Professional Documents
Culture Documents
Safety Manual
SAFETY
All HIMA products mentioned in this manual are protected by the HIMA trade-mark. Unless noted
otherwise, this also applies to other manufacturers and their respective products referred to herein.
All of the instructions and technical specifications in this manual have been written with great care and
effective quality assurance measures have been implemented to ensure their validity. For questions,
please contact HIMA directly. HIMA appreciates any suggestion on which information should be
included in the manual.
Equipment subject to change without notice. HIMA also reserves the right to modify the written material
without prior notice.
For further information, refer to the HIMA DVD and our website at http://www.hima.de and
http://www.hima.com.
Contact
HIMA Address
HIMA Paul Hildebrandt GmbH + Co KG
P.O. Box 1261
68777 Brühl, Germany
Phone: +49 6202 709-0
Fax: +49 6202 709-107
E-mail: info@hima.com
Table of Contents
1 Safety Manual .......................................................... 7
1.1 Validity and Current Version................................................................................. 7
1.2 Objectives of the Manual....................................................................................... 7
1.3 Target Audience..................................................................................................... 7
1.4 Formatting Conventions ....................................................................................... 7
1.4.1 Safety Notes ............................................................................................................ 8
1.4.2 Operating Tips ......................................................................................................... 8
Appendix ............................................................... 59
Increasing the SIL of Sensors and Actuators.................................................... 59
Definitions and Abbreviations............................................................................. 60
Index of Figures.................................................................................................... 61
Index of Tables ..................................................................................................... 62
Index ...................................................................................................................... 63
1 Safety Manual
Knowledge of regulations and the proper technical implementation of the safety instructions
detailed in this manual performed by qualified personnel are prerequisites for safely
planning, engineering, programming, installing and starting up the HIMax automation
devices, as well as for ensuring safety during their operation and maintenance.
HIMA will not be held liable for severe personal injuries, damage to property or the
surroundings caused by any of the following: unqualified personnel working on or with the
devices, de-activation or bypassing of safety functions, or failure to comply with the
instructions detailed in this manual (resulting in faults or impaired safety functionality).
HIMax automation devices have been developed, manufactured and tested in compliance
with the pertinent safety standards and regulations. They must only be used for the
intended applications under the specified environmental conditions.
SIGNAL WORD
Type and source of danger!
Consequences arising from the danger
Danger prevention
NOTICE
Type and source of damage!
Damage prevention
2 Intended Use
This chapter describes the conditions for using HIMax systems.
2.1 Scope
The safety-related HIMax controllers are certified for use in process controllers, protective
systems, burner systems and machine controllers.
All HIMax input and output modules (I/O modules) can be operated with an individual
processor module or with several redundant processor modules.
When implementing safety-related communications between various devices, ensure that
the overall response time does not exceed the fault tolerance time. All calculations must be
performed in accordance with the rules specified in Safety Manual HI 800 003 E.
Only connect devices with safe electrical isolation to the communications interfaces.
The use under environmental conditions other than those specified in the following section
is not permitted.
When using the safety-related HIMax control systems, the following general requirements
must be met:
Requirement type Requirement content
Protection class Protection class II in accordance with IEC/EN 61131-2
Pollution Pollution degree II in accordance with IEC/EN 61131-2
Altitude < 2000 m
Housing Standard: IP20/IP00
If required by the relevant application standards (e.g., EN 60204),
the device must be installed in an enclosure of the specified
protection class (e.g., IP54).
Table 2: General requirements
NOTE
Electrostatic discharge can damage the electronic components within the
controllers!
When performing the work, make sure that the workspace is free of static, and
wear an ESD wrist strap.
If not used, ensure that the module is protected from electrostatic discharge, e.g.,
by storing it in its packaging.
Only personnel with knowledge of ESD protective measures may modify or extend
the system wiring.
2.4 Requirements to be met by the operator and the machine and system
manufacturers
The operator and the machine and system manufacturers are responsible for ensuring that
HIMax systems are safely operated in automated systems and plants.
The machine and system manufacturers must validate that the HIMax systems are correctly
programmed.
DANGER
Physical injury caused by safety-related automation systems improperly connected
or programmed.
Check all connections and test the entire system before starting up!
All HIMax modules are equipped with LEDs to indicate that faults have been detected. This
allows the user to quickly diagnose faults in a module or the external wiring, if a fault is
reported.
Further, the user program can also be used to evaluate various system variables that report
the module status.
An extensive diagnostic record of the system's performance and detected faults are logged
and stored in the diagnostic memory of the processor module or that of other modules.
After a system fault, the recorded data can be read using the PADT.
For more information on evaluating diagnostic messages, see "Diagnostics“ in the System
Manual (HI 801 001 E).
For a very few number of component failures that do not affect safety, the HIMax system
does not provide any diagnostic information.
3.1.3 PADT
Using the PADT, the user creates the program and configures the controller. The safety
concept of the PADT supports the user in the correct implementation of the control task.
The PADT takes numerous measures to check the entered information.
3.1.4 Redundancy
To improve availability, all parts of the system containing active components can be set up
redundantly and, if necessary, replaced while the system is operating.
Redundancy does not impair safety. SIL 3 is still guaranteed even if system components
are used redundantly.
The watchdog time for a project is determined by a test on a complete system. During the
test, all the processor modules are inserted in the base plate. The system operates in RUN
mode with full load.
All communication links are operating (safeethernet and standard protocols).
i When a processor module is inserted in the base plate, it automatically synchronizes itself
with the configuration of the existing processor modules. The time required for the
synchronization process extends the controller cycle up to the maximum cycle time.
The synchronization time increases with the number of processor modules that have
already been synchronized.
For more information on how to insert and remove a processor module, refer to the
X-CPU 01 (HI 801 009 E).
4. In the diagnostic history for the non synchronized module, read the synchronization time
from n to n+1 processor modules in every synchronization process and note it down.
The greatest synchronization time value is used to determine the watchdog time.
5. Calculate the minimum watchdog time from the longest synchronization time + 12 ms
spare + spare for the noted variations of the cycle time.
6. Calculate the watchdog time TWD using the following equation:
TWD = .TSync + TMarg + TCom + TConfig + TLatency + TPeak where
TSync Time determined for the processor module's synchronization
TMarg Safety margin 12 ms
TCom The configured system parameter: Max. Com.Time Slice ASYNC [ms]
TConfig The configured system parameter: Max. Duration of Configuration Connections
[ms]
TLatency The configured system parameter: Maximum System Bus Latency [µs] * 4
TPeak Observed load peak of the user programs
This equation allows one to calculate a suitable value for the watchdog time.
i In particular cases, the watchdog time calculated as described above might be too short for
performing a reload.
TIP The determined watchdog time can be used as maximum cycle time in the safeethernet
configuration, see Communication Manual (HI 801 101 E).
When determining the safety time, the effects of the following factors must be taken into
account:
If input modules are used, consider the following:
Time-on/time-off delay settings for input channels:
enter maximum delay time setting in μs + 2* cycle time of the I/O module
Noise blanking also needs time reserves.
Choose a safety time that is long enough to account for the most significant factor
mentioned above, but still lower than the FTT of the process. It is important not to neglect
the sensor and actuator time parameters for the safety function.
The safety time for the controller is:
Safety time > 2 * watchdog time + maximum cycle time + 2 * cycle time of the I/O
modules
In the actual application, the user should measure the maximum cycle time by replacing a
redundant processor module. Enter the maximum cycle time determined for the entire
system into the above formula. The cycle time of the I/O modules is equal to 2 ms.
This reaction time applies for user programs with a cycle duration equal to one processor
module cycle. If the user program cycle is distributed over multiple processor module
cycles, the reaction time increases up to the number of cycles multiplied by the doubled
cycle duration. Refer to Chapter 10.2.3 and Chapter 10.2.11 for more details.
3.4.2 Programming
Personnel developing user programs must observe the following safety requirements.
Product-Independent Requirements
In safety-related applications, ensure that the safety-relevant system parameters are
properly configured.
In particular, this applies to the system configuration, maximum cycle time and safety
time.
3.4.4 Communication
When implementing safety-related communications between the various devices,
ensure that the system's overall response time does not exceed the fault tolerance time.
All calculations must be performed in accordance with the rules given in 11.2.
The transfer of safety-relevant data through public networks like the Internet is not
permitted unless additional security measures have been implemented such as VPN
tunnel.
If data are transferred through company-internal networks, administrative or technical
measures must be implemented to ensure sufficient protection against manipulation
(e. g. using a firewall to separate the safety-relevant components of the network from
other networks).
Never use the standard protocols to transfer safety-related data.
All devices to be connected to the communication interfaces must be equipped with safe
electrical isolation.
3.5 Certification
HIMA safety-related automation devices (Programmable Electronic Systems, PES) of the
HIMax system have been tested and certified by TÜV for functional safety in accordance
with and the standards listed below:
Chapter 'Operating Requirements' contains a detailed list of all environmental and EMC
tests performed.
All devices have received the mark of conformity.
4 Processor Modules
The processor module's safety function is maintained by processing the user program with
two processors that constantly compare their data. If a fault occurs, the watchdog sets the
module to the safe state and reports the CPU state.
Refer to the manuals for further details about the processor modules.
4.1 Self-Tests
The following section specifies the most important self-test routines of controllers' safety-
related processor modules:
Processor test
Memory test
Comparator test
CRC test with non-volatile memories
Watchdog test
NOTE
Interruption of the safety-related operation possible!
Replacing a processor module with a lit or blinking Ess LED can result in the
interruption of a controller's operation.
Do not remove processor modules with a lit or blinking Ess LED.
A lit or blinking Ess LED indicates that the processor module is required for the system to
function.
Even if the LED is not lit or blinking, the system redundancies which this processor module
is part of, must be checked using SILworX. The communication connections processed by
the processor module must also be taken into account.
Refer to the Processor Module Manual (HI 801 009 E) and to the System Manual
(HI 801 001 E) for more details on how to replace processor modules.
5.1 Rack ID
The rack ID identifies a rack within a resource and must be unique for each rack.
The rack ID is the safety parameter for addressing the individual racks and the modules
mounted on them!
The rack ID is stored in the connector bioard of the system bus module and must be
modified using the system bus module. Whenever the rack ID must be changed, e.g., when
installing a new HIMax system, follow the instructions given in the system manual.
The procedure for configuring the Rack ID is described in the System Manual
(HI 801 001 E) and in the SILworX First Step Manual (HI 801 103 E).
5.2 Responsibility
Only one of the system bus modules contained in each system bus may receive the
Responsible attribute and thus be configured as Responsible for the system bus operation.
For system bus A, the Responsible attribute is reserved for the system bus module in
rack 0, slot 1.
For system bus B, the attribute can be set using SILworX.
The responsible system module must be either located in rack 0 or rack 1.
Make sure that this requirements are met prior to starting safety-related operation.
The procedure for setting the Responsible attribute is described in the SILworX First Step
Manual (HI 801 103 E).
WARNING
Physical injury possible!
SILworX must be used to verify the configuration.
Proceed as follows:
In SILworX, log in to the system module on rack 0, slot 2.
In SILworX, log in to the system module on rack 1, slot 2.
Check the Control Panels of both system bus modules to ensure that the
Responsible attribute has only been set for the correct system bus module (see
Figure 1 and Figure 2)!
Recommended configurations:
If processor modules are only contained in rack 0, both system bus modules in rack 0
must be set to Responsible (Figure 1).
If processor modules are also contained in rack 1 (Figure 2), the following system bus
modules must be set to Responsible.
- In rack 0, the system bus module in slot 1.
- In rack 1, the system bus module in slot 2.
Rack 0 Rack 1
R System Bus Module set to Responsible
Rack 0 Rack 1
R System Bus Module set to Responsible
6 Communication Module
Communication modules control both safety-related data transfer to other HIMA controllers
and non-safety-related data transfer through field busses and Ethernet.
The processor module controls the safety-related data traffic using the SIL 3-certified
transfer protocol safeethernet. The communication module forwards the data packets to
the other systems. The safety-related protocol ensures that corrupted messages are
detected (black-channel principle).
This allows safety-related communication via non safety-related transmission paths, i.e.,
standard network components.
The standard protocols are for instance:
- Modbus
- PROFIBUS master/slave
A HIMax system can be equipped with a maximum of 20 communication modules.
For more information, see Chapter 11.1, the COM Module Manual (HI 801 011 E) and the
Communication Manual (HI 801 101 E).
7 Input Modules
Module Number of Safety- Non-reactive Remark
channels related channels
Digital inputs
X-DI 16 01 16 SIL 3 • 120 VAC
X-DI 32 01 32 SIL 3 •
X-DI 32 02 32 SIL 3 • Proximity switches
(NAMUR)
X-DI 32 03 32 SIL 3 • 48 VDC
X-DI 32 04 32 SIL 3 • With sequence of events
recording
X-DI 32 05 32 SIL 3 • Proximity switches
(NAMUR), with sequence
of events recording
X-DI 32 51 32 - •
X-DI 32 52 32 - • Proximity switches
(NAMUR)
X-DI 64 01 64 SIL 3 •
X-DI 64 51 64 - •
Analog inputs 0/4...20 mA
X-AI 16 51 16 SIL 1 •
X-AI 32 01 32 SIL 3 •
X-AI 32 02 32 SIL 3 • With sequence of events
recording
X-AI 32 51 32 - •
Counter inputs
X-CI 24 01 24 SIL 3 •
X-CI 24 51 24 - •
Table 9: Overview of the Input Modules
7.1 General
Safety-related inputs can be used for both safety-related signals and non-safety-related
signals. Non-safety-related signals, however, may not be used for safety functions!
In addition to the the diagnostic LEDs, the controllers generate and save error and status
messages. The PADT can read the saved diagnostic messages.
Safety-related input modules automatically perform high-quality, cyclic self-tests during
operation.
If a fault occurs, the initial value is provided to the user program as a global variable and, if
possible, a fault information is issued. The user program can read out the error code and
thus evaluate this fault information.
For more information on the input modules, refer to the individual module manuals.
7.3.4 Redundancy
It is allowed to connected the digital inputs redundantly. The redundant connection is
usually used to increase availability.
If other connection variants, e.g., to increase the SIL value, should be used, fault states
must be handled in the user program logic.
NOTE
If shielded cables are used for digital inputs, no additional precautionary measures are
required to protect against surges.
If shielded cables are not used, surge pulses (as defined in EN 61000-4-5) on digital inputs
may be read as a temporary high level due to the short cycle time of HIMax systems.
Use the channel-specific time on and time off delay the to avoid these types of faults: a
signal must be present for at least a certain time period before it is evaluated. In the
process, the watchdog time must not be exceeded.
7.4.4 Redundancy
It is allowed to connected the analog inputs redundantly. The redundant connection is
usually used to increase availability.
If other connection variants, e.g., to increase the SIL value, should be used, fault states
must be handled in the user program logic.
7.5.5 Redundancy
It is allowed to connected the counter inputs redundantly. The redundant connection is
usually used to increase availability.
If other connection variants, e.g., to increase the SIL value, should be used, fault states
must be handled in the user program logic.
The checklists are available in Microsoft® Word® format on the HIMA website.
8 Output Modules
Module Number Safety- Safely Remark
of related electrically
channels isolated
Digital outputs
X-DO 12 02 12 SIL 3 -
X-DO 24 01 24 SIL 3 -
X-DO 24 02 24 SIL 3 - 48 VDC
X-DO 32 01 32 SIL 3 -
X-DO 32 51 32 - -
Ddigital relay outputs
X-DO 12 01 12 SIL 3 • 230 VAC
X-DO 12 52 12 - •
Analog outputs
X-AO 16 01 16 SIL 3 Pairwise
X-AO 16 51 16 - -
Table 10: Overview of the Input Modules
8.1 General
The safety-related output modules are written once per cycle, the generated output signals
are read back and compared with the specified output data.
The safe state of the outputs is 0 or an open relay contact.
Using the corresponding error codes, additional options exist for programming fault
reactions in the user program.
For more information on the output modules, refer to the individual module manuals.
NOTE
System malfunction possible!
The voltage induced during switching off inductive loads could cause faults in the
controller or in other electronical systems close to the actor's input leads.
Therefore, it is a good practice to connect inductive loads with a suitable free-
wheeling circuit at the actuator to counteract these disturbances.
8.3.5 Redundancy
It is allowed to connected the digital outputs redundantly. The redundant connection is
usually used to increase availability.
If other connection variants, e.g., to increase the SIL value, should be used, fault states
must be handled in the user program logic.
NOTE
System malfunction possible!
The voltage induced during switching off inductive loads could cause faults in the
controller or in other electronical systems close to the actor's input leads.
Therefore, it is a good practice to connect inductive loads with a suitable free-
wheeling circuit at the actuator to counteract these disturbances.
8.4.4 Redundancy
It is allowed to connect the digital relay outputs redundantly. The redundant connection is
usually used to increase availability.
If other connection variants, e.g., to increase the SIL value, should be used, fault states
must be handled in the user program logic.
If faults occur, the outputs are set to the safe value 0 mA.
8.5.4 Observe the following points when using the analog X-AO 16 01 output
module!
If the analog output module is used, the following particularities must absolutely be
observed, also refer to the module-specific manual (HI 801 111 E):
Only the connection variants specified in the module manual (HI 801 111 E) may be
used!
If more than two modules are redundantly connected in series, the SELV voltage can be
exceeded!
With serial redundancy, only one channel of each group of two channels may be used!
If HART communication occurs between the connected actuator and one HART
terminal, the output signal can deviate from the final value by up to 2 % !
If a fault occurs, the time to reach the safe state can take up to 16 ms in the worst case.
Take this time into account when defining the reaction and safety times!
The user program may not write to analog outputs in cycles shorter than 6 ms.
If faults occur, the module outputs the safe value 0 mA, even if the upper limit of the
setting range is exceeded.
8.5.6 Redundancy
It is allowed to connected the analog outputs redundantly. The redundant connection is
usually used to increase availability.
If other connection variants, e.g., to increase the SIL value, should be used, fault states
must be handled in the user program logic.
9 Software
The software for the safety-related automation devices of the HIMax systems consist of the
following components:
Operating system
User program
SILworX programming system in accordance with IEC 61131-3.
The operating system is loaded into each controller's module. HIMA recommends using the
latest version valid for the safety-related applications. This chapter particularly describes
the operating system of the processor module.
The user program is created using the SILworX programming system and contains the
application-specific functions to be performed by the automation device. SILworX is also
used to configure it.
The user program is compiled with the code generator and transferred to the non-volatile
memory automation device through an Ethernet interface.
When starting up a safety-related controller for the first time, a comprehensive function test
to verify the safety of the entire system must be performed.
2. Perform a thorough functional test of the logic by trial (see Chapter 9.2.2).
The controller and the application are sufficiently tested.
If a user program is modified, only the program components affected by the change must
be tested. To do this, the safe revision comparator in SILworX can be used to determine
and display all changes relative to the previous version.
This procedure must be followed both when initially creating and when modifying the user
program.
DANGER
Physical injury possible due to incorrect configuration!
Neither the programming system nor the controller can verify certain project-specific
parameters. For this reason, enter these parameters correctly and verify the whole
entry.
These parameters are set to 0.
System ID
Rack ID, see 5.1 and System Manual (HI 801 001).
Responsible attribute of system bus modules, see 5.2
Safety Time
Watchdog Time
Main Enable
Autostart
Start Allowed
Load Allowed
Reload Allowed
Global Forcing Allowed
The following parameters are defined in SILworX for the operations permissible in the
safety-related operation of the resource and are referred to as safety-related parameters.
Parameters that may be defined for safety-related operation are not firmly bound to any
specific requirement classes. Instead, each of these must be agreed upon together with the
responsible test authority for each separate implementation of the automation device.
If the calculated time value is less than 6 ms, it is rounded up to 6 ms. The online statistics
can be used to modify the calculated time either later in the resource properties or
immediately online.
i When generating the code or converting the project, a warning message is displayed in the
PADT if the defined Max. Duration of Configuration Connections is less than the value
resulting from the previous formula.
In the SILworX Hardware Editor, these system variables may be assigned global variables
with a value that is modified by a physical input or the user program logic.
Example: Locking and Unlocking the PES
Locking the PES locks all functions and prevents users from accessing them during
operation. This also protects against unauthorized manipulations to the user program.
Unlocking the PES: Deactivates any locks previously set (e.g., to perform work on the
controller).
The three system variables Read only in Run, Reload Deactivation and Force Deactivation
may be used to lock the PES.
If all three system variables are ON: no access to the controller is possible. In this case the
controller can only be put into STOP state by restarting a processor module with the mode
switch in the Init position. Then loading a new user program is possible.
9.4 Forcing
Forcing is the procedure by which a variable's current value is replaced with a force value.
The variable receives its current value from a physical input, communication or a logic
operation. If the variable is forced, its value does no longer depend on the process, but is
defined by the user.
WARNING
Use of forced values can disrupt the safety integrity!
Forced value may lead to incorrect output values.
Forcing prolongates the cycle time. This can cause the watchdog time to be
exceeded.
Forcing is only permitted after receiving consent from the test authority responsible
for the final system acceptance test.
When forcing values, the person in charge must take further technical and organizational
measures to ensure that the process is sufficiently monitored in terms of safety. HIMA
recommends to setting a time limit for the forcing procedure.
Refer to the System Manual (HI 801 001 E) for further details on forcing.
The safe version comparator must be used to verify the changes performed to the program
prior to loading it into the controller.
It exactly determines the changed parts of the resource configuration. This, in turn,
facilitates testing the changes and identifying the test data.
Structured programming and the use of significant names from the first configuration
version on, facilitate understanding of the comparison result.
All requirements about protection against manipulation specified in the safety and
application standards must be met. The operator is responsible for authorizing employees
and implementing the required protective actions.
DANGER
Danger: Physical injury due to unauthorized manipulation of the controller!
The controller must be protected against unauthorized access!
For instance:
Changing the default settings for login and password!
Controlling the physical access to the controller and PADT!
PES data can only be accessed if the PADT in use is operating with the current version of
SILworX and the user project is available in the currently running version (archive
maintenance!).
The user only need to connect the PADT to the PES when loading the user program or
performing diagnostics. The PADT is not required during normal operation. Disconnecting
the PADT and PES during normal operation helps to prevent against unauthorized access.
10 User Program
This chapter describes the safety-related aspects that are important for the user programs.
Upon completing these steps, the user program can be tested and the PES can begin the
safe operation.
The user program must be written using the SILworX programming software. For further
details on the operating system released for personal computer, refer to the release
documentation for the SILworX version to be used.
The I/O concept of the system must include an analysis of the field circuits, i.e. the type of
sensors and actuators:
Actuators
Positioning and activation during normal operation
Safe reaction/positioning at shutdown or after power loss
NOTE
Faulty operation of controller possible!
Before loading a user program for safety-related operation, the user program must
be first compiled twice. Both versions generated must have the same CRC.
By compiling the user program twice and comparing the checksums of the generated code,
the user can detect potential corruptions of the user program resulting from sporadic faults
in the hardware or operating system of the PC in use .
i HIMA recommends backing up project data, e.g., on a data storage medium, after loading
user programs into the controller, even by performing a reload.
This is done to ensure that the project data corresponding to the configuration loaded into
the controller remains available even if the PADT fails.
HIMA recommends a data back up on a regular basis also independently from the program
load.
10.2.6 Reload
If user programs were modified, the changes can be transferred to the PES during
operation. After being tested by the operating system, the modified user programs are
activated and it assumes the control task.
i Take the following point into account when reloading step chains:
The reload information for step sequences does not take the current sequence status into
account. The step sequence can be accordingly changed and set to an undefined state by
performing a reload.
The user is responsible for this action.
Examples:
Deleting the active step. As a result, no step of the step chain has the active state.
Renaming the initial step while another step is active.
As a result, a step chain has two active steps!
Prior to performing a reload, the operating system checks if the required additional tasks
would increase the cycle time of the current user programs to such an extent that the
defined watchdog time is exceeded. In this case, the reload process is aborted with an error
message and the controller continues operation with the previous project configuration.
The reload can only be performed if the Reload Allowed system parameter is set to ON and
the Reload Deactivation system variable is set to OFF.
i The user is responsible for ensuring that the watchdog time includes a sufficient reserve
time. This should allow the PES to manage the following situations:
Variations in the user program's cycle time
Sudden, strong cycle loads, e.g., due to communication.
Expiration of time limits during communication
NOTE
Failure of safety-related operation possible!
The single step mode must not be used in safety-related operation!
Prior to using an online command to set parameters, make sure that this change will not
result in a dangerous state. If required, organizational and/or technical measures must be
taken to exclude the accident.
The safety time and watchdog time values must be checked and compared to the safety
time required by the application and to the actual cycle time. These values cannot be
verified by the PES!
Table 11 specifies the parameters that can be changed during operation.
This documentation is required for the acceptance test of a system subjected to approval
by a test authority (e.g., TÜV).
10.2.11 Multitasking
Multitasking refers to the capability of the HIMax system to process up to 32 user programs
within the processor module.
The individual user programs can be started, stopped and loaded (even reloaded)
independently from one another.
A user program cycle can take multiple processor module cycles. This can be controlled
with the parameters of the resource and user program. SILworX uses these parameters to
calculate the user program watchdog time:
Watchdog timeuser program = watchdog timeprocessor module * maximum number of cycles
Usually, the individual user programs run concurrently in a non-reactive manner. However,
reciprocal influence can be caused by:
Use of the same global variables in several user programs.
Unpredictably long runtimes can occur in individual user programs if no limit is
configured with Max Duration for Each Cycle.
The distribution of user program cycle over processor module cycles strongly affects the
user program response time and the response time of the variables written by the user
program!
A user program evaluates global variables written by another user program after at least
one processor module cycle. In the worst case, the evaluation is performed with a delay
of 32 processor module cycles. The reaction to changes performed to such global
variables is thus delayed!
NOTE
Reciprocal influence of user programs is possible!
The use of the same global variables in several user programs can lead to a variety
of consequences caused by the reciprocal influence among the user programs.
Carefully plan the use of the same global variables in several user programs.
Use the cross-references in SILworX to check the use of global data. Global data
may only be assigned values by one entity, either within a user program, from
safety-related inputs or through safety-related communication protocols!
The user is responsible to exclude any potential operation interferences due to
reciprocal influence of user programs!
Refer to the System Manual (HI 801 001 E) for details on multitasking
11 Configuring Communication
In addition to using the physical input and output variables, variable values can also be
exchanged with other system through a data connection. In this case, the variables are
declared with the programming system SILworX, from within the Protocols area of the
corresponding resource.
DANGER
Physical injury due to usage of unsafe import data
Do not use any data imported from unsafe sources for safety functions in the user
program.
NOTE
Unintentional transition to the safe state possible!
ReceiveTMO is a safety-related parameter!
ReceiveTMO is the monitoring time of PES 1 within which a correct response from PES 2
must be received.
If a correct response is not received from the communication partner within ReceiveTMO,
HIMax terminates the safety-related communication. The input variables of this
safeethernet connection react in accordance with the preset parameter Freeze Data on
Lost Connection [ms]. The Use Initial Data setting may only be used for safety-related
functions implemented via safeethernet.
i In the following equations for determining the worst case reaction time, the target cycle time
can be used instead of the watchdog time, if the target cycle time mode is set to auf Fix or
Fixed-tolerant.
i The allowed worst case reaction time depends on the process and must be agreed upon
together with the test authority responsible for the final inspection.
Terms
ReceiveTMO: Monitoring time of PES 1 within which a correct response from PES 2
must be received. Otherwise, safety-related communication is
terminated after the time has expired.
Production Rate: Minimum interval between two data transmissions.
Watchdog Time: Maximum duration permitted for a controller's RUN cycle. The
duration of the RUN cycle depends on the complexity of the user
program and the number of safeethernet connections. The watchdog
time (WDT) must be entered in the resource properties.
Worst Case The worst case reaction time is the time between a change in a
Reaction Time physical input signal (in) of PES 1 and a reaction on the
corresponding output (out) of PES 2.
Delay: Delay of a transmission path e.g., with a modem or satellite
connection.
For direct connections, an initial delay of 2 ms can be assumed.
The responsible network administrator can measure the actual delay
on a transmission path.
To the calculations of the maximum reaction times specified below, the following conditions
apply:
The signals transmitted over safeethernet must be processed in the corresponding
controllers within one CPU cycle.
Further, the reaction time of the sensors and actuators must be added.
11.3.1 Calculating the Worst Case Reaction Time of Two HIMax controllers
The worst case reaction time TR is the time between a change on the sensor input signal
(in) of controller 1 and a reaction on the corresponding output (out) of controller 2. It is
calculated as follows:
TR = t1 + t2 + t3
TR Worst case reaction time
t1 Safety time of HIMax controller 1.
t2 ReceiveTMO
t3 Safety time of HIMax controller 2.
11.3.2 Calculating the Worst Case Reaction Time in Connection with One HIMatrix
controller
The worst case reaction time TR is the time between a change on the sensor input signal
(in) of HIMax controller and a reaction on the corresponding output (out) of HIMatrix
controller. It is calculated as follows:
Figure 4: Reaction Time for Connection between One HIMax and One HIMatrix Controller
TR = t1 + t2 + t3
TR Worst case reaction time
t1 Safety time of HIMax controller
t2 ReceiveTMO
t3 2 * Watchdog time of the HIMatrix controller
11.3.3 Calculating the Worst Case Reaction Time with two HIMatrix Controllers or
Remote I/Os
The worst case reaction time TR is the time between a change on the sensor input signal
(in) of the first HIMatrix controller or remote I/O (e.g., F3 DIO 20/8 01) and a reaction on the
corresponding output (out) of the second HIMatrix controller or remote I/O (out). It is
calculated as follows:
Figure 5: Reaction Time with Two Remote I/Os and One HIMax controller
TR = t1 + t2 + t3 + t4 + t5
TR Worst case reaction time
t1 2 * watchdog time of remote I/O 1
t2 ReceiveTMO1
t3 2 * watchdog time of the HIMax controller.
t4 ReceiveTMO2
t5 2 * watchdog time of remote I/O 2
i Remote I/O 1 and Remote I/O 2 can also be identical. The time values still apply if a
HIMatrix controller is used instead of a remote I/O.
11.3.4 Calculating the Worst Case Reaction Time with two HIMax and one
HIMatrix Controller
The worst case reaction time TR is the time between a change on the sensor input signal
(in) of the first HIMax controller and a reaction on the corresponding output (out) of the
second HIMax controller. It is calculated as follows:
Figure 6: Reaction Time with Two HIMax Controllers and One HIMatrix controller
TR = t1 + t2 + t3 + t4 + t5
TR Worst case reaction time
t1 Safety time of HIMax controller 1.
t2 ReceiveTMO1
t3 2 * watchdog time of the HIMatrix controller
t4 ReceiveTMO2
t5 Safety time of HIMax controller 2.
11.3.5 Calculating the Worst Case Reaction Time of Two HIMatrix Controllers
The worst case reaction time TR is the time between a change on the sensor input signal of
controller 1 and a reaction on the corresponding output of controller 2. It is calculated as
follows:
TR = t1 + t2 + t3
TR Worst case reaction time
t1 2 * watchdog time of the HIMatrix controller 1.
t2 ReceiveTMO
t3 2 * watchdog time of the HIMatrix controller 2.
11.3.6 Calculating the Worst Case Reaction Time with two Remote I/Os
The worst case reaction time TR is the time between a change on the sensor input signal
(in) of the first HIMatrix controller or remote I/O (e.g., F3 DIO 20/8 01) and a reaction on the
corresponding output of the second HIMatrix controller or remote I/O (out). It is calculated
as follows:
TR = t1 + t2 + t3 + t4 + t5
TR Worst case reaction time
t1 2 * watchdog time of remote I/O 1
t2 ReceiveTMO1
t3 2 * watchdog time of the HIMatrix controller.
t4 ReceiveTMO2
t5 2 * watchdog time of remote I/O 2
Note: Remote I/O 1 and remote I/O 2 can also be identical. The time values still apply if a
HIMatrix controller is used instead of a remote I/O.
11.3.7 Calculating the Worst Case Reaction Time with two HIMatrix and one
HIMax Controller
The worst case reaction time TR is the time between a change on the sensor input signal
(in) of the first HIMatrix controller and a reaction on the corresponding output (out) of the
second HIMatrix controller. It is calculated as follows:
Figure 9: Reaction Time with Two HIMatrix Controllers and One HIMax Controller
TR = t1 + t2 + t3 + t4 + t5
TR Worst case reaction time
t1 2 * watchdog time of the HIMatrix controller 1.
t2 ReceiveTMO1
t3 2 * watchdog time of the HIMax controller.
t4 ReceiveTMO2
t5 2 * watchdog time of the HIMatrix controller 2.
Appendix
Increasing the SIL of Sensors and Actuators
The safety-related HIMax controllers can be used in applications up to SIL 3. This requires
that the sensors and actuators (signalers and actuating elements) in use also achieve the
required SIL.
In some cases, sensors or actuators may not be available for the requirements defined in
the application, such as process value, range of value, SIL, etc. In this case, use the
following workaround:
For inputs: Use any of the available sensors that meet all of the requirements with the
exception of the SIL value. Use enough of them such that their combination provide an
input signal with the required SIL.
For outputs: Use any of the available actuators that meet all of the requirements with the
exception of the SIL. Use enough of them such that their combination affects the
process with the required SIL.
With inputs, associate the values of the individual sensors and their status information with
a part of the user program such that a global variable with the required SIL results from this
combination.
With outputs, distribute the value of a global variable among multiple outputs such that the
process adopts the safe state if a fault occurs. Further, the combination of actuators must
be able to affect the process in the required manner (for example, the serial or parallel
connection of valves).
For both inputs and outputs, design the system to have the required number of sensors and
actuators for a given process variable until the greatest possible degree of safety is
achieved for the process. Us a calculation tool to determine the SIL.
i The use of multiple sensors and actuators for inputting or outputting a single signal as
described here is only intended as a means of increasing the SIL. Do not confuse this with
the use of redundant inputs or outputs for improving availability
For information on how to achieve the required SIL for sensors and actuators, see IEC
61511-1, Section 11.4.
Index of Figures
Figure 1: Recommended Configuration: All Processor Modules in Rack 0 25
Figure 2: Recommended Configuration: Processor Modules in Rack 0 and Rack 1 25
Figure 3: Reaction Time with Interconnection of Two HIMax Controllers 54
Figure 4: Reaction Time for Connection between One HIMax and One HIMatrix Controller 54
Figure 5: Reaction Time with Two Remote I/Os and One HIMax controller 55
Figure 6: Reaction Time with Two HIMax Controllers and One HIMatrix controller 55
Figure 7: Reaction Time with Interconnection of Two HIMatrix Controllers 56
Figure 8: Reaction Time with Remote I/Os 57
Figure 9: Reaction Time with Two HIMatrix Controllers and One HIMax Controller 57
Index of Tables
Table 1: Standards for EMC, Climatic and Environmental Requirements 10
Table 2: General requirements 10
Table 3: Climatic Requirements 10
Table 4: Mechanical Tests 11
Table 5: Interference Immunity Tests 11
Table 6: Noise Emission Tests 11
Table 7: Review of the DC Supply Characteristics 12
Table 8 Overview System Documentation 13
Table 9: Overview of the Input Modules 27
Table 10: Overview of the Input Modules 32
Table 11: Resource System Parameters 40
Table 12: Hardware System Variables 41
Table 13: System Parameters of the User Program 46
Table 14: User Program Switch Freeze Allowed 48
Index
CRC......................................................... 46 EMC..................................................... 11
'de-energize to trip' principle' ..................... 9 ESD protection .................................... 12
'energize to trip' principle' .......................... 9 mechanical .......................................... 11
Ess LED................................................... 23 power supply ....................................... 12
fault reaction proof test ................................................. 19
analog inputs........................................ 29 rack ID..................................................... 24
analog outputs ..................................... 34 Redundanz.............................................. 15
counter inputs ...................................... 30 response time.......................................... 19
digital inputs ......................................... 28 responsible.............................................. 24
digital outputs....................................... 33 safety concept ......................................... 36
fault tolerance time .................................. 16 safety time............................................... 18
function test of the controller ................... 36 self-test.................................................... 14
Hardware Editor....................................... 41 SIL of sensores and actuators ................ 59
make a controller lockable....................... 41 version list ............................................... 36
multitasking.............................................. 49 watchdog time
online test field......................................... 48 resource............................................... 16
operating requirements to determine......................................... 17
climatic ................................................. 10 user program ....................................... 18
Albert-Bassermann-Str. 28
68782 Brühl, Germany
Phone: +49 6202 709-0
Fax +49 6202 709-107
HIMax-info@hima.com
www.hima.com