
SIMATIC
Programmable Controllers
S7 F/FH Systems
Manual

Important Information
List of Safety Notes
Contents
Product Overview
Getting Started
Safety Mechanisms
Configuration
Programming
Operation and Maintenance
Safety
Fail-Safe Function Blocks
Appendices
Check Lists
References
Glossary, Index

This manual is part of the documentation package with the order number:
6ES7988-8FA10-8BA0

Edition 02/2003
A5E00085588-03

Safety Guidelines
This manual contains notices intended to ensure personal safety, as well as to protect the products and
connected equipment against damage. These notices are highlighted by the symbols shown below and
graded according to severity by the following texts:

Safety Note
Contains important information on the acceptance and safety-related use of the product.

Warning
Indicates that death, severe personal injury or substantial property damage can result if proper
precautions are not taken.

Caution
Indicates that minor personal injury can result if proper precautions are not taken.

Note
Draws your attention to particularly important information on the product, handling the product, or to a
particular part of the documentation.

Qualified Personnel
Only qualified personnel should be allowed to install and work on this equipment. Qualified persons are
defined as persons who are authorized to commission, to ground and to tag circuits, equipment, and
systems in accordance with established safety practices and standards.

Correct Usage
Note the following:

Warning
This device and its components may only be used for the applications described in the catalog or the
technical description, and only in connection with devices or components from other manufacturers
which have been approved or recommended by Siemens.
This product can only function correctly and safely if it is transported, stored, set up, and installed
correctly, and operated and maintained as recommended.

Trademarks
SIMATIC, SIMATIC HMI and SIMATIC NET are registered trademarks of SIEMENS AG.
Some of the other designations used in these documents are also registered trademarks; the owner's rights
may be violated if they are used by third parties for their own purposes.

Copyright Siemens AG 2003 All rights reserved
The reproduction, transmission or use of this document or its contents is not permitted without express
written authority. Offenders will be liable for damages. All rights, including rights created by patent grant
or registration of a utility model or design, are reserved.

Disclaimer of Liability
We have checked the contents of this manual for agreement with the hardware and software described.
Since deviations cannot be precluded entirely, we cannot guarantee full agreement. However, the data in
this manual are reviewed regularly and any necessary corrections included in subsequent editions.
Suggestions for improvement are welcomed.

Siemens AG
Automation and Drives
Industrial Automation Systems
Postfach 4848, D-90327 Nuernberg

Siemens AG 2003
Technical data subject to change.

Siemens Aktiengesellschaft

Important Information
Purpose of the Manual
The information contained in this manual enables you to configure and program S7
F/FH Systems using S7 F Systems V5.2.

Target Group
This manual is intended for system planners, configuration engineers and
programmers. Knowledge of STEP 7 and CFC is assumed in most areas.

Contents
This manual describes how to work with the S7 F/FH Systems using the S7 F Systems
V5.2 software. It consists of instructive chapters and reference chapters
(descriptions of the fail-safe function blocks and check lists for acceptance). The
manual covers the following topics:

Safety Mechanisms

Configuration

Programming

Maintenance

Safety

Fail-Safe Blocks

Scope of the Manual

| Module | Order Number | As of Version |
| S7 F Systems V5.2 Options Package including Authorization License V5.0 | 6ES7 833-1CC00-0YX0 | V5.2 |
| F-Copy License | 6ES7 833-1CC00-6YX0 | V5.0 |

Fail-Safe Systems
A5E00085588-03


What's New?
The following changes are new in S7 F Systems V5.2:

| Topic | Chapter |
| New fail-safe blocks | Fail-Safe Blocks |
| Introduction to the F_Shutdown logic | Getting Started |
| Support of the new ET 200S fail-safe modules in the S7 F/FH Systems | Throughout the document |
| Enhanced usability | Programming |

Standards, Certificates and Approvals

The S7 F/FH Systems and the fail-safe F-I/Os are certified for use in safety mode up
to the following levels:

- Requirement classes AK1 to AK6 in accordance with DIN V 19250 / DIN V VDE 0801
- SIL1 to SIL3 (Safety Integrity Level) in accordance with IEC 61508
- Categories 1 to 4 in accordance with EN 954-1

Place in the Information Landscape

This manual is part of the documentation package for the S7 F/FH System.

System: S7 F Systems
Documentation package (order number 6ES7988-8FB10-8BA0):
- Safety Engineering in SIMATIC S7
- Programmable Controllers, S7 F/FH Systems
- ET 200S Distributed I/O System Fail-Safe Modules
- Automation Systems S7-300 Fail-Safe Signal Modules

CD-ROM
You can also obtain all the SIMATIC S7 documentation as a dedicated SIMATIC
S7 collection on CD-ROM.


How to Use this Manual

To help you find specific information quickly, the manual contains the following
aids:

- There is a complete table of contents at the beginning of the manual.
- A heading indicating the contents of each section is provided in the left-hand
  column on each page of each chapter.
- Following the appendices, you will find a glossary in which important technical
  terms used in the manual are defined.
- At the end of the manual you will find a detailed index, which makes it easy for
  you to find the information you are looking for.

Additional Support
For any unanswered questions about the use of products presented in this manual,
contact your local Siemens representative:
http://www.siemens.com/automation/partner

Training Center
We offer courses to help you get started with the S7 automation system. Contact
your regional training center or the central training center in Nuremberg (90327),
Federal Republic of Germany.
Telephone: +49 (911) 895-3200
http://www.sitrain.com

H/F Competence Center
The H/F Competence Center in Nuremberg offers special workshops on SIMATIC
S7 fail-safe and fault-tolerant automation systems. The H/F Competence Center
can also provide assistance with on-site configuration, commissioning, and
troubleshooting.
Telephone: +49 (911) 895-4759
Fax: +49 (911) 895-5193

For questions about workshops, etc., contact: hf-cc@nbgm.siemens.de

For Safety Integrated questions (system, wiring, etc.), contact:
cocsi@nbgm.siemens.de


A&D Technical Support

Available worldwide, 24 hours a day:

Worldwide (Nuremberg), Technical Support
Local time: 24 hours per day, 365 days per year
Telephone: +49 (0) 180 5050-222
Fax: +49 (0) 180 5050-223
E-mail: adsupport@siemens.com
GMT: +1:00

Europe/Africa (Nuremberg), Authorization
Local time: Mon-Fri 8:00 a.m. to 5:00 p.m.
Telephone: +49 (0) 180 5050-222
Fax: +49 (0) 180 5050-223
E-mail: adsupport@siemens.com
GMT: +1:00

United States (Johnson City), Technical Support and Authorization
Local time: Mon-Fri 8:00 a.m. to 5:00 p.m.
Telephone: +1 (0) 770 7403505
Fax: +1 (0) 770 7403699
E-mail: isd-callcenter@sea.siemens.com
GMT: -5:00

Asia/Australia (Beijing), Technical Support and Authorization
Local time: Mon-Fri 8:00 a.m. to 5:00 p.m.
Telephone: +86 10 64 75 75 75
Fax: +86 10 64 74 74 74
E-mail: adsupport.asia@siemens.com
GMT: +8:00

In general, English and German are spoken by Technical Support and Authorization staff.


Service & Support on the Internet

In addition to our paper documentation, we also provide all of our technical
information on the Internet at:
http://www.siemens.com/automation/service&support
Here, you will find the following information:

- Newsletter providing the latest information on your products
- Exact documents for your requirements, which you can access by performing
  an online search in Service & Support
- Forum in which users and experts worldwide exchange ideas
- Your local Automation & Drives contact, who can be accessed in our Contacts
  database
- Information about local service, repair, and replacement parts. Much more
  information can be found under "Services".


List of Safety Notes
Keep Safety and Standard Functions Separate .............................................................1-19
Public Network Safety F-CPU Communication Not Allowed ..........................................3-12
Safety Rules for Safety Operation ....................................................................................4-2
CPU containing safety program must have a password ..................................................4-3
I/O Group Diagnosis .........................................................................................................4-5
Modify Variables can cause Shutdown ............................................................................4-7
Limiting Access through ES ..............................................................................................4-8
Password Protection .........................................................................................................4-8
Safety Program and CPU Passwords should be different ...............................................4-9
Authorized use of Password ...........................................................................................4-10
Compiler Generated Values off-limits ...............................................................................5-5
Comparison Changes Signature ......................................................................................5-6
Symbol Table Entries for F-Blocks cannot be changed .................................................5-10
Do not change automatically inserted F-Control Blocks ................................................5-11
Incorrect changes to fail-safe blocks' input parameters may result in the Safety Program and its outputs being disabled .....5-12
During simulation of Input Channels the Simulation value is always available on the block's output .....5-22
Automatic Reintegration may not always be possible ....................................................5-25
Startup Protection to handle short power failures in the F-I/O ......................................5-26
Automatic Reintegration through F_QUITES .................................................................5-27
Default MAX_CYC ..........................................................................................................5-30
Safety Program must be re-compiled if S7 connections used for CPU-CPU Communication have changed .....5-32
Use F_LIM_R for plausibility check of standard to F-data conversion ...........................5-37
When Deactivating Safety Mode ....................................................................................5-40
F-Block outputs always use the preset initial values ......................................................5-44
Safety Program on Memory Card ...................................................................................5-48
Downloading ...................................................................................................................5-49
OB Cycle Time Changes Restricted ...............................................................................5-50
Password Protection Level .............................................................................................5-54
Download Operation Aborted .........................................................................................5-55
Safety Program disabled if fail-safe outputs are changed .............................................5-56
ES changes can change signature .................................................................................5-56
Simulation Warning (V5.0 and below) ............................................................................5-59
Simulation Warning (V5.1 and above) ............................................................................5-61
Allowable F Control Block comparison changes ............................................................5-75
Checking online comparison output ...............................................................................5-76
Simulation of PROFIsafe devices not permitted ...............................................................6-1
Duplicate Masters must be avoided .................................................................................6-2
Safety measures must be followed ...................................................................................6-2
Pulse Detection .................................................................................................................7-9
Archive STEP 7 Projects ................................................................................................7-14
Do Not Change PAR_ID and COMPLEM parameters .....................................................8-2
Do not change automatically supplied FB inputs .............................................................8-4
Fail-safe FB numbers .......................................................................................................8-7
Safety Program can be installed in OB 3x ONLY .............................................................8-8
Do NOT change CRC_IMP input ....................................................................................8-26
Use F_LIM_R for plausibility check of standard to F-data conversion ...........................8-35
Reintegration through User Acknowledgement with F_QUITES ....................................8-45
PD_FLAG not to be interconnected ................................................................................8-56
F_SHUTDN in slowest configured OB ............................................................................8-74


Contents

Product Overview .......................................................................... 1-1
1.1 Overview .................................................................................. 1-1
1.2 Basic Configuration Variants .................................................. 1-4
1.3 Components of an S7 F System ............................................ 1-7
1.4 Hardware Components .......................................................... 1-8
1.5 Software Components .......................................................... 1-10
1.6 Installing the S7 F Systems Optional Package .................... 1-11
1.6.1 Getting Started Information Applicable to All Use-Case Scenarios .... 1-11
1.6.2 Use-Case Scenarios ........................................................... 1-12
1.7 Working with F-Systems ....................................................... 1-19

Getting Started ............................................................................ 2-1
2.1 Introduction .............................................................................. 2-1
2.2 S7 F System - Getting Started ............................................... 2-4
2.2.1 S7 F System, Setting up the Hardware .............................. 2-4
2.2.2 Configuring the S7 F System .............................................. 2-6
2.2.3 S7 F System, Creating a Fail-Safe User Program .............. 2-8
2.2.4 Starting Up the S7 F System ............................................ 2-11
2.2.5 S7 F System, Monitoring Errors ....................................... 2-12
2.3 Fault-Tolerant S7 FH System - Getting Started .................. 2-13
2.3.1 Fault-Tolerant S7 FH System, Setting Up the Hardware ... 2-13
2.3.2 Configuring the Fault-Tolerant S7 FH System ................. 2-15
2.3.3 Fault-Tolerant S7 FH System, Creating a Fail-Safe User Program .... 2-16
2.3.4 Starting Up a Fault-Tolerant S7 FH System ..................... 2-16
2.3.5 Fault-Tolerant S7 FH System, Monitoring Errors ............. 2-17

Safety Mechanisms ...................................................................... 3-1
3.1 Introduction to the Safety Mechanisms .................................. 3-1
3.2 Safety Mode ............................................................................ 3-2
3.3 Fault Reactions ....................................................................... 3-3
3.4 Startup of an F-System ........................................................... 3-4
3.5 Self-Tests and Command Tests ............................................. 3-5
3.6 Logical and Time-Based Program Execution Monitoring ....... 3-5
3.7 Fail-Safe User Times .............................................................. 3-7
3.8 Password Protection for F-Systems ....................................... 3-8
3.9 Safety-Related Communication .............................................. 3-9
3.9.1 Communication Between the Safety Program and the Standard User Program .... 3-10
3.9.2 Communication Between F-Run-Time Groups ................. 3-11
3.9.3 Communication Between the F-CPU and F-I/Os .............. 3-11
3.9.4 Safety-Related Communication Between F-CPUs ........... 3-12

Configuration ................................................................................ 4-1
4.1 Overview .................................................................................. 4-1
4.2 Hardware Configuration and Parameter Assignment ............. 4-1
4.3 CPU Parameter Assignment ................................................... 4-3
4.4 Parameter Assignment of F-I/Os ............................................ 4-4
4.5 Configuring Redundant F-I/Os ................................................ 4-6
4.6 Configuring the Networks and Connections ........................... 4-6
4.7 Programming Device Functions in STEP 7 ............................ 4-7
4.8 Setting up, Modifying and Cancelling Access Rights ............. 4-8
4.8.1 Setting up Access Rights for the CPU ................................ 4-8
4.8.2 Entering/Changing the Password for the Safety Program ... 4-9
4.8.3 Cancelling Access Rights for the Safety Program ............ 4-10
4.9 Configuration in Run ............................................................. 4-11

Programming ................................................................................ 5-1
5.1 Overview .................................................................................. 5-1
5.1.1 Structure of the Safety Program .......................................... 5-1
5.1.2 Blocks of the Safety Program .............................................. 5-2
5.2 Creating Safety Programs ....................................................... 5-4
5.2.1 Creating a Safety Program - Basic Procedure .................... 5-4
5.2.2 Safety Notes for Programming ............................................ 5-5
5.2.3 Defining the Program Structure ........................................... 5-7
5.2.4 Inserting CFC Charts ........................................................... 5-8
5.2.5 Inserting Run-Time Groups ................................................. 5-9
5.3 Inserting and Interconnecting Fail-Safe Blocks .................... 5-10
5.3.1 Inserting Fail-Safe Blocks ................................................. 5-10
5.3.2 Automatically Inserted F-Blocks ....................................... 5-11
5.3.3 Interconnecting and Assigning Parameters to F-Blocks ... 5-12
5.3.4 Defining the Run Sequence .............................................. 5-14
5.3.5 Interconnecting F-Driver Blocks ....................................... 5-16
5.3.6 Passivation and Reintegration of the Input and Output Channels .... 5-24
5.3.7 Programming Startup Protection ...................................... 5-28
5.3.8 Example: Reintegration after Startup of the Safety Program .... 5-29
5.3.9 Assigning Parameters to the F Cycle Time Monitoring ..... 5-30
5.3.10 Interconnecting F Communication Blocks ...................... 5-31
5.4 Processing of the Safety Program ........................................ 5-39
5.4.1 Managing Safety Programs .............................................. 5-39
5.4.2 Deactivating Safety Mode ................................................. 5-40
5.4.3 Activating Safety Mode ..................................................... 5-42
5.4.4 Compiling a Safety Program ............................................. 5-43
5.4.5 Creating Fail-Safe Block Types ........................................ 5-44
5.4.6 Downloading a Safety Program ........................................ 5-47
5.4.7 Downloading the Entire Safety Program ........................... 5-48
5.4.8 Changes to the Safety Program in RUN Mode ................. 5-49
5.4.9 Downloading Changes ...................................................... 5-54
5.4.10 Testing the Safety Program ............................................ 5-56
5.4.11 Testing a Safety Program Offline with S7-PLCSim ......... 5-57
5.4.12 Changing Fail-Safe Constants in CFC Test Mode .......... 5-62
5.4.13 Displaying Information .................................................... 5-65
5.4.14 Saving Reference Data .................................................. 5-66
5.4.15 Comparing Safety Programs .......................................... 5-67
5.4.16 Logging the Safety Program ........................................... 5-76
5.4.17 Printing the Safety Program ............................................ 5-77

Operation and Maintenance ......................................................... 6-1
6.1 Operation and Maintenance of the F-Systems ....................... 6-1
6.2 Rules for Operation ................................................................. 6-1
6.3 Working with the Safety Program ........................................... 6-2
6.4 Changing the Safety Program ................................................. 6-3
6.5 Replacing Software and Hardware Components .................... 6-4
6.6 Uninstalling the S7 F/FH System ............................................ 6-5

Safety ............................................................................................ 7-1
7.1 Standards, Certificates and Approvals .................................... 7-1
7.2 Safety Requirements ............................................................... 7-4
7.3 System Configuration .............................................................. 7-7
7.4 Monitoring Times ..................................................................... 7-8
7.4.1 Configuring the Monitoring Times for F/FH Systems .......... 7-8
7.4.2 Calculation of the Minimum Monitoring Times .................. 7-10
7.5 Acceptance of an F-System .................................................. 7-14
7.5.1 Initial Acceptance of a Safety Program ............................. 7-15
7.5.2 Acceptance of Changes to the Safety Program ................ 7-20
7.5.3 Acceptance of F-Block Types ............................................ 7-22
7.5.4 Responsibilities and Qualifications .................................... 7-22

Fail-Safe Blocks ........................................................................... 8-1
8.1 Overview .................................................................................. 8-1
8.1.1 Fail-Safe Blocks .................................................................. 8-1
8.1.2 F-Data Types ....................................................................... 8-2
8.1.3 Block I/Os ............................................................................ 8-4
8.1.4 Block Numbers .................................................................... 8-6
8.1.5 Installation in Cyclic Interrupt OBs ...................................... 8-8
8.2 Driver Blocks for F-I/Os ........................................................... 8-9
8.2.1 F_CH_DI ............................................................................ 8-10
8.2.2 F_CH_DO .......................................................................... 8-13
8.2.3 F_CH_AI ............................................................................ 8-16
8.2.4 Common Features of the Driver Blocks ............................ 8-22
8.3 Blocks for F Communication Between CPUs ....................... 8-25
8.3.1 F_SENDBO ....................................................................... 8-27
8.3.2 F_RCVBO .......................................................................... 8-29
8.3.3 F_SENDR .......................................................................... 8-31
8.3.4 F_RCVR ............................................................................ 8-33
8.4 Blocks for Converting Data ................................................... 8-35
8.4.1 F_BO_FBO ........................................................................ 8-36
8.4.2 F_I_FI ................................................................................ 8-37
8.4.3 F_R_FR ............................................................................. 8-38
8.4.4 F_TI_FTI ............................................................................ 8-39
8.4.5 F_FBO_BO ........................................................................ 8-40
8.4.6 F_FI_I ................................................................................ 8-41
8.4.7 F_FR_R ............................................................................. 8-42
8.4.8 F_FR_FI ............................................................................ 8-43
8.4.9 F_FTI_TI ............................................................................ 8-44
8.4.10 F_QUITES ....................................................................... 8-45
8.5 F-System Blocks ................................................................... 8-47
8.5.1 F_S_BO ............................................................................. 8-48
8.5.2 F_R_BO ............................................................................ 8-49
8.5.3 F_S_R ............................................................................... 8-51
8.5.4 F_R_R ............................................................................... 8-52

8.5.5 F_START ........................................................................... 8-54
8.6 F Control Blocks .................................................................... 8-55
8.6.1 F_CYC_CO ........................................................................ 8-56
8.6.2 F_M_DI8 ............................................................................ 8-58
8.6.3 F_M_DI24 .......................................................................... 8-61
8.6.4 F_M_DO8 .......................................................................... 8-64
8.6.5 F_M_DO10 ........................................................................ 8-66
8.6.6 F_M_AI6 ............................................................................ 8-68
8.6.7 F_PLK ................................................................................ 8-70
8.6.8 F_PLK_O ........................................................................... 8-71
8.6.9 F_SHUTDN ....................................................................... 8-72
8.6.10 F_TEST ........................................................................... 8-77
8.6.11 F_TESTC ......................................................................... 8-78
8.6.12 F_TESTM ........................................................................ 8-79
8.6.13 DB_RES .......................................................................... 8-80
8.6.14 DB_INIT ........................................................................... 8-81
8.6.15 FAIL_MSG ....................................................................... 8-82
8.6.16 RTG_LOGIC .................................................................... 8-83
8.6.17 SFC F_CTRL ................................................................... 8-84
8.7 Logic Blocks with the BOOL Data Type ................................ 8-85
8.7.1 F_AND4 ............................................................................. 8-85
8.7.2 F_OR4 ............................................................................... 8-87
8.7.3 F_XOR2 ............................................................................. 8-88
8.7.4 F_NOT ............................................................................... 8-89
8.7.5 F_2OUT3 ........................................................................... 8-89
8.7.6 F_XOUTY .......................................................................... 8-91
8.8 Comparison Blocks for Two Input Values of the Same Type ... 8-92
8.8.1 F_LIM_HL .......................................................................... 8-92
8.8.2 F_LIM_LL .......................................................................... 8-94
8.8.3 F_2oo3_R .......................................................................... 8-96
8.8.4 F_1oo2_R .......................................................................... 8-98
8.9 Flip-Flop Blocks ................................................................... 8-100
8.9.1 F_RS_FF ......................................................................... 8-100
8.9.2
8.10
8.10.1
8.10.2
8.10.3
8.10.4
8.11
8.11.1
8.11.2
8.11.3
8.12
8.12.1
8.13
8.13.1
8.13.2
8.13.3
8.13.4
8.13.5
8.13.6
8.13.7
8.13.8
F_SR_FF.......................................................................................................8-102
IEC Pulse and Counter Blocks......................................................................8-103
F_CTUD ........................................................................................................8-103
F_TP..............................................................................................................8-105
F_TON...........................................................................................................8-107
F_TOF ...........................................................................................................8-109
Pulse Blocks..................................................................................................8-111
F_F_TRIG .....................................................................................................8-111
F_R_TRIG .....................................................................................................8-112
F_LIM_TI .......................................................................................................8-113
Arithmetic Blocks with the INT Data Type.....................................................8-114
F_LIM_I .........................................................................................................8-114
Arithmetic Blocks with the REAL Data Type .................................................8-115
F_ADD_R ......................................................................................................8-115
F_SUB_R ......................................................................................................8-116
F_MUL_R ......................................................................................................8-117
F_DIV_R........................................................................................................8-118
F_ABS_R ......................................................................................................8-119
F_MAX3_R....................................................................................................8-120
F_MID3_R .....................................................................................................8-121
F_MIN3_R .....................................................................................................8-122
Fail-Safe Systems
A5E00085588-03

Contents

8.13.9 F_LIM_R................................................................................................8-123
8.13.10 F_SQRT ................................................................................................8-124
8.13.11 F_AVEX_R ............................................................................................8-125
8.13.12 F_SMP_AV............................................................................................8-127
8.14 Multiplex Blocks ............................................................................................8-128
8.14.1 F_MUX2_R............................................................................................8-128
8.15 Error Handling ...............................................................................................8-129
8.15.1 Error Handling of Driver Blocks.....................................................8-130
8.15.2 Error Information at the Outputs of the Driver Blocks ...................8-132
8.15.3 Error Information in the Diagnostic Buffer....................................8-134
8.15.4 Error Information at the Output RETVAL ......................................8-140
8.16 Run Times .....................................................................................................8-141
8.16.1 Run Times of the Fail-Safe Blocks................................................8-141

A Check Lists ............................................................................................ A-1
A.1 Life Cycle of the Fail-Safe Programmable Controllers..................................... A-1
A.2 Check List of the Certified Modules ................................................................. A-5
A.3 Check List of the Certified F-Blocks................................................................. A-7
A.4 Check List of the Safety Parameters of the F-Drivers ................................... A-10

References ................................................................................................. B-1

Glossary ............................................................................................ Glossary-1

Index ...................................................................................................... Index-1

Product Overview

1.1 Overview

SIMATIC S7 F/FH Systems

The S7 F/FH Programmable Controllers (F-Systems) are used in systems with
increased safety requirements. The aim of the S7 F/FH System is to control
processes that can immediately be returned to a safe state. In other words, a
sudden shutdown of these processes poses no danger to either people or the
environment.

Safety Requirements
The S7 F/FH System fulfills the following safety requirements:

• Requirement classes AK1 to AK6 in accordance with DIN V 19250/DIN V VDE 0801

• SIL1 to SIL3 (Safety Integrity Level) in accordance with IEC 61508

• Categories 1 to 4 in accordance with EN 954-1

Principle Behind the Safety Functions


Fail-safe behavior is achieved by means of safety functions primarily in the
software. Safety functions are executed by the S7 F/FH programmable controller in
order to return the system to a safe state, or keep it in a safe state when a
hazardous event occurs.
The safety function for the process can be executed by means of a user safety
function or a fault reaction function. If the F-System can no longer execute its
actual user safety function in the event of a fault, it executes the fault reaction
function. For example, the associated outputs are switched off and the Safety
Program or parts of the Safety Program are disabled, if necessary.
For example: The F-System has to open a valve when there is excess pressure
(user safety function). In the event of a dangerous fault occurring in the CPU, all
the outputs are switched off (fault reaction function), thus opening the valve and
returning the other actuators to a safe state. If the F-System were intact, only the
valve would be opened.

The safety functions are primarily incorporated in the following components:

• In the safety-related user program on the central processing unit

• In the fail-safe input/output modules

Safety and Availability


To increase the availability of the automation system and consequently avoid
process downtimes as a result of failures in the F-System, fail-safe systems can be
optionally configured for high availability (fault tolerance). This increased
availability can be achieved by means of redundant components (power supply,
central processing unit and communication and I/O systems).
The fail-safe and fault-tolerant S7 F/FH Systems allow production to continue
without causing any harm to people or the environment.

Use in Process Engineering


The figure below shows integration options for the S7 F/FH Systems in process
automation systems with PCS 7.

[Figure: integration of S7 F/FH Systems in a PCS 7 process automation system. Operator Stations (OS) and the central engineering system (ES) are PCs on Standard Ethernet; the plant bus is Industrial Ethernet or PROFIBUS. Controllers: S7 F System, S7 FH System (S7-400H) and S7-400 Standard, each with ET 200M stations carrying F-SMs and/or standard SMs, plus an ET 200S station. Example applications shown: boiler protection, emergency stop, burner, coal mill.]


1.2 Basic Configuration Variants

This section describes the two basic configuration variants of F-Systems:

• Fail-safe S7 F System

• Fail-safe, fault-tolerant S7 FH System

S7 F System
The S7 F System is a fail-safe automation system consisting of at least the
following components:

• An F-capable CPU module such as CPU 417-4 H that can run a fail-safe (F) user program

• One or more fail-safe inputs/outputs (F-I/Os) in a distributed I/O device (redundancy optional)

The following figure shows the hardware and software components of an F System. You can expand the configuration with standard S7-400 and S7-300 modules.

[Figure: S7 F System components. Operator station (system visualization) and programming device connected to the S7 F System programmable controller; ET 200M distributed I/O device with fail-safe signal modules (optionally redundant); ET 200M distributed I/O device with standard modules (optionally redundant); ET 200S distributed I/O device with standard modules.]

S7 FH System
The S7 FH System is a fail-safe, fault-tolerant automation system consisting of at
least the following components:

• A fault-tolerant S7 400H system (master and standby) running a fail-safe (F) user program

• One or more fail-safe inputs/outputs (F-I/Os) in a distributed I/O device (redundancy optional)

The following figure shows an example of an S7 FH configuration with a redundant CPU and shared, switched distributed I/O modules connected via a redundant system bus.

[Figure: S7 FH System example. Operator station (system visualization) on a redundant system bus (PROFIBUS or Ethernet); S7 FH System programmable controller; redundant PROFIBUS-DP to an ET 200M distributed I/O device with fail-safe signal modules (optionally redundant) and an ET 200M distributed I/O device with standard modules (optionally redundant).]

Combination of Standard, Fault-Tolerant and Fail-Safe Components

Standard, fault-tolerant (H) and fail-safe (F) components and systems can be used
together as follows:

• Standard systems, H systems, F Systems and FH Systems can be used together in a single system.

• Standard modules and F-I/Os can be used together in a single automation system.

• A safety-related F user program can be run together with a non-safety-related standard user program in a fail-safe (F) or fail-safe, fault-tolerant (FH) system.

The fact that fail-safe (F), fault-tolerant (H) and standard components can be
combined has the following advantages:

• You can set up a fully integrated automation system in which you can make
use of the innovation of the standard CPUs and, at the same time, use fail-safe
components independently of standard components such as FMs or CPs. You
can configure and program the whole system using standard tools such as
HWCONFIG and CFC.

• The fact that you can combine standard and fail-safe program parts in a single
CPU reduces acceptance costs because only fail-safe program parts are
subject to acceptance procedures. Maintenance costs can also be reduced by
locating as many functions as possible in the standard section, which can be
modified during operation.

1.3 Components of an S7 F System
The figure below shows the hardware and software components required for the
configuration and operation of the S7 F.

[Figure: components of an S7 F System. S7 F programmable controller running the F user program (F run-time license); programming device with the optional package S7 F Systems, which provides the configuration tool, the F library and safety program editing; distributed I/O device (optionally redundant) with F-I/Os.]

Interaction of the Components

The S7 F System consists of hardware and software components that have to be
combined with one another in order to configure an S7 F System.

Wiring the F-I/Os
The F-I/Os must be wired with the sensors and actuators in such a way as to
ensure that the desired safety level can be achieved.

Configuring the Hardware
The configuration set using HWCONFIG must correspond to the hardware
configuration; in other words, the circuit diagram of the I/O system must be
reflected in the parameter settings. The F-capable CPU must be configured.

Creating the F User Program
You create the fail-safe user program in CFC using fail-safe blocks from the
"Failsafe Blocks" library. For the connection to the F-I/Os you use F Channel and
Module driver blocks, to which you have to assign parameters. Some of the
parameters are assigned automatically as a result of the hardware configuration of
the F-I/Os.
When the executable F user program is generated, safety tests are carried out
automatically and additional fault detection functions are incorporated.


Compatibility of Standard and Fail-Safe Components in a Programmable Logic Controller
If you use a safety protector in the ET 200M, then you can operate fail-safe signal
modules with the S7-300 standard signal modules in an ET 200M even in safety
mode in SIL 3.
The safety protector protects the fail-safe signal modules from possible overvoltage
in the event of a fault. To do this, the fail-safe signal modules must be inserted in
the ET 200M configuration to the right of the safety protector, and all the standard
signal modules must be inserted to the left of the safety protector.
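The placement rule above is easy to get wrong when a rack is rearranged, so it is worth checking mechanically before acceptance. The following is an added example written for this manual page, not Siemens code and not a reader of real HWCONFIG projects: a small Python model of an ET 200M slot row and a check that every standard signal module sits to the left of the safety protector and every fail-safe signal module to its right. The Slot type, the module kind names and the sample layouts are constructed for the example.

```python
"""Check an ET 200M rack layout against the safety-protector placement rule.

Added example for this section of the manual; it is not Siemens code and does
not read a real HWCONFIG project. It encodes only the rule stated in the text:
with a safety protector in the ET 200M, every fail-safe signal module must sit
to the right of the protector and every standard signal module to its left.
The Slot model, the module kind names and the sample layouts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Module kinds in the model (constructed names, not catalog designations).
SAFETY_PROTECTOR = "SAFETY_PROTECTOR"
STANDARD_SM = "STANDARD_SM"
FAILSAFE_SM = "FAILSAFE_SM"


@dataclass(frozen=True)
class Slot:
    number: int   # slot position; higher numbers are further to the right
    kind: str     # one of the three module kinds above
    name: str     # label used in messages, e.g. the module's order designation


def check_safety_protector_layout(slots: List[Slot]) -> List[str]:
    """Return the list of rule violations; an empty list means the layout passes."""
    ordered = sorted(slots, key=lambda s: s.number)
    protectors = [s for s in ordered if s.kind == SAFETY_PROTECTOR]
    failsafe = [s for s in ordered if s.kind == FAILSAFE_SM]
    standard = [s for s in ordered if s.kind == STANDARD_SM]
    violations: List[str] = []

    # Nothing to check unless fail-safe and standard modules share the station.
    if not failsafe or not standard:
        return violations
    if len(protectors) != 1:
        violations.append(
            f"mixed standard and fail-safe modules need exactly one safety "
            f"protector, found {len(protectors)}")
        return violations   # left/right is undefined without one reference slot

    ref = protectors[0].number
    for s in failsafe:
        if s.number < ref:
            violations.append(
                f"fail-safe module {s.name} (slot {s.number}) is left of the "
                f"safety protector (slot {ref})")
    for s in standard:
        if s.number > ref:
            violations.append(
                f"standard module {s.name} (slot {s.number}) is right of the "
                f"safety protector (slot {ref})")
    return violations


def sample_layouts() -> Dict[str, List[Slot]]:
    """Constructed layouts: one that follows the rule and two that break it."""
    good = [
        Slot(4, STANDARD_SM, "standard DI"),
        Slot(5, STANDARD_SM, "standard DO"),
        Slot(6, SAFETY_PROTECTOR, "safety protector"),
        Slot(7, FAILSAFE_SM, "SM 326 DI 24"),
        Slot(8, FAILSAFE_SM, "SM 326 DO 10"),
    ]
    bad = [
        Slot(4, FAILSAFE_SM, "SM 326 DI 24"),     # F-SM left of the protector
        Slot(5, SAFETY_PROTECTOR, "safety protector"),
        Slot(6, FAILSAFE_SM, "SM 326 DO 10"),
        Slot(7, STANDARD_SM, "standard DO"),      # standard SM right of it
    ]
    missing = [
        Slot(4, STANDARD_SM, "standard DI"),
        Slot(5, FAILSAFE_SM, "SM 326 DI 24"),     # mixed, but no protector
    ]
    return {"good": good, "bad": bad, "missing_protector": missing}


if __name__ == "__main__":
    for label, layout in sample_layouts().items():
        print(label, check_safety_protector_layout(layout) or "OK")
```

The check deliberately stays silent for a station that carries only one kind of module, because the text only states the rule for the mixed case; a station with both kinds and no protector, or with more than one, is reported as a violation rather than guessed at.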

1.4 Hardware Components

An F System consists of hardware components that fulfill certain safety
requirements, such as:

• A CPU such as the CPU 417-4H with an F-Copy License

• F-I/Os

You can also expand the F System with standard components.

F-Capable CPUs
For S7 F/FH Systems, the CPU (e.g. the CPU 417-4 H as of V2.0) with an F-Copy
License is used either individually or as a fault-tolerant master/standby system.
The F-Copy License permits you to use the CPU as an F-CPU (i.e. to run a fail-safe user program on it).
An F-capable CPU is a CPU that is approved for use in the S7 F/FH. It only
becomes an F-CPU if there is an F user program running on it. Otherwise, a
standard S7 program runs on the CPU. A combination of standard and F user
programs is possible because the safety-related data of the F user program is
protected from the influence of non-safety-related data. The CPU must be
configured as an F-CPU in this case as well.
Safety-relevant sections of the user program must be password-protected on the
CPU and in the ES/programming device against unauthorized access. In addition,
comprehensive self-tests run on the CPU. These ensure a high rate of fault
detection.

F-I/Os
The following F-I/Os are available:

For ET 200M:

• SM 326; DI 24 x 24 V DC; with Diagnostic Interrupt

• SM 326; DI 8 x NAMUR; with Diagnostic Interrupt

• SM 326; DO 10 x 24 V DC/2A, with Diagnostic Interrupt

• SM 336; AI 6 x 13Bit, with Diagnostic Interrupt


ET 200M F-I/Os can be used in a single-channel or redundant configuration.

Please refer to the manual: Automation System S7-300 Fail-Safe Signal Modules

For ET 200S:

• PM-E F 24 VDC PROFIsafe Power Module

• 4/8 F-DI 24 VDC PROFIsafe Digital Electronic Module

• 4 F-DO 24 VDC/2 A PROFIsafe Digital Electronic Module

• PM-D F PROFIsafe Power Module

Please refer to the manual: ET 200S Distributed I/O System, Fail-Safe Modules

Standard Components
The restrictions for fault-tolerant systems apply to the use of standard components.
You will find the restrictions for standard components in safety mode of fail-safe
signal modules in the safety information in Chapter 3 of the "S7-300 Programmable
Controller, Fail-Safe Signal Modules".

Additional Information
You can find detailed descriptions of the hardware components for the S7 F/FH
Systems in the following manuals:

• S7-400, M7-400 Programmable Controllers, Installation and Module Data

• S7-400H Programmable Controller, Fault-Tolerant Systems

• S7-300 Programmable Controller, Fail-Safe Signal Modules

• ET 200S Distributed I/O System, Fail-Safe Modules


1.5 Software Components
The S7 F Systems have the following software components:

• S7 F Systems (Programming)

• S7 F Configuration Pack (Configuration of the F-I/Os)

• The fail-safe user program (F user program) on the CPU

The S7 F Systems Optional Package

The S7 F Systems optional package is available for the configuration and
programming of the S7 F System. This gives you:

• Support for the configuration of the F-I/Os with HWCONFIG.

• The "Failsafe Blocks" library for the programming of fail-safe user programs.

• Support for the processing of the F user program and for the integration of fault
detection functions in the F user program.

Fail-Safe User Program

A fail-safe user program is referred to below simply as a Safety Program.
You create Safety Programs with CFC using the fail-safe blocks contained in a
library shipped with the S7 F Systems optional package. The fail-safe blocks
contain fault detection and fault reaction functions, as well as functions for
programming safety functions. In other words, they ensure that failures and faults
are detected and that an appropriate reaction is initiated that will keep the F-System in a safe state or return it to a safe state.
The user program on the CPU can be made up of safety-related sections (Safety
Program) and not safety-related sections (Standard Program). The Safety Program
is written in separate CFC charts. A combination of F and standard blocks in one
chart is not permissible and is detected during compilation. Data transfers between
the standard and the Safety Program are carried out via conversion blocks.
During compilation, certain fault detection and fault reaction functions are
automatically added to the Safety Program. The S7 F Systems optional package
also provides functions for comparing Safety Programs and supporting the
acceptance of Safety Programs.

Additional Information
You can find detailed information in the following sections:

• Configuration

• Programming

• Fail-Safe Blocks

and in the context-sensitive help information.


1.6 Installing the S7 F Systems Optional Package


Before using an existing project with S7 F Systems V5.2, please read this entire
section. It provides:

• Getting started information applicable to all three use-case scenarios described below.

• The three use-case scenarios themselves; please select the one that best suits your needs:

1. Compiling/editing current projects based on Failsafe Blocks (V1_1)
   a. Upgrading a PC/Programming Device/Workstation containing the S7 F Systems V5.1 Optional Package
   b. Installing the S7 F Systems V5.2 Optional Package on a new PC/Programming Device/Workstation
2. Upgrading current projects based on Failsafe Blocks (V1_1) to Failsafe Blocks (V1_2)
3. Modifying or creating projects based on Failsafe Blocks (V1_2)

1.6.1 Getting Started Information Applicable to All Use-Case Scenarios

Installing the Optional Package

1. Start the PC/Programming Device/Workstation that has the STEP 7 basic
software package installed. Make sure that there are no open STEP 7
applications.
2. Insert the optional package product CD.
3. Run the SETUP.EXE program on the CD.
4. Follow the setup program instructions.

Reading the Readme File


The readme file (S7 F Systems Readme) contains important, up-to-date
information about the software. You can display this file on completion of the setup
program, or open it later using the Start > Simatic > Product Notes > English
menu command. It is located in the S7ftl directory of STEP 7.

Starting the Optional Package


The optional package does not contain any applications that have to be started
explicitly. Support for configuration and programming of the F-Systems is
integrated in SIMATIC Manager, HWCONFIG and CFC.


Displaying the Integrated Help System

Context-sensitive help information is available for the optional package dialog
boxes. Help can be displayed at any time during configuration or programming by
pressing F1, or clicking the Help button. You can obtain more help information by
choosing Help > Contents > Calling Help on Optional Packages > S7-400F/FH Working with F Systems.

Authorization
Authorization is required for the S7 F Systems optional package. Authorization can
be installed in the same way as STEP 7 and the optional packages. You can find
information on how to install and work with the authorization component in the
readme file and in the main STEP 7 help system.

Note
The SIMATIC S7 F Systems V5.0 license also supports V5.2.

F-Copy License
An F-Copy License permits you to use the CPU as an F-CPU (e.g. to run a Safety
Program on it).

1.6.2 Use-Case Scenarios

Scenario 1: Compiling/Editing Current Projects Based on Failsafe Blocks (V1_1)

1.a. Upgrading From S7 F Systems V5.1 to S7 F Systems V5.2 to Support Failsafe Blocks (V1_1) Projects

Use this scenario if you have:
An existing PC/Programming Device/Workstation with the S7 F Systems V5.1 Optional
Package installed, and you wish to use existing projects based on Failsafe Blocks
(V1_1).


Software Requirements
The following software packages must be installed on the PC/programming device
in order to use, modify, or create projects based on the Failsafe Blocks (V1_1) library
with S7 F Systems V5.2:

• S7 F Systems V5.2

• STEP 7 V5.1.3 or higher

• CFC V5.2.4

• S7 H Systems Optional Package V5.1 or higher (required for S7 FH Systems)

Procedure
If S7 F Systems V5.1 is already installed, the projects based on Failsafe Blocks
(V1_1) library are supported without any additional procedures.

1.b. Installing S7 F Systems V5.2 on a New PC to Support Failsafe Blocks (V1_1) Projects

Use this scenario if you have:
Purchased a new PC/Programming Device/Workstation, and you wish to use
projects based on the Failsafe Blocks (V1_1) library.

Software Requirements
The following software packages must be installed on the PC/programming device
in order to use, modify, or create projects based on the Failsafe Blocks (V1_1) library
with S7 F Systems V5.2:

• S7 F Systems V5.2

• STEP 7 V5.1.3 or higher

• CFC V5.2.4

• S7 H Systems Optional Package V5.1 or higher (required for S7 FH Systems)

Procedure
1. If S7 F Systems V5.2 is installed, uninstall it.
2. Install S7 F Systems V5.1.
3. Install S7 F Systems V5.2.
4. If you had PCS7 Driver Blocks or PCS7 Library installed, you must also install
these.


Scenario 2: Upgrading Failsafe Blocks (V1_1) Projects to Failsafe Blocks (V1_2)

Use this scenario if you wish to:
Upgrade current projects based on Failsafe Blocks (V1_1) to the new Failsafe
Blocks (V1_2) library contained in S7 F Systems V5.2. You must have the
minimum software requirements to allow this.

Software/Firmware Requirements
The following software packages must be installed on the PC/Programming
Device/Workstation in order to upgrade projects based on the Failsafe Blocks (V1_1)
library to Failsafe Blocks (V1_2):

• S7 F Systems V5.2

• STEP 7 V5.2 or higher

• S7 H Systems Optional Package V5.1 or higher (required for S7 FH Systems)

• CFC V5.2.4

• CPU S7-417F/FH V3.1 or higher

ET 200S fail-safe module drivers are available, but this requires CFC V6.0.


Procedure: Updating a Failsafe Blocks (V1_1) Project to Failsafe Blocks (V1_2)

1. Ensure the above software requirements are met.
2. Ensure Failsafe Blocks (V1_2) is available within the Manage dialog box in
SIMATIC Manager.
   a. Within SIMATIC Manager open the Manage dialog box by choosing File > Manage.
   b. Verify Failsafe Blocks (V1_2) is in the list. If it is, then go to step 3.
   c. Open the library within SIMATIC Manager by choosing File > Open and
      press the Browse button.
   d. Open the folder \SIEMENS\STEP7\S7LIBS, select Failsafe Blocks (V1_2)
      and press OK. This will open the Failsafe Blocks (V1_2) library.
   e. Close the library.
   f. Go back to step 2.a.
3. Choose the Options > Edit Safety Program menu command.
4. Press the Library Version... button.
5. Select the library to which you wish to upgrade, and press the OK button.
6. Open a CFC chart from the program.
7. Choose the Options > Block Types menu command.
8. Select all blocks in the Charts Folder pane.

9. Press the New Version... button to import.
10. Recompile the program.

Important Note
You must import the new block types after upgrading the library to ensure all blocks
are up to date. Failure to import new block types may result in a failed compile.

Important Note
Unplaced F-Blocks from the block container are automatically deleted when the
safety program is compiled.

Important Note
Run-time groups containing F-Blocks in task OB1 must be moved to OB3x
because OB1 is no longer supported.


Scenario 3: Modifying or Creating Projects Based on Failsafe Blocks (V1_2)

Use this scenario if you wish to:
Modify or create projects based on the Failsafe Blocks (V1_2) library contained in S7 F
Systems V5.2. You must have the minimum software requirements to allow this.

Software/Firmware Requirements
The following software packages must be installed on the PC/Programming
Device/Workstation in order to modify or create projects based on the Failsafe Blocks
(V1_2) library:

• S7 F Systems V5.2

• STEP 7 V5.2 or higher

• S7 H Systems Optional Package V5.1 or higher (required for S7 FH Systems)

• CFC V5.2.4

• CPU S7-417F/FH V3.1 or higher

ET 200S fail-safe module drivers are available, but this requires CFC V6.0.

Procedure
There are no additional procedures beyond this.

1.7 Working with F-Systems

This section describes the basic procedure for working with fail-safe systems. Only
those steps that are relevant to F-Systems and differ from the standard procedure
are included.

Planning the System


Process-dependent planning tasks such as defining a piping and instrumentation
diagram, creating a flowchart, creating a measuring point list, defining a structure,
etc. are not described here. When you plan the system, specify the required safety
functions with the corresponding Safety Integrity Levels (SILs). From these, derive
the demands on the components in order to implement the safety functions (PLCs,
sensors, actuators). These decisions affect other tasks such as hardware
installation, configuration, and programming.

Safety Note: Keep Safety and Standard Functions Separate

It is important to separate standard (i.e. not safety-related) and safety (i.e. safety-related) functions rigorously during planning.


Basic Procedure

[Figure: basic procedure for working with F-Systems, reproduced as a list.]

1. Configure S7 F/FH hardware
   • Set addresses on the F-I/Os via DIP switches
   • Wire modules according to the required circuit diagram

2. Configure system
   • Parameterize CPU for safety program
   • Parameterize F-I/Os according to safety class and circuit diagram

3. Create Safety Program
   • Place, interconnect, and parameterize F function blocks
   • Generate executable code and load to the CPU of the S7 F/FH

4. Commission the system
   • Have safety-related sections accepted by an expert before safety mode is operational

5. Maintain system
   • Replace hardware components
   • Change Safety Program
   • Update operating system


Compiling as a Program
To compile the Safety Program, proceed as follows:
1. Carry out a consistency check by choosing the Chart > Check Consistency
> Charts as Program menu command. (This step is optional.)
2. Choose the Chart > Compile > Charts as Program menu command.
3. Select one of the following options in the "Compile Charts as Program" dialog
box:

   • Entire Program, if the whole program is to be compiled.

   • Changes, if only the changes are to be compiled.

4. If the F module drivers are not yet placed, select the "Generate Module
Drivers" check box in the "Compile Charts as Program" dialog box. This
automatically inserts and interconnects the required F module drivers in
separate charts @Fx.

Result: The Safety Program is compiled and can be downloaded to the CPU.
Safety functions are added to the charts of the Safety Program automatically. The
automatically added elements, such as additional blocks and interconnections, are
partially visible in the CFC charts, but must on no account be changed or deleted.
Graphically moving blocks within the same chart is permissible.


Getting Started

2.1 Introduction
This introduction uses concrete examples to walk you through the steps required to
create a working application, which will enable you to discover how a fail-safe
automation system works, and how it behaves in the event of a fault/error.
The following two systems will be used as examples to lead you through the initial
commissioning phase to an actual working application.

• A fail-safe S7 F system, and

• A fail-safe, fault-tolerant S7 FH system

Terminology
The following table describes terminology used in the example projects.

F_SHUTDN
    A standard function block used to manage the shutdown and restart of the
    Safety Program. Please see chapter 8 for more information on the F_SHUTDN
    function block.

F-run-time group
    This is a run-time group that has F-Blocks within it. The STEP 7 definition of
    run-time groups: (Run-time groups are used to structure tasks. The blocks are
    installed sequentially in the run-time groups. Run-time groups can be activated
    and deactivated separately. If a run-time group is deactivated, the blocks it
    contains will no longer be activated.)

Safety Program
    This is the collection of all F-run-time groups within the project.

Force Full Shutdown
    The user may force the manual shutdown of the entire Safety Program through
    the RQ_FULL input of the F_SHUTDN function block.

Full Shutdown
    The shutdown logic responds to an internal diagnostic that has detected a
    failure by disabling the entire Safety Program (please note that the CPU will
    remain running). This is configured on the F_SHUTDN SHUTDOWN input.

Partial Shutdown
    The shutdown logic responds to an internal diagnostic that has detected a
    failure by disabling only the F-run-time group that encountered the failure
    (please note that the CPU will remain running). This is configured on the
    F_SHUTDN SHUTDOWN input.

Restart
    The shutdown logic's F_SHUTDN RESTART input allows you to restart a Safety
    Program that has been shut down. Reintegration of I/O may be necessary after
    this action.

Shutdown
    The shutdown logic responds to an internal diagnostic that has detected a
    failure by disabling either the entire Safety Program (Full Shutdown) or the
    isolated F-run-time group (Partial Shutdown). The response depends on how
    you configured the shutdown logic: either Partial Shutdown or Full Shutdown.

S7 F Systems V5.2 Shutdown Logic
S7 F Systems V5.2 is packaged with an enhancement that allows you to manage
shutdown and restart of the Safety Program. When an F-run-time group is created
by the user and the project is compiled, the shutdown logic is automatically placed
by the CFC Editor. The CFC Editor creates charts to contain this logic:
@F_ShutDn and @F_DbInit1. Please note that the @ prefix is used by the CFC editor
to denote automatically created charts and is a reserved name. Other charts that
are automatically placed provide information to the shutdown logic; these
include @F_Init1, @F_CycCo-OB35, and @F_TestMode.
At the center of the shutdown logic is the F_SHUTDN function block in the
@F_ShutDn chart. The F_SHUTDN block provides you with the following actions:

- You can force a manual shutdown of the entire Safety Program, or you can
  restart a Safety Program that has been shut down.
- You can use the SHUTDOWN input to set either Full Shutdown or Partial
  Shutdown.
- You can use the FAILURE input of the F_SHUTDN function block to signal that a
  failure has occurred, and observe the FULL_SD output if a failure is detected
  while SHUTDOWN = Full Shutdown.

The F_SHUTDN block also has an input F_PRG_SI to provide you with the overall
Safety Program Signature, and an output SAFE_M to provide you with the current
safety mode status of the Safety Program.
The F_SHUTDN function block also reports error events to the Diagnostic Buffer.
The events reported are Restart, Full Shutdown, and Partial Shutdown. Similarly,
alarm messages are reported to WinCC under these three conditions.

Basic Procedure
Carry out the following tasks step by step:

- Set up the hardware (F-I/O and CPU).
- Configure the F-system.
- Create a fail-safe program using CFC charts.
- Commission the F-system, and check if the fail-safe program is operational.

You will then be able to configure a fault-tolerant F-system.

Sample Projects Provided

Note
The sample projects require Step 7 V5.2 and the S7 H Systems Optional Package
Version 5.1.

You can find two sample projects in step7\Examples:

- ZEN32 01_FSystem_Fproj for an F System
- ZEN32 02_FHSystem_FHProj for a fault-tolerant FH System

You can use the examples to check the results of similar project sessions
described below.

Passwords
The passwords for the projects provided are:

CPU password: anna

Safety Program password: otto

2.2 S7 F System - Getting Started

2.2.1 S7 F System, Setting up the Hardware
The following figure shows you an example of a hardware configuration.

[Figure: S7 F programmable controller connected via PROFIBUS DP cable to a
single-channel, one-sided ET 200M distributed I/O with a safety protector module
and fail-safe signal modules]

For this example, you need the following hardware components:

- A programmable logic controller consisting of:
  - 1 mounting rack (UR2-H)
  - 1 power supply (PS 407 10A)
  - 1 CPU 417-4H
- An ET 200M distributed I/O device with an active backplane bus consisting of:
  - 1 power supply (PS307 5A)
  - 1 IM 153-2 Bus Interface Module
  - 1 Safety Protector Module
  - 1 fail-safe digital input module (SM 326F DI 24xDC24V)
  - 1 fail-safe digital output module (SM 326F DO10xDC24V/2A)
- Other accessories
  - PROFIBUS cables and connectors

Set the DIL switches for the individual components as follows:

- IM153-2: PROFIBUS address 3
- SM 326F DI 24: Module address 8 (only found on the reverse side; only in steps of 8)
- SM 326F DO10: Module address 24 (only found on the reverse side; only in steps of 8)

Connect actuators, or alternatively terminating resistors, to the output module (e.g.
between 12 and 3.4 kΩ with 1 watt), or disable group diagnosis for unused
channels in the hardware configuration.

Interface restrictions between S7-400 CPU and ET 200M I/O
The ET 200M components which can be used in safety mode depend on the safety
class and the use of a safety protector in the ET 200M configuration:

- If you comply with the requirements of safety class SIL 2 or use a safety
  protector in SIL 3 in ET 200M, you can use all the available IM 153-2 interface
  modules and you can set up the PROFIBUS-DP with the copper cable (as in
  standard mode).
- If you don't use a safety protector in SIL 3 in ET 200M, you must connect the
  PROFIBUS-DP lines between the S7 F System and the S7-400H programmable
  controllers with fiber-optic cables, as described in the S7 F/FH Programmable
  Controllers manual.

Additional Information
You can find detailed descriptions of the hardware components in the following
manuals:

- S7-400, M7-400 Programmable Controllers, Installation and Module
  Specifications
- S7-400H Programmable Controller, Fault-Tolerant Systems
- S7-300 Programmable Controller, Fail-Safe Signal Modules
- ET 200S Distributed I/O System, Fail-Safe Modules

2.2.2 Configuring the S7 F System
The following steps show you how to create a new project and configure the
hardware setup described above.

Procedure
1. Open SIMATIC Manager, and create a new project called "FProject" using the
File > New menu command.
2. Insert a new S7-400 station: Insert > Station > SIMATIC 400 Station.
3. Open the hardware configuration (HWCONFIG) of the SIMATIC 400(1) station
created (you can change the name) by double-clicking the hardware object (or
right-click the Open Object pop-up menu command).

4. Insert the individual hardware components of the SIMATIC 400 from the
"Hardware Catalog" window (you can open the catalog with View > Catalog)
by dragging and dropping them to the station window.
5. First place the UR2 mounting rack from the RACK 400 catalog.
6. Insert the standard power supply (PS 407 10 A) in slot 1 of the mounting rack.
7. Place the CPU 417-4H V3.1 in slot 3: Create a subnet (which will subsequently
be connected to the ET 200M) in the "Properties - PROFIBUS Interface DP
Master" dialog box by clicking New.

8. Select the CPU, and choose the Edit > Object Properties menu command (or
double-click the CPU): The "Properties - CPU 417-4H" dialog box appears:
Enter a password for the CPU on the "Protection" tab, and select the
"CPU Contains Safety Program" check box.
9. From the PROFIBUS-DP catalog, insert the IM 153-2 directly in the
"PROFIBUS(1): DP Master System (1)" in the station window: Enter the
address 3 on the "Parameters" tab in the "Properties - Profibus Interface ET
200M IM153-2" dialog box.
10. Insert the input module SM 326F DI24xDC24V from the DI-300 catalog of the
IM 153-2 in slot 4 of the ET 200M (you can see a detailed view in the lower
part of the station window).
11. Select the module. Right-click to choose Edit Symbols from the pop-up menu
and enter symbolic names for all the channels: You will need the symbolic
names for the channels to create the user program.
12. Double-click to open the properties dialog box, and select "Enable Diagnostic
Interrupt" and "Safety Mode" with "1oo1 Evaluation" on the "Inputs" tab.
13. Insert the output module SM 326F DO10xDC24V/2A from the DO-300 catalog
of the IM 153-2 in slot 5 of the ET 200M.
14. Assign symbolic names to all the channels (e.g. by using "Add to Symbol").
15. Open the properties dialog box, select "Safety Mode in Accordance with SIL2 /
AK4" on the "Outputs" tab.
This completes hardware configuration.
16. Save the current configuration by choosing the Station > Save and Compile
menu command: The system blocks are generated and stored in the program
container.
17. Download the hardware configuration to the CPU by means of the PLC >
Download to Module menu command.

2.2.3 S7 F System, Creating a Fail-Safe User Program

In the following steps you create a fail-safe CFC user program that interconnects
the fail-safe inputs with the fail-safe outputs.
The Safety Program consists of several charts:

- At least one chart for user logic program interconnection (F-Blocks)
- System charts automatically created for diagnostics:
  - Charts for the Safety Critical Diagnostic blocks
  - Charts for the Safety Program Shutdown and Restart Logic

Creating CFC Charts
1. Open SIMATIC Manager, and open the 400 Station in your project.
2. Expand S7 Program to display Source, Blocks and Charts. If the Charts folder
does not exist, create one by right-clicking on S7 Program and selecting
Insert New Object > Chart Folder.
3. Right-click on the Charts folder.
4. Insert a new chart and call it "F Blocks".

Creating the Run Sequence
The F function blocks must be inserted in run-time groups. No function blocks have
been placed yet; however, you can set up a run-time group to be the default
destination for new F-Blocks.
1. Within your project in SIMATIC Manager, click on the Charts folder.
2. Open the F-Blocks chart by double-clicking on it.
3. Open the Run Sequence either by pressing Control-F11 or by selecting Edit > Run
Sequence within the CFC Editor.
4. Select the OB3x that you wish to contain the F-Blocks (OB35 is the most
common) by clicking on the OB3x, in this example OB35.
5. If the run-time group has not already been added, insert a run-time group by
right-clicking on the OB35 and selecting "Insert Run-Time Group". The
Insert Run-Time Group dialog box will appear.
6. Enter the name of the run-time group, in this case "F Blocks". Enter a
comment if you desire. Do not change the Scan Rate or Phase Offset. Press
OK.
7. Select the run-time group and right-click.
8. Select Predecessor for Installation from the pop-up menu or press F11. By
selecting this option, all newly created F-Blocks will automatically be placed
into this F-run-time group.

Inserting F-Blocks
1. Close the Run Sequence either by closing the window within the CFC editor or by
pressing Control-F11.
2. Insert user logic such as F_ADD_R, F_LIM_R etc. Refer to the section "Inserting
and Interconnecting Fail-Safe Blocks" for details.

Note 1
The fail-safe blocks of the Failsafe Blocks library are yellow to differentiate them
from standard blocks.

Note 2
Previously a chart containing the F_CYC_CO needed to be added manually by the user.
This is no longer necessary or allowed. The placement of the F_CYC_CO blocks
is now a system function.

3. Insert two F_CH_DI F channel drivers to read in the fail-safe input module,
channels 0 and 1 (input value is at the Q output of the F_CH_DI FB).
4. Interconnect the VALUE input with the symbolic names for channel 0 (e.g.
E24.0) and channel 1 (e.g. E24.1) using the right mouse button and
Interconnection to Address.
5. Assign a value of 1 to the ACK_NEC input: in the event of an error, user
acknowledgment (at ACK_REI) is required for reintegration.
6. Place two F_CH_DO F channel drivers (values are at the I input) to write to the
fail-safe output module.
7. Interconnect the VALUE output with the symbolic name for channel 0 (e.g.
A.8.0) and channel 1 (e.g. A.8.1).
8. Assign the value 1 to the ACK_NEC input.
9. Connect the Q outputs of the two F_CH_DI with the I inputs of the
corresponding F_CH_DOs.
10. Insert the F_QUITES block (fail-safe acknowledgment) from the library and
connect the OUT output to the ACK_REI inputs of the two F_CH_DI and the
two F_CH_DOs.

11. Check again in the run-time group overview whether all the F-blocks are in the
F-blocks run-time groups as required.

Compilation of the Blocks
Choose the Chart > Compile > Charts as Program menu command to compile
your program. Activate the Generate Module Drivers option.
You will be prompted to enter a password for the safety program (see above under
Passwords). This password will be requested on future compiles.
You will be prompted for the MAX_CYC time for every OB3x with a fail-safe program.
After the charts have been compiled, the following control blocks are integrated
automatically by the "S7 F Systems" option package:

- In the F-CycCo-Obxx chart: F_CYC_CO, F_TEST, and F_TESTC (for tests)
- In chart @F_TestMode: the F_TESTM for Test Mode management
- In chart @F_RtgDiagxx: the F_PLK and F_PLK_O (for program execution
  monitoring)
- In a separate chart @F1: F_M_DI24 and F_M_DO10 (F module drivers)
- In a separate chart @F_ShutDn, the shutdown logic is created containing the
  F_SHUTDN, RTG LOGIC, and standard logic blocks.
- A separate chart @F_DbInit contains the DB_INIT function blocks required
  for performing an F-run-time group cold start.

All the required error OBs have also been inserted in the block container in
SIMATIC Manager.

Note
The CFC charts with fail-safe blocks are yellow and marked with an "F" to
distinguish them from standard charts.

Downloading the Program to the CPU
Download the CFC charts to the CPU by means of the PLC > Download to
Module menu command.

2.2.4 Starting Up the S7 F System
Start the programmable controller by switching the mode selector to RUN-P and
carrying out a warm restart on the CPU (PLC > Operating Mode).
If you apply voltage to inputs 1 or 2, the corresponding output is set. Get the
voltage from the Vs terminal (Sensor Supply).

2.2.5 S7 F System, Monitoring Errors

Removing the Front Connector
1. Remove the front connector of the SM 326F DI24xDC24V.
You have triggered an error at the SM 326F DI24xDC24V. The SF LED comes
on and the SAFE LED goes out. The EXTF LED of the CPU comes on, but the
CPU remains in RUN.
2. Go into the diagnostic buffer of the CPU (PLC > Module Information >
Diagnostic Buffer). The signal module with the address 8 is reported as
defective, but because OB82 is present, the diagnostic interrupt does not result
in CPU stop.
3. You can read out detailed information on defective modules by choosing PLC
> Hardware Diagnostics. Double-click DI 24 in the open ONLINE hardware
configuration, and look at the diagnostic buffer in the module state.
4. Go to the "F blocks" CFC chart, and switch to test mode. The QBAD outputs of
the F_CH_DI F channel driver blocks are set to TRUE: there is an error.
QUALITY=16#48 indicates that substitute values are present at the Q output.
5. Now insert the front connector in the SM 326F DI24xDC24V again. After a
reintegration time of approx. 1 minute, the SAFE LED comes on again and the
SF LED goes out. The EXTF LED on the CPU goes out.
The module is reported as OK in the diagnostic buffer of the CPU.
In test mode you can still see that the driver block is reporting an error: If, for
example, you apply voltage at terminal 5 for input 8.0, the Q output of the
driver block remains at 0. The SM 326F DI24xDC24V must therefore be
reintegrated first: The ACK_REQ=1 output requests an acknowledgment at the
fail-safe ACK_REI input.
6. In our case, you can output a signal of 1 for one cycle via the F_QUITES F FB,
whose input can be connected to a non-fail-safe engineering system (ES).
Double-click the IN input, and enter the value 6; then double-click (within a
minute) IN again, and enter 9 - you can also use the Apply button - (see
Chapter 8, Fail-Safe Function Blocks F_QUITES). The driver block now no
longer reports an error, and the Q output changes from 0 to 1.

Additional Errors
Trigger the following two errors, and display the diagnostic buffer of the CPU:

- Interruption in the PROFIBUS connection
- Remove and insert the SM 326F DI24xDC24V

Then reintegrate the signal module again.
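The acknowledgment and reintegration sequence of this walkthrough, as an added Python model that is not part of the manual and not Siemens' blocks: an F_QUITES-like two-step acknowledgment (6, then 9 within a minute, OUT = 1 for one cycle) reintegrating a passivated F_CH_DI-like channel driver whose ACK_NEC is 1. The class names, the "good" QUALITY code and the rules for an expired or broken sequence are assumptions; the timings in the replay are constructed.

```python
"""Constructed model of fail-safe acknowledgment and channel reintegration.

Not Siemens' implementation: the class names, the QUALITY_GOOD code and the
rules for an expired or broken sequence are assumptions; the 6 -> 9 sequence,
the one-minute window, QUALITY=16#48 for substitute values and the ACK_NEC /
ACK_REQ / ACK_REI handshake follow the walkthrough above.
"""
from dataclasses import dataclass
from typing import List, Optional

ACK_FIRST, ACK_SECOND = 6, 9   # two-step acknowledgment sequence (walkthrough)
ACK_WINDOW_S = 60.0            # the second value must follow "within a minute"
QUALITY_SUBSTITUTE = 0x48      # QUALITY=16#48: substitute values at Q (walkthrough)
QUALITY_GOOD = 0x80            # assumed "good" quality code


@dataclass
class FQuitesModel:
    """F_QUITES-like block: IN is written from a non-fail-safe ES."""
    _last_in: int = 0
    _armed_at: Optional[float] = None   # time at which the first value (6) was entered

    def cycle(self, in_value: int, now: float) -> bool:
        """Run one cycle; returns OUT, which is True for exactly one cycle."""
        changed = in_value != self._last_in
        self._last_in = in_value
        if self._armed_at is not None and now - self._armed_at > ACK_WINDOW_S:
            self._armed_at = None            # window expired (model assumption)
        if not changed:
            return False                     # a value held over cycles is not a new entry
        if in_value == ACK_FIRST:
            self._armed_at = now             # first step: open the window
            return False
        if in_value == ACK_SECOND and self._armed_at is not None:
            self._armed_at = None            # second step in time: one-cycle pulse
            return True
        self._armed_at = None                # any other value breaks the sequence (assumption)
        return False


@dataclass(frozen=True)
class ChannelOutputs:
    q: bool          # process value, or substitute value 0 while passivated
    qbad: bool       # True while the channel is passivated
    quality: int
    ack_req: bool    # True when user acknowledgment at ACK_REI is awaited


@dataclass
class FChDiModel:
    """F_CH_DI-like channel driver; ACK_NEC = 1 means user acknowledgment is needed."""
    ack_nec: bool = True
    _passivated: bool = False
    _last_ack_rei: bool = False

    def cycle(self, value: bool, module_fault: bool, ack_rei: bool) -> ChannelOutputs:
        """One cycle: VALUE from the module, fault state from the module driver, ACK_REI."""
        ack_edge = ack_rei and not self._last_ack_rei   # ACK_REI acts on its rising edge
        self._last_ack_rei = ack_rei
        if module_fault:
            self._passivated = True                       # fault: substitute value 0 (safe state)
        elif self._passivated and (not self.ack_nec or ack_edge):
            self._passivated = False                      # fault gone and acknowledged: reintegrate
        if self._passivated:
            # ACK_REQ is raised only once the module itself is healthy again
            return ChannelOutputs(False, True, QUALITY_SUBSTITUTE,
                                  ack_req=self.ack_nec and not module_fault)
        return ChannelOutputs(value, False, QUALITY_GOOD, False)


def run_walkthrough() -> List[ChannelOutputs]:
    """Replay section 2.2.5 with constructed timings; returns the driver outputs per cycle."""
    ack, ch = FQuitesModel(), FChDiModel(ack_nec=True)
    steps = [
        # (IN of F_QUITES, time in s, module fault present)
        (0, 0.0, False),     # healthy module, terminal energised: Q follows VALUE
        (0, 1.0, True),      # front connector removed: module fault, Q = 0, QBAD = 1
        (0, 70.0, False),    # connector back, module reintegrated; driver still passivated
        (6, 75.0, False),    # operator enters 6
        (9, 140.0, False),   # 9 entered 65 s later: window expired, still passivated
        (6, 150.0, False),   # 6 again
        (9, 160.0, False),   # 9 within the minute: OUT pulse, channel reintegrated
        (9, 161.0, False),   # pulse over, Q keeps following the input
    ]
    return [ch.cycle(True, fault, ack.cycle(in_v, t)) for in_v, t, fault in steps]
```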

2.3 Fault-Tolerant S7 FH System - Getting Started

2.3.1 Fault-Tolerant S7 FH System, Setting Up the Hardware
The following figure shows you an example of a hardware configuration.

[Figure: S7 FH programmable controller with redundant DP master systems,
connected via PROFIBUS DP cables to a single-channel, switched ET 200M
distributed I/O with a safety protector module and fail-safe signal modules]

For this example, you need the following hardware components:

- A programmable logic controller consisting of:
  - 1 mounting rack (UR2-H)
  - 2 power supplies (PS 407 10A)
  - 2 CPU 417-4H
  - 4 synchronization modules
  - 2 fiber-optic cables
- An ET 200M distributed I/O device with an active backplane bus consisting of:
  - 1 power supply (PS307 5A)
  - 2 IM 153-2 Bus Interface Modules
  - 1 Safety Protector Module
  - 1 fail-safe digital input module (SM 326F DI 24xDC24V)
  - 1 fail-safe digital output module (SM 326F DO10xDC24V/2A)
- Other accessories
  - PROFIBUS cables and connectors

Set the DIL switches for the individual components as follows:

- IM153-2 FO: PROFIBUS address 3
- SM 326F DI 24: Module address 8 (only found on the reverse side; only in steps of 8)
- SM 326F DO 10: Module address 24 (only found on the reverse side; only in steps of 8)

Set the mounting rack numbers 0 and 1 for the synchronization modules.
Connect actuators, or alternatively terminating resistors, to the output module (e.g.
between 12 and 3.4 kΩ with 1 watt), or disable group diagnosis for unused
channels in the hardware configuration.

Interface restrictions between S7-400 CPU and ET 200M I/O
The ET 200M components which can be used in safety mode depend on the
safety class and the use of a safety protector in the ET 200M configuration:

- If you comply with the requirements of safety class SIL 2 or use a safety
  protector in SIL 3 in ET 200M, you can use the IM 153-2 for S7 F/FH
  Systems or the IM 153-3 (only for S7 FH Systems), and you can set up the
  PROFIBUS-DP with the copper cable (as in standard mode).
- If you don't use a safety protector in SIL 3 in ET 200M, you must connect the
  PROFIBUS-DP lines of the S7 F/FH Systems with fiber-optic cables. You can
  only use the IM 153-2FO.

Additional Information
You can find detailed descriptions of the hardware components in the following
manuals:

- S7-400, M7-400 Programmable Controllers, Installation and Module
  Specifications
- S7-400H Programmable Controller, Fault-Tolerant Systems
- S7-300 Programmable Controller, Fail-Safe Signal Modules
- ET 200S Distributed I/O System, Fail-Safe Modules

2.3.2 Configuring the Fault-Tolerant S7 FH System
Proceed in the same way as when you configure the S7 F System. You create a
new project in SIMATIC Manager for the hardware setup described above.

Procedure
1. Create a new project called "FHProject".
2. Insert a new SIMATIC H Station.
3. Open the hardware configuration of the SIMATIC H station(1).

4. Begin by placing the UR2-H mounting rack.


5. Insert the standard power supply (PS 407 10 A) in slot 1.
6. Place the CPU 417-4H V3.1 in slot 3 and create a subnet.
Insert two synchronization modules (H Sync module) at IF1 and IF2.
7. Open the properties dialog box of the CPU, enter a password for the CPU on
the "Protection" tab, and select the "CPU Contains Safety Program" check box.
8. Duplicate the entire mounting rack, and connect the CPU to a second
PROFIBUS subnet.
9. Add the IM 153-2 directly onto one of the two PROFIBUS subnets, and enter
the address 3: The ET 200M is connected to both subnets automatically.
(There is a "Redundancy" tab in the properties dialog box of the ET 200M.)
10. Insert the input module SM 326FDI24xDC24V in slot 4 of the ET 200M.


11. Assign symbolic names for all the channels.
12. On the "Inputs" tab of the properties dialog box, select "Enable Diagnostic
Interrupt" and "Safety Mode" with "1oo1 Evaluation".
13. Now insert the output module SM 326F DO10xDC24V/2A.
14. Assign symbolic names for all the channels.
15. On the "Outputs" tab of the properties dialog box, select "Enable Diagnostic
Interrupt" and "Safety Mode in Accordance with SIL2 / AK4". This completes
hardware configuration.
16. Save the current configuration by choosing the Station > Save and Compile
menu command: The system blocks are generated and stored in the program
container.
17. Download the hardware configuration to the CPU of rack 0 (or CPU0 for short).
Note that in SIMATIC Manager all the blocks are stored only in CPU0 (the upper
one of the two).

2.3.3 Fault-Tolerant S7 FH System, Creating a Fail-Safe User Program

Procedure
1. Create the same fail-safe CFC user program as described for the S7 F
Systems.
2. After the charts have been compiled, download them to CPU0.

2.3.4 Starting Up a Fault-Tolerant S7 FH System
Start the programmable controller by first switching the mode selector to RUN-P for
CPU0 and carrying out a warm restart (PLC > Operating Mode). Then switch the
mode selector to RUN-P for CPU1.
CPU0 starts up as the master CPU. CPU1 then starts up and becomes the standby
CPU after it has been linked up and updated.
The first IM 153-2 connected to CPU0 is active: The ACT LED lights up.

2.3.5 Fault-Tolerant S7 FH System, Monitoring Errors

Interruption in the PROFIBUS Connection
1. Remove the PROFIBUS cable from CPU0. The BUS2F LED flashes and the
REDF LED lights up on CPU0.
The second IM 153-2 is now active, and the first one indicates a bus fault.
2. Read out the diagnostic buffer of CPU0. Although there is a loss of redundancy
on the DP slave, your I/O system still continues to operate without error.
3. Now insert the PROFIBUS cable into CPU0 again. All the error LEDs go out
again. However, the second IM 153-2 remains active.

Wire Break on the SM 326F DO10xDC24V/2A with User Acknowledgment


1. Break the connection to your actuator or load resistor, for example on channel
0.
2. Apply voltage to channel 0 of the input module (e.g. from the terminal Vs). Your
output should be set now, but if the output module reports a fault, the SF LED
comes on and the channel LED is off.
3. Display the diagnostic buffer of the CPU and of the output module by means of
Diagnose Hardware: A wire break on channel 0 is reported.
4. Go to the "F blocks" CFC chart, and switch to test mode. The QBAD outputs of
the F_CH_DO F channel driver blocks are set: the entire module has a fault.
5. Eliminate the wire break.
6. As soon as the output ACK_REQ=1 is set, reintegrate the output module via
F_QUITES (as described for the F-system): the I/Os no longer report an
error and the SF LED of the module goes out.

Safety Mechanisms

3.1 Introduction to the Safety Mechanisms
This chapter describes the safety-related mechanisms of the S7 F/FH Systems.
This information serves as background knowledge when you configure the F-System
and create and test the Safety Program. Only the functions in which the
behavior of an S7 F System differs from that of a standard S7 system are
described. The standard behavior is described in the STEP 7 and hardware
manuals.

Which Safety Mechanisms Are Relevant to You?
The safety-related mechanisms in the CPU (hardware and operating system) are:

- Access protection for F-Systems, which helps to avoid faults
- Self-tests, which help to detect and identify faults

The safety-related functions for fault detection and fault reaction are mainly located
in the Safety Program and in the F-I/Os. These functions are implemented by
means of appropriate fail-safe blocks and supported by the hardware and the CPU
operating system.
The safety-related functions of the F-I/Os are described in manual /1/. (Please
refer to the references in Appendix B.)

3.2 Safety Mode
The safety-related functions for fault detection and fault reaction are activated in
safety mode:

- In the F-I/Os
- In the Safety Program of the CPU

Safety Mode of the F-I/Os
When configuring the F-I/Os in HWCONFIG, you can use the "Safety Mode"
parameter to set standard mode or safety mode for them, if this feature is
supported:

- To set standard mode, do not select the "Safety Mode" parameter.
- To set safety mode, select the "Safety Mode" parameter.

You can find additional information on standard mode and safety mode in manual
/1/. (Please refer to the references in Appendix B.) You can find information on the
parameter assignment of the F-I/Os in the online help system and in the section
"Configuring, Parameter Assignment of F-I/Os".

Safety Mode of the Safety Program


The Safety Program usually runs on the CPU in safety mode. In other words, all
the safety mechanisms for fault detection and fault reaction are activated. It is not
possible to change the Safety Program during operation when it is in safety mode.
Safety mode of the Safety Program in the CPU can be switched off and on again to
allow changes to the Safety Program during RUN mode. You can switch safety
mode on and off for the Safety Program in the CPU in SIMATIC Manager by
choosing the Options > Edit Safety Program menu command. You can find
further information on changing the Safety Program in RUN mode in the chapters
entitled "Programming, Deactivating Safety Mode" and "Changing the Safety
Program in RUN Mode".

3.3 Fault Reactions

Safe State
The basis of the safety concept is that there must be a safe, neutral position for all
process variables. In the case of binary signal modules, this is always the value
"0".

Fault Reactions in the CPU and Operating System
If the CPU detects a fault by means of the hardware (time monitoring) or operating
system (self-tests etc.), the Safety Program may become disabled, or a switchover
may occur if the fault occurs on the master side in a redundant system.

Fault Reactions in the Safety Program
All the fault reactions of the Safety Program lead to a safe state:

Note
When a failure is detected and Full Shutdown is configured, all F-run-time groups
in the Safety Program are disabled.
When a failure is detected and Partial Shutdown is configured, only the F-run-time
group in which the failure occurred is disabled, leaving the other run-time groups
activated.

- Full and Partial Safety Program Shutdown (F_SHUTDN input SHUTDOWN=Full:
  all F-run-time groups disabled). This state can be reversed by two methods:
  restarting the shutdown logic through the RESTART input on the F_SHUTDN block,
  or stopping the F-CPU and forcing a cold start. You can find information on
  restart behavior, startup protection and hot restart protection in the section
  "Startup of an F-System".
- Power-failure-proof disabling of the safety-related outputs. I/O or
  communication faults lead to the affected outputs being disabled. The outputs
  can be enabled after user acknowledgment via the ACK_REI input on the F
  channel driver.
- Typically, in reaction to the detection of faults, non-safety-related diagnostic and
  report functions can be executed.

A master/standby switchover is initiated in the S7 FH system if the master is
switched to STOP mode.
You will find a list of causes of F-run-time group shutdown in the section "Error
Information After F-Run-time Group Shutdown".

3.4 Startup of an F-System

Operating Modes of an S7 F/FH System

The operating modes of an S7 F System differ from the normal ones only in their
startup characteristics and behavior in HOLD mode. Otherwise, the system states
of the fault-tolerant system and the operating modes of the master CPU and
standby CPU occur in an S7 FH System as described in Chapter 4.

Startup Characteristics
The startup characteristics are determined by the Safety Program as follows. After
each interruption of the user program (by power off, CPU STOP, or Safety
Program disable), startup of the Safety Program is only possible with the initial
values of the fail-safe blocks.
If a warm restart is requested during startup, a warm restart is only carried out for
the standard section of the user program. A warm restart for the fail-safe section of
the user program is not possible; the Safety Program starts up with the initial
values of the fail-safe blocks in the same way as after a cold restart.
To handle a warm or cold start of the Safety Program, additional blocks (DB_RES)
and calls that must not be changed are automatically inserted in OB 100, and
DB_INIT blocks are automatically placed into @F_DbInit at compile time.

Startup Protection
A startup of the Safety Program using the initial values can also be triggered by a
handling error or an internal error. If the process does not permit this, a reaction to
this must be programmed in the Safety Program. The F_START block is available
to signal a startup of the Safety Program with the initial values (see the section
entitled "Programming the Startup Characteristics").

Hot Restart Protection


If a hot restart (Power Off > Power On) of the process is not permissible after the
reaction of the S7 F System to an internal fault, manual enabling of the outputs
after the startup of the Safety Program with the initial values (see above) must be
programmed.

HOLD Mode
HOLD mode is not supported for the S7 F/FH systems. If the execution of the user
program is stopped by a HOLD request, the F-I/Os go to failsafe (Outputs
disabled). Once the CPU is back in RUN mode, the Safety Program performs a
Full Shutdown. The Shutdown logic must be Restarted and the F-I/Os
reintegrated.

See Also
Programming the Startup Characteristics

3.5 Self-Tests and Command Tests

Self-Tests
Self-tests are carried out in the S7 F/FH system to detect faults. The duration of the
cyclic self-tests can be set during configuration (the default is 90 mins).

Note
Only settings of up to 12 hours are permitted for the S7 F/FH Systems.
You cannot modify safety-relevant self-tests for the S7 F/FH Systems with the
SFC 90 "H_CTRL". If you do, the Safety Program will become disabled at the
latest after 24 hours. It is not permitted to switch test components off or on
(submode 0 .. 5 from mode 20, 21 and 22).
For the same reason, you must not disable updating with SFC 90 "H_CTRL" for
too long.

Execution (program run, entire safety-related hardware) and the test result are
checked in the Safety Program by an F test block (F_TESTC) that is inserted
automatically when the Safety Program is compiled.

Command Tests
Some commands are tested in the quickest cycle of the Safety Program. These
command tests are implemented in the F_TEST block, which is included
automatically when the Safety Program is compiled.

3.6 Logical and Time-Based Program Execution Monitoring

Program Execution Monitoring


CPU or RAM faults can corrupt the correct execution of the program. Logical and
time-based program execution monitoring and data flow monitoring can detect this.

Logical Program Execution and Data Flow Monitoring


During compilation, fail-safe blocks are automatically inserted in the CFC chart for
logical program execution monitoring and data flow monitoring: In each run-time
group with fail-safe blocks, one F_PLK block and one F_PLK_O block is inserted.
The F_PLK is called before the outputs, and the F_PLK_O after them.

When a hazardous fault is detected, the logical program execution check performs
the following:

- In a non-redundant system, or in a situation that is a common cause (e.g. both
  CPUs encounter the fault), the Safety Program will be disabled.*
- In a redundant system, if the failure is detected on the master CPU, a switch to
  the standby will occur. If the failure is on a reserve CPU or if the failure is on
  both CPUs, a switch will not be performed and a portion or all of the Safety
  Program will be disabled.*

*This is configurable by the shutdown logic. If a fault is detected in an F-run-time
group, depending on the configured response in the shutdown logic, the F-run-time
group will be disabled or the entire Safety Program will be disabled, and all
associated outputs revert to the safe state.

Time-Based Program Execution Monitoring

Time-based program execution monitoring takes place through monitoring of the F cycle time by the F_CYC_CO within each OB3x.

Monitoring of the F Cycle Time

The maximum F cycle time (cyclic interrupt time for OBs with F-run-time groups) is assigned in CFC as an input parameter of the F-Block F_CYC_CO. An F_CYC_CO F-Block must be present in each F cycle (i.e. in each cyclic interrupt OB with F-Blocks). This block is placed automatically during compilation.
In the event of an F cycle time overrun, the associated F-run-time groups are disabled, causing all associated outputs to revert to the safe state.

Live Monitoring During Safety-Related Communication

The Safety Program communicates cyclically with the F-I/Os and with Safety Programs on other CPUs using special safety protocols. The receivers implement the fault reaction function in the event of a problem:

- F output modules switch the outputs off.
- The fail-safe blocks F_RCVBO and F_RCVR in Safety Programs on other CPUs output parameterizable substitute values.
- The fail-safe blocks F_R_BO and F_R_R used for RTG-to-RTG communication output parameterizable substitute values.

After the problem has been eliminated, user acknowledgment on the F channel driver block or on the F-Block F_RCVBO or F_RCVR, or a Restart of the Shutdown Logic, is required. The fail-safe blocks F_R_BO and F_R_R used for RTG-to-RTG communication are reintegrated automatically.

See Also
Interconnecting F Cycle Time Monitoring
F_PLK_O, F_PLK, F_CYC_CO

3.7 Fail-Safe User Times

Time values generated in the Safety Program with the F_TP, F_TON and F_TOFF
blocks are monitored by means of safety mechanisms of the CPU. To do this, two
mutually independent time counters are compared. As long as the discrepancy
between the two counters is less than 10 ms within a time period of 50 s, the time
is considered correct. If the discrepancy is larger, a hardware fault is assumed and
the Safety Program is disabled.
The maximum inaccuracy of user times can be calculated on the basis of the
following table:
User Times From | To          | Max. Inaccuracy
10 ms           | 50 s        | 5 ms
> 50 s          | 100 s       | 10 ms
...             | ...         | ...
> n*50 s        | (n+1)*50 s  | (n+1)*5 ms

The actual inaccuracy is considerably less than this. Also note the time inaccuracy
that occurs due to processing in the cyclic interrupt scan cycle.
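As an added example (not Siemens code), the following Python functions evaluate the table above, including its boundary behaviour: a user time of exactly 50 s still falls in the first row (5 ms), whereas 50.001 s already falls in the second (10 ms). The function user_time_bounds_ms is an assumption of this example only: it adds one cyclic interrupt cycle of processing delay, which the manual says to take into account but does not quantify here.

```python
import math

COMPARISON_WINDOW_S = 50.0       # the two independent time counters are compared over 50 s
INACCURACY_PER_WINDOW_MS = 5.0   # at most 5 ms of inaccuracy per started 50 s window
MIN_USER_TIME_MS = 10.0          # the table starts at user times of 10 ms


def max_user_time_inaccuracy_ms(user_time_s: float) -> float:
    """Maximum inaccuracy of an F_TP/F_TON/F_TOFF time value according to the
    table: a user time in the range (n*50 s, (n+1)*50 s] may be off by at most
    (n+1)*5 ms. Times below 10 ms are outside the table and rejected."""
    if user_time_s * 1000.0 < MIN_USER_TIME_MS:
        raise ValueError("user times below 10 ms are not covered by the table")
    started_windows = math.ceil(user_time_s / COMPARISON_WINDOW_S)   # this is n+1
    return started_windows * INACCURACY_PER_WINDOW_MS


def user_time_bounds_ms(user_time_s: float, f_cycle_time_ms: float) -> tuple:
    """Worst-case interval (earliest, latest) in ms within which a programmed
    user time actually elapses. Assumption of this example: the cyclic interrupt
    processing adds up to one F cycle time of delay on top of the table value."""
    nominal_ms = user_time_s * 1000.0
    inaccuracy_ms = max_user_time_inaccuracy_ms(user_time_s)
    return (nominal_ms - inaccuracy_ms, nominal_ms + inaccuracy_ms + f_cycle_time_ms)


def time_counters_consistent(counter_a_ms: float, counter_b_ms: float) -> bool:
    """Check applied by the CPU over each 50 s period: the two counters are
    considered correct only while their discrepancy is below 10 ms; otherwise
    a hardware fault is assumed and the Safety Program is disabled."""
    return abs(counter_a_ms - counter_b_ms) < 10.0
```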

3.8 Password Protection for F-Systems

Password protection protects the S7 F/FH Systems from unauthorized access, e.g.
from unwanted downloads to the CPU from the engineering system (ES) or the
programming device (PG). In addition to the standard password for the CPU, an
additional password is also required for S7 F/FH Systems for the Safety Program
(F password).
The following tables describe the CPU password and the password for the Safety
Program.
CPU Password

User Input: In HWCONFIG, during configuration of the CPU, "Protection" tab in the "Properties" dialog box

User Requested:
- Downloading of the whole program from CFC or SIMATIC Manager
- Downloading of Safety Program changes from CFC
- Downloading and deletion of F-Blocks from SIMATIC Manager
- Downloading to the EPROM memory card on the CPU from SIMATIC Manager
- Memory reset from CFC or SIMATIC Manager
- Modification of F constants in CFC test mode

Password Validity: Legitimization is valid without restrictions, until explicitly withdrawn via the corresponding SIMATIC Manager function or until all STEP 7 applications have been terminated.

Password for Safety Program

User Input: In SIMATIC Manager, Options > Edit Safety Program

User Requested:
- Compilation of changes to the Safety Program
- Switching safety mode on and off
- Downloading of changes to the data of the Safety Program when safety mode is inactive
- Modification of F constants in CFC test mode

Password Validity: An hour after the password has been entered or until the access rights are explicitly canceled.

You can find additional information on password protection in the section on setting
up, changing and canceling access rights.

3.9 Safety-Related Communication

Communication Overview
The following figure shows the communication options available to an F-system:
[Figure: communication options of an F-system. It shows a standard or F-CPU running a standard program, an F-CPU running a Safety Program with F-run-time groups and the F driver, and the F-SM/F-I/O. Legend: safety-related and non-safety-related paths; the numbered paths are listed in the table below.]

Number | Communication Between                  | And                                    | Safety-Related
1      | Safety Program in F-CPU                | Standard program                       | No
2      | Standard program                       | Safety Program                         | No
3      | F-run-time group (RTG)                 | F-run-time group (RTG)                 | Yes
4      | Safety Program in F-CPU                | F-I/O                                  | Yes
5      | Safety Program in F-CPU                | Safety Program in F-CPU                | Yes
6      | Standard program in standard or F-CPU  | Standard program in standard or F-CPU  | No

3.9.1 Communication Between the Safety Program and the Standard User Program
The standard and Safety Programs use different data formats. Special conversion
blocks must therefore be used for the data exchange.

[Figure: the safety-related Safety Program and the non-safety-related standard program in the same F-CPU, exchanging data via conversion blocks.]

From             | To               | Block                  | Safety-Related
Safety Program   | Standard program | F_Fdata type_data type | No
Standard program | Safety Program   | F_data type_Fdata type | No

The following data types are supported: BOOL, REAL, INT and TIME.
Parameters are passed as safety-related F-data types in the Safety Program. If the
standard user program has to process data from the Safety Program, for
monitoring purposes, for example, then a block for the conversion of data (F_Fdata
type_data type) must be inserted in CFC to convert the F-data types to standard
data types.
These blocks can be found in the Failsafe Blocks, User Blocks library.
The F_Fdata type_data type blocks must be called in the standard user program
(CFC chart, standard run-time group).
If data from the standard user program has to be processed in the Safety Program,
safety-related F-data types must be created from the standard data types using
F_data type_Fdata type blocks for data conversion and, if necessary, then
subjected to a plausibility check programmed using fail-safe blocks. The F_data
type_Fdata type data conversion blocks must only be used in the Safety Program
(CFC chart, F-run-time group).

See Also
Programming Communication Between F User Programs and Standard User
Programs

3.9.2 Communication Between F-Run-Time Groups

Run-time groups that contain fail-safe blocks are referred to as F-run-time groups. Data transmission between the F-run-time groups of a user program must be safety-related. The fail-safe blocks F_S_BO, F_S_R and F_R_BO, F_R_R are available for safety-related communication between F-run-time groups. This enables you to transfer a fixed number of parameters of the same F-data type.
The following data types are supported: BOOL, REAL.
To permit communication between F-run-time groups in different cyclic interrupt OBs, the cyclic interrupt with the shorter cycle must be configured with a higher priority.
The F_S_BO (BOOL) and F_S_R (REAL) blocks are inserted in the sending F-run-time group, and their F input parameters are interconnected to the sending parameters of other fail-safe blocks. The F_R_BO (BOOL) and F_R_R (REAL) blocks are inserted in the receiving F-run-time group, and their F output parameters are interconnected to the inputs of other fail-safe blocks. The connection between F_S_BO and F_R_BO or F_S_R and F_R_R is established by means of interconnection in CFC.
The F_R_BO and F_R_R blocks have inputs to supply substitute values for the outputs when a fault is detected (e.g. timeout).
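As an added example that is not Siemens code and models only the behaviour described in section 3.6 and above, the following Python class captures the receiver-side fault reaction for both block families: while telegrams arrive within the monitoring time, the received value is passed through; after a timeout the parameterized substitute value is output; an RTG-to-RTG receiver (F_R_BO/F_R_R) reintegrates automatically once telegrams arrive again, whereas a CPU-to-CPU receiver (F_RCVBO/F_RCVR) keeps the substitute value until the user acknowledges. The monitoring time, telegram timestamps and acknowledgment instant in run_scenario are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SafeReceiver:
    """Simplified model of a fail-safe receiver block (constructed for this
    example, not the Siemens implementation).

    kind = "rtg": behaves like F_R_BO/F_R_R (automatic reintegration)
    kind = "cpu": behaves like F_RCVBO/F_RCVR (user acknowledgment required)
    """
    kind: str
    monitoring_time_ms: int
    substitute_value: bool          # parameterizable substitute value input
    last_rx_ms: Optional[int] = None
    last_value: bool = False
    faulted: bool = False
    events: List[Tuple[int, str]] = field(default_factory=list)

    def telegram(self, now_ms: int, value: bool) -> None:
        """A valid safety telegram from the sender arrived at now_ms."""
        self.last_rx_ms = now_ms
        self.last_value = value
        # RTG-to-RTG receivers reintegrate automatically once telegrams flow again.
        if self.faulted and self.kind == "rtg":
            self.faulted = False
            self.events.append((now_ms, "automatic reintegration"))

    def acknowledge(self, now_ms: int) -> None:
        """User acknowledgment on the receiver block; it only reintegrates if the
        problem has been eliminated, i.e. telegrams are within the monitoring time."""
        if self.kind == "cpu" and self.faulted and self._within_monitoring_time(now_ms):
            self.faulted = False
            self.events.append((now_ms, "reintegration after acknowledgment"))

    def _within_monitoring_time(self, now_ms: int) -> bool:
        return (self.last_rx_ms is not None
                and now_ms - self.last_rx_ms <= self.monitoring_time_ms)

    def output(self, now_ms: int) -> bool:
        """Output of the block in the F cycle executed at now_ms."""
        if not self._within_monitoring_time(now_ms):
            if not self.faulted:
                self.events.append((now_ms, "timeout: substitute value"))
            self.faulted = True
        return self.substitute_value if self.faulted else self.last_value


def run_scenario(kind: str) -> List[bool]:
    """Constructed sequence: telegrams every 100 ms, a gap from 200 ms to 500 ms
    that exceeds the 150 ms monitoring time, then telegrams again; the user
    acknowledges at 600 ms. Returns the block output sampled every 100 ms."""
    rx = SafeReceiver(kind=kind, monitoring_time_ms=150, substitute_value=False)
    telegram_times = {0, 100, 200, 500, 600, 700}
    outputs = []
    for now in range(0, 800, 100):
        if now in telegram_times:
            rx.telegram(now, True)
        if now == 600:
            rx.acknowledge(now)
        outputs.append(rx.output(now))
    return outputs


if __name__ == "__main__":
    for kind in ("rtg", "cpu"):
        print(kind, run_scenario(kind))
```

The two runs differ only at 500 ms: the RTG-to-RTG receiver is already passing the received value again, while the CPU-to-CPU receiver still outputs the substitute value until the acknowledgment at 600 ms.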

See Also
Programming Communication Between F Run-Time Groups Within a CPU

3.9.3 Communication Between the F-CPU and F-I/Os

Safety-Related Communication Between the F-CPU and F-I/Os Via PROFIsafe

The Safety Program communicates with the F-I/Os via PROFIsafe, the safety-related bus profile of PROFIBUS DP/PA. This safety protocol is implemented in the Safety Program in the F module driver blocks, as well as in the firmware of the F-I/Os.
Safety-related communication between the Safety Program and the F-I/Os takes place via cyclic user data transfer. An important parameter for this is the monitoring time specified during configuration of the F-I/Os and automatically passed to the F module driver blocks as an input parameter.

Non-Safety-Related Communication Between the F-CPU and F-I/Os

For non safety-related communication between the F-CPU and the F-I/Os, the
usual mechanisms - direct access, access to process image or records - can be
used. For example, non-safety-relevant diagnostic information is transferred
acyclically from the F-I/Os by means of record transfers.

See Also
Interconnecting F-Driver Blocks and Driver Blocks for F-Signal Modules

3.9.4 Safety-Related Communication Between F-CPUs

Communication Options

[Figure: numbered connections between S7 FH Systems (S7-400FH) and S7 F Systems; the connections are listed in the table below.]

Safety-related communication between CPUs takes place via configured standard or fault-tolerant S7 connections.

Number | Communication From... | To            | Connection Type               | Safety-Related
1      | S7 FH Systems         | S7 FH Systems | S7 connection, fault-tolerant | Yes
2      | S7 F/FH Systems       | S7 F Systems  | S7 connection, fault-tolerant | Yes
3      | S7 F Systems          | S7 F Systems  | S7 connection                 | Yes

The fail-safe blocks F_SENDBO <-> F_RCVBO or F_SENDR <-> F_RCVR are available for safety-related communication between Safety Programs on different F-CPUs. This means a fixed number of BOOL or REAL parameters can be safely transferred.

Safety Note Public Network Safety F-CPU Communication Not Allowed

Safety-related communication between F-CPUs is not permissible via public networks.

Note
Multiproject is a new feature of STEP 7 V5.2. With this feature, you do not need to maintain all CPUs in the same project; you may have several projects with CPU-to-CPU communication shared between them.

Communication with Standard CPUs


Direct communication between a Safety Program and a standard CPU is not
possible. Communication can only take place in a standard program on the F-CPU
after the F-data types have been converted into standard data types by means of a
conversion block. Communication in the standard program uses the standard
communication functions.

See Also
Programming Communication Between Safety Programs on Different CPUs

4 Configuration

4.1 Overview
This section describes the main differences between the configuration of a fail-safe
system and that of a standard S7 system. It also deals with the special features of
the programming device functions that you must watch out for when working with a
fail-safe system.

4.2 Hardware Configuration and Parameter Assignment

The basic procedure for configuring a fail-safe system doesn't differ from that of a standard S7 system; it comprises the following steps:

- Creating projects and stations
- Configuring hardware and the network
- Downloading the system data to the PLC

The individual steps required for configuration are also largely identical with those of the S7-400. Authorization is always required to change the parameter assignment of an F-System.

Rules for F-Systems

In addition to the rules that generally apply to the arrangement of modules in an S7-400, the following conditions must be complied with in the case of an F-System:
Note: An ET 200S can contain fail-safe modules and standard modules.

- In safety mode, fail-safe signal modules can only be used in an ET 200M with the IM 153-2 FO or a safety protector module. Exception: the S7-300 standard module SM 331; AI 2 x 12Bit (order no. 6ES7 331-7TB00-0AB0) can be used together with fail-safe signal modules in safety mode in an ET 200M.
- Fail-safe operation of the F-SMs is only possible in the address area 8 to 8191. The address used must be set on the F-SM by means of switches and must match the configured address.
- To run a CPU with a Safety Program, the appropriate option must be activated for the CPU and a password configured.
- If the configuration of an F-I/O or the CPU (cycle times of the cyclic interrupt OBs) is changed, the Safety Program must be compiled again and downloaded to the CPU.


- Before downloading the Safety Program, you must download the configuration to the CPU.
- If you use a safety protector in the ET 200M, you can operate fail-safe signal modules together with S7-300 standard signal modules in an ET 200M even in safety mode in SIL 3.
  The safety protector protects the fail-safe signal modules from possible overvoltage in the event of a fault. To do this, the fail-safe signal modules must be inserted in the ET 200M configuration to the right of the safety protector, and all the standard signal modules must be inserted to the left of the safety protector.
- The ET 200M components that can be used in safety mode depend on the safety class and on the use of a safety protector in the ET 200M configuration:
  - If you comply with the requirements of safety class SIL 2, or use a safety protector in SIL 3 in the ET 200M, you can use the IM 153-2 (for S7 F/FH Systems) or the IM 153-3 (only for S7 FH Systems), and you can set up PROFIBUS-DP with copper cable (as in standard mode).
  - If you don't use a safety protector in SIL 3 in the ET 200M, you must connect the PROFIBUS-DP lines of the S7 F/FH Systems with fiber-optic cables, and you can only use the IM 153-2 FO.

Additional Information
You can find a full description of the safety protector in the S7-300 Programmable
Controller, Fail-Safe Signal Modules; A5E00048969-03; edition 02/2001.

Safety Note Safety Rules for Safety Operation

Safe operation is not possible if these rules are not complied with.

4.3 CPU Parameter Assignment

Rules for Configuration as an F-CPU

Safety Note CPU Containing Safety Program Must Have a Password

The user must comply with the following rules:

- The "CPU Contains Safety Program" option must be selected.
- A password must always be assigned.

You must make these settings via the CPU's object properties in HWCONFIG.

Procedure
1. Select the desired CPU in HWCONFIG, and then choose the Edit > Object
Properties menu command.
2. Select the protection level you want for the CPU, and then enter a password in
the text boxes provided.
3. Select the "CPU Contains Safety Program" option on the "Protection" tab.

Important Parameters for the CPU in the S7 FH System

To prevent time monitoring during a master/standby switchover, you must
configure the OB3x provided for Safety Programs with a priority > 15 on the "Cyclic
Interrupts" tab.
The cyclic interrupt OB of the Safety Program must be configured as a "Cyclic
Interrupt OB with Special Handling". Only then will this cyclic interrupt be called
during updating of the standby for priority classes > 15 directly before the start of
the blocking time. To do this, go to the "H Parameters" tab in the CPU properties,
and then enter in the "Cyclic Interrupt OB with Special Handling" text box the
number of the highest priority cyclic interrupt OB to which blocks of the Safety
Program section are assigned in CFC.

4.4 Parameter Assignment of F-I/Os

Additional options are available for parameter assignment of F-I/Os that are not available for parameter assignment of comparable standard SMs:

- You can select between safety mode (with different levels, to a certain extent) and standard mode.
- You can operate F-I/Os redundantly in safety mode to increase availability (fault tolerance). Redundant modules can be inserted either in the same mounting rack or in different ones for increased availability. Note: redundancy is only available in modules that support it.

An F-I/O cannot be addressed directly in safety mode. It can only be addressed via the fail-safe driver blocks.
The choice between safety mode and standard mode is available only for the F-I/O, not for the ET 200S F modules.
Dynamic parameter assignment by means of SFC calls is only possible in standard mode for the F-SM. It is not possible to change to safety mode in this way.
You can find more information on the parameter assignment of F-I/Os in manual /1/ (refer to the references in Appendix B) and in the context-sensitive help in HWCONFIG.

Symbolic Names
Note
Enter a symbolic name for each input or output channel of the configured F-I/Os.
In the case of F-I/Os in safety mode, in CFC you must assign the symbolic name of
the associated channel to the VALUE input of each F channel driver block.
This enables automatic assignment between the module parameters configured in
HWCONFIG (addresses, monitoring times, etc.) and the I/Os of the associated F
channel driver blocks in CFC.
If you configure 1oo2 sensor evaluation for the digital input modules, we
recommend that you mark the channels that are unavailable (4 to 7 in the SM 326;
DI 8 x NAMUR and 12 to 23 in the SM 326; DI 24 x DC 24 V and the
corresponding channel in the 4/8 F-DI 24 VDC PROFIsafe) as reserved in the
symbol table.

Entering Module Names

You can enter a module name for an F-I/O in HWCONFIG. This name is copied for the instance of the associated F module driver (F_Name_x) if the associated F module driver is placed automatically. This enables the link between the F module driver and the F-I/O to be seen and checked more easily.
The name entered can have a maximum of 12 characters if the associated
instance names of the F module driver are to be unique.
To do this, proceed as follows:
1. Select the desired F-I/O in HWCONFIG, and then choose the Edit > Object
Properties menu command.
2. Under Name, enter a name for the F-I/O using a maximum of 12 characters.
If the instance name of the F module driver is not unique, you will subsequently
only be able to check the link between the F module driver and the F-I/O via the
logical address.

Group Diagnosis for F-SM

This section is only valid for F-SMs. Group diagnosis in the ET 200S F-modules cannot be switched off.
The "Group Diagnosis" parameter switches on and off the transmission of channel-specific diagnostic messages (e.g. wire break, short circuit) of the F-signal modules to the CPU. The group diagnosis can be switched off on unused input or output channels in the interests of availability. This results in the following behavior:

Fail-safe input modules:
If the group diagnoses of the input channels are switched off, safe 0 values are still sent to the CPU in the event of a fault, but no error messages are sent to the CPU.

Fail-safe output modules:
The following occurs if there are channel faults at outputs with group diagnosis switched off:
- In the case of faults with channel-specific switch-off, the affected channels of the module are not switched off.
- In the case of faults at which the affected module half (DO0...DO4 or DO5...DO9) is switched off, the affected module half is switched off.

The CPU does not receive a diagnostic message, and the outputs are not passivated, depending on the setting on the F-driver block.

Safety Note I/O Group Diagnosis

In the case of fail-safe input and output modules in safety mode, group diagnosis
must be set for all the connected channels.
Please check that the switching off of the group diagnosis has really only been set
for unused input and output channels.

4.5 Configuring Redundant F-I/Os (only in supported modules)

Note
In the case of redundantly configured modules, you must make sure of the following:
- That the two modules are of the same type and have the same parameter assignment.
- That the same monitoring time is parameterized for both modules.
- That the "Safety Mode" option is selected on the "Inputs" tab.

For example, to configure two ET 200M fail-safe input modules redundantly, proceed as follows:
1. In HWCONFIG, insert the two F-SMs in the ET 200M(s).
2. Assign parameters to the first module: Select the "Safety Mode" option on the
"Inputs" tab and set any additional parameters.
3. Assign parameters to the second module: Select the "Safety Mode" option on
the "Inputs" tab and set the same parameters as for the first module.
4. For the second module, set the "Redundancy 2x" option on the "Redundancy"
tab.
5. In the "Find Redundant Module" dialog box, select the module you want.
6. You can set the discrepancy time for redundant digital input modules, if
required.

4.6 Configuring the Networks and Connections

The configuration of networks and connections in a fail-safe system only differs from that in a standard S7 system in one respect:
The fail-safe function blocks are required for safety-related communication between CPUs. It is therefore only possible between the Safety Programs on F-CPUs.

4.7 Programming Device Functions in STEP 7

The same functions are available for working with a fail-safe system in STEP 7 as for a standard S7 system.

Safety-Relevant Programming Device Functions

Safety-relevant programming device functions are only executed if you have set up access rights for yourself. The following programming device functions are safety-relevant and can only be executed once authorization has been obtained with a CPU password, irrespective of the protection level set:

- Downloading of the whole program from CFC or SIMATIC Manager
- Downloading of Safety Program changes from CFC
- Downloading and deletion of F-Blocks from SIMATIC Manager
- Downloading to the EPROM memory card on the programming device
- Memory reset from CFC or SIMATIC Manager

Safety Note Modify Variables Can Cause Shutdown

You cannot change variables and values on F-Block I/Os online, for example using the PLC > Monitor/Modify Variables menu command. If such a modification to an F function block is detected, the Safety Program may be shut down, which will result in your outputs being disabled.

Setting Breakpoints
Note
After the HOLD mode has been requested, a Restart of the Shutdown Logic is
required.

4.8 Setting up, Modifying and Cancelling Access Rights

4.8.1 Setting up Access Rights for the CPU
To set up access rights for the CPU, proceed as follows:
1. Select the CPU or its S7 program in SIMATIC Manager.
2. Choose the PLC > Access Rights > Setup menu command. In the dialog
tab box that appears, locate the protection tab and enter the password
assigned during parameter assignment of the CPU.
Access rights are valid until they are canceled (PLC > Access Rights > Cancel)
or until the last S7 application has been terminated.

Safety Note Limiting Access through ES

If access to the ES or programming device is not limited by means of access protection to those individuals authorized to modify Safety Programs, the efficacy of the password protection must be ensured by means of the following organizational measures on the ES/programming device:

- The password must only be accessible to people with authorization.
- People with authorization must explicitly cancel the authorization when they exit the ES/programming device. If this is not rigorously adhered to, a screen saver with a password accessible only to authorized people must also be used.

When the standard program is changed in safety mode, access rights should not be obtained using the CPU password, because otherwise the Safety Program can also be changed. The protection level must instead be set accordingly.
After access rights have been canceled, check, if safety mode is active, whether the overall signature of the Safety Program online and the overall signature of the accepted Safety Program are identical. If not, download the correct Safety Program to the CPU again (see sections "Downloading Changes" and "Comparing Safety Programs").

Safety Note Password Protection

After an unbuffered cold restart, the current password is deleted from the RAM
load memory and the old password from the flash EPROM memory card is valid
again. To prevent this old password on the flash EPROM memory card being
known to too many people, you should take organizational measures.

Changing the Password

A password can only be changed by changing the configuration.
To do this for the S7 F System, you must switch the CPU to STOP.
It is possible to change the password (configuration change) for the S7 FH System
without interrupting the process (in RUN mode).

4.8.2 Entering/Changing the Password for the Safety Program

To enter or change the password for the safety program, proceed as follows:
1. Select the CPU or its S7 program in SIMATIC Manager.
2. Choose the Options > Edit Safety Program menu command.
3. Select the "Password..." button in the Safety Program dialog box that appears,
and perform the appropriate action as listed below:
   - Enter the password for the Safety Program for the first time. In this case, ignore the "Old Password" field.
   - Change the existing password for the Safety Program. You must enter the existing password in the "Old Password" field.

Use the Cancel Access Rights button to immediately stop the one-hour persistence
of Access Rights since the last time the password was entered. Following this, any
user must provide the Safety Program Password explicitly for any operation that
normally requires it, regardless of how much time has passed since the last entry
of the password.

Safety Note Safety Program and CPU Passwords Should Be Different

We recommend that you use different passwords for the CPU and for the Safety Program for improved access protection.

If you haven't already entered a password, you will be requested to enter one when you compile the Safety Program for the first time (see "Request for the Password for the Safety Program" below).
You can change the password in the same way as usual under Windows 95/98/NT by entering the old password once and the new password twice.
The password for the Safety Program is stored offline in the ES/programming
device together with the safety program.

Request for the Password for the Safety Program

A dialog box requesting the password for the Safety Program is displayed in the following cases:

- Compilation of changes to the Safety Program
- Switching safety mode on and off
- Downloading of changes to the data of the Safety Program when safety mode is switched off
- Modification of F constants in CFC test mode

4.8.3 Cancelling Access Rights for the Safety Program

Validity of the Password for the Safety Program


After the password for the safety program has been entered (following a request or
a change), it is valid for an hour. In a session to edit the safety program
(modification, compilation, deactivation of safety mode, downloading of changes),
you only have to enter it once. After an hour you have to enter it again.
You also have to enter the password again if the last of the specified actions during
a session is more than an hour ago.
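As an added example (constructed for this manual's rules, not STEP 7 code), the following Python model encodes which of the operations listed in section 3.8 require the CPU password, which require the Safety Program password, and the two validity rules: the CPU authorization lasts until it is cancelled or the last STEP 7 application is terminated, while the Safety Program password lapses one hour after it was last entered or used, or when access rights are cancelled. The operation names and the timestamps are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Operations and the password each of them requires (tables in section 3.8).
CPU_PASSWORD_OPERATIONS = {
    "download whole program",
    "download safety program changes",
    "download or delete f-blocks",
    "download to eprom memory card",
    "memory reset",
    "modify f constants in cfc test mode",
}
F_PASSWORD_OPERATIONS = {
    "compile safety program changes",
    "switch safety mode",
    "download safety program data changes (safety mode inactive)",
    "modify f constants in cfc test mode",
}
F_PASSWORD_VALIDITY_S = 3600.0   # one hour since the last entry or use


@dataclass
class AccessRights:
    """State of the access rights on one ES/programming device (model only)."""
    cpu_authorized: bool = False            # PLC > Access Rights > Setup done
    f_last_used_s: Optional[float] = None   # last entry/use of the F password
    open_step7_apps: int = 1

    # CPU password
    def setup_cpu_access(self) -> None:
        self.cpu_authorized = True

    def cancel_cpu_access(self) -> None:    # PLC > Access Rights > Cancel
        self.cpu_authorized = False

    def close_step7_app(self) -> None:
        """Terminating the last STEP 7 application ends the CPU authorization."""
        self.open_step7_apps = max(0, self.open_step7_apps - 1)
        if self.open_step7_apps == 0:
            self.cpu_authorized = False

    # Safety Program password
    def enter_f_password(self, now_s: float) -> None:
        self.f_last_used_s = now_s

    def cancel_f_access(self) -> None:      # "Cancel Access Rights" button
        self.f_last_used_s = None

    def f_password_valid(self, now_s: float) -> bool:
        return (self.f_last_used_s is not None
                and now_s - self.f_last_used_s <= F_PASSWORD_VALIDITY_S)

    # Authorization check
    def missing_passwords(self, operation: str, now_s: float) -> List[str]:
        """Passwords that would be requested before the operation is executed."""
        if operation not in CPU_PASSWORD_OPERATIONS | F_PASSWORD_OPERATIONS:
            raise ValueError("unknown operation: " + operation)
        missing = []
        if operation in CPU_PASSWORD_OPERATIONS and not self.cpu_authorized:
            missing.append("CPU password")
        if operation in F_PASSWORD_OPERATIONS and not self.f_password_valid(now_s):
            missing.append("Safety Program password")
        return missing

    def perform(self, operation: str, now_s: float) -> bool:
        """Executes the operation if no password is missing. Each executed
        F-password operation restarts the one-hour validity (sliding window)."""
        if self.missing_passwords(operation, now_s):
            return False
        if operation in F_PASSWORD_OPERATIONS:
            self.f_last_used_s = now_s
        return True
```

Note that "modify f constants in cfc test mode" appears in both sets, so it is released only when both authorizations are valid at the same time.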

Safety Note Authorized Use of Password

If access to the ES or programming device is not limited by means of access protection to those individuals authorized to modify Safety Programs, the efficacy of the password protection must be ensured by means of the following organizational measures on the ES/programming device:

- The password must only be accessible to people with authorization.
- People with authorization must explicitly cancel the authorization when they exit the ES/programming device. If this is not rigorously adhered to, a screen saver with a password accessible only to authorized people must also be used.

Cancelling Access Rights

You can cancel access rights at any time using the password for the Safety Program. To do this, proceed as follows:
1. Select the CPU or its S7 program in SIMATIC Manager.
2. Choose the Options > Edit Safety Program menu command.
3. Click the "Password..." button in the dialog box that appears.
4. In the "Password" dialog box that appears, click the "Cancel Access Rights" button.

4.9 Configuration in Run
There are process control systems that may not be switched off during operation,
e.g. due to the complexity of the automated process, or expensive restart costs.
Nevertheless, a change or expansion of the process control system may be
required. Configuration in Run (CiR) makes this possible. The program execution
will be stopped for a certain time up to 2500 ms. During this time, the process
outputs keep their current value. In particular, in process control systems, this has
no effect on the process.
Before using the information below, please review the CiR procedures in the
manual How to Modify the System during Operation with CiR.

Calculate the Monitoring Times

When loading a Safety Program, it is necessary to calculate all safety monitoring times within the F-System, including the CiR synchronization time, in order to determine which monitoring time settings are necessary for use with CiR. If these values are unacceptable for the process, you can recalculate the monitoring time by reducing the CiR synchronization time. To reduce the CiR synchronization time, you have the following possibilities:

- reduce the number of input and output bytes of the master system
- reduce the number of guaranteed slaves of the master systems to be changed
- reduce the number of master systems changed within one CiR event

To calculate the safety monitoring times, use the spreadsheet:
\\Step7\S7BIN\S7FTIMEB.XLS
Limitation of the CiR Synchronization Time
The F-CPU compares the actual calculated CiR synchronization time with the current upper limit of the CiR synchronization time. If the calculated value is less than the upper limit, the CiR is carried out. The default value of the upper limit of the CiR synchronization time within the CPU is 1 second. This value can be changed by using SFC 104 to reduce or enlarge the upper limit in the range of 200 ms to 2500 ms. You can find the detailed description of SFC 104 in the manual "SIMATIC System Software for S7-300/400 System and Standard Functions".

Configuration of F-I/Os via CiR

With CiR you can add a new F-I/O to your system or delete an existing F-I/O from your system. The following procedures show you how to do this:

Adding F-I/Os via CiR

To add a new F-I/O to your system, follow these steps:

- Configure the new F-I/O in HWCONFIG according to the manual How to Modify the System during Operation with CiR (handle it like a standard module).
- Calculate the monitoring time for this F-module (see Calculate the Monitoring Time for Communication between the F-CPU and the F-I/O) and use it to update the monitoring time for this F-module in HWCONFIG.
- Modify your Safety Program (add safety logic, channel driver and module driver for this module).
- Deactivate safety mode (see Deactivating Safety Mode).
- Download your Safety Program.
- Download your configuration via CiR.
- Activate safety mode (see Activating Safety Mode).

Deleting F-I/Os via CiR


To delete an already existing F-I/O from your System, follow these steps:

Delete the F-I/O within HWCONFIG according to the manual, How to Modify
the System during Operation with CiR (handle it like a standard module)

Modify your safety program (delete safety logic, channel driver and module
driver for this module)

Deactivate safety mode (see Deactivating Safety Mode)

Download your safety program

Download your configuration via CiR

Activate safety mode (see Activating Safety Mode)

Note
You can only delete an existing F-I/O via CiR if the module was added to the
system via CiR.
Changing an existing configuration of an F-I/O is not possible.


5 Programming

5.1 Overview

5.1.1 Structure of the Safety Program
The following figure illustrates the structure of a Safety Program in the
programming device/ES and CPU schematically:

Figure (schematic): On the programming device/ES, the user's STEP 7 project holds
the hardware configuration and the CFC charts. The charts draw on the Standard
library, the S7 F System library and the Failsafe Blocks V1_2 library, the latter
containing the F Control Blocks, the Simulation Blocks and the F User Blocks. In the
CPU, the standard program addresses the standard SMs and the Safety Program
addresses the F-SMs.

The user program in the CPU is usually made up of a standard and a fail-safe
section. The safety functions are programmed in CFC using fail-safe blocks.


5.1.2 Blocks of the Safety Program

Fail-Safe Blocks
A Safety Program can contain the following fail-safe blocks:

Fail-safe blocks that can be inserted by the user (F user blocks)

F User Blocks                                         Function

F-Driver: F_CH_DI, F_CH_AI, F_CH_DO                   Channel driver for the input and output signals of the F-I/Os
Conversion: F_BO_FBO, F_I_FI, F_R_FR, F_TI_FTI        Conversion from standard to F-data types
Conversion: F_FBO_BO, F_FI_I, F_FR_R, F_FTI_TI        Conversion from F to standard data types
F_QUITES                                              Fail-safe acknowledgment via the ES/OS
F_FR_FI                                               Conversion from F_REAL to F_INT
RTG-RTG communication: F_S_BO, F_S_R, F_R_BO, F_R_R   Communication between F-run-time groups
CPU-CPU communication: F_SENDBO, F_SENDR,             Communication with Safety Programs on other CPUs
  F_RCVBO, F_RCVR
F_START                                               Signals a cold restart or warm restart


In addition, fail-safe blocks are also available for standard functions such as
arithmetic, logic, multiplexing, etc. You can find a complete list of the fail-safe
blocks in the Appendix.

F Control blocks are automatically inserted during compilation and are never
to be inserted by the user.

F Control Blocks                                      Function

F_CYC_CO                                              F cycle time monitoring
F_M_DI24, F_M_DI8, F_M_AI6, F_M_DO10, F_M_DO8         F module driver for PROFIsafe communication with F-I/Os
F_PLK, F_PLK_O                                        Logical program execution monitoring and data flow monitoring
F_TESTC                                               Monitoring of the self-tests of the operating system
F_TEST                                                Self-tests executed in each cyclic interrupt cycle
F_TESTM                                               Switching of safety mode on and off
F_SHUTDN, DB_INIT, RTG_LOGIC, FAIL_MSG                Safety Program shutdown and restart logic blocks

Simulation blocks (F-simulation blocks) that are used in the offline simulation
of the Safety Program with PLCSim 5.0. PLCSim 5.1 does not use the
simulation blocks.

Libraries with Different Versions


Several versions of the "Failsafe Blocks" library can exist on a programming
device/engineering system at the same time. However, a Safety Program can only
contain blocks of the same version. Programs that contain blocks from libraries
with different versions cannot be compiled.


5.2 Creating Safety Programs

5.2.1 Creating a Safety Program - Basic Procedure

Prerequisites

The project structure must be created in SIMATIC Manager. The Safety
Program must be assigned to an F-capable CPU (e.g. a CPU 417-4H).

A chart folder must be created for CFC under the S7 program.

The hardware components of the project and, in particular, the CPU and the
F-signal modules must be configured and assigned parameters.

Basic Procedure
The following basic procedure applies when creating a Safety Program:
1. Define the program structure.
2. Insert CFC charts.
3. Insert run-time groups (applies to CFC V5.2).
4. Insert F-function blocks.
5. Parameterize and interconnect the F-function blocks.
6. Compile the Safety Program.
7. Load the Safety Program.
8. Test the Safety Program. If the test is not OK, change the Safety Program and
test again.
9. On-site acceptance of the Safety Program, e.g. by an expert.


5.2.2 Safety Notes for Programming

A Safety Program can only be compiled to be executable under an F-capable
CPU (e.g. CPU 417-4H).

The Safety Program must be created in CFC using special F-Blocks from the
Failsafe Blocks library. The name of the library must not be changed.

During compilation the Safety Program is changed automatically, and F-specific
sections are added. These are modified parameter values and
additional blocks. These modifications are visible in the CFC chart.

Safety Note: Compiler-generated values are off-limits

Placements, interconnections and parameter assignments of F-Blocks
automatically executed during compilation must not be changed!

The COMPLEM and PARID structural components of F-data types must not be
manipulated.

Control blocks inserted automatically must not be changed.

Parameters not visible in F blocks and parameters marked as
non-interconnectable (UDA s7_visible, s7_link) must not be interconnected or
parameterized.

Fail-safe blocks must not be manipulated (deleted, inserted) offline or online in the
block container.
Online modifications of the fail-safe I/Os in SIMATIC Manager made, for example,
by controlling variables or forcing are not permissible and will result in the Safety
Program being disabled if fail-safe blocks V1.2 or later are used.
You must not operate Safety Programs directly when safety mode is activated! You
can enter safety parameters for unconnected inputs:

from the standard program, using fail-safe conversion blocks with an
additional plausibility check

in CFC test mode and with safety mode deactivated.

If you don't comply with these safety guidelines, you also risk the Safety Program
becoming disabled.


Notes on Working With CFC

Safety Note: Compression Changes Signature

Compressing CFC programs changes the overall signature of the program!
If the program has to be compressed, carry out the compression before it is
accepted.

The fail-safe blocks in the Fail-safe Blocks library are highlighted in color in the
CFC chart. They are colored yellow to indicate that it is a safety program.
The CFC charts and run-time groups with F-Blocks are yellow and marked with an
"F" to differentiate them from the charts and run-time groups of the standard
program.


5.2.3 Defining the Program Structure

Rules for the Program Structure


You must comply with the following rules when you design a user program for the
S7 F/FH Systems:

You can combine standard and Safety Program sections within a CPU.

Multiple charts with fail-safe blocks are permissible for each priority class (task
or OB).

Run-time groups with fail-safe blocks can only be assigned to OB3x cyclic
interrupts (OB 30 to OB 38).

It is recommended to place all the blocks in a chart, with the exception of the
module driver, in the same run-time group whenever possible. A run-time
group can, however, contain blocks from several charts.

A chart may contain both F-blocks and standard blocks, as long as the F-blocks
are in separate run-time groups from the standard blocks, and as long
as the charts are not compiled as block types.

You can only access the F-I/Os in the Safety Program via the F channel
drivers, which make the process signals available in the safe data format.

As of about 1000 blocks, you have to distribute the Safety Program to several
F-run-time groups; otherwise, it can't be compiled.

A maximum of 110 run-time groups is permitted.

Specifications for the Safety Program


When you design a user program for the S7 F/FH Systems, you must also make
the following decisions in addition to what is required for a standard system:

Which sections of the user program have to be fail-safe?
You must create separate CFC charts and run-time groups for these sections
of the user program.

Which OB3x cyclic interrupts do the fail-safe sections of the user program have
to be assigned to? With which priorities and cycle times?
You must configure these OBs for the CPU.

Note
You can improve the performance by removing the non-safety-related functions
from the Safety Program section and leaving them in the standard program
section. This particularly includes functions such as reporting, monitoring etc.
When distributing functions between the standard and fail-safe section of the
program, note that it is easier to change the standard section of the program and
download it to the CPU. Changes to the standard section do not normally require
acceptance.


For Fault-Tolerant Systems


In fail-safe and fault-tolerant S7 FH Systems, one or more separate cyclic
interrupts with a high priority should be reserved for the Safety Program. This is
necessary to prevent time monitoring being initiated in the case of a
master/standby switchover. To do this, you must configure the OB3x cyclic
interrupts provided for the Safety Program on the "Cyclic Interrupts" tab in the CPU
properties with a priority > 15. No standard blocks should then be placed in these
OBs.

5.2.4 Inserting CFC Charts

Rules for the CFC Charts of the Safety Program


Please note that separate charts must be created for the fail-safe section of the
user program.

Procedure
You can create individual CFC charts in the chart folder in the usual way:

By choosing the Insert > S7 Software > CFC menu command in SIMATIC
Manager

By choosing the Chart > New menu command in the CFC editor

Chart in Chart
In order to structure a program according, for example, to process-related aspects,
you can use a CFC chart within a CFC chart (Chart in Chart). This enables you to
use solutions already in existence as often as you want. You can find out how to
create Chart in Chart charts, assign them I/Os and insert them in other CFC charts
in the CFC online help system.

Note
If you nest a chart in another chart, you must make sure that the blocks of the
lower-level chart are in the same run-time group as those of the higher-level chart
(of the basic chart). If necessary, move them. Otherwise, you will receive an error
message when the Safety Program is compiled.
Chart outputs of a lower-level chart that are not interconnected internally cannot be
interconnected further in the higher-level chart.


5.2.5 Inserting Run-Time Groups (applies to CFC V5.2 only)


Rules for the Run-Time Groups of the Safety Program

The F-blocks must not be inserted directly in tasks/OBs; instead, they must be
inserted in run-time groups.

A separate CFC chart containing the F_CYC_CO block is required for F cycle
time monitoring. In every cyclic interrupt OB to which F-run-time groups are
assigned, this chart must be in a separate run-time group. In the run sequence
of an OB, this run-time group must be called before all the other run-time
groups with F-Blocks of this OB. This is created automatically during
compilation.

We recommend the following to achieve F cycles of an equal length: If F and
standard run-time groups are combined in a cyclic interrupt OB, the F-run-time
groups should be executed before the standard run-time groups.

Note
A fail-safe run-time group must keep the default values for the Scan and Offset
run-time properties as follows:
Scan = 1
Offset = 0
It is unsafe to change these values; attempting to do so causes an error to be
posted.

Procedure
Insert the run-time groups in the CFC run sequence editor in the usual way:

by choosing the Insert > Run-Time Group menu command, or

by choosing the pop-up menu command Insert Run-Time Group (right mouse
button)

Specify the run sequence by selecting a run-time group, a chart or a block as
"Predecessor for Installation", using the right mouse button or Shift+F11.


5.3 Inserting and Interconnecting Fail-Safe Blocks

5.3.1 Inserting Fail-Safe Blocks


Blocks are inserted in the chart by dragging and dropping them from the F User
Blocks folder of the Failsafe Blocks library. Each block can be inserted as often
as you want.

Note
If a block type has already been inserted from the library, it can be inserted more
quickly the next time from the "CFC Catalog". Note that although fail-safe blocks
and conversion blocks that convert F-data types to standard data types are
distributed to the usual block groups, they are easy to recognize because they are
colored yellow and their names always begin with F_.

Rules for Fail-Safe Blocks

Fail-safe blocks must be inserted in separate charts in which there must not be
any standard blocks.

The F blocks in the F Control Blocks folder are automatically inserted when
the chart is compiled; you must not insert these blocks. Exception: Manual
insertion of the F module drivers.

Fail-safe block instances must not be placed in multiple F-run-time groups.
This may occur due to an F-run-time group being copied to or inserted in
another task.

You must not use the names of the fail-safe blocks for other blocks or rename
the fail-safe blocks.

Safety Note: Symbol Table Entries for F-Blocks cannot be changed

The names of the fail-safe blocks in the "Symbol" column of the symbol table of
your user program must not be changed or deleted.
If a change to the block names in the symbol table is detected, the compilation of
the Safety Program is rejected with the following error message:
"Block type xxx does not correspond to the standard in the "Fail-safe Blocks"
library [Import the block again from the "Fail-safe Blocks" library into the block
catalog and the chart folder of the program]"
This also applies to changes in the symbol table assigned to the "Fail-safe Blocks"
block library.
If changes to F-Block names are detected, you can correct the names of the
fail-safe blocks in the symbol table. You can find the correct names in the "Name
(Header)" text box on the "General" tab in the "Object Properties" dialog box for the
block.

See Also
Fail-Safe Blocks


5.3.2 Automatically Inserted F-Blocks


When a CFC chart with fail-safe blocks is compiled, the following F-Control blocks
are inserted automatically in the Safety Program:

F_SHUTDN

DB_INIT

RTG_LOGIC

FAIL_MSG (part of RTG_LOGIC block type)

DB_RES

F_CYC_CO

F_PLK

F_PLK_O

F_TEST

F_TESTC

F_TESTM

The following F module drivers can be inserted automatically (through Generate
Module Drivers) or manually:

F_M_DI24

F_M_DI8

F_M_AI6

F_M_DO8

F_M_DO10

Safety Note: Do not change automatically inserted F-Control Blocks

The automatically inserted F-Control Blocks are visible after compilation. You must
not delete or change these blocks in any way. This may result in errors at the next
compilation.


5.3.3 Interconnecting and Assigning Parameters to F-Blocks


You can assign parameters to the inputs and outputs of the F-Blocks or
interconnect them with other blocks.

Rules for Interconnecting F-Blocks

Safety Note: Incorrect changes to fail-safe block input parameters may
result in the Safety Program and its outputs being disabled.

Changes to fail-safe block input parameters with F-data types can be made in the
following ways:

Using CFC offline.

Using CFC test mode with safety mode deactivated.

Online changes made to F-data types when safety mode is activated or by means
other than CFC test mode, will result in a Safety Program and its outputs being
disabled.

Certain inputs and outputs of the fail-safe blocks are automatically supplied
when the charts are compiled. By default, these I/Os are not visible, but they
can be made visible.

You must not change the I/Os that are supplied automatically. You can find out
whether an I/O is automatically supplied in the block description under Fail-Safe
Blocks or in the online help system.

EN/ENO I/Os of the F-blocks and run-time group enables must not be
interconnected. EN must not be assigned the value 0 (FALSE).

We recommend that you do not configure a phase offset or a scan rate for
run-time groups. If you do, you must take this into consideration when configuring
the monitoring times.

Only I/Os with standard data types can be interconnected using global
operands.

The F-data types are implemented in the program as structures in which only
the first component, Data, has the relevant value.

Note
When you assign parameters to an I/O to which an F-data type is assigned, you
can only assign a value to the first component, DATA. The other components of
the structure are automatically supplied with values during compilation of the
program.


Recommendation: meaningful names for placed blocks


Give each block placed a meaningful name. You can choose any name.

Assigning a Value to a Fail-Safe I/O


To assign a value to a fail-safe I/O of an F-Block, proceed as follows:
1. Open the sheet view of the F-Block.
2. Select the I/O and open Object Properties by double-clicking it, for example.
Result: The "Select Structure Element" dialog box appears.

3. Double-click the first structure element in the "Select Structure Element" dialog
box.
Result: The "Properties Inputs/Outputs" dialog box appears.
4. Enter the desired value in the "Value" text box and confirm with "OK".


5. Close the "Select Structure Element" dialog box.


Result: The new value is displayed on the I/O.

See Also
F-Data Types

5.3.4 Defining the Run Sequence

Run-Time Properties
The run-time properties of a block define the position of this block in the
chronological processing sequence within the overall structure of the PLC. These
properties are decisive in the behavior of the PLC with regard to response times,
dead times or the stability of time-dependent structures such as control loops.
When a block is inserted, it receives default run-time properties: it is placed in a
task at a position you can set. You can change this installation position
and other attributes to suit your requirements at a later date.

Run Sequence Within a Run-time Group


Note
The run sequence is checked at the beginning of compilation of the Safety
Program. The following F-Blocks are placed in the correct run sequence
automatically when the Safety Program is compiled:

F Control Blocks including F Module Driver Blocks

Blocks for F Communication Between CPUs

F-System Blocks

Blocks for Converting Data Between Standard and Safety Sections

You must arrange your blocks in the following sequence:

F Input Channel Drivers (F_CH_DI, F_CH_AI)

All other F-Blocks not listed in the Note above

F Output Channel Drivers (F_CH_DO)

After the program is compiled for the first time (or modified), the CFC editor will
automatically place (or adjust) system level run-time groups necessary for the
Safety Program operation. These run-time groups have the @ symbol preceding
the name of the run-time groups. These run-time groups contain the following
function blocks that are placed automatically:


F_TESTM: Automatic placement of the F_TESTM block and associated chart in the
slowest OB that contains a piece of the fail-safe program.
F_CYC_CO: Automatic placement of an F_CYC_CO block and associated chart in
each OB that contains a piece of the fail-safe program. The user will be requested
to enter the maximum cycle time (MAX_CYC) at the first compile.
F_TEST/F_TESTC: Automatic placement of the F_TEST and F_TESTC blocks and
associated chart in each OB that contains a piece of the fail-safe program.
Shutdown Logic: Automatic placement of the Shutdown Logic for the fail-safe
program. This includes all necessary blocks and charts and any connections
to the fail-safe RTGs.

Note
Please note that although the CFC Editor automatically creates the necessary
logic for the user's Safety Program, it may not delete it once the user deletes the
Safety Program. If the user wishes to delete the Safety Program, the user may
have to manually delete the Safety Program's system-level run-time groups.

You may arrange your fail-safe user logic in any run-time order (following the
above guidelines). You may mix standard and fail-safe run-time groups, as shown
in the graphic below. In the example below, there are three user standard run-time
groups, which are S1, S2, and S3. There are two fail-safe user run-time groups
that are placed and the CFC Editor automatically places the @ run-time groups.
You should place the fail-safe run-time groups before the standard run-time groups
in the run sequence if possible. This will avoid any variable amounts of delay
encountered when executing the standard run-time groups before the execution of
the fail-safe diagnostics.


Note
Please be aware that by mixing standard and fail-safe run-time groups, you
could possibly jeopardize your MAX_CYC maximum cycle time. The more
logic you add to the other run-time groups in the fail-safe OB3xs, the greater
the chance of encountering a scan overrun if care isn't taken.

Defining the Run Sequence


Define the run sequence in CFC in the usual way:
1. Choose the Edit > Run Sequence menu command to open the run sequence
view.
2. Drag and drop the blocks in the run-time groups in the required sequence.
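The structuring rules of sections 5.2.3, 5.2.5 and this section (F run-time groups only in OB30 to OB38, Scan = 1 and Offset = 0, no F-blocks directly in an OB, no standard blocks in an F run-time group, the F_CYC_CO group first in each OB, input channel drivers before other F-blocks before output channel drivers, at most 110 run-time groups, a split at about 1000 blocks, and F groups preferably ahead of standard groups) can be checked offline before compilation. The script below is an added example written for this page; it is not part of STEP 7, CFC or the Failsafe Blocks library, and since CFC is graphical it works on a constructed description of the run sequence. The OB, run-time group and block instance names are assumed, and F_AND4 and CTRL_PID stand in for any fail-safe and standard block type.

```python
"""Offline check of the S7 F-System structuring rules for a CFC run sequence.

Added example for this manual page; it is not a STEP 7 / CFC function. The run
sequence is described with constructed dataclasses instead of a real CFC export.
"""
from dataclasses import dataclass, field

# Rule constants stated in the manual (sections 5.2.3, 5.2.5 and 5.3.4).
F_CYCLIC_OBS = range(30, 39)       # F run-time groups only in OB 30 .. OB 38
MAX_RUNTIME_GROUPS = 110           # 110 run-time groups maximum
MAX_BLOCKS_PER_F_GROUP = 1000      # "as of about 1000 blocks" the program must be split
INPUT_DRIVERS = {"F_CH_DI", "F_CH_AI"}
OUTPUT_DRIVERS = {"F_CH_DO"}
CYCLE_MONITOR = "F_CYC_CO"


@dataclass
class Block:
    name: str
    block_type: str

    @property
    def is_f(self) -> bool:
        # Fail-safe block type names always begin with "F_" (section 5.3.1).
        return self.block_type.startswith("F_")


@dataclass
class RunTimeGroup:
    name: str
    blocks: list
    scan: int = 1                  # run-time property "Scan"
    offset: int = 0                # run-time property "Offset"

    @property
    def is_f(self) -> bool:
        return any(b.is_f for b in self.blocks)


@dataclass
class OB:
    number: int
    groups: list                   # run-time groups in run-sequence order
    loose_blocks: list = field(default_factory=list)   # blocks placed directly in the OB


def _stage(block: Block) -> int:
    """Required order inside an F run-time group: input drivers, other F-blocks, output drivers."""
    if block.block_type in INPUT_DRIVERS:
        return 0
    if block.block_type in OUTPUT_DRIVERS:
        return 2
    return 1


def check_program(obs: list) -> list:
    """Return the list of rule violations; an empty list means the structure is acceptable."""
    findings = []
    total = sum(len(ob.groups) for ob in obs)
    if total > MAX_RUNTIME_GROUPS:
        findings.append(f"{total} run-time groups exceed the maximum of {MAX_RUNTIME_GROUPS}")
    for ob in obs:
        for b in ob.loose_blocks:
            if b.is_f:
                findings.append(f"OB{ob.number}: F-block {b.name} is placed directly in the OB")
        f_idx = [i for i, g in enumerate(ob.groups) if g.is_f]
        if not f_idx:
            continue
        if ob.number not in F_CYCLIC_OBS:
            findings.append(f"OB{ob.number}: F run-time groups are only permitted in OB30..OB38")
        first_f = ob.groups[f_idx[0]]
        if not any(b.block_type == CYCLE_MONITOR for b in first_f.blocks):
            findings.append(f"OB{ob.number}: first F run-time group '{first_f.name}' does not hold {CYCLE_MONITOR}")
        std_idx = [i for i, g in enumerate(ob.groups) if not g.is_f]
        if std_idx and min(std_idx) < max(f_idx):
            findings.append(f"OB{ob.number}: warning, a standard run-time group runs before an F run-time group")
        for i in f_idx:
            g = ob.groups[i]
            if (g.scan, g.offset) != (1, 0):
                findings.append(f"{g.name}: F run-time group must keep Scan=1 and Offset=0")
            mixed = [b.name for b in g.blocks if not b.is_f]
            if mixed:
                findings.append(f"{g.name}: standard blocks {mixed} mixed into an F run-time group")
            if len(g.blocks) > MAX_BLOCKS_PER_F_GROUP:
                findings.append(f"{g.name}: more than {MAX_BLOCKS_PER_F_GROUP} blocks, split into several F run-time groups")
            seen = -1
            for b in g.blocks:
                if _stage(b) < seen:
                    findings.append(f"{g.name}: {b.name} ({b.block_type}) runs after a block of a later stage")
                seen = max(seen, _stage(b))
    return findings


def example_obs() -> list:
    """Constructed sample: OB35 follows the rules, OB1 and OB36 each break them."""
    good = OB(35, [
        RunTimeGroup("@F_CYC_CO_35", [Block("CYC35", "F_CYC_CO")]),
        RunTimeGroup("F_RTG1", [Block("DI1", "F_CH_DI"), Block("AND1", "F_AND4"),
                                Block("DO1", "F_CH_DO")]),
        RunTimeGroup("S1", [Block("PID1", "CTRL_PID")]),
    ])
    wrong_ob = OB(1, [
        RunTimeGroup("@F_CYC_CO_1", [Block("CYC1", "F_CYC_CO")]),
        RunTimeGroup("F_RTG_X", [Block("DI2", "F_CH_DI")]),
    ])
    wrong_order = OB(36, [
        RunTimeGroup("@F_CYC_CO_36", [Block("CYC36", "F_CYC_CO")]),
        RunTimeGroup("F_RTG2", [Block("DO2", "F_CH_DO"), Block("AND2", "F_AND4")], scan=2),
    ])
    return [good, wrong_ob, wrong_order]


if __name__ == "__main__":
    for line in check_program(example_obs()):
        print(line)
```

Running the script lists three findings for the constructed sample: the F group in OB1, the changed Scan property of F_RTG2, and the F_AND4 instance that runs after the output channel driver. The ordering of F groups ahead of standard groups is reported as a warning only, because the manual states it as a recommendation.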

5.3.5 Interconnecting F-Driver Blocks

Available F-Driver Blocks


The Fail-safe Blocks (V1_2) library has two types of driver blocks to access the F-I/Os:

F channel drivers to access the input/output channels of the F-I/Os. One F
channel driver block is required for each input or output channel of an F-signal
module used. Exception: Only one F channel driver is required for two
redundant channels. You must insert the required F channel drivers in the CFC
chart.

F module drivers for PROFIsafe communication between the safety program
and the F-I/Os. One F module driver is required for each module. You can
insert and interconnect the required F module drivers manually or
automatically.

The following F module driver blocks are available:

F-Signal Module            F Module Driver   F Channel Driver

SM 326 DI 8xNAMUR          F_M_DI8           F_CH_DI
SM 326 DI 24xDC24V         F_M_DI24          F_CH_DI
SM 336 AI 6x13Bit          F_M_AI6           F_CH_AI
SM 326 DO 10xDC24V/2A      F_M_DO10          F_CH_DO
ET 200S F-DI               F_M_DI8           F_CH_DI
ET 200S F-DO               F_M_DO8           F_CH_DO
ET 200S PM-E F             F_M_DO8           F_CH_DO
ET 200S PM-DF              F_M_DO8           F_CH_DO

The F channel drivers must be interconnected with the associated F module driver
via the CHADDRxx I/O. One MOD_D1/D2 module diagnostic block can also be
inserted for each F module driver (see the figures below).


Example: F-Driver for Digital Input Module SM 326 DI 8xNAMUR


Figure: The F_M_DI8 module driver is parameterized with the logical address of the
module on LADDR (and LADDR_R for a redundant partner) and with TIMEOUT; it
provides the outputs CHADDR00 ... CHADDR07 and the diagnostic outputs
DIAG_1/DIAG_2. Each channel driver F_CH_DI (channel 00 ... channel 07) has its
VALUE input interconnected with the symbolic address of its channel and its
CHADDR input with the matching CHADDRxx output of F_M_DI8, and delivers the
fail-safe signal on its output (QN). A MOD_D1 module diagnostic block is attached
to the module driver.

The F-drivers for the digital input module SM 326 DI 24xDC24V and for the analog
input module SM 336 AI 6x13Bit normally have the same configuration with the
corresponding number of channels.

Example: F-Driver for Digital Output Module SM 326 DO 10xDC24V/2A


Figure: Each channel driver F_CH_DO (channel 00 ... channel 09) has its VALUE
I/O interconnected with the symbolic address of its channel and its CHADDR input
with the matching output CHADDR00 ... CHADDR09 of the F_M_DO10 module
driver. F_M_DO10 is parameterized with the logical addresses of the modules on
LADDR/LADDR_R and with TIMEOUT, provides the diagnostic outputs
DIAG_1/DIAG_2, and has a module diagnostic block attached.

You can find descriptions of the blocks under "Driver Blocks for F-I/Os" or in the
online help system.


Drivers for the F-I/Os in Standard Mode


If you use the F-I/Os in standard mode, you can use the standard channel drivers
from the PCS 7 Driver Blocks library.

Rules for F-Driver Blocks

The VALUE I/O of the F channel driver must be interconnected with the
symbolic address of the channel. In the case of redundant channels, the
VALUE I/O must be interconnected with the symbolic address of the channel
with the lower address.

A fail-safe signal on the ACK_REI input of each channel driver is required to
reintegrate an input or output channel. The signal must come from a fail-safe
digital input module or via the F_QUITES F block from an ES or OS.

Sequence: See Defining the Run Sequence.

Prerequisite
Symbolic names: Enter a symbolic name for each channel used. You must
allocate this name to the VALUE I/O of the associated F channel driver. We
recommend, for the sake of clarity, that you also enter the unused channels in the
symbol table as reserved or not used.

Procedure
When working with F-driver blocks, proceed as follows:
1. Insert the correct F channel driver for each configured input/output channel.
You only have to insert one F channel driver for each pair of redundant
channels.
2. Interconnect the VALUE I/O in each F channel driver with the symbolic name
of the associated channel. This step is required for all F channel drivers
placed. In the case of redundant modules, interconnect the VALUE I/O with the
lower channel address.
3. Interconnect the following with the required signals:
- the I inputs of the F channel drivers F_CH_DO
- the Q outputs of the F channel drivers F_CH_DI
- the V outputs of the F channel drivers F_CH_AI
These I/Os are F_BOOL or F_REAL types and should only be interconnected with I/Os of
the same type belonging to other fail-safe blocks.
4. Set the relevant ACK_NEC input to "1" if user acknowledgment is required with
automatic reintegration of the channel. The ACK_NEC input is preset with "0"
(optional, see "Passivation and Reintegration").
5. Optional: Evaluate the ACK_REQ output in the standard program or on the OS
to find out if user acknowledgment is required.


6. Optional: Interconnect the QBAD output to find out if a substitute value or a valid
process value is output.
7. Optional: Evaluate the QUALITY output in the standard program or on the OS
to obtain the quality code (value status) of the process value.
8. Interconnect the relevant ACK_REI input with the signal for the
acknowledgment of reintegration (see "Passivation and Reintegration").
9. Interconnect the simulation I/Os (optional, see "Simulation Mode").
10. Interconnect the diagnostic outputs DIAG_1/DIAG_2 of the F module drivers
F_M_DI8 or F_M_DI24 if you want to evaluate in the standard program
whether discrepancy errors have occurred (optional, see Descriptions of the F
Driver Blocks). You can use this information to program messages about
discrepancy errors to the OS.
11. Place and interconnect the F module drivers manually or automatically.

Note
You can read out byte 0 of DIAG_1/DIAG_2 for service purposes in the event of an
error in CFC test mode.

Placing and Interconnecting the F Module Drivers Automatically


You have two options:

At any time before you compile the Safety Program: In SIMATIC Manager, choose
the Options > Charts > Generate Module Drivers menu command. Open the
Properties dialog box and make sure that the PCS 7 Drivers\PCS 7 Drivers\Blocks
library is set. Confirm by clicking OK twice.

At compilation of the Safety Program: In CFC, choose the Chart > Compile >
Charts as Program menu command. Select the "Generate Module Drivers" check
box in the dialog box. Confirm with OK.


In both cases, the necessary F module drivers and module diagnostic blocks are
automatically inserted into separate CFC charts called @F1, @F2, ... and
interconnected. The instances of the F module drivers automatically receive the
name you have entered in HWCONFIG for the associated F-I/O (F_Name_x). See
the chapter entitled "Parameterization of the F-I/Os".

Placing and Interconnecting the F Module Drivers Manually


Proceed as follows:
1. Insert the appropriate F module driver in any F chart for each configured
Fail-safe signal module. Only one F module driver is required for the two modules
when Fail-safe signal modules are in a redundant configuration.
2. For each F channel driver, interconnect the CHADDR I/O with the
corresponding CHADDRxx I/O of the F module driver, as shown in the
examples above. Make sure that the channel number xx of the CHADDRxx I/O
corresponds to the channel number of the F channel driver.
3. Allocate the logical start address of the Fail-safe signal module to the LADDR
I/O for each F module driver. In the case of redundant modules, allocate the
logical start address of the second module to the LADDR_R I/O in addition.
We recommend that you use the same instance name for the F module driver as
you used in HWCONFIG for the associated F-I/O (F_Name_x). See the chapter
entitled "Parameterization of the F-I/Os".
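The wiring rules of this section (one channel driver per channel or redundant pair, VALUE wired to the channel's symbolic address and, for redundant channels, to the lower address, CHADDR matched to a CHADDRxx pin of the right module driver, LADDR and LADDR_R assigned, a fail-safe signal on ACK_REI) can likewise be checked offline. The script below is an added example for this page and not a CFC or Failsafe Blocks library function. Module and channel instance names, symbol names and logical addresses are constructed; the number of CHADDRxx pins per module driver is read from the driver name, which the figures above confirm for F_M_DI8 (CHADDR00 ... CHADDR07) and F_M_DO10 (CHADDR00 ... CHADDR09) and which is an assumption for the other drivers; and the "lower address" rule for a redundant pair is approximated by requiring the symbol's byte address to lie between the two modules' start addresses.

```python
"""Offline consistency check of F channel driver / F module driver wiring.

Added example for this manual page; it is not a CFC or Failsafe Blocks library
function. Instance names, symbols and logical addresses are constructed.
"""
import re
from dataclasses import dataclass

# Module driver -> (required channel driver, number of CHADDRxx pins).
# Pin counts follow the driver name; the manual's figures show this for F_M_DI8
# and F_M_DO10, for the other drivers it is an assumption.
MODULE_DRIVERS = {
    "F_M_DI8": ("F_CH_DI", 8),
    "F_M_DI24": ("F_CH_DI", 24),
    "F_M_AI6": ("F_CH_AI", 6),
    "F_M_DO10": ("F_CH_DO", 10),
    "F_M_DO8": ("F_CH_DO", 8),
}
CHADDR_RE = re.compile(r"^CHADDR(\d{2})$")


@dataclass
class ModuleDriver:
    instance: str
    block_type: str
    laddr: int = None            # LADDR: logical start address of the module
    laddr_r: int = None          # LADDR_R: start address of the redundant partner


@dataclass
class ChannelDriver:
    instance: str
    block_type: str
    module: str                  # instance name of the F module driver it is wired to
    chaddr: str                  # module driver pin wired to CHADDR, e.g. "CHADDR03"
    value: str = None            # symbolic channel address wired to VALUE
    ack_rei: str = None          # fail-safe acknowledgment signal wired to ACK_REI


def check_drivers(modules: list, channels: list, symbols: dict) -> list:
    """symbols maps a symbolic name to its I/O byte address; returns the findings."""
    findings = []
    by_name = {m.instance: m for m in modules}
    used_pins = set()
    for m in modules:
        if m.block_type not in MODULE_DRIVERS:
            findings.append(f"{m.instance}: unknown F module driver type {m.block_type}")
        if m.laddr is None:
            findings.append(f"{m.instance}: LADDR is not assigned")
    for c in channels:
        m = by_name.get(c.module)
        if m is None or m.block_type not in MODULE_DRIVERS:
            findings.append(f"{c.instance}: CHADDR is not wired to a known F module driver")
            continue
        expected, pins = MODULE_DRIVERS[m.block_type]
        if c.block_type != expected:
            findings.append(f"{c.instance}: {c.block_type} does not fit {m.block_type}, expected {expected}")
        match = CHADDR_RE.match(c.chaddr)
        if not match or int(match.group(1)) >= pins:
            findings.append(f"{c.instance}: {c.chaddr} is not a channel pin of {m.block_type}")
        elif (c.module, c.chaddr) in used_pins:
            findings.append(f"{c.instance}: {c.module}.{c.chaddr} is already used by another channel driver")
        else:
            used_pins.add((c.module, c.chaddr))
        if c.value not in symbols:
            findings.append(f"{c.instance}: VALUE must be wired to a symbolic channel address")
        elif m.laddr is not None and m.laddr_r is not None:
            # Redundant pair: the symbol must belong to the lower-addressed module
            # (approximation: byte address between the two start addresses).
            low, high = sorted((m.laddr, m.laddr_r))
            if not low <= symbols[c.value] < high:
                findings.append(f"{c.instance}: VALUE must use the channel of the lower-addressed module")
        if not c.ack_rei:
            findings.append(f"{c.instance}: ACK_REI needs a fail-safe acknowledgment signal")
    return findings


def example_findings() -> list:
    """Constructed wiring: two correct channel drivers and two faulty ones."""
    symbols = {"Pump1_Run": 512, "Pump1_Run_R": 528, "Valve3_Cmd": 600, "Tank_Level": 640}
    modules = [
        ModuleDriver("F_DI_Rack1", "F_M_DI8", laddr=512, laddr_r=528),   # redundant pair
        ModuleDriver("F_DO_Rack1", "F_M_DO10", laddr=600),
    ]
    channels = [
        ChannelDriver("DI_Pump1", "F_CH_DI", "F_DI_Rack1", "CHADDR00", "Pump1_Run", "F_ACK"),
        ChannelDriver("DO_Valve3", "F_CH_DO", "F_DO_Rack1", "CHADDR03", "Valve3_Cmd", "F_ACK"),
        # wrong pin for an 8-channel module, partner symbol instead of the lower one, ACK_REI open
        ChannelDriver("DI_Pump1_bad", "F_CH_DI", "F_DI_Rack1", "CHADDR09", "Pump1_Run_R"),
        # analog channel driver hung on a digital output module driver
        ChannelDriver("AI_Level", "F_CH_AI", "F_DO_Rack1", "CHADDR04", "Tank_Level", "F_ACK"),
    ]
    return check_drivers(modules, channels, symbols)


if __name__ == "__main__":
    for line in example_findings():
        print(line)
```

For the constructed wiring the check reports four findings: three on DI_Pump1_bad (pin CHADDR09 outside CHADDR00 ... CHADDR07, VALUE wired to the partner module's channel, no ACK_REI signal) and one on AI_Level (an F_CH_AI cannot serve an F_M_DO10).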

Simulation Mode
For each input channel, you can specify a simulation value instead of the current
one received from the F-I/O. At an output, a simulation value can also be output
instead of the value at input I (e.g. for hardware tests). To output simulation values
on a channel, proceed as follows:
1. Activate the output of simulation values by interconnecting the SIM_ON input
with a constant 1 or a signal.
2. Interconnect the SIM_I input for F_CH_DI or F_CH_DO and SIM_V for
F_CH_AI with the desired signal, or parameterize it with the desired value.

Substitute Values
If the F-I/O or an F-driver block detects an error, substitute values are output from
the F-driver or from the F-I/O. In the case of digital input and digital output drivers,
the substitute value 0 is output, and the output QBAD=1 is set. In the case of
analog input drivers, depending on the parameter assignment, the substitute value
SUBS_V or the last valid value is output, and the output QBAD=1 is set (see the
description of F_CH_AI).


Safety Note: During simulation of input channels the simulation value is
always available on the block's output

In the event of an error with digital or analog input channels, if SIM_ON = TRUE then
simulation values are placed on the block's output instead of the substitute values.
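The behaviour described under "Simulation Mode", "Substitute Values" and in the Safety Note above, together with the reintegration via ACK_NEC/ACK_REI from the driver procedure, is easiest to see on a small state model. The class below is an added example written for this page; it is a simplified model, not the library's F_CH_AI or F_CH_DI block. The quality codes 16#48 (substitute value) and 16#44 (last valid value) are the ones given in section 5.3.6; the "good" code 16#80 and the level-triggered reading of ACK_REI are assumptions.

```python
"""Behaviour model of an F input channel driver (added example, not the library block)."""
from dataclasses import dataclass

QUALITY_SUBSTITUTE = 0x48   # 16#48: substitute value is output (section 5.3.6)
QUALITY_LAST_VALID = 0x44   # 16#44: last valid value is held (section 5.3.6)
QUALITY_GOOD = 0x80         # assumption: PCS 7 "good" code, not stated on this page


@dataclass
class FInputChannel:
    """Simplified F_CH_AI; with subs_on=True and subs_v=0 it also models F_CH_DI."""
    subs_on: bool = True       # SUBS_ON: True = output SUBS_V, False = hold last valid value
    subs_v: float = 0.0        # SUBS_V
    ack_nec: bool = False      # ACK_NEC: True = reintegration needs acknowledgment on ACK_REI
    sim_on: bool = False       # SIM_ON
    sim_v: float = 0.0         # SIM_V (SIM_I for the digital driver)
    last_valid: float = 0.0    # internal: last value accepted while the channel was healthy
    passivated: bool = False   # internal: channel is currently passivated
    ack_req: bool = False      # ACK_REQ output

    def cycle(self, process_value: float, fault: bool, ack_rei: bool = False) -> tuple:
        """One scan of the driver; returns (V, QBAD, QUALITY, ACK_REQ)."""
        if fault:
            # Channel fault reported by the F-I/O or detected by the driver: passivate.
            self.passivated = True
            self.ack_req = False
        elif self.passivated:
            # Fault gone: automatic reintegration, or wait for ACK_REI if ACK_NEC = 1
            # (simplified, level-triggered reading of the manual's description).
            if not self.ack_nec or ack_rei:
                self.passivated = False
                self.ack_req = False
            else:
                self.ack_req = True
        if not self.passivated:
            self.last_valid = process_value
            v = self.sim_v if self.sim_on else process_value
            return v, False, QUALITY_GOOD, False
        if self.subs_on:
            v, quality = self.subs_v, QUALITY_SUBSTITUTE
        else:
            v, quality = self.last_valid, QUALITY_LAST_VALID
        if self.sim_on:
            # Safety Note above: the simulation value replaces the substitute value.
            v = self.sim_v
        return v, True, quality, self.ack_req


def walk_through() -> list:
    """Analog channel holding the last valid value and requiring acknowledgment."""
    ch = FInputChannel(subs_on=False, ack_nec=True)
    return [
        ch.cycle(4.2, fault=False),                # healthy: 4.2, QBAD=0
        ch.cycle(9.9, fault=True),                 # fault: holds 4.2, QBAD=1, 16#44
        ch.cycle(5.0, fault=False),                # fault gone, not acknowledged: ACK_REQ=1
        ch.cycle(5.0, fault=False, ack_rei=True),  # acknowledged: reintegrated, 5.0, QBAD=0
    ]


def simulated_fault() -> tuple:
    """Digital channel with SIM_ON during a fault: simulation value, not the substitute 0."""
    ch = FInputChannel(subs_on=True, subs_v=0.0, sim_on=True, sim_v=1.0)
    return ch.cycle(0.0, fault=True)


if __name__ == "__main__":
    for step in walk_through():
        print(step)
    print(simulated_fault())
```

The last function is the case the Safety Note warns about: while SIM_ON is set, the output carries the simulation value even though the channel is passivated, so QBAD and QUALITY are the only indication that the value is not a process value.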

Error Handling and Diagnostics


You can find information on the diagnostic outputs of the F driver blocks under:

Error Handling of Driver Blocks

Error Information at the Outputs of the Driver Blocks

Configuring Messages
The same module diagnostic blocks are used for the F-I/Os as for the standard
modules. The following MOD, SUBNET and RACK blocks are inserted
automatically when you choose the Options > Charts > Generate Module
Drivers menu command:
                           Block     No.       Inserted

SM 326F DI 8xNAMUR         MOD_D1    FB 93     Per Fail-safe signal module
SM 326F DI 24xDC24V        MOD_D2    FB 93     Per Fail-safe signal module
SM 336F AI 6x13Bit         MOD_D1    FB 93     Per Fail-safe signal module
SM 326F DO 10xDC24V/2A     MOD_D1    FB 93     Per Fail-safe signal module
DP master system           SUBNET    FB 106    Per DP master system
Rack                       RACK      FB 107    Per rack

In contrast to the standard drivers, the F-driver blocks are not interconnected with
the PCS 7 blocks.

Note
Messages about the following are issued from the MOD, SUBNET and RACK
blocks: parameter assignment errors, module removed, module errors, channel
errors, rack failures and DP master system failures. I/O access errors cannot be
detected and reported by the diagnostic blocks.

5.3.6 Passivation and Reintegration of the Input and Output Channels

Passivation
Passivation means that, in the event of a fault/error, one or more channels of an F-I/O are switched to the safe state.
When a channel fault occurs (e.g. sensor defective), only the affected channel is
passivated. In the event of a module fault/error (e.g. communication error), all the
channels of the F-I/O are passivated. The messages on the ES/OS indicate
whether all channels or only specific channels of a fail-safe module are passivated.
Passivation can be triggered by the F-I/O, the F module driver or F channel driver
or by the user in the safety program.
If an F-I/O detects a fault/error, it switches the affected channel or all its channels
to the safe state. In other words, channels of this module are passivated. The F-I/O
reports the detected error to the F driver block.
- Passivation of output channels means that the outputs are de-energized.
  The F channel driver of a passivated digital output channel outputs a substitute
  value with the quality code (QUALITY) 16#48 and the output QBAD = 1 is set.
- Passivation of input channels means that substitute values are forwarded to
  the safety program regardless of the current process signal. The F channel
  driver of a passivated digital input channel outputs the substitute value 0 with
  the quality code (QUALITY) 16#48 and the output QBAD = 1 is set. Depending
  on the parameterization at the input SUBS_ON, the F channel driver of an
  analog input channel outputs a substitute value with the quality code
  (QUALITY) 16#48 or the last valid value with the quality code (QUALITY)
  16#44. In addition, the output QBAD = 1 is set and, if a substitute value is
  output, the output QSUBS = 1 is set as well.

Via the input PASS_ON, you can also switch the passivation of a channel on and
off in the safety program (e.g. depending on certain conditions in the execution of
the program). If PASS_ON = 1 is set, the channel is passivated as described
above. If PASS_ON = 0, passivation is canceled.

Group Passivation
In the event of a fault or error, other channels (of the same or different modules)
can be passivated by interconnecting the input PASS_ON with the output
PASS_OUT of another channel. For a group shutdown of several channels, all the
PASS_OUT outputs of the channels in this group are ORed, and the result is sent
to the PASS_ON inputs of all the channels in this group.
A group shutdown by means of PASS_OUT/PASS_ON can also be used to force a
simultaneous switchover to process values after a startup (cold or warm restart).

Reintegration After Error Correction
Reintegration means:
- Valid process values are output again on the output channels of the fail-safe
  output modules.
- The F channel drivers of the fail-safe input modules forward valid process
  values to the safety program again.

After an error/fault is corrected, a channel of a fail-safe module can be reintegrated
automatically or after a user acknowledgment. At the input ACK_NEC of an F
channel driver, you can specify whether a user acknowledgment is required:
- Value 0: automatic reintegration without user acknowledgment
- Value 1: request of user acknowledgment for reintegration after fault/error
  correction

If passivation is caused by setting PASS_ON = 1, no user acknowledgment is
required for reintegration.

Automatic Reintegration
If the input ACK_NEC is not set, after the correction of the fault/error (with the
exception of communication errors) reintegration (depassivation) of the affected
channel is carried out automatically:
- In the case of input modules - immediately
- In the case of output modules - within minutes, due to the need for test signal
  application

Note
After PROFIsafe communication errors, a user acknowledgment is always
required for reintegration (output ACK_REQ set), even when ACK_NEC is not set.

Safety Note Automatic Reintegration may not always be possible
The parameterization of the input ACK_NEC=0 is only permitted if automatic
reintegration is permissible for the process from a safety point of view.
The permissibility of automatic reintegration depends on the process and must be
agreed with the acceptance authority.

Safety Note Startup Protection to handle short power failures in the F-I/O.
Following a power failure in the F-I/O that is shorter than the watchdog time set for
the F-I/O in HW Config (see Safety Engineering in SIMATIC S7 system
description), automatic reintegration can occur, as is the case when ACK_NEC = 0,
regardless of your setting for ACK_NEC. If automatic reintegration for the affected
process is not permitted for this case, you must program startup protection by
evaluating the variables QBAD or PASS_OUT (see Programming Startup
Protection).
When a power failure occurs in the F-I/O and lasts longer than the watchdog time
set for the F-I/O in HW Config, the F-system detects a communication error (see
Passivation and Reintegration of the F-I/O after Communication Errors).

Reintegration After User Acknowledgment
If the input ACK_NEC is set, the reintegration of the input or output channel does
not take place until after a user acknowledgment with a positive edge at the input
ACK_REI of the F channel drivers. At the output ACK_REQ of the F channel driver,
a value of 1 indicates that the error has gone and that a user acknowledgment of
the reintegration is possible.
You can implement the user acknowledgment of reintegration in the Safety
Program as follows:
- A manual input using OS/ES (see below) or
- A hardware switch connected to a fail-safe input module.

Note
In the event of a PROFIsafe communication error on the fail-safe input module with
the hardware switch, manual acknowledgment of the input ACK_REI is no longer
possible. This can lead to blocking, which can only be corrected by means of a
startup (cold or warm restart).
We therefore recommend that the acknowledgment is also always possible via
ES/OS.

User Acknowledgment by Means of OS/ES
You can use the F_QUITES block in the following way for fail-safe
acknowledgment using a non-fail-safe Engineering System or Operator Station:
1. Insert the F_QUITES block in the run-time group of the F channel driver.
2. Interconnect the ACK_REI input of the F channel driver with the OUT output of
F_QUITES.

Safety Note Automatic Reintegration through F_QUITES
The non-safety-related input IN of F_QUITES must not be interconnected with a
signal or defined by a signal that automatically produces the above mentioned
condition (change from 6 to 9 within a minute) for a fail-safe acknowledgment. The
fail-safe acknowledgment can only be produced by means of conscious, manual
input on the ES/OS, not automatically in the program.

Behavior in the Case of Module Redundancy
In the case of module redundancy, user acknowledgment after reintegration is only
required if both redundant modules have a fault at the same time.
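The following is an added behavioural model, not Siemens code and not part of this manual, that steps through the rules given under "Simulation Values", "Substitute Values" and in this section for an F channel driver on an input channel: the simulation value (SIM_ON) overrides substitute values, passivation caused by an error or by PASS_ON replaces the process value, and reintegration after an error needs a positive edge at ACK_REI when ACK_NEC = 1 or after a communication error. The quality codes 16#48 and 16#44 are taken from the manual; the value 16#80 for a valid process value, the quality code shown during simulation, and the initialisation of the "last valid value" with SUBS_V are assumptions of the model.

```python
"""Model of an S7 F channel driver for input channels (F_CH_AI / F_CH_DI).

Added example, not Siemens code.  Encodes the output priority described in the
manual: SIM_ON > passivation (error or PASS_ON) > process value, and the
ACK_NEC / ACK_REI / ACK_REQ handshake for reintegration.
"""
from dataclasses import dataclass

QUALITY_GOOD = 0x80        # assumption: quality code of a valid process value
QUALITY_SUBSTITUTE = 0x48  # manual: substitute value output, channel passivated
QUALITY_LAST_VALID = 0x44  # manual: last valid value held (analog input, SUBS_ON = 0)


@dataclass
class Outputs:
    value: float      # V (analog) or Q (digital) output of the driver
    quality: int      # QUALITY
    qbad: bool        # QBAD: 1 while a substitute / last valid value is output
    qsubs: bool       # QSUBS: 1 while the parameterized substitute value is output
    ack_req: bool     # ACK_REQ: error gone, user acknowledgment is possible


class FChannelAI:
    """Analog input channel driver model (SUBS_V, SUBS_ON, ACK_NEC as in the manual)."""

    def __init__(self, subs_v: float, subs_on: bool, ack_nec: bool):
        self.subs_v = subs_v
        self.subs_on = subs_on
        self.ack_nec = ack_nec
        self.fault_passivated = False  # passivated because an error was reported
        self.ack_required = False      # reintegration waits for a positive edge at ACK_REI
        self.last_valid = subs_v       # assumption: SUBS_V until the first valid value
        self.prev_ack_rei = False

    def cycle(self, v: float, error: bool = False, comm_error: bool = False,
              pass_on: bool = False, sim_on: bool = False, sim_v: float = 0.0,
              ack_rei: bool = False) -> Outputs:
        fault = error or comm_error
        if fault:
            self.fault_passivated = True
            # PROFIsafe communication errors always need an acknowledgment,
            # even with ACK_NEC = 0 (Note under "Automatic Reintegration").
            if self.ack_nec or comm_error:
                self.ack_required = True
        ack_req = False
        if self.fault_passivated and not fault:
            if self.ack_required:
                ack_req = True
                if ack_rei and not self.prev_ack_rei:   # positive edge at ACK_REI
                    self.fault_passivated = False
                    self.ack_required = False
                    ack_req = False
            else:
                self.fault_passivated = False           # automatic reintegration
        self.prev_ack_rei = ack_rei
        # PASS_ON passivates without an acknowledgment requirement of its own.
        passivated = self.fault_passivated or pass_on
        if sim_on:
            # The simulation value is always placed on the output, also instead
            # of a substitute value; QBAD still reflects the passivation state.
            return Outputs(sim_v, QUALITY_GOOD, passivated, False, ack_req)
        if passivated:
            if self.subs_on:
                return Outputs(self.subs_v, QUALITY_SUBSTITUTE, True, True, ack_req)
            return Outputs(self.last_valid, QUALITY_LAST_VALID, True, False, ack_req)
        self.last_valid = v
        return Outputs(v, QUALITY_GOOD, False, False, ack_req)


class FChannelDI(FChannelAI):
    """Digital input channel driver model: the substitute value is always 0."""

    def __init__(self, ack_nec: bool):
        super().__init__(subs_v=False, subs_on=True, ack_nec=ack_nec)
```

Stepping the model shows the point of the Safety Notes above: with ACK_NEC = 1 the channel stays on the substitute value after the error has disappeared until ACK_REI sees a rising edge, a communication error forces the same handshake even with ACK_NEC = 0, and a passivation requested via PASS_ON is lifted as soon as PASS_ON returns to 0.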

See Also
Error Handling of Driver Blocks

5.3.7 Programming Startup Protection

After startup (cold restart or complete restart (warm restart)), the Safety Program
automatically starts up with the initial values.

Note
When the Safety Program is compiled, additional blocks and calls that must not be
changed are inserted automatically at the beginning of the run sequence in OB
100.

If the process doesn't permit the Safety Program to start up with the initial values
after an error automatically, a response to startup must be programmed. The
F_START fail-safe block is available to signal a startup of the Safety Program with
the initial values.
The COLDSTRT output parameter signals the occurrence of a startup (cold restart
or warm restart).

Examples
Possible measures for responding to a startup of the Safety Program with the initial
values are as follows:
- Programming an interlock of the outputs after startup via the passivation
  inputs PASS_ON at F_CH_DO. This entails the COLDSTRT output of the F FB
  F_START being interconnected with the S input of an SR flip-flop (F_SR_FF)
  and the Q output of F_SR_FF being interconnected with PASS_ON of
  F_CH_DO. This interlock can then be enabled manually:
  - Using a switch that is requested via a fail-safe digital input module or
  - Via input at ES/OS via the F_QUITES F FB.
  The Q output of the F_CH_DI of the switch or the OUT output of F_QUITES
  must be interconnected with the R input of F_SR_FF.
- Programming of a wait loop so that the internal states of the Safety Program
  correspond to the process state again (see the example of reintegration after
  startup of the Safety Program).
- Programming using multiplexers: The output of an F_MUX2_R multiplexer is
  controlled by the COLDSTRT output of the F_START F FB fail-safe block. As a
  result, a different program branch to that in the F cycle can be executed after
  startup.

5.3.8 Example: Reintegration after Startup of the Safety Program

After startup (cold restart or warm restart) the following occurs for a short time:
- The substitute value 0 is output from the F channel driver for digital input.
- The parameterized substitute value is output from the F channel driver for
  analog input.
- The substitute value 0 is transferred from the F channel driver for digital output
  to the F-I/O.

The output of substitute values is signaled at the output QBAD=1 and can last up
to 3 cyclic interrupt cycles.
The following example shows you how, using group passivation and/or a wait loop,
you can ensure that all the F channel drivers in a group output substitute values for
an identical length of time after startup of the Safety Program with the initial values
(see also group passivation).
If you don't want group passivation, don't interconnect PASS_OUT outputs with
F_OR4, and only use the wait loop via F_START and F_TP. If you use group
passivation, you only need the wait loop via F_START and F_TP if the substitute
values are to be output after the last channel has switched over to process values.
[Figure: CFC chart of the example. The COLDSTRT output of F_START is interconnected with the IN input of F_TP (pulse time PT). The Q output of F_TP and the PASS_OUT outputs of the F_CH_DO blocks are interconnected with the inputs IN1 to IN4 of F_OR4, and the OUT output of F_OR4 is interconnected with the PASS_ON input of each F_CH_DO.]

Set the minimum time at the PT input for which substitute values are to be output
after a cold restart. F_START, F_TP and F_OR4 must be called before the F
channel drivers.
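The following is an added cycle-by-cycle simulation, not Siemens code and not from this manual, of the two startup-protection patterns described in 5.3.7 (interlock via F_SR_FF) and in this example (group passivation via F_OR4 and the wait loop via F_START/F_TP). F_START, F_TP, F_OR4, F_SR_FF and F_CH_DO are replaced by minimal models, and the following are assumptions of the simulation rather than statements of the manual: COLDSTRT is 1 for exactly one cycle after a restart, F_TP counts in cycles rather than in time, F_SR_FF is set-dominant, PASS_OUT reports only passivation caused inside the channel (startup or error) and not a passivation requested via PASS_ON, and each channel outputs substitute values after startup for a channel-specific number of cycles (the manual states "up to 3").

```python
"""Simulation of startup protection patterns (sections 5.3.7 and 5.3.8).

Added example, not Siemens code.  Block models are assumptions, see the
class docstrings.  Every simulated cycle calls F_START, F_TP and F_OR4 before
the channel drivers, as the manual requires, so F_OR4 sees the PASS_OUT
values of the previous cycle.
"""


class FStart:
    """Models F_START: COLDSTRT = 1 in the first cycle after startup (assumption)."""
    def __init__(self):
        self.first_cycle = True

    def cycle(self) -> bool:
        coldstrt, self.first_cycle = self.first_cycle, False
        return coldstrt


class FTP:
    """Models F_TP as a pulse timer: Q = 1 for PT cycles after a rising edge at IN."""
    def __init__(self, pt_cycles: int):
        self.pt = pt_cycles
        self.remaining = 0
        self.prev_in = False

    def cycle(self, in_: bool) -> bool:
        if in_ and not self.prev_in:
            self.remaining = self.pt
        self.prev_in = in_
        q = self.remaining > 0
        if q:
            self.remaining -= 1
        return q


class FSRFF:
    """Models F_SR_FF as a set-dominant SR flip-flop (assumption)."""
    def __init__(self):
        self.q = False

    def cycle(self, s: bool, r: bool) -> bool:
        if s:
            self.q = True
        elif r:
            self.q = False
        return self.q


class FChDO:
    """Models F_CH_DO: substitute value 0 while passivated, otherwise the input I."""
    def __init__(self, startup_cycles: int):
        self.remaining = startup_cycles   # cycles of startup passivation left

    def cycle(self, i: bool, pass_on: bool):
        own = self.remaining > 0          # PASS_OUT (assumption: excludes PASS_ON)
        if own:
            self.remaining -= 1
        return (False if own or pass_on else i), own


def run_group(startup_cycles, pt_cycles, group_passivation, n_cycles):
    """Return, per cycle, the values the channels hand to the F-I/O with I = 1
    at every channel.  group_passivation=False leaves the PASS_OUT outputs
    unconnected, so only the F_TP wait loop drives PASS_ON."""
    start, tp = FStart(), FTP(pt_cycles)
    chans = [FChDO(c) for c in startup_cycles]
    pass_outs = [False] * len(chans)
    trace = []
    for _ in range(n_cycles):
        q = tp.cycle(start.cycle())
        group = q or (group_passivation and any(pass_outs))   # F_OR4
        results = [ch.cycle(True, group) for ch in chans]
        pass_outs = [po for _, po in results]
        trace.append(tuple(out for out, _ in results))
    return trace


def first_process_cycle(trace):
    """Cycle index at which each channel first outputs its process value."""
    return [next(c for c, row in enumerate(trace) if row[i]) for i in range(len(trace[0]))]


def startup_interlock(ack_cycles, n_cycles):
    """5.3.7 pattern: COLDSTRT sets F_SR_FF, Q drives PASS_ON of F_CH_DO, and a
    manual acknowledgment (switch via F_CH_DI or F_QUITES.OUT) resets it."""
    start, ff, ch = FStart(), FSRFF(), FChDO(0)
    trace = []
    for c in range(n_cycles):
        q = ff.cycle(start.cycle(), c in ack_cycles)
        out, _ = ch.cycle(True, q)
        trace.append(out)
    return trace
```

With three channels that leave startup passivation after 1, 2 and 3 cycles, the unconnected case switches them to process values at different cycles, group passivation alone makes them switch together one cycle after the slowest channel (the one-cycle lag comes from F_OR4 running before the drivers), and a wait loop with a longer PT holds the whole group on substitute values until PT has elapsed. The interlock variant stays passivated until the acknowledgment cycle, however long that takes.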

5.3.9 Assigning Parameters to the F Cycle Time Monitoring

The F_CYC_CO block is automatically placed and configured during compilation.
If a task is found to be missing, a chart and a run-time group containing the
F_CYC_CO block are placed. During this compilation and any further
compilations where the MAX_CYC parameter is invalid, a dialog box will be
presented to request a valid value. The default value of the dialog box will be a
suggested value.

Safety Note Default MAX_CYC
The default setting for the maximum cycle monitoring time is 3s. Please check
whether this setting is suitable for your process and, if required, change it.

Changing the F Cycle Time
After the OB3x cycle times have been changed, the Safety Program must be
recompiled. This is necessary at least if, as a result, an F_TESTM block might
have to be moved to another OB. (At compilation the F_TESTM block is always
automatically placed in the OB with the longest cycle time.)

Note
It is not possible to download changes in RUN mode after changes have been
made to the F cycle time.

5.3.10 Interconnecting F Communication Blocks

You can insert and interconnect the following types of communication blocks in the
Safety Program:
- Blocks for communication between Safety Programs on different CPUs
- Blocks for communication between F-run-time groups
- Blocks for communication between the F user program and the standard user
  program

5.3.10.1 Programming Communication Between Safety Programs on Different CPUs

Available Fail-Safe Blocks
The following fail-safe blocks are available for communication between Safety
Programs on different CPUs:

Block                 Description
F_SENDBO/F_RCVBO      Safe transfer of 20 parameters of the F data type F_BOOL
F_SENDR/F_RCVR        Safe transfer of 20 parameters of the F data type F_REAL

This means a fixed number of up to 20 F parameters of the F-data type F_BOOL or
F_REAL can be safely transferred.

Prerequisites
The following prerequisites must be fulfilled for communication between F-capable
CPUs:
- The two CPUs must be configured as F-CPUs: The "CPU Contains Safety
  Program" option must be selected and the password set.
- An S7 connection must be configured between the CPUs.
- Sequence: See Defining the Run Sequence.

Procedure
Proceed as follows:
1. Insert the send block (F_SENDBO/F_SENDR) in the Safety Program from
which data is to be transferred.
2. Insert the receive block (F_RCVBO/F_RCVR) in the Safety Program to which
data is to be transferred.
3. Assign parameters to the ID inputs with the relevant identifiers of the
configured S7 connections.
4. Assign parameters to the R_ID inputs. This establishes that the send and
receive blocks belong together: The associated fail-safe blocks contain the
same (freely selectable, odd) value for R_ID. Note that the value R_ID+1 is
filled automatically when this happens.
5. Interconnect the SD_BO_xx and SD_R_xx inputs of the F_SENDBO and
F_SENDR F blocks with the send signals.
6. Interconnect the RD_BO_xx and RD_R_xx outputs of the F_RCVBO and
F_RCVR F blocks with the F-Blocks for further processing the receive signals.
7. Assign parameters to the TIMEOUT inputs of the send and receive blocks with
the desired monitoring time.
You can find information on how to calculate this in the section entitled
"Configuring the Monitoring Times for S7 F/FH Systems".

Note
It can only be guaranteed (with fail safety) that a signal level to be transferred will
be detected on the sender side and transferred to the recipient if it is present for at
least as long as the specified monitoring time (TIMEOUT).

8. Interconnect the ACK_NEC outputs of the F-blocks F_RCVBO and F_RCVR
to find out whether it is necessary to acknowledge reintegration after an error
has been eliminated.
9. Interconnect the relevant ACK_REI inputs of the F-blocks F_RCVBO and
F_RCVR with the signal for the reintegration acknowledgment.

Safety Note Safety Program must be re-compiled if S7 connections used for CPU-CPU Communication have changed.
If the Safety Program contains blocks for safe CPU-CPU communication:
After a CPU has been copied or a program or chart has been copied to another
CPU, or after a communication partner of an S7 connection has been changed, the
program must be compiled again to update the connection data.

Examples:
Receive Block:

Send Block:
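The following is an added pre-compile consistency check, not part of this manual and not Siemens tooling, for the parameters assigned in the procedure above to F_SENDBO/F_RCVBO and F_SENDR/F_RCVR pairs. It encodes the rules stated on this page: both CPUs must be configured as F-CPUs, the ID input must name an S7 connection configured on the block's CPU, R_ID must be odd and identical for a send block and its receive block, R_ID+1 is taken automatically (so no other pair may use that value), and the two blocks of a pair reside on different CPUs. TIMEOUT is only checked for being set to a positive value; how to calculate the monitoring time is in the section the manual refers to. The data classes, the string form of the connection identifiers and the sample configuration are constructed for this example.

```python
"""Consistency check of F_SENDxx / F_RCVxx parameter pairs.

Added example, not Siemens tooling.  The description format (CommBlock, Cpu)
is an assumption; the rules are those of the procedure in the manual.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CommBlock:
    kind: str        # F_SENDBO, F_RCVBO, F_SENDR or F_RCVR
    cpu: str         # CPU whose Safety Program contains the block
    conn_id: str     # ID input: identifier of the configured S7 connection
    r_id: int        # R_ID input
    timeout_ms: int  # TIMEOUT input


@dataclass
class Cpu:
    name: str
    contains_safety_program: bool                             # "CPU Contains Safety Program"
    connections: frozenset = field(default_factory=frozenset) # configured S7 connection IDs


PARTNER = {"F_SENDBO": "F_RCVBO", "F_SENDR": "F_RCVR"}


def check_comm_config(cpus, blocks):
    """Return a list of problem strings; an empty list means the pairs are consistent."""
    problems = []
    for b in blocks:
        tag = f"{b.kind} on {b.cpu} (R_ID={b.r_id})"
        cpu = cpus.get(b.cpu)
        if cpu is None:
            problems.append(f"{tag}: unknown CPU")
            continue
        if not cpu.contains_safety_program:
            problems.append(f"{tag}: CPU is not configured as an F-CPU")
        if b.conn_id not in cpu.connections:
            problems.append(f"{tag}: ID {b.conn_id!r} is not a configured S7 connection")
        if b.r_id % 2 == 0:
            problems.append(f"{tag}: R_ID must be odd")
        if b.timeout_ms <= 0:
            problems.append(f"{tag}: TIMEOUT must be a positive monitoring time")
    senders = [b for b in blocks if b.kind in PARTNER]
    receivers = [b for b in blocks if b.kind not in PARTNER]
    for s in senders:
        mates = [r for r in receivers if r.r_id == s.r_id and r.kind == PARTNER[s.kind]]
        if len(mates) != 1:
            problems.append(f"{s.kind} R_ID={s.r_id}: expected exactly one "
                            f"{PARTNER[s.kind]} with the same R_ID, found {len(mates)}")
        elif mates[0].cpu == s.cpu:
            problems.append(f"{s.kind} R_ID={s.r_id}: send and receive block are on the same CPU")
    for r in receivers:
        if not any(s.r_id == r.r_id and PARTNER[s.kind] == r.kind for s in senders):
            problems.append(f"{r.kind} R_ID={r.r_id}: no matching send block")
    # R_ID+1 is assigned automatically, so two pairs must not use neighbouring values.
    used = sorted({b.r_id for b in blocks})
    for r_id in used:
        if r_id + 1 in used:
            problems.append(f"R_ID={r_id}: R_ID+1={r_id + 1} is taken automatically "
                            f"but also used by another pair")
    return problems


# Constructed sample: two F-CPUs with one S7 connection each and one F_BOOL pair.
SAMPLE_CPUS = {
    "CPU_A": Cpu("CPU_A", True, frozenset({"1"})),
    "CPU_B": Cpu("CPU_B", True, frozenset({"2"})),
}
SAMPLE_BLOCKS = [
    CommBlock("F_SENDBO", "CPU_A", "1", 3, 1500),
    CommBlock("F_RCVBO", "CPU_B", "2", 3, 1500),
]
```

Running the check on an exported list of the communication blocks before compilation catches the pairing mistakes that otherwise only show up as a receiver that never leaves its substitute values.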

5.3.10.2 Programming Communication Between F-Run-Time Groups Within a CPU

Rules for Communication Between F-Run-Time Groups
- If data has to be exchanged between two F-run-time groups, you cannot
  interconnect the inputs and outputs directly. Instead, you must use separate
  fail-safe blocks for these functions.
- Sequence: See Defining the Run Sequence.

Available Fail-Safe Blocks
You must use the following fail-safe blocks for data exchange between F-run-time
groups:

Block              Description
F_S_R / F_R_R      Safe transfer of 5 parameters of the F-data type F_REAL
F_S_BO / F_R_BO    Safe transfer of 10 parameters of the F-data type F_BOOL

Procedure
1. Insert an F-Block of the type F_S_x (F_S_R or F_S_BO) in the F-run-time
group from which data is to be transferred.
2. Insert an F-Block of the type F_R_x (F_R_R or F_R_BO) in the F-run-time
group to which data is to be transferred.
3. Interconnect the SD_R_xx input of the F_S_R or the SD_BO_xx input of the
F_S_BO with the send data.
4. Interconnect the RD_R_xx outputs of the F_R_R or the RD_BO_xx outputs of
the F_R_BO with the inputs of the F-Blocks for further processing of the
received data.
5. Interconnect the S_DB output of the send block with the S_DB input of the
corresponding receive block.
6. Assign parameters to the TIMEOUT inputs of the F_R_R and F_R_BO receive
blocks with the desired monitoring time.
You can find information on how to calculate this in the section entitled
"Configuring the Monitoring Times for S7 F/FH Systems".

Example: Extract from the Chart of the Sender Run-Time Group

Example: Extract from the Chart of the Receiving Run-Time Group

5.3.10.3 Programming Communication Between the F User Program and the Standard User Program

Available F Conversion Blocks
The following F conversion blocks are available:

Block       Description
F_BO_FBO    Converts from standard BOOL to F_BOOL
F_I_FI      Converts from standard INT to F_INT
F_R_FR      Converts from standard REAL to F_REAL
F_TI_FTI    Converts from standard TIME to F_TIME
F_FBO_BO    Converts from F_BOOL to standard BOOL
F_FR_R      Converts from F_REAL to standard REAL
F_FI_I      Converts from F_INT to standard INT
F_FTI_TI    Converts from F_TIME to standard TIME

Rules for F Conversion Blocks
If data is to be exchanged between the F and the standard user programs, you
must not interconnect the inputs and outputs directly. Instead, you must use
separate F conversion blocks from the F library for these functions that can convert
to and from the safety data type.
Please comply with the following rules when you insert and interconnect F
conversion blocks:
- The F-Blocks used to convert F-data types into standard data types
  (F_FBO_BO, F_FR_R, F_FI_I or F_FTI_TI) must be placed in the standard
  program.
- The blocks used to convert standard data types to F-data types (F_BO_FBO,
  F_I_FI, F_R_FR, F_TI_FTI) must be placed in the Safety Program.
- You can only operate the Safety Program by means of F conversion blocks,
  which you must insert explicitly.

Procedure
Proceed as follows:
1. Insert the F-Blocks of the type F_FBO_BO, F_FR_R, F_FI_I or F_FTI_TI in the
charts of the standard user program.
2. Insert the blocks of the type F_BO_FBO, F_I_FI, F_TI_FTI or F_R_FR in the
charts of the Safety Program. These blocks can also be found in the Fail-safe
Blocks library.
3. Interconnect the inputs and outputs of the type F_data type with the same
types of signals from the Safety Program in each case.
4. Interconnect the inputs and outputs of the standard data type with the same
type of signals from the standard user program in each case.

Safety Note Use F_LIM_R for plausibility check of standard to F-data conversion
The F_BO_FBO, F_I_FI, F_TI_FTI and F_R_FR blocks only carry out data
conversion. This means you must program additional measures for plausibility
checks in the Safety Program, for example using F_LIM_R, to ensure that only
safe operation is possible.

Plausibility Checking
The simplest form of plausibility check is a specified range with fixed upper and
lower limits. Not all input parameters can be checked for plausibility in such a
simple way; these input parameters cannot be changed during operation.
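The following added example, not Siemens code and not from this manual, shows why the Safety Note above insists on a plausibility check behind the conversion. f_r_fr() models the conversion-only behaviour of F_R_FR, plausibility_limit() models a fixed-limit range check in the role the manual assigns to F_LIM_R (the real block's I/Os are in the block reference; the (value, low, high, fallback) to (value, ok) interface here is an assumption), and the two trip functions compare an overtemperature trip fed directly from the conversion with one that runs the check first. The inputs a standard program can deliver include an out-of-range number and a NaN, and NaN compares false with every limit, so the unchecked trip silently never fires.

```python
"""Plausibility check after standard-to-F conversion (F_R_FR + F_LIM_R pattern).

Added example, not Siemens code.  The limiter interface is an assumption.
"""
import math


def f_r_fr(standard_value: float) -> float:
    """Models F_R_FR: standard REAL to F_REAL, conversion only, no check."""
    return float(standard_value)


def plausibility_limit(value: float, low: float, high: float, fallback: float):
    """Range check with fixed limits (the simplest form named in the manual).
    Returns (value, True) when low <= value <= high, else (fallback, False).
    NaN compares false with everything, so it has to be rejected explicitly;
    math.isfinite() also rejects +/-inf."""
    if not math.isfinite(value) or value < low or value > high:
        return fallback, False
    return value, True


def trip_unchecked(standard_temp: float, trip_limit: float) -> bool:
    """Overtemperature trip fed directly from F_R_FR (the pattern to avoid)."""
    return f_r_fr(standard_temp) > trip_limit


def trip_checked(standard_temp: float, trip_limit: float,
                 low: float, high: float) -> bool:
    """Same trip with a plausibility check in between: an implausible value
    (out of sensor range, NaN, infinity) forces the safe (tripped) state."""
    temp, ok = plausibility_limit(f_r_fr(standard_temp), low, high, fallback=high)
    return not ok or temp > trip_limit
```

The fallback value is only reached through the ok flag here; a design that instead clamps into range and carries on must make sure the clamped value itself lands on the safe side of every limit it feeds.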

Example: Converting Standard Data Types to F-Data Types
Section from an F chart, showing conversion from REAL to F_REAL

Example: Converting F-Data Types to Standard Data Types
Section from a standard chart, showing conversion from F_BOOL to BOOL

5.4 Processing of the Safety Program

5.4.1 Managing Safety Programs
The following sections tell you how to do the following:
- Deactivating Safety Mode
- Activating Safety Mode
- Compiling a Safety Program
- Creating Fail-Safe Block Types
- Downloading a Safety Program
- Downloading the Entire Safety Program
- Changes to the Safety Program in RUN Mode
- Downloading Changes
- Testing the Safety Program
- Displaying Information
- Saving reference data
- Comparing Safety Programs
- Logging the Safety Program
- Printing the Safety Program

5.4.2 Deactivating Safety Mode

The Safety Program usually runs on the CPU in safety mode. In other words, all
the safety mechanisms for fault detection and fault reactions are activated. It is not
possible to change the Safety Program during operation (RUN) when it is in safety
mode. To download changes to the Safety Program in RUN or to change F
constants in CFC test mode, you must deactivate safety mode for the Safety
Program.

Safety Note When Deactivating Safety Mode
Since modifications to the Safety Program can be made in RUN mode when safety
mode is deactivated by downloading the changes, you must observe the following:
- You should deactivate safety mode for test purposes, commissioning, etc.
  When safety mode is deactivated, the safety of the system must be ensured by
  means of other organizational measures (e.g. monitored operation and manual
  safety shutdown).
- When you make changes to the Safety Program in RUN mode with safety mode
  deactivated, switchover effects can occur. The information on the downloading
  sequence for download changes in the section entitled "Changing the Safety
  Program in RUN Mode" will give you an overview of this.
- Wherever possible, the standard program and the Safety Program should only
  be changed separately, and the changes downloaded, because otherwise an error
  could be downloaded at the same time into the standard program, and the required
  protection function in the Safety Program could be destroyed, or switchover effects
  could occur in both programs.
- Deactivation of safety mode must be detectable. Logging is necessary, if
  possible by recording messages to the OS, or if necessary by means of
  organizational measures. It is also recommended that deactivation of safety mode
  should be indicated on the OS.
- Safety mode can only be deactivated CPU-wide. In the case of safety-related
  CPU-CPU communication, note that the data sent by an F_SENDBO or F_SENDR
  with safety mode deactivated, and the outputs derived from these data, must be
  included in monitored operation.

Note
If simulation mode is activated, you cannot deactivate safety mode or download
changes.

Prerequisites
- The CPU is in RUN mode (the mode selector is on RUN or RUN-P).
- Safety mode is activated.

Procedure
1. Select the CPU or its S7 program in SIMATIC Manager.
2. Choose the Options > Edit Safety Program menu command.
3. Select the online view in the dialog box that appears.
4. Enter the CPU password, if it is requested.
5. Check whether "Active" is displayed in the "Safety Mode" text box. If yes,
continue to the next step; if not, terminate the procedure because safety mode
is already inactive.
6. Click the "Safety Mode" button, and enter the password for the safety program,
if necessary.

Note
If the validity time of one hour has elapsed, the password for the safety program is
requested again the next time safety mode is deactivated and is then valid after
entry for another hour or until access rights are explicitly canceled.

7. If the password is entered correctly, a further request is made (next step); if the
password is invalid, safety mode is not switched off and remains active.
8. Confirm that safety mode is to be deactivated with OK.
Result: Safety mode is deactivated.
You can then download changes to the Safety Program to the CPU during
operation (RUN).

5.4.3 Activating Safety Mode

After you have downloaded the changes, you must activate safety mode again to
guarantee the safe execution of the Safety Program.

Procedure
1. Select the CPU or its S7 program in SIMATIC Manager.
2. Choose the Options > Edit Safety Program menu command.
3. Select the online view in the dialog box that appears.
4. Enter the CPU password, if it is requested.
5. Check whether "Inactive" is displayed in the "Safety Mode" text box. If yes,
continue to the next step; if not, terminate the procedure because safety mode
is already active.
6. Click the "Safety Mode" button.
7. Confirm that safety mode is to be activated again with OK.
Result: Safety mode is activated again and "Active" is displayed in the "Safety
Mode" box.

Note
If you are unable to reactivate safety mode using the procedure described, either
switch the line voltage off and then on or switch the CPU to STOP and then to
RUN.

Note on Activation or Deactivation of Safety Mode
The F_TESTM block sets the TEST output when safety mode is deactivated. In
addition, it is recommended that the safety mode status is indicated on the OS by
means of the TEST output parameter of the F_TESTM.

5.4.4 Compiling a Safety Program

There are two compilation options:
- Compile all the CFC charts as a program. The charts are converted into
  machine code that you can download to the CPU and run there.
- Compile a chart as a block type in order to use it again.

Note
Use hierarchical CFC charts or create new block types to use existing charts
repeatedly.
At compilation of the Safety Program, the password for the safety program is
requested when changes are detected in fail-safe blocks.

Unplaced F-Blocks from the block container are automatically deleted when the
safety program is compiled.

Password Protection During Compilation of the Safety Program
- If changes to fail-safe blocks are detected at compilation, the password for the
  safety program is requested.
- If the password entered is correct, the entire Safety Program is compiled or,
  alternatively, only the changes. Authorization is valid for an hour after the
  password has been entered.
- If authorization is not granted, the entire compilation is terminated with an error
  message.
- If no changes have to be made to the Safety Program section, compilation is
  executed without a password request.

5.4.5 Creating Fail-Safe Block Types

You can create a fail-safe block type that can be reused in other safety programs
from the CFC chart of a safety program.

Rules for Fail-Safe Block Types
To create a new block type with fail-safe blocks, proceed as you would normally.
The same rules apply as in the standard case, with the following additional points:
- The new block type must be a function block (FB).
- The new block type can only contain fail-safe blocks. Standard blocks are not
  permissible.
- The fail-safe blocks that are to be called in the new block type and the
  F-Blocks of the entire Safety Program in which the block type is to be used must
  come from one and the same library version. Blocks from different versions of
  the "Fail-safe Blocks" library are not permitted.
- The following fail-safe blocks must not be used in new block types:
  - The system blocks F_S_BO, F_S_R, F_R_BO, F_R_R
  - All control blocks
- Nesting of newly created fail-safe block types is not permitted.
- An output of an F-Block must not be connected to two chart I/Os.
- The run sequence is not corrected automatically at compilation. The sequence
  defined during creation is retained.

Note
If the run sequence is different to the data flow due to feedback, for example, an
error is reported when the F-Block type is compiled.

- The chart I/Os of the new block type can be F-data types and standard data
  types.
- You can use the following names for F-Blocks that are called in a block type:
  - Numerals only, as specified by CFC
  - Alphanumeric names that must always begin with F_.

Safety Note F-Block outputs always use the preset initial values.
When F-block types are created, none of the initial values at outputs of fail-safe
blocks may be changed. CFC will permit them to be changed and will display the
change, but the preset initial values, as specified in the library, are always used.
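The following is an added lint, not Siemens tooling and not from this manual, that checks a description of a candidate fail-safe block type against the rules listed above before "Compile Chart as Block" is run: FB only, fail-safe blocks only, none of the system blocks F_S_BO, F_S_R, F_R_BO, F_R_R, no nesting of created block types, one library version throughout, names numeric or beginning with F_, and no F-Block output connected to two chart I/Os. The BlockType/BlockCall description format and the sample block types are assumptions constructed for the example; the rule about "all control blocks" is not checked because the manual does not enumerate them here.

```python
"""Lint of a fail-safe block type description against the rules in 5.4.5.

Added example, not Siemens tooling.  The description format is an assumption.
"""
from dataclasses import dataclass, field

FORBIDDEN_SYSTEM_BLOCKS = {"F_S_BO", "F_S_R", "F_R_BO", "F_R_R"}


@dataclass
class BlockCall:
    name: str              # instance name in the chart
    type_name: str         # block type, e.g. "F_OR4"
    library_version: str   # version of the "Fail-safe Blocks" library it comes from
    is_fail_safe: bool     # False for a standard (non-F) block


@dataclass
class BlockType:
    kind: str                                          # "FB" or "FC"
    calls: list = field(default_factory=list)
    output_links: dict = field(default_factory=dict)   # "instance.output" -> chart I/O names


def lint_block_type(bt: BlockType, program_library_version: str, user_block_types: set) -> list:
    """Return the rule violations found (an empty list means no violation)."""
    problems = []
    if bt.kind != "FB":
        problems.append(f"block type must be a function block (FB), not {bt.kind}")
    for c in bt.calls:
        if not c.is_fail_safe:
            problems.append(f"{c.name}: standard block {c.type_name} is not permissible")
        if c.type_name in FORBIDDEN_SYSTEM_BLOCKS:
            problems.append(f"{c.name}: system block {c.type_name} must not be used in a block type")
        if c.type_name in user_block_types:
            problems.append(f"{c.name}: nesting of created block type {c.type_name} is not permitted")
        if c.is_fail_safe and c.library_version != program_library_version:
            problems.append(f"{c.name}: library version {c.library_version} differs from "
                            f"program version {program_library_version}")
        if not (c.name.isdigit() or c.name.startswith("F_")):
            problems.append(f"{c.name}: name must be numeric or begin with F_")
    for output, ios in bt.output_links.items():
        if len(ios) > 1:
            problems.append(f"{output}: connected to {len(ios)} chart I/Os "
                            f"({', '.join(ios)}); only one is allowed")
    return problems


# Constructed sample block types: one that follows the rules, one that breaks most of them.
GOOD = BlockType("FB",
                 calls=[BlockCall("F_OR", "F_OR4", "V1.0", True),
                        BlockCall("12", "F_SR_FF", "V1.0", True)],
                 output_links={"F_OR.OUT": ["Q"]})
BAD = BlockType("FC",
                calls=[BlockCall("Mixer", "F_S_BO", "V1.0", True),
                       BlockCall("F_RCV", "F_R_R", "V1.1", True),
                       BlockCall("F_STD", "AND4", "V1.0", False),
                       BlockCall("F_SUB", "MyFType", "V1.0", True)],
                output_links={"F_RCV.RD_R_01": ["OUT1", "OUT2"]})
```

The version check is the one worth automating in a review: after importing a new version of the Fail-safe Blocks library, every block type has to be recompiled (see "Changing a Fail-Safe Block Type"), and a stale instance is not visible in the chart itself.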

Procedure
1. Create the CFC chart in a separate S7 program assigned to an F-capable
CPU.
2. Open the chart you want.
3. Choose the Chart > Compile > Chart as Block menu command. A dialog box
for entering the block properties appears.
4. Enter the properties of the new block type. Select the options "Compile for PLC
- S7 400" and "Optimize Code for - Downloading Changes in RUN Mode" and
confirm with OK.
Result: A new block type is created that can be used in safety programs.
5. Insert the new block type in a Safety Program and test it there.
6. Accept the Safety Program of the new F-Block type.

Using a New Block Type in the Safety Program
If you use a fail-safe block of a newly created type, you must recompile the Safety
Program and download the whole program or the changes to the CPU.

Changing a Fail-Safe Block Type
Changes to a block type require acceptance.
Modified block types must be entered using the Options > Block Types menu
command. After using a modified block type, you must recompile the safety
program and download it to the CPU. It is not always possible to download the
changes in RUN. In the case of changes to chart I/Os or modified block calls, for
example, it is not possible to download the changes.
Both the rules for the standard case and the rules for Safety Programs apply to the
downloading of changes.
When you use a new version of the Fail-safe Blocks library, you must also
recompile the F-Block type after you have imported the new blocks. In this way,
you ensure that the F-Blocks in the Safety Program all have the same library
version.

F Channel Drivers in F-Block Types
If F channel drivers are used in a block type, the VALUE, ADDR_CODE, CHADDR
I/Os at least must be defined as chart I/Os, because these I/Os have to be
interconnected outside of the F-Block type with the symbolic name of the
associated channel or with the F module driver, or they have to be supplied
automatically.

5.4.6 Downloading a Safety Program

After compilation you can download the CFC program to the PLC. Depending on
whether or not safety mode is activated, you can download the entire Safety
Program or just changes to the Safety Program as follows:

Downloading                          CPU in STOP    CPU in RUN,          CPU in RUN,
                                                    Safety Mode Active   Safety Mode Inactive
Of the entire Safety Program         Possible       Not possible         Not possible
Of changes to the standard program   Not possible   Possible             Possible
Of changes to the Safety Program     Not possible   Not possible         Possible

Prerequisites
- Before the entire Safety Program is downloaded, there should be a memory
  reset of the CPU if it contains an old Safety Program.
- The hardware configuration data of the station is downloaded to the CPU.
- The user program is compiled without error.
- You have access rights to the PLC.
- There is an online connection between the CPU and your programming
  device/ES.

Rules for Downloading
- The Safety Program can only be downloaded from CFC, not from SIMATIC
  Manager.
- In the S7 FH Systems, the two CPUs must have the same (F) user program.
  Both CPUs have either a RAM or a flash EPROM memory card.
- When an accepted Safety Program is downloaded, you must check the overall
  signature after downloading in the same way as you must after acceptance
  (see "Checking the Overall Signatures" in the section entitled "Initial
  Acceptance of a Safety Program").


5.4.7 Downloading the Entire Safety Program

Procedure
To download the Safety Program to the PLC, proceed as follows:
1. Switch the CPU to STOP mode.
2. Choose the PLC > Download > Entire Program menu command in CFC.

Note
Before the Safety Program is downloaded, the CPU password is requested if
changes are detected in the fail-safe program section.

Result: If you enter the correct password, the Safety Program is downloaded to the
CPU to which the program container is assigned. If the password is entered
incorrectly, the download operation is not executed.
After the program has been downloaded to the CPU, you have to compare the
overall signature of the program in the CPU with the overall signature in the
accepted printout (see "Checking the Overall Signatures" in the section entitled
"Initial Acceptance of a Safety Program"). In the case of S7 FH systems, you have
to make this comparison for both CPUs.

Working With Programs on a Memory Card

If you use the Safety Program on a memory card, remember the following:

Safety Note - Safety Program on Memory Card

- Before you switch the S7 F System to RUN mode, compare the overall
  signature of the program on the flash EPROM memory card with the overall
  signature of the reference data. If necessary, label the memory card with
  the overall signature.
- In the case of a fault-tolerant S7 FH System, make sure that the memory
  cards of the redundant CPUs are of the same type (RAM or flash EPROM) and
  that the same Safety Program is on both redundant flash EPROM memory
  cards.
- Ensure that access protection regulates the removal and insertion of
  memory cards.


5.4.8 Changes to the Safety Program in RUN Mode


You can only make changes to the Safety Program during operation (RUN) if
safety mode is deactivated. You have the following options for changing the
Safety Program during operation:

- Change the CFC charts, and compile and download the changes to the CPU.
- Change fail-safe constants (non-interconnected I/Os of fail-safe blocks) in
  CFC test mode.

Notes on the Run Sequence During the Downloading of Changes

Time stamps are not taken into account when changes are downloaded. Instead,
all changes detected (i.e. caused by editing operations) are downloaded.

Safety Note - Downloading

Downloading the changes is executed in two stages:

- All complete blocks are downloaded first. These are newly placed blocks, new
  instance DBs or newly generated FCs (for modified run-time groups or tasks).
  These blocks are downloaded in sequence in such a way that called blocks are
  available in every phase (i.e. the CPU continues to run). For example, new
  run-time group FCs are only downloaded when the newly called blocks in them
  have already been downloaded. All blocks that are no longer required are
  deleted during this downloading phase.
- All changed input or output parameters of blocks are then downloaded. These
  changes are downloaded by writing only the parameters that have been
  changed (not the whole block) to the CPU. This can take several cyclic
  interrupt cycles. The order in which the parameters are written cannot be
  predicted. Make sure that parameters are not changed in such a way that
  downloading across several cyclic interrupt cycles and/or in a particular
  order can result in temporary dangerous states. You can avoid this by
  separating control functions (in the standard program) from protection
  functions (in the Safety Program) and by making changes to standard and
  Safety Programs separately.


Permissible Changes
Below you can find a list of the permissible program changes. These changes can
be downloaded when safety mode is deactivated, without the Safety Program
going into shutdown mode. The restrictions listed below, however, continue to
apply:

- Any local changes to run-time groups.
  Local changes are changes that do not involve changes to the communication
  between run-time groups or CPUs. Within the run-time group any
  interconnections and constants can be changed and blocks can be deleted,
  reinserted or moved in the run sequence within the run-time group.
- Deletion of complete run-time groups.
  Run-time groups must only be deleted individually. After a run-time group has
  been deleted, you must recompile the program and download the changes.
- Insertion of new run-time groups.
- Changes to the priority classes. The monitoring times must be taken into
  consideration (see "Changing the Time Conditions or Monitoring Times"
  below).
  - Changes to the OB cycle time (parameter assignment of the CPU is
    supported for the S7-400FH with the CPU 417-4H, V2.0 and above).
  - Movement of run-time groups (deletion and insertion) to new tasks/OBs.

Safety Note - OB Cycle Time Changes Restricted

You must not change OB cycle times or move run-time groups in a way that
alters the time and speed relationships between the tasks. This means that
the tasks that used to be the slowest and fastest must continue to be so after
the changes have been downloaded.
If they are not, it may not be possible to deactivate safety mode, or the
Safety Program might shut down when changes are downloaded. In this case, the
changes cannot be reversed, and you have to revert to a previously saved
Safety Program.

- It is possible to move run-time groups to another task. The monitoring times
  must be taken into consideration (see below).

Some operations require several steps because the new Safety Program cannot
be activated all at once. Instead, it has to be activated in several steps (see
below).


Changing the Time Conditions or Monitoring Times

This is possible, but you must ensure that such changes do not trigger a
response from the cycle-time monitoring. For example:

- Changing the OB cycle time: All monitoring times (F_CYC_CO, F module
  driver, F communication) must be greater than the new OB cycle time. If this
  isn't the case, you must increase these times beforehand and download them
  before the new OB cycle time is brought in. Only in the second step can the
  parameter assignment of the execution time of the cyclic interrupt OBs be
  adapted in the S7 FH System. The monitoring times of F-I/Os cannot be
  changed during operation (see "Impermissible Changes").

  Note: If the MAX_CYC parameter of the F_CYC_CO is invalid, a new value will
  be requested at compile time.

- Moving run-time groups: This corresponds to changing the OB cycle time for
  the run-time group to be moved (see above).

- Direct changing of monitoring times for F-Blocks: The monitoring times must
  fit the OB cycle time. In the case of F-driver blocks, it is not possible to
  make changes during operation (see "Impermissible Changes").
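The ordering rule above (raise monitoring times in one download, change the OB cycle time in a second one) combined with the earlier warning that changed parameters are written to the CPU individually in an unpredictable order is easy to get wrong by hand. The following Python model is an added illustration and is not part of S7 F Systems or the CFC toolchain: the names of the three monitoring times are taken from the manual, all values are constructed, and the planner simply encodes the rule "every monitoring time must stay greater than the OB cycle time after each download step". It also enumerates the write orders of a one-shot download to show which of them pass through a violating intermediate state.

```python
"""Ordering a change to the OB cycle time and the F monitoring times.

Added illustration (not S7 F Systems code): monitoring-time names follow the
manual (F_CYC_CO MAX_CYC, F module driver, F communication); all values and
the planner itself are constructed.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Timing:
    """OB cycle time and the monitoring times that must exceed it (all in ms)."""
    ob_cycle_ms: int
    monitoring_ms: dict


def violations(t):
    """Names of monitoring times that are NOT greater than the OB cycle time."""
    return sorted(n for n, v in t.monitoring_ms.items() if v <= t.ob_cycle_ms)


def _apply(t, name, value):
    """Return a copy of t with one parameter written."""
    if name == "ob_cycle_ms":
        return Timing(value, dict(t.monitoring_ms))
    mon = dict(t.monitoring_ms)
    mon[name] = value
    return Timing(t.ob_cycle_ms, mon)


def unsafe_write_orders(old, new):
    """Model a single change download in which every changed parameter is
    written on its own, in an order that cannot be predicted.  Return each
    order whose intermediate state violates the invariant."""
    writes = [("ob_cycle_ms", new.ob_cycle_ms)] if new.ob_cycle_ms != old.ob_cycle_ms else []
    writes += [(n, v) for n, v in new.monitoring_ms.items() if old.monitoring_ms.get(n) != v]
    bad = []
    for order in permutations(writes):
        cur = old
        for name, value in order:
            cur = _apply(cur, name, value)
            if violations(cur):
                bad.append([n for n, _ in order])
                break
    return bad


def plan_change(old, new):
    """Split old -> new into separate change downloads, each of which leaves
    every monitoring time greater than the OB cycle time.  Returns a list of
    (description, Timing after that download)."""
    for label, t in (("old", old), ("new", new)):
        if violations(t):
            raise ValueError(f"{label} configuration invalid: {violations(t)}")
    if set(old.monitoring_ms) != set(new.monitoring_ms):
        raise ValueError("adding or removing monitoring times is outside this model")
    steps, cur = [], old
    # 1. Raise the monitoring times that grow; they are then safe against both
    #    the old and the new cycle time.
    raised = {n: v for n, v in new.monitoring_ms.items() if v > cur.monitoring_ms[n]}
    if raised:
        cur = Timing(cur.ob_cycle_ms, {**cur.monitoring_ms, **raised})
        steps.append(("download: raise monitoring times", cur))
    # 2. Only now can the OB cycle time change, in a download of its own.
    if new.ob_cycle_ms != cur.ob_cycle_ms:
        cur = Timing(new.ob_cycle_ms, dict(cur.monitoring_ms))
        steps.append(("download: change OB cycle time", cur))
    # 3. Finally lower the monitoring times that shrink, once the cycle time is
    #    already at its new value.
    lowered = {n: v for n, v in new.monitoring_ms.items() if v < cur.monitoring_ms[n]}
    if lowered:
        cur = Timing(cur.ob_cycle_ms, {**cur.monitoring_ms, **lowered})
        steps.append(("download: lower monitoring times", cur))
    assert cur == new and all(not violations(t) for _, t in steps)
    return steps


# Constructed example: a slower cyclic interrupt with longer monitoring times.
OLD = Timing(100, {"F_CYC_CO MAX_CYC": 300, "F module driver": 250, "F communication": 400})
NEW = Timing(500, {"F_CYC_CO MAX_CYC": 1500, "F module driver": 1200, "F communication": 2000})

if __name__ == "__main__":
    for order in unsafe_write_orders(OLD, NEW):
        print("unsafe one-shot order:", " -> ".join(order))
    for desc, t in plan_change(OLD, NEW):
        print(desc, "=>", t)
```

For the constructed values, 18 of the 24 possible write orders of a one-shot download pass through a state in which the new 500 ms cycle time is already active while at least one monitoring time still has its old value; the planner avoids all of them with two downloads. Reversing the change (faster cycle, shorter monitoring times) yields the mirror plan: cycle time first, then the monitoring times.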

First Call and Restart Characteristics

Newly inserted F-Blocks behave at their first call or after a warm restart as
they would after a cold restart. For example:

- Module drivers or communication blocks output substitute values.
- The F_START block indicates a cold restart in the first cycle.

It may be necessary in such cases to place these blocks initially without
interconnecting them and to download them to the CPU by means of change
downloading. Only in a second step can these blocks be interconnected and then
downloaded to the CPU as changes.


Communication Between Run-Time Groups or CPUs

You must proceed in several steps if the communication is to continue in all
phases. In one step, only the change for one communication partner can be
introduced. Changes must not be downloaded for both partners simultaneously.

- Inserting new F-Blocks for communication between run-time groups: Substitute
  values are output until the newly created connections are synchronized.
  The sending side must always be programmed and downloaded first.
  The receiving block can be placed and immediately interconnected with the
  send block only as of the second step.

- The data sources and sinks can be changed (i.e. the interconnections from/to
  the output/input parameters of the blocks). Such a change should, however,
  never be made for a data value at the same time for the sender and the
  receiver, because simultaneous activation of the new interconnections cannot
  be guaranteed. If it is absolutely necessary, proceed as follows:
  - On the sending side, attach the desired interconnection to a new,
    previously unused input parameter of the send block and download this
    change. The new value is now correctly available at the receiver.
  - In the next step, the new interconnection on the receiver side can be made
    using the new output parameter of the receiving block rather than the old
    one as the source. This change can be downloaded and results in a
    consistent switch to the new data paths.
  - Finally, the now superfluous interconnection to the old input parameter of
    the send block can be deleted on the sending side.

- The situation is particularly critical if a communication partner is
  replaced, i.e. if communication is supposed to go to another run-time group
  or to another CPU. This is only possible if a second channel is set up for
  the new communication partner and a switchover is then made to it. This
  applies when data is to be received from a different CPU than before.
  However, the principle is just as valid for communication between run-time
  groups.
  - Configure the new connection in NetPro and download the connection data
    in RUN mode (this step is required only for CPU-CPU communication).
  - Place new communication blocks on the sending side and assign the data
    of the new connection (ID, R_ID). Interconnect, compile and download the
    data to be sent to the send block.
  - Place new communication blocks on the receiving side, assign the data of
    the new connection (ID, R_ID), and then compile and download them. The
    data of the old and the new sender is now available in the receiver.
  - The interconnections can now be switched over from the old to the new
    receive block and the old receive block can be deleted. When the changed
    program is downloaded, a switchover immediately takes place to the new
    sender.
  - Finally, the now superfluous send block of the old sender can be deleted
    and perhaps also the corresponding connection from NetPro.


- Deletion of run-time groups: If a run-time group is moved to another task,
  you must not delete the run-time group of the F_CYC_CO in the old task at
  the same time. If you want to do that in order to delete the old task
  completely, for example, proceed as follows in two steps:
  - Move, compile and download the run-time group to the new task.
  - Then delete, compile and download the run-time group of the F_CYC_CO
    from the old task.

Impermissible Changes
Some changes must not be carried out even when safety mode is deactivated,
because continuous (bumpless) execution of the user program cannot be
guaranteed. The following changes can cause the execution of the user program
to be interrupted or the Safety Program to shut down, or even prevent the
changes to the Safety Program from being downloaded:

- Changes to the parameter assignment of F-I/Os are not possible during
  operation in the current product version. In the S7 FH System as well, the
  modules only receive the modified parameter assignment after removal and
  insertion. The F-I/Os detect a CRC error after the first change has been
  downloaded and output substitute values.
- Like parameter changes in HWCONFIG, changes to the properties of existing
  CPU-CPU connections are not bumpless if the modified properties affect the
  network addresses. In this case, as well, substitute values are output until
  the state of the F communication blocks is consistent. It is possible to
  achieve this in several steps by means of an additional connection (see
  "Communication Between Run-Time Groups or CPUs"). Changing the ID and
  R_ID I/Os of the F-SENDR/BO and F-RCVR/BO blocks is not permitted.
- Deletion and reinsertion of the automatically inserted F control blocks and
  the F_CYC_CO F-system block will result in the Safety Program being
  disabled.
- The same applies to F_S_BO and F_S_R: If such an F-Block is deleted,
  reinserted and interconnected, the associated F_R_BO or F_R_R F-Block
  outputs substitute values.
- Moving an F run-time group to another priority class is not permitted.
- Interface changes to fail-safe blocks cause the Safety Program to be
  disabled.


5.4.9 Downloading Changes

Changes to the Standard Program

You can download changes to the standard program when the CPU is in RUN mode,
irrespective of whether safety mode is active or not.

Note
If you make changes to the fail-safe section of the user program, you can't
download changes for the standard section in safety mode either. A change to
the fail-safe program that is subsequently reversed is also considered to be a
change.

Safety Note - Password Protection Level

When the standard program is changed in safety mode, access rights should not
be obtained using the CPU password, because that password would also permit
changes to the Safety Program. Instead, set the CPU protection level so that
the standard program can be changed without the password that also unlocks the
Safety Program.

Changes to the Safety Program

You can only download changes to the Safety Program to the CPU in RUN mode if
safety mode is inactive.

Note
If simulation mode is activated, you cannot switch off safety mode or download
changes.
Before downloading, a check is carried out to find out if there are any
simulation blocks in the Safety Program. If there are, downloading is
terminated.


Procedure
1. Change the Safety Program and compile it (see "Compiling a Safety
Program").
2. If simulation mode is activated, deactivate it (see "Testing a Safety Program
Offline with S7-PLCSim").
3. Deactivate safety mode (see "Deactivating Safety Mode").
4. Choose the PLC > Download > Changes Only menu command in CFC.
Always respond with "Yes" when you are asked to confirm that you want to
register the CPU for a test.
5. If necessary, repeat steps 1 to 4, for example to download changes step by
step.
6. Activate safety mode (see "Activating Safety Mode").
7. Choose the Options > Edit Safety Program menu command in SIMATIC
Manager.
In the "Safety Program S7 Program" dialog box, activate the "Online" and
"Offline" options one after another and check whether the overall signatures
(online and offline) match (see "Checking the Overall Signatures" in the
section entitled "Initial Acceptance of a Safety Program"). If they match,
downloading has been successfully completed. If not, repeat step 4 of the
download operation. In the case of S7 FH systems you must carry out this
comparison for both CPUs.

Safety Note Download Operation Aborted


If the download operation is terminated, you must repeat downloading the changes
(step 4) and check the overall signatures online and offline (step 7) to ensure the
consistency of the data in the load memory and the working memory.


5.4.10 Testing the Safety Program


After compilation and downloading, you can test the program. You can test Safety
Programs by switching to test mode in CFC using the Test > Test Mode menu
command. In test mode you are connected to the automation system (CPU) online.

Rules for Testing

Safety Note - Safety Program Disabled if Fail-Safe Outputs Are Changed

You can observe the Safety Program in CFC test mode and change
non-interconnected inputs of fail-safe blocks. Online changes to fail-safe
outputs and automatically assigned I/Os are not permitted and result in the
Safety Program being disabled.

Safety Note - ES Changes Can Change the Signature

When you use the ES, changes to non-safety-related parameters can result in a
change to the overall signature of the offline Safety Program. This means that
the Safety Program might have to be accepted again after the test. To ensure
that the overall signature of the Safety Program remains unchanged, you must
undo any parameter changes by reassigning the original values to the
parameters.


5.4.11 Testing a Safety Program Offline with S7-PLCSim


It is not always possible to test Safety Programs in a real system. The PLCSim
software package is intended to help you test Safety Programs by simulating a
CPU on the PC/programming device.

5.4.11.1 Using PLCSim V5.0 (and below)
Prerequisite: Copying the Project
It is not possible to carry out the offline test with the original project. The project
must be copied, and the simulation can only be carried out using this copied
project.
The changes can then be transferred to the original project and with the safety
mode deactivated, transferred to the CPU using "Download Changes".
To make sure that all the changes made in the test project have been made
correctly in the original project as well, you can use the chart comparison function
in the F add-on package to compare the original project with the simulation project
(in SIMATIC Manager via Options - Edit Safety Program, see Comparing Safety
Programs). Depending on the editing sequence, it may be that differences are
displayed in parameters that are automatically assigned (e.g. F_PLK/SIG_I etc.).
These differences can be ignored.
If PLCSim is used with the original project, it is no longer possible to
download in RUN.

Starting Simulation
Proceed as follows:
1. Select the program folder (e.g. S7 Program) in SIMATIC Manager.
2. Choose the Options > Edit Safety Program menu command.


Result: The "Safety Program S7 Program" dialog box appears.

3. Click the "Password..." button and cancel the access rights for the Safety
Program. This means the password for the Safety Program will be requested
again in the case of operations such as the compilation or downloading of
changes to the Safety Program.
4. If safety mode is inactive, activate it (see "Activating Safety Mode").
5. Click the "Simulation..." button and, in response to the query that appears,
confirm that you want the F-Blocks to be replaced by the simulation blocks.
6. In the "Copy" dialog box that appears, confirm that individual objects are to
be overwritten with "Yes" or that all objects are to be overwritten with "All".
Result: The F-Blocks of the Safety Program are overwritten by simulation
blocks of the same name from the Failsafe Blocks: F-Simulation Blocks
library. "Inactive" is displayed in the text box under the button.
7. Activate the simulation by clicking the simulation button on the toolbar of
SIMATIC Manager or by choosing the Options > Simulate Modules menu
command. All the programming device functions, such as downloading,
module status, etc., are then processed by PLCSim instead of the real
modules.


You can find information on working with S7-PLCSim in manual /12/. (Please
refer to the references in Appendix B.)
To carry out a test, download the Safety Program to the virtual CPU of PLCSim.
Changes to the Safety Program can only be downloaded with the whole program
when the virtual CPU is in STOP mode. In test mode, the Safety Program can be
monitored as with a real CPU.

Note
If the virtual CPU of PLCSim goes into STOP mode or the Safety Program
becomes disabled, you must do the following:

- Reset the memory of the virtual CPU of PLCSim.
- Download the configuration data and the S7 program again.

What to Remember When You Simulate Safety Programs

Safety Note - Simulation Warning

This is not a substitute for a function test!
If the simulation takes place on a programming device or ES with a physical
online connection to the CPU, you must not deactivate safety mode and you must
not have access rights by means of the CPU password.

When the simulation is switched on, all the F-Blocks in the offline block container of
the program are replaced with a simulation-capable version from the Fail-safe
Blocks: F-Simulation Blocks library. The blocks in this library are only suitable for
simulation purposes and must not be downloaded to the CPU.
These blocks have the same interface as the normal F-Blocks, but they have
limited functionality determined by the functional scope of PLCSim.
When you carry out program changes in simulation mode, you can only place new
blocks from the "F-Simulation Blocks" library. A combination of F and simulation
blocks is not permissible and is reported at the next compilation of the Safety
Program.
The driver blocks do not access the I/O.
Input signals of F input modules can be modified in the process input image (PII) of
PLCSim.
Communication between CPUs cannot be simulated.
In the "Edit Safety Program" dialog box, a CRC is not displayed for the simulation
blocks. An overall signature is not calculated for the Safety Program if the Safety
Program contains simulation blocks.


Downloading the Safety Program After Simulation


Before you download the tested Safety Program to the CPU you must do the
following:
1. Switch off the simulation by clicking the "Simulation Off" button in the "Safety
Program S7 Program" dialog box.
Result: The blocks from the Fail-safe Blocks: F User Blocks library are
copied to the block container.
2. Recompile CFC charts if there have been any changes.

5.4.11.2 Using PLCSim V5.1 (and above)

Starting with PLCSim V5.1, the F User Blocks library is supported directly;
there is no need to replace the blocks in the program's offline block container
with blocks from the F Simulation library.
In the "Edit Safety Program" dialog box, the Simulation button is not displayed
if PLCSim V5.1 or above is detected on the ES.

Starting Simulation
Proceed as follows:

1. Activate the simulation by clicking the simulation button on the toolbar of
SIMATIC Manager or by choosing the Options > Simulate Modules menu
command. PLCSim then processes all the programming device functions, such as
downloading, module status, etc., instead of the real modules. You can find
information on working with S7-PLCSim in manual /12/.
2. The system data must be downloaded to PLCSim via HWCONFIG.
3. When downloading the Safety Program into PLCSim, a Setup Access Rights
dialog box will appear requesting a password for the CPU. You MUST enter
plcsim (all lower case) regardless of the password you assigned the CPU in
HWCONFIG.
Changes to the Safety Program can only be downloaded with the whole program
when the virtual CPU is in STOP mode. In test mode, the Safety Program can be
monitored as with a real CPU.

Note
If the virtual CPU of PLCSim goes into STOP mode or the Safety Program
becomes disabled, you must do the following:

- Reset the memory of the virtual CPU of PLCSim.
- Download the configuration data and the S7 program again.

This also applies to both a partial shutdown (isolated F run-time groups) and
a full shutdown (entire Safety Program).


What to Remember When You Simulate Safety Programs

Safety Note - Simulation Warning

This is not a substitute for a function test!
If the simulation takes place on a programming device or ES with a physical
online connection to the CPU, you must not deactivate safety mode and you must
not have access rights by means of the CPU password.
The driver blocks do not access the I/O.
Input signals of F input modules can be modified in the process input image (PII) of
PLCSim.
Communication between CPUs cannot be simulated.


5.4.12 Changing Fail-Safe Constants in CFC Test Mode


It is possible in CFC test mode (V5.2 and above) to change fail-safe constants
(non-interconnected I/Os of fail-safe blocks) during operation (RUN). In the case of
safety programs, this is only permitted when safety mode is deactivated. There are
no restrictions on changing standard parameters.

Rules for Changing Fail-Safe Constants

- In the case of parameters in the safety data format, you can only change the
  DATA component, not COMPLEM or PARID.
- You must not change output parameters and automatically supplied I/Os.

Prerequisites
Before you switch on CFC test mode, make sure that the following prerequisites
are met:

- The CPU must be in RUN.
- Safety mode of the Safety Program must be deactivated. If it is not, you will
  be requested to deactivate safety mode when you try to change the first
  parameter.

Note
Changing fail-safe constants in safety mode will always result in a safe state
(Safety Program disabled).

To change fail-safe constants, you must enter the F password. The password is
the same one used for the compilation and downloading of changes. Irrespective
of the protection level set for the CPU, it might be necessary to provide
legitimation for the online connection to the CPU.


Changing a Fail-Safe Block I/O

1. Activate test mode for the chart in CFC using the Test > Test Mode menu
command.
2. Open the sheet view of the F-Block.
3. Select the block I/O that you want to change, and open Object Properties
(with a double-click, for example).
Result: The "Select Structure Element" dialog box appears.
4. Double-click the DATA structure element in the "Select Structure Element"
dialog box.
Result: The "Properties Inputs/Outputs" dialog box appears.
5. Enter the desired value in the "Value" text box and confirm with "OK".
6. Close the "Select Structure Element" dialog box. If the change is possible, a
check box appears with the changed value, which you have to confirm with
OK.
7. If the change is not possible, you will receive a message requesting you to
eliminate the cause of the error. You then have to repeat steps 3 to 6.
Result: The new value is downloaded to the CPU and displayed at the I/O.
It is not necessary to compile and download changes after CFC test mode has
been deactivated and before safety mode is activated again, because each
change was transferred to the CPU at the time the individual parameter was
changed.


5.4.13 Displaying Information
To display information on the Safety Program
1. Select the program folder (e.g. "S7 Program") in SIMATIC Manager.
2. Choose the Options > Edit Safety Program menu command.

Result: The "Safety Program S7 Program" dialog box appears. The following
information on the online (on the CPU) or offline (in the programming
device/ES) Safety Program is displayed:

- A list of all the blocks with their signatures and the signatures of their
  initial values
- Date and signature of the last compilation and of the most recently saved
  reference data
- An indication of whether the source code, load memory and working memory
  match


5.4.14 Saving Reference Data


You can save all the data of a program (charts, parameters, etc.) as reference data
in order to use it for comparisons, as required.

Procedure
To save the reference data of a Safety Program, proceed as follows:
1. Select the program folder (e.g. "S7 Program") in SIMATIC Manager.
2. Choose the Options > Edit Safety Program menu command. The "Safety
Program S7 Program" dialog box appears.
3. Click the "Save Reference" button. You will then be asked again if you want
to save the reference data. You have two options:
- Confirm with "Yes" if you want all the information on the blocks of the
  current project to be saved as reference information. Any existing
  reference data will be overwritten.
- Cancel with "No" if you do not want to save reference data.

5.4.15 Comparing Safety Programs


This dialog assists you in comparing two Safety Programs, displaying and printing
the differences between them. (See the procedure below entitled Comparing
Safety Programs.) Programs available for comparison include the online program
in the F-CPU, the current offline program, the previous compilation of the current
program, and the saved reference program. This dialog may be used as a tool to
indicate that a program has not changed, for example, when compared to a saved
reference program.

Program/Reference
Choose one of these option buttons to specify whether the current program or the
reference program is to be compared.


Compare with:
Use this drop-down selection box to choose the second program to compare.
If you selected the Program option button above, choose one of the following:

- Reference (the last saved reference of this program)
- Before Last Generation (the previous compilation of this program)
- Online (this program as currently loaded in the F-CPU)
- Other Project (any offline program; use the Browse button to select)

If you selected the Reference option button, choose one of the following:

- Current Project (the current offline program)
- Before Last Generation (the previous compilation of this program)
- Online (this program as currently loaded in the F-CPU)
- Other Project (any offline program; use the Browse button to select)

Browse Button
Use this button and the Open dialog box to select the offline program of any
project that you want to compare.

Start Button
Click this button to start the comparison.

View Options
If both of the compared programs are offline, you can toggle between these two
options by selecting the appropriate option button:

- Block view: a list of the blocks that differ.
- Chart view: a hierarchical view showing Task, Runtime Group, Block and
  parameter for all differences. With this view option, the Go To button is
  enabled.

Result of the Comparison of the Safety Blocks (both programs offline)

An indication is given of whether the overall signatures across all blocks are
identical or different.
Difference Display, Block View:
Any blocks whose signatures have changed are displayed, along with the signature
of each. No task or run-time group information is available.
Difference Display, Chart View:
The differences between the two charts are displayed in a hierarchical structure, as
in Explorer. All the blocks in this structure are displayed under the assigned task
and run-time group. Information on possible differences is displayed for each block.
These differences refer to the task/run-time group in which the block is used, the
parameterization and interconnection of the block and the run sequence.
Only tasks, run-time groups, blocks and parameters in which differences were
found are displayed.


The differences are described as follows:

Text                                                 Meaning
Deleted                                              Block only exists in the source
Added                                                Block only exists in the comparison object
Task changed from Task1 to Task2                     Block in another task/priority class
Run-time group changed from Group1 to Group2         Block in another run-time group
Instance DB changed from I-DB1 to I-DB2              Block has another instance DB
Run position changed                                 Block in a different run position within the run-time group
Interface changed                                    Number of parameters changed
Interconnection changed from Connect1 to Connect2    Interconnection of a parameter changed

Result of the Comparison of the Safety Blocks (online program)

If the Compare with: field selects the online program, only the Block View
difference output is shown. There are two additional viewing options available
by use of the check boxes:

- Show unconnected F-FB input parameter differences
- Filter F-System checksums


As with the offline Block View, a window shows any blocks whose signatures differ.
View option Show unconnected F-FB input parameter differences:
This option forces a complete comparison of values of constants connected to the
inputs of F-Blocks between the online and an offline program, and displays
differences in an upper pane in the dialog.
Note that normally this option is only used when the overall signatures already
match, indicating that the offline program has not changed since the last download
to the F-CPU. Checking this option allows the more thorough check for any
parameters that may have been changed online by a method other than compile
and download.
View option Filter F-System checksums
This option suppresses the display of expected differences that will occur when the
F-CPU writes to input parameters of certain F-Blocks (e.g. checksum values at
inputs of F_PLK, F_PLK_O). This option is only valid when you have checked the
option for Show unconnected F-FB input parameter differences.

Comparison of Overall Signatures:

This group displays attributes for each of the two programs selected for
comparison:
- Program type (Current program, Reference program, Before Last Program,
  Online Program, Other Project program).
- Overall Signature: The identifying overall signature, generated at the most
  recent compilation.
- Program name: A string combining the project name, the CPU type, and the
  program name.

The words, IDENTICAL or NOT IDENTICAL, are appended to the caption of this
group of windows, to indicate clearly whether the overall signatures of the two
programs match or differ.

Print Button
Click this button to print the result of the comparison.

Go to Button
When Chart View is selected, you may select any block or parameter in the
displayed differences window, and click this button to go to the block in question in
the CFC editor.

Comparing Safety Programs

You can compare two statuses of the Safety Program in the programming
device/ES or online on the basis of the following criteria:
- Overall signature
- Individual signatures
- Parameter values
- Modified or deleted blocks and interconnections, etc.

What Can You Compare?

You can compare the following, irrespective of whether you have selected
"Program" or "Reference":

Program     Compare with   Reference                (Reference of this program)
                           Before Last Generation   (Status before the last generation of this program)
                           Online                   (Online status of this program)
                           Program                  (Any offline program)

Reference   Compare with   Current project          (Offline program)
                           Before Last Generation   (Status before the last generation of this program)
                           Online                   (Online status of this program)
                           Program                  (Any offline program)

Procedure
To compare two Safety Programs, proceed as follows:
1. Select the program folder (e.g. "S7 Program") in SIMATIC Manager.
2. Choose the Options > Edit Safety Program menu command. The "Safety
Program S7 Program" dialog box appears.
3. Select the "Compare..." button. The "Compare Programs" dialog box appears.
4. Select the programs you want to compare. If necessary, use the "Browse..."
button to enter the path.
5. Select the "Start" button.
The result is displayed in a dialog box at block or chart level and can be printed out
using the "Print" button. The signatures of the individual blocks are displayed in the
block view. The changes to charts, blocks and run-time groups are displayed in the
chart view. You can also see here if the signatures of the F-Blocks have changed.

Safety Note Allowable F Control Block comparison changes

At the F_CNT_W input of the F_TESTC block, the number of F code blocks (FB
and run-time group FC) in working memory is displayed. If changes are made to
the Safety Program, changes to this parameter can be expected in the section of
the program that has already been accepted.
The differences in the chart comparison of the following block I/Os can be ignored
because they are due to internal changes in the Safety Program. These changes
can be caused, for example, by compressing the data blocks in CFC.

Block      I/O
-----      ---
F_TESTC    TESTM_DB, CYC_DB
F_PLK      SIG, SIG_I, CYC_DB, TEST_DB, TESTC_DB, TESTM_DB
F_PLK_O    SIG_O, SIG_O_I

The overall signature still changes, of course, and differences must be taken into
consideration at acceptance.
The overall signature is visible at the F_PRG_SIG input of the F_SHUTDN function
block.
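The acceptance rule in the safety note above can be turned into a small filter over a comparison result. The following is an added worked example and not part of the manual or of the S7 F-System software: it encodes the manual's table of block I/Os whose differences may be ignored, treats the F_CNT_W input of F_TESTC as an expected change, and reports every other difference, together with any change of the overall signature, as something that must be reviewed at acceptance. The dict format of the difference records, the block instance names and the parameter name IN are constructed for the example.

```python
"""Classify chart-comparison differences for acceptance (added example)."""

# Block I/Os from the manual's "Allowable F Control Block comparison changes"
# table: written internally by the F-System, so differences may be ignored.
IGNORABLE_IO = {
    "F_TESTC": {"TESTM_DB", "CYC_DB"},
    "F_PLK": {"SIG", "SIG_I", "CYC_DB", "TEST_DB", "TESTC_DB", "TESTM_DB"},
    "F_PLK_O": {"SIG_O", "SIG_O_I"},
}

# Input whose value follows the number of F code blocks in working memory;
# the manual says changes here can be expected after program changes.
EXPECTED_CHANGE_IO = {"F_TESTC": {"F_CNT_W"}}


def classify(diff):
    """Return 'ignorable', 'expected' or 'review' for one difference record.

    A record is a dict with 'block_type' (F-block type), 'block' (instance
    name) and optionally 'io' (parameter name; absent for block-level
    differences such as 'Deleted' or 'Run position changed').
    """
    io = diff.get("io")
    if io is None:
        return "review"  # block added, deleted or moved: always look at it
    if io in IGNORABLE_IO.get(diff["block_type"], set()):
        return "ignorable"
    if io in EXPECTED_CHANGE_IO.get(diff["block_type"], set()):
        return "expected"
    return "review"


def acceptance_report(sig_before, sig_after, diffs):
    """Bucket the differences and record whether the overall signature moved.

    The overall signature still changes even when every listed difference
    is ignorable, so it is reported on its own and never hidden by the filter.
    """
    buckets = {"ignorable": [], "expected": [], "review": []}
    for d in diffs:
        buckets[classify(d)].append(d)
    return {
        "overall_signature_changed": sig_before != sig_after,
        "acceptable_without_review": not buckets["review"],
        **buckets,
    }


# Constructed sample: two F-System writes and one genuine parameter change.
# F_R_FR is a conversion block named in the manual; "IN" is a hypothetical
# parameter name used only for this example.
SAMPLE_DIFFS = [
    {"block_type": "F_PLK", "block": "F_PLK_1", "io": "SIG",
     "change": "Value changed"},
    {"block_type": "F_TESTC", "block": "F_TESTC_1", "io": "F_CNT_W",
     "change": "Value changed"},
    {"block_type": "F_R_FR", "block": "LIMIT_CONV", "io": "IN",
     "change": "Interconnection changed from Connect1 to Connect2"},
]

if __name__ == "__main__":
    # Placeholder signatures, not real values.
    report = acceptance_report("SIG_BEFORE", "SIG_AFTER", SAMPLE_DIFFS)
    for bucket in ("review", "expected", "ignorable"):
        for d in report[bucket]:
            print(f"{bucket:9s} {d['block']}.{d['io']}: {d['change']}")
    print("overall signature changed:", report["overall_signature_changed"])
```

The filter only narrows what the acceptance reviewer must read; the overall signature and every unlisted difference stay visible, which is what the safety note requires.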

Comparison with the Online Safety Program

Safety Note Checking online comparison output

When a comparison with the online program is made, it is indicated whether the
source, load memory and working memory match up (this enables the detection of
impermissible data manipulation to non-interconnected fail-safe input parameters
in the working memory). See "Checking the Overall Signatures" in the section
entitled "Initial Acceptance of a Safety Program".

5.4.16 Logging the Safety Program

To request logs on the Safety Program, proceed as follows:
1. Select the program folder (e.g. "S7 Program") in SIMATIC Manager.
2. Choose the Options > Edit Safety Program menu command. The "Safety
   Program S7 Program" dialog box appears.
3. Select the "Log..." button. The "Logs" dialog box appears. The following logs
   are displayed on the individual tabs:
   - Consistency check: Log of the last consistency check
   - Compilation: Log of the last compilation
   - Download: Log of the last download
4. Select one of the following options for the display:
   - Only errors
   - Only errors and warnings
   - All
5. Click the "Page Setup" button to specify the print format (optional).
6. If necessary, print out the desired log using the "Print" button.

5.4.17 Printing the Safety Program

To print all the important project data, proceed as follows:
1. Select the program folder (e.g. "S7 Program") in SIMATIC Manager.
2. Choose the Options > Edit Safety Program menu command. The "Safety
   Program S7 Program" dialog box appears.
3. Press the "Print" button. You can then select the parts of the project that you
   want to print:
   - The CFC charts
   - The fail-safe program (all F-blocks and all data blocks from the F-run-time
     groups).
   - The hardware configuration with the module parameters

Chart data: all the charts of the program are printed graphically.

Safety Program data: the printed report contains:
- Offline/Online report status
- Safety Program name
- Current Safety Program datestamp and overall signature (of Safety
  Program blocks in the Safety Program block folder)
- Reference program datestamp and overall signature
- Blocks in the Safety Program (as shown in the dialog list box)
- Safety-related parameter values
The document footer on each page shows:
- The current release version of the F-System software
- The overall signature (of Safety Program blocks in the CFC).

Hardware Configuration: all or part of the hardware configuration. The Print
dialog will appear to allow you to specify what module information to print.

The overall signature and the date of the last compilation appear in the printout of
the fail-safe program, which is important for the on-site acceptance of the Safety
Program (e.g. by an outside expert). The overall signature of the compiled Safety
Program appears twice in the printout: once in the program information section as
a value of the block container and once in the footer as a value from the source
(see "Checking the Overall Signatures" in the section entitled "Initial Acceptance of
a Safety Program").

Operation and Maintenance

6.1 Operation and Maintenance of the F-Systems

The following sections describe:
- Rules for the operation of the fail-safe S7 F/FH Systems
- How to work with the Safety Program
- How to change the Safety Program
- How to replace software and hardware components
- How to uninstall the S7 F/FH Systems

6.2 Rules for Operation

Below you can find the rules and safety notes for the operation of the S7 F/FH
Systems.

PROFIsafe Nodes

Safety Note Simulation of PROFIsafe devices not permitted


No devices that simulate PROFIsafe nodes can be used on PROFIsafe in safety
mode. A log analyzer must not, for example, execute a function to play back
recorded frame sequences with the correct dynamic response.

Fiber-Optic Cables Between the Synchronization Modules in the S7-400 FH

Safety Note Duplicate Masters must be avoided


In a fail-safe and fault-tolerant S7 FH System, you must prevent both CPUs from
being master at the same time, since this may result in hazardous faults.
Such a state (the two CPUs are both masters at the same time) can occur if the
two fiber-optic cables used to connect the CPUs are removed or interrupted
simultaneously when the S7-400 FH is in a redundant configuration. This must be
prevented by laying separate fiber-optic cables.
This state (two CPUs both masters at the same time) can also occur after a CPU is
repaired if the CPUs have not been connected via both fiber-optic cables before
the power supply is switched back on.
Take organizational steps to ensure that, after a CPU has been replaced, both
fiber-optic cable connections are established before the power supply is switched
on.

You can find information on replacing components in fault-tolerant systems in
manual /4/. (Please refer to the references in Appendix B.)

6.3 Working with the Safety Program

You must take into account the following when working with the Safety Program:
- You must not operate Safety Programs directly when safety mode is activated!
  You can enter safety parameters:
  - by means of fail-safe conversion blocks.
  - in CFC test mode.
- Access to the CPU must be protected with a password.
- The offline project in the programming device/ES must always be kept
  consistent with the CPU. In other words, no old programs, charts or blocks
  should be copied to a project.

Safety Note Safety measures must be followed

If you don't follow the above safety measures, this may result in errors in the
execution of the safety program and in the Safety Program Shutdown.

6.4 Changing the Safety Program

Rules for Changes to the Safety Program

- Changes to fail-safe input parameters are only possible in safety mode by
  using or downloading changes in the standard user program with the help of
  conversion blocks F_BO_FBO, F_R_FR, etc. and a plausibility check
  programmed with fail-safe blocks.
  The simplest form of plausibility check is when a range is specified with fixed
  upper and lower limits. The on-site technical expert must always be consulted
  about a plausibility check.
  Not all the input parameters can be checked for plausibility in a sufficiently
  simple way. You can't change these input parameters during operation.
- The following changes to the Safety Program can be made during operation
  (RUN) only if safety mode is deactivated:
  - Changing the CFC charts, compiling and downloading the changes to the
    CPU.
  - Changing fail-safe constants in CFC test mode.
Changing the Safety Program


After making changes to the Safety Program, proceed as follows:
1. Compile the modified Safety Program.
2. Test the Safety Program.
3. Check whether the signatures of the blocks in the block container and the CFC
charts are the same.
4. Check the safety parameters.
5. Carry out acceptance of the changes.
6. Download the entire program or the changes only to the CPU.
7. Archive the entire modified project. The accepted Safety Program must be
saved.

Batch Programming
Parameters that are not safety-related can be changed in the standard program in
a batch process. Safety-related checks of these parameters (e.g. permissible
range, consistency of parameter sets, etc.) must be carried out in the Safety
Program.
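The plausibility check that the rules above and the "Batch Programming" paragraph require can be illustrated outside the PLC. The following is an added example in plain Python, not the manual's own code and not an F-block: it models a parameter set that arrives from the standard program via conversion blocks and is accepted by the Safety Program only if every value lies within fixed upper and lower limits and the set is consistent as a whole. On rejection the previously accepted set stays in force. The parameter names, limits and the consistency rule are constructed sample values, not taken from the manual.

```python
"""Plausibility check for parameters from the standard program (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    low: float
    high: float

    def contains(self, value: float) -> bool:
        return self.low <= value <= self.high


# Fixed limits held in the Safety Program (constructed sample values).
# Nothing outside this table is accepted, whatever the standard program sends.
PLAUSIBILITY = {
    "temp_warn_c": Limits(20.0, 250.0),
    "temp_trip_c": Limits(50.0, 250.0),
    "pressure_trip_bar": Limits(0.5, 16.0),
}


def range_violations(params):
    """Names of parameters that are missing, unexpected, or out of range."""
    bad = [name for name in PLAUSIBILITY if name not in params]      # missing
    bad += [name for name in params if name not in PLAUSIBILITY]     # unknown
    bad += [name for name, value in params.items()
            if name in PLAUSIBILITY and not PLAUSIBILITY[name].contains(value)]
    return sorted(bad)


def consistency_violations(params):
    """Cross-parameter rule (constructed): warning threshold below trip threshold."""
    bad = []
    if params["temp_warn_c"] >= params["temp_trip_c"]:
        bad.append("temp_warn_c >= temp_trip_c")
    return bad


def accept_parameter_set(candidate, active):
    """Return (parameter set to use, accepted?).

    The candidate set is accepted or rejected as a whole. On rejection the
    currently active (previously accepted) set stays in force, so a partially
    applied batch can never take effect. Range checks run first so that the
    consistency rule only ever sees a complete set of known parameters.
    """
    problems = range_violations(candidate)
    if not problems:
        problems = consistency_violations(candidate)
    if problems:
        return active, False
    return dict(candidate), True


# Currently accepted set (constructed).
ACTIVE = {"temp_warn_c": 150.0, "temp_trip_c": 180.0, "pressure_trip_bar": 10.0}

if __name__ == "__main__":
    # A batch that is in range but inconsistent: warning above trip.
    batch = {"temp_warn_c": 160.0, "temp_trip_c": 155.0, "pressure_trip_bar": 10.0}
    chosen, ok = accept_parameter_set(batch, ACTIVE)
    print("accepted" if ok else "rejected, keeping", chosen)
```

Which values can be bounded this simply, and what the limits are, is a decision for the on-site technical expert, as the rules above state; the code only shows the shape of the check.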

See Also
You can find additional information on modifying the Safety Program in the
following sections:
- Deactivating Safety Mode
- Changes to the Safety Program in RUN
- Downloading Changes
- Changing Fail-Safe Constants in CFC Test Mode

6.5 Replacing Software and Hardware Components

Replacing Software Components

When you replace software components on your programming device/ES, for
example in new PCS 7 or STEP 7 versions, you must comply with the guidelines
on upward and downward compatibility contained in the documentation and in the
readme files of these products.

Installing New Versions of the Software Packages


After you have installed a new version of STEP 7 or add-on packages such as
CFC or SCL, proceed as follows:
1. Compile the Safety Program in the new environment (new compiler or new
libraries).
Compare the overall signature of the newly compiled Safety Program with the
overall signature of the accepted Safety Program (see "Checking the Overall
Signatures" in the section entitled "Initial Acceptance of a Safety Program").
2. If the overall signatures are identical, the programs are the same.
3. If the overall signatures are not identical, the program has been changed.
Proceed in the same way as when there is a change to the Safety Program.

Replacing Hardware Components


The replacement of hardware components for the S7-400 FH (modules, cards,
batteries, etc.) is carried out in the usual way. You can find descriptions in manuals
/1/, /2/, /5/ and /7/. (Please refer to the references in Appendix B.)

Duration of the Repair with the S7 FH Systems


For redundant components in S7 FH Systems, repairs should be organized in
such a way that, in the event of a failure, repairs do not take longer than 24 hours,
if possible. On weekends, repairs can last up to 72 hours for unattended systems.
As a general principle, availability increases as the duration of the repair is
reduced.

Fiber-Optic Cables in S7 FH Systems


After a CPU of the S7-400 FH has been repaired, the fiber-optic cables must not
be disconnected from the CPUs at the same time. This must be prevented by
laying separate fiber-optic cables.

Preventative Maintenance (Proof Test)


The probability values specified in the section entitled "Safety" for the certified
components of the F-Systems ensure a proof test interval of 10 years for the
usual configurations. The proof test for complex electronic components usually
means they are replaced with unused ones. If there are special reasons why you
require an even longer proof test interval than 10 years, please contact your
Siemens advice center.
A shorter proof test interval is normally required for sensors and actuators.

Fail-Safe Output Modules Passivated over the Long Term


If a fail-safe output module is passivated for an extended period (> 72h) and the
fault is not eliminated, it is possible for the module to be activated by a second
fault, thus putting the system in a dangerous state. Although the probability of such
hardware faults occurring is very slight, such unwanted activation of passivated F
output modules due to switching or organizational measures must be prevented.
One possibility is to switch off the power supply to the passivated module(s) for a
period of time (e.g. 72 hours).
In the case of systems for which there are product standards, the required
measures are standardized. In the case of all other systems, the expert accepting it
must approve the concept for the required measures put forward by the system
operator.

6.6

Uninstalling the S7 F/FH System


Uninstalling the software and disassembling and disposing of the hardware of an
F-System are carried out as normal.

Safety

7.1 Standards, Certificates and Approvals

Safety Certification
When you order an F-Copy License, a copy of the TÜV certificate for the fail-safe
components of the S7 F/FH System will be included with the product.
You can obtain additional copies of the certificate, the accompanying report and
Annex 1 of the certificate report entitled
"Safety-Related Programmable Systems SIMATIC S7-400F and S7-400FH"
on request from:
Ms. Petra Bleicher
A&D AS RD 423
Fax no.: ++49 9621 80 3146

Note
Annex 1 of the certificate report contains permissible version numbers and
signatures of fail-safe components of the S7 F/FH System that have to be checked
when the program is accepted.
The certificate report contains conditions that currently have to be complied with
when using the S7 F/FH System.

Standards Relating to Functional Safety

The following tables list the standards taken into account when developing the S7
F/FH System.
The current statuses and versions of the standards and the currently applicable
conditions can be found in the safety certification report.

Standard                  Title/Description
--------                  -----------------
DIN V 19250               Fundamental Aspects to be Considered for Measurement and
                          Control Equipment
DIN V VDE 0801            Principles for Computers in Safety-Related Systems,
                          including modification A1
IEC 61508 - 1 to 7        Functional Safety; Safety-Related Systems
prEN 50159-1              Railway Applications; Requirements for Safety-Related
                          Communication in Closed Transmission Systems
prEN 50159-2              Railway Applications; Requirements for Safety-Related
                          Communication in Open Transmission Systems

Process Engineering

Standard                  Title/Description
--------                  -----------------
DIN V 19251               Process and Control Technology - MC Protection Equipment;
                          Requirements and Measures for Safeguarded Function
VDI / VDE 2180 - 1, 2     Safeguarding of Industrial Processing Plants by Means of Process
and 5                     Instrumentation and Control Technology
NE 31                     NAMUR recommendation: Equipment Safety Using Process
                          Instrumentation and Control Technology
ISA S 84.01               Application of Safety Instrumented Systems for Process Industries

Furnace Engineering

Standard                  Title/Description
--------                  -----------------
EN 230 no. 7.3            Monobloc Oil Burners
EN 298 no. 7.3, 8, 9, 10  Automatic Gas Burner Control Systems for Gas Burners and Gas
                          Burning Appliances with or without Fans
DIN V ENV 1954            Internal and External Fault Behavior of Safety-Related Electronic
                          Parts of Gas Appliances
DIN VDE 0116 no. 8, 9     Electrical Equipment of Furnaces
pr EN 50156-1             Electrical Equipment of Furnaces;
                          Part 1: Regulations for Application Planning and Construction

Safety of Machinery

Standard                  Title/Description
--------                  -----------------
EN 60204-1                Safety of Machinery - Electrical Equipment of Machines; Part 1:
                          General Requirements
EN 954-1 cat. 2 to 4      Safety of Machinery - Safety-Related Parts of Control Systems -
                          Part 1: General Principles for Design

Standards and Directives Relating to Other Aspects

Standard                  Title/Description
--------                  -----------------
DIN EN 61131-2            Programmable Controllers - Equipment Requirements and Tests
EN 50178                  Electronic Equipment for Use in Power Installations
DIN VDE 0110              Insulation Coordination for Equipment within Low-Voltage Systems
EN 60068                  Environmental Testing
EN 55011                  Limits and Methods of Measurement of Radio Disturbance
                          Characteristics of Industrial, Scientific and Medical (ISM)
                          Radio-Frequency Equipment
EN 50081-2                Electromagnetic Compatibility (EMC); Generic Emission Standard;
                          Part 2: Industrial Environment
EN 50082-2                Electromagnetic Compatibility (EMC); Generic Immunity Standard;
                          Part 2: Industrial Environment


7.2 Safety Requirements

Standardized Safety Requirements

The S7 F/FH System fulfills the following safety requirements:
- Requirement classes AK1 to AK6 in accordance with DIN V 19250/VDE 0801
- SIL1 to SIL3 (Safety Integrity Level) in accordance with IEC 61508
- Categories 1 to 4 in accordance with EN 954-1

Risk Graph and Requirement Classes (AK) to DIN V 19250

Requirement classes (AK) assigned to particular risks are defined in DIN V 19250.
The requirements of the process can be worked out using the risk parameters. The
requirement class (AK) to be complied with by the controller can be established
using the risk chart.
This procedure results in an AK requirement class for applications without a
product standard. Using DIN V VDE 0801, the basic safety requirements can then
be established. If there is a product standard for an application, the safety
requirements are noted in it.

[Figure: Risk graph to DIN V 19250. The risk parameters S1-4 (extent of damage),
A1-2 (length of stay), G1-2 (avoidance of danger) and W1-3 (probability of the
undesired event occurring) lead through the branches S1, S2 (A1/A2, G1/G2),
S3 (A1/A2, G1/G2) and S4 to the requirement classes in the W3, W2 and W1
columns.]

Risk Parameters
The risk parameters have the following meaning in accordance with DIN V 19250:

Parameter                                Meaning
---------                                -------
Extent of injury or damage
  S1                                     Minor injuries; minor harmful effects on the environment
  S2                                     Serious irreversible injuries of one or more persons or fatality of
                                         a person; temporary, seriously harmful effects on the environment
  S3                                     Several fatalities; lasting, seriously harmful effects on the
                                         environment
  S4                                     Catastrophic repercussions, large number of fatalities
Frequency and exposure time
  A1                                     Rare to more often
  A2                                     Frequent to continuous
Possibility of avoiding hazard
  G1                                     Possible in certain circumstances
  G2                                     Rarely possible
Probability of the unwanted occurrence
  W1                                     Very low
  W2                                     Low
  W3                                     Relatively high


Safety Integrity Level in Accordance with IEC 61508

For each Safety Integrity Level (SIL), IEC 61508 defines the probability of failure of
a safety function allocated to a safety-related system as a target measure.

Safety integrity   Low Demand Mode of Operation             High Demand or Continuous Mode of Operation
level              (Average probability of failure to       (Probability of a hazardous failure per hour)
                   perform its design function on demand)
----------------   ---------------------------------------  -------------------------------------------
4                  10^-5 to < 10^-4                         10^-9 to < 10^-8
3                  10^-4 to < 10^-3                         10^-8 to < 10^-7
2                  10^-3 to < 10^-2                         10^-7 to < 10^-6
1                  10^-2 to < 10^-1                         10^-6 to < 10^-5

The actuators and sensors generally contribute most to these failure probabilities.
Each safety function always comprises the entire chain, from the collection and
processing of information to the intended action.
The equipment involved, such as the S7 F/FH programmable controller, sensors
and actuators, must in its entirety fulfill the AK and SIL determined as a result of
risk assessment.
If control functions and associated protection functions are implemented together in
the same S7 F/FH, this is said to be high-demand or continuous mode.

The following table lists the probability values of individual components of the S7
F/FH Systems:

Component                                    Low Demand Mode of        High Demand or            Proof test
(order number)                               Operation: average        Continuous Mode of        interval
                                             probability of failure    Operation: probability
                                             to perform its design     of a dangerous failure
                                             function on demand        per hour
-------------------------------------------  ------------------------  ------------------------  ----------
F-capable CPU                                1,24E-04                  1,42E-09                  10 years
SM 326; DO 10 x DC 24V/2A;                   6,97E-06                  7,96E-11                  10 years
with diagnostic interrupt
(6ES7 326-2BF00-0AB0)
ET 200S PM-E F 24 VDC                        << 1.00 E-05              << 1.00 E-10              10 years
PROFIsafe Power Module
ET 200S EM 4/8 F-DI 24 VDC                   << 1.00 E-03 at SIL 2     << 1.00 E-08 at SIL 2     10 years
PROFIsafe Digital Electronic Module          << 1.00 E-05 at SIL 3     << 1.00 E-10 at SIL 3
ET 200S EM 4 F-DO 24 VDC/2 A                 << 1.00 E-05              << 1.00 E-10              10 years
PROFIsafe Digital Electronic Module
ET 200S PM-D F 24VDC                         << 1.00 E-05              << 1.00 E-10              10 years
PROFIsafe Power Module
SM 326; DI 24 x DC 24V;                      1,55E-06 at SIL 2         1,77E-11 at SIL 2         10 years
with diagnostic interrupt                    4,99E-08 at SIL 3         5,70E-13 at SIL 3
(6ES7 326-1BK00-0AB0)
SM 326; DI 8 x NAMUR;                        2,74E-06 at SIL 2         3,13E-11 at SIL 2         10 years
with diagnostic interrupt                    4,83E-08 at SIL 3         5,51E-13 at SIL 3
(6ES7 326-1RF00-0AB0)
SM 336; AI 6 x 13Bit;                        4,96E-08 at SIL 3         5,66E-13 at SIL 3         10 years
with diagnostic interrupt
(6ES7 336-1HE00-0AB0)
Safety-related communication                 1,00E-05                  1,00E-09

You can obtain the contribution of the S7 F/FH System to the failure probability of a
safety function by adding up the failure probabilities of all the CPUs and F-SMs of
the S7 F/FH System that are involved. Redundant CPUs are counted singly;
redundant F-SMs are counted double. The contribution of safety-related
communication must then be added. Several S7 F/FH Systems can be involved in
a safety function.

Example:
A safety function is implemented with an S7 FH System. The CPUs and F-SMs
involved in the safety function are listed in the table below. These CPUs and F-SMs
are used in a redundant configuration. Their proof test interval is 10 years.
The F-SMs are in safety mode for SIL 3. Operation is in high demand mode:

CPUs, F-SMs and Safety-Related Communication   Number   Redundancy   Probability of a Hazardous
Equipment Involved in the Safety Function                            Failure per Hour
--------------------------------------------   ------   ----------   --------------------------
F-capable CPU                                           Yes          1,42E-09
SM 326; DO 10 x DC 24V/2A;                              Yes          1,59E-10
with diagnostic interrupt
(6ES7 326-2BF00-0AB0)
SM 326; DI 24 x DC 24V;                                 Yes          2,28E-12
with diagnostic interrupt
(6ES7 326-1BK00-0AB0)
Safety-related communication                                         1,00E-09
Total                                                                2,58E-09

7.3 System Configuration

The limits for the system configuration of the S7 F/FH System are set mainly by the
CPU used. You can find the relevant values in the technical specifications of the
CPU in /3/, Chapter 5.
You will find any restrictions that apply to the S7 FH System in the readme file in
the "S7 H Systems" optional package.
In Appendix A you will find the certified hardware and software components of an
F-system in the form of check lists.
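The counting rule and the example in section 7.2 above can be checked with a short calculation. The following is an added worked example, not the manual's own code: the per-module PFH values, the rule that redundant CPUs are counted singly and redundant F-SMs double, and the IEC 61508 PFH bands are taken from the manual's tables. The number of modules per row is an assumption, because the "Number" column of the manual's example table did not survive extraction; the counts below were chosen so that the sum reproduces the manual's total of 2,58E-09. The PFD-from-PFH relation is an observation about the manual's table, not a statement it makes.

```python
"""Contribution of an S7 F/FH System to the PFH of a safety function (added example)."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760
PROOF_TEST_INTERVAL_H = 10 * HOURS_PER_YEAR  # 10 years, as in the manual's table


@dataclass(frozen=True)
class Contribution:
    name: str
    pfh: float               # probability of a hazardous failure per hour (high demand)
    count: int = 1           # number of such units in the safety function
    redundant: bool = False
    is_cpu: bool = False

    def weighted_pfh(self) -> float:
        # Manual's rule: redundant CPUs counted singly, redundant F-SMs double.
        factor = 2 if (self.redundant and not self.is_cpu) else 1
        return self.count * factor * self.pfh


def total_pfh(items) -> float:
    """Sum of the weighted per-unit PFH values, communication included."""
    return sum(item.weighted_pfh() for item in items)


# IEC 61508 high-demand / continuous-mode bands (PFH per hour), from the manual.
SIL_PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def pfh_band(pfh: float):
    """SIL whose PFH band contains the value, or None if outside SIL 1..4.

    Meeting the band is only one requirement: the achievable SIL is also
    limited by the certified SIL of the modules (SIL 3 in the manual's example)
    and by the sensors and actuators, which generally contribute most.
    """
    for sil, (low, high) in SIL_PFH_BANDS.items():
        if low <= pfh < high:
            return sil
    return None


def pfd_from_pfh(pfh: float, interval_h: float = PROOF_TEST_INTERVAL_H) -> float:
    """Low-demand value implied by a PFH over one proof-test interval.

    Observation (not from the manual): each low-demand entry in its table
    equals the PFH times 87,600 h, e.g. 1,42E-09 -> 1,24E-04.
    """
    return pfh * interval_h


# The manual's example: redundant S7 FH system, F-SMs in safety mode for SIL 3.
EXAMPLE = [
    Contribution("F-capable CPU", 1.42e-9, count=1, redundant=True, is_cpu=True),
    Contribution("SM 326; DO 10 x DC 24V/2A (6ES7 326-2BF00-0AB0)",
                 7.96e-11, count=1, redundant=True),              # count assumed
    Contribution("SM 326; DI 24 x DC 24V (6ES7 326-1BK00-0AB0) at SIL 3",
                 5.70e-13, count=2, redundant=True),              # count assumed
    Contribution("Safety-related communication", 1.00e-9),
]

if __name__ == "__main__":
    for item in EXAMPLE:
        print(f"{item.name:62s} {item.weighted_pfh():.2E}")
    total = total_pfh(EXAMPLE)
    print(f"{'Total':62s} {total:.2E}  (IEC 61508 PFH band: SIL {pfh_band(total)})")
```

Running it reproduces the rows of the example table (1,42E-09, 1,59E-10, 2,28E-12, 1,00E-09) and the total 2,58E-09; the band lookup only says which IEC 61508 row the hardware sum falls into.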

7.4 Monitoring Times

7.4.1 Configuring the Monitoring Times for F/FH Systems

Rules for Monitoring Times

When you configure the monitoring times, you must take into consideration both
the availability and the safety of the F/FH system:
- Availability: To ensure that the temporal monitoring is not triggered when there
  is no error, the monitoring times selected must be sufficiently long.
- Safety: To ensure that the process safety time is not exceeded, the monitoring
  times selected must be sufficiently short.

Monitoring Times of an F System

You must configure the following monitoring times for the F-system:

Parameters of the fail-safe blocks:

Monitoring                                                   Block                  Parameter
----------                                                   -----                  ---------
Monitoring of the F cycle time of the cyclic interrupt OB    F_CYC_CO               MAX_CYC
that contains the safety program
Monitoring of safety-related communication between F         F_R_R, F_R_BO          TIMEOUT
run-time groups
Monitoring of safety-related communication between CPUs      F_SENDR, F_RCVR,       TIMEOUT
                                                             F_SENDBO, F_RCVBO

Parameters of the F-I/Os:

Monitoring                                                   Parameter
----------                                                   ---------
Monitoring of safety-related communication between F-CPU     Monitoring time (properties dialog in
and F-I/Os via PROFIsafe                                     HWCONFIG)


Basic Procedure
To configure the monitoring times, proceed as follows:
1. Configure the standard or fault-tolerant system. You can find the necessary
information in the relevant hardware manuals and online help systems.
2. Configure the specific monitoring times of the F-system with regard to
availability: The times should be considerably longer than the minimum
monitoring times. You can find approximation formulas in the information on
calculating the minimum monitoring times or in the Excel table
STEP7\S7BIN\S7ftimeb.xls.
3. Use the Excel table STEP7\S7BIN\S7ftimeb.xls to calculate the maximum
response time, and check whether the maximum fault tolerance time for the
process has been exceeded.

Safety Note Pulse Detection


To enable pulses to be detected reliably, the time between two signal changes
(pulse duration) must be longer than the corresponding monitoring time.

7.4.2 Calculation of the Minimum Monitoring Times

7.4.2.1 Monitoring the F Cycle Time

The monitoring time is assigned parameters at the MAX_CYC input parameter of
the F_CYC_CO fail-safe blocks.
To ensure monitoring is not triggered when there is no fault, MAX_CYC must be
greater than the maximum cycle time TCImax of the relevant cyclic interrupt OB:

MAX_CYC > TCImax

TCImax is at least as large as the configured cycle time TCI of the cyclic interrupt
OB. In the FH system, the maximum disabling time for priority classes > 15 (TP15)
at updating must also be taken into consideration. Thus the following
approximation formulae apply:

TCImax ≈ TCI + MIN(TCiR, 2500)               in the F system
TCImax ≈ MAX(TCI; TP15) + MIN(TCiR, 2500)    in the FH system with cyclic interrupt OB with special handling
TCImax ≈ TCI + TP15 + MIN(TCiR, 2500)        in the FH system with cyclic interrupt OB without special handling

Note the following:

Time    Description                                      Where to Find it?
----    -----------                                      -----------------
TCI     Configured cycle time of the cyclic              HWCONFIG
        interrupt OB                                     CPU properties, "Cyclic Interrupt, Execution"
TP15    Maximum disabling time for priority              HWCONFIG
        classes > 15                                     CPU Properties, "H Parameters"
TCiR    CiR Synchronization Time:                        Properties of the CiR_Object in HWCONFIG.
        - From the CiR-Object parameters in STEP7        For additional information, refer to section 4.8.4
        - Summarize all CiR-Object synchronization       "Configuration in Run (CiR)".
          times of the simultaneously changing DP
          buses and place total here.
        If CiR is not used, enter 0.

"Cyclic Interrupt OB with Special Handling" is an H parameter of the CPU in the S7
FH system. The parameter contains the number of the cyclic interrupt OB that is
called separately by the operating system when the standby is updated, after all
the interrupts have been locked. Usually the number of the cyclic interrupt OB with
the highest priority is entered, to which F-blocks of the Safety Program are
assigned in CFC.

Note
To activate the monitoring of the maximum disabling time for priority classes > 15,
you must assign this parameter a value in HWCONFIG (CPU properties, "H
Parameters" tab).

7.4.2.2 Monitoring Safety-Related Communication Between the F-CPU and F-I/Os

PROFIsafe time monitoring is executed in the F-I/O and in the F driver with the same
PROFIsafe monitoring time. The value is entered in HWCONFIG as the monitoring
time of the F-I/O and is automatically assigned to the F drivers at compilation
(TIMEOUT).
To ensure that monitoring is not triggered in either the F driver or the F-I/O when
there are no faults, the PROFIsafe monitoring time TPSTO selected must be
sufficiently long:

TPSTO > 2*TTR + TF-I/O,ACK + MAX(TCImax; TCI + TDP_FD) + TDP_SO + TSLAVE_SO + 2*TDP_DLY

Note the following:

Time          Description                                  Where to Find it?
----          -----------                                  -----------------
TCI           Configured cycle time of the cyclic          HWCONFIG
              interrupt OB                                 CPU properties, "Cyclic Interrupt, Execution"
TCImax        Maximum cycle time of the relevant           Monitoring the F Cycle Time section
              cyclic interrupt OB
TTR           Max. target rotation time for the DP         Properties of the DP master system,
              master system                                bus parameters in HWCONFIG
TDP_FD        Max. DP fault detection time                 Properties of the DP master system,
                                                           bus parameters, "H Parameters" tab in HWCONFIG
TDP_SO        Max. DP switchover time                      Properties of the DP master system,
                                                           bus parameters, "H Parameters" tab in HWCONFIG
TSLAVE_SO     Maximum switchover time for the active       In the technical specifications of the
              communication channel in a switched          switched DP slave (ET 200M)
              I/O system
TF-I/O,ACK    Maximum acknowledgment time of the           You can find this time in the technical
              F-I/O in safety mode                         specifications of the fail-safe I/O manuals.
TDP_DLY       Additional DP Delay Time, External DP        Properties of the External DP Interface (CP),
              Interface (DP)                               Operating Mode tab in HWCONFIG.

Note
To check during operation whether the configured PROFIsafe monitoring times are
too short, you can add to an ET 200M that already carries fail-safe signal modules
in safety mode further fail-safe signal modules in safety mode for which a lower
PROFIsafe monitoring time is configured. This is particularly advisable if the
configured PROFIsafe monitoring time that has to be checked is not much longer
than the minimum possible PROFIsafe monitoring time.

See Also
Configuring the Monitoring Times for F/FH Systems

7.4.2.3 Monitoring of Safety-related Communication between CPUs

Time monitoring takes place in the F_SENDR and F_RCVR and F_SENDBO and
F_RCVBO blocks respectively with the same monitoring time, which has to be
assigned parameters on both blocks (TIMEOUT).
To ensure that monitoring is not triggered in F_SENDR and F_SENDBO or in
F_RCVR and F_RCVBO when there are no errors, the TIMEOUT monitoring time
selected must be sufficiently long:

TIMEOUT > TCI,F_SEND + TCI,F_RCV + MAX(TDelay,F_SEND; TDelay,F_RCV) + 2*TUSEND
          + MAX(MIN(TCiR,F_SEND; 2500); MIN(TCiR,F_RCV; 2500))
Note the following:

Time            Description                                                Where to Find it?
TCI,F_SEND      Configured cycle time of the cyclic interrupt OB with      HWCONFIG, CPU properties, "Cyclic
                the call of F_SENDBO or F_SENDR                            Interrupt, Execution"
TCI,F_RCV       Configured cycle time of the cyclic interrupt OB with      HWCONFIG, CPU properties, "Cyclic
                the call of F_RCVBO or F_RCVR                              Interrupt, Execution"
TDelay,F_SEND   Maximum communication delay when the standby in the FH     Properties of the sender CPU,
                system is updated, with the call of F_SENDBO or F_SENDR    "H Parameters" tab
TDelay,F_RCV    Maximum communication delay when the standby in the FH     Properties of the receiving CPU,
                system is updated, with the call of F_RCVBO or F_RCVR      "H Parameters" tab
TUSEND          Maximum response time of USEND:                            You can find information on the
                - with 48 bytes of user data for F_SENDBO                  Internet (see below)
                - with 88 bytes of user data for F_SENDR
TCiR,F_SEND     CiR synchronization time of the CPU with the call of       Properties of the CiR_Object in
                F_SENDBO or F_SENDR:                                       HWCONFIG. For additional
                - from the CiR-Object parameters in STEP 7                 information, refer to section
                - summarize all CiR-Object synchronization times of the    4.8.4 "Configuration in Run (CiR)".
                  simultaneously changing DP buses and place the total
                  here. If CiR is not used, enter 0.
TCiR,F_RCV      CiR synchronization time of the CPU with the call of       Properties of the CiR_Object in
                F_RCVBO or F_RCVR:                                         HWCONFIG. For additional
                - from the CiR-Object parameters in STEP 7                 information, refer to section
                - summarize all CiR-Object synchronization times of the    4.8.4 "Configuration in Run (CiR)".
                  simultaneously changing DP buses and place the total
                  here. If CiR is not used, enter 0.

Finding TUSEND
You can download a tool for calculating the TUSEND value from the Internet at:
http://www4.ad.siemens.de/view/cs/de/1651770
Contribution ID 1651770
Note
To activate the monitoring of the maximum communication delay
when the standby in the FH system is updated, you must assign this
parameter a value in HWCONFIG (CPU properties, "H Parameters"
tab).
Simultaneous updating in both CPUs is not assumed.

7.4.2.4 Monitoring of Safety-Related Communication Between F-run-time Groups
Time monitoring takes place in the FBs F_R_BO and F_R_R and is assigned there
at the TIMEOUT input parameter.
To ensure that time monitoring is not triggered when there are no faults, the
TIMEOUT monitoring time must be at least as large as the larger of the two
maximum cyclic interrupt cycle times of F_S_R and F_S_BO or F_R_R and
F_R_BO:

TIMEOUT > MAX(TCImax,F_S; TCImax,F_R)


Note the following:

Time          Description                                              Where to Find it?
TCImax,F_S    Maximum cycle time of the cyclic interrupt OB with the   Section "Monitoring the F Cycle Time"
              call of F_R_BO or F_R_R
TCImax,F_R    Maximum cycle time of the cyclic interrupt OB with the   Section "Monitoring the F Cycle Time"
              call of F_S_BO or F_S_R
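The three inequalities in sections 7.4.2.2 to 7.4.2.4 are easy to get wrong by hand because of the nested MAX/MIN terms and because all three are strict. The following added example (it is not Siemens code and not part of the manual) evaluates each lower bound exactly as the manual states it and reports which configured monitoring times are too short. Function names, the millisecond unit and all sample values are assumptions made for illustration.

```python
"""Lower-bound checks for the three monitoring times described above.

Added example, not Siemens code: the functions evaluate the inequalities for
TPSTO (PROFIsafe monitoring time), TIMEOUT for CPU-CPU communication and
TIMEOUT for communication between F-run-time groups exactly as the manual
states them.  All time values are taken to be in milliseconds; the sample
values at the bottom are constructed for illustration and are not taken from
any real configuration.
"""


def profisafe_tpsto_min(t_tr, t_fio_ack, t_ci_max, t_ci, t_dp_fd, t_dp_so,
                        t_slave_so, t_dp_dly):
    """Right-hand side of
    TPSTO > 2*TTR + TF-I/O,ACK + MAX(TCImax; TCI + TDP_FD) + TDP_SO
            + TSLAVE_SO + 2*TDP_DLY."""
    return (2 * t_tr + t_fio_ack + max(t_ci_max, t_ci + t_dp_fd)
            + t_dp_so + t_slave_so + 2 * t_dp_dly)


def cpu_cpu_timeout_min(t_ci_send, t_ci_rcv, t_delay_send, t_delay_rcv,
                        t_usend, t_cir_send=0, t_cir_rcv=0):
    """Right-hand side of
    TIMEOUT > TCI,F_SEND + TCI,F_RCV + MAX(TDelay,F_SEND; TDelay,F_RCV)
              + 2*TUSEND + MAX(MIN(TCiR,F_SEND; 2500); MIN(TCiR,F_RCV; 2500)).
    The CiR terms default to 0, which is the value the manual says to enter
    when CiR is not used."""
    return (t_ci_send + t_ci_rcv + max(t_delay_send, t_delay_rcv)
            + 2 * t_usend
            + max(min(t_cir_send, 2500), min(t_cir_rcv, 2500)))


def runtime_group_timeout_min(t_ci_max_s, t_ci_max_r):
    """Right-hand side of TIMEOUT > MAX(TCImax,F_S; TCImax,F_R)."""
    return max(t_ci_max_s, t_ci_max_r)


def is_long_enough(configured, lower_bound):
    """All three inequalities are strict: a configured value that merely
    equals the bound is still too short."""
    return configured > lower_bound


def audit(configured, bounds):
    """Compare each configured monitoring time with its lower bound and
    return the (sorted) names of the ones that are too short."""
    return sorted(name for name, value in configured.items()
                  if not is_long_enough(value, bounds[name]))


if __name__ == "__main__":
    # Constructed sample values (ms), chosen only to exercise the formulas.
    bounds = {
        "TPSTO": profisafe_tpsto_min(t_tr=10, t_fio_ack=20, t_ci_max=150,
                                     t_ci=100, t_dp_fd=30, t_dp_so=15,
                                     t_slave_so=40, t_dp_dly=5),
        "TIMEOUT_CPU_CPU": cpu_cpu_timeout_min(100, 200, 300, 250, 60,
                                               t_cir_send=3000,
                                               t_cir_rcv=1000),
        "TIMEOUT_RTG": runtime_group_timeout_min(150, 200),
    }
    configured = {"TPSTO": 300, "TIMEOUT_CPU_CPU": 3000, "TIMEOUT_RTG": 200}
    for name, bound in bounds.items():
        print(f"{name}: configured {configured[name]} ms, "
              f"must exceed {bound} ms")
    print("too short:", audit(configured, bounds))
```

Note how the CiR term is capped: a CiR synchronization time of 3000 ms contributes only 2500 ms, and a TIMEOUT configured exactly at the computed bound is reported as too short because the manual's inequalities are strict.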


7.5 Acceptance of an F-System

An F system is usually accepted by an independent expert.
During acceptance of an F-System you are supported by special functions in
SIMATIC Manager. This enables you to:
- Compare Safety Programs
- Log Safety Programs
- Print Safety Programs

You can find information on these topics in Section 5.4.

Safety Note Archive STEP 7 Projects


Version management must be available for the purpose of archiving the S7 F/FH
Systems project. Apart from that, we recommend you archive each accepted
project in STEP 7 and create a new project for changes.
When the system is accepted, all requirements contained in the report on the
certificate that require approval must be taken into account.

You can archive all data relevant to the acceptance of the F-System in SIMATIC
Manager (File > Archive) and print it out, as required.

Check Lists for Acceptance

You can find the following check lists in the appendix. These can be used when
you accept S7 F/FH Systems:
- Check list for the life cycle of the fail-safe programmable controllers: contains
  a summary of the activities in the life cycle of S7 F/FH Systems, as well as
  references to the requirements and rules that must be complied with.
- Check list of the certified modules
- Check list of the certified blocks


7.5.1 Initial Acceptance of a Safety Program

Basic Procedure for the Initial Acceptance of a Safety Program


1. Optional: advance acceptance of the configuration of the F-I/Os
2. Saving the program
3. Checking the printout
4. Downloading the program to the CPU
5. Carrying out a complete function test

Optional Advance Acceptance of the Configuration of the F-I/Os


After hardware configuration and parameter assignment of the F-I/Os, you can
carry out initial acceptance of the configuration of the F-I/Os.
The hardware configuration data must be printed out, saved and archived along
with the whole STEP 7 project.
Print the Safety Program from SIMATIC Manager using the File > Print menu
command. Select the print range and options as illustrated below to receive a
complete printout:

After a check of the safety-relevant module parameters of an F-I/O, the parameter
CRCs in the printout of the module parameters of the F-I/Os are sufficient as a
reference for subsequent acceptance. These are as follows:

Parameter CRC (incl. address):     12345
Parameter CRC (without address):   54321


F-I/Os that are supposed to have the same safety-relevant module parameters can
be copied during configuration. Their safety-relevant module parameters no longer
have to be checked individually: It is enough to compare the Parameter CRC
(without address) of the copied F-I/Os with the Parameter CRC (without address)
of the already checked F-I/Os and to check the logical start addresses.

Saving the Program


The Safety Program to be accepted must be saved and archived with the whole
STEP 7 project. All the project data (program information, CFC charts, hardware
configuration data and logs) must be printed out and archived together with the
STEP 7 project. You can find out how to save and archive S7 projects in the basic
STEP 7 help system.

Checking the Printout


Print out the whole project as described in the section entitled Printing the Safety
Program.

The printout contains the overall signature as a reference. The overall signature
appears twice in the printout, once in the program information section as the value
of the block container and once in the footer as a value from the source. The
values must match up.
The version number of the S7 F Systems optional package appears in the footer of
the printout and must be checked.
If the overall signature is not printed in the footer, this means that the Safety
Program or the configuration (HWCONFIG or NetPro) has changed. In this case
the Safety Program has to be recompiled.


Configuration
- F-I/Os that are supposed to have the same safety-relevant module parameters
  can be copied during configuration. Their safety-relevant module parameters
  no longer have to be checked individually: It is enough to compare the
  Parameter CRC (without address) of the copied F-I/Os with the Parameter
  CRC (without address) of the already checked F-I/Os and to check the logical
  start addresses.
- After advance acceptance of the configuration of an F-I/O, it is sufficient to
  compare the Parameter CRC (incl. address) in the new printout and the one in
  the accepted printout of the configuration.

Programming
The following parameters of fail-safe blocks must be checked in the printout:
- Any safety-related input parameters that are not automatically assigned must
  be checked in the printout either in the CFC charts or in the section on
  safety-related parameters. Input parameters that are not visible in the CFC
  charts are printed out in the section on safety-related parameters. If it is easier
  to check the parameters in the chart than in the section on safety-related
  parameters, the parameters should not be hidden.
- At each F module driver, the assignment to the F channel drivers at the
  CHADDRxx I/Os must be checked using function tests or by looking at the
  printout.
- The initial values of safety-related output parameters must be checked if the
  run sequence does not correspond to the flow of data, i.e. if the block is only
  called after the output parameter has been transferred to another block. This
  happens, for example, in the case of feedback. These output parameters are
  printed out in the safety-related parameters section and marked with an (*).


The specified I/Os must be checked in the case of the following fail-safe
blocks:

Fail-Safe Block                       I/O                  Description
F_CYC_CO                              MAX_CYC              Maximum permissible F cycle time
F_SENDBO, F_RCVBO, F_SENDR, F_RCVR    TIMEOUT              Monitoring time during communication between F-CPUs
F_R_R, F_R_BO                         TIMEOUT              Monitoring time during communication between
                                                           F-run-time groups
F_M_DI8, F_M_DI24, F_M_DO10,          TIMEOUT              Monitoring time for PROFIsafe communication with F-I/O
F_M_DO8, F_M_AI6                      LADDR                Logical address of the module (SM1)
                                      LADDR_R              Logical address of the redundant module (SM2)
F_M_AI6                               MODE_00 to MODE_05   Measurement range coding in the case of an analog
                                                           input module
F_CH_DI, F_CH_DO, F_CH_AI             ACK_NEC              Acknowledgment required for reintegration
F_LIM_HL                              QH                   1: Upper limit violated
F_LIM_LL                              QL                   1: Lower limit violated
F_RS_FF                                                    Output
F_SR_FF                                                    Output
F_CTUD                                CV                   Current count value

Switched output parameters are marked with an asterisk (*) on the printout.

Checking the Signatures


Overall signature: After the program has been downloaded to the CPU (see the
sections entitled "Downloading the Whole Safety Program" and "Downloading
Changes"), you have to compare the overall signature of the program in the CPU
with the overall signature in the accepted printout. In the case of S7 FH systems,
you have to make this comparison for both CPUs.
Signatures and initial-value signatures of the F-Blocks: The signatures and
initial-value signatures of all the fail-safe blocks must be identical with those in
Annex 1 of the certificate report. When you use newly created F-Block types, you
must carry out this comparison for all the F-Blocks called in the F-Block type.


You can obtain the overall signature of the program and the signatures of the
blocks in the CPU by choosing the Options > Edit Safety Program menu
command. When a comparison with the online program is made, it is indicated
whether the source, load memory and working memory match up (this enables
impermissible data manipulation to non-interconnected fail-safe input parameters
in the working memory to be detected).
You can check whether a Safety Program in the CPU is really the one you
expected by carrying out the following steps:
1. Choose the Options > Edit Safety Program menu command in SIMATIC
Manager and activate "Online" in the dialog box. The signature displayed in the
dialog box must match the signatures in the accepted printout (in the text and
in the footer).
2. To detect impermissible manipulation (e.g. via test mode in CFC) in the
working memory of the CPU, choose "Compare..." and compare the accepted
program with the online program in the dialog box. Any manipulated
parameters are displayed there. This step is imperative for acceptance.
3. In the case of fault-tolerant S7 FH systems, the above steps must be carried
out for both CPUs in the online view of SIMATIC Manager.
When you repeat downloading or repeat checks of the Safety Program, carry
out this overall signature check again.
Please note that the overall signature is also available at the F_PRG_SI input of
the F_SHUTDN function block within the @F_ShutDn CFC chart.


7.5.2 Acceptance of Changes to the Safety Program


To accept changes to the Safety Program, proceed as follows:
1. Save the program
2. Compare the new program with the accepted one (see the section entitled
"Comparing Safety Programs").
3. Check the changes in the printout
4. Download the new program to the CPU
5. Carry out a functional test of the changes
When you check the printout and carry out the functional test, only the new
sections and sections with changes have to be checked.
To identify these, the new program is compared with the accepted program.

The accepted program must be saved in another project. Click "Browse", and enter
the path of the accepted program.
Changes to the safety-relevant configuration of F-I/Os can be recognized by the
change to the CRC_IMP1 and CRC_IMP2 parameters of the relevant F module
driver (F_M_xx).


Changes to the addresses or symbolic names of signals can be recognized by the
change to the ADDR_CODE parameter of the relevant F channel driver
(F_CH_xx).
Changes to the network configuration in NetPro can be recognized by the change
to the CRC_IMP parameter of the relevant F communication blocks (F_RCVxx and
F_SENDxx).
You can find rules and information on how to proceed in the case of changes to the
Safety Program in the section entitled "Operation and Maintenance, Modifying the
Safety Program".


7.5.3 Acceptance of F-Block Types

Initial Acceptance
A newly created F-Block type is accepted for the first time in the same way as a
Safety Program. The function test of the F-Block type must take place in a different
Safety Program to the test environment.
At the acceptance of new F-Block types, the signature and initial-value signature of
the new F-Block are relevant. These signatures must be compared with the
acceptance printout. The signatures and initial-value signatures of the called
F-Blocks must also be checked.
The overall signatures in the footers of the printouts of the safety program and the
CFC chart of the F-Block type must match up or the block type will have to be
recompiled.

Acceptance of Changes
Acceptance of changes to an F-Block type is carried out in the same way as for a
Safety Program. All the points in the F test program at which the new F-Block type
is called must also be checked by means of a function test. Changed signatures of
F-Blocks are displayed in the chart view when the Safety Programs are compared.

7.5.4 Responsibilities and Qualifications

Safety requirements relating to the system-specific use of the S7 F/FH Systems
can be met by allocating responsibilities as follows:
- The process experts and the operators for the safety concept of the system,
  including the definition of safety-relevant and non-safety-relevant functions.
- The (independent) expert for the safety-related acceptance testing of the
  system.
- The planners of the S7 F/FH Systems for the implementation of the safety
  concept of the system in function, configuration and wiring charts/diagrams, for
  the planning of the interfaces of the F-System, the compliance with and
  implementation of regulations from the report on the certificate, and the entry of
  passwords in STEP 7.
- The installation and commissioning technicians of the S7 F/FH Systems for the
  implementation of and compliance with the requirements placed on the
  environment at the installation location, the error-free implementation of the
  wiring charts/diagrams, the downloading of the enabled Safety Program to the
  CPU, and the assignment of a password to the CPU.
- The commissioning technician of the S7 F/FH Systems for the functional tests
  of the acceptance with simulation of the switch-off criteria in accordance with
  the safety concept of the system and measurement of the required safety
  times.


8.1 Fail-Safe Blocks

8.1.1 Overview

Fail-Safe Blocks
All the fail-safe blocks are contained in the Failsafe Blocks library in the catalog of
libraries.
If possible, the F-Blocks are assigned to the existing families of standard blocks in
the catalog of the blocks used. Since the names of the F-Blocks always begin with
"F_", they appear together as a group.
Fail-safe blocks are available in the following block families:

DRIVER      Driver Blocks for F-I/Os
COM_FUNC    Blocks for F Communication Between CPUs
F_SYSTEM    F system blocks
CONVERT     Blocks for converting data between standard and safety sections
F_CTRL      F Control Blocks
BIT_LGC     Logic blocks with the BOOL data type
COMPARE     Comparison blocks for two input values of the same type
FLIPFLOP    Flipflop blocks
IEC_TC      IEC pulse and counter blocks
IMPULS      Pulse blocks
MATH_INT    Arithmetic blocks with the INT data type
MATH_FP     Arithmetic blocks with the REAL data type
MULTIPLX    Multiplex blocks


8.1.2 F-Data Types
Special F-data types in a safety data format are used for fail-safe block I/Os. The
safety data format is used to expose data and address corruptions.
The F-data types are programmed as structures and appear in the CFC chart with
the prefix "ST". The structures always consist of three components, of which the
first component, DATA, determines the data type. The PAR_ID and COMPLEM
components are included for safety reasons and are automatically assigned values
at compilation of the CFC chart.
For example, in the structure of the F_BOOL data type, DATA is of the type BOOL:
F_BOOL:
STRUCT
    DATA      BOOL
    PAR_ID    WORD
    COMPLEM   WORD
END_STRUCT

Note
Only I/Os with the same F-data type can be interconnected.

Safety Note Do Not Change PAR_ID and COMPLEM parameters


You must not change the PAR_ID and COMPLEM components after the Safety
Program has been compiled since this might result in serious errors remaining
undetected. If errors are detected in the safety data format during execution of the
Safety Program, the Safety Program will be disabled and may require the Safety
Program to be recompiled and downloaded to the CPU.
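The manual states that PAR_ID and COMPLEM exist to expose data and address corruption and that they are filled in at compilation, but it does not say here how they are computed. The following added example (not Siemens code, and not the real encoding) models one plausible scheme, stated as an assumption: PAR_ID identifies the block I/O a value belongs to, and COMPLEM is the bitwise complement of a 16-bit encoding of DATA. The point it shows is why a bit flip, a value delivered to the wrong I/O, or a hand-edited COMPLEM all fail the consistency check, and why only recompiling restores it; the class and function names and the sample values are constructed.

```python
"""Model of the safety data format described above.

Added example, not Siemens code.  The manual states only that every F-data
type is a STRUCT of DATA, PAR_ID and COMPLEM and that the last two exist to
expose data and address corruption; how they are actually computed is not
given here.  This model therefore ASSUMES a plausible scheme: PAR_ID is an
identifier tied to the block I/O the value belongs to, and COMPLEM is the
bitwise complement of a 16-bit encoding of DATA.  It illustrates why editing
PAR_ID or COMPLEM after compilation defeats the check; it does not describe
the real encoding.
"""
from dataclasses import dataclass


def _data_word(data):
    """Assumed 16-bit encoding of DATA: BOOL -> 0/1, INT -> two's complement."""
    if isinstance(data, bool):
        return 1 if data else 0
    if isinstance(data, int) and -32768 <= data <= 32767:
        return data & 0xFFFF
    raise TypeError("only BOOL and 16-bit INT are modelled here")


@dataclass(frozen=True)
class FStruct:
    DATA: object   # BOOL or INT payload, the only component a user assigns
    PAR_ID: int    # assumed: identifier of the I/O this value belongs to
    COMPLEM: int   # assumed: complement of the encoded DATA


def compile_value(data, par_id):
    """What compilation of the CFC chart is said to do: the user supplies
    DATA only; the two safety components are filled in automatically."""
    return FStruct(data, par_id, (~_data_word(data)) & 0xFFFF)


def check(value, expected_par_id):
    """True only if DATA and COMPLEM are consistent and the value belongs to
    the I/O that is reading it (PAR_ID matches)."""
    data_ok = (_data_word(value.DATA) ^ value.COMPLEM) == 0xFFFF
    return data_ok and value.PAR_ID == expected_par_id


def flip_bit(value, bit):
    """Simulate a memory fault that flips one bit of the encoded DATA while
    PAR_ID and COMPLEM stay as compiled."""
    assert 0 <= bit <= 15, "16-bit encoding modelled"
    word = _data_word(value.DATA) ^ (1 << bit)
    if isinstance(value.DATA, bool) and word in (0, 1):
        new_data = bool(word)
    else:
        new_data = word - 0x10000 if word & 0x8000 else word
    return FStruct(new_data, value.PAR_ID, value.COMPLEM)


if __name__ == "__main__":
    # Constructed sample: an F_BOOL compiled for the I/O with id 0x1234.
    compiled = compile_value(True, par_id=0x1234)
    print("compiled value passes:       ", check(compiled, 0x1234))
    print("bit flip in DATA detected:   ", not check(flip_bit(compiled, 0), 0x1234))
    print("read by wrong I/O detected:  ", not check(compiled, 0x1235))
    # COMPLEM edited online after compilation (the Safety Note case above)
    edited = FStruct(compiled.DATA, compiled.PAR_ID, 0xFFFF)
    print("edited COMPLEM detected:     ", not check(edited, 0x1234))
    print("recompiling restores it:     ",
          check(compile_value(edited.DATA, edited.PAR_ID), 0x1234))
```

The last two lines mirror the Safety Note: once a safety component has been changed by hand, every check fails until the chart is recompiled and the components are regenerated from DATA.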

Possible Data Types


The data types F_REAL and F_BOOL are possible for calculations.
If the F blocks have parameters with the data types F_INT, F_DINT, F_BYTE,
F_WORD, F_DWORD and F_TIME, these parameters can only be assigned
constants. You can use F_FR_FI to convert to F_INT.

Note
Output parameters of the types F_TIME and F_INT can be converted by
conversion blocks into the associated elementary data types for further processing
in the standard program. Conversely, elementary data types of the types TIME and
INT can be converted into F data types and processed further in the Safety
Program with the appropriate plausibility check.


Default
The default only specifies the first structural component, DATA. The other two
structure elements required for safety are automatically added when CFC charts
are compiled.
The same applies to the assignment of constants.

See Also
Blocks for Converting Data Between Standard and Safety Sections


8.1.3 Block I/Os
In the case of fail-safe blocks, there are some points to note concerning the block
I/Os:

- Although the I/Os EN and ENO appear in the CFC chart, they are neither
  evaluated nor assigned by the program code of the F-Block and you must not
  interconnect them.
- Each F-Block has three inputs (DB_ID, DB_INIT and PLK_DB) that are
  required to ensure safety. These inputs are automatically supplied with
  constants at compilation. You must not change these settings either.
- The F-Blocks have additional inputs or outputs, which are switched to invisible
  in the CFC chart. There are some that you must not change. Some of the
  others must be switched to visible for input, for modification or monitoring (e.g.
  for diagnostic purposes).
- The CRC_IMP, CRC_IMP1 and CRC_IMP2 I/Os are automatically supplied.
  You must not change them.

Note
You must not change any I/Os that have the entry "Supplied Automatically" in the
"Default" column. You can rectify any changes made to I/Os that are supplied
automatically by recompiling the Safety Program.

Safety Note Do not change automatically supplied FB inputs


Online changes to inputs that are supplied automatically can result in a disabling of
the Safety Program or in undetected errors in CPU-CPU communication!

Description of the EN, ENO, DB_ID, DB_INIT and PLK_DB Block I/Os
The following description explains the block I/Os of the individual fail-safe blocks.
The block I/Os that cannot be changed (EN, ENO, DB_ID, DB_INIT and PLK_DB)
are not listed or mentioned again.

Note
Although the I/Os EN and ENO appear in the CFC chart, they are neither
evaluated nor assigned by the program code of the F block and you must not
interconnect them.
EN must not be assigned the value 0 or FALSE!


Signal State 1 or 0
Signal state 1 at the block I/O of the data type BOOL always means that the event
described (e.g. error on channel x) is active.

Making Block I/Os Visible


Proceed as follows:
1. Double-click the block header.
2. Select the "Inputs/Outputs" tab in the "Properties" dialog box.
3. Scroll to the right until the "Invisible" column appears.
4. Right-click the "Invisible" selection cross of the block I/O.
Result: The invisible block I/O becomes visible in CFC.


8.1.4 Block Numbers

Block Number   Block Name
FC 180         DB_INIT
FC 181         FAIL_MSG
FC 301         DB_RES
FC 303         F_FBO_BO
FC 304         F_FR_R
FC 305         F_FI_I
FC 306         F_FTI_TI
FB 301         F_AND4
FB 302         F_OR4
FB 303         F_XOR2
FB 304         F_NOT
FB 305         F_2OUT3
FB 306         F_XOUTY
FB 307         F_RS_FF
FB 308         F_SR_FF
FB 314         F_LIM_HL
FB 315         F_LIM_LL
FB 321         F_ADD_R
FB 322         F_SUB_R
FB 323         F_MUL_R
FB 324         F_DIV_R
FB 325         F_ABS_R
FB 326         F_MAX3_R
FB 327         F_MID3_R
FB 328         F_MIN3_R
FB 329         F_LIM_R
FB 330         F_SQRT
FB 331         F_AVEX_R
FB 332         F_MUX2_R
FB 333         F_SMP_AV
FB 341         F_CTUD
FB 342         F_TP
FB 343         F_TON
FB 344         F_TOF
FB 345         F_LIM_TI
FB 346         F_R_TRIG
FB 347         F_F_TRIG
FB 350         F_LIM_I
FB 361         F_BO_FBO
FB 362         F_R_FR
FB 367         F_QUITES
FB 368         F_TI_FTI
FB 369         F_I_FI
FB 370         F_SENDBO
FB 371         F_RCVBO
FB 372         F_SENDR
FB 373         F_RCVR
FB 377         F_CH_DI
FB 378         F_CH_DO
FB 379         F_CH_AI
FB 384         F_M_DI8
FB 385         F_M_DI24
FB 386         F_M_DO10
FB 387         F_M_AI6
FB 388         F_M_DO8
FB 390         F_S_BO
FB 391         F_R_BO
FB 392         F_S_R
FB 393         F_R_R
FB 394         F_START
FB 395         F_CYC_CO
FB 396         F_PLK
FB 397         F_PLK_O
FB 398         F_TEST
FB 399         F_TESTC
FB 400         F_TESTM
FB 456         F_2oo3_R
FB 457         F_1oo2_R
FB 458         F_SHUTDN
FB 459         RTG_LOGIC
FB 461         F_FR_FI

Safety Note Fail-safe FB numbers


Numbers FB396 to FB400 must be kept free.
The numbers of the fail-safe blocks must not be changed.


8.1.5 Installation in Cyclic Interrupt OBs


Safety Note Safety Program can be installed in OB 3x ONLY
Fail-safe blocks can only be installed in a cyclic interrupt OB 3x. Installation in the
OB 1 is not permissible.

The cycle time of the cyclic interrupt OB is assigned parameters in HWCONFIG
(CPU parameters "Cyclic Interrupts, Execution". See "Monitoring the F Cycle
Time").


8.2 Driver Blocks for F-I/Os


To ensure fail-safe data exchange between the Safety Program and F-I/Os,
additional safety-related information is also transmitted in addition to the actual
user data (process values).
The following driver blocks are available for the transfer of user data with a safety
protocol:

F Channel Drivers
Block      Description
F_CH_DI    F channel driver for digital input
F_CH_DO    F channel driver for digital output
F_CH_AI    F channel driver for analog input

F Module Drivers
Block      Description
F_M_DI8    F module driver for 8-channel digital input
F_M_DI24   F module driver for 24-channel digital input
F_M_DO10   F module driver for 10-channel digital output
F_M_DO8    F module driver for 8-channel digital output
F_M_AI6    F module driver for 6-channel analog input

The F module drivers belong to the group of F control blocks.

See Also
Common Features of the Driver Blocks


8.2.1 F_CH_DI

Function
The block reads the digital value of the input channel whose symbolic name is
linked to the input VALUE from the associated F module driver (F_M_DIx). The F
module driver has read the digital value via a safety frame from the digital input
module (or possibly a module that is redundant to this one). The connection to the
associated F module driver (F_M_DIx) is automatically established by means of the
interconnection at the input CHADDR.
If the digital value is valid, it is made available at the output Q.
If the digital value is invalid, the substitute value 0 is output at the output Q. For the
reintegration of a process value after an error is corrected, a user acknowledgment
is required depending on the parameterization and error type.
Alternatively, a simulation value can be output at the output Q.
For the process value at the output Q, a value status (quality code) is generated at
the output QUALITY that can take on the following states:
State               Quality Code
Valid value         16#80
Simulation value    16#60
Substitute value    16#48

I/Os
Inputs:
Name        Data Type   Explanation                                               Default
ADDR_CODE   DWORD       Address code for VALUE interconnection                    Supplied automatically
CHADDR      F_WORD      Address of the channel in the F module driver             Interconnected automatically
VALUE       BOOL        Must be interconnected with the symbolic address of the   0
                        channel from HWCONFIG across the margin of the chart
SIM_I       F_BOOL      Simulation value
SIM_ON      F_BOOL      1 = activate simulation value
                        0 = deactivate simulation value
PASS_ON     F_BOOL      1 = activate passivation
                        0 = deactivate passivation
ACK_NEC     F_BOOL      User acknowledgment for reintegration after error
                        1 = required
                        0 = not required
ACK_REI     F_BOOL      Reintegration acknowledgment

Outputs:
Name        Data Type   Explanation                                               Default
PASS_OUT    F_BOOL      Passivation output
QBAD        F_BOOL      1 = process value invalid, value substitution active
QSIM        F_BOOL      1 = simulation active
Q           F_BOOL      Process value
QN          F_BOOL      Negated process value
Q_DATA      BOOL        DATA component of the process value (for visualization)   0
QUALITY     BYTE        Value status (quality code) of the process value
ACK_REQ     BOOL        Acknowledgment required for reintegration

Addressing
You must assign the symbol of the corresponding digital input channel to the input
VALUE of the F channel driver.

Normal Value
The digital value is output at the output Q with the quality code (QUALITY) 16#80.

Simulation Value
A simulation value can be output at the output Q instead of the normal value read
from the module.
When the input parameter SIM_ON = 1, the value of the input parameter SIM_I is
output with the quality code (QUALITY) 16#60 and the output QSIM = 1 is set.
In the event of an error, the output of the simulation value takes precedence over
the output of the substitute value.

Substitute Value
In the case of an invalid digital value as a result of a communication error
(PROFIsafe) or channel fault (e.g. wire break), in the case of passivation and
during a startup (cold or warm restart), the substitute value 0 is output with the
quality code (QUALITY) 16#48 and the output QBAD = 1 is set. If the substitute
value is not caused by passivation, the output PASS_OUT = 1 is set as well to
passivate other channels.


Startup Characteristics
After a startup (cold restart or warm restart), communication must first be
established between the F module driver and the digital input module. In this time,
the substitute value 0 is output with the quality code (QUALITY) 16#48, and the
outputs QBAD = 1 and PASS_OUT = 1 are set as well.

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems, or if a common-cause error occurs in both CPUs, the shutdown logic can
be configured to disable either the F-run-time group in which the error occurred or
the entire Safety Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)   Description
75DAH                   Error in the safety data format (error due to online
                        modification of the Safety Program or internal CPU fault)

Report Characteristics
The block has no reporting behavior.

See Also
Common Features of the Driver Blocks
Passivation and Reintegration


8.2.2 F_CH_DO

Function
The F channel driver makes the process value at the input I available to the
associated F module driver (F_M_DOx). The F module driver reads the value from
the F channel driver F_CH_DO and writes it via a safety frame to the channel of
the digital output module addressed via the output VALUE (and possibly of a
module that is redundant to this). The connection to the associated F module driver
(F_M_DOx) is automatically established by means of the interconnection at the
output CHADDR.
If the F channel driver detects at the next call that errors have occurred, the
substitute value 0 is made available for the associated F module driver at the next
call instead of the process value at the input I. For the reintegration of the process
value after an error is corrected, a user acknowledgment is required depending on
the parameterization and error type.
Alternatively, a simulation value can be output at the module output if there is no
error.
For the digital value I output to the module, a value status (quality code) is
generated at the QUALITY output that can take on the following states:
State               Quality Code
Valid value         16#80
Simulation value    16#60
Substitute value    16#48

I/Os
Inputs:
Name        Data Type   Explanation                                               Default
ADDR_CODE   DWORD       Address code for VALUE interconnection                    Supplied automatically
I           F_BOOL      Process value
SIM_I       F_BOOL      Simulation value
SIM_MOD     F_BOOL      1 = simulate I/O module
SIM_ON      F_BOOL      1 = activate simulation value
                        0 = deactivate simulation value
PASS_ON     F_BOOL      1 = activate passivation
                        0 = deactivate passivation
ACK_NEC     F_BOOL      User acknowledgment for reintegration after error
                        1 = required
                        0 = not required
ACK_REI     F_BOOL      Reintegration acknowledgment

Outputs:
Name        Data Type   Explanation                                               Default
PASS_OUT    F_BOOL      Passivation output
QBAD        F_BOOL      1 = process value invalid, value substitution active
QSIM        F_BOOL      1 = simulation active
CHADDR      F_WORD      Address of the channel in the F module driver             Interconnected automatically
VALUE       BOOL        Must be interconnected with the symbolic address of the   0
                        channel from HWCONFIG across the margin of the chart
QUALITY     BYTE        Value status (quality code) of the output value           0
ACK_REQ     BOOL        Acknowledgment required for reintegration

Addressing
You must assign the symbol of the corresponding digital output channel to the
output VALUE of the F channel driver.

Normal Value
The process value at the input I is made available for the associated F module
driver (F_M_DOx). 16#80 is output as the quality code (QUALITY).

Simulation Value
At the output, a simulation value can be output instead of the value at the input I
(e.g. for hardware tests).
When the input parameter SIM_ON = 1, the value of the input parameter SIM_I is
made available to the associated F module driver (F_M_DOx). 16#80 is output as
the quality code (QUALITY), and the output QSIM = 1 is set.
When SIM_MOD=0, the output of the simulation value takes precedence over the
output of the normal value and passivation, but not over the substitution value 0 in
the event of an error.
When SIM_MOD=1, the output of the simulation value always takes precedence
over the output of the normal value and passivation, regardless of any module
error (QBAD = 0). This mode is useful for simulating error-free operation even
without the hardware DO modules.


Substitute Value
In the event of communication errors (PROFIsafe) or channel faults (e.g. wire
break), in the case of passivation and during a startup (cold or warm restart), the
substitute value 0 is made available for the associated F module driver
(F_M_DOx). 16#48 is output as the quality code (QUALITY), and the output QBAD
= 1 is set.
If the substitute value is not caused by passivation, the output PASS_OUT = 1 is
set as well to passivate other channels. In the event of an error, the output of the
substitute value has the highest priority.

Startup Characteristics
After a startup (cold restart or warm restart), communication must first be
established between the F module driver and the digital output module. In this time,
the substitute value 0 is output with the quality code (QUALITY) 16#48, and the
outputs QBAD = 1 and PASS_OUT = 1 are set as well. At ACK_REQ = 1 the
ACK_REI acknowledgement must follow, even if ACK_NEC = 0.

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
75DAH                  Error in the safety data format (error due to online modification
                       of the Safety Program or internal CPU fault)

Report Characteristics
The block has no reporting behavior.

See Also
Common Features of the Driver Blocks
Passivation and Reintegration


8.2.3 F_CH_AI

Function
The block reads the analog non-linearized value of the input channel whose
symbolic name is linked to the input VALUE from the associated F module driver
(F_M_AIx). The F module driver has read the non-linearized value via a safety
frame from the analog input module (or possibly a module that is redundant to this
one). The connection to the associated F module driver (F_M_AIx) is automatically
established by means of the interconnection at the input CHADDR.
If the non-linearized value is valid, it is adapted to its physical size and made
available at the output V as a process value.
If the non-linearized value is invalid, a substitute value or the last valid value is
output at the output V, depending on the parameterization. For the reintegration of
a process value after an error is corrected, a user acknowledgment is required
depending on the parameterization and error type.
Alternatively, a simulation value can be output at the output V.
For the process value at the output V, a value status (quality code) is generated at
the output QUALITY that can take on the following states:
State             Quality Code
Valid value       16#80
Simulation value  16#60
Substitute value  16#48
Last valid value  16#44

I/Os

Inputs:

Name       Data Type  Explanation                                        Default
ADDR_CODE  DWORD      Address code for VALUE interconnection             Supplied automatically
CHADDR     F_WORD     Address of the channel in the F module driver      Interconnected automatically
VALUE      WORD       Must be interconnected with the symbolic address
                      of the channel from HWCONFIG across the margin
                      of the chart
VHRANGE    F_REAL     Upper limit of the process value                   0.0
VLRANGE    F_REAL     Lower limit of the process value                   0.0
CH_F_ON    F_BOOL     1 = activate limit-value monitoring
CH_F_HL    F_REAL     Overrange limit of the input value (mA)            0.0
CH_F_LL    F_REAL     Underrange limit of the input value (mA)           0.0
SIM_V      F_REAL     Simulation value                                   0.0
SIM_ON     F_BOOL     1 = activate simulation value
                      0 = deactivate simulation value
SUBS_ON    F_BOOL     1 = enable value substitution
SUBS_V     F_REAL     Substitute value                                   0.0
PASS_ON    F_BOOL     1 = activate passivation
                      0 = deactivate passivation
ACK_NEC    F_BOOL     User acknowledgment for reintegration after error
                      1 = required
                      0 = not required
ACK_REI    F_BOOL     Reintegration acknowledgment

Outputs:

Name       Data Type  Explanation                                        Default
PASS_OUT   F_BOOL     Passivation output
QCHF_HL    F_BOOL     1 = input value in overrange
QCHF_LL    F_BOOL     1 = input value in underrange
QBAD       F_BOOL     1 = process value invalid
QSIM       F_BOOL     1 = simulation active
QSUBS      F_BOOL     1 = value substitution active
OVHRANGE   F_REAL     Upper limit of the process value (copy)            0.0
OVLRANGE   F_REAL     Lower limit of the process value (copy)            0.0
V          F_REAL     Process value                                      0.0
V_DATA     REAL       DATA process value                                 0.0
QUALITY    BYTE       Value status (quality code) of the process value
ACK_REQ    BOOL       Acknowledgment required for reintegration

Addressing
You must assign the symbol of the corresponding analog input channel to the input
VALUE of the F channel driver.


Non-Linearized Value Checking

Depending on the measurement type and measurement range, there is a rated
range of the analog input module, in which the analog signal is converted to a
digitized non-linearized value. To this end, there is an overrange and an
underrange in which the analog signal can still be converted. Overflow and
underflow apply beyond these limits. The F channel driver indicates whether the
non-linearized value lies within the rated range of the module. If the value lies
under the rated range, the output parameter QCHF_LL = 1 is set. If the value lies
above the rated range, the output parameter QCHF_HL = 1 is set. In the case of
overflow or underflow, the output QBAD = 1 is also set, and, depending on the
parameter assignment, a substitute value or the last valid value is output.
In the event of channel faults (e.g. wire break), the module outputs 16#7FFF
(overflow) as a non-linearized value. Accordingly, the F channel driver F_CH_AI
detects an overflow and sets the output QCHF_HL = 1 and QBAD = 1.

NAMUR Limit Value Checking

In the NAMUR guidelines for analog signal processing, limit values are defined for
life zero (4 to 20 mA) analog signals where there is a channel fault:
3.6 mA < analog signal < 21 mA.
By default, the above NAMUR limits are set for limit value checking. If other limit
values are to be set, the input parameter CH_F_ON = 1 must be set and the input
parameters CH_F_HL and CH_F_LL must be set in mA with corresponding new
limit values. In the event of overflow or underflow of the active limit values, the
output QBAD = 1 is set, and, in the case of a life zero analog signal, a substitute
value or the last valid value is output, depending on the parameter assignment
(input SUBS_ON).

Note
The selectable limit values must be under the upper limit of the overrange and
above the lower limit of the underrange of the module. Values outside the NAMUR
range are thus also possible, unless the module automatically limits the measured
values.


Normal Value
The non-linearized value is adapted to its physical size using the input parameters
VLRANGE and VHRANGE and the measurement range and measurement type
(MODE) set in HWCONFIG. To enable the settings for VLRANGE and VHRANGE
to be switched to other block parameters, these are written to the outputs
OVLRANGE and OVHRANGE.
The conversion algorithm assumes a linear input signal.
When VLRANGE = 0.0 and VHRANGE = 100.0, you receive a percentage value.
When VHRANGE = VLRANGE is set, you receive the input signal of the analog
input module (e.g. mA) in accordance with the MODE setting.
16#80 is output as the quality code (QUALITY).

Measurement Range Coding of the Analog Input Module

The block is only released for the analog input module SM 336; AI 6 13Bit; with
diagnostic interrupt. Only a measurement range of 4 to 20 mA is supported with a
measurement type of 2- or 4-wire measuring transducer. The coding of the
measurement range of the analog input module is carried out in HWCONFIG and
is applied at compilation automatically to the parameter MODE_xx of the
associated F module driver (F_M_AIx). F_CH_AI reads the value from the
associated F module driver. MODE can take on the following values:
Measurement Type             Measurement Range  MODE (Decimal/Hex.)
4-wire measuring transducer  4 to 20 mA         515 / 16#0203
2-wire measuring transducer  4 to 20 mA         771 / 16#0303

Simulation Value
A simulation value can be output at the output V instead of the normal value.
When the input parameter SIM_ON = 1, the value of the input parameter SIM_V is
output with the quality code (QUALITY) 16#60 and the output QSIM = 1 is set.
The output of the simulation value has the highest priority.
If a simulation value is selected that would result from a non-linearized value below
the rated range of the module, the output parameter QCHF_LL = 1 is set. If a
corresponding non-linearized value would exceed the rated range, the output
parameter QCHF_HL = 1 is set. In the event of overflow or underflow or violation of
the active limits, the output QBAD = 1 is also set, and then, depending on the
parameter assignment for the input SUBS_ON, a substitute value or the last valid
value is output.


Substitute Value/Keep Last Value

In the case of an invalid non-linearized value as a result of a communication error
(PROFIsafe), channel fault, overflow/underflow or violation of channel fault limits
and in the case of passivation, depending on the parameter assignment (input
parameter SUBS_ON), a substitute value or the last valid value is output, and the
output QBAD = 1 is set. During a startup (cold or warm restart), there is no last
valid value yet available, and, regardless of the parameter assignment, the
substitute value configured at the input SUBS_V is output.
If the output of the substitute value or the last valid value is not caused by
passivation, the output PASS_OUT = 1 is set additionally to passivate other
channels.
When the input parameter SUBS_ON = 0, the last valid value of V is output with
the quality code (QUALITY) 16#44.
When the input parameter SUBS_ON = 1, the substitute value SUBS_V is output
with the quality code (QUALITY) 16#48, and the output QSUBS = 1 is set.

Startup Characteristics
After a startup (cold restart or warm restart), communication must first be
established between the F module driver and the analog input module. In this time,
regardless of the parameter assignment at the input SUBS_ON, the substitute
value SUBS_V is output with the quality code (QUALITY) 16#48, and the outputs
QBAD = 1, QSUBS = 1 and PASS_OUT = 1 are set.
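As an added illustration (not Siemens code and not taken from this manual), the following Python model walks a raw non-linearized value through the checks and priorities described in the preceding sections: rated range, NAMUR limits, normal value scaling, simulation value, substitute value or last valid value, and startup. It assumes the usual S7 encoding of the 4 to 20 mA range (0 = 4 mA, 27648 = 20 mA, 32511 and -4864 as the overrange and underrange limits), which this page does not state, and it leaves the ACK_NEC/ACK_REI handshake out.

```python
"""Model of the F_CH_AI value path (added illustration, not Siemens code):
raw non-linearized value -> mA -> rated-range and NAMUR checks -> process
value V with quality code, substitute value or last valid value.

Assumption (not stated on the page): 4..20 mA raw encoding follows the usual
S7 convention, 0 = 4 mA, 27648 = 20 mA, overrange up to 32511, underrange
down to -4864, beyond that overflow/underflow (16#7FFF on wire break).
"""
from dataclasses import dataclass
from typing import Optional

Q_VALID, Q_SIM, Q_SUBS, Q_LAST = 0x80, 0x60, 0x48, 0x44   # QUALITY codes
RAW_PER_MA = 27648 / 16.0          # assumed: 16 mA span = 27648 counts
OVERRANGE_MAX, UNDERRANGE_MIN = 32511, -4864
NAMUR_LL, NAMUR_HL = 3.6, 21.0     # default life-zero channel-fault limits

@dataclass
class Params:
    """Input parameters of F_CH_AI that influence the value path."""
    VHRANGE: float = 0.0
    VLRANGE: float = 0.0
    CH_F_ON: bool = False          # 1 = use CH_F_HL/CH_F_LL instead of NAMUR
    CH_F_HL: float = 0.0
    CH_F_LL: float = 0.0
    SIM_ON: bool = False
    SIM_V: float = 0.0
    SUBS_ON: bool = False          # 1 = output SUBS_V, 0 = keep last valid value
    SUBS_V: float = 0.0
    PASS_ON: bool = False

@dataclass
class Outputs:
    V: float
    QUALITY: int
    QBAD: bool = False
    QSIM: bool = False
    QSUBS: bool = False
    QCHF_HL: bool = False
    QCHF_LL: bool = False
    PASS_OUT: bool = False

@dataclass
class State:
    last_valid: Optional[float] = None   # None until the first valid value

def ma_to_v(ma: float, p: Params) -> float:
    """Linear adaptation to the physical range; VHRANGE == VLRANGE yields mA."""
    if p.VHRANGE == p.VLRANGE:
        return ma
    return p.VLRANGE + (ma - 4.0) / 16.0 * (p.VHRANGE - p.VLRANGE)

def v_to_ma(v: float, p: Params) -> float:
    """Inverse of ma_to_v, used to check a simulation value against the limits."""
    if p.VHRANGE == p.VLRANGE:
        return v
    return 4.0 + (v - p.VLRANGE) / (p.VHRANGE - p.VLRANGE) * 16.0

def check_ma(ma: float, p: Params):
    """Return (QCHF_HL, QCHF_LL, invalid) for a current value in mA."""
    hl, ll = ma > 20.0, ma < 4.0                       # outside the rated range
    lo, hi = (p.CH_F_LL, p.CH_F_HL) if p.CH_F_ON else (NAMUR_LL, NAMUR_HL)
    return hl, ll, not (lo < ma < hi)                  # active limit violated

def substitute(p: Params, st: State, by_passivation: bool = False) -> Outputs:
    """Substitute value or last valid value; PASS_OUT only if not caused by passivation."""
    out = Outputs(V=p.SUBS_V, QUALITY=Q_SUBS, QBAD=True, PASS_OUT=not by_passivation)
    if p.SUBS_ON or st.last_valid is None:             # startup: no last valid value yet
        out.QSUBS = True
    else:
        out.V, out.QUALITY = st.last_valid, Q_LAST
    return out

def f_ch_ai(raw: Optional[int], p: Params, st: State) -> Outputs:
    """One cyclic call. raw=None models a missing or invalid safety frame."""
    if p.SIM_ON:                                       # simulation has the highest priority
        hl, ll, bad = check_ma(v_to_ma(p.SIM_V, p), p)
        out = substitute(p, st) if bad else Outputs(V=p.SIM_V, QUALITY=Q_SIM)
        out.QSIM, out.QCHF_HL, out.QCHF_LL = True, hl, ll
        return out
    if p.PASS_ON:
        return substitute(p, st, by_passivation=True)
    if raw is None:                                    # communication error (PROFIsafe)
        return substitute(p, st)
    ma = 4.0 + raw / RAW_PER_MA
    hl, ll, bad = check_ma(ma, p)
    if raw > OVERRANGE_MAX or raw < UNDERRANGE_MIN:    # overflow / underflow
        bad = True
    if bad:
        out = substitute(p, st)
        out.QCHF_HL, out.QCHF_LL = hl, ll
        return out
    v = ma_to_v(ma, p)
    st.last_valid = v
    return Outputs(V=v, QUALITY=Q_VALID, QCHF_HL=hl, QCHF_LL=ll)
```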

Error Handling
If the value for measurement range and measurement type (MODE) is invalid, an
invalid non-linearized value is assumed.
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
75DAH                  Error in the safety data format (error due to online modification
                       of the Safety Program or internal CPU fault)
75D9H                  Invalid REAL number (DATA component)

Error in the Case of Module Redundancy

In the event of an error, a switch is made to the analog value of the redundant
module. After the error is corrected, there is no switch back; instead, work
continues with the last valid analog value. If an error only occurs on one of the
redundant modules, automatic reintegration takes place in the F channel driver
F_CH_AI after the error is corrected.

Report Characteristics
The block has no reporting behavior.

See Also
Common Features of the Driver Blocks
Passivation and Reintegration


8.2.4 Common Features of the Driver Blocks

F Module Drivers
Safety frame
Fail-safe data exchange between a Safety Program and an F-I/O occurs via safety
frames. In addition to user data (i.e. process values), information on safety is also
transferred.

Monitoring Time TIMEOUT

See "Configuring the Monitoring Times for F/FH Systems".

Redundancy
The driver blocks support the following types of redundancy:

- Signal redundancy in the case of digital input modules as a result of 1oo2
  sensor evaluation: If a digital input module is run with 1oo2 sensor evaluation,
  only F channel drivers can be placed for channels 0 to 3 of the digital input
  module SM 326; DI 8 x NAMUR and channels 0 to 11 of the SM 326; DI 24 x
  DC 24 V.

- Module redundancy: The F module drivers are able to address two redundant
  signal modules.

The settings necessary for this are made when parameters are assigned to the
modules in HWCONFIG.

Module redundancy
The processing of redundant modules comprises the following functions:

- In the case of problem-free operation:
  - In the case of digital input modules, the input signals are ORed per
    channel.
  - In the case of digital output modules, the digital value at I/O I of the
    channel driver is forwarded to both modules in parallel.
  - In the case of analog input modules, the input signals of the module that is
    available first after startup are forwarded to the F channel drivers.

- If a fault occurs on one of the redundant channels:
  - In the case of digital input modules and analog input modules, a
    switchover takes place to the channel of the other module.
  - In the case of digital output modules, the substitute value 0 is sent to the
    channel with the fault.

- If a fault occurs on both of the redundant channels:
  - In the case of digital input modules, the substitute value 0 is output on the
    F channel driver.
  - In the case of digital output modules, the substitute value 0 is sent to both
    channels.
  - In the case of analog input modules, the substitute value or the last valid
    value is output on the F channel driver, depending on what is configured.

- As long as both redundant channels don't fail, an acknowledgment is not
  necessary for reintegration after the problem has been dealt with.

Note
In the case of analog input modules, after a problem is corrected there is no switch
back to the channel of the original module. This can lead to the presence of active
channels on both modules.
When an analog input module is replaced, a switchover to the second module
takes place automatically.

Discrepancy Analysis in the Case of Module Redundancy

In the case of redundant, fail-safe digital input modules with single-channel or
two-channel non-equivalent sensor interconnection, the F module driver carries out a
discrepancy analysis to increase availability. For this purpose, the input DISC_ON
is assigned automatically and the assigned discrepancy time is stored at the input
DISCTIME when CFC charts are compiled.
In the discrepancy analysis, the F module driver compares two corresponding input
signals in each case. If a discrepancy between the signals lasts longer than the
configured discrepancy time, it detects a discrepancy error for the channel that
supplies the 0 signal and sets the corresponding bit in the diagnostic information at
the DIAG_1/2 output.
As long as it is only discrepancy errors that occur for a channel, the output QBAD
is not set on the F channel driver and the process value remains valid.
Reintegration after an error has been eliminated occurs automatically without
acknowledgment at the F channel driver.
In the case of redundant analog input modules, a discrepancy analysis is not
carried out.
A distinction should be drawn between this and discrepancy analysis in the case
of 1oo2 sensor evaluation, which is carried out by the module rather than the
driver block. A discrepancy error in the case of 1oo2 evaluation is handled in the
same way as a channel fault. You can find additional information on discrepancy
analysis and sensor interconnection in the Fail-Safe Signal Modules manual,
sections 3.2, 9.1 and 9.2.
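The redundant digital input handling from the "Module redundancy" and "Discrepancy Analysis" passages above, as an added Python model that is not Siemens code: per-channel OR of the two modules, switchover on a single fault, substitute value 0 on a double fault, and the DISCTIME-based discrepancy check whose error bit targets the module supplying the 0 signal. The cycle time, fault flags and the per-module DIAG bits are assumptions of the model.

```python
"""Model of one channel of the F module driver for two redundant DI modules
(added illustration, not Siemens code). The cyclic call interval and the
per-module fault flags are constructed inputs for this model."""
from dataclasses import dataclass
from typing import NamedTuple


class Result(NamedTuple):
    value: bool      # process value handed to the F channel driver
    qbad: bool       # QBAD that the F channel driver would report
    diag_a: bool     # discrepancy error bit for module A (DIAG output)
    diag_b: bool     # discrepancy error bit for module B (DIAG output)


@dataclass
class RedundantDiChannel:
    disctime_ms: int            # DISCTIME, stored at compile time from HWCONFIG
    disc_on: bool = True        # DISC_ON, assigned automatically
    elapsed_ms: int = 0         # how long the two signals have disagreed
    diag_a: bool = False
    diag_b: bool = False

    def cycle(self, sig_a: bool, fault_a: bool, sig_b: bool, fault_b: bool,
              cycle_ms: int) -> Result:
        """One cyclic call with the signal and fault state of both modules."""
        if fault_a and fault_b:                  # both channels failed: substitute 0
            self._clear()
            return Result(False, True, False, False)
        if fault_a or fault_b:                   # switchover to the healthy module
            self._clear()
            return Result(sig_b if fault_a else sig_a, False, False, False)
        if self.disc_on and sig_a != sig_b:
            self.elapsed_ms += cycle_ms
            if self.elapsed_ms > self.disctime_ms:
                # discrepancy error: flag the channel that supplies the 0 signal
                self.diag_a, self.diag_b = not sig_a, not sig_b
        else:
            self._clear()                        # signals agree: automatic reintegration
        # only discrepancy errors: value stays valid (ORed), QBAD is not set
        return Result(sig_a or sig_b, False, self.diag_a, self.diag_b)

    def _clear(self) -> None:
        self.elapsed_ms, self.diag_a, self.diag_b = 0, False, False
```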


Error Handling
The F module drivers can detect errors as well as respond to errors reported by the
module. Each block has several options for signaling and handling errors.

F Channel Drivers
Installation in Cyclic Interrupt OBs
Every F channel driver block must be installed in a cyclic interrupt OB3x. Multiple
installation of an instance in different cyclic interrupts is not permissible. The cyclic
interrupt interval must be coordinated with the monitoring time configured for the
module in HWCONFIG.
When the Safety Program is compiled, a check is carried out to establish whether
an F channel driver has been installed in more than one cyclic interrupt OB. If
appropriate, a corresponding error message is output.
All the F channel drivers that belong to a module must be integrated into the same
F-run-time group.

Startup Characteristics
After a startup (cold restart or warm restart), communication must first be
established between the F module driver and the F-I/O. Until this happens,
substitute values are output with the quality code (QUALITY) 16#48 and the
outputs QBAD and PASS_OUT of the F channel drivers are set.
As soon as PROFIsafe communication has been established without any errors
and no more module or communication faults/errors occur, valid process values
are output.
If PROFIsafe communication cannot be established within the configured
monitoring time, a TIMEOUT error is detected.

See Also
"Error Handling of Driver Blocks"
Passivation and Reintegration


8.3 Blocks for F Communication Between CPUs

To ensure additional safety-related data exchange between Safety Programs on
different CPUs, additional fail-safety-related information is also transferred as well
as the actual user data. This information and the associated mechanisms remain
hidden to the user.
The following blocks are available for F communication:

Block     Description
F_SENDBO  Send F_BOOL data to another CPU
F_RCVBO   Receive F_BOOL data from another CPU
F_SENDR   Send F_REAL data to another CPU
F_RCVR    Receive F_REAL data from another CPU

ID and R_ID Addressing Parameters for F Communication Blocks

- ID is the reference to the local connection description. ID is assigned during
  connection configuration (NetPro). The I/O ID must be assigned parameters on
  the sending side (F_SENDBO, F_SENDR) and on the receiving side
  (F_RCVBO, F_RCVR).

- Via R_ID you can define that a sending and a receiving fail-safe block belong
  together: The associated fail-safe blocks receive the same value for R_ID. The
  value R_ID is a freely selectable odd number, but it must be unique for a
  sending/receiving F block pair.

Note
The value R_ID + 1 is also assigned and must not be used.

TIMEOUT Parameter
All four blocks for F communication have the TIMEOUT parameter for vital-sign
monitoring of the communication between the CPUs. You can find out how to
calculate TIMEOUT in the section entitled "Configuring the Monitoring Times for
F/FH Systems".

Note
Data transfer takes place cyclically. It can only be guaranteed that a signal level to
be transferred will be detected on the sender side and transferred to the recipient if
it is present for at least as long as the configured monitoring time (TIMEOUT).


RETVAL Parameter
Return values (RET_VAL) of the system functions are indicated at the RETVAL
parameter of the blocks for F communication. The return values are error codes
that give you additional assistance in finding the error (see the section entitled
"Error Information at the Output RETVAL").

CRC_IMP Parameter

Safety Note
Do NOT change CRC_IMP input

Do not make any changes to the CRC_IMP I/O because this I/O is supplied
automatically. As a result of online changes to this I/O, errors can occur during
transmission of fail-safe data when the Safety Program is executed. For example,
data may be sent to the wrong recipient or may not be recognized as coming from
an incorrect sender.


8.3.1 F_SENDBO

Function
This block safely sends 20 data items of the F_BOOL data type to another CPU.
The data can be received there by the F_RCVBO block.
The data to be sent (e.g. outputs from other blocks) is stored at the inputs
SD_BO_xx.
The data is transferred via safety frames.
If you want to temporarily switch off a data interchange that has been established
between two CPUs in order to reduce the load on the bus, you can assign the
value FALSE to the input EN_SEND. In this case, no more data is sent to the
recipient, and the recipient outputs the configured substitute values. If
communication between the connection partners was already established, an
acknowledgment is required on the recipient's side before the values sent are
output again when data interchange is restarted with EN_SEND = TRUE.

Startup Characteristics
After a startup (cold restart or warm restart), communication must first be
established between the communication partners. F_SENDBO indicates this at the
SUBS_ON parameter with "1". The recipient (F_RCVBO) outputs substitute values
during this time until communication between F_SENDBO and F_RCVBO has
started up via the safety frame and any acknowledgment required for reintegration
at F_RCVBO has been made.

I/Os

Inputs:

Name      Data Type  Explanation                                      Default
EN_SEND   BOOL       1 = switch transmission on
                     0 = switch transmission off
ID        WORD       ID addressing parameter                          0000
R_ID      DWORD      R_ID addressing parameter                        00000000
SD_BO_00  F_BOOL     Send date 00
...
SD_BO_19  F_BOOL     Send date 19
CRC_IMP   DWORD      Address reference CRC                            Supplied automatically
TIMEOUT   F_TIME     Monitoring time in ms for vital-sign monitoring  T#0 ms

Outputs:

Name      Data Type  Explanation                                      Default
ERROR     F_BOOL     Transmission error
SUBS_ON   F_BOOL     Recipient outputs substitute values
RETVAL    WORD       Error code                                       0000


TIMEOUT Parameter
The input TIMEOUT cannot be interconnected and must be assigned a constant
value. See "Monitoring Safety-Related Communication Between CPUs".

Error Handling
If a connection partner (recipient) acknowledges receipt via an invalid safety frame
(e. g. due to a check value error (CRC) or watchdog error) or does not
acknowledge it within the TIMEOUT monitoring time, the outputs ERROR and
SUBS_ON are set. The recipient (F_RCVBO) then outputs substitute values. An
error code is displayed at the output RETVAL. Communication between the
connection partners is reestablished.

Note
Once communication has been set up without errors, compliance with the assigned
monitoring time (TIMEOUT parameter) is checked.

In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
75DAH                  Error in the safety data format (error due to online modification
                       of the Safety Program or internal CPU fault)

8.3.2 F_RCVBO

Function
This block safely receives 20 data items of the F_BOOL data type sent by the
F_SENDBO block from another CPU.
The received data is stored at the outputs RD_BO_xx for further processing by
other blocks.
The data is transferred via safety frames.

Startup Characteristics
After a startup (cold restart or warm restart), communication must first be
established between the communication partners. As long as the recipient does not
receive a safety frame from the sender, it sets the output SUBS_ON and outputs
the substitute values at the outputs RD_BO_xx.
The substitute values can be stored at the inputs SUBBO_xx.

I/Os

Inputs:

Name      Data Type  Explanation                                          Default
ID        WORD       ID addressing parameter                              0000
R_ID      DWORD      R_ID addressing parameter                            00000000
CRC_IMP   DWORD      Address reference CRC                                Supplied automatically
TIMEOUT   F_TIME     Monitoring time in ms for vital-sign monitoring      T#0 ms
ACK_REI   F_BOOL     Acknowledgment for reintegration of process values   0
                     after transmission errors
SUBBO_00  F_BOOL     Substitute value for receipt data 00
...
SUBBO_19  F_BOOL     Substitute value for receipt data 19

Outputs:

Name      Data Type  Explanation                                          Default
ACK_REQ   BOOL       Acknowledgment for reintegration of process values   0
                     required
ERROR     F_BOOL     Transmission error
SUBS_ON   F_BOOL     Substitution values are output                       1
RD_BO_00  F_BOOL     Receipt data 00
...
RD_BO_19  F_BOOL     Receipt data 19
RETVAL    WORD       Error code                                           0000


TIMEOUT Parameter
It can only safely be guaranteed that a signal level to be transferred will be
detected on the sender side and transferred to the recipient if it is present for at
least as long as the specified monitoring time (TIMEOUT).
The input TIMEOUT cannot be interconnected and must be assigned a constant
value. See "Monitoring Safety-Related Communication Between CPUs".

Error Handling
If a connection partner receives an invalid safety frame (e.g. due to a check value
error (CRC) or watchdog error) or doesn't receive a valid safety frame within the
TIMEOUT monitoring time, the outputs ERROR and SUBS_ON are set and the
substitute values are output. An error code is displayed at the output RETVAL.

Note
Once communication has been set up without errors, compliance with the assigned
monitoring time (TIMEOUT parameter) is checked.

Communication between the connection partners is reestablished. The data
received with valid safety frames is not applied to the outputs (= reintegrated) until
the input ACK_REI has had a rising edge (e.g. via F_QUITES).
The block sets the output ACK_REQ to indicate that acknowledgment is required.
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.
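The F_RCVBO behaviour from "Startup Characteristics" and "Error Handling" above, as an added Python model that is not Siemens code: substitute values until the first safety frame, ERROR and SUBS_ON on an invalid frame or after TIMEOUT, and reintegration only on a rising edge at ACK_REI once communication is re-established. The frame layout (sequence number, 20 F_BOOL values, CRC-32) is a constructed stand-in, not the PROFIsafe safety frame format.

```python
"""Model of the F_RCVBO receive side (added illustration, not Siemens code).
The frame layout and CRC-32 below are constructed stand-ins for the safety
frame, whose real format is not described on this page."""
import zlib
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional

N_DATA = 20                               # SD_BO_00..19 / RD_BO_00..19


def make_frame(seq: int, data: List[bool]) -> dict:
    """Sender side (stand-in for F_SENDBO): sequence number + data + CRC-32."""
    body = bytes([seq & 0xFF]) + bytes(int(b) for b in data)
    return {"seq": seq, "data": list(data), "crc": zlib.crc32(body)}


def frame_valid(frame: dict) -> bool:
    """Check-value test the recipient applies to every received frame."""
    body = bytes([frame["seq"] & 0xFF]) + bytes(int(b) for b in frame["data"])
    return len(frame["data"]) == N_DATA and zlib.crc32(body) == frame["crc"]


class Status(NamedTuple):
    SUBS_ON: bool
    ERROR: bool
    ACK_REQ: bool
    RD_BO: List[bool]


@dataclass
class FRcvBo:
    timeout_ms: int                       # TIMEOUT: vital-sign monitoring time
    subbo: List[bool]                     # SUBBO_00..19 substitute values
    established: bool = False             # a valid frame has been seen since startup
    since_frame_ms: int = 0
    error: bool = False
    subs_on: bool = True
    ack_req: bool = False
    prev_ack_rei: bool = False
    rd_bo: List[bool] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.rd_bo = list(self.subbo)     # outputs start at the substitute values

    def cycle(self, frame: Optional[dict], cycle_ms: int, ack_rei: bool = False) -> Status:
        """One cyclic call; frame=None means nothing arrived in this cycle."""
        rising = ack_rei and not self.prev_ack_rei
        self.prev_ack_rei = ack_rei
        self.since_frame_ms += cycle_ms
        valid = frame is not None and frame_valid(frame)
        if frame is not None and not valid:
            self._fault()                 # invalid safety frame (check-value error)
        elif self.established and self.since_frame_ms > self.timeout_ms:
            self._fault()                 # no valid frame within TIMEOUT
        if valid:
            self.since_frame_ms = 0
            self.error = False            # communication (re)established
            if self.ack_req and rising:
                self.ack_req = False      # reintegration acknowledged (e.g. via F_QUITES)
            if not self.ack_req:
                self.rd_bo, self.subs_on, self.established = list(frame["data"]), False, True
        return Status(self.subs_on, self.error, self.ack_req, list(self.rd_bo))

    def _fault(self) -> None:
        self.error, self.subs_on, self.rd_bo = True, True, list(self.subbo)
        if self.established:
            self.ack_req = True           # acknowledgment needed once comms were already up
```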

Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
75DAH                  Error in the safety data format (error due to online modification
                       of the Safety Program or internal CPU fault)

8.3.3 F_SENDR

Function
This block safely sends 20 data items of the F_REAL data type to another CPU. It
can be received there by the F_RCVR block.
The data to be sent (e.g. outputs from other blocks) is stored at the inputs
SD_R_xx.
The data is transferred via safety frames.
If you want to temporarily switch off a data interchange that has been established
between two CPUs in order to reduce the load on the bus, you can assign the
value 0 to the input EN_SEND. In this case, no more data is sent to the recipient,
and the recipient outputs the configured substitute values. If communication
between the connection partners was already established, an acknowledgment is
required on the recipient's side before the values sent are output again when data
interchange is restarted with EN_SEND = 1.

Startup Characteristics
After a startup (cold restart or warm restart), communication must first be
established between the communication partners. The F_SENDR signals this at
the SUBS_ON parameter with "1". The recipient (F_RCVR) outputs substitute
values during this time until communication between F_SENDR and F_RCVR via
the safety frame has started up and any acknowledgment required for reintegration
at F_RCVR has been made.

I/Os

Inputs:

Name      Data Type  Explanation                                      Default
EN_SEND   BOOL       1 = switch transmission on
                     0 = switch transmission off
ID        WORD       ID addressing parameter                          0000
R_ID      DWORD      R_ID addressing parameter                        00000000
SD_R_00   F_REAL     Send date 00
...
SD_R_19   F_REAL     Send date 19
TIMEOUT   F_TIME     Monitoring time in ms for vital-sign monitoring  T#0 ms
CRC_IMP   DWORD      Address reference CRC                            Supplied automatically

Outputs:

Name      Data Type  Explanation                                      Default
ERROR     F_BOOL     Transmission error
SUBS_ON   F_BOOL     Recipient outputs substitute values
RETVAL    WORD       Error code                                       0000


TIMEOUT Parameter
It can only safely be guaranteed that a signal level to be transferred will be
detected on the sender side and transferred to the recipient if it is present for at
least as long as the specified monitoring time (TIMEOUT).
The input TIMEOUT cannot be interconnected and must be assigned a constant
value. See "Monitoring Safety-Related Communication Between CPUs".

Error Handling
If a connection partner (recipient) acknowledges receipt via an invalid safety frame
(e. g. due to a check value error (CRC) or watchdog error) or does not
acknowledge it within the TIMEOUT monitoring time, the outputs ERROR and
SUBS_ON are set. The recipient (F_RCVR) then outputs substitute values. An
error code is displayed at the output RETVAL. Communication between the
connection partners is reestablished.

Note
Once communication has been set up without errors, compliance with the assigned
monitoring time (TIMEOUT parameter) is checked.

In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
75DAH                  Error in the safety data format (error due to online modification
                       of the Safety Program or internal CPU fault)

8.3.4 F_RCVR

Function
This block safely receives 20 data items of the F_REAL data type sent by the
F_SENDR block from another CPU.
The received data comes to the outputs RD_R_xx for further processing by other
blocks.
The data is transferred via safety frames.

Startup Characteristics
After a startup (cold restart or warm restart), communication must first be
established between the communication partners. As long as the recipient does not
receive a safety frame from the sender, it sets the output SUBS_ON and outputs
the substitute values at the outputs RD_R_xx.
The substitute values can be applied at the inputs SUBR_xx.

I/Os

Inputs:

Name      Data Type   Explanation                                           Default
ID        WORD        ID addressing parameter                               0000
R_ID      DWORD       R_ID addressing parameter                             00000000
CRC_IMP   DWORD       Address reference CRC                                 Supplied automatically
TIMEOUT   F_TIME      Monitoring time in ms for vital-sign monitoring       T#0 ms
ACK_REI   F_BOOL      Acknowledgment for reintegration of process values    0
                      after transmission errors
SUBR_00   F_REAL      Substitute value for receipt data 00
...
SUBR_19   F_REAL      Substitute value for receipt data 19

Outputs:

Name      Data Type   Explanation                                           Default
ACK_REQ   BOOL        Acknowledgment for reintegration of process values    0
                      required
ERROR     F_BOOL      Transmission error                                    0
SUBS_ON   F_BOOL      Substitution values are output                        1
RD_R_00   F_REAL      Receipt data 00
...
RD_R_19   F_REAL      Receipt data 19
RETVAL    WORD        Error code                                            0000

TIMEOUT Parameter
The input TIMEOUT cannot be interconnected and must be assigned a constant
value. See "Monitoring Safety-Related Communication Between CPUs".

Error Handling
If a connection partner receives an invalid safety frame (e.g. due to a check value
error (CRC) or a watchdog error) or does not receive a valid safety frame within the
TIMEOUT monitoring time, the outputs ERROR and SUBS_ON are set and the
substitute values are output. An error code is displayed at the output RETVAL.

Note
Once communication has been set up without errors, compliance with the assigned
monitoring time (TIMEOUT parameter) is checked.

Communication between the connection partners is reestablished. The data
received with valid safety frames is not applied to the outputs (= reintegrated) until
the input ACK_REI has had a rising edge (e.g. via F_QUITES).
The block sets the output ACK_REQ to indicate that acknowledgment is required.
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.
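The receiver behaviour described above (substitute values at startup, check value and watchdog checks on every safety frame, TIMEOUT monitoring only once communication has been set up, and reintegration of fresh data only on a rising edge of ACK_REI) can be traced in a small model. The following Python is an added example, not Siemens code and not the PROFIsafe implementation: the frame layout (16-bit consecutive number, 20 single-precision values, CRC-32 over both), the RETVAL codes, the millisecond clock and the class and function names are assumptions made for the illustration.

```python
"""Model of a safety-related receiver in the style of F_RCVR (added example).

Assumptions (not from the manual): frame = consecutive number (16 bit) +
20 IEEE-754 single-precision values + CRC-32 over both; the RETVAL codes
are made-up placeholders; time is a plain millisecond counter.
"""
import struct
import zlib
from typing import List, Optional, Tuple

N_ITEMS = 20                                   # F_RCVR carries 20 F_REAL items
FRAME_LEN = 2 + 4 * N_ITEMS + 4
RET_OK, RET_CRC, RET_SEQ, RET_TIMEOUT = 0x0000, 0x0001, 0x0002, 0x0003   # hypothetical


def build_frame(seq: int, values: List[float]) -> bytes:
    """Sender side (F_SENDR role): consecutive number + payload + check value."""
    body = struct.pack(">H%df" % N_ITEMS, seq & 0xFFFF, *values)
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


class SafeReceiver:
    """Receiver state machine with TIMEOUT monitoring and acknowledged reintegration."""

    def __init__(self, timeout_ms: int, subs: List[float]):
        self.timeout_ms = timeout_ms
        self.subs = list(subs)            # SUBR_xx
        self.rd = list(subs)              # last data applied to RD_R_xx
        self.last_seq: Optional[int] = None
        self.last_valid_ms: Optional[int] = None   # None until communication is set up
        self.error = False                # ERROR
        self.subs_on = True               # SUBS_ON: substitutes until the first valid frame
        self.ack_req = False              # ACK_REQ
        self.retval = RET_OK              # RETVAL
        self.pending: Optional[List[float]] = None  # valid data held back until ACK_REI
        self.prev_ack = False             # for rising-edge detection on ACK_REI

    def _check(self, frame: bytes) -> Tuple[int, Optional[Tuple[int, List[float]]]]:
        if len(frame) != FRAME_LEN:
            return RET_CRC, None
        body, crc = frame[:-4], frame[-4:]
        if struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF) != crc:
            return RET_CRC, None                       # check value error
        seq = struct.unpack(">H", body[:2])[0]
        if self.last_seq is not None and seq != (self.last_seq + 1) & 0xFFFF:
            return RET_SEQ, None                       # repeated or lost frame: watchdog error
        return RET_OK, (seq, list(struct.unpack(">%df" % N_ITEMS, body[2:])))

    def _fault(self, code: int) -> None:
        self.error = self.subs_on = True
        self.ack_req, self.pending = False, None
        self.retval = code
        self.last_seq = None              # re-synchronise the consecutive number afterwards

    def cycle(self, now_ms: int, frame: Optional[bytes], ack_rei: bool) -> List[float]:
        """One block call; returns the values presented at RD_R_xx this cycle."""
        rising = ack_rei and not self.prev_ack
        self.prev_ack = ack_rei
        good = None
        if frame is not None:
            code, good = self._check(frame)
            if code != RET_OK:
                self._fault(code)
        # TIMEOUT is only enforced once communication has been set up without errors
        if good is None and self.last_valid_ms is not None \
                and now_ms - self.last_valid_ms > self.timeout_ms:
            self._fault(RET_TIMEOUT)
        if good is not None:
            self.last_seq, values = good
            self.last_valid_ms = now_ms
            if self.error:                # traffic is valid again: ask for acknowledgment
                self.pending, self.ack_req = values, True
            else:
                self.subs_on, self.rd = False, values
        if self.ack_req and rising:       # reintegration on the rising edge of ACK_REI
            self.error = self.ack_req = self.subs_on = False
            self.retval = RET_OK
            self.rd, self.pending = self.pending, None
        return list(self.subs) if self.subs_on else list(self.rd)
```

Two details of the model are worth noting. A cycle without a frame inside the monitoring time keeps the last valid data at the outputs; only an expired TIMEOUT, a bad check value or a wrong consecutive number switches to the substitute values. After a fault the consecutive number is re-synchronised, which is why a repeated frame is detected only once communication is running; the real blocks resolve this with the PROFIsafe mechanisms referenced in "Monitoring Safety-Related Communication Between CPUs".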

Error Information in Diagnostic Buffer

Error Code (W#16#...)   Description
75DAH                   Error in the safety data format (error due to online modification
                        of the Safety Program or internal CPU fault)

8.4 Blocks for Converting Data

Block       Description
F_BO_FBO    Convert from BOOL to F_BOOL
F_I_FI      Convert from INT to F_INT
F_R_FR      Convert from REAL to F_REAL
F_TI_FTI    Convert from TIME to F_TIME
F_FBO_BO    Convert from F_BOOL to BOOL
F_FI_I      Convert from F_INT to INT
F_FR_R      Convert from F_REAL to REAL
F_FR_FI     Convert from F_REAL to F_INT
F_FTI_TI    Convert from F_TIME to TIME
F_QUITES    Fail-safe acknowledgment via the ES/OS

Safety Note
Use F_LIM_R for plausibility checks of standard-to-F-data conversions
The F_BO_FBO, F_I_FI, F_TI_FTI and F_R_FR blocks only carry out data
conversion. This means you must program additional measures for plausibility
checks in the Safety Program, for example using F_LIM_R, to ensure that only
safe operation is possible.

Plausibility Checking
The simplest form of plausibility check is to specify a range with fixed upper and
lower limits, e.g. with the F_LIM_R block. Not all input parameters can be checked
for plausibility in such a simple way; input parameters that cannot be checked this
way cannot be modified during operation.
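The following Python is an added example, not Siemens code, showing why a conversion block alone is not a safety measure. It models an F value as a structure carrying the value plus a redundant complement that every consumer verifies (the real layout of the S7 F data types is not specified on this page and is assumed here), wraps a standard REAL without any check in the manner of F_R_FR, and then applies a fixed-range plausibility check in the manner of F_LIM_R. The helper names (`f_r_fr`, `f_value`, `limit_check`, `is_consistent`) and the outputs of the limiter are the example's own, not those of the library blocks.

```python
"""Standard-to-F conversion followed by a plausibility check (added example).

Assumptions: an F value is a structure {data, complement}; the complement is
the bitwise inverse of the IEEE-754 encoding of data and is verified by every
consumer. Function names are the example's own, not the F block names.
"""
import math
import struct
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class FReal:
    data: float
    complement: int         # ~bits(data), 32 bit


def _bits(value: float) -> int:
    """IEEE-754 single-precision encoding of a value (REAL = 32-bit float)."""
    try:
        return struct.unpack(">I", struct.pack(">f", value))[0]
    except OverflowError:   # beyond the REAL range: treat as +/-inf, which the limit check rejects
        return struct.unpack(">I", struct.pack(">f", math.copysign(math.inf, value)))[0]


def f_r_fr(value: float) -> FReal:
    """F_R_FR role: only converts. The value is taken as-is from the standard
    program, which is exactly why a plausibility check must follow."""
    return FReal(value, _bits(value) ^ 0xFFFFFFFF)


def is_consistent(f: FReal) -> bool:
    """Internal check that every F consumer performs on its inputs."""
    return (_bits(f.data) ^ 0xFFFFFFFF) == f.complement


def f_value(f: FReal) -> float:
    """Read an F value; an inconsistent structure is a safety-data-format error
    (the condition the manual reports as diagnostic code W#16#75DAH)."""
    if not is_consistent(f):
        raise ValueError("75DAH: error in the safety data format")
    return f.data


def limit_check(f: FReal, lo: float, hi: float, subs: float) -> Tuple[FReal, bool]:
    """Fixed-range plausibility check in the manner of F_LIM_R (outputs assumed).
    Returns (value to use, ok). Out-of-range, NaN or infinite inputs are replaced
    by the substitute value so that the safety logic never operates on them."""
    v = f_value(f)
    ok = math.isfinite(v) and lo <= v <= hi
    return (f if ok else f_r_fr(subs)), ok
```

The point of the model: `f_r_fr` will happily wrap 250.0 or NaN coming from a standard setpoint, and nothing downstream would notice until the limit check rejects it. The limits and the substitute value belong to the safety logic, not to the standard program that supplies the raw value.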


8.4.1 F_BO_FBO

Function
This block converts the BOOL data type into the corresponding F_BOOL F data
type. This enables signals formed in the standard program section to be further
processed in the safety program section following a plausibility check.

I/Os

Name   Data Type   Explanation       Default
Input:
IN     BOOL        Input variable
Output:
OUT    F_BOOL      Output variable

Error Handling
None


8.4.2 F_I_FI

Function
This block converts the INT data type into the corresponding F_INT F data type.
This enables signals formed in the standard program section to be processed
further in the safety program section following a plausibility check (to be added by
the user with F-block F_LIM_I, for example).

I/Os

Name   Data Type   Explanation       Default
Input:
IN     INT         Input variable
Output:
OUT    F_INT       Output variable

Error Handling
None


8.4.3 F_R_FR

Function
This block converts the REAL data type into the corresponding F_REAL F data
type. This enables signals formed in the standard program section to be further
processed in the safety program section following a plausibility check (to be added
in the Safety Program with F-block F_LIM_R, for example).

I/Os

Name   Data Type   Explanation       Default
Input:
IN     REAL        Input variable    0.0
Output:
OUT    F_REAL      Output variable   0.0

Error Handling
None.


8.4.4 F_TI_FTI

Function
This block converts the TIME data type into the corresponding F_TIME F data
type. This enables signals formed in the standard program section to be further
processed in the safety program section following a plausibility check (to be added
by the user with F-block F_LIM_TI, for example).

I/Os

Name   Data Type   Explanation       Default
Input:
IN     TIME        Input variable    T#0 ms
Output:
OUT    F_TIME      Output variable   T#0 ms

Error Handling
None


8.4.5 F_FBO_BO

Function
This block converts the F-data type F_BOOL into the standard data type BOOL,
since individual structure elements of the F-data type cannot be accessed
separately in the CFC chart. This enables signals formed in the Safety Program
section to be further processed in the standard program section.
This block must be placed in the standard program section.

I/Os

Name   Data Type   Explanation       Default
Input:
IN     F_BOOL      Input variable
Output:
OUT    BOOL        Output variable

Error Handling
None


8.4.6 F_FI_I

Function
This block converts the F-data type F_INT into the standard data type INT, since
individual structure elements of the F-data type cannot be accessed separately in
the CFC chart. This enables signals formed in the Safety Program section to be
further processed in the standard program section.
This block must be placed in the standard program section.

I/Os

Name   Data Type   Explanation       Default
Input:
IN     F_INT       Input variable
Output:
OUT    INT         Output variable

Error Handling
None


8.4.7 F_FR_R

Function
This block converts the F-data type F_REAL into the standard data type REAL,
since individual structure elements of the F-data type cannot be accessed
separately in the CFC chart. This enables signals formed in the Safety Program
section to be further processed in the standard program section.
This block must be placed in the standard program section.

I/Os

Name   Data Type   Explanation       Default
Input:
IN     F_REAL      Input variable    0.0
Output:
OUT    REAL        Output variable   0.0

Error Handling
None


8.4.8 F_FR_FI

Function
This block converts the F data type F_REAL into the F data type F_INT.
This enables signals formed within the safety program section to be converted
while maintaining the safety data format.

I/Os

Name   Data Type   Explanation       Default
Input:
IN     F_REAL      Input variable    0.0
Output:
OUT    F_INT       Output variable

Error Handling
None


8.4.9 F_FTI_TI

Function
This block converts the F-data type F_TIME into the standard data type TIME,
since individual structure elements of the F-data type cannot be accessed
separately in the CFC chart. This enables signals formed in the Safety Program
section to be further processed in the standard program section.
This block must be placed in the standard program section.

I/Os

Name   Data Type   Explanation       Default
Input:
IN     F_TIME      Input variable    T#0 ms
Output:
OUT    TIME        Output variable   T#0 ms

Error Handling
None


8.4.10 F_QUITES

Function
This block enables fail-safe acknowledgment from a non-fail-safe ES/OS. This
allows reintegration of F-I/Os to be controlled via the ES/OS, for example. An
acknowledgment comprises two steps:
1. Changing the input IN to the value 6
2. Changing the input IN from the value 6 to the value 9 within a minute
The block evaluates whether, after the input IN has changed to the value 6, a
change to the value 9 takes place no earlier than one second and no later than one
minute afterwards. The signal 1 is then output at the output OUT (output for
acknowledgment) for the duration of a single cycle.
If an invalid value is entered, or if the change to 9 does not take place within a
minute or takes place before a second has elapsed, the input IN is reset to 0 and
the two steps specified above have to be carried out again.
During the time in which the change from 6 to 9 must occur, the non-fail-safe
output Q is set to 1. As soon as the input IN has accepted the value 9, or if there
has not been a change within a minute, Q is reset to 0.

Note
Because the fail-safe output OUT is only set for one cycle, a separate F_QUITES
is required for each cyclic interrupt.
If there is only one block for different run-time groups in a cyclic interrupt, the
blocks F_S_BO and F_R_BO must be used for the exchange of data between the
run-time groups.

Safety Note
Reintegration through User Acknowledgement with F_QUITES
The non-safety-related input IN must not be interconnected with a signal or defined
by a signal that automatically produces the above mentioned condition (change
from 6 to 9 within a minute) for a fail-safe acknowledgment. The fail-safe
acknowledgment can only be produced by means of conscious, manual input on
the ES/OS, not automatically in the program.

Changing the Overall Signature of the Offline Safety Program
If the above two acknowledgment steps are entered directly via the ES in CFC test
mode rather than via the OS, the overall signature of the offline Safety Program
changes as a result of the acknowledgment. To avoid this, you must ensure that a
zero is entered after a 9 or an invalid value.
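The two-step acknowledgment can be written out as a small state machine that is driven once per cycle with the current value of IN and a millisecond clock. The following Python is an added example, not Siemens code: the class name `AckSequence`, the choice to leave IN at 9 after a successful acknowledgment (so that the ES operator must enter 0, as the note above says) and the handling of stray values while idle are assumptions; the 1 s / 1 min window, the one-cycle OUT and the meaning of Q follow the description above.

```python
"""Two-step fail-safe acknowledgment in the manner of F_QUITES (added example).

Step 1: IN becomes 6.  Step 2: IN changes 6 -> 9 no earlier than 1 s and no
later than 1 min afterwards.  OUT is 1 for exactly one cycle on success.  Q is
1 while the block waits for the 9.  Assumed: IN is left at 9 after success;
any other unexpected value is written back as 0.
"""
from typing import Optional, Tuple

MIN_DELAY_MS = 1_000
MAX_DELAY_MS = 60_000


class AckSequence:
    def __init__(self) -> None:
        self.t_armed: Optional[int] = None   # time at which IN became 6; None = idle

    def cycle(self, in_value: int, now_ms: int) -> Tuple[bool, bool, int]:
        """One call per cycle. Returns (OUT, Q, IN) where IN is the value the
        block writes back to its input (0 when the sequence is rejected)."""
        if self.t_armed is None:
            if in_value == 6:                      # step 1: arm and start the window
                self.t_armed = now_ms
                return False, True, 6
            # 0 is the idle value; 9 may remain from a completed acknowledgment
            return False, False, in_value if in_value in (0, 9) else 0
        elapsed = now_ms - self.t_armed
        if in_value == 6:
            if elapsed > MAX_DELAY_MS:             # no change within a minute: give up
                self.t_armed = None
                return False, False, 0
            return False, True, 6                  # still waiting, Q = 1
        self.t_armed = None                        # any change ends the window
        if in_value == 9 and MIN_DELAY_MS <= elapsed <= MAX_DELAY_MS:
            return True, False, 9                  # step 2 accepted: OUT for one cycle
        return False, False, 0                     # too early, or an invalid value
```

Because OUT lasts one cycle, a consumer in a different cyclic interrupt can miss it; that is why the note above requires a separate F_QUITES per cyclic interrupt. The safety note also follows directly from the code: any program logic that writes 6 and then 9 into IN after a second would pass this check, so IN must only ever be written by a human operator.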


Timing Diagram
[Figure: timing diagram. IN changes to 6 and then to 9 after a minimum of 1 s and a
maximum of 1 min; Q is 1 from the change to 6 until the change to 9 (at most 1 min);
OUT is 1 for one cycle after the valid change to 9. Arrows mark the possible times for
a signal change.]

I/Os

Name   Data Type   Explanation                      Default
Input:
IN     INT         Input variable from the ES
Outputs:
OUT    F_BOOL      Output for acknowledgment
Q      BOOL        Status of the time evaluation

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)   Description
75DAH                   Error in the safety data format (error due to online modification
                        of the Safety Program or internal CPU fault)

Operation and Monitoring


Parameters IN and Q have the system attribute S7_m_c. They can therefore be
directly operated and monitored from an operator interface system (OS).


8.5 F-System Blocks

Block     Description
F_S_BO    Fail-safe transmission of 10 data items of the data type F_BOOL to another F-run-time group
F_R_BO    Fail-safe receipt of 10 data items of the data type F_BOOL from another F-run-time group
F_S_R     Fail-safe transmission of 5 data items of the data type F_REAL to another F-run-time group
F_R_R     Fail-safe receipt of 5 data items of the data type F_REAL from another F-run-time group
F_START   Startup detection (cold restart or warm restart)

Integration in Block Types
With the exception of F_START, the system blocks must not be integrated in block
types.


8.5.1 F_S_BO

Function
This block safely transfers 10 data items of the data type F_BOOL to another
F-run-time group. It can be received there by the F_R_BO block.
The data to be sent (e.g. outputs from other blocks) is stored at the inputs
SD_BO_xx.
The output S_DB must be connected with the input of the same name in the
receiving block.

I/Os

Inputs:

Name       Data Type   Explanation     Default
SD_BO_00   F_BOOL      Send data 00
...
SD_BO_09   F_BOOL      Send data 09

Output:

Name   Data Type   Explanation                Default
S_DB   F_WORD      Separate instance DB no.

Error Handling
None


8.5.2 F_R_BO

Function
This block safely receives 10 data items of the data type F_BOOL sent from
another F-run-time group from the F_S_BO block.
The received data is stored at the outputs RD_BO_xx for further processing by
other blocks.
The input S_DB must be connected with the output of the same name of the
sending block.
The input TIMEOUT must be assigned a value for monitoring the safety-related
communication. If an updated frame is not received during this time, the system
function SFC F_CTRL is called. See "Monitoring Safety-Related Communication
Between F Run-Time Groups".

Startup Characteristics
In the first cycle after a cold or warm restart, the block outputs the substitute values
configured at the SUBBO_xx inputs. The output of the substitute values depends
on the configured execution times of the cyclic interrupts and occurs as long as the
value F_TRUE is at the output SUBS_ON, but only until the monitoring time
TIMEOUT elapses.

I/Os

Inputs:

Name       Data Type   Explanation                                        Default
TIMEOUT    F_TIME      Monitoring time in ms for vital-sign monitoring    T#0 ms
S_DB       F_WORD      Instance DB no. of the associated F_S_BO
SUBBO_00   F_BOOL      Substitute value for receipt data 00
...
SUBBO_09   F_BOOL      Substitute value for receipt data 09

Outputs:

Name       Data Type   Explanation                       Default
SUBS_ON    F_BOOL      Substitution values are output    0
RD_BO_00   F_BOOL      Receipt data 00
...
RD_BO_09   F_BOOL      Receipt data 09

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)   Description
75DAH                   Error in the safety data format of the input TIMEOUT (error
                        due to online modification of the Safety Program or internal
                        CPU fault)
75DCH                   Internal CPU fault

8.5.3 F_S_R

Function
This block safely transfers 5 data items of the data type F_REAL to another
F-run-time group. It can be received there by the F_R_R block.
The data to be sent (e.g. outputs from other blocks) is stored at the inputs
SD_R_xx.
The output S_DB must be connected with the input of the same name in the
receiving block.

I/Os

Inputs:

Name      Data Type   Explanation     Default
SD_R_00   F_REAL      Send data 00
...
SD_R_04   F_REAL      Send data 04

Output:

Name   Data Type   Explanation                Default
S_DB   F_WORD      Separate instance DB no.

Error Handling
None


8.5.4 F_R_R

Function
This block safely receives 5 data items of the data type F_REAL sent from another
F-run-time group from the F_S_R block.
The received data is available at the outputs RD_R_xx for further processing by
other blocks.
The input S_DB must be connected with the output of the same name of the
sending block.
The input TIMEOUT must be assigned a value for monitoring the safety-related
communication. If an updated frame is not received during this time, the system
function SFC F_CTRL is called. See "Monitoring Safety-Related Communication
Between F Run-Time Groups".

Startup Characteristics
In the first cycle after a cold or warm restart, the block outputs the substitute values
configured at the SUBR_xx inputs. The output of the substitute values depends on
the configured execution times of the cyclic interrupts and occurs as long as the
value F_TRUE is at the output SUBS_ON, but only until the monitoring time
TIMEOUT elapses.

I/Os

Inputs:

Name      Data Type   Explanation                                        Default
TIMEOUT   F_TIME      Monitoring time in ms for vital-sign monitoring    T#0 ms
S_DB      F_WORD      Instance DB no. of the associated F_S_R
SUBR_00   F_REAL      Substitute value for receipt data 00
...
SUBR_04   F_REAL      Substitute value for receipt data 04

Outputs:

Name      Data Type   Explanation                       Default
SUBS_ON   F_BOOL      Substitution values are output    0
RD_R_00   F_REAL      Receipt data 00
...
RD_R_04   F_REAL      Receipt data 04

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)   Description
75DAH                   Error in the safety data format of the input TIMEOUT (error
                        due to online modification of the Safety Program or internal
                        CPU fault)
75DCH                   Internal CPU fault

8.5.5 F_START

Function
In the first cycle of the cyclic interrupt cycle after a cold or warm restart, the block
indicates by means of a value of 1 at the output COLDSTRT that a startup (cold or
warm restart) has been carried out. COLDSTRT remains present until the next call
of F_START.
The F_START must be called before the evaluating blocks.

I/Os

Output:

Name       Data Type   Explanation                                         Default
COLDSTRT   F_BOOL      Startup identifier (cold restart or warm restart)

Error Handling
None


8.6 F Control Blocks
To ensure that a Safety Program is executable, the F control blocks are necessary
to check the program execution time. These F control blocks are automatically
inserted and interconnected at compilation of CFC charts.

Block       Description
F_CYC_CO    F cycle time monitoring
F_M_DI8     F module driver for 8-channel digital input
F_M_DI24    F module driver for 24-channel digital input
F_M_DO8     F module driver for 8-channel digital output
F_M_DO10    F module driver for 10-channel digital output
F_M_AI6     F module driver for 6-channel analog input
F_PLK       Program execution monitoring before output blocks
F_PLK_O     Program execution monitoring after output blocks
F_SHUTDN    Manage F-run-time group shutdown and restart in the event that shutdown errors occur
F_TEST      Self-test for commands not backed up by diversity
F_TESTC     Control block for the background self-test of the CPU
F_TESTM     Activate/deactivate safety mode
DB_RES      Support of the startup characteristics for cold restart/warm restart
DB_INIT     FC used to restart (cold start) one or more shut-down F-run-time groups
FAIL_MSG    FC used to report a shut-down F-run-time group
RTG_LOGIC   Logic used to interface between F_SHUTDN, DB_INIT, and the F-run-time groups

Integration in Block Types
The control blocks must not be integrated in block types.


8.6.1 F_CYC_CO

Function
This block monitors the cycle time of its priority class (cyclic interrupt OB 3x) and
provides a fail-safe time base for other F blocks.
At compilation, the block is inserted automatically into an F-run-time group named
@F_CycCo-OB3x, where x is 0 through 8 and corresponds to the cyclic interrupt
OB3x that contains F-blocks. This run-time group also contains the blocks F_TESTC
and F_TEST.
If the value of MAX_CYC is invalid, a new value will be requested at compile time.
See "Configuring the Monitoring Times for F/FH Systems".

Safety Note
PD_FLAG not to be interconnected
The invisible output PD_FLAG must not be interconnected.

I/Os

Inputs:

Name      Data Type   Explanation                                  Default
MAX_CYC   F_TIME      Maximum permissible F cycle time             T#0s
PD_OFF    F_BOOL      Power-down monitoring

Outputs:

Name      Data Type   Explanation                                  Default
PD_FLAG   F_BOOL      Power-off code
DIFF      F_DINT      Time difference since the last cycle in ms
CYC_SQ    F_INT       Sequence number
FAILED    BOOL        Failure of the OB indicator

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.


Error Information in Diagnostic Buffer

Error Code (W#16#...)   Description
75DAH                   Error in the safety data format of the input MAX_CYC or
                        the output DIFF (error due to online modification of the
                        Safety Program or internal CPU fault)
75E1H                   Power failure
75E1H                   Internal CPU fault
...
75E1H                   Maximum permissible F cycle time exceeded or internal
                        CPU fault
75E1H                   Internal CPU fault


8.6.2 F_M_DI8

Function
The F module driver reads the digital values and error information of an 8-channel,
fail-safe digital input module and makes the data available to the associated F
channel driver (F_CH_DI).
If there is a redundant module, the digital values of both modules are evaluated.
The F module driver is automatically inserted at the beginning of the run-time
group which also contains the associated F channel driver F_CH_DI. The I/Os of
the F module driver are automatically interconnected and supplied with values.
Of particular importance are the outputs DIAG_1 and DIAG_2, at which error
information is output.

I/Os

Inputs:

Name       Data Type   Explanation                                            Default
CRC_IMP1   WORD        CRC via implicit data SM1                              Supplied automatically
CRC_IMP2   WORD        CRC via implicit data SM2 (only when RED = 1)          Supplied automatically
DISC_ON    BOOL        Carry out discrepancy analysis                         Supplied automatically
DISCTIME   DINT        Discrepancy time in ms
TIMEOUT    F_DINT      Monitoring time in ms for vital-sign monitoring        Supplied automatically
SENS_RED   F_BOOL      1 = 1oo2 evaluation of the sensors                     Supplied automatically
RED        F_BOOL      Module redundancy                                      Supplied automatically
                       0: SM configured as non-redundant
                       1: SM configured as redundant
LADDR      INT         Logical address of the module (SM1)                    Supplied automatically
LADDR_R    INT         Address of the configured redundant SM2 module         Supplied automatically
                       (only when RED = 1)

Outputs:

Name         Data Type   Explanation                                              Default
CHADDR00     F_WORD      Interconnection with the F channel driver of channel 0   Interconnected automatically
...
CHADDR07     F_WORD      Interconnection with the F channel driver of channel 7   Interconnected automatically
DIAG_1       DWORD       Diagnostic information for SM1, see table below
DIAG_2       DWORD       Diagnostic information for SM2, see table below
PROFIsafe1   F_BOOL      Identifies a failure on a specific PROFIsafe bus
PROFIsafe2   F_BOOL      Identifies a failure on a specific PROFIsafe bus

SM1, SM2: redundant modules

Error Information at the Output DIAG_1/2

          DIAG_1                                         DIAG_2
Byte 0    Bit 0: TIMEOUT error on SM1                    Bit 0: TIMEOUT error on SM2
          Bit 1: Common error on SM1                     Bit 1: Common error on SM2
          Bit 2: CRC value/watchdog error on SM1         Bit 2: CRC value/watchdog error on SM2
          Bit 3: Reserved                                Bit 3: Reserved
          Bit 4: TIMEOUT error on CPU                    Bit 4: TIMEOUT error on CPU
          Bit 5: Watchdog error on CPU                   Bit 5: Watchdog error on CPU
          Bit 6: Check value error (CRC) on CPU          Bit 6: Check value error (CRC) on CPU
          Bit 7: Reserved                                Bit 7: Reserved
Byte 1    Bit 0: Discrepancy error on channel 0 of SM1   Bit 0: Discrepancy error on channel 0 of SM2
          ...                                            ...
          Bit 7: Discrepancy error on channel 7 of SM1   Bit 7: Discrepancy error on channel 7 of SM2
Byte 2    Reserved                                       Reserved
Byte 3    Reserved                                       Reserved

Note
In byte 0 of DIAG_1/2, the most recent error information remains stored until a new
error occurs, even if the error has already been eliminated.


Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)   Description
75DAH                   Error in the safety data format (error due to online modification
                        of the Safety Program or internal CPU fault)

8.6.3 F_M_DI24

Function
The F module driver reads the digital values and error information of a 24-channel,
fail-safe digital input module and makes the data available to the associated F
channel driver (F_CH_DI).
If there is a redundant module, the digital values of both modules are evaluated.
The F module driver is automatically inserted at the beginning of the run-time
group which also contains the associated F channel driver F_CH_DI. The I/Os of
the F module driver are automatically interconnected and supplied with values.
Of particular importance are the outputs DIAG_1 and DIAG_2, at which error
information is output.

I/Os

Inputs:

Name       Data Type   Explanation                                            Default
CRC_IMP1   WORD        CRC via implicit data SM1                              Supplied automatically
CRC_IMP2   WORD        CRC via implicit data SM2 (only when RED = 1)          Supplied automatically
DISC_ON    BOOL        Carry out discrepancy analysis                         Supplied automatically
DISCTIME   DINT        Discrepancy time in ms
TIMEOUT    F_DINT      Monitoring time in ms for vital-sign monitoring        Supplied automatically
SENS_RED   F_BOOL      1 = 1oo2 evaluation of the sensors                     Supplied automatically
RED        F_BOOL      Module redundancy                                      Supplied automatically
                       0: SM configured as non-redundant
                       1: SM configured as redundant
LADDR      INT         Logical address of the module (SM1)                    Supplied automatically
LADDR_R    INT         Address of the configured redundant SM2 module         Supplied automatically
                       (only when RED = 1)

Outputs:

Name         Data Type   Explanation                                               Default
CHADDR00     F_WORD      Interconnection with the F channel driver of channel 0    Interconnected automatically
...
CHADDR23     F_WORD      Interconnection with the F channel driver of channel 23   Interconnected automatically
DIAG_1       DWORD       Diagnostic information for SM1, see table below
DIAG_2       DWORD       Diagnostic information for SM2, see table below
PROFIsafe1   F_BOOL      Identifies a failure on a specific PROFIsafe bus
PROFIsafe2   F_BOOL      Identifies a failure on a specific PROFIsafe bus

SM1, SM2: redundant modules

Error Information at the Output DIAG_1/2

          DIAG_1                                          DIAG_2
Byte 0    Bit 0: TIMEOUT error on SM1                     Bit 0: TIMEOUT error on SM2
          Bit 1: Common error on SM1                      Bit 1: Common error on SM2
          Bit 2: CRC value/watchdog error on SM1          Bit 2: CRC value/watchdog error on SM2
          Bit 3: Reserved                                 Bit 3: Reserved
          Bit 4: TIMEOUT error on CPU                     Bit 4: TIMEOUT error on CPU
          Bit 5: Watchdog error on CPU                    Bit 5: Watchdog error on CPU
          Bit 6: Check value error (CRC) on CPU           Bit 6: Check value error (CRC) on CPU
          Bit 7: Reserved                                 Bit 7: Reserved
Byte 1    Bit 0: Discrepancy error on channel 0 of SM1    Bit 0: Discrepancy error on channel 0 of SM2
          ...                                             ...
          Bit 7: Discrepancy error on channel 7 of SM1    Bit 7: Discrepancy error on channel 7 of SM2
Byte 2    Bit 0: Discrepancy error on channel 8 of SM1    Bit 0: Discrepancy error on channel 8 of SM2
          ...                                             ...
          Bit 7: Discrepancy error on channel 15 of SM1   Bit 7: Discrepancy error on channel 15 of SM2
Byte 3    Bit 0: Discrepancy error on channel 16 of SM1   Bit 0: Discrepancy error on channel 16 of SM2
          ...                                             ...
          Bit 7: Discrepancy error on channel 23 of SM1   Bit 7: Discrepancy error on channel 23 of SM2

Note
In byte 0 of DIAG_1/2, the most recent error information remains stored until a new
error occurs, even if the error has already gone.

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)   Description
75DAH                   Error in the safety data format (error due to online modification
                        of the Safety Program or internal CPU fault)

8.6.4 F_M_DO8

Function
The F module driver reads the digital output values from the associated F channel
drivers (F_CH_DO) and writes them to an 8-channel, fail-safe digital output
module. In addition, it reads the error information of the module and makes the
data available to the associated F channel driver (F_CH_DO).
If there is a redundant module, the digital values are written to both modules.
The F module driver is automatically inserted at the end of the run-time group
which also contains the associated F channel driver F_CH_DO. The I/Os of the F
module driver are automatically interconnected and supplied with values.
Of particular importance are the outputs DIAG_1 and DIAG_2, at which error
information is output.

I/Os

Inputs:

Name       Data Type   Explanation                                              Default
CHADDR00   F_WORD      Interconnection with the F channel driver of channel 0   Interconnected automatically
...
CHADDR07   F_WORD      Interconnection with the F channel driver of channel 7   Interconnected automatically
CRC_IMP1   WORD        CRC via implicit data SM1                                Supplied automatically
CRC_IMP2   WORD        CRC via implicit data SM2 (only when RED = 1)            Supplied automatically
TIMEOUT    F_DINT      Monitoring time in ms for vital-sign monitoring          Supplied automatically
RED        F_BOOL      Module redundancy                                        Supplied automatically
                       0: SM configured as non-redundant
                       1: SM configured as redundant
LADDR      INT         Logical address of the module (SM1)                      Supplied automatically
LADDR_R    INT         Address of the configured redundant SM2 module           Supplied automatically
                       (only when RED = 1)

Outputs:

Name         Data Type   Explanation                                        Default
DIAG_1       DWORD       Diagnostic information for SM1, see table below
DIAG_2       DWORD       Diagnostic information for SM2, see table below
PROFIsafe1   F_BOOL      Identifies a failure on a specific PROFIsafe bus
PROFIsafe2   F_BOOL      Identifies a failure on a specific PROFIsafe bus

SM1, SM2: redundant modules

Error Information at the Output DIAG_1/2

          DIAG_1                                     DIAG_2
Byte 0    Bit 0: TIMEOUT error on SM1                Bit 0: TIMEOUT error on SM2
          Bit 1: Common error on SM1                 Bit 1: Common error on SM2
          Bit 2: CRC value/watchdog error on SM1     Bit 2: CRC value/watchdog error on SM2
          Bit 3: Reserved                            Bit 3: Reserved
          Bit 4: TIMEOUT error on CPU                Bit 4: TIMEOUT error on CPU
          Bit 5: Watchdog error on CPU               Bit 5: Watchdog error on CPU
          Bit 6: Check value error (CRC) on CPU      Bit 6: Check value error (CRC) on CPU
          Bit 7: Reserved                            Bit 7: Reserved
Byte 1    Reserved                                   Reserved
Byte 2    Reserved                                   Reserved
Byte 3    Reserved                                   Reserved

Note
In byte 0 of DIAG_1/2, the most recent error information remains stored until a new
error occurs, even if the error has already gone.

Error Handling
In the event of an error that is critical to safety, the system function SFC
F_CTRL is called. This records the event in the Diagnostic Buffer and requests
a switch to the reserve CPU if the error occurred only on the master CPU. For
non-redundant systems or a common-cause error occurring in both CPUs, the
shutdown logic can be configured to either disable the F-run-time group with
the error or the entire Safety Program.


Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
75DAH                  Error in the safety data format (error due to online modification
                       of the Safety Program or internal CPU fault)

8.6.5 F_M_DO10

Function
The F module driver reads the digital output values from the associated F channel
drivers (F_CH_DO) and writes them to a 10-channel, fail-safe digital output
module. In addition, it reads the error information of the module and makes the
data available to the associated F channel driver (F_CH_DO).
If there is a redundant module, the digital values are written to both modules.
The F module driver is automatically inserted at the end of the run-time group
which also contains the associated F channel driver F_CH_DO. The I/Os of the F
module driver are automatically interconnected and supplied with values.
The outputs DIAG_1 and DIAG_2, at which error information is output, are
important.

I/Os

Inputs:

Name      Data Type  Explanation                                              Default
CHADDR00  F_WORD     Interconnection with the F channel driver of channel 0   Interconnected automatically
...
CHADDR09  F_WORD     Interconnection with the F channel driver of channel 9   Interconnected automatically
CRC_IMP1  WORD       CRC via implicit data SM1                                Supplied automatically
CRC_IMP2  WORD       CRC via implicit data SM2 (only when RED = 1)            Supplied automatically
TIMEOUT   F_DINT     Monitoring time in ms for vital-sign monitoring          Supplied automatically
RED       F_BOOL     Module redundancy: 0 = SM configured as nonredundant,    Supplied automatically
                     1 = SM configured as redundant
LADDR     INT        Logical address of the module (SM1)                      Supplied automatically
LADDR_R   INT        Address of the configured redundant SM2 module           Supplied automatically
                     (only when RED = 1)


Outputs:

Name        Data Type  Explanation                                       Default
DIAG_1      DWORD      Diagnostic information for SM1, see table below
DIAG_2      DWORD      Diagnostic information for SM2, see table below
PROFIsafe1  F_BOOL     Identify failure on a specific PROFIsafe bus
PROFIsafe2  F_BOOL     Identify failure on a specific PROFIsafe bus

SM1, SM2: redundant modules

Error Information at the Outputs DIAG_1/2

        DIAG_1                                  DIAG_2
Byte 0  Bit 0: TIMEOUT error on SM1             Bit 0: TIMEOUT error on SM2
        Bit 1: Common error on SM1              Bit 1: Common error on SM2
        Bit 2: CRC value/watchdog error on SM1  Bit 2: CRC value/watchdog error on SM2
        Bit 3: Reserved                         Bit 3: Reserved
        Bit 4: TIMEOUT error on CPU             Bit 4: TIMEOUT error on CPU
        Bit 5: Watchdog error on CPU            Bit 5: Watchdog error on CPU
        Bit 6: Check value error (CRC) on CPU   Bit 6: Check value error (CRC) on CPU
        Bit 7: Reserved                         Bit 7: Reserved
Byte 1  Reserved                                Reserved
Byte 2  Reserved                                Reserved
Byte 3  Reserved                                Reserved

Note
In byte 0 of DIAG_1/2, the most recent error information remains stored until a new
error occurs, even if the error has already gone.

Error Handling
In the event of an error that is critical to safety, the system function SFC
F_CTRL is called. This records the event in the Diagnostic Buffer and requests
a switch to the reserve CPU if the error occurred only on the master CPU. For
non-redundant systems or a common-cause error occurring in both CPUs, the
shutdown logic can be configured to either disable the F-run-time group with
the error or the entire Safety Program.


Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
75DAH                  Error in the safety data format (error due to online modification
                       of the Safety Program or internal CPU fault)

8.6.6 F_M_AI6

Function
The F module driver reads the analog values (non-linearized values) and error
information of a 6-channel, fail-safe analog input module and makes the data
available to the associated F channel driver (F_CH_AI).
If there is a redundant module, the analog values of both modules are evaluated.
The F module driver is automatically inserted at the beginning of the run-time
group which also contains the associated F channel driver F_CH_AI. The I/Os of
the F module driver are automatically interconnected and supplied with values.
The outputs DIAG_1 and DIAG_2, at which error information is output, are
important.

I/Os

Inputs:

Name      Data Type  Explanation                                              Default
CRC_IMP1  WORD       CRC via implicit data SM1                                Supplied automatically
CRC_IMP2  WORD       CRC via implicit data SM2 (only when RED = 1)            Supplied automatically
TIMEOUT   F_DINT     Monitoring time in ms for vital-sign monitoring          Supplied automatically
MODE_00   F_WORD     Measurement range coding, channel 0                      Supplied automatically
...
MODE_05   F_WORD     Measurement range coding, channel 5                      Supplied automatically
RED       F_BOOL     Module redundancy: 0 = SM configured as nonredundant,    Supplied automatically
                     1 = SM configured as redundant
LADDR     INT        Logical address of the module (SM1)                      Supplied automatically
LADDR_R   INT        Address of the configured redundant SM2 module           Supplied automatically
                     (only when RED = 1)


Outputs:

Name        Data Type  Explanation                                              Default
CHADDR00    F_WORD     Interconnection with the F channel driver of channel 0   Interconnected automatically
...
CHADDR05    F_WORD     Interconnection with the F channel driver of channel 5   Interconnected automatically
DIAG_1      DWORD      Diagnostic information for SM1, see table below
DIAG_2      DWORD      Diagnostic information for SM2, see table below
PROFIsafe1  F_BOOL     Identify failure on a specific PROFIsafe bus
PROFIsafe2  F_BOOL     Identify failure on a specific PROFIsafe bus

SM1, SM2: redundant modules

Error Information at the Outputs DIAG_1/2

        DIAG_1                                  DIAG_2
Byte 0  Bit 0: TIMEOUT error on SM1             Bit 0: TIMEOUT error on SM2
        Bit 1: Common error on SM1              Bit 1: Common error on SM2
        Bit 2: CRC value/watchdog error on SM1  Bit 2: CRC value/watchdog error on SM2
        Bit 3: Reserved                         Bit 3: Reserved
        Bit 4: TIMEOUT error on CPU             Bit 4: TIMEOUT error on CPU
        Bit 5: Watchdog error on CPU            Bit 5: Watchdog error on CPU
        Bit 6: Check value error (CRC) on CPU   Bit 6: Check value error (CRC) on CPU
        Bit 7: Reserved                         Bit 7: Reserved
Byte 1  Reserved                                Reserved
Byte 2  Reserved                                Reserved
Byte 3  Reserved                                Reserved

Note
In byte 0 of DIAG_1/2, the most recent error information remains stored until a new
error occurs, even if the error has already gone.
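The byte 0 layout of DIAG_1/2 is the same for F_M_DO8, F_M_DO10 and F_M_AI6. The following is an added example, not Siemens code: it decodes the two DWORDs into named flags and combines them with the RED setting so that DIAG_2 is ignored when no redundant module exists. The summary strings and the module index argument are my own labels.

```python
# Byte 0 bit assignments taken from the DIAG_1/2 table above; bits 3 and 7
# and bytes 1 to 3 are reserved. {n} is the module index (1 or 2).
BYTE0_BITS = {
    0: "TIMEOUT error on SM{n}",
    1: "Common error on SM{n}",
    2: "CRC value/watchdog error on SM{n}",
    4: "TIMEOUT error on CPU",
    5: "Watchdog error on CPU",
    6: "Check value error (CRC) on CPU",
}
MODULE_BITS = (0, 1, 2)
CPU_BITS = (4, 5, 6)
RESERVED_BITS = (3, 7)


def decode_diag(diag, sm):
    """Decode one DIAG_n DWORD (sm = 1 for DIAG_1, sm = 2 for DIAG_2).

    Returns the error texts that are set, whether any module-side or
    CPU-side bit is set, and whether reserved bits or bytes are non-zero.
    Per the Note above, byte 0 keeps the most recent error until a new error
    occurs, so a set bit means "an error was recorded", not "the error is
    present right now".
    """
    if sm not in (1, 2):
        raise ValueError("sm must be 1 or 2")
    if not 0 <= diag <= 0xFFFFFFFF:
        raise ValueError("DIAG value must fit in a DWORD")
    byte0 = diag & 0xFF

    def bit_set(bit):
        return (byte0 >> bit) & 1 == 1

    return {
        "errors": [text.format(n=sm) for bit, text in BYTE0_BITS.items() if bit_set(bit)],
        "module_error": any(bit_set(b) for b in MODULE_BITS),
        "cpu_error": any(bit_set(b) for b in CPU_BITS),
        # Reserved bits and bytes should always read 0; anything else is
        # unexpected and worth logging when these outputs are monitored.
        "reserved_set": any(bit_set(b) for b in RESERVED_BITS) or (diag >> 8) != 0,
    }


def summarize(diag_1, diag_2, red):
    """Combine DIAG_1 and DIAG_2 the way an operator would read them.

    red mirrors the RED input: when it is 0 the SM2 module does not exist,
    so DIAG_2 must be ignored rather than interpreted.
    """
    d1 = decode_diag(diag_1, 1)
    d2 = decode_diag(diag_2, 2) if red else None
    if d1["cpu_error"] or (d2 is not None and d2["cpu_error"]):
        # CPU-side bits concern the controller itself, not the I/O module.
        return "cpu error recorded"
    if d2 is not None:
        if d1["module_error"] and d2["module_error"]:
            return "both modules in error"
        if d1["module_error"] or d2["module_error"]:
            return "one module in error, redundant partner available"
    elif d1["module_error"]:
        return "module in error"
    return "no error recorded"
```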

Error Handling
In the event of an error, the system function SFC F_CTRL is called.


Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
75DAH                  Error in the safety data format (error due to online modification
                       of the Safety Program or internal CPU fault)

8.6.7 F_PLK

Function
This block executes, among other things, logical program and data flow control
before the output blocks and provides a corresponding enable signal for this.
The block is inserted automatically into each F-run-time group before the output
blocks at compilation.
The block output FAILED is for internal use only.

I/Os

Outputs:

Name    Data Type  Explanation                          Default
FAILED  BOOL       F-run-time group failure indication

Error Handling
In the event of an error that is critical to safety, the system function SFC
F_CTRL is called. This records the event in the Diagnostic Buffer and requests
a switch to the reserve CPU if the error occurred only on the master CPU. For
non-redundant systems or a common-cause error occurring in both CPUs, the
shutdown logic can be configured to either disable the F-run-time group with
the error or the entire Safety Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
75DAH                  Internal CPU fault
75E1H                  Error during processing of F_CYC_CO
75E1H                  Error during processing of F_TEST
75E1H                  Error during processing of F_TESTC
75E1H                  Internal CPU fault
75E1H                  Error during program execution monitoring: error due to online
                       modification of the Safety Program or internal CPU fault

8.6.8 F_PLK_O

Function
This block executes, among other things, logical program and data flow control
after the output blocks and provides a corresponding enable signal for this.
The block is inserted automatically into each F-run-time group after the output
blocks at compilation.

I/Os
The block has no visible I/Os.

Error Handling
In the event of an error that is critical to safety, the system function SFC
F_CTRL is called. This records the event in the Diagnostic Buffer and requests
a switch to the reserve CPU if the error occurred only on the master CPU. For
non-redundant systems or a common-cause error occurring in both CPUs, the
shutdown logic can be configured to either disable the F-run-time group with
the error or the entire Safety Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
75E1H                  Internal CPU fault
75E1H                  Error during program execution monitoring: error due to online
                       modification of the Safety Program or internal CPU fault

8.6.9 F_SHUTDN

Function
The F_SHUTDN function block, which is a standard function block packaged in the
Failsafe Blocks library, provides new functionality to control and manage F-run-time
group shutdown and reinitialization.
The F_SHUTDN function block:

- is automatically placed by the compiler in a CFC named @F_ShutDn.
- interfaces to other blocks within the Safety Program.
- has two separate interfaces: the shutdown logic interface and the restart
  logic interface.
- is connected to the shutdown logic through the RTG_LOGIC blocks to F_PLK,
  F_PLK_O, F_TEST, F_TESTC, and F_CYC_CO.
- is connected to the restart logic through the RTG_LOGIC connected to the
  DB_INIT functions stored in @F_DbInit1.
- is placed in the slowest Organizational Block (OB3x) in a run-time group
  named @F_ShutDn.

Note
No other logic shall be permitted to be placed within the @F_ShutDn CFC.
Connections may only be made to specified inputs and outputs of the F_SHUTDN
function block (see the table of I/Os below). Any logic placed within the
@F_ShutDn CFC will automatically be deleted during the compile.

I/Os

Inputs:

Name      Data Type  Explanation                                                       Default
RESTART   BOOL       Used to restart any F-run-time group that is shut down. A rising  0
                     edge triggers the reinitialization process, which may take
                     several seconds to complete. This input may be connected to
                     external logic.
FAILURE   BOOL       Logical OR of all F-run-time group shutdown requests (FAILED
                     output of F_PLK, F_TEST, F_TESTC, and F_CYC_CO). This input
                     cannot be connected to external logic.
SHUTDOWN  BOOL       Defines the response to a detected FAILURE (rising edge): either  Full (1)
                     Partial (isolated F-run-time groups shut down) or Full (entire
                     Safety Program shut down).
RQ_FULL   BOOL       Manual request for entire Safety Program shutdown. A rising edge  0
                     forces a full shutdown. The user may connect external logic to
                     this input.
ALARM_EN  BOOL       Alarm messaging enabled; allows messages to be reported to the    1
                     HMI (WinCC). The messages (incoming and outgoing) reported are
                     Full Shutdown, Partial Shutdown, Restart of Shutdown Logic, and
                     Safety Mode (enabled or disabled).

Outputs:

Name       Data Type  Explanation                                                      Default
F_PRG_SIG  DWORD      Safety Program overall signature (created during compile only,
                      not updated online)
FULL_SD    BOOL       Entire Safety Program shut down when TRUE. Latched output,
                      resettable through the RESTART input.
EN_INIT    BOOL       Required for Safety Program initialization logic. Immediately
                      following the RESTART request, EN_INIT remains TRUE while the
                      function block initialization logic executes.
SAFE_M     BOOL       Indication of the current system mode of operation:             0
                      1 = Safety Mode, 0 = Test Mode. This output may be connected
                      to external logic.
MSG_ERR    BOOL       Return of the SFB 34 ALARM_8 ERROR output.
MSG_STAT   WORD       Return of the SFB 34 ALARM_8 STATUS output.                     W#16#0000
MSG_ACK    WORD       Return of the SFB 34 ALARM_8 ACK output.                        W#16#0000
NFY_DONE   BOOL       Return of the SFB 31 NOTIFY_8P DONE output.                     0
NFY_ERR    BOOL       Return of the SFB 31 NOTIFY_8P ERROR output.                    0
NFY_STAT   WORD       Return of the SFB 31 NOTIFY_8P STAT output.                     W#16#0000

Partial Shutdown Configuration

When SHUTDOWN = Partial, the F-run-time groups that have a detected failure
will automatically become disabled, without affecting other fault-free
F-run-time groups. For each F-run-time group with a detected failure, a
diagnostic buffer event will be reported indicating that a failure was
detected.

Full Shutdown Configuration

When SHUTDOWN = Full, the shutdown logic will respond to the first detected
F-run-time group failure. All F-run-time groups will become disabled under
this condition. A diagnostic buffer event will be reported indicating that the
entire Safety Program was disabled.

Safety Note: F_SHUTDN in slowest configured OB

This note pertains to users who utilize the Full shutdown. Please note that
the F_SHUTDN will be configured in the slowest running OB3x that contains an
F-run-time group. If OB35 and OB34 were configured with F Blocks, the
F_SHUTDN would be placed in OB34 since it is the slower of the two (by default
OB34 is 200 ms and OB35 is 100 ms). The consequence of this is that a shutdown
for the faster F-run-time group may not occur until the next scan of the
slowest configured OB, in this example OB34.
The F-run-time group that encounters the detected fault will be shut down,
regardless of the SHUTDOWN value.

Request Safety Program Shutdown


Under certain circumstances, the user may wish to manually request a complete
shutdown. This can be accomplished by providing a rising edge to the RQ_FULL
input. It will force FULL_SD output to be TRUE, which will disable the entire Safety
Program. When this request is detected and the Safety Program is forced to
shutdown, a diagnostic buffer event will be reported. The FULL_SD output is
latched and is only resettable through an entire system cold/warm start or through
the RESTART input.

Restart Safety Program

The restart is triggered when a rising edge is detected on the RESTART input.
Restart may only be triggered if there are disabled F-run-time groups.
Otherwise, the restart is ignored. When the restart is initiated, the EN_INIT
output triggers a series of DB_INIT functions that coldstart-initialize only
those F Function Blocks within disabled F-run-time groups. During Safety
Program coldstart initialization, the disabled F-run-time groups will remain
disabled. The DB_INIT functions may take several seconds to complete. Upon
completion, the disabled F-run-time groups will become re-enabled and, if
FULL_SD was TRUE indicating a Safety Program shutdown, this output will be set
to FALSE.

Note
After restarting the Safety Program, reintegration of your I/O may be necessary
through the use of the F_QUITES function block.

Note
If all Safety Programs are deleted except for the shutdown logic @F_ShutDn, the
@F_ShutDn will not be removed. This must be removed manually.

Alarm and Notify Messages

The F_SHUTDN function block generates Alarm Messages and Notify Messages
captured by an HMI (using WinCC) when a state transition occurs within the
shutdown logic. However, these messages are only reported if the F_SHUTDN
function block's ALARM_EN input is TRUE. The state transitions are as follows:

- Full Shutdown Incoming (Alarm Message): the F_SHUTDN block entered the Full
  Shutdown state, either through a manual request of a full shutdown or an
  F-Block tripped diagnostic.
- Full Shutdown Outgoing (Alarm Message): the F_SHUTDN block exited the Full
  Shutdown state because of a user-requested restart.
- Partial Shutdown Incoming (Alarm Message): if the F_SHUTDN function block is
  configured with RQ_FULL set to FALSE, the first detected shutdown F-run-time
  group will be alarmed as a FAILURE. While there remain shutdown F-run-time
  groups, subsequent failures of this F-run-time group will not be alarmed.
- Partial Shutdown Outgoing (Alarm Message): the F_SHUTDN block restarted the
  shutdown F-run-time groups.
- Restart Incoming (Notify Message): the user requested a restart of the
  F_SHUTDN function block while it was in a full or partial shutdown state.
- Restart Outgoing (Notify Message): the shutdown logic completed the restart
  sequence.
- Safety Mode Incoming (Notify Message): Safety Mode has been enabled (Test
  Mode exited).
- Safety Mode Outgoing (Notify Message): Safety Mode has been disabled (Test
  Mode entered).

The F_SHUTDN function block calls SFB 34 ALARM_8 to report the Alarm Messages
and SFB 31 NOTIFY_8P to report the Notify Messages. When an Alarm Message is
reported, the MSG_XXX outputs return the status of the ALARM_8 SFB call. To
obtain help on the ALARM_8 error outputs, open the Blocks folder of your
F-Project, select the ALARM_8 block and press F1.
Similarly, when a Notify Message is reported, the NFY_XXX outputs return the
status of the NOTIFY_8P SFB call. To obtain help on the NOTIFY_8P error
outputs, open the Blocks folder of your F-Project, select the NOTIFY_8P block
and press F1.

Error Handling
Diagnostic events will be posted to the CPU Diagnostic Buffer when the transition
to a different shutdown logic state occurs: Partial shutdown, Full shutdown,
Restart, or Safety Mode Activated or Deactivated.
If the F_SHUTDN function block is configured with RQ_FULL set to FALSE (Partial
Shutdown), each detected shutdown F-run-time group will be reported as a
FAILURE. Those F-run-time groups that are shutdown may be restarted by
providing a rising edge to the RESTART input, which will also trigger an event to
be reported in the Diagnostic Buffer indicating a restart has been requested. If the
RQ_FULL is TRUE and a FAILURE is detected, the Safety Program will be
disabled through the FULL_SD output and this will also trigger an event indicating
a full system shutdown.

Startup Characteristics
The F_SHUTDN function block is intended to be available upon startup with the
entire Safety Program enabled.

Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
72DDH & 73DDH          Safety Mode activated/deactivated.
75DDH & 74DDH          Partial Safety Program shutdown state entered (one or more
                       F-run-time groups are shut down but SHUTDOWN is configured as
                       Partial). The FAIL_MSG block (contained within the RTG_LOGIC
                       block) reports this event. The DB# of the RTG_LOGIC block is
                       included as extra information in this diagnostic event, which
                       lets you quickly identify the shut-down F-run-time group: once
                       you have identified the RTG_LOGIC block that reported the
                       event, follow the connection from the FAILED input of the
                       RTG_LOGIC block to the F_PLK, F_CYC_CO, F_TEST, or F_TESTC
                       FAILED outputs.
75DEH & 74DEH          Full Safety Program shutdown state entered (one or more
                       F-run-time groups shut down and the configured response of
                       SHUTDOWN was Full).
75DFH & 74DFH          RESTART rising edge detected while in a Partial or Full
                       shutdown.
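The shutdown, restart and message behaviour of F_SHUTDN described in this section, as a scan-by-scan simulation (added example, not Siemens code). The group names, the init_cycles scan count standing in for the "several seconds" of DB_INIT, and the detail strings attached to the diagnostic events are assumptions; the error codes are the ones listed in the table above.

```python
from dataclasses import dataclass, field

FULL, PARTIAL = 1, 0   # values of the SHUTDOWN input; Full (1) is the page's default


@dataclass
class ShutdownLogic:
    """One instance of the shutdown/restart logic, stepped once per scan of
    the slowest OB3x that holds an F-run-time group."""
    groups: frozenset                      # names of all F-run-time groups (assumed labels)
    shutdown: int = FULL                   # SHUTDOWN input
    alarm_en: bool = True                  # ALARM_EN input
    init_cycles: int = 2                   # assumed length of the DB_INIT sequence, in scans
    disabled: set = field(default_factory=set)
    full_sd: bool = False                  # FULL_SD output (latched)
    en_init: bool = False                  # EN_INIT output
    messages: list = field(default_factory=list)      # ALARM_8 / NOTIFY_8P texts
    diag_buffer: list = field(default_factory=list)   # (error code, detail) events
    _init_left: int = 0
    _prev: dict = field(default_factory=lambda: {"restart": False, "rq_full": False})

    def _rising(self, name, value):
        """Edge detection for the edge-triggered inputs RESTART and RQ_FULL."""
        edge = bool(value) and not self._prev[name]
        self._prev[name] = bool(value)
        return edge

    def _message(self, text):
        # Messages reach the HMI only while ALARM_EN is TRUE.
        if self.alarm_en:
            self.messages.append(text)

    def _enter_full(self, reason):
        if not self.full_sd:
            self.full_sd = True
            self.diag_buffer.append(("75DEH", reason))
            self._message("Full Shutdown Incoming")
        self.disabled = set(self.groups)

    def _finish_restart(self):
        self.en_init = False
        was_full = self.full_sd
        self.disabled.clear()
        self.full_sd = False      # the latch is also cleared by a CPU cold/warm start
        self._message("Full Shutdown Outgoing" if was_full else "Partial Shutdown Outgoing")
        self._message("Restart Outgoing")

    def cycle(self, failed=frozenset(), restart=False, rq_full=False):
        """Run one scan. `failed` holds the groups whose FAILED output is TRUE
        (their OR is the FAILURE input); restart and rq_full are the level
        inputs. Returns (FULL_SD, EN_INIT, disabled groups)."""
        # 1. A restart started earlier keeps EN_INIT TRUE until DB_INIT
        #    completes; the disabled groups stay disabled meanwhile.
        if self.en_init:
            self._init_left -= 1
            if self._init_left == 0:
                self._finish_restart()
        # 2. New failures. The faulted group is always shut down; SHUTDOWN only
        #    decides whether the rest of the Safety Program follows.
        new_faults = set(failed) - self.disabled
        if self._rising("rq_full", rq_full):
            self._enter_full("RQ_FULL rising edge: manual full shutdown")
        elif new_faults and self.shutdown == FULL:
            self._enter_full("FAILURE from " + ", ".join(sorted(new_faults)))
        elif new_faults:
            first = not self.disabled
            for g in sorted(new_faults):
                self.disabled.add(g)
                # FAIL_MSG in the group's RTG_LOGIC block reports this with the
                # DB# of that block; the group name stands in for the DB# here.
                self.diag_buffer.append(("75DDH", "RTG_LOGIC of " + g + " reported FAILED"))
            if first:
                self._message("Partial Shutdown Incoming")
        # 3. RESTART is honoured only while something is disabled.
        if self._rising("restart", restart) and self.disabled and not self.en_init:
            self.diag_buffer.append(("75DFH", "RESTART rising edge"))
            self._message("Restart Incoming")
            self.en_init = True
            self._init_left = self.init_cycles
        return self.full_sd, self.en_init, frozenset(self.disabled)
```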

8.6.10 F_TEST

Function
This block executes a command test.
At compilation, the block is inserted automatically into an F-run-time group
named @F_CycCo-OB3x, where x is 0 through 8 and corresponds to the OB3x
containing F-Blocks; this run-time group also contains the blocks F_CYC_CO and
F_TESTC.

Note
For a project based on Fail-safe Blocks (V1_1), the user must follow the
manual procedure for creating a CFC chart with the F_CYC_CO function block. A
run-time group must also be created and the user must place the F_CYC_CO
function block within this new run-time group.
For a project based on Fail-safe Blocks (V1_2) or higher, the manual procedure
has been eliminated. The user is no longer allowed to manually place the
F_CYC_CO function block; it is now a system function.

I/Os
The inputs and outputs will not be explained here since this is logic that the system
automatically generates.

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the F-run-time group with the error or the entire
Safety Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
75E1H                  Internal CPU fault

8.6.11 F_TESTC

Function
This block checks whether the background self-tests of the CPU have been
carried out fully and without errors and that this did not take place more
than 24 hours ago. The tests must not be switched off by SFC 90.
At compilation, the block is inserted automatically into an F-run-time group
named @F_CycCo-OB3x, where x is 0 through 8 and corresponds to the OB3x
containing F-Blocks; this run-time group also contains the blocks F_CYC_CO and
F_TEST.

I/Os
The inputs and outputs will not be explained here since this is logic that the system
automatically generates.

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the F-run-time group with the error or the entire
Safety Program.

Error Information in Diagnostic Buffer

Error Code (W#16#...)  Description
75DAH                  Error in the safety data format of the input F_CNT_W (error due
                       to online modification of the Safety Program or internal CPU
                       fault)
75E1H                  Errors at CPU self-tests or error due to online modification of
                       the Safety Program or internal CPU fault
75E1H                  ...

8.6.12 F_TESTM

Function
This block is for activating/deactivating safety mode.
At compilation, the block is inserted automatically into an F-run-time group
named @F_TestMode.

I/Os
The block has no visible I/Os.

Error Handling
None

Operation and Monitoring

The invisible TEST parameter has the system attribute S7_m_c. It can therefore
be monitored directly from an operator interface system (OS). You can thus see
on your display whether safety mode is active or inactive:

0: Safety mode active
1: Safety mode inactive

Report Characteristics
When safety mode is activated/deactivated, the block issues the message "PLC
not in safety mode" to the OS using SFB 33 (ALARM).
The messages can be switched off via the (invisible) input EN_MSG = 0
(MSG_STAT output parameter remains unchanged) if a suitable report system is
not available.
The ALARM block is called if message suppression is not activated. ALARM error
information (messages cannot be issued) is displayed in the (invisible) MSG_STAT
output parameter.
Error information of the MSG_STAT output parameter is described in detail in the
online help system for SFB 33 (ALARM).
General message text: Safety program is not in safety mode
Message class: process message with acknowledgment

8.6.13 DB_RES

Function
This block supports the startup characteristics in the event of a cold restart/warm
restart of the CPU.
The block is inserted automatically at compilation.

I/Os
The block has no visible I/Os.

8.6.14 DB_INIT

Function
The DB_INIT function, which is a standard function packaged in the Failsafe
Blocks library, provides new functionality to initialize F-run-time groups at the
direction of the F_SHUTDN function block.
The DB_INIT function block is automatically placed by the compiler in a CFC chart
named @F_DbInit. Connections between the DB_INIT function and the shutdown
logic are also created automatically.

Note
No other logic shall be permitted to be placed within the @F_DbInit CFC.
Connections may not be made to any inputs or outputs of these blocks. Any logic
placed within the @F_DbInit CFC will automatically be deleted during the
compile.

I/Os
The inputs and outputs will not be explained here since this is logic that the system
automatically generates.

8.6.15 FAIL_MSG

Function
This block is used by the RTG_LOGIC block type.
The block is inserted automatically at compilation.

I/Os
The inputs and outputs will not be explained here since this is logic that the system
automatically generates.

8.6.16 RTG_LOGIC

Function
The RTG_LOGIC function block, which is a standard function packaged in the
Failsafe Blocks library, provides new functionality to interface the F-run-time groups
and the shutdown logic.
The RTG_LOGIC function block is automatically placed by the compiler in a CFC
chart named @F_ShutDn.

Note
No other logic shall be permitted to be placed within the @F_ShutDn CFC.
Connections may not be made to any inputs or outputs of these blocks. Any logic
placed within the @F_ShutDn CFC will automatically be deleted during the
compile.

I/Os
The inputs and outputs will not be explained here since this is logic that the system
automatically generates.

8.6.17 SFC F_CTRL
SFC F_CTRL is a System Function Call in the CPU that is called in the event an
internal diagnostic determines there is a failure of the hardware or a diagnostic
used to determine timeouts is tripped. SFC F_CTRL is called from function blocks
that have diagnostics for such conditions. These include, but are not limited to, the
function blocks F_M_DO10, F_M_DO8, F_M_DI8, F_M_DI24, F_M_AI6, F_PLK,
F_PLK_O, etc. SFC F_CTRL has two purposes.
1. To report a diagnostic failure to the diagnostic buffer for users to observe as
the cause of failure
2. In an S7 F/H system, to force a switchover if the fault is detected in the master
only
As you can see from the two purposes above, SFC F_CTRL is used for diagnostic
purposes and for availability by forcing the CPU with the detected failure to
become the reserve CPU.
SFC F_CTRL is not responsible for any switchover actions in an S7 F (single
CPU), in a redundant S7 F/H in which the fault occurs on both CPUs (common
cause), or in the case of the detected failure in the reserve CPU in a redundant S7
F/H system.
The shutdown logic located in the @F_ShutDn chart is responsible for disabling
the F-run-time group with the detected failure.

8.7 Logic Blocks with the BOOL Data Type

Block    Description
F_AND4   AND logic operation on four inputs
F_OR4    OR logic operation on four inputs
F_XOR2   XOR logic operation on two inputs
F_NOT    NOT logic operation
F_2OUT3  Binary selection 2 out of 3
F_XOUTY  Binary selection X out of Y

8.7.1 F_AND4

Function
This block links the inputs by means of AND. The output OUT is 1 if all the inputs
are 1. Otherwise, the output is 0. The output OUTN corresponds to the negating
output OUT.

Truth Table

IN1  IN2  IN3  IN4  OUT  OUTN
0    0    0    0    0    1
0    0    0    1    0    1
0    0    1    0    0    1
0    0    1    1    0    1
0    1    0    0    0    1
0    1    0    1    0    1
0    1    1    0    0    1
0    1    1    1    0    1
1    0    0    0    0    1
1    0    0    1    0    1
1    0    1    0    0    1
1    0    1    1    0    1
1    1    0    0    0    1
1    1    0    1    0    1
1    1    1    0    0    1
1    1    1    1    1    0

I/Os

Name  Data Type  Explanation      Default
Inputs:
IN1   F_BOOL     Input 1
IN2   F_BOOL     Input 2
IN3   F_BOOL     Input 3
IN4   F_BOOL     Input 4
Output:
OUT   F_BOOL     Output
OUTN  F_BOOL     Negating output

Error Handling
None

8.7.2 F_OR4

Function
This block links the inputs by means of OR. The output OUT is 1 if at least
one input is 1. If all inputs are 0, the output is 0. The output OUTN
corresponds to the negating output OUT.

Truth Table

IN1  IN2  IN3  IN4  OUT  OUTN
0    0    0    0    0    1
0    0    0    1    1    0
0    0    1    0    1    0
0    0    1    1    1    0
0    1    0    0    1    0
0    1    0    1    1    0
0    1    1    0    1    0
0    1    1    1    1    0
1    0    0    0    1    0
1    0    0    1    1    0
1    0    1    0    1    0
1    0    1    1    1    0
1    1    0    0    1    0
1    1    0    1    1    0
1    1    1    0    1    0
1    1    1    1    1    0

I/Os

Name  Data Type  Explanation      Default
Inputs:
IN1   F_BOOL     Input 1
IN2   F_BOOL     Input 2
IN3   F_BOOL     Input 3
IN4   F_BOOL     Input 4
Output:
OUT   F_BOOL     Output
OUTN  F_BOOL     Negating output

Error Handling
None

8.7.3 F_XOR2

Function
This block links the inputs by means of XOR (exclusive OR). The output OUT is 1 if
exactly one input is 1. The output OUTN corresponds to the negating output OUT.

Truth Table

IN1  IN2  OUT  OUTN
0    0    0    1
0    1    1    0
1    0    1    0
1    1    0    1

I/Os

Name  Data Type  Explanation      Default
Inputs:
IN1   F_BOOL     Input 1
IN2   F_BOOL     Input 2
Output:
OUT   F_BOOL     Output
OUTN  F_BOOL     Negating output

Error Handling
None

8.7.4 F_NOT

Function
The block inverts the input.

Truth Table

IN  OUT
0   1
1   0

I/Os

Name  Data Type  Explanation  Default
Input:
IN    F_BOOL     Input
Output:
OUT   F_BOOL     Output

Error Handling
None

8.7.5 F_2OUT3

Function
This block monitors three binary inputs for signal state 1. The output OUT is 1 if at
least two inputs are 1. Otherwise, the output is 0. The output OUTN corresponds to
the negating output OUT.

Truth Table

IN1  IN2  IN3  OUT  OUTN
0    0    0    0    1
0    0    1    0    1
0    1    0    0    1
0    1    1    1    0
1    0    0    0    1
1    0    1    1    0
1    1    0    1    0
1    1    1    1    0

I/Os

Name  Data Type  Explanation      Default
Inputs:
IN1   F_BOOL     Input 1
IN2   F_BOOL     Input 2
IN3   F_BOOL     Input 3
Output:
OUT   F_BOOL     Output
OUTN  F_BOOL     Negating output

Error Handling
None

8.7.6 F_XOUTY

Function
The block monitors up to 16 binary inputs for signal state 1. The input signals are
monitored starting with the input IN1 up to and including the input INY for signal
state 1. The number of binary inputs to be monitored can be set with the Y
parameter. The output OUT is 1 if at least X inputs are 1. Otherwise, the output is
0. The output OUTN corresponds to the negating output OUT.
The binary inputs must be occupied continuously starting with IN1. When X>Y,
X<=0, X>16, Y<=0, the output OUT is 0. When Y>16, the output OUT behaves in
the same way as when Y=16.
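The X-out-of-Y rules above, including the parameter limits, as a plain function (added example, not Siemens code). It also covers F_2OUT3 as the fixed case X = 2, Y = 3 and adds a check for the "occupied continuously starting with IN1" wiring rule; the function names are mine.

```python
MAX_INPUTS = 16


def f_xouty(inputs, x, y):
    """Return (OUT, OUTN) for the F_XOUTY rules.

    inputs: the values of IN1, IN2, ... in order; inputs not listed are
    treated as 0, like unconnected block inputs.
    """
    if len(inputs) > MAX_INPUTS:
        raise ValueError("F_XOUTY has only 16 binary inputs")
    ins = [bool(v) for v in inputs] + [False] * (MAX_INPUTS - len(inputs))
    # Parameter rules from the page: X > Y, X <= 0, X > 16 or Y <= 0 force OUT = 0.
    if x > y or x <= 0 or x > MAX_INPUTS or y <= 0:
        return False, True
    # Y > 16 behaves like Y = 16: only IN1..IN16 exist.
    monitored = ins[:min(y, MAX_INPUTS)]
    out = sum(monitored) >= x
    return out, not out


def f_2out3(in1, in2, in3):
    """F_2OUT3 is the fixed case X = 2, Y = 3."""
    return f_xouty([in1, in2, in3], 2, 3)


def inputs_contiguous(connected):
    """Wiring check for the rule that inputs must be occupied continuously
    from IN1: connected[i] says whether IN(i+1) is interconnected."""
    gap_seen = False
    for is_connected in connected:
        if not is_connected:
            gap_seen = True
        elif gap_seen:
            return False
    return True
```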

I/Os

Name  Data Type  Explanation                                    Default
Inputs:
IN1   F_BOOL     Input 1
IN2   F_BOOL     Input 2
IN3   F_BOOL     Input 3
...
IN16  F_BOOL     Input 16
X     F_INT      Minimum number of inputs with 1: 0 < X <= 16
Y     F_INT      Number of inputs to be monitored: 0 < Y <= 16
Output:
OUT   F_BOOL     Output
OUTN  F_BOOL     Negating output

Error Handling
In the event of an error that is critical to safety, the system function SFC
F_CTRL is called. This records the event in the Diagnostic Buffer and requests
a switch to the reserve CPU if the error occurred only on the master CPU. For
non-redundant systems or a common-cause error occurring in both CPUs, the
shutdown logic can be configured to either disable the F-run-time group with
the error or the entire Safety Program.

Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75DAH                   Error in the safety data format of the inputs IN1 to IN6, X or Y
                        (Error due to online modification of the Safety Program or
                        internal CPU fault)


8.8 Comparison Blocks for Two Input Values of the Same Type

Block       Description
F_LIM_HL    Monitoring for upper limit violation of a REAL value
F_LIM_LL    Monitoring for lower limit violation of a REAL value
F_2oo3_R    Selects median of 3 REAL values
F_1oo2_R    Selects between 2 REAL values based on diagnostics

8.8.1 F_LIM_HL

Function
This block monitors the input variable U for violation of the upper limit (U_HL). A
hysteresis can also be specified to avoid fluttering of the output QH in the event of
fluctuations of the input value.

U >= U_HL: the upper limit is violated, the output QH = 1.

(U_HL - HYS) <= U < U_HL: QH remains unchanged in this range.

U < (U_HL - HYS): U has fallen below the upper limit minus the hysteresis, the
output QH = 0.

The limit and hysteresis are also available as non-fail-safe data at the outputs
U_HL_O and HYS_O for further processing in the standard program. The
hysteresis can be used to avoid fluttering of QH if the input value U fluctuates
around the limit value U_HL.
If any of the input variables U, U_HL or HYS contains an invalid REAL number, the
Substitute Input (SUBS_IN) is passed directly to the output (QH).
If an invalid REAL number is generated during the calculations involving U, U_HL
and HYS, the output QH = 1.
The output QHN corresponds to the negating output QH.

Note
The non-fail-safe outputs can be made available to the standard program without a
conversion block.


I/Os
Name      Data Type   Explanation                Default
Inputs:
U         F_REAL      Input variable             0.0
U_HL      F_REAL      Upper limit                100.0
HYS       F_REAL      Hysteresis                 0.0
SUBS_IN   F_BOOL      Substitute Input
Outputs:
QH        F_BOOL      1: Upper limit violation
QHN       F_BOOL      Negating output QH
U_HL_O    REAL        Upper limit                100.0
HYS_O     REAL        Hysteresis

Note
If, when you create the program, you preset the QH output in CFC with the initial
value 1, it will remain set after startup (cold restart or warm restart) if (U_HL - HYS) <= U
< U_HL.
It is only reset if U < (U_HL - HYS).
Note that the initial values of the output parameters do not appear in the printout of
the CFC chart. They must be checked in the printout of the safety program.

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75D9H                   Invalid REAL number generated during the calculations involving U, U_HL,
                        HYS and SUBS_IN
75DAH                   Error in the safety data format of the inputs U, U_HL, HYS
                        (Error due to online modification of the Safety Program or internal CPU
                        fault)


8.8.2 F_LIM_LL

Function
This block monitors the input variable U for violation of the lower limit (U_LL). A
hysteresis can also be specified to avoid fluttering of the output QL in the event of
fluctuations in the input value.

U <= U_LL: the lower limit is violated, the output QL = 1.

U_LL < U <= (U_LL + HYS): QL remains unchanged in this range.

U > (U_LL + HYS): U has risen above the lower limit plus the hysteresis, the
output QL = 0.

The limit and hysteresis are also available as non-fail-safe data at the outputs
U_LL_O and HYS_O for further processing in the standard program. The
hysteresis can be used to avoid fluttering of QL if the input value U fluctuates
around the limit value U_LL.
If any of the input variables U, U_LL or HYS contains an invalid REAL number, the
Substitute Input (SUBS_IN) is passed directly to the output (QL).
If an invalid REAL number is generated during the calculations involving U, U_LL
and HYS, the output QL = 1.
The output QLN corresponds to the negating output QL.
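The hysteresis band, the substitute-input path for invalid REAL inputs, and the "QH/QL = 1 if the calculation itself produces an invalid REAL" rule, as one added Python model that serves both F_LIM_HL and F_LIM_LL. This is not Siemens code; it keeps the previous cycle's output in an object so the "remains unchanged" band behaves as described, and it treats NaN and infinity as the invalid REAL numbers (an assumption about what the block rejects). The CFC preset of the output described in the Notes is modelled by the q start value.

```python
# Added example (not Siemens code): model of F_LIM_HL (upper=True) and
# F_LIM_LL (upper=False) including hysteresis and invalid-REAL handling.
import math
from dataclasses import dataclass


def is_invalid_real(v: float) -> bool:
    """Assumption: NaN and +/-infinity are the 'invalid REAL numbers'."""
    return math.isnan(v) or math.isinf(v)


@dataclass
class LimitMonitor:
    upper: bool = True   # True: F_LIM_HL, False: F_LIM_LL
    q: bool = False      # previous QH/QL; a CFC preset of 1 starts here

    def cycle(self, u: float, limit: float, hys: float, subs_in: bool) -> dict:
        """One block call; returns QH/QL, its negation and the *_O outputs."""
        # Any invalid REAL at the inputs: SUBS_IN goes straight to the output.
        if any(is_invalid_real(v) for v in (u, limit, hys)):
            self.q = bool(subs_in)
            return self._result(limit, hys)
        # The threshold calculation itself may overflow (Python doubles do so
        # at ~1.8e308); the block then forces QH/QL = 1 and logs 75D9H.
        threshold = limit - hys if self.upper else limit + hys
        if is_invalid_real(threshold):
            self.q = True
            return self._result(limit, hys)
        if self.upper:
            if u >= limit:          # upper limit violated
                self.q = True
            elif u < threshold:     # below limit minus hysteresis
                self.q = False
            # threshold <= u < limit: output keeps its previous value
        else:
            if u <= limit:          # lower limit violated
                self.q = True
            elif u > threshold:     # above limit plus hysteresis
                self.q = False
            # limit < u <= threshold: output keeps its previous value
        return self._result(limit, hys)

    def _result(self, limit: float, hys: float) -> dict:
        name = "QH" if self.upper else "QL"
        limit_name = "U_HL_O" if self.upper else "U_LL_O"
        return {name: self.q, name + "N": not self.q,
                limit_name: limit, "HYS_O": hys}
```

The model makes the safety-relevant asymmetry visible: an invalid input does not choose a safe value for you, it hands control to whatever SUBS_IN is wired to, so SUBS_IN has to be chosen so that the failure direction is the safe one for the loop.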

Note
The non-fail-safe outputs can be made available to the standard program without a
conversion block.

I/Os
Name      Data Type   Explanation                Default
Inputs:
U         F_REAL      Input variable             0.0
U_LL      F_REAL      Lower limit                100.0
HYS       F_REAL      Hysteresis                 0.0
SUBS_IN   F_BOOL      Substitute Input
Outputs:
QL        F_BOOL      1: Lower limit violated
QLN       F_BOOL      Negating output QL
U_LL_O    REAL        Upper limit                100.0
HYS_O     REAL        Hysteresis


Note
If, when you create the program, you preset the QL output in CFC with the initial
value 1, it will remain set after startup (cold restart or warm restart) if U_LL < U
<= (U_LL + HYS).
It is only reset if U > (U_LL + HYS).
Note that the initial values of output parameters do not appear in the printout of the
CFC chart. They must be checked in the printout of the safety program.

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75D9H                   Invalid REAL number at the inputs U, U_LL, HYS (DATA component) or
                        generated during the calculations involving U, U_LL, HYS and SUBS_IN
75DAH                   Error in the safety data format of the inputs U, U_LL, HYS
                        (Error due to online modification of the Safety Program or internal CPU
                        fault)


8.8.3 F_2oo3_R

Function
This block selects the median value from three inputs and places the result at the
output. The QBAD output is set if two or more of the three QBAD inputs are set.

Note
This function block is supplied as a block type. This adds one restriction to the
usage of this block: It may not be placed within another block type.

Note
The OUT output is always the median value of the inputs. Inputs with bad quality
(QBADx=TRUE) are not masked from the selection calculation. The OUT
calculation is NOT directly affected by QBAD.

I/Os
Name      Data Type   Explanation              Default
Inputs:
IN1       F_REAL      Input variable 1         0.0
IN2       F_REAL      Input variable 2         0.0
IN3       F_REAL      Input variable 3         0.0
QBAD1     F_BOOL      IN1 invalid
QBAD2     F_BOOL      IN2 invalid
QBAD3     F_BOOL      IN3 invalid
DELTA     REAL        Allowable difference     0.0
Outputs:
OUT       F_REAL      Median value             0.0
QBAD      BOOL        Invalid median value
DIS1      BOOL        IN1 DELTA Discrepancy
DIS2      BOOL        IN2 DELTA Discrepancy
DIS3      BOOL        IN3 DELTA Discrepancy

The block employs a two-out-of-three selection scheme and is often used to detect
the failure of sensors and input processing subsystems. Typical use of this block
would have the V and QBAD outputs of three F_CH_AI blocks connected to the
F_2oo3_R's respective IN and QBAD inputs.
At least two of the three inputs must have their QBAD input clear for the QBAD
output to be clear.
The DIS outputs indicate a discrepancy between the respective input and the
selected median, judged against the DELTA input (the difference between IN and
OUT is greater than DELTA).


Interaction with Channel Drivers
For proper operation of the F_2oo3_R block when the three analog inputs are
provided by F_CH_AI channel drivers, it is important to coordinate the
configuration parameters of the channel drivers and the F_2oo3_R block. The key
is to determine a typical, expected operating value for the values feeding the
F_2oo3_R block and to set all three channel drivers' SUBS_V inputs to a value that
is greater than the expected value by more than the F_2oo3_R block's DELTA input.
The channel drivers' SUBS_ON input must be set to 1 to enable outputting the
SUBS_V value when a channel fault is detected.
If one channel driver detects a failure, that F_CH_AI block will provide the
F_2oo3_R block with both the process value bad indicator (QBAD) and the
substitute value (SUBS_V). The F_2oo3_R block would set the corresponding DIS
output (since the substitute value differs from the F_2oo3_R block's current analog
output by more than DELTA) and select one of the other two analog inputs as the
F_2oo3_R block's analog output.
If two or more channel drivers detect a failure (output their SUBS_V value and set
their QBAD to 1), the F_2oo3_R block's QBAD output will be 1, indicating that the
selected analog output V is no longer valid.
Therefore, a configuration using the F_CH_AI and F_2oo3_R blocks would have
the following connections:

- The V outputs of the three F_CH_AI connected to the three IN inputs of the
  F_2oo3_R
- The QBAD outputs of the three F_CH_AI connected to the three QBAD inputs
  of the F_2oo3_R
- The SUBS_ON inputs of the three F_CH_AI blocks set to 1
- The F_2oo3_R block's DELTA input set to the largest acceptable difference
  from the expected value
- The SUBS_V inputs of the three F_CH_AI blocks set larger than the F_2oo3_R
  block's DELTA input
- The F_2oo3_R block's QBAD output connected to program logic to annunciate
  2oo3 failure
- The F_2oo3_R block's three DIS outputs connected to program logic to
  annunciate a sensor failure

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.


Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
0x75D9                  Invalid REAL number
0x75DA                  Error in the safety data format (error due to online modification of the
                        Safety Program or internal CPU fault)

8.8.4 F_1oo2_R

Function
This block selects its output from one of two inputs based on the QBAD inputs.
IN1 will be output unless QBAD1 is set, which selects IN2 as the output. The
QBAD output will be set if both QBAD inputs are set.

Note
This function block is supplied as a block type. This adds one restriction to the
usage of this block: It may not be placed within another block type.

I/Os
Name      Data Type   Explanation              Default
Inputs:
IN1       F_REAL      Input variable 1         0.0
IN2       F_REAL      Input variable 2         0.0
QBAD1     F_BOOL      IN1 invalid
QBAD2     F_BOOL      IN2 invalid
DELTA     REAL        Allowable difference     0.0
Outputs:
OUT       F_REAL      Selected value           0.0
QBAD      BOOL        Invalid selected value
DIS1      BOOL        IN1 DELTA Discrepancy
DIS2      BOOL        IN2 DELTA Discrepancy

The block employs a one-out-of-two selection scheme and is often used to detect
the failure of sensors and input processing subsystems. Typical use of this block
would have the V and QBAD outputs of two F_CH_AI blocks connected to the
F_1oo2_R's respective IN and QBAD inputs.
At least one of the two inputs must have its QBAD input clear for the QBAD output
to be clear.
The DIS outputs indicate a discrepancy between the respective input and the
selected output, judged against the DELTA input (the difference between IN and
OUT is greater than DELTA).


Interaction with Channel Drivers
For proper operation of the F_1oo2_R block when the two analog inputs are
provided by F_CH_AI channel drivers, it is important to coordinate the
configuration parameters of the channel drivers and the F_1oo2_R block. The key
is to determine a typical, expected operating value for the values feeding the
F_1oo2_R block and to set both channel drivers' SUBS_V inputs to a value that is
greater than the expected value by more than the F_1oo2_R block's DELTA input.
The channel drivers' SUBS_ON input must be set to 1 to enable outputting the
SUBS_V value when a channel fault is detected.
If one channel driver detects a failure, that F_CH_AI block will provide the
F_1oo2_R block with both the process value bad indicator (QBAD) and the
substitute value (SUBS_V). The F_1oo2_R block would set the corresponding DIS
output (since the substitute value differs from the F_1oo2_R block's current analog
output by more than DELTA). If the failed channel driver is connected to the first
F_1oo2_R input (IN1, QBAD1), the F_1oo2_R block will select the other analog
input (IN2) as its analog output.
If both channel drivers detect a failure (output their SUBS_V value and set their
QBAD to 1), the F_1oo2_R block's QBAD output will be 1, indicating that the
selected analog output V is no longer valid.
Therefore, a configuration using the F_CH_AI and F_1oo2_R blocks would have
the following connections:

- The V outputs of the two F_CH_AI connected to the two IN inputs of the
  F_1oo2_R
- The QBAD outputs of the two F_CH_AI connected to the two QBAD inputs of
  the F_1oo2_R
- The SUBS_ON inputs of the two F_CH_AI blocks set to 1
- The F_1oo2_R block's DELTA input set to the largest acceptable difference
  from the expected value
- The SUBS_V inputs of the two F_CH_AI blocks set larger than the F_1oo2_R
  block's DELTA input
- The F_1oo2_R block's QBAD output connected to program logic to annunciate
  1oo2 failure
- The F_1oo2_R block's two DIS outputs connected to program logic to
  annunciate a sensor failure
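The F_2oo3_R and F_1oo2_R selection logic together with the channel-driver coordination described in both "Interaction with Channel Drivers" sections, as one added Python model. This is not Siemens code: the Channel class is a deliberately minimal stand-in for the F_CH_AI outputs V and QBAD that the text refers to (SUBS_ON, SUBS_V and a fault flag only), and the constructed readings are sample values, not measured data. The example also shows what the text warns about implicitly: with SUBS_V set inside the DELTA band, a single channel fault is no longer visible on the DIS outputs.

```python
# Added example (not Siemens code): F_2oo3_R / F_1oo2_R fed by a reduced
# model of F_CH_AI channel drivers.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Channel:
    """Stand-in for an F_CH_AI output pair (V, QBAD); not the real block."""
    subs_v: float          # substitute value output while the channel is faulty
    subs_on: bool = True   # must be 1 for SUBS_V to replace the process value

    def read(self, raw: float, fault: bool) -> Tuple[float, bool]:
        if fault and self.subs_on:
            return self.subs_v, True       # (V = SUBS_V, QBAD = 1)
        return raw, fault


def median3(a: float, b: float, c: float) -> float:
    return sorted((a, b, c))[1]


def f_2oo3_r(ins: List[float], qbads: List[bool], delta: float) -> dict:
    """OUT is always the median (bad inputs are not masked); QBAD needs >= 2 bad."""
    out = median3(*ins)
    return {"OUT": out,
            "QBAD": sum(1 for q in qbads if q) >= 2,
            "DIS": [abs(v - out) > delta for v in ins]}


def f_1oo2_r(ins: List[float], qbads: List[bool], delta: float) -> dict:
    """IN1 is selected unless QBAD1 is set, which selects IN2."""
    out = ins[1] if qbads[0] else ins[0]
    return {"OUT": out,
            "QBAD": bool(qbads[0] and qbads[1]),
            "DIS": [abs(v - out) > delta for v in ins]}


def vote_2oo3(raws: List[float], faults: List[bool], subs_v: float, delta: float) -> dict:
    """Three channel drivers, all configured with the same SUBS_V, into F_2oo3_R."""
    chans = [Channel(subs_v=subs_v) for _ in raws]
    reads = [ch.read(r, f) for ch, r, f in zip(chans, raws, faults)]
    return f_2oo3_r([v for v, _ in reads], [q for _, q in reads], delta)


# Constructed sample configuration: expected value 50.0, DELTA 2.0, so SUBS_V
# is set to 54.0 (more than DELTA above the expected value, as recommended).
EXPECTED, DELTA, SUBS_V_GOOD, SUBS_V_BAD = 50.0, 2.0, 54.0, 50.0
```

The three cases of interest: no fault gives OUT near the expected value with all DIS clear; one fault puts SUBS_V outside the DELTA band, so that channel's DIS rises while the median still comes from a healthy channel and QBAD stays clear; two faults make the median itself a substitute value and QBAD goes to 1. With SUBS_V_BAD the same single fault produces no DIS at all.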

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.


Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
0x75D9                  Invalid REAL number
0x75DA                  Error in the safety data format (error due to online modification of the
                        Safety Program or internal CPU fault)

8.9 Flip-Flop Blocks

Block      Description
F_RS_FF    RS flipflop, resetting dominant
F_SR_FF    SR flipflop, setting dominant

8.9.1 F_RS_FF

Function
The block executes the function of an RS flipflop (resetting dominant).
The RS flipflop is reset if the signal state at the input R = 1 and at the input S =
0. The flipflop is set if the input R = 0 and the input S = 1. If the result of the logic
operation is 1 at both inputs, the flipflop is reset.

Truth Table: R, QN, QNn, Qn-1, QNn-1

I/Os
Name      Data Type   Explanation        Default
Inputs:
R         F_BOOL      Reset
S         F_BOOL      Set
Outputs:
Q         F_BOOL      Output
QN        F_BOOL      Negating output


Note
If, when you create the program, you preset the Q output in CFC with the initial
value 1, it will remain set after startup (cold restart or warm restart) until the signal
state at the R input changes to 1.
Note that the initial values of output parameters do not appear in the printout of the
CFC chart. They must be checked in the printout of the safety program.

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75DAH                   Error in the safety data format of inputs S and R (error due to
                        online modification of the Safety Program or internal CPU fault)


8.9.2 F_SR_FF

Function
The block executes the function of an SR flipflop (setting dominant).
The SR flipflop is set if the signal state at the input R = 0 and at the input S = 1.
The flipflop is reset if the input R = 1 and the input S = 0. If the result of the logic
operation is 1 at both inputs, the flipflop is set.

Truth Table: R, QN, QNn, Qn-1, QNn-1

I/Os
Name      Data Type   Explanation        Default
Inputs:
R         F_BOOL      Reset
S         F_BOOL      Set
Outputs:
Q         F_BOOL      Output
QN        F_BOOL      Negating output

Note
If, when you create the program, you preset the Q output in CFC with the initial
value 1, it will remain set after startup (cold restart or warm restart) until the signal
state at the R input changes to 1 (at input S = 0).
Note that the initial values of output parameters do not appear in the printout of the
CFC chart. They must be checked in the printout of the safety program.
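F_RS_FF and F_SR_FF as cycle-by-cycle state machines, an added Python example that is not Siemens code. It covers the one input combination where the two blocks differ (R = S = 1), the hold case (R = S = 0, where Qn = Qn-1) and the CFC preset of Q described in the Notes above, modelled here as the q_preset start value.

```python
# Added example (not Siemens code): reset-dominant (F_RS_FF) and
# set-dominant (F_SR_FF) flip-flops.
from typing import List, Tuple


class FailSafeFlipFlop:
    def __init__(self, set_dominant: bool, q_preset: bool = False):
        self.set_dominant = set_dominant   # False: F_RS_FF, True: F_SR_FF
        self.q = q_preset                  # CFC initial value of output Q

    def cycle(self, r: bool, s: bool) -> Tuple[bool, bool]:
        """Apply R and S for one cycle and return (Q, QN)."""
        if r and s:
            self.q = self.set_dominant     # both 1: reset (RS) or set (SR)
        elif r:
            self.q = False                 # R = 1, S = 0: reset
        elif s:
            self.q = True                  # R = 0, S = 1: set
        # R = S = 0: Q keeps its previous value (Qn = Qn-1)
        return self.q, not self.q


def q_trace(ff: FailSafeFlipFlop, sequence: List[Tuple[bool, bool]]) -> List[bool]:
    """Run a sequence of (R, S) pairs and return the Q value after each."""
    return [ff.cycle(r, s)[0] for r, s in sequence]


# Constructed input sequence: hold, set, hold, both, hold, reset, hold.
SEQUENCE = [(False, False), (False, True), (False, False), (True, True),
            (False, False), (True, False), (False, False)]
```

Run on the same sequence, the two flip-flops diverge only from the R = S = 1 cycle onward; the preset case shows that a Q preset to 1 survives cycles with R = 0 and is cleared by the first cycle with R = 1.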

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.


Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75DAH                   Error in the safety data format of inputs S and R (error due to
                        online modification of the Safety Program or internal CPU fault)

8.10 IEC Pulse and Counter Blocks

Block     Description
F_CTUD    Up and down counter
F_TP      Timer pulse
F_TON     Timer on-delay
F_TOF     Timer off-delay

8.10.1 F_CTUD

Function
This block is an edge-controlled up/down counter.
The CV count value responds to rising edges of the inputs CU and CD as well as
to the level of the inputs LOAD and R:

- CU: CV is increased by 1. If the count value reaches the upper limit (32,767), it
  is not increased any further.
- CD: CV is decreased by 1. If the count value reaches the lower limit (-32,768),
  it is not decreased any further.
- LOAD = 1: CV is preset with the value of the input PV. The values at the inputs
  CU and CD are ignored.
- R = 1: CV is reset to 0. The values at the inputs CU, CD and LOAD are ignored.

If in one cycle there is a rising edge at both the input CU and the input CD, the
counter keeps its current value.
The QU output is set if the count value is greater than or equal to the preset value
PV. The output QD is set if the count value is less than or equal to zero.

Startup Characteristics
In the first cycle after a cold or warm restart or in the case of a first call, the counter
is reset.
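The counter rules above (edge detection on CU and CD, clamping at the INT limits, R dominating LOAD and LOAD dominating CU/CD, both edges in one cycle holding the value, and the first-call reset) as an added Python model. This is not Siemens code. One point the manual leaves open is whether a CU or CD level of 1 seen in the very first cycle counts as an edge; this model assumes it does not, and only records it as the previous state.

```python
# Added example (not Siemens code): model of the F_CTUD up/down counter.
from typing import Dict

INT_MAX = 32767     # upper limit from the text
INT_MIN = -32768    # lower limit from the text


class FCtud:
    def __init__(self) -> None:
        self.cv = 0
        self.prev_cu = False
        self.prev_cd = False
        self.first_call = True

    def cycle(self, cu: bool, cd: bool, r: bool, load: bool, pv: int) -> Dict[str, object]:
        """One block call; returns CV, QU and QD."""
        if self.first_call:
            # Startup characteristics: the counter is reset in the first cycle.
            # Assumption: input levels in that cycle only seed the edge memory.
            self.first_call = False
            self.cv = 0
            self.prev_cu, self.prev_cd = cu, cd
            return self._out(pv)
        rise_cu = cu and not self.prev_cu
        rise_cd = cd and not self.prev_cd
        self.prev_cu, self.prev_cd = cu, cd
        if r:
            self.cv = 0                              # R dominates over LOAD
        elif load:
            self.cv = pv                             # LOAD dominates over CU and CD
        elif rise_cu and rise_cd:
            pass                                     # both edges: keep current value
        elif rise_cu:
            self.cv = min(self.cv + 1, INT_MAX)      # saturate at the upper limit
        elif rise_cd:
            self.cv = max(self.cv - 1, INT_MIN)      # saturate at the lower limit
        return self._out(pv)

    def _out(self, pv: int) -> Dict[str, object]:
        return {"CV": self.cv, "QU": self.cv >= pv, "QD": self.cv <= 0}
```

Because counting is edge-triggered, holding CU at 1 for many cycles adds exactly one, which is what makes the block safe against a stuck-at-1 input inflating the count.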


I/Os
Name      Data Type   Explanation                                      Default
Inputs:
CU        F_BOOL      Up-counting input
CD        F_BOOL      Down-counting input
R         F_BOOL      Reset input (R dominates over LOAD)              0
LOAD      F_BOOL      Load input (LOAD dominates over CU and CD)
PV        F_INT       Preset value
Outputs:
QU        F_BOOL      Status of the up counter; QU has the value
                      1 if CV >= PV, 0 otherwise
QD        F_BOOL      Status of the down counter; QD has the value
                      1 if CV <= 0, 0 otherwise
CV        F_INT       Current count value

Note
If, when you create the program, you preset the CV output in CFC with an initial
value of < 0 or > 0, the counter is incremented or decremented as of this value.
Note that the initial values of output parameters do not appear in the printout of the
CFC chart. They must be checked in the printout of the safety program.

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75DAH                   Error in the safety data format of the input CU, CD, R, LOAD
                        or PV (error due to online modification of the Safety Program
                        or internal CPU fault)

8.10.2 F_TP

Function
The block generates a pulse with the duration PT at the output Q.
The pulse is started by a rising edge at the input IN. The output Q remains set for
the duration PT, irrespective of the subsequent pattern of the input signal.
The output ET indicates how long the output Q has already been set. The
maximum value it can adopt is that of the input PT. It is reset if the input IN
changes to 0, but not before the time PT has elapsed.
If PT < 0, the outputs Q and ET are reset.

Timing Diagram (figure): signals IN, Q and ET against the pulse duration PT

Startup Characteristics
In the first cycle after a cold or warm restart or in the case of a first call, the timer is
reset.

I/Os
Name      Data Type   Explanation              Default
Inputs:
IN        F_BOOL      Start input
PT        F_TIME      Duration of the pulse    T#0 ms
Outputs:
Q         F_BOOL      Pulse output
ET        F_TIME      Elapsed time             T#0 ms

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75DAH                   Error in the safety data format of the inputs PT and IN and the
                        output ET (error due to online modification of the Safety Program
                        or internal CPU fault)

See Also
Fail-Safe User Times


8.10.3 F_TON

Function
The block delays a rising edge by the time PT.
A rising edge at the input IN results in a rising edge at the output Q after the time
PT has elapsed. Q remains set until the input IN changes to 0.
If the input IN changes to 0 before PT has elapsed, Q remains at 0.
The output ET indicates the time that has elapsed since the last rising edge at the
input IN, but only up to the value of the input PT. ET is reset if the input IN changes
to 0.
If PT < 0, the outputs Q and ET are reset.

Timing Diagram (figure): signals IN, Q and ET against the delay PT

Startup Characteristics
In the first cycle after a cold or warm restart or in the case of a first call, the timer is
reset.

I/Os
Name      Data Type   Explanation              Default
Inputs:
IN        F_BOOL      Start input
PT        F_TIME      Length of the delay      T#0 ms
Outputs:
Q         F_BOOL      Pulse output
ET        F_TIME      Elapsed time             T#0 ms

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75DAH                   Error in the safety data format of the inputs PT and IN and the
                        output ET (error due to online modification of the Safety
                        Program or internal CPU fault)

See Also
Fail-Safe User Times


8.10.4 F_TOF

Function
The block delays a falling edge by the time PT.
A rising edge at the input IN results in a rising edge at the output Q. A falling edge
at IN results in a falling edge at Q after PT has elapsed.
If the input IN changes to 1 before PT has elapsed, Q remains on 1.
The output ET indicates the time that has elapsed since the last falling edge at the
input IN, but only up to the value at the input PT. ET is reset if the input IN changes
to 1.
If PT < 0, the outputs Q and ET are reset.

Timing Diagram (figure): signals IN, Q and ET against the delay PT

Startup Characteristics
In the first cycle after a cold or warm restart or in the case of a first call, the timer is
reset.
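The three timers F_TP, F_TON and F_TOF described in 8.10.2 to 8.10.4, as one added cycle-based Python model that is not Siemens code. Time is advanced explicitly per call through a dt_ms argument, which is a modelling assumption (the real blocks read the fail-safe system time, see "Fail-Safe User Times"); the documented PT < 0 reset and the startup reset are included, and the model assumes that an IN level of 1 seen in the first cycle does not count as an edge.

```python
# Added example (not Siemens code): cycle models of F_TP, F_TON and F_TOF.
from typing import Dict


class FTimer:
    """kind: 'TP' (pulse), 'TON' (on-delay) or 'TOF' (off-delay)."""

    def __init__(self, kind: str) -> None:
        if kind not in ("TP", "TON", "TOF"):
            raise ValueError(kind)
        self.kind = kind
        self.first_call = True
        self.prev_in = False
        self.running = False   # a timing interval is active
        self.et = 0            # elapsed time ET in ms
        self.q = False         # output Q

    def _reset(self) -> None:
        self.running, self.et, self.q = False, 0, False

    def cycle(self, in_: bool, pt_ms: int, dt_ms: int) -> Dict[str, object]:
        """One block call made dt_ms after the previous one (model assumption)."""
        if self.first_call:
            # Startup characteristics: the timer is reset in the first cycle.
            self.first_call = False
            self._reset()
            self.prev_in = in_            # assumption: no edge in this cycle
            return self._out()
        if pt_ms < 0:
            self._reset()                 # documented: PT < 0 resets Q and ET
            self.prev_in = in_
            return self._out()
        rising = in_ and not self.prev_in
        falling = self.prev_in and not in_
        self.prev_in = in_
        if self.kind == "TP":
            if rising and not self.running:
                self.running, self.et, self.q = True, 0, True   # pulse starts
            elif self.running:
                self.et = min(self.et + dt_ms, pt_ms)            # ET counts up to PT
                if self.et >= pt_ms:
                    self.q = False                               # pulse ends after PT
                    if not in_:
                        self.running, self.et = False, 0         # ET resets once IN = 0
            # a rising edge while running is ignored: Q stays set for exactly PT
        elif self.kind == "TON":
            if in_:
                self.et = 0 if rising else min(self.et + dt_ms, pt_ms)
                self.q = self.et >= pt_ms                        # Q after PT has elapsed
            else:
                self._reset()                                    # IN = 0 clears Q and ET
        else:  # TOF
            if in_:
                self.running, self.et, self.q = False, 0, True   # Q follows a rising IN at once
            else:
                if falling:
                    self.running, self.et = True, 0              # off-delay starts
                elif self.running:
                    self.et = min(self.et + dt_ms, pt_ms)
                self.q = self.running and self.et < pt_ms        # Q drops after PT
        return self._out()

    def _out(self) -> Dict[str, object]:
        return {"Q": self.q, "ET": self.et}


def q_trace(kind: str, pattern: str, pt_ms: int, dt_ms: int = 10) -> str:
    """Drive a timer with an IN pattern such as '0111100' and return Q per cycle."""
    t = FTimer(kind)
    return "".join("1" if t.cycle(c == "1", pt_ms, dt_ms)["Q"] else "0" for c in pattern)
```

With a 10 ms cycle and PT = 30 ms, F_TP holds Q for three cycles whether IN stays at 1 or drops after one cycle; F_TON needs IN to stay at 1 for PT before Q rises and drops it immediately when IN goes to 0; F_TOF keeps Q for PT after IN falls and is retriggered if IN returns within that time.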

I/Os
Name      Data Type   Explanation              Default
Inputs:
IN        F_BOOL      Start input
PT        F_TIME      Length of the delay      T#0 ms
Outputs:
Q         F_BOOL      Pulse output
ET        F_TIME      Elapsed time             T#0 ms

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75DAH                   Error in the safety data format of the inputs PT and IN and the
                        output ET (error due to online modification of the Safety Program
                        or internal CPU fault)

See Also
Fail-Safe User Times


8.11 Pulse Blocks

Block       Description
F_F_TRIG    Detection of the falling edge
F_R_TRIG    Detection of the rising edge
F_LIM_TI    Asymmetrical limiter of TIME values

8.11.1 F_F_TRIG

Function
The block checks the input variable for the occurrence of a falling edge and indicates at
the output whether an edge has been detected. At a falling edge of the input pulse CLK,
the output Q is set to 1 until the next call of the block.

Timing Diagram (figure): signals CLK and Q

Startup Characteristics
In the first cycle after a cold or warm restart or in the case of a first call, no edge is
detected.

I/Os
Name      Data Type   Explanation      Default
Input:
CLK       F_BOOL      Input pulse
Output:
Q         F_BOOL      Output pulse


Error Handling
None

8.11.2 F_R_TRIG

Function
The block checks the input variable for the occurrence of a rising edge and
indicates at the output whether an edge has been detected. At a rising edge of the
input pulse CLK, the output Q is set to 1 until the next call of the block.

Timing Diagram (figure): signals CLK and Q

Startup Characteristics
If the input CLK has a value of 1 in the first cycle after a cold or warm restart, a
rising edge is detected and the output Q is set to 1 until the next call of the block.
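F_F_TRIG and F_R_TRIG as an added Python model (not Siemens code) that reproduces the one behaviour that separates them at startup: F_R_TRIG reports a rising edge when CLK is already 1 in the first cycle, whereas F_F_TRIG detects nothing in the first cycle. Q is 1 for the one call in which the edge is seen, as the text states.

```python
# Added example (not Siemens code): F_R_TRIG / F_F_TRIG edge detectors.


class EdgeTrigger:
    def __init__(self, rising: bool) -> None:
        self.rising = rising        # True: F_R_TRIG, False: F_F_TRIG
        self.first_call = True
        self.prev_clk = False

    def cycle(self, clk: bool) -> bool:
        """Return Q for this call; Q is 1 only until the next call."""
        if self.first_call:
            self.first_call = False
            self.prev_clk = clk
            # F_R_TRIG: CLK = 1 in the first cycle after restart counts as a
            # rising edge. F_F_TRIG: no edge is detected in the first cycle.
            return bool(self.rising and clk)
        if self.rising:
            q = clk and not self.prev_clk        # 0 -> 1 transition
        else:
            q = self.prev_clk and not clk        # 1 -> 0 transition
        self.prev_clk = clk
        return bool(q)


def edge_trace(rising: bool, pattern: str) -> str:
    """Feed a CLK pattern such as '1100110' and return Q per cycle as a string."""
    t = EdgeTrigger(rising)
    return "".join("1" if t.cycle(c == "1") else "0" for c in pattern)
```

The startup difference matters in practice: a sequence that an F_R_TRIG feeds into a counter or a start command will fire once right after a restart if the input is already 1, which the F_F_TRIG variant never does.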

I/Os
Name      Data Type   Explanation      Default
Input:
CLK       F_BOOL      Input pulse
Output:
Q         F_BOOL      Output pulse

Error Handling
None


8.11.3 F_LIM_TI

Function
This block compares the input variables IN, MAX and MIN. It checks whether IN is
within or outside the interval between MIN and MAX. If the lower limit (MIN) of the
interval is greater than or equal to the upper limit (MAX), the output OUT = MAX
and the outputs OUTU and OUTL are set to 1. If IN is > MAX, the upper limit has
been violated, OUT = MAX, OUTU = 1 and OUTL = 0. If IN is < MIN, the lower limit
has been violated, OUT = MIN, OUTU = 0 and OUTL = 1. If IN is between MIN and
MAX, OUT = IN, OUTU = 0 and OUTL = 0 are set.

I/Os
Name      Data Type   Explanation              Default
Inputs:
IN        F_TIME      Input variable           T#0 ms
MIN       F_TIME      Lower limit              T#0 ms
MAX       F_TIME      Upper limit              T#24d 20h 31m 23s 647ms
Outputs:
OUT       F_TIME      Output variable          T#0 ms
OUTU      F_BOOL      Upper limit violation
OUTL      F_BOOL      Lower limit violation

Error Handling
None


8.12 Arithmetic Blocks with the INT Data Type

Block      Description
F_LIM_I    Asymmetrical limiter of INT values

8.12.1 F_LIM_I

Function
This block compares the input variables IN, MAX and MIN. It checks whether IN is
within or outside the interval between MIN and MAX. If the lower limit (MIN) of the
interval is greater than or equal to the upper limit (MAX), the output OUT = MAX
and the outputs OUTU and OUTL are set to 1. If IN is > MAX, the upper limit has
been violated, OUT = MAX, OUTU = 1 and OUTL = 0. If IN is < MIN, the lower limit
has been violated, OUT = MIN, OUTU = 0 and OUTL = 1. If IN is between MIN and
MAX, OUT = IN, OUTU = 0 and OUTL = 0 are set.

I/Os
Name      Data Type   Explanation              Default
Inputs:
IN        F_INT       Input variable
MIN       F_INT       Lower limit              -32768
MAX       F_INT       Upper limit              32767
Outputs:
OUT       F_INT       Output variable
OUTU      F_BOOL      Upper limit violation
OUTL      F_BOOL      Lower limit violation

Error Handling
None


8.13 Arithmetic Blocks with the REAL Data Type

Block       Description
F_ADD_R     Addition of two REAL values
F_SUB_R     Subtraction of two REAL values
F_MUL_R     Multiplication of two REAL values
F_DIV_R     Division of two REAL values
F_ABS_R     Calculation of the absolute value
F_MAX3_R    Maximum of three REAL values
F_MID3_R    Median of three REAL values
F_MIN3_R    Minimum of three REAL values
F_LIM_R     Asymmetrical limiter of REAL values
F_SQRT      Calculation of the square root
F_AVEX_R    Mean value of a maximum of nine REAL values
F_SMP_AV    Sliding mean value

8.13.1 F_ADD_R

Function
This block adds the inputs and outputs the sum at the output.
OUT = IN1 + IN2

I/Os
Name      Data Type   Explanation      Default
Inputs:
IN1       F_REAL      Addend 1         0.0
IN2       F_REAL      Addend 2         0.0
Output:
OUT       F_REAL      Sum              0.0

Error Handling
If the operation generates an invalid REAL number the event will be recorded in
the Diagnostic Buffer.


Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75D9H                   Invalid REAL number generated by the operation.

8.13.2 F_SUB_R

Function
This block subtracts the input IN2 from the input IN1 and outputs the difference at
the output.
OUT = IN1 - IN2

I/Os
Name      Data Type   Explanation      Default
Inputs:
IN1       F_REAL      Minuend          0.0
IN2       F_REAL      Subtrahend       0.0
Output:
OUT       F_REAL      Difference       0.0

Error Handling
If the operation generates an invalid REAL number the event will be recorded in
the Diagnostic Buffer.

Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75D9H                   Invalid REAL number generated by the operation.

8.13.3 F_MUL_R

Function
This block multiplies the inputs and outputs the product at the output.
OUT = IN1 * IN2

I/Os
Name      Data Type   Explanation      Default
Inputs:
IN1       F_REAL      Multiplicand     0.0
IN2       F_REAL      Multiplier       0.0
Output:
OUT       F_REAL      Product          0.0

Error Handling
If the operation generates an invalid REAL number the event will be recorded in
the Diagnostic Buffer.

Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75D9H                   Invalid REAL number generated by the operation.


8.13.4 F_DIV_R

Function
This block divides the input IN1 by the input IN2 and outputs the quotient at the
output.
OUT = IN1 / IN2

I/Os
Name      Data Type   Explanation      Default
Inputs:
IN1       F_REAL      Dividend         0.0
IN2       F_REAL      Divisor          1.0
Output:
OUT       F_REAL      Quotient         0.0

Error Handling
If the operation generates an invalid REAL number the event will be recorded in
the Diagnostic Buffer.

Error Information in Diagnostic Buffer
Error Code (W#16#...)   Description
75D9H                   Invalid REAL number generated by the operation.

Note
Use the F block F_LIM_R to prevent errors as a result of division by 0.
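The asymmetrical limiter rule given for F_LIM_TI (8.11.3) and F_LIM_I (8.12.1), and its use as the divisor guard that the Note above recommends for F_DIV_R, as one added Python example. This is not Siemens code. The limiter is written once for any ordered type because the manual states the same rule for the TIME and INT variants; that F_LIM_R follows the identical rule is an assumption, since its own description is outside this excerpt. Invalid REAL detection (NaN or infinity) mirrors the 75D9H entry and is logged to a constructed list standing in for the Diagnostic Buffer.

```python
# Added example (not Siemens code): F_LIM_* limiter and an F_DIV_R model
# guarded against division by zero, as the Note recommends.
import math
from typing import Dict, List, Tuple


def f_lim(in_, mn, mx) -> Tuple[object, bool, bool]:
    """Return (OUT, OUTU, OUTL) as the F_LIM_TI / F_LIM_I Function text states."""
    if mn >= mx:                  # inconsistent limits: OUT = MAX, both flags set
        return mx, True, True
    if in_ > mx:                  # upper limit violated
        return mx, True, False
    if in_ < mn:                  # lower limit violated
        return mn, False, True
    return in_, False, False      # inside the interval: passed through


def is_invalid_real(v: float) -> bool:
    """Assumption: NaN and +/-infinity are the 'invalid REAL numbers'."""
    return math.isnan(v) or math.isinf(v)


def f_div_r(in1: float, in2: float, diag: List[str]) -> float:
    """F_DIV_R model: OUT = IN1 / IN2; an invalid result is recorded (75D9H)."""
    try:
        out = in1 / in2
    except ZeroDivisionError:
        # Python raises where IEEE arithmetic yields inf or NaN; map it back.
        out = math.nan if in1 == 0 else math.copysign(math.inf, in1)
    if is_invalid_real(out):
        diag.append("75D9H: Invalid REAL number generated by the operation.")
    return out


def guarded_divide(in1: float, in2: float, min_div: float, max_div: float,
                   diag: List[str]) -> Dict[str, object]:
    """Clamp the divisor away from 0 with the limiter, then divide."""
    divisor, outu, outl = f_lim(in2, min_div, max_div)
    return {"OUT": f_div_r(in1, divisor, diag), "OUTU": outu, "OUTL": outl}
```

The guard works only if the limiter's interval excludes 0, so min_div must be a positive value (or max_div a negative one) chosen from the process range; OUTL then doubles as an indication that the divisor was out of range.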


8.13.5 F_ABS_R

Function
This block outputs the absolute value (amount) of the input at the output.
OUT = | IN |

I/Os

| I/O | Name | Data Type | Explanation | Default |
|---|---|---|---|---|
| Input | IN | F_REAL | Input value | 0.0 |
| Output | OUT | F_REAL | Absolute value | 0.0 |

Error Handling
None

8.13.6 F_MAX3_R

Function
This block compares three inputs and then outputs the maximum value at the
output. All the inputs are preset with a value of -3.402823e+38 (largest negative
REAL number), so that a maximum value can also be formed from only two
inputs.
OUT = MAX {IN1, IN2, IN3}

I/Os

| I/O | Name | Data Type | Explanation | Default |
|---|---|---|---|---|
| Input | IN1 | F_REAL | Input variable 1 | -3.402823e+38 |
| Input | IN2 | F_REAL | Input variable 2 | -3.402823e+38 |
| Input | IN3 | F_REAL | Input variable 3 | -3.402823e+38 |
| Output | OUT | F_REAL | Maximum value | -3.402823e+38 |

Error Handling
If the operation generates an invalid REAL number the event will be recorded in
the Diagnostic Buffer.

Error Information in Diagnostic Buffer

| Error Code (W#16#...) | Description |
|---|---|
| 75D9H | Invalid REAL number generated by the operation. |

8.13.7 F_MID3_R

Function
This block compares three inputs and then outputs the median (middle) value at the output.
OUT = MID {IN1, IN2, IN3}

I/Os

| I/O | Name | Data Type | Explanation | Default |
|---|---|---|---|---|
| Input | IN1 | F_REAL | Input variable 1 | 0.0 |
| Input | IN2 | F_REAL | Input variable 2 | 0.0 |
| Input | IN3 | F_REAL | Input variable 3 | 0.0 |
| Output | OUT | F_REAL | Median value | 0.0 |

Error Handling
If the operation generates an invalid REAL number the event will be recorded in
the Diagnostic Buffer.

Error Information in Diagnostic Buffer

| Error Code (W#16#...) | Description |
|---|---|
| 75D9H | Invalid REAL number generated by the operation. |

8.13.8 F_MIN3_R

Function
This block compares three inputs and then outputs the minimum value at the
output. All the inputs are preset with a value of 3.402823e+38 (largest positive
REAL number), so that a minimum value can also be formed from only two inputs.
OUT = MIN {IN1, IN2, IN3}

I/Os

| I/O | Name | Data Type | Explanation | Default |
|---|---|---|---|---|
| Input | IN1 | F_REAL | Input variable 1 | 3.402823e+38 |
| Input | IN2 | F_REAL | Input variable 2 | 3.402823e+38 |
| Input | IN3 | F_REAL | Input variable 3 | 3.402823e+38 |
| Output | OUT | F_REAL | Minimum value | 3.402823e+38 |

Error Handling
If the operation generates an invalid REAL number the event will be recorded in
the Diagnostic Buffer.

Error Information in Diagnostic Buffer

| Error Code (W#16#...) | Description |
|---|---|
| 75D9H | Invalid REAL number generated by the operation. |

8.13.9 F_LIM_R

Function
This block compares the input variable IN with the limits MIN and MAX and checks
whether IN lies within or outside the interval between MIN and MAX:
- If the lower limit (MIN) is greater than or equal to the upper limit (MAX), OUT = MAX and both OUTU and OUTL are set to 1.
- If IN > MAX or IN represents a positive overflow, the upper limit has been violated: OUT = MAX, OUTU = 1 and OUTL = 0.
- If IN < MIN or IN represents a negative overflow, the lower limit has been violated: OUT = MIN, OUTU = 0 and OUTL = 1.
- If IN lies between MIN and MAX, OUT = IN, OUTU = 0 and OUTL = 0.
If the input variable IN contains an invalid REAL number, the substitute input
(SUBS_IN) is passed directly to the output (OUT) and both OUTU = 1 and
OUTL = 1.

I/Os

| I/O | Name | Data Type | Explanation | Default |
|---|---|---|---|---|
| Input | IN | F_REAL | Input variable | 0.0 |
| Input | MIN | F_REAL | Lower limit | -100.0 |
| Input | MAX | F_REAL | Upper limit | 100.0 |
| Input | SUBS_IN | F_REAL | Substitute input | 0.0 |
| Output | OUT | F_REAL | Output variable | 0.0 |
| Output | OUTU | F_BOOL | Upper limit violation | |
| Output | OUTL | F_BOOL | Lower limit violation | |

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL is
called. This records the event in the Diagnostic Buffer and requests a switch to the
reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

| Error Code (W#16#...) | Description |
|---|---|
| 75D9H | Invalid REAL number generated during the calculations involving IN, MIN, MAX. |
| 75DAH | Error in the safety data format of the inputs IN, MIN, MAX, SUBS_IN. |
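The F_LIM_R rules above, together with the Note under F_DIV_R, as an added example in C (not Siemens code and not part of this manual): an S7 REAL is a 32-bit IEEE 754 float, so the limiter is modelled on `float`, an invalid REAL number as a NaN, and positive/negative overflow as +/-infinity. The function names `f_lim_r`, `f_div_r` and `invalid_real` and the sample values in `main` are the example's own.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Result of the modelled F_LIM_R block. */
typedef struct {
    float out;   /* OUT */
    bool  outu;  /* OUTU: upper limit violated (also set for an invalid IN) */
    bool  outl;  /* OUTL: lower limit violated (also set for an invalid IN) */
} lim_result;

/* An "invalid REAL number" (the 75D9H event) is a NaN. +/-infinity is an
 * overflow, which section 8.15 says is accepted as a very large value, so it
 * is deliberately not treated as invalid here. */
static bool invalid_real(float x)
{
    return isnan(x) != 0;
}

/* Model of F_DIV_R: IEEE division. x/0 yields +/-INF, 0/0 yields NaN. */
static float f_div_r(float in1, float in2)
{
    return in1 / in2;
}

/* Model of F_LIM_R, rule for rule as in the Function description above.
 * The order of the checks matters: an invalid IN has to be caught before
 * any comparison, because every comparison with NaN is false and would
 * otherwise fall through to the "within the interval" branch. */
static lim_result f_lim_r(float in, float min, float max, float subs_in)
{
    lim_result r;
    if (invalid_real(in)) {          /* SUBS_IN passed through, both flags set */
        r.out = subs_in; r.outu = true;  r.outl = true;
    } else if (min >= max) {         /* degenerate interval: OUT = MAX, both flags */
        r.out = max;     r.outu = true;  r.outl = true;
    } else if (in > max) {           /* upper violation; +INF lands here */
        r.out = max;     r.outu = true;  r.outl = false;
    } else if (in < min) {           /* lower violation; -INF lands here */
        r.out = min;     r.outu = false; r.outl = true;
    } else {                         /* within [MIN, MAX] */
        r.out = in;      r.outu = false; r.outl = false;
    }
    return r;
}

/* Stand-alone demo: quotients with a zero divisor fed into the limiter, as
 * the Note under F_DIV_R suggests. Constructed values, not plant data. */
int main(void)
{
    volatile float zero = 0.0f;   /* volatile keeps the compiler from folding the divisions */
    float cases[] = { f_div_r(100.0f, 4.0f),   /* 25.0 */
                      f_div_r(1.0f, zero),     /* +INF */
                      f_div_r(-1.0f, zero),    /* -INF */
                      f_div_r(zero, zero) };   /* NaN  */
    for (int i = 0; i < 4; i++) {
        lim_result r = f_lim_r(cases[i], -100.0f, 100.0f, 0.0f);
        printf("IN=%-8g invalid=%d -> OUT=%-6g OUTU=%d OUTL=%d\n",
               cases[i], invalid_real(cases[i]), r.out, r.outu, r.outl);
    }
    return 0;
}
```

The split between the two failure kinds is the point: a NaN is what the 75D9H entry reports and is replaced by SUBS_IN with both flags set, while an infinity is only an overflow and is clamped to MIN or MAX like any other out-of-range value. A limiter that tested the interval first would pass the NaN through as "within range".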

8.13.10 F_SQRT

Function
This block calculates the square root of the input and then outputs it at the output.
OUT = √IN
The input IN must be positive.

I/Os

| I/O | Name | Data Type | Explanation | Default |
|---|---|---|---|---|
| Input | IN | F_REAL | Radicand | 0.0 |
| Output | OUT | F_REAL | Root | 0.0 |

Error Handling
If the operation generates an invalid REAL number the event will be recorded in
the Diagnostic Buffer.

Error Information in Diagnostic Buffer

| Error Code (W#16#...) | Description |
|---|---|
| 75D9H | Invalid REAL number generated by the operation. |

8.13.11 F_AVEX_R

Function
This block calculates the mean value from a maximum of nine inputs and then
outputs the result at the output. Inputs without a set validity bit are not included in
the mean value calculation. At least MIN inputs must be valid, otherwise the output
VALIDOUT will be reset.

I/Os

| I/O | Name | Data Type | Explanation | Default |
|---|---|---|---|---|
| Input | IN1 | F_REAL | Input variable 1 | 0.0 |
| Input | IN2 | F_REAL | Input variable 2 | 0.0 |
| Input | IN3 | F_REAL | Input variable 3 | 0.0 |
| Input | IN4 | F_REAL | Input variable 4 | 0.0 |
| Input | IN5 | F_REAL | Input variable 5 | 0.0 |
| Input | IN6 | F_REAL | Input variable 6 | 0.0 |
| Input | IN7 | F_REAL | Input variable 7 | 0.0 |
| Input | IN8 | F_REAL | Input variable 8 | 0.0 |
| Input | IN9 | F_REAL | Input variable 9 | 0.0 |
| Input | VALIDIN1 | F_BOOL | IN1 valid | |
| Input | VALIDIN2 | F_BOOL | IN2 valid | |
| Input | VALIDIN3 | F_BOOL | IN3 valid | |
| Input | VALIDIN4 | F_BOOL | IN4 valid | |
| Input | VALIDIN5 | F_BOOL | IN5 valid | |
| Input | VALIDIN6 | F_BOOL | IN6 valid | |
| Input | VALIDIN7 | F_BOOL | IN7 valid | |
| Input | VALIDIN8 | F_BOOL | IN8 valid | |
| Input | VALIDIN9 | F_BOOL | IN9 valid | |
| Input | MIN | F_INT | Minimum number of valid channels | |
| Output | OUT | F_REAL | Mean value | 0.0 |
| Output | VALIDOUT | F_BOOL | Valid mean value | |

Error Handling
If the operation generates an invalid REAL number the event will be recorded in
the Diagnostic Buffer.
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

| Error Code (W#16#...) | Description |
|---|---|
| 75D9H | Invalid REAL number generated by the operation. |
| 75DAH | Error in the safety data format of the input MIN or from VALIDIN1 to VALIDIN9 (error due to online modification of the Safety Program or internal CPU fault) |

8.13.12 F_SMP_AV

Function
This block outputs the mean value of the last N input values at the output.
OUT = (IN_k + IN_(k-1) + ... + IN_(k-N+1)) / N
IN_k is the current input value.
The number N of input values must fulfill the condition 0 < N < 33.

I/Os

| I/O | Name | Data Type | Explanation | Default |
|---|---|---|---|---|
| Input | IN | F_REAL | Input variable | 0.0 |
| Input | N | F_INT | Number of input variables monitored | |
| Output | OUT | F_REAL | Mean value | 0.0 |

Startup Characteristics
As long as N input values have not been read in after a cold or warm restart or in
the case of a first call, only the available input values (< N) are taken into account
for mean value formation. Input values saved before the startup are not taken into
account.

Error Handling
If the condition 0 < N < 33 is not fulfilled, OUT = INk is set.
If the operation generates an invalid REAL number the event will be recorded in
the Diagnostic Buffer.
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

| Error Code (W#16#...) | Description |
|---|---|
| 75DAH | Error in the safety data format of the IN input (error due to online modification of the Safety Program or internal CPU fault) |
| 75D9H | Invalid REAL number generated by the operation. |
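Both mean-value blocks above, F_AVEX_R (8.13.11) and F_SMP_AV (8.13.12), modelled in C as an added example (not Siemens code and not part of this manual). It shows the validity-bit gating and the MIN threshold of F_AVEX_R, and the ring buffer, the startup behaviour with fewer than N values and the OUT = IN_k error case of F_SMP_AV. The function and type names (`f_avex_r`, `f_smp_av`, `smp_av_state`, `smp_av_run`) and the sample values are the example's own; two assumptions the page does not settle are marked in comments: what OUT is when no F_AVEX_R input is valid, and that N does not change between F_SMP_AV calls.

```c
#include <stdbool.h>
#include <stdio.h>

/* ---- F_AVEX_R: mean of up to nine inputs, gated by validity bits ---- */

#define AVEX_INPUTS 9

typedef struct {
    float out;       /* OUT: mean of the valid inputs */
    bool  validout;  /* VALIDOUT: reset when fewer than MIN inputs are valid */
} avex_result;

static avex_result f_avex_r(const float in[AVEX_INPUTS],
                            const bool validin[AVEX_INPUTS], int min)
{
    avex_result r = { 0.0f, false };
    float sum = 0.0f;
    int valid = 0;
    for (int i = 0; i < AVEX_INPUTS; i++) {
        if (validin[i]) {            /* inputs without a set validity bit are skipped */
            sum += in[i];
            valid++;
        }
    }
    /* Assumption (not stated on the page): with no valid input OUT keeps its
     * default 0.0 instead of dividing by zero. */
    r.out = (valid > 0) ? sum / (float)valid : 0.0f;
    r.validout = (valid >= min);
    return r;
}

/* ---- F_SMP_AV: sliding mean of the last N input values, 0 < N < 33 ---- */

#define SMP_MAX_N 32

typedef struct {
    float buf[SMP_MAX_N];  /* ring buffer of the most recent inputs */
    int   head;            /* next write position */
    int   count;           /* values read in since the last (re)start, <= N */
} smp_av_state;

/* Cold/warm restart or first call: values saved before the startup are discarded. */
static void smp_av_restart(smp_av_state *s)
{
    s->head = 0;
    s->count = 0;
}

/* One cycle of F_SMP_AV. Assumption: N stays constant between calls; the page
 * does not describe a change of N at run time. */
static float f_smp_av(smp_av_state *s, float in, int n)
{
    if (n <= 0 || n >= 33)           /* error handling: OUT = IN_k */
        return in;
    s->buf[s->head] = in;
    s->head = (s->head + 1) % n;
    if (s->count < n)                /* startup: only the values read in so far count */
        s->count++;
    float sum = 0.0f;
    for (int i = 0; i < s->count; i++)
        sum += s->buf[i];
    return sum / (float)s->count;
}

/* Feed the first `len` values into a freshly restarted filter; return the last OUT. */
static float smp_av_run(const float *values, int len, int n)
{
    smp_av_state s;
    smp_av_restart(&s);
    float out = 0.0f;
    for (int i = 0; i < len; i++)
        out = f_smp_av(&s, values[i], n);
    return out;
}

/* Constructed sample data (not plant data). */
static const float AVEX_IN[AVEX_INPUTS]    = { 12.0f, 18.0f, 99.0f, 30.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f };
static const bool  AVEX_VALID[AVEX_INPUTS] = { true, true, false, true, false, false, false, false, false };
static const float SMP_IN[]                = { 10.0f, 20.0f, 30.0f, 40.0f, 50.0f };

int main(void)
{
    avex_result a = f_avex_r(AVEX_IN, AVEX_VALID, 3);
    printf("F_AVEX_R MIN=3: OUT=%g VALIDOUT=%d\n", a.out, a.validout);
    a = f_avex_r(AVEX_IN, AVEX_VALID, 4);
    printf("F_AVEX_R MIN=4: OUT=%g VALIDOUT=%d\n", a.out, a.validout);
    for (int k = 1; k <= 5; k++)
        printf("F_SMP_AV N=4 after %d value(s): OUT=%g\n", k, smp_av_run(SMP_IN, k, 4));
    printf("F_SMP_AV N=0 (outside 0 < N < 33): OUT=%g\n", smp_av_run(SMP_IN, 5, 0));
    return 0;
}
```

Note that F_AVEX_R excludes the invalid channel (99.0 in the sample) from the mean but still reports VALIDOUT = 1 as long as at least MIN channels are valid; the consumer has to look at VALIDOUT, not at OUT, to know whether the mean rests on enough channels. For F_SMP_AV the startup case is visible in the first N-1 cycles after a restart, when OUT is the mean of fewer than N values.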

8.14 Multiplex Blocks

| Block | Description |
|---|---|
| F_MUX2_R | Multiplexer 1 out of 2 for REAL values |

8.14.1 F_MUX2_R

Function
This block outputs one of the inputs IN0 or IN1, depending on the selection input K,
at the output OUT:

K = 0: OUT = IN0

K = 1: OUT = IN1

I/Os

| I/O | Name | Data Type | Explanation | Default |
|---|---|---|---|---|
| Input | K | F_BOOL | Selection input | |
| Input | IN0 | F_REAL | Value 1 | 0.0 |
| Input | IN1 | F_REAL | Value 2 | 0.0 |
| Output | OUT | F_REAL | Output | 0.0 |

Error Handling
In the event of an error that is critical to safety, the system function SFC F_CTRL
is called. This records the event in the Diagnostic Buffer and requests a switch to
the reserve CPU if the error occurred only on the master CPU. For non-redundant
systems or a common-cause error occurring in both CPUs, the shutdown logic can
be configured to either disable the erred F-run-time group or the entire Safety
Program.

Error Information in Diagnostic Buffer

| Error Code (W#16#...) | Description |
|---|---|
| 75DAH | Error in the safety data format of the input K (error due to online modification of the Safety Program or internal CPU fault) |

8.15 Error Handling

Safety-Relevant Errors
If safety-relevant errors are detected in fail-safe blocks, the system function SFC
F_CTRL is called. SFC F_CTRL records the event in the Diagnostic Buffer and
requests a switch to the reserve CPU if the error only occurred on the master CPU.
The shutdown logic should be configured for partial or full shutdown to handle
failures in non-redundant systems or common-cause faults in redundant systems
(both CPUs encounter a fault at the same time).

Errors in the Event of Value Range Violations

Underflow (very small REAL numbers) and overflow of REAL values are not
considered range violations. They are simply treated as very small and very large
values and are accepted, used and generated by the fail-safe blocks without
incident. If a fail-safe block generates an invalid REAL number, the system function
SFC 65097 (WRSYMSG) is called to record the event in the Diagnostic Buffer. Once
generated, invalid REAL numbers are accepted and used by subsequent fail-safe
blocks without incident.
Remedy: check the values using, for example, F_LIM_R.

Error Information in Diagnostic Buffer

In the event of an error, error information is written into the Diagnostic Buffer. By
reading the Diagnostic Buffer you can find out:
- The data block number of the fail-safe block that triggered the error.
- An error code and thus the cause of the error.

The error codes and their causes are described for each of the fail-safe blocks.

Error Information at the Output RETVAL


Return values of the system functions (RET_VAL) are indicated at the output
RETVAL for the blocks for F communication between CPUs. The return values are
error codes that give you additional assistance in finding the error.

See Also
Error Information at the Outputs of the Driver Blocks
Error Information at the Output RETVAL

8.15.1 Error Handling of Driver Blocks
The driver blocks can respond to the following errors:
- Communication errors, such as
  - TIMEOUT errors: The module has not received a new frame from the CPU or has not responded to it within the configured monitoring time (TIMEOUT).
  - Check value error (CRC): The check sum of the transferred data doesn't match the check sum supplied.
  - Watchdog error (incorrect consecutive number): The module has not received the frame with the expected consecutive number from the CPU or has not sent the expected response with the new consecutive number to the CPU.
- Discrepancy errors in the case of redundant digital input modules
- Module faults reported by the F-I/Os.
- Channel faults reported by the F-I/Os (ET 200M: only if the "Group Diagnosis" parameter is set).

Error Reaction
- F channel drivers for digital input modules output the substitute value 0 at the outputs.
- F channel drivers for analog input modules output the substitute value or the last valid value at the outputs, depending on the parameterization.
- F channel drivers for digital output modules output the substitute value 0 to the module instead of the process values.

Note
The output of simulation values has priority over the output of substitute values in
the case of input modules.

Error Signaling
The following block outputs are activated:
- DIAG_1, DIAG_2 at the F_M_xx F module drivers: diagnostic information for the whole SM 1 or SM 2 module
- QUALITY at the F_CH_xx F channel drivers: quality code of the process value per channel
- QBAD at the F_CH_xx F channel drivers: The output is set if substitute values are output.
- ACK_REQ at the F_CH_xx F channel drivers: The output is set if a user acknowledgment is required.

You can find an overview of diagnostic messages and possible remedies in the
section entitled "Error Information at the Outputs of the Driver Blocks".

Error in the Safety Data Format

If an error is detected in the safety data format, the system function SFC F_CTRL
is called automatically. The system function SFC F_CTRL records the event in the
Diagnostic Buffer and requests a switch to the reserve CPU if the error occurred
only on the master CPU. By reading the Diagnostic Buffer you can find out:
- The number of the fail-safe block that triggered the error.
- An error code and thus the cause of the error.

The error codes and their causes are described for each of the fail-safe blocks.

See Also
Error Information at the Outputs of the Driver Blocks

8.15.2 Error Information at the Outputs of the Driver Blocks
The following errors are detected at the outputs of the F module drivers (F_M_DI8,
F_M_DI24, F_M_DO10, F_M_DO8 and F_M_AI6). DIAG_n carries the diagnostic
information for SM n:

| Output | Cause | Remedies |
|---|---|---|
| DIAG_n, byte 0, bit 0 | TIMEOUT error on SMn | Check the set monitoring time in HWCONFIG. Check the PROFIBUS connection between the CPU and F-I/O. Read out the module diagnosis. |
| DIAG_n, byte 0, bit 1 | Common error on SMn | Check the wiring. Read out the module diagnosis. |
| DIAG_n, byte 0, bit 2 | CRC value/watchdog error on SMn | Compare the CRC_IMPx parameter with the corresponding CRC check sum parameters from HWCONFIG. Download the configuration from HWCONFIG, compile the changes to the Safety Program, download them again, and carry out a cold restart. Switch the voltage off and on at the F-I/O. Check the PROFIBUS connection between the CPU and F-I/O. Read out the module diagnosis. |
| DIAG_n, byte 0, bit 3 | Reserved | |
| DIAG_n, byte 0, bit 4 | TIMEOUT error on CPU or internal CPU fault | Check the PROFIBUS connection between the CPU and F-I/O. Download the configuration from HWCONFIG, compile the changes to the Safety Program, download them again, and carry out a cold restart. Read out the module diagnosis, or replace the CPU. |
| DIAG_n, byte 0, bit 5 | Watchdog error on CPU or internal CPU fault | Check the PROFIBUS connection between the CPU and F-I/O, or replace the CPU. |
| DIAG_n, byte 0, bit 6 | Check value error (CRC) on CPU or internal CPU fault | Compare the CRC_IMPx parameter with the corresponding CRC check sum parameters from HWCONFIG. Download the configuration from HWCONFIG, compile the changes to the Safety Program, download them again, and carry out a cold restart. Switch the voltage off and on at the F-I/O, or replace the CPU. |
| DIAG_n, byte 0, bit 7 | Reserved | |
| DIAG_n, byte 1 (F_M_DI8 and F_M_DI24 only), bits 0 to 7 | Discrepancy error on channel 0 to 7 of SMn | Check sensor |
| DIAG_n, byte 2 (F_M_DI24 only), bits 0 to 7 | Discrepancy error on channel 8 to 15 of SMn | Check sensor |
| DIAG_n, byte 3 (F_M_DI24 only), bits 0 to 7 | Discrepancy error on channel 16 to 23 of SMn | Check sensor |

n = 1: Diagnostic information for module SM1
n = 2: Diagnostic information for redundant module SM2

Note
In byte 0 of DIAG_1/2, the most recent error information remains stored until a new
error occurs, even if the error has already gone.
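A decoder for the DIAG_n layout in the table above, as an added example in C (not Siemens code and not part of this manual). `decode_diag` takes the four bytes of DIAG_n in table order and the channel count of the module (8 for F_M_DI8, 24 for F_M_DI24, 0 for the DO and AI drivers, which carry no discrepancy bytes) and returns the set module-level causes and the channels with a discrepancy error; the names and the sample words are the example's own. Such a decoder belongs on the maintenance or HMI side, and the latching of byte 0 described in the Note means the decoded module error is the most recent one, not necessarily a current one.

```c
#include <stdint.h>
#include <stdio.h>

/* Causes signalled by the bits of byte 0, indexed by bit number (table above). */
static const char *const DIAG_BYTE0_CAUSE[8] = {
    "TIMEOUT error on SMn",                                  /* bit 0 */
    "Common error on SMn",                                   /* bit 1 */
    "CRC value/watchdog error on SMn",                       /* bit 2 */
    "Reserved",                                              /* bit 3 */
    "TIMEOUT error on CPU or internal CPU fault",            /* bit 4 */
    "Watchdog error on CPU or internal CPU fault",           /* bit 5 */
    "Check value error (CRC) on CPU or internal CPU fault",  /* bit 6 */
    "Reserved",                                              /* bit 7 */
};

/* Channel counts of the digital input modules that carry discrepancy bytes. */
enum { DI8_CHANNELS = 8, DI24_CHANNELS = 24 };

typedef struct {
    uint8_t  module_flags;      /* byte 0 with the two reserved bits masked off */
    int      module_errors;     /* number of set, non-reserved bits in byte 0 */
    uint32_t discrepancy;       /* bit c set: discrepancy error on channel c */
    int      discrepancy_count;
} diag_decoded;

/* Decode DIAG_n. `diag` holds bytes 0..3 in table order. Byte 0 is latched
 * until the next error (see the Note above), so module_flags describe the
 * most recent module error, not necessarily a present one. */
static diag_decoded decode_diag(const uint8_t diag[4], int di_channels)
{
    diag_decoded d = { 0, 0, 0, 0 };
    d.module_flags = diag[0] & (uint8_t)~((1u << 3) | (1u << 7));
    for (int bit = 0; bit < 8; bit++)
        if (d.module_flags & (1u << bit))
            d.module_errors++;
    for (int c = 0; c < di_channels && c < DI24_CHANNELS; c++) {
        int byte = 1 + c / 8;          /* byte 1: ch 0-7, byte 2: ch 8-15, byte 3: ch 16-23 */
        if (diag[byte] & (1u << (c % 8))) {
            d.discrepancy |= 1u << c;
            d.discrepancy_count++;
        }
    }
    return d;
}

/* Human-readable report, e.g. for a maintenance display. */
static void print_diag(const char *label, const uint8_t diag[4], int di_channels)
{
    diag_decoded d = decode_diag(diag, di_channels);
    printf("%s: %d module error(s), %d discrepancy channel(s)\n",
           label, d.module_errors, d.discrepancy_count);
    for (int bit = 0; bit < 8; bit++)
        if (d.module_flags & (1u << bit))
            printf("  byte 0 bit %d: %s\n", bit, DIAG_BYTE0_CAUSE[bit]);
    for (int c = 0; c < di_channels; c++)
        if (d.discrepancy & (1u << c))
            printf("  discrepancy error on channel %d: check sensor\n", c);
}

/* Constructed sample words (not captured from a plant). */
static const uint8_t DIAG_SAMPLE_DI8[4]  = { 0x04, 0x81, 0x00, 0x00 }; /* CRC/watchdog on SMn; channels 0 and 7 */
static const uint8_t DIAG_SAMPLE_DI24[4] = { 0x88, 0x00, 0x01, 0x80 }; /* only reserved bits in byte 0; channels 8 and 23 */

int main(void)
{
    print_diag("F_M_DI8  DIAG_1", DIAG_SAMPLE_DI8, DI8_CHANNELS);
    print_diag("F_M_DI24 DIAG_1", DIAG_SAMPLE_DI24, DI24_CHANNELS);
    return 0;
}
```

Passing the channel count of the actual module matters: reading bytes 1 to 3 of a DO or AI driver as discrepancy bits would report channels that do not exist, and reading bytes 2 and 3 of an F_M_DI8 would do the same.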

8.15.3 Error Information in the Diagnostic Buffer
The table below contains all the causes for an error entry in the Diagnostic Buffer.
Which errors are detected in which block is described for each fail-safe block.
The error code and thus the cause of the error can also be obtained.

Error Codes in Diagnostic Buffer

Invalid Number

Error Code (W#16#...): 75D9H
Cause: This event is posted to notify the user that a floating point math calculation within a function block resulted in an invalid floating point value. This value is typically represented as 1.#QNAN or 1.#IND. It is typically the result of unexpected results of previous function block calculations, such as +/- infinity.
Remedies: This event contains the instance DB number of the function block that encountered this invalid calculation. Use the DB number to identify the function block within the project that has this failure.
1. Open the CFC Editor and click on the cross reference button.
2. Choose Edit > Find and enter DB xxx, where xxx is the DB number being reported in the error event. Once you identify the line in the cross reference list, double click on it. It will automatically open up the chart containing the function block that reported the error.
Check the input values for the valid number range.

F-specific error

Error Code (W#16#...): 75DAH
Cause: An incorrect online modification of the Safety Program, or a fault due to an internal failure of the RAM or F-CPU.
Remedies: Restart the Shutdown logic, or stop and cold start the F-CPU, or perform a full download of the complete program to the F-CPU, or replace the F-CPU.

Safety Mode Activated/Deactivated Events Reported From Shutdown Logic

Error Code (W#16#...): 73DBH
Cause: Safety Mode was activated. That means all the safety mechanisms for fault detection and fault reactions are activated.

Error Code (W#16#...): 72DBH
Cause: Safety Mode is deactivated. The safety of the system must be ensured by means of other organizational measures (e.g. monitored operation and manual safety shutdown).

Shutdown of Failsafe Runtime Group Activated Reported from Shutdown Logic F_SHUTDN

Error Code (W#16#...): 75DDH
Cause: A fail-safe run-time group has detected a critical fault and will be disabled. The RTG_LOGIC identified by DBxx is the data block number of the F-FB which detected the fault. The RTG_LOGIC FBs are in the CFC chart @F_ShutDn. The number at the end of the RTG_LOGIC FB's name is the instance DB number; finding the F-FB with the DB xx reported in the event will lead to discovering the run-time group name and chart location.
Remedies: Identify the failure in the F-run-time group. Restart the Shutdown logic, and/or stop and cold start the F-CPU, or perform a full download of the complete program to the F-CPU. Identify the cause of the shutdown and resolve the issue. You may restart all of the shut-down F-run-time groups through the RESTART input of the FB F_SHUTDN located in the CFC chart @F_ShutDn.

Shutdown of Failsafe Runtime Group Deactivated Reported from Shutdown Logic F_SHUTDN

Error Code (W#16#...): 74DDH
Cause: The RTG_LOGIC identified by DBxx has re-enabled its fail-safe run-time group. A fault was cleared following an initialization of the F-run-time group. This would happen after the user causes a 0 -> 1 transition on the RESTART input of the FB F_SHUTDN located in the CFC chart @F_ShutDn.

Full Shutdown of Entire Safety Program Activated Reported from Shutdown Logic F_SHUTDN Block

Error Code (W#16#...): 75DEH
Cause: One or more F-run-time groups have detected a critical fault and all F-run-time groups in the Safety Program will be disabled.
Remedies: Identify the failure in the run-time group. Identify the cause of the shutdown and resolve the issue. You may restart all of the shut-down F-run-time groups through the RESTART input of the F-FB F_SHUTDN located in the CFC chart @F_ShutDn. Restart the Shutdown logic, and/or stop and cold start the F-CPU, or perform a full download to the F-CPU.

Full Shutdown of Entire Safety Program Deactivated Reported from Shutdown Logic F_SHUTDN

Error Code (W#16#...): 74DEH
Cause: The FB F_SHUTDN has completed a reinitialization of the whole Safety Program; all F-run-time groups are enabled. This would happen after the user causes a 0 -> 1 transition on the RESTART input of the FB F_SHUTDN located in the CFC chart @F_ShutDn.

Safety Program Initialization Start/End Reported from Shutdown Logic F_SHUTDN

Error Code (W#16#...): 75DFH
Cause: This would happen after the user causes a 0 -> 1 transition on the RESTART input of the FB F_SHUTDN located in the CFC chart @F_ShutDn. The FB F_SHUTDN begins a reinitialization of all F-FBs in disabled F-run-time groups. Reinitialization may take several seconds depending on the size of your Safety Program and your slowest configured OB3x containing an F-run-time group.

Error Code (W#16#...): 74DFH
Cause: The FB F_SHUTDN has completed a reinitialization of the Safety Program; all F-run-time groups are enabled.
Remedies: You may have to reintegrate your I/O through the F_QUITES function block; this is only necessary if the F-run-time group that was shut down contains F module driver blocks.

Errors in Runtime Communications Protocol Fault

Error Code (W#16#...): 75DCH
Cause: This fault results in disabling of the F-run-time group that contains the faulted F-FB and possibly disabling of the entire Safety Program (depending upon the configuration of the FULL_SD input of the FB F_SHUTDN, either Full Shutdown or Partial Shutdown). The fault is due to an internal failure of the RAM or F-CPU.
Remedies: Restart the Shutdown logic, or stop and cold start the F-CPU, or perform a full download of the complete program to the F-CPU, or replace the F-CPU.

Error Detected in F_PLK Program/Data Flow Control Error Before Output Blocks

Error Code (W#16#...): 75E1H
Cause: Error processing F_CYC_CO, internal CPU fault; or error processing F_TEST, internal CPU fault; or error processing F_TESTC, internal CPU fault; or error due to online modification of the Safety Program or internal CPU fault.
Remedies: Restart the Shutdown logic, or stop and cold start the F-CPU, or perform a full download of the complete program to the F-CPU, or replace the F-CPU.
Error Detected in F_PLK_O Program/Data Flow Control Error After Output Blocks

Error Code (W#16#...): 75E1H
Cause: Error due to online modification of the Safety Program or internal CPU fault.
Remedies: Restart the Shutdown logic, or stop and cold start the F-CPU, or perform a full download of the complete program to the F-CPU, or replace the F-CPU.

Error Detected in F_CYC_CO Exceeding of the F Cycle Time by...

Error Code (W#16#...): 75E1H
Cause: Power failure, internal CPU fault.
Remedies: Restart the Shutdown logic, or stop and cold start the F-CPU, or perform a full download of the complete program to the F-CPU, or replace the F-CPU.

Error Code (W#16#...): 75E1H
Cause: Maximum permissible F cycle time exceeded or internal CPU fault.
Remedies: Restart the Shutdown logic, or stop and cold start the F-CPU, or perform a full download of the complete program to the F-CPU, or replace the F-CPU, or increase the cycle time of the OB3x containing the F-run-time group experiencing the maximum cycle time exceeded, or move functionality out of that OB3x to another OB3x (this includes standard blocks and F-blocks running in the OB3x of said F-run-time group).

Error Detected in F_TEST Command Test

Error Code (W#16#...): 75E1H
Cause: Internal CPU fault.
Remedies: Restart the Shutdown logic, or stop and cold start the F-CPU, or perform a full download of the complete program to the F-CPU, or replace the F-CPU.

Error Detected in F_TESTC Background Self-Tests of the CPU

Error Code (W#16#...): 75E1H
Cause: Error during self-test of the CPU, or error due to online modification of the Safety Program, or internal CPU fault.
Remedies: Check whether the tests of the F-CPU have been switched off by SFC90 H_CTRL; the tests must not be switched off. Ensure that the F-CPU's Test Cycle Time has been set to < 12 h in the CPU's H Parameters properties. Or restart the Shutdown logic, or stop and cold start the F-CPU, or perform a full download of the complete program to the F-CPU, or replace the F-CPU.

8.15.4 Error Information at the Output RETVAL


The blocks for F communication between CPUs (F_SENDBO, F_RCVBO,
F_SENDR and F_RCVR) call the SFBs 8 (USEND) and 9 (URCV) internally. In the
event of communication problems, these SFBs indicate the possible causes in their
STATUS. This STATUS is entered in the high byte of RETVAL if ERROR=1
(USEND or URCV).
The STATUS of the SFBs and thus the configuration of the high byte of RETVAL is
described in the System Software for S7-300/400, System and Standard Functions
reference manual.
The low byte of RETVAL has the following configuration (one bit per row):

| Cause | Remedies |
|---|---|
| Reserved | |
| Recipient outputs substitute values | Read out the cause in RETVAL on the receiving side |
| ERROR bit of USEND set | Communication problems: see high byte. Check the connection configuration, and download it again. Check the connecting cable. |
| ERROR bit of URCV set | Communication problems: see high byte. Check the connection configuration, and download it again. Check the connecting cable. |
| Check value error (CRC) or internal error in the sender or recipient CPU or in the CP | Check whether CRC_IMP is identical on the send and receive sides; if not, recompile the Safety Program, download it to the CPU, and execute a cold restart. Or check the connection configuration, and download it again. Check the connecting cable, or replace the CPU or CP. |
| Watchdog error or internal error in the sender or recipient CPU or in the CP | Check the connection configuration, and download it again. Check the connecting cable, or replace the CPU or CP. |
| TIMEOUT error or internal error in the sender or recipient CPU or in the CP | Increase the TIMEOUT monitoring time, if necessary. Check the connection configuration, and download it again. Check the connecting cable, or replace the CPU or CP. |

8.16 Run Times

8.16.1 Run Times of the Fail-Safe Blocks

The Principle of Run-Time Measurement


In order to obtain practical run times, all the fail-safe blocks were measured with a
dynamic circuit. In other words, the stored input variables of the blocks were
changed (dynamically) during measurement.
The run times in the table below are maximum values.

Run Times of the Fail-Safe Blocks (in µs)

Driver Blocks

| Block Name | Block Number | Function | Configuration | Maximum Run Time with Dynamically Connected Inputs in µs |
|---|---|---|---|---|
| F_M_AI6 | FB 383 | F module driver for 6-channel analog input | One CPU/one F-I/O | 465 |
| | | | Redundant CPU/one F-I/O | 520 |
| | | | One CPU/redundant F-I/O | 740 |
| | | | Redundant CPU/redundant F-I/O | 814 |
| F_M_DI8 | FB 384 | F module driver for 8-channel digital input | One CPU/one F-I/O | 518 |
| | | | Redundant CPU/one F-I/O | 570 |
| | | | One CPU/redundant F-I/O | 1046 |
| | | | Redundant CPU/redundant F-I/O | 1155 |
| F_M_DI24 | FB 385 | F module driver for 24-channel digital input | One CPU/one F-I/O | 789 |
| | | | Redundant CPU/one F-I/O | 847 |
| | | | One CPU/redundant F-I/O | 1727 |
| | | | Redundant CPU/redundant F-I/O | 1830 |
| F_M_DO8 | FB 388 | F module driver for 8-channel digital output | One CPU/one F-I/O | 488 |
| | | | Redundant CPU/redundant F-I/O | 542 |
| F_M_DO10 | FB 386 | F module driver for 10-channel digital output | One CPU/one F-I/O | 519 |
| | | | Redundant CPU/one F-I/O | 570 |
| | | | One CPU/redundant F-I/O | 1210 |
| | | | Redundant CPU/redundant F-I/O | 1598 |
| F_CH_DI | FB 377 | F channel driver for digital input | | 51 |
| F_CH_DO | FB 378 | F channel driver for digital output | | 44 |
| F_CH_AI | FB 379 | F channel driver for analog input | | 130 |

Further Blocks (in Alphabetical Order)

| Block Name | Block Number | Function | Maximum Run Time with Dynamically Connected Inputs in µs |
|---|---|---|---|
| F_1oo2_R | FB 457 | 1 out of 2 analog voter block (block type) | 5900 |
| F_2OUT3 | FB 305 | Binary selection 2 out of 3 | 16 |
| F_2oo3_R | FB 456 | 2 out of 3 analog voter block (block type) | 7650 |
| F_ABS_R | FB 325 | Calculation of the absolute value | 12 |
| F_ADD_R | FB 321 | Addition of two REAL values | 16 |
| F_AND4 | FB 301 | AND logic operation on four inputs | 13 |
| F_AVEX_R | FB 331 | Mean value of a maximum of nine REAL values | 98 |
| F_BO_FBO | FC 303 | Convert from BOOL to F_BOOL | 10 |
| F_CTUD | FB 341 | Up and down counter | 28 |
| F_CYC_CO | FB 395 | F cycle time monitoring | 280 |
| F_DIV_R | FB 324 | Division of two REAL values | 18 |
| F_F_TRIG | FB 347 | Detection of the falling edge | 13 |
| F_FBO_BO | FC 363 | Convert from F_BOOL to BOOL | |
| F_FI_I | FC 305 | Convert from F_INT to INT | |
| F_FR_FI | FB 461 | Convert from F_REAL to F_INT | 13 |
| F_FR_R | FC 304 | Convert from F_REAL to REAL | 10 |
| F_FTI_TI | FC 306 | Convert from F_TIME to TIME | 10 |
| F_I_FI | FB 369 | Converts from INT to F_INT | 11 |
| F_LIM_HL | FB 314 | Monitoring of upper limit value violation of a REAL value | 24 |
| F_LIM_I | FB 350 | Asymmetrical limiter of INT values | 21 |
| F_LIM_LL | FB 315 | Monitoring of lower limit violation of a REAL value | 24 |
| F_LIM_R | FB 329 | Asymmetrical limiter of REAL values | 40 |
| F_LIM_TI | FB 345 | Asymmetrical limiter of TIME values | 26 |
| F_MAX3_R | FB 326 | Maximum of three REAL values | 18 |
| F_MID3_R | FB 327 | Median of three REAL values | 21 |
| F_MIN3_R | FB 328 | Minimum of three REAL values | 18 |
| F_MUL_R | FB 323 | Multiplication of two REAL values | 18 |
| F_MUX2_R | FB 332 | Multiplexer 1 out of 2 for REAL values | 17 |
| F_NOT | FB 304 | NOT logic operation | 11 |
| F_OR4 | FB 302 | OR logic operation on four inputs | |
| F_PLK | FB 396 | Program execution monitoring before output blocks | To be supplied |
| F_PLK_O | FB 397 | Program execution monitoring after output blocks | To be supplied |
| F_QUITES | FB 367 | Fail-safe acknowledgment via the ES/OS | 24 |
| F_R_BO | FB 391 | Fail-safe receipt of 10 data items of the data type F_BOOL from another F run-time group | 44 |
| F_R_FR | FB 362 | Convert from REAL to F_REAL | 11 |
| F_R_R | FB 393 | Fail-safe receipt of 5 data items of the data type F_REAL from another F-run-time group | 40 |
| F_R_TRIG | FB 346 | Detection of the rising edge | 13 |
| F_RCVBO | FB 371 | Receives F_BOOL data from another CPU | 1250 |
| F_RCVR | FB 373 | Receives F_REAL data from another CPU | 770 |
| F_RS_FF | FB 307 | RS flipflop, resetting dominant | 16 |
| F_S_BO | FB 390 | Fail-safe transmission of 10 data items of the data type F_BOOL to another F run-time group | 12 |
| F_S_R | FB 392 | Fail-safe transmission of 5 data items of the data type F_ to another F run-time group | 12 |
| F_SENDBO | FB 370 | Sends F_BOOL data to another CPU | 1320 |
| F_SENDR | FB 372 | Sends F_REAL data to another CPU | 1420 |
| F_SHUTDN | FB 458 | F run-time group shutdown and restart management | 21 |
| F_SMP_AV | FB 333 | Sliding mean value | 391 |
| F_SQRT | FB 330 | Calculation of the square root | 58 |
| F_SR_FF | FB 308 | SR flipflop, setting dominant | 16 |
| F_START | FB 394 | Startup detection (cold restart or warm restart) | 11 |
| F_SUB_R | FB 322 | Subtraction of two REAL values | 16 |
| F_TEST | FB 398 | Self-test for commands not backed up by diversity | 362 |
| F_TESTC | FB 399 | Control block for the background self-test of the CPU | 445 |
| F_TESTM | FB 400 | Switching of Safety Mode on and off | 178 |
| F_TI_FTI | FB 368 | Converts from TIME to F_TIME | 12 |
| F_TOF | FB 344 | Timer off-delay | 24 |
| F_TON | FB 343 | Timer on-delay | 24 |
| F_TP | FB 342 | Timer pulse | 24 |
| F_XOR2 | FB 303 | XOR logic operation on two inputs | 13 |
| F_XOUTY | FB 306 | Binary selection X out of Y | 74 |
| DB_INIT | FC 180 | F-run-time group coldstart initialization logic | 12 |
| DB_RES | FC 301 | Supports the startup characteristics in the event of a cold restart/warm restart of the CPU | 11 |
| FAIL_MSG | FC 181 | F-run-time group shutdown diagnostic error reporting | Included in RTG_LOGIC |
| RTG_LOGIC | FB 459 | F-run-time group shutdown and restart logic interface | To be supplied |

Run times of F block types


For a first estimate, add the run times of the called blocks. An exact run time can
only be obtained by measurement.

Check Lists

A.1 Life Cycle of the Fail-Safe Programmable Controllers

The following table gives you a summary, in the form of a check list, of the activities
in the life cycle of S7 F/FH Systems as well as the requirements and rules that
must be complied with. You can find detailed safety guidelines in the sections
referred to in the "Refer to" column, e.g.:
F-SYS: Sect. 5.2.3 means Section 5.2.3 of the "Fail-Safe Systems" manual.
F-SM: Chap. 3 means Chapter 3 of the "Fail-Safe Signal Modules" manual.
F ET 200S: Chap. 5 means Chapter 5 of the "ET 200S Distributed I/O System,
Fail-Safe Modules" manual.

Check List

Phase | Activity | Note | Refer to | Check
Planning | Prerequisite: A "Safety requirements specification" must be available for the planned application | Depends on the process | |
Planning | Specification of the system architecture | Depends on the process | |
Planning | Allocation of functions and subfunctions to the system components | Depends on the process | F-SYS: Sect. 1.7 |
Planning | Selection of the sensors and actuators | Requirements placed on the actuators | F SM: Sect. 3.5; F-SYS: Sect. 7.2, 7.3; F ET 200S: Sect. 6.5 |
Planning | Definition of the necessary safety properties of the individual components | DIN V 19 250; IEC 61508 | F-SYS: Sect. 7.1, 7.2 |
Configuration | Installation of the add-on package | Prerequisites for installation | F-SYS: Sect. 1.6 |
Configuration | Selection of S7 components | Rules for physical configuration | F-SYS: Sect. 1.3, 7.3; F SM: Sect. 3.1; F ET 200S: Sect. 3.2 |
Configuration | Configuration of the hardware | Rules for F-Systems | F-SYS: Sect. 4.2 |
Configuration | Verification of the hardware components used on the basis of the check list of the certified modules | | F-SYS: App. A.2 |
Configuration | Parameter assignment of the CPU | CPU contains the safety program; Password; Settings for safety mode | F-SYS: Sect. 4.3, 4.4, 4.5, 7.4 |
Configuration | Parameter assignment of the F-I/Os | Configuration of the monitoring times; Module redundancy (optional) | F SM: Chap. 3 and 9; F ET 200S: Chap. 4 and 9 |
Programming | Program design | Safety notes for programming | F-SYS: Sect. 5.2.1 |
Programming | Verification of the hardware components used on the basis of the check list of the certified F function blocks | | F-SYS: App. A.3 |
Programming | Creation of the CFC charts | Rules for the CFC charts of the Safety Program | F-SYS: Sect. 5.2.4 |
Programming | Creation of the run-time groups | Rules for the run-time groups of the Safety Program | F-SYS: Sect. 5.2.5 |
Programming | Placement and interconnection of the F function blocks | Rules for F function blocks; Rules for F driver blocks; Rules for the interconnection of the F_CYC_CO fail-safe block; Rules for the communication of fail-safe blocks; Configuration of the monitoring times; Startup characteristics; Passivation and reintegration | F-SYS: Sect. 5.3.1 to 5.3.10, 7.4, Chap. 8 |
Programming | Processing of the Safety Program | Rules for compilation | F-SYS: Sect. 5.4.4 |
Programming | Processing of the Safety Program | Rules for downloading | F-SYS: Sect. 5.4.7 |
Programming | Processing of the Safety Program | Rules for testing | F-SYS: Sect. 5.4.11, 5.4.12 |
Programming | Processing of the Safety Program | Creating block types | F-SYS: Sect. 5.4.6 |
Installation | Hardware setup | Rules for installation; Rules for wiring | F SM: Chap. 4; F ET 200S: Chap. 5 and 6 |
Installation | Downloading of the fail-safe program | Rules for downloading | F-SYS: Sect. 5.4.7 to 5.4.10 |
Commissioning | Switching on | Rules for commissioning as in the standard case | Standard S7-300 and S7-400(H) |
Commissioning | Checking of the safety-related parameters | Rules for parameter assignment | F-SYS: Sect. 7.5; F SM: Chap. 6 and 9; F ET 200S: Chap. 4 and 9 |
Commissioning | Acceptance | Rules and notes on acceptance | F-SYS: Sect. 7.5 |
Operation, maintenance | Operation, general | Rules for operation; Access protection | F-SYS: Sect. 6.2; F-SYS: Sect. 4.8 |
Operation, maintenance | Diagnostics | Responses to faults/errors and events | |
Operation, maintenance | Replacement of hardware components | Rules for the replacement of modules | F SM: Sect. 3.6; F ET 200S: Sect. 6.4 |
Operation, maintenance | Modifications to the Safety Program | Rules for deactivating safety mode; Rules for modifying the Safety Program | F-SYS: Sect. 5.4.2; F-SYS: Sect. 8.15, 6.3 |
Operation, maintenance | Updating of the operating system | Rules for the updating of the operating system as in the standard case | Standard S7-400(H) |
Operation, maintenance | Modifications of software components | Rules for updating software components | |
Deinstallation, disassembly | | Notes on the deinstallation of the SW components | F-SYS: Sect. 6.6, 6.5 |
Deinstallation, disassembly | | Notes on disassembly of the modules | F SM: Sect. 3.6; F ET 200S: Sect. 6.4 |

A.2 Check List of the Certified Modules

The fail-safe modules listed in the table below are certified.
Please compare the order number and firmware version with those in Annex 1 of
the report for the "Safety-Related Programmable Systems SIMATIC S7-400F and
S7-400FH" certificate.

Module | Description | Order Number | Check
SM 326; DI 8xNAMUR | Digital input module | 6ES7 326-1RF00-0AB0 |
SM 326; DI24x DC24V | Digital input module | 6ES7 326-1BK00-0AB0 |
SM 326; DO10xDC24V/2A | Digital output module | 6ES7 326-2BF00-0AB0 |
SM 336; AI 6x13Bit | Analog input module | 6ES7 336-1HE00-0AB0 |
PM-E F 24 VDC | PROFIsafe Power Module | 6ES7 138-4CF00-0AB0 |
4/8 F-DI 24 VDC | PROFIsafe Digital Electronic Module | 6ES7 138-4FA00-0AB0 |
4 F-DO 24 VDC/2 A | PROFIsafe Digital Electronic Module | 6ES7 138-4FB00-0AB0 |
PM-D F 24 VDC | PROFIsafe Power Module | 3RK 1903-3BA00 |

F-Copy License

Downloading F blocks to an F or FH destination system is only permitted if you
have an official F-Copy License (order number: 6ES7 833-1CC00-6YX0) for this F
or FH destination system.
The F-Copy License consists of:
- The F-Copy License contract
- A copy of the TÜV certificate
- Two stickers to identify the CPU (or CPUs in the case of S7 FH systems) for
  which the F-Copy License has been obtained.

S7-400F: Place the stickers next to the key-operated switch.

Sensors and Actuators

The sensors and actuators used in F-systems are not described in this
documentation. All the usual sensors and actuators are supported by S7 F/FH
Systems, and the usual operating modes (single-channel, two-channel,
non-equivalent, etc.) can be selected during configuration.
Since sensors and actuators are decisive factors to be included in safety
considerations, the following check list ought to be of assistance when you
configure the F-system with sensors and actuators.

Demands on Sensors and Actuators | Check
Are your sensors and actuators of adequate quality and suitable for environments with polluted air and corrosive fumes? |
Do you make use of the possibilities of double redundancy for sensors, where appropriate? |
Do you make use, where appropriate, of the possibilities for actuators of reading back auxiliary contacts or process-linked sensors? |
Have you set sufficiently short proof test intervals, if necessary individually? |

A.3 Check List of the Certified F-Blocks

Only the F-Blocks listed below can be used to program the F user program. These
blocks are fail-safe and certified.
Please compare the signature and initial value signature of these F-Blocks with
those in the current Annex 1 of the report for the "Safety-Related Programmable
Systems SIMATIC S7-400F and S7-400FH" certificate.
If the initial value signature is not in the printout of the safety program, the
signature must be compared with the CRC in Revision 1.0 of Annex 1 and checked
in SIMATIC Manager to see if the F FB is Version 1.0.

Block Name | Block Number | Function | Check
Driver Blocks | | |
F_M_AI6 | FB 383 | F module driver for 6-channel analog input |
F_M_DI8 | FB 384 | F module driver for 8-channel digital input |
F_M_DI24 | FB 385 | F module driver for 24-channel digital input |
F_M_DO8 | FB 388 | F module driver for 8-channel digital output |
F_M_DO10 | FB 386 | F module driver for 10-channel digital output |
F_CH_DI | FB 377 | F channel driver for digital input |
F_CH_DO | FB 378 | F channel driver for digital output |
F_CH_AI | FB 379 | F channel driver for analog input |
Further Blocks (in Alphabetical Order) | | |
F_1oo2_R | FB 457 | 1 out of 2 analog voter block (Block Type) |
F_2OUT3 | FB 305 | Binary selection 2 out of 3 |
F_2oo3_R | FB 456 | 2 out of 3 analog voter block (Block Type) |
F_ABS_R | FB 325 | Calculation of the absolute value |
F_ADD_R | FB 321 | Addition of two REAL values |
F_AND4 | FB 301 | AND logic operation on four inputs |
F_AVEX_R | FB 331 | Mean value of a maximum of nine REAL values |
F_BO_FBO | FC 303 | Convert from BOOL to F_BOOL |
F_CTUD | FB 341 | Up and down counter |
F_CYC_CO | FB 395 | F cycle time monitoring |
F_DIV_R | FB 324 | Division of two REAL values |
F_F_TRIG | FB 347 | Detection of the falling edge |
F_FBO_BO | FC 363 | Convert from F_BOOL to BOOL |
F_FI_I | FC 305 | Convert from F_INT to INT |
F_FR_FI | FB 461 | Convert from F_REAL to F_INT |
F_FR_R | FC 304 | Convert from F_REAL to REAL |
F_FTI_TI | FC 306 | Convert from F_TIME to TIME |
F_I_FI | FB 369 | Converts from INT to F_INT |
F_LIM_HL | FB 314 | Monitoring of upper limit value violation of a REAL value |
F_LIM_I | FB 350 | Asymmetrical limiter of INT values |
F_LIM_LL | FB 315 | Monitoring of lower limit violation of a REAL value |
F_LIM_R | FB 329 | Asymmetrical limiter of REAL values |
F_LIM_TI | FB 345 | Asymmetrical limiter of TIME values |
F_MAX3_R | FB 326 | Maximum of three REAL values |
F_MID3_R | FB 327 | Median of three REAL values |
F_MIN3_R | FB 328 | Minimum of three REAL values |
F_MUL_R | FB 323 | Multiplication of two REAL values |
F_MUX2_R | FB 332 | Multiplexer 1 out of 2 for REAL values |
F_NOT | FB 304 | NOT logic operation |
F_OR4 | FB 302 | OR logic operation on four inputs |
F_PLK | FB 396 | Program execution monitoring before output blocks |
F_PLK_O | FB 397 | Program execution monitoring after output blocks |
F_QUITES | FB 367 | Fail-safe acknowledgment via the ES/OS |
F_R_BO | FB 391 | Fail-safe receipt of 10 data items of the data type F_BOOL from another F-run-time group |
F_R_FR | FB 362 | Convert from REAL to F_REAL |
F_R_R | FB 393 | Fail-safe receipt of 5 data items of the data type F_REAL from another F-run-time group |
F_R_TRIG | FB 346 | Detection of the rising edge |
F_RCVBO | FB 371 | Receives F_BOOL data from another CPU |
F_RCVR | FB 373 | Receives F_REAL data from another CPU |
F_RS_FF | FB 307 | RS flipflop, resetting dominant |
F_S_BO | FB 390 | Fail-safe transmission of 10 data items of the data type F_BOOL to another F-run-time group |
F_S_R | FB 392 | Fail-safe transmission of 5 data items of the data type F_REAL to another F-run-time group |
F_SENDBO | FB 370 | Sends F_BOOL data to another CPU |
F_SENDR | FB 372 | Sends F_REAL data to another CPU |
F_SHUTDN* | FB 458 | F-run-time group shutdown and restart management |
F_SMP_AV | FB 333 | Sliding mean value |
F_SQRT | FB 330 | Calculation of the square root |
F_SR_FF | FB 308 | SR flipflop, setting dominant |
F_START | FB 394 | Startup detection (cold restart or warm restart) |
F_SUB_R | FB 322 | Subtraction of two REAL values |
F_TEST | FB 398 | Self-test for commands not backed up by diversity |
F_TESTC | FB 399 | Control block for the background self-test of the CPU |
F_TESTM | FB 400 | Switching of Safety Mode on and off |
F_TI_FTI | FB 368 | Converts from TIME to F_TIME |
F_TOF | FB 344 | Timer off-delay |
F_TON | FB 343 | Timer on-delay |
F_TP | FB 342 | Timer pulse |
F_XOR2 | FB 303 | XOR logic operation on two inputs |
F_XOUTY | FB 306 | Binary selection X out of Y |
DB_INIT* | FC 180 | F-run-time group coldstart initialization logic |
DB_RES* | FC 301 | Supports the startup characteristics in the event of a cold restart/warm restart of the CPU |
FAIL_MSG* | FC 181 | F-run-time group shutdown diagnostic error reporting |
RTG_LOGIC* | FB 459 | F-run-time group shutdown and restart logic interface |

* Even though these blocks aren't yellow, they are safety critical and are placed
automatically by the CFC editor. The user may not place or remove these blocks.
Changes are not permitted except for connections to the F_SHUTDN block (see
the F_SHUTDN block description in the Fail-Safe Block section for further
description).
Newly created accepted F block types can be added to the list of certified F-Blocks.

A.4 Check List of the Safety Parameters of the F-Drivers

You must complete the following table at acceptance. The listed safety parameters
of the F driver blocks must be compared with the parameters of the F-I/Os from the
hardware configuration.

F Driver | Type | Safety Parameter | Value | Check
<Call of the F driver block> | F_M_DI8, F_M_DI24, F_M_AI6, F_M_DO10, or F_M_DO8 | LADDR, LADDR_R, TIMEOUT, etc. | <Value from the printout of the Safety Program information> |

Example

F Driver | Type | Safety Parameter | Value | Check
F/1 | F_M_DI8 | TIMEOUT | 1000 |
 | | LADDR | 24 |
 | | LADDR_R | |
F/4 | F_M_DI24 | TIMEOUT | 2000 |
 | | LADDR | 16 |
 | | LADDR_R | |
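The comparison the A.4 check list asks for at acceptance, written out as an added example (this is not code from the manual or from Siemens). It reads a constructed excerpt of a safety-program printout (one line per F driver call with LADDR, LADDR_R and TIMEOUT, the rows F/1 and F/4 of the example above) and a constructed excerpt of the hardware configuration, and reports every driver call whose safety parameters do not agree with the F-I/O module at that address. The line formats of both listings are assumptions made for this example; SIMATIC Manager prints neither in this form. One hardware entry is deliberately given a different monitoring time so that the check has something to find.

```python
"""Cross-check of F driver safety parameters against the F-I/O hardware
configuration (added example; input formats are assumptions)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed safety-program printout: chart, driver block, safety parameters.
DRIVER_CALL_PRINTOUT = """\
F/1  F_M_DI8   LADDR=24  LADDR_R=-  TIMEOUT=1000
F/4  F_M_DI24  LADDR=16  LADDR_R=-  TIMEOUT=2000
F/7  F_M_DO10  LADDR=32  LADDR_R=40 TIMEOUT=500
"""

# Constructed hardware configuration. The module at address 16 was given a
# monitoring time of 1500 on purpose so that the check reports it; the modules
# at 32 and 40 form a redundant pair.
HW_CONFIG = """\
SM 326; DI 8xNAMUR    address=24  monitoring_time=1000
SM 326; DI24x DC24V   address=16  monitoring_time=1500
SM 326; DO10xDC24V/2A address=32  monitoring_time=500  redundant_partner=40
SM 326; DO10xDC24V/2A address=40  monitoring_time=500  redundant_partner=32
"""

@dataclass
class DriverCall:
    chart: str
    block: str
    laddr: int
    laddr_r: Optional[int]   # None when the driver is not configured redundantly
    timeout: int

@dataclass
class Module:
    name: str
    address: int
    monitoring_time: int
    redundant_partner: Optional[int] = None

CALL_RE = re.compile(r"^(\S+)\s+(\S+)\s+LADDR=(\d+)\s+LADDR_R=(\d+|-)\s+TIMEOUT=(\d+)$")

def parse_driver_calls(text: str) -> List[DriverCall]:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised driver call line: {line!r}")
        chart, block, laddr, laddr_r, timeout = m.groups()
        calls.append(DriverCall(chart, block, int(laddr),
                                None if laddr_r == "-" else int(laddr_r), int(timeout)))
    return calls

def parse_hw_config(text: str) -> Dict[int, Module]:
    """Key the modules by their logical address so driver calls can look them up."""
    modules = {}
    for line in text.splitlines():
        tokens = line.split()
        name = " ".join(t for t in tokens if "=" not in t)
        kv = dict(t.split("=", 1) for t in tokens if "=" in t)
        mod = Module(name, int(kv["address"]), int(kv["monitoring_time"]),
                     int(kv["redundant_partner"]) if "redundant_partner" in kv else None)
        modules[mod.address] = mod
    return modules

def check_safety_parameters(calls: List[DriverCall], modules: Dict[int, Module]) -> List[str]:
    """Return one finding per discrepancy; an empty list means every driver
    call agrees with the hardware configuration and every F-I/O is driven."""
    findings = []
    for c in calls:
        mod = modules.get(c.laddr)
        if mod is None:
            findings.append(f"{c.chart} {c.block}: LADDR {c.laddr} has no F-I/O module in the hardware configuration")
            continue
        if c.timeout != mod.monitoring_time:
            findings.append(f"{c.chart} {c.block}: TIMEOUT {c.timeout} differs from monitoring time "
                            f"{mod.monitoring_time} of {mod.name} at address {c.laddr}")
        if c.laddr_r != mod.redundant_partner:
            findings.append(f"{c.chart} {c.block}: LADDR_R {c.laddr_r} differs from redundant partner "
                            f"{mod.redundant_partner} of {mod.name} at address {c.laddr}")
    # An F-I/O module that no driver call addresses would be passivated silently.
    covered = {c.laddr for c in calls} | {c.laddr_r for c in calls if c.laddr_r is not None}
    for addr in sorted(set(modules) - covered):
        findings.append(f"{modules[addr].name} at address {addr} is not addressed by any F driver call")
    return findings

def run_check(printout: str = DRIVER_CALL_PRINTOUT, hw_config: str = HW_CONFIG) -> List[str]:
    return check_safety_parameters(parse_driver_calls(printout), parse_hw_config(hw_config))

if __name__ == "__main__":
    for finding in run_check():
        print("MISMATCH:", finding)
```

On the constructed data the check reports exactly one mismatch, the TIMEOUT of F/4 against the monitoring time of the module at address 16; the unaddressed-module check and the LADDR_R comparison pass. A real acceptance run would replace the two constructed strings with the actual printout and hardware listing and keep the tick in the "Check" column only for rows that produce no finding.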

References

1. S7-300 Programmable Controller, Fail-Safe Signal Modules
2. S7-400, M7-400 Programmable Controllers, Installation Manual
3. S7-400, M7-400 Programmable Controllers, Reference Manual
4. S7-400H Programmable Controller, Fault-Tolerant Systems
5. S7-300 Programmable Controllers, Hardware and Installation
6. S7-300 Programmable Controllers, Reference Manual
7. ET 200M Distributed I/O Device
8. ET 200S Distributed I/O System, Fail-Safe Modules
9. STEP 7 manuals
10. PCS 7 manuals
11. CFC manuals
12. Testing S7 Programs with S7-PLCSIM

You can find manuals 2 to 8 in the "SIMATIC Electronic Manuals" collection on CD
ROM. Manuals 9 to 12 are included with the products in electronic form. Some of
them can be opened by choosing the Start > Simatic > Documentation >
English menu command.
You can download all the manuals from the Internet at:
http://www.ad.siemens.de/simatic-cs

Glossary

1oo1 evaluation
Type of sensor evaluation: In 1oo1 evaluation, there is one sensor and it
is connected to the module via a single channel.

1oo2 evaluation
Type of sensor evaluation: In 1oo2 evaluation, the signal states of the
inputs are compared internally (equivalence or non-equivalence).

A

Acceptable risk
The acceptable risk is the highest acceptable risk of a certain technical
procedure or state.

AK requirement classes
Requirement classes (AK) in accordance with DIN V 19250 (DIN V VDE 0801).
Categories or levels describing safety requirements in order to avoid and
deal with faults. The fail-safe signal modules can be used in safety mode
up to requirement class AK6.

C

Channel fault
Channel-related fault (e.g. wire break or short circuit). In channel-specific
passivation, the relevant channel is automatically depassivated after the
problem is eliminated.

Cyclic redundancy check (CRC)
A test procedure to check the integrity of data. By means of a generator
polynomial, a check sum is formed that is characteristic for the relevant
data volume in the sense of being a signature. A CRC check sum is
formed, for example, for the process values contained in the safety frame
or for the safety-related parameters of the fail-safe signal modules.

D

Dark period
Dark periods occur during switch-off tests and complete bit pattern tests.
This involves test-related 0 signals being switched to the output by the
fail-safe output module while the output is active. The output is then
switched off briefly (dark period). A sufficiently slow actuator does not
respond to this and remains switched on.

Diagnostic coverage level
Percentage of hardware faults that are detected by automatic diagnostic
tests.

Diagnostic test interval (DTI)
Interval between online tests that detect faults in a fail-safe system with a
specific diagnostic coverage level.

Discrepancy analysis
The discrepancy analysis is used to determine errors in the time
sequence of two signals with the same functionality. The discrepancy
analysis is started if different levels are detected in two associated input
signals. After a configurable interval (discrepancy time) has elapsed, a
check is carried out to establish whether the discrepancy has
disappeared. If not, there is a discrepancy error.
There are two different types of discrepancy analysis for fail-safe input
modules:
- In the case of 1oo2 evaluation: The discrepancy analysis is carried out
  between the two input signals of the 1oo2 evaluation in the fail-safe
  input module.
- In the case of redundant I/O modules: The discrepancy analysis is
  carried out between the two input signals of the redundant input
  modules by means of the fail-safe driver blocks.

Discrepancy time
Configurable time for the discrepancy analysis.
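The discrepancy analysis just defined, simulated over two constructed input traces; this is an added example, not code from the manual, and it models only the comparison itself, regardless of whether a fail-safe input module (1oo2 evaluation) or the fail-safe driver blocks (redundant modules) perform it. The sample period, the discrepancy time of 3 sample periods and the traces are assumptions; so is the choice to clear the error as soon as the two channels agree again, which stands in for the reintegration the real modules perform.

```python
"""Discrepancy analysis between two associated input channels (added
example; timing values and reintegration behaviour are assumptions)."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class DiscrepancyMonitor:
    discrepancy_time: int        # configurable discrepancy time, in sample periods
    equivalent: bool = True      # True: equal levels expected; False: non-equivalent channels
    error: bool = False          # discrepancy error currently present
    _since: Optional[int] = None # time at which the current discrepancy began

    def step(self, t: int, a: int, b: int) -> bool:
        """Feed one sample of both channels taken at time t and return whether
        a discrepancy error is present after that sample."""
        agree = (a == b) if self.equivalent else (a != b)
        if agree:
            # Discrepancy disappeared (or never existed): no error, timer reset.
            # Clearing the error here is the assumed automatic reintegration.
            self._since = None
            self.error = False
        elif self._since is None:
            # Different levels detected: start the discrepancy timer.
            self._since = t
        elif t - self._since >= self.discrepancy_time:
            # The discrepancy has not disappeared within the discrepancy time.
            self.error = True
        return self.error

def first_error_time(a: List[int], b: List[int], discrepancy_time: int,
                     equivalent: bool = True) -> Optional[int]:
    """Run the analysis over two equally long traces and return the sample
    index at which a discrepancy error first appears, or None if none does."""
    monitor = DiscrepancyMonitor(discrepancy_time, equivalent)
    for t, (va, vb) in enumerate(zip(a, b)):
        if monitor.step(t, va, vb):
            return t
    return None

# Constructed traces, one sample per period. Channel A switches on at t=2.
CH_A         = [0, 0, 1, 1, 1, 1, 1, 1, 1, 1]
# Channel B follows two periods later (contact bounce / slower sensor):
# the discrepancy lasts 2 periods, shorter than the discrepancy time.
CH_B_LAGGING = [0, 0, 0, 0, 1, 1, 1, 1, 1, 1]
# Channel B never switches (wire break, stuck contact): the discrepancy
# persists and becomes a discrepancy error.
CH_B_STUCK   = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    print("lagging channel:", first_error_time(CH_A, CH_B_LAGGING, 3))  # None
    print("stuck channel:  ", first_error_time(CH_A, CH_B_STUCK, 3))    # 5
```

With a discrepancy time of 3 periods the lagging channel produces no error, because the two levels agree again before the timer expires, while the stuck channel raises the error at t=5, three periods after the discrepancy began at t=2. Choosing the discrepancy time is the usual trade-off: long enough to cover the legitimate timing differences of the two sensors, short enough that a real fault is detected within the fault reaction time the process demands.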

E

ES
Engineering system

F

F
Abbreviation for fail-safe

F-Copy License
Formal permission to use the CPU as an F-compatible CPU for
S7 F/FH systems.

F CPU
F-capable CPU containing a safety program

F cycle time
Cyclic interrupt time for OBs with F-run-time groups

F-Data Types
Fail-safe data types

F-FBs
Fail-safe function blocks

F-I/Os
Fail-safe Input/Output modules

F program
Fail-safe user program or Safety Program consisting of the fail-safe
blocks of the "Fail-safe Blocks" library.

F-run-time groups
Run-time groups in which fail-safe function blocks are called

F-SMs
Fail-safe signal modules

F-Systems
Fail-safe systems

Fail-safe
Capability of a technical system to remain in or revert to a safe state
immediately after certain failures occur.

Fail-safe signal modules
Signal modules that can be used for safety-related operation (safety
mode) in the fail-safe S7 F/FH systems. These modules have integrated
functions for fault/error detection and responses.

Fail-safe systems
Fail-safe systems are characterized by the fact that they remain in or
revert to a safe state immediately after certain failures occur.

Fault reaction time
The time between detection of an error and arrival at a safe state.

Fault tolerance time (i.e. process safety time)
The time in which the effectiveness of the safety equipment can be
impaired without producing a hazard.
The fault tolerance times are determined by the relevant process
functions.

F-capable CPU
CPU permitted for use in the S7 F/FH

I

I&C
Instrumentation and control

Internal fault
-> Module fault

L

Light period
Light periods occur during complete bit pattern tests. This involves
test-related 1 signals being switched to the output by the fail-safe output
module while the output is inactive (output signal "0"). The output is then
switched on briefly (light period). A sufficiently slow actuator will not
respond to this and remains switched off.

M

Module fault
Module-wide fault. Module faults can be external faults (e.g. no load
voltage) or internal faults (e.g. processor failure). An internal error always
requires module replacement.

Module redundancy
An additional, identical module is operated redundantly to increase
availability.

O

OS
Operator station

P

Passivation
Passivation of digital output channels means that the outputs are
de-energized.
Passivation of digital input channels occurs when the inputs transfer the
value "0" to the CPU (via the fail-safe drivers), irrespective of the current
process signal.
Passivation of analog input channels occurs when the inputs transfer a
substitute value or the last valid value to the CPU (via the fail-safe
drivers), irrespective of the current process signal.

PROFIsafe
Safety-related bus profile of PROFIBUS DP/PA for communication
between the fail-safe user program and the fail-safe signal modules in S7
F/FH Systems.

Proof test interval
The period of time after which a component must be put into an error-free
state (i.e. replaced by an unused component or demonstrated to be
completely error-free).

R

Redundancy, Availability-Enhancing
Multiple availability of components with the aim of ensuring the
components continue to function even in the event of hardware faults.

Redundancy, Safety-Enhancing
Multiple availability of components with the aim of compensating for
revealing hardware faults through comparison (e.g. 1oo2 evaluation in S7
F/FH Systems).

S

Safety Program
Fail-safe user program or F Program consisting of the fail-safe blocks of
the "Fail-safe Blocks" library.

Safe state
State of a unit in which safety is assured. In other words, the risk is
acceptably low because it has been established that safety-related
malfunctions do not occur or because of the safety measures taken to
prevent possible safety-related malfunctions.

Safety
Safety is a state in which the risk is not higher than the acceptable risk.

Safety frame
In safety mode, data is transferred in a safety frame between the CPUs
or between the CPU and the fail-safe signal modules.

Safety function
In accordance with IEC 61508: A function implemented by a safety
system to ensure that the system is kept in a safe state or brought into a
safe state in the event of a problem.
All of the hardware and software components that are involved in
implementing a certain process subfunction.

Safety integrity level
Safety level between 4 and 1 in accordance with IEC 61508 and prEN
50129. The higher the safety integrity level, the more comprehensive are
the measures to avoid systematic errors and control systematic errors
and hardware failures.

Safety mode
Safety mode of the fail-safe signal modules:
Operating mode of the fail-safe signal modules used in S7 F/FH
Systems. In safety mode, access to the inputs and outputs of the fail-safe
signal modules is only permitted via the fail-safe driver blocks of the
"Fail-safe Blocks" library.
Safety mode of the safety program:
Operating mode of the safety program in S7 F/FH Systems. All the safety
mechanisms for fault detection and fault responses are activated in
safety mode of the safety program. It is not possible to change the safety
program during operation when it is in safety mode.

Safety note
Important information relating to the acceptance and safety-related use of
the product.

Safety system
A system (including all devices, units and safety circuits) that protects
people and the system. This particularly includes systems for flame
control, the interruption of fuel infeed and the ventilation of combustion
chambers.
If this is achieved with multi-channel systems, the safety system consists
of all the channels and monitoring equipment that contribute to safety.

Safety-related
-> Fail-safe

Sensor Evaluation
There are two types of sensor evaluation:
- 1oo1 evaluation: The sensor signal is read once.
- 1oo2 evaluation: To increase availability, the sensor signal is read in
  twice from the same module and compared internally.

SIL
-> Safety integrity level

Standard mode
Operating mode of the fail-safe signal modules.
In standard mode, the fail-safe signal modules behave in the same way
as the SIMATIC S7-300 standard signal modules.

Index
A
Acceptance of an F system ..........................7-14
Acceptance of Changes to the
Safety Program ........................................7-20
Acceptance of F block types ........................7-22
Access protection ...........................................3-8
Access rights
setting up....................................................4-7
Access rights for the CPU ..............................4-7
ACK_NEC ...........................................5-25, 5-26
Address area..................................................4-1
Allocating addresses ....................................5-16
Arithmetic Blocks with the INT Data Type ..8-114
Arithmetic Blocks with the REAL Data
Type .......................................................8-115
Assigning parameters to F blocks ................5-12
Assigning parameters to the CPU ..................4-3
Authorization ................................................1-12
Automatically Inserted F Blocks ...................5-11

B
Binary selection ...................................8-89, 8-91
Block I/Os................................................8-4, 8-5
Block Numbers ...............................................8-6
Blocks for converting data between
the standard and safety sections..............8-35
Blocks for F Communication Between
CPUs ........................................................8-25
Blocks of the Safety Program .........................5-2

C
Certification ....................................................7-2
CFC charts
inserting......................................................5-8
Changing a Safety Program .........................5-39
Changing fail-safe constants in CFC test mode .....5-62
Changing the Safety Program ........................6-3
Changing the Safety Program in
RUN Mode................................................5-49
Check list of F blocks .................................... A-7
Check list of the hardware components ........ A-5
Check List of the Safety Parameters
of the F Drivers........................................ A-10
Cold restart............................................3-4, 5-28
Command tests ..............................................3-5
Common features of the driver blocks..........8-22

Communication between F run-time groups 3-11
Communication between standard
and Safety Programs ................................ 5-31
Communication between the CPU
and F-I/Os................................................ 3-11
Compare Safety Programs .......................... 5-67
Comparison Blocks for Two Input Values
of the Same Type .................................... 8-92
Compiling a Safety Program ........................ 5-43
COMPLEM component.................................. 8-2
Components of an S7 F System .................... 1-7
Configuration and parameter assignment
of hardware................................................ 4-1
Configuring CIR ........................................... 4-11
Configuring redundant F signal modules ....... 4-6
Configuring the F System .............................. 2-6
Configuring the Fault-Tolerant F System ..... 2-15
Configuring the Networks and Connections... 4-6
Control blocks ................................................ 5-3
Converting
BOOL to F_BOOL.................................... 8-36
F_BOOL to BOOL.................................... 8-40
F_REAL to REAL..................................... 8-42
REAL to F_REAL..................................... 8-38
CPU ............................................................... 1-8
CPU-CPU communication ........................... 3-12
Creating a fail-safe user program .................. 2-8
Creating Fail-Safe Block Types ................... 5-44
Cyclic interrupt OB3x ..................................... 5-7
Cyclic interrupt OBs installation ..................... 8-8

D
DATA component .......................................... 8-2
Data exchange between the Safety
Program and the standard user program . 3-10
DB_INIT ....................................................... 8-81
DB_RES ...................................................... 8-80
Defining the program structure ...................... 5-7
Disassembly .................................................. 6-5
Discrepancy analysis in the case
of module redundancy ............................. 8-22
Displaying Information ................................. 5-65
Disposal......................................................... 6-5
Downloading a Safety Program .................... 5-47
Downloading changes ................................. 5-47
Downloading Changes................................. 5-54
Downloading in RUN mode ......................... 5-47
Downloading the Entire Safety Program ...... 5-48
Downloading the Safety Program after
simulation................................................. 5-57
Downloading the user program.................... 5-47

Driver Blocks for F-I/Os.................................. 8-9


Duration of the repair ..................................... 6-4

E
Error Handling............................................ 8-129
Error Handling of Driver Blocks.................. 8-130
Error information at the output RETVAL .... 8-140
Error information in ACCU 1 after
CPU STOP............................................. 8-134
Error messages and remedies................... 8-132
Example of reintegration after startup
of the Safety Program .............................. 5-29
Exclusive OR logic operation ....................... 8-88

F
F block names ............................................. 5-10
F block types
acceptance .............................................. 7-22
F control blocks.............................................. 5-2
F Control Blocks........................................... 8-55
F conversion blocks ..................................... 5-36
F cycle time........................................... 3-6, 5-30
F cycle time monitoring .................................. 5-9
F data types .......................................... 5-12, 8-2
F run-time groups........................................... 5-9
F run-time license ..........................................A-5
F simulation blocks ............................... 5-2, 5-57
F System
monitoring errors...................................... 2-12
F System Blocks .......................................... 8-47
F user blocks ................................................. 5-2
F_1oo2_R .................................................... 8-99
F_2oo3_R .................................................... 8-97
F_2OUT3 ..................................................... 8-89
F_ABS_R................................................... 8-119
F_ADD_R .................................................. 8-115
F_AND4 ........................................................ 8-85
F_AVEX_R................................................. 8-125
F_BO_FBO ................................5-36, 5-37, 8-36
F_CH_AI ..................5-18, 5-21, 8-18, 8-19, 8-21
F_CH_DI....................................5-18, 5-21, 8-10
F_CH_DO .........................5-16, 5-18, 5-21, 8-13
F_CTUD..................................................... 8-103
F_CYC_CO......................................... 5-30, 8-56
F_DIV_R .................................................... 8-118
F_F_TRIG .................................................. 8-111
F_FBO_BO ................................5-36, 5-37, 8-40
F_FI_I ........................................5-36, 5-37, 8-41
F_FR_FI....................................................... 8-43
F_FR_R .....................................5-36, 5-37, 8-42
F_FTI_TI ....................................5-36, 5-37, 8-44
F_I_FI .......................................................... 8-37
F_LIM_HL .................................................... 8-92
F_LIM_I...................................................... 8-114
F_LIM_LL..................................................... 8-94
F_LIM_R .................................................... 8-123
F_LIM_TI.................................................... 8-113
F_M_AI6 ...................................................... 8-68
F_M_DI24.....................................................8-61
F_M_DI8.......................................................8-58
F_M_DO10...................................................8-66
F_M_DO8.....................................................8-64
F_MAX3_R.................................................8-120
F_MID3_R ..................................................8-121
F_MIN3_R ..................................................8-122
F_MUL_R ...................................................8-117
F_MUX2_R.................................................8-128
F_NOT..........................................................8-89
F_OR4..........................................................8-87
F_PLK ..........................................................8-70
F_PLK_O......................................................8-71
F_QUITES....................................................8-45
F_R_BO ............................................. 5-34, 8-49
F_R_FR..................................... 5-36, 5-37, 8-38
F_R_R ................................................ 5-34, 8-52
F_R_TRIG ..................................................8-112
F_RCVBO .......................................... 5-32, 8-29
F_RCVR ............................................. 5-32, 8-33
F_RS_FF....................................................8-100
F_S_BO.............................................. 5-34, 8-48
F_S_R ................................................ 5-34, 8-51
F_SENDBO ........................................ 5-32, 8-27
F_SENDR........................................... 5-32, 8-31
F_SHUTDN ...................... 8-72, 8-74, 8-75, 8-76
F_SMP_AV.................................................8-127
F_SQRT .....................................................8-124
F_SR_FF....................................................8-102
F_START ........................................... 5-28, 8-54
F_SUB_R ...................................................8-116
F_TEST ........................................................8-77
F_TESTC .....................................................8-78
F_TESTM .....................................................8-79
F_TI_FTI.......................................................8-39
F_TOF ........................................................8-109
F_TON........................................................8-107
F_TP...........................................................8-105
F_XOR2 .......................................................8-88
F_XOUTY.....................................................8-91
FAIL_MSG....................................................8-82
Fail-Safe Blocks .............................................8-1
Fail-safe systems ................................... 1-2, 3-8
access protection .......................................3-8
Fail-safe user program .................................1-10
Fail-safe user times ........................................3-7
Fault-tolerant F system
creating a fail-safe user program ..............2-16
monitoring errors ......................................2-17
setting up the hardware ............................2-13
Fault-tolerant systems ....................................5-7
F-capable CPU...............................................1-8
F-I/Os ..................................................... 1-8, 1-9
Flipflop Blocks ............................................8-100
Functioning of the fail-safe systems ...............3-1

G
Getting Started ...............................................2-1
Group diagnosis .............................................4-5

Fail-Safe Systems
A5E00085588-03
H
Hardware components ............................1-8, 1-9
Hierarchical charts..........................................5-8
HOLD
operating mode ..........................................3-4
How to work with the Safety Program ............6-2

I
IEC pulse and counter blocks.....................8-103
Inclusion in cyclic interrupt OB .....................8-22
Initial acceptance of a Safety Program.........7-15
Inserting F blocks .........................................5-10
Inserting run-time groups ...............................5-9
Installing the optional package .....................1-11
Interconnecting F blocks ..............................5-12
Interconnecting F cycle time monitoring .......5-30
Interconnecting F driver blocks ....................5-16

L
Life Cycle of the Fail-Safe Programmable
Controllers ................................................. A-1
Limit violation ......................................8-92, 8-93
Live monitoring...............................................3-6
Logging the Safety Program.........................5-76
Logic Blocks with the BOOL Data Type .......8-85
Logical program execution and data flow
monitoring ..................................................3-5
Lower limit violation ......................................8-94

M
Maintenance of the F systems .......................6-1
Memory card ................................................5-47
Messages
configuring................................................5-23
Module redundancy......................................8-22
Monitoring of safety-related communication
between CPUs .........................................7-12
Monitoring of Safety-Related Communication
Between F Run-Time Groups...................7-13
Monitoring Safety-Related Communication
Between F CPU and F-I/Os via
PROFIsafe ...............................................7-11
Monitoring the F Cycle Time ........................7-10
Monitoring times ......................................7-8, 7-9
Multiplex Blocks .........................................8-128

O
Operating modes............................................3-4
Operation in frequent requirement or
continuous mode ........................................7-4
Operation in low requirement mode ...............7-4
Optional package
installing ..........................................1-11, 1-13
OR logic operation........................................8-87
Overview........................................................ 4-1
Overview of fault control measures................ 3-3

P
Parameter assignment of F-I/Os.................... 4-4
Passivating fail-safe output modules ............. 6-5
Passivation ................................ 5-24, 5-25, 5-26
Password ....................................... 3-8, 4-3, 5-47
Performance enhancement ........................... 5-7
Placing and interconnecting F blocks ..... 5-4, 5-5
Plausibility check .................................. 6-3, 8-35
Plausibility checking..................................... 5-36
PLCSim ...................5-57, 5-58, 5-59, 5-60, 5-61
Preventative maintenance (proof test) ........... 6-4
Printing the Safety Program......................... 5-77
Product overview ........................................... 1-4
PROFIsafe nodes .......................................... 6-1
Programming communication between
F and standard user programs................. 5-36
Programming communication between
F run-time groups .................................... 5-34
Programming communication between
Safety Programs on different CPUs .......... 5-31
Programming device functions in STEP 7 ..... 4-7
Proof test ....................................................... 6-5
Pulse Blocks .............................................. 8-111

Q
Qualifications ............................................... 7-22

R
Receiving
F_BOOL data........................................... 8-29
F_REAL data ........................................... 8-33
Redundant F signal modules
configuring ................................................. 4-6
References .................................................... B-1
Reintegration ............................. 5-25, 5-26, 5-27
Repair ............................................................ 6-4
Replacing hardware components .................. 6-4
Replacing software components.................... 6-4
Requirements
installation................................................ 1-11
Response time............................................... 7-8
Response to cold restart.............................. 5-28
Responsibilities............................................ 7-22
Responsibilities and qualifications ............... 7-22
Restart protection ................................. 3-4, 5-28
Risk chart....................................................... 7-4
Risk parameters...................................... 7-4, 7-5
RTG_LOGIC ................................................ 8-83
Rules for CFC charts ..................................... 5-8
Rules for changing the Safety Program ......... 6-3
Rules for communication between
F run-time groups .................................... 5-34
Rules for compilation ................................... 5-43
Rules for downloading ................................. 5-47
Rules for F blocks ........................................ 5-10
Rules for F conversion blocks...................... 5-36
Rules for F driver blocks .............................. 5-16
Rules for interconnecting F blocks ............... 5-12
Rules for operation......................................... 6-1
Rules for testing ........................................... 5-56
Rules for the program structure ..................... 5-7
Rules for the run-time groups ........................ 5-9
Run sequence within a run-time group ........ 5-14
Run Times of the Fail-Safe Blocks............. 8-141
Run-time groups
scan rate .................................................. 5-12
Run-time properties of the Safety Program.. 5-14

S
S7 F Systems optional package .................. 1-10
S7-400FH
both CPUs master at the same time .......... 6-1
fiber-optic cables between
synchronization modules ....................... 6-1
Safe state....................................................... 3-3
Safety certification.......................................... 7-1
Safety data format.......................................... 8-2
Safety function ............................................... 1-1
Safety Integrity Level .............................. 1-1, 7-5
Safety level ............................................. 1-1, 7-4
Safety mechanisms........................................ 3-1
Safety mode................................................... 3-2
Safety mode of the F-I/Os.............................. 3-2
Safety mode of the Safety Program ............... 3-2
Safety program ............................................ 1-10
Safety Program ............................................ 1-10
testing ...................................................... 5-56
Safety Program
compiling.................................................. 5-43
Safety Program on the memory card ........... 5-47
Safety Programs
managing ................................................. 5-39
Safety requirements....................................... 7-4
Safety-Related Communication ..................... 3-9
Safety-related communication between
CPUs ....................................................... 3-12
Safety-related parameters ........................... 7-17
Save reference data..................................... 5-66
Self-tests........................................................ 3-5
Sending
F_BOOL data........................................... 8-27
F_REAL data ........................................... 8-31
Setting up Access Rights for the CPU ........... 4-8
Setting up the hardware................................. 2-4
SFC F_CTRL ............................................... 8-84
Simulating a Safety Program with
S7-PLCSIM...............................................5-57
Simulating PROFIsafe nodes .........................6-1
Simulating Safety Programs .........................5-57
Simulation................ 5-57, 5-58, 5-59, 5-60, 5-61
Simulation blocks ...........................................5-3
Simulation mode...........................................5-16
Software architecture .....................................5-1
Software components...................................1-10
Standard run-time groups...............................5-9
Standards
certificates and approvals...........................7-1
Starting Up a Fault-Tolerant F System .........2-16
Starting Up the F System .............................2-11
Startup (cold restart or warm restart)............5-29
Startup characteristics ..................................8-22
Startup protection ................................. 3-4, 5-28
Step-by-step acceptance of the
configuration.............................................7-14
Structure element
selecting ...................................................5-12
Structure of the Safety Program .....................5-1
Substitute values ................................ 5-21, 5-22
Switching safety mode on.............................5-42
Switching safety mode on and off.................5-40
Symbolic names .............................................4-4
System Configuration .....................................7-7

T
Testing offline ...............................................5-57
Testing the Safety Program..........................5-56
Time-based program execution monitoring ....3-6

U
Uninstallation of the S7-400F/FH ...................6-5
User acknowledgment ............... 5-25, 5-26, 5-27
User times
inaccuracy ..................................................3-7

V
Version management system .......................7-14

W
Warm restart...................................................3-4
Working with F-Systems...............................1-19
