Professional Documents
Culture Documents
DC0-117-2.04
Note
Please observe Notes and Warnings for your own safety in the Preface.
Document Label:
SICRTUs-HBSAFETY-ENG_V2.04
Issuing date
2015.03.13
This manual describes the safety-oriented use of SICAM RTUs. It explains the measures
necessary in order to plan and implement a safety-relevant process.
Take these measures into consideration for all projects in which safety components of
SICAM RTUs are used.
Scope of Validity
· SICAM AK 3
─ CPCX26 ....................... (Rev. 01 and higher)
─ PCCX26 ....................... (Rev. 01 and higher)
─ SPLC01........................ (Rev. 02 and higher))
─ CP-2019 ....................... 6MF10132CA100AA0 (ab BC2-019--.03)
· SICAM AK
─ CPCX25 ....................... (Rev. 02 and higher)
─ PCCX25 ....................... (Rev. 08 and higher)
─ SPLC01........................ (Rev. 01 and higher)
─ CP-2017 ....................... 6MF10130CA170AA0 (from BC2-017--.14)
· SICAM TM
─ CPCX65 ....................... (Rev. 08 and higher)
─ SPLC01........................ (Rev. 02 and higher)
─ CP-6014 ....................... 6MF11130GA140AA0 (ab GC6-014--.14)
─ USIO66 ........................ (Rev. 05 and higher)
─ DI-6170 ........................ 6MF11130GB700AA0 (from GC6-170--.03)
─ DO-6270....................... 6MF11130GC700AA0 (from GC6-270--.03)
─ AI-6370 ........................ 6MF11130GD700AA0 (from GC6-370--.03)
This manual is intended for persons who are entrusted with the planning, parameterization,
commissioning and maintenance of safety-oriented SICAM RTUs.
Conventions Used
For the work with SICAM RTUs, depending on the case of application you require the
following specified documentation.
Further Support
The Siemens Power Academy offers a comprehensive program of professional training events
in the fields of power generation, distribution and transmission.
This manual does not constitute a complete catalog of all safety measures required for
operating the equipment (module, device) in question because special operating conditions
might require additional measures. However, it does contain notes that must be adhered to for
your own personal safety and to avoid damage to property. These notes are highlighted with a
warning triangle and different keywords indicating different degrees of danger.
Danger
means that death, serious bodily injury or considerable property damage will occur, if the appropriate
precautionary measures are not carried out.
Warning
means that death, serious bodily injury or considerable property damage can occur, if the appropriate
precautionary measures are not carried out.
Caution
means that minor bodily injury or property damage could occur, if the appropriate precautionary measures
are not carried out.
Note
is important information about the product, the handling of the product or the respective part of the
documentation, to which special attention is to be given.
Qualified Personnel
Properly trained personnel are persons with all the following characteristics:
Warning
The use, the setting into operation and the operation of one of the items of operating equipment described
in this manual (module, device, configuration tool) may only be carried out by qualified personnel.
Use as Prescribed
The equipment (device, module) must not be used for any other purposes than those
described in the Catalog and the Technical Description. If it is used together with third-party
devices and components, these must be recommended or approved by Siemens.
Correct and safe operation of the product requires adequate transportation, storage,
installation, and mounting as well as appropriate use and maintenance.
· Before making any connections at all, ground the equipment at the PE terminal.
· Hazardous voltages can be present on all switching components connected to the power
supply.
· Even after the supply voltage has been disconnected, hazardous voltages can still be
present in the equipment (capacitor storage).
· Equipment with current transformer circuits must not be operated while open.
· The limit values indicated in the manual or the operating instructions must not be
exceeded; that also applies to testing and commissioning.
Consider obligatory the safety rules for the accomplishment of works at electrical plants:
CAEx safety is used in the defined development process by properly trained personnel in
order to commission and operate applications only on SICAM RTUs, up to max. SIL 2,
according "IEC 61508 (2010)".
This document is only valid for SICAM safety, even if the term "E/E/PE system” is used.
A defined development process is required for the development and the commissioning of an
application.
The development process must deal with the requirements of the appropriate underlying
standard, in particular the required validation and verification measures must be dealt with.
The workflows presented in this manual (see section Workflow for working with SICAM
Safety.) illustrate the usage of CAEx safety. They are no substitutes for a development
process and they do not claim to be exhaustive regarding the requirements of the underlying
standards.
3.1 Concept.......................................................................................................... 34
3.2 Safety Functions............................................................................................. 38
3.2.1 Periodical Safety Functions ....................................................................... 38
3.2.2 Integrated Error Monitoring in the Safety Firmware (SPLC01) .................... 38
3.2.3 Integrated Error Monitoring in the Safety I/O Module .................................. 38
3.2.4 Secure Communication between SICAM Safety PLC’s .............................. 38
3.3 Segregation of Safe and Standard Firmware................................................... 39
3.4 Recognizability of Safety Product Components ............................................... 40
3.5 System Limits ................................................................................................. 41
3.6 Safety Firmware AP-0771/SPLC01 ................................................................. 42
3.7 Safety Application sPLC (User Program) ........................................................ 43
3.8 Standard Firmware PCCX25, PCCX26 and CPCX65 ...................................... 44
3.9 Safety Communication between BSE and Safety I/O Modules ........................ 45
3.10 Safety Communication between two Safety PLC’s .......................................... 46
3.10.1 Configuration of the Communication Channel ............................................ 48
3.10.1.1 Singular Communication Channel ......................................................... 48
3.10.1.2 Redundant Communication Channel .................................................... 49
3.10.2 Parameter Setting in the User Program (CAEx plus) .................................. 51
3.10.2.1 Configuration Parameters ..................................................................... 51
3.10.2.1.1 Assignment of the Remote Station ................................................... 51
3.10.2.1.2 Definition of the Timing Behavior ..................................................... 52
3.10.2.1.3 Change of Parameter Values during Operation ................................ 53
3.10.2.2 Simulation Mode................................................................................... 53
3.10.2.3 Assignment of the Process Data ........................................................... 53
3.10.2.4 Operating State of the Remote Station.................................................. 54
3.10.2.5 Communication Status.......................................................................... 54
3.10.3 Transmission of the Process Data ............................................................. 55
3.10.3.1 Periodical with Settable Grid ................................................................. 55
3.10.3.2 Spontaneous Controlled by Application................................................. 55
3.10.3.3 Timing Behavior ................................................................................... 56
3.10.4 Transmission Protection ............................................................................ 57
3.10.4.1 Protection by PROFIsafe ...................................................................... 57
3.10.4.2 Data Topicality with Watchdog Function ............................................... 57
3.10.4.3 Retry Handling with Communication Faults ........................................... 57
3.10.4.4 Safe State with Communication Failure ................................................ 57
3.10.5 Diagnostic Function for Error Detection...................................................... 58
3.10.5.1 Behavior with System Errors................................................................. 58
3.10.5.2 Behavior with Communication Errors .................................................... 59
3.10.6 Requirements on the User Program........................................................... 60
3.11 Basic System Element CP-2016 for SICAM AK 3............................................ 61
3.12 Basic System Element CP-2014 for SICAM AK .............................................. 61
3.13 Basic System Element CP-2019/PCCX26 SICAM AK 3 .................................. 62
3.14 Basic System Element CP-2017/PCCX25 SICAM AK ..................................... 63
3.15 Basic System Element CP-6014/CPCX65 SICAM TM..................................... 64
3.16 PE-641x/USIO66 Peripheral Coupling Module ................................................ 65
3.17 Safety I/O Modules ......................................................................................... 66
3.17.1 Introduction ............................................................................................... 66
3.17.2 Basic Concept ........................................................................................... 66
3.17.3 Addressing the Safety I/O Modules ............................................................ 66
3.17.4 Monitoring the Supply Voltage ................................................................... 67
3.17.5 DI-6170 ..................................................................................................... 67
3.17.6 DO-6270 ................................................................................................... 67
3.17.7 AI-6370 ..................................................................................................... 68
Contents
1.1 Introduction
Operators of machines are obliged by the legislator to ensure for the safety of people and the
environment. For this purpose all rules, regulations and ordinances valid at the operating
location are to be applied. If a potential hazard exists, a hazard and risk analysis must be
carried out. In this the risks present are described and existing as well as additional measures
defined for their reduction. The residual risk remaining must always be below the tolerable
level.
One defines that state that is free of unjustifiable risks for humans or regarded as free of
hazards as the overall safety of a machine.
The Functional Safety describes that part of the overall safety of a system that is dependent
on the correct function of the safety-related systems and external equipment for the reduction
of risks. In case of need these parts must be able to bring the entire system to the safe state
at all times.
The parts of machine controllers that perform safety tasks are known in the international
standards as “Safety-related parts of controllers”. These parts can consist of hardware and/or
software and be separate or integral components of the machined controller.
Safety-related controller parts in each case include the entire chain of effects of a safety
function, consisting of the Input level (sensor), the Logics (safe signal processing) and the
Output level (actuator).
The general objective is to design these controller parts so that the safety of the controller
function as well as the behavior of the controller in the case of error corresponds with that
degree of risk reduction determined in the risk assessment.
Therefore the higher the risk reduction to be provided by the safety-related controller part is,
the higher the required safety class or the safety-related performance level of the controller
part.
Note
It is pointed out, that besides those points listed in this Safety Manual, requirements going beyond this are
also to be fulfilled. These are the legislative, national requirements or requirements from the Machinery
Directive (e.g. Attachment I).
One of the measures for the realization of the free movement of goods in Europe is the
adaptation of the technical legal regulations to a Europe-wide uniformly formulated standard.
For this purpose the Council of the EU issues directives according to Article 95 of the EC
Treaty concerning the harmonization of the technical product requirements (e.g. Machinery
Directive 2006/42/EC).
As regards content these directives must be implemented 1:1 in national law by the member
states. As a sign of the conformity with a manufacturer directive the manufacturer attaches the
CE identification symbol to every product.
The Machinery Directive 2006/42/EC regulates the free movement of goods for machines,
machine installations, and machine components in the European Economic Area (EEA). It
specifies binding uniform requirements on the quality and on the method for the assessment
of the conformity.
The aim is the free movement of goods for safe machines in the European Economic Area.
What is a machine?
In every case the CE identification symbol with corresponding safety evidence is the visible
proof for the fulfillment of the Machinery Directive. According to the EU Framework Directive
for Occupational Safety it is specified as binding.
· EN ISO 12100-1 Safety of Machinery (basic concepts, general principles for design)
· EN ISO 14121-1 Safety of Machinery
Risk assessment – Part 1: Principles
From these result functional and safety-relevant requirements for safety-related controllers.
This international standard deals with those aspects that are to be considered, when
electrical/electronic/programmable electronic systems (E/E/PES) are used for the execution of
safety functions.
The IEC 61508 standard defines four different levels of safety. These describe measures for
the management of risks with the components used, that are rated by the so-called Safety
Integrity Level. The higher this is, the greater is the risk reduction. With that the SIL is the
measure for the probability, that the safety-related system can fulfill the required safety
functions for a particular period.
The EN 62061 standard defines extensive requirements. It provides recommendations for the
design, integration and validation of safety-related electrical, electronic as well as
programmable electronic control systems (SRECS) for machines.
It considers for the first time the entire safety chain from sensor to actuator. In order to
achieve a Safety Integrity Level such as perhaps SIL 3, it is no longer sufficient that the
individual components are certified accordingly. On the contrary, the entire safety function
must satisfy the defined requirements.
This standard classifies the systems according to SIL (Safety Integrity Level)
This part of the EN ISO 13849 provides safety requirements and a guideline for the principles
of design and integration of safety-related parts of control systems (SRP/CS), including the
development of software. For these parts of the SRP/CS characteristics are defined, including
the Performance Level, that are required for the execution of the corresponding safety
functions. It is to be applied to SRP/CS on all types of machines, regardless of the technology
and energy used (electrical, hydraulic, pneumatic, mechanical etc.).
This European standard defines the validation procedure, including the two methods Analysis
and Inspection, for the safety functions and categories of safety-related parts of control
systems.
1.9 EN 5012x
This group of standards classifies the systems according to Safety Integrity Level - SIL and
essentially refers to the standard EN 61508. It consists of 3 essential standards:
Note
For the use of SICAM RTUs with the Safety function it is necessary to guarantee the compliance with the
specified environmental conditions, according to the application classes defined in the standards
EN 50121, EN 50124 and EN 50125. This is accomplished by means of surrounding structure (e.g. wall-
cabinet, 19” cabinet).
For monitoring the operating temperature, an external temperature monitoring system, e.g. AI-6310 analog
input 2x2 Pt100/Ni100, must be used during the operation of SICAM RTUs with the Safety function.
The actual operating temperature must be evaluated by the application. In the event of non-compliance
with the specified temperature range, the application must derive safety-related measures.
Contents
2.1 Introduction
The SICAM RTUs automation concept provides suitable components in order to fulfill the
safety classes determined in a risk assessment. This takes place with a concept, with which
the process information from the sensors is processed 2-channel via the control system
through to the actuators.
· All Safety I/O modules are constructed two-channel internally. The two integrated
processors process the firmware in parallel, monitor each other, detect errors and with the
occurrence of an error, switch immediately to a safe state and remain in that state.
· There is a separation between standard and safety-oriented automation tasks.
· The communication between a safety-oriented control system as well as assigned safety-
oriented periphery takes place via the PROFIsafe protocol.
· The communication between two safety-oriented applications takes place via the
PROFIsafe protocol.
· The creation, verification and validation of the safety control systems is carried out with the
CAEx safety-Toolset of the SICAM TOOLBOX II.
· The editing of the safety parameters is carried out with the OPM II. The verification and
validation of the safety parameters is carried out with the CAEx safety Toolset of the
SICAM TOOLBOX II.
· The generation of the user program takes place with the CAEx plus Toolset.
This concept was realized in the products SICAM AK and SICAM TM with the function SICAM
Safety.
With suitable parameterization of the safety control system as well as by means of a particular
arrangement and wiring of suitable sensors and actuators, the following safety classes can be
achieved:
2.2.2 Modules
The following picture shows an overview of those components that are required for the
construction and operation of a failsafe SICAM RTUs automation system.
SICAM TOOLBOX II
with toolset „CAEx safety“
SICAM AK
with basic system
AU2
element
TOOLBOX II
Rev ision:
Li cense Pa k:
CP-2017/PCCX25
Version 5 | S ie mens AG
and safety-firmware
AP-0771/SPLC01
Safety communication
SICAM AK 3
with basic system
AU1
element
CP-2019/PCCX26
and safety-firmware
AP-0771/SPLC01
Version 5 | Siemens AG
CP-6014
T M 1703 ACP
SICAM
Secure communication with PROFIsafe layer
via Ax 1703 peripheral bus and TM bus.
The objective of the safety technology is to keep the endangering of people and the
environment through technical equipment as little as possible, without restricting the industrial
production and the use of machines more than is absolutely necessary in this process.
SICAM RTUs systems with safety components can be used everywhere, where the risk
assessment has resulted in that the use is possible and the safe state is brought about by
“switching the voltage off”.
A typical case of application is the use in hydroelectric power stations for the protection of
turbines and generators from impermissible mechanical stressing.
Other scopes of application are automation tasks in the fields of oil, gas and railways.
Before the implementation of a SICAM RTUs Safety System a safety assessment according
to the Machinery Directive is necessary. A SICAM RTUs Safety System as single component
is a safety-related system in the sense of EN/IEC 61508. It guarantees functional safety
against errors in the hardware and firmware. However it does not guarantee the safety of the
entire process as well as the planning of the project.
The user is responsible for the safety of the project. Proceed with particular care when
programming and observe the regulations and standards valid for the place of use.
A faulty control system can nullify the safety of the entire process!
Define the safety requirements for the entirety of the machine, for all service life phases and
the entire safety life cycle and how they are to be realized technically and organizationally.
Technical Measures
The technical measures include e.g. the use of the SICAM RTUs safety components and the
planning and creation of the project with the CAEx safety Toolset of the SICAM TOOLBOX II.
Organizational Measures
One regards organizational measures as e.g. the determination of the personnel responsible
or the documentation of all work steps for the setting into operation. That also includes
determinations regarding responsibilities and access rights. The safety requirements are
governed by the function of the machine and the hazards resulting therefrom. Malfunctions
and maloperation and the possible consequences must also be included in a safety
assessment.
SICAM RTUs are suitable both for standard as well as safety applications.
There are:
· Standard and Safety Modules
· Standard and Safety Modules in the SICAM TOOLBOX II
· Standard and Safety Communication Channels
· Standard and Safety PLC
The safety-related tasks must only be programmed with safety modules. For the programming
of safety modules the user can also simply access standard data types. To do this the safety
data types must only be connected in series to an upstream "converter module".
Note
The standard data types and standard modules must not influence the safe shutdown.
The random types of error include e.g. the inversion of a bit in the memory or during the data
transmission.
The systematic types of error include errors in the firmware or hardware. This concerns either
logical errors due to faulty information (e.g. false allocation of a data type) or also errors that
first have an effect due to certain boundary conditions in the program sequence (memory
overflows, boundary conditions not taken into account etc.).
SICAM RTUs have various functions for the detection of errors (diagnostic functions),
whereby a detected error always leads to a defined error reaction.
Note
The error reaction of the system can be determined through parameter setting.
The 2-channel design of the safety modules and the various other measures for error
detection and error reaction provide a high level of safety. It must be ensured during planning,
configuration and user programming, that this high level of safety is not nullified through errors
and negligence.
Note
Programming errors in the user program cannot be detected.
The aim of the data saving is the securing of data against loss.
All SICAM RTUs parameters, applications and firmware are managed and stored centrally in
the SICAM TOOLBOX II. The tool "Data Distribution Center" provides the possibility to secure
these data by means of a backup.
The following engineering data can be exported / imported in the Data Distribution Center.
· Logbook Data
· Information for Verification and Validation
One regards data security as the security of data with respect to availability, integrity and
confidentiality.
In SICAM RTUs various mechanisms are used for data security. A distinction is made
between technical measures and organizational measures.
Technical Measures
The technical measures contribute towards data security as regards errors and faults. They
intervene automatically, as soon as the data are exposed to a corresponding influence. The
technical measures include e.g.:
Warning
If an SD card is exchanged, a repeat commissioning must be carried out.
Organizational Measures
· Security
It is advisable to develop a comprehensive strategy with regard to security measures.
Falling under security are all criteria that concern the integrity, availability, confidentiality,
reliability, operational safety and authenticity of data.
Contents
3.1 Concept.......................................................................................................... 34
3.2 Safety Functions............................................................................................. 38
3.3 Segregation of Safe and Standard Firmware................................................... 39
3.4 Recognizability of Safety Product Components ............................................... 40
3.5 System Limits ................................................................................................. 41
3.6 Safety Firmware AP-0771/SPLC01 ................................................................. 42
3.7 Safety Application sPLC (User Program) ........................................................ 43
3.8 Standard Firmware PCCX25 and CPCX65 ..................................................... 44
3.9 Safety Communication between BSE and Safety I/O Modules ........................ 45
3.10 Safety Communication between two Safety PLC’s .......................................... 46
3.11 Basic System Element CP-2014 for SICAM AK .............................................. 61
3.12 Basic System Element CP-2017/PCCX25 SICAM AK ..................................... 62
3.13 Basic System Element CP-6014/CPCX65 SICAM TM..................................... 64
3.14 PE-641x/USIO66 Peripheral Coupling Module ................................................ 65
3.15 Safety I/O Modules ......................................................................................... 66
3.1 Concept
As a basis of the safety concept a safe state has been defined for all process variables, which
is assumed in the case of error. This “safe state” is the state of the entire system without
current and voltage.
The SICAM RTUs system is grouped into the SICAM TOOLBOX II working offline and the
online system SICAM AK, consisting of basic system elements and I/O modules, which
communicate with each other over a bus.
The SICAM RTUs Safety Concept, from the acquisition of the sensors and the processing
through to output at the actuator is achieved in the following way:
Processing and
*)
Communication communication element Communication
Protocol element(s) Protocol element(s)
Safety firmware
AP-0771/SPLC01
Node bus PLC standard
open-/closed-loop sPLC safety
control function open-/closed-loop
control function
Safety Layer
**)
Master control element
Safety Layer
TM bus
periodical safety data
Safety Layer
spontaneous data
Ax Peripheral bus
Firmware
USIO66 Peripheral
interfacing
Process
further
peripheral elements
*) **)
CP-2019/PCCX26 (SICAM AK 3) CP-2016/CPCX26 (SICAM AK 3)
CP-2017/PCCX25 (SICAM AK) CP-2014/CPCX25 (SICAM AK)
Safety firmware
AP-0771/SPLC01
PLC standard
open-/closed-loop sPLC safety
control function open-/closed-loop
control function
Safety Layer
Safety Layer
TM bus
periodical safety data Safety Layer
spontaneous data
Ax Peripheral bus
Firmware
USIO66 Peripheral
interfacing
Process
further
peripheral elements
**)
Master control element Processing and
communication element
*) AP-0771/SPLC01
PLC standard
SL
Safety Layer
SL
Processing and
*)
Protocol element communication element Protocol element(s)
Safety Layer
SL
AP-0771/SPLC01
AU1
PLC standard
Node bus
sPLC safety sCM
Safety Layer
**)
Master control element
Safety Layer
SICAM TM I/O Modules
TM bus
periodical safety data Safety Layer
Ax Peripheral bus
spontaneous data
Peripheral
USIO66 interfacing
further Process
peripheral elements
*) **)
CP-2019/PCCX26 (SICAM AK 3) CP-2016/CPCX26 (SICAM AK 3)
CP-2017/PCCX25 (SICAM AK) CP-2014/CPCX25 (SICAM AK)
Safety functions have the task of holding the system in the safe state or bringing it to the safe
state. These functions for the error detection and error reaction are contained in the safety
firmware and the safety I/O modules. They monitor the periodical processing of the process
information and the I/O modules for internal errors or external circuitry faults.
· Periodical acquisition of process information on the safety I/O modules and forwarding to
the safety application
· Periodical processing of process information by the safety application with settable cycle
time
· Forwarding of the process information calculated by the safety application to the safety
output modules and output to the peripherals.
· Failure of the safety open- and closed loop control function (sPLC)
· Access protection to safety-critical user programs and parameters
· Failure of the data flow
· Error detection by means of self-tests
· Error/failure in the I/O modules by the safety layer
· Logical program sequence monitoring
· Errors in the communication with the I/O modules by the safety layer
· Secure point-to-point connections between Safety PLC’s on various BSE’s for the
transmission of binary information and measured values
· Secure transmission of the operating status
· Secure communication for redundant Safety PLC’s
This principle ensures, that modifications or exchange of the “standard” firmware has no effect
on the safe firmware. As a result no repeat commissioning of the safety function is necessary
when the standard firmware is changed.
All safety components of a SICAM RTUs system are unambiguously identifiable based on the
following features:
· Safety Hardware
─ yellow housing
─ yellow labeling plates on the safety I/O modules
─ yellow labeling stripes on CPU module
(processing and communication element CP-2017/PCCX25)
─ yellow safety-label on SICAM TM master control module
(CP-6014/CPCX65)
─ TÜV-Süd inspection symbol
─ Company address on the housing
· Safety Documentation
─ Unambiguous recognizability of safety-relevant components in graphics through yellow
marking.
· Safety Firmware
─ Safety modules in SICAM TOOLBOX II are yellow
─ Safety application (system element AP-0771/SPLC01 or node "Safety Applications" in
library overview) in SICAM TOOLBOX II is yellow.
─ Safety CAEx modules in SICAM TOOLBOX II are yellow
─ Safety parameters are indicated in the tool “Safety V&V”
Value / Qty
Maximum number of peripheral coupling elements in SICAM AK with function SICAM 16
Safety
Maximum number of peripheral coupling elements in SICAM TM with function SICAM 16
Safety
Maximum number of safety I/O modules per peripheral coupling element 8 *)
Maximum number of AI-6370 per peripheral coupling element 4
Maximum number of DO-6270 per peripheral coupling element 4
Maximum number of safety I/O modules 128
*) Only for modules with single module width.
When using modules with double module width (e.g. DO-6270) this number is reduced.
The peripheral element may be maximum 8 single module widths long.
The safety open-/closed loop control function (sPLC) for automation functions is created with
CAEx plus in function diagram technology.
The maximum achievable system response time of a safety application (from the change of
the input signal until output of the tripping signal) is 100 ms.
The processing of the safe user program takes place diversely over 2 channels.
Note
Standard periodical information are not available on an sPLC.
The sPLC runs parallel to the standard open-/closed loop control function (PLC).
· Communication Functions
─ Organization of the data flow to the communication interfaces
─ Data storage in target-selective process images
─ Priority control
─ Spontaneous serial communication via up to 4 independent serial interfaces or
spontaneous LAN/WAN communication over Ethernet to optional higher- or lower level
automation units
· Node Functions (only PCCX26, PCCX25)
─ Coupling to the node bus
─ Organization of the data flow from and to the peripheral elements and communication
interfaces that can be used on the basic system element
─ Freely parameter-settable distribution of the messages
· Operating System - MQX
· Supplementary Module Functions
─ Coupling to the supplementary module bus
─ Freely parameter-settable organization of the data flow from and to the messages on
the supplementary modules
· Ax Bus Driver
Periodical and spontaneous communication with SICAM AK 3, SICAM AK, SICAM TM and
AM 1703 – peripheral elements with IEC functionality over the serial Ax 1703 peripheral
bus (up to 16 peripheral elements)
· Standard Open-/Closed Loop Control Function (PLC)
for automation functions in function diagram technology with CAEx plus.
· Spontaneous Data Forwarding from and to Peripheral Elements
· Synchronizing Function for Command Procedure (DI-DO coupling)
(for pure peripheral modules this control takes place automatically on this firmware)
· Interface for Safety Firmware
For the safety-oriented communication between the basic system element and the safety I/O
modules a Safety Layer is implemented over the standard communication channel. The
standard communication channel thereby serves as transport medium for the safety-oriented
messages.
The transmission of the process images and spontaneous information between the basic
system element and the I/O modules takes place over the Ax 1703 peripheral bus and the
TM-Bus. The Ax 1703 peripheral bus provides the communication between the basis system
element and the peripheral coupling modules, while the TM-Bus is responsible for the
communication between the peripheral coupling module and the I/O modules.
The safe communication corresponds with the PROFIsafe – Profile for Safety Technology IEC
61784-3-3 on PROFIBUS DP and PROFINET I/O.
Process data are exchanged periodically between two Safety PLC’s (safe user programs)
over a secure communication channel. This is realized as a point-to-point connection
according to the Master-Slave principle. The terminals of the point-to-point connection form
“Safety Communication Modules” in the Safety user program, which are configured once as
Master and once as Slave. The Safety PLC´s can be configured in different AU’s as well as in
the same automation unit. The transmission path between the two terminals is defined as
black channel.
**)
Master control element Processing and
communication element
*) AP-0771/SPLC01
PLC standard
SL
Safety Layer
SL
Processing and
*)
Protocol element communication element Protocol element(s)
Safety Layer
AP-0771/SPLC01 SL
AU1
PLC standard
Node bus
sPLC safety sCM
Safety Layer
**)
Master control element
Safety Layer
SICAM TM I/O Modules
TM bus
periodical safety data Safety Layer
Ax Peripheral bus
spontaneous data
Peripheral
USIO66 interfacing
further Process
peripheral elements
*) **)
CP-2019/PCCX26 (SICAM AK 3) CP-2016/CPCX26 (SICAM AK 3)
CP-2017/PCCX25 (SICAM AK) CP-2014/CPCX25 (SICAM AK)
**)
Master control element Processing and
*)
communication element AP-0771/SPLC01
Node bus
Safety Layer
Protocol element
SL
AP-0771/SPLC01
AU1
PLC standard
sPLC safety sCM
Safety Layer
CP-6014/CPCX65
Safety Layer
SICAM TM I/O Modules
TM bus
Safety Layer
Peripheral
USIO66 interfacing
spontaneous data
*) **)
CP-2019/PCCX26 (SICAM AK 3) CP-2016/CPCX26 (SICAM AK 3)
CP-2017/PCCX25 (SICAM AK) CP-2014/CPCX25 (SICAM AK)
· Configuration:
─ Singular communication channel
─ Redundant communication channel
· Parameterization of the communication module in the user program (CAEx plus):
─ Assignment of the remote station
─ Definition of the timing behavior
─ Assignment of the process data
· Transmission of the process data:
─ Periodical with settable grid
─ Spontaneous controlled by application
─ Multiple communication channels to one remote station
· Transmission protection:
─ Data protection by PROFIsafe
─ Data topicality with Watchdog function
─ Retry handling for communication faults
If the communication connection fails, then the output “State” of those singular communication
modules which represent the communication channel is set to FALSE on expiry of a timeout
(WatchdogTime).
*)
Processing and communication element
SICAM AK 3 or SICAM AK (AU1)
AP-0771/SPLC01
Application program
Communication
module - Master
Sa
fe r
ty aye
L
ty aye
fe r
Sa
SICAM AK 3 or SICAM AK (AU2)
Communication
module - Slave
Application program
AP-0771/SPLC01
*)
Processing and communication element
*)
CP-2019/PCCX26 (SICAM AK 3)
CP-2017/PCCX25 (SICAM AK)
The following diagram shows a possible configuration for a redundant secure communication.
This configuration shows a singular “head end” with 2 redundant substations. However, the
head station can also be operated redundant.
*)
Processing and communcation element
SICAM AK 3 or SICAM AK (AU1)
AP-0771/SPLC01
Communication
module - Master
Application program
Saf
r
Sa
ye
r
aye fet
ety
La
yL y La
fet
ty
Lay
ye
Sa r
fe
Sa
r e
SICAM AK 3 or SICAM AK (AU2)
Communication Communication
module - Slave module - Slave
AP-0771/SPLC01 AP-0771/SPLC01
*) *)
Processing and communcation element Processing and communcation element
passive active
Redundancy switchover
*)
CP-2019/PCCX26 (SICAM AK 3)
CP-2017/PCCX25 (SICAM AK)
· Priority 1:
If one communication path fails, then the process image (PAB) of the other controller is
forwarded to the user program (Top Priority). The failure is detected by the PROFIsafe
Stack.
· Priority 2:
For the Voting the application must assign a priority by means of the parameter
“UserPriority”. E.g.: failure of a Safety I/O-module on one of the redundant Safety PLCs:
the UserPriority flag must be set to FALSE by the user program.
For the fault, that both redundant applications are in state „ACTIVE“ or „PASSIVE“, the
voting is controlled with the parameter „UserPriority“. In all other faults the latest valid
voting-state remains.
Note
The parameter „UserPriority“ must be set per default from the application, otherwise
no distinction is possible between the redundant Aus.
· Priority 3:
If the active communication path fails, then the process image of the passive controller is
forwarded to the application.
However, this concerns only a preferential voting, since the current process data are
always transmitted in both channels. The ACTIVE/PASSIVE identifier of the redundancy
switchover function is transmitted in the “System data” of the safe process data.
· Priority 4:
If both communication paths are invalid or have failed, then the process values and the
output “State” are brought to the safe state.
The following diagram shows the layout of the safety communication modules (singular /
redundant) with the possible parameters (module inputs/outputs).
SI_COM_RED_16BOOL_8REAL
Master
State
DestRegNr
DestCompNr RecOS_Stop
SI_COM_16BOOL_8REAL DestBSENr RecOS_Test
RecOS_Run
DestZSENr
Master State
ID
DestRegNr RecOS_Stop
DestRedRegNr
DestCompNr RecOS_Test
RecOS_Run DestRedCompNr
DestBSENr
DestRedBSENr
DestZSENr
ID DestRedZSENr
SendSpontan RecSpontan
SendSpontan RecSpontan
SendCycleTime
SendCycleTime
WatchdogTime
WatchdogTime
RecDataDis
RecDataDis
UserPriority
SendBOOL_00 RecBOOL_00 SendBOOL_00 RecBOOL_00
SendBOOL_01 RecBOOL_01 SendBOOL_01 RecBOOL_01
SendBOOL_02 RecBOOL_02 SendBOOL_02 RecBOOL_02
SendBOOL_03 RecBOOL_03 SendBOOL_03 RecBOOL_03
SendBOOL_04 RecBOOL_04 SendBOOL_04 RecBOOL_04
SendBOOL_05 RecBOOL_05 SendBOOL_05 RecBOOL_05
SendBOOL_06 RecBOOL_06 SendBOOL_06 RecBOOL_06
SendBOOL_07 RecBOOL_07 SendBOOL_07 RecBOOL_07
SendBOOL_08 RecBOOL_08 SendBOOL_08 RecBOOL_08
SendBOOL_09 RecBOOL_09 SendBOOL_09 RecBOOL_09
SendBOOL_10 RecBOOL_10 RecBOOL_10
SendBOOL_10
SendBOOL_11 RecBOOL_11 SendBOOL_11 RecBOOL_11
SendBOOL_12 RecBOOL_12 SendBOOL_12 RecBOOL_12
SendBOOL_13 RecBOOL_13 SendBOOL_13 RecBOOL_13
SendBOOL_14 RecBOOL_14 SendBOOL_14 RecBOOL_14
SendBOOL_15 RecBOOL_15 SendBOOL_15 RecBOOL_15
Master
In general each communication channel is defined by one Master module and one Slave
module.
Dest. Address
The unambiguous destination address of the respective communication partner is formed from
In addition a flag for the validity of the process data must be provided by the application for
voting with redundant communication:
In the case of a redundant communication channel, the process data can be marked as high
priority. This information is an input information for the Voter.
UserPriority[SAFEBOOL]: TRUE = Process data are high priority
FALSE = Process data are low priority
Watchdog Time
The parameter WatchdogTime defines the upper limit for the time-related monitoring
(Timeout) of the cyclic communication.
SendCycleTime
The parameter SendCycleTime defines the periodical grid for sending the system data
container with the process data.
This is only evaluated by the Master, but must be less than the Watchdog time.
Watchdog Time
The Watchdog time is a configuration parameter of the PROFIsafe channel and cannot be
changed during operation. If it is changed despite this, then an internal error is set, that can
only be deleted again with a reset.
SendCycleTime
This configuration parameter is applied during operation and is automatically active after the
next message is sent.
The parameter RecDataDis is used to deactivate the receive data for simulation purposes
(Online-Test).
This input suppresses the output of the receive data. The output can be simulated via an
Online Test field in the CAEx plus Online Test, which is connected to the respective output of
the communication module.
Caution
The simulation mode “RecDataDis” is only evaluated in the operating state “STOP” and “TEST”.
In the RUN state the outputs are always forwarded.
The process data to be transmitted are provided over inputs of the communication module
and transmitted to the remote station by the transmit functions. The process data received by
the remote station are forwarded to the user program over outputs of the communication
module.
· RecOS_Stop,
· RecOS_Test,
· RecOS_Run.
The communication module / Slave does not evaluate the parameter “SendCycleTime”.
The transmission of the process data in the periodical grid (Master / Slave message
exchange) as well as the transmission of spontaneous forwarding of process data are shown
(both for Master as well as Slave).
In addition it shows the Retry behavior with a fault and failure of the communication
connection and the behavior of the status outputs (communication ok/nok) of the
communication module.
CycleTime
20ms
MASTER
Zyklus
Anwenderprogramm
SendCycleTime
100ms
Daten senden
(Systemtelegramm)
Daten empfangen
(Systemtelegramm)
WatchdogTime
Watchdog Watchdog Watchdog Watchdog Watchdog 240ms
retrigger retrigger retrigger retrigger retrigger
Kommunikationsmodul
Status Ausgang
SLAVE
Zyklus
Anwenderprogramm
Daten empfangen
(Systemtelegramm)
Daten senden
(Systemtelegramm)
Kommunikationsmodul
Status Ausgang
The secure communication channel is realized with a system data container which is
protected by the PROFIsafe Stack. Due to the PROFIsafe protection at the source and
destination (Safety SPLC function) the communication connection is defined as “black
channel”, through which the communication path is not safety-relevant. The implemented
protection algorithms of the PROFIsafe Stack are certified according to SIL 3.
For this reason all existing communication protocols (e.g. Fast Ethernet IEEE 802.3 10/100,
serial protocols) can be used. However, it is a question of the protocol bandwidth in which
periodical grid the safe communication channel can be operated.
Caution
The parameter WatchdogTime must always be greater than the transmit cycle time “SendCycleTime”,
otherwise a diagnosis is set. A factor of at least 2 is recommended between WatchdogTime and
SendCycleTime.
Caution
The “WatchdogTime” determines the system response time of the safe communication connection.
In addition the Safety Communication function is subjected to the standard error detection
mechanisms of the PROFIsafe Stack.
The secure communication channel transmits process data between 2 Safety PLC´s. The safe
state of a communication channel is defined by the output “State = FALSE” and “Process data
= 0”. Apart from that, no action is performed by the system, e.g.: deactivation of the local safe
outputs. The user program is responsible for this.
For this reason the following precautions are to be taken in the user program:
SI_COM_16BOOL_8REAL SI_COM_16BOOL_8REAL
Detailed information about this system element can be found in the following documents:
Detailed information about this system element can be found in the following documents:
Both firmwares are independent system elements in the SICAM TOOLBOX II and can be
loaded into the automation unit independently of each other.
Note
If the basic system element CP-2019/PCCX26 is configured with the safety firmware AP-0771/SPLC01,
the associated labeling strips (TC2-066) in the front panel of the housing of the automation unit must be
exchanged for the yellow safety labeling strips.
Detailed information about this system element can be found in the following documents:
Both firmwares are independent system elements in the SICAM TOOLBOX II and can be
loaded into the automation unit independently of each other.
Note
If the basic system element CP-2017/PCCX25 is configured with the safety firmware AP-0771/SPLC01,
the associated labeling strips (TC2-066) in the front panel of the housing of the automation unit must be
exchanged for the yellow safety labeling strips.
Detailed information about this system element can be found in the following documents:
Both firmwares are independent system elements in the SICAM TOOLBOX II and can be
loaded into the automation unit independently of each other.
Detailed information about this system element can be found in the following documents:
Note
If the basic system element CP-6014/CPCX65 is assembled with the safety-firmware AP-0771/SPLC01,
then a SICAM Safety-label (TC6-221 / 6MF13130GC210AA0) must be placed on the housing.
· Not safety-relevant
· Standard telecontrol functions
· 1 ms time tagging of standard I/O modules
· 10 ms time tagging of safety I/O modules
· Conversion of the safety-relevant periodical information from Ax-PE-Bus and TM-Bus
Detailed information about this system element can be found in the following documents:
3.17.1 Introduction
There are 2 types of safety I/O modules available. These are dies:
Detailed information about these modules can be found in the following documents:
· The safety I/O modules have a 2-channel structure. Two CPUs are used, which mutually
monitor each other and the surrounding switching elements via crosswise data
comparison and by means of a State-Machine form a “Super-Watchdog”.
· Both CPU’s are monitored by an independent HW-Watchdog. The expiry of one of the two
watchdogs brings both the own as well as the other CPU to the safe state.
· The voltage supply for the CPU’s or their monitoring also takes place 2-channel, so that an
individual malfunction does not lead to the faulty behavior of both CPUs.
· The setting of the addressing on the I/O module (PBA#, IOM#) is used for monitoring the
correct addressing of the module, which is specified by the SICAM RTUs system
architecture.
· There is a galvanic isolation to the TM-Bus, through which decoupling is achieved.
· All galvanic connections (e.g. synchronization) between the two channels are safely
separated by decouple resistors. These decouple resistors are designed so that an error in
one channel (Common Cause) cannot influence the other channel.
· LED displays: System LEDs (Ready, Safety, Error) and Process LEDs
Located on the safety I/O modules are two rotary switches. With these it is set, at which
position of the SICAM RTUs system the respective module is used.
The first rotary switch determines the PBA# (=peripheral module address) and the second
rotary switch determines the IOM# (=position number of the module on the peripheral
element).
Consequently the safety I/O modules can be unambiguously identified and mistaking is
prevented.
Both numbers are assigned through the configuring in the OPM II and entered in the safety
parameters. On startup and during operation the set addresses are checked for plausibility.
The supply voltage on the I/O modules is that voltage from which the sensors / actuators and
the entire module is supplied. When a certain voltage range is undershot or exceeded a
passivating of all channels takes place. If possible a diagnosis is transmitted and a Power
Down initiated with subsequent Power Up.
· Overvoltage 24 VDC
protection against:
─ Destruction of the module
─ Undefined behavior of the sensors or actuators
· Undervoltage 24 VDC
protection against:
─ Undefined behavior of the sensors or actuators
· Overvoltage 5 VDC
protection against:
─ Destruction of the module
─ Undefined behavior of the sensors or actuators
· Undervoltage 5 VDC
protection against:
─ Undefined behavior of the sensors or actuators
3.17.5 DI-6170
The binary information created as binary states are guided to the ADCs over a voltage
distributor and processed further analog. This permits a cross comparison of the measured
binary information voltage and therefore mutual monitoring for observance of the tolerances in
real-time. Excessive deviations indicate a component fault (short circuit, value deviation, ADC-
error).
A parameter-settable cycling of the external signal voltage enables the discovery of diverse
(external) faults.
The safe state of the binary information inputs is defined by the value "0" for the binary
information input and the value "1" for the associated status.
3.17.6 DO-6270
It is ensured through the monitoring of the sensor voltage, that the external load is activated
with a large enough voltage. The function of the output driver and the external wiring is
monitored by pulses of the output switch.
3.17.7 AI-6370
The AI-6370 is used for the measurement of four 20 mA currents. The measured values
supplied to the ADC over a voltage distributor are supplied to the CPU via the ADC’s and
checked for plausibility by means of cross-wise comparisons.
The safe state of the measured value inputs is defined by the value "0" for the measured
value input and the value "1" for the associated status.
Contents
PS-263x CP-2016 DI-2110 DO -2210 AI-2300 DI-2110 AI-2301 DI-2110 AI-2301 DI-2110 CP-2019 DI-2110 DO -2210 AI-2300 AI-2301 DI-2110 PS-263 x
SICA M AK SI CAM AK
S ICAM
S ICAM
1703
1703
CP-2019
CP-2016 Peripheral element (with standard and safety I/O-modules)
SICAM
SICAM
1703
1703
Peripheral element (with standard and safety I/O-modules)
Standard
Safety
Layer
communication
SICAM AK
S ICAM
S ICAM
17 03
17 03
CP-2017
CP-2014 Peripheral element (with standard and safety I/O-modules)
PS -263x CP- 2016 DI- 2110 DO-2 210 A I-230 0 DI-211 0 DI-2110 DI -2110 CP -2 019 DI- 2110 DO-2210 A I-230 0 DI-211 0 PS -26 3x PS -26 3x CP- 2016 DI -2110 DO- 2210 A I-2 300 DI- 2110 DI-2110 DI-2110 CP-2 019 DI -2110 DO-22 10 A I-23 00 DI-2 110 P S-2 63x
A I-2 301 A I-2301 A I-2301 AI-2 301 A I-230 1 A I-230 1
CP-2019 CP-2019
CP-2016 CP-2016
Standard Safety
communication Layer
SICAM AK (AU3)
SICAM AK (AU4)
CP-2017 CP-2017
CP-2014 CP-2014
SICAM
1703
Peripheral element
(with standard and safety I/O-modules)
Maximum 16 SICAM TM
peripheral elements
Warning
· The Activ/Passiv – switch must guarantee, that only one component is active. The implementation of
this function is in the users responsibility.
· It is necessary to check via the Safety-monitor, if both Safety-PLC’s have the same state of parameters
and are in state RUN.
P S-2 63x CP -2016 DI-2110 DO-2210 AI- 2300 DI -2110 DI- 2110 DI-2110 CP- 2019 DI-2110 DO-2 210 AI-2 300 DI- 2110 P S- 263x P S- 263x CP -201 6 DI-2110 DO-2210 AI -2300 DI-2110 DI- 2110 DI-2 11 0 CP -2019 DI-2110 DO-2 210 AI- 2300 DI -2110 P S -263x
AI- 2301 A I-2 301 A I-23 01 A I-2301 AI-2 301 A I-2 301
CP-2019 CP-2019
CP-2016 CP-2016
Standard Safety
communication Layer
SICAM AK (AU3)
SICAM AK (AU4)
CP-2017 CP-2017
CP-2014 CP-2014
SIC AM
SIC AM
1703
1703
Maximum 16 SICAM TM
peripheral elements
Warning
· The Activ/Passiv – switch must guarantee, that only one component is active. The implementation of
this function is in the users responsibility.
· It is necessary to check via the Safety-monitor, if both Safety-PLC’s have the same state of parameters
and are in state RUN.
See also: Commissioning of redundant Safety-PLC's
Contents
5.1 Introduction
This chapter describes the basic method of procedure for working with failsafe SICAM RTUs
systems.
The workflow plan for the engineering of the individual system elements and the
commissioning of a plant for the “non-safe” standard operation is presumed as known and is
documented in the manuals of the SICAM RTUs product family.
In the following the work steps necessary for the commissioning of a Safety plant are
sketched out. These range from the definition of the plant parameters and the engineering
through to the commissioning and operation of the plant.
Design plant
Install hardware
Engineering
• HW/FW configuration of automation unit
• Set parameter
• Create application and generate code
• Simulate function chart offline
Therefore, you must make sure after a download and during the current iteration of the
verification, validation and release that the correct application is running on the controller and
all measures are performed for the same version of the application (version "A").
This is possible by using Safety Monitor (Online) and Safety V&V (Offline) and identifying the
application by means of the following fingerprints:
e.g. Safety I/O module parameters and parameters of the safety firmware (SPLC01).
· V&V data
Fingerprint of the V&V data (status of validation, verification or release)
If one of these statuses change, its fingerprint also changes.
Record the displayed values of the code fingerprints (e.g. on review or test protocols) when
performing the respective step of the workflow. Compare the recorded values from the earlier
step with the ones displayed in Safety Monitor or Safety V&V while performing the current
step. See the respective step of the workflow to find out which CAEx safety component must
be used to record the values or which one must be used to compare them.
Warning
In case of all comparisons, check whether the values for the above mentioned code fingerprints are
identical. If the values differ, the steps of the workflow are not done for the same application or the same
version of the application.
Note
Safety V&V displays additional fingerprints for information not being code-relevant. They are not needed to
basically identify the application, but they can be used as a basis for other examinations.
During the design of the plant a risk assessment is carried out for every safety function. Based
on this a corresponding safety class (SIL/PL) is then defined. The requirements on the
components for the realization of the safety functions (open-/closed loop control function,
sensors, actuators) are derived from these. These decisions influence further activities, such
as hardware design, configuration and programming.
Note
Important for the planning is the functional separation of standard and safety functions.
The installation of the hardware of a safety-oriented SICAM system must take place in
accordance with the guidelines of the following documents. These are:
Note
The power for the safety plant is to be supplied with SELV-conforming power supply
units/batteries/charging devices.
The individual power circuits/supply circuits are to be protected with fuses. A circuit
breaker 2-pole 10 A (or less) characteristic C is prescribed for each peripheral element.
(Standard Type: Siemens 5SY5 210-7).
· Labeling
5.5 Engineering
The safety-relevant parts of a plant are configured and parameterized in the OPM II just as
standard parts. All engineering activities, from the system diagnostics through to the online
test, are performed with the SICAM TOOLBOX II.
The open-/closed loop control user programs are created using CAEx plus according to the
standard IEC 61131-3. This applies for safety as well as for standard function diagrams. All
data are stored in the SICAM TOOLBOX II database.
SICAM TOOLBOX II
EM II CAEx safety
(Engineering Manager)
OPM II
Safety Umsetzer
Safety-Parameter
Standard (Parameter + FUP)
Parameter
CAEX plus
Safety Safety V&V
Parameter
Safety Parameter
signed
verified & validated
PSRII
(Configuration- and Service Engine)
Safety Monitor
Data flow
CAEx plus test, Parameter
Diagnostics Loader Read fingerprint
Online test Telegram
simulation
Safety Layer
TM 1703 A CP CP-6 014
SICA M
Design plant
Engineering
Define plant and automation unit
HW/FW configuration of
automation unit
Set Parameter
For the initial creation of a plant the configuration data in the OPM II must be entered in the
SICAM TOOLBOX II. This task is supported by "Wizards". The parameterized configuration
data define the plant topology.
· Customer data
· Plant data
· System- and process technical automation units
Before the parameter setting an automation unit must be configured with the required system
elements. The configuration is carried out with the tool "OPM II" via the menu items TOOLS |
SYSTEM TECHNIQUE and TOOLS | LIBRARY OVERVIEW .
Note
If a Confirmation-ID is assigned, then the user must ensure the storage of this.
The system-technical and process-technical settings of a plant are set in SICAM TOOLBOX II
with the tool "OPM II". Safety- and standard-parameter must be treated equally.
· System-Technical Settings
The parameter setting is carried out in the menu tree, respectively below the selected
basic system element:
─ Common settings
─ Time management
─ Communication protocols
─ Network settings
─ Topology
─ Dataflow filter
─ Periphery
─ Decentralized archiving
─ Redundancy
· Process-Technical Settings
The process-technical settings of the system elements can be opened centrally via the
menu item TOOLS | IMAGES
The parameters for the technological processing of process signals reside in the menu tree
below the link images:
─ Addressing
─ Signal preprocessing
─ Signal postprocessing
The user program for the open-/closed loop control functions is created in the SICAM
TOOLBOX II with the tool CAEx plus according to IEC 61131-3.
CAEx plus supports the programming languages "FBS" (function block language, function
diagram) and "AS" (sequential function chart language) according to the standard IEC 61131-
3 (Programmable Logic Controllers Part 3: Programming Languages).
Note
Safety programs can only be created in the Function Block Language (FBS). Use of the sequential
function chart language (AS) is not possible.
The tool CAEx plus provides various editors and standard libraries for the creation of the
open-/closed loop control functions.
Precondition
· The signals of the process technical plant created with the "OPM II" converted. This is
carried out with the tool "OPM II" by selecting the menu TARGET SYSTEM | CAEX PLUS |
TRANSFORM… .
· The distinction between standard and safety signals takes place by means of the suffix
_SAFE. In addition the safety signals are identified by means of an attribute in the signal
list.
Note
The user must not use the suffix _SAFE for his own signal names, as these can easily
be mistaken.
Sequence
Warning
When creating the application, fulfill the requirements presented by the underlying
standards and/or by the underlying development process and described in the
corresponding documents (e.g. in specifications)..
Stick to the guidelines that SICAM Safety gives for programming (see Guidelines for
programming) and mind the restrictions that the respective target system gives.
Warning
Check the messages in the programming system for logi.LINT's final messages
"logi.LINT checks finished with 0 messages (with 0 errors)" and
"Finished successfully.". Both messages must be listed, the second one right
after the first one.
You must fix reported problems and generate code anew until both of logi.LINT's final
messages are listed.
Result
· The safety parameters are exported with the tool and stored in the Oracle database. All
safety parameters are given a checksum.
The logic operations of a function diagram can be tested in CAEx plus with the OFFLINE-
SIMULATION.
The offline test is identical for standard and safety function diagrams and is started in
CAEx plus with the function "Offline-Simulation". The following possibilities are available:
Engineering
Verification
Verification of the
application
The safety parameters are verified using the "Safety V&V” tool. The user program is thereby
represented again in function diagram technology and the safety parameters displayed.
Precondition
· Reviews, as one of the possible verification measures, must be performed with the help of
Safety V&V (see Review of the Application.).
Sequence
· In the system technique of the OPM II on the safety application for the safety resource
start the menu item "Safety V&V".
· Enter the Confirmation-ID (optional). The verification is protected by the Confirmation-ID.
· The user must now verify and confirm the user program. In addition the safety parameters
must be confirmed.
· After the verification has been completed, record the state for the verification in Safety
V&V:
─ Identify the application for which you want to record the state: Compare the values of
the code fingerprints that are displayed in Safety V&V with the recorded values. The
same values must be found.
─ Check which user identification is displayed in the status bar of Safety V&V. Your
identification must be displayed.
─ Enter the state for verification that is matching the results of the verification and save
this state.
· After the entry of the status Passed or Failed a test report of the application must be
created.
Note
The user himself is responsible for the archiving of the test report.
Reviews are possible verification measures. They must be performed by using Safety V&V.
· Before the reviews are started: Check the following data in Safety V&V:
─ values of the code fingerprints in Safety V&V (to identify the application): Compare the
displayed values with the recorded ones. The same values must be found.
─ user identification in the status bar of Safety V&V
Your identification must be displayed.
─ Release information (time stamp of release and user identification) of used translation
database
· The reviews must examine logic and parameterization of the application data regarding
correctness, consistency and completeness against the corresponding specification.
· Condition for performing the reviews by using Safety V&V: You must be familiar with how
all elements are displayed in Safety V&V, in particular how the logic elements are
displayed.
· Review the following data by using Safety V&V:
─ instance data
Examine the resource (= folder object with icon ) and all its sub-objects that are
displayed in the explorer of Safety V&V.
─ user-defined POUs and data types
Examine all objects under the folder object Library with objects to be examined that
are displayed in the explorer of Safety V&V. All the POUs must contain a logic
describing the behavior.
─ parameter data
Examine the parameter sets and/or parameter blocks (= folder objects with icon )
and all its parameter tables that are displayed in the explorer of Safety V&V.
· When user-defined POUs are reviewed, make sure that the execution order is shown
within the POUs.
· If you are using examined objects (= examined user-objects, system blocks, system data
types) within the application, during the reviews you must do the following: Check the
consistency of the examined objects against your specification. This is to make sure that
the correct "examined objects" are being used in the application.
· Observe that the state for the verification must be recorded after verification has been
completed. Take note, that after the verification is concluded the status of the verification
is to be recorded.
Download
parameter Download of the application
to the controller
Following transformation and verification all data from the engineering must be loaded into the
automation unit (Flash Card in master control element). However that is only possible when
the automation unit is in the operating state STOP, TEST or KILL.
The interrogation of the operating state takes place before the actual loading operation. If the
automation unit is in the operating state RUN, the loading operation is not started. The user is
informed by means of a Message box, at what point he must first switch to the operating state
STOP or TEST in the OPM II and then restart the loading operation.
Precondition
Note
The PBA and I/O module numbers are to be set correctly on all Safety I/O modules with
the rotary switches.
· The safety application and/or the safety parameters have been tested and verified offline.
· Automation unit is in the operating state STOP, TEST or KILL.
Sequence
Result
· The safety parameters are now loaded in the BSE and protected against modifications
with a checksum.
· The parameters on the BSE correspond to application status "B". These can be used for
subsequent Delta tests.
· Following the very first initialization the automation unit is in the operating state STOP.
Caution
Switching off the master control element during a loading operation must definitely be avoided, as the data
on the Flash Card could be destroyed as a result.
Online-test
Online-test of the
application
After the very first parameter loading the automation unit is in the operating state STOP. In the
STOP state the safety outputs are in the safe state (passivated). In the TEST state the safety
outputs can be switched. To test the outputs one must switch to the TEST state.
Danger
In this operating state the safety measures are switched off. I.e. the plant is in the non-safe state.
Measures are to be taken (e.g. spatial cordoning off of the danger zone) to prevent the endangering of
persons.
This operating state may only be executed for a limited time and must be terminated after commissioning
at the latest.
The loaded and verified user program is tested using the Toolbox in the destination system
with the help of the online test.
The online test corresponds with a graphical display of the function diagram, in which the
current states of the logic are visualized. i.e. The state of binary information is shown in color
(red = on and blue = off) and analog information can be displayed by means of so-called
online test fields.
Precondition
Sequence
· Switch to the operating state TEST. Optionally the Confirmation-ID must be entered
· In the CAEx plus project management select the corresponding safety resource of the
BSE and start the online test via the context menu.
· Test the function with full online test functionality as in the standard PLC (Forcing …).
· If write access to the user program is to take place during the test procedure (e.g. setting
(forcing) of variables), then for reasons of consistency a reset is to be performed after that.
Result
· The safe user program is to be tested on the plant under environmental conditions.
Validation
Validation of the
application
Precondition
Sequence
· In the system technique of the OPM II on the safety application or in CAEx plus for the
safety resource, start the menu item "Safety V&V".
· Identify the application for which you want to record the status (see section Identify
application by means of code fingerprints): compare the values of the code fingerprints
displayed in Safety V&V with the logged values. The values must be the same.
· Check which user identification is displayed in the status bar of Safety V&V. It must be
your own identification.
· Enter the status of the validation according to the results of the validation process and
save the status.
· After the entry of the status Passed or Failed a test report of the application must be
created.
Note
The user himself is responsible for the archiving of the test report.
Result
Release
Release of the application
and operation preparation
Operation
Precondition
Sequence
· In the system technique of the OPM II on the safety application for the safety resource
start the menu item "Safety V&V".
· Identify the application for which you want to record the state (see section Identify
application by means of code fingerprints): Compare the values of the code fingerprints
that are displayed in Safety V&V with the recorded values. The same values must be
found.
· Check which user identification is displayed in the status bar of Safety V&V. Your
identification must be displayed.
· Check which state for validation and which state for verification is displayed. Passed and
an authorized person must be displayed for both.
· Enter the state Passed for the release and save this state.
· With the help of the multifunction bar command EXPORT TEST REPORT record the value
of the V&V fingerprint displayed in Safety V&V after recording the release status, for
further verification (the subsequent comparison).
Note
The parameters are automatically stored in State “C” for a subsequent Delta test.
· Document the revisions of the used, tested hardware and firmware of the plant
─ Documentation of the firmware used (SPLC01)
This is output during the course of the logging for the V&V fingerprint
─ Documentation of the hardware used (CP-2019, CP-2017 or CP-6014).
Note the serial number.
Safety module
Serial number
(e.g.: BF1208xxxxxx)
Result
Precondition
Sequence
· In the programming system: Start the download to the controller. Then check the
messages to make sure that the download has finished successfully.
· Check the values of the code fingerprints in Safety Monitor (to make sure that the correct
application is running on the controller see section Identify application by means of code
fingerprints): Compare the displayed values with the recorded ones. The same values
must be found.
· Compare the V&V- fingerprint that was recorded after acquisition of the release status in
Safety V&V. The same value must be displayed.
· Check the status of the release and the details recorded for this.
Passed must be entered and a person authorized for the release.
· Check the release information (time tag of the release and user identification) of the
transformation database used in Safety Monitor.
· Activate the operating state "RUN“ for the controller.
· Check in the Safety Monitor which operating state is displayed in the Start register. The
operating state “RUN” must be displayed.
· Create the inspection report in Safety Monitor for the released application that is running
on the controller and in commission.
· Process the exported inspection report according to your company's guidelines, for
instance sign and file a printout of it.
Result
5.11 Operation
Operation
This use case considers the startup of an automation unit that has already been successfully
set into operation and run in the state RUN.
Warning
The restart protection for the process is not implemented in the firmware of the system components, rather
is in the scope of responsibility of the application. The application must control the restart of the process
dependent on the process states.
The restart behavior can be set with the parameter safe state at channel error
Precondition
Sequence
The user performs a Reset (on the basic system element) or Power-Up. The system executes
the following steps:
· When all boundary conditions for safe operation are fulfilled the basic system and the I/O
modules switch to the safe operation (RUN). Otherwise the “safe” state (STOP) is
adopted.
· The loaded user program checks the initial conditions regarding the restart protection of
the process.
Result
Precondition
Sequence
· In the OPM II system technique on the safety application call the menu item “Display /
switchover operating state”.
· Enter the Confirmation-ID.
· In the dialog activate the operating state STOP.
Result
Precondition
Sequence
· In the OPM II system technique on the safety application call the menu item “Display /
switchover operating state”.
· Enter the Confirmation-ID.
· In the dialog activate the operating state TEST.
Result
Danger
In this operating state the safety measures are deactivated. I.e. the plant is in the non-safe state.
Measures are to be taken (e.g. spatial cordoning off of the danger zone) to prevent the endangering of
persons.
This operating state may only be executed for a limited time and must be terminated after commissioning
at the latest.
Precondition
Sequence
· In the OPM II system technique on the safety application call the menu item “Display /
switchover operating state”.
· Enter the Confirmation-ID.
· In the dialog activate the operating state RUN.
Result
5.12 Maintenance
Maintenance
Exchange basic system element
Exchange SD-card
No maintenance work is required unless reference is made to it in the user manual (e.g. AI-
6370 for the period of the guaranteed safety accuracy)
Note
When exchanging basic system elements observe the specifications for the Assembly/Disassembly in the
SICAM AK User Manual.
The exchange of basic system elements is possible during operation without firmware
adaptation.
Precondition
Sequence
Result
Note
When exchanging I/O modules observe the specifications for Assembly/Disassembly in the SICAM TM
Installation Manual.
The exchange of Safety I/O modules is possible without firmware adaptation and SICAM
TOOLBOX II.
Warning
The PE coupling module must be switched de-energized beforehand.
Precondition
· The peripheral element with the defective I/O module is in the de-energized state.
Sequence
· Set the PBA number and the module number on the "new” I/O module.
· Document the revisions of the used, tested hardware and firmware of the plant
─ Documentation of the hardware used (Safety I/O Modules)
Note the serial number.
Safety module
Serial number
(e.g.: BF1208xxxxxx)
· Power-Up of the peripheral element with the new I/O module and PE is ready
automatically.
Result
Precondition
Sequence
· Check in Safety V&V the values of the code fingerprints (to ensure, that the correct
application version in the SICAM TOOLBOX II is available for this plant; see section
Identify application by means of code fingerprints): Compare the values displayed with the
logged values.
Note
Observe, that after loading a released application the plant is immediately in the
operating state RUN.
· Start the download (initialize parameters, load firmware) on the controller with the help of
the SICAM TOOLBOX II and ensure based on the output messages, that the download
has concluded successfully.
· Check in the Safety Monitor the values of the code fingerprints (to ensure, that the correct
application runs on the controller; see section Identify application by means of code
fingerprints): Compare the values displayed with the logged values.
· In the Safety Monitor check the operating state of the plant and initiate the corresponding
measures.
Result
When an application is modified and this application has already been commissioned by
means of CAEx safety, this modified application must be examined anew according to the
regulations of the underlying standards.
A development process compatible with "IEC 61508-2 (2010)" must include a change
management process during which a change specification and an effects analysis of the
changes are done before the changes are made.
This excludes the usage of Safety V&V as device to perform the effects analysis on the
changes because the compare mode of Safety V&V can be used well only after the changes
have been made.
A modified application can be examined as described in the workflow for the software
development. All steps of the workflow must be performed fully.
Warning
Observe all instructions and notes given.
CAEx safety provides the possibility to perform a delta verification and a delta validation of the
modified application in order to restrict the scope of the verification/validation.
During the Delta test one of the states is compared with another.
Version „A“
(latest in TBII
generated or in
safety V&V saved
parameter version
TOOLBOX II
re f
Pa in
wa o
De v
m ad
ra saf
„B atio
m et
fir lo
l ta e r s
et y
nd lid
ty er
v e i on
“
er V&
“ a /va
fe et
rif „A
re V
sa ram
„A n
ica “
lea
n tio
tio an
Pa
io a
se
rs ific
n/ d „
va C
ve ver
lid “
lta
at
io
De
Attention
Status "B" can also be created offline by generating the Flashcard. In this case this flashcard must be
present in the destination system at the time of the Delta Verification/Validation. Otherwise the Delta
Verification/Validation is not correct.
Precondition
· condition for restricting the scope of the examination measures is the complete
identification of the functions that are affected directly or indirectly by the modifications.
· You must examine the modified application according to the following criteria during delta
examination:
Sequence
· development process valid for the application (see Requirements for the development
process) must define the scope and the measures to perform during the verification and/or
the validation. If the development process allows for a delta examination, there must be
appropriate regulations for delta verification and/or delta validation as well.
· Make sure that all measures for delta verification, delta validation and release are
performed for the same version of the application. Moreover, make sure that the correct
and archived version of the application is used as reference for the comparison. For this
purpose, identify the version of the application by using CAEx safety (see section Identify
application by means of code fingerprints).
· Make sure that you are authenticated correctly during delta verification, delta validation
and release and that authorized persons only have access to the workstation (see
Authentication measures).
· Bear in mind when planning the examination measures that errors can be implemented
during step "Re-engineering” of workflow. The end user as well as the programming
system or the PC environment can be the initiator of such errors. Example: because of
systematic errors in the programming system or data corruptions in the memory or on the
hard disk
The detection rate of the errors found during dynamic test only might not be sufficient
depending on the requirements of the underlying standard and on the required safety
integrity level.
The delta examination requires reviews by using Safety V&V. Make sure during these
reviews that just the requested modifications have been implemented (see also the above
mentioned criteria during delta examination).
· Record the progress during your workflow by appropriate tools, in particular during delta
verification, delta validation and release. You must not skip any measures during the steps
and/or even steps themselves.
If the workflow or a step has been interrupted or aborted, the recordings must make it
possible to resume the workflow or step where it has been interrupted or aborted. If this is
not possible, you must re-start the workflow and start with step "Re-engineering" again.
Therefore, you must make sure after a download and during the current iteration of the delta
verification, delta validation and release that the correct application is running on the controller
and all measures are performed for the same version of the application (version "A").
With CAEx safety that is possible through the identification of the application versions based
on the following fingerprints:
E.g. Safety I/O Module parameters and Safety Firmware parameters (SPLC01).
· V&V Data
Fingerprint of the V&V data (status of validation, verification or release)
If one of these states changes, this fingerprint also changes.
In order to see the code fingerprints for version "A" as well as for version "B" or version "C",
Safety V&V must have been started for
Use the code fingerprints for version "A" to make sure that the correct application is running
on the controller and that it is really the same version of the application:
Record the displayed values of the code fingerprints for version "A" (e.g. on review or test
protocols) when performing the respective step of the workflow. Compare the recorded values
from the earlier step with the ones displayed in Safety V&V or Safety Monitor while performing
the current step. See the respective step of the workflow to find out which CAEx safety
component must be used to record the values or which one must be used to compare them.
Warning
In case of all comparisons for version "A", check whether the values for the above mentioned code
fingerprints are identical. If the values differ, the steps of the workflow are not done for the same
application or the same version of the application.
Use the code fingerprints for version "B" and/or version "C" to make sure that the correct and
archived version of the application is used as reference for the comparison:
Compare the displayed values of the code fingerprints for version "B" and/or version "C" with
the ones re-corded in the respective inspection reports for the archived version of the
application. See the respective step of the workflow to find out when the values must be
compared.
Warning
In case of the comparisons for version "B" and/or version "C", check whether the values for the above
mentioned code fingerprints are identical with the respectively archived code fingerprints. If the values
differ, the steps of the workflow are not done for the archived version of the application that must be used
as reference for the comparison during the delta verification and the delta validation.
Warning
When modifying the application, fulfill the change specification presented by the
underlying standards and/or by the underlying development process and described in
the corresponding documents (e.g. in change orders or review protocols).
Stick to the guidelines that CAEx safety gives for programming (see Guidelines for
programming) and mind the restrictions that the respective target system gives.
2. In the programming system: Start the code generation for CAEx safety.
Warning
Check the messages in the programming system for logi.LINT's final messages "lo-
gi.LINT checks finished with 0 messages (with 0 errors)" and
"Finished successfully.". Both messages must be listed, the second one right
after the first one.
You must fix reported problems and generate code anew until both of logi.LINT's final
messages are listed.
Note
The automatically created work file version "A" is consistent with the current version of
the application after the modification have been made.
Observe the notes under section Workflow with delta examination regarding the following
items:
· complete identification of the functions that are affected directly or indirectly by the
modifications
· criteria for the examination of the application during the delta validation
· archived application as reference for comparison during the delta examination
· scope/measures of delta validation
· authentication and access to workstation
· when planning the examination measures: including reviews in order to increase the
detection rate of implemented errors
· recording of progress by appropriate tools
Before the delta examination: Check the following items to make sure that the correct
hardware/software is used:
After the validation has been completed, record the state for the validation in Safety V&V:
· Identify the current version of the application for which you want to record the state (see
section Identify application by means of code fingerprints): Compare the values of the
code fingerprints that are displayed for version "A" in Safety V&V with the recorded values
(recorded for version "A"). The same values must be found.
· Check which user identification is displayed in the status bar of Safety V&V. Your
identification must be displayed.
· Enter the state for validation that is matching the results of the delta validation (see
Definitions for the state of "Validation") and save this state.
For a subsequent delta examination after the entry of the status Passed or Failed the test
report must be archived.
Note
The user himself is responsible for the archiving of the test report.
This step of the workflow is analogous to the one during the initial examination (see Release
of the application). Observe for the current iteration:
· When you have to compare the values of the code fingerprints (before the release),
compare the values that are displayed in Safety Monitor with the recorded values
(recorded for version "A").
· When you have to compare the values of the code fingerprints (when recording the state
for release in Safety V&V), compare the values that are displayed in Safety Monitor with
the recorded values (recorded for version "A").
This step of the workflow is analogous to the one during the initial examination (see Operation
preparation for the released application). Observe for the current iteration:
· When you have to compare the values of the code fingerprints (after the download),
compare the values that are displayed in Safety Monitor with the recorded values
(recorded for version "A").
Redundant Safety-PLC‘s are independent from each other with identical safety parameter and
application program. They may be located in two separate or in one automation unit.
The safety parameter and the safety application program are created on the „Original“
automation unit and afterwards copied to the „Image“ automation unit. This is done while
maintaining the fingerprint. The copying takes place with function „Copy mirror parameters to
..“ in toolset „OPMII“ of SICAM TOOLBOX II.
SICAM TOOLBOX II
TOOLBOX II
Re vision:
L ice ns e P a k:
OPMII - System technique
Ve rsion 5 | S iem e ns AG
*)
AE1
**)
BSE
AP-0771/SPLC01
Safety-Parameter
Safety-Application Program
AE2
*) copy mirror
parameters
**)
BSE
AP-0771/SPLC01
Safety-Parameter
Safety-Application Program
*) **)
SICAM AK 3 CP-2016/CPCX26 (SICAM AK 3)
SICAM AK CP-2014/CPCX25 (SICAM AK)
This function allows, that the safety parameter and safety application program are identical
loaded and no detailed verification and validation of the safety function in the redundant
automation units is required.
The check, if both redundant automation units are loaded correct , is in the responsibility of
the user and takes place by comparison to identical fingerprints in the redundant automation
unit. The tool „Safety Monitor“ is used for this check.
Hint
The timeout(WatchdogTime) of the communication module, in case of redundant communication
channels, must be larger than the time for the redundancy switchover.
Warning
This is only a parameter copy-function in SICAM TOOLBOX II.
The application program of the target system is not synchronized.
Sequence
· Parameter setting
─ Both BSE, inclusive the SSEs and PEs, must be configured separate.
─ Set connection parameters separate.
─ On the BSE you must set with parameterRedundancy – Red_Sync Org_img which
BSE is the Original and which is the Image.
─ Further you must parametrize (Region-Nr., Component-Nr., BSE-Nr.) which BSE is the
redundant BSE with the parameter Address of the redundant BSE .
· Process technique
─ The parameter are only set for the original BSE. Placing an image on the PEs of the
"Image"-BSE is blocked by TBII.
─ The 1703 transformer converts only the parameters of the "Original"-BSE.
· CAEx plus
─ The function diagram is only created for the "Original"-BSE. Changes in the function
diagram of the "Image"-BSE are blocked.
· Transfomation andSafety V&V
─ Perform "1703 transform" on the original BSE, if the images were changed.
─ Transform CAEx plus.
─ Create the CAEx plus safety-function diagram and generate the code.
─ Open CAEx Safety V&V for verification, validation and release.
· Load and verify the parameter of the „Original“-BSE
─ Load original parameters.
─ Read out the fingerprint with Safety-Monitor and compare with Safety-V&V Fingerprint.
─ Switch Safety PLC into state RUN.
· Copy the mirror parameters
─ Right-click the "Original"-BSE in OPMII and select „Copy mirror parameters to ..“.
─ Right-click the "Image"-BSE in OPMII and select „Insert mirror parameter“.
─ After successful copying, the Safety-Parameter can be loaded into the "Image"-BSE.
· Load and verify the parameter of the „Image“-BSE
─ Load Safety-Parameter into the "Image"-BSE and compare with Safety V&V with the
"Original"-BSE.
─ Read out the fingerprint with Safety-Monitor and compare with the "Original"-BSE.
─ Switch Safety PLC into state RUN.
Contents
The safe operation of a SICAM RTUs system is that operating state in which the safety-
oriented communication by means of safety messages is possible and safety functions are
guaranteed.
In this state all safety functions for error detection and error reaction are activated in the
Safety Modules and the Safety Application.
Basically the setting of the operating states is carried out with the SICAM TOOLBOX II
(Loader, Online Test, OPM II) through explicit operator input.
The operating states are displayed on the I/O module, on the BSE, in the OPM II and in the
online test.
Warning
Following an unwanted disconnection of the SICAM TOOLBOX II connection the plant remains in the state
TEST.
With regard to the operating states both the total system as well as subsystems consisting of
peripheral elements and the safety application are taken into consideration and can adopt the
operating states STOP, TEST, RUN and KILL.
TOOLBOX II Reset
Reset ter
r ame
Error a d
y-p se
a fet elea
S tr
Res ety-par d)
no
(Saf release
are
et ame
STOP KILL
ter
Parameter load RU (safe
Frimware load N mode)
Online-test (S
afe
ty
ar -par
e r am
TE S
ele e
as ter
T
ed
)
STO
P
ST
OP
TEST RUN
TEST
Parameter load (safety
Frimware load RUN (parameter validated operation)
Online-test and released)
6.2.1 RUN
RUN is the “Safe Mode” of the safety system. In this state the safety functions are executed
and the system is protected against modifications of safety-relevant information and
parameters. All outputs are active.
Preconditions for both cases are, that the safety parameters and safety application are
validated and released.
Warning
Following a startup the operating state RUN is adopted, regardless of the operating state set previously.
For Reset or Power-Up the restart protection of the total system, consisting of SICAM RTUs and the plant,
are in the scope of responsibility of the application.
6.2.2 STOP
In this state the outputs are passivated (=safe state) and parameters and firmware can be
loaded and tested in the online test with all functions.
· Restart of correctly initialized AU with loaded safety application, which however has not
yet been released.
· Change of operating state using the SICAM TOOLBOX II from the operating state RUN or
TEST.
6.2.3 TEST
Essentially corresponds with the operating state STOP, but the safety outputs are activated. A
release of the application does not need to have taken place.
Danger
In this operating state the safety measures are switched off. I.e. the plant is in the non-safe state.
Measures are to be taken (e.g. spatial cordoning off of the danger zone) to prevent the endangering of
persons.
This operating state may only be executed for a limited time and must be terminated after commissioning
at the latest.
6.2.4 KILL
This state is adopted following system errors and brings the system to the "safe state", which
does not enable any restart without explicit operator input (e.g. Reset, Power up).
6.3 Startup
The “Startup” is a temporary operating state that is achieved either by means of a “Power up”
or “Reset”.
· Self-tests
· Address assignment and communication setup with I/O modules.
(communication with I/O modules is not safe)
· The safety parameters and the safety application are checked for completeness,
consistency and plausibility.
· The installed modules are checked against the parameter setting (configuration and HW
switches). Deviating modules assume the operating state KILL.
· The outputs remain deactivated
After a successful startup the system is in the state RUN, if safety application and safety
parameters are present and enabled. If this is not the case, the operating state STOP is
adopted.
On the destination system the user has no direct possibility to set the operating states. The
user can only change the individual operating states (with the exception of KILL) via the
SICAM TOOLBOX II in the OPM II. In addition the input of the Confirmation-ID is required.
The dialog is called from the context menu of the safety application in the system technique.
6.5.1 SICAM AK 3
The display takes place by means of LEDs on every safety I/O module and on the basic
system element. In addition the operating state can be displayed in the SICAM TOOLBOX II
and on any optional control system (standard diagnostic function).
CP-2019
PS-263x CP-2016 CP-2019 DI-2110 DI-2110 DI-2110 DI-2110 DO-2210 AI-2301 AI-2300 AI-2300 CP-201 9 DI-2110 DI-2110 DI-2110 DO-2210 AI-2301 PS-263 x
SICAM AK SICAM AK
The following LED states are assumed in the individual operating states:
6.5.2 SICAM AK
The display takes place by means of LEDs on every safety I/O module and on the basic
system element. In addition the operating state can be displayed in the SICAM TOOLBOX II
and on any optional control system (standard diagnostic function).
The following LED states are assumed in the individual operating states:
6.5.3 SICAM TM
The display takes place by means of LEDs on every safety I/O module. In addition the
operating state can be displayed in the SICAM TOOLBOX II and on any optional control
system (standard diagnostic function).
Note
SICAM TM has no display of the operating state on the master control element.
CP-6014
RES
LOC
TM 1703 ACP CP-6014
RY
S I0
S I1
S I2
S I3
CPY
ERx RX TX
/ LK
/ LK
X1
COM
LOC
/P K
/P K
RY
SI0
SI1
SI2
SI3
ER
R ELE ASE
PU SH TO
CPY
ERx RX TX
/LK
/LK
SICAM
COM
/PK
/PK
X15
X16
ER
X14
X5
X10
X11
X12
X3
X6
X7
X8
X9
FB X4
WD
ER
SIM0
TB
SI1 (ETO)
1 2 3 4 5 6
R ELEASE
PUSH TO
M-PRE/0
M-PRE/1
M-PRE/2
M-PRE/3
SI2 (FB)
PUSH TO UNLOCK
SI0
SI3
NC
24-60VDC
X2
X13
PWR
The following LED states are assumed in the individual operating states:
The following table shows which functions are possible in which operating state:
Danger
Since in the Online test with write accesses (e.g. forcing) due to the system the Safety PLC program
monitoring would determine a deviation, in this case the program monitoring is deactivated and therefore
false values can be output.
Note
The operating states RUN, STOP, TEST are adopted by all elements involved in the safety function. The
state KILL can also be adopted by individual elements (e.g. I/O module).
The following table shows which operator inputs are possible in which operating state.
Note
If write accesses have been performed in the Online test (e.g. modify variables) on the safety application,
a reset is tripped after switching to the operating state RUN.
The operating states on the I/O modules are defined according to the operating states on the
BSE. As master the BSE specifies the actual operating states, which are synchronized on the
I/O modules via the safe communication. The state “Startup" is a temporary operating state,
which is necessary for the implementation of the synchronization procedure with the BSE.
Contents
7.1 Introduction
To achieve functional safety of a machine or plant, it is not only necessary that the safety-
critical parts of the protection and control equipment function correctly, but in the event of an
error also behave so that the plant is brought to a safe state or remains in a safe state. In
addition to the corresponding safety-oriented behavior of the system, an appropriate
diagnostic information is also set.
For this purpose the system continuously checks the correct function of
Depending on the severity of the error and the system parts affected, error classes are
differentiated:
System errors are errors which bring the total system or parts of the system to the operating
state KILL. Depending on the location of the occurrence (basic system element or I/O module)
there are different effects on the total system.
Possible causes
Effects
Remedy
If a system error is detected on the basic system element, the system element is set to the
operating state KILL. In this operating state the communication to the I/O modules is stopped.
This leads to all I/O modules also being set to the operating state KILL. For output I/O
modules that causes the outputs to be switched off.
Danger
If no restart procedure is programmed in the application program, a restart takes place after reset or by
switching the supply voltage on without any further operator input.
If a system error is detected on an I/O module with inputs, the system element is set to the
operating state KILL. In this operating state the communication to the higher level basic
system element is stopped. This leads to all data points of the affected I/O module being set
to the safe state (see Passivating of Channels)
Danger
If the state of the affected data points is not taken into account in the application program, it can lead to
faulty behavior of the plant.
A restart takes place by means of a Reset of the higher-level peripheral element coupling
module (Service Function Online in the TOOLBOXII) or through Power up.
Danger
If no restart procedure is programmed in the application program, a restart takes place after unplugging
and plugging or through exchange of the I/O module without any further operator input.
If a system error is detected on an I/O module with outputs, the system element is set to the
operating state KILL. In this operating state all outputs are switched off. This state is provided
to the application program by the higher-level basic system element. In addition all data points
of the affected I/O module are set to the safe state (see Passivating of Channels)
Danger
In the application program this state is to be taken into account, so that no danger develops for the total
system.
A restart takes place by means of a Reset of the higher-level peripheral element coupling
module (Service Function Online in the TOOLBOXII) or through Power up.
Danger
If no restart procedure is programmed in the safety application, an immediate restart takes place when all
channel errors have been rectified (e.g. after unplugging and plugging or through exchange of the I/O
module) without any further operator input.
Channel errors are errors for which individual data points are set to the safe state
(passivation). Depending on the location of the occurrence (basic system element or I/O
module) there are different effects on the total system.
Possible causes
· Defect of the hardware used (e.g. ADC defect, short circuit in the input circuit)
· Wiring errors
· Sensor defect
· Implausible values of individual data points
· Calculation errors in the application program (e.g. value overflow)
Effects
· Passivation of the affected data point
· Dependent on the location of the error there are different effects on the total system
─ Channel Errors on the Basic System Element
─ Channel Errors on the I/O Modules with Inputs
─ Channel Errors on the I/O Modules with Outputs
Remedy
· Diagnosis with the SICAM TOOLBOX II
· Error rectification (depassivation of channels)
e.g. repair wiring error
· Perform restart.
Errors which occur during the processing of the safety application (global error of a safety
module), lead to a passivating of the safe outputs on the output modules.
Under which conditions a global error is detected can be taken from the Online Help for “CAEx
plus Modules”.
If a channel error is detected on an I/O module with inputs, the affected input is set to the safe
state (passivated). The channel error is provided to the safety application. Any further
processing of this information is carried out according to the parameter safe state at
channel error (see Behavior with Channel Errors)
If a channel error is detected on an I/O module with outputs, the affected output is set to the
safe state (passivated). The channel error is provided to the safety application. Any further
processing of this information is carried out according to the parameter safe state at
channel error (see Behavior with Channel Errors)
Warning
The restart protection for the process is not implemented in the firmware of the system components, rather
is in the scope of responsibility of the application. The application must control the restart of the process
dependent on the process states.
The restart behavior for channel errors that are detected by the system can be set with the parameter
safe state at channel error.
Depending on the application, a behavior for the safe state of the automation unit can be
selected.
· User program
The safe state must be ensured through logic links in the safety application.
I.e. the safety outputs must be linked with error conditions in the safety application.
If the “Global Error” is set by the safety application, the safe outputs are also switched to
the safe state in this case.
· Automatic without restart inhibit
As soon as a channel error occurs (e.g. input of the DI_00 is disturbed or a calculation
error in the safety application), all outputs are switched to the safe state. With going fault
the outputs are immediately switched through again.
Note
This confiugration is not permissible for railway applications.
·
· Automatic with restart inhibit
As soon as a channel error occurs (e.g. input of the DI_00 is disturbed or a calculation
error in the safety application is set), all safe outputs are switched to the safe state. With
going fault the switching through of the outputs must be acknowledged via the system
module TB_RESTART_INHIBIT.
If the parameter safe state at channel error is set to “User Program”, with the
channel error not all outputs of the automation unit are automatically set to the safe state. It
must be ensured through applicative measures, that the corresponding outputs are brought to
the safe state.
Note
Evaluations of the channel errors must be performed in the user program
The applicative measure is only required for channel errors of I/O modules. Channel errors
which originate from the safety application (“Global Error”) automatically set all outputs to the
safe state.
Danger
If no restart procedure is programmed in the safety application, an immediate restart takes place when all
channel errors have been rectified (e.g. after unplugging and plugging or through exchange of the I/O
module) without any further operator input.
>=1
IOM BI output IOMx - OUT D00 faulty SAFE
2
IOM
BI output IOMy - OUT D00 faulty SAFE
Anwenderprogramm
3
GlobalError
Legende:
IOM 0 … DI-6170
IOM 1 … AI-6370
IOM 2 … DO-6270
IOM 3 … DO-6270
IOM 4 … DI-6170 Safety Firmware
If the parameter safe state at channel error is set to “Automatic without restart
inhibit”, with a channel error all outputs of the automation unit are automatically set to the safe
state.
Danger
If no restart procedure is programmed in the safety application, an immediate restart takes place when all
channel errors have been rectified (e.g. after unplugging and plugging or through exchange of the I/O
module) without any further operator input.
IOM
BI output IOMy - OUT D00 faulty SAFE
Anwenderprogramm
3
GlobalError
Legende:
Note
This confiugration is not permissible for railway applications.
If the parameter safe state at channel error is set to “Automatic with restart inhibit”,
with a channel error all outputs of the automation unit are automatically set to the safe state.
When all channel errors have been rectified (e.g. after unplugging and plugging or through
exchange of the I/O module) a restart first takes place when an explicit operator input (a
positive edge) is detected on the system module for the restart “TB_RESTART_INHIBIT”.
IOM
BI output IOMy - OUT D00 faulty SAFE
Anwenderprogramm
3
GlobalError
S
Legende: RS
7.5 Diagnostics
For the diagnostics of system or channel errors, depending on the detailing required the
following diagnostic possibilities are provided.
· Standard diagnostics
· LED display
The SICAM TOOLBOX II has the means for diagnostic evaluation and acknowledgement of
the diagnostic information originating from the I/O modules and the basic system element.
In addition, with the standard diagnostics the diagnostic information can be distributed for
further processing (as process information).
Attention
Information of the standard diagnostics must not be used to influence the safe state.
Basically the operating states and diagnostic information are displayed on the LED’s of the
automation unit.
· The data is processed by CAEx safety components that are independent of the
programming system.
· Checksums and fingerprints guarantee the integrity of the application data while the data
is processed by CAEx safety until its execution on the controller.
· If the data is corrupted and errors are generated during the processing of the data, the
next processing step will be aborted.
· Code fingerprints are available so that the end user can identify the application data in
CAEx safety.
· The end user must check these code fingerprints after each download, for each validation,
verification and release in order to ensure that the correct application is loaded and
modified.
· CAEx safety executes plausibility checks for the processed data once again before the
data is downloaded (e.g. comparing the checksum of the binary file).
· You can record the result of the examination measures (validation, verification, release) in
component "Safety V&V". The examination measures must be predefined in your
development process. The recorded result of the examination measures is stored in the
application data (including user identification of the person who recorded the result,
date/time and entered comment).
· The application data is displayed within the application "Safety V&V" that is independent of
the programming system so that the data can be reviewed in it: The data is displayed in a
form similar to the programming system.
· Safety V&V displays modifications (enhancements or bug fixes) for an application which
has already been commissioned by means of CAEx safety. This makes a delta verification
and delta validation possible.
· The component "Safety Monitor" enables the examination of the application data on the
controller and of the E/E/PE system itself:
─ identification of the running application by means of code fingerprints
─ state for validation, verification and release of the running application
─ operating state of E/E/PE system
─ other parameter data to monitor the application and/or the E/E/PE system
· Inspection reports about the application (in format "XML" or "PDF") can be generated in
Safety V&V and Safety Monitor. The base for these inspection reports is the application
data process by CAEx safety. Accidental corruptions of the application data are
documented in the inspection report. Moreover, accidental corruptions of the XML
inspection report can be recognized.
· On the controller there is another check making sure that the data can be processed
according to the restrictions of the controller.
CAEx safety automatically uses the user identification, when the result of the examination
measures (validation, verification, release) is recorded in Safety V&V.
The user identification of the person is used under which he/she logged on.
Warning
Only authorized persons may have access to the workstations used during verification, validation, release
and for download.
Appropriate measures must be adopted for unattended workstations (during interrupts, breaks etc.).
Make sure that all persons using the workstation are authenticated correctly.
Note
Example for restricted access:
Apply the operating system features "Locking the computer" and "Screen saver password" when leaving
the workstation unattended. Disclose the required password to authorized persons only.
Safety V&V and Safety Monitor allow to check under which user identification the modifications will be
made resp. have been made. The workflows instruct to check this user identification.
When the examination measures are recorded in Safety V&V, CAEx safety also uses the date
and the time as specified in the operating system.
Note
Change the settings for date/time of the operating system only, if it is imperative to do so (e.g. adjustment
to daylight saving time). Subsequently, the changed timestamp is used in Safety V&V, when the
examination measures are recorded.
Contents
8.1 General
The shutdown of a plant or machine must occur within a defined time. This time is called
system response time.
The system response time is that time measured between the change of input signal (sensor
DI-6170 or AI-6370) and the output of the tripping signal (actuator DO-6270).
The detection of a safety-relevant error in the system must cause the system to be brought to
a safe state within this time and be kept in it.
The system response time is dependent on the configuration. A distinction is made between
the following configurations:
The maximum achievable system response time (from the change of input signal until output
of the tripping signal) is 100 ms.
The system response time is dependent on the settable cycle time of the sPLC.
The following times must be analyzed for the consideration of the system response time:
TERF ... 10 ms; time for the acquisition on the DI-6170 or AI-6370
TBUS ... 20 ms; time for the processing of the bus transmission
TSPLC . time for the processing of the safety open-/closed loop control function
TDO .... 10 ms; time for the output on theDO-6270
Note
The minimum cycle time TSPLC for the processing is dependent on the number of
processing blocks.
TBUS is comprised of the regular duration for the processing of the communication and the
number of tolerable transmission errors (Retries).
The maximum achievable system response time (from the change of input signal until output
of the tripping signal) is dependent on the bandwidth of the communication between the
automation units and on the settable cycle times of the two sPLCs.
The following times must be analyzed for the consideration of the system response time:
TERF ......... 10 ms; time for the acquisition on the DI-6170 or AI-6370
TBUS ..... 20 ms; time for the processing of the communication
TSPLCM .. parameter-settable cycle time for the safety open-/closed loop control function
in the master basic system element
TWD .......... parameter-settable watchdog time for the secure communication between basic
system elements / automation units
TSPLCS .. parameter-settable cycle time for the safety open-/closed loop control function
in the slave basic system element
TDO ...... 10 ms; time for the output on the DO-6270
The minimum cycle time TSPLCM and TSPLCS for the processing is dependent on the number of
processing blocks.
TBUS is comprised of the standard duration for the processing of the communication and the
number of tolerated transmission errors (Retries).
The parameter-settable watchdog time for the secure communication between basic system
elements / automation units is calculated from:
TCYC ..... parameter-settable transmit cycle time for the secure communication between
basic system elements / automation units
F.......... Factor for the maximum permitted number of retries of the communication
channel between basic system elements / automation units
0 = No Retries
The parameter-settable transmit cycle time for the secure communication between basic
system elements / automation units is calculated from:
TCOM .... Transmission time of the message on the transmission link between basic
system elements / automation units
MAX(TSPLCM, TSPLCS)
The greater cycle time for the safety open-/closed loop control function of
master or slave basic system element is to be selected.
TCOM is dependent on the protocol, the type of traffic (point/point, Master/Slave, etc), the
bandwidth and the availability of the communication connection and is comprised of the
standard duration for the processing of the communication without retries.
Contents
Note
To get to valid parameters the safety code generation and the 1703 converter must be activated.
The consistency check controls whether the verified, and if applicable also released safety
parameters match the parameters of the standard firmware.
The configuration of the safety I/O modules is also contained in the safety parameters. The
PROFISafe Master (Safety-Layer) is configured based on this configuration.
In addition the configuration of the safety I/O modules is checked against the standard
configuration. E.g. if it concerns a USIO66 on which the safety I/O module is configured.
9.1.3 DI-6170
The test cycling is used to check the circuitry and the external wiring.
Note
A test cycling is only meaningful when using switches without own power supply and without own testing.
9.1.4 DO-6270
The parameter relaistype_SAFE defines for each output the use (relay with or without
electronics).
This parameter is determined in the OPM II by assigning an image. With a parameter change
a reset is required.
In this type the output including the relay coil is proofed by following tests:
In this type (without relay coil) the output is proofed by following tests:
Note
Examples for external circuitry can be found in document SICAM TM – I/O Modules .
The safety PLC parameters are the parameters in which the user program is stored. The user
program is created by the user in the Toolset CAEx plus in function diagram technology. The
function diagram in graphic form is the common root of the diversified 2-channel control
parameters.
By means of the parameter safe state at channel error the behavior of the safety
controller with the occurrence of a channel error (e.g. fault of an input information, global error
is detected by the user program) can be parameterized by the user.
With the parameter Failure Behavior it is set on the BSE how it behaves after fatal errors.
It is recommended to set this parameter to “Shut down firmware” so that in the event of an
error the safe state is adopted.
Contents
The calculation of the safety-technical characteristic values are based on a life expectancy of
20 years, as normatively required.
The device type according to IEC 61508/Part 2 (chapter 7.4.4.1.3) equates type B.
The calculation of the fault rate is done for safety functions which are operated in the
operating mode with high demand rate or in the operating mode with continuous demand
(PFH). The control is suitable for this operation purpose.
Principle it is possible to use the control also for safety functions in operation mode with low
demand (PFD).
10.3.1 MTBF
The failure rates of a module are calculated from the failure rates of the components.
The manual MIL 217E serves as a basis for this. The data from MIL 217E are basically worst-
case data.
After non-elementary influencing components for the calculation have also been taken into
consideration for the function, the MTBF specified in the tables can still be multiplied with the
factor 2 to 10.
During the design of the modules consideration was given to a long operating duration.
Therefore, for the Safety I/O Modules no components with limited service life are used.
Consequently, e.g. the use of electrolytic capacitors was dispensed with.
A proof test interval is not defined, the life cycle of the product is 20 years (analog modules
are restricted to 10 years). Afterwards the modules must be replaced.
If other components within the safety chain (e.g. emergency off, relay, contactors, ...) require a
proof test, then you have to comply to the resulting proof test interval.
Note
An exception is the module AI-6370. For details refer to SICAM TM – I/O Modules (DC6-041-2.05)
Note
A function test of the application (e.g. switch off outputs on activation of emergency stop) does not apply
as proof test for the control.
The declarations of conformity of the safety modules can be called up in Online Support
Products. If you have no access please consult your project manager at Siemens.
Contents
11.1 General
CAEx safety restricts the scope of the programming possibilities available according to "IEC
61131-3 (2003)". This reduces the risk of programming errors.
Warning
Stick to the guidelines that are given in this section, when you are creating an application in the
programming system so that the workflows presented in this document (see section 7.) can be executed
without problems.
Note
Consult the "CAEx plus Online-Help (2012)", if you need more information on the CAEx plus guidelines.
If you need information on an IEC block or a safety block, consult the accompanying HTML documentation
of the specific block.
Start this documentation by selecting the block in the programming system CAEx plus V5.2 B320 and by
pressing the F1-Key.
Only create the following CAEX plus-objects within a resource of the CAEX plus project:
· program instances
· type instances
Note: A type instance will be processed as program instance by CAEx safety.
Subsequently, Safety V&V displays the instance below the resource and the type below
Library with objects to be examined.
· 1 Task
· global-variable objects
Only create the following CAEx plus objects in the CAEx plus project for the programming:
· program types in FBD
· function block types in FBD
· functions in FBD
· data types
All CAEx plus objects in the scope of the resource must have unique names. This is also valid
for objects of different types, even if they are located in other folders than the resource folder.
Example: In case of type instance "GateSimulation", there must be no other object with
name "GateSimulation" in the same scope of the resource. This is also valid for the used
program types, function block types, functions and data types.
Observe the sections Logic and POU interface resp. global variable, if you create the contents
of the corresponding CAEx plus object.
11.3 Logic
If you create the contents of instances resp. of POUs (program organization units = program
types, function block types and functions), the following guidelines apply:
· Create the instance/POU only in FBD (function block diagram) and with page size "A4
landscape".
· Within the instance/POU, only use objects of the following type for a programming in which
the data flow goes "from the left to the right":
─ blocks (function block instances and function invocations) with inputs on the left edge
and with outputs on the right edge
Such blocks are the following CAEx plus objects in the CAEx plus project:
− user-defined function block types resp. functions in FBD
− supported IEC blocks (see section 8.5.3.)
− safety blocks (see section 8.5.4.)
─ value fields for variables/constants for data flow "from the left to the right"
Do not use flipped value fields in CAEx plus.
─ connectors and continuations for data flow "from the left to the right"
Do not use flipped connectors/continuations in CAEx plus.
─ completely connected segments (lines) with elementary data type (see section 8.5.1.),
with safety data type (see section 8.5.2.) or with supported user-defined data types
(see in section 8.3)
─ comment fields
· All objects of one type are displayed with the same, fixed object properties in Safety V&V .
The following object properties are affected:
─ colors for background, frame, fonts
─ frame layout (e.g. width)
─ font and alignment of texts
─ graphics
─ attachment of a comment field to a drawing field object
· Do not use any of these design possibilities for depicting information that are safety
relevant (e.g. important comments in comment fields with red background color).
· Do not use the following elements for function block instances resp. function invocations
because they are not displayed in Safety V&V and hence, they cannot be reviewed:
─ attribute INLINE
─ attribute Retain
If you create the POU interface or the variables (in instances, POUs and global-variable
objects), the following guidelines apply:
In case of the workflow with the delta examination, consider also the effects on the explorer in
Safety V&V with activated compare view, if you modify an application in CAEx plus and you
review the modifications:
Nr. This modification in CAEx plus: has Safety V&V with compare mode displayed the
following:
1. An object (e.g. a program instance) In the explorer, the object will be displayed as:
is renamed in the CAEx plus · "new" for version "A"
project. Consequence for the corresponding tab (e.g. tab Logic
Note: If the object is a block that or Global variables): The entire contents of the object
has already been set in the logic of will be displayed as "new".
an POU or an instance, this change · "deleted" for version "B" (resp. version "C")
can affect the display in tab Logic Consequence for the corresponding tab (e.g. tab Logic
for the POU/instance; see no. 6). or Global variables): The entire contents of the object
will be displayed as "deleted".
Reason: The object name is used as key for the
comparison of the project contents (the contents of the
objects).
2. A variable in an existing In tab Variables, the variable will be displayed as:
POU/instance is renamed. · "new" for version "A"
· "deleted" for version "B" (resp. version "C")
Reason: The name of the variables is used as key for the
comparison of the variables.
3. A variable in an existing global- In tab Global variables, the global variable will be
variable-object is renamed. displayed as:
· "new" for version "A"
· "deleted" for version "B" (resp. version "C")
Reason: The name of the global variables is used as key
for the comparison of the global variables.
4. A structure element in an existing In tab Data type, the structure element will be displayed
data type is renamed. as:
· "new" (in the field on the left) for version "A".
· "deleted" (in the field on the right) for version "B" (resp.
version "C")
Reason: The name of the structure elements is used as
key for the comparison of the data type content.
5. The instance name of a block (of a In tab Logic, the block will be highlighted by:
function block instance resp. of a
function invocation) has been · (as new element) for version "A".
changed within an existing · (as deleted element) for version "B" (resp.
POU/instance. version "C").
The instance name can Reason: The instance name is used as key for the
automatically and manually be comparison of blocks within the logic. A list of all logic
changed in CAEX elements and their key for the comparison can be found in
Example for the automatic the CAEx safety online-help.
change: You replace the existing
block by another one.
6. Special case "combining no. 1) and In tab Logic for the POU/instance in which the block is set,
no. 5)": the block is highlighted by (as code-relevant
· See no. 1): A block (a function change).
block instance resp. function Reason: The instance name is used as key for the
invocation) is renamed in the comparison of blocks within the logic.
project.
· This block has already been set
in the logic of an POU or an
instance. A new instance name is
automatically entered by updating
the POU contents in CAEx plus;
see no. 5).
· See no. 5): You correct the new
instance name to the one
previously assigned.
When programming, you will be using "ready-made" CAEx plus data types and CAEx plus
blocks. The subsections inform about specific guidelines and restrictions applying for these
CAEx plus data types and CAEx plus blocks.
Warning
Use the supported CAEx plus blocks only with the range of values that is valid for the block.
Warning
In case of data types TIME, DATE, TIME_OF_DAY und DATE_AND_TIME you must use only integer
values (resolution 1 ms) within the following range of values:
lower limit: –7.730.063.005.354.400 ms
upper limit: 7.730.063.005.354.400 ms
In case of all other data types, you must use the values within the range of values valid for CAEx plus.
See "CAEx plus Help (2012)", keyword "Data Type, Range of Values"
Segments (lines) type-coded with one of these data types are displayed in Safety V&V with a
color appropriate for the data type. This color is also used for connected value fields,
connectors and continuations.
Warning
The safety data types are derivations of the corresponding elementary data type. For instance, SAFEBOOL
is the derivation of BOOL.
The safety data types SAFEINT and SAFEREAL serve only to emphasize visually safe signals and safe
information flows. They do not realize a safeguarding of the signal flow.
The safety data type SAFEBOOL can be used to safeguard the signal flow (see the following note on
SAFEBOOL).
Consider that if the SAFEBOOL has an invalid condition, the processing on the controller will be aborted at
once.
Note
It is possible to recognize invalid conditions, when using SAFEBOOL.
Fixed bit patterns are assigned to (safe) TRUE and (safe) FALSE on the controller. If blocks with
inputs/variables of data type SAFEBOOL are processed and there are deviations of the assigned patterns
during this processing, the controller recognizes such deviations and aborts the processing.
Segments (lines) type-coded with one of the safety data types are displayed in Safety V&V
with color "Yellow". This color is also used for connected value fields, connectors and
continuations.
The safety data types are available in the sub-library "DataType" of the safety library
"SafetyIEC61131-3". They can be used like the elementary data types in CAEx plus for the
project engineering (e.g. enter the name in field Declaration when declaring the variable).
The IEC blocks are functions and function blocks as described in "IEC 61131-3 (2003)" resp.
provided as enhancement for it. They are contained in the sub-libraries of the library
"SICAM1703_Safety". Exceptions: "SafetyIEC61131-3”, "SafetyIEC61131-3-Ext”, "System
Function”
Warning
Use appropriate design measures to make sure that the supported IEC blocks are only connected with
values that are valid for the input data type of the IEC block and that are within the range of values of the
output data type of the IEC block.
This must be applied in particular, if you are using the "Convert" blocks from the IEC libraries. Mind the
precision of the values (integer vs. floating point) and the admissible range of values (values not outside
the upper/lower limit).
Apply the following rule for the admissible range of values:
If the input data type has a bigger range of values than the output data type, the inputs of the block must
only be connected with values within the smaller range of values of the output data type.
If uncertain, do not use the "Convert" blocks from the IEC libraries.
Example how values outside the upper/lower limit might arise: The "Convert" block AtoInt is
connected with data type REAL. (Thus, a value in format REAL is converted to format INT.)
In this case, make sure that only values admissible for INT (lower limit: -32768, upper limit: 32767)
are connected to the input. To do so, check the admissible values regarding upper/lower limit by using
an appropriate "Compare" block (EQ, GE, GT, LE, LT, NE) in the logic.
Warning
Only use the safety blocks when programming for emphasizing the safety-related logic.
The safety blocks do not include any integrated safety function, such as redundant calculations by
comparators.
Consider that the ENO output of a safety block is set to FALSE and a global error is set as central error
information, if a problem occurs during the processing of this safety block (such as the overflow with an
adder block). The outputs of the faulty safety block are set to FALSE resp. 0 as well.
Use block SI_GetGlobalError (available in the safety library "Safety-IEC61131-3" – sub-library
"GlobalError") in the application to retrieve the state of the global error: Output OUT1 of
SI_GetGlobalError is set to TRUE.
If you are using the blocks SI_ResetGlobalError resp. SI_SetGlobalError to change the state of
the global error, use appropriate design measures to make sure that the change does not compromise or
influence the safety function of the E/E/PE system.
If uncertain, do not use these blocks.
The safety blocks are variants of the appropriate IEC blocks resp. enhancements for it. They
are contained in the safety library "SafetyIEC61131-3", which is available in the object
"SICAM1703_Safety".
The following characteristics help to distinguish the safety blocks from the IEC blocks in the
programming:
Observe that the safety blocks may only be connected with safety data types. Exception:
Other data types are possible for the safety conversion blocks and the safety timer-blocks only
(available in the corresponding sub-libraries of "SafetyIEC61131-3").
A safety conversion block converts the elementary data type BOOL, INT or REAL into the
safety data type SAFEBOOL, SAFEINT or SAFEREAL and vice versa.
The safety conversion blocks are available in the safety library "SafetyIEC61131-3", namely in
sub-library "Convert".
Warning
If a standard signal is converted to a safe signal (by the safety conversion block SI_BOOL_TO_SAFEBOOL,
SI_INT_TO_SAFEINT or SI_REAL_TO_SAFEREAL), use the appropriate design measures to make sure
that the conversion does not compromise or influence the safety function of the E/E/PE-system.
Example for design measure: usage of 2-out-of-3-logic
SIEMENS recommends to specify your own guidelines for the following items in your
development process, although CAEx safety has no restrictions for them:
The following tables provide an overview of the reserved keywords according to "IEC 61131-3
(2003)".
Please observe that the case of characters is not significant in keywords. For instance, the
terms "FOR" and "for" are equivalent.
Table 8 – Date and time of day literals according to "IEC 61131-3 (2003)"
Feature description Prefix Keyword
Date literals (long prefix) DATE#
Date literals (short prefix) D#
Time of day literals (long prefix) TIME_OF_DAY#
Time of day literals (short prefix) TOD#
Date and time literals (long prefix) DATE_AND_TIME#
Date and time literals (short prefix) DT#
Note
The following table 10 is an extract of "IEC 61131-3 (2003)" concerning the keywords.
The table 10 in "IEC 61131-3 (2003)" is containing additional information on the range of values and
precision of representation per data type.
The generic data types are keywords as well and identified by the prefix ANY.
If the EN input of a module is used, the outputs of this module must not be wired directly with
signals. In this case a MOVE module must be connected between module output and signal.
Contents
A.1 Planning
Tasks Yes No
Have relevant points of the risk analysis been observed and implemented? □ □
Are the process requirements defined? □ □
e.g. response times, error reactions
Have the following been defined/described according to the standard used (EN □ □
ISO 13849-1 or EN 62061):
− The entire safety functions?
− The implementation of the requirements?
Has the safe startup been planned for the plant/machine? □ □
e.g. prevent automatic startup
Are all required operating states of the plant determined? □ □
Are the existing operating elements of the plant named? □ □
Are the existing accessory equipment of the plant named? □ □
Is it determined, which locally valid regulations must be observed? □ □
Are the test specifications defined for commissioning? □ □
Have the safety measures been described separately? □ □
Has a spatial cordoning off of the plant or danger zone been planned? □ □
Has password protection been provided? □ □
Has maintenance and test of the plant, modules been planned after □ □
commissioning?
A.2 Programming
Tasks Yes No
Have relevant points from the risk analysis been observed and implemented? □ □
Have safety modules with mixed input interface been adequately commented? □ □
(e.g. I/O assignment)
Have special plausibility tests been planned, if non-safe signals or variables □ □
influence safety functions?
Have special test procedures been defined for the commissioning? □ □
System Check
Is the target configuration suitable for the required function? □ □
Does the I/O assignment including hardware suit the required function? □ □
Have the test clock pulses been configured? □ □
Has the preliminary cycle time for tasks been specified, cycle time optimized □ □
during commissioning?
Has a device naming been carried out for all devices in the project? □ □
Have hints/notes (Errors, Warnings) been observed during the realization of the □ □
project?
Have hints/notes (Diagnostics) been observed during parameter loading? □ □
Has an Offline Test been performed before loading the application program? □ □
A.3 Installation
Tasks Yes No
Have relevant points from the risk analysis been observed and implemented? □ □
Have the installation guidelines been observed? □ □
Has the wiring diagram been adhered to? □ □
Are inputs that are not assigned in the I/O assignment not wired? □ □
Have all the rules and regulations for the prevention of accidents valid for the □ □
place of use been observed and adhered to?
Have all regulations concerning protective measures valid for the place of use □ □
been observed and adhered to?
A.4 Commissioning
Tasks Yes No
Have relevant points from the risk analysis been observed and implemented? □ □
Have the assembly instructions been created under consideration of the risk □ □
analysis?
Have the safety measures been described? □ □
Has commissioning been performed based on the test specification? □ □
e.g. signal tests for inputs and outputs, functional test of the user program
Force Variables
Have relevant points from the separate risk analysis been observed? □ □
Have the implementations in chapter Guidelines for working with SICAM RTUs □ □
Safety been observed?
Has machine or danger zone been spatially cordoned off? □ □
Has attention been given to the time limit of “Force Variables”? □ □
− The function “Force Variables” must be stopped manually immediately after
setting into operation.
− The function “Force Variables” is stopped automatically after 12 hours at
the latest.
General
Have the regulations been observed? □ □
e.g. Machinery Directive
Has a backup copy of the original project been created and saved according to □ □
the project backup plan?
Has the checksum of the original project been documented? □ □
Has the commissioning been documented? □ □
Has the safety function been approved by an independent body or third person? □ □
Has it been checked whether the correct version of the application program is □ □
running in the destination system?
Tasks Yes No
Have relevant points from the risk analysis been observed and implemented? □ □
Have the SICAM systems been switched to the STOP state before the □ □
exchange?
Have the safety requirements been adhered to for the following activities? □ □
(see corresponding checklists):
− Planning
− Programming
− Installation
− Commissioning
Have the specifications in the system description been observed during the □ □
exchange of the memory card (SD card) on a SICAM system?
Have the modifications been documented? □ □
Has the (re-) commissioning been carried out and documented? □ □
(see checklist “Commissioning”)
Has a backup copy of the original project been created and saved according to □ □
the project backup plan?
Has the checksum of the new original project been documented? □ □
Literature
IEC 61131-3 (2003) standard IEC 61131 part 3 "Programmable Controllers - Programming
Languages"; basis for a standardized programming for PLCs considering the modern
concepts of software technology, International Electrotechnical Commission, published in
2003
CAEx plus Help (2012) product documentation "CAEx plus Help" V5.2 B320, published in
2012 for CAEx plus version 5.2 build 320; The CAEx plus help can be started from within the
application CAEx plus V5.2 B320 and contains information how to use the programming
system CAEx plus.
A
AU
Automation Unit
Application program
Logical arrangement of all program language elements and constructs, that are required for the intended
signal processing for the control of a machine or of a process with a PLC system (acc. to
IEC 61131-12.1).
With CAEx plus application programs for open-/closed-loop control functions are created. An application
program comprises the task(s) and the related program instances and type instances. An application
program is executed by a resource ( CPU).
Article 95 EC Treaty
Article 95 of the EC Treaty defines analogously, that the member states must all implement the European
Directives referring to this article into national law. These directives are, expressed another way, to be
translated in identical content into national law and represent quality requirements on goods. No member
state may create, by means of national regulations, conditions that prescribe higher or lower
specifications on goods.
Automation unit
An automation unit is a modular structured device for the acquisition, processing and output of process
information. It communicates in automation networks via a serial or Ethernet protocols with other
automation units or control center systems.
An automation unit consists of at least 1 mounting rack or 1 DIN rail (depending on system), 1 power
supply and 1 basic system element, as well as optional peripheral elements and optional protocol
elements.
B
Basic system element
System element for processing of information according to different criterions (e.g. automation,
telecontrol, etc.) and for the administration of system functions (e.g. parameter, diagnosis, etc).
BSE
Basic System Element (master control element, processing and communication element)
Black channel
A transmission channel protected with the PROFISafe Layer on any transmission link not adequately
protected for SIL.
Is an unsafe transmission medium over which the data are however be transmitted corruption-proof. A
"black channel" does not ensure that the data are transmitted safely, rather ensures that a corruption of
the data caused by the transmission link is detected.
CAEx plus
Tool for the creation of application programs (Computer Aided Engineering), based on the tool logiCAD ®
from the company logi.cals ®
CAEx safety
Toolset for the safety-relevant tools such as "Safety V&V", "Safety Monitor" and "Safety Converter" of the
company logi.cals.
Checksum
data computed from a data block in order to detect errors that might have occurred during data
transmission or storage. The data integrity can be checked by recomputing the check sum and comparing
it with the original one. If they match, it can be assumed that the data were not modified (with or without
intention). The checksum value depends on the representation of the data. That means, different
checksum values are computed, if the data is mapped in XML format or in binary format. CAEx safety
uses the CRC32 algorithm for calculating the checksum .Compare "fingerprint"
Configuration
Configuration is used in a multiple meaning:
a) engineering of the configuration of an automation unit in the engineering tool
b) physical aligning and mounting of the configured hardware
– plugging in the slot defined by the configuration (slot addressing), or
– setting the address defined by the configuration, and plugging in an arbitrary slot (adjustable address)
Controller
The controller is a PE device that is part of the E/E/PE system. It is being used to control a machine or
plant, its programming is application-specific. See also "PE (programmable electronic)"
D
Delta examination
examination of a modified application during which the scope of the examination is restricted according to
the modifications. A major part of the delta examination is the complete identification of the functions that
are affected directly or indirectly. The scope of the delta verification and of the delta validation is deduced
from this identification.
Depassivation of channels
Dependent on the error class certain errors can also be remedied by the user without the exchange of a
module (e.g. wiring errors, configuration/programming errors). Following localization of the error a further
cyclic test is carried out. If the result of the running test of the module is, that there is no further error
present, the process values are then reactivated (“Depassivation”) and given the status “valid”.
Depassivation is only possible for input channels with errors of the error class < > system errors.
EM II
Configuration tool of SICAM TOOLBOX II (Engineering Manager II)
Examined user-objects
POUs (program types, function block types, functions) or data types that the supplier has already
verified/validated and that has been made an "examined user-object". Examined user-objects are not a
fixed part of the controller; compare "system blocks" and "system data types".
Firmware
Program that is not changeable by the user, that adds a predefined and parameter-settable functionality
to the hardware
Fingerprint
A fingerprint is the mapping of a bigger data block to a much shorter character string and serves to
identify this data block. In CAEx safety, the fingerprint is computed for the contents of the data and is
independent from the representation. This means, the same fingerprint values are computed, no matter if
the data is mapped in XML format or in binary format. Compare "checksum"
Functional safety
Functional safety is the capability of an electrical, electronic or programmable electronic system to remain
in the safe state or to switch to a safe state with the occurrence of random and/or systematic failures with
dangerous effect.
Part of the overall safety, relative to the machine and the machine control system, that depends on the
correct function of the SRECS (safety-related electrical control system), safety-related systems of another
technology and external equipment for the reduction of risks.
Function diagram
Graphical program for open-/closed-loop control functions according IEC 61131-3
FUD
Function diagram
FW
Firmware
IOA
Information Object Address
N
NIP
Network Interface Processor
M
Module Number
System-technical identification of a system element within an automation unit, part of the IOA in a
message with system-technical addressing. The other parts of the IOA are the value number and the
subaddress.
MTBF
MTBF = Mean Time Between Failure
MTTFd
MTTF = Mean Time To Failure
OPM II
Central SICAM TOOLBOX II configuration tool (Object-oriented Process Data Manager)
Passivation
One regards the “passivation” of a channel as the activation of the process value “0” with error status “1”
(“invalid”).
Passivation of the channels can be controlled both from the basic system element as well as from the I/O
module itself, for example after the detection of errors in the self-tests or following the occurrence of
communication errors.
Module-wide errors lead to the passivation of all channels of the relevant module. With the occurrence of
channel-specific errors only the affected channel data are passivated.
Passivation of channels can take place in every operating state.
PBA
Peripheral Module Address
The peripheral module address is set on the peripheral element by means of a rotary switch. A maximum
of 16 PE's can be configured on one Ax 1703 peripheral bus.
PE
Peripheral Element
PE (programmable electronic)
Definition according to "IEC 61508-4 (2010)":
based on computer technology which may be comprised of hardware, software, and of input and/or out-
put units
Note: This term covers microelectronic devices based on one or more central processing units (CPUs)
together with associated memories, etc.
Example: The following are all programmable electronic devices:
· microprocessors;
· micro-controllers;
· programmable controllers;
· application specific integrated circuits (ASICs);
· programmable logic controllers (PLCs);
· other computer-based devices (for example smart sensors, transmitters, actuators).
Peripheral element
The peripheral element is a supplementary system element for process data acquisition and/or control of
actuators. It communicates via the Ax-PE-Bus with the basic system element.
Performance Level
Discrete Level, that specifies the capability of safety-related parts of a control system to execute a safety
function under predictable conditions: from PL “a” (highest failure probability) to PL “e” (lowest failure
probability).
PFHD
Probability of dangerous failure per hour
Probability of a dangerous failure per hour.
PL
Performance Level
PLC
Programmable Logic Controller
POU
Program-Organisation-Units = program types, function block types, functions
PRE
Protocol Element
PROFIsafe
Safety-orientated bus profile of PROFIBUS DP/PA for the communication between the safety program
and the safe peripherals.
Protocol element
The protocol element is a supplementary system element for communication with other automation units
or control systems. It communicates via the internal bus (ZBG-Bus) with the basic system element.
RAMS
Reliability, Availability, Maintainability and Safety
Recommended (R)
A technique or measure is recommended for a corresponding Safety Integrity Level. This value can range
from a low to a high recommendation. [IEC 61508-3, Annex A].
Release
organizational measure (activity of an authorized person) by which the application is released as "ready
for operation" The release state of the application is recorded in Safety V&V by the V&V state "Release".
Review
static examination of an application in the course of which one/several natural and competent persons
examine the application (e.g. by using Safety V&V). Usually, reviews are part of the verification. Your
company's guidelines define whether the verification consists of review and test (e.g. unit tests) or review
only.
Safety Application
A user program created by CAEx plus and verified, validated and protected against corruption by CAEx
safety.
Safety Firmware
Is a firmware which has been developed according to the requirements of Functional Safety and
processes the Safety Application.
Safety Parameters
In this document Safety Parameters is used as summarization of the safe user program and the safe
parameters.
safe
free of unwarranted risks
Safe state
Basis of the safety concept in F-systems is, that a “safe state” exists for all process variables. With digital
I/O peripherals that is e.g. the value ‘0’.
safety-related system
Definition according to "IEC 61508-4 (2010)":
designated system that both
· implements the required safety functions necessary to achieve or maintain a safe state for the EUC;
and
· is intended to achieve, on its own or with other E/E/PE safety-related systems and other risk reduction
measures, the necessary safety integrity for the required safety functions
Safety function
Definition according to "IEC 61508-4 (2010)":
function to be implemented by an E/E/PE safety-related system or other risk reduction measures, that is
intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event
Safety integrity
Definition according to "IEC 61508-4 (2010)":
probability of an E/E/PE safety-related system satisfactorily performing the specified safety functions
under all the stated conditions within a stated period of time
Safety lifecycle
Definition according to "IEC 61508-4 (2010)":
necessary activities involved in the implementation of safety-related systems, occurring during a period of
time that starts at the concept phase of a project and finishes when all of the E/E/PE safety-related
systems and other risk reduction measures are no longer available for use
Safe operation
Operating state of the system, in which safety-oriented communication is possible over safety messages
and safety functions are guaranteed.
SD card
Secure Digital Memory Card; up to 2 GB storage capacity
SICAM TOOLBOX II
PC-based set of tools for configuration and service of SICAM automation units
SIL
Safety Integrity Level
Software lifecycle
Definition according to "IEC 61508-4 (2010)":
activities occurring during a period of time that starts when software is conceived and ends when the
software is permanently disused
SRCF
Safety-Related Control Function
Control function
Safety-related control function executed by SRECS with a defined Integrity Level, which is intended to
maintain the safe state of the machine or prevent an immediate increase of risks.
SRECS
Safety-Related Electrical Control System
Safety-related electrical control system of a machine (according to EN 62061), the failure of which leads
to an immediate increase of risks.
SRP/CS
Safety-Related Parts of Control System
Safety-related part of a control system (according to EN ISO 13849-1), that responds to safety-related
input signals and generates safety-related output signals.
SSE
Supplementary system element
SSM
Tool for the administration of SICAM TOOLBOX II data (Siemens Stammdaten Manager); reserved for
developer of Siemens AG.
· Status "A" is the last status generated in the SICAM TOOLBOX II.
This corresponds with the current application status and can be subjected to a review with Safety
V&V.
· Status "B" is the last status loaded in the destination system.
· Status "C" is the last status released in the SICAM TOOLBOX II.
During the delta examination status “A” is compared with one of the other two statuses.
Standard operation
Operating state of the system, in which the safety functions are not guaranteed.
Standard application
Is the user program of the standard firmware.
Standard firmware
Is a firmware which cannot be loaded according to the requirements of Functional Safety.
System element
Functional unit consisting of hardware and firmware
System blocks
POUs (function block types, functions) that are a fixed part of the controller. Compare "examined user-
objects" and "system data types".
T
Target system
Synonym for "controller"; This term is used, if the description refers to a concrete controller type.
Test
systematic examination of the functionality of an application by a natural and competent person. Usually,
the dynamic test is meant with the application being executed. Your company's guidelines define whether
the verification and/or validation include (dynamic) tests.
TM
Terminal Module; Module for mounting on a DIN-rail
TM-Bus
Bus between peripheral control module (Master) and I/O-module (Slave)
V
Validation, validate
documented, objective line of argument that an application correctly meets the specific requirements (the
original aims of the customer) for the indented usage. The validation state for the application can be re-
corded in Safety V&V by the V&V state "Validation".
Definition according to "IEC 61508-4 (2010)":
Confirmation by examination and provision of objective evidence that the particular requirements for a
specific intended use are fulfilled […] Therefore, for example, software validation means confirming by
examination and provision of objective evidence that the software satisfies the software safety
requirements specification.
Verification, verify
formal, objective examination of an application whether it and its used elements are conform to a
specification and/or whether they fulfill the given specification. The verification state for the application can
be recorded in Safety V&V by the V&V state "Verification".
Definition according to "IEC 61508-4 (2010)":
Confirmation by examination and provision of objective evidence that the requirements have been fulfilled;
In the context of this standard, verification is the activity of demonstrating for each phase of the relevant
safety lifecycle (overall, E/E/PE system and software), by analysis, mathematical reasoning and/or tests,
that, for the specific inputs, the deliverables meet in all respects the objectives and requirements set for
the specific phase.
V&V state
state for verification, for validation and for release of an application; The current V&V state of an
application can be recorded in Safety V&V.