
SIMATIC S7-400H and S7-400F/FH Top-end controllers with fault-tolerant and fail-safe functionalities

Product Brief January 2003

Overview

The increasing degree of automation in industrial plants has resulted in the availability of systems becoming ever more important. Failures or downtimes caused by maintenance work are very expensive. Controllers with high availability reduce the risk of undesirable production downtimes drastically. The high costs of such systems are negligible in comparison to the savings potential. Furthermore, there are many applications which place special demands on the safety for man, machine, the environment and the process; fail-safe automation systems are necessary in such cases.
H system (for fault tolerance)

The SIMATIC S7-400H is a high-availability PLC for time-critical applications. For applications with a low dynamic response, a solution based on SIMATIC software redundancy is appropriate; where high-availability PLCs are required, the S7-400H is the solution with optimized functions. An S7-400H is appropriate for your applications if you
- require powerful CPUs
- need short switching times (< 100 ms, hot standby)
- wish to achieve additional fault tolerance.

Software redundancy is appropriate (see Product Brief "Software redundancy for S7-300/400") if you
- wish to also use CPUs with lower performance (CPU 315-2DP or better)
- can tolerate longer switching times (approx. 1 s, warm standby)
- have no additional demands concerning fault tolerance.
F system (for fail-safety)

SIMATIC fail-safe controllers enter a safe state immediately when an error occurs, or remain in a safe mode. They therefore combine standard process automation and safety engineering in one single system. Both safety-related and standard communication between the central controller and the safety-related and standard I/O modules is carried out using PROFIBUS DP and the PROFIsafe profile. SIMATIC offers two fail-safe systems:
- SIMATIC S7-400F/FH for larger applications in production and process engineering
- SIMATIC S7-300F for distributed applications with the main emphasis on production engineering and burner controls (see Product Brief "SIMATIC S7-300F")

The SIMATIC S7-400F (fail-safe installation with one CPU) enters a safe state immediately when an error occurs, or remains in a safe mode, thus guaranteeing a high level of safety for man, machine, the environment and the process. If an error occurs in the controlling system of the S7-400FH (fail-safe and with high availability, with two CPUs), redundant control sections take over and continue the production process.

Fail-safe systems are used wherever maximum safety must be guaranteed for man, machine or the environment, i.e. accidents and damage resulting from a fault must be avoided.

S7-400F/FH Introduction / benefits


Introduction

The safety-relevant functions of the S7-400F/FH are incorporated into the F program of the CPU and in the fail-safe signal modules. Both standard modules and fail-safe modules can be used on the S7-400F/FH. This means it is possible to set up a fully integrated control system for a plant where there are both safety-related and standard areas. The whole plant can be configured and programmed using the same standard tools. This means the SIMATIC S7-400F/FH can now be used for automation areas which were, up to a few years ago, the exclusive domain of electromechanical controllers, e.g. automobile shell construction with presses and robots, burner management systems, transportation of persons on cableways and, last but not least, process automation.
Benefits

- The S7-400F/FH largely consists of standard components and is an integral part of Totally Integrated Automation (TIA)
- The S7-400F/FH is an integral part of Safety Integrated, the Siemens safety program for industrial applications
- The S7-400F/FH has TÜV approval (TÜV = German Technical Inspectorate) and fulfils all relevant standards
- Hardware and engineering costs are reduced because the fail-safe S7-400F/FH is largely built from standard components: there is no need for an additional F-CPU and the cabling to it. Engineering costs are lower because a standard CPU can be programmed normally instead of using an additional F-CPU. Programs from non-safety-related systems can also be adopted.

Fail-safe S7-400F/FH

Standards

The S7-400F/FH complies with the following safety requirements:
- Demand class: AK 1 to AK 6 according to DIN V 19250 / DIN V VDE 0801
- Safety integrity level: SIL 1 to SIL 3 according to IEC 61508
- Category: 2 to 4 according to EN 954-1

S7-400F/FH Highlights
Hardware

The hardware of the S7-400F/FH is based on the CPUs of the fault-tolerant, redundant SIMATIC S7-400H system, plus an F-library. This F-library contains pre-assembled, TÜV-approved basic function blocks as well as a parameterization tool for the fail-safe I/O modules. In order to run the S7-400F/FH, the F Copy License needs to be loaded into the CPU. The CPU checks that the controller is running properly by means of regular self-tests, instruction tests and a program execution test. The resulting safety functions enable response times from 100 ms upwards, which is fully adequate for most applications in the process industry and for many applications in the manufacturing industry with manually operated Emergency Stop devices. The S7-400F/FH also incorporates safety-related modules for the SIMATIC ET 200M distributed I/O system (from 03/2003 ET 200S PROFIsafe is also usable). These fail-safe I/O modules are parameterized using the parameterization tool, connected to PROFIBUS, and controlled by means of the new PROFIsafe PROFIBUS profile for safety-related applications. At the moment, 4 modules are available:
- Digital input module: 24 x 24 V
- Digital input module: 8 x NAMUR
- Digital output module: 10 x 24 V/2 A
- Analog input module: 6 x 13 bit

These modules can diagnose internal and external errors and have total internal redundancy, i.e. outputs have, for example, a second integrated disconnection facility. Using the safety protector, fail-safe and standard modules can be used together in one rack.

Figure: Graphic configuring of the S7-400F/FH with the CFC engineering tool

Programming

The S7-400F/FH is programmed in exactly the same way as a standard S7-400. The normal automation functions for the cyclic processing level (OB 1) are programmed using standard programming languages. The CFC engineering tool is required to call blocks from the F-library and to interconnect them. These blocks are called in a time level (e.g. OB 35) at a parameterizable time interval, which gives reproducible disconnection times. The use of CFC makes configuring and programming the plant, and the final acceptance test, significantly easier. For programmers, there is a distinct advantage in the fact that they can concentrate on configuring the safety-related application. This noticeably reduces engineering costs, especially in combination with other components, e.g. other programmable controllers or control and monitoring devices.

Communication

Both safety-related and standard communication between the central controller and ET 200M go through PROFIBUS DP. The PROFIsafe profile is characterized by the fact that the safety functions in the fail-safe end stations are implemented using the standard PROFIBUS functions. The useful data for the safety function and the safety measures are sent within a standard data frame. No additional hardware components are required. This means that standard communication and safety-related communication use the same basic hardware: automation and fail-safety are getting closer together all the time! Transmission of PROFIsafe is independent of the transmission medium, e.g. copper cables or fiber-optic cables.
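The principle described above, safety measures carried as ordinary payload inside a standard frame so that the bus itself needs no safety hardware, as an added example that is not part of the original brief and not Siemens code: a simplified safety container (process data, a consecutive number, and a CRC-16 that also covers an F-parameter signature) is tunnelled through a plain frame, and the consumer passivates, i.e. drives substitute values, when it sees corruption, a repeated or missing consecutive number, a partner with different F-parameters, or a watchdog timeout. The PDU layout, the 1..255 counter rule, the CRC polynomial, the frame format, the F-parameter signature and all names (`FConsumer`, `build_safety_pdu`, ...) are assumptions made for this illustration; the real PROFIsafe profile differs in these details.

```python
"""Simplified model of safety-related data inside a standard fieldbus frame
("black channel"). Added illustration only; NOT the PROFIsafe specification:
PDU layout, counter rules, CRC polynomial, frame format and all names are
assumptions. Assumed PDU: process data | consecutive number (1 byte) | CRC-16."""
import struct

CRC16_POLY = 0x1021  # CRC-16/CCITT polynomial; an assumption, not the profile's


def crc16(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16 (no lookup table, easy to audit)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC16_POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_safety_pdu(process_data: bytes, consecutive_no: int, f_param_sig: int) -> bytes:
    """Producer side. The CRC also covers an (assumed) 32-bit F-parameter signature
    derived from the configured F-address/timeout, so a PDU that reaches a
    differently parameterized partner fails the check."""
    body = process_data + bytes([consecutive_no & 0xFF])
    return body + struct.pack(">H", crc16(struct.pack(">I", f_param_sig) + body))


def wrap_in_standard_frame(dst: int, src: int, safety_pdu: bytes) -> bytes:
    """Standard (non-safety) frame: dst, src, length, opaque payload. The bus,
    couplers and standard drivers never inspect the safety content."""
    return bytes([dst, src, len(safety_pdu)]) + safety_pdu


def unwrap_standard_frame(frame: bytes) -> tuple:
    dst, src, length = frame[0], frame[1], frame[2]
    return dst, src, frame[3:3 + length]


class FConsumer:
    """Consumer side of a fail-safe module. Any detected fault passivates it:
    substitute values (all zero) are driven until an explicit reintegration."""

    def __init__(self, f_param_sig: int, data_len: int, watchdog_cycles: int):
        self.f_param_sig = f_param_sig
        self.data_len = data_len
        self.watchdog_cycles = watchdog_cycles
        self.expected_no = 1          # counter runs 1..255, 0 unused (assumption)
        self.cycles_since_valid = 0
        self.passivated = False
        self.last_fault = None

    def _passivate(self, reason: str) -> None:
        self.passivated = True
        self.last_fault = reason

    def receive(self, safety_pdu: bytes) -> bytes:
        """Validate one PDU; return the process data to act on (zeros when passivated)."""
        safe = bytes(self.data_len)
        if len(safety_pdu) != self.data_len + 3:
            self._passivate("length")
            return safe
        body, crc_rx = safety_pdu[:-2], struct.unpack(">H", safety_pdu[-2:])[0]
        if crc16(struct.pack(">I", self.f_param_sig) + body) != crc_rx:
            self._passivate("crc")        # corrupted PDU, or partner with other F-parameters
            return safe
        if body[-1] != self.expected_no:
            self._passivate("sequence")   # lost, repeated or out-of-order PDU
            return safe
        self.expected_no = self.expected_no % 255 + 1
        self.cycles_since_valid = 0
        return safe if self.passivated else body[:-1]

    def cycle_without_pdu(self) -> None:
        """Called for each bus cycle in which no valid PDU arrived (watchdog)."""
        self.cycles_since_valid += 1
        if self.cycles_since_valid > self.watchdog_cycles:
            self._passivate("timeout")

    def reintegrate(self, resync_no: int) -> None:
        """Acknowledgment after the cause is removed; the counter is resynchronized."""
        self.passivated = False
        self.last_fault = None
        self.expected_no = resync_no
        self.cycles_since_valid = 0


def demo() -> dict:
    """Scenarios from the text: normal transfer, replay, corruption, lost PDUs."""
    sig = 0x1A2B3C4D
    dev = FConsumer(sig, data_len=2, watchdog_cycles=3)
    results = {}
    pdus = [build_safety_pdu(bytes([0x01, n]), n, sig) for n in (1, 2, 3)]
    for pdu in pdus:
        _, _, payload = unwrap_standard_frame(wrap_in_standard_frame(7, 1, pdu))
        results["normal"] = dev.receive(payload)
    results["replay"] = (dev.receive(pdus[1]), dev.last_fault)   # PDU no. 2 again
    dev.reintegrate(resync_no=4)
    damaged = bytearray(build_safety_pdu(b"\x01\x04", 4, sig))
    damaged[0] ^= 0x80                                           # one flipped bit
    results["corrupt"] = (dev.receive(bytes(damaged)), dev.last_fault)
    dev.reintegrate(resync_no=5)
    for _ in range(4):
        dev.cycle_without_pdu()
    results["timeout"] = (dev.passivated, dev.last_fault)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:8s} {outcome}")
```

Note that these checks address transmission faults (corruption, loss, repetition, misdirection, delay), which is what the safety integrity figures refer to; a CRC over a public polynomial is not a cryptographic authenticator, so protection against deliberate manipulation on the bus is a separate question that the safety layer alone does not answer.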

S7-400F/FH Configurations
The S7-400F/FH has two basic configurations:
- Single operation of the S7-400F/FH programmable controller in fail-safe setup (see Fig. 1): if an error occurs in the control system, the production process is interrupted and transferred into a safe mode. Partial processes independent of the error can continue to operate (from 03/2003).
- Fail-safe and fault-tolerant setup of the S7-400F/FH programmable controller (see Figs. 2 and 3): if an error occurs in the control system, redundant controller components continue to control the production process.

Single-channel, single-sided I/O (Fig. 1): The plant requires a fail-safe controller. High availability is not required. The following are needed:
- 1 CPU 417-4H or CPU 414-4H with F Copy License
- 1 PROFIBUS DP master system
- ET 200M with IM 153-2
- Fail-safe signal modules in non-redundant design
In the event of a fault, the I/O is no longer available. The fail-safe signal modules are passivated.

Fig. 1: SIMATIC S7-400F/FH with single-channel, single-sided I/O (figure labels: S7-400F/FH programmable controller; single-channel, single-sided distributed I/O ET 200M; fail-safe signal modules)


Single-channel, switched I/O (Fig. 2): The plant requires a fail-safe controller. High availability is required on the CPU side. The following are needed:
- 2 CPU 417-4H or CPU 414-4H with F Copy License
- 2 DP master systems
- 1 ET 200M with 2 IM 153-2 (redundant)
- Fail-safe signal modules in non-redundant design
If there is a fault in the CPU, IM 153-2 or DP master system, the controller is still available. If there is a fault in a fail-safe signal module or the ET 200M, the I/O is no longer available. The fail-safe signal modules are passivated.

Fig. 2: SIMATIC S7-400F/FH with single-channel, switched I/O (figure labels: redundant DP master systems; S7-400F/FH programmable controller; single-channel, switched distributed I/O ET 200M with 2 x IM 153-2; fail-safe signal modules; redundant PROFIBUS DP)


Redundant, switched I/O (Fig. 3): The plant requires a fail-safe controller. High availability is required on the CPU side and the I/O side. The following are needed:
- 2 CPU 417-4H or CPU 414-4H with F Copy License
- 2 DP master systems
- 2 ET 200M with 2 IM 153-2 each (redundant)
- Fail-safe signal modules in redundant design
If there is a fault in the CPU, IM 153-2, PROFIBUS DP line, the fail-safe signal modules or the ET 200M, the controller is still available.

Fig. 3: SIMATIC S7-400F/FH with redundant, switched I/O (figure labels: redundant DP master systems; S7-400F/FH programmable controller; redundant, switched distributed I/O, 2 x ET 200M with 2 x IM 153-2 each; redundant, fail-safe signal modules; redundant PROFIBUS DP)

S7-400H Highlights
Applications

The following list includes some application areas of SIMATIC S7-400H:
- Power generation and distribution
- Power stations
- Pipelines and district heating systems
- Chemical industry
- Mining
- Environment technology
- Water treatment
- Garbage incineration
- Steel and metal-working industries
- Transport
- Tunnel ventilation and air conditioning
- Marine automation
- Airport automation
- Baggage transport control
- Runway lighting
The S7-400H is used in applications where downtimes are intolerable.
Benefits

Figure: Redundancy on all levels (figure labels: redundant communication; redundant controller; redundant IM; redundant PROFIBUS; NEW: redundant I/O; sensor / control element)

The SIMATIC S7-400H is designed as a fully-fledged member of the SIMATIC S7 series and thus makes full use of Totally Integrated Automation. The S7-400H is designed in such a way that most of the redundancy-relevant functions are hidden from the user. This means in detail:
- Programming of the S7-400H as a non-redundant standard system
- Simple program porting: a program which was written for non-redundant systems can easily be ported to redundant systems, and vice versa
- Convenient parameterization of redundancy-specific functions and configurations with a STEP 7 option package
- All standard programming languages for SIMATIC S7 can be used without restriction
- Handling as for non-redundant systems: for example, the S7-400H can be programmed online like a standard system. All changes can be carried out during the current process; both CPUs are then updated automatically
- Use of all standard SIMATIC S7 components (with a few exceptions)

The advantages resulting from full system integration are obvious: in contrast to working with the usual redundant systems, you can concentrate fully on your actual task, automation, and ignore redundancy-specific functions. This means that with the S7-400H you need not bother about which data is to be transmitted to the standby unit, which commands are permitted and which are not, etc.
Redundancy features

- Smooth changeover: both sub-units are active in fault-free mode. In the case of a fault, the intact unit takes over processing at the interruption point without any data being lost.
- Integrated error detection and localization functions: using the self-diagnostics function, the system detects and signals errors before they can affect the process. Since you can replace specific faulty components, repair time is shortened.
- Online repair during operation: you can replace all components during operation. When a CPU is replaced, it is automatically updated with the current programs and data. The configuration can be changed during operation, e.g. DP slaves, modules or main memory modules can be added or removed.
- Automatic event synchronization: the operating system ensures that all commands whose execution would cause different states in the two systems run synchronously. It is unnecessary to update the data in the partner unit.
- Communication with high availability: depending on the network topology, redundant connections are set up which are automatically activated in the event of a fault.
- Coupling of the CPUs by Sync modules which plug directly into the CPUs: no rack slot is lost and communication is faster. Hot swapping of the Sync modules is possible.

CPU

The CPUs 417H and 414H each have 4 interfaces:
- 1 PROFIBUS DP interface which connects the SIMATIC S7-400H as a master to PROFIBUS DP
- 1 interface which can be used as a PROFIBUS DP interface or as MPI (Multipoint Interface). You can use this interface to program and assign parameters, to control and visualize (operator), and to set up simple network structures
- 2 interfaces for accommodating the Sync modules

S7-400H Configurations
Central controllers

There are 2 configuration possibilities where the central controllers are concerned:
- Configuration with two standard subracks (UR1 and UR2): if the sub-units must be completely separate from one another for reasons of availability, this configuration is well suited. In each central controller one CPU and one power supply (PS) are plugged in. If a particularly high degree of availability is required, two redundant PS units can be used.
- Configuration with one UR2-H: this is a new subrack with a divided backplane bus, in each case with a single or redundant PS. This permits a particularly compact design.

Communication

The high-availability communication (Fig. 6) is already integrated in the S7-400H. Connection of the PC uses two CPs and the S7-REDCONNECT software package. In the event of a fault, the high-availability communication continues automatically, invisibly to the user.

Connection of I/Os

You can connect I/Os in accordance with availability requirements. Thus, the single-sided connection (normal availability), the switched connection (increased availability), and the redundant connection (high availability) can be provided (Fig. 4). These configurations can also be mixed. Highest availability is now made possible by redundant I/O: the I/O modules are arranged in pairs, and this arrangement can tolerate the loss of a CPU, a DP master system, and an I/O module (see Fig. 4). In normal operation both I/O modules, which must be of the same type, are active and provide their signals. When the loss of a module is detected, the signals of the intact module are used. Many I/O modules of the S7-300 (for distributed use in ET 200M) can provide redundant operation. Prerequisites include the option package "H systems", version 5.2, and STEP 7, version 5.2. With the Y link, a lower-level I/O system with different field devices can easily be linked to a redundant PROFIBUS DP system, e.g. an S7-400H with two DP master systems. In the event of a fault, the Y link switches the complete I/O line bumplessly to the active bus channel of the redundant H system (Fig. 5).

Fig. 4: Connecting the fault-tolerant I/Os (figure labels: redundant PROFIBUS; redundant input: both DI inputs are read in parallel, the correct value is automatically selected and processed)

Fig. 5: Coupling of the I/Os by using the Y link (figure labels: S7-400H with redundant DP master system; Y coupler / Y link with IM 157; lower-level DP master system with ET 200S, ET 200L and ET 200X distributed I/O devices, drives and other field devices)

Fig. 6: High-availability communication (figure labels: PC with 2 x CP 1613 and S7-REDCONNECT; two S7-400H; H-CPU in single mode)

S7-400H, S7-400F/FH Technical specifications

CPU                                   CPU 417-4H               CPU 414-4H
Main memory
  Integral (program/data)             2 Mbyte each             384 Kbyte each
  Expandable (program/data)           8 Mbyte each             -
Load memory
  Integral                            256 Kbyte RAM            256 Kbyte RAM
  Expandable FEPROM                   Up to 64 Mbyte           Up to 64 Mbyte
  Expandable RAM                      Up to 64 Mbyte           Up to 64 Mbyte
FBs/FCs, max.                         6144/6144                2048/2048
Data blocks, max.                     8191                     4095
I/O address range                     16/16 Kbyte              8/8 Kbyte
  of which distributed
  - MPI/DP interface                  2/2 Kbyte                2/2 Kbyte
  - DP interface                      8/8 Kbyte                6/6 Kbyte
Process image (adjustable)            16/16 Kbyte              8/8 Kbyte
  Default setting                     1024/1024 byte           256/256 byte
Digital channels                      131072/131072            65536/65536
  of which centralized                131072/131072            65536/65536
Analog channels                       8192/8192                4096/4096
  of which centralized                8192/8192                4096/4096
1st interface
  MPI                                 Yes                      Yes
  DP master                           Yes                      Yes
  DP slave                            No                       No
  Default setting                     MPI                      MPI
  Isolated                            Yes                      Yes
2nd interface
  DP master                           Yes                      Yes
  DP slave                            No                       No
  Point-to-point connection           No                       No
  Default setting                     DP master                DP master
  Isolated                            Yes                      Yes
Programming languages                 STEP 7 V5, SP1 (LAD, FBD, STL); SCL, CFC, GRAPH, HiGraph
MLFB group                            6ES7417-4H...            6ES7414-4H...

SM 326 F fail-safe digital input module
  Number of inputs                    24 (single-channel), 12 (two-channel)
  Input voltage                       24 V DC
  Alarms                              Diagnostics alarm
  MLFB group                          6ES7326-1BK..

SM 326 F fail-safe digital output module
  Number of outputs                   10
  Output voltage                      24 V DC
  Output current with "1" signal      2 A per channel
  Alarms                              Diagnostics alarm
  MLFB group                          6ES7326-2BF..

SM 326 NAMUR fail-safe Ex input module
  Number of inputs                    8 (single-channel), 4 (two-channel)
  Input voltage                       In accordance with DIN 19234 or NAMUR
  Alarms                              Diagnostics alarm
  MLFB group                          6ES7326-1RF..

SM 336 F fail-safe analog input module
  Number of inputs                    6; max. 4 (single-channel) or 3/2 (two-channel) with voltage measurements
  Alarms                              Diagnostics alarm (parameterizable)
  Integration time                    20/16.66 ms
  Resolution                          13 bit + sign
  MLFB group                          6ES7336-1HE..

Option packages for S7 F systems
  F-Library                           Approx. 50 certified basic function blocks
  F-Tool                              For parameterization of fail-safe SMs
  Requirements                        STEP 7 V5.1 or higher; CFC V5.2 or higher; S7-SCL V5.0 or higher; S7 H systems V5.1 (option for S7-400FH)
  MLFB group                          6ES7833-1CC..

Additional information on the SIMATIC controllers can be found on the Internet: www.siemens.com/simatic-controller
For personal consultation you can find your local SIMATIC partner at: www.siemens.com/automation/partner
Using the A&D Mall you can order electronically, immediately and directly, on the Internet: www.siemens.com/automation/mall

Siemens AG, Automation and Drives, Postfach 4848, D-90327 Nürnberg, Federal Republic of Germany
www.siemens.com/simatic-controller
Order No. 6ZB5310-0HY02-0BA5
Printed in the Federal Republic of Germany 26100/301305 SB 01036.

© Siemens AG 2003. Subject to change without prior notice.

All designations marked in this Product Brief with ® are registered trademarks of Siemens AG.
