SIMATIC
Distributed I/O fail-safe engineering
ET 200pro Distributed I/O System - Fail-Safe Modules
Operating Instructions
07/2013
A5E00394073-03

Preface
1 Product Overview
2 Configuration
3 Address Assignment and Installation
4 Wiring
5 Diagnostics
6 General Technical Specifications
7 Fail-Safe Connection Modules
8 Fail-Safe Electronic Modules
A Diagnostic Data of Fail-Safe Modules
B Dimension Drawings
C Accessories and Order Numbers
D Response Times
E Switching of Loads

Legal information

Warning notice system

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are graded according to the degree of danger.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION indicates that minor personal injury can result if proper precautions are not taken.

NOTICE indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.
Qualified Personnel

The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products

Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks

All names identified by (R) are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability

We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG, Industry Sector, Postfach 48 48, 90026 NURNBERG, GERMANY
A5E00394073-03, 09/2013
Technical data subject to change
Copyright (c) Siemens AG 2005 - 2013. All rights reserved

Preface

Purpose of this Manual

The information in this manual is a reference source for operations, function descriptions, and technical specifications of the fail-safe modules of the ET 200pro distributed I/O system.
Basic Knowledge Requirements

This manual is a supplement to the ET 200pro Distributed I/O System manual. Working with this manual requires general knowledge of automation engineering. Knowledge of the STEP 7 basic software and the ET 200pro distributed I/O system is also required.

Scope of this Manual

Module | Order Number | Release Number and Higher
CM IO 16xM12 fail-safe connection module for EM 8/16 F-DI electronic module | 6ES7194-4DD00-0AA0 | 01
CM IO 12xM12 fail-safe connection module for EM 4/8 F-DI/4 F-DO electronic module | 6ES7194-4DC00-0AA0 | 01
CM F-IO 2xM12 fail-safe connection module for F-Switch PROFIsafe | 6ES7194-4DA00-0AA0 | 01
EM 8/16 F-DI DC24V PROFIsafe fail-safe digital electronic module | 6ES7148-4FA00-0AB0 | 01
EM 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe fail-safe digital electronic module | 6ES7148-4FC00-0AB0 | 01
F-Switch PROFIsafe fail-safe digital electronic module | 6ES7148-4FS00-0AB0 | 01

What's New

Compared with the previous version, this manual includes the following major changes/additions:

* F-Switch PROFIsafe digital electronic module

Approvals

See "Standards and Approvals"

In addition, ET 200pro fail-safe modules are certified for use in safety mode up to the following levels:

* Safety Integrity Level SIL3 in accordance with IEC 61508:2000
* Performance level (PL) e and category 4 in accordance with ISO 13849-1:2006 or EN ISO 13849-1:2008

CE Certification

See "Standards and Approvals"

Certification Mark for Australia (C-Tick Mark)

See "Standards and Approvals"

Standards

See "Standards and Approvals"

Position in the Information Landscape

When working with ET 200pro fail-safe modules and depending on your particular application, you will need to consult the additional documentation listed below. References to additional documentation are included in this manual where appropriate.
Documentation and brief description of relevant contents:

ET 200pro Distributed I/O System Manual
Describes all generally applicable topics for the ET 200pro hardware (including configuration, installation, and wiring of ET 200pro)

Safety Engineering in SIMATIC S7 System Description
* Provides an overview of the application, configuration, and method of operation of S7 Distributed Safety and S7 F/FH Systems fail-safe automation systems
* Contains a summary of detailed technical information concerning fail-safe engineering in S7-300 and S7-400
* Includes monitoring and response time calculations for S7 Distributed Safety and S7 F/FH Systems fail-safe systems

For integration in the S7 Distributed Safety fail-safe system
The following elements are described in the S7 Distributed Safety Configuring and Programming Operating Manual and Online Help:
* Configuration of the F-CPU and the F-I/O
* Programming of the F-CPU in F-FBD or F-LAD
Depending on which F-CPU you are using, you will need the following documentation:
* The S7-300, CPU 31xC and CPU 31x Operating Instructions: Installation describes the assembly and wiring of S7-300 systems.
* The CPU 31xC and CPU 31x, Technical Data Manual describes the standard functions of the CPU 315-2 DP and PN/DP and the CPU 317-2 DP and PN/DP.
* The Automation System S7-400 Hardware and Installation Installation Manual describes the assembly and wiring of S7-400 systems.
* The Automation System S7-400 CPU Specifications Reference Manual describes CPU 416-2.
* Each applicable F-CPU has its own product information bulletin. These product information bulletins describe only the deviations from the relevant standard CPUs.

STEP 7 manuals
* The Configuring Hardware and Communication Connections with STEP 7 V5.x Manual describes the operation of the relevant standard tools of STEP 7.
* The System Software for S7-300/400 System and Standard Functions Reference Manual describes functions for distributed I/O access and diagnostics.

STEP 7 Online Help
* Describes how to operate the standard tools of STEP 7
* Contains information about how to configure and assign parameters for modules and intelligent slaves with HW Config
* Contains a description of the FBD and LAD programming languages

PCS 7 manuals
* Describe how to operate the PCS 7 process control system (required when ET 200pro with fail-safe modules is integrated in a higher-level control system).

The entire SIMATIC S7 documentation is available on CD-ROM.

Guide

This manual describes the fail-safe modules of the ET 200pro distributed I/O system. It consists of instructional sections and reference sections (technical specifications and appendices). This manual presents the following basic aspects of fail-safe modules:

* Structure and application
* Configuring
* Addressing, installing, and wiring
* Diagnostic evaluation
* Technical Specifications
* Order numbers

Conventions

In this manual, the terms "safety engineering" and "fail-safe engineering" are used synonymously. The same applies to the terms "fail-safe" and "F-".

When "S7 Distributed Safety" appears in italics, it refers to the optional packages for the two "S7 Distributed Safety" fail-safe systems.

Recycling and Disposal

Due to the low levels of pollutants in the fail-safe modules of the ET 200pro, the modules can be recycled. For proper recycling and disposal of your old module (device), consult a certified disposal facility for electronic scrap.

Additional Support

If you have further questions about the use of products presented in this manual, contact your Siemens representative in your local office.
(http://www.siemens.com/automation/partner)

Training Center

We offer courses to help you get started with the S7 automation system. Contact your regional training center or the central training center in D 90327 Nuremberg, Federal Republic of Germany.
Internet: (http://www.sitrain.com)

H/F Competence Center

The H/F Competence Center in Nuremberg offers special workshops on SIMATIC S7 fail-safe and fault-tolerant automation systems. The H/F Competence Center can also provide assistance with onsite configuration, commissioning, and troubleshooting. For questions about workshops, etc., contact: hf-cc@siemens.com

Technical Support

Technical support for all A&D products can be obtained using the Support Request Web form on the Internet (http://www.siemens.en/automation/support-request)

You can find additional information about our Technical Support on the Internet (http://www.siemens.en/automation/service)

Service & Support on the Internet

In addition to our paper documentation, we offer our complete knowledge base on the Internet (http://www.siemens.com/automation/service&support).

There, you will find the following information:

* Newsletters providing the latest information on your products
* Relevant documentation for your application, which you can access via the search function in Service & Support
* A forum where users and experts from all over the world exchange ideas
* Your local Automation & Drives representative
* Information about local service, repair, and replacement parts and much more can be found under "Services."

Important Note for Maintaining the Operational Safety of Your System

Note
Operators of systems with safety-related characteristics are subject to special requirements for operational safety.
The supplier is also obliged to comply with special product monitoring measures. For this reason, we publish a special newsletter containing information on product developments and product properties that are important (or potentially important) for operation of systems where safety is an issue. By subscribing to the relevant newsletter, you will ensure that you are always up-to-date and able to make changes to your system, when necessary. Please go to the Internet (http://my.ad.siemens.de/myAnD/guiThemes2Select.asp?subjectID=2&lang=en) and register for the following newsletters:

* SIMATIC S7-300
* SIMATIC S7-400
* Distributed I/O
* SIMATIC Industrial Software

To receive these newsletters, select the corresponding check boxes.

See also
Standards and Approvals (Page 39)

Table of contents

Preface
1 Product Overview
1.1 ET 200pro Fail-Safe Modules
1.2 Application of ET 200pro fail-safe modules
1.3 Guide for Commissioning of ET 200pro with Fail-Safe Modules
2 Configuration
2.1 Configuration of ET 200pro with Fail-Safe Modules
2.2 Allocation of Modules of an ET 200pro
2.3 Limitation of Connectable Modules/Maximum Configuration
2.4 Configuration and Parameter Assignment
3 Address Assignment and Installation
3.1 Address Assignments in the F-CPU
3.2 Assignment of PROFIsafe Address
3.3 Installing
4 Wiring
4.1 Safe Functional Extra Low Voltage for Fail-Safe Modules
4.2 Wiring of Fail-Safe Modules
4.3 Inserting and removing fail-safe connection modules and electronic modules
4.4 Requirements for Sensors and Actuators
5 Diagnostics
5.1 Reactions to Faults
5.2 Error Diagnostics
6 General Technical Specifications
6.1 Standards and Approvals
6.2 Electromagnetic Compatibility
6.3 Transport and storage conditions
6.4 Mechanical and Climatic Environmental Conditions
6.5 Specifications for Dielectric Tests, Protection Class, Degree of Protection, and Rated Voltage
7 Fail-Safe Connection Modules
7.1 CM IO 16xM12 Fail-Safe Connection Module for EM 8/16 F-DI DC24V PROFIsafe
7.2 CM IO 12xM12 Fail-Safe Connection Module for EM 4/8 F-DI/4-DO DC24V/2A PROFIsafe
7.3 CM F-IO 2 x M12 Fail-Safe Connection Module for F-Switch PROFIsafe
8 Fail-Safe Electronic Modules
8.1 8/16 F-DI DC24V PROFIsafe Digital Electronic Module
8.1.1 Properties of 8/16 F-DI DC24V PROFIsafe Electronic Module
8.1.2 Terminal Assignment of 8/16 F-DI DC24V PROFIsafe Electronic Module
8.1.3 Block Diagram of 8/16 F-DI DC24V PROFIsafe Electronic Module
8.1.4 Parameters for the 8/16 F-DI DC24V PROFIsafe Electronic Module
8.1.5 Wiring of Inputs of 8/16 F-DI DC24V PROFIsafe Electronic Module
8.1.6 Use Case 1: Safety Mode SIL2/Category 3
8.1.7 Use Case 2: Safety Mode SIL3/Category 3
8.1.8 Use Case 3: Safety Mode SIL3/Category 4
8.1.9 Diagnostic Functions of the 8/16 F-DI DC24V PROFIsafe Electronic Module
8.1.10 Technical Specifications for the 8/16 F-DI DC24V PROFIsafe Electronic Module
8.2 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Digital Electronic Module
8.2.1 Properties of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module
8.2.2 Terminal Assignment of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module
8.2.3 Block Diagram for the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module
8.2.4 Parameters for the 4/8 F-DI/4 F-DO DC24V/2 A PROFIsafe Electronic Module
8.2.5 Wiring of Inputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module
8.2.6 Wiring of Outputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module
8.2.7 Diagnostic Functions of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module
8.2.8 Technical Specifications for the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module
8.3 F-Switch PROFIsafe Digital Electronic Module
8.3.1 Properties of the F-Switch PROFIsafe Electronic Module
8.3.2 Terminal Assignment of the F-Switch PROFIsafe Electronic Module
8.3.3 Block Diagram of the F-Switch PROFIsafe Electronic Module
8.3.4 Parameters for the F-Switch PROFIsafe Electronic Module
8.3.5 Wiring of Inputs of the F-Switch PROFIsafe Electronic Module
8.3.6 Use Case 1: Safety Mode of F-Switch PROFIsafe
8.3.7 Use Case 2: Safety Mode SIL3/Category 3
8.3.8 Use Case 3: Safety Mode SIL3/Category 4
8.3.9 Wiring of Outputs of the F-Switch PROFIsafe Electronic Module
8.3.10 Properties of the F-Switch PROFIsafe Electronic Module
8.3.11 Technical Specifications for the F-Switch PROFIsafe Electronic Module
A Diagnostic Data of Fail-Safe Modules
B Dimension Drawings
C Accessories and Order Numbers
C.1 Accessories and Order Numbers
D Response Times
D.1 Response Times
E Switching of Loads
E.1 Switching of Capacitive Loads
E.2 Switching of Inductive Loads
Glossary
Index

1 Product Overview

Overview

This chapter provides information about the following topics:

* ET 200pro distributed I/O system with fail-safe modules and its place in SIMATIC S7 fail-safe automation systems
* Components comprising the ET 200pro distributed I/O system with fail-safe modules
* The steps you must perform, ranging from selection of the F-modules to commissioning of ET 200S on PROFIBUS DP/PROFINET IO

1.1 ET 200pro Fail-Safe Modules

Fail-Safe Automation System

Fail-safe automation systems (F-systems) are used in systems with increased safety requirements. F-systems are used to control processes that can achieve a safe state immediately as a result of a shutdown. In other words, F-systems control processes where an immediate shutdown will not endanger humans or the environment.

ET 200pro Distributed I/O System

The ET 200pro distributed I/O system is a DP slave/IO device on PROFIBUS DP/PROFINET IO that can contain fail-safe modules in addition to ET 200pro standard modules. You can use copper cables to assemble the PROFIBUS DP/PROFINET IO lines.

Fail-Safe Modules

The primary difference between fail-safe modules and ET 200pro standard modules is that fail-safe modules have a two-channel internal design. The two integrated processors monitor each other, automatically test the input and output circuits and set the F-module to a safe state in the event of a fault.
The F-CPU communicates with the fail-safe module using the PROFIsafe safety-related bus profile.

* Fail-safe digital input modules record the signal states of safety-related sensors and send corresponding safety message frames to the F-CPU.
* Fail-safe digital output modules are suitable for shutdown operations with short-circuit and cross-circuit monitoring up to the actuator.
* Fail-safe switch acquires the signal states of safety-related sensors and sends corresponding safety message frames to the F-CPU and is suitable for connection of frequency converters, motors, and output modules.
* Fail-safe connection modules are mounted on the fail-safe electronic modules. They are used to connect sensors and actuators.

1.2 Application of ET 200pro fail-safe modules

Possible Applications of ET 200pro With Fail-Safe Modules

The use of ET 200pro with fail-safe modules enables conventional safety engineering designs to be replaced with PROFIBUS DP/PROFINET IO components. This includes replacement of switching devices for emergency stop, protective door monitors and two-hand operation.

Use in F-Systems

ET 200pro fail-safe modules can be used:

* In the S7 Distributed Safety F-system with the S7 Distributed Safety V 5.1 or higher and F-Configuration Pack V 5.4 or higher optional packages

The following manuals are applicable to the use of ET 200pro fail-safe modules in F-systems:

* ET 200pro Distributed I/O Device
* Safety Engineering in SIMATIC S7
* S7 Distributed Safety, Configuring and Programming

F-System with ET 200pro

The following figure presents an example configuration for an S7 Distributed Safety F-system including an ET 200pro on PROFIBUS DP/PROFINET IO.
The fail-safe DP master/IO controller exchanges safety-relevant and non-safety-relevant data, for example, with the fail-safe and standard ET 200pro modules.

Figure 1-1 S7 Distributed Safety Fail-Safe Automation System

Availability of Fail-Safe Electronic Modules

The following fail-safe electronic modules are available for ET 200pro:

* 8/16 F-DI DC24V PROFIsafe Digital Electronic Module
* 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe digital electronic module; P/M switching (current sourcing/sinking)
* F-Switch PROFIsafe digital electronic module (one F-switch per potential group allowed)

Fail-safe connection modules are available for the fail-safe electronic modules. A detailed list of these modules is included in this manual.

Application Limited to Safety Mode

You can operate standard and fail-safe modules simultaneously in an ET 200pro. Fail-safe modules can only be used in safety mode. They cannot be operated in standard mode.

Achievable Safety Classes

Fail-safe modules are equipped with integrated safety functions for safety mode. The following safety classes can be achieved by assigning applicable parameters to the safety functions in STEP 7 with the S7 Distributed Safety or S7 F/FH Systems optional package, combining certain standard and F-modules and arranging the wiring of the sensors and actuators in a specific way:

Table 1-1 Achievable Safety Classes in Safety Mode

Safety class in safety mode:
According to IEC 61508:2000 | According to ISO 13849-1:2006 or EN ISO 13849-1:2008
SIL2 | Cat. 3/PLe
SIL3 | Cat. 4/PLe

See also
Configuration of ET 200pro with Fail-Safe Modules (Page 17)

1.3 Guide for Commissioning of ET 200pro with Fail-Safe Modules

Introduction

The following table lists all important steps required for commissioning ET 200pro distributed I/O systems with fail-safe modules as DP slaves/IO devices on PROFIBUS DP/PROFINET IO.

Sequence of Steps Starting From Selection of F-Modules to Commissioning of ET 200pro

Table 1-2 Sequence of Steps Starting From Selection of F-Modules to Commissioning of ET 200pro

Step | Procedure | See ...
1. | Select F-modules for ET 200pro configuration. | Chapter "Configuration Options"
2. | Configure and assign parameters for F-modules in STEP 7. | Chapter "Configuration and Parameter Assignment" and "Fail-Safe Modules"
3. | Set PROFIsafe addresses on F-modules. | Chapter "Address Assignment and Installation"
4. | Mount ET 200pro. | Chapter "Address Assignment and Installation"
5. | Wire ET 200pro. | Chapter "Wiring and Assembly"
6. | Commission ET 200pro on PROFIBUS DP/PROFINET IO. | ET 200pro Distributed I/O Device manual
7. | If commissioning was not successful, perform diagnostics on ET 200pro. | Chapters "Diagnostics" and "Fail-Safe Modules" and ET 200pro Distributed I/O Device manual

Note
You must configure and assign parameters for the F-modules in STEP 7 prior to commissioning. Reason: STEP 7 automatically assigns the PROFIsafe addresses to the F-modules. You must set these PROFIsafe addresses on each F-module via a switch before mounting the module.

2 Configuration

2.1 Configuration of ET 200pro with Fail-Safe Modules

Introduction

You can configure ET 200pro distributed I/O systems with standard and fail-safe modules. This chapter presents an example configuration.
Configuration Example for ET 200pro with Fail-Safe Modules

The figure below presents a configuration example with standard and fail-safe modules within an ET 200pro.

Figure 2-1 Configuration Example for ET 200pro with Fail-Safe Modules

Items labeled in the figure:

* CM IM DP Direct connection module for the interface module
* Connection modules for the electronic modules
* IM 154-2 DP HIGH FEATURE (PROFIBUS DP) interface module (6ES7 154-2AA00-0AB0)
* IM 154-4 PN HIGH FEATURE (PROFINET IO) interface module (6ES7 154-4AA00-0AB0)
* Terminating module
* Heavy-gauge threaded joints for cables at the connection module

2.2 Allocation of Modules of an ET 200pro

Introduction

This chapter describes the assignment of F-electronic modules to F-connection modules for ET 200pro.

Assignment of F-Electronic Modules to F-Connection Modules

You can use the following fail-safe electronic modules and connection modules together:

Table 2-1 Assignment of F-Electronic Modules to F-Connection Modules

F-electronic modules | F-connection modules
8/16 F-DI DC24V PROFIsafe electronic module (6ES7 148-4FA00-0AB0) | CM IO 16xM12 for 8/16 F-DI electronic module (6ES7 194-4DD00-0AA0)
4/8 F-DI/4 F-DO DC24V/2A PROFIsafe electronic module (6ES7 148-4FC00-0AB0) | CM IO 12xM12 for 4/8 F-DI/4 F-DO electronic module (6ES7 194-4DC00-0AA0)
F-Switch PROFIsafe electronic module (6ES7 148-4FS00-0AB0) | CM F-IO 2xM12 for F-Switch PROFIsafe electronic module (6ES7 194-4DA00-0AA0)

See also
Properties of 8/16 F-DI DC24V PROFIsafe Electronic Module (Page 58)
Properties of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module (Page 93)
Properties of the F-Switch PROFIsafe Electronic Module (Page 113)

2.3 Limitation of Connectable Modules/Maximum Configuration

Maximum Number of Modules

PROFIBUS DP: The maximum number of modules in an ET 200pro depends on the parameter length of the modules. A total of 244 bytes per ET 200pro are possible.

PROFINET IO: A maximum installation width of 1 m must not be exceeded.

Table 2-2 Parameter Length of F-Modules in Bytes

Fail-Safe Module | Parameter length
8/16 F-DI DC24V PROFIsafe | 42 bytes
4/8 F-DI/4 F-DO DC24V/2A PROFIsafe | 34 bytes
F-Switch PROFIsafe | 26 bytes

Example for PROFIBUS DP

In the following example, modules with a total parameter length of 205 bytes were used in an ET 200pro. There are also 39 bytes available for installation of additional modules.

Number and type of modules: 1 x IM154-2 HIGH FEATURE + 2 x 8/16 F-DI + 2 x 4/8 F-DI/4 F-DO + 1 x F-Switch PROFIsafe = 6 modules
Parameter length: 27 bytes + 84 bytes + 68 bytes + 26 bytes = 205 bytes

ET 200pro: Limitation and Maximum Configuration

For information on the limitations and maximum configuration of the standard ET 200pro, refer to the ET 200pro Distributed I/O System manual.

2.4 Configuration and Parameter Assignment

Requirements

The following are required for configuring and assigning parameters for ET 200pro fail-safe modules:

* STEP 7, V 5.3 SP2 or higher; HSP 63 to 68
* S7 Distributed Safety, V 5.1 or higher
* F Configuration Pack, V 5.5 SP2 or higher

The F Configuration Pack V 5.5 SP2 is available for download on the Internet at: http://www.siemens.com/automation/service&support

Configuring

Fail-safe modules are configured in the same way as ET 200pro standard modules with STEP 7 HW Config.

Assigning Parameters for Electronic Module Properties

To assign parameters to fail-safe electronic module properties, select the module in STEP 7 HW Config and select "Edit > Object Properties".
During a download operation, the parameters are transferred from the programming device (PG) to the F-CPU and stored there. The parameters are then transferred from the F-CPU to the fail-safe module.

Parameter Description

You will find a description of assignable fail-safe electronic module parameters in this manual.

PROFIsafe Address and PROFIsafe Address Assignment

You will find a description of the PROFIsafe address and the procedure for assigning the address in this manual.

See also
* Assignment of PROFIsafe Address (Page 23)
* Parameters for the 8/16 F-DI DC24V PROFIsafe Electronic Module (Page 61)
* Parameters for the 4/8 F-DI/4 F-DO DC24V/2 A PROFIsafe Electronic Module (Page 97)
* Parameters for the F-Switch PROFIsafe Electronic Module (Page 116)

3 Address Assignment and Installation

3.1 Address Assignments in the F-CPU

Address Assignment

The fail-safe modules occupy the following address ranges in the F-CPU:
* For S7 Distributed Safety: in the process image area

Table 3-1 Address Assignment in the F-CPU

| F-module | Occupied bytes in the F-CPU: in input range | Occupied bytes in the F-CPU: in output range |
|---|---|---|
| 8/16 F-DI DC24V PROFIsafe | x + 0 to x + 7 | x + 0 to x + 3 |
| 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe | x + 0 to x + 6 | x + 0 to x + 4 |
| F-Switch PROFIsafe | x + 0 to x + 6 | x + 0 to x + 4 |

x = Module start address

Addresses Occupied by User Data

Of the assigned fail-safe module addresses in the F-CPU, the user data occupy the following:

Table 3-2 Addresses Occupied by Input User Data (occupied bits in F-CPU per F-module)

| F-module | Byte in the F-CPU | Bit 7 | Bit 6 | Bit 5 | Bit 4 | Bit 3 | Bit 2 | Bit 1 | Bit 0 |
|---|---|---|---|---|---|---|---|---|---|
| 8/16 F-DI DC24V PROFIsafe | x + 0 | Channel 7 or 0 (SIL3) | Channel 6 or 0 (SIL3) | Channel 5 or 0 (SIL3) | Channel 4 or 0 (SIL3) | Channel 3 | Channel 2 | Channel 1 | Channel 0 |
| | x + 1 | Channel 15 or 0 (SIL3) | Channel 14 or 0 (SIL3) | Channel 13 or 0 (SIL3) | Channel 12 or 0 (SIL3) | Channel 11 | Channel 10 | Channel 9 | Channel 8 |
| 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe | x + 0 | Channel 7 or 0 (SIL3) | Channel 6 or 0 (SIL3) | Channel 5 or 0 (SIL3) | Channel 4 or 0 (SIL3) | Channel 3 | Channel 2 | Channel 1 | Channel 0 |
| F-Switch PROFIsafe | x + 0 | 0 | 0 | 0 | 0 | 0 | 0 | Channel 1 | Channel 0 |

x = Module start address

Table 3-3 Addresses Occupied by Output User Data (occupied bits in F-CPU per F-module)

| F-module | Byte in the F-CPU | Bit 7 | Bit 6 | Bit 5 | Bit 4 | Bit 3 | Bit 2 | Bit 1 | Bit 0 |
|---|---|---|---|---|---|---|---|---|---|
| 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe | x + 0 | - | - | - | - | Channel 3 | Channel 2 | Channel 1 | Channel 0 |
| F-Switch PROFIsafe | x + 0 | 0 | 0 | 0 | 0 | 0 | Channel 2 | Channel 1 | Channel 0 |

x = Module start address

WARNING
You can only access addresses occupied by user data. The other addresses occupied by the F-modules are assigned for functions including safety-related communication between F-modules and the F-CPU in accordance with PROFIsafe.
In 1oo2 sensor evaluation, only the lower-value channel of the channels combined by the 1oo2 sensor evaluation can be accessed in the safety program.

Additional Information

For detailed information about F-I/O access, refer to the S7 Distributed Safety, Configuring and Programming manual.

3.2 Assignment of PROFIsafe Address

PROFIsafe Address

Each fail-safe module has its own PROFIsafe address in addition to the PROFIBUS/Industrial Ethernet address. Before installing fail-safe modules, you must set the PROFIsafe address of the F-module on each F-module.

PROFIsafe Address Assignment

The PROFIsafe addresses (F_source_address, F_destination_address) are automatically assigned when the fail-safe modules are configured in STEP 7. The F_destination_address is shown in binary format in the "DIP switch setting" parameter in the object properties for the fail-safe modules in HW Config.
You must obtain this PROFIsafe address from the parameter assignment dialog box and set it on the fail-safe modules using an address switch.

You can change the configured F_destination_address in HW Config. To prevent addressing errors, however, we recommend that you use the automatically assigned F_destination_address.

Address Switch for Setting the PROFIsafe Address

An address switch (10-pin DIP switch) is located on the electronic module. You set the PROFIsafe address (F_destination_address) of the F-module at this address switch.

Note
Fail-safe modules in ET 200pro can only be used in safety mode.

Setting the Address Switch

Make sure that the address switch is set properly before installing the F-module. PROFIsafe addresses 1 through 1022 are permitted.

The figure below illustrates an example of the switch setting for an address.

Figure 3-1 Example for Setting the Address Switch (DIP Switch) (figure not reproduced)

Note
An address switch of the smallest possible dimensions is installed for reasons of space saving. This makes it sensitive to pressure and objects with sharp edges.
Always use a suitable tool to operate the address switch. Diverse tools suitable for activating the address switch are available on the market, for example, the Grayhill DIPSTICK. A ballpoint pen may be employed if used carefully. It is imperative to avoid any burring which would prevent the switch from reaching its home position. Therefore, DO NOT use screwdrivers or knives to operate the address switch.

Rules for Address Assignment

WARNING
Observe the following rules when assigning the address:
* Make sure that the address switch setting of the F-I/O matches the PROFIsafe destination address in STEP 7 HW Config (Parameter "F_Destination_Address").
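The following Python check is an added example, not part of the Siemens manual. It combines the 244-byte PROFIBUS DP parameter budget from section 2.3 with the PROFIsafe address rules above (range 1 to 1022, switch setting must match F_destination_address, each F-module has its own address). The module dictionaries, slot numbers and sample addresses are constructed, and writing the 10-bit switch pattern most significant bit first is an assumption, since the switch figure is not reproduced here.

```python
"""Pre-commissioning check for one ET 200pro station (added example)."""

PARAM_BUDGET = 244  # bytes per ET 200pro on PROFIBUS DP (section 2.3)

# Parameter lengths from Table 2-2; the 27 bytes for the interface module
# are the value used in the manual's own PROFIBUS DP example.
PARAM_LEN = {
    "IM154-2 HIGH FEATURE": 27,
    "8/16 F-DI": 42,
    "4/8 F-DI/4 F-DO": 34,
    "F-Switch": 26,
}

F_ADDR_MIN, F_ADDR_MAX = 1, 1022  # permitted PROFIsafe addresses
DIP_BITS = 10                     # 10-pin DIP switch


def dip_pattern(addr):
    """Return the address as a 10-character binary string.

    ASSUMPTION: most significant bit first; check the bit order against the
    "DIP switch setting" parameter shown in HW Config.
    """
    if not F_ADDR_MIN <= addr <= F_ADDR_MAX:
        raise ValueError(
            f"PROFIsafe address {addr} outside {F_ADDR_MIN}..{F_ADDR_MAX}")
    return format(addr, f"0{DIP_BITS}b")


def check_station(modules):
    """Return (bytes_used, bytes_free, findings) for a list of modules.

    Each module is a dict with 'slot' and 'type'; F-modules also carry
    'f_dest' (configured F_destination_address) and 'dip' (the pattern read
    off the module). These field names are hypothetical.
    Findings are (slot, kind, detail) tuples.
    """
    findings = []
    used = 0
    for m in modules:
        if m["type"] not in PARAM_LEN:
            raise ValueError(f"no parameter length known for {m['type']!r}")
        used += PARAM_LEN[m["type"]]
    if used > PARAM_BUDGET:
        findings.append(
            (None, "budget", f"{used} bytes exceed {PARAM_BUDGET} bytes"))

    owner = {}  # address -> first slot that uses it (within this station)
    for m in modules:
        if "f_dest" not in m:
            continue  # not an F-module
        slot, addr, dip = m["slot"], m["f_dest"], m.get("dip", "")
        try:
            expected = dip_pattern(addr)
        except ValueError as exc:
            findings.append((slot, "range", str(exc)))
            continue
        if addr in owner:
            findings.append(
                (slot, "duplicate",
                 f"address {addr} already set for slot {owner[addr]}"))
        owner.setdefault(addr, slot)
        if len(dip) != DIP_BITS or set(dip) - {"0", "1"}:
            findings.append(
                (slot, "dip_format", f"unreadable switch pattern {dip!r}"))
        elif dip != expected:
            wrong = [1 << (DIP_BITS - 1 - i)
                     for i, (a, b) in enumerate(zip(expected, dip)) if a != b]
            findings.append(
                (slot, "dip_mismatch",
                 f"expected {expected} ({addr}), switch shows {dip} "
                 f"({int(dip, 2)}); differing bit values: {wrong}"))
    return used, PARAM_BUDGET - used, findings


# Constructed sample: the module mix of the manual's 205-byte example, with
# one switch set wrongly in slot 3 (bit value 4 is off).
SAMPLE_STATION = [
    {"slot": 0, "type": "IM154-2 HIGH FEATURE"},
    {"slot": 1, "type": "8/16 F-DI", "f_dest": 1022, "dip": "1111111110"},
    {"slot": 2, "type": "8/16 F-DI", "f_dest": 1021, "dip": "1111111101"},
    {"slot": 3, "type": "4/8 F-DI/4 F-DO", "f_dest": 1020, "dip": "1111111000"},
    {"slot": 4, "type": "4/8 F-DI/4 F-DO", "f_dest": 1019, "dip": "1111111011"},
    {"slot": 5, "type": "F-Switch", "f_dest": 1018, "dip": "1111111010"},
]

if __name__ == "__main__":
    used, free, findings = check_station(SAMPLE_STATION)
    print(f"{used} bytes used, {free} bytes free")
    for slot, kind, detail in findings:
        print(f"slot {slot}: {kind}: {detail}")
```

The duplicate check only covers the modules passed in; standard modules need their parameter lengths from the ET 200pro manual before they can be added to `PARAM_LEN`.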
3.3 Installing

Installing Fail-Safe Modules

Fail-safe electronic modules and connection modules are part of the ET 200pro range of modules. They are installed in the same way as standard modules in an ET 200pro.

For more information about module installation, refer to the ET 200pro Distributed I/O Device manual.

4 Wiring

WARNING
In order to prevent danger to humans or the environment, you must not under any circumstances override safety functions or implement measures that cause safety functions to be bypassed or result in the bypassing of safety functions. The manufacturer is not liable for the consequences of such manipulations or for damage resulting from a failure to heed this warning.

Overview

This chapter presents the specific characteristics involved in wiring fail-safe modules. Generally applicable information about wiring both ET 200pro with fail-safe modules and ET 200pro with standard modules can be found in the ET 200pro Distributed I/O Device manual.

4.1 Safe Functional Extra Low Voltage for Fail-Safe Modules

Safe Functional Extra Low Voltage

WARNING
Fail-safe modules must be operated with safe functional extra low voltage (SELV, PELV). This means that only a maximum voltage Um can ever be applied to these modules, even in the event of a fault. The following applies to all fail-safe modules:
Um < 60.0 V
You can find additional information about safe functional extra low voltage, for example, in the data sheets for the applicable power supplies.
All components of the system that are capable of supplying electrical energy in any form must meet this requirement.
Each additional power circuit (24 V DC) installed in the system must be operated with safe functional extra low voltage (SELV, PELV). Refer to the relevant data sheets or contact the manufacturer for information.
Note, too, that sensors and actuators with an external power supply can be connected to F-modules. In this case too, make sure that the supply voltage comes from safe functional extra low voltage. The process signal of a 24 V DC digital module must not exceed a fault voltage Um, even in the event of a fault.

WARNING
All voltage sources, for example, internal 24 V DC load voltage supplies, external 24 V DC load voltage supplies and 5 V DC bus voltage, must be electrically connected externally. This prevents voltage additions in the individual voltage sources that would cause the fault voltage Um to be exceeded, even in the event of potential differences.
Make sure that the cable cross section is sufficient for the electrical connection, in accordance with the ET 200pro configuration guidelines (see ET 200pro Distributed I/O Device manual).

Power Supply Requirements for Compliance With the NAMUR Recommendation

Note
To comply with NAMUR recommendation NE 21, IEC 61131-2 and EN 298, only power packs or power supplies (230 V AC --> 24 V DC) with a power loss ride-through of at least 20 ms can be used. The latest information about PS components can be accessed on the Internet at: https://mall.ad.siemens.com
These requirements also apply to power packs or power supplies not produced in ET 200pro or S7-300/400 designs.

4.2 Wiring of Fail-Safe Modules

Same Wiring Procedure as ET 200pro

Fail-safe electronic modules and connection modules are part of the ET 200pro range of modules. They are wired in the same way as standard modules in an ET 200pro.

For more information about wiring modules, refer to the ET 200pro Distributed I/O Device manual.

WARNING
When assigning the F-DI module signals, remember that signals should only be routed within a cable or a non-metallic sheathed cable if:
* A short circuit in the signals does not conceal a serious safety risk.
* Signals are supplied by different sensor supplies of this F-DI module.

Applicable Mounting Rails

Only racks for ET 200pro can be used for installing ET 200pro with fail-safe modules (see ET 200pro Distributed I/O Device manual).

Terminal Assignment of Connection Modules

The terminal assignment of the connection modules depends on which electronic module is inserted.

See also
* Block Diagram of 8/16 F-DI DC24V PROFIsafe Electronic Module (Page 60)
* Use Case 1: Safety Mode SIL2/Category 3 (Page 67)
* Use Case 2: Safety Mode SIL3/Category 3 (Page 70)
* Use Case 3: Safety Mode SIL3/Category 4 (Page 81)
* Wiring of Inputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module (Page 101)
* Wiring of Outputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module (Page 102)
* Block Diagram of the F-Switch PROFIsafe Electronic Module (Page 115)
* Use Case 1: Safety Mode of F-Switch PROFIsafe (Page 122)
* Use Case 2: Safety Mode SIL3/Category 3 (Page 122)
* Use Case 3: Safety Mode SIL3/Category 4 (Page 133)

4.3 Inserting and removing fail-safe connection modules and electronic modules

Inserting and Removing Modules

Fail-safe modules in ET 200pro are inserted and removed in the same way as all standard modules in an ET 200pro.

Inserting and Removing Modules During Operation

F-modules can be removed and inserted during operation in exactly the same way as standard modules in ET 200pro. Follow the instructions in the "Maintenance and Service" chapter in the ET 200pro Distributed I/O Device manual.
Note
Note that replacing fail-safe modules in ET 200pro during operation will generate a communication error in the F-CPU. You must acknowledge the communication error in your safety program (for information about F-system behavior after communication errors, fail-safe value output and user acknowledgment, refer to the S7 Distributed Safety, Configuring and Programming manual). If the communication error is not acknowledged, the user data of the F-DO modules will remain passivated (outputs at "0").

Remember to Set the PROFIsafe Address

When an F-module is replaced, make sure that the address switch (DIP switch) setting on the electronic module is the same.

See also
* Assignment of PROFIsafe Address (Page 23)

4.4 Requirements for Sensors and Actuators

General Requirements for Sensors and Actuators

Note the following important information for the safety-related use of sensors and actuators:

WARNING
Note that instrumentation with sensors and actuators bears a considerable safety responsibility. Note that sensors and actuators generally do not withstand a proof-test interval of 10 years according to the IEC 61508:2000 standard without considerable safety degradation.
The probability of dangerous faults and the rate of occurrence of dangerous faults of a safety function must adhere to an SIL-based upper limit. You will find a list of values achieved by F-modules under "Fail-Safe Performance Characteristics" in the technical specifications for the F-modules.
To achieve SIL3 (Category 4), suitably qualified sensors and actuators are necessary.

Requirements for the Duration of Sensor Signals

WARNING
Note the following requirements for sensor signals:
* In order to guarantee accurate detection of sensor signals by the F-DI/F-DO module inputs, you must ensure that the sensor signals exhibit a certain minimum duration.
* In order for pulses to be detected with certainty, the time between two signal changes (pulse duration) must be greater than the PROFIsafe monitoring time.

Reliable Detection by the F-DI/F-DO Module Inputs

The following table lists the minimum duration of the sensor signals for the F-DI module. The minimum duration depends on the parameter settings for the short-circuit test and the input delay in STEP 7.

Table 4-1 Minimum Duration of Sensor Signals for Proper Detection by an F-DI Module

| Electronic module | Short-circuit test parameter | Assigned input delay 0.5 ms | Assigned input delay 3 ms | Assigned input delay 15 ms |
|---|---|---|---|---|
| 8/16 F-DI | Disabled | 10 ms | 13 ms | 25 ms |
| | Enabled | 10 ms | 18 ms | 56 ms |
| 4/8 F-DI/4 F-DO | Disabled | 11 ms | 13 ms | 25 ms |
| | Enabled | 11 ms | 20 ms | 57 ms |
| F-Switch PROFIsafe | Disabled | - | 14 ms | - |
| | Enabled | - | 27 ms | - |

Reliable Detection By the Safety Program in the F-CPU

For information about the times for proper detection of sensor signals in the safety program, refer to "Fail-Safe Modules" in the Safety Engineering in SIMATIC S7 system description.

Additional Requirements for Sensors

General rule: A single-channel sensor is sufficient to achieve SIL2/Category 3. However, the sensors must be connected using two channels in order to achieve SIL3/Category 4.

To achieve SIL2/Category 3 with a single-channel sensor, however, the sensor itself must be SIL2/Category 3-capable; otherwise the sensors must be connected using two channels in order to achieve this safety level.

Additional Requirements for Actuators

Fail-safe output modules test the outputs at regular intervals. For this purpose, the F-module briefly switches off enabled outputs. The test pulses have the following duration:
* Dark period < 1 ms

Fast-acting actuators can drop out briefly during the test. If your process does not tolerate this, you must use actuators with a sufficient lag (> 1 ms).

WARNING
If the actuators are operated at voltages greater than 24 V DC (for example, 230 V DC) or if the actuators switch higher voltages, safe isolation must be ensured between the outputs of a fail-safe output module and the components conducting the higher voltage (in accordance with EN 50178).
This is generally the case for relays and contactors. Particular attention must be paid to this requirement for semiconductor switching devices.

See also
* Assignment of PROFIsafe Address (Page 23)
* Technical Specifications for the 8/16 F-DI DC24V PROFIsafe Electronic Module (Page 89)
* Technical Specifications for the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module (Page 108)
* Technical Specifications for the F-Switch PROFIsafe Electronic Module (Page 144)

5 Diagnostics

5.1 Reactions to Faults

Safe State (Safety Concept)

The basic principle behind the safety concept is the existence of a safe state for all process variables.

Note
For digital F-modules, this safe state is the value "0". This applies to both sensors and actuators.

Reactions to Faults and F-System Startup

The safety function requires the use of fail-safe values (safe state) instead of process data (passivation of the fail-safe module) in the following situations:
* When the F-system starts up
* In the event of errors during safety-related communication between the F-CPU and F-module via the PROFIsafe safety protocol (communication error)
* In the event of F-I/O or channel faults (e.g., wire break, short circuit, discrepancy error)

Detected faults are written to the diagnostic buffer of the F-CPU and communicated to the safety program in the F-CPU.

F-modules cannot store faults retentively. When the system is powered down and then restarted, any faults still existing are detected again during startup.
However, you have the option of saving faults in your safety program.

WARNING
For channels that you have set to "disabled" in STEP 7, no diagnostic response or error handling is triggered when a channel fault occurs, not even when such a channel is affected indirectly by a channel group ("Channel enabled/disabled" parameter).

Fail-Safe Value Output for Fail-Safe Modules

In the case of F-DI modules, if channels are passivated, the F-system provides fail-safe values for the safety program instead of the process data pending at the fail-safe inputs:
* For F-DI modules, this is always the fail-safe value (0).

In the case of F-DO modules, if channels are passivated, the F-system transfers fail-safe values (0) to the fail-safe outputs instead of the output values provided by the safety program. The output channels are set to the zero current and zero voltage state. This also applies when the F-CPU switches to STOP mode. It is not possible to assign fail-safe values.

Depending on which F-system you are using and the type of fault that occurred (F-I/O fault, channel fault or communication error), fail-safe values are used either for the relevant channel only or for all channels of the relevant fail-safe module.

In S7 Distributed Safety F-systems up to V 5.3, when a channel fault occurs the entire F-module is passivated (in S7 Distributed Safety V 5.4 and higher, the entire module or, alternatively, selected channel(s) are passivated).

Reintegration of a Fail-Safe Module

Switchover from fail-safe values to process data (reintegration of an F-module) occurs automatically or, alternatively, after user acknowledgment in the safety program. If channel faults occur, it may be necessary to remove and reinsert the F-module. A detailed listing of faults requiring removal and insertion of the F-module can be found in:
* the "Diagnostic Messages of 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module, Causes of Faults and Corrective Actions" tables for "8/16 F-DI DC24V PROFIsafe" to "4/8 F-DI/4 F-DO DC24V/2A PROFIsafe"
* the "Diagnostic Messages of F-Switch PROFIsafe Electronic Module, Causes of Faults and Corrective Actions" tables for "F-Switch PROFIsafe"

After reintegration:
* In the case of a fail-safe DI module, the process data pending at the fail-safe inputs are provided to the safety program
* In the case of a fail-safe DO module, the output values provided in the safety program are again transferred to the fail-safe outputs

Additional Information About Passivation and Reintegration

For additional information about passivation and reintegration of F-I/O, refer to the S7 Distributed Safety, Configuring and Programming manual.

Behavior of the F-DI Module When a Communication Error Occurs

The F-DI module responds differently to a communication error than to other faults or errors.

If a communication error occurs, the current process data remain set at the inputs of the F-DI module; the channels are not passivated. The current process data are sent to the F-CPU and are passivated there.
See also
* Properties of 8/16 F-DI DC24V PROFIsafe Electronic Module (Page 58)
* Diagnostic Functions of the 8/16 F-DI DC24V PROFIsafe Electronic Module (Page 86)
* Properties of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module (Page 93)
* Diagnostic Functions of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module (Page 105)
* Properties of the F-Switch PROFIsafe Electronic Module (Page 113)
* Properties of the F-Switch PROFIsafe Electronic Module (Page 141)

5.2 Error Diagnostics

Purpose of Diagnostics

Diagnostics are used to determine whether fail-safe modules are detecting signals without errors. Diagnostic information is assigned either to one channel or to the entire F-module.

Diagnostic Functions Are Not Safety-Critical

None of the diagnostic functions (displays and messages) are safety-critical. Consequently, they are not implemented as safety-related features, i.e., they are not tested internally.

Diagnostic Options for Fail-Safe Modules in ET 200pro

The following diagnostic options are available for fail-safe modules:
* LED display on the module front panel
* Diagnostic functions of F-modules

Non-Assignable Diagnostic Functions

Fail-safe electronic modules provide non-assignable diagnostic functions. This means that diagnostics are always enabled and are automatically made available by the F-module in STEP 7 and forwarded to the F-CPU in the event of an error.

Assignable Diagnostic Functions

You can assign (enable) certain diagnostic functions as parameters in STEP 7:
* Short-circuit monitoring for the F-DI module
* Wire break detection for the F-DO module
* Short-circuit monitoring for the F-Switch PROFIsafe

WARNING
Diagnostic functions should be enabled or disabled in accordance with the application.

Diagnostics Using LED Display

Every fail-safe connection module indicates faults via its channel LED and SF LED (group fault LED).

The channel LED and SF LED turn red as soon as a diagnostic function is triggered by the F-module. The LEDs go out once all faults have been eliminated. The SF LED flashes until you acknowledge passivation following a module fault.

Slave Diagnostics

Slave diagnostics comply with IEC 61784-1 Ed3 CP 3/1. The fail-safe electronic modules support slave diagnostics in exactly the same way as standard ET 200pro modules. For information about the universal structure of the slave diagnostics for ET 200pro and the fail-safe modules, refer to the ET 200pro Distributed I/O Device manual.

A supplementary description of channel-specific diagnostics for fail-safe modules appears below.

Channel-Specific Diagnostics

As with ET 200pro, there are three bytes available for each channel-specific diagnosis starting at byte 19. A maximum of 10 channel-specific diagnostic messages are possible per distributed I/O device.

Channel-specific diagnostics for fail-safe modules are structured as follows:

Figure 5-1 Structure of Channel-Specific Diagnostics (figure not reproduced)

Note
Channel-specific diagnostics are always updated as far as the current diagnostic function in the diagnostic frame. Subsequent, older diagnostic functions are not deleted.
Remedy: Evaluate the valid current length of the diagnostic frame in STEP 7 using the RET_VAL parameter of SFC 13.

Possible Fault Types of Fail-Safe Modules

The following table lists the fault types of channel-specific diagnostics. You can obtain detailed diagnostic information via HW Diagnostics in STEP 7.
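The following Python decoder is an added example, not part of the Siemens manual. It reads the channel-specific diagnostic entries of a slave diagnostic frame up to the length reported by RET_VAL of SFC 13, so that older entries left behind in the buffer are ignored, and names the fault using the fault-type codes of Table 5-1. Because Figure 5-1 is not reproduced here, the bit layout of the three bytes is assumed to be the standard PROFIBUS DP channel-related diagnosis format and byte numbering is assumed to start at 0; the sample frame is constructed.

```python
"""Decode channel-specific diagnostics of a slave diagnostic frame."""
from dataclasses import dataclass

CHANNEL_DIAG_OFFSET = 19  # manual: channel-specific diagnostics start at byte 19
ENTRY_SIZE = 3            # manual: three bytes per channel-specific diagnosis
MAX_ENTRIES = 10          # manual: at most 10 messages per distributed I/O device

# Fault types from Table 5-1 (5-bit code -> diagnostic function in STEP 7).
FAULT_TYPES = {
    0b00001: "Short circuit",
    0b00100: "Overload",
    0b00101: "Overtemperature",
    0b00110: "Open circuit",
    0b01001: "Fault",
    0b10000: "Parameter assignment error",
    0b10001: "Sensor voltage or load voltage is missing",
    0b10011: "Communication error",
    0b11001: "Safety-related shutdown",
}

# ASSUMPTION (standard PROFIBUS DP channel-related diagnosis):
#   byte 0: bits 7..6 = 10b, bits 5..0 = slot (module identifier)
#   byte 1: bits 7..6 = I/O type, bits 5..0 = channel number
#   byte 2: bits 7..5 = channel type, bits 4..0 = fault type
IO_TYPES = {0b01: "input", 0b10: "output", 0b11: "input/output"}


@dataclass(frozen=True)
class ChannelDiag:
    offset: int      # position of the entry in the frame
    slot: int
    io_type: str
    channel: int
    fault_code: int
    fault: str


def decode_channel_diagnostics(frame, ret_val):
    """Return the current channel-specific entries of `frame`.

    `ret_val` is the valid frame length in bytes as returned by SFC 13.
    Bytes beyond it may hold older entries and are never parsed.
    """
    if ret_val < 0:
        raise ValueError(f"RET_VAL {ret_val} is an error code, not a length")
    if ret_val > len(frame):
        raise ValueError("RET_VAL exceeds the size of the supplied buffer")

    current = frame[CHANNEL_DIAG_OFFSET:ret_val]
    entries = []
    # Step through complete 3-byte entries only; a truncated tail is ignored.
    for i in range(0, len(current) - ENTRY_SIZE + 1, ENTRY_SIZE):
        if len(entries) == MAX_ENTRIES:
            break
        b0, b1, b2 = current[i:i + ENTRY_SIZE]
        offset = CHANNEL_DIAG_OFFSET + i
        if b0 >> 6 != 0b10:
            raise ValueError(f"byte {offset}: not a channel-specific entry")
        code = b2 & 0x1F
        entries.append(ChannelDiag(
            offset=offset,
            slot=b0 & 0x3F,
            io_type=IO_TYPES.get(b1 >> 6, "unspecified"),
            channel=b1 & 0x3F,
            fault_code=code,
            fault=FAULT_TYPES.get(code, f"unknown fault type {code}"),
        ))
    return entries


# Constructed sample: 19 placeholder header bytes, two current entries and
# one older entry that was left in the buffer by an earlier, longer frame.
SAMPLE_FRAME = bytes(19) + bytes([
    0x83, 0x42, 0x21,  # slot 3, input channel 2, fault type 1
    0x84, 0x80, 0x26,  # slot 4, output channel 0, fault type 6
    0x85, 0x41, 0x33,  # older entry: slot 5, input channel 1, fault type 19
])
SAMPLE_RET_VAL = 25    # 19 header bytes + 2 current entries

if __name__ == "__main__":
    for d in decode_channel_diagnostics(SAMPLE_FRAME, SAMPLE_RET_VAL):
        print(f"byte {d.offset}: slot {d.slot} {d.io_type} "
              f"channel {d.channel}: {d.fault} ({d.fault_code})")
```

Parsing the same buffer with its full size instead of RET_VAL would report the older communication error as if it were current.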
Table 5-1 Fault Types of Channel-Specific Diagnostics

| Fault type | Diagnostic function in STEP 7 | F-module | Special meaning for F-modules |
|---|---|---|---|
| 00001B (1D) | Short circuit | All | Short circuit to L+ on the unconnected sensor wire; Short circuit to L+ sensor supply; Ground short circuit or defective sensor supply; Internal fault in the read circuit/test circuit |
| | | 4/8 F-DI/4 F-DO | P output driver defective; Short circuit of output to L+ or output driver; M output driver defective; Short circuit of output to M or output driver |
| | | F-Switch | Output driver overcurrent; P output driver defective; Short circuit of output to L+ or output driver; Short circuit of output to M or output driver |
| 00100B (4D) | Overload | 4/8 F-DI/4 F-DO | Output driver overcurrent |
| 00101B (5D) | Overtemperature | All | - |
| 00110B (6D) | Open circuit | 4/8 F-DI/4 F-DO | Wire break |
| 01001B (9D) | Fault | All | RAM error; EPROM error; Processor failure (expected DIP switch value/actual DIP switch value); Internal fault in the read circuit/test circuit |
| 10000B (16D) | Parameter assignment error | All | Parameter assignment error |
| 10001B (17D) | Sensor voltage or load voltage is missing | All | Module-internal supply voltage |
| | | 4/8 F-DI/4 F-DO, F-Switch | Load voltage is defective or not connected |
| 10011B (19D) | Communication error | All | Cyclic redundancy check (CRC) error in data message frame; Monitoring time for data message frame exceeded |
| 11001B (25D) | Safety-related shutdown | All | Discrepancy error |
| | | 4/8 F-DI/4 F-DO, F-Switch | Switching frequency too high |

Behavior of F-Modules When a Module Failure Occurs

In the event of a fatal internal fault in the F-module resulting in failure of the F-module, the following occurs:
* The connection to the backplane bus is interrupted and the fail-safe inputs and outputs are passivated.
* Diagnostics are not issued by the F-module and the standard "Module Fault" diagnostics message is issued.
* The SF LED of the relevant F-module illuminates.

Specific Information About Diagnostic Functions

All module-specific diagnostic functions, possible causes, and corrective actions are described in "8/16 F-DI DC24V PROFIsafe", "4/8 F-DI/4 F-DO DC24V/2A PROFIsafe" to "F-Switch PROFIsafe". The status and diagnostic functions indicated by LEDs on the front panel of each F-module are also presented in these sections.

Reading Out Diagnostic Functions

You can have the cause of a fault displayed in the module diagnostics in STEP 7 (see STEP 7 online help).

You can read out diagnostic functions (slave diagnostics) by means of SFC 13 in the standard user program (see System and Standard Functions reference manual).

See also
* Diagnostic Functions of the 8/16 F-DI DC24V PROFIsafe Electronic Module (Page 86)
* Diagnostic Functions of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module (Page 105)
* Properties of the F-Switch PROFIsafe Electronic Module (Page 141)

6 General Technical Specifications

Overview

This chapter presents the following information about fail-safe modules:
* Information about the most important standards and approvals
* Information about the general technical specifications

General Technical Specifications

The general technical specifications include the standards and test values met by the fail-safe modules when used in an ET 200pro as well as the criteria used to test the fail-safe modules. The transport and storage requirements for the fail-safe modules and the prescribed environmental conditions are also included.
6.1 Standards and Approvals

CE Certification

The ET 200pro fail-safe modules meet the requirements and protection targets of the following EC Directives and comply with the harmonized European Standards (EN) for programmable logic controllers published in the Official Journal of the European Communities:
* 2006/42/EC "Machinery Directive"
* 73/23/EEC "Electrical Equipment for Use within Fixed Voltage Ranges" (Low-Voltage Directive)
* 89/336/EEC "Electromagnetic Compatibility" (EMC Directive)

The EC declarations of conformity are kept available for the responsible authorities at:

Siemens Aktiengesellschaft
Bereich Automatisierungstechnik
A&D AS RD ST Type Test
Postfach 1963
D-92209 Amberg, Germany

UL/CSA Approval

Underwriters Laboratories Inc., in accordance with
* UL 508 (Industrial Control Equipment)
* CSA C22.2 No. 142 (Process Control Equipment)

Note
The nameplate of the specific module indicates the currently valid approvals.

Certification Mark for Australia

The fail-safe modules of the ET 200pro satisfy the requirements of AS/NZS 2064 (Class A).

IEC 61131

The fail-safe modules of the ET 200pro satisfy the requirements and criteria of IEC 61131-2 (Programmable Controllers - Part 2: Equipment Requirements and Tests).

PROFIBUS/Industrial Ethernet Standard

The ET 200pro distributed I/O device is based on the IEC 61784-1 standard.
ET 200pro Distributed I/O System - Fail-Safe Modules 40 Operating Instructions, 07/2013, A5E00394073-03 General Technical Specifications 6.1 Standards and Approvals Marine approval Submitted to the following classification organizations ABS (American Bureau of Shipping) BV (Bureau Veritas) DNV (Det Norske Veritas) GL (Germanischer Lloyd) LRS (Lloyds Register of Shipping) Class NK (Nippon Kaiji Kyokai) Use in Industrial Environment SIMATIC products are designed for use in industrial environments. Area of Application Industry Requirement for Emitted Interference Interference Immunity EN 61000-6-4 EN 61000-6-2 Use in Residential Areas If you are using the ET 200pro in residential areas, you must ensure compliance with limit class B for emission of radio interference in accordance with EN 61000-6-4. Suitable measures for achieving a limit class B radio interference level are: Installation of the ET 200pro in grounded control cabinets/control boxes Use of filters in supply lines ET 200pro Distributed I/O System - Fail-Safe Modules Operating Instructions, 07/2013, A5E00394073-03 41 General Technical Specifications 6.1 Standards and Approvals TUV Certificate and Standards Fail-safe modules are certified to the following standards. Refer to the report accompanying the TUV certificate for the current version/edition of the standard. Standard/Directive Designation Standards/Directives for Functional Safety IEC 61508:2000 prEN 50159-1 and 2 Standards/Directives for Process Engineering VDI/VDE 2180-1 to 5 NE 31 ISA S 84.01 Standards/Directives Machine Safety IEC 62061 98/37/EC EN 60204-1 Standards/Directives for Burner Management Systems DIN VDE 0116, Clause 8.7 prEN 50156-1 EN 230, Clause 7.3 EN 298, Clauses. 
7.3, 8, 9, and 10 DIN V ENV 1954 (stop to position) Additional Standards/Guidelines DIN VDE 0110-1 DIN VDE 0160 93/68/EEC 92/31/EEC and 93/68/EEC DIN EN 55011 (stop to position) EN 50081-2 (stop to position) EN 61000-6-2 DIN EN 61131-2 The current TUV certificate report is available for downloading on the Internet at https://support.automation.siemens.com under "Product Support". Requesting TUV Certificate You can request copies of the TUV certificate and the accompanying report at the following address: Siemens Aktiengesellschaft Bereich Automatisierungstechnik A&D AS RD ST Type Test Postfach 1963 D-92209 Amberg, Germany ET 200pro Distributed I/O System - Fail-Safe Modules 42 Operating Instructions, 07/2013, A5E00394073-03 General Technical Specifications 6.2 Electromagnetic Compatibility 6.2 Electromagnetic Compatibility Introduction This chapter presents information about the interference immunity of fail-safe modules and information about RFI suppression. Definition of EMC Electromagnetic compatibility is the ability of an electrical device to function satisfactorily in its electromagnetic environment without interfering with that environment. The fail-safe modules meet the requirements of the European Union's EMC law, for example. This requires that the ET 200pro Distributed I/O System meets the specifications and directives concerning electrical installation. Pulse-Shaped Interference The following table shows the electromagnetic compatibility of the fail-safe modules relative to pulse-shaped interference. 
Pulse-shaped interference | Tested with | Degree of severity
Electrostatic discharge in accordance with IEC 61000-4-2 (DIN VDE 0843 Part 2) | 8 kV (air discharge) | 3
 | 6 kV (contact discharge) | 3
Burst pulses (rapid transient interference) in accordance with IEC 61000-4-4 (DIN VDE 0843 Part 4) | 2 kV (supply line) | 3
 | 2 kV (signal line) | 4
Surge in accordance with IEC 61000-4-5 (DIN VDE 0839 Part 10). Degrees of severity 2 and 3 require an external protective circuit (see section further down). | |
Asymmetrical connection | 1 kV (supply line); 1 kV (signal line/data line) | 2
 | 2 kV (supply line) | 3
Symmetrical connection | 0.5 kV (supply line); 0.5 kV (signal line/data line) | 2
 | 1 kV (supply line); 1 kV (signal line/data line) | 3

Protecting the ET 200pro With Fail-Safe Modules Against Overvoltages

If your equipment makes protection against overvoltage necessary, we recommend that you use an external protective circuit (surge filter) between the load voltage supply and the load voltage input of the terminal modules to ensure surge immunity for the ET 200pro with fail-safe modules.

Note
Lightning protection measures always require a case-by-case examination of the entire system. Virtually complete protection against overvoltages, however, can only be achieved if the entire building surrounding the system has been designed for protection against overvoltages. In particular, this involves structural measures in the building design phase. Therefore, for detailed information regarding protection against overvoltages, we recommend that you contact your Siemens representative or a company specializing in lightning protection.

The following figure illustrates an example configuration with ET 200pro F-modules and standard modules. You can also use fewer power supplies.
However, you must ensure that the total current of the modules fed from one power supply does not exceed the permissible limits. For additional information about surge protection for standard modules, see the ET 200pro Distributed I/O System Manual.

Figure 6-1 Example Configuration with F Modules and Standard Modules of ET200pro

Note
Note for Installation in Accordance with EN928
You must disable the "Load voltage failure diagnostics" for the head-end of the ET 200pro-F.

Sinusoidal Interference

HF radiation: Tested in accordance with IEC 61000-4-3, "Radiated Electromagnetic Field Requirements"
- Standard test:
  - from 80 MHz through 1 GHz, tested at 10 V/m and 20 V/m; 80 % AM (1 kHz)
  - from 1.4 GHz through 2.7 GHz, tested at 10 V/m; 80 % AM (1 kHz)
- GSM/ISM/UMTS field interferences of different frequencies (Standard: EN 298: 2004, IEC 61326-3-1 (draft))

HF interference on signal and data lines: Tested in accordance with IEC 61000-4-6, "Testing and measurement techniques - Immunity to conducted disturbances induced by radio-frequency fields"
- Standard test:
  - RF band, asymmetrical, amplitude modulated: from 0.15 MHz through 80 MHz, tested at 10 V and 20 V rms; 80 % AM (1 kHz)
- ISM interferences of different frequencies (Standard: EN 298: 2004, IEC 61326-3-1 (draft))

Emission of Radio Interference

Interference transmission of electromagnetic fields in accordance with EN 61000-6-4: Limit class A, group 1 (measured at a distance of 10 m).
Frequency | Emitted Interference
Between 30 MHz and 230 MHz | < 40 dB (µV/m) Q
Between 230 MHz and 1,000 MHz | < 47 dB (µV/m) Q

Interference transmission via supply AC input in accordance with EN 61000-6-4: Limit class A, group 1.

Frequency | Emitted Interference
Between 0.15 MHz and 0.5 MHz | < 79 dB (µV) Q, < 66 dB (µV) M
Between 0.5 MHz and 5 MHz | < 73 dB (µV) Q, < 60 dB (µV) M
Between 5 MHz and 30 MHz | < 73 dB (µV) Q, < 60 dB (µV) M

6.3 Transport and storage conditions

Requirements for Fail-Safe Modules

Fail-safe modules surpass the requirements for transport and storage conditions defined in IEC 61131, Part 2. The following specifications apply to fail-safe modules that are transported and stored in the original packaging.

Type of condition | Permissible range
Free fall | 1 m
Temperature | From -25 °C to +70 °C
Temperature change | 20 K/h
Air pressure | From 1080 hPa to 660 hPa (corresponds to an altitude of -1000 m to 3500 m)
Relative humidity | From 5% to 95%, without condensation

6.4 Mechanical and Climatic Environmental Conditions

Climatic environmental conditions

The following climatic environmental conditions are applicable:

Environmental Conditions | Areas of Application | Comments
Temperature | From -25 °C to 55 °C | All mounting positions
Temperature change | 10 K/h |
Relative humidity | From 5% to a maximum of 100% | With condensation
Air pressure | From 1080 hPa to 795 hPa | Corresponds to an altitude of -1000 m to 2000 m
Pollutant concentration | SO2: < 0.5 ppm; relative humidity < 60%, no condensation | Test: 10 ppm; 4 days
 | H2S: < 0.1 ppm; relative humidity < 60%, no condensation | Test: 1 ppm; 4 days

Mechanical Environmental Conditions

The requirements for mechanical environmental conditions are presented in the following table in the form of sinusoidal vibrations.

Frequency range | Constant | Intermittent
5 ≤ f ≤ 8 Hz | 0.35 mm amplitude | 0.75 mm amplitude
8 ≤ f ≤ 150 Hz | 5 g constant acceleration | 10 g constant acceleration

Testing for Mechanical Environmental Conditions

The following table provides information on the type and scope of tests for mechanical environmental conditions.

Condition | Test Standard | Terminal and Electronic Modules
Vibrations | Vibration test in accordance with IEC 60068-2-6 | Type of vibration: frequency sweeps with a sweep rate of 1 octave/minute. 5 Hz ≤ f ≤ 8 Hz, constant amplitude of 0.75 mm; 8 Hz ≤ f ≤ 150 Hz, constant acceleration of 10 g. Duration of vibration: 10 frequency sweeps per axis in each of the 3 perpendicular axes
Shock | Shock, tested in accordance with IEC 60068-2-27 | Type of shock: half sine. Force of shock: 30 g peak value, 18 ms duration. Direction of shock: 3 shocks each in +/- direction in each of the 3 perpendicular axes
Repetitive shock | Shock, tested in accordance with IEC 60068-29 | Type of shock: half sine. Force of shock: 25 g peak value, 6 ms duration. Direction of shock: 1000 shocks each in +/- direction in each of the three perpendicular axes

Reduction of Vibrations

If fail-safe modules are subjected to greater shocks or vibrations, you must take appropriate measures to reduce acceleration and amplitude.

We recommend that you mount the ET 200pro on damping material (e.g., on a rubber-metal vibration damper).
6.5 Specifications for Dielectric Tests, Protection Class, Degree of Protection, and Rated Voltage

Test Voltage

Dielectric strength is proven during the type test with the following test voltage in accordance with IEC 61131-2:

Circuits with rated voltage Ue to other circuits or to ground | Test voltage
50 V | 500 V DC
150 V | 2,500 V DC
250 V | 4,000 V DC

Pollution Degree/Overvoltage Category in Accordance With IEC 61131

- Pollution degree 2
- Overvoltage category
  - At Ur = 24 V DC: II

Degree of Protection IP65

Degree of protection in accordance with IEC 529:
- Protection against the ingress of dust and full protection against physical contact
- Water projected by a nozzle against the enclosure from any direction shall have no harmful effect.

Degrees of Protection IP66 and IP67

Degree of protection in accordance with IEC 529:
- Protection against the ingress of dust and full protection against physical contact
- IP66: Water from heavy seas or water projected in powerful jets shall not enter the enclosure in harmful quantities.
- IP67: Protection against water when enclosure is immersed at specified pressures over a specified time period (water must not enter the enclosure in any harmful amount)

Rated Voltage for Operation

The ET 200pro distributed I/O device operates at the following rated voltage and corresponding tolerance.
Rated voltage | Tolerance range
24 V DC | 20.4 V DC to 28.8 V DC

7 Fail-Safe Connection Modules

7.1 CM IO 16xM12 Fail-Safe Connection Module for EM 8/16 F-DI DC24V PROFIsafe

Order Number

6ES7 194-4DD00-0AA0

Properties

The CM IO 16 x M12 connection module has the following properties:
- Can be plugged in and screwed to the electronic module
- 16 M12 circular socket connectors
- 16 labels and one module label

Terminal assignment

The terminal assignment depends on which electronic module is being used.

Terminal | Designation
X1 | 1. M12 circular socket connector
X2 | 2. M12 circular socket connector
X3 | 3. M12 circular socket connector
X4 | 4. M12 circular socket connector
X5 | 5. M12 circular socket connector
X6 | 6. M12 circular socket connector
X7 | 7. M12 circular socket connector
X8 | 8. M12 circular socket connector
X9 | 9. M12 circular socket connector
X10 | 10. M12 circular socket connector
X11 | 11. M12 circular socket connector
X12 | 12. M12 circular socket connector
X13 | 13. M12 circular socket connector
X14 | 14. M12 circular socket connector
X15 | 15. M12 circular socket connector
X16 | 16. M12 circular socket connector

Block Diagram

The following figure presents the block diagram of the CM IO 16 x M12 connection module.
Figure 7-1 Block Diagram of CM IO 16xM12 Connection Module

Technical specifications

Dimensions and Weight
Dimensions W x H x D (mm) | 90 x 130 x 39
Weight | 505 g

See also
- Properties of 8/16 F-DI DC24V PROFIsafe Electronic Module
- Block Diagram of 8/16 F-DI DC24V PROFIsafe Electronic Module

7.2 CM IO 12xM12 Fail-Safe Connection Module for EM 4/8 F-DI/4-DO DC24V/2A PROFIsafe

Order Number

6ES7 194-4DC00-0AA0

Properties

The CM IO 12 x M12 connection module has the following properties:
- Can be plugged in and screwed to the electronic module
- 12 M12 circular socket connectors
- 12 labels and one module label

Terminal assignment

The terminal assignment depends on which electronic module is being used.

Terminal | Designation
X1 | 1. M12 circular socket connector
X2 | 2. M12 circular socket connector
X3 | 3. M12 circular socket connector
X4 | 4. M12 circular socket connector
X5 | 5. M12 circular socket connector
X6 | 6. M12 circular socket connector
X7 | 7. M12 circular socket connector
X8 | 8. M12 circular socket connector
X9 | 9. M12 circular socket connector
X10 | 10. M12 circular socket connector
X11 | 11. M12 circular socket connector
X12 | 12. M12 circular socket connector

Block Diagram

The following figure presents the block diagram of the CM IO 12 x M12 connection module.
Figure 7-2 Block Diagram of CM IO 12xM12 Connection Module

Technical specifications

Dimensions and Weight
Dimensions W x H x D (mm) | 90 x 130 x 39
Weight | 18.70 oz

See also
- Properties of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module
- Block Diagram for the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

7.3 CM F-IO 2 x M12 Fail-Safe Connection Module for F-Switch PROFIsafe

Order Number

6ES7 194-4DA00-0AA0

Properties

The CM F-IO 2xM12 connection module has the following properties:
- Can be plugged in and screwed to the electronic module
- 2 M12 circular socket connectors
- 2 labels and one module label

Terminal Assignment

The terminal assignment is shown in the following table.

Terminal | Designation
X1 | 1. M12 circular socket connector
X2 | 2. M12 circular socket connector

Block Diagram

The following figure presents the block diagram of the CM F-IO 2xM12 connection module.

Figure 7-3 Block Diagram of CM F-IO 2xM12 Connection Module

Technical Specifications

Dimensions and Weight
Dimensions W x H x D in [mm] | 45 x 130 x 40
Weight | 310 g

See also
- Properties of the F-Switch PROFIsafe Electronic Module
- Block Diagram of the F-Switch PROFIsafe Electronic Module

8 Fail-Safe Electronic Modules

Overview

Fail-safe digital modules are available for connecting digital sensors or encoders and actuators or loads to ET 200pro.
This chapter provides the following information for each fail-safe module:
- Properties and specific characteristics
- Front view, terminal assignment for connection modules and block diagram
- Wiring diagram and assignable parameters
- Diagnostic functions, including corrective actions
- Technical specifications

WARNING
The fail-safe performance characteristics in the technical specifications are applicable to a proof-test interval of 10 years and a mean time to repair of 100 hours.

Description of Applicable Electronic Modules and Connection Modules

The applicable standard electronic modules and standard connection modules are described in the ET 200pro Distributed I/O Device manual.

8.1 8/16 F-DI DC24V PROFIsafe Digital Electronic Module

8.1.1 Properties of 8/16 F-DI DC24V PROFIsafe Electronic Module

Order Number

6ES7 148-4FA00-0AB0

Properties

The F-Switch electronic module has the following properties:
- 16 inputs (SIL2/Category 3) or 8 inputs (SIL3/Category 3 or Category 4)
- 24 V DC rated input voltage
- Suitable for switches and 3- or 4-wire proximity switches (BEROs)
- Four short-circuit-proof sensor supplies for each of the four inputs
- External sensor supply possible
- Group fault display (SF; red LED)
- Fault LED for each sensor supply (Vs1F to Vs4F) is mapped to VsF LED and the associated channels
- Status and fault LEDs for each input (two-color green/red LED)
- Identification data (see ET 200pro Distributed I/O System Standard Manual)
- Assignable diagnostics
- Can only be operated in safety mode

8.1.2 Terminal Assignment of 8/16 F-DI DC24V PROFIsafe Electronic Module

Terminal Assignment on CM IO 16xM12 Connection Module

The following table presents the terminal assignment of the 8/16 F-DI DC24V PROFIsafe electronic module on the CM IO 16xM12 connection module. Sockets X1 to X4 and X9 to X12 are assigned twice. This enables you to implement a 1oo2 evaluation with one connecting cable, e.g., channels 0 and 4 at connector X1. The functional ground (FG) is located on the shield.

Table 8-1 Terminal Assignment on the CM IO 16xM12 Connection Module for 8/16 F-DI DC24V PROFIsafe

Terminal 1:
- Connectors X1 to X4: 24 V sensor supply 1 (Vs1) (2)
- Connectors X5 to X8: 24 V sensor supply 2 (Vs2) (2)
- Connectors X9 to X12: 24 V sensor supply 3 (Vs3) (2)
- Connectors X13 to X16: 24 V sensor supply 4 (Vs4) (2)

Terminal 2, input signal:
- Connector X1: Channel 4 (3)
- Connector X2: Channel 5 (3)
- Connector X3: Channel 6 (3)
- Connector X4: Channel 7 (3)
- Connectors X5 to X8: Not assigned
- Connector X9: Channel 12 (3)
- Connector X10: Channel 13 (3)
- Connector X11: Channel 14 (3)
- Connector X12: Channel 15 (3)
- Connectors X13 to X16: Not assigned

Terminal 3: Sensor supply ground (1M)

Terminal 4, input signal:
- Connector X1: Channel 0
- Connector X2: Channel 1
- Connector X3: Channel 2
- Connector X4: Channel 3
- Connector X5: Channel 4
- Connector X6: Channel 5
- Connector X7: Channel 6
- Connector X8: Channel 7
- Connector X9: Channel 8
- Connector X10: Channel 9
- Connector X11: Channel 10
- Connector X12: Channel 11
- Connector X13: Channel 12
- Connector X14: Channel 13
- Connector X15: Channel 14
- Connector X16: Channel 15

Terminal 5:
- Connectors X1 to X4: 24 V sensor supply 2 (Vs2) (3)
- Connectors X5 to X8: Not assigned
- Connectors X9 to X12: 24 V sensor supply 4 (Vs4) (3)
- Connectors X13 to X16: Not assigned

(1) 3-, 4- or 5-core copper cable
(2) Made available by the ET 200pro for the connected sensor
(3) Relevant only in the case of 1oo2 evaluation via a connecting cable

8.1.3 Block Diagram of 8/16 F-DI DC24V PROFIsafe Electronic Module

Block Diagram

Figure 8-1 Block Diagram of 8/16 F-DI DC24V PROFIsafe Electronic Module

8.1.4 Parameters for the 8/16 F-DI DC24V PROFIsafe Electronic Module

Parameters in STEP 7

The following table presents the parameters that can be assigned to the 8/16 F-DI DC24V PROFIsafe electronic module.

Table 8-2 Parameters for the 8/16 F-DI DC24V PROFIsafe Electronic Module

Parameters | Range | Default | Type of parameter | Range of effectiveness
F-parameters: | | | |
F_destination_address | 1 to 1022 | Assigned by STEP 7 | Static | Module
F-monitoring time | 10 to 10000 ms | 150 ms | Static | Module
Module Parameters: | | | |
Input delay | 0.5; 3; 15 ms | 3 ms | Static | Module
Short-circuit test | Cyclic/Disable | Cyclic | Static | Module
Behavior after channel faults* | Passivate the entire module/Passivate the channel | Passivate the entire module | Static | Module
Channel n, n+4 | Enabled/disabled | Enabled | Static | Channel group
Evaluation of the sensors | 1oo2 evaluation/1oo1 evaluation | 1oo2 evaluation | Static | Channel group
Type of sensor interconnection | 1-channel; 2-channel equivalent; 2-channel nonequivalent | 2-channel equivalent | Static | Channel group
Behavior at discrepancy | Provide last valid value; Provide value 0 | Provide last valid value | Static | Channel group
Discrepancy time | 10 to 30000 ms | 10 ms | Static | Channel group
Reintegration after discrepancy error | Test of 0-signal not required/Test of 0-signal required | Test of 0-signal not required | Static | Channel group

* This setting is only relevant when the S7 Distributed Safety V 5.4 or higher optional package is installed.
Short-Circuit Test Parameter

The cyclic short-circuit test is enabled and disabled using the short-circuit test parameter.

The short-circuit test is only useful for simple switches that do not have their own power supply.

If the short-circuit test has been enabled, the internal sensor supplies must be used (see also "Use Cases of the 8/16 F-DI DC24V PROFIsafe Electronic Module").

Behavior at Discrepancy Parameter

As the "behavior at discrepancy" you assign the value that is made available to the safety program in the F-CPU while there is a discrepancy between the two input channels involved, i.e., during the discrepancy time. You assign the behavior at discrepancy as follows:
- "Provide last valid value", or
- "Provide value 0"

Requirements

You have assigned the following:
- Evaluation of the sensors: "1oo2 evaluation"

"Provide last valid value"

The last valid value (old value) before discrepancy occurs is made available to the safety program in the F-CPU as soon as a discrepancy is detected between the two relevant input channel signals. This value is supplied until the discrepancy disappears or until the discrepancy time expires and a discrepancy error is detected. The sensor-actuator response time is extended by an amount equal to this time.

As a result, where fast reactions are required, the discrepancy time of sensors connected via two channels must be set to a short value. It makes no sense, for example, for a time-critical shutdown to be triggered by sensors connected via two channels with a discrepancy time of 500 ms. In the worst case, the sensor-actuator response time is extended by an amount approximately equal to the discrepancy time. For this reason, position the sensors in the process in such a way as to minimize discrepancy.
Then select the shortest possible discrepancy time that includes a sufficient cushion against false tripping of discrepancy errors.

"Provide value 0"

The value "0" is made available to the safety program in the F-CPU as soon as a discrepancy is detected between the signals of the two relevant input channels.

If you specified "Provide value 0", the sensor-actuator response time will not be affected by the discrepancy time.

Discrepancy Time Parameter

Here, you can specify the discrepancy time for each channel pair. The entered value is rounded to a multiple of 10 ms.

Requirements

You have assigned the following:
- Evaluation of the sensors: "1oo2 evaluation" and
- Type of sensor interconnection: "2-channel equivalent" or "2-channel nonequivalent"

Discrepancy Analysis and Discrepancy Time

If you are using one two-channel sensor, one nonequivalent sensor or two single-channel sensors that are measuring the same physical process variable, the sensors will respond with a time delay due to the limited accuracy of their arrangement.

The discrepancy analysis for equivalence/nonequivalence is used with fail-safe inputs to detect faults based on the timing of two signals with the same functionality. Discrepancy analysis is initiated when different levels (when testing for nonequivalence: same voltage levels) are detected at two associated input signals. A test is conducted to determine whether the difference in levels (when testing for nonequivalence: the consistency) has disappeared within a programmable period known as the discrepancy time. If not, a discrepancy error exists.

In most cases, the discrepancy time starts but does not elapse completely, since the signal differences disappear after a short time.
Select a discrepancy time of sufficient length so that in case of no error, the difference between the two signals (when checking for nonequivalence: the consistency) has definitely disappeared before the discrepancy time expires.

Behavior While Discrepancy Time is Running

While the assigned discrepancy time is running internally on the module, either the last valid value or "0" is made available to the safety program in the F-CPU by the relevant input channels, depending on the parameter assignment for the behavior at discrepancy.

Behavior After Discrepancy Time Elapses

If the input signals are not equivalent following expiration of the specified discrepancy time (when checking for nonequivalence: no inequality), for example due to wire break at a sensor line, the system detects a discrepancy error and generates a "discrepancy" diagnostic message in the diagnostic buffer of the F-I/O module to identify the faulty channels.

Reintegration After Discrepancy Error Parameter

This parameter is used to specify when a discrepancy error is regarded as eliminated and, thus, when the relevant input channels can be reintegrated. The following can be assigned:
- "Test of 0-signal required" or
- "Test of 0-signal not required"

Requirements

You have assigned the following:
- Evaluation of the sensors: "1oo2 evaluation"

"Test of 0-signal required"

If you assigned "Test of 0-signal required", a discrepancy error is regarded as eliminated once a 0-signal is present again at both of the relevant input channels.

If you are using nonequivalent sensors, i.e., the "Type of sensor interconnection" is set to "2-channel nonequivalent", a 0-signal must be present again at the channel supplying the wanted signal.
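The discrepancy parameters of this section ("Behavior at discrepancy", "Discrepancy time", "Reintegration after discrepancy error") can be modelled as a small state machine to see their effect on response time and false tripping. The following Python sketch is an added example, not Siemens code or module firmware; the 10 ms sampling tick, the value 0 supplied while a discrepancy error is pending, reintegration without acknowledgment, channel a as the wanted-signal channel, and all sample traces are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

STEP_MS = 10  # assumed simulation tick, matching the 10 ms granularity of the parameter


@dataclass
class Pair1oo2:
    """One 1oo2 channel pair, e.g. DI 0 (channel a) and DI 4 (channel b)."""
    discrepancy_time_ms: int = 10
    provide_last_valid: bool = True    # False models "Provide value 0"
    zero_test_required: bool = False   # True models "Test of 0-signal required"
    nonequivalent: bool = False        # True models "2-channel nonequivalent"
    last_valid: int = 0
    elapsed_ms: Optional[int] = None   # None: discrepancy timer not running
    error: bool = False

    def __post_init__(self) -> None:
        t = self.discrepancy_time_ms
        # The module rounds the entered value; this sketch just insists on a multiple.
        if not 10 <= t <= 30000 or t % STEP_MS:
            raise ValueError("use a multiple of 10 ms between 10 and 30000 ms")

    def _discrepant(self, a: int, b: int) -> bool:
        # Equivalent sensors must agree; nonequivalent sensors must differ.
        return a == b if self.nonequivalent else a != b

    def _eliminated(self, a: int, b: int) -> bool:
        if not self.zero_test_required:
            return not self._discrepant(a, b)
        # Assumption: channel a supplies the wanted signal of a nonequivalent pair.
        return a == 0 if self.nonequivalent else (a == 0 and b == 0)

    def step(self, a: int, b: int) -> Tuple[int, bool]:
        """Process one sample; return (value for the safety program, error flag)."""
        if self.error:
            if not self._eliminated(a, b):
                return 0, True      # assumption: a faulted pair supplies 0
            self.error = False      # assumption: no acknowledgment step is modelled
        if not self._discrepant(a, b):
            self.elapsed_ms = None
            self.last_valid = a
            return a, False
        # Discrepancy present: start the timer or let it run on.
        self.elapsed_ms = 0 if self.elapsed_ms is None else self.elapsed_ms + STEP_MS
        if self.elapsed_ms >= self.discrepancy_time_ms:
            self.error, self.elapsed_ms = True, None
            return 0, True
        return (self.last_valid if self.provide_last_valid else 0), False


def run(pair: Pair1oo2, trace: List[Tuple[int, int]]) -> List[Tuple[int, bool]]:
    return [pair.step(a, b) for a, b in trace]


def delay_to_zero_ms(pair: Pair1oo2, trace, drop_tick: int) -> Optional[int]:
    """Time between channel a dropping to 0 and the safety program first seeing 0."""
    for tick, (value, _) in enumerate(run(pair, trace)):
        if tick >= drop_tick and value == 0:
            return (tick - drop_tick) * STEP_MS
    return None


# Constructed traces of (channel a, channel b) samples, one sample per 10 ms tick.
STUCK_B = [(1, 1)] * 5 + [(0, 1)] * 60                 # a opens at tick 5, b stuck at 1
SKEWED = [(1, 1)] * 5 + [(0, 1)] * 3 + [(0, 0)] * 5    # b follows a after 30 ms
REINTEGRATE = STUCK_B + [(1, 1), (1, 1), (0, 0), (1, 1)]

if __name__ == "__main__":
    print("last valid value:", delay_to_zero_ms(Pair1oo2(500), STUCK_B, 5), "ms")
    print("value 0:", delay_to_zero_ms(Pair1oo2(500, provide_last_valid=False), STUCK_B, 5), "ms")
    print("false trip at 10 ms:", any(e for _, e in run(Pair1oo2(10), SKEWED)))
    print("false trip at 100 ms:", any(e for _, e in run(Pair1oo2(100), SKEWED)))
```

With a 500 ms discrepancy time, "Provide last valid value" delays the 0 seen by the safety program by the full 500 ms when one channel is stuck, while a 10 ms setting trips on the harmless 30 ms contact skew.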
For information about which F-module channels supply the wanted signals, refer to the manual for the F-module you are using.

"Test of 0-signal not required"

If you assigned "Test of 0-signal not required", a discrepancy error is regarded as eliminated once the discrepancy at the two relevant input channels disappears.

F-modules in SIMATIC S7 for which the "Reintegration after discrepancy error" parameter is not available also exhibit this behavior.

8.1.5 Wiring of Inputs of 8/16 F-DI DC24V PROFIsafe Electronic Module

Note
The following sections on wiring options and specific STEP 7 parameters (use cases) apply to the 8/16 F-DI and the inputs of the 4/8 F-DI/4 F-DO.

Use Case Selection

The following figure provides information to help you select the use case that corresponds to your fail-safe requirements. The following sections provide instructions on wiring the F-module and identify the parameters you must assign in STEP 7 for each use case.

Figure 8-2 Use Case Selection

WARNING
The achievable Safety Integrity Level is determined by the sensor quality and the length of the proof-test interval according to the IEC 61508:2000 standard. If the sensor quality does not meet Safety Integrity Level requirements, always use the sensor in redundant operation and connect it via two channels.

Conditions for Achieving SIL/Category

The conditions for achieving the respective safety requirements are presented in the following table.
Table 8-3 F-DI Modules: Conditions for Achieving SIL/Category

Use case | Sensors | Evaluation of the sensors | Sensor supply | Achievable SIL/Category
1 | 1-channel | 1oo1 | Internal, with short-circuit test; Internal, without short-circuit test; External | 2/3
2.1 | 1-channel | 1oo2 | Internal, with short-circuit test; Internal, without short-circuit test; External | 3/3
2.2 | 2-channel equivalent | 1oo2 | Internal, without short-circuit test |
2.3 | 2-channel nonequivalent | 1oo2 | Internal, without short-circuit test |
3.1 | 2-channel equivalent | 1oo2 | Internal, with short-circuit test |
3.2 | 2-channel nonequivalent | | |
External External 3/4

Note
You can operate the various inputs of an F-DI module simultaneously in SIL2/Category 3 and SIL3/Category 3 or 4. You only have to connect the inputs and assign parameters as shown in the following sections.

Sensor Requirements

Please note the information in "Requirements for Sensors and Actuators" when using sensors for safety-related applications.

8.1.6 Use Case 1: Safety Mode SIL2/Category 3

Sensor Supply

The sensors can be powered internally or externally.

Table 8-4 Use Case 1: Assignment of Sensor Supply to Input Channels

8/16 F-DI DC24V PROFIsafe:
- Input channels DI 0 to DI 3: Sensor supply Vs1
- Input channels DI 4 to DI 7: Sensor supply Vs2
- Input channels DI 8 to DI 11: Sensor supply Vs3
- Input channels DI 12 to DI 15: Sensor supply Vs4

4/8 F-DI/4 F-DO DC24V/2A PROFIsafe:
- Input channels DI 0 to DI 3: Sensor supply Vs1
- Input channels DI 4 to DI 7: Sensor supply Vs2

Wiring Diagram for Use Case 1 - Connecting One Sensor Via One Channel

One sensor is connected via one channel for each process signal (1oo1 evaluation).

The wiring is carried out at the appropriate connection module. The figures below illustrate an example wiring diagram for channel groups 1 and 2.
Figure 8-3 Wiring Diagram for F-DI Modules - One Sensor Connected Via One Channel, Internal Sensor Supply

Figure 8-4 Wiring Diagram for F-DI Modules - One Sensor Connected Via One Channel, External Sensor Supply

Assignable Parameters for Use Case 1

Set the "Evaluation of the sensors" parameter to "1oo1 evaluation" for the respective input.

You can enable or disable the "Short-circuit test" parameter. However, you must disable the short-circuit test as soon as at least one fail-safe digital input is externally supplied. Otherwise, the "Short circuit" diagnostic is reported.

Specific Characteristics for Fault Detection (Use Case 1)

The following table summarizes fault detection according to the sensor supply and the parameter assignment for the short-circuit test:

Table 8-5 F-DI Modules: Fault Detection (Use Case 1)

Fault detection in case of ...

Example of fault | Internal sensor supply and short-circuit test enabled | Internal sensor supply and short-circuit test disabled | External sensor supply
Short circuit of DI 0 with DI 1 | No | No | No
Short circuit of DI 0 with DI 4 | Yes* | No | No
P-short circuit of DI 0 | Yes | No | No
M-short circuit of DI 0 | Yes* | Yes* | No
Discrepancy error | - | - | -
P-short circuit of Vs1 | Yes | No | No
M-short circuit of Vs1, or Vs2 defective | Yes | Yes | Yes
Short circuit of Vs1 with Vs2 | Yes | No | No
Fault in read/test circuit | Yes | Yes | Yes
Supply voltage fault | Yes | Yes | Yes

*: Fault is detected only in case of signal corruption. That is, the signal read differs from the sensor signal.
If there is no signal corruption relative to the sensor signal, fault detection is not possible and is not required from a safety standpoint.

8.1.7 Use Case 2: Safety Mode SIL3/Category 3

Assigning Inputs to Each Other

The F-DI modules have 2, 8, or 16 fail-safe inputs (SIL2). A pair of these inputs can be used as one input (SIL3). The following assignments apply in this case:

Table 8-6 Use Case 2: Assignment of Input Channels to Each Other

8/16 F-DI DC24V PROFIsafe:
- Input channels DI 0 and DI 4
- Input channels DI 1 and DI 5
- Input channels DI 2 and DI 6
- Input channels DI 3 and DI 7
- Input channels DI 8 and DI 12
- Input channels DI 9 and DI 13
- Input channels DI 10 and DI 14
- Input channels DI 11 and DI 15

4/8 F-DI/4 F-DO DC24V/2A PROFIsafe:
- Input channels DI 0 and DI 4
- Input channels DI 1 and DI 5
- Input channels DI 2 and DI 6
- Input channels DI 3 and DI 7

Sensor Supply

The sensor supply can be provided internally or externally.

Table 8-7 Use Case 2: Assignment of Sensor Supply to Inputs

8/16 F-DI DC24V PROFIsafe | 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe
Input channels DI 0 to DI 3: Sensor supply Vs1 | Input channels DI 0 to DI 3: Sensor supply Vs1
Input channels DI 4 to DI 7: Sensor supply Vs2 | Input channels DI 4 to DI 7: Sensor supply Vs2
Input channels DI 8 to DI 11: Sensor supply Vs3 |
Input channels DI 12 to DI 15: Sensor supply Vs4 |

Wiring Diagram for Use Case 2.1 - Connecting One Sensor Via One Channel to Two Inputs

One sensor is connected via one channel to two inputs of the F-module for each process signal (1oo2 evaluation).
Note
If the voltage is supplied to the sensor from the F-DI module, you must use the internal sensor supply Vs1. Connection to Vs2 is not possible.

The wiring is carried out at the appropriate connection module. The figures below illustrate an example wiring diagram for channel groups 1 and 2.

Figure 8-5 Wiring Diagram for F-DI Modules - One Sensor Connected Via One Channel to Two Inputs, Internal Sensor Supply

Figure 8-6 Wiring Diagram for F-DI Modules - One Sensor Connected Via One Channel to Two Inputs, External Sensor Supply

WARNING
In order to achieve SIL3/Category 3 with this wiring, you must install a suitably qualified sensor, for example, in accordance with IEC 60947.

Assignable Parameters for Use Case 2.1

Set the "Evaluation of the sensors" parameter to "1oo2 evaluation" and the "Type of sensor interconnection" parameter to "1-channel" for the relevant input. The discrepancy time is permanently preset to 10 ms and cannot be changed. You can enable or disable the "Short-circuit test" parameter. However, you must disable the short-circuit test as soon as at least one fail-safe digital input is externally supplied. Otherwise, the "Short circuit" diagnostic is reported.

Specific Characteristics for Fault Detection (Use Case 2.1)

The following table summarizes fault detection according to the sensor supply and the parameter assignment for the short-circuit test:

Table 8-8 8/16 F-DI DC24V PROFIsafe Electronic Module: Fault Detection (Use Case 2.1)

Fault detection in case of ...
Example of fault | Internal sensor supply and short-circuit test enabled | Internal sensor supply and short-circuit test disabled | External sensor supply
Short circuit of DI 0 with DI 1 | No | No | No
Short circuit of DI 0 with DI 5 | No | No | No
P-short circuit of DI 0 | Yes | No | No
M-short circuit of DI 0 | Yes* | Yes* | No
Discrepancy error | Yes | Yes | Yes
P-short circuit of Vs1 | Yes | No | No
M-short circuit of Vs1, or Vs2 defective | Yes | Yes | Yes
Short circuit of Vs1 with Vs2 | Yes | No | No
Fault in read/test circuit | Yes | Yes | Yes
Supply voltage fault | Yes | Yes | Yes

*: Fault is detected only in case of signal corruption. That is, the signal read differs from the sensor signal (discrepancy error). If there is no signal corruption relative to the sensor signal, fault detection is not possible and is not required from a safety standpoint.

Wiring Diagram for Use Case 2.2 - Connecting One Two-Channel Sensor Via Two Channels

One two-channel sensor is connected via two channels to two inputs of the F-module for each process signal (1oo2 evaluation). The wiring is carried out at the appropriate connection module. The figures below illustrate an example wiring diagram for channel groups 1 and 2.

Figure 8-7 Wiring Diagram for F-DI Modules - One Two-Channel Sensor Connected, Internal Sensor Supply

Figure 8-8 Wiring Diagram for F-DI Modules - One Two-Channel Sensor Connected Via Two Channels, External Sensor Supply

Wiring Diagram for Use Case 2.2 - Connecting Two One-Channel Sensors Via Two Channels

Two single-channel sensors are connected via two channels to two inputs of the F-module for each process signal (1oo2 evaluation).
The sensors can also be supplied via an external sensor supply. The figure below illustrates an example wiring diagram for channel groups 1 and 2.

Figure 8-9 Wiring Diagram for F-DI Modules - Two One-Channel Sensors Connected Via Two Channels, Internal Sensor Supply

WARNING
In order to achieve SIL3/Category 3 with this wiring, you must install a suitably qualified sensor, for example, in accordance with IEC 60947.

Assignable Parameters for Use Case 2.2

Set the "Evaluation of the sensors" parameter to "1oo2 evaluation" and the "Type of sensor interconnection" parameter to "2-channel equivalent" for the relevant input. Disable the "Short-circuit test" parameter.

Specific Characteristics for Fault Detection (Use Case 2.2)

The following table presents fault detection according to the sensor supply and the parameter assignment for the short-circuit test:

Table 8-9 F-DI Modules: Fault Detection (Use Case 2.2)

Fault detection in case of ...
Example of fault | Internal sensor supply and short-circuit test disabled | External sensor supply
Short circuit of DI 0 with DI 1 | Yes* | Yes*
Short circuit of DI 0 with DI 4 | No | No
Short circuit of DI 0 with DI 5 | Yes* | Yes*
P-short circuit of DI 0 | Yes* | Yes*
M-short circuit of DI 0 | Yes* | Yes*
Discrepancy error | Yes | Yes
P-short circuit of Vs1 | No | No
M-short circuit of Vs1, or Vs2 defective | Yes | Yes
Short circuit of Vs1 with Vs2 | No | No
Fault in read/test circuit | Yes | Yes
Supply voltage fault | Yes | Yes

*: Fault is detected only in case of signal corruption. That is, the signal read differs from the sensor signal (discrepancy error). If there is no signal corruption relative to the sensor signal, fault detection is not possible and is not required from a safety standpoint.
Wiring Diagram for Use Case 2.3 - Connecting One Nonequivalent Sensor Via Two Channels Nonequivalently

One nonequivalent sensor is connected nonequivalently via two channels to two inputs of the F-module for each process signal (1oo2 evaluation). The left channels on the F-module (DI 0 to DI 2, DI 0 to DI 3, or DI 8 to DI 11) supply the wanted signals. If no faults are detected, these signals will be available in the I/O area for inputs in the F-CPU.

Note
If the voltage is supplied to the sensor from the F-DI module, you must use the internal sensor supply Vs1 (or Vs3). Connection to Vs2 (or Vs4) is not possible.

The wiring is carried out at the appropriate connection module. The figures below illustrate an example wiring diagram for channel groups 1 and 2.

Figure 8-10 Wiring Diagram for F-DI Modules - One Nonequivalent Sensor Connected Nonequivalently Via Two Channels, Internal Sensor Supply

Figure 8-11 Wiring Diagram for F-DI Modules - One Nonequivalent Sensor Connected Nonequivalently Via Two Channels, External Sensor Supply

Wiring Diagram for Use Case 2.3 - Connecting Two One-Channel Sensors Nonequivalently Via Two Channels

Two one-channel sensors are connected nonequivalently via two channels to two inputs of the F-I/O module for each process signal (1oo2 evaluation). The left channels on the F-module (DI 0 to DI 2, DI 0 to DI 3, or DI 8 to DI 11) supply the wanted signals.
If no faults are detected, these signals will be available in the I/O area for inputs in the F-CPU. The sensors can also be supplied via an external sensor supply. The figure below illustrates an example wiring diagram for channel groups 1 and 2.

Figure 8-12 Wiring Diagram for F-DI Modules - Two One-Channel Sensors Connected Nonequivalently Via Two Channels, Internal Sensor Supply

WARNING
In order to achieve SIL3/Category 3 with this wiring, you must install a suitably qualified sensor, for example, in accordance with IEC 60947.

Assignable Parameters for Use Case 2.3

Set the "Evaluation of the sensors" parameter to "1oo2 evaluation" and the "Type of sensor interconnection" parameter to "2-channel nonequivalent" for the relevant input. Disable the "Short-circuit test" parameter.

Specific Characteristics for Fault Detection (Use Case 2.3)

The following table summarizes fault detection according to the sensor supply and the parameter assignment for the short-circuit test:

Table 8-10 F-DI Modules: Fault Detection (Use Case 2.3)

Fault detection in case of ...
Example of fault | Internal sensor supply and short-circuit test disabled | External sensor supply
Short circuit of DI 0 with DI 1 | Yes* | Yes*
Short circuit of DI 0 with DI 4 | Yes | Yes
Short circuit of DI 0 with DI 5 | Yes* | Yes*
P-short circuit of DI 0 | Yes* | Yes*
M-short circuit of DI 0 | Yes* | Yes*
Discrepancy error | Yes | Yes
P-short circuit of Vs1 | No | No
M-short circuit of Vs1, or Vs2 defective | Yes | Yes
Short circuit of Vs1 with Vs2 | No | No
Fault in read/test circuit | Yes | Yes
Supply voltage fault | Yes | Yes

*: Fault is detected only in case of signal corruption. That is, the signal read differs from the sensor signal (discrepancy error).
If there is no signal corruption relative to the sensor signal, fault detection is not possible and is not required from a safety standpoint.

8.1.8 Use Case 3: Safety Mode SIL3/Category 4

Assigning Inputs to Each Other

The F-DI modules have 2, 8, or 16 fail-safe inputs (SIL2). A pair of these inputs can be used as one input (SIL3). The following assignments apply in this case:

Table 8-11 Use Case 3: Assignment of Input Channels to Each Other

8/16 F-DI DC24V PROFIsafe:
* Input channel DI 0 and DI 4
* Input channel DI 1 and DI 5
* Input channel DI 2 and DI 6
* Input channel DI 3 and DI 7
* Input channel DI 8 and DI 12
* Input channel DI 9 and DI 13
* Input channel DI 10 and DI 14
* Input channel DI 11 and DI 15

4/8 F-DI/4 F-DO DC24V/2A PROFIsafe:
* Input channel DI 0 and DI 4
* Input channel DI 1 and DI 5
* Input channel DI 2 and DI 6
* Input channel DI 3 and DI 7

Sensor supply

The sensor must be supplied internally.

Table 8-12 Use Case 2: Assignment of Sensor Supply to Inputs

8/16 F-DI DC24V PROFIsafe | 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe
Input channels DI 0 to DI 3: Sensor supply Vs1 | Input channels DI 0 to DI 3: Sensor supply Vs1
Input channels DI 4 to DI 7: Sensor supply Vs2 | Input channels DI 4 to DI 7: Sensor supply Vs2
Input channels DI 8 to DI 11: Sensor supply Vs3 |
Input channels DI 12 to DI 15: Sensor supply Vs4 |

Wiring Diagram for Use Case 3.1 - Connecting One Two-Channel Sensor Via Two Channels

One two-channel sensor is connected via two channels to two inputs of the F-module for each process signal (1oo2 evaluation). The wiring is carried out at the appropriate connection module.
The figure below illustrates an example wiring diagram for channel groups 1 and 2.

Figure 8-13 Wiring Diagram for F-DI Modules - One Two-Channel Sensor Connected Via Two Channels, Internal Sensor Supply

Alternatively, two one-channel sensors can be connected via two channels (see Figure "Wiring Diagram for F-DI Modules - Two One-Channel Sensors Connected Via Two Channels, Internal Sensor Supply"). In this case, the same process variable is measured with mechanically separated sensors.

WARNING
In order to achieve SIL3/Category 4 with this wiring, you must install a suitably qualified sensor, for example, in accordance with IEC 60947.

Assignable Parameters for Use Case 3.1

Set the "Evaluation of the sensors" parameter to "1oo2 evaluation" and the "Type of sensor interconnection" parameter to "2-channel equivalent" for the relevant input. Enable the "Short-circuit test" parameter.

Wiring Diagram for Use Case 3.2 - Connecting One Nonequivalent Sensor Via Two Channels Nonequivalently

Eight process signals can be connected to an 8/16 F-DI DC24V PROFIsafe electronic module, 4 process signals to a 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe electronic module, and 2 process signals to an F-Switch PROFIsafe. One sensor is connected nonequivalently via two channels to two inputs of the F-module for each process signal (1oo2 evaluation). The left channels on the F-module (DI 0 to DI 3 or DI 8 to DI 11) supply the wanted signals. If no faults are detected, these signals will be available in the I/O area for inputs in the F-CPU.

Note
You must use internal sensor supply Vs1 (or Vs3) to supply voltage to the sensor. Connection to Vs2 (or Vs4) is not possible.

The wiring is carried out at the appropriate connection module. The figure below illustrates an example wiring diagram for channel groups 1 and 2.
Figure 8-14 Wiring Diagram for F-DI Modules - One Nonequivalent Sensor Connected Nonequivalently Via Two Channels, Internal Sensor Supply

Alternatively, two one-channel sensors can be connected nonequivalently via two channels (see Figure "Wiring Diagram for F-DI Modules - Two One-Channel Sensors Connected Nonequivalently Via Two Channels, Internal Sensor Supply"). In this case, the same process variable is measured with mechanically separated sensors.

WARNING
In order to achieve SIL3/Category 4 with this wiring, you must install a suitably qualified sensor, for example, in accordance with IEC 60947.

Assignable Parameters for Use Case 3.2

Set the "Evaluation of the sensors" parameter to "1oo2 evaluation" and the "Type of sensor interconnection" parameter to "2-channel nonequivalent" for the relevant input. Enable the "Short-circuit test" parameter.

Specific Characteristics for Fault Detection (Use Cases 3.1 and 3.2)

The following table presents fault detection according to the sensor supply and the parameter assignment for the short-circuit test:

Table 8-13 F-DI Modules: Fault Detection (Use Cases 3.1 and 3.2)

Fault detection with internal sensor supply and enabled short-circuit test for ...
Example of fault | Sensor 2-channel equivalent | Sensor 2-channel nonequivalent
Short circuit of DI 0 with DI 1 | Yes* | Yes*
Short circuit of DI 0 with DI 4 | Yes* | Yes
Short circuit of DI 0 with DI 5 | Yes* | Yes*
P-short circuit of DI 0 | Yes | Yes
M-short circuit of DI 0 | Yes* | Yes*
Discrepancy error | Yes | Yes
P-short circuit of Vs1 | Yes | Yes
M-short circuit of Vs1, or Vs2 defective | Yes | Yes
Short circuit of Vs1 with Vs2 | Yes | Yes
Fault in read/test circuit | Yes | Yes
Supply voltage fault | Yes | Yes

*: Fault is detected only in case of signal corruption.
That is, the signal read differs from the sensor signal (discrepancy error). If there is no signal corruption relative to the sensor signal, fault detection is not possible and is not required from a safety standpoint.

Requirements for Machine Protection Applications With Category 4

The following requirements apply to machine protection applications with Category 4:
* State-of-the-art wiring must be used between the sensors and the automation system or between the automation system and the actuators to prevent short circuits.
* All short circuits listed in the above table are detected. Detection of a short circuit is sufficient in this case, because two faults must exist for the short circuit to occur (both of the short-circuited signal cables exhibit an insulation fault). Thus, a multiple short-circuit analysis is not required.

Processes for detection of all short circuits are also permissible if individual short circuits are not detected, provided:
* The short circuits do not cause corruption of read signals compared to the sensor signals, or
* The short circuits cause corruption of read signals compared to the sensor signals, but in the direction that ensures safety.

8.1.9 Diagnostic Functions of the 8/16 F-DI DC24V PROFIsafe Electronic Module

Behavior in Case of Supply Voltage Failure

Failure of sensor supplies Vs1 to Vs4 is indicated by the SF LED, the VsF LED, and the LEDs of the relevant channel group on the F-module. This information is also provided on the module (diagnostic entry). The relevant channel groups or channels (in the case of channel-level passivation) of the module are passivated.
Diagnostic Functions

The following table presents an overview of the diagnostic functions of the 8/16 F-DI DC24V PROFIsafe electronic module. The diagnostic functions are assigned either to one channel or to the entire module.

Table 8-14 Diagnostic Functions of the 8/16 F-DI DC24V PROFIsafe Electronic Module

Diagnostic Function* | Fault Number | LED | Signaled in Use Case | Range of Effectiveness of Diagnostic | Assignable
Short circuit | 1H | SF | 1, 2, 3 | Channel | Yes
Overtemperature | 5H | SF | 1, 2, 3 | Module | No
Fault | 9H | SF | 1, 2, 3 | Module | No
Parameter assignment error | 10H | SF | 1, 2, 3 | Module | No
Sensor voltage or load voltage is missing | 11H | VsF | 1, 2, 3 | Module | No
Communication error | 13H | SF | 1, 2, 3 | Module | No
Safety-related shutdown | 19H | SF, VsF | 2.3 | Channel | No

*: Specifically for F-modules; display in STEP 7, see the "Channel-Specific Diagnostics, Fault Types of Fail-Safe Modules" table

Note
If you have enabled the short-circuit test for the F-DI module in STEP 7 and are using only one of the two internal sensor supplies of the module (Vs1 or Vs2, or Vs3 or Vs4), a channel M-short circuit is detected for each of the four channels whose sensor supply is not used. Four "short-circuit" diagnostic functions are generated in the diagnostic buffer of the F-module.

Specific Characteristics for Fault Detection

Detection of some faults (such as short circuits or discrepancy errors) is dependent on the use case, wiring, and parameter assignment of the short-circuit test. For this reason, tables on fault detection are presented for the use cases in "Use Case 1: Safety Mode SIL2/Category 3" to "Use Case 3: Safety Mode SIL3/Category 4".
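The "Assignable Parameters" rules of Use Cases 1 to 3 can be checked mechanically before a configuration is downloaded. The following Python sketch is an added example, not Siemens code or a STEP 7 interface: the InputConfig record and check_module function are hypothetical names, the supply field records only the supply of the input's own (left) channel, and the sample configurations in the test values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Per use case: ("Evaluation of the sensors", "Type of sensor interconnection",
# required short-circuit test state, internal sensor supply mandatory).
# Test state: True = enable, False = disable, None = free choice while no
# input is externally supplied. Values transcribed from Use Cases 1 to 3.
RULES = {
    "1":   ("1oo1 evaluation", None,                      None,  False),
    "2.1": ("1oo2 evaluation", "1-channel",               None,  False),
    "2.2": ("1oo2 evaluation", "2-channel equivalent",    False, False),
    "2.3": ("1oo2 evaluation", "2-channel nonequivalent", False, False),
    "3.1": ("1oo2 evaluation", "2-channel equivalent",    True,  True),
    "3.2": ("1oo2 evaluation", "2-channel nonequivalent", True,  True),
}
# 8/16 F-DI: a 1oo2 pair is DI n with DI n+4, identified here by its left channel n.
LEFT_CHANNELS = {0, 1, 2, 3, 8, 9, 10, 11}


@dataclass
class InputConfig:                     # hypothetical record, one per input or pair
    channel: int                       # DI number (left channel of a 1oo2 pair)
    use_case: str                      # key into RULES
    evaluation: str                    # "Evaluation of the sensors" as assigned
    interconnection: Optional[str]     # "Type of sensor interconnection" as assigned
    supply: str                        # "Vs1".."Vs4" or "external"


def check_module(short_circuit_test: bool, inputs: List[InputConfig]) -> List[str]:
    """Return findings for one 8/16 F-DI module; an empty list means consistent."""
    findings = []
    for inp in inputs:
        tag = f"DI {inp.channel} (use case {inp.use_case})"
        evaluation, interconnection, test_state, internal_only = RULES[inp.use_case]
        if inp.evaluation != evaluation:
            findings.append(f'{tag}: set "Evaluation of the sensors" to "{evaluation}"')
        if interconnection and inp.interconnection != interconnection:
            findings.append(
                f'{tag}: set "Type of sensor interconnection" to "{interconnection}"')
        if evaluation == "1oo2 evaluation" and inp.channel not in LEFT_CHANNELS:
            findings.append(f"{tag}: 1oo2 pairs are DI n with DI n+4, n = left channel")
        if inp.supply == "external":
            if internal_only:
                findings.append(f"{tag}: the sensor must be supplied internally")
            if short_circuit_test:
                findings.append(f'{tag}: external supply with short-circuit test '
                                f'enabled, "Short circuit" diagnostic is reported')
        else:
            # Sensor supply assignment table: DI 0-3 Vs1, DI 4-7 Vs2,
            # DI 8-11 Vs3, DI 12-15 Vs4.
            expected = f"Vs{inp.channel // 4 + 1}"
            if inp.supply != expected:
                findings.append(f"{tag}: internal supply must be {expected}, "
                                f"not {inp.supply}")
        if test_state is not None and test_state != short_circuit_test:
            wanted = "enabled" if test_state else "disabled"
            findings.append(f'{tag}: "Short-circuit test" must be {wanted}')
    return findings
```

Because the short-circuit test applies to the whole module, mixing a Use Case 3 pair with a Use Case 2.2 or 2.3 pair on one module always yields a finding for one of them.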
Causes of Faults and Corrective Actions

The following table presents the possible causes of faults and corrective actions for the individual diagnostic messages of the 8/16 F-DI DC24V PROFIsafe electronic module.

Table 8-15 Diagnostic Messages of the 8/16 F-DI DC24V PROFIsafe Electronic Module, Causes of Faults and Corrective Actions

Diagnostic Message | Fault Detection | Possible Causes | Corrective Actions
Short circuit | Always | Internal fault | Replace module
 | Cyclically during short-circuit test | Short circuit at the sensor; cross circuit at the sensor | Eliminate short circuit/cross circuit on sensor
Overtemperature | Always | Shutdown due to violation of temperature limit values in the module case. | Check ambient temperature. Check whether permissible output current of the sensor power supply is exceeded for the ambient temperature. Once the fault has been eliminated, the module must be removed and inserted, or the power switched off and on.
Fault | Always | Internal module fault has occurred | Replace module
Parameter assignment error | Always | Inserted module does not match configuration | Correct the configuration (compare actual and preset configuration).
 | | PROFIsafe address set incorrectly on the F-module | Check whether the PROFIsafe address on the module matches the configuration in STEP 7 HW Config
Sensor voltage or load voltage is missing | Always | No supply voltage or supply voltage is too low | Check module for proper contact. Once the fault has been eliminated, the module must be removed and inserted, or the power switched off and on.
 | | Voltage dip due to short circuit | Eliminate short circuit/cross circuit.
Communication error | Always | Error in communication between the F-CPU and module, e.g., due to defective PROFIBUS/Industrial Ethernet connection or higher than permissible electromagnetic interferences. | Check the PROFIBUS/Industrial Ethernet connection. Eliminate the interferences.
 | | PROFIsafe monitoring time set too low | Set a higher value for the "F-monitoring time" parameter for the module in STEP 7 HW Config
 | | Configuration of the F-module does not match the fail-safe program | Recompile the safety program; then reload the configuration and safety program to the F-CPU
Safety-related shutdown | Always | Faulty process signal; defective sensor | Check process signal. Replace sensor if necessary.
 | | Short circuit between unconnected sensor cable and the sensor supply cable | Eliminate short circuit
 | | Wire break in connected sensor cable or sensor supply cable | Eliminate broken wire
 | | Assigned discrepancy time is too short | Check the assigned discrepancy time.

Once the error is eliminated, the F-module must be reintegrated in the safety program. For more information on passivation and reintegration of F-I/O, refer to "Diagnostics" and the S7 Distributed Safety Configuring and Programming or Programmable Controllers S7 F/FH manuals.

Generally Applicable Information on Diagnostics

For information on diagnostics pertaining to all fail-safe modules (e.g., readout of diagnostic functions; passivation of channels), refer to "Diagnostics" in this manual as well as the S7 Distributed Safety Configuring and Programming or Programmable Controllers S7 F/FH manuals.
8.1.10 Technical Specifications for the 8/16 F-DI DC24V PROFIsafe Electronic Module

Overview

Technical Specifications

Dimensions and Weight
Dimensions W x H x D (mm) | 90 x 175 x 65.2 (including rack)
Weight | Approx. 270 g

Module-Specific Specifications
Number of inputs
* 1-channel | Max. 16
* 2-channel | Max. 8
Assigned address area
* I/O area for inputs | 8 bytes
* I/O area for outputs | 4 bytes
Cable length
* Unshielded | Max. 30 m
* Shielded | Max. 30 m
Maximum achievable safety class | 1-channel | 2-channel
* According to IEC 61508:2000 | SIL2 | SIL3
* According to ISO 13849-1:2006 or EN ISO 13849-1:2008 | Category 3 | Category 4
Fail-safe performance characteristics | SIL2 | SIL3
* Low demand mode (average probability of failure on demand) | < 1.00E-03 | < 1.00E-05
* High demand/continuous mode (probability of a dangerous failure per hour) | < 1.00E-08 | < 1.00E-09

Voltages, Currents, Potentials
Rated supply voltage L+ | 24 V DC
* Permissible range | 20.4 V to 28.8 V
* Power loss ride-through of L+ | None
* Power loss ride-through of internal P5 | 5 ms
* Reverse polarity protection | Yes
Number of simultaneously controllable inputs
* All mounting positions
 - Up to 40 °C | 16 (for 28.8 V)
 - Up to 55 °C | 16 (for 24.7 V) or 8 (for 28.8 V)
Electrical isolation
* Between channels and backplane bus | Yes
* Between channels and power supply | No
* Between channels | No
* Between channels/power supply and shield | Yes
Permissible potential difference between
* Shield and ET 200pro bus connection | 75 V DC/60 V AC
* Shield and I/O (DIs) | 75 V DC/60 V AC
* ET 200pro bus connection and I/O (DIs) | 75 V DC/60 V AC
Insulation tested during type test with
* Shield and ET 200pro bus connection | 350 V AC/1 min
* Shield and I/O (DIs) | 350 V AC/1 min
* ET 200pro bus connection and I/O (DIs) | 350 V AC/1 min
Current consumption
* From backplane bus | Typ. 20 mA
* From load voltage L+ (without sensor) | Typ. 120 mA
Power loss of module | Typ. 4.5 W

Status, Interrupts, Diagnostics
Status displays
* Inputs | Two-color red/green LED per channel
* Sensor supply | LED VsF and display via channel LEDs of channel groups
Diagnostic functions
Interrupts
* Diagnostic interrupt Channel LED red
* Group fault display | Red LED (SF)
* Diagnostic information can be read out | Possible
* I&M functionality* | See "ET 200pro Distributed I/O" Manual

Sensor Supply Outputs
Number of outputs | 4
Output voltage
* Loaded | Min. L+ (-1.5 V)
Output current
* Rated value | 200 mA
* Permissible range | 0 mA to 200 mA
Permissible aggregate current of outputs | 800 mA
Short-circuit protection | Yes, electronic
* Operating value | 0.7 A to 2.1 A

Data for Selecting a Sensor**
Input voltage
* Rated value | 24 V DC
* At signal "1" | 15 V to 30 V
* At signal "0" | -30 V to 5 V
Input current
* At signal "1" | Typ. 3.7 mA
Input delay | Assignable (for all inputs together)
* At "0" after "1" | Typ. 0.5 ms (0.3 ms to 0.7 ms); Typ. 3 ms (2.6 ms to 3.4 ms); Typ. 15 ms (13 ms to 17 ms)
* At "1" after "0" | Typ. 0.5 ms (0.3 ms to 0.7 ms); Typ. 3 ms (2.6 ms to 3.4 ms); Typ. 15 ms (13 ms to 17 ms)
Input characteristic | In accordance with IEC 61131-2, Type 1
Connection of 2-wire BERO | Not possible
* Permissible quiescent current | Max. 0.6 mA

Time, Frequency
Internal preprocessing times | See "Response Times"
Acknowledgment time in safety mode
* Short-circuit test enabled
 - With input delay of 0.5 ms: | Min. 4 ms / max. 7 ms
 - With input delay of 3 ms: | Min. 4 ms / max. 12 ms
 - With input delay of 15 ms: | Min. 4 ms / max. 9 ms
* Short-circuit test disabled | Min. 4 ms / max. 6 ms
Minimum sensor signal duration | See "Minimum Duration of Sensor Signals for Proper Detection by F-DI Module" table in "Wiring"

Protection against Overvoltage
Protection of supply voltage L+ from surge in accordance with IEC 61000-4-5 with external protection elements only
* Symmetrical (L+ to M) | ± 1 kV; 1.2/50 µs
* Asymmetrical (L+ to PE, M to PE) | ± 2 kV; 1.2/50 µs
Protection of inputs and outputs from surge in accordance with IEC 61000-4-5 with external protection elements only | Not required since cable length is < 30 m
Protection of supply voltage 1L+ from overvoltages | Internal fuse tripped

*: Identification sets are described in the "ET200 pro Distributed I/O System" manual.
**: For requirements for sensors and actuators, see "Requirements for Sensors and Actuators"

8.2 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Digital Electronic Module

8.2.1 Properties of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

Order Number

6ES7 148-4FC00-0AB0

Properties

The 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe electronic module has the following properties:
* Inputs
 - 8 inputs (SIL2/Category 3) or four inputs (SIL3/Category 3 or Category 4)
 - 24 V DC rated input voltage
 - Suitable for switches and 3- or 4-wire proximity switches (BEROs)
 - Two short-circuit-proof sensor supplies for each of the four inputs
 - External sensor supply possible
* Outputs
 - Four outputs, P/M switching (current sourcing/sinking)
 - 2 A output current
 - 24 V DC rated load voltage
 - Suitable for solenoid valves, DC contactors and indicator lights
* Group fault display (SF; red LED)
* Fault LED for each sensor supply (Vs1F to Vs2F) is mapped to VsF LED and the associated channels.
* Status and fault LEDs for each input/output (two-color green/red LED)
* Identification data (see ET 200pro Distributed I/O System Standard Manual)
* Assignable diagnostics
* Safety class SIL3 achievable
* Can only be operated in safety mode

Switching of Grounded Loads

If the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe electronic module switches loads that have a connection between the chassis and ground (e.g., to improve the EMC properties) and if the chassis and ground are connected in the power supply, a "short circuit" will be detected.
From the perspective of the F-module, the M-switch (current sinking) is bridged by the chassis-ground connection (refer to the following figure for an example for a 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe electronic module).

Remedy: The resistance (R) between the chassis and ground on the load side must be greater than 100 kΩ.

Figure 8-15 Switching Grounded Loads (Resistance Between Chassis and Ground)

8.2.2 Terminal Assignment of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

Terminal Assignment on CM IO 12xM12 Connection Module

The following table presents the terminal assignment of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe electronic module on the CM IO 12xM12 connection module. Sockets X1 to X4 are assigned twice. This enables you to implement a 1oo2 evaluation with one connecting cable, e.g., channels 0 and 4 at connector X1.
Table 8-16 Terminal Assignment on the CM IO 12xM12 Connection Module for 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe

Terminal | Assignment of X1 to X12 (digital inputs and digital outputs)
1 | Connectors X1 to X4: 24 V sensor supply 1 (Vs1); Connectors X5 to X8: 24 V sensor supply 2 (Vs2); Connectors X9 to X12: Not assigned
2 | Input signal: Connector X1: Input channel 4 [2]; Connector X2: Input channel 5 [2]; Connector X3: Input channel 6 [2]; Connector X4: Input channel 7 [2]; Connectors X5, X6, X7, X8, X9, X10, X11, X12: Not assigned
3 | Connectors X1 to X8: Sensor supply ground (1M); Connector X9: Output channel M0; Connector X10: Output channel M1; Connector X11: Output channel M2; Connector X12: Output channel M3
4 | Input signal: Connector X1: Input channel 0; Connector X2: Input channel 1; Connector X3: Input channel 2; Connector X4: Input channel 3; Connector X5: Input channel 4; Connector X6: Input channel 5; Connector X7: Input channel 6; Connector X8: Input channel 7; Connector X9: Output channel P0; Connector X10: Output channel P1; Connector X11: Output channel P2; Connector X12: Output channel P3
5 | Connectors X1 to X4: 24 V sensor supply 2 (Vs2); Connectors X5 to X8: Not assigned; Connectors X9 to X12: Functional ground (FG)

[1] 3-, 4- or 5-core copper cable
[2] Only relevant for 1oo2 evaluation via a connecting cable

8.2.3 Block Diagram for the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

Block Diagram

Figure 8-16 Block Diagram for the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

8.2.4 Parameters for the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

Parameters in STEP 7

The following table shows the parameters that can be set for the F-DI/F-DO module (see also "Configuration and Parameter Assignment").

Table 8-17 Parameters of the F-DI/DO Module

Parameters | Range | Default | Type of parameter | Range of effectiveness
F-parameters:
F_destination_address | 1 to 1022 | Assigned by STEP 7 | Static | Module
F-monitoring time | 10 to 10000 ms | 150 ms | Static | Module
Module Parameters:
Behavior after channel faults* | Passivate the entire module/Passivate the channel | Passivate the entire module | Static | Module
Module Parameter Inputs:
Input delay | 0.5; 3; 15 ms | 3 ms | Static | Module
Short-circuit test | Cyclic/Disable | Cyclic | Static | Module
Channel n, n+4 | Enabled/disabled | Enabled | Static | Channel group
Evaluation of the sensors | 1oo2 evaluation/1oo1 evaluation | 1oo2 evaluation | Static | Channel group
Type of sensor interconnection | 1-channel; 2-channel equivalent; 2-channel nonequivalent | 2-channel equivalent | Static | Channel group
Behavior at discrepancy | Provide last valid value; Provide value 0 | Provide last valid value | Static | Channel group
Discrepancy time | 10 to 30000 ms | 10 ms | Static | Channel group
Reintegration after discrepancy error | Test of 0-signal not required/Test of 0-signal required | Test of 0-signal not required | Static | Channel group
Module Parameter Outputs:
DO channel n | Enabled/disabled | Enabled | Static | Channel
Readback time | 1 to 400 ms | 1 ms | Static | Channel
Diagnostics: Wire break | Enabled/disabled | Disabled | Static | Channel

* This setting is only relevant when the S7 Distributed Safety V 5.4 or higher optional package is installed.
Short-Circuit Test Parameter

The cyclic short-circuit test is enabled and disabled using the short-circuit test parameter. The short-circuit test is only useful for simple switches that do not have their own power supply. If the short-circuit test has been enabled, the internal sensor supplies must be used (see also "Use Cases of the 8/16 F-DI DC24V PROFIsafe Electronic Module").

Behavior at Discrepancy Parameter

As the "behavior at discrepancy" you assign the value that is made available to the safety program in the F-CPU while there is a discrepancy between the two input channels involved, i.e., during the discrepancy time. You assign the behavior at discrepancy as follows:
* "Provide last valid value", or
* "Provide value 0"

Requirements

You have assigned the following:
* Evaluation of the sensors: "1oo2 evaluation"

"Provide last valid value"

The last valid value (old value) before discrepancy occurs is made available to the safety program in the F-CPU as soon as a discrepancy is detected between the two relevant input channel signals. This value is supplied until the discrepancy disappears or until the discrepancy time expires and a discrepancy error is detected. The sensor-actuator response time is extended by an amount equal to this time.

As a result, where fast reactions are required, the discrepancy time of sensors connected via two channels must be set to a short value. It makes no sense, for example, for a time-critical shutdown to be triggered by sensors connected via two channels with a discrepancy time of 500 ms. In the worst case, the sensor-actuator response time is extended by an amount approximately equal to the discrepancy time. For this reason, position the sensors in the process in such a way as to minimize discrepancy. Then select the shortest possible discrepancy time that includes a sufficient cushion against false tripping of discrepancy errors.

"Provide value 0"

The value "0" is made available to the safety program in the F-CPU as soon as a discrepancy is detected between the signals of the two relevant input channels. If you specified "Provide value 0", the sensor-actuator response time is not affected by the discrepancy time.

Discrepancy Time Parameter

Here, you can specify the discrepancy time for each channel pair. The entered value is rounded to a multiple of 10 ms.

Requirements

You have assigned the following:
* Evaluation of the sensors: "1oo2 evaluation" and
* Type of sensor interconnection: "2-channel equivalent" or "2-channel nonequivalent"

Discrepancy Analysis and Discrepancy Time

If you are using one two-channel sensor, one nonequivalent sensor or two single-channel sensors that are measuring the same physical process variable, the sensors will respond with a time delay due to the limited accuracy of their arrangement.

The discrepancy analysis for equivalence/nonequivalence is used with fail-safe inputs to detect faults based on the timing of two signals with the same functionality. Discrepancy analysis is initiated when different levels (when testing for nonequivalence: same voltage levels) are detected at two associated input signals. A test is conducted to determine whether the difference in levels (when testing for nonequivalence: the consistency) has disappeared within a programmable period known as the discrepancy time. If not, a discrepancy error exists.

In most cases, the discrepancy time starts but does not elapse completely, since the signal differences disappear after a short time. Select a discrepancy time of sufficient length so that in case of no error, the difference between the two signals (when checking for nonequivalence: the consistency) has definitely disappeared before the discrepancy time expires.

Behavior While Discrepancy Time is Running

While the assigned discrepancy time is running internally on the module, either the last valid value or "0" is made available to the safety program in the F-CPU by the relevant input channels, depending on the parameter assignment for the behavior at discrepancy.

Behavior After Discrepancy Time Elapses

If the input signals are not equivalent following expiration of the specified discrepancy time (when checking for nonequivalence: no inequality), for example due to wire break at a sensor line, the system detects a discrepancy error and generates a "discrepancy" diagnostic message in the diagnostic buffer of the F-I/O module to identify the faulty channels.

Reintegration After Discrepancy Error Parameter

This parameter is used to specify when a discrepancy error is regarded as eliminated and, thus, when the relevant input channels can be reintegrated. The following can be assigned:
* "Test of 0-signal required" or
* "Test of 0-signal not required"

Requirements

You have assigned the following:
* Evaluation of the sensors: "1oo2 evaluation"

"Test of 0-signal required"

If you assigned "Test of 0-signal required", a discrepancy error is regarded as eliminated once a 0-signal is present again at both of the relevant input channels. If you are using nonequivalent sensors, i.e., the "Type of sensor interconnection" is set to "2-channel nonequivalent", a 0-signal must be present again at the channel supplying the wanted signal. For information about which F-module channels supply the wanted signals, refer to the manual for the F-module you are using.

"Test of 0-signal not required"

If you assigned "Test of 0-signal not required", a discrepancy error is regarded as eliminated once the discrepancy at the two relevant input channels disappears. F-modules in SIMATIC S7 for which the "Reintegration after discrepancy error" parameter is not available also exhibit this behavior.

Readback Time Parameter

Each output channel has its own assignable readback time. This time specifies the maximum duration of the switch-off test for the corresponding channel and, thus, also the readback time for the switch-off operation of the channel. The following readback times can be assigned: 1 ms, 5 ms, 10 ms, 50 ms, 100 ms, 200 ms, and 400 ms.

You should set a sufficiently long readback time if the relevant channel switches high-capacitive loads. If the readback time for a controlled capacitive load is set too low, the output channel is passivated because the discharge of the capacitance does not take place within the switch-off test.

In the event of false readback signals, an amount of time equivalent to the readback time is permitted to elapse before the "short circuit" fault causes the output channel to become passivated.

8.2.5 Wiring of Inputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

Use cases

Note
The use cases for the digital input modules apply to all digital inputs of the ET 200pro fail-safe modules. For this reason, the wiring diagrams for the inputs are presented for the 8/16 F-DI DC24V PROFIsafe digital electronic module.
Figure 8-17 Wiring of Inputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

See also
* Use Case 1: Safety Mode SIL2/Category 3
* Use Case 2: Safety Mode SIL3/Category 3
* Use Case 3: Safety Mode SIL3/Category 4
* Wiring of Outputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

8.2.6 Wiring of Outputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

Use Case 1: Wiring a Load to Each Digital Output

Each of the four fail-safe digital outputs consists of one DOx P P-switch (current sourcing) and one DOx M M-switch (current sinking). The load is connected between the P- and M-switches. The two switches are always controlled so that voltage is applied to the load. The wiring is carried out at the connection module.

Figure 8-18 Wiring Diagram for the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

Use Case 2: Wiring Loads to L+ and M at Each Digital Output

You can switch two relays with one fail-safe digital output. The following conditions should be kept in mind:
* L+ and M of the relays must be connected with L+ and M of the F-DO module (reference potential must be equal).
* The normally open contacts of the two relays must be switched in series.

A connection to each of the four digital outputs is possible. The following figure shows an example of the connection at DO 0. This circuit achieves SIL3/Category 4.
Figure 8-19 Wiring Diagram for Each of Two Relays at One F-DO of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

WARNING
When two relays are connected at one digital output (as shown in the figure above), "wire break" and "overload" faults are detected only at the P-switch of the output (not at the M-switch). The controlled actuator can no longer be switched off in the event of a cross circuit between the P- and M-switches of the output.

WARNING
To avoid cross circuits between P- and M-switches of a fail-safe digital output, you must route the cables for the relay connection at the P- and M-switches to protect against cross circuits (e.g., as separately sheathed cables or in separate cable ducts).

Use Case 3: Wiring Two Loads in Parallel to Each Digital Output

Avoiding/Managing Cross Circuits: To protect against cross circuits between P- and M-switches of a fail-safe digital output, we recommend the following wiring schemes:

Figure 8-20 Wiring Diagram for Each of Two Relays Parallel at One F-DO of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

See also
* Block Diagram for the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

8.2.7 Diagnostic Functions of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

Behavior in Case of Supply Voltage Failure

Failure of sensor supplies Vs1 and Vs2 is indicated by the SF LED, VsF LED, and the LEDs of the relevant channel group on the F-module. This information is also provided on the module (diagnostic entry). All channels of the module are passivated.
Diagnostic Functions

The following table presents an overview of the diagnostic functions of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe electronic module. The diagnostic functions are assigned either to one channel or to the entire module.

Table 8-18 Diagnostic Functions of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

| Diagnostic Function* | Fault Number | LED | Range of Effectiveness of Diagnostic | Assignable |
|---|---|---|---|---|
| Short circuit | 1H | SF | Channel | No |
| Overload | 4H | SF | Channel | No |
| Overtemperature | 5H | SF | Module | No |
| Wire break | 6H | SF | Channel | Yes |
| Fault | 9H | SF | Module | No |
| Parameter assignment error | 10H | SF | Module | No |
| Sensor voltage or load voltage is missing | 11H | SF | Module | No |
| Communication error | 13H | SF | Module | No |
| Safety-related shutdown | 19H | SF | Channel | No |

*: Specifically for F-modules; display in STEP 7, see the "Channel-Specific Diagnostics, Fault Types of Fail-Safe Modules" table

Causes of Faults and Corrective Actions

The following table presents the possible causes of faults and corrective actions for the individual diagnostic messages of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe electronic module.

Table 8-19 Diagnostic Messages of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module, Causes of Faults and Corrective Actions

| Diagnostic Message | Fault Detection | Possible Causes | Corrective Actions |
|---|---|---|---|
| Short circuit | Always | Short circuit in the actuator; Cross-circuit in the actuator; Internal fault | Eliminate short circuit/cross circuit on actuator. Once the fault has been eliminated, the module must be removed and inserted, or the power switched off and on. Replace module. |
| Short circuit | Cyclically during short-circuit test | Short circuit at the sensor; Cross circuit at the sensor | Eliminate short circuit/cross circuit on sensor. |
| Overload | For "1" output signal only | Output stage is overloaded and becomes too hot | Eliminate overload. |
| Overtemperature | Always | Shutdown due to violation of temperature limit values in the module case. | Check load wiring. Check ambient temperature. Check whether permissible output current (aggregate current) is exceeded for the ambient temperature. Once the fault has been eliminated, the module must be removed and inserted, or the power switched off and on. |
| Open circuit | For "1" output signal only | Open circuit | Correct the wire break. Ensure specified minimum load (see "Technical Specifications of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module"). |
| Fault | Always | Internal module fault has occurred | Replace module. |
| Parameter assignment error | Always | Inserted module does not match configuration; incorrect parameter assignment; PROFIsafe address set incorrectly on the F-module | Correct the configuration (compare actual and preset configuration). Check communication paths. Check whether the PROFIsafe address on the module matches the configuration in STEP 7 HW Config. Correct the configuration. |
| Sensor voltage or load voltage is missing | Always | No supply voltage or supply voltage is too low; Voltage dip due to short circuit | Check module for proper contact. Once the fault has been eliminated, the module must be removed and inserted, or the power switched off and on. Eliminate short circuit/cross circuit. |
| Communication error | Always | Error in communication between the F-CPU and module due to defective PROFIBUS/Industrial Ethernet connection or higher than permissible electromagnetic interferences, for example; PROFIsafe monitoring time set too low | Test PROFIBUS/Industrial Ethernet connection. Eliminate the interferences. Reduce the call interval for F-program, or set a higher value for the "F-monitoring time" parameter for the module in STEP 7 HW Config. |
| Safety-related shutdown | Always | Configuration of the F-module does not match the fail-safe program; Process signal is faulty; Sensor is defective; Short circuit between unconnected sensor cable (open switch) and the sensor supply cable; Wire break in connected sensor cable (closed switch) or sensor supply cable; Assigned discrepancy time is too short; Switching frequency exceeded | Recompile the safety program; then reload the configuration and safety program to the F-CPU. Check process signal. Replace sensor if necessary. Eliminate short circuit. Eliminate broken wire. Check the assigned discrepancy time. Once the error is eliminated, the F-module must be reintegrated in the safety program. Reduce the switching frequency. |

Generally Applicable Information on Diagnostics

For information on diagnostics pertaining to all fail-safe modules (e.g., for reading out diagnostic functions, passivating channels), refer to "Diagnostics".

8.2.8 Technical Specifications for the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

Overview

Technical Specifications

Dimensions and Weight
Dimensions W x H x D (mm): 90 x 175 x 65.2 including rack
Weight: Approx. 280 g

Module-Specific Specifications
Number of inputs
* 1-channel: Max. 8
* 2-channel: Max. 4
Number of outputs (P/M switching): 4
Assigned address area
* I/O area for inputs: 7 bytes
* I/O area for outputs: 5 bytes
Cable length
* Unshielded: < 30 m
* Shielded: < 30 m
Maximum achievable safety class (1-channel / 2-channel)
* According to IEC 61508:2000: SIL2 / SIL3
* According to ISO 13849-1:2006 or EN ISO 13849-1:2008: Category 3 / Category 4
Fail-safe performance characteristics (SIL2 / SIL3)
* Low demand mode (average probability of failure on demand): < 1.00E-03 / < 1.00E-05
* High demand/continuous mode (probability of a dangerous failure per hour): < 1.00E-08 / < 1.00E-09

Voltages, Currents, Potentials
Rated supply voltage L+: 24 V DC
* Permissible range: 20.4 V to 28.8 V
* Power loss ride-through of L+: None
* Power loss ride-through of internal P5: 5 ms
* Reverse polarity protection (1L/1M): Yes
* Reverse polarity protection (2L/2M): No
Number of simultaneously controllable inputs
* All mounting positions
  - Up to 40 °C: 8 (for 28.8 V)
  - Up to 55 °C: 8 (for 24.8 V) or 4 (for 28.8 V)
Aggregate current of outputs
* All mounting positions
  - Up to 40 °C: 6 A
  - Up to 50 °C: 4 A
  - Up to 55 °C: 3 A
Electrical isolation
* Between channels and backplane bus: Yes
* Between channels and power supply: No
* Between DIs: No
* Between DOs: No
* Between DIs and DOs: Yes
* Between channels/power supply and shield: Yes
Permissible potential difference between
* Shield and ET 200pro bus connection: 75 V DC/60 V AC
* Shield and I/O (DIs, DOs): 75 V DC/60 V AC
* ET 200pro bus connection and I/O (DIs, DOs): 75 V DC/60 V AC
* Between DIs and DOs: 75 V DC/60 V AC
Insulation tested during type test with
* Shield and ET 200pro bus connection: 350 V AC/1 min
* Shield against I/O (DOs): 350 V AC/1 min
* ET 200pro bus connection against I/O (DOs): 350 V AC/1 min
Current consumption
* From backplane bus: Max. 20 mA
* From the electronic supply (without load): Typ. 100 mA
* From load voltage L+ (without load): Typ. 50 mA
Power loss of module: Typ. 5.8 W

Status, Interrupts, Diagnostics
Status display
* Inputs: Two-color red/green LED per channel
* Outputs: Two-color red/green LED per channel
* Sensor supply: LED VsF and display via channel LEDs of channel groups
Interrupts
* Diagnostic interrupt: Channel LED red
Diagnostic functions
* Group fault display: Red LED (SF)
* Diagnostic information can be read out: Possible
* I&M functionality*: See "ET 200pro Distributed I/O" Manual

Sensor Supply Outputs
Number of outputs: 2
Output voltage
* Loaded: Min. L+ (-1.5 V)
Output current
* Rated value: 200 mA
* Permissible range: 0 mA to 200 mA
* Permissible aggregate current of outputs: 400 mA
* Short-circuit protection: Yes, electronic
* Operating value: 0.7 A to 2.1 A

Data for Selecting a Sensor**
Input voltage
* Rated value: 24 V DC
* At signal "1": 15 V to 30 V
* At signal "0": -30 V to 5 V
Input current
* At signal "1": Typ. 3.7 mA
Input delay: Assignable (for all inputs together)
* At "0" after "1": Typ. 0.5 ms (0.3 ms to 0.7 ms); Typ. 3 ms (2.6 ms to 3.4 ms); Typ. 15 ms (13 ms to 17 ms)
* At "1" after "0": Typ. 0.5 ms (0.3 ms to 0.7 ms); Typ. 3 ms (2.6 ms to 3.4 ms); Typ. 15 ms (13 ms to 17 ms)
Input characteristic: In accordance with IEC 61131-2, Type 1
Connection of 2-wire BERO: Not possible
* Permissible quiescent current: Max. 0.6 mA

Data for Selecting an Actuator**
Output voltage
* At signal "1": Min. L+ (-1.5 V)
* P-switch: L+ (-1.5 V), minimum; voltage drop at M-switch: 0.5 V, maximum
Output current for "1" signal
* Rated value: 2 A
* Permissible range: 20 mA to 2.4 A
For "0" signal (residual current): Max. 0.5 mA
Indirect control of load by means of coupling relay: For "0" signal (residual current)
* P-switch: Max. 0.5 mA
* M-switch: Max. 1 mA
Load resistance range: 12 Ω to 1 kΩ
Lamp load: Max. 10 W
Wire break monitoring (open load detection) and overload monitoring
* Response threshold: I < 4 to 19 mA
* Fault detection time: Depends on the assigned readback time (see "Response Times")
Parallel switching of 2 outputs: Not possible
Control of a digital input: Not possible
Switching frequency
* With resistive load: Max. 30 Hz
* With inductive load in accordance with IEC 60947-5-1, DC13: Max. 0.1 Hz
* With lamp load: Max. 10 Hz
Limit on inductive shutdown voltage to: Typ. 2L+ (-2x47 V)
Short-circuit protection of output: Yes, electronic
* Response threshold (short circuit): 5 A to 12 A
* Response threshold (external M-short circuit): 5 A to 12 A
* Response threshold (external P-short circuit): 25 A to 45 A
Overload protection: Yes
* Response threshold: I > 2.8 A to 3.2 A

Time, Frequency
Internal preprocessing times: See "Response Times"
Acknowledgment time in safety mode Min. 4 ms / max. 8 ms
* Short-circuit test enabled For input delay of 0.5 ms For input delay of 3 ms: For input delay of 15 ms: Min. 4 ms / max. 7 ms Min. 4 ms / max. 12 ms Min. 4 ms / max. 9 ms
* Short-circuit test disabled Min. 4 ms / max. 6 ms
Minimum sensor signal duration: See "Minimum Duration of Sensor Signals for Proper Detection by F-DI Module" table in "Wiring".
Protection against Overvoltage
Protection of supply voltage L+ from surge in accordance with IEC 61000-4-5 with external protection elements only
* Symmetrical (L+ to M): + 1 kV; 1.2/50 µs
* Asymmetrical (L+ to PE, M to PE): + 2 kV; 1.2/50 µs
Protection of inputs and outputs from surge in accordance with IEC 61000-4-5 with external protection elements only: Not required since cable length is < 30 m
Protection of supply voltage 1L+ from overvoltage: Internal fuse tripped

*: Identification sets are described in the "ET200 pro Distributed I/O System" manual.
**: For more information on the requirements for sensors and actuators, refer to "Wiring".

8.3 F-Switch PROFIsafe Digital Electronic Module

8.3.1 Properties of the F-Switch PROFIsafe Electronic Module

Order Number

6ES7 148-4FS00-0AB0

Properties

The F-Switch PROFIsafe electronic module has the following properties:
* Inputs
  - 2 inputs (SIL3/Category 3 or 4)
  - 24 V DC rated input voltage
  - Suitable for switches and 3- or 4-wire proximity switches (BEROs)
  - Two short-circuit-proof sensor supplies for each pair of inputs
  - External sensor supply possible
  - 1oo2 evaluation only supported
* Outputs
  - 3 outputs, PP-switching
  - Output current 1 A (F0/F1) in SIL3/Category 4, 6 A (2L+) in SIL2/Category 3
  - 24 V DC rated input voltage
  - Suitable for standard output modules (2L+ power bus), frequency converter, and motor starter (F0, F1 power bus)
* Group fault display (SF; red LED)
* Group fault display for the sensor supplies (VsF; red LED)
* Status and fault LEDs for each input/output (two-color green/red LED)
* Identification data (see ET 200pro Distributed I/O System Standard Manual)
* Can only be operated in safety mode

8.3.2 Terminal Assignment of the F-Switch PROFIsafe Electronic Module

Terminal Assignment on CM F-IO 2xM12 Connection Module

The following table contains the terminal assignment of the F-Switch PROFIsafe on the CM F-IO 2xM12 connection module. Sockets X1 to X2 are assigned twice. This enables you to implement a 1oo2 evaluation with one connecting cable, e.g., channels 0 and 2 at connector X1. The functional ground (FG) is located on the shield.

Table 8-20 Terminal Assignment on CM F-IO 2xM12 Connection Module for F-Switch PROFIsafe

| Pin (circular connector view) | Terminal Assignment of X1 to X2 |
|---|---|
| 1 | Connectors X1 to X2: 24 V sensor supply 1 (Vs1) [2] |
| 2 | Input signal: Connector X1: Channel 2; Connector X2: Channel 3 |
| 3 | Sensor supply ground (1M) |
| 4 | Input signal: Connector X1: Channel 0; Connector X2: Channel 1 |
| 5 | Connectors X1 to X2: 24 V sensor supply 2 (Vs2) [2] |

[1] 3-, 4- or 5-core copper cable
[2] Provided by the ET 200pro for the connected sensor

8.3.3 Block Diagram of the F-Switch PROFIsafe Electronic Module

Block Diagram

Figure 8-21 Block Diagram of the F-Switch PROFIsafe Electronic Module

8.3.4 Parameters for the F-Switch PROFIsafe Electronic Module

Parameters in STEP 7

The table below lists the parameters that can be assigned for the F-Switch PROFIsafe (see also "Configuration and Parameter Assignment").
Table 8-21 Parameters of the F-Switch PROFIsafe Module

| Parameters | Range | Default | Type of Parameter | Range of Effectiveness |
|---|---|---|---|---|
| F-parameters: | | | | |
| F_destination_address | 1 to 1022 | Assigned by STEP 7 | Static | Module |
| F-monitoring time | 10 to 10000 ms | 150 ms | Static | Module |
| Module Parameters: | | | | |
| Behavior after channel faults* | Passivate the entire module/Passivate the channel | Passivate the entire module | Static | Module |
| Module Parameter Inputs: | | | | |
| Input delay | 3 ms | 3 ms | Static | Module |
| Short-circuit test | Cyclic/Disable | Cyclic | Static | Module |
| Channel n, n+2 | Enabled/disabled | Enabled | Static | Channel group |
| Sensor supply | Internal/external | Internal | Static | Module |
| Evaluation of the sensors | 1oo2 evaluation | 1oo2 evaluation | Static | Channel group |
| Type of sensor interconnection | 1-channel; 1-channel equivalent 2-channel equivalent; 2-channel equivalent 2-channel nonequivalent | | Static | Channel group |
| Behavior at discrepancy | Provide last valid value; Provide value 0 | Provide last valid value | Static | Channel group |
| Discrepancy time | 10 to 30000 ms | 10 ms | Static | Channel group |
| Reintegration after discrepancy error | Test of 0-signal not required/Test of 0-signal required | Test of 0-signal not required | Static | Channel group |
| Module Parameter Outputs: | | | | |
| Test of outputs | Enabled/disabled | Enabled | Static | Module |

* This setting is only relevant when the S7 Distributed Safety V 5.4 or higher optional package is installed.

Short-circuit test parameter

The cyclic short-circuit test is enabled and disabled using the short-circuit test parameter. The short-circuit test is only useful for simple switches that do not have their own power supply. If the short-circuit test has been enabled, the internal sensor supplies must be used (see also "Use Cases of the F-Switch PROFIsafe Electronic Module").
Sensor Supply Parameter

This parameter can be used to enable the "internal sensor supply" of the F-module. This setting is a prerequisite for using the short-circuit test.

Note
When there are different sensor supply parameter settings (internal/external) for the individual channel groups, the use cases presented in the section "Use Cases of the F-Switch PROFIsafe Electronic Module" apply to specific channel groups.

Behavior at Discrepancy Parameter

As the "behavior at discrepancy" you assign the value that is made available to the safety program in the F-CPU while there is a discrepancy between the two input channels involved, i.e., during the discrepancy time. You assign the behavior at discrepancy as follows:
* "Provide last valid value", or
* "Provide value 0"

"Provide last valid value"

The last valid value (old value) before discrepancy occurs is made available to the safety program in the F-CPU as soon as a discrepancy is detected between the two relevant input channel signals. This value is supplied until the discrepancy disappears or until the discrepancy time expires and a discrepancy error is detected. The sensor-actuator response time is extended by an amount equal to this time.

As a result, where fast reactions are required, the discrepancy time of sensors connected via two channels must be set to a short value. It makes no sense, for example, for a time-critical shutdown to be triggered by sensors connected via two channels with a discrepancy time of 500 ms. In the worst case, the sensor-actuator response time is extended by an amount approximately equal to the discrepancy time. For this reason, position the sensors in the process in such a way as to minimize discrepancy. Then select the shortest possible discrepancy time that includes a sufficient cushion against false tripping of discrepancy errors.

"Provide value 0"

The value "0" is made available to the safety program in the F-CPU as soon as a discrepancy is detected between the signals of the two relevant input channels. If you specified "Provide value 0", the sensor-actuator response time will not be affected by the discrepancy time.

Discrepancy Time Parameter

Here, you can specify the discrepancy time for each channel pair. The entered value is rounded to a multiple of 10 ms.

Requirements

You have assigned the following:
* Type of sensor interconnection: "2-channel equivalent" or "2-channel nonequivalent"

Discrepancy Analysis and Discrepancy Time

If you are using one two-channel sensor, one nonequivalent sensor or two single-channel sensors that are measuring the same physical process variable, the sensors will respond with a time delay due to the limited accuracy of their arrangement.

The discrepancy analysis for equivalence/nonequivalence is used with fail-safe inputs to detect faults based on the timing of two signals with the same functionality. Discrepancy analysis is initiated when different levels (when testing for nonequivalence: same voltage levels) are detected at two associated input signals. A test is conducted to determine whether the difference in levels (when testing for nonequivalence: the consistency) has disappeared within a programmable period known as the discrepancy time. If not, a discrepancy error exists.

In most cases, the discrepancy time starts but does not elapse completely, since the signal differences disappear after a short time. Select a discrepancy time of sufficient length so that in case of no error, the difference between the two signals (when checking for nonequivalence: the consistency) has definitely disappeared before the discrepancy time expires.
Behavior While Discrepancy Time is Running

While the assigned discrepancy time is running internally on the module, either the last valid value or "0" is made available to the safety program in the F-CPU by the relevant input channels, depending on the parameter assignment for the behavior at discrepancy.

Behavior After Discrepancy Time Elapses

If the input signals are not equivalent following expiration of the specified discrepancy time (when checking for nonequivalence: no inequality), for example due to wire break at a sensor line, the system detects a discrepancy error and generates a "discrepancy" diagnostic message in the diagnostic buffer of the F-I/O module to identify the faulty channels.

Reintegration After Discrepancy Error Parameter

This parameter is used to specify when a discrepancy error is regarded as eliminated and, thus, when the relevant input channels can be reintegrated. The following can be assigned:
* "Test of 0-signal required" or
* "Test of 0-signal not required"

"Test of 0-signal required"

If you assigned "Test of 0-signal required", a discrepancy error is regarded as eliminated once a 0-signal is present again at both of the relevant input channels. If you are using nonequivalent sensors, i.e., the "Type of sensor interconnection" is set to "2-channel nonequivalent", a 0-signal must be present again at the channel supplying the wanted signal. For information about which F-module channels supply the wanted signals, refer to the manual for the F-module you are using.

"Test of 0-signal not required"

If you assigned "Test of 0-signal not required", a discrepancy error is regarded as eliminated once the discrepancy at the two relevant input channels disappears.
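The discrepancy analysis, the two "behavior at discrepancy" settings and the reintegration rule described above, as a small simulation. This is an added example, not code from the manual or the module firmware; the 1 ms sample traces, all class and function names, the choice of channel a as the wanted-signal channel, and the value 0 supplied after a discrepancy error are assumptions of the sketch.

```python
from dataclasses import dataclass
from typing import Optional

EQUIVALENT, NONEQUIVALENT = "2-channel equivalent", "2-channel nonequivalent"
LAST_VALID, VALUE_0 = "Provide last valid value", "Provide value 0"
ZERO_REQUIRED = "Test of 0-signal required"
ZERO_NOT_REQUIRED = "Test of 0-signal not required"


@dataclass
class ChannelPair:
    """One 1oo2 input pair; channel a is assumed to carry the wanted signal."""
    interconnection: str
    behavior: str
    discrepancy_ms: int
    reintegration: str = ZERO_NOT_REQUIRED
    last_valid: int = 0
    started_at: Optional[int] = None      # start of the running discrepancy time
    error_at: Optional[int] = None        # discrepancy error detected
    eliminated_at: Optional[int] = None   # error regarded as eliminated

    def __post_init__(self):
        # The module rounds the entry to a multiple of 10 ms. The rounding
        # direction is not modelled here, so only exact multiples are accepted.
        if self.discrepancy_ms <= 0 or self.discrepancy_ms % 10:
            raise ValueError("discrepancy time must be a positive multiple of 10 ms")

    def discrepant(self, a: int, b: int) -> bool:
        # Equivalent sensors must agree; nonequivalent sensors must differ.
        return a != b if self.interconnection == EQUIVALENT else a == b

    def _eliminated(self, a: int, b: int) -> bool:
        if self.reintegration == ZERO_NOT_REQUIRED:
            return not self.discrepant(a, b)
        if self.interconnection == EQUIVALENT:
            return a == 0 and b == 0
        return a == 0  # nonequivalent: 0-signal at the wanted-signal channel

    def sample(self, t_ms: int, a: int, b: int) -> int:
        """Value made available to the safety program for this sample."""
        if self.error_at is not None:
            if self.eliminated_at is None and self._eliminated(a, b):
                self.eliminated_at = t_ms
            return 0  # assumption: 0 until reintegrated in the safety program
        if not self.discrepant(a, b):
            self.started_at = None
            self.last_valid = a
            return a
        if self.started_at is None:
            self.started_at = t_ms
        if t_ms - self.started_at >= self.discrepancy_ms:
            self.error_at = t_ms
            return 0
        return self.last_valid if self.behavior == LAST_VALID else 0


def first_zero(pair: ChannelPair, trace) -> Optional[int]:
    """Feed the whole trace; return the time the safety program first sees 0."""
    seen = None
    for t, a, b in trace:
        if pair.sample(t, a, b) == 0 and seen is None:
            seen = t
    return seen


def edge(drop_a: int, drop_b: Optional[int], end: int = 300):
    """Constructed trace: both channels at 1, a drops at drop_a,
    b drops at drop_b (None = b stays stuck at 1)."""
    return [(t, int(t < drop_a), int(drop_b is None or t < drop_b))
            for t in range(end)]


def stuck_then_cleared(end: int = 400):
    """Constructed trace: a drops at 100 and returns to 1 at 200 while b
    stays at 1; both channels go to 0 at 300."""
    return [(t, int(t < 100 or 200 <= t < 300), int(t < 300))
            for t in range(end)]


if __name__ == "__main__":
    for behavior in (LAST_VALID, VALUE_0):
        pair = ChannelPair(EQUIVALENT, behavior, 50)
        print(behavior, first_zero(pair, edge(100, None)), pair.error_at)
```

With a discrepancy time of 50 ms and one channel stuck at 1, "Provide last valid value" delays the 0 seen by the safety program from 100 ms to 150 ms, while "Provide value 0" delivers it at 100 ms.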
F-modules in SIMATIC S7 for which the "Reintegration after discrepancy error" parameter is not available also exhibit the "Test of 0-signal not required" behavior.

8.3.5 Wiring of Inputs of the F-Switch PROFIsafe Electronic Module

Note
The information about wiring options and specific parameters in STEP 7 (use cases) in the following section is applicable to the F-Switch PROFIsafe.

Use Case Selection

The following figure provides information to help you select the use case that corresponds to your fail-safe requirements. The following sections provide instructions on wiring the F-module and identify the parameters you must assign in STEP 7 for each use case.

Figure 8-22 Selecting a use case

WARNING
The achievable safety class is dependent on the quality of the sensor and the length of the proof-test interval in accordance with IEC 61508:2000.

Conditions for Achieving SIL/Category

The conditions for achieving the respective safety requirements are presented in the following table.

Table 8-22 F-DI Modules: Conditions for Achieving SIL/Category

Use case | Sensors | Evaluation of the sensors | Sensor supply | Achievable SIL/Category
2.1 | 1-channel | 1oo2 | Internal, with short-circuit test; Internal, without short-circuit test; External | 3/3
2.2 | 2-channel equivalent | 1oo2 | Internal, without short-circuit test; External | 3/3
2.3 | 2-channel nonequivalent | 1oo2 | Internal, without short-circuit test; External | 3/3
3.1 | 2-channel equivalent | 1oo2 | Internal, with short-circuit test | 3/4
3.2 | 2-channel nonequivalent | 1oo2 | Internal, with short-circuit test | 3/4

Note
You can operate the various inputs of an F-Switch PROFIsafe simultaneously in SIL3/Category 3 and in SIL3/Category 4.
You only have to connect the inputs and assign parameters as shown in the following sections.

Sensor Requirements

Please note the information in "Requirements for Sensors and Actuators" when using sensors for safety-related applications.

8.3.6 Use Case 1: Safety Mode of F-Switch PROFIsafe

Use Case 1

Note
Use case 1 is not intended for the F-Switch PROFIsafe.

8.3.7 Use Case 2: Safety Mode SIL3/Category 3

Conditions for Achieving SIL/Category

Note
For the conditions for achieving the SIL/Category and the requirements for sensors, see "Wiring of Inputs of the F-Switch PROFIsafe Electronic Module".

Assigning Inputs to Each Other

The F-Switch PROFIsafe electronic module has 2 fail-safe inputs (SIL3). The following assignment applies:

F-Switch PROFIsafe
* Input channels DI 0 with DI 2
* Input channels DI 1 with DI 3

Sensor Supply

The F-Switch PROFIsafe electronic module provides sensor supplies VS1 and VS2 for inputs 0 to 3. The sensors can be powered internally or externally.

F-Switch PROFIsafe
* Input channels DI 0 with DI 1 with sensor supply Vs1
* Input channels DI 2 with DI 3 with sensor supply Vs2

Wiring Diagram for Use Case 2.1 - Connecting One Sensor Via One Channel to Two Inputs

One sensor is connected via one channel to two inputs of the F-module for each process signal (1oo2 evaluation). The wiring is carried out at the appropriate connection module.

WARNING
In order to achieve SIL3/Category 3 with this wiring, you must install a suitably qualified sensor, for example, in accordance with IEC 60947.
Note
If the voltage is supplied to the sensor from the F-Switch PROFIsafe electronic module, you must use the internal sensor supply Vs1. Connection to Vs2 is not possible.

Figure 8-23 Wiring Diagram for F-Switch - One Sensor Connected Via One Channel to Two Inputs, Internal Sensor Supply

Figure 8-24 Wiring Diagram for F-Switch - One Sensor Connected Via One Channel to Two Inputs, External Sensor Supply

Assignable Parameters for Use Case 2.1

Set the "Type of sensor interconnection" parameter to "1-channel" for the corresponding input. The discrepancy time is permanently preset to 10 ms and cannot be changed.

You can enable or disable the "short-circuit test" parameter. For digital inputs connected to an external supply, set the "Sensor supply" parameter for the corresponding digital input to "external". The program will otherwise report a "short circuit" diagnostics event if the "short-circuit test" is enabled.

Special Features for Fault Detection in Use Case 2.1

The following table presents fault detection according to the sensor supply and the parameter assignment for the short-circuit test:

Table 8-23 F-Switch PROFIsafe Electronic Module: Fault Detection

Fault detection in case of ...
Example of fault | Internal sensor supply and short-circuit test enabled | Internal sensor supply and short-circuit test disabled | External sensor supply
Short circuit of DI 0 with DI 1 | No | No | No
Short circuit of DI 0 with DI 3 | No | No | No
P-short circuit of DI 0 | Yes | No | No
M-short circuit of DI 0 | Yes* | Yes* | No
Discrepancy error | Yes | Yes | Yes
P-short circuit of sensor supply | Yes | No | No
M-short-circuit in sensor supply or defective | Yes | Yes | Yes
Short-circuit in sensor supply at DI 0 | No | No | No
Supply voltage fault | Yes | Yes | Yes

*: Fault is detected only in case of signal corruption. That is, the signal read differs from the sensor signal (discrepancy error). If there is no signal corruption relative to the sensor signal, fault detection is not possible and is not required from a safety standpoint.

WARNING
If the short-circuit test is disabled or cannot be enabled, the wiring between the sensor and input channel must be short circuit-proof.

Wiring Diagram for Use Case 2.2 - Connecting One Two-Channel Sensor Via Two Channels

One two-channel sensor is connected via two channels to two inputs of the F-module for each process signal (1oo2 evaluation). The wiring is carried out at the appropriate connection module.

Figure 8-25 Wiring Diagram for F-Switch - One Two-Channel Sensor Connected, Internal Sensor Supply

Figure 8-26 Wiring Diagram for F-Switch - One Two-Channel Sensor Connected Via Two Channels, External Sensor Supply

Wiring Diagram of the Connection of Two Single-Channel Sensors to Two Channels

Two single-channel sensors are connected via two channels to two inputs of the F-module for each process signal (1oo2 evaluation).
The sensors can also be supplied via an external sensor supply.

WARNING
In order to achieve SIL2/Category 3 with this wiring, you must install a suitably qualified sensor, for example, in accordance with IEC 60947.

Assignable Parameters for Use Case 2.2

Set the "Type of sensor interconnection" parameter to "2-channel equivalent" for the corresponding input.

You can enable or disable the "short-circuit test" parameter. For digital inputs connected to an external supply, set the "Sensor supply" parameter for the corresponding digital input to "external". The program will otherwise report a "short circuit" diagnostics event if the "short-circuit test" is enabled.

Figure 8-27 Wiring Diagram for F-Switch - Two One-Channel Sensors Connected Via Two Channels, Internal Sensor Supply

Special Features for Fault Detection in Use Case 2.2

The following table presents fault detection according to the sensor supply and the parameter assignment for the short-circuit test:

Table 8-24 F-Switch PROFIsafe Electronic Module: Fault Detection

Fault detection in case of ...
Example of fault | Internal sensor supply and short-circuit test enabled | Internal sensor supply and short-circuit test disabled | External sensor supply
Short circuit of DI 0 with DI 1 | Yes* | Yes* | Yes*
Short circuit of DI 0 with DI 2 | No | No | No
Short circuit of DI 0 with DI 3 | Yes* | Yes* | Yes*
P-short circuit of DI 0 | Yes* | Yes* | Yes*
M-short circuit of DI 0 | Yes* | Yes* | Yes*
Discrepancy error | Yes | Yes | Yes
P-short circuit of sensor supply | Yes | No | No
M-short-circuit in sensor supply or defective | Yes | Yes | Yes
Short-circuit in sensor supply at DI 0 | Yes* | Yes* | Yes*
Supply voltage fault | Yes | Yes | Yes

*: Fault is detected only in case of signal corruption. That is, the signal read differs from the sensor signal (discrepancy error).
If there is no signal corruption relative to the sensor signal, fault detection is not possible and is not required from a safety standpoint.

WARNING
If the short-circuit test is not enabled or the sensor supply to digital inputs is set to "external", the wiring between the sensor and the input channel must be short circuit-proof.

Wiring Diagram for Use Case 2.3 - Connecting One Nonequivalent Sensor Via Two Channels Nonequivalently

One nonequivalent sensor is connected nonequivalently via two channels to two inputs of the F-I/O module for each process signal (1oo2 evaluation). The left channels on the F-module (DI0 through DI1) supply the wanted signals. If no faults are detected, these signals will be available in the I/O area for inputs on the F-CPU.

Note
If the voltage is supplied to the sensor from the F-Switch PROFIsafe module, you must use the internal sensor supply Vs1. Connection to Vs2 is not possible.

The wiring is carried out at the appropriate connection module.
Figure 8-28 Wiring Diagram for F-Switch - One Nonequivalent Sensor Connected Via Two Channels Nonequivalently, Internal Sensor Supply

Figure 8-29 Wiring Diagram for F-Switch - One Nonequivalent Sensor Connected Via Two Channels Nonequivalently, External Sensor Supply

Wiring Diagram for Nonequivalent Connection of Two Single-Channel Sensors to Two Channels

Two single-channel sensors are connected via two channels to two inputs of the F-module for each process signal (1oo2 evaluation). The left channels of the F-module (DI 0 through DI 1) return the wanted signals. If no faults are detected, these signals will be available in the I/O area for inputs on the F-CPU. The sensors can also be supplied via an external sensor supply.

Figure 8-30 Wiring Diagram for F-Switch - Two One-Channel Sensors Connected Via Two Channels Nonequivalently, Internal Sensor Supply

WARNING
In order to achieve SIL2/Category 3 with this wiring, you must install a suitably qualified sensor, for example, in accordance with IEC 60947.

Assignable Parameters for Use Case 2.3

Set the "Type of sensor interconnection" parameter to "2-channel nonequivalent" for the corresponding input.

You can enable or disable the "short-circuit test" parameter. For digital inputs connected to an external supply, set the "Sensor supply" parameter for the corresponding digital input to "external". The program will otherwise report a "short circuit" diagnostics event if the "short-circuit test" is enabled.
Special Features for Fault Detection in Use Case 2.3

The following table presents fault detection according to the sensor supply and the parameter assignment for the short-circuit test:

Table 8-25 F-Switch PROFIsafe Electronic Module: Fault Detection (Use Case 2.3)

Fault detection in case of ...
Example of fault | Internal sensor supply and short-circuit test enabled | Internal sensor supply and short-circuit test disabled | External sensor supply
Short circuit of DI 0 with DI 1 | Yes* | Yes* | Yes*
Short circuit of DI 0 with DI 2 | Yes | Yes | Yes
Short circuit of DI 0 with DI 3 | Yes* | Yes* | Yes*
P-short circuit of DI 0 | Yes* | Yes* | Yes*
M-short circuit of DI 0 | Yes* | Yes* | Yes*
Discrepancy error | Yes | Yes | Yes
P-short circuit of sensor supply | Yes | No | No
M-short circuit of sensor supply or sensor supply defective | Yes | Yes | Yes
Short-circuit in sensor supply at DI 0 | Yes* | Yes* | Yes*
Supply voltage fault | Yes | Yes | Yes

*: Fault is detected only in case of signal corruption. That is, the signal read differs from the sensor signal (discrepancy error). If there is no signal corruption relative to the sensor signal, fault detection is not possible and is not required from a safety standpoint.

8.3.8 Use Case 3: Safety Mode SIL3/Category 4

Assigning Inputs to Each Other

The F-Switch PROFIsafe has 2 fail-safe inputs (SIL3). The following assignments apply in this case:

Table 8-26 Use Case 3: Assignment of Input Channels to Each Other

F-Switch PROFIsafe
* Input channels DI 0 with DI 2
* Input channels DI 1 with DI 3

Sensor Supply

The F-Switch PROFIsafe electronic module provides sensor supplies VS1 and VS2 for inputs 0 to 3.
The sensor must be supplied internally.

Table 8-27 Use Case 2: Assignment of Sensor Supply to Inputs

F-Switch PROFIsafe
* Input channels DI 0 with DI 1 with sensor supply Vs1
* Input channels DI 2 with DI 3 with sensor supply Vs2

Wiring Diagram for Use Case 3.1 - Connecting One Two-Channel Sensor Via Two Channels

One two-channel sensor is connected via two channels to two inputs of the F-module for each process signal (1oo2 evaluation). The wiring is carried out at the appropriate connection module. The figure below illustrates an example wiring diagram for channel groups 1 and 2.

Figure 8-31 Wiring Diagram for F-Switch - One Two-Channel Sensor Connected Via Two Channels, Internal Sensor Supply

Alternatively, two one-channel sensors can be connected via two channels (see Figure "Wiring Diagram for F-DI Modules - Two One-Channel Sensors Connected Via Two Channels, Internal Sensor Supply"). In this case, the same process variable is measured with mechanically separated sensors.

WARNING
In order to achieve SIL3/Category 4 with this wiring, you must install a suitably qualified sensor, for example, in accordance with IEC 60947.

Assignable Parameters for Use Case 3.1

Set the "Type of sensor interconnection" parameter to "2-channel equivalent" for the corresponding input. Enable the "short-circuit test" parameter and set "internal" at the "sensor supply" parameter.

Wiring Diagram for Use Case 3.2 - Connecting One Nonequivalent Sensor Via Two Channels Nonequivalently

You can connect two process signals to an F-Switch PROFIsafe.
One sensor is connected nonequivalently via two channels to two inputs of the F-module for each process signal (1oo2 evaluation). The left channels of the F-module (DI 0 through DI 1) return the wanted signals. If no faults are detected, these signals will be available in the I/O area for inputs on the F-CPU.

Note
You must use the internal sensor supply Vs1 to supply voltage to the sensor. Connection to Vs2 is not possible.

The wiring is carried out at the appropriate connection module.

Figure 8-32 Wiring Diagram for F-Switch - One Nonequivalent Sensor Connected Via Two Channels Nonequivalently, Internal Sensor Supply

Alternatively, two one-channel sensors can be connected nonequivalently via two channels (see Figure "Wiring Diagram for F-DI Modules - Two One-Channel Sensors Connected Nonequivalently Via Two Channels, Internal Sensor Supply"). In this case, the same process variable is measured with mechanically separated sensors.

WARNING
In order to achieve SIL3/Category 4 with this wiring, you must install a suitably qualified sensor, for example, in accordance with IEC 60947.

Assignable Parameters for Use Case 3.2

Set the "Type of sensor interconnection" parameter to "2-channel nonequivalent" for the corresponding input. Enable the "short-circuit test" parameter and set "internal" at the "sensor supply" parameter.

Specific Characteristics for Fault Detection (Use Cases 3.1 and 3.2)

The following table presents fault detection according to the sensor supply and the parameter assignment for the short-circuit test:

Table 8-28 F-Switch PROFIsafe Electronic Module: Fault Detection (Use Cases 3.1 and 3.2)

Fault detection with internal sensor supply and enabled short-circuit test for ...
Example of fault | Sensor 2-channel equivalent | Sensor 2-channel nonequivalent
Short circuit of DI 0 with DI 1 | Yes* | Yes*
Short circuit of DI 0 with DI 2 | Yes* | Yes
Short circuit of DI 0 with DI 3 | Yes* | Yes*
P-short circuit of DI 0 | Yes | Yes
M-short circuit of DI 0 | Yes* | Yes*
Discrepancy error | Yes | Yes
P-short circuit of Vs1 | Yes | Yes
M-short circuit of Vs1, or Vs2 defective | Yes | Yes
Short circuit of Vs1 with Vs2 | Yes | Yes
Fault in read/test circuit | Yes | Yes
Supply voltage fault | Yes | Yes

*: Fault is detected only in case of signal corruption. That is, the signal read differs from the sensor signal (discrepancy error). If there is no signal corruption relative to the sensor signal, fault detection is not possible and is not required from a safety standpoint.

Requirements for Machine Protection Applications With Category 4

The following requirements apply to machine protection applications with Category 4:
* State-of-the-art wiring must be used between the sensors and the automation system or between the automation system and the actuators to prevent short circuits.
* All short circuits listed in the above table are detected. Detection of a short circuit is sufficient in this case, because two faults must exist for the short circuit to occur (both of the short-circuited signal cables exhibit an insulation fault). Thus, a multiple short-circuit analysis is not required.

Processes for detection of all short circuits are also permissible if individual short circuits are not detected, provided:
* The short circuits do not cause corruption of read signals compared to the sensor signals or
* The short circuits cause corruption of read signals compared to the sensor signals, but in the direction that ensures safety.
8.3.9 Wiring of Outputs of the F-Switch PROFIsafe Electronic Module

Assignment of Channels

Channel | Power bus
DO0 | F0
DO1 | F1
DO2 | 2L+

A list of the modules operated behind the F-Switch can be obtained on the Internet under ID 25371449.

Actuator Interconnection

The actuators are interconnected via the power bus. The PP-switching outputs of the F-Switch PROFIsafe are fed to the actuators via the power bus. The power bus is permanently wired within the system. As a result, only limited wiring variations are possible. The power buses can be tapped and routed or conditioned only from modules of the ET 200pro system.

Wiring Diagram of Frequency Converter (SIL2/Category 3)

Figure 8-33 Wiring Diagram of F-Switch PROFIsafe - Connection of Frequency Converter

Wiring Diagram of Standard Digital Outputs (SIL2/Category 3)

Figure 8-34 Wiring Diagram of F-Switch PROFIsafe - Connection of Digital Outputs

WARNING
In the event of a cross circuit between 2L+ and DO or an external P-short circuit, the controlled actuator or the 2L+ power bus is no longer switched off. You should always wire the actuators in a cross-circuit-proof and an external P-short-circuit-proof manner, for example, using sheathed cables or separate cable ducts, in order to prevent a cross-circuit or an external P-short circuit.

WARNING
When supplying power to standard digital output modules, always use the CM modules of these digital output modules to supply the actuators (actuator feedback on the DO module). Otherwise, a residual current can flow for a "0-signal" in the event of a current break.
Wiring Diagram of Shutdown Modules (SIL3/Category 4)

Figure 8-35 Wiring Diagram of F-Switch PROFIsafe - Connection of Shutdown Modules

WARNING
"Test of outputs" must be enabled for this mode for SIL3/Category 4.

Safety-Related Shutdown of Standard Output Modules

WARNING
Safety-related activation of standard DO module outputs is not possible. Only safety-related shutdown is possible. The following issues must therefore be taken into consideration: In the worst case you must consider all possible faults of the standard DO modules and the program controlling them for which there is no direct fault detection. For example, the F-Switch PROFIsafe does not detect external short circuits to L+ at the standard DO module outputs. All faults of the standard DO modules influence the process by means of final controlling elements. The process status must be made known to the F-CPU by way of sensors and a suitable safety program. The safety program must react in a safety-related and logically suitable fashion to unwanted or potentially dangerous states in the process using the F-Switch PROFIsafe and fail-safe output modules.

See also on the Internet (http://www.siemens.com/automation/support-request)

8.3.10 Properties of the F-Switch PROFIsafe Electronic Module

Behavior in Case of Supply Voltage Failure

Failure of sensor supplies Vs1 and Vs2 is indicated by the SF LED, the VsF LED, and the LEDs of the relevant channel group on the F-module.
This information is also provided on the F-module (diagnostic entry). All channels of the F-module are passivated.

Diagnostic Functions

The following table shows an overview of the diagnostic functions of the F-Switch PROFIsafe electronic module. The diagnostic functions are assigned either to one channel or to the entire module.

Table 8-29 Properties of the F-Switch PROFIsafe Electronic Module

Diagnostic Function* | Fault Number | LED | Range of Effectiveness of Diagnostic | Assignable
Short circuit | 1H | SF | Channel | Yes
Overtemperature | 5H | SF | Module | No
Fault | 9H | SF | Module | No
Parameter assignment error | 10H | SF | Module | No
Sensor voltage or load voltage is missing | 11H | SF | Module | No
Communication error | 13H | SF | Module | No
Safety-related shutdown | 19H | SF | Channel | No

*: Specifically for F-modules; display in STEP 7, see the "Channel-Specific Diagnostics, Fault Types of Fail-Safe Modules" table

Causes of Faults and Corrective Actions

The following table lists the possible causes of faults and corrective measures for the individual diagnostic messages of the F-Switch PROFIsafe electronic module.

Table 8-30 Causes of Faults and Corrective Measures for Diagnostic Messages of the F-Switch PROFIsafe Electronic Module

Columns: Diagnostic Message, Fault Detection, Possible Causes, Corrective Actions

Short circuit Always Short circuit in the actuator Eliminate short circuit/cross circuit on Cross-circuit in the actuator actuator Once the fault has been eliminated, the module must be removed and inserted, or the power switched off and on Internal fault Overtemperature Replace module For output Overload: output stage is signal "1" overloaded and becomes only too hot. Eliminate overload. Cyclically during short-circuit test Short circuit at the sensor Eliminate short circuit/cross circuit on sensor Always Shutdown due to violation of temperature limit values in the module case. Cross circuit at the sensor Check load wiring. Check ambient temperature. Check whether permissible output current (aggregate current) is exceeded for the ambient temperature. Once the fault has been eliminated, the module must be removed and inserted, or the power switched off and on

Fault (fault detection: Always)
* Possible causes: Internal module fault has occurred
* Corrective actions: Replace module

Parameter assignment error (fault detection: Always)
* Possible causes: Inserted module does not match configuration; incorrect parameter assignment. PROFIsafe address set incorrectly on the F-module.
* Corrective actions: Correct the configuration (compare actual and preset configuration). Check communication paths. Correct the configuration. Check whether the PROFIsafe address on the module matches the configuration in STEP 7 HW Config.

Sensor voltage or load voltage is missing (fault detection: Always)
* Possible causes: No supply voltage or supply voltage is too low. Voltage dip due to short circuit.
* Corrective actions: Check module for proper contact. Once the fault has been eliminated, the module must be removed and inserted, or the power switched off and on. Eliminate short circuit/cross circuit.

Communication error (fault detection: Always)
* Possible cause: Error in communication between the F-CPU and module, e.g., due to defective PROFIBUS/Industrial Ethernet connection or higher than permissible electromagnetic interferences. Corrective actions: Test PROFIBUS/Industrial Ethernet connection. Eliminate the interferences.
* Possible cause: PROFIsafe monitoring time set too low. Corrective actions: Reduce the call interval for F-program, or set a higher value for the "F-monitoring time" parameter for the module in STEP 7 HW Config.
* Possible cause: Configuration of the F-module does not match the safety program. Corrective actions: Recompile the safety program; then reload the configuration and safety program to the F-CPU.

Safety-related shutdown (fault detection: Always)
* Possible causes: Process signal is faulty. Sensor is defective. Corrective actions: Check process signal. Replace sensor if necessary.
* Possible cause: Short circuit between unconnected sensor cable (open switch) and the sensor supply cable. Corrective action: Eliminate short circuit.
* Possible cause: Wire break in connected sensor cable (closed switch) or sensor supply cable. Corrective action: Eliminate broken wire.
* Possible cause: Assigned discrepancy time is too short. Corrective action: Check the assigned discrepancy time.
* Once the error is eliminated, the F-module must be reintegrated in the safety program.
* Possible cause: Switching frequency exceeded. Corrective action: Reduce the switching frequency.

Generally Applicable Information on Diagnostics

For information on diagnostics pertaining to all fail-safe modules (e.g., for reading out diagnostic functions, passivating channels), refer to "Diagnostics".

8.3.11 Technical Specifications for the F-Switch PROFIsafe Electronic Module

Overview

Technical Specifications

Dimensions and Weight
Dimensions W x H x D (mm): 45 x 130 x 65.2 (including rack)
Weight: Approx. 170 g

Module-Specific Specifications
Number of inputs
* 2-channel: Max. 2
Number of outputs (P/P switching): Max. 3
Assigned address area
* I/O area for inputs: 7 bytes
* I/O area for outputs: 5 bytes
Cable length
* Unshielded: < 30 m
* Shielded: < 30 m
Maximum achievable safety class: 2-channel
* According to IEC 61508:2000: SIL3
* According to ISO 13849-1:2006 or EN ISO 13849-1:2008: Category 4
Fail-safe performance characteristics: SIL2 / SIL3
* Low demand mode (average probability of failure on demand): < 1.00 E-05
* High demand/continuous mode (probability of a dangerous failure per hour): < 1.00 E-09

Voltages, Currents, Potentials
Rated supply voltage L+: 24 V DC
* Permissible range: 20.4 V to 28.8 V
* Power loss ride-through of L+: None
* Power loss ride-through of internal P5: 5 ms
* Reverse polarity protection: Yes: electronics, No: load supply (reverse polarity causes fuse to trip (12.5 A quick-response) in the head module)
Electrical isolation
* Shield and ET 200pro bus connection: Yes
* ET 200pro bus connection and I/O: Yes
* Shield and I/O (DIs, DOs): Yes
* Between DIs and DOs: Yes
Permissible potential difference between:
* Shield and ET 200pro bus connection: 75 V DC/60 V AC
* ET 200pro bus connection and I/O: 75 V DC/60 V AC
* Shield and I/O (DIs, DOs): 75 V DC/60 V AC
* Between DIs and DOs: 75 V DC/60 V AC
Insulation tested during type test with
* Shield and ET 200pro bus connection: 370 V AC / 1 min or 520 V DC / 1 min
* ET 200pro bus connection and I/O: 370 V AC / 1 min or 520 V DC / 1 min
* Shield and I/O (DIs, DOs): 370 V AC / 1 min or 520 V DC / 1 min
* Between DIs and DOs: 370 V AC / 1 min or 520 V DC / 1 min
Current consumption
* From backplane bus: Max. 40 mA
* From the electronic supply (without load): 50 mA
* From load voltage L+ (without load): Typ. 25 mA
Power loss of module: 3 W

Status, Interrupts, Diagnostics
Status displays
* Inputs: Two-color red/green LED per channel
* Outputs: Two-color red/green LED per channel
* Sensor supply: LED VsF and display via channel LEDs of channel group
Interrupts
* Diagnostic interrupt: Channel LED red
Diagnostic functions
* Group fault display: Red LED (SF)
* Diagnostic information can be read out: Possible
* I&M functionality*: See "ET 200pro Distributed I/O" Manual

Sensor Supply Outputs
Number of outputs: 2
Output voltage
* Loaded: Min. L+ (-1.5 V)
Output current
* Rated value: 200 mA
* Permissible range: 0 mA to 200 mA
* Permissible aggregate current of outputs: 400 mA
* Short-circuit protection: Yes, electronic
* Operating value: 4 A to 9 A

Data for Selecting a Sensor **
Input voltage
* Rated value: 24 V DC
* At signal "1": 15 V to 30 V
* At signal "0": -30 V to 5 V
Input current
* At signal "1": Typ. 3.5 mA
Input delay: For all inputs together
* At "0" after "1": Typ. 3 ms; 2.0 ms to 4.5 ms
* At "1" after "0": Typ. 3 ms; 2.0 ms to 4.5 ms
Input characteristic: In accordance with IEC 1131-2, Type 1
Connection of 2-wire BERO: Not possible
* Permissible quiescent current: Max. 0.6 mA

Data for Selecting an Actuator*
Output voltage
* At signal "1": L+ -1.5 V (F0 / F1); L+ -1.5 V (2L+)
Output current for "1" signal
* Rated value: 1 A (F0 / F1); 6 A (2L+)
* Permissible range: Up to 1.2 A (F0 / F1); 20 mA to 6 A (2L+)
For "0" signal (residual current): Max. 0.5 mA
Indirect control of load by means of coupling relay:
* For "0" signal (residual current) P-switch: Max. 0.5 mA
Lamp load
* Not possible (F0 / F1)
* Max. 60 W (2L+)
Parallel switching of 2 outputs: Not possible
Control of a digital input: Possible
Switching frequency
* With resistive load: Max. 10 Hz 1 A (F0 / F1); Max. 2 Hz (2L+)
* With inductive load in accordance with IEC 60947-5-1, DC13: Max. 0.1 Hz (F0 / F1); Max. 0.1 Hz (2L+)
* With lamp load: Max. 2 Hz (2L+)
Limit on inductive shutdown voltage to
* -36 V (F0 / F1)
* -1 V (2L+)
Short-circuit protection of output: Yes, electronic
* Response threshold (short circuit) (F0/F1): 5 A to 12 A
* Response threshold (short circuit) (2L+): 20 A to 120 A

Time, Frequency
Internal preprocessing times: See "Response Times"
Acknowledgment time in safety mode Min. 4 ms / max. 8 ms Short-circuit test enabled 2.0 ms -4.5 ms * With input delay of 3 ms:
Minimum sensor signal duration: See Table "Minimum Duration of Sensor Signals for Proper Detection by F-DI Module" in "Wiring"
Outputs
* Safety mode SIL3, Category 4: 20 ms
* Safety mode with fault reaction: < 20 ms for signal change; < 15 min for static signals

Protection against Overvoltage
Protection of supply voltage 1L+ and 2L+ from surge in accordance with IEC 61000-4-5 with external protection elements only
* Symmetrical (L+ to M): + 1 kV; 1.2/50 µs
* Asymmetrical (L+ to PE, M to PE): + 2 kV; 1.2/50 µs
Protection of inputs from surge in accordance with IEC 61000-4-5 with external protection elements only
* Symmetrical (L+ to M): +1 kV; 1.2/50 µs
* Asymmetrical (L+ to PE, M to PE): +2 kV; 1.2/50 µs
Protection of supply voltage 1L+ from overvoltages: Internal fuse tripped

*: Identification sets are described in the "ET200 pro Distributed I/O System" manual.
**: For requirements for sensors and actuators, see "Requirements for Sensors and Actuators"

A Diagnostic Data of Fail-Safe Modules

Introduction
This appendix describes the structure of diagnostic data in the system data. You need to know this structure if you want to evaluate diagnostic data of fail-safe modules in the standard user program.

Further Reading
The System and Standard Functions reference manual describes in detail the principles of evaluating diagnostic data of F-modules in the standard user program and describes the SFCs used for this.

SFCs for Reading Out Diagnostic Data
The following SFCs are available for reading out diagnostic data of fail-safe modules in the standard user program:

Table A-1 SFCs for Reading Out Diagnostic Data

| SFC Number | Identifier | Application |
|---|---|---|
| 59 | RD_REC | Reading out data records of S7 diagnostics (storing in data area of the standard user program) |
| 13 | DPNRM_DG | Reading out slave diagnostics (storing in data area of the standard user program) |

Position in the Diagnostic Frame of the Slave Diagnostics
When fail-safe modules are being used in the ET 200pro and a diagnostic interrupt occurs, data records 0 and 1 are entered in the slave diagnostics of the ET 200pro (= interrupt section). The position of the interrupt section in the slave diagnostics depends on the structure of the diagnostic frame and the length of the channel-specific diagnostics. You will find a detailed description of the structure of the diagnostic frame and the position of the interrupt section in accordance with the PROFIBUS standard in the section on "Commissioning and Diagnostics" in the ET 200pro Distributed I/O System Manual.
Data Records 0 and 1 of the System Data
The diagnostic data of a module can be up to 44 bytes long and is located in data records 0 and 1 of the system data area:
* Data record 0 contains 4 bytes of diagnostic data that describe the state of the F-module.
* Data record 1 contains
  - The 4 bytes of diagnostic data of the F-module that are also in data record 0 and
  - Up to 40 bytes of channel-specific diagnostic data depending on the F-module (see "Channel-Specific Diagnostics Starting at Byte 8").

Description
The structure and content of the individual diagnostic data bytes are described below. In general, the following applies: If a fault occurs, the corresponding bit is set to "1".

Bytes 0 and 1
The following figure shows the content of bytes 0 and 1 of the diagnostic data.
Figure A-1 Bytes 0 and 1 of Diagnostic Data

Bytes 2 and 3
The following figure shows the content of bytes 2 and 3 of the diagnostic data.
Figure A-2 Bytes 2 and 3 of Diagnostic Data

Bytes 4 to 6
The following figure shows the content of bytes 4 to 6 of the diagnostic data.
Figure A-3 Bytes 4 to 6 of Diagnostic Data

4/8 F-DI/4 F-DO: For the 4/8 F-DI/4 F-DO module, the diagnostic data are separated according to inputs and outputs. The diagnostic data for the inputs are in bytes 4 to 23 and the diagnostic data for outputs are in bytes 24 to 43. You can determine whether the module has diagnostic data in bytes 24 to 43 by evaluating bit 7 in byte 4.

F-Switch: For the F-Switch electronic module, the diagnostic data are divided according to inputs and outputs. The diagnostic data for the inputs are in bytes 4 to 15, and the diagnostic data for outputs are in bytes 16 to 31.
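The following is an added example, not code from the manual: a length-checked splitter for data record 1 that uses only the record lengths and byte ranges this appendix states, for bytes that have already been read out (for example with SFC 59). The function, class and field names and the sample record are assumptions; the bit meanings are defined in Figures A-1 to A-12, which are not reproduced here, so the code reports only which bits are set in each 4-byte channel block.

```python
"""Split data record 1 of an ET 200pro F-module into the sections Appendix A names."""
from dataclasses import dataclass
from typing import Optional

CHANNEL_BLOCK = 4  # "Four bytes of diagnostic information are provided per channel"


@dataclass(frozen=True)
class Group:
    name: str   # "inputs" or "outputs"
    start: int  # first header byte of the group (e.g. 4 for "bytes 4 to 6")
    end: int    # last byte of the group, inclusive


# Record lengths and byte ranges as stated in Appendix A. Byte 39 as the end
# of the 8/16 F-DI group is derived from that module's 40-byte record length.
LAYOUTS = {
    "8/16 F-DI": (40, (Group("inputs", 4, 39),)),
    "4/8 F-DI/4 F-DO": (44, (Group("inputs", 4, 23), Group("outputs", 24, 43))),
    "F-Switch": (32, (Group("inputs", 4, 15), Group("outputs", 16, 31))),
}


def split_data_record_1(module: str, dr1: bytes, dr0: Optional[bytes] = None) -> dict:
    """Validate the record length and cut the record into its documented parts."""
    if module not in LAYOUTS:
        raise ValueError(f"unknown module type: {module!r}")
    length, groups = LAYOUTS[module]
    if len(dr1) != length:
        # A short or long record would shift every offset; refuse to guess.
        raise ValueError(f"{module}: expected {length} bytes, got {len(dr1)}")
    if dr0 is not None and bytes(dr0) != bytes(dr1[:4]):
        # Data record 1 repeats the 4 bytes of data record 0.
        raise ValueError("data record 0 does not match bytes 0 to 3 of data record 1")

    parsed = {"module": module, "module_state": bytes(dr1[:4]), "groups": {}}
    for g in groups:
        first_block = g.start + 4  # 3 header bytes + 1 single byte, then the blocks
        parsed["groups"][g.name] = {
            "header": bytes(dr1[g.start:g.start + 3]),   # e.g. bytes 4 to 6
            "byte_after_header": dr1[g.start + 3],       # e.g. byte 7, 19 or 27
            "channel_blocks": [
                bytes(dr1[i:i + CHANNEL_BLOCK])
                for i in range(first_block, g.end + 1, CHANNEL_BLOCK)
            ],
        }
    if module == "4/8 F-DI/4 F-DO":
        # Bit 7 of byte 4 tells whether bytes 24 to 43 carry diagnostic data;
        # the raw bit is returned because its polarity is defined in Figure A-3.
        parsed["byte4_bit7"] = (dr1[4] >> 7) & 1
    return parsed


def set_bits(block: bytes) -> list:
    """Return (byte index in block, bit number) for every bit that is 1."""
    return [(i, bit) for i, b in enumerate(block) for bit in range(8) if (b >> bit) & 1]


def blocks_with_set_bits(parsed: dict) -> list:
    """List (group, block index, set bits) for channel blocks that report anything.

    Assumption: blocks are indexed in the order they appear in the record;
    which channel each block belongs to is defined in the figures.
    """
    found = []
    for name, group in parsed["groups"].items():
        for index, block in enumerate(group["channel_blocks"]):
            bits = set_bits(block)
            if bits:
                found.append((name, index, bits))
    return found


# Constructed sample: a 32-byte F-Switch record with arbitrary module-state
# bytes, one bit set in the first input block and two in the second output block.
_sample = bytearray(32)
_sample[0:4] = b"\x0d\x15\x00\x00"
_sample[9] = 0x01    # input block 0 (bytes 8 to 11), byte 1, bit 0
_sample[24] = 0x02   # output block 1 (bytes 24 to 27), byte 0, bit 1
_sample[26] = 0x80   # output block 1, byte 2, bit 7
SAMPLE_DR1 = bytes(_sample)
SAMPLE_DR0 = SAMPLE_DR1[:4]

if __name__ == "__main__":
    record = split_data_record_1("F-Switch", SAMPLE_DR1, SAMPLE_DR0)
    for group, index, bits in blocks_with_set_bits(record):
        print(f"{group} block {index}: bits set at {bits}")
```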
Byte 7 for 8/16 F-DI and 4/8 F-DI/4 F-DO (Inputs)
The figure below shows the content of byte 7 of the diagnostic data for the 8/16 F-DI and the inputs of 4/8 F-DI/4 F-DO.
Figure A-4 Byte 7 of the Diagnostic Data for 8/16 F-DI and Inputs of 4/8 F-DI/4 F-DO

Byte 7 for F-Switch
The figure below shows the content of byte 7 of the diagnostic data for the inputs of the F-Switch electronic module.
Figure A-5 Byte 7 of the Diagnostic Data for the Inputs of the F-Switch

Channel-Specific Diagnostics Starting at Byte 8 to Byte 23
The channel-specific diagnostics start in byte 8 of the diagnostic data. Four bytes of diagnostic information are provided per channel.
Figure A-6 Channel-Specific Diagnostics Starting in Byte 8 of the Diagnostic Data

Bytes 24 to 26 for 4/8 F-DI/4 F-DO
The following figure shows the content of bytes 24 to 26 of the diagnostic data.
Figure A-7 Bytes 24 to 26 of Diagnostic Data

Bytes 16 to 18 for F-Switch
The following figure shows the content of bytes 16 to 18 of the diagnostic data of the F-Switch.
Figure A-8 Bytes 16 to 18 of the Diagnostic Data of the F-Switch

Byte 27 for 4/8 F-DI/4 F-DO (Outputs)
The following figure shows the content of byte 27 of the diagnostic data for the outputs of 4/8 F-DI/4 F-DO.
Figure A-9 Byte 27 of Diagnostic Data for the Outputs of 4/8 F-DI/4 F-DO

Byte 19 for F-Switch (Outputs)
The figure below shows the content of byte 19 of the diagnostic data for the outputs of the F-Switch.
Figure A-10 Byte 19 of the Diagnostic Data for the Outputs of the F-Switch

Channel-Specific Diagnostics Starting at Byte 28 to Byte 43 for 4/8 F-DI/4 F-DO
The channel-specific diagnostics start in byte 28 of the diagnostic data. Four bytes of diagnostic information are provided per channel.
Figure A-11 Channel-Specific Diagnostics Starting in Byte 28 of the Diagnostic Data

Channel-Specific Diagnostics Starting at Byte 20 to Byte 31 for F-Switch
The channel-specific diagnostics start in byte 20 of the diagnostic data. Four bytes of diagnostic information are provided per channel.
Figure A-12 Channel-Specific Diagnostics Starting at Byte 20 of the Diagnostic Data of the F-Switch

Due to the different numbers of channels of the F-modules, data record 1 has differing lengths:
* 8/16 F-DI: 40 bytes
* 4/8 F-DI/4 F-DO: 44 bytes
* F-Switch: 32 bytes

B Dimension Drawings

F-Connection Module With Inserted F-Module
A dimension drawing for an F-connection module with inserted F-electronic module is shown below. The upper figure shows a narrow rack, while the lower figure shows a compact rack.
Figure B-1 Dimension Drawing of F-Connection Module With Inserted F-Electronic Module

CM F-IO 2xM12 Fail-Safe Connection Module with Inserted F-Switch PROFIsafe
A dimension drawing for a CM F-IO 2xM12 fail-safe connection module with inserted F-Switch PROFIsafe is shown below. The upper figure shows a narrow rack, while the lower figure shows a compact rack.
Figure B-2 Electronic Module with CM F-IO 2xM12 Connection Module

C Accessories and Order Numbers

C.1 Accessories and Order Numbers

Accessories and Order Numbers
The order numbers and accessories are found in the appendix of the ET 200pro Distributed I/O Device manual.

| Component | Order Number |
|---|---|
| 8/16 F-DI DC24V PROFIsafe | 6ES7 148-4FA00-0AB0 |
| 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe | 6ES7 148-4FC00-0AB0 |
| F-Switch PROFIsafe | 6ES7 148-4FS00-0AB0 |
| CM 16xM12 for 8/16 F-DI | 6ES7 194-4DD00-0AA0 |
| CM 12xM12 for 4/8 F-DI/4 F-DO | 6ES7 194-4DC00-0AA0 |
| CM F-IO 2xM12 for F-Switch PROFIsafe | 6ES7 194-4DA00-0AA0 |

D Response Times

D.1 Response Times

Introduction
The response times of the ET 200pro fail-safe modules are presented below. The response times of the fail-safe modules enter into the calculation of the F-system response time.
For information on calculating the F-system response time, refer to the Safety Engineering in SIMATIC S7 system description.

Definition of Response Time
The response time is the time between detection of an input signal and a change in the gated output signal.
The actual response time lies somewhere between a minimum and maximum response time. The maximum response time must always be anticipated when configuring a system.
For fail-safe digital inputs: The response time is the time between a signal change at the digital input and safe loading of the -> safety message frame on the backplane bus.
For fail-safe digital outputs: The response time is the time between an incoming safety message frame from the backplane bus and the signal change at the digital output.

Maximum Response Time of the 8/16 F-DI DC24V PROFIsafe, the Inputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe, and the F-Switch PROFIsafe

In the case of problem-free operation:

Table D-1 In the Case of Problem-Free Operation

| Electronic module | Short-circuit test parameter | Assigned input delay 0.5 ms | Assigned input delay 3 ms | Assigned input delay 15 ms |
|---|---|---|---|---|
| 8/16 F-DI | Disabled | 10 ms | 13 ms | 25 ms |
| 8/16 F-DI | Enabled | 10 ms | 18 ms | 56 ms |
| 4/8 F-DI/4 F-DO | Disabled | 11 ms | 13 ms | 25 ms |
| 4/8 F-DI/4 F-DO | Enabled | 11 ms | 20 ms | 57 ms |
| F-Switch PROFIsafe | Disabled | - | 14 ms | - |
| F-Switch PROFIsafe | Enabled | - | 27 ms | - |

Table D-2 8/16 F-DI DC24V PROFIsafe Electronic Module, Inputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe, and F-Switch PROFIsafe: Internal Preprocessing Times

| Electronic module | Evaluation of the sensors | Minimum internal preprocessing time Tmin | Maximum internal preprocessing time Tmax |
|---|---|---|---|
| 8/16 F-DI | 1oo1 and 1oo2 | 3 ms | 12 ms |
| 4/8 F-DI/4 F-DO | 1oo1 and 1oo2 | 4 ms | 7 ms |
| F-Switch PROFIsafe | 1oo2 | 4 ms | 8 ms |

Maximum response time if a fault occurs:
The following table shows the maximum response time of the F-DI module when a fault occurs, depending on the parameter assignment in STEP 7 and the evaluation of the sensors.
Table D-3 Electronic Modules: Maximum Response Time if a Fault Occurs

| Electronic module | Short-circuit test | 1oo1 evaluation, input delay 0.5 ms | 1oo1 evaluation, input delay 3 ms | 1oo1 evaluation, input delay 15 ms | 1oo2 evaluation**, input delay 0.5 ms | 1oo2 evaluation**, input delay 3 ms | 1oo2 evaluation**, input delay 15 ms |
|---|---|---|---|---|---|---|---|
| 8/16 F-DI | Disabled | 15 ms | 15 ms | 15 ms | 10 ms | 10 ms | 10 ms |
| 8/16 F-DI | Enabled | 37 ms | 58 ms | 161 ms | 10 ms | 15 ms | 41 ms |
| 4/8 F-DI/4 F-DO | Disabled | 19 ms | 19 ms | 19 ms | 10 ms | 10 ms | 10 ms |
| 4/8 F-DI/4 F-DO | Enabled | 30 ms | 40 ms | 90 ms | 10 ms | 18 ms | 42 ms |
| F-Switch PROFIsafe | Disabled | - | - | - | - | 10 ms | - |
| F-Switch PROFIsafe | Enabled | - | - | - | - | 23 ms | - |

**: With 1oo2 evaluation, the response times also depend on the assigned behavior at discrepancy:
* Provide value 0: The times in the above table apply.
* Provide last valid value: The times in the above table are extended by the amount of the assigned discrepancy time.

Note
Please note that the Excel file for calculation of the maximum response times provided with the S7 Distributed Safety optional package already supports calculation of the extension of the "Maximum response time if a fault occurs" by the assigned discrepancy time.

Maximum Response Time of the Outputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module
The maximum response time of the outputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe electronic module (in the fault-free case and when a fault occurs) corresponds to the maximum internal preprocessing time Tmax. The internal preprocessing times depend on the assigned readback time (see table below).
Table D-4 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module: Internal Preprocessing Times

| Assigned Readback Time | Limit Frequency | Minimum Internal Preprocessing Time Tmin | Maximum Internal Preprocessing Time Tmax |
|---|---|---|---|
| 1 ms | 62.5 Hz | 4 ms | 13 ms |
| 5 ms | 50.0 Hz | 4 ms | 14 ms |
| 10 ms | 40.0 Hz | 4 ms | 17 ms |
| 50 ms | 15.4 Hz | 4 ms | 30 ms |
| 100 ms | 8.7 Hz | 4 ms | 46 ms |
| 200 ms | 4.6 Hz | 4 ms | 71 ms |
| 400 ms | 2.4 Hz | 4 ms | 135 ms |

Maximum Response Time of Outputs of the F-Switch PROFIsafe Electronic Module
The maximum response time of the outputs of the F-Switch PROFIsafe electronic module (with or without fault) is equivalent to the maximum internal preprocessing time Tmax. The internal preprocessing times depend on the assigned readback time (see table below).

Table D-5 F-Switch PROFIsafe Electronic Module: Internal Preprocessing Time

| Assigned Readback Time | Limit Frequency | Minimum Internal Preprocessing Time Tmin | Maximum Internal Preprocessing Time Tmax |
|---|---|---|---|
| 3 ms | 45.4 Hz | 4 ms | 11 ms |

E Switching of Loads

E.1 Switching of Capacitive Loads

Switching of Capacitive Loads
If the electronic outputs of the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe electronic module are interconnected with loads that draw little current and have capacitance, the "short circuit" error message can result. Reason: capacitances are not sufficiently discharged within the assigned readback time during the self-test.
The following figure shows typical curves indicating the relationship between the load current and switchable load capacitance for the assignable readback times.
Figure E-1 Relationship Between Load Current and Switchable Load Capacity for the 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe Electronic Module

Remedy:
1. Determine the load current and capacitance of the load.
2. Determine the operating point in the figure above.
3. If the operating point is above the curve, you must increase the load current until the new operating point is below the curve by connecting a resistor in parallel.

Switching of Capacitive Loads for the F-Switch PROFIsafe
The figure below shows the typical curves indicating the relationship between load resistance and switchable load capacitance. Behavior is as described above.
Figure E-2 Comparison of Maximum Switchable Capacitive Loads for the F-Switch PROFIsafe

E.2 Switching of Inductive Loads

Switching of Inductive Loads for EM 4/8 F-DI/4 F-DO DC24V/2A PROFIsafe
The diagram below shows the maximum permitted inductive load as a function of the load current and switching frequency.
Figure E-3 Relationship between Load Resistance and Inductive Loads

Glossary

1oo1 Evaluation
-> 1oo1 Evaluation

1oo1 evaluation
Type of -> sensor evaluation - 1oo1 evaluation is a type of sensor evaluation in which a nonredundant -> sensor is connected to the F-module via one channel.

1oo2 Evaluation
-> 1oo2 Evaluation

1oo2 evaluation
Type of -> sensor evaluation - In 1oo2 evaluation, two input channels are occupied, either by one two-channel sensor or two one-channel sensors. The input signals are compared internally for equivalence or nonequivalence.

Acknowledgment Time
During the acknowledgment time, the -> F-I/O acknowledges the sign of life specified by the -> F-CPU.
The acknowledgment time enters into the calculation of the -> monitoring time and -> response time for the F-system as a whole.

Actuator
Actuators can be power relays or contactors for switching on loads, or they can be loads themselves (e.g., directly controlled solenoid valves).

Assigning Parameters
Parameter assignment via PROFIBUS DP: Transfers slave parameters from the DP master to the DP slave.
Parameter assignment of modules/submodules: Sets the behavior of modules/submodules with the STEP 7 configuration software.

Availability
Availability is the probability that a system is functional at a specific point in time. It can be increased by redundancy, for example, by using multiple -> sensors at the same measuring point.

Backplane Bus
The backplane bus is a serial data bus via which the IM 154 interface module communicates with the electronic modules/motor starters and the necessary voltage is supplied. The connection between individual modules is established by means of the terminal modules.

Channel Fault
A channel fault is a channel-specific fault, such as a wire break or a short circuit. In the case of channel-level passivation, the affected channel is either automatically reintegrated or the F-module must be removed and inserted after the fault has been eliminated.

Channel Group
The channels of a module are grouped together into a channel group. Certain parameters in STEP 7 can only be assigned to channel groups and not to individual channels.

Channel Number
Channel numbers are used to uniquely identify the inputs and outputs of a module and to assign channel-specific diagnostic messages.

Channel-Level Passivation
When a -> channel fault occurs, either the relevant channel or the entire module is passivated in this passivation method. In the event of a -> module fault, all channels of the -> fail-safe module are passivated.
Configuring
Configuring involves a systematic arrangement of the individual modules of ET 200pro.

CRC Signature
The validity of the process data in the safety message frame, the accuracy of the assigned address references and the safety-relevant parameters are ensured by means of a CRC signature contained in the safety message frame.

CRC
Cyclic Redundancy Check -> CRC signature

Dark Period
Dark periods occur during switch-off tests and during complete bit pattern tests. During these tests, test-related 0-signals are switched to the output by the fail-safe output module while the output is active. The output is then switched off briefly (dark period). A sufficiently slow -> actuator does not respond and remains switched on.

Discrepancy Analysis
The discrepancy analysis for equivalence/nonequivalence is used with fail-safe inputs to detect faults based on the timing of two signals with the same functionality. Discrepancy analysis is initiated when different levels (when testing for nonequivalence: same voltage levels) are detected at two associated input signals. The signals are checked to determine whether the difference (when checking for nonequivalence: the consistency) has disappeared within a programmable period known as the -> discrepancy time. If not, a discrepancy error exists.
A discrepancy analysis is carried out between the two input signals of the 1oo2 sensor evaluation in the fail-safe input module.

Discrepancy Time
Discrepancy time is a period of time assigned for the -> discrepancy analysis. If the discrepancy time is set too high, the fault detection time and -> fault reaction time are extended unnecessarily. If the discrepancy time is set too low, availability is decreased unnecessarily because a discrepancy error is detected when, in reality, no error exists.
DP Master
A master which operates in compliance with the standard IEC 61784-1 Ed3 CP 3/1.

DP Slave
A slave which operates on PROFIBUS based on the PROFIBUS DP protocol in compliance with the standard IEC 61784-1 Ed3 CP 3/1.

Fail-Safe Modules
ET 200pro modules that can be used for safety-related operation (-> safety mode) in the ET 200pro distributed I/O device. These modules are equipped with integrated -> safety functions.

Fail-Safe Systems
Fail-safe systems (F-systems) are systems that remain in a safe state or immediately switch to another safe state when particular failures occur.

Fault Reaction Time
The maximum fault reaction time for an F-system is the time between the occurrence of a fault and a safe response at all affected fail-safe outputs.
For -> F-systems in general: The maximum fault reaction time is the time between the occurrence of any fault in any -> F-I/O and the safe response at the associated fail-safe output.
For digital inputs: The maximum fault reaction time is the time between the occurrence of the fault and the safe response on the backplane bus.
For digital outputs: The maximum fault reaction time is the time between the occurrence of the fault and the safe response at the digital output.

F-CPU
An F-CPU is a central processing unit with fail-safe capability that is permitted for use in S7 Distributed Safety/S7 F/FH Systems. For S7 F/FH Systems, the F-copy license allows the central processing unit to be used as an F-CPU. In other words, it can execute a -> safety program. For S7 Distributed Safety, an F-copy license is not required. A -> standard user program can also be run in the F-CPU.

F-I/O
F-I/O is a group designation for fail-safe inputs and outputs available in SIMATIC S7 for integration in S7 Distributed Safety and S7 F/FH System F-systems.
They comply with the standards IEC 61784-1 Ed3 CP 3/1 or IEC 61784-2 CP 3/5 and CP 3/6 and IEC 61158 types 5-10 and 6-10 and the PROFIsafe bus profile according to IEC 61784-3-3 Ed2. The following F-I/O modules are available:
* Fail-safe I/O module for ET 200eco
* S7-300 fail-safe signal modules (F-SMs)
* Fail-safe modules for ET 200pro
* Fail-safe modules for ET 200S
* Fail-safe DP standard slaves
* Fail-safe I/O standard devices

F-Monitoring Time
-> PROFIsafe Monitoring Time

F-Systems
-> Fail-Safe Systems

Industrial Ethernet
Industrial Ethernet is a design that permits fail-safe transmission of data in an industrial environment. The openness of PROFINET enables use of standard Ethernet components. However, we recommend configuring PROFINET as Industrial Ethernet.

Module Fault
Module faults can be external faults (e.g., missing load voltage) or internal faults (e.g., processor failure). An internal fault always requires module replacement.

Monitoring Time
-> PROFIsafe Monitoring Time

Motor Starter (MS)
Motor starter is the generic term for direct starters and reversing starters. Motor starters determine motor startup and direction of rotation.

M-Switch
Each fail-safe digital output of ET 200pro F-modules consists of a P-switch (current sourcing) and an M-switch (current sinking). The load is connected between the P- and M-switches. The two switches are always controlled so that voltage is applied to the load.

Nonequivalent Sensor
A nonequivalent -> sensor is a reversing switch that is connected to two inputs of an -> F-I/O (via two channels) in -> fail-safe systems (for -> 1oo2 evaluation of sensor signals).

Passivation
If an -> F-I/O detects a fault, it switches either the affected channel or all channels to a -> safe state; that is, the channels of this F-I/O are passivated. The F-I/O signals the detected fault to the -> F-CPU.
In the case of an F-I/O with inputs, if channels are passivated, the -> F-system provides fail-safe values for the -> safety program instead of the process data pending at the fail-safe inputs.
In the case of an F-I/O with outputs, if passivation occurs, the F-system transfers fail-safe values (0) to the fail-safe outputs instead of the output values provided by the safety program.

PG
Programming device (PG): Personal computer in a special compact industrial design. A PG is fully equipped for programming SIMATIC automation systems.

Process Image
The process image is a component of the system memory of the CPU. At the beginning of the cyclic program, the signal states of the inputs are transferred to the process input image. At the end of the cyclic program, the process output image is transferred as a signal state to the outputs.

Process Safety Time
The process safety time of a process is the time interval during which the process can be left on its own without risk to life and limb of the operating personnel or damage to the environment.
Within the process safety time, any type of F-system process control is tolerated. That is, during this time, the -> F-system can control its process incorrectly or it can even exercise no control at all. The process safety time depends on the process type and must be determined on a case-by-case basis.

PROFIBUS
PROcess FIeld BUS, process and fieldbus standard specified in IEC 61784-1 Ed3 CP 3/1. This standard specifies functional, electrical and mechanical properties for a bit-serial fieldbus system.
PROFIBUS is available with the protocols DP (= distributed periphery) and PA (= process automation).

PROFINET IO
PROFINET IO is the PROFINET communication concept for implementing modular, distributed applications.
PROFINET IO enables the creation of automation solutions using the familiar, proven methods of PROFIBUS.
PROFINET IO is implemented based on both the PROFINET standard for automation devices and the STEP 7 engineering tool.
This means that you have the same application view in STEP 7, regardless of whether you are configuring PROFINET or PROFIBUS devices. Creation of your user program is similar for PROFINET IO and PROFIBUS DP, provided you use the expanded blocks and system status lists for PROFINET IO.

PROFINET IO Controller
A PROFINET IO controller is a device that is addressed via the connected IO device. That is, the IO controller exchanges input and output signals with assigned field devices. The IO controller is often the controller in which the automation program runs.

PROFINET IO Device
A PROFINET IO device is a distributed field device that is assigned to one of the IO controllers (e.g., remote IO, valve terminals, frequency converters, switches).

PROFINET IO Supervisor
A PROFINET IO supervisor is a programming device/PC or HMI device used for commissioning and diagnostics.

PROFINET IO controller with assigned PROFINET IO devices

PROFIsafe Address
Every -> fail-safe module has a PROFIsafe address. You must configure the PROFIsafe address in STEP 7 HW Config and set it on the F-I/O using a switch.

PROFIsafe Monitoring Time
Monitoring time for safety-related communication between the F-CPU and F-I/O

PROFIsafe
Safety-related PROFIBUS DP/PA and PROFINET IO bus profile according to IEC 61784-3-3 Ed2 for communication between the -> safety program and the -> F-I/O in an -> F-system.

Proof-Test Interval
The proof-test interval is the time after which a component must be put into a fault-free state. That is, it is replaced by an unused component or it is proven to be completely fault-free.

P-Switch
-> M-switch

Redundancy, Availability-Enhancing
Multiple instances of components with the goal of maintaining component function even in the event of hardware faults.

Redundancy, Safety-Enhancing
Multiple instances of components with the goal of detecting hardware faults through comparison; for example, -> 1oo2 evaluation in -> fail-safe modules.

Reintegration
Once a fault has been eliminated, the -> F-I/O must be reintegrated (depassivated). Reintegration (switchover from fail-safe values to process data) occurs automatically or, alternatively, after user acknowledgment in the safety program. For an F-I/O module with inputs, the process data pending at the fail-safe inputs are provided again for the -> safety program after reintegration. For an F-I/O module with outputs, the -> F-system again transfers the output values provided in the safety program to the fail-safe outputs.

Response Time
The response time is the time between detection of an input signal and a change in the gated output signal. The actual response time lies somewhere between a minimum and maximum response time. The maximum response time must always be anticipated when configuring a system.
For fail-safe digital inputs: The response time is the time between a signal change at the digital input and safe loading of the -> safety message frame on the backplane bus.
For fail-safe digital outputs: The response time is the time between an incoming safety message frame from the backplane bus and the signal change at the digital output.

Safe State
The basic principle behind the safety concept in F-systems is the existence of a safe state for all process variables. For the digital F-I/O, for example, the safe state is the value "0".

Safety Class
Safety Integrity Level (SIL) according to IEC 61508:2000.
The higher the Safety Integrity Level, the more rigid the measures for prevention of systematic faults and for management of systematic faults and hardware failures. Fail-safe modules can be used in safety mode up to SIL3.

Safety Function
Safety function is a mechanism built into the -> F-CPU and -> F-I/O that allows them to be used in -> S7 Distributed Safety or S7 F/FH Systems fail-safe systems. According to IEC 61508:2000: A safety function is implemented by a safety system to ensure that the system is kept in a safe state or brought into a safe state in the event of a particular fault.

Safety Message Frame
In safety mode, data are transferred between the -> F-CPU and the -> F-I/O in a safety message frame.

Safety Mode
Safety mode is the operating mode of the -> F-I/O that allows -> safety-related communication by means of -> safety message frames. -> ET 200pro fail-safe modules are designed for operation only in safety mode.

Safety Program
Safety-related user program

Safety-Related Communication
Safety-related communication is used to exchange fail-safe data.

Sensor Evaluation
There are two types of sensor evaluation:
-> 1oo1 evaluation - Sensor signal is read in once.
-> 1oo2 evaluation - Sensor signal is read in twice from the same F-module and compared internally.

Sensors
Sensors are used for accurate detection of digital and analog signals as well as routes, positions, velocities, rotational speeds, masses, etc.

Static Parameters
Static parameters can only be set when the CPU is in STOP mode and cannot be changed by means of SFC (system function) while the user program is running.

Terminating Module
The ET 200pro distributed I/O device is terminated with the terminating module. If a terminating module is not inserted, the ET 200pro is not ready for operation.