config after a first-time save operation; check boxes selected); when F-I/O that are set to safety mode are arranged in the configuration table; when the "F parameters" tab in the object properties for the F-CPU is opened for the first time; when the object properties for an F-I/O are opened for the first time; when the "F Configuration" tab in the object properties dialog for an I-slave is opened for the first time; when the "PROFIsafe" tab in the object properties dialog for a fail-safe DP standard slave / standard I/O device is opened for the first time; when parameters in the tabs and dialog boxes indicated above are changed; when an F-I/O or F-CPU is deleted from the configuration table. Prompt, password for F-CPU: when the safety program is downloaded in its entirety; when F-blocks with F-attribute are downloaded and deleted. Password for safety program (offline password): when F-blocks are downloaded in SIMATIC Manager; when compiling in the "Safety Program" dialog; during compilation with the "Check block consistency" function; when the F-PB is opened; when F-FBs / F-FCs are opened…
366. …t be repeated. During the time in which in/out parameter IN must change from 6 to 9, output Q is set to 1. Otherwise, Q has a value of 0. WARNING: When using an F-application block with time processing, take the following timing imprecision sources into account when determining your response times: known timing imprecision based on standard systems resulting from cyclic processing; timing imprecision resulting from the update timing of the time base used in the F-application block (see figure in the "F-Application Blocks" section); tolerance of internal time monitoring in the F-CPU: for time values up to 100 ms, a maximum of 20% of the configured time value; for time values starting at 100 ms, a maximum of 2% of the configured time value. You must choose the interval between two call times of an F-application block with time processing so that the required response times are achieved, taking into account the possible timing imprecision. Note: You can evaluate output Q only in your standard user program. Access to output Q in the safety program is not permissible. You can supply in/out parameter IN with just a memory word or nothing at all. In the safety program, read and write access to in/out parameter IN in the associate…
367. …t the F-I/O to which the acknowledgment key is connected, then it will not be possible to acknowledge the reintegration of this F-I/O. This blocking can only be remedied by a STOP-to-RUN transition of the F-CPU. Consequently, it is recommended that you also provide for an acknowledgment by means of an operator control and monitoring system for the acknowledgment for reintegration of an F-I/O to which an acknowledgment key is connected. User Acknowledgment by Means of an Operator Control and Monitoring System: User acknowledgment by means of an operator control and monitoring system requires the F_ACK_OP F-application block from the Distributed Safety F-library (V1). Procedure for Programming User Acknowledgment by Means of an Operator Control and Monitoring System: 1. Call the F_ACK_OP F-application block in your safety program. The acknowledgment signal for evaluating user acknowledgments is provided at output OUT of F_ACK_OP. 2. On your operator control and monitoring system, set up a field for manual entry of an acknowledgment value of 6 (first step in acknowledgment) and an acknowledgment value of 9 (second step in acknowledgment) in the instance DB of F_ACK_OP i…
368. …taining the I-slave. You must not select these. For the "Address (LADDR)", a list field displays the start addresses of the F-I/O of the selected DP slave. Select the desired F-I/O from this list. The dialog box has the following appearance (figure: Properties dialog, "F Configuration" tab, with Mode; DP partner (F-I/O): DP address, Name, Address (LADDR), Process image, F source address, F target address; Local (F safety program): DP address, CPU name, Address (LADDR), Process image, Diagnostic address, Master address, Input address, Process image, Interrupt). 12. Confirm your entry with OK. 13. In the "F Configuration" tab of the object properties for the I-slave, select New. 14. In the next dialog, make the following entries for the connection to the 4 F-DO module for our…
369. …tandard CPU. You can access the address areas listed in the table below in the safety program. Note that you can only access data in F-FBD and F-LAD as follows: data of data type BOOL in bits; data of data type INT in words; data of data type WORD in words; data of data type TIME in double words. This restriction does not apply when data are write-accessed from the standard user program (bit memory or process image of standard I/O). Example: To access input channels of data type BOOL in the process input image of F-I/O, you must use the input (bit) unit. For reasons of clarity, you should always access address areas in a safety program using symbolic names.
Table columns: Address Area; Accessible Units; Size; S7 Notation; Description.
Process input image of F-I/O: At the beginning of the F-runtime group (F-CALL), the F-CPU reads the inputs from the F-I/O and saves the values to the process input image. Input channels are read-only channels. Therefore, a transfer to IN_OUT parameters of an F-FB or F-FC is not permitted.
Channels of data type BOOL (such as digital channels): Input (bit); S7 notation I; Input channels of data type BOOL are read-only and can only be accessed using the Input (bit) unit. Access is not permitted, for example, with the Input (word) unit.
Channels of data type INT/WORD (such as analog channels): Input (word); S7 notation IW; Input channels of data type INT/WORD are read-only and can only be accessed using the Input (word) u…
370. …terconnection 2-channel equivalent) directly through the F-I/O with inputs. In order to keep the discrepancy time from influencing the response time, during the configuration of discrepancy behavior you must configure "Supply value 0". Startup Characteristics: After an F-system startup when ACK_NEC = 1, you must acknowledge the F-application block using a rising edge at input ACK. Output DIAG: The DIAG output provides non-fail-safe information on errors for service purposes. You can read out this information by means of operator control and monitoring systems or, if applicable, you can evaluate it in your standard user program. DIAG bits 1 to 5 are saved until acknowledgment at input ACK. Structure of DIAG (Bit No.; Assignment; Possible Causes of Problems; Remedies): Bit 0: Incorrect TIM_DEL setting; time delay setting < 0; set time delay > 0. Bit 1: Reserved. Bit 2: Reserved. Bit 3: Reserved. Bit 4: Acknowledgment not possible because emergency STOP is still active; emergency STOP switch is interlocked; release interlocking of emergency STOP switch. F-I/O fault, channel fault, or communication error, or passivation by means of variable; for a solution, see DIAG bits 0 to 6 in Chapter "F-I/O DB"…
371. …the DP master; a local address (I-slave) and a partner address (DP master) for receiving data from the DP master. You assign the configured addresses to the LADDR parameter of the corresponding F_SENDDP and F_RCVDP F-application blocks in the safety programs. Assigned Address Areas: Each of the local and partner addresses represents a start address of an address area of input and output data. Once the local and partner addresses are configured, the address areas are automatically assigned. The assigned address areas for a send connection and a receive connection are shown in the following table (Communication Connection; Assigned Address Area in the F-CPU of the I-slave; Assigned Address Area in the F-CPU of the DP master): Send (I-slave to DP master): I-slave: 12 bytes of output data and 6 bytes of input data; DP master: 12 bytes of input data and 6 bytes of output data. Receive (I-slave from DP master): I-slave: 12 bytes of input data and 6 bytes of output data; DP master: 12 bytes of output data and 6 bytes of input data. Note: We recommend that you use addresses outside the process image as the local and partner addresses, since the process image should be reserved for the address areas of modules. 8.3.2 Requirements. Configuring Sa…
372. …the F-CPU with the F_SENDDP or F_SENDS7 is in deactivated safety mode, you can no longer assume that the data sent by this F-CPU are generated safely. You must then implement organizational measures, such as operation monitoring and manual safety shutdown, to ensure safety in those portions of the system that are affected by the sent data. Alternatively, you must output fail-safe values instead of the received data in the F-CPU with F_RCVDP or F_RCVS7 by evaluating SENDMODE. Requirements for Deactivating Safety Mode: The "Safety mode can be deactivated" parameter in the "F parameter" tab of the F-CPU in HW Config is enabled (see Chapter "Configuring the F-CPU"). The F-CPU is in RUN mode and safety mode is activated. Procedure for Deactivating Safety Mode: 1. Select the correct F-CPU or S7 program assigned to it. 2. In SIMATIC Manager, select the Options > Edit Safety Program menu command. The "Safety Program" dialog will appear. 3. If you are prompted to enter the password for the F-CPU, do so now. 4. Check to see whether "Safety mode activated" is indicated as the Current mode. If so, continue with the next step; if not, stop the process, because safety mode is already deactivated or cannot be deactivated. Note: If the text below…
373. …the parameters of these F-I/O by selecting the F-CPU of the DP master or the S7 program assigned to it in SIMATIC Manager and initiating a printout using the Options > Safety Program menu command, as described above. If the CPU of the DP master is a standard CPU, you print out the parameters of these F-I/O as follows: 1. Select the station with the DP master. 2. In SIMATIC Manager, select the Print > Object Content menu command. A follow-up dialog is displayed. 3. Select "All" as the print area. The printout will then include the "Module description" and the "Address list". 4. Select the "Including parameter description" option to include your parameter descriptions in the printout. 10.8.2 Printed Project Data for the Safety Program. Printed Information: The printout of the safety program ("Safety program" print content) contains the following information important for the safety program acceptance test: Collective signatures: "F-blocks with F-attribute in the block container" (collective signature of all F-blocks with F-attribute in the block container in the "Safety Program" dialog; also displayed in the footer of the printout); "Safety Program" (collective signature of the safety program in the "Safety Program" dialog)…
374. …ting the F-blocks. Steps: Generate, edit, and save F-FBs, F-FCs, and F-DBs in accordance with the requirements of the program structure; rules for F-I/O access; passivation and reintegration of F-I/O; inserting F-blocks from Distributed Safety F-library (V1) and user-created F-libraries; safety-related CPU-CPU communication; communication with the standard user program. References: Chapter "Creating F-Blocks in F-FBD/F-LAD"; "Distributed Safety F-Library (V1)"; Chapter "F-I/O Access"; Chapter "Implementation of User Acknowledgment"; Chapter "F-Libraries"; Chapter "Configuring and Programming Communication"; Chapter "Data Exchange between Standard User Programs and Safety Program".
Creating the F-runtime groups. Steps: Create F-CALL; assign F-FB/F-FC to F-CALL; set maximum cycle time for the F-runtime group in accordance with requirements (dependent on process and safety regulations); create DB for F-runtime group communication. References: Chapter "Defining F-Runtime Groups"; Appendix A.
Compiling the safety program. Reference: Chapter "Compiling a Safety Program".
Implementing call of safety program. Steps: Call of F-CALL blocks directly in OBs (e.g. OB35), FBs, or FCs. Reference: Chapter "Defining F-Runtime Groups".
Installation. Steps: Hardware configuration; rules for mounting; rules for wiring. References: Chapter "Overview of Configuration"; "Particularities for Configuring"; F-SMs Manual, Chapters 5, 6; F-Modules Manual, Chapters 3, 4; ET 200eco Manual, Chapters 3, 4; ET 200pro Manual, Chapters 2…
375. …tion for F-blocks: If you execute the File > Store write-protected menu command for the F-block currently open in the FBD/LAD Editor, a write-protected copy of the F-block is created in any block container. 4.3.8 Rewiring Function for F-FBs and F-FCs. Rewiring Function: You can use the STEP 7 "Rewiring" function for F-FBs and F-FCs in the offline safety program. After successful rewiring, an appropriate entry is made in the logbook of the safety program. The automatic consistency tests that are performed when F-blocks are saved are not performed for "Rewiring". A consistent safety program is not generated. WARNING: Rewiring of F-blocks constitutes a change in the safety program and thus causes the collective signature to change. For this reason, the safety program must undergo acceptance testing again. 4.4 Defining F-Runtime Groups. 4.4.1 Rules for F-Runtime Groups of the Safety Program. Requirements: You must have created your safety program. Rules: WARNING: Note the following: The channels of an F-I/O can only be accessed from one F-runtime group. Variab…
376. …trol and monitoring system, or they can be evaluated in your standard user program. These parameters must not be accessed in the safety program. Evaluation of Diagnostic Variable or Parameters in the Standard User Program: Do not evaluate the diagnostic variable or parameters in the safety program; rather, use the following procedure: 1. Load the diagnostic information of the above-mentioned variables/parameters from the F-I/O DB or the corresponding instance DB with fully qualified DB access into your standard user program (example for F-I/O DB: L "F00005_4/8 F_DI_DC24V".DIAG). If necessary, assign a symbolic name for the instance DB in the symbol table. 2. Place the diagnostic information in your standard user program, e.g. in a bit memory address area, using the T MB x instruction. 3. You could then evaluate the individual bits of the diagnostic information in your standard user program, that is, M x.y in this example. Tip on RETVAL14 and 15: The diagnostic information contained in the RETVAL14 and RETVAL15 parameters corresponds to that of SFC14 and SFC15. For a description, refer to the Online Help for STEP 7 on SFC14 and SFC15. Tip on STAT_RCV and STAT_SND: The diagnostic information contained in the STAT_RCV parameter corresponds to the diagnostic informati…
377. …ts. Note: Note that channel-level passivation increases the runtime of the F-runtime group(s) compared to passivation of the entire F-I/O (see also the Excel file s7cotia.xls for response time calculation). Additional Information: For information on which ET 200S, ET 200eco, and ET 200pro F-modules and which S7-300 F-SMs you can use centrally or decentrally, refer to the "Safety Engineering in SIMATIC S7" system manual. For a description of the parameters, refer to the context-sensitive online Help for the tab and the relevant F-I/O manual. For information on what you must consider when configuring the monitoring time for F-I/O, refer to the "Safety Engineering in SIMATIC S7" system manual. PROFIsafe Addresses: The PROFIsafe addresses (F_source_address, F_destination_address parameters) uniquely identify the source and destination. F_destination_address: The F_destination_address uniquely identifies the PROFIsafe destination of the F-I/O. Therefore, the F_destination_address must be unique network-wide and station-wide (see the following rules for address assignment). To prevent incorrect parameter assignment, a station-wide unique F_destination_address is automatically assigned when the F-I/O is placed in HW Config. To ensure a network-wide unique F_destination_addre…
378. …tted, in particular: counter instructions (fail-safe counters are implemented using F-application blocks from the Distributed Safety F-library (V1): F_CTU, F_CTD, F_CTUD); timer instructions (fail-safe timers are implemented using F-application blocks from the Distributed Safety F-library (V1): F_TP, F_TON, F_TOF); shift and rotate instructions (shift instructions are implemented using F-application blocks from the Distributed Safety F-library (V1): F_SHL_W, F_SHR_W); the following program control instructions: call standard blocks (FBs, FCs) (CALL); call FC/SFC without parameters; call F-FBs/F-FCs conditionally (interconnection of EN and ENO); call SFBs/SFCs. Note: In fail-safe programming, you must not interconnect, assign "0" to, or evaluate the enable input EN or the enable output ENO. See also: F-I/O Access (Page 97); Data Transfer from the Safety Program to the Standard User Program (Page 127); Data Transfer from Standard User Program to Safety Program (Page 129). 4.2 Creating the Safety Program. 4.2.1 Basic Procedure for Creating the Safety Program. Software Requirements: The software requirements are described in Chapter "Installing/Removing the S7 Distributed Safety V5.4 SP4 Optional Package". Additional Requirement…
379. …ttern dependent on the F-I/O used. See also: Implementing User Acknowledgment in the Safety Program of the F-CPU of a DP Master or IO Controller (Page 121); Implementing User Acknowledgment in the Safety Program of an I-Slave F-CPU (Page 124). 5.7 Passivation and Reintegration of F-I/O after F-I/O Faults and Channel Faults. Behavior after F-I/O Faults: If the F-system detects an F-I/O fault (programming errors, excess temperature, for example), it passivates the corresponding F-I/O. The QBAD, PASS_OUT, QBAD_I_xx, and QBAD_O_xx variables are set to 1 when fail-safe values (0) are being used. Behavior after Channel Faults: If the F-system detects a channel fault (e.g. short circuit, overload, discrepancy error, or wire break), the response of the F-system depends on how the "Behavior after Channel Faults" parameter for the F-I/O is configured in HW Config. If you have configured channel-specific passivation, the relevant channels of the F-I/O are passivated. While fail-safe values (0) are being used, variables QBAD, PASS_OUT, or QBAD_I_xx and QBAD_O_xx of the relevant channels = 1. If you have configured passivation of the entire F-I/O, passivation occurs just like after F-I/O errors (see above).
380. …list of data transferred from the standard user program (Address; Symbol; F-runtime group in which the data element is used); list of data for data exchange between the F-runtime groups (number of the F-CALL of the sender F-runtime group; number of the F-CALL of the receiver F-runtime group; number of the DB for F-runtime group communication); runtime group information for each F-runtime group (number of the F-CALL; symbolic name of the F-CALL; number of the called F-program block; symbolic name of the F-program block; number of the associated instance DB, if applicable; symbolic name of the associated instance DB; maximum cycle time of the F-runtime group); list of all F-blocks used in the F-runtime group (except F-system blocks, the F-shared DB, and automatically generated F-blocks). Square brackets around the block name and signature designate F-blocks without F-attribute. Information provided for each F-block: block number; symbolic name; function in the safety program (F-CALL, F-program block, etc.); signature; initial value signature (for all F-FBs not generated automatically). C…
381. …ty program, password prompts will no longer be mentioned in operating procedures below. The block symbol displayed in SIMATIC Manager is highlighted in yellow. The created F-block can then be opened and edited with the FBD/LAD Editor. 3. Double-click the F-FB/F-FC in SIMATIC Manager. The FBD/LAD Editor is displayed. 4. You should select "Type Check of Addresses" in the "LAD/FBD" dialog in the FBD/LAD Editor (Options > Settings). Note: Only the following elements are displayed in the F-Program Elements Catalog: supported instructions; F-FBs and F-FCs from the block container of your S7 program; F-blocks from F-libraries (e.g. F-application blocks of Distributed Safety F-library (V1)); multi-instances of the edited F-block. 5. Edit your F-FB/F-FC block. The data types are checked during editing. Any errors detected are output in the FBD/LAD Editor (same as when creating a standard user program). Note: An F-FB/F-FC called in the F-CALL (which then becomes the F-PB) cannot have any parameters, because they cannot be initialized (see "Defining F-Runtime Groups"). Note: F-FBs/F-FCs must not call themselves. Note: When switching from F-FBD to F-LAD, graphic representation of certain F-FBD networks might not be possible in F-LAD; rather, these…
382. …ty program are modified; when new F-blocks are created in the online block container of the safety program. Validity, password for F-CPU: Once the correct password has been entered, access is authorized until SIMATIC Manager is closed or permission is revoked using the PLC > Access Rights > Cancel menu command. Password for safety program: Once the correct password has been entered, access is authorized for 1 hour. For additional information, see Chapter "Access Permission for the Safety Program". Condition: The safety program is assigned to an F-CPU. 3.2 Access Permission for the Safety Program. Procedure for Assigning the Password for the Safety Program: Use the following procedure to assign the password for the safety program: 1. In SIMATIC Manager, select the F-CPU or its S7 program. 2. Select the Options > Edit Safety Program menu command. The "Safety Program" dialog will appear. 3. Click "Permission" and enter the password for the safety program in the "New password" and "Confirm password" fields in the "Set up permission for safety program" dialog. If you have not yet assigned a password for the safety program but you perform an action that triggers the password prompt for the safety program (see…
383. …type INT in an F-DB. Only variables of data type INT are permitted between the ADDR_INT and END_INT addresses. The ADDR_INT address must be smaller than the END_INT address. As shown in the following example, the ADDR_INT and END_INT addresses must be transferred fully qualified as DBx.DBWy or in the corresponding symbolic representation. Transfers in other forms are not permitted. Examples of Parameter Assignment of ADDR_INT, END_INT, and OFFS_INT (figure: Examples 1 to 3 showing an F-DB with INT variables such as VAR_INT10, VAR_INT15, VAR_INT20, and VAR_INT30 and their assignment to the ADDR_INT, END_INT, and OFFS_INT inputs, with OFFS_INT = 0; not reproduced).
type is permitted in an F communication DB. No more than 128 data elements of data type BOOL may be declared, and the amount of data of data type BOOL must always be an integer multiple of 16 (word limit); reserve data must be added if necessary. If these criteria are not fulfilled, S7 Distributed Safety outputs an error message.

Assigning fail-safe values

Fail-safe values are made available from the receiver side:
- while the connection between the communication partners is being established for the first time after startup of the F systems
- whenever a communication error occurs
The values you specified in the F communication DB on the receiver side (the defaults of the F communication DB) are made available as fail-safe values.

Programming procedure
1. Supply the variables in the F communication DB of the sender side with the send signals, using symbolic, fully qualified access (e.g. "Name of F communication DB".variable name).
2. Read the variables in the F communication DB of the receiver side (receive signals) that you want to process further in other sections of the program, using symbolic, fully qualified access (e.g. "Name of F communication DB".variable name).
3. In the safety program from which data are to be sent, call the F_SENDS7 F application block for sending at the end of the F PB.
4. In the safety program in which data are to be received, call the F_RCVS7 F application block for receiving at the start of
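The following Python example is added here and is not taken from the manual. It checks a declaration against the F communication DB rules above, computes the reserve BOOL elements needed to reach the next word limit, and shows which values the receiver side sees while SUBS_ON = 1. The variable names and the declaration are constructed for the illustration.

```python
# Constructed F communication DB declaration (hypothetical names; not from the manual).
# Entries: (variable name, data type)
SEND_DB_DECLARATION = [
    ("ESTOP_OK",    "BOOL"),
    ("DOOR_CLOSED", "BOOL"),
    ("PUMP_RUN",    "BOOL"),
    ("LEVEL_ALARM", "BOOL"),
    ("SETPOINT",    "INT"),
    ("PRESSURE",    "INT"),
]

MAX_BOOL = 128     # upper limit stated in the text
WORD_LIMIT = 16    # the BOOL count must be an integer multiple of 16


def validate_f_comm_db(declaration):
    """Check a declaration against the rules for an F communication DB.
    Returns (problems, reserve_bools): the violated rules and the number of
    reserve BOOL elements needed to reach the next word limit."""
    problems = []
    n_bool = 0
    for name, data_type in declaration:
        if data_type == "BOOL":
            n_bool += 1
        elif data_type != "INT":
            problems.append(f"{name}: data type {data_type} not permitted (only BOOL and INT)")
    if n_bool > MAX_BOOL:
        problems.append(f"{n_bool} BOOL elements declared, at most {MAX_BOOL} are permitted")
    reserve = (-n_bool) % WORD_LIMIT
    if reserve:
        problems.append(f"{n_bool} BOOL elements is not a multiple of {WORD_LIMIT}; "
                        f"add {reserve} reserve BOOL elements")
    return problems, reserve


def add_reserve(declaration):
    """Append reserve BOOL elements so that the BOOL data ends on a word limit."""
    _, reserve = validate_f_comm_db(declaration)
    padded = list(declaration)
    padded.extend((f"RESERVE_{i}", "BOOL") for i in range(reserve))
    return padded


def receiver_values(received, fail_safe, subs_on):
    """Values the receiving safety program works with: the received data while
    the connection is up, the fail-safe values specified in the receiver's
    F communication DB while SUBS_ON = 1 (connection being established after
    startup, or a communication error)."""
    return dict(fail_safe) if subs_on else dict(received)
```

For the constructed declaration (4 BOOL, 2 INT) the check reports that 12 reserve BOOL elements are missing; after add_reserve the declaration passes. A 144-element BOOL block is word-aligned but exceeds the limit of 128, and a TIME element is rejected regardless of alignment.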
u must not call these F application blocks as multiple instances. The input and output parameters of F_RCVS7 must not be supplied with local data of the F program block. You must not use an actual parameter for an output parameter of an F_RCVS7 if it is already being used for an input parameter of the same or another F_RCVS7 or F_RCVDP call. The F CPU can go to STOP if this is not observed; one of the following diagnostic events is then entered in the diagnostic buffer of the F CPU:
- Data corruption in the safety program prior to output to F I/O
- Data corruption in the safety program prior to output to partner F CPU
- Safety program: internal CPU fault (internal error information: 404)

F Libraries, 9.1 Distributed Safety F library V1

Startup characteristics

After the sending and receiving F systems are started up, communication must first be established between the communication peers F_SENDS7 and F_RCVS7. During this time the receiver F_RCVS7 provides fail-safe values (the defaults in its F communication DB). F_SENDS7 and F_RCVS7 signal this with a 1 at output SUBS_ON. Output SENDMODE of the F_RCVS7 has a default of 0 and is not updated as long as output SUBS_ON = 1.

Behavior in the event of communication errors

If a communication error occurs, for example due to a test value error (CRC) or when the monitoring time TIM
F Libraries, 9.1 Distributed Safety F library V1

Schematic sequence of an error-free muting procedure with four muting sensors MS_11, MS_12, MS_21, MS_22

[Figure: arrangement of the muting sensors MS_11 and MS_21 on the sender side and MS_12 and MS_22 on the receiver side of the light curtain at the boundary of the danger zone]

If muting sensors MS_11 and MS_12 are both activated by the product within DISCTIM1 (signal state 1) and MUTING is enabled by setting the ENABLE input to 1, the F application block starts the MUTING function. Enable signal Q remains 1 even when input FREE = 0 (light curtain interrupted by the product). The MUTING output for switching on the muting lamp changes to 1.

Note: The muting lamp can be monitored using the QBAD_MUT input. To do this, wire the muting lamp to an output with wire break monitoring of an F I/O and supply the QBAD_MUT input with the QBAD or QBAD_O_xx signal of the associated F I/O or channel. If QBAD_MUT = 1, muting is terminated by the F application block. If monitoring of the muting lamp is not necessary, you do not have to supply input QBAD_MUT. F I/O that can promptly detect a wire break after activation of the muting operation must be used (see the manual for the specific F I/O).

[Figure: product passing the muting sensors between sender and receiver of the light curtain at the danger zone]

- As long as both muting sen
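The following Python model of the start and hold phase described above is an added example; it is neither the F_MUTING block itself nor code from the manual. DISCTIM1, ENABLE, MS_11, MS_12, MS_21, MS_22, FREE, QBAD_MUT, Q and MUTING are the inputs and outputs named in the text. How muting ends in the error-free case is not covered by the text above, so the model simply ends it when all four sensors are released, and it assumes that outside muting the enable Q follows FREE; both are assumptions of this example.

```python
class MutingStart:
    """Start and hold phase of a muting sequence with four sensors and a
    monitored muting lamp. Constructed model of the behaviour described in the
    text; the points marked 'assumption' are simplifications of this example."""

    def __init__(self, disctim1_ms):
        self.disctim1_ms = disctim1_ms
        self.muting = False
        self.first_seen_ms = None   # time at which the first of MS_11/MS_12 became 1

    def step(self, now_ms, enable, ms_11, ms_12, ms_21, ms_22, free, qbad_mut):
        """One cyclic call of the block. Returns (Q, MUTING)."""
        # Muting lamp fault (QBAD_MUT = 1 from the F I/O): muting is terminated at once.
        if qbad_mut:
            self.muting = False

        # Discrepancy timer for the entry sensor pair MS_11/MS_12: it starts when
        # the first sensor is activated and is cleared when both are released.
        if not (ms_11 or ms_12):
            self.first_seen_ms = None
        elif self.first_seen_ms is None:
            self.first_seen_ms = now_ms

        # Both entry sensors activated within DISCTIM1 while ENABLE = 1: start muting.
        # A pair that exceeded DISCTIM1 must be released before a new attempt.
        if not self.muting and not qbad_mut and enable and ms_11 and ms_12:
            if now_ms - self.first_seen_ms <= self.disctim1_ms:
                self.muting = True

        # Assumption (not in the text): muting ends when all four sensors are released.
        if self.muting and not (ms_11 or ms_12 or ms_21 or ms_22):
            self.muting = False

        # While muting, Q stays 1 even if the light curtain is interrupted (FREE = 0).
        # Assumption: outside muting, the enable follows the light curtain.
        q = True if self.muting else bool(free)
        return q, self.muting
```

In the sequence the tests reproduce, MS_11 is activated at 0 ms and MS_12 at 200 ms with DISCTIM1 = 500 ms, so muting starts, Q stays 1 while the product interrupts the curtain, and a lamp fault at 600 ms terminates muting; because the entry sensors are still activated from the failed attempt, muting does not restart until they have been released once. A second pair activated 800 ms apart never starts muting.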
umes F runtime groups.

F runtime groups

To improve handling, a safety program consists of one or two F runtime groups. An F runtime group is a logical construct of several related F blocks that is formed internally by the F system. An F runtime group consists of the following:
- one F call block (F CALL)
- one F program block (F PB), an F FB or F FC that you assign to the F CALL
- additional F FBs or F FCs that you program using F FBD or F LAD, as needed
- one or more F DBs, as needed
- F I/O DBs
- F blocks of the Distributed Safety F library V1
- F blocks from user-created F libraries
- F system blocks (F SBs)
- automatically generated F blocks

Structuring the safety program in two F runtime groups

You can divide your safety program into two F runtime groups. By arranging for portions of your safety program (one F runtime group) to run in a faster priority class, you achieve faster safety circuits with short response times.

See also: Rules for F Runtime Groups of the Safety Program (Page 86)

Programming, 4.1 Overview of Programming, 4.1.3 Fail-Safe Blocks

F blocks of an F runtime group

You use the F blocks in the table below in an F runtime group.
- F CALL: F block for calling the F runtime group from the standard user program. The F CALL contains the call for the F program block a
unter (default 0): QU = 1 if CV ≥ PV; QU = 0 if CV < PV
- QD (BOOL, default 0): status of the down counter: QD = 1 if CV ≤ 0; QD = 0 if CV > 0
- CV (INT, default 0): current counter value; possible values -32768 to 32767

F Libraries, 9.1 Distributed Safety F library V1

Principle of operation

This F application block forms an edge-controlled up/down counter with functionality based on the IEC counter SFB 2 (CTUD). At a rising edge (relative to the last F application block call) the counter behaves as follows:
- Input CU: the counter counts up by 1. When the counter value reaches the upper limit 32767, it no longer counts up.
- Input CD: the counter counts down by 1. When the counter value reaches the lower limit -32768, it no longer counts down.
If there is a rising edge at both input CU and input CD during one cycle, the counter remains at its current value.

WARNING: When the CU signal and the CD signal are present simultaneously, the behavior deviates from that prescribed in IEC 61131-3. According to the standard, the CU input prevails when the CU signal and the CD signal are present simultaneously.

LOAD = 1: CV is preset with the value of input PV. The values at inputs CU and CD are ignored.
R = 1: CV is reset to 0. The values at inputs CU, CD and LOAD are ignored.
Output QU displays whether the current counte
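The following Python model of the counter behaviour described above is an added example, not the library block and not code from the manual. It reproduces the edge detection relative to the previous call, the limits at 32767 and -32768, the hold when both edges occur in the same cycle, and the priority of R over LOAD over counting. The default PV = 0, the calling convention and the fact that the edge memory is updated even while R or LOAD is active are assumptions of this example.

```python
INT_MAX = 32767
INT_MIN = -32768


class FCtud:
    """Edge-controlled up/down counter modelled on the description of F_CTUD.
    Constructed model for illustration, not the library block itself."""

    def __init__(self):
        self.cv = 0
        self._last_cu = False
        self._last_cd = False

    def call(self, cu, cd, r=False, load=False, pv=0):
        """One call of the block. Returns (QU, QD, CV)."""
        # Rising edges are detected relative to the previous call of the block.
        up = cu and not self._last_cu
        down = cd and not self._last_cd
        self._last_cu, self._last_cd = bool(cu), bool(cd)

        if r:                               # R = 1: CV reset; CU, CD and LOAD ignored
            self.cv = 0
        elif load:                          # LOAD = 1: CV preset with PV; CU and CD ignored
            self.cv = pv
        elif up and down:                   # both edges in one cycle: CV unchanged
            pass                            # (deviation from IEC 61131-3, where CU prevails)
        elif up and self.cv < INT_MAX:      # no counting beyond the upper limit
            self.cv += 1
        elif down and self.cv > INT_MIN:    # no counting below the lower limit
            self.cv -= 1

        return self.cv >= pv, self.cv <= 0, self.cv
```

Holding CU at 1 over several calls counts once, not once per call; a preset to 32767 followed by a CU edge leaves CV unchanged, and R forces CV = 0 regardless of the other inputs.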
ured stations, select the station type of the I-slave (for example CPU 31x) and place it on the DP master system. Link the I-slave to the DP master in the Connection dialog, which opens automatically. Now you can define the F I/O for safety-related I-slave/slave communication.
10. In the F Configuration tab of the object properties for the I-slave, select New.

Configuring and Programming Communication, 8.5 Safety-Related Slave-Slave Communication

11. In the next dialog, make the following entries for the connection to the 4/8 F-DI module in our example:
- Mode: F-DX module (fail-safe I-slave/slave communication)
- DP partner (F I/O): DP address = 1 (slave; PROFIBUS address of the slave with the F I/O); Address (LADDR) = 0 (4/8 F-DI; starting address of the F I/O)
- Local (safety program): Address (LADDR) = 100 (starting address of the F I/O via which access is made in the safety program of the F CPU of the I-slave)
Accept the defaults for the other parameters in the dialog box.

Note: DP partner (F I/O): for the DP address, a list field displays the PROFIBUS addresses of possible DP slaves that support safety-related I-slave/slave communication. Select the desired DP slave from this list. Note, however, that the list may include DP slaves that are not assigned to the DP master system con
ures uniquely identify a particular state of the → safety program and the safety-related parameters of the F CPU and F I/O. They are important for the preliminary acceptance test of the safety program (e.g. by → experts). The following signatures are displayed by the programming software and can also be printed out:
- collective signature of all F blocks with F attribute of the block container
- collective signature of the safety program
These two signatures must match for the acceptance test.

Cyclic Redundancy Check: → CRC Signature

CRC signature: the validity of the process data in the → safety message frame, the accuracy of the assigned address references and the safety-related parameters are ensured by means of a CRC signature contained in the safety message frame.

Glossary

Custom F libraries: user-created F libraries are F libraries created by the user, containing F FBs, F FCs and application templates (network templates).

DB for F runtime group communication: → F DB for safety-related communication between the F runtime groups of a safety program.

Deactivated safety mode
Depassivation
Deactivated safety mode is the temporary deactivation of → safety mode for test purposes, commissioning, etc. The following actions are possible only in deactivated safety mode:
- downloading changes of the →
use the following fail-safe components in S7 Distributed Safety F systems on PROFINET IO:
- F CPUs with PN interface, e.g. CPU 416F-3 PN/DP
- fail-safe electronic modules in ET 200S
- fail-safe electronic modules in ET 200pro
- fail-safe standard I/O devices (light grid, laser scanner, etc.)
You can expand the configuration using standard I/O.

Additional information: detailed information on hardware components can be found in the Safety Engineering in SIMATIC S7 system manual.

Using a CPU for copying safety-related data between F CPU and F I/O

Note the following if you use a standard CPU to copy safety-related data between an F CPU and F I/O.

WARNING: If you use a standard CPU on PROFINET IO or PROFIBUS DP that copies safety-related input and output data between the F CPU and F I/O by means of a user program, you must test all safety functions affected by the copy function whenever you change the user-programmed copy function.

Software components

Software components of S7 Distributed Safety include the following:
- the S7 Distributed Safety optional package on the programming device/PC for configuring and programming the F system
- the safety program in the F CPU
In addition, you need the STEP 7 basic software on the programming device or PC for configuring and programming the standard PLC.

Product Overview
used for safety-related operation in → safety mode in the ET 200S and ET 200pro distributed I/O systems. These modules feature integrated → safety functions. They behave in accordance with the standards IEC 61784-1 Ed3 CP 3/1 or IEC 61784-2 CP 3/5 and CP 3/6 and IEC 61158 Types 5/10 and 6/10 and the PROFIsafe bus profile according to IEC 61784-3-3 Ed2.

Fail-safe standard I/O devices: fail-safe standard I/O devices are standard devices that are operated on PROFINET with the IO protocol. They must behave in accordance with the standards IEC 61784-2 CP 3/5 and CP 3/6 and IEC 61158 Types 5/10 and 6/10 and the PROFIsafe bus profile according to IEC 61784-3-3 Ed2. A GSD file is used to configure fail-safe DP standard slaves.

Fail-safe systems: fail-safe systems (F systems) are systems that remain in a safe state or immediately switch to another safe state as soon as particular failures occur.

Glossary

F application blocks (block container): block container of the Distributed Safety F library containing the → F application blocks.

F application blocks: F application blocks are F blocks (F FBs, F FCs) with ready-made functions in the Distributed Safety F library. The F application blocks can be called by the user in the → F PB and in additional → F FBs and → F FCs.

F attribute: all → F blocks in a → safety prog
ust be taken into account only if the amount of local data available for your safety program is insufficient and you received a message from S7 Distributed Safety to that effect.

You can estimate the probable local data requirement for the automatically added F blocks as follows. For each F runtime group, determine the local data requirement for each call hierarchy path in the F runtime group, starting from and including the F PB, through all nesting levels down to the lowest level of your safety program.

Local data requirement for a call hierarchy path (in bytes) =
  2 x number of all local data elements of F FBs/F FCs of data type BOOL in the path
+ 4 x number of all local data elements of F FBs/F FCs of data type INT or WORD in the path
+ 6 x number of all local data elements of F FBs/F FCs of data type TIME in the path
+ 42 x number of nesting levels in which an F application block is called
+ 18 x number of nesting levels
+ 14 x number of nesting levels in which a fixed point function or word logic instruction is programmed

The estimated local data requirement for the automatically added F blocks is then the maximum path local data requirement over all paths of all F runtime groups.

Note: If you are unable to provide a sufficient amount of local data for the automatically added F blocks, we recommend reducing the local data requirement of your safety program, for example by reducing the nesting depth.

S7 Distributed
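The following Python implementation of the estimate above is an added example and not code from the manual. It enumerates every call hierarchy path from the F PB of each F runtime group, applies the formula to each path and takes the maximum. Each block on a path is counted as one nesting level; the block names, local data counts and call structure are constructed for the illustration.

```python
# Byte weights per local data element and per nesting level, as given in the text.
BYTES_PER_ELEMENT = {"BOOL": 2, "INT": 4, "WORD": 4, "TIME": 6}
BYTES_PER_LEVEL = 18                 # every nesting level
BYTES_PER_F_APP_BLOCK_LEVEL = 42     # levels in which an F application block is called
BYTES_PER_FIXED_POINT_LEVEL = 14     # levels with a fixed point function or word logic

# Constructed call hierarchy (hypothetical block names and local data counts).
BLOCKS = {
    "F_PB_1": {"locals": {"BOOL": 4, "INT": 2}, "f_app_block": False, "fixed_point": False,
               "calls": ["F_FB_A", "F_FB_B"]},
    "F_FB_A": {"locals": {"BOOL": 8, "TIME": 1}, "f_app_block": True, "fixed_point": False,
               "calls": ["F_FC_C"]},
    "F_FC_C": {"locals": {"WORD": 2}, "f_app_block": False, "fixed_point": True, "calls": []},
    "F_FB_B": {"locals": {"INT": 3}, "f_app_block": False, "fixed_point": True, "calls": []},
    "F_PB_2": {"locals": {"BOOL": 16}, "f_app_block": True, "fixed_point": False, "calls": []},
}
# F runtime group -> its F PB (second group runs in the faster priority class)
RUNTIME_GROUPS = {"RTG_1": "F_PB_1", "RTG_2": "F_PB_2"}


def call_paths(blocks, name):
    """All call hierarchy paths from block `name` down to the lowest nesting level."""
    node = blocks[name]
    if not node["calls"]:
        return [[name]]
    return [[name] + tail for callee in node["calls"] for tail in call_paths(blocks, callee)]


def path_requirement(blocks, path):
    """Local data requirement in bytes of one call hierarchy path (the formula
    from the text; every block on the path is one nesting level)."""
    total = 0
    for name in path:
        blk = blocks[name]
        total += sum(BYTES_PER_ELEMENT[t] * n for t, n in blk["locals"].items())
        total += BYTES_PER_LEVEL
        if blk["f_app_block"]:
            total += BYTES_PER_F_APP_BLOCK_LEVEL
        if blk["fixed_point"]:
            total += BYTES_PER_FIXED_POINT_LEVEL
    return total


def estimate_local_data(blocks, runtime_groups):
    """Estimated local data requirement of the automatically added F blocks:
    the maximum path requirement over all paths of all F runtime groups."""
    return max(path_requirement(blocks, path)
               for f_pb in runtime_groups.values()
               for path in call_paths(blocks, f_pb))
```

For the constructed hierarchy the path F_PB_1 > F_FB_A > F_FC_C needs 156 bytes (34 + 82 + 40), the path F_PB_1 > F_FB_B needs 78 bytes and the single-block group F_PB_2 needs 92 bytes, so the estimate is 156 bytes; removing one nesting level from the longest path is what the note above recommends when that figure cannot be provided.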
ut down communication between the F CPUs. To do so, supply input EN_SEND of F_SENDS7 with 0 (default: 1). Send data are then no longer sent to the F communication DB of the associated F_RCVS7, and the receiver F_RCVS7 provides fail-safe values for this period (the defaults of its F communication DB). If communication was already established between the partners, a communication error is detected.

The local ID of the S7 connection (from the connection table in NetPro) of the F CPU must be specified at input ID of F_SENDS7 or F_RCVS7. Communication between the F CPUs takes place hidden in the background by means of a special safety protocol. You must define a communication association between an F_SENDS7 in one F CPU and an F_RCVS7 in the other F CPU by assigning an odd number at the R_ID inputs of the F_SENDS7 and F_RCVS7. Associated F_SENDS7s and F_RCVS7s receive the same value for R_ID.

WARNING: The value for each address association (input parameter R_ID, data type DWORD) is user-defined; however, it must be unique from all other safety-related communication connections in the network. The value R_ID = 1 is internally assigned and must not be used. You must supply inputs ID and R_ID with constant values when calling the F application block. Direct read or write access to the associated instance DB is not permitted in the safety program.

Note: A separate instance DB must be used for each call of an F_SENDS7 and F_RCVS7. Yo
utomatically performs → reintegration of the → F I/O.

User safety function: the → safety function for the process can be provided through a user safety function or a fault reaction function. The user only has to program the user safety function. If, in the event of a fault, the F system can no longer execute its actual user safety function, it executes the fault reaction function: for example, the associated outputs are deactivated and the F CPU switches to STOP mode if necessary.

Voltage group: in the ET 200S and ET 200pro distributed I/O systems, a voltage group is a group of electronic modules supplied by one power module.

Index

1
1oo2 evaluation with discrepancy analysis, 211

A
Access permission, 48, 53
  Canceling for the F CPU, 53
  Canceling for the safety program, 48
  Setting up for the F CPU, 53
  Setting up for the safety program, 48
Access protection, 45
  Overview, 45
Accessing variables of F I/O DB, 108
ACK_NEC, 101
ACK_REI, 101
ACK_REI_GLOB, 241
ACK_REQ, 101
Acknowledgment, 59
Address areas, 61
  For safety-related I-slave/I-slave communication, 156
  For safety-related slave/slave communication, 162
  For safety-related master/I-slave communication, 144
Address areas for slave/I-slave communication
  Assignment, 156
  Definition, 156
Address areas for
uts:
- IN1 (BOOL, default 0): input 1
- IN2 (BOOL, default 0): input 2
- QBAD_IN1 (BOOL, default 0): QBAD or QBAD_I_xx signal of the F I/O or channel of input IN1
- QBAD_IN2 (BOOL, default 0): QBAD or QBAD_I_xx signal of the F I/O or channel of input IN2
- OPEN_NEC (BOOL, default 1): 1 = open necessary at startup
- ACK_NEC (BOOL, default 1): 1 = acknowledgment necessary
- ACK (BOOL, default 0): acknowledgment
Outputs:
- Q (BOOL, default 0): 1 = enable, safety door closed
- ACK_REQ (BOOL, default 0): acknowledgment request
- DIAG (BYTE, default B#16#0): service information

F Libraries, 9.1 Distributed Safety F library V1

Principle of operation

This F application block implements safety door monitoring. Enable signal Q is reset to 0 as soon as one of the inputs IN1 or IN2 assumes a signal state of 0 (safety door is opened). The enable signal can be set to 1 again only if:
- inputs IN1 and IN2 have both assumed a signal state of 0 (safety door has been completely opened),
- inputs IN1 and IN2 then both assume a signal state of 1 (safety door is closed), and
- an acknowledgment occurs.
The acknowledgment for the enable takes place according to the parameter assignment at input ACK_NEC:
- If ACK_NEC = 0, the acknowledgment is automatic.
- If ACK_NEC = 1, you must use a rising edge at input ACK to acknowledge the enable.
Output ACK_REQ = 1 signals that a user acknowledgment is required at input ACK. The
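The following Python model of the safety door monitoring principle described above is an added example, not the F_SFDOOR block itself and not code from the manual. IN1, IN2, ACK, OPEN_NEC, ACK_NEC, Q and ACK_REQ are the parameters from the table; QBAD_IN1, QBAD_IN2 and DIAG are not modelled, and the treatment of OPEN_NEC at startup is an assumption stated in the code.

```python
class FSfdoor:
    """Safety door monitoring modelled on the principle of operation of
    F_SFDOOR. Constructed model; QBAD_IN1/QBAD_IN2 are not evaluated."""

    def __init__(self, open_nec=True, ack_nec=True):
        self.ack_nec = ack_nec
        self.q = False
        self.ack_req = False
        # Assumption of this example: with OPEN_NEC = 1 the door must be opened
        # completely before the first enable after startup; with OPEN_NEC = 0
        # the startup is treated as if that opening had already taken place.
        self.fully_opened = not open_nec
        self._last_ack = False

    def call(self, in1, in2, ack):
        """One cyclic call of the block. Returns (Q, ACK_REQ)."""
        ack_edge = bool(ack) and not self._last_ack    # rising edge at ACK
        self._last_ack = bool(ack)

        if not (in1 and in2):
            # At least one channel reports 0: door opened, enable removed at once.
            self.q = False
            self.ack_req = False
            if not in1 and not in2:
                self.fully_opened = True     # both channels 0: door completely opened
            return self.q, self.ack_req

        # Both channels 1: door closed.
        if self.q:
            return self.q, self.ack_req      # enable already given, nothing to do
        if not self.fully_opened:
            return False, False              # door was not completely opened: no enable
        if not self.ack_nec or ack_edge:
            self.q = True                    # automatic or user acknowledgment
            self.ack_req = False
            self.fully_opened = False        # the next enable needs a new complete opening
        else:
            self.ack_req = True              # user acknowledgment at ACK required
        return self.q, self.ack_req
```

With ACK_NEC = 1, closing the door only raises ACK_REQ; an ACK that was already 1 while the door was open does not count, because a rising edge is needed. Opening only one channel removes the enable, and closing again without both channels having been 0 does not restore it.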
ve signatures of all F blocks with F attribute in the block container match online and offline.
- Perform a memory reset of the F CPU using the mode selector or via the programming device/PC. Once the work memory has been deleted, the safety program is transferred again from the load memory (Memory Card (MMC) for F CPUs 3xxF and IM 151-7 F-CPU, or Flash Card for F CPUs 4xxF).

WARNING: If multiple F CPUs can be reached over a network (such as MPI) by one programming device or PC, you must take the following actions to ensure that the safety program is downloaded to the correct F CPU. Use passwords specific to each F CPU, for example a uniform password for the F CPUs with the respective MPI address as an extension (Password_8). Note the following:
- A point-to-point connection must be used when assigning a password to an F CPU for the first time (analogous to assigning an MPI address to an F CPU for the first time).
- Before downloading a safety program to an F CPU for which access authorization by means of an F CPU password does not yet exist, you must first revoke any existing access authorization for another F CPU.

Compiling and commissioning a safety program, 10.6 Function Test of Safety Program and Protection through Program Identification

F CPUs without inserted Flash Card

The following war
via S7 Connections
8.7.1 Configuring safety-related communication using S7 connections
8.7.2 Communication via F_SENDS7, F_RCVS7 and F communication DB
8.7.3 Programming Safety-Related CPU-CPU Communication via S7 Connections
8.7.4 Limits for Data Transfer, Safety-Related Communication via S7 Connections
8.8 Safety-Related Communication between S7 Distributed Safety and S7 F Systems
9 F Libraries
9.1 Distributed Safety F library V1
9.1.1 Overview of Distributed Safety F Library V1
9.1.2 F Application Blocks
9.1.2.1 Overview of F application blocks
9.1.2.2 FB 179 F_SCA_I: Scale Values of Data Type INT
9.1.2.3 FB 181 F_CTU: Count Up
9.1.2.4 FB 182 F_CTD: Count Down
wledgment of all F I/Os in an F runtime group
- FB 223 F_SENDDP: Send data (16 BOOL, 2 INT) via PROFIBUS DP
- FB 224 F_RCVDP: Receive data (16 BOOL, 2 INT) via PROFIBUS DP
- FB 225 F_SENDS7 (for CPUs 4xxF): Send data from F DB via S7 connections
- FB 226 F_RCVS7 (for CPUs 4xxF): Receive data from F DB via S7 connections
- FC 174 F_SHL_W: Shift left 16 bits
- FC 175 F_SHR_W: Shift right 16 bits
- FC 176 F_BO_W: Convert 16 data elements of data type BOOL to a data element of data type WORD
- FC 177 F_W_BO: Convert a data element of data type WORD to 16 data elements of data type BOOL
- FC 178 F_INT_WR: Write value of data type INT indirectly to an F DB
- FC 179 F_INT_RD: Read value of data type INT indirectly from an F DB

Note: You may change the numbers of the F application blocks. Exception: when using the F_ESTOP1 and F_FDBACK F application blocks, the F_TOF F application block must have number FB 186 and must not be renumbered. If you change the number of an F application block, note that the symbolic name in the symbol table must continue to match the name in the object properties for the block header. You cannot use symbolic names of F application blocks of the Distributed Safety F library V1 for user-created F FBs, F FCs and blocks.

F Libraries, 9.1 Distributed Safety F library V1

Note: You must ensure that the F blocks in the F
wo or four muting sensors. Muting is a defined suppression of the protective function of light curtains. Light curtain muting can be used to introduce goods or objects into the danger area monitored by the light curtain without causing the machine to stop. To utilize the muting function, at least two independently wired muting sensors must be present. The use of two or four muting sensors and correct integration into the production sequence must ensure that no persons enter the danger area while the light curtain is muted.

WARNING: When using an F application block with time processing, take the following sources of timing imprecision into account when determining your response times:
- known timing imprecision based on standard systems, resulting from cyclic processing
- timing imprecision resulting from the update timing of the time base used in the F application block (see the figure in Chapter "F Application Blocks")
- tolerance of the internal time monitoring in the F CPU: for time values up to 100 ms, a maximum of 20 % of the configured time value; for time values starting at 100 ms, a maximum of 2 % of the configured time value
You must choose the interval between two call times of an F application block with time processing so that the required response times are achieved, taking into account the possible timing imprecision.
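The following Python example is added here and is not code from the manual. It turns the tolerance figures in the warning into a worst-case bound on when a configured time can be observed to expire, and derives from it the largest permissible interval between two calls of the block for a required response time. Adding one call interval and one time-base update period for the first two imprecision sources is an assumption of this example, and 100 ms itself is treated with the larger 20 % figure.

```python
def monitoring_tolerance_ms(configured_ms):
    """Maximum tolerance of the F CPU's internal time monitoring as stated in
    the text: 20 % of the configured value for times up to 100 ms, 2 % from
    100 ms. 100 ms itself is given the larger (conservative) figure."""
    if configured_ms <= 0:
        raise ValueError("configured time must be positive")
    percent = 20 if configured_ms <= 100 else 2
    return configured_ms * percent / 100


def worst_case_expiry_ms(configured_ms, call_interval_ms, time_base_ms):
    """Latest point at which a configured time can be seen to expire.
    Assumption of this example: the cyclic-processing imprecision is bounded by
    one call interval of the block and the time-base imprecision by one update
    period of the time base; both are added to the monitoring tolerance."""
    return (configured_ms
            + monitoring_tolerance_ms(configured_ms)
            + call_interval_ms
            + time_base_ms)


def max_call_interval_ms(required_response_ms, configured_ms, time_base_ms):
    """Largest interval between two calls of the block that still meets the
    required response time under the same assumptions; None if the configured
    time and its imprecision already exceed the requirement."""
    slack = (required_response_ms
             - configured_ms
             - monitoring_tolerance_ms(configured_ms)
             - time_base_ms)
    return slack if slack >= 0 else None
```

A 500 ms time with a 20 ms call interval and a 10 ms time base can be observed up to 540 ms after it started; to guarantee a 600 ms response with the same time base, the block may be called at most every 80 ms, and a 500 ms response cannot be guaranteed with a 500 ms time at all.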
xed amount of fail-safe data of data types BOOL and INT in a fail-safe manner. You can find these F application blocks in the F-Application Blocks block container of the Distributed Safety F library V1. F_RCVDP must be called at the start of the F PB; F_SENDDP must be called at the end of the F PB. Note that the send signals are sent only after the F_SENDDP call at the end of the relevant F runtime group execution. For a detailed description of the F_SENDDP and F_RCVDP F application blocks, refer to Chapter "FB 223 F_SENDDP and FB 224 F_RCVDP: Sending and Receiving Data via PROFIBUS DP".

See also: FB 223 F_SENDDP and FB 224 F_RCVDP: Send and Receive Data via PROFIBUS DP

Configuring and Programming Communication, 8.2 Safety-Related Master-Master Communication

8.2.4 Programming Safety-Related Master-Master Communication

Requirements

The following requirements must be met prior to programming:
- The address areas for input and output data of the DP/DP coupler must be configured in HW Config.
- Both CPUs must be configured as F CPUs (the "CPU contains safety program" option must be selected).
- The password for the F CPU must be entered.

Programming procedure
1. In the safety program from which data are to be sent, call the F_SENDDP F application block for sending at the end of the F PB.
2. I
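The rules for F_SENDS7/F_RCVS7 given earlier (R_ID odd, unique in the network and not 1; ID and R_ID constants; a separate instance DB per call; no reuse of an actual parameter at an F_RCVS7 output that is an input of a receiver call) and the positions of the receive and send blocks in the F PB lend themselves to a configuration check before commissioning. The following Python example, added here and not part of the manual or of the F library, lints a constructed description of the safety programs of two F CPUs. CPU names, DB numbers, connection IDs, the operands (M10.0 etc.) and the parameter name ACK_REI are placeholders; only ID, R_ID, EN_SEND and SUBS_ON are parameter names from the text.

```python
from collections import Counter, defaultdict

RECEIVERS = {"F_RCVS7", "F_RCVDP"}
SENDERS = {"F_SENDS7", "F_SENDDP"}
DWORD_MAX = 0xFFFFFFFF


def lint_safety_comm(programs):
    """programs: {cpu: [call, ...]} with the calls in F PB order. Each call is a
    dict with block, instance_db, inputs and outputs (parameter -> actual
    parameter); F_SENDS7/F_RCVS7 calls also carry id and r_id.
    Returns a list of findings (empty when the rules from the text are met)."""
    findings = []
    pairs = defaultdict(list)      # R_ID -> [(cpu, block)]
    instance_use = Counter()       # (cpu, instance DB) -> number of calls

    for cpu, calls in programs.items():
        for pos, c in enumerate(calls):
            blk, idb = c["block"], c["instance_db"]
            instance_use[(cpu, idb)] += 1
            # Receive blocks belong at the start of the F PB, send blocks at the end.
            if blk in RECEIVERS and any(x["block"] not in RECEIVERS for x in calls[:pos]):
                findings.append(f"{cpu}: {blk} ({idb}) must be called at the start of the F PB")
            if blk in SENDERS and any(x["block"] not in SENDERS for x in calls[pos + 1:]):
                findings.append(f"{cpu}: {blk} ({idb}) must be called at the end of the F PB")
            if blk not in ("F_SENDS7", "F_RCVS7"):
                continue
            # ID and R_ID must be constants; R_ID is an odd DWORD other than 1.
            if not isinstance(c.get("id"), int):
                findings.append(f"{cpu}: {blk} ({idb}) input ID must be a constant")
            r_id = c.get("r_id")
            if not isinstance(r_id, int) or not 0 <= r_id <= DWORD_MAX:
                findings.append(f"{cpu}: {blk} ({idb}) input R_ID must be a constant of data type DWORD")
                continue
            if r_id == 1:
                findings.append(f"{cpu}: {blk} ({idb}) R_ID = 1 is internally assigned and must not be used")
            elif r_id % 2 == 0:
                findings.append(f"{cpu}: {blk} ({idb}) R_ID = {r_id} is not odd")
            pairs[r_id].append((cpu, blk))

        # An actual parameter at an F_RCVS7 output must not also be used at an
        # input of an F_RCVS7 or F_RCVDP call of the same safety program.
        receiver_inputs = {a for x in calls if x["block"] in RECEIVERS for a in x["inputs"].values()}
        for x in calls:
            if x["block"] != "F_RCVS7":
                continue
            for param, actual in x["outputs"].items():
                if actual in receiver_inputs:
                    findings.append(f"{cpu}: F_RCVS7 ({x['instance_db']}) output {param} uses {actual}, "
                                    "which is also an input of an F_RCVS7 or F_RCVDP call")

    # Each R_ID defines exactly one F_SENDS7/F_RCVS7 association in the network.
    for r_id, users in sorted(pairs.items()):
        if sorted(b for _, b in users) != ["F_RCVS7", "F_SENDS7"]:
            findings.append(f"R_ID {r_id}: expected exactly one F_SENDS7 and one F_RCVS7, found {sorted(users)}")
    # A separate instance DB is required for every call.
    for (cpu, idb), n in sorted(instance_use.items()):
        if n > 1:
            findings.append(f"{cpu}: instance DB {idb} is used by {n} calls; a separate instance DB is required")
    return findings


def mk_call(block, instance_db, inputs, outputs, conn_id=None, r_id=None):
    """Build one call description (helper for the constructed configurations)."""
    c = {"block": block, "instance_db": instance_db, "inputs": inputs, "outputs": outputs}
    if block in ("F_SENDS7", "F_RCVS7"):
        c["id"], c["r_id"] = conn_id, r_id
    return c


# Constructed configuration that follows the rules: CPU_A sends with R_ID 3 and
# receives with R_ID 5, CPU_B the other way round.
GOOD = {
    "CPU_A": [
        mk_call("F_RCVS7", "DB201", {"ACK_REI": "M10.0"}, {"SUBS_ON": "M10.1"}, conn_id=2, r_id=5),
        mk_call("F_SENDS7", "DB200", {"EN_SEND": "M0.0"}, {"SUBS_ON": "M0.1"}, conn_id=1, r_id=3),
    ],
    "CPU_B": [
        mk_call("F_RCVS7", "DB300", {"ACK_REI": "M20.0"}, {"SUBS_ON": "M20.1"}, conn_id=1, r_id=3),
        mk_call("F_SENDS7", "DB301", {"EN_SEND": "M21.0"}, {"SUBS_ON": "M21.1"}, conn_id=2, r_id=5),
    ],
}

# Constructed configuration with several violations (wrong call order, even R_ID,
# R_ID = 1 without a partner, shared instance DB, reused actual parameter).
BAD = {
    "CPU_A": [
        mk_call("F_SENDS7", "DB200", {"EN_SEND": "M0.0"}, {"SUBS_ON": "M0.1"}, conn_id=1, r_id=4),
        mk_call("F_RCVS7", "DB200", {"ACK_REI": "M10.0"}, {"SUBS_ON": "M10.0"}, conn_id=2, r_id=1),
    ],
    "CPU_B": [
        mk_call("F_RCVS7", "DB300", {"ACK_REI": "M20.0"}, {"SUBS_ON": "M20.1"}, conn_id=1, r_id=4),
    ],
}
```

lint_safety_comm(GOOD) returns no findings, while lint_safety_comm(BAD) reports eight: the call order in CPU_A, the even R_ID 4 on both CPUs, R_ID 1 in CPU_A (and its missing partner), the reused operand M10.0, and the instance DB DB200 shared by two calls.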
Access Protection, 3.4 Access Permission for the F CPU

3.4 Access Permission for the F CPU

Procedure for assigning a password for the F CPU: you assign the password for the F CPU when configuring the F CPU (see Chapter "Configuring the F CPU").

Changing the password for the F CPU: the password for the F CPU can be changed only by modifying the configuration. You must switch the F CPU to STOP mode to download the modified configuration.

Procedure for setting up an access permission for the F CPU:
1. In SIMATIC Manager, select the F CPU or its S7 program.
2. Select PLC > Access Rights > Setup. In the resulting dialog, enter the password for the F CPU that you assigned in the Protection tab when configuring the F CPU.

WARNING: If access protection is not used to limit access to the programming device or PC to only those persons who are authorized to modify the safety program, the following organizational measures must be taken to ensure the effectiveness of the password protection for the F CPU at the PG/PC:
- Only authorized personnel may have access to the password.
- Authorized personnel must explicitly cancel the access permission for the F CPU before leaving the programming device or PC. If this is not strictly implemented, a screen saver equipped with a password accessible only to authorized personnel must also be us
y F Library V1

The Distributed Safety F library V1 contains:
- F application blocks in the F-Application Blocks block container
- F system blocks and the F shared DB in the F-System Blocks block container

Note: You must not change the F library name. The Distributed Safety F library V1 can contain only those F blocks that were installed with the S7 Distributed Safety version.

F Application Blocks

Overview of F application blocks
- FB 179 F_SCA_I: Scale values of data type INT
- FB 181 F_CTU: Count up
- FB 182 F_CTD: Count down
- FB 183 F_CTUD: Count up and down
- FB 184 F_TP: Create pulse
- FB 185 F_TON: Create ON delay
- FB 186 F_TOF: Create OFF delay
- FB 187 F_ACK_OP: Fail-safe acknowledgment
- FB 188 F_2HAND: Two-hand monitoring
- FB 189 F_MUTING: Muting

F Libraries, 9.1 Distributed Safety F library V1

- FB 190 F_1oo2DI: 1oo2 evaluation with discrepancy analysis
- FB 211 F_2H_EN: Two-hand monitoring with enable
- FB 212 F_MUT_P: Parallel muting
- FB 215 F_ESTOP1: Emergency STOP up to stop category 1
- FB 216 F_FDBACK: Feedback monitoring
- FB 217 F_SFDOOR: Safety door monitoring
- FB 219 F_ACK_GL: Global ackno
y F library V1 (F_CTU, F_CTD, F_CTUD)
- Timers: fail-safe timers are implemented using F application blocks from the Distributed Safety F library V1 (F_TP, F_TON, F_TOF)
- Data blocks of the standard user program
- Data blocks (F DBs) using OPN DI
- Data blocks that were automatically added (exception: certain data in the F I/O DB and the F shared DB of the safety program)
- I/O area: inputs
- I/O area: outputs

Programming, 4.1 Overview of Programming

Boolean constants 0 and 1

If you require the Boolean constants 0 and 1 in your safety program, for example to assign parameters during block calls, you can access the VKE0 and VKE1 variables in the F shared DB using fully qualified DB access (F_GLOBDB.VKE0 or F_GLOBDB.VKE1).

Local data address area: particularities

Note: When using the local data address area, the first access to a local data element in an F PB, F FB or F FC must always be a write access; this initializes the local data element. Make sure that the initialization of the local data element is not skipped by JMP, JMPN or RET instructions (branching). Initialization of a local data bit should be performed with the Assign instruction (F FBD) or the Output Coil instruction (F LAD); assign the local data bit a signal state of 0 or 1 as a Boolean constant. Local d
y Functions in S7 Distributed Safety

Functional safety is implemented principally through safety functions in the software. Safety functions are executed by the S7 Distributed Safety system to place or maintain the system in a safe state in case of a dangerous occurrence. Safety functions are contained mainly in the following components:
- in the safety-related user program (safety program) in the F CPU
- in the fail-safe inputs and outputs (F I/O)
The fail-safe I/O ensure safe processing of field information (emergency STOP buttons, light barriers, motor control). They contain all of the hardware and software components required for safe processing in accordance with the required safety class.

The user only has to program the user safety function. The safety function for the process can be provided through a user safety function or a fault reaction function. In the event of an error, if the F system can no longer execute its actual user safety function, it executes the fault reaction function: for example, the associated outputs are deactivated and the F CPU switches to STOP mode if necessary.

Example of user safety function and fault reaction function: in the event of overpressure, the F system opens a valve (user safety function). In the event of a hazardous fault in the F CPU, all outputs are deactivated (fault reaction function), whereby the valve is opened and the other actuators also attain a safe state. If the F system is intact, only
you want to passivate the F I/O as a function of particular states of the safety program (for example, group passivation)
- for reassignment of parameters for fail-safe DP standard slaves / standard I/O devices
- if you want to evaluate whether fail-safe values or process data are being output

Variables of an F I/O DB

The following table presents the variables of an F I/O DB.

Variables that can or must be written:
- PASS_ON (BOOL, default 0): 1 = enable passivation
- ACK_NEC (BOOL, default 1): 1 = acknowledgment for reintegration required in the event of F I/O or channel faults
- ACK_REI (BOOL): 1 = acknowledgment for reintegration
- IPAR_EN (BOOL, default 0): variable for parameter reassignment of fail-safe DP standard slaves / standard I/O devices, or of SM 336; F-AI 6 x 0/4...20 mA HART for enabling HART communication

Variables that can be evaluated:
- PASS_OUT (BOOL, default 1): passivation output
- QBAD (BOOL): 1 = fail-safe values are output
- ACK_REQ (BOOL, default 0): 1 = acknowledgment required for reintegration
- IPAR_OK (BOOL, default 0): variable for parameter reassignment of fail-safe DP standard slaves / standard I/O devices, or of SM 336; F-AI 6 x 0/4...20 mA HART for enabling HART communication
- DIAG (BYTE): service information
- QBAD_I_xx (BOOL, default 1): 1 = fail-safe values are output to input channel xx
- QBAD_O_xx (BOOL, default 1): 1 = fail-safe values are output to output channel xx
For a description, see the information on PASS_OUT, QB
your DP master system or IO system.
2. Select the fail-safe DP standard slave / standard I/O device.
3. Open the object properties dialog using the Edit > Object Properties menu command or by double-clicking the slot of the F component. After opening the dialog box, you will be prompted to enter the password for the safety program, or you have to assign the password for the safety program in a separate dialog box. For information on the password for the safety program, refer to Chapter "Overview of Access Protection".

Channel-level passivation is not supported for fail-safe DP standard slaves / standard I/O devices.

PROFIsafe tab

The parameter texts specified in the GSD file are contained in the PROFIsafe tab under "Parameter name", and the current value for each parameter is found under "Value". You can modify this value using the Change Value button. The parameters are explained below.

[Figure: Properties - DP slave dialog, PROFIsafe tab, showing the parameter table with values such as No Check, SIL 3 and 3-Byte-CRC, the F_iPar_CRC parameter, the Change value button and the current F parameter CRC (CRC1) in hexadecimal: D388]

Configuration, 2.5 Configuring fail-safe DP standard slaves and fail-safe standard I/O devices

F_Check_SeqNr parameter: this parameter defines whether the sequence number