
Area of application

SIMATIC S7-400F/FH safety-related automation systems are used in plants with increased safety requirements. They control processes where immediate shutdown presents no danger to personnel or the environment. Two designs are available and they differ as follows:

  • S7-400F:
    Safety-related automation system with a single CPU (AS Single Station). If a fault occurs in the control system, the production process is brought to a safe state and interrupted.
  • S7-400FH:
    Safety-related and high-availability automation system with two redundant CPUs (AS Redundancy Station). In the event of a fault in the control system, redundant control sections intervene and continue control of the production process.

The additional use of standard modules makes it possible to establish a fully integrated control system for a plant where non-safety-related tasks and safety-related tasks co-exist. The overall plant is configured and programmed with the same standard tools.

Overview

  • Failsafe automation system for plants with increased safety requirements
  • Complies with safety requirements to SIL 3 in accordance with IEC 61508, AK6 in accordance with DIN V 19250 and Cat. 4 in accordance with EN 954-1
  • If required, also fault tolerant through redundant design
  • Without additional wiring of the safety-related I/O
  • Safety-related communication via PROFIBUS DP, PROFIBUS PA and PROFINET with PROFIsafe profile
  • Based on S7-400H and ET 200M, ET 200iSP, ET 200S with safety-related F-modules
  • Standard modules can be used in addition for non-safety-related applications

Catalog ST 70

You can also find information about SIMATIC S7-400 in Catalog ST 70:

http://www.automation.siemens.com/salesmaterial-as/catalog/en/simatic-st70-chap06-english-2015.pdf

Design

Different design versions can be implemented according to requirements. These are illustrated below using the example of ET 200M distributed I/O:

Single-channel, one-sided I/O for S7-400F

The plant requires a safety-related controller. Fault tolerance is not required. The following are required:

  • 1 CPU S7‑400H with F‑Runtime license.
  • 1 PROFIBUS DP or PROFINET line.
  • 1 ET 200M with IM 153‑2 (PROFIBUS DP) or IM 153‑4 (PROFINET).
  • Safety-related signal modules in non-redundant design.

In the event of a fault, the I/O is no longer available. The safety-related signal modules are passivated.

Single-channel, switched I/O for S7-400FH

The plant requires a safety-related controller. Fault tolerance is required on the CPU side. The following are required:

  • 2 CPU S7‑400H with F-Runtime license.
  • 2 PROFIBUS DP lines.
  • 1 ET 200M with 2 IM 153-2 (redundant).
  • Safety-related signal modules in non-redundant design.

If the CPU, IM 153-2 or PROFIBUS DP line fails, the controller remains available. Failure of the safety-related signal modules or the ET 200M station means the I/O is no longer available. The safety-related signal modules are passivated.

Redundant, switched I/O for S7-400FH

The plant requires a safety-related controller. Fault tolerance is required on the CPU side and the I/O side. The following are required:

  • 2 CPU S7‑400H with F-Runtime license.
  • 2 PROFIBUS DP lines.
  • 2 ET 200M with 2 IM 153-2 (redundant).
  • Safety-related signal modules in redundant design.

In the event of failure of the CPU, IM 153-2, PROFIBUS DP line, safety-related signal modules or ET 200M station, the controller remains available.

Communication

Standard and safety-related communication between the central controller and the ET 200M takes place via PROFIBUS DP or PROFINET. The PROFIsafe profile specially developed for safety-related communication supports the transfer of user data for the safety functions within the standard data message frame. Additional hardware components such as special safety buses are not required. The necessary software is either integrated in the hardware components as an expansion of the operating system or loaded into the CPU later as a certified software block.

Functions

The S7-400F/FH systems meet the following safety requirements:

  • Requirement classes AK 1 to AK 6 in accordance with DIN V 19250/DIN V VDE 0801
  • Safety requirement classes SIL 1 to SIL 3 in accordance with IEC 61508
  • Categories 1 to 4 according to EN 954-1

Mode of operation

The safety functions of the S7-400F/FH are contained in the F program of the CPU and in the safety-related signal modules (F-modules).

The signal modules monitor output and input signals by means of discrepancy analyses and test signal injections.

The CPU checks the proper operation of the controller with regular self-tests, command tests, and logical and chronological program execution checks. In addition, the I/O is checked by means of sign-of-life requests.

If a fault is diagnosed in the system, the system is brought to a safe state.
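The two I/O checks named above, discrepancy analysis on a two-channel F-input and the CPU's sign-of-life monitoring, as an added simplified model (not Siemens code); the discrepancy time, sign-of-life timeout and module names are constructed values, and the substitute value on passivation is assumed to be False:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added illustration of the checks described in "Mode of operation".
# All timing values are constructed; a real F-module takes them from the
# hardware configuration. Passivation delivers a safe substitute value
# (assumed False here) until the channel is explicitly reintegrated.


@dataclass
class TwoChannelInput:
    """Two sensor channels read by one safety-related input module."""
    discrepancy_time_ms: int
    mismatch_since_ms: Optional[int] = None
    passivated: bool = False

    def evaluate(self, ch_a: bool, ch_b: bool, now_ms: int) -> bool:
        """Return the value handed to the F program.

        Agreeing channels pass through. A disagreement that lasts at least
        the discrepancy time passivates the channel pair; while the
        disagreement is pending, and after passivation, the safe value
        (False) is delivered instead of the raw signal.
        """
        if self.passivated:
            return False
        if ch_a == ch_b:
            self.mismatch_since_ms = None  # discrepancy cleared in time
            return ch_a
        if self.mismatch_since_ms is None:
            self.mismatch_since_ms = now_ms  # start the discrepancy timer
        if now_ms - self.mismatch_since_ms >= self.discrepancy_time_ms:
            self.passivated = True  # fault diagnosed: go to the safe state
        return False


@dataclass
class SignOfLifeMonitor:
    """CPU-side check: each F-module must answer a request within timeout."""
    timeout_ms: int
    pending: Dict[str, int] = field(default_factory=dict)
    passivated: List[str] = field(default_factory=list)

    def request(self, module: str, now_ms: int) -> None:
        self.pending.setdefault(module, now_ms)  # keep the oldest open request

    def response(self, module: str) -> None:
        self.pending.pop(module, None)  # module is alive, clear its request

    def check(self, now_ms: int) -> List[str]:
        """Passivate every module whose sign-of-life response is overdue."""
        for module, sent in list(self.pending.items()):
            if now_ms - sent > self.timeout_ms and module not in self.passivated:
                self.passivated.append(module)
        return list(self.passivated)
```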

F-Runtime license

The S7 F-Runtime license must be loaded onto the CPU S7-400H to operate the S7-400F/FH. One license is required for each S7-400F/FH.

Programming

The S7-400F/FH is programmed in the same way as the other SIMATIC S7 systems. The user program for non-safety-related plant sections is created with time-tested programming tools such as STEP 7.

S7 F Systems option package

The option package "S7 F Systems" is required for programming the safety-related program sections. The package contains all the necessary functions and blocks for creating the F program. The following software packages must be loaded onto the PG/PC for S7 F Systems to run:

  • STEP 7 as of V5.4 SP3 HF7
  • CFC as of V7.0 SP1 HF7
  • Optional: SIMATIC PCS 7 as of V7.0 SP3

For the F program with the safety functions, special function blocks from the F library are called up with CFC and interconnected. The CFC simplifies the configuring, programming and the acceptance testing of the system. Programmers can concentrate fully on the safety-related application without having to use additional tools.
