
SITRAIN Training for Automation and Industrial Solutions
Safety Concept: Distributed Safety
Page 1 ST-PPDS

Conventional Safety Technology: One standard PLC with distributed I/O (ET200S via PROFIBUS DP) controls the standard functions of a plant; a safety relay controls the dangerous machine function.

Functional Control: The dangerous machine function is switched via the two contactors K1 and K2 with positively driven (forced) contacts, which are controlled in a safety-oriented manner by a safety relay. The safety relay receives the necessary On/Off control signals for the functional On and Off via the wiring from a digital standard output of the standard PLC, which for this purpose evaluates the corresponding signals from the plant (among others, those of the operator panel) in the standard program.

Protective Functions: In order to protect the operator, the dangerous machine function is equipped with an Emergency Stop command device and an isolating protective device in the form of a safety door. As soon as a wiring error is detected, the Emergency Stop is pressed, or the safety door is opened, the safety relay, independently of the control signals of the standard PLC, shuts down the motor via the contactors K1 and K2 according to Stop Category 0 of EN 60204-1.
Before every renewed switch-on of the contactors, the safety relay checks whether the contacts of the Emergency Stop and the safety door are closed and whether the contactors have dropped out, i.e. their feedback contacts are closed.

Wiring: The wiring and architecture of the safety functions are implemented according to EN 61508 in SIL 3 or according to EN 954 in Cat. 4: the Emergency Stop command device and the position switch of the safety door are wired two-channel to the safety relay. To control the dangerous machine function, two contactors connected in series are used, whose feedback (mirror) contacts return a feedback signal to the safety relay.

Page 2 ST-PPDS

Safety Integrated: One PLC with fail-safe CPU (F-CPU) and distributed I/O stations (ET200S via PROFIBUS DP) controls the standard as well as the safety functions.

Functional Control: The dangerous machine function is switched via the two contactors K1 and K2 with positively driven (forced) contacts, which are now no longer controlled in a safety-oriented manner by the safety relay but by the safety program of the F-CPU in conjunction with safety-related input and output modules.
The conditions for the functional On and Off are still evaluated by the standard program, which informs the safety program through variables (such as memory bits) when the contactors are to be switched on and off.

Protective Functions: The previously described protective functions are no longer handled by the safety relay but by the safety program of the F-CPU and the safety-related input and output modules (F-DI/DO):
As soon as a wiring error is detected, the Emergency Stop is pressed, or the safety door is opened, the motor must be shut down via the contactors K1 and K2 according to Stop Category 0 of EN 60204-1, independently of the control signals of the standard program.
The wire monitoring of the safety-related actuators and sensors now takes place in the F-DI/DO modules.

Wiring: The wiring and architecture of the protective functions according to SIL 3 (EN 62061) or Cat. 4 (EN 954) are unchanged in principle:
The Emergency Stop command device and the position switch of the safety door are still wired two-channel, but no longer to a safety relay; instead they are wired to an F-DI module of the safety-related ET200S station.
To switch the dangerous machine function, two contactors connected in series are still used. They are now controlled by an F-DO module, and their feedback (mirror) contacts are now evaluated by the safety program.

Page 3 ST-PPDS

F-CPU: As a rule, it is sufficient if the F-CPU used fulfills at least the same requirements as the previously used standard CPU with regard to performance data or performance profile (including communication options). The most important characteristic values are the CPU processing speed, from which the cycle time and thus the response time of the automation system result, and the size of the work memory, which must accommodate the execution-relevant parts of the standard and safety programs.

F-DI/DO: Standard and safety-related input and output modules (F-DI/DO) can be operated together in mixed configurations. The F-DI/DO modules required in place of the safety relay can also be integrated into an already existing ET200S station. All I/O modules already in use, including their wiring, can continue to be used unchanged.
If the dangerous function of the plant is implemented in SIL 3/Cat. 4, the F-DI and F-DO modules must be inserted into a separate potential group or be isolated from the standard modules by an additional power module (PM) (see slide).

PROFIsafe Communication: The safety-related communication between the F-CPU and the F-DI/DO modules using PROFIsafe is integrated in the fail-safe modules. It is executed automatically and does not have to be programmed, regardless of whether the F-DI/DO modules are used centrally or distributed via PROFIBUS or PROFINET. Standard communication that is already configured remains unaffected by the safety-related communication via PROFIsafe.

Page 4 ST-PPDS

Libraries: S7 Distributed Safety Library: a library with prefabricated blocks, approved by TÜV, for controlling typical safety-related functions.

Page 5 ST-PPDS

Achievable Safety Classes: When F-DI modules are used, the corresponding safety class is achieved through
- the internal test circuitry
- the external sensor/encoder wiring
- the sensor/encoder quality, i.e. the "characteristic safety values" (e.g. proof test interval) of the sensor/encoder used, according to EN 62061

1v1 Evaluation: For 1v1 evaluation there is one sensor/encoder, which is connected to the F-DI module via one channel.
If the sensor/encoder quality is lower than that required for the safety class, the sensor/encoder must be used redundantly and connected via two channels.

2v2 Evaluation: For 2v2 evaluation, two input channels are occupied
- by two 1-channel sensors/encoders, or
- by one 2-channel sensor/encoder.
The input signals are compared for equality (equivalence) or inequality (non-equivalence) (-> discrepancy analysis).

Page 7 ST-PPDS

ET 200S: The ET 200S distributed I/O system is a DP slave/IO device on PROFIBUS DP/PROFINET IO that can contain standard ET 200S modules as well as fail-safe modules. The PROFIBUS DP/PROFINET IO lines can be set up with copper cable, fiber-optic cable or WLAN (S7 Distributed Safety as of V5.4). Even a design with fail-safe motor starters and frequency converters is possible.

F-DI / F-DO Fail-safe Modules: The basic difference between fail-safe modules and standard ET 200S modules is that fail-safe modules are designed internally with two channels. The two integrated processors monitor each other, automatically test the input and output circuits, and transfer the F-module to a safe state in case of a fault.
Fail-safe digital input modules (F-DI) acquire the signal states from safety-related encoders and send corresponding safety message frames to the F-CPU.
Fail-safe digital output modules (F-DO) are suitable for safety-related switch-off operations with short-circuit and cross-circuit monitoring up to the actuator.
The F-CPU communicates with the fail-safe modules over the safety-related bus profile PROFIsafe.

Power Modules / Potential Groups: Power modules are used for the load voltage supply of potential groups. Potential groups in which F-DI/DO modules are used must be supplied by selected standard power modules (see slide).
With fail-safe power modules, the safety-related switching off of the load voltage of standard output modules can be implemented economically up to Cat. 3 / SIL 2.
A new potential group always begins with a power module.
Standard and safety-related modules can be used
- in combination within one potential group for applications up to SIL 2 / Cat. 3
- in separate potential groups for applications in SIL 3 / Cat. 4

Page 8 ST-PPDS

CPU Password: As with standard CPUs, STEP 7 queries the assigned password as soon as the user tries to access the CPU online (for example, to download a block into the CPU). Assigning a password is required to activate the option "CPU contains safety program".

CPU Contains Safety Program: If "CPU contains safety program" is not activated, no safety program can be downloaded into the CPU later on! This option is therefore absolutely necessary to operate the CPU in safety mode.

Process Mode: Test functions such as "Monitoring" or "Monitor/control variable" are restricted so that the set permissible cycle time extension cannot be exceeded. Testing with breakpoints and step-by-step program execution is not possible.

Test Mode: All test functions can be used without restriction, even if they cause greater cycle time extensions.

Page 9 ST-PPDS

Safety Mode can be Deactivated: If the F-CPU executes the safety program in safety mode, all safety mechanisms for error detection are activated. In this state the safety program cannot be changed while the CPU is in operation (in RUN).
The safety mode of the F-CPU can be temporarily switched off and then back on again. The "deactivated safety mode" enables the safety program to be tested online and changed as needed while the CPU is in RUN. Switching back into safety mode is only possible by changing the operating mode of the CPU from STOP to RUN.

Basis for PROFIsafe Addresses: PROFIsafe addresses are assigned automatically and uniquely identify source and destination. The "Basis for PROFIsafe addresses" can be set in increments of 1000 and is practical if several DP master systems or PROFINET IO systems are operated in one network.

F-DB / F-FB: When the safety program is compiled, F-function blocks and F-data blocks are automatically added to the function and data blocks created by the user. Their number range can be set here. We recommend defining the number range for the automatically generated F-blocks at the upper end of the range possible for the CPU used (see CPU performance data), so that the lower range remains free for the user-defined blocks.

Page 10 ST-PPDS

General: The selected F-DI module supports PROFIsafe V2, which means that this module can be used in PROFIBUS as well as in PROFINET networks.

Addresses of the Inputs and Outputs: The addresses of fail-safe input and output modules can be set freely, just as with standard modules.
In addition to the pure input and output user data, the fail-safe input and output modules also occupy additional bytes in the process images for handling the safety-related PROFIsafe communication. An F-DI module therefore also occupies bytes in the process image of outputs, and an F-DO module also occupies bytes in the process image of inputs.

Page 11 ST-PPDS

F-Parameters: In the "F-Parameters" tab, settings are made that concern the fail-safe communication of the module with the F-CPU.

F_Source and F_Destination Address: These are the PROFIsafe addresses and are used to uniquely identify the source (F-CPU) and the destination (F-module). The PROFIsafe addresses must be unique within the station and throughout the network. To prevent incorrect parameter assignment, the F_destination_address is assigned automatically. When the F_destination_address is changed manually, its uniqueness within the station is checked automatically, but not its network-wide uniqueness! It is up to the user to ensure this!

DIP Switch Setting: This corresponds to the F_destination_address in binary representation. The address DIP switch setting of the module must match the bit pattern shown here. The address DIP switches of the F-module must therefore be set BEFORE the F-module is installed.
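The two uniqueness checks and the DIP switch pattern above, as an added Python illustration that is not Siemens code: the address-to-DIP conversion, the station-side check that STEP 7 performs automatically, and the network-wide check that is left to the user. The usable address range 1..1022 and the two-station layout are assumptions/constructed data; the addresses 200 and 199 are the ones used in the course exercises.

```python
"""Checks on PROFIsafe F_destination_address assignments.

Added illustration, not Siemens code. It models what the page describes:
the address DIP switches (9..0) must be set to the binary value of the
F_destination_address before the F-module is installed, STEP 7 checks
uniqueness only within the station, and network-wide uniqueness is left
to the user. The station layout below is constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List

DIP_SWITCHES = 10                             # switches labelled 9..0 on the module
MAX_F_DEST_ADDRESS = (1 << DIP_SWITCHES) - 2  # assumption: 1..1022 usable


def dip_switch_pattern(f_dest_address: int) -> str:
    """DIP switch setting for an F_destination_address, switch 9 first."""
    if not 1 <= f_dest_address <= MAX_F_DEST_ADDRESS:
        raise ValueError(
            f"F_destination_address {f_dest_address} outside 1..{MAX_F_DEST_ADDRESS}")
    return format(f_dest_address, f"0{DIP_SWITCHES}b")


def dip_pattern_to_address(pattern: str) -> int:
    """Read the address back from a switch pattern (to verify a module)."""
    if len(pattern) != DIP_SWITCHES or set(pattern) - {"0", "1"}:
        raise ValueError(f"expected {DIP_SWITCHES} switch positions of 0/1")
    return int(pattern, 2)


def duplicate_addresses(modules: Dict[str, int]) -> Dict[int, List[str]]:
    """Map each F_destination_address used more than once to its modules."""
    by_addr: Dict[int, List[str]] = defaultdict(list)
    for name, addr in modules.items():
        by_addr[addr].append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


def station_check(station: Dict[str, int]) -> Dict[int, List[str]]:
    """The check STEP 7 performs automatically: uniqueness within one station."""
    return duplicate_addresses(station)


def network_check(network: Dict[str, Dict[str, int]]) -> Dict[int, List[str]]:
    """The check left to the user: uniqueness across every station on the network."""
    flat = {f"{st}/{mod}": addr
            for st, mods in network.items() for mod, addr in mods.items()}
    return duplicate_addresses(flat)


# Constructed sample: two ET 200S stations on the same network. The addresses
# 200 (F-DI) and 199 (F-DO) are the ones used in the course exercises; the
# second station deliberately reuses 200, which a station-only check misses.
SAMPLE_NETWORK = {
    "ET200S_1": {"F-DI": 200, "F-DO": 199},
    "ET200S_2": {"F-DI": 200, "F-DO": 201},
}


def check_sample() -> Dict[int, List[str]]:
    """Run both checks on the sample: every station is clean, the network is not."""
    for name, station in SAMPLE_NETWORK.items():
        assert not station_check(station), f"{name} has duplicate addresses"
    return network_check(SAMPLE_NETWORK)


if __name__ == "__main__":
    for addr in (200, 199):
        print(f"F_dest_address {addr:4d} -> DIP switches 9..0 = {dip_switch_pattern(addr)}")
    for addr, mods in check_sample().items():
        print(f"network-wide duplicate PROFIsafe address {addr}: {', '.join(mods)}")
```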

F-Monitoring Time (ms): This is the PROFIsafe monitoring time for the safety-related communication between the F-CPU and the F-I/O. If the F-I/O does not receive a valid safety message frame from the F-CPU within the parameterizable monitoring time, the F-module passivates itself with a "communication error".
The F-monitoring time should be long enough that uncritical message frame delays are tolerated, but short enough that in the event of an error the response is as quick as the controlled process requires.
You will find more information on determining the F-monitoring time in the chapter "Configuring the Monitoring Times".

Page 12 ST-PPDS

Behavior at Discrepancy: The input signals are compared for equivalence or non-equivalence (-> discrepancy analysis). In the event of a discrepancy (different levels when evaluating for equivalence, or identical levels when evaluating for non-equivalence), a discrepancy time is started. If the discrepancy exists for longer than the set discrepancy time, this is reported as an error and the module is passivated.

Discrepancy Time: The behavior at discrepancy is only relevant during the discrepancy time! If the discrepancy still exists after the discrepancy time has elapsed, the module recognizes this as an error and signals (as always in the event of an error) the value "0" for the affected channel to the F-CPU.
Two channel response settings are possible for the module during the discrepancy time:

"Supply last valid value"
The last valid value prior to the occurrence of the discrepancy (old value) is made available to the safety program of the F-CPU as soon as a discrepancy between the signals of the two affected input channels is detected. This value remains available until the discrepancy is cleared or until the discrepancy time has expired and a discrepancy error is detected. After the discrepancy time has elapsed and a discrepancy error is detected, the value "0" is signaled to the safety program of the CPU in any case!
Attention: Since a discrepancy error is only detected after the discrepancy time has elapsed, the response time of the controller is prolonged. If, for safety reasons, very fast responses by the PLC are required, the discrepancy time should not be set longer than necessary.

"Supply value 0"
Since, with this setting, the "safe" value "0" is signaled to the safety program of the F-CPU during the discrepancy time, the response time of the PLC is not prolonged. This is because the value "0" is already the value that is signaled to the CPU anyway in the event of an error (that is, after the discrepancy time has elapsed).
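The discrepancy analysis above, as an added Python simulation that is not part of the course material: it runs an Emergency Stop trace through both response settings and shows when the safety program first sees 0. The traces, the 10 ms sampling, and the clearing of the error once the channels agree again are assumptions.

```python
"""Simulation of the F-DI discrepancy analysis described above.

Added example, not Siemens code. A two-channel input evaluation is
modelled with the two parameters on the page: the discrepancy time and
the behavior during it ("Supply last valid value" or "Supply value 0").
Assumptions: for non-equivalence the level of channel 1 is the useful
signal, and the discrepancy error is cleared once the channels agree again.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DiscrepancyEval:
    discrepancy_time_ms: int
    supply_last_value: bool          # True: "Supply last valid value"; False: "Supply value 0"
    equivalence: bool = True         # True: equal levels expected; False: non-equivalence
    last_valid: int = 0              # last value delivered while the channels agreed
    discrepancy_since: Optional[int] = None
    error: bool = False              # discrepancy error -> channel passivated

    def _consistent(self, ch1: int, ch2: int) -> bool:
        return (ch1 == ch2) if self.equivalence else (ch1 != ch2)

    def step(self, t_ms: int, ch1: int, ch2: int) -> Tuple[int, bool]:
        """Feed both channel levels at time t_ms; return (value to F-CPU, error)."""
        if self._consistent(ch1, ch2):
            self.discrepancy_since = None
            self.error = False       # assumption: error cleared when channels agree again
            self.last_valid = ch1
            return ch1, False
        if self.discrepancy_since is None:
            self.discrepancy_since = t_ms   # discrepancy time starts
        if t_ms - self.discrepancy_since >= self.discrepancy_time_ms:
            self.error = True        # discrepancy time has elapsed: error, passivation
        if self.error:
            return 0, True           # as always in the event of an error: value 0
        # still inside the discrepancy time: the parameterized behavior applies
        return (self.last_valid if self.supply_last_value else 0), False


def run(trace, discrepancy_time_ms: int, supply_last_value: bool) -> List[Tuple[int, bool]]:
    """Run a (t_ms, ch1, ch2) trace and return what the F-CPU sees at each step."""
    ev = DiscrepancyEval(discrepancy_time_ms, supply_last_value)
    return [ev.step(t, a, b) for t, a, b in trace]


def first_zero_ms(trace, discrepancy_time_ms: int, supply_last_value: bool) -> Optional[int]:
    """Time at which the safety program first receives 0, i.e. its response to the event."""
    for (t, _, _), (value, _) in zip(trace, run(trace, discrepancy_time_ms, supply_last_value)):
        if value == 0:
            return t
    return None


# Constructed traces, one sample every 10 ms; an Emergency Stop with both
# channels closed (1) at rest. Normal actuation: channel 2 opens 30 ms after
# channel 1, well inside a 100 ms discrepancy time.
ESTOP_OK = [(t, 0 if t >= 10 else 1, 0 if t >= 40 else 1) for t in range(0, 200, 10)]
# Wiring fault: channel 2 never opens, so the discrepancy outlives the discrepancy time.
ESTOP_FAULT = [(t, 0 if t >= 10 else 1, 1) for t in range(0, 200, 10)]

if __name__ == "__main__":
    for name, trace in (("normal", ESTOP_OK), ("fault", ESTOP_FAULT)):
        for mode in (True, False):
            label = "last valid value" if mode else "value 0"
            print(f"{name:6s} / {label:16s}: F-CPU sees 0 at {first_zero_ms(trace, 100, mode)} ms")
```

With "Supply last valid value" the wiring fault is only reported when the discrepancy time has elapsed (110 ms here), which is the prolonged response time the text warns about.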

Page 13 ST-PPDS

General/Addresses Tabs: The settings to be made in the "General" and "Addresses" tabs are the same as for the standard modules.

Activated: In order to avoid errors, outputs that are not used should be deactivated.

Read-back Time: This is the maximum time after switching off an output during which a read-back signal may still be detected before the error "short-circuit" results in the passivation of the output channel. The set read-back time must be sufficiently long, especially when switching capacitive loads, to permit the switched capacitance to discharge within the read-back time.
The read-back time is also the dark period in switch-off tests: while the output is active, a 0-signal is briefly switched to the output bit to check the actuator wiring. A sufficiently slow actuator does not respond to the temporary deactivation of the output and remains switched on.

Diagnostics: Wire Break: If wire break diagnostics is activated, the module passivates itself in the event of a wire break and signals a diagnostic interrupt to the CPU. However, a wire break is only detected if the output channel is switched on at that moment. The wire break diagnostic is not a safety-related test function.

Light / Dark Tests: Independently of the wire break diagnostics, the F-DO modules always carry out (this cannot be parameterized!) so-called light and dark period tests internally, in which the respective output channel is briefly (<= 1 ms) switched on or off. The actuators connected to the fail-safe outputs should therefore be selected sufficiently slow-acting (possibly by using interface relays).
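An added Python simulation (not Siemens code) of the read-back time and the light/dark tests from the two sections above: a load that discharges for longer than the read-back time is reported as a short-circuit just like a real short to L+, and only an actuator slower than the dark period stays energised. The load models and all values are constructed.

```python
"""Simulation of the F-DO read-back time and light/dark tests described above.

Added example, not Siemens code, covering both the "Read-back Time" and
the "Light / Dark Tests" sections. Modelled: after switch-off the read-back
signal must have dropped to 0 by the read-back time, otherwise the channel
is passivated with "short-circuit"; and the fixed dark test switches an
active output off for at most 1 ms, which only a sufficiently slow actuator
ignores. The load models (a discharge time standing in for a capacitive
load, a short to L+ for an external short-circuit) are constructed.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Load:
    """Constructed model of what the module reads back at its output terminal."""
    discharge_ms: float            # terminal stays at 1-level this long after switch-off
    shorted_to_plus: bool = False  # external short-circuit to L+: terminal never drops
    dropout_delay_ms: float = 0.0  # time the actuator (e.g. relay) needs to de-energise

    def read_back(self, ms_since_off: float) -> int:
        if self.shorted_to_plus:
            return 1
        return 1 if ms_since_off < self.discharge_ms else 0


@dataclass
class FDoChannel:
    read_back_time_ms: float
    dark_test_ms: float = 1.0      # page: at most 1 ms, cannot be parameterized
    passivated: bool = False
    fault: str = ""

    def switch_off(self, load: Load) -> bool:
        """Switch the channel off; read back at the read-back time; passivate on 1."""
        if load.read_back(self.read_back_time_ms) == 1:
            self.passivated, self.fault = True, "short-circuit"
            return False
        return True

    def dark_test_passes(self, load: Load) -> bool:
        """True if the actuator stays energised through the dark period."""
        return load.dropout_delay_ms > self.dark_test_ms


def switch_off_result(read_back_time_ms: float, load: Load) -> Tuple[bool, str]:
    """(ok, fault) for switching off a channel with the given read-back time."""
    ch = FDoChannel(read_back_time_ms)
    ok = ch.switch_off(load)
    return ok, ch.fault


def min_read_back_time_ms(*healthy_loads: Load, margin_ms: float = 1.0) -> float:
    """Smallest read-back time at which none of the healthy loads trips "short-circuit"."""
    return max(load.discharge_ms for load in healthy_loads) + margin_ms


if __name__ == "__main__":
    capacitive = Load(discharge_ms=12.0, dropout_delay_ms=8.0)   # slow relay with capacitance
    shorted = Load(discharge_ms=0.0, shorted_to_plus=True)
    for rb in (5.0, min_read_back_time_ms(capacitive)):
        print(f"read-back {rb:5.1f} ms: capacitive -> {switch_off_result(rb, capacitive)}, "
              f"short to L+ -> {switch_off_result(rb, shorted)}")
    print("slow relay survives dark test:", FDoChannel(5.0).dark_test_passes(capacitive))
```

The first read-back setting trips a healthy capacitive load as "short-circuit", which is the mis-parameterization the text warns about; the real short is caught at either setting.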

Page 14 ST-PPDS

F-FC, F-FB: The user programs the required safety functions in the programming languages "F-FBD" and/or "F-LAD". These programming languages basically correspond to the standard FBD/LAD, with a limited instruction set and limited usable data types and address ranges.

F-DBs: Data blocks for storing shared (global) data are also available in the safety program. Safety-related data blocks (F-DBs) are created, changed and used in the program in the same manner as standard DBs; only the number of usable data types is restricted. Instance data blocks of safety-related FBs (whether created by the user or inserted from the Distributed Safety library) are, as in the standard program, not edited by the user but generated by STEP 7.

SBs: In order to make the user-programmed safety program executable, Distributed Safety generates F-system blocks (SBs) in the form of F-FBs when the hardware configuration is saved and compiled as well as when the safety program is compiled. These blocks are used for detecting errors and for ensuring the fault reaction, so that failures of the F-system lead to a safe state. Furthermore, they handle the communication between the F-CPU (process image) and the F-I/O using the PROFIsafe safety protocol.

Shared (global) DB: The "shared DB" is a fail-safe data block (F-DB) that contains shared data of the safety program. The "shared DB" is automatically inserted or expanded when the hardware configuration is saved and compiled. The data of the "shared DB" can be evaluated both in the safety program and in the standard user program.

I/O DB: For every F-I/O, an F-I/O DB is automatically generated when the hardware configuration is compiled. This DB contains variables that describe the state of the respective module (passivation, depassivation capability, diagnostic data, channel information, etc.).

Page 15 ST-PPDS

F-Program Structure: Structured programming of the safety program is possible just as with the standard program.

Run-time Group: By integrating the "F-Call" into a cyclic interrupt OB, it is ensured that the safety program is executed at defined intervals, which is essential for determining the response times of the safety program and thus for the safety functions in the plant.

F-CALL: Each runtime group is represented by an "F-Call", a function (FC) that is inserted (not programmed!) by the user in the programming language "F-Call" and whose contents are generated by Distributed Safety. In addition to the system blocks automatically generated by Distributed Safety (SBs, F-FBs that implement the safety functions, serve as I/O drivers, contain the diverse redundant logic, etc.), the F-Call block also contains the call of the "program block", which the user declares as such (FC or FB). Invoking the F-Call is therefore equivalent to calling a runtime group of the safety program.

Program Block PB: The "program block" (PB), created by the user in the form of an F-FC or F-FB, contains the user program. The user can program the control logic directly in this PB and/or use it to invoke other safety-related user or library blocks from Distributed Safety (F-FCs, F-FBs) for program structuring.

Page 16 ST-PPDS

Creating F-FC / F-FB: The functions (FCs) or function blocks (FBs) of the safety program are created in exactly the same manner as those of the standard program. When a safety-related creation language is selected, the block is automatically created as a safety-related block.

F-Program Block (F-PB): The "F-program block" (F-PB) of a runtime group must be programmed as a non-parameterizable F-FC or F-FB. The user can create the safety-related logic directly in the program block, and/or the block can be used for program structuring, with other safety-related user or library blocks called within it.
The property of serving as the "program block" is only assigned to an F-FC or F-FB when the runtime group is created. When the safety program is compiled, the call of the program block is integrated into the F-CALL.

Page 17 ST-PPDS

Programming in F-FBD / F-LAD: Fail-safe blocks are edited exactly as standard blocks are.
The programming languages F-FBD and F-LAD basically correspond to the standard FBD/LAD, with a limited instruction set and limited usable data types and address ranges. Programming in statement list (STL) is not possible in a safety-related block.

Editor Settings: Within F-blocks, the editor marks all non-fail-safe addresses (standard inputs and outputs, bit memories, etc.) in color. In the editor's default settings this color is yellow. On the other hand, safety-related modules such as F-CPUs are, of all things, also marked in yellow, which very easily leads to confusion.
For that reason, it is recommended that you choose a color other than yellow in the editor settings to identify non-fail-safe addresses.

Page 18 ST-PPDS

Creating F-CALL: The "F-CALL" of a runtime group is inserted by the user as an FC in the programming language "F-CALL", but is not edited. Later, when the safety program is compiled, Distributed Safety generates the F-Call, i.e. the internal F-Call program.

Invoking F-CALL: To guarantee that the safety program is executed continuously at equal intervals, the safety program, i.e. the F-CALL of a runtime group, is called in a cyclic interrupt OB (e.g. OB35). The call is programmed just as it would be for a standard block. Other standard blocks can also be called in this cyclic interrupt OB in addition to the F-CALL.

Page 19 ST-PPDS

Creating Runtime Groups: Once all safety-related blocks, including the "F-Call" and the program block of a runtime group, have been created, the runtime group is created in this dialog; the safety program can subsequently be compiled completely and downloaded to the CPU.

F-Call Block: The block that is to be used as the F-Call for the runtime group newly created in this dialog is selected here.

F-Program Block: The F-FC or F-FB that is to serve as the program block (PB) in this runtime group is selected here. Distributed Safety integrates the call of the specified F-program block into the F-Call program when the F-Call is generated.

Page 20 ST-PPDS

Compile: Once the runtime group has been created, the complete safety program still has to be compiled using the menu command Compile. In the process, Distributed Safety generates further system blocks in the form of F-FBs in accordance with the user safety program.
The safety program must be compiled after every change to a safety-related block or to a safety-relevant parameter of an F-module. If the safety program is compiled successfully, it receives a new signature and can be downloaded into the CPU.

Page 21 ST-PPDS

Downloading the Safety Program: All changes or the complete safety program can be downloaded into the CPU. This is only possible when the CPU is in STOP mode.

Safety Mode: After a consistent safety program has been downloaded into the CPU and a warm restart has subsequently been carried out, the safety mode of the CPU is activated.

Page 25 ST-PPDS

The motor is switched on and off via the standard outputs Q8.4 and Q8.5 from the standard program.

Page 27 ST-PPDS

Step 1: For the existing project, complete the hardware configuration in accordance with the test setup. All type numbers must match the test setup exactly. All PROFIBUS addresses must also match the addresses actually set. The PROFIsafe node must also be entered completely in the hardware configuration.
The symbol table is already partly filled in; the program uses certain addresses, so make sure that the addresses match those entered on the next page.
When the fail-safe modules are placed, a (new) password is requested. This password protects both the safety hardware modules and the safety blocks in the Blocks folder.

In the course we use 300f.

Because no fail-safe functions are used yet in this first exercise, the parameters of the fail-safe hardware do not need to be set yet.

Page 28 ST-PPDS

Step 2: Set the addresses for the safety modules as indicated in the image above (4/8 F-DI starts at 10, 4 F-DO starts at 16). Save & compile the hardware configuration.

Step 3: Download the hardware configuration to the PLC.

Note: In some setups this configuration may differ slightly from the one above because of the added function models. Copy the exact configuration of the setup.

Page 30 ST-PPDS

Step 1: Open the properties of the F-CPU and select the Protection tab.
The F-program can only be activated if Can be bypassed with password is checked and a password is entered, or if Write or Write/Read Protection is checked.
In the workshop the password siemens is used so that all participants can use all setups.
With the setting Can be bypassed with password, the standard program can be changed by anyone and standard addresses can be modified, but changes to standard components that also contain safety components (such as the hardware configuration) can only be downloaded after the password siemens has been entered. Changes to the F-program itself and to the hardware configuration of the F-modules require their own password (300f). It is also possible to choose a higher protection level, in which the password siemens must always be entered to change or even read standard components, but this is not used in the workshop.

Step 2: Check the box CPU contains safety program to be able to download an F-program to the CPU.

Page 31 ST-PPDS

The F-application is called from the standard user program by the cyclic organization block OB35.

Step 3: Open the Cyclic Interrupt tab and set the call interval for OB35 to 50 ms.

Page 32 ST-PPDS

Step 4: Open the properties of the F-DI module in the ET200S.
All settings generated by STEP 7 are grayed out and cannot be changed.
F-parameters are the settings that apply to the entire module.
Each F-module receives a unique address: expressed in decimal this is the F_dest_address, expressed in binary it is the DIL switch setting (9..0).
In practice, placing the modules in HW Config yields a unique code for each module, and the DIL switch code from HW Config is transferred to the actual hardware.
In our exercises we use the default addresses; these are already set in the modules so that we do not have to change the DIL switches every workshop.

Step 5: Enter F_dest_address 200.

Page 33 ST-PPDS

Module parameters

Step 6: Parameterize the input channels as they are connected, for the Emergency Stop and the limit switches. The picture shows which signal types are used. Set the remaining signals to not activated. The short-circuit test must be set to cyclic.

Note: Leave the settings for the other sensors at not activated.

Page 34 ST-PPDS

Step 7: Open the properties of the F-DO module in the ET200S.

F-parameters: All settings generated by STEP 7 are grayed out and cannot be changed.

Step 8: Enter F_dest_address 199. Then activate channel 0 as shown on the next page.

Page 36 ST-PPDS

Step 9: Save & Compile the HW configuration once all desired settings have been entered correctly. Then download the HW configuration to the PLC.

During compilation an additional window with a progress bar (Initializing safety program) appears while the FBs and DBs belonging to the fail-safe modules are generated. These are then visible in the Blocks folder of the SIMATIC Manager.

Note: Downloading the HW configuration is possible. There must no longer be any hardware error messages (red LEDs, SF). The standard user program is still running.

Downloading the fail-safe blocks is pointless at this stage!

FBs and DBs have now been generated for the HW modules, but there is no structure yet for the fail-safe software; we build this structure in the next exercise.

Page 38 ST-PPDS

The fail-safe program is handled in two parts:
- the application program in FC10, written in F-LAD or F-FBD
- the F-system blocks generated by the HW configuration
These come together in the F-Call.

F-Call: In the F-Call, the first F-FC of the application (e.g. FC10) is called. This can in turn call further F-FBs / F-FCs. The watchdog time monitors that the maximum program duration is not exceeded. The F-Call is an FC in the Blocks folder with the property F-Call.

OB35: The F-Call itself (e.g. FC1) is called cyclically from OB35. This gives the F-application constant timing behavior.

Step 10: In the Blocks folder insert an FC with Created in Language: F-Call.
Give it block number FC1 and the symbolic name F-aanroep (create it, do not
open it).

Step 11: In the Blocks folder insert an FC with Created in Language: F-FBD.
Give it block number FC10 and the symbolic name F-applicatie.

Step 12: Create OB35. In it, program a call to F-aanroep (FC1, the F-Call) and
save everything.

Goal: The goal of this exercise is to build a simple emergency stop. For this
we use the certified standard block from the F-Library.

Step 13: Open FC10.

Drag the call of F_ESTOP1 (FB215) from the F-Application Blocks (library
Distributed Safety (V1)) into network 1 of FC10 and enter DB215 as instance
DB. Then connect the following parameters:
SAFETY-NOODSTOP (I10.1) - E_STOP
BEVESTIGING (I1.7) - ACK

SAFETY_UITGANG_RELAIS (Q16.0) - Q

Step 14: Because the conveyor must NOT start running immediately after the
EMERGENCY STOP has been acknowledged, we use SAFETY_UITGANG_RELAIS (Q16.0) on
the RESET input of K1 and K2 to switch off the belt motor after the EMERGENCY
STOP has been operated. Extend OB1 with the above change.
Save FC10 (F-APPLICATIE) and OB1 and close both blocks.

Step 14: Open FC1 (F-aanroep, the F-Call) by double-clicking it.

The runtime group dialog opens automatically. Enter FC10 as F-program block.
Accept the settings and accept the Runtime Group.

Step 15: Compile and download the safety program (including the standard
program).

Step 16: Test switching the conveyor on and off and test the operation of the
EMERGENCY STOP.

Goal: The goal of this exercise is to monitor the switch-off of the safety
relays (required for SIL 3). If a relay sticks, the feedback block registers
this and prevents the belt motor from being switched on.

Step 1: Open FC10 and create a temp variable COMMANDO (type Bool).

Step 2: Drag the call of F_FDBACK (FB216) from the F-Application Blocks
(library Distributed Safety (V1)) into network 2 of FC10 and assign DB216 as
its instance DB.

Connect output Q of #NOODSTOP (the F_ESTOP1 call in network 1) to the temp
variable COMMANDO, in place of Q16.0, which is now driven by FB216.

Then connect the following parameters of the FEEDBACK block FB216:

#COMMANDO - ON
I 8.3 - FEEDBACK
F00016_4_F_DO_DC24_24_2A.QBAD - QBAD_FIO
I 1.5 - ACK
T#100MS - FDB_TIME
SAFETY_UITGANG_RELAIS (Q16.0) - Q

Step 3: Test switching the conveyor on and off again and test the EMERGENCY
STOP, first without a sticking relay. Then carefully lift the orange tab of
one relay to simulate a sticking relay and test the EMERGENCY STOP again.
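The two networks of FC10 and the stuck-relay test of step 3, as an added behavioural model in Python. It is not part of the course material and not Siemens' certified block code: F_ESTOP1 feeds #COMMANDO into F_FDBACK, and a crude plant model reads back the NC mirror contacts of K1/K2 as FEEDBACK. Assumed, and not taken from the exercise: ACK_NEC = 1 on both blocks, a fixed 100 ms OB35 cycle, FEEDBACK being the inverse of Q, and suspended monitoring while QBAD_FIO = 1.

```python
"""Behavioural model of the two certified F-Application blocks used in FC10:
F_ESTOP1 (emergency stop with acknowledgement) and F_FDBACK (feedback
monitoring of contactors K1/K2). Added illustration only: not Siemens' block
code, never to be used in a real safety program.

Assumptions not taken from the exercise text:
  * ACK_NEC = 1 on both blocks, so a restart needs a rising edge on ACK
  * time advances in fixed OB35 cycles of CYCLE_MS milliseconds
  * FEEDBACK is the NC mirror contact, so the expected value is NOT Q
  * while the F-DO is passivated (QBAD_FIO = 1) monitoring is suspended
"""

CYCLE_MS = 100  # assumed OB35 cycle time driving the F runtime group


class FEstop1:
    """Stop category 0: Q drops at once when E_STOP = 0 (demand); it returns
    only after E_STOP is 1 again and ACK shows a rising edge."""

    def __init__(self):
        self.q = False
        self.ack_req = False
        self._ack_prev = False

    def step(self, e_stop, ack):
        ack_edge = ack and not self._ack_prev
        self._ack_prev = ack
        if not e_stop:                 # button pressed or wire break
            self.q = False
            self.ack_req = False
        elif not self.q:               # released: wait for acknowledgement
            self.ack_req = True
            if ack_edge:
                self.q, self.ack_req = True, False
        return self.q


class FFdback:
    """Q follows ON. FEEDBACK must reach NOT Q within FDB_TIME, otherwise the
    block locks out (ERROR = 1, Q = 0) until the contactor has demonstrably
    dropped out (FEEDBACK = 1 while Q = 0) and ACK shows a rising edge."""

    def __init__(self, fdb_time_ms):
        self.fdb_time_ms = fdb_time_ms
        self.q = False
        self.error = False
        self.ack_req = False
        self._timer_ms = 0
        self._ack_prev = False

    def step(self, on, feedback, qbad_fio, ack):
        ack_edge = ack and not self._ack_prev
        self._ack_prev = ack
        if self.error:
            self.q = False
            self.ack_req = feedback and not qbad_fio   # rest position reached?
            if self.ack_req and ack_edge:
                self.error, self.ack_req, self._timer_ms = False, False, 0
            return self.q
        self.q = on
        if qbad_fio or feedback == (not self.q):
            self._timer_ms = 0          # passivated, or feedback as expected
        else:
            self._timer_ms += CYCLE_MS
            if self._timer_ms > self.fdb_time_ms:
                self.error, self.q = True, False
        return self.q


def run_fc10(events, stuck_contactor=False, fdb_time_ms=100):
    """Cycle-by-cycle run of FC10 against a crude plant: the contactor follows
    Q16.0 one cycle late and its NC mirror contact is read back as FEEDBACK.
    stuck_contactor=True emulates the lifted orange tab of step 3: once
    energised, the contactor never drops out again.
    events is a list of (E_STOP, ACK) pairs, one per OB35 cycle."""
    noodstop, fdback = FEstop1(), FFdback(fdb_time_ms)
    contactor_on = False
    trace = []
    for e_stop, ack in events:
        feedback = not contactor_on                   # I 8.3, NC mirror contact
        commando = noodstop.step(e_stop, ack)         # temp #COMMANDO
        q16_0 = fdback.step(commando, feedback, False, ack)
        contactor_on = q16_0 or (stuck_contactor and contactor_on)
        trace.append({"COMMANDO": commando, "Q16.0": q16_0,
                      "ERROR": fdback.error, "ACK_REQ": fdback.ack_req})
    return trace


# Constructed test sequence: acknowledge, run, press E-stop, release, acknowledge.
EVENTS = [(True, False), (True, True), (True, False), (True, False),
          (False, False), (False, False), (True, False), (True, True), (True, False)]

if __name__ == "__main__":
    for stuck in (False, True):
        last = run_fc10(EVENTS, stuck_contactor=stuck)[-1]
        print("stuck contactor" if stuck else "healthy contactor", last)
```

With a healthy contactor the feedback reaches NOT Q one cycle after Q changes, inside FDB_TIME = 100 ms, and the belt restarts after the E-stop is acknowledged. With the stuck contactor the feedback never returns to 1 after the E-stop, so F_FDBACK latches ERROR and holds Q16.0 at 0 even though #COMMANDO is 1 again after the E-stop acknowledgement: the lock-out the SIL 3 concept requires.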

Global Acknowledge To reintegrate all modules that are in passivation in one
go, the certified block FB219 F_ACK_GL is available. Extend FC10 with a
network that uses the passivation and acknowledge_request signals of the
safety modules.
Step 1: Add FB219 in a new network so that all modules are reintegrated.
Assign instance DB DB219 to FB219.
