Application Examples
Functional Examples · March 2007
Safety Integrated
Safety applications quickly and easily implemented
Preliminary Remark
The functional examples dealing with "Safety Integrated" are
fully functional and tested automation configurations based
on A&D standard products for simple, fast and inexpensive implementation of automation tasks in safety engineering. Each
of these functional examples covers a frequently occurring
subtask of a typical customer problem in safety engineering.
Apart from a list of all required hardware and software components and a description of the way they are connected to
each other, the functional examples include the tested and
commented code. This ensures that the functionalities described here can be reproduced in a short period of time and thus
also be used as a basis for individual expansions.
Note
The Safety Functional Examples are not binding and do not
claim to be complete regarding the circuits shown, equipping and any eventuality. The Functional Examples do not
represent customer-specific solutions. They are only intended to provide support for typical applications. You are
responsible for ensuring that the described products are correctly used. These Functional Examples do not relieve you of
the responsibility for safely and professionally using, installing, operating and servicing equipment. When using these
Functional Examples, you recognize that Siemens cannot be
made liable for any damage/claims beyond the liability
clause described above. We reserve the right to make
changes to these Functional Examples at any time without
prior notice. If there are any deviations between the recommendations provided in these Functional Examples and
other Siemens publications - e.g. catalogs - then the contents of the other documents have priority.
© Siemens AG 2007
Safety-related controls: SIRIUS Safety Integrated
Fail-safe Controllers: SIMATIC Safety Integrated
Safety Drives Systems
Warranty, Liability and Support
Contact partners
Safety-related controls: SIRIUS Safety Integrated

1 Functional examples with SIRIUS 3TK28 safety relay
1.1 E-Stop with manual start Category 2 acc. to EN 954-1 with a SIRIUS 3TK28 safety relay
1.2 E-Stop with monitored start Category 4 acc. to EN 954-1 with a SIRIUS 3TK28 safety relay
1.3 Protective door monitoring with automatic start Category 2 acc. to EN 954-1 with a SIRIUS 3TK28 safety relay
1.4 Protective door monitoring with automatic start Category 4 acc. to EN 954-1 with a SIRIUS 3TK28 safety relay
1.5 E-Stop with monitored start Category 2 acc. to EN 954-1 with a SIRIUS 3TK28 safety relay with contactor relays
1.6 E-Stop with monitored start Category 2 acc. to EN 954-1 with/without operational switching with a SIRIUS 3TK28 safety relay with contactor relays
1.7 E-Stop with monitored start Category 4 acc. to EN 954-1 with/without operational switching with a SIRIUS 3TK28 safety relay with contactor relays
1.8 Protective door monitoring with automatic start Category 2 acc. to EN 954-1 with a SIRIUS 3TK28 safety relay with contactor relays
1.9 Protective door monitoring with automatic start Category 2 acc. to EN 954-1 with/without operational switching with a SIRIUS 3TK28 safety relay with contactor relays
1.10 Protective door monitoring with automatic start Category 4 acc. to EN 954-1 with/without operational switching using a SIRIUS 3TK28 safety relay with contactor relays
1.11 E-Stop with monitored start, protective door monitoring with automatic start and service mode, Category 2 acc. to EN 954-1 with a SIRIUS 3TK2845 safety relay
1.12 E-Stop with monitored start, protective door monitoring with automatic start and service mode, Category 4 acc. to EN 954-1 with a SIRIUS 3TK2845 safety relay

2 Functional examples with SIRIUS 3RA7 fused load feeders
2.1 E-Stop with monitored start Category 2 acc. to EN 954-1 with a safety fused load feeder 3RA7
2.2 E-Stop with monitored start Category 2 acc. to EN 954-1 with/without operational switching with a safety fused load feeder 3RA7
2.3 E-Stop with monitored start Category 4 acc. to EN 954-1 with/without operational switching with a safety fused load feeder 3RA7
2.4 Protective door monitoring with automatic start Category 2 acc. to EN 954-1 with a safety fused load feeder 3RA7
2.5 Protective door monitoring with automatic start Category 2 acc. to EN 954-1 with/without operational switching with a safety fused load feeder 3RA7
2.6 Protective door monitoring with automatic start Category 4 acc. to EN 954-1 with/without operational switching with a safety fused load feeder 3RA7
2.7 E-Stop with monitored start Category 2 acc. to EN 954-1 with a safety fuseless load feeder 3RA7
2.8 E-Stop with monitored start Category 2 acc. to EN 954-1 with/without operational switching with a safety fuseless load feeder 3RA7
2.9 E-Stop with monitored start, Category 4 acc. to EN 954-1 with/without operational switching with a safety fuseless load feeder 3RA7
2.10 Protective door monitoring with automatic start Category 2 acc. to EN 954-1 with a safety fuseless load feeder 3RA7
2.11 Protective door monitoring with automatic start Category 2 acc. to EN 954-1 with/without operational switching with a safety fuseless load feeder 3RA7
2.12 Protective door monitoring with automatic start Category 4 acc. to EN 954-1 with/without operational switching with a safety fuseless load feeder 3RA7

3 Functional examples with ET 200S Safety Motorstarters
3.1 Emergency Stop with monitored start Category 2 acc. to EN 954-1 with ET200S Safety Motorstarter Solution Local
3.2 Emergency Stop with monitored start Category 4 acc. to EN 954-1 with ET200S Safety Motorstarter Solution Local
3.3 Protective door monitoring with automatic start Category 2 acc. to EN 954-1 with ET200S Safety Motorstarter Solution Local
3.4 Protective door monitoring with automatic start Category 4 acc. to EN 954-1 with ET200S Safety Motorstarter Solution Local
3.5 2 safety circuits in a cascade according to Category 4 in compliance with EN 954-1 (PM-D F X1 and Failsafe Motor Starter) with ET200S Safety Motor Starter Solution Local

4 Functional examples with ASIsafe
4.1 Emergency Stop and protective door monitoring with monitored start according to Category 2 of EN 954-1
4.2 Emergency stop and protective door monitoring with monitored start according to Category 4 of EN 954-1
4.3 Protective door with door interlocking via a spring-actuated lock according to Category 3 of EN 954-1
4.4 Protective door with door interlocking via a spring-actuated lock according to Category 4 of EN 954-1
4.5 Protective door with door interlocking via a magnet-field lock according to Category 3 of EN 954-1
4.6 Protective door with door interlocking via a magnet-field lock according to Category 4 of EN 954-1

5 Functional examples with SIMOCODEpro
5.1 SIMOCODE pro direct starters with safety technology: Emergency stop monitoring with monitored start Category 4 according to EN 954-1
5.2 SIMOCODE pro reversing starters with safety technology: Emergency stop monitoring with monitored start Category 4 according to EN 954-1
5.3 SIMOCODE pro star-delta starters with safety technology: Emergency stop monitoring with monitored start Category 4 according to EN 954-1
Ex. No. 1.1
E-Stop with manual start Category 2 acc. to EN 954-1 with a SIRIUS 3TK28 safety relay
Function
Description of the functionality
If people (in production technology) are close to machines, then they must be protected using the appropriate equipment. The E-Stop command device represents a widely established component that protects people, plants/systems and the environment against potential hazards.
In this Safety Functional Example, the E-Stop command device is monitored by a positively-driven contact using a safety relay in accordance with Category 2 to EN 954-1. If the E-Stop button is pressed, the safety relay opens the contactor via the safety-related relay output using a positively-driven contact in accordance with stop Category 0 according to EN 60204-1. In this particular example, a drive is stopped. Before restarting or acknowledging the E-Stop shutdown using the start button, a check is made as to whether the contact of the E-Stop command device is closed and the contactor is de-energized (open).
Note
Equipment, functional aspects and design guidelines for E-Stop command devices are provided in EN 418 (EN ISO 13850 in draft status).
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG
Safety relay | 3TK2824 | 3TK2824-1BB40 | 1 | Siemens AG
Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG
Start button | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG
Start button | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG
Start button | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG
Contactor K1 | Contactor, AC-3, 3KW/400V, 1NC, 24V DC, 3-pole, Size S00, screw connection | 3RT1015-1BB42 | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from this list can be used (e.g. another 3TK28 safety relay). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Note
Using this circuit example, Category 2 acc. to EN 954-1 can only be fulfilled if, when the actuator fails, an alarm is automatically issued or the machine control initiates a safe condition. If this is not the case, a second shutdown path is required.
Functional Example No. CD-FE-I-001-V11-EN
Structure and wiring
Wiring of the hardware components
[Figure: wiring diagram showing L+ (24 V DC), E-stop, Start button, safety relay 3TK2824-1BB40 (terminals A1, Y1, Y2, 13, 23, A2, 14, 24), contactor K1 and motor M]
An overview of the hardware structure
[Figure: overview of the hardware structure]
Ex. No. 1.2
E-Stop with monitored start Category 4 acc. to EN 954-1 with a SIRIUS 3TK28 safety relay
Function
Description of the functionality
If people (in production technology) are close to machines,
then they must be protected using the appropriate equipment. The E-Stop command device represents a widely established component that protects people, plants/systems and
the environment against potential hazards.
In this Safety Functional Example, the E-Stop command device
is monitored using two positively-driven contacts using a
safety relay in accordance with Category 4 to EN 954-1. If the
E-Stop button is pressed, the safety relay opens the redundantly connected contactors via the safety-related relay outputs using positively-driven contacts in accordance with stop
Category 0 according to EN 60204-1. In this particular example, a drive is stopped. Before restarting or acknowledging the
E-Stop shutdown using the start button, a check is made as to
whether both contacts of the E-Stop command device are
closed and both contactors are de-energized (open).
Note
Equipment, functional aspects and design guidelines for
E-Stop command devices are provided in EN 418
(EN ISO 13850 in draft status).
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG
E-Stop | 1NC contact for base-mounting | 3SB3 420-0C | 1 | Siemens AG
Safety relay | 3TK2823 | 3TK2823-1CB30 | 1 | Siemens AG
Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG
Start button | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG
Start button | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG
Start button | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG
Contactors K1 / K2 | Contactor, AC-3, 3KW/400V, 1NC, 24V DC, 3-pole, Size S00, screw connection | 3RT1015-1BB42 | 2 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from this list can be used (e.g. another 3TK28 safety relay). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-002-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure: wiring diagram showing L+ (24 V DC), E-stop, Start button, safety relay 3TK2823-1CB30 (terminals A1, Y11, Y12, 13, 23, Y33, Y21, Y22, A2, 14, 24), contactors K1 and K2, and motor M]
An overview of the hardware structure
[Figure: overview of the hardware structure]
Ex. No. 1.3
Protective door monitoring with automatic start Category 2 acc. to EN 954-1 with a SIRIUS 3TK28 safety relay
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door. The most frequently used solution for plants and machines to secure hazardous areas is mechanically isolating protective equipment or access hatches. In this case, the function is to monitor unauthorized entry into plant and system areas as well as to prevent potentially hazardous machine functions if the protective equipment - in this case protective door - is not closed.
The protective door is monitored using a SIRIUS position switch with positively-opening contact using a safety relay in accordance with Category 2 acc. to EN 954-1. If this protective door is opened, the safety relay opens the downstream contactor via the safety-related relay output with positively-driven contact according to stop Category 0 to EN 60204-1. In this particular example, a drive is stopped. If the protective door is closed, after the position switch and downstream contactor have been checked, then the drive automatically starts.
[Figure: position switch with separate actuator and actuator, shown with protective door opened and protective door closed]
Note
The position switches must be arranged so that they are not damaged when they are approached and passed. This is the reason that they may not be used as a mechanical endstop.
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 1 | Siemens AG
Actuator for position switch | Radius actuator | 3SX3 228 | 1 | Siemens AG
Safety relay | 3TK2824 | 3TK2824-1BB40 | 1 | Siemens AG
Contactor K1 / K2 | Contactor, AC-3, 3KW/400V, 1NC, 24V DC, 3-pole, Size S00, screw connection | 3RT1015-1BB42 | 2 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from this list can be used (e.g. another 3TK28 safety relay). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Note
Using this circuit example, Category 2 acc. to EN 954-1 can only be fulfilled if, when the actuator fails, an alarm is automatically issued or the machine control initiates a safe condition. If this is not the case, a second shutdown path is required.
Functional Example No. CD-FE-I-003-V11-EN
Structure and wiring
Wiring of the hardware components
[Figure: wiring diagram showing L+ (24 V DC), safety relay 3TK2824-1BB40 (terminals A1, Y1, Y2, 13, 23, A2, 14, 24), contactor K1 and motor M]
An overview of the hardware structure
[Figure: overview of the hardware structure]
Ex. No. 1.4
Protective door monitoring with automatic start Category 4 acc. to EN 954-1 with a SIRIUS 3TK28 safety relay
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door. The most frequently used solution for plants and machines to secure hazardous areas is mechanically isolating protective equipment or access hatches. In this case, the function is to monitor unauthorized entry into plant and system areas as well as to prevent potentially hazardous machine functions if the protective equipment - in this case protective door - is not closed.
The protective door is monitored using two SIRIUS position switches with positively-opening contacts using a 3TK28 safety relay in accordance with Category 4 acc. to EN 954-1. If this protective door is opened, the safety relay opens the downstream redundantly connected contactors via the safety-related relay outputs with positively-driven contacts according to stop Category 0 to EN 60204-1. In this particular example, a drive is stopped. If the protective door is closed, after the position switch and downstream contactors have been checked, then the drive automatically starts.
[Figure: position switch with separate actuator and actuator, shown with protective door opened and protective door closed]
Note
The position switches must be arranged so that they are not damaged when they are approached and passed. This is the reason that they may not be used as a mechanical endstop.
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 2 | Siemens AG
Actuator for position switch | Radius actuator | 3SX3 228 | 2 | Siemens AG
Safety relay | 3TK2822 | 3TK2822-1CB30 | 1 | Siemens AG
Contactors K1 / K2 | Contactor, AC-3, 3KW/400V, 1NC, 24V DC, 3-pole, Size S00, screw connection | 3RT1015-1BB42 | 2 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from this list can be used (e.g. another 3TK28 safety relay). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-004-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure: wiring diagram showing L+ (24 V DC), safety relay 3TK2822-1CB30 (terminals A1, Y11, Y12, 13, 23, Y33, Y21, Y22, A2, 14, 24), contactors K1 and K2, and motor M]
An overview of the hardware structure
[Figure: overview of the hardware structure]
Ex. No. 1.5
E-Stop with monitored start Category 2 acc. to EN 954-1 with a SIRIUS 3TK28 safety relay with contactor relays
Function
Description of the functionality
If people (in production technology) are close to machines, then they must be protected using the appropriate equipment. The E-Stop command device represents a widely established component that protects people, plants/systems and the environment against potential hazards.
In this Safety Functional Example, the E-Stop command device with a positively-opening contact is monitored by a SIRIUS 3TK28 safety relay with contactor relays according to Category 2 in compliance with EN 954-1. If the E-Stop command device is actuated, the safety relay shuts down via its contactor relays with positively-opening contacts according to Stop Category 0 in compliance with EN 60204-1. Before restarting or acknowledging the E-Stop shutdown using the start button, a check is made as to whether the E-Stop command device contact is closed and the contactor relays of the safety relay have been de-energized.
Note
Equipment, functional aspects and design guidelines for E-Stop command devices are provided in EN 418 (EN ISO 13850 in draft status).
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG
Safety relay with contactor relays | 3TK28 | 3TK2850-1BB40 | 1 | Siemens AG
Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG
Start button | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG
Start button | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG
Start button | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. a different 3TK28 safety relay). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-017-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure: wiring diagram showing L+ (24 V DC), E-stop, Start button, safety relay 3TK2850-1BB40 with contactor relays K1...K3 (terminals A1, A2, Y11, Y12, Y20, Y21, Y22, Y33, Y34, A1, A2, 13, 33, 43, 14, 34, 44) and motor M]
An overview of the hardware structure
[Figure: overview of the hardware structure]
Ex. No. 1.6
E-Stop with monitored start Category 2 acc. to EN 954-1 with/without operational switching with a SIRIUS 3TK28 safety relay with contactor relays
Function
Description of the functionality
If people (in production technology) are close to machines, then they must be protected using the appropriate equipment. The E-Stop command device represents a widely established component that protects people, plants/systems and the environment against potential hazards.
In this Safety Functional Example, the E-Stop command device with a positively-opening contact is monitored by a SIRIUS 3TK28 safety relay with contactor relays according to Category 2 in compliance with EN 954-1. If the E-Stop command device is actuated, the safety relay shuts down via its contactor relays with positively-opening contacts according to Stop Category 0 in compliance with EN 60204-1. Before restarting or acknowledging the E-Stop shutdown using the start button, a check is made as to whether the E-Stop command device contact is closed and the contactor relays of the safety relay have been de-energized. It is possible to operationally switch (in/out) the contactors. Either a floating (electrically isolated) contact is connected between terminal 3 and terminal 4 or a non-floating (non-electrically isolated) output (24 V DC) - e.g. from a standard PLC - at terminal 4. The operational switching has a lower priority than the safety function. If the operational switching is no longer required, a wire link (jumper) should be connected between terminal 3 and terminal 4 (refer to "Wiring of the hardware components", page 15).
Note
Equipment, functional aspects and design guidelines for
E-Stop command devices are provided in EN 418 (EN ISO
13850 in draft status).
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG
Safety relay with contactor relays | 3TK28 | 3TK2850-1BB40 | 1 | Siemens AG
Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG
Start button | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG
Start button | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG
Start button | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. a different 3TK28 safety relay). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-018-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure: wiring diagram showing L+ (24 V DC), E-stop, Start button, a device labelled 3RA7112-4CA26-0AB4 with contactor relays K1...K3 (terminals A1, A2, 1, 2, Y11, Y12, Y35, Y21, Y22, Y32, Y33, Y34, 3, 4, A1, A2, 13, 23, 33, 14, 24, 34) and motor M]
* If the operational switching function is not required, insert a jumper between terminals 3 and 4
An overview of the hardware structure
[Figure: overview of the hardware structure]
Ex. No. 1.7
E-Stop with monitored start Category 4 acc. to EN 954-1 with/without operational switching with a SIRIUS 3TK28 safety relay with contactor relays
Function
Description of the functionality
If people (in production technology) are close to machines, then they must be protected using the appropriate equipment. The E-Stop command device represents a widely established component that protects people, plants/systems and the environment against potential hazards.
In this Safety Functional Example, the E-Stop command device with two positively-opening contacts is monitored by a SIRIUS 3TK28 safety relay with contactor relays according to Category 4 in compliance with EN 954-1. If the E-Stop command device is actuated, the safety relay shuts down via its contactor relays with positively-opening contacts according to Stop Category 0 in compliance with EN 60204-1. In this particular example, a drive is stopped. Before restarting or acknowledging the E-Stop shutdown using the start button, a check is made as to whether the contacts of the E-Stop command device are closed and the contactors of the safety relay have dropped out. It is possible to operationally switch (in/out) the contactors. Either a floating (electrically isolated) contact is connected between terminal 3 and terminal 4 or a non-floating (non-electrically isolated) output (24 V DC) - e.g. from a standard PLC - at terminal 4. The operational switching has a lower priority than the safety function. If the operational switching is no longer required, a wire link (jumper) should be connected between terminal 3 and terminal 4 (refer to "Wiring of the hardware components", page 17).
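The start interlock and the priority of the safety function over operational switching, as described above, can be expressed as a small state model. The Python code below is an added illustration, not Siemens code and not a description of the internal circuitry of the 3TK28; the class, its parameters and the input sequence are hypothetical, and it assumes that an operational switch-off leaves the safety enable latched.

```python
"""Logic model of the start interlock described in Ex. 1.7 (added example).

Models only the behaviour stated in the text. All names are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class StepResult:
    energized: bool  # True while the contactors are commanded on (drive runs)
    reason: str      # why the outputs are in this state


class StartInterlockModel:
    def __init__(self, estop_channels: int = 2):
        # 2 contacts for the Category 4 examples, 1 for the Category 2 examples
        self.estop_channels = estop_channels
        self.enabled = False  # safety enable, latched by a valid start

    def step(self, estop_contacts, start_pressed, feedback_closed,
             operational_request=True):
        """Evaluate one input snapshot.

        estop_contacts      -- tuple of bools, True = contact closed
        start_pressed       -- True while the start button is actuated
        feedback_closed     -- True if the contactors have dropped out
        operational_request -- terminal 3/4 input; a jumper means always True
        """
        if len(estop_contacts) != self.estop_channels:
            raise ValueError("one state per E-Stop contact is required")

        # 1. Safety function first: any open E-Stop contact removes the enable.
        if not all(estop_contacts):
            self.enabled = False
            return StepResult(False, "E-Stop contact open: outputs opened")

        # 2. Restart needs a start command AND dropped-out contactors.
        if not self.enabled:
            if not start_pressed:
                return StepResult(False, "waiting for start button")
            if not feedback_closed:
                return StepResult(False, "start refused: contactors not dropped out")
            self.enabled = True

        # 3. Operational switching has lower priority than the safety function.
        #    Assumption: switching off operationally does not clear the enable.
        if not operational_request:
            return StepResult(False, "switched off operationally")
        return StepResult(True, "running")


# Constructed input sequence:
# (E-Stop contacts, start pressed, feedback closed, operational request)
CONSTRUCTED_SEQUENCE = [
    ((True, True), False, True, True),     # 0 power-up, no start command yet
    ((True, True), True, True, True),      # 1 valid start
    ((True, True), False, False, True),    # 2 start released, enable latched
    ((True, True), False, False, False),   # 3 standard PLC switches off
    ((True, True), False, True, True),     # 4 standard PLC switches on again
    ((False, False), False, False, True),  # 5 E-Stop pressed
    ((True, True), False, True, True),     # 6 E-Stop released, no start command
    ((True, True), True, False, True),     # 7 start with a stuck contactor
    ((True, False), True, True, True),     # 8 start with one contact still open
    ((True, True), True, True, True),      # 9 valid restart
    ((False, False), False, False, True),  # 10 E-Stop beats operational request
]


def run_scenario():
    model = StartInterlockModel(estop_channels=2)
    return [model.step(*inputs) for inputs in CONSTRUCTED_SEQUENCE]


if __name__ == "__main__":
    for index, result in enumerate(run_scenario()):
        print(index, "ON " if result.energized else "OFF", result.reason)
```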
Note
Equipment, functional aspects and design guidelines for
E-Stop command devices are provided in EN 418 (EN ISO
13850 in draft status).
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG
E-Stop | 1NC contact for base-mounting | 3SB3 420-0C | 1 | Siemens AG
Safety relay with contactor relays | 3TK28 | 3TK2850-1BB40 | 1 | Siemens AG
Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG
Start button | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG
Start button | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG
Start button | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. a different 3TK28 safety relay). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-019-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure: wiring diagram showing L+ (24 V DC), E-stop, Start button, safety relay 3TK2853-1BB40 with contactor relays K1...Kn (terminals A1, A2, 1, 2, Y11, Y12, Y35, Y21, Y22, Y32, Y33, Y34, 3, 4, A1, A2, 13, 23, 33, 14, 24, 34) and motor M]
* If the operational switching function is not required, insert a jumper between terminals 3 and 4
An overview of the hardware structure
[Figure: overview of the hardware structure]
Ex. No. 1.8
Protective door monitoring with automatic start Category 2 acc. to EN 954-1 with a SIRIUS 3TK28 safety relay with contactor relays
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door. The most frequently used solution for plants and machines to secure hazardous areas is mechanically isolating protective equipment or access hatches. In this case, the function is to monitor unauthorized entry into plant and system areas as well as to prevent potentially hazardous machine functions if the protective equipment - in this case protective door - is not closed.
The protective door is monitored by a SIRIUS position switch with positively-opening contacts using a SIRIUS 3TK28 safety relay with contactor relays according to Category 2 in compliance with EN 954-1. If this protective door is opened, the safety relay shuts down via its contactor relays with positively-opening contacts according to Stop Category 0 in compliance with EN 60204-1. If the protective door is closed and after the position switch and the contactors of the safety relay have been checked, the drive automatically starts.
[Figure: position switch with separated actuator and actuator, shown with protective door opened and protective door closed]
Note
The position switches must be arranged so that they are not damaged when they are approached and passed. This is the reason that they may not be used as a mechanical endstop.
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 1 | Siemens AG
Actuator for position switch | Radius actuator | 3SX3 228 | 1 | Siemens AG
Safety relay with contactor relays | 3TK28 | 3TK2850-1BB40 | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. a different 3TK28 safety relay). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-020-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure: wiring diagram showing L+ (24 V DC), safety relay 3TK2850-1BB40 with contactor relays K1...K3 (terminals A1, A2, Y11, Y12, Y20, Y21, Y22, Y33, Y34, A1, A2, 13, 33, 43, 14, 34, 44) and motor M]
An overview of the hardware structure
[Figure: overview of the hardware structure]
Ex. No. 1.9
Protective door monitoring with automatic start Category 2 acc. to EN 954-1 with/without operational switching with a SIRIUS 3TK28 safety relay with contactor relays
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door. The most frequently used solution for plants and machines to secure hazardous areas is mechanically isolating protective equipment or access hatches. In this case, the function is to monitor unauthorized entry into plant and system areas as well as to prevent potentially hazardous machine functions if the protective equipment - in this case protective door - is not closed.
The protective door is monitored by a SIRIUS position switch with positively-opening contacts using a SIRIUS 3TK28 safety relay with contactor relays according to Category 2 in compliance with EN 954-1. If this protective door is opened, the safety relay shuts down via its contactor relays with positively-opening contacts according to Stop Category 0 in compliance with EN 60204-1. If the protective door is closed and after the position switch and the contactors of the safety relay are checked, the drive automatically starts. It is possible to operationally switch (in/out) the contactors. Either a floating (electrically isolated) contact is connected between terminal 3 and terminal 4 or a non-floating (non-electrically isolated) output (24 V DC) - e.g. from a standard PLC - at terminal 4. The operational switching has a lower priority than the safety function. If the operational switching is no longer required, a wire link (jumper) should be connected between terminal 3 and terminal 4 (refer to "Wiring of the hardware components", page 21).
[Figure: position switch with separated actuator and actuator, shown with protective door opened and protective door closed]
Note
The position switches must be arranged so that they are not damaged when they are approached and passed. This is the reason that they may not be used as a mechanical endstop.
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
| Component | Type | MRPD / Ordering data | Qty | Manufacturer |
|---|---|---|---|---|
| SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 1 | Siemens AG |
| Actuator for position switch | Radius actuator | 3SX3 228 | 1 | Siemens AG |
| Safety relay with contactor relays | 3TK28 | 3TK2850-1BB40 | 1 | Siemens AG |
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. a different 3TK28 safety relay). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-021-V10-EN
Structure and wiring
Wiring of the hardware components
[Wiring diagram G_FB_XX_052: device 3TK2853-1BB40; labels shown: L+ (24 V DC), M, K1...Kn; terminals: A1, A2, 1, 2, Y11, Y12, Y35, Y21, Y22, Y32, Y33, Y34, 3, 4, 13/14, 23/24, 33/34]
* If the operational switching function is not required, insert a jumper between terminals 3 and 4
An overview of the hardware structure
21
1.10
Protective door monitoring with automatic start Category 4
acc. to EN 954-1 with/without operational switching
using a SIRIUS 3TK28 safety relay with contactor relays
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door. The most frequently used solution for plants and machines to secure hazardous areas is mechanically isolating protective equipment or access hatches. In this case, the function is to monitor unauthorized entry into plant and system areas as well as to prevent potentially hazardous machine functions if the protective equipment - in this case protective door - is not closed.
The protective door is monitored by two SIRIUS position switches with positively-opening contacts using a SIRIUS 3TK28 safety relay with contactor relays according to Category 4 in compliance with EN 954-1. If this protective door is opened, the safety relay shuts down via its contactor relays with positively-opening contacts according to Stop Category 0 in compliance with EN 60204. Once the protective door is closed and the position switch and the contactors of the safety relay have been checked, the drive starts automatically. It is possible to operationally switch (in/out) the contactors. Either a floating (electrically isolated) contact is connected between terminal 3 and terminal 4 or a non-floating (non-electrically isolated) output (24 V DC) - e.g. from a standard PLC - at terminal 4. The operational switching has a lower priority than the safety function. If the operational switching is no longer required, a wire link (jumper) should be connected between terminal 3 and terminal 4 (refer to "Wiring of the hardware components", page 23).
Note
The position switches must be arranged so that they are not damaged when they are approached and passed. This is the reason that they may not be used as mechanical endstop.
[Figure G_FB_XX_053: position switch with separate actuator; protective door opened / protective door closed]
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
| Component | Type | MRPD / Ordering data | Qty | Manufacturer |
|---|---|---|---|---|
| SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 2 | Siemens AG |
| Actuator for position switch | Radius actuator | 3SX3 228 | 2 | Siemens AG |
| Safety relay with contactor relays | 3TK28 | 3TK2850-1BB40 | 1 | Siemens AG |
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. a different 3TK28 safety relay). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-022-V10-EN
Structure and wiring
Wiring of the hardware components
[Wiring diagram G_FB_XX_055: device 3TK2853-1BB40; labels shown: L+ (24 V DC), M, K1...Kn; terminals: A1, A2, 1, 2, Y11, Y12, Y35, Y21, Y22, Y32, Y33, Y34, 3, 4, 13/14, 23/24, 33/34]
* If the operational switching function is not required, insert a jumper between terminals 3 and 4
An overview of the hardware structure
23
1.11
E-Stop with monitored start, protective door monitoring
with automatic start and service mode, Category 2
acc. to EN 954-1 with a SIRIUS 3TK2845 safety relay
Functional Example No. CD-FE-I-023-V10-EN
Function
Description of the functionality
If people (in production technology) are close to machines, then they must be protected using the appropriate equipment. This Safety Functional Example describes how an E-Stop command device and a guard in the form of a protective door are monitored. The E-Stop command device represents a widely established component that protects people, plants/systems and the environment against potential hazards. An additional solution for plants and machines to secure hazardous areas is mechanically isolating protective equipment (guards) or access hatches. In this case, the function is to monitor unauthorized entry into plant and system areas as well as to prevent potentially hazardous machine functions if the protective equipment - in this case protective door - is opened.
In this Safety Functional Example, the E-Stop command device with a positively-opening contact is monitored by a SIRIUS 3TK2845 safety relay according to Category 2 in compliance with EN 954-1. If the E-Stop button is pressed, the safety relay opens, via safety outputs, the downstream contactors K1 and K2 with positively driven contacts according to stop Category 0 in compliance with EN 60204-1.
Before powering-up again and acknowledging the E-Stop device using the start button, a check is made as to whether the contact of the E-Stop command device is closed and both contactors have been de-energized (i.e. the contactors have dropped-out).
The protective door with a SIRIUS position switch with positively-opening contact is also monitored by the 3TK2845 safety relay according to Category 2 in compliance with EN 954-1. If this protective door is opened, the safety relay also opens the downstream contactors K1 and K2 via the positively driven safety-related outputs according to stop Category 0 in compliance with EN 60204-1. If the protective door is closed and after the position switch and downstream contactor have been checked, then the drive automatically starts.
If the "Service mode" key-operated switch is actuated, then contactor K2 drops-out and the protective door can be opened without contactor K1 dropping-out. After the "Service mode" has been completed, when the key-operated switch is re-actuated, contactor K2 is automatically closed again. K1 and K2 switch two separate drives.
[Figures G_FB_XX_056, G_FB_XX_057: position switch with separate actuator (protective door opened / protective door closed); logic diagram "Safety logic 3TK2845-1BB40 Stop Category 0" with blocks EMERGENCY STOP (Y42), Protective door (Y42), Start, Cascading input (1), Key-operated switch "service mode" (Y72/Y82), Relay output instantaneous (13/14), Electronic output instantaneous contactor K1 (24), Relay output instantaneous (33/34), Relay output instantaneous contactor K2 (44)]
Note
Using this circuit example, Category 2 according to EN 954-1 can only be fulfilled if, when the actuator fails, an alarm is automatically output or the machine control initiates a safety condition. If this is not the case, a second shutdown path is required.
Equipment, functional aspects and design guidelines for E-Stop command devices are provided in EN 418 (EN ISO 13850 in draft status).
The position switches must be arranged so that they are not damaged when they are approached and passed. This is the reason that they may not be used as mechanical endstop.
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
| Component | Type | MRPD / Ordering data | Qty | Manufacturer |
|---|---|---|---|---|
| SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 1 | Siemens AG |
| Actuator for position switch | Radius actuator | 3SX3 228 | 1 | Siemens AG |
| E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG |
| Start button and service mode | Empty enclosure of two command points | 3SB3 802-0AA3 | 1 | Siemens AG |
| | 1NO contact for base-mounting | 3SB3 420-OB | 2 | Siemens AG |
| | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG |
| | Key-operated switch CES | 3SB3000-4LD01 | 1 | Siemens AG |
| Safety relay | 3TK2845 | 3TK2845-1BB40 | 1 | Siemens AG |
| Contactors K1 / K2 | Contactor, AC-3, 3KW/400V, 1NC, 24V DC, 3-pole, Size S00, screw connection | 3RT1015-1BB42 | 2 | Siemens AG |
Note
The functionality was tested using the specified hardware
components. Products that are similar but deviate from
the list above can be used (e.g. a different 3TK28 safety
relay). However, in this case, please carefully note that it
may be necessary to make modifications as to how the
hardware components are connected-up (e.g. another
connection assignment).
Structure and wiring
Wiring of the hardware components
[Wiring diagram G_FB_XX_059: device 3TK2845-1BB40; labels shown: L+ (24 V DC), M, E-stop, Service mode, Start, K1, K2, M1, M2; terminals: A1, Y41, Y42, Y65, Y51, Y52, 1, Y11, Y12, Y35, Y21, Y22, 13, 14, 24, Y72, Y82, A2, 33, 34, 44, Y34, Y64, 32]
An overview of the hardware structure
25
1.12
E-Stop with monitored start, protective door monitoring
with automatic start and service mode, Category 4
acc. to EN 954-1 with a SIRIUS 3TK2845 safety relay
Functional Example No. CD-FE-I-024-V10-EN
Function
Description of the functionality
If people (in production technology) are close to machines, then they must be protected using the appropriate equipment. This Safety Functional Example describes how an E-Stop command device and a guard in the form of a protective door are monitored. The E-Stop command device represents a widely established component that protects people, plants/systems and the environment against potential hazards. An additional solution for plants and machines to secure hazardous areas is mechanically isolating protective equipment (guards) or access hatches. In this case, the function is to monitor unauthorized entry into plant and system areas as well as to prevent potentially hazardous machine functions if the protective equipment - in this case protective door - is opened.
In this Safety Functional Example, the E-Stop device with two positively-opening contacts is monitored by a SIRIUS 3TK2845 safety relay according to Category 4 in compliance with EN 954-1. If the E-Stop button is pressed, the safety relay opens, via safety outputs, the downstream contactors K1 and K2 and K3 and K4 with positively driven contacts according to stop Category 0 in compliance with EN 60204-1.
Before powering-up again and acknowledging the E-Stop device using the start button, a check is made as to whether the contacts of the E-Stop command device are closed and all four contactors have been de-energized (i.e. the contactors have dropped-out).
The protective door with two SIRIUS position switches with positively-opening contacts is also monitored by the 3TK2845 safety relay according to Category 4 in compliance with EN 954-1. If this protective door is opened, the safety relay also opens the downstream contactors K1 and K2 and K3 and K4 via the positively driven safety-related outputs according to stop Category 0 in compliance with EN 60204-1. If the protective door is closed and after the position switches and downstream contactor have been checked, then the drive automatically starts.
If the "Service mode" key-operated switch is actuated, then contactors K3 and K4 drop-out and the protective door can be opened without contactors K1 and K2 dropping-out. After the "Service mode" has been completed, when the key-operated switch is re-actuated, contactors K3 and K4 are automatically closed again. K1, K2 and K3, K4 switch two separate drives.
[Figures G_FB_XX_060, G_FB_XX_061: position switch with separate actuator (protective door opened / protective door closed); logic diagram "Safety logic 3TK2845-1BB40 Stop Category 0" with blocks EMERGENCY STOP (Y11,Y12/Y21,Y22), Protective door (Y41,Y42/Y51,Y52), Start, Cascading input (1), Key-operated switch "service mode" (Y72/Y82), Relay output instantaneous contactor K1 (13/14), Electronic output instantaneous contactor K2 (24), Relay output instantaneous contactor K3 (33/34), Electronic output instantaneous contactor K4 (44)]
Note
Equipment, functional aspects and design guidelines for E-Stop command devices are provided in EN 418 (EN ISO 13850 in draft status).
The position switches must be arranged so that they are not damaged when they are approached and passed. This is the reason that they may not be used as mechanical endstop.
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
| Component | Type | MRPD / Ordering data | Qty | Manufacturer |
|---|---|---|---|---|
| SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 2 | Siemens AG |
| Actuator for position switch | Radius actuator | 3SX3 228 | 2 | Siemens AG |
| E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG |
| | 1NC contact for base-mounting | 3SB3 420-0C | 1 | Siemens AG |
| Start button and service mode | Empty enclosure of two command points | 3SB3 802-0AA3 | 1 | Siemens AG |
| | 1NO contact for base-mounting | 3SB3 420-OB | 3 | Siemens AG |
| | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG |
| | Key-actuated switch CES | 3SB3000-4LD01 | 1 | Siemens AG |
| Safety relay | 3TK2845 | 3TK2845-1BB40 | 1 | Siemens AG |
| Contactors K1,K2 / K3,K4 | Contactor, AC-3, 3KW/400V, 1NC, 24V DC, 3-pole, Size S00, screw connection | 3RT1015-1BB42 | 4 | Siemens AG |
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate
from the list above can be used (e.g. a different 3TK28
safety relay). However, in this case, please carefully note
that it may be necessary to make modifications as to
how the hardware components are connected-up (e.g.
another connection assignment).
Structure and wiring
Wiring of the hardware components
[Wiring diagram G_FB_XX_063: device 3TK2845-1BB40; labels shown: L+ (24 V DC), M, E-stop, Service mode, Start, K1, K2, K3, K4, M1, M2; terminals: A1, Y41, Y42, Y65, Y51, Y52, 1, Y11, Y12, Y35, Y21, Y22, 13, 14, 24, Y72, Y82, A2, 33, 34, 44, Y34, Y64, 32]
An overview of the hardware structure
27
Ex. No.
2.1
E-Stop with monitored start Category 2 acc. to EN 954-1
with a safety fused load feeder 3RA7
Function
Description of the functionality
If people (in production technology) are close to machines,
then they must be protected using the appropriate equipment. The E-Stop command device represents a widely established component that protects people, plants/systems and
the environment against potential hazards.
In this Safety Functional Example, the E-Stop command device
is monitored by a positively-opening contact using a safety
fused load feeder in accordance with Category 2 to EN 954-1.
If the E-Stop button is pressed, the load feeder safely shuts down in accordance with stop Category 0 according to EN
60204-1. In this particular example, a drive is stopped. Before
restarting or acknowledging the E-Stop shutdown using the
start button, a check is made as to whether the contact of the
E-Stop command device is closed and the contactors of the
load feeder have dropped-out (opened).
Note
Equipment, functional aspects and design guidelines for
E-Stop command devices are provided in EN 418
(EN ISO 13850 in draft status).
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
| Component | Type | MRPD / Ordering data | Qty | Manufacturer |
|---|---|---|---|---|
| E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG |
| Safety fused load feeder | 3RA7 | 3RA7100-5AA26-0AB4 | 1 | Siemens AG |
| Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG |
| | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG |
| | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG |
| | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG |
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. another safety load feeder). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-005-V10-EN
Structure and wiring
Wiring of the hardware components
[Wiring diagram G_FB_XX_012: device 3RA7100-5AA26-0AB4; labels shown: L+ (24 V DC), M, E-stop, Start; terminals: A1, A2, Y11, Y12, Y20, Y21, Y22, Y33, Y34, L1, L2, L3, T1, T2, T3]
An overview of the hardware structure
29
Ex. No.
2.2
E-Stop with monitored start Category 2 acc. to EN 954-1
with/without operational switching with a safety fused load
feeder 3RA7
Function
Description of the functionality
If people (in production technology) are close to machines,
then they must be protected using the appropriate equipment. The E-Stop command device represents a widely established component that protects people, plants/systems and
the environment against potential hazards.
In this Safety Functional Example, the E-Stop command device
is monitored by a positively-opening contact using a safety
fused load feeder in accordance with Category 2 to EN 954-1.
If the E-Stop button is pressed, the load feeder is safely shut down in accordance with stop Category 0 to EN 60204-1. In
this particular example, a drive is stopped. Before restarting or
acknowledging the E-Stop shutdown using the start button, a
check is made as to whether the contact of the E-Stop command device is closed and the contactors of the load feeder
have dropped-out (opened). It is possible to operationally
switch the contactors (open and close them). Either a floating
(electrically isolated) contact is connected between terminals
3 and 4 (refer to „Wiring of the hardware components“ page
31) or a non-floating (non electrically-isolated) output
(24 V DC) is connected to terminal 4, e.g. from a standard PLC.
The operational switching has a lower priority than the safety
function. If operational switching is not required, then a wire
jumper should be connected between terminals 3 and 4.
Note
Equipment, functional aspects and design guidelines for
E-Stop command devices are provided in EN 418
(EN ISO 13850 in draft status).
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
| Component | Type | MRPD / Ordering data | Qty | Manufacturer |
|---|---|---|---|---|
| E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG |
| Safety fused load feeder | 3RA7 | 3RA7100-5AA26-0AB4 | 1 | Siemens AG |
| Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG |
| | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG |
| | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG |
| | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG |
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. another safety load feeder). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-006-V10-EN
Structure and wiring
Wiring of the hardware components
[Wiring diagram G_FB_XX_014: device 3RA7110-5AA26-0AB4; labels shown: L+ (24 V DC), M, Motor* on/off, E-stop, Start; terminals: A1, A2, 1, 2, Y11, Y12, Y35, Y21, Y22, Y32, Y33, Y34, 3, 4, A1, A2, L1, L2, L3, T1, T2, T3]
* If the operational switching function is not required, insert a jumper between terminals 3 and 4
An overview of the hardware structure
31
Ex. No.
2.3
E-Stop with monitored start Category 4 acc. to EN 954-1
with/without operational switching with a safety fused load
feeder 3RA7
Function
Description of the functionality
If people (in production technology) are close to machines,
then they must be protected using the appropriate equipment. The E-Stop command device represents a widely established component that protects people, plants/systems and
the environment against potential hazards.
In this Safety Functional Example, the E-Stop command device
is monitored using two positively-opening contacts using a
safety fused load feeder in accordance with Category 4 to
EN 954-1. If the E-Stop button is pressed, the load feeder
safely switches-out the contactors, connected in series, with
positively-driven contacts in accordance with stop Category 0
according to EN 60204-1.
In this particular example, a drive is stopped. Before restarting
or acknowledging the E-Stop shutdown using the start button,
a check is made as to whether the contact of the E-Stop command device is closed and the contactors of the load feeder
have dropped-out (opened). It is possible to operationally
switch the contactors (open and close them). Either a floating
(electrically isolated) contact is connected between terminals
3 and 4 (refer to „Wiring of the hardware components“ page
33) or a non-floating (non electrically-isolated) output
(24 V DC) is connected to terminal 4, e.g. from a standard PLC.
The operational switching has a lower priority than the safety
function. If operational switching is not required, then a wire
jumper should be connected between terminals 3 and 4.
Note
Equipment, functional aspects and design guidelines for
E-Stop command devices are provided in EN 418 (EN ISO
13850 in draft status).
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
| Component | Type | MRPD / Ordering data | Qty | Manufacturer |
|---|---|---|---|---|
| E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG |
| | 1NC contact for base-mounting | 3SB3 420-0C | 1 | Siemens AG |
| Safety fused load feeder | 3RA7 | 3RA7100-5AA26-0AB4 | 1 | Siemens AG |
| Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG |
| | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG |
| | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG |
| | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG |
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. another safety load feeder). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-007-V10-EN
Structure and wiring
Wiring of the hardware components
[Wiring diagram G_FB_XX_016: device 3RA7110-5AA26-0AB4; labels shown: L+ (24 V DC), M, Motor* on/off, E-stop, Start; terminals: A1, A2, 1, 2, Y11, Y12, Y35, Y21, Y22, Y32, Y33, Y34, 3, 4, A1, A2, L1, L2, L3, T1, T2, T3]
* If the operational switching function is not required, insert a jumper between terminals 3 and 4
An overview of the hardware structure
33
2.4
Protective door monitoring with automatic start Category 2
acc. to EN 954-1 with a safety fused load feeder 3RA7
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door.
The most frequently used solution for plants and machines to
secure hazardous areas is mechanically isolating protective
equipment or access hatches. In this case, the function is to
monitor unauthorized entry into plant and system areas as
well as to prevent potentially hazardous machine functions if
the protective equipment - in this case protective door - is not
closed.
The protective door is monitored using a SIRIUS position
switch with a positively-opening contact using a safety fused
load feeder in accordance with Category 2 to EN 954-1. If this
protective door is opened, the load feeder safely shuts down
in accordance with stop Category 0 according to EN 60204-1.
In this particular example, a drive is stopped. If the protective
door is closed, after checking the position switch and the contactors of the load feeder, the drive is automatically re-started.
Note
The position switches must be arranged so that they are
not damaged when they are approached and passed.
This is the reason that they may not be used as mechanical endstop.
[Figure G_FB_XX_017: position switch with separate actuator; protective door opened / protective door closed]
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
| Component | Type | MRPD / Ordering data | Qty | Manufacturer |
|---|---|---|---|---|
| SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 1 | Siemens AG |
| Actuator for position switch | Radius actuator | 3SX3 228 | 1 | Siemens AG |
| Safety load feeder | 3RA7 | 3RA7100-5AA26-0AB4 | 1 | Siemens AG |
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. another safety load feeder). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-008-V10-EN
Structure and wiring
Wiring of the hardware components
[Wiring diagram G_FB_XX_019: device 3RA7100-5AA26-0AB4; labels shown: L+ (24 V DC), M; terminals: A1, A2, Y11, Y12, Y20, Y21, Y22, Y33, Y34, L1, L2, L3, T1, T2, T3]
An overview of the hardware structure
35
2.5
Protective door monitoring with automatic start Category 2
acc. to EN 954-1 with/without operational switching
with a safety fused load feeder 3RA7
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door. The most frequently used solution for plants and machines to secure hazardous areas is mechanically isolating protective equipment or access hatches. In this case, the function is to monitor unauthorized entry into plant and system areas as well as to prevent potentially hazardous machine functions if the protective equipment - in this case protective door - is not closed.
The protective door is monitored using a SIRIUS position switch with a positively-opening contact using a safety fused load feeder in accordance with Category 2 to EN 954-1. If this protective door is opened, the load feeder safely shuts down in accordance with stop Category 0 according to EN 60204-1. In this particular example, a drive is stopped. If the protective door is closed, after checking the position switch and the contactors of the load feeder, the drive is automatically re-started. It is possible to operationally switch the contactors (open and close them). Either a floating (electrically isolated) contact is connected between terminals 3 and 4 (refer to "Wiring of the hardware components", page 37) or a non-floating (non electrically-isolated) output (24 V DC) is connected to terminal 4, e.g. from a standard PLC. The operational switching has a lower priority than the safety function. If operational switching is not required, then a wire jumper should be connected between terminals 3 and 4.
Note
The position switches must be arranged so that they are not damaged when they are approached and passed. This is the reason that they may not be used as mechanical endstop.
[Figure G_FB_XX_020: position switch with separate actuator; protective door opened / protective door closed]
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
| Component | Type | MRPD / Ordering data | Qty | Manufacturer |
|---|---|---|---|---|
| SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 1 | Siemens AG |
| Actuator for position switch | Radius actuator | 3SX3 228 | 1 | Siemens AG |
| Safety load feeder | 3RA7 | 3RA7100-5AA26-0AB4 | 1 | Siemens AG |
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. another safety load feeder). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-009-V10-EN
Structure and wiring
Wiring of the hardware components
[Wiring diagram G_FB_XX_022: device 3RA7110-5AA26-0AB4; labels shown: L+ (24 V DC), M, Motor* on/off; terminals: A1, A2, 1, 2, Y11, Y12, Y35, Y21, Y22, Y32, Y33, Y34, 3, 4, A1, A2, L1, L2, L3, T1, T2, T3]
* If the operational switching function is not required, insert a jumper between terminals 3 and 4
An overview of the hardware structure
37
2.6
Protective door monitoring with automatic start Category 4
acc. to EN 954-1 with/without operational switching
with a safety fused load feeder 3RA7
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door. The most frequently used solution for plants and machines to secure hazardous areas is mechanically isolating protective equipment or access hatches. In this case, the function is to monitor unauthorized entry into plant and system areas as well as to prevent potentially hazardous machine functions if the protective equipment - in this case protective door - is not closed.
The protective door is monitored using two SIRIUS position switches with positively-opening contacts using a safety fused load feeder in accordance with Category 4 acc. to EN 954-1. If this protective door is opened, the load feeder safely switches out the contactors, connected in series, with positively-driven contacts in accordance with stop Category 0 according to EN 60204. In this particular example, a drive is stopped. If the protective door is closed, after the position switch and downstream contactors have been checked, then the drive automatically starts. It is possible to operationally switch the contactors (open and close them). Either a floating (electrically isolated) contact is connected between terminals 3 and 4 (refer to "Wiring of the hardware components", page 39) or a non-floating (non electrically-isolated) output (24 V DC) is connected to terminal 4, e.g. from a standard PLC. The operational switching has a lower priority than the safety function. If operational switching is not required, then a wire jumper should be connected between terminals 3 and 4.
Note
The position switches must be arranged so that they are not damaged when they are approached and passed. This is the reason that they may not be used as mechanical endstop.
[Figure G_FB_XX_0023: position switch with separate actuator; protective door opened / protective door closed]
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 2 | Siemens AG
Actuator for position switch | Radius actuator | 3SX3 228 | 2 | Siemens AG
Safety fused load feeder | 3RA7 | 3RA7110-5AA26-0AB4 | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. another safety load feeder). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-010-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure G_FB_XX_025: wiring diagram of the safety fused load feeder 3RA7110-5AA26-0AB4. Labels: L+ (24 V DC); Motor* on/off; terminals A1, A2, 1, 2, Y11, Y12, Y35, Y21, Y22, Y32, Y33, Y34, 3, 4, A1, A2, L1, L2, L3, T1, T2, T3; motor M.]
* If the operational switching function is not required, insert a jumper between terminals 3 and 4
An overview of the hardware structure
2.7
E-Stop with monitored start Category 2 acc. to EN 954-1
with a safety fuseless load feeder 3RA7
Function
Description of the functionality
If people (in production technology) are close to machines, then they must be protected using the appropriate equipment. The E-Stop command device represents a widely established component that protects people, plants/systems and the environment against potential hazards.
In this Safety Functional Example, the E-Stop command device is monitored by a positively-driven contact using a safety, fuseless load feeder in accordance with Category 2 in compliance with EN 954-1. If the E-Stop button is pressed, the load feeder is safely shut down according to Stop Category 0 in compliance with EN 60204-1. In this particular example, a drive is stopped. Before restarting or acknowledging the E-Stop shutdown using the start button, a check is made as to whether the contact of the E-Stop command device is closed and the contactors of the load feeder have dropped out.
Note
Equipment, functional aspects and design guidelines for E-Stop command devices are provided in EN 418 (EN ISO 13850 in draft status).
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG
Safety load feeder | 3RA7 | 3RA7102-4CA26-0AB4 | 1 | Siemens AG
Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG
 | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG
 | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG
 | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. a different safety load feeder). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-011-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure G_FB_XX_027: wiring diagram of the safety load feeder 3RA7102-4CA26-0AB4. Labels: L+ (24 V DC); E-stop; Start; terminals A1, A2, Y11, Y12, Y20, Y21, Y22, Y33, Y34, L1, L2, L3, T1, T2, T3; motor M.]
An overview of the hardware structure
2.8
E-Stop with monitored start Category 2 acc. to EN 954-1
with/without operational switching with a safety fuseless load
feeder 3RA7
Function
Description of the functionality
If people (in production technology) are close to machines,
then they must be protected using the appropriate equipment. The E-Stop command device represents a widely established component that protects people, plants/systems and
the environment against potential hazards.
In this Safety Functional Example, the E-Stop command device is monitored by a positively-driven contact using a safety, fuseless load feeder in accordance with Category 2 in compliance with EN 954-1. If the E-Stop button is pressed, the load feeder is safely shut down according to Stop Category 0 in compliance with EN 60204-1. In this particular example, a drive is stopped. Before restarting or acknowledging the E-Stop shutdown using the start button, a check is made as to whether the contact of the E-Stop command device is closed and the contactors of the load feeder have dropped out. It is possible to operationally switch (in/out) the contactors. Either a floating (electrically isolated) contact is connected between terminal 3 and terminal 4 (refer to "Wiring of the hardware components" page 43) or a non-floating (non-electrically isolated) output (24 V DC) - e.g. from a standard PLC - is connected at terminal 4. The operational switching has a lower priority than the safety function. If the operational switching is no longer required, a wire link (jumper) should be connected between terminal 3 and terminal 4.
Note
Equipment, functional aspects and design guidelines for
E-Stop command devices are provided in EN 418
(EN ISO 13850 in draft status).
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG
Safety load feeder | 3RA7 | 3RA7102-4CA26-0AB4 | 1 | Siemens AG
Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG
 | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG
 | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG
 | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. a different safety load feeder). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-012-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure G_FB_XX_029: wiring diagram of the safety load feeder 3RA7112-4CA26-0AB4. Labels: L+ (24 V DC); Motor* on/off; E-stop; Start; terminals A1, A2, 1, 2, Y11, Y12, Y35, Y21, Y22, Y32, Y33, Y34, 3, 4, A1, A2, L1, L2, L3, T1, T2, T3; motor M.]
* If the operational switching function is not required, insert a jumper between terminals 3 and 4
An overview of the hardware structure
2.9
E-Stop with monitored start, Category 4 acc. to EN 954-1
with/without operational switching with a safety fuseless load
feeder 3RA7
Function
Description of the functionality
If people (in production technology) are close to machines,
then they must be protected using the appropriate equipment. The E-Stop command device represents a widely established component that protects people, plants/systems and
the environment against potential hazards.
In this Safety Functional Example, the E-Stop command device is monitored by two positively-driven contacts using a safety, fuseless load feeder in accordance with Category 4 in compliance with EN 954-1. If the E-Stop command device is actuated, the load feeder safely shuts down (de-activates) the contactors, connected in series with positively-driven contacts according to stop Category 0 in compliance with EN 60204-1. In this particular example, a drive is stopped. Before restarting or acknowledging the E-Stop shutdown using the start button, a check is made as to whether the contacts of the E-Stop command device are closed and the contactors of the load feeder have dropped out. It is possible to operationally switch (in/out) the contactors. Either a floating (electrically isolated) contact is connected between terminal 3 and terminal 4 (refer to "Wiring of the hardware components" page 45) or a non-floating (non-electrically isolated) output (24 V DC) - e.g. from a standard PLC - is connected at terminal 4. The operational switching has a lower priority than the safety function. If the operational switching is no longer required, a wire link (jumper) should be connected between terminal 3 and terminal 4.
Note
Equipment, functional aspects and design guidelines for
E-Stop command devices are provided in EN 418
(EN ISO 13850 in draft status).
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG
 | 1NC contact for base-mounting | 3SB3 420-0C | 1 | Siemens AG
Safety load feeder | 3RA7 | 3RA7102-4CA26-0AB4 | 1 | Siemens AG
Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG
 | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG
 | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG
 | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. a different safety load feeder). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-013-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure G_FB_XX_031: wiring diagram of the safety load feeder 3RA7112-4CA26-0AB4. Labels: L+ (24 V DC); Motor* on/off; E-stop; Start; terminals A1, A2, 1, 2, Y11, Y12, Y35, Y21, Y22, Y32, Y33, Y34, 3, 4, A1, A2, L1, L2, L3, T1, T2, T3; motor M.]
* If the operational switching function is not required, insert a jumper between terminals 3 and 4
An overview of the hardware structure
2.10
Protective door monitoring with automatic start Category 2
acc. to EN 954-1 with a safety fuseless load feeder 3RA7
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door.
The most frequently used solution for plants and machines to
secure hazardous areas is mechanically isolating protective
equipment or access hatches. In this case, the function is to
monitor unauthorized entry into plant and system areas as
well as to prevent potentially hazardous machine functions if
the protective equipment - in this case protective door - is not
closed.
The protective door is monitored by a SIRIUS position switch with positively-opening contacts using a safety fuseless load feeder according to Category 2 in compliance with EN 954-1. If this protective door is opened, the load feeder safely shuts down according to Stop Category 0 in compliance with EN 60204-1. In this particular example, a drive is stopped. If the protective door is closed and after the position switch and the contactors of the load feeder are checked, the drive automatically starts.
Note
The position switches must be arranged so that they are not damaged when they are approached and passed. This is the reason that they may not be used as mechanical endstop.
[Figure G_FB_XX_032: position switch with separated actuator; protective door opened, protective door closed.]
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 1 | Siemens AG
Actuator for position switch | Radius actuator | 3SX3 228 | 1 | Siemens AG
Safety load feeder | 3RA7 | 3RA7102-4CA26-0AB4 | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. a different safety load feeder). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-014-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure G_FB_XX_034: wiring diagram of the safety load feeder 3RA7102-4CA26-0AB4. Labels: L+ (24 V DC); terminals A1, A2, Y11, Y12, Y20, Y21, Y22, Y33, Y34, L1, L2, L3, T1, T2, T3; motor M.]
An overview of the hardware structure
2.11
Protective door monitoring with automatic start Category 2
acc. to EN 954-1 with/without operational switching
with a safety fuseless load feeder 3RA7
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door.
The most frequently used solution for plants and machines to
secure hazardous areas is mechanically isolating protective
equipment or access hatches. In this case, the function is to
monitor unauthorized entry into plant and system areas as
well as to prevent potentially hazardous machine functions if
the protective equipment - in this case protective door - is not
closed.
The protective door is monitored by a SIRIUS position switch with positively-opening contacts using a safety fuseless load feeder according to Category 2 in compliance with EN 954-1. If this protective door is opened, the load feeder safely shuts down according to Stop Category 0 in compliance with EN 60204-1. In this particular example, a drive is stopped. If the protective door is closed and after the position switch and the contactors of the load feeder are checked, the drive automatically starts. It is possible to operationally switch (in/out) the contactors. Either a floating (electrically isolated) contact is connected between terminal 3 and terminal 4 (refer to "Wiring of the hardware components" page 49) or a non-floating (non-electrically isolated) output (24 V DC) - e.g. from a standard PLC - is connected at terminal 4. The operational switching has a lower priority than the safety function. If the operational switching is no longer required, a wire link (jumper) should be connected between terminal 3 and terminal 4.
Note
The position switches must be arranged so that they are not damaged when they are approached and passed. This is the reason that they may not be used as mechanical endstop.
[Figure G_FB_XX_035: position switch with separated actuator; protective door opened, protective door closed.]
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 1 | Siemens AG
Actuator for position switch | Radius actuator | 3SX3 228 | 1 | Siemens AG
Safety load feeder | 3RA7 | 3RA7102-4CA26-0AB4 | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. a different safety load feeder). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-015-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure G_FB_XX_037: wiring diagram of the safety load feeder 3RA7112-4CA26-0AB4. Labels: L+ (24 V DC); Motor* on/off; terminals A1, A2, 1, 2, Y11, Y12, Y35, Y21, Y22, Y32, Y33, Y34, 3, 4, A1, A2, L1, L2, L3, T1, T2, T3; motor M.]
* If the operational switching function is not required, insert a jumper between terminals 3 and 4
An overview of the hardware structure
2.12
Protective door monitoring with automatic start Category 4
acc. to EN 954-1 with/without operational switching
with a safety fuseless load feeder 3RA7
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door.
The most frequently used solution for plants and machines to
secure hazardous areas is mechanically isolating protective
equipment or access hatches. In this case, the function is to
monitor unauthorized entry into plant and system areas as
well as to prevent potentially hazardous machine functions if
the protective equipment - in this case protective door - is not
closed.
The protective door is monitored by two SIRIUS position switches with positively-opening contacts using a safety fuseless load feeder according to Category 4 in compliance with EN 954-1. If this protective door is opened, the load feeder safely shuts down (de-activates) the contactors, connected in series, with its positively-driven contacts according to stop Category 0 in compliance with EN 60204. In this particular example, a drive is stopped. If the protective door is closed and after the position switch and downstream contactors have been checked, then the drive automatically starts. It is possible to operationally switch (in/out) the contactors. Either a floating (electrically isolated) contact is connected between terminal 3 and terminal 4 (refer to "Wiring of the hardware components" page 51) or a non-floating (non-electrically isolated) output (24 V DC) - e.g. from a standard PLC - is connected at terminal 4. The operational switching has a lower priority than the safety function. If the operational switching is no longer required, a wire link (jumper) should be connected between terminal 3 and terminal 4.
Note
The position switches must be arranged so that they are not damaged when they are approached and passed. This is the reason that they may not be used as mechanical endstop.
[Figure G_FB_XX_038: position switch with separated actuator; protective door opened, protective door closed.]
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software
■ A low scope of simple wiring
■ Space-saving design using our compact safety relay
■ Can be simply expanded using expansion devices
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 2 | Siemens AG
Actuator for position switch | Radius actuator | 3SX3 228 | 2 | Siemens AG
Safety load feeder | 3RA7 | 3RA7112-4CA26-0AB4 | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from the list above can be used (e.g. a different safety load feeder). However, in this case, please carefully note that it may be necessary to make modifications as to how the hardware components are connected-up (e.g. another connection assignment).
Functional Example No. CD-FE-I-016-V10-EN
Structure and wiring
Wiring of the hardware components
[Figure G_FB_XX_040: wiring diagram of the safety load feeder 3RA7112-4CA26-0AB4. Labels: L+ (24 V DC); Motor* on/off; terminals A1, A2, 1, 2, Y11, Y12, Y35, Y21, Y22, Y32, Y33, Y34, 3, 4, A1, A2, L1, L2, L3, T1, T2, T3; motor M.]
* If the operational switching function is not required, insert a jumper between terminals 3 and 4
An overview of the hardware structure
3.1
Emergency Stop with monitored start Category 2
acc. to EN 954-1 with ET200S Safety Motorstarter Solution Local
Function
Description of the functionality
If people (in production technology) are close to machines,
then they must be protected using the appropriate equipment. The Emergency Stop control device represents a widely
established component that protects man, machine and environment against potential hazards. In this Safety Functional
Example, the Emergency Stop control device with positively-opening contacts is monitored by the PM-D-F1 safety module.
If the Emergency Stop control device is pressed, the PM-D-F1
safety module shuts down the motor starter assigned to it according to Stop Category 0 acc. to EN 60204-1. In this particular example, a drive is stopped. Before restarting or acknowledging the Emergency Stop shutdown using the start button,
it is checked as to whether the contacts of the Emergency Stop
control device are closed and the motor starter has been shut
down. This example only discusses the safety function. The
motor starter is operationally switched using a standard PLC
and is not considered any further here.
Note
Equipment, functional aspects and design guidelines for E-Stop command devices are provided in EN 418 (EN ISO 13850 in draft status).
PAE
ET200S Standard | ET200S HF
0.0 Ready | 0.0 Ready (automatic)
0.1 Close contactor | 0.1 Start motor (current measurement)
0.2 Circuit-breaker tripped | 0.2 Group fault
 | 0.3 Group alarm
 | 0.4 Input 1
 | 0.5 Input 2
 | 0.6 Input 3
 | 0.7 Input 4
 | 1.0-1.5 Motor current Iact
 | 1.6 Mode H-V-O
 | 1.7 Ramp mode (only DSS1e-x)
PAA
ET200S Standard | ET200S HF
0.0 Motor clockwise | 0.0 Motor clockwise
0.1 Motor counter-clockwise
0.2 Brake | 0.2 Release brake
 | 0.3 Trip reset
 | 0.4 Emergency start
 | 0.5 Self-test
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software for the safety-relevant technology
■ Extensive Profibus diagnostics of the motor starter and the
PM-D-F1 safety module.
■ As a result of the lower time/costs involved with materials
and wiring, the mounting space in the cabinet is reduced
and therefore the overall dimensions of the plants/system.
Contactor contacts welded signal
Using this circuit example, Category 2 according to EN 954-1
can only be fulfilled if, when the actuator fails, an alarm is automatically output or the machine control initiates a safe condition. If this is not the case, a second shutdown path is required.
This signal can be generated using the process image of the
motor starter.
Network 1: Time delay of the Emergency stop signal
[FBD elements: #Emergency stop, &, timer T1 (SE), TW = S5T#500MS]
Network 2: Feedback signal, contactor contacts welded, standard motor starter
[FBD elements: #Contactor_close, T1, &, #Contactor_welded, &]
[Figure G_FB_XX_064] Typical block: Signal, contactor contacts welded for motor starter standard
Using the standard output "contactor welded" an indicator light can be controlled. As a result of this signal, a second shutdown path is no longer required.
Functional Example No. CD-FE-I-025-V10-EN
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG
 | Switching element with a switching contact, NC contact | 3SB34 20-0C | 1 | Siemens AG
Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG
 | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG
 | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG
 | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG
ET200S station | Direct starter, can be expanded 5.5 kW; 9.0 to 12 A | 3RK1301-1KB00-0AA2 | 1 | Siemens AG
 | Terminal module for a direct starter with feeder cable connection | 3RK1903-0AB00 | 1 | Siemens AG
 | TM for PM-D F1/2; single or higher-level safety circuit | 3RK1903-1AA00 | 1 | Siemens AG
 | TM for connection module | 3RK1903-1AB00 | 1 | Siemens AG
 | PM-D F1 power module for E-Stop application; monitored start | 3RK1903-1BA00 | 1 | Siemens AG
 | Failsafe kit for direct starter | 3RK1903-1CA00 | 1 | Siemens AG
 | IM 151 Basic to connect ET200S to PROFIBUS DP | 6ES7151-1CA00-0AB0 | 1 | Siemens AG
 | Optional: Supply block M45-PEN-F | 3RK1903-2AA00 | 1 | Siemens AG
SIMATIC S7 | Power supply PS307 5A | 6ES73071EA00-0AA0 | 1 | Siemens AG
 | SIMATIC S7-300, CPU 315-2DP | 6ES7315-2AG10-0AB0 | 1 | Siemens AG
 | Micro Memory Card MMC 512 kB | 6ES7953-8LJ10-0AA0 | 1 | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from this list can be used (e.g. another ET200S Motorstarter).
When the ET200S Motor Starter High Feature is used, the F-Kit is not required as this is already integrated in the motor starters.
Structure and wiring
Wiring of the hardware components
[Figure G_FB_XX_066: wiring of the hardware components and overview of the hardware structure. Labels: EMERGENCY STOP; ON; A1, A1+, A2, A2+; L+; M; U1, U2; OUT+, OUT-; RF1, RF2; AUX 2, AUX 3; L1, L2, L3; 24V; Master PLC; PROFIBUS DP; IM 151; PM-D F1; DS; F-Kit1; PM-X; TM-PF 30 S47-B1; TM-X 15 S27-01; Terminating module; Terminating cover; numbered terminals.]
Additional motor starters can be inserted before the PM-X module in an ET 200S Station. These are then also shut down when the Emergency Stop control device is pressed (group stop).
An overview of the hardware structure
Important hardware component settings
Some important settings from the STEP 7 hardware configuration are shown below as an overview.
3.2
Emergency Stop with monitored start Category 4
acc. to EN 954-1 with ET200S Safety Motorstarter Solution Local
Function
Description of the functionality
If people (in production technology) are close to machines, then they must be protected using the appropriate equipment. The Emergency Stop control device represents a widely established component that protects man, machine and environment against potential hazards. In this Safety Functional Example, the Emergency Stop control device is monitored using two positively-driven contacts using the PM-D-F1 safety module in accordance with Category 4 acc. to EN 954-1. If the Emergency Stop control device is pressed, the PM-D-F1 safety module shuts down the motor starter assigned to it and the supply contactor according to Stop Category 0 acc. to EN 60204-1. In this particular example, a drive is stopped. Before restarting or acknowledging the Emergency Stop shutdown using the start button, it is checked as to whether the contacts of the Emergency Stop control device are closed and the motor starter has been shut down. This example only discusses the safety function. The motor starter is operationally switched using a standard PLC and is not considered any further here.
Note
Equipment, functional aspects and Design Guidelines for Emergency Stop control devices are provided in EN 418 (EN ISO 13850 being prepared).
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software for the safety-relevant technology
■ Extensive Profibus diagnostics of the motor starter and the PM-D-F1 safety module.
■ As a result of the lower time/costs involved with materials and wiring, the mounting space in the cabinet is reduced and therefore the overall dimensions of the plants/system.
Functional Example No. CD-FE-I-026-V10-EN
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
E-Stop | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 2 | Siemens AG
 | Switching element with a switching contact, NC contact | 3SB34 20-0C | 2 | Siemens AG
Start button | Empty housing of a command point | 3SB3 801-0AA3 | 1 | Siemens AG
 | 1NO contact for base-mounting | 3SB3 420-OB | 1 | Siemens AG
 | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG
 | Optional: Inscription plate "Start" | 3SB3 906-1EL | 1 | Siemens AG
ET200S - Station | Direct starter, can be expanded 5.5 kW; 9.0 to 12 A | 3RK1301-1KB00-0AA2 | 1 | Siemens AG
 | Terminal module for a direct starter with feeder cable connection | 3RK1903-0AB00 | 1 | Siemens AG
 | TM for PM-D F1/2; single or higher-level safety circuit | 3RK1903-1AA00 | 1 | Siemens AG
 | TM for connection module | 3RK1903-1AB00 | 1 | Siemens AG
 | PM-D F1 power module for Emergency Stop application; monitored start | 3RK1903-1BA00 | 1 | Siemens AG
 | Failsafe kit for direct starter | 3RK1903-1CA00 | 1 | Siemens AG
 | IM 151 Basic to connect ET200S to PROFIBUS DP | 6ES7151-1CA00-0AB0 | 1 | Siemens AG
 | Optional: Supply block M45-PEN-F | 3RK1903-2AA00 | 1 | Siemens AG
Supply contactor | Supply contactor for max. expansion 40 A | 3RT1035-1BB40 | 1 | Siemens AG
 | Auxiliary contact for supply contactor | 3RH1921-1DA11 | 1 | Siemens AG
 | Connecting switch | 3RA931-1A | 1 | Siemens AG
SIMATIC S7 | Power supply PS307 5A | 6ES73071EA00-0AA0 | – | Siemens AG
 | SIMATIC S7-300, CPU 315-2DP | 6ES7315-2AG10-0AB0 | – | Siemens AG
 | Micro Memory Card MMC 512 kB | 6ES7953-8LJ10-0AA0 | – | Siemens AG
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from this list can be used (e.g. another ET200S Motorstarter).
When the ET200S Motor Starter High Feature is used, the F-Kit is not required as this is already integrated in the motor starters.
Structure and wiring
Wiring of the hardware components
[Figure G_FB_XX_068: wiring of the hardware components and overview of the hardware structure. Labels: EMERGENCY STOP; ON; K1 Supply contactor; A1, A1+, A2, A2+; L+; M; U1, U2; OUT+, OUT-; RF1, RF2; AUX 2, AUX 3; L1, L2, L3; 24V; Master PLC; PROFIBUS DP; IM 151; PM-D F1; DS; F-Kit1; PM-X; TM-PF 30 S47-B1; TM-X 15 S27-01; Terminal module; Terminal cover; numbered terminals.]
Additional motor starters can be inserted before the PM-X module in an ET 200S Station. These are then also shut down when the Emergency Stop control device is pressed (group stop).
An overview of the hardware structure
3.3
Protective door monitoring with automatic start Category 2
acc. to EN 954-1 with ET200S Safety Motorstarter Solution Local
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door.
The most frequently used solution for plants and machines to
secure hazardous areas is mechanically isolating protective
equipment or access hatches. In this case, the function is to
monitor unauthorized entry into plant and system areas as
well as to prevent potentially hazardous machine functions if
the protective equipment - in this case protective door - is not
closed.
The protective door is monitored by a SIRIUS position switch
with positively-opening contacts using a PM-D-F2 safety module according to Category 2 in compliance with EN 954-1. If
this protective door is opened, the PM-D-F2 safety module
shuts down the motor starter assigned to it according to Stop
Category 0 acc. to EN 60204-1. In this particular example, a
drive is stopped. If the protective door is closed, after the position switch is checked, the motor automatically starts.
This example only discusses the safety function. The motor starter is operationally switched using a standard PLC and is not considered any further here.
PAE
ET200S Standard | ET200S HF
0.0 Ready | 0.0 Ready (automatic)
0.1 Close contactor | 0.1 Start motor (current measurement)
0.2 Circuit-breaker tripped | 0.2 Group fault
 | 0.3 Group alarm
 | 0.4 Input 1
 | 0.5 Input 2
 | 0.6 Input 3
 | 0.7 Input 4
 | 1.0-1.5 Motor current Iact
 | 1.6 Mode H-V-O
 | 1.7 Ramp mode (only DSS1e-x)
PAA
ET200S Standard | ET200S HF
0.0 Motor clockwise | 0.0 Motor clockwise
0.1 Motor counter-clockwise
0.2 Brake | 0.2 Release brake
 | 0.3 Trip reset
 | 0.4 Emergency start
 | 0.5 Self-test
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software for the safety-relevant technology
■ Extensive Profibus diagnostics of the motor starter and the
PM-D-F2 safety module.
■ Because less time, material and wiring are involved, less
mounting space is needed in the cabinet, which in turn reduces
the overall dimensions of the plant/system.
Using this circuit example, Category 2 according to EN 954-1
can only be fulfilled if, when the actuator fails, an alarm is automatically output or the machine control initiates a safe condition. If this is not the case, a second shutdown path is required.
This signal can be generated using the process image of the
motor starter.
Typical block: Signal, contactor contacts welded for motor starter
standard
Network 1: Time delay of the protective door signal
[Function block diagram with the elements: #Protective door, &, timer T1 (SE), TW = S5T#500MS]
Network 2: Feedback signal, contactor contacts welded, standard motor starter
Comments: Contactor contacts welded signal
[Function block diagram with the elements: #Contactor_closed, T1, &, #Contactor_welded]
Using the standard output "contactor welded" an indicator
light can be controlled. As a result of this signal, a second
shutdown path is no longer required.
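The two networks above, modelled scan by scan as an added example (not the STEP 7 block from the original). It assumes that the protective door signal is TRUE while the door is open, that T1 is an on-delay, and that the contactor feedback bit comes from the motor starter's process image; the scan time and the input traces are constructed.

```python
"""Scan-cycle model of Networks 1 and 2 (added illustration, not the STEP 7 block).

Assumptions: door_open is TRUE while the protective door is open, T1 is an
on-delay, and contactor_closed is the feedback bit read from the process image.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

T1_PRESET_MS = 500   # S5T#500MS from Network 1
SCAN_MS = 10         # assumed PLC scan time for this simulation


@dataclass
class OnDelay:
    """Output turns TRUE once the input has been TRUE for preset_ms without a gap."""
    preset_ms: int
    elapsed_ms: int = 0
    running: bool = False

    def update(self, enable: bool, dt_ms: int) -> bool:
        if not enable:                      # input dropped: reset the timer
            self.running, self.elapsed_ms = False, 0
            return False
        if not self.running:                # rising edge: start timing from zero
            self.running, self.elapsed_ms = True, 0
        else:
            self.elapsed_ms = min(self.elapsed_ms + dt_ms, self.preset_ms)
        return self.elapsed_ms >= self.preset_ms


def contactor_welded(samples: Iterable[Tuple[bool, bool]],
                     scan_ms: int = SCAN_MS) -> List[bool]:
    """Evaluate both networks once per scan; samples are (door_open, contactor_closed)."""
    t1 = OnDelay(T1_PRESET_MS)
    result = []
    for door_open, contactor_closed in samples:
        t1_q = t1.update(door_open, scan_ms)        # Network 1: delayed door signal
        result.append(t1_q and contactor_closed)    # Network 2: AND with feedback
    return result


def first_alarm_ms(samples: Iterable[Tuple[bool, bool]],
                   scan_ms: int = SCAN_MS) -> Optional[int]:
    """Time of the first scan in which the welded signal is TRUE, or None."""
    for i, welded in enumerate(contactor_welded(samples, scan_ms)):
        if welded:
            return i * scan_ms
    return None


def trace(duration_ms: int, door_opens_ms: int, door_closes_ms: int,
          drop_delay_ms: Optional[int], scan_ms: int = SCAN_MS) -> List[Tuple[bool, bool]]:
    """Constructed input trace. drop_delay_ms=None models welded contacts that
    never open; otherwise the contactor opens that long after the door opens and
    closes again when the door closes (automatic start)."""
    samples = []
    for t in range(0, duration_ms, scan_ms):
        door_open = door_opens_ms <= t < door_closes_ms
        if drop_delay_ms is None:
            closed = True
        else:
            closed = not (door_opens_ms + drop_delay_ms <= t < door_closes_ms)
        samples.append((door_open, closed))
    return samples


if __name__ == "__main__":
    print("healthy      :", first_alarm_ms(trace(2000, 100, 1500, 30)))
    print("welded       :", first_alarm_ms(trace(2000, 100, 1500, None)))
    print("slow release :", first_alarm_ms(trace(2000, 100, 1500, 700)))
    print("door < 500 ms:", first_alarm_ms(trace(2000, 100, 400, None)))
```

The last trace shows a limit of this diagnostic: with welded contacts, a door opening shorter than the 500 ms delay raises no signal.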
Note
The position switches must be arranged so that they are
not damaged when they are approached and passed.
For this reason, they must not be used as a mechanical end stop.
Functional Example No. CD-FE-I-027-V10-EN
Required components
Hardware components

| Component | Type | MRPD / Ordering data | Qty | Manufacturer |
|---|---|---|---|---|
| Protective door | SIRIUS position switch | 3SE2 243-0XX40 | 1 | Siemens AG |
| | Radius actuator for position switch | 3SX3 228 | 1 | Siemens AG |
| ET200S station | Direct starter, can be expanded 5.5 kW; 9.0 to 12 A | 3RK1301-1KB00-0AA2 | 1 | Siemens AG |
| | Terminal module for a direct starter with feeder cable connection | 3RK1903-0AB00 | 1 | Siemens AG |
| | TM for PM-D F1/2; single or higher-level safety circuit | 3RK1903-1AA00 | 1 | Siemens AG |
| | TM for connection module | 3RK1903-1AB00 | 1 | Siemens AG |
| | PM-D F1 power module for emergency stop application; monitored start | 3RK1903-1BA00 | 1 | Siemens AG |
| | Failsafe kit for direct starter | 3RK1903-1CA00 | 1 | Siemens AG |
| | IM 151 Basic to connect ET200S to PROFIBUS DP | 6ES7151-1CA00-0AB0 | 1 | Siemens AG |
| | Optional: Supply block M45-PEN-F | 3RK1903-2AA00 | 1 | Siemens AG |
| SIMATIC S7 | Power supply PS307 5A | 6ES73071EA00-0AA0 | 1 | Siemens AG |
| | SIMATIC S7-300, CPU 315-2DP | 6ES7315-2AG10-0AB0 | 1 | Siemens AG |
| | Micro Memory Card MMC 512 kB | 6ES7953-8LJ10-0AA0 | 1 | Siemens AG |
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate
from this list can be used (e.g. another ET200S Motorstarter).
When the ET200S Motor Starter High Feature is used,
the F-Kit is not required as this is already integrated in
the motor starters.
Structure and wiring
An overview of the hardware structure
[Figure: overview of the hardware structure (PLC master, PROFIBUS DP, IM 151, PM-D F1, DS with F-Kit1, PM-X; terminal modules TM-PF 30 S47-B1 and TM-X 15 S27-01; terminal cover)]
Additional motor starters can be inserted before the PM-X
module in an ET 200S Station. These are then also shut down
when the Emergency Stop control device is pressed (group
stop).
Wiring of the hardware components
[Figure: wiring diagram (protective door position switch, terminals A1/A2, OUT+/OUT-, RF1/RF2, AUX 2/AUX 3)]
Important hardware component settings
Some important settings from the STEP 7 hardware configuration are shown below as an overview.
Ex. No. 3.4
Protective door monitoring with automatic start, Category 4
acc. to EN 954-1, with ET200S Safety Motorstarter Solution Local
Function
Description of the functionality
This Safety Functional Example describes a mechanically isolating protective mechanism in the form of a protective door. The
most frequently used solution for securing hazardous areas of plants and machines is mechanically isolating protective equipment or access hatches. In this case, the function is to monitor
unauthorized entry into plant and system areas and to
prevent potentially hazardous machine functions if the protective equipment (in this case the protective door) is not closed.
The protective door is monitored by two SIRIUS position
switches, each with a positively-opening contact, using a PM-D-F2 safety module according to Category 4 in compliance with
EN 954-1. If this protective door is opened, the PM-D-F2 safety
module shuts down the motor starter assigned to it according
to Stop Category 0 acc. to EN 60204-1. In this particular example, a drive is stopped. If the protective door is closed, the motor starts automatically after the
position switch has been checked.
This example only discusses the safety function. The motor
starter is operationally switched using a standard PLC and is not
considered any further here.
Note
The position switches must be arranged so that they are
not damaged when they are approached and passed. For this
reason, they must not be used as a mechanical end stop.
Advantages/customer benefits
■ Pure hardware engineering without having to configure/program software for the safety-relevant technology
■ Extensive PROFIBUS diagnostics of the motor starter and
the PM-D-F2 safety module.
■ Because less time, material and wiring are involved, less
mounting space is needed in the cabinet, which in turn reduces
the overall dimensions of the plant/system.
Required components
Hardware components

| Component | Type | MRPD / Ordering data | Qty | Manufacturer |
|---|---|---|---|---|
| Protective door | SIRIUS position switch | 3SE2 243-0XX40 | 2 | Siemens AG |
| | Radius actuator for position switch | 3SX3 228 | 2 | Siemens AG |
| ET200S station | Direct starter, can be expanded 5.5 kW; 9.0 to 12 A | 3RK1301-1KB00-0AA2 | 1 | Siemens AG |
| | Terminal module for a direct starter with feeder cable connection | 3RK1903-0AB00 | 1 | Siemens AG |
| | TM for PM-D F1/2; single or higher-level safety circuit | 3RK1903-1AA00 | 1 | Siemens AG |
| | TM for connection module | 3RK1903-1AB00 | 1 | Siemens AG |
| | PM-D F1 power module for emergency stop application; monitored start | 3RK1903-1BA00 | 1 | Siemens AG |
| | Failsafe kit for direct starter | 3RK1903-1CA00 | 1 | Siemens AG |
| | IM 151 Basic to connect ET200S to PROFIBUS DP | 6ES7151-1CA00-0AB0 | 1 | Siemens AG |
| | Optional: Supply block M45-PEN-F | 3RK1903-2AA00 | 1 | Siemens AG |
| Supply contactor | Supply contactor for max. expansion 40 A | 3RT1035-1BB40 | 1 | Siemens AG |
| | Auxiliary contact for supply contactor | 3RH1921-1DA11 | 1 | Siemens AG |
| | Connecting switch | 3RA931-1A | 1 | Siemens AG |
| SIMATIC S7 | Power supply PS307 5A | 6ES73071EA00-0AA0 | 1 | Siemens AG |
| | SIMATIC S7-300, CPU 315-2DP | 6ES7315-2AG10-0AB0 | 1 | Siemens AG |
| | Micro Memory Card MMC 512 kB | 6ES7953-8LJ10-0AA0 | 1 | Siemens AG |
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate
from this list can be used (e.g. another ET200S Motorstarter).
When the ET200S Motor Starter High Feature is used,
the F-Kit is not required as this is already integrated in
the motor starters.
Functional Example No. CD-FE-I-028-V10-EN
Structure and wiring
An overview of the hardware structure
[Figure: overview of the hardware structure (PLC master, PROFIBUS DP, IM 151, PM-D F1, DS with F-Kit1, PM-X, supply contactor K1; terminal modules TM-PF 30 S47-B1 and TM-X 15 S27-01; terminal cover)]
Additional motor starters can be inserted before the PM-X
module in an ET 200S Station. These are then also shut down
when the Emergency Stop control device is pressed (group
stop).
Wiring of the hardware components
[Figure: wiring diagram (protective door position switches, supply contactor K1, terminals A1/A2, OUT+/OUT-, RF1/RF2, AUX 2/AUX 3)]
Important hardware component settings
Ex. No. 3.5
2 safety circuits in a cascade according to Category 4 in
compliance with EN 954-1
(PM-D F X1 and Failsafe Motor Starter)
with ET200S Safety Motor Starter Solution Local
Function
Description of the functionality
If people (in production technology) are close to machines,
then they must be protected using the appropriate equipment. The EMERGENCY STOP command device represents a
widely established component that protects man, machine
and environment against potential hazards.
This safety function example shows how a cascaded
EMERGENCY STOP shutdown with 2 motor starter groups can
be implemented in an ET200S station.
A PM-D F X1 safety module can provide a total of 6 safety-related shutdown groups (refer to the ET200S Motor Starter
Manual) by accessing the SG1 to SG6 buses (safety groups) of
the Failsafe Motor Starter. It routes the safety-related control
voltage of the safety shutdown groups SG1 to SG6 to the SG
rail of the terminal module of the next Failsafe Motor Starter.
The terminal modules of the Failsafe Motor Starter additionally have a coding block. This allows the motor starter to be
assigned to one of the six safety-related shutdown groups (refer
to page 67). The shutdown is realized by a safety relay switching one of the 6 SG buses into a no-voltage condition.
In this function example, the first two motor starters (refer to page 66) are connected to SG1 and the others to SG2. The motor starters can be shut down in a safety-related fashion by
shutting down an SG.
The EMERGENCY STOP command devices with positively-opening contacts are monitored by the 3TK2841 safety relays.
If the EMERGENCY STOP of group 1 is actuated, then the
3TK2841 (K1) shuts down its enable circuit according to stop
Category 0 according to EN 60204-1. The SG1 and the
3TK2841 (K2) are shut down. The 3TK2841 (K2) in turn shuts
down the SG2.
If the EMERGENCY STOP of group 1.1 is actuated, the 3TK2841
(K2) shuts down its enable circuit according to stop Category
0 in compliance with EN 60204-1. SG2 is shut down.
Drives are stopped in this particular function example. Before
restarting or acknowledging the EMERGENCY STOP shutdown
using the start button, a check is made as to whether the contacts
of the EMERGENCY STOP command device are closed.
This functional example only discusses the safety function.
The motor starter is operationally switched using a standard
PLC and is not considered any further here.
Note
Equipment, functional aspects and design guidelines
for EMERGENCY STOP command devices are provided
in EN 418 (EN ISO 13850 in draft status).
Functional Example No. CD-FE-I-029-V10-EN
Advantages/customer benefits
■ Planning and engineering
- Lower time and costs for engineering and documentation:
Motor starters are re-parameterized and documented using the standard Step 7 tool.
The PLC can handle all of the control functions of the motor starter.
Only 2 motor starter versions are required to cover the
power range up to 7.5 kW.
■ Operation
- The availability and productivity have been increased:
Faults are detected early on thanks to powerful diagnostic
functions
Motor starter overloads can be simply acknowledged with
a remote reset via PROFIBUS (or PROFINET)
Emergency Start function
Coordination type "2" for 50 kA
■ Installation and commissioning
- Fast installation and mounting:
Fast installation system of the ET 200S with self-establishing 50 A power bus
All of the various cable ducts and terminals are eliminated.
All of the load feeders - with the exception of the motor
connection - are completely wired and connected-up
Every power supply voltage is only connected once and is
automatically connected to the next modules
Optimum cabinet design without de-rating up to 60°C
- Low space requirement (either fewer or smaller electrical
cabinets):
Less mounting space is required in the electrical cabinet
because less material and wiring is needed; in turn this reduces the space required in the plant or system.
- Fast commissioning:
Reduced testing costs as a result of the modular and standardized plant/system concept - no risk of wiring mistakes/errors.
- Simple acceptance at favorable costs (Machinery Directives):
Motor starters and safety modules have been certified by
the TÜV [German Technical Inspectorate]
■ Service and maintenance:
- Simple and preventive service and maintenance:
Single diagnostics, overload and short circuit are separately detected.
- Short downtimes:
Hot swapping (motor starters can be replaced in just a few
seconds in operation without requiring any tools) - thanks
to the pre-configured wiring
Self-coding motor starters (an incorrect motor starter cannot be inserted as it is mechanically interlocked)
The master automatically and remotely parameterizes the
devices when replaced under voltage (hot swapping)
Full motor protection thanks to overload protection - short circuit protection - dissymmetry - anti-stall protection - zero current detection; long motor starter lifetimes of
up to 10 million switching operations.
- Lower costs when stocking spare parts:
There are only 2 motor versions up to 7.5kW with wide
setting ranges
■ Upgrades and expansions
Existing plants and systems can be simply and quickly upgraded/expanded.
Failsafe Motor Starters
A Failsafe Motor Starter comprises a circuit-breaker with shunt
release, a contactor with positively-driven auxiliary contacts
and an electronic evaluation unit for fault detection.
The PM-D F X1 power module disconnects the contactor supply voltage. If the contactor control (energization) does not
match the switching state of the positively-driven auxiliary
contact, then the evaluation electronics detects a fault and
opens the circuit-breaker.
In this case, the second shutdown element is therefore the circuit-breaker, which is tripped by a monitored shunt release
when a fault occurs.
Components required
Hardware component

| Components | Type | MRPD / Ordering data | Qty. | Manufacturer |
|---|---|---|---|---|
| EMERGENCY STOP | Mushroom head pushbutton, 1 NC, 40 mm, with yellow upper section without protective collar | 3SB3 801-0DG3 | 2 | Siemens AG |
| | Switching element with a switching contact, NC contact | 3SB34 20-0C | 2 | Siemens AG |
| | Empty enclosure of a command point | 3SB3 801-0AA3 | 2 | Siemens AG |
| | 1NO contact for base-mounting | 3SB3 420-OB | 2 | Siemens AG |
| Start button | Pushbutton, black with flat actuator, 22 mm nominal diameter | 3SB3 000-0AA11 | 2 | Siemens AG |
| | Optional: Inscription plate "Start" | 3SB3 906-1EL | 2 | Siemens AG |
| Safety relay | 3TK2841 safety relay | 3TK2841-1BB40 | 2 | Siemens AG |
| ET 200S station | Failsafe direct starter; 2.4 to 8 A | 3RK1301-0BB13-0AA2 | 4 | Siemens AG |
| | Terminal module for a direct starter F with feeder cable connection | 3RK1903-3AC00 | 1 | Siemens AG |
| | Terminal module for a direct starter F without feeder cable connection | 3RK1903-3AC10 | 3 | Siemens AG |
| | Terminal module for the supply terminal module PM-D F X1; supply at the left | 3RK1903-3AE00 | 1 | Siemens AG |
| | PM-D F X1 power module (feed terminal module) | 3RK1903-3DA00 | 1 | Siemens AG |
| | IM 151 to connect ET200S to PROFIBUS DP | 6ES7151-1AA03-0AB0 | 1 | Siemens AG |
| | Optional: Supply block M65-PEN-F | 3RK1903-2AC00 | 1 | Siemens AG |
| | M65-PEN-S connection block | 3RK1903-2AC10 | 3 | Siemens AG |
| SIMATIC S7 | Power supply PS307 5A | 6ES7307-1EA00-0AA0 | 1 | Siemens AG |
| | SIMATIC S7-300, CPU 315-2DP | 6ES7315-2AG10-0AB0 | 1 | Siemens AG |
| | Micro Memory Card MMC 512 kB | 6ES7953-8LJ10-0AA0 | 1 | Siemens AG |
Note
The functionality was tested using the specified hardware components. Products that are similar but deviate from this list can be used (e.g. another ET200S
Motor Starter).
Structure and wiring
An overview of the hardware structure
Additional motor starters can be inserted in an ET 200S Station. These are assigned to a group and can be shutdown by
actuating the appropriate EMERGENCY STOP command device.
[Figure: overview of the hardware structure, "ET200S with PM-D-FX1 and Motorstarter Failsafe" (PLC, PROFIBUS DP, IM 151, PM-D F X1 with feeding, four F-DS1e-x starters on SG1 and SG2, two 3TK28-41 safety relays, E-Stop Group 1 and E-Stop Group 1.1, each with a Start button)]
Connecting-up the hardware components
[Figure: wiring diagram (S7-300 PLC master, IM 151-1 on PROFIBUS DP, PM-D F X1 on terminal module TM-PF 30 S47-G1, four F-DS1e-x starters assigned to SG1 and SG2, 3TK2841 safety relays K1 and K2 with EMERGENCY STOP (NOT-HALT) and ON (EIN) circuits, terminating module)]
Make sure the wiring is cross-proof!
Important hardware component settings
Set the safety-related shutdown group on the terminal module of the Failsafe Motor Starter.
Some important settings in the STEP7 hardware configuration
are shown below as an overview.
Note
Diagram
Safety shutdown group
The safety shutdown group must be set.
This number is compared with the safety-related mechanical assignment on the terminal module (which is not visible from outside) and
must match it.
Default: Not assigned
Rated operating current
Here, the rated operating current (rated motor current) is entered, i.e. the current that the feeder
(switching device and motor) can conduct without any interruption. The current that can be set depends on the motor
starter current range (e.g. 0.3 A to 3 A; 2.4 A to 8 A; 2.4 A to 16 A).
It can be set in 10 mA steps within a specific range.
-> Wide range setting
Default: Minimum value
Current limit
Upper current limit:
The mechanical system/equipment is more difficult to move, e.g. if
the bearings are damaged or the mixture being mixed is too viscous
-> current is greater than that set
Lower current limit:
The mechanical system/equipment is easier to move, e.g. the material being processed in the plant or system is no longer present or drive
belts are broken
-> current is less than that set
Protection by evaluating how the current limit is violated
Default: Alarm
Overload, thermal motor model
The motor winding temperature is calculated from the measured motor currents and the device parameters rated operating current and
shutdown class. It is therefore possible to identify whether the
motor is overloaded or is operating in the normal operating range.
Default: Shutdown without restart
The pause time is the time that is specified for cooling down after operational shutdowns, i.e. shutdowns that are not the result of overload trips. After this
time has expired, the "thermal memory" of the motor starter is
· changed to 0 % for motor temperature rise < 50 %
· reduced to 50 % for motor temperature rise < 50 %
This means that frequent starting attempts are possible (jog mode).
Zero current detection
Zero current is detected if the motor current in all phases is < 18.75 %
of the selected rated operating current.
Default: Shutdown
Dissymmetry
Three-phase induction motors respond to low levels of dissymmetry
of the line supply voltage by drawing a higher non-symmetrical current. This increases the temperature of the stator and rotor
windings.
The dissymmetry limit value is a percentage value by which the motor
current in the individual phases may deviate.
Dissymmetry is present if the difference between the smallest and
the highest phase current is greater than 30 %.
Default: Shutdown
Ex. No.
4.1
Emergency Stop and protective door monitoring with
monitored start according to Category 2 of EN 954-1
Automation Function
Scope of Validity of this Functional Example
Functionality of the Functional Example
Persons near machines (e.g. in production engineering) must
be suitably protected by technical equipment.
The EMERGENCY-STOP control unit and protective door monitoring are widely used components for protecting persons,
machines and the environment against danger.
Problem
A standard AS-i network consists of control/master, power
supply unit, a yellow AS-i cable and various slaves. Only two
further components are necessary for safe usage: A safety
monitor and safe slaves.
Solution
Each safe slave is programmed with a factory-default code
table that clearly identifies each slave for the safety monitor.
At each master prompt, correlation is checked between the
code value expected by the comparator (safety monitor) and
the code value actually sent by the slave. In the case of deviations or time-outs, disconnection via 2-channel OSSDs occurs
on the safety monitor.
Implementation of EMERGENCY-STOP disconnection and protective door monitoring via ASIsafe. Category 2 of EN 954-1 is
to be attained.
In this Safety Functional Example, the EMERGENCY-STOP control unit and a protective door are monitored by a K45F ASIsafe
module according to Category 2 of EN 954-1. When the
EMERGENCY-STOP is activated or the protective door is
opened, the K45F ASIsafe module sends a signal to the safety
monitor. The safety monitor then switches the downstream
contactor with positively-driven contacts via the relay output
according to Stop category 0 of EN 60204-1.
A drive is shut down in this example. Before renewed switching-on via the start button, a check is carried out to monitor
whether the contact of the EMERGENCY-STOP control unit and
the protective door are closed and whether the contactor has
switched off.
Advantages / Customer Benefits
■ Secure and non-secure data on one bus
■ Simple assembly thanks to standardized AS-i technology
■ Existing system can be quickly and easily expanded
■ Integration of safety signals in the system diagnosis
■ Failsafe PLC or special master not required
■ Space-saving design thanks to compact safety combination
Functional Example No. CD-FE-I-030-V10-EN
Required Components
This chapter contains an overview of the hardware and software components required for the Functional Example.
Hardware components

| Component | Type | Order No. / Order Information | Quantity | Manufacturer |
|---|---|---|---|---|
| Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1 | Siemens AG |
| AS-i power supply unit | 3 A power supply unit | 3RX9501-0BA00 | 1 | Siemens AG |
| DP/ASILINK Advanced | IP20 degree of protection, router from PROFIBUS DP to AS-Interface | 6GK1415-2BA10 | 1 | Siemens AG |
| EMERGENCY-STOP stop control unit | 40 mm mushroom pushbutton with 1NC and yellow top, without protective collar | 3SB3 801-0DG3 | 1 | Siemens AG |
| SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 1 | Siemens AG |
| Actuator for position switch | Radius actuator | 3SX3 228 | 1 | Siemens AG |
| Safety monitor | Safety monitor with one OSSD | 3RK1105-1AE04-0CA0 | 1 | Siemens AG |
| K45F ASIsafe module | Compact module with two safe inputs | 3RK1205-0BQ00-0AA3 | 1 | Siemens AG |
| | Mounting plate (for standard mounting rail) | 3RK1901-2DA00 | 1 | Siemens AG |
| | Optional: Mounting plate (for wall mounting) | 3RK1901-2EA00 | 1 | Siemens AG |
| | Empty command point enclosure | 3SB3 801-0AA3 | 1 | Siemens AG |
| | 1NO contact block for base mounting | 3SB3 420-OB | 1 | Siemens AG |
| Start button | Black pushbutton with flat button, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | Siemens AG |
| | Optional: "Start" designation plate | 3SB3 906-1EL | 1 | Siemens AG |
| K1 contactor | Contactor, AC-3, 3 KW/400 V, 1NC, DC 24 V, 3-pole, size S00, screw terminal | 3RT1015-1BB42 | 1 | Siemens AG |
| Cable loom | PC configuration cable; Transfer cable | 3RK1901-5AA00 | 1 | Siemens AG |
| AS-i shaped cable | Yellow rubberized cable | 3RX9010-0AA00 | 1 | Siemens AG |
Note
Functionality was tested with the hardware components listed above. Similar products not found in this
list may also be used. If this is the case, please note
that it may be necessary to change the example code
(e.g. change the settings of other addresses).
Software components

| Component | Type | Order No. / Order Information | Quantity | Manufacturer |
|---|---|---|---|---|
| asimon | Safety monitor configuration | 3RK1802-2FB06-0GA0 | 1 | Siemens AG |
Assembly and Wiring
Overview of Hardware Setup
[Figure: hardware setup (PROFIBUS DP, DP/AS-i LINK Advanced, AS-i power supply unit, K45F module with EMERGENCY STOP and SIRIUS position switch on the protective door, safety monitor with Start button, contactor K1 in L1 L2 L3)]
Hardware Component Wiring
Important Hardware Component Settings
Prerequisites:
■ The DP/AS-INTERFACE LINK Advanced is mounted and connected to the AS-i line.
■ The AS-i power supply unit is connected to the AS-i line.
■ The AS-i slaves are not yet connected.
■ The slaves that are to be connected have default address "0"
(delivery status).
Procedure/Working on the DP/AS-INTERFACE LINK Advanced:
■ Switch on the AS-i power supply unit so that the DP/AS-INTERFACE LINK Advanced is in operation.
■ Connect each AS-i slave to the AS-i line and allocate each
the desired slave address (K45F module, address 2).
[Display menu: SYSTEM / AS-i line 1 / Change slave address / Lifelist / Change address]
■ Adopt the actual configuration of the slave as the defined
configuration in the DP/AS-INTERFACE LINK Advanced
[Display menu: SYSTEM / AS-i line 1 / Actual -> Adopt defined / Lifelist / Actual -> Defined]
Result:
All displays for the AS-i line on the DP/AS-INTERFACE LINK
Advanced are off or green, i.e. all slaves have been successfully integrated.
Example Code
This chapter describes which functions are implemented and how the asimon program is structured.
Description of the asimon Program
Description
Parameters
After the asimon software has been started, the start assistant is used
to create a new safety monitor configuration.
Enter a name for the configuration in the Information about monitor
tab, select the operating mode and the function range of the AS Interface safety monitor ("Basic" or "Enhanced").
In the Information about bus tab, you must enter the AS-Interface
bus addresses of the standard slaves used and the safety-oriented
AS-Interface slaves in this network.
In the Diagnosis / Service tab you can adjust the settings for "Diagnosis stop" and "Reset of error condition" as well as configure the AS-Interface bus diagnosis.
Simulating slaves
If fewer than 4 safe or standard AS-Interface slaves are connected to the
AS-Interface bus, you must activate the control box Simulate slaves.
At least 4 slave addresses must be activated to ensure that the AS-Interface safety monitor functions correctly.
Configuration of an AS-Interface safety monitor with the asimon software
is graphical and interactive, i.e. you can select and collectively configure the
safe AS-Interface slaves that are to be monitored and further function
devices from a symbol library that is classified according to devices
(left window).
The K45F module is monitored via two channels independently. For
the "double channel independent" monitoring device, each of the two
switching signals of the corresponding safe AS-Interface slaves affects
2 bits of the transfer sequence. Both switching signals are independently monitored. There is no synchronization time.
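The code-table comparison described under "Solution", combined with the "double channel independent" behaviour above, modelled as an added example (not Siemens or asimon code). The code table is constructed, and the 4-bit values, the table length, the bit-to-channel mapping and the tolerated number of missing replies are assumptions made for illustration.

```python
"""Code-table check between safe AS-i slaves and the safety monitor (illustration).

Assumptions, not taken from the page: 4-bit values, an 8-entry table, which two
bits each switching signal drives, and the tolerated number of missing replies.
"""
from typing import Dict, Optional, Sequence

CH1_MASK = 0b0011   # assumed: switching signal 1 drives the two low bits
CH2_MASK = 0b1100   # assumed: switching signal 2 drives the two high bits
MAX_MISSED = 2      # assumed: missing replies tolerated before a time-out trip
# Constructed code table; every value has non-zero bits in both halves.
TABLE = (0b0110, 0b1001, 0b0111, 0b1110, 0b1011, 0b0101, 0b1101, 0b1010)


def slave_reply(table: Sequence[int], cycle: int,
                ch1_closed: bool, ch2_closed: bool) -> int:
    """Value a safe slave sends in this cycle; an open contact zeroes its 2 bits."""
    value = table[cycle % len(table)]
    if not ch1_closed:
        value &= CH2_MASK
    if not ch2_closed:
        value &= CH1_MASK
    return value


class SafetyMonitor:
    def __init__(self) -> None:
        self.tables: Dict[int, tuple] = {}
        self.cycle: Dict[int, int] = {}
        self.missed: Dict[int, int] = {}
        self.state: Dict[int, str] = {}
        self.fault: Optional[str] = None    # latched until reset()

    def teach(self, address: int, observed: Sequence[int]) -> None:
        """Learn a slave's code table from replies seen with all contacts closed."""
        for v in observed:
            if not 0 <= v <= 0xF or v & CH1_MASK == 0 or v & CH2_MASK == 0:
                raise ValueError(f"slave {address}: {v:#06b} cannot encode 'closed'")
        self.tables[address] = tuple(observed)
        self.cycle[address] = self.missed[address] = 0
        self.state[address] = "unknown"

    def _trip(self, address: int, reason: str) -> None:
        self.fault = f"slave {address}: {reason}"
        self.state[address] = f"fault: {reason}"

    def poll(self, address: int, reply: Optional[int]) -> str:
        """Compare one reply (None = no answer) with the expected table value."""
        table = self.tables[address]
        expected = table[self.cycle[address] % len(table)]
        self.cycle[address] += 1            # model: slave and monitor step together
        if reply is None:
            self.missed[address] += 1
            if self.missed[address] > MAX_MISSED:
                self._trip(address, "time-out")
            return self.state[address]
        self.missed[address] = 0
        halves = []
        for mask in (CH1_MASK, CH2_MASK):   # each channel is judged on its own
            if reply & mask == expected & mask:
                halves.append("closed")
            elif reply & mask == 0:
                halves.append("open")
            else:
                halves.append("bad")
        if "bad" in halves:
            self._trip(address, "deviation")
        elif halves == ["closed", "closed"]:
            self.state[address] = "closed"
        else:
            self.state[address] = "ch1=%s ch2=%s" % tuple(halves)
        return self.state[address]

    def ossd_enabled(self) -> bool:
        """Release only if every taught slave reports closed and no fault is latched."""
        return (self.fault is None and bool(self.state)
                and all(s == "closed" for s in self.state.values()))

    def reset(self) -> None:
        self.fault = None


def demo() -> dict:
    """Four constructed runs with the K45F module at address 2."""
    results = {}
    mon = SafetyMonitor()
    mon.teach(2, TABLE)
    for c in range(8):
        mon.poll(2, slave_reply(TABLE, c, True, True))
    results["healthy"] = mon.ossd_enabled()
    state = mon.poll(2, slave_reply(TABLE, 8, False, True))   # contact 1 opens
    results["ch1_open"] = (state, mon.ossd_enabled(), mon.fault)
    frozen = SafetyMonitor()
    frozen.teach(2, TABLE)
    frozen.poll(2, TABLE[0])
    state = frozen.poll(2, TABLE[0])                          # same value repeated
    results["frozen"] = (state, frozen.ossd_enabled())
    silent = SafetyMonitor()
    silent.teach(2, TABLE)
    silent.poll(2, TABLE[0])
    for _ in range(MAX_MISSED + 1):
        state = silent.poll(2, None)                          # slave stops answering
    results["timeout"] = (state, silent.ossd_enabled())
    return results
```

A signal frozen at one value fails the comparison in the next cycle because the expected value advances with every poll, which is what separates a live slave from a stuck or bridged line.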
The contactor control input of the AS-Interface safety monitor must be
active = ON as long as the safety outputs are switched off. After the
safety outputs are switched on (enabled), the contactor control input
is no longer relevant for the set switching time. Thereafter, the input
must be inactive = OFF. The external device monitoring circuit
device is active = ON (switched on).
After the safety output has been switched off, the external device
monitoring circuit device becomes inactive = OFF (switched off) and
the contactor control input is no longer queried for the duration of the
set switching time.
Thereafter, the contactor control input is active = ON again. When the
external device monitoring circuit device is inactive = OFF, the safety outputs cannot be switched on again until the downstream contactor has reached its resting position.
After switching on the AS-Interface safety monitor, the contactor control input must be active = ON.
The Monitored start - monitor input device requires activation of the
start input of the corresponding OSSD as an additional start requirement. If the AND link of all the monitoring, linking and external device
monitoring circuit devices of an OSSD delivers an ON result, and if the
start requirements have been fulfilled, the monitored start - monitor
input start device relays the enabling request to the output device.
When the circuit is enabled (ON), the signal output and the output circuit are simultaneously activated by the Stop category 0 output device. When the circuit is switched off (OFF), the signal output and the
output circuit are immediately switched off without a delay.
Commissioning the AS Interface Safety Monitor
Transferring a configuration to the AS Interface safety
monitor
To transfer the current asimon configuration to the connected
AS-Interface safety monitor, select the Monitor menu and
then the PC -> Monitor command.
The configuration is then transferred to the AS-Interface
safety monitor. Transfer takes several seconds.
After successful completion of the data transfer to the
AS-Interface safety monitor, the configuration is saved in the
AS-Interface safety monitor.
Learning the safe configuration
After transferring a configuration to a connected AS-Interface
safety monitor, the safe configuration has to be "learned". To
this end, the code tables of the safe AS-Interface slaves that
are to be monitored are read in via the AS-Interface. The code
table of each safe AS-Interface slave that is to be monitored is
stored in the configuration log.
Before the safe configuration can be learned, the AS-Interface
bus including all safe AS-Interface slaves that are to be monitored must be commissioned, and all safe AS-Interface slaves
that are to be monitored must be switched ON. Only then can
the AS-Interface safety monitor learn the code tables of all the
relevant safe AS-Interface slaves.
To learn the code tables, select the Teach safe configuration
command in the Monitor menu and confirm the question "Do you want
to learn the code sequence?" with Yes.
The code tables are then learned by the AS-Interface safety
monitor. Learning takes several seconds. Progress is displayed
in a window.
Once the code tables of all the safe AS-Interface slaves that are
to be monitored have been successfully learned, a provisional
configuration log will be immediately transferred to asimon.
The progress of the transfer of the provisional configuration
log is displayed in a window.
An information window will then prompt you to have the configuration checked by the safety appointee responsible for the
application using the configuration log.
The provisional configuration log is displayed in asimon in its
own window.
Configuration validation
To validate a configuration, select the Validate command in
the Monitor menu. A window will appear in which you can
validate a configuration by entering your name and password.
Confirm your entry with the OK button. An information window will then confirm that the configuration has been successfully validated.
The configuration log will then be immediately transferred.
Progress of the transfer of the final configuration log is displayed in a window.
The final configuration log is displayed in asimon in its own
window. To illustrate that the configuration has been validated and to differentiate between a validated and a provisional configuration log, the validation information will be displayed in Line 10.
Starting the AS-Interface safety monitor
If a valid, validated configuration is available on the AS-Interface safety monitor, you can switch the AS-Interface safety
monitor from configuration mode to protection mode via the
Start command in the Monitor menu. After the protection
mode has been started, the status line will indicate the
change to the new operating mode.
Ex. No. 4.2
Emergency stop and protective door monitoring with
monitored start according to Category 4 of EN 954-1
Automation Function
Scope of Validity of this Functional Example
Functionality of the Functional Example
Persons near machines (e.g. in production engineering) must
be suitably protected by technical equipment. The
EMERGENCY-STOP control unit and protective door monitoring are widely used components for protecting persons,
machines and the environment against danger.
Problem
A standard AS-i network consists of control/master, power
supply unit, a yellow AS-i cable and various slaves. Only two
further components are necessary for safe usage:
A safety monitor and safe slaves.
Solution
Each safe slave is programmed with a factory-default code
table that clearly identifies each slave for the safety monitor.
At each master prompt, correlation is checked between the
code value expected by the comparator (safety monitor) and
the code value actually sent by the slave. In the case of deviations or time-outs, disconnection via 2-channel OSSDs occurs
on the safety monitor.
Implementation of EMERGENCY-STOP disconnection and protective door monitoring with monitored start via ASIsafe.
Category 4 of EN 954-1 is to be attained.
In this Safety Functional Example, the EMERGENCY-STOP control unit and a protective door are monitored by a K45F ASIsafe
module according to Category 4 of EN 954-1. When the
EMERGENCY-STOP is activated or the protective door is
opened, the K45F ASIsafe module sends a signal to the safety
monitor. The safety monitor then switches the downstream
contactor with positively-driven contacts via the safe relay
output according to Stop category 0 of EN 60204-1.
A drive is shut down in this example. Before renewed switching-on via the start button, a check is carried out to monitor
whether the contact of the EMERGENCY-STOP control unit and
the protective door are closed and whether the contactors
have switched off.
Advantages / Customer Benefits
■ Secure and non-secure data on one bus
■ Simple assembly thanks to standardized AS-i technology
■ Existing system can be quickly and easily expanded
■ Integration of safety signals in the system diagnosis
■ Failsafe PLC or special master not required
■ Space-saving design thanks to compact safety combination
Functional Example No. CD-FE-I-031-V10-EN
Required Components
This chapter contains an overview of the hardware and software components required for the Functional Example.
Hardware components
| Component | Type | Order No. / Order Information | Quantity | Manufacturer |
|---|---|---|---|---|
| Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1 | Siemens AG |
| AS-i power supply unit | 3 A power supply unit | 3RX9501-0BA00 | 1 | |
| DP/AS-i LINK Advanced | IP20 degree of protection, router from PROFIBUS DP to AS-Interface | 6GK1415-2BA10 | 1 | |
| EMERGENCY-STOP | 40-mm mushroom pushbutton with 1NC and yellow top | 3SB3 801-0DG3 | 1 | |
| | 1NO contact block | 3SB3 420-0C | 1 | |
| SIRIUS position switch | Position switch with separate actuator | 3SE2 243-0XX40 | 2 | |
| Actuator for position switch | Radius actuator | 3SX3 228 | 2 | |
| Safety monitor | Safety monitor with one OSSD | 3RK1105-1AE04-0CA0 | 1 | |
| ASi Safe module K45F | Compact module with two safe inputs | 3RK1205-0BQ00-0AA3 | 2 | |
| | Mounting plate (for standard mounting rail) | 3RK1901-2DA00 | 2 | |
| | Optional: Mounting plate (for wall mounting) | 3RK1901-2EA00 | 2 | |
| Start button | Empty command point enclosure | 3SB3 801-0AA3 | 1 | |
| | 1NO contact block for base mounting | 3SB3 420-OB | 1 | |
| | Black pushbutton with flat button, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | |
| | Optional: "Start" designation plate | 3SB3 906-1EL | 1 | |
| K1 / K2 contactor | Contactor, AC-3, 3 KW/400 V, 1NC, DC 24 V, 3-pole, size S00, screw terminal | 3RT1015-1BB42 | 2 | |
| Cable loom | PC configuration cable, transfer cable | 3RK1901-5AA00 | 1 | |
| AS-i shaped cable | Yellow rubberized cable | 3RX9010-0AA00 | 1 | |
Note
Functionality was tested with the hardware components listed above. Similar products not found in this
list may also be used. If this is the case, please note
that it may be necessary to change the example code
(e.g. change the settings of other addresses).
Software components
| Component | Type | Order No. / Order Information | Quantity | Manufacturer |
|---|---|---|---|---|
| asimon | Safety monitor configuration | 3RK1802-2FB06-0GA0 | 1 | Siemens AG |
Assembly and Wiring
Overview of Hardware Setup
[Figure: hardware setup with PROFIBUS DP, DP/AS-i LINK Advanced, AS-i power supply unit, safety monitor, two K45F modules, EMERGENCY-STOP, protective door with SIRIUS position switch, Start button, contactors K1 and K2, and supply L1 L2 L3]
Hardware Component Wiring
[Figure: hardware component wiring]
Important Hardware Component Settings
DP/AS-i LINK Advanced
Prerequisites:
■ The DP/AS-INTERFACE LINK Advanced is mounted and connected to the AS-i line.
■ The AS-i power supply unit is connected to the AS-i line.
■ The AS-i slaves are not yet connected.
■ The slaves that are to be connected have default address "0" (delivery status).
Procedure/Working on the DP/AS-INTERFACE LINK Advanced:
■ Switch on the AS-i power supply unit so that the DP/AS-INTERFACE LINK Advanced is in operation.
■ Connect each AS-i slave to the AS-i line and allocate each the desired slave address (K45F module, address 2).
[Display: SYSTEM, AS-i line 1, Change slave address, Lifelist, Change address]
■ Adopt the actual configuration of the slave as the defined configuration in the DP/AS-INTERFACE LINK Advanced.
[Display: SYSTEM, AS-i line 1, Actual -> Adopt defined, Lifelist, Actual -> Defined]
Result:
All displays for the AS-i line on the DP/AS-INTERFACE LINK Advanced are off or green, i.e. all slaves have been successfully integrated.
Example Code
This chapter describes which functions are implemented and how the asimon program is structured.
Description of the asimon Program
Description
Parameters
After the asimon software has been started, the start assistant is used
to create a new safety monitor configuration.
Enter a name for the configuration in the Information about monitor
tab, select the operating mode and the function range of the AS Interface safety monitor ("Basic" or "Enhanced").
In the Information about bus tab, you must enter the AS-Interface bus
addresses of the standard slaves used and the safety-oriented AS-Interface slaves in this network.
In the Diagnosis / Service tab you can adjust the settings for "Diagnosis stop" and "Reset of error condition" as well as configure the AS-Interface bus diagnosis.
Simulating slaves
If fewer than 4 safe or standard AS-Interface slaves are connected to the AS-Interface bus, you must activate the control box Simulate slaves.
At least 4 slave addresses must be activated to ensure that the AS-Interface safety monitor functions correctly.
Configuration of an AS-Interface safety monitor with the asimon software is graphical and interactive, i.e. you can select and collectively configure the safe AS-Interface slaves that are to be monitored and further function devices from a symbol library that is classified according to devices (left window).
For the double channel forced monitoring device, the switching signal of the corresponding safe AS-Interface slave affects all 4 bits of the
transfer sequence.
As an option, a start-up test and/or a local acknowledgement can be
carried out. When the control box Always is activated, a local acknowledgement must also always be carried out whenever the AS-Interface
safety monitor is switched on or a communication error (warm restart
of the AS-Interface safety monitor) occurs.
For the double channel forced monitoring device, each of the two
switching signals of the corresponding safe AS-Interface slaves affects
2 bits of the transfer sequence. Both switching signals must be received within the synchronization time defined by the user. If only one
contact opens, the second contact must also open before both contacts can be once again closed.
As an option, a start-up test and/or a local acknowledgement can be
carried out. When the control box Always is activated, a local acknowledgement must also always be carried out whenever the AS-Interface
safety monitor is switched on or a communication error (warm restart
of the AS-Interface safety monitor) occurs.
The contactor control input of the AS-Interface safety monitor must be
active = ON as long as the safety outputs are switched off. After the
safety outputs are switched on (enabled), the contactor control input
is no longer relevant for the set switching time. Thereafter, the input
must be inactive = OFF. The external device monitoring circuit device is active = ON (switched on).
After the safety outputs have been switched off, the external device
monitoring circuit device becomes inactive = OFF (switched off) and
the contactor control input is no longer queried for the duration of the
set switching time.
Thereafter, the contactor control input is active = ON again. When the
external device monitoring circuit is inactive = OFF, the safety outputs cannot be switched on again until the downstream contactor has
reached its resting position.
After switching on the AS-Interface safety monitor, the contactor control input must be active = ON.
The Monitored start - monitor input device requires activation of the
start input of the corresponding OSSD as an additional start requirement. If the AND link of all the monitoring, linking and external device
monitoring circuit devices of an OSSD delivers an ON result, and if the
start requirements have been fulfilled, the monitored start - monitor
input start device relays the enabling request to the output device.
When the circuit is enabled (ON), the signal output and the output
circuit are simultaneously activated by the Stop category 0 output
device. When the circuit is switched off (OFF), the signal output and
the output circuit are immediately switched off without a delay.
Commissioning the AS Interface Safety Monitor
Transferring a configuration to the AS Interface safety monitor
To transfer the current asimon configuration to the connected AS-Interface safety monitor, select the Monitor menu and then the PC -> Monitor command.
The configuration is then transferred to the AS-Interface safety monitor. Transfer takes several seconds.
After successful completion of the data transfer to the AS-Interface safety monitor, the configuration is saved in the AS-Interface safety monitor.
Learning the safe configuration
After transferring a configuration to a connected AS-Interface safety monitor, the safe configuration has to be "learned". To this end, the code tables of the safe AS-Interface slaves that are to be monitored are read in via the AS-Interface. The code table of each safe AS-Interface slave that is to be monitored is stored in the configuration log.
Before the safe configuration can be learned, the AS-Interface bus including all safe AS-Interface slaves that are to be monitored must be commissioned, and all safe AS-Interface slaves that are to be monitored must be switched ON. Only then can the AS-Interface safety monitor learn the code tables of all the relevant safe AS-Interface slaves.
To learn the code tables, select the Teach safe configuration command in the Monitor menu and confirm the question "Do you want to learn the code sequence?" with Yes.
The code tables are then learned by the AS-Interface safety monitor. Learning takes several seconds. Progress is displayed in a window.
Once the code tables of all the safe AS-Interface slaves that are to be monitored have been successfully learned, a provisional configuration log will be immediately transferred to asimon.
The progress of the transfer of the provisional configuration log is displayed in a window.
An information window will then prompt you to have the configuration checked by the safety appointee responsible for the application using the configuration log.
The provisional configuration log is displayed in asimon in its
own window.
Configuration validation
To validate a configuration, select the Validate command in
the Monitor menu. A window will appear in which you can
validate a configuration by entering your name and password.
Confirm your entry with the OK button. An information window will then confirm that the configuration has been successfully validated.
The configuration log will then be immediately transferred.
Progress of the transfer of the final configuration log is displayed in a window.
The final configuration log is displayed in asimon in its own
window. To illustrate that the configuration has been validated and to differentiate between a validated and a provisional configuration log, the validation information will be displayed in Line 10.
Starting the AS-Interface safety monitor
If a valid, validated configuration is available on the AS-Interface safety monitor, you can switch the AS-Interface safety
monitor from configuration mode to protection mode via the
Start command in the Monitor menu. After the protection
mode has been started, the status line will indicate the
change to the new operating mode.
Protective door with door interlocking via a spring-actuated
lock according to Category 3 of EN 954-1
Ex.- No.
4.3
Automation Function
Scope of Validity of this Functional Example
Functionality of the Functional Example
Locking mechanisms equipped with a tumbler are mechanical
or electrical mechanisms which only allow a machine to be
operated when the door is closed and locked. The interlocking
remains in place until there is no longer any risk of injury due
to dangerous machine functions or movements. Monitoring is
usually carried out by a speed monitor or a standstill monitor.
In this example, machine movement/standstill is simulated by
the door release button.
Problem
A standard AS-i network consists of control/master, power
supply unit, a yellow AS-i cable and various slaves. Only two
further components are necessary for safe usage: A safety
monitor and safe slaves.
Each safe slave is programmed with a factory-default code
table that clearly identifies each slave for the safety monitor.
At each master prompt, correlation is checked between the
code value expected by the comparator (safety monitor) and
the code value actually sent by the slave. In the case of deviations or time-outs, disconnection via 2-channel OSSDs occurs
on the safety monitor.
The protective door is monitored via a SIRIUS position switch
equipped with a spring-actuated lock by an ASIsafe K45F
module according to Category 3 of EN 954-1. When the door
release is activated, the safety monitor switches the downstream contactors with positively-driven contacts via the first
OSSD according to Stop category 0 of EN 60204-1. The protective door interlock is enabled with a delay.
A drive is shut down in this example. When the protective door
is closed, a manual start is carried out after the position switch
and the downstream contacts have been checked.
Implementation of a protective door interlock with a spring-actuated lock via ASIsafe. Category 3 of EN 954-1 is to be attained.
Solution
In the example presented here, an actuator mounted in the
door moves into a form-fit mounted position switch with a
tumbler. During the potential danger (machine in operation),
the actuator is kept in position (and thus the door also remains
closed) by the power supply being disconnected from a magnet in the position switch. This type of interlocking is referred
to as a spring-actuated lock.
Advantages / Customer Benefits
■ Secure and non-secure data on one bus
■ Simple assembly thanks to standardized AS-i technology
■ Existing system can be quickly and easily expanded
■ Integration of safety signals in the system diagnosis
■ Failsafe PLC or special master not required
■ Space-saving design thanks to compact safety combination
■ Simple configuration via the asimon software
■ The protective door remains locked even if there is a power
outage.
Functional Example No. CD-FE-I-032-V10-EN
Required Components
This chapter contains an overview of the hardware and software components required for the Functional Example.
Hardware components
| Component | Type | Order No. / Order Information | Quantity | Manufacturer |
|---|---|---|---|---|
| Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1 | Siemens AG |
| AS-i power supply unit | 3 A power supply unit | 3RX9501-0BA00 | 1 | |
| DP/AS-i LINK Advanced | IP20 degree of protection, router from PROFIBUS DP to AS-Interface | 6GK1415-2BA10 | 1 | |
| SIRIUS position switch | Position switch with a spring-actuated lock, 2 NC/2 NC | 3SE2840-6XX00 | 1 | |
| Actuator for position switch | Radius actuator | 3SX3 228 | 1 | |
| Safety monitor | Safety monitor with two OSSDs | 3RK1105-1BE04-2CA0 | 1 | |
| ASi Safe module K45F | Compact module with two safe inputs | 3RK1205-0BQ00-0AA3 | 1 | |
| ASi Safe module K45F | Compact module with 4 standard inputs | 3RK1200-0CQ20-0AA3 | 1 | |
| Accessories for K45 modules | Mounting plate (for standard mounting rail) | 3RK1901-2DA00 | 2 | |
| | Optional: Mounting plate (for wall mounting) | 3RK1901-2EA00 | 2 | |
| Door unlocking device | Empty command point enclosure | 3SB3 801-0AA3 | 1 | |
| | 1NO contact block for base mounting | 3SB3 420-OB | 1 | |
| | Toggle switch with 2 switch positions | 3SB30 00-2KA11 | 1 | |
| Start button | Empty command point enclosure | 3SB3 801-0AA3 | 1 | |
| | 1NO contact block for base mounting | 3SB3 420-OB | 1 | |
| | Black pushbutton with flat button, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | |
| | Optional: "Start" designation plate | 3SB3 906-1EL | 1 | |
| K1 / K2 contactor | Contactor, AC-3, 3 KW/400 V, 1NC, DC 24 V, 3-pole, size S00, screw terminal | 3RT1015-1BB42 | 2 | |
| Cable loom | PC configuration cable, transfer cable | 3RK1901-5AA00 | 1 | |
| AS-i shaped cable | Yellow rubberized cable | 3RX9010-0AA00 | 1 | |
Note
Functionality was tested with the hardware components listed above. Similar products not found in this
list may also be used. If this is the case, please note
that it may be necessary to change the example code
(e.g. change the settings of other addresses).
Software components
| Component | Type | Order No. / Order Information | Quantity | Manufacturer |
|---|---|---|---|---|
| asimon | Safety monitor configuration | 3RK1802-2FB06-0GA0 | 1 | Siemens AG |
Assembly and Wiring
Overview of Hardware Setup
[Figure: hardware setup with PROFIBUS DP, DP/AS-i LINK Advanced, AS-i power supply unit, safety monitor, K45F module, K45 module, door release switch (open/closed), Start button, protective door with SIRIUS position switch with tumbler, contactors K1 and K2, and supply L1 L2 L3]
Hardware Component Wiring
[Figure: AS-i power supply unit and DP/AS-i Link wiring]
Note
The actuator of the SIRIUS position switch must be protected against external acts of violence.
[Figure: Wiring of the K45 module release]
[Figure: Wiring of the protective door and the safety monitor, showing the actuator, the protective door (closed/open) and the terminals]
Important Hardware Component Settings
DP/AS-i LINK Advanced
Prerequisites:
■ The DP/AS-INTERFACE LINK Advanced is mounted and connected to the AS-i line.
■ The AS-i power supply unit is connected to the AS-i line.
■ The AS-i slaves are not yet connected.
■ The slaves that are to be connected have default address "0" (delivery status).
Procedure/Working on the DP/AS-INTERFACE LINK Advanced:
■ Switch on the AS-i power supply unit so that the DP/AS-INTERFACE LINK Advanced is in operation.
■ Connect each AS-i slave to the AS-i line and allocate the desired slave address (K45F module, address 1 / K45 standard module, address 2).
[Display: SYSTEM, AS-i line 1, Change slave address, Lifelist, Change address]
■ Adopt the actual configuration of the slave as the defined configuration in the DP/AS-INTERFACE LINK Advanced.
[Display: SYSTEM, AS-i line 1, Actual -> Adopt defined, Lifelist, Actual -> Defined]
Result:
All displays for the AS-i line on the DP/AS-INTERFACE LINK Advanced are off or green, i.e. all slaves have been successfully integrated.
Example Code
This chapter describes which functions are implemented and how the asimon program is structured.
Description of the asimon Program
Description
Parameters
After the asimon software has been started, the start assistant is used
to create a new safety monitor configuration.
Enter a name for the configuration in the Information about monitor tab, and select the operating mode and the function range of the
AS Interface safety monitor ("Basic" or "Enhanced").
When the operating mode two dependent OSSDs is selected, the
second OSSD is dependent on the first OSSD.
In the Information about bus tab, you must enter the AS-Interface bus addresses of the standard slaves used and the safety-oriented AS-Interface slaves in this network.
In the Diagnosis / Service tab you can adjust the settings for "Diagnosis stop" and "Reset of error condition" as well as configure the AS-Interface bus diagnosis.
Simulating slaves
If fewer than 4 safe or standard AS-Interface slaves are connected to the AS-Interface bus, you must activate the control box Simulate slaves.
At least 4 slave addresses must be activated to ensure that the AS-Interface safety monitor functions correctly.
Configuration of an AS-Interface safety monitor with the asimon software is graphical and interactive, i.e. you can select and collectively configure the safe AS-Interface slaves that are to be monitored and further function devices from a symbol library that is classified according to devices (left window).
For the double channel dependent monitoring device, each of the
two switching signals of the corresponding safe AS-Interface slaves
affects 2 bits of the transfer sequence. Both switching signals must be
received within the synchronization time defined by the user. If only
one contact opens, the second contact must also open before both
contacts can be once again closed.
As an option, a start-up test and/or a local acknowledgement can be
carried out. When the control box Always is activated, a local acknowledgement must also always be carried out whenever the
AS-Interface safety monitor is switched on or a communication error
(warm restart of the AS-Interface safety monitor) occurs.
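The synchronization rule of the double channel dependent monitoring device described above (Example 4.2 states the same rule) can be followed as a small state machine. This is an added Python sketch, not asimon code or the monitor's firmware; the class, state and sample names are hypothetical, and treating an exceeded synchronization time as a lock-out that clears only once both contacts are open is an assumption of the sketch.

```python
"""Simplified model of the 'double channel dependent' monitoring device.

Added illustration only. Contact states are sampled with a timestamp in
seconds; True means the contact is closed.
"""
from enum import Enum


class State(Enum):
    READY = "both contacts open, a closing attempt may start"
    WAIT_SECOND = "one contact closed, synchronization time running"
    ON = "both contacts closed in time, device delivers ON"
    LOCKED = "both contacts must open before the next closing attempt"


class DoubleChannelDependent:
    def __init__(self, sync_time_s):
        self.sync_time_s = sync_time_s
        self.state = State.READY
        self._first_closed_at = None

    def update(self, t, ch1_closed, ch2_closed):
        """Feed the contact states seen at time t; return True while ON."""
        both = ch1_closed and ch2_closed
        none = not ch1_closed and not ch2_closed

        if self.state is State.ON:
            if none:
                self.state = State.READY
            elif not both:
                # Only one contact opened: the second must open as well
                # before both may close again (rule from the page).
                self.state = State.LOCKED
        elif self.state is State.LOCKED:
            if none:
                self.state = State.READY
        elif self.state is State.READY:
            if both:
                self.state = State.ON
            elif not none:
                self.state = State.WAIT_SECOND
                self._first_closed_at = t
        elif self.state is State.WAIT_SECOND:
            late = t - self._first_closed_at > self.sync_time_s
            if none:
                self.state = State.READY
            elif late:
                # Assumption: a missed synchronization time locks the
                # device until both contacts have been opened.
                self.state = State.LOCKED
            elif both:
                self.state = State.ON
        return self.state is State.ON


def run(sync_time_s, samples):
    """Replay (t, ch1_closed, ch2_closed) samples; return the ON trace."""
    device = DoubleChannelDependent(sync_time_s)
    return [device.update(t, a, b) for t, a, b in samples]


# Constructed sample traces (not measurements from a real installation).
CLOSE_IN_TIME = [(0.0, False, False), (1.0, True, False), (1.2, True, True)]
CLOSE_TOO_LATE = [(0.0, False, False), (1.0, True, False), (2.0, True, True),
                  (3.0, False, False), (3.1, True, True)]
ONE_CONTACT_OPENS = [(0.0, True, True), (1.0, True, False), (2.0, True, True),
                     (3.0, False, False), (4.0, True, True)]

if __name__ == "__main__":
    for name, trace in [("in time", CLOSE_IN_TIME),
                        ("too late", CLOSE_TOO_LATE),
                        ("one contact opens", ONE_CONTACT_OPENS)]:
        print(name, run(0.5, trace))
```

In the third trace the device stays OFF at t = 2.0 even though both contacts read closed again, which is the case a stuck or bridged channel would produce.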
The Standard slave monitoring device is used to integrate a bit (input or output) of a standard AS-Interface slave that is not safety-oriented as an additional switching signal for standard switching of the AS-Interface safety monitor relay(s) in an OSSD.
The protective door is unlocked via this device.
The contactor control input of the AS-Interface safety monitor must
be active = ON as long as the safety outputs are switched off. After
the safety outputs are switched on (enabled), the contactor control
input is no longer relevant for the set switching time. Thereafter, the
input must be inactive = OFF. The external device monitoring circuit device is active = ON (switched on).
After the safety outputs have been switched off, the external device
monitoring circuit device becomes inactive = OFF (switched off) and
the contactor control input is no longer queried for the duration of
the set switching time.
Thereafter, the contactor control input is active = ON again. When the
external device monitoring circuit device is inactive = OFF, the safety outputs cannot be switched on again until the downstream contactor has reached its resting position.
After switching on the AS-Interface safety monitor, the contactor
control input must be active = ON.
The external device monitoring circuit for a dependent, second OSSD
has the same function as the standard external device monitoring
circuit.
This circuit monitors the second channel, but does not have any
effect on the enabling of channel 1.
In this example, the magnet contact is monitored by the second
external device monitoring circuit.
The Monitored start - monitor input device requires activation of the
start input of the corresponding OSSD as an additional start requirement. If the AND link of all the monitoring, linking and external device
monitoring circuit devices of an OSSD delivers an ON result, and if the
start requirements have been fulfilled, the Monitored start - monitor
input start device relays the enabling request to the output device.
After the first output circuit is switched off, the second output circuit
is switched on after the set delay time elapses. The delay time can
be set between 1 s and 300 s in 1 s increments. The second output
circuit must be switched off before the first output circuit is switched
on.
If the door is enabled, status ON, before the second output circuit is
switched on, the first output circuit is switched on again and the second output circuit remains switched off.
Unlocking function
After the first output circuit is switched off via the door release and
the set delay time has elapsed (or via the standstill monitor), the second output circuit switches on, so that in turn the doors are unlocked.
This type of unlocking is not always desired.
By activating the Unlocking device checkbox, a standard slave can
be specified whose status (LOCK signal) determines whether or not
the interlocking should remain after the delay time has elapsed.
When the machine is switched off, the LOCK signal enables the door
interlock to be switched on or off as desired.
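The delayed unlocking and the Unlocking device option described above, as an added Python model that is not part of the asimon software. The names are hypothetical, and three assumptions are made: `enable` stands for the enabling request that reaches the output device, `lock=True` means the LOCK signal asks for the interlock to remain, and switching the second output circuit off takes one step before the first circuit switches on.

```python
"""Model of two dependent output circuits with delayed door unlocking.

Added illustration only. Circuit 1 switches the drive contactors,
circuit 2 unlocks the door after the set delay time.
"""


class DoorLockDelay:
    def __init__(self, delay_s, unlocking_device=False):
        # Range given on the page: 1 s to 300 s in 1 s increments.
        if not isinstance(delay_s, int) or not 1 <= delay_s <= 300:
            raise ValueError("delay time must be 1..300 s in 1 s increments")
        self.delay_s = delay_s
        self.unlocking_device = unlocking_device  # "Unlocking device" checkbox
        self.out1 = False        # first output circuit (drive enabled)
        self.out2 = False        # second output circuit (door unlocked)
        self._off_since = None   # time at which circuit 1 switched off

    def step(self, t, enable, lock=False):
        """Advance to time t (seconds); return (out1, out2)."""
        if enable:
            if self.out2:
                # Circuit 2 must be off before circuit 1 is switched on
                # (assumption: this costs one step).
                self.out2 = False
            else:
                self.out1 = True
                self._off_since = None
        else:
            if self.out1 or self._off_since is None:
                self.out1 = False
                self._off_since = t          # delay time starts here
            delay_over = t - self._off_since >= self.delay_s
            # Assumption: lock=True keeps the door interlocked.
            keep_locked = self.unlocking_device and lock
            self.out2 = delay_over and not keep_locked
        return self.out1, self.out2


def simulate(device, samples):
    """Replay (t, enable[, lock]) samples; return the (out1, out2) trace."""
    return [device.step(*sample) for sample in samples]


# Constructed sample traces (not taken from a real machine).
NORMAL_STOP = [(0, True), (10, False), (12, False), (15, False),
               (20, True), (21, True)]
RESTART_BEFORE_UNLOCK = [(0, True), (10, False), (12, True),
                         (30, False), (34, False), (35, False)]
LOCK_HELD = [(0, True, False), (10, False, True), (20, False, True),
             (21, False, False), (22, False, True)]

if __name__ == "__main__":
    print(simulate(DoorLockDelay(5), NORMAL_STOP))
    print(simulate(DoorLockDelay(5), RESTART_BEFORE_UNLOCK))
    print(simulate(DoorLockDelay(5, unlocking_device=True), LOCK_HELD))
```

In no step of any trace are both circuits on at the same time, which is the property the dependency between the two OSSDs is meant to enforce.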
Commissioning the AS Interface Safety Monitor
Transferring a configuration to the AS Interface safety monitor
To transfer the current asimon configuration to the connected AS-Interface safety monitor, select the Monitor menu and then the PC -> Monitor command.
The configuration is then transferred to the AS-Interface safety monitor. Transfer takes several seconds.
After successful completion of the data transfer to the AS-Interface safety monitor, the configuration is saved in the AS-Interface safety monitor.
Learning the safe configuration
After transferring a configuration to a connected AS-Interface safety monitor, the safe configuration has to be "learned". To this end, the code tables of the safe AS-Interface slaves that are to be monitored are read in via the AS-Interface. The code table of each safe AS-Interface slave that is to be monitored is stored in the configuration log.
Before the safe configuration can be learned, the AS-Interface bus including all safe AS-Interface slaves that are to be monitored must be commissioned, and all safe AS-Interface slaves that are to be monitored must be switched ON. Only then can the AS-Interface safety monitor learn the code tables of all the relevant safe AS-Interface slaves.
To learn the code tables, select the Teach safe configuration command in the Monitor menu and confirm the question "Do you want to learn the code sequence?" with Yes.
The code tables are then learned by the AS-Interface safety monitor. Learning takes several seconds. Progress is displayed in a window.
Once the code tables of all the safe AS-Interface slaves that are to be monitored have been successfully learned, a provisional configuration log will be immediately transferred to asimon.
The progress of the transfer of the provisional configuration log is displayed in a window.
An information window will then prompt you to have the configuration checked by the safety appointee responsible for the application using the configuration log.
The provisional configuration log is displayed in asimon in its
own window.
Configuration validation
To validate a configuration, select the Validate command in
the Monitor menu. A window will appear in which you can
validate a configuration by entering your name and password.
Confirm your entry with the OK button. An information window will then confirm that the configuration has been successfully validated.
The configuration log will then be immediately transferred.
Progress of the transfer of the final configuration log is displayed in a window.
The final configuration log is displayed in asimon in its own
window. To illustrate that the configuration has been validated and to differentiate between a validated and a provisional configuration log, the validation information will be displayed in Line 10.
Starting the AS-Interface safety monitor
If a valid, validated configuration is available on the AS-Interface safety monitor, you can switch the AS-Interface safety
monitor from configuration mode to protection mode via the
Start command in the Monitor menu. After the protection
mode has been started, the status line will indicate the
change to the new operating mode.
Protective door with door interlocking via a spring-actuated
lock according to Category 4 of EN 954-1
Ex. No.
4.4
Automation Function
Scope of Validity of this Functional Example
Functionality of the Functional Example
Locking mechanisms equipped with a tumbler are mechanical
or electrical mechanisms which only allow a machine to be
operated when the door is closed and locked. The interlocking
remains in place until there is no longer any risk of injury due
to dangerous machine functions or movements. Monitoring is
usually carried out by a speed monitor or a standstill monitor.
In this example, machine movement/standstill is simulated by
the door release button.
Problem
A standard AS-i network consists of control/master, power
supply unit, a yellow AS-i cable and various slaves. Only two
further components are necessary for safe usage: A safety
monitor and safe slaves.
Each safe slave is programmed with a factory-default code
table that clearly identifies each slave for the safety monitor.
At each master prompt, correlation is checked between the
code value expected by the comparator (safety monitor) and
the code value actually sent by the slave. In the case of deviations or time-outs, disconnection via 2-channel OSSDs occurs
on the safety monitor.
The protective door is monitored via a SIRIUS position switch
equipped with a spring-actuated lock by an ASIsafe K45F module according to Category 4 of EN 954-1. When the door
release is activated, the safety monitor switches the downstream contactors with positively-driven contacts via the first
OSSD according to Stop category 0 of EN 60204-1. The protective door interlock is enabled with a delay.
A drive is shut down in this example. When the protective door
is closed, a manual start is carried out after the position switch
and the downstream contacts have been checked.
Implementation of a protective door interlock with a spring-actuated lock via ASIsafe. Category 4 of EN 954-1 is to be attained.
Solution
In the example presented here, an actuator mounted in the
door moves into a form-fit mounted position switch with a
tumbler. During the potential danger (machine in operation),
the actuator is kept in position (and thus the door also remains
closed) by the power supply being disconnected from a magnet in the position switch. This type of interlocking is referred
to as a spring-actuated lock.
Advantages / Customer Benefits
■ Secure and non-secure data on one bus
■ Simple assembly thanks to standardized AS-i technology
■ Existing system can be quickly and easily expanded
■ Integration of safety signals in the system diagnosis
■ Failsafe PLC or special master not required
■ Space-saving design thanks to compact safety combination
■ Simple configuration via the asimon software
■ The protective door remains locked even if there is a power
outage.
Functional Example No. CD-FE-I-033-V10-EN
Required Components
This chapter contains an overview of the hardware and software components required for the Functional Example.
Hardware components
| Component | Type | Order No. / Order Information | Quantity | Manufacturer |
|---|---|---|---|---|
| Power supply | PS307 5A | 6ES7307-1EA00-0AA0 | 1 | Siemens AG |
| AS-i power supply unit | 3 A power supply unit | 3RX9501-0BA00 | 1 | |
| DP/AS-i LINK Advanced | IP20 degree of protection, router from PROFIBUS DP to AS-Interface | 6GK1415-2BA10 | 1 | |
| SIRIUS position switch | Position switch with a spring-actuated lock, 2 NC/2 NC | 3SE2840-6XX00 | 1 | |
| | Position switch with a twist lever | 3SE2120-1GW | 1 | |
| Actuator for position switch | Radius actuator | 3SX3 228 | 1 | |
| Safety monitor | Safety monitor with two OSSDs | 3RK1105-1BE04-2CA0 | 1 | |
| ASi Safe module K45F | Compact module with two safe inputs | 3RK1205-0BQ00-0AA3 | 1 | |
| ASi Safe module K45F | Compact module with 4 standard inputs | 3RK1200-0CQ20-0AA3 | 1 | |
| Accessories for K45 modules | Mounting plate (for standard mounting rail) | 3RK1901-2DA00 | 2 | |
| | Optional: Mounting plate (for wall mounting) | 3RK1901-2EA00 | 2 | |
| Door unlocking device | Empty command point enclosure | 3SB3 801-0AA3 | 1 | |
| | 1NO contact block for base mounting | 3SB3 420-OB | 1 | |
| | Toggle switch with 2 switch positions | 3SB30 00-2KA11 | 1 | |
| Start button | Empty command point enclosure | 3SB3 801-0AA3 | 1 | |
| | 1NO contact block for base mounting | 3SB3 420-OB | 1 | |
| | Black pushbutton with flat button, 22 mm nominal diameter | 3SB3 000-0AA11 | 1 | |
| | Optional: "Start" designation plate | 3SB3 906-1EL | 1 | |
| K1 / K2 contactor | Contactor, AC-3, 3 KW/400 V, 1NC, DC 24 V, 3-pole, size S00, screw terminal | 3RT1015-1BB42 | 2 | |
| Cable loom | PC configuration cable, transfer cable | 3RK1901-5AA00 | 1 | |
| AS-i shaped cable | Yellow rubberized cable | 3RX9010-0AA00 | 1 | |
Note
Functionality was tested with the hardware components listed above. Similar products not found in this
list may also be used. If this is the case, please note
that it may be necessary to change the example code
(e.g. change the settings of other addresses).
Software components
Component | Type | Order No. / Order Information | Quantity | Manufacturer
asimon | Safety monitor configuration | 3RK1802-2FB06-0GA0 | 1 | Siemens AG
Assembly and Wiring
Hardware Component Wiring
[Figure: Overview of Hardware Setup]
[Figure: AS-i power supply unit and DP/AS-i Link wiring]
[Figure: Wiring of the K45 module door release]
[Figure: Wiring of the protective door and the safety monitor. Labels legible in the diagram: 3SE2 840-6XX00, 3SE2120-1GW, 3RK1205-0BQ00-0AA3, contactors K1 and K2, Start, Magnet (E1(+), E2(-)), Actuator, Protective door (Closed/Open).
FIN1: PIN 1 = Terminal 12, PIN 2 = Terminal 11, PIN 3 = n.c., PIN 4 = n.c.
FIN2: PIN 1 = Terminal 21, PIN 2 = Terminal 22, PIN 3 = n.c., PIN 4 = n.c.]
Important Hardware Component Settings
DP/AS-i LINK Advanced
Prerequisites:
■ The DP/AS-INTERFACE LINK Advanced is mounted and connected to the AS-i line.
■ The AS-i power supply unit is connected to the AS-i line.
■ The AS-i slaves are not yet connected.
■ The slaves that are to be connected have default address "0"
(delivery status).
Procedure/Working on the DP/AS-INTERFACE LINK Advanced:
■ Switch on the AS-i power supply unit so that the DP/AS-INTERFACE LINK Advanced is in operation
■ Connect each AS-i slave to the AS-i line and allocate the
desired slave address (K45F module, address 1 / K45 standard module, address 2).
[Display: SYSTEM / AS-i line 1 / Change slave address / Lifelist / Change address]
■ Adopt the actual configuration of the slave as the defined
configuration in the DP/AS-INTERFACE LINK Advanced
[Display: SYSTEM / AS-i line 1 / Actual -> Adopt defined / Lifelist / Actual -> Defined]
Result:
All displays for the AS-i line on the DP/AS-INTERFACE LINK Advanced are off or green, i.e. all slaves have been successfully
integrated.
Example Code
This chapter describes which functions are implemented and how the asimon program is structured.
Description of the asimon Program
Description
Parameters
After the asimon software has been started, the start assistant is used
to create a new safety monitor configuration.
Enter a name for the configuration in the "Information about monitor" tab, and select the operating mode and the function range of the
AS-Interface safety monitor ("Basic" or "Enhanced").
When the operating mode "two dependent OSSDs" is selected, the
second OSSD is dependent on the first OSSD.
In the Information about bus tab, you must enter the AS-Interface
bus addresses of the standard slaves used and the safety-oriented
AS-Interface slaves in this network.
In the Diagnosis / Service tab you can adjust the settings for "Diagnosis stop" and "Reset of error condition" as well as configure the
AS-Interface bus diagnosis.
Simulating slaves
If fewer than 4 safe or standard AS-Interface slaves are connected to the
AS-Interface bus, you must activate the "Simulate slaves" checkbox.
At least 4 slave addresses must be activated to ensure that the AS-Interface safety monitor functions correctly.
Configuration of an AS-Interface safety monitor with the asimon software is graphical and interactive, i.e. you can select and collectively configure the safe AS-Interface slaves that are to be monitored and further
function devices from a symbol library that is classified according to
devices (left window).
For the double channel dependent monitoring device, each of the
two switching signals of the corresponding safe AS-Interface slaves
affects 2 bits of the transfer sequence. Both switching signals must be
received within the synchronization time defined by the user. If only
one contact opens, the second contact must also open before both
contacts can be once again closed.
As an option, a start-up test and/or a local acknowledgement can be
carried out. When the "Always" checkbox is activated, a local acknowledgement must also always be carried out whenever the AS-Interface safety monitor is switched on or a communication error
(warm restart of the AS-Interface safety monitor) occurs.
The "Standard slave" monitoring device is used to integrate a bit (input or output) of a standard AS-Interface slave that is not safety-oriented as an additional switching signal for standard switching of
the AS-Interface safety monitor relay(s) in an OSSD.
The protective door is unlocked via this device.
The contactor control input of the AS-Interface safety monitor must
be active = ON as long as the safety outputs are switched off. After
the safety outputs are switched on (enabled), the contactor control
input is no longer relevant for the set switching time. Thereafter, the
input must be inactive = OFF. The external device monitoring circuit is active = ON (switched on).
After the safety outputs have been switched off, the external device
monitoring circuit device becomes inactive = OFF (switched off) and
the contactor control input is no longer queried for the duration of
the set switching time.
Thereafter, the contactor control input is active = ON again. When the
external device monitoring circuit is inactive = OFF, the safety outputs cannot be switched on again until the downstream contactor
has reached its resting position.
After switching on the AS-Interface safety monitor, the contactor
control input must be active = ON.
The external device monitoring circuit for a dependent, second
OSSD has the same function as the standard external device
monitoring circuit.
This circuit monitors the second channel, but does not have any
effect on the enabling of channel 1.
In this example, the magnet contact is monitored by the second
external device monitoring circuit.
The Monitored start - monitor input device requires activation of the
start input of the corresponding OSSD as an additional start requirement. If the AND link of all the monitoring, linking and external device
monitoring circuit devices of an OSSD delivers an ON result, and if the
start requirements have been fulfilled, the monitored start - monitor
input start device relays the enabling request to the output device.
After the first output circuit is switched off, the second output circuit
is switched on after the set delay time elapses. The delay time can be
set between 1 s and 300 s in 1 s increments. The second output circuit must be switched off before the first output circuit is switched
on. If the door is enabled (status ON) before the second output circuit
is switched on, the first output circuit is switched on again and the
second output circuit remains switched off.
Unlocking function
After the first output circuit is switched off via the door release and
the set delay time has elapsed (or via the standstill monitor), the second output circuit switches on, so that in turn the doors are unlocked.
This type of unlocking is not always desired.
By activating the Unlocking device checkbox, a standard slave can
be specified whose status (LOCK signal) determines whether or not
the interlocking should remain after the delay time has elapsed.
When the machine is switched off, the LOCK signal enables the door
interlock to be switched on or off as desired.
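The timing rules of this output device and of the optional unlocking device can be replayed with a small state model. This is an added example, not asimon code and not part of the original Functional Example; the class and method names are hypothetical, and it assumes that LOCK = ON means "keep the door locked" and that the delay also runs from power-up.

```python
"""Added example: timing model of the delayed door-unlock output device."""


class DoorLockByDelay:
    """out1 = first output circuit (contactors), out2 = second output circuit (unlocks the door)."""

    def __init__(self, delay_s, unlocking_device=False):
        # The page allows 1 s to 300 s in 1 s increments.
        if not isinstance(delay_s, int) or not 1 <= delay_s <= 300:
            raise ValueError("delay time must be an integer from 1 to 300 seconds")
        self.delay_s = delay_s
        self.unlocking_device = unlocking_device
        self.out1 = False
        self.out2 = False
        self._off_since = None  # time at which out1 was switched off

    def update(self, t, enable, lock=False):
        """Advance to time t (seconds) and return (out1, out2).

        enable: result of the OSSD's monitoring and start devices (True = ON).
        lock:   LOCK signal of the standard slave (assumed: True = stay locked);
                only evaluated when the unlocking device is configured.
        """
        if enable:
            self._off_since = None
            if self.out2:
                # The second circuit must be off before the first is switched on,
                # so this cycle only re-locks; out1 follows on the next cycle.
                self.out2 = False
            else:
                self.out1 = True
        else:
            if self.out1 or self._off_since is None:
                self.out1 = False
                self._off_since = t          # delay starts when out1 drops
            delay_over = t - self._off_since >= self.delay_s
            held_by_lock = self.unlocking_device and lock
            self.out2 = delay_over and not held_by_lock
        return self.out1, self.out2


def run(device, trace):
    """Replay (t, enable, lock) samples; return the (out1, out2) pair after each one."""
    return [device.update(t, enable, lock) for t, enable, lock in trace]


# Constructed trace: release requested at t=1 and withdrawn at t=3 (before the
# 5 s delay elapsed), requested again at t=4, door unlocked at t=9, restart at t=10.
TRACE_PLAIN = [(0, True, False), (1, False, False), (3, True, False),
               (4, False, False), (8, False, False), (9, False, False),
               (10, True, False), (11, True, False)]

# Constructed trace with the unlocking device: LOCK keeps the door locked after
# the 2 s delay, releases it at t=4 and locks it again at t=5.
TRACE_LOCK = [(0, True, True), (1, False, True), (3, False, True),
              (4, False, False), (5, False, True)]

if __name__ == "__main__":
    for sample, outputs in zip(TRACE_PLAIN, run(DoorLockByDelay(5), TRACE_PLAIN)):
        print(sample, "->", outputs)
    for sample, outputs in zip(TRACE_LOCK, run(DoorLockByDelay(2, True), TRACE_LOCK)):
        print(sample, "->", outputs)
```

At no point in either trace are both output circuits on together, which is the property a reviewer of the configuration log would want to confirm.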
Commissioning the AS-Interface Safety Monitor
Transferring a configuration to the AS-Interface safety monitor
To transfer the current asimon configuration to the connected
AS-Interface safety monitor, select the Monitor menu and
then the PC -> Monitor command.
The configuration is then transferred to the AS-Interface
safety monitor. Transfer takes several seconds.
After successful completion of the data transfer to the
AS-Interface safety monitor, the configuration is saved in the
AS-Interface safety monitor.
Learning the safe configuration
After transferring a configuration to a connected AS-Interface
safety monitor, the safe configuration has to be "learned". To
this end, the code tables of the safe AS-Interface slaves that
are to be monitored are read in via the AS-Interface. The code
table of each safe AS-Interface slave that is to be monitored is
stored in the configuration log.
Before the safe configuration can be learned, the AS-Interface
bus including all safe AS-Interface slaves that are to be monitored must be commissioned, and all safe AS-Interface slaves
that are to be monitored must be switched ON. Only then can
the AS-Interface safety monitor learn the code tables of all the
relevant safe AS-Interface slaves.
To learn the code tables, select Teach safe configuration
in the Monitor menu and confirm the question "Do you want
to learn the code sequence?" with Yes.
The code tables are then learned by the AS-Interface safety
monitor. Learning takes several seconds. Progress is displayed
in a window.
Once the code tables of all the safe AS-Interface slaves that are
to be monitored have been successfully learned, a provisional
configuration log will be immediately transferred to asimon.
The progress of the transfer of the provisional configuration
log is displayed in a window.
An information window will then prompt you to have the configuration checked by the safety appointee responsible for the
application using the configuration log.
The provisional configuration log is displayed in asimon in its
own window.
Configuration validation
To validate a configuration, select the Validate command in
the Monitor menu. A window will appear in which you can
validate a configuration by entering your name and password.
Confirm your entry with the OK button. An information window will then confirm that the configuration has been successfully validated.
The configuration log will then be immediately transferred.
Progress of the transfer of the final configuration log is displayed in a window.
The final configuration log is displayed in asimon in its own
window. To illustrate that the configuration has been validated and to differentiate between a validated and a provisional configuration log, the validation information will be displayed in Line 10.
Starting the AS-Interface safety monitor
If a valid, validated configuration is available on the AS-Interface safety monitor, you can switch the AS-Interface safety
monitor from configuration mode to protection mode via the
Start command in the Monitor menu. After the protection
mode has been started, the status line will indicate the
change to the new operating mode.
Protective door with door interlocking via a magnet-field
lock according to Category 3 of EN 954-1
Ex. No.
4.5
Automation Function
Scope of Validity of this Functional Example
Functionality of the Functional Example
Locking mechanisms equipped with a tumbler are mechanical
or electrical mechanisms which only allow a machine to be
operated when the door is closed and locked. The interlock
remains in place until there is no longer any risk of injury due
to dangerous machine functions or movements. Monitoring is
usually carried out by a speed monitor or a standstill monitor.
In this example, machine movement/standstill is simulated by
the door release button.
Problem
A standard AS-i network consists of control/master, power
supply unit, a yellow AS-i cable and various slaves. Only two
further components are necessary for safe usage: A safety
monitor and safe slaves.
Each safe slave is programmed with a factory-default code
table that clearly identifies each slave for the safety monitor.
At each master prompt, correlation is checked between the
code value expected by the comparator (safety monitor) and
the code value actually sent by the slave. In the case of deviations or time-outs, disconnection via 2-channel OSSDs occurs
on the safety monitor.
The protective door is monitored via a SIRIUS position switch
equipped with a magnet-field lock by an ASIsafe K45F module
according to Category 3 of EN 954-1. When the door release
is activated, the safety monitor switches the downstream contactors with positively-driven contacts via the first OSSD according to Stop category 0 of EN 60204-1. The protective door
interlock is enabled with a delay.
Implementation of a protective door interlock with a magnet-field lock via ASIsafe. Category 3 of EN 954-1 is to be attained.
Solution
In the example presented here, an actuator mounted in the
door moves into a form-fit mounted position switch with a
tumbler. During the potential danger (machine in operation),
the actuator is kept in position (and thus the door also remains
closed) by the power supply being supplied to a magnet in the
position switch. This type of interlocking is referred to as a
magnet-field lock.
Advantages / Customer Benefits
■ Secure and non-secure data on one bus
■ Simple assembly thanks to standardized AS-i technology
■ Existing system can be quickly and easily expanded
■ Integration of safety signals in the system diagnosis
■ Failsafe PLC or special master not required
■ Space-saving design thanks to compact safety combination
■ Simple configuration via the asimon software
■ The protective door is no longer locked in the case of a
power outage.
A drive is shut down in this example. When the protective door
is closed, a manual start is carried out after the position switch
and the downstream contacts have been checked.
Functional Example No. CD-FE-I-034-V10-EN
Required Components
This chapter contains an overview of the hardware and software components required for the Functional Example.
Hardware components
Component | Type | Order No. / Order Information | Quantity | Manufacturer
Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1 | Siemens AG
AS-i power supply unit | 3 A power supply unit | 3RX9501-0BA00 | 1
DP/AS-i LINK Advanced | IP20 degree of protection, router from PROFIBUS DP to AS-Interface | 6GK1415-2BA10 | 1
SIRIUS position switch | Position switch with a spring-actuated lock, 2 NC/2 NC | 3SE2 830-6XX00 | 1
Actuator for position switch | Radius actuator | 3SX3 228 | 1
Safety monitor | Safety monitor with two OSSDs | 3RK1105-1BE04-2CA0 | 1
ASi Safe module K45F | Compact module with two safe inputs | 3RK1205-0BQ00-0AA3 | 1
ASi Safe module K45F | Compact module with 4 standard inputs | 3RK1200-0CQ20-0AA3 | 1
Accessories for K45 modules | Mounting plate (for standard mounting rail) | 3RK1901-2DA00 | 2
Accessories for K45 modules | Optional: Mounting plate (for wall mounting) | 3RK1901-2EA00 | 2
Door unlocking device | Empty command point enclosure | 3SB3 801-0AA3 | 1
Door unlocking device | 1NO contact block for base mounting | 3SB3 420-OB | 1
Door unlocking device | Toggle switch with 2 switch positions | 3SB30 00-2KA11 | 1
Start button | Empty command point enclosure | 3SB3 801-0AA3 | 1
Start button | 1NO contact block for base mounting | 3SB3 420-OB | 1
Start button | Black pushbutton with flat button, 22 mm nominal diameter | 3SB3 000-0AA11 | 1
Start button | Optional: "Start" designation plate | 3SB3 906-1EL | 1
K1 / K2 contactor | Contactor, AC-3, 3 kW/400 V, 1NC, DC 24 V, 3-pole, size S00, screw terminal | 3RT1015-1BB42 | 2
Cable loom PC configuration cable | Transfer cable | 3RK1901-5AA00 | 1
AS-i shaped cable | Yellow rubberized cable | 3RX9010-0AA00 | 1
Note
Functionality was tested with the hardware components listed above. Similar products not found in this
list may also be used. If this is the case, please note
that it may be necessary to change the example code
(e.g. change the settings of other addresses).
Software components
Component | Type | Order No. / Order Information | Quantity | Manufacturer
asimon | Safety monitor configuration | 3RK1802-2FB06-0GA0 | 1 | Siemens AG
Assembly and Wiring
Hardware Component Wiring
[Figure: Overview of Hardware Setup. Labelled components: SIRIUS position switch with tumbler, door release (Closed/Open), Start, safety monitor, K45F module, K45 module, contactors K1 and K2, AS-i power supply unit, DP/AS-i LINK Advanced, PROFIBUS DP, protective door, L1 L2 L3]
[Figure: AS-i power supply unit and DP/AS-i Link wiring]
Note
The actuator of the SIRIUS position switch must be
protected against external acts of violence.
[Figure: Wiring of the K45 module door release]
[Figure: Wiring of the protective door and the safety monitor. Labels legible in the diagram: Actuator, Protective door (Closed/Open), Terminal]
Important Hardware Component Settings
DP/AS-i LINK Advanced
Prerequisites:
■ The DP/AS-INTERFACE LINK Advanced is mounted and connected to the AS-i line.
■ The AS-i power supply unit is connected to the AS-i line.
■ The AS-i slaves are not yet connected.
■ The slaves that are to be connected have default address "0"
(delivery status).
Procedure/Working on the DP/AS-INTERFACE LINK Advanced:
■ Switch on the AS-i power supply unit so that the DP/AS-INTERFACE LINK Advanced is in operation
■ Connect each AS-i slave to the AS-i line and allocate the
desired slave address (K45F module, address 1 / K45 standard module, address 2).
[Display: SYSTEM / AS-i line 1 / Change slave address / Lifelist / Change address]
■ Adopt the actual configuration of the slave as the defined
configuration in the DP/AS-INTERFACE LINK Advanced
[Display: SYSTEM / AS-i line 1 / Actual -> Adopt defined / Lifelist / Actual -> Defined]
Result:
All displays for the AS-i line on the DP/AS-INTERFACE LINK Advanced are off or green, i.e. all slaves have been successfully
integrated.
Example Code
This chapter describes which functions are implemented and how the asimon program is structured.
Description of the asimon Program
Description
Parameters
After the asimon software has been started, the start assistant is used
to create a new safety monitor configuration.
Enter a name for the configuration in the "Information about monitor" tab, and select the operating mode and the function range of the
AS-Interface safety monitor ("Basic" or "Enhanced").
When the operating mode "two dependent OSSDs" is selected, the
second OSSD is dependent on the first OSSD.
In the Information about bus tab, you must enter the AS-Interface
bus addresses of the standard slaves used and the safety-oriented
AS-Interface slaves in this network.
In the Diagnosis / Service tab you can adjust the settings for "Diagnosis stop" and "Reset of error condition" as well as configure the AS-Interface bus diagnosis.
Simulating slaves
If fewer than 4 safe or standard AS-Interface slaves are connected to the
AS-Interface bus, you must activate the "Simulate slaves" checkbox.
At least 4 slave addresses must be activated to ensure that the AS-Interface safety monitor functions correctly.
Configuration of an AS-Interface safety monitor with the asimon software is graphical and interactive, i.e. you can select and collectively configure the safe AS-Interface slaves that are to be monitored and further
function devices from a symbol library that is classified according to
devices (left window).
For the double channel dependent monitoring device, each of the
two switching signals of the corresponding safe AS-Interface slaves
affects 2 bits of the transfer sequence. Both switching signals must be
received within the synchronization time defined by the user. If only
one contact opens, the second contact must also open before both
contacts can be once again closed.
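The rule for the double channel dependent monitoring device described above (the same description appears in Example 4.4) can be written as a small state model. This is an added example, not asimon code; the state and class names are hypothetical, and it assumes that exceeding the synchronization time blocks the device until both contacts have been opened again, which the page does not state.

```python
"""Added example: state model of a 'double channel dependent' monitoring device."""

OFF, WAIT_SECOND, ON, TEST_REQUIRED = "OFF", "WAIT_SECOND", "ON", "TEST_REQUIRED"


class DoubleChannelDependent:
    def __init__(self, sync_time_s):
        self.sync_time_s = sync_time_s      # user-defined synchronization time
        self.state = OFF
        self._first_closed_at = None        # when the first contact closed

    def update(self, t, ch1, ch2):
        """Feed both contact states at time t (True = closed); return True if enabled."""
        both = ch1 and ch2
        none = not ch1 and not ch2
        if none:
            # Both contacts open: the only way back to a clean starting point.
            self.state = OFF
        elif self.state == OFF:
            if both:
                self.state = ON
            else:
                self.state = WAIT_SECOND
                self._first_closed_at = t
        elif self.state == WAIT_SECOND:
            if t - self._first_closed_at > self.sync_time_s:
                self.state = TEST_REQUIRED  # second signal missing or too late (assumption)
            elif both:
                self.state = ON
        elif self.state == ON and not both:
            # Only one contact opened: the other must open too before re-closing.
            self.state = TEST_REQUIRED
        return self.state == ON


def replay(sync_time_s, trace):
    """Replay (t, ch1, ch2) samples and return the device state after each sample."""
    device = DoubleChannelDependent(sync_time_s)
    states = []
    for t, ch1, ch2 in trace:
        device.update(t, ch1, ch2)
        states.append(device.state)
    return states


# Constructed traces (times in seconds, synchronization time 0.1 s).
NORMAL = [(0.0, False, False), (1.0, True, False), (1.05, True, True), (5.0, False, False)]
LATE_SECOND = [(0.0, False, False), (1.0, True, False), (1.5, True, True),
               (2.0, False, False), (3.0, True, True)]
# One contact opens and closes again while the other stays closed, as a
# bridged or welded contact would look to the monitor.
ONE_CHANNEL_ONLY = [(0.0, True, True), (1.0, True, False), (2.0, True, True),
                    (3.0, False, False), (4.0, True, True)]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("late", LATE_SECOND),
                        ("one channel", ONE_CHANNEL_ONLY)):
        print(name, replay(0.1, trace))
```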
As an option, a start-up test and/or a local acknowledgement can be
carried out. When the "Always" checkbox is activated, a local acknowledgement must also always be carried out whenever the AS-Interface safety monitor is switched on or a communication error
(warm restart of the AS-Interface safety monitor) occurs.
The "Standard slave" monitoring device is used to integrate a bit (input or output) of a standard AS-Interface slave that is not safety-oriented as an additional switching signal for standard switching of
the AS-Interface safety monitor relay(s) in an OSSD.
The protective door is unlocked via this device.
The contactor control input of the AS-Interface safety monitor must
be active = ON as long as the safety outputs are switched off. After
the safety outputs are switched on (enabled), the contactor control
input is no longer relevant for the set switching time. Thereafter, the
input must be inactive = OFF. The external device monitoring circuit is active = ON (switched on).
After the safety outputs have been switched off, the external device
monitoring circuit device becomes inactive = OFF (switched off) and
the contactor control input is no longer queried for the duration of
the set switching time.
Thereafter, the contactor control input is active = ON again. When the
external device monitoring circuit is inactive = OFF, the safety outputs cannot be switched on again until the downstream contactor
has reached its resting position.
After switching on the AS-Interface safety monitor, the contactor
control input must be active = ON.
The external device monitoring circuit for a dependent, second
OSSD has the same function as the standard external device monitoring circuit. This circuit monitors the second channel, but does not
have any effect on the enabling of channel 1.
In this example, the magnet contact is monitored by the second
external device monitoring circuit.
The Monitored start - monitor input device requires activation of the
start input of the corresponding OSSD as an additional start requirement. If the AND link of all the monitoring, linking and external device
monitoring circuit devices of an OSSD delivers an ON result, and if the
start requirements have been fulfilled, the monitored start - monitor
input start device relays the enabling request to the output device.
When the circuit is enabled (ON), the output circuits (2 relays each)
of both OSSDs are simultaneously activated by the "Stop category 1 - two relay outputs" output device.
When the circuit is switched off (OFF), the output circuit of OSSD 1 is
immediately switched off without a delay. The output circuit of the
dependent OSSD is switched off after the set switch-off delay has
elapsed. The switch-off delay can be set between 0 s and 300 s in
100 ms increments. It is not possible to switch the system on again
until both output circuits have switched off.
Commissioning the AS-Interface Safety Monitor
Transferring a configuration to the AS-Interface safety monitor
To transfer the current asimon configuration to the connected
AS-Interface safety monitor, select the Monitor menu and
then the PC -> Monitor command.
The configuration is then transferred to the AS-Interface
safety monitor. Transfer takes several seconds.
After successful completion of the data transfer to the
AS-Interface safety monitor, the configuration is saved in the
AS-Interface safety monitor.
Learning the safe configuration
After transferring a configuration to a connected AS-Interface
safety monitor, the safe configuration has to be "learned". To
this end, the code tables of the safe AS-Interface slaves that
are to be monitored are read in via the AS-Interface. The code
table of each safe AS-Interface slave that is to be monitored is
stored in the configuration log.
Before the safe configuration can be learned, the AS-Interface
bus including all safe AS-Interface slaves that are to be monitored must be commissioned, and all safe AS-Interface slaves
that are to be monitored must be switched ON. Only then can
the AS-Interface safety monitor learn the code tables of all the
relevant safe AS-Interface slaves.
To learn the code tables, select Teach safe configuration
in the Monitor menu and confirm the question "Do you want
to learn the code sequence?" with Yes.
The code tables are then learned by the AS-Interface safety
monitor. Learning takes several seconds. Progress is displayed
in a window.
Once the code tables of all the safe AS-Interface slaves that are
to be monitored have been successfully learned, a provisional
configuration log will be immediately transferred to asimon.
The progress of the transfer of the provisional configuration
log is displayed in a window.
An information window will then prompt you to have the configuration checked by the safety appointee responsible for the
application using the configuration log.
The provisional configuration log is displayed in asimon in its
own window.
Configuration validation
To validate a configuration, select the Validate command in
the Monitor menu. A window will appear in which you can
validate a configuration by entering your name and password.
Confirm your entry with the OK button. An information window will then confirm that the configuration has been successfully validated.
The configuration log will then be immediately transferred.
Progress of the transfer of the final configuration log is displayed in a window.
The final configuration log is displayed in asimon in its own
window. To illustrate that the configuration has been validated and to differentiate between a validated and a provisional configuration log, the validation information will be displayed in Line 10.
Starting the AS-Interface safety monitor
If a valid, validated configuration is available on the AS-Interface safety monitor, you can switch the AS-Interface safety
monitor from configuration mode to protection mode via the
Start command in the Monitor menu. After the protection
mode has been started, the status line will indicate the
change to the new operating mode.
Protective door with door interlocking via a magnet-field
lock according to Category 4 of EN 954-1
Ex. No.
4.6
Automation Function
Scope of Validity of this Functional Example
Functionality of the Functional Example
Locking mechanisms equipped with a tumbler are mechanical
or electrical mechanisms which only allow a machine to be operated when the door is closed and locked. The interlocking
remains in place until there is no longer any risk of injury due
to dangerous machine functions or movements. Monitoring is
usually carried out by a speed monitor or a standstill monitor.
In this example, machine movement/standstill is simulated by
the door release button.
Problem
A standard AS-i network consists of control/master, power
supply unit, a yellow AS-i cable and various slaves. Only two
further components are necessary for safe usage: A safety
monitor and safe slaves.
Each safe slave is programmed with a factory-default code
table that clearly identifies each slave for the safety monitor.
At each master prompt, correlation is checked between the
code value expected by the comparator (safety monitor) and
the code value actually sent by the slave. In the case of deviations or time-outs, disconnection via 2-channel OSSDs occurs
on the safety monitor.
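The comparison described above (the same description appears in Example 4.5) can be sketched as a comparator that switches both OSSD channels off on a deviation or a time-out. This is an added example and a simplified model, not the ASIsafe implementation: the page does not give the code table format or timing, so the cyclic tables of eight distinct 4-bit values, the time-out parameter and all names here are constructed assumptions.

```python
"""Added example: simplified comparator for the code values of safe AS-i slaves."""

# Constructed code tables (not real ASIsafe tables): eight distinct 4-bit values each.
TABLE_SLAVE_1 = (0x3, 0x6, 0xC, 0x9, 0x5, 0xA, 0xE, 0x7)
TABLE_SLAVE_3 = (0xB, 0x2, 0xD, 0x4, 0x8, 0x1, 0xE, 0x6)


class CodeComparator:
    def __init__(self, learned_tables, timeout_s, start_time=0.0):
        self.learned = dict(learned_tables)   # slave address -> learned code table
        self.timeout_s = timeout_s            # longest tolerated silence per slave
        self.fault = None                     # first fault is latched
        self._pos = {}                        # slave address -> index of last value
        self._last_seen = {addr: start_time for addr in self.learned}

    @property
    def ossd(self):
        """Both channels are on only if every slave is in step and no fault is latched."""
        ok = self.fault is None and len(self._pos) == len(self.learned)
        return (ok, ok)

    def _trip(self, reason):
        if self.fault is None:
            self.fault = reason

    def on_reply(self, addr, value, t):
        """Compare the value a slave sent at time t with the expected one."""
        table = self.learned.get(addr)
        if table is None:
            return self.ossd                  # not a monitored safe slave
        self._last_seen[addr] = t
        if addr not in self._pos:             # first reply: find the position
            if value in table:
                self._pos[addr] = table.index(value)
            else:
                self._trip(f"deviation: slave {addr} sent {value:#x}, not in its code table")
            return self.ossd
        expected_pos = (self._pos[addr] + 1) % len(table)
        if value == table[expected_pos]:
            self._pos[addr] = expected_pos
        else:
            self._trip(f"deviation: slave {addr} sent {value:#x}, "
                       f"expected {table[expected_pos]:#x}")
        return self.ossd

    def on_tick(self, t):
        """Check at time t that no monitored slave has been silent for too long."""
        for addr, seen in self._last_seen.items():
            if t - seen > self.timeout_s:
                self._trip(f"time-out: slave {addr} silent for {t - seen:.3f} s")
        return self.ossd


def feed(comparator, frames):
    """Replay (t, addr, value) frames; return the OSSD pair after the last frame."""
    for t, addr, value in frames:
        comparator.on_tick(t)
        comparator.on_reply(addr, value, t)
    return comparator.ossd


# Constructed traffic: slave 1 answering every 5 ms with its table in order.
GOOD_FRAMES = [(i * 0.005, 1, TABLE_SLAVE_1[i % 8]) for i in range(20)]
# Same start, then the last value is repeated instead of the next one.
STUCK_FRAMES = GOOD_FRAMES[:5] + [(0.025, 1, TABLE_SLAVE_1[4])]

if __name__ == "__main__":
    for name, frames in (("good", GOOD_FRAMES), ("stuck value", STUCK_FRAMES)):
        c = CodeComparator({1: TABLE_SLAVE_1}, timeout_s=0.04)
        print(name, feed(c, frames), c.fault)
```

A repeated (stuck or replayed) value and a value from another slave's table are both reported as deviations, and the fault stays latched even if correct values follow.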
The protective door is monitored via a SIRIUS position switch
equipped with a magnet-field lock by an ASIsafe K45F module
according to Category 4 of EN 954-1. When the door release
is activated, the safety monitor switches the downstream contactors with positively-driven contacts via the first OSSD according to Stop category 0 of EN 60204-1. The protective door
interlock is enabled with a delay.
Implementation of a protective door interlock with a magnet-field lock via ASIsafe. Category 4 of EN 954-1 is to be attained.
Solution
In the example presented here, an actuator mounted in the
door moves into a form-fit mounted position switch with a
tumbler. During the potential danger (machine in operation),
the actuator is kept in position (and thus the door also remains
closed) by the power supply being supplied to a magnet in the
position switch. This type of interlocking is referred to as a
magnet-field lock.
Advantages / Customer Benefits
■ Secure and non-secure data on one bus
■ Simple assembly thanks to standardized AS-i technology
■ Existing system can be quickly and easily expanded
■ Integration of safety signals in the system diagnosis
■ Failsafe PLC or special master not required
■ Space-saving design thanks to compact safety combination
■ Simple configuration via the asimon software
■ The protective door is no longer locked in the case of a
power outage.
A drive is shut down in this example. When the protective door
is closed, a manual start is carried out after the position switch
and the downstream contacts have been checked.
Functional Example No. CD-FE-I-035-V10-EN
Required Components
This chapter contains an overview of the hardware and software components required for the Functional Example.
Hardware components
Component | Type | Order No. / Order Information | Quantity | Manufacturer
Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1 | Siemens AG
AS-i power supply unit | 3 A power supply unit | 3RX9501-0BA00 | 1
DP/AS-i LINK Advanced | IP20 degree of protection, router from PROFIBUS DP to AS-Interface | 6GK1415-2BA10 | 1
SIRIUS position switch | Position switch with a spring-actuated lock, 2 NC/2 NC | 3SE2 830-6XX00 | 1
SIRIUS position switch | Position switch with a twist lever | 3SE2120-1GW | 1
Actuator for position switch | Radius actuator | 3SX3 228 | 1
Safety monitor | Safety monitor with two OSSDs | 3RK1105-1BE04-2CA0 | 1
ASi Safe module K45F | Compact module with two safe inputs | 3RK1205-0BQ00-0AA3 | 1
ASi Safe module K45F | Compact module with 4 standard inputs | 3RK1200-0CQ20-0AA3 | 1
Accessories for K45 modules | Mounting plate (for standard mounting rail) | 3RK1901-2DA00 | 2
Accessories for K45 modules | Optional: Mounting plate (for wall mounting) | 3RK1901-2EA00 | 2
Door unlocking device | Empty command point enclosure | 3SB3 801-0AA3 | 1
Door unlocking device | 1NO contact block for base mounting | 3SB3 420-OB | 1
Door unlocking device | Toggle switch with 2 switch positions | 3SB30 00-2KA11 | 1
Start button | Empty command point enclosure | 3SB3 801-0AA3 | 1
Start button | 1NO contact block for base mounting | 3SB3 420-OB | 1
Start button | Black pushbutton with flat button, 22 mm nominal diameter | 3SB3 000-0AA11 | 1
Start button | Optional: "Start" designation plate | 3SB3 906-1EL | 1
K1 / K2 contactor | Contactor, AC-3, 3 kW/400 V, 1NC, DC 24 V, 3-pole, size S00, screw terminal | 3RT1015-1BB42 | 2
Cable loom PC configuration cable | Transfer cable | 3RK1901-5AA00 | 1
AS-i shaped cable | Yellow rubberized cable | 3RX9010-0AA00 | 1
Note
Functionality was tested with the hardware components listed above. Similar products not found in this
list may also be used. If this is the case, please note
that it may be necessary to change the example code
(e.g. change the settings of other addresses).
Software components
Component | Type | Order No. / Order Information | Quantity | Manufacturer
asimon | Safety monitor configuration | 3RK1802-2FB06-0GA0 | 1 | Siemens AG
Assembly and Wiring
Hardware Component Wiring
Overview of Hardware Setup
[Figure: AS-i power supply unit and DP/AS-i Link wiring]
[Figure: Wiring of the protective door and the safety monitor. Connector pin assignments shown in the figure: FIN1: PIN 1 = Terminal 12, PIN 2 = Terminal 11, PIN 3 = n.c., PIN 4 = n.c.; FIN2: PIN 1 = Terminal 21, PIN 2 = Terminal 22, PIN 3 = n.c., PIN 4 = n.c.]
Important Hardware Component Settings
DP/AS-i LINK Advanced
Procedure/Working on the DP/AS-INTERFACE LINK Advanced:
Prerequisites:
■ Switch on the AS-i power supply unit so that the DP/AS-INTERFACE LINK Advanced is in operation
■ The DP/AS-INTERFACE LINK Advanced is mounted and connected to the AS-i line.
■ The AS-i power supply unit is connected to the AS-i line.
■ The AS-i slaves are not yet connected.
■ The slaves that are to be connected have default address "0"
(delivery status).
■ Connect each AS-i slave to the AS-i line and allocate the
desired slave address (K45F module, address 1 / K45 standard module, address 2).
SYSTEM
AS-i line 1
Change slave address
Lifelist
Change address
■ Adopt the actual configuration of the slave as the defined
configuration in the DP/AS-INTERFACE LINK Advanced
SYSTEM
AS-i line 1
Actual -> Adopt defined
Lifelist
Actual -> Defined
Result:
All displays for the AS-i line on the DP/AS-INTERFACE LINK Advanced are off or green, i.e. all slaves have been successfully
integrated.
Example Code
This chapter describes which functions are implemented and how the asimon program is structured.
Description of the asimon Program
Description
Parameters
After the asimon software has been started, the start assistant is used
to create a new safety monitor configuration.
Enter a name for the configuration in the Information about monitor tab, and select the operating mode and the function range of the
AS-Interface safety monitor ("Basic" or "Enhanced").
When the operating mode two dependent OSSDs is selected, the
second OSSD is dependent on the first OSSD.
In the Information about bus tab, you must enter the AS-Interface
bus addresses of the standard slaves used and the safety-oriented
AS-Interface slaves in this network.
In the Diagnosis / Service tab you can adjust the settings for "Diagnosis stop" and "Reset of error condition" as well as configure the
AS-Interface bus diagnosis.
Simulating slaves
If fewer than 4 safe or standard AS-Interface slaves are connected to the
AS-Interface bus, you must activate the control box Simulate slaves.
At least 4 slave addresses must be activated to ensure that the AS-Interface safety monitor functions correctly.
Configuration of an AS-Interface safety monitor with asimon software is graphic interactive, i.e. you can select and collectively configure the safe AS-Interface slaves that are to be monitored and further
function devices from a symbol library that is classified according to
devices (left window).
For the double channel dependent monitoring device, each of the
two switching signals of the corresponding safe AS-Interface slaves
affects 2 bits of the transfer sequence. Both switching signals must be
received within the synchronization time defined by the user. If only
one contact opens, the second contact must also open before both
contacts can be once again closed.
As an option, a start-up test and/or a local acknowledgement can be
carried out. When the control box Always is activated, a local acknowledgement must also always be carried out whenever the AS-Interface safety monitor is switched on or a communication error
(warm restart of the AS-Interface safety monitor) occurs.
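The rule for the double channel dependent monitoring device described above, modelled as an added example (it is not asimon or Siemens code). The sample traces are constructed; the initial un-armed state (both contacts must first be seen open) and the "locked" state after a violation are modelling assumptions.

```python
"""Model of a double-channel dependent monitoring device (added example)."""


def monitor(samples, sync_ms):
    """Evaluate (t_ms, ch1_closed, ch2_closed) samples.

    Returns one (t_ms, released, reason) tuple per sample.
    A release is only granted if both contacts close within sync_ms of each
    other AND both contacts were seen open beforehand.
    """
    armed = False        # both contacts seen open since the last release/violation
    first_close = None   # time the first contact closed in this closing attempt
    released = False
    trace = []
    for t, c1, c2 in samples:
        if not c1 and not c2:
            # Both open: any earlier violation is cleared, a new attempt may start.
            armed, first_close, released = True, None, False
            reason = "both open"
        elif c1 != c2:
            # Exactly one contact closed.
            if released:
                reason = "one contact opened, release withdrawn"
            elif armed:
                if first_close is None:
                    first_close = t
                if t - first_close > sync_ms:
                    armed = False
                    reason = "synchronization time exceeded"
                else:
                    reason = "waiting for second contact"
            else:
                reason = "locked until both contacts open"
            released = False
        else:
            # Both contacts closed.
            if released:
                reason = "released"
            elif not armed:
                reason = "locked until both contacts open"
            else:
                start = t if first_close is None else first_close
                if t - start > sync_ms:
                    reason = "synchronization time exceeded"
                else:
                    released, reason = True, "released"
            armed = False    # the next release needs both contacts open first
        trace.append((t, released, reason))
    return trace


def release_times(trace):
    """Times at which the device switched from not released to released."""
    times, previous = [], False
    for t, released, _ in trace:
        if released and not previous:
            times.append(t)
        previous = released
    return times


# Constructed trace: door closes correctly, then only channel 1 opens and
# closes again (no release), then the door is fully opened and closed.
SINGLE_CHANNEL_REOPEN = [
    (0, False, False), (100, True, False), (150, True, True),
    (1000, False, True), (1100, True, True),
    (1200, False, False), (1300, True, True),
]

# Constructed trace: second contact arrives 800 ms after the first.
SLOW_SECOND_CONTACT = [
    (0, False, False), (100, True, False), (900, True, True),
    (1000, False, False), (1050, False, True), (1100, True, True),
]

if __name__ == "__main__":
    for name, samples in (("single channel reopen", SINGLE_CHANNEL_REOPEN),
                          ("slow second contact", SLOW_SECOND_CONTACT)):
        print(name)
        for t, released, reason in monitor(samples, sync_ms=500):
            print(f"  t={t:5d} ms  released={released!s:5}  {reason}")
```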
The Standard slave monitoring device is used to integrate a bit (input or output) of a standard AS-Interface slave that is not safety-oriented as an additional switching signal for standard switching of
the AS-Interface safety monitor relay(s) in an OSSD.
The protective door is unlocked via this device (door release).
The contactor control input of the AS-Interface safety monitor must
be active = ON as long as the safety outputs are switched off. After
the safety outputs are switched on (enabled), the contactor control
input is no longer relevant for the set switching time. Thereafter, the
input must be inactive = OFF. The external device monitoring circuit is active = ON (switched on).
After the safety outputs have been switched off, the external device
monitoring circuit device becomes inactive = OFF (switched off) and
the contactor control input is no longer queried for the duration of
the set switching time.
Thereafter, the contactor control input is active = ON again. When the
external device monitoring circuit is inactive = OFF, the safety outputs cannot be switched on again until the downstream contactor
has reached its resting position.
After switching on the AS-Interface safety monitor, the contactor
control input must be active = ON.
The external device monitoring circuit for a dependent, second
OSSD has the same function as the standard external device monitoring circuit. This circuit monitors the second channel, but does not
have any effect on the enabling of channel 1.
In this example, the magnet contact is monitored by the second
external device monitoring circuit.
The Monitored start - monitor input device requires activation of the
start input of the corresponding OSSD as an additional start requirement. If the AND link of all the monitoring, linking and external device
monitoring circuit devices of an OSSD delivers an ON result, and if the
start requirements have been fulfilled, the monitored start - monitor
input start device relays the enabling request to the output device.
When the circuit is enabled (ON), the output circuits (2 relays each)
of both OSSDs are simultaneously activated by the Stop category 1 - two relay outputs output device.
When the circuit is switched off (OFF), the output circuit of OSSD 1 is
immediately switched off without a delay. The output circuit of the
dependent OSSD is switched off after the set switch-off delay has
elapsed. The switch-off delay can be set between 0 s and 300 s in
100 ms increments. It is not possible to switch the system on again
until both output circuits have switched off.
Commissioning the AS-Interface Safety Monitor
Transferring a configuration to the AS-Interface safety monitor
To transfer the current asimon configuration to the connected AS-Interface safety monitor, select the Monitor menu and then the PC -> Monitor command.
The configuration is then transferred to the AS-Interface safety monitor. Transfer takes several seconds.
After successful completion of the data transfer to the AS-Interface safety monitor, the configuration is saved in the AS-Interface safety monitor.
Learning the safe configuration
After transferring a configuration to a connected AS-Interface safety monitor, the safe configuration has to be "learned". To this end, the code tables of the safe AS-Interface slaves that are to be monitored are read in via the AS-Interface. The code table of each safe AS-Interface slave that is to be monitored is stored in the configuration log.
Before the safe configuration can be learned, the AS-Interface bus including all safe AS-Interface slaves that are to be monitored must be commissioned, and all safe AS-Interface slaves that are to be monitored must be switched ON. Only then can the AS-Interface safety monitor learn the code tables of all the relevant safe AS-Interface slaves.
To learn the code tables, select the Teach safe configuration in the Monitor menu and confirm the question "Do you want to learn the code sequence?" with Yes.
The code tables are then learned by the AS-Interface safety monitor. Learning takes several seconds. Progress is displayed in a window.
Once the code tables of all the safe AS-Interface slaves that are to be monitored have been successfully learned, a provisional configuration log will be immediately transferred to asimon.
The progress of the transfer of the provisional configuration log is displayed in a window.
An information window will then prompt you to have the configuration checked by the safety appointee responsible for the application using the configuration log.
The provisional configuration log is displayed in asimon in its
own window.
Configuration validation
To validate a configuration, select the Validate command in
the Monitor menu. A window will appear in which you can
validate a configuration by entering your name and password.
Confirm your entry with the OK button. An information window will then confirm that the configuration has been successfully validated.
The configuration log will then be immediately transferred.
Progress of the transfer of the final configuration log is displayed in a window.
The final configuration log is displayed in asimon in its own
window. To illustrate that the configuration has been validated and to differentiate between a validated and a provisional configuration log, the validation information will be displayed in Line 10.
Starting the AS-Interface safety monitor
If a valid, validated configuration is available on the AS-Interface safety monitor, you can switch the AS-Interface safety
monitor from configuration mode to protection mode via the
Start command in the Monitor menu. After the protection
mode has been started, the status line will indicate the
change to the new operating mode.
SIMOCODE pro direct starters with safety technology
Emergency stop monitoring with monitored start
Category 4 according to EN 954-1
Ex. No.
5.1
Function
Description of the Functionality
Flow Diagram
Persons near machines (e.g. in production engineering) must
be suitably protected by technical equipment. The
EMERGENCY STOP control unit is a widely used component for
protecting persons, machines and the environment against
danger.
The following flow diagram illustrates functional interrelationships (for reasons of clarity, operational stopping has not been
included)
SIMOCODE pro is a flexible, modular motor management system for low-voltage motors with constant speeds. It optimizes
the connection between I&C and the motor feeder, increases
plant availability while helping to cut planning and commissioning costs during plant operation and maintenance. Integrated in the low-voltage switchgear, SIMOCODE pro is the intelligent connection between the higher-level automation
system and the motor feeder.
In this Safety Functional Example, the EMERGENCY STOP control unit with positive opening contacts is monitored by a
SIRIUS 3TK2823 safety switching device as per category 4 according to EN 954-1. If the EMERGENCY STOP is activated, the
3TK2823 safety switching device switches off its corresponding drive as per Stop Category 0 according to EN 60204-1.
Activation of the EMERGENCY STOP is signaled to the
SIMOCODE pro via the IN4 input. This signal is used to activate
the switching state in SIMOCODE when the EMERGENCY STOP
is activated. If this contact reports "zero", SIMOCODE issues
the OFF command. After the EMERGENCY STOP has been released and the safety switching device has been acknowledged, the signal at the IN4 input is active and the drive can
be restarted.
The same signal is sent to the higher-level PLC via the Cyclic Send 1 function, and can be used here to release the switch-on function in the remote operating mode.
A yellow LED on the operator panel will light up if the 3TK2823 trips. The operator can start the drive again as soon as the LED turns off.
This example takes the safety function into particular consideration. Operational switching of the motor feeder is via a standard PLC and is not taken into further consideration here.
[Flow diagram: after the operating voltage is switched on, the EMERGENCY STOP pushbutton must be released and acknowledged (K1 is activated); the EMERGENCY STOP signal to SIMOCODE pro changes to 1 and SIMOCODE pro is ready for switch-on. On a start command SIMOCODE pro starts the motor (K2 is activated) and the drive is running. If the EMERGENCY STOP pushbutton is pressed, the 3TK2823 switches off K1 and K2 (Stop category 0), the drive stops and is disconnected from the network, the EMERGENCY STOP signal to SIMOCODE pro activates the switch-off command, and SIMOCODE pro signals EMERGENCY STOP on the operator panel and sends the message via cyclic signal data.]
Note
Equipment, functional aspects and design guidelines
for EMERGENCY STOP control units can be found in
EN 418 (ISO 73850).
Functional Example No. CD-FE-I-037-V10-EN
Advantages/Customer Benefits
■ The combination of SIMOCODE pro and 3TK28 safety
switching device provides the customer with a flexible,
modular motor management system and safe switching-off of the device.
■ All 3TK28 signal statuses can be sent on to the higher-level
PLC via PROFIBUS.
■ Comprehensive motor feeder protection thanks to
SIMOCODE's combination of various, multi-level protection
and monitoring functions.
■ No further auxiliary contacts are required for the contactors, the safety switching device and the EMERGENCY STOP
pushbutton.
■ All necessary control logic functions are already available
as active logic modules in SIMOCODE.
■ By using fewer devices and less cabling, the installation
space required in switchgear cabinets and, hence, plant
floor space, is reduced.
■ Standardized integration of the motor feeder in the automation system, thanks to the integrated PROFIBUS DP
interface.
■ Compliance with all relevant safety standards.
Required Components
Hardware components
Component | Type | Order Nr. / Order Information | Quantity | Manufacturer
EMERGENCY STOP | 2NC 40-mm mushroom pushbutton with yellow top, without protective collar | 3SB3 801-0EG3 | 1 | Siemens AG
Start button | Empty enclosure, one command station | 3SB3 801-0AA3 | 1 |
 | 1NO contact block for base mounting | 3SB3 420-OB | 1 |
 | Black pushbutton with flat button, 22-mm nominal diameter | 3SB3 000-0AA11 | 1 |
Safety switching device | 3TK2823 | 3TK2823-2CB30 | 1 |
Contactor K1 / K2 | Contactor, AC-3, 3 KW/400 V, 1NC, DC 24 V, 3-pole, size S00, screw terminal | 3RT1015-1BB42 | 2 |
Circuit breaker for motor protection | Release 0.35 ... 0.5 A | 3RV1011-0FA1 | 1 |
SIMOCODE pro | SIMOCODE pro C, Basic unit 1 | 3UF7 000-1AB00-0 | 1 |
 | Current measurement module 0.3 ... 3 A | 3UF7 100-1AA00-0 | 1 |
 | Operator panel | 3UF7 200-1AA00-0 | 1 |
 | 0.1-m connection cable | 3UF7 931-0AA00-0 | 1 |
 | 0.5-m connection cable | 3UF7 932-0AA00-0 | 1 |
SIMATIC S7 | PS307 5A power supply | 6ES7307-1EA00-0AA0 | 1 |
 | SIMATIC S7-300, CPU 315-2DP | 6ES7315-2AG10-0AB0 | 1 |
 | MMC 512 kB Micro Memory Card | 6ES7953-8LJ10-0AA0 | 1 |
Note
Functionality has been tested with the hardware listed. Similar products not found in this list can also be used. If this is the case, remember that it could be necessary to modify the example code (e.g. other addresses) and/or the hardware wiring (e.g. a different connection assignment).
Note
This Functional Example has been carried out and tested with SIMOCODE pro C. It can, of course, be carried out with SIMOCODE pro V.
Configuration software/tools
Component | Type | Order Nr. / Order Information | Quantity | Manufacturer
SIMATIC STEP 7 | V5.3 + SP3 | 6ES7 810-4CC07-0YA5 | 1 | Siemens AG
SIMOCODE ES Professional 2004 | V1.0 + SP1 + HF2 | 3ZS1 312-2CC10-0YA0 | 1 |
SIMOCODE ES Graphic 2005 | V1.0 | 3ZS1 312-3CC10-0YA0 | 1 |
Assembly and Wiring
Overview of Hardware Assembly
[Figure: overview of hardware assembly, showing the PLC/control station, PROFIBUS DP, SIMOCODE pro with operator panel, the 3TK2823 safety switching device, EMERGENCY STOP, Start, and contactors K1 and K2]
Wiring of Hardware Components
[Wiring diagram: SIMOCODE pro C/V basic unit with current measurement module and operator panel, PROFIBUS DP connection, 3TK28 safety switching device, EMERGENCY STOP pushbutton, EMERGENCY STOP acknowledgement button, "EMERGENCY STOP acknowledged" signal, contactors and motor]
Important Hardware Component Settings
CPU 315-2DP settings
An overview of important STEP 7 hardware configuration settings follows. These settings can also be found in the STEP 7
project supplied.
The CPU 315-2DP settings can be adopted.
Overview illustration
SIMOCODE pro C settings in HW config
To have SIMOCODE available as DP slave in the HW configurator of the SIMATIC manager, the corresponding GSD file must be installed. The necessary GSD files can be downloaded via the following link:
http://support.automation.siemens.com/WW/view/de/113630
The following GSD files are available for SIMOCODE pro C:
■ SI0180FD.GSG (German)
■ SI0180FD.GSE (English)
The following GSD files are available for SIMOCODE pro V:
■ SI1180FD.GSG (German)
■ SI1180FD.GSE (English)
To install the GSD file, start STEP 7 and select the Extras >
Install new GSD file menu command in HW Config.
Select the GSD file to be installed in the following dialog and
confirm with OK.
Note
Screenshot
SIMOCODE is inserted into the system as a standard slave via the GSD
file. The field device is found in the PROFIBUS DP directory under
Further field devices > Switching devices > SIMOCODE >
SIMOCODE pro, and inserted in PROFIBUS.
The properties can be accessed via a double click on slot 1 in
SIMOCODE. The input and output address is changed here to 16 (for
example).
The PROFIBUS address is set to 5.
The menu for setting the PROFIBUS address can be accessed via
Properties - DP slave via double click on the PROFIBUS button.
Parameterizing SIMOCODE pro C in SIMOCODE ES
Parameterization of SIMOCODE with SIMOCODE ES Professional is illustrated in the following.
Application selection
Note
Screenshot
The direct starter is selected in the application selection menu.
Device configuration
Note
Screenshot
SIMOCODE pro C is selected in the device configuration.
Parameter settings
Note
Screenshot
Parameterization control stations
Deselect the marked defaults of the control station.
Parameterization mode selector
The PROFIBUS DP address is set to 5.
Example Code
Preliminary remark
Enclosed you will find the SIMOCODE pro and STEP 7 Project
example codes with which you can reconstruct the functionality described here.
The example code is always assigned to the components used
in the Function Examples and functions as necessary. Any further problems to be solved must be dealt with individually by
the user. However, the example code can serve as a basis.
Downloading the STEP 7 Project
To access the corresponding project file, open the proffered
"CD-FE-I-037-V10-proC.zip" file and extract this into any directory.
To download the S7 Project in the CPU you must have a connection between the MPI interface of your PG/PC and the MPI
interface of the CPU.
Please proceed as follows:
■ First load the hardware configuration in the S7 CPU
■ Change to SIMATIC Manager
■ Activate the Module folder
■ Click the Load button
The assignment of the cyclical control and signal data that has been exchanged between the DP Master and SIMOCODE once in each DP mode is listed in the following table. The control data is sent to SIMOCODE from the DP Master. SIMOCODE answers by sending the signal data to the master module. The CPU 315-2DP is the master in this example. In the PLC program, access to the cyclical data is via the inputs (signal data) and the outputs (control data).
Table of controls at the PLC interface
Cyclical control data
Bit 0.0 | Not assigned
Bit 0.1 | OFF
Bit 0.2 | ON
Bit 0.3 | Not assigned
Bit 0.4 | Not assigned
Bit 0.5 | REMOTE operating mode
Bit 0.6 | Not assigned
Bit 0.7 | Not assigned
Table of signals at the PLC interface
Cyclical signal data
Bit 0.0 | Not assigned
Bit 0.1 | OFF
Bit 0.2 | ON
Bit 0.3 | Pre-warning Overload
Bit 0.4 | Not assigned
Bit 0.5 | REMOTE operating mode
Bit 0.6 | General Fault
Bit 0.7 | General Warning
Bit 1.0 | EMERGENCY STOP
Bit 1.1 | Not assigned
Bit 1.2 | Not assigned
Bit 1.3 | Not assigned
Bit 1.4 | Not assigned
Bit 1.5 | Not assigned
Bit 1.6 | Not assigned
Bit 1.7 | Not assigned
Note
The program code for creating the control commands
to switch the direct starter on and off must be individually created by the user.
The program code for further processing the
"EMERGENCY STOP" signal in the PLC must be individually created by the user.
The "EMERGENCY STOP" signal is not safety oriented.
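How the cyclic data above can be handled on the PLC side, modelled in Python as an added example (it is not the STEP 7 project supplied with this Functional Example). Bit positions come from the two tables; the bit 1.0 polarity (1 = released and acknowledged, 0 = activated) follows the IN4 description. The sample cycles, the held ON/OFF command style and the plausibility checks are assumptions. Because the signal is not safety oriented, it is used only to withhold the ON command; switching off is done by the 3TK2823.

```python
"""Decode SIMOCODE cyclic signal data and gate the ON command (added example)."""

# (byte, bit) positions from the page's "Cyclical signal data" table.
SIGNAL_BITS = {
    "off": (0, 1),
    "on": (0, 2),
    "prewarning_overload": (0, 3),
    "remote": (0, 5),
    "general_fault": (0, 6),
    "general_warning": (0, 7),
    "estop_signal": (1, 0),   # 1 = released and acknowledged, 0 = activated
}

# Bit positions in control byte 0 from the "Cyclical control data" table.
CONTROL_OFF, CONTROL_ON, CONTROL_REMOTE = 1, 2, 5


def decode_signal(data: bytes) -> dict:
    """Turn the first two signal bytes into named booleans."""
    if len(data) < 2:
        raise ValueError("need at least signal bytes 0 and 1")
    return {name: bool((data[byte] >> bit) & 1)
            for name, (byte, bit) in SIGNAL_BITS.items()}


def encode_control(on: bool, off: bool, remote: bool) -> int:
    """Build control byte 0; unassigned bits stay 0."""
    return (on << CONTROL_ON) | (off << CONTROL_OFF) | (remote << CONTROL_REMOTE)


def plausibility(sig: dict) -> list:
    """Added checks for signal combinations the page's description rules out."""
    findings = []
    if sig["on"] and sig["off"]:
        findings.append("ON and OFF reported together")
    if sig["on"] and not sig["estop_signal"]:
        findings.append("ON reported while EMERGENCY STOP signal is 0")
    return findings


def next_control(sig: dict, want_on: bool) -> int:
    """Release the ON command only while the EMERGENCY STOP signal is 1."""
    on = want_on and sig["estop_signal"]
    return encode_control(on=on, off=not on, remote=True)


def run_cycles(cycles):
    """cycles: iterable of (signal_bytes, want_on). Returns (control, findings)."""
    results = []
    for data, want_on in cycles:
        sig = decode_signal(data)
        results.append((next_control(sig, want_on), plausibility(sig)))
    return results


# Constructed sample cycles (signal bytes 0 and 1, operator wants motor on).
CONSTRUCTED_CYCLES = [
    (bytes([0x22, 0x01]), True),   # OFF, REMOTE, E-stop signal 1: ON released
    (bytes([0x24, 0x01]), True),   # ON, REMOTE, E-stop signal 1: keep ON
    (bytes([0x22, 0x00]), True),   # OFF, E-stop activated: ON withheld
    (bytes([0x24, 0x00]), True),   # ON reported with E-stop activated: flagged
]

if __name__ == "__main__":
    for (data, _), (control, findings) in zip(CONSTRUCTED_CYCLES,
                                              run_cycles(CONSTRUCTED_CYCLES)):
        print(data.hex(), f"-> control byte 0 = 0x{control:02X}", findings)
```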
Downloading the SIMOCODE pro project
To access the corresponding project file, copy the proffered
file "CD-FE-I-037-V10-Direkt-NH-Kat4.sdp" into any directory.
Open the project via the Switching devices > Open menu.
You can choose between a PROFIBUS DP or an RS232 connection to download the SIMOCODE pro project into the control
unit.
The following window will open when you activate the Load
in switching device button:
Select the desired interface and confirm with OK.
A PROFIBUS cable is required for the download via
PROFIBUS DP. For downloading via RS232, a PC cable with the
order number 3UF7 940-0AA00-0 is required.
[Figure on page 138: SIMOCODE pro C parameterization]
The displayed link is parameterized in the SIMOCODE ES Professional software graphic editor to activate the EMERGENCY
STOP function.
A truth table is switched between the "OFF" socket of the control station and the "OFF" plug of the "protecting/controlling"
function. The "EMERGENCY STOP" signal from BU input 4 is assigned to the "E3" plug of the truth table. The truth table wiring is illustrated as follows.
The "Cyclic Send 1" function is used to signal the EMERGENCY
STOP to the higher-level PLC. In this case, the "EMERGENCY
STOP" signal from the BU input is assigned to Bit 0. The yellow
3 LED is used to visually indicate the EMERGENCY STOP on the
operator panel (see the figure on page 138).
SIMOCODE issues a warning via the External Fault 1 function
whenever the EMERGENCY STOP is activated.
Function Test
After the hardware components have been wired and the S7
and SIMOCODE pro projects have been downloaded, the assigned inputs and outputs can be checked for functionality.
Assigned inputs and outputs
No.
HW component
Terminal
Symbol
Signal (default
value)
Note
Device
1
EMERGENCY STOP input
IN4
EMERGENCY STOP
1
EMERGENCY STOP
activated at 0
SIMO
2
EMERGENCY STOP pushbutton contact 1
Y11 - Y12
1
3TK2823
3
EMERGENCY STOP pushbutton contact 2
Y21 - Y22
1
3TK2823
4
Acknowledge EMERGENCY
STOP button
Y33 - Y34
0
3TK2823
5
Contactor K1
14
K1
6
Operational switching
OUT3
Output 3
7
ON button OP buttons
ON
OP
8
OFF button OP buttons
OFF
OP
3TK2823
0
Start 3TK28 at 1
SIMO
Testing inputs and outputs
No. | Action | Reaction | Note
1 | Ensure that the EMERGENCY STOP pushbutton is released | If the EMERGENCY STOP has been activated, the 3TK28 must be acknowledged. | The contacts K1 and K2 are closed.
2 | Press the Acknowledge EMERGENCY STOP button. | Contactor K1 responds and there is voltage on contact 24 of the 3TK28. | 3TK28 is acknowledged and the load can be started via SIMOCODE
3 | Press the ON button on the SIMOCODE operator panel | Output OUT3 switches voltage to contactor K2, this responds | The motor runs
4 | Press the EMERGENCY STOP pushbutton. | Contactors K1 and K2 release, activation of the EMERGENCY STOP is signaled to SIMOCODE via contact 24 of the 3TK28. SIMOCODE switches output OUT3 to 0. | The load is stopped safely. SIMOCODE has activated the EMERGENCY STOP, no fault is signaled.
5 | Release the EMERGENCY STOP pushbutton. | Contacts K1 and K2 are closed |
6 | Press the Acknowledge EMERGENCY STOP button. | Contactor K1 responds and there is voltage on contact 24 of the 3TK28. | 3TK28 is acknowledged and the load can be started via SIMOCODE
SIMOCODE pro reversing starters with safety technology
Ex. No.
5.2
Emergency stop monitoring with monitored start
Category 4 according to EN 954-1
Function
Description of the Functionality
Flow Diagram
Persons near machines (e.g. in production engineering)
must be suitably protected by technical equipment. The
EMERGENCY STOP control unit is a widely used component for
protecting persons, machines and the environment against
danger.
The following flow diagram illustrates functional interrelationships (for reasons of clarity, operational stopping has not been
included)
SIMOCODE pro is a flexible, modular motor management
system for low-voltage motors with constant speeds. It optimizes the connection between I&C and the motor feeder,
increases plant availability while helping to cut planning and
commissioning costs during plant operation and maintenance. Integrated in the low-voltage switchgear, SIMOCODE
pro is the intelligent connection between the higher-level
automation system and the motor feeder.
In this Safety Functional Example, the EMERGENCY STOP
control unit with positive opening contacts is monitored by
a SIRIUS 3TK2823 safety switching device as per category 4
according to EN 954-1. If the EMERGENCY STOP is activated,
the 3TK2823 safety switching device switches off its
corresponding drive as per Stop Category 0 according to
EN 60204-1.
Activation of the EMERGENCY STOP is signaled to the
SIMOCODE pro via the IN4 input. This signal is used to activate
the switching state in SIMOCODE when the EMERGENCY STOP
is activated. If this contact reports "zero", SIMOCODE issues
the OFF command. After the EMERGENCY STOP has been released and the safety switching device has been acknowledged, the signal at the IN4 input is active and the drive can
be restarted.
A yellow LED on the operator panel will light up if the
3TK2823 trips. The operator can start the drive again as soon
as the LED turns off.
[Flow diagram: after the operating voltage is switched on, the EMERGENCY STOP pushbutton must be released and acknowledged (K1 is activated); the EMERGENCY STOP signal to SIMOCODE pro changes to 1 and SIMOCODE pro is ready for switch-on. On a start command SIMOCODE pro starts the motor (K2 or K3 is activated) and the drive is running. If the EMERGENCY STOP pushbutton is pressed, the 3TK2823 switches off K1, K2 and K3 (Stop category 0), the drive stops and is disconnected from the network, the EMERGENCY STOP signal to SIMOCODE pro changes to 0, SIMOCODE pro activates the switch-off command, signals EMERGENCY STOP on the operator panel and sends the message via cyclic signal data.]
The same signal is sent to the higher-level PLC via the Cyclic Send 1 function, and can be used here to release the switch-on function in the remote operating mode.
This example takes the safety function into particular consideration. Operational switching of the motor feeder is via a
standard PLC and is not taken into further consideration here.
Note
Equipment, functional aspects and design guidelines
for EMERGENCY STOP control units can be found in
EN 418 (ISO 73850).
Functional Example No. CD-FE-I-039-V10-EN
Advantages/Customer Benefits
■ The combination of SIMOCODE pro and 3TK28 safety
switching device provides the customer with a flexible,
modular motor management system and safe switching-off of the device.
■ All 3TK28 signal statuses can be sent on to the higher-level
PLC via PROFIBUS.
■ Comprehensive motor feeder protection thanks to
SIMOCODE's combination of various, multi-level protection
and monitoring functions.
■ No further auxiliary contacts are required for the contactors, the safety switching device and the EMERGENCY STOP
pushbutton.
■ All necessary control logic functions are already available
as active logic modules in SIMOCODE.
■ By using fewer devices and less cabling, the installation
space required in switchgear cabinets and, hence, plant
floor space, is reduced.
■ Standardized integration of the motor feeder in the automation system, thanks to the integrated PROFIBUS DP
interface.
■ Compliance with all relevant safety standards.
Required Components
Hardware components
Component | Type | Order Nr. / Order Information | Quantity | Manufacturer
EMERGENCY STOP | 2NC 40-mm mushroom pushbutton with yellow top, without protective collar | 3SB3 801-0EG3 | 1 | Siemens AG
Start button | Empty enclosure, one command station | 3SB3 801-0AA3 | 1 |
 | 1NO contact block for base mounting | 3SB3 420-OB | 1 |
 | Black pushbutton with flat button, 22-mm nominal diameter | 3SB3 000-0AA11 | 1 |
Safety switching device | 3TK2823 | 3TK2823-2CB30 | 1 |
Contactor K1 / K2 / K3 | Contactor, AC-3, 3 KW/400 V, 1NC, DC 24 V, 3-pole, size S00, screw terminal | 3RT1015-1BB42 | 3 |
Circuit breaker for motor protection | Release 0.35 ... 0.5 A | 3RV1011-0FA1 | 1 |
SIMOCODE pro | SIMOCODE pro C, Basic unit 1 | 3UF7 000-1AB00-0 | 1 |
 | Current measurement module 0.3 ... 3 A | 3UF7 100-1AA00-0 | 1 |
 | Operator panel | 3UF7 200-1AA00-0 | 1 |
 | 0.1-m connection cable | 3UF7 931-0AA00-0 | 1 |
 | 0.5-m connection cable | 3UF7 932-0AA00-0 | 1 |
SIMATIC S7 | PS307 5A power supply | 6ES7307-1EA00-0AA0 | 1 |
 | SIMATIC S7-300, CPU 315-2DP | 6ES7315-2AG10-0AB0 | 1 |
 | MMC 512 kB Micro Memory Card | 6ES7953-8LJ10-0AA0 | 1 |
Note
Functionality has been tested with the hardware listed. Similar products not found in this list can also be used. If this is the case, remember that it could be necessary to modify the example code (e.g. other addresses) and/or the hardware wiring (e.g. a different connection assignment).
Note
This Functional Example has been carried out and tested with SIMOCODE pro C. It can, of course, be carried out with SIMOCODE pro V.
Configuration software/tools
Component | Type | Order Nr. / Order Information | Quantity | Manufacturer
SIMATIC STEP 7 | V5.3 + SP3 | 6ES7 810-4CC07-0YA5 | 1 | Siemens AG
SIMOCODE ES Professional 2004 | V1.0 + SP1 + HF2 | 3ZS1 312-2CC10-0YA0 | 1 |
SIMOCODE ES Graphic 2005 | V1.0 | 3ZS1 312-3CC10-0YA0 | 1 |
Assembly and Wiring
Overview of Hardware Assembly
[Figure: overview of hardware assembly, showing the supply L1, L2, L3, the PLC / control station, PROFIBUS DP, SIMOCODE pro with operator panel, the 3TK2823 safety switching device, EMERGENCY STOP, Start, and contactors K1, K2 and K3]
Wiring of Hardware Components
[Wiring diagram: SIMOCODE pro C/V basic unit with current measurement module and operator panel, PROFIBUS DP connection, 3TK28 safety switching device, EMERGENCY STOP pushbutton, Acknowledge EMERGENCY STOP button, "EMERGENCY STOP acknowledged" signal, mains contactor left, mains contactor right and motor]
Important Hardware Component Settings
CPU 315-2DP settings
An overview of important STEP 7 hardware configuration settings follows. These settings can also be found in the STEP 7
project supplied.
The CPU 315-2DP settings can be adopted.
Overview illustration
SIMOCODE pro C settings in HW config
To have SIMOCODE available as DP slave in the HW configurator of the SIMATIC manager, the corresponding GSD file must
be installed. The necessary GSD files can be downloaded via
the following link:
http://support.automation.siemens.com/WW/view/de/113630
The following GSD files are available for SIMOCODE pro C:
■ SI0180FD.GSG (German)
■ SI0180FD.GSE (English)
The following GSD files are available for SIMOCODE pro V:
■ SI1180FD.GSG (German)
■ SI1180FD.GSE (English)
To install the GSD file, start STEP 7 and select the Extras > Install new GSD file menu command in HW Config.
Select the GSD file to be installed in the following dialog and
confirm with OK.
Note
SIMOCODE is inserted into the system as a standard slave via the GSD
file. The field device is found in the PROFIBUS DP directory under
Further field devices > Switching devices > SIMOCODE >
SIMOCODE pro, and inserted in PROFIBUS.
The properties can be accessed via a double click on slot 1 in
SIMOCODE. The input and output address is changed here to 16 (for
example).
The PROFIBUS address is set to 5.
The menu for setting the PROFIBUS address can be accessed via
PROFIBUS - DP slave via double click on the PROFIBUS button.
Parameterizing SIMOCODE pro C in SIMOCODE ES
Parameterization of SIMOCODE with SIMOCODE ES Professional is illustrated in the following.
Application selection
Note
The reversing starter is selected in the application selection menu.
Device configuration
Note
SIMOCODE pro C is selected in the device configuration.
Parameter settings
Note
Parameterization control stations
Deselect the marked defaults of the control station.
Parameterization mode selector
The PROFIBUS DP address is set to 5.
Example Code
Preliminary remark
Enclosed you will find the SIMOCODE pro and STEP 7 Project
example codes with which you can reconstruct the functionality described here.
The example code is always assigned to the components used
in the Functional Examples and implements the required functions. Any further problems to be solved must be dealt with individually by
the user. However, the example code can serve as a basis.
Downloading the STEP 7 Project
To access the corresponding project file, open the supplied
"CD-FE-I-039-V10-proC.zip" file and extract it into any directory.
To download the S7 Project to the CPU, you need a connection between the MPI interface of your PG/PC and the MPI
interface of the CPU.
Please proceed as follows:
■ First load the hardware configuration in the S7 CPU
■ Change to SIMATIC Manager
■ Activate the Module folder
■ Click the Load button
The assignment of the cyclical control and signal data that is exchanged between the DP Master and SIMOCODE once
in each DP cycle is listed in the following tables. The control
data is sent to SIMOCODE from the DP Master. SIMOCODE answers by sending the signal data to the master module. The
CPU 315-2DP is the master in this example. In the PLC program, access to the cyclical data is via the inputs (signal data)
and the outputs (control data).
Table of controls at the PLC interface
Cyclical control data
| Bit 0.0 | ON< |
| Bit 0.1 | OFF |
| Bit 0.2 | ON> |
| Bit 0.3 | Not assigned |
| Bit 0.4 | Not assigned |
| Bit 0.5 | Mode Selector S1 |
| Bit 0.6 | Not assigned |
| Bit 0.7 | Not assigned |
Table of signals at the PLC interface
Cyclical signal data
| Bit 0.0 | ON< |
| Bit 0.1 | OFF |
| Bit 0.2 | ON> |
| Bit 0.3 | Pre-warning Overload |
| Bit 0.4 | Interlocking time active |
| Bit 0.5 | REMOTE operating mode |
| Bit 0.6 | General Fault |
| Bit 0.7 | General Warning |
| Bit 1.0 | EMERGENCY STOP |
| Bit 1.1 | Actuator failure |
| Bit 1.2 | Not assigned |
| Bit 1.3 | Not assigned |
| Bit 1.4 | Not assigned |
| Bit 1.5 | Not assigned |
| Bit 1.6 | Not assigned |
| Bit 1.7 | Not assigned |
Note
The program code for creating the control commands
to switch the direct starter on and off must be individually created by the user.
The program code for further processing the
"EMERGENCY STOP" signal in the PLC must be individually created by the user.
The "EMERGENCY STOP" signal is not safety oriented.
Downloading the SIMOCODE pro project
To access the corresponding project file, copy the proffered
file "CD-FE-I-039-V10-Direkt-NH-Kat4.sdp" into any directory.
Open the project via the Switching devices > Open menu.
You can choose between a PROFIBUS DP or an RS232 connection to download the SIMOCODE pro project into the control
unit.
The following window will open when you activate the Load
in switching device button:
Select the desired interface and confirm with OK.
A PROFIBUS cable is required for the download via
PROFIBUS DP. For downloading via RS232, a PC cable with the
order number 3UF7 940-0AA00-0 is required.
SIMOCODE pro C parameterization
The interconnection shown is parameterized in the graphic editor of the SIMOCODE ES Professional software to activate the EMERGENCY
STOP function.
A truth table is connected between the "OFF" socket of the control station and the "OFF" plug of the "protecting/controlling"
function. The "EMERGENCY STOP" signal from BU input 4 is assigned to the "E3" plug of the truth table. The truth table wiring is illustrated as follows.
The "Cyclic Send 1" function is used to signal the EMERGENCY
STOP to the higher-level PLC. In this case, the EMERGENCY
STOP signal from the BU input is assigned to Bit 0. The yellow
3 LED is used to visually indicate the EMERGENCY STOP on the
operator panel (see the figure on page 152).
SIMOCODE issues a warning via the External Fault 1 function
whenever the EMERGENCY STOP is activated.
Function Test
After the hardware components have been wired and the S7
and SIMOCODE pro projects have been downloaded, the assigned inputs and outputs can be checked for functionality.
Assigned inputs and outputs
No.
HW component
Terminal
Symbol
Signal (default
value)
Note
Device
1
EMERGENCY STOP input
IN4
EMERGENCY STOP
1
EMERGENCY STOP
activated at 0
SIMO
2
EMERGENCY STOP pushbutton contact 1
Y11 - Y12
1
3TK2823
3
EMERGENCY STOP pushbutton contact 2
Y21 - Y22
1
3TK2823
4
Acknowledge EMERGENCY
STOP button
Y33 - Y34
0
3TK2823
5
Contactor K1
14
K1
6
Operational switching right
OUT1
Output 1
0
Start 3TK28 at 1
SIMO
7
Operational switching left
OUT2
Output 2
0
Start 3TK28 at 1
SIMO
8
ON> button OP buttons
ON>
OP
9
OFF button OP buttons
OFF
OP
10
ON< button OP buttons
ON<
OP
3TK2823
Testing inputs and outputs
| No. | Action | Reaction | Note |
| 1 | Ensure that the EMERGENCY STOP pushbutton is released | If the EMERGENCY STOP has been activated, the 3TK28 must be acknowledged. The contacts K1, K2 and K3 are closed. | |
| 2 | Press the Acknowledge EMERGENCY STOP button. | Contactor K1 responds and there is a voltage on contact 24 of the 3TK28 | 3TK28 is acknowledged and the load can be started via SIMOCODE |
| 3 | Press the ON> or ON< button on the SIMOCODE operator panel | Output OUT2 switches voltage to contactor K2 or output OUT1 switches voltage to contactor K3. The contactors respond accordingly. | The motor runs |
| 4 | Press the EMERGENCY STOP pushbutton. | Contactors K1, K2 and K3 release, activation of the EMERGENCY STOP is signaled to SIMOCODE via contact 24 of the 3TK28. SIMOCODE switches outputs OUT1 and OUT2 to 0 | The load is stopped safely. SIMOCODE has activated the EMERGENCY STOP, no fault is signaled. |
| 5 | Release the EMERGENCY STOP pushbutton. | The contacts K1, K2 and K3 are closed | |
| 6 | Press the Acknowledge EMERGENCY STOP button. | Contactor K1 responds and there is a voltage on contact 24 of the 3TK28 | 3TK28 is acknowledged and the load can be started via SIMOCODE |
SIMOCODE pro star-delta starters with safety technology Ex. No.
5.3
Emergency stop monitoring with monitored start
Category 4 according to EN 954-1
Function
Description of the Functionality
Persons near machines (e.g. in production engineering) must be suitably protected by technical equipment. The EMERGENCY STOP control unit is a widely used component for protecting persons, machines and the environment against danger.
SIMOCODE pro is a flexible, modular motor management system for low-voltage motors with constant speeds. It optimizes the connection between I&C and the motor feeder, increases plant availability while helping to cut planning and commissioning costs during plant operation and maintenance. Integrated in the low-voltage switchgear, SIMOCODE pro is the intelligent connection between the higher-level automation system and the motor feeder.
In this Safety Functional Example, the EMERGENCY STOP control unit with positive opening contacts is monitored by a SIRIUS 3TK2823 safety switching device as per category 4 according to EN 954-1. If the EMERGENCY STOP is activated, the 3TK2823 safety switching device switches off its corresponding drive as per Stop Category 0 according to EN 60204-1.
Activation of the EMERGENCY STOP is signaled to the SIMOCODE pro via the IN4 input. This signal is used to activate the switching state in SIMOCODE when the EMERGENCY STOP is activated. If this contact reports "zero", SIMOCODE issues the OFF command. After the EMERGENCY STOP has been released and the safety switching device has been acknowledged, the signal at the IN4 input is active and the drive can be restarted.
A yellow LED on the operator panel will light up if the 3TK2823 trips. The operator can start the drive again as soon as the LED turns off.
The same signal is sent to the higher-level PLC via the Cyclic Send 1 function, and can be used here to release the switch-on function in the remote operating mode.
This example takes the safety function into particular consideration. Operational switching of the motor feeder is via a standard PLC and is not taken into further consideration here.
Flow Diagram
The following flow diagram illustrates functional interrelationships (for reasons of clarity, operational stopping has not been included).
[Flow diagram. Recoverable box texts, in extraction order (the connections between the boxes are not recoverable): Start; Operating voltage switched on? (yes/no); Has the EMERGENCY STOP pushbutton been released? (yes/no); acknowledged? (yes/no); Is the motor running? (yes/no); Has the EMERGENCY STOP pushbutton been pressed? (yes/no); 3TK2823 switches off K1, K2 and K4; EMERGENCY STOP is acknowledged, K1 is activated; Drive stops and is disconnected from the network, Stop category 0; EMERGENCY STOP signal to SIMOCODE pro changes to 1, SIMOCODE pro is ready for switch-on; EMERGENCY STOP signal to SIMOCODE pro changes to 0, SIMOCODE pro activates the switch-off command; Start command? (yes/no); SIMOCODE pro signals EMERGENCY STOP on the operator panel and sends the message via cycl. signal data; SIMOCODE pro starts the motor, K2 and K3/K4 are activated; Drive is running.]
Note
Equipment, functional aspects and design guidelines
for EMERGENCY STOP control units can be found in
EN 418 (ISO 73850).
Functional Example No. CD-FE-I-042-V10-EN
155
Ex. No.
5.3
Advantages/Customer Benefits
■ The combination of SIMOCODE pro and 3TK28 safety
switching device provides the customer with a flexible,
modular motor management system and safe switching-off of the device.
■ All 3TK28 signal statuses can be sent on to the higher-level
PLC via PROFIBUS.
■ Comprehensive motor feeder protection thanks to
SIMOCODE's combination of various, multi-level protection
and monitoring functions.
■ No further auxiliary contacts are required for the contactors, the safety switching device and the EMERGENCY STOP
pushbutton.
■ All necessary control logic functions are already available
as active logic modules in SIMOCODE.
■ By using fewer devices and less cabling, the installation
space required in switchgear cabinets and, hence, plant
floor space, is reduced.
■ Standardized integration of the motor feeder in the automation system, thanks to the integrated PROFIBUS DP
interface.
■ Compliance with all relevant safety standards.
Required Components
Hardware components
Component
Type
Order Nr. / Order Information
Quantity
Manufacturer
EMERGENCY STOP
2NC 40-mm mushroom pushbutton with yellow top, without protective collar
3SB3 801-0EG3
1
Siemens AG
Start button
Empty enclosure, one command station
3SB3 801-0AA3
1
1NO contact block for base mounting
3SB3 420-OB
1
Black pushbutton with flat button,
22-mm nominal diameter
3SB3 000-0AA11
1
Safety switching
device
3TK2823
3TK2823-2CB30
1
Contactor K1 / K2 /K3
Contactor, AC-3, 3 KW/400 V, 1NC, DC 24 V,
3-pole, size S00
Screw terminal
3RT1015-1BB42
3
Circuit breaker for
motor protection
Release 0.35 ... 0.5 A
3RV1011-0FA1
1
SIMOCODE pro
SIMOCODE pro V
Basic unit 2
3UF7 010-1AB00-0
1
Current measurement module
0.3 ... 3 A
3UF7 100-1AA00-0
1
Operator panel
3UF7 200-1AA00-0
1
0.1-m connection cable
3UF7 931-0AA00-0
1
0.5-m connection cable
3UF7 932-0AA00-0
1
PS307 5A
power supply
6ES7307-1EA00-0AA0
1
SIMATIC S7-300,
CPU 315-2DP
6ES7315-2AG10-0AB0
1
MMC 512 kB
Micro Memory Card
6ES7953-8LJ10-0AA0
1
SIMATIC S7
Note
Functionality has been tested with the hardware
listed. Similar products not found in this list can also
be used. If this is the case, remember that it could be
necessary to modify the example code (e.g. other addresses) and/or the hardware wiring (e.g. a different
connection assignment).
Configuration software/tools
| Component | Type | Order Nr. / Order Information | Quantity | Manufacturer |
| SIMATIC STEP 7 | V5.3 + SP3 | 6ES7 810-4CC07-0YA5 | 1 | Siemens AG |
| SIMOCODE ES Professional 2004 | V1.0 + SP1 + HF2 | 3ZS1 312-2CC10-0YA0 | 1 | Siemens AG |
| SIMOCODE ES Graphic 2005 | V1.0 | 3ZS1 312-3CC10-0YA0 | 1 | Siemens AG |
Assembly and Wiring
Overview of Hardware Assembly
[Figure: overview of the hardware assembly. Labels: supply L1, L2, L3; PLC / control station; PROFIBUS DP; SIMOCODE pro with operator panel; EMERGENCY STOP and Start buttons; safety switching device 3TK2823; contactors K1, K2, K3 and K4.]
Wiring of Hardware Components
[Figure: wiring diagram of the hardware components. Recoverable labels: safety switching device 3TK2823; SIMOCODE pro V basic unit with current measurement module and operator panel; PROFIBUS DP; EMERGENCY STOP pushbutton; Acknowledge EMERGENCY STOP button; "EMERGENCY STOP acknowledged" signal; mains contactor; star contactor; delta contactor; motor M.]
Important Hardware Component Settings
CPU 315-2DP settings
An overview of important STEP 7 hardware configuration settings follows. These settings can also be found in the STEP 7
project supplied.
The CPU 315-2DP settings can be adopted.
Overview illustration
SIMOCODE pro C settings in HW config
To have SIMOCODE available as DP slave in the HW configurator of the SIMATIC manager, the corresponding GSD file must
be installed. The necessary GSD files can be downloaded via
the following link:
http://support.automation.siemens.com/WW/view/de/113630
The following GSD files are available for SIMOCODE pro C:
■ SI0180FD.GSG (German)
■ SI0180FD.GSE (English)
The following GSD files are available for SIMOCODE pro V:
■ SI1180FD.GSG (German)
■ SI1180FD.GSE (English)
To install the GSD file, start STEP 7 and select the Extras >
Install new GSD file menu command in HW Config.
Select the GSD file to be installed in the following dialog and
confirm with OK.
Note
SIMOCODE is inserted into the system as a standard slave via the GSD
file. The field device is found in the PROFIBUS DP directory under
Further field devices > Switching devices > SIMOCODE >
SIMOCODE pro, and inserted in PROFIBUS.
The properties can be accessed via a double click on slot 1 in
SIMOCODE. The input and output address is changed here to 16 (for
example).
The PROFIBUS address is set to 5.
The menu for setting the PROFIBUS address can be accessed via
PROFIBUS - DP slave via double click on the PROFIBUS button.
Parameterizing SIMOCODE pro C in SIMOCODE ES
Parameterization of SIMOCODE with SIMOCODE ES Professional is illustrated in the following.
Application selection
Note
The reversing starter is selected in the application selection menu.
Device configuration
Note
SIMOCODE pro C is selected in the device configuration.
Parameter settings
Note
Parameterization control stations
Deselect the marked defaults of the control station.
Parameterization mode selector
The PROFIBUS DP address is set to 5.
Example Code
Preliminary remark
Enclosed you will find the SIMOCODE pro and STEP 7 Project
example codes with which you can reconstruct the functionality described here.
The example code is always assigned to the components used
in the Functional Examples and implements the required functions. Any further problems to be solved must be dealt with individually by
the user. However, the example code can serve as a basis.
Downloading the STEP 7 Project
To access the corresponding project file, open the supplied
"CD-FE-I-042-V10-proC.zip" file and extract it into any directory.
To download the S7 Project to the CPU, you need a connection between the MPI interface of your PG/PC and the MPI
interface of the CPU.
Please proceed as follows:
■ First load the hardware configuration in the S7 CPU
■ Change to SIMATIC Manager
■ Activate the Module folder
■ Click the Load button
The assignment of the cyclical control and signal data that is exchanged between the DP Master and SIMOCODE once
in each DP cycle is listed in the following tables. The control
data is sent to SIMOCODE from the DP Master. SIMOCODE answers by sending the signal data to the master module. The
CPU 315-2DP is the master in this example. In the PLC program, access to the cyclical data is via the inputs (signal data)
and the outputs (control data).
Table of controls at the PLC interface
Cyclical control data
| Bit 0.0 | Not assigned |
| Bit 0.1 | OFF |
| Bit 0.2 | ON |
| Bit 0.3 | Not assigned |
| Bit 0.4 | Not assigned |
| Bit 0.5 | Mode Selector S1 |
| Bit 0.6 | Not assigned |
| Bit 0.7 | Not assigned |
Table of signals at the PLC interface
Cyclical signal data
| Bit 0.0 | Not assigned |
| Bit 0.1 | OFF |
| Bit 0.2 | ON> |
| Bit 0.3 | Pre-warning Overload |
| Bit 0.4 | Change-Over Pause active |
| Bit 0.5 | REMOTE operating mode |
| Bit 0.6 | General Fault |
| Bit 0.7 | General Warning |
| Bit 1.0 | EMERGENCY STOP |
| Bit 1.1 | Not assigned |
| Bit 1.2 | Not assigned |
| Bit 1.3 | Not assigned |
| Bit 1.4 | Not assigned |
| Bit 1.5 | Not assigned |
| Bit 1.6 | Not assigned |
| Bit 1.7 | Not assigned |
Note
The program code for creating the control commands
to switch the direct starter on and off must be individually created by the user.
The program code for further processing the
"EMERGENCY STOP" signal in the PLC must be individually created by the user.
The "EMERGENCY STOP" signal is not safety oriented.
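The cyclical data tables of Ex. 5.2 and Ex. 5.3, worked through as an added example (not part of the Siemens project files): it decodes the two listed signal bytes, cross-checks them for implausible combinations, and gates a remote ON command on bit 1.0. Function names, the plausibility rules and the sample bytes are assumptions, as is the routing of IN4 unchanged to bit 1.0 (IN4 is 1 in normal operation and 0 when the EMERGENCY STOP is activated).

```python
# Added example, not part of the Siemens STEP 7 / SIMOCODE ES project files.
# Bit assignments are copied from the tables on this page; function names and
# the plausibility rules are assumptions made for illustration.

# (byte, bit) -> name: cyclical signal data, SIMOCODE -> DP master (PLC inputs)
SIGNALS = {
    "5.2": {(0, 0): "ON<", (0, 1): "OFF", (0, 2): "ON>",
            (0, 3): "Pre-warning Overload", (0, 4): "Interlocking time active",
            (0, 5): "REMOTE operating mode", (0, 6): "General Fault",
            (0, 7): "General Warning", (1, 0): "EMERGENCY STOP",
            (1, 1): "Actuator failure"},
    "5.3": {(0, 1): "OFF", (0, 2): "ON>", (0, 3): "Pre-warning Overload",
            (0, 4): "Change-Over Pause active", (0, 5): "REMOTE operating mode",
            (0, 6): "General Fault", (0, 7): "General Warning",
            (1, 0): "EMERGENCY STOP"},
}
# (byte, bit) -> name: cyclical control data, DP master -> SIMOCODE (PLC outputs)
CONTROLS = {
    "5.2": {(0, 0): "ON<", (0, 1): "OFF", (0, 2): "ON>", (0, 5): "Mode Selector S1"},
    "5.3": {(0, 1): "OFF", (0, 2): "ON", (0, 5): "Mode Selector S1"},
}
ESTOP_BIT = (1, 0)
ON_NAMES = {"ON<", "ON>", "ON"}


def _bit(data, pos):
    byte, bit = pos
    return bool((data[byte] >> bit) & 1)


def decode_signals(data, example):
    """Return (names of set bits, set bits the table lists as 'Not assigned')."""
    if len(data) < 2:
        raise ValueError("the signal tables cover bytes 0 and 1")
    layout = SIGNALS[example]
    active, unassigned = set(), []
    for byte in range(2):
        for bit in range(8):
            if not _bit(data, (byte, bit)):
                continue
            if (byte, bit) in layout:
                active.add(layout[(byte, bit)])
            else:
                unassigned.append(f"{byte}.{bit}")
    return active, unassigned


def estop_tripped(data):
    """Bit 1.0 mirrors IN4 (assumption: routed unchanged), so 0 means tripped."""
    return not _bit(data, ESTOP_BIT)


def plausibility_findings(data, example):
    """List combinations that should not occur with this parameterization."""
    active, unassigned = decode_signals(data, example)
    running = active & ON_NAMES
    findings = []
    if unassigned:
        findings.append("unassigned bits set: " + ", ".join(unassigned))
    if len(running) > 1:
        findings.append("both directions reported on")
    if running and "OFF" in active:
        findings.append("ON and OFF reported together")
    if running and estop_tripped(data):
        findings.append("motor reported on while EMERGENCY STOP input is 0")
    return findings


def start_permitted(data, example):
    """Operational release for a remote ON command. Not a safety function:
    the safe stop is performed in hardware by the 3TK2823."""
    active, _ = decode_signals(data, example)
    return (not estop_tripped(data)
            and "REMOTE operating mode" in active
            and "General Fault" not in active)


def encode_controls(commands, example):
    """Build control byte 0; refuse unknown or contradictory commands."""
    layout = {name: pos for pos, name in CONTROLS[example].items()}
    unknown = set(commands) - set(layout)
    if unknown:
        raise ValueError(f"not in the control table of Ex. {example}: {sorted(unknown)}")
    on_cmds = set(commands) & ON_NAMES
    if len(on_cmds) > 1 or (on_cmds and "OFF" in commands):
        raise ValueError("contradictory ON/OFF commands")
    value = 0
    for name in commands:
        value |= 1 << layout[name][1]
    return bytes([value])


if __name__ == "__main__":
    # Constructed input images (signal bytes 0 and 1), not captured from a plant.
    for example, image in [("5.2", bytes([0x22, 0x01])), ("5.2", bytes([0x24, 0x00])),
                           ("5.2", bytes([0x05, 0x01])), ("5.3", bytes([0x23, 0x01]))]:
        print(example, image.hex(), sorted(decode_signals(image, example)[0]),
              plausibility_findings(image, example), start_permitted(image, example))
```

Because bit 1.0 is active-low under this assumption, a set "EMERGENCY STOP" bit in the decoded set means the chain is released and acknowledged, not that the stop is active.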
Downloading the SIMOCODE pro project
To access the corresponding project file, copy the proffered
file "CD-FE-I-042-SternDrei-NH-Kat4.sdp" into any directory.
Open the project via the Switching devices > Open menu.
You can choose between a PROFIBUS DP or an RS232 connection to download the SIMOCODE pro project into the control
unit.
The following window will open when you activate the Load
in switching device button:
Select the desired interface and confirm with OK.
A PROFIBUS cable is required for the download via
PROFIBUS DP. For downloading via RS232, a PC cable with the
order number 3UF7 940-0AA00-0 is required.
SIMOCODE pro C parameterization
The interconnection shown is parameterized in the graphic editor of the SIMOCODE ES Professional software to activate the EMERGENCY
STOP function.
A truth table is connected between the "OFF" socket of the control station and the "OFF" plug of the "protecting/controlling"
function. The "EMERGENCY STOP" signal from BU input 4 is assigned to the "E3" plug of the truth table.
The truth table wiring is illustrated as follows.
The "Cyclic Send 1" function is used to signal the EMERGENCY
STOP to the higher-level PLC. In this case, the EMERGENCY
STOP signal from the BU input is assigned to Bit 0. The yellow
3 LED is used to visually indicate the EMERGENCY STOP on the
operator panel (see the figure on page 166).
SIMOCODE issues a warning via the External Fault 1 function
whenever the EMERGENCY STOP is activated.
Function Test
After the hardware components have been wired and the S7
and SIMOCODE pro projects have been downloaded, the assigned inputs and outputs can be checked for functionality.
Assigned inputs and outputs
| No. | HW component | Terminal | Symbol | Signal (default value) | Note | Device |
|---|---|---|---|---|---|---|
| 1 | EMERGENCY STOP input | IN4 | EMERGENCY STOP | 1 | EMERGENCY STOP activated at 0 | SIMO |
| 2 | EMERGENCY STOP pushbutton contact 1 | Y11 - Y12 | | 1 | | 3TK2823 |
| 3 | EMERGENCY STOP pushbutton contact 2 | Y21 - Y22 | | 1 | | 3TK2823 |
| 4 | Acknowledge EMERGENCY STOP button | Y33 - Y34 | | 0 | | 3TK2823 |
| 5 | Contactor K1 | 14 | K1 | | | 3TK2823 |
| 6 | Operational switching | OUT1 | Output 1 | 0 | Start 3TK28 at 1 | SIMO |
| 7 | Operational switching star-delta | OUT2 | Output 2 | 0 | Start 3TK28 at 1 | SIMO |
| 8 | ON button OP buttons | | ON | | | OP |
| 9 | OFF button OP buttons | | OFF | | | OP |
Testing inputs and outputs
| No. | Action | Reaction | Note |
|---|---|---|---|
| 1 | Ensure that the EMERGENCY STOP pushbutton is released | If the EMERGENCY STOP has been activated, the 3TK28 must be acknowledged. The contacts K1, K2 and K4 are closed. | |
| 2 | Press the Acknowledge EMERGENCY STOP button. | Contactor K1 responds and there is voltage on contact 24 of the 3TK28. | 3TK28 is acknowledged and the load can be started via SIMOCODE |
| 3 | Press the ON> or ON>> button on the SIMOCODE operator panel | Output OUT1 switches voltage to contactor K2, and the outputs OUT2 and OUT3 switch voltage to the contactors K4 and K3 as per star-delta switching. The contactors respond accordingly. | The motor runs |
| 4 | Press the EMERGENCY STOP pushbutton. | Contactors K1, K2 and K4 release, activation of the EMERGENCY STOP is signaled to SIMOCODE via contact 24 of the 3TK28. SIMOCODE switches outputs OUT1 and OUT2 to 0. | The load is stopped safely. SIMOCODE has activated the EMERGENCY STOP, no fault is signaled. |
| 5 | Release the EMERGENCY STOP pushbutton. | Contacts K1, K2 and K4 are closed | |
| 6 | Press the Acknowledge EMERGENCY STOP button. | Contactor K1 responds and there is voltage on contact 24 of the 3TK28. | 3TK28 is acknowledged and the load can be started via SIMOCODE |
Fail-safe Controllers
SIMATIC Safety Integrated
1. Emergency Stop with Acknowledgement in Category 4 acc. to EN 954-1
2. Safety Door with Spring-Loaded Engagement in Category 4 acc. to EN 954-1
3. Safety Door with Magnetic Engagement in Category 4 acc. to EN 954-1
4. Safety Door without Guard Locking in Category 4 acc. to EN 954-1
5. Light Curtain in Category 4 with Muting Function acc. to EN 954-1
6. Two-Hand Control Panel with Integrated Emergency Stop in Category 4 acc. to EN 954-1
7. Integration of the Readback Signal in an Application of Category 4 acc. to EN 954-1
8. Safety Shutdown in the Stop Categories 0 and 1 in Safety Category 4 according to EN 954-1
9. Single and Group Shutdown of Actuators in Safety Category 4 acc. to EN 954-1
10. Distributed application of laserscanner LS4-4 in Category 3 according to EN 954-1
11. Passivation and Reintegration of F-I/O considering as example the ET 200S
12. Safe Standstill Detection and Safely Reduced Speed with F-CPU and MASTERDRIVES in Category 3 of EN 954-1 or SIL 2 of IEC 62061
Emergency Stop with Acknowledgement in Category 4 acc. to EN 954-1
Functional Example No. AS-FE-I-001-V10-EN
Ex. No. 1
Automation Function
Description of the functionality
If persons (e.g. in manufacturing engineering) work in the vicinity of machines, they have to be adequately protected by technical devices. Emergency stop is an additional safety measure in order to protect people and plants from hazards. Emergency stop must have priority over all other functionalities.
Devices, functional aspects and basic design principles of the emergency stop push button are laid down in EN 418, and additionally, EN 60204-1 : 1997 must be observed.
Note
In this example, the hazardous machine is simulated by an indicator light. When using actuators other than this indicator light, a safe switching-off function of the loads, including signal feedback, is to be supplemented.
For calculating the max. reaction time of your F-system please use the Excel file (Cotia table), which is available for S7 Distributed Safety V 5.3. This file is available on the internet:
http://support.automation.siemens.com/WW/view/en/19138505
In this example, an actuated emergency stop push button disables an output of a failsafe digital output module at which e.g. a hazardous machine is operated. All other outputs of this output module remain in their current status. Prior to a renewed machine start the emergency stop push button must be reset manually. This requires an acknowledgement signal. The flowchart below illustrates the relation.
[Flowchart G_FB_XX_076: Start; "Machine" STOP; Emergency stop pressed? (Y/N); Acknowledgement (Y/N); START? (Y/N); "Machine" ON]
Prefabricated blocks and network templates from the Distributed Safety library were used to implement the emergency stop functionality. Alternatively, you can also access the respective block from the Distributed Safety library (from Distributed Safety V5.3) for the realization.
Advantages/customer benefits
■ Wiring reduced to a minimum due to use of failsafe S7-CPU and distributed I/O. The more safety functions are implemented, the more useful this advantage is.
■ Only one S7-CPU is required, since within the CPU failsafe and standard program parts run on a coexistent basis.
■ Programming the failsafe program with STEP 7 engineering tools.
■ Editor user interface within the failsafe program is used as familiar from STEP 7.
Required components
Hardware components
| Component | Type | MRPD / Ordering data | Qty |
|---|---|---|---|
| Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1 |
| S7-CPU, can be used for safety applications | CPU 315F-2DP | 6ES7315-6FF01-0AB0 | 1 |
| Micro Memory Card | MMC 512 kB | 6ES7953-8LJ10-0AA0 | 1 |
| Interface module for ET 200M | IM 153-2 | 6ES7153-2AA02-0XB0 | 1 |
| Digital input module | SM321 DI16xDC24V | 6ES7321-7BH00-0AB0 | 1 |
| Safety protector | - | 6ES7195-7KF00-0XA0 | 1 |
| Digital input module, failsafe | SM326 DI24xDC24V | 6ES7326-1BK00-0AB0 | 1 |
| Digital output module, failsafe | SM326 DO10xDC24V/2A | 6ES7326-2BF01-0AB0 | 1 |
| Rack | 482.6 mm | 6ES7390-1AE80-0AA0 | 2 |
| Optional: Indicator light incl. incandescent lamp | yellow | 3SB3217-6AA30 | 1 |
| Emergency stop | Mushroom-head pushbutton 1NC | 3SB3801-0DG3 | 1 |
| Contact (for Emergency stop) | 1NC, screw-type connection | 3SB3420-0C | 1 |
| Push button | green, 1NO | 3SB3801-0DA3 | 2 |
Manufacturer: Siemens AG
Note
The functionality was tested with the hardware components listed. Similar products not included in the above
list (e.g. a different digital input module) can also be
used. Please note that in this case changes in the sample
code (e.g. different addresses) may become necessary.
Configuration software/tools
| Component | Type | MRPD / Ordering data | Qty |
|---|---|---|---|
| SIMATIC STEP 7 | V5.3 + SP1 | 6ES7810-4CC07-0YA5 | 1 |
| SIMATIC Distributed Safety | V5.3 | 6ES7833-1FC01-0YA5 | 1 |
Manufacturer: Siemens AG
Setup and Wiring
In order to set up and wire the functional example, it is absolutely necessary to consider the following note:
Warning!
In order to meet the requirements of Safety Category 4, it is obligatory to read back the process signal to the actuator. Read back is not implemented in this example.
The actuator in this example is an indicator light simulating a machine. If other actuators are used, read back has to be ensured by the user. The Safety Integrated Functional Example No. 7 "Integration of the Readback Signal in an Application of Category 4 acc. to EN 954-1" provides a detailed description of "Read back".
An overview of the hardware structure
The arrangement to implement the emergency stop functionality consists of a PROFIBUS configuration. A failsafe S7-CPU is used as DP master, an ET 200M as DP slave. The ideally used indicator light simulates the hazardous "machine". The indicator light can be replaced by actuators in accordance with their requirements.
[Figure: hardware overview with PS 307, CPU 315F, IM 153-2, Safety protector, DI SM321, DO SM326 and DI SM326; connected devices: Actuator, Acknowledge button (NO), optional, Emergency stop button (NC / NC), "Start" button (NO)]
Wiring of the hardware components
Requirements: The power supplies are supplied with 230V AC.
First check the addresses set at the hardware components listed below:
| Hardware component | Address to be set | Note |
|---|---|---|
| IM 153-2 | 6 (PROFIBUS address) | Can be changed |
| DI (SM326) | 8 | You can change the address areas of the module via inputs (DIL button at the back of the module). Please note the following: During safety operation, input and output address have to be identical, divisible by 8 and they must have a value between 8 and 8176 (see screenshot). |
| DO (SM326) | 24 | You can change the address areas of the module via inputs (DIL button at the back of the module). Please note the following: During safety operation, input and output address have to be identical, divisible by 8 and they must have a value between 8 and 8176 (see screenshot). |
Note
The DP interface of the CPU 315F must be connected with the DP interface of the IM 153-2.
[Figure G_FB_XX_077: wiring diagram of PS 307 / CPU 315F, IM 153-2, DI SM321, Safety Protector, DI SM326 and DO SM326 with the Start and Acknowledgement push buttons, the emergency stop button and the actuator]
Note
A connection between the MPI interface of your PG/PC
and the MPI interface of the CPU 315F-2DP (MPI cable)
is required to download the S7 project into the CPU
315F-2DP.
Function test
After wiring the hardware components, you can check the inputs and outputs used with regard to their functionality (after
downloading the S7 project).
Inputs/outputs used
| No. | Hardware component | Address | Symbol | Signal (default value) | Note |
|---|---|---|---|---|---|
| 1 | Push button (NO) | E 0.0 | ACK | "0" | Acknowledgement |
| 2 | Push button (NO) | E 0.1 | START | "0" | Start |
| 3 | Emergency stop push button (NC/NC) | E 8.0 | ESTP | "1" | – |
| 4 | Actuator (Indicator light) | A 24.0 | ACTUATOR | "0" | "1": "Machine" active |
Testing inputs and outputs
Requirements: The inputs and outputs have the default values specified under "Inputs/outputs used".
| No. | Instruction | Response A24.0 | Note |
|---|---|---|---|
| 1 | None | "0" | After start of the S7-CPU |
| 2 | Press ACK and release the button | "0" | Acknowledgement |
| 3 | Press START and release the button | "1" | "Machine" (here simulated by indicator light) runs |
| 4 | Press ESTP | "0" | Emergency stop pressed |
Important hardware component settings
Below, several important settings from the hardware configuration of STEP 7 are shown to provide you with an overview.
These settings are available in the included STEP 7 project. It
is basically possible to change these settings (e.g. due to individual requirements), but please consider the following note:
Warning!
The settings shown below contribute to meet the requirements of Safety Category 4. Changes at the settings may cause loss of the safety function.
If you implement changes (e.g. add an additional module),
the sample code has to be adapted accordingly.
The safety protector is not listed in the hardware configuration of STEP 7.
Overview picture
The PROFIBUS address at IM 153-2 is set using DIP-switches.
Settings of the CPU 315F-2DP
The settings are displayed after double-clicking "CPU 315F-2 DP" (see "Overview picture").
Available in the "Protection" tab.
A password has to be allocated in order to be able to set the parameter "CPU Contains Safety Program". It is only in this case that all required F blocks for safe operation of the F modules are generated during compiling the hardware configuration of STEP 7.
Password used here: siemens
Default value: 100 ms. It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Settings of the failsafe DI (SM 326)
The settings are displayed after double-clicking "DI24xDC24V" (see "Overview picture").
Setting the monitoring time.
Channels which are not used are to be deactivated.
Settings of the failsafe DO (SM 326)
The settings are displayed after double-clicking "DO10xDC24V/2A" (see "Overview picture").
Setting the monitoring time.
Channels which are not used are to be deactivated.
Basic Performance Data
Load and main memory (without program code)
| | Total | S7 standard blocks | F blocks (failsafe) |
|---|---|---|---|
| Load memory | approx. 37,5 | approx. 0,2 k | approx. 37,3 k |
| Main memory | approx. 28,2 | approx. 0,08 k | approx. 28,1 k |
Load and main memory (with program code)
| | Total | S7 standard blocks | F blocks (failsafe) |
|---|---|---|---|
| Load memory | approx. 42,9 k | approx. 1,1 k | approx. 41,8 k |
| Main memory | approx. 31,1 k | approx. 0,4 k | approx. 30,6 k |
Cycle time
| | Value | Note |
|---|---|---|
| Total cycle time (typical value) | approx. 5 ms | Standard and safety program |
| Max. runtime of the safety program | 10 ms | Calculation with the Cotia table. Page 180 specifies where to find it. |
Sample Code
Preliminary Remarks
Enclosed, we offer you the STEP 7 project as sample code with which you can reproduce the described emergency stop functionality.
The sample code is always assigned to the components used in the functional example and implements the required functionality. Problems not dealt with in this document are to be implemented by the user; the sample code may serve as a basis.
Password
In all cases, the password used for the safety-relevant part is "siemens".
Use of the STEP 7 Project
An indicator light (simulates a machine) is switched on via a
push-button (START). The emergency stop button is used for
switching off. Restarting requires an acknowledge signal (ACK
button).
Operation related switching off is not implemented in this example, however, on the following pages it will be illustrated
how to include this signal.
Download
The download is available via the following link:
http://support.automation.siemens.com/WW/view/en/21064024
To call the corresponding project file, open the "as_fe_i_001_v10_code_estop.zip" file offered as a separate download and extract it into a user defined directory.
■ First load the hardware configuration into the S7-CPU
■ Switch to the SIMATIC Manager
■ Select the "Blocks" container
■ Menu "Options" -> Edit safety program
■ Click the "Download" button
■ Finally, set the mode switch of the F-CPU from STOP to RUN
The sample code with the given configurations enables the following:
■ Resetting a failsafe digital output after actuating the emergency stop push button
■ Renewed setting (= start of the application) of the failsafe digital output requires the following:
1. User acknowledgement (does not automatically start the application)
2. Starting the application (only possible in case of previous acknowledgement)
Program procedure
FC "START_AND_STOP" (FC10)
The (non-failsafe) FC "START_AND_STOP" (FC 10) is called from OB 1 (see following figure).
[Figure G_FB_XX_078: call of FC "START_AND_STOP" with the connections EN, START ("START"), STOP ("STOP"), COND ("COND") and ENO]
| Parameter | Address | Explanation |
|---|---|---|
| START | E 0.1 | Push button (NO) for the start requirement. |
| STOP | M 90.5 | Dummy. If the operation related stop is to be implemented, replace the memory bit by an input Ex.y. |
| COND | M 90.0 | Saves the information start/stop of the "machine". |
The FC "START_AND_STOP" (FC 10) in the following figure sets/resets #COND whose signal status ("0" or "1") starts or stops the "machine" in the failsafe program. #COND can only become "1" if the emergency stop button has been unlocked and acknowledged prior to the start (occurs in the safety program). This is ensured by the "Instanz_FB1".EN_ESTP bit from the instance data block DB 1 of FB 1 (from the safety program). This bit must have been set for a possible start. If this bit is "0", the "1" signal lies at the R entry of the flipflop, which makes the output Q always "0", even if the S entry receives the "1" signal with #START (resetting has priority with the used flipflop).
[Figure G_FB_XX_079: network of FC "START_AND_STOP" with #START (edge evaluation "P") at the S entry of the SR flipflop, #STOP and "INSTANZ_FB1".EN_ESTP combined via >=1 at the R entry, and the output Q assigned to #COND]
The information of the memory bit "COND" is read as memory bit COND1 in the safety program. This allocation occurs in the cyclic interrupt OB35 for the following reason:
When data from the standard user program (memory bits or the process input image, PAE, of standard I/O) that may be changed by the standard user program or an operation control and monitoring system while an F runtime group is running is read in the safety program, it is necessary to use separate memory bits (here COND1). Data from the standard user program have to be written to these memory bits immediately before calling the F runtime group. Only these memory bits may then be accessed in the safety program.
In this example it has already been implemented. Generally, however, the following applies:
Note
If the above section is not observed the F CPU may go to STOP mode.
The failsafe program has the following program sequence:
[Figure G_FB_XX_080: F-Call (FC1), FC "COORDINATION" (FC2), FB "ESTOP" (FB1, DB1), FC "REINTEGRATION" (FC3)]
F-CALL (FC1)
F-CALL (FC1) is the F runtime group and is called from the cyclic interrupt OB (OB 35). F-CALL calls the F program block (here: FC2).
FC "COORDINATION" (FC2)
For modularity reasons all further failsafe blocks are called from here.
FB "ESTOP" (FB1, DB1)
The emergency stop is implemented as follows:
[Figure G_FB_XX_081: network of FB "ESTOP" with #ACK (edge evaluation "N", edge memory bit #N) at the S entry and #ESTP at the R entry of the SR flipflop, output Q assigned to #EN_ESTP, and #EN_ESTP combined with #COND1 via & to #ACTUATOR]
The signal status of #COND1 is defined in the user program (see FC 10 or OB 35). #COND1="1" is the first condition for a start of the "machine" (#ACTUATOR="1"). The second condition is the acknowledgement required before the start. The flipflop is set with #ACK="1" (#EN_ESTP="1"). In the standard user program (FC 10) the static variable #EN_ESTP is read as bit of the instance DB of FB1 and ensures that the COND bit (or COND1 in the safety program) is set there by the start signal only after acknowledgement.
By pressing the emergency stop button #ESTP becomes "0", which sets the output Q of the flipflop back to "0" (resetting has priority with this flipflop) and thus makes #ACTUATOR "0" as well ("machine" is switched off).
FC "REINTEGRATION" (FC3)
This FC ensures the reintegration of the passivated failsafe modules (F-DI and/or F-DO). For the F-DO a memory bit REINT is prepared. With a positive edge of REINT the F-DO will be reintegrated. A passivation is indicated at the failsafe module via LED. The reintegration of an F module may take approx. one minute.
Note
In this example, the reintegration of passivated modules occurs automatically. Use the automatic reintegration for your application only if it will not cause any hazards.
Operating instructions
The table below will help you during operation.
| No. | Instruction | Result/Note |
|---|---|---|
| 1 | Press the acknowledgement push button ACK and release it. | |
| 2 | Press the push button for START instruction and release it. | Indicator light goes on ("machine" active). |
| 3 | Press the emergency stop push button. | Indicator light goes off. The output of the failsafe digital output module is reset. |
| 4 | Unlock emergency stop push button. | Perform action 1. |
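The interplay of FC 10, the COND to COND1 hand-over in OB 35 and FB 1 described above can be traced scan by scan with the following Python model. It is an added example, not part of the Siemens STEP 7 project; the class and function names, the rising-edge evaluation of START, the falling-edge evaluation of ACK (both read from the "P" and "N" labels in the figures) and the active-high STOP bit are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Inputs:
    ack: bool = False    # E 0.0  push button (NO)
    start: bool = False  # E 0.1  push button (NO)
    estp: bool = True    # E 8.0  emergency stop (NC/NC): True = not actuated
    stop: bool = False   # M 90.5 dummy; active-high stop request (assumption)


class EstopModel:
    """CPU state: memory bits plus the instance DB of FB 1 (hypothetical model)."""

    def __init__(self):
        self.cond = False        # M 90.0, written only by FC 10 (standard program)
        self.cond1 = False       # copy of COND, the only bit the safety program reads
        self.en_estp = False     # "INSTANZ_FB1".EN_ESTP, static variable of FB 1
        self.actuator = False    # A 24.0, failsafe digital output
        self._start_mem = False  # edge memory bit for START
        self._ack_mem = False    # edge memory bit for ACK

    def fc10_start_and_stop(self, i):
        """Standard program: reset-dominant SR flipflop driving COND."""
        rising = i.start and not self._start_mem  # assumption: rising edge of START
        self._start_mem = i.start
        if rising:
            self.cond = True
        if i.stop or not self.en_estp:            # evaluated last: reset has priority
            self.cond = False

    def fb1_estop(self, i):
        """Safety program: reset-dominant SR flipflop driving EN_ESTP."""
        falling = self._ack_mem and not i.ack     # assumption: ACK acts on release
        self._ack_mem = i.ack
        if falling:
            self.en_estp = True
        if not i.estp:                            # actuated emergency stop resets
            self.en_estp = False
        self.actuator = self.en_estp and self.cond1

    def scan(self, i):
        """One cycle: OB 1 (FC 10), then OB 35 (copy COND, F-CALL -> FB 1)."""
        self.fc10_start_and_stop(i)
        self.cond1 = self.cond                    # written immediately before F-CALL
        self.fb1_estop(i)
        return self.actuator


def press_and_release(plc, inputs, name):
    """Scan once with the button pressed and once released; return A 24.0."""
    setattr(inputs, name, True)
    plc.scan(inputs)
    setattr(inputs, name, False)
    return plc.scan(inputs)


def function_test():
    """Steps 1 to 4 of 'Testing inputs and outputs'; returns A 24.0 per step."""
    plc, i = EstopModel(), Inputs()
    result = [plc.scan(i)]                             # 1: no action
    result.append(press_and_release(plc, i, "ack"))    # 2: ACK
    result.append(press_and_release(plc, i, "start"))  # 3: START
    i.estp = False
    result.append(plc.scan(i))                         # 4: emergency stop pressed
    return result


def restart_after_estop():
    """Unlocking and acknowledging alone must not restart the 'machine'."""
    plc, i = EstopModel(), Inputs()
    press_and_release(plc, i, "ack")
    press_and_release(plc, i, "start")
    i.estp = False
    plc.scan(i)
    plc.scan(i)           # FC 10 now sees EN_ESTP = 0 and resets COND
    i.estp = True         # unlock the emergency stop push button
    after_unlock = plc.scan(i)
    after_ack = press_and_release(plc, i, "ack")
    after_start = press_and_release(plc, i, "start")
    return after_unlock, after_ack, after_start


def start_without_ack():
    """START before any acknowledgement leaves COND and A 24.0 at 0."""
    plc, i = EstopModel(), Inputs()
    out = press_and_release(plc, i, "start")
    return out, plc.cond


if __name__ == "__main__":
    print("function test A 24.0:", function_test())
    print("after E-stop (unlock, ACK, START):", restart_after_estop())
    print("START without ACK:", start_without_ack())
```

Because FC 10 resets COND as soon as EN_ESTP is "0", the start request is lost after an emergency stop, so the output only returns to "1" after a new acknowledgement followed by a new START.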
Safety Door with Spring-Loaded Engagement in Category 4 acc. to EN 954-1
Functional Example No. AS-FE-I-002-V10-EN
Ex. No. 2
Automation Function
Description of the functionality
Interlocking devices with guard locking are mechanical or electrical devices which only enable operation of a machine if the door is closed and guard locked. Interlock and guard locking is maintained until the risk of injury caused by hazardous machine functions or motions is excluded. This monitoring is usually performed by overspeed trips or standstill monitors. In this example, motion/stoppage of a machine is simulated by a NO contact.
In this example, an actuator installed on the door moves form fit into a safety position switch with locked engagement. During the potential hazard (machine in RUN), the actuator is held (and thus the door guard locked) by the fact that the voltage applied to a magnet in the safety position switch is removed. This type of interlock is referred to as spring-actuated lock.
If the safety position switch fails, the safety function is maintained by the hinge switch (also detects the opened safety door). This ensures that the requirements of the EN 954 : 1996 standard (Category 4) are met, which prescribes redundant installation of all safety-relevant parts for position monitoring of the safeguard (here: Safety door).
The diagram below illustrates the concept of safety door monitoring:
[Flowchart G_FB_XX_083: Start; "Machine" stop?; F-DO="1"; F-DO="0"; Start request; Position switch: Door closed?; Hinge switch: Door closed?; Release?; Monitoring locking OK?; "Machine" starts; Stop request?; "Machine" stop; Monitoring unlocking OK?]
The voltage applied to the magnet is removed by resetting a failsafe digital output channel of the ET 200S; this channel is linked to the magnet. Conversely, setting this output supplies the magnet with voltage so that the safety door can be opened.
[Figure G_FB_XX_084: fail-safe digital output module (F-DO) connected to the magnet of the safety position switch with lock engagement (interlocked with spring force)]
Note
In this example, no real machine is controlled; the concept of a safety door monitoring with guard locking (on sensor side) is shown. If you want to additionally integrate a real machine or other actuators, you can of course use the parameters described in the corresponding STEP 7 as basis.
For calculating the max. reaction time of your F-system please use the Excel file (Cotia table), which is available for S7 Distributed Safety V 5.3. This file is available on the internet:
http://support.automation.siemens.com/WW/view/en/19138505
Advantages/customer benefits
■ In case of power failure, the safety door remains interlocked
■ Wiring reduced to a minimum due to use of failsafe S7-CPU
and distributed I/O. The more safety functions are implemented, the more useful this advantage is
■ Only one CPU is required, since failsafe and standard program parts run on a coexistent basis in the CPU
■ Programming the failsafe program with STEP 7 engineering tools
Required components
Hardware components
| Component | Type | MRPD / Ordering data | Qty |
|---|---|---|---|
| Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1 |
| S7-CPU, can be used for safety applications | CPU 315F-2DP | 6ES7315-6FF01-0AB0 | 1 |
| Micro Memory Card | MMC 512 kB | 6ES7953-8LJ10-0AA0 | 1 |
| Interface module for ET 200S | IM 151 High Feature | 6ES7151-1BA00-0AB0 | 1 |
| Power module for ET 200S | PM-E DC24..48V AC24..230V | 6ES7138-4CB10-0AB0 | 2 |
| Electronic module for ET 200S | 4DI HF DC24V | 6ES7131-4BD00-0AB0 | 1 |
| Electronic module for ET 200S | 4/8 F-DI DC24V | 6ES7138-4FA01-0AB0 | 1 |
| Electronic module for ET 200S | 4 F-DO DC24V/2A | 6ES7138-4FB01-0AB0 | 1 |
| Terminal module for ET 200S | TM-P15S23-A0 | 6ES7193-4CD20-0AA0 | 2 |
| Terminal module for ET 200S | TM-E15S24-A1 | 6ES7193-4CA20-0AA0 | 1 |
| Terminal module for ET 200S | TM-E30C46-A1 | 6ES7193-4CF50-0AA0 | 2 |
| Profile rail | 482.6 mm | 6ES7390-1AE80-0AA0 | 1 |
| Standard mounting rail | 35 mm, length: 483 mm | 6ES5710-8MA11 | 1 |
| Optional: Indicator light incl. incandescent lamp | yellow | 3SB3217-6AA30 | 1 |
| Safety position switch with locked engagement | interlocked with spring force | 3SE2840-6XX01 | 1 |
| Actuator | – | 3SX3197 | 1 |
| SIGUARD hinge switch | 1NO, 1NC | 3SE2200-1GA11 | 1 |
| Push button | green, 1NO | 3SB3801-0DA3 | 2 |
| Push button | red, 1NC | 3SB3801-0DB3 | 1 |
Manufacturer: Siemens AG
Note
The functionality was tested with the hardware components listed. Similar products not included in the above
list can also be used. Please note that in this case
changes in the sample code (e.g. different addresses)
may become necessary.
Configuration software/tools
| Component | Type | MRPD / Ordering data | Qty |
|---|---|---|---|
| SIMATIC STEP 7 | V5.3 + SP1 | 6ES7810-4CC07-0YA5 | 1 |
| SIMATIC Distributed Safety | V5.3 | 6ES7833-1FC01-0YA5 | 1 |
Manufacturer: Siemens AG
Setup and Wiring
In order to set up and wire the functional example, it is absolutely necessary to consider the following note:
Warning!
In order to meet the requirements of Safety Category 4, it is obligatory to read back the process signal to the actuator. Read back is not implemented in this example.
The actuator in this example is an indicator light simulating a machine. If other actuators are used, read back has to be ensured by the user. The Safety Integrated Functional Example No. 7 "Integration of the Readback Signal in an Application of Category 4 acc. to EN 954-1" provides a detailed description of "Read back".
An overview of the hardware structure
The arrangement to implement the safety door interlock consists of a PROFIBUS configuration. A failsafe S7-CPU is used as DP master, an ET 200S as DP slave. Below, the wiring of conventional modules is shown only partly to provide greater clarity.
[Figure G_FB_XX_085: hardware overview with PS 307, CPU 315F, DP connection, IM 151 HF, PM-E, 4DI HF, PM-E, F-DO and F-DI; connected signals at the 4DI HF: Monitoring unlocking, START, STOP; at the F-DO: Actuator, Magnet; at the F-DI: Actuator contact of the safety position switch, Machine runs, Hinge switch]
Warning!
A speed or standstill monitor for monitoring hazardous slowing down of a machine is simulated in this example with a button (NO) which is connected as single-channel to the failsafe input module (F-DI). When using real speed or standstill monitors they must be connected to the F-DI as double-channels (1oo2 evaluation).
Note
The "high feature" electronic modules can also be replaced by standard modules.
Wiring of the hardware components
Requirements: The power supplies are supplied with 230V AC.
First check the addresses set at the hardware components listed below:
| Hardware component | Address to be set | Note |
|---|---|---|
| IM 151 High Feature | 6 (PROFIBUS address) | Can be changed |
| F-DI | Switch position: 1111111110 | The PROFIsafe addresses are automatically assigned during configuring the failsafe modules in STEP 7. The PROFIsafe addresses 1 to 1022 are permissible. Please make sure that the setting at the address switch (DIL switch) on the side of the module corresponds to the PROFIsafe address in the hardware configuration of STEP 7. |
| F-DO | Switch position: 1111111101 | The PROFIsafe addresses are automatically assigned during configuring the failsafe modules in STEP 7. The PROFIsafe addresses 1 to 1022 are permissible. Please make sure that the setting at the address switch (DIL switch) on the side of the module corresponds to the PROFIsafe address in the hardware configuration of STEP 7. |
Note
The DP interface of the CPU 315F must be connected with the DP interface of the IM 151 HF.
Note
The wiring of the hardware is illustrated below. In the following table, the hardware components occurring several times are numbered so they can be allocated in the subsequent wiring plan.
[Figure G_FB_XX_086: wiring diagram of PS 307 / CPU 315F, IM 151 HF, the two PM-E power modules, 4 DI HF, F-DI and F-DO with the Start and Stop push buttons, the "Machine runs" button, the safety position switch, the hinge switch and the actuator]
Note
A connection between the MPI interface of your PG/PC
and the MPI interface of the CPU 315F-2DP (MPI cable)
is required to download the S7 project into the
CPU 315F-2DP.
Function test
After wiring the hardware components, you can check the inputs and outputs used with regard to their functionality (after
downloading the S7 project).
Inputs/outputs used
The values listed in the "Signal (default value)" column refer to
the following (error-free) state:
■ Closed safety door
■ Stoppage of a hazardous machine
| No. | Hardware component | Address | Symbol | Signal (default value) | Note |
|---|---|---|---|---|---|
| 1 | Monitoring unlocking of the safety position switch (NC) | E 0.0 | E_MAGNET | "0" | "0" signal if U=24V at the magnet of the safety position switch |
| 2 | Push button (NO) | E 0.1 | START | "0" | - |
| 3 | Push button (NC) | E 0.2 | STOP | "1" | - |
| 4 | Actuator contact in the safety position switch (NC) | E 0.2 | SEP_ACT | "1" | Contact picking up the separate actuator. "1" signal, if actuator in the safety position switch |
| 5 | Hinge switch (NC) | E 2.4 | HINGED_SW | "1" | "1" signal, if door closed. |
| 6 | Push button (NO) | E 2.1 | ACT_PAS | "0" | Simulates motion of a hazardous machine; "0" means stoppage |
| 7 | Magnet in the safety position switch | A 8.0 | COIL | "1" | "1": Door can be opened |
| 8 | Indicator light | A 8.1 | ACTUATOR | "0" | Simulates hazardous machine |
Testing inputs and outputs
Requirements: The inputs and outputs have the default values specified under "Inputs/outputs used".
| No. | Instruction | Response A 8.0 | Response A 8.1 | Note |
|---|---|---|---|---|
| 1 | None | "1" | "0" | Safety door can be opened |
| 2 | Press E 0.1 and release | "0" | "1" | Pressing then holding E2.1 (simulated movement). Safety door cannot be opened |
| 3 | Press E 0.2 and release | "0" | "0" | Keep E2.1 pressed (machine is switched off, however hazardous slowing down). Safety door cannot be opened |
| 4 | Release E 2.1 | "1" | "0" | Machine stoppage. Safety door can be opened |
Important hardware component settings
Below, several important settings from the hardware configuration of STEP 7 are shown to provide you with an overview.
These settings are available in the included STEP 7 project. It
is basically possible to change these settings (e.g. due to individual requirements), but please consider the following note:
Warning!
The settings shown below contribute to meet the requirements of Safety Category 4. Changes at the settings may cause loss of safety functions.
If you implement changes (e.g. add an additional module),
the sample code has to be adapted accordingly.
Overview picture
The PROFIBUS address at IM 151HF is set using DIP-switches.
Settings of the CPU 315F-2DP
The settings are displayed after double-clicking "CPU 315F-2
DP" (see "Overview picture").
Available in the "Protection" tab.
A password has to be allocated in order to be able to set the
parameter "CPU Contains Safety Program". It is only in this
case that all required F blocks for safe operation of the F modules are generated during compiling the hardware configuration of STEP 7.
Password used here: siemens
Set mode: "Test Mode"
During Process Mode, the test functions such as program status or monitor/modify variable are restricted in such a way
that the set permitted increase in scan cycle time is not exceeded. Testing with stop-points and gradual program execution cannot be performed.
During Test Mode, all test functions can be used without restrictions via PG/PC which can also cause larger extensions of
the cycle time. Important: During test mode of the CPU, you
have to make sure that the CPU or the process can "stand"
large increases in cycle time.
Default value: 100 ms. It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Settings of the failsafe F-DI
The settings are displayed after double-clicking "4/8 F-DI DC24V" (see "Overview picture").
DIL switch settings
This value has to be set on the module (F-DI).
F monitoring time
It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Also in the "Parameter" tab.
The safety position switch is assigned to channel 0, the hinge switch to channel 4 and the simulation of the speed or standstill monitor to channel 1. All three sensors are connected as single-channel. The other channels are deactivated.
Settings of the failsafe F-DO
The settings are displayed after double-clicking "4 F-DO DC24V/2A" (see "Overview picture").
DIL switch settings
This value has to be set on the module (F-DI).
F monitoring time
It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Activate used channels, deactivate channels which are not used. The read-back time defines the duration of the switch-off procedure for the respective channel. If the respective channel switches high capacity loads, the read back time should be set sufficiently large. We recommend setting the read back time as small as possible, however large enough so that the output channel does not become passive.
Basic Performance Data
Load and main memory (without program code)
 | Total | S7 standard blocks | F blocks (failsafe)
Load memory | approx. 37,5 | approx. 0,2 k | approx. 37,3 k
Main memory | approx. 28,2 | approx. 0,09 k | approx. 28,1 k
Load and main memory (with program code)
 | Total | S7 standard blocks | F blocks (failsafe)
Load memory | approx. 44,8 k | approx. 1,3 k | approx. 43,5 k
Main memory | approx. 32,5 k | approx. 0,5 k | approx. 32,0 k
Cycle time
Total cycle time (typical value) | approx. 5 ms | Standard and safety program
Max. runtime of the safety program | 9 ms | Calculation with the Cotia table. Page 180 specifies where to find it.
Sample Code
Preliminary Remarks
Enclosed, we offer you the STEP 7 project as sample code with
which you can reset the described emergency stop functionality.
The sample code is always assigned to the components used
in the functional example and implements the required functionality. Problems not dealt with in this document are to be
implemented by the user; the sample code may serve as a basis.
The sample code with the given configurations enables the
following:
■ A safety door is guard locked until the hazardous action
(example of a "machine" in RUN) is over.
■ The safety door can always be opened with the keylock
switch on the safety position switch (e.g. in case of an
emergency).
■ The safety door is interlocked/unlocked by resetting/setting
a failsafe module (F-DO) of the ET 200S.
Password
In all cases, the password used for the safety-relevant part is „siemens“.
Use of the STEP 7 Project
The STEP 7 project shows the possibility of a safety door locking in safety category 4. In this example, the hazardous machine is simulated by an indicator light. The conditions necessary for the actuators to reach safety category 4 (e.g. read back of actuator signals) are not considered in this example.
Note
With this example, no real machine is controlled. The indicator lights simulate the state of a hazardous machine activity. The state "Machine in STOP" or "Machine in RUN" is simulated by a (NO) push button ("0" signal means: "Machine in STOP").
Download
The download is available via the following link:
http://support.automation.siemens.com/WW/view/en/21063946
To call the corresponding project file, open the "as_fe_i_002_v10_code_sdoorspring.zip" file offered as a separate download (on the HTML page) and extract it into a user defined directory.
■ First load the hardware configuration into the S7-CPU.
■ Switch to the SIMATIC Manager.
■ Select the "Blocks" container
■ Menu "Options" -> Edit safety program.
■ Click the "Download" button
Program procedure
The (non-failsafe) FC "STANDARD" (FC 3) is called from OB 1 (see following figure).
[Figure: call of FC "STANDARD" with the inputs START, E_MAGNET and STOP and the output COND]
Parameter | Address | Explanation
START | E 0.1 | Push button (NO) for the start requirement.
E_MAGNET | E 0.0 | Position monitoring of the unlocking magnet in the safety position switch.
STOP | E 0.2 | Button (NC) for the stop requirement.
COND | M 90.0 | Saves the information start/stop of the "machine".
The information of the memory bit "COND" is read as memory bit COND1 in the safety program. This allocation occurs in the cyclic interrupt OB35 for the following reason:
When the safety program reads data from the standard user program (memory bits or PAE of standard I/O) which may be changed by the standard user program or an operation control and monitoring system while an F runtime group is running, it is necessary to use separate memory bits (here COND1). Data from the standard user program have to be written to these memory bits immediately before calling the F runtime group. Only these memory bits may then be accessed in the safety program.
In this example it has already been implemented. Generally, however, the following applies:
Note
If the above section is not observed the F CPU may go to STOP mode.
FC "STANDARD" (FC 3)
The FC "STANDARD" (FC 3) in the following figure sets/resets #COND whose information starts or stops the "machine" in the failsafe program.
[Figure: network of FC 3 with an SR element, the elements & and >=1 and the edge evaluations P and N; signals #START, #E_MAGNET, #STOP and "INSTANZ_FB1".RELEASE, output "COND"]
"INSTANZ_FB1".RELEASE is a bit from the instance data block (DB 1) of the FB 1, which is processed in the safety program. The static variable "RELEASE" is set or reset. Here in FC 3 the standard user program will read this information, as the machine must only be operated with "RELEASE"="1".
The failsafe program has the following program sequence:
[Figure: program sequence with F-CALL (FC1), FB "COORDINATION" (FB1, DB1), FB "F_SFDOOR" (FB217, DB217) and FC "REINTEGRATION" (FC2)]
F-CALL (FC1)
F-CALL (FC1) is the F runtime group and is called from the cyclic interrupt OB (OB35). F-CALL calls the F program block (here the FB 1).
FB "F_SFDOOR" (FB217, DB217)
FB "COORDINATION" (FB1, DB1) is the first to call the FB "F_SFDOOR" (FB217, DB217). FB 217 is a certified block from the library of distributed safety, which from version 5.3 on is available for safety door monitoring.
[Figure: call of "F_SFDOOR" (from the Distributed Safety library) with IN1 = "SEP_ACT", IN2 = "HINGED_SW", QBAD_IN1 and QBAD_IN2 = "F00002_4_8_F_DI_DC24V".QBAD, OPEN_NEC = #OPEN_NEC, ACK_NEC = #ACK_NEC, ACK = #ACK, Q = #RELEASE, ACK_REQ = #ACK_REQ and the output DIAG]
The enable signal Q (#RELEASE) decides whether
■ the actuator is switched on/off
■ whether the safety door must be opened
The inputs of the safety position switch "SEP_ACT" and the hinge switch are allocated to the inputs IN1 and IN2 of the FB 217. As soon as one of the two inputs IN1 and IN2 has the signal status "0", it is interpreted as opening the safety door. The enable signal is thereby reset to '0'.
The enable signal can only be set back to 1 if:
■ prior to closing the door both inputs IN1 and IN2 have the signal status 0 (safety door completely opened). This uncovers the error of a broken actuator that is still in the position switch although the door is open.
■ subsequently both inputs IN1 and IN2 take on signal status 1 (safety door closed)
■ an acknowledgement is given
The acknowledgement for the enable depends on the parameterization of the input ACK_NEC:
■ For ACK_NEC = 0 an automatic acknowledgement is given (as implemented in this example).
■ For ACK_NEC = 1 you must first acknowledge at the input ACK by means of a rising edge.
In order for the F application block to recognize whether the inputs IN1 and IN2 are only "0" due to a passivation of the respective F-periphery, you must supply the inputs QBAD_IN1 and QBAD_IN2 with the variable QBAD of the respective F periphery DB. This prevents, for example, that the safety door has to be completely opened prior to acknowledgement after a passivation of the F-periphery.
Warning!
The parameterization of the variable ACK_NEC=0 is only permitted if an automatic restart of the respective process is otherwise excluded.
After restarting the F system, the enable signal Q is reset to "0". The acknowledgement for the enable depends on the parameterization of the inputs OPEN_NEC and ACK_NEC:
■ For OPEN_NEC = 0 an automatic acknowledgement is given independent of ACK_NEC, as soon as both inputs IN1 and IN2 have the signal status 1 for the first time after reintegration of the respective F periphery (safety door is closed). In this example this variant has not been activated.
■ For OPEN_NEC = 1, or if at least one of the inputs IN1 and IN2 still has the signal status "0" after reintegration of the respective F periphery, there will be an automatic acknowledgement dependent on ACK_NEC or you must acknowledge at the input ACK by means of a rising edge. Prior to acknowledgement both inputs IN1 and IN2 must have had the signal status 0 (safety door completely opened) and subsequently signal status 1 (safety door closed).
Warning!
The parameterization of the variable OPEN_NEC=0 is only permitted if an automatic restart of the respective process is otherwise excluded.
At the output DIAG, non-failsafe information on errors that have occurred is provided for service purposes. You can read it out via HMI systems or if necessary evaluate it in your standard user program.
Note
The safety program does not allow accessing the output DIAG!
Should you supplement the example by means of a manual acknowledgement, please note the following:
Note
For safety door applications, the acknowledge signal must be read via a failsafe input module (F-DI), if it is an accessible hazardous area. For a non-accessible hazardous area, the acknowledge signal can also be read via a standard input module.
The F-application module supports the requirements according to EN954-1 and EN 1088.
FB "COORDINATION" (FB1, DB1)
After processing the FB 217, processing is continued in FB 1:
Network 2
[Figure: Network 2 with an AND (&) element; signals "E_MAGNET", #RELEASE and #COND1, assignment (=) to #ACTUATOR]
The machine must only start at valid enable from FB 217 (#RELEASE="1") and the start request ("COND1"="1") from the standard user program. Additionally the tumbler (E_MAGNET) must be monitored (see "Network 3" below). The "machine" stops if the locking fails.
Network 3
[Figure: Network 3 with the elements >=1 and &; signals "COND1", "ACT_PAS" and #RELEASE, assignment (=) to "COIL"]
The safety door locks ("COIL"="0"), if
■ the machine is active or
■ a movement of the machine (slowing down movement) has been detected
Only in case of locked door (COIL="0") E_MAGNET will be "1". E_MAGNET="1" is necessary for a start of the "machine" (see "Network 2"). The locking will be active with the start signal. The start will be active (ACTUATOR="1") one program cycle later than COIL="0".
FC "REINTEGRATION" (FC2)
Network 4 of FB1 calls the FC2, where in case of a passivation of F-DI or F-DO the reintegration will be implemented. For the F-DO a memory bit REINT is prepared. With a positive edge of REINT the F-DO will be reintegrated.
Warning!
In this example, the reintegration of passivated modules occurs automatically. Use the automatic reintegration for your application only if it will not cause any hazards.
A passivation is indicated via LED "SF" lighting up on the module. The reintegration of an F module may take approx. one minute.
Operating instructions
No. | Instruction | Result/Note
1 | Plug the actuator into the safety position switch. | Safety door is closed (safety position switch and hinge switch deliver "1" signal)
2 | Check the position of the hinge switch. |
3 | Press the START button | "Machine" starts (here: indicator light goes on)
4 | Press and hold the ACT_PAS button | Simulation of machine movement
5 | Press the STOP button | Indicator light goes off, however, safety door cannot be opened (if still pressing down ACT_PAS).
6 | Release ACT_PAS | Simulated machine stoppage. Safety door can be opened (actuator outside positioning switch and hinge switch turned).
7 | Repeat no. 1 to 4 | –
8 | Turn the hinge switch until the "0" signal. | Enable signal is reset and machine stops.
9 | Release hinge switch and ACT_PAS button. | –
10 | Press the START button | "Machine" does not start! Safety door must first be opened completely for the enable signal to return to "1".
Timing diagram
The timing diagram below (explanation is provided after the diagram) illustrates the following case: While the hazardous machine is active, the door is opened (by force); during this process, the actuator breaks off the door and gets stuck in the safety position switch.
[Figure: timing diagram of the bits START, SEP_ACT, HINGED_SW, ACTUATOR, ACT_PAS, COIL and RELEASE over the times t1 to t5]
[Table: explanation of the bits at the times t1 to t5. RELEASE: enable given, enable reset, stays reset. START: start request. SEP_ACT / HINGED_SW: door closed; door open, however actuator breaks and stays in the position switch; for enable, the door must be completely opened (error uncovered). ACTUATOR: "machine" rotates, "machine" stops, no start of the "machine". ACT_PAS: slowing down movement, "machine" in standstill. COIL: door locked, door unlocked.]
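The broken-actuator case of the timing diagram, replayed as an added Python model (not the certified F_SFDOOR block and not code from the STEP 7 project). It assumes OPEN_NEC = 1, no passivation, E_MAGNET following COIL with one cycle of delay, and Network 3 reduced to the rule stated in the text; the class, function and scenario names are made up for this illustration.

```python
"""Scan-cycle model of the door-monitoring behaviour described in the text.

Added illustration only: not the certified F_SFDOOR block and not code from the
STEP 7 project. Passivation (QBAD) and OPEN_NEC = 0 are not modelled.
"""


class DoorMonitor:
    """Enable logic as the text describes it for F_SFDOOR with OPEN_NEC = 1."""

    def __init__(self, ack_nec=False):
        self.ack_nec = ack_nec        # False: automatic acknowledgement (as in the example)
        self.q = False                # enable signal Q is "0" after an F-system restart
        self.seen_fully_open = False  # IN1 and IN2 were both "0" since the last enable
        self._prev_ack = False

    def scan(self, in1, in2, ack=False):
        ack_edge = bool(ack) and not self._prev_ack   # rising edge at ACK
        self._prev_ack = bool(ack)
        if not in1 and not in2:
            self.seen_fully_open = True               # door completely opened
        if not (in1 and in2):
            self.q = False                            # any "0" input resets the enable
        elif not self.q and self.seen_fully_open and (ack_edge or not self.ack_nec):
            self.q = True
            self.seen_fully_open = False              # next enable needs a full opening again
        return self.q


class Coordination:
    """Networks 2 and 3 for the spring-force lock (COIL "0" = door locked)."""

    def __init__(self, ack_nec=False):
        self.door = DoorMonitor(ack_nec)
        self.coil = False             # outputs are "0" at start-up: door locked by spring force

    def scan(self, sep_act, hinged_sw, cond1, act_pas, ack=False):
        # Assumption: E_MAGNET is "1" exactly when COIL was "0" in the previous cycle.
        e_magnet = not self.coil
        release = self.door.scan(sep_act, hinged_sw, ack)
        actuator = bool(e_magnet and release and cond1)   # Network 2
        # Network 3 as read from the text (assumption): lock while a start
        # request or a machine movement is present.
        self.coil = not (cond1 or act_pas)
        return release, actuator, self.coil


# Constructed input sequence, one row per scan cycle:
# (label, SEP_ACT, HINGED_SW, COND1, ACT_PAS)
SCENARIO = [
    ("door fully open after restart",    0, 0, 0, 0),
    ("door closed",                      1, 1, 0, 0),
    ("start request",                    1, 1, 1, 0),
    ("machine running",                  1, 1, 1, 1),
    ("door forced open, actuator stuck", 1, 0, 1, 1),
    ("machine slowing down",             1, 0, 0, 1),
    ("standstill",                       1, 0, 0, 0),
    ("door closed, new start request",   1, 1, 1, 0),
    ("one cycle later",                  1, 1, 1, 0),
    ("door opened completely",           0, 0, 0, 0),
    ("door closed again",                1, 1, 0, 0),
]


def run_scenario(rows=SCENARIO, ack_nec=False):
    """Return (label, RELEASE, ACTUATOR, COIL) for every scan cycle."""
    plc = Coordination(ack_nec)
    return [(label, *plc.scan(sep, hinge, cond1, act_pas))
            for label, sep, hinge, cond1, act_pas in rows]


if __name__ == "__main__":
    print(f"{'cycle':<36}RELEASE ACTUATOR COIL")
    for label, release, actuator, coil in run_scenario():
        print(f"{label:<36}{int(release):^7} {int(actuator):^8} {int(coil):^4}")
```

With the actuator stuck in the position switch, SEP_ACT never drops to "0", so RELEASE stays "0" after the door is closed again and only returns once both inputs have been "0" together.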
Alternative
In the case of the principle of interlock by spring force used
here, the safety door remains locked in case of a power failure. This is the reason why professional associations prefer
spring-actuated lock.
An alternative is the principle according to which the safety
door remains closed due to magnetic force. A voltage must be
applied to the magnet of the safety position switch to keep
the door interlocked. This principle is described in the Safety
Integrated Functional example No. 3 „Safety Door with Magnetic Engagement in Category 4 acc. to EN 954-1“.
Safety Door with Magnetic Engagement in Category 4
acc. to EN 954-1
Automation Function
Description of the functionality
Interlocking devices with guard locking are mechanical or
electrical devices which only enable operation of a machine if
the door is closed and guard locked. Interlock and guard locking is maintained until the risk of injury caused by hazardous
machine functions or motions is excluded. This monitoring is
usually performed by overspeed trips or standstill monitors. In
this example, motion/stoppage of a machine is simulated by a
NO contact.
In this example, an actuator installed on the door moves form
fit into a safety position switch with locked engagement. During the potential hazard (machine in RUN), the actuator is held
(and thus the door guard locked) by the fact that voltage is applied to a magnet in the safety position switch. This type of interlock is referred to as magnet-field lock.
If the safety position switch fails, the safety function is maintained by the hinge switch (also detects the opened safety
door). This ensures that the requirements of the
EN 954 : 1996 standard (Category 4) are met which prescribes redundant installation of all safety-relevant parts for
position monitoring of the safeguard (here: Safety door).
The diagram below illustrates the concept of safety door monitoring:
[Figure: flowchart of the safety door monitoring with the decisions "Start request?", "Position switch: Door closed?", "Hinge switch: Door closed?", "Release?", "Monitoring locking OK?", "Stop request?", ""Machine" stop?" and "Monitoring unlocking OK?" and the actions F-DO="1", F-DO="0", "Machine" starts and "Machine" stops]
The voltage is applied to the magnet of the safety position switch via a failsafe digital output module (F-DO) of the ET 200S.
Note
In this example, no real machine is controlled; the concept of a safety door monitoring with guard locking (on sensor side) is shown. If you want to additionally integrate a real machine or other actuators, you can of course use the parameters described in the corresponding STEP 7 as basis.
For calculating the max. reaction time of your F-system please use the Excel file (Cotia table), which is available for S7 Distributed Safety V 5.3. This file is available on the internet:
http://support.automation.siemens.com/WW/view/en/19138505
Functional Example No. AS-FE-I-003-V10-EN
Advantages/customer benefits
■ Wiring reduced to a minimum due to use of failsafe S7-CPU
and distributed I/O. The more safety functions are implemented, the more useful this advantage is.
■ Programming the failsafe program with STEP 7 engineering tools
■ Only one CPU is required, since failsafe and standard program parts run on a coexistent basis in the CPU
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty
Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1
S7-CPU, can be used for safety applications | CPU 315F-2DP | 6ES7315-6FF01-0AB0 | 1
Micro Memory Card | MMC 512 kB | 6ES7953-8LJ10-0AA0 | 1
Interface module for ET 200S | IM 151 High Feature | 6ES7153-2AA02-0XB0 | 1
Power module for ET 200S | PM-E DC24..48V AC24..230V | 6ES7138-4CB10-0AB0 | 2
Electronic module for ET 200S | 4DI HF DC24V | 6ES7131-4BD00-0AB0 | 1
Electronic module for ET 200S | 4/8 F-DI DC24V | 6ES7138-4FA01-0AB0 | 1
Electronic module for ET 200S | 4 F-DO DC24V/2A | 6ES7138-4FB01-0AB0 | 1
Terminal module for ET 200S | TM-P15S23-A0 | 6ES7193-4CD20-0AA0 | 2
Terminal module for ET 200S | TM-E15S24-A1 | 6ES7193-4CA20-0AA0 | 1
Terminal module for ET 200S | TM-E30C46-A1 | 6ES7193-4CF50-0AA0 | 2
Profile rail | 482.6 mm | 6ES7390-1AE80-0AA0 | 1
Standard mounting rail | 35 mm, length: 483 mm | 6ES5710-8MA11 | 1
Optional: Indicator light incl. incandescent lamp | yellow | 3SB3217-6AA30 | 1
Safety position switch with locked engagement | interlocked with magnetic force | 3SE2830-6XX00 | 1
Actuator | – | 3SX3197 | 1
SIGUARD hinge switch | 1NO, 1NC | 3SE2200-1GA11 | 1
Push button | green, 1NO | 3SB3801-0DA3 | 2
Push button | red, 1NC | 3SB3801-0DB3 | 1
Manufacturer: Siemens AG
Note
The functionality was tested with the hardware components listed. Similar products not included in the above
list can also be used. Please note that in this case
changes in the sample code (e.g. different addresses)
may become necessary.
Configuration software/tools
Component | Type | MRPD / Ordering data | Qty
SIMATIC STEP 7 | V5.3 + SP1 | 6ES7810-4CC07-0YA5 | 1
SIMATIC Distributed Safety | V5.3 | 6ES7833-1FC01-0YA5 | 1
Manufacturer: Siemens AG
Setup and Wiring
In order to set up and wire the functional example, it is absolutely necessary to consider the following note:
Warning!
In order to meet the requirements of Safety Category
4, it is obligatory to read back the process signal to
the actuator. Read back is not implemented in this
example.
The actuator in this example is an indicator light simulating a machine. If other actuators are used, read
back has to be ensured by the user. The Safety Integrated Functional Example AS-FE-I-007-V10-EN provides a detailed description of "Read back".
Warning!
A speed or standstill monitor for monitoring hazardous slowing down of a machine is simulated in this
example with a button (NO) which is connected as
single-channel to the failsafe input module (F-DI).
When using real speed or standstill monitors they
must be connected to the F-DI as double-channels
(1oo2 evaluation).
Note
The "high feature" electronic modules can also be replaced by standard modules.
An overview of the hardware structure
The arrangement to implement the safety door interlock consists of a PROFIBUS configuration. A failsafe S7-CPU is used as DP master, an ET 200S as DP slave. Below, the wiring of conventional modules is shown only partly to provide greater clarity.
[Figure: overview of the hardware structure with PS 307, CPU 315F, IM 151 HF, PM-E, 4DI HF, PM-E, F-DO and F-DI, connected via DP; labelled devices: START, STOP, monitoring unlocking, actuator, actuator contact, hinge switch, safety position switch, magnet and "Machine runs"]
Wiring of the hardware components
Requirements: The power supplies are supplied with 230V AC.
First check the addresses set at the hardware components listed below:
Hardware component | Address to be set | Note
IM 151 High Feature | 6 (PROFIBUS address) | Can be changed
F-DI | Switch position: 1111111110 | The PROFIsafe addresses are automatically assigned during configuring the failsafe modules in STEP 7. The PROFIsafe addresses 1 to 1022 are permissible. Please make sure that the setting at the address switch (DIL switch) on the side of the module corresponds to the PROFIsafe address in the hardware configuration of STEP 7.
F-DO | Switch position: 1111111101 | (see F-DI)
Note
The DP interface of the CPU 315F must be connected with the DP interface of the IM 151 HF.
Note
The wiring of the hardware is illustrated below. In the following table, the hardware components occurring several times are numbered so they can be allocated in the subsequent wiring plan.
[Figure: wiring plan of PS 307 / CPU 315F, IM 151 HF, the PM-E power modules, 4 DI HF, F-DO and F-DI with the Start and Stop buttons, the "Machine runs" indicator light, the safety position switch, the actuator and the hinge switch]
Note
A connection between the MPI interface of your PG/PC
and the MPI interface of the CPU 315F-2DP (MPI cable)
is required to download the S7 project into the
CPU 315F-2DP.
Function test
After wiring the hardware components, you can check the inputs and outputs used with regard to their functionality (after
downloading the S7 project).
Inputs/outputs used
The values listed in the "Signal (default value)" column refer to
the following (error-free) state:
■ Closed safety door
■ Stoppage of a hazardous machine
No. | Hardware component | Address | Symbol | Signal (default value) | Note
1 | Monitoring unlocking of the safety position switch (NO) | E 0.0 | E_MAGNET | "0" | "0" signal if U=0 V at the magnet of the safety position switch
2 | Push button (NO) | E 0.1 | START | "0" | –
3 | Push button (NC) | E 0.2 | STOP | "1" | –
4 | Actuator contact in the safety position switch (NC) | E 2.0 | SEP_ACT | "1" | Contact picking up the separate actuator. "1" signal, if actuator in the safety position switch
5 | Hinge switch (NC) | E 2.4 | HINGED_SW | "1" | "1" signal, if door closed.
6 | Push button (NO) | E 2.1 | ACT_PAS | "0" | Simulates motion of a hazardous machine. "0" means stoppage
7 | Magnet in the safety position switch | A 8.0 | COIL | "0" | "0": Door can be opened
8 | Indicator light | A 8.1 | ACTUATOR | "0" | Simulates hazardous machine
Testing inputs and outputs
Requirements: The inputs and outputs have the default values
specified under "Inputs/outputs used".
No. | Instruction | Response A 8.0 | Response A 8.1 | Note
1 | None | "0" | "0" | Safety door can be opened
2 | Press E 0.1 and release | "1" | "1" | Pressing then holding E2.1 (simulated movement). Safety door cannot be opened
3 | Press E 0.2 and release | "1" | "0" | Keep E2.1 pressed (machine is switched off, however hazardous slowing down). Safety door cannot be opened
4 | Release E 2.1 | "0" | "0" | Machine stoppage. Safety door can be opened
Important hardware component settings
Overview picture
Below, several important settings from the hardware configuration of STEP 7 are shown to provide you with an overview.
These settings are available in the included STEP 7 project. It
is basically possible to change these settings (e.g. due to individual requirements), but please consider the following note:
Warning!
The settings shown below contribute to meet the requirements of Safety Category 4. Changes at the settings may cause loss of safety functions.
If you implement changes (e.g. add an additional module),
the sample code has to be adapted accordingly.
The PROFIBUS address at IM 151HF is set using DIP-switches.
Settings of the CPU 315F-2DP
The settings are displayed after double-clicking "CPU 315F-2 DP" (see "Overview picture").
Set mode: "Test Mode"
During Process Mode, the test functions such as program status or monitor/modify variable are restricted in such a way that the set permitted increase in scan cycle time is not exceeded. Testing with stop-points and gradual program execution cannot be performed.
During Test Mode, all test functions can be used without restrictions via PG/PC which can also cause larger extensions of the cycle time. Important: During test mode of the CPU, you have to make sure that the CPU or the process can "stand" large increases in cycle time.
Default value: 100 ms. It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Available in the "Protection" tab.
A password has to be allocated in order to be able to set the parameter "CPU Contains Safety Program". It is only in this case that all required F blocks for safe operation of the F modules are generated during compiling the hardware configuration of STEP 7.
Password used here: siemens
Settings of the failsafe F-DI
The settings are displayed after double-clicking "4/8 F-DI DC24V" (see "Overview picture").
DIL switch settings
This value has to be set on the module (F-DI).
F monitoring time
It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Also in the "Parameter" tab.
The safety position switch is assigned to channel 0, the hinge switch to channel 4 and the simulation of the speed or standstill monitor to channel 1. All three sensors are connected as single-channel. The other channels are deactivated.
Settings of the failsafe F-DO
The settings are displayed after double-clicking "4 F-DO DC24V/2A" (see "Overview picture").
DIL switch settings
This value has to be set on the module (F-DI).
F monitoring time
It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Activate used channels, deactivate channels which are not used.
The read-back time defines the duration of the switch-off procedure for the respective channel. If the respective channel switches high capacity loads, the read back time should be set sufficiently large. We recommend setting the read back time as small as possible, however large enough so that the output channel does not become passive.
Basic Performance Data
Load and main memory (without program code)
 | Total | S7 standard blocks | F blocks (failsafe)
Load memory | approx. 37,5 | approx. 0,2 k | approx. 37,3 k
Main memory | approx. 28,2 | approx. 0,09 k | approx. 28,1 k
Load and main memory (with program code)
 | Total | S7 standard blocks | F blocks (failsafe)
Load memory | approx. 44,6 k | approx. 1,1 k | approx. 43,5 k
Main memory | approx. 32,5 k | approx. 0,5 k | approx. 32,0 k
Cycle time
Total cycle time (typical value) | approx. 5 ms | Standard and safety program
Max. runtime of the safety program | 9 ms | Calculation with the Cotia table. Page 180 specifies where to find it.
Sample Code
Preliminary Remarks
Enclosed, we offer you the STEP 7 project as sample code with
which you can reset the described emergency stop functionality.
The sample code is always assigned to the components used
in the functional example and implements the required functionality. Problems not dealt with in this document are to be
implemented by the user; the sample code may serve as a basis.
The sample code with the given configurations enables the
following:
■ A safety door is guard locked until the hazardous action
(example of a "machine" in RUN) is over.
■ The safety door is interlocked and unlocked by setting/resetting a failsafe module (F-DO) of the ET 200S.
Password
In all cases, the password used for the safety-relevant part is „siemens“.
Use of the STEP 7 Project
The STEP 7 project shows the possibility of a safety door locking in safety category 4. In this example, the hazardous machine is simulated by an indicator light. The conditions necessary for the actuators to reach safety category 4 (e.g. read back of actuator signals) are not considered in this example.
Note
With this example, no real machine is controlled. The indicator lights simulate the state of a hazardous machine activity. The state "Machine in STOP" or "Machine in RUN" is simulated by a (NO) push button ("0" signal means: "Machine in STOP").
Download
The download is available via the following link:
http://support.automation.siemens.com/WW/view/en/21064258
To call the corresponding project file, open the "as_fe_i_003_v10_code_sdoormag.zip" file offered as a separate download (on the HTML page) and extract it into a user defined directory. For downloading the project into the F-CPU please proceed as follows:
■ First load the hardware configuration into the S7-CPU
■ Switch to the SIMATIC Manager
■ Select the "Blocks" container
■ Menu "Options" -> Edit safety program
■ Click the "Download" button
Program procedure
The (non-failsafe) FC "STANDARD" (FC 3) is called from OB 1 (see following figure).
[Figure: call of FC "STANDARD" with the inputs START, E_MAGNET and STOP and the output COND]
Parameter | Address | Explanation
START | E 0.1 | Push button (NO) for the start requirement.
E_MAGNET | E 0.0 | Position monitoring of the unlocking magnet in the safety position switch.
STOP | E 0.2 | Button (NC) for the stop requirement.
COND | M 90.0 | Saves the information start/stop of the "machine".
The information of the memory bit "COND" is read as memory bit COND1 in the safety program. This allocation occurs in the cyclic interrupt OB35 for the following reason:
When the safety program reads data from the standard user program (memory bits or PAE of standard I/O) which may be changed by the standard user program or an operation control and monitoring system while an F runtime group is running, it is necessary to use separate memory bits (here COND1). Data from the standard user program have to be written to these memory bits immediately before calling the F runtime group. Only these memory bits may then be accessed in the safety program.
In this example it has already been implemented. Generally, however, the following applies:
Note
If the above section is not observed the F CPU may go to STOP mode.
FC "STANDARD" (FC 3)
The FC "STANDARD" (FC 3) in the following figure sets/resets #COND whose information starts or stops the "machine" in the failsafe program.
[Figure: network of FC 3 with an SR element, the elements & and >=1 and the edge evaluations P and N; signals #START, #E_MAGNET, #STOP and "INSTANZ_FB1".RELEASE, output #COND]
"INSTANZ_FB1".RELEASE is a bit from the instance data block (DB 1) of the FB 1, which is processed in the safety program. The static variable "RELEASE" is set or reset. Here in FC 3 the standard user program will read this information, as the machine must only be operated with "RELEASE"="1".
The failsafe program has the following program sequence:
[Figure: program sequence with F-CALL (FC1), FB "COORDINATION" (FB1, DB1), FB "F_SFDOOR" (FB217, DB217) and FC "REINTEGRATION" (FC2)]
F-CALL (FC1)
F-CALL (FC1) is the F runtime group and is called from the cyclic interrupt OB (OB35). F-CALL calls the F program block (here the FB 1).
FB "F_SFDOOR" (FB217, DB217)
FB "COORDINATION" (FB1, DB1) is the first to call the FB "F_SFDOOR" (FB217, DB217). FB 217 is a certified block from the library of distributed safety, which from version 5.3 on is available for safety door monitoring.
[Figure: call of "F_SFDOOR" (from the Distributed Safety library) with IN1 = "SEP_ACT", IN2 = "HINGED_SW", QBAD_IN1 and QBAD_IN2 = "F00002_4_8_F_DI_DC24V".QBAD, OPEN_NEC = #OPEN_NEC, ACK_NEC = #ACK_NEC, ACK = #ACK, Q = #RELEASE, ACK_REQ = #ACK_REQ and the output DIAG]
The enable signal Q (#RELEASE) decides whether
■ the actuator is switched on/off
■ whether the safety door must be opened
Enable is given at #RELEASE="1".
The inputs of the safety position switch "SEP_ACT" and the hinge switch are allocated to the inputs IN1 and IN2 of the FB 217. As soon as one of the two inputs IN1 and IN2 has the signal status "0", it is interpreted as opening the safety door. The enable signal is thereby reset to '0'.
The enable signal can only be set back to 1 if:
■ prior to closing the door both inputs IN1 and IN2 have the signal status 0 (safety door completely opened). This uncovers the error of a broken actuator that is still in the position switch although the door is open.
■ subsequently both inputs IN1 and IN2 take on signal status 1 (safety door closed)
■ an acknowledgement is given
The acknowledgement for the enable is given at the input ACK_NEC depending on the parameters:
■ For ACK_NEC = 0 an automatic acknowledgement is given (as implemented in this example).
■ For ACK_NEC = 1 an enable requires acknowledging ACK at the input by means of a rising edge.
Warning!
The parameterization of the variables OPEN_NEC=0 is only permitted, if an automatic restart of the respective process is excluded otherwise.
In order for the F application block to recognize whether the
inputs IN1 and IN2 are only "0" due to a passivation of the respective F-periphery, you must supply the inputs QBAD_IN1
and QBAD_IN2 with the variable QBAD of the respective F periphery DB. This prevents for example that for a passivation of
the F-periphery the safety door must be completely opened
prior to acknowledgement.
At the output DIAG, non-failsafe information on errors that have occurred is provided for service purposes. You can read it out via
HMI systems or, if necessary, evaluate it in your standard
user program.
Note
The safety program does not allow accessing the output
DIAG!
Warning!
Should you supplement the example by means of a manual
acknowledgement, please note the following:
Note
For safety door applications, the acknowledge signal
must be read via a failsafe input module (F-DI), if it is an
accessible hazardous area. For a non-accessible hazardous area, the acknowledge signal can also be read via a
standard input module.
After processing the FB 217, processing is continued in FB 1:
Network 2
[Figure: FBD network; "E_MAGNET", #RELEASE and #COND1 are ANDed and assigned to #ACTUATOR]
The F-application module supports the requirements according to EN954-1 and EN 1088.
After restarting the F system, the enable signal Q is reset to
"0". The acknowledgement for the enable is given at the input
OPEN_NEC and ACK_NEC depending on the parameters:
■ For OPEN_NEC = 0 an automatic acknowledge is given
independent of ACK_NEC, as soon as both inputs IN1 and
IN2 have the signal status 1 for the first time after reintegration of the respective F periphery (safety door is closed).
In this example this variant has not been activated.
■ For OPEN_NEC = 1 or if at least one of both inputs IN1 and
IN2 has the signal status "0" even after reintegration of
the respective periphery, an automatic acknowledgement
is given depending on ACK_NEC, or the enable requires
acknowledging ACK at the input by means of a rising edge.
Prior to acknowledgement both inputs IN1 and IN2 must
have had the signal status 0 (safety door completely
opened) and subsequently signal status 1 (safety door
closed).
FB "COORDINATION" (FB1, DB1)
The parameterization of the variables ACK_NEC=0 is
only permitted, if an automatic restart of the respective process is excluded otherwise.
The machine must only start at valid enable from FB 217 (#RELEASE="1") and the start request ("COND1"="1") from the
standard user program. Additionally the tumbler (E_MAGNET)
must be monitored (see "Network 3" below). The "machine"
stops by a failure locking.
Network 3
[Figure: FBD network; #RELEASE AND #COND1, ORed (>=1) with "ACT_PAS", assigned to "COIL"]
The safety door locks ("COIL"="1"), if
■ the machine is active or
■ a movement of the machine (slowing down movement)
has been detected.
Only if the door is locked (COIL="1") will E_MAGNET be "1".
E_MAGNET="1" is necessary for a start of the "machine" (see
"Network 2"). The locking becomes active with the start signal.
The start becomes active (ACTUATOR="1") one program cycle
later than COIL="1".
FC "REINTEGRATION" (FC2)
Network 4 of FB1 calls the FC2, where in case of a passivation
of F-DI or F-DO the reintegration will be implemented. For the
F-DO a memory bit REINT is prepared. With a positive edge of
REINT the F-DO will be reintegrated.
A passivation is indicated via LED "SF" lighting up on the module. The reintegration of an F module may take approx. one
minute.
Warning!
In this example, the reintegration of passivated
modules occurs automatically. Use the automatic reintegration for your application only if it will not
cause any hazards.
Operating instructions
No. | Instruction | Result/Note
1 | Plug the actuator into the safety position switch. | Safety door is closed (safety position switch and hinge switch deliver "1" signal)
2 | Check the position of the hinge switch. |
3 | Press the START button | "Machine" starts (here: indicator light goes on)
4 | Press and hold the ACT_PAS button | Simulation of machine movement
5 | Press the STOP button | Indicator light goes off, however, safety door cannot be opened (if still pressing down ACT_PAS).
6 | Release ACT_PAS | Simulated machine stoppage. Safety door can be opened (actuator outside positioning switch and hinge switch turned).
7 | Repeat no. 1 to 4 | –
8 | Turn the hinge switch up to the "0" signal. | Enable signal is reset and machine stops.
9 | Release hinge switch and ACT_PAS button. | –
10 | Press the START button | "Machine" does not start! Safety door must first be opened completely for the enable signal to return to "1".
Timing diagram
The timing diagram below (explanation is provided after the
diagram) illustrates the following case:
While the hazardous machine is active, the door is opened (by
force); during this process, the actuator breaks off the door
and gets stuck in the safety position switch.
[Figure: timing diagram of the signals START, SEP_ACT, HINGED_SW, ACTUATOR, ACT_PAS, COIL and RELEASE over the times t1 to t5, followed by a table explaining the state of each bit at t1 to t5]
Alternative
In case of the principle of interlock by magnetic force used
here, the safety door remains locked as long as voltage is applied to the magnet in the safety position switch.
An alternative is the principle according to which the safety
door remains closed due to spring force. The voltage applied
to the magnet of the safety position switch must drop to zero
to keep the door interlocked. This principle is described in the
Safety Integrated Functional Example No. AS-FE-I-002-V10-EN.
Safety Door without Guard Locking in Category 4 acc. to EN 954-1
Ex. No. 4
Automation Function
Description of the functionality
In general, two types of safety doors can be used. In case of
the type with guard locking, the door is held in a position
switch during the potential hazard. In case of hazardous machine motions with short braking times, position switches
without tumbler are often used. The example introduced
here shows how the requirements of Safety Category 4 can be
met with the latter variant according to EN 954 : 1996.
Warning!
When using different actuators, the feedback circuits
have to be integrated and evaluated by the user. You
find more information about the readback signals in
the Safety Functional Example no. AS-FE-I-007-V10-EN.
For calculating the max. reaction time of your F-system please
use the Excel file (Cotia table), which is available for S7 Distributed Safety V 5.3. This file is available on the internet:
http://support.automation.siemens.com/WW/view/en/19138505
The diagram below illustrates the conditions for a start or a
stop of the "machine".
[Figure: flowchart from "Start" through the decisions "Actuator in each position switch?", "Button for acknowledgement pressed?", "Button for "Machine" START pressed?", "Button for "Machine" STOP pressed?" and ""Machine" ON?" to the states "Door open", ""Machine" ON" and ""Machine" OFF"]
[Figure: position switch and actuator with protective door opened and protective door closed]
The requirements of Safety Category 4 are met due to use of
2 SIGUARD position switches (or a magnetic switch) with separate actuators (redundancy for mechanical parts). The position switch is installed form fit at the closing edge on the fixed
part, the actuator is installed at the moving door.
The position switch features positive-opening contacts which
are directly connected to the failsafe digital input module of
the ET 200S I/O system. The commands acquired that way are
evaluated in the safety program of the S7-CPU. The safety program of the S7-CPU ensures that:
■ prior to each start, acknowledgement is necessary if the
application has been stopped by opening the safety door
■ if only one position switch indicates an open safety door, it
must be completely opened prior to a restart (open/close
safety door, acknowledge, start)
■ the application can only be started if the safety door is
closed
■ the application stops if the safety door is opened during
operation or as soon as a contact of the position switch
responds
In this example, the hazardous machine is simulated by an indicator light which is connected to a failsafe digital output
module of the ET 200S I/O system. In this document, the designation "machine" refers to this indicator light.
Functional Example No. AS-FE-I-004-V10-EN
Advantages/customer benefits
■ Wiring reduced to a minimum due to use of failsafe S7-CPU
and distributed I/O. The more safety functions are implemented, the more useful this advantage is.
■ Programming the failsafe program with STEP 7 engineering tools.
■ Only one CPU is required, since failsafe and standard program parts run on a coexistent basis in the CPU
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty | Manufacturer
Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1 | Siemens AG
S7-CPU, can be used for safety applications | CPU 315F-2DP | 6ES7315-6FF01-0AB0 | 1 | Siemens AG
Micro Memory Card | MMC 512 kB | 6ES7953-8LJ10-0AA0 | 1 | Siemens AG
Interface module for ET 200S | IM 151 High Feature | 6ES7151-1BA00-0AB0 | 1 | Siemens AG
Power module for ET 200S | PM-E DC24..48V AC24..230V | 6ES7138-4CB10-0AB0 | 2 | Siemens AG
Electronic module for ET 200S | 2DI HF DC24V | 6ES7131-4BB00-0AB0 | 1 | Siemens AG
Electronic module for ET 200S | 4/8 F-DI DC24V | 6ES7138-4FA01-0AB0 | 1 | Siemens AG
Electronic module for ET 200S | 4 F-DO DC24V/2A | 6ES7138-4FB01-0AB0 | 1 | Siemens AG
Terminal module for ET 200S | TM-P15S23-A0 | 6ES7193-4CD20-0AA0 | 2 | Siemens AG
Terminal module for ET 200S | TM-E15S24-A1 | 6ES7193-4CA20-0AA0 | 1 | Siemens AG
Terminal module for ET 200S | TM-E30C46-A1 | 6ES7193-4CF50-0AA0 | 2 | Siemens AG
Profile rail | 482.6 mm | 6ES7390-1AE80-0AA0 | 1 | Siemens AG
Standard mounting rail | 35 mm, length: 483 mm | 6ES5710-8MA11 | 1 | Siemens AG
Optional:
Indicator light incl. incandescent lamp | yellow | 3SB3217-6AA30 | 1 | Siemens AG
Position switch | metal-enclosed | 3SE2120-6XX | 2 | Siemens AG
Actuator | – | 3SX3197 | 2 | Siemens AG
Push button | green, 1NO | 3SB3801-0DA3 | 2 | Siemens AG
Push button | red, 1NC | 3SB3801-0DB3 | 1 | Siemens AG
Note
The functionality was tested with the hardware components listed. Similar products not included in the above
list can also be used. Please note that in this case
changes in the sample code (e.g. different addresses)
may become necessary.
Configuration software/tools
Component | Type | MRPD / Ordering data | Qty | Manufacturer
SIMATIC STEP 7 | V5.3 + SP1 | 6ES7810-4CC07-0YA5 | 1 | Siemens AG
SIMATIC Distributed Safety | V5.3 | 6ES7833-1FC01-0YA5 | 1 | Siemens AG
Setup and Wiring
Wiring of the hardware components
In order to set up and wire the functional example, it is absolutely necessary to consider the following note:
Requirements: The power supplies are supplied with 230V AC.
First check the addresses set at the hardware components
listed below:
Warning!
In order to meet the requirements of Safety Category
4, it is obligatory to read back the process signal to the
actuator. Read back is not implemented in this example.
The actuator in this example is an indicator light simulating a machine. If other actuators are used, read back
has to be ensured by the user. The Safety Integrated
Functional Example AS-FE-I-007-V10-EN provides a detailed description of "Read back".
Hardware component | Address to be set | Note
IM 151 High Feature | 6 (PROFIBUS address) | Can be changed
F-DI | Switch position: 1111111110 | The PROFIsafe addresses are automatically assigned during configuring the failsafe modules in STEP 7. The PROFIsafe addresses 1 to 1022 are permissible. Please make sure that the setting at the address switch (DIL switch) on the side of the module corresponds to the PROFIsafe address in the hardware configuration of STEP 7.
F-DO | Switch position: 1111111101 | (same note as for F-DI)
An overview of the hardware structure
The arrangement to implement the safety door consists of a
PROFIBUS configuration. A failsafe S7-CPU is used as DP master,
an ET 200S as DP slave. The yellow indicator light can be replaced by actuators in accordance with their requirements.
Below, the wiring of conventional modules is shown only partly
to provide greater clarity.
[Figure: overview of the hardware structure with PS 307, CPU 315F, IM 151 HF, PM-E, 2DI HF (START, STOP), F-DI (acknowledgement, two position switches) and F-DO (actuator); CPU and IM 151 HF are connected via DP]
Note
The DP interface of the CPU 315F must be connected
with the DP interface of the IM 151 HF.
Note
The wiring of the hardware is illustrated below. In the
following table, the hardware components occurring
several times are numbered so they can be allocated in
the subsequent wiring plan.
Note
The "high feature" electronic modules can also be replaced by standard modules.
[Figure: wiring plan of PS 307 / CPU 315F, IM 151 HF, PM-E, 2 DI HF (Start, Stop), F-DI (position switch 1, position switch 2, acknowledgement) and F-DO (actuator)]
Note
A connection between the MPI interface of your PG/PC
and the MPI interface of the CPU 315F-2DP (MPI cable)
is required to download the S7 project into the CPU
315F-2DP.
Function test
After wiring the hardware components, you can check the inputs and outputs used with regard to their functionality (after
downloading the S7 project).
Inputs/outputs used
No. | Hardware component | Address | Symbol | Signal (default value) | Note
1 | Push button (NO) | E 0.0 | START | "0" | –
2 | Push button (NC) | E 0.1 | STOP | "1" | –
3 | Position switch | E 2.0 | SW1 | "1" | "1" signal, if actuator in the position switch
4 | Push button (NO) | E 2.1 | ACK | "0" | Acknowledgement
5 | Position switch | E 2.4 | SW2 | "1" | "1" signal, if actuator in the position switch
6 | Indicator light (yellow) | A 8.0 | ACTUATOR | "0" | Simulates "machine"
Testing inputs and outputs
Requirements: The inputs and outputs have the default values
specified under "Inputs/outputs used".
No. | Instruction | A 8.0 | Note
1 | Pull both actuators from the position switches | "0" | Open the safety door. Necessary prior to the first start.
2 | Plug both actuators into the position switch. | "0" | Close safety door
3 | Press the push button E2.1 and release it | "0" | Acknowledge
4 | Press the push button E0.0 and release it | "1" | "Machine" start
5 | Press the push button E0.1 and release it | "0" | "Machine" stop
6 | Press the push button E0.0 and release it | "1" | "Machine" start
7 | Pull one actuator from the position switch | "0" | Error case: Door open, an actuator breaks and gets stuck in the position switch
8 | Plug the actuator back into the position switch | "0" | Close safety door
9 | Press the push button E2.1 and release it | "0" | Acknowledgement obligatory after opening the safety door
10 | Press the push button E0.0 and release it | "0" | Start not possible, only...
11 | Repeat no. 1 to 4 | "1" | ... after completely opening and closing the safety door and subsequent acknowledgement.
12 | Press the push button E0.1 and release it | "0" | "Machine" stop
Timing diagram
As an illustration, points 1 to 10 from the preceding table are illustrated in the following time diagram. The time axis contains
numbers 1 to 10, which refer to the numbers in the table.
[Figure: timing diagram of the signals SW1, SW2, ACK, START, STOP and ACTUATOR over the steps 1 to 10]
Important hardware component settings
Below, several important settings from the hardware configuration of STEP 7 are shown to provide you with an overview.
These settings are available in the included STEP 7 project. It
is basically possible to change these settings (e.g. due to individual requirements), but please consider the following note:
Warning!
The settings shown below contribute to meet the requirements of Safety Category 4. Changes at the settings may cause loss of the safety function.
If you implement changes (e.g. add an additional module),
the sample code has to be adapted accordingly.
Overview picture
[Figure: overview picture of the hardware configuration in STEP 7]
The PROFIBUS address at IM 151HF is set using DIP-switches.
Settings of the CPU 315F-2DP
The settings are displayed after double-clicking "CPU 315F-2
DP" (see "Overview picture").
Default value: 100 ms. It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Set mode: "Test Mode"
During Process Mode, the test functions such as program status or monitor/modify variable are restricted in such a way
that the set permitted increase in scan cycle time is not exceeded. Testing with stop-points and gradual program execution cannot be performed.
During Test Mode, all test functions can be used without restrictions via PG/PC which can also cause larger extensions of
the cycle time. Important: During test mode of the CPU, you
have to make sure that the CPU or the process can "stand"
large increases in cycle time.
Available in the "Protection" tab.
A password has to be allocated in order to be able to set the
parameter "CPU Contains Safety Program". It is only in this
case that all required F blocks for safe operation of the F modules are generated during compiling the hardware configuration of STEP 7.
Password used here: siemens
Settings of the failsafe F-DI
The settings are displayed after double-clicking "4/8 F-DI
DC24V" (see "Overview picture").
DIL switch settings:
This value has to be set on the module (F-DI).
F monitoring time:
It has to be observed that the F monitoring time must be
larger than the call time of OB 35.
Also in the "Parameter" tab.
The two position switches are transferred to the channels 0
and 4 as single-channel sensors.
The button for acknowledgement is assigned to channel 1 as
single channel sensor.
All other channels: Deactivate
Settings of the failsafe F-DO
The settings are displayed after double-clicking "4 F-DO
DC24V/2A" (see "Overview picture").
DIL switch settings
This value has to be set on the module (F-DI).
F monitoring time
It has to be observed that the F monitoring time must be
larger than the call time of OB 35.
Activate used channels, deactivate channels which are not
used.
The read-back time defines the duration of the switch-off procedure for the respective channel. If the respective channel
switches high capacity loads, the read back time should be set
sufficiently large. We recommend setting the read back time
as small as possible, however large enough so that the output
channel does not become passive.
Basic Performance Data
Load and main memory (without program code)
Memory | Total | S7 standard blocks | F blocks (failsafe)
Load memory | approx. 37,4 | approx. 0,1 k | approx. 37,3 k
Main memory | approx. 28,1 | approx. 0,04 k | approx. 28,1 k
Load and main memory (with program code)
Memory | Total | S7 standard blocks | F blocks (failsafe)
Load memory | approx. 44,6 k | approx. 1,1 k | approx. 43,5 k
Main memory | approx. 32,4 k | approx. 0,4 k | approx. 32,0 k
Cycle time
Total cycle time (typical value) | approx. 5 ms | Standard and safety program
Max. runtime of the safety program | 9 ms | Calculation with the Cotia table. Page 180 specifies where to find it.
Sample Code
Preliminary Remarks
Enclosed, we offer you the STEP 7 project as sample code with
which you can reset the described emergency stop functionality.
The sample code is always assigned to the components used
in the functional example and implements the required functionality. Problems not dealt with in this document are to be
implemented by the user; the sample code may serve as a basis.
Password
In all cases, the password used for the safety-relevant part is
"siemens".
The sample code with the given configurations enables the
following:
■ An application (here: Machine simulated by indicator
lights) can only be started if the safety door is closed.
■ Opening the safety door during operation of the machine
stops the application
■ After each opening, the safety door must be acknowledged prior
to a restart.
■ If an actuator breaks off during opening the safety door
and gets stuck in the position switch, this error will certainly be recognized.
Program procedure
The (non-failsafe) FC "STANDARD" (FC 3) is called from OB 1
(see following figure).
[Figure: call of FC "STANDARD" with the inputs START = "START" and STOP = "STOP" and the output COND = "COND"]
Use of the STEP 7 Project
The STEP 7 project shows the possibility of a safety door locking without guard locking in safety category 4. In this example, the hazardous machine is simulated by an indicator light.
The conditions necessary for the actuators to reach safety category 4 (e.g. read back of actuator signals) are not considered
in this example.
Download
The download is available via the following link:
http://support.automation.siemens.com/WW/view/en/21331363
To call the corresponding project file, open the
"as_fe_i_004_v10_code_sdoor.zip" file offered as a separate
download (on the HTML page) and extract it into a user defined directory. For downloading the project into the F-CPU
please proceed as follows:
■ First load the hardware configuration into the S7-CPU
■ Switch to the SIMATIC Manager
■ Select the "Blocks" container
■ Menu "Options" -> Edit safety program.
■ Click the "Download" button
Parameter | Address | Explanation
START | E 0.1 | Push button (NO) for the start requirement.
STOP | E 0.1 | Button (NC) for the stop requirement.
COND | M 90.0 | Information for the safety program
The information of the memory bit "COND" is read as memory
bit COND1 in the safety program. This allocation occurs in the
cyclic interrupt OB 35 for the following reason:
When the safety program reads data from the standard user
program (memory bits or the process input image, PAE, of standard I/O)
that may be changed by the standard user program or an operator
control and monitoring system while an F runtime group is running,
it is necessary to use separate memory bits (here
COND1). Data from the standard user program have to be
written to these memory bits immediately before calling the F
runtime group. Only these memory bits may then be accessed
in the safety program.
In this example it has already been implemented. Generally,
however, the following applies:
Note
If the above section is not observed the F CPU may go to
STOP mode.
FB "F_SFDOOR" (FB 217, DB 217)
FB "COORDINATION" (FB1, DB1) is the first to call the FB
"F_SFDOOR" (FB217, DB217). FB 217 is a certified block from
the library of distributed safety, which from version 5.3 on is
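available for safety door monitoring.
FC "STANDARD" (FC3)
[Figure: FBD network of FC 3 with an SR flip-flop "SR": set input from the positive edge (P) of #START; reset input from an OR (>=1) of #STOP (N) and "INSTANZ_FB1".RELEASE; output Q assigned to #COND]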
"INSTANZ_FB1".RELEASE is a bit from the instance data block
(DB 1) of the FB 1, which is processed in the safety program.
The static variable "RELEASE" is set or reset. Here in FC 3 the
standard user program will read this information, as the machine must only be operated with "RELEASE"="1".
The failsafe program has the following program sequence:
[Figure: program structure. F-CALL (FC1) calls FB "COORDINATION" (FB1, DB1), which calls FB "F_SFDOOR" (FB217, DB217, from the Distributed Safety library) and FC "REINTEGRATION" (FC2).]
F-CALL (FC 1)
F-CALL (FC 1) is the F runtime group and is called from the cyclic interrupt OB (OB 35). F-CALL calls the F program block
(here the FB 1).
[Figure: FBD call of FB "F_SFDOOR": IN1 = "SW1", IN2 = "SW2", QBAD_IN1 and QBAD_IN2 = "F00002_4_8_F_DI_DC24V".QBAD, OPEN_NEC = #OPEN_NEC, ACK_NEC = #ACK_NEC, ACK = #ACK; outputs Q = #RELEASE, ACK_REQ = #ACK_REQ, DIAG.]
The enable signal Q (#RELEASE) decides whether the actuator
is switched on/off. Enable is given at #RELEASE="1".
The inputs of the position switches "SW1" and "SW2" are allocated to the inputs IN1 and IN2 of the FB 217. As soon as one
of the two inputs IN1 and IN2 has the signal status "0", it is interpreted as opening the safety door. The enable signal is
thereby reset to "0".
The enable signal can only be set back to 1 if:
■ prior to closing the door both inputs IN1 and IN2 have the
signal status 0 (safety door completely opened). This
uncovers the error of a broken actuator still in the position
switch despite an opened door
■ subsequently both inputs IN1 and IN2 take on signal status
1 (safety door closed)
■ an acknowledgement is given
The acknowledgement for the enable is given at the input
ACK_NEC depending on the parameters:
■ For ACK_NEC = 0 an automatic acknowledgement is given.
■ For enable at ACK_NEC = 1 you must acknowledge ACK at
the input by means of a rising edge (as implemented in
this example).
Note
The acknowledgement signal is in this example read via
a failsafe input module (F-DI). For safety door applications this becomes necessary if the hazardous area is accessible. For a non-accessible hazardous area, the acknowledge signal can also be read via a standard input
module.
Warning!
Should you change the example in that ACK_NEC=0 is
set for the parameterization of the FB 217, an automatic
restart of the respective process must be excluded some
other way.
In order for the F application block to recognize whether the
inputs IN1 and IN2 are only "0" due to a passivation of the respective F-periphery, you must supply the inputs QBAD_IN1
and QBAD_IN2 with the variable QBAD of the respective F periphery DB. This prevents for example that for a passivation of
the F-periphery the safety door must be completely opened
prior to acknowledgement.
At the output DIAG, non-failsafe information on errors that have occurred is provided for servicing purposes. You can read it out via
HMI systems or, if necessary, evaluate it in your standard
user program.
Note
The safety program does not allow accessing the output
DIAG!
The F-application module supports the requirements according to EN 954-1 and EN 1088.
After restarting the F system, the enable signal Q is reset to
"0". The acknowledgement for the enable is given at the input
OPEN_NEC and ACK_NEC depending on the parameters:
■ For OPEN_NEC = 0 an automatic acknowledge is given
independent of ACK_NEC, as soon as both inputs IN1 and
IN2 have the signal status 1 for the first time after reintegration of the respective F periphery (safety door is closed).
■ For OPEN_NEC = 1 or if at least one of both inputs IN1 and
IN2 has the signal status "0" even after reintegration of
the respective periphery, an automatic acknowledgement
is given depending on ACK_NEC, or the enable requires
acknowledging ACK at the input by means of a rising edge.
Prior to acknowledgement both inputs IN1 and IN2 must
have had the signal status 0 (safety door completely
opened) and subsequently signal status 1 (safety door
closed). In this example this variant has not been activated.
Warning!
Should you change the example in that OPEN_NEC=0
is set for the parameterization of the FB 217, an automatic restart of the respective process must be excluded some other way.
FB "COORDINATION" (FB1, DB1)
After processing the FB 217, processing is continued in FB 1:
[Figure: FBD network; #RELEASE AND #COND1 assigned to #ACTUATOR]
The machine must only start at valid enable from FB 217 (#RELEASE="1") and the start request ("COND1"="1") from the
standard user program.
FC "REINTEGRATION" (FC2)
Network 3 of FB1 calls the FC2, where in case of a passivation
of F-DI or F-DO the reintegration will be implemented. For the
F-DO a memory bit REINT is prepared. With a positive edge of
REINT the F-DO will be reintegrated.
Warning!
In this example, the reintegration of passivated
modules occurs automatically. Use the automatic reintegration for your application only if it will not
cause any hazards.
A passivation is indicated via LED "SF" lighting up on the module. The reintegration of an F module may take approx. one
minute.
Operating instructions
The table below will help you during operation.
No. | Instruction | A 8.0 | Result/Note
1 | Pull both actuators from the position switches | "0" | Open the safety door. Necessary prior to the first start.
2 | Plug both actuators into the position switch. | "0" | Close safety door
3 | Press the push button E2.1 and release it | "0" | Acknowledge
4 | Press the push button E0.0 and release it | "1" | "Machine" start
5 | Press the push button E0.1 and release it | "0" | "Machine" stop
Now number 4 and 5 can be performed continuously without
having to acknowledge. Acknowledgement will become necessary
if the safety door has been opened once.
6 | Press the push button E0.0 and release it | "1" | "Machine" start
7 | Pull one actuator from the position switch | "0" | Error case: Door open, an actuator breaks and gets stuck in the position switch
8 | Plug the actuator back into the position switch | "0" | Close safety door
9 | Press the push button E2.1 and release it | "0" | Acknowledgement obligatory after opening the safety door
10 | Press the push button E0.0 and release it | "0" | Start not possible, only...
11 | Repeat no. 1 to 4 | "1" | ... after completely opening and closing the safety door and subsequent acknowledgement.
12 | Disconnect a connection between indicator light and F-DO. | "0" | Wire break will be recognized and F-DO be passivated.
13 | Re-connect the connection between indicator light and F-DO. | "0" | The reintegration of the F-DO starts automatically. It may take several minutes.
After reintegration, the actuator is automatically set to "1" (unless
safety door has not been opened). Please note above warning note
under the heading FC "Reintegration" (FC2).
14 | Press the push button E0.1 and release it | "0" | "Machine" stop
Note
In the case of the "machine" simulated by the yellow indicator light, it is assumed that no hazardous slowing
down emanates from the "machine" after a stop request
by the user (or after opening the safety door during operation).
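The enable, acknowledgement and start conditions described for this example can be replayed against steps 1 to 11 of the table above, followed by the STOP press of step 14. The following Python model is an added illustration, not code from the STEP 7 project or the certified FB 217; the class and function names are hypothetical, passivation (QBAD), DIAG and ACK_REQ are left out, and the reset wiring of the SR flip-flop (STOP pressed or RELEASE = "0", reset dominant) is an assumption.

```python
"""Behavioural model of the safety-door enable logic of Functional Example 4.

Added illustration only: a simplified stand-in for FB 217 "F_SFDOOR",
FC 3 "STANDARD" and the FB 1 output network. All names are hypothetical.
"""


class DoorMonitor:
    """Enable logic as the page describes it for FB 217."""

    def __init__(self, ack_nec=True):
        self.ack_nec = ack_nec      # True: rising edge at ACK required
        self.q = False              # enable Q (#RELEASE), "0" after restart
        self.seen_open = False      # IN1 and IN2 were both "0" since last enable
        self._ack_prev = False

    def scan(self, in1, in2, ack):
        ack_edge = ack and not self._ack_prev
        self._ack_prev = ack
        if not in1 and not in2:
            self.seen_open = True   # safety door completely opened
        if not (in1 and in2):
            self.q = False          # any input at "0" counts as door opening
        elif not self.q and self.seen_open and (ack_edge or not self.ack_nec):
            self.q = True
            self.seen_open = False  # next enable needs a new complete opening
        return self.q


class StartLatch:
    """SR flip-flop of FC 3: set by a START edge, reset dominates (assumed)."""

    def __init__(self):
        self.cond = False
        self._start_prev = False

    def scan(self, start, stop_nc, release):
        start_edge = start and not self._start_prev
        self._start_prev = start
        if start_edge:
            self.cond = True
        if not stop_nc or not release:  # STOP is an NC contact: "0" = pressed
            self.cond = False
        return self.cond


# Default signal values from the "Inputs/outputs used" table.
REST = {"SW1": True, "SW2": True, "ACK": False, "START": False, "STOP": True}
OPEN_DOOR = {"SW1": False, "SW2": False}
CLOSE_DOOR = {"SW1": True, "SW2": True}


def press(name):
    """Press and release a push button: two consecutive input changes."""
    return [{name: not REST[name]}, {name: REST[name]}]


# Input changes constructed from the operating instructions table.
TABLE_STEPS = [
    [OPEN_DOOR],                                   # 1 pull both actuators
    [CLOSE_DOOR],                                  # 2 plug both actuators
    press("ACK"),                                  # 3
    press("START"),                                # 4
    press("STOP"),                                 # 5
    press("START"),                                # 6
    [{"SW1": False}],                              # 7 error case: one actuator
    [{"SW1": True}],                               # 8
    press("ACK"),                                  # 9
    press("START"),                                # 10
    [OPEN_DOOR, CLOSE_DOOR] + press("ACK") + press("START"),  # 11 = 1 to 4
    press("STOP"),                                 # 14
]


def run(steps, ack_nec=True):
    """Return the ACTUATOR value (A 8.0) after each step."""
    door, latch = DoorMonitor(ack_nec), StartLatch()
    inputs = dict(REST)
    outputs = []
    for step in steps:
        for change in step:
            inputs.update(change)
            release = door.scan(inputs["SW1"], inputs["SW2"], inputs["ACK"])
            cond = latch.scan(inputs["START"], inputs["STOP"], release)
            actuator = release and cond  # FB 1: ACTUATOR = RELEASE AND COND1
        outputs.append(int(actuator))
    return outputs


if __name__ == "__main__":
    print(run(TABLE_STEPS))
```

Step 10 stays at "0" even with ack_nec=False, because the enable depends on both inputs having been "0" first, which is what exposes the actuator stuck in the position switch.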
Alternative
In case hazardous slowing down emanates from the machine,
it has to be made sure that the safety door can only be opened
after the slowing down no longer constitutes a hazard. In this
case, e.g. safety position switches with locked engagement
are suitable. The Safety Integrated Functional examples 2
„Safety Door with Spring-Loaded Engagement“ and 3 „Safety
Door with Magnetic Engagement“ describe the use of such a
switch in order to meet the requirements of Safety Category 4
according to EN 954-1.
Light Curtain in Category 4 with Muting Function acc. to EN 954-1
Ex. No. 5
Automation Function
Description of the functionality
Light curtain
SIGUARD light curtains 3RG7844 meet the requirements of
Safety Category 4 according to IEC 61496-1 : 2004 and
EN 61496-1 : 2004. The relevant machine safety regulations apply for the application, particularly:
■ machinery directive 98/37/EC and
■ work equipment directive 89/655/EEC
SIGUARD light curtains 3RG7844 consist of a transmitter and
a receiver (see figure).
[Figure: light curtain with sender and receiver]
Starting with the first beam (= synchronization beam), the
transmitter quickly pulses beam after beam. The receiver detects the specially formed pulse packets of the send beams
and successively opens the linked receive elements with the
same rhythm. This ensures that a protection field is created
between transmitter and receiver. Transmitter and receiver
are synchronized optically.
The SIGUARD light curtain used here is mainly used in vertical
arrangement of the danger spot protection (see figure). With
the physical resolution of 30 millimeters, hand/arm are safely
detected in a range from 0.8 to 18 meters.
Light curtains can only realize their protective effect, if they
are installed with an adequate safety margin. The formulas
used to calculate the safety margin depend on the type of protection. Mounting situations and calculation formulas are
available in the standard EN 999 ("The positioning of protective equipment in respect of approach speeds of parts of the
human body"). The formula for the required distance to reflecting areas complies with the European Standard for "Active
Opto-Electronic Protective Devices" prEN IEC 61496-2 : 1997.
The transmitter and receiver type used in this example provides a 12-pin Hirschmann connector (see figure).
The Hirschmann connector uses the following pins:
Transmitter
Pin | Input / output | Connected to | Note
1 | Input | +24 V DC | Supply
2 | Input | 0 V DC |
3 | Output | Pin 4 |
4 | Input | Pin 3 | No internal jumper set in factory
Receiver
Pin | Input / output | Connected to | Note
1 | Input | +24 V DC | Supply
2 | Input | 0 V DC |
3 | Output | F-DI | OSSD1
4 | Output | F-DI | OSSD2
OSSD1 and OSSD2 are the safety-relevant switching outputs
(Output Signal Switching Devices). They are placed on the FDI and polled by the F CPU using a 1oo2 evaluation. "0" signal
means: Light curtain is interrupted. The F program causes the
stop of the hazardous machine.
Warning!
In this example, the hazardous machine is simulated
by an indicator light. When using other actuators than
this indicator light, safe switching-off of the loads including signal feedback is to be supplemented.
Functional Example No. AS-FE-I-005-V10-EN
For calculating the max. reaction time of your F-system please use the Excel file (Cotia table), which is available for S7 Distributed Safety V 5.3. This file is available on the internet:
http://support.automation.siemens.com/WW/view/en/19138505
Muting
In this example we show parallel muting. Muting is an intended suppression of the protective function. This is required, for example, while material is transported into the danger zone.
Muting is triggered by muting sensors. In this example, FB189 (F_MUTING) is called in the F program (FB 1, DB 1). Among other things, FB189 has as input parameters the signals of the four muting sensors (MS_11...MS_22) as well as three parameterizable times (DISCTIM1, DISCTIM2, TIME_MAX).
[Figures: sender, receiver, hazardous area and the muting sensors MS_11, MS_12, MS_21, MS_22 in the phases described below]
If the muting sensors MS_11 and MS_12 are activated by the product within the time DISCTIM1, the muting mode is activated.
The muting mode remains active as long as MS_11 and MS_12 are activated by the product. The product may pass the light curtain without causing a stop of the machine.
Before the muting sensors MS_11 and MS_12 switch inactive, the muting sensors MS_21 and MS_22 must have been activated within the time DISCTIM2. This ensures that muting mode remains active.
The muting mode is terminated if one of the muting sensors MS_21 or MS_22 is switched inactive by the product. The maximum time for the muting mode to be active is TIME_MAX.
Note
Muting mode also becomes active if the muting sensors MS_21 and MS_22 respond first.
Active muting operation is indicated by white indicator lights. In this example, one indicator light is used to display the muting mode. The diagram below illustrates the relations during muting mode with regard to time.
[Timing diagram: signals MS_11, MS_12, MS_21, MS_22 and MUTING, with the intervals t < DISCTIM1, t < DISCTIM2 and t < TIME_MAX]
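The muting rules described above (response of a sensor pair within its discrepancy time, hand-over to the second pair, TIME_MAX, wire break of the muting lamp, acknowledgement) can be replayed with the following added Python model. It is an illustrative example written for this text, not the certified F_MUTING (FB 189) block and not the STEP 7 sample project. The names MutingModel and replay, the start latch, and the choice to treat every timing violation as a fault that needs ACK and START are assumptions of the model.

```python
from collections import namedtuple

# Times from the F_MUTING call on this page (T#2S, T#2S, T#10S), in seconds.
DISCTIM1, DISCTIM2, TIME_MAX = 2.0, 2.0, 10.0
Outputs = namedtuple("Outputs", "actuator mlamp ack_req fault")


class MutingModel:
    """Scan-based model of the muting rules; call scan() once per cycle."""

    def __init__(self):
        self.locked = True       # acknowledgement is required before the first start
        self.run = False         # start latch, corresponds to COND/COND1
        self.muting = False
        self.fault = False
        self.entry = None        # sensor pair (1 or 2) that opened the sequence
        self.exit_seen = False   # the opposite pair has been fully activated
        self.t_mute = None       # time at which muting became active
        self.t_disc = {1: None, 2: None}   # start of disagreement within a pair

    def scan(self, t, ms=(0, 0, 0, 0), ossd=True, ack=False, start=False,
             lamp_ok=True):
        pairs = {1: (bool(ms[0]), bool(ms[1])), 2: (bool(ms[2]), bool(ms[3]))}
        limit = {1: DISCTIM1, 2: DISCTIM2}
        both = {p: a and b for p, (a, b) in pairs.items()}
        trip = False

        # Discrepancy monitoring (modelling assumption: applies to any
        # disagreement of the two sensors of a pair, on response and release).
        for p, (a, b) in pairs.items():
            if a == b:
                self.t_disc[p] = None
            elif self.t_disc[p] is None:
                self.t_disc[p] = t
            elif t - self.t_disc[p] > limit[p]:
                trip = True

        if self.muting:
            other = 3 - self.entry
            self.exit_seen = self.exit_seen or both[other]
            if t - self.t_mute > TIME_MAX or not lamp_ok:
                trip = True                    # TIME_MAX exceeded or lamp wire break
            elif self.exit_seen and not both[other]:
                self.muting = False            # regular end: exit pair released
            elif not self.exit_seen and not both[self.entry]:
                self.muting = False            # entry pair released too early
        elif self.entry is None and self.run and not self.locked:
            for p in (1, 2):                   # either pair may respond first
                if both[p]:
                    self.muting, self.entry = True, p
                    self.t_mute, self.exit_seen = t, False
                    break

        if trip:
            self.muting, self.fault = False, True
        if trip or (not ossd and not self.muting):
            self.locked, self.run = True, False    # stop; restart needs ACK and START
        if not self.muting and not any(ms):
            self.entry = None                  # all sensors free: new sequence allowed

        if ack and ossd and not trip:
            self.locked, self.fault = False, False
        elif start and not self.locked and not any(ms):
            self.run = True
        return Outputs(self.run and not self.locked, self.muting,
                       self.locked, self.fault)


def replay(steps):
    """Feed (time, inputs) steps to a fresh model; return (actuator, mlamp) as 0/1."""
    model = MutingModel()
    return [tuple(int(v) for v in model.scan(t, **kw)[:2]) for t, kw in steps]


M = dict(ms=(1, 1, 0, 0))   # both sensors of pair 1 covered by the product

# Constructed input sequence that follows the "Testing inputs and outputs" table.
FUNCTION_TEST = [
    (0.0, dict(ack=True)), (1.0, dict(start=True)),   # No. 1, 2
    (2.0, dict(ossd=False)),                          # No. 3: field interrupted
    (3.0, dict(ack=True)), (4.0, dict(start=True)),   # No. 4: repeat 1 and 2
    (5.0, dict(ms=(1, 0, 0, 0))),                     # No. 5: MS_11 responds
    (6.0, M),                                         # No. 6: MS_12 within DISCTIM1
    (7.0, dict(M, ossd=False)),                       # No. 7: field interrupted, muted
    (16.5, dict(M, ossd=False)),                      # No. 8: TIME_MAX elapsed
]

# Constructed sequence for a complete passage (operating instructions 2).
FULL_PASS = [
    (0.0, dict(ack=True)), (1.0, dict(start=True)),
    (2.0, dict(ms=(1, 0, 0, 0))), (3.0, M),
    (4.0, dict(ms=(1, 1, 1, 0), ossd=False)), (5.0, dict(ms=(1, 1, 1, 1), ossd=False)),
    (6.0, dict(ms=(0, 1, 1, 1), ossd=False)), (7.0, dict(ms=(0, 0, 1, 1))),
    (8.0, dict(ms=(0, 0, 0, 1))), (9.0, dict()),   # MS_21 released at 8.0: muting ends
]
```

Calling replay(FUNCTION_TEST) returns the A 10.0 / A 10.1 pairs step by step, so the model can be compared with the responses listed in the function test of this example.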
Flow chart
The flow chart below shows the relation between hazardous
"machine", protection field and muting mode.
[Flow chart: Start; "Machine" in RUN?; Muting active?; Protection field interrupted?; Protection field can be interrupted without the "Machine" stopping; DISCTIM1, DISCTIM2, TIME_MAX exceeded?; Wire break at muting lamp?; Acknowledgement given?; Was a start request given?; "Machine" in STOP; "Machine" in RUN]
Advantages/customer benefits
■ Wiring reduced to a minimum due to use of failsafe S7-CPU
and distributed I/O. The more safety functions are implemented, the more useful this advantage is.
■ The output signals of the light curtain (OSSD1 and OSSD2
of the receiver) can be directly transferred to the failsafe I/O
modules (F-DI).
■ Programming the failsafe program with STEP 7 engineering tools.
■ Use of prefabricated (and certified) failsafe blocks from the
Distributed Safety library to implement the muting mode.
■ Only one CPU is required, since failsafe and standard program parts run on a coexistent basis in the CPU
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty
Power supply | PS307 5A | 6ES73071EA00-0AA0 | 2
S7-CPU, can be used for safety applications | CPU 315F-2DP | 6ES7315-6FF01-0AB0 | 1
Micro Memory Card | MMC 512 kB | 6ES7953-8LJ10-0AA0 | 1
Interface module for ET 200S | IM 151 High Feature | 6ES7151-1BA00-0AB0 | 1
Power module for ET 200S | PM-E DC24..48V AC24..230V | 6ES7138-4CB10-0AB0 | 2
Electronic module for ET 200S | 2DI HF DC24V | 6ES7131-4BB00-0AB0 | 3
Electronic module for ET 200S | 4/8 F-DI DC24V | 6ES7138-4FA01-0AB0 | 1
Electronic module for ET 200S | 4 F-DO DC24V/2A | 6ES7138-4FB01-0AB0 | 1
Terminal module for ET 200S | TM-P15S23-A0 | 6ES7193-4CD20-0AA0 | 2
Terminal module for ET 200S | TM-E15S24-A1 | 6ES7193-4CA20-0AA0 | 3
Terminal module for ET 200S | TM-E30C46-A1 | 6ES7193-4CF50-0AA0 | 2
Profile rail | 482.6 mm | 6ES7390-1AE80-0AA0 | 1
Standard mounting rail | 35 mm, length: 483 mm | 6ES5710-8MA11 | 1
Indicator light incl. incandescent lamp | white | 3SB3217-6AA60 | 1
Optional: Indicator light incl. incandescent lamp | yellow | 3SB3217-6AA30 | 1
Optical proximity switch (as muting sensor) | Diffuse sensor (type K80) | 3RG7200-6CC00 | 4
SIGUARD light curtain Cat. 4 | Standard TRANSMITTER, resolution 30 mm | 3RG7844-2SD03-0SS0 | 1
SIGUARD light curtain Cat. 4 | Standard RECEIVER, resolution 30 mm | 3RG7844-2SD03-0SS1 | 1
Hirschmann contact box | incl. crimp contacts, even | 3RG7848-2DA | 2
Push button | green, 1NO | 3SB3801-0DA3 | 2
Manufacturer: Siemens AG
Note
The functionality was tested with the hardware components listed. Similar products not included in the above
list can also be used. Please note that in this case
changes in the sample code (e.g. different addresses)
may become necessary.
Configuration software/tools
Component | Type | MRPD / Ordering data | Qty
SIMATIC STEP 7 | V5.3 + SP1 | 6ES7810-4CC07-0YA5 | 1
SIMATIC Distributed Safety | V5.3 | 6ES7833-1FC01-0YA5 | 1
Manufacturer: Siemens AG
Setup and Wiring
In order to set up and wire the functional example, it is absolutely necessary to consider the following note:
Warning!
In order to meet the requirements of Safety Category 4, it is obligatory to read back the process signal to the actuator. Read back is not implemented in this example.
The actuator in this example is an indicator light simulating a machine. If other actuators are used, read back has to be ensured by the user. The Safety Integrated Functional Example AS-FE-I-007-V10-EN provides a detailed description of "Read back".
An overview of the hardware structure
The arrangement to implement the light curtain with muting function consists of a PROFIBUS configuration. A failsafe S7-CPU is used as DP master, an ET 200S as DP slave. The yellow indicator light, which can be used optionally, simulates the hazardous "machine", the white indicator light indicates active muting.
Note
Except for the connected safety components, the power supply (for the light curtain) must not supply any additional parts of the machine with power. Both power supplies require the same ground.
Note
A 4DI electronic module can also be used instead of two 2DI electronic modules. The "high feature" electronic modules can also be replaced by standard modules.
[Figure: overview of the hardware structure with PS 307, CPU 315F, DP connection, PM-E, IM 151 HF, 2DI HF, F-DI, F-DO, push buttons START and ACK, muting sensors 11, 12, 21 and 22, light curtain SENDER and RECEIVER, simulated "machine" and muting lamp]
Note
The wiring of the hardware is illustrated below. In the following table, the hardware components occurring several times are numbered so they can be allocated in the subsequent wiring plan.
Wiring of the hardware components
Requirements: The power supplies are supplied with 230V AC.
First check the addresses set at the hardware components listed below:
Hardware component | Address to be set | Note
IM 151 High Feature | 6 (PROFIBUS address) | Can be changed
F-DI | Switch position: 1111111110 | The PROFIsafe addresses are automatically assigned during configuring the failsafe modules in STEP 7. The PROFIsafe addresses 1 to 1022 are permissible. Please make sure that the setting at the address switch (DIL switch) on the side of the module corresponds to the PROFIsafe address in the hardware configuration of STEP 7.
F-DO | Switch position: 1111111100 |
[Figure: numbered ET 200S modules PM-E, IM 151 HF, 2 DI HF, F-DO and F-DI with their terminal designations]
Note
The DP interface of the CPU 315F must be connected with the DP interface of the IM 151 HF.
[Figure: wiring plan with PS 307 / CPU 315F, PS 307, PM-E, IM 151 HF, 2 DI HF, F-DI and F-DO; labelled connections: Start, Acknowledgement, Muting sensor 21, Muting sensor 22, Actuator, Signal lamp (Muting), Light curtain (Receiver), Light curtain (sender)]
Note
A connection between the MPI interface of your PG/PC and the MPI interface of the CPU 315F-2DP (MPI cable) is required to download the S7 project into the CPU 315F-2DP.
Note
The ground of the two power supplies (PS) used has to be identical.
Function test
After wiring the hardware components, you can check the inputs and outputs used with regard to their functionality (after downloading the S7 project).
Inputs/outputs used
No. | Hardware component | Address | Symbol | Signal (default value) | Note
1 | Push button (NO) | E 0.0 | START | "0" | –
2 | Push button (NO) | E 0.1 | ACK | "0" | –
3 | Optical proximity switch | E 1.0 | MS_11 | "0" | Muting sensor; "1": sensor detects material
4 | Optical proximity switch | E 1.1 | MS_12 | "0" | Muting sensor; "1": sensor detects material
5 | Optical proximity switch | E 2.0 | MS_21 | "0" | Muting sensor; "1": sensor detects material
6 | Optical proximity switch | E 2.1 | MS_22 | "0" | Muting sensor; "1": sensor detects material
7 | Receiver light curtain | E 4.0 | OSSD | "1" | "1" signal in case of free protection field
8 | Indicator light (yellow) | A 10.0 | ACTUATOR | "0" | Simulated machine
9 | Indicator light (white) | A 10.1 | MLAMP | "0" | Muting lamp
Testing inputs and outputs
Requirements: The inputs and outputs have the default values specified under "Inputs/outputs used".
Note
The times DISCTIM1 and TIME_MAX mentioned in the following table are parameterized in FB 1 of the program code.
No. | Instruction | Response A 10.0 | Response A 10.1 | Note
1 | Press the push button E 0.1 and release it. | "0" | "0" | Acknowledgement
2 | Press the push button E 0.0 and release it. | "1" | "0" | Start of the "machine"
3 | Interrupt the protection field | "0" | "0" | OSSD="0"
4 | Repeat No. 1 and 2 | "1" | "0" | Start of the "machine"
5 | Set E 1.0 = "1" | "1" | "0" | Muting sensor 11 triggers
6 | Set E 1.1 = "1" (this action has to be performed within DISCTIM1) | "1" | "1" | Start muting mode. Protection field not active!
7 | Interrupt the protection field | "1" | "1" | –
8 | Wait until TIME_MAX has elapsed | "0" | "0" | Muting not yet completed and t>TIME_MAX
Important hardware component settings
Below, several important settings from the hardware configuration of STEP 7 are shown to provide you with an overview. These settings are available in the included STEP 7 project. It is basically possible to change these settings (e.g. due to individual requirements), but please consider the following note:
Warning!
The settings shown below contribute to meet the requirements of Safety Category 4. Changes at the settings may cause loss of safety functions.
If you implement changes (e.g. add an additional module), the sample code has to be adapted accordingly.
Overview picture
[Figure: overview picture of the hardware configuration]
The PROFIBUS address at IM 151HF is set using DIP-switches.
Settings of the CPU 315F-2DP
The settings are displayed after double-clicking "CPU 315F-2 DP" (see "Overview picture").
Default value: 100 ms. It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Available in the "Protection" tab.
A password has to be allocated in order to be able to set the parameter "CPU Contains Safety Program". It is only in this case that all required F blocks for safe operation of the F modules are generated during compiling the hardware configuration of STEP 7.
Password used here: siemens
Set mode: "Test Mode"
During Process Mode, the test functions such as program status or monitor/modify variable are restricted in such a way that the set permitted increase in scan cycle time is not exceeded. Testing with stop-points and gradual program execution cannot be performed.
During Test Mode, all test functions can be used without restrictions via PG/PC which can also cause larger extensions of the cycle time. Important: During test mode of the CPU, you have to make sure that the CPU or the process can "stand" large increases in cycle time.
Settings of the failsafe F-DI
The settings are displayed after double-clicking "4/8 F-DI DC24V" (see "Overview picture").
With external sensor supply, the requirements of Cat. 4 according to EN 954-1 can be met by using intelligent sensors which independently monitor the wiring with regard to short-circuit and wire break. For this application case, the short-circuit test has to be deactivated in the F-DI.
DIL switch settings
This value has to be set on the module (F-DO).
F monitoring time
It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Also in the "Parameter" tab.
The OSSD outputs of the light curtain are evaluated in a 1oo2 evaluation.
All other channels: Deactivate
Settings of the failsafe F-DO
The settings are displayed after double-clicking "4 F-DO DC24V/2A" (see "Overview picture").
DIL switch settings
This value has to be set on the module (F-DO).
F monitoring time
It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Channel 0: Actuator connection (in this case: Indicator light)
Channel 1: Muting lamp
All other channels: deactivate
The read-back time defines the duration of the switch-off procedure for the respective channel. If the respective channel switches high capacity loads, the read back time should be set sufficiently large. We recommend setting the read back time as small as possible, however large enough so that the output channel does not become passive.
Basic Performance Data
Load and main memory (without program code)
 | Total | S7 standard blocks | F blocks (failsafe)
Load memory | approx. 37,5 | approx. 0,2 k | approx. 37,3 k
Main memory | approx. 28,1 | approx. 0,09 k | approx. 28,1 k
Load and main memory (with program code)
 | Total | S7 standard blocks | F blocks (failsafe)
Load memory | approx. 48,0 k | approx. 1,0 k | approx. 47,0 k
Main memory | approx. 35,1 | approx. 0,4 k | approx. 34,7 k
Cycle time
Total cycle time (typical value) | approx. 5 ms | Standard and safety program
Max. runtime of the safety program | 10 ms | Calculation with the Cotia table. Page 180 specifies where to find it.
Sample Code
Preliminary Remarks
Enclosed, we offer you the STEP 7 project as sample code with which you can reproduce the functionality described here.
The sample code is always assigned to the components used in the functional examples and implements the required functionality. Problems not dealt with in this document are to be implemented by the user; the sample code may serve as a basis.
Password
In all cases, the password used for the safety-relevant part is "siemens".
Use of the STEP 7 Project
The STEP 7 project shows how a light curtain of safety category 4 according to EN 954-1 can be operated by means of a failsafe S7-CPU. In this example, the hazardous machine is simulated by an indicator light. The conditions necessary for the actuators to reach safety category 4 (e.g. read back of actuator signals) are not considered in this example.
The sample code with the given configurations enables the following:
■ Connection of a SIGUARD light curtain 3RG7844 to the failsafe I/O modules of a failsafe SIMATIC S7-CPU for danger spot protection.
■ Muting mode
After setting up and commissioning the functionality introduced here, the indicator lights used provide the following information:
Illuminated indicator lights | Explanation
Yellow | Hazardous "machine" running (simulates the actuator).
White | Muting mode
Download
The download is available via the following link:
http://support.automation.siemens.com/WW/view/en/21331201
To call the corresponding project file, open the "as_fe_i_005_v10_code_lcurtain.zip" file offered as a separate download (on the HTML page) and extract it into a user defined directory.
For downloading the project into the F-CPU please proceed as follows:
■ First load the hardware configuration into the S7-CPU
■ Switch to the SIMATIC Manager
■ Select the "Blocks" container
■ Menu "Options" -> Edit safety program
■ Click the "Download" button
Program procedure
OB 1 defines the start conditions for the hazardous machine (here simulated by an indicator light):
[Figure: OB 1 start logic with the elements "START" (positive edge "P"), "MS_11", "MS_12", "MS_21", "MS_22", "INSTANZ_FB1".FAULT, "STOP", AND (&), OR (>=1), SR flip-flop and output "COND"]
Parameter | Address | Explanation
START | E 0.0 (NO) | Start request
MS_11 | E 1.0 | Optical proximity switch (as muting sensor). Any type of sensor can be used which need not be failsafe. Convention: At the "1" signal the object is recognized.
MS_12 | E 1.1 | See MS_11
MS_21 | E 2.0 | See MS_11
MS_22 | E 2.1 | See MS_11
INSTANZ_FB1.FAULT | DB1.DBX4.2 | This bit causes a start of the "machine" to only be possible after previous acknowledgement. The signal status of this bit is defined in the safety program (FB 1) and filed in its respective instance DB (DB1, byte 4, bit 2)
STOP | M 92.3 | Dummy bit. In this example, no operational stopping has been implemented. If you wish to extend the example accordingly, the memory bit can be replaced by the respective sensor signal.
COND | M 92.0 | Sets or resets the machine (in FB 1 of the safety program).
A start in this example shall only be possible if workpieces are out of the monitored area of the light curtain (MS_11…MS_22="0").
The information of the memory bit "COND" is read as memory bit COND1 in the safety program. This allocation occurs in the cyclic interrupt OB 35 for the following reason:
When the safety program reads data from the standard user program (memory bits or PAE of standard I/O) which may be changed by the standard user program or an operation control and monitoring system while an F runtime group is running, it is necessary to use separate memory bits (here COND1). Data from the standard user program have to be written to these memory bits immediately before calling the F runtime group. Only these memory bits may then be accessed in the safety program.
In this example it has already been implemented. Generally, however, the following applies:
Note
If the above section is not observed the F CPU may go to STOP mode.
The failsafe program has the following program sequence:
[Figure: program sequence with F-Call (FC1), FC "Safety_Prg" (FC10), FB "L_CURTAIN" (FB1, DB1), FB "F_MUTING" (FB 189, DB 189) from the Distributed Safety library, and FC "REINTEGRATION" (FC2)]
F-CALL (FC1)
F-CALL (FC 1) is the F runtime group and is called from the cyclic interrupt OB (OB 35). F-CALL calls the F program block (here the FC 10).
FC "Safety_Prg" (FC 10)
FC 10 ensures the modular setup of the safety program.
FB "L_CURTAIN" (FB 1, DB 1)
FB 1 has two functions:
1. Call of FB "F_MUTING" (FB 189, DB 189) from the Distributed Safety library (network 1).
2. Switching the "machine" (here simulated by an indicator light) on and off (network 2).
Network 1
[Figure: call of "F_MUTING" with the instance DB "INSTANZ_FB189"; parameter assignment and annotations as shown in the figure:]
Inputs
MS_11 = #MS_11, MS_12 = #MS_12, MS_21 = #MS_21, MS_22 = #MS_22: Muting sensors of non-failsafe input module
FREE = OSSD: Failsafe output signal for receiver of light curtain. Read in via a failsafe input module. If the light curtain is interrupted, #OSSD="0", Q=0 and ACK_REQ="1" indicates that acknowledgement is necessary.
QBAD_MUT = "F00010_4_F_DO_DC24V_2A".QBAD: Monitoring the muting lamp via the QBAD signal of the F output module
DISCTIM1 = T#2S: Time monitoring sensor pair 1
DISCTIM2 = T#2S: Time monitoring sensor pair 2
TIME_MAX = T#10S: Maximal muting time
ACK = #ACK: Acknowledgement
Outputs
Q = #RELEASE: Enable
MUTING = "MLAMP": Display muting on/off
ACK_REQ = #ACK_REQ: Acknowledgement required
FAULT = #FAULT: Common error
If the light curtain for example has been interrupted, a restart of the "machine" (here simulated by an indicator light) requires acknowledgement. This requirement is indicated by the output parameter ACK_REQ="1" of FB 189.
In OB 1 the static variable #EN_FAULT is read from the instance DB of FB 1 and connected so that a start is only possible if acknowledged in FB 1.
Network 2
[Figure: AND (&) of #RELEASE and #COND1, assigned to #ACTUATOR]
After successful acknowledgement, an enable (#RELEASE="1") is given by FB 189. A standard requirement in OB 1 makes "COND1"="1" and the "machine" is switched on (#ACTUATOR="1").
If the light curtain, for example, is interrupted, the enable is reset by FB 189 and the "machine" is switched off.
FB "F_MUTING" (FB 189, DB 189)
FB 189 is a certified block from the Distributed Safety library.
FC "REINTEGRATION" (FC 2)
Network 2 of FB 10 calls the FC2, where in case of a passivation of F-DI or F-DO the reintegration will be implemented. For the F-DO a memory bit REINT is prepared. With a positive edge of REINT the F-DO will be reintegrated.
Warning!
In this example, the reintegration of passivated modules occurs automatically. Use the automatic reintegration for your application only if it will not cause any hazards.
A passivation is indicated via LED "SF" lighting up on the module. The reintegration of an F module may take approx. one minute.
Operating instructions
The table below will help you during operation.
Note
During performing the following actions, please make sure that the discrepancy times DISCTIM1 and DISCTIM2 as well as the maximum muting time TIME_MAX are not exceeded. The allocation of the time values is available in the F program (FB 1, network 1 when calling FB189).
Operating instructions 1: Interrupting light curtain
No. | Instruction | Result/Note
1 | Press the acknowledgement push button ACK | Required before starting the "machine". The 4 muting sensors must be on "0" signal.
2 | Press the start push button START | "Machine" running (simulated by yellow indicator lights).
3 | Interrupt the light curtain | Yellow indicator light goes off ("machine" stops).
Operating instructions 2: Muting
No. | Instruction | Result/Note
1 | Press the acknowledgement push button ACK. | Required before starting the "machine". The 4 muting sensors must be on "0" signal.
2 | Press the start push button START. | "Machine" running (simulated by yellow indicator light).
3 | Switch the muting push button MS_11 and keep it on "1" signal. | Muting sensor 1 of sensor pair 1 triggers.
4 | Switch the muting push button MS_12 and keep it on "1" signal. | Muting sensor 2 of sensor pair 1 triggers. The white muting lamp indicates active muting function. Interrupting the light curtain does not cause a stop of the "machine".
5 | Switch the muting push button MS_21 and keep it on "1" signal. | Muting sensor 1 of sensor pair 2 triggers.
6 | Switch the muting push button MS_22 and keep it on "1" signal. | Muting sensor 2 of sensor pair 2 triggers.
7 | Switch the muting push button MS_11 back to "0" signal. | Muting sensor 1 of sensor pair 1 is released by the work piece.
8 | Switch the muting push button MS_12 back to "0" signal. | Muting sensor 2 of sensor pair 1 is released by the work piece.
9 | Switch the muting push button MS_21 back to "0" signal. | Muting sensor 1 of sensor pair 2 is released by the work piece. Muting is no longer active -> The white muting lamp goes off.
10 | Switch the muting push button MS_22 back to "0" signal. | Muting sensor 2 of sensor pair 2 is released by the work piece.
Operating instructions 3: Wire break of the muting lamp
No. | Instruction | Result/Note
1 | Press the acknowledgement push button ACK. | Required before starting the "machine". The 4 muting sensors must be on "0" signal.
2 | Press the start push button START. |
3 | Switch the muting push button MS_11 and keep it on "1" signal. | Muting sensor 1 of sensor pair 1 triggers.
4 | Switch the muting push button MS_12 and keep it on "1" signal. | Muting sensor 2 of sensor pair 1 triggers. The white muting lamp indicates active muting function. Interrupting the light curtain does not cause a stop of the "machine".
5 | Disconnect the connection of the muting lamp from the F-DO. | Wire break: "Machine" is switched off.
Required before starting the "machine". The 4 push buttons (NC) for muting have to be on "0" signal.
Two-Hand Control Panel with Integrated Emergency Stop in Category 4 acc. to EN 954-1
Ex. No. 6
Automation Function
Description of the functionality
Use and version of the two-hand control panel
Two-hand controls are widely used in the industrial field, e.g.:
■ Pressing
■ Spot welding
■ Punching
■ Print finishing or wood working
Two-hand control panel
The SIGUARD two-hand control panels 3SB38 6 are designed in accordance with the requirements of Category 4 according to EN 954-1: 1996. The standard equipment of all control panels features two operator push buttons and one emergency stop mushroom-head pushbutton.
[Figure: two-hand control panel with exclusive OR sensor 1, emergency-stop and exclusive OR sensor 2]
Standards
The relevant standards for the two-hand control panel are listed below:
Standard | Content
DIN 24980 (EN 574) | Safety of machinery Two-hand control devices
EN 418 | Safety of machinery Emergency stop equipment
EN 999: 1998 | Approach speeds
EN ISO 12100-1: 2003 | Safety of machinery General principles of design
EN 954-1: 1996 | Safety of machinery Safety-related parts of control systems
EN 60204-1: 1997 | Safety of machinery Electrical equipment of machines
EN 60947-5-1: 1991 | Low-voltage switching devices Positive opening operation
Function
A characteristic feature of the two-hand control is the fact that both hands are fixed. The desired actions can only be started if both push buttons of the two-hand control are pressed. Each of the two push buttons is an exclusive OR sensor (make contact and break contact).
Make contact and break contact of the exclusive OR sensor have to switch within a discrepancy time when operated. The length of this discrepancy time is parameterized in the hardware configuration of STEP 7 (max. 500 ms according EN 574).
Aside from the discrepancy time monitoring between make contact and break contact of an exclusive OR sensor, the switching times between exclusive OR sensor 1 and 2 are monitored. This discrepancy time monitoring is parameterized at the F-application block in the safety program of STEP 7.
Actuator used
This document describes the following example: When pressing both exclusive OR sensors a "machine" starts which is active for 4 seconds. After that period of time (or if at least one of the exclusive OR sensors is released) the machine automatically shuts down. A restart is only possible by a release of both exclusive OR sensors and again pressing. In this example, instead of a real machine an indicator light is used for simulation. The designation "machine" refers to this indicator light.
Warning!
In this example the hazardous machine is simulated by an indicator light. When using other actuators than this indicator light, safe switching-off of the loads including signal feedback is to be supplemented.
Use the Excel file (Cotia table), which is available for S7 Distributed Safety V 5.3, for the calculation of the max. reaction time of your F system. This file is available on the internet:
http://support.automation.siemens.com/WW/view/en/19138505
Functional Example No. AS-FE-I-006-V10-EN
Emergency stop
Pressing the emergency stop push button resets the indicator light (simulated stop of the "machine"). Prior to a restart of the "machine", the emergency stop push button has to be unlocked and acknowledged.
Flowchart
The flowchart below once again illustrates the relations.
[Flow chart: Start; First start?; Emergency stop tripped?; Acknowledgement?; Discrepancy time exceeded between make contact and break contact? (parametrized in the hardware configuration of STEP 7); Both exclusive OR sensors pressed?; Discrepancy time exceeded between exclusive OR sensor 1 and 2? (programmed in the safety program of STEP 7); Was machine in RUN?; End runtime "Machine"?; "Machine" in RUN; "Machine" in STOP. Annotation: The runtime of the "machine" is simulated by a constant time during which the indicator light is ON.]
Time sequence
The times listed in the following table are shown further on in a timing diagram.
Time | Explanation | Note
∆t1 | Discrepancy time between make contact and break contact at exclusive OR sensor 1 | Parameterized in the hardware configuration of STEP 7.
∆t2 | Discrepancy time between make contact and break contact at exclusive OR sensor 2 | Parameterized in the hardware configuration of STEP 7.
∆t3 | Discrepancy time between exclusive OR sensor 1 and 2 | Programmed in the failsafe F program of STEP 7.
t1 | Start of the "machine" | Simulated by indicator light.
t2 | Stop of the "machine" | Possible reasons: end of "machine time"; at least one exclusive OR sensor was released; emergency stop was actuated; passivation of the failsafe input module of ET 200S (F-DI)
[Timing diagram: make contact and break contact of exclusive OR sensor 1 and of exclusive OR sensor 2 and the "Machine" signal over time t, with the times from the table above]
Advantages/customer benefits
■ Wiring reduced to a minimum due to use of failsafe S7-CPU and distributed I/O. The more safety functions are implemented, the more useful this advantage is.
■ Programming the failsafe program with STEP 7 engineering tools.
■ Only one CPU is required since failsafe and standard program parts run on a coexistent basis in the CPU.
■ Use of prefabricated (and certified) failsafe blocks from the Distributed Safety library.
■ Design of the two-hand control with integrated control devices including emergency stop.
■ Additional control devices can be mounted.
■ All relevant standards are complied with.
■ The metal version of the two-hand control is also suitable for harsh industrial conditions.
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty
Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1
S7-CPU, can be used for safety applications | CPU 315F-2DP | 6ES7315-6FF01-0AB0 | 1
Micro Memory Card | MMC 512 kB | 6ES7953-8LJ10-0AA0 | 1
Interface modules for ET 200S | IM 151 High Feature | 6ES7151-1BA00-0AB0 | 1
Power module for ET 200S | PM-E DC24..48V AC24..230V | 6ES7138-4CB10-0AB0 | 2
Electronic module for ET 200S | 2DI HF DC24V | 6ES7131-4BB00-0AB0 | 1
Electronic module for ET 200S | 4/8 F-DI DC24V | 6ES7138-4FA01-0AB0 | 1
Electronic module for ET 200S | 4 F-DO DC24V/2A | 6ES7138-4FB01-0AB0 | 1
Terminal module for ET 200S | TM-P15S23-A0 | 6ES7193-4CD20-0AA0 | 2
Terminal module for ET 200S | TM-E15S24-A1 | 6ES7193-4CA20-0AA0 | 1
Terminal module for ET 200S | TM-E30C46-A1 | 6ES7193-4CF50-0AA0 | 2
Profile rail | 482.6 mm | 6ES7390-1AE80-0AA0 | 1
Standard mounting rail | 35 mm, length: 483 mm | 6ES5710-8MA11 | 1
Indicator light including incandescent lamp | yellow | 3SB3217-6AA30 | 1
Push button | green, 1NO | 3SB3801-0DA3 | 1
SIGUARD two-hand control panel | Plastic version | 3SB3863-1BB | 1
Manufacturer: Siemens AG
Note
The functionality was tested with the hardware components listed. Similar products not included in the above
list can also be used. Please note that in this case
changes in the sample code (e.g. different addresses)
may become necessary.
Configuration software/tools
Component | Type | MRPD / Ordering data | Qty
SIMATIC STEP 7 | V5.3 + SP1 | 6ES7810-4CC07-0YA5 | 1
SIMATIC Distributed Safety | V5.3 | 6ES7833-1FC01-0YA5 | 1
Manufacturer: Siemens AG
Setup and Wiring
In order to set up and wire the functional example, it is absolutely necessary to consider the following note:
Warning!
In order to meet the requirements of Safety Category 4, it is obligatory to read back the process signal to the actuator. Read back is not implemented in this example.
The actuator in this example is an indicator light simulating a machine. If other actuators are used, read back has to be ensured by the user. The Safety Integrated Functional Example No. 7 "Integration of the Readback Signal in an Application of Category 4 acc. to EN 954-1" provides a detailed description of "Read back".
An overview of the hardware structure
The arrangement to use a two-hand control panel consists of a PROFIBUS configuration. A failsafe S7-CPU is used as DP master, an ET 200S as DP slave. The indicator light simulates the hazardous "machine".
Figure: hardware overview with PS 307, CPU 315F and the ET 200S station (PM-E, IM 151 HF, PM-E, 2DI HF, F-DI, F-DO) connected via DP; connected devices: two-hand control panel with exclusive OR sensor 1 and exclusive OR sensor 2, acknowledgement push button (ACK) and the simulated "machine".
Note
The "high feature" electronic modules can also be replaced by standard modules.
Wiring of the hardware components
Requirements: The power supplies are supplied with 230V AC.
First check the addresses set at the hardware components listed below:
Hardware component | Address to be set | Note
IM 151 High Feature | 6 (PROFIBUS address) | Can be changed
F-DI | Switch position: 1111111110 | The PROFIsafe addresses are automatically assigned during configuring the failsafe modules in STEP 7. The PROFIsafe addresses 1 to 1022 are permissible. Please make sure that the setting at the address switch (DIP switch) on the side of the module corresponds to the PROFIsafe address in the hardware configuration of STEP 7.
F-DO | Switch position: 1111111101 | (see the note for F-DI)
Note
The DP interface of the CPU 315F must be connected with the DP interface of the IM 151 HF.
Note
The wiring of the hardware is illustrated below. In the following table the hardware components which occur several times are numbered to ensure that they can be clearly assigned in the subsequent wiring diagram.
Figure G_FB_XX_136: ET 200S station with numbered modules (PM-E, IM 151 HF, PM-E, 2DI HF, F-DO, F-DI) and their terminal designations.
Figure G_FB_XX_137: wiring diagram with PS 307 / CPU 315F, IM 151 HF, PM-E (AUX1), 2 DI HF, F-DI and F-DO, the supply lines L1, N, PE, L+ and M, the acknowledgement push button, the two-hand control panel (with integrated emergency stop) and the actuator.
The following point is taken into account in the wiring: Each of the two exclusive OR sensors of the two-hand control panel has to be connected in such a way that the first contact is a make contact and the second contact is a break contact. If the short circuit test of the failsafe input module (F-DI) is activated, both contacts of the exclusive OR sensor have to be supplied with voltage via the internal sensor supply VS1.
As soon as a discrepancy between the signals of the two affected input channels is detected, the value "0" is made available to the safety program in the F CPU (parameterized in the hardware configuration of STEP 7).
Note
A connection between the MPI interface of your PG/PC and the MPI interface of the CPU 315F-2DP (MPI cable) is required to download the S7 project into the CPU 315F-2DP.
Function test
After wiring the hardware components, you can check the inputs and outputs used with regard to their functionality (after
downloading the S7 project).
Inputs/outputs used
No. | Hardware component | Address | Symbol | Signal (default value) | Note
1 | Push button (NO) | E 0.0 | ACK | "0" | Acknowledgement
2 | Push button 1 two-hand control panel (NO/NC) | E 0.1 | HAND1 | "0" | The make contact is evaluated
3 | Push button 2 two-hand control panel (NO/NC) | E 1.1 | HAND2 | "0" | The make contact is evaluated
4 | Emergency stop on two-hand control panel (NC/NC) | E 1.2 | ESTP | "1" | –
5 | Indicator light (yellow) | A 7.0 | LAMP | "0" | Simulates hazardous machine
Testing inputs and outputs
Requirements: The inputs and outputs have the default values specified under "Inputs/outputs used".
No. | Instruction | Response A 7.0 | Note
1 | Press the push button E 0.0 and release it. | "0" | Acknowledgement (the negative edge is evaluated)
2 | Press and simultaneously keep pressed the push buttons E 1.0 and E 1.1. | "1" | "Machine" active
3 | Wait 4 seconds | "1" -> "0" | Simulated machine time
4 | Release the push buttons E 1.0 and E 1.1 | "0" | New start is possible
5 | Press and simultaneously keep pressed the push buttons E 1.0 and E 1.1 and release one (or both of them) after approximately 1s. | "1" -> "0" | "Machine" starts and shuts down.
An acknowledgement is required
■ when the "machine" is started for the first time
■ after unlocking the emergency stop
■ after reintegration (module was passivated) of the failsafe input module (F-DI) of the ET 200
Important hardware component settings
Below, several important settings from the hardware configuration of STEP 7 are shown to provide you with an overview. These settings are available in the included STEP 7 project. It is basically possible to change these settings (e.g. due to individual requirements), but please consider the following note:
Warning!
The settings shown below contribute to meeting the requirements of Safety Category 4. Changes to the settings may cause a loss of the safety functions.
If you implement changes (e.g. add an additional module), the sample code has to be adapted accordingly.
Overview picture
The PROFIBUS address at IM 151HF is set using DIP switches.
Settings of the CPU 315F-2DP
The settings are displayed after double-clicking "CPU 315F-2 DP" (see "Overview picture").
Default value: 100 ms. It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Available in the "Protection" tab.
A password has to be allocated in order to be able to set the parameter "CPU Contains Safety Program". It is only in this case that all required F blocks for safe operation of the F modules are generated during compiling the hardware configuration of STEP 7.
Password used here: siemens
Set mode: "Test Mode"
During Process Mode the test functions such as program status
or monitor/modify variable are restricted in such a way that the
set permitted increase in scan cycle time is not exceeded. Testing with stop-points and gradual program execution cannot be
performed.
During Test Mode all test functions can be used without restrictions via PG/PC, which can also cause larger extensions of the
cycle time. Important: During test mode of the CPU you have to
make sure that the CPU or the process can "stand" large increases in cycle time.
Settings of the failsafe F-DI
The settings are displayed after double-clicking "4/8 F-DI
DC24V" (see "Overview picture").
Also in the "Parameter" tab.
During 1oo2 evaluation only the first-mentioned channel (0,
1, 2) is used in each case, the channels 4, 5, 6 cannot be accessed.
Channel 0, 4 and channel 1, 5
Exclusive OR sensor of the two-hand control panel: The discrepancy time between make contact and break contact of an
exclusive OR sensor can be defined here.
Channel 2, 6
Emergency stop
The two-channel push buttons are supplied with power via
the module. Category 4 is reached due to the fact that a crosscircuit detection is possible. This requires that the short circuit
test is activated.
DIL switch settings
This value has to be set on the module (F-DI).
F monitoring time
It has to be observed that the F monitoring time must be
larger than the call time of OB 35.
All other channels (3, 7)
deactivate
Settings of the failsafe F-DO
The settings are displayed after double-clicking "4 F-DO DC24V/2A" (see "Overview picture").
DIL switch settings
This value has to be set on the module (F-DO).
F monitoring time
It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Activate used channels, deactivate channels which are not used.
The read-back time defines the duration of the switch-off process for the respective channel. If the respective channel switches high capacity loads, the read-back time should be set sufficiently large. We recommend setting the read-back time as small as possible by trial, but large enough to ensure that the output channel is not passivated.
Basic Performance Data
Load and main memory (without program code)
 | Total | S7 standard blocks | F blocks (failsafe)
Load memory | approx. 37,5 k | approx. 0,2 k | approx. 37,3 k
Main memory | approx. 28,2 k | approx. 0,09 k | approx. 28,1 k
Load and main memory (with program code)
 | Total | S7 standard blocks | F blocks (failsafe)
Load memory | approx. 48,0 k | approx. 0,9 k | approx. 47,1 k
Main memory | approx. 34,8 k | approx. 0,3 k | approx. 34,5 k
Cycle time
Total cycle time (typical value) | approx. 5 ms | Standard and safety program
Max. runtime of the safety program | 11 ms | Calculation with the Cotia table. Page 180 specifies where to find it.
Sample Code
Preliminary Remarks
Enclosed, we offer you the STEP 7 project as sample code with which you can reproduce the functionality described here.
The sample code is always assigned to the components used in the functional examples and implements the required functionality. Problems not dealt with in this document are to be implemented by the user; the sample code may serve as a basis
The sample code with the given configurations enables the following:
■ Connecting a SIGUARD two-hand control panel with integrated emergency stop to the failsafe I/O modules (F-DI/F-DO) and evaluation using a failsafe SIMATIC S7-CPU
Password
In all cases, the password used for the safety-relevant part is "siemens".
Use of the STEP 7 Project
With the two-hand control panel a "machine" is started, which is simulated by an indicator light in this example. As long as the two push buttons of the two-hand control panel remain pressed, the "machine" "runs" (indicator light is on). As soon as one push button is released or if the simulated "machine time" has elapsed, the "machine" stops (indicator light goes off).
Furthermore, the "machine" stops if the failsafe input/output modules of the ET 200S are passivated and if the emergency stop push button integrated in the two-hand control panel is actuated.
The conditions necessary for the actuators to meet the requirements of Safety Category 4 (e.g. read back of the actuator signals) are not described in this example.
Download
The download is available via the following link:
http://support.automation.siemens.com/WW/view/en/21331100
To call the corresponding project file, open the "as_fe_i_006_v10_code_2hand.zip" file offered as separate download (on the HTML page) and extract it into a user-defined directory.
To download the project to the F CPU please proceed as follows:
■ First load the hardware configuration into the S7-CPU
■ Switch to the SIMATIC Manager
■ Select the "Blocks" folder
■ Menu "Options" -> Edit safety program
■ Click the "Download" button
Program procedure
The standard user program only consists of a call of FC "F-CALL" in the cyclic interrupt OB (OB 35). The only non-safety-related signal (acknowledgement signal) is evaluated directly in the safety program.
The failsafe program has the following program sequence:
Figure G_FB_XX_138: OB35 calls FC1 (F-CALL), which calls FC2. FC2 calls FC3 "2HAND" (inputs HAND1 and HAND2, output Q1 to "HELP_DB1".COND1), FC4 "E_STOP" (inputs ACK and ESTP, output Q2 to "HELP_DB1".COND2), FC5 "START" (inputs COND1 and COND2 from "HELP_DB1", output LAMP) and FC6 "REINTEGRATION".
F-CALL (FC1)
F-CALL (FC1) is the F runtime group and is called from the cyclic interrupt OB (OB35). F-CALL calls the F program block (here the FC 2).
FC "2H_and_ESTP" (FC 2)
FC 2 ensures the modular setup of the safety program.
The "two-hand control" functionality is basically implemented in the function blocks FC3, FC4 and FC5, FC6 called by FC2.
Block | Task
FC "2Hand" (FC 3) | Evaluation of the status of the two exclusive OR sensors of the two-hand control panel.
FC "E_STOP" (FC 4) | Evaluation of the status of the emergency stop mushroom-head push button integrated in the two-hand control panel.
FC "START" (FC 5) | Evaluation of the information from FC3 and FC4 to start the "machine".
FC "REINTEGRATION" (FC 6) | Reintegration after passivation of F-DI or F-DO.
FC "2Hand" (FC 3)
Input parameter | Assignment | Function
HAND1, HAND2 | Exclusive OR sensor of the two-hand control panel | Starting the "machine". To start the machine both exclusive OR sensors must be pressed simultaneously and have to remain pressed during the entire "machine time".
Output parameter | Assignment | Function
HELP_DB1.COND1 | Bit from F-DB | Storing the result for later evaluation in FC5
For realisation of the "two-hand control", FC 3 calls the FB "F_2H_EN" (FB 211, DB 211). FB 211 is a certified block from the Distributed Safety library.
Figure G_FB_XX_139: call of "F_2H_EN" with the instance "INSTANZ_FB211": IN1 = #HAND1, IN2 = #HAND2, ENABLE = "HELP_DB1".EN_ESTP, DISCTIME = T#500MS; outputs Q and ENO.
In #HAND1 and #HAND2 the make contacts of the exclusive OR sensors of the two-hand control panel are polled.
Both exclusive OR sensors have to be pressed within a certain time. This time is specified at the DISCTIME parameter of FB "F_2H_EN" (FB 211). The maximum permissible value which can be parameterized is 500 ms (according to EN 574).
Q can only be set with a "1" signal at ENABLE. The bit "HELP_DB1".EN_ESTP is the emergency stop signal (see FC 4): "HELP_DB1".EN_ESTP will be set if the emergency stop button is unlocked and acknowledged. Consider the following scenario:
■ The emergency stop is pressed
■ An acknowledgement is done
■ Both exclusive OR sensors are pressed and will be pressed all along
■ The emergency stop is unlocked
Even though both exclusive OR sensors have been pressed during those 4 steps, the "machine" will not turn on (a release of both exclusive OR sensors is necessary).
FC "E_STOP" (FC 4)
Input parameter | Assignment | Function
ACK | Push button (NO) | An acknowledgement prior to the start of the "machine" is required in the following cases: ■ First start ■ After unlocking the emergency stop ■ After the F-DI has come from passivation (reintegration). The ACK signal is received by a standard DI. The signals which are not failsafe are indicated in color in the F program.
ESTP | Emergency stop push button (NC/NC) | Interruption of the "machine activity"
Output parameter | Assignment | Function
HELP_DB1.COND2 | Bit from F-DB | Storing the result for later evaluation in FC5
FC "START" (FC 5)
Input parameter | Assignment | Function
HELP_DB1.COND1 | Bit from F-DB | Condition for the start of the "machine" from FC3
HELP_DB1.COND2 | Bit from F-DB | Condition for the start of the "machine" from FC4
Output parameter | Assignment | Function
LAMP | Indicator light connected to the F-DO | Simulates the "machine" to be started by the two-hand control.
To start and operate the "machine" (indicator light ON), HELP_DB1.COND1 and HELP_DB1.COND2 each have to be on "1" signal. The "machine" runs for 4 seconds with the default setting (LAMP="1"). Subsequently the "machine" stops (LAMP="0"). In order to restart the machine it is necessary to release the push buttons of the two-hand control once before restarting.
The machine time is simulated with FB "F_TON" (FB185). FB "F_TON" (FB185) is a certified block from the Distributed Safety library.
Figure G_FB_XX_140: #COND1 and #COND2 are ANDed and fed to IN of "F_TON" (instance "Instanz_FB185", PT = T#4S, simulated machine time); the timer output Q is stored in "HELP_DB1".RUNTIME_BIT. A second AND that evaluates "HELP_DB1".RUNTIME_BIT is assigned to #LAMP.
Note
The bits from DB "HELP_DB1" (DB1) mentioned here and used in the STEP 7 program are only used for buffering.
FC "REINTEGRATION" (FC 6)
Network 4 of FC 2 calls FC 6 where the reintegration is implemented in case of a passivation of F-DI or F-DO. For the F-DO a memory bit REINT is prepared. With a positive edge of REINT the F-DO will be reintegrated.
Warning!
In this example the reintegration of passivated modules takes place automatically. Only use the automatic reintegration for your applications if it does not cause hazards.
A passivation is indicated by an illuminated LED "SF" on the module. The reintegration of an F module may take approx. one minute.
Operating instructions
Prerequisite:
■ Hardware configuration and safety program are in the S7-CPU
■ Emergency stop unlocked
■ No passivation of F-DI/F-DO
No. | Instruction | Result/Note
1 | Press the acknowledgement push button and release it. | Necessary prior to the first start.
2 | Simultaneously press the exclusive OR sensors of the two-hand control and keep them pressed | Start of the "machine" (indicator light goes on)
3 | Wait 4 seconds | Simulated machine time. After 4 seconds the "machine" goes off (indicator light goes off).
4 | Release the exclusive OR sensor | You can continue with no. 2.
Note
An acknowledgement is required after an actuated emergency stop, discrepancy time exceeding of an exclusive OR sensor or prior to starting the "machine" for the first time.
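The behaviour described above for FC 3, FC 4 and FC 5, as an added Python model that is not part of the Siemens sample project and does not reproduce the certified F_2H_EN or F_TON blocks. The 500 ms discrepancy time and the 4 s machine time are the page's values; the 100 ms cycle, all class and function names, and the use of the inverted RUNTIME_BIT to switch the lamp off are assumptions. Discrepancy monitoring inside one sensor (∆t1, ∆t2) and passivation are handled by the F-DI hardware and are not modelled.

```python
"""Behavioural model of the two-hand logic described for FC 3, FC 4 and FC 5."""

CYCLE_MS = 100          # assumption: call interval of the safety program
DISCTIME_MS = 500       # DISCTIME shown on the page (T#500MS)
MACHINE_TIME_MS = 4000  # simulated machine time shown on the page (T#4S)


class TwoHandEnable:
    """Both inputs must go from released to pressed within the discrepancy time."""
    IDLE, ONE_PRESSED, ACTIVE, LOCKED = range(4)

    def __init__(self, disctime_ms=DISCTIME_MS):
        self.disctime_ms = disctime_ms
        self.state = self.IDLE
        self.elapsed_ms = 0

    def step(self, dt_ms, in1, in2, enable):
        both = in1 and in2
        if not (in1 or in2):
            # Only a release of both sensors re-arms the evaluation.
            self.state, self.elapsed_ms = self.IDLE, 0
        elif self.state == self.IDLE:
            if not enable:
                self.state = self.LOCKED      # pressed while ENABLE is "0"
            elif both:
                self.state = self.ACTIVE
            else:
                self.state, self.elapsed_ms = self.ONE_PRESSED, 0
        elif self.state == self.ONE_PRESSED:
            self.elapsed_ms += dt_ms
            if not enable or self.elapsed_ms > self.disctime_ms:
                self.state = self.LOCKED      # second hand came too late
            elif both:
                self.state = self.ACTIVE
        elif self.state == self.ACTIVE and not (both and enable):
            self.state = self.LOCKED          # a hand was released or ENABLE dropped
        return self.state == self.ACTIVE


class TwoHandStation:
    """Emergency stop enable, two-hand evaluation and 4 s machine time."""

    def __init__(self):
        self.two_hand = TwoHandEnable()
        self.en_estp = False   # first start needs an acknowledgement
        self.prev_ack = False
        self.run_ms = 0

    def step(self, dt_ms, hand1, hand2, ack, estp):
        """estp is the NC emergency stop signal: True means unlocked."""
        ack_edge = self.prev_ack and not ack   # the negative edge is evaluated
        self.prev_ack = ack
        if not estp:
            self.en_estp = False
        elif ack_edge:
            self.en_estp = True
        cond1 = self.two_hand.step(dt_ms, hand1, hand2, self.en_estp)
        cond2 = self.en_estp
        if not (cond1 and cond2):
            self.run_ms = 0                    # timer input is "0": timer resets
            return False
        runtime_bit = self.run_ms >= MACHINE_TIME_MS
        self.run_ms += dt_ms
        return not runtime_bit                 # lamp ("machine") state


def simulate(station, segments):
    """segments: (duration_ms, hand1, hand2, ack, estp); lamp at the end of each."""
    lamps = []
    for duration_ms, hand1, hand2, ack, estp in segments:
        lamp = False
        for _ in range(duration_ms // CYCLE_MS):
            lamp = station.step(CYCLE_MS, hand1, hand2, ack, estp)
        lamps.append(lamp)
    return lamps


# Constructed input: press and release the acknowledgement push button.
ACK = [(100, False, False, True, True), (100, False, False, False, True)]


def estop_with_hands_held():
    """Emergency stop while both sensors stay pressed (constructed scenario)."""
    return simulate(TwoHandStation(), ACK + [
        (500, True, True, False, True),    # machine runs
        (200, True, True, False, False),   # emergency stop pressed
        (200, True, True, False, True),    # unlocked, not yet acknowledged
        (100, True, True, True, True),     # acknowledgement pressed
        (200, True, True, False, True),    # acknowledged, hands still held
        (100, False, False, False, True),  # both sensors released
        (200, True, True, False, True),    # pressed again: machine starts
    ])
```

The last three segments show why a release of both sensors is needed: the enable bit returns after the acknowledgement, but the lamp stays off until the sensors are released and pressed again.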
Integration of the Readback Signal in an Application of Category 4 acc. to EN 954-1
Ex. No.
7
Automation Function
Description of the functionality
What is "read back"?
The part of a circuit in which read back is implemented is referred to as feedback circuit. In this circuit the status of the contactor auxiliary contacts is evaluated; it is required to use positively driven contacts. Starting a safety application is only possible with a closed feedback circuit. If, for instance, a main contact or a release contact of a contactor welds, reactivating the safety circuit is not possible.
Read back is thus used for monitoring the load to prevent a reactivation in case of a fault. This also applies to the use of valves and it is already required from Safety Category 2.
Functional example
In the functional example described here a motor is started and stopped. Using this example it will be shown
■ how the feedback circuit is integrated in the circuit design and
■ how it is evaluated using STEP 7
According to the machinery directive each machine has to be equipped with one or several emergency stop control devices. This is the reason why an emergency stop functionality is integrated in this example; however, this functionality is not described in detail. Explanations on the subject emergency stop are available in "Safety Integrated Functional Example" 1.
Safety Category 4
In order to meet the requirements of Safety Category 4 it is obligatory to read back the process signal to the actuator. This example complies with the requirements of Safety Category 4.
Reaction times
Use the Excel file, which is available for S7 Distributed Safety V 5.3, for the calculation of the max. reaction time of your F system. This file is available on the internet:
http://support.automation.siemens.com/WW/view/en/19138505
Flowchart
The flowchart shown below illustrates the function process of the example. The acknowledgement in the flowchart is required
■ prior to starting the motor for the first time
■ prior to a start after activating the emergency stop
■ after reintegration (end of a passivation) of the failsafe input module of the ET 200S
Flowchart (G_FB_XX_141): Start; decision steps "Motor OFF?", "Emergency stop unlocked?", "Emergency stop pressed?", "Acknowledgement required?", "Readback error?", "Start command?" and "Stop command?"; actions "Motor ON" and "Motor OFF".
Advantages/customer benefits
■ Wiring reduced to a minimum due to use of failsafe S7-CPU and distributed I/O. The more safety functions are implemented, the more useful this advantage is.
■ Programming the failsafe program with STEP 7 engineering tools
■ Only one CPU is required, since failsafe and standard program parts run on a coexistent basis in the CPU
Functional Example No. AS-FE-I-007-V10-EN
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty
Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1
S7-CPU, can be used for safety applications | CPU 315F-2DP | 6ES7315-6FF01-0AB0 | 1
Micro Memory Card | MMC 512 kB | 6ES7953-8LJ10-0AA0 | 1
Interface module for ET 200S | IM 151 High Feature | 6ES7151-1BA00-0AB0 | 1
Power module for ET 200S | PM-E DC24..48V AC24..230V | 6ES7138-4CB10-0AB0 | 2
Electronic module for ET 200S | 2DI HF DC24V | 6ES7131-4BB00-0AB0 | 3
Electronic module for ET 200S | 4/8 F-DI DC24V | 6ES7138-4FA01-0AB0 | 1
Electronic module for ET 200S | 4 F-DO DC24V/2A | 6ES7138-4FB01-0AB0 | 1
Terminal module for ET 200S | TM-P15S23-A0 | 6ES7193-4CD20-0AA0 | 2
Terminal module for ET 200S | TM-E15S24-A1 | 6ES7193-4CA20-0AA0 | 3
Terminal module for ET 200S | TM-E30C46-A1 | 6ES7193-4CF50-0AA0 | 2
Profile rail | 482.6 mm | 6ES7390-1AE80-0AA0 | 1
Standard mounting rail | 35 mm, length: 483 mm | 6ES5710-8MA11 | 1
Emergency stop | Push button, 1NC | 3SB3801-0DG3 | 1
Contact (for Emergency stop) | 1NC, screw-type connection | 3SB3420-0C | 1
Push button | green, 1NO | 3SB3801-0DA3 | 2
Push button | red, 1NC | 3SB3801-0DB3 | 1
Contactor | AC-3, 3KW/400V, 1NC, DC 24V, | 3RT1015-2BB42 | 2
Excess voltage limiter for plugging onto contactor | RC element AC 24...48V, DC 24...70V | 3RT1916-1CB00 | 2
Motor | Low-voltage motor 0.12kW | 1LA7060-4AB10 | 1
Circuit breaker for motor protection | 0.35...0.5A | 3RV1011-0FA1 | 1
Manufacturer: Siemens AG
Note
The functionality was tested with the hardware components listed. Similar products not included in the above list can also be used. Please note that in this case changes in the sample code (e.g. different addresses) may become necessary.
Warning!
Always check whether contactors and circuit breakers are suitable for the used motor with regard to the performance data. Furthermore, ensure safe operation on the mains supply by using appropriate fuses.
Configuration software/tools
Component | Type | MRPD / Ordering data | Qty
SIMATIC STEP 7 | V5.3 + SP1 | 6ES7810-4CC07-0YA5 | 1
SIMATIC Distributed Safety | V5.3 | 6ES7833-1FC01-0YA5 | 1
Manufacturer: Siemens AG
Setup and Wiring
In order to set up and wire the functional example, it is absolutely necessary to consider the following note:
Note
In order to meet the requirements of Safety Category 4, it is obligatory to read back the process signal to the actuator.
An overview of the hardware structure
Overall arrangement
The arrangement used to demonstrate the signal feedback consists of a PROFIBUS configuration. A failsafe S7-CPU is used as DP master, an ET 200S as DP slave.
Figure: hardware overview with PS 307, CPU 315F and the ET 200S station (PM-E, IM 151 HF, PM-E, 2DI HF, F-DO, F-DI) connected via DP; connected devices: START, STOP, ACK, emergency stop and readback signals; load circuit with circuit breaker, two contactors and three-phase alternating current motor.
Note
One 4DI electronic module can be used instead of two 2DI electronic modules. The "high feature" electronic modules can also be replaced by standard modules.
Readback signal
The readback signals are connected to the hardware via the auxiliary contacts (NC) of the contactors. The auxiliary contacts of the contactors are connected to the standard input channel of the ET 200S. There are 2 options:
Option 1 (as described in this example): The signals are read back individually via one input each. This provides better diagnostic functions.
Option 2 (could also be done as shown below): The signals are read back via a total of one input.
Figure G_FB_XX_142: 2DI HF modules with the read back signals of contactor K1 and contactor K2, shown for both options.
Note
The reason that two input modules are shown under "Option 1" is due to the division of the signals in the respective example program. In general, the two required inputs can also be located on one input module.
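The feedback circuit described under "What is "read back"?" and the two connection options above, as an added Python model that is not the STEP 7 project's code. It shows a welded contactor blocking the restart and what each option can report about it; the 300 ms feedback time, the 100 ms cycle, the series connection assumed for Option 2, the negative-edge acknowledgement and all names are assumptions.

```python
"""Feedback-circuit (readback) monitoring for two contactors K1 and K2."""

CYCLE_MS = 100          # assumption: program cycle
FEEDBACK_TIME_MS = 300  # assumption: permitted pick-up/drop-out time


class Contactor:
    """Plant model with a positively driven NC auxiliary contact."""

    def __init__(self):
        self.welded = False

    def aux_nc(self, coil):
        # The NC contact is closed ("1") only while the main contacts are open.
        return not (coil or self.welded)


class FeedbackMonitor:
    def __init__(self, feedback_time_ms=FEEDBACK_TIME_MS):
        self.feedback_time_ms = feedback_time_ms
        self.k1_k2 = False         # coil command for both contactors
        self.ack_required = True   # first start needs an acknowledgement
        self.readback_error = False
        self._mismatch_ms = 0
        self._prev_ack = False

    def step(self, dt_ms, start, stop, ack, estp, feedback_closed):
        """One cycle. stop and estp are NC signals: True means not actuated."""
        ack_edge = self._prev_ack and not ack
        self._prev_ack = ack
        # The NC feedback must be the inverse of the coil command.
        if feedback_closed == (not self.k1_k2):
            self._mismatch_ms = 0
        else:
            self._mismatch_ms += dt_ms
            if self._mismatch_ms > self.feedback_time_ms:
                self.readback_error = True
                self.ack_required = True
                self.k1_k2 = False
        if not estp:
            self.ack_required = True
            self.k1_k2 = False
        if not stop:
            self.k1_k2 = False
        # An acknowledgement is only accepted with a closed feedback circuit.
        if ack_edge and estp and feedback_closed and not self.k1_k2:
            self.ack_required = False
            self.readback_error = False
        if (start and stop and estp and feedback_closed
                and not self.ack_required and not self.k1_k2):
            self.k1_k2 = True
        return self.k1_k2


def diagnose_option1(coil, k1_help, k2_help):
    """One input per contactor: the faulty contactor can be named."""
    expected = not coil
    return [name for name, signal in (("K1", k1_help), ("K2", k2_help))
            if signal != expected]


def diagnose_option2(coil, series_input):
    """One shared input: only the existence of a fault is visible."""
    return [] if series_input == (not coil) else ["K1 or K2"]


def run_weld_scenario():
    """K2 welds while the motor runs (constructed fault); returns the findings."""
    k1, k2, mon = Contactor(), Contactor(), FeedbackMonitor()

    def cycle(start=False, stop=True, ack=False, estp=True):
        a1, a2 = k1.aux_nc(mon.k1_k2), k2.aux_nc(mon.k1_k2)
        mon.step(CYCLE_MS, start, stop, ack, estp, a1 and a2)
        return a1, a2

    cycle(start=True)
    started_without_ack = mon.k1_k2
    cycle(ack=True)
    cycle()                       # acknowledgement pressed and released
    cycle(start=True)
    running = mon.k1_k2
    k2.welded = True
    cycle(stop=False)             # stop request drops the coil command
    for _ in range(5):
        k1_help, k2_help = cycle()
    result = {
        "started_without_ack": started_without_ack,
        "running": running,
        "readback_error": mon.readback_error,
        "option1": diagnose_option1(mon.k1_k2, k1_help, k2_help),
        "option2": diagnose_option2(mon.k1_k2, k1_help and k2_help),
    }
    cycle(ack=True)
    cycle()
    cycle(start=True)             # restart attempt with the fault still present
    result["restarted"] = mon.k1_k2
    return result
```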
Wiring of the hardware components
Requirements: The power supplies are supplied with 230V AC.
First check the addresses set at the hardware components listed below:
Hardware component | Address to be set | Note
IM 151 High Feature | 6 (PROFIBUS address) | Can be changed
F-DI | Switch position: 1111111110 | The PROFIsafe addresses are automatically assigned during configuring the failsafe modules in STEP 7. The PROFIsafe addresses 1 to 1022 are permissible. Please make sure that the setting at the address switch (DIP switch) on the side of the module corresponds to the PROFIsafe address in the hardware configuration of STEP 7.
F-DO | Switch position: 1111111101 | (see the note for F-DI)
Note
The DP interface of the CPU 315F must be connected with the DP interface of the IM 151 HF.
Note
The wiring of the hardware is illustrated below. In the following table the hardware components which occur several times are numbered to ensure that they can be clearly assigned in the subsequent wiring diagram.
Figure G_FB_XX_143: ET 200S station (PM-E, IM 151 HF, PM-E, 2DI HF, F-DO, F-DI) with terminal designations.
Figure G_FB_XX_144: ET 200S station with the numbered 2 DI HF modules and their terminal designations.
Figure G_FB_XX_145: wiring diagram with PS 307 / CPU 315F, IM 151 HF, PM-E (AUX1), the 2 DI HF modules, F-DI and F-DO, the supply lines L1, N, PE, L+ and M, the Start, Stop and Acknowledgement push buttons, the emergency stop button, and contactor K1 and contactor K2 (terminals A1+, A2-, 21, 22).
Note
A connection between the MPI interface of your PG/PC and the MPI interface of the CPU 315F-2DP (MPI cable) is required to download the S7 project to the CPU 315F-2DP.
The load circuit looks as follows:
Figure G_FB_XX_146: load circuit with L1, L2, L3 and PE, circuit breaker F1, contactor K1 and contactor K2 (each with terminals 1, 3, 5 / 2, 4, 6) and the motor in star connection.
Function test
After wiring the hardware components you can check the inputs and outputs used with regard to their functionality (after
downloading the S7 project).
Inputs/outputs used
No. | Hardware component | Address | Symbol | Signal (default value) | Note
1 | Push button (NO) | E 0.0 | START | "0" | Start request
2 | Push button (NC) | E 0.1 | STOP | "1" | Stop request
3 | Push button (NO) | E 1.0 | ACK | "0" | Acknowledgement
4 | Contactor auxiliary contact (NC) | E 1.1 | K1_HELP | "1" | Readback signal
5 | Contactor auxiliary contact (NC) | E 2.0 | K2_HELP | "1" | Readback signal
6 | Emergency stop push button | E 3.0 | ESTP | "1" | –
7 | Magnet coil contactor | A 9.0 | K1_K2 | "0" | –
Testing inputs and outputs
Requirements: The inputs and outputs have the default values specified under "Inputs/outputs used".
Warning!
The instructions listed in the table below should first be performed without activated load circuit.
No. | Instruction | Response A 9.0 | Response K1, K2 | Response Motor | Note
1 | Press the push button E 1.0 and release it. | "0" | not activated | OFF | Acknowledgement
2 | Press the push button E 0.0 and release it. | "1" | activated | ON | Start request
3 | Press the push button E 0.1 and release it. | "0" | not activated | OFF | Stop request
4 | Repeat no. 2. | "1" | activated | ON | Start request
5 | Press the emergency stop (E 3.0). | "0" | not activated | OFF | Activate emergency stop
6 | Unlock the emergency stop. | | not activated | | –
7 | Repeat no. 1 and 2. | "1" | activated | ON | Acknowledgement and start request
8 | Press the push button E 0.1 and release it. | "0" | not activated | OFF | Stop request
An acknowledgement is required
■ when starting for the first time
■ after unlocking the emergency stop
■ after reintegration (module was passivated) of the failsafe input module (F-DI) of the ET 200S
■ after exceeding the read-back time in the feedback circuit monitoring
Important hardware component settings
Below, several important settings from the hardware configuration of STEP 7 are shown to provide you with an overview. These settings are available in the included STEP 7 project. It is basically possible to change these settings (e.g. due to individual requirements) but please consider the following note:
Warning!
The settings shown below contribute to meeting the requirements of Safety Category 4. Changes to the settings may cause loss of the safety function.
If you implement changes (e.g. add an additional module), the sample code has to be adapted accordingly.
Overview picture
The PROFIBUS address at IM 151HF is set using DIP switches.
Settings of the CPU 315F-2DP
The settings are displayed after double-clicking "CPU 315F-2 DP" (see "Overview picture").
Default value: 100 ms. It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Available in the "Protection" tab.
A password has to be allocated in order to be able to set the parameter "CPU Contains Safety Program". It is only in this case that all required F blocks for safe operation of the F modules are generated during compiling the hardware configuration of STEP 7.
Password used here: siemens
Set mode: "Test Mode"
During Process Mode the test functions such as program status or monitor/modify variable are restricted in such a way that the set permitted increase in scan cycle time is not exceeded. Testing with stop-points and gradual program execution cannot be performed.
During Test Mode all test functions can be used without restrictions via PG/PC, which can also cause larger extensions of the cycle time. Important: During test mode of the CPU you have to make sure that the CPU or the process can "stand" large increases in cycle time.
Settings of the failsafe F-DI
The settings are displayed after double-clicking "4/8 F-DI DC24V" (see "Overview picture").
Also in the "Parameter" tab.
Channel 0, 4
The two break contacts of the emergency stop push button are polled in a 1oo2 evaluation.
The two-channel emergency stop push button is supplied with power via the module. Category 4 is reached due to the fact that a cross-circuit detection is possible. This requires that the short circuit test is activated.
All other channels
deactivate
DIL switch settings
This value has to be set on the module (F-DI).
F monitoring time
It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Settings of the failsafe F-DO
7
Settings for the readback signals
The settings are displayed after double-clicking "4 F-DO
DC24V/2A" (see "Overview picture").
DIL switch settings
This value has to be set on the module (F-DO).
F monitoring time
It has to be observed that the F monitoring time must be
larger than the call time of OB 35.
The readback signals ("K2_HELP" is shown in the screenshot)
are read in via a standard input module of the ET 200S; they
don't have to be read via a failsafe input module.
Activate the used channel 0, deactivate channels (1, 2, 3)
which are not used.
The output of channel 0 provides the pick-up/drop-out of the
contactor coils of K1 and K2.
The read-back time defines the duration of the switch-off process for the respective channel. If the respective channel switches high capacity loads, the read-back time should be set sufficiently large. We recommend setting the read-back time as small as possible by trial, however large enough to ensure that the output channel is not passivated.
Basic Performance Data
Load and main memory (without program code)
            | Total          | S7 standard blocks | F blocks (failsafe)
Load memory | approx. 37,5 k | approx. 0,2 k      | approx. 37,3 k
Main memory | approx. 28,2 k | approx. 0,09 k     | approx. 28,1 k
Load and main memory (with program code)
            | Total          | S7 standard blocks | F blocks (failsafe)
Load memory | approx. 46,3 k | approx. 1,0 k      | approx. 45,3 k
Main memory | approx. 33,4 k | approx. 0,4 k      | approx. 33,0 k
Cycle time
Total cycle time (typical value)   | approx. 5 ms | Standard and safety program
Max. runtime of the safety program | 8 ms         | Calculation with the Cotia table. Page 180 specifies where to find it.
Sample Code
Preliminary Remarks
Enclosed, we offer you the STEP 7 project as sample code in
which readback is demonstrated.
Note
The focus of this functional example is to demonstrate
how the readback signal is connected to the hardware
and how it is evaluated using software (STEP 7). Running the motor is a means to an end. The emergency
stop functionality is used for safety reasons if the example is reproduced.
The sample code is always assigned to the components used
in the functional examples and implements the required functionality. Problems not dealt with in this document are to be
implemented by the user; the sample code may serve as a basis.
Password
In all cases, the password used for the safety-relevant part is "siemens".
Use of the STEP 7 Project
Download
The download is available via the following link:
http://support.automation.siemens.com/WW/view/en/21331098
To call the corresponding project file open the "f07_readback_v10.zip" file offered as separate download (on the HTML page) and extract it into a user-defined directory.
To download the project to the F CPU please proceed as follows:
■ First load the hardware configuration into the S7-CPU
■ Switch to the SIMATIC Manager
■ Select the "Blocks" folder
■ Menu "Options" -> Edit safety program
■ Click the "Download" button
The sample code with the given configurations enables the following:
■ Starting and stopping a three-phase asynchronous motor considering the signals read back from the actuator.
■ Emergency stop for shutdown in case of a fault.
A three-phase asynchronous motor is started via a push button (NO) and stopped via a push button (NC). In case of emergency the motor can also be stopped via an emergency stop push button.
This functionality is used as a framework to show how the signals are read back from the actuator and evaluated within the STEP 7 program.
Program procedure
The standard user program basically consists of two networks in OB1:
Network 1
[Figure: FBD of network 1: "K1_HELP" & "K2_HELP" = "FEEDBACK"]
The auxiliary contacts of K1 and K2 are evaluated under the memory bit FEEDBACK in the safety program.
Network 2
[Figure: FBD of network 2 with the elements "START", positive edge detection P with "FL_P", "STOP", "INSTANZ_FB1".EN, >=1, the SR flip-flop "SR" (inputs S and R, output Q) and the assignment to "COND"]
The switch-on condition COND="1" is only possible if the R input of the flip-flop is on "0" signal (if there is a "1" signal at both the S and the R input, the reset function is predominant in this flip-flop).
INSTANZ_FB1.EN characterizes the signal state of a flip-flop in the safety program (used as static variable in the safety program). As long as a necessary acknowledgement has not been transmitted in the safety program this bit remains on "0" and the motor cannot be started.
The information of the flag "COND" is read as flag COND1 in the safety program. This assignment takes place in the cyclic interrupt OB 35 for the following reason:
Note
The reason below also applies to the memory bit FEEDBACK from network 1.
If you want to read data from the standard user program (flags or PII of standard I/O) in the safety program (here: COND), which can be changed by the standard user program or an operator control and monitoring system during the runtime of an F run-time group, it is required to use separate flags (here: COND1). Data from the standard user program have to be written to these flags immediately before calling the F runtime group. Only these flags may then be accessed in the safety program.
This has already been implemented in this example. In general, however, the following applies:
Note
If the above section is not observed the F CPU may go to STOP mode.
The failsafe program has the following program sequence:
[Figure: program sequence with F-CALL (FC1), FB "F_PRG" (FB1, DB1), FB "F_FDBACK" (FB216, DB216; from the Distributed Safety library) and FC "REINTEGRATION" (FC2)]
F-CALL (FC1)
The obligatory F-CALL (FC 1) is called from the cyclic interrupt OB (OB 35). This OB calls the F runtime group (here FB 1).
FB "F_PRG" (FB 1, DB 1) and FB "F_FDBACK" (FB 216, DB 216)
Network 1
FB "F_PRG" (FB1, DB1) first calls FB "F_FDBACK" (FB216, DB216). FB 216 is a certified block from the Distributed Safety library; this block is available from version 5.3.
[Figure: FBD of network 1. An SR flip-flop with the operands "ACK", "ESTP", #ERROR, negative edge detection N with #N, >=1 and the static variable #EN; call of "F_FDBACK" with instance "INSTANZ_FB216" and the parameters EN, ON, FEEDBACK, QBAD_FIO, ACK_NEC, ACK, FDB_TIME, Q, ERROR, ACK_REQ, DIAG and ENO; operands shown: "COND1", "FEEDBACK", "F00009_4_F_DO_DC24V_2A".QBAD, "ACK_NEC", "ACK", T#100MS, "K1_K2", #ERROR, #ACK_REQ]
The acknowledgement signal ACK is responsible for the acknowledgement after activating and unlocking the emergency stop as well as after exceeding the feedback time FDB_TIME (on FB 1). The latter is indicated by #ERROR="1".
The status of the flip-flop is stored in the static variable #EN and read as switch-on condition in OB 1.
A "1" signal on the formal parameter ACK_NEC indicates that a manual acknowledgement is required to set the release (formal parameter Q). The bit #ACK_NEC is a static variable with initial value "0".
Output Q is set to 1 as soon as input ON = 1. It is required that readback input FEEDBACK = 1 and that no readback error is stored.
A readback error ERROR = 1 is detected if the signal state of the readback input FEEDBACK (to output Q) does not follow the signal state of the input ON within the maximum tolerable readback time FDB_TIME. K1_K2 is the bit from the F-output module, which sets the contactors K1 and K2.
To ensure that no readback error is detected and that no acknowledgement is required in a passivation of the failsafe I/O modules controlled by output Q, you have to supply the input QBAD_FIO with the variable QBAD of the corresponding failsafe I/O module DB.
Note
Before inserting the F application block F_FDBACK, you have to copy the F application block F_TOF from the block container F-Application Blocks\Blocks of the F library Distributed Safety (V1) into the block container of your S7 program if it is not available in this container (has already been done in this example project).
Warning!
When using the F application block F_FDBACK it is required that the F application block F_TOF has the number FB 186 and that the number is not changed!
Example
Contactor K1 welds during shutdown. In the S7 program this process is detected as follows:
No. | Function | Comment
1 | The memory bit "FEEDBACK" does not go to "1" after shutting down so that the auxiliary contacts of K1 and K2 are on different signals. | OB 1, network 1
2 | At the input FEEDBACK of FB 216 in the safety program this signal does now not follow (within the parameterizable read-back time FDB_TIME) the signal of the status of the input ON. | FB 216, call in FB 1
3 | The error bit ERROR is set at FB216. |
4 | ACK_REQ="1" is only displayed after eliminating the welding of the contactor, which indicates that the error has been corrected and that an acknowledgement can be made. |
5 | After the acknowledgement ERROR is reset and a restart can be performed. |
Network 2
Network 2 of FB 1 calls FC 2 where the reintegration is implemented in case of a passivation of F-DI or F-DO.
FC "REINTEGRATION" (FC 2)
Warning!
In this example, the reintegration of passivated modules takes place automatically. Only use the automatic reintegration for your applications if it does not cause hazards.
A passivation is indicated by an illuminated LED "SF" on the module. The reintegration of an F module may take approx. one minute.
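The readback monitoring described above for F_FDBACK, replayed on the welded-contactor example, as an added Python model that is not part of the Siemens sample project and not the certified block. Assumptions: a 50 ms call interval, a level-triggered ACK that is always manual, and FEEDBACK taken from NC auxiliary contacts (it reads "1" when K1 and K2 have dropped out); the class, function and trace names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class FeedbackMonitor:
    """Simplified model of the readback monitoring described for F_FDBACK."""
    fdb_time_ms: int = 100   # FDB_TIME, T#100MS in the example
    cycle_ms: int = 50       # assumed call interval of the F runtime group
    q: bool = False          # release output (drives K1_K2)
    error: bool = False      # stored readback error
    ack_req: bool = False    # acknowledgement possible
    _mismatch_ms: int = 0    # how long FEEDBACK has failed to follow Q

    def cycle(self, on, feedback, ack=False, qbad_fio=False):
        """Evaluate one call; returns (Q, ERROR, ACK_REQ)."""
        if self.error:
            # A stored error keeps the output off. ACK_REQ only appears
            # once the contacts are back in their rest position.
            self.q = False
            self.ack_req = feedback
            if ack and self.ack_req:
                self.error = False
                self.ack_req = False
                self._mismatch_ms = 0
            return self.q, self.error, self.ack_req

        if not on:
            self.q = False
        elif self.q or feedback:
            # Switching on requires FEEDBACK = 1 (contactors dropped out).
            self.q = True

        # With NC contacts a healthy FEEDBACK is the inverse of Q.
        # QBAD_FIO suppresses monitoring while the F-DO is passivated.
        if qbad_fio or feedback != self.q:
            self._mismatch_ms = 0
        else:
            self._mismatch_ms += self.cycle_ms
            if self._mismatch_ms > self.fdb_time_ms:
                self.error = True
                self.q = False
        return self.q, self.error, self.ack_req


def run(trace, fdb_time_ms=100, cycle_ms=50):
    """Feed a list of per-cycle inputs through a fresh monitor."""
    mon = FeedbackMonitor(fdb_time_ms=fdb_time_ms, cycle_ms=cycle_ms)
    return [mon.cycle(**step) for step in trace]


# Constructed input trace: contactor K1 welds during shutdown.
WELDED_TRACE = [
    dict(on=True, feedback=True),              # 0 start request
    dict(on=True, feedback=False),             # 1 contactors pulled in
    dict(on=False, feedback=False),            # 2 stop, contact stays closed
    dict(on=False, feedback=False),            # 3
    dict(on=False, feedback=False),            # 4 FDB_TIME exceeded
    dict(on=True, feedback=False),             # 5 restart attempt
    dict(on=False, feedback=False, ack=True),  # 6 ACK while still welded
    dict(on=False, feedback=True),             # 7 weld eliminated
    dict(on=False, feedback=True, ack=True),   # 8 acknowledgement
    dict(on=True, feedback=True),              # 9 restart
]

if __name__ == "__main__":
    for n, (q, err, req) in enumerate(run(WELDED_TRACE)):
        print(f"cycle {n}: Q={int(q)} ERROR={int(err)} ACK_REQ={int(req)}")
```

The trace follows steps 1 to 5 of the table: the error is stored once FEEDBACK has failed to follow for longer than FDB_TIME, an acknowledgement is ignored while the weld persists, and a restart is only released after ACK_REQ has been shown and acknowledged.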
Operating instructions
Prerequisite:
■ Hardware configuration of STEP 7 and safety program are in the S7-CPU
■ Emergency stop unlocked
■ No passivation of the F-DI/F-DO
Warning!
The instructions listed in the table below should first be performed without activated load circuit.
Motor ON/OFF
No. | Instruction | Result/Note
1 | Press the acknowledgement push button and release it. | Necessary before starting the motor for the first time.
2 | Press the push button for start request and release it. | Contactors K1 and K2 are activated; due to this the motor starts
3 | Press the push button for stop request and release it. | Contactors K1 and K2 drop out; due to this the motor stops
Emergency stop
No. | Instruction | Result/Note
1 | If the motor is started for the first time: Press the acknowledgement push button. If not: No. 2 | An acknowledgement is required before starting the motor for the first time.
2 | Press the push button for start request and release it. | Contactors K1 and K2 are activated; due to this the motor starts
3 | Press the emergency stop push button. | Contactors K1 and K2 drop out: The motor stops
4 | Unlock the emergency stop push button | –
5 | Press the push button for start request and release it. | Contactors K1 and K2 are not activated, the motor does not start. Starting the motor is only possible after an acknowledgement.
Welding of a contactor
No. | Instruction | Result/Note
1 | If the motor is started for the first time: Press the acknowledgement push button. If not: No. 2 | An acknowledgement is required before starting the motor for the first time.
2 | Press the push button for start request and release it. | Contactors K1 and K2 are activated; due to this the motor starts
3 | Press the STOP push button and keep the coil of contactor K1 or K2 activated. | Simulated welding of the contactor.
4 | Press the push button for start request and release it. | F output for K1 and K2 is not switched.
Safety Shutdown in the Stop Categories 0 and 1
in Safety Category 4 according to EN 954-1
Automation Function
Description of the functionality
Classification
Three Stop Categories (Stop Category 0, 1 and 2) are defined
for the safety shutdown of machines. The Stop Category has
to be defined on the basis of the risk assessment of the machine. The standards and regulations are listed in DIN
EN 60204-1: 1998.
Stop Category 0
Stopping by immediate shutdown of the energy supply to the
machine actuators. This stopping is an uncontrolled stop.
Each machine has to be equipped with a stop function of Stop
Category 0. The stop of Category 0 must have priority. In this
example the shutdown complies with Safety Category 4.
Stop Category 1
Controlled stop during which the energy supply to the machine actuators is maintained to enable the stopping. The energy supply is only interrupted when the stop is reached. In
this example the shutdown complies with Safety Category 4.
Stop Category 2
Controlled stop during which the energy supply to the machine actuators is maintained.
In addition the conditions listed below apply to the emergency stop:
■ Precedence over all other functions and operations
■ Resetting must not trigger a restart (acknowledgement required)
Note
In this example we used a motor holding brake. The parameters we used for the MICROMASTER take this motor holding brake into consideration. If you do not wish to use the motor holding brake, please change the parameterization of the MICROMASTER.
Reaction times
Use the Excel file (Cotia table), which is available for S7 Distributed Safety V 5.3, for the calculation of the max. reaction time of your F system. This file is available on the internet:
http://support.automation.siemens.com/WW/view/en/19138505
Functional example
In this example, safety shutdown in the Stop Categories 0 and 1 is shown. The three-phase asynchronous motor is switched on and off via a MICROMASTER frequency converter. Apart from the operational stop, the motor can be stopped in a fail-safe manner as follows:
Stop Category 0
An NC button simulates a safety door contact. If the safety
door is opened during operation ("0" signal of the button) the
drive is immediately electrically isolated from the line supply
Stop Category 1
Stop Category 1 is used for an emergency stop. The motor is
brought to a standstill. After a parameterized time (after
which the motor must be safely in standstill) the motor is
taken off the grid.
Functional Example No. AS-FE-I-008-V11-EN
259
8
Ex. No.
Flowchart
The following flow chart shows the correlation (for a better
overview, operational stoppage is not displayed here):
[Flowchart: Begin; decisions "Motor running?", "Readback error?", "Emergency stop unlocked?", "Safety door open? (simulated signal)", "Acknowledgement necessary?", "Acknowledged?", "Start command?" and "Emergency stop pressed?"; actions "MICROMASTER is supplied with voltage", "MICROMASTER starts motor", "Motor runs", "MICROMASTER sets motor in stop" and "MICROMASTER and motor are electrically isolated from the line supply"; end state "Motor in stop and electrically isolated from the line supply" for Stop category 0 and for Stop category 1]
Time sequence for Stop Category 0
The times listed in the following table are also shown in a timing diagram below. The names of the signals correspond to the ones of the S7 program code.
Time | Explanation
t1 | With the acknowledge signal (negative edge) the contactors K1 and K2 are activated and supply the MICROMASTER with power. This switches the MICROMASTER on.
t2 | With the start signal (positive edge) the output MM of the standard output module switches a "1" signal to the MICROMASTER. This starts the motor according to a ramp parameterized in the MICROMASTER.
t3 | During operation the safety door is opened (FDOOR="0"). The safety door signal is in this example simulated by an (NC) button. The contactors K1 and K2 drop out and electrically isolate MICROMASTER and motor from the line supply; output MM is reset in the program.
[Timing diagram: signals ACK, START, FDOOR, MM and K1_K2 over time t with the instants t1, t2 and t3]
Time sequence for Stop Category 1
The times listed in the following table are also shown in a timing diagram below. The names of the signals correspond to the ones of the S7 program code.
Time | Explanation
t1 | With the acknowledge signal (negative edge) the contactors K1 and K2 are activated and supply the MICROMASTER with power. This switches the MICROMASTER on.
t2 | With the start signal (positive edge) the output MM of the standard output module switches a "1" signal to the MICROMASTER. This starts the motor according to a ramp parameterized in the MICROMASTER.
t3 | After activating the emergency stop (ESTP="0") the output MM of the standard output module is reset. The MICROMASTER then brings the motor to a stop.
t4-t3 | After this time the motor must be in standstill. This time is specified in the safety program as input parameter at a certified function block from the Distributed Safety library.
t4 | At motor standstill (parameterized time has elapsed) the contactors K1 and K2 drop out. This isolates the drive from the supply.
[Timing diagram: signals ACK, START, ESTP, MM and K1_K2 over time t with the instants t1, t2, t3 and t4]
Operational stop
If, in this example, the (NC) button for the operational stop is pressed, the following procedure takes place:
The motor is brought to a standstill by the MICROMASTER. Contactors K1 and K2 continue to supply the MICROMASTER with power. A motor restart is possible without previous acknowledgement.
Advantages/customer benefits
■ Wiring reduced to a minimum due to use of fail-safe S7-CPU and distributed I/O. The more safety functions are implemented, the more useful this advantage is.
■ Programming the fail-safe program with STEP 7 engineering tools.
■ Only one CPU is required, since fail-safe and standard program parts run on a coexistent basis in the CPU
■ Use of prefabricated (and certified) fail-safe blocks from the
Distributed Safety library.
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty
Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1
S7-CPU, can be used for safety applications | CPU 315F-2DP | 6ES7315-6FF01-0AB0 | 1
Micro Memory Card | MMC 512 KByte | 6ES7953-8LJ10-0AA0 | 1
Interface module for ET 200S | IM 151 High Feature | 6ES7151-1BA00-0AB0 | 1
Power module for ET 200S | PM-E DC24..48V AC24..230V | 6ES7138-4CB10-0AB0 | 2
Electronic module for ET 200S | 2DI HF DC24V HF | 6ES7131-4BB00-0AB0 | 3
Electronic module for ET 200S | 2DO HF DC24V HF | 6ES7 132-4BB00-0AB0 | 1
Electronic module for ET 200S | 4/8 F-DI DC24V | 6ES7138-4FA01-0AB0 | 1
Electronic module for ET 200S | 4 F-DO DC24V/2A | 6ES7138-4FB01-0AB0 | 1
Terminal module for ET 200S | TM-P15S23-A0 | 6ES7193-4CD20-0AA0 | 2
Terminal module for ET 200S | TM-E15S24-A1 | 6ES7193-4CA20-0AA0 | 4
Terminal module for ET 200S | TM-E30C46-A1 | 6ES7193-4CF50-0AA0 | 2
Profile rail | 482.6 mm | 6ES7390-1AE80-0AA0 | 1
Standard mounting rail | 35 mm, length: 483 mm | 6ES5710-8MA11 | 1
Emergency stop | Push button, 1NC | 3SB3801-0DG3 | 1
Contact (for Emergency stop) | 1NC, screw-type connection | 3SB3420-0C | 1
Push button | Green, 1NO | 3SB3801-0DA3 | 2
Push button | Red, 1NC | 3SB3801-0DB3 | 2
Contactor | AC-3, 3KW/400V, 1NC, DC 24V | 3RT1015-2BB42 | 2
Contactor | AC-3, 3KW/400V, 1NO, DC 24V | 3RT1015-2BB41 | 1
Excess voltage limiter for plugging onto contactor | RC element AC 24...48V, DC 24...70V | 3RT1916-1CB00 | 3
Circuit breaker for motor protection | 0.35...0.5A | 3RV1011-1JA20 | 1
Frequency inverter | MICROMASTER 410 | 6SE6410-2BB13-7AA0 | 1
Operator panel for the frequency inverter | MM410 Operator Panel | 6SE6400-0SP00-0AA0 | 1
Motor | Low-voltage motor 0.18kW | 1LA7063-4AB10-Z +Option 26 | 1
Manufacturer: Siemens AG, A&D
Note
In this example we used a motor holding brake. The parameters we used for the MICROMASTER take this motor holding brake into consideration. If you do not want to use the motor holding brake, the following hardware components are not necessary: contactor with auxiliary contact (NO), 1 excess voltage limiter for plugging onto the contactor, option 26 at the motor.
Note
The functionality was tested with the hardware components listed. Similar products not included in the above list can also be used. Please note that in this case changes in the sample code (e.g. different addresses) may become necessary.
Configuration software/tools
Component | Type | MRPD / Ordering data | Qty
SIMATIC STEP 7 | V5.3 + SP1 | 6ES7810-4CC07-0YA5 | 1
SIMATIC Distributed Safety | V5.3 | 6ES7833-1FC01-0YA5 | 1
Manufacturer: Siemens AG
Setup and Wiring
Overview of the hardware configuration
The arrangement for shutdown in the Stop Categories 0 and 1 consists of a PROFIBUS configuration. A fail-safe S7-CPU is used as DP master, an ET 200S as DP slave.
Overview control circuit
[Figure: PS 307 and CPU 315F connected via DP to the ET 200S (IM 151 HF, PM-E, 2DI HF, 2DO HF, F-DI, PM-E, F-DO) with START, STOP, ACK, Emergency stop, Safety door (simulated), Contactor K1, Contactor K2, Contactor K3 and MICROMASTER]
Note
In this example we used a motor holding brake. The parameters we used for the MICROMASTER take this motor holding brake into consideration. If you do not want to use the motor holding brake, the contactor K3 is not necessary.
Note
One 4DI electronic module can be used instead of two 2DI electronic modules. The "high feature" electronic modules can also be replaced by standard modules.
Regarding the use of MICROMASTER 410, please consider the following safety note:
Warning!
■ The MICROMASTER carries hazardous voltages and controls potentially dangerous rotating mechanical parts. Non-compliance with warnings or failure to follow the instructions contained in the MICROMASTER manual can result in loss of life, severe personal injury, or serious damage to property.
■ Only adequately qualified personnel may work at this equipment. These personnel must be informed in detail about, and familiar with, all safety notices, installation, operation and maintenance procedures listed in the MICROMASTER manual. Proper and safe operation of the equipment requires proper handling, installation, operation and maintenance.
■ Risk of electric shock. The DC link capacitors remain charged for 5 minutes after power has been removed. It is thus not permissible to open the equipment until 5 minutes after the power has been removed.
■ Children and unauthorized persons must be prevented from accessing or approaching the equipment!
■ The equipment may only be used for the purpose specified by the manufacturer. Unauthorized modifications and the use of spare parts and accessories which are not sold or recommended by the manufacturer of the equipment can cause fires, electric shocks and injuries.
Overview load circuit
[Figure: supply L1, N; Circuit breaker; Contactor K1; Contactor K2; Contactor K3; MICROMASTER; Rectifier for motor brake; Three-phase motor with motor brake]
Note
In this example we used a motor holding brake. The parameters we used for the MICROMASTER take this motor holding brake into consideration. If you do not want to use the motor holding brake, the contactor K3 is not necessary.
Parameterization of the MICROMASTER 410
The parameterization of MICROMASTER 410 is described in the respective instruction manual. To provide better understanding, some points are emphasized in this document:
■ Input of the parameters
■ Parameters used
Note
Alternatively, the MICROMASTER can also be parameterized with the "STARTER" software by Siemens, which can be downloaded on the Internet (link on page 273) free of charge.
Input of the parameters
The inverter parameters can be accessed with the operator panel (OP). Below, it is shown how to set the parameter "Function of digital input 1" (P0701). All other parameters can be set identically.
Note
At this point, the procedure during parameterization is described; the parameters are explained under "Parameters used".
Requirements: The MICROMASTER is supplied with voltage.
No. | Press ...
1 | … to be able to access the parameters.
2 | … until P0701 is displayed.
3 | … to display the parameter value level.
4 | … to receive the required value (here: 1)
5 | … to confirm and save the value.
Parameters used
Below, some characteristic parameters are shown which were used for this example (with the motor used).
Parameter No. | Parameter name | Value to be set | Note/Explanation
P0700 | Selection of command source | 2 (connecting terminal plate) | There are different options of starting or stopping the motor using the MICROMASTER, e.g. via the keyboard on the OP. In this example, the commands for starting/stopping the motor come from the standard output module (2DO HF) of the ET 200S and are transferred to the terminal connecting plate of the MICROMASTER.
P0701 | Function of digital input 1 | 1 (ON/OFF1) | The commands for starting/stopping are acquired by digital input 1 on the MICROMASTER. If "1": Motor starts (ON). If "0": Motor stops (OFF1)
P0731 | Function of digital output 1 | 52.C (motor holding brake (MHB) active) | Motor holding brake active (see also P1215)
P0971 | Transfer data from RAM to EEPROM | 1 Start RAM -> EEPROM | All values are transferred from RAM to EEPROM.
P1120 | Startup time | 6 | Time value in seconds required by the motor to accelerate from stop to the highest motor frequency.
P1121 | Ramp-down time | 6 | Time value in seconds required by the motor to decelerate from the maximum motor frequency to stop.
P1215 | Holding brake enable | 1: Motor holding brake enabled | By the value 52.C in P0731, a relay is switched at the points 1 and 2 to control the brake. The relay is located at the terminals 11 and 12 of the MICROMASTER. [Figure: Point 1 and Point 2 relative to fmin (P1080)]
Note
The parameters are stored in the "as_fe_i_008_v10_code_pstopcat.zip" file. The "STARTER" software by Siemens is required to use this file. Page 273 provides information on where to download this software.
Warning!
Please note that the parameters stored in the file "as_fe_i_008_v10_code_pstopcat.zip" refer to the motor with holding brake used by us for testing. If you use a different motor, the parameters have to be adapted for the MICROMASTER.
For safety reasons, the motor with the prepared parameters does not accelerate to maximum speed.
Wiring of the hardware components
Requirements: The power supplies are supplied with 230V AC.
First check the addresses set at the hardware components listed below:
Hardware component | Address to be set | Note
IM 151 High Feature | 6 (PROFIBUS address) | Can be changed
F-DI | Switch position: 1111111110 | The PROFIsafe addresses are automatically assigned during configuring the fail-safe modules in STEP 7. The PROFIsafe addresses 1 to 1022 are permissible. Please make sure that the setting at the address switch (DIL switch) on the side of the module corresponds to the PROFIsafe address in the hardware configuration of STEP 7.
F-DO | Switch position: 1111111101 | See F-DI.
Note
The DP interface of the CPU 315F must be connected with the DP interface of the IM 151 HF.
Note
The wiring of the hardware is illustrated below. In the following table, the hardware components occurring several times are numbered so they can be allocated in the subsequent wiring plan.
[Figures: ET 200S station (IM 151 HF, PM-E, 2DI HF, 2DO HF, F-DI, F-DO) with the numbering of the modules occurring several times and their terminal designations]
Note
In this example we used a motor holding brake (see following page). The parameters we used for the MICROMASTER take this motor holding brake into consideration. If you do not want to use the motor holding brake, the contactor K3 is not necessary.
[Wiring plan: PS 307 / CPU 315F, IM 151 HF, PM-E, 2 DI HF, 2 DO HF, F-DI and F-DO with their terminal connections to Start, Stop, Acknowledgement, Emergency stop button, Safety door (simulated), Contactor K1, Contactor K2, Contactor K3 and the MICROMASTER frequency converter; supply L1, N, PE, L+, M]
Warning!
The MICROMASTER has to be grounded.
Note
A connection between the MPI interface of your PG/PC
and the MPI interface of the CPU 315F-2DP (MPI cable)
is required to download the S7 project into the
CPU 315F-2DP.
The load circuit looks as follows:
Contactor K3 is responsible for the power supply of the rectifier for the motor brake.
Note
Please note that, in this example, contactor K3, unlike K1 and K2, features a make contact. If you do not want to use the motor holding brake, the contactor K3 is not necessary.
Function test
The inputs and outputs used can be checked with regard to
their functionality, if
■ the hardware components are wired
■ the S7 project was loaded to the F CPU
■ the MICROMASTER was supplied with the respective
parameters.
Inputs/outputs used
No. | Hardware component | Address | Symbol | Signal (default value) | Note
1 | Push button (NO) | E 0.0 | START | "0" | Start request
2 | Push button (NC) | E 0.1 | STOP | "1" | Operational stop
3 | Push button (NO) | E 1.0 | ACK | "0" | Acknowledgement
4 | Push button (NC) | E 3.1 | FDOOR | "1" | Simulated safety door contact
5 | Contactor auxiliary contact (NC) | E 1.1 | K1_HELP | "1" | Contactor K1
6 | Contactor auxiliary contact (NC) | E 2.0 | K2_HELP | "1" | Contactor K2
7 | Emergency stop push button (NC) | E 3.0 | ESTP | "1" | Emergency stop
8 | Micromaster | A 0.0 | MM | "0" | Control MICROMASTER
9 | Magnet coil contactor | A 9.0 | K1_K2 | "0" | From A 9.0 to K1 and K2
Testing inputs and outputs
Requirements: The inputs and outputs have the default values specified under "Inputs/outputs used".
No. | Instruction | Response: A 9.0 | Response: MICROMASTER | Response: Motor
1 | Press the push button E 1.0 and release it. | "1" | Supplied with voltage via K1 and K2 | In stop
2 | Press the push button E 0.0 and release it. | "1" | ON | Accelerates
3 | Wait until the motor has accelerated. | "1" | ON | Runs
4 | Press the emergency stop push button E 3.0 | "0" (delayed) | After stopping the motor, K1 and K2 drop out and the MICROMASTER is electrically isolated from the line supply (stop category 1). | Decelerates to stop
5 | Unlock the emergency stop button and repeat no. 1 to 3. | "1" | Supplied with voltage via K1 and K2 | Accelerates
6 | Press the push button E 3.1 and release it. | "0" | By drop-out of K1 and K2, MICROMASTER and motor are electrically isolated from the line supply immediately (stop category 0). |
Note
After an emergency stop, a signal from the simulated
safety door, and an initial start an acknowledgement is
required before restarting.
Important hardware component settings
Below, several important settings from the hardware configuration of STEP 7 are shown to provide you with an overview.
These settings are available in the included STEP 7 project. It
is basically possible to change these settings (e.g. due to individual requirements), but please consider the following note:
Settings of the CPU 315F-2DP
The settings are displayed after double-clicking "CPU 315F-2
DP" (see "Overview picture").
Warning!
The settings shown below contribute to meet the requirements of Safety Category 4 in Stop Category 0.
Changes at the settings may cause loss of the safety
function.
If you implement changes (e.g. add an additional module),
the sample code has to be adapted accordingly.
Default value: 100 ms. It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Overview picture
The PROFIBUS address at IM 151HF is set using DIP switches.
Available in the "Protection" tab.
A password has to be allocated in order to be able to set the
parameter "CPU Contains Safety Program". It is only in this
case that all required F blocks for safe operation of the F modules are generated during compiling the hardware configuration of STEP 7.
Password used here: siemens
Settings of the fail-safe F-DI
The settings are displayed after double-clicking "4/8 F-DI
DC24V" (see "Overview picture").
Set mode: "Test Mode"
During Process Mode, the test functions such as program status or monitor/modify variable are restricted in such a way
that the set permitted increase in scan cycle time is not exceeded. Testing with stop-points and gradual program execution cannot be performed.
During Test Mode, all test functions can be used without restrictions via PG/PC which can also cause larger extensions of
the cycle time. Important: During test mode of the CPU, you
have to make sure that the CPU or the process can "stand"
large increases in cycle time.
The two-channel emergency stop push button is supplied with
power via the module. Category 4 is reached due to the fact
that a cross-circuit detection is possible. This requires that the
short circuit test is activated.
DIL switch settings
This value has to be set on the module (F-DI).
F monitoring time
It has to be observed that the F monitoring time must be
larger than the call time of OB 35.
Also in the "Parameter" tab.
A two-channel connection of the emergency stop push button
to channel 0 is performed. At channel 1 the simulated safety
contact NC is read in.
All other channels are to be deactivated.
Warning!
Monitoring a safety door of safety category 4 is performed with two sensors (see Safety Function Examples no. 2, 3 and 4). The connected single button
simulates only one signal, which is assigned to a
safety door for better clarity.
Basic Performance Data
Load and main memory (without program code)
| Memory | Total | S7 standard blocks | F blocks (failsafe) |
| Load memory | approx. 37,5 k | approx. 0,2 k | approx. 37,3 k |
| Main memory | approx. 28,2 k | approx. 0,09 k | approx. 28,1 k |
Settings of the fail-safe F-DO
The settings are displayed after double-clicking "4 F-DO
DC24V/2A" (see "Overview picture").
DIL switch settings
This value has to be set on the module (F-DO).
F monitoring time
It has to be observed that the F monitoring time must be
larger than the call time of OB 35.
Activate the used channel 0 for switching the line contactors K1 and K2; deactivate the channels which are not used.
The read-back time defines the duration of the switch-off procedure for the respective channel. If the respective channel
switches high capacity loads, the read back time should be set
sufficiently large. We recommend setting the read back time
as small as possible, however large enough so that the output
channel does not become passive.
Load and main memory (with program code)
| Memory | Total | S7 standard blocks | F blocks (failsafe) |
| Load memory | approx. 47,1 k | approx. 1,0 k | approx. 46,1 k |
| Main memory | approx. 31,5 k | approx. 0,4 k | approx. 31,1 k |
Cycle time
| Total cycle time (typical) | approx. 4 ms | Standard and safety program |
| Max. runtime of the safety program | 7 ms | Calculation with the Cotia table. Page 259 specifies where to find it. |
Sample Code
Preliminary Remarks
Enclosed, we offer you the STEP 7 project as sample code with
which you can reset the functionality described here.
The sample code is always assigned to the components used
in the functional examples and implements the required functionality. Problems not dealt with in this document are to be
realized by the user; the sample code may serve as a basis.
Password
In all cases, the password used for the safety-relevant part is
"siemens".
Use of the STEP 7 Project
Note
If you want to use the parameter settings used by us for
the MICROMASTER
("as_fe_i_008_v10_code_pstopcat.zip"), you need the
Siemens software "STARTER", which you can download
free of charge via the internet. The link is listed below.
Link: www.siemens.de/automation/service&support
Subsequently click the "Download" link and enter "Starter" as
keyword.
Older projects (*.mcp) can be converted into a current project
and further edited. Select the Starter project in the displayed
window and confirm by clicking OK. The project is converted
and possible errors are displayed in the detail display.
Using a MICROMASTER, a motor can be started via a push button (NO). There are two options of stopping the motor:
1. Operational via a button NC.
2. fail-safe via (NC) button, simulating a safety door contact
(stop category 0)
3. fail-safe via an emergency stop button in stop category 1
Download
The download is available via the following link:
http://support.automation.siemens.com/WW/view/en/21331097
To call the corresponding project file, open the
"as_fe_i_008_v10_code_cstopcat.zip" file offered as a separate download (on the HTML page) and extract it into a user
defined directory.
For downloading the project into the F-CPU please proceed as
follows:
■ First load the hardware configuration into the S7-CPU
■ Switch to the SIMATIC Manager
■ Select the "Blocks" container.
■ Menu "Options" -> Edit safety program
■ Click the "Download" button
The sample code with the given configurations enables the
following:
■ A motor is turned off via a push button (NC) simulating a
safety door contact according to Stop Category 0.
■ A motor is turned off via an emergency stop push button
(NC/NC) according to Stop Category 1
Program procedure
The standard user program consists of two networks of OB 1:
Network 1
[Figure: OB 1, Network 1: "K1_HELP" & "K2_HELP" = "FEEDBACK"]
The memory bit "FEEDBACK" evaluates the readback signals of
the contactors K1 and K2. "FEEDBACK" is used as input parameter of FB "F_FDBACK" in the safety program. FB "F_FDBACK" is
a certified block from the Distributed Safety library for the
monitoring of the readback signals.
The information of the memory bit FEEDBACK is read as memory bit FEEDBACK1 in the safety program. This allocation occurs in the cyclic interrupt OB 35 for the following reason:
If you want to read data from the standard user program (flags
or PII of standard I/O) in the safety program (here: FEEDBACK),
which can be changed by the standard user program or an operator control and monitoring system during the runtime of
an F run-time group, it is required to use separate flags (here:
FEEDBACK1). Data from the standard user program have to be
written to these memory bits immediately before calling the F
runtime group. Only these memory bits may then be accessed
in the safety program.
In this example it has already been realized. Generally, however, the following applies:
Note
If the above section is not observed the F-CPU may go to
STOP mode.
Network 2
[Figure: OB 1, Network 2: SR flip-flop "SR2" with output Q assigned to "MM"; positive-edge detection ("P_ST") of "START" at the set input; signals at the >=1 element on the reset input: "STOP", "INSTANZ_FB1".ERROR, "INSTANZ_FB1".EN_ESTP, "INSTANZ_FB1".EN_FDOOR]
In network 2 the signal for operational starting (START) and
the stopping (Stop) are given. The output of the standard output module MM is set/reset. This output is connected with
the MICROMASTER. With MM="1" the MICROMASTER receives
the request of starting up the motor; with MM="0" the
MICROMASTER sets the motor to standstill.
As long as there is a "1" signal at the R input of the flip-flop,
MM="0" remains true, even if the start button is pressed, as
the reset function at this flip-flop type has priority.
The fail-safe program has the following program sequence:
[Figure: blocks of the fail-safe program: F-Call (FC1); FB "SAFETY_PRG" (FB1, DB1); FB "F_TOF" (FB186, DB3) and FB "F_FDBACK" (FB216, DB216), from the Distributed Safety library; FC "REINTEGRATION" (FC2)]
FB "Safety_PRG" (FB 1, DB 1)
Network 1
[Figure: FB "Safety_PRG", Network 1. Elements shown: negative-edge detection (#N_ACK) of "ACK"; SR flip-flops #EN_ESTP (with "ESTP") and #EN_FDOOR (with "FDOOR"); "F_TOF" instance #Instanz_FB186_3 with PT = T#4S; outputs #Q_ESTP and #Q_FDOOR]
At an acknowledgement (negative edge of ACK) both
#Q_ESTP and #Q_FDOOR remain "1" (precondition: emergency stop button unlocked and simulated safety door contact FDOOR="1"). In network 2 the contactors K1 and K2 are
activated and supply the MICROMASTER with power.
If the safety door is opened during operation (simulated with
FDOOR), then FDOOR becomes "0" and Q_FDOOR="0", which
in network 2 causes an immediate drop-out of contactors K1
and K2. The drive is immediately isolated from the supply
(stop category 0).
If the emergency stop button is pressed during running operation (ESTP="0"), #Q_ESTP is reset after the time parameterized at PT has elapsed. This time must be set so that after it has
elapsed, the motor is in standstill. Only then is the drive isolated from the supply in network 2 (stop category 1).
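The two shutdown paths described above, as an added behavioural model in Python (not the code of the STEP 7 project and not the certified F blocks). The wiring of the flip-flop reset inputs to the inverted NC signals and the 100 ms scan interval are assumptions; the 4 s off-delay is the T#4S shown at F_TOF.

```python
from dataclasses import dataclass

SCAN_MS = 100   # assumed scan interval of this model
PT_MS = 4000    # off-delay at F_TOF (T#4S on the page)


def sr(q: bool, s: bool, r: bool) -> bool:
    """SR flip-flop as described on the page: reset has priority over set."""
    if r:
        return False
    return True if s else q


@dataclass
class Controller:
    prev_ack: bool = False
    prev_start: bool = False
    en_estp: bool = False
    en_fdoor: bool = False
    tof_left_ms: int = 0    # remaining off-delay of the F_TOF model
    mm: bool = False        # start/stop request to the MICROMASTER
    k1_k2: bool = False     # line contactors K1/K2

    def scan(self, ack, estp, fdoor, start, stop=False):
        # Safety program, network 1: enables are set by the negative edge of ACK
        # and reset (assumption) while the NC signal ESTP / FDOOR is "0".
        n_ack = self.prev_ack and not ack
        self.en_estp = sr(self.en_estp, n_ack, not estp)
        self.en_fdoor = sr(self.en_fdoor, n_ack, not fdoor)
        # Off-delay: Q follows IN=1 at once and drops PT after IN went to 0.
        if self.en_estp:
            self.tof_left_ms = PT_MS
            q_estp = True
        else:
            q_estp = self.tof_left_ms > 0
            self.tof_left_ms = max(0, self.tof_left_ms - SCAN_MS)
        q_fdoor = self.en_fdoor
        # Safety program, network 2 (readback monitoring is left out of this model).
        self.k1_k2 = q_estp and q_fdoor
        # Standard program, OB 1 network 2: MM is reset as soon as an enable is lost.
        p_start = start and not self.prev_start
        self.mm = sr(self.mm, p_start,
                     stop or not self.en_estp or not self.en_fdoor)
        self.prev_ack, self.prev_start = ack, start
        return self.mm, self.k1_k2


def run(event: str):
    """Return (ms until MM is reset, ms until K1/K2 drop out) after `event`.

    `event` is "estp" or "fdoor": the NC signal that changes to "0".
    """
    c = Controller()
    inputs = dict(ack=False, estp=True, fdoor=True, start=False)
    # Constructed operator sequence: acknowledge (press, release), start (press, release).
    for step in (dict(ack=True), dict(ack=False), dict(start=True), dict(start=False)):
        inputs.update(step)
        c.scan(**inputs)
    assert c.mm and c.k1_k2, "drive should be running before the stop event"
    inputs[event] = False
    mm_off = k_off = None
    for n in range(100):
        mm, k = c.scan(**inputs)
        if mm_off is None and not mm:
            mm_off = n * SCAN_MS
        if k_off is None and not k:
            k_off = n * SCAN_MS
    return mm_off, k_off


if __name__ == "__main__":
    print("safety door (stop category 0):", run("fdoor"))
    print("emergency stop (stop category 1):", run("estp"))
```

In the model the safety door removes the stop request and the supply in the same scan, while the emergency stop removes the request at once and the supply only after PT has elapsed.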
Network 2
FB "Safety_PRG" (FB1, DB1) calls FB "F_FDBACK" (FB216,
DB216). FB 216 is a certified block from the Distributed Safety
library; this block is available from version 5.3.
[Figure: call of "F_FDBACK" with instance "INSTANZ_FB216". Inputs: ON = #Q_ESTP & #Q_FDOOR; FEEDBACK = "FEEDBACK1"; QBAD_FIO = "F00009_4_F_DO_DC24V_2A".QBAD; ACK_NEC = "F_GLOBDB".VKE1; ACK = "ACK"; FDB_TIME = T#200MS. Outputs: Q = "K1_K2"; ERROR = #ERROR; ACK_REQ = #ACK_REQ]
Output Q is set to 1 as soon as input ON = 1. It is required that
readback input FEEDBACK = 1 and that no readback error is
stored. In this example, this causes contactor K1 and K2 to
pick up, which supplies the MICROMASTER with power.
A readback error ERROR = 1 is detected if the signal state of the
readback input FEEDBACK (to output Q) does not follow the
signal state of the input ON within the maximum tolerable
readback time FDB_TIME.
The acknowledgement signal ACK is responsible for the acknowledgement after exceeding the feedback time FDB_TIME
(at FB 216).
F_GLOBDB.VKE1 applies a "1" signal at the input ACK_NEC.
This requires acknowledgement at the input ACK in case of an
error (ERROR="1").
Note
The F-Global-DB (F_GLOBDB) provides the variables
"VKE0" or "VKE1". This can be used in the safety program
for supplying parameters at block calls if the Boolean
constants "0" and "1" are required.
To ensure that no readback error is detected and that no
acknowledgement is required in a passivation of the fail-safe
I/O modules controlled by output Q you have to supply the input QBAD_FIO with the variable QBAD of the corresponding
fail-safe I/O module DB.
Note
Before inserting the F application block F_FDBACK you
have to copy the F application block F_TOF from the
block container F-Application Blocks\Blocks of the F library Distributed Safety (V1) into the block container of
your S7 program, if it is not available in this container
(has already been done in this example project).
Warning!
When using the F application block F_FDBACK it is required that the F application block F_TOF has the
number FB 186 and that the number is not changed!
Network 3
FC "REINTEGRATION" (FC 2)
Network 3 of FB 1 calls FC 2 where the reintegration is realized
in case of a passivation of F-DI or F-DO. For F-DO, a REINT
memory bit has been prepared, which reintegrates the module with a positive edge.
Warning!
In this example, the reintegration of passivated
modules occurs automatically. Use the automatic reintegration for your application only if it will not
cause any hazards.
A passivation is indicated via LED "SF" lighting up on the module. The reintegration of an F module may take approx. one
minute.
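The readback monitoring described for "F_FDBACK" (Network 2 of FB "Safety_PRG"), as an added behavioural model in Python; it is not the certified block and not code from the example project. Assumptions: a 10 ms scan interval, acknowledgement on a rising edge at ACK, an error that can only be cleared while the NC readback shows the contactors dropped out, and the hypothetical `Contactor` class standing in for K1/K2.

```python
FDB_TIME_MS = 200   # T#200MS as parameterised at FDB_TIME on the page
SCAN_MS = 10        # assumed scan interval of this model


class FeedbackMonitor:
    """Simplified model of the readback monitoring (ACK_NEC = 1 as on the page)."""

    def __init__(self, ack_nec=True):
        self.ack_nec = ack_nec
        self.q = False
        self.error = False
        self.mismatch_ms = 0
        self.prev_ack = False

    def scan(self, on, feedback, qbad_fio=False, ack=False):
        ack_edge = ack and not self.prev_ack   # assumption: rising edge acknowledges
        self.prev_ack = ack
        # A stored error is cleared only if the readback shows "dropped out".
        if self.error and feedback and (ack_edge or not self.ack_nec):
            self.error = False
        if not self.error:
            if on and not self.q and feedback:   # switch on only from a verified off state
                self.q, self.mismatch_ms = True, 0
            elif not on and self.q:
                self.q, self.mismatch_ms = False, 0
        # NC auxiliary contacts: FEEDBACK has to be the inverse of Q.
        if feedback == self.q and not qbad_fio:
            self.mismatch_ms += SCAN_MS
            if self.mismatch_ms > FDB_TIME_MS:
                self.error, self.q = True, False
        else:
            self.mismatch_ms = 0
        return self.q, self.error


class Contactor:
    """Hypothetical K1/K2 pair; readback is 1 while the contactors are dropped out."""

    def __init__(self, welded=False):
        self.welded = welded
        self.closed = False

    def update(self, energised):
        if energised:
            self.closed = True
        elif not self.welded:        # a welded contact stays closed
            self.closed = False
        return not self.closed       # FEEDBACK from the NC auxiliary contacts


def scenario(welded=False, passivated=False, qbad_wired=True):
    """Run a constructed input sequence and return the (Q, ERROR) pair of every scan."""
    mon, k = FeedbackMonitor(), Contactor(welded)
    feedback, log = True, []
    # Constructed plan: ON for 50 scans, OFF for 50 scans, one ACK pulse, ON for 50 scans.
    plan = [(True, False)] * 50 + [(False, False)] * 50 + [(False, True)] + [(True, False)] * 50
    for on, ack in plan:
        q, err = mon.scan(on, feedback, passivated and qbad_wired, ack)
        feedback = k.update(q and not passivated)   # a passivated F-DO outputs "0"
        log.append((q, err))
    return log


if __name__ == "__main__":
    print("healthy:", scenario()[-1])
    print("welded contact:", scenario(welded=True)[-1])
    print("passivated, QBAD_FIO not supplied:", scenario(passivated=True, qbad_wired=False)[-1])
    print("passivated, QBAD_FIO supplied:", scenario(passivated=True)[-1])
```

With a welded contact the error is stored once the readback has stayed wrong for longer than FDB_TIME and the acknowledgement has no effect until the contact opens; with a passivated F-DO the error appears only when QBAD_FIO is not supplied.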
Operating instructions
Prerequisite:
■ Hardware configuration and safety program are in the
S7-CPU
■ Emergency stop unlocked
■ No passivation of the F-DI/F-DO
The tables below demonstrate the function principle:
| No. | Instruction | Result/Note |
| 1 | Press the acknowledgement push button (NO) and release it. | Necessary prior to the first start. Contactor K1 and K2 pick up and supply the MICROMASTER with power. |
| 2 | Press the start push button (NO) and release it. | The output MM of the digital output module is set. The MICROMASTER receives the signal for starting the motor. The MICROMASTER starts the motor up according to its parameterization. |
| 3 | Press the button (NC) which simulates the safety door contact and release it. | Contactors K1 and K2 drop out: MICROMASTER and motor are isolated from the supply (stop category 0). |
| 4 | Repeat No. 1 and 2 | – |
| 5 | Press the emergency stop push button. | The output MM of the digital output module is reset. The MICROMASTER receives the signal for stopping the motor. The MICROMASTER brings the motor to standstill according to its parameterization. Contactors K1 and K2 drop out and isolate the drive from the supply. |
Note
After an emergency stop, a signal from the simulated
safety door, and an initial start an acknowledgement is
required before restarting.
Alternative
The Distributed Safety library offers a Stop Category function
block FB "F_ESTOP1" (FB 215). With this block you can realize
an emergency stop in the Stop Categories 0 and 1.
Single and Group Shutdown of Actuators in Safety Category 4
acc. to EN 954-1
Ex. No.
9
Automation Function
Description of the functionality
Single and group shutdown
When using several actuators within a system, the following
behavior is often required: It is to be possible to safely power
an individual actuator down (independent of the other actuators). Additionally it should be possible to safely switch off all
actuators together.
Functional example
This example shows single and group shutdown of actuators.
Two three-phase asynchronous motors which can be started
independently of one another are used. An emergency stop
button is assigned to each motor for safe stopping (single
shutdown). Furthermore, there is an emergency stop button
which safely stops all motors (group shutdown).
Operational stopping of motors has not been included in this
example.
Allocation contactors - motors
Group 1 consists of the motor M1 which is switched via the
contactors K1 and K2.
Group 2 consists of the motor M2 which is switched via the
contactors K3 and K4.
If a readback error is detected in a group, this group is
stopped. Safe operational start and stop of the other group is
still possible.
Safety Category
The actuator shutdown via failsafe outputs of the ET 200S
shown here complies with Safety Category 4 according to
EN 954-1: 1996.
Reaction times
For calculating the max. reaction time of your F-system please
use the Excel file (Cotia table), which is available for S7 Distributed Safety V 5.3. This file is available on the internet:
http://support.automation.siemens.com/WW/view/en/19138505
Failsafe input and output modules
One failsafe input and output module of the ET 200S switching the following variables is used in each case:
| Failsafe… | Signals |
| Input module (F-DI) | Emergency stop button for group 1; Emergency stop button for group 2; Emergency stop button for both groups |
| Output module (F-DO) | Switches all contactors (K1, K2, K3, K4). |
Standard input modules
The standard input modules read the signals listed below for
each group:
■ Start request
■ Acknowledgement
■ Readback signals of the contactors
In addition, an acknowledgement signal exists with which an
acknowledgement can be transmitted for all groups.
Acknowledgement
An acknowledgement is required
■ prior to the first start
■ after a readback error (acknowledgement with the
acknowledgement push button assigned to the group or
the acknowledgement push button applying to all groups)
■ after activating an emergency stop push button after this
push button was unlocked manually (acknowledgement
either individually for each group with the assigned
acknowledgement push button or with the acknowledgement push button applying to all groups)
■ after the reintegration of the passivated F-DI
Recognizing a welding
A readback error occurs, for example, when a contact welds.
This error is revealed in the program code by the use of a certified block from the Distributed Safety block library. Starting
the application is only possible if the error was corrected and
if an acknowledgement was transmitted.
Functional Example No. AS-FE-I-009-V10-EN
Flowchart
The following flow chart shows the functionality at the example of group 1 (motor M1) and the group shutdown. The same
procedure applies to group 2 (motor M2); only M1 and M2
need to be exchanged and K1, K2 be replaced with K3, K4.
[Figure: flow chart for group 1. Decisions (J = yes, N = no): M1 running?; Common emergency stop unlocked?; Emergency stop1 unlocked?; Readback signal K1 and K2 OK?; Acknowledgement necessary?; Start command M1?. Actions: M1 starts; M1 stops]
Time sequence for single/group shutdown
To illustrate the process, the time sequence during a single
and a group shutdown is shown below. The names at the ordinates correspond to the names in the program code.
[Figure: time sequence of the signals START_M1 (NO), START_M2 (NO), ACK_ALL (NO), ESTP1 (NC), ESTP2 (NC), ESTP_ALL (NC), M1 and M2 over the time t, with the instants t1 to t10]
| Designation | Explanation |
| START_M1 | Start command for motor 1 (group 1). |
| START_M2 | Start command for motor 2 (group 2). |
| ACK_ALL | Acknowledgement for all groups |
| ESTP1 | Emergency stop for motor M1 (group 1) |
| ESTP2 | Emergency stop for motor M2 (group 2) |
| ESTP_ALL | Emergency stop for all groups |
| M1 | Motor 1 (group 1) |
| M2 | Motor 2 (group 2) |

| t | Explanation |
| t1 | An acknowledgement is required before starting for the first time. |
| t2 | Start command for motor M1. Motor M1 starts. |
| t3 | Start command for motor M2. Motor M2 starts. |
| t4 | Emergency stop triggered for group 1. Motor M1 stops. |
| t5 | Emergency stop triggered for group 2. Motor M2 stops. |
| t6 | Unlocking both pressed emergency stop buttons. |
| t7 | Acknowledgement is necessary prior to every restart. |
| t8 | Start command for motor M1. Motor M1 starts. |
| t9 | Start command for motor M2. Motor M2 starts. |
| t10 | Emergency stop, applying to all groups, is activated and switches all groups off. |
Note
Apart from the acknowledge button applying to all
groups, each group has its own acknowledge button
(not displayed in the above time sequence).
Advantages/customer benefits
■ Wiring reduced to a minimum due to use of failsafe S7-CPU
and distributed I/O. This advantage becomes all the more
significant the more safety functions are implemented.
■ Programming the failsafe program with STEP 7 engineering
tools.
■ Only one CPU is required, since failsafe and standard program parts run on a coexistent basis in the CPU
■ Use of prefabricated (and certified) failsafe blocks from the
Distributed Safety library.
Required components
Hardware components
| Component | Type | MRPD / Ordering data | Qty |
| Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1 |
| S7-CPU, can be used for safety applications | CPU 315F-2DP | 6ES7315-6FF01-0AB0 | 1 |
| Micro Memory Card | MMC 512 KByte | 6ES7953-8LJ10-0AA0 | 1 |
| Interface module for ET 200S | IM 151 High Feature | 6ES7151-1BA00-0AB0 | 1 |
| Power module for ET 200S | PM-E DC24..48V AC24..230V | 6ES7138-4CB10-0AB0 | 2 |
| Electronic module for ET 200S | 2DI HF DC24V | 6ES7131-4BB00-0AB0 | 4 |
| Electronic module for ET 200S | 4/8 F-DI DC24V | 6ES7138-4FA01-0AB0 | 1 |
| Electronic module for ET 200S | 4 F-DO DC24V/2A | 6ES7138-4FB01-0AB0 | 1 |
| Terminal module for ET 200S | TM-P15S23-A0 | 6ES7193-4CD20-0AA0 | 2 |
| Terminal module for ET 200S | TM-E15S24-A1 | 6ES7193-4CA20-0AA0 | 4 |
| Terminal module for ET 200S | TM-E30C46-A1 | 6ES7193-4CF50-0AA0 | 2 |
| Profile rail | 482.6 mm | 6ES7390-1AE80-0AA0 | 1 |
| Standard mounting rail | 35 mm, length: 483 mm | 6ES5710-8MA11 | 1 |
| Emergency stop | Push button, 1NC | 3SB3801-0DG3 | 3 |
| Contact (for Emergency stop) | 1NC, screw-type connection | 3SB3420-0C | 3 |
| Push button | green, 1NO | 3SB3801-0DA3 | 5 |
| Contactor | AC-3, 3KW/400V, 1NC, DC 24V | 3RT1015-2BB42 | 4 |
| Excess voltage limiter for plugging onto contactor | RC element AC 24...48V, DC 24...70V | 3RT1916-1CB00 | 4 |
| Circuit breaker for motor protection | 0.35...0.5A | 3RV1011-0FA1 | 2 |
| Motor | Low-voltage motor 0.12kW | 1LA7060-4AB10 | 2 |
Manufacturer: Siemens AG
Note
The functionality was tested with the hardware components listed. Similar products not included in the above
list can also be used. Please note that in this case
changes in the sample code (e.g. different addresses)
may become necessary.
Configuration software/tools
| Component | Type | MRPD / Ordering data | Qty |
| SIMATIC STEP 7 | V5.3 + SP1 | 6ES7810-4CC07-0YA5 | 1 |
| SIMATIC Distributed Safety | V5.3 | 6ES7833-1FC01-0YA5 | 1 |
Manufacturer: Siemens AG
Setup and Wiring
In order to set up and wire the functional example, it is absolutely necessary to consider the following note:
Note
In order to meet the requirements of Safety Category 4, it is
obligatory to read back the process signal to the actuator.
An overview of the hardware structure
The arrangement for single or group shutdown consists of a
PROFIBUS configuration. A failsafe S7-CPU is used as DP master, an ET 200S as DP slave.
[Figure: overview of the hardware structure: PS 307 and CPU 315F, connected via DP to the ET 200S (IM 151 HF, PM-E, 2DI HF modules, F-DI, F-DO). Inputs: Emergency stop (1), Emergency stop (2), Emergency stop (all), START M1, START M2, ACK (1), ACK (2), ACK all, readback signals. Outputs: Contactors K1, K2, K3 and K4 in the 400V load circuit with circuit breakers]
Note
One 4DI electronic module can be used instead of two
2DI electronic modules. The "high feature" electronic
modules can also be replaced by standard modules.
Wiring of the hardware components
Requirements: The power supplies are supplied with 230V AC.
First check the addresses set at the hardware components
listed below:
| Hardware component | Address to be set | Note |
| IM 151 High Feature | 6 (PROFIBUS address) | Can be changed |
| F-DI | Switch position: 1111111110 | See below |
| F-DO | Switch position: 1111111101 | See below |
Note for F-DI and F-DO: The PROFIsafe addresses are automatically assigned during configuring the failsafe modules in STEP 7. The PROFIsafe addresses 1 to 1022 are permissible. Please make sure that the setting at the address switch (DIL switch) on the side of the module corresponds to the PROFIsafe address in the hardware configuration of STEP 7.
Note
The DP interface of the CPU 315F must be connected
with the DP interface of the IM 151 HF.
The wiring of the hardware is illustrated below. In the
following table, the hardware components occurring
several times are numbered so they can be allocated in
the subsequent wiring plan.
[Figure: wiring diagram of the hardware components (PS 307 / CPU 315F, IM 151 HF, PM-E, 2 DI HF modules, F-DI, F-DO): emergency stop buttons 1, 2 and all at the F-DI; Start M1, Start M2, Acknowledgement M1, Acknowledgement M2 and Acknowledgement all at the 2 DI HF modules; contactors K1 to K4 with coil terminals A1+/A2- and auxiliary contact terminals 21/22]
Note
A connection between the MPI interface of your PG/PC
and the MPI interface of the CPU 315F-2DP (MPI cable)
is required to download the S7 project to the CPU 315F-2DP.
The terminal markings of the load circuit are as follows:
[Figure: load circuit 400V with circuit breakers; contactors K1 and K2 (group 1, motor M1, Y switch) and K3 and K4 (group 2, motor M2, Y switch)]
The interconnection of the contactor auxiliary contacts and
the control of the contactor coils is shown once again to provide greater clarity (it is also shown in the wiring diagram).
Contactor auxiliary contacts:
[Figure: auxiliary contacts of K1 and K2 (group 1) and of K3 and K4 (group 2) at the Standard-DI (2DI HF)]
Control of the contactor coils:
[Figure: coils of K1 and K2 (group 1) and of K3 and K4 (group 2) at the F-DO]
Ex. No.
9
Function test
The inputs and outputs used can be checked with regard to
their functionality, if
■ the hardware components are wired
■ the S7 project was loaded to the F CPU
Inputs/outputs used
| No. | Hardware component | Address | Symbol | Signal (default value) | Note |
| 1 | Emergency stop push button (NC / NC) | E 0.0 | ESTP1 | "1" | Emergency stop for group 1 |
| 2 | Emergency stop push button (NC / NC) | E 0.1 | ESTP2 | "1" | Emergency stop for group 2 |
| 3 | Emergency stop push button (NC / NC) | E 0.2 | ESTP_ALL | "1" | Emergency stop for all groups |
| 4 | Push button (NO) | E 6.0 | START_M1 | "0" | Start requirement group 1 |
| 5 | Push button (NO) | E 6.1 | ACK_M1 | "0" | Acknowledgement for group 1 |
| 6 | Contactor auxiliary contact (NC) | E 7.0 | K12_HELP | "1" | Readback signal (group 1) |
| 7 | Push button (NO) | E 7.1 | START_M2 | "0" | Start requirement group 2 |
| 8 | Push button (NO) | E 8.0 | ACK_M2 | "0" | Acknowledgement for group 2 |
| 9 | Contactor auxiliary contact (NC) | E 8.1 | K34_HELP | "1" | Readback signal (group 2) |
| 10 | Push button (NO) | E 9.0 | ACK_ALL | "0" | Acknowledgement signal for groups 1 and 2 |
| 11 | Magnet coil contactor | A16.0 | M1 | "0" | For motor M1 (group 1, connection to F-DO) |
| 12 | Magnet coil contactor | A16.1 | M2 | "0" | For motor M2 (group 2, connection to F-DO) |
Testing inputs and outputs
Requirements: The inputs and outputs have the default values
specified under "Inputs/outputs used".
Note
You can also test the instructions listed in the table below without connected main circuit.
| No. | Instruction | M1 | M2 | Note |
| 1 | Press the push button E 9.0 and release it. | "0" | "0" | Acknowledgement required prior to first start. Instead of E 10.0, you can also press the two push buttons E 6.1 and E 8.0. |
| 2 | Press the push button E 6.0 and release it. | "1" | "0" | Start request for motor M1. |
| 3 | Press the push button E 7.1 and release it. | "1" | "1" | Start request for motor M2. |
| 4 | Press the emergency stop push button E 0.0 | "0" | "1" | Single shutdown group 1 |
| 5 | Press the emergency stop push button E 0.1 | "0" | "0" | Single shutdown group 2 |
| 6 | Unlock the pressed emergency stop buttons. | "0" | "0" | – |
| 7 | Repeat no. 1 to 3 | "1" | "1" | Start request for motor M1 and M2. |
| 8 | Press the emergency stop push button E 0.2 | "0" | "0" | Group shutdown |
Note
After an emergency stop (and when starting for the first
time), an acknowledgement is required before a restart.
Important hardware component settings
Below, several important settings from the hardware configuration of STEP 7 are shown to provide you with an overview.
These settings are available in the included STEP 7 project. It
is basically possible to change these settings (e.g. due to individual requirements), but please consider the following note:
Settings of the CPU 315F-2DP
The settings are displayed after double-clicking "CPU 315F-2
DP" (see "Overview picture").
Warning!
The settings shown below help to meet the requirements of Safety Category 4. Changes to the settings may cause loss of the safety function.
If you implement changes (e.g. add an additional module),
the sample code has to be adapted accordingly.
Overview picture
Default value: 100 ms. It has to be observed that the F monitoring time must be larger than the call time of OB 35.
The PROFIBUS address at IM 151HF is set using DIP switches.
Available in the "Protection" tab.
A password has to be allocated in order to be able to set the
parameter "CPU Contains Safety Program". It is only in this
case that all required F blocks for safe operation of the F modules are generated during compiling the hardware configuration of STEP 7.
Password used here: siemens
Settings of the failsafe F-DI
The settings are displayed after double-clicking "4/8 F-DI
DC24V" (see "Overview picture").
Set mode: "Test Mode"
During Process Mode, the test functions such as program status or monitor/modify variable are restricted in such a way
that the set permitted increase in scan cycle time is not exceeded. Testing with stop-points and gradual program execution cannot be performed.
During Test Mode, all test functions can be used without restrictions via PG/PC which can also cause larger extensions of
the cycle time. Important: During test mode of the CPU, you
have to make sure that the CPU or the process can "stand"
large increases in cycle time.
The two-channel emergency stop push button for shutdown
of the group is supplied with power via the module. Category
4 is reached due to the fact that a cross-circuit detection is
possible. This requires that the short circuit test is activated.
DIL switch settings
This value has to be set on the module (F-DI).
F monitoring time
It has to be observed that the F monitoring time must be
larger than the call time of OB 35.
Also in the "Parameter" tab.
For the 1oo2 evaluation, only the respective initially mentioned channel (0,1,2) is used for addressing.
Channel 0: Emergency stop for group 1
Channel 1: Emergency stop for group 2
Channel 3: Emergency stop applying to all groups
Channel 4: deactivated
Settings of the failsafe F-DO
The settings are displayed after double-clicking "4 F-DO
DC24V/2A" (see "Overview picture").
DIL switch settings
This value has to be set on the module (F-DO).
F monitoring time
It has to be observed that the F monitoring time must be
larger than the call time of OB 35.
Channel 0: For switching the contactors K1 and K2 (group 1
with motor M1).
Channel 1: For switching the contactors K3 and K4 (group 2
with motor M2).
Channels which are not used (channel 2 and 3): Deactivate
The read-back time defines the duration of the switch-off procedure for the respective channel. If the respective channel
switches high capacity loads, the read back time should be set
sufficiently large. We recommend setting the read back time
as small as possible, however large enough so that the output
channel does not become passive.
Basic Performance Data
Load and main memory (without program code)
| Memory | Total | S7 standard blocks | F blocks (failsafe) |
| Load memory | approx. 37,5 k | approx. 0,2 k | approx. 37,3 k |
| Main memory | approx. 28,2 k | approx. 0,09 k | approx. 28,1 k |
Load and main memory (with program code)
| Memory | Total | S7 standard blocks | F blocks (failsafe) |
| Load memory | approx. 47,7 k | approx. 1,0 k | approx. 46,7 |
| Main memory | approx. 34,7 | approx. 0,4 k | approx. 34,2 |
Cycle time
| Total cycle time (typical value) | approx. 5 ms | Standard and safety program |
| Max. runtime of the safety program | 8 ms | Calculation with the Cotia table. Page 277 specifies where to find it. |
Sample Code
Enclosed, we offer you the STEP 7 project as sample code with
which you can reset the functionality described here.
The sample code is always assigned to the components used
in the functional examples and implements the required functionality. Problems not dealt with in this document are to be
implemented by the user; the sample code may serve as a basis.
Password
In all cases, the passwords used for the safety-relevant part is
„siemens“.
Use of the STEP 7 Project
Two three-phase asynchronous motors can be started independently of one another with separate push buttons (NO).
The motors are either safely stopped:
1. individually (respectively one emergency stop button assigned to one group) or
2. as group shutdown. An emergency stop button exists that
switches off all groups (stopping all motors).
Download
The download is available via the following link:
http://support.automation.siemens.com/WW/view/en/
21330890
To call the corresponding project file, open the
"as_fe_i_009_v10_code_singlegroup.zip" file offered as a separate download (on the HTML page) and extract it into a user
defined directory.
For downloading the project into the F-CPU please proceed as
follows:
■ First load the hardware configuration into the S7-CPU
■ Switch to the SIMATIC Manager
■ Select the "Blocks" container
■ Menu "Options" -> Edit safety program
■ Click the "Download" button
Note
Operational stopping has not been prepared in this
example.
Program procedure
The standard user program consists of two networks of OB 1.
Network 1
"P1"
"SR1"
P
"START_M1"
SR
S
>=1
"INSTANZ_
FB1".EN1
"COND1"
"INSTANZ_
FB1"
ERROR1
=
R
Q
G_FB_XX_171
Preliminary Remarks
The signal for operational starting (START_M1) for group 1
consisting of motor M1 is given in network 1.
The "INSTANZ_FB1".... ensures that the motor cannot be
started with an acknowledgement transmitted in the safety
program. As long as on of these bits is "0", COND1= "0" remains true also if the start button is pressed, since the reset
function has priority in this flip-flop type.
Network 2
[Figure G_FB_XX_172: network 2 of OB 1. Elements shown: "START_M2" with edge detection P ("P2"), the SR flip-flop "SR2" with the inputs S and R and the output Q, an OR gate (>=1) with "INSTANZ_FB1".EN2 and "INSTANZ_FB1".ERROR2, and the assignment (=) to "COND2".]
Basically the above information on network 1 applies to group 2 with motor M2.
The information of the flags "COND1" and "COND2" from the networks 1 and 2 is read in the safety program as flag COND1_F or COND2_F. This allocation occurs in the cyclic interrupt OB 35 for the following reason:
If you want to read data from the standard user program (flags or PII of standard I/O) in the safety program (here: COND1 or COND2), which can be changed by the standard user program or an operator control and monitoring system during the runtime of an F run-time group, it is required to use separate flags (here: COND1_F or COND2_F). Data from the standard user program have to be written to these flags immediately before calling the F run-time group. Only these flags may then be accessed in the safety program.
In this example it has already been implemented. Generally, however, the following applies:
Note
If the above section is not observed the F CPU may go to STOP mode.
The sample code with the given configurations enables the following:
■ Independent starting of two motors M1 (group 1) and M2 (group 2).
■ Safe shutdown of individual groups (motor M1 and/or M2)
■ Group shutdown for both motors (M1 and M2)
Functional Example No. AS-FE-I-009-V10-EN
The failsafe program has the following structure:
[Figure G_FB_XX_173: program structure. Blocks shown: F-Call (FC1); FB "SAFETY_PRG" (FB1, DB1); FB "F_BACK" (FB216, DB216) with readback monitoring for group 1 (contactors K1 and K2) and for group 2 (contactors K3 and K4); FB "F_TOF" (FB186, DB3); FC "REINTEGRATION" (FC2) for the reintegration of passivated F-DI/F-DO modules. The figure carries the label "From the Distributed Safety library".]
FB "F_PRG" (FB 1, DB 1)
Network 1
This network is assigned to group 1 with motor M1.
FB "Safety_PRG" (FB1, DB1) first calls FB "F_FDBACK" (FB216,
DB216). FB 216 is a certified block from the Distributed Safety
library; this block is available from version 5.3.
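[Figure G_FB_XX_174: network 1 of the safety program. Elements shown: "ACK_M1" and "ACK_ALL" with edge detection N (#N1, #N2) and an OR gate (>=1), "ESTP1" and "ESTP_ALL", an SR flip-flop with the output #EN1, an AND gate (&) with "COND1_F" and "K12_HELP", and the call of "F_FDBACK" (instance "INSTANZ_FB216_1") with the inputs ON, QBAD_FIO and ACK_NEC ("F_GLODB".VKE1).]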
If the emergency stop for group 1 (ESTP1) or the emergency
stop button (ESTP_ALL) applying to all groups is pressed, then
ON="0" which makes Q="0". With Q="0" the contactors K1 and
K2 drop out (actual parameter M1).
For a start (Q="1") it is required that readback input FEEDBACK = 1 and that no readback error is stored. A readback error ERROR = 1 is detected if the signal state of the readback input FEEDBACK (to output Q) does not follow the signal state of the input ON within the maximum tolerable readback time FDB_TIME.
The status of the flip-flop is stored in the static variable #EN1
and read as switch-on condition in OB 1.
[Figure G_FB_XX_174, continued: further parameters of the "F_FDBACK" call. Shown: FEEDBACK, ACK, FDB_TIME with T#100MS, and the outputs Q, ERROR, ACK_REQ and DIAG; operands shown: "F00016_4_F_DO_DC24V_2A".QBAD, "M1", #ERROR1 and #ACK_REQ1.]
To ensure that no readback error is detected and that no acknowledgement is required in a passivation of the failsafe I/O
modules controlled by output Q you have to supply the input
QBAD_FIO with the variable QBAD of the corresponding failsafe I/O module DB.
F_GLOBDB.VKE1 applies a "1" signal at the input ACK_NEC.
This requires acknowledgement at the input ACK in case of an
error (ERROR="1").
Note
The F-Global-DB (F_GLOBDB) provides the variables
“VKE0“ or “VKE1“. This can be used in the safety program
for supplying parameters at block calls if the Boolean
constants "0" and "1" are required.
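The readback monitoring described above, as an added example that is neither the certified F_FDBACK block nor code from the example project: a simplified Python model of the behaviour the text states (Q needs ON and FEEDBACK = 1, a mismatch longer than FDB_TIME stores an error, QBAD_FIO suppresses the check). Assumptions: the readback contact is an NC contact, so FEEDBACK is expected to be the inverse of Q; a stored error is cleared by a rising edge at ACK once FEEDBACK is back at 1; FeedbackMonitor, STEP_MS, run and the three traces are hypothetical names with constructed values.

```python
from dataclasses import dataclass

STEP_MS = 10  # simulation step in ms (assumption of this model)


@dataclass
class FeedbackMonitor:
    """Simplified model of readback monitoring; not the certified F_FDBACK."""
    fdb_time_ms: int = 100   # FDB_TIME, T#100MS in the example project
    ack_nec: bool = True     # ACK_NEC, supplied with VKE1 in the example
    q: bool = False          # output Q (drives the contactors)
    error: bool = False      # stored readback error
    _mismatch_ms: int = 0    # how long FEEDBACK has contradicted Q
    _prev_ack: bool = False  # edge memory for ACK

    def step(self, on, feedback, qbad_fio=False, ack=False):
        ack_edge = ack and not self._prev_ack
        self._prev_ack = ack
        # Assumption: a stored error is cleared only when the contactor has
        # dropped out again (FEEDBACK = 1) and, with ACK_NEC = 1, ACK is given.
        if self.error and feedback and (ack_edge or not self.ack_nec):
            self.error = False
            self._mismatch_ms = 0
        if self.error or not on:
            self.q = False
        elif feedback:
            self.q = True    # switching on requires FEEDBACK = 1
        # Plausibility: FEEDBACK (NC contact) must be the inverse of Q,
        # unless the F-I/O is passivated (QBAD_FIO = 1).
        if qbad_fio or feedback != self.q:
            self._mismatch_ms = 0
        else:
            self._mismatch_ms += STEP_MS
            if self._mismatch_ms > self.fdb_time_ms:
                self.error = True
                self.q = False
        return self.q


def run(trace):
    """Run phases (ms, on, feedback, qbad_fio, ack); return (Q, ERROR) per phase."""
    mon, result = FeedbackMonitor(), []
    for duration, on, feedback, qbad_fio, ack in trace:
        for _ in range(duration // STEP_MS):
            mon.step(on, feedback, qbad_fio, ack)
        result.append((mon.q, mon.error))
    return result


# Constructed traces: (duration in ms, ON, FEEDBACK, QBAD_FIO, ACK)
NORMAL = [
    (50, False, True, False, False),    # idle, contactors dropped out
    (40, True, True, False, False),     # ON, contactors still pulling in
    (200, True, False, False, False),   # running
    (40, False, False, False, False),   # OFF, contactors still dropping out
    (200, False, True, False, False),   # idle again
]
WELDED = [
    (50, False, True, False, False),
    (40, True, True, False, False),
    (200, True, False, False, False),
    (200, False, False, False, False),  # OFF, but FEEDBACK never returns to 1
    (50, True, False, False, False),    # restart attempt with the fault present
    (50, False, True, False, False),    # fault removed, not yet acknowledged
    (20, False, True, False, True),     # acknowledgement
    (40, True, True, False, False),     # start is possible again
]
PASSIVATED = [
    (50, False, True, False, False),
    (40, True, True, False, False),
    (200, True, False, False, False),
    (300, True, True, True, False),     # module passivated: contactors drop out
]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("welded", WELDED),
                        ("passivated", PASSIVATED)):
        print(name, run(trace))
```

In the PASSIVATED trace, changing the last phase to QBAD_FIO = 0 produces a stored error, which is the case the text avoids by supplying QBAD_FIO with the QBAD variable.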
Please consider the following notes on using the FB
"F_FDBACK":
Note
Before inserting the F application block F_FDBACK you
have to copy the F application block F_TOF from the
block container F-Application Blocks\Blocks of the F library Distributed Safety (V1) into the block container of
your S7 program, if it is not available in this container
(has already been done in this example project).
Warning!
When using the F application block F_FDBACK it is required that the F application block F_TOF has the number FB 186 and that the number is not changed!
Network 2
This network is assigned to group 2 with motor M2.
The structure of the program is identical to network 1. The statements on network 1 thus also apply to network 2.
Network 3
FC „REINTEGRATION“ (FC 2)
Network 3 of FB 1 calls FC 2 where the reintegration is implemented in case of a passivation of F-DI or F-DO. For F-DO, a REINT memory bit has been prepared, which reintegrates the module with a positive edge.
Warning!
In this example, the reintegration of passivated modules occurs automatically. Use the automatic reintegration for your application only if it will not cause any hazards.
A passivation is indicated via LED "SF" lighting up on the module. The reintegration of an F module may take approx. one minute.
Operating instructions
Prerequisite:
■ Hardware configuration and safety program are in the S7-CPU
■ All emergency stop buttons are unlocked
■ No passivation of the F-DI/F-DO
The table below demonstrates the function principle:
No. | Instruction | Result/Note
1 | Press the acknowledgement push button E 9.0 (NO) and release it. | Acknowledgement (here with the acknowledgement signal ACK_ALL applying to all groups) is required prior to the first start and after activating the emergency stop. Transmitting the acknowledgement signal for individual groups is also possible (push buttons E 6.1 or E 8.0).
2 | Press the push button E 6.0 (NO) and release it. | If all conditions for a start of group 1 are met, the contactors K1 and K2 switch motor M1.
3 | Press the push button E 7.1 (NO) and release it. | If all conditions for a start of group 2 are met, the contactors K3 and K4 switch motor M2.
4 | Press the emergency stop push button E0.0. | The contactors K1 and K2 drop out, due to this motor M1 of group 1 is shut down.
5 | Press the push button E 0.1 and release it. | Contactors K3 and K4 drop out, due to this motor M2 of group 2 is shut down.
6 | Unlock the emergency stop button and repeat no 1 to 3. | Motors M1 and M2 start.
7 | Press the emergency stop push button E 0.2 | K1 to K4 drop out and shut down groups 1 and 2 (with their motors M1 and M2).
Note
An acknowledgement is required after an actuated emergency stop or prior to the first start.
Distributed application of laserscanner LS4-4 in Category 3 according to EN 954-1
Functional Example No. AS-FE-I-010-V11-EN
Automation Function
Description of the functionality
Application areas
The SIGUARD laser scanner LS4 is mainly used in order to provide safe operation. At a predominantly horizontal alignment, the presence of persons within the detection zone is continuously monitored. When using LS4, access to the hazardous location must only be possible through the detection zone. A safe distance must be kept between detection zone and hazardous location. The distance is calculated according to the formulas in the specific machine related European C standards or in the general B1 standard EN 999: 1998.
[Picture of the LS4 laser scanner]
Function principle of the LS4 laser scanner
The LS4 is an area scanner. It sends very short laser pulses and measures the time until the pulse hits an object, as well as its remission (diffuse reflection of a beam by a non-reflecting surface) to the receiver in the LS4. The device uses this time to calculate the distance between object and LS4. The sensor unit within the LS4 rotates and sends/receives a laser pulse every 0.36°. A circular sector of up to 190° is scanned, in the center of which the LS4 is located.
Distributed application
In the "PROFIBUS" variant, the LS4 can be operated as safe bus component together with non-safe standard components on the same bus (PROFIBUS DP). This is enabled by PROFIsafe, a functional expansion of PROFIBUS DP. For the user this makes no difference: you connect the LS4 to the PROFIBUS in the same way as you are used to from other DP slaves.
Communication between fail-safe S7-CPU and the LS4
The fail-safe S7-CPU (F-CPU) and the LS4 laser scanner communicate via PROFIBUS. The LS4 provides the S7-CPU with cyclic input data of 1 byte length. In return, the LS4 expects cyclic output data of 1 byte length from the S7-CPU. These input and output data can only be processed or evaluated in user program and fail-safe STEP 7 program.
Cyclic input and output data
[Figure G_FB_XX_175: the F-CPU (DP-Master) and the LS4 (DP-Slave) exchange cyclic input data and cyclic output data via DP.]
The names input and output data refer to the view of the DP master:
■ Input data are read by the DP master, hence are output data from the LS4.
■ Output data are written by the DP master, hence are control signals for the LS4.
The integration of the cyclic input and output data into the program code can be seen in the delivered S7 example project.
Bits of the cyclic input data
Only one bit (Bit 7), which is useful for understanding the complete functionality, is discussed here.
The bit OSSD (Bit 7) describes the fail-safe output signals of the LS4. In case of a detection zone violation, this bit changes from "1" to "0", which in fail-safe programs causes the actuator to be switched off.
[Figure G_FB_XX_176: cyclic input data, bits 7 to 0; bit 7 is OSSD.]
Warning!
Bits 0 to 6 must not be used for safety relevant decisions. The fail-safe S7-CPU only has to evaluate bit 7 in order to enable the successive actuator if necessary.
Bits of the cyclic output data
Only individual bits, which are useful for understanding the complete functionality, are discussed here.
Proxy-Enable (Bit 6):
Setting this bit is important for switching between the detection zones (further information on detection zones available at the bottom of this page).
Detection zone number (bits 0, 1, 2):
A detection / warning zone pair in LS4 is selected with these bits.
[Figure G_FB_XX_177: cyclic output data, bits 7 to 0, showing the detection zone number and Proxy-Enable.]
Detection and warning zones
When using the LS4 you define detection and warning zones. A detection zone (SF) and a warning zone (WF) always form a zone pair. All in all, only 4 zone pairs can be defined, and only one zone pair may be active at a time. Detection zone numbers (bits 0, 1 and 2 of the cyclic output data) define the zone pair (1, 2, 3 or 4) to be active. The Proxy-Enable bit of the cyclic output data must be "0".
The detection and warning zones are defined with the LS4Soft software. The PROFIsafe adapter enables correct time behavior when switching the zone pairs.
A violation of detection and warning zones is indicated by
■ LEDs at the LS4 and by
■ the bits of the cyclic input data
Violations of warning zones are not evaluated in the STEP 7 example program. A violation of the detection zone turns the OSSD bit of the cyclic input data to "0", which changes the actuator used in this example to the fail-safe status.
Example for an active zone pair
The robotic cell displayed below consists of two zone pairs:
Zone pair 1 (SF1, WF1): This zone is active, intrusion into SF1 stops the robot.
Zone pair 2 (SF2, WF2): At the displayed point in time, the specified detection and warning zone 2 may be entered.
[Figure NSC0_00646: robotic cell with the LS4 and the detection and warning zones of both zone pairs.]
Example project
The STEP 7 project used as an example in this document consists of
■ a fail-safe S7-CPU (DP-Master),
■ the LS4 laser scanner for PROFIBUS (DP-Slave) as well as
■ standard and fail-safe input and output modules of ET 200S (DP-Slave)
In this example, the actuator is simulated by an indicator light. It is switched on and off via a fail-safe output (F-DO of the ET 200S). If the detection zone of the LS4 is violated while the output (indicator light ON) is switched (active), the indicator light is automatically switched off. Restarting is only possible in case of previous acknowledgement.
The status of the sensors defines the detection zone numbers
(bits 0-2 of the cyclic output data). This defines which detection and warning zone is active. Possible activation in this example:
■ zone pair detection zone 1 and warning zone 1 or
■ zone pair detection zone 2 and warning zone 2
If you want to expand the example in such a way as to work
with three or (maximum) four zone pairs, you can use the already prepared program sequences (further information
given on page 311).
The sensors for switching the detection zones are directed to
a fail-safe input module of the ET 200S. In case of a failure at
this input module, switching between the detection zones is
not possible anymore. This error is detected and sets the failsafe output module into fail-safe mode (indicator light is
switched off).
Reaction times
For calculating the max. reaction time of your F-system please
use the Excel file (Cotia table), which is available for S7 Distributed Safety V 5.3. This file is available on the internet:
http://support.automation.siemens.com/WW/view/en/19138505
Prepared detection and warning zones
Apart from the STEP 7 project, both prepared zone pairs
(SF1-WF1, SF2-WF2) are also available as a separate download
file. Chapter 4 describes how to load these configuration data
into the LS4. The prepared zone pairs are illustrated below for
a first impression of the parameterization software LS4Soft.
Note
The contours of the detection and warning zones used
in the example project are rectangles. The software
LS4Soft also offers the possibility of parameterizing
other contours (e.g. semi circles) as zone delimiters.
Time sequence
For a better understanding, the time sequence of the parameters used in the sample project is displayed in this section. The names of the parameters correspond to the symbols in the STEP 7 project.
Variable | Input / output | Note/Explanation
START | Input (NO) | Start command for switching the actuator on.
STOP | Input (NC) | Stop command for switching the actuator off.
ACK | Input (NO) | Acknowledgement signal
OSSD | Cyclic input data | Bit which the fail-safe S7-CPU reads from the LS4 via PROFIBUS. A signal change from "1" to "0" indicates a detection zone violation.
ACTUATOR | Output | Fail-safe output with indicator light connected to it.
An explanation of the times is given in the diagram below:
Time | Explanation
t1 | Switching the actuator on: Indicator light goes on (ACTUATOR="1").
t2 | Switching the actuator off: Indicator light goes off (ACTUATOR="0").
t3 | Switching the actuator on: Indicator light goes on (ACTUATOR="1").
t4 | LS4 recognizes a violation of the active detection zone (OSSD="0"). Then...
t5 | ...a restart does not cause the indicator light to be switched on, but...
t6 | ...it must first be acknowledged. Only then...
t7 | ...does a renewed start request cause the indicator light to be switched on.
[Figure G_FB_XX_178: timing diagram of the signals START (NO), STOP (NC), ACK (NO), OSSD (with the detection zone violation marked) and ACTUATOR over the times t1 to t7.]
Note
Requirement for the above time sequence is an adjusted, active zone pair.
Flow chart
The flowchart below once again illustrates the relations.
[Figure G_FB_XX_179: flow chart. Starting at "Begin", it branches on the questions ACTUATOR="1"?, Stop request?, OSSD="0"?, ACTUATOR="0" because OSSD="0" or passivation of F-DI?, Acknowledged? and Start request?, and ends in ACTUATOR="1" or ACTUATOR="0".]
In this example, an indicator simulates an actuator in order to demonstrate the functionality of the laser scanner. When replacing the indicator light with another actuator, you have to evaluate the read back signals (see also example no. 7).
Standards for the application of area scanners
The relevant regulations of machine safety in Europe apply for the application of LS4 PROFIBUS area scanners:
■ machinery directive 98/37/EC and
■ work equipment directive 89/655/EEC
Standards on PROFIsafe
Relevant standards are:
■ EN954-1: 1996
■ IEC 61508
Safety Category
The SIGUARD laser scanner LS4-4 corresponds to safety category 3 of EN954-1: 1996. The example on hand complies with the requirements of Safety Category 3.
Advantages/customer benefits
■ Four freely programmable detection zone pairs
■ Wiring reduced to a minimum due to use of fail-safe S7-CPU and distributed I/O. The more safety functions are implemented, the more useful this advantage is.
■ Detection zone switching with any sensors without additional evaluation device
■ Programming the fail-safe program with STEP 7 engineering tools.
■ Expanded measuring range of 190°
■ Low current intake (approx. 300 mA)
■ Only one CPU is required, since fail-safe and standard program parts run on a coexistent basis in the CPU
■ Simple connection to PROFIBUS-DP
■ Comfortable operator software LS4Soft
■ Use of prefabricated (and certified) fail-safe blocks from
the Distributed Safety library.
Required components
Hardware components
Component | Type | MRPD / Ordering data | Qty
Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1
S7-CPU, can be used for safety applications | CPU 315F-2DP | 6ES7315-6FF01-0AB0 | 1
Micro Memory Card | MMC 512 KByte | 6ES7953-8LJ10-0AA0 | 1
Interface module for ET 200S | IM 151 High Feature | 6ES7151-1BA00-0AB0 | 1
Power module for ET 200S | PM-E DC24..48V AC24..230V | 6ES7138-4CB10-0AB0 | 2
Electronic module for ET 200S | 2DI HF DC24V | 6ES7131-4BB00-0AB0 | 2
Electronic module for ET 200S | 4/8 F-DI DC24V | 6ES7138-4FA01-0AB0 | 1
Electronic module for ET 200S | 4 F-DO DC24V/2A | 6ES7138-4FB01-0AB0 | 1
Terminal module for ET 200S | TM-P15S23-A0 | 6ES7193-4CD20-0AA0 | 2
Terminal module for ET 200S | TM-E15S24-A1 | 6ES7193-4CA20-0AA0 | 2
Terminal module for ET 200S | TM-E30C46-A1 | 6ES7193-4CF50-0AA0 | 2
Profile rail | 482.6 mm | 6ES7390-1AE80-0AA0 | 1
Standard mounting rail | 35 mm, length: 483 mm | 6ES5710-8MA11 | 1
Push button | Green, 1NO | 3SB3801-0DA3 | 3
Push button | Red, 1NC | 3SB3801-0DB3 | 1
Position switch | Overtravel plunger, 1NO+1NC | 3SE2200-1C | 2
Indicator light with lamp | Yellow | 3SB3217-6AA30 | 1
SIGUARD laser scanner | LS4-4 for PROFIBUS | 3SF7834-6PB00 | 1
Optical PC adapter cable | – | 3RG7838-1DC | 1
PROFIBUS M12 connecting plug | Pin insert (5 ea) | 6GK1905-0EA00 | 1
PROFIBUS M12 connecting plug | Connector insert (5 ea) | 6GK1905-0EB00 | 1
PROFIBUS M12 connecting plug | (5 ea) | 6GK1905-0EC00 | 1
Manufacturer of all components: Siemens AG, A&D
Note
The functionality was tested with the hardware components listed. Similar products not included in the above list can also be used. Please note that in this case changes in the sample code (e.g. different addresses) may become necessary.
Configuration software/tools
Component | Type | MRPD / Ordering data | Qty
SIMATIC STEP 7 | V5.3 + SP1 | 6ES7810-4CC07-0YA5 | 1
SIMATIC Distributed Safety | V5.3 | 6ES7833-1FC01-0YA5 | 1
LS4Soft | V1.08 | Delivered with the LS4 | 1
Manufacturer of all components: Siemens AG
Setup and Wiring
Overview of the hardware configuration
Like the ET 200S, the laser scanner LS4-4 is operated at PROFIBUS DP as a DP slave. A fail-safe S7-CPU is thereby used as DP master.
[Figure: overview of the hardware configuration. Components shown: PS 307, CPU 315F, DP, IM 151 HF, PM-E, 2DI HF, 2DI HF, F-DI, PM-E, F-DO (alternatively 4DI HF), laser scanner LS4-4, button for restarting the LS4-4 (NO), START, STOP (NC), ACK, position button for zone pair switching, indicator light.]
Wiring of the hardware components
Requirements: The power supplies are supplied with 230V AC.
First check the addresses set at the hardware components listed below:
Hardware component | Address to be set | Note
IM 151 High Feature | 6 (PROFIBUS address) | Can be changed
Laserscanner LS4-4 | 4 (PROFIBUS address) | Default setting, can be changed
F-DI | Switch position: 1111111110 | The PROFIsafe addresses are automatically assigned during configuring the fail-safe modules in STEP 7. The PROFIsafe addresses 1 to 1022 are permissible. Please make sure that the setting at the address switch (DIL switch) on the side of the module corresponds to the PROFIsafe address in the hardware configuration of STEP 7.
F-DO | Switch position: 1111111101 | See the note for F-DI.
Note
The laser is not illustrated in the figure below. Its connections are discussed separately later on.
Warning!
In this example, the actuator is simulated by an indicator light. For reaching safety category 3, the actuator must be read back via two channels (using two contactors).
Note
The DP interface of the CPU 315F must be connected with the respective DP interface of the IM 151 HF.
Note
One 4DI electronic module can be used instead of both 2DI electronic modules. The "high feature" electronic modules can also be replaced by standard modules.
Note
The wiring of the hardware is illustrated below. In the following table, the hardware components occurring several times are numbered so they can be allocated in the subsequent wiring plan.
[Figures G_FB_XX_180, G_FB_XX_181 and G_FB_XX_182: numbering of the modules occurring several times (PM-E, 2 DI HF) and wiring plan for PS 307 / CPU 315F, IM 151 HF, PM-E, 2 DI HF, F-DI, F-DO and LS4-4 (X1 to X5) with their terminal numbers. Labels shown include L1, N, PE, L+, M, Start, Stop, Acknowledgement, Actuator, restart button LS4-4, position switch (NC) for zone pair 1 and position switch (NC) for zone pair 2.]
Note
A connection between the MPI interface of your PG/PC and the MPI interface of the CPU 315F-2DP (MPI cable) is required to download the S7 project into the CPU 315F-2DP.
Integrating the LS4 into the PROFIBUS network requires the GSD file of the LS4. It is delivered with the LS4. Install the GSD into the hardware configuration of STEP 7 (Menu Options -> Install new GSD). Subsequently, the LS4 is available in the hardware catalog (within the hardware configuration of STEP 7, see following figure).
Connection of the LS4
Externally, the LS4 has five male/female connectors (X1, X2,...,X5).
[Figure G_FB_XX_183: LS4 with the connectors X1, X2, X3, X4 and X5.]
Connect these male/female connectors as follows:
Male/female connector | Function | Note/Explanation
X1 | Restart button | Here you connect a push button (NO) (considered in chapter 3 in the table "Hardware components"). This button has two functions: ■ Unlocking the scanner-internal starting/restarting lockout, if it has been activated. In this example it has not been activated. However, a restarting lockout has been realized in the fail-safe S7-program. ■ Error acknowledgement, if the LS4 is in failure mode.
X2 | PROFIBUS output | If the LS4 is the last device at the PROFIBUS, a standards compliant terminating resistor should be connected (this was the case in our test run).
X3 | PROFIBUS input | –
X4 | Power supply | Pin 1: +24V DC, Pin 3: 0V DC
X5 | Optical PC interface (also referred to as PC adapter) | Connected to the COM interface of the PG/PC on which the programming software LS4Soft has been installed.
Note
The cable outlet of the PC adapter at LS4 must point in the direction of the detection zone. The PC adapter should only be connected in the installation phase or for control purposes.
Configuration and diagnosis software LS4Soft
The following example illustrates how to load the example file as_fe_i_010_v10_code_plscanner.ls to the LS4 using LS4Soft. The sample file is available as separate download (like the respective STEP 7 project).
No. | Instruction | Note
1 | Install the LS4Soft software on your PG/PC. | –
2 | Switch on the LS4. | –
3 | Start LS4Soft. | –
4 | Connect the COM interface of your PG/PC with the LS4 via the PC adapter. | The configuration data currently located on the LS4 are now loaded.
5 | Register as "authorized customer" and enter the required password LS4SIG. | A query that no individual password has been specified appears.
6 | Wait until the LS4 has determined the status information. | –
7 | Click "Close". | –
8 | Click "Cancel". | No new configuration shall be generated, but the example file as_fe_i_010_v10_code_plscanner.ls be used.
9 | Verify whether the "Display of measurement values" is active. | The currently active zone pairs and contours appear.
10 | Activate the "LS4 configuration" tab via mouse click and select LS4 configuration -> Load configuration data from file and transfer to LS4 system from the menu | –
11 | Now search the example file as_fe_i_010_v10_code_plscanner.ls and follow the further instructions | –
Note
Ensure the COM interface is set correctly. The COM interface settings are available in the menu Settings -> PC configuration -> Interface
Changing detection and warning zones
If you wish to change detection and warning zones, click the "Definition of detection zone/warning fields" tab. Set the detection or warning zone to be edited, and select detection zone/warning fields->Define->Enter detection zone/warning field from the menu.
Working with the wizard
A helpful wizard for time efficient scanner configuration exists for the "authorized customer" access level. The wizard can be called up as illustrated below.
Amongst other things, the wizard enables you to set the zone pairs to be enabled when starting the LS4. In the prepared example this is zone pair 1 (detection zone 1 and warning zone 1).
The wizard can also be used to specify which zone pairs can be switched. In the prepared example, switching is possible from zone pair 1 to 2 and from zone pair 2 to 1. Zone pairs 3 and 4 have not been prepared in this example.
Function test
After wiring the hardware components, you can check the inputs and outputs used with regard to their functionality (after downloading the S7 project and transferring the as_fe_i_010_v10_code_plscanner.ls file).
Inputs/outputs used
No. | Hardware component | Address | Symbol | Signal (default value) | Note
1 | Push button (NO) | E 0.0 | START | "0" | Switches the indicator light ON
2 | Push button (NC) | E 0.1 | STOP | "1" | Switches the indicator light OFF
3 | Push button (NO) | E 1.0 | ACK | "0" | Acknowledgement
4 | Position switch (NC) | E 2.0 | SEN_FIELD1 | "1" | Defining which zone pair is active.
5 | Position switch (NC) | E 2.4 | SEN_FIELD2 | "1" | Defining which zone pair is active.
6 | Indicator light | A 8.0 | ACTUATOR | "0" | Actuator (In this case: Indicator light)
Testing inputs and outputs
Requirements:
■ The inputs and outputs have the default values specified under "Inputs/outputs used".
■ The STEP 7 sample project is loaded
■ The LS4 has been switched on and has loaded the example project as_fe_i_010_v10_code_plscanner.ls.
■ No objects are currently in the detection zone of the LS4
No. | Instruction | Response A 8.0 | Note
1 | Keep E 2.0 on "0" signal | "0" | Activating zone pair 1 (detection zone 1 and warning zone 1)
2 | Keep E 2.4 on "1" signal | "0" | Activating zone pair 1 (detection zone 1 and warning zone 1)
3 | Press the push button E 1.0 and release it. | "0" | Acknowledgement necessary at initial start.
4 | Press the push button E 0.0 and release it. | "1" | Start request
5 | Press the push button E 0.1 and release it. | "0" | Stop request
6 | Press the push button E 0.0 and release it. | "1" | No acknowledgement required for Start
7 | Place an object into the detection zone of LS4 | "0" | Violation of the detection zone
8 | Remove the object from the detection zone of LS4 | "0" | –
9 | Press the push button E 0.0 and release it. | "0" | Acknowledgement necessary prior to the start.
10 | Press the push button E 1.0 and release it. | "0" | Acknowledgement
11 | Press the push button E 0.0 and release it. | "1" | Start possible again
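The start, stop and acknowledgement behaviour from the time sequence, the flow chart and the function test, as an added example that is not the F-program of the STEP 7 project: a Python model that evaluates only bit 7 (OSSD) of the cyclic input byte and replays steps 3 to 11 of the function test. Assumptions: push buttons are evaluated on their rising edge, an acknowledgement is accepted only while OSSD is "1" and the F-DI is not passivated, and RestartInterlock, FREE, VIOLATED and replay_function_test are hypothetical names with constructed input bytes.

```python
from dataclasses import dataclass

OSSD_MASK = 0x80   # bit 7 of the cyclic input byte
FREE = 0x80        # constructed byte: OSSD = 1, detection zone free
VIOLATED = 0x7F    # constructed byte: OSSD = 0 although bits 0 to 6 are set


@dataclass
class RestartInterlock:
    """Model of the restart interlock; not the project's safety program."""
    actuator: bool = False      # A 8.0, indicator light
    ack_required: bool = True   # acknowledgement is needed before the first start
    _prev_start: bool = False   # edge memory for START (NO)
    _prev_ack: bool = False     # edge memory for ACK (NO)

    def scan(self, start, stop_nc, ack, input_byte, fdi_passivated=False):
        """One program cycle; stop_nc is an NC contact, False means pressed."""
        ossd = bool(input_byte & OSSD_MASK)   # bits 0 to 6 are never evaluated
        start_edge = start and not self._prev_start
        ack_edge = ack and not self._prev_ack
        self._prev_start, self._prev_ack = start, ack

        if not ossd or fdi_passivated:
            # Safety-related shutdown: the next start needs an acknowledgement.
            self.actuator = False
            self.ack_required = True
        elif not stop_nc:
            # Operational stop: no acknowledgement is needed afterwards.
            self.actuator = False
        elif self.ack_required:
            # Acknowledging never starts the actuator by itself, and a start
            # request in the same cycle is ignored.
            if ack_edge:
                self.ack_required = False
        elif start_edge:
            self.actuator = True
        return self.actuator


def replay_function_test():
    """Replay steps 3 to 11 of the function test; return A 8.0 after each step."""
    steps = [
        ("ack", FREE),       # 3: acknowledgement at initial start
        ("start", FREE),     # 4: start request
        ("stop", FREE),      # 5: stop request
        ("start", FREE),     # 6: start without acknowledgement
        (None, VIOLATED),    # 7: object in the detection zone
        (None, FREE),        # 8: object removed
        ("start", FREE),     # 9: start refused, acknowledgement missing
        ("ack", FREE),       # 10: acknowledgement
        ("start", FREE),     # 11: start possible again
    ]
    ilock, responses = RestartInterlock(), []
    for button, byte in steps:
        # Cycle with the button pressed, then a cycle with it released.
        ilock.scan(start=button == "start", stop_nc=button != "stop",
                   ack=button == "ack", input_byte=byte)
        responses.append(ilock.scan(start=False, stop_nc=True, ack=False,
                                    input_byte=byte))
    return responses


if __name__ == "__main__":
    for number, value in enumerate(replay_function_test(), start=3):
        print(f"step {number}: A 8.0 = {int(value)}")
```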
Testing the LEDs at LS4
The LS4 indicates its current status via five LEDs:
LED | Color | Function/Meaning
1 | Green | Sensor function is active, active detection zone is free
2 | Yellow | Warning zone occupied
3 | Red | OSSD outputs switched off
4 | Green | OSSD outputs switched on
5 | Yellow | ■ Permanent light: Restarting lockout ■ Slowly blinking: Warning message (ca. 0.25 Hz) ■ Blinking fast: Failure message (ca. 4 Hz)
Perform the following actions:
Instruction | Response LED 1 | LED 2 | LED 3 | LED 4 | LED 5
Ensure that objects are located neither in the warning zone, nor in the detection zone | ON | OFF | OFF | ON | OFF
Place an object into the warning zone of LS4 | ON | ON | OFF | ON | OFF
Place an object into the detection zone of LS4 | OFF | ON | ON | OFF | OFF
Note
In order to remove a failure message of the LS4-4, the error must be removed and the "1" signal be applied to the LS4-4 for 0.5 - 3 s using the restart button.
Important hardware component settings
Below, several important settings from the hardware configuration of STEP 7 are shown to provide you with an overview.
These settings are available in the included STEP 7 project. It
is basically possible to change these settings (e.g. due to individual requirements), but please consider the following note:
10
Settings of the CPU 315F-2DP
The settings are displayed after double-clicking "CPU 315F-2
DP" (see "Overview picture").
Warning!
The settings shown below contribute to meet the requirements of Safety Category 3. Changes at the settings may cause loss of safety functions.
If you implement changes (e.g. add an additional module),
the sample code has to be adapted accordingly.
Overview picture
The PROFIBUS address at IM 151HF is set using DIP-switches.
Default value: 100 ms. It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Available in the "Protection" tab.
A password has to be allocated in order to be able to set the
parameter "CPU Contains Safety Program". It is only in this
case that all required F blocks for safe operation of the F modules are generated during compiling the hardware configuration of STEP 7.
Password used here: siemens
Functional Example No. AS-FE-I-010-V11-EN
307
Ex. No.
10
Settings of the fail-safe F-DI
The settings are displayed after double-clicking "4/8 F-DI
DC24V" (see "Overview picture").
Activate the short circuit test.
Set mode: "Test Mode"
During Process Mode, the test functions such as program status or monitor/modify variable are restricted in such a way
that the set permitted increase in scan cycle time is not exceeded. Testing with stop-points and gradual program execution cannot be performed.
During Test Mode all test functions can be used without restrictions via PG/PC, which can also cause larger extensions of
the cycle time. Important: During test mode of the CPU, you
have to make sure that the CPU or the process can "stand"
large increases in cycle time.
A function block "FB LS4" is provided with the LS4, which in
this example is not used (this FB is briefly referred to in the
sample code ). Should you wish to use the "FB LS4" for adjusting the example program to your requirements, you must ensure to reserve a retentive memory area of at least 36 bytes.
308
Functional Example No. AS-FE-I-010-V11-EN
DIL switch settings
This value has to be set on the module (F-DI).
F monitoring time
It has to be observed that the F monitoring time must be
larger than the call time of OB 35.
Also in the "Parameter" tab.
The sensors, which define which zone pair must be active, are
integrated as fail-safe. In this example, two position switches
are connected at channels 0 and 4. The remaining channels
are deactivated.
Settings of the fail-safe F-DO
The settings are displayed after double-clicking "4 F-DO DC24V/2A" (see "Overview picture").
DIL switch settings
This value has to be set on the module (F-DO).
F monitoring time
It has to be observed that the F monitoring time must be larger than the call time of OB 35.
Activate used channels, deactivate channels which are not used. The indicator light ACTUATOR has been connected to channel 0.
The read-back time defines the duration of the switch-off procedure for the respective channel. If the respective channel switches high capacity loads, the read-back time should be set sufficiently large. We recommend setting the read-back time as small as possible, however large enough so that the output channel does not become passive.
Settings of the LS4
Select the LS4 and then double-click the line which appears (see following figure):
[Figure: mark the LS4 first, then double-click this line]
Click the PROFIsafe tab.
F_Dest_Add:
This value always results from the PROFIBUS address (here: 4) plus 500.
F_WD_Time:
The default value of 10 ms is usually too small.
A valid current safety frame must be received from the F-CPU within the watchdog time period. Otherwise, the DP standard slave goes to the safe state.
The selected watchdog time should be long enough to tolerate frame delays in communication, but also short enough for your process to run without interference.
Basic Performance Data
Load and main memory (without program code)
| | Total | S7 standard blocks | F blocks (failsafe) |
| --- | --- | --- | --- |
| Load memory | approx. 37.5 k | approx. 0.2 k | approx. 37.3 k |
| Main memory | approx. 28.2 k | approx. 0.09 k | approx. 28.1 k |
Load and main memory (with program code)
| | Total | S7 standard blocks | F blocks (failsafe) |
| --- | --- | --- | --- |
| Load memory | approx. 97.8 k | approx. 48.9 k | approx. 48.9 k |
| Main memory | approx. 79.6 k | approx. 44.9 k | approx. 34.7 k |
Cycle time
| | Time | Note |
| --- | --- | --- |
| Total cycle time (typical value) | approx. 8 ms | Standard and safety program |
| Max. runtime of the safety program | 14 ms | Calculation with the Cotia table. Page 294 specifies where to find it. |
Performance data of the LS4
■ 4 user programmable contactors up to 4 m
■ 4 user programmable warning zones up to 15 m
■ Monitored radius up to 190°
■ Low power consumption 300 mA
■ Weight 2 kg
Sample Code
Preliminary Remarks
Enclosed, we offer you the STEP 7 project as sample code with which you can reproduce the functionality described here.
The sample code is always assigned to the components used in the functional examples and implements the required functionality. Problems not dealt with in this document are to be realized by the user; the sample code may serve as a basis.
Password
In all cases, the password used for the safety-relevant part is "siemens".
Use of the STEP 7 project
The STEP 7 project enables you to safely monitor the connection with the laser scanner LS4. If the LS4 recognizes a safety zone violation, the fail-safe S7-CPU switches the output channel at the actuator (here: indicator light) safely off.
Download the STEP 7 project
To call the corresponding project file, open the "as_fe_i_010_v10_code_clscanner.zip" file offered as a separate download (on the HTML page) and extract it into a user-defined directory.
For downloading the project into the F-CPU please proceed as follows:
■ First load the hardware configuration into the S7-CPU
■ Switch to the SIMATIC Manager.
■ Select the "Blocks" container.
■ Menu "Options" -> Edit safety program.
■ Click the "Download" button.
The sample code with the given configurations enables the following:
■ Connecting a laser scanner to a fail-safe S7-CPU via PROFIBUS DP
■ Switching between two prepared zone pairs (SZ1/WZ1 and SZ2/WZ2)
Download of the LS4Soft project
For parameterizing the LS4, please load the sample project as_fe_i_010_v10_code_plscanner.ls, which is also available as a separate download (on the HTML page), to the LS4 (instructions are available on page 302 under "Configuration and diagnosis software LS4Soft").
Program procedure
The standard user program consists mainly of three networks of OB 1:
Network 1
[Figure: function block diagram of network 1 with an SR flip-flop and the signals "START", "STOP", "INSTANZ_FB3".EN and "COND"]
The signal for an operational start (START) and stop (STOP) request for the actuator (here simulated by an indicator light) is given in network 1.
The "INSTANZ_FB3" bit includes the status of an SR flip-flop in the safety program (FB3, NW1) and in this case prevents the starting of the actuator (here simulated by an indicator light) with an acknowledgement transmitted in the safety program. As long as "INSTANZ_FB3".EN = "0", COND remains "0", even if the start push button is pressed, since the reset function has priority in this flip-flop type.
The information of the memory bit "COND" from network 1 is read as memory bit COND1 in the safety program. This allocation occurs in the cyclic interrupt OB 35 for the following reason:
If you want to read data from the standard user program (memory bits or PII of standard I/O) in the safety program (here: COND), which can be changed by the standard user program or an operator control and monitoring system during the runtime of an F run-time group, it is required to use separate memory bits (here: COND1). Data from the standard user program have to be written to these memory bits immediately before calling the F runtime group. Only these memory bits may then be accessed in the safety program.
In this example it has already been realized. Generally, however, the following applies:
Note
If the above section is not observed, the F-CPU may go to STOP mode.
Network 2
In OB 1 the "Proxy-Enable" bit (Bit 6 of the cyclic output data)
is reset as the default value "0".
Network 3
Additionally contained in OB 1 is the "FB LS4", which, however, is not processed. It is only included as preparation in case it is to be used. Please note: Before calling the "FB LS4" the "ProxyEnable" bit must be permanently set to "1".
The "FB LS4" enables automatic parameterization when exchanging the LS4.
F-Call (FC1)
The fail-safe program has the following structure:
[Figure: structure of the fail-safe program with F-Call (FC1), FC "FMAIN" (FC2), FB "SET_ACT" (FB3, DB3), FB "FIELD_PAIR_SWITCHING" (FB4, DB4) and FC "REINTEGRATION" (FC3)]
FC "FMAIN" (FC 2)
The calls of the F-blocks are coordinated from here.
Network 1
FB 3, DB 3 is called here:
[Figure: call of "SET_ACT" (instance "INSTANZ_FB3") with the parameters ACK, OSSD, COND1 and ACTUATOR]
| Parameter | Note |
| --- | --- |
| ACK | Acknowledgement signal |
| OSSD | Safety-relevant output of LS4. |
| COND1 | Starting condition defined in OB 1 (or OB 35). |
| ACTUATOR | Indicator light |
Network 2
FB 4, DB 4 is called here:
[Figure: call of "FIELD_PAIR_SWITCHING" (instance "INSTANZ_FB4") with the inputs SEN_FIELD1 to SEN_FIELD4 and the outputs FIELD_BIT0 to FIELD_BIT2]
Inputs: Position switches which define which zone pair is active. The inputs "SEN_FIELD3" and "SEN_FIELD4" are not used in this example and are therefore assigned with memory bits as dummies.
Outputs: Detection zone number (bit 0 to 2) of the cyclic output data.
Network 3
Here the FC 3 is called for reintegration of passivated modules (F-DI / F-DO) and the LS4.
[Figure: call of "REINTEGRATION" with EN and ENO]
FB "SET_ACT" (FB 3, DB 3)
Network 1
[Figure: SR flip-flop with the signals #ACK, #OSSD, #EN and #RELEASE]
The status of the SR flip-flop (#EN) is evaluated in OB 1 as a precondition for a start command. In case of a detection zone violation OSSD becomes "0" and resets the SR flip-flop as well as the #RELEASE (used in network 2).
Note
This type of flip-flop is reset if the S input and the R input are both controlled with a "1" signal (resetting has priority).
Network 2
[Figure: AND gate with #RELEASE and #COND1, assigned to #ACTUATOR]
The actuator (here simulated by an indicator light) only becomes active if
■ the start condition could be transmitted (see OB 1 or OB 35) and
■ an enable was given (see previous network 1)
FB "FIELD_PAIR_SWITCHING" (FB 4)
The following table describes the parameters.
| Parameter | Input / output | Convention |
| --- | --- | --- |
| SEN_FIELD1 | Position switch (NC) | "1": Switch not activated |
| SEN_FIELD2 | Position switch (NC) | "1": Switch not activated |
| SEN_FIELD3 | Memory bit | Dummy |
| SEN_FIELD4 | Memory bit | Dummy |
| FIELD_BIT0, FIELD_BIT1, FIELD_BIT2 | Bits of the cyclic output data | – |
A maximum of four zone pairs (one zone pair consists of a safety and a warning zone) can be actively switched. However, only one zone pair may be active at any time. In this example zone pair 1 or 2 can be active. Zone pairs 3 and 4 are not ready. If you also wish to use these zone pairs, replace the memory bits (in this example the dummies) by sensors (e.g. further position switches). These zone pairs 3 and/or 4 must previously have been configured with the LS4Soft software.
In the prepared example, it can be switched from zone pair 1 to 2 and from zone pair 2 to 1. Which zone pair is now active depends on bits 0, 1, 2 of the cyclic output data (parameter "FIELD_BIT0", "FIELD_BIT1", "FIELD_BIT2").
Note
When switching the zone pairs, the PC adapter must not be connected (PC adapter must not be connected at the LS4).
[Figure: cyclic output data, bits 7 to 0, with FIELD_BIT0, FIELD_BIT1 and FIELD_BIT2]
The following assignments apply:
| FIELD_BIT2 | FIELD_BIT1 | FIELD_BIT0 | Active zone pair | Note |
| --- | --- | --- | --- | --- |
| 0 | 0 | 1 | 1 | – |
| 0 | 1 | 0 | 2 | – |
| 0 | 1 | 1 | 3 | Not realized in the example |
| 1 | 0 | 0 | 4 | Not realized in the example |
The statuses of these three bits are determined by the status of the position switches (SEN_FIELD1 and SEN_FIELD2). The realization in the program code is displayed below.
Network 1 and Network 2
[Figure: networks NW1 and NW2 with AND gates over #SEN_FIELD1 to #SEN_FIELD4 that set (S) and reset (R) #FIELD_BIT0, #FIELD_BIT1 and #FIELD_BIT2 (bits of cyclic output data)]
Network 3 and Network 4
In these networks the zone pairs 3 and 4 can be switched active. To do this, replace the flags (dummies) with their sensors (input parameters in FC2) and parameterize the zone pairs in the LS4-4 with the LS4Soft software. In this example only zone pairs 1 and 2 are considered.
Note
The memory bits (dummies) are preset in OB 100.
Network 5 and Network 6
In this example a zone pair always becomes active when the respective sensor (here NC) switches (i.e. is on "0" signal) AND the other sensor (NC) or the dummy bits are on "1" signal. During switching (e.g. from zone pair 1 to zone pair 2) this condition is not true for a certain duration of time. During this time the last set zone pair remains active!
[Figure: timing diagram with the sensors for zone pairs 1 and 2 (NC), the sensors for zone pairs 3 and 4 (NC, here: dummy), "Zone pair 1 active", "Zone pair 2 active" and the switching time]
This condition can (depending on the application) be a possible hazard (e.g. if the sensor to be switched does not react). In this example the status is recorded and compared with a parameterized time. If this condition continues to be true after this time has elapsed, this will be interpreted as an error and the #ERR_SW_TIME bit will be set (see following figure).
[Figure: logic network with AND and OR gates over #SEN_FIELD1 to #SEN_FIELD4, the timer "F_TON" (instance "INSTANZ_FB185_2", PT = T#1S, configurable time) and the output #ERR_SW_TIME]
Warning!
The time to be parameterized at the parameter PT depends on the application and can be changed. Generally, however, it should be as small as possible. For times larger than 1 sec additional safety measures should be considered.
[Figure: with #ERR_SW_TIME set, #FIELD_BIT0, #FIELD_BIT1 and #FIELD_BIT2 are reset (R)]
For a set #ERR_SW_TIME bit, the bits 0, 1 and 2 of the cyclic
output data (determine which detection zone is active) are
then reset. At the LS4-4, in return, this bit combination causes
the OSSD bit to be reset. In this example, resetting the OSSD
bit causes the indicator light to be switched off (see FB 3 NW
1 and 2).
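The zone-pair selection with switching-time monitoring described for FB 4, chained to the reset-priority flip-flop of FB 3, as an added Python model; it is not part of the Siemens sample code. Block and signal names come from the page; the 50 ms scan interval, the non-latching ERR_SW_TIME, the dummy inputs held at "1" and the `ls4_ossd` stand-in for the scanner are assumptions.

```python
from dataclasses import dataclass

# (FIELD_BIT2, FIELD_BIT1, FIELD_BIT0) for each zone pair, from the assignment table.
ZONE_PAIR_BITS = {1: (0, 0, 1), 2: (0, 1, 0), 3: (0, 1, 1), 4: (1, 0, 0)}


@dataclass
class FieldPairSwitching:
    """Model of FB 4: latches the zone-pair bits and monitors the switching time."""
    pt_ms: int = 1000           # PT of the on-delay timer (T#1S on the page)
    bits: tuple = (0, 0, 0)     # FIELD_BIT2..FIELD_BIT0 sent to the LS4
    elapsed_ms: int = 0         # how long no unique selection has been present
    err_sw_time: bool = False   # ERR_SW_TIME, modelled as timer output Q (assumption)

    def scan(self, sen, dt_ms):
        """One cycle. sen = (SEN_FIELD1..SEN_FIELD4); NC contacts, 0 = actuated."""
        actuated = [n for n, level in enumerate(sen, start=1) if level == 0]
        if len(actuated) == 1:
            # Exactly one sensor at "0", all others at "1": select that zone pair.
            self.elapsed_ms = 0
            self.err_sw_time = False
            self.bits = ZONE_PAIR_BITS[actuated[0]]
        else:
            # Switching in progress: the last zone pair stays active while the timer runs.
            self.elapsed_ms += dt_ms
            if self.elapsed_ms >= self.pt_ms:
                self.err_sw_time = True
                self.bits = (0, 0, 0)   # pattern 000 makes the LS4 reset OSSD
        return self.bits


@dataclass
class SetAct:
    """Model of FB 3: reset-priority SR flip-flop (EN) that gates the actuator."""
    en: bool = False

    def scan(self, ack, ossd, cond1):
        if not ossd:        # R input: zone violation or bit pattern 000
            self.en = False  # reset wins even if ACK is pressed in the same cycle
        elif ack:           # S input: acknowledgement by the operator
            self.en = True
        return self.en and cond1   # ACTUATOR = RELEASE AND COND1 (RELEASE taken as EN)


def ls4_ossd(bits, object_in_zone=False):
    """Hypothetical stand-in for the scanner: OSSD is 1 only for a valid pattern and a free zone."""
    return bits in ZONE_PAIR_BITS.values() and not object_in_zone


def run(sensor_trace, dt_ms=50, ack_at=()):
    """Run both blocks over a list of sensor tuples; one (bits, err, actuator) record per scan."""
    fb4, fb3 = FieldPairSwitching(), SetAct()
    log = []
    for i, sen in enumerate(sensor_trace):
        bits = fb4.scan(sen, dt_ms)
        actuator = fb3.scan(ack=i in ack_at, ossd=ls4_ossd(bits), cond1=True)
        log.append((bits, fb4.err_sw_time, actuator))
    return log


# Constructed sensor traces; SEN_FIELD3 and SEN_FIELD4 are the dummies held at "1".
PAIR1, PAIR2, BETWEEN = (0, 1, 1, 1), (1, 0, 1, 1), (1, 1, 1, 1)
GOOD_SWITCH = [PAIR1] * 3 + [BETWEEN] * 5 + [PAIR2] * 3     # 250 ms without selection
STUCK_SWITCH = [PAIR1] * 3 + [BETWEEN] * 25 + [PAIR2] * 3   # 1250 ms without selection

if __name__ == "__main__":
    for name, trace in (("good", GOOD_SWITCH), ("stuck", STUCK_SWITCH)):
        bits, err, actuator = run(trace, ack_at={1})[-1]
        print(f"{name:5s} bits={bits} ERR_SW_TIME={err} ACTUATOR={actuator}")
```

In the stuck trace the valid selection eventually returns and the error clears, but the actuator stays off until ACK is given again, because the OSSD drop has reset the flip-flop.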
FC "REINTEGRATION" (FC 3)
The reintegration applies for
■ the LS4 (network 1)
■ the F-DO
■ the F-DI
For the F-DO a memory bit REINT is prepared. With a positive edge of REINT the F-DO will be reintegrated.
Warning!
In this example, the reintegration of passivated modules occurs automatically. Only use the automatic reintegration for your applications if it does not cause hazards.
A passivation is indicated via LED "SF" lighting up on the module. The reintegration of an F module may take approx. one minute.
Operating instructions
Prerequisites:
■ Hardware configuration of STEP 7 as well as the fail-safe and user program are located in the S7-CPU
■ No objects are currently in the detection zone of the LS4
■ Zone pair 1 has been set (via positioning switch)
■ The PC adapter has not been connected
■ LS4 has been parameterized
■ Zone pair 1 is active
| No. | Instruction | Result/Note |
| --- | --- | --- |
| 1 | Press the acknowledgement button ACK (E 1.0) | Necessary prior to the first start. |
| 2 | Press the start button START (E 0.0) | Indicator light goes ON |
| 3 | Place an object into the detection zone | OSSD bit of LS4 becomes "0" -> Indicator light goes OFF |
| 4 | Press the acknowledgement button ACK (E 1.0) | Necessary in case of error (here: detection zone interrupted) |
| 5 | Press the START button (E 0.0) | Indicator light goes ON |
| 6 | Now use the position switches to switch from zone pair 1 to zone pair 2: FIELD_BIT0="0", FIELD_BIT1="1" | Zone pair 2 is now active. Switching must be performed within the time parameterized within FB4, NW5. |
Passivation and Reintegration of F-I/O considering as example the ET 200S
Automation Function
Scope of validity of the functional example
The functional example applies for the following framework conditions:
Hardware:
■ CPU 315F-2 DP, with PROFIsafe I/O modules ET 200S
Software:
■ STEP 7 V5.3 + SP3
■ S7 Distributed Safety V5.4, and S7 F Configuration Pack V5.4 + SP1
Functionality of the functional example
Task
The fail-safe system "S7 Distributed Safety" enables realizing safety functions at machines. Proper functioning of the "S7 Distributed Safety" system is necessary as human health depends on it and it avoids damage to machines.
In case of an error, the "S7 Distributed Safety" system must behave so that the machine remains fail-safe or will be turned fail-safe. An error at the F-I/O-module for example (e.g. wire break at actuator or sensor) turns the affected F-I/O-module fail-safe, i.e. it is "passivated".
This functional example demonstrates "passivation" and "reintegration" of fail-safe I/O modules in the "S7 Distributed Safety" system.
Solution
A concrete example from practice illustrates the behavior of "S7 Distributed Safety" in case of errors at the F-I/O-module:
■ Passivation channels due to wire-break at an F DO. Manual reintegration after error has been removed.
■ Passivation entire module due to wire-break at an F DI. Automatic reintegration after error has been removed.
■ Passivation of the F-I/O-module due to disconnecting F-CPU and distributed station. Reintegration after error has been removed.
Apart from the practical application, the functional example provides extensive background knowledge on the topic of "passivation" and "reintegration".
Note
In this functional example, the combination of type of passivation (channels, entire module), type of F-module (F-DO, F-DI), and type of reintegration (manual, automatic) is exemplary. Other combinations can also be realized.
Advantage / Customer benefits
The "passivation" and "reintegration" functions of "S7 Distributed Safety" have the following function:
■ Errors at the F-I/O-module are turned fail-safe.
■ F-modules can be passivated entirely or by channels.
■ If an F-module passivates, passivation of further F-modules can be "forced".
■ After the error has been removed, the reintegration occurs only after acknowledgement by the user. In cases where an automatic startup of the plant is not possible, reintegration can also occur automatically.
Functional Example No. AS-FE-I-011-V10-EN
Required Components
In this chapter you find an overview of hardware and software
components required for the functional example.
Hardware components
| Component | Type | MLFB / Order information | No. | Manufacturer |
| --- | --- | --- | --- | --- |
| Power supply | PS307 5A | 6ES73071EA00-0AA0 | 1 | Siemens AG |
| S7-CPU, can be used for safety applications | CPU 315F-2DP | 6ES7315-6FF01-0AB0 | 1 | Siemens AG |
| Micro Memory Card | MMC 512 kB | 6ES7953-8LJ10-0AA0 | 1 | Siemens AG |
| Interface module for ET 200S | IM 151 High Feature | 6ES7151-1BA01-0AB0 | 1 | Siemens AG |
| Power module for ET 200S | PM-E DC24..48V AC24..230V | 6ES7138-4CB10-0AB0 | 2 | Siemens AG |
| Electronic module for ET 200S | 4 DI, DC 24V, Standard | 6ES7131-4BD01-0AA0 | 1 | Siemens AG |
| Electronic module for ET 200S | 4 DO, DC 24V/0,5A, Standard | 6ES7132-4BD01-0AA0 | 1 | Siemens AG |
| Electronic module for ET 200S | 4/8 F-DI, DC 24V, PROFIsafe | 6ES7138-4FA02-0AB0 | 1 | Siemens AG |
| Electronic module for ET 200S | 4 F-DO, DC24V/2A, PROFIsafe | 6ES7138-4FB02-0AB0 | 1 | Siemens AG |
| Terminal module for ET 200S | TM-P15C22-01 | 6ES7193-4CE10-0AA0 | 2 | Siemens AG |
| Terminal module for ET 200S | TM-E15C23-01 | 6ES7193-4CB10-0AA0 | 2 | Siemens AG |
| Terminal module for ET 200S | TM-E30C44-01 | 6ES7193-4CG30-0AA0 | 2 | Siemens AG |
| S7-300, mounting rail | Length 482.6 mm | 6ES7390-1AE80-0AA0 | 1 | Siemens AG |
| Standard mounting rail for ET 200S | 35 mm, length: 483 mm | 6ES5710-8MA11 | 1 | Siemens AG |
| Indicator light including incandescent lamp | Yellow | 3SB3217-6AA30 | 2 | Siemens AG |
| Indicator light including incandescent lamp | Green | 3SB3217-6AA40 | 1 | Siemens AG |
| Indicator light including incandescent lamp | White | 3SB3217-6AA60 | 2 | Siemens AG |
| Push button | Green, 1NO | 3SB3801-0DA3 | 3 | Siemens AG |
| Emergency stop | Push button, 2NC | 3SB3801-0DG3 | 1 | Siemens AG |
Note
The functionality was tested with the listed hardware
components. Similar products not included in the
above list can also be used. Please note that in such a
case changes in the sample code (e.g. setting different
addresses) may become necessary.
Software components
| Component | Type | MLFB / Order information | No. | Manufacturer |
| --- | --- | --- | --- | --- |
| STEP 7 | V5.3 + SP3 | 6ES7810-4CC07-0YA5 | 1 | Siemens AG |
| S7 Distributed Safety | V5.4 | 6ES7833-1FC02-0YA5 | 1 | Siemens AG |
| S7 F Configuration Pack | V5.4 + SP1 | - | 1 | Siemens AG |
Setup and Wiring
This chapter describes hardware setup and wiring of the functional example.
Overview of hardware configuration
The arrangement used to demonstrate passivation and reintegration consists of a PROFIBUS configuration. A fail-safe
S7-CPU is used as DP master, an ET 200S as DP slave. Passivation is triggered by means of disconnections (simulated wirebreak) at F-DI, F-DO or DP interface.
Wiring of hardware components
This chapter contains information on the setup of hardware components. It contains the required address settings and the wiring plan.
Wiring plan
Please wire the hardware components according to the wiring plan (following figure).
Please include the following additional wiring settings:
■ Power supply "PS 307" with 230V AC
■ Connect the DP interface of the CPU 315F-2 DP with the DP interface of the IM 151 HF.
Address settings
The following addresses must be set at the DIL-switches of the hardware components.
| Hardware component | Address to be set at the DIL switch | Note |
| --- | --- | --- |
| IM 151 HIGHFEATURE | 3 (PROFIBUS address) | You can change the PROFIBUS address. |
| 4/8 F-DI | 0011001000 (PROFIsafe address) | The PROFIsafe addresses are automatically assigned when configuring the fail-safe modules in STEP 7. Please ensure that the setting at the address switch of the F-I/O-module (DIP switch) on the module side corresponds to the PROFIsafe address in the hardware configuration of STEP7. |
| 4 F-DO | 0011000111 (PROFIsafe address) | See the note for the 4/8 F-DI. |
Overview of inputs and outputs
Overview of connected push buttons:
| No. | HW component (type) | Address | Symbolic address | Default | Function |
| --- | --- | --- | --- | --- | --- |
| 1 | Push button (NO) | E 0.0 | START_ACTUATOR | "0" | This button switches on the ACTUATOR indicator light. |
| 2 | Push button (NO) | E 0.1 | ACK_ESTP_ACTUATOR | "0" | This button acknowledges the emergency stop circuit. |
| 3 | Push button (NO) | E 0.2 | ACK_PASS_ACTUATOR | "0" | This button acknowledges the manual reintegration of the ACTUATOR indicator light. |
| 4 | Emergency stop push button at F-DI (NC/NC) | E 1.0 | ESTP_ACTUATOR | "1" | This button switches off the ACTUATOR indicator light. |
Overview of connected indicator lights:
| No. | HW component (color) | Address | Symbolic address | After startup | Meaning |
| --- | --- | --- | --- | --- | --- |
| 5 | Indicator light (white) | A 0.0 | REQ_ACK_ESTP_ACTUATOR | "1" | The switched on indicator light indicates that the emergency stop circuit requires acknowledgement. |
| 6 | Indicator light (white) | A 0.1 | REQ_ACK_PASS_ACTUATOR | "0" | The switched on indicator light indicates that acknowledgement for manual reintegration of the ACTUATOR indicator light is necessary. |
| 7 | Indicator light (green) | A 0.2 | PASSIVATION_ON | "0" | The switched on indicator light indicates the current passivation. |
| 8 | Indicator light at F DO (yellow) | A 7.0 | ACTUATOR | "0" | The indicator light simulates the "hazardous loads". The switched on indicator light indicates the "hazardous loads" being switched on. |
| 9 | Indicator light at F DO (yellow) | A 7.1 | TEST | "1" | The indicator light is only used to demonstrate the passivation of the entire module. The indicator light has no other function. Normally, TEST is always switched on. TEST is only switched off if F-DI is passivated. |
Function test
After wiring the hardware components and loading the STEP 7 project into the S7-CPU (see page 327), please test the inputs (buttons) and the outputs (indicator lights) for correct functioning.
Note
A connection between the MPI interface of your PG/PC and the MPI interface of the CPU 315F-2DP (MPI cable) is required to download the STEP7 project to the CPU 315F-2DP.
Please perform the steps of the table below successively. For each step check whether the indicator light is switched on or off.
Indicator lights (*2):
A: PASSIVATION_ON
B: REQ_ACK_PASS_ACTUATOR
C: REQ_ACK_ESTP_ACTUATOR
D: ACTUATOR
E: TEST
| No. | Action | A | B | C | D | E (*3) |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Mode switch of the S7-CPU: Switch from STOP to RUN (startup) | 0 (*1) | 0 | 1 | 0 | 1 |
| 2 | Press: ACK_ESTP_ACTUATOR | 0 | 0 | 0 | 0 | 1 |
| 3 | Press: START_ACTUATOR | 0 | 0 | 0 | 1 | 1 |
| 4 | Press: ESTP_ACTUATOR | 0 | 0 | 0 | 0 | 1 |
| 5 | Press: ESTP_ACTUATOR | 0 | 0 | 1 | 0 | 1 |
| 6 | Press: ACK_ESTP_ACTUATOR | 0 | 0 | 0 | 0 | 1 |
Explanations on the table:
(*1): The PASSIVATION_ON indicator light briefly lights up in step 1, as during startup the F-I/O-modules are passivated shortly.
(*2): Switched on indicators are marked with "1". To recognize more clearly which bits change during a mode transition, they are shaded in gray: If a bit is shaded gray, it has changed compared with its previous state.
(*3): One channel of F-DI is constantly set to "1". In the user program this channel is read in, and it is output at the TEST indicator light.
Important hardware component settings
Below, several important settings from the hardware configuration of STEP 7 are shown for your information. In the STEP 7 project (sample code, see page 327) of the functional example on hand, these settings have already been made.
Changes to the settings are possible (e.g. due to individual requirements). Should you implement changes (e.g. add an additional module), the sample code has to be adapted accordingly.
Overview of the configuration
The PROFIBUS address is set at the IM 151 HF component via DIP switches. In this functional example the address is 3.
Setting the CPU 315F 2 DP
You reach the input dialog in the HW configuration of STEP 7 by double-clicking "CPU 315F-2 DP".
"Cyclic Interrupts" tab:
The call time of OB35 is configured with "50ms".
Important:
The monitoring time of the F-I/O-modules must be larger than the call time of OB35.
Please use the Cotia table for selecting the monitoring time ("min. F monitoring time" sheet). At page 326 you find the link to the Cotia table.
"Protection" tab:
A "Password" must be allocated in order to be able to set the parameter "CPU contains safety program". It is only in this case that all required F blocks for safe operation of the F-I/O-modules are generated during the compilation of the STEP 7 hardware configuration.
Password used in this functional example: siemens
"Protection" tab:
Mode used here is "Test Mode":
The Mode field is not relevant for safety operation.
Settings of the F-DI
You reach the input dialog in the HW configuration of STEP 7 by double-clicking "4/8 F-DI DC24V" (see Figure "Overview of the configuration").
All input screens are available in the "Parameter" tab.
"DIP switch setting (9…0)":
The displayed value must be set at the F-DI.
"F-monitoring time (ms)":
"150 ms"
Important: The F-monitoring time must be larger than the call time of OB35. Please use the Cotia table for selecting the monitoring time ("min. F-monitoring time" sheet). At page 326 you find the link to the Cotia table.
"Short-circuit test":
"cyclic"
The two-channel emergency stop button is supplied with power via the module.
"Behavior after channel faults":
"Passivate the entire module"
"Channel 0.4":
"activate"
The two break contacts of the emergency stop push button are polled with a 1oo2 evaluation.
"Evaluation of the sensors":
"1oo2 evaluation"
"Type of sensor interconnection":
"2 channel equivalent"
"Behavior of discrepancy":
"0-Supply value"
"Discrepancy time (ms)":
"10 ms"
"Channel 1.5":
"activate"
"1" is read at channel 1. This directly controls the TEST indicator light.
"Evaluation of the sensors":
"1oo1 evaluation"
"Type of sensor interconnection":
"1 channel"
Unused channels:
"deactivate"
Settings of the F-DO
You reach the input dialog in the HW configuration of STEP 7 by double-clicking "4 F-DO DC24V/2A" (see Figure "Overview of the configuration"). All input screens are available in the "Parameter" tab.
"DIP switch setting (9…0)":
The displayed value must be set at the F-DO.
"F-monitoring time (ms)":
"150 ms"
Important: The F-monitoring time must be larger than the call time of OB35. Please use the Cotia table for selecting the monitoring time ("min. F-monitoring time" sheet). In chapter 5 you find the link to the Cotia table.
"Behavior after channel faults":
"Passivate the channel"
"Channel 0" and "Channel 1":
"activate"
"Read-back time":
"100 ms"
The read-back time defines the duration of the switch-off procedure for the channel. If the respective channel switches high capacity loads, the read-back time should be set sufficiently large.
We recommend specific tests for selecting the read-back time setting so that the following criterion is met: as small as possible, however large enough so that the output channel is not passivated.
"Diagnostics: wire break":
"activated"
Unused channels:
"deactivate"
Basic Performance Data
Load memory and main memory
| | Total | Standard blocks | F blocks (fail-safe) |
| --- | --- | --- | --- |
| Load Memory | 56.5 KByte | 1.2 KByte | 55.3 KByte |
| Main Memory | 39.1 KByte | 0.5 KByte | 38.6 KByte |
Determining the memory parameters:
■ Open STEP 7 project of the functional example in the SIMATIC Manager
■ Determine load memory and main memory for all blocks in the block container
Runtimes
| | Time | Note |
| --- | --- | --- |
| Total cycle time (standard program and safety program) | minimum 1ms, maximum 12ms | Read from S7-CPU |
| Maximum runtime safety program | 13ms | Calculated with Cotia table |
Determining the total cycle time:
■ Load STEP 7 project into S7-CPU, set S7-CPU to run, and operate the functional example.
■ Read the measured cycle time in the "Module Information CPU / Scan Cycle Time" tab
Determine max. runtime of the safety program:
■ The value is calculated with the Cotia table for "S7 Distributed Safety" V5.4. This file is available on the internet: http://support.automation.siemens.com/ww/view/en/21627074
Sample Code
In this chapter you learn how to download the sample code, which functions are realized, how the STEP 7 program is structured and how the functions are operated.
The functional example consists of the documentation on hand and a respective STEP 7 project, the "sample code". Using the sample code and the setup described in chapter 4, you can reproduce the functions described here. For further problems you can use the sample code as a basis.
Download sample code
The sample code is available on the HTML-page of this functional example as a ZIP-file. In order to use the sample code, please proceed as follows:
Load sample code on PC/PG
■ Load ZIP-file into any directory on the PC/PG. Name of the ZIP-file: 22304119_as_fe_i_011_v10_code_pass.zip
■ Open the SIMATIC Manager
■ Dearchive the ZIP-file into a STEP 7 project
Load STEP7 project to F-CPU
■ Activate the "Blocks" folder in the SIMATIC Manager
■ Load the hardware configuration into F-CPU
■ Select "Edit safety program" in the "Options" menu
■ Press "Download" in the "Safety Program" window
■ Press "Yes" in the "Cycle program download" window
■ Enter password "siemens" in the "Set Permission for the Safety Program" window and press "OK"
■ Press "Close" in the "Safety Program" window
Note
In all cases, the password used for the safety-relevant part of the sample code is: siemens
Functions realized in the sample code
In the sample code, a "hazardous load" is simulated via an indicator light. The indicator light can be switched on via a button and be switched off via an emergency stop button.
For demonstrating the passivation and reintegration of F-I/O-modules, four scenarios have been realized in the sample code. The following table gives an initial overview. An overview of all states and mode transitions is available at page 334.
| Scenario | Description |
| --- | --- |
| Normal operation | In "normal operation" no F-module has been passivated. An output is switched at an F-DO via a push button. This output can be switched off via an emergency stop button connected at an F-DI. |
| Manual reintegration | During wire-break at the F-DO only the affected channel of the F-DO is passivated. After repairing the wire break and acknowledgement by the user via a button, the channel is reintegrated. |
| Automatic reintegration | During wire-break at the F-DI, the entire F-DI is passivated. After repairing the wire-break, the F-DI is automatically reintegrated. |
| F-communication errors | The connection between F-CPU and the decentralized station is interrupted. Thereafter, the entire F-I/O is passivated. After restoring the connection and acknowledgement by the user via a button, the entire F-I/O is reintegrated. |
In the following chapters, the above scenarios are described in greater detail. For clarification, in the "Overview hardware configuration" view the respectively affected buttons and indicator lights are marked by a thick frame.
Scenario: Normal operation
The ACTUATOR indicator light is switched on if the
START_ACTUATOR button is pressed and the ESTP_ACTUATOR
emergency stop button is not activated.
The TEST indicator light is always switched on. It is constantly controlled with "1" via the input of the F-DI.
Pressing the ESTP_ACTUATOR emergency stop button
switches the ACTUATOR indicator light off.
After unlocking the ESTP_ACTUATOR emergency stop button
and acknowledgement via the ACK_ESTP_ACTUATOR button,
the ACTUATOR indicator light can be switched on again via the
START_ACTUATOR button.
Overview for hardware setup
[Figure: hardware setup with PS 307, CPU 315F, IM 151 HF, PM-E (1), 4 DI, 4 DO, PM-E (2), 4/8 F-DI and 4 F-DO and the connected devices: START_ACTUATOR button (NO), ACK_ESTP_ACTUATOR button (NO), ACK_PASS_ACTUATOR button (NO), ESTP_ACTUATOR switch (NC/NC), TEST light (yellow), ACTUATOR light (yellow), REQ_ACK_PASS_ACTUATOR light (white), PASSIVATION_ON light (green), REQ_ACK_ESTP_ACTUATOR light (white)]
Meaning of background colors:
Green: Buttons and indicator lights for normal operation
Orange: Buttons and indicator lights for demonstration of passivation and reintegration
Scenario: Manual reintegration
Disconnecting the F-DO from the switched-on ACTUATOR indicator light (simulated wire-break) triggers a channel error and hence passivation. The PASSIVATION_ON indicator light is switched on.
The F-DO is configured with "Passivate channels", therefore not the entire F-DO is passivated, but only the affected channel. This is made clear by the fact that the TEST indicator light remains switched on.
After restoring the connection, the channel remains passivated, the ACTUATOR indicator light remains switched off.
An acknowledgement is requested from the user by switching on the REQ_ACK_PASS_ACTUATOR indicator light.
After the user has acknowledged via the ACK_PASS_ACTUATOR button, the passivation of the channel is cancelled. The channel however remains switched off.
The ACTUATOR indicator light is only switched on again after the user has additionally pressed the START_ACTUATOR button.
Overview for hardware setup
[Figure: hardware setup with the modules PS 307, CPU 315F, IM 151 HF, PM-E (1), 4 DI, 4 DO, PM-E (2), 4/8 F-DI, 4 F-DO and the same buttons and indicator lights as in the "Normal operation" scenario. The simulated wire-break is marked with "x".]
Meaning of background colors:
Green: Buttons and indicator lights for normal operation
Orange: Buttons and indicator lights for demonstration of passivation and reintegration
Scenario: Automatic reintegration
Disconnecting the F-DI from the ESTP_ACTUATOR emergency stop button triggers a channel error and hence passivation.
The PASSIVATION_ON indicator light is switched on, the ACTUATOR indicator light is switched off. The F-DI is configured with "Passivate the entire module", which is why the entire F-DI is passivated. This is made clear by the fact that the TEST 1) indicator light is switched off.
After restoring the connection, the module is automatically reintegrated, the TEST indicator light is switched on.
After the user acknowledges via the ACK_ESTP_ACTUATOR button, the ACTUATOR indicator light can be switched on via the START_ACTUATOR button.
Warning!
Automatic reintegration is only permitted if an automatic startup of the plant is not possible after the error has been removed.
Overview for hardware setup
[Figure: hardware setup with the modules PS 307, CPU 315F, IM 151 HF, PM-E (1), 4 DI, 4 DO, PM-E (2), 4/8 F-DI, 4 F-DO and the same buttons and indicator lights as in the "Normal operation" scenario. The simulated wire-break is marked with "x".]
Meaning of background colors:
Green: Buttons and indicator lights for normal operation
Orange: Buttons and indicator lights for demonstration of passivation and reintegration
1) The TEST indicator light is controlled with "1" via the input of the F-DI. Due to passivation of the entire module, the safety program now reads "0" at the input instead of "1".
Scenario: F-communication error
Disconnecting the F-CPU from the distributed station (unplugging the PROFIBUS DP cable) causes passivation of all F-I/O-modules in the distributed station.
After restoring the connection (plugging the PROFIBUS DP cable back in) the F-I/O-modules remain passivated. The switched-on PASSIVATION_ON indicator light indicates this.
If the user acknowledges via ACK_PASS_ACTUATOR, the F-I/O is reintegrated.
Overview for hardware setup
[Figure: hardware setup with the modules PS 307, CPU 315F, IM 151 HF, PM-E (1), 4 DI, 4 DO, PM-E (2), 4/8 F-DI, 4 F-DO (power supply by PM-E (1) and PM-E (2)) and the same buttons and indicator lights as in the "Normal operation" scenario. The cable to be disconnected is marked with "x" ("Disconnect cable").]
Meaning of background colors:
Green: Buttons and indicator lights for normal operation
Orange: Buttons and indicator lights for demonstration of passivation and reintegration
Overview of the scenarios:
The figure on page 334 indicates the states and mode transitions of the sample code for the following scenarios:
■ Startup
■ Normal operation
■ Manual reintegration
■ Automatic reintegration
The figure shows you:
■ When do which indicator lights come on?
■ What effect does pressing the buttons have?
The following figure explains the representation method used, using the example of the "Startup" scenario.
Symbolizes an event which causes one mode transition:
The mode switch at the S7-CPU is switched from STOP to RUN by
the user. There is a transition from state (1) to state (2).
Symbolizes the switch states of the five indicator lights and the
collective error display on the F-I/O:
All indicator lights are off except PASSIVATION_ON (PO).
All abbreviations are described in the following table.
Overview of buttons and indicator lights
Symbol | Abbreviation | HW component | Function
START_ACTUATOR | --- | Button | Switch on ACTUATOR indicator light
ACK_ESTP_ACTUATOR | --- | Button | Acknowledge ACTUATOR emergency stop actuator
ACK_PASS_ACTUATOR | --- | Button | Acknowledge ACTUATOR passivation
ESTP_ACTUATOR | --- | Emergency stop push button at F-DI | ACTUATOR emergency stop
REQ_ACK_ESTP_ACTUATOR | REA | Indicator light | Acknowledge ACTUATOR emergency stop requirement
REQ_ACK_PASS_ACTUATOR | RPA | Indicator light | Acknowledge ACTUATOR passivation requirement
PASSIVATION_ON | PO | Indicator light | Passivation exists
ACTUATOR | A | Indicator light at F-DO | Simulation of "hazardous load"
TEST | T | Indicator light at F-DO | Only switched off if F-DI passivated.
--- | SF | LED on F-module | Collective error display
Meaning of background colors
Section | Color | Meaning
Mode transitions / actions | light blue | Action by user
Mode transitions / actions | light yellow | Action by F-system
Overview of indicator light | white | Indicator light is switched on
Overview of indicator light | gray | Indicator light is switched off
Overview of states and mode transitions of the sample code
Explanations for the STEP 7 program
Interaction of STEP 7 blocks
The following figure displays the interaction between the STEP 7 blocks and the connection to the process I/O. The description of the process signals is available on page 321.
Program | Block | Name | Tasks
Standard program | OB1 | --- | Cyclic program: Call of FB1 (START)
Standard program | OB35 | --- | Periodic call of F-runtime group (FCALL)
Standard program | FB1 | START | Operational switching: Generating the start requirement (REQ_START)
Safety program | FCALL | FCALL | F run-time group (FCALL)
Safety program | F-PB | COORDINATION | F-program block: Calls FB2 and FB3
Safety program | FB2 | MODE | Call FB215 (F_ESTOP1): Controlling ACTUATOR and TEST
Safety program | FB3 | REINTEGRATION | Display passivation, automatic F-DI reintegration, manual F-DI and F-DO reintegration
Safety program | FB215 | F_ESTOP1 | F-block from Distributed Safety library: "Emergency stop up to stop category 1". Creating ENABLE for emergency stop circuit
Description: F-I/O-module data blocks
Function and design of the F-blocks:
■ See page 349
The following F-I/O-module data blocks are used in the sample code:
■ DB819: F-I/O-module data block of F-DI
■ DB820: F-I/O-module data block of F-DO
Description: OB1
Function of the standard block:
■ Cyclic call of FB1 (START)
Parameter of the standard block:
■ None
Description: OB35
Function of the standard block:
■ Periodic call of F-runtime group (FCALL): The safety program is called every 50 msec.
Parameter of the standard block:
■ None
Description: FB1, DB2 (START)
Function of the standard block:
■ Operational switching: Generating the standard requirement REQ_START for the ACTUATOR indicator light.
Parameter of the standard block:
■ None
FB1 / Network 1
[Figure: FB1 / Network 1; operand label in figure: DB820.DBX 2.1]
Overview of the signals of the network:
Signal | Source / Target | Meaning
START_ACTUATOR | From process (button) | Start button for ACTUATOR
INSTANCE_DB_FB2.ENABLE | From F-block FB215 | Enable from emergency-stop circuit
F00007_4_F_DO_DC24V_2A.QBAD | From F-I/O-module data block of F-DO | Display, whether F-DO has been passivated
REQ_START | To F-block FB2 | Start request for ACTUATOR
Description of the network function:
The standard requirement REQ_START for the ACTUATOR indicator light is generated if the following conditions are true at the same time (AND):
■ The START_ACTUATOR start button was pressed
■ The ENABLE from the emergency-stop circuit (FB215) exists
■ The F-DO is not passivated
The start requirement REQ_START is evaluated in the F-block FB2. FB215 is a block from the Distributed Safety library.
Description: FCALL
Function of the F-block:
■ F run-time group: Call of safety program
Parameter of the F-block:
■ None
Description: F-PB (COORDINATION)
Function of the F-block:
■ Call of F-block FB2
■ Call of F-block FB3
Parameter of the F-block:
■ None
Description: FB2, DB3 (MODE)
Function of the F-block:
■ Realizing the emergency stop functionality for the ACTUATOR indicator light
■ Controlling both indicator lights, ACTUATOR and TEST
Parameter of the F-block:
■ None
FB2 / Network 1
[Figure: FB2 / Network 1; operand label in figure: DB818.DBX 36.4]
Overview of the signals of the networks:
Signal | Source / Target | Meaning
ACK_ESTP_ACTUATOR | From process (button) | Acknowledgement for emergency-stop circuit
ESTP_ACTUATOR | From process (button) | Emergency-stop button
F_GLOBDB.VKE1 | From F-Global-DB | Result of logic operation "1"
ENABLE | To FB1 (standard block) | Enable for emergency-stop circuit
REQ_ACK_ESTP_ACTUATOR | To process (indicator light) | Acknowledgement for emergency-stop circuit requirement
The F-Global-data block (F_GLOBDB) is a fail-safe data block, which contains all global data of the safety program as well as additional information for the F-system.
Among other things, VKE0 and VKE1 are provided there.
Description of the network function:
Here the emergency stop functionality for the ACTUATOR indicator light is realized. The FB215 is called for this. FB215 is an F-block from the Distributed Safety library.
FB2 / Network 2
FB2 / Network 3
Overview of the signals of the network
Signal | Source / Target | Meaning
TEST_IN | From process ("1") | Signal from F-DI; "1" is constantly set at F-DI.
TEST | To process (indicator light) | Only for demonstration, no other function.
Description of the network function:
TEST is used to demonstrate passivation of the entire module. When there is no passivation, TEST is always switched on, as TEST_IN at the F-DI is constantly supplied with "1".
The TEST indicator light is only switched off if F-DI is passivated.
Overview of the signals of the network
Signal | Source / Target | Meaning
ENABLE | From network 1 | Enable from emergency-stop circuit
REQ_START | From FB1 (standard block) | Start requirement for ACTUATOR
ACTUATOR | To process (indicator light) | Representative for a "hazardous load".
Description of the network function:
The ACTUATOR load is switched on if the ENABLE from the emergency-stop circuit is pending and the start requirement REQ_START is given.
Description: FB3, DB4 (REINTEGRATION)
Function of the F-block:
■ Display of passivation at the PASSIVATION_ON indicator light
■ Automatic reintegration of the F-DI
■ Manual reintegration of F-DI/F-DO
Parameter of the F-block:
■ None
FB3 / Network 1
[Figure: FB3 / Network 1; operand labels in figure: F-DO: DB820.DBX 8.0, DB820.DBX 8.1; F-DI: DB819.DBX 2.1]
Overview of the signals of the network:
Signal | Source / Target | Meaning
F00007_4_F_DO_DC24V_2A.QBAD_O_00 | From F-I/O-module data block of F-DO | If "1": channel 0 of F-DO is passivated
F00007_4_F_DO_DC24V_2A.QBAD_O_01 | From F-I/O-module data block of F-DO | If "1": channel 1 of F-DO is passivated
F00001_4_8_F_DI_DC24V.QBAD | From F-I/O-module data block of F-DI | If "1": At least one channel of the F-DI is passivated.
PASSIVATION_ON | To process (indicator light) | If "1": At least one channel of F-DI and/or F-DO is passivated.
Description of the network function:
The PASSIVATION_ON indicator light indicates that at least one channel of F-DO and/or F-DI is passivated. Basically, there are two different methods to test whether at least one channel of a module is passivated:
Method | Advantage
1: Polling all channels of the F-module (for F-DI: via the "QBAD_I_xx" variables; for F-DO: via the "QBAD_O_xx" variables) | The passivated channels can be identified individually.
2: Polling the entire F-module (via the "QBAD" variable) | Only one poll is required.
In the sample code both methods are used for demonstration purposes. "Method 2" can also be used here to detect whether the F-DO is passivated.
FB3 / Network 2
[Figure: FB3 / Network 2; operand labels in figure: DB819.DBX 0.1, DB818.DBX 36.3]
Overview of the signals of the network:
Signal | Source / Target | Meaning
F_GLOBDB.VKE0 | From F-Global-DB | Result of logic operation "0"
F00001_4_8_F_DI_DC24V.ACK_NEC | To F-I/O-module data block of F-DI | F-DI is automatically reintegrated
The F-Global data block (F_GLOBDB) is a fail-safe data block which contains all global data of the safety program as well as additional information for the F-system.
Among other things, VKE0 and VKE1 are provided there.
Description of the network function:
Channel or module errors at the F-DI cause passivation of the entire F-DI module. After removing the error, the F-DI is automatically reintegrated.
Warning
Automatic reintegration is only permitted if an automatic startup of the plant is not possible after the error has been removed.
FB3 / Network 3
[Figure: FB3 / Network 3; operand label in figure: DB820.DBX 2.2]
Overview of the signals of the network:
Signal | Source / Target | Meaning
F00007_4_F_DO_DC24V_2A.ACK_REQ | From F-I/O-module data block of F-DO | If "1": The error that caused the passivation has been removed. Acknowledgement for reintegration by the user is now possible.
REQ_ACK_PASS_ACTUATOR | To process (indicator light) | Indicates to the user that reintegration requires acknowledgement.
Description of the network function:
A channel error at the F-DO in the sample code causes passivation of the F-DO channels. After removing the error, the F-DO is manually reintegrated.
The REQ_ACK_PASS_ACTUATOR indicator light shows the user that reintegration requires acknowledgement.
FB3 / Network 4
[Figure: FB3 / Network 4; operand labels in figure: DB820.DBX 0.2, DB819.DBX 0.2]
Overview of the signals of the network:
Signal | Source / Target | Meaning
ACK_PASS_ACTUATOR | From process (button) | Acknowledgement by the user for manual reintegration
F00007_4_F_DO_DC24V_2A.ACK_REI | To F-I/O-module data block of F-DO | If "0->1": F-DO is reintegrated.
F00001_4_8_F_DI_DC24V.ACK_REI | To F-I/O-module data block of F-DI | If "0->1": F-DI is reintegrated.
Description of the network function:
F-DO and F-DI are reintegrated after acknowledgement by the user:
■ Manual reintegration of the F-DO is necessary in the sample code after channel or F-communication error.
■ Manual reintegration of the F-DI is necessary in the sample code only after F-communication error.
Description: FB 215, DB1 (F_ESTOP1)
The block is a TÜV certified application block from the Distributed Safety library.
Function and parameter of the F-blocks:
■ See STEP 7 online-help
Operating instruction on the sample code
This chapter describes the operation of the functional example.
The operation is divided into different scenarios:
Scenario | Page
Normal operation | 343
Manual reintegration after wire-break at F-DO | 344
Automatic reintegration after wire-break at F-DI | 345
Reintegration after F-communication error | 346
The following prerequisites must be fulfilled in order to operate the functional example:
■ The hardware configuration, the standard program, and the safety program are located on the F-CPU
■ Emergency stop unlocked
As a description, tables with uniform structure are used below. The columns of the table have the following meaning:
Column name | Column content
"Step" | Number of the operational step
"Action" | Action of user
"State" | The number marks the state reached after executing the action. An overview of all states is available on page 334.
"Comment" | Comments on the step.
"Indicator light" | Here the switch status of the five indicator lights and the SF LED is depicted which is set after executing the action. Switched-on indicator lights are marked with "1". (*1)
"SF-LED" | The column indicates the status of the collective error display on the F-I/O-module (red LED). (*1)
(*1): To recognize more clearly which bits change during a mode transition, they are shaded in gray: If a bit is shaded gray, it has changed compared with its previous state.
Operation: Normal operation
Operation in the following table shows the procedure:
■ Start and emergency stop of the load
A more detailed description of the scenario, with overview image on the hardware setup, is available on page 328.
Indicator light / SF-LED:
A: REQ_ACK_ESTP_ACTUATOR
B: PASSIVATION_ON
C: REQ_ACK_PASS_ACTUATOR
D: ACTUATOR
E: TEST
F: SF-LED of the F-modules
Step | Action | State (*1) | Comment | A | B | C | D | E | F
1 | Mode switch at the F-CPU from STOP to RUN. | 3 | Always after starting the F-CPU | 1 | 0 | 0 | 0 | 1 | 0
2 | Press ACK_ESTP_ACTUATOR | 10 | | 0 | 0 | 0 | 0 | 1 | 0
3 | Press START_ACTUATOR | 11 | Switch on load | 0 | 0 | 0 | 1 | 1 | 0
4 | Press ESTP_ACTUATOR | 12 | Press emergency stop | 0 | 0 | 0 | 0 | 1 | 0
5 | Unlock ESTP_ACTUATOR | 13 | Unlock emergency stop | 1 | 0 | 0 | 0 | 1 | 0
6 | Press ACK_ESTP_ACTUATOR | 10 | Acknowledge emergency stop | 0 | 0 | 0 | 0 | 1 | 0
7 | Press START_ACTUATOR | 11 | Switch load back on | 0 | 0 | 0 | 1 | 1 | 0
Explanations on the table:
(*1): On page 334 you find an overview of states and mode transitions of the sample code. The area in the figure marked as "Normal operation" is relevant here.
Operation: Manual reintegration
Operation in the following table shows the procedure:
■ Simulation of a wire-break at the load
■ Passivating an F-DO channel
■ Manual reintegration after removing the wire-break
Please observe the following:
■ A wire-break at F-DO is only recognized when the channel is switched on.
■ Reintegration of an F-DO may take several minutes.
A more detailed description of the scenario, with overview image on the hardware setup, is available on page 329.
Indicator light / SF-LED:
A: REQ_ACK_ESTP_ACTUATOR
B: PASSIVATION_ON
C: REQ_ACK_PASS_ACTUATOR
D: ACTUATOR
E: TEST
F: SF-LED of the F-DO module
Step | Action | State (*1) | Comment | A | B | C | D | E | F
--- | --- | 11 | This is the initial state for the following operations. | 0 | 0 | 0 | 1 | 1 | 0
1 | Disconnect F-DO ACTUATOR indicator light | 30 | Due to passivation of the channels the TEST indicator light remains switched on. | 0 | 1 | 0 | 0 | 1 | 1
2 | Restoring the connection | 30 | The state remains until the F-system recognizes that the wire-break has been removed. | 0 | 1 | 0 | 0 | 1 | 1
 | | 31 | The F-system requests acknowledgement for reintegration. | 0 | 1 | 1 | 0 | 1 | 0
3 | Press ACK_PASS_ACTUATOR | 10 | After acknowledgement by the user, the F-DO channel is reintegrated. | 0 | 0 | 0 | 0 | 1 | 0
Explanations on the table:
(*1): On page 334 you find an overview of states and mode transitions of the sample code. The area in the figure marked as "Manual reintegration of F-DO" is relevant here.
Operation: Automatic reintegration
Operation in the following table shows the procedure:
■ Simulating a wire-break at the emergency stop button.
■ Passivation of the entire F-DI
■ Automatic reintegration after removing the wire-break
A more detailed description of the scenario, with overview image on the hardware setup, is available on page 330.
Indicator light / SF-LED:
A: REQ_ACK_ESTP_ACTUATOR
B: PASSIVATION_ON
C: REQ_ACK_PASS_ACTUATOR
D: ACTUATOR
E: TEST
F: SF-LED of the F-DI module
Step | Action | State (*1) | Comment | A | B | C | D | E | F
--- | --- | 11 | This is the initial state for the following operations. | 0 | 0 | 0 | 1 | 1 | 0
1 | Disconnecting F-DI and ESTP_ACTUATOR emergency stop | 20 | Due to passivation of entire module, the TEST and ACTUATOR indicator lights are switched off. | 0 | 1 | 0 | 0 | 0 | 1
2 | Restoring the connection | 20 | The state remains until the F-system recognizes that the wire-break has been removed. | 0 | 1 | 0 | 0 | 0 | 1
 | | 13 | The F-DI module is reintegrated. | 1 | 0 | 0 | 0 | 1 | 0
Explanations on the table:
(*1): On page 334 you find an overview of states and mode transitions of the sample code. The area in the figure marked as "Automatic reintegration of F-DI" is relevant here.
Operation: F-communication error
Operation in the following table shows the procedure:
■ Pulling the PROFIBUS DP cable from the F-CPU
■ Restoring the connection
■ Reintegration
A more detailed description of the scenario, with overview image on the hardware setup, is available on page 331.
Indicator light / SF-LED:
A: REQ_ACK_ESTP_ACTUATOR
B: PASSIVATION_ON
C: REQ_ACK_PASS_ACTUATOR
D: ACTUATOR
E: TEST
F: SF-LED of F-DI and F-DO module
Step | Action | State (*1) | Comment | A | B | C | D | E | F
--- | --- | 11 | This is the initial state for the following operations. | 0 | 0 | 0 | 1 | 1 | 0
1 | Removing the PROFIBUS DP cable | - | | 0 | 0 | 0 | 0 | 0 | 0 (*2)
2 | Restoring the connection | - | | 0 | 1 | 0 | 0 | 0 | 0 (*3)
 | Press ACK_PASS_ACTUATOR | 10 | After acknowledgement by the user, the F-I/O-module is reintegrated. | 1 | 0 | 0 | 0 | 1 | 0
Explanations on the table:
(*1): On page 334 you find an overview of states and mode transitions of the sample code.
(*2): The BF-LED at "IM 151 HF" lights up. The BF-LED at "IM 151 HF" is blinking.
(*3): The BF-LEDs are off.
Background Knowledge on the Functional Example
This chapter provides background knowledge on "Passivation and Reintegration" in the "S7 Distributed Safety" system.
All of the information given is taken from the "S7 Distributed Safety" manuals and the STEP 7 online help.
Note
If already familiar with passivation and reintegration, you won't need to read this chapter.
This chapter is not necessary for setup and operation of this functional example.
Use the current "S7 Distributed Safety" manuals for your current project.
The following topics are described:
Topic | Page | Content
F-I/O-module | 348 | What are fail-safe I/O-modules? How does the user access inputs and outputs?
F-I/O-module data block | 349 | What is an F-I/O-module data block? What is an F-I/O-module data block used for? What is the structure of an F-I/O-module data block?
Passivation (of entire module or channel) | 353 | What happens during passivation? What type of passivation exists? How is the "passivation of channels" realized?
Reintegration (of entire module or channel) | 355 | What happens during reintegration? What type of reintegration exists?
Process: channel / module error (automatic reintegration) | 358 | Description of variants of passivation and reintegration: What is the principal procedure? Which variables are involved in the F-I/O-module data block?
Process: channel / module error (manual reintegration) | 359 |
Process: F-communication error | 360 |
Process: safety program | 361 |
Process: group passivation | 362 |
F-I/O-module
What are fail-safe I/O-modules?
Fail-safe I/O-modules differ from standard modules mainly by their internal two channel structure. Two integrated processors mutually monitor and test the input and output circuits automatically. The connected sensors and actuators are also monitored (wire-break, discrepancy, etc.). In case of an error, the processors turn the F-I/O-module fail-safe.
The F-CPU communicates with a distributed F-I/O-module via the fail-safe PROFIsafe profile. The PROFIsafe profile is integrated in the PROFIBUS and PROFINET telegrams.
How does the user access inputs and outputs?
The inputs and outputs of an F-I/O-module are accessed via the process image of the F-CPU:
Access to F-I/O-module | Process image: Inputs | Process image: Outputs
In standard program | read | read
In the safety program | read | write
The following figure illustrates the relationships.
F-I/O-module data block
What is an F-I/O-module data block?
For every F-I/O-module one data block is automatically generated during compilation in the STEP 7 hardware configuration.
The F-I/O-module data block is the interface between the user program and the F-system. Control and status information of the F-I/O-module are exchanged via the interface.
The F-I/O-module data block contains variables which can be accessed by the safety program as well as the standard program. The F-I/O-module data block does not contain any process values. The process values are located in the process image of the F-CPU.
Access to the F-I/O-module data block:
In standard program | read
In the safety program | read and write
The following figure illustrates the relationships.
What is the F-I/O-module data block used for?
The following functions can be realized with the variables of the F-I/O-module data block:
■ Checking whether current F-I/O-modules or individual F-I/O-module channels are passivated.
■ Manual or automatic reintegration of F-I/O-modules after error recovery.
■ Passivation and reintegration of F-I/O-modules via the safety program.
■ Reconfiguration of fail-safe DP-standard slaves.
What is the structure of an F-I/O-module data block?
The two following tables explain the variables of the F-I/O-module data block. Both tables differ in the type of user access to the variables:
■ Read and write access by the user: page 351
■ Read access by the user: page 352
The variables of the F-I/O-module data block can, for example, be monitored with the variable table in STEP 7. The following table gives examples:
Operand | Symbol | Comment
DB819.DBX 0.0 | "F00001_4_8_F_DI_DC24V".PASS_ON | Variable "PASS_ON" of the F-DI
DB820.DBX 2.1 | "F00007_4_F_DO_DC24V_2A".QBAD | Variable "QBAD" of the F-DO
The user has read and write access to the following variables in the F-I/O-module data block.
Variable (Type) | Declaration | Address | Default value
PASS_ON (BOOL) | IN | 0.0 | 0
  What reactions can be triggered by the user?
  Passivation and reintegration of F-I/O-module via the safety program.
  Reaction of the F-system:
  "PASS_ON = 1": The F-I/O-module is passivated.
  "PASS_ON = 0": The F-I/O-module is reintegrated. The passivation was previously triggered with "PASS_ON = 1".
  Comment: PASS_OUT does not change its value when writing PASS_ON. ACK_NEC and ACK_REI are not relevant here.
ACK_NEC (BOOL) | IN | 0.1 | 1
  What reactions can be triggered by the user?
  Selecting the type of reintegration:
  • Manual: with user acknowledgement
  • Automatic: without user acknowledgement
  Reaction of the F-system:
  "ACK_NEC = 1": Reintegration occurs manually. Reintegration requires user acknowledgement: positive edge at ACK_REI.
  "ACK_NEC = 0": Reintegration occurs automatically without acknowledgement by the user. For "F-communication error" automatic reintegration is not possible!
  Comment: Reintegration is only possible when the error causing the passivation has been removed. ACK_NEC is only relevant for "channel" and "module" errors.
ACK_REI (BOOL) | IN | 0.2 | 0
  What reactions can be triggered by the user?
  Acknowledgement by the user at manual reintegration.
  Reaction of the F-system:
  "ACK_REI = 0->1" (positive edge): Reintegration occurs after positive edge.
  Comment: Acknowledgement by the user is only possible when the error causing the passivation has been removed. For "F-communication errors" acknowledgement by the user must always occur independent of ACK_NEC.
IPAR_EN (BOOL) | IN | 0.3 | 0
  What reactions can be triggered by the user?
  ---
  Reaction of the F-system:
  Reconfiguration of fail-safe DP-standard slaves.
The user has only read access to the following variables in the F-I/O-module data block.
Variable (Type) | Declaration | Address | Default value
PASS_OUT (BOOL) | OUT | 2.0 | 1
  Which information does the user receive when reading the variables?
  "PASS_OUT = 1": The F-I/O-module is passivated. Cause of the passivation: "F-communication error", "module error", "channel error" (see page 354).
  "PASS_OUT = 0 AND QBAD = 1": The F-I/O-module is passivated. Cause of the passivation: "PASS_ON = 1" was set in the safety program.
  Comment: Depending on the settings in the hardware configuration of STEP 7 the entire module or only faulty channels are passivated.
QBAD (BOOL) | OUT | 2.1 | 1
  "QBAD = 1": Currently the substitute value ("0") is used for at least one channel instead of the process value. Which channels are passivated is indicated via the QBAD_I_xx or QBAD_O_xx variables (see below).
ACK_REQ (BOOL) | OUT | 2.2 | 0
  "ACK_REQ = 1": The error that caused the passivation has been removed. Acknowledgement for manual reintegration (ACK_REI) by the user is now possible. Cause of the passivation: "F-communication error", "module error", "channel error" (see page 354).
  Comment: If the error causing the passivation has been removed, and this has been recognized by the F-system, the F-system sets "ACK_REQ = 1". After acknowledgement by the user, the F-operating system sets "ACK_REQ = 0".
IPAR_OK (BOOL) | OUT | 2.3 | 0
  Reconfiguration of fail-safe DP-standard slaves.
DIAG (BYTE) | OUT | 3.0 | 0
  Service information
QBAD_I_xx (BOOL) | OUT | 4.0 to 7.7 | 1
  "QBAD_I_xx = 1": The input channel with number xx is passivated. The substitute value ("0") is used at input "xx".
  Comment: With the variables it can be detected which channels are passivated. The channel number xx has the value range: 00 to 31
QBAD_O_xx (BOOL) | OUT | 8.0 to 11.7 | 1
  "QBAD_O_xx = 1": The output channel with number xx is passivated. The substitute value ("0") is used at output "xx".
  Example: "QBAD_O_00 = 1" means: Substitute value ("0") is currently output at output channel 0.
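Added example (not part of the Siemens functional example or its STEP 7 program): a simplified, module-level Python model of how ACK_NEC, ACK_REI, ACK_REQ, PASS_ON, PASS_OUT and QBAD interact according to the two tables above. The class, the fault categories, the internal fields "cause" and "last_ack_rei", the assumption that the model starts in the reintegrated state, and the event sequences are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Fault(Enum):
    NONE = "none"
    CHANNEL_OR_MODULE = "channel or module error"  # e.g. wire-break
    F_COMMUNICATION = "F-communication error"      # e.g. bus cable unplugged


@dataclass
class FIoDataBlock:
    """Module-level model of one F-I/O-module data block (simplified)."""
    # Written by the safety program (variable names as on the page).
    PASS_ON: bool = False
    ACK_NEC: bool = True       # 1 = manual, 0 = automatic reintegration
    ACK_REI: bool = False      # acknowledgement, evaluated on a 0->1 edge
    # Written by the F-system. Assumption: the model starts reintegrated.
    PASS_OUT: bool = False
    QBAD: bool = False
    ACK_REQ: bool = False
    # Hypothetical internal state of this model, not data block variables.
    cause: Fault = Fault.NONE
    last_ack_rei: bool = False

    def cycle(self, present: Fault) -> None:
        """Run one cycle; `present` is the fault that exists right now."""
        rising = self.ACK_REI and not self.last_ack_rei
        self.last_ack_rei = self.ACK_REI
        if present is not Fault.NONE:
            # Fault present: passivate and remember the cause. A pending
            # F-communication error is never downgraded to a channel error.
            if self.cause is not Fault.F_COMMUNICATION:
                self.cause = present
            self.PASS_OUT, self.ACK_REQ = True, False
        elif self.cause is not Fault.NONE:
            # Fault removed: F-communication errors always need the user,
            # channel/module errors only if ACK_NEC = 1.
            needs_ack = self.ACK_NEC or self.cause is Fault.F_COMMUNICATION
            self.ACK_REQ = needs_ack
            if rising or not needs_ack:
                self.cause = Fault.NONE
                self.PASS_OUT, self.ACK_REQ = False, False
        # PASS_ON = 1 passivates without changing PASS_OUT.
        self.QBAD = self.PASS_OUT or self.PASS_ON


def run(db, steps):
    """Apply (fault, ack_button) per cycle; return (QBAD, ACK_REQ) per cycle."""
    trace = []
    for fault, ack_button in steps:
        db.ACK_REI = ack_button
        db.cycle(fault)
        trace.append((db.QBAD, db.ACK_REQ))
    return trace


OK, WIRE, COMM = Fault.NONE, Fault.CHANNEL_OR_MODULE, Fault.F_COMMUNICATION


def scenarios():
    """Constructed event sequences modelled on the page's scenarios."""
    return {
        # F-DO in the sample: ACK_NEC stays "1", the user must acknowledge.
        "manual": run(FIoDataBlock(ACK_NEC=True),
                      [(WIRE, False), (OK, False), (OK, True)]),
        # F-DI in the sample: ACK_NEC is written with "0" (VKE0).
        "automatic": run(FIoDataBlock(ACK_NEC=False),
                         [(WIRE, False), (OK, False)]),
        # F-communication error: acknowledgement needed despite ACK_NEC = 0.
        "f_comm": run(FIoDataBlock(ACK_NEC=False),
                      [(COMM, False), (OK, False), (OK, True)]),
        # Button held since before the fault was removed: no 0->1 edge, so
        # the module stays passivated until the button is released and pressed.
        "held_button": run(FIoDataBlock(ACK_NEC=True),
                           [(WIRE, True), (OK, True), (OK, False), (OK, True)]),
    }


if __name__ == "__main__":
    for name, trace in scenarios().items():
        print(name, trace)
```

The "held_button" sequence shows why the acknowledgement is edge-triggered: an acknowledgement button that is stuck or held down cannot reintegrate the module on its own.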
Passivation (of entire module or channel)
What happens during passivation?
The entire F-I/O-module or individual channels of an F-I/O-module can be passivated by the F-system or the safety program. The extent of passivation varies depending on the trigger of the passivation:
Cause of the passivation | Extent of the passivation
Safety program | The passivation affects the entire F-module, i.e. all channels of the F-I/O-module are passivated.
F-system | Passivation affects either the entire F-module, or only the faulty channels. The desired behavior can be adjusted via settings in the STEP 7 hardware configuration.
Passivation has the following effect:
Passivation | Effect of passivation
F-input module (F-DI) | The safety program is not provided with the process values pending at the input. The safety program is provided with the substitute values ("0") in the process image of the inputs.
F-output module (F-DO) | The output values provided by the safety program in the process image of the outputs are not transmitted to the outputs. At the outputs the substitute values ("0") are output.
Note
During passivation of F-input modules (F-DI) the process image of the respective inputs is only reset when processing the safety program.
What type of passivation exists?
The following table gives an overview of the passivation:
Columns: Cause of the passivation / Effect of the passivation / Reaction in the F-I/O-module data block
■ Safety program
  Cause: Setting "PASS_ON = 1" in the F-I/O-module data block
  Effect: Passivation of the F-module
  Reaction: QBAD = 1; all channels: QBAD_I_xx = 1, QBAD_O_xx = 1
■ F-operating system
  Cause: Startup of the F-CPU. Establishing communication between the F-CPU and the F-I/O via the safety protocol according to PROFIsafe.
  Effect: Passivation of the entire F-I/O
■ F-communication error
  Cause: Error at fail-safe communication between F-CPU and F-I/O.
  Effect: Passivation of the F-module
  Reaction: QBAD = 1, PASS_OUT = 1; all channels: QBAD_I_xx = 1, QBAD_O_xx = 1
■ F-I/O error (*1)
  Cause: Module error
  • Configuration error
  • Overtemperature
  Effect: Passivation of the F-module
  Cause: Channel error
  • Wire break
  • Short circuit
  • Discrepancy
  • Overload
  Effect: Configuration (*2):
  • "Passivation of entire module"
  • "Passivation channel"
    Reaction: QBAD = 1, PASS_OUT = 1; only affected channel: QBAD_I_xx = 1, QBAD_O_xx = 1
Explanations on the table:
(*1): "F-I/O faults" causes the following reaction:
■ The error is reported at the F-CPU (as standard reaction):
- The error is reported to the F-CPU via the slave diagnostics.
- OB82 for I/O errors is called in the F-CPU. If OB82 does not exist, the F-CPU goes to STOP.
■ Either the entire F-module or only the affected channels are passivated (F-specific reaction).
(*2): In the hardware configuration of STEP 7 the project settings can be selected: "Passivate the entire module" or "Passivate the channels".
How is the "passivation of channels" realized?
Precondition
Passivation of channels requires:
■ S7 Distributed Safety V5.4, and S7 F Configuration Pack V5.4 + SP1
■ F-modules which support the passivation of channels
Currently, the following F-modules support passivation of channels:
ET 200 | F module | Description
ET 200 S | 6ES7138-4FA02-0AB0 | 4/8 F-DI DC 24 V PROFIsafe
ET 200 S | 6ES7138-4FB02-0AB0 | 4 F-DO DC 24 V/2 A PROFIsafe
ET 200 S | 6ES7138-4CF02-0AB0 | PM-E F pm DC 24 V PROFIsafe
ET 200 S | 6ES7138-4CF41-0AB0 | PM-E F pp DC 24 V PROFIsafe
ET 200 M | 6ES7326-2BF01-0AB0 | SM 326F; DO 10xDC 24 V/2 A
ET 200 M | 6ES7326-2BF40-0AB0 | SM 326F; DO 8x DC 24 V/2 A P/M
ET 200 M | 6ES7326-1RF00-0AB0 | SM 326F; DI 8xNAMUR
ET 200 M | 6ES7336-1HE00-0AB0 | SM 336F; AI 6x13Bit
ET 200 PRO | 6ES7148-4FA00-0XB0 | 8/16 F-DI DC 24 V PROFIsafe
ET 200 PRO | 6ES7148-4FC00-0XB0 | 4/8 F-DI 4 F-DO DC 24 V/2 A PROFIsafe
ET 200 ECO | 6ES7148-3FA00-0XB0 | 4/8 F-DI DC 24 V PROFIsafe
Configuration
In the hardware configuration of STEP 7 the following project settings options exist:
■ "Passivate the entire module"
■ "Passivate channel".
The configuration is made in the following tab of the F-I/O-module:
■ "Module parameter" -> "Behavior after channel error"
At page 323 you find two respective examples:
■ F-DI with "Passivate the entire module"
■ F-DI with "Passivate the channel"
The respective configurations are shaded.
Reintegration (of entire module or channel)
What happens during reintegration?
Reintegration has the following effect:
Reintegration | Effect of reintegration
F-input module (F-DI) | The safety program is provided with the process values pending at the input via the process image of the inputs.
F-output module (F-DO) | The output values provided by the safety program in the process image of the outputs are transmitted to the outputs.
Which types of reintegration exist?
The reintegration of an F-module can occur in two different ways (see page 356):
■ manually: During manual reintegration, the user must acknowledge in the safety program for the reintegration of the F-system to be performed. ACK_REI (see page 351) must be provided with a positive edge for this.
■ automatically: During automatic reintegration, the F-system integrates the F-module if the error causing the passivation has been removed. The user need not acknowledge in the safety program.
Whether reintegration occurs manually or automatically is controlled via ACK_NEC (see page 351):
■ ACK_NEC = 1: Manual (Default value)
■ ACK_NEC = 0: Automatic (must be set in the safety program by the user)
Warning
Automatic reintegration is only permitted if an automatic startup of the plant is not possible after the error has been removed.
The following table gives an overview of the reintegration.
Columns: Cause of the passivation / Reintegration (manual or automatic) / Prerequisite for reintegration
■ Safety program
  Cause: Setting "PASS_ON = 1" in the F-I/O-module data block
  Reintegration: automatic
  Prerequisite: "PASS_ON = 0"
■ F-operating system
  Cause: Startup of the F-CPU. Establishing communication between the F-CPU and the F-I/O via the safety protocol according to PROFIsafe.
  Reintegration: automatic
  Prerequisite: Communication established
■ F-communication error
  Cause: Error at fail-safe communication between F-CPU and F-I/O.
  Reintegration: manual
■ F-I/O error
  Cause: Module error
  • Configuration error
  • Overtemperature
  Cause: Channel error
  • Wire break
  • Short circuit
  • Discrepancy
  • Overload
  Reintegration: Depending on ACK_NEC:
  • If "0": automatic
  • If "1": manual (Default value)
  Prerequisite: F-system has recognized that the error causing the passivation has been removed. (*1)
Explanations on the table:
(*1): After removing the error, the SF-LED of the affected F-module and the S7-message system do not indicate an error anymore. The passivation of the F-module remains until reintegration (see page 358 and 359).
Processes during passivation and reintegration
The following chapter describes the processes during passivation and reintegration. Considered are the following variants:
■ Channel error and module error: automatic reintegration
■ Channel error and module error: manual reintegration
■ F-communication error: reintegration
■ Safety program
■ Group passivation
As a description, tables and figures with uniform structure are used below. The columns of the table have the following meaning:
Column name | Column content
"State" | The numbers correspond to the number of the state.
"Description of status and events" | In the column the states and events are described. Events cause mode transitions. For better discrimination the events are given in italics.
"F-I/O-module data block" (*1) | The column lists the relevant variable of the F-I/O-module data block. The symbols in the columns have the following meaning:
  • "0", "1": Status of the bit
  • "0->1": Positive edge
  • "x": Status of the bit irrelevant
"SF-LED" (*1) | The column indicates the status of the collective error display on the F-I/O-module (red LED).
(*1): To recognize more clearly which bits change during a mode transition, they are shaded in gray: If a bit is shaded gray, it has changed compared with its previous state.
The following background colors are used in the figures:
■ Green background: the F-module is not passivated
■ Red background: the F-module is passivated
Process: Channel / module error (automatic reintegration)
Process sequences
If an error is pending at the F-module (channel or module error), the F-module is passivated by the F-system. If the error has been removed and "ACK_NEC = 0", the F-module is automatically reintegrated by the F-system.
Precondition
The user has set "ACK_NEC = 0" in the safety program.
The following figure and table illustrate the process sequence.
[Figure: F-module not passivated (1, 2) -> Error occurs -> F-module passivated (3, 4) -> Error removed -> F-module reintegrated (5). Numbers in brackets indicate the state.]
F-I/O-module data block / SF-LED: A: ACK_NEC, B: PASS_OUT, C: QBAD, D: SF-LED
State | Description of status and events | A | B | C | D
1 | F-module is not passivated. | 0 | 0 | 0 | 0
Event: error occurs at the F-module.
2 | F-module has recognized the error. | 0 | 0 | 0 | 1
Event: F-system recognizes the error at the F-module.
3 | F-system has passivated F-module. | 0 | 1 | 1 | 1
Event: Removing the error at the F-module.
4 | F-module has recognized that the error has been removed. | 0 | 1 | 1 | 0
Event: F-system recognizes that the error at the F-module has been removed.
5 | F-system has reintegrated the F-module. | 0 | 0 | 0 | 0
Process: Channel / module error (manual reintegration)
Precondition
In the safety program the user acknowledges the reintegration by providing ACK_REI with a positive edge.
Process sequences
If an error is pending at the F-module (channel or module error), the F-module is passivated by the F-system. If the error has been removed and "ACK_NEC = 1" (default value), the F-module is only reintegrated after acknowledgement by the user.
The following figure and table illustrate the process sequence.
[Figure: F-module not passivated (1, 2) -> Error occurs -> F-module passivated (3) -> Error removed -> F-module remains passivated (4, 5) -> User acknowledged -> F-module reintegrated (6). Number in brackets indicates the state.]
F-I/O-module data block / SF-LED: A: ACK_NEC, B: ACK_REI, C: PASS_OUT, D: QBAD, E: ACK_REQ, F: SF-LED
State | Description of status and events | A | B | C | D | E | F
1 | F-module is not passivated. | 1 | 0 | 0 | 0 | 0 | 0
Event: error occurs at the F-module.
2 | F-module has recognized the error. | 1 | 0 | 0 | 0 | 0 | 1
Event: F-system recognizes the error at the F-module.
3 | F-system has passivated the F-module. | 1 | 0 | 1 | 1 | 0 | 1
Event: Removing the error at the F-module.
4 | F-module has recognized that the error has been removed. | 1 | 0 | 1 | 1 | 0 | 0
Event: F-system recognizes that the error at the F-module has been removed.
5 | F-module remains passivated. F-system requests user acknowledgement. | 1 | 0 | 1 | 1 | 1 | 0
Event: User acknowledges (positive edge): B = 0->1
6 | F-system has reintegrated the F-module. | 1 | x | 0 | 0 | 0 | 0
Process: F-communication error
Process sequences
At F-communication error (e.g. due to disconnecting F-CPU and ET200) the entire affected F-I/O is passivated. If the error has been removed the F-I/O is only reintegrated after acknowledgement by the user. This applies irrespective of the ACK_NEC value.
Note
For "F-communication error" automatic reintegration is not possible!
Precondition
In the safety program the user acknowledges the reintegration by providing ACK_REI with a positive edge.
The following figure and table illustrate the process sequence.
[Figure: F-I/O not passivated (1) -> Error occurs -> F-I/O passivated (2) -> Error removed -> F-I/O remains passivated (3) -> User acknowledged -> F-I/O reintegrated (4). Numbers in brackets indicate the state.]
F-I/O data block F-DI and F-DO / SF-LED: A: ACK_NEC, B: ACK_REI, C: PASS_OUT, D: QBAD, E: ACK_REQ, F: SF-LED
State | Description of status and events | A | B | C | D | E | F
1 | F-I/O is not passivated. | x | 0 | 0 | 0 | 0 | 0
Event: Error occurs.
2 | F-module is passivated. | x | 0 | 1 | 1 | 0 | 0 (*1)
Event: Error removed.
3 | F-I/O has recognized that the error has been removed. | x | 0 | 1 | 1 | 1 | 0 (*2)
Event: User acknowledges (positive edge): B = 0->1
4 | F-system has reintegrated the F-I/O. | x | x | 0 | 0 | 0 | 0
Explanations for the table:
(*1): BF-LED at IM 151 HF is on. BF-LED at F-CPU is blinking.
(*2): The BF-LEDs are off.
Process: Safety program
Process sequences
The user can passivate and automatically reintegrate F-modules via the safety program. The PASS_ON variable is used for this.
Precondition
The F-module is passivated with "PASS_ON = 1". The F-module is automatically reintegrated with "PASS_ON = 0".
The following figure and table illustrate the process sequence.
[Figure: F-module not passivated (1) -> In the safety program: PASS_ON = 1 -> F-module passivated (2) -> In the safety program: PASS_ON = 0 -> F-module reintegrated (3). Number in brackets indicates the state.]
State
Description of status and events
1
2
F-I/O data block
F-DI and F-DO / SF-LED
A: ACK_NEC
B: ACK_REI
C: PASS_OUT
D: QBAD
E: ACK_REQ
F: SF-LED
A
B
C
E
F-module is not passivated.
0
0
0
0
Event: User sets "PASS_ON = 1" in the safety program
1
F-system has passivated the F-module.
1
0
1
0
0
0
0
0
Event: User sets "PASS_ON = 0" in the safety program.
3
F-system has reintegrated the F-module.
Process: Group passivation
What is group passivation?
Group passivation refers to simultaneous passivation of several F-modules. The following example explains the application of group passivation:
An end-switch has been connected at an F-DI. The end-switch is used to monitor the position of an axis. The drive of this axis is controlled via an F-DO. During wire-break at the end-switch, the drive must be switched off for safety reasons. This can be realized via the safety program: During passivation of F-DI, the entire F-DO is passivated at the same time.
How is a group passivation realized?
In the safety program, individual F-modules can be grouped together. The characteristic of a group is:
■ If 1 F-module "x" from this group is passivated, then all other F-modules from this group are passivated.
■ After manual or automatic reintegration of this F-module "x", the remaining F-modules of the group are automatically reintegrated.
The PASS_OUT and PASS_ON bits of the respective F-I/O data blocks (page 349) are used for a group passivation:
■ All PASS_OUT variables of the F-modules of this group must be combined with an OR logic operation.
■ The result of the OR logic operation must be assigned to all PASS_ON variables of the F-modules of this group.
In the following example a group is realized. The group consists of an F-DI and an F-DO:
■ If the F-DI is passivated, F-DO should also be passivated at the same time.
■ If the F-DI is reintegrated, F-DO should also be reintegrated at the same time.
The example shows:
■ What is the process of a group passivation?
■ How do the relevant bits in the F-I/O data block of F-DI and F-DO behave?
■ What is the design of the respective safety program?
The following figure shows the process of a group passivation.
[Figure: Group not passivated (1): F-DI not passivated, F-DO not passivated -> Error at F-DI -> F-DI passivated (2): F-DI passivated, F-DO not passivated -> Passivating the group -> Group passivated (3): F-DI passivated, F-DO passivated -> Remove error at F-DI -> F-DI is reintegrated (4): F-DI not passivated, F-DO passivated -> Reintegrating the group -> Group reintegrated (5): F-DI not passivated, F-DO not passivated. The number in brackets indicates the state.]
Warning
Automatic reintegration is only permitted if an automatic startup of the plant is not possible after the error
has been removed.
The following table explains the process of a group passivation.
F-I/O-module data block / SF-LED, for F-DI and for F-DO: A: PASS_OUT, B: PASS_ON, C: QBAD, D: SF-LED
State | Description of status and events | F-DI: A B C D | F-DO: A B C D
1 | Group is not passivated. | 0 0 0 0 | 0 0 0 0
Event: F-operating system recognizes the error at the F-DI.
2 | F-system has passivated the F-DI. | 1 0 1 1 | 0 0 0 0
Event: Group is passivated via the safety program.
3 | F-system has also passivated the F-DO. | 1 1 1 1 | 0 1 1 0
Event: F-system recognizes that the wire-break at the F-DI has been removed.
4 | F-system has reintegrated the F-DI. | 0 1 0 0 | 0 1 1 0
Event: Group is reintegrated via the safety program.
5 | Group is no longer passivated. | 0 0 0 0 | 0 0 0 0
The figure below shows the setup of the safety program:
The above network is not realized in the sample code. It only
serves as an illustration.
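The reintegration rules and the group passivation logic described above can be exercised in a small simulation. This is an added example, not the sample code of this functional example and not Siemens code: the class FIODataBlock, its method f_system_cycle and the helper functions are hypothetical, and the model assumes that QBAD follows PASS_OUT OR PASS_ON and that an acknowledgement edge only counts once ACK_REQ = 1.

```python
from dataclasses import dataclass


@dataclass
class FIODataBlock:
    """Simplified model of one F-I/O data block (variable names from this page)."""
    ACK_NEC: int = 1    # 1 = manual reintegration (default), 0 = automatic
    ACK_REI: int = 0    # user acknowledgement, evaluated on a positive edge
    PASS_ON: int = 0    # passivation requested by the safety program
    PASS_OUT: int = 0   # set while the F-system passivates because of an error
    QBAD: int = 0       # 1 = substitute values ("0") are in use
    ACK_REQ: int = 0    # 1 = F-system requests user acknowledgement
    _ack_prev: int = 0              # previous ACK_REI value, for edge detection
    _comm_error_seen: bool = False  # passivation caused by an F-communication error

    def f_system_cycle(self, io_error=False, comm_error=False):
        """One evaluation by the modelled F-system.

        Returns (PASS_OUT, QBAD, ACK_REQ) after the evaluation.
        """
        edge = self.ACK_REI == 1 and self._ack_prev == 0
        self._ack_prev = self.ACK_REI
        if io_error or comm_error:
            # Error pending: passivate, no acknowledgement possible yet.
            self.PASS_OUT, self.ACK_REQ = 1, 0
            self._comm_error_seen = self._comm_error_seen or comm_error
        elif self.PASS_OUT:
            # Error removed. F-communication errors always need an
            # acknowledgement, irrespective of ACK_NEC.
            manual = self._comm_error_seen or self.ACK_NEC == 1
            if not manual or (self.ACK_REQ and edge):
                self.PASS_OUT, self.ACK_REQ = 0, 0
                self._comm_error_seen = False
            else:
                self.ACK_REQ = 1  # stay passivated, request acknowledgement
        # Model assumption: passivation by error or by PASS_ON both set QBAD.
        self.QBAD = int(bool(self.PASS_OUT or self.PASS_ON))
        return self.PASS_OUT, self.QBAD, self.ACK_REQ


def group_passivation(modules):
    """Safety-program part: OR all PASS_OUT bits, assign the result to every PASS_ON."""
    group = int(any(m.PASS_OUT for m in modules))
    for m in modules:
        m.PASS_ON = group
    return group


def run_group_scenario():
    """Wire break at the F-DI of a group {F-DI, F-DO}, constructed input sequence.

    Returns one tuple per cycle: (F-DI PASS_OUT, F-DO PASS_ON, F-DO QBAD),
    sampled after the F-system evaluation and before the safety program runs.
    """
    f_di, f_do = FIODataBlock(ACK_NEC=0), FIODataBlock(ACK_NEC=0)
    trace = []
    for wire_break in (False, True, True, False, False):
        f_di.f_system_cycle(io_error=wire_break)
        f_do.f_system_cycle()
        trace.append((f_di.PASS_OUT, f_do.PASS_ON, f_do.QBAD))
        group_passivation([f_di, f_do])
    return trace


if __name__ == "__main__":
    for state, bits in enumerate(run_group_scenario(), start=1):
        print("state", state, "F-DI PASS_OUT, F-DO PASS_ON, F-DO QBAD =", bits)
```

The five tuples returned by run_group_scenario correspond to states 1 to 5 of the group passivation table for the bits they contain.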
Safe Standstill Detection and Safely Reduced Speed with
F-CPU and MASTERDRIVES in Category 3 of EN 954-1 or
SIL 2 of IEC 62061
Ex. No.
12
Functional Example No. AS-FE-I-012-V10-EN
Automation Function
Description of the functionality
Introduction
To ensure that a drive is not causing any hazards, it must be detected safely when it is in standstill mode (speed n=0). Only when the state of safe standstill is reached may actions be performed that during normal operation would otherwise be detected as a hazard and cause the actuator to be switched off. Such actions may consist of:
■ Entering a danger zone
■ Opening a safety door
■ Enabling further technological processes
Apart from safe standstill and normal operation this example also illustrates the "safely reduced speed" (Sicher reduzierte Geschwindigkeit = SG) operating mode (in this document referred to as "safe speed (SG)").
When does a "safe standstill" take place?
Within an applicative solution a safe standstill is referred to if
■ a speed n=0 of the drive is recognized and
■ this result is confirmed by a further evaluation of the operating mode of the drive (independent of the first evaluation).
Functional example
This functional example illustrates two independent methods of determining drive speed, and safe standstill in comparison with speed n=0.
■ Method 1: Determining speed via PROFIBUS
■ Method 2: Determining speed via standard count module
The following overall functionalities are prepared:
■ Emergency stop
■ Simulation of a safety door
■ Operating modes normal, "safe speed" (SG) and "drive standstill"
The actual speed value is determined in two different ways. The speed values determined this way are checked for plausibility in the operating modes "normal" and "safe speed" (SG). If one or several errors occur in "safe speed" (SG) mode, the drive is switched off fail-safe.
The plausibility check includes:
■ the actual speed value determined in two different ways
■ the comparison of the actual speed value with the N_MAX speed value, whose value must not be exceeded.
To illustrate these functionalities, the example consists mainly of three parts:
■ DP master CPU
■ DP slave (I-Slave)
■ DP slave (MASTERDRIVES)
These three blocks as well as the mentioned functionalities are described in greater detail below.
Note
The PFH-Calculation is not a part of this example.
DP master CPU
Determining speed with PROFIBUS (method 1)
A CPU S7-400, connected with MASTERDRIVES via PROFIBUS, is used as DP master. In the master CPU the operation related switching is realized:
■ Start the drive
■ Stop the drive
■ Acknowledgement (e.g. after an error)
To forward these commands to MASTERDRIVES, the master CPU writes the bits of the control word.
To detect the state of MASTERDRIVES, the master CPU reads the bits of the control word.
This communication is realized via PROFIBUS. This enables
■ transferring the setpoint speed value to MASTERDRIVES
■ detecting the actual speed value of MASTERDRIVES.
DP slave (I-Slave)
An ET 200S with intelligent and fail-safe interface (IM 151-7F-CPU) is used.
Note
In this example, the IM 151-7F CPU has already been configured as DP slave. However, if you require information for integrating an intelligent IM 151 interface as DP slave, please refer to the manual "ET 200S - Interface Module IM 151-7 CPU" (Entry-ID: 12714722)
The I-Slave realizes the following functionalities:
Safe drive shut down
The drive is switched off safely for
■ Triggered emergency stop
■ Opening the safety door in normal operation
■ Error during speed monitoring in "safe speed" (SG) mode
If one of these cases occurs, the drive is stopped immediately: The fail-safe output of the F-DO is connected with the OUT3 contact at MASTERDRIVES. At negative edge, OUT3 switches off the operation as fast as possible (fast stop).
Note
Fast stop is generally no primary safety function. However it enhances safety and helps reduce kinetic energy. OUT3 can also be connected to MASTERDRIVES via a standard module. The reason behind using OUT3 via an F-DO in this example is that otherwise an additional standard output module for ET 200S would be required.
Reaching category 3 according to EN 954-1 requires two different methods for safe shut down:
■ Option K80 for MASTERDRIVES
■ Shutdown by contactor
Option K80 (shut down method 1)
Option K80 for MASTERDRIVES contains a fail-safe relay with positively driven feedback contact, which shuts down power supply for controlling the power transistors (IGBTs). Pulse blocking occurs
■ in case of an error with delay after fast stop (OUT3=0) via the F-DO
■ in operating mode "safe speed" (SG) and drive standstill.
Shutdown by line contactor (shutdown method 2)
If an error is detected during evaluating the feedback contact of option K80, the contactor disconnects the drive from the network. If there is no readback error at option K80, the drive remains connected to the network; category 3 according to EN 954-1 remains true.
Determining speed with count module (method 2)
ET 200S contains a standard count module which is connected with the SBM2 module (from module identification 0x95FF / EEPROM version 1.06) of MASTERDRIVES. The SBM2 module evaluates the signals of the optical sin-/cos encoders.
Emergency stop
Emergency stop is read into the F-DI and when pressed switches off the drive via the OUT3 parameter of the MASTERDRIVES (fast stop) and option K80 (pulse blocking). If a readback error occurs at option K80, the contactor (K2) additionally disconnects the drive from the network.
Attention
When using a contactor, its design must allow for this. In this example a contactor K2 was used for testing without connection to a load circuit.
Safety door monitoring
The safety door is always monitored with a two channel safety door contact to show that
■ during normal operation and opening of the safety door the drive is safely switched off,
■ in "safe speed" (SG) mode an opening of the simulated safety door does not cause the drive to be switched off.
Attention
This example is not a complete solution of a safety door monitoring. For a respective solution please refer to Safety Function examples no. 2, 3 and 4.
Operating mode "safe speed" (SG)
The operating mode "safe speed" (SG) can only be activated following drive standstill.
Further preconditions for the operating mode "safe speed" (SG):
■ Emergency stop button unlocked
■ Mode switch set to SG
■ DMS (Dead Man Switch) remains continuously pressed.
■ Actual speed value of "safe speed" remains below limit value N_SG
Signals of the mode switch and DMS are read into an F-DI.
Attention
Depending on danger analysis and risk level assessment of the discussed machine, the drive can, in "safe speed" (SG) mode, also be operated with an open safety door.
DP Slave (MASTERDRIVES)
The description of MASTERDRIVES here is restricted to information on interfaces X101 and SBM2.
Interface X101
Terminals -X101/3 to -X101/6 can be used as digital inputs or
outputs. In this example, contact 5 is configured as OUT3 and
(via contactor K1) connected with the F-DO of the ET 200S.
A "0" signal at OUT3 leads to fast stop of the drive.
Note
Fast stop is generally no primary safety function. However it enhances safety and helps reduce kinetic energy. OUT3 can also be connected to MASTERDRIVES
via a standard module. The reason behind using OUT3
via an F-DO in this example is that otherwise an additional standard output module would be required for
ET 200S.
Interface SBM2 module
The SBM2 module (from module identification 0x95FF /
EEPROM version 1.06) forms a pulse generator imitation from
the speedometer signal of the motor (e.g. sin/cos encoder),
which behaves like an incremental encoder located at the motor. This information is transmitted to the count module of the
ET 200S which is operated in "speed detection" measuring
mode.
Interface X533 (option K80)
This interface is used for safe shutdown (see page 365).
Flowchart
The flowchart below illustrates the functional relations.
"Check of plausibility OK?" in the flowchart involves:
■ checking whether the actual speed value does not exceed a fixed speed value N_MAX.
■ checking whether the actual speed value determined with PROFIBUS and the actual speed value determined with the ET 200S count module are equal.
If both points can be answered with "YES", then the plausibility check is "OK". For "NO" and "safe speed" mode, the drive is switched off safely.
Time sequence for different modes
The following time diagrams show the time sequence during:
■ Operational start and shutdown of the drive
■ Emergency stop
■ Operating mode "safe speed" (SG)
First, the displayed parameters are explained. The names of the signals correspond to the ones of the S7 program code.
Symbol | Function | Convention
ACK | Acknowledgement | Acknowledgement depending on edge evaluation
START | Start request | 1: Start request
STOP | Stop request | 0: Stop request
ESTP | Emergency Stop | 0: Activated emergency stop
SIM_FDOR | Simulated safety door | 0: Opened safety door
DMS | Dead man switch | 1: DMS pressed
OUT3 | Parameter MASTERDRIVES | 0: Fast stop
K80 | Contactor for controlling the option K80 | 1: Safety relay of K80 option is controlled
K2 | Line contactor | 1: activated
n | Actual speed value |
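The plausibility check, the two-channel standstill confirmation and the shutdown conditions can be written down as one decision function. This is an added example, not the S7 program of this functional example: the function names, the tolerance used for "equal", the standstill window and all limit values are assumptions constructed for illustration, and only the signal conventions (ESTP, SIM_FDOR, DMS, REQ_SG) come from this document.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed limit values (rpm); the document names N_MAX and N_SG
# but this section gives no numbers for them.
N_MAX = 3000.0        # speed that must never be exceeded
N_SG = 300.0          # limit for "safe speed" (SG) mode
TOL = 20.0            # assumed tolerance for "both speed values are equal"
N_STANDSTILL = 5.0    # assumed window that still counts as n = 0


@dataclass
class Signals:
    ESTP: int                    # 0 = emergency stop activated
    SIM_FDOR: int                # 0 = (simulated) safety door opened
    DMS: int                     # 1 = dead man switch pressed
    REQ_SG: int                  # 1 = mode switch set to "safe speed" (SG)
    n_profibus: Optional[float]  # actual speed, method 1 (PROFIBUS)
    n_counter: Optional[float]   # actual speed, method 2 (count module)


def plausibility_ok(n1, n2, n_max=N_MAX, tol=TOL):
    """Both flowchart checks; a missing reading is treated as "NO"."""
    if n1 is None or n2 is None:
        return False
    if abs(n1) > n_max or abs(n2) > n_max:
        return False
    return abs(n1 - n2) <= tol


def safe_standstill(n1, n2, window=N_STANDSTILL):
    """n = 0 only counts when both independent evaluations confirm it."""
    if n1 is None or n2 is None:
        return False
    return abs(n1) <= window and abs(n2) <= window


def shutdown_reasons(s, n_max=N_MAX, n_sg=N_SG, tol=TOL):
    """Return the reasons to switch the drive off safely (empty list = may run).

    The document states the fail-safe shutdown on a failed speed check only
    for SG mode, so the normal-mode reaction to it is not modelled here.
    """
    reasons = []
    if s.ESTP == 0:
        reasons.append("emergency stop")
    if s.REQ_SG == 0:
        # Normal operation: an opened safety door switches the drive off.
        if s.SIM_FDOR == 0:
            reasons.append("safety door opened in normal operation")
    else:
        # SG mode: the door may be open, but DMS and speed are monitored.
        if s.DMS != 1:
            reasons.append("dead man switch released")
        if not plausibility_ok(s.n_profibus, s.n_counter, n_max, tol):
            reasons.append("speed plausibility check failed")
        elif max(abs(s.n_profibus), abs(s.n_counter)) >= n_sg:
            reasons.append("speed not below N_SG")
    return reasons


if __name__ == "__main__":
    # Constructed sample: SG mode, DMS pressed, door open, both channels agree.
    sample = Signals(ESTP=1, SIM_FDOR=0, DMS=1, REQ_SG=1,
                     n_profibus=100.0, n_counter=105.0)
    print(shutdown_reasons(sample) or "drive may run")
```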
Operational start and shutdown of the drive
Time | Explanation
t1 | Acknowledgement is obligatory prior to the first start.
t2 | Drive is started via START.
t3 | Drive is stopped via STOP.
t4 | Drive standstill
Emergency stop
Time | Explanation
t1 | Acknowledgement is obligatory prior to the first start.
t2 | Drive is started via START.
t3 | Activates emergency stop: fast stop is triggered (OUT3=0).
t4 | Option K80: pulse blocking
t5 | Separating drive from network (only for readback error of option K80).
t6 | Unlocking the emergency stop button.
t7 | Negative edge of acknowledgement signal: Activates the contactor. OUT3 is reset to 1 signal. This is the prerequisite for the drive to be restarted with OUT1=1 (not depicted).
Note
The above time curve for OUT3, K80, K2 and n would also result if instead of triggering an emergency stop at t3, the safety door (simulated here) would be opened.
Note
The drive is only separated from the network, if the feedback contact of option K80 causes an error (see time value t5).
Operating mode "safe speed" (SG)
The signal curves described below require the mode switch to
select "safe speed" (SG) mode.
Time | Explanation
t1 | Acknowledgement required prior to first start obligatory.
t2 | Pressing and keeping dead man switch (DMS=1) pressed switches the safety relay of the K80 option. The drive starts with SG.
t3 | Opening...
t4 | …and closing the (simulated) safety door does not cause the drive to stop (OUT3=1, n>0).
t5 | Releasing the dead man switch (DMS=0)…
t6 | …causes a stop and subsequent pulse blocking of the drive (n=0, K80=0)
t7 | Renewed pressing and holding of the dead man switch (DMS=1) switches the safety relay of the K80 option. The drive starts with SG.
t8 | Activates emergency stop: fast stop is triggered (OUT3=0).
t9 | Pulse blocking through option K80.
t10 | Separating drive from network (only for readback error of option K80).
Note
As depicted in the time diagram, the drive is only separated from the network, if the feedback contact of option K80 causes an error (see time value t10).
Advantage / Customer benefits
■ No standstill monitor necessary.
■ The used speed values for operating modes "normal" and
"safely reduced speed" (SG) can be adjusted easily to the
individual requirements.
■ Use of prefabricated and certified failsafe blocks from the
Distributed Safety library.
Required Components
Hardware components
Components | Type | MLFB / Order information | No. | Manufacturer
Power supply | PS 407 10A | 407-0KA01-0AA0 | 1 | Siemens AG
Power supply | PS 307 5A | 6ES73071EA00-0AA0 | 1 |
CPU S7-400 | CPU 412-2 | 6ES7412-2XG04-0AB0 | 1 |
S7F-CPU | IM 151-7F-CPU | 6ES7151-7FA01-0AB0 | 1 |
S7-400 input module | DI 32xDC24V | 6ES7421-1BL01-0AA0 | 1 |
Power module for ET 200S | PM-E DC24..48V AC24..230V | 6ES7138-4CB10-0AB0 | 2 |
Count module for ET 200S | 1COUNT 5V/500kHz | 6ES7138-4DE02-0AB0 | 1 |
Electronic module for ET 200S | 4/8 F-DI DC24V | 6ES7138-4FA02-0AB0 | 1 |
Electronic module for ET 200S | 4 F-DO DC24V/2A | 6ES7138-4FB02-0AB0 | 1 |
Micro Memory Card | MMC 2MB | 6ES7953-8LL11-0AA0 | 1 |
Terminal module for ET 200S | TM-P15S23-A0 | 6ES7193-4CD20-0AA0 | 2 |
Terminal module for ET 200S | TM-E30S44-01 | 6ES7193-4CG20-0AA0 | 1 |
Terminal module for ET 200S | TM-E30C46-A1 | 6ES7193-4CF50-0AA0 | 2 |
Terminating module for ET 200S | | 6ES7193-4JA00-0AA0 | 1 |
Emergency stop | Push button, 1NC | 3SB3801-0DG3 | 1 |
Contact (for emergency stop) | 1NC, screw-type connection | 3SB3420-0C | 1 |
Position switch | Metal enclosed, 2NC | 3SE2120-6XX | 1 |
Actuator | | 3SX3197 | 1 |
Push button | Green, 1NO | 3SB3801-0DA3 | 2 |
Push button | Red, 1NC | 3SB3801-0DB3 | 1 |
Control element | With 2 switching elements (2NC) | 3SB3400-0D | 1 |
Knob switch complete device | 0-I snap-in, 1NC | 3SB3202-2HA11 | 1 |
Universal-Rack | UR2 | 6ES7400-1JA01-0AA0 | 1 |
Mounting rail | 482,6 mm | 6ES7390-1AE80-0AA0 | 1 |
Standard mounting rail | 35 mm, length 483 mm | 6ES5710-8MA11 | 1 |
SIMOVERT MASTERDRIVES | Demonstration box | 6SE7011-6EP60-Z | 1 |
Sensor module for encoder SBM2 | Incl. connector and short instruction | 6SX7010-0FE00 | 1 |
Servo motor | N(nominal)=6000 rpm | 1FT6031-4AK7 | 1 |
Contactor | 2NO +2NC | 3RH1122-1BB40 | 2 |
Contactor | NC | 3RT1015-2BB42 | 1 |
Overview picture
Note
The functionality was tested with the listed hardware
components. Similar products not included in the
above list can also be used. Please note that in this case
changes in the sample code (e.g. different addresses)
may become necessary.
Configuration software/tools
Component | Type | MLFB / Order information | No. | Manufacturer
SIMATIC STEP 7 | V5.3 + SP3 | 6ES78104CC07-0YA5 | 1 | Siemens AG
SIMATIC Distributed Safety | V5.4 | 6ES78331FC02-0YA5 | 1 |
Drive ES BASIC | V5.3 + SP3 | 6SW17005JA00-3AA0 | 1 |
Setup and Wiring
Regarding the use of SIMOVERT MASTERDRIVES, please consider the following safety note:
Warning
The MASTERDRIVE carries hazardous voltages and controls potentially dangerous rotating mechanical parts. Non-compliance with warnings or failure to follow the instructions contained in the MASTERDRIVE manual can result in loss of life, severe personal injury, or serious damage to property.
Overview of the hardware configuration
Arrangement of the PROFIBUS configuration:
■ S7-400 CPU as DP-Master
■ ET 200S with IM 151-7F-CPU as DP slave
■ SIMOVERT MASTERDRIVES as DP slave
Notes on contactors and option K80
Comp. | Function | Note
K1 | Contactor | Auxiliary contact (NO) switches parameter OUT3.
K2 | Line contactor | Tested without connected load current circuit.
K80 | Contactor | Auxiliary contact (NO) controls the safety relay of option K80 (see following circuit diagram).
Notes on configuring MASTERDRIVES
Note
Configuration of SIMOVERT MASTERDRIVES is in this example not discussed in detail.
The control signals and the setpoint speed value are forwarded to MASTERDRIVES using PROFIBUS. Signal OUT3 is controlled indirectly via the connecting terminal plate of MASTERDRIVES.
The following table affects the configuration of input OUT3 at MASTERDRIVES (see contact X101/5 in the circuit diagram).
P. No. | Name | Parameter value
P558 | Q.1AUS3 (SHalt) | B14 Dig. Input 3
Wiring of hardware components
Prerequisite: The power supplies are supplied with 230 V AC.
First check the addresses set at the hardware components listed below:
Hardware component | Address to be set | Note
IM 151-7F-CPU | 6 (PROFIBUS address) | Can be changed.
F-DI | Switch position: 0011001000 | The PROFIsafe addresses are automatically assigned when configuring the fail-safe modules in STEP 7. The PROFIsafe addresses 1 to 1022 are permissible. Please make sure that the setting at the address switch (DIL switch) on the side of the module corresponds to the PROFIsafe address in the hardware configuration of STEP 7.
F-DO | Switch position: 0011000111 | (see note for F-DI)
Note
The wiring of the hardware is illustrated below. In the following table, the hardware components occurring several times are numbered so they can be allocated in the subsequent wiring plan.
Note
The DP interfaces of S7-400-CPU, IM 151-7F-CPU and SIMOVERT MASTERDRIVES must be inter-connected.
Note
The safety relay and the feedback contact of option K80 are displayed separately in the wiring plan (on the next page) for better clarity.
Note
A connection between the MPI interface of this S7-CPU and the MPI interface of your PG/PC is required to download the S7 project to the CPU 412-2.
Attention
When using a contactor the design must provide for this. In this example a contactor K2 was used for testing without connection to a load circuit.
Function test
The inputs and outputs used can be checked with regard to
their functionality, if
■ the hardware components are wired
■ the S7 project is located in the DP Master CPU (CPU412-2)
■ the S7 project is located in the DP Slave CPU
(IM 151-7F-CPU)
■ MASTERDRIVES has been parameterized accordingly
Inputs and outputs used for the DP Master CPU
(CPU412-2)
No. HW component
Address
Symbol
Signal (default
value)
Note
Nr.
Push button (NO)
E 0.0
START
"0
Start request
1
Push button (NO)
E 0.1
ACK
"0
Acknowledgement
2
Push button (NO)
E 0.2
STOP
"1
Operational stop
3
Push button (NO)
E 0.0
START
"0
Start request
No. SW component
Address
Symbol
Signal (default
value)
Note
4
Output
DB2.DBX
3.0
OUT1
"0
Bit in control word for MASTERDRIVES (for 1: drive starts).
Software output
Inputs and outputs used for the DP Slave CPU (IM 151-7F-CPU)
No. | HW component | Address | Symbol | Signal (default value) | Note
1 | Push button (NC/NC) | E 0.0 | ESTP | "1" | Emergency-stop button
2 | Push button (NC/NC) | E 0.1 | SIM_FDOR | "1" | Position switch
3 | Push button (NC/NC) | E 0.2 | DMS | "0" | Dead Man Switch. Must remain pressed permanently in "safe speed" (SG) mode.
4 | Switch engages | E 0.3 | REQ_SG | "0" | Mode switch. 0: Normal operation, 1: "safe speed" (SG)
No. | SW component | Address | Symbol | Signal (default value) | Note
5 | F-DO | A 6.0 | OUT3 | "0" | Connection from F-DO (via K1) to MASTERDRIVES. At signal change from 1->0 fast stop (immediate stop of the drive) is triggered.
6 | F-DO | A 6.1 | K2 | "0" | Contactor (tested without connected load circuit).
7 | F-DO | A 6.2 | K80 | "0" | Contactor for switching the safety relay of the K80 option of MASTERDRIVES.
Testing inputs and outputs
Prerequisite: The inputs and outputs have the default values
specified under "Inputs/outputs used".
No. | Instructions | Response: OUT1 | OUT3 | K2 | K80 | MASTERDRIVES
1 | Press ACK and release | 0 | 1 | 1 | 1 | Standstill
2 | Press START and release | 1 | 1 | 1 | 1 | Starts (normal operation)
3 | Press STOP and release | 0 | 1 | 1 | 1 | Shuts down (operational stop)
4 | Repetition No. 2 | 1 | 1 | 1 | 1 |
5 | Press ESTP | 0 | 0 | 1, after time delay X | 1, after time delay 0 | Shuts down (fast stop); pulse blocking. X: K2=1, if no readback error of option K80 (otherwise K2=0)
6 | Unlock emergency-stop button | 0 | 0 | 1 | 0 |
7 | Press ACK and release | 0 | 1 | 1 | 1 |
8 | Repetition No. 2 | 1 | 1 | 1 | 1 |
9 | SIM_FDOR=0: Open safety door (simulated by pulling the position switch) | 0 | 0 | 1, then X | 1, then 0 | Shuts down (fast stop); pulse blocking. X: K2=1, if no readback error of option K80 (otherwise K2=0)
10 | SIM_FDOR=1: Close safety door | 0 | 0 | X | 0 | Standstill
11 | Press ACK and release | 0 | 1 | 1 | 1 | Edge change from 0 to 1 at OUT3 is a prerequisite for OUT1 to be reset.
12 | Set REQ_SG to 1 | 0 | 1 | 1 | 1 | Operating mode "safe speed" (SG) has been set
13 | Press DMS and keep it pressed | 1 | 1 | 1 | 1 | Operating mode "safe speed" (SG) active
14 | SIM_FDOR=0: Open safety door (simulated by pulling the position switch) | 1 | 1 | 1 | 1 | In operating mode "safe speed" (SG) the safety door can also be opened at active drive.
15 | Release DMS | 1 | 1 | 0 | 0 (time delay) | Shuts down to safe standstill
Edge change from 0 to 1 at OUT3 is a prerequisite for OUT1 to be reset.
Note
An acknowledgement signal is required for starting the machine:
• Prior to the first start (normal operation)
• After triggering emergency stop
• After opening the safety door in normal operation
• After error recognition during plausibility checks for the speed value
Important hardware component settings
Below, several important settings from the hardware configuration of STEP 7 are shown to provide you with an overview. These settings are available in the included STEP 7 project. It is basically possible to change these settings (e.g. due to individual requirements), but please consider the following note:
Attention
The settings shown below contribute to meeting the requirements of category 3 according to EN 954-1 and SIL 2 of IEC 62061. Changes to the settings may cause loss of the safety function.
If you implement changes (e.g. add an additional module), the sample code has to be adapted accordingly.
Overview hardware configuration of DP Master CPU (CPU412-2)
Overview hardware configuration of the DP Slave CPU (IM 151-7F-CPU)
The view above (double-click ET 200S at the PROFIBUS line)
displays the address area via which the DP Master CPU (CPU
412-2) communicates with the DP Slave CPU (IM 151-7F-CPU)
(see screenshot below). In this example, bytes 14 to 45 are
used for this. The inputs of the DP Master CPU (e.g. E20.1) are
also the outputs of the DP Slave CPU (A20.1) and vice versa.
Settings of IM 151-7F-CPU
The settings are displayed after double-clicking "IM 151-7F-CPU" in the hardware configuration of STEP 7 (see "overview picture").
■ Default value: 100 ms. Make sure that the F-module monitoring time is larger than the call time of OB 35.
■ Available in the "Protection" tab (Level of protection). A password has to be allocated in order to be able to set the parameter "CPU Contains Safety Program". Only in this case are all F blocks required for safe operation of the F modules generated when the hardware configuration of STEP 7 is compiled. Password used here: siemens
■ Set mode: "Test mode". During Process Mode, the test functions such as program status or monitor/modify variable are restricted in such a way that the set permitted increase in scan cycle time is not exceeded. Testing with stop points and gradual program execution cannot be performed. During Test Mode, all test functions can be used without restrictions via PG/PC, which can also cause larger extensions of the cycle time. Important: During test mode of the CPU, you have to make sure that the CPU or the process can "stand" large increases in cycle time.
Settings of count module "1 COUNT"
The settings are displayed after double-clicking "IM 151-7F-CPU" in the hardware configuration of STEP 7 (see "overview picture").
When the measuring mode is parameterized accordingly, the module offers the option of speed measurement. This setting is the default in our example (see figure above).
Settings of the fail-safe F-DI
The settings are displayed after double-clicking "4/8 F-DI DC24V" (see "Overview picture").
■ DIL switch settings: This value has to be set on the module (F-DI).
■ F monitoring time: It has to be observed that the F monitoring time must be larger than the call time of OB 35.
■ The connected sensors receive the power supply via the module.
■ In this example, the respective channel is passivated during a channel error (not the entire module).
■ Channel 0: Emergency stop push button (ESTP)
■ Channel 1: Position switch (SIM_FDOR)
■ Channel 2: Dead man switch (DMS) for activating the operating mode "safe speed" (SG)
■ Channel 3: Mode switch (REQ_SG). 0: Normal operation, 1: "safe speed" (SG)
■ Channel 7: Readback contact of option K80 of MASTERDRIVES
Settings of the fail-safe F-DO
The settings are displayed after double-clicking "4 F-DO DC24V/2A" (see "Overview picture").
■ DIL switch settings: This value has to be set on the module (F-DO).
■ F monitoring time: It has to be observed that the F monitoring time must be larger than the call time of OB 35.
■ Passivation: Passivation of channels in this example ("Behavior after channel faults").
■ The read-back time defines the duration of the switch-off procedure for the respective channel. If the respective channel switches high capacity loads, the read-back time should be set sufficiently large. We recommend setting the read-back time as small as possible, however large enough so that the output channel does not become passive.
■ Unused channels: Deactivate
Basic Performance Data
DP Master: Load and main memory (without program code)
Memory | Total
Load memory | approx. 0.5 k
Main memory | approx. 0.4 k
DP Slave (IM 151-7F-CPU): Load and main memory (without program code)
Memory | Total | S7 standard blocks | F blocks (fail-safe)
Load memory | approx. 41.6 k | approx. 0.1 k | approx. 41.5 k
Main memory | approx. 31.8 k | approx. 0.05 k | approx. 31.7 k
DP Master: Load and main memory (with program code)
Memory | Total
Load memory | approx. 8.9 k
Main memory | approx. 18.4 k
DP Slave (IM 151-7F-CPU): Load and main memory (with program code)
Memory | Total | S7 standard blocks | F blocks (fail-safe)
Load memory | approx. 61.7 k | approx. 1.3 k | approx. 60.4 k
Main memory | approx. 44.5 k | approx. 0.5 k | approx. 44.0 k
Cycle time (IM 151-7F-CPU)
Total cycle time (typical) | approx. 3 ms | Standard and safety program
Max. runtime of the safety program | 10 ms
approx. 0.5 k
Sample Code
General information
To download the project to the F-CPUs please proceed as follows:
No. | Instructions
1 | Load the appropriate hardware configuration into the IM 151-7F-CPU.
2 | Switch to the SIMATIC Manager
3 | Select the "Blocks" folder (DP slave)
4 | Menu "Options" -> Edit safety program
5 | Click the "Download" button.
6 | First load the hardware configuration to the DP-Master.
7 | Switch to the SIMATIC Manager.
8 | Select the "Blocks" folder (DP master)
9 | Menu "Zielsystem" (target system) -> "Laden" (download)
Password
In all cases, the password used for the safety-relevant part is siemens.
Preliminary Remarks
In the attachment, we offer you the STEP 7 project as sample code with which you can reproduce the functionality described here.
The sample code is always assigned to the components used in the functional examples and implements the required functionality. Problems not dealt with in this document are to be realized by the user; the sample code may serve as a basis.
Use of the STEP 7 project
The STEP 7 project shows how safe standstill monitoring can be realized using MASTERDRIVES.
Download
To call the corresponding project file, open the
"as_fe_i_012_v10_code_sstill.zip" file offered as a separate
download (on the HTML page) and extract it into a user defined directory.
The sample code with the given configurations enables the
following:
■ Operational start and stop respectively via one button
■ Emergency stop
■ Simulated safety door (position switch)
■ Safe speed (SG)
■ Safe standstill detection
Attention
The safety door simulated with the position switch
contains no complete safety door solution for a, but
serves merely as a demonstration of the following behavior: In operating mode "safe speed" (SG) the drive
may also be active at opened safety door.
Note
The example is designed for one rotational direction of
the drive and does not take into account a change of
direction.
Program sequence
General overview
The following figure shows the program structure of both
S7-CPUs (S7-400 as DP Master and IM 151-7F-CPU as
DP Slave).
Transfer area in the I/O address space
For an intelligent DP Slave (here: IM 151-7F-CPU) the DP Master does not access the connected inputs and outputs of the intelligent DP slaves, but accesses a transfer area in the input/output address space of the "preprocessing CPU". The input addresses of the DP Master CPU (S7-400) are output addresses of the DP Slave CPU (here: IM 151-7F-CPU) and vice versa.
In this example, a transfer area of 32 bytes each was reserved for inputs and outputs (from byte 14). You reach the mask below as follows: In the hardware configuration of STEP 7 you double-click the intelligent DP slave:
Note
The configured I/O areas for data exchange between master and slaves must not be "assigned" by I/O modules.
Note
All variables of the respective example which are addressed via the above described transfer area start their names with "C_" for "Couple" (e.g. C_OUT1).
S7 program of master CPU
DB "ENGINE SPEED" (DB 1)
DB 1 contains the setpoint speed value for normal operation.
This value is not given in 1/min but as follows:
4000 hex (=16384 dec) correspond to 100% of the maximum
speed
DB "PARAM_MDRIVE" (DB 2)
DB 2 contains the parameters of MASTERDRIVES.
OB 1
The S7 program of the master CPU consists mainly of the program sequences of OB 1. There the conditions for operational
control of MASTERDRIVES are defined.
Network 1: Status MASTERDRIVES
The status of MASTERDRIVES is stored in the temporary variables STATUS_MD.
For NW2 the Bit L25.4 is required.
Network 2: Start and stop requests
Symbol | Function | Explanation
START | Push button (NO) | 1: start request
C_REQ_SG | Mode switch | Switch which requests "safe speed" (SG) with "1" signal. Normal operation can only be started when this bit is on "0" signal.
C_SW_FDOR | Position switch | 1: safety door closed
IMPULSE_RELEASE | Impulse release for MASTERDRIVES | See NW3
STOP | Push button (NC) | 0: stop request
C_NERR_ESTP_FDOR | Error bit for switch-on locking | This bit represents the status of a flip-flop in the F-program which safely switches MASTERDRIVES off in the event of a failure. C_NERR_ESTP_FDOR=0, if at least one of the following events is true:
  • Safety door is opened during normal operation
  • Emergency stop push button is pressed
  • In operating mode "safe speed" (SG) the actual speed value exceeds a comparison value N_SG.
  • In "safe speed" (SG) mode, the actual speed value determined with PROFIBUS and the actual speed value determined with the ET 200S count module are deviating.
  • In operating mode "safe speed" (SG) the drive spins (SSTILL=0), even though no start request is pending (OUT1=0).
  • The readback signals from contactor K2 or option K80 are not pending correctly.
C_EN_SG | Enable "safe speed" (SG) | 1: operating mode "safe speed" (SG) active
OUT1 | Enable start of MASTERDRIVES | Parameter of MASTERDRIVES, controlled by S7-400 (Master-CPU) via PROFIBUS. "1" signal means: drive starts. OUT1=1 for the operating modes
  • Normal operation
  • "Safe speed" (SG)
  OUT1=1 requires OUT3=1.
C_OUT1 | Enable start of MASTERDRIVES | Information for the F-CPU
Without the AND logic operation of C_EN_SG with L 254.4 (OUT2), the drive would not restart in operating mode "safe speed" (SG) after standstill and pulse blocking. Reason: After pulse blocking MASTERDRIVES resets the bit OUT2 internally to "0" signal and goes to "switch-on locking" mode. After pressing the dead man switch the safety relay of option K80 is controlled again, which causes MASTERDRIVES to set the OUT2 bit back to "1" signal. Only now must the start command assign "1" signal to the OUT1 bit.
Note
After unplugging the PROFIBUS connector from MASTERDRIVES (during runtime) the drive goes to standstill. Renewed starting requires pressing not only acknowledgement (ACK) but also the stop button (STOP) to reset OUT1 in the Master-CPU.
Network 3: Acknowledgement
With ACK=1 the following parameters are acknowledged:
Symbol | Function | Explanation
ACK | Push button (NO) | Acknowledgement
  • Necessary prior to the first start.
  • After error recovery
C_INFO_ACK_FOR_F_PRG | Information exchange from DP master to DP slave. | Acknowledgement signal for F-program
C_OUT3 | Information exchange from DP slave to DP master. | 0: Fast stop of drive (e.g. after triggering emergency stop). After standstill of the drive (determined by both CMP compare blocks) the pulse blocking at the drive is removed (resetting the SR flip-flop).
IMPULSE_RELEASE | Impulse release for MASTERDRIVES | 0: Removing the pulse blocking for the drive
ACK_ERR | Acknowledgement MASTERDRIVES | Error pending at MASTERDRIVES is acknowledged with ACK=1.
Note
For resetting the pulse blocking of MASTERDRIVES it is sufficient to determine the safe standstill via PROFIBUS. Additional standstill detection via the count module of the ET 200S is not required here.
Note
When determining the standstill, the drive speed (here: PEW258) is not compared with 0, but with 2 and -2. This takes into account that the incremental shaft encoder can also detect speeds not equal to 0 due to small movements of the drive. On average, however, the speeds are 0. The comparison value must be adjusted to your individual situation.
Network 4: Reading in the readback signals
The opening auxiliary contact of contactor K2 is connected
with the digital input module of the S7-400 (K2_HELP). The
readback signal is evaluated in the F-program. C_K2_HELP
makes the readback signal available to the F-CPU.
Network 5-7: Speeds for MASTERDRIVES
NW | Task | Note/explanation
5 | Conversion of actual speed value in 1/min with PROFIBUS | This network determines the actual speed value read with PROFIBUS and provides this value to the DP slave for standstill evaluation. Maximum speed: 6000 1/min. Maximum value of MASTERDRIVES: 4000hex=16384dec. The ratio of both numbers makes up a factor which initially is stored in a temporary variable #TEMP1. Via the PEW 258 the value representing the actual speed value is read in by MASTERDRIVES. Multiplication of this value with #TEMP1 results in the actual speed in 1/min. This value is transmitted to the F-CPU with C_N_ACT.
6 | Converting the setpoint speed value for the operating mode "safe speed" (SG) | The value C_N_SG is provided by the F CPU in 1/min. After conversion (4000hex correspond to 6000 1/min) this value is available in MASTERDRIVES as N_SG_FOR_MDRIVE.
7 | Normal operation or "safe speed" (SG) | If C_EN_SG=1, the "safe speed" stored in the F-program is transmitted to MASTERDRIVES (transfer command in PAW 258). For C_EN_SG=0 the setpoint speed value stored in DB1 is transferred to MASTERDRIVES for normal operation.
OB "COMPLETE RESTART" (OB 100)
In OB 100 the values for MASTERDRIVES are preset; they become active when the S7-CPU starts up.
S7 program of DP Slave
Standard user program of the DP Slave CPU (IM 151-7F-CPU)
OB 1
The networks of OB1 of the F-CPU describe the address transfer area to provide necessary information to the master CPU.
Timed alarm (OB 35):
In OB 35 the program for the count module of ET 200S is
called up:
The count module receives pulses from the SBM2 module of
MASTERDRIVES. OB 35 forms the interface for the S7 program
by evaluating these pulses. The variable N_SBM2 delivers the
actual speed value which in the F-program is used for standstill detection of the drive. The speed value determined by the
count module is always displayed as a positive value.
Furthermore, the OB35 calls the F-runtime group (F-CALL).
F-program of the DP Slave (IM 151-7F-CPU)
F-CALL (FC 1)
The F-runtime group F-CALL (FC 1) is called from the cyclic interrupt OB (OB 35). From here, the FC "COORDINATION" (FC 2)
is processed first.
FC "COORDINATION" (FC 2)
The FC2 successively processes the following F-blocks:
■ FB "STANDSTILL_AND_SAFETY_V" (FB 2, DB 2)
■ FB "EMSTP_AND_FDOOR" (FB 1, DB 1)
■ FC "REINT" (FC 10)
FB "STANDSTILL_AND_SAFETY_V" (FB 2, DB 2)
Tasks of the FB "STANDSTILL_AND_SAFETY_V" (FB 2, DB 2)
■ Standstill detection
■ Enable operating mode "safe speed" (SG)
■ Perform plausibility check of the determined actual speed
values (via PROFIBUS and count module of the ET 200S).
Variables of FB "STANDSTILL_AND_SAFETY_V" (FB 2, DB 2):
Formal parameter | Data type | Explanation
N_PB | INT | Actual speed value (determined via PROFIBUS). Provided by master CPU in 1/min.
N_COUNT | INT | Actual speed value (determined via SBM2 module of MASTERDRIVES and count module of the ET 200S). Provided by OB35 of the F-CPU in 1/min.
DMS | BOOL | "Dead Man Switch": Button (NO) which can start the drive from standstill when "safe speed" (SG) mode is set. SG remains active as long as
  • the button (NO) stays pressed
  • the operating mode "safe speed" (SG) is set
  • the emergency stop push button is not pressed
  • the plausibility check of the speed is passed
  • the readback signal of K2 is pending correctly
ACK | BOOL | Occurring errors are acknowledged with the acknowledge signal.
REQ_SG | BOOL | Mode switch. 0: normal operation, 1: "safe speed" (SG)
N_MAX | INT | N_ERR1=1 for N_PB>N_MAX or N_COUNT>N_MAX. In operating mode SG this causes safe shutdown of the drive.
N_SG | INT | Maximum speed value in 1/min for "safe speed" (SG).
N_SG_TOL | INT | Tolerance range for N_SG. The drive is safely shut down in "safe speed" (SG) mode if the actual speed value is larger than N_SG + N_SG_TOL.
N_DIFF | INT | Two values are determined:
  • the actual speed value determined via PROFIBUS and
  • the actual speed value determined via the count module of ET 200S.
  If the difference between both determined actual speed values exceeds the parameterized value N_DIFF, this is interpreted as a plausibility error. N_ERR2 then becomes 1 and the drive is safely switched off.
N0_TOL | INT | When determining the standstill, the drive speed is not compared with 0, but with the value parameterized at N0_TOL. This takes into account that the incremental shaft encoder can also detect speeds not equal to 0 due to small movements of the drive. On average, however, the speeds are 0.
OUT1 | BOOL | OUT1=1: start command for drive.
DELAY_ON | TIME | Switch-on delay. After the time has elapsed, the evaluation of the plausibility check becomes active. The delay is due to the inertia of the mechanical contacts.
SSTILL | BOOL | 1: drive in standstill
N_ERROR | BOOL | Collective error: is set to 1 if one of the following errors occurs in "safe speed" (SG) mode.
  • The actual speed value exceeds a speed value N_MAX (N_ERR1=1).
  • The speed determined via PROFIBUS and the speed determined with the ET 200S count module deviate (N_ERR2=1).
  • The drive is started in the DP master with OUT1=1. If there is a faulty transmission in the address transfer area, then OUT1=0 in the DP Slave but the drive remains active (SSTILL=0). If this condition is true, then N_ERR3=1.
  • The actual speed value exceeds the set speed value for safe speed (N_ERR4=1).
EN_SG | BOOL | 1: "Safe speed" (SG) is active.
Note
The parameterized count values are sample values and must be adjusted according to your individual requirements.
Network 1 to 4
In these networks, the absolute value of the speed determined via PROFIBUS is formed (N_PB -> N_PB_POS). This value is used in the following networks. The speed value determined via the count module of ET 200S is always positive.
Network 5 to 7
These networks perform the plausibility check, i.e. they check whether the actual speed value determined with PROFIBUS and the actual speed value determined with the ET 200S count module are deviating. First, the difference SUB_RES of both determined values is formed (NW5). In NW7 this difference is compared with the tolerance value N_DIFF. If the difference is outside this tolerance value, this is interpreted as an error. In this case N_ERR2=1 which, if "safe speed" (SG) mode is set, causes a safe drive shutdown.
Network 8
In this network it is checked whether the actual speed value exceeds the limit value N_MAX. In this case N_ERR1=1 which in "safe speed" (SG) mode causes a safe drive shutdown.
Network 9
In this network the safe standstill is defined.
Note
When determining the standstill, the drive speed (here: N_PB_POS and N_COUNT) is not compared with 0, but with N0_TOL (here: 2). This takes into account that the incremental shaft encoder can also detect speeds not equal to 0 due to small movements of the drive. On average, however, the speeds are 0. The comparison value must be adjusted to your individual situation.
The switch-on delay CHECK_TON becomes 1
■ if the drive is not in standstill AND
■ the time parameterized at PT has elapsed.
If an error occurs during the plausibility check in "safe speed" (SG) mode while CHECK_TON=1, the drive is switched off safely. Without the switch-on delay CHECK_TON the drive would stop after switching on because, due to the inertia of the mechanical contacts, the plausibility conditions are not fulfilled at times t<DELAY_ON.
Network 10
In this network, the time delay is assigned to a variable Q1, which in the last network determines the triggering of a collective error N_ERROR.
Network 11
Operating mode "safe speed" (SG) is active at EN_SG=1. SG is only possible
■ from standstill (#SSTILL=1)
■ at set operating mode switch REQ_SG=1
■ if the dead man switch DMS remains pressed
■ if the plausibility check agrees with the actual speed value
■ if contactor K2 reports no readback error
Networks 12-13
The actual speed value determined with PROFIBUS (N_PB_POS) and the actual speed value determined with the count module of ET 200S (N_COUNT) must not exceed the defined speed value for safe speed N_SG. A (parameterizable) tolerance value N_SG_TOL is added to the N_SG value (NW 12). When the resulting value MAX_SG is exceeded, the drive is switched off safely (N_ERR4 in NW 13).
Network 14
The constellation OUT1=0 (no start request pending) and SSTILL=0 (drive spins) can occur in two cases:
■ During operational stop (drive shutdown)
■ In case of an error (e.g. load causes spinning movement)
In case of an error, a spinning movement of the drive detected in "safe speed" (SG) mode causes a safe drive shutdown.
Note
In "safe speed" (SG) mode, an undesired electrical startup of the drive is prevented with the K80 option by switching off the power supply for controlling the power transistors (IGBTs) during standstill (pulse blocking). More detailed information is available in the description of the FB1.
Network 15
In this network, a collective error N_ERROR is defined which in
the FB1 causes safe shutdown of the drive. N_ERROR=1 only
occurs in "safe speed" (SG) mode and can be acknowledged
after error recovery and standstill of the drive.
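The checks that networks 1 to 15 of FB "STANDSTILL_AND_SAFETY_V" perform, modelled in Python as an added example; this is not the STEP 7 F-program that ships with this functional example. The parameter values, the 100 ms call interval, the use of <= for the standstill comparison and the gating of all four partial errors by Q1 are assumptions; only N0_TOL = 2 and the scaling 4000 hex = 6000 1/min come from the text.

```python
from dataclasses import dataclass

RAW_FULL_SCALE = 0x4000   # 16384 dec = 100 % of maximum speed (from the page)
N_DRIVE_MAX_RPM = 6000    # maximum speed in 1/min (from the page)


def raw_to_rpm(raw: int) -> int:
    """Drive speed word -> 1/min, as in OB 1 network 5 of the master CPU."""
    return round(raw * N_DRIVE_MAX_RPM / RAW_FULL_SCALE)


def rpm_to_raw(rpm: int) -> int:
    """1/min -> drive speed word, as in OB 1 network 6 of the master CPU."""
    return round(rpm * RAW_FULL_SCALE / N_DRIVE_MAX_RPM)


@dataclass
class Params:
    """Constructed sample values; only n0_tol = 2 is taken from the page."""
    n_max: int = 3000        # N_MAX
    n_sg: int = 300          # N_SG
    n_sg_tol: int = 30       # N_SG_TOL
    n_diff: int = 20         # N_DIFF
    n0_tol: int = 2          # N0_TOL
    delay_on_ms: int = 300   # DELAY_ON
    cycle_ms: int = 100      # assumed call interval of the block


class SpeedMonitor:
    """Behavioural model of the FB 2 checks (not the certified F-program)."""

    def __init__(self, params: Params):
        self.p = params
        self.moving_ms = 0     # time the drive has been out of standstill
        self.n_error = False   # latched collective error N_ERROR

    def step(self, n_pb, n_count, out1, sg_mode=True, ack=False):
        p = self.p
        n_pb_pos = abs(n_pb)                                   # NW 1-4
        n_err2 = abs(n_pb_pos - n_count) > p.n_diff            # NW 5-7
        n_err1 = n_pb_pos > p.n_max or n_count > p.n_max       # NW 8
        # NW 9: standstill means both channels are within N0_TOL of zero.
        sstill = n_pb_pos <= p.n0_tol and n_count <= p.n0_tol
        # Switch-on delay: runs only while the drive is not in standstill.
        self.moving_ms = 0 if sstill else min(
            self.moving_ms + p.cycle_ms, p.delay_on_ms)
        q1 = (not sstill) and self.moving_ms >= p.delay_on_ms  # NW 10
        max_sg = p.n_sg + p.n_sg_tol                           # NW 12
        n_err4 = n_pb_pos > max_sg or n_count > max_sg         # NW 13
        n_err3 = (not out1) and (not sstill)                   # NW 14
        # NW 15: collective error, only in SG mode and only after the delay.
        if sg_mode and q1 and (n_err1 or n_err2 or n_err3 or n_err4):
            self.n_error = True
        elif ack and sstill:
            self.n_error = False   # acknowledged after recovery and standstill
        return {"SSTILL": sstill, "Q1": q1, "N_ERR1": n_err1,
                "N_ERR2": n_err2, "N_ERR3": n_err3, "N_ERR4": n_err4,
                "N_ERROR": self.n_error}


def run_trace(trace, params=None, sg_mode=True):
    """Feed (N_PB, N_COUNT, OUT1, ACK) tuples to a fresh monitor."""
    mon = SpeedMonitor(params or Params())
    return [mon.step(n_pb, n_count, out1, sg_mode, ack)
            for n_pb, n_count, out1, ack in trace]


# Constructed trace, one tuple per call: (N_PB, N_COUNT, OUT1, ACK).
SAMPLE_TRACE = [
    (0, 1, False, False),      # 0: standstill, encoder jitter within N0_TOL
    (150, 60, True, False),    # 1: start-up, channels disagree inside the delay
    (280, 270, True, False),   # 2: still inside DELAY_ON
    (285, 283, True, False),   # 3: delay elapsed, channels agree
    (-288, 286, True, False),  # 4: sign of N_PB is dropped before comparing
    (290, 210, True, False),   # 5: count channel lags by 80 1/min -> N_ERR2
    (0, 0, False, False),      # 6: drive stopped, error still latched
    (0, 0, False, True),       # 7: ACK at standstill clears N_ERROR
]

if __name__ == "__main__":
    for i, result in enumerate(run_trace(SAMPLE_TRACE)):
        print(i, result)
```

Step 1 of the trace shows why the switch-on delay exists: the two channels disagree by 90 1/min during start-up, yet N_ERROR stays 0 until DELAY_ON has elapsed.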
FB "EMSTP_AND_FDOOR" (FB 1, DB 1)
Variables of FB "EMSTP_AND_FDOOR" (FB 1, DB 1):
Formal parameter | Data type | Explanation
ACK | BOOL | Acknowledgement signal (from the master CPU)
ESTP | BOOL | Emergency stop push button (NC / NC)
SSTILL | BOOL | 1: Operating mode "safe speed" (SG) active
SIM_FDOR | BOOL | 1: safety door closed.
N_ERROR | BOOL | Collective error determined in FB2.
EN_SG | BOOL | 1: "safe speed" active
K2_HELP | BOOL | Readback signal of contactor K2
REQ_SG | BOOL | Mode switch: 0: normal operation, 1: "safe speed" (SG)
DMS | BOOL | "Dead Man Switch": Button (NO) which can start the drive from standstill when "safe speed" (SG) mode is set.
OUT3 | BOOL | MASTERDRIVES evaluates the signal OUT3. If it changes its state from "1" to "0" signal, the drive stops (fast stop).
K2 | BOOL | Line contactor
K80 | BOOL | Contactor whose auxiliary contact (NO) controls the safety relay of the K80 option of MASTERDRIVES.
In case of an error, FB1 causes safe shutdown of the drive.
Network 1
Note
For a renewed start (OUT1=1) of the drive, OUT3=1
must be true.
Network 2
With OUT3=0 the drive is brought to standstill with fast stop. The subsequent safe shutdown becomes active with a time delay (see figure below). Without time delay, the pulse blocking (Option K80) would be active immediately so that a fast stop (with OUT3) would not be possible any more.
NERR_ESTP_FDOR receives the state of the SR flip-flop from NW1, which sets or resets OUT3. If OUT3 is reset, DELAY_80 is also reset after the time parameterized at PT has elapsed.
Network 3
FB F_FDBACK (FB216) is a certified block from the Distributed Safety block library.
Network 4
FB F_FDBACK (FB216) is a certified block from the Distributed Safety block library.
Note
Further information on the FB216 is available for example by selecting it in the block editor and pressing F1.
FC "REINT" (FC 10)
The FC 10 causes the reintegration of F-DI and F-DO, in order to depassivate them. This requires that:
■ the error that caused the passivation has been removed and
■ a positive edge has been set at the parameter ACK_REI of the respective F-Periphery DB.
A passivation is indicated by an illuminated LED "SF" on the module. The reintegration of an F module may take several minutes.
Operating instruction
Note
The configuration of MASTERDRIVES is not discussed in
this example.
If the S7 projects in the S7-CPUs and MASTERDRIVES have
been parameterized accordingly, you can start the drive. The
following points should be checked before taking the actions
below:
■ Emergency stop button unlocked
■ Actuator in position switch (simulates closed safety door).
■ Neither F-DI nor F-DO are passivated.
■ Mode switch in "normal operation" (0-signal).
No. | Instructions | Result / Note
1 | Press the acknowledgement push button (NO) and release it. | Necessary prior to the first start.
2 | Press the start push button (NO) and release it. | Drive starts.
3 | Press the Stop button (NC). | Drive stops.
Note
An acknowledgement is required:
• Prior to the first start (normal operation)
• After triggering emergency stop
• After opening the safety door in normal operation
• After error recognition during plausibility checks for the speed value
Note
For further help on commissioning this example please
refer to chapter 4.4 "Function test".
Safety Drives System
1 SAFE STANDSTILL Category 3 acc. to EN 954-1 with SIMOVERT MASTERDRIVES
1.1 Safe standstill with interlocked protective doors, Emergency Stop implemented using safety combinations
1.2 Safe standstill for non-interlocked protective doors, Emergency Stop implemented using safety combinations
1.3 Safe standstill for non-interlocked protective doors, implemented with one safety combination
1.4 Safe standstill for non-interlocked protective doors, implemented with one safety combination
1.5 Safe standstill for interlocked protective doors, Emergency Stop, implemented with safety combinations and standard PLC
1.6 Safe standstill for non-interlocked protective doors, Emergency Stop, implemented with a safety combination and standard PLC
1.7 Safe standstill for several non-interlocked protective doors and several drives, Emergency Stop implemented using safety combinations
2 SAFE STANDSTILL Category 3 acc. to EN 954-1 with SIMODRIVE 611universal
2.1 Safe standstill with interlocked protective doors, Emergency Stop implemented using safety combinations
2.2 Safe standstill for non-interlocked protective doors, Emergency Stop implemented using safety combinations
2.3 Safe standstill for non-interlocked protective doors, implemented with one safety combination
2.4 Safe standstill for non-interlocked protective doors, implemented with one safety combination
2.5 Safe standstill for interlocked protective doors, Emergency Stop, implemented with safety combinations and standard PLC
2.6 Safe standstill for non-interlocked protective doors, Emergency Stop, implemented with a safety combination and standard PLC
2.7 Safe standstill for several non-interlocked protective doors and several drives, Emergency Stop implemented using safety combinations
3 SAFE STANDSTILL Category 3 acc. to EN 954-1 with SINAMICS S120
3.1 Safe standstill, Safe Stop 1 implemented using safety combination
3.2 Safe standstill, implemented with one safety combination
3.3 Safe standstill for interlocked protective doors, Emergency Stop, implemented with safety combination and standard
4 Safe Monitoring of Drive Functions SIMOTION D/ SIMATIC S7-F
5 SINAMICS G120 controlled via PROFIBUS
5.1 Safety functions using PROFIsafe, Category 3 (EN 954-1) or SIL 2 (IEC 61508)
5.2 Safety functions via terminals, Category 3 (EN 954-1) or SIL 2 (IEC 61508)
Safety Integrated · March 2007
SAFE STANDSTILL Category 3 acc. to EN 954-1
with SIMOVERT MASTERDRIVES
Safe standstill with interlocked protective doors, Emergency Stop implemented using safety combinations
Ex. No.
1.1
"Safe standstill" with MASTERDRIVES with interlocked protective door with safety combinations, Stop Category 1, Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3
and EN 1037 can be implemented using two SIGUARD safety
combinations for Emergency Stop and protective doors. The
drive is shut down (stopped) according to Stop function Category 1 according to EN 60204-1.
■ Safety combinations for Emergency Stop and protective
door monitoring functions correspond to Category 4
(instantaneous enable circuit) or Category 3 (delayed
enable circuit).
■ Switches S4, S5 and S6 are positively opening position
switches corresponding to EN 1088.
■ The drive is shut down using the internal safety relay.
■ On circuits of safety combinations A1 and A2 monitor
whether line contactor K1 has dropped-out after Emergency Stop or whether time relay K2a and contactor K3
have dropped-out after the protective door circuit has been
opened (this is necessary in the sense of control Category
3 according to EN 954-1!).
■ Circuits for Emergency Stop and protective door monitoring
are monitored through 2 channels in a cross-circuit proof
fashion.
Functional Example No. MC-FE-I-001-V11-EN
Behavior when Emergency Stop is issued
Button S3 ("Emergency Stop") is used to issue an Emergency
Stop command. This causes the drive to be shut down according to stop Category 1 in compliance with EN 60204-1.
■ The internal safety relay of the drive is no longer energized
after the drop-out delay time of time relay K2a has expired
(1st shutdown path!).
■ A 0 signal is entered, via the enable contact of safety combination A1, at contact X101.X (OFF3) of the drive. The
drive is immediately braked down to 0 speed and the pulses
are cancelled. At the same time, the drop-out delay of time
relay K2a and the delay time of the safety relay A1 are
started; the drive must have come to a standstill before
they expire.
■ After opening the safely delayed enable contact of safety
combination A1, line contactor K1 is no longer energized
and the drive is electrically isolated from the line supply
(2nd shutdown path!).
■ The checkback signal from line contactor K1 is monitored in
the on circuit of safety combination A1. If the contactor
does not drop-out due to an erroneous function, a restart
after Emergency Stop is prevented.
Behavior when the protective doors are opened
Button S1 ("Off") requests that the protective doors are
opened. This causes the drive to be shut down according to
stop Category 1 in compliance with EN 60204-1.
■ Contactor K3 is no longer energized. A 0 signal is entered, via
its contact (NO contact), at contact X101.X (OFF3) of the
drive. The drive is immediately braked down to 0 speed and
the pulses are cancelled. At the same time, the drop-out
delay of time relay K2a is started and before this time has
expired, the drive must have come to a standstill.
■ After the drop-out delay time of time relay K2a has expired,
the internal safety relay of the drive is no longer energized
(1st shutdown path!). At the same time, the latch (tumbler) Y1 of the protective doors is opened.
■ When the protective doors are opened the safety monitoring A2 of the safety circuit is interrupted. Before the
selected delay time of safety combination A2 has expired,
the internal safety relay of the drive must have already
dropped-out. Its checkback signal contacts X533.1/2 indicate that the drive is in a safe condition.
■ After the selected delay time has expired, the safely
delayed enable contacts of the safety combination A2
open.
■ If the internal safety relay of the drive is functioning correctly, its checkback signal contact X533.1/2 is closed, line
contactor K1 does not drop-out. If the internal safety relay
does not function correctly, its checkback signal contacts
X533.1/2 are not closed, line contactor K1 drops-out and
isolates the drive from the line supply (2nd shutdown
path!).
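The protective-door sequence of Example 1.1 described above, as an added timing model in Python. It is not part of the Siemens functional example: the names StopConfig, StopResult and simulate_door_stop are hypothetical, and every delay value, including the release time of the internal safety relay, is a constructed placeholder. The model checks the two timing conditions stated in the text and shows when line contactor K1 takes over as the 2nd shutdown path.

```python
from dataclasses import dataclass, field


@dataclass
class StopConfig:
    ramp_down_s: float                # braking time to 0 speed after OFF3 = 0
    k2a_dropout_s: float              # drop-out delay of time relay K2a
    door_opened_after_s: float        # latch Y1 released -> door actually opened
    a2_delay_s: float                 # delay time selected on safety combination A2
    relay_release_s: float = 0.02     # constructed: release time of internal safety relay
    safety_relay_stuck: bool = False  # injected fault: relay does not drop out


@dataclass
class StopResult:
    events: list = field(default_factory=list)      # (time_s, description)
    violations: list = field(default_factory=list)  # timing conditions that were broken
    k1_energized: bool = True
    shutdown_path: str = ""


def simulate_door_stop(cfg: StopConfig) -> StopResult:
    """Replay the door-open stop sequence and report which shutdown path acted."""
    r = StopResult()
    log = r.events.append

    # t = 0: S1 ("Off") pressed, K3 drops out, OFF3 = 0, K2a delay starts.
    log((0.0, "S1 pressed: K3 de-energized, 0 signal at X101.X (OFF3), K2a delay started"))
    log((cfg.ramp_down_s, "drive at 0 speed, pulses cancelled"))

    # K2a expired: safety relay coil de-energized, latch Y1 opened.
    t_k2a = cfg.k2a_dropout_s
    if cfg.ramp_down_s > t_k2a:
        r.violations.append("drive not at standstill before K2a drop-out delay expired")
    log((t_k2a, "K2a dropped out: safety relay coil de-energized, latch Y1 opened"))

    # Checkback contacts X533.1/2 close only if the relay really drops out.
    t_checkback = None if cfg.safety_relay_stuck else t_k2a + cfg.relay_release_s
    if t_checkback is not None:
        log((t_checkback, "checkback X533.1/2 closed (1st shutdown path)"))

    # Door opened: A2 safety circuit interrupted, A2 delay starts.
    t_door = t_k2a + cfg.door_opened_after_s
    if cfg.ramp_down_s > t_door:
        r.violations.append("door could be opened while the drive was still moving")
    log((t_door, "door opened: A2 safety circuit interrupted, A2 delay started"))

    # A2 delay expired: delayed enable contacts open; checkback decides about K1.
    t_a2 = t_door + cfg.a2_delay_s
    log((t_a2, "A2 delayed enable contacts open"))
    if t_checkback is not None and t_checkback <= t_a2:
        r.shutdown_path = "1st (internal safety relay)"
    else:
        r.k1_energized = False
        r.shutdown_path = "2nd (line contactor K1)"
        log((t_a2, "checkback X533.1/2 not closed: K1 drops out, drive isolated from line"))
        if not cfg.safety_relay_stuck:
            r.violations.append("A2 delay expired before the safety relay had dropped out")

    r.events.sort(key=lambda e: e[0])  # stable sort keeps same-time events in order
    return r


if __name__ == "__main__":
    for name, cfg in [
        ("nominal", StopConfig(0.8, 1.0, 0.5, 0.5)),
        ("relay stuck", StopConfig(0.8, 1.0, 0.5, 0.5, safety_relay_stuck=True)),
    ]:
        res = simulate_door_stop(cfg)
        print(f"--- {name}: path={res.shutdown_path}, K1 energized={res.k1_energized}")
        for t, text in res.events:
            print(f"  t={t:5.2f}s  {text}")
        for v in res.violations:
            print(f"  VIOLATION: {v}")
```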
Powering-up the drive
The drive can be started when the protective doors are closed
and Emergency Stop button S3 is released.
■ When pressing button S2 ("On"), safety combination A1 is
brought into the operational state. The coil of latch (tumbler) Y1 is no longer energized, the protective doors are
interlocked. Safety combination A2 is again in an operational state. Line contactor K1 is energized.
■ Contactor K3 is energized and latches and at the same
time, time relay K2a is energized. The integrated safety
relay is energized, a 1 signal is entered at contact X101.X
(OFF3) of the drive. The drive restarts.
Safe standstill for non-interlocked protective doors, Emergency Stop implemented using safety combinations
Ex. No.
1.2
"Safe standstill" with MASTERDRIVES for a non-interlocked protective door with safety combinations, stop Category 1, Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3
and EN1037 can be implemented using two SIGUARD safety
combinations for Emergency Stop and protective doors. The
drive is shut down (stopped) according to stop function Category 1 according to EN 60204-1.
■ Safety combinations for Emergency Stop and protective
door monitoring functions correspond to Category 4
(instantaneous enable circuit) or Category 3 (delayed
enable circuit).
■ The drive is shut down using the internal safety relay.
■ The on circuits of safety combinations A1 and A2 monitor
whether line contactor K1 has dropped-out after Emergency Stop or whether time relay K2a and contactor K3
have dropped-out after the protective door circuit has been
opened (this is necessary in the sense of control Category
3 according to EN 954-1!).
■ Circuits for Emergency Stop and protective door monitoring
are monitored through 2 channels in a cross-circuit proof
fashion.
■ Switches S4 and S5 are positively opening position
switches corresponding to EN 1088.
Behavior when Emergency Stop is issued
Button S3 ("Emergency Stop") is used to initiate an Emergency
Stop command. This causes the drive to be shut down according to stop Category 1 in compliance with EN 60204-1.
■ The internal safety relay of the drive is no longer energized
after the drop-out delay time of time relay K2a has expired
(1st shutdown path!).
■ A 0 signal is entered, via the enable contact of safety combination A1, at contact X101.X (OFF3) of the drive. The
drive is immediately braked down to 0 speed and the pulses
are cancelled. At the same time, the drop-out delay of time
relay K2a and the delay time of the safety relay A1 are
started; the drive must have come to a standstill before
they expire.
■ After opening the safely delayed enable contact of safety
combination A1, line contactor K1 is no longer energized
and the drive is electrically isolated from the line supply
(2nd shutdown path!).
■ The checkback signal from line contactor K1 is monitored in
the on circuit of safety combination A1. If the contactor
does not drop-out due to an erroneous function, a restart
after Emergency Stop is prevented.
Behavior when the protective doors are opened
When the protective doors are opened, the drive is shut down
according to Stop Category 1 in compliance with EN 60204-1.
It must be ensured that potentially hazardous motion has come to a standstill before a person can
reach the potentially hazardous area!
■ A 0 signal is entered, via the enable contact of safety combination A2, at contact X101.X (OFF3) of the drive. The
drive is immediately braked down to 0 speed and the pulses
are cancelled. At the same time, the drop-out delay time of
time relay K2a is started and before this time has expired,
the drive must have come to a standstill.
■ The internal safety relay of the drive is no longer energized
after the drop-out delay time of time relay K2a has expired
(1st shutdown path!).
■ Before the selected delay time of safety combination A2
has expired, the internal safety relay of the drive must have
already dropped-out. Its checkback signal contacts
X533.1/2 indicate that the drive is in a safe condition.
■ After the selected delay time has expired, the safely
delayed enable contacts of the safety combination A2
open.
■ If the internal safety relay of the drive is functioning correctly, its checkback signal contact X533.1/2 is closed, line
contactor K1 does not drop-out. If the internal safety relay
does not function correctly, its checkback signal contacts
X533.1/2 are not closed, line contactor K1 drops-out and
isolates the drive from the line supply (2nd shutdown
path!).
Powering-up and powering-down the drive
The drive can be started or stopped when the protective doors
are closed and Emergency Stop button S3 is released.
■ When pressing button S2 ("On"), safety combination A1 is
brought into the operational state. Line contactor K1 is
energized.
■ When pressing button S2 ("On"), contactor K3 is energized
and latches; time relay K2a is simultaneously energized.
The internal safety relay is energized and a 1 signal is
entered at contact X101.X (OFF3) of the drive. The drive
restarts.
■ When button S1 ("Off") is pressed, contactor K3 is no longer
energized and the drop-out delay of time relay K2a is simultaneously started. When contactor K3 drops-out, a 0 signal
is entered at contact X101.X (OFF3). The drive is immediately braked down to 0 speed and the pulses are cancelled.
The internal safety relay of the drive is no longer energized
after the drop-out delay time of time relay K2a has expired.
The protective doors can be opened.
Safe standstill for non-interlocked protective doors, implemented with one safety combination
Ex. No.
1.3
"Safe standstill" with MASTERDRIVES for a non-interlocked protective door with safety combination, stop Category 1, Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3
and EN1037 can be implemented using one SIGUARD safety
combination for the protective door. The drive is shut down
(stopped) according to stop function Category 1 according to
EN 60204-1.
■ Safety combination for protective door monitoring functions corresponds to Category 4 (instantaneous enable circuit) or Category 3 (delayed enable circuit).
■ The drive is shut down via the internal safety relay and the
higher-level line contactor K1.
■ The on circuit of safety combination A1 monitors whether the
line contactor K1 and internal safety relay of the drive have
dropped-out after the protective doors have been opened.
(This is necessary in the sense of control Category 3 in compliance with EN 954-1!).
■ Circuit for protective door monitoring is monitored through
2 channels in a cross-circuit proof fashion.
■ Switches S2 and S3 are positively opening position
switches corresponding to EN 1088.
Behavior when the protective doors are opened
When the protective doors are opened, the drive is shut down
according to stop Category 1 in compliance with EN 60204-1.
It must be ensured that potentially hazardous motion has come to a standstill before a person can
reach the potentially hazardous area!
■ The safely delayed enable contacts of safety combination
A1 open after the selected delay time has expired. This
means that the internal safety relay of the drive (1st shutdown path!) and line contactor K1 (2nd shutdown path!)
are no longer energized.
■ A 0 signal is entered, via the enable contact of safety combination A1, at contact X101.Y (OFF3) of the drive. The
drive is immediately braked down to 0 speed and the pulses
are cancelled. The delay time of safety combination A1 is
simultaneously started and the drive must have come to a
standstill before it expires.
■ If the internal safety relay functions incorrectly or if line
contactor K1 has not dropped-out, then its checkback signal contacts X533.1/2 in the on circuit of the safety combination A1 do not close. The safety combination cannot be
switched-in.
Powering-up the drive
The drive can be restarted (powered-up again) when the protective doors are closed.
■ When pressing button S1 ("On"), safety combination A1 is
brought into an operational state. Contactor K1 and the
internal safety relay are energized. The drive restarts.
Safe standstill for non-interlocked protective doors, implemented with one safety combination
Ex. No.
1.4
"Safe standstill" with MASTERDRIVES for a non-interlocked protective door with safety combination, stop Category 1, Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3
and EN1037 can be implemented using one SIGUARD safety
combination for the protective doors. The drive is shut down
(stopped) according to stop function Category 1 according to
EN 60204-1.
■ Switches S4 and S5 are positively opening position
switches corresponding to EN 1088.
■ The drive is shut down via the internal safety relay and the
higher-level line contactor K1.
■ Safety combination for protective door monitoring functions corresponds to Category 4 (instantaneous enable circuit) or Category 3 (delayed enable circuit).
■ Circuit for protective door monitoring is monitored through
2 channels in a cross-circuit proof fashion.
■ The on circuit of safety combination A1 monitors whether the
line contactor K1, the internal safety relay of the drive, as
well as contactor K2, have dropped-out after the protective
doors have been opened. (This is necessary in the sense of
control Category 3 in compliance with EN 954-1!).
Behavior when the protective doors are opened
When the protective doors are opened, the drive is shut down
according to stop Category 1 in compliance with EN 60204-1.
It must be ensured that potentially hazardous motion has come to a standstill before a person can
reach the potentially hazardous area!
■ The safely delayed enable contacts of safety combination
A1 open after the selected delay time has expired. This
means that the internal safety relay of the drive (1st shutdown path!) and line contactor K1 (2nd shutdown path!)
are no longer energized.
■ A 0 signal is entered, via the enable contact of safety combination A1, at contact X101.X (OFF3) of the drive. The
drive is immediately braked down to 0 speed and the pulses
are cancelled. The delay time of safety combination A1 is
simultaneously started and the drive must have come to a
standstill before it expires.
■ If the internal safety relay functions incorrectly or if line
contactor K1 has not dropped-out, then its checkback signal contacts X533.1/2 in the on circuit of the safety combination A1 are not closed. The safety combination cannot be
switched-in.
Powering-up and powering-down the drive
The drive can be started or stopped when the protective doors
are closed.
■ When the internal safety relay and line contactor K1 are in
the correct state, safety combination A1 is brought into an
operational state.
■ Line contactor K1 and the internal safety relay of the drive
are energized.
■ When pressing S2 ("On"), contactor K2 is energized and
latches. A 1 signal is entered at contact X101.X (OFF3) of
the drive and the drive starts.
■ When button S1 ("Off") is pressed, contactor K2 is no longer
energized and a 0 signal is entered at contact X101.X
(OFF3) of the drive. The drive is immediately braked down
to 0 speed and the pulses are cancelled. If the protective
doors are opened, the safely delayed enable contacts of
safety combination A1 open after the selected delay time
has expired. This means that the internal safety relay of the
drive (1st shutdown path!) and line contactor K1 (2nd
shutdown path!) are no longer energized.
Safe standstill for interlocked protective doors, Emergency Stop, implemented with safety combinations and standard PLC
Ex. No.
1.5
"Safe standstill" with MASTERDRIVES for interlocked protective door, standard PLC and protective safety combination, stop Category 1,
Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3
and EN1037 can be implemented using two SIGUARD safety
combinations for Emergency Stop and protective doors and a
standard PLC. The drive is shut down (stopped) with stop function Category 1 according to EN 60204-1.
■ The drive is shut down via the internal safety relay.
■ Safety combinations for Emergency Stop and protective
door monitoring correspond to Category 4 (instantaneous
enable circuit) or Category 3 (delayed enable circuit).
■ When implementing as higher-level circuit using contacts,
the "safe standstill" function is guaranteed even when the
PLC develops a fault or fails.
■ The on circuit of safety combination A1 monitors whether line
contactor K1 has dropped-out after Emergency Stop (this is
necessary in the sense of control Category 3 in compliance
with EN 954-1!).
■ Circuits for Emergency Stop and protective door monitoring
are monitored through 2 channels in a cross-circuit proof
fashion.
■ Switches S4, S5 and S6 are positively opening position
switches corresponding to EN 1088.
Behavior when Emergency Stop is issued
Emergency Stop is initiated using button S3 ("Emergency
Stop"). This causes the drive to be shut down according to
stop Category 1 in compliance with EN 60204-1.
■ A 0 signal is entered, via the enable contact of safety combination A1, at contact X101.X (OFF3) of the drive. The
drive is immediately braked down to 0 speed and the pulses
are cancelled.
■ If the drive is stationary (speed = 0), then PLC output DA2
to the internal safety relay of the drive is reset. The internal
safety relay of the drive drops-out and its checkback signal
contacts X533.1/2 close (1st shutdown path!).
■ The safely delayed enable contacts of safety combination
A1 open after the selected delay time has expired. This
means that the line contactor K1 is no longer energized and
the drive is electrically isolated from the line supply (2nd
shutdown path!).
■ The checkback signal of line contactor K1 is monitored in
the on circuit of safety combination A1. If the contactor
does not drop-out due to an incorrect function, then the
drive is prevented from restarting after an Emergency Stop.
■ Before the selected delay time of safety combination A1
expires, the internal safety relay of the drive must have
already dropped-out and its checkback signal contacts
X533.1/2 indicate that the drive is in a safe condition.
Behavior when the protective doors are opened
Button S2 ("Off") requests that the protective doors are
opened. This causes the drive to be shut down according to
stop Category 1 in compliance with EN 60204-1.
■ A 0 signal is entered at contact X101.X (OFF3) of the drive
by resetting the PLC output DO3. The drive is immediately
braked down to 0 speed and the pulses are cancelled.
■ If the drive is stationary (speed = 0), PLC output DO2
to the internal safety relay of the drive is reset. The
internal safety relay of the drive drops-out and its checkback signal contacts X533.1/2 close (1st shutdown path!).
■ The protective door interlocking is opened by setting PLC
output DO4 to energize coil Y1. When the protective doors
are opened the safety monitoring A2 of the safety circuit is
interrupted.
■ For a correctly functioning circuit, the internal safety relay
of the drive has already dropped-out by this time and its checkback signal contacts X533.1/2 are closed. Line contactor K1
does not drop-out. If the internal safety relay does not function correctly, its checkback signal contacts X533.1/2 are
not closed, the internal line contactor of the rectifier unit
drops-out and isolates the drive from the line supply (2nd
shutdown path!).
Note
If the protective door interlocking opens before the drive
has braked down to 0 speed as a result of an erroneous
PLC function, then a 0 signal is entered at contact
X101.X (OFF3) of the drive via the switch S6. The drive
is immediately braked down to speed = 0 and the pulses
cancelled. Opening of the protective doors initiates the
function "safe standstill". It must be ensured that potentially hazardous motion has come to a standstill before a
person can reach the potentially hazardous area!
Powering-up the drive
The drive can be started when the protective doors are closed
and Emergency Stop button S3 is released.
■ When pressing button S1 ("On"), safety combination A1 is
brought into the operational state. The coil of latch (tumbler) Y1 is no longer energized by resetting PLC output DO4
- the protective doors are interlocked. Safety combination
A2 is again in an operational state. Line contactor K1 is
energized.
■ The internal safety relay is energized (PLC output DO2), a 1
signal is entered (PLC output DO3) at contact X101.X
(OFF3) of the drive. The drive restarts.
Safe standstill for non-interlocked protective doors, Emergency Stop, implemented with a safety combination and
standard PLC
Ex. No.
1.6
"Safe standstill" with MASTERDRIVES for non-interlocked protective door, standard PLC and protective safety combination, stop Category 1,
Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3
and EN 1037 can be implemented using two SIGUARD safety
combinations for Emergency Stop and the protective doors
and a standard PLC. The drive is shut down (stopped) according to stop function Category 1 according to EN 60204-1.
■ Safety combinations for Emergency Stop and protective
door monitoring functions correspond to Category 4
(instantaneous enable circuit) or Category 3 (delayed
enable circuit).
■ Circuits for Emergency Stop and protective door monitoring
are monitored through 2 channels in a cross-circuit proof
fashion.
■ Switches S4 and S5 are positively opening position
switches corresponding to EN 1088.
■ The drive is shut down via the internal safety relay.
■ The on circuit of safety combination A1 monitors whether
line contactor K1 has dropped-out after an Emergency Stop
(this is necessary in the sense of control Category 3 in compliance with EN 954-1!).
■ When implementing as higher-level circuit using contacts,
the "safe standstill" function is guaranteed even when the
PLC develops a fault or fails.
Behavior when Emergency Stop is issued
Emergency Stop is initiated using button S3 ("Emergency
Stop"). This causes the drive to be shut down according to
stop Category 1 in compliance with EN 60204-1.
■ A 0 signal is entered, via the enable contact of safety combination A1, at contact X101.X (OFF3) of the drive. The
drive is immediately braked down to 0 speed and the pulses
are cancelled.
■ If the drive is stationary (speed = 0), then PLC output DO2
to the internal safety relay of the drive is reset. The internal
safety relay of the drive drops-out and its checkback signal
contacts X533.1/2 close (1st shutdown path!).
■ Before the selected delay time of safety combination A1
expires, the internal safety relay of the drive must have
already dropped-out and its checkback signal contacts
X533.1/2 indicate that the drive is in a safe condition.
■ The safely delayed enable contacts of safety combination
A1 open after the selected delay time has expired. This
means that line contactor K1 is no longer energized and the
drive is electrically isolated from the line supply.
■ The checkback signal of line contactor K1 is monitored in
the on circuit of safety combination A1. If the contactor
does not drop-out due to an incorrect function, then the
drive is prevented from restarting after an Emergency Stop.
Behavior when the protective doors are opened
When the protective doors are opened, the drive is shut down
according to stop Category 1 in compliance with EN 60204-1.
It must be ensured that potentially hazardous motion has come to a standstill before a person can
reach the potentially hazardous area!
■ A 0 signal is entered, via the enable contact of safety combination A2, at contact X101.X (OFF3) of the drive. The
drive is immediately braked down to speed 0 and the pulses
are cancelled. At the same time, the state of the safety
combination is signaled to the control.
■ If the drive is stationary (speed = 0), then PLC output DO2
to the internal safety relay of the drive is reset. The internal
safety relay of the drive drops-out and its checkback signal
contacts X533.1/2 close (1st shutdown path!).
■ Before the selected delay time of safety combination A2
has expired, the internal safety relay of the drive must have
already dropped-out. Its checkback signal contacts
X533.1/2 indicate that the drive is in a safe condition.
■ The safely delayed enable contacts of safety combination
A2 open after the selected delay time has expired. This
delay time must be set so that the checkback signal of the
internal safety relay already indicates that the drive is in a
safe condition.
■ If the delay time of the contactor combination A2 has been
correctly set and the function of the internal drive safety
relay is correct, line contactor K1 does not drop-out. If the
delay time has been set too short or the internal safety relay
is not functioning correctly, line contactor K1 drops-out and
isolates the drive from the line supply (2nd shutdown
path!).
Powering-up and powering-down the drive
The drive can be started when the protective doors are closed
and Emergency Stop button S3 is released.
■ When button S1 ("On") is pressed, safety combination A1 is
brought into the operational state. Safety combination A2
is again in an operational state. Line contactor K1 is energized.
■ The internal safety relay is energized (PLC output DO2), a 1
signal is entered (PLC output DO3) at contact X101.X
(OFF3) of the drive. The drive restarts.
■ When button S2 is pressed ("Off"), PLC output DO3 is reset
and a 0 signal is entered at contact X101.X (OFF3) of the
drive. The drive is immediately braked down to 0 speed and
the pulses are cancelled. If the drive is stationary (speed =
0), then the PLC output DO2 to the internal safety relay of
the drive is reset. If the protective doors are opened, the
safely delayed enable contacts of safety combination A2
open after the selected delay time has expired (1st shutdown path!). If the internal safety relay of the drive has still
not dropped-out as a result of an incorrect function or a
fault (PLC), line contactor K1 drops-out and isolates the
drive from the line supply (2nd shutdown path!).
Safe standstill for several non-interlocked protective doors and several drives, Emergency Stop implemented using
safety combinations
Ex. No.
1.7
"Safe standstill" with MASTERDRIVES for non-interlocked protective door, several drives, protective safety combination, stop Category 1,
Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3 and
EN1037 can be implemented using four SIGUARD safety combinations for Emergency Stop and protective doors. The drives are
shut down (stopped) according to stop function Category 1 according to EN 60204-1.
■ Safety combinations for Emergency Stop and protective
door monitoring correspond to Category 4 (instantaneous
enable circuit) or Category 3 (delayed enable circuit).
■ Circuits for Emergency Stop and protective door monitoring
are monitored through 2 channels in a cross-circuit proof
fashion.
■ Switches S3 and S8 are positively opening position
switches corresponding to EN 1088.
■ The drives are shut down via the internal safety relays.
■ The on circuits of the safety combinations A1 to A4 monitor
whether line contactor K1 has dropped-out after an Emergency Stop or whether time relay K2a/b and contactors
K3a/b have dropped-out after opening the protective door
circuits (this is necessary in the sense of control Category 3
according to EN 954-1!).
■ This circuit principle is suitable for selectively shutting
down several drives. Protective door 1 acts on drive A, protective door 2 on drives A and B, protective door 3 on drive
B. When the internal safety relay of the drives functions correctly, line contactor K1 does not drop-out (also refer to the
block diagram above). The following table shows how the
two drives A and B are dependent on the state of the protective doors.
                        Drive A          Drive B
Protective door 1 open  Safe standstill  Ready
Protective door 2 open  Safe standstill  Safe standstill
Protective door 3 open  Ready            Safe standstill
Behavior when Emergency Stop is issued
Emergency Stop is initiated using button S9 ("Emergency
Stop"). This causes the drives to be shut down according
to stop Category 1 in compliance with EN 60204-1.
■ After the drop-out delay time of time relay K2a/b has
expired, the internal safety relays of the drives are no
longer energized (1st shutdown path!).
■ A 0 signal is entered at contacts X101.X (OFF3) of the drives
via the enable contact of safety combination A4. The drives
are immediately braked down to 0 speed and the pulses
cancelled. At the same time, the drop-out delay of time
relay K2a/b and the delay time of the safety combination
A4 are started. The drives must have come to a standstill
before these delay times have expired.
■ After opening the safely delayed enable contact of safety
combination A4, line contactor K1 is no longer energized
and the drives are electrically isolated from the line supply
(2nd shutdown path!).
■ The checkback signal of line contactor K1 is monitored in
the on circuit of safety combination A4. If the contactor
does not drop-out due to an incorrect function, then the
drive is prevented from restarting after an Emergency Stop.
Behavior when the protective doors are opened
When protective doors 1-3 are opened, the
associated drives are shut down according to stop Category 1
in compliance with EN 60204-1. It must be ensured that potentially hazardous motion has come to a standstill before a person can reach the potentially hazardous area!
■ A 0 signal is entered at contact X101.X (OFF3) of the
drive/drives via the enable contact of the safety combinations A1, A2 or A3. The drives are immediately braked
down to 0 speed and the pulses cancelled. At the same
time, the drop-out delay of time relays K2a and/or K2b are
started. The drive/drives must have come to a standstill
before these delay times have expired.
■ Before the selected delay times of safety combinations A1 to A3 expire, the internal safety relays of the drives must have
already dropped-out. Their checkback signal contacts
X533.1/2 indicate that the drives are in a safe condition.
■ After the selected delay time has expired, the safely
delayed enable contacts of the safety combinations open.
■ When the internal safety relays of the drives function correctly, their checkback signal contacts X533.1/2 are closed,
line contactor K1 does not drop-out. When an internal
safety relay does not function correctly, its checkback signal
contacts X533.1/2 are not closed and line contactor K1
drops-out (2nd shutdown path!).
■ After the drop-out delay time of time relay K2a/b has
expired, the internal safety relays of the drives are no longer
energized (1st shutdown path!).
Powering-up and powering-down the drive
The drives can be started or stopped when the protective
doors are closed and Emergency Stop button S9 is released.
■ When button S2a/b ("On") is pressed, safety combination
A4 is brought into the operational state. Line contactor K1
is energized.
■ When button S2a/b ("On") is pressed, contactor K3a/b is
energized and latches; time relay K2a/b is simultaneously
energized. The internal safety relay is energized and a 1 signal is entered at contact X101.X (OFF3) of the drive A/B.
The drive restarts.
■ When button S1a/b ("Off") is pressed, contactor K3a/b is no
longer energized. The drop-out delay of time relay K2a/b is
simultaneously started. When contactor K3a/b drops-out, a
0 signal is entered at contact X101.X (OFF3) of the drive
A/B. The drive is immediately braked down to 0 speed and
the pulses cancelled. The internal safety relay of the drive is
no longer energized after the drop-out delay time of time
relay K2a/b has expired. The protective doors can be
opened.
Certificate
The examples shown in this document were examined and
certified by the German Berufsgenossenschaft Fachausschuss
Maschinenbau, Fertigungssystem, Stahlbau. (Certificate only
available in German!)
SAFE STANDSTILL Category 3 acc. to EN 954-1
with SIMODRIVE 611 universal
Safe standstill with interlocked protective doors, Emergency Stop implemented using safety combinations
Ex. No.
2.1
"Safe standstill" with SIMODRIVE with interlocked protective door with safety combinations, Stop Category 1, Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3 and
EN 1037 can be implemented using two SIGUARD safety combinations for Emergency Stop and protective doors. A stop function
Category 1 in compliance with EN 60204-1 is achieved.
■ Safety combinations for Emergency Stop and protective
door monitoring functions correspond to Category 4
(instantaneous enable circuit) or Category 3 (delayed
enable circuit).
■ The drive is shut down via the internal safety relay.
■ The on circuits of safety combinations A1 and A2 monitor
whether the internal line contactor of the rectifier unit has
dropped-out after Emergency Stop or whether time relay
K2a and contactor K3 have dropped-out after the protective
door circuit has been opened (this is necessary in the sense
of control Category 3 according to EN 954-1!).
■ Circuits for Emergency Stop and protective door monitoring
are monitored through 2 channels in a cross-circuit proof
fashion.
■ Switches S4, S5 and S6 are positively opening position
switches corresponding to EN 1088.
Functional Example No. MC-FE-I-002-V11-EN
Behavior when Emergency Stop is issued
Emergency Stop is initiated using button S3 ("Emergency
Stop"). This shuts the drive down according to
stop Category 1 in compliance with EN 60204-1.
■ The internal safety relay of the drive is no longer energized
after the drop-out delay time of time relay K2a has expired
(1st shutdown path!).
■ A 0 signal is entered at contact 65 (controller enable RF) of
the drive via the enable contacts of safety combination A1.
The drive is immediately braked down to 0 speed and the
pulses are cancelled. At the same time, the drop-out delay
of time relay K2a and the delay time of the safety relay A1
are started; the drive must have come to a standstill before
they expire.
■ After opening the safely delayed enable contact of safety
combination A1, the internal line contactor of the rectifier
unit is no longer energized and the drive is electrically isolated from the line supply (2nd shutdown path!).
■ The checkback signal of the internal line contactor of the rectifier unit is monitored in the on circuit of safety combination
A1. If the contactor does not drop-out due to an incorrect
function, then the drive is prevented from restarting after an
Emergency Stop.
Behavior when the protective doors are opened
Button S1 ("Off") requests that the protective doors be
opened. This shuts the drive down according to
stop Category 1 in compliance with EN 60204-1.
■ Contactor K3 is no longer energized and a 0 signal is
entered at contact 65 (controller enable RF) of the drive via
its contact (NO contact). The drive is immediately braked
down to 0 speed and the pulses are cancelled. At the same
time, the drop-out delay of time relay K2a is started and
before this time has expired, the drive must have come to
a standstill.
■ After the drop-out delay time of time relay K2a has expired,
the internal safety relay of the drive is no longer energized
(1st shutdown path!). At the same time, the latch (tumbler) Y1 of the protective doors is opened.
■ When the protective doors are opened the safety monitoring A2 of the safety circuit is interrupted. Before the
selected delay time of safety combination A2 has expired,
the internal safety relay of the drive must have already
dropped-out. Its checkback signal contacts AS1/2 indicate
that the drive is in a safe condition.
■ After the selected delay time has expired, the safely
delayed enable contacts of the safety combination A2
open.
■ If the internal safety relay of the drive is functioning correctly, its checkback signal contacts AS1/2 are closed and
the internal line contactor of the rectifier unit does not
drop-out. If the internal safety relay does not function correctly, its checkback signal contacts AS1/2 are not closed,
the internal line contactor of the rectifier unit drops-out
and isolates the drive from the line supply (2nd shutdown
path!).
Powering-up the drive
The drive can be started when the protective doors are closed
and Emergency Stop button S3 is released.
■ When pressing button S2 ("On"), safety combination A1 is
brought into the operational state. The coil of latch (tumbler) Y1 is no longer energized, the protective doors are
interlocked. Safety combination A2 is again in an operational state. The internal line contactor of the rectifier unit
is energized.
■ Contactor K3 is energized and latches and at the same
time, time relay K2a is energized. The integrated safety
relay is energized and a 1 signal is entered at contact 65
(controller enable) of the drive. The drive restarts.
Safe standstill for non-interlocked protective doors, Emergency Stop implemented using safety combinations
Ex. No.
2.2
"Safe standstill" with SIMODRIVE for a non-interlocked protective door with safety combination, stop Category 1, Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3 and
EN 1037 can be implemented using two SIGUARD safety combinations for Emergency Stop and protective doors. The drive is
shut down (stopped) according to stop function Category 1 in compliance with EN 60204-1.
■ Safety combinations for Emergency Stop and protective
door monitoring functions correspond to Category 4
(instantaneous enable circuit) or Category 3 (delayed
enable circuit).
■ Switches S4 and S5 are positively opening position
switches corresponding to EN 1088.
■ The drive is shut down via the internal safety relay.
■ The on circuits of safety combinations A1 and A2 monitor
whether the internal line contactor of the rectifier unit has
dropped-out after Emergency Stop or whether time relay
K2a and contactor K3 have dropped-out after the protective
door circuit has been opened (this is necessary in the sense
of control Category 3 according to EN 954-1!).
■ Circuits for Emergency Stop and protective door monitoring
are monitored through 2 channels in a cross-circuit proof
fashion.
Behavior when Emergency Stop is issued
Emergency Stop is initiated using button S3 ("Emergency
Stop"). This shuts the drive down according to
stop Category 1 in compliance with EN 60204-1.
■ The internal safety relay of the drive is no longer energized
after the drop-out delay time of time relay K2a has expired
(1st shutdown path!).
■ A 0 signal is entered at contact 65 (controller enable) of the
drive via the enable contacts of safety combination A1. The
drive is immediately braked down to 0 speed and the pulses
are cancelled. At the same time, the drop-out delay of time
relay K2a and the delay time of the safety relay A1 are
started; the drive must have come to a standstill before
they expire.
■ After opening the safely delayed enable contact of safety
combination A1, the internal line contactor of the rectifier
unit is no longer energized and the drive is electrically isolated from the line supply (2nd shutdown path!).
■ The checkback signal of the internal line contactor of the rectifier unit is monitored in the on circuit of safety combination
A1. If the contactor does not drop-out due to an incorrect
function, then the drive is prevented from restarting after an
Emergency Stop.
Behavior when the protective doors are opened
When the protective doors are opened, the drive is shut down
according to stop Category 1 in compliance
with EN 60204-1. It must be ensured that potentially hazardous motion has come to a standstill before a person can
reach the potentially hazardous area!
■ Before the selected delay time of safety combination A2
has expired, the internal safety relay of the drive must have
already dropped-out. Its checkback signal contacts AS1/2
indicate that the drive is in a safe condition.
■ After the selected delay time has expired, the safely
delayed enable contacts of the safety combination A2
open.
■ A 0 signal is entered at contact 65 (controller enable) of the
drive via the enable contacts of safety combination A2. The
drive is immediately braked down to 0 speed and the pulses
are cancelled. At the same time, the switch-out delay of
time relay K2a is started and before this time has expired,
the drive must have come to a standstill.
■ If the internal safety relay of the drive is functioning correctly, its checkback signal contacts AS1/2 are closed and
the internal line contactor of the rectifier unit does not
drop-out. If the internal safety relay does not function correctly, its checkback signal contacts AS1/2 are not closed,
the internal line contactor of the rectifier unit drops-out
and isolates the drive from the line supply (2nd shutdown
path!).
■ The internal safety relay of the drive is no longer energized
after the drop-out delay time of time relay K2a has expired
(1st shutdown path!).
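The door-open sequence of example 2.2 can be checked with a small timing model. The following is an added example, not part of the original functional example or of any Siemens code: the function and field names, the millisecond values and the assumed relay release time are constructed for illustration.

```python
"""Timing model of the door-open sequence in example 2.2 (added illustration).

All names and millisecond values are constructed for this sketch; they are
not taken from the SIMODRIVE or SIGUARD documentation.
"""
from dataclasses import dataclass, field


@dataclass
class Outcome:
    events: list = field(default_factory=list)    # (time_ms, text), time-ordered
    findings: list = field(default_factory=list)  # timer-setting problems
    stopped_in_time: bool = False         # standstill reached before K2a expired
    as_closed: bool = False               # checkback AS1/2 closed when A2 expired
    line_contactor_dropped: bool = False  # 2nd shutdown path was needed
    energy_removed_ms: int = 0            # when a shutdown path became effective


def door_open_sequence(k2a_ms, a2_ms, braking_ms, release_ms=20, relay_stuck=False):
    """Model one door opening at t = 0.

    k2a_ms      drop-out delay of time relay K2a
    a2_ms       delay of the safely delayed enable contacts of A2
    braking_ms  time the drive needs to brake down to 0 speed
    release_ms  assumed release time of the internal safety relay
    relay_stuck single fault: the internal safety relay does not drop out
    """
    out = Outcome()
    ev = out.events
    ev.append((0, "door open: 0 signal at contact 65, K2a and A2 delays start"))
    ev.append((braking_ms, "drive at 0 speed, pulses cancelled"))

    # Stop Category 1: the drive must be at standstill before K2a expires.
    out.stopped_in_time = braking_ms <= k2a_ms
    if not out.stopped_in_time:
        out.findings.append("K2a delay shorter than braking time")

    # 1st shutdown path: K2a removes the supply of the internal safety relay.
    ev.append((k2a_ms, "K2a dropped out: internal safety relay no longer energized"))
    relay_open_ms = None if relay_stuck else k2a_ms + release_ms
    if relay_open_ms is not None:
        ev.append((relay_open_ms, "internal safety relay dropped out, AS1/2 closed"))

    # When the delayed contacts of A2 open, the line contactor stays in
    # only if the checkback contacts AS1/2 are already closed.
    out.as_closed = relay_open_ms is not None and relay_open_ms <= a2_ms
    ev.append((a2_ms, "A2 safely delayed enable contacts open"))
    if out.as_closed:
        out.energy_removed_ms = relay_open_ms
    else:
        # 2nd shutdown path: the drive is isolated from the line supply.
        out.line_contactor_dropped = True
        out.energy_removed_ms = a2_ms
        ev.append((a2_ms, "AS1/2 not closed: line contactor drops out"))
        if not relay_stuck:
            out.findings.append("A2 delay too short for a healthy relay")

    ev.sort(key=lambda e: e[0])  # stable sort keeps same-time events in order
    return out


if __name__ == "__main__":
    cases = {
        "healthy": door_open_sequence(500, 1000, 300),
        "relay stuck": door_open_sequence(500, 1000, 300, relay_stuck=True),
        "A2 too short": door_open_sequence(500, 400, 300),
    }
    for name, result in cases.items():
        print(name, result.line_contactor_dropped, result.findings)
        for t, text in result.events:
            print(f"  {t:5d} ms  {text}")
```

With a healthy relay the line contactor stays in; with a stuck relay the second shutdown path still isolates the drive, which is the single-fault behaviour the text describes.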
Powering-up and powering-down the drive
The drive can be started or stopped when the protective doors
are closed and Emergency Stop button S3 is released.
■ When pressing button S2 ("On"), safety combination A1 is
brought into the operational state. The internal line contactor of the rectifier unit is energized.
■ When pressing button S2 ("On"), contactor K3 is energized
and latches; time relay K2a is simultaneously energized.
The internal safety relay is energized and a 1 signal is
entered at contact 65 (controller enable) of the drive. The
drive restarts.
■ When button S1 ("Off") is pressed, contactor K3 is no longer
energized and the drop-out delay of time relay K2a is simultaneously started. When contactor K3 drops-out, a 0 signal
is entered at contact 65 (controller enable) of the drive. The
drive is immediately braked down to 0 speed and the pulses
are cancelled. The internal safety relay of the drive is no
longer energized after the drop-out delay time of time relay
K2a has expired. The protective doors can be opened.
Safe standstill for non-interlocked protective doors, implemented with one safety combination
Ex. No.
2.3
"Safe standstill" with SIMODRIVE for a non-interlocked protective door with safety combination, stop Category 1, Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3
and EN 1037 can be implemented using one SIGUARD safety
combination for the protective door. The drive is shut down
(stopped) according to stop function Category 1 according to
EN 60204-1.
■ The safety combination for the protective door monitoring functions corresponds to Category 4 (instantaneous enable circuit) or Category 3 (delayed enable circuit).
■ Circuit for protective door monitoring is monitored through
2 channels in a cross-circuit proof fashion.
■ Switches S2 and S3 are positively opening position
switches corresponding to EN 1088.
■ The drive is shut down via the internal safety relay and the
internal line contactor of the rectifier unit.
■ The on circuit of safety combination A1 monitors whether
the internal line contactor of the rectifier unit and the internal safety relay of the drive have dropped-out after the protective doors have opened. (This is necessary in the sense
of control Category 3 in compliance with EN 954-1!).
Behavior when the protective doors are opened
When the protective doors are opened, the drive is shut down
according to stop Category 1 in compliance
with EN 60204-1. It must be ensured that potentially hazardous motion has come to a standstill before a person can
reach the potentially hazardous area!
■ The safely delayed enable contacts of safety combination
A1 open after the selected delay time has expired. This
means that the internal safety relay of the drive (1st shutdown path!) and the internal line contactor of the rectifier
unit (2nd shutdown path!) are no longer energized.
■ A 0 signal is entered at contact 65 (controller enable) of the
drive via the enable contacts of safety combination A1. The
drive is immediately braked down to 0 speed and the pulses
are cancelled. The delay time of safety combination A1 is
simultaneously started and the drive must have come to a
standstill before it expires.
■ If the internal safety relay or the internal line contactor of
the rectifier unit have not dropped-out because of incorrect
behavior (e.g. fault), then their checkback signal contacts
in the on circuit of the safety combination A1 are not
closed. The safety combination cannot be switched-in.
Powering-up the drive
The drive can be restarted (powered-up again) when the protective doors are closed.
■ When button S1 ("On") is pressed, safety combination A1 is
brought into the operational state. The internal line contactor of the rectifier unit and the internal safety relay are
energized. The drive restarts.
Safe standstill for non-interlocked protective doors, implemented with one safety combination
Ex. No.
2.4
"Safe standstill" with SIMODRIVE for a non-interlocked protective door with safety combination, stop Category 1, Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3 and
EN 1037 can be implemented using one SIGUARD safety combination for the protective doors. The drive is shut down (stopped)
according to stop function Category 1 according to EN 60204-1.
■ Switches S4 and S5 are positively opening position
switches corresponding to EN 1088.
■ The safety combination for the protective door monitoring functions corresponds to Category 4 (instantaneous enable circuit) or Category 3 (delayed enable circuit).
■ The on circuit of safety combination A1 monitors whether
the internal line contactor of the rectifier unit and the internal safety relay of the drive as well as contactor K1 have
dropped-out after the protective doors have opened. (This
is necessary in the sense of control Category 3 in compliance with EN 954-1!).
■ Circuit for protective door monitoring is monitored through
2 channels in a cross-circuit proof fashion.
■ The drive is shut down via the internal safety relay and the
internal line contactor of the rectifier unit.
Behavior when the protective doors are opened
When the protective doors are opened, the drive is shut down
according to stop Category 1 in compliance
with EN 60204-1. It must be ensured that potentially hazardous motion has come to a standstill before a person can
reach the potentially hazardous area!
■ The safely delayed enable contacts of safety combination
A1 open after the selected delay time has expired. This
means that the internal safety relay of the drive (1st shutdown path!) and the internal line contactor of the rectifier
unit (2nd shutdown path!) are no longer energized.
■ A 0 signal is entered at contact 65 (controller enable) of the
drive via the enable contacts of safety combination A1. The
drive is immediately braked down to 0 speed and the pulses
are cancelled. The delay time of safety combination A1 is
simultaneously started and the drive must have come to a
standstill before it expires.
■ If the internal safety relay or the internal line contactors of
the rectifier unit have not dropped-out because of incorrect
behavior (e.g. fault), then their checkback signal contacts
AS1/2 in the on circuit of the safety combination A1 are not
closed. The safety combination cannot be switched-in.
Powering-up and powering-down the drive
The drive can be started or stopped when the protective doors
are closed.
■ When the internal safety relay and the internal line contactor of the rectifier unit are in the correct state, safety combination A1 is brought into an operational state.
■ The internal line contactor of the rectifier unit and the
internal safety relay of the drive are energized.
■ When pressing S2 ("On"), contactor K1 is energized and
latches. A 1 signal is entered at contact 65 (controller
enable) of the drive and the drive starts.
■ When button S1 ("Off") is pressed, contactor K1 is no longer
energized and a 0 signal is entered at contact 65 (controller
enable) of the drive. The drive is immediately braked down
to 0 speed and the pulses are cancelled. If the protective
doors are opened, the safely delayed enable contacts of
safety combination A1 open after the selected delay time
has expired. This means that the internal safety relay of the
drive (1st shutdown path!) and the internal line contactor
of the rectifier unit (2nd shutdown path!) are no longer
energized.
Safe standstill for interlocked protective doors, Emergency Stop, implemented with safety combinations and standard PLC
Ex. No.
2.5
"Safe standstill" with SIMODRIVE for interlocked protective door, standard PLC and protective safety combination, stop Category 1, Category 3
acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3 and
EN 1037 can be implemented using two SIGUARD safety combinations for Emergency Stop and protective doors and a standard
PLC. The drive is shut down (stopped) according to stop function
Category 1 according to EN 60204-1.
■ Safety combinations for Emergency Stop and protective
door monitoring functions correspond to Category 4
(instantaneous enable circuit) or Category 3 (delayed
enable circuit).
■ The circuits for Emergency Stop and protective door monitoring are monitored through 2 channels in a cross-circuit
proof fashion.
■ Switches S4, S5 and S6 are positively opening position
switches corresponding to EN 1088.
■ The drive is shut down via the internal safety relay.
■ The on circuit of safety combination A1 monitors whether
the internal line contactor of the rectifier unit has dropped-out after an Emergency Stop (this is necessary in the sense
of control Category 3 in compliance with EN 954-1!).
■ When implementing as higher-level circuit using contacts,
the "safe standstill" function is guaranteed even when the
PLC develops a fault or fails.
Behavior when Emergency Stop is issued
Emergency Stop is initiated using button S3 ("Emergency
Stop"). This shuts the drive down according to
stop Category 1 in compliance with EN 60204-1.
■ Before the selected delay time of safety combination A1
expires, the internal safety relay of the drive must have
already dropped-out and its checkback signal contacts
AS1/2 indicate that the drive is in a safe condition.
■ A 0 signal is entered at contact 65 (controller enable) of the
drive via the enable contacts of safety combination A1. The
drive is immediately braked down to 0 speed and the pulses
are cancelled.
■ The safely delayed enable contacts of safety combination A1
open after the selected delay time has expired. This means
that the internal line contactor of the rectifier unit is no
longer energized and the drive is electrically isolated from
the line supply (2nd shutdown path!).
■ If the drive is stationary (speed = 0), then PLC output DO2
to the internal safety relay of the drive is reset. The internal
safety relay of the drive drops-out and its checkback signal
contacts AS 1/2 close (1st shutdown path!).
■ The checkback signal of the internal line contactor of the rectifier unit is monitored in the on circuit of safety combination
A1. If the contactor does not drop-out due to an incorrect
function, then the drive is prevented from restarting after an
Emergency Stop.
Behavior when the protective doors are opened
Button S2 ("Off") requests that the protective doors be
opened. This shuts the drive down according to
stop Category 1 in compliance with EN 60204-1.
■ A 0 signal is entered at contact 65 (controller enable) of the
drive by resetting the PLC output DO3. The drive is immediately braked down to 0 speed and the pulses are cancelled.
■ If the drive is stationary (speed = 0), then PLC output DO2
to the internal safety relay of the drive is reset. The internal
safety relay of the drive drops-out and its checkback signal
contacts AS1/2 close (1st shutdown path!).
Note
If the protective door interlocking opens before the drive
has braked down to 0 speed as a result of an erroneous
PLC function, then a 0 signal is entered at contact 65
(controller enable) of the drive via the switch S6. The
drive is immediately braked down to speed = 0 and the
pulses cancelled. Opening of the protective doors initiates the function "safe standstill". It must be ensured
that potentially hazardous motion has come to a
standstill before a person can reach the potentially hazardous area!
■ The protective door interlocking is opened by setting PLC
output DO4 to energize coil Y1. When the protective doors
are opened the safety monitoring A2 of the safety circuit is
interrupted.
Powering-up the drive
The drive can be started when the protective doors are closed
and Emergency Stop button S3 is released.
■ When button S1 ("On") is pressed, safety combination A1 is
brought into the operational state. The coil of latch (tumbler) Y1 is no longer energized by resetting PLC output DO4
- the protective doors are interlocked. Safety combination
A2 is again in an operational state. Line contactor K1 is
energized.
■ For a correctly functioning circuit, the internal safety relay
of the drive has already dropped-out by this time and its checkback signal contacts AS1/2 have closed. The internal line contactor of the rectifier unit does not drop-out. If the internal
safety relay does not function correctly, its checkback signal
contacts AS1/2 are not closed, the internal line contactor of
the rectifier unit drops-out and isolates the drive from the
line supply (2nd shutdown path!).
■ The internal safety relay is energized (PLC output DO2), a 1
signal is entered (PLC output DO3) at contact 65 (controller
enable) of the drive. The drive restarts.
Safe standstill for non-interlocked protective doors, Emergency Stop, implemented with a safety combination and
standard PLC
Ex. No.
2.6
"Safe standstill" with SIMODRIVE for non-interlocked protective door, standard PLC and protective safety combination, stop Category 1,
Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3 and
EN 1037 can be implemented using two SIGUARD safety combinations for Emergency Stop and protective doors and a standard
PLC. The drive is shut down (stopped) according to stop function
Category 1 according to EN 60204-1.
■ Safety combinations for Emergency Stop and protective
door monitoring functions correspond to Category 4
(instantaneous enable circuit) or Category 3 (delayed
enable circuit).
■ Circuits for Emergency Stop and protective door monitoring
are monitored through 2 channels in a cross-circuit proof
fashion.
■ Switches S4 and S5 are positively opening position
switches corresponding to EN 1088.
■ The drive is shut down via the internal safety relay.
■ The on circuit of safety combination A1 monitors whether
the internal line contactor of the rectifier unit has dropped-out after an Emergency Stop (this is necessary in the sense
of control Category 3 in compliance with EN 954-1!).
■ When implementing as higher-level circuit using contacts,
the "safe standstill" function is guaranteed even when the
PLC develops a fault or fails.
Behavior when Emergency Stop is issued
Emergency Stop is initiated using button S3 ("Emergency
Stop"). This shuts the drive down according to
stop Category 1 in compliance with EN 60204-1.
■ Before the selected delay time of safety combination A1
expires, the internal safety relay of the drive must have
already dropped-out and its checkback signal contacts
AS1/2 indicate that the drive is in a safe condition.
■ A 0 signal is entered at contact 65 (controller enable) of the
drive via the enable contacts of safety combination A1. The
drive is immediately braked down to 0 speed and the pulses
are cancelled.
■ The safely delayed enable contacts of safety combination
A1 open after the selected delay time has expired. This
means that the internal line contactor of the rectifier unit is
no longer energized and the drive is electrically isolated
from the line supply.
■ If the drive is stationary (speed = 0), then PLC output DO2
to the internal safety relay of the drive is reset. The internal
safety relay of the drive drops-out and its checkback signal
contacts AS1/2 close (1st shutdown path!).
■ The checkback signal of the internal line contactor of the
rectifier unit is monitored. If the contactor does not drop-out due to an incorrect function, then the drive is prevented from restarting after an Emergency Stop.
Behavior when the protective doors are opened
When the protective doors are opened, the drive is shut down
according to stop Category 1 in compliance
with EN 60204-1. It must be ensured that potentially hazardous motion has come to a standstill before a person can
reach the potentially hazardous area!
■ If the drive is stationary (speed = 0), then PLC output DO2
to the internal safety relay of the drive is reset. The internal
safety relay of the drive drops-out and its checkback signal
contacts close (1st shutdown path!).
■ The safely delayed enable contacts of safety combination
A2 open after the selected delay time has expired. This
delay time must be set so that the checkback signal of the
internal safety relay already indicates that the drive is in a
safe condition.
■ A 0 signal is entered at contact 65 (controller enable) of the
drive via the enable contacts of safety combination A2. The
drive is immediately braked down to 0 speed and the pulses
are cancelled. At the same time, the state of the safety
combination is signaled to the control.
■ If the delay time of the contactor combination A2 has been
correctly set and the function of the internal drive safety
relay is correct, the internal line contactor of the rectifier
unit does not drop-out. If the delay time is set too short or
if the internal safety relay does not function correctly, the
internal line contactor of the rectifier unit drops-out and
isolates the drive from the line supply (2nd shutdown
path!).
■ Before the selected delay time of safety combination A2
expires, the internal safety relay of the drive must have
already dropped-out and its checkback signal contacts
AS1/2 indicate that the drive is in a safe condition.
Powering-up and powering-down the drive
The drive can be started when the protective doors are closed
and Emergency Stop button S3 is released.
■ When pressing button S2 ("On"), safety combination A1 is
brought into the operational state. Safety combination A2
is again in an operational state. The internal line contactor
of the rectifier unit is energized.
■ The internal safety relay is energized (PLC output DO2), a 1
signal is entered (PLC output DO3) at contact 65 (controller
enable) of the drive. The drive restarts.
■ When button S2 is pressed ("Off"), PLC output DO3 is reset
and a 0 signal is entered at contact 65 (controller enable)
of the drive. The drive is immediately braked down to 0
speed and the pulses are cancelled. If the drive is stationary
(speed = 0), then the PLC output DO2 to the internal safety
relay of the drive is reset. If the protective doors are
opened, the safely delayed enable contacts of safety combination A2 open after the selected delay time has expired
(1st shutdown path!). If the internal safety relay of the
drive has still not dropped-out as a result of an incorrect
function or a fault (PLC), the internal line contactor of the
rectifier unit drops-out and isolates the drive from the line
supply (2nd shutdown path!).
Safe standstill for several non-interlocked protective doors and several drives, Emergency Stop implemented using
safety combinations
Ex. No.
2.7
Minimum circuit for the "safe standstill" with SIMODRIVE function
Function description
A structure in compliance with EN 954-1 control Category 3 and
EN 1037 can be implemented using four SIGUARD safety combinations for Emergency Stop and protective doors. The drives are
shut down (stopped) according to stop function Category 1 according to EN 60204-1.
■ Safety combinations for Emergency Stop and protective door
monitoring functions correspond to Category 4 (instantaneous enable circuit) or Category 3 (delayed enable circuit).
■ Circuits for Emergency Stop and protective door monitoring
are monitored through 2 channels in a cross-circuit proof fashion.
■ Switches S3 and S8 are positively opening position switches
corresponding to EN 1088.
■ The drives are shut down via the internal safety relays.
■ The on circuits of the safety combinations A1 to A4 monitor
whether the internal line contactor of the rectifier unit has
dropped-out after an Emergency Stop or whether time relay
K2a/b and contactors K3a/b have dropped-out after opening
the protective door circuits (this is necessary in the sense of
control Category 3 according to EN 954-1!).
■ This circuit principle is suitable for selectively shutting down
several drives. Protective door 1 acts on drive A, protective
door 2 on drives A and B, protective door 3 on drive B. When
the internal safety relay of the drives functions correctly, the
internal line contactor of the rectifier unit does not drop-out
(also refer to the block diagram above). The following table
shows how the two drives A and B are dependent on the state
of the protective doors.
                          Drive A            Drive B
Protective door 1 open    Safe standstill    Ready
Protective door 2 open    Safe standstill    Safe standstill
Protective door 3 open    Ready              Safe standstill
Behavior when Emergency Stop is issued
Emergency Stop is initiated using button S9 ("Emergency
Stop"). This shuts the drives down according
to stop Category 1 in compliance with EN 60204-1.
■ After the drop-out delay time of time relay K2a/b has
expired, the internal safety relays of the drives are no
longer energized (1st shutdown path!).
■ A 0 signal is entered at contacts 65 (controller enable) of
the drive via the enable contact of safety combination A4.
The drives are immediately braked down to 0 speed and the
pulses cancelled. At the same time, the drop-out delay of
time relay K2a/b and the delay time of the safety combination A4 are started. The drives must have come to a standstill before these delay times have expired.
■ After opening the safely delayed enable contact of safety
combination A4, the internal line contactor of the rectifier
unit is no longer energized and the drives are electrically
isolated from the line supply (2nd shutdown path!).
■ The checkback signal of the internal line contactor of the
rectifier unit is monitored in the on circuit of safety combination A4. If the contactor does not drop-out due to an
incorrect function, then the drive is prevented from restarting after an Emergency Stop.
Behavior when the protective doors are opened
When protective doors 1-3 are opened, the
associated drives are shut down according to stop Category 1
in compliance with EN 60204-1. It must be ensured that potentially hazardous motion has come to a standstill before a person can reach the potentially hazardous area!
■ A 0 signal is entered at contact 65 (controller enable) of the
drive/drives via the enable contact of the safety combinations A1, A2 or A3. The drives are immediately braked
down to 0 speed and the pulses cancelled. At the same
time, the switch-out delay of time relays K2a and/or K2b
are started. The drive/drives must have come to a standstill
before these delay times have expired.
■ The internal safety relay of the drive is no longer energized
after the drop-out delay time of time relay K2a or K2b has
expired (1st shutdown path!).
■ Before the selected delay times of safety combinations A1-3 expire, the internal safety relays of the drives must have
already dropped-out. Their checkback signal contacts
AS1/2 indicate that the drives are in a safe condition.
■ After the selected delay time has expired, the safely
delayed enable contacts of the safety combinations open.
■ If the internal safety relay of the drives is functioning correctly, their checkback signal contacts AS1/2 are closed and
the internal line contactor of the rectifier unit does not
drop-out. If the internal safety relay does not function correctly, its checkback signal contacts AS1/2 are not closed,
the internal line contactor of the rectifier unit drops-out
(2nd shutdown path!).
Functional Example No. MC-FE-I-002-V11-EN
Powering-up and powering-down the drive
The drives can be started or stopped when the protective
doors are closed and Emergency Stop button S9 is released.
Ex. No.
2.7
■ When button S2a/b ("On") is pressed, safety combination
A4 is brought into the operational state. The internal line
contactor of the rectifier unit is energized.
■ When button S2a/b ("On") is pressed, contactor K3a/b is
energized and latches; time relay K2a/b is simultaneously
energized. The internal safety relay is energized and a 1 signal is entered at contact 65 (controller enable) of drive A/B.
The drive restarts.
■ When button S1a/b ("Off") is pressed, contactor K3a/b is no
longer energized. The drop-out delay of time relay K2a/b is
simultaneously started. When contactor K3a/b drops-out, a
0 signal is entered at contact 65 (controller enable) of the
drive A/B. The drive is immediately braked down to 0 speed
and the pulses cancelled. The internal safety relay of the
drive is no longer energized after the drop-out delay time
of time relay K2a/b has expired. The protective doors can be
opened.
Certificate
The examples shown in this document were examined and
certified by the German Berufsgenossenschaft Fachausschuss
Maschinenbau, Fertigungssystem, Stahlbau (Certificate only
available in German!).
SAFE STANDSTILL Category 3 according EN 954-1
with SINAMICS S120
Application examples SINAMICS S120
Safe standstill, Safe Stop 1 implemented using safety combination
Ex. No.
3.1
In accordance with the standard prIEC61800-5-2, the designation Safe Standstill is replaced by Safe Torque Off (STO).
The Safe Stop 1 (SS1) function is integrated in SINAMICS S120
version V2.4 or later.
[Figure: Schematic diagram of the internal control of both shutdown paths. Recoverable labels: Control Unit, Power Unit, DRIVE-CLiQ, DC supply, Channel 1, Channel 2, monitoring, diagnostic, Shut Down Path 1, Shut Down Path 2.]
Functional Example No. MC-FE-I-003-V12-EN
"Safe standstill" with SINAMICS using safety combination and "Safe Stop 1", Stop category 1, Category 3 acc. to EN 954-1
and SIL 2 acc. IEC 61508
Description of functions
■ A structure in compliance with EN 954-1 control category 3
and EN1037 can be implemented using a SIGUARD safety
combination for the protective door. The drive is stopped
according to Stop function Category 1 acc. to EN 60204-1.
■ Switches S2 and S3 are positive-opening position switches
according to EN 1088.
■ A master line contactor is not required since the "Safe standstill" safety function integrated in the drive corresponds to Category 3 acc. to EN 954-1. Before performing work on the
motor or converter, the unit has to be deenergized via a (lockable) main switch.
■ The safety combination for the protective door monitoring
function corresponds to Category 4 (instantaneous enable circuit).
■ The circuits for protective door monitoring are monitored
through two channels using a cross-circuit proof connection.
Behavior when the protective door is opened
When the protective door is opened, the drive is
stopped according to Stop category 1 acc. to EN 60204-1. It
must be ensured that potentially hazardous motion comes to
a standstill before a person can reach the potentially hazardous area!
■ A signal 0 is entered via the enable contacts of the safety
combination A1, at terminal X122.3 (DI 2: SH CU) of the
drive. The drive is immediately decelerated along the OFF3
ramp (p1135).
■ SH/SBC is triggered automatically after the delay time
(p9652/p9852) has expired.
Powering up the drive
The drive can be started when the protective door is closed:
■ Signal 1 is present both at the EP terminal of the power unit
and at the digital input; the Safe standstill function is deselected. When knob switch S1 ("OFF-ON") is actuated, the
drive is brought into the operational state via a rising edge
at input DI 0 (OFF1).
"Safe Stop 1" features
■ SS1 is activated by setting p9652 and p9852 (delay time) to a value other than
"0".
■ This function can only be activated in combination with
"safe standstill".
■ When selecting SS1, the drive is decelerated along the
OFF3 ramp (p1135) and SH/SBC is triggered automatically
after the delay time (p9652/p9852) has expired.
■ After activating the function, the delay time elapses even if
the function has been deselected before. In this case, the
SH/SBC function is selected and deselected again when the
delay time has elapsed.
■ SS1 is selected through two channels. The drive, however,
is decelerated along the OFF3 ramp through a single channel only.
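The SS1 features listed above can be traced with a small discrete-time model. This is an added Python example, not Siemens code; the state names, the sample step and the assumption that a momentary SH/SBC selection lasts exactly one sample are illustrative, and `delay_cu_ms` / `delay_mm_ms` stand for the two delay parameters p9652 and p9852.

```python
"""Discrete-time model of the Safe Stop 1 (SS1) sequence (added example)."""
from dataclasses import dataclass

RUN, SS1_DELAY, SH_ACTIVE = "RUN", "SS1_DELAY", "SH_ACTIVE"


@dataclass
class Ss1Channel:
    """One monitoring channel; delay_ms stands for p9652 or p9852."""
    delay_ms: int
    state: str = RUN
    remaining_ms: int = 0

    def step(self, selected: bool, dt_ms: int) -> str:
        if self.state == RUN:
            if selected and self.delay_ms == 0:
                # Delay 0: SS1 is deactivated, pulses are disabled at once.
                self.state = SH_ACTIVE
            elif selected:
                # OFF3 ramp starts and the delay timer is loaded.
                self.state = SS1_DELAY
                self.remaining_ms = self.delay_ms
        elif self.state == SS1_DELAY:
            # The timer keeps running even if SS1 was deselected meanwhile.
            self.remaining_ms -= dt_ms
            if self.remaining_ms <= 0:
                self.state = SH_ACTIVE
        elif not selected:
            # SH_ACTIVE is left only once the selection is gone. After an
            # early deselection this happens one sample after the timeout.
            self.state = RUN
        return self.state


def simulate(selection, delay_cu_ms, delay_mm_ms, dt_ms=10):
    """Run both channels over a list of booleans (True = SS1 selected)."""
    cu = Ss1Channel(delay_cu_ms)
    mm = Ss1Channel(delay_mm_ms)
    return [(cu.step(s, dt_ms), mm.step(s, dt_ms)) for s in selection]


def first_sh_ms(trace, channel, dt_ms=10):
    """Time of the first SH_ACTIVE sample in one channel, or None."""
    for i, states in enumerate(trace):
        if states[channel] == SH_ACTIVE:
            return i * dt_ms
    return None


if __name__ == "__main__":
    # Constructed input: door opened at t = 0 and closed again after 10 ms.
    early_deselect = [True, False, False, False, False, False]
    for t, states in enumerate(simulate(early_deselect, 30, 30)):
        print(f"{t * 10:3d} ms  CU={states[0]:9s}  MM={states[1]}")
```

Running the module prints the early-deselection case, in which SH is still selected when the delay expires and is released one sample later. Passing two different delays to `simulate` shows the two channels reaching SH at different times.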
"Safety Integrated" settings
The delay time has to be specified for each path in the "Safe
Stop 1" input window. If this value is 0, Safe Stop 1 is deactivated. In this case, the pulses are disabled immediately.
Settings for Safety Integrated STARTER/SIMOTION Scout
Safe standstill, implemented with one safety combination
In addition to the SINAMICS version V2.4 (or later) described
above, the traditional OFF 3 circuit can still be used.
Ex. No.
3.2
[Figure: Circuit diagram. Recoverable labels: line supply, main switch -Q1, P24, Emergency Stop -S3, Line Module, Control Unit terminal X122 (1 DI0: OFF1, 2 DI1: OFF3, 3 DI2: SH CU, 7 DO8: n=0, 8 DO9: SH active), Motor Module (SH, EP terminals), safety combinations 3TK2827 (-A1) and 3TK2828 (-A2), standard PLC with digital inputs DI1 to DI8 and digital outputs DO1 to DO4, switches -S1, -S2, -S4 (On/Off), -S5, -S6 (open/closed), coil -Y1.]
"Safe Standstill" with SINAMICS using safety combination, Stop-Category 1, Category 3 acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3
and EN1037 can be implemented using one SIGUARD safety
combination for the protective door. The drive is shut down
(stopped) according to stop function Category 1 according to
EN 60204-1.
■ The integrated safety function "safe standstill" corresponds
to Category 3 according to EN 954-1 and SIL 2 according to
IEC 61508. Therefore a line contactor is not necessary. The
Emergency Stop function does not necessarily require isolation from the line supply. When carrying out work on the
motor or the frequency converter, the equipment must
always be isolated from the line supply with a (lockable)
main switch.
■ Safety combination for protective door monitoring functions corresponds to Category 4 (instantaneous enable circuit) or Category 3 (delayed enable circuit).
■ Circuit for protective door monitoring is monitored through
2 channels in a cross-circuit proof fashion.
■ Switches S2 and S3 are positively opening position
switches corresponding to EN 1088.
Behavior, when the protective doors are opened
When the protective doors are opened, the
drive is shut down according to stop Category 1 in compliance
with EN 60204-1. It must be ensured that potentially hazardous motion has come to a standstill before a person can
reach the potentially hazardous area!
■ A 0 signal is entered, via the enable contact of safety combination A1, at contact X122.2 (DI 1: OFF3) of the drive.
The drive is immediately braked down to 0 speed and the
pulses are cancelled. The delay time of safety combination
A1 is simultaneously started and the drive must have come
to a standstill before it expires.
■ The safely delayed enable contacts of safety combination
A1 open after the selected delay time has expired. This
means that the EP-terminal of the line module and the digital input (DI 2 SH) of the control unit are no longer energized. The safety function "safe standstill" is activated.
Powering-up the drive
The drive can be restarted (powered-up again) when the protective doors are closed.
■ A 1 signal is entered at the EP-terminal of the line module
and the digital input (DI 2: SH) of the control unit. The function "safe standstill" is deactivated. When the
knob-operated switch S1 ("Off-On") is actuated, the drive is brought
into an operational state with a rising edge at the digital
input DI0 (OFF1).
Safe standstill for interlocked protective doors, Emergency Stop, implemented with safety combinations and standard
PLC
Ex. No.
3.3
[Figure: Circuit diagram. Recoverable labels: line supply, main switch -Q1, P24, Emergency Stop -S3, Line Module, Control Unit terminal X122 (1 DI0: OFF1, 2 DI1: OFF3, 3 DI2: SH CU, 7 DO8: n=0, 8 DO9: SH active), Motor Module (SH, EP terminals), safety combinations 3TK2827 (-A1) and 3TK2828 (-A2), standard PLC with digital inputs DI1 to DI8 and digital outputs DO1 to DO4, switches -S1, -S2, -S4 (On/Off), -S5, -S6 (open/closed), coil -Y1.]
"Safe Standstill" with SINAMICS for interlocked protective door, standard PLC and protective safety combination, stop Category 1, Category 3
acc. to EN 954-1
Function description
A structure in compliance with EN 954-1 control Category 3
and EN1037 can be implemented using two SIGUARD safety
combinations for Emergency Stop and protective doors and a
standard PLC. The drive is shut down (stopped) with stop function Category 1 according to EN 60204-1.
■ Switches S4, S5 and S6 are positively opening position
switches corresponding to EN 1088.
■ The integrated safety function "safe standstill" corresponds
to Category 3 according to EN 954-1 and SIL 2 according to
IEC 61508. A non-safety checkback signal "Safe Standstill
active" is sufficient.
■ The communication via digital inputs and outputs between
drive and PLC can be replaced by non-safe standard
communication (e.g. PROFIBUS).
■ Safety combinations for Emergency Stop and protective
door monitoring correspond to Category 4 (instantaneous
enable circuit) or Category 3 (delayed enable circuit).
■ Circuits for Emergency Stop and protective door monitoring
are monitored through 2 channels in a cross-circuit proof
fashion.
■ When implementing as higher-level circuit using contacts,
the "safe standstill" function is guaranteed even when the
PLC develops a fault or fails.
■ The Emergency Stop function does not necessarily require
isolation from the line supply. When carrying out work
on the motor or the frequency converter, the equipment
must always be isolated from the line supply with a (lockable) main switch.
Behavior at Emergency Stop
Emergency Stop is initiated using button S3 ("Emergency
Stop"). The drive is shut down according to
stop Category 1 in compliance with EN 60204-1:
■ A 0 signal is entered, via the enable contact of safety combination A1, at contact X122.2 (DI 1: OFF3) of the drive.
The drive is immediately braked down to 0 speed and the
pulses are cancelled.
■ The safely delayed enable contacts of safety combination
A1 open after the selected delay time has expired. This
means that the function "safe standstill" of the drive is activated through two channels and fed back via terminal X122.8
(DO 9: SH active).
■ The checkback signals of the safety combination and the
drives are monitored and evaluated by the PLC.
Behavior when the protective doors are opened
Button S2 ("Off") requests that the protective doors are
opened. The drive is then shut down according to
stop Category 1 in compliance with EN 60204-1:
■ A 0 signal is entered at contact X122.2 (DI 1: OFF3) of the
drive by resetting the PLC output DO3. The drive is immediately braked down to 0 speed and the pulses are cancelled.
■ If the drive is stationary (DO 8: speed = 0), then PLC output
DO2 to the drive is reset. This means that the EP-terminal
of the line module and the digital input (DI 2: SH) of the control unit are no longer energized. The safety function "Safe
standstill" is activated.
■ Once the PLC detects that the function "safe standstill" is active (PLC DI
7: SH active), the protective door interlocking is opened by
setting PLC output DO4 to energize coil Y1.
■ When the protective door is opened, the safety circuit of safety
combination A2 is interrupted.
Note
If the protective door interlocking opens before the
drive has braked down to 0 speed as a result of an erroneous PLC function, then a 0 signal is entered at contact X122.2 (DI 1: OFF3) of the drive via the switch S6.
The drive is immediately braked down to speed = 0 and
the pulses cancelled. Opening of the protective doors
initiates the function "safe standstill". It must be ensured that potentially hazardous motion has come to a
standstill before a person can reach the potentially
hazardous area!
Powering-up the drive
The drive can be started when the protective doors are closed
and Emergency Stop button S3 is released.
■ When button S1 ("On") is pressed, safety combination A1 is
brought into the operational state. The coil of latch (tumbler) Y1 is no longer energized by resetting PLC output DO4
- the protective doors are interlocked. Safety combination
A2 is again in an operational state.
■ A 1 signal is entered at both PLC outputs DO2 and DO3;
the functions "safe standstill" and quick stop at terminal
X122.2 (DI 1: OFF3) are deactivated.
■ With a rising edge from PLC output DO1 at terminal X122.1 (DI 0: OFF1), the drive is set again in an operational state.
Safe Monitoring of Drive Functions
SIMOTION D/ SIMATIC S7-F
Overview
Concept
Ex. No.
4
Our objective is to introduce a safety concept comprising the
SIMOTION D motion controller, a sin/cos encoder equipped
with encoder module SMx20 and a fail-safe SIMATIC S7-F controller, which has been designed to implement the following
safety functions using an encoder system:
■ Safe standstill
■ Safely limited speed
■ Safe operating stop (standstill monitoring)
■ Safe shutdown (via Stop categories)
In this concept, the Simatic F-CPU controller - equipped
with the function block "F_DRIVE" certified according to
DIN EN 954-1 and IEC 61508 - monitors the above-mentioned
drive functions and activates the "Safe standstill" (SH) or
Safe Torque Off (STO) safety function in the drive each time
that a monitoring threshold is violated in order to bring the
drive into a safe state.
[Figure: Safety concept. Recoverable labels: SIMATIC (e.g. IM151-7 F-CPU): applicative evaluation of protective doors, emergency stop button, valves etc.; safe drive function monitoring; SH is triggered in the event of an error or when the limit threshold is violated; SH selected via terminal. SIMOTION D: drive function monitoring; OFF3 (rapid stop) selected internally in the event of an error or when the limit threshold is violated. PROFIBUS with secure data transmission between DP master and DP slave (PROFIsafe: sign of life, CRC, communication time monitoring). DRIVE-CLiQ. "Safe" actual encoder value (redundant coarse position).]
Function Example No. MC-FE-I-004-V11-EN
The safety requirements are fulfilled through the evaluation
of a "redundant coarse position" defining the encoder position
in the SIMOTION controller and the fail-safe SIMATIC S7-F controller. The encoder information (position data and redundant
coarse position) is checked for plausibility on both controllers.
If an error occurs, the corresponding shutdown responses are
triggered by both controllers.
Safe encoder signal and communication data monitoring between the drive system and the F-CPU according to Cat. 3 is
performed by the SIMATIC F-CPU. To ensure swift error response, the encoder signal and communication data are monitored simultaneously in the SIMOTION CPU (by the SIMOTION
function block "C_DRIVE").
Safety functions such as the monitoring of emergency stop
buttons, protective doors or valve positions can be implemented with a fail-safe SIMATIC S7-F using approved function
blocks.
Overview of the Hardware Configuration (Minimum Configuration)
The following hardware components are used:
■ SIMOTION/SINAMICS drive system
■ sin/cos encoder
■ SMx20 encoder module (the figure shows both - SMI20
and SMC20)
■ Fail-safe Distributed Safety System
These components have to be connected using the appropriate signal cables (see following figure).
[Figure: Hardware components, with callouts 1 to 5]
1. The SIMOTION drive system and the fail-safe Simatic CPU
must be connected via a bus cable.
2. The SH in the drive system is controlled by the F-CPU via
terminals.
3. According to enumeration item 2, a fail-safe output module of the fail-safe Distributed Safety System has to be
used.
4. At least one fail-safe input module of the fail-safe
Distributed Safety System must be provided for signals
such as protective doors, acknowledgement buttons, etc.
5. In addition to this, the SH checkback signal transferred
within the drive system has to be connected to a digital
output which must then be connected to a digital SIMATIC
I/O input. This input can be implemented as a fail-safe input
or standard input since the checkback signal output by the
safe stop has been implemented as a standard function
rather than a safety function.
This document describes the example of an IM151-7 F-CPU
equipped with fail-safe ET 200S I/O components. These components can be replaced by Distributed Safety System components with identical functions.
Caution
To ensure compliance with Cat.4 / SIL3 when setting
up an ET 200S station, the standard modules need to
be electrically isolated from the safety modules.
Further information is provided in the Hardware Installation and User Manual ET 200S - Fail-Safe Modules.
[Figure: Sample connection for ET 200S (F-CPU)]
Hardware components for the F-CPU controller (minimum requirements):
Order No.             Designation                                                               Quantity
6ES5710-8MA11         Stand. sectional rail, width 35 mm, length 483 mm, for 19" cabinets      1,00
6ES7131-4BB01-0AB0    Electronic module, 2DI, DC 24 V, High Feature (5 pcs.)                    0,20
6ES7138-4CB11-0AB0    Power module PM-E DC 24...48 V, AC 120...230 V f. elec. mod. diag+fuse    2,00
6ES7138-4FA02-0AB0    Electronic module, 4/8F-DI, DC 24 V, PROFIsafe (1 pc.)                    1,00
6ES7138-4FB02-0AB0    Electronic module, 4F-DO, DC 24 V/2 A, PROFIsafe (1 pc.)                  1,00
6ES7151-7FA01-0AB0    IM 151-7 F-CPU RS 485 for ET 200S, with PROFIBUS DP interface             1,00
6ES7193-4CA40-0AA0    Universal terminal module; screw connection (5 pcs.)                      0,20
6ES7193-4CD20-0AA0    Terminal module for AUX1 supply; screw connection                         2,00
6ES7193-4CF40-0AA0    Terminal module for electronic module 30 mm: screw term.; AUX1            2,0
Hardware component wiring
Safe stop is activated in the drive system through the selection
of two terminals (motor module and CU). These two terminals
have to be connected to a fail-safe digital output module.
The following connection example illustrates the connection
of a positive switching ET 200 output with a CU input. Another
output switches the EP terminal at the motor module.
Component wiring
Software Required
The program supplied with the Installation Guide has been
created with the following software releases of the Engineering Tools and Runtime Systems:
■ STEP7 V5.4 SP1
■ Distributed Safety V5.4 (S7 F Configuration Pack V5.5)
■ SCOUT V4.0
■ STARTER V2.3
■ SIMOTION FW V4.0
■ SINAMICS FW V2.4.
Communication Configuration and Interface Description
The F-CPU controller communicates with SIMOTION via a bus
connection (slave) or via a transceiver. The scope of transmit and receive words per axis has to be set up as shown in the
following figure. It is configured in the HW Config of the
SIMATIC Manager.
Overview of interfaces and communication scope
[Figure: Bus interface between SIMATIC S7 F-CPU, SIMOTION and SINAMICS / SMx. Connection 1: SIMOTION sends and the F-CPU receives 10 PZD consistent. Connection 2: the F-CPU sends and SIMOTION receives 4 PZD consistent. Connections 3 and 4 between SIMOTION and SINAMICS / SMx: 4 PZD and 1 PZD.]
Detailed interface description
Explanation regarding 1
F-CPU Address   Data                                                             SIMOTION Address
EWx (*)         Sign of life from the drive (INT)                                ARRAY [x] ... PQW
                Error message output by the drive (INT)
                Control word from the drive (INT)
                Redundant coarse position (INT)
                Coarse position information (INT)
                Actual speed from the drive (INT)
                CRC via speed (INT)
                Calculated encoder module start CRC (WORD)
                CRC via redundant coarse position (INT)
EWx+ 9          Function block version from the SIMOTION function block (INT)    ARRAY [x+9] ... PQW
Detailed interface information
(*) If the data received are not displayed in the process image
of the F-CPU, communication in the standard program has to
be established using the emitter and receiver blocks SFC14
("DP_RD_DAT").
Bit memory address areas are required to transfer data into
the safety program.
Explanation regarding 2
F-CPU Address   Data                                                                SIMOTION Address
AWx             Sign of life to the SIMOTION / CU (INT)                             ARRAY [x] ... PIW
                Control word to the SIMOTION (WORD)
                Speed reduced for monitoring in SIMOTION (WORD)
AWx+ 3          Max. delta of encoder increments for standstill monitoring (INT)    ARRAY [x+3] ...PIW
F-CPU transmit data
(*) If the data received are not displayed in the process image
of the F-CPU, communication in the standard program has to
be established using the emitter and receiver blocks SFC15
("DP_WR_DAT").
Bit memory address areas are to be used to transfer data into
the safety program.
Explanation regarding 3
SIMOTION Address   Data                                           SINAMICS Address
PIDx               Redundant coarse position (r484 ... DWORD)     P2061.x (axis)
PIWz               Encoder status (r481 ... WORD)                 P2051.y (axis)
PIWy               Sign of life (INT)                             P2051.z (CU)
SIMOTION receive data
Explanation regarding 4
SIMOTION Address   Data                                           SINAMICS Address
PQWx               Sign of life (INT)                             r2050.x (CU)
SIMOTION transmit data
Overview of the STEP7 project
Overview of the network configuration
Sample communication configuration for one axis
Sample communication configuration
The F-CPU controller receives 10 consistent data words via the
I/O address 100; 4 words are transmitted. The input data are
processed as input words, the output data are processed as
output words.
The data are transferred resp. received by the SIMOTION controller using the I/O address 100 as well. They are postprocessed using ARRAY. The arrays are created in the I/O data.
SINAMICS Runtime System
Parameterization of the SINAMICS drive system
The drive system is commissioned via the STARTER commissioning tool. The parameterization procedure is described in
the following.
It is assumed that the motion application of the axis is functional. The safety-related Motion Control functions are not explained in this document.
The sample application included uses the example of a motor
encoder for a demonstration case to illustrate the configuration procedure.
The axis to be monitored has to be created as a positioning
axis!
1. Program example
The program example supplied describes how to configure an
axis (Servo_3...Achse_Blau).
The modifications described have to be integrated into the existing project.
2. Program example
PROFIBUS configuration for demonstration case.
3. SINAMICS Safety Integrated
The Safe standstill function has to be started up and checked
as described in the "SINAMICS S120
Commissioning Manual", Chapt. 5.2 Safe standstill (SH).
4. SINAMICS Safety Integrated
The message "Safe standstill active" has to be connected to
the digital SIMOTION/SINAMICS output.
This output must be connected to the digital input of the Simatic I/O.
5. SINAMICS Safety Integrated
Redundant coarse position sensing is activated as follows:
P430.0 = E0080000H
with Safety actual position value acquisition = yes
6. Axis communication startup
The redundant coarse position information has to be connected to the PROFIBUS and transferred to SIMOTION as follows: P2061.x = r484
The redundant coarse position information is required as a
double word.
7. Axis communication startup
The encoder status word has to be connected to the encoder
to be monitored (if not already done in the standard configuration):
P2051.x = r481
The coarse position information is only required as a word.
8. Control Unit (CU) startup
The sign of life signal is transferred via the Control Unit (see
Chapt. 6.4). That means, one transmit and receive word must
be configured for each axis
e.g. P2051.x = r2050.x
Note
The communication configuration in the HW Config
must be extended by the additional transmit and receive words.
SIMOTION Runtime System
Starting up the program section in the SIMOTION controller
The SIMOTION SCOUT tool is required for commissioning. The
drive has to be parameterized as described at page 440 before
the following steps can be performed successfully.
9. Axis technology object (TO)
The axis technology object is configured in the SIMOTION
SCOUT. In the example described, it is called Axis_blue and
connected to SERVO_3.
10. Integration of the function block "C_DRIVE"
The program "C_DRIVE" supplied has to be integrated into the
user project.
11. Integration of the program "C_DRIVE"
Only the function block "c_drive_V02" has to be called by the
user.
Description of the function block "C_DRIVE"
[Figure: Function block "c_drive_v02"]
I/O variables for the function block "C_DRIVE"
[Figure: I/O configuration of the sample application]
The following communication variables have to be created in
the I/O configuration:
■ I/O input and output variables for sign-of-life monitoring
via the CU (position 1,2)
■ Transmit and receive arrays for establishing communication with the safety control 10/4 words (position 3,4)
■ Redundant coarse position information from the axis
encoder module SMx (position 5)
■ Encoder status of the axis encoder module SMx (position 6)
Integration of the function block "C_DRIVE"
into the application
[Figure: Integration of c_drive]
Possible responses in the SIMOTION application
Immediate stop in the event of an axis monitoring fault
If the axis monitoring function has not been enabled, the axis
performs an emergency stop.
Default setting for stop command with active axis standstill
monitoring
If the axis performs an operational stop, a cyclic stop command is preset.
SIMATIC Runtime System
Function Block "F_DRIVE" for safe monitoring of drive functions
The safety-related function block "F_DRIVE" requires the
safety-related Distributed Safety System. The system manual
"Safety Engineering in SIMATIC S7" (see Chapt. 2.2.1) provides a
detailed description of this safety system.
The function block "F_DRIVE" ensures safe monitoring of the
drive functions and establishes safety-related communication
between the SIMOTION/SINAMICS drive system and the fail-safe Simatic CPU. A sin/cos encoder has to be connected to the
SMx20 module issuing signals that will be evaluated.
In the event of an error, safe drive standstill is activated via an
F-DO, thus bringing the drive into a safe operational state.
The following safety functions can be implemented depending on the relevant application:
■ Safe standstill
■ Safe shutdown
■ Safe operating stop
■ Safely limited speed
Note
The constants "VKE0" and "VKE1" must be used in the
program block through fully qualified access to
"F_GLOBDB". "VKE0" is reproduced by
"F_GLOBDB".VKE0, "VKE1" by "F_GLOBDB".VKE1.
They are used to permanently connect the inputs of
the function block and may not be modified by the
safety program.
Caution
Before inserting the fail-safe application block FB300
"F_DRIVE", you have to copy the fail-safe blocks FB186
"F_TOF", FC174 "F_SHL_W" and FC176 "F_BO_W" from
the block container F-Application Blocks of the fail-safe
Distributed Safety library (V1) into the block container
of your S7 program (if not already done).
The blocks must be assigned the above-mentioned
numbers and may not be renumbered.
Caution
The block functions are only ensured by setting the relevant parameters in the hardware configuration.
Caution
A function test is required to check the block functions.
Notice
The fail-safe monitoring time and the fail-safe mode of
the module are described analogously to the manual
"Safety Engineering in SIMATIC S7 System Description"!
Block identification
Before you can integrate the safety-relevant function block
"F_DRIVE" into the existing program structures, you may have
to change the block number or the symbolic name.
In order to unambiguously identify the blocks, the block
header and the block version of the relevant function block
have been designed as an input block.
Example:
This input block is always the second input block (after "EN").
The input name is composed as follows:
• "_Header_FB-NAME_FB-Version"
[Figure: Input name of the function block "F_DRIVE"]
The input block used for identifying the block has no functional significance and is therefore connected to VKE0.
[Figure: Block identification]
Information on the formal operands
The names used for the individual formal operands of block
"F_DRIVE" are derived from English terms. In order to achieve
a better understanding, the related English term is added in
square brackets when using a formal operand for the first time
(refer to the Chapter Description of functions).
Formal operands
The operands are described in detail in the FBD / LADDER editor using a hint.
[Figure: Formal operands with hint]
Overview of the function block "F_DRIVE"
Header: F_DRIVE V0.2 / Date July 10, 2006 Time 15:50:59 /
Checksum: D2D2
       Parameter               Data type   Description
IN     EN                      BOOL        Enable input, not used
       F_DRIVEV0_3                         Block name/block version
       AREA_PROTECTED          BOOL        1 = Protection zone closed, 0 = Standstill monitoring active
       ENABLE_MOTION           BOOL        1 = safe state monitoring, Reduced speed
       SAFE_STOP               BOOL        0 = Safe standstill active
       ACK                     BOOL        Acknowledgement
       MAX_SPEED               INT         Maximum speed (see SIMOTION)
       MAX_ENC_INC_PER_TIME    INT         Maximum encoder increments / End of cycle
       DELTA_INC_STANDSTILL    INT         Delta of increments with Standstill monitoring
       F_TIME                  TIME        Sign of life time discrepancy
       FD_LIVE_SIGN            INT         Sign of life
       FD_FAULT_MESSAGE        INT         Error message from the drive
       FD_CONTROL_MESSAGE      INT         Control word from the drive
       FD_RED_ROUGH_POS        INT         Redundant coarse position (RGL)
       FD_ROUGH_POS            INT         Standard coarse position (GL)
       FD_SPEED_SIMO           INT         Actual drive speed
       FD_CRC_SIMO             INT         CRC via "sign of life" and "Actual drive speed"
       FD_START_CRC            INT         Start CRC encoder module
       FD_CRC_PSAFE            INT         CRC via "RGL"
       FD_VERSION              INT         SIMOTION function block version
OUT    ENABLE_AXIS             BOOL        Safe standstill to SINAMICS
       ERROR                   WORD        Error
       DIAG                    WORD        Diagnostic information
       TD_LIVE_SIGN            WORD        Sign of life to SIMOTION / CU
       TD_CONTROL_MESSAGE      WORD        Control word to SIMOTION
       TD_SPEED                WORD        red. V for SIMOTION monitoring
       TD_DELTA_INC_SS         INT         Max delta of incr. for standstill monitoring
       EN0                     BOOL        Not used
Functionality of the function block "F_DRIVE"
Sign of life
The sign of life is generated by the block and transmitted to
the output block TD_LIVE_SIGN [To Drive Live Sign]. The input
block FD_LIVE_SIGN [From Drive Live Sign] awaits the sign of
life. The "plausibility" of the sign of life transmitted and the
one received is checked. The sign of life in the drive system
must be incremented by 15 (function containing SIMOTION
function block).
The FB300 permanently converts the signs of life received into
new signs of life using the principle of serial numbers.
If a sign of life transmitted does not correspond to the sign of
life received, the sign of life expected is transmitted again.
This is tolerated until a time parameterized at input block
F_TIME has expired. Then, an error is output and the output
ENABLE_AXIS is reset. This principle corresponds to a time expected with acknowledgement.
Caution
The time set at input block F_TIME has to be set to the
lowest possible value to ensure that the function block
"F_DRIVE" immediately detects any errors arising during data transmission.
Protection zone closed
If the protection zone is closed (AREA_PROTECTED=1), speed
or standstill monitoring is not performed. The sign of life, CRC
and the relevant position of the control signals with respect to
each other (AREA_PROTECTED and ENABLE_MOTION) are still
monitored.
Error acknowledgement / enable of safe standstill
Errors can be reset only with AREA_PROTECTED =1 through a
rising edge at ACK [Acknowledgement].
ENABLE_AXIS is only possible if AREA_PROTECTED =1, if no errors are pending and if a rising edge is applied to ACK.
Fail-safe output(s) of the fail-safe Distributed Safety system
must be controlled via the ENABLE_AXIS output. The "Safe
standstill" safety function of the SINAMICS drive system is triggered via this output.
The ENABLE_MOTION signal - which constitutes, for example,
the evaluated signal transmitted from an acknowledgement
button - may only include a high signal if
AREA_PROTECTED=0, which can be connected, for example,
to the evaluated signal transmitted from protective doors of a
certain protection zone. If this is not the case, ENABLE_AXIS is
set to 0.
Safe operating stop / standstill monitoring, e.g. protection
zone open
The actual position FD_RED_ROUGH_POS [From Drive Redundant Rough Position] is permanently stored in the block and
verified as the standstill position when axis standstill monitoring is requested (AREA_PROTECTED =0). The standstill monitoring function is activated when the AREA_PROTECTED signal
is changed from 1 to 0. When standstill monitoring is active,
the system tolerates position changes by the value entered in
FD_RED_ROUGH_POS +/- the value that can be parameterized
by the user DELTA_INC_STANDSTILL [Delta Increments Standstill]. This yields both a positive and a negative standstill limit.
If the encoder value does not exceed the limits specified, then
ENABLE_AXIS=1 and the drive can still be controlled even if it
has stopped.
If the position is changed and one of the above-mentioned
limits violated, the monitoring function is violated and the
safe standstill function on the drive triggered via the output
block ENABLE_AXIS = 0, thus setting a restart inhibit.
The maximum delta increments permissible during standstill
are transmitted to the output block TD_DELTA_INC_SS [To
Drive Delta Increments Standstill]. They can thus be simultaneously monitored in SIMOTION.
Monitoring for safely limited speed, e.g. protection zone open
and enable function active
With AREA_PROTECTED=0 and ENABLE_MOTION=1, the minimum drive speed value is monitored. If this value is exceeded,
the block sets parameter ENABLE_AXIS =0.
FB300 must be called via the safety program using a time interrupt OB. The actual position of these two calls is saved via
FD_RED_ROUGH_POS yielding a delta. This delta may not exceed the value of MAX_ENC_INC_PER_TIME [Maximum Encoder Increments Per Time] parameterized at the input.
The following formula shows how to calculate the value to be
assigned to MAX_ENC_INC_PER_TIME from the speed to be
monitored:
Signals / values required:
■ a = max. speed
→ The SIMOTION controller can read out the max. speed
via the axis information entered in TypeOfAxis.SetPointDriverInfo.DriveData.maxSpeed
■ b = Leadscrew pitch
→ The SIMOTION controller can read out the leadscrew
pitch via the axis information entered in LeadScrew.pitchVal
■ c = Gear ratio 1
→ The SIMOTION controller can read out the gear ratio 1
via the axis information entered in TypeOfAxis.NumberOfDataSets.DataSet_(n).Gear.numfactor
■ d = Gear ratio 2
→ The SIMOTION controller can read out the gear ratio 2
via the axis information entered TypeOfAxis.NumberOfDataSets.DataSet_(n).Gear.denfactor
■ Number of increments per revolution (incremental encoder)
→ The SIMOTION controller can read out the relevant value via P408
■ Number of increments per revolution (absolute encoder)
→ The SIMOTION controller can read out the relevant value via P423
■ Time interrupt (call interval of the function block "F_DRIVE"
in a time interrupt OB)
→ The SIMOTION controller can read out the time interrupt via OB3X_EX_FREQ
Calculation:
The maximum speed is calculated as follows:
Vmax [mm/sec] = a x b x c / d / 60
The max. increments are calculated as follows:
Incmax [1/sec] = a x P408 (p423) / 60
The permissible increments are calculated as follows:
MAX_INC_PER_TIME = Incmax x (SLS / Vmax) x t / 1000
In addition, the block is notified about the maximum permissible speed in degrees resp. mm/s via the input MAX_SPEED
[Maximum Speed]. This value is compared with the value set
for FD_SPEED_SIMO [From Drive SIMOTION], analogously to
the speed monitoring function using increments.
FD_SPEED_SIMO is the speed which is transferred by the
SIMOTION controller to the FB300.
This value is stored using a CRC which has to be connected to
FD_CRC_SIMO [From Drive CRC SIMOTION]. The CRC is defined by the values FD_CRC_SIMO = "SIMOTION speed" and
FD_LIVE_SIGN = "sign of life".
The speed parameterized at MAX_SPEED is output by the output block TD_SPEED [To Drive Speed]. This speed is, for example, sent to the SIMOTION function block where it is monitored simultaneously.
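The MAX_INC_PER_TIME calculation and the two position-based checks described for "F_DRIVE" (increment limit per call, standstill window), as an added Python example that is not code from the function block or from Siemens. It evaluates the three formulas for a constructed axis and runs constructed position samples through the checks. The units (1/min, mm, ms), the rounding, the INT rollover handling and every class and function name are assumptions of this example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AxisData:
    """Values the page says are read from the SIMOTION axis configuration."""
    a: float          # max. speed (assumed 1/min, which the "/ 60" implies)
    b: float          # leadscrew pitch (assumed mm per revolution)
    c: float          # gear ratio 1 (Gear.numfactor)
    d: float          # gear ratio 2 (Gear.denfactor)
    inc_per_rev: int  # P408 (incremental encoder) or p423 (absolute encoder)
    t_ms: float       # call interval of the time interrupt OB (assumed ms)


def v_max(ax: AxisData) -> float:
    """Vmax [mm/sec] = a x b x c / d / 60"""
    return ax.a * ax.b * ax.c / ax.d / 60


def inc_max(ax: AxisData) -> float:
    """Incmax [1/sec] = a x P408 (p423) / 60"""
    return ax.a * ax.inc_per_rev / 60


def max_inc_per_time(ax: AxisData, sls: float) -> int:
    """MAX_INC_PER_TIME = Incmax x (SLS / Vmax) x t / 1000, as an S7 INT.

    sls is the speed to be monitored in mm/s. Rounding down and the range
    check are choices of this example: a smaller limit trips earlier.
    """
    if not 0 < sls <= v_max(ax):
        raise ValueError("monitored speed must lie within (0, Vmax]")
    limit = math.floor(inc_max(ax) * (sls / v_max(ax)) * ax.t_ms / 1000)
    if not 1 <= limit <= 32767:
        raise ValueError(f"limit {limit} does not fit a usable INT parameter")
    return limit


def wrapped_delta(new: int, old: int) -> int:
    """Signed difference of two 16-bit positions across an INT rollover
    (assumption: the page does not say how FB300 treats rollover)."""
    return (new - old + 32768) % 65536 - 32768


class PositionMonitor:
    """Per-cycle ENABLE_AXIS decision from FD_RED_ROUGH_POS (simplified:
    no ACK handling, no sign of life, no CRC)."""

    def __init__(self, max_enc_inc_per_time: int, delta_inc_standstill: int):
        self.max_inc = max_enc_inc_per_time
        self.delta_ss = delta_inc_standstill
        self.last_pos = None
        self.standstill_ref = None
        self.prev_area_protected = True
        self.enable_axis = True   # assumes the axis was already enabled via ACK

    def cycle(self, pos: int, area_protected: bool, enable_motion: bool) -> bool:
        delta = 0 if self.last_pos is None else wrapped_delta(pos, self.last_pos)
        if self.prev_area_protected and not area_protected:
            self.standstill_ref = pos   # latched on the 1 -> 0 change
        if area_protected:
            # Zone closed: no speed/standstill check, but ENABLE_MOTION may
            # only be high while AREA_PROTECTED = 0.
            if enable_motion:
                self.enable_axis = False
        elif enable_motion:
            # Zone open and enabling active: limit increments between two calls.
            if abs(delta) > self.max_inc:
                self.enable_axis = False
        else:
            # Zone open: position must stay within ref +/- DELTA_INC_STANDSTILL.
            if abs(wrapped_delta(pos, self.standstill_ref)) > self.delta_ss:
                self.enable_axis = False
        self.last_pos = pos
        self.prev_area_protected = area_protected
        return self.enable_axis   # stays 0 once tripped (restart inhibit)


def run_trace(monitor: PositionMonitor, trace):
    """Feed constructed (pos, AREA_PROTECTED, ENABLE_MOTION) samples."""
    return [monitor.cycle(*sample) for sample in trace]


# Constructed axis: 3000 1/min, 10 mm pitch, 1:1 gear, 2048 inc/rev, 10 ms OB.
AXIS = AxisData(a=3000, b=10, c=1, d=1, inc_per_rev=2048, t_ms=10)

if __name__ == "__main__":
    limit = max_inc_per_time(AXIS, sls=50)   # monitor 50 mm/s
    print("MAX_ENC_INC_PER_TIME =", limit)
    speed_trace = [(1000, True, False), (1000, False, True),
                   (1100, False, True), (1210, False, True), (1210, False, True)]
    print("ENABLE_AXIS per cycle:", run_trace(PositionMonitor(limit, 5), speed_trace))
```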
Unconditional trigger of safe standstill
The output ENABLE_AXIS can be directly set to 0 via the input
SAFE_STOP. This is achieved by setting SAFE_STOP to 0.
PROFIsafe CRC
The so-called PROFIsafe CRC has to be connected to the input
FD_CRC_PSAFE [From Drive CRC PROFIsafe]. This CRC is defined by the redundant coarse position and the START-CRC in
the SMx20 encoder module. The PROFIsafe CRC is simulated
in the function block "F_DRIVE" and compared with the CRC already transmitted. To simulate the PROFIsafe CRC, encoder information such as the redundant coarse position data has to
be transmitted to the formal operand FD_RED_ROUGH_POS
and the START-CRC to the operand FD_START_CRC.
Coarse position in relation to the redundant inverted coarse
position
In addition to the redundant coarse position, forwarded to
FD_RED_ROUGH_POS, the standard coarse position information of the encoder has to be transferred to the relevant block
parameter FD_ROUGH_POS. FB300 then checks whether
these two values match.
START-CRC
The START-CRC is applied to parameter FD_START_CRC. The
PROFIsafe CRC is again defined from the redundant coarse position.
The START-CRC consists of the one-to-one NODE-ID of the SMx
20 encoder module.
This information avoids incorrect resp. double addressing,
thus applying the PROFIsafe principle "Identification for transmitter resp. receiver".
SIMOTION CRC
The FD_SPEED_SIMO and FD_LIVE_SIGN data transmitted by
the SIMOTION controller are saved by the SIMOTION function
block using a CRC. This is expected at the input
FROM_DRIVE_8 and simulated resp. compared in FB300.
Version comparison
The consistency of the function blocks "SIMOTION" and
"Simatic F-CPU" is checked by means of a certain number before they can be used. The correct version of the SIMOTION
function block has to be created at the input FD_VERSION
[From Drive Version].
Stop categories
The delay times for Stop category 1 are to be stored in the
safety program by means of an application.
In SIMOTION Version V4.0 / SINAMICS 2.4 or later, OFF 3 can
be parameterized upon triggering of safe standstill stating a
delay time for the safe standstill.
Plausibility check: Motion command for the speed
The SIMOTION controller must transfer a motion command to
the block via the input FD_CONTROL_MESSAGE, where 1 corresponds to setpoint = 0 and 0 corresponds to setpoint ≠ 0. The
plausibility of these two signal states is checked by the block,
by opposing the signal FD_SPEED_SIMO. If the plausibility
check yields a negative result, the output ENABLE_AXIS is reset.
Plausibility check: Safe standstill and feedback
Safe drive standstill is triggered via the output ENABLE_AXIS.
The drive feedback stating that the Safe standstill function has
been activated has to be connected to the input block FEEDBACK.
These two signals are checked for discrepancy by means of an
equivalent (identical signal states) evaluation. Non-equivalent
values (non-identical signal states) of up to 500ms are tolerated. When the time discrepancy has expired, the output
ENABLE_AXIS is set to 0. The output can only be reset after restarting the CPU. The current status of the inputs
ENABLE_AXIS and FEEDBACK can be visualized via the output
ERROR.
ERROR = 0 → ENABLE_AXIS and FEEDBACK are equivalent
ERROR = 1 → ENABLE_AXIS and FEEDBACK show non-equivalent statuses when the time discrepancy of 500ms has expired.
Safe standstill feedback
Information regarding parallel evaluation
In order to implement the drive function monitoring option
also on the SIMOTION controller, the function block "F_DRIVE"
notifies the SIMOTION drive system about the functions required via the output TD_CONTROL_MESSAGE. These signals
are connected to the output DIAG for diagnostic purposes.
Diagnostic information from the F-CPU diagnostic word
Diagnosis message
Porting PROFIsafe to the application
Safe position detection is based on three signals:
■ Coarse position
■ Redundant inverted coarse position
→ Fail-safe principles: Two channels and diversity
■ CRC via the redundant coarse position
→ Plausibility check
Before these safe signals can be transferred from the
SIMOTION controller to the F-CPU, you have to port the
PROFIsafe profile to the relevant application.
This is why the error detection measures are ported from
PROFIsafe to the communication between the SIMOTION controller and the F-CPU.
CRC via SIMOTION speed and runtime
CRC via coarse position
Start CRC / CRC via coarse position
Repetition
X
Loss
X
X
Insertion
X
X
Incorrect sequence
X
X
Corrupted data
X
Delay
X
Linking of safety-related and standard
messages (masquerade)
X
FIFO error
X
PROFIsafe principles
CRC data backup
Identifier for
transmitter
and receiver
Time expected with
acknowledgement
Serial number
Sign of life
X
X
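The error detection measures named above (sign of life as serial number, time expected with acknowledgement via F_TIME, START-CRC as identifier, CRC data backup, and the coarse position compared with its redundant inverted copy), as an added Python example that is not code from FB300 or from Siemens. The CRC polynomial, the byte order, the bitwise inversion of the redundant position, the way a new sign of life is derived and all names are assumptions of this example; the telegrams are constructed.

```python
from dataclasses import dataclass, replace

SIGN_OF_LIFE_STEP = 15   # from the page: the drive side increments by 15
NODE_ID = 0x0011         # constructed NODE-ID of the expected encoder module


def crc16(data: bytes, start: int = 0) -> int:
    """Bitwise CRC-16, polynomial 0x1021, used as a stand-in: the page does
    not give the polynomial that FB300 uses."""
    crc = start & 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


def words(*values: int) -> bytes:
    """Pack 16-bit words big-endian (byte order is an assumption)."""
    return b"".join((v & 0xFFFF).to_bytes(2, "big") for v in values)


@dataclass(frozen=True)
class Telegram:
    live_sign: int       # FD_LIVE_SIGN
    speed: int           # FD_SPEED_SIMO
    crc_simo: int        # FD_CRC_SIMO: CRC via sign of life and speed
    rough_pos: int       # FD_ROUGH_POS
    red_rough_pos: int   # FD_RED_ROUGH_POS (assumed bitwise-inverted copy)
    crc_psafe: int       # FD_CRC_PSAFE: CRC via RGL, seeded with START-CRC


def build_telegram(live_sign: int, speed: int, pos: int, node_id: int) -> Telegram:
    """What a correctly working sender with the given node id would emit."""
    red = ~pos & 0xFFFF
    return Telegram(live_sign, speed, crc16(words(live_sign, speed)),
                    pos, red, crc16(words(red), start=node_id))


class TelegramChecker:
    """Receiver side: recompute every check value and compare."""

    def __init__(self, start_crc: int, f_time_ms: int):
        self.start_crc = start_crc   # FD_START_CRC
        self.f_time_ms = f_time_ms   # F_TIME
        self.td_live_sign = 0        # sign of life last transmitted
        self.last_ok_ms = 0

    def check(self, tg: Telegram, now_ms: int) -> tuple:
        errors = []
        expected = (self.td_live_sign + SIGN_OF_LIFE_STEP) & 0xFFFF
        if tg.live_sign == expected:
            # Derive the next sign of life from the one received (serial number).
            self.td_live_sign = (tg.live_sign + 1) & 0xFFFF
            self.last_ok_ms = now_ms
        elif now_ms - self.last_ok_ms > self.f_time_ms:
            errors.append("sign of life timeout")   # tolerated only until F_TIME
        if crc16(words(tg.live_sign, tg.speed)) != tg.crc_simo:
            errors.append("SIMOTION CRC")
        if crc16(words(tg.red_rough_pos), self.start_crc) != tg.crc_psafe:
            errors.append("PROFIsafe CRC")
        if tg.rough_pos != (~tg.red_rough_pos & 0xFFFF):
            errors.append("coarse position mismatch")
        return tuple(errors)   # empty tuple: ENABLE_AXIS may stay set


def demo() -> dict:
    """Run constructed fault cases and return the findings per case."""
    good1 = build_telegram(15, 120, 4000, NODE_ID)
    good2 = build_telegram(31, 120, 4010, NODE_ID)
    seq = TelegramChecker(NODE_ID, f_time_ms=50)
    results = {"in sequence": (seq.check(good1, 0), seq.check(good2, 10))}
    results["repeated, within F_TIME"] = seq.check(good2, 20)
    results["repeated, F_TIME expired"] = seq.check(good2, 70)

    def fresh() -> TelegramChecker:
        return TelegramChecker(NODE_ID, f_time_ms=50)

    results["corrupted speed"] = fresh().check(replace(good1, speed=121), 0)
    results["other encoder node"] = fresh().check(
        build_telegram(15, 120, 4000, 0x0012), 0)
    results["positions disagree"] = fresh().check(replace(good1, rough_pos=4001), 0)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case:26s} {findings}")
```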
Integration of F_DRIVE
Starting up the Program Section in the F-CPU
Before you can start up this program section successfully, you
have to acquire the relevant safety knowledge and familiarize
yourself with the Distributed Safety tool.
Output variables
A sample start up is performed using the IM151 F-CPU module.
Hardware configuration of the fail-safe components
Fail-safe runtime group configuration
The configuration parameters for the fail-safe runtime group
must be set in order to provide swift response times.
The safety program has to be called in a time interrupt task
(time interrupt OB).
The configuration of the fail-safe program has to be performed and tested accordingly, as described in the manual
"Distributed Safety Configuring and Programming".
Module 4/8 F-DI:
Fail-safe input module for protective equipment, enabling and
acknowledgement.
Module 4 F-DO:
Fail-safe output module for activating the channels 1 and 2 for
the "Safe standstill" function of the SINAMICS drive system.
I/O variables for the function block "F_DRIVE"
Input variables
Input signal conditioning
The incoming operand AREA_PROTECTED can be linked to the
conditioned signal transmitted from one or several protective
doors (see page 452).
You can use, for example, the function block "F_SFDOOR"
from the Distributed Safety library to evaluate the signals
transmitted from a protective door:
Function block "EN_SW1"
In order to transmit the axis enable of the function block
"F_DRIVE" via the output parameter ENABLE_AXIS (see fig.) to
two outputs of a fail-safe output module, you have to link a
static variable such as ENABLE_AXIS to the output block.
The subsequent network links this static variable to the appropriate outputs by means of parameter assignment.
Function block "SF_DOOR"
Axis enable link
Depending on the respective application, the incoming operand ENABLE_MOTION can be linked to the conditioned signal
of an acknowledgement button.
You can use, for example, the function block "EN_SW_1" from
the SIMATIC S7 F/P library to evaluate signals transmitted from
an acknowledgement button.
The block description of the SIMATIC S7 F/P V2.0 press safety
library provides a detailed description of this block.
Certificates
EC-type examination certificate for SINAMICS S120 booksize "SH/SBC"
TÜV certificate (issued by the TUEV Group, German Technical Inspectorate) for SIMATIC S7 - Distributed Safety
TÜV Certificate No.: Z2 02 03 20411 009 "SIMATIC S7 Distributed Safety", March 26, 2002
BG-Certificate for function block "F_DRIVE"
SINAMICS G120 - controlled via PROFIbus
Safety functions using PROFIsafe, Category 3 (EN 954-1)
or SIL 2 (IEC 61508)
Automation function
Description of the functionality
Functionality of the function example
The SINAMICS G120 drive inverter is a modular drive inverter
system that essentially comprises the two function units Control Unit (CU) and Power Module (PM).
When using the Control Unit CU240S DP-F, you have access to
the following safety functions that are integrated in the drive
inverter:
Designation | Function | Description
STO | Safe Torque Off | Prevents the drive from accidentally starting (acc. to EN 60204). The drive is safely brought into a no-torque condition. Preventing a restart does not require electrical isolation between the motor and drive inverter.
SS1 | Safe Stop 1 | The drive is quickly stopped and safely monitored (acc. to EN 60204). Independent and continuous monitoring guarantees the shortest response times when a fault occurs. A speed encoder is not required.
SLS | Safely Limited Speed | The drive speed is limited and monitored (acc. to EN 60204). Independent and continuous monitoring guarantees the shortest response times when a fault occurs. A speed encoder is not required.
SBC | Safe Brake Control | An external brake is safely controlled. In this case, it is necessary to use the Safe Brake Relay.
(all safety functions are certified according to EN 954-1, Cat. 3
and IEC 61508, SIL 2)
The safety functions are either controlled through two fail-safe digital inputs (4 digital inputs, which are evaluated
through 2 channels in a fail-safe fashion in the CU 240S DP F)
or via PROFIsafe in conjunction with a fail-safe CPU.
Task description
A SINAMICS G120 with its integrated safety functions is to be
controlled using an S7-300 F CPU via PROFIBUS.
Solution
In this particular function example, a specific program example will be used to demonstrate the control of a SINAMICS
G120 (control word and frequency setpoint) and the control
of the safety-relevant functions (STO, SLS and SS1) in an
S7-300-F CPU.
This program example comprises an S7 program to control
the SINAMICS G120, an S7 safety program and a configured
SINAMICS G120.
Advantages / customer benefits
Combining safety-relevant and standard programs in one
common CPU and establishing communications between the
CPU and drive inverter via a common Profibus simplify the system design.
The safety functions are integrated in the drive inverter and
are implemented without any speed feedback signal. This
means that to some extent complex external shutdown and
monitoring devices can be eliminated.
A SINAMICS G120 with Safety Control Unit can replace an
existing drive inverter. This means that safety functions can
be added to an existing system with low associated costs and
expenditure.
Functional Example No. SD-FE-I-001-V11-EN
Restrictions
Caution
Please take careful note that the two safety functions
SLS and SS1 may not be used for loads that can drive
the motor or loads that are continually in the regenerative mode.
Elevating platforms, winders and wind turbines are examples of such loads that can drive the motor or continually
regenerate into the line supply.
An important prerequisite when using fail-safe functions is that the closed-loop control functions absolutely perfectly. The drive (system comprising the drive
inverter + motor + driven load) must be engineered so
that all operating situations of the particular application are always completely under control.
Caution
After the STO and SS1 safety functions have been activated there is no electrical isolation between the line
power supply of the SINAMICS G120 and the motor. If
this electrical isolation is required in your particular application, then you must install an appropriate line
contactor upstream of the SINAMICS G120.
Required components
An overview of the hardware and software components
required for the function example is provided here.
Hardware components
Component | Type | Order No | Qty | Manufacturer
S7 control
Power supply | PS307 5A | 6ES7307-1EA00-0AA0 | 1 | Siemens AG
S7-F CPU | CPU 317F-2DP | 6ES7317-6FF00-0AB0 | 1 | Siemens AG
Memory Card | MMC 2MB | 6ES7953-8LL11-0AA0 | 1 | Siemens AG
DI / DO simulation module | SM374 | 6ES7374-2XH01-0AA0 | 1 | Siemens AG
Safety digital input | SM326 | 6ES7326-1BK01-0AB0 | 1 | Siemens AG
Front connector | 40 pol | 6ES7392-1AM00-0AA0 | 1 | Siemens AG
Profile rail | Profile rail | 6ES7390-1AE80-0AA0 | 1 | Siemens AG
PROFIBUS connector | PROFIBUS connector | 6ES7972-0BB50-0XA0 | 1 | Siemens AG
PROFIBUS cable | PROFIBUS cable | 6XV1830-3BH10 | 2m | Siemens AG
Drive
SINAMICS G120 Control Unit* | CU240S DP F | 6SL3244-0BA21-1PA0 | 1 | Siemens AG
SINAMICS G120 Power Module* | PM240 | 6SL3224-0BE21-5UA0 | 1 | Siemens AG
Basic Operator Panel* | BOP | 6SL3255-0AA00-4BA1 | 1 | Siemens AG
Motor* | Three-phase induction motor | 1LA7060-4AB10 | 1 | Siemens AG
PROFIBUS connector | PROFIBUS connector | 6GK1500-0FC00 | 1 | Siemens AG
Command devices
Empty enclosure | Empty enclosure with 4 command sources (e.g. pushbuttons) | 3SB3804-0AA3 | 1 | Siemens AG
Emergency Stop mushroom pushbutton (to activate STO and SS1) | Emergency Stop mushroom pushbutton | 3SB3000-1HA20 | 2 | Siemens AG
Mushroom pushbutton (to activate SLS) | Mushroom pushbutton, red | 3SB3000-1DA21 | 1 | Siemens AG
Pushbutton (acknowledge safety functions) | Pushbutton, red | 3SB3000-0AA21 | 1 | Siemens AG
Contact | 1NC, screw terminal | 3SB3420-0C | 6 | Siemens AG
Contact | 1NO, screw terminal | 3SB3420-0B | 2 | Siemens AG
As an alternative to the components marked with *, the
SINAMICS G120 training case can also be used that is additionally equipped with a 24V HTL encoder and a mechanical brake.
This training case can be ordered by specifying Order No.
6ZB2480-0CD00.
Note
The functionality was tested with the specified hardware components. Similar components that are different from those listed above can be used. Please note
that in such a case it may be necessary to change the
code example (e.g. setting other addresses).
Software components
Component | Type | Order No | Qty | Manufacturer
SIMATIC STEP 7 | V5.3 + SP3 | 6ES7810-4CC07-0YA5 | 1 | Siemens AG
SIMATIC Distributed Safety | V5.4 | 6ES7833-1FC02-0YA5 | 1 | Siemens AG
Drive ES BASIC | V5.4 | 6SW1700-5JA00-4AA0 | 1 | Siemens AG
Configuration and wiring
The hardware configuration and connecting-up the function
example are described in this Chapter.
Please carefully observe the following safety information & instructions when using the SINAMICS G120:
Warning
The SINAMICS G120 has hazardous voltages and controls rotating mechanical parts that can also be potentially hazardous. If the warning information is not
observed or the information & instructions from the
instructions belonging to SINAMICS G120 are not
complied with, this could result in death, severe bodily
injury or significant material damage.
Overview of the hardware configuration
Connecting-up the hardware components
S7-300 control and CU240S DP F
PM240 and motor
For more detailed information regarding the installation please refer to the SINAMICS G120 Hardware Installation Manual Power
Module PM240
Fault 395 (acceptance test / acknowledgement present)
Fault F395 is output when powering-up for the first time and
after replacing the Control Unit CU or the Power Module PM.
This fault does not represent an incorrect drive inverter function. The reason for this fault message is to monitor the individual drive inverter components (CU and PM) to prevent
them from being replaced by unauthorized personnel.
Acknowledging fault F395
To acknowledge the F395 in conjunction with a CU240S DP F,
proceed as follows:
■ Set parameter p0010 to 30
■ Enter the safety password (standard = 12345) into
parameter p9761
■ Set parameter p7844 to 0
■ F395 will no longer be displayed
■ For safety reasons you now have to run an acceptance test.
For more information see the G120 Operation Instructions,
Appendix, Acceptance Log.
For information:
For a CU without safety information it is sufficient to
acknowledge fault F395 using "acknowledge fault"
(SINAMICS G120 terminal strip or PROFIBUS).
Important hardware component settings
Most of the module/board settings are made in the HW Config
in the software. Hardware settings are only required for the
following modules/boards.
The modules/boards must be set with the control system in a
no-voltage state.
SM374 simulation module
This module can be operated as 16 x DO (output via LED),
16 x DI (input via switch) or as combined 8 x DI / 8 x DO.
The last combination is used in this function description.
The function of the module is selected using a rotary switch
behind the front cover between the series of switches.
■ As shown in the following diagram set the function
switches to the setting 8 x Output 8 x Input.
Safety digital input module SM326
Before installation, the PROFIsafe address must be set at the
rear of the module according to HW Config.
■ Set the DIL switches as shown in the following diagram.
SINAMICS G120, CU240S DP F
Two DIP switch blocks are located under the BOP (Operator
Panel) in the upper section of the module.
The upper DIP switch block is for general CU functions - and is
not relevant for this function example.
General I/O DIP switch (figure; labels: AI0, AI1, 0-10 V, 0-20 mA, 5 V Encoder Supply, 24 V Encoder Supply, Encoder A termination, Encoder B termination, Encoder Z termination, ON, OFF)
The Profibus address of the SINAMICS G120 can be set using
the lower DIP switch block. Alternatively, the PROFIBUS address can also be set using parameter p918. It should be noted
that the setting using DIP switches has priority over parameter
p918.
■ Set the DIP switches to address 10 as shown in the following diagram.
PROFIBUS Address DIP switch (figure; labels: Bit 0 to Bit 6 with the values (1), (2), (4), (8), (16), (32), (64), ON, OFF)
Overview of inputs and outputs
Simulation module SM374
Address | Function | Symbolic address | Default | Explanation
O 0.0 | Indicator lamp Safety functions active or error | Safe_stop_or_error | 0 | Activated safety functions (flashing light) and faults (steady light) are signaled via this output.
I 0.0 | SINAMICS G120 start | Start_G120 | 0 | The motor connected to SINAMICS G120 is started by activating the input.
I 0.7 | Acknowledge error | ACK_error | 0 | Fault messages that are present can be acknowledged using this input.
Safety digital input module SM326
Overview of the pushbuttons that are connected:
Address | Function | Symbolic address | Default | Explanation
I 24.0 | STO pushbutton | Safety_PB_STO | 1 | The safety function STO (Safe Torque Off) is initiated using this pushbutton
I 24.1 | SS1 pushbutton | Safety_PB_SS1 | 1 | The safety function SS1 (Safe Stop 1) is initiated using this pushbutton
I 24.2 | SLS pushbutton | Safety_PB_SLS | 1 | The safety function SLS (Safely Limited Speed) is initiated using this pushbutton
I 24.3 | Pushbutton for safety functions and acknowledging faults | Safety_PB_ACK | 0 | The activated safety functions and fault messages that may be present are acknowledged
SINAMICS G120
The SINAMICS G120 is controlled and the feedback signals
read-in via the I/O addresses listed below.
Address | Designation | Function
S7 program -> SINAMICS G120
PQW256 | STW1 | Control word 1
PQW258 | N_SOLL_A | Frequency setpoint
PQW260 | M_LIM | Torque setpoint
PQW262 | STW2 | Control word 2
PQW264 | - Reserve - | - Reserve -
PQW266 | - Reserve - | - Reserve -
SINAMICS G120 -> S7 program
PIW256 | ZSW1 | Status word 1
PIW258 | N_IST_A_GLATT | Frequency actual value
PIW260 | I_IST_GLATT | Current actual value
PIW262 | ZSW2 | Status word 2
PIW264 | FAULT_CODE | Fault number
PIW266 | WARN_CODE | Alarm number
For more detailed information about the configuration of the
individual signals, please refer to SINAMICS G120 Operating
Instructions Control Unit CU240S, Chapter Commissioning
(software), Commissioning with PROFIBUS DP.
The safety functions of the SINAMICS G120 are controlled
from the S7 safety program and the status of the safety functions of the SINAMICS G120 is signaled back to the S7 safety
program using the following signals:
Address | Symbolic address | Function
S7 safety program -> SINAMICS G120
O 14.0 | Safety_S7->G120_STO | By switching out this signal, the STO function (Safe Torque Off) is activated in the SINAMICS G120
O 14.1 | Safety_S7->G120_SS1 | By switching out this signal, the SS1 function (Safe Stop 1) is activated in the SINAMICS G120
O 15.0 | Safety_S7->G120_SLS | By switching out this signal, the SLS function (Safely Limited Speed) is activated in the SINAMICS G120
SINAMICS G120 -> S7 safety program
I 14.0 | Safety_G120->S7_STO | Feedback signal from SINAMICS G120 to the S7 safety program, STO (Safe Torque Off) was activated
I 14.1 | Safety_G120->S7_SS1 | Feedback signal from SINAMICS G120 to the S7 safety program, SS1 (Safe Stop 1) was activated
I 15.0 | Safety_G120->S7_SLS | Feedback signal from SINAMICS G120 to the S7 safety program, SLS (Safely Limited Speed) was activated
Download
S7 program
To download the S7 program, you will require a connection
between the MPI interface of your PG/PC and the MPI interface
of the S7 CPU.
■ Start the SIMATIC Manager.
■ De-archive the function example supplied.
■ Open the Safety application G120 project.
■ Open HW-Config and download this into the control. After
the download re-close HW-Config.
■ In the SIMATIC Manager, select CPU 317F-2.
■ Open the Safety Program dialog box using Options > Edit
safety program.
■ Press the Download button and in the dialog window that
is then displayed, press Yes to download the standard
blocks.
■ Enter siemens as password in the dialog window
Password for Safety Program.
■ After you have successfully downloaded the standard
blocks you can re-close the Safety Program dialog box.
After the download, changeover the interface of your PC/PG
to PROFIBUS and changeover the connecting cable to the
PROFIBUS interface of the S7-CPU. You can access all of the devices of your configuration from this interface.
SINAMICS G120 configuration
When this has been completed, download the SINAMICS G120
configuration using the STARTER parameterizing tool.
■ Starting from the main path of the SIMATIC Manager, start
the STARTER parameterizing software by double clicking on
the SINAMICS_G120 icon.
■ Then, in the Project Navigator of the STARTER parameterizing software select the object "SINAMICS_G120" (1.) and
press the button (2.) to establish the online connection to the drive inverter.
■ After you have established the online connection, press
the button to download the SINAMICS G120 drive
parameters.
■ Follow the instructions on the screen and acknowledge the
prompt "After loading, copy RAM to ROM".
■ You must then enter the safety parameters of the
SINAMICS G120. For safety reasons these may not, and cannot,
be transferred into the drive inverter by downloading from the PG / PC.
■ First, the PROFIsafe destination address must be entered
into parameter p9810. To do this, in the Project Navigator,
highlight the object "SINAMICS_G120" (1.) and after pressing the righthand mouse key, select the expert list using
Expert > Expert list. Then, enter a value of 200 into parameter p9810.
■ In the Project Navigator, select Functions and then open
the dialog box for the safety functions by double clicking on
Safety Integrated.
■ Lower section: Here, the monitoring of the Safe brake control module can be activated; however, this is not used in
this particular function example.
Ex. No.
It should be noted that the parameterization is always carriedout twice (in this screen form this can be identified as a result
of the two switch symbols in series). The reason for this is that
for the two processors in SINAMICS G120 - that operate in parallel and must provide the same result - there are separate parameter sets for safety reasons.
5.1
After you have parameterized the enable signals, then select
the tab Safe Torque Off.
"Safe Torque Off (STO") tab
■ Then press the button Change settings and enter 12345
(standard password) in the password screen that then
opens.
■ From the following screen forms transfer the appropriate
values into your project. Take into consideration that in
certain instances there are different value formats for processor 1 and 2 (e.g. s and ms, Hz and kHz).
"Enables" tab
The shutdown paths of a safety-relevant plant or system must
be subject to a forced checking procedure at regular intervals.
This is in order to identify "dormant" errors. SINAMICS G120
automatically carries out a forced checking procedure of the
shutdown paths in the drive unit. This procedure is known as
the forced checking procedure.
A reduced form of the forced checking procedure limited to
self-test the brakes and processor is always automatically executed after "Safe Torque Off" (STO) is exited. This type of
forced checking procedure is known as the process checking
procedure.
In this screen form you parameterize the source from which
you activate the SINAMICS G120 safety functions. Please note
that the safety functions can either be controlled via
PROFIsafe or via the safety digital inputs.
■ Upper section: Path to activate via PROFIsafe (this is used in
this particular function example).
■ Center section: Path to activate via the Safe digital input 0
and 1.
474
Functional Example No. SD-FE-I-001-V11-EN
Further, by appropriately parameterizing the system, it is possible to initiate a forced checking procedure each time that
STO is exited.
■ Upper section: Using Test of the shutdown channels
when leaving STO, you can select how the forced checking
procedure for the shutdown channels is carried-out.
– Activated: A forced checking procedure is carried-out
each time the drive unit is powered-up and when exiting
"Safe Torque Off" (STO). Checking the shutdown channels
takes approximately 2.4 s. This delay time must be
taken into account at each On command.
– Deactivated: The shutdown channels are only checked
after the function "Latched Safe Torque Off" (LSTO) when
an error occurs. When exiting an STO, a delay time is not
incurred as only the process checking procedure is carried-out.
Safe Stop 1 (SS1) tab
■ Center section: When activating the safety functions via the
safe digital inputs of the SINAMICS G120, a debounce time
and a filter for the response time can be set here. These
settings are not relevant for the function example
described here.
■ Lower section: The SINAMICS G120 automatically monitors
when a forced checking procedure was last carried-out.
Set the time up to the next forced checking procedure
in the field Test periods for shutdown paths. The time can
be selected between 0.1 and 8760 hours (6 min up to
1 year). The timer is re-started after each forced checking
procedure. Alarm A1699 is output in operation to indicate
that this monitoring time has expired. A process checking
procedure does not replace a forced checking procedure and
therefore does not reset the timer.
After you have parameterized the Safe Torque Off function,
select the tab Safe Stop 1.
The parameters relevant for "Safe Stop 1" (SS1) are set in this
screen form.
■ (1.) Using the threshold value Standstill detection, define
the speed at which standstill (zero speed) is detected and
"Safe Torque Off" (STO) is activated. Please note that the
value should be entered once in kHz and once in Hz.
■ (2.) The Ramp-down time Tr for SS1 ... should then be
entered. Please note that the value is entered once in s and
once in ms. The ramp-down time Tr always refers to the
safety reference frequency of 200 Hz in the drive itself. This
ramp-down time is also used for the deceleration for
"Safely Limited Speed" (SLS).
■ (3.) The monitoring tolerance is set using Delay Tv, until
monitoring active. The drive inverter continually monitors
- with tolerance Tv - the braking of the drive. If the tolerance is selected too low, then the monitoring function
could be incorrectly tripped. If the tolerance is too high,
then if an actual fault does develop, an unnecessarily long
time is wasted. Please note that the value is entered once
in s and once in ms.
After you have parameterized the function Safe Stop 1, select
the tab Safely Limited Speed.
Safely Limited Speed (SLS) tab
The parameters relevant for "Safely Limited Speed" are entered in this screen form.
■ (1.) The SLS mode is defined here. The following three
modes - with the appropriate properties - are available:

| SLS mode | Properties |
|---|---|
| Mode 0 | Limiting to a safely limited speed. If, when SLS is activated, the actual frequency is greater than the Upper tolerance limit for velocity monitoring, SS1 is activated and then LSTO (safe torque shutdown with latching). If, when SLS is activated, the actual frequency lies between the Upper tolerance limit for velocity monitoring and the Setpoint for SLS, then the Setpoint for SLS is activated. The frequency cannot be changed. If the actual frequency lies below the Setpoint for SLS, the actual frequency is kept. The frequency cannot be changed. STO is activated if the actual frequency falls below 1 Hz. The drive can be stopped using OFF2, withdrawing/cancelling the function or by activating another safety function. |
| Mode 1 | Reducing to a safely limited speed. If, when activating SLS, the actual frequency is greater than the Upper tolerance limit for velocity monitoring, the Setpoint for SLS is activated and the drive is braked down to this setpoint using the safe braking ramp. If the actual frequency lies below the Setpoint for SLS, the actual frequency is kept. The frequency cannot be changed. STO is activated if the actual frequency drops below 1 Hz. The drive can be stopped using OFF2, withdrawing the function or by activating another safety function. |
| Mode 2 | Limiting to a safely limited speed - the speed can be changed. If, when activating SLS, the actual frequency is greater than the Upper tolerance limit for velocity monitoring, LSTO (safe torque shutdown with latching) is activated. If, when activating SLS, the actual frequency lies below the Upper tolerance limit for velocity monitoring, the frequency is kept. The frequency can be changed between 1 Hz and the Upper tolerance limit for velocity monitoring (Caution: For V/f, take into account the slip compensation). If the actual frequency drops below 1 Hz or the Upper tolerance limit for velocity monitoring is reached, STO is activated. If the upper tolerance limit for velocity monitoring is exceeded, then STO is latched i.e. LSTO. The drive can be stopped with ON/OFF1 and the remaining OFF commands - but it can only be re-started if SLS has been withdrawn. |

Please refer to the Operating Instructions CU240S, Chapter
Functions under Fail-safe Functions for more detailed information about the SLS modes.
■ (2.) These input fields are displayed for SLS mode (1.) 0
and 1. Setpoint for SLS is used to set the frequency to
which the frequency setpoint is internally limited in the
drive unit after the function Safely Limited Speed SLS has
been selected. Please note that the value is entered once
in Hz and once in kHz.
■ (3.) The monitoring limit is set using the Upper tolerance
limit for velocity monitoring. If Safely Limited Speed SLS
is active and the actual speed exceeds this value, then
SINAMICS G120 outputs a fault message and goes into the
safe condition (Safe Torque Off, STO). Please note that the
value should be entered once in Hz and once in kHz.
■ After you have made all of the settings press the Accept
settings button.
■ You can now change the standard password. If you are still
not certain that your safety parameterization has been
completed, then you should press the Later button.
However, after you have completed the commissioning
phase, do not forget to change the standard password to a
password known only to you or to a person that you trust.
Only then can you be sure that only authorized persons can
change/modify safety parameters.
■ To complete the parameterization of the safety functions
you must now acknowledge the checksums of the two processors. To do this, transfer the first checksum, processor 1
into the set checksum, processor 1. Do exactly the same for
the checksum of processor 2.
Please note that the two actual checksums and therefore
the two set checksums must be the same. If this is not the
case, then you must re-check your parameterization of the
safety functions and resolve the different values.
■ If you don't wish to set any additional parameters, then you
can now exit the STARTER commissioning tool.
■ To do this first disconnect the PG/PC from SINAMICS G120
by pressing the button.
■ You can then exit STARTER using Project > Close or by
pressing the button.
■ You'll now be prompted to save changes - acknowledge this
with Yes.
Function test
The function test can be carried-out, if
■ The hardware components are connected-up
■ The hardware settings have been made
■ The S7 project is in the CPU
■ The configured software has been downloaded into the
SINAMICS G120 and the safety functions have been
parameterized
■ The CPU is in the RUN state.

| No. | Action | Response |
|---|---|---|
| 1 | If it is pressed, release the Emergency Stop pushbutton | |
| 2 | Press the pushbutton "Acknowledge safety functions and faults" | The signal lamp (A0.0) for "Safety functions activated or fault" goes dark. At SINAMICS G120 LEDs RDY, STO, SS1 and SLS are bright -> the drive and all of the safety functions are in the ready state. |
| 3 | Press the switch "SINAMICS G120 Start" | The motor starts to run. |

Safety function STO (Safe Torque Off)

| No. | Action | Response |
|---|---|---|
| 1 | Press the Emergency Stop pushbutton STO | The motor coasts down and is not braked. The signal lamp (A0.0) for "Safety functions activated or fault" starts to flash. At the SINAMICS G120 the LED ES is bright and LED STO flashes -> STO is active, the motor is brought into a no-torque condition. At the SINAMICS G120 the alarm A1696 is displayed -> this alarm is displayed as long as the start signal is still present. |
| 2 | De-activate the control of the SINAMICS G120 using the switch "SINAMICS G120 Start". | At the SINAMICS G120 the alarm A1696 is no longer displayed. |
| 3 | Release the Emergency Stop pushbutton STO and press the pushbutton "Acknowledge safety functions and faults" | The signal lamp (A0.0) for "Safety functions activated and fault" goes dark. At the SINAMICS G120, the LEDs RDY, STO, SS1 and SLS are bright -> the drive and all safety functions are in the ready state. |
| 4 | Press the switch "SINAMICS G120 Start" | The motor starts to operate again. |

Safety function SS1 (Safe Stop 1)

| No. | Action | Response |
|---|---|---|
| 1 | Press the Emergency Stop pushbutton SS1 | The motor follows the parameterized braking ramp down to the minimum frequency and stops. The signal lamp (A0.0) for "Safety functions activated and fault" starts to flash. At the SINAMICS G120 the LED ES is bright and LED SS1 flashes -> SS1 is active, the motor has been brought into a no-torque condition. At the SINAMICS G120 alarm A1696 is displayed -> this alarm is displayed as long as the start signal is present. |
| 2 | De-activate the control of the SINAMICS G120 using the switch "SINAMICS G120 Start". | The alarm A1696 is no longer displayed at the SINAMICS G120. |
| 3 | Release the Emergency Stop pushbutton SS1 and press the pushbutton "Acknowledge safety functions and faults" | The signal lamp (A0.0) for "Safety functions activated or fault" goes dark. At the SINAMICS G120 the LEDs RDY, STO, SS1 and SLS are bright -> the drive and all of the safety functions are in the ready state. |
| 4 | Press the switch "SINAMICS G120 Start" | The motor starts to operate again. |

Safety function SLS (Safely Limited Speed)

| No. | Action | Response |
|---|---|---|
| 1 | Press the pushbutton SLS and keep it pressed | The motor follows the parameterized braking ramp down to the safely limited speed. The signal lamp (A0.0) for "Safety functions activated and fault" is not bright (is dark). At the SINAMICS G120 the LED ES is bright and LED SLS flashes -> SLS is active, the motor is monitored to ensure that it does not exceed the safely limited speed. |
| 2 | Release pushbutton SLS again | The motor accelerates back to the normal speed. At the SINAMICS G120 LEDs RDY, STO, SS1 and SLS are bright -> the drive and all safety functions are in the ready state. |

Acceptance test and acceptance report
An acceptance test must be carried-out when the machine is
commissioned for the first time and also if a completely saved
set of the safety-relevant parameters is changed. This procedure is used to verify the safety-relevant parameters. This acceptance test must be appropriately documented. The acceptance reports must be appropriately stored and archived.
The checksum ensures that all subsequently made changes
are identified.
Information about the acceptance test and the acceptance report are provided in SINAMICS G120 Operating Instructions
Control Units CU240S in the Chapter Commissioning (software).
An example of an acceptance report is provided in the
SINAMICS G120 Operating Instructions Control Units
CU240S in the Appendix.
Key performance data
Load memory and working memory

| | Total |
|---|---|
| Load memory | approx. 54 k |
| Working memory | approx. 39 k |

Cycle time

| Total cycle time (typical) | approx. 3 ms | Standard and safety program |
|---|---|---|

Example code
The example code supplied is fully functional for the described
application. The individual functions of the example code are
explained in the following Chapters so that you are in a position to implement your own projects.
Note
In this example code, passwords are used for the safety
functions. These are as follows:
S7 safety program and HW Config: siemens
STARTER Safety Screens: 12345
Settings in the hardware configuration
Properties of the CPU
Before the safety functions of the CPU can be used, they must
be released. The properties window of the CPU is opened by
double clicking on the CPU317F-2.
Under the Protection tab, the safety functions of the CPU are
enabled by selecting the following functions:
■ Level of protection; 1: Access protect for F CPU,
■ Activate Removable with password,
■ Enter a password (in this example code, siemens),
■ Activate CPU contains safety program.
Properties of the F-DI module
The signal sources for the safety functions (pushbuttons to
acknowledge STO, SS1, SLS and Emergency Stop) are read-in
using the fail-safe module DI24xDC24V (6ES7326-1BK01-0AB0). The Properties dialog box opens after double clicking
on the module. The properties of the module can be parameterized by selecting the Parameters tab.
■ (1.) Also for this module, safety-relevant operation must be
enabled by selecting Safety mode as the operating mode.
■ (2.) The binary code that is specified under DIL switch setting (9......0) must be set at the rear of the module.
DIL switch on the module:
■ (3.) The short-circuit and cross-circuit fault monitoring of
the channel group is activated by selecting the function
Sensor supply via module.
■ (4.) The properties of the individual channels of the
module are parameterized as shown under channel 0, 12.
For more detailed information please refer to the Manual
SIMATIC Automation System S7-300 Fail-Safe Signal
Modules.
■ In order that the SINAMICS G120 safety functions can be
used in the safety program, symbolic addresses must be
assigned to the inputs of the safety input module. The
input window for the symbolic addresses is opened by
selecting the module, pressing the right-hand mouse key
and selecting Edit Symbols...
Properties of the SINAMICS G120
The window of the SINAMICS G120 PROFIBUS properties (2) is
displayed by clicking once on the SINAMICS G120 icon (1).
The PROFIBUS telegram (2.) between the CPU and the
SINAMICS G120 comprises two components. On one hand the
PROFIsafe module for the safety functions - that must be first
entered - and the Siemens telegram to control the SINAMICS
G120 (control signals, status word, frequency set-point, frequency actual value etc.).
The individual telegram components are selected in the Catalog after pressing the following button
PROFIsafe module
PROFIBUS communications of the SINAMICS G120 safety
functions are realized using the PROFIsafe module.
The Properties window of the module is opened by double
clicking on the PROFIsafe module. Open the PROFIsafe tab.
■ The value of F_Dest_Add specified by HW Config
(PROFIsafe address of the SINAMICS G120) must be
entered into SINAMICS G120 parameter p9810.
■ For F_WD_Time (PROFIsafe Watchdog Time) twice the
value of the call environment cycle of the S7 safety program must be entered. In this particular function example
the S7 safety program is called every 100 ms in OB35 (refer
to HW Config, Properties CPU, Cyclic Interrupts).
■ This means that a value of 200 must be entered for
F_WD_Time.
In order that SINAMICS G120 can use the safety functions in
the safety program, symbolic addresses must be assigned for
the inputs and outputs of the PROFIsafe module. The input
window for the symbolic addresses is opened by selecting the
PROFIsafe module, pressing the right-hand mouse key and selecting Edit symbols...
Siemens telegram 352, PZD 6/6
The standard control (control word, frequency setpoint etc.)
of SINAMICS G120 is implemented using the Siemens telegram.
In SINAMICS G120, instead of telegram 352 (fixed assignment
of the control/feedback signal words), telegram 999 is used
(free assignment of the control/feedback signal words).
In this case, in SINAMICS G120, to start, telegram type 350
should be selected in parameter p922. This pre-assigns the
BICO connections. Telegram type 999 (free interconnection
via BICO) should then be selected and the following interconnections made:
■ p2051[4] = r2131 (error number)
■ p2051[5] = r2110 (alarm number)
Only the inputs and outputs listed in this example are relevant
for communications.
For more detailed information about the different telegram
types please refer to SINAMICS G120 Operating Instructions
Control Units CU240S in the Chapter Commissioning (software), Commissioning with PROFIBUS DP.
Functions of the STEP 7 program (without safety program)
Program overview
The STEP 7 program essentially comprises blocks FC10, FC100
and DB1 that are called in the cyclic program (OB1).
DB1, axis_DB
The axis_DB represents the interface between the S7 program
and the SINAMICS G120 via FC100.
Axis_DB is generated from UDT 1 (Axis_DB_G120)
Principal structure of axis_DB

| Address | Symbolic name | Type | Function |
|---|---|---|---|
| Internal data | | | |
| DBW0 | Basic_Data.Moduleadress | INT | I/O start address of the SINAMICS G120 (refer to HW Config) |
| DBB3 | Basic_Data.Drivetyp | Byte | Drive type, must be 2 |
| S7 -> SINAMICS G120 | | | |
| DBW4 | Control_signals.STW2 | Bool | Control word 2 (for details, refer to the S7 program) |
| DBW6 | Control_signals.STW1 | Bool | Control word 1 (for details, refer to the S7 program) |
| DBW8 | Control_signals.Frequency_set | INT | Frequency setpoint in x.x % |
| DBW10 | Control_signals.Torque_set | INT | Torque setpoint in x.x % |
| SINAMICS G120 -> S7 | | | |
| DBW14 | Status_signals.ZSW2 | Bool | Status word 2 (for details, refer to the S7 program) |
| DBW16 | Status_signals.ZSW1 | Bool | Status word 1 (for details, refer to the S7 program) |
| DBW18 | Status_signals.Actual_frequency | INT | Frequency actual value in x.x % |
| DBW20 | Status_signals.Actual_current | INT | Current actual value in x.xx A |
| Fault messages | | | |
| DBW24 | Faults.Drive_error_number | INT | Actual error number of the SINAMICS G120 |
| DBW26 | Faults.Drive_alarm_number | INT | Actual alarm number of the SINAMICS G120 |

In this function example the individual data of the DB1 are supplied in FC10.
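The axis_DB layout above can be decoded directly from a raw DB1 image, for example when reviewing a block upload during troubleshooting or incident triage. The following is an added example and not part of the Siemens example code; the function names and the sample image are constructed, and two points are assumptions: that the "SINAMICS G120 format (hex)" used by FC100 is the PROFIdrive normalization (4000 hex = 100 %), and that the stored error/alarm numbers equal the numeric part of the A/F codes named on this page.

```python
import struct
from dataclasses import dataclass
from typing import List

# S7 data blocks store words big-endian. Offsets come from the axis_DB table:
# DBW0, DBB3, DBW4, DBW6, DBW8, DBW10, DBW14, DBW16, DBW18, DBW20, DBW24, DBW26.
# Bytes the table does not describe (DBB2, DBW12, DBW22) are skipped as padding.
AXIS_DB_LAYOUT = struct.Struct(">h x B H H h h 2x H H h h 2x h h")

# Assumption: the drive-side setpoint format is the PROFIdrive normalization,
# in which 4000 hex corresponds to 100 %.
FULL_SCALE = 0x4000

# Alarm and fault numbers named on this page. Assumption: the DB holds the
# numeric part of the code (e.g. 1699 for A1699).
PAGE_ALARMS = {
    541: "A0541: motor data identification active",
    1696: "A1696: start signal still present while a safety function is active",
    1699: "A1699: test period for the shutdown paths has expired",
}
PAGE_FAULTS = {395: "F395: acceptance test / acknowledgement pending"}


@dataclass(frozen=True)
class AxisDB:
    module_address: int          # Basic_Data.Moduleadress
    drive_type: int              # Basic_Data.Drivetyp, must be 2
    stw2: int                    # Control_signals.STW2
    stw1: int                    # Control_signals.STW1
    frequency_set_pct: float     # stored as x.x %
    torque_set_pct: float        # stored as x.x %
    zsw2: int                    # Status_signals.ZSW2
    zsw1: int                    # Status_signals.ZSW1
    actual_frequency_pct: float  # stored as x.x %
    actual_current_a: float      # stored as x.xx A
    drive_error_number: int
    drive_alarm_number: int


def decode_axis_db(image: bytes) -> AxisDB:
    """Decode the first 28 bytes of a DB1 image into named, scaled fields."""
    if len(image) < AXIS_DB_LAYOUT.size:
        raise ValueError(f"need {AXIS_DB_LAYOUT.size} bytes, got {len(image)}")
    (mod, dtype, stw2, stw1, fset, tset,
     zsw2, zsw1, fact, iact, err, alarm) = AXIS_DB_LAYOUT.unpack_from(image)
    if dtype != 2:
        # The table states that Drivetyp must be 2; anything else means the
        # image is not an axis_DB built from UDT 1 or has been altered.
        raise ValueError(f"Basic_Data.Drivetyp is {dtype}, expected 2")
    return AxisDB(mod, dtype, stw2, stw1, fset / 10, tset / 10,
                  zsw2, zsw1, fact / 10, iact / 100, err, alarm)


def percent_to_drive_word(percent: float) -> int:
    """Scale a percentage to a 16-bit word (two's complement for negatives)."""
    raw = round(percent / 100.0 * FULL_SCALE)
    raw = max(-0x8000, min(0x7FFF, raw))  # saturate to the signed 16-bit range
    return raw & 0xFFFF


def safety_findings(axis: AxisDB) -> List[str]:
    """Return descriptions for error/alarm numbers that this page explains."""
    findings = []
    if axis.drive_error_number in PAGE_FAULTS:
        findings.append(PAGE_FAULTS[axis.drive_error_number])
    if axis.drive_alarm_number in PAGE_ALARMS:
        findings.append(PAGE_ALARMS[axis.drive_alarm_number])
    return findings


# Constructed sample image: 50.0 % setpoint, 49.8 % actual, 1.23 A, alarm 1699.
SAMPLE_IMAGE = AXIS_DB_LAYOUT.pack(
    256, 2, 0x0000, 0x047F, 500, 0, 0x0000, 0x0000, 498, 123, 0, 1699)

if __name__ == "__main__":
    axis = decode_axis_db(SAMPLE_IMAGE)
    print(axis)
    print(hex(percent_to_drive_word(axis.frequency_set_pct)))
    for line in safety_findings(axis):
        print(line)
```
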
FC10, organization
This block is called-up in absolute terms in OB1 and in turn
calls up FC100.
Principle of the FC10

| Network | Function |
|---|---|
| 1 | Controls the SINAMICS G120 via the axis-DB, DB1. Calls the SINAMICS G120 control block FC100. This network can be used as template for additional SINAMICS G120 control functions. |
| 2 | Controls the signal lamp for "Safety function activated or fault". |

FC100, control of SINAMICS G120
SINAMICS G120 is controlled using the FC100 via PROFIBUS.
Only signals from the axis_DB are used to control the block
- but no fixed addresses - this is the reason that instances can
be used.
This block can be used in the same way for both a standard
and a Safety SINAMICS G120.
Formal operands of the FC100

| Formal operands | Type | Description |
|---|---|---|
| Nr_Achs_DB | IN | Number of the axis-DB generated using UDT1 |
| Internal_Error | OUT | Displays an internal error: 0 = no error, 1 = incorrect axis-DB type |

Principle structure of the FC100

| Network | Function |
|---|---|
| 1 | Opens the axis_DB specified using the formal operands Nr_Axis_DB. Generates the internal error message. |
| 2 | Reads-in the SINAMICS G120 status words, processes these and saves them in the axis_DB. |
| 3 | Resets internal error messages. |
| 4 | Converts frequency and torque setpoint from the axis_DB (entered in x.x %) into the SINAMICS G120 format (hex). |
| 5 | Enters SINAMICS G120 error and alarm number into the axis_DB. |
| 6 | Sends control words from the axis_DB to the SINAMICS G120 |

Functions of the STEP 7 safety program
The basic programming of Distributed Safety - the S7 programming tool for F control systems - is not discussed in this
function example.
This function example only explains and discusses the FC201
user block for safety functions.
Program overview
FC201, safety program
The individual safety sensors are read into the FC201,
interlocked with one another (logically combined) and the
SINAMICS G120 safety functions controlled.
It is necessary to enter the safety password to process/handle
the FC201. This password is siemens.
Principle structure of the FC201

| Network | Function |
|---|---|
| 1 | Safe Torque Off (STO): Reads-in the Emergency Stop pushbutton Safety_PB_STO (I 24.0), logically interlocked using the F-Standard block FB215 (F_ESTOP1) and forms auxiliary flag No_STO. Acknowledges the safety function using the acknowledge button Safety_PB_ACK |
| 2 | Safe Stop 1 (SS1): Reads-in the Emergency Stop pushbutton Safety_PB_SS1 (I 24.1), logically interlocked using the F-Standard block FB215 (F_ESTOP1) and forms auxiliary flag No_SS1. Acknowledges the safety function using the acknowledge button Safety_PB_ACK |
| 3 | Controls the SINAMICS G120 safety function STO (O 14.0). |
| 4 | Controls the SINAMICS G120 safety function SS1 (O 14.1). |
| 5 | Controls the SINAMICS G120 safety function SLS (O 15.0). |
| 6 | De-passivates the safety modules. |
| 7 | Acknowledges safety communication errors between the S7-CPU and the SINAMICS G120 using the acknowledge button Safety_PB_ACK |
| 8 | Acknowledges safety communication errors between the S7-CPU and the safety digital input module SM326 via the standard input ACK_error (I 0.7). |
| 9 | Emergency Stop ok -> standard program. |
| 10 | Signal "Emergency Stop acknowledge" -> standard program. |
| 11 | Feedback signal STO from SINAMICS G120 -> standard program. |
| 12 | Feedback signal SS1 from SINAMICS G120 -> standard program. |
| 13 | Feedback signal SLS from SINAMICS G120 -> standard program. |

SINAMICS G120 - parameterizing the safety functions
Refer to page 485: "SINAMICS G120 parameterization"
SINAMICS G120 parameterization
In order that the basic SINAMICS G120 functions can be parameterized, the safety functions in the S7-CPU and in the
drive inverter itself must already have been commissioned.
The reason for this is that during parameterization a motor
identification routine is carried-out (the motor and cables are
measured) - and if vector control is activated - the controller is
optimized. Both of these functions require that the safety
functions are in the ready state.
■ Starting from the main path of the SIMATIC Manager, start
the STARTER parameterizing software by double clicking on
the SINAMICS_G120 icon
■ Then, in the Project Navigator of the STARTER
parameterizing software select the object
"SINAMICS_G120" (1.) and press button
(2.) to establish an online connection to the drive inverter.
■ The screen form with the actual configuration is opened by
double clicking on Configuration in the Project Navigator.
■ The quick commissioning Wizard is started after pressing
the button.
■ Enter the appropriate values into all of the screen forms.
■ In the screen form Drive functions, select for Motor identification, the function Ident. of all param. in standstill
incl. the saturation curve (3).
■ In the screen form Calculation of the motor data, select
Restore factory setting and calculate motor data.
■ In the screen form Summary do not activate the function
RAM -> ROM, but instead press the Finish button.
■ After completing the quick commissioning, alarm A0541
(Motor data-identification active) is displayed. Please carefully note that when starting the motor identification routine current flows in the motor. For hanging (suspended)
axes the load must always be supported.
■ To start the motor data identification routine, in the Project
Navigator select the menu item Commissioning and activate by double clicking on Control panel.
■ Press Assume control priority and carefully note the security/safety information and instructions. Then activate
Enables.
■ The motor data identification routine is started by pressing
the button. Do not exit the STARTER software and go to
another task as otherwise the motor data identification
routine will be interrupted for safety reasons.
■ Please wait until the button changes back to the
button.
■ Return the control priority to the S7 control by pressing the
button.
■ Finally, you only have to save the SINAMICS G120 configured software in the ROM memory of the drive inverter.
To do this in the Project Navigator select the menu item
SINAMICS_G120.
■ In the function bar press the button.
■ Please wait until the download operation has been completed.
SINAMICS G120 - controlled via PROFIBUS
safety functions via terminals, Category 3 (EN 954-1)
or SIL 2 (IEC 61508)
Automation function
Description of the functionality
The SINAMICS G120 drive inverter is a modular drive inverter
system that essentially comprises the two function units Control Unit (CU) and Power Module (PM).
When using the Control Unit CU240S DP F, you have access to
the following safety functions that are integrated in the drive
inverter:

| Designation | Function | Description |
|---|---|---|
| STO | Safe Torque Off (acc. to EN 60204) | Prevents the drive from accidentally starting. The drive is safely brought into a no-torque condition. Preventing a restart does not require electrical isolation between the motor and drive inverter. |
| SS1 | Safe Stop 1 (acc. to EN 60204) | The drive is quickly stopped and safely monitored. Independent and continuous monitoring guarantees the shortest response times when a fault occurs. A speed encoder is not required. |
| SLS | Safely Limited Speed (acc. to EN 60204) | The drive speed is limited and monitored. Independent and continuous monitoring guarantees the shortest response times when a fault occurs. A speed encoder is not required. |
| SBC | Safe Brake Control | An external brake is safely controlled. In this case, it is necessary to use the Safe Brake Relay. |

(all safety functions are certified according to EN 954-1, Cat. 3
and IEC 61508, SIL 2)
The safety functions are either controlled through two fail-safe digital inputs (4 digital inputs, which are evaluated
through 2 channels in a fail-safe fashion in the CU 240S DP F)
or via PROFIsafe in conjunction with a fail-safe CPU.
Functionality of the function example
Task description
The SINAMICS G120 is to be controlled from an S7-300 CPU
via PROFIBUS.
The integrated safety functions of the SINAMICS G120 are to
be controlled via the fail-safe digital inputs of the SINAMICS
G120.
Solution
In this function example, the control of a SINAMICS G120
(control word and frequency setpoint) will be demonstrated
using an S7-300 CPU and a specific program example.
This program example comprises an S7 program to control the
SINAMICS G120 and the appropriate configuration in the
SINAMICS G120.
Advantages / customer benefits
The safety functions are integrated in the drive inverter and
are implemented without any speed feedback signal. This
means that to some extent complex external shutdown and
monitoring devices can be eliminated.
A SINAMICS G120 with Safety Control Unit can replace an existing drive inverter. This means that safety functions can be
added to an existing system with low associated costs and expenditure.
Functional Example No. SD-FE-I-002-V10-EN
Ex. No.
5.2
Restrictions
Caution
Please take careful note that the two safety functions
SLS and SS1 may not be used for loads that can drive
the motor or loads that are continually in the regenerative mode.
Elevating platforms, winders and wind turbines are examples of such loads that can drive the motor or continually
regenerate into the line supply.
An important prerequisite when using fail-safe functions is that the closed-loop control functions absolutely perfectly. The drive (system comprising the drive
inverter + motor + driven load) must be engineered so
that all operating situations of the particular application are always completely under control.
Caution
After the STO and SS1 safety functions have been activated there is no electrical isolation between the line
power supply of the SINAMICS G120 and the motor.
If this electrical isolation is required in your particular
application, then you must install an appropriate line
contactor upstream of the SINAMICS G120.
Required components
An overview of the hardware and software components
required for the function example is provided here.
Hardware components

| Group | Component | Type | Order No | Qty | Manufacturer |
|---|---|---|---|---|---|
| S7 control | Power supply | PS307 5A | 6ES7307-1EA00-0AA0 | 1 | Siemens AG |
| S7 control | S7 CPU | CPU 315-2DP | 6ES7315-2AG10-0AB0 | 1 | Siemens AG |
| S7 control | Memory Card | MMC 2MB | 6ES7953-8LL11-0AA0 | 1 | Siemens AG |
| S7 control | DI / DO simulation module | SM374 | 6ES7374-2XH01-0AA0 | 1 | Siemens AG |
| S7 control | Profile rail | Profile rail | 6ES7390-1AE80-0AA0 | 1 | Siemens AG |
| S7 control | PROFIBUS connector | PROFIBUS connector | 6ES7972-0BB50-0XA0 | 1 | Siemens AG |
| S7 control | PROFIBUS cable | PROFIBUS cable | 6XV1830-3BH10 | 2m | Siemens AG |
| Drive | SINAMICS G120 Control Unit* | CU240S DP F | 6SL3244-0BA21-1PA0 | 1 | Siemens AG |
| Drive | SINAMICS G120 Power Module* | PM240 | 6SL3224-0BE21-5UA0 | 1 | Siemens AG |
| Drive | Basic Operator Panel* | BOP | 6SL3255-0AA00-4BA1 | 1 | Siemens AG |
| Drive | Motor* | Three-phase induction motor | 1LA7060-4AB10 | 1 | Siemens AG |
| Drive | PROFIBUS connector | PROFIBUS connector | 6GK1500-0FC00 | 1 | Siemens AG |
| Command devices | Empty enclosure* | Empty enclosure with 2 command sources (e.g. pushbuttons) | 3SB3802-0AA3 | 1 | Siemens AG |
| Command devices | Emergency Stop mushroom pushbutton (to activate SS1)* | Emergency Stop mushroom pushbutton | 3SB3000-1HA20 | 1 | Siemens AG |
| Command devices | Mushroom pushbutton (to activate SLS)* | Mushroom pushbutton, red | 3SB3000-1DA21 | 1 | Siemens AG |
| Command devices | Contact | 1NC, screw terminal | 3SB3420-0C | 4 | Siemens AG |

As an alternative to the components marked with *, the
SINAMICS G120 training case can also be used that is additionally equipped with a 24V HTL encoder and a mechanical brake.
This training case can be ordered by specifying Order No.
6ZB2480-0CD00.
Note
The functionality was tested with the specified hardware components. Similar components that are different from those listed above can be used. Please note
that in such a case it may be necessary to change the
code example (e.g. setting other addresses).
Software components

| Component | Type | Order No | Qty | Manufacturer |
|---|---|---|---|---|
| SIMATIC STEP 7 | V5.3 + SP3 | 6ES7810-4CC07-0YA5 | 1 | Siemens AG |
| Drive ES BASIC | V5.4 | 6SW1700-5JA00-4AA0 | 1 | Siemens AG |

Configuration and wiring
The hardware configuration and connecting-up the function
example are described in this Chapter.
Please carefully observe the following safety information & instructions when using the SINAMICS G120:
Warning
The SINAMICS G120 has hazardous voltages and controls rotating mechanical parts that can also be potentially hazardous. If the warning information is not
observed or the information & instructions from the
instructions belonging to SINAMICS G120 are not
complied with this could result in death, severe bodily
injury or significant material damage.
Overview of the hardware configuration
Connecting-up the hardware components
S7-300 control and CU240S DP F
PM240 and motor
For more detailed information regarding the installation please refer to the SINAMICS G120 Hardware Installation Manual Power
Module PM240
Fault 395 (acceptance test / acknowledgement present)
Fault F395 is output when powering-up for the first time and
after replacing the Control Unit CU or the Power Module PM.
This fault does not represent an incorrect drive inverter function. The reason for this fault message is to monitor the individual drive inverter components (CU and PM) to prevent
them from being replaced by unauthorized personnel.
Acknowledging fault F395
To acknowledge the F395 in conjunction with a CU240S DP F,
proceed as follows:
■ Set parameter p0010 to 30
■ Enter the safety password (standard = 12345) into
parameter p9761
■ Set parameter p7844 to 0
■ F395 will no longer be displayed
■ For safety reasons you now have to run an acceptance test.
For more information see the G120 Operation Instructions,
Appendix, Acceptance Log.
For information
For a CU without safety information it is sufficient to
acknowledge fault F395 using "acknowledge fault"
(SINAMICS G120 terminal strip or PROFIBUS).
Important hardware component settings
Most of the module/board settings are made in the HW Config in the software. Hardware settings are only required for the following modules/boards.
The modules/boards must be set with the control system in a no-voltage state.

SM374 simulation module
This module can be operated as 16 x DO (output via LED), 16 x DI (input via switch) or as combined 8 x DI / 8 x DO. The last combination is used in this function description.
The function of the module is selected using a rotary switch behind the front cover between the series of switches.
■ As shown in the following diagram set the function switches to the setting 8 x Output 8 x Input.

SINAMICS G120, CU240S DP F
Two DIP switch blocks are located under the BOP (Operator Panel) in the upper section of the module.
The upper DIP switch block is for general CU functions - and is not relevant for this function example.
[Figure: General I/O DIP switch (ON/OFF) with the positions Encoder Z termination, Encoder B termination, Encoder A termination, 5 V Encoder Supply, 24 V Encoder Supply, AI1 and AI0 (0-20 mA / 0-10 V)]
The PROFIBUS address of the SINAMICS G120 can be set using the lower DIP switch block. Alternatively, the PROFIBUS address can also be set using parameter p918. It should be noted that the setting using DIP switches has priority over parameter p918.
■ Set the DIP switches to address 10 as shown in the following diagram.
[Figure: PROFIBUS Address DIP switch (ON/OFF) with the positions Bit 0 (1), Bit 1 (2), Bit 2 (4), Bit 3 (8), Bit 4 (16), Bit 5 (32) and Bit 6 (64)]
Overview of inputs and outputs
Simulation module SM374

| Address | Function | Symbolic address | Default | Explanation |
|---|---|---|---|---|
| O 0.0 | Indicator lamp error | error | 0 | Faults are signaled via this output. |
| I 0.0 | SINAMICS G120 start | Start_G120 | 0 | The motor connected to SINAMICS G120 is started by activating the input. |
| I 0.7 | Acknowledge error | ACK_error | 0 | Fault messages that are present can be acknowledged using this input. |
SINAMICS G120
The SINAMICS G120 is controlled and the feedback signals read-in via the I/O addresses listed below.

| Address | Designation | Function |
|---|---|---|
| S7 program -> SINAMICS G120 | | |
| PQW256 | STW1 | Control word 1 |
| PQW258 | N_SOLL_A | Frequency setpoint |
| PQW260 | M_LIM | Torque setpoint |
| PQW262 | STW2 | Control word 2 |
| PQW264 | - Reserve - | - Reserve - |
| PQW266 | - Reserve - | - Reserve - |
| SINAMICS G120 -> S7 program | | |
| PIW256 | ZSW1 | Status word 1 |
| PIW258 | N_IST_A_GLATT | Frequency actual value |
| PIW260 | I_IST_GLATT | Current actual value |
| PIW262 | ZSW2 | Status word 2 |
| PIW264 | FAULT_CODE | Fault number |
| PIW266 | WARN_CODE | Alarm number |

For more detailed information about the configuration of the individual signals, please refer to SINAMICS G120 Operating Instructions Control Unit CU240S, Chapter Commissioning (software), Commissioning with PROFIBUS DP.

Download
S7 program
To download the S7 program, you will require a connection between the MPI interface of your PG/PC and the MPI interface of the S7 CPU.
■ Start the SIMATIC Manager.
■ De-archive the function example supplied.
■ Open the Safety application2 G120 project.
■ Open HW-Config and download this into the control. After the download re-close HW-Config.
■ In SIMATIC Manager, select the block folder via CPU315-2 > S7 Program > Blocks.
■ Download all of the S7 program blocks into the CPU.
After the download, changeover the interface of your PC/PG to PROFIBUS and changeover the connecting cable to the PROFIBUS interface of the S7-CPU. You can access all of the devices of your configuration from this interface.
SINAMICS G120 configuration
When this has been completed, download the SINAMICS G120 configuration using the STARTER parameterizing tool.
■ Starting from the main path of the SIMATIC Manager, start the STARTER parameterizing software by double clicking on the SINAMICS_G120 icon
■ Then, in the Project Navigator of the STARTER parameterizing software select the object "SINAMICS_G120" (1.) and press the button (2.) to establish the online connection to the drive inverter.
■ After you have established the online connection, press the button to download the SINAMICS G120 drive parameters.
■ Follow the instructions on the screen and acknowledge the prompt "After loading, copy RAM to ROM".
■ You must then enter the safety parameters of the SINAMICS G120. These must not be, and for safety reasons cannot be, transferred into the drive inverter by downloading from the PG/PC.
■ In the Project Navigator, select Functions and then open the dialog box for the safety functions by double clicking on Safety Integrated.
■ Then press the button Change settings and enter 12345 (standard password) in the password screen that then opens.
■ From the following screen forms transfer the appropriate values into your project. Take into consideration that in certain instances there are different value formats for processor 1 and 2 (e.g. s and ms, Hz and kHz).

"Enables" tab
In this screen form you parameterize the source from which you activate the SINAMICS G120 safety functions. Please note that the safety functions can either be controlled via PROFIsafe or via the safety digital inputs.
■ Upper section: Path to activate via PROFIsafe.
■ Center section: Path to activate via the Safe digital input 0 and 1 (this is used in this particular function example).
■ Lower section: Here, the monitoring of the Safe brake control module can be activated; however, this is not used in this particular function example.
It should be noted that the parameterization is always carried out twice (in this screen form this can be identified as a result of the two switch symbols in series). The reason for this is that for the two processors in SINAMICS G120 - that operate in parallel and must provide the same result - there are separate parameter sets for safety reasons.
After you have parameterized the enable signals, then select the tab Safe Torque Off.
"Safe Torque Off" (STO) tab
The shutdown paths of a safety-relevant plant or system must be subject to a forced checking procedure at regular intervals. This is in order to identify "dormant" errors. SINAMICS G120 automatically carries out a forced checking procedure of the shutdown paths in the drive unit. This procedure is known as the forced checking procedure.
A reduced form of the forced checking procedure limited to self-test the brakes and processor is always automatically executed after "Safe Torque Off" (STO) is exited. This type of forced checking procedure is known as the process checking procedure.
Further, by appropriately parameterizing the system, it is possible to initiate a forced checking procedure each time that STO is exited.
■ Upper section: Using Test of the shutdown channels when leaving STO, you can select how the forced checking procedure for the shutdown channels is carried-out.
– Activated: A forced checking procedure is carried-out each time the drive unit is powered-up and when exiting "Safe Torque Off" (STO). Checking the shutdown channels takes approximately 2.4 s. This delay time must be taken into account at each On command.
– Deactivated: The shutdown channels are only checked after the function "Latched Safe Torque Off" (LSTO) when an error occurs. When exiting an STO, a delay time is not incurred as only the process checking procedure is carried-out.
■ Center section: When activating the safety functions via the safe digital inputs of the SINAMICS G120, a debounce time and a filter for the response time can be set here. These settings are not relevant for the function example described here.
■ Lower section: The SINAMICS G120 automatically monitors when a forced checking procedure was carried-out the last time. Set the time up to the next forced checking procedure in the field Test periods for shutdown paths. The time can be selected between 0.1 and 8760 hours (6 min up to 1 year). The timer is re-started after each forced checking procedure. Alarm A1699 is output in operation to flag you that this monitoring time has expired. A process checking procedure does not replace forced checking procedure and therefore does not reset the timer.
After you have parameterized the Safe Torque Off function, select the tab Safe Stop 1.
Safe Stop 1 (SS1) tab
The parameters relevant for "Safe Stop 1" (SS1) are set in this screen form.
■ (1.) Using the threshold value Standstill detection, define the speed at which standstill (zero speed) is detected and "Safe Torque Off" (STO) is activated. Please note that the value should be entered once in kHz and once in Hz.
■ (2.) The Ramp-down time Tr for SS1 ... should then be entered. Please note that the value is entered once in s and once in ms. The ramp-down time Tr always refers to the safety reference frequency of 200 Hz in the drive itself. This ramp-down time is also used for the deceleration for "Safely Limited Speed" (SLS).
■ (3.) The monitoring tolerance is set using Delay Tv, until monitoring active. The drive inverter continually monitors - with tolerance Tv - the braking of the drive. If the tolerance is selected too low, then the monitoring function could be incorrectly tripped. If the tolerance is too high, then if an actual fault does develop, an unnecessarily long time is wasted. Please note that the value is entered once in s and once in ms.
After you have parameterized the function Safe Stop 1, select the tab Safely Limited Speed.

Safely Limited Speed (SLS) tab
The parameters relevant for "Safely Limited Speed" are entered in this screen form.
■ (1.) The SLS mode is defined here. The following three modes - with the appropriate properties - are available:

SLS mode and properties

Mode 0: Limiting to a safely limited speed
– If, when SLS is activated, the actual frequency is greater than the Upper tolerance limit for velocity monitoring, SS1 is activated and then LSTO (safe torque shutdown with latching).
– If, when SLS is activated, the actual frequency lies between the Upper tolerance limit for velocity monitoring and the Setpoint for SLS, then the Setpoint for SLS is activated and the drive is braked down to the Setpoint for SLS. The frequency cannot be changed.
– If the actual frequency lies below the Setpoint for SLS, the actual frequency is kept. The frequency cannot be changed.
– STO is activated if the actual frequency falls below 1 Hz.
– The drive can be stopped using OFF2, withdrawing/cancelling the function or by activating another safety function.

Mode 1: Reducing to a safely limited speed
– If, when activating SLS, the actual frequency is greater than the Upper tolerance limit for velocity monitoring, the Setpoint for SLS is activated and the drive is braked down to this setpoint using the safe braking ramp.
– If the actual frequency lies below the Setpoint for SLS, the actual frequency is kept. The frequency cannot be changed.
– STO is activated if the actual frequency drops below 1 Hz.
– The drive can be stopped using OFF2, withdrawing the function or by activating another safety function.

Mode 2: Limiting to a safely limited speed - the speed can be changed
– If, when activating SLS, the actual frequency is higher than the Upper tolerance limit for velocity monitoring, LSTO (safe torque shutdown with latching) is activated.
– If, when activating SLS, the actual frequency lies below the Upper tolerance limit for velocity monitoring, the frequency is kept. The frequency can be changed between 1 Hz and the Upper tolerance limit for velocity monitoring (Caution: For V/f, take into account the slip compensation).
– If the actual frequency drops below 1 Hz or the Upper tolerance limit for velocity monitoring is reached, STO is activated. If the upper tolerance limit for velocity monitoring is exceeded, then STO is latched - i.e. LSTO.
– The drive can be stopped with ON/OFF1 and the remaining OFF commands - but it can only be re-started if SLS has been withdrawn.

Please refer to the Operating Instructions CU240S, Chapter Functions under Fail-safe Functions for more detailed information about the SLS modes.
■ (2.) These input fields are displayed for SLS mode (1.) 0 and 1. Set-point for SLS is used to set the frequency to which the frequency set-point is internally limited in the drive unit after the function Safely Limited Speed SLS has been selected. Please note that the value is entered once in Hz and once in kHz.
■ (3.) The monitoring limit is set using the Upper tolerance limit for velocity monitoring. If Safely Limited Speed SLS is active and the actual speed exceeds this value, then SINAMICS G120 outputs a fault message and goes into the safe condition (Safe Torque Off, STO). Please note that the value should be entered once in Hz and once in kHz.
■ To complete the parameterization of the safety functions you must now acknowledge the checksums of the two processors. To do this, transfer the first checksum, processor 1 into the set checksum, processor 1. Do exactly the same for the checksum of processor 2.
Please note that the two actual checksums and therefore the two set checksums must be the same. If this is not the case, then you must re-check your parameterization of the safety functions and resolve the different values.
■ After you have made all of the settings press the Accept settings button.
■ You can now change the standard password. If you are still not certain that your safety parameterization has been completed, then you should press the Later button. However, after you have completed the commissioning phase, do not forget to change the standard password for a password that only you know or a person that you trust. Only then can you be sure that only authorized persons can change/modify safety parameters.
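The consistency rules stated for the safety parameterization (every value entered twice in different units, the test period range, matching checksums, the standard password replaced) can be checked against a written commissioning record before the acceptance test. The following is an added example, not part of the Siemens functional example; the record layout, all field names and all sample values are assumptions constructed for illustration.

```python
from decimal import Decimal

# Unit pairs the page names for the two processors: Hz/kHz and s/ms.
UNITS = {"Hz": ("Hz", Decimal(1)), "kHz": ("Hz", Decimal(1000)),
         "s": ("s", Decimal(1)), "ms": ("s", Decimal("0.001"))}
TEST_PERIOD_H = (Decimal("0.1"), Decimal(8760))  # permitted range stated on the page


def to_base(value, unit):
    """Convert (value, unit) to (base unit, exact Decimal value)."""
    base, factor = UNITS[unit]
    return base, Decimal(str(value)) * factor


def review(record):
    """Return the findings for one commissioning record (empty list = consistent)."""
    findings, base = [], {}
    # 1. Each safety value is entered twice; both entries must mean the same.
    for name, (entry_1, entry_2) in record["dual"].items():
        first, second = to_base(*entry_1), to_base(*entry_2)
        if first != second:
            findings.append(f"mismatch:{name}")
        base[name] = first[1]
    # 2. Plausibility implied by the SLS mode descriptions: the setpoint
    #    must not lie above the upper tolerance limit.
    if {"sls_setpoint", "sls_upper_tolerance"} <= base.keys():
        if base["sls_setpoint"] > base["sls_upper_tolerance"]:
            findings.append("sls-setpoint-above-tolerance")
    # 3. Test period for the shutdown paths: 0.1 h to 8760 h.
    period = Decimal(str(record["test_period_h"]))
    if not TEST_PERIOD_H[0] <= period <= TEST_PERIOD_H[1]:
        findings.append("test-period-out-of-range")
    # 4. Set checksum must equal actual checksum per processor, and both
    #    processors must report the same checksum.
    sums = record["checksums"]
    for proc in ("p1", "p2"):
        if sums[proc]["set"] != sums[proc]["actual"]:
            findings.append(f"checksum-not-accepted:{proc}")
    if sums["p1"]["actual"] != sums["p2"]["actual"]:
        findings.append("checksums-differ-between-processors")
    # 5. The standard password must have been replaced after commissioning.
    if not record["password_changed"]:
        findings.append("standard-password-still-set")
    return findings


# Constructed sample records (hypothetical field names and values).
GOOD = {
    "dual": {
        "ss1_standstill_detection": ((5, "Hz"), ("0.005", "kHz")),
        "ss1_ramp_down_time": ((10, "s"), (10000, "ms")),
        "ss1_delay_tv": (("0.1", "s"), (100, "ms")),
        "sls_setpoint": ((10, "Hz"), ("0.01", "kHz")),
        "sls_upper_tolerance": ((12, "Hz"), ("0.012", "kHz")),
    },
    "test_period_h": 8,
    "checksums": {"p1": {"actual": "0x7F3A", "set": "0x7F3A"},
                  "p2": {"actual": "0x7F3A", "set": "0x7F3A"}},
    "password_changed": True,
}
BAD = {
    **GOOD,
    "dual": {**GOOD["dual"],
             "ss1_ramp_down_time": ((10, "s"), (1000, "ms")),   # 10 s vs 1 s
             "sls_setpoint": ((30, "Hz"), ("0.03", "kHz"))},    # above 12 Hz limit
    "test_period_h": 9000,
    "checksums": {"p1": GOOD["checksums"]["p1"],
                  "p2": {"actual": "0x7F3A", "set": "0x0000"}},
    "password_changed": False,
}

if __name__ == "__main__":
    for label, record in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, review(record))
```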
■ If you don't wish to set any additional parameters, then you
can now exit the STARTER commissioning tool.
■ To do this first disconnect the PG/PC from SINAMICS G120
by pressing the
button.
■ You can then exit STARTER using Project > Close or by
pressing the
button.
■ You'll now be prompted to save changes - acknowledge this
with Yes.
Function test
The function test can be carried-out, if
■ The hardware components are connected-up
■ The hardware settings have been made
■ The S7 project is in the CPU
■ The configured software has been downloaded into the SINAMICS G120 and the safety functions have been parameterized
■ The CPU is in the RUN state.

| No. | Action | Response |
|---|---|---|
| 1 | If it is pressed, release the Emergency Stop pushbutton | The signal lamp (A0.0) for "Error" goes dark. |
| 2 | Press the pushbutton "Acknowledge faults" | At SINAMICS G120 LEDs RDY, STO, SS1 and SLS are bright -> the drive and all of the safety functions are in the ready state. |
| 3 | Press the switch "SINAMICS G120 Start" | The motor starts to run. |

Safety function SS1 (Safe Stop 1)

| No. | Action | Response |
|---|---|---|
| 1 | Press the Emergency Stop pushbutton SS1 | The motor follows the parameterized braking ramp down to the minimum frequency and stops. At the SINAMICS G120 the LED ES is bright and LED SS1 flashes -> SS1 is active, the motor has been brought into a no-torque condition. At the SINAMICS G120 alarm A1696 is displayed -> this alarm is displayed as long as the start signal is present. |
| 2 | De-activate the control of the SINAMICS G120 using the switch "SINAMICS G120 Start". | The alarm A1696 is no longer displayed at the SINAMICS G120. |
| 3 | Release the Emergency Stop pushbutton SS1 | At the SINAMICS G120 the LEDs RDY, SS1 and SLS are bright -> the drive and all of the safety functions are in the ready state. |
| 4 | Press the switch "SINAMICS G120 Start" | The motor starts to operate again. |

Safety function SLS (Safely Limited Speed)

| No. | Action | Response |
|---|---|---|
| 1 | Press the pushbutton SLS and keep it pressed | The motor follows the parameterized braking ramp down to the safely limited speed. At the SINAMICS G120 the LED ES is bright and LED SLS flashes -> SLS is active, the motor is monitored to ensure that it does not exceed the safely limited speed. |
| 2 | Release pushbutton SLS again | The motor accelerates back to the normal speed. At the SINAMICS G120 LEDs RDY, SS1 and SLS are bright -> the drive and all safety functions are in the ready state. |

Acceptance test and acceptance report
An acceptance test must be carried-out when the machine is commissioned for the first time and also if a completely saved set of the safety-relevant parameters is changed. This procedure is used to verify the safety-relevant parameters. This acceptance test must be appropriately documented. The acceptance reports must be appropriately stored and archived. The checksum ensures that all subsequently made changes are identified.
Information about the acceptance test and the acceptance report are provided in SINAMICS G120 Operating Instructions Control Units CU240S in the Chapter Commissioning (software).
An example of an acceptance report is provided in the SINAMICS G120 Operating Instructions Control Units CU240S in the Appendix.

Key performance data
Load memory and working memory

| | Total |
|---|---|
| Load memory | approx. 4 k |
| Working memory | approx. 1 k |

Cycle time

| | | |
|---|---|---|
| Total cycle time (typical) | approx. 1-2 ms | Standard program |
Example code
The example code supplied is fully functional for the described application. The individual functions of the example code are explained in the following Chapters so that you are in a position to implement your own projects.
Settings in the hardware configuration
Properties of the SINAMICS G120
The window of the SINAMICS G120 PROFIBUS properties (2) is displayed by clicking once on the SINAMICS G120 icon (1).
A standard telegram is used to establish communications between the CPU and the SINAMICS G120. In this particular function example Siemens Telegram 352 (2.) with a length of 6 words is used to control the SINAMICS G120.
The individual telegram components are selected in the Catalog after pressing the following button
For more detailed information about the different telegram types please refer to SINAMICS G120 Operating Instructions Control Units CU240S in the Chapter Commissioning (software), Commissioning with PROFIBUS DP.
Siemens telegram 352, PZD 6/6
The standard control (control word, frequency setpoint etc.) of SINAMICS G120 is implemented using the Siemens telegram.
In SINAMICS G120, instead of telegram 352 (fixed assignment
of the control/feedback signal words), telegram 999 is used
(free assignment of the control/feedback signal words).
In this case, in SINAMICS G120, to start, telegram type 350
should be selected in parameter p922. This pre-assigns the
BICO connections. Telegram type 999 (free interconnection
via BICO) should then be selected and the following interconnections made:
■ p2051[4] = r2131 (error number)
■ p2051[5] = r2110 (alarm number)
Functions of the STEP 7 program (without safety program)
Program overview
The STEP 7 program essentially comprises blocks FC10, FC100
and DB1 that are called in the cyclic program (OB1).
DB1, axis_DB
The axis_DB represents the interface between the S7 program and the SINAMICS G120 via FC100.
Axis_DB is generated from UDT 1 (Axis_DB_G120)
Principal structure of axis_DB

| Address | Symbolic name | Type | Function |
|---|---|---|---|
| Internal data | | | |
| DBW0 | Basic_Data.Moduleadress | INT | I/O start address of the SINAMICS G120 (refer to HW Config) |
| DBB3 | Basic_Data.Drivetyp | Byte | Drive type, must be 2 |
| S7 -> SINAMICS G120 | | | |
| DBW4 | Control_signals.STW2 | Bool | Control word 2 (for details, refer to the S7 program) |
| DBW6 | Control_signals.STW1 | Bool | Control word 1 (for details, refer to the S7 program) |
| DBW8 | Control_signals.Frequency_set | INT | Frequency setpoint in x.x % |
| DBW10 | Control_signals.Torque_set | INT | Torque setpoint in x.x % |
| SINAMICS G120 -> S7 | | | |
| DBW14 | Status_signals.ZSW2 | Bool | Status word 2 (for details, refer to the S7 program) |
| DBW16 | Status_signals.ZSW1 | Bool | Status word 1 (for details, refer to the S7 program) |
| DBW18 | Status_signals.Actual_frequency | INT | Frequency actual value in x.x % |
| DBW20 | Status_signals.Actual_current | INT | Current actual value in x.xx A |
| Fault messages | | | |
| DBW24 | Faults.Drive_error_number | INT | Actual error number of the SINAMICS G120 |
| DBW26 | Faults.Drive_alarm_number | INT | Actual alarm number of the SINAMICS G120 |
In this function example the individual data of the DB1 are supplied in FC10.
FC10, organization
This block is called-up in absolute terms in OB1 and in turn calls up FC100.
Principle of the FC10

| Network | Function |
|---|---|
| 1 | Controls the SINAMICS G120 via the axis-DB, DB1. Calls the SINAMICS G120 control block FC100. This network can be used as template for additional SINAMICS G120 control functions. |
| 2 | Controls the signal lamp for "Safety function activated or fault". |

FC100, control of SINAMICS G120
SINAMICS G120 is controlled using the FC100 via PROFIBUS. Only signals from the axis_DB are used to control the block - but no fixed addresses - this is the reason that instances can be used.
This block can be used in the same way for both a standard and a Safety SINAMICS G120.
Formal operands of the FC100

| Formal operands | Type | Description |
|---|---|---|
| Nr_Axis_DB | IN | Number of the axis-DB generated using UDT1 |
| Internal_Error | OUT | Displays an internal error: 0 = no error, 1 = incorrect axis-DB type |

Principle structure of the FC100

| Network | Function |
|---|---|
| 1 | Opens the axis_DB specified using the formal operands Nr_Axis_DB. Generates the internal error message. |
| 2 | Reads-in the SINAMICS G120 status words, processes these and saves them in the axis_DB. |
| 3 | Resets internal error messages. |
| 4 | Converts frequency and torque setpoint from the axis_DB (entered in x.x %) into the SINAMICS G120 format (hex). |
| 5 | Enters SINAMICS G120 error and alarm number into the axis_DB. |
| 6 | Sends control words from the axis_DB to the SINAMICS G120 |
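The six process data words exchanged by FC100 can be packed and decoded as follows, for example when checking a recorded PROFIBUS frame against the axis_DB contents. This is an added example in Python, not the STEP 7 code of the functional example; the word order is taken from the I/O address tables on this page, while the normalization 4000 hex = 100 % and all sample values are assumptions.

```python
import struct

# Word order as listed in the I/O address tables on this page.
OUT_WORDS = ("STW1", "N_SOLL_A", "M_LIM", "STW2", "RESERVE_1", "RESERVE_2")
IN_WORDS = ("ZSW1", "N_IST_A_GLATT", "I_IST_GLATT", "ZSW2", "FAULT_CODE", "WARN_CODE")

# ASSUMPTION (not stated on this page): 4000 hex in a PZD word equals 100.0 %.
FULL_SCALE = 0x4000


def word_addresses(module_address=256, outputs=True):
    """Map each PZD word to its peripheral address, e.g. STW1 -> PQW256."""
    prefix, names = ("PQW", OUT_WORDS) if outputs else ("PIW", IN_WORDS)
    return {name: f"{prefix}{module_address + 2 * i}" for i, name in enumerate(names)}


def percent_to_raw(tenths):
    """axis_DB value in x.x % (500 means 50.0 %) -> signed 16-bit PZD value."""
    raw = round(tenths * FULL_SCALE / 1000)
    if not -0x8000 <= raw <= 0x7FFF:
        raise ValueError(f"{tenths / 10:.1f} % does not fit into one PZD word")
    return raw


def raw_to_percent(raw):
    """Signed 16-bit PZD value -> value in x.x % (tenths of a percent)."""
    return round(raw * 1000 / FULL_SCALE)


def pack_setpoints(stw1, stw2, frequency_set, torque_set):
    """Build the 12-byte frame written to PQW256..PQW266 (big-endian words)."""
    for word in (stw1, stw2):
        if not 0 <= word <= 0xFFFF:
            raise ValueError("control words are 16 bits wide")
    return struct.pack(">HhhHHH", stw1, percent_to_raw(frequency_set),
                       percent_to_raw(torque_set), stw2, 0, 0)


def unpack_status(frame):
    """Decode the 12-byte frame read from PIW256..PIW266 into axis_DB-style fields."""
    if len(frame) != 2 * len(IN_WORDS):
        raise ValueError(f"expected 12 bytes of process data, got {len(frame)}")
    zsw1, n_ist, i_ist, zsw2, fault, alarm = struct.unpack(">HhhHHH", frame)
    return {
        "ZSW1": zsw1,
        "ZSW2": zsw2,
        "Actual_frequency": raw_to_percent(n_ist),  # in x.x %
        "Actual_current_raw": i_ist,                # scaling not given on this page, left raw
        "Drive_error_number": fault,
        "Drive_alarm_number": alarm,
    }


# Constructed sample data, not captured from a real drive.
SAMPLE_OUT = pack_setpoints(stw1=0x047F, stw2=0x0000, frequency_set=500, torque_set=1000)
SAMPLE_IN = bytes.fromhex("eb31 2000 0123 0000 018b 06a3")

if __name__ == "__main__":
    print(word_addresses())
    print(SAMPLE_OUT.hex(" ", 2))
    print(unpack_status(SAMPLE_IN))
```

In the constructed input frame the last two words decode to fault number 395 and alarm number 1699, the two numbers this page discusses.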
SINAMICS G120 - parameterizing the safety functions
Refer to Chapter SINAMICS G120 configuration on page
496.
SINAMICS G120 parameterization
In order that the basic SINAMICS G120 functions can be parameterized, the safety functions in the S7-CPU and in the drive inverter itself must already have been commissioned.
The reason for this is that during parameterization a motor identification routine is carried-out (the motor and cables are measured) - and if vector control is activated - the controller is optimized. Both of these functions require that the safety functions are in the ready state.
■ Starting from the main path of the SIMATIC Manager, start the STARTER parameterizing software by double clicking on the SINAMICS_G120 icon
■ Then, in the Project Navigator of the STARTER parameterizing software select the object "SINAMICS_G120" (1.) and press button (2.) to establish an online connection to the drive inverter.
■ The screen form with the actual configuration is opened by double clicking on Configuration in the Project Navigator.
■ The quick commissioning Wizard is started after pressing the button.
■ In the screen form Drive functions, select for Motor identification, the function Ident. of al param. in standstill incl. the saturation curve (3).
■ Enter the appropriate values into all of the screen forms.
■ In the screen form Calculation of the motor data, select Restore factory setting and calculate motor data.
■ In the screen form Summary do not activate the function RAM -> ROM, but instead press the Finish button.
■ After completing the quick commissioning, alarm A0541 (Motor data-identification active) is displayed. Please carefully note that when starting the motor identification routine current flows in the motor. For hanging (suspended) axes the load must always be supported.
■ To start the motor data identification routine, in the Project Navigator select the menu item Commissioning and activate by double clicking on Control panel.
■ Press Assume control priority and carefully note the security/safety information and instructions. Then activate Enables.
■ The motor data identification routine is started by pressing the button. Do not exit the STARTER software and go to another task as otherwise the motor data identification routine will be interrupted for safety reasons.
■ Please wait until the button changes back to the button.
■ Return the control priority to the S7 control by pressing the button.
■ Finally, you only have to save the SINAMICS G120 configured software in the ROM memory of the drive inverter. To do this in the Project Navigator select the menu item SINAMICS_G120.
■ In the function bar press the button.
■ Please wait until the download operation has been completed.
Warranty, Liability and Support
We do not accept any liability for the information contained in
this document.
We do not accept liability, whatever the legal basis, for any
damages arising from the use of examples, notes, programs,
configuration and performance data etc. described in this
Safety Functional Example, except where we are obliged to by
the German Product Liability Act or in cases of willful damage
or gross negligence, injury to life, body or health, breach of
guarantee for the condition of products or items assumed by
us, fraudulent concealment of a defect or breach of a substantial contractual obligation. However, claims arising from a
breach of a condition which goes to the root of the contract
shall be limited to the foreseeable damage which is intrinsic to
the contract, unless caused by intent or gross negligence or
based on mandatory liability for injury of life, body or health.
The above conditions are not meant to change the burden of
proof to the detriment of the user.
Copyright© 2007 Siemens AG, A&D. Any form of duplication of these Safety Functional Examples or excerpts
hereof is prohibited without the expressed consent of
Siemens AG, A&D.
Contact partners
Contact partners for these documents are:
■ Technical Assistance for
low-voltage controls and distribution
In person from Mon. to Fri. 8.00 to 17.00 (CET)
Telephone: +49 (911)-895-5900
E-Mail: [email protected]
Internet:
www.siemens.com/lowvoltage/technical-assistance
By fax, 24 hours a day
Fax: +49 (911)-895-5907
■ Online Support Knowledge Management
A&D AS CS3 KM
D-90327 Nürnberg-Moorenbrunn
Internet: support.automation.siemens.com
■ Customer Support
A&D MC CS 2
COCS Safety Integrated
Frauenauracher Str. 80
D-91056 Erlangen
Telephone: +49 180 5050 222
Fax: +49 180 5050 223
E-Mail: [email protected]
Internet: www.siemens.com/automation/support-request
Subject to change without prior notice | Dispo 26100 | SO 0307 3. ROT 508 En / 715142 | Printed in Germany | © Siemens AG 2007
Siemens AG
Automation and Drives
Safety Integrated
Postfach 48 48
90327 NÜRNBERG
GERMANY
www.siemens.com/safety-integrated
The information provided in this compendium contains descriptions or
characteristics of performance which in case of actual use do not always
apply as described or which may change as a result of further development
of the products. An obligation to provide the respective characteristics shall
only exist if expressly agreed in the terms of contract. Availability and
technical specifications are subject to change without notice.
All product designations may be trademarks or product names of
Siemens AG or supplier companies whose use by third parties for their own
purposes could violate the rights of the owners.
Order No. 6ZB5310-0MK02-0BA2