HIMatrix Safety-Related Controller HIMatrix for Railway Applications


Safety Manual
HIMA Paul Hildebrandt GmbH + Co KG, Industrial Automation
Document HI E, Rev. 2.00

All HIMA products mentioned in this manual are protected by the HIMA trademark. Unless noted otherwise, this also applies to other manufacturers and their respective products referred to herein. HIMax, HIMatrix, SILworX, XMR and FlexSILon are registered trademarks of HIMA Paul Hildebrandt GmbH + Co KG.

All of the instructions and technical specifications in this manual have been written with great care, and effective quality assurance measures have been implemented to ensure their validity. For questions, please contact HIMA directly. HIMA appreciates any suggestion on which information should be included in the manual.

Equipment subject to change without notice. HIMA also reserves the right to modify the written material without prior notice. For further information, refer to the HIMA DVD and our website.

Copyright 2013, HIMA Paul Hildebrandt GmbH + Co KG. All rights reserved.

Contact
HIMA Paul Hildebrandt GmbH + Co KG
P.O. Box, Brühl, Germany
Phone:
Fax:
E-mail: info@hima.com

Revision index (type of change: technical and editorial)
Rev. 1.00: The SILworX programming tool is taken into account. The document layout was modified.
Rev. 2.00: Updated edition for SILworX V5. Additional HIMatrix variants for railway applications added.

Table of Contents

1 Introduction
    1.1 Structure and Use of the Document
    1.2 Validity and Current Version
    1.3 Target Audience
    1.4 Formatting Conventions
        Safety Notes
        Operating Tips
2 Usage Notes
    2.1 Intended Use
        Scope
        De-Energize to Trip Principle
        Energize to Trip Principle
        Non-Intended Use
    2.2 Test Conditions
        Climatic Requirements
        Mechanical Requirements
        EMC Requirements
        Power Supply
        ESD Protective Measures
    2.3 Additional Test Conditions for Railway Applications
        Climatic Requirements
        Derating of Digital Outputs
        Mechanical Requirements
        EMC Requirements
        Demanding Requirements
    2.4 Tasks and Responsibilities of the Operator and the Machine and System Manufacturers
    2.5 Additional System Documentation
3 Safety Concept for Using the PES
    3.1 Safety and Availability
        Calculating the THR Values
        Self-Test and Fault Diagnosis
        PADT
        Structuring Safety Systems in Accordance with the Energize to Trip Principle
            Detection of Failed System Components
            Safety Function in Accordance with the Energize to Trip Principle
    3.2 Time Parameters Important for Safety
        Fault Tolerance Time
        Safety Time
            User Program Safety Time
        Response Time
        Processor System Watchdog Time
            Watchdog Time of the User Program with F*03
    3.3 Safety Requirements
        Hardware Configuration
            Product-Independent Requirements
            Product-Dependent Requirements
        Programming
            Product-Independent Requirements
            Product-Dependent Requirements - CPU OS V7 and Higher
            Product-Dependent Requirements - CPU OS up to V6.x
        Communication
        Requirements for Railway Applications
4 Central Functions
    Power Supply Units
    Functional Description of the Central Part
    Self-Tests
        Microprocessor Test
        Memory Areas Test
        Protected Memory Areas
        RAM Test
        Watchdog Test
        Test of the I/O Bus Inside the Controller
    Reactions to Processor System Failures
    Fault Diagnosis
5 Inputs
    General
        Safety of Sensors, Encoders and Transmitters
    Safety-Related Digital Inputs
        General
        Test Routines
        Reaction in the Event of a Fault
            CPU OS V7 and Higher
            CPU OS up to V6.x
        Surges on Digital Inputs
    Configurable Digital Inputs
        Line Control
    Safety-Related Analog Inputs (F35, F3 AIO 8/4 01 and F60)
        Test Routines
        Reaction in the Event of a Fault
            CPU OS V7 and Higher
            CPU OS up to V6.x
    Safety-Related Counters (F35 and F60)
        General
        Reaction in the Event of a Fault
    5.6 Checklist for Safety-Related Inputs
6 Outputs
    General
        Safety of Actuators
    Safety-Related Digital Outputs
        Test Routines for Digital Outputs
        Reaction in the Event of a Fault
        Behavior in the Event of External Short-Circuit or Overload
        Line Control
    Safety-Related 2-Pole Digital Outputs
        Reaction in the Event of a Fault
        Behavior in the Event of External Short-Circuit or Overload
    Relay Outputs
        Test Routines for Relay Outputs
        Reaction in the Event of a Fault
    Safety-Related Analog Outputs (F60)
        Test Routines
        Reaction in the Event of a Fault
    Analog Outputs with Safety-Related Shut-Down (F3 AIO 8/4 01)
        Test Routines
        Reaction in the Event of a Fault
    Checklist for Safety-Related Outputs
7 Software for HIMatrix Systems
    Safety-Related Aspects of the Operating System
        Operation and Functions of the Operating System
    Safety-Related Aspects of Programming
        Safety Concept for the Programming Tool
        Verifying the Configuration and the User Program
        Archiving a Project
        Options for Identifying the Program and the Configuration
    Resource Parameters
        Parameters - CPU OS V7 and Higher
        System Parameters of the Resource - CPU OS up to V6.x
    Protection against Manipulation
    Checklist for Creating a User Program
8 Safety-Related Aspects of the User Program
    Scope for Safety-Related Use
    Programming Basics
        Functions of the User Program
        Declaration of Variables and Signals
        Acceptance by Test Authority
    Procedures
        Assigning Variables to Inputs or Outputs
        Locking and Unlocking the Controller
        Code Generation
        Loading and Starting the User Program
        Reload - with F*03
        Forcing
        Changing the System Parameters during Operation - CPU OS V7 and Higher
        Program Documentation for Safety-Related Applications
        Multitasking - with F*03
        Acceptance by Test Authority
9 Configuring Communication
    Standard Protocols
    Safety-Related Protocol (safeethernet)
        ReceiveTMO
        Response Time
            Maximum Cycle Time of the HIMatrix Controller
            Calculating the Worst Case Reaction Time
            Calculating the Worst Case Reaction Time with two Remote I/Os
        Terms
        Assigning safeethernet Addresses
Appendix
    Glossary
    Index of Figures
    Index of Tables
    Index

1 Introduction

This manual contains information on how to operate the HIMatrix safety-related automation devices in the intended manner. The following conditions must be met to install and start up the HIMatrix automation systems, and to ensure safety during their operation and maintenance:
- Knowledge of regulations.
- Proper technical implementation of the safety instructions detailed in this manual, performed by qualified personnel.

HIMA will not be held liable for severe personal injuries, damage to property or the environment caused by any of the following:
- Unqualified personnel working on or with the devices.
- Deactivation or bypass of safety functions.
- Failure to comply with the instructions detailed in this manual.

HIMA develops, manufactures and tests the HIMatrix automation systems in compliance with the pertinent safety standards and regulations. The use of the devices is only allowed if the following conditions are met:
- They are only used for the intended applications.
- They are only operated under the specified environmental conditions.
- They are only operated in connection with the approved external devices.

To provide a clearer exposition, this manual does not specify all details of all versions of the HIMatrix automation devices. Refer to the corresponding manuals for further details.

1.1 Structure and Use of the Document

This safety manual examines the following topics:
- Intended use
- Safety concept
- Central functions
- Inputs
- Outputs
- Software
- Safety-related aspects of the user program
- Configuring communication
- Appendix: Glossary, Indexes

i This manual usually refers to compact controllers and remote I/Os as devices, and to the plug-in cards of a modular controller as modules. Modules is also the term used in SILworX.

The following HIMatrix devices have additional functions:
- F60 CPU 03
- F35 03
- F31 03
- F30 03
- F10 PCI 03

All these devices are identified in this document as F*03. The additional features of these devices compared to standard devices are:
- Enhanced performance
- Sequence of events recording possible
- Multitasking possible
- Reload possible
- Two IP addresses

This manual distinguishes between the following variants of the HIMatrix system:

Table 1: HIMatrix System Variants
Programming tool  | Hardware | Processor operating system | Communication operating system
SILworX           | F*03     | CPU OS V8 and higher       | COM OS V13 and higher
SILworX           | Standard | CPU OS V7 and higher       | COM OS V12 and higher
ELOP II Factory   | Standard | CPU OS up to V6.x          | COM OS up to V11.x

The manual distinguishes among the different variants using:
- Separate chapters
- Tables differentiating among the versions

i Projects created with ELOP II Factory cannot be edited with SILworX, and vice versa!

1.2 Validity and Current Version

The most current version of this safety manual, indicated by the highest revision number, is applicable and valid. The current version is available on the current HIMA DVD or can be downloaded from the HIMA website. For details on how to use previous HIMatrix, ELOP II Factory and SILworX versions, refer to the corresponding previous versions of this manual.

1.3 Target Audience

This document addresses system planners, configuration engineers, programmers of automation devices and personnel authorized to implement, operate and maintain the devices and systems. Specialized knowledge of safety-related automation systems is required.

1.4 Formatting Conventions

To ensure improved readability and comprehensibility, the following fonts are used in this document:
- Bold: To highlight important parts. Names of buttons, menu functions and tabs that can be clicked and used in the programming tool.
- Italics: For parameters and system variables.
- Courier: Literal user inputs.
- RUN: Operating states are designated by capitals.
- Chapter: Cross-references are hyperlinks even if they are not specially marked. When the cursor hovers over a hyperlink, it changes its shape. Click the hyperlink to jump to the corresponding position.

Safety notes and operating tips are specially marked.

Safety Notes

The safety notes are represented as described below. These notes must absolutely be observed to reduce the risk to a minimum. The content is structured as follows:
- Signal word: warning, caution, notice
- Type and source of risk
- Consequences arising from non-observance
- Risk prevention

SIGNAL WORD
Type and source of risk!
Consequences arising from non-observance
Risk prevention

The signal words have the following meanings:
- Warning indicates a hazardous situation which, if not avoided, could result in death or serious injury.
- Caution indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.
- Notice indicates a hazardous situation which, if not avoided, could result in property damage.

NOTE
Type and source of damage!
Damage prevention

Operating Tips

Additional information is structured as presented in the following example:

i The text corresponding to the additional information is located here.

Useful tips and tricks appear as follows:

TIP The tip text is located here.

2 Usage Notes

All safety information, notes and instructions specified in this manual must be strictly observed. The product may only be used if all guidelines and safety instructions are adhered to.

2.1 Intended Use

Scope

This chapter describes the conditions for using HIMatrix systems. The safety-related HIMatrix controllers can be used in applications up to SIL 4 in accordance with EN 50126, EN and EN. The HIMatrix systems are certified for use in process controllers, protective systems, burner systems, and machine controllers.

When implementing safety-related communications between the various devices, ensure that the system's overall response time does not exceed the fault tolerance time. All calculations must be performed in accordance with the rules given in Chapter 9.

Only devices with safe electrical isolation may be connected to the communications interfaces.

De-Energize to Trip Principle

The automation devices have been designed in accordance with the de-energize to trip principle. A system that operates in accordance with the de-energize to trip principle does not require any power to perform its safety function. If a fault occurs, the de-energized state is the safe state adopted by the input and output signals.

Energize to Trip Principle

The HIMatrix controllers can be used in applications that operate in accordance with the energize to trip principle. A system operating in accordance with the energize to trip principle requires power (such as electrical or pneumatic power) to perform its safety function. When designing the controller system, the requirements specified in the application standards must be taken into account. For instance, line diagnosis for the inputs and outputs, or messages reporting a triggered safety function, may be required.

Non-Intended Use

The transfer of safety-relevant data through public networks like the Internet is permitted only if additional security measures, such as a VPN tunnel or a firewall, have been implemented to increase security. Fieldbus interfaces cannot ensure safety-related communication.

2.2 Test Conditions

The devices have been tested to ensure compliance with the following standards for EMC, climatic and environmental requirements:

Table 2: Standards for EMC, Climatic and Environmental Requirements
Standard          | Content
IEC/EN : 2007     | Programmable controllers, Part 2: Equipment requirements and tests
IEC/EN : 2005     | EMC generic standard, Part 6-2: Immunity for industrial environments
IEC/EN : 2006     | Electromagnetic compatibility (EMC), generic emission standard, industrial environments

When using the safety-related HIMatrix control systems, the following general requirements must be met:

Table 3: General Requirements
Requirement type   | Requirement content
Protection class   | Protection class III in accordance with IEC/EN
Pollution          | Pollution degree II in accordance with IEC/EN
Altitude           | < 2000 m
Housing            | Standard: IP20. If required by the relevant application standards (e.g., EN 60204, EN ISO), the device must be installed in an enclosure of the specified protection class (e.g., IP54).

Climatic Requirements

The following table lists the most important verifications and limits for climatic requirements:

Table 4: Climatic Requirements (IEC/EN, climatic tests)
- Operating temperature: … °C (test limits: … °C)
- Storage temperature: … °C
- Dry heat and cold resistance tests: +70 °C / -25 °C, 96 h, power supply not connected
- Temperature change, resistance and immunity test: -40 °C / +70 °C and 0 °C / +55 °C, power supply not connected
- Cyclic damp-heat withstand tests: +25 °C / +55 °C, 95 % relative humidity, power supply not connected

If the temperature limits are exceeded, see Chapter 2.3.

Mechanical Requirements

The following table lists the most important tests and limits for mechanical requirements:

Table 5: Mechanical Tests (IEC/EN, mechanical tests)
- Vibration immunity test: … Hz / 3.5 mm; … Hz, 1 g; EUT in operation, 10 cycles per axis
- Shock immunity test: 15 g, 11 ms, EUT in operation, 3 shocks per axis (18 shocks)

EMC Requirements

Higher interference levels are required for safety-related systems. HIMatrix systems meet these requirements in accordance with IEC and IEC; see the column Criterion FS (Functional Safety).

Table 6: Interference Immunity Tests
Standard | Interference immunity tests                                                              | Criterion FS
IEC/EN   | ESD test: 6 kV contact, 8 kV air discharge                                               | 6 kV, 8 kV
IEC/EN   | RFI test (10 V/m): 80 MHz...2 GHz, 80 % AM                                               | -
         | RFI test (3 V/m): 2 GHz...3 GHz, 80 % AM                                                 | -
         | RFI test (20 V/m): 80 MHz...1 GHz, 80 % AM                                               | 20 V/m
IEC/EN   | Burst test: Power lines: 2 kV and 4 kV                                                   | 4 kV
         | Signal lines: 2 kV                                                                       | 2 kV
IEC/EN   | Damped oscillatory wave test: 2.5 kV L-, L+ / PE; 1 kV L+ / L-                           |
IEC/EN   | High frequency, asymmetrical: 10 V, 150 kHz...80 MHz, AM; 20 V, ISM frequencies, 80 % AM | … V / -
IEC/EN   | … MHz pulses                                                                             | -
IEC/EN   | Surge: Power lines: 2 kV CM, 1 kV DM                                                     | 2 kV / 1 kV
         | Signal lines: 2 kV CM, 1 kV DM at AC I/O                                                 | 2 kV

Table 7: Noise Emission Tests
Standard               | Noise emission tests
IEC/EN, EN Class A     | Emission test: radiated, conducted

Power Supply

The following table lists the most important tests and limits for the HIMatrix systems' power supply:

Table 8: Verification of the DC Supply Characteristics (IEC/EN)
- Voltage range test: 24 VDC, … % (… V)
- Momentary external current interruption immunity test: DC, PS 2: 10 ms
- Reversal of DC power supply polarity test: Refer to the corresponding chapter of the system manual or the data sheet of the power supply.

The power supply must comply with the following standards: IEC/EN: SELV (Safety Extra Low Voltage) or PELV (Protective Extra Low Voltage). HIMatrix systems must be fuse protected as specified in this manual.

ESD Protective Measures

Only personnel with knowledge of ESD protective measures may modify or extend the system or replace a module.

NOTE
Electrostatic discharge can damage the electronic components within the HIMatrix systems!
When performing the work, make sure that the workspace is free of static, and wear an ESD wrist strap.
If not used, ensure that the modules are protected from electrostatic discharge, e.g., by storing them in their packaging.

2.3 Additional Test Conditions for Railway Applications

The following table shows the HIMatrix variants for railway applications:

Table 9: HIMatrix Variants Available for Railway Applications
- Compact controllers: F, F, F, F
- Remote I/Os: F1 DI, F2 DO 1), F2 DO, F2 DO, F2 DO 1), F3 AIO 8/4 014, F3 DIO 8/8 014, F3 DIO 16/8 014, F3 DIO 20/8 023, F3 DIO 20/8 024
- Modular system F60: PS 014, CPU 034, AI, CIO 2/4 014, DI, DI, DIO 24/, MI, GEH 014
1) Only approved for the temperature range of … °C

The HIMatrix variants for railway applications have been developed to meet the following additional standards for EMC, climatic and environmental requirements.

Climatic Requirements

The HIMatrix variants for railway applications are designed for a temperature range of -25 °C to +70 °C. The following climatic requirements are met:

Table 10: Climatic Requirements with HIMatrix Variants for Railway Applications
Standard | Temperature class
EN       | T1 and T2 1)
EN       | T1, T2 1) and T3
EN       | T1, T2 1) and TX 1)
1) T2 and TX only when heating up to at least -25 °C

Derating of Digital Outputs

At operating temperatures above 60 °C the load on the digital outputs must be derated. In this case, each output can be loaded with a maximum of 0.5 A; see the device-specific manuals.

Mechanical Requirements

The following table lists the most important tests and limits for mechanical requirements:

Table 11: Mechanical Requirements with HIMatrix Variants for Signaling (EN, mechanical tests)
- Vibration test: 2.3 m/s² between … Hz, EUT in operation
- Shock immunity test: 20 m/s², 11 ms, EUT in operation

The devices and modules listed in Table 9 were mechanically tested in accordance with EN and are suitable for use on rolling stock. Testing was performed in accordance with EN 61373, Category 1, Class B.

EMC Requirements

The following table lists the most important tests and limits for EMC requirements:

Table 12: EMC Requirements with HIMatrix Variants for Signaling (EN, interference immunity tests)
- ESD test: 6 kV contact, 8 kV air discharge
- EM field: 80 MHz...1 GHz: 10 V/m; 80 MHz...3 GHz: 10 V/m; … MHz: 20 V/m
- Burst test: Supply voltage: 2 kV; I/O lines: 2 kV; Ground: 1 V
- Surge 1): Supply voltage: 2 kV CM, 1 kV DM
- Conducted disturbances: Supply voltage: 10 V; I/O lines: 10 V; Ground: 10 V
- Power frequency magnetic field: 16 2/3 Hz, 50 Hz, 60 Hz: 100 A/m; DC: 300 A/m
- Pulsed magnetic field: 300 A/m
1) The H7013 external filter is absolutely required if HIMatrix compact systems are used. Surge absorbers from other manufacturers may be used if the specifications provided in their data sheets are equivalent to or better than those specified for the H7013.

Table 13: EMC Requirements with HIMatrix Variants for Rolling Stock (EN, interference immunity tests)
- ESD test: 6 kV contact, 8 kV air discharge
- EM field: 80 MHz...1 GHz: 20 V/m; … MHz: 10 V/m; … MHz: 5 V/m
- Burst test: Supply voltage: 2 kV; I/O lines: 2 kV
- Surge 1): Supply voltage: 2 kV CM, 1 kV DM
- Conducted disturbances: Supply voltage: 10 V; I/O lines: 10 V
1) The H7013 external filter is absolutely required if HIMatrix compact systems are used. Surge absorbers from other manufacturers may be used if the specifications provided in their data sheets are equivalent to or better than those specified for the H7013.

The devices and modules specified in Table 9 were successfully tested and met the EMC requirements in accordance with EN and EN.

Demanding Requirements

The remote I/O F3 DIO 20/8 023 meets stricter requirements concerning salt mist in accordance with IEC (5 % for a duration of 96 hours). Compliance with the stricter requirements was demonstrated through an inspection.

2.4 Tasks and Responsibilities of the Operator and the Machine and System Manufacturers

The operator and the machine and system manufacturers are responsible for ensuring that HIMatrix systems are safely operated in automated systems and plants. The machine and system manufacturers must sufficiently validate that the HIMatrix systems were properly programmed.

2.5 Additional System Documentation

In addition to this manual, the following documents for configuring HIMatrix systems are also available:

Table 14: Additional Valid Manuals
Name                                                        | Applicable           | Content                                                                                   | Document no.
HIMatrix Safety Manual                                      | All versions         | Safety functions of the HIMatrix system                                                   | HI E
HIMatrix System Manual Compact Systems                      | All versions         | Description of the compact systems with the corresponding specifications                  | HI E
HIMatrix System Manual Modular System F60                   | All versions         | Description of the modular F60 system with the corresponding specifications               | HI E
Certificate test report 1)                                  | All versions         | Test principles, safety requirements, results                                             | -
Communication Manual (configuration performed with SILworX) | CPU OS V7 and higher | Description of the communication protocols, ComUserTask and their configuration in SILworX | HI E
HIMatrix PROFIBUS DP Master/Slave Manual                    | CPU OS up to V6.x    | Description of the PROFIBUS protocol and its configuration in ELOP II Factory             | HI E
HIMatrix Modbus Master/Slave Manual                         | CPU OS up to V6.x    | Description of the Modbus protocol and its configuration in ELOP II Factory               | HI E
HIMatrix TCP S/R Manual                                     | CPU OS up to V6.x    | Description of the TCP S/R protocol and its configuration in ELOP II Factory              | HI E
HIMatrix ComUserTask (CUT) Manual                           | CPU OS up to V6.x    | Description of the ComUserTask and its configuration in ELOP II Factory                   | HI E
SILworX Online Help                                         | CPU OS V7 and higher | Instructions on how to use SILworX                                                        | -
ELOP II Factory Online Help                                 | CPU OS up to V6.x    | Instructions on how to use ELOP II Factory, Ethernet IP protocol, INTERBUS protocol       | -
SILworX First Steps Manual                                  | CPU OS V7 and higher | Introduction to SILworX (using the HIMax system as an example)                            | HI E
ELOP II Factory First Steps Manual                          | CPU OS up to V6.x    | Introduction to ELOP II Factory                                                           | HI E
1) Only supplied with the HIMatrix system

For more details on the devices and modules, refer to the corresponding manuals. The latest manuals can be downloaded from the HIMA website. The revision index in the footer can be used to compare the current version of existing manuals with the Internet edition.

3 Safety Concept for Using the PES

This chapter contains important general information about the functional safety of HIMatrix systems:
- Safety and availability
- Time parameters important for safety
- Safety requirements

3.1 Safety and Availability

The automation devices have been designed in accordance with the de-energize to trip principle, i.e., the controller and peripherals consider the de-energized state as the safe state. If a fault occurs, the de-energized state is the safe state adopted by the input and output signals. No imminent risk results from the HIMatrix systems.

WARNING
Physical injury caused by safety-related automation systems improperly connected or programmed.
Check all connections and test the entire system before starting up!

Calculating the THR Values

The THR values have been calculated for the HIMatrix systems in accordance with EN. EN defines a THR of per hour (SIL 4). The safety functions, consisting of a safety-related loop (input, processing unit, output and safety communication among HIMatrix systems), meet the requirements described above in all combinations. The controllers, remote I/Os and modules meet these requirements.

Self-Test and Fault Diagnosis

The operating system of the controllers executes comprehensive self-tests at start-up and during operation. The following components are tested:
- Processors
- Memory areas (RAM, non-volatile memory)
- Watchdog
- The individual I/O channels

If faults are detected during the tests, the operating system switches off the defective device, module or faulty I/O channel. In non-redundant systems, this means that sub-functions or even the entire PES will shut down.

All HIMatrix devices and modules are equipped with LEDs to indicate that faults have been detected. This allows the user to quickly diagnose faults in a device or the external wiring when a fault is reported. Further, the user program can also evaluate various system variables or system signals that report the device or module status. An extensive diagnostic record of the system's behavior and detected faults is stored in the diagnostic memory of the controllers. After a system fault, the recorded data can be read using the PADT.

For more details on how to evaluate the diagnostic messages, refer to the Manual for Compact Systems (HI E) or to the Manual for the Modular System F60 (HI E), Chapter Diagnosis. For a small number of component failures that do not affect safety, the HIMatrix system does not provide any diagnostic information.

PADT

Using the PADT, the user creates the program and configures the controller. The safety concept of the PADT supports the user in the proper implementation of the control task. The PADT takes numerous measures to check the entered information. The PADT is a personal computer with the programming tool installed. For the HIMatrix system, two programming tools are available, depending on the operating system version loaded on the controller:
- SILworX must be used for CPU OS V7 and higher.
- ELOP II Factory must be used for CPU OS up to V6.x.

Structuring Safety Systems in Accordance with the Energize to Trip Principle

Safety systems operating in accordance with the energize to trip principle have the following characteristics:
1. The safe state of a device is the de-energized state. This state is adopted, for instance, if a fault has occurred in the device.
2. The controller can trigger the safety function on demand by switching on an actuator.

Detection of Failed System Components

Thanks to the automatic diagnostic function, the safety system is able to detect that devices have failed.

Safety Function in Accordance with the Energize to Trip Principle

The safety function is performed when the safety system energizes one or several actuators, thus ensuring that the safe state is adopted. The user must plan the following actions:
- Line monitoring (short-circuits and open-circuits) within input and output devices. These must be configured accordingly.
- The actuators' operation can be monitored through a position feedback.

3.2 Time Parameters Important for Safety

These are:
- Fault tolerance time
- Safety time
- Response time
- Watchdog time

Fault Tolerance Time

The fault tolerance time (FTT, see DIN VDE 0801, Appendix A) is a property of the process and describes the span of time during which the process allows faulty signals to exist before the system state becomes safety-critical.

Safety Time

The safety time is the period, starting when an internal fault occurs, within which the controller, still in the RUN state, must provide a reaction. From the process point of view, the safety time is the maximum time within which the safety system must provide a reaction on the output after a change of the input signals (response time).

Table 15: Range of Values for the Safety Time
Operating system version | Safety time, from ... to
CPU OS V7 and higher     | … ms
CPU OS up to V6.x        | … ms

User Program Safety Time

The safety time for the user program cannot be set directly. To calculate the safety time for a user program, HIMatrix uses the resource-specific parameter Max. Safety Time and the parameter Maximum Number of Cycles. Refer to Chapter 7 for more details.

Response Time

Assuming that no delay results from the configuration or the user program logic, the worst-case reaction time of HIMatrix controllers running in cycles is twice the system cycle time. The cycle time of the controller consists of the following main components:
- Reading the inputs
- Processing the user program(s)
- Writing to the outputs
- Process data communication
- Performing test routines

With F*03 devices or modules, a user program cycle can include multiple processor system cycles. The response time for such user programs must be increased accordingly, see below. Further, the switching times of the inputs and outputs must be taken into account when determining the worst case for the overall system.

The response time t_Response is composed of the following elements:

t_Response = t_Input + t_In_communication + 2 * t_WDT + t_Out_communication + t_Output

- t_Input: Switching/implementation time of the input
- t_In_communication: With remote I/Os: transmission time between the controller and the input within the remote I/O
- t_WDT: Depends on the device type. With standard devices or modules, this is the resource watchdog time. With F*03 devices or modules, this is the user program's watchdog time, which can be a multiple of the processor system's watchdog time.
- t_Out_communication: With remote I/Os: transmission time between the controller and the output within the remote I/O
- t_Output: Switching/implementation time of the output

Processor System Watchdog Time

The watchdog time is set in the menu for configuring the PES properties. This time is the maximum permissible duration of a RUN cycle (cycle time). If the cycle time exceeds the preset watchdog time, the system is shut down. Afterwards, if Autostart was configured, the system restarts. If Autostart is not configured, the system enters the STOP/VALID CONFIGURATION state.

The processor system watchdog time may be set to at most half the PES safety time (watchdog time ≤ ½ * PES safety time).

Table 16: Range of Values for the Watchdog Time
Operating system version | HIMatrix | Range of values for the watchdog time | Default value for the controllers | Default value for the remote I/Os
CPU OS V8 and higher     | F*03     | … ms                                  | 200 ms                            | 100 ms
CPU OS V7 and higher     | Standard | … ms                                  | 200 ms                            | 100 ms
CPU OS up to V6.x        | Standard | … ms                                  | 50 ms                             | 10 ms

i Determine the safety time and the watchdog time for the system to be controlled.

Watchdog Time of the User Program with F*03

Each user program has its own watchdog time. The watchdog time for the user program cannot be set directly. To calculate the watchdog time for a user program, HIMatrix F*03 devices or modules use the resource-specific parameter Max. Watchdog Time and the parameter Maximum Number of Cycles. Make sure that the calculated watchdog time is not greater than the reaction time required for the part of the process handled by the user program.
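The following worked example is added here for illustration and is not HIMA code nor part of the original manual. It turns the rules of Section 3.2 into a plausibility check a planner can run before commissioning: the response-time formula (t_Response = t_Input + t_In_communication + 2 * t_WDT + t_Out_communication + t_Output), the constraint that the processor system watchdog time must not exceed half the PES safety time, and the requirement that the worst-case response must stay within the fault tolerance time of the process. Two points are assumptions, not taken from the manual: the user-program watchdog time of an F*03 device is modelled as the resource watchdog time multiplied by Maximum Number of Cycles (the manual only says it "can be a multiple"), and all numeric inputs (2 ms, 20 ms, 600 ms, 1000 ms) are constructed sample values, not data-sheet figures.

```python
"""Worst-case response time and watchdog plausibility check for one HIMatrix
safety loop (added example, not HIMA code).

Implements the relation from Section 3.2 of the safety manual:

    t_Response = t_Input + t_In_communication + 2*t_WDT + t_Out_communication + t_Output

plus the rule "watchdog time <= 1/2 * PES safety time" and the requirement
that the worst-case response time must not exceed the process fault tolerance
time (FTT). All sample numbers are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoopTiming:
    """Timing contributions of one safety loop, all in milliseconds."""
    t_input: float       # switching/implementation time of the input channel
    t_in_comm: float     # controller <-> remote I/O transmission, input side (0 for local I/O)
    t_wdt: float         # processor system (resource) watchdog time, cf. Table 16
    t_out_comm: float    # controller <-> remote I/O transmission, output side (0 for local I/O)
    t_output: float      # switching/implementation time of the output channel
    max_cycles: int = 1  # F*03 only: "Maximum Number of Cycles" of the user program


def effective_wdt(t: LoopTiming) -> float:
    """Watchdog time that enters the response-time formula.

    Standard devices: the resource watchdog time itself. F*03 devices: the user
    program's watchdog time, which the manual says "can be a multiple" of the
    processor system watchdog time. ASSUMPTION: modelled as t_wdt * max_cycles;
    the manual does not spell out the arithmetic.
    """
    if t.max_cycles < 1:
        raise ValueError("Maximum Number of Cycles must be >= 1")
    return t.t_wdt * t.max_cycles


def worst_case_response(t: LoopTiming) -> float:
    """t_Response per Section 3.2. The watchdog term appears twice because the
    manual gives twice the cycle time as the worst case for a cyclic controller
    (a signal change arriving just after the inputs were read is only seen in
    the next cycle and then needs that cycle to be processed and written out)."""
    return t.t_input + t.t_in_comm + 2 * effective_wdt(t) + t.t_out_comm + t.t_output


def check_loop(t: LoopTiming, safety_time: float, ftt: float) -> list[str]:
    """Return every violated rule as a message; an empty list means plausible.

    safety_time: PES safety time in ms; ftt: fault tolerance time of the process in ms.
    """
    problems: list[str] = []
    if t.t_wdt > safety_time / 2:
        problems.append(
            f"watchdog time {t.t_wdt:g} ms exceeds 1/2 of the PES safety time "
            f"({safety_time / 2:g} ms)")
    if effective_wdt(t) > ftt:
        problems.append(
            f"user program watchdog time {effective_wdt(t):g} ms exceeds the "
            f"reaction time required by the process ({ftt:g} ms)")
    resp = worst_case_response(t)
    if resp > ftt:
        problems.append(
            f"worst-case response time {resp:g} ms exceeds the fault tolerance "
            f"time ({ftt:g} ms)")
    return problems


if __name__ == "__main__":
    # Constructed case 1: standard controller, local I/O, default 200 ms watchdog.
    local = LoopTiming(t_input=2, t_in_comm=0, t_wdt=200, t_out_comm=0, t_output=3)
    print(worst_case_response(local), check_loop(local, safety_time=600, ftt=1000))
    # Constructed case 2: F*03 controller with remote I/Os and a user program
    # spanning 3 processor cycles; the doubled 600 ms watchdog alone blows the FTT.
    remote = LoopTiming(t_input=2, t_in_comm=20, t_wdt=200, t_out_comm=20, t_output=3,
                        max_cycles=3)
    print(worst_case_response(remote), check_loop(remote, safety_time=600, ftt=1000))
```

The second constructed case shows the trap the manual warns about for F*03 devices: a 200 ms resource watchdog is fine on its own, but a user program allowed three processor cycles has an effective 600 ms watchdog, so the 2 * t_WDT term alone already exceeds a 1000 ms fault tolerance time once the remote I/O transmission and switching times are added.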

3.3 Safety Requirements

The following safety requirements must be met when using the safety-related components of the HIMatrix system:

Hardware Configuration

Personnel configuring the HIMatrix hardware must observe the following safety requirements.

Product-Independent Requirements

- To ensure safety-related operation, only approved fail-safe hardware and software may be used. The approved hardware and software are listed in the Version List of Devices and Firmware of HIMatrix Systems of HIMA Paul Hildebrandt GmbH + Co KG. The latest versions can be found in the version list maintained together with the test authority. The latest version list can be downloaded from the HIMA website at
- The operating requirements specified in this safety manual (see Chapter 2.2 and Chapter 2.3) regarding EMC, mechanical, chemical and climatic influences must be observed.
- Non fail-safe, interference-free hardware and software may be used for processing non-safety-relevant signals, but not for handling safety-related tasks.
- The de-energized to trip principle must be applied to all safety circuits externally connected to the system.

Product-Dependent Requirements

- Only devices that are safely electrically isolated from the power supply may be connected to the system. The safe electrical separation of the power supply must be ensured within the 24 V system supply. Only power supply units ensuring that the controllers and remote I/O modules are supplied with 24 V undervoltage may be used.
- To comply with the protective provisions for electrical safety and earthing, the manufacturer of the specific application must ensure that appropriate measures are taken for separating the indoor and outdoor equipment in accordance with EN. This shall protect the HIMatrix systems against influences from the outdoor equipment in the overhead contact line zone or the pantograph zone, as well as against traction return currents.
- Power supply facilities allowed for railway applications must be used.

Programming

Personnel developing user programs must observe the following safety requirements.

Product-Independent Requirements

In safety-related applications, ensure that the safety-relevant system parameters are properly configured. The safety manual describes the possible configurations (see Chapter 7.4). In particular, this applies to the system configuration, maximum cycle time and safety time (see Chapter 3.2).

Product-Dependent Requirements - CPU OS V7 and Higher

Requirements for using the programming tool:
- SILworX must be used for programming.
- Once the application has been created, compile the program twice and compare the two resulting configuration CRCs to ensure that the program was compiled properly.
- The proper implementation of the application specification must be validated and verified. A complete test of the logic must be performed by trial.
- The system response to faults in the fail-safe input and output modules must be defined in the user program in accordance with the system-specific safety-related conditions.
- A feature of the SILworX programming tool shows which changes have been performed to the user program or system configuration. The analysis of the changes (change impact analysis, IA) must define the required test scope. This impact analysis must take the

expected changes based on the performed modifications, the result of the SILworX comparison feature and the required regression tests into account.

Product-Dependent Requirements - CPU OS up to V6.x

Requirements for using the programming tool:
- ELOP II Factory must be used for programming.
- Once the application has been created, compile the program twice and compare the two resulting configuration CRCs to ensure that the program was compiled properly.
- The proper implementation of the application specification must be validated and verified. A complete test of the logic must be performed by trial.
- The system response to faults in the fail-safe input and output modules must be defined in the user program in accordance with the system-specific safety-related conditions.

Communication

- When implementing safety-related communications between various devices, ensure that the overall response time does not exceed the fault tolerance time. All calculations must be performed in accordance with the rules given in 9.2.
- Data must be transferred over closed transmission systems (Category 1) in accordance with EN. Open transmission systems (Category 2 and Category 3) in accordance with EN may be used if additional measures are taken to guarantee that the transmission channel is secure (e.g., firewalls or encryption).
- At this stage, the serial interfaces may only be used for non-safety-related purposes.
- All devices to be connected to the communication interfaces must be equipped with safe electrical separation.

Requirements for Railway Applications

- The relevant standards must be used for railway applications.
- The digital outputs are equipped with line short-circuit monitoring. Reactions to detected short-circuits must be programmed in the application.
- The temperature state (operating temperature) of the HIMatrix systems must be evaluated by the application. Safety-related measures must be taken by the application as well. For more information, refer to System Manual Compact Systems (HI E) and System Manual Modular System (HI E), Chapter Monitoring the Temperature State.
- Error messages must be evaluated by the application. Errors are signaled by state bits and are thus available to the application. Additionally, errors are stored in the diagnostic memory of the controller and can be evaluated using the programming tool. For more information, refer to System Manual Compact Systems (HI E) and System Manual Modular System (HI E), Chapter Diagnosis.
- Detection of short-circuits to earth must be configured externally.

4 Central Functions

The devices of type F1.., F2.., F3.. are compact systems that cannot be modified. The controllers of type F60 are modular systems that, when combined with a power supply module and a processor module, may be used with up to 6 I/O modules.

4.1 Power Supply Units

The HIMatrix systems must be supplied by power supply units ensuring a 24 V low voltage to the controllers and remote I/Os. Observing the permitted voltage limits guarantees the controller's proper operation.

4.2 Functional Description of the Central Part

The CPU is the central component of the controller. It is composed of the following function blocks:

[Figure 1: Function Blocks of the F60 CPU 03. Blocks shown: Fieldbus Interfaces; Ethernet Interfaces; I/O Bus Module; Communication System nvSRAM; Flash; VCC and Temperature Monitoring; Communication System SDRAM; Communication System Processor; Comparator; Watchdog; SDRAM 1 for the Processor System; Processor 1 for the Processor System; Processor 2 for the Processor System; SDRAM 2 for the Processor System; Safety-Related Processor System; Real Time Clock]

Characteristics of the Processor System:
- Two synchronous microprocessors (processor 1 and processor 2)
- Each microprocessor has its own SDRAM memory
- Testable hardware comparators for all external accesses of both microprocessors
- In the event of an error, the watchdog is set to a safe state
- Flash EPROM, the program memory for operating systems and user programs, suitable for at least memory cycles
- Data memory in nvSRAM
- Gold capacitor for buffering date/time
- Communication processor for fieldbus and Ethernet connections
- Interface for data transfer between devices, F60 controllers and the PADT, based on Ethernet
- Optional interface(s) for data exchange via fieldbus
- LEDs for indicating the system statuses
- I/O bus logic for connection to I/O modules
- Safe watchdog (WD)
- Monitoring of power supply units, testable (1.8 VDC / 3.3 VDC)
- Temperature monitoring

4.3 Self-Tests

The self-test facilities detect individual faults that may lead to a safety-critical operating state and trigger, within the safety time of the controller, predefined fault reactions which bring the faulty components into a safe state. The following section specifies the most important self-test routines of safety-related processor systems.

Microprocessor Test

The following is tested:
- All commands and addressing modes used
- The writability of the flags and the commands generated by them
- The writability and crosstalk of the registers

Memory Areas Test

The operating system, user program, constants and parameters as well as the variable data are stored in memory areas of both processors and are tested by a hardware comparator.

Protected Memory Areas

The operating system, user program and parameter area are each stored in a memory. They are protected by write protection and a CRC test.

RAM Test

A write and read test is performed to check the modifiable RAM areas, in particular for stuck-at and crosstalk faults.

Watchdog Test

The watchdog signal is switched off if it is not triggered by both CPUs within a defined time window or if the hardware comparator test fails. An additional test checks the switch-off ability of the watchdog signal.

Test of the I/O Bus Inside the Controller

The connection between the CPU and the associated inputs and outputs (I/O modules) is tested.

Reactions to Processor System Failures

A hardware comparator in the processor module constantly checks whether the data in microprocessor systems 1 and 2 are identical. If they differ, or if the test routines detect failures in the processor module, the watchdog signal is automatically switched off. This means that input signals are no longer processed and the outputs are switched off (i.e., de-energized). If such a fault occurs for the first time, the controller is restarted (reboot). If a further internal fault occurs within the first minute after start-up, the controller enters the STOP/INVALID CONFIGURATION state and remains in this state.

4.4 Fault Diagnosis

Each F60 module has its own LED for reporting module malfunctions or faults in the external wiring. This allows the user to quickly diagnose faults in a faulty module. In the compact systems F1.., F2.., F3.., these error messages are grouped in one common error message. Additionally, the user program can evaluate various system signals associated with the inputs, outputs or the controller.

Faults are only signaled if they do not hinder communication with the processor system, i.e., the processor system must still be able to evaluate the faults. The user program logic can evaluate the error codes of the system signals and of all input and output signals.

An extensive diagnostic record of the system's performance and detected faults is stored in the diagnostic memory of the processor and the communication system. After a system fault, the recorded data can be read using the PADT.

For more details on how to evaluate the diagnostic messages, refer to the System Manual for Compact Systems (HI E) or the System Manual for the Modular System F60 (HI E), Chapter Diagnosis.

5 Inputs

Overview of the HIMatrix system inputs. Table 17 lists for each device the type and number of its inputs and whether they are safety-related, interference-free and electrically separated.

Compact systems
- F20: digital, 8 1)
- F30: digital, 20 1)
- F35: digital, 24 1); 24-bit counter, 2 1); analog, 8 1)
- F1 DI: digital, 16 1)
- F3 DIO 8/8 01: digital, 8 1)
- F3 DIO 16/8 01: digital, 16 1)
- F3 AIO 8/4 01: analog, 8 1)
- F3 DIO 20/8 02: digital, 20 1)

Modular system F60
- DIO 24/16 01: digital, 24
- DI: digital, 32 (configurable for line control)
- DI (110 V): digital, 24
- CIO 2/: bit counter, 2
- AI 8 01: analog, 8
- MI: analog or digital, 24 1)

1) Ground L-
Table 17: Overview of the Inputs

5.1 General

Safety-related inputs can be used for both safety-related signals and non-safety-related signals. The controllers provide status and fault information as follows:
- Through the diagnostic LEDs on the devices and modules.
- Using system signals or system variables that the user program is able to evaluate.
- Storing messages in the diagnostic memory that can be read by the PADT.

Safety-related input modules automatically perform high-quality, cyclic self-tests during operation. These test routines are TÜV tested and monitor the safe functioning of the corresponding module. For a small number of component failures that do not affect safety, no diagnostic information is provided.

5.2 Safety of Sensors, Encoders and Transmitters

In safety-related applications, the controller and its connected sensors, encoders and transmitters must all meet the safety requirements and achieve the specified SIL. Safety-related sensors, encoders and transmitters with the specified SIL can be connected to the inputs of the controller. If no sensors, encoders and transmitters with the specified SIL are available, ones without SIL can also be used. If this is the case, the connection and monitoring of the signals must be planned within the user program. Refer to IEC, Section 11.4, for more details about how to achieve the required SIL.

5.3 Safety-Related Digital Inputs

The described properties apply to both the digital input channels of F60 modules and the digital input channels of all compact systems (unless stated otherwise).

General

The digital inputs are read once per cycle and saved internally; cyclic tests are performed to ensure their safe functioning. Input signals that are present for a time shorter than the time between two samplings, i.e., shorter than a cycle time, may not be detected.

Test Routines

The test routines check whether the input channels are able to pass both signal levels (LOW and HIGH levels), regardless of the signals actually present on the input. This function test is performed each time the input signals are read.

Reaction in the Event of a Fault

If the test routines for digital inputs detect a fault, a compact system activates the ERROR LED, an F60 module activates the ERR LED.

CPU OS V7 and Higher

The user program processes the initial value of the global variables. The user program need not process the error code. The error code provides additional options for monitoring the external wiring and programming fault reactions in the user program. The name of the system variable containing the error code is: ->Error Code [Byte]. It can be accessed in the ...channels tab located in the detail view of the module or device, in the line with the channel number.

CPU OS up to V6.x

The user program processes a low level for the defective channel in accordance with the de-energize to trip mode. In addition to the channel signal value, the user program must also consider the corresponding error code. The error code provides additional options for monitoring the external wiring and programming fault reactions in the user program. The name of the system signal containing the error code is: Error Code DI[xx], where xx represents the channel number. It is accessible from within the Signal Connections... dialog box of the module or device.

Surges on Digital Inputs

Due to the short cycle time of the HIMatrix systems, a surge pulse as described in EN can be read in to the digital inputs as a short-term high level. The following measures ensure proper operation in environments where surges may occur:
1. Install shielded input wires.
2. Program noise blanking in the user program. A signal must be present for at least two cycles before it is evaluated.

Note: The measures specified above are not necessary if the plant design precludes surges from occurring within the system. In particular, the design must include protective measures with respect to overvoltage, lightning, earth grounding and plant wiring in accordance with the relevant standards and the manufacturer's specifications.

Configurable Digital Inputs

The digital inputs of the F35 controller and the MI module operate as analog inputs, but return digital values due to the configuration of switching thresholds. For configurable digital inputs, the test routines and safety-related functions for analog inputs apply as specified in Chapter
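The noise blanking recommended against surges above, simulated cycle by cycle. This is an added example and not HIMA code or a SILworX function block: it models the controller reading a digital input once per cycle and only passing a HIGH level to the rest of the logic after it has been read in two consecutive cycles, so that a one-cycle surge pulse is ignored. The asymmetric treatment of LOW (passed immediately, because LOW is the safe state under the de-energize-to-trip principle) and the sample sequences are assumptions of this example.

```python
"""Cycle-wise noise blanking for a safety-related digital input.

Added example (not HIMA's code): simulates the PLC reading an input once
per cycle and only accepting a HIGH level after it has been present for at
least two consecutive cycles. The sample sequences at the bottom are
constructed.
"""
from typing import List


class NoiseBlanker:
    """Qualifies a digital input over `cycles` consecutive readings.

    Design choice (an assumption of this example, not a statement of the
    manual): the filter is asymmetric. A LOW reading is passed on at once
    because LOW is the safe state under the de-energize-to-trip principle;
    only a HIGH level must persist for `cycles` readings before it is
    reported to the rest of the logic.
    """

    def __init__(self, cycles: int = 2) -> None:
        if cycles < 1:
            raise ValueError("cycles must be >= 1")
        self.cycles = cycles
        self.high_count = 0   # consecutive HIGH readings seen so far
        self.output = False   # level delivered to the application logic

    def step(self, raw: bool) -> bool:
        """Process the raw reading of one cycle and return the qualified level."""
        if raw:
            self.high_count += 1
            if self.high_count >= self.cycles:
                self.output = True
        else:
            # A single LOW reading resets the qualification and the output.
            self.high_count = 0
            self.output = False
        return self.output


def evaluate(samples: List[bool], cycles: int = 2) -> List[bool]:
    """Run the blanker over a whole sequence of per-cycle readings."""
    blanker = NoiseBlanker(cycles)
    return [blanker.step(s) for s in samples]


# Constructed per-cycle readings of one digital input (True = HIGH).
SURGE_PULSE = [False, True, False, False]              # one-cycle surge, must be ignored
GENUINE_HIGH = [False, True, True, True, False]        # real signal lasting three cycles
BRIEF_DROPOUT = [True, True, True, False, True, True]  # one-cycle LOW inside a HIGH phase

if __name__ == "__main__":
    for name, seq in (("surge", SURGE_PULSE), ("genuine", GENUINE_HIGH),
                      ("dropout", BRIEF_DROPOUT)):
        print(f"{name:8s} raw={seq} qualified={evaluate(seq)}")
```

The extra cycles the qualification adds are part of the processing delay and must be counted in the response time determined for the safety function.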

Line Control

Line control is used to detect short-circuits or open-circuits and can be configured for the HIMatrix systems with digital inputs (but not with configurable digital inputs), e.g., on EMERGENCY STOP devices. To this end, connect the digital outputs (DO) of the system to the digital inputs (DI) of the same system as follows (example):

[Figure 2: Line Control. Shown: EMERGENCY STOP 1 and EMERGENCY STOP 2 wired between the DO and DI channels of the system; EMERGENCY STOP switches in accordance with EN and EN]

The controller pulses the digital outputs to detect line short-circuits and open-circuits on the lines connected to the digital inputs. To do so, configure the Value [BOOL] -> system variable in SILworX or the DO[01].Value system signal in ELOP II Factory. The variables for the pulsed outputs must begin with channel 1 and reside in direct sequence, one after the other. See the section about system variables or system signals in the corresponding manuals.

[Figure 3: Pulsed Signal T1, T2 (T1 and T2 configurable, in µs)]

Line control detects the following faults:
- Cross-circuit between two parallel wires
- Invalid connections of two lines (e.g., DO 2 to DI 3)
- Earth fault of a line (with earthed ground only)
- Open-circuit or open contacts, including when one of the two EMERGENCY STOP switches mentioned above has been engaged; the LED blinks and the error code is created

If such a fault occurs, the following reactions are triggered:
- The FAULT LED on the module's or controller's front plate blinks.
- The inputs are set to low level.
- An (evaluable) error code is created.
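An illustrative model of how pulsed outputs let the controller tell the fault classes listed above apart. This is an added example, not HIMA's implementation, and it deliberately simplifies: it assumes that each pulsed output DO k briefly drives its line LOW in its own time slot k while the other pulsed outputs stay HIGH, that DI k is wired via its EMERGENCY STOP contact to DO k, and that the controller sees, per input, the level read in each slot. The class names, the slot scheme and the sample readings are constructed for the example.

```python
"""Illustrative model of line control with pulsed digital outputs.

Added example (not HIMA's code). Assumption: pulsed output DO k drives its
line LOW only in time slot k; DI k is wired to DO k through an EMERGENCY
STOP contact. Each DI therefore should read LOW in exactly its own slot.
The per-slot readings in SAMPLE are constructed.
"""
from enum import Enum
from typing import Dict, List


class LineState(Enum):
    OK = "line intact, contact closed"
    OPEN = "open-circuit, open contact or earth fault (line permanently LOW)"
    STUCK_HIGH = "no test pulse seen: short-circuit to L+ or cross-circuit masking the pulse"
    CROSS = "invalid connection or cross-circuit: pulse of another DO seen"


def expected_pattern(n_outputs: int, own: int) -> List[bool]:
    """Readings DI `own` should see over slots 1..n: LOW only in its own slot."""
    return [slot != own for slot in range(1, n_outputs + 1)]


def classify(own: int, readings: List[bool]) -> LineState:
    """Classify one input line from its readings over all pulse slots."""
    n = len(readings)
    low_slots = {slot for slot, level in enumerate(readings, start=1) if not level}
    if readings == expected_pattern(n, own):
        return LineState.OK
    if not low_slots:
        return LineState.STUCK_HIGH          # the line never follows its own pulse
    if low_slots == set(range(1, n + 1)):
        return LineState.OPEN                # the line carries no level at all
    return LineState.CROSS                   # pulses of another output are visible


def check_lines(readings: Dict[int, List[bool]]) -> Dict[int, LineState]:
    """Classify every monitored input line."""
    return {di: classify(di, r) for di, r in readings.items()}


def safe_input_levels(readings: Dict[int, List[bool]]) -> Dict[int, bool]:
    """Level handed to the application: HIGH only for an intact, closed line.
    Every detected fault forces the input to LOW, the reaction the manual
    describes for line control faults."""
    return {di: state is LineState.OK for di, state in check_lines(readings).items()}


# Constructed readings for 4 pulsed outputs DO1..DO4 wired to DI1..DI4, one
# entry per slot (True = HIGH).
SAMPLE = {
    1: [False, True, True, True],     # dips only in slot 1 -> OK
    2: [True, True, True, True],      # never dips -> stuck HIGH
    3: [True, False, True, True],     # dips in DO2's slot -> wired to DO2 / cross-circuit
    4: [False, False, False, False],  # permanently LOW -> open circuit or E-STOP engaged
}

if __name__ == "__main__":
    for di, state in check_lines(SAMPLE).items():
        print(f"DI{di}: {state.name:10s} {state.value}")
```

The model shows why the pulsed outputs must be assigned in direct sequence starting at channel 1: the controller can only attribute a pulse to a line if it knows which output owns which slot.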

5.4 Safety-Related Analog Inputs (F35, F3 AIO 8/4 01 and F60)

The analog input channels convert the measured input currents into an INTEGER value. The values are available to the user program as variables associated with the following system variables or system signals:

Operating system version | Value
CPU OS V7 and higher | System variable -> Value [INT]
CPU OS up to V6.x | System signal AI[xx].Value (xx = channel number)
Table 18: Value of Safety-Related Analog Inputs

The safety-related accuracy is the guaranteed accuracy of the analog input without device or module fault reaction. This value must be taken into account when configuring the safety functions.

The value range for the inputs depends on the device or module:

F35 controller
Input channels | Measuring method | Current, voltage | Range of values in the application: FS1000 1) | FS2000 1) | Safety-related accuracy
8 | Unipolar | V | | | %
8 | Unipolar | 0 to 20 mA | 2) 3) | 2) 3) | 2 %
1) can be configured by selecting the type in the PADT
2) with external 250 Ω shunt adapter, part no.:
3) with external 500 Ω shunt adapter, part no.:
Table 19: Analog Inputs of the F35 Controller

Remote I/O F3 AIO 8/4 01
Input channels | Measuring method | Current, voltage | Range of values in the application | Safety-related accuracy
8 | Unipolar | V | | %
8 | Unipolar | 0/ mA | 1) 2) | 2 %
1) with external 250 Ω shunt adapter, part no.:
2) with external 500 Ω shunt adapter, part no.:
Table 20: Analog Inputs of the F3 AIO 8/4 01 Remote I/O

F60 controller
Input channels | Measuring method | Current, voltage | Range of values in the application: FS1000 1) | FS2000 1) | Safety-related accuracy
AI | Unipolar | V | | | %
8 | Unipolar | 0 to 20 mA | 2) 3) | 2) 3) | 1 %
8 | Unipolar | 0 to 20 mA | 2) 3) | 2) 3) | 4 %
4 | Bipolar | V | | | %
MI | Unipolar | 0 to 20 mA | 4) | | 1 %
1) can be configured by selecting the type in the PADT (F60)
2) with external 250 Ω shunt adapter, part no.:
3) with external 500 Ω shunt adapter, part no.: (accuracy 0.05 %, P 1 W)
4) internal shunts
Table 21: Analog Inputs of the F60 Controller

The AI 8 01 module of the HIMatrix F60 can be configured in the user program for 8 unipolar or 4 bipolar functions. However, it is not allowed to combine functions on a module.

The analog inputs of the F35 controller, the F3 AIO 8/4 01 remote I/O and the AI 8 01 module operate with voltage measurement.

With the analog inputs of the HIMatrix F35 and F3 AIO 8/4 01, digital outputs of the same system (F35) or of other HIMatrix controllers can be monitored to detect open-circuits. Further information is available in the manuals of the corresponding HIMatrix controllers.

If an open-circuit occurs (the line is not monitored by the system), any input signal is processed on the high-resistance inputs. The value resulting from this fluctuating input voltage is not reliable; with voltage inputs, the channels must be terminated with a 10 kΩ resistor. The internal resistance of the source must be taken into account. To measure currents, the shunt is connected in parallel to an input; in this case the 10 kΩ resistor is not required.

The inputs of the MI module are only current inputs, because of the internal shunts, and cannot be used as voltage inputs.

If input channels are not used, the measurement input must be connected to ground. If an open circuit occurs, negative influences (fluctuating input voltages) on other channels are thus avoided.

Operating system version | Procedure
CPU OS V7 and higher | It is sufficient not to assign global variables to unused inputs.
CPU OS up to V6.x | For the unused input channel, set the corresponding signal AI[0x].Used to the default value FALSE or 0 in ELOP II Hardware Management. In doing so, the channel is masked out in the user program, i.e., no signals of this channel are available within the logic.
Table 22: Configuration of Unused Inputs

Test Routines

The analog values are processed in parallel via two multiplexers and two analog/digital converters with 12-bit resolution, and the results are compared. Additionally, test values are generated by the existing digital/analog converters, converted back to digital values, and then compared with the default value.

Reaction in the Event of a Fault

If channel faults occur in the analog inputs, a compact system activates the FAULT LED, an F60 module the ERR LED.

CPU OS V7 and Higher

The error code of the corresponding channel is set to a value > 0. If the entire module is faulty, the error code for the module is set to a value > 0. The user program processes the configured initial value. If the value 0 mA is within the valid measuring range, the user program must evaluate the error code in addition to the analog value. The error code provides additional options for monitoring the external wiring and programming fault reactions in the user program. The name of the system variable containing the error code is: ->Error Code [Byte]. It can be accessed in the ...channels tab located in the detail view of the module or device, in the line with the channel number.

CPU OS up to V6.x

The error code of the corresponding channel is set to a value > 0. If the entire module is faulty, the error code for the module is set to a value > 0. The user program processes the configured initial value. In addition to the analog value, the user program must also evaluate the error code. For values > 0, a safety-related reaction must be planned. The error code allows the user to monitor the external wiring and program additional fault reactions in the user program. The name of the system signal containing the error code is: Error Code AI[xx], where xx represents the channel number. It is accessible from within the Signal Connections... dialog box of the module or device.
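Why the error code must be evaluated alongside the analog value when 0 mA lies inside the measuring range, shown as an added example (not HIMA's code and not a SILworX function block). The channel value, channel error code and module error code are modelled as plain integers; the scaling of 50 raw counts per mA, the ranges and all readings are assumptions constructed for the example. The first function trusts the value alone; the second applies the rule from the two sections above: any error code > 0 forces the safe reaction regardless of the value.

```python
"""Evaluating a safety-related analog input together with its error code.

Added example (not HIMA's code). Scaling is an assumption for readability
only: 50 raw counts per mA, so 0..1000 counts covers a 0..20 mA range and
200..1000 counts a 4..20 mA live-zero range. All readings are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Range = Tuple[int, int]
RANGE_0_20MA: Range = (0, 1000)    # 0 mA is a valid measurement
RANGE_4_20MA: Range = (200, 1000)  # live zero: anything below 4 mA is implausible


@dataclass(frozen=True)
class AnalogReading:
    value: int          # channel value ("-> Value [INT]" / "AI[xx].Value")
    error_code: int     # channel error code, 0 = no fault
    module_error: int   # module error code, 0 = no fault


def value_only(reading: AnalogReading, valid: Range) -> Optional[int]:
    """Plausibility check on the value alone (the inadequate approach).

    Returns the value if it lies inside the measuring range, else None
    (= go to the safe reaction). After a channel fault the controller
    delivers the configured initial value, assumed to be 0 here, which
    with a 0..20 mA range is indistinguishable from a genuine 0 mA reading.
    """
    lo, hi = valid
    return reading.value if lo <= reading.value <= hi else None


def with_error_code(reading: AnalogReading, valid: Range) -> Optional[int]:
    """Value check plus error-code evaluation, as the manual requires.

    Any error code > 0 on the channel or the module overrides the value
    and forces the safe reaction (None), whatever the value says.
    """
    if reading.error_code > 0 or reading.module_error > 0:
        return None
    return value_only(reading, valid)


def trip_required(reading: AnalogReading, valid: Range, low_limit: int) -> bool:
    """Example safety function: trip when the measurement is unavailable
    or below `low_limit` raw counts (e.g. a minimum pressure or flow)."""
    value = with_error_code(reading, valid)
    return value is None or value < low_limit


if __name__ == "__main__":
    faulted = AnalogReading(value=0, error_code=1, module_error=0)  # constructed channel fault
    print("value only, 0..20 mA :", value_only(faulted, RANGE_0_20MA))       # 0, fault missed
    print("with error code      :", with_error_code(faulted, RANGE_0_20MA))  # None, safe reaction
    print("value only, 4..20 mA :", value_only(faulted, RANGE_4_20MA))       # None, caught by live zero
```

With a live-zero range the value check alone already rejects the initial value 0, which is exactly the case the manual excludes; with 0 mA inside the range only the error code reveals the fault.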

5.5 Safety-Related Counters (F35 and F60)

General

Unless otherwise noted, the points previously mentioned apply to the CIO 2/4 01 counter module of the F60 as well as to the counters of the F35.

A counter channel can be configured for operation as a high-speed up or down counter with 24-bit resolution or as a decoder in Gray code. If used as a high-speed up or down counter, the pulse input and count direction input signals are required in the application. The counter is only reset in the user program.

The CIO 2/4 01 counter module of the F60 has 4-bit or 8-bit encoder resolution, whereas the F35 has 3-bit or 6-bit encoder resolution. A reset is possible. 2 independent 4-bit inputs may only be connected to an 8-bit input (example of F60) using the user program. No switching option is planned for this purpose.

The encoder function monitors the change of the bit pattern on the input channels. The bit patterns on the inputs are directly transferred to the user program. They are represented in the PADT as decimal numbers corresponding to the bit pattern (Counter[0x].Value). Depending on the application, this number (which corresponds to the Gray code bit pattern) can be converted into, for example, the corresponding decimal value.

Reaction in the Event of a Fault

If the test facilities detect a fault in the counter section of the device or module, they set a status bit for evaluation in the user program. Additionally, the user program can also consider the corresponding error code. A compact system activates the ERROR LED, an F60 module the ERR LED. The error code allows the user to monitor the external wiring and program additional fault reactions in the user program.

Version | Access to the error code | Error code name
CPU OS V7 and higher | In the ...channels tab located in the detail view of the module or device, row with the channel number | ->Error code [bytes]
CPU OS up to V6.x | In the Signal Connections... window of the module or device | Counter[xx].error code, xx = channel number
Table 23: Error Codes with Counter Inputs
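The Gray code conversion mentioned in the encoder description above, worked through as an added example (not HIMA code and not a SILworX function block). The block converts the decimal number the PADT shows for a Gray-code bit pattern into the plain binary count, joins two independent 4-bit encoder inputs into one 8-bit pattern in the user program, and adds a plausibility check on consecutive patterns. The plausibility rule (a valid Gray-code step changes at most one bit), the function names and the sample patterns are assumptions of this example, not functions of the counter module.

```python
"""Decoding the Gray-code bit pattern of a counter/encoder input.

Added example (not HIMA's code). The plausibility rule and all sample
patterns are constructed for illustration.
"""
from typing import List, Tuple


def binary_to_gray(n: int) -> int:
    """Reference encoder: the Gray pattern that represents count n."""
    return n ^ (n >> 1)


def gray_to_binary(gray: int) -> int:
    """Convert a Gray-code pattern (the number shown as Counter[0x].Value)
    into the plain binary count."""
    value = gray
    mask = gray >> 1
    while mask:
        value ^= mask
        mask >>= 1
    return value


def combine_nibbles(high: int, low: int) -> int:
    """Join two 4-bit encoder inputs into one 8-bit pattern (high nibble first).
    Assumption: the two inputs carry the upper and lower half of one 8-bit
    Gray word; the manual only states that the join has to be done in the
    user program."""
    if not (0 <= high <= 0xF and 0 <= low <= 0xF):
        raise ValueError("each input must be a 4-bit pattern")
    return (high << 4) | low


def plausible_transition(prev: int, cur: int) -> bool:
    """True if the pattern stayed the same or changed in exactly one bit.
    A multi-bit jump between two cycles points to a wiring or encoder fault
    (design choice of this example)."""
    return bin(prev ^ cur).count("1") <= 1


def decode_sequence(patterns: List[int]) -> Tuple[List[int], bool]:
    """Decode a cycle-by-cycle sequence of Gray patterns.

    Returns (counts, fault). At the first implausible step the decoding
    stops and the fault flag is set, so the application can react instead
    of trusting a position that jumped.
    """
    counts: List[int] = []
    prev = None
    for p in patterns:
        if prev is not None and not plausible_transition(prev, p):
            return counts, True
        counts.append(gray_to_binary(p))
        prev = p
    return counts, False


if __name__ == "__main__":
    # Constructed: an 8-bit encoder delivered as two 4-bit inputs.
    pattern = combine_nibbles(0b1100, 0b0001)
    print(f"pattern {pattern:08b} -> count {gray_to_binary(pattern)}")
    print(decode_sequence([0, 1, 3, 2, 6]))   # clean run of five steps
    print(decode_sequence([0, 1, 3, 0]))      # two bits flip at once: fault
```

In the controller the user program would perform this conversion every cycle on the decimal value delivered for the channel and combine the result with the status bit and error code described above.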

5.6 Checklist for Safety-Related Inputs

HIMA recommends using the following checklist for engineering, programming and starting up safety-related inputs. It can be used for helping with planning as well as to demonstrate later on that the planning phase was carefully completed.

When engineering or starting up the system, a checklist must be filled out for each of the safety-related input channels used in the system to verify the requirements to be met. This is the only way to ensure that all requirements were considered and clearly recorded. The checklist also documents the relationship between the external wiring and the user program.

The checklist HIMatrix_Checklist_Inputs.doc is available as a Microsoft Word document. The ZIP file HIMatrix_Checklists.zip contains all checklists and can be downloaded from the HIMA website at:

6 Outputs

Overview of the HIMatrix system outputs. Table 24 lists for each device the type and number of its outputs and whether they are safety-related and electrically separated.

Compact systems
- F20: digital, 8 1); pulse, 4 1)
- F30: digital, 8 1) (configurable for line control)
- F35: digital, 8 1)
- F1 DI: pulse, 4 1)
- F2 DO 4 01: digital, 4 1)
- F2 DO 8 01: digital, 8
- F2 DO: digital, 16 1)
- F2 DO: relay, 16
- F3 DIO 8/8 01: digital 1-pole, 8 1); digital 2-pole, 2
- F3 DIO 16/8 01: digital 1-pole, 16 1); digital 2-pole, 8
- F3 AIO 8/4 01: analog, 4 1)
- F3 DIO 20/8 02: digital, 8 1) (configurable for line control)

Modular system F60
- DIO 24/16 01: digital, 16 (configurable for line control)
- DO 8 01 (110 V): relay, 8
- CIO 2/4 01: digital, 4
- AO 8 01: analog, 8

1) Ground L-
Table 24: Overview of the Outputs

6.1 General

The controller writes to the safety-related outputs once per cycle, reads back the output signals and compares them with the specified output data. The safe state of the outputs is the 0 value or an open relay contact.

The safety-related output channels are equipped with three testable switches connected in series. Thus, a second independent shutdown function, which is a safety requirement, is integrated into the output module. If a fault occurs, this integrated safety shutdown function safely de-energizes all channels of the defective output module (de-energized state).

The CPU watchdog signal is the second way to perform a safety shutdown: if the watchdog signal is lost, the safe state is immediately adopted. This function is effective only for the digital outputs and relay outputs of the controller.

The error code allows the user to configure additional fault reactions in the user program.

6.2 Safety of Actuators

In safety-related applications, the controller and its connected actuators must all meet the safety requirements and achieve the specified SIL.

6.3 Safety-Related Digital Outputs

The points listed below apply to both the digital output channels of F60 modules and the digital output channels of the compact devices. The relay modules are excluded in both cases, unless specified otherwise.

Test Routines for Digital Outputs

The modules are tested automatically during operation. The main test functions are:
- Reading the output signals back from the switching amplifier. The switching threshold for a read-back low level is 2 V. The diodes used prevent feedback of signals.
- Checking the integrated redundant safety shutdown. A shutdown test of the outputs is cyclically performed as a background test for max. 200 µs. The minimum time between two tests is 20 s.
- The system monitors its operating voltage and de-energizes all outputs at an undervoltage of < 13 V.

Reaction in the Event of a Fault

If the controller detects a faulty signal, it sets the affected device or module output to the safe, de-energized state using the safety switches. If a module fault occurs, all module outputs are switched off. A compact system additionally reports both types of fault via the ERROR LED, an F60 module via the ERR LED.

Behavior in the Event of External Short-Circuit or Overload

If the output is short-circuited to L- or overloaded, the device or module is still testable. A safety shutdown is not required. The controller monitors the device's or module's total current input and sets all output channels to the safe state if the threshold is exceeded. In this state, the outputs are checked every few seconds to determine whether the overload is still present. In a normal state, the outputs are switched on again.

Line Control

The controller can pulse safety-related digital outputs and use them with the safety-related digital inputs of the same system (but not the configurable digital inputs) to detect open-circuits and short-circuits (see Chapter 5.3.6).

NOTE
Malfunctions of the connected actuators are possible!
Pulsed outputs must not be used as safety-related outputs (e.g., for activating safety-related actuators)!

Relay outputs cannot be used as pulsed outputs.

6.4 Safety-Related 2-Pole Digital Outputs

The following points apply to the 2-pole digital outputs of the remote I/Os F3 DIO 8/8 01 and F3 DIO 16/8 01.

The devices are tested automatically during operation. The main test functions are:
- Reading the output signals back from the switching amplifier. The diodes used prevent feedback of signals.
- Checking the integrated (redundant) safety shutdown. A shutdown test of the outputs is cyclically performed as a background test for max. 200 µs. The minimum time between two tests is 20 s.
- Line diagnosis with 2-pole connection:
  F3 DIO 16/8 01:
  - Short-circuit to L+, L-.
  - Short-circuit between 2-pole connections.
  - Open-circuit in one of the 2-pole lines.
  F3 DIO 8/8 01:
  - Short-circuit to L+, L-.
- The system monitors its operating voltage and de-energizes all outputs at an undervoltage of less than 13 V.

With a 2-pole connection, observe the following notes:

Note: A relay or actuator connected to the output may accidentally be switched on! A requirement for applications in machine safety is that the outputs DO+, DO- are switched off if an open-circuit is detected.

Note: If the requirements previously described cannot be met, observe the following case: if a short-circuit occurs between DO- and L-, a relay may be energized or some other actuator may be set to a different switching state. Reason: during the monitoring time specified for line diagnosis, a 24 V level (DO+ output) is present on the load (relay, switching actuator), allowing it to receive enough electrical power to potentially switch to another state. The monitoring time must be configured such that an actuator cannot be activated by the line diagnosis test pulse.

Note: Detection of open-circuits may be disturbed! In a 2-pole connection, no DI input must be connected to a DO output. This would inhibit the detection of open-circuits.

Reaction in the Event of a Fault

DO- Outputs
If a faulty signal is detected, the device sets the affected output to the safe, de-energized state. A device fault causes all outputs to switch off. Both types of faults are also indicated by the ERROR LED.

DO+ Outputs
If a faulty signal is detected, the device sets the affected output to the safe, de-energized state. A device fault causes all outputs to switch off. Both types of faults are also indicated by the ERROR LED.

Behavior in the Event of External Short-Circuit or Overload

If the output is short-circuited to L-, L+ or overloaded, the device is still testable. A safety shutdown is not required. The total current input of the device is monitored. If the threshold is exceeded, the device sets all channels to the safe state. In this state, the device checks the outputs every few seconds to determine whether the overload is still present. In a normal state, the device switches the outputs on once again.

6.5 Relay Outputs

The relay outputs correspond to functional digital outputs, but offer galvanic separation and higher electrical strength.

Test Routines for Relay Outputs

The device or the module automatically tests its outputs during operation. The main test functions are:
- Reading the output signals back from the switching amplifiers located before the relays.
- Testing the switching of the relays with forcibly guided contacts.
- Checking the integrated redundant safety shutdown.

The system monitors its operating voltage and de-energizes all outputs at an undervoltage of less than 13 V.

With the DO 8 01 module and the F2 DO 8 01 and F2 DO remote I/Os, the outputs are equipped with three safety relays:
- Two relays with forcibly guided contacts.
- One standard relay.

This enables the outputs to be used for safety shutdowns.

Reaction in the Event of a Fault

If a faulty signal is detected, the device or module sets the affected output to the safe, de-energized state using the safety switches. If a module fault occurs, all module outputs are switched off. A compact system additionally reports the two faults via the ERROR LED, an F60 module via the ERR LED.

6.6 Safety-Related Analog Outputs (F60)

The AO 8 01 module has its own safety-related 1oo2 A/D microprocessor system with safe communication. It writes to the analog outputs once per cycle and saves the values internally. The module itself tests the function.

The DIP switches on the safety-related analog output modules can be used to set the outputs to voltage or current outputs. In doing so, ensure that the settings for use in the system comply with the configuration in the user program. If this is neglected, faulty module behavior may result.

NOTE
Module malfunctions are possible!
Prior to inserting the module into the system, check the following:
- Module's DIP switch settings.
- Module configuration in the user program.

Depending on the device type selected (...FS1000, ...FS2000) during configuration, multiple values must be taken into account in the logic for the output signals to obtain identical output values (see the AO 8 01 Manual HI E, Chapter Signals and Error Codes for the Outputs).

Each group of two analog outputs is galvanically connected:
- Outputs 1 and 2.
- Outputs 3 and 4.
- Outputs 5 and 6.
- Outputs 7 and 8.

The analog output circuits have current or voltage monitoring, read-back and test channels (even for parallel output circuits), as well as two additional safety switches for the safe disconnection of the output circuits in the event of a fault. This ensures that the safe state is achieved (current output: 0 mA, voltage output: 0 V).

Test Routines

The module is automatically tested during operation. The main test functions are:
- Dual read-back of the output signal.
- Crosstalk test between the outputs.
- Check of the integrated safety shutdown.

Reaction in the Event of a Fault

The module reads back the output signals once every cycle and compares them with the internally saved output signals. If the module detects a discrepancy, it switches off the faulty output channel via the two safety switches and reports a module fault via the ERR LED. The error code allows the user to configure additional fault reactions in the user program.

To determine the worst-case reaction time of the analog outputs, add the double watchdog time of the AO CPU (2 × WDT AO-µC) to the double watchdog time of the CPU (2 × WDT CPU). The worst-case reaction time is specified in the corresponding manual.

6.7 Analog Outputs with Safety-Related Shut-Down (F3 AIO 8/4 01)

The remote I/O writes to the analog outputs once per cycle and saves the values internally. All the outputs are non-safety-related, but all together they can be shut down safely. To achieve SIL 4, the output values must be read back via safety-related analog inputs and evaluated in the user program. Reactions to incorrect output values must also be specified in the user program.

Test Routines

The remote I/O automatically tests the two safety switches used to shut down all four module outputs during operation.

Reaction in the Event of a Fault

If an internal fault occurs, the remote I/O simultaneously switches off all 4 output channels via the two safety switches and reports the module fault via the FAULT LED on the front plate. The error code allows the user to configure additional fault reactions in the user program.

6.8 Checklist for Safety-Related Outputs

HIMA recommends using this checklist for engineering, programming and starting up safety-related outputs. It can be used to help with planning as well as to demonstrate later on that the planning phase was carefully completed.

When engineering or starting up the system, a checklist must be filled out for each of the safety-related output channels used in the system to verify the requirements to be met. This is the only way to ensure that all requirements were considered and clearly recorded. The checklist also documents the relationship between the external wiring and the user program.

The checklist HIMatrix_Checklist_Outputs.doc is available as a Microsoft Word document. The ZIP file HIMatrix_Checklists.zip contains all checklists and can be downloaded from the HIMA website at:

7 Software for HIMatrix Systems

The software for the safety-related automation devices of the HIMatrix systems can be divided into the following blocks:
- Operating system
- User program
- Programming tool in accordance with IEC

The operating system is loaded into the controller's central unit (CPU) and must be used in the current version certified by TÜV for safety-related applications.

The programming tool serves for creating the user program with the application-specific functions that should be performed by the automation device. The programming tool is also used to configure and operate the operating system functions. The code generator integrated in the programming tool translates the user program into machine code. The programming tool uses the Ethernet interface to transfer this machine code to the flash EPROM of the automation device.

7.1 Safety-Related Aspects of the Operating System

Each approved operating system is identified by a unique name. To help distinguish the systems from one another, the version number and the CRC signature are given. The valid versions of the operating system and corresponding signatures (CRCs), approved by the TÜV for use in safety-related automation devices, are subject to revision control and are documented in a list maintained by HIMA in co-operation with the TÜV.

The current version of the operating system can be read using the programming tool. A control check performed by the user is required (see Chapter 7.6).

7.2 Operation and Functions of the Operating System

The operating system executes the user program cyclically. In a simplified form, it performs the following functions:
- Reading of the input data
- Processing of the logic functions, programmed in accordance with IEC
- Writing of the output data

The following basic functions are also executed:
- Comprehensive self-tests
- Tests of I/O modules during operation
- Data transfer
- Diagnosis

7.3 Safety-Related Aspects of Programming

Safety Concept for the Programming Tool

The safety concept on which the two programming tools, ELOP II Factory and SILworX, are based is:
- When the programming tool is installed, a CRC checksum helps ensure the program package's integrity on the way from the manufacturer to the user.
- The programming tool performs validity checks to reduce the likelihood of faults while entering data.
- Compiling the program twice and comparing the two CRC checksums ensures that data corruption resulting from random faults in the PC in use is detected.
- The programming tool and the measures defined in this safety manual make it sufficiently improbable that code generated properly from a semantic and syntactic point of view can still contain undetected systematic faults resulting from the code generation process.

Functional test of the controller
1. Verify that the tasks to be performed by the controller were properly implemented using the data and signal flows.
2. Perform a comprehensive functional test of the logic by trial (see Verifying the Configuration and the User Program).
The controller and the application are sufficiently tested.

CPU OS V7 and higher
The safe revision comparator in SILworX can be used to determine and display all changes relative to the previous version. If a user program is modified, only the program components affected by the change must be tested.

CPU OS up to V6.x
Each user program change must be checked through a complete functional test.

Verifying the Configuration and the User Program

To verify that the user program created performs the required safety function, suitable test cases must be created for the required system specification. An independent test of each loop (consisting of input, the key interconnections in the application and output) is usually sufficient.

Suitable test cases must also be created for the numerical evaluation of formulas. Equivalence class tests are convenient; these are tests within defined ranges of values, at the limits of ranges, or within invalid ranges of values. The test cases must be selected such that the calculations can be proven to be correct. The required number of test cases depends on the formula used and must include critical value pairs.

HIMA recommends performing an active simulation with data sources. This allows one to prove that the system sensors and actuators are properly wired, even those connected via remote I/Os. This is the only way to verify the system configuration. This procedure must be followed both when creating the user program for the first time and when modifying it.

Archiving a Project

HIMA recommends archiving the project every time the program is loaded into the controller. The procedure for archiving a project is radically different in ELOP II Factory and SILworX.

Archiving a Project - CPU OS V7 and Higher
SILworX creates a project in a project file. This must be suitably stored, e.g., on a storage medium.

Archiving a Project - CPU OS up to V6.x
ELOP II Factory creates a project in a structure of sub-directories. To archive the project, ELOP II Factory can store the content of this structure to an archive file, the project archive. This project archive must be suitably stored, e.g., on a storage medium.

Creating a Project Archive
1. Print the user project to compare the logic with the specifications.
2. Compile the user program to generate the CPU configuration CRC.
3. Verify the CRCs and note down the CPU configuration CRC version. To do so, right-click the controller in the Hardware Management and select Configuration Information to display the versions. The following information is required to determine a version:
   - rootcpu.config shows the safety-related CPU configuration, i.e., the CPU configuration CRC.
   - rootcom.config shows the non-safety-related COM configuration.
   - root.config shows the overall configuration, including the remote I/Os (CPU + COM).
4. Create a project archive with the user program name, the CPU configuration CRCs and date, and store it on a storage medium. This recommendation does not replace the user's internal documentation requirements.
The project archive is complete.

Options for Identifying the Program and the Configuration

The user programs are unambiguously identified with the configuration CRC of the project. This can be compared to the configuration CRC of the loaded projects.

Project Files - CPU OS V7 and Higher
To ensure that the saved project file remained unchanged, compile the corresponding resource and compare the configuration CRC with the loaded configuration's CRC. This CRC can be displayed with SILworX.

Archive - CPU OS up to V6.x
The archive name should contain the configuration CRCs of the root.config. To ensure that the archive used did not change, compile the resource after restoring the project from the archive and compare the configuration CRC of root.config with the CRC of the loaded configuration that can be displayed with ELOP II Factory. To check them, open the Resource Consistency Check in the resource's Control Panel.

Perform a comprehensive functional test when starting up a safety-related controller for the first time or after modifying the user program. Create a project archive.

7.4 Resource Parameters

WARNING
Physical injury possible due to defective configuration!
Neither the programming tool nor the controller can verify certain project-specific parameters. For this reason, enter these parameters correctly and verify the whole entry. These parameters are:
- System ID
- Rack ID, refer to the system manuals (HI E and HI E).
- Safety Time
- Watchdog Time
- Allow Online Settings (prior to SILworX V5: Main Enable)
- Autostart
- Start Allowed
- Load Allowed
- Reload Allowed
- Global Forcing Allowed

The following parameters are defined in the programming tool for actions permitted during the automation device's safety-related operation and are referred to as safety-related parameters. Parameters that may be defined for safety-related operation are not firmly bound to any specific requirement classes. Instead, each of these must be agreed upon together with the responsible test authority for each separate implementation of the controller.

Parameters - CPU OS V7 and Higher

In CPU OS V7 and higher, a distinction is made between system parameters of the resource and system parameters of the hardware.

System Parameters of the Resource

These parameters define how the controller behaves during operation and are configured for the resource in the Properties dialog box in SILworX. For each parameter or switch, the table gives its description, its default value and the setting for safe operation.

Name
  Description: Resource name.
  Setting for safe operation: Arbitrary.

System ID [SRS]
  Description: System ID of the resource. The value assigned to the system ID must differ from the default value, otherwise the project is not able to run!
  Setting for safe operation: Unique value within the controller network. This network includes all controllers that can potentially be interconnected.

Safety Time [ms]
  Description: Safety time in milliseconds, ... ms.
  Default value: 600 ms / 400 ms 1)
  Setting for safe operation: Application-specific.

Watchdog Time [ms]
  Description: Watchdog time in milliseconds, ... ms for standard devices/modules, ... ms for F*03 devices/modules.
  Default value: 200 ms / 100 ms 1)
  Setting for safe operation: Application-specific.

Target Cycle Time [ms]
  Description: Targeted or maximum cycle time, see Target Cycle Time Mode, ... ms. The maximum target cycle time value may not exceed the watchdog time minus the minimum watchdog time; otherwise it is rejected by the PES. If the default value 0 ms is set, the target cycle time is not taken into account.
  Default value: 0 ms
  Setting for safe operation: Application-specific.

Target Cycle Time Mode
  Description: Use of Target Cycle Time [ms], see Table 26. With F*03 devices/modules, all the values can be used; with standard devices/modules, only fixed values!
  Default value: Fixed-tolerant
  Setting for safe operation: Application-specific.

Multitasking Mode
  Description: Only applicable with F*03 devices/modules!
    Mode 1: The duration of a CPU cycle is based on the required execution time of all user programs.
    Mode 2: The processor provides user programs with a higher priority the execution time not needed by user programs with a lower priority. Operation mode for high availability.
    Mode 3: The processor waits for the unneeded execution time of user programs to expire and thus increases the cycle.
  Default value: Mode 1
  Setting for safe operation: Application-specific.

Max. Com. Time Slice ASYNC [ms]
  Description: Highest value in ms for the time slice used for communication during a resource cycle, see the Communication Manual (HI E), ... ms.
  Default value: 60 ms
  Setting for safe operation: Application-specific.

Max. Duration of Configuration Connections [ms]
  Description: Only applicable with F*03 devices/modules! It defines how much time within a CPU cycle is available for process data communication, ... ms.
  Default value: 6 ms
  Setting for safe operation: Application-specific.

Maximum System Bus Latency [µs]
  Description: Not applicable for HIMatrix controllers!
  Default value: 0 µs
  Setting for safe operation: -

Allow Online Settings
  Description:
    ON: All the switches/parameters listed below can be changed online using the PADT: System ID, Autostart, Global Forcing Allowed, Global Force Timeout Reaction, Load Allowed, Reload Allowed, Start Allowed. These parameters may be changed online if Reload Allowed is set to ON: Resource Watchdog Time, Safety Time, Target Cycle Time, Target Cycle Time Mode. If Reload Allowed is set to OFF, they are not changeable online. Allow Online Settings can only be set to ON if the PES is stopped.
    OFF: These parameters may not be changed online.
  Default value: OFF
  Setting for safe operation: OFF is recommended.

Autostart
  Description:
    ON: If the processor system is connected to the supply voltage, the user program starts automatically.
    OFF: The user program does not start automatically after connecting the supply voltage.
  Default value: OFF
  Setting for safe operation: Application-specific.

Start Allowed
  Description:
    ON: A cold start or warm start is permitted with the PADT in RUN or STOP.
    OFF: Start not allowed.
  Default value: ON
  Setting for safe operation: Application-specific.

Load Allowed
  Description:
    ON: Configuration download allowed.
    OFF: Configuration download not allowed.
  Default value: ON
  Setting for safe operation: Application-specific.

Reload Allowed
  Description: Only applicable with F*03 devices/modules!
    ON: Configuration reload allowed.
    OFF: Configuration reload not allowed. A running reload process is not aborted when switching to OFF.
  Default value: ON
  Setting for safe operation: Application-specific.

Global Forcing Allowed
  Description:
    ON: Global forcing permitted for this resource.
    OFF: Global forcing not permitted for this resource.
  Default value: ON
  Setting for safe operation: Application-specific.

Global Force Timeout Reaction
  Description: Specifies how the resource should behave when the global force timeout has expired:
    Stop Forcing
    Stop the Resource
  Default value: Stop Forcing
  Setting for safe operation: Application-specific.

Minimum Configuration Version
  Description: With this setting, code compatible to previous or newer CPU operating system versions in accordance with the project requirements may be generated.
    SILworX V2: The code is generated as in SILworX V2. With this setting, the use of the code on standard devices and modules is supported for CPU operating system V7.
    SILworX V3: Not applicable for HIMatrix controllers!
    SILworX V4: The generated code is compatible to the CPU operating system V8.
    SILworX V5: Corresponds to SILworX V4. This setting ensures the compatibility with future versions.
    In a project converted from the previous version, this parameter is set to the value configured in the previous version.
  Default value: SILworX V5 with new projects
  Setting for safe operation: Application-specific.

safeethernet CRC 1)
  Description:
    SILworX V...: The CRC for safeethernet is created as in SILworX version .... This setting is required for exchanging data with resources planned with SILworX V2.36 or previous versions.
    Current Version: The CRC for safeethernet is created with the current algorithm.
  Default value: Current Version

1) First value applies to controllers, second value applies to remote I/Os.

Table 25: System Parameters of the Resource - CPU OS V7 and Higher
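The rules in Table 25 are the kind of thing a project review should check mechanically before the parameters are entered. The following Python script is an added example (not HIMA's code and not part of the manual) that encodes them: System ID must differ from the default and be unique in the controller network, the target cycle time must not exceed the watchdog time minus the minimum watchdog time, standard devices only support the fixed target cycle time modes and Minimum Configuration Version SILworX V2, Allow Online Settings should be OFF, and only certain parameters may be changed online. The default System ID and the minimum watchdog time are caller-supplied placeholders because the manual does not give them on this page; all sample values are constructed.

```python
"""Plausibility checks for HIMatrix resource parameters (CPU OS V7 and higher),
following the 'Setting for safe operation' column of Table 25. Added example,
not HIMA's own tool. Parameter names are used as plain dict keys."""
from __future__ import annotations

# Parameters the PADT may change online once Allow Online Settings is ON ...
ONLINE_ALWAYS = frozenset({
    "System ID", "Autostart", "Global Forcing Allowed",
    "Global Force Timeout Reaction", "Load Allowed", "Reload Allowed",
    "Start Allowed",
})
# ... and these only if Reload Allowed is ON as well.
ONLINE_IF_RELOAD = frozenset({
    "Watchdog Time", "Safety Time", "Target Cycle Time",
    "Target Cycle Time Mode",
})
FIXED_MODES = frozenset({"Fixed", "Fixed-tolerant"})
ALL_MODES = FIXED_MODES | {"Dynamic", "Dynamic-tolerant"}


def check_resource(params: dict, *, f03_device: bool,
                   default_system_id: int, min_watchdog_ms: int,
                   network_system_ids=frozenset()) -> list[str]:
    """Return a list of findings; an empty list means no Table 25 rule is violated.

    default_system_id and min_watchdog_ms are placeholders supplied by the
    caller (the manual does not state them here). network_system_ids holds the
    System IDs of all other controllers that could be interconnected.
    """
    findings = []
    srs = params["System ID"]
    if srs == default_system_id:
        findings.append("System ID equals the default value: project will not run")
    if srs in network_system_ids:
        findings.append(f"System ID {srs} is not unique in the controller network")

    wdt = params["Watchdog Time"]
    tct = params.get("Target Cycle Time", 0)
    # 0 ms means the target cycle time is not taken into account at all.
    if tct != 0 and tct > wdt - min_watchdog_ms:
        findings.append(
            f"Target Cycle Time {tct} ms exceeds Watchdog Time minus minimum "
            f"watchdog time ({wdt} - {min_watchdog_ms} ms): rejected by the PES")

    mode = params.get("Target Cycle Time Mode", "Fixed-tolerant")
    if mode not in ALL_MODES:
        findings.append(f"unknown Target Cycle Time Mode {mode!r}")
    elif not f03_device and mode not in FIXED_MODES:
        findings.append(f"Target Cycle Time Mode {mode!r} requires F*03 devices/modules")

    if not f03_device and params.get("Minimum Configuration Version") != "SILworX V2":
        findings.append("standard devices require Minimum Configuration Version SILworX V2")

    if params.get("Allow Online Settings") is True:
        findings.append("Allow Online Settings is ON; OFF is recommended for safe operation")
    return findings


def online_change_permitted(params: dict, parameter: str) -> bool:
    """Tell whether the PADT may change `parameter` while the PES is running,
    given the current Allow Online Settings and Reload Allowed switches."""
    if not params.get("Allow Online Settings", False):
        return False
    if parameter in ONLINE_ALWAYS:
        return True
    if parameter in ONLINE_IF_RELOAD:
        return bool(params.get("Reload Allowed", False))
    return False


# Constructed sample resource for a standard (non-F*03) device; several
# entries are deliberately wrong so that the checks have something to report.
SAMPLE = {
    "System ID": 60000,             # constructed; equals the placeholder default below
    "Safety Time": 600,
    "Watchdog Time": 200,
    "Target Cycle Time": 250,       # larger than the watchdog time
    "Target Cycle Time Mode": "Dynamic",
    "Allow Online Settings": True,
    "Reload Allowed": True,
    "Minimum Configuration Version": "SILworX V5",
}

if __name__ == "__main__":
    for line in check_resource(SAMPLE, f03_device=False,
                               default_system_id=60000, min_watchdog_ms=2):
        print("-", line)
```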

Target Cycle Time Mode

The following table describes the effect of Target Cycle Time Mode.

Fixed
  Effect on user programs: The PES maintains the target cycle time and extends the cycle if necessary. If the processing time of the user programs exceeds the target cycle time, the cycle duration is increased.
  Effect on reload of processor modules: Reload is not processed if the target cycle time is not sufficient.

Fixed-tolerant
  Effect on user programs: Such as Fixed.
  Effect on reload of processor modules: At most, the duration of every fourth cycle is increased to allow reload.

Dynamic
  Effect on user programs: HIMatrix maintains the target cycle time as well as possible and also executes the cycle as quickly as possible.
  Effect on reload of processor modules: Reload is not processed if the target cycle time is not sufficient.

Dynamic-tolerant
  Effect on user programs: Such as Dynamic.
  Effect on reload of processor modules: At most, the duration of every fourth cycle is increased to allow reload.

Table 26: Effect of Target Cycle Time Mode

Notes on the Minimum Configuration Version parameter:
- In a new project, the latest Minimum Configuration Version is selected. Verify that this setting is in accordance with the hardware in use, e.g., in HIMatrix standard devices, Minimum Configuration Version must be set to SILworX V2.
- In a project converted from a previous SILworX version, the value for Minimum Configuration Version remains the value set in the previous version. This ensures that the configuration CRC resulting from the code generation is the same as in the previous version and the generated configuration is compatible with the operating systems in the hardware. For this reason, the value of Minimum Configuration Version should not be changed for converted projects.
- If features only available in higher configuration versions are used in the project, SILworX automatically generates a higher configuration version than the preset Minimum Configuration Version. This is indicated by SILworX at the end of the code generation. The hardware denies loading a higher configuration version than that matching its operating system. For help, compare the details provided by the version comparator with the module data overview.
- If a Minimum Configuration Version of SILworX V4 or higher is set for a resource, the Code Generation Compatibility parameter must be set to SILworX V4 in every user program (see below).

Hardware System Variables - CPU OS V7 and Higher

These variables are used to change the behavior of the controller while it is operating in specific states. These variables can be set in the hardware detail view located in the SILworX Hardware Editor. For each variable, the table gives its function, its default setting and the setting for safe operation.

Force Deactivation
  Function: Used to prevent forcing and to stop it immediately.
  Default setting: FALSE
  Setting for safe operation: Application-specific.

Spare 0...Spare 16
  Function: No function.
  Default setting: -
  Setting for safe operation: -

Emergency Stop 1...Emergency Stop 4
  Function: Emergency stop switch to shut down the controller if faults are detected by the user program.
  Default setting: FALSE
  Setting for safe operation: Application-specific.

Relay contact 1...relay contact 4
  Function: Only applicable with F*03! It controls the corresponding relay contacts, if existing.
  Default setting: FALSE
  Setting for safe operation: -

Read-only in RUN
  Function: After starting the controller, no operating action such as stop, start or download is permitted in SILworX, except for forcing and reload.
  Default setting: FALSE
  Setting for safe operation: Application-specific.

Reload Deactivation
  Function: Only applicable with F*03! It prevents a reload from being performed on the controller.
  Default setting: FALSE
  Setting for safe operation: Application-specific.

User-LED 1...User LED 2
  Function: Applicable only for special controllers! It controls the corresponding LED, if existing.
  Default setting: FALSE
  Setting for safe operation: Application-specific.

Table 27: Hardware System Variables - CPU OS V7 and Higher

Global variables can be connected to these system variables; the value of the global variables is modified using a physical input or the user program logic.

Example: A key switch is connected to a digital input. The digital input is assigned to a global variable associated with the system variable Read-only in RUN. The owner of a key can thus activate or deactivate the operating actions Stop, Start and Download.

System Parameters of the Resource - CPU OS up to V6.x

For each switch, the table gives its function, its default value and the setting for safe operation.

Main Enable
  Function: The following switches/parameters can be changed during operation (= RUN) using the PADT.
  Default value: ON
  Setting for safe operation: OFF 1)

Autostart
  Function: Automatic start after powering on the controller.
  Default value: OFF
  Setting for safe operation: ON / OFF 2)

Start/Restart Allowed
  Function: Cold start, warm start or hot start with PADT in RUN or STOP.
  Default value: ON
  Setting for safe operation: OFF 1)

Load Allowed
  Function: Load enable for a user program.
  Default value: ON
  Setting for safe operation: ON

Test Mode Allowed
  Function: The test mode is permitted or not for the user program. During the test mode, the program processing is frozen. The outputs remain active and the program processing can be continued in single steps.
  Default value: OFF
  Setting for safe operation: OFF

Changing the variables in the OLT allowed
  Function: The values of variables can be visualized and modified in the online test (OLT) fields of the logic.
  Default value: OFF
  Setting for safe operation: OFF 3)

Forcing Allowed
  Function: Entering and activating values for the PES variables/signals are allowed, irrespective of the current value of the process or logic signal.
  Default value: OFF
  Setting for safe operation: Defined by the test institute.

Stop at Force Timeout
  Function: It stops the CPU upon expiration of the force time.
  Default value: ON
  Setting for safe operation: Defined by the test institute.

1) In the RUN state, it is only possible to switch to OFF.
2) The setting ON or OFF is application-specific.
3) In the RUN state, it is only possible to switch to ON.

Table 28: Resource Parameters - CPU OS up to V6.x

7.5 Protection against Manipulation

Together with the responsible test authority, the user must define which measures should be implemented to protect the system against manipulation.

Protective mechanisms for preventing unintentional or unapproved modifications to the safety system are integrated into the PES and the programming tool:
- Each change to the user program or configuration results in a new CRC.
- The changes can only be transferred to the controller via a download (the controller is then in the STOP state).
- The operating options depend on the user login into the PES.
- The programming tool prompts the user to enter a password in order to connect to the PES.
- No connection between the PADT and the PES is required in RUN; it can be interrupted.

All requirements about protection against manipulation specified in the safety and application standards must be met. The operator is responsible for authorizing employees and implementing the required protective actions.

NOTE
Only authorized personnel may be granted access to the HIMatrix controller!
Take the following measures to ensure protection against unauthorized changes to the controller:
- Change the default settings for user name and password!
- Users must keep their passwords secret.
- Upon completion of the start-up phase, disconnect the PADT from the controller and only connect it again if changes are necessary.

PES data can only be accessed if the PADT in use is operating with the current version of the programming tool and the user project is available in the currently running version (archive maintenance!).

The connection between PADT and PES is only required for downloading the user program or reading the variables or signals. The PADT is not required during normal operation. Disconnecting the PADT and PES during normal operation protects against unauthorized access.

7.6 Checklist for Creating a User Program

To comply with all safety-related aspects during the programming phase, HIMA recommends using the checklist prior to and after loading a new or modified program.

The checklist HIMatrix_Checklist_Program.doc is available as a Microsoft Word document. The ZIP file HIMatrix_Checklists.zip contains all checklists and can be downloaded from the HIMA website at:

8 Safety-Related Aspects of the User Program

General sequence for programming HIMatrix automation devices for safety-related applications:
- Specify the controller functionality.
- Write the user program.
- Use the C-code generator to compile the user program.
- Compile the user program a second time and compare the resulting CRCs. The program generated is error-free and can run.
- Verify and validate the user program. The PES can start the safety-related operation.

8.1 Scope for Safety-Related Use

(Refer to Chapter 3.3 for more details about specifications, rules and explanations of safety requirements.)

Enter the user program with the allowed programming tool:
- SILworX for CPU OS V7 and higher.
- ELOP II Factory for CPU OS up to V6.x.

The released personal computer operating systems are specified in the release notes of the programming tool.

The programming tool includes the following functions:
- Input (Function Block Editor), monitoring and documentation.
- Variables with symbolic names and data types (BOOL, UINT, etc.).
- Assignment of HIMatrix controllers.
- Code generator (for translating the user program into machine code).
- Hardware configuration.
- Communication configuration.

Programming Basics

The tasks to be performed by the controller must be defined in a specification or a requirements specification. This documentation serves as the basis for checking its proper implementation in the user program. The specification format depends on the tasks to be performed. These include:
- Combinational logic
  - Cause/effect diagram
  - Logic of the connection with functions and function blocks
  - Function blocks with specified characteristics
- Sequential controllers (sequence control system)
  - Written description of the steps and their enabling conditions and of the external components to be controlled.
  - Flow charts
  - Matrix or table form of the step enabling conditions and the external components to be controlled.
  - Definition of constraints, e.g., operating modes, EMERGENCY STOP, etc.

The I/O concept of the system must include an analysis of the field circuits, i.e., the type of external components:
- External components (field devices)
  - Input signals during normal operation (de-energize-to-trip principle with digital field devices)
  - Input signals in the event of a fault:
    - Definition of required safety-related redundancies (1oo2, 2oo3)
    - Discrepancy monitoring and reaction
  - Positioning and activation during normal operation
  - Safe reaction/positioning at shutdown or after power loss

Programming goals for the user program:
- Easy to understand.
- Easy to trace and follow.
- Easy to modify.
- Easy to test.

Functions of the User Program

Programming is not subject to hardware restrictions. The user program functions can be freely programmed. Only elements complying with IEC together with their functional requirements are permitted within the logic.

The physical inputs and outputs usually operate in accordance with the de-energize-to-trip principle, i.e., their safe state is 0. This must be taken into account during programming. The user program includes meaningful logic and/or arithmetic functions irrespective of the de-energize-to-trip principle of the physical inputs and outputs.

The program logic should be clear, easy to understand and well documented to assist in debugging. This includes the use of functional diagrams. Negations are permitted at all points within the logic. Fault signals from the inputs or outputs, or from logic blocks, must be evaluated.

It is important to encapsulate functions into user-specific function blocks and functions based on standard functions. This ensures that a program can be clearly structured in modules (functions, function blocks). Each module can be considered individually; the user can create a comprehensive, complex function by grouping the individual modules to form a single larger module or a single program.

Declaration of Variables and Signals

A variable is a placeholder for a value within the program logic. The variable name is used to symbolically address the storage space containing the stored value. A variable is created in the variable declaration for the program or function block.

Number of characters for the names of variables:
- CPU OS V7 and higher: 31
- CPU OS up to V6.x: 256

Table 29: Length of the Variable Name

Two essential advantages result from using symbolic names instead of physical addresses:
- The system designations of inputs and outputs can be used in the user program.
- Changing how the signals are assigned to the input and output channels does not affect the user program.

In CPU OS V7 and higher, variables are used instead of signals. After a cold start, variables with no user-defined initial value are set to the default value 0 or FALSE. Variables with an invalid source, e.g., due to a hardware fault in a physical input, adopt the configured initial value.

Signals - CPU OS up to V6.x

A signal is used for associating the various areas of the overall controller. The signal is created in the Signal Editor and corresponds to the global level of a program's VAR_EXTERNAL, if the connection has been previously established.

i  In this manual, "signal" does not refer to optical, acoustic or photometric signals such as those used in railway systems.

Acceptance by Test Authority

HIMA recommends involving the test authority as soon as possible when designing a system that is subject to approval.

8.2 Procedures

This chapter describes the procedures typically used for developing the user programs for safety-related HIMatrix controllers.

Assigning Variables to Inputs or Outputs

The required test routines for safety-related I/O devices, I/O modules or I/O channels are automatically executed by the operating system. The procedure for assigning the variables used in the user program differs between ELOP II Factory and SILworX.

CPU OS V7 and higher

To assign a variable to an I/O channel
1. Define a global variable of a suitable type.
2. Enter an appropriate initial value when defining the global variable.
3. Assign the global variable the channel value of the I/O channel.
4. In the user program, evaluate the error code (-> Error Code [Byte]) and program a safety-related reaction.
The global variable is now associated with an input/output channel.

CPU OS up to V6.x

Proceed as follows to assign the value of a variable to an I/O channel:

To assign a signal to an I/O channel
1. In the Signal Editor located in the Hardware Management, define a signal.
2. Drag the signal onto the program's variable declaration. VAR_EXTERNAL is created automatically.
3. Drag the signal onto the channel list associated with the I/O module.
4. In the user program, evaluate the error code and program a safety-related reaction.
The signal is assigned to an I/O channel. The system signal name for the error code depends on the I/O channel type.

Locking and Unlocking the Controller

Locking the controller locks all functions and prevents users from accessing them during operation. This also protects against manipulation of the user program. The extent of the locking should be considered in connection with the safety requirements for the PES application, and can also be agreed upon with the test authority responsible for the final system acceptance test. Unlocking the controller deactivates any locks previously set (e.g., to perform work on the controller).

i  The locking and unlocking functions are only available with controllers and the F3 DIO 20/8 01 remote I/O, but not with the remaining remote I/Os!

CPU OS V7 and higher

Three system variables serve for locking:

Table 30: System Variables for Locking and Unlocking the PES
Variable             | Function
Read only in Run     | ON: Starting, stopping, and downloading the controller are locked. OFF: Starting, stopping, and downloading the controller are possible.
Reload Deactivation  | ON: Reload is locked. OFF: Reload is possible.
Force Deactivation   | ON: Forcing is deactivated. OFF: Forcing is possible.

If all three system variables are ON, no access to the controller is possible. In this case, the controller can only adopt the STOP/VALID CONFIGURATION state after a restart. Then loading a new user program is possible.

Example for using these system variables:

To make a controller lockable
1. Define a global variable of type BOOL and set its initial value to OFF.
2. Assign the global variable to the three system variables Read only in Run, Reload Deactivation, and Force Deactivation.
3. Assign the global variable to the channel value of a digital input.
4. Connect a key switch to the digital input.
5. Compile the program, load it on the controller, and start it.
The owner of a corresponding key is able to lock and unlock the controller. In case of a fault of the corresponding digital input device or input module, the controller is unlocked.

CPU OS up to V6.x

Locking procedure - Proceed as follows to lock the PES:

To lock the controller
1. Set the following values in the controller prior to compiling (see also Chapter 8.2.3):
   Main Enable: ON
   Forcing Allowed: OFF (depending on the application)
   Test Mode Allowed: OFF
   Start/Restart Allowed: ON
   Load Allowed: ON
   Autostart: ON / OFF
   Stop at Force Timeout: ON (depending on the application)
2. After loading and starting, change the switches in the online controller in the specified order:
   Start/Restart Allowed: OFF
   Load Allowed: OFF
   Main Enable: OFF

i  The following switches may only be set to different values after receiving consent from the test authority:
   Forcing Allowed: ON
   Stop at Force Timeout: ON / OFF
   Start/Restart Allowed: ON
   Autostart: ON

The controller is locked.

Unlocking procedure - To be able to unlock the controller (Main Enable set to ON), the controller must be in STOP. Main Enable cannot be activated while the controller is operating (RUN state), but it can be deactivated. To allow a restart after the CPU initialization (e.g., after voltage drops), proceed as follows when unlocking the PES:

To unlock the controller
1. Set Main Enable to ON.
2. Set Start/Restart to ON.
3. Start the user program.
The controller is unlocked.
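The channel-to-variable rules of this chapter (error code evaluation, initial value on an invalid source), the 1oo2 redundancy with discrepancy monitoring that the I/O concept calls for, and the key-switch locking example above, modelled together in one added example that is not HIMA code or SILworX logic. The class and function names, the reading of error code 0 as fault-free, the discrepancy time and the cycle data are constructed assumptions; the initial-value ON variant of the lock is an extrapolation from the stated rule, not a procedure from this manual.

```python
"""Added example, not HIMA code: a model of the input-handling rules this
chapter states. A variable assigned to an I/O channel carries the channel
value while the channel's error code is 0 and adopts its configured initial
value otherwise, so the user program must evaluate the error code and react.
Class and function names, the meaning of error code 0, and the sample cycle
data are constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    """One physical input channel as delivered to the user program (constructed)."""
    value: bool       # channel value read by the I/O module
    error_code: int   # Error Code [Byte]; 0 is assumed to mean 'no fault'


def channel_variable(ch: Channel, initial_value: bool) -> bool:
    """Value of a global variable assigned to this channel: the channel value
    while the source is valid, the configured initial value otherwise."""
    return ch.value if ch.error_code == 0 else initial_value


@dataclass
class OneOutOfTwoInput:
    """1oo2 evaluation of two redundant de-energize-to-trip inputs (safe state
    FALSE) with discrepancy monitoring. The output is the permission to run:
    TRUE only while both channels are TRUE, fault-free and not discrepant."""
    discrepancy_time_ms: int
    discrepancy_timer_ms: int = 0
    discrepancy_fault: bool = False   # latched until acknowledge()

    def cycle(self, a: Channel, b: Channel, cycle_time_ms: int) -> bool:
        """Evaluate one program cycle; returns the run permission."""
        # Initial value FALSE: a faulty channel reads as the safe state.
        va = channel_variable(a, False)
        vb = channel_variable(b, False)
        if va != vb:
            # Channels disagree: tolerate it only for the discrepancy time.
            self.discrepancy_timer_ms += cycle_time_ms
            if self.discrepancy_timer_ms > self.discrepancy_time_ms:
                self.discrepancy_fault = True
        else:
            self.discrepancy_timer_ms = 0
        # Error codes are evaluated explicitly, not only through the
        # fallback value: a nonzero code withdraws the permission.
        channel_fault = a.error_code != 0 or b.error_code != 0
        return va and vb and not channel_fault and not self.discrepancy_fault

    def acknowledge(self) -> None:
        """Operator acknowledgement clears the latched discrepancy fault."""
        self.discrepancy_fault = False
        self.discrepancy_timer_ms = 0


@dataclass(frozen=True)
class LockState:
    """The three system variables of Table 30."""
    read_only_in_run: bool
    reload_deactivation: bool
    force_deactivation: bool


def lock_from_key_switch(key: Channel, initial_value: bool = False) -> LockState:
    """Lock state derived from the key-switch digital input of the procedure
    above. With the initial value OFF that the procedure prescribes, a fault
    of the input leaves the controller unlocked; an initial value of ON would
    instead keep it locked on an input fault (a consequence of the rule in
    channel_variable, and a variation beyond the manual's procedure)."""
    locked = channel_variable(key, initial_value)
    return LockState(locked, locked, locked)


def key_switch_fault_unlocks(initial_value: bool) -> bool:
    """True if a key-switch channel fault results in an unlocked controller."""
    faulty_key = Channel(value=True, error_code=1)   # constructed fault
    state = lock_from_key_switch(faulty_key, initial_value)
    return not (state.read_only_in_run and state.reload_deactivation
                and state.force_deactivation)
```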

Code Generation

After entering the complete user program and the I/O assignments of the controller, generate the code. The code generator creates the configuration CRC. This is a signature for the entire configuration of CPU, inputs, outputs and communication, and is issued as a 32-bit hexadecimal code. The signature includes all of the configurable or modifiable elements such as the logic, variable or switch parameter settings.

CPU OS V7 and higher

By compiling the user program twice and comparing the checksums of the generated code, the user can detect potential corruption of the user program resulting from sporadic faults in the hardware or operating system of the PC in use. Dual code generation with comparison of the checksums is an option that can be selected during code generation.

CPU OS up to V6.x

To ensure that the non-safe PC has no influence on the process, generate the code a second time. The two resulting configuration CRCs must be identical.

To generate the code for safety-related operation
1. Start the code generator to create the code with the configuration CRC.
   Result: executable code 1 with CRC 1.
2. Start the code generator once again to create the code with the configuration CRC.
   Result: executable code 2 with CRC 2.
3. Compare CRC 1 with CRC 2.
The two CRCs are identical. The generated code may be used for safety-related operation and for the system's certification performed by the test authority.

Loading and Starting the User Program

A PES in the HIMatrix system cannot be downloaded until it is set to the STOP state.

Table 31: Number of User Programs in a PES
Hardware | Number of user programs in each controller
Default  | 1
F*       |

The system monitors that the user program is loaded completely. Afterwards, the user program can be started, i.e., the routine begins to be processed in cycles.

i  HIMA recommends backing up project data, e.g., on a removable medium, after loading a user program into the controller. This ensures that the project data corresponding to the configuration loaded into the controller remains available even if the PADT fails. HIMA also recommends regular data backups independently of program loading.

Reload - with F*03

If user programs were modified, the changes can be transferred to the PES during operation. The firmware checks and activates the modified user program, which then assumes the control task.

i  Take the following point into account when reloading step chains:
The reload information for step sequences does not take the current sequence status into account. The step sequence can therefore be changed and set to an undefined state by performing a reload. The user is responsible for this action.
Examples:
- Deleting the active step. As a result, no step of the step chain has the active state.
- Renaming the initial step while another step is active. As a result, a step chain has two active steps!

i  Take the following point into account when reloading actions:
During the reload, actions are loaded with their corresponding data. All potential consequences must be carefully analyzed prior to performing a reload.
Examples:
- If a timer action qualifier is deleted due to the reload, the timer expires immediately. Depending on the remaining settings, the Q outputs can therefore be set to TRUE.
- If the status action qualifier (e.g., the S action qualifier) is deleted for a set element, the element remains set.
- Deleting a P0 action qualifier set to TRUE actuates the trigger.

Forcing

Forcing is the procedure by which a variable's current value is replaced with a force value. The variable receives its current value from a physical input, communication or a logic operation. If the variable is forced, its value no longer depends on the process, but is defined by the user.

WARNING
Use of forced values can disrupt the safety integrity!
Forced values may lead to incorrect output values.
Forcing prolongs the cycle time. This can cause the watchdog time to be exceeded.
Forcing is only permitted after receiving consent from the test authority responsible for the final system acceptance test.
When forcing values, the person in charge must take further technical and organizational measures to ensure that the process is sufficiently monitored in terms of safety. HIMA recommends setting a time limit for the forcing procedure.

Refer to the System Manual for compact systems (HI E) and for modular systems (HI E) for more details on forcing.

Changing the System Parameters during Operation - CPU OS V7 and Higher

Some system parameters or switches may be changed during operation (online). One application is temporarily increasing the watchdog time to be able to perform a reload.

Parameters that can be modified online:

Table 32: Online Changeable Parameters
Parameter                      | Hardware | Operating system version
System ID                      | All      | All
Safety Time                    | All      | All
Resource Watchdog Time         | All      | All
Target Cycle Time              | All      | CPU OS V8 and higher
Target Cycle Time Mode         | F*03     | CPU OS V8 and higher
Allow Online Settings          | All      | CPU OS V8 and higher
Main Enable                    | Default  | CPU OS prior to V8
Autostart                      | All      | All
Start Allowed                  | All      | All
Load Allowed                   | All      | All
Reload Allowed                 | F*03     | CPU OS V8 and higher
Global Forcing Allowed         | All      | All
Global Force Timeout Reaction  | All      | All

Prior to using an online command to set parameters, make sure that this change will not result in a safety-critical state. If required, organizational and/or technical measures must be taken to prevent an accident from occurring.

Allow Online Settings or Main Enable allows one to change the remaining parameters. Allow Online Settings or Main Enable can be set to TRUE in the STOP state.

The safety time and watchdog time values must be checked and compared to the safety time required by the application and to the actual cycle time. These values cannot be verified by the PES!

With F*03 devices or modules, system parameters may also be changed during operation by performing a reload.

Program Documentation for Safety-Related Applications

The programming tool allows the user to automatically print the documentation for a project. The most important documentation includes:
- Interface declaration
- Signal list
- Logic
- Description of data types
- Configurations for system, modules and system parameters
- Network configuration
- List of signal cross-references
- Code generator details

This documentation is required for the acceptance test of a system subject to approval by a test authority (e.g., TÜV). This acceptance test only applies to the user functionality, but not to the safety-related modules and automation devices of the HIMatrix system that have already been approved.

Multitasking - with F*03

Multitasking refers to the capability of the HIMatrix F*03 systems to process up to 32 user programs within the processor module. The individual user programs can be started, stopped, loaded (also by reload) and deleted independently of one another.

A user program cycle can take multiple processor cycles. This can be controlled with the resource and user program parameters. SILworX uses these parameters to calculate the user program watchdog time:

    Watchdog time user program = watchdog time processor module * maximum number of cycles

Usually, the individual user programs operate interference-free and independently of one another. However, reciprocal influence can be caused by:
- Use of the same global variables in several user programs.
- Unpredictably long runtimes in individual user programs if no limit is configured with Max Duration for Each Cycle.

The distribution of a user program cycle over processor module cycles strongly affects the user program response time and the response time of the variables written by the user program!

A user program may take up to the number of processor system cycles defined for it with the Program's Maximum Number of CPU Cycles system parameter to evaluate global variables written by another user program. In the worst case, the following sequence is possible:
- Program A writes global variables needed by program B.
- Program A ends its cycle in the same processor system cycle in which program B starts its cycle.
- Program B is only able to read the values written by program A when its next cycle starts.
- The duration of the cycle just started by program B can be up to Program's Maximum Number of CPU Cycles. Only at this point does program B adopt the values written by program A.
- It may take a further Program's Maximum Number of CPU Cycles cycles of the processor system until B reacts to these values!

NOTE
Reciprocal influence of user programs is possible!
The use of the same global variables in several user programs can lead to a variety of consequences caused by the reciprocal influence among the user programs.
Carefully plan the use of the same global variables in several user programs. Use the cross-references in SILworX to check the use of global data.
Global data may only be assigned values by one entity, either within a user program, from safety-related inputs or through safety-related communication protocols!
The user is responsible for excluding any potential operational interference due to the reciprocal influence of user programs!

Refer to the System Manual Compact Systems (HI E) or the System Manual Modular System F60 (HI E) for details about multitasking.
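The user program watchdog formula and the worst-case propagation sequence above, carried through in an added example that is not HIMA code. The cycle model it uses (a program reads global variables only at the start of one of its cycles, and its outputs become visible after that cycle ends), all function names and all sample values are assumptions made to reproduce the sequence in the text.

```python
"""Added example, not HIMA code: timing relations of F*03 multitasking as
stated above, carried through for constructed values. The propagation model
(when a program reads and publishes global variables) is an assumption made
to reproduce the worst-case sequence in the text; function names are mine.
"""


def user_program_watchdog_ms(processor_watchdog_ms: int, max_cycles: int) -> int:
    """Watchdog time user program = watchdog time processor module * maximum
    number of cycles (formula from the text)."""
    if max_cycles < 1:
        raise ValueError("maximum number of cycles must be at least 1")
    return processor_watchdog_ms * max_cycles


def propagation_cycles(write_cycle: int, b_first_start: int, b_cycle_len: int) -> int:
    """Processor system cycles from program A's write at the end of processor
    cycle `write_cycle` until program B's reaction to it is available.

    Assumed model: B reads global variables only when one of its cycles
    starts, each B cycle spans b_cycle_len processor cycles, and B's outputs
    become visible at the start of the processor cycle after the B cycle
    ends. A B cycle starting in the same processor cycle as A's write does
    not see the new value (the text's worst case)."""
    start = b_first_start
    while start <= write_cycle:          # first B cycle start after the write
        start += b_cycle_len
    available = start + b_cycle_len      # B's cycle ends; outputs visible next
    return available - write_cycle


def worst_case_propagation_cycles(b_max_cycles: int) -> int:
    """Worst case over all alignments of B's cycles relative to A's write, with
    B using its full Program's Maximum Number of CPU Cycles; this reproduces
    the text's bound of two B cycles, i.e. 2 * b_max_cycles processor cycles."""
    return max(propagation_cycles(w, 0, b_max_cycles) for w in range(b_max_cycles))


def worst_case_propagation_ms(processor_watchdog_ms: int, b_max_cycles: int) -> int:
    """Upper bound in ms: each processor cycle lasts at most the processor
    watchdog time."""
    return worst_case_propagation_cycles(b_max_cycles) * processor_watchdog_ms


if __name__ == "__main__":
    # Constructed values: 20 ms processor watchdog, program B allowed 4 cycles.
    print("user program watchdog:", user_program_watchdog_ms(20, 4), "ms")
    print("worst-case A->B propagation:", worst_case_propagation_cycles(4),
          "processor cycles, up to", worst_case_propagation_ms(20, 4), "ms")
```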

Acceptance by Test Authority

HIMA recommends involving the test authority as soon as possible when designing a system that is subject to approval. This acceptance test only applies to the user functionality, but not to the safety-related modules and devices of the HIMatrix system that have already been approved.

9 Configuring Communication

In addition to using the physical input and output variables, variables can also be exchanged with other systems through a data connection. In this case, the variables of the corresponding resource are declared in the Protocols Editor of the programming tool. This data exchange can occur in either read-only or read/write mode.

9.1 Standard Protocols

Many communication protocols only ensure a non-safety-related data transmission. These protocols can be used for the non-safety-related aspects of an automation task.

CAUTION
Physical injury due to usage of unsafe import data
Do not use data imported from unsafe sources for the user program's safety functions.

Depending on the controller variant, the following standard protocols are available:
- SNTP
- Send/Receive TCP
- Modbus (master/slave)
- PROFIBUS DP (master/slave)

All standard protocols are interference-free on the safe processor system.

9.2 Safety-Related Protocol (safeethernet)

For safety-related data exchange between components, safeethernet must be used. As a system component of the HIMatrix system, safeethernet is certified up to SIL 4.

Use the safeethernet Editor or P2P Editor to configure how safety-related communication is monitored. For determining the Receive Timeout and Response Time safeethernet parameters, the following condition applies: the communication time slice must be sufficiently high to allow all the safeethernet connections to be processed within one CPU cycle.

The Use Initial Data setting may only be used for safety-related functions implemented via safeethernet.

NOTE
Unintentional transition to the safe state possible!
ReceiveTMO is a safety-related parameter! If all values must be transferred, the value of a signal must either be present for longer than ReceiveTMO or it must be monitored using a loop back.

ReceiveTMO

ReceiveTMO is the monitoring time in milliseconds (ms) within which a correct response from the communication partner must be received. If a correct response is not received from the communication partner within ReceiveTMO, safety-related communication is terminated. The input variables of this safeethernet connection react in accordance with the preset parameter Freeze Data on Lost Connection [ms]. The Use Initial Data setting may only be used for safety-related functions implemented via safeethernet.

Since ReceiveTMO is a safety-relevant component of the Worst Case Reaction Time T_R (see Chapter et seqq.), its value must be determined as described below and entered in the safeethernet Editor.

    ReceiveTMO >= 4 * Delay + 5 * max. Cycle Time

Condition: The Communication Time Slice must be sufficiently high to allow all the safeethernet connections to be processed within one CPU cycle.
Delay:           Delay on the transmission path, e.g., due to a switch or satellite link.
Max. Cycle Time: Maximum cycle time of both controllers.

i  A desired fault tolerance of the communication can be achieved by increasing ReceiveTMO, provided that this is permissible in terms of time for the application process.

NOTE
The maximum value permitted for ReceiveTMO depends on the application process and is configured in the safeethernet Editor, along with the expected maximum response time and the profile.

Response Time

ResponseTime is the time in milliseconds (ms) that elapses until the sender of the message receives the acknowledgement from the recipient. When configuring using a safeethernet profile, a Response Time parameter must be set based on the physical conditions of the transmission path. The preset ResponseTime affects the configuration of all the safeethernet connection parameters and is calculated as follows:

    ResponseTime = ReceiveTMO / n,   n = 2, 3, 4, 5, 6, 7, 8 ...

The ratio between ReceiveTMO and ResponseTime influences the capability to tolerate faults, e.g., when packets are lost (resending lost data packets) or delays occur on the transmission path. In networks where packets can be lost, the following condition must be met:

    min. ResponseTime = ReceiveTMO / 2 >= 2 * Delay + 2.5 * max. Cycle Time

If this condition is met, the loss of at least one data packet can be intercepted without interrupting the peer-to-peer connection.

i  If this condition is not met, the availability of a safeethernet connection can only be ensured in a collision-free and fault-free network. However, this is not a safety problem for the processor module!

i  Make sure that the communication system complies with the configured response time! If this condition cannot always be ensured, a corresponding connection system variable for monitoring the response time is available. If on more than one occasion the measured response time exceeds the ReceiveTMO by more than a half, the configured response time must be increased. The receive timeout must be adjusted according to the new value configured for the response time.

NOTE
In the following examples, the formulas for calculating the worst case reaction time only apply to a connection between HIMatrix controllers if the parameter safety time = 2 * watchdog time has been set in the systems.

Maximum Cycle Time of the HIMatrix Controller

To determine the maximum cycle time for a HIMatrix controller, HIMA recommends proceeding as follows:

To determine the maximum cycle time for the HIMatrix controller
1. Operate the system under maximum load. In the process, all communication connections must be operating, both via safeethernet and via standard protocols. Read the cycle time in the Control Panel frequently and note the maximum cycle time.
2. Repeat step 1 for the next communication partner (i.e., the second HIMatrix controller).
3. The required maximum cycle time is the greater of the two time values ascertained.
The maximum cycle time has been determined and is used in the following calculations.

Calculating the Worst Case Reaction Time

The worst case reaction time T_R is the time between a change in the field component input signal (in) of controller 1 and a reaction in the corresponding output (out) of controller 2. It is calculated as follows:

[Figure 4: Reaction Time with Interconnection of Two HIMatrix Controllers: Input -> Controller 1 -> Safety-Related Protocol -> Controller 2 -> Output]

    T_R = t1 + t2 + t3

T_R   Worst case reaction time
t1    2 * watchdog time of controller 1
t2    ReceiveTMO
t3    2 * watchdog time of controller 2

The T_R time value is displayed in the Worst Case column of the peer-to-peer Editor. The maximum worst case reaction time depends on the process and must be agreed upon together with the responsible test authority.

Calculating the Worst Case Reaction Time with Two Remote I/Os

The worst case reaction time T_R is the time between a change in a field component input signal (in) of the first remote I/O module and the reaction on the corresponding output (out) of the second remote I/O module. It can be calculated as follows:

[Figure 5: Reaction Time with Remote I/Os: Input -> Remote I/O 1 -> Controller -> Remote I/O 2 -> Output]

    T_R = t1 + t2 + t3 + t4 + t5

T_R   Worst case reaction time
t1    2 * watchdog time of remote I/O 1
t2    ReceiveTMO 1
t3    2 * watchdog time of the controller
t4    ReceiveTMO 2
t5    2 * watchdog time of remote I/O 2

Note: The time values still apply if a HIMatrix controller is used instead of a remote I/O module.

Terms
ReceiveTMO      Monitoring time of controller 1 within which a correct response from controller 2 must be received. Once the time has expired, safety-related communication is terminated.
                Remote I/O 1 - controller:  ReceiveTMO 1
                Controller - remote I/O 2:  ReceiveTMO 2
Watchdog time   Maximum permissible duration of a PES RUN cycle (cycle time).
Worst case      The worst case reaction time is the time between a change in a physical input (in) signal of controller 1 and a reaction in the corresponding output (out) of controller 2. The data are transferred using a safety-related protocol.
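The safeethernet relations of this chapter (ReceiveTMO, ResponseTime, the packet-loss condition, and T_R for both topologies) carried through for sample values, as an added example that is not HIMA code and not the safeethernet Editor's own calculation. Function names, the sample values, and the simplification that both controllers share one watchdog time are assumptions.

```python
"""Added example, not HIMA code: the safeethernet timing relations of this
chapter (ReceiveTMO, ResponseTime, packet-loss condition and worst case
reaction time T_R) carried through for constructed sample values. Function
names are mine; the formulas are the ones stated in the text. All values in ms.
"""


def max_cycle_time_ms(observed_cycle_times_ms):
    """Greater of the maximum cycle times noted on the two partners
    (procedure 'To determine the maximum cycle time' above)."""
    return max(observed_cycle_times_ms)


def min_receive_tmo_ms(delay_ms: float, max_cycle_ms: float) -> float:
    """ReceiveTMO >= 4 * Delay + 5 * max. Cycle Time."""
    return 4 * delay_ms + 5 * max_cycle_ms


def response_time_ms(receive_tmo_ms: float, n: int) -> float:
    """ResponseTime = ReceiveTMO / n with n = 2, 3, 4, ..."""
    if n < 2:
        raise ValueError("n must be 2 or greater")
    return receive_tmo_ms / n


def tolerates_one_lost_packet(receive_tmo_ms, delay_ms, max_cycle_ms) -> bool:
    """ReceiveTMO / 2 >= 2 * Delay + 2.5 * max. Cycle Time: when met, the loss
    of at least one data packet does not interrupt the connection."""
    return receive_tmo_ms / 2 >= 2 * delay_ms + 2.5 * max_cycle_ms


def worst_case_reaction_two_controllers_ms(wd1_ms, receive_tmo_ms, wd2_ms):
    """Figure 4: T_R = t1 + t2 + t3 with t1 = 2 * WD(controller 1),
    t2 = ReceiveTMO, t3 = 2 * WD(controller 2)."""
    return 2 * wd1_ms + receive_tmo_ms + 2 * wd2_ms


def worst_case_reaction_remote_io_ms(wd_rio1, tmo1, wd_ctrl, tmo2, wd_rio2):
    """Figure 5: T_R = t1 + t2 + t3 + t4 + t5 over remote I/O 1, controller
    and remote I/O 2, with two ReceiveTMO values."""
    return 2 * wd_rio1 + tmo1 + 2 * wd_ctrl + tmo2 + 2 * wd_rio2


def check_connection(delay_ms, observed_cycle_times_ms, receive_tmo_ms, n,
                     safety_time_ms, watchdog_ms) -> dict:
    """Checks a practitioner runs before entering values in the safeethernet
    Editor. Assumes both controllers use the same watchdog time."""
    cyc = max_cycle_time_ms(observed_cycle_times_ms)
    findings = []
    if receive_tmo_ms < min_receive_tmo_ms(delay_ms, cyc):
        findings.append("ReceiveTMO below 4*Delay + 5*max. Cycle Time")
    if not tolerates_one_lost_packet(receive_tmo_ms, delay_ms, cyc):
        findings.append("ReceiveTMO/2 too small: one lost packet ends the connection")
    if safety_time_ms != 2 * watchdog_ms:
        findings.append("safety time != 2 * watchdog time: T_R formula does not apply")
    return {
        "max_cycle_ms": cyc,
        "response_time_ms": response_time_ms(receive_tmo_ms, n),
        "worst_case_reaction_ms": worst_case_reaction_two_controllers_ms(
            watchdog_ms, receive_tmo_ms, watchdog_ms),
        "findings": findings,
        "ok": not findings,
    }


if __name__ == "__main__":
    # Constructed values: 10 ms switch delay, observed cycle times 20/30 ms,
    # ReceiveTMO 200 ms with n = 2, watchdog 30 ms, safety time 60 ms.
    print(check_connection(10, [20, 30], 200, 2, 60, 30))
```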

Assigning safeethernet Addresses

Take the following points into account when assigning network addresses (IP addresses) for safeethernet:
- The addresses must be unique within the network used.
- When connecting safeethernet to another network (company-internal LAN, etc.), make sure that no disturbances can occur. Potential sources of disturbances include:
  - Data traffic.
  - Coupling with other networks (e.g., Internet).
  In these cases, implement suitable measures to counteract such disturbances using Ethernet switches, firewalls and similar.

i  The operator is responsible for ensuring that the Ethernet used for peer-to-peer communication is sufficiently protected against manipulation (e.g., by hackers). The type and extent of the measures must be agreed upon together with the responsible test authority.

Appendix

Glossary
Term              Description
ARP               Address resolution protocol: network protocol for assigning network addresses to hardware addresses
AI                Analog input
AO                Analog output
COM               Communication module
CRC               Cyclic redundancy check
DI                Digital input
DO                Digital output
ELOP II Factory   Programming tool for HIMatrix systems
EMC               Electromagnetic compatibility
EN                European norm
ESD               Electrostatic discharge
FB                Fieldbus
FBD               Function block diagrams
FTT               Fault tolerance time
ICMP              Internet control message protocol: network protocol for status or error messages
IEC               International electrotechnical commission
MAC address       Media access control address: hardware address of one network connection
PADT              Programming and debugging tool (in accordance with IEC ), PC with SILworX or ELOP II Factory
PE                Protective earth
PELV              Protective extra low voltage
PES               Programmable electronic system
R                 Read: the system variable or signal provides a value, e.g., to the user program
Rack ID           Base plate identification (number)
Interference-free Supposing that two input circuits are connected to the same source (e.g., a transmitter), an input circuit is termed interference-free if it does not distort the signals of the other input circuit.
R/W               Read/Write (column title for system variable/signal type)
SELV              Safety extra low voltage
SFF               Safe failure fraction: portion of faults that can be safely controlled
SIL               Safety integrity level (in accordance with IEC 61508)
SILworX           Programming tool for HIMatrix systems
SNTP              Simple network time protocol (RFC 1769)
SRS               System.rack.slot addressing of a module
SW                Software
TMO               Timeout
W                 Write: system variable/signal is provided with a value, e.g., from the user program
rPP               Peak-to-peak value of a total AC component
Watchdog (WD)     Time monitoring for modules or programs. If the watchdog time is exceeded, the module or program enters the ERROR STOP state.
WDT               Watchdog time

Index of Figures
Figure 1: Function Blocks of the F60 CPU
Figure 2: Line Control  31
Figure 3: Pulsed Signal T1, T2  31
Figure 4: Reaction Time with Interconnection of Two HIMatrix Controllers  66
Figure 5: Reaction Time with Remote I/Os  67

Index of Tables
Table 1: HIMatrix System Variants  8
Table 2: Standards for EMC, Climatic and Environmental Requirements  12
Table 3: General Requirements  12
Table 4: Climatic Requirements  12
Table 5: Mechanical Tests  13
Table 6: Interference Immunity Tests  13
Table 7: Noise Emission Tests  13
Table 8: Verification of the DC Supply Characteristics  14
Table 9: HIMatrix Variants Available for Railway Applications  15
Table 10: Climatic Requirements with HIMatrix Variants for Railway Applications  15
Table 11: Mechanical Requirements with HIMatrix Variants for Signaling  16
Table 12: EMC Requirements with HIMatrix Variants for Signaling  16
Table 13: EMC Requirements with HIMatrix Variants for Rolling Stocks  17
Table 14: Additional Valid Manuals  18
Table 15: Range of Values for the Safety Time  21
Table 16: Range of Values for the Watchdog Time  22
Table 17: Overview of the Inputs  28
Table 18: Value of Safety-Related Analog Inputs  32
Table 19: Analog Inputs of the F35 Controller  32
Table 20: Analog Inputs of the F3 AIO 8/4 01 Remote I/O  32
Table 21: Analog Inputs of the F60 Controller  33
Table 22: Configuration of Unused Inputs  33
Table 23: Error Codes with Counter Inputs  35
Table 24: Overview of the Outputs  37
Table 25: System Parameters of the Resource - CPU OS V7 and Higher  48
Table 26: Effect of Target Cycle Time Mode  49
Table 27: Hardware System Variables - CPU OS V7 and Higher  50
Table 28: Resource Parameter - CPU OS up to V6.x  51
Table 29: Length for the Name of the Variable  54
Table 30: System Variables for Locking and Unlocking the PES  56
Table 31: Number of User Programs in a PES  58
Table 32: Online Changeable Parameters  60

Index
de-energize to trip principle  11
energize to trip principle  11
fault reaction
  analog outputs  41, 42
  relay outputs  40
fault reactions
  2-pole digital outputs  40
  analog inputs  34
  counter inputs  35
  digital inputs  29
  digital outputs  38
fault tolerance time  21
functional test of the controller  44
Hardware Editor  50
Multitasking  61
HIMatrix operating requirements
  climatic
  EMC
  ESD protection
  mechanical
  power supply
safety time
test conditions
to lock the controller - CPU OS up to V6.x  57
to make a controller lockable - CPU OS V7 and higher
to unlock the controller - CPU OS up to V6.x
watchdog time user program


HIMax. Maintenance Manual MAINTENANCE d HIMax Maintenance Manual MAINTENANCE All HIMA products mentioned in this manual are protected by the HIMA trade-mark. Unless noted otherwise, this also applies to other manufacturers and their respective

More information

TU531, TU532 Terminal Unit

TU531, TU532 Terminal Unit Ordering Data DATA SHEET TU531, TU532 Terminal Unit 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 217 200 R0001 1SAP 217 000 R0001 1SAP 417 000 R0001 TU531, terminal unit, 230 VAC,

More information

TF501, TF521 Terminal Bases

TF501, TF521 Terminal Bases Ordering Data DATA SHEET TF501, TF521 Terminal Bases 1 Ordering Data Part No. Scope of delivery Product life cycle status 1SAP 117 000 R0271 1SAP 317 000 R0271 1SAP 117 200 R0271 1SAP 317 200 R0271 TF501-CMS,

More information

Part No. Description Product Life Cycle Phase *) unit, 24 VDC, spring terminals. unit, 24 VDC, spring terminals, XC version

Part No. Description Product Life Cycle Phase *) unit, 24 VDC, spring terminals. unit, 24 VDC, spring terminals, XC version Ordering Data DATA SHEET TU520 Terminal Unit 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 214 400 R0001 1SAP 414 400 R0001 TU520-ETH, PROFINET I/O terminal unit, 24 VDC, spring

More information

HIMatrix Safety-Related Controller F30 Manual

HIMatrix Safety-Related Controller F30 Manual HIMatrix Safety-Related Controller F30 Manual HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation Rev. 1.01 HI 800 145 E All HIMA products mentioned in this manual are protected by the HIMA trade-mark.

More information

Industrial-Automation System HIMatrix. Safety Manual

Industrial-Automation System HIMatrix. Safety Manual Industrial-Automation System HIMatrix Safety Manual HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation HI 800 023 IEA Important Notes All HIMA products mentioned in this manual are protected under

More information

AO523 Analog Input Module

AO523 Analog Input Module Ordering Data DATA SHEET AO523 Analog Input Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 250 200 R0001 1SAP 450 200 R0001 AO523, analog output module, 16 AO, U/I, 12 bits

More information

HIMatrix Safety-Related Controller F3 DIO 16/8 01 Manual

HIMatrix Safety-Related Controller F3 DIO 16/8 01 Manual HIMatrix Safety-Related Controller F3 DIO 16/8 01 Manual HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation Rev. 1.01 HI 800 177 E All HIMA products mentioned in this manual are protected by the

More information

HIMatrix Safety-Related Controller F3 AIO 8/4 01 Manual

HIMatrix Safety-Related Controller F3 AIO 8/4 01 Manual HIMatrix Safety-Related Controller F3 AIO 8/4 01 Manual HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation Rev. 2.00 HI 800 161 E All HIMA products mentioned in this manual are protected by the HIMA

More information

CM592 PROFIBUS Communication Module

CM592 PROFIBUS Communication Module Ordering Data DATA SHEET CM592 PROFIBUS Communication Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 173 200 R0001 1SAP 373 200 R0001 CM592-DP, communication module PROFIBUS

More information

CM597 Ethernet Communication Module

CM597 Ethernet Communication Module Ordering Data DATA SHEET CM597 Ethernet Communication Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 173 700 R0001 1SAP 373 700 R0001 CM597-ETH, communication module Ethernet

More information

AX521 Analog Input/Output Module

AX521 Analog Input/Output Module Ordering Data DATA SHEET AX521 Analog Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 250 100 R0001 1SAP 450 100 R0001 AX521, analog input/output module, 4 AI,

More information

AX522 Analog Input/Output Module

AX522 Analog Input/Output Module Ordering Data DATA SHEET AX522 Analog Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 250 000 R0001 1SAP 450 000 R0001 AX522, analog input/output module, 8 AI

More information

CD522 Encoder, Counter and PWM Module

CD522 Encoder, Counter and PWM Module Ordering Data DATA SHEET CD522 Encoder, Counter and PWM Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 260 300 R0001 1SAP 460 300 R0001 CD522, encoder & PWM module, 2 encoder

More information

CM589 PROFINET Communication Module

CM589 PROFINET Communication Module Ordering Data DATA SHEET CM589 PROFINET Communication Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 172 900 R0011 1SAP 372 900 R0011 1SAP 172 900 R0111 1SAP 372 900 R0111

More information

CM579-PNIO PROFINET Communication Module

CM579-PNIO PROFINET Communication Module Ordering Data DATA SHEET CM579-PNIO PROFINET Communication Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 170 901 R0101 1SAP 370 901 R0101 CM579-PNIO, PROFINET communication

More information

CI542 PROFIBUS Communication Interface Module

CI542 PROFIBUS Communication Interface Module Ordering Data DATA SHEET CI542 PROFIBUS Communication Interface Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 224 200 R0001 1SAP 424 200 R0001 CI542-DP, PROFIBUS DP bus module,

More information

CM589 PROFINET Communication Module

CM589 PROFINET Communication Module Ordering Data DATA SHEET CM589 PROFINET Communication Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 172 900 R0011 1SAP 372 900 R0011 1SAP 172 900 R0111 1SAP 372 900 R0111

More information

DC541 Digital Input/Output Module

DC541 Digital Input/Output Module Ordering Data DATA SHEET DC541 Digital Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 270 000 R0001 1SAP 470 000 R0001 DC541-CM, digital input/output module,

More information

AI531 Analog Input Module

AI531 Analog Input Module Ordering Data DATA SHEET AI531 Analog Input Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 250 600 R0001 AI531, analog input module, 8 AI, U/I/Pt100, TC, 15 bits + sign, 4-wires

More information

Redundancy unit CP-A RU

Redundancy unit CP-A RU 2CDC 271 010 F0t06 Features Decoupling of CP power supply units with 2 inputs, each up to 20 A per input / channel Output up to 40 A True redundancy by 100 % decoupling of two parallel connected power

More information

DC522 Digital Input/Output Module

DC522 Digital Input/Output Module Ordering Data DATA SHEET DC522 Digital Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 240 600 R0001 1SAP 440 600 R0001 DC522, digital input/output module, 16

More information

AI561 Analog Input Module

AI561 Analog Input Module Ordering Data DATA SHEET AI561 Analog Input Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1TNE 968 902 R1101 AI561, analog input module, 4 AI, U/I 1TNE 968 901 R3101 1TNE 968

More information

MINI-PS AC/10-15DC/8

MINI-PS AC/10-15DC/8 Primary-Switched Power Supply, Narrow Design Data Sheet 08/2004 MINI POWER provides: An extra narrow design, with widths of 22.5 mm, 45 mm, and 67.5 mm (0.886, 1.772, and 2.657 in.) Global use due to a

More information

DC561, digital input/output module,

DC561, digital input/output module, Ordering Data DATA SHEET DC561 Digital Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1TNE 968 902 R2001 DC561, digital input/output module, 16 configurable inputs/outputs,

More information

CI504 PROFINET Communication Interface Module

CI504 PROFINET Communication Interface Module Ordering Data DATA SHEET CI504 PROFINET Communication Interface Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 221 300 R0001 1SAP 421 300 R0001 CI504-PNIO, PROFINET Bus Module

More information

DI561 Digital Input Module

DI561 Digital Input Module Ordering Data DATA SHEET DI561 Digital Input Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1TNE 968 902 R2101 1TNE 968 901 R3101 1TNE 968 901 R3103 1TNE 968 901 R3105 DI561, digital

More information

HIMatrix Safety-Related Controller F35 03 Manual

HIMatrix Safety-Related Controller F35 03 Manual HIMatrix Safety-Related Controller F35 03 Manual HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation Rev. 1.00 HI 800 477 E All HIMA products mentioned in this manual are protected by the HIMA trade-mark.

More information

CI541 PROFIBUS Communication Interface Module

CI541 PROFIBUS Communication Interface Module Ordering Data DATA SHEET CI541 PROFIBUS Communication Interface Module 1 Ordering Data Ordering No. Scope of delivery Product Life Cycle Phase *) 1SAP 224 100 R0001 1SAP 424 100 R0001 CI541-DP, PROFIBUS

More information

DI572 Digital Input Module

DI572 Digital Input Module Ordering Data DATA SHEET DI572 Digital Input Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 230 500 R0000 1TNE 968 901 R3101 1TNE 968 901 R3102 1TNE 968 901 R3103 1TNE 968

More information

DX561 Digital Input/Output Module

DX561 Digital Input/Output Module Ordering Data DATA SHEET DX561 Digital Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1TNE 968 902 R2301 1TNE 968 901 R3101 DX561, digital input/output module, 8 DI

More information

DC562, digital input/output module,

DC562, digital input/output module, Ordering Data DATA SHEET DC562 Digital Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 231 900 R0000 1TNE 968 901 R3101 1TNE 968 901 R3102 1TNE 968 901 R3103 1TNE

More information

DC532-XC, digital input/output module,

DC532-XC, digital input/output module, Ordering Data DATA SHEET DC532 Digital Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 240 100 R0001 1SAP 440 100 R0001 DC532, digital input/output module, 16

More information

CI521 Modbus Communication Interface Module

CI521 Modbus Communication Interface Module Ordering Data DATA SHEET CI521 Modbus Communication Interface Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 222 100 R0001 1SAP 422 100 R0001 CI521-MODTCP, Modbus TCP bus

More information

Programmable Systems The H41q and H51q System Families

Programmable Systems The H41q and H51q System Families Programmable Systems The H41q and H51q System Families Catalog HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation HI 800 263 DEA Caution The safety-related H41q/H51q systems as described in this

More information

FL MC 2000E (SM40) LC

FL MC 2000E (SM40) LC IEC 61850 fiber optic converter with LC fiber optic connection (1310 nm) to convert 100Base-Tx to single- or multi-mode fiber glass Data sheet 3205_en_C 1 Description PHOENIX CONTACT 2014-04-04 2 Features

More information

restart: hima/factory_automation/presses HIMA The development of press automation is complete.

restart: hima/factory_automation/presses HIMA The development of press automation is complete. The development of press automation is complete. Paul Hildebrandt GmbH + Co KG P.O. Box 1261 68777 Brühl Germany Telephone: (+49 62 02) 7 09-0 Telefax: (+49 62 02) 7 09-1 07 E-mail: info@hima.com Internet:

More information

AO561 Analog Output Module

AO561 Analog Output Module Ordering Data DATA SHEET AO561 Analog Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1TNE 968 902 R1201 AO561, analog output module, 2 AO, U/I 1TNE 968 901 R3102 Terminal

More information

HIMax. Manual X-CPU 01

HIMax. Manual X-CPU 01 HIMax Manual X-CPU 01 All HIMA products mentioned in this manual are protected by the HIMA trade-mark. Unless noted otherwise, this also applies to other manufacturers and their respective products referred

More information

CompactBlock Guard I/O EtherNet/IP Safety Modules

CompactBlock Guard I/O EtherNet/IP Safety Modules Installation Instructions CompactBlock Guard I/O EtherNet/IP Safety Modules Catalog Numbers 1791ES-IB8XOBV4, 1791ES-IB16 Topic Page Important User Information 2 North American Hazardous Location Approval

More information

Industrial-Automation System HIMatrix F60. Modular System F60. System Manual

Industrial-Automation System HIMatrix F60. Modular System F60. System Manual Industrial-Automation System HIMatrix F60 Modular System F60 System Manual HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation HI 800 191 FEA Important Notes All HIMA products mentioned in this manual

More information

Power Supply, Primary Switch Mode, Narrow Design MINI-PS AC/24DC/1

Power Supply, Primary Switch Mode, Narrow Design MINI-PS AC/24DC/1 Power Supply, Primary Switch Mode, arrow Design -PS-100-240AC/24/1 POWER provides: Extra narrow widths of 22.5, 45, and 67.5 mm (0.886, 1.772, and 2.657 in.) Global use due to a wide range input A high

More information

TRIO-DIODE/12-24DC/2X10/1X20

TRIO-DIODE/12-24DC/2X10/1X20 Redundancy module INTERFACE Data sheet 104278_en_00 1 Description PHOENIX CONTACT 20100423 Features TRIO DIODE is the DINrail mountable redundancy module from the TRIO POWER product range. Using the redundancy

More information

RTU500 series Data Sheet Power Supply CP-E 24/2.5

RTU500 series Data Sheet Power Supply CP-E 24/2.5 Data Sheet Power Supply CP-E 24/2.5 Power Supply CP-E 24/2.5 Application The primary switch mode power supply offers two voltage input ranges. This enables the supply with AC or DC. Furthermore it is equipped

More information

QUINT-BUFFER/24DC/24DC/40

QUINT-BUFFER/24DC/24DC/40 Buffer module Data sheet 105496_en_01 PHOENIX CONTACT 2013-11-01 1 Description The QUINT BUFFER buffer module combines the electronic switchover unit and power storage in the same housing. The buffer module

More information

PHOENIX CONTACT - 08/2009. Features. DANGER OF EXPLOSION! Only remove equipment when it is disconnected and not in the potentially explosive area.

PHOENIX CONTACT - 08/2009. Features. DANGER OF EXPLOSION! Only remove equipment when it is disconnected and not in the potentially explosive area. Primary-switched power supply for building automation INTERFACE Data sheet 103505_en_02 1 Description PHOENIX CONTACT - 08/2009 Features STEP POWER power supply units for building automation The new STEP

More information

PHOENIX CONTACT - 07/2006

PHOENIX CONTACT - 07/2006 Buffer module with maintenance-free capacitor-based power storage device INTERFACE Data sheet 102035_03_en PHOENIX CONTACT - 07/2006 Description Short-term mains interruptions are bridged by QUINT BUFFER,

More information

HIMax Digital Output Module Manual X-DO 32 51

HIMax Digital Output Module Manual X-DO 32 51 HIMax Digital Output Module Manual X-DO 32 51 All HIMA products mentioned in this manual are protected by the HIMA trade-mark. Unless noted otherwise, this also applies to other manufacturers and their

More information

Operating instructions. Standstill monitor A / / 2011

Operating instructions. Standstill monitor A / / 2011 Operating instructions Standstill monitor A300 UK 1 2 3 4 5 6 7 8 7390337 / 01 02 / 2011 1 2 3 4 5 6 7 8 switchpoint min max pulse/min power Made in Germany ifm electronic gmbh D 45127 Essen func. I II

More information

XPSMF40. Main. Safety module name. Monitoring safety detection discrete input Monitoring safety dialogue discrete output

XPSMF40. Main. Safety module name. Monitoring safety detection discrete input Monitoring safety dialogue discrete output Product datasheet Characteristics XPSMF4000 Preventa safety PLC compact - Safe Ethernet Main Range of product Product or component type Safety module name Safety module application Preventa Safety automation

More information

Type VRLTC tap changer

Type VRLTC tap changer Report No. 1ZUA938502-AGC 2, Rev 0 Date: 6 November 2012 Type VRLTC tap changer Ruggedized electronics systems specification & type test data Product Style No Rating By Type VRLTC, on-tank, vacuum reactance

More information

DA502 Digital/Analog Input/Output Module

DA502 Digital/Analog Input/Output Module Ordering Data DATA SHEET DA502 Digital/Analog Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 250 800 R0001 1SAP 450 800 R0001 DA502, digital/analog input/ output

More information

Power Supply, Primary Switch Mode for Universal Use QUINT-PS AC/48DC/5

Power Supply, Primary Switch Mode for Universal Use QUINT-PS AC/48DC/5 Power Supply, Primary Switch Mode for Universal Use -PS-100-240AC/48/5 POWER provides: Preventive function monitoring through professional signaling Global use due to a wide range input A high level of

More information

Operating instructions. Switching amplifier DN0210 DN / / 2015

Operating instructions. Switching amplifier DN0210 DN / / 2015 Operating instructions Switching amplifier DN0210 DN0220 UK 80011079 / 00 01 / 2015 Contents 1 Preliminary note...4 1.1 Symbols used...4 1.2 Warning signs used...4 2 Safety instructions...5 2.1 General...5

More information

Safety Standards. Model Number: Unit Weight:

Safety Standards. Model Number: Unit Weight: MEA-250A24C Highlights & Features Meet Efficiency Level VI Safety Approvals to IEC 60601-1 3.1 Ed. & IEC 60950-1 Compliant with IEC 60601-1-2 3 th and 4 th Ed. Requirements IP22 ingress protection rating

More information

STEP-PS/1AC/24DC/1.75

STEP-PS/1AC/24DC/1.75 Primary-switched power supply, 1 AC, output current 1.75 A INTERFACE Data Sheet 103506_en_00 1 Description PHOENIX CONTACT - 05/2008 Features STEP POWER power supply units for building automation The new

More information

Operating instructions Safe AS-i input module ASIM-C-M About this document. Content

Operating instructions Safe AS-i input module ASIM-C-M About this document. Content 7 Set-up and maintenance 7.1 Functional testing....10 7.2 Maintenance...10 EN Operating instructions.............pages 1 to 6 Original 8 Disassembly and disposal 8.1 Disassembly....10 8.2 Disposal...10

More information

Relion 611 series. 611 series Type Test Certificate

Relion 611 series. 611 series Type Test Certificate Relion 611 series 611 series Document ID: 1MRS757466 Issued: 2016-02-22 Revision: B Product version: 2.0 Copyright 2016 ABB. All rights reserved Table of contents Table of contents Section 1 Section

More information

DA502 Digital/Analog Input/Output Module

DA502 Digital/Analog Input/Output Module Ordering Data DATA SHEET DA502 Digital/Analog Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 250 800 R0001 1SAP 450 800 R0001 DA502, digital/analog input/output

More information

Safety Standards. Model Number:

Safety Standards. Model Number: 065APS12 B Highlights & Features Safety Approvals to IEC 60601-1 3.1rd ed. & IEC 60950-1 Compliant with IEC 60601-1-2 4th Ed. Requirements Low touch current (

More information

ILBPB24DO32. Inline Block IO Module for PROFIBUS With 32 Digital Outputs. AUTOMATIONWORX Data Sheet 6889_en_04. Description

ILBPB24DO32. Inline Block IO Module for PROFIBUS With 32 Digital Outputs. AUTOMATIONWORX Data Sheet 6889_en_04. Description Inline Block IO Module for PROFIBUS With 32 Digital Outputs AUTOMATIONWORX Data Sheet 6889_en_04 Description PHOENIX CONTACT - 03/2007 & & ' ) The ILB PB 24 DO32 module is designed for use within a PROFIBUS

More information

040APS12 B MDS. MDS Medical AC-DC Open Frame 12Volt, 40Watt / MDS-040APS12 B ``` Highlights & Features. Safety Standards.

040APS12 B MDS. MDS Medical AC-DC Open Frame 12Volt, 40Watt / MDS-040APS12 B ``` Highlights & Features. Safety Standards. 040APS12 B Highlights & Features Safety Approvals to IEC 60601-1 3rd ed. & IEC 60950-1 Risk management report available Low touch current (

More information

Operating instructions. Speed monitor D / / 2014

Operating instructions. Speed monitor D / / 2014 Operating instructions Speed monitor D200 80005257 / 00 05 / 2014 Contents 1 Preliminary note...4 1.1 Symbols used...4 1.2 Warning signs used...4 2 Safety instructions...5 2.1 General...5 2.2 Target group...5

More information

Safety Standards. Model Number:

Safety Standards. Model Number: 150AAS12 F/B Highlights & Features Meet DOE Level VI and ErP Lot 7 Safety Approvals to IEC 60601-1 3.1rd ed. & IEC 60950-1 Compliant with IEC 60601-1-2 4th Ed. Requirements Low touch current (

More information

400AUS24 B MDS AUS. MDS Medical AC-DC Open Frame 24Volt, 400Watt / MDS-400AUS24 B. General Description. Model Information. Model Numbering ```

400AUS24 B MDS AUS. MDS Medical AC-DC Open Frame 24Volt, 400Watt / MDS-400AUS24 B. General Description. Model Information. Model Numbering ``` 400AUS24 B Highlights & Features Safety Approvals to IEC 60601-1 3.1rd ed. & IEC 60950-1 Compliant with IEC 60601-1-2 4th Ed. Requirements Low touch current (

More information

Industrial-Automation System HIMatrix. Engineering Manual

Industrial-Automation System HIMatrix. Engineering Manual Industrial-Automation System HIMatrix Engineering Manual HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation HI 800 101 JEA Important Notes All HIMA products mentioned in this manual are protected

More information

INSTRUCTION MANUAL TRIP CIRCUIT SUPERVISION RELAY GKAD1

INSTRUCTION MANUAL TRIP CIRCUIT SUPERVISION RELAY GKAD1 INSTRUCTION MANUAL TRIP CIRCUIT SUPERVISION RELAY GKAD1 TOSHIBA Corporation 2004 All Rights Reserved. ( Ver. 1.6 ) Safety Precautions Before using this product, please read this chapter carefully. This

More information

Safety Standards. Model Number:

Safety Standards. Model Number: 060AAS19 B Highlights & Features Meet Efficiency Level VI Safety Approvals to IEC 60601-1 3.1rd ed. & IEC 60950-1 Compliant with IEC 60601-1-2 4th Ed. Requirements Low touch current (

More information

Safety Standards. Model Number:

Safety Standards. Model Number: 040APS Highlights & Features Compliant to IEC 60601-1 3rd edition IT and medical safety approvals Low earth leakage Current (

More information

General information. Display. Supply voltage

General information. Display. Supply voltage Data sheet SIMATIC S7-1200, CPU 1212C, COMPACT CPU, DC/DC/RLY, ONBOARD I/O: 8 DI 24V DC; 6 DO RELAY 2A; 2 AI 0-10V DC, POWER SUPPLY: DC 20.4-28.8 V DC, PROGRAM/DATA MEMORY: 75 KB General information Product

More information

PM572, PM573, PM582, PM583, PM585, PM590, PM591, PM592

PM572, PM573, PM582, PM583, PM585, PM590, PM591, PM592 Ordering Data DATA SHEET PM572, PM573, PM582, PM583, PM585, PM590, PM591, PM592 Processor Module 1 Ordering Data Processor Modules for AC500 (Standard) V2 Products Part No. Description Product Life Cycle

More information

General information. Display. Supply voltage

General information. Display. Supply voltage Data sheet SIMATIC S7-1200, CPU 1211C, COMPACT CPU, DC/DC/RELAY, ONBOARD I/O: 6 DI 24V DC; 4 DO RELAY 2A; 2 AI 0-10V DC, POWER SUPPLY: DC 20.4-28.8 V DC, PROGRAM/DATA MEMORY: 50 KB General information

More information

Safety Standards. Model Number:

Safety Standards. Model Number: 040APS15 B Highlights & Features Safety Approvals to IEC 60601-1 3.1rd ed. & IEC 60950-1 Compliant with IEC 60601-1-2 4th Ed. Requirements Low touch current (

More information

Description. SIMATIC Sensors. RF systems Wide-range power supply unit for SIMATIC RF systems. Operating Instructions 11/2007 J31069-D0169-U001-A4-7618

Description. SIMATIC Sensors. RF systems Wide-range power supply unit for SIMATIC RF systems. Operating Instructions 11/2007 J31069-D0169-U001-A4-7618 1 SIMATIC Sensors RF systems Wide-range power supply unit for SIMATIC RF systems Operating Instructions 11/2007 J31069-D0169-U001-A4-7618 Safety Guidelines This manual contains notices you have to observe

More information

XPSMF35. Product data sheet Characteristics. Preventa safety PLC compact - Profibus DP protocol. Main. Complementary. Safety module name

XPSMF35. Product data sheet Characteristics. Preventa safety PLC compact - Profibus DP protocol. Main. Complementary. Safety module name Product data sheet Characteristics XPSMF3542 Preventa safety PLC compact - Profibus DP protocol Main Range of product Product or component type Safety module name Safety module application Nov 13, 2018

More information

100BPS15 B. MDS Medical AC-DC Open Frame 15Volt, 100Watt / MDS-100BPS15 B ``` Highlights & Features. Safety Standards.

100BPS15 B. MDS Medical AC-DC Open Frame 15Volt, 100Watt / MDS-100BPS15 B ``` Highlights & Features. Safety Standards. TECHNICAL DATASHEET 100BPS15 B Highlights & Features rd rd Safety Approvals to IEC60601-1 3 & 3.1 and IEC60950-1 Compact size 2 x4 Class B EMI and 4th Edition Immunity Compliant Low touch current (

More information

PHOENIX CONTACT - 01/2010. Features. DANGER OF EXPLOSION! Only remove equipment when it is disconnected and not in the potentially explosive area.

PHOENIX CONTACT - 01/2010. Features. DANGER OF EXPLOSION! Only remove equipment when it is disconnected and not in the potentially explosive area. Uninterruptible power supply with integrated power supply unit INTERFACE Data sheet 104211_en_00 1 Description PHOENIX CONTACT - 01/2010 Features The MINI-DC-UPS provide an uninterruptible DC voltage both

More information

HIMax Digital Input Module Manual X-DI 32 01

HIMax Digital Input Module Manual X-DI 32 01 HIMax Digital Input Module Manual X-DI 32 01 All HIMA products mentioned in this manual are protected by the HIMA trade-mark. Unless noted otherwise, this also applies to other manufacturers and their

More information

Power supply CP-D 12/2.1 Primary switch mode power supply

Power supply CP-D 12/2.1 Primary switch mode power supply Data sheet Power supply CP-D 12/2.1 Primary switch mode power supply The CP-D range of modular power supply units in MDRC design (modular DIN rail components) is ideally suited for installation in distribution

More information

Monitoring technique. VARIMETER Voltage relay MK 9064N, MH 9064

Monitoring technique. VARIMETER Voltage relay MK 9064N, MH 9064 Monitoring technique VARIMETER Voltage relay MK 9064N, MH 9064 0269462 Your Advantages Preventive maintenance For better productivity Quicker fault locating Precise and reliable Min-, Max. value or window

More information

Safety Standards. Model Number:

Safety Standards. Model Number: 060AAS15 B Highlights & Features Meet Efficiency Level VI Safety Approvals to IEC 60601-1 3.1rd ed. & IEC 60950-1 Compliant with IEC 60601-1-2 4th Ed. Requirements Low touch current (

More information

Safety Standards. Model Number:

Safety Standards. Model Number: 090AAS15 F/B Highlights & Features Meet Efficiency Level VI Safety Approvals to IEC 60601-1 3.1rd ed. & IEC 60950-1 Compliant with IEC 60601-1-2 4th Ed. Requirements Low touch current (

More information

TM221CE40R controller M IO relay Ethernet

TM221CE40R controller M IO relay Ethernet Characteristics controller M221 40 IO relay Ethernet Main Range of product Product or component type [Us] rated supply voltage Jan 6, 2019 Modicon M221 Logic controller 100...240 V AC Discrete input number

More information

TM221ME32TK controller M IO transistor PNP Ethernet

TM221ME32TK controller M IO transistor PNP Ethernet Product data sheet Characteristics TM221ME32TK controller M221 32 IO transistor PNP Ethernet Complementary Main Discrete I/O number 32 Number of I/O expansion module Supply voltage limits Inrush current

More information

PHOENIX CONTACT - 06/2007. DANGER OF EXPLOSION! Remove an item only when it is not connected to power or if it is located in the non-explosive area.

PHOENIX CONTACT - 06/2007. DANGER OF EXPLOSION! Remove an item only when it is not connected to power or if it is located in the non-explosive area. Primary switched power supply, 3-phase, output current: 40 A INTERFACE Data Sheet 102782_01_en PHOENIX CONTACT - 06/2007 Description TRIO POWER is the rail mountable 24 V power supply unit with basic functions.

More information

ILBIB24DO16-DSUB. Inline Block IO Module for INTERBUS With 16 Digital Outputs; Bus Connection via D-SUB Connectors

ILBIB24DO16-DSUB. Inline Block IO Module for INTERBUS With 16 Digital Outputs; Bus Connection via D-SUB Connectors Inline Block IO Module for INTERBUS With 16 Digital Outputs; Bus Connection via D-SUB Connectors AUTOMATIONWORX Data Sheet 7119_en_02 PHOENIX CONTACT - 03/2007 Description The ILB IB 24 DO16-DSUB module

More information

NI REM Remote I/O Overview DATASHEET. Digital Output Module for Remote I/O

NI REM Remote I/O Overview DATASHEET. Digital Output Module for Remote I/O DATASHEET NI REM-11178 Digital Output Module for Remote I/O Short circuit and overload protection Drives up to 500 ma per channel (up to 8A per module) Spring-terminal connectors allow fast wiring without

More information