Wiring Voting AI V30 en

Application example  08/2016
Wiring and Voting Architectures for

failsafe Analog Input Modules (F AI)
of the ET 200M
SIMATIC Safety Integrated for process automation
https://support.industry.siemens.com/cs/ww/en/view/24690377
Warranty and liability
Warranty and liability
Note The Application Examples are not binding and do not claim to be complete
regarding the circuits shown, equipping and any eventuality. The Application
Examples do not represent customer-specific solutions. They are only intended
to provide support for typical applications. You are responsible for ensuring that
the described products are used correctly. These Application Examples do not
relieve you of the responsibility to use safe practices in application, installation,
operation and maintenance. When using these Application Examples, you
recognize that we cannot be made liable for any damage/claims beyond the
liability clause described. We reserve the right to make changes to these
Application Examples at any time without prior notice.
If there are any deviations between the recommendations provided in these
Application Examples and other Siemens publications – e.g. Catalogs – the
contents of the other documents have priority.
We do not accept any liability for the information contained in this document.
Any claims against us – based on whatever legal reason – resulting from the use of
the examples, information, programs, engineering and performance data etc.,
described in this Application Example shall be excluded. Such an exclusion shall
not apply in the case of mandatory liability, e.g. under the German Product Liability
Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life,
body or health, guarantee for the quality of a product, fraudulent concealment of a
 Siemens AG 2016 All rights reserved
deficiency or breach of a condition which goes to the root of the contract

(“wesentliche Vertragspflichten”). The damages for a breach of a substantial
contractual obligation are, however, limited to the foreseeable damage, typical for
the type of contract, except in the event of intent or gross negligence or injury to
life, body or health. The above provisions do not imply a change of the burden of
proof to your detriment.
Any form of duplication or distribution of these Application Examples or excerpts
hereof is prohibited without the expressed consent of the Siemens AG.
Security Siemens provides products and solutions with industrial security functions that
informa- support the secure operation of plants, systems, machines and networks.
tion In order to protect plants, systems, machines and networks against cyber
threats, it is necessary to implement – and continuously maintain – a holistic,
state-of-the-art industrial security concept. Siemens’ products and solutions only
form one element of such a concept.
Customer is responsible to prevent unauthorized access to its plants, systems,
machines and networks. Systems, machines and components should only be
connected to the enterprise network or the internet if and to the extent necessary
and with appropriate security measures (e.g. use of firewalls and network
segmentation) in place.
Additionally, Siemens’ guidance on appropriate security measures should be
taken into account. For more information about industrial security, please visit
http://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them
more secure. Siemens strongly recommends to apply product updates as soon
as available and to always use the latest product versions. Use of product
versions that are no longer supported, and failure to apply latest updates may
increase customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial
Security RSS Feed under http://www.siemens.com/industrialsecurity.
Wiring and Voting Architectures for failsafe F AIs

Entry ID: 24690377, V3.0, 08/2016 2
Table of contents
Table of contents
Warranty and liability ................................................................................................... 2
1 Automation functions ........................................................................................ 6
1.1 Functionality of the functional example ................................................ 6
1.2 Presented architectures ....................................................................... 8
1.3 Properties of the fail-safe analog input module .................................... 9
2 Structure and wiring for one sensor (1oo1) .................................................. 12
2.1 Calculation of PFD ............................................................................. 13
2.2 Wiring ................................................................................................. 13
2.2.1 Conventional wiring ............................................................................ 13
2.2.2 Wiring using Marshalled Termination Assemblies (MTAs) ................ 17
2.3 Parameters for hardware configuration .............................................. 18
2.4 Configuring the logic ........................................................................... 21
2.4.1 Configuring using Safety Matrix ......................................................... 21
2.4.2 Configuring using CFC ....................................................................... 24
Logic without evaluation of the channel error (1oo1) ......................... 24
Logic with evaluation of the channel error (1oo1D) ........................... 25
3 Structure and wiring for a (1oo1) sensor with redundant I/O modules ..... 26
3.2 Wiring ................................................................................................. 27

3.4 Creating the logic ............................................................................... 35
4 Structure and wiring for two sensors (1oo2) Evaluation in the F-AI .......... 38
4.2 Wiring ................................................................................................. 40
Logic without evaluation of the channel error (1oo2 on the F-AI) ...... 51
5 Structure and wiring for two sensors (1oo2) with redundant I/O
modules: Evaluation in the F-AI ..................................................................... 54
5.2 Wiring ................................................................................................. 56

Entry ID: 24690377, V3.0, 08/2016 3
Table of contents
6 Structure and wiring for two sensors (1oo2) Evaluation in the user
program ............................................................................................................ 64
6.1 Option 1 .............................................................................................. 65
6.1.1 Calculation of PFD (option 1) ............................................................. 66
6.2 Option 2 .............................................................................................. 66
6.2.1 Calculation of PFD (option 2) ............................................................. 67
6.3 Wiring ................................................................................................. 68
7 Structure and wiring for two sensors (1oo2) with redundant I/O
modules: Evaluation in the user program..................................................... 87
7.2 Wiring ................................................................................................. 89

8 Structure and wiring for three sensors (1oo3) Evaluation in the user
program ............................................................................................................ 97
8.2 Wiring ............................................................................................... 100
8.2.1 Conventional wiring .......................................................................... 100
8.3 Parameters for hardware configuration ............................................ 104
8.4 Creating the logic ............................................................................. 107
8.4.1 Configuring using Safety Matrix ....................................................... 107
8.4.2 Configuring using CFC ..................................................................... 110
9 Structure and wiring for three sensors (1oo3) with redundant I/O
modules: Evaluation in the user program................................................... 118
9.1 Calculation of PFD ........................................................................... 120
Calculation formula for PFD ............................................................. 120
9.2 Wiring ............................................................................................... 121
9.2.1 Conventional wiring .......................................................................... 121
9.3 Parameters for hardware configuration ............................................ 122
9.4 Creating the logic ............................................................................. 124
9.4.1 Configuring using Safety Matrix ....................................................... 124
9.4.2 Configuring using CFC ..................................................................... 125
Logic without evaluation of the channel error (2oo3) ....................... 125
Logic with evaluation of the channel error (2oo3D) ......................... 128
APPENDIX ................................................................................................................. 130
10 Calculation of the PFD value ........................................................................ 130
11 Recommendations for power supply and grounding measures .............. 131
11.1 Power supply .................................................................................... 131
11.1.1 Power input ...................................................................................... 131
11.1.2 System power supply ....................................................................... 131

Entry ID: 24690377, V3.0, 08/2016 4
Table of contents
11.2 Grounding ......................................................................................... 132

11.2.1 Objectives ......................................................................................... 132
11.2.2 Implementation ................................................................................. 132
12 MTA (Marshalled Termination Assembly) ................................................... 135
13 References ..................................................................................................... 138
14 History............................................................................................................. 138

Entry ID: 24690377, V3.0, 08/2016 5
1 Automation functions
1.1 Functionality of the functional example
Task
It is intended to monitor several analog signals in a plant on a safety-related basis.
Depending on the importance and risk of failure, there are several options for
wiring and evaluating signals. This means that you can carry out evaluation in
the analog input module and/or the user program, for example.
Figure 1-1 shows an example of a plant section in which valves

(BV-100A and BV-100B) must be closed on a fail-safe basis in dependence on
 the pressure
 the fill level and
 the temperature
Figure 1-1: Example 1 - Overview

PT- 400A
3 Pressure Transmitters
 Failsafe Analog Input 2 Block Valves

Signals PT- 400B Failsafe Discrete

 2 oo3 Voting in the Output Signals
CPU  Valves in Series
(Normally -Open,
PT- 400C 1 Pair of Fail -Close)
S7-400FH CPUs  1 oo2 Voting
 Redundant Arrangement
 Failsafe
2 Temperature TT-200A
Transmitters
 Failsafe Analog Input Safety BV-100A BV-100B
Signals
TT-200B Logic
 1 oo2 Voting in the
CPU
LSH-100A
3 Level Switches
 Failsafe Discrete
Input Signals LSH-100B
 2 oo3 Voting in the
CPU
LSH-100C
This functional example demonstrates the different options for wiring and
evaluating safety-relevant signals.
The solution
Figure 1-2 shows a possible implementation of this plant section in which different
connection and evaluation architectures and analog signals are used.

Entry ID: 24690377, V3.0, 08/2016 6
Figure 1-2: Example 1 – System setup

PT-100A F-AI
0 CPU
TT-200A PT-100 Voting Logic
1 F_CH_AI
2oo3
PT-100B F-AI
0
TT-200B
1 F-DO BV-100A
0
PT-100C F-AI
TT-200 Voting Logic BV-100 Voting Logic 1
0
F_CH_AI F_CH_DO
1oo2 OR
F-DO
0
LSH-100A F-DI
LSH-100 Voting Logic BV-100B
0
F_CH_DI 1
2oo3
LSH-100B F-DI
0
LSH-100C F-DI
0
Note In all the functional examples, we use fail-safe analog input module SM 336; F-AI
6 x 0/4 … 20 mA HART with order number 6ES7 336-4GE00-0AB0. This will be
referred to from now on as F-AI.

Entry ID: 24690377, V3.0, 08/2016 7
1.2 Presented architectures

Recommended architectures
In this functional example, the following architectures will be presented:
 One sensor (1oo1)
A typical application for cases in which an individual sensor has the necessary
Safety Integrity Level and increased availability is not needed (explanation in
chapter 2).
 Two sensors (1oo2) evaluation in the F-AI
A typical application for cases in which an individual sensor does not have
the necessary Safety Integrity Level and increased availability is not needed
(explanation in chapter 3).
 Two sensors (1oo2) evaluation in the user program
A typical application for cases in which an individual sensor does not have the
necessary Safety Integrity Level and the data of both sensors must be visible
in the automation system. This architecture can also be configured as 2oo2 for
increased availability if an individual sensor has the necessary Safety Integrity
Level (explanation in chapter 4).
 Three sensors (2oo3) evaluation in the user program
A typical application for cases in which several sensors are necessary to
achieve the required Safety Integrity Level and increased availability is needed
(explanation in chapter 5).

Entry ID: 24690377, V3.0, 08/2016 8
1.3 Properties of the fail-safe analog input module

Properties of the F-AI
 6 analog inputs with electrical isolation between the channels and the
backplane bus
 Input ranges:
– 0 to 20 mA
– 4 to 20 mA
 Shortcircuit-proof power supply of 2- or 4-wire transmitters via the module
 external encoder supply possible
 group fault display (SF)
 safety mode display (SAFE)
 display for channel-specific fault (Fx)
 Display for HART status (Hx) (If you have activated HART communication for
one channel and HART communication is running, the green HART status
display lights up.)
 configurable diagnostics
 configurable diagnostics in safety mode only
 SIL3/Cat.4/PLe can be achieved without safety protector

 HART communication
 Firmware update via HW config
 I&M identification data
 can be used with PROFIBUS DP and PROFINET IO
Using inputs
You can use the inputs as follows:
 Each of the six channels for current measurement
– 0 to 20 mA (without HART utilization)
– 4 to 20 mA (with/without HART utilization)
– Functional range of HART communication: 1.17 to typically 35 mA
Wiring diagrams of the F-AI

The figures below give you an overview of the address and connection diagrams
of the F-AI (SM 336) considered here.

Entry ID: 24690377, V3.0, 08/2016 9
Figure 1-3: Address assignment of SM 336; F-AI 6 x 0/4...mA HART
Figure 1-4: Front view of SM 336; F-AI 6 x 0/4...mA HART


Entry ID: 24690377, V3.0, 08/2016 10
Figure 1-5: Wiring and schematic diagram of SM 336; F-AI 6 x 0/4...mA HART
Figure 1-6: Channel numbers of SM336; F-AI 6 x 0/4...20mA HART
Recommendation
You are strongly advised to use the shortcircuit-proof internal sensor supply of
the module. This internal sensor supply is monitored and its status is indicated
by the Fx LED (see Figure Front view of SM 336; F-AI 6 x 0/4 ... 20 mA HART).

Entry ID: 24690377, V3.0, 08/2016 11
2 Structure and wiring for one sensor (1oo1)

The one-sensor evaluation schematic (or 1oo1) refers to the applications that
do not need sensor redundancy. 1oo1 evaluation means that only one sensor
is present. If the sensor displays a trigger condition, the safety logic will trip.
Note The I/O module in this architecture is certified for Safety Integrity Level SIL3.
However, to be SIL-compliant, the entire safety instrumented function – including
the field devices – must be evaluated according to IEC 61508 / IEC 61511.
In the 1oo1 basic architecture, a sensor is wired to one of the F-AI channels in
Figure 2-1 to channel 0).
Figure 2-1: Overview (1oo1)
F-AI
Ch 0..5
Sensor 1
0
CPU
1oo1
Voting
F_CH_AI Logic
Using the structure shown in Figure 2-1 it is possible to achieve a maximum of

SIL3.
The table below shows when the safety function trips.
Table 2-1: Failure modes

Component failed? Tripping of
Sensor 1 F-AI safety function?
No No No
X Yes Yes
Yes X Yes

Entry ID: 24690377, V3.0, 08/2016 12
2.1 Calculation of PFD

The Probability of Failure on Demand (PFD) value describes the probability of
failure of the safety function
Calculation formula for PFD

You calculate the PFD value for this architecture of wiring and evaluation using this
formula:
PFD(Ein) = PFDSensor + PFDF-AI + PFDCPU
You can find the PFDF-AI and PFDCPU values in Section 10.
1
You calculate the PFDSensor value for a 1oo1 sensor using the following formula :
TI
PFD1oo1  DU 
2
2.2 Wiring
2.2.1 Conventional wiring
In the 1oo1 evaluation schematic, the sensor can be supplied with voltage as
follows:
 internally via the F-AI
 via an external power source
Internal voltage supply

Special features in the case of internal voltage supply of the F-AI:
 Short-circuiting is controlled between the sensor supply voltage Vsn and Mn+
 Due to read back of the sensor voltage in the F-AI, undervoltage detection on
the transmitter is possible.
Wiring examples
Figure 2-2 shows a wiring example for a 2-wire sensor.
Figure 2-3 shows a wiring example for a 4-wire sensor.
In both illustrations, the transmitter is wired to channel 0 (terminals 3, 4, 5) and is
supplied by the F-AI
1
The formula was taken from IEC61508, IEC 61511 and VDI 2180 Sheet 4

Entry ID: 24690377, V3.0, 08/2016 13
Example of wiring a 2-wire sensor

Figure 2-2: Wiring for a 2-wire transmitter (internal sensor supply)
2-Wire
Current
Sensor
Example of wiring a 4-wire sensor
Figure 2-3: Wiring for a 4-wire transmitter (internal sensor supply)
4-Wire
Current
Sensor

Entry ID: 24690377, V3.0, 08/2016 14
External power supply (2-wire sensor)

Figure 2-4 shows an external voltage source on a 2-wire sensor. The sensor is
wired to channel 0 (terminals 4, 5). You are advised to connect the M potentials to
one another.
CAUTION The F-AI cannot detect an undervoltage on the transmitter. This means that
you should use a measuring transducer with undervoltage detection.
Figure 2-4: External voltage for a 2-wire transmitter
2-Wire
Current
Sensor

Entry ID: 24690377, V3.0, 08/2016 15

Figure 2-5 shows an external voltage source with a 4-wire sensor. The sensor is
wired to channel 0 (terminals 4, 5). You are advised to connect the M potentials to
one another.
CAUTION The F-AI cannot detect an undervoltage on the transmitter. This means that
you should use a measuring transducer with undervoltage detection.
Figure 2-5: External voltage for a 4-wire transmitter
4-Wire
Current
Sensor

Entry ID: 24690377, V3.0, 08/2016 16
2.2.2 Wiring using Marshalled Termination Assemblies (MTAs)
Siemens offers Marshalled Termination Assemblies (MTAs) Using an F-AI-MTA for

this evaluation scheme makes wiring between the sensors and the ET 200M signal
modules much easier, since it already includes the necessary diodes and Zener
diodes
You can find more information on this topic in the section entitled "Marshalled
Termination Assembly (MTA)"
Figure 2-6: MTA


Entry ID: 24690377, V3.0, 08/2016 17
2.3 Parameters for hardware configuration

To carry out configuration, highlight the F-AI in the STEP 7 hardware catalog and
insert it into an existing ET 200M station. To make configuration easier, choose
meaningful symbol names for the analog channels.
You can see an example of a hardware configuration using one F-AI in Figure 2-7
In this example, the sensor signal is wired to channel 0 of the F-AI. Note that the
use of an F-AI MTA is not taken into account in the HW config.
You can find more information about the HW configuration in the chapter entitled
“References” under \4\.
Figure 2-7: Symbol editing

In the object properties of the inserted F-AI, you set the necessary parameters for
operating the F-AI (see Figure 2-8).
The parameters are grouped in Table 2-2.

Entry ID: 24690377, V3.0, 08/2016 18
Figure 2-8: Hardware parameters

Table 2-2: Hardware configuration parameters

Parameters Description/recommendations Desired setting
or permissible
value range
F-parameter
F_target_address PROFIsafe address of the 1-1022 or
F-signal module (set using DIL switches). 0000000001...
1111111110
F_monitoring_time Monitoring time for safety-related 0...65535ms

(ms) communication between the CPU and Default 2500ms
the F-AI.
Comment: A table is available on the
Siemens Support website to help users
to calculate
F-monitoring times (see the chapter entitled
“References” under \10\).
Module parameters
Diagnostic interrupt Various error events trigger a diagnostic Enable/disable
interrupt, which the module can detect.
These events are then reported to the CPU.
Comment:
If the diagnostic interrupt is enabled at the
module level, then individual diagnostics
events must be activated at the channel
level.

Entry ID: 24690377, V3.0, 08/2016 19

or permissible
value range
Behavior after Passivation of the entire Module/
channel faults module/passivation of the channel. Channel
Comment:
Not relevant for F systems
HART_Gate Works on a cross-module basis as off/
a failsafe “main switch”. on/
With “OFF”, HART communication is Selectable
disabled.
With “ON”, HART communication is
enabled.
With "selectable”, the HART modem can
be switched from the safety program for
maintenance.
Interference Selection for balancing the integration time 50/60 Hz
frequency of the A/D converter to the network that is
suppression being used.
(Hz) The integration time is:
– 20 ms at 50 Hz
– 16.66 ms at 60 Hz
Evaluation of the Activation of the channel by specifying 1oo1 (1v1)
sensors the sensor evaluation.

– Disabled
– 1oo1 (1v1)
– 1oo2 (2v2)
If 1oo1 is selected, the following
parameters are not available:
– Discrepancy time
– Tolerance
– Standard value
Measuring range Selection of the measuring range for the 0...20 mA
channel. 4...20 mA
F_Wire_break Selection of whether wire break monitoring Enable/disable
detection is to be carried out for the channel or not.
Smoothing Number of measuring cycles for which 1, 4, 16, 64
smoothing is to be carried out.
Note Depending on the versions of the module and the hardware configuration pack,
the hardware parameters and the configuration window may differ from the
information in this section. You can find further information in the documentation
of the module.

Entry ID: 24690377, V3.0, 08/2016 20
2.4 Configuring the logic

2.4.1 Configuring using Safety Matrix
After you have configured the hardware, you can use the SIMATIC Safety Matrix
Engineering Tool (for more information on this topic, see the chapter entitled
Figure 2-9 shows how to configure a cause to monitor an input TAG in the Safety
Matrix. Use the following settings:
 Type analog input
 1 input
 Function type: Normal (1oo1 evaluation)
 Enter the signal name at Tag1 (e.g. F_TAG1001_X) or use the “I/O”
pushbutton to choose the symbol from the symbol table.
Figure 2-9: Safety Matrix – configuring


Entry ID: 24690377, V3.0, 08/2016 21
As Figure 2-10 shows, there are additional analog parameters that you must
configure for the cause:
 Necessary parameters:
– Limit value type: MAX or MIN
– Limit value
 Optional parameters:
– Prealarm
– Hysteresis
– Units of measurement:
Figure 2-10: Safety Matrix – analog parameters

If the input TAG is fallen short of or exceeded, the cause is activated and triggers
the corresponding effect(s).

Entry ID: 24690377, V3.0, 08/2016 22
Depending on the process application, you can activate additional options

(e.g. time delay and bypass option).
One of the configuration options that is highlighted in Figure 2-11 is switch off in
the case of a channel error. If this option is activated, a channel error has the
effect of a limit value violation and – in the case of a 1oo1 (function type: Normal) –
triggers the corresponding effect(s).
Figure 2-11: Safety Matrix – options


Entry ID: 24690377, V3.0, 08/2016 23
2.4.2 Configuring using CFC
As an alternative to using the Safety Matrix Tool, you can also implement the CPU
logic for reading the input signal using the STEP 7 CFC Editor.
There are two options for implementing the CFC logic:
 Without evaluation of the channel error (1oo1)
 With evaluation of the channel error (1oo1D)
Logic without evaluation of the channel error (1oo1)

Figure 2-12 shows a sample logic that was created in the CFC Editor for reading
an input signal that does not take into account a channel error. Please note that
this example assumes a MAX limit value and that the evaluation logic output for
reaching the safe state is switched off (normal state = 1, safe state = 0).
Note In the configuration that is shown (SUBS_ON = 0 on the F channel driver), the
last valid value is used if there is an error. It is not possible to predict whether
this value is above or below the limit value.
Figure 2-12: CFC Logic – Without channel error evaluation

The sample logic in Figure 2-12 functions as follows:

 If the process value is in the normal range (in this case, less than 90),
the output of the evaluation logic is 1 (i.e. no trigger command).
 If the process value exceeds the limit value (in this case, greater than or equal
to 90), the output of the evaluation logic is 0 (i.e. trigger command).
 The output of the logic should be linked to the corresponding shutdown logic.
To create the logic, generate an F_CH_AI F channel driver for the analog input
signal and link it to the symbol or address of the sensor that is linked to the F-AI
(e.g. F_TAG1001_X). Use a limit value block (F_LIM_HL or F_LIM_LL) to compare
the signal to the triggering limit value.

Entry ID: 24690377, V3.0, 08/2016 24
Logic with evaluation of the channel error (1oo1D)
an individual input signal that takes into account a channel error. Please note that
reaching
the safe state is switched off (normal state = 1, safe state = 0).
Figure 2-13: CFC logic – With channel error evaluation

The sample logic in

Figure 2-13 functions as follows:
 In the normal range (here: less than 90) and with an undisturbed process
value, the output of the evaluation logic is 1 (i.e. no trigger command).
 If the limit value is exceeded (here: greater than or equal to 90) and with an
undisturbed process value, the output of the evaluation logic is 0 (i.e. trigger
command).
 If there is a channel error, the output of the evaluation logic is 0 (i.e. trigger
command).
The necessary steps to generate the logic are described below:
 Create an F_CH_AI channel driver for the analog input signal and link it to
the address of the sensor that is linked to the F-AI (e.g. F_TAG1001_X).
Use a limit value block (F_LIM_HL or F_LIM_LL) to compare the signal to
the triggering limit value.
 Logically AND the following signals to generate the signal for the -trigger
command:
– Negated value of the limit value block (QHN or QLN)
– Negated value of the channel error output (QBAD) of the
channel driver block

Entry ID: 24690377, V3.0, 08/2016 25
3 Structure and wiring for a (1oo1) sensor with redundant I/O modules
3 Structure and wiring for a (1oo1) sensor

with redundant I/O modules
To increase the availability of the I/O modules, you implement the single-sensor
evaluation scheme with a pair of redundant F-AIs.
The sensor has a 1oo1 evaluation and the I/O modules have a 2oo2 one.
Note The I/O modules of this architecture are certified to achieve Safety Integrity Level
SIL3. However, to be SIL-compliant, the entire safety instrumented function –
including the field devices –
must be evaluated according to IEC 61508 / IEC 61511.
In the redundant 1oo1 architecture, a single sensor is wired to a redundant F-AI.

You can see a block diagram in Figure 2-17.
In Figure 3-1 the sensor is wired to channel 0 of both F-AIs. The F-AIs are
configured as redundant in the HW Config. Only one analog F-channel driver
is supported. The F-Channel driver selects from the incoming analog signals.
Figure 3-1: Redundant F-AI – 1oo1 overview

F-AI
Ch 0..5
0
CPU
1oo1
Voting
F_CH_AI Logic
Sensor 1
F-AI
Ch 0..5
Using the structure shown in Figure 3-1 it is possible to achieve a maximum of

SIL3.

Entry ID: 24690377, V3.0, 08/2016 26
The table below shows when the safety function trips:

safety function?
Sensor 1 F-AI 1 F-AI 2
No No No No
No No Yes No
No Yes No No
X Yes Yes Yes
Yes X X Yes
Note Redundancy does not increase the Safety Integrity Level.


formula:
PFD(Ein) = PFDSensor + 2 PFDF-AI + PFDCPU
2
You calculate the PFDSensor value for a 1oo1 sensor using the following formula
TI
PFD1oo1  DU 
2
3.2 Wiring
An example of the 1oo1 evaluation scheme with redundant F-AI is shown in

Figure 3-2 and Figure 3-3 The sensor is wired to channel 0 (terminals 3, 4, 5) of
both F-AIs.
2
The formula was taken from IEC61508, IEC 61511 and VDI 2180 Sheet 4

Entry ID: 24690377, V3.0, 08/2016 27
Special feature
 Short-circuiting is controlled between the sensor supply voltage Vsn and Mn+
 Due to read back of the sensor voltage in the F-AI, undervoltage detection on
the transmitter is possible.
 It is necessary to include the external elements considering application-specific
safety issues, i.e.: you must include the external elements that are needed to
implement redundancy (e.g. Zener diodes) in your safety considerations).
Figure 3-2: Redundant F-AI modules – 1oo1 wiring (2-wire transmitter)

SM336; SM336;
AI 6x 0/4...20mA HART AI 6x 0/4...20mA HART
L+ 1 1 L+
1L+ 1L+
M 2 2 M
1M 1M
Vs0 3 Vs0
3
+ 2-Wire
2-Draht
CH0 M0+
Mess-
Current M0+ CH0
4 - umformer 4
Sensor
M0- 5 M0-
5
Vs1
Vs1 6 6
CH1 M1+ 7 M1+ CH1

7
M1- 8 8 M1-
Vs2 9 9 Vs2
CH2 M2+ 10 10 M2+ CH2

M2- 11 11 M2-
Vs3 12 12 Vs3
CH3 M3+ 13 13 M3+ CH3
M3- 14 14 M3-
Vs4 15 15 Vs4
CH4 M4+ 16 16 M4+ CH4
M4- 17 17 M4-
Vs5 18 18 Vs5
CH5 M5+ 19 19 M5+ CH5
M5- 20 20 M5-

Entry ID: 24690377, V3.0, 08/2016 28
Figure 3-3: Redundant F-AI modules – 1oo1 wiring (4-wire transmitter)

SM336; SM336;
L+ 1 1 L+
1L+ 1L+
M 2 2 M
1M 1M
Vs0 3 3 Vs0
CH0 M0+ M0+ CH0

4 4
+ 4-Wire
4-Draht
5 M0-
M0- 5 Current
Mess-
- umformer
Sensor Vs1
Vs1 6 6
CH1 M1+ 7 M1+ CH1

7
M1- 8 8 M1-
Vs2 9 9 Vs2
CH2 M2+ 10 10 M2+ CH2
M2- 11 11 M2-
Vs3 12 12 Vs3
CH3 M3+ 13 13 M3+ CH3
M3- 14 14 M3-
Vs4 15 15 Vs4
CH4 M4+ 16 16 M4+ CH4
M4- 17 17 M4-
Vs5 18 18 Vs5
CH5 M5+ 19 19 M5+ CH5

M5- 20 20 M5-

Entry ID: 24690377, V3.0, 08/2016 29

Figure 3-4 shows an external voltage source on a 2-wire sensor. The sensor signal
is looped via channel 0 (terminals 4, 5) of both redundant assemblies. You are
advised to connect the M potentials to one another.
Figure 3-4: Redundant F-AI modules – 1oo1 wiring (2-wire transmitter), supplied externally
SM336; SM336;
L+ 1 1 L+
1L+ 1L+
M 2 2 M
1M 1M
Vs0 2L+ 3 Vs0
3
+ 2-Wire
2-Draht
CH0 M0+ 4
Current
Mess- M0+ CH0
- umformer 4
Sensor
M0- 5 M0-
5
2M
Vs1
Vs1 6 6
CH1 M1+ 7 M1+ CH1

7
M1- 8 8 M1-
Vs2 9 9 Vs2
CH2 M2+ 10 10 M2+ CH2
M2- 11 11 M2-
Vs3 12 12 Vs3
CH3 M3+ 13 13 M3+ CH3
M3- 14 14 M3-
Vs4 15 15 Vs4
CH4 M4+ 16 16 M4+ CH4
M4- 17 17 M4-
Vs5 18 18 Vs5
CH5 M5+ 19 19 M5+ CH5
M5- 20 20 M5-

Entry ID: 24690377, V3.0, 08/2016 30

Figure 3-5 shows an external voltage source with a 4-wire sensor. The sensor
signal is looped via channel 0 (terminals 4, 5) of both redundant assemblies.
You are advised to connect the M potentials to one another. You are advised
to connect the M potentials to one another.
Figure 3-5 Redundant F-AI modules – 1oo1 wiring (4-wire transmitter), supplied externally
SM336; SM336;
L+ 1 1 L+
1L+ 1L+
M 2 2 M
1M 1M
Vs0 2L+ Vs0
3 3
CH0 M0+ M0+ CH0

4 4-Draht
4-Wire 4
+
M0-
Mess-
Current 5 M0-
5 - umformer
Sensor
Vs1
Vs1 6 6
CH1 M1+ 2M 7 M1+ CH1

7
M1- 8 8 M1-
Vs2 9 9 Vs2
CH2 M2+ 10 10 M2+ CH2
M2- 11 11 M2-
Vs3 12 12 Vs3
CH3 M3+ 13 13 M3+ CH3
M3- 14 14 M3-
Vs4 15 15 Vs4
CH4 M4+ 16 16 M4+ CH4
M4- 17 17 M4-
Vs5 18 18 Vs5
CH5 M5+ 19 19 M5+ CH5
M5- 20 20 M5-

Entry ID: 24690377, V3.0, 08/2016 31

diodes
Figure 3-6: MTA


Entry ID: 24690377, V3.0, 08/2016 32

For the 1oo1 evaluation scheme with redundant F-AI, the F-AIs are configured in
STEP 7 HW Config. Figure 3-7 shows an example of a hardware configuration.
In this example, there is one ET 200M rack (with interface module IM153-2 for
PROFIBUS) with PROFIBUS address 3 and a second ET 200M rack with
PROFIBUS address 4. Each ET 200M includes one F-AI in slot 4. You can find
more information about the HW configuration in the chapter entitled “References”
under \4\.
Figure 3-7: Redundant F-AI – 1oo1 layout

In the HW Config, you must configure the two F-AIs as a redundant pair. You can
access the F-AI redundancy settings via the object properties of one of the F-AIs.
In the case of the hardware set-up example shown in Figure 3-7 the redundancy
setting is made on the F-AI that is located in the ET 200M rack
with PROFIBUS address 3. Figure 3-8 shows the interface for the redundancy
settings with Table 3-2 grouping the settings.

Entry ID: 24690377, V3.0, 08/2016 33
Figure 3-8: Redundant F-AI – 1oo1 redundancy parameters

Table 3-2: Redundant F-AI – 1oo1 redundancy parameters

or permissible
value range
Redundancy Indication of whether or not the F-AI Two modules/
functions as part of a redundant pair. assemblies
Comment:
For redundancy, you must set the
parameter on two modules/assemblies.
Redundant module This is used to choose the redundant
partner module.
of the module.
When you have made the redundancy settings, you can set the other hardware
parameters in one of the redundant F-AIs. The system automatically applies
the settings on the redundant assembly.

Entry ID: 24690377, V3.0, 08/2016 34
3.4 Creating the logic

Even though this evaluation scheme uses redundant F-AIs, only one F_CH_AI
F channel driver is needed in the logic. It is possible to add and configure the
F channel driver either automatically by means of the SIMATIC Safety Matrix or
manually using the STEP 7 CFC Editor. In both cases, the F channel driver must
be linked to the analog sensor signal of the F-AI with the lower I/O address.
When you have configured the F channel driver and the logic is completely
available, the system compiles the logic. If the option to generate module drivers
is enabled at compilation, then the system automatically adds and configures the
corresponding F_PS_12 module drivers to the logic at compilation. The F channel
driver selects the valid signal and switches to the signal of the redundant module
if there is a disturbance. The driver does not carry out delta monitoring of the
redundant signals.
After you have added the sensor to the hardware configuration, you can implement
the evaluation logic for the signal in the CPU. One of the methods for doing this
is to use the SIMATIC Safety Matrix Engineering Tool (for more information on
this topic, see the chapter entitled “References” under \5\).
The actual evaluation logic for monitoring an individual sensor using redundant
F-AIs is the same as is described in section 2.4.1 (Configuring using Safety Matrix).

Entry ID: 24690377, V3.0, 08/2016 35
As an alternative to using the Safety Matrix Tool, you can also implement the CPU
logic for reading the input signal using the STEP 7 CFC Editor.

Figure 3-9 shows a sample logic that was created in the CFC Editor for reading an
input signal of redundant F modules that does not take into account a channel
error. Please note that this example assumes a MAX limit value and that the
evaluation logic output for reaching the safe state is switched off (normal state = 1,
safe state = 0).
Note In the logic that is shown (SUBS_ON = 0 on the F channel driver), the last valid
value is used if there is an error. It is not possible to predict whether this value
is above or below the limit value.

 The F_CH_AI F channel driver evaluates both sensor signals and returns
a value to the logic for further-processing.
 If the process value exceeds the limit value (in this case, greater than or equal
To create the logic, generate an F_CH_AI F channel driver for the analog input
signal and link it to the symbol on the F-AI with the lower address (e.g.
F_TAG1001_X on EW512). Use a limit value block (F_LIM_HL or F_LIM_LL)
to compare the signal to the triggering limit value.

Entry ID: 24690377, V3.0, 08/2016 36

an input signal of redundant F-AIs that takes into account a channel error. Please
note that this example assumes a MAX limit value and that the evaluation logic
output for reaching the safe state is switched off (normal state = 1, safe state = 0).

 With normal range (here: less than 90) and with an undisturbed process value,

 If the limit value is exceeded (here: greater than or equal to 90) and with an
undisturbed process value, the output of the evaluation logic is 0 (i.e. trigger
command).
 If both F-AIs report a channel error, the output of the evaluation logic is 0
(i.e. trigger command).
 Generate an F_CH_AI F channel driver for the analog input signal and link it
to the symbol on the F-AI with the lower address (e.g. F_TAG1001_X on
EW512). Use a limit value block (F_LIM_HL or F_LIM_LL) to compare the
signal to the triggering limit value.
command:
– Negated value of the channel error output (QBAD) of the F channel driver

Entry ID: 24690377, V3.0, 08/2016 37
4 Structure and wiring for two sensors (1oo2) Evaluation in the F-AI
4 Structure and wiring for two sensors

(1oo2) Evaluation in the F-AI
The two-sensor or 1oo2 evaluation scheme refers to applications that need two
sensors to achieve the necessary Safety Integrity Level. 1oo2 evaluation means
only one of the sensors needs to trigger; i.e. if one of the sensors displays a trigger
condition, the safety logic will trigger. In this evaluation scheme, 1oo2 evaluation
is carried out in the F-AI.
Note The I/O module in this architecture is certified for Safety Integrity Level SIL3.
In the 1oo2 architecture with evaluation in the F-AI, two sensors are wired to one
F-AI. Figure 4-1 shows a block diagram.
If 1oo2 evaluation is activated for a channel pair (0/3, 1/4, 2/5), the F-AIs carry out
discrepancy analysis of the two input signals. Depending on the parameterization,
one of the process values (MIN / MAX) is transferred to the CPU.
The system uses the address of the channel with the lower number. In Figure 4-1
the first sensor is wired to channel 0 of the F-AIs. The second sensor must then be
wired to channel 3.
Figure 4-1: 1oo2 evaluation in the F-AI – overview
F-AI CPU
Voting
Sensor 1, CH 0 F_CH_AI Logic
Evalution
1002
Sensor 2, CH 3
Using the structure shown in Figure 4-1 it is possible to achieve a maximum

of SIL3.

safety function?
Sensor 1 Sensor 2 F-AI
No No No No
X X Yes Yes
X Yes X Yes
Yes X X Yes

Entry ID: 24690377, V3.0, 08/2016 38


formula:
3
DU
2
TI2 TI
PFD1oo 2     DU 
3 2
3
The formula was taken from IEC61508, IEC 61511 and VDI 2180 Sheet 4, see Appendix

Entry ID: 24690377, V3.0, 08/2016 39
4.2 Wiring
In the 1oo2 evaluation scheme, the F-AI or an external power supply can supply
power to the sensors.
Figure 4-2 shows a wiring example for 2-wire sensors.
In the figure, the first sensor is wired to channel 0 (terminals 3 and 4) with the
second one being wired to channel 3 (terminals 12 and 13).
Figure 4-2: 1oo2 evaluation in the F-AI (wiring for two-wire sensors)
SM336;
AI 6x 0/4...20mA HART
L+ 1
1L+
M 2
1M
Vs0 3
+ 2-Draht
2-Wire
CH0 M0+ Mess-
Current
4
- umformer
Sensor
M0- 5
Vs1 6
CH1 M1+ 7
M1- 8
Vs2 9
CH2 M2+ 10
M2- 11
Vs3 12
+ 2-Draht
2-Wire
CH3 M3+ 13 Mess-
Current
- umformer
Sensor
M3- 14
Vs4 15
CH4 M4+ 16
M4- 17
Vs5 18
CH5 M5+ 19
M5- 20
Fehler! Ungültiger Eigenverweis auf Textmarke. shows a wiring example for 4-

wire sensors.
In Figure 4-3 the first sensor is wired to channel 0 (terminals 4 and 5) with
the second one being wired to channel 3 (terminals 13 and 14).

Entry ID: 24690377, V3.0, 08/2016 40
Figure 4-3: 1oo2 evaluation in the F-AI (wiring for 4-wire sensors)
SM336;
L+ 1
1L+
M 2
1M
Vs0 3
CH0 M0+ 4
+ 4-Draht
4-Wire
M0- 5 Mess-
Current
- umformer
Sensor
Vs1 6
CH1 M1+ 7
M1- 8
Vs2 9
CH2 M2+ 10
M2- 11
Vs3 12
CH3 M3+ 13
+ 4-Draht
4-Wire
M3- 14 Mess-
Current
- umformer
Sensor
Vs4 15
CH4 M4+ 16
M4- 17
Vs5 18
CH5 M5+ 19
M5- 20
Figure 4-4 shows a wiring example for 2-wire sensors with an external power
supply with Figure 4-5 showing a wiring example for 4-wire sensors with an
external power supply.
In both figures, the first sensor is wired to channel 0 (terminals 4 and 5) with the
second one being wired to channel 3 (terminals 13 and 14). You are advised to
connect the M potentials to one another.

Entry ID: 24690377, V3.0, 08/2016 41
Figure 4-4: 1oo2 evaluation in the F-AI (external power supply for two-wire sensors)
SM336;
L+ 1
1L+
M 2
1M
Vs0 3
+ 2-Draht
2-Wire
CH0 Mess-
Current + 24 V
M0+ 4
- umformer
Sensor
-
M0- 5
Vs1 6
CH1 M1+ 7
M1- 8
Vs2 9
CH2 M2+ 10
M2- 11
Vs3 12
+ 2-Draht
2-Wire
+ 24 V
CH3 M3+ 13 Mess-
Current
- umformer
Sensor -
M3- 14
Vs4 15
CH4 M4+ 16
M4- 17
Vs5 18
CH5 M5+ 19
M5- 20

Entry ID: 24690377, V3.0, 08/2016 42
Figure 4-5: 1oo2 evaluation in the F-AI (external power supply for 4-wire sensors)
SM336;
L+ 1
1L+
M 2
1M
Vs0 3
CH0 M0+ 4
+ 4-Draht
4-Wire + 24 V
M0- 5 Mess-
Current
-
- umformer
Sensor
Vs1 6
CH1 M1+ 7
M1- 8
Vs2 9
CH2 M2+ 10
M2- 11
Vs3 12
CH3 M3+ 13
+ 4-Draht
4-Wire + 24 V
M3- 14 Mess-
Current
- umformer
Sensor -
Vs4 15
CH4 M4+ 16
M4- 17
Vs5 18
CH5 M5+ 19
M5- 20

Entry ID: 24690377, V3.0, 08/2016 43

diodes
Figure 4-6 MTA


Entry ID: 24690377, V3.0, 08/2016 44

To carry out configuration, highlight the F-AI in the STEP 7 hardware catalog and
insert it into an existing ET 200M station. To make configuration easier, choose
a meaningful symbol name for the analog channel. Note that when selecting the
1oo2 signal for the F-AIs, only an analog sensor signal is made available to the
CPU logic.
You can see an example of a hardware set-up using one F-AI in Figure 4-7
The signal that consists of the two sensors (channels 0 and 3) is transferred to
the CPU on the first symbol address (EW512). You can find more information
about the HW configuration in the chapter entitled “References” under \4\.
Figure 4-7: F-AI – 1oo2 (evaluation in the F-AI) symbol editing

The parameters are grouped in Table 4-2

Entry ID: 24690377, V3.0, 08/2016 45
Figure 4-8: 1oo2 evaluation in the F-AI (hardware parameters)

Table 4-2: 1oo2 evaluation in the F-AI (parameters for hardware configuration)
or permissible
value range
F-parameter
1111111110
F_monitoring_ Monitoring time for safety-related 0...65535ms
time communication between the CPU and Default 2500ms
(ms) the F-AI.
to calculate
Module parameters
Comment:
level.

Entry ID: 24690377, V3.0, 08/2016 46

or permissible
value range
channel fault module/passivation of the channel. Channel
Comment:
With “OFF”, HART communication” Selectable
is disabled.
With “ON”, HART communication”
is enabled.
maintenance.
frequency of the A/D converter to the network that is
suppression being used.
– 20 ms at 50 Hz
– 16.66 ms at 60 Hz
Evaluation of the Activation of the channel by specifying the 1oo2 (2v2)
sensors sensor evaluation.

– Disabled
– 1oo1 (1v1)
– 1oo2 (2v2)
– Tolerance
– Standard value
channel. 4...20 mA
F_open- Selection of whether wire break monitoring Enable/disable
circuit_detection is to be carried out for the channel or not.
Discrepancy time Selection of the discrepancy time 0…30000ms
(ms)
Tolerance window Specification of the maximum difference 0.2…20.0%
% abs. between both signals
Tolerance window Specification of the maximum difference 0.2…20.0%
% rel. between both signals
Standard value Value that is passed to the CPU. Must MIN/MAX
be specified in dependence on the
downstream limit value function.
of the module.

Entry ID: 24690377, V3.0, 08/2016 47

After 1oo2 evaluation has been configured in the F-AI, it is possible to

implement the CPU logic to read an individual sensor. We have already stated that
once the F-AI is handling 1oo2 signal selection and only one analog sensor signal
of the
CPU logic is available, 1oo1 evaluation takes place in the user program. One of
the methods implementation is to use the SIMATIC Safety Matrix Engineering Tool
(for more information on this topic, see the chapter entitled “References” under \5\).
Figure 4-9 shows how to configure a cause to monitor an input TAG in the matrix.
Use the following settings:
 1 input
 Function type: Normal (1oo1 evaluation)
 Enter the signal name at Tag1 (e.g. F_TAG1001_X) or use the “I/O”
pushbutton to choose the symbol from the symbol table.
The cause is configured with function type “standard”.

Entry ID: 24690377, V3.0, 08/2016 48
– Limit value
– Prealarm
– Hysteresis

If the input TAG is fallen short of or exceeded, the cause is activated and triggers
the corresponding effect(s).

Entry ID: 24690377, V3.0, 08/2016 49
Depending on the process application, you can activate additional options

One of the configuration options that is highlighted in Figure 4-11 is switch off in
the case of a channel error. If this option is activated, a channel error is evaluated
at one of the sensor inputs as a trigger signal. Depending on the number of signals
and the function type, the cause can be activated and trigger the effect(s).


Entry ID: 24690377, V3.0, 08/2016 50
As an alternative to using the Safety Matrix Tool, you can implement the CPU logic
for reading the input signal using the STEP 7 CFC Editor. After both the sensor
signals have been added to the hardware configuration and the F-AI has carried
out 1oo2 evaluation, you can generate the evaluation logic in the CFC Editor.
Logic without evaluation of the channel error (1oo2 on the F-AI)

Figure 4-12 shows a sample logic for reading an individual input signal that in the
CFC Editor that does not take into account a channel error. Please note that this
example assumes a MAX limit value and that the evaluation logic output for

value is used if there is an error. It is not possible to predict whether this value is
above or below the limit value.

Entry ID: 24690377, V3.0, 08/2016 51

 The F-AI evaluates both sensor signals and returns a value to the F channel
driver for further-processing. Depending on the setting of the “Standard value”
parameter in the hardware configuration, this value corresponds to the higher
or lower sensor signal or &H7FFF in the case of a discrepancy.
 If the process value is in the normal range (in this case: less than 90),
 If the process value exceeds the limit value (in this case: greater than or
equal to 90), the output of the evaluation logic is 0 (i.e. trigger command).
 The output of the logic must be linked to the corresponding shutdown logic.
To create the configuration, generate an F_CH_AI F channel driver for the analog
input signal and link it to the symbol on the address with the lower address
(e.g. F_TAG1001_X on EW512). Use a limit value block (F_LIM_HL or F_LIM_LL)

an individual input signal that takes into account a channel error. Please note that

Entry ID: 24690377, V3.0, 08/2016 52

 The F-AI evaluates both sensor signals and returns a value to the F channel
driver for further-processing. Depending on the setting of the “Standard value”
or lower sensor signal or &H7FFF in the case of a discrepancy.
 If the undisturbed process value exceeds the limit value (in this case: greater
than or equal to 90), the output of the evaluation logic is 0 (i.e. trigger
command).
 If the F-AI reports a channel error, the output of the evaluation logic is 0

 Generate an F_CH_AI F channel driver for the analog input signal and link it to
the symbol on the address with the lower channel number (e.g. F_TAG1001_X
on EW512). Use a limit value block (F_LIM_HL or F_LIM_LL) to compare the
command:

– Negated value of the channel error output (QBAD) of the F channel driver

Entry ID: 24690377, V3.0, 08/2016 53
5 Structure and wiring for two sensors (1oo2) with redundant I/O modules: Evaluation in the F-AI

(1oo2) with redundant I/O modules:
Evaluation in the F-AI
To increase the availability of the I/O modules, you can implement the 2-sensor
evaluation scheme with two sensors and a pair of redundant F-AIs.
The sensors have a 1oo2 evaluation and the I/O modules have a 2oo2 evaluation.
Note The I/O modules of this architecture are certified to achieve Safety Integrity
Level SIL3. However, to be SIL-compliant, the entire safety instrumented
function – including the field devices – must be evaluated according to
IEC 61508 / IEC 61511.
In the redundant 1oo2 architecture, two sensors are wired to a redundant pair of
F-AIs. Figure 5-1 shows a block diagram.
In the figure, the first sensor is wired to channel 0 with the second one being wired
to channel 3 of both modules. The modules are configured as redundant in the
HW Config. Each F-AI carries out 1oo2 1oo2 evaluation of both sensors. Only
one analog F-channel driver is supported. The F-Channel driver selects from the
incoming analog signals.
Figure 5-1: F-AI redundant module – 1oo2 (evaluation in the F-AI) – overview
F-AI
Sensor 1, CH 0
Evalution
1002
Ch0...5
Sensor 2, CH 3 CPU
Voting
F_CH_AI Logic
F-AI
Evalution
1002
Ch0...5
The set-up shown in Figure 5-1 is suitable for achieving SIL3.


Entry ID: 24690377, V3.0, 08/2016 54

safety function?
Sensor 1 Sensor 2 F-AI 1 F-AI 2
No No No X No
No No X No No
X Yes X X Yes
Yes X X X Yes
X X Yes Yes Yes


You calculate the PFD value for this architecture of wiring and evaluation using
this formula:
4
DU
2
TI2 TI
PFD1oo 2     DU 
3 2
4

Entry ID: 24690377, V3.0, 08/2016 55
5.2 Wiring
An example of the 1oo1 evaluation scheme with redundant F-AI is shown in

Figure 5-2
The first sensor is wired to channel 0 (terminals 3, 4, 5) with the second one being
wired to channel 3 (terminals 12, 13, 14) of both F-AIs.
Note that this architecture additionally needs two Zener diodes for each sensor.
The first Zener diode has a breakdown voltage of 6.2 V and the second one has
a breakdown voltage of 5.6 V. Apart from this, two diodes each are used to
decouple the power supply. The diodes and Zener diodes are needed for cases
in which an F-AI is out of service (e.g. in the case of a module failure, routine
maintenance, etc.)
Figure 5-2: F-AI redundant module – 1oo2 (evaluation in the F-AI) – wiring
SM336; SM336;
L+ 1 1 L+
1L+ 1L+
M 2 2 M
1M 1M
Vs0 3 3 Vs0
+ 2-Draht
2-Wire
CH0 M0+ Mess-
Current M0+ CH0
4 4
- umformer
Sensor 5 M0-
M0- 5
Vs1
Vs1 6 6
CH1 M1+ 7 M1+ CH1

7
M1- 8 8 M1-
Vs2 9 9 Vs2
CH2 M2+ 10 10 M2+ CH2
M2- 11 11 M2-
Vs3 12 12 Vs3
+ 2-Wire
2-Draht
CH3 M3+ 13
Mess-
Current 13 M3+ CH3
- umformer
Sensor
M3- 14 14 M3-
Vs4 15 15 Vs4
CH4 M4+ 16 16 M4+ CH4
M4- 17 17 M4-
Vs5 18 18 Vs5
CH5 M5+ 19 19 M5+ CH5
M5- 20 20 M5-

Entry ID: 24690377, V3.0, 08/2016 56

diodes
Figure 5-3: MTA


Entry ID: 24690377, V3.0, 08/2016 57

For the 1oo2 evaluation scheme with evaluation in the redundant F-AIs, the F-AIs
are configured in STEP 7 HW Config.
Figure 5-4 shows an example of a hardware configuration. An ET 200M with
PROFIBUS address 3 and a second ET 200M with PROFIBUS address 4 are
used. Each ET 200M includes one F-AI in slot 4. You can find more information
about the HW configuration in the chapter entitled “References” under \4\.
Figure 5-4: Redundant F-AI – 1oo2 (evaluation in the F-AI) design diagram
access the F-AI redundancy settings via the object properties of one of the F-AIs
in each case.
In the example of the hardware set-up shown in Figure 5-4 the redundancy
setting is made using the F-AI that is in the ET 200M with PROFIBUS address 3.
Figure 5-5 shows the interface for the redundancy settings with Table 5-2 grouping
the settings.

Entry ID: 24690377, V3.0, 08/2016 58
Figure 5-5: Redundant F-AI – 1oo2 evaluation in the F-AI (redundancy parameters)
Table 5-2: Redundant module – 1oo2 evaluation in the F-AI (redundancy parameters))
or permissible
value range
Redundancy Indication of whether or not the F-AI Two modules/
Comment:
For redundancy, you must set the
parameter on two modules/assemblies.
Redundant module This is used to choose the redundant
partner module.
the names of the parameters and the configuration window may differ from the
of the module.
After making the redundancy settings, you can set the rest of the hardware
parameters for the redundant F-AI as described at the end of Section 4.3
The settings are applied automatically on the redundant partner.

Entry ID: 24690377, V3.0, 08/2016 59

Even though this evaluation scheme uses redundant F-AIs, only one F_CH_AI
F channel driver is needed in the logic configuration. It is possible to add and
configure the F channel driver either automatically by means of the SIMATIC
Safety Matrix or manually using the STEP 7 CFC Editor. In both cases, the F
channel driver must be linked to the analog sensor signal of the F-AI with the lower
I/O address.
When you have configured the F channel driver and the evaluation logic is
complete, the system compiles the logic. If the option to generate module drivers
is activated at compilation, then the system automatically adds and configures the
corresponding F_PS_12 module drivers to the logic at compilation. The F channel
driver selects the valid signal and switches to the signal of the redundant module
if there is a disturbance. The driver does not carry out delta monitoring of the
redundant signals.
After 1oo2 evaluation has been configured in the F-AI, it is possible to

implement the CPU logic to read an individual sensor. One of the methods
implementation is to use the SIMATIC Safety Matrix Engineering Tool (for more
information on this topic, see the chapter entitled “References” under \5\).
The actual evaluation logic for the 1oo2 evaluation scheme using redundant F-AIs
is the same as is described in section 4.4.1 (Configuring using Safety Matrix).

Entry ID: 24690377, V3.0, 08/2016 60
As an alternative to using the Safety Matrix Tool, you can implement the CPU logic
for reading the input signal using the STEP 7 CFC Editor. After the F-AI has carried
out 1oo2 evaluation, you can generate the evaluation logic in the CFC Editor.
Logic without evaluation of the channel error (1oo2 on the F-AI)Figure 5-6 shows a
sample logic for reading an individual input signal that in the CFC Editor that does
not take into account a channel error. Please note that this example assumes a
MAX limit value and that the evaluation logic output for reaching the safe state is
switched off (normal state = 1, safe state = 0).

Entry ID: 24690377, V3.0, 08/2016 61

 The redundant F-AI evaluates both sensor signals and returns a value to the
CPU for further-processing. Depending on the setting of the “Standard value”
or lower value of one of the sensors or &H7FFF in the case of a discrepancy.
 The F_CH_AI F channel driver evaluates both sensor signals and returns
a value to the logic for further-processing.
 If the process value exceeds the limit value (in this case: greater than or equal
To create the configuration, generate an F_CH_AI F channel driver for the analog
input signal and link it to the symbol on the F-AI with the lower channel number
(e.g. F_TAG1001_X on EW512). Use a limit value block (F_LIM_HL or F_LIM_LL)

Figure 5-7 shows a sample logic that was created in the CFC Editor for reading an
input signal that takes into account a channel error. Please note that this example
assumes a MAX limit value and that the evaluation logic output for reaching the
safe state is switched off (normal state = 1, safe state = 0).
Figure 5-7: CFC logic – Channel error evaluation

Entry ID: 24690377, V3.0, 08/2016 62

 The F-AI evaluates both sensor signals and returns a value to the CPU for
further-processing. Depending on the setting of the “Standard value” parameter
in the hardware configuration, this value corresponds to the higher or lower
value of one of the sensors or &H7FFF in the case of a discrepancy.
 If the undisturbed process value exceeds the limit value (in this case: greater
than or equal to 90), the output of the evaluation logic is 0 (i.e. trigger
command).
 If both F_AIs report a channel error, the output of the evaluation logic is 0

 Generate an F_CH_AI F channel driver for the analog input signal and link it
to the symbol on the F-AI with the lower channel number (e.g. F_TAG1001_X
on EW512). Use a limit value block (F_LIM_HL or F_LIM_LL) to compare the
command:

Negated value of the channel error output (QBAD) of the F channel driver

Entry ID: 24690377, V3.0, 08/2016 63
6 Structure and wiring for two sensors (1oo2) Evaluation in the user program

(1oo2) Evaluation in the user program
The 2-sensor or 1oo2 evaluation scheme refers to applications that need two
sensors to achieve the required Safety Integrity Level. 1oo2 evaluation means
that only one of the two sensors must fail for the safety function to be triggered.
By contrast with evaluation in the F-AI, evaluation in the user program is carried
out to have available the visibility of both signals and their quality in the application
logic. This makes possible more flexible evaluation schemes (e.g. 1oo2D or 2oo2).
Note This architecture can achieve Safety Integrity Level SIL3. However, to be SIL-
compliant, the entire safety instrumented function – including the field devices –
We recommend two fundamentally different 1oo2 architectures as options:

 Option 1:
As shown in Figure 6-1 both sensors are wired to one F-AI. In this figure, one
sensor is wired to channel 0 of the F-AI with the second one being wired to its
channel 3.
 Option 2:
As shown in Figure 6-2 both sensors are wired to two F-AIs. In this figure, one
sensor is wired to channel 0 of the first F-AI with the second one being wired
to channel 0 of the second F-AI.

Entry ID: 24690377, V3.0, 08/2016 64
6.1 Option 1
Figure 6-1: 1oo2 evaluation in the user program
F -AI
Ch 0..5
Sensor 1
0
CPU
Sensor 2
3
F _CH _ AI 1oo 2
Voting
Logic


safety function?
Sensor 1 Sensor 2 F-AI
No No No No
X Yes X Yes
Yes X X Yes
X X Yes Yes

Entry ID: 24690377, V3.0, 08/2016 65
6.1.1 Calculation of PFD (option 1)


formula:
5
DU
2
TI2 TI
PFD1oo 2     DU 
3 2
6.2 Option 2
Figure 6-2: 1oo2 evaluation in the user program

F-AI
Ch 0..5
Sensor 1
0
CPU
F_CH_AI 1oo2
Voting
Logic
F-AI
Ch 0..5
Sensor 2
0
5

Entry ID: 24690377, V3.0, 08/2016 66

safety function?
No No No No No
X X X Yes Yes
X X Yes X Yes
X Yes X X Yes
Yes X X X Yes
6.2.1 Calculation of PFD (option 2)


formula:
6
DU
2
TI2 TI
PFD1oo 2     DU 
3 2
6

Entry ID: 24690377, V3.0, 08/2016 67
6.3 Wiring
The illustrations below show the wiring for 2-wire and 4-wire transmitters that
supplied via the F-AI or an external power supply.
In the illustrations below, the transmitters are wired to two channels of one F-AI.
The first sensor is wired to channel 0 (terminals 3, 4, 5 – bridge to 1M) with the
second one being wired to channel 3 (terminals 12, 13, 14 – bridge to 1M).
Power is supplied to the F-AI via 1L+/1M (terminals 1 and 2); depending on the
channel, the power of the sensors is supplied via Vs0... Vs5 (terminals 3, 6, 9, 12, 15,
18) or by an external power supply.
Figure 6-3: 2-wire transmitter (with own power supply)

2-Wire
Current
Sensor
2-Wire
Current
Sensor

Entry ID: 24690377, V3.0, 08/2016 68
SM336;
L+ 1
1L+
M 2
1M
Vs0 3
+ 2-Draht
2-Wire
CH0 M0+ Current
Mess-
4
- Sensor
umformer
M0- 5
Vs1 6
CH1 M1+ 7
M1- 8
Vs2 9
+ 2-Draht
2-Wire
CH2 M2+ 10 Mess-
Current
- Sensor
umformer
M2- 11
Vs3 12
CH3 M3+ 13
M3- 14
Vs4 15
CH4 M4+ 16
M4- 17
Vs5 18
CH5 M5+ 19
M5- 20

Entry ID: 24690377, V3.0, 08/2016 69

SM336;
L+ 1
1L+
M 2
1M
Vs0 3
CH0 M0+ 4 4-Draht
+ 4-Wire
M0- 5
Mess-
Current
- umformer
Sensor
Vs1 6
CH1 M1+ 7
M1- 8
Vs2 9
CH2 M2+ 10
+ 4-Draht
4-Wire
Mess-
Current
M2- 11 - umformer
Sensor
Vs3 12
CH3 M3+ 13
M3- 14
Vs4 15
CH4 M4+ 16
M4- 17
Vs5 18
CH5 M5+ 19
M5- 20

Entry ID: 24690377, V3.0, 08/2016 70
4-Wire
Current
Sensor
4-Wire
Current
Sensor

Entry ID: 24690377, V3.0, 08/2016 71
Figure 6-5 shows an example in which an external power supply is used with 2-wire
sensors:
Figure 6-5: 2-wire transmitter supplied externally

SM336;
L+ 1
1L+
M 2
1M
Vs0 3
+ 2-Draht
2-Wire
+ 24 V
CH0 M0+ 4 Mess-
Current
- umformer
Sensor -
M0- 5
Vs1 6
CH1 M1+ 7
M1- 8
Vs2 9
+ 2-Draht
2-Wire
+ 24 V
CH2 M2+ 10 Mess-
Current
- umformer
Sensor
-
M2- 11
Vs3 12
CH3 M3+ 13
M3- 14
Vs4 15
CH4 M4+ 16
M4- 17
Vs5 18
CH5 M5+ 19
M5- 20

Entry ID: 24690377, V3.0, 08/2016 72
2-Wire
Current
Sensor
2-Wire
Current
Sensor

Entry ID: 24690377, V3.0, 08/2016 73
Figure 6-6 shows an external voltage source with 4-wire sensors.
Figure 6-6: 4-wire transmitter (supplied externally)

SM336;
L+ 1
1L+
M 2
1M
Vs0 3
CH0 M0+ 4
+ 4-Draht
4-Wire + 24 V
M0- 5 Mess-
Current
-
- umformer
Sensor
Vs1 6
CH1 M1+ 7
M1- 8
Vs2 9
CH2 M2+ 10
+ 4-Draht
4-Wire + 24 V
M2- 11 Mess-
Current -
- umformer
Sensor
Vs3 12
CH3 M3+ 13
M3- 14
Vs4 15
CH4 M4+ 16
M4- 17
Vs5 18
CH5 M5+ 19
M5- 20

Entry ID: 24690377, V3.0, 08/2016 74
4-Wire
Current
Sensor
4-Wire
Current
Sensor

Entry ID: 24690377, V3.0, 08/2016 75

diodes
Figure 6-7: MTA


Entry ID: 24690377, V3.0, 08/2016 76

To carry out configuration, highlight the F-AI in the HW Config hardware catalog
and insert it into an existing ET 200M station. To make configuration easier,
choose meaningful symbol names for the channels.
You can see an example of a hardware set-up using one F-AI in Figure 6-8 In this
example, the two sensor signals are wired to the first two channels of the F-AI.
Note that the use of an F-AI MTA does not need special consideration of the
software configuration.
Figure 6-8
operating the F-AI (see Figure 6-9 and Figure 6-10).

Entry ID: 24690377, V3.0, 08/2016 77
The parameters are grouped in Table 6-3
Figure 6-9: Parameters part 1

Figure 6-10: Parameters part 2

Entry ID: 24690377, V3.0, 08/2016 78
Table 6-3: 1oo2 evaluation in the user program (parameters for hardware configuration)
or permissible
value range
F-parameter
1111111110
F_monitoring_ Monitoring time for safety-related 0...65535ms
time communication between the CPU and the Default 2500ms
(ms) F-AI.
to calculate
Module parameters
Comment:

level.
Behavior after channel Passivation of the entire Module/
faults module/passivation of the channel. Channel
Comment:
With “OFF”, HART communication” Selectable
is disabled.
With “ON”, HART communication”
is enabled.
maintenance.
Interference frequency Selection for balancing the integration time 50/60 Hz
suppression of the A/D converter to the network that is
(Hz) being used.
The integration time is:
– 20 ms at 50 Hz
– 16.66 ms at 60 Hz
Evaluation of Activation of the channel by specifying 1oo1 (1v1)
the sensors the sensor evaluation.
– Disabled
– 1oo1 (1v1)
– 1oo21 (2v2)
– Tolerance
– Standard value

Entry ID: 24690377, V3.0, 08/2016 79

or permissible
value range
channel. 4...20 mA
F_open- Selection of whether wire break monitoring Enable/disable
circuit_detection is to be carried out for the channel or not.
of the module.

Entry ID: 24690377, V3.0, 08/2016 80

After the sensor signals for hardware configuration have been added, you can
implement the 1oo2 evaluation logic in the user program. One of the options
for doing this is to use the SIMATIC Safety Matrix Engineering Tool (for more
Figure 6-11 shows how to configure a cause for 1oo2 evaluation in the matrix. Use
the following settings:
 2 inputs
 Function type: OR (1oo2)
 You must enter Tag1 and Tag2 and they should match the symbolic I/O name
of the encoder (e.g. F_TAG1001_X and F_TAG1002_X). You can make the
input by selecting the signal from the symbol table. To do this, use the “I/O”
key.
The cause is configured with function type OR (1oo2). If at least one encoder
matches for triggering, the cause is activated and triggers the corresponding
effect(s).
Figure 6-11: 1oo2 evaluation in the user program (Safety Matrix – configuration)

Entry ID: 24690377, V3.0, 08/2016 81
– Limit value
– Prealarm
– Hysteresis
– Delta
Figure 6-12: 1oo2 evaluation in the user program (Safety Matrix – analog parameters)
Depending on the process application, there are additional available attributes

One of the configuration options that is highlighted in Figure 6-13 is switch-off
behavior in the case of a channel error. If this option is activated, a channel error
on a sensor input has the effect of a limit value violation. In the case of an OR
(1oo2), with a channel error and the option activated, then the system activates
the cause and it triggers the corresponding effect(s).

Entry ID: 24690377, V3.0, 08/2016 82
Figure 6-13: 1oo2 evaluation in the user program (Safety Matrix – options)
As an alternative to using the Safety Matrix Tool, you can implement the 1oo2
evaluation logic for the input signals using the STEP 7 CFC Editor. After the sensor
signals for hardware configuration have been added, you can generate the 1oo2
evaluation logic using the CFC Editor.
Note that by using the corresponding logic blocks, you can also implement 2oo2
evaluation in the user program.

Entry ID: 24690377, V3.0, 08/2016 83
Figure 6-14 shows a sample logic that was created in the CFC Editor for 1oo2
evaluation that does not take into account the channel errors.
Please note that this example assumes a MAX limit value and that the evaluation
logic output for reaching the safe state is switched off (normal state = 1, safe
state = 0).

The sample logic in

 If both analog sensors return a process value in the normal range (in this case
a process value of less than 90), the output of the evaluation logic is 1 (i.e. no
trigger command).
 If the process value of one or both analog sensors exceeds the limit value
(in this case, a process value greater than or equal to 90), the output of the
evaluation logic is 0 (i.e. trigger command).

Entry ID: 24690377, V3.0, 08/2016 84

 Create an F_CH_AI channel driver for the first analog sensor and link it to
the address of the sensor that is linked to the F-AI (e.g. F_TAG1001_X on
 Create an F_CH_AI channel driver for the second analog
sensor and link it to the address of the sensor that is linked to the F-AI (e.g.
 Logically AND the negated output values of the limit value blocks (QHN or
QLN).
Figure 6-15 shows a sample logic that was created in the CFC Editor for 1oo2D
evaluation that takes into account the channel errors.
logic output for reaching the safe state is switched off (normal state = 1, safe state
= 0).
The sample logic in

 If both analog sensors return a process value in the normal range without
channel errors (in this case a process value of less than 90), the output of
the evaluation logic is 1 (i.e. no trigger command).

Entry ID: 24690377, V3.0, 08/2016 85
(in this case, a process value greater than or equal to 90) and the sensor does
not report a channel error, the output of the evaluation logic is 0 (i.e. trigger
command).
 If at least one of the two analog sensors reports a channel error, the output of
the evaluation logic is 0 (i.e. trigger command).

 Create an F_CH_AI F channel driver for the first analog sensor and link it to
the address of the sensor that is linked to the F-AI (e.g. F_TAG1001_X on
 Create an F_CH_AI F channel driver for the second analog sensor and link it
to the address of the sensor that is linked to the F-AI (e.g. F_TAG1002_X on
 Logically AND the three outputs of the subsequent logic to generate the signal
for the -trigger command:
– Use the negated output of the limit value block (QHN or QLM) of the first
F channel driver.
– Use the negated output of the limit value block (QHN or QLM) of the
second F channel driver.
– Use an OR block to link outputs QBAD of both F channel drivers and use
the output signal (OUTN) of the OR block.

Entry ID: 24690377, V3.0, 08/2016 86
7 Structure and wiring for two sensors (1oo2) with redundant I/O modules: Evaluation in the user
program

Evaluation in the user program
To increase the availability of the I/O modules, you can implement the 2-sensor
evaluation scheme using two sensors and a pair of redundant F-AIs.
Note The I/O modules of this architecture are certified to achieve Safety Integrity Level
SIL3. However, to be SIL-compliant, the entire safety instrumented function –
including the field devices – must be evaluated according to IEC 61508 / IEC
61511.
In the redundant 2(1oo2) architecture, two sensors are wired to a redundant pair of
F-AIs. Figure 7-1 shows a block diagram.
In the Figure, the first sensor is wired to channel 0 of both F-AIs. The second
sensor is wired to channel 1 of both F-AIs. The F-AIs are configured as redundant
modules in the HW Config. Only one analog input channel driver block is needed
per sensor. The driver block selects one signal from the incoming signals of the
redundant F-AI.
Figure 7-1: 2(1oo2) evaluation in the user program (redundant module)

F-AI
Ch0...5
Sensor 1, CH 0 0
CPU
1
1oo2
F_CH_AI
Voting
Logic
F-AI
Ch0...5
0
Sensor 2, CH 1 1


Entry ID: 24690377, V3.0, 08/2016 87
program

safety function?
No No No X No
No No X No No
Yes X X X Yes
X Yes X X Yes
X X Yes Yes Yes
Note Redundancy does not increase the Safety Integrity Level


formula:
7
DU
2
TI2 TI
PFD1oo 2     DU 
3 2
7

Entry ID: 24690377, V3.0, 08/2016 88
program
7.2 Wiring
A simplified example of the 2(1oo2) evaluation scheme with evaluation in the user
program and redundant F-AI is shown in Figure 7-2 The first sensor is wired to
channel 0 (terminals 3, 4, 5) of both F-AIs with the second one being wired to
channel 1 (terminals 6, 7, 8) of both F-AIs.
Note that this architecture additionally needs two Zener diodes for each sensor.
The first Zener diode has a breakdown voltage of 6.2 V and the second one
has a breakdown voltage of 5.6 V. Apart from this, two diodes each are used to
decouple the power supply. The diodes and Zener diodes are needed for cases
in which one of the F-AIs is out of service (e.g. in the case of a module failure,
routine maintenance, etc.)
Figure 7-2: 2(1oo2) evaluation in the user program (redundant F-AI)

SM336; SM336;
L+ 1 1 L+
1L+ 1L+
M 2 2 M
1M 1M
Vs0 3 3 Vs0
+ 2-Wire
2-Draht
CH0 M0+ 4 Current
Mess- 4
M0+ CH0
- umformer
Sensor
M0- 5 M0-
5
Vs1
Vs1 6 6
CH1 M1+ 7 M1+ CH1

7
M1- 8 8 M1-
+ 2-Wire
2-Draht
Vs2 9 Current
Mess- 9 Vs2
- umformer
CH2 M2+ 10 Sensor 10 M2+ CH2
M2- 11 11 M2-
Vs3 12 12 Vs3
CH3 M3+ 13 13 M3+ CH3
M3- 14 14 M3-
Vs4 15 15 Vs4
CH4 M4+ 16 16 M4+ CH4
M4- 17 17 M4-
Vs5 18 18 Vs5
CH5 M5+ 19 19 M5+ CH5
M5- 20 20 M5-

diodes

Entry ID: 24690377, V3.0, 08/2016 89
program
Figure 7-3: MTA


For the 2(1oo2) evaluation scheme with evaluation in the user program and
redundant F-AIs, the F-AIs themselves are configured in STEP 7 HW Config.
Figure 7-4 shows an example of a hardware set-up.
In this example, there is an ET 200M (with IM153-2 PROFIBUS interface module)
with PROFIBUS address 3 and a second ET 200M with PROFIBUS address 4.
Each ET 200M includes one F-AI in slot 4.

Entry ID: 24690377, V3.0, 08/2016 90
program
Figure 7-4: 2(1oo2) evaluation in the user program (redundant module) –

Installation plan
access the F-AI redundancy settings via the object properties of one of the F-AIs in
each case.
You can find more information about HW in the chapter entitled “References”
under \4\.
In Figure 7-4 the redundancy setting is made using the F-AI that is in the ET 200M
with PROFIBUS address 3. The settings are grouped in Table 7-2

Entry ID: 24690377, V3.0, 08/2016 91
program
Figure 7-5: 2(1oo2) evaluation in the user program (redundant F-AI) –

redundancy parameters
Table 7-2: 2(1oo2) evaluation in the user program (redundant F-AI) – redundancy
parameters
Parameters Description/recommendations Desired setting or
permissible value
range
Redundancy Indication of whether or not the F-AI 2 modules/
Comment:
For redundancy, you must set the parameter
on two modules/assemblies.
Redundant This is used to choose the redundant partner
module module
of the module.
parameters in one of the redundant F-AIs. The system automatically applies
the settings on the redundant assembly.

Entry ID: 24690377, V3.0, 08/2016 92
program

Even though this evaluation scheme uses redundant F-AIs, only one F_CH_AI F
channel driver is needed in the logic configuration (one F channel driver for each
of the two sensors). It is possible to add and configure the F channel drivers either
automatically by means of the SIMATIC Safety Matrix or manually using the
STEP 7 CFC Editor. In both cases, the drivers must be linked to the analog
sensor signal of the F-AI with the lower I/O address.
When you have configured the F channel drivers and the evaluation logic is
complete, the system compiles the logic.
If the option to generate module drivers is activated at compilation, then the system
automatically adds and configures the corresponding F_PS_12 module drivers to
the logic at compilation. The F channel driver selects the valid signal and switches
to the signal of the redundant module if there is a disturbance. The driver does not
carry out delta monitoring of the redundant signals.
After the sensor signals for hardware configuration have been added, you can
implement the 1oo2 evaluation logic in the user program. One of the options
The actual evaluation logic for the 2(1oo2) evaluation scheme with evaluation
in the user program and redundant F-AIs is the same as described
in Section 6.5.1 (Configuring using Safety Matrix).

Entry ID: 24690377, V3.0, 08/2016 93
program
evaluation logic for the input signals using the STEP 7 CFC Editor. After the sensor
Note that by using the corresponding logic blocks, you can also implement 2oo2
evaluation in the user program.
Figure 6-14 shows a sample logic that was created in the CFC Editor for 1oo2
evaluation that does not take into account the channel errors.
state = 0).

Entry ID: 24690377, V3.0, 08/2016 94
program

 If both analog sensors return a process value in the normal range (in this
case a process value of less than 90), the output of the evaluation logic is 1
(i.e. no trigger command).

 Generate an F_CH_AI channel driver for the first analog sensor and link it
 Generate an F_CH_AI channel driver for the second analog
sensor and link it to the symbol on the F-AI with the lower address (e.g.
 Logically AND the negated output values of the limit value blocks (QHN or
QLN).

Figure 7-7 shows a sample logic that was created in the CFC Editor for 1oo2D
evaluation that takes into account the channel errors.
state = 0).

Entry ID: 24690377, V3.0, 08/2016 95
program


 If both analog sensors return a process value in the normal range without
 If at least one of the two analog sensors reports a channel error, the output
of the evaluation logic is 0 (i.e. trigger command).

 Create an F_CH_AI F channel driver for the first analog sensor and link it
EW512). Use a limit value block (F_LIM_HL or F_LIM_LL) to compare
the signal to the triggering limit value.
 Generate an F_CH_AI channel driver for the second analog sensor and link
it to the symbol on the F-AI with the lower address (e.g. F_TAG1002_X on
 Logically AND the three outputs of the subsequent logic to generate the signal
for the -trigger command:
– Use the negated output of the limit value block (QHN or QLM) of the first
channel driver block.
– Use the negated output of the limit value block (QHN or QLM) of the
second channel driver block.
– Use an OR block to link outputs QBAD of both channel driver blocks and
use the output signal (OUTN) of the OR block.

Entry ID: 24690377, V3.0, 08/2016 96
8 Structure and wiring for three sensors (1oo3) Evaluation in the user program
8 Structure and wiring for three sensors

(1oo3) Evaluation in the user program
The three-sensor (or 2oo3 evaluation scheme) refers to applications that need
two sensors to achieve the required Safety Integrity Level and a third one for higher
availability. 2oo3 evaluation means that two of the three sensors must trigger.
Note The I/O modules in this architecture are certified for Safety Integrity Level SIL3.
The 2oo3 basic architecture with evaluation in the user program uses three
sensors and three F-AIs. Figure 8-1 shows a block diagram. In the Figure, each
sensor is wired to channel 0 of one F-AI. In this example, the F-AIs are installed
in one ET 200M.
Please note that, due to the system flexibility, other architectures are possible,
which differ from the described variants with regard to the availability of the
modules and the ET 200M racks, e.g.:
 Lower availability:
All three sensors are connected to one assembly.
 Similar availability of the assemblies:
All three sensors are connected to two assemblies that are redundant from
one another. The two assemblies are installed in the same ET 200M Rack
(see chapter 9).
 Higher availability of the assemblies and ET 200M Racks:
All three sensors are connected to two assemblies that are redundant from
one another. The two assemblies are installed in different ET 200M Racks.
 Higher availability of the assemblies and ET 200M Racks:
Each sensor is connected to one assembly. The assemblies are installed in
different ET 200M Racks.

Entry ID: 24690377, V3.0, 08/2016 97
Figure 8-1: 2oo3 – Overview

F-AI
Ch 0..5
Sensor 1
0
F-AI
Ch 0..5
Sensor 2 CPU
0
F_CH_AI 2oo3
Voting
Logic
F-AI
Ch 0..5
Sensor 3

Entry ID: 24690377, V3.0, 08/2016 98

safety function?
Sensor Sensor Sensor F-AI 1 F-AI 2 F-AI 3
1 2 3
Yes No No Yes No No No
No Yes No Yes
No No Yes Yes
No Yes No Yes No No Yes
No Yes No No
No No Yes Yes
No No Yes Yes No No Yes
No Yes No Yes
No No Yes No
X Yes Yes X X X Yes
Yes X Yes
Yes Yes X
X X X X Yes Yes
Yes X Yes
Yes Yes X


formula:
8
TI
PFD2 oo 3  DU
2
TI2    DU 
2
8

Entry ID: 24690377, V3.0, 08/2016 99
8.2 Wiring
Figure 8-2 shows a wiring example for 2-wire sensors and
Figure 8-3 shows a wiring example for 4-wire sensors.
In both Figures, each transmitter is wired to channel 0 of one F-AI.
Figure 8-2: 2oo3 wiring for 2-wire sensors.

2-Wire
2-Draht- 2-Wire
2-Draht- 2-Wire
2-Draht-
Current
Mess- Current
Mess- Current
Mess-
Sensor
Umformer Sensor
Umformer Sensor
Umformer
+ - + - + -
SM336; SM336; SM336;

AI 6x 0/4...20mA HART AI 6x 0/4...20mA HART AI 6x 0/4...20mA HART
1L+ 1L+ 1L+
L+ 1 L+ 1 L+ 1
M
M 2 M 2 M M 2 M
Vs0 3 Vs0 3 Vs0 3
CH0 M0+ CH0 M0+ CH0 M0+

4 4 4
M0- 5 M0- 5 M0- 5
Vs1 6 Vs1 6 Vs1 6

CH1 M1+ 7 CH1 M1+ 7 CH1 M1+ 7
M1- 8 M1- 8 M1- 8
Vs2 9 Vs2 9 Vs2 9
CH2 M2+ 10 CH2 M2+ 10 CH2 M2+ 10
M2- 11 M2- 11 M2- 11
Vs3 12 Vs3 12 Vs3 12
CH3 M3+ 13 CH3 M3+ 13 CH3 M3+ 13
M3- 14 M3- 14 M3- 14
Vs4 15 Vs4 15 Vs4 15
CH4 M4+ 16 CH4 M4+ 16 CH4 M4+ 16
M4- 17 M4- 17 M4- 17
Vs5 18 Vs5 18 Vs5 18
CH5 M5+ 19 CH5 M5+ 19 CH5 M5+ 19
M5- 20 M5- 20 M5- 20

Entry ID: 24690377, V3.0, 08/2016 100
Figure 8-3: 2oo3 wiring for 4-wire sensors.

SM336;
1L+
L+ 1
M
M 2
Vs0 3
CH0 M0+ 4 4-Draht-

4-Wire
+ Mess-
Current
M0- 5 - umformer
Sensor
Vs1 6
CH1 M1+ 7
SM336;
M1- 8 AI 6x 0/4...20mA HART
L+ 1 1L+
Vs2 9
M 2 M
CH2 M2+ 10
Vs0 3
CH0 M0+ 4-Wire

4-Draht-
4
M2- 11
+ Current
Mess-
M0- 5 - umformer
Vs3 12 Sensor
Vs1 6
CH3 M3+ 13
CH1 M1+ 7
M3- 14
SM336;
M1- 8 AI 6x 0/4...20mA HART
Vs4 15 1L+
L+ 1
Vs2 9
CH4 M4+ 16
M 2 M
CH2 M2+ 10
M4- 17
Vs0 3
Vs5 18 CH0 4-Wire
M0+ 4 4-Draht-
M2- 11
CH5
+ Current
Mess-
M5+ 19
Vs3 12
M0- 5 - Sensor
umformer
M5- 20
Vs1 6
CH3 M3+ 13
CH1 M1+ 7
M3- 14
M1- 8
Vs4 15
Vs2 9
CH4 M4+ 16
CH2 M2+ 10
M4- 17
Vs5 18
M2- 11
CH5 M5+ 19
Vs3 12
M5- 20
CH3 M3+ 13
M3- 14
Vs4 15
CH4 M4+ 16
M4- 17
Vs5 18
CH5 M5+ 19
M5- 20

Entry ID: 24690377, V3.0, 08/2016 101
Figure 8-4 shows a wiring example for 2-wire sensors with an external power
supply with Figure 8-5 showing a wiring example for 4-wire sensors with an
external power supply.
In both Figures, each transmitter is wired to channel 0 of one F-AI.
Figure 8-4: 2oo3 wiring for 2-wire sensors (external power supply)
2-Wire
2-Draht- 2-Wire
2-Draht- 2-Wire
2-Draht-
M Current
Mess- M Current
Mess- M Current
Mess-
Sensor
Umformer Umformer
Sensor Sensor
Umformer
2L+ 2L+ 2L+
+ - + - + -
SM336; SM336; SM336;

AI 6x 0/4...20mA HART AI 6x 0/4...20mA HART AI 6x 0/4...20mA HART
1L+ 1L+ 1L+
L+ 1 L+ 1 L+ 1
M
M 2 M 2 M M 2 M
Vs0 3 Vs0 3 Vs0 3
CH0 M0+ CH0 M0+ CH0 M0+

4 4 4
M0- 5 M0- 5 M0- 5
Vs1 6 Vs1 6 Vs1 6
CH1 M1+ 7 CH1 M1+ 7 CH1 M1+ 7
M1- 8 M1- 8 M1- 8
Vs2 9 Vs2 9 Vs2 9

CH2 M2+ 10 CH2 M2+ 10 CH2 M2+ 10
M2- 11 M2- 11 M2- 11
Vs3 12 Vs3 12 Vs3 12
CH3 M3+ 13 CH3 M3+ 13 CH3 M3+ 13
M3- 14 M3- 14 M3- 14
Vs4 15 Vs4 15 Vs4 15
CH4 M4+ 16 CH4 M4+ 16 CH4 M4+ 16
M4- 17 M4- 17 M4- 17
Vs5 18 Vs5 18 Vs5 18
CH5 M5+ 19 CH5 M5+ 19 CH5 M5+ 19
M5- 20 M5- 20 M5- 20

Entry ID: 24690377, V3.0, 08/2016 102
Figure 8-5: 2oo3 wiring for 4-wire sensors (external power supply)
SM336;
1L+
L+ 1
M
M 2
Vs0 3
CH0 M0+ 4
+ 4-Wire
4-Draht- 2L+
Mess-
Current
M0- 5
- umformer
Sensor M
Vs1 6
CH1 M1+ 7
SM336;
M1- 8 AI 6x 0/4...20mA HART
L+ 1 1L+
Vs2 9
M 2 M
CH2 M2+ 10
Vs0 3
CH0
M2- 11
M0+ 4
+
4-Wire
4-Draht- 2L+
Current
Mess-
M0- 5
Vs3 12 - umformer
Sensor M
Vs1 6
CH3 M3+ 13
CH1 M1+ 7
M3- 14
SM336;
M1- 8 AI 6x 0/4...20mA HART
Vs4 15 1L+
L+ 1
Vs2 9
CH4 M4+ 16
M 2 M
CH2 M2+ 10 2L+
M4- 17
Vs0 3
Vs5 18 CH0
11
M0+ 4 4-Wire
4-Draht-
M2- +
CH5 M5+ 19 Current
Mess-
M0- 5
Vs3 12 - umformer
Sensor
M5- 20
Vs1 6
CH3 M3+ 13 M
CH1 M1+ 7
M3- 14
M1- 8
Vs4
15
Vs2 9
CH4 M4+ 16
CH2 M2+ 10
M4- 17
Vs5 18
M2- 11
CH5 M5+ 19
Vs3 12
M5- 20
CH3 M3+ 13
M3- 14
Vs4 15
CH4 M4+ 16
M4- 17
Vs5 18
CH5 M5+ 19
M5- 20

Entry ID: 24690377, V3.0, 08/2016 103

The three F-AIs that are needed for the 2oo3 evaluation scheme are configured
in STEP 7 HW Config. To carry out configuration, highlight the F-AI in the STEP 7
hardware catalog. Add it i times to the existing hardware configuration. Configure
the channels that are used and assign meaningful symbol names.
Figure 8-6: Symbol editing

You can see an example of a hardware set-up using three F-AIs in Figure 8-6
In this example, the ET 200M (IM153-2) contains one F-AI in slots 4, 5 and 6.
One of the three sensor signals is wired to the first channel of an F-AI. You can find
more information about the HW configuration in the chapter entitled “References”
under \4\.
The parameters themselves are grouped in Table 8-1

Entry ID: 24690377, V3.0, 08/2016 104
Figure 8-7: F-AI hardware parameters

Table 8-1: F-AI hardware configuration parameters

or permissible
value range
F-parameter
F_target_address PROFIsafe address of the 1-1022
1111111110
F_monitoring_time Monitoring time for safety-related 0...65535 ms

(ms) communication between the CPU and Default 2500 ms
the F-AI.
Comment:
A table is available on the Siemens Support
website to help users to calculate

Entry ID: 24690377, V3.0, 08/2016 105

or permissible
value range
Module parameters
Comment:
level.
channel faults module/passivation of the channel. Channel
Comment:
With “OFF”, HART communication Selectable
is disabled.
With “ON”, HART communication is
enabled.

maintenance.
frequency of the A/D converter to the network that
suppression is being used.
– 20 ms at 50 Hz
– 16.66 ms at 60 Hz
Evaluation of Activation of the channel by specifying 1oo1 (1v1)
the sensors the sensor evaluation.
– Disabled
– 1oo1 (1v1)
– 1oo2 (2v2)
– Tolerance
– Standard value
Measuring range Selection of the measuring range for 0...20 mA
the channel. 4...20 mA
F_Wire_break Selection of whether wire break monitoring Enable/disable
detection is to be carried out for the channel or not.

of the module.

Entry ID: 24690377, V3.0, 08/2016 106

After the three sensor signals for hardware configuration have been added, you
can implement the 2oo3 evaluation logic in the user program. One of the options
Figure 8-8 shows how to configure a cause for 2oo3 monitoring in the matrix.
Use the following settings:
 3 inputs
 Function type: Majority evaluation (2oo3 evaluation)
 You must enter Tag1, Tag2, and Tag2 and they should match the symbolic I/O
name of the encoder (e.g. F_TAG1001_X, F_TAG1002_X, and F_TAG
1003_X). You can make the input by selecting the signal from the symbol
table. To do this, use the “I/O” key.
The cause is configured with a majority evaluation (2oo3 evaluation). If at least
two of the three encoders match for triggering, the cause is activated and triggers
the corresponding effect(s). Note that you can also configure different evaluation
architectures, i.e. 1oo3 (OR) or 3oo3 (AND).

Entry ID: 24690377, V3.0, 08/2016 107
As Figure 8-9 shows, there are additional analog parameters that you must set for
the cause:
– Limit value
– Prealarm
– Hysteresis
– Delta
– Unit of measurement
The system reports exceeding of the delta value. It is not evaluated as a shutdown
criterion.

Depending on the process application, there are additional available attributes


Entry ID: 24690377, V3.0, 08/2016 108
One of the configuration options that is highlighted in Figure 8-10 is switch-off

behavior in the case of a channel error.
If this option is activated, a channel error is evaluated at one of the sensor inputs
as a trigger signal. In a majority evaluation (2oo3) with the option activated, two
channel errors or one channel error and one limit value violation of another channel
lead to the activation of the cause and triggering of the corresponding effect(s).

Entry ID: 24690377, V3.0, 08/2016 109
evaluation logic for the CPU using the STEP 7 CFC Editor. After the three sensor

The logic corresponds to the Safety Matrix configuration in which the “Trip on
bad quality” function is not activated. The input signals are not monitored for
a maximum delta.

Entry ID: 24690377, V3.0, 08/2016 110
Figure 8-11 shows a sample logic for 2oo3 evaluation in the CFC Editor that does
not take into account channel errors. Please note that this example assumes
a MAX limit value and that the evaluation logic output for reaching the safe state
is switched off (normal state = 1, safe state = 0).
a maximum delta.

Entry ID: 24690377, V3.0, 08/2016 111

a maximum delta.

Entry ID: 24690377, V3.0, 08/2016 112

 If at least two of the three analog sensors report a normal value (in this case
a process value of less than 90), the output of the evaluation logic is 1
 If at least two analog sensors report a limit value violation (in this case
a process value greater than or equal to 90), the output of the evaluation logic
is 0 (i.e. trigger command).

 Generate an F_CH_AI F channel driver for the first analog sensor and link
the corresponding I/O signal to the block. Use a limit value block (F_LIM_HL
or F_LIM_LL) to compare the signal to the triggering limit value.
 Generate an F_CH_AI F channel driver for the second analog sensor and link
 Generate an F_CH_AI F channel driver for the third analog sensor and link
 Link the negated outputs of the limit value blocks (QHN or QLN) to the inputs
of an F_2OUT3 block to generate the signal for the trigger command.

Entry ID: 24690377, V3.0, 08/2016 113
Figure 8-12 shows a sample logic for 2oo3D evaluation in the CFC Editor that
takes into account channel errors. Please note that this example assumes a MAX
limit value and that the evaluation logic output for reaching the safe state is
switched off (normal state = 1, safe state = 0).
The logic corresponds to the Safety Matrix configuration in which the “Trip on bad
quality” function is activated. The input signals are not monitored for a maximum
delta.

Entry ID: 24690377, V3.0, 08/2016 114

The logic corresponds to the Safety Matrix configuraion in which the “Trip on bad
quality” function is activated. The input signals are not monitored or a maximum
delta.
delta.

Entry ID: 24690377, V3.0, 08/2016 115

 If at least two of the three analog sensors report a normal value without
 If two or more of the analog sensors report a limit value violation without
channel errors (in this case a process value greater than or equal to 90),
the output of the evaluation logic is 0 (i.e. trigger command).
 If two or more of the analog sensors report a channel error, the output of
 If one sensor reports a channel error and the other two do not, the system only
uses the values of the sensors without a channel error for the evaluation logic.

Entry ID: 24690377, V3.0, 08/2016 116

 Generate an F_CH_AI channel driver for the first analog sensor and link the
corresponding I/O signal to the block. Use a limit value block (F_LIM_HL or
F_LIM_LL) to compare the signal to the triggering limit value.
 Generate an F_CH_AI channel driver for the second analog sensor and link
 Generate an F_CH_AI channel driver for the third analog sensor and link the
corresponding I/O signal to the block. Use a limit value block (F_LIM_HL or
F_LIM_LL) to compare the signal to the triggering limit value.
 Implement the evaluation logic by interconnecting the inputs of an F_2OUT3
block with the outputs of the following AND logic operations:
– The negated output QBAD (F_NOT) of the first channel driver with the
negated value of the first limit value block output (QHN or QLN).
– The negated output QBAD (F_NOT) of the second channel driver with
the negated value of the second limit value block output (QHN or QLN).
– The negated output QBAD (F_NOT) of the third channel driver with the
negated value of the third limit value block output (QHN or QLN).

Entry ID: 24690377, V3.0, 08/2016 117
9 Structure and wiring for three sensors (1oo3) with redundant I/O modules: Evaluation in the
user program
9 Structure and wiring for three sensors

Evaluation in the user program
There are additional 2oo3 evaluation architectures in which the three sensors
are wired to redundant F-AIs.
As with the previous architectures, this 2oo3 evaluation scheme refers to
applications that need two sensors to achieve the necessary Safety Integrity Level.
In this architecture, the third sensor increases availability. Two of the three sensors
must function. If at least two sensors display a trigger condition, the safety logic
is tripped.
Note These architectures are in a position to achieve Safety Integrity Level SIL3,
since the three signals are evaluated in the user program. However, to be SIL-
compliant, the entire safety instrumented function – including the field devices –
Figure 9-1 shows a block diagram with redundant F-AIs. This optional 2oo3
architecture uses three sensors and two F-AIs. In the Figure, the three sensors
are wired to channels 0, 1, and 2 of both F-AIs.

Entry ID: 24690377, V3.0, 08/2016 118
user program
Figure 9-1: Optional architecture – overview
F-AI
Ch 0.. 5
Sensor 1
0
Sensor 2
1
Sensor 3 CPU
2
F _ CH _AI
2 oo 3
Voting
Logic
F-AI
Ch 0.. 5
0
This redundant 2oo3 architecture is one possible variant.

Even though this architecture uses one less F-AI than the one that we described
before, it has similar availability. If you only need a few failsafe analog inputs,
this variant is more favorably priced.
The non-redundant version is also a possible option if you only have available
one F-AI. It makes possible higher availability of the sensors; however, it forfeits
the higher availability on the F-AI.

Entry ID: 24690377, V3.0, 08/2016 119
user program
The table below shows the status that occurs if one or two components fail

Component failed? Tripping
of safety
Sensor 1 Sensor 2 Sensor 3 F-AI 1 F-AI 2 function?
X No No X No No
No X No
No No X
X No No No X
No X No
No No X
X X X Yes Yes Yes
X Yes Yes X X
Yes X Yes
Yes Yes X



formula:
PFD(2oo3) = PFDSensor + 2 PFDF-AI + PFDCPU
9
TI
PFD2oo3  DU
2
TI2    DU 
2
9

Entry ID: 24690377, V3.0, 08/2016 120
user program
9.2 Wiring
A simplified example of the 2(2oo3) evaluation scheme with evaluation in the user
program and redundant F-AI is shown in Figure 9-2 The first sensor is wired to
channel 0 (terminals 3, 4, 5) of both F-AIs, the second one is wired to channel 1
(terminals 6, 7, 8) and the third one wired to channel 2 (terminals 9, 10, 11) of both
F-AIs. Note that this architecture additionally needs two Zener diodes for each
sensor. The first Zener diode has a breakdown voltage of 6.2 V and the second
one has a breakdown voltage of 5.6 V. Apart from this, two diodes each are used
to decouple the power supply. The diodes and Zener diodes are needed for cases
in which one of the F-AIs is out of service (e.g. in the case of a module failure).
Figure 9-2: 2oo3(2v3) evaluation, redundant F-AI, three-channel transmitter

SM336; SM336;
L+ 1 1 L+
1L+ 1L+
M 2 2 M
1M 1M
Vs0 3 3 Vs0
+ 2-Draht
2-Wire
CH0 M0+ 4
Mess-
Current M0+ CH0
- umformer 4
Sensor M0-
M0- 5 5
Vs1
Vs1 6 6
+ 2-Wire
2-Draht
CH1 M1+ 7 Mess-
Current 7 M1+ CH1
- umformer
Sensor
M1- 8 8 M1-
Vs2 9 9 Vs2
+ 2-Wire
2-Draht
CH2 M2+ 10 Mess-
Current 10 M2+ CH2
- umformer
Sensor
M2- 11 11 M2-
Vs3 12 12 Vs3
CH3 M3+ 13 13 M3+ CH3
M3- 14 14 M3-
Vs4 15 15 Vs4
CH4 M4+ 16 16 M4+ CH4
M4- 17 17 M4-
Vs5 18 18 Vs5
CH5 M5+ 19 19 M5+ CH5
M5- 20 20 M5-

Entry ID: 24690377, V3.0, 08/2016 121
user program

For the 2(2oo3) evaluation scheme with evaluation in the user program and
redundant F-AIs, the F-AIs themselves are configured in STEP 7 HW Config.
Figure 9-3 shows an example of a hardware set-up.
In this example, there is an ET 200M (IM153-2) with PROFIBUS address 3 and
a second ET 200M with PROFIBUS address 4. Each ET 200M includes one F-AI
in slot 4.

installation plan
access the F-AI redundancy settings via the object properties of one of the F-AIs
in each case.
In the example of the hardware set-up shown in Figure 9-4 the redundancy setting
is made using the F-AI of the ET 200M with PROFIBUS address 3. The settings
are grouped in Table 9-2

Entry ID: 24690377, V3.0, 08/2016 122
user program

redundancy parameters
Table 9-2: 2(2oo3) evaluation in the user program (redundant module) – redundancy
parameters
Parameters Description/recommendations Desired setting or
permissible value
range
Redundancy Indication of whether or not the F-AI 2 modules/
Comment:
For redundancy, you must set the parameter
on two modules/assemblies.
Redundant This is used to choose the redundant partner
module module
of the module.
parameters in one of the redundant F-AIs. The system automatically applies the
settings on the redundant assembly.
You will find a description of the hardware parameters at the end of section 0.

Entry ID: 24690377, V3.0, 08/2016 123
user program

Even though this evaluation scheme uses redundant F-AIs, only three F_CH_AI F
channel drivers are needed in the logic. It is possible to add and configure the
F channel drivers either automatically by means of the SIMATIC Safety Matrix or
manually using the STEP 7 CFC Editor. In both cases, the F channel drivers must
be linked to the analog sensor signal of the F-AI with the lower I/O address.
When you have configured the F channel drivers and the evaluation logic is
complete, the system compiles the logic.
If the option to generate module drivers is activated at compilation, then the system
automatically adds and configures the corresponding F_PS_12 module drivers to
the logic at compilation. The F channel driver selects the valid signal and switches
to the signal of the redundant module if there is a disturbance. The driver does not
carry out delta monitoring of the redundant signals.
After the three sensor signals for hardware configuration have been added, you
can implement the 2oo3 evaluation logic in the user program. One of the options
The actual evaluation logic for the 2(2oo3) evaluation scheme with evaluation in
the user program and redundant F-AIs is the same as described in Section 8.4.1
(Configuring using Safety Matrix).

Entry ID: 24690377, V3.0, 08/2016 124
user program
evaluation logic for the CPU using the STEP 7 CFC Editor. There are two options
for implementing the CFC logic:
The logic for both options corresponds to the solutions that are described in
Chapter 8.4.2.

a maximum delta.
Figure 9-5 shows a sample logic for 2oo3 evaluation in the CFC Editor that does
not take into account channel errors. Please note that this example assumes
a MAX limit value and that the evaluation logic output for reaching the safe state
is switched off (normal state = 1, safe state = 0).

Entry ID: 24690377, V3.0, 08/2016 125
user program

a maximum delta.

 If at least two of the three analog sensors report a normal value (in this case
a process value of less than 90), the output of the evaluation logic is 1
 If at least two analog sensors report a limit value violation (in this case a
process value greater than or equal to 90), the output of the evaluation logic
is 0 (i.e. trigger command).

Entry ID: 24690377, V3.0, 08/2016 126
user program

 Link the negated outputs of the limit value blocks (QHN or QLN) to the inputs
of an F_2OUT3 block to generate the signal for the trigger command.

Entry ID: 24690377, V3.0, 08/2016 127
user program

delta.
Figure 9-6 shows a sample logic for 2oo3D evaluation in the CFC Editor that takes
into account channel errors. Please note that this example assumes a MAX limit
value and that the evaluation logic output for reaching the safe state is switched off
(normal state = 1, safe state = 0).


 If at least two of the three analog sensors report a normal value without
 If two or more of the analog sensors report a limit value violation without
channel errors (in this case a process value greater than or equal to 90),
the output of the evaluation logic is 0 (i.e. trigger command).
 If two or more of the analog sensors report a channel error, the output of

Entry ID: 24690377, V3.0, 08/2016 128
user program
 If one sensor reports a channel error and two sensors do not, the system only
uses the values of the sensors without a channel error for the evaluation logic.
 Implement the evaluation logic by interconnecting the inputs of an F_2OUT3
block with the outputs of the following AND logic operations:
– The negated output QBAD (F_NOT) of the first channel driver with
the negated value of the first limit value block output (QHN or QLN).
– The negated output QBAD (F_NOT) of the second channel driver with
the negated value of the second limit value block output (QHN or QLN).
– The negated output QBAD (F_NOT) of the third channel driver with
the negated value of the third limit value block output (QHN or QLN).

Entry ID: 24690377, V3.0, 08/2016 129
10 Calculation of the PFD value
APPENDIX
10 Calculation of the PFD value

You can find the PFD value for the F-AIs in the manual entitled "Automation
System S7-300 Fail-safe signal modules" (see the chapter entitled “References”
under \6\). In the technical data of the SM 336; F-AI 6 x 0/4 ... 20 mA HART or as a
download on the Internet (“see the chapter entitled “References” under Fehler!
Verweisquelle konnte nicht gefunden werden.).
Table 10-1: PFD value for the F-AIs

Failsafe performance characteristics
With a service life of 20 years 1-channel 2-channel

Low demand mode < 1.00E-05 < 1.00E-05
(average probability of failure on demand) SIL 3
You can find the PFD value for the F-CPU in the manual entitled "Safety
Engineering in SIMATIC S7" (see the chapter entitled “References” under \8\“) or
as a download on the Internet (see the chapter entitled “References” under
Fehler! Verweisquelle konnte nicht gefunden werden.).
Table 10-2: PFD value for F-CPUs

CPU Order number Low demand mode (average
probability of failure on demand)
Proof test interval 10 years 20 years
CPU 410-5H 6ES7410-5HX08-0AB0 < 1.9 E-04 < 3.8 E-04

CPU 412-3H 6ES7412-3HJ14-0AB0 < 1.9 E-04 < 3.8 E-04
CPU 412-5H PN/DP 6ES7412-5HK06-0AB0 < 1.9 E-04 < 3.8 E-04
6ES7 414-4HJ00-0AB0 < 1.24 E-04 < 2.48 E-04
CPU 414-4H 6ES7 414-4HJ04-0AB0 < 1.9 E-04 < 3.8 E-04
6ES7 414-4HM14-0AB0 < 1.9 E-04 < 3.8 E-04
CPU 414-5H PN/DP 6ES7414-5HM06-0AB0 < 1.9 E-04 < 3.8 E-04
CPU 416-5H PN/DP 6ES7416-5HS06-0AB0 < 1.9 E-04 < 3.8 E-04
6ES7 417-4HL00-0AB0 < 1.24 E-04
6ES7 417-4HL01-0AB0 < 1.24 E-04 2.48 E-04
CPU 417-4H
6ES7 417-4HL04-0AB0 < 1.9 E-04 < 3.8 E-04
6ES7 417-4HT14-0AB0 < 1.9 E-04 < 3.8 E-04
CPU 417-5H PN/DP 6ES7417-5HT06-0AB0 < 1.9 E-04 < 3.8 E-04

Entry ID: 24690377, V3.0, 08/2016 130
11 Recommendations for power supply and grounding measures
11 Recommendations for power supply and

grounding measures
This section describes basic guidelines for power supply and grounding measures
for SIMATIC S7-400 F/FH systems. For more information on this topic, refer to the
chapter entitled “References” under \9\, \6\ and \7\).
11.1 Power supply

11.1.1 Power input
The power input should be routed onto a power input unit that is installed as part of
the cabinet system. Note that each power input should have an independent power
input unit. The power input unit should have a row of terminals with overcurrent
protection. To increase system availability, you should use a circuit breaker for
overcurrent protection. It is possible to use a second power input to increase
system availability (this requires a second power input unit in the cabinet).
The power input unit should have a connection for each cable of the power input:
 Cable
 neutral/return conductor and
 ground
The ground connection for power input should be marked or color-coded such that
it is possible to recognize it as the protective earth. This ground connection must
be connected to the housing on a low-resistance basis. The grounding terminal
should be mechanical to ensure ground protection.
The power input should have individual distributor terminals to connect the loads in
the cabinet. The distributor terminals should be laid out in groups with one ground
terminal each for ground connections. Additional ground connections are needed
to ground the racks that are used for mounting system components.
11.1.2 System power supply
Depending on the cabinet, the system power supply outputs 24 V DC to the

cabinet’s consumers. The system power supply should have several outputs with
connections for each cable. The system supply should be isolated all the other
ground potentials and any other load with that is supplied with system current.
System power supply can be carried out using discrete power supply that is
connected to the power input (this is described in Section 11.1.1). Normally,
the power supply is integrated per rack.
The power supply supplies the controllers and I/O modules with 24 V DC current.
Power is supplied to the assemblies for communication and communication is
carried out via the backplane modules. If you use electrically isolated assemblies,
the backplane current and communication are galvanically isolated from the field
I/O. Isolation has two advantages:
 Isolation of the control and field levels
 Protection of the control level from noise and overvoltages
Relatively large systems can use the system power supply for the field level as
well as a rack-specific power supply for the control level. This is an advantage
if the field devices need more power than SIMATIC standard power supply units
provide. In cases like these, the design should support redundant power supplies.
Redundant power supply architectures increase system reliability in the case

Entry ID: 24690377, V3.0, 08/2016 131
of online repairs if you avoid common components (like a common miniature

circuit breaker).
You can use other technologies like uninterruptible power supplies or DC backup
systems to increase system availability. Using technologies like these requires
a knowledge of the system (e.g. buffer times of the power supply, responses of
the controller and the peripherals to power outages, etc.)
11.2 Grounding
11.2.1 Objectives
Grounding a system has three basic objectives:

 Personal protection
 Protection from lightning or other sources of voltage peaks
 Switching off of electrical interference
Preventing undesirable effects due to electrical interference is based on the linear
ground path method. The flow of non-static, electrical energy needs a loop in which
the sum of the currents to one node is equal to zero. To prevent currents flowing
(i.e. electro-magnetic noise), the system design should not include any loops.
The concept of linear grounding (or a common reference point) includes a direct
connection that prevents any loops from being formed. There should only be one
path from any point in a system with a ground connection that leads from this point
to the grounding point.
The linear grounding method is limited if distributed process control systems
are used. A distributed system is one in which the locations of components are
distributed around a plant. With this type of architecture, you can use the linear
grounding method efficiently on system components that are referred to as
subsystems (subsystem functions) (or isolated islands). A subsystem can be
defined as follows:
 Electrical isolation from other subsystems
 Physical isolation from other subsystems (subsystem functions) such that
electrical disturbances are dissipated locally
In systems with subsystems, each section uses a local, linear grounding bar to
reduce lightning and electronic noise.
11.2.2 Implementation
The grounding recommendations in this section are intended specifically for

cabinets with power supply units that supply the system components with 24 V DC.
Placing the system supply in the individual cabinets makes the grounding rules
easier. If the energy is distributed between the cabinets, you should set up the
equipment in the immediate vicinity to maintain a single ground reference point
and the connections. A system with a central power supply should be located
within a lightning protection zone (normally inside a building or structure). In the
case of all systems outside a normal lightning protection zone, you should use
insulation techniques to reduce interference susceptibility. Typical insulation
barriers include local power supplies, optical communication for data highways
and electrically isolated signal transfer technologies (e.g. relay contacts, etc.)

Entry ID: 24690377, V3.0, 08/2016 132
Grounding
The design of the cabinet should make possible energy supply that is isolated from
other access openings. The current should be connected to a single distributor unit
inside the cabinet. As part of the power input unit, there should be a connection
point for cabinet grounding. This connection should include the necessary cables
for correct operation of the protection devices and for personal protection.
The ground connection of the cabinet should be marked or color-coded. If you use
several current sources (e.g. for redundancy), you should use independent power
input units and each current source should have its own cabinet ground
connection.
Shielding connections
You should use shielding connections for field wiring as standard for I/O modules.
The physical connections of the shielding should be present on the cable
connections for the field signal in the form of a shielding bus. The shielding bus
should be isolated from the mounting plates and the mounting rails. Shielding
buses must have a ground connection. The ground connection connects the
shielding bus to the local grounding point (LEPG).
For final shield installation, the LEPG bus must be connected to a grounding
potential. The preferred ground connection is to a grounding system that is also
used to ground the neutral conductor of the power supply system. Most industrial
systems support a central grounding point to connect grounding systems that are
dissipated “locally”. You should connect to the ground potential as follows:
 Lower impedance (0.5 Ohm or less)

 Physical connection as short as possible
 Separate and independent of the ground protection connections that are
needed for personal protection
Note that grounding shielding on one side guarantees protection from low-
frequency noise in industrial environments. You should ensure that no other
ground connections result for the shielding.
DC grounding
Normally, the power supply is installed in the cabinets to provide the 24 V DC
operating voltage. The power supply is not connected to ground or to the power
input. Depending on the user’s requirements, the system is operated either on
a floating basis or connected to a user-specified reference point.
System setup
S7-400 F/FH systems (including the controls and I/O modules) can be operated
either grounded or on a floating basis. To make possible both operating modes,
the system setup has a bridge that makes a connection from the reference
potential to ground. If the bridge is removed, the reference potential is separated
from the housing ground.
Depending on the product, the bridge is either part of the hardware module
(see Figure 11-1) or of the system backplane (see Figure 11-2).

Entry ID: 24690377, V3.0, 08/2016 133
Figure 11-1: Installation location of the bridge with IM-153 (ET 200M interface module)
Lage
Jumper der Brücke
location on S7- Entfernen Sie die to
Remove jumper Brücke
eliminate
beiIM-153
300 and IM-153 Modulen
modules für erdfreien Aufbau
frame connection
Figure 11-2: Location of grounding for S7-400 modules

Ungrounded configuration Grounded configuration
Rack
Galvanic connection
Reference point
Connection Connection
Spring lock washer Spring lock washer
Original screw M4x8 Original screw M4x8
Anschluss
Connection to rackder
for
DC groundingder
Masse S7-400
Lastspannung
modules

Entry ID: 24690377, V3.0, 08/2016 134
12 MTA (Marshalled Termination Assembly)

As interface modules, MTA (Marshalled Termination Assemblies) terminal modules
allow you to connect field devices, sensors and actuators quickly and safely to the
signal modules of the ET 200M. They can be used to significantly reduce the time
and effort needed for cabling and commissioning and to prevent wiring errors.
The individual MTA terminal modules are each tailored to specific I/O modules
from the ET 200M range.
The F-AI HART module that is described in this documentation can be combined
with the “6-Channel F Analog Input HART MTA” (6ES7650-1AH62-5XX0).
This MTA can be used for redundant safety-relevant applications.
Properties
MTAs are characterized by the following properties:
 A redundant DC 24 V power supply with LED display
 Screw-type terminals for direct (1:1) connection of field devices, sensors and
actuators
 A fuse with LED indicator for each I/O channel
 A pre-assembled cable to connect the MTA with the I/O module
 With a 50/25-pin SUB-D plug on the MTA side,

 and a Siemens 40/20-pin front connector for the ET 200M module
 On-board simulation capabilities (wire break, to switch a channel ON/OFF)
 Tested as a PCS 7 system component and released with appropriate
approvals (FM, UL, CE, ATEX, TÜV (German Technical Inspectorate))
Figure 12-1: F-AI MTA – Layout

Entry ID: 24690377, V3.0, 08/2016 135
The F-AI MTA and the F-AI module are connected by means of a pre-assembled
connecting cable. The cable that is available in tailor-made lengths is shown below
in Figure 12-2
Figure 12-2: F-AI MTA – Connecting cable
Figure 12-3 shows an example of how you wire a 4-wire sensor (with its own power
supply) to the F-AI MTA.

Figure 12-4 shows an example of how you wire a 4-wire sensor (supplied
externally) to the F-AI MTA.
Figure 12-4: 4-wire transmitter (supplied externally)

Entry ID: 24690377, V3.0, 08/2016 136
Figure 12-5 shows an example of how you wire a 2-wire sensor to the F-AI MTA.
Figure 12-5: 2-wire transmitter
In the case of voting architectures that contain a redundant module, an additional

connecting cable is connected to the additional module connection on the MTA.
You can find additional information on this topic in the section entitled “References”
under \3\.

Entry ID: 24690377, V3.0, 08/2016 137
13 References
13 References
Table 13-1
Topic
\1\ Siemens Industry Online Support
http://support.industry.siemens.com
\2\ F Systems: Wiring and Voting Architectures for ET 200M F-AIs
\3\ ET 200M Marshalled Termination Assemblies Remote I/O Modules
\4\ SIMATIC Configuring Hardware and Communication Connections STEP 7 V5.5
\5\ SIMATIC Industrial Software Safety Matrix
\6\ SIMATIC Automation System S7-300 ET 200M Distributed I/O Device Fail-safe
signal modules
\7\ Automation System S7-400 Hardware and Installation
\8\ SIMATIC Industrial Software Safety Engineering in SIMATIC S7
\9\ SIMATIC Process Control System PCS 7 Engineering System (V8.1)

\10\ SIMATIC S7 F Systems: Execution Times of Failsafe Software Blocks, Runtime of
the F Shutdown Group, Monitoring and Response Times
\11\ SIMATIC Industrial Software PFDavg and PFH values for components with use in
SIMATIC Safety, Distributed Safety and F/FH Systems
\12\ SIMATIC Industrial software S7 F/FH Systems - Configuring and Programming
14 History
Table 14-1
Version Date Modifications
V1.0 04/2007 First edition
V2.0 12/2007 Hardware and software considered, added MTA
V2.1 05/2009 Updating
V3.0 08/2016 Complete revision

Entry ID: 24690377, V3.0, 08/2016 138

Wiring Voting AI V30 en

Uploaded by

Copyright:

Available Formats

You might also like

Wiring Voting AI V30 en

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Wiring Voting AI V30 en

Uploaded by

Copyright:

Available Formats

Application example  08/2016

Wiring and Voting Architectures for

Warranty and liability

deficiency or breach of a condition which goes to the root of the contract

Wiring and Voting Architectures for failsafe F AIs

3.2.2 Wiring using Marshalled Termination Assemblies (MTAs) ................ 32

Wiring and Voting Architectures for failsafe F AIs

7.4.2 Configuring using CFC ....................................................................... 94

Wiring and Voting Architectures for failsafe F AIs

11.2 Grounding ......................................................................................... 132

Wiring and Voting Architectures for failsafe F AIs

Figure 1-1 shows an example of a plant section in which valves

Figure 1-1: Example 1 - Overview

Signals PT- 400B Failsafe Discrete

Wiring and Voting Architectures for failsafe F AIs

Figure 1-2: Example 1 – System setup

Wiring and Voting Architectures for failsafe F AIs

1.2 Presented architectures

(explanation in chapter 5).

Wiring and Voting Architectures for failsafe F AIs

1.3 Properties of the fail-safe analog input module

 SIL3/Cat.4/PLe can be achieved without safety protector

Wiring diagrams of the F-AI

Wiring and Voting Architectures for failsafe F AIs

Figure 1-3: Address assignment of SM 336; F-AI 6 x 0/4...mA HART

Figure 1-4: Front view of SM 336; F-AI 6 x 0/4...mA HART

Wiring and Voting Architectures for failsafe F AIs

Figure 1-6: Channel numbers of SM336; F-AI 6 x 0/4...20mA HART

Wiring and Voting Architectures for failsafe F AIs

2 Structure and wiring for one sensor (1oo1)

Figure 2-1: Overview (1oo1)

Using the structure shown in Figure 2-1 it is possible to achieve a maximum of

Table 2-1: Failure modes

Wiring and Voting Architectures for failsafe F AIs

2.1 Calculation of PFD

Calculation formula for PFD

PFD(Ein) = PFDSensor + PFDF-AI + PFDCPU

Internal voltage supply

Wiring and Voting Architectures for failsafe F AIs

Example of wiring a 2-wire sensor

Example of wiring a 4-wire sensor

Figure 2-3: Wiring for a 4-wire transmitter (internal sensor supply)

Wiring and Voting Architectures for failsafe F AIs

External power supply (2-wire sensor)

Figure 2-4: External voltage for a 2-wire transmitter

Wiring and Voting Architectures for failsafe F AIs

External power supply (4-wire sensor)

Figure 2-5: External voltage for a 4-wire transmitter

Wiring and Voting Architectures for failsafe F AIs

2.2.2 Wiring using Marshalled Termination Assemblies (MTAs)

Siemens offers Marshalled Termination Assemblies (MTAs) Using an F-AI-MTA for

Figure 2-6: MTA

Wiring and Voting Architectures for failsafe F AIs

2.3 Parameters for hardware configuration

Figure 2-7: Symbol editing

Wiring and Voting Architectures for failsafe F AIs

Figure 2-8: Hardware parameters