Product Brief · January 2003

SIMATIC S7-400H and S7-400F/FH
Top-end controllers with fault-tolerant and fail-safe functionalities

Overview

The increasing degree of automation in industrial plants has resulted in the availability of systems becoming ever more important. Failures or downtimes caused by maintenance work are very expensive. Controllers with high availability reduce the risk of undesirable production downtimes drastically. The high costs of such systems are negligible in comparison to the savings potential. Furthermore, there are many applications which place special demands on the safety for man, machine, the environment and the process; fail-safe automation systems are necessary in such cases.

H system (for fault tolerance)

The SIMATIC S7-400H is a PLC with high availability for time-critical applications.

A solution with SIMATIC software redundancy is appropriate for applications with a low-dynamic response.

The S7-400H is a solution with optimized functions if high-availability PLCs are required.

An S7-400H is appropriate for your applications if you

· require powerful CPUs

· need short switching times (< 100 ms - hot standby)

· wish to achieve additional fault tolerance.

Software redundancy is appropriate (see Product Brief "Software redundancy for S7-300/400") if you

· wish to also use CPUs with a lower performance (CPU 315-2DP or better)

· can tolerate longer switching times (approx. 1 s - warm standby)

· have no additional demands concerning fault tolerance.

F system (for fail-safety)

Fail-safe systems are used wherever maximum safety must be guaranteed for man, machine or the environment, i.e. accidents and damage resulting from a fault must be avoided.

SIMATIC fail-safe controllers enter a safe state immediately when an error occurs, or remain in a safe mode. They therefore combine standard process automation and safety engineering in one single system.

Both safety-related and standard communication between the central controller and the safety-related and standard I/O modules is carried out using PROFIBUS DP and the PROFIsafe profile.

SIMATIC offers two fail-safe systems:

· SIMATIC S7-400F/FH for larger applications in production and process engineering

· SIMATIC S7-300F for distributed applications with main emphasis on production engineering and burner controls (see Product Brief "SIMATIC S7-300F")

The SIMATIC S7-400F (fail-safe installation with one CPU) enters a safe state immediately when an error occurs, or remains in a safe mode, thus guaranteeing a high level of safety for man, machine, the environment and the process.

If an error occurs in the controlling system of the S7-400FH (fail-safe and with high availability with two CPUs), redundant control sections take over and continue the production process.


Fail-safe S7-400F/FH

S7-400F/FH - Introduction / benefits

Introduction

The safety-relevant functions of the S7-400F/FH are incorporated into the F program of the CPU and in the fail-safe signal modules.

Both standard modules and fail-safe modules can be used on the S7-400F/FH. This means it is possible to set up a fully integrated control system for a plant where there are both safety-related and standard areas. The whole plant can be configured and programmed using the same standard tools.

This means the SIMATIC S7-400F/FH can now be used for automation areas which were, up to a few years ago, the exclusive domain of electromechanical controllers, e.g. automobile shell construction with presses and robots, burner management systems, transportation of persons on cableways and, last but not least, process automation.

Benefits

· The S7-400F/FH largely consists of standard components and is an integral part of Totally Integrated Automation (TIA)

· The S7-400F/FH is an integral part of Safety Integrated, the Siemens safety program for industrial applications

· The S7-400F/FH has a TÜV approval (TÜV = German Technical Inspectorate) and fulfils all relevant standards

Hardware and engineering costs are reduced due to the fact that the fail-safe S7-400F/FH is largely built from standard components:

· There is no need for an additional F-CPU and the cabling to it.

· Engineering costs are lower because a standard CPU can be programmed normally instead of using an additional F-CPU. Programs from non-safety-related systems can also be adopted.

Standards

The S7-400F/FH complies with the following safety requirements:

· Demand class: AK 1 to AK 6 according to DIN V 19250/DIN V VDE 0801

· Safety demand class: SIL 1 to SIL 3 according to IEC 61508

· Category: 2 to 4 according to EN 954-1


S7-400F/FH - Highlights

Hardware

The hardware of the S7-400F/FH is based on the CPUs of the fault-tolerant, redundant SIMATIC S7-400H system, plus an F-library. This F-library contains pre-assembled, TÜV-approved basic function blocks as well as a parameterization tool for the fail-safe I/O modules. In order to be able to run the S7-400F/FH, the F Copy License needs to be loaded into the CPU.

The CPU checks that the controller is running properly by means of regular self-tests, instruction tests and a program execution test.

The resulting safety functions enable response times from 100 ms upwards, which is fully adequate for most applications in the process industry and for many applications in the manufacturing industry with manually operated Emergency Stop devices.

The S7-400F/FH also incorporates safety-related modules for the SIMATIC ET 200M distributed I/O system (from 03/2003 ET 200S PROFIsafe is also usable).

These fail-safe I/O modules are parameterized using the parameterization tool, connected to PROFIBUS, and controlled by means of the new PROFIsafe PROFIBUS profile for safety-related applications.

At the moment, 4 modules are available:

· Digital input module: 24 x 24 V

· Digital input module: 8 x NAMUR

· Digital output module: 10 x 24 V/2 A

· Analog input module: 6 x 13 bit

These modules can diagnose internal and external errors and have total internal redundancy, i.e. outputs have, for example, a second integrated disconnection facility.

Using the safety protector, fail-safe and standard modules can be used together in one rack.

Programming

The S7-400F/FH is programmed in exactly the same way as a standard S7-400. The normal automation functions for the cyclic processing level (OB 1) are programmed using standard programming languages. The CFC engineering tool is required to call blocks from the F-library and to interconnect them. These blocks are called in a time level (e.g. OB 35) at a parameterizable time interval for reproducible disconnection times.

The use of CFC makes configuring and programming the plant, and the final acceptance test, significantly easier.

For programmers, there is a distinct advantage in the fact that they can concentrate on configuring the safety-related application. This noticeably reduces engineering costs, especially in combination with other components, e.g. other programmable controllers or control and monitoring devices.

Communication

Both safety-related and standard communication between the central controller and ET 200M go through PROFIBUS DP. The PROFIsafe profile is characterized by the fact that the safety functions in the fail-safe end stations are implemented using the standard PROFIBUS functions. The useful data for the safety function and the safety measures are sent within a standard data frame. No additional hardware components are required.

This means that standard communication and safety-related communication use the same basic hardware: automation and fail-safety are getting closer together all the time!

Transmission of PROFIsafe is independent of the transmission mechanisms, e.g. copper cables or fiber-optic cables.

Figure: Graphic configuring of the S7-400F/FH with the CFC engineering tool

S7-400F/FH - Configurations

The plant requires a fail-safe controller. High availability is not required (see Fig. 1). The following are needed:

· 1 CPU 417-4H or CPU 414-4H with F Copy License

· 1 PROFIBUS DP master system

· ET 200M with IM 153-2

· Fail-safe signal modules in non-redundant design

In the event of a fault, the I/O is no longer available. The fail-safe signal modules are passivated.

The plant requires a fail-safe controller. High availability is required on the CPU side (see Fig. 2). The following are needed:

· 2 CPU 417-4H or CPU 414-4H with F Copy License

· 2 DP master systems

· 1 ET 200M with 2 IM 153-2 (redundant)

· Fail-safe signal modules in non-redundant design

If there is a fault in the CPU, IM 153-2 or DP master system, the controller is still available. If there is a fault in a fail-safe signal module or the ET 200M, the I/O is no longer available. The fail-safe signal modules are passivated.

The plant requires a fail-safe controller. High availability is required on the CPU side and the I/O side (see Fig. 3). The following are needed:

· 2 CPU 417-4H or CPU 414-4H with F Copy License

· 2 DP master systems

· 2 ET 200M with 2 IM 153-2 (redundant)

· Fail-safe signal modules in redundant design

If there is a fault in the CPU, IM 153-2, PROFIBUS DP line, the fail-safe signal modules or the ET 200M, the controller is still available.


Fig. 1: SIMATIC S7-400F/FH with single-channel, single-sided I/O (S7-400F/FH programmable controller; single-channel, single-sided distributed I/O ET 200M; fail-safe signal modules)

Fig. 2: SIMATIC S7-400F/FH with single-channel, switched I/O (S7-400F/FH programmable controller with redundant DP master systems; redundant PROFIBUS DP; single-channel, switched distributed I/O ET 200M with 2 x IM 153-2; fail-safe signal modules)

Fig. 3: SIMATIC S7-400F/FH with redundant, switched I/O (S7-400F/FH programmable controller with redundant DP master systems; redundant PROFIBUS DP; redundant, switched distributed I/O, 2 x ET 200M with 2 x IM 153-2 each; redundant, fail-safe signal modules)

The S7-400F/FH has two basic configurations:

· Single operation of the S7-400F/FH programmable controller in fail-safe setup (see Fig. 1): If an error occurs in the control system, the production process is interrupted and transferred into a safe mode. Partial processes independent of the error can continue to operate (from 03/2003).

· Fail-safe and fault-tolerant setup of the programmable controller S7-400F/FH (see Figs. 2 and 3): If an error occurs in the control system, redundant controller components continue to control the production process.

S7-400H - Highlights

Applications

The following list includes some application areas of SIMATIC® S7-400H:

· Power generation and distribution

· Power stations

· Pipelines and district heating systems

· Chemical industry

· Mining

· Environment technology

· Water treatment

· Garbage incineration

· Steel and metal-working industries

· Transport

· Tunnel ventilation and air conditioning

· Marine automation

· Airport automation

· Baggage transport control

· Runway lighting

The S7-400H is used in applications where downtimes are intolerable.

Benefits

The SIMATIC S7-400H is designed as a fully-fledged member of the SIMATIC S7 series and thus makes full use of Totally Integrated Automation. The S7-400H is designed in such a way that most of the redundancy-relevant functions are hidden from the user. This means in detail:

· Programming of the S7-400H as a non-redundant standard system

· Simple program porting: A program which was written for non-redundant systems can easily be ported to redundant systems, and vice versa

· Convenient parameterization of redundancy-specific functions and configurations with a STEP 7® option package

· All standard programming languages for SIMATIC S7 can be used without restriction

· Handling as for non-redundant systems: For example, the S7-400H can be programmed online like a standard system. All changes can be carried out during the current process. Both CPUs are then automatically updated.

· Use of all standard SIMATIC S7 components (with a few exceptions).

The advantages resulting from full system integration are obvious: in contrast to working with the usual redundant systems, you can concentrate fully on your own actual task - automation. You can ignore redundancy-specific functions. This means that with the S7-400H you need not bother about which data is to be transmitted to the standby unit, which commands are permitted and which not, etc.

Redundancy features

· Smooth changeover: Both sub-units are active in fault-free mode. In the case of a fault, the intact unit takes over processing at the interruption point without any data being lost.

· Integrated error detection and localization functions: Using the self-diagnostics function, the system detects and signals errors before they can affect the process. Since you can replace specific faulty components, repair time is shortened.

· Online repair during operation: You can replace all components during operation. When replacing a CPU, it is automatically updated with current programs and data.

· Configuration can be changed during operation, e.g. DP slaves, modules or main memory modules can be added or removed.

· Automatic event synchronization: The operating system ensures that all commands whose execution would cause different states in the two systems run synchronously. It is unnecessary to update the data in the partner unit.

· Communication with high availability: Depending on the network topology, redundant connections are set up which are automatically activated in the event of a fault.

· Coupling of the CPUs by using Sync modules which can be directly plugged into the CPUs. Thus no rack slot is lost and communication is faster. Hot swapping of the Sync modules is possible.

CPU

The CPUs 417H and 414H each have 4 interfaces:

· 1 PROFIBUS DP interface which connects the SIMATIC S7-400H as a master to the PROFIBUS DP.

· 1 interface which can be used as a PROFIBUS DP interface or as MPI (Multipoint Interface). You can use this interface to:

- program and assign parameters,

- control and visualize (operator),

- set up simple network structures.

· 2 interfaces for accommodating the Sync modules.

Figure: Redundancy on all levels (redundant communication; redundant controller; NEW: redundant I/O; redundant PROFIBUS; redundant IM; sensor/control element)

S7-400H - Configurations

Central controllers

There are 2 configuration possibilities where the central controllers are concerned:

· Configuration with two standard subracks (UR1 and UR2): If the sub-units must be completely separate from one another for reasons of availability, this configuration is well suited. In each central controller one CPU and one power supply (PS) are plugged in. If a particularly high degree of availability is required, two redundant PS units can be used.

· Configuration with one UR2-H: This is a new subrack with a divided backplane bus, in each case with a single or redundant PS. This permits a particularly compact design.

Connection of I/Os

You can connect I/Os in accordance with availability requirements. Thus, the single-sided connection (normal availability), the switched connection (increased availability), and the redundant connection (with high availability) can be provided (Fig. 4). These configurations can also be mixed together.

Highest availability is now made possible by redundant I/O. This means that the I/O modules are arranged in pairs. This arrangement can tolerate the loss of a CPU, a DP master system, and an I/O module (see Fig. 4). In normal operation both I/O modules, which must be of the same type, are active and provide their signals. When the loss of a module is detected, the signals of the intact module are used. Many I/O modules of the S7-300 (for distributed use in ET 200M) can provide redundant operation. Prerequisites include the option package "H systems", version 5.2 and STEP 7, version 5.2.

With the Y link a lower-level I/O system with different field devices can easily be linked to a redundant PROFIBUS DP system, e.g. an S7-400H with two DP master systems.

In the event of a fault, the Y link switches the complete I/O line bumplessly to the active bus channel of the redundant H system (Fig. 5).

Communication

The high-availability communication (Fig. 6) is already integrated in the S7-400H. Connection of the PC uses two CPs and the S7-REDCONNECT software package.

In the event of a fault, the high-availability communication can be continued automatically, invisible to the user.

Fig. 4: Connecting the fault-tolerant I/Os (DI / redundant PROFIBUS / DI; master input and redundant input). Both inputs are read in parallel. The correct value is automatically selected and processed.

Fig. 5: Coupling of the I/Os by using the Y link (S7-400H with redundant DP master system; Y link with Y coupler and IM 157; lower-level DP master system with distributed I/O devices: ET 200S, ET 200X, ET 200L, drive, other field devices)

Fig. 6: High availability communication (PC with 2 x CP 1613 and S7-REDCONNECT; S7-400H; S7-400H; H-CPU in single mode)


S7-400H, S7-400F/FH - Technical specifications

CPU                                    CPU 417-4H            CPU 414-4H

Main memory
· Integral (program/data)              2 Mbyte each          384 Kbyte each
· Expandable (program/data)            8 Mbyte each          --

Load memory
· Integral                             256 Kbyte RAM         256 Kbyte RAM
· Expandable FEPROM                    Up to 64 Mbyte        Up to 64 Mbyte
· Expandable RAM                       Up to 64 Mbyte        Up to 64 Mbyte

FBs/FCs, max.                          6144/6144             2048/2048

Data blocks, max.                      8191                  4095

I/O address range                      16/16 Kbyte           8/8 Kbyte
· of which distributed
  - MPI/DP interface                   2/2 Kbyte             2/2 Kbyte
  - DP interface                       8/8 Kbyte             6/6 Kbyte

Process image (adjustable)             16/16 Kbyte           8/8 Kbyte
· Default setting                      1024/1024 byte        256/256 byte

Digital channels                       131072/131072         65536/65536
· of which centralized                 131072/131072         65536/65536

Analog channels                        8192/8192             4096/4096
· of which centralized                 8192/8192             4096/4096

1st interface (same for both CPUs)
· MPI                                  Yes
· DP master                            Yes
· DP slave                             No
· Default setting                      MPI
· Isolated                             Yes

2nd interface (same for both CPUs)
· DP master                            Yes
· DP slave                             No
· Point-to-point connection            No
· Default setting                      DP master
· Isolated                             Yes

Programming languages                  STEP® 7 V5, SP1 (LAD, FBD, STL); SCL, CFC, GRAPH, HiGraph®

MLFB group                             6ES7417-4H...         6ES7414-4H...

SM 326 F fail-safe digital input module

Number of inputs 24 (single-channel), 12 (two-channel)

Input voltage 24 V DC

Alarms Diagnostics alarm

MLFB group 6ES7326-1BK..

SM 326 F fail-safe digital output module

Number of outputs 10

Output voltage 24 V DC

Alarms Diagnostics alarm

Output current with "1" signal 2 A per channel

MLFB group 6ES7326-2BF..

SM 326 NAMUR fail-safe Ex input module

Number of inputs 8 (single-channel), 4 (two-channel)

Input voltage In accordance with DIN 19234 or NAMUR

Alarms Diagnostics alarm

MLFB group 6ES7326-1RF..

SM 336 F fail-safe analog input module

Number of inputs 6; max. 4 (single-channel) or 3/2 (two-channel) with voltage measurements

Alarms Diagnostics alarm (parameterizable)

Integration time 20/16.66 ms

Resolution 13 bit + sign

MLFB group 6ES7336-1HE..

Option packages for S7 F systems

F-Library Approx. 50 certified basic function blocks

F-Tool For parameterization of fail-safe SMs

Requirements

· STEP 7 V5.1 or higher

· CFC V5.2 or higher

· S7-SCL V5.0 or higher

· S7 H systems V5.1 (option for S7-400FH)

MLFB group 6ES7833-1CC..

All designations marked in this Product Brief with ® are registered trademarks of Siemens AG.

For personal consultation you can find your local SIMATIC partner at:

www.siemens.com/automation/partner

Using the A&D Mall you can immediately and directly order electronically on the Internet: www.siemens.com/automation/mall

Additional information on the SIMATIC controllers can be found on the Internet: www.siemens.com/simatic-controller

Siemens AG, Automation and Drives, Postfach 4848, D-90327 Nürnberg, Federal Republic of Germany

Order No. 6ZB5310-0HY02-0BA5. Printed in the Federal Republic of Germany. 26100/301305 SB 01036.

© Siemens AG 2003. Subject to change without prior notice.
