08088e cms ssd 01 fds r2 submit


Upload: quan-coc-sai-gon

Post on 03-Jan-2016


Page 1: 08088e Cms Ssd 01 Fds r2 Submit

FUNCTIONAL DESIGN SPECIFICATION (SSD/FGS)

Project: RC-4 Wellhead Platform System: Control and Monitoring System Contractor : Technics Offshore Engineering Owner: Vietsovpetro JV Doc. No.: 08088E-CMS-SSD-01 Rev. No.: 2 Sht. No.: 2 of 23

TABLE OF CONTENTS

1. INTRODUCTION ........................................................................................................... 4

1.1 Document Scope ......................................................................................................... 4

1.2 Project Information ..................................................................................................... 4

1.3 Abbreviations .............................................................................................................. 5

2. PROJECT OVERVIEW .................................................................................................... 6

3. SYSTEM OVERVIEW ..................................................................................................... 7

3.1 Introduction ................................................................................................................. 7

3.2 System Features .......................................................................................................... 8

3.2.1 Flexible Modular Redundancy™ .......................................................................... 8

3.2.2 Safety-Fieldbus ..................................................................................................... 8

3.2.3 Redundant Controllers ......................................................................................... 9

3.2.4 Redundant Bus Systems ..................................................................................... 10

3.2.5 Redundant I/O ................................................................................................... 10

3.2.6 Safety Software .................................................................................................. 10

3.2.7 Safety Function .................................................................................................. 11

3.2.8 Self-Tests ............................................................................................................ 12

3.2.9 Password Protection for F-Systems ................................................................... 12

4. SYSTEM DESIGN ........................................................................................................ 13

4.1 LEVEL “0” – FIELD Devices ......................................................................................... 13

4.2 LEVEL “1” – PLC ......................................................................................................... 14

4.2.1 Introduction ....................................................................................................... 14

4.2.2 System I/O Count ............................................................................................... 15

4.2.3 System Hardware ............................................................................................... 16

4.2.4 Cabinet Design ................................................................................................... 17

4.2.5 Electrical Distribution ......................................................................................... 18

4.2.6 System Power Requirements ............................................................................. 19

4.2.7 System I/O Connections ..................................................................................... 20

4.2.8 Field Cable Termination ..................................................................................... 20

4.2.9 Cable Colour Codes ............................................................................................ 21

4.2.10 System Grounding .............................................................................................. 21

4.3 LEVEL “2” – SCADA .................................................................................................... 22


4.3.1 SCADA ................................................................................................................ 22

4.3.1.1 Introduction ................................................................................................ 22

4.3.2 DCI ...................................................................................................... 23

4.3.2.1 Introduction ................................................................................................ 23

APPENDIX A Control System Block Diagram

APPENDIX B System Power Single Line Diagram

APPENDIX C Typical Earthing Arrangement Diagram

APPENDIX D Power / Heat Dissipation Calculation

APPENDIX E TUV Certificates

APPENDIX F System Hardware Datasheets


1. INTRODUCTION

1.1 Document Scope

This Functional Design Specification (FDS) defines the system design for the SIL3 certified SIMATIC S7-414FH PLC based combined Safety Shutdown and Fire & Gas Detection (SSD/FGS) system for the RC-4 platform owned by Vietsovpetro JV (VSP) in Vietnam. The SSD/FGS PLC is part of the Control and Monitoring System as supplied for the RC-4 platform by Technics Offshore Engineering Pte Ltd. The overall system configuration is shown in the Control System Block Diagram (Dwg. No. 08088E-CMS-SYS-01) in App. A. The other systems included in the supply are discussed in the following specifications:

• Process Control System (PCS) – Doc. No. 08088E-CMS-PCS-01;

• SCADA – Doc. No. 08088E-CMS-HMI-01;

• Data Communication Interface – Doc. No. 08088E-CMS-DCI-01.

The system described in this specification is based on sound practices and recommended solutions documented in the Siemens reference manuals, applied to the project requirements.

1.2 Project Information

• Project Title : RC-4 Wellhead Platforms

• Project Location : Vietnam

• Equipment : Control and Monitoring Systems

• End User : Vietsovpetro JV (VSP)

• Client : Technics Offshore Engineering Pte Ltd (TOEPL)

• Client’s Project Ref. : 08088

• Vendor Project Ref. : 0814


1.3 Abbreviations

1-oo-2 One-out-of-two

2-oo-2 Two-out-of-two

2-oo-3 Two-out-of-three

DCI Data Communication Interface

EMC Electromagnetic Compatibility

EMI Electromagnetic Interference

ES PCS7 Engineering System

ESD Emergency Shutdown

EWS Engineering Workstation

FB Function Block

FBD Function Block Diagram

FGS Fire and Gas Detection System

HIFT Hardware Implemented Fault Tolerance

I/O Input/Output

IMB Inter-Module Bus

IS Intrinsically Safe

MCB Miniature Circuit Breaker

MCC Motor Control Centre

MTTR Mean Time to Repair

OPC OLE for Process Control

OS PCS7 Operating System

PCS Process Control System

PSD Process Shutdown

PSU Power Supply Unit

SCADA Supervisory Control and Data Acquisition

SIL Safety Integrity Level

SOE Sequence of Events

SSD Safety Shutdown

TÜV Technischer Überwachungs-Verein

TMR Triple Modular Redundant

UPS Uninterruptable Power Supply


2. PROJECT OVERVIEW

The proposed Control and Monitoring System is based on the Siemens SIMATIC PCS7 solution, which consists of S7-414H Controllers, the ET-200M I/O System with S7-300 I/O Modules, and PCS7 OS software. Please refer to the Control System Block Diagram in Appendix A for more details.

Each of the SSD/FGS and PCS control systems has its own dedicated, independent and fully redundant S7-414H Controller, ET-200M I/O System and S7-300 I/O modules. The S7-414H Controllers are the same for all PLC systems. The SIL3 S7-414FH Controllers for the SSD/FGS system shall be installed with the additional TUV SIL3 certified Failsafe Library Blocks.

The S7-414H Controller communicates with the ET-200M I/O System via the redundant PROFIBUS DP buses. The PROFIBUS DP communication port is integrated in the CPU, so no additional module is required on the Controller. On the ET-200M station, the PROFIBUS interface is provided via dual IM153-2 modules.

Each S7-414H Controller set comes with two no. of CP443-1 Ethernet Communication Processors (CP). These CPs are connected to the redundant Industrial Ethernet (IE) networks compliant to the IEEE802.3 standard. Peer-to-peer communication between the Controllers is carried out via the CP443-1 Ethernet CPs. The PCS7 OS station (WS-1) communicates with the S7-414H Controller via the redundant IE networks. A local A4 black & white laser printer shall be provided for alarm and report printing.

The PCS7 Engineering Station (ES-1) is installed with the SIMATIC Manager software and connected to the S7-414H Controller via the IE networks. The configuration and programming for all Controllers shall be carried out in the SIMATIC Manager software under one project. The Step7 software also supports online diagnostics of the PLC systems.

The DCI Controller set is installed with two additional no. of CP441-2 Point-to-Point Communication Processors for redundant RS-232 connections to the Microwave Radio station.


3. SYSTEM OVERVIEW

3.1 Introduction

The SSD/FGS system is based on SIMATIC SIL3 certified S7-414FH Failsafe Hot-Standby PLC and ET-200M I/O Subsystem with S7-300 Failsafe-I/O Modules with TUV certificates as attached in Appendix E. The SSD/FGS PLC system provided is a full redundant system including power supplies, CPUs, Ethernet communication processors (CP443-1) and ET-200M I/O subsystems. The SSD/FGS system provides emergency shutdown for the safe operation of each equipment unit operating area and the detection of the presence of fire and gas leakage. Control philosophy will be programmed according to client provided Cause & Effect diagrams. The field signals are connected to the field terminal blocks or IS. Isolators in the marshalling cabinets and routed via multi-core cables to the redundant S7-300 F-I/O modules located in separate ET-200M stations. Communication with the PCS7 OS Workstation (WS-1) and the S7-414H based DCI PLC is carried out through the redundant CP443-1 Industrial Ethernet processors via dual Ethernet (IE) networks compliant to IEEE802.3 standard. The PCS7 Engineering Station (ES-1) is installed with the SIMATIC Manager software and connected to the S7-414FH Controller via the IE networks. The SIMATIC Manager software supports the configuration, programming and on-line troubleshooting for the full S7-414FH system. Additional 30% spare I/O points have been taken into consideration for the quantities of I/O modules provided.


3.2 System Features

The proposed S7-414FH Failsafe Controllers for the SSD/FGS system use the same hardware, and therefore share the same characteristics, as the standard S7-414H Controllers proposed for the PCS and DCI systems. To use the standard S7-414 CPU for a safety application, only the additional S7-F Systems software package is required. The S7 FH Systems are certified for safety shutdown systems according to IEC 61511 (SIL3) and for fire and gas applications according to EN 54 and NFPA 72.

3.2.1 Flexible Modular Redundancy™

The SIMATIC S7-414FH system features a unique design that is flexible, modular and redundant and which enables the assembly of extremely fault-tolerant architectures. Unlike traditional leg-based architectures, where the failure of a single component causes shutdown of an entire leg of the system, the SIMATIC S7-414FH system integrates certified safety-fieldbus technology, allowing each module to function independently of the other modules in the system. The level of fault-tolerance can be tailored to match the needs of the application by mixing and matching single, dual and triple redundancy in the same system. As a result, the SIMATIC S7-414FH architecture tolerates multiple faults with no degradation in safety since every component of the system is certified to SIL 3. Third-party system reliability modeling has shown that Siemens Flexible Modular Redundancy™ delivers higher levels of availability than traditional dual and triple redundant architectures.

3.2.2 Safety-Fieldbus

Failsafe communication between the safety program in the F-CPU and the fail-safe inputs and outputs takes place via the "standard" PROFIBUS DP with superimposed PROFIsafe safety profile.


The PROFIsafe PROFIBUS profile, developed specifically for this purpose, allows the useful data of the safety function to be transferred within the standard data message frame. Additional hardware components, e.g. special safety buses, are not necessary. The necessary software is either integrated in the hardware components as an extension of the operating system or loaded as a certified software block into the CPU. PROFIsafe utilizes the standard services of the lower-level bus system to implement safe communication. When transmitting messages, PROFIsafe applies four measures against possible faults or errors such as corrupted addresses, loss, delay, etc.:

• Messages are consecutively numbered

• Message timing is monitored (watchdog)

• Authenticity is monitored using "passwords"

• An optimized CRC (Cyclic Redundancy Check) detects corrupted data bits in a message frame

With SIL 3 (Safety Integrity Level), it fulfils the highest requirements in the process industries. PROFIsafe permits standard and safety-related communications on one and the same bus.
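As an added illustration (not part of this specification and not Siemens' PROFIsafe implementation), the following constructed Python model shows how a receiver applies the four measures listed above and drops its outputs to the safe state on any detected fault. The frame layout, the 8-bit consecutive number, the use of CRC-32 and the "codename" address are assumptions made for the example, not the real profile's wire format.

```python
"""Constructed model of the four PROFIsafe integrity measures: consecutive
numbering, watchdog timing, authenticity ("password"/codename) and CRC.
Illustrative only; it is not the PROFIsafe wire format or any vendor code."""
import struct
import zlib
from dataclasses import dataclass

# Substitute value applied to the F-outputs on any detected fault: all bits
# de-energised, i.e. the safe state for a de-energise-to-trip shutdown system.
SAFE_STATE = b"\x00\x00"


@dataclass(frozen=True)
class SafetyFrame:
    """One safety PDU as modelled here (assumed layout)."""
    f_address: int      # configured codename of the sender (the "password")
    consecutive: int    # consecutive number, wraps at 256 (assumed width)
    payload: bytes      # safety process data carried inside the standard frame
    crc: int            # CRC over address + consecutive number + payload


def safety_crc(f_address: int, consecutive: int, payload: bytes) -> int:
    """CRC-32 over everything the receiver must trust (assumed polynomial)."""
    header = struct.pack(">HB", f_address, consecutive & 0xFF)
    return zlib.crc32(header + payload) & 0xFFFFFFFF


def make_frame(f_address: int, consecutive: int, payload: bytes) -> SafetyFrame:
    """Sender side (F-device): build a frame carrying a valid CRC."""
    return SafetyFrame(f_address, consecutive & 0xFF, payload,
                       safety_crc(f_address, consecutive, payload))


class SafetyReceiver:
    """Receiver side (F-host): checks every frame and latches fail-safe on a fault."""

    def __init__(self, expected_address: int, watchdog_ms: int, start_ms: int = 0):
        self.expected_address = expected_address
        self.watchdog_ms = watchdog_ms
        self.expected_consecutive = 0
        self.last_valid_ms = start_ms
        self.outputs = SAFE_STATE   # outputs stay safe until a valid frame arrives
        self.fault = None           # None while healthy, else the detected fault

    def _trip(self, reason: str) -> str:
        # Fault reaction function: de-energise outputs and stay there until reset.
        self.fault = reason
        self.outputs = SAFE_STATE
        return reason

    def tick(self, now_ms: int) -> str:
        """Called cyclically even when no frame arrives: the watchdog check."""
        if self.fault:
            return self.fault
        if now_ms - self.last_valid_ms > self.watchdog_ms:
            return self._trip("watchdog")   # frames lost or delayed too long
        return "ok"

    def on_frame(self, frame: SafetyFrame, now_ms: int) -> str:
        """Apply the four measures; returns 'ok' or the name of the fault found."""
        if self.tick(now_ms) != "ok":
            return self.fault
        if frame.crc != safety_crc(frame.f_address, frame.consecutive, frame.payload):
            return self._trip("crc")        # corrupted data bits
        if frame.f_address != self.expected_address:
            return self._trip("address")    # wrong or misdirected source
        if frame.consecutive != self.expected_consecutive:
            return self._trip("sequence")   # lost, repeated or reordered frame
        self.expected_consecutive = (frame.consecutive + 1) & 0xFF
        self.last_valid_ms = now_ms
        self.outputs = frame.payload        # accepted: pass process data through
        return "ok"


def demo() -> list:
    """Constructed traffic: two good frames, then a repeated frame trips the receiver."""
    rx = SafetyReceiver(expected_address=0x0105, watchdog_ms=200)
    f0 = make_frame(0x0105, 0, b"\x01\x00")
    f1 = make_frame(0x0105, 1, b"\x01\x01")
    log = [rx.on_frame(f0, 10), rx.on_frame(f1, 110), rx.on_frame(f1, 180)]
    log.append(rx.outputs == SAFE_STATE)
    return log


if __name__ == "__main__":
    print(demo())
```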

3.2.3 Redundant Controllers

SIMATIC S7-414FH controllers are used in a redundant controller configuration for extended system availability, in order to satisfy safety and fault-tolerance demands. All individual components are certified according to SIL 3 with no degraded mode, and safety is not bound to redundancy: when a controller fails, the standby controller is still certified to run the safety applications alone.


3.2.4 Redundant Bus Systems

For the fail-safe, fault-tolerant communication Siemens applies the PROFIsafe profile, certified according to IEC 61508. The bus is redundantly configured, i.e. failure in the bus can also be tolerated. The bus changeover takes place automatically in the event of a fault.

3.2.5 Redundant I/O

The ET 200M fail-safe I/Os are used in the redundant design for the distributed expansion of the SIMATIC S7-414FH. Together with the redundant PROFIBUS connection, it is the base of the Flexible Modular Redundancy. This creates the greatest possible availability, because in this way the system can withstand the failure of a CPU, a PROFIBUS line or a signal module or a combination of different failures. The fail-safe I/Os are internally redundant, can diagnose internal and external faults and carry out numerous self-tests and field-wiring diagnostics (e.g. short-circuiting, wire-break). In addition, fail-safe and standard I/O modules (critical and non-critical I/Os) can be combined in one ET 200M/S station.

3.2.6 Safety Software

The standard and safety programs are generated in the proven SIMATIC Manager. TÜV-certified function blocks from the library in S7-F Systems are used for the S7 FH Systems. The S7-F Systems software package enhances the S7-414FH controller by adding the safety functions, and a library of TUV certified functions is added with it. All safety function blocks can be identified by their yellow colour.


S7 F Systems is the engineering tool for configuration of failsafe applications, integrated in SIMATIC Manager. This tool enables you to:

• Parameterize CPUs and F signal modules, and

• Generate failsafe applications in CFC.

Preprogrammed CFC software blocks approved by TUV are available for this purpose. The failsafe blocks relieve the user from having to individually create programs for fault identification and error response. Program changes during continuous operation are possible, e.g. changing and reloading components. During compilation, certain fault detection and fault reaction functions are automatically added to the Safety Program. The S7 F Systems optional package also provides functions for comparing Safety Programs and supporting the acceptance of Safety Programs.

3.2.7 Safety Function

Functional safety is implemented principally through safety functions in the S7-F systems software. Safety functions are executed by S7 FH Systems to restore or maintain a safe state in a system when a dangerous event occurs. Safety functions are contained mainly in the following components:

• In the safety-related user program (Safety Program) in the fail-safe CPU (F-CPU)

• In the fail-safe inputs and outputs (F-I/O)

The F-I/O modules ensure safe processing of field information. They have all of the required hardware and software components for safe processing in accordance with the required safety class. The user programs only the user safety function. The safety function for the process can be provided through a user safety function or a fault reaction function. In the event of a fault, if the F-system can no longer execute its actual user safety function, it executes the fault reaction function; for example, the associated outputs are deactivated and, if necessary, the F-CPU switches to STOP mode.

3.2.8 Self-Tests

Self-tests are carried out in the S7 FH system to detect faults. The frequency of the cyclic self-tests can be set during configuration (the default is 90 minutes). Only settings of up to 12 hours are permitted for the S7 F/FH Systems. Execution (program run, entire safety-related hardware) and the test result are checked in the Safety Program by an F test block that is inserted automatically when the Safety Program is compiled.

3.2.9 Password Protection for F-Systems

Password protection protects the S7 F/FH Systems from unauthorized access, e.g. from unwanted downloads to the CPU from the engineering system (ES). In addition to the standard password for the CPU, an additional password is also required for S7 F/FH Systems for the Safety Program (F password).


4. SYSTEM DESIGN

The design and implementation of the SSD/FGS system is based on the three Control System Levels philosophy as per VSP specifications and as shown in the Control System Block Diagram in Appendix A.

4.1 LEVEL “0” – FIELD Devices

Level “0” refers to field sensors and execution units. Level “0” field devices are to be supplied by the client, TOEPL. Field signals are basically segregated into 3 different groups: Process, ESD/F&G, and Auxiliary. The critical Process and Auxiliary signals, as well as the ESD/F&G signals, are connected to the SSD/FGS PLC. The non-critical Process and Auxiliary signals are connected to the PCS PLC. Field digital and analogue signals classified as Exd or Safe type are wired directly onto the terminal blocks, and the Intrinsically Safe (IS.) digital and analogue signals are wired directly to the safety barriers provided in the respective Marshalling Cabinets. The IS. and non-IS. signals are to be fully segregated and routed in separate trunkings in the Marshalling Cabinets. The trunkings and wirings for the IS. signals are blue in colour.


4.2 LEVEL “1” – PLC

Level “1” refers to the SSD/FGS and PCS PLCs and their respective I/O subsystems, complete with cabinets and field termination interfaces. This specification describes only the SSD/FGS PLC in detail. Please refer to the “PCS – Functional Design Specification” (Doc. No. 08088E-CMS-PCS-01) for more details on the PCS PLC system. Level “1” PLC cabinets are to be installed in the Control Room shelter.

4.2.1 Introduction

The SSD/FGS PLC system provided is a fully redundant system including power supplies, CPUs, Ethernet communication processors and Failsafe ET-200M F-I/O subsystems. The DCI PLC is configured as the master towards its PLC communication partners. It polls data from the S7-414H SSD/FGS and PCS PLCs via the dual Ethernet networks using the SIMATIC S7 protocol through the redundant CP443-1 Ethernet processors. The SIL3 S7-414FH SSD/FGS Controllers interface with the Failsafe ET-200M F-I/O Subsystems via the redundant Profibus DP I/O Networks. The interface from the field devices to the SSD/FGS PLC is via the S7-300 F-I/O modules located at each ET-200M station.


4.2.2 System I/O Count

The system I/O count is based on the Process and Utility I/O lists provided by the Client and is summarized in the table below.

Item  Area  AI (IS.)  AI (Non-IS.)  DI (IS.)  DI (Non-IS., 24VDC)  DO (Non-IS., 24VDC)  DO (Non-IS., VF.)
1.    SSD   54        0             0         19                   88                   3
2.    FGS   2         52            12        55                   29                   2

                          AI     DI     DO
Total                     104    86     122
Total + 30% Spare         136    112    159

The table below shows the system I/O modules and I/O points provided for a simplex configuration. The actual quantities of I/O modules provided are double.

Item  Description                      AI     DI       DO
1.    No. of points per I/O module     6      12/6*    10
2.    No. of modules provided (SSD)    12     2        13
3.    No. of modules provided (FGS)    12     15*      4
      Total I/O points provided        144    114      170

* FGS DI is implemented using AI modules for line monitoring.


4.2.3 System Hardware

Datasheets for the major hardware components are attached in Appendix F and summarized in the table below:-

Item  Qty.  Model No.        Description

Controller Hardware

1.    1     6ES7656-8CF31    SIMATIC PCS 7, Pre-Assembled & Tested: with 2X CPU 414-4H Incl. F-Runtime License, 2X 4MB RAM Memory Card (UP TO ~300 POS), 2X2 10M Sync Module (IF960), 2X 1M FO, 2X CP443-1 Industrial Ethernet Module, 1X UR2-H (2X9 Slots), 2X 230VAC 10A, And 4X Backup Battery

ET-200M I/O Hardware

2.    18    6ES7153-2AR03    ET200M-RED.-Bundle with 2X IM153-2HF
3.    14    6ES7195-1GA      Rail for ET-200M, 483 mm Long
4.    2     6ES7195-1GG      Rail for ET-200M, 620 mm Long
5.    78    6ES7336-4GE      S7F, Failsafe Analog Input, SIL3, 6 AI, 15 Bit, 20 Pin
6.    4     6ES7326-1BK01    S7F, Failsafe Digital Input, SIL3, 24 DI, DC 24V, 40 Pin
7.    34    6ES7326-2BF01    S7F, Failsafe Digital Output, 10 DO, DC 24 V / 2A, 40 Pin
8.    39    6ES7195-7HC00    Bus Unit for ET200M F. 2X 40mm Wide I/O Submodules
9.    40    6ES7195-7HC00    Bus Unit for ET200M F. 1X 80mm Wide I/O Submodules
10.   78    6ES7392-1AJ00    Front Connector with Screw Contacts, 20-Pin
11.   36    6ES7392-1AJ00    Front Connector with Screw Contacts, 40-Pin
12.   18    6ES7195-7KF00    S7F, Separator Mod. Between F- And Standard Modules
13.   18    6ES7195-7HG00    S7F, Separator Bus Mod. Between F- And Standard Modules

Hazardous Area Isolators

14.   4     KFD2-EB2.R4A.B   Pepperl & Fuchs, Power Feed Module
15.   89    KCD2-STC-EX 1    Pepperl & Fuchs, AI (IS), Single Channel


4.2.4 Cabinet Design

A total of five (5) no. of Rittal TS8 cabinets, rated IP52 and suitable for indoor installation, are provided. One cabinet is reserved for the SSD/FGS system components, one for the PCS/DCI system components, and the rest for signal interface and marshalling components including relays, IS. Isolators and field terminal blocks. Each of the cabinets is installed with a 19” swing-frame of 40U height for mounting the ET-200M I/O stations, to minimize internal cross cabling between cabinets and to optimize cabinet space usage. Please refer to the General Arrangement and Layout Drawings (Doc. no. 08088E-CMS-CAB-01) for more details. The Rittal cabinets provided come with the following standard features:-

• Dimensions: 800mm (Width) x 2000mm (Height) x 800mm (Depth) with a 100mm (Height) plinth.

• Ingress protection shall be category IP52

• RAL7035 colour

• Front access only with key lock

• Bottom field cable entry

• Filter ventilation Unit

• Panel lighting

• Door switch

In addition, the system cabinets are to be installed with the following:

• Roof-mounted Fan

• Thermostat

• Hygrostat


4.2.5 Electrical Distribution

Dual 220VAC UPS feeders are to be provided and installed by the client and landed at the PCS/DCI system cabinet. Separate redundant UPS feeders are to be provided for the SSD/FGS functions and landed at the SSD/FGS system cabinet. Please refer to the System Power Single Line Drawing (Dwg. No. 08088E-CMS-SYS-05) in Appendix B. The ET-200M I/O Subsystem equipment requires 24VDC power. Redundant Phoenix Contact Quint rectifiers are to be provided to convert the AC feeders to 24VDC power for both the system and the field instruments. The power supplies do not require external blocking diodes for 1+1 redundant operation, as they come with built-in power blocking diodes. Circuit breakers and fused terminals are to be used to protect the system components and powered circuits. Each breaker is to be installed with an auxiliary contact that operates in the trip condition. The group of breakers and power supplies on each redundant power supply circuit is wired as a common signal to be monitored by the OS. The rectifier units, circuit breakers and fuses are sized to provide the full load of the system requirement, inclusive of 30% spare for future expansion. A simplex 220VAC utility feeder is to be provided to power the panel lighting, AC outlet socket, roof fan and heater.


4.2.6 System Power Requirements

System power requirements inclusive of the 30% I/O spares are summarized in the table below. Please refer to the Power Consumption calculation (Doc. No. 08088E-CMS-SYS-06) in Appendix D for details.

Item  Description                              Power (Watts / Amp @ 220VAC)
1     AS414-4-2H Controller Set                115

Item  Description                              Power (Watts / Amp @ 24VDC)
2     ET-200M I/O Subsystem                    579
3     Panel Devices (IS. Isolators & Relays)   175
4     Field Power                              1620
      TOTAL (Watts @ 24VDC)                    2374

The system power catered for above is the maximum requirement for the controller set, inclusive of modules to be added in the spare slots in the future. Two units of Phoenix Contact Quint 220VAC/24VDC rectifiers rated 1000W/40A and one unit rated 480W/20A, providing a total of 2480W/100A @ 24VDC, are to be employed to supply the power required for a single power line. The total quantity of power supplies is doubled in order to provide full 1+1 power redundancy for the system requirements.


4.2.7 System I/O Connections

Wires from the field terminal blocks are first connected to the interface terminal blocks before onward connection to the ET-200M I/O modules. Interface terminal blocks are diode and resistor terminals which are necessary for the correct operation of the redundant ET-200M I/O configuration. Please refer to SSD/FGS I/O Schematics Drawings (Dwg. No. 08088E-CMS-SSD-02) for more details.

4.2.8 Field Cable Termination

Terminal blocks are provided for termination of non-IS. type field digital and analogue signals. The field terminal blocks are to be grouped and laid out according to the field multi-core cables, to facilitate site installation works. Fused terminal blocks with LED indication, Entrelec M4/6.SFD, are to be provided for each 24VDC current-carrying circuit. Disconnect terminal blocks, MA2.5/5, are provided for 0VDC or volt-free circuits. The Pepperl & Fuchs KC series of rail-powered IS. isolators are provided for direct termination of IS. type field digital and analogue signals. The IS. and non-IS. cables are not to be mixed, and the respective cable routings in the cabinet are to be segregated in separate trunkings. The trunkings for the IS. signals are blue in colour. The trunkings for the non-IS. signals are grey in colour.


4.2.9 Cable Colour Codes

The following colour codes are to be adopted for the internal wirings in the cabinets:-

• 220VAC – L : Brown

• 220VAC – N : Blue

• 24VDC : Red

• 0VDC : Black

• Non-IS. Signal : Grey

• IS. Signal : Blue

• Safety Earth : Yellow/Green

• Instrument Earth : Green

4.2.10 System Grounding

Separate grounding systems are provided for Equipment Safety Earth and Instrument Earth. Dedicated solid tinned copper bus-bars with a minimum size of 6mm x 25mm x (nominal length) are provided. Each bus-bar is provided with a compression type lug fixed to each end to allow for connection to other bus-bars or to the incoming platform earth cables. Please refer to the Typical Earthing Arrangement Drawing (Dwg. No. 08088E-CMS-SYS-04) in Appendix C for more information. The Safety Earth bus-bar in each cabinet is directly connected to all exposed metal surfaces of cabinets, racks, chassis ground connections etc. All doors are to be electrically bonded to the main cabinet by a tinned copper braided ground strap. The 220VAC utility feed Safety Ground is to be connected to the cabinet Safety Earth bus-bar. The Instrument Earth is to be fully isolated from the cabinet metalwork. All field cable screens are to be terminated directly onto the Instrument Earth bus-bar.


4.3 LEVEL “2” – SCADA

Level “2” refers to the SCADA Workstations and the DCI PLC as shown in the Control System Block Diagram in Appendix A. The SCADA Workstations are based on a redundant SIMATIC PCS7 OS configuration and are discussed in detail in the “HMI – Functional Design Specification” (Doc. No. 08088E-CMS-HMI-01). The PCS7 OS Workstations are located in the Control Room. The DCI PLC is based on the SIMATIC S7-414H Fault-Tolerant PLC and is discussed in detail in the “DCI – Functional Design Specification” (Doc. No. 08088E-CMS-DCI-01). The DCI PLC is installed in the PCS/DCI System Cabinet as shown in the Cabinet General Arrangement Drawing (Dwg. No. 08088-CMS-CAB-01).

4.3.1 SCADA

4.3.1.1 Introduction

Each of the redundant OS Workstations communicates in parallel and simultaneously with the SIMATIC S7-414H Controllers via the redundant Industrial Ethernet (IE) networks. This ensures the availability of data to the OS system if either data network fails. The PCS7 OS Workstations synchronize the alarm and trend data automatically between each other. The OS Workstations communicate with the S7-414H Controllers using the fault-tolerant SIMATIC S7-Ethernet protocol. The PCS7 OS Workstations connect to the PLC systems via the redundant SIMATIC Scalance X-208 Ethernet Switches through CP-1613 PCI network cards. OS network failover is handled automatically by the SIMATIC S7-REDCONNECT software without further script writing.


4.3.2 DCI

4.3.2.1 Introduction

The S7-414H DCI PLC serves as a data concentrator for directing process data between RC-4 and CPP-2 via the Duons HC-24 redundant Microwave Radio Station. The DCI PLC provided is a fully redundant system including power supplies, CPUs, Ethernet communication processors (CP443-1) and serial communication processors (CP441-2). The DCI PLC communicates with the SSD/FGS and PCS PLCs using the Ethernet communication processors via the redundant Ethernet networks. Communication between the DCI PLC and the HC-24 radio system uses a dual RS-232 point-to-point link; it sends and receives data with its radio partner cyclically.


APPENDIX – A Control System Block Diagram


APPENDIX – B System Power Line Diagram


APPENDIX – C Typical Earthing Arrangement Diagram


APPENDIX – D Power / Heat Dissipation Calculation


POWER / HEAT DISSIPATION CALCULATION (SEMiTECH)

Project : VSP - RC4 WELLHEAD PLATFORM CONTROL & MONITORING SYSTEM
Contractor: TECHNICS OFFSHORE ENGINEERING PTE LTD
Owner: VIETSOVPETRO JV
Doc. No.: 08088E-CMS-SYS-06   Rev. No. : 2   Date: 15-Jan-10   Sht. No. 2 OF 3

Columns: Item / Description / Part No. / Qty / Unit Power (Watts, 220VAC or 24VDC) / Power Consumption (Watts) / Heat Dissipation (BTU/HR)

1  SSD/FGS PLC (AC) : (Note 1)
   A  AS414-4-2H Controller                     6ES7656-8CF31-1BA0    1   115.00 (220VAC)    115.00    392.36
   SUB-TOTAL:                                                                                  115.00    392.36

2  ET200M F-I/O (DC) : (Note 1 & 2)
   A  IM 153-2 Interface Module                 6ES7153-2BA02-0XB0   12    14.40 (24VDC)     172.80    589.56
   B  Failsafe Analog Input, 6 AI, 15 Bit       6ES7336-4GE00-0AB0   39     4.80 (24VDC)     187.20    638.69
   C  Failsafe Digital Input, 24 DI, DC 24V     6ES7326-1BK01-0AB0    2    10.80 (24VDC)      21.60     73.69
   D  Failsafe Digital Output, 10 DO, DC24V     6ES7326-2BF01-0AB0   16     6.48 (24VDC)     103.68    353.74
   SUB-TOTAL:                                                                                  485.28   1655.68

3  PANEL DEVICES (DC) : (Note 1)
   A  IS. Isolator (AI)                         KCD2-STC-EX 1        91     1.80 (24VDC)     163.80    558.85
   B  IS. Isolator (AO)                         KCD2-SCD-EX 1         0     1.08 (24VDC)       0.00      0.00
   C  Relay                                     MY4N                 10     2.00 (24VDC)      20.00     68.24
   SUB-TOTAL:                                                                                  183.80    627.09

4  FIELD I/O (DC) :
   A  Solenoid Valve                                                 62    10.00 (24VDC)     620.00   2115.32
   B  Flame Detector                                                 16    14.00 (24VDC)     224.00    764.24
   C  Gas Detector                                                   36     7.00 (24VDC)     252.00    859.77
   D  Heat/Smoke Detector                                            18     0.96 (24VDC)      17.28     58.96
   E  Visual-Audio Alarm (Indoor)                                     7     1.00 (24VDC)       7.00     23.88
   F  Visual-Audio Alarm (Outdoor)                                    6    10.00 (24VDC)      60.00    204.71
   G  Digital Input (PSLL, HS, PSL/H, LS, etc)                       30     0.48 (24VDC)      14.40     49.13
   H  Digital Output (MCC Relay)                                     17     3.00 (24VDC)      51.00    174.00
   SUB-TOTAL:                                                                                 1245.68   4250.02
   SUB-TOTAL + 30% SPARE FIELD I/O:                                                           1619.38    266.12

TOTAL PLC POWER (24VDC)/HEAT DISSIPATION:    2288.46
TOTAL UPS POWER (220VAC)/HEAT DISSIPATION:   2403.46    392.36

Note:

1) PLC, ET-200M I/O and Panel Devices are already inclusive of the 30% spare.

2) Only quantity for one side of redundant pair is considered as they are fully supported by redundant power supply.


APPENDIX – E TUV Certificates


Report to the Certificate Z2 03 04 38282 002

Safety-Related Programmable Systems

SIMATIC S7 F/FH Systems

(formerly S7-400F and S7-400FH)

Manufacturer: Siemens AG, Werner-von-Siemens Str. 50, D-92224 Amberg

Report No.: 10042360, Revision 1.7 dated 28. September 2007

Testing Body: TÜV SÜD Automotive GmbH, Electronic Systems, Ridlerstraße 57, D-80339 München

Accredited Testing Body for Functional Safety

Deutscher Akkreditierungsrat

DAT-P-217191-03

Dissemination, distribution, copying or any other use of information in this report in part is strictly prohibited


Revision Log

Version  Name       Date        Changes/History

1.0      R. Faller  30.11.1999  Initial

1.1      P. Müller  18.12.2000  LS 2

1.3      P. Müller  15.11.2001  Section 5.4 added and modified

1.4      A. Beer    23.04.2003  Product name; Definition of terms; 1oo1D and 1oo2D added; Section 2.2 General application condition added
         M. Weber               New software version V5.2 added; Restriction 5.4.1 modified

1.5      A. Beer    03.06.2004  Make reference to "Annexes" (instead of a particular annex) when the annex refers to a software component revision information.
         M. Weber

1.6      F. Rauch   30.06.2005  SP2: The standards EN 54-2:1997, EN 54-4:1997, NFPA 72:2002 and NFPA 85:2004 were included and EN 298 was updated to 2003 in section 3.7.

1.7      P. Weiß    28.09.2007  Layout; Make reference to "Annexes" (instead of a particular annex) when the annex refers to a hardware component revision information; In chapter 2.2 "rückwirkungsfrei" deleted

TÜV SÜD Automotive GmbH, Electronic Systems, Ridlerstraße 57, D-80339 München; Phone: ++49 89 5791-1393; Fax: -4438. 10042360_V1.7.doc, Revision 1.7, Mr. Weiß, 28. September 2007. Page 2 of 22


Content ........................................................................................ Page

1 PURPOSE AND SCOPE ........................................................................... 4

1.1 DEFINITION OF TERMS ........................................................................ 4

2 SYSTEM OVERVIEW .............................................................................. 6

2.1 SYSTEM ARCHITECTURE ....................................................................... 6

2.2 HARDWARE COMPONENTS UNDER CERTIFICATION ................................................... 8

2.3 SOFTWARE COMPONENTS UNDER CERTIFICATION ................................................... 8

2.4 SAFETY MANUAL ............................................................................. 9

3 CERTIFICATION REQUIREMENTS ................................................................. 10

3.1 BASIS OF CERTIFICATION ................................................................... 10

3.2 CERTIFICATION DOCUMENTATION .............................................................. 11

3.3 EUROPEAN DIRECTIVES ...................................................................... 12

3.4 FUNCTIONAL SAFETY ........................................................................ 12

3.5 BASIC SAFETY ............................................................................. 13

3.6 ELECTROMAGNETIC COMPATIBILITY ............................................................ 13

3.7 APPLICATION STANDARDS .................................................................... 14

4 RESULTS .................................................................................... 16

4.1 FUNCTIONAL SAFETY ........................................................................ 16

4.2 BASIC SAFETY AND ELECTROMAGNETIC COMPATIBILITY ........................................... 18

4.3 PRODUCT SPECIFIC QUALITY ASSURANCE AND CONTROL ........................................... 19

5 IMPLEMENTATION CONDITIONS AND RESTRICTIONS ................................................. 20

5.1 GENERAL APPLICATION CONDITIONS ........................................................... 20

5.2 GENERAL COMMISSIONING CONDITIONS ......................................................... 20

5.3 GENERAL RUN-TIME CONDITIONS .............................................................. 21

5.4 PRODUCT-RELATED CONDITIONS ............................................................... 21

6 CERTIFICATE NUMBER ......................................................................... 22


1 Purpose and Scope

TÜV Automotive GmbH has been contracted by Siemens AG to certify the Safety-Related Programmable Systems SIMATIC S7 F/FH Systems.

This report summarizes the user-related results of the tests and inspections performed on the SIMATIC S7 F/FH Systems based on the certification requirements outlined under clause 3.1 and reported by the documentation listed under clause 3.2.

1.1 Definition of Terms

The following terms are used in this report with a meaning defined as follows:

Functional Safety: The ability of a safety-related system to carry out the actions necessary to achieve a (defined) safe state for the equipment under control (EUC) or to maintain the safe state for the EUC.

CFC: Continuous Function Chart

Degraded operation: Denotes the system operating mode when a fault has been detected and localized in one of the critical components.

Multiple fault occurrence time: The multiple-fault occurrence period denotes a time frame in which the probability for the appearance of combination-wise safety-critical multiple faults is sufficiently low for the considered requirement class. The period of time begins with the last point in time at which the considered system was in a fault-free assumed condition according to the considered requirements class.

The definition of this time is not system specific. A general recommendation is to assume this time to be magnitudes (2 to 3) below the specified MTBF time.

Fault tolerance time: The fault-tolerance time denotes a characteristic of the process and describes the period of time in which the process can be controlled by a faulty control-output signal without entering a dangerous condition.

Interference free: Property of a unit not to cause a faulty state in connected units even if it fails.

Probability of Failure on Demand (PFD): Average probability of failure of a system to perform its design functions on demand.

Proven-in-use / Proven-by-operation / Field tested: A sufficient number of installations in various application fields with available fault history of the installed systems did not show the presence of a safety-related systematic error.


1oo2D: This architecture consists of two channels connected in parallel. During normal operation, both channels need to demand the safety function before it can take place. In addition, if the diagnostic tests in either channel detect a fault then the output voting is adapted so that the overall output state then follows that given by the other channel. If the diagnostic tests find faults in both channels or a discrepancy that cannot be allocated to either channel, then the output goes to the safe state. In order to detect a discrepancy between the channels, either channel can determine the state of the other channel via a means independent of the other channel.

1oo1D: This architecture consists of a single channel connected to an independent diagnostic circuit (not self-diagnostics). If the diagnostic circuit detects a hidden fault in the channel it asserts the safe state via a means independent of the channel.
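The two definitions above describe voting rules rather than code. As an added illustration (not from the report and not Siemens' firmware), the following Python models a 1oo2D pair and a 1oo1D channel with exactly those rules, using the closed-circuit convention that a de-energised output is the safe state, and runs the 1oo2D voter over a constructed sequence of scan cycles to show when the system leaves normal operation. The channel and decision types and the cycle data are hypothetical.

```python
"""Model of the 1oo2D and 1oo1D voting rules defined above.

Added example, not code from the report or the S7 F/FH firmware. The
Channel and Decision types are hypothetical. Closed-circuit convention:
energised == True keeps the process running, energised == False is the
de-energised, safe state.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    NORMAL = "normal"        # both channels healthy and in agreement
    DEGRADED = "degraded"    # a fault was detected and localised to one channel
    SAFE = "safe"            # output forced to the safe (de-energised) state


@dataclass(frozen=True)
class Channel:
    energised: bool   # this channel's own output: False = it demands the safe state
    fault: bool       # result of this channel's diagnostic test


@dataclass(frozen=True)
class Decision:
    energised: bool   # output state after voting
    mode: Mode
    reason: str


def vote_1oo2d(a: Channel, b: Channel) -> Decision:
    """Apply the 1oo2D rules: faults in both channels or an unallocated
    discrepancy drive the output safe; a fault localised to one channel
    makes the output follow the other channel; otherwise both channels
    must agree and the output follows their common state."""
    if a.fault and b.fault:
        return Decision(False, Mode.SAFE, "faults in both channels")
    if a.fault:
        return Decision(b.energised, Mode.DEGRADED, "fault in A; output follows B")
    if b.fault:
        return Decision(a.energised, Mode.DEGRADED, "fault in B; output follows A")
    if a.energised != b.energised:
        # Neither diagnostic test flagged a fault, so the disagreement cannot be
        # allocated to a channel and is resolved towards the safe state.
        return Decision(False, Mode.SAFE, "unallocated discrepancy")
    return Decision(a.energised, Mode.NORMAL, "channels agree")


def vote_1oo1d(energised: bool, diag_fault: bool) -> Decision:
    """Apply the 1oo1D rule: a single channel plus an independent diagnostic
    circuit (not self-diagnostics) that asserts the safe state on a fault."""
    if diag_fault:
        return Decision(False, Mode.SAFE, "independent diagnostic detected a fault")
    return Decision(energised, Mode.NORMAL, "single channel, no fault")


def run_cycles(cycles):
    """Vote every scan cycle and return the decisions together with the index
    of the first cycle that left normal operation (None if all were normal)."""
    decisions = [vote_1oo2d(a, b) for a, b in cycles]
    first_abnormal = next(
        (i for i, d in enumerate(decisions) if d.mode is not Mode.NORMAL), None
    )
    return decisions, first_abnormal


# Constructed scan cycles (not measurements from any plant).
SAMPLE_CYCLES = [
    (Channel(True, False), Channel(True, False)),   # 0: healthy, process running
    (Channel(True, False), Channel(True, True)),    # 1: B diagnosed faulty, A still energised
    (Channel(False, False), Channel(True, True)),   # 2: A demands safe state while B is faulty
    (Channel(True, False), Channel(False, False)),  # 3: two healthy channels disagree
    (Channel(True, True), Channel(True, True)),     # 4: faults in both channels
]


if __name__ == "__main__":
    decisions, first_abnormal = run_cycles(SAMPLE_CYCLES)
    for i, d in enumerate(decisions):
        print(f"cycle {i}: energised={d.energised!s:5} mode={d.mode.value:8} {d.reason}")
    print("first cycle outside normal operation:", first_abnormal)
    print("1oo1D with diagnostic fault:", vote_1oo1d(True, True).mode.value)
```

Cycle 1 is where a maintenance alarm would be raised: the output is still energised, but the system is already in degraded operation on one channel.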


2 System Overview

2.1 System Architecture

The SIMATIC S7 F/FH Systems are safety-related fail-safe programmable electronic systems (PES) that are suitable for safety-related applications with a high level of potential danger, e.g. controllers for offshore processes and chemical processes.

[Figure: System Architecture for S7 F. Components shown: Operator Station (system visualization), Programming device, S7-400F programmable controller, Fail-safe I/O modules (optionally redundant), Standard I/O modules (optionally redundant).]


[Figure: System Architecture for S7 FH. Components shown: Operator Station (system visualization), redundant system bus (PROFIBUS or Ethernet), S7-400FH programmable controller, redundant PROFIBUS-DP, Fail-safe I/O modules (optionally redundant), Standard I/O modules (optionally redundant).]

The SIMATIC S7 F/FH Systems consist of 1 or 2 "S7-400 CPUs" (central processing units) respectively that are suitable for safety-related applications and "Fail-Safe I/O Modules" (F-SM or F-I/O).

Safety critical input signals are read from the process with the F-I/O or read from other F-CPUs via safety-related communication.

Safety critical output signals are sent from the F-CPU to the F-I/O or to other F-CPUs via safety-related communication. The F-I/O is responsible for the safety-related output to the process.

The S7-400 F-CPU implements a 1oo1D structure with diverse application software on a single-channel hardware. Fault detection is implemented by comparison of the diverse application software results in the CPU and the independent F-I/O, internal self-tests and program and data flow monitoring in the CPU, and fault monitoring by the F-I/O.


The following failure control measures are implemented in the CPU:

• redundant execution with data and code redundancy and diversity and comparison of the diverse results

• self-test of safety-related operations in each cycle

• program and data flow monitoring

Checking of this and fault reaction is done directly by the CPU itself as well as indirectly by the recipients of the CPU's safety-related outputs, i.e. the fail-safe output modules and other CPUs.

In addition the CPU performs self-tests in the background and uses two independent time bases. One CPU is sufficient to achieve the certified functional safety. In the S7 FH two redundant CPUs are used in a 2oo2 of 1oo1D configuration to increase availability. The second channel of the I/O module implements an independent comparison and diagnostic entity and allows the D designator for the 1oo1 hardware CPU architecture.

The F-I/O modules are in an internal 1oo2 structure (two channels with comparison). One F-I/O module is sufficient to achieve the certified functional safety. Optionally two redundant F-I/O modules are used in a 2oo2 of 1oo2 configuration to increase availability.

2.2 Hardware Components under Certification

The system components which are certified 'safety-related' are listed in the current revision of the applicable Annexes to this report. This allows the components to be used to process safety critical signals and functions.

All other components of the S7-400 and S7-300 family are 'interference-free' and allowed to be used; however, they are not certified for process safety critical signals and functions. Using these components does not interfere with the proper functioning of the safety-related modules.

For details on architectural, configuration and implementation requirements please refer to the manuals of the SIMATIC S7 F/FH Systems documentation package.

2.3 Software Components under Certification

A list of the software components with the valid version numbers is shown in the current revision of the applicable Annexes to this report.


2.3.1 Safety-related Software Components

The following software components have been certified 'safety-related', allowing the software components to be used for processing safety critical signals and executing critical functions:

• Add-on option package S7 F Systems

• F-FBs

• Firmware of the Failsafe I/O modules

For the specific versions see the current revision of the Annexes to this report.

2.3.2 Interference-Free Software Components

Other software components than those mentioned in 2.3.1 are not the subject of this certification. Absence of impact of non-certified components on 'safety-related' components is enforced by the intrinsic safety features provided by the diverse logic implementation followed by the 1oo2 F-I/O modules.

2.3.3 Communication

Safety-related communication between F-CPUs and F-I/O is based on the Profibus DP/PA protocol but implements an additional safety shell on top (ProfiSafe). Safety-related communication between F-CPUs is based on a standard protocol like MPI, Profibus or Ethernet but implements an additional safety shell on top.

2.3.4 Programming environment

Safety application programming is performed by connection of function blocks using the Step7 CFC language. Only special certified function blocks shall be used for safety applications. Use of standard function blocks for safety applications is prevented by their own safety data types. Edit, compile and load use the standard STEP7 programming environment of the S7-400 and S7-300 family. An add-on option package S7 F Systems provides the following properties required to improve the standard programming environment for safety programming:

• Library with safety-related function blocks (F-FBs)

• Integration of fault detection measures (self-tests, program and data flow monitoring, data redundancy) into the application program

• Additional access protection for the safety program in the F-CPU

• Add-on option package S7 F Systems checks

2.4 Safety manual

The conditions and rules for safe use of the SIMATIC S7 F/FH Systems are laid down within the user documentation:

• Programmable Controllers, S7 F/FH Systems

• ET 200S Distributed I/O System, Fail-Safe Modules

• Automation System S7-300, Fail-Safe Signal Modules


3 Certification Requirements

3.1 Basis of Certification

The certification of the controller will be according to the regulations and standards listed in clause 3.3 to 3.6 of this document. This will certify the successful completion of the following test segments:

I. Functional Safety

A. Fault investigations for the hardware components listed in the current revision of the Annexes to this report and of the system configurations as described in the manuals of the SIMATIC S7 F/FH Systems and S7 Distributed Safety documentation packages.

B. Software analysis for the software components listed in the current revision of the Annexes to this report

C. Descriptive safety as given by the safety sections of the user documentation, indicated in section 2.4 of this report.

II. Basic Safety including electrical safety - EN 61131-2

III. Environmental Stress Testing

A. Climatic and temperature stress

B. Mechanical stress

IV. Electromagnetic compatibility

A. Electromagnetic susceptibility

B. Electromagnetic emission

V. Product-related Quality Management in manufacturing and product care

Certification is dependent on successful completion of all of the above test segments. The testing follows the basic certification scheme for safety-related programmable electronic systems of TÜV Product Service GmbH.


3.2 Certification Documentation

Documentation of this certification is based on the following reports:

• Technical Report: Report No.: SA58199; Report No.: SA60720; Report No.: T-10042360-01; Report No.: SA66281

• EMC Test Report: Report Nos. 10.99, 11.99, 12.99, 25.99, 21.00, 22.00, 33.00 and 38.00, each prepared by Siemens and reviewed by TÜV PS lOSE

• Environmental Test Report: Report Nos. 10.99, 11.99, 12.99, 25.99, 21.00, 22.00, 33.00 and 38.00, each prepared by Siemens and reviewed by TÜV PS lOSE

• Test Report on IEC 1131-2: Report Nos. 10.99, 11.99, 12.99, 25.99, 21.00, 22.00, 33.00 and 38.00, each prepared by Siemens and reviewed by TÜV PS lOSE

• Calculation of Probability of Failure on Demand: Internal Report of the "Probability-of-Failure-on-Demand" of S7-F Safety-Programmable-System, Rev. 4.1 from 12. December 2000

• Manuals: "Programmable Controllers, S7 F/FH Systems" and "S7-300 Programmable Controller, Fail-Safe Signal Modules"


Based on the specified purpose of use of the SIMATIC S7 F/FH Systems in safety critical process protection applications the certification is based on the following set of standards. The issuance of the certificate states compliance with these references unless specifically noted otherwise.

3.3 European Directives

The fulfillment of the essential requirements of the following European Directives is mandatory for an electronic device such as the SIMATIC S7 F/FH Systems.

73/23/EEC, 93/68/EEC Council Directive of 19 February 1973 on the harmonization of the laws of Member States relating to electrical equipment designed for use within certain voltage limits.

98/37/EEC Council Directive of 22 June 1998 on the approximation of the laws of the Member States relating to machinery (to the extent applicable to programmable electronic safety devices)

3.4 Functional Safety

The testing for functional safety is to be performed using the following standards and guidelines:

DIN V 19250: 1994, AK6 Fundamental aspects to be considered for measurement and control equipment

DIN V VDE 0801: 1990, AK1-6, including amendment A1: 1994 Principles for computers in safety-related systems

IEC 61508-1: 12/1998, IEC 61508-2: 05/2000, IEC 61508-3: 12/1998, IEC 61508-4: 11/1998, IEC 61508-5: 11/1998, IEC 61508-6: 04/2000, IEC 61508-7: 03/2000, SIL1-3 (as applicable to PES) Functional safety; Safety-related systems

prEN 50159-1: 1996 (as applicable) Railway Applications; Safety-Related Communication in Closed Transmission Systems

prEN 50159-2: 1996, class 1 to 5 (as applicable) Railway Applications; Safety-Related Communication in Open Transmission Systems


3.5 Basic Safety

To complete and to specify the technical requirements resulting from the Essential Requirements of the Directives listed above, the testing of Basic Safety is to cover the following standards:

EN 61131-2: 1995 Programmable controllers - equipment requirements and tests

EN 50178: 1997 Electronic equipment for use in power installations

DIN VDE 0110: 1989 Insulation co-ordination for equipment within low-voltage systems

EN 60068 Environmental Testing

OSHIOSE Quality Manual of TÜV Product Service lOSE, Version 1.4

3.6 Electromagnetic Compatibility

To complete and to specify the technical requirements resulting from the Essential Requirements of the Directives listed above, the testing of Electromagnetic Compatibility is to cover the following standards:

EN 61131-2: 1995 Programmable controllers - equipment requirements and tests

EN 55011: 1997 Limits and methods of measurement of radio disturbance characteristics of industrial, scientific and medical (ISM) radio-frequency equipment.

EN 50081-2: 1993 Electromagnetic compatibility (EMC); Generic emission standard - Part 2: Industrial environment

EN 50082-2: 1995 Electromagnetic compatibility (EMC); Generic immunity standard - Part 2: Industrial environment


3.7 Application Standards

Because of the expected applications of the system the following additional standards and regulations should be considered:

Machinery Applications

EN 60204-1: 1997 (as applicable), prEN 60204-11 prA1:1998 Safety of machinery - Electrical equipment of machines

EN 954-1: 1997, categories 2 to 4 Safety of machinery; Safety-related parts of control systems, Part 1 "General principles for design"

Process Industry

DIN V 19251: 1995 Process control technology - MC protection equipment - Requirements and measures for safeguarded function

VDI/VDE 2180: 1996, part 1, 2 and 5 Safeguarding of industrial processing plants by means of instrumentation and control technology

NE 31: 1993 NAMUR Recommendation

ANSI - ISA S84.01: 1996 (as applicable) Application of safety instrumented systems for the Process Industry

Burner Systems

EN 230: 1991, clause 7.3 Monobloc oil burners

EN 298: 2003 (clause 7.3, 8, 9 and 10) Automatic gas burner control systems for gas burners and gas burning appliances with or without fans

ENV 1954: 1996 (as applicable) Internal and external fault behavior of safety-related electronic parts of gas appliances

DIN VDE 0116: 1989, clause 8.7 Electrical equipment of furnaces


prEN 50156-1: 1997 (as applicable) Electrical equipment of furnaces

NFPA 85: 2004 Boiler and Combustion Systems Hazards Code

Fire Detection and Fire Alarm Systems

EN 54-2: 1997 Fire detection and fire alarm systems - Part 2: Control and indicating equipment

EN 54-4: 1997 Fire detection and fire alarm systems - Part 4: Power supply equipment

NFPA 72: 2002 National Fire Alarm Code


4 Results

4.1 Functional Safety

The tests performed and the quality assurance measures implemented by the manufacturer have shown that the SIMATIC S7 F/FH Systems, in conjunction with their system software, comply with the testing criteria specified in clause 3, subject to the conditions defined in clause 5 and its subsections, and are suitable for safety-related use in applications of requirement classes AK 1 to 6 in accordance with DIN V 19250:1994, categories 2 to 4 in accordance with EN 954, and safety integrity levels SIL 1 to 3 in accordance with IEC 61508, for intermittent or continuous operation, as well as for operation with or without continuous supervision, on condition that the "0 state" (closed-circuit principle) is defined as the safe state for the binary inputs and outputs.

4.1.1 Fault Reaction and Timing

Fault reactions of the F-CPU:

1. Faults in the cyclic communication between the F-CPU and the F-I/O input modules are detected by the F-CPU. Either '0' or configured substitute values are handed to the application program. A specific fault reaction must be implemented by the application program developer.

2. Faults in the cyclic communication between the F-CPU and the F-I/O output modules are detected by the F-DO. If a fault occurs, all outputs of the affected F-I/O are driven to '0'.

3. Faults in the cyclic communication between two F-CPUs are detected by the receiving F-CPU. If a fault occurs, the application program is notified and configured substitute values are handed to the receiving application program. A specific fault reaction must be implemented by the application program developer.

4. Faults within the safety data types, or within the data or control flow of the application program, lead to blocking of the cyclic transmissions to output modules and other F-CPUs, or to signaling of the fault to them. If a fault occurs, all outputs of the affected output modules are driven to '0' and the affected receiving F-CPUs use the configured substitute values.

5. Faults detected by the built-in self-test lead to blocking of the cyclic transmissions to output modules and other F-CPUs, or to signaling of the fault to them. If a fault occurs, all outputs of the affected output modules are driven to '0' and the affected receiving F-CPUs use the configured substitute values.

6. In the FH system structure one of the CPUs runs as master whereas the other CPU runs as standby. Faults in the master CPU detected by self-tests or other fault control mechanisms inside the CPU lead to a master changeover before the failure affects the F-DO. Faults in the standby CPU detected by self-tests or other fault control mechanisms inside the CPU lead to blocking of the master changeover before the failure affects the F-DO.


Fault reactions of the F-I/O:

Faults detected by the built-in self-test or diagnostics are either safely communicated to the application program or, in case communication is affected, detected as described in items 1 and 2 above. If the faulty module is an input module, the process data transmitted to the F-CPU is set to '0' for binary inputs and 7FFFH for analog inputs, either for all inputs or for the faulty inputs only. If the faulty module is an output module, all outputs or the faulty outputs are driven to '0'.

The fault tolerance period of the process controlled by the SIMATIC S7 F/FH Systems shall be greater than the worst-case response time, determined with the help of the Excel sheet S7ftime?xls (? is a letter for language coding).

The results of the concept and technical requirements analysis of the Profibus-based communication safety shell (Profisafe) are the subject of Evaluation Report PK55299T, revision 1.0 of 30 March 1999.
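The fault reactions above define what the application program actually sees when a module, a communication path or the CPU itself fails, and the reaction to those values is explicitly left to the application developer. The following is an added example, not part of the TÜV report and not Siemens' S7 F Systems code: a constructed Python model of the substitution rules in section 4.1.1 (binary input '0', analog input 7FFFH, outputs driven to '0', CPU-to-CPU substitutes) together with the fault tolerance condition of 4.1.1/5.1.4. All channel names, substitute values and timing figures are made up for illustration.

```python
# Added example, not part of the TÜV report or of Siemens' S7 F Systems software:
# a constructed model of the fault reactions listed in section 4.1.1 and of the
# timing condition in 4.1.1 / 5.1.4. Channel names, substitute values and timing
# figures are made up for illustration.
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

BINARY_SAFE_STATE = 0        # "0 state" (closed-circuit principle) is the safe state
ANALOG_FAULT_VALUE = 0x7FFF  # 7FFFH is handed to the F-CPU for a faulty analog input


@dataclass
class FInputModule:
    """Fail-safe input module as seen by the F-CPU (constructed model)."""
    binary: Dict[str, int]                                   # channel -> raw 0/1 value
    analog: Dict[str, int]                                   # channel -> raw measured value
    faulty_channels: Set[str] = field(default_factory=set)   # reported by diagnostics
    comm_fault: bool = False                                 # cyclic communication lost


def input_process_image(mod: FInputModule,
                        substitutes: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Process data handed to the application program.

    Communication fault (item 1): '0', or the configured substitute value where
    one exists. Channel fault reported by diagnostics: '0' for a binary input,
    7FFFH for an analog input.
    """
    substitutes = substitutes or {}
    image: Dict[str, int] = {}
    for ch, raw in mod.binary.items():
        if mod.comm_fault:
            image[ch] = substitutes.get(ch, BINARY_SAFE_STATE)
        else:
            image[ch] = BINARY_SAFE_STATE if ch in mod.faulty_channels else raw
    for ch, raw in mod.analog.items():
        if mod.comm_fault:
            image[ch] = substitutes.get(ch, BINARY_SAFE_STATE)
        else:
            image[ch] = ANALOG_FAULT_VALUE if ch in mod.faulty_channels else raw
    return image


def output_drive(requested: Dict[str, int], comm_fault: bool = False,
                 cpu_fault: bool = False,
                 faulty_channels: Iterable[str] = ()) -> Dict[str, int]:
    """Values the F-DO actually drives.

    Communication fault (item 2) or an application/self-test fault in the F-CPU
    (items 4 and 5): every output of the module is driven to '0'. A channel
    fault found by the module's own diagnostics: that channel is driven to '0'.
    """
    if comm_fault or cpu_fault:
        return {ch: BINARY_SAFE_STATE for ch in requested}
    faulty = set(faulty_channels)
    return {ch: (BINARY_SAFE_STATE if ch in faulty else v) for ch, v in requested.items()}


def cpu_to_cpu_receive(frame: Optional[Dict[str, int]],
                       substitutes: Dict[str, int]) -> Tuple[Dict[str, int], bool]:
    """Item 3: the receiving F-CPU gets (data, fault_flag); on a lost frame it
    is notified and hands the configured substitutes to its program."""
    if frame is None:
        return dict(substitutes), True
    return dict(frame), False


def application_trip_demand(image: Dict[str, int], analog_channels: Set[str],
                            high_limit: int) -> bool:
    """The report leaves the reaction to faulted values to the application
    developer. This constructed policy trips when a binary input is in the safe
    '0' state or an analog input reads 7FFFH or exceeds its limit, so the fault
    marker is never mistaken for a valid measurement."""
    for ch, v in image.items():
        if ch in analog_channels:
            if v == ANALOG_FAULT_VALUE or v > high_limit:
                return True
        elif v == BINARY_SAFE_STATE:
            return True
    return False


def timing_condition_met(process_fault_tolerance_ms: float,
                         worst_case_response_ms: float) -> bool:
    """4.1.1 / 5.1.4: the process fault tolerance period must exceed the
    system's worst-case response time (the report takes the latter from the
    S7ftime sheet; here it is simply an input)."""
    return process_fault_tolerance_ms > worst_case_response_ms


if __name__ == "__main__":
    pt = FInputModule(binary={"ESD_PB": 1}, analog={"PT_101": 1200},
                      faulty_channels={"PT_101"})
    img = input_process_image(pt)
    print(img, "trip:", application_trip_demand(img, {"PT_101"}, 4000))
    print(output_drive({"XV_1": 1, "XV_2": 1}, comm_fault=True))
    print("timing ok:", timing_condition_met(2000, 350))
```

The point of `application_trip_demand` is the one the report makes twice: a substituted '0' or a 7FFFH marker is data the program must interpret, and an application that compares 7FFFH against a high limit without first recognising it as a fault marker gets the reaction right only by accident.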

4.1.2 Application Development

The SIMATIC S7 F/FH Systems can treat and execute programmed safety and non-safety-related functions independently from each other at the same time. An intended safety function of the SIMATIC S7 F/FH Systems can be enforced either by application-programmed functions or by built-in fault reaction functions. Responsibility for the application-programmed safety function lies with the application program developer.

Acceptance of a programmed safety function requires complete functional testing. After that, complete functional testing is only necessary for changed parts of the programmed safety function.

Loading and changing of safety-related programs in the CPU require password authorization. Non-safety-related programs can be changed at any time without impact on the programmed and built-in safety functions of the SIMATIC S7 F/FH Systems.

4.1.3 Online loading of safety applications

In general, responsibility for monitoring the process during and after the on-line modification lies entirely with the organization and person responsible for the on-line modification. Since on-line modifications are generally associated with an increased level of risk, the approval of on-line modifications is at the discretion of the testing and inspection center responsible for approval of the system's application.

The procedure for on-line modifications and the existing restrictions are described in the manuals of the SIMATIC S7 F/FH Systems and S7 Distributed Safety documentation packages.

Loading of safety program changes and changes of safety-related constant parameters while the process is running in observed mode requires at least:


- off-line verification and/or

- simulation and/or

- online testing on a hot standby CPU and/or

- similar IEC 61508 compliant verification activities within a well defined modification procedure

of the changes prior to downloading them into the CPU controlling the safety-critical process.

4.1.4 Simulation of safety applications

Offline simulation of safety applications can be performed on a virtual CPU, emulated by an additional software package on either the programming station or the engineering station. If an online connection to a running safety system exists, the "safety mode" shall not be deactivated and the password-protected access to the S7-F-CPU shall not be granted.

4.2 Basic Safety and Electromagnetic Compatibility

4.2.1 Basic Safety

The tests of the electrical safety and the environmental stress tests executed by TÜV Product Service show that the standards specified in clause 3 are covered.

The tests performed and the quality assurance measures implemented by the manufacturer have shown that the SIMATIC S7 F/FH Systems comply with the testing criteria specified in clause 3, subject to the conditions defined in clause 5 and its subsections.

4.2.2 Electromagnetic Compatibility

The documentation of the electromagnetic compatibility tests executed by independent test laboratories has been reviewed for completeness. The testing executed has covered the requirements of the standards specified in clause 3.


4.3 Product Specific Quality Assurance and Control

All software and hardware components developed and manufactured in the course of the safety evaluation are governed by an ISO 9001 certified quality assurance and control system. Some older components have been developed under the manufacturer's internal quality procedures.

The European procedures for demonstrating conformity (93/465/EEC "Council Resolution of 22 July 1993 on the modules to be used in the technical harmonization directives for the various phases of conformity assessment procedures and the rules for attaching and using CE conformity marks") give similar significance to the type testing and to the manufacturer's quality assurance in production and product maintenance. As part of the certification process TÜV Product Service also performs a procedure that is tailored to the assessed product in order to assess the consistency of product quality while accounting for product modifications and their identifiability (follow-up service).


5 Implementation Conditions and Restrictions

The use of the SIMATIC S7 F/FH Systems shall comply with the current version of the Safety parts of the manuals of the SIMATIC S7 F/FH Systems and S7 Distributed Safety documentation packages, and the following implementation and installation requirements have to be followed if the SIMATIC S7 F/FH Systems are used in safety-related installations.

5.1 General application conditions

5.1.1. The guidelines specified in the user's manuals shall be followed. Specifically, the safety notes in the user's manuals shall be followed.

5.1.2. Only hardware modules certified for safety-related operation, as listed in the Annexes of this report, shall be used for safety-critical signals. Non-certified standard modules (defined as "interference-free") may be used for non-safety-critical signals only.

5.1.3. Only software modules listed in the Annexes of this report shall be used to process safety-critical data.

5.1.4. The fault tolerance period of the process controlled by the system shall be greater than the worst-case reaction time of the system, determined with the help of the Excel sheet s7ftime?xls (? is a letter for language coding).

5.1.5. A well defined shutdown procedure shall be specified.

5.1.6. Non-safety-related blocks in the application program shall not control or affect data used by any safety-critical block, unless via safety-related function blocks for data conversion and plausibility checks in the safety-related program.

5.1.7. Operator alarms as the exclusive means of shutdown are only permitted under supervised operation, and only if the fault tolerance time of the controlled process is sufficiently long to ensure a safe manual reaction and shutdown and the operator has sufficient independent means to supervise the process. Installations that must react to shutdown conditions quicker than achievable with manual intervention, or installations running unsupervised, shall incorporate an automatic fault reaction procedure.

5.1.8. The operating conditions as specified in the user manuals shall be met.

5.2 General commissioning conditions

5.2.1. Prior to commissioning, a complete functional test of all safety-relevant functions shall be performed. The programming of the application shall ensure that modules are small and self-contained, sufficient to permit full functional testing.

5.2.2. All timing requirements shall be validated, including fault detection time, fault reaction time, throughput delay for shutdown logic and cycle time.


5.2.3. Any application software modification after commissioning shall result in a re-validation of the entire application software system. The commissioning can be reduced if the change can be shown, by use of a revision checker, to be limited to a specific area of the program.

5.2.4. The proper fail-safe configuration of all safety-critical F-I/O shall be verified. Only configurations covered by the user's manual are covered by the certification.

5.3 General run-time conditions

5.3.1. Failed modules that are safety-related and in redundant configurations should be replaced as quickly as practical to minimize the probability of multiple fault accumulation and potential (safe) nuisance shutdown. As a maximum, failed modules should be replaced within the multiple fault occurrence time.

5.3.2. Application program modification during run-time should only be permitted under end-user responsibility.

5.3.3. The procedure described in the user manual has to be followed.

5.3.4. The application program modifications shall be limited and simple to verify and validate.

5.3.5. The modifications and their interaction with existing program sections shall be thoroughly tested, e.g. using simulation.

5.3.6. The modification shall be granted by the approval authority for the plant assessment.

5.3.7. Maintenance override is to be limited (time restriction and number) to logical points. The TÜV guidelines for maintenance overrides are to be followed. TÜV certification does not cover output override.

5.3.8. The use of F-Function Blocks for SIMATIC S7 F/FH Systems is only permitted if, for the specific target system (F or FH system), an official F-Copy License with the order number 6ES7 833-1CC00-6YX0 is available. The F-Copy License consists of:
- the F-Copy License contract
- the copy of the TÜV Certificate
- two labels to mark up the CPU (or CPUs on an FH system) of the used F-Copy License
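Condition 5.3.7 bounds maintenance overrides in two dimensions (how many logical points and for how long) and excludes output overrides entirely. The following is an added example, not from the report and not Siemens' code: a constructed Python gate that refuses any override on a point designated as an output, caps the number of concurrently overridden points and the duration of each, and lets overrides fall away on expiry when the process image is built. Point names, limits and timestamps are made up.

```python
# Added example, not from the TÜV report: a constructed maintenance-override gate
# enforcing the limits of 5.3.7 (bounded number of overridden logical points,
# each with a time restriction, and no override of outputs). Point names, limits
# and timestamps are made up.
from dataclasses import dataclass
from typing import Dict, Set


class OverrideRejected(Exception):
    """Raised when a requested override violates the configured limits."""


@dataclass
class Override:
    point: str
    forced_value: int
    expires_at: float     # seconds, same clock as the 'now' arguments below


class MaintenanceOverrides:
    def __init__(self, max_points: int, max_duration_s: float, output_points: Set[str]):
        self.max_points = max_points              # limit on number of overridden points
        self.max_duration_s = max_duration_s      # time restriction per override
        self.output_points = set(output_points)   # outputs may never be overridden
        self.active: Dict[str, Override] = {}

    def expire(self, now: float) -> None:
        """Drop overrides whose time restriction has run out."""
        self.active = {p: o for p, o in self.active.items() if o.expires_at > now}

    def request(self, point: str, value: int, now: float, duration_s: float) -> Override:
        """Grant an override or raise OverrideRejected with the reason."""
        if point in self.output_points:
            raise OverrideRejected(f"{point}: output override is not permitted")
        if duration_s <= 0 or duration_s > self.max_duration_s:
            raise OverrideRejected(f"{point}: duration {duration_s}s outside the time limit")
        self.expire(now)
        if point not in self.active and len(self.active) >= self.max_points:
            raise OverrideRejected(f"{point}: {self.max_points} points already overridden")
        ov = Override(point, value, now + duration_s)
        self.active[point] = ov
        return ov

    def release(self, point: str) -> None:
        """Remove an override before it expires."""
        self.active.pop(point, None)

    def apply(self, image: Dict[str, int], now: float) -> Dict[str, int]:
        """Process image with active overrides substituted; expired ones are ignored."""
        self.expire(now)
        return {p: (self.active[p].forced_value if p in self.active else v)
                for p, v in image.items()}


if __name__ == "__main__":
    mo = MaintenanceOverrides(max_points=2, max_duration_s=3600, output_points={"XV_1"})
    mo.request("LSH_201", 1, now=0, duration_s=1800)
    print(mo.apply({"LSH_201": 0, "XV_1": 1}, now=100))
    print(mo.apply({"LSH_201": 0, "XV_1": 1}, now=1800))
```

Keeping the expiry check inside `apply` rather than in a separate housekeeping task means a forgotten override cannot outlive its time restriction just because nobody came back to release it.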

5.4 Product-Related conditions

5.4.1. The Safety Protector allows the use of fail-safe modules in combination with standard modules. The purpose of the Safety Protector is to isolate the fail-safe modules from overvoltages up to a maximum of 250 Volt AC/DC caused by non-safety-related standard modules. No field voltage higher than 250 V is allowed.


6 Certificate Number

This report specifies technical details and implementation conditions required for the application of the Safety-Related Programmable Systems SIMATIC S7 F/FH Systems by Siemens AG to the certificate:

Z2 03 04 38282 002

Munich, 28. September 2007

[signature] Technical Certifier


Annex 1 of the Report on the

Certificate

Z2 03 04 38282 002

Safety-Related Programmable Systems

SIMATIC S7 F/FH Systems (formerly SIMATIC S7-400F and S7-400FH)

Manufacturer:

Siemens AG
Werner-von-Siemens Str. 50
D-92224 Amberg

Report No.: 10042360-A1, Revision 2.17, dated 2008-09-19

Testing Body:

TÜV SÜD Automotive GmbH, Electronics Safety
Ridlerstraße 57
D-80339 München

Accredited Testing Body for Functional Safety

Dissemination, distribution, copying or any other use of information in this Annex of the report in part is strictly prohibited


Revision Log

Version | Name | Date | Changes/History

1.1 | P. Müller | 18.12.2000 | Initial

1.2 | P. Müller | 18.09.2001 | Separator module has been added
    Version of Option Package S7 F Systems
    Version of F_R_R
    Version of F_R_BO
    Version of F_CH_AI

1.3 | P. Müller | 15.11.2001 | Section 2.2, comment has been added

1.4 | P. Müller | 08.02.2002 | Version of Option Package S7 F Systems
    Version of F_F_TRIG
    Version of F_R_TRIG
    Version of F-SM added

1.5 | A. Beer | 22.07.2002 | Integration of a Revision Log
    Version of SM 326 DO 10 x DC24V/2A
    Version of SM 326 DI 24 x DC24V

1.6 | A. Beer | 02.12.2002 | Firmware version of SM 326 DO 10 x DC24V/2A

1.7 | A. Beer | 25.04.2003 | 4/8 F-DI DC24V, 4 F-DO DC24V/2A, PM-E F DC24V, PM-D F DC24V added
    Section 2.2 deleted
    Table of section 1
    New software versions added

1.8 | A. Beer | 13.10.2003 | Certification number, Version of SM 326, DO 10 x DC24V/2A deleted

1.9 | A. Beer | 25.11.2003 | Version of SM 326, DO 10 x DC24V/2A added

2.0 | A. Beer | 03.03.2004 | Added new CPU FW version with EOC RAM option; added new Version of SM 326, DO 10 x DC24V/2A.

2.1 | A. Beer | 16.12.2004 | Added new ET200S modules for use in S7 F/FH:
    6ES7 148-3FA00-0XB0
    6ES7 138-4CF01-0AB0
    6ES7 138-4CF40-0AB0
    Added new FB for V5.2, SP1 in section 2.1.3
    Added signature changes for FB for V5.2, SP1 in section 2.1.4

TÜV SÜD Automotive GmbH, Electronics Safety, Ridlerstraße 57, D-80339 München; Phone: ++49 89 5791-1393; Fax: -4438; Report No. 10042360-A1, Revision 2.17; P. Weiß, 2008-09-19; Page 2 of 20


Version | Name | Date | Changes/History

2.2 | A. Beer | 28.02.2005 | 4/8 F-DI DC24V, 4 F-DO DC24V/2A, SM 326, DO 8 x DC24V/2A, CPU 417-4H and CPU 414-4H added

2.3 | F. Rauch | 30.06.2005 | Added new F-FBs for V5.2 SP2 (Safety Data Write) in section 2.1.5
    RESTRICTION: "Safety Data Write" handling of Boolean parameters shall not be used with the OCX Faceplate of S7 F Systems HMI V5.2, which is part of the optional package S7 F Systems V5.2+SP2. F_CH_BO shall be used with the associated OCX of S7 F Systems HMI V5.2+SP3 or higher only.

2.4 | F. Rauch, J. Blum | 30.11.2005 | Modules added:
    SM326, DI 24 x DC24V, 6ES7 326-1BK01-0AB0
    4/8 F-DI DC24V, 6ES7 138-4FA02-0AB0
    4 F-DO DC24V/2A, 6ES7 138-4FB02-0AB0
    PM-E F DC24V, 6ES7 138-4CF02-0AB0
    PM-E F DC24V, 6ES7 138-4CF41-0AB0
    PM-D F DC24V, 3RK1 903-3BA01
    Release number of:
    SM 326, DI 24 x DC24V, 6ES7 326-1BK00-0AB0
    SM 326, DI 8 x NAMUR, 6ES7 326-1RF00-0AB0
    SM 326, DO 10 x DC24V/2A, 6ES7 326-2BF01-0AB0
    SM 336, AI 6 x 13 Bit, 6ES7 336-1HE00-0AB0
    PM-E F DC24V, 6ES7 138-4CF01-0AB0
    PM-E F DC24V, 6ES7 138-4CF40-0AB0

2.5 | A. Beer | 19.01.2006 | Release number of:
    SM 336, AI 6 x 13 Bit, 6ES7 336-1HE00-0AB0
    SM 326, DO 8 x DC24V/2A PM, 6ES7 326-2BF40-0AB0
    ET200eco 4/8 F-DI, 6ES7 148-3FA00-0XB0

2.6 | F. Rauch | 20.02.2006 | Added new F-FBs for V5.2 SP4 in section 2.1.6
    Correction of signature of F-FBs


Version | Name | Date | Changes/History

2.7 | A. Beer | 31.03.2006 | Release number of:
    ET200S-F-Modul PM-E F pm, 6ES7 138-4CF02-0AB0

2.8 | A. Beer | 23.06.2006 | Release number of:
    SM 326 DO 10 x DC24V/2A, 6ES7 326-2BF01-0AB0

2.9 | A. Beer | 11.08.2006 | Module added:
    • ET200S 1F-RO DC24V/5A, AC24..230V/5A (6ES7 138-4FR00-0AA0)

2.10 | M. Rau | 09.01.2007 | Module added:
    • ET200S 4/8 F-DI DC24V (6ES7 138-4FA03-0AB0)
    Release Number of:
    • ET200S 4 F-DO DC24V/2A (6ES7 138-4FB02-0AB0)
    • ET200S PM-E F pp DC24V (6ES7 138-4CF41-0AB0)
    • ET200S PM-D F DC24V (3RK1903-3BA01)

2.11 | P. Weiß | 14.08.2007 | Modules added:
    • ET200S 4F-DI/3F-DO DC24V (6ES7 138-4FC00-0AB0)
    • ET200pro-F 8/16 F-DI DC24V (6ES7 148-4FA00-0AB0)
    • ET200pro-F 4/8 F-DI DC24V / 4 F-DO DC24V/2A (6ES7 148-4FC00-0AB0)
    • ET200pro F-Switch (6ES7 148-4FS00-0AB0)
    New version V6.0 of Option Package S7 F Systems (S7 F Systems Lib V1_3) added

2.12 | P. Weiß | 28.09.2007 | F-CPUs added:
    • CPU 417-4H (6ES7 417-4HT14-0AB0)
    • CPU 414-4H (6ES7 414-4HM14-0AB0)
    • CPU 412-3H (6ES7 412-3HJ14-0AB0)

2.13 | M. Rau | 04.04.2008 | Version V5.5 SP4 of S7 ConfigurationPack added
    Module added:
    • SM336, F-AI 6 x 0/4..20 mA HART (6ES7 336-4GE00-0AB0)


Version | Name | Date | Changes/History

2.14 | M. Rau | 26.06.2008 | Version of ET200eco 4/8 F-DI 6ES7 148-3FA00-0XB0
    Remark 6) ET200M SM 326, DI 8 x NAMUR 6ES7 326-1RF00-0AB0

2.15 | Jürgen Blum | 14.08.2008 | Release Number of:
    • SM 326 DO 10 x DC24V/2A (6ES7 326-2BF01-0AB0)

2.16 | Jürgen Blum | 22.08.2008 | Version V5.5 SP5 of S7 ConfigurationPack added

2.17 | Jürgen Blum | 19.09.2008 | Modules added:
    • ET200S 4/8 F-DI DC24V (6ES7 138-4FA04-0AB0)
    • ET200S 4 F-DO DC24V/2A (6ES7 138-4FB03-0AB0)
    • ET200S PM-E F pm DC24V (6ES7 138-4CF03-0AB0)
    • ET200S PM-E F pp DC24V (6ES7 138-4CF42-0AB0)
    Release Number of:
    • ET200S 1F-RO DC24V/5A, AC24..230V/5A (6ES7 138-4FR00-0AA0)


Safety-Certified and Interference-Free Components

1 Hardware and Firmware Components

The following system components are certified 'safety-related'. This allows the components to be used to process safety-critical signals and functions:

Module | Order Number | Release Number | Module Description

CPUs:

CPU 417-4H 3) | 6ES7 417-4HT14-0AB0 | 1 or higher | CPU which is suitable for safety-related applications by using a fail-safe application program.

CPU 417-4H 3) | 6ES7 417-4HL04-0AB0 ¹ | 1 or higher | CPU which is suitable for safety-related applications by using a fail-safe application program.

CPU 414-4H 3) | 6ES7 414-4HM14-0AB0 | 1 or higher | CPU which is suitable for safety-related applications by using a fail-safe application program.

CPU 414-4H 3) | 6ES7 414-4HJ04-0AB0 ¹ | 1 or higher | CPU which is suitable for safety-related applications by using a fail-safe application program.

CPU 412-3H 3) | 6ES7 412-3HJ14-0AB0 | 1 or higher | CPU which is suitable for safety-related applications by using a fail-safe application program.

Signal Modules S7-300:

SM 326, DI 24 x DC24V | 6ES7 326-1BK01-0AB0 | 02 | 24 channel digital input module 24VDC

SM 326, DI 24 x DC24V | 6ES7 326-1BK00-0AB0 | 01 to 07 | 24 channel digital input module 24VDC

¹ Unlike the values given in earlier versions of the user manuals, the average probability of failure on demand is 1,9E-04 and the probability of a dangerous failure per hour is 4,3E-09.


SM 326, DI 8 x NAMUR 6) | 6ES7 326-1RF00-0AB0 | 01 to 06 | 8 channel NAMUR digital input module for intrinsically-safe sensors

SM 326, DO 10 x DC24V/2A | 6ES7 326-2BF01-0AB0 | 01 to 06 | 10 channel digital output module 24VDC/2A, P-switch

SM 326, DO 10 x DC24V/2A | 6ES7 326-2BF00-0AB0 | 01 to 03, 07 | 10 channel digital output module 24VDC/2A, P-switch

SM 326, DO 8 x DC24V/2A PM | 6ES7 326-2BF40-0AB0 | 01 1), 02 | 8 channel digital output module 24VDC/2A, P/M-switch

SM 336, AI 6 x 13 Bit | 6ES7 336-1HE00-0AB0 | 01 to 06 | 6 channel analog input module

SM 336, F-AI 6 x 0/4..20 mA HART | 6ES7 336-4GE00-0AB0 | 01 / V1.0.1 | 6 channel analog input module, HART

Safety Protector | 6ES7 195-7KF00-0XA0 | 01 to 03 | safety protector protects the fail-safe signal modules from possible overvoltage

Modules ET 200S:

4/8 F-DI DC24V | 6ES7 138-4FA04-0AB0 1) | 01 | 4/8 channel digital input module 24VDC

4/8 F-DI DC24V | 6ES7 138-4FA03-0AB0 1) | 01 | 4/8 channel digital input module 24VDC

4/8 F-DI DC24V | 6ES7 138-4FA02-0AB0 | 01 | 4/8 channel digital input module 24VDC

4/8 F-DI DC24V | 6ES7 138-4FA01-0AB0 | 01 | 4/8 channel digital input module 24VDC


4/8 F-DI DC24V | 6ES7 138-4FA00-0AB0 | 01 to 03 | 4/8 channel digital input module 24VDC

4 F-DO DC24V/2A | 6ES7 138-4FB03-0AB0 | 01 | 4 channel digital output module 24VDC/2A; P/M switch

4 F-DO DC24V/2A | 6ES7 138-4FB02-0AB0 | 01 to 02 | 4 channel digital output module 24VDC/2A; P/M switch

4 F-DO DC24V/2A | 6ES7 138-4FB01-0AB0 | 01 | 4 channel digital output module 24VDC/2A; P/M switch

4 F-DO DC24V/2A | 6ES7 138-4FB00-0AB0 | 01 to 03 | 4 channel digital output module 24VDC/2A; P/M switch

4F-DI/3F-DO | 6ES7 138-4FC00-0AB0 4) | 01 | 4 channel digital input / 3 channel digital output module 24VDC/2A

1F-RO DC24V/5A, AC24...230V/5A 5) | 6ES7 138-4FR00-0AA0 | 01 to 02 | 1 channel digital relay output module DC24V/5A, AC24..230V/5A

PM-E F pm DC24V | 6ES7 138-4CF03-0AB0 | 01 | Power module 24VDC; P/M switch

PM-E F pm DC24V | 6ES7 138-4CF02-0AB0 | 01 to 02 | Power module 24VDC; P/M switch

PM-E F pm DC24V | 6ES7 138-4CF01-0AB0 | 01 to 02 | Power module 24VDC; P/M switch

PM-E F pm DC24V | 6ES7 138-4CF00-0AB0 | 01 to 04 | Power module 24VDC; P/M switch


PM-E F pp DC24V | 6ES7 138-4CF42-0AB0 | 01 | Power module 24VDC; P/P switch

PM-E F pp DC24V | 6ES7 138-4CF41-0AB0 | 01 to 02 | Power module 24VDC; P/P switch

PM-E F pp DC24V | 6ES7 138-4CF40-0AB0 | 01 to 03 | Power module 24VDC; P/P switch

PM-D F DC24V | 3RK1903-3BA01 | 01 to 02 | Power module 24VDC for failsafe motor starters

PM-D F DC24V | 3RK1903-3BA00 | 04 | Power module 24VDC for failsafe motor starters

Modules ET 200eco:

4/8 F-DI DC24V | 6ES7 148-3FA00-0XB0 2) | 01 to 04 | 4/8 channel digital input module 24VDC

Modules ET 200pro:

8/16 F-DI DC24V | 6ES7 148-4FA00-0AB0 2) | 01 to 03 | 8/16 channel digital input module 24VDC

4/8 F-DI/4 F-DO DC24V/2A | 6ES7 148-4FC00-0AB0 2) | 01 to 03 | 4/8 channel digital input 24VDC and 4 channel digital output module 24VDC/2A P-/M-switch (combined)

F-Switch | 6ES7 148-4FS00-0AB0 2) | 01 | 2 channel digital input 24VDC and 3 channel digital P-/P-switch module 24VDC (combined)

1) No certification according to EN 298:2003, ENV 1954

2) EN 298:2003 fulfilled with the exception of the permissible environmental temperature of -25 to +55 degrees centigrade (instead of 0 to +60 degrees centigrade)

3) The sinusoidal vibration service conditions do not comply with the increased requirements of IEC 61131 2nd Ed. The requirements of IEC 61131-2:1992 are fulfilled.

4) Classified SIL 2 in accordance with IEC 61508 and CAT 3 in accordance with EN 954, and no certification according to EN 298


5) EN 50178:1997; in contrast to all other modules, which have overvoltage category III, the 1 channel digital relay output module DC24V/5A, AC24..230V/5A fulfills the requirements of overvoltage category II.

6) The requirement of EN 298:2003 is fulfilled only with shielded signal cables

Remark: For the I/O modules EN 298:2003 is fulfilled with external surge protection; see the related manuals.

All other components of the S7-400 and S7-300 family are 'interference-free' and allowed to be used; however, they are not certified for process safety-critical signals and functions. Using these components does not interfere with the proper functioning of the safety-related modules.

For details on architectural, configuration and implementation requirements please refer to the Siemens manuals of the SIMATIC S7 F/FH Systems documentation package.


2 Safety-Relevant Software Components

2.1 Option Package S7 F Systems

S7 F Systems V6.0 consists of the following certified installation units:

S7 F Systems (Engineering Tool) V6.0

S7 F Systems Lib V1.3 | S7 F Systems Lib (V1_3)

S7 F Systems HMI V5.2 + SP3

S7 F ConfigurationPack V5.5 + SP3, V5.4 + SP1

S7 F Systems V6.0 is also certified in combination with:

S7 F Library V1.2 + SPx | Failsafe Blocks (V1_2)

S7 F Library V1.1 | Failsafe Blocks (V1_1)

S7 F ConfigurationPack V5.5 + SP5, V5.5 + SP4

S7 F Systems V5.2 + SPx is certified in combination with:

S7 F Library V1.2 + SPx | Failsafe Blocks (V1_2)

S7 F Library V1.1 | Failsafe Blocks (V1_1)

S7 F ConfigurationPack V5.5 + SPx, V5.4 + SPx, V5.3 + SPx, V5.2 + SPx

2.1.1 S7 F Systems Lib (V1_3)

F-FB | Function | Signature | Initial Value Signature

OB_INIT | F-Control block | N/A | N/A
OB_RES | F-Control block | N/A | N/A
F_1oo2AI | F-User block | 0130 | 0CE3
F_1oo2_R | F-User block | 0A53 | AA5A
F_2OUT3 | F-User block | 340E | 079F
F_2oo3AI | F-User block | 4580 | CE7E
F_2oo3DI | F-User block | 5323 | 04A0
F_2oo3_R | F-User block | AB9F | 112C
F_ABS_R | F-User block | 7E90 | 4885


F_ADD_R | F-User block | 0FBF | B10F
F_AND4 | F-User block | 89B0 | 6837
F_AVEX_R | F-User block | E570 | 9470
F_BO_FBO | F-User block | 27AB | 870A
F_CHG_BO | F-User block 1) | 0042 | E5F2
F_CHG_R | F-User block | E4C0 | 50B5
F_CHG_WS | F-Control block | N/A | N/A
F_CH_AI | F-User block | 0846 | 3A31
F_CH_BI | F-User block | E888 | 5FA7
F_CH_BO | F-User block | A8C7 | A5E4
F_CH_DI | F-User block | 3119 | EA57
F_CH_DO | F-User block | F967 | 4F58
F_CMP_R | F-User block | 689A | 602E
F_CTUD | F-User block | 609B | 188C
F_CYC_CO | F-Control block | 7010 | 424E
F_DIAG | F-Control block | 40FC | 00F4
F_DIV_R | F-User block | 43F6 | C0B8
F_FBO_BO | F-User block | N/A | N/A
F_FI_FR | F-User block | 672A | 9F0E
F_FI_I | F-User block | N/A | N/A
F_FR_FI | F-User block | 2B3C | B269
F_FR_R | F-User block | N/A | N/A
F_FTI_TI | F-User block | N/A | N/A
F_F_TRIG | F-User block | 75E7 | 8F11
F_I_FI | F-User block | 4871 | 870A
F_LIM_HL | F-User block | A43A | 1E14
F_LIM_I | F-User block | 4845 | 409B
F_LIM_LL | F-User block | 1451 | 1E14
F_LIM_R | F-User block | B300 | 3957
F_LIM_TI | F-User block | 6E64 | 680C
F_MAX3_R | F-User block | C14F | F93F
F_MID3_R | F-User block | EC2C | EA98
F_MIN3_R | F-User block | 0007 | E12A
F_MOV_R | F-User block | 652F | C02B
F_MOVRWS | F-Control block | N/A | N/A
F_MUL_R | F-User block | AA0F | B10F
F_MUX16R | F-User block | AF74 | EEFE


F_MUX2_R | F-User block | BFE3 | 9CB1
F_NOT | F-User block | 9C08 | 0006
F_OR4 | F-User block | 50CA | 6B42
F_PA_AI | F-User block | 8409 | B5A7
F_PA_DI | F-User block | 2FC7 | E4F2
F_PLK | F-Control block | C005 | A650
F_PLK_O | F-Control block | 45F2 | 7B78
F_PS_12 | F-Control block | A56A | B87A
F_PS_MIX | F-Control block | A087 | N/A
F_PSG_M | F-User block | N/A | N/A
F_QUITES | F-User block | 797A | B027
F_RCVBO | F-User block | 004B | 8360
F_RCVR | F-User block | 3209 | B103
F_RDS_BO | F-User block | 4389 | E009
F_REPCYC | F-User block | 8F66 | 61F4
F_ROT | F-User block | 7ECA | 73F0
F_RS_FF | F-User block | 6257 | B560
F_R_BO | F-User block | CC9E | E882
F_R_FR | F-User block | 4278 | 6BCE
F_R_R | F-User block | AC9C | 237E
F_R_TRIG | F-User block | BFC8 | 8F11
F_SDS_BO | F-User block | C804 | 662A
F_SENDBO | F-User block | 8063 | 5812
F_SENDR | F-User block | 2FE2 | 678B
F_SHUTDN | F-Control block | N/A | N/A
F_SMP_AV | F-User block | 5659 | EE0A
F_SQRT | F-User block | E621 | 6B0F
F_SR_FF | F-User block | 9EBE | B560
F_START | F-User block | 5791 | 2151
F_SUB_R | F-User block | E217 | B10F
F_S_BO | F-User block | 5905 | 1110
F_S_R | F-User block | 7394 | 1FC2
F_TEST | F-Control block | EC5F | EB03
F_TESTC | F-Control block | 680A | 38BA
F_TESTM | F-Control block | 8B5A | 9A74
F_TI_FTI | F-User block | A060 | 6BCE


F-FB Function Signature Initial ValueSignature

F_TOF F-User block E45B 22F6F_TON F-User block 380A 22F6F TP F-User block E671 22F6F_VFSTP1 F-Control block N/A N/AF_VFSTP2 F-Control block N/A N/AF XOR2 F-User block 6040 069AFyOUTY F-User block 68AO 68BERTGLOGIC F-Control block N/A N/A

1) RESTRICTION: "Safety Data Write" handling of Boolean parameters shall not be used with the OCX Faceplate of S7 F Systems HMI V5.2, which is part of the optional package S7 F Systems V5.2+SP2. F_CH_BO shall be used with the associated OCX of S7 F Systems HMI V5.2+SP3 or higher only.

2.1.2 Failsafe Blocks (V1_2)

F-FB            Function         Signature         Initial Value Signature
OB_INIT         F-Control block  N/A               N/A
OB_RES          F-Control block  N/A               N/A
F_1oo2_R        F-User block     0100              6717 1) / 2E06
F_2OUT3         F-User block     340E              079F
F_2oo3_R        F-User block     FC09              3043 1) / 36CB
F_ABS_R         F-User block     7E90              4885
F_ADD_R         F-User block     B495              B10F
F_AND4          F-User block     89BO              6837
F_AVEX_R        F-User block     BE40              1CB3
F_BO_FBO        F-User block     27AB              870A
F_CHG_BO 4) 6)  F-User block     0042              E5F2
F_CHG_R 4)      F-User block     E4CO              50B5
F_CHG_WS 4)     F-Control block  N/A               N/A
F_CH_BI         F-User block     8F67 / 741E 2)    0784 / 804B 2)
F_CH_DI         F-User block     2346 / A47F 2)    F504 / EC21 2)
F_CH_DO         F-User block     EOB9 / 92C1 2)    07FO / OA68 2)


F_CTUD          F-User block     EF97              F701
F_CYC_CO        F-Control block  E895              6769
F_DIV_R         F-User block     07A8              COB8
F_FBO_BO        F-User block     N/A               N/A
F_FI_FR 3)      F-User block     672A              9FOE
F_FI_I          F-User block     N/A               N/A
F_FR_R          F-User block     N/A               N/A
F_FTI_TI        F-User block     N/A               N/A
F_F_TRIG        F-User block     75E7              8F11
F_I_FI          F-User block     4871              870A
F_LIM_HL        F-User block     5116              7656
F_LIM_I         F-User block     OBOC              F4F9
F_LIM_LL        F-User block     AF69              7656
F_LIM_R         F-User block     4017              B4BE
F_LIM_TI        F-User block     3ABB              7CAB
F_M_AI6         F-User block     AF64 / 1E41 2)    ECOO / 0818 2)
F_M_DI24        F-User block     EB16 / F887 2)    1FE2 / 2EAC 2)
F_M_DI8         F-User block     8FA4 / 5078 2)    9022 / 940C 2)
F_M_DO10        F-User block     22E8 / 6CA7 2)    EB44 / 4A6E 2)
F_M_DO8         F-User block     7337 / 86EF 2)    3B1F / B024 2)
F_MAX3_R        F-User block     780B              5833
F_MID3_R        F-User block     0596              6ACF
F_MIN3_R        F-User block     551B              2950
F_MPA_I 5)      F-User block     F001              381B
F_MUL_R         F-User block     360C              B10F
F_MUX2_R        F-User block     70EO              5B43
F_NOT           F-User block     9C08              0006
F_OR4           F-User block     50CA              6B42
F_PA_AI 5)      F-User block     9046              14F5
F_PA_DI 5)      F-User block     BC04              9564


F_PLK           F-Control block  A234              5FAO
F_PLK_O         F-Control block  0690              834C
F_PSG_M 3)      F-User block     N/A               N/A
F_QUITES        F-User block     B433              B027
F_RCVBO         F-User block     A2B9              DCF4
F_RCVR          F-User block     B854              14C1
F_RS_FF         F-User block     3A1A              069A
F_R_BO          F-User block     6CE1              B9A5
F_R_FR          F-User block     4278              6BCE
F_R_R           F-User block     64A1              543A
F_R_TRIG        F-User block     BFC8              8F11
F_SENDBO        F-User block     E223              F301
F_SENDR         F-User block     7B16              5B90
F_SHUTDN        F-Control block  N/A               N/A
F_SMP_AV        F-User block     9024              9COF
F_SQRT          F-User block     593F              COOB
F_SR_FF         F-User block     61BC              069A
F_START         F-User block     5791              2151
F_SUB_R         F-User block     5C35              B10F
F_S_BO          F-User block     F353              1110
F_S_R           F-User block     372C              1FC2
F_TEST          F-Control block  5B60              38AF
F_TESTC         F-Control block  5A93              08M
F_TESTM         F-Control block  2983              BE02
F_TI_FTI        F-User block     A060              6BCE
F_TOF           F-User block     31A9              7CFC
F_TON           F-User block     F8E5              7CFC
F_TP            F-User block     6400              7CFC
F_XOR2          F-User block     6040              069A
F_XOUTY         F-User block     6A1C              C510
FAIL_MSG        F-Control block  N/A               N/A
RTGLOGIC        F-Control block  N/A               N/A

1) displayed in S7 F Systems up to V5.2 SP3, if these F-FBs are the only F-FBs in a S7 program
2) signature of F-FB in S7 F Library V1.2 + SP1 or higher
3) F-FB added in S7 F Library V1.2 + SP1
4) F-FB added in S7 F Library V1.2 + SP2
5) F-FB added in S7 F Library V1.2 + SP4
6) RESTRICTION: "Safety Data Write" handling of Boolean parameters shall not be used with the OCX Faceplate of S7 F Systems HMI V5.2, which is part of the optional package S7 F Systems V5.2+SP2. F_CH_BO shall be used with the associated OCX of S7 F Systems HMI V5.2+SP3 or higher only.


Attention! Contrary to the Siemens S7 user's manual "Programmable Controllers S7 F/FH Systems" (Edition 2/2003), the F_FR_FI function block of S7 F Library V1.2 is NOT certified for safety applications and shall NOT be used to process safety critical data.

2.1.3 Failsafe Blocks (V1_1)

F-FB            Function         Signature         Initial Value Signature
DB_RES          F-Control block  N/A               N/A
F_2OUT3         F-User block     34DE              D79F
F_ABS_R         F-User block     7E9D              4885
F_ADD_R         F-User block     643F              206C
F_AND4          F-User block     89BO              6837
F_AVEX_R        F-User block     9926              8CE8
F_BO_FBO        F-User block     27AB              87DA
F_CH_AI **      F-User block     296D or AA4F      C540
F_CH_DI         F-User block     E41B              F504
F_CH_DO         F-User block     6E6A              18CF
F_CTUD          F-User block     9928              F7D1
F_CYC_CO        F-Control block  3263              CB5D
F_DIV_R         F-User block     9CF2              4A67
F_F_TRIG **     F-User block     75E7              2000 obs) or 8F11 HF1)
F_FBO_BO        F-User block     N/A               N/A
F_FI_I          F-User block     N/A               N/A
F_FR_R          F-User block     N/A               N/A
F_FTI_TI        F-User block     N/A               N/A
F_I_FI          F-User block     4871              87DA
F_LIM_HL        F-User block     435E              CB3F
F_LIM_I         F-User block     5219              F4F9
F_LIM_LL        F-User block     FB73              CB3F
F_LIM_R         F-User block     C92F              OA10
F_LIM_TI        F-User block     13AO              7CAB


F-FB            Function         Signature         Initial Value Signature
F_M_AI6         F-User block     3CC4              75CF
F_M_DI24        F-User block     70A1              0091
F_M_DI8         F-User block     4996              6400
F_M_DO10        F-User block     A89E              EE4E
F_MAX3_R        F-User block     AEA9              9A67
F_MID3_R        F-User block     5422              6A94
F_MIN3_R        F-User block     A524              31E1
F_MUL_R         F-User block     B7AC              206C
F_MUX2_R        F-User block     5911              5B43
F_NOT           F-User block     9C08              0006
F_OR4           F-User block     50CA              6B42
F_PLK           F-Control block  E5B4              02F9
F_PLK_O         F-Control block  53BE              3E43
F_QUITES        F-User block     89EC              B027
F_R_BO **       F-User block     3E82 or 0775      B9A5
F_R_FR          F-User block     6E03              6BCE
F_R_R **        F-User block     6C69 or 6F8F      543A
F_R_TRIG **     F-User block     3E5E              2000 obs) or 8F11 HF1)
F_RCVBO         F-User block     6FFB              OCF4
F_RCVR          F-User block     F6F3              14C1
F_RS_FF         F-User block     5A81              069A
F_S_BO          F-User block     CC75              1110
F_S_R           F-User block     0897              1FC2
F_SENDBO        F-User block     B204              F301
F_SENDR         F-User block     3BA4              5B90
F_SMP_AV        F-User block     FB42              5B98
F_SQRT          F-User block     C412              8950
F_SR_FF         F-User block     7F12              069A
F_START         F-User block     5791              2151
F_SUB_R         F-User block     46B5              206C
F_TEST          F-Control block  0774              A04B


F-FB            Function         Signature         Initial Value Signature
F_TESTC         F-Control block  E7ES              711C
F_TESTM         F-Control block  29S3              BED2
F_TI_FTI        F-User block     A06D              6BCE
F_TOF           F-User block     FS99              7CFC
F_TON           F-User block     DD31              7CFC
F_TP            F-User block     D60S              7CFC
F_XOR2          F-User block     6D4D              069A
F_XOUTY         F-User block     5FS6              C51D
F_IN_D24 *)     F-User block     903C              7A60
F_IN_D8 *)      F-User block     CCCF              6AS1
F_OU_D10 *)     F-User block     E93D              9FED

*) These F-FBs are not included in Option Package S7 F Systems V5.1. They are delivered to customers of Option Package S7 F Systems V5.0 on request.

**) The certified F-FB has two valid signatures.

obs) These F-FBs are included in Option Package S7 F Systems V5.1. They may cause a wrong overall signature and problems starting the CPU. Thus it is recommended to use the FBs delivered with the V5.1+SP1+HF1.

HF1) These F-FBs are included in Option Package S7 F Systems V5.1+SP1+HF1. It is delivered to customers of Option Package S7 F Systems V5.1 on request.

The Option Package S7 F Systems V5.1 may be used together with F-FBs with version number 1.0 of Option Package S7 F Systems V5.0 listed in Revision 1.0 of this Annex. However, mixing of version 1.0 and version 2.0 F-FBs in the same program is not possible.
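The signature tables above are only useful if somebody actually compares them against the blocks present in a safety program. The following is an added example, not part of the TÜV annex and not a Siemens tool, of such an integrity check: every F-FB found in a program must match one of the certified (signature, initial-value signature) pairs for the library version in use, a block may legitimately have more than one valid pair (the "**" rows), and F-FBs of version 1.0 and 2.0 must not be mixed in one program. The certified list, the F-FB version attribute and the sample program are constructed placeholders; the real signatures are the ones printed in the tables for the library version actually installed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FoundBlock:
    """An F-FB instance as read from the program under review (constructed format)."""
    name: str
    signature: str        # block signature, 4 hex digits
    init_signature: str   # initial-value signature, 4 hex digits
    fb_version: str       # F-FB version number, e.g. "1.0" or "2.0"


# Constructed certified list with PLACEHOLDER values (not the annex's own numbers):
# library version -> block name -> set of valid (signature, init_signature) pairs.
# A block with more than one pair models the "**" rows (two valid signatures).
CERTIFIED: Dict[str, Dict[str, Set[Tuple[str, str]]]] = {
    "V1_1": {
        "F_NOT":  {("1111", "2222")},
        "F_OR4":  {("3333", "4444")},
        "F_R_BO": {("5555", "6666"), ("7777", "6666")},
    },
    "V1_2": {
        "F_NOT":  {("1111", "2222")},
        "F_OR4":  {("3333", "4444")},
        "F_R_BO": {("8888", "6666")},
    },
}


def verify_block(block: FoundBlock, lib_version: str) -> str:
    """Return 'ok', 'not certified' (block absent from the list for this library
    version) or 'signature mismatch'. Both signatures must match one certified
    pair; a partial match is still a mismatch."""
    valid = CERTIFIED.get(lib_version, {}).get(block.name)
    if valid is None:
        return "not certified"
    pair = (block.signature.upper(), block.init_signature.upper())
    return "ok" if pair in valid else "signature mismatch"


def verify_program(blocks: List[FoundBlock], lib_version: str) -> Dict[str, List[str]]:
    """Check every block plus the program-wide version-mixing rule.
    Returns block name -> list of findings; the key '*program*' carries
    program-wide findings. An empty dict means the program passed."""
    findings: Dict[str, List[str]] = {}
    for b in blocks:
        status = verify_block(b, lib_version)
        if status != "ok":
            findings.setdefault(b.name, []).append(status)
    versions = {b.fb_version for b in blocks}
    if {"1.0", "2.0"} <= versions:
        findings.setdefault("*program*", []).append(
            "F-FBs of version 1.0 and 2.0 mixed in one program")
    return findings


# Constructed sample program: a good block, a block using its second valid pair,
# a block whose initial-value signature was altered, and an uncertified block
# that also drags a version-1.0 F-FB into a version-2.0 program.
SAMPLE_PROGRAM = [
    FoundBlock("F_NOT", "1111", "2222", "2.0"),
    FoundBlock("F_R_BO", "7777", "6666", "2.0"),
    FoundBlock("F_OR4", "3333", "4445", "2.0"),
    FoundBlock("F_FR_FI", "9999", "9999", "1.0"),
]

if __name__ == "__main__":
    for name, problems in verify_program(SAMPLE_PROGRAM, "V1_1").items():
        print(f"{name}: {', '.join(problems)}")
```

The check is deliberately strict: an unknown block is reported rather than ignored, because a block that is not in the certified list (F_FR_FI of Library V1.2 in the note above is the page's own case) must not silently pass.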


3 Non-Safety Relevant Software Components

Function                               Version
CPU 417-4H (6ES7 417-4HL01-0AB0)       Firmware V2.1.x, where x=0 or higher, only in combination with S7 F Library V1_1
CPU 417-4H (6ES7 417-4HL01-0AB0)       Firmware V3.1.0 or higher
CPU 417-4H (6ES7 417-4HL01-0AB0)       Firmware V3.11.x, where x=3 or higher, in combination with EDC RAM module 6ES7 955-2AM10-0AA0
CPU 417-4H (6ES7 417-4HL04-0AB0)       Firmware V4.0.3 or higher
CPU 417-4H (6ES7 417-4HT14-0AB0)       Firmware V4.5.0 or higher
CPU 414-4H (6ES7 414-4HJ00-0AB0)       Firmware V2.1.x, where x=0 or higher, only in combination with S7 F Library V1_1
CPU 414-4H (6ES7 414-4HJ00-0AB0)       Firmware V3.1.0 or higher
CPU 414-4H (6ES7 414-4HJ04-0AB0)       Firmware V4.0.3 or higher
CPU 414-4H (6ES7 414-4HM14-0AB0)       Firmware V4.5.0 or higher
CPU 412-3H (6ES7 412-3HJ14-0AB0)       Firmware V4.5.0 or higher
CFC 1)                                 V5.2 or higher
STEP 7 1)                              V5.2 or higher

1) Further restrictions specific to modules or versions of the optional package S7 F Systems can be found in the corresponding user documentation.

Munich, 2008-09-19

Jürgen Blum, Technical Certifier


APPENDIX – F System Hardware Datasheets

1. PCS7 Engineering System (ES)
2. Automation System (S7-414FH)
3. ET-200M F-I/O Subsystem
4. Failsafe Analog Input Module (SM336-4GE00-0AB0)
5. Failsafe Digital Input Module (SM326-1BK01-0AB0)
6. Failsafe Digital Output Module (SM326-2BF01-0AB0)
7. Pepperl & Fuchs, Power Feed Module
8. Pepperl & Fuchs, AI (IS), Single Channel
9. Pepperl & Fuchs, DI (IS), Single Channel
10. Phoenix Contact Power Supply Units
11. Phoenix Contact Relays

Operator system

Introduction

5/2 Siemens ST PCS 7 · March 2007


■ Overview

User interface of the OS process control system with freely positionable windows

The operator system of the SIMATIC PCS 7 process control system permits user-friendly and secure execution of the process by the operating personnel. The operator can observe the process sequence by means of various views and intervene to control the system when necessary.

The operator system architecture is extremely variable and can be flexibly adapted to different plant architectures and customer requirements.

The basis is formed by perfectly coordinated operator stations for single-user systems (OS single stations) and for multi-user systems with client/server architecture.

The system software of the operator stations is available in different levels based on the number of process objects (PO) used:
• 250, 1000, 2000, 3000 or 5000 POs per OS single station
• 250, 1000, 2000, 3000, 5000 or 8500 POs per OS server (with client/server architecture)

The number of POs for an operator station can be increased up to 5000 (OS single station) or 8500 (OS server) at any time by means of PowerPacks to allow for higher requirements or system expansions.

■ Benefits

• Flexible, modular architecture with scalable hardware and software components for single-user and multi-user systems
• High-performance operator stations based on standard PC technology with Microsoft Windows XP Professional / Server 2003, can be used in office or industrial environments
• Client/server multi-user systems with up to 12 OS servers/pairs of servers, each for 8500 process objects (PO) and up to 32 OS clients per server/pair of servers
• High-performance archive system based on Microsoft SQL Server with cyclic archives and integral data backup, optionally with long-term archiving via StoragePlus/central archive server (CAS)
• OS health check for monitoring important server applications
• Integration of modifications without interrupting runtime operations, and online testing through selective loading of redundant servers
• Optimized AS/OS communication: data transmission only following change in data, independent of AS reply cycle; suppression of nuisance alarms
• User-friendly process control and high operational reliability, also in conjunction with multi-screen technology
• Extended status displays through combination of status and analog values with alarm information
• Alarm suppression during startup or on malfunction of a sensor/actuator
• Dynamic or manual hiding of visual and acoustic alarms that are unimportant depending on the plant status, e.g. during plant startup (however, all messages are recorded and archived); with manual hiding, the duration until display takes place again can be set.
• Alarm priorities as additional attribute for filtering important messages
• Central user management, access control, electronic signature
• Sign-of-life monitoring for subordinate systems connected to the plant bus
• System-wide time synchronization based on UTC (Universal Time Coordinated)

© Siemens AG 2007


Engineering system
ES software

Standard engineering software

4/5 Siemens ST PCS 7 · March 2007

■ Overview

The standard engineering software provides the basic functionality for configuration of SIMATIC PCS 7 plants with automation systems, process I/Os, communications networks, operator systems and SIMATIC BATCH.

Licensing of the standard engineering software depends on use of the engineering station as:
• a classical, exclusive engineering station (not suitable for productive operation as an operator station), or as
• a combined engineering/operator station for small applications (suitable for productive operation as an operator station).

Classical, exclusive engineering station with unlimited number of process objects (POs)

Three software versions with unlimited POs are available for the classical engineering station:
• AS/OS - for engineering of automation systems (AS) and operator systems (OS)
• OS - only for OS engineering
• AS - only for AS engineering

With the OS and AS/OS software versions, the OS configuration can be tested in an OS test mode limited to 2 hours. This OS test mode is not suitable for productive operation. After 2 hours, the engineering station automatically switches to demonstration mode.

The AS/OS software version is additionally upgraded by adding an AS runtime license for 600 POs.

By means of a Rental License limited to 30 days for AS engineering or OS engineering (unlimited POs in each case), a cost-effective alternative is offered for short-term projects or short-term capacity bottlenecks.

Combined engineering/operator station for small applications (scalable POs)

To support compact process control plants, an ES/OS software combination of limited volume is offered with 250, 1,000 or 2,000 POs. In addition to the engineering licenses, these "All-in-one Licenses" also contain runtime licenses for AS and OS with the corresponding volumes.

PowerPacks enable further expansion of the volume:
• from 250 POs to 1,000 POs,
• from 1,000 to 2,000 POs (in each case including AS/OS runtime license) and
• from 2,000 POs to unlimited POs (only with OS runtime license).

■ Function

Essential tools of the standard engineering software and their functions:

SIMATIC Logon

Together with the versatile recording facilities provided by the modification logbook, SIMATIC Logon, the user administration and access control function used in the engineering system, offers plant owners exceptional system support when complying with FDA requirements.

Using SIMATIC Logon, the administrator can assign specific access privileges to groups of users, thus controlling the possibilities for data access. Operator interventions in the engineering system as well as all online modifications which affect the automation systems, operator systems, SIMATIC BATCH or SIMATIC Route Control can be recorded in the modification reports.

If the modification reports are linked to the data of SIMATIC Logon during evaluation, it can be clearly proven who has carried out a specific modification and at what time.
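The attribution described in the paragraph above is a join between two records: a logon session (who, on which station, from when to when) and a modification entry (what was changed, where and when). The following is an added example, not Siemens code and not the format of SIMATIC Logon or the modification logbook, that performs that join on constructed records. Its one deliberate edge case is a modification logged at a time when no session covered the station: such an entry is reported as unattributed rather than dropped, because a change nobody can be tied to is exactly what an auditor needs to see.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LogonSession:
    """One logon session record (constructed format, not SIMATIC Logon's own)."""
    user: str
    station: str
    login: datetime
    logout: Optional[datetime]   # None: session still open at evaluation time


@dataclass(frozen=True)
class Modification:
    """One modification-report entry (constructed format)."""
    time: datetime
    station: str
    target: str                  # object that was changed, e.g. a CFC chart
    description: str


def session_for(mod: Modification, sessions: List[LogonSession]) -> Optional[LogonSession]:
    """Return the session on the same station whose half-open interval
    [login, logout) covers the modification time, or None if no session does.
    A logout at exactly the modification time does not count as logged on."""
    for s in sessions:
        if s.station != mod.station:
            continue
        if s.login <= mod.time and (s.logout is None or mod.time < s.logout):
            return s
    return None


def attribute_modifications(mods: List[Modification],
                            sessions: List[LogonSession]) -> List[Dict[str, str]]:
    """Join every modification to a logon session, ordered by time.
    Entries that no session covers keep the marker user 'UNATTRIBUTED'."""
    report: List[Dict[str, str]] = []
    for m in sorted(mods, key=lambda x: x.time):
        s = session_for(m, sessions)
        report.append({
            "time": m.time.isoformat(sep=" "),
            "station": m.station,
            "target": m.target,
            "description": m.description,
            "user": s.user if s else "UNATTRIBUTED",
        })
    return report


def unattributed(report: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The entries an auditor has to follow up on."""
    return [r for r in report if r["user"] == "UNATTRIBUTED"]


# Constructed sample data: two engineering stations, three sessions, four changes.
T = datetime
SESSIONS = [
    LogonSession("engineer1", "ES01", T(2008, 9, 19, 8, 0), T(2008, 9, 19, 12, 0)),
    LogonSession("engineer2", "ES01", T(2008, 9, 19, 13, 0), None),
    LogonSession("engineer1", "ES02", T(2008, 9, 19, 9, 30), T(2008, 9, 19, 10, 0)),
]
MODIFICATIONS = [
    Modification(T(2008, 9, 19, 9, 15), "ES01", "AS1/CFC/Chart_P01", "setpoint limit changed"),
    Modification(T(2008, 9, 19, 12, 30), "ES01", "AS1/CFC/Chart_P01", "interlock removed"),
    Modification(T(2008, 9, 19, 14, 5), "ES01", "OS/Picture_Main", "block symbol added"),
    Modification(T(2008, 9, 19, 9, 45), "ES02", "AS2/SFC/Seq_Start", "transition edited"),
]

if __name__ == "__main__":
    for row in attribute_modifications(MODIFICATIONS, SESSIONS):
        print(f"{row['time']}  {row['station']}  {row['user']:<14}  {row['target']}: {row['description']}")
```

The second entry (12:30 on ES01) falls between engineer1's logout at 12:00 and engineer2's login at 13:00, so it comes out as UNATTRIBUTED; in a real evaluation that is the entry to investigate, not to discard.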

SIMATIC Manager

The SIMATIC Manager is the control center for engineering of the SIMATIC PCS 7 process control system. All aspects of the SIMATIC PCS 7 project are created, managed, archived and documented here. The tools for engineering of the hardware components, communication and application software are also called from here.

The hardware required for use in a SIMATIC project, such as automation systems, communications components and process I/O, is stored in an electronic catalog. The hardware is configured and parameterized using the HW-Config tool.

To create the automation logic, standardized function blocks are combined with one another in the graphic configuration tool CFC according to technological specifications. Predefined blocks (process tag types) or charts (example solutions) can be used for this purpose simply by selecting them from a catalog and then positioning, graphically interconnecting and parameterizing them in the working area. No detailed programming knowledge is required; users can completely concentrate on the technological aspects of configuration. The process tag data relevant to operation and monitoring, such as messages and variables, are generated at the same time as configuration of the automation functions.

Sequential controls permit control and selective processing of the basic automation functions created per CFC by means of changes in operating mode and status. Powerful test and commissioning functions for the graphic configuration and commissioning of sequential controls are offered by the SFC editor.

Complete SIMATIC PCS 7 projects or all project modifications can be compiled in one working step and downloaded to the target systems involved, e.g. automation systems, operator system or SIMATIC BATCH. The engineering system automatically ensures that the sequence is correct. The procedure is displayed and controlled in a central dialog.

Selective configuration modifications can be downloaded online to the corresponding target systems. Short turnaround times result in short waiting times for the commissioning engineer, and have a favorable effect on the commissioning costs. Program modifications relevant to automation systems can be initially debugged in a test system prior to downloading to the target system of the running plant.


Multi-project engineering

Multi-project engineering permits division of a large complex project into several subprojects in accordance with technological criteria in order to allow several teams to work on the project in parallel. To achieve this, a host "Multi-project" is defined in the SIMATIC Manager. Individual (sub)projects can be inserted into or removed from a multi-project at any time. Similarly, projects can be divided or combined (Branch & Merge).

Central configuration functions for multi-projects help to reduce the configuration overhead. For example, a hierarchy folder can be created in the current project and also automatically in all other projects. It cannot be modified there, but objects can be inserted. All block types used in a multi-project can also be updated centrally.

The (sub)projects belonging to a multi-project are saved on a central server and can be sent to local engineering stations for editing. The engineering performance is then not affected by network access.

Branch & Merge

Branch & Merge supports the division and combination of projects from the technological viewpoint.

Charts or plant units can be copied into another project and edited there. Interconnections which are not specific to a project, typically for interlocking, become text interconnections. When merging, charts with the same name are overwritten in the original object, and text interconnections – even those which you have entered yourself – can be closed by pressing a button.

Project views

The SIMATIC Manager supports the various tasks for creating a plant project by means of the following project views:
• Component view (HW-Config) for configuration of hardware such as automation systems, bus components or process I/O

Component view: hardware configuration in the SIMATIC Manager with HW-Config

• Process object view as the central development environment for all aspects of process tags/objects

The process object view of the SIMATIC Manager supports the work of a process engineer by providing a universal view of the process tag. It shows the technological hierarchy of the plant (presented in tree form) in combination with a tabular view of all aspects of the process tag/object (general data, parameters, signals, messages, image objects and measured value archives). This provides the technologist with fast orientation.

All objects in the marked branch of the hierarchy are displayed in the table so that they can be directly processed with user-friendly edit, filter, replace, import and export functions. A special test mode offers the facility for testing process tags and CFCs online and for starting them up.

The OS areas and the image hierarchy for process control, as well as the SIMATIC PCS 7 asset management, can be derived from the technological hierarchy. Furthermore, it also forms the basis for the plant-oriented identification of process objects.

Common displays can be positioned in pictures by means of the image hierarchy, and automatically linked to subordinate images. The configuration engineer is only responsible for the correct positioning. Since the number of common display fields and their semantics can be configured, it is also possible to implement customized alarm configurations.

Using the process object view, "Smart Alarm Hiding" can also be configured. This refers to the dynamic hiding of alarms of blocks technologically grouped in a plant unit that, depending on the operating state of this plant unit, are of less importance, e.g. startup, servicing etc. By checking various option boxes in the alarm matrix of the process object view, you can define the show/hide status of the alarms individually for as many as 32 operating states. Although hidden alarms are not signaled visually and audibly, they are still logged and archived as before.

Process object view


Continuous function chart (CFC)

The CFC editor is the tool for graphical configuration and commissioning of continuous automation functions. Preengineered function blocks can be positioned, configured and interconnected within CFCs with the support of powerful autorouting and integral configuration of HMI messages. Special configuration techniques such as chart-in-chart for implementing hierarchical plans or the multiple usage of chart block types (chart compiled as block type) or SFC types (standardized sequential controls) in the form of instances offer an additional rationalization potential.

When creating a new CFC, a new runtime group with the same name as the chart is created. All the blocks that are subsequently entered in the chart are automatically added to this runtime group. Each block is therefore already assigned runtime properties when inserting, and these properties can be optimized by means of modifications in the runtime editor or by using algorithms.

The algorithm first determines the optimum block sequence separately for each runtime group, and then the optimum sequence of runtime groups.

In addition to convenient editing functions, the scope of CFC functions also includes powerful test and commissioning functions as well as individually configurable documentation functions.

Continuous function chart

Sequential function chart (SFC)

The SFC editor is used for the graphical configuration and commissioning of sequential controls for batch production operations. It possesses convenient editing functions as well as powerful test and commissioning functions.

Using a sequential control, basic automation functions usually created using CFC are controlled and selectively processed by means of changes in operating mode and status. Depending on the subsequent use, the sequential controls can be created either as an SFC plan or an SFC type.

SFC plan

The SFC plan can be used to implement sequential controls which can be applied once and which access several partial areas of the production plant. Each SFC plan contains standardized inputs and outputs for status information and for control by the user program or the user. The SFC plan can be positioned and linked as a block in the CFC. The required CFC block connections are selected by simple operations and connected to the steps or transitions of the step chains. An ISA 88-conform status manager enables the configuration of up to 8 separate sequence chains within a single SFC, e.g. for states such as HOLDING or ABORTING, for SAFE STATE or for different operating modes.

SFC type

SFC types are standardized sequential controls which can be applied repeatedly and which access one partial area of the production plant. They can be organized in libraries, and handled like normal function blocks, i.e. they can be selected from a catalog and positioned, interconnected and parameterized as an instance in a CFC plan.

Changes to the original automatically result in corresponding changes in all instances. An SFC type may contain up to 32 sequences. Using the function "Create/update block symbols", a block symbol is automatically positioned and interconnected in the associated process display for all SFC instances with HMI features.

Sequential function chart


I&C libraries

Preconfigured and tested blocks, faceplates and symbols are organized in I&C libraries and form the basic elements for the graphic configuration of automation solutions. The use of these library elements plays a major role in minimizing the engineering input and project costs.

The comprehensive range of blocks includes simple logic and driver blocks, technological blocks with integral alarming and HMI features such as PID controllers, motors or valves, and also blocks for the integration of PROFIBUS field devices according to the PROFIBUS PA profile 3.0 (including standardized evaluation of the process value status).

Examples of editable OS standard displays (faceplates) from the PCS 7 library

PID Tuner

The PID Tuner is a function integrated in the CFC for optimization of the CTRL_PID and CTRL_S software controllers. The optimum parameters for a control loop can then be determined for PID, PI and P control modes in defined steps.

The tool is suitable for optimizing controlled systems with or without an integral component. Optimization can be carried out in manual or automatic mode. The transient response of the controllers with the determined parameters can be checked by defining jumps. The controller parameters can be saved, and recalled as required.

During determination of the controller parameters, the typical controller values (actual value, setpoint, manipulated variable) are recorded by a trend function.

Graphics designer and faceplate designer

The project data for the engineering of the operator systems are organized with the SIMATIC Manager. All the data relevant to operation and monitoring of a process tag, such as messages and HMI variables, are generated automatically during definition of the automation function. A powerful graphics designer is available for the generation of process displays.

In addition to the standard faceplates, the faceplate designer is used to simply generate customized faceplates for operation and monitoring of process tags or plant components. Block symbols can be conveniently interconnected to process tags using Drag & Drop.

DOCPRO

DOCPRO is a tool for effective generation and management of plant documentation in accordance with defined standards. DOCPRO permits you to structure your project data in any manner, to process them in the form of standardized circuit manuals, and to print them in a uniform layout. You can incorporate your own cover sheets, layouts, graphics, logos or title block data. It is easy to control printing, i.e. you can specifically output individual parts of the project or all project data on the printer.


Automation systems

Safety-related automation systems

10/11 Siemens ST PCS 7 · March 2007

■ Overview

Safety-related automation systems are used for critical applications where a fault could endanger life or result in damage to the plant or the environment. These F/FH systems, frequently referred to as "fail-safe automation systems", detect both faults in the process and their own internal faults in association with the safety-related F modules of the ET 200 distributed I/O systems or fail-safe transmitters connected directly via the fieldbus. They automatically transfer the plant to a safe state in the event of a fault.

The safety-related SIMATIC PCS 7 automation systems are based on the hardware of the AS 414H and AS 417H automation systems which has been expanded by safety functions by means of the S7 F Systems software package. Two design versions are available:
• Single-channel AS 414F or AS 417F (with one CPU, safety-related)
• Fault-tolerant AS 414FH or AS 417FH (with two redundant CPUs, safety-related and fault-tolerant)

All F/FH systems listed are TÜV-certified and comply with the safety requirements up to SIL 3 according to IEC 61508.

In the systems with multitasking capability, several programs can be executed simultaneously in one CPU – basic process control (BPCS) applications or also safety-related applications. The programs are without feedback, i.e. faults in BPCS applications have no effect on safety-related applications, and vice versa. Special tasks with very short response times can also be implemented.

The redundant FH systems operating according to the 1-out-of-2 principle consist of two subsystems of identical design. These are electrically isolated from each other to achieve optimum EMC, and are synchronized with each other via fiber-optic cables. A bumpless switchover is made from the active subsystem to the standby subsystem in the event of a fault. The two subsystems can be present in the same rack or separated by up to 10 km. The spatial separation provides additional security in the case of extreme influences in the environment of the active subsystem, e.g. resulting from a fire.

The redundancy of the FH systems is only used to increase the availability. It is not relevant to processing of the safety functions and the associated fault detection.


■ Design

Design versions for safety-related systems

In general, two design versions are differentiated across all ar-chitectural levels of a system based on Safety Integrated for Pro-cess Automation:• Single-channel, non-redundant design• Redundant, fault-tolerant design

These two design versions are very variable and offer a wide scope for design with regard to different customer requirements. Standard (basic process control) and safety-related functions can be combined flexibly, not only in the area of the distributed I/O. Even at the controller level, they can be combined in one system or kept separate. In addition, there are numerous possibilities arising from the use of flexible modular redundancy.

At the individual architectural levels (controller, fieldbus, distributed I/O) the configuration alternatives shown in the figure are available depending on the distributed I/O used (ET 200M and ET 200S remote I/O stations or PROFIBUS PA devices according to Profile 3.0).

[Figure: configuration alternatives at the controller, fieldbus and distributed I/O levels. Labels in the figure: single-channel, non-redundant configuration (AS 414F/AS 417F) and redundant, high-availability and fault-tolerant configuration (AS 414FH/AS 417FH); PROFIBUS DP; distributed I/O (ET 200M, ET 200S) with F-modules, F- and standard modules, or standard modules; Flexible Modular Redundancy at module or device level; module or channel redundancy over several separate stations; Y-Link; DP/PA Link and DP/PA Link with redundant DP/PA couplers; active field distributors/splitters; PROFIBUS PA; direct fieldbus interfacing.]


■ Function

Safety functions

The safety functions of an application are implemented by the safety-related program executed in the CPU of the F/FH systems together with the safety-related F-modules of the ET 200 distributed I/O systems or directly by failsafe transmitters connected via the fieldbus.

The PROFIsafe profile is used for the safe PROFIBUS DP communication between CPU and process I/O. PROFIsafe expands the message frames by additional information with which the PROFIsafe communications partners can recognize and compensate transmission errors such as delays, incorrect sequences, repetitions, losses, faulty addressing or data falsification.
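As an added illustration of the error classes listed above (this is not Siemens code and not the real PROFIsafe frame layout or CRC), the following constructed Python receiver wraps process data in a simplified safety frame of destination address, consecutive number and CRC and shows which check catches each fault class. The frame format, the 500 ms monitoring time, the use of CRC-32 and all sample frames are assumptions made for the example:

```python
"""Simplified safety-layer receiver illustrating the error classes a
PROFIsafe-style protocol must detect on top of an unreliable 'black
channel'. Constructed example: NOT the real PROFIsafe frame format or CRC."""
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

WATCHDOG_MS = 500          # assumed monitoring time for this example
SAFE_STATE = b"\x00\x00"   # substitute value: all outputs de-energized


def build_frame(addr: int, seq: int, payload: bytes) -> bytes:
    """Frame = addr(2) | consecutive number(1) | payload | CRC-32(4).
    zlib's CRC-32 stands in for the protocol-specific CRC."""
    body = struct.pack(">HB", addr, seq & 0xFF) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


@dataclass
class SafetyReceiver:
    my_addr: int
    expected_seq: int = 0
    last_seq: Optional[int] = None
    last_rx_ms: int = 0
    fault: Optional[str] = None     # set once; the receiver latches fail-safe

    def _trip(self, reason: str) -> Optional[bytes]:
        self.fault = reason
        return None

    def receive(self, frame: bytes, now_ms: int) -> Optional[bytes]:
        """Return the process data if the frame passes every check,
        otherwise record the fault and return None (fail-safe)."""
        if self.fault is not None:
            return None
        if len(frame) < 7:
            return self._trip("data falsification (truncated)")
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        # 1. Integrity first: no header field is trusted until the CRC passes.
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return self._trip("data falsification (CRC)")
        addr, seq = struct.unpack(">HB", body[:3])
        # 2. Faulty addressing: a frame meant for another F-device.
        if addr != self.my_addr:
            return self._trip("faulty addressing")
        # 3. Delay: the monitoring time since the last good frame has elapsed.
        if now_ms - self.last_rx_ms > WATCHDOG_MS:
            return self._trip("delay (watchdog expired)")
        # 4./5. Repetition versus loss/incorrect sequence, via the consecutive number.
        if seq == self.last_seq:
            return self._trip("repetition")
        if seq != self.expected_seq:
            return self._trip("loss or incorrect sequence")
        self.last_seq = seq
        self.expected_seq = (seq + 1) & 0xFF
        self.last_rx_ms = now_ms
        return body[3:]

    def outputs(self, frame: bytes, now_ms: int) -> bytes:
        """What the output channel drives: process data, or the substitute value."""
        data = self.receive(frame, now_ms)
        return SAFE_STATE if data is None else data


# Constructed sample traffic for a receiver with address 0x0101.
ADDR = 0x0101
F = [build_frame(ADDR, i, bytes([0x01, i])) for i in range(3)]
tampered = bytearray(F[1])
tampered[3] ^= 0x80   # flip one bit in the payload of frame 1

SCENARIOS = {
    "good":       [(F[0], 0), (F[1], 100), (F[2], 200)],
    "repetition": [(F[0], 0), (F[1], 100), (F[1], 200)],
    "loss":       [(F[0], 0), (F[2], 100)],
    "delay":      [(F[0], 0), (F[1], 900)],
    "wrong_addr": [(build_frame(0x0202, 0, b"\x01\x00"), 0)],
    "falsified":  [(F[0], 0), (bytes(tampered), 100)],
}


def run(scenario: str):
    """Feed one scenario to a fresh receiver; return (outputs, fault)."""
    rx = SafetyReceiver(my_addr=ADDR)
    outs = [rx.outputs(frame, t) for frame, t in SCENARIOS[scenario]]
    return outs, rx.fault


def demo() -> dict:
    """Map each scenario name to the fault the receiver recorded (None if accepted)."""
    return {name: run(name)[1] for name in SCENARIOS}


if __name__ == "__main__":
    for name, fault in demo().items():
        print(f"{name:11s} -> {fault or 'accepted'}")
```

The order of the checks is the point worth noting: the CRC is verified before any header field is acted on, and every failed check latches the receiver so that the output channel keeps driving the substitute value until the fault is cleared, rather than resuming on the next good frame.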

Standard modules can be used in F/FH systems in addition to safety-related F-modules - mixed in a remote I/O station or in separate stations, in a common PROFIBUS segment or in separate PROFIBUS segments. Basic process control (BPCS) applications and safety applications can be automated in such mixed configurations with one and the same system and configured with uniform standard tools.

One CPU processes BPCS and safety functions in parallel. Mutual interference during processing is prevented by ensuring that the BPCS programs and the safety-related programs are kept strictly separate and that the data exchange is by means of special conversion function blocks. The safety functions are processed twice in different sections of a CPU by means of redundant, diverse instruction processing. Potential errors are detected by the system during the subsequent comparison of results.

The S7 F Systems engineering tool as a component of the SIMATIC Manager allows parameterization of the F/FH systems and the safety-related F-modules from the ET 200 series. It supports configuration by means of functions for:
• Comparison of safety-related F-programs
• Recognition of changes in the F-program using the checksum
• Separation of safety-related and standard functions.

Access to the F-functions can be password-protected.

The F-block library integrated in S7 F Systems contains predefined function blocks for generation of safety-related applications with the CFC or the SIMATIC Safety Matrix based on it. The certified F-blocks are extremely robust and intercept programming errors such as division by zero or out-of-range values. They avoid the need for diverse programming tasks for detecting and reacting to errors.

■ Options

Ordering information

An AS 414H or AS 417H system is required as the hardware for a safety-related automation system.

The following H systems can be used depending on the type and structure of the safety-related automation system:
• For single-channel AS 414F or AS 417F safety-related systems: one AS 414-1H or AS 417-1H each
• For fault-tolerant and safety-related AS 414FH or AS 417FH systems:
  - With both subsystems in one rack: one AS 414-2H or AS 417-2H each
  - With the two subsystems in different racks: two AS 414-1H or AS 417-1H each

You require the following components in addition:
• S7 F Systems: F programming tool with F block library for programming safety-related user programs on the engineering system (see Section "Engineering system")
• F Runtime license: for processing safety-related user programs, for one AS 414F/FH or AS 417F/FH system
• Option: SIMATIC Safety Matrix, the convenient safety lifecycle tool for configuration of operation and servicing (see Section "Engineering system")

■ Selection and Ordering Data Order No.

F-Runtime license
For processing safety-related application programs, for one AS 414F/FH or AS 417F/FH system
Order No.: 6ES7 833-1CC00-6YX0

AS 414F/FH and AS 417F/FH engineering (see Chapter "Engineering system")

S7 F Systems V5.2
F programming tool with F block library for programming safety-related user programs on the engineering system, comprising F program software and function block library, single license, 2 languages (German, English). Type of delivery: Certificate of license and authorization diskette; software and electronic documentation on CD
Order No.: 6ES7 833-1CC00-0YX0


Process I/O: ET 200M distributed I/O

Introduction


■ Overview

Within the ET 200 range, ET 200M represents the main series of distributed I/O systems for process control applications with SIMATIC PCS 7.

The ET 200M has a versatile range of I/O modules of S7-300 design, including ones with special I&C functions.
• Standard analog and digital modules
• Redundant I/O modules (DI 16 x DC 24 V, with diagnostics capability; DO 32 x DC 24 V/0.5 A; AI 8 x 12 bit)
• I/O modules with enhanced diagnostics capability
• Ex I/O modules
• Controller and counter modules
• HART modules
• F-modules for safety-related applications

When using active bus modules, faulty I/O modules can be replaced while the plant is in operation (RUN) without influencing adjacent modules (hot swapping function).

The following actions are possible with the automation system in RUN:
• Addition of new modules within a station
• Reparameterization of modules
• Addition of ET 200M stations

The connected HART field devices can be parameterized using SIMATIC PDM.

Note: Apart from these selected modules it is also possible to use - with limitations in functions - all other I/O modules from the current range of S7-300 signal modules.

■ Design

An ET 200M remote I/O station comprises
• 1 or 2 (redundant) power supply modules (can be omitted in the case of a central 24 V DC supply for the plant),
• 1 or 2 (redundant) IM 153 interface modules for connection via PROFIBUS DP with transmission rates of up to 12 Mbit/s, as well as
• up to 8 I/O modules for connection of sensors/actuators.

All I/O modules have optical electrical isolation from the backplane bus. Up to 8 modules can be connected to an interface module. The interface modules can also have a redundant design if required.

In addition to the standard SIMATIC S7 I/O modules, special I/O modules with diagnostics capability offer the following functions, among others:

• Channel-based diagnostics, e.g. open-circuit, short-circuit, limit violations
• Internal module monitoring, e.g. parameterization error, RAM error, tripped fuse
• Flutter monitoring for sensors
• Pulse stretching
• Output of a selectable substitute value on failure of the central processing unit

In the event of a fault, the modules with diagnostics capability automatically pass on the corresponding message to the operator station, permitting fast and simple troubleshooting.

The ET 200M can be used in standard environments and also in Ex zones 2 and 22. The actuators/sensors can be positioned in Ex zones 1 and 21 when suitable Ex input/output modules are used. Hot swapping of I/O modules within Ex zone 2 and 22 is allowed with the right permit (e.g. fire certificate).

■ Technical specifications

You can find detailed technical data on the ET 200M and S7-300 I/O modules
• in Catalog ST 70 or
• in the Mall / Catalog CA 01 under "Industrial automation systems / Controllers / SIMATIC S7"

■ Options

SIPLUS extreme range for extended temperature ranges and corrosive environments

The "standard" properties of an individual device or system are often insufficient for harsh environmental conditions, applications in corrosive environments or extreme temperature ranges. Depending on the location of use, the result could be limitations in functionality or operational safety or even total failure of the plant.

The SIPLUS extreme range offers individually adapted standard products which permit retention of the functionality of your plant or process even under extreme conditions of use. These include:
• Ambient temperature range from -25 °C to +60/+70 °C
• Condensation, high humidity
• Increased mechanical stress
• Extreme loading by media, e.g. toxic atmospheres
• Voltage ranges deviating from the standard
• Increased degree of protection (dust, water)

You can find a summary of the available range of products classified according to their special properties on the Internet. The corresponding SIPLUS product is assigned there to the standard product. Note: SIPLUS products are also included in the Catalog ST 70.

Additional information is available on the Internet at:

http://www.siemens.com/siplus


Interface module


■ Overview

An IM 153-2 High Feature interface module is needed to connect the ET 200M to the PROFIBUS DP fieldbus. It supports the following functions:
• HART configuring of intelligent field devices,
• configuration of ET 200M I/Os in RUN mode of the automation system,
• connection to redundant AS 414H / AS 417H automation systems,
• use of ET 200M function modules (controller and counter modules).

This interface module is also available in a fiberoptic (FO) version for connecting to an optical PROFIBUS.

Note: Additional plastic fiberoptic cables and an assembly set for Simplex connectors are required in order to use the IM 153-2 FO (see "Plastic fiberoptic cables" in the Section "Communications/PROFIBUS"). In order to use the hot swapping function, you must also use the active bus module and the profile rail for hot swapping (see following Section "Accessories").

B) Subject to export regulations: AL: N, ECCN: EAR99H

■ Selection and Ordering Data Order No.

IM 153-2 High Feature
Slave interface module for connection of an ET 200M to PROFIBUS DP, with time stamp (accuracy 1 ms), support of HART functionality, F modules, FM modules, "Configuration in RUN" function; also for use in redundant systems
Order No.: 6ES7 153-2BA01-0XB0

IM 153-2 FO High Feature
Slave interface module for connection of an ET 200M to optical PROFIBUS DP; support of HART functionality, F modules, FM modules, "Configuration in RUN" function; also for use in redundant systems
Order No.: 6ES7 153-2BB00-0XB0 B)


Bundles


■ Overview

The following preassembled bundles are available for the ET 200M:
• I/O subsystem ZuS for ET 200M with hot swapping function, comprising
  - DIN rail for active bus modules,
  - PS/IM bus module and
  - IM 153-2 High Feature bus interface module
• IM 153 redundancy bundle: comprising two IM 153-2 High Feature bus modules and one active IM/IM bus module for operating the ET 200M on the fault-tolerant AS 414H / AS 417H automation system

B) Subject to export regulations: AL: N, ECCN: EAR99H

■ Selection and Ordering Data Order No.

I/O Subsystem ZuS
ET 200M with hot swapping of modules, comprising profile rail for 482-mm (19-inch) active bus modules, PS/IM bus module and
• IM 153-2 High Feature bus interface module for support of HART functionality, F modules, FM modules, "Configuration in RUN" function; also for use in redundant systems
Order No.: 6ES7 654-0XX07-1XA0 B)

IM 153 Redundancy Bundle
consisting of two IM 153-2 High Feature modules and one IM/IM active bus module, for operation of the ET 200M on the AS 414H / AS 417H fault-tolerant automation system
Order No.: 6ES7 153-2AR02-0XA0


F-modules


■ Overview

The safety functions of the AS 414F/FH and AS 417F/FH automation systems are matched to the safety-related I/O modules (F-modules) of the ET 200M distributed I/O system. The F-signal modules (DI/DO/AI) in the ET 200M remote I/O stations are able to guarantee plant safety even in the event of a CPU failure. They are of redundant design, and can diagnose both internal and external faults. They carry out self-tests for this purpose, e.g. for short-circuit or wire breakage, and automatically monitor the discrepancy time defined in the parameter settings. They comply with the requirements up to SIL 3 (IEC 61508) or AK 6 (VDE 0801).

The input modules operate internally with single-channel evaluation (SIL 2 sensors), 2-out-of-2 evaluation (SIL 3 sensors) or 2-out-of-3 channel evaluation (only F-AI module). A safety response is triggered immediately if there are any differences. The type of evaluation influences the number of usable inputs (channels). For example, only half of the existing inputs are available in the case of 2-out-of-2 channel evaluation.
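The evaluation modes and discrepancy-time monitoring described above, as an added worked example in Python (this is constructed illustration, not Siemens' F-module firmware): a 2-out-of-2 sensor pair with a parameterized discrepancy time, and a 2-out-of-3 vote over three analog channels with a tolerance window, which generalizes the F-AI case to any three channels. The 50 ms discrepancy time, the 0.5 tolerance and the sample traces are assumed values:

```python
"""Evaluation modes of a redundant F-input: 2oo2 evaluation of a sensor pair
with discrepancy-time monitoring, and 2oo3 evaluation of three analog channels
with a tolerance window. Constructed illustration of the principle only."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

SAFE = False   # de-energized / demand state, used as the substitute value


@dataclass
class TwoOutOfTwoInput:
    discrepancy_ms: int                 # parameterized discrepancy time
    differ_since: Optional[int] = None  # when the two channels started to differ
    fault: bool = False                 # latched; cleared only by acknowledge()

    def evaluate(self, ch_a: bool, ch_b: bool, now_ms: int) -> bool:
        """Return the evaluated process value for one sample of both channels."""
        if self.fault:
            return SAFE
        if ch_a == ch_b:
            self.differ_since = None
            return ch_a
        # Channels disagree: respond with the safe value immediately ...
        if self.differ_since is None:
            self.differ_since = now_ms
        # ... and raise a channel fault once the discrepancy time is exceeded.
        if now_ms - self.differ_since > self.discrepancy_ms:
            self.fault = True
        return SAFE

    def acknowledge(self) -> None:
        """Operator acknowledgment after the cause of the discrepancy is removed."""
        self.fault = False
        self.differ_since = None


def vote_2oo3(values: Sequence[float], tolerance: float) -> Tuple[Optional[float], bool]:
    """Return (value, valid). Valid when at least two of the three channels lie
    within `tolerance` of the median; the median is then the evaluated value."""
    if len(values) != 3:
        raise ValueError("2oo3 evaluation needs exactly three channels")
    median = sorted(values)[1]
    agreeing = sum(1 for v in values if abs(v - median) <= tolerance)
    if agreeing >= 2:
        return median, True
    return None, False     # no majority within tolerance: channel fault


def demo_2oo2(trace):
    """Run a list of (ch_a, ch_b, t_ms) samples; return (outputs, fault)."""
    inp = TwoOutOfTwoInput(discrepancy_ms=50)
    outs = [inp.evaluate(a, b, t) for a, b, t in trace]
    return outs, inp.fault


# Constructed trace: a brief disagreement that clears within the discrepancy
# time (tolerated), then a channel stuck at a different value (fault).
TRACE = [(True, True, 0), (True, False, 10), (True, True, 30),
         (False, True, 100), (False, True, 120), (False, True, 170)]

if __name__ == "__main__":
    print(demo_2oo2(TRACE))
    print(vote_2oo3([4.0, 4.1, 12.0], 0.5), vote_2oo3([4.0, 8.0, 12.0], 0.5))
```

The trace shows the two distinct mechanisms the text describes: every disagreement drives the safe value at once, while the latched channel fault only appears when the disagreement outlasts the parameterized discrepancy time, and it survives a later agreement of the channels until acknowledged.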

The digital output modules enable safe disconnection through a second disconnect path in the event of a faulty output.

■ Selection and Ordering Data Order No.

SM 326F failsafe digital input module, for floating contacts
• 24 inputs, 24 V DC, floating in groups of 12, redundant design possible
  - 4 short-circuit-resistant sensor power supplies, each for 6 channels, isolated in groups of 3
  - External sensor power supply possible
  - SIL 2: single-channel evaluation, 24 channels
  - SIL 3: 2-out-of-2 evaluation on the module, 12 channels (adjustable discrepancy time)
  - Short-circuit monitoring to L+
  - Discrepancy monitoring
  - Diagnostics inside module
  - PROFIsafe telegram
  - Front connector required: 40-contact
  Order No.: 6ES7 326-1BK01-0AB0
• 8 inputs, NAMUR [EEx ib], isolated by channel, redundant design possible
  - 8 short-circuit-resistant sensor power supplies, each for 1 channel, mutually isolated
  - SIL 2: single-channel evaluation, 8 channels
  - SIL 3: 2-out-of-2 evaluation on the module, 4 channels (adjustable discrepancy time)
  - Wire break and short-circuit monitoring (for contacts with external resistor circuit)
  - Discrepancy monitoring
  - Diagnostics inside module
  - PROFIsafe telegram
  - Front connector required: 40-contact
  Order No.: 6ES7 326-1RF00-0AB0

SM 326F failsafe digital output, suitable for solenoid valves, DC contactors and signal lamps
• 10 outputs, 24 V DC, 2 A, floating in groups of 5, redundant design possible (outputs with internal diode)
  - SIL 2, SIL 3 parameterizable (10 channels)
  - P/P-switching (for non-floating loads; ground and earth connected together)
  - Wire break and short-circuit monitoring
  - Diagnostics inside module
  - PROFIsafe telegram
  - Front connector required: 40-contact
  Order No.: 6ES7 326-2BF01-0AB0
• 8 outputs, 24 V DC, 2 A, floating in groups of 4
  - SIL 2, SIL 3 parameterizable (8 channels)
  - P/M-switching (for floating loads; ground and earth separate)
  - Wire break and short-circuit monitoring
  - Diagnostics inside module
  - PROFIsafe telegram
  - Front connector required: 40-contact
  Order No.: 6ES7 326-2BF40-0AB0


■ Options

Isolating module

The following components are available as accessories for the F modules:
• Isolating module
  - For isolation of F and standard modules in an ET 200M remote I/O station
  - For signal isolation when using a copper bus connection (only F modules in an ET 200M remote I/O station with IM 153-2)
• Isolating bus submodule for isolating module, when using an active backplane bus

Note: The isolating module for F modules and the isolating bus submodule can only be used together. The 40-mm wide gap cannot be used for other modules.

SM 336F failsafe analog input module
• 6 inputs, 4...20 mA, redundant design possible
  - Isolated from the backplane bus
  - 2-wire or 4-wire connection
  - SIL 2: two-channel evaluation, 6 sensors
  - SIL 3: two-channel evaluation, 12 sensors (adjustable tolerance window)
  - Wire break monitoring
  - Tolerance monitoring between 2 sensors (SIL 3)
  - Diagnostics inside module
  - PROFIsafe telegram
  - Front connector required: 40-contact
  Order No.: 6ES7 336-1HE00-0AB0

Isolating module
For F modules, 40 mm wide
• For isolation of F and standard modules in an ET 200M rack
• For signal isolation when using a copper bus connection (only F modules in a rack with IM 153-2)
Order No.: 6ES7 195-7KF00-0XA0

Isolating bus module
80 mm wide, for isolating module, when using an active backplane bus
Order No.: 6ES7 195-7HG00-0XA0

[Figure: F-modules in an ET 200 rack. Labels in the figure: ET 200 rack (only for SIL 3 operation; SIL 2 also possible without isolating module); isolating bus submodule for active backplane bus; isolating module for isolation of standard and F-modules; PROFIBUS copper connection; PROFIBUS copper connection or fiber-optic cable; IM 153-2; isolating module.]

Annotation (text box): 6ES7 336-4GE00-0AB0

PHOENIX CONTACT GmbH & Co. KG, Page 1 / 7, http://www.phoenixcontact.de, May 29, 2009

Extract from the online catalog

QUINT-PS-100-240AC/24DC/40, Order No.: 2938879

http://eshop.phoenixcontact.de/phoenix/treeViewClick.do?UID=2938879

DIN rail power supply unit 24 V DC/40 A, primary switched-mode, 1-phase

Commercial data

EAN 4017918987091

Pack 1 pcs.

Customs tariff 85044081

Weight/Piece 3.785 KG

Catalog page information Page 563 (IF-2009)

Product notes

WEEE/RoHS-compliant since: 09/15/2006

http://www.download.phoenixcontact.com
Please note that the data given here has been taken from the online catalog. For comprehensive information and data, please refer to the user documentation. The General Terms and Conditions of Use apply to Internet downloads.

Product description

QUINT POWER is the high-capacity DC current supply of 60 - 960 watts for universal use worldwide. This is ensured by the wide-range input, one and three-phase versions as well as an international approval package that has yet to be matched. QUINT POWER stands for guaranteed supply: Generously dimensioned capacitors guarantee a mains buffering of more than 20 ms under full load. All three-phase devices provide the full output power, even in the event of a continuous phase failure. The Power Boost power reserve easily starts loads with high inrush currents and ensures that fuses are reliably triggered. A preventive function monitoring diagnoses improper operating states and minimizes downtime in your system. Remote monitoring is provided by an active transistor switching output and a floating relay contact. All devices are protected against idling and short circuits and are available with a regulated and adjustable output voltage of 12, 24 and 48 volts DC with output currents of 2.5, 5, 10, 20, 30 and 40 A. The comprehensive range of products is rounded off by power supplies for use in the Ex zone 2, uninterruptible solutions, AS-i power supplies and a Quint diode.

Technical data

Input data

Nominal input voltage 110 V AC ... 240 V AC

AC input voltage range 85 V AC ... 264 V AC (Derating < 100 V DC: 2.5%/V)

DC input voltage range 90 V DC ... 350 V DC (Derating < 110 V DC: 2.5%/V)

AC frequency range 45 Hz ... 65 Hz

DC frequency range 0 Hz

Current consumption Approx. 11 A (120 V AC)

Approx. 4.5 A (230 V AC)

Nominal power consumption 960 W

Inrush surge current < 15 A (typical)

Power failure bypass > 20 ms (120 V AC)

> 20 ms (230 V AC)

Input fuse 20 A (fast blow, internal)

Recommended backup fuse 16 A

25 A (characteristic B)

Name of protection Transient surge protection

Protective circuit/component Varistor

Output data

Nominal output voltage 24 V DC ±1%

Setting range of the output voltage 22.5 V DC ... 29.5 V DC (> 24 V constant capacity)

Output current 40 A (-25°C ... 70°C)

45 A (with POWER BOOST, -25°C ... 40°C permanent)

Connection in parallel Yes, for redundancy and increased capacity

Connection in series Yes

Max. capacitive load Unlimited

Current limitation Approx. IBOOST = 45 A (for short circuit)

Control deviation < 1 % (change in load, static 10% ... 90%)

< 2 % (change in load, dynamic 10% ... 90%)

< 0.1 % (change in input voltage ±10%)

Residual ripple < 30 mVPP (with nominal values)

Peak switching voltages nominal load < 50 mVPP (20 MHz)

Maximum power dissipation idling 28 W


Power loss nominal load max. 80 W

General data

Width 240 mm

Height 130 mm

Depth 125 mm

Weight 3.5 kg

Operating voltage display LED green

Efficiency > 92 % (for 230 V AC and nominal values)

Insulation voltage input/output 3 kV AC (type test)

2 kV AC (routine test)

Degree of protection IP20

Class of protection I, with PE connection

MTBF > 500 000 h in acc. with IEC 61709 (SN 29500)

Ambient temperature (operation) -25 °C ... 70 °C (> 60 °C derating)

Ambient temperature (storage/transport) -40 °C ... 85 °C

Max. permissible relative humidity (operation) 95 % (at 25°C, no condensation)

Mounting position Horizontal DIN rail NS 35, EN 60715

Assembly instructions Can be aligned: Horizontal 0 cm, vertical 5 cm

Electromagnetic compatibility Conformance with EMC guideline 2004/108/EC and for low-voltage guideline 2006/95/EC

Emitted interference EN 50081-2

Immunity to interference EN 61000-6-2:2005

Standard – Electrical equipment of machines EN 60204

Standard - Safety of transformers EN 61558-2-17

Standard - Electrical safety EN 60950/VDE 0805 (SELV)

EN 61558-2-17

Standard – Shipbuilding German Lloyd, ABS, DNV

Standard – Electronic equipment for use in electrical power installations and their assembly into electrical power installations

EN 50178/VDE 0160 (PELV)

Standard – Safety extra-low voltage EN 60950 (SELV)

EN 60204 (PELV)

Standard - Safe isolation DIN VDE 0100-410

DIN VDE 0106-1010

Standard – Protection against electric shock DIN 57100-410


Standard – Protection against shock currents, basic requirements for protective separation in electrical equipment

DIN VDE 0106-101

Standard – Limitation of mains harmonic currents EN 61000-3-2

Standard – Equipment safety GS (tested safety)

Certificate CB Scheme

UL approvals UL/C-UL listed UL 508

UL/C-UL Recognized UL 60950

UL/C-UL Listed UL 1604 Class I, Division 2, Groups A, B, C, D

Surge voltage category III

Connection data, input

Type of connection Screw connection

Conductor cross section solid min. 0.2 mm²

Conductor cross section solid max. 6 mm²

Conductor cross section stranded min. 0.2 mm²

Conductor cross section stranded max. 4 mm²

Conductor cross section AWG/kcmil min. 24

Conductor cross section AWG/kcmil max 10

Stripping length 8 mm

Screw thread M3

Connection data, output

Type of connection Screw connection

Conductor cross section solid min. 0.5 mm²

Conductor cross section solid max. 16 mm²

Conductor cross section stranded min. 0.5 mm²

Conductor cross section stranded max. 10 mm²

Conductor cross section AWG/kcmil min. 20

Conductor cross section AWG/kcmil max 6

Stripping length 10 mm

Signaling

Output name DC OK active

Output description UOUT > 0.9 x UN: High signal

Maximum switching voltage ≤ 24 V

Output voltage + 24 V DC (signal)

Maximum inrush current ≤ 40 mA (short circuit resistant)


Continuous load current ≤ 20 mA

Status display "DC OK" LED green

Note on status display UOUT < 0.9 x UN: LED flashing

Conductor cross section solid min. 0.2 mm²

Conductor cross section solid max. 6 mm²

Conductor cross section stranded min. 0.2 mm²

Conductor cross section stranded max. 4 mm²

Conductor cross section AWG/kcmil min. 24

Conductor cross section AWG/kcmil max 10

Tightening torque, min 0.5 Nm

Tightening torque max 0.6 Nm

Screw thread M3

Output name DC OK floating

Output description Relay contact, UOUT > 0.9 x UN: Contact closed

Maximum switching voltage ≤ 30 V AC/DC

Maximum inrush current ≤ 1 A

Continuous load current ≤ 1 A

Status display "DC OK" LED green

Certificates / Approvals

Certification ABS, CUL, CUL Listed, DNV, GL, GOST, UL, UL Listed

Certification Ex: CUL-EX LIS, UL-EX LIS

Accessories

Item Designation Description

General

2938235 UWA 182/52 Universal wall adapter


Drawings

Block diagram

Circuit diagram


Address

PHOENIX CONTACT GmbH & Co. KG, Flachsmarktstr. 8, 32825 Blomberg, Germany. Phone +49 5235 3 00, Fax +49 5235 3 41200, http://www.phoenixcontact.de

© 2009 Phoenix Contact. Technical modifications reserved.


Extract from the online catalog

QUINT-PS-100-240AC/24DC/20, Order No.: 2938620

http://eshop.phoenixcontact.de/phoenix/treeViewClick.do?UID=2938620

DIN rail power supply unit 24 V DC/20 A, primary switched-mode, 1-phase

Commercial data

EAN 4017918890544

Pack 1 pcs.

Customs tariff 85044081

Weight/Piece 3.06 KG

Catalog page information Page 481 (IF-2007)

Product notes

WEEE/RoHS-compliant since: 03/29/2006

http://www.download.phoenixcontact.com
Please note that the data given here has been taken from the online catalog. For comprehensive information and data, please refer to the user documentation. The General Terms and Conditions of Use apply to Internet downloads.

Product description

QUINT POWER is the high-capacity DC current supply of 60 - 960 watts for universal use worldwide. This is ensured by the wide-range input, one and three-phase versions as well as an international approval package that has yet to be matched. QUINT POWER stands for guaranteed supply: Generously dimensioned capacitors guarantee a mains buffering of more than 20 ms under full load. All three-phase devices provide the full output power, even in the event of a continuous phase failure. The Power Boost power reserve easily starts loads with high inrush currents and ensures that fuses are reliably triggered. A preventive function monitoring diagnoses improper operating states and minimizes downtime in your system. Remote monitoring is provided by an active transistor switching output and a floating relay contact. All devices are protected against idling and short circuits and are available with a regulated and adjustable output voltage of 12, 24 and 48 volts DC with output currents of 2.5, 5, 10, 20, 30 and 40 A. The comprehensive range of products is rounded off by power supplies for use in the Ex zone 2, uninterruptible solutions, AS-i power supplies and a Quint diode.

Technical data

Input data

Nominal input voltage 100 V AC ... 240 V AC

AC input voltage range 85 V AC ... 264 V AC

DC input voltage range 90 V DC ... 350 V DC

AC frequency range 45 Hz ... 65 Hz

DC frequency range 0 Hz

Current consumption Approx. 4.76 A (120 V AC)

Approx. 2.3 A (230 V AC)

Nominal power consumption 480 W

Inrush surge current < 15 A (typical)

Power failure bypass > 25 ms (120 V AC)

> 25 ms (230 V AC)

Input fuse 12 A (slow-blow, internal)

Recommended backup fuse 10 A

16 A (characteristic B)

Name of protection Transient surge protection

Protective circuit/component Varistor

Output data

Nominal output voltage 24 V DC ±1%

Setting range of the output voltage 22.5 V DC ... 28.5 V DC

Output current 20 A (up to 60°C)

26 A (with POWER BOOST)

Connection in parallel Yes, for redundancy and increased capacity

Connection in series Yes

Max. capacitive load Unlimited

Current limitation Approx. IBOOST = 26 A (for short circuit)

Control deviation < 1 % (change in load, static 10% ... 90%)

< 2 % (change in load, dynamic 10% ... 90%)

< 0.1 % (change in input voltage ±10%)

Residual ripple < 10 mVPP (with nominal values)

Peak switching voltages nominal load < 30 mVPP (20 MHz)

Maximum power dissipation idling 3 W


Power loss nominal load max. 44 W

General data

Width: 157 mm
Height: 130 mm
Depth: 125 mm
Weight: 2.5 kg
Operating voltage display: LED, green
Efficiency: > 92 %
Insulation voltage input/output: 4 kV AC (type test); 2 kV AC (routine test)
Degree of protection: IP20
Class of protection: I, with PE connection
MTBF: > 500 000 h in acc. with IEC 61709 (SN 29500)
Ambient temperature (operation): -25 °C ... 70 °C (> 60 °C derating)
Ambient temperature (storage/transport): -40 °C ... 85 °C
Max. permissible relative humidity (operation): 95 % (at 25 °C, no condensation)
Mounting position: Horizontal DIN rail NS 35, EN 60715
Assembly instructions: Can be aligned: horizontal 0 cm, vertical 5 cm
Electromagnetic compatibility: Conformance with EMC directive 89/336/EEC
Emitted interference: EN 50081-2
Immunity to interference: EN 61000-6-2:2005
Standard – Electrical equipment of machines: EN 60204
Standard – Safety of transformers: EN 61558-2-17
Standard – Electrical safety: EN 60950/VDE 0805 (SELV); EN 61558-2-17
Standard – Shipbuilding: German Lloyd, ABS
Standard – Electronic equipment for use in electrical power installations and their assembly into electrical power installations: EN 50178/VDE 0160 (PELV)
Standard – Safety extra-low voltage: EN 60950 (SELV); EN 60204 (PELV)
Standard – Safe isolation: DIN VDE 0100-410; DIN VDE 0106-1010
Standard – Protection against electric shock: DIN 57100-410


Standard – Protection against shock currents, basic requirements for protective separation in electrical equipment: DIN VDE 0106-101
Standard – Limitation of mains harmonic currents: EN 61000-3-2
Standard – Equipment safety: GS (tested safety)
Certificate: CB Scheme
UL approvals: UL/C-UL Listed UL 508; UL/C-UL Recognized UL 60950; UL/C-UL Listed UL 1604 Class I, Division 2, Groups A, B, C, D
Surge voltage category: III

Connection data, input

Type of connection: Screw connection
Conductor cross section, solid, min.: 0.2 mm²
Conductor cross section, solid, max.: 6 mm²
Conductor cross section, stranded, min.: 0.2 mm²
Conductor cross section, stranded, max.: 4 mm²
Conductor cross section, AWG/kcmil, min.: 24
Conductor cross section, AWG/kcmil, max.: 10
Stripping length: 8 mm
Screw thread: M3

Connection data, output

Type of connection: Screw connection
Conductor cross section, solid, min.: 0.5 mm²
Conductor cross section, solid, max.: 16 mm²
Conductor cross section, stranded, min.: 0.5 mm²
Conductor cross section, stranded, max.: 10 mm²
Conductor cross section, AWG/kcmil, min.: 20
Conductor cross section, AWG/kcmil, max.: 6
Stripping length: 10 mm

Signaling

Output name: DC OK active
Output description: U_OUT > 0.9 × U_N: High signal
Maximum switching voltage: ≤ 24 V
Output voltage: +24 V DC (signal)
Maximum inrush current: ≤ 40 mA


Continuous load current: ≤ 40 mA
Status display "DC OK": LED, green
Note on status display: U_OUT < 0.9 × U_N: LED flashing
Conductor cross section, solid, min.: 0.5 mm²
Conductor cross section, solid, max.: 16 mm²
Conductor cross section, stranded, min.: 0.5 mm²
Conductor cross section, stranded, max.: 10 mm²
Conductor cross section, AWG/kcmil, min.: 20
Conductor cross section, AWG/kcmil, max.: 6
Tightening torque, min.: 1.2 Nm
Tightening torque, max.: 1.5 Nm
Screw thread: M4

Output name: DC OK floating
Output description: Relay contact, U_OUT > 0.9 × U_N: Contact closed
Maximum switching voltage: ≤ 30 V AC/DC
Maximum inrush current: ≤ 1 A
Continuous load current: ≤ 1 A
Status display "DC OK": LED, green

Certificates / Approvals

Certification: ABS, CB, CUL, CUL Listed, DNV, GL, GOST, UL, UL Listed
Certification Ex: CUL-EX LIS, UL-EX LIS

Accessories

Item / Designation / Description

General

2938235 / UWA 182/52 / Universal wall adapter


Drawings

Block diagram (figure not reproduced in this extract)


Address

PHOENIX CONTACT GmbH & Co. KG
Flachsmarktstr. 8
32825 Blomberg, Germany
Phone +49 5235 3 00
Fax +49 5235 3 41200
http://www.phoenixcontact.de

© 2009 Phoenix Contact. Technical modifications reserved.


PHOENIX CONTACT GmbH & Co. KG, Page 1 / 3, http://www.phoenixcontact.de, May 29, 2009

Extract from the online catalog

PR2-BSC3/4X21, Order No.: 2833576
http://eshop.phoenixcontact.de/phoenix/treeViewClick.do?UID=2833576

Relay socket PR2-B, for industrial relay REL-IR with 2 or 4 PDT, 1/3-level version, screw connections, connection facility for input/interference suppression modules, for mounting on NS 35/7.5

Commercial data

EAN: 4017918933807
Pack: 10 pcs.
Customs tariff: 85366990
Weight/piece: 0.07315 kg
Catalog page information: Page 59 (IF-2009)

Product notes

WEEE/RoHS-compliant since: 08/18/2008

http://www.download.phoenixcontact.com
Please note that the data given here has been taken from the online catalog. For comprehensive information and data, please refer to the user documentation. The General Terms and Conditions of Use apply to Internet downloads.

Technical data

Connection data

Conductor cross section, solid, min.: 0.2 mm²
Conductor cross section, solid, max.: 1.5 mm²
Conductor cross section, stranded, min.: 0.2 mm²


Conductor cross section, stranded, max.: 1.5 mm²
Conductor cross section, AWG/kcmil, min.: 26
Conductor cross section, AWG/kcmil, max.: 16
2 conductors with same cross section, solid, max.: 1.50 mm²
2 conductors with same cross section, stranded, max.: 1.50 mm²
2 conductors with same cross section, AWG, max.: 14
Type of connection: Screw connection
Stripping length: 7 mm
Screw thread: M3

General data

Width: 27 mm
Depth: 78.5 mm
Height with retaining bracket: 86 mm (EL2-P35)
Color: green
Ambient temperature (operation): -25 °C ... 85 °C
Ambient temperature (storage/transport): -25 °C ... 85 °C

Certificates / Approvals

Certification: CSA, UL

Accessories

Item / Designation / Description

General

2833592 / EL2-P35 / Relay retaining bracket, with eject function and integrated equipment marking area (8 x 25 mm), to suit relay socket PR2, for 35 mm high industrial relay
2833644 / MP 2 / Equipment marker, labeling surface 9 x 25 mm
