SIMATIC S7-400H and S7-400F/FH

Top-end controllers with fault-tolerant

and fail-safe functionalities

Product Brief · April 2002

Overview

The increasing degree of automation in

industrial plants has resulted in the
availability of systems becoming ever
more important. Failures or downtimes
caused by maintenance work are very
expensive. Fault-tolerant controllers
reduce the risk of undesirable produc-
tion downtimes drastically. The high
costs of such systems are negligible in
comparison to the savings potential.
Furthermore, there are many applica-
tions which place special demands on
the safety for man, machine, the envi-
ronment and the process; fail-safe auto-
mation systems are necessary in such
cases.
H system (for fault tolerance)
A fault-tolerant PLC is included in the
SIMATIC S7-400 range for time-critical
applications.
A solution with SIMATIC software
Software redundancy is appropriate SIMATIC fail-safe controllers enter a
redundancy is appropriate for applica-
(see Product Brief "Software redun- safe state immediately when an error
tions with a low-dynamic response.
dancy for S7-300/400") if you occurs, or remain in a safe mode.
The S7-400H is a solution with opti- They therefore combine standard pro-
mized functions if fault-tolerant con-
· wish to also use CPUs with a lower
performance (CPU 315-2DP or better) cess automation and safety engineering
trols are required. in one single system.
An S7-400H is appropriate for your
· can tolerate longer switching times
(approx. 1 s - warm standby) Both safety-related and standard com-
applications if you munication between the central con-
· require powerful CPUs · have no additional demands concern- troller and the safety-related and stan-
ing fault tolerance. dard I/O modules is carried out using
· need short switching times PROFIBUS DP and the PROFIsafe profile.
(< 100 ms - hot standby) F system (for fail-safe)
· wish to achieve additional fault toler- Fail-safe systems are used wherever SIMATIC offers two fail-safe systems:
maximum safety must be guaranteed
ance.
for man, machine or the environment, · SIMATIC S7-400F/FH for larger appli-
i.e. accidents and damage resulting cations in production and process
from a fault must be avoided. engineering
· SIMATIC S7-300F for distributed
applications with main emphasis on
production engineering and burner
controls (see Product Brief "SIMATIC
S7-300F")
The SIMATIC S7-400F enters a safe state
immediately when an error occurs, or
remains in a safe mode, thus guarantee-
ing a high level of safety for man,
machine, the environment and the pro-
cess.
If an error occurs in the controlling sys-
tem of the S7-400FH, redundant con-
trol sections take over and continue the
production process.

2
S7-400F/FH -
Introduction / benefits

Introduction
The safety-relevant functions of the
S7-400F/FH are incorporated into the F
program of the CPU and in the fail-safe
signal modules.
Both standard modules and fail-safe
modules can be used on the
S7-400F/FH. This means it is possible to
set up a fully integrated control system
for a plant where there are both
safety-related and standard areas. The
whole plant can be configured and pro-
grammed using the same standard
tools.
This means the SIMATIC S7-400F/FH can
now be used for automation areas
which were, up to a few years ago, the
exclusive domain of electromechanical
controllers, e.g. automobile shell con-
struction with presses and robots, burn-
er management systems, transporta-
tion of persons on cableways and, last
but not least, process automation.
Benefits
· The S7-400F/FH largely consists of Fail-safe S7-400F
standard components and is an inte-
gral part of Totally Integrated Auto-
mation (TIA) Standards
· The S7-400F/FH is an integral part of The S7-400F/FH complies with the fol-
Safety Integrated, the Siemens lowing safety requirements:
safety program for industrial applica- · Demand class:
tions AK 1 to AK 6 according to
· The S7-400F/FH has a TÜV approval DIN V 19250/DIN V VDE 0801
(TÜV = German Technical Inspecto- · Safety demand class:
rate) and fulfils all relevant standards SIL 1 to SIL 3 according to IEC 61508
Hardware and engineering costs are · Category:
reduced due to the fact that the fail-safe 2 to 4 according to EN954-1
S7-400F/FH is largely built from stan-
dard components:
· There is no need for an additional
F-CPU and the cabling to it.
· Engineering costs are lower because
a standard CPU can be programmed
normally instead of using an addi-
tional F-CPU.
Programs from non-safety-related
systems can also be adopted.

3
S7-400F/FH -
Highlights

Hardware
The hardware of the S7-400F/FH is
based on the CPUs of the fault-tolerant,
redundant SIMATIC S7-400H system,
plus an F-library. This F-library contains
pre-assembled, TÜV-approved basic
function blocks as well as a parameter-
ization tool for the fail-safe I/O modules.
In order to be able to run the
S7-400F/FH, the F Copy License needs
to be loaded into the CPU.
The CPU checks that the controller is
running properly by means of regular
self-tests, instruction tests and a pro-
gram execution test.
The resulting safety functions enable
response times from 100 ms upwards,
which is fully adequate for most appli-
cations in the process industry and for
many applications in the manufacturing
industry with manually operated Emer-
gency Stop devices.
The S7-400F/FH also incorporates Graphic configuring of the S7-400F/FH with the CFC engineering tool
safety-related modules for the
SIMATIC ET 200M distributed I/O
system.
Programming Communication
These fail-safe I/O modules are parame-
terized using the parameterization tool, The S7-400F/FH is programmed in Both safety-related and standard com-
connected to PROFIBUS, and controlled exactly the same way as a standard munication between the central con-
by means of the new PROFISafe S7-400. The normal automation func- troller and ET 200M go through
PROFIBUS profile for safety-related tions for the cyclic processing level PROFIBUS DP. The PROFISafe profile is
applications. (OB 1) are programmed using standard characterized by the fact that the safety
programming languages. The CFC engi- functions in the fail-safe end stations
At the moment, 4 modules are avail- neering tool is required to call blocks are implemented using the standard
able: from the F-library and to interconnect PROFIBUS functions. The useful data for
· Digital input modules: 24 x 24 V them. the safety function and the safety mea-
Digital input modules: 8 x NAMUR These blocks are called in a time level sures are sent within a standard data
(OB 35) at a parameterizable time inter- frame. No additional hardware compo-
· Digital output module: 10 x 24 V/2 A
val for reproducible disconnection nents are required.
· Analog input module: 6 x 13 bit times. This means that standard communica-
These modules can diagnose internal The use of CFC makes configuring and tion and safety-related communication
and external errors and have total inter- programming the plant, and the final use the same basic hardware

automa-
nal redundancy, i.e. outputs have, for acceptance test, significantly easier. tion and fail-safety are getting closer
example, a second integrated discon- For programmers, there is a distinct together all the time!
nection facility. advantage in the fact that they can con- Transmission of PROFIsafe is indepen-
Using the safety protector, fail-safe and centrate on configuring the dent of the transmission mechanisms,
standard modules can be used together safety-related application. This notice- e.g. copper cables or fiber-optic cables.
in one rack. ably reduces engineering costs, espe-
cially in combination with other compo-
nents, e.g. other programmable con-
trollers or control and monitoring
devices.

4
S7-400F/FH -
Configurations

The S7-400F/FH has two basic configu- · S7-400F fail-safe programmable con-
rations: troller (see Fig. 1):
If an error occurs in the control sys-
tem, the production process is inter-
rupted and transferred into a safe
mode.
· S7-400F fail-safe and fault-tolerant
programmable controller (see Figs. 2
and 3):
If an error occurs in the control sys-
tem, redundant controller compo-
nents are activated and take over
control of the production process.

The plant requires a fail-safe controller.

Fault-tolerance is not required. The follow-
S7-400F
ing are needed:
programmable controller
· 1 CPU 417-4H or CPU 414-4H with Single-channel, single-sided
F Copy License distributed I/O
· 1 PROFIBUS DP line ET 200M
· ET 200M with IM 153-2
· Fail-safe signal modules in non-redun-
dant design
In the event of a fault, the I/O is no longer
Fail-safe
available. The fail-safe signal modules are
signal modules
passivated.

Fig. 1: SIMATIC S7-400F with single-channel, single-sided I/O

Redundant DP master
The plant requires a fail-safe controller. systems
Fault-tolerance is required on the CPU side.
S7-400FH
The following are needed:
programmable controller
· 2 CPU 417-4H or CPU 414-4H with Single-channel, switched
F Copy License distributed I/O
· 2 PROFIBUS DP lines ET 200M with 2 x IM 153-2

· 1 ET 200M with 2 IM 153-2 (redundant)

· Fail-safe signal modules in non-redun-
dant design
If there is a fault in the CPU, IM 153-2 or
Fail-safe
PROFIBUS DP line, the controller is still signal modules
available. If there is a fault in a fail-safe sig-
nal module or the ET 200M, the I/O is no
longer available. The fail-safe signal mod- Redundant
ules are passivated. PROFIBUS DP

Fig. 2: SIMATIC S7-400FH with single-channel, switched I/O

Redundant DP master
The plant requires a fail-safe controller. systems
Fault-tolerance is required on the CPU side
and the I/O side. The following are needed: S7-400FH
programmable controller
· 2 CPU 417-4H or CPU 414-4H with Redundant, switched
F Copy License distributed I/O
· 2 PROFIBUS DP lines 2 x ET 200M with 2 x IM 153-2 each

· 2 ET 200M with 2 IM 153-2 (redundant)

Redundant,
· Fail-safe signal modules in redundant fail-safe
design signal modules
If there is a fault in the CPU, IM 153-2,
PROFIBUS DP line, the fail-safe signal mod-
ules or the ET 200M, the controller is still Redundant
available. PROFIBUS DP

Fig. 3: SIMATIC S7-400FH with redundant, switched I/O

5
S7-400H -
Highlights
Applications
The following list includes some applica-
tion areas of SIMATIC® S7-400H:
· Power generation and distribution
· Power stations
· Pipelines and district heating systems
· Chemical industry
· Mining
· Environment technology
· Water treatment
· Garbage incineration
· Steel and metal-working industries
· Transport
· Tunnel ventilation and air conditioning
· Marine automation
· Airport automation
· Baggage transport control
· Runway lighting
The S7-400H is used in applications
where downtimes are intolerable.
Benefits
The SIMATIC S7-400H is designed as a
fully-fledged member of the SIMATIC S7
series and thus makes full use of Totally
Integrated Automation. The S7-400 is
designed in such a way that most of the
redundancy-relevant functions are hid-
den to the user. This means in detail:
· Programming of the S7-400H as a
non-redundant standard system
· Simple program porting:
A program which was written for
non-redundant systems can easily be
ported to redundant systems, and
vice versa
· Convenient parameterization of
redundancy-specific functions and
configurations with a STEP 7® option
package
· All standard programming languages
for SIMATIC S7 can be used without
restriction
· Handling as for non-redundant sys-
tems:
For example, the S7-400H can be pro-
grammed online like a standard sys-
tem. All changes can be carried out
during the current process. Both CPUs
then are automatically updated.
6
S7-400H
Synchronization,
exchange of informa-
tion and status
Process control
Centralized or
distributed
I/Os
High or
normal
availability
Process
Active redundancy with smooth changeover
· Use of all standard SIMATIC S7 com-
ponents (with a few exceptions).
The advantages resulting from full sys-
tem integration are obvious:
in contrast to working with the usual
redundant systems, you can concen-
trate fully on your own actual task -
automation. You can ignore redun-
dancy-specific functions. This means
that with S7-400H you need not bother
about which data is to be transmitted to
the standby unit, which commands are
permitted and which not, etc.
Redundancy features
· Smooth changeover
Both sub-units are active in fault-free
mode. In the case of a fault, the intact
unit takes over processing at the
interruption point in a manner with-
out any data being lost.
· Integrated error detection and local-
ization functions.
Using the self-diagnostics function,
the system detects and signals errors
before they can affect the process.
Since you can replace specific faulty
components, repair time is short-
ened.
S7-400H
ET 200M
Process control
Centralized or
distributed
I/Os
High or
Process control
Distributed I/Os normal
High availability availability
· Online repair during operation.
You can replace all components dur-
ing operation. When replacing a CPU,
it is automatically updated with cur-
rent programs and data.
· Configuration can be changed during
operation e.g. DP slaves, modules or
main memory modules can be added
or removed.
· Automatic event synchronization.
The operating system ensures that all
commands whose execution would
cause different states in both systems
run synchronously. It is unnecessary
to update the data in the partner unit.
· Fault-tolerant communication.
Depending on the network topology,
redundant connections are set up
which are automatically activated in
the event of a fault.
·
Coupling of the CPUs by using Sync
modules which can be directly
plugged into the CPUs.
Thus no rack slot is lost and communi-
cation is faster. Hot swapping of the
Sync modules is possible.
S7-400H -
Configurations

CPU Communication In the event of a fault, the high-availabil-

The CPUs 417H and 414H each have 4 The high-availability communication ity communication can be continued
different interfaces: (Fig. 6) is already integrated in the automatically, invisible to the user.
· 1 PROFIBUS DP interface which con- S7-400H. Connection of the PC uses two
nects SIMATIC S7-400H as a master to CPs and the S7-REDCONNECT software
the PROFIBUS DP. package.
· 1 interface which can be used as a
PROFIBUS DP interface or as MPI (Mul-
tipoint Interface). You can use this
interface to:
- program and assign parameters,
S7-400H S7-400H
- control and visualize (operator),
- set up simple network structures.
· 2 interfaces for accommodating the
Sync modules.
Central controllers
There are 2 configuration possibilities
where the central controllers are con-
cerned:
· Configuration with two standard ET 200 ET 200M
subracks (UR1 and UR2) with
If the sub-units must be completely IM 153-3
separate from one another for Fig. 4: Single side (left) or switched (right) connection of I/Os
reasons of availability, this
configuration is well suited. In each
central controller one CPU and one S7-400H
power supply (PS) are plugged in. If a
particularly high degree of availability Redundant DP master system
is required, two redundant PS units
can be used.
Y coupler
· Configuration with one UR2-H
This is a new subrack with divided
backplane bus in each case with a sin- Y link
gle or redundant PS. This permits a
particularly compact design. IM 157
Lower-level DP master system
Connection of I/Os
You can connect I/Os in accordance with ET 200S ET 200X
availability requirements (Fig. 4). Thus Distributed
the single-sided connection (normal I/O devices
availability) or the switched connection ET 200L Drive Other field devices
(increased availability) can be provided.
These configurations can also be mixed Fig. 5: Coupling of the I/Os by using the Y link
together.
Using the Y link a lower-level I/O system
with different field devices can easily be PC with 2 x CP 1613
linked to a redundant PROFIBUS DP sys- and S7-REDCONNECT
tem, e.g. an S7-400H with two DP lines.
In the event of a fault, the Y link
switches the complete I/O line bump-
lessly to the active bus channel of the
redundant H system (Fig. 5).

S7-400H S7-400H H-CPU in single mode

Fig. 6: High availability communication

7
S7-400H, S7-400F/FH -
Technical specifications

CPU CPU 417-4H CPU 414-4H SM 326 F fail-safe digital input module
Main memory Number of inputs 24 (single-channel), 12 (two-channel)
·Integral (program/data) 2 Mbyte each 384 Kbyte each
Input voltage 24 V DC
·Expandable (program/data) 8 Mbyte each --
Alarms Diagnostics alarm
Load memory
· Integral 256 Kbyte RAM 256 Kbyte RAM MLFB group 6ES7326-1BK..
· Expandable FEPROM Up to 64 Mbyte Up to 64 Mbyte
· Expandable RAM Up to 64 Mbyte Up to 64 Mbyte
SM 326 F fail-safe digital output module
FBs/FCs, max. 6144/6144 2048/2048
Number of outputs 10
Data blocks, max. 8191 4095
Output voltage 24 V DC
I/O address range 16/16 Kbyte 8/8 Kbyte
· of which distributed Alarms Diagnostics alarm
- MPI/DP interface 2/2 Kbyte 2/2 Kbyte Output current with "1" signal 2 A per channel
- DP interface 8/8 Kbyte 6/6 Kbyte
MLFB group 6ES7326-1BF..
Process image (adjustable) 16/16 Kbyte 8/8 Kbyte
· Default setting 1024/1024 byte 256/256 byte
Digital channels 131072/131072 65536/65536 SM 326 NAMUR fail-safe Ex input module
· of which centralized 131072/131072 65536/65536 Number of inputs 8 (single-channel)
Analog channels 8192/8192 4096/4096 4 (two-channel)
· of which centralized 8192/8192 4096/4096 Input voltage In accordance with DIN 19234 or
NAMUR
1st interface
· MPI Yes Alarms Diagnostics alarm
· DP master Yes
MLFB group 6ES7326-1RF..
· DP save No
· Default setting MPI
· Isolated Yes SM 336 F fail-safe analog input module
2nd interface Number of inputs 6; max. 4 (single-channel) or 3/2 (two-
· DP master Yes channel) with voltage measurements
· DP slave No
· Point-to-point connection No Alarms Diagnostics alarm (parameterizable)
· Default setting DP master Integration time 20/16.66 ms
· Isolated Yes
Resolution 13 bit + sign
Programming languages STEP® 7 V5, SP1 (LAD, FBD, STL);
SCL, CFC, GRAPH, HiGraph® MLFB group 6ES7336-1HE..
MLFB group 6ES7417-4H... 6ES7414-4H...
Option packages for S7 F systems
F-Library Approx. 50 certified basic function
blocks
F-Tool For parameterization of fail-safe SMs
Requirements · STEP 7 V5.1 or higher
· CFC V5.2 or higher
· S7-SCL V5.0 or higher
· S7 H systems V5.1
(option for S7-400FH)
All designations marked in this Prod-
uct Brief with ® are registered trade-

MLFB group 6ES7658-.....

Additional information on the For personal consultation you can Using the A&D Mall you can immedi-
SIMATIC controllers can be found in the find your local SIMATIC partner at: ately and directly order electronically
Internet: www.siemens.de/automation/partner in the Internet:
marks of Siemens AG.

www.siemens.de/simatic-controller www.siemens.de/automation/mall

Siemens Aktiengesellschaft www.siemens.de/simatic-controller © Siemens AG 2002

Order No. 6ZB5310-0HY02-0BA4 Subject to change without prior notice.
Automation and Drives
Printed in the Federal Republic of Germany
Industrial Automation Systems 26100/201474 WE 04022.
P.O. Box 4848, D-90327 Nuremberg
Federal Republic of Germany