
Safety Concept: Distributed Safety

Siemens AG © 2009

Contents (page)
Conventional Safety Technology ... 2
Example: Conventional Safety Technology ... 3
Safety Integrated Technology ... 4
Example: Safety Integrated Technology ... 5
SIMATIC Safety Integrated: Required Hardware ... 6
SIMATIC Safety Integrated: Required Software ... 7
Safety Concept - Distributed Safety: Hardware and Firmware Expansions ... 8
Safety Concept - Distributed Safety: Safety-related Communication with PROFIsafe (1) ... 9
Safety Concept - Distributed Safety: Safety-related Communication with PROFIsafe (2) ... 10
Safety Concept - Distributed Safety: Safety-related Communication with PROFIsafe (3) ... 11
Safety Concept - Distributed Safety: Safety Program (1) ... 12
Safety Concept - Distributed Safety: Safety Program (2) ... 13
Distributed Safety: Libraries ... 14

SITRAIN Training for Automation and Industrial Solutions
Page 1 ST-PPDS
Safety Concept: Distributed Safety
Conventional Safety Technology
Slide diagram: Standard level: Standard Host / PLC (DP master, Class 1) with Standard I/O (DP slaves) on PROFIBUS DP. Safety level: either conventional relay safety technology (e.g. 3TK) or a safety controller with Safe I/O on a separate, protected safety bus. Open questions raised on the slide: Wiring? Flexibility? Volume?
SITRAIN
ST-PPDS / Safety Concept: Distributed Safety Page 2 Siemens AG © 2009

Conventional Safety Technology: Standard and safety functions are implemented with separate controllers and bus systems. Safety functions can be implemented either with safety relays or with failsafe controllers.

Example: Conventional Safety Technology
Slide diagram (Separate Standard and Safety Technology): Standard section of the plant to be controlled: SIMATIC S7 with STEP 7 basic package, ET200S distributed I/O on PROFIBUS, HMI device (START, STOP, Acknowledge, Error), control signals wired to the safety relay. Safety-related section of the plant: safety relay, Emergency Stop, safety door with position switches, contactors K1 and K2, motor.

Conventional Safety Technology: One standard PLC with distributed I/O (ET200S via PROFIBUS DP) controls the standard functions of a plant; a safety relay controls the dangerous machine function.

Functional Control: The dangerous machine function is switched via the two positively driven (forced) contactors K1 and K2, which are controlled in a safety-oriented manner by a safety relay. The safety relay receives the On/Off control signals for the functional On and Off via wiring from a digital standard output of the standard PLC, which for this purpose evaluates the corresponding signals from the plant (among other things, those of the operator panel) in the standard program.

Protective Functions: In order to protect the operator, the dangerous machine function is equipped with an Emergency Stop command device and an isolating protective device in the form of a safety door. As soon as a wiring error is detected, the Emergency Stop is pressed, or the safety door is opened, the safety relay, independently of the control signals of the standard PLC, shuts down the motor via the contactors K1 and K2 as per Stop Category 0 according to EN 60204-1.
Before every renewed switch-on, the safety relay checks whether the contacts of the Emergency Stop and the safety door are closed and whether the contactors have dropped out, i.e. their feedback contacts are closed.

Wiring: The wiring and architecture of the safety functions are implemented according to EN 61508 in SIL 3 or according to EN 954 in Cat. 4: the Emergency Stop command device and the position switch of the safety door are wired two-channel to the safety relay. To control the dangerous machine function, two contactors connected in series are used whose feedback or mirror contacts return a feedback signal to the safety relay.

Safety Integrated Technology
Slide diagram (Coexistence of Standard and Failsafe Communication): F-PLC, Standard Host / PLC, F-I/O and Standard I/O share one bus; PG/ES (engineering tool) with secure access, e.g. a firewall, via TCP/IP; repeater, DP/PA link and F-gateway to further master-slave bus segments with F-sensor, F-field device and F-actuator. F = Failsafe.

Safety Integrated Technology: Safety Integrated is the holistic safety concept for Automation and Drives from Siemens. Proven technologies and systems from automation are used for the safety technology. Safety Integrated covers the complete safety chain from sensor/encoder and actuator up to the controller, including safety-related communication via standard field buses. In addition to their functional tasks, drives and controllers also take on safety tasks. Besides reliable safety, Safety Integrated technology enables higher flexibility and productivity.
Standard and safety-related stations are linked via a common bus system. The bus can be PROFIBUS, PROFINET or a combination of both, since failsafe communication is possible even across bus boundaries.

Benefits: The integration of safety technology in standard automation systems results in the following important benefits:
• more flexibility than electromechanical solutions
• reduced wiring overhead
• only one CPU is necessary because of the coexistence of the standard and safety program
• simple communication between standard and safety program
• reduced engineering overhead, since a standard engineering tool is used for configuring and programming

Example: Safety Integrated Technology
Slide diagram (Standard and Safety Technology Integrated in one System): one F-CPU runs both the standard functions and the safety functions; STEP 7 basic package plus Distributed Safety; F-DI and F-DO modules coupled via PROFIsafe; standard HMI device (START, STOP, Acknowledge, Error); contactors K1 and K2.

Safety Integrated: One PLC with failsafe CPU (F-CPU) and distributed I/O stations (ET200S via PROFIBUS DP) controls the standard as well as the safety functions.

Functional Control: The dangerous machine function is switched via the two positively driven (forced) contactors K1 and K2, which are now no longer controlled in a safety-oriented manner by a safety relay but rather from the safety program of the F-CPU in conjunction with safety-related input and output modules.
The conditions for the functional On and Off are still evaluated by the standard program, which informs the safety program through variables (such as memory bits) when the contactors are to be switched on and off.

Protective Functions: The previously described protective functions are no longer handled by the safety relay but rather by the safety program of the F-CPU and the safety-related input and output modules (F-DI/DO):
As soon as a wiring error is detected, the Emergency Stop is pressed, or the safety door is opened, the safety program must shut down the motor, i.e. the contactors K1 and K2, as per Stop Category 0 according to EN 60204-1, independently of the control signals of the standard program.
The wire monitoring of the safety-related actuators and sensors now takes place through the F-DI/DO modules.

Wiring: The wiring and architecture of the protective functions according to SIL 3 (EN 62061) or Cat. 4 (EN 954) are unchanged in principle:
The Emergency Stop command device and the position switch of the safety door are still wired two-channel, however no longer to a safety relay but rather to an F-DI module of the safety-related ET200S station.
To switch the dangerous machine function, two contactors connected in series are still used. Now they are controlled by an F-DO module, and their feedback or mirror contacts are evaluated by the safety program.

SIMATIC Safety Integrated: Required Hardware
Slide diagram: the previous standard CPU (CPU315-2PN/DP) is exchanged for a failsafe CPU (CPU315F-2PN/DP); the previous standard ET200S station is expanded with failsafe modules to a failsafe ET200S.

F-CPU: As a rule, it is sufficient if the F-CPU used fulfils at least the same requirements as the previously used standard CPU with regard to performance data or performance profile (including communication possibilities). The most important characteristic values are the CPU processing speed, from which the cycle time and thus the response time of the automation system result, and the size of the working memory, which must accommodate the execution-related parts of the standard and safety programs.

F-DI/DO: Standard and safety-related input and output modules (F-DI/DO) can be operated together in mixed configurations. The F-DI/DO modules required in place of the safety relay can also be integrated in an already existing ET200S station. All I/O modules already in use, including their wiring, can continue to be used unchanged.
If the dangerous function of the plant is implemented in SIL 3/Cat. 4, then the F-DI and F-DO modules must be inserted into a separate potential group, or must be isolated from the standard modules by an additional power module (PM) (see slide).

PROFIsafe Communication: The safety-related communication between the F-CPU and the F-DI/DO modules using PROFIsafe is integrated in the failsafe modules. It is executed automatically and does not have to be programmed, regardless of whether the F-DI/DO modules are used centrally or distributed via PROFIBUS or PROFINET. Already configured standard communication remains unaffected by the safety-related communication via PROFIsafe.

SIMATIC Safety Integrated: Required Software
Slide table:
Mandatory (configuring / programming):
• STEP 7 basic package: all standard functions; configuring and parameter assignment of F-modules
• "Distributed Safety" option package: safety program configuring, programming, verifying, documenting
Optional (configuration support):
• ET200 Configurator: any ET200 stations; exporting; creating parts lists

Distributed Safety: The software package "Distributed Safety" is an option to the STEP 7 basic package and is used to program or generate and document the safety program.
The configuring and parameter assignment of F-modules is done with the standard "HW Config" tool of the STEP 7 basic package, which is expanded accordingly with the installation of "Distributed Safety".
The standard program can be executed unchanged. Only the additional safety program required for controlling the safety functions has to be created with the option package "Distributed Safety".

ET200 Configurator: Optionally, the "ET200 Configurator" tool is also available. With the configurator, ET200 stations can be configured easily with graphical support and checked for their feasibility in various safety categories. The station configured in this way, including accessories, can be printed out as a parts list and/or exported into a STEP 7 project.

Safety Concept – Distributed Safety: Hardware and Firmware Expansions
Slide diagram: the standard hardware and firmware (standard program: acquire, analyze, respond, between sensor and actuator) are supplemented by F-hardware and firmware and by communication with the PROFIsafe profile.
F-CPU: operating system expansions, protection mechanisms.
Failsafe input modules: discrepancy analysis, short-/cross-circuit monitoring.
Failsafe output modules: wirebreak monitoring, light/dark test.

Standard I/O and Program: When integrating safety-related functions in a SIMATIC controller, the standard control functions and their implementation can continue to be used almost unchanged:
• standard I/O modules and their wiring
• standard program

F-I/O: Essentially, the difference between failsafe modules and standard modules is that failsafe modules are designed two-channel internally. The two integrated processors monitor one another and automatically test the input and output circuits. In case of a fault, they put the F-module into a safe state.
Failsafe digital input modules acquire the signal states of safety-related sensors/encoders (for example, Emergency Stop pushbuttons), carry out short-circuit and cross-circuit tests as well as discrepancy analysis, and send appropriate safety message frames (telegrams) to the F-CPU.
Failsafe digital output modules are suitable for shutdown procedures with short-circuit monitoring up to the actuator.
The F-I/O modules communicate with the failsafe CPU via the safety-related bus profile PROFIsafe.

F-CPU: Only the standard CPU is exchanged for a safety-related F-CPU. This unit combines the functionality of a standard CPU with that of a safety CPU. With an operating system extended with protective mechanisms, standard and safety-related user programs can be executed on one CPU.

PROFIsafe: PROFIsafe is the first open standard (IEC 61784) for safety-related (failsafe) communication that allows standard and safety-related communication over one and the same connection (cable, or wireless via WLAN).
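The discrepancy analysis of a two-channel input described for the F-DI modules, together with the feedback-contact check before a restart described for the conventional safety relay on page 3, can be modelled in a few lines. The following simulation is an added example for illustration; it is not Siemens code and not the logic of any F-DI module. The scan time, the discrepancy time, the signal names and the chosen reaction (latch the fault until acknowledged, refuse a restart while the contactor feedback contacts are open) are assumptions made here.

```python
"""Two-channel safety input evaluation with discrepancy monitoring, plus the
feedback-contact check before a restart, as a small simulation.

Added example for illustration only; it is not Siemens code. The discrepancy
time, the scan time and the signal names are assumptions made here."""
from dataclasses import dataclass, field

SCAN_MS = 10               # assumed cycle time of the simulated evaluation
DISCREPANCY_TIME_MS = 500  # assumed: longest tolerated disagreement of the two channels


@dataclass
class TwoChannelInput:
    """Equivalent two-channel contact: both channels closed (True) means no demand.

    A disagreement that lasts longer than the discrepancy time is treated as a
    wiring fault (broken wire, cross-circuit, stuck contact) and latches until
    it is acknowledged, which is how a discrepancy analysis behaves."""
    name: str
    discrepancy_time_ms: int = DISCREPANCY_TIME_MS
    mismatch_ms: int = 0
    fault: bool = False

    def evaluate(self, ch1: bool, ch2: bool) -> bool:
        if ch1 != ch2:
            self.mismatch_ms += SCAN_MS
            if self.mismatch_ms > self.discrepancy_time_ms:
                self.fault = True
        else:
            self.mismatch_ms = 0
        # Only an agreeing, fault-free pair of closed contacts counts as safe.
        return ch1 and ch2 and not self.fault

    def acknowledge(self) -> None:
        self.mismatch_ms = 0
        self.fault = False


@dataclass
class SafetyLogic:
    """Safety relay / F-program logic driving the series contactor pair K1, K2."""
    estop: TwoChannelInput = field(default_factory=lambda: TwoChannelInput("Emergency Stop"))
    door: TwoChannelInput = field(default_factory=lambda: TwoChannelInput("Safety door"))
    enable: bool = False    # True: K1 and K2 energised, the motor may run
    start_denied: str = ""  # reason the last start request was refused

    def scan(self, estop_ch, door_ch, feedback_closed, start_request=False, ack=False) -> bool:
        """One evaluation cycle; returns the new state of the enable output.

        feedback_closed is the series feedback (mirror) contact of K1 and K2,
        which is closed only when both contactors have dropped out."""
        if ack:
            self.estop.acknowledge()
            self.door.acknowledge()
        # '&' instead of 'and' so both discrepancy timers are updated every cycle.
        safe = self.estop.evaluate(*estop_ch) & self.door.evaluate(*door_ch)
        if not safe:
            # Stop category 0: remove power at once, independent of the
            # standard program's control signals.
            self.enable = False
        elif start_request and not self.enable:
            # Restart interlock: both contactors must have dropped out
            # (feedback closed) before they are energised again.
            if feedback_closed:
                self.enable = True
                self.start_denied = ""
            else:
                self.start_denied = "feedback contacts open: K1/K2 have not dropped out"
        return self.enable


def demo() -> dict:
    """Constructed scenario: start, E-Stop wiring discrepancy, acknowledge, restart."""
    logic = SafetyLogic()
    closed = (True, True)
    out = {}
    logic.scan(closed, closed, feedback_closed=True)
    out["start_ok"] = logic.scan(closed, closed, True, start_request=True)
    logic.scan(closed, closed, False)                  # running: contactors pulled in
    # Channel 1 of the E-Stop circuit opens alone (e.g. broken wire): power is removed at once.
    out["drop_on_mismatch"] = logic.scan((False, True), closed, False)
    # The mismatch outlasts the discrepancy time, so the fault latches.
    for _ in range(DISCREPANCY_TIME_MS // SCAN_MS + 1):
        logic.scan((False, True), closed, True)
    out["fault_latched"] = logic.estop.fault
    # Wiring repaired and channels agree again, but the latched fault blocks a restart.
    out["restart_blocked"] = logic.scan(closed, closed, True, start_request=True)
    # After acknowledgement a restart with a stuck contactor (feedback open) is refused.
    out["stuck_contactor"] = logic.scan(closed, closed, False, start_request=True, ack=True)
    out["reason"] = logic.start_denied
    out["restart_ok"] = logic.scan(closed, closed, True, start_request=True)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two design points worth noting are that a channel mismatch removes power immediately (the output needs both channels), while the discrepancy time only decides whether the mismatch is additionally latched as a wiring fault, and that an acknowledgement clears the fault but never energises the contactors by itself; a fresh start request with dropped-out contactors is still required.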

Safety Concept – Distributed Safety: Safety-related Communication with PROFIsafe (1)
Slide diagram: on each of the two communicating nodes, the safety-related data pass through the PROFIsafe layer and then, together with the standard data, through the standard bus protocol; in between lies the "black channel", PROFIBUS DP or PROFINET.

PROFIsafe Layer: PROFIsafe is the first open standard (IEC 61784) for safety-related (failsafe) communication that allows standard and safety-related communication over one and the same connection (cable, or wireless via WLAN).
With PROFIsafe, the network infrastructure that already exists for the standard communication can be used simultaneously for the safety-related (failsafe) communication.
Safety-related and standard data are transferred using PROFIsafe via the same bus line. For this, the existing standard bus protocols (the "black channel") are used, with which the safety-related data are transported as additional data (PROFIsafe layer). Thus the safety-related communication is independent of the bus system and the underlying network components.

Benefits:
• since standard and safety-related communication take place on standard PROFIBUS DP or standard PROFINET IO, no additional hardware components are necessary
• safety-related communication tasks can be solved for which conventional solutions (such as hard-wiring of the Emergency OFF) or special buses were required up to now, whereby safety-related distributed applications become possible, for example in automobile plants with presses and robots, in fuel technology, for passenger transportation in aerial cable cars, and in process automation
• failsafe DP standard slaves can be integrated in the S7 F and S7 F/FH systems (bus-capable sensors/actuators and protective devices of DP standard slaves that are PROFIsafe-capable)
• failsafe IO standard devices can be integrated in S7 F-systems (IO standard devices that are PROFIsafe-capable).

Safety Concept – Distributed Safety: Safety-related Communication with PROFIsafe (2)
Slide table: Message frame of a bus node (max. 244 bytes with PROFIBUS)

PROFIsafe V1 (DP only):
  F-I/O Data          | Status / Control Byte              | Sequence Number                  | CRC
  Failsafe I/O data   | Identifier for sender and receiver | Consecutive number of the sender | Data backup for F-data and F-parameters
  Max. 12 / 123 bytes | 1 byte                             | 1 byte                           | 2 / 4 bytes*

PROFIsafe V2 (DP and PN):
  F-I/O Data          | Status / Control Byte              | CRC 2
  Failsafe I/O data   | Identifier for sender and receiver | Data backup for F-data and F-parameters
  Max. 12 / 123 bytes | 1 byte                             | 3 or 4 bytes*

PDU: Just like in standard mode, data exchange between the CPU and the I/O modules is handled using PDUs (Process Data Units), which contain the I/O data of the individual I/O modules (usually max. 12 bytes for production automation and max. 123 bytes for process automation).

F-PDUs: In safety engineering it is not only important that a message frame transmits the correct process signals or values, but also that transmission errors are detected. In accordance with the PROFIsafe profile, failsafe modules therefore supplement the I/O data with safety information:
Status/Control Byte: Using this byte, the failsafe modules inform the respective communication peer of their status (for example, that the module has detected a communication error such as data falsification, timeout, etc.). A sign of life ("toggle bit") is also included.
Sequence Number: The exchanged PDUs are numbered consecutively so that, for example, the loss of a PDU can be recognized immediately (see also the table of errors on the next page). With PROFIsafe V2, the consecutive number is included in the calculation of CRC2.
CRC (V1) or CRC2 (V2): The "Cyclic Redundancy Check" is a mathematical procedure for detecting data falsification. Also included in the CRC is a sender/receiver identifier ("password") through which an unambiguous 1:1 connection between sender and receiver is ensured. The sequence number is also included in the calculation of the CRC2.

Safety Concept – Distributed Safety: Safety-related Communication with PROFIsafe (3)
Slide table: errors (rows) versus PROFIsafe measures (columns: Consecutive number; Expected time with acknowledgement; Identifier for sender and receiver; Data backup CRC). Rows: Repeat; Loss; Insertion; Incorrect sequence; Data falsification; Delay; Coupling of safety-related messages and standard messages (masquerade); FIFO errors (first-in-first-out data register for maintaining the sequence); Circular buffer error. The check marks assigning the measures to the errors are not legible in this copy.

PROFIsafe Errors and Measures: Errors can always occur during transmission of data. It is especially important to deal with such sources of error during safety-related communication. PROFIsafe implements this with the measures shown above against the following errors:
Repetition: Old messages which have not been updated are sent again at the wrong point in time.
Loss: A message is not received or not recognized.
Insertion: A message is inserted which refers to an unexpected or unknown source.
Incorrect Sequence: The defined sequence (for example, consecutive number, time base) of the messages from a particular source is faulty.
Data Falsification (Corruption): Messages can be corrupted by faults in a bus node or in the transmission medium, or by mutual interference of messages.
Delay: Messages can be delayed beyond the permissible window for arrival, for example as a result of faults in the transmission medium, overloaded connecting cables, mutual interference, or bus nodes which forward messages in such a manner that services are delayed or not recognized (for example, FIFOs in switches, bridges and routers).
Masquerade: A message is additionally inserted which appears to come from a valid source. Thus a non-safety-related message can be received by a safety-related node, which then rates it as safety-relevant.
FIFO Fault: First-in-first-out. The correct data sequence is not retained.
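The frame elements from the previous page (sequence number, sender/receiver identifier and CRC) and the error classes listed here fit together in one receiver model. The following is an added example for illustration only; it is not Siemens code and not the real PROFIsafe frame layout or CRC. The CRC polynomial (CRC-32 from zlib as a stand-in), the 16-bit identifier called codename, the watchdog time and the verdict names are assumptions made here. What it shows is the principle: the identifier is mixed into the CRC but not transmitted, the consecutive number exposes repeated, lost and out-of-order frames, and a time expectation exposes delay. The constructed scenario sends three good cycles and then injects one fault per case.

```python
"""Simplified model of the safety layer on an F-PDU and of the receiver checks
that detect repetition, loss, insertion / incorrect sequence, corruption,
delay and masquerade.

Added example for illustration only, not Siemens code and not the real
PROFIsafe frame layout: the CRC polynomial, the 16-bit codename, the watchdog
time and the verdict names are assumptions made here."""
import zlib
from dataclasses import dataclass

WATCHDOG_MS = 100   # assumed: longest acceptable gap between two valid frames


@dataclass(frozen=True)
class FPdu:
    data: bytes    # failsafe I/O data
    status: int    # status / control byte
    seq: int       # consecutive number, one byte
    crc: int       # data backup over codename, F-data, status and seq


def crc_of(codename: int, data: bytes, status: int, seq: int) -> int:
    """Stand-in for the PROFIsafe CRC: the sender/receiver identifier is mixed
    into the CRC but not transmitted, so a frame of another relation fails."""
    payload = codename.to_bytes(2, "big") + data + bytes([status, seq & 0xFF])
    return zlib.crc32(payload) & 0xFFFFFFFF


def build_pdu(codename: int, data: bytes, seq: int, status: int = 0) -> FPdu:
    seq &= 0xFF
    return FPdu(data, status, seq, crc_of(codename, data, status, seq))


class FReceiver:
    """Receiver side of one F-relation; any detected error passivates the F-I/O."""

    def __init__(self, codename: int, start_ms: int, watchdog_ms: int = WATCHDOG_MS):
        self.codename = codename
        self.watchdog_ms = watchdog_ms
        self.last_rx_ms = start_ms
        self.expected_seq = None     # unknown until the first valid frame
        self.passivated = False      # True: substitute values (0) instead of process values

    def check(self, pdu: FPdu, now_ms: int) -> str:
        if now_ms - self.last_rx_ms > self.watchdog_ms:
            return "delay"
        if pdu.crc != crc_of(self.codename, pdu.data, pdu.status, pdu.seq):
            return "crc"                       # corruption, or masquerade (wrong codename)
        if self.expected_seq is not None:
            diff = (pdu.seq - self.expected_seq) % 256
            if diff == 255:
                return "repetition"            # the previous frame once more
            if 0 < diff < 128:
                return "loss"                  # frames were skipped
            if diff != 0:
                return "sequence"              # an older frame resurfaced or was inserted
        return "ok"

    def receive(self, pdu: FPdu, now_ms: int) -> str:
        verdict = self.check(pdu, now_ms)
        if verdict == "ok":
            self.last_rx_ms = now_ms
            self.expected_seq = (pdu.seq + 1) % 256
        else:
            self.passivated = True
        return verdict


def run_case(fault: str) -> tuple:
    """Constructed scenario: three good cycles, then one frame with the given fault.
    Returns (verdict, passivated)."""
    codename = 0x1234                          # assumed identifier of this relation
    rx = FReceiver(codename, start_ms=0)
    t = 0
    for seq in range(1, 4):
        t += 20
        rx.receive(build_pdu(codename, b"\x01\x00", seq), t)
    t += 20
    good = build_pdu(codename, b"\x01\x00", 4)
    if fault == "corruption":                  # one bit flipped in transit, CRC unchanged
        pdu = FPdu(b"\x03\x00", good.status, good.seq, good.crc)
    elif fault == "repetition":                # the frame with seq 3 arrives again
        pdu = build_pdu(codename, b"\x01\x00", 3)
    elif fault == "loss":                      # seq 4 and 5 never arrive
        pdu = build_pdu(codename, b"\x01\x00", 6)
    elif fault == "incorrect sequence":        # a stale frame resurfaces (e.g. from a FIFO)
        pdu = build_pdu(codename, b"\x01\x00", 1)
    elif fault == "delay":                     # the right frame, but beyond the watchdog
        pdu, t = good, t + WATCHDOG_MS
    elif fault == "masquerade":                # well-formed frame of another relation
        pdu = build_pdu(0x9999, b"\x01\x00", 4)
    else:
        pdu = good
    return rx.receive(pdu, t), rx.passivated


if __name__ == "__main__":
    for case in ("none", "corruption", "repetition", "loss",
                 "incorrect sequence", "delay", "masquerade"):
        print(f"{case:>18}: {run_case(case)}")
```

The masquerade case is the one to study: the frame is internally consistent and would pass a plain CRC over its own bytes, and it is only rejected because the receiver recomputes the CRC with its own identifier. Any non-"ok" verdict leaves the receiver passivated, which is the fail-safe reaction the page describes (substitute values instead of process values).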

Safety Concept – Distributed Safety: Safety Program (1)
Slide diagram: in the F-CPU, the F-program consists of the part of the safety program created by the user in FBD / LAD and the diverse part of the safety program generated by Distributed Safety; it runs on the F-hardware and firmware between failsafe input module (sensor) and failsafe output module (actuator). Alongside it, the standard program runs on the standard hardware and firmware between standard input module and standard output module. Acquire, Analyze, Respond.

F-Program: The safety program (F-program) for controlling the safety-related functions of the plant is comprised of a part created by the user in FBD or LAD and a part generated by Distributed Safety that, among other things, contains the diverse logic to the user part.
For the part of the safety program created by the user, Distributed Safety generates a diverse program that works with diverse operands and operations.
The standard and safety program are created in the same programming environment. TÜV-certified function blocks for all the usual safety functions simplify the programming as well and thus lead quickly to the finished program.

Coexistence of Standard and F-Program: The standard program and the safety program are executed independently in the CPU. Through the coexistence of both programs on one CPU, communication between the two programs can be implemented by means of global variables.
Changes to the standard program have no effect on the safety program, so that it remains fully functional.

Safety Concept – Distributed Safety: Safety Program (2)
Slide diagram: Part of the safety program created by the user in FBD / LAD: operands A, B, operation, result C. Diverse part of the safety program generated by Distributed Safety: coding of the operands into the diverse operands /A, /B, diverse operation, diverse result D = /C. Comparison of the two results: STOP when D ≠ /C.

Diversity and Time Redundancy: SIMATIC S7 safety-related CPUs work according to the principles of time redundancy and diversity, making possible the implementation of F-systems with only one CPU and only one processor.
F-blocks (F-FC/F-FB) are generated by the programming tool "Distributed Safety" in addition to the safety program created by the user. These are based on logic which uses "diverse" operands and operations and which is redundant to the user program.
The two parts of the safety program are executed time-redundantly, i.e. in succession, and the results are compared. If there is a discrepancy, the F-CPU reacts and switches the plant to the safe state.
In addition, Distributed Safety generates F-system blocks which also handle the safety-related PROFIsafe communication with the F-I/O.
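The diagram on this slide (operands A, B and result C in the user part; diverse operands /A, /B and diverse result D in the generated part; STOP when D ≠ /C) can be reproduced with a small model. This is an added example for illustration only; it is not Siemens code and not the coding Distributed Safety actually generates. Here plain inversion stands in for the coding, the dual operations (AND for OR and vice versa) stand in for the diverse operations, the sample interlock logic and the fault names are assumptions, and fault injection is used to show what the comparison detects and, for a corrupted operand, what it cannot detect in a cycle where that operand does not influence the result.

```python
"""Diverse, time-redundant execution of a safety function on a single CPU:
the user part works on A, B, C, the generated part on the inverted ("coded")
operands /A, /B, /C with the dual operations, and the cycle ends by comparing
D with /C.

Added example for illustration only; not Siemens code. The inversion used as
coding, the sample interlock logic and the fault names are assumptions."""
from itertools import product

STOP = "STOP"   # reaction of the F-CPU: plant to the safe state


def user_logic(a: bool, b: bool, c: bool) -> bool:
    """User part, e.g. enable = (estop_ok AND door_closed) OR maintenance_bypass."""
    return (a and b) or c


def diverse_logic(na: bool, nb: bool, nc: bool) -> bool:
    """Diverse part: the same function on inverted operands with the dual
    operations (AND <-> OR, De Morgan), so its result D must equal /C."""
    return (na or nb) and nc


def self_test() -> bool:
    """Tool-side check that the diverse part really is the complement of the
    user part for every operand combination."""
    return all(diverse_logic(not a, not b, not c) == (not user_logic(a, b, c))
               for a, b, c in product((False, True), repeat=3))


def f_cycle(a: bool, b: bool, c: bool, fault: str = "none"):
    """One F-cycle: first pass (user part), second pass (diverse part), comparison.

    Returns the result C for the actuator, or STOP when the comparison fails.
    'fault' injects a single-bit fault to show what the comparison detects."""
    na, nb, nc = not a, not b, not c               # coding into diverse operands
    if fault == "diverse operand /A":
        na = not na                                # corrupted diverse operand
    result = user_logic(a, b, c)                   # first pass: C
    diverse = diverse_logic(na, nb, nc)            # second pass, in succession: D
    if fault == "result C":
        result = not result                        # corrupted stored result
    elif fault == "diverse result D":
        diverse = not diverse
    # Comparison: D must be the complement of C, otherwise the cycle is invalid.
    return result if diverse == (not result) else STOP


def operand_fault_coverage() -> float:
    """Fraction of the eight operand combinations in which a fault in /A is
    exposed by the comparison in the same cycle. In the other combinations the
    corrupted operand does not influence D, so the fault stays masked until an
    input combination sensitises it."""
    hits = sum(f_cycle(a, b, c, "diverse operand /A") == STOP
               for a, b, c in product((False, True), repeat=3))
    return hits / 8


if __name__ == "__main__":
    print("diverse part is the complement of the user part:", self_test())
    print("normal cycle (A=1, B=1, C=0):", f_cycle(True, True, False))
    print("corrupted result C:", f_cycle(True, True, False, "result C"))
    print("corrupted diverse result D:", f_cycle(True, True, False, "diverse result D"))
    print("corrupted /A with B=1, C=0:", f_cycle(False, True, False, "diverse operand /A"))
    print("share of input combinations exposing a fault in /A:", operand_fault_coverage())
```

A corrupted result (either C or D) is caught in every cycle because the comparison looks at the results directly, whereas a corrupted operand is only visible when it propagates to the result; that is why the slide's comparison is combined with diverse operands and operations rather than a simple double execution, and why the coverage figure is worth computing for one's own logic.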

Distributed Safety: Libraries
Slide table:
Package: S7 Distributed Safety
  Blocks: Certified S7 blocks, such as Emergency OFF, two-hand control, muting, door monitoring
  Certificates: IEC 61508: 2000 SIL 1 – 3; EN 954-1: 1997 Cat. 2 – 4; IEC 61511: 2003; EN 60204-1: 1997; IEC 62061: 2005; NFPA 79-2002, NFPA 85
Package: Press Option Package
  Blocks: Certified S7 blocks for controlling presses
  Certificates: EN 954-1, Cat. 4; EN 61508, SIL 3
Package: Burner Option Package
  Blocks: Certified S7 blocks for controlling burners
  Certificates: IEC 61508: 2000, Part 3, SIL 3; DIN EN 676: 2003; DIN EN 267: 1999; DIN EN 12952-8: 2002; DIN EN 12953-7: 2002; TRN 411: 1997, TRN 412: 1997; DIN EN 746-2: 1997; DIN VDE 0116: 1989


Libraries: S7 Distributed Safety Library: library with prefabricated blocks that are approved by TÜV for controlling typical safety-related functions.
"Burner" Option Package: library with blocks certified by TÜV for thermal and steam boilers for controlling industrial gas and oil burners.
"Press" Option Package: library with function blocks that implement press safety functions according to EN 954-1, Cat. 4 and EN 61508, for example for mechanical, hydraulic or pneumatic presses.
