SAFETY. HIMax Safety Manual


All HIMA products mentioned in this manual are protected by the HIMA trademark. Unless otherwise noted, this also applies to other manufacturers and their respective products referred to herein. HIMax, HIMatrix, SILworX, XMR, HICore and FlexSILon are registered trademarks of HIMA Paul Hildebrandt GmbH.

All technical specifications and notes in this manual have been written with great care and effective quality assurance measures have been implemented to ensure their validity. For questions, please contact HIMA directly. HIMA appreciates any suggestion on which information should be included in the manual.

Equipment subject to change without notice. HIMA also reserves the right to modify the written material without prior notice. For further information, refer to the HIMA DVD and our website.

Copyright 2016, HIMA Paul Hildebrandt GmbH. All rights reserved.

Contact
HIMA contact details:
HIMA Paul Hildebrandt GmbH
P.O. Box
Brühl, Germany
Phone:
Fax:

Revision index:
- 7.00: Revised: HIMax V7/SILworX V7, cyber security, standards, forcing of data sources, watchdog time, response time. Deleted: Protection against manipulation.
- 7.01: New: Gas detectors. Changed: Test conditions.
- 8.00: New: Zone 2, HIPRO-S V2. Changed: Redundancy, fire alarm systems.
- 8.01: Changed: Gas detectors (Chapter 14).

HI E Rev (1620)

Table of Contents

1 Safety Manual
- Validity and Current Version
- Objectives of the Manual
- Target Audience
- Writing Conventions
- Safety Notices
- Operating Tips

2 Usage Notes for HIMax Systems
- Intended Use
- Scope
- Environmental Conditions
- Tasks of Operators and Machine and System Manufacturers
- Connection of Communication Partners
- Use of Safety-Related Communication
- ESD Protective Measures
- Additional System Documentation

3 Safety Concept for Using the PES
- Safety and availability
- Calculating the PFD, PFH and SFF Values
- Self-Test and Fault Diagnosis
- PADT
- Redundancy
- Structuring Safety Systems in Accordance with the Energize-to-Trip Principle
- Time Parameters Important for Safety
- Process Safety Time
- Resource Watchdog Time
- Watchdog Time of the User Program
- Safety Time of the Resource
- User Program Safety Time
- Response Time
- Proof Test (in Accordance with IEC 61508)
- Proof Test Execution
- Frequency of Proof Tests
- Safety requirements
- Hardware Configuration
- Programming
- Communication
- Maintenance Work
- Cyber Security for HIMax Systems
- Certification
- Test Conditions

4 Processor Module
- Self-Tests
- Reactions to Faults in the Processor Module
- 4.3 Replacing Processor Modules
- Processor Module X-CPU
- Processor module X-CPU

5 System Bus Module
- Rack ID
- Responsibility

6 Communication Module

7 Input Modules
- General
- Safety of Sensors, Encoders and Transmitters
- Reaction in the Event of a Fault
- Safety-Related Digital Inputs
- Test Routines
- Redundancy of Inputs
- Surges on Digital Inputs
- Safety-Related Analog Inputs and Proximity Switch Inputs
- Test Routines
- Redundancy of Analog Inputs
- State of LL, L, N, H, HH in X-AI and X-AI
- Safety-Related Counter Inputs
- Test Routines
- Important Information in Connection with the X-CI Counter Module
- Redundancy of Counter Inputs
- Checklists for Inputs

8 Output Modules
- General
- Safety of Actuators
- Reaction in the Event of a Fault
- Safety-Related Digital Outputs
- Test Routines for Digital Outputs
- Output Noise Blanking
- Behavior in the Event of External Short-Circuit or Overload
- Redundancy of Digital Outputs
- Safety-Related Relay Outputs
- Test Routines for Relay Outputs
- Redundancy of Relay Outputs
- Safety-Related Analog Outputs
- Test Routines for Analog Outputs
- Output Noise Blanking
- Behavior in the Event of External Open-Circuit
- Important Information in Connection with the Analog X-AO Output Module
- Redundancy of Analog Outputs
- Checklists for Outputs

9 Special I/O Modules
- 9.1 HART Module: X-HART
- Safety Function
- The HIMax Overspeed Trip Module X-MIO 7/
- Safety Function
- Redundancy

10 Software
- Safety-Related Aspects of the Operating System
- Safety-Related Aspects of Programming
- Safety Concept of SILworX
- Verifying the Configuration and the User Program
- Resource Parameters
- System Parameters of the Resource
- Forcing
- Forcing of Data Sources
- Safe Version Comparison

11 User Program
- General Sequence
- Scope for Safety-Related Use
- Programming Basics
- Functions of the User Program
- System Parameters of the User Program
- Code Generation
- Loading and Starting the User Program
- Reload
- Online Test
- Test Mode
- Changing the System Parameters during Operation
- Project Documentation for Safety-Related Applications
- Multitasking
- Factory Acceptance Test and Test Authority
- Checklist for Creating a User Program

12 Communication
- Configuration
- Standard Protocols
- Safety-Related Protocol: safeethernet
- Worst Case Reaction Time for safeethernet
- Calculating the Worst Case Reaction Time of 2 HIMax Controllers
- Calculating the Worst Case Reaction Time with 1 HIMatrix Controller
- Calculating the Worst Case Reaction Time with 2 HIMatrix Controllers or Remote I/Os
- Calculating the Worst Case Reaction Time with 2 HIMax and 1 HIMatrix Controller
- The HIPRO-S V2 Safety-Related Protocol
- Safety-Related Protocol: PROFIsafe

13 Use in Fire Alarm Systems

14 ATEX-Conform Use as Safety, Controlling and Regulating Device

15 Use of HIMax Devices in Zone 2

Appendix
- Glossary
- Index of Figures
- Index of Tables
- Index

1 Safety Manual

This manual contains information on how to operate the HIMax safety-related automation device in the intended manner. The following conditions must be met to safely install and start up the HIMax automation systems, and to ensure safety during their operation and maintenance:
- Knowledge of regulations.
- Proper technical implementation of the safety instructions detailed in this manual, performed by qualified personnel.

HIMA will not be held liable for severe personal injuries, damage to property or the environment caused by any of the following:
- Unqualified personnel working on or with the devices.
- De-activation or bypassing of safety functions.
- Failure to comply with the instructions detailed in this manual.

HIMA develops, manufactures and tests the HIMax automation systems in compliance with the pertinent safety standards and regulations. The use of the devices is only allowed if the following conditions are met:
- They are only used for the intended applications.
- They are only operated under the specified environmental conditions.
- They are only operated in connection with the approved external devices.

To provide a clearer exposition, this manual does not specify all details of all versions of the HIMax automation devices. Refer to the corresponding manuals for further details.

This safety manual represents the "Original instructions" as defined in the Machinery Directive (Directive 2006/42/EC). The "Original documentation" for the HIMA system is written in German. The statements made in the German documentation shall apply.

1.1 Validity and Current Version

This safety manual is to be preferred when the following products are used: HIMax operating system V8 and higher, and SILworX V8 and higher.

The most current version of this safety manual, which is indicated by the highest revision number, is applicable and valid. The current version is available on the current HIMA DVD or can be downloaded from the HIMA website at
For details on how to use previous HIMax and SILworX versions, refer to the corresponding previous versions of this manual.

1.2 Objectives of the Manual

This manual contains information on how to operate the HIMax safety-related automation device in the intended manner. It provides an introduction to the safety concept of the HIMax system and should increase the reader's safety awareness. The safety manual is based on the contents of the certificate and of the test report for the certificate.

1.3 Target Audience

This manual addresses system planners, configuration engineers, programmers of automation devices and personnel authorized to start up, operate and maintain the devices and systems. Specialized knowledge of safety-related automation systems is required.

1.4 Writing Conventions

To ensure improved readability and comprehensibility, the following writing conventions are used in this document:
- Bold: To highlight important parts.
- Italics: Names of buttons, menu functions and tabs that can be clicked and used in the programming tool.
- Courier: For parameters and system variables. Literal user inputs.
- RUN: Operating states are designated by capitals.
- Chapter: Cross-references are hyperlinks even if they are not particularly marked. When the cursor hovers over a hyperlink, it changes its shape. Click the hyperlink to jump to the corresponding position.

Safety notices and operating tips are particularly marked.

Safety Notices

The safety notices are represented as described below. They must be strictly observed to ensure the lowest possible operating risk. The content is structured as follows:
- Signal word: warning, caution, notice
- Type and source of risk
- Consequences arising from non-observance
- Risk prevention

SIGNAL WORD
Type and source of risk!
Consequences arising from non-observance
Risk prevention

The signal words have the following meanings:
- Warning indicates hazardous situations which, if not avoided, could result in death or serious injury.
- Caution indicates hazardous situations which, if not avoided, could result in minor or moderate injury.
- Notice indicates a hazardous situation which, if not avoided, could result in property damage.

NOTICE
Type and source of damage!
Damage prevention.

Operating Tips

Additional information is structured as presented in the following example:

i  The text corresponding to the additional information is located here.

Useful tips and tricks appear as follows:

TIP  The tip text is located here.

2 Usage Notes for HIMax Systems

All safety information, notes and instructions specified in this manual must be strictly observed. The product may only be used if all guidelines and safety instructions are adhered to.

2.1 Intended Use

Scope

This chapter describes the conditions for using HIMax systems. The safety-related HIMax controllers are certified for use in process controllers, protective systems, burner systems and machine controllers. Redundant operation of HIMax modules does not preclude simultaneous operation of other non-redundant modules.

Application in Accordance with the De-Energize-to-Trip Principle

The automation devices have been designed in accordance with the de-energize-to-trip principle. If a fault occurs, a system operating in accordance with the de-energize-to-trip principle enters the de-energized state to perform its safety function.

Application in Accordance with the Energize-to-Trip Principle

The HIMax controllers can be used in applications that operate in accordance with the energize-to-trip principle. A system operating in accordance with the energize-to-trip principle switches on, for instance, an actuator to perform its safety function. When designing the controller system, the requirements specified in the application standards must be taken into account. For instance, line diagnosis for inputs and outputs or messages reporting a triggered safety function may be required.

Use in Fire Alarm Systems

All HIMax systems with analog inputs are tested and certified for use in fire alarm systems in accordance with DIN EN 54-2 and NFPA.

Environmental Conditions

All the environmental conditions specified in the safety manual (HI E) must be observed when operating the HIMax system.

2.2 Tasks of Operators and Machine and System Manufacturers

Operators as well as machine and system manufacturers are responsible for ensuring that HIMax systems are safely operated in automated systems and plants. Machine and system manufacturers must sufficiently validate that the HIMax systems were properly programmed.

Connection of Communication Partners

Only devices with safe electrical separation may be connected to the communication interfaces.

Use of Safety-Related Communication

When implementing safety-related communications between various devices, ensure that the overall response time does not exceed the process safety time. All calculations must be performed in accordance with the rules given in Chapter 12 and in the communication manual (HI E).

2.3 ESD Protective Measures

Only personnel with knowledge of ESD protective measures may modify or extend the system or replace a module.

NOTICE
Electrostatic discharge can damage the electronic components within the controllers!
When performing the work, make sure that the workspace is free of static, and wear an ESD wrist strap. If a module is not in use, ensure that it is protected from electrostatic discharge, e.g., by storing it in its packaging.

Only personnel with knowledge of ESD protective measures may modify or extend the system wiring.

2.4 Additional System Documentation

In addition to this manual, the following documents for configuring HIMax systems are also available (name: content, document no.):
- HIMax system manual: Hardware description of the modular system, HI E
- Certificates: Test results
- Version list: Versions of the operating systems certified by the TÜV
- Manuals for the components: Description of the individual components
- Communication manual: safeethernet and standard protocols, HI E
- SILworX first steps manual: Use of SILworX for engineering, starting up, testing and operating the HIMA systems, HI E
- SILworX online help: Instructions on how to use SILworX

Table 1: Overview of the System Documentation

The documents are available as PDF files on the HIMA website (except for the SILworX online help).

3 Safety Concept for Using the PES

This chapter contains important general information on the functional safety of HIMax systems:
- Safety and availability
- Time parameters important for safety
- Proof test
- Safety requirements
- Certification

3.1 Safety and availability

No imminent risk results from the HIMax systems.

WARNING
Possible physical injury caused by safety-related automation systems improperly connected or programmed.
Check all connections and test the entire system for compliance with the specified safety requirements before start-up!

HIMA strongly recommends replacing failed modules as soon as possible. A replacement module that is used instead of a failed one starts operation with no operator action. It adopts the function of the failed module, provided that it is of the same type or is an approved replacement model.

Calculating the PFD, PFH and SFF Values

The PFD, PFH and SFF values have been calculated for the HIMax systems in accordance with IEC. The PFD, PFH and SFF values are provided by HIMA upon request. A proof test interval of 10 years has been defined for the HIMax systems (offline proof test, see IEC, Paragraph 3.8.5). The safety functions, consisting of a safety-related loop (input, processing unit, output and safety communication among HIMA systems), meet the requirements described above in all combinations.

Self-Test and Fault Diagnosis

The operating system of the modules executes several self-tests at start-up and during operation. The following components are tested:
- Processors
- Memory areas (RAM, NVRAM)
- Watchdog
- Connections between modules
- Individual channels of the I/O modules

If faults are detected during these tests, the defective module or the defective channel of the I/O module is switched off. If the tests detect a module fault while starting up the module, the module does not begin to operate. In non-redundant systems, this means that sub-functions or even the entire PES may be shut down. If a fault is detected in a redundant system, the redundant module or redundant channel assumes the function to be performed.

All HIMax modules are equipped with LEDs to indicate that faults have been detected. This allows the user to quickly diagnose faults detected in a module or the external wiring. Additionally, the user program can evaluate various system variables displaying the module status. Extensive diagnostics of the system performance and detected faults are stored in the diagnostic memory of the processor module or other modules. The diagnostics can also be read after a system fault using the PADT. For more information on how to evaluate diagnostic messages, refer to the system manual (HI E). For a very small number of component failures that do not affect safety, the HIMax system does not provide any diagnostic information.

PADT

Using the PADT, the user creates the program and configures the controller. The safety concept of the PADT supports the user in the proper implementation of the control task. The PADT implements numerous measures to check the entered information.

Redundancy

To improve availability, all parts of the system containing active components can be set up redundantly and, if necessary, replaced while the system is operating. Redundancy does not impair safety. SIL 3 is still guaranteed even if system components are used redundantly.

Structuring Safety Systems in Accordance with the Energize-to-Trip Principle

Safety systems operating in accordance with the energize-to-trip principle have the following function:
1. The safe state of a module is the de-energized state. This state is adopted, for instance, if a fault has occurred in the module.
2. The controller can trigger the safety function on demand by switching on an actuator.

Detection of Failed System Components

Thanks to the automatic diagnostic function, the safety system is able to detect that modules have failed.

Safety Function in Accordance with the Energize-To-Trip Principle

The safety function is performed when the safety system energizes one or several actuators, thus ensuring that the safe state is adopted. The user must plan the following actions:
- If I/O modules are used, redundancy groups must be configured.
- Line monitoring (short-circuits and open-circuits) with input and output modules. These must be configured accordingly.
- The operation of the actuators can be monitored through a position feedback.

Redundancy of Components

It may be necessary to structure the following components redundantly; refer to the system manual (HI E) for further details:
- Power supply of the controller.
- HIMax modules.
- Sensors and actuators.

If redundancy is lost, the controller must be repaired as soon as possible. It is not required to design the safety system modules redundantly if, in the event of a safety system failure, the required safety level can otherwise be achieved, e.g., by implementing organizational measures.

3.2 Time Parameters Important for Safety

Time parameters important for safety are:
- Process Safety Time
- Watchdog Time
- Safety Time
- Response Time

Process Safety Time

The process safety time is a property of the process and describes the time interval during which the process allows faulty signals to exist before the system state becomes dangerous. A safety-related response of the HIMax PES, including all delays due to sensors, actuators, input and output modules, must occur within the process safety time.

Resource Watchdog Time

The watchdog time is preset in SILworX in the dialog box for configuring the resource properties. This time is the maximum permissible duration of a RUN cycle (cycle time). If the cycle time exceeds the preset watchdog time, the processor module enters the ERROR STOP state. When determining the watchdog time, the following factors must be taken into account:
- Time required by the application, i.e., the duration of one user program cycle.
- Time required for process data communication.
- Time required to synchronize the redundant processor modules.
- Time internally required to perform a reload.

The setting range for the watchdog time of the resource ranges from 6 ms to a maximum of ms. The default setting is 200 ms. The following must apply for the watchdog time:

watchdog time ≤ ½ * safety time

Estimating the Watchdog Time

To ensure sufficient availability, HIMA strongly recommends the following setting:

2 * watchdog time + max. CPU cycle time + 2 * I/O cycle time ≤ safety time

Replace a redundant processor module to measure the maximum cycle time in the actual application. Enter the determined maximum cycle time into the above formula. If no reliable assessment of the max. CPU cycle time can be made, set the watchdog time such that:

3 * watchdog time + 2 * I/O cycle time ≤ safety time

2 ms are set for the I/O cycle time.

Precisely Determining the Watchdog Time

For time-critical applications or very large systems, it may be necessary to precisely determine the watchdog time. The watchdog time for a project is precisely determined by performing a test on the entire system. During the test, all the modules are inserted in the rack. The system operates in RUN mode with full load. All communication links are operating (safeethernet and standard protocols).

To determine the watchdog time:
1. Set the watchdog time high for testing.
2. Operate the system under full load. In the process, all communication connections must be operating, both via safeethernet and standard protocols. Frequently read the cycle time in the Control Panel and note down the variations or load peaks of the cycle time.
3. In succession, remove and reinsert every processor module in the base plate. Prior to removing one processor module, wait until the processor module just inserted is synchronized. When a processor module is inserted in the base plate, it automatically synchronizes itself with the configuration of the existing processor modules. The time required for the synchronization process extends the controller cycle up to the maximum cycle time. The synchronization time increases with the number of processor modules that have already been synchronized. For more information on how to insert and remove a processor module, refer to the X-CPU 01 manual (HI E) or the X-CPU 31 manual (HI E).
4. In the diagnostic history for the non-synchronized module, read the synchronization time from n to n+1 processor modules in every synchronization process and note it down. The largest synchronization time value is used to determine the watchdog time.
5. Calculate the watchdog time T_WD using the following equation:

T_WD = T_Sync + T_Marg + T_Com + T_Config + T_Latency + T_Peak

where
- T_Sync: Time determined for the processor module's synchronization
- T_Marg: Safety margin, 12 ms
- T_Com: The configured system parameter Max. Com. Time Slice ASYNC [ms]. Use the Control Panel to determine the current value. Refer to the communication manual (HI E) for details.
- T_Config: The configured system parameter Max. Duration of Configuration Connections [ms]; refer to Chapter for further details.
- T_Latency: The configured system parameter Maximum System Bus Latency [µs] * 4
- T_Peak: Observed load peaks of the user programs

A suitable value can thus be determined for the watchdog time.

TIP  The configured watchdog time can be used as maximum cycle time in the safeethernet configuration, see communication manual (HI E).

Watchdog Time of the User Program

Each user program has its own watchdog and watchdog time. The watchdog time for the user program cannot be set directly. To calculate the watchdog time for a user program, HIMax uses the resource-specific parameter Watchdog Time [ms] and the parameter Program's Maximum Number of CPU Cycles. Refer to Chapter 10.3 and Chapter for more details.
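The watchdog-time rules of Chapter 3.2 (the mandatory ½ safety time rule, the two availability estimates, the precise T_WD equation and the two-cycle response time) as a small plausibility checker. This is an added example, not HIMA code or part of the manual; the safety time, CPU cycle time and T_WD inputs used in it are constructed sample values, and the conversion of T_Latency from µs to ms is an assumption made so that all terms of the sum share one unit.

```python
"""Plausibility checks for a HIMax resource's watchdog time.

Added example, not HIMA code. It encodes the inequalities and the T_WD
equation of Chapter 3.2; all numeric inputs in main() are constructed.
"""
from typing import Optional

WD_MIN_MS = 6.0        # lower end of the resource watchdog setting range
WD_DEFAULT_MS = 200.0  # default watchdog time
IO_CYCLE_MS = 2.0      # value the manual sets for the I/O cycle time
T_MARG_MS = 12.0       # safety margin used in the precise equation


def half_safety_time_ok(watchdog_ms: float, safety_time_ms: float) -> bool:
    """Mandatory rule: watchdog time <= 1/2 * safety time."""
    return watchdog_ms <= 0.5 * safety_time_ms


def estimate_ok(watchdog_ms: float, safety_time_ms: float,
                max_cpu_cycle_ms: Optional[float] = None,
                io_cycle_ms: float = IO_CYCLE_MS) -> bool:
    """Recommended availability estimate.

    With a measured maximum CPU cycle time:
        2 * WD + max CPU cycle + 2 * I/O cycle <= safety time
    Without a reliable measurement of the CPU cycle time:
        3 * WD + 2 * I/O cycle <= safety time
    """
    if max_cpu_cycle_ms is None:
        return 3 * watchdog_ms + 2 * io_cycle_ms <= safety_time_ms
    return 2 * watchdog_ms + max_cpu_cycle_ms + 2 * io_cycle_ms <= safety_time_ms


def max_watchdog_ms(safety_time_ms: float,
                    max_cpu_cycle_ms: Optional[float] = None,
                    io_cycle_ms: float = IO_CYCLE_MS) -> float:
    """Largest watchdog time that satisfies both the mandatory rule and the
    estimate: solve each inequality for WD and take the smaller bound."""
    by_half_rule = 0.5 * safety_time_ms
    if max_cpu_cycle_ms is None:
        by_estimate = (safety_time_ms - 2 * io_cycle_ms) / 3
    else:
        by_estimate = (safety_time_ms - max_cpu_cycle_ms - 2 * io_cycle_ms) / 2
    return min(by_half_rule, by_estimate)


def precise_watchdog_ms(t_sync_ms: float, t_com_ms: float, t_config_ms: float,
                        max_bus_latency_us: float, t_peak_ms: float,
                        t_marg_ms: float = T_MARG_MS) -> float:
    """T_WD = T_Sync + T_Marg + T_Com + T_Config + T_Latency + T_Peak.

    T_Latency is 'Maximum System Bus Latency [us] * 4'. Assumption of this
    example: convert it to ms so the sum is in milliseconds like the rest.
    """
    t_latency_ms = max_bus_latency_us * 4 / 1000.0
    return t_sync_ms + t_marg_ms + t_com_ms + t_config_ms + t_latency_ms + t_peak_ms


def worst_case_response_ms(watchdog_ms: float) -> float:
    """Response time is twice the cycle time. A cycle longer than the watchdog
    time ends in ERROR STOP, so the watchdog time bounds the worst case."""
    return 2 * watchdog_ms


def assess(watchdog_ms: float, safety_time_ms: float,
           max_cpu_cycle_ms: Optional[float] = None,
           io_cycle_ms: float = IO_CYCLE_MS) -> dict:
    """Collect the checks a reviewer would apply to a resource's time parameters."""
    return {
        "in_setting_range": watchdog_ms >= WD_MIN_MS,
        "half_safety_time_rule": half_safety_time_ok(watchdog_ms, safety_time_ms),
        "availability_estimate": estimate_ok(watchdog_ms, safety_time_ms,
                                             max_cpu_cycle_ms, io_cycle_ms),
        "worst_case_response_ms": worst_case_response_ms(watchdog_ms),
        "max_watchdog_ms": max_watchdog_ms(safety_time_ms, max_cpu_cycle_ms,
                                           io_cycle_ms),
    }


if __name__ == "__main__":
    # Constructed sample: safety time 900 ms, measured max. CPU cycle 120 ms.
    for name, value in assess(WD_DEFAULT_MS, 900.0, max_cpu_cycle_ms=120.0).items():
        print(f"{name}: {value}")
    # Constructed inputs for the precise equation (ms unless noted).
    t_wd = precise_watchdog_ms(t_sync_ms=200.0, t_com_ms=40.0, t_config_ms=30.0,
                               max_bus_latency_us=2000.0, t_peak_ms=20.0)
    print(f"precise T_WD: {t_wd} ms")
```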

Make sure that the calculated watchdog time is not greater than the response time required for the process portion processed by the user program.

Safety Time of the Resource

The safety time of the resource is the maximum permissible time within which the resource must react to a demand. The demands are:
- Changes in process input signals from the process.
- Faults occurring in the resource.

The HIMax system responds to faults that may result in a safety-critical operating state within the configured safety time of the resource. It triggers predefined fault reactions that bring the faulty parts to the safe state. The requisites are:
- No input signal delay caused by delay elements configured in the input modules (T_on, T_off).
- No delay within the user program.
- User program response within one PES cycle.

The following factors prolong the safety time of the resource and must be taken into account:
- Physical delays at the inputs and outputs, e.g., the switching times of relays.
- Delays of output signals due to output noise blanking, see Chapter.

In HIMax resources, the safety time can be set anywhere in the range ms.

User Program Safety Time

The safety time for the user program cannot be set. To calculate it, HIMax uses the parameters Safety Time of the resource and Maximum Number of Cycles. Refer to Chapter and Chapter for more details.

Response Time

Assuming that no delay results from the configuration or the user program logic, the response time of HIMax controllers running in cycles is twice the system cycle time.

3.3 Proof Test (in Accordance with IEC 61508)

A proof test is a periodic test performed to detect any hidden faults in a safety-related system so that, if necessary, the system can be restored to a state where it can perform its intended function. HIMA safety systems must be subject to a proof test at intervals of 10 years. This interval can often be extended by calculating and analyzing the implemented safety loops.

Proof Test Execution

The execution of the proof test depends on how the system (EUC = equipment under control) is configured, its intrinsic risk potential and the standards applicable to the equipment operation and required for approval by the responsible test authority. According to IEC, IEC, IEC and VDI/VDE 2180 sheets 1 to 4, the operator of the safety-related systems is responsible for performing the proof tests.

Frequency of Proof Tests

The HIMA PES can be proof tested by testing the entire safety loop. In practice, shorter proof test intervals are required for the input and output field devices (e.g., every 6 or 12 months) than for the HIMax controller. Testing the entire safety loop together with a field device automatically includes the test of the HIMax controller. There is therefore no need to perform additional proof tests of the HIMax controller. If the proof test of the field devices does not include the HIMax controller, the HIMax controller must be tested for SIL 3 at least once every 10 years. This can be achieved by restarting the HIMax controller.

3.4 Safety requirements

The safety requirements specified below must be met when using the safety-related PES of the HIMax system.

Hardware Configuration

Personnel configuring the HIMax hardware must observe the safety requirements specified below.

Product-Independent Requirements

To ensure safety-related operation, only approved safety-related hardware modules and software components may be used. The approved hardware modules and software components are specified in the Version List of Modules and Firmware for HIMax Systems from HIMA Paul Hildebrandt GmbH. The latest versions can be found in the version list maintained together with the test authority. The operating requirements specified in this safety manual (see Chapter 2.1.2) about EMC, mechanical, chemical and climatic influences must be observed.

Product-Dependent Requirements
- Only devices that are safely separated from the power supply may be connected to the system.
- The operating requirements detailed in the system manual, particularly those concerning supply voltage and ventilation, must be observed.
- Only safety-related modules may be used to process safety-related tasks.
- Only power supply units of type PELV or SELV may be used for power supply.
- The provided supply voltage must not exceed 35 V, even if a fault occurs!

Programming

Personnel developing user programs must observe the safety requirements specified below.

Product-Independent Requirements

In safety-related applications, proper configuration of the safety-relevant system parameters must be ensured. In particular, this applies to the system configuration, maximum cycle time and safety time.

Requirements for Using the Programming Tool
- SILworX must be used for programming.
- The proper implementation of the application specifications must be validated, verified and documented.
- A complete test of the logic must be performed by trial.
- If the user program is changed, test at least all the parts of the logic concerned by the changes.

The system response to faults in the safe input and output modules must be defined in the configuration in accordance with the system-specific safety-related conditions. Examples:
- Fault reaction in the user program.
- Configuration of safe initial values for variables.

Communication

When implementing safety-related communications between the various devices, ensure that the system's overall response time does not exceed the process safety time. All calculations must be performed in accordance with the rules given in
During the transfer of (safety-related) data, IT security rules must be observed. The transfer of safety-relevant data through public networks like the Internet is only permitted if additional security measures such as a VPN tunnel or a firewall have been implemented. If data is transferred through company-internal networks, administrative or technical measures must be implemented to ensure sufficient protection against manipulation (e.g., using a firewall to separate the safety-relevant components of the network from other networks). Never use the standard protocols to transfer safety-related data. Only devices with safe electrical separation may be connected to the communication interfaces.

Maintenance Work

Operators are responsible for ensuring proper maintenance work. They must take the required measures to guarantee safe operation during maintenance. Whenever necessary, the operator must consult with the test authority responsible for the factory acceptance test (FAT) and define administrative measures appropriate for regulating access to the systems.

Cyber Security for HIMax Systems

Industrial controllers must be protected against IT-specific problem sources. Those problem sources are:
- Attackers inside and outside of the customer's plant
- Operating failures
- Software failures

A HIMax installation consists of the following parts to be protected:
- HIMax PES
- PADT
- OPC server: X-OPC DA, X-OPC AE (optional)
- Communication connections to external systems (optional)

The HIMax system with basic settings is already a system fulfilling the requirements for cyber security. The relevant modules were tested by the Canadian company Wurldtech Security Technologies Inc. in accordance with Achilles Level I. Protective mechanisms for preventing unintentional or unapproved modifications to the safety system are integrated into the PES and the programming tool:
- Each change to the user program or configuration results in a new configuration CRC.
- The operating options depend on the rights of the user logged into the PES.
- The programming tool prompts the user to enter a password in order to log in to the PES.
- PES data can only be accessed if the PADT is operating with the current version of the user project (archive maintenance!).
- A connection between the PADT and the PES is not required in RUN and can be interrupted.

The PADT can be briefly connected for maintenance work or diagnostic tasks.

All requirements for protection against manipulation specified in the safety and application standards must be met. The operator is responsible for authorizing employees and implementing the required protective actions.

WARNING
Physical injury possible due to unauthorized manipulation of the controller!
The controller must be protected against unauthorized access, for instance by:
- Changing the default settings for login and password!
- Controlling physical access to the controller and PADT!

Careful planning should identify the measures to be taken. The required measures are only to be taken after the risk analysis is completed. Such measures are, for example:
- Meaningful allocation of user groups.
- Maintained network maps, which help ensure that secure networks are permanently separated from public networks and that, if required, only a well-defined connection exists (e.g., via a firewall or a DMZ).
- Use of appropriate passwords.

A periodic review of the security measures is recommended, e.g., every year. The user is responsible for implementing the necessary measures in a way suitable for the plant!

For more details, refer to the HIMA cyber security manual (HI E).

3.5 Certification

HIMA safety-related automation devices (programmable electronic systems, PES) of the HIMax system have been tested and certified by TÜV for functional safety in accordance with the standards listed below:

TÜV Rheinland Industrie Service GmbH
Automation, Software und Informationstechnologie
Am Grauen Stein
Köln

Certificate and test report: safety-related automation devices HIMax

Intended use: "Safety-related programmable electronic system for process control, burner management (BMS), emergency shutdown and machinery, where the demanded safe state is the de-energized state. Applications, where the demand state is the de-energized or energized state".

International standards:
- EN / IEC 61508, Parts 1-7: 2010, SIL 3
- EN / IEC 61511, Parts 1-3: 2004, SIL 3
- EN / ISO : AC:2009, Performance level e
- EN / IEC 62061: AC: A1:2013, SIL CL 3
- EN : 2004, SIL 3
- EN : 2004
- EN 298: 2012
- EN 230: 2005
- EN : 2007
- EN 50495: 2010
- NFPA 85: 2011
- NFPA 86: 2011
- EN / IEC : 2007
- IEC :2008
- EN 54-2: AC: A1:2006
- NFPA 72: 2013

The following chapter contains a detailed list of all environmental and EMC tests performed. All devices have received the mark of conformity.

To program the HIMax devices, a PADT is required, which is a PC running SILworX. This software helps the user operate the automation devices and create safety-related programs using function block diagrams (FBD) and sequential function charts (SFC) in accordance with IEC
Refer to the SILworX online help and the SILworX first steps manual (HI E) for further details.

Test Conditions

The devices have been tested to meet the climatic and environmental requirements of the following EMC standards:

Standard: Content
IEC/EN : Programmable controllers, Part 2: Equipment requirements and tests
IEC/EN : EMC, Generic standards, Part 6-2: Immunity for industrial environments
IEC/EN : Electromagnetic Compatibility (EMC), Generic standards: Emission standard for industrial environments
EN 298: Automatic burner control systems for burners and appliances burning gaseous or liquid fuels
EN : Electrical equipment for measurement, control and laboratory use, EMC requirements, Part 1: General requirements
EN : Electrical equipment for measurement, control and laboratory use, EMC requirements, Part 3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety), General industrial applications
EN 54-2: Fire alarm systems
Table 2: Standards for EMC, Climatic and Environmental Requirements

Climatic Conditions

The following table lists the most important tests and limits for climatic conditions:

Standard: Climatic tests
IEC/EN :
- Operating temperature: °C (test limits: °C)
- Storage temperature: °C
- Dry heat and cold resistance tests: +70 °C / -40 °C, 16 h; +85 °C, 1 h; power supply not connected
- Temperature changes, withstand test, fast temperature changes: -40 °C / +70 °C, power supply not connected
- Immunity test, slow temperature changes: -10 °C / +70 °C, power supply connected
EN 54-2:
- Cyclic damp-heat withstand test: +25 °C / +55 °C, 95 % relative humidity, power supply not connected
- Damp heat: 93 % relative humidity, 40 °C, 4 days in operation; 93 % relative humidity, 40 °C, 21 days, power supply not connected
Table 3: Climatic Conditions

Mechanical Conditions

The following table lists the most important tests and limits for mechanical conditions:

Standard: Mechanical tests
IEC/EN :
- Vibration immunity test: Hz / 3.5 mm amplitude; Hz, 1 g; EUT in operation, 10 cycles per axis
- Shock immunity test: 15 g, 11 ms, EUT in operation, 3 shocks per axis and direction (18 shocks)
Table 4: Mechanical Tests

EMC Conditions

Higher interference levels are required for safety-related systems. HIMax systems meet these requirements in accordance with IEC and IEC

Test standard: Interference immunity tests (criterion)
IEC/EN : ESD test: 6 kV contact discharge, 8 kV air discharge (FS)
IEC/EN : RFI test (20 V/m): 80 MHz...1 GHz, 80 % AM (FS); RFI test (10 V/m): 1 GHz...2 GHz, 80 % AM (FS); RFI test (3 V/m): 2 GHz...3 GHz, 80 % AM (FS)
IEC/EN : Burst test: supply voltage 3 kV (FS); signal lines 2 kV (FS)
IEC/EN : Surge: DC supply voltage 2 kV CM, 1 kV DM (FS); signal lines 2 kV CM (FS)
IEC/EN : High frequency, asymmetrical: 10 V, 150 kHz...80 MHz, 80 % AM (FS)
IEC/EN : Supply and signal lines: 1...10 V, 20 dB/decade ( kHz) (FS); 10 V ( kHz) (FS); 10 V constant (with DC, 16 2/3 Hz, 50/60 Hz, 150/180 Hz) (FS); 100 V temporary (1 s, with DC, 16 2/3 Hz, 50/60 Hz) (FS)
Table 5: Interference Immunity Tests

Test standard: Noise emission tests
IEC/EN , EN , Class A: Emission test: radiated, conducted
Table 6: Noise Emission Tests

Supply Voltage

The following table lists the most important tests and limits for the device's supply voltage:

Standard: Verification of the DC supply characteristics
IEC/EN :
- Voltage range test: 24 VDC, % ( V)
- Momentary external current interruption immunity test: DC, PS 2: 2 ms
- Reversal of DC power supply polarity test: refer to the corresponding chapter of the system manual or the data sheet of the power supply.
- Backup duration withstand test: Test B, 1000 h
Table 7: Verification of the DC Supply Characteristics

Alternatively, the power supply must comply with the following standards: IEC/EN or SELV (Safety Extra Low Voltage) or PELV (Protective Extra Low Voltage).

HIMax devices must be fuse protected as specified in the manual for the X-BASE PLATE (HI E).

4 Processor Module

The processor module's safety function is maintained by processing the user program with two processors that constantly compare their data. If a fault occurs, the watchdog sets the module to the safe state and reports the CPU state. Refer to the manual for further details about the processor modules.

4.1 Self-Tests

The following list specifies the most important self-test routines of the controllers' safety-related processor modules:
- Processor test
- Memory test
- Comparator test
- CRC test with non-volatile memories
- Watchdog test

4.2 Reactions to Faults in the Processor Module

A hardware comparator within the processor module constantly checks whether the data from microprocessor system 1 is identical to the data from microprocessor system 2. If they differ, or if the test routines detect faults in the processor module, the processor module automatically enters the ERROR STOP state. If such a fault occurs for the first time, the controller is restarted (reboot). If a further internal fault occurs within the first minute after start-up, the controller enters the STOP/INVALID CONFIGURATION state and remains in this state. If an automatic restart is not desired, set the resource parameter Autostart to OFF.

4.3 Replacing Processor Modules

Prior to replacing a processor module, ensure that the replacement will not cause a running HIMax system to stop. In particular, this applies to systems running in accordance with the energize-to-trip principle: the failure of such systems causes the loss of the safety function. Redundant processor modules can be replaced during operation, provided that at least one processor module that can maintain safety-related operation while the other module is being replaced is available.

NOTICE
Interruption of the safety-related operation possible!
Replacing a processor module with a lit or blinking Ess LED can result in the interruption of a controller's operation.
Do not remove processor modules with a lit or blinking Ess LED.

A lit or blinking Ess LED indicates that the processor module is required for the system to function. Even if the LED is not lit or blinking, the system redundancies which this processor module is part of must be checked using SILworX. The communication connections processed by the processor module must also be taken into account. Refer to the processor module manuals (HI E and HI E) and to the system manual (HI E) for more details on how to replace processor modules.

4.4 Processor Module X-CPU 01

The X-CPU 01 processor module can be operated with up to 4-fold redundancy. It may be inserted into racks 0 and 1, slots

Processor Module X-CPU 31

The X-CPU 31 processor module combines the functions of the processor and system bus modules. For this reason, it can only be inserted into slot 1 or 2 of rack 0. If so, no further processor module can be used in slots of racks 0 and 1!

5 System Bus Module

A system bus module administrates one of the two safety-related system busses. The two system busses are redundant to one another. Each system bus interconnects the various modules and base plates. The system busses transfer safe data using a safety-related protocol. A HIMax system that only contains one processor module can be operated at a reduced availability level using one system bus only.

Processor modules of type X-CPU 31 can also be used in rack 0 instead of system bus modules. The statements made in this chapter also apply to this type of module. The X-CPU 31 modules require a special double-width connector board.

5.1 Rack ID

The rack ID identifies a base plate within a resource and must be unique for each base plate. The rack ID is the safety parameter for addressing the individual base plates and the modules mounted on them! The rack ID is stored in the connector board of the system bus module. The procedure for configuring the rack ID is described in the system manual (HI E) and in the SILworX first steps manual (HI E).

5.2 Responsibility

Only one of the system bus modules contained in each system bus may receive the Responsible attribute and thus be configured as responsible for system bus operation. For system bus A, the Responsible attribute is reserved for the system bus module or the X-CPU 31 processor module in rack 0, slot 1. The following conditions apply to system bus B:
- If X-SB 01 and X-CPU 01 are used, the attribute can be configured with SILworX. The Responsible system bus module must be located either in rack 0, slot 2, or in rack 1, slot 2.
- If X-CPU 31 is used, the attribute is fixed for the module in rack 0, slot 2.

Prior to starting safety-related operation, ensure that the Responsible attribute is properly configured for both system busses. The procedure for setting the Responsible attribute is described in the SILworX first steps manual (HI E).

WARNING
Physical injury possible!
SILworX must be used to verify the configuration. Proceed as follows:
- In SILworX, log in to the system bus module in rack 0, slot 2.
- In SILworX, log in to the system bus module in rack 1, slot 2.
- Check the Control Panels of both system bus modules to ensure that the Responsible attribute has only been set for the correct system bus module (see Figure 1 and Figure 2)!

Recommended configurations:
- If processor modules are only contained in rack 0, both system bus modules in rack 0 must be set to Responsible (Figure 1).
- If processor modules are also contained in rack 1 (Figure 2), the following system bus modules must be set to Responsible:
  - In rack 0, the system bus module in slot 1 (automatically).
  - In rack 1, the system bus module in slot 2.

Figure 1: Recommended Configuration: All Processor Modules in Rack 0 (R = system bus module set to Responsible)

Figure 2: Recommended Configuration: Processor Modules X-CPU 01 in Rack 0 and Rack 1 (R = system bus module set to Responsible)

If X-CPU 31 processor modules are inserted in rack 0, slots 1 and 2 (Figure 3), they are always set to Responsible. In this case, the system bus module in rack 1, slot 2, must not be set to Responsible.

Figure 3: Configuration with X-CPU 31 Processor Modules in Rack 0, Slots 1 and 2 (R = processor module set to Responsible)

6 Communication Module

Communication modules control both safety-related data transfer to other HIMA controllers and non-safety-related data transfer through fieldbuses and Ethernet. The processor module controls safety-related data traffic using the SIL 3-certified transfer protocol safeethernet. The communication module forwards the data packets to the other systems. The safety-related protocol ensures that corrupted messages are detected (black channel principle). This allows safety-related communication via non-safety-related transmission paths, i.e., standard network components.

The standard protocols are, for instance:
- Modbus
- PROFIBUS master/slave
- Send/Receive TCP
- PROFINET IO
- SNTP

Refer to the following documents for further details on communication and communication modules:
- This manual, Chapter
- Communication module manual, HI E
- Communication manual, HI E
- System manual, HI E

7 Input Modules

Columns: Module, Number of channels, Safety-related, Interference-free channels, Remark
Digital inputs
X-DI SIL VAC
X-DI SIL 3 24 VDC
X-DI SIL 3 Proximity switch (NAMUR)
X-DI SIL 3 48 VDC
X-DI SIL 3 With sequence of events recording
X-DI SIL 3 Proximity switches (NAMUR), with sequence of events recording
X-DI VDC
X-DI Proximity switch (NAMUR)
X-DI SIL 3 24 VDC
X-DI VDC
Analog inputs 0/ mA
X-AI SIL 1 Thermocouple
X-AI SIL 3
X-AI SIL 3 With sequence of events recording
X-AI
Counter inputs
X-CI SIL 3
X-CI
Table 8: Overview of the Input Modules

7.1 General

Safety-related inputs can be used for both safety-related and non-safety-related signals. Non-safety-related signals, however, may not be used for safety functions!

Safety-related input modules automatically perform high-quality, cyclic self-tests during operation. If a fault occurs, the initial value is provided to the user program as a global variable and, if possible, detailed fault information is issued. The user program can read out the error code and thus evaluate this fault information.

In addition to the diagnostic LEDs, the controllers generate and save error and status messages. The PADT can read the saved diagnostic messages. For more information on the input modules, refer to the individual module manuals.

7.2 Safety of Sensors, Encoders and Transmitters

In safety-related applications, the PES and the connected sensors, encoders and transmitters must all meet the safety requirements and achieve the specified SIL. For information on how to achieve the required SIL for sensors, see IEC , Section

7.3 Reaction in the Event of a Fault

If the test routines detect a faulty input, the user program processes the initial value of the global variables. The module activates the Error LED. Failure of the overall input module causes the user program to process the initial value of the global variables for all the inputs. The error code and other system variables can be used to program application-specific fault reactions. Refer to the module-specific manual for more details.

7.4 Safety-Related Digital Inputs

The digital input module reads the values at its digital inputs and provides safe values in every processor module cycle. The module cyclically tests the inputs' safe operation.

Test Routines

The online test routines check whether the input channels are able to forward both signal levels (L and H levels), irrespective of the signals actually present at the input. This functional test is performed whenever the input signals are read.

Redundancy of Inputs

The digital inputs may be connected redundantly. The redundant connection is usually used to increase the availability of the module inputs.

Surges on Digital Inputs

Due to the short cycle time of the HIMax systems, a surge pulse as described in EN can be read in at the digital inputs as a short-term high level. If shielded cables are used for digital inputs, no additional precautionary measures are required to protect against surges. If no shielded cables are used, the channel-specific time-on and time-off delay must be applied to avoid these types of faults: a signal must be present for at least a certain time period before it is evaluated. The configured delay + 2 * I/O cycle time must be added to the response time and to the safety time configured for the resource.

7.5 Safety-Related Analog Inputs and Proximity Switch Inputs

Analog input channels convert the measured input currents to a value of type DINT (double integer), i.e., the raw value, and to a value of type REAL, i.e., the process value. The raw value contains the measured input signal, whereas the process value is a scaled value. Proximity switch inputs create a digital value by comparing the raw value with the configured thresholds.

Test Routines

The module captures analog values in parallel along two paths and compares the results with one another. Additionally, it cyclically tests the input path function.

Redundancy of Analog Inputs

The analog inputs may be connected redundantly. The redundant connection is usually used to increase the availability of the module inputs. The SIL value of the X-AI input module can be increased by implementing the connection variants described in the module-specific manual (HI E).

State of LL, L, N, H, HH in X-AI and X-AI

For safety-related applications, if scalar events have been defined for the thresholds of a channel located in an analog module (X-AI or X-AI 32 02), the state variables -> State LL, -> State L, -> State N, -> State H, -> State HH must be connected to Channel OK! If faults occur, these state variables return FALSE.

7.6 Safety-Related Counter Inputs

Depending on its configuration, a safety-related counter input can return the following process values:
- A counter reading as an integer value or as a scaled floating-point value.
- A rotation speed or frequency as an integer value or as a scaled floating-point value.
- Additional auxiliary values such as overflow.

For further details, refer to the module-specific manual (HI E).

Test Routines

The module captures the counter values in parallel along three paths and compares the results with one another. Additionally, it cyclically tests the input path function.

Important Information in Connection with the X-CI Counter Module

If the X-CI counter module is used, the following characteristics must be observed; also refer to the module-specific manual (HI E):
- While performing a reload, input pulses may be lost during the first 3 cycles if the following parameters are changed during the process:
  - Counting Pulse Evaluation Type
  - Channel pairs in use
- If the channel sensor fails during the edge evaluation 2 Phases, 4 Edges, and no short-circuit or open-circuit was detected, the module only registers half of the actual frequency value.
- Pulses to be counted can be lost during an automatic restart. Automatic or manual module restart must be considered as application-specific.

Application recommendations:
- To ensure detection of a sensor failure, HIMA recommends using redundant sensors for multiple-phase evaluation or for recognizing the rotation direction.
- Configuring noise blanking while frequencies are measured does not impair safety.

Redundancy of Counter Inputs

The counter inputs may be connected redundantly. The redundant connection is usually used to increase the availability of the module inputs.

7.7 Checklists for Inputs

HIMA recommends using the available checklists for engineering, programming and starting up safety-related digital inputs. The checklists can be used to help with planning as well as to demonstrate later on that the planning phase was carefully completed. When engineering or starting up the system, it is useful to fill out a checklist for each of the safety-related input channels used in the system to verify the requirements to be met. This is the only way to ensure that all requirements were considered and clearly recorded. The checklist also documents the relationship between the external wiring and the user program. The checklists are available in Microsoft Word format on the HIMA website.
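The following added example (not HIMA's or SILworX's code) models in Python the analog channel image described in Chapters 7.3 and 7.5: the raw DINT value, the scaled REAL process value, the State LL/L/N/H/HH variables, the rule that a faulted channel delivers the initial value with every state variable FALSE, and a user-program-side de-energize-to-trip reaction that therefore only works when the states are combined with Channel OK. The 4...20 mA scaling, the threshold values, the band boundaries, the initial value and all function names are assumptions of this model.

```python
"""Model of a safety-related analog input channel as described in Chapters 7.3
and 7.5 of the HIMax safety manual.  Constructed example, not HIMA code."""
from dataclasses import dataclass

# Assumed scaling: the raw DINT value is the measured current in microamps,
# the REAL process value is in engineering units 0...100 %.
RAW_LO_UA = 4000
RAW_HI_UA = 20000
ENG_LO = 0.0
ENG_HI = 100.0
# Assumed initial value that the module delivers to the user program on a fault (7.3).
INITIAL_VALUE = 0.0


@dataclass(frozen=True)
class Thresholds:
    """Threshold set of one channel in engineering units (constructed values)."""
    ll: float
    l: float
    h: float
    hh: float

    def __post_init__(self) -> None:
        # A threshold set that is not strictly ordered cannot yield disjoint bands.
        if not (self.ll < self.l < self.h < self.hh):
            raise ValueError("thresholds must satisfy LL < L < H < HH")


@dataclass(frozen=True)
class ChannelImage:
    """Values the module exposes to the user program for one channel."""
    raw: int
    process: float
    channel_ok: bool
    state_ll: bool
    state_l: bool
    state_n: bool
    state_h: bool
    state_hh: bool


def scale(raw_ua: int) -> float:
    """Linear scaling from the raw value (DINT) to the process value (REAL)."""
    return ENG_LO + (raw_ua - RAW_LO_UA) * (ENG_HI - ENG_LO) / (RAW_HI_UA - RAW_LO_UA)


def evaluate_channel(raw_ua: int, channel_ok: bool, thr: Thresholds) -> ChannelImage:
    """Build the channel image for one I/O cycle.

    Band assignment (assumption of this model): LL below ll, L from ll up to l,
    N from l up to h, H above h up to hh, HH above hh, so exactly one state is
    TRUE for a healthy channel.  When Channel OK is FALSE the module delivers
    the initial value and every state variable is FALSE (7.5), which is why
    the manual requires the state variables to be connected to Channel OK.
    """
    if not channel_ok:
        return ChannelImage(raw=raw_ua, process=INITIAL_VALUE, channel_ok=False,
                            state_ll=False, state_l=False, state_n=False,
                            state_h=False, state_hh=False)
    p = scale(raw_ua)
    return ChannelImage(raw=raw_ua, process=p, channel_ok=True,
                        state_ll=p < thr.ll,
                        state_l=thr.ll <= p < thr.l,
                        state_n=thr.l <= p <= thr.h,
                        state_h=thr.h < p <= thr.hh,
                        state_hh=p > thr.hh)


def energize_demand(img: ChannelImage) -> bool:
    """User-program side fault reaction (7.3), de-energize-to-trip: the output
    stays energized (TRUE) only while the channel is healthy and the value is
    outside the LL and HH trip bands.  Because a faulted channel reports all
    states FALSE, a program that looked at the states alone would keep the
    output energized; gating with Channel OK drives it to the safe state 0."""
    return img.channel_ok and not (img.state_ll or img.state_hh)


if __name__ == "__main__":
    thr = Thresholds(ll=5.0, l=10.0, h=90.0, hh=95.0)
    for raw, ok in [(12000, True), (19600, True), (4800, True), (12000, False)]:
        img = evaluate_channel(raw, ok, thr)
        print(f"raw={raw:6d} ok={str(ok):5} process={img.process:6.2f} "
              f"LL={img.state_ll} L={img.state_l} N={img.state_n} "
              f"H={img.state_h} HH={img.state_hh} energize={energize_demand(img)}")
```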

8 Output Modules

Columns: Module, Number of channels, Safety-related, Safely galvanically separated, Remark
Digital outputs
X-DO SIL 3 - 24 VDC, 2 A
X-DO SIL 3 - 24 VDC
X-DO SIL 3 - 48 VDC
X-DO SIL 3 - 24 VDC
X-DO VDC
Digital relay outputs
X-DO SIL VAC
X-DO VAC
Analog outputs
X-AO SIL 3 Pairwise
X-AO
Table 9: Overview of the Output Modules

8.1 General

The safety-related output modules are written once per cycle; the generated output signals are read back and compared with the specified output data. The safe state of the outputs is 0 or an open relay contact. Using the corresponding error code, the user can program additional fault reactions in the user program. For more information on the output modules, refer to the individual module manuals.

8.2 Safety of Actuators

In safety-related applications, the PES and the connected actuators must all meet the safety requirements and achieve the specified SIL. For information on how to achieve the required SIL for sensors and actuators, see IEC , Section

8.3 Reaction in the Event of a Fault

If the test routines detect a faulty output, the controller switches off the output, i.e., it enters the safe state. The module activates the Error LED. Failure of the overall output module causes all outputs to enter the safe state. The error code and other system variables can be used to program application-specific fault reactions. Refer to the module-specific manual for more details.

8.4 Safety-Related Digital Outputs

The safety-related output channels are equipped with three testable switches connected in series. This ensures compliance with the SIL 3 requirement for a second, safe, independent switch-off option. If a fault occurs, this integrated safety switch-off function safely de-energizes the individual channels of the defective output module (de-energized state). Additionally, the watchdog signal of the module is the second safety shutdown option: if the watchdog signal is lost, the module immediately enters the safe state.

Test Routines for Digital Outputs

The modules are tested automatically during operation. The main test functions are:
- Read-back of the output signal.
- Checking the integrated redundant safety shutdown.
- Shutdown test of the outputs.
- Operating voltage monitoring.

Output Noise Blanking

If output noise blanking is activated, the output module delays the switch-off reaction of a channel.

Note: If output noise blanking has been activated and transient interference has been suppressed, a potential delay in the reaction of (safety time - watchdog time) must be taken into account. In all cases, the module also indicates the fault through the Error LED on the front plate.

Behavior in the Event of External Short-Circuit or Overload

If the output is short-circuited to L- or overloaded, the module is still safe. In this state, the outputs are checked every few seconds to determine whether the overload is still present. Once the state is normal again, the outputs are switched on again.

Redundancy of Digital Outputs

The digital outputs may be connected redundantly. The redundant connection is usually used to increase the availability of the module outputs.

8.5 Safety-Related Relay Outputs

Relay output modules are connected to the actuator under any of the following circumstances:
- Electrical separation is required.
- Higher amperages are used.
- Alternating currents are to be connected.

The module outputs are equipped with two safety relays with forcibly guided contacts. The outputs can thus be used for safety shutdowns in accordance with SIL 3. Additionally, the watchdog signal of the module is the second safety switch-off function: if the watchdog signal is lost, the module immediately enters the safe state.

Test Routines for Relay Outputs

The module is tested automatically during operation. The main test functions are:
- Reading the output signals back from the switching amplifiers located before the relays.
- Testing the switching of the relays with forcibly guided contacts.
- Checking the integrated redundant safety shutdown.
- Operating voltage monitoring.

Redundancy of Relay Outputs

The digital relay outputs may be connected redundantly. The redundant connection is usually used to increase the availability of the module outputs.

8.6 Safety-Related Analog Outputs

Analog outputs forward the values determined in the user program to the actuators. The safety-related analog outputs read back their output values and compare them to the values to be output. If the values differ, a fault reaction is triggered.

Test Routines for Analog Outputs

The modules are tested automatically during operation. The main test functions are:
- Reading the output signals back.
- Checking the integrated redundant safety shutdown.

If faults occur, the outputs are set to the safe value 0 mA.

Output Noise Blanking

If output noise blanking is activated, the output module delays the switch-off reaction of a channel.

Note: If output noise blanking has been activated and transient interference has been suppressed, a potential delay in the reaction of (safety time - watchdog time) must be taken into account. In all cases, the module also indicates the fault through the Error LED on the front plate.

Behavior in the Event of External Open-Circuit

If an open-circuit occurs, the module switches the current off for approx. 8 ms and checks whether the open-circuit is still present. If this is the case, it switches off for approx. 10 s. This process can repeat indefinitely.

Important Information in Connection with the Analog X-AO Output Module

If the analog output module is used, the following characteristics must be observed; also refer to the module-specific manual (HI E):
- Only the connection variants specified in the module-specific manual (HI E) may be used!
- If more than two modules are redundantly connected in series, the SELV voltage can be exceeded!
- With serial redundancy, only one channel of each group of two channels may be used!
- If HART communication occurs between the connected actuator and one HART terminal, the output signal can deviate from the full scale by up to 1 %!
- If a fault occurs, the time to reach the safe state can take up to 16 ms in the worst case. Take this time into account when defining the reaction and safety times!
- The user program may not write to analog outputs in cycles shorter than 6 ms.
- If faults occur, the module outputs the safe value 0 mA, even if the upper limit of the setting range is exceeded.

Redundancy of Analog Outputs

The analog outputs may be connected redundantly. The redundant connection is usually used to increase the availability of the module outputs.

8.7 Checklists for Outputs

HIMA recommends using the available checklists for engineering, programming and starting up safety-related digital outputs. The checklists can be used to help with planning as well as to demonstrate later on that the planning phase was carefully completed. When engineering or starting up the system, it is useful to fill out a checklist for each of the safety-related output channels used in the system to verify the requirements to be met. This is the only way to ensure that all requirements were considered and clearly recorded. The checklist also documents the relationship between the external wiring and the user program. The checklists are available in Microsoft Word format on the HIMA website.

9 Special I/O Modules

9.1 HART Module: X-HART

The HART module serves for communicating with HART-capable sensors and actuators. For further details, refer to the module-specific manual (HI E).

Safety Function

The safety function of the X-HART module includes the following points:
- HART deactivation: If the module is shut down, the HART channels are safely deactivated in accordance with SIL 3.
- HART filtering: HART access to HART transmitters or sensors is locked in accordance with SIL 3.

HART communication influences the analog metrological accuracy by approx. 1 %. There are no additional repercussions for the analog modules. If the HART filtering function is deactivated on the HART module, the corresponding analog sensor or actuator can be reprogrammed. This can impair safety.

9.2 The HIMax Overspeed Trip Module X-MIO 7/6 01

The module serves for monitoring the rotation speed and the emergency stop function (trip function) of a turbine. For further details, refer to the module-specific manual (HI E). The module can be used to implement applications in accordance with API 670. The module complies with the turbine requirements for rotation speed monitoring and trip routines defined in API 670. The rotation speed monitoring and the trip routines are independent of the overall HIMax system and the user program.

Safety Function

The module monitors the rotation speed of a turbine, independently of the overall HIMax system and the user program. The module trips the turbine via the digital outputs. Depending on the measuring input, the module measures the rotation speed and direction of a sensor with safety-related accuracy. To determine the rotation speed, one turbine is equipped with three sensors. The rotation speed values calculated for the three sensors are used by the module to perform a 2oo3 evaluation. The result is provided to the safety-related X-MIO 7/6 01 processor system and the user program. If a sensor signal fails, the module outputs a warning. If two of the three signals fail, the trip function is triggered.

The module is equipped with safety-related digital outputs as described in Chapter 8.3. The safety function is performed for all inputs and outputs in accordance with SIL 3. The relay output is implemented as a potential-free, non-safety-related signaling contact (changeover).

Redundancy

To increase availability, the module must be used in a dual redundant structure. To this end, only dual redundant connector boards may be used.

38 10 Software HIMax 10 Software The software for the safety-related automation devices of the HIMax systems consists of the following components: Operating system. User program. SILworX programming tool in accordance with IEC The operating system is loaded into each module of the controller. HIMA recommends using the latest version valid for the safety-related applications. This chapter particularly describes the operating system of the processor module. The user program is created using the SILworX programming tool and contains the applicationspecific functions to be performed by the automation device. Parameters are also set using SILworX. The user program is compiled with the code generator and transferred to the non-volatile memory automation device through an Ethernet interface Safety-Related Aspects of the Operating System Each approved operating system is clearly identified by the revision number and the CRC signature. The valid versions of the operating system and corresponding signatures (CRCs) - approved by the TÜV for use in safety-related automation devices - are subject to a revision control and are documented in the Version List of Modules and Firmware for HIMax Systems from HIMA Paul Hildebrandt GmbH maintained by HIMA in co-operation with the TÜV. The current version of the operating system can be read using SILworX. The users must ensure that a valid version of the operating system has been loaded into the modules (see 11.3) Safety-Related Aspects of Programming When creating a user program, the requirements detailed in this section must be observed Safety Concept of SILworX The safety concept of SILworX: When SILworX is installed, a checksum (CRC) helps ensure the program package integrity on the way from the manufacturer to the user. SILworX performs validity checks to reduce the likelihood of faults while entering data. 
When starting up a safety-related controller for the first time, a comprehensive functional test must be performed to verify the safety of the entire system. Verify that the tasks to be performed by the controller were properly implemented by checking the data and signal flows. Perform a thorough functional test of the logic by trial (see Chapter ).

If a user program is modified, only the program components affected by the change need to be tested. To this end, the safe version comparator in SILworX can be used to determine and display all changes relative to the previous version.

Whenever the safety-related controller is started up, the verification and validation requirements specified in the application standards must be observed!

Verifying the Configuration and the User Program

To verify that the user program performs the required safety function, the user must create suitable test cases derived from the system specification.

An independent test of each loop (consisting of input, the key interconnections in the application and output) is usually sufficient. Suitable test cases must also be created for the numerical evaluation of formulas. Equivalence class tests are useful: tests within defined ranges of values, at the limits of ranges, and within invalid ranges of values. The test cases must be selected such that the calculations can be proven to be correct. The required number of test cases depends on the formula used and must include critical value pairs.

HIMA recommends actively performing a simulation with data sources, since this is the only way to prove that the sensors and actuators in the system (including those connected to the system via communication with remote I/Os) are properly wired. This is also the only way to verify the system configuration.

SILworX can be used as a testing aid for:
- checking inputs
- forcing outputs

This procedure must be followed both when initially creating and when modifying the user program.

Resource Parameters

Some parameters defined in SILworX govern the actions permitted during the resource's safety-related operation and are referred to as safety parameters.

WARNING
Physical injury possible due to defective configuration!
Neither the programming system nor the controller can verify project-specific parameters. For this reason, enter these safety parameters correctly and verify the whole entry upon completion of the PES load from within the PES itself.

These parameters are:
- The rack ID, see Chapter 5.1 and the system manual (HI E).
- The Responsible attribute of system bus modules, see Chapter 5.2.

The parameters marked in Table 10 (Settings that may be defined for safety-related operation) are not firmly bound to any specific requirement class. Instead, each of them must be agreed upon with the competent test authority for each separate implementation of the controller.

System Parameters of the Resource

The system parameters of the resource can be set in SILworX, in the Properties dialog box of the resource. In the following list, "S: X" marks a safety-related parameter (see note 1 at the end of Table 10).

Parameter: Name
  Description: Name of the resource.
  Setting for safe operation: Arbitrary.

Parameter: System ID [SRS]
  S: X
  Description: System ID of the resource. The value assigned to the system ID must differ from the default value, otherwise the project cannot run!
  Setting for safe operation: Unique value within the controller network. This network includes all controllers that can potentially be interconnected.

Parameter: Safety Time [ms]
  S: X
  Description: Safety time in milliseconds; default value: 600 ms (changeable online).
  Setting for safe operation: Application-specific.

Parameter: Watchdog Time [ms]
  S: X
  Description: Watchdog time in milliseconds; minimum settable value 6 ms, default value: 200 ms (changeable online).
  Setting for safe operation: Application-specific.

Parameter: Target Cycle Time [ms]
  Description: Targeted or maximum cycle time, see Target Cycle Time Mode; default value: 0 ms. The target cycle time may not exceed the configured Watchdog Time [ms] minus the minimum value that can be set for Watchdog Time [ms] (6 ms, see above); otherwise it is rejected by the PES. If the default value 0 ms is set, the target cycle time is not taken into account. See Chapter (changeable online).
  Setting for safe operation: Application-specific.

Parameter: Target Cycle Time Mode
  Description: Use of Target Cycle Time [ms] (changeable online), see Chapter. Default value: Fixed-tolerant.
  Setting for safe operation: Application-specific.

Parameter: Multitasking Mode
  Description:
  Mode 1: The duration of a CPU cycle is based on the required execution time of all user programs.
  Mode 2: The processor makes execution time that lower-priority user programs do not require available to higher-priority user programs. Operating mode for high availability.
  Mode 3: The processor waits until the execution time not needed by the user programs has expired, thus increasing the cycle.
  Default value: Mode 1.
  Setting for safe operation: Application-specific.

Parameter: Max. Com. Time Slice ASYNC [ms]
  Description: Highest value in ms for the time slice used for communication during a resource cycle, refer to the communication manual (HI E); default value: 60 ms.
  Setting for safe operation: Application-specific.

Parameter: Max. Duration of Configuration Connections [ms]
  Description: Defines how much time within a CPU cycle is available for configuration connections; default value: 12 ms. See Chapter.
  Setting for safe operation: Application-specific.

Parameter: Maximum System Bus Latency [µs]
  Description: Maximum delay of a message between an I/O module and the processor module; default value: 0 µs. A license is required to set the maximum system bus latency to a value > 0.
  Setting for safe operation: Application-specific.

Parameter: Allow Online Settings
  S: X
  Description:
  ON: All the switches/parameters listed below can be changed online using the PADT. This is only valid if the system variable Read-only in RUN has the value OFF.
  OFF: The following parameters may not be changed online: System ID, Autostart, Global Forcing Allowed, Global Force Timeout Reaction, Load Allowed, Reload Allowed, Start Allowed.
  The following parameters may be changed online if Reload Allowed is set to ON: Watchdog Time (for the resource), Safety Time, Target Cycle Time, Target Cycle Time Mode. If Reload Allowed is set to OFF, they are not changeable online.
  Allow Online Settings can only be set to ON via reload or if the PES is stopped.
  Default value: ON.
  Setting for safe operation: OFF is recommended.

Parameter: Autostart
  S: X
  Description:
  ON: If the processor module is connected to the supply voltage, the user program starts automatically.
  OFF: The user program does not start automatically after connecting the supply voltage.
  Default value: OFF.
  Setting for safe operation: Application-specific.

Parameter: Start Allowed
  S: X
  Description:
  ON: A cold start or warm start is permitted with the PADT in RUN or STOP.
  OFF: Start not allowed.
  Default value: ON.
  Setting for safe operation: Application-specific.

Parameter: Load Allowed
  S: X
  Description:
  ON: Configuration download is allowed.
  OFF: Configuration download is not allowed.
  Default value: ON.
  Setting for safe operation: Application-specific.

Parameter: Reload Allowed
  S: X
  Description:
  ON: Configuration reload is allowed.
  OFF: Configuration reload is not allowed. A running reload process is not aborted when switching to OFF.
  Default value: ON.
  Setting for safe operation: Application-specific.

Parameter: Global Forcing Allowed
  S: X
  Description:
  ON: Global forcing is permitted for this resource.
  OFF: Global forcing is not permitted for this resource.
  Default value: ON.
  Setting for safe operation: Application-specific.

Parameter: Global Force Timeout Reaction
  Description: Specifies how the resource should behave when the global force timeout has expired: Stop Forcing Only, or Stop Resource.
  Default value: Stop Forcing Only.
  Setting for safe operation: Application-specific.

Parameter: Minimum Configuration Version
  Description: With this setting, code compatible with previous or newer HIMax operating system versions can be generated in accordance with the project requirements. Default value: SILworX V8 for new projects. See Chapter.
  SILworX V2: The code is generated as in SILworX V2 for HIMax prior to V3.
  SILworX V3: The code is generated as in SILworX V3 for HIMax V3.
  SILworX V4: The code is generated as in SILworX V4 for HIMax V4.
  SILworX V5: The code is generated as in SILworX V5 for HIMax V5.
  SILworX V6: The code is generated as in SILworX V6.48 for HIMax V6.
  SILworX V6b: The code is generated as in SILworX V6.114 for HIMax V6.
  SILworX V7: The code is generated as in SILworX V7 for HIMax V7.
  SILworX V8: The code is generated as in SILworX V8 for HIMax V8.
  Setting for safe operation: Application-specific.

Parameter: Fast Start-Up
  Description: Not applicable to HIMax.
  Setting for safe operation: OFF.

1) An X in the S column means that the parameter is safety-related.

Table 10: Resource System Parameters

Use of the Parameters Target Cycle Time and Target Cycle Time Mode

These parameters can be used to keep the cycle time as close as possible to the Target Cycle Time [ms] value. To do this, Target Cycle Time must be set to a value > 0. HIMax then limits tasks such as reload and synchronization of the redundant modules to ensure that the target cycle time is maintained. The following table describes the effect of Target Cycle Time Mode.

Target Cycle Time Mode: Fixed
  Effect on user programs: The PES maintains the target cycle time and extends the cycle if necessary. If the processing time of the user programs exceeds the target cycle time, the cycle duration is increased.
  Effect on reload, synchronization of processor modules: Reload or synchronization is not processed if the target cycle time is not sufficient.

Target Cycle Time Mode: Fixed-tolerant
  Effect on user programs: The PES maintains the target cycle time and extends the cycle if necessary. If the processing time of the user programs exceeds the target cycle time, the cycle duration is increased.
  Effect on reload, synchronization of processor modules: At most every 5th cycle may be prolonged during reload. One single cycle may be prolonged during synchronization.

Target Cycle Time Mode: Dynamic-tolerant
  Effect on user programs: HIMax executes the cycle as quickly as possible.
  Effect on reload, synchronization of processor modules: At most every 5th cycle may be prolonged during reload. One single cycle may be prolonged during synchronization.

Target Cycle Time Mode: Dynamic
  Effect on user programs: HIMax executes the cycle as quickly as possible.
  Effect on reload, synchronization of processor modules: Reload or synchronization is not processed if the target cycle time is not sufficient.

Table 11: Effect of Target Cycle Time Mode

Calculating the Maximum Duration of Configuration Connections [ms]

If communication is not completely processed within a CPU cycle, it is resumed in the following CPU cycle at the point of interruption. This slows down communication, but it also ensures that all connections to external partners are processed equally and completely.

For firmware HIMax CPU V3, the value of the maximum duration of configuration connections in SILworX is preset to 6 ms. The time required to process communication with external partners may, however, exceed the default value within a CPU cycle.

For firmware HIMax CPU V4 and higher, the value of the maximum duration of configuration connections must be set taking the defined watchdog time into account.

Suitable value: Select the value such that the cyclic processor tasks can be executed within the time resulting from Watchdog Time - Max. Duration of Configuration Connections.

The volume of the configuration data to be communicated depends on the number of configured remote I/Os, the existing connections to PADTs and the system modules with an Ethernet interface. A first setting can be calculated as follows:

For X-CPU 01:
  T_Config = (n_Com + n_RIO + n_PADT) * 0.25 ms + 2 ms + 4 * T_Latency / 1000

For X-CPU 31:
  T_Config = (n_Com + n_RIO + n_PADT) * 0.25 ms + n_PADT * 1 ms + 2 ms + 4 * T_Latency / 1000

Where:
  T_Config   System parameter Max. Duration of Configuration Connections [ms]
  n_Com      Number of modules with Ethernet interfaces {SB, CPU, COM}
  n_RIO      Number of configured remote I/Os
  n_PADT     Maximum number of PADT connections = 5
  T_Latency  The system parameter Maximum System Bus Latency [µs]; it is divided by 1000 so that the calculation is in ms

If the calculated value is less than 6 ms, it is rounded up to 6 ms.

The calculated value can either be entered in the properties of the resource or set directly online based on the figure gathered in the online statistics. When generating the code or converting the project, the PADT displays a warning if the value defined for Max. Duration of Configuration Connections is less than the value resulting from the formula above. If Max. Duration of Configuration Connections is set too low, communication between PADT and PES runs very slowly and may even fail!

Notices concerning the Minimum Configuration Version parameter:
- In a new project, the latest Minimum Configuration Version is selected. Verify that this setting is in accordance with the operating system version in use.
- In a project converted from a previous SILworX version, the value for Minimum Configuration Version remains the value set in the previous version.
This ensures that the configuration CRC does not change during code generation and that the generated configuration is compatible with the operating systems of the modules. For this reason, the value of Minimum Configuration Version should only be changed in connection with other changes to the affected resource.
- If features only available in higher configuration versions are used in the project, SILworX automatically generates a higher configuration version than the preset Minimum Configuration Version. SILworX indicates this at the end of code generation. The modules reject loading higher configuration versions that do not match their operating system. To remove such incompatibilities, it can be helpful to compare the information provided by the version comparator with the overview of the module data.
- If X-CPU 31 processor modules are used, Minimum Configuration Version must be set to SILworX V6 or higher.
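The text states three constraints between resource parameters that the PES and PADT only partly check: the target cycle time must not exceed Watchdog Time minus 6 ms (rejected by the PES), Max. Duration of Configuration Connections should not be below the calculated T_Config (PADT warning only), and the cyclic processor tasks must fit into Watchdog Time minus T_Config (not checked at all). The following is an added example, not HIMA or SILworX code, that evaluates the T_Config formula for both processor module types and checks all three constraints offline. The dictionary layout, the function names and the field worst_cycle_ms (a measured worst-case cycle time) are assumptions of this example; the constants are taken from the text above.

```python
# Added example (not HIMA/SILworX code): offline consistency check of the
# resource system parameters described above. The dict keys, function names
# and "worst_cycle_ms" are assumptions of this example.

WATCHDOG_MIN_MS = 6.0   # smallest settable Watchdog Time [ms] (Table 10)
T_CONFIG_MIN_MS = 6.0   # a calculated T_Config below 6 ms is rounded up to 6 ms
N_PADT_MAX = 5          # maximum number of PADT connections used in the formula


def t_config_ms(cpu, n_com, n_rio, t_latency_us, n_padt=N_PADT_MAX):
    """First setting for Max. Duration of Configuration Connections [ms].

    n_com: modules with Ethernet interfaces {SB, CPU, COM}
    n_rio: configured remote I/Os
    t_latency_us: Maximum System Bus Latency [us]; divided by 1000 to get ms
    """
    t = (n_com + n_rio + n_padt) * 0.25 + 2.0 + 4 * t_latency_us / 1000.0
    if cpu == "X-CPU 31":
        t += n_padt            # additional n_PADT ms term for X-CPU 31
    elif cpu != "X-CPU 01":
        raise ValueError(f"unknown processor module: {cpu}")
    return max(t, T_CONFIG_MIN_MS)


def check_resource(p):
    """Return a list of (level, parameter, message) findings for resource p.

    REJECT: the PES refuses the value.  WARN: the PADT warns at code
    generation.  ERROR: a rule the PES cannot check for you.
    """
    findings = []
    wd = float(p["watchdog_ms"])
    tct = float(p.get("target_cycle_ms", 0))
    tc = float(p["max_config_conn_ms"])

    if wd < WATCHDOG_MIN_MS:
        findings.append(("REJECT", "Watchdog Time",
                         f"{wd} ms is below the minimum of {WATCHDOG_MIN_MS} ms"))

    # Target Cycle Time may not exceed Watchdog Time - 6 ms (0 = not used).
    limit = wd - WATCHDOG_MIN_MS
    if tct > 0 and tct > limit:
        findings.append(("REJECT", "Target Cycle Time",
                         f"{tct} ms exceeds Watchdog Time - {WATCHDOG_MIN_MS} ms = {limit} ms"))

    # PADT warning if the configured value is below the calculated first setting.
    required = t_config_ms(p["cpu"], p["n_com"], p["n_rio"], p["t_latency_us"])
    if tc < required:
        findings.append(("WARN", "Max. Duration of Configuration Connections",
                         f"{tc} ms is below the calculated {required:.2f} ms; "
                         "PADT communication will be slow or fail"))

    # Cyclic processor tasks must fit into Watchdog Time - T_Config.
    budget = wd - tc
    worst = float(p["worst_cycle_ms"])
    if worst > budget:
        findings.append(("ERROR", "Watchdog Time",
                         f"worst-case cycle {worst} ms does not fit into "
                         f"Watchdog Time - T_Config = {budget} ms"))
    return findings


# Constructed sample resource (not taken from a real project).
SAMPLE_RESOURCE = {
    "cpu": "X-CPU 31",
    "n_com": 2,               # e.g. CPU and COM module with Ethernet interfaces
    "n_rio": 10,
    "t_latency_us": 0,
    "watchdog_ms": 200,       # Table 10 default
    "target_cycle_ms": 195,   # deliberately above 200 ms - 6 ms
    "max_config_conn_ms": 6,  # deliberately below the calculated 11.25 ms
    "worst_cycle_ms": 150,
}

if __name__ == "__main__":
    for level, param, msg in check_resource(SAMPLE_RESOURCE):
        print(f"{level:6} {param}: {msg}")
```

Run against the constructed sample, the check reports the rejected target cycle time and the too-small configuration connection time; setting Target Cycle Time to 0 and Max. Duration of Configuration Connections to the 12 ms default clears both findings while the 150 ms worst-case cycle still fits into the remaining 188 ms.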

Rack System Variables

These variables are used to change the behavior of the controller while it is operating in specific states.

System variable: Force Deactivation
  Function: Used to prevent forcing and to stop it immediately.
  Default setting: OFF
  Setting for safe operation: Application-specific

System variable: Spare 0 ... Spare 16
  Function: No function.
  Default setting: -
  Setting for safe operation: -

System variable: Emergency Stop 1 ... Emergency Stop 4
  Function: To shut down the controller if faults are detected by the user program.
  Default setting: OFF
  Setting for safe operation: Application-specific

System variable: Read-only in RUN
  Function: After starting the controller, the access permissions are downgraded to Read-Only. Exceptions are forcing and reload.
  Default setting: OFF
  Setting for safe operation: Application-specific

System variable: Reload Deactivation
  Function: Locks the execution of reload.
  Default setting: OFF
  Setting for safe operation: Application-specific

Table 12: System Variables of Racks

In the SILworX Hardware Editor, these system variables may be assigned global variables whose value is modified by a physical input or by the user program logic.

Simple Example: Locking and Unlocking the PES

Locking the PES locks all functions and prevents users from accessing them during operation. This also protects against unauthorized manipulation of the user program. Unlocking the PES deactivates any locks previously set (e.g., to perform work on the controller).

The three system variables Read-only in RUN, Reload Deactivation and Force Deactivation may be used to lock the PES, see Table 12. If all three system variables are ON, no access to the controller is possible. In this case, the controller can only be put into the STOP state by restarting all processor modules with the mode switch in the Init position. Loading a new user program is then possible.

The example describes a simple case in which a single key is used to block or permit all interventions on the PES.

Example: To make a controller lockable
1. Define a global variable of type BOOL and set its initial value to FALSE.
2. Assign the global variable as output variable to the three system variables Read-only in RUN, Reload Deactivation and Force Deactivation.
3. Assign the global variable to the channel value of a digital input.
4. Connect a key switch to the digital input.
5. Compile the program, load it onto the controller, and start it.

The owner of a corresponding key is able to lock and unlock the controller. If the corresponding digital input module fails, the controller is automatically unlocked. The lock therefore fails open: a fault in the input module removes the protection, so physical and organizational access controls for the PES remain necessary.

This simple example can be extended using multiple global variables, digital inputs and key switches. The permissions for forcing, reload and other operating functions can be distributed across different keys and persons.

Forcing

Forcing is the procedure by which a variable's current value is replaced with a force value. The variable normally receives its current value from a physical input, from communication or from a logic operation. If the variable is forced, its value no longer depends on the process but is defined by the user.

WARNING
Failure of safety-related operation possible due to forced values!
Forced values may lead to incorrect output values. Forcing prolongs the cycle time, which can cause the watchdog time to be exceeded.
Forcing is only permitted after receiving consent from the test authority responsible for the acceptance test. When forcing values, the person in charge must take further technical and organizational measures to ensure that the process is sufficiently monitored in terms of safety. HIMA recommends setting a time limit for the forcing procedure.

Refer to the system manual (HI E) for further details on forcing.

Forcing of Data Sources

Changing the assignment of a forced global variable to one of the following data sources can lead to unexpected results:
- Physical inputs
- Communication protocols
- System variables

The following sequence of actions causes a variable to be unintentionally forced:
1. A global variable A is assigned to one of the data sources listed above and is forced. Forcing A actually forces the data source itself!
2. The assignment is removed. The data source retains the property Forced.
3. The data source is assigned another global variable (global variable B).
4. A reload is performed to load the project change into the PES. The newly assigned variable B is now forced, even though this was not intended!

Workaround: Stop forcing variable A before changing the assignment. Which channels are forced is displayed in the channel view of the Force Editor.

Global variables whose data source is the user program retain the forced setting whenever an assignment is changed.

Safe Version Comparison

The safe SILworX version comparison compares the following resource configuration types with one another:
- Resource configuration loaded into the controller
- Resource configuration existing in the PADT
- Exported (archived) resource configuration
The comparison result achieves SIL 3, since it is derived from the loadable files and includes the CRCs. To verify program changes, the safe version comparison must be started before loading the program into the controller. It exactly determines the changed parts of the resource configuration. This, in turn, facilitates testing the changes and identifying the test data, and the result may be submitted to the inspection authority as proof of the change.

Structured programming and the use of meaningful names from the first configuration version on facilitate understanding of the comparison result.

For details on the safe version comparison, refer to the corresponding manual (HI E).
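The four-step sequence in "Forcing of Data Sources" above is easy to get wrong because the Forced property belongs to the channel, not to the global variable shown in the logic. The following added example, which is a model written for this page and not SILworX code, reproduces that behavior: the force is stored on the data source, an unassign/reassign carries it over to the new variable, and the workaround (stop forcing before reassigning) clears it. The class and method names (DataSource, Project, reload, forced_channels) and the channel name "DI.01" are assumptions of this example.

```python
# Added example (not HIMA/SILworX code): model of the force state described
# in "Forcing of Data Sources". Names are assumptions of this example; the
# modelled rule is that the Forced property sticks to the data source.

class DataSource:
    """A physical input, communication datum or system variable."""
    def __init__(self, name):
        self.name = name
        self.variable = None     # global variable assigned in the Hardware Editor
        self.forced = False
        self.force_value = None


class Project:
    def __init__(self, source_names):
        self.sources = {n: DataSource(n) for n in source_names}

    def _source_of(self, variable):
        for src in self.sources.values():
            if src.variable == variable:
                return src
        raise KeyError(f"{variable} is not assigned to any data source")

    def assign(self, source, variable):
        self.sources[source].variable = variable

    def unassign(self, source):
        self.sources[source].variable = None   # the Forced property stays!

    def force(self, variable, value):
        src = self._source_of(variable)        # forcing the variable forces the channel
        src.forced, src.force_value = True, value

    def stop_forcing(self, variable):
        src = self._source_of(variable)
        src.forced, src.force_value = False, None

    def forced_channels(self):
        """What the channel view of the Force Editor would list."""
        return [(s.name, s.variable, s.force_value)
                for s in self.sources.values() if s.forced]

    def reload(self):
        """Global variables that are forced once the change is loaded into the PES."""
        return {s.variable: s.force_value
                for s in self.sources.values() if s.forced and s.variable}


def unintended_forcing():
    """The four-step sequence from the text: B ends up forced."""
    prj = Project(["DI.01"])
    prj.assign("DI.01", "A")      # 1. A assigned to a physical input ...
    prj.force("A", True)          #    ... and forced: this forces the channel
    prj.unassign("DI.01")         # 2. assignment removed, channel stays forced
    prj.assign("DI.01", "B")      # 3. channel assigned to B
    return prj.reload()           # 4. reload: B is forced without anyone forcing it


def workaround():
    """Stop forcing A before changing the assignment."""
    prj = Project(["DI.01"])
    prj.assign("DI.01", "A")
    prj.force("A", True)
    prj.stop_forcing("A")         # clear the force on the channel first
    prj.unassign("DI.01")
    prj.assign("DI.01", "B")
    return prj.reload()


def orphaned_force():
    """State after step 2: a forced channel with no variable, as the Force Editor shows it."""
    prj = Project(["DI.01"])
    prj.assign("DI.01", "A")
    prj.force("A", True)
    prj.unassign("DI.01")
    return prj.forced_channels()
```

The orphaned_force() view is the one to check before any reload that changes I/O assignments: a forced channel with no variable is exactly the state that later forces variable B.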

11 User Program

This chapter describes the safety-related aspects that are important for the user programs.

General Sequence

General sequence for programming HIMax automation devices for safety-related applications:
1. Specify the controller functionality.
2. Write the user program.
3. Compile the user program: the user program is error-free and can run.
4. Verify and validate the user program.

Upon completing these steps, the user program can be tested and the PES can begin safe operation.

Scope for Safety-Related Use

(For more on specifications, regulations and explanation of safety requirements, see Chapter 3.4.)

The user program must be written using the SILworX programming tool. For details on the operating system released for the personal computer, refer to the release documentation for the SILworX version to be used.

The SILworX programming tool includes the following functions:
- Input (Function Block Editor, Structured Text Editor), monitoring and documentation
- Global variables with symbolic names and data types (BOOL, UINT, etc.)
- Assignment of HIMax controllers (Hardware Editor)
- Compilation of the user program into a format that can be loaded into the PES
- Communication configuration

Programming Basics

The tasks to be performed by the controller should be defined in a specification or a requirements specification. This documentation serves as the basis for checking the proper implementation of the tasks in the user program. The specification format depends on the tasks to be performed. These include:

Combinational logic
- Cause/effect diagram
- Logic of the connection with functions and function blocks
- Function blocks with specified characteristics

Sequential controllers (sequence control system)
- Written description of the steps and their enabling conditions and of the actuators to be controlled
- Flow charts
- Matrix or table form of the step enabling conditions and the actuators to be controlled
- Definition of constraints, e.g., operating modes, EMERGENCY STOP, etc.

The I/O concept of the system must include the analysis of the field circuits, i.e., the type of sensors and actuators:

Sensors (digital or analog)
- Signals during normal operation (de-energize-to-trip principle with digital sensors, 'live zero' with analog sensors)
- Signals in the event of a fault
- Definition of safety-related redundancies required for safety (1oo2, 2oo3)
- Monitoring of discrepancy and reaction

Actuators
- Positioning and activation during normal operation
- Safe reaction/positioning at shutdown or after power loss

Programming objectives for the user program:
- Easy to understand
- Easy to trace and follow
- Easy to test
- Easy to modify

Functions of the User Program

Programming is not subject to hardware restrictions; the user program functions can be freely programmed. When programming, account for the de-energize-to-trip principle for the physical inputs and outputs. Only elements complying with IEC together with their functional requirements are permitted within the logic.

The physical inputs and outputs usually operate in accordance with the de-energize-to-trip principle, i.e., their safe state is 0. The user program may be built of logic and/or arithmetic functions irrespective of the de-energize-to-trip principle of the physical inputs and outputs.

The program logic should be clear, easy to understand and well documented to assist in debugging. This includes the use of functional diagrams. To simplify the logic, the inputs and outputs of all function blocks and variables can be inverted in any given order. The programmer must evaluate the fault signals from the inputs/outputs or from logic blocks.

HIMA recommends encapsulating functions in user-specific function blocks and functions based on standard functions. This ensures that a user program can be clearly structured in modules (functions, function blocks). Each module can be viewed and tested on an individual basis. By grouping smaller modules into larger ones and then all together into a single user program, the user effectively creates a comprehensive, complex function.
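The I/O concept above asks for three things in one loop: a voting architecture (1oo2, 2oo3), evaluation of the fault signals the input modules deliver, and discrepancy monitoring with a defined reaction, all under the de-energize-to-trip rule that the safe state of an output is 0. The following added example, written for this page and not HIMA code, models such an encapsulated function block in Python so it can be tested stand-alone: a 2oo3 trip vote that degrades to 1oo2 with a warning when one channel is faulty and trips when two are faulty (the rule stated for the gas detector module earlier in this manual), plus a discrepancy monitor that forces the safe state if healthy channels disagree for longer than a configured number of cycles. The names Channel, vote_2oo3, DiscrepancyMonitor and cycle, and the choice to react to a sustained discrepancy by tripping, are assumptions of this example.

```python
# Added example (not HIMA code): model of a 2oo3 voting block with fault
# degradation and discrepancy monitoring under de-energize-to-trip.
from dataclasses import dataclass

SAFE_STATE = False   # de-energize-to-trip: the safe state of a physical output is 0


@dataclass
class Channel:
    demand: bool   # TRUE when the sensor reports a trip demand (e.g. gas above the limit)
    fault: bool    # TRUE when the input module flags the channel (open circuit, live-zero violation)


def vote_2oo3(channels):
    """Return (output, warning) for three input channels.

    output is the value for the safety output: FALSE = trip, TRUE = energized.
    Three healthy channels vote 2oo3. One faulty channel: warning, the two
    healthy channels vote 1oo2. Two or more faulty channels: trip.
    """
    healthy = [c for c in channels if not c.fault]
    if len(healthy) < 2:
        return SAFE_STATE, True
    if len(healthy) == 2:
        return not any(c.demand for c in healthy), True
    return sum(c.demand for c in healthy) < 2, False


class DiscrepancyMonitor:
    """Counts consecutive cycles in which the healthy channels disagree.

    A disagreement that persists for more than max_cycles is reported as a
    discrepancy fault; the caller decides the reaction (here: safe state).
    """
    def __init__(self, max_cycles):
        self.max_cycles = max_cycles
        self.count = 0

    def update(self, channels):
        healthy = {c.demand for c in channels if not c.fault}
        self.count = self.count + 1 if len(healthy) > 1 else 0
        return self.count > self.max_cycles


def cycle(channels, monitor):
    """One PES cycle of the loop: returns (output, warning, discrepancy)."""
    discrepancy = monitor.update(channels)
    output, warning = vote_2oo3(channels)
    if discrepancy:
        output = SAFE_STATE          # assumed reaction: trip on sustained discrepancy
    return output, warning or discrepancy, discrepancy


if __name__ == "__main__":
    # Constructed input sequence: one sensor reports a demand the other two do not.
    monitor = DiscrepancyMonitor(max_cycles=2)
    inputs = [Channel(True, False), Channel(False, False), Channel(False, False)]
    for n in range(4):
        print(n + 1, cycle(inputs, monitor))
```

With three healthy channels a single demand does not trip the output (2oo3), but the monitor counts the disagreement; from the third cycle on the block applies the safe state and raises the warning, which is the point at which a real program would also report the suspect loop for maintenance. The same block, with only fault flags changed, shows the degradation to 1oo2 and the trip on two faults.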

System Parameters of the User Program

The following user program switches and parameters can be set in the Properties dialog box of the user program:

Parameter: Name
  Function: Name of the user program.
  Default value: User-defined
  Setting for safe operation: -

Parameter: Program ID
  Function: ID for identifying the program when displayed in SILworX. If Code Generation Compatibility is set to SILworX V2, only the value 1 is permitted.
  Default value: 0
  Setting for safe operation: Application-specific

Parameter: Max. Duration for Each Cycle [µs]
  Function: Maximum time in each processor module cycle for executing the user program, in µs. Set to 0: no limitation.
  Default value: 0 µs
  Setting for safe operation: Application-specific

Parameter: Watchdog Time [ms] (calculated)
  Function: Monitoring time of the user program, calculated from the maximum number of cycles and the watchdog time of the resource. Not changeable!
  Default value: -
  Setting for safe operation: -

Parameter: Classification
  Function: Classification of the user program: Safety-related or Standard (for documentation only).
  Default value: -
  Setting for safe operation: Safety-related

Parameter: Allow Online Settings
  Function: Enables changes to the other user program switches during operation. It only applies if the Allow Online Settings switch for the resource is set to ON!
  Default value: ON
  Setting for safe operation: OFF is recommended

Parameter: Autostart
  Function: Enabled type of autostart: Cold Start, Warm Start, Off.
  Default value: Cold Start
  Setting for safe operation: Application-specific

Parameter: Start Allowed
  Function: ON: The PADT may be used to start the user program. OFF: The PADT may not be used to start the user program.
  Default value: ON
  Setting for safe operation: Application-specific

Parameter: Test Mode Allowed
  Function: ON: The test mode is permitted for the user program. OFF: The test mode is not permitted for the user program.
  Default value: OFF
  Setting for safe operation: OFF (see Test Mode below) 1)

Parameter: Reload Allowed
  Function: ON: User program reload is permitted. OFF: User program reload is not permitted.
  Default value: ON
  Setting for safe operation: Application-specific

Parameter: Local Forcing Allowed
  Function: ON: Forcing permitted at program level. OFF: Forcing not permitted at program level.
  Default value: OFF
  Setting for safe operation: Application-specific

Parameter: Local Force Timeout Reaction
  Function: Behavior of the user program after the forcing time has expired: Stop Forcing Only, or Stop Program.
  Default value: Stop Forcing Only
  Setting for safe operation: Application-specific

Parameter: Priority
  Function: Priority of the user program.
  Setting for safe operation: Application-specific

Parameter: Program's Maximum Number of CPU Cycles
  Function: Maximum number of CPU cycles that a user program cycle may encompass.
  Default value: 1
  Setting for safe operation: Application-specific

Parameter: Code Generation Compatibility
  Function: Code generation is compatible with previous versions of SILworX.
  SILworX V7 and higher: Code generation is compatible with SILworX V7.
  SILworX V4 ... V6b: Code generation is compatible with SILworX V4 up to SILworX V6b.
  SILworX V3: Code generation is compatible with SILworX V3.
  SILworX V2: Code generation is compatible with SILworX V2.
  Default value: SILworX V7 and higher for new projects
  Setting for safe operation: Application-specific

1) Once test operation is completed, a cold start of the program is necessary prior to starting safety-related operation!

Table 13: System Parameters of the User Program

Notes specific to the Code Generation Compatibility parameter:
- In a new project, SILworX selects the latest value for the Code Generation Compatibility parameter. This ensures that the current, enhanced features are activated and the latest module and operating system versions are supported. Verify that this setting is in accordance with the hardware in use.
- In a project converted from a previous SILworX version, the value for Code Generation Compatibility remains the value set in the previous version. This ensures that the configuration CRC does not change during code generation and that the generated configuration is compatible with the operating systems of the modules. For this reason, the value of Code Generation Compatibility should not be changed for converted projects.
- If a Minimum Configuration Version of SILworX V4 or higher is set for a resource (see above), the Code Generation Compatibility parameter must be set to SILworX V4 in every user program.

Code Generation

The code is generated after entering the complete user program and the I/O assignments of the controller. The code generator creates the configuration CRC. This is a signature for the entire configuration, issued as a 32-bit hexadecimal code.
It covers all configurable or modifiable elements such as the logic, variables and switch/parameter settings.

Before loading a user program for safety-related operation, the user program must first be compiled twice, and the two generated versions must have the same CRC. By default, SILworX automatically compiles the resource configuration twice and compares the checksums. The result of the CRC comparison is displayed in the Logbook. By compiling the user program twice and comparing the checksums of the generated code, the user can detect corruption of the user program resulting from random faults in the hardware or operating system of the PC in use. Two runs of the same systematically faulty or manipulated tool chain produce identical CRCs, so this check covers random faults only; the safe version comparison and the functional tests described above remain necessary.

Loading and Starting the User Program

The configuration can only be loaded into the PES of the HIMax system by performing a download if the PES has been set to the STOP state beforehand.
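Two mechanisms in this chapter rest on the configuration CRC: the double code generation with checksum comparison just described, and the safe version comparison (section "Safe Version Comparison" above), which reports exactly the changed parts of a resource configuration. The following added example is a model written for this page, not SILworX's generator or comparator: it computes a 32-bit CRC over a canonical serialization of a constructed configuration, runs the generation twice and compares the CRCs (including a constructed fault model in which the second run flips one bit, which is the kind of random PC fault the double compilation is meant to catch), and lists the differing elements between two configuration versions by path. The configuration layout, the function names and the sample values are assumptions of this example; only the 32-bit CRC and the two-run comparison come from the text.

```python
# Added example (not HIMA/SILworX code): model of configuration CRC,
# double code generation and version comparison. Layout and names are
# assumptions of this example.
import json
import zlib


def generate(config):
    """Model of one code-generation run: a deterministic canonical image."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode("utf-8")


def configuration_crc(image):
    """32-bit CRC over the generated image (SILworX shows it as 8 hex digits)."""
    return zlib.crc32(image) & 0xFFFFFFFF


def generate_twice(config, generator=generate):
    """Run the generator twice and compare the CRCs: (crc1, crc2, identical)."""
    crc1 = configuration_crc(generator(config))
    crc2 = configuration_crc(generator(config))
    return crc1, crc2, crc1 == crc2


def flaky_generator():
    """Constructed fault model: the second run flips one bit of the image."""
    calls = {"n": 0}

    def gen(config):
        calls["n"] += 1
        image = bytearray(generate(config))
        if calls["n"] == 2:
            image[0] ^= 0x01
        return bytes(image)
    return gen


def compare_versions(old, new, path=""):
    """List (kind, path) for every element that differs between two configurations."""
    diffs = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            p = f"{path}/{key}"
            if key not in old:
                diffs.append(("added", p))
            elif key not in new:
                diffs.append(("removed", p))
            else:
                diffs.extend(compare_versions(old[key], new[key], p))
    elif old != new:
        diffs.append(("changed", path))
    return diffs


# Constructed sample resource configurations (not real SILworX exports).
VERSION_1 = {
    "resource": {"system_id": 12, "watchdog_ms": 200, "safety_time_ms": 600},
    "programs": {"ESD": {"logic": "AND(gas_2oo3, fire_1oo2)", "reload_allowed": True}},
    "io": {"DI.01": "gas_1", "DI.02": "gas_2", "DI.03": "gas_3"},
}
VERSION_2 = {
    "resource": {"system_id": 12, "watchdog_ms": 250, "safety_time_ms": 600},
    "programs": {"ESD": {"logic": "AND(gas_2oo3, fire_1oo2)", "reload_allowed": False}},
    "io": {"DI.01": "gas_1", "DI.02": "gas_2", "DI.03": "gas_3", "DI.04": "fire_1"},
}

if __name__ == "__main__":
    print("double generation:", [f"{c:08X}" for c in generate_twice(VERSION_1)[:2]])
    print("with fault model: ", generate_twice(VERSION_1, flaky_generator())[2])
    for kind, path in compare_versions(VERSION_1, VERSION_2):
        print(f"{kind:8} {path}")
```

The comparison output is what a test plan for a reload would be built from: each changed path names a part of the configuration that needs a test case, and nothing else does. The CRC check and the comparison are independent; an identical CRC on two runs says the generation was not disturbed, while the path list says what changed between versions.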

A load process includes all user programs of the resource configuration. The system monitors that the resource configuration is loaded completely. Afterwards, the user programs can be started, i.e., the routine begins to be processed in cycles.

i  The PADT is only able to operate the resource, e.g., by performing a reload and forcing, if the project loaded in the resource is opened in SILworX. Without the project in SILworX, only a STOP of the resource is possible!

HIMA recommends performing a project data backup, e.g., on an external data storage medium, after the user programs are loaded into the controller, also in the case of a reload. This ensures that the project data corresponding to the configuration loaded into the controller remains available even if the PADT fails. HIMA recommends performing a data backup on a regular basis, also independently of the program load.

Reload

If user programs were modified, the changes can be transferred to the PES during operation. After being tested by the operating system, the modified user program is activated and assumes the control task.

i  Observe the following points when reloading step sequences:
The reload information for step sequences does not take the current sequence status into account. A step sequence can therefore be changed and set to an undefined state by performing a reload. The user is responsible for this action. Examples:
- Deleting the active step. As a result, no sequence step has the active state.
- Renaming the initial step while another step is active. As a result, a sequence has two active steps!

i  Observe the following points when reloading actions:
During the reload, actions are loaded with their corresponding data. All potential consequences must be carefully analyzed prior to performing a reload. Examples:
- If a timer action qualifier is deleted due to the reload, the timer expires immediately. Depending on the remaining settings, the Q outputs can therefore be set to TRUE.
- If the status action qualifier (e.g., the S action qualifier) is deleted for a set element, the element remains set.
- Deleting a P0 action qualifier set to TRUE actuates the trigger function.

Prior to performing a reload, the operating system checks whether the required additional tasks would increase the cycle time of the current user programs to such an extent that the defined watchdog time is exceeded. In this case, the reload process is aborted with an error message and the controller continues operation with the previous resource configuration.

i  The controller can abort a reload. A successful reload is ensured by planning a sufficient reserve for the reload when determining the watchdog time, or by temporarily increasing the controller watchdog time by a reserve. Any temporary increase of the watchdog time must be agreed upon with the competent test authority. Exceeding the target cycle time can also result in a reload abort.

The reload can only be performed if the Reload Allowed system parameter is set to ON and the Reload Deactivation system variable is set to OFF.

i  The user is responsible for ensuring that the watchdog time includes a sufficient reserve. This should allow the user to manage the following situations:
- Variations in the user program's cycle time
- Sudden, strong cycle loads, e.g., due to communication
- Expiration of time limits during communication
For more details on the watchdog time, refer to Chapter .

Online Test

Online test fields (OLT fields) can be used in the user program logic to display variables while the controller is operating. For more information on how to use OLT fields, search for "OLT field" in the SILworX online help and refer to the SILworX first steps manual (HI E).

Test Mode

To diagnose faults, a user program operating in test mode can be run in single steps, i.e., cycle by cycle. Each cycle is triggered by a command from the PADT. Between two cycles, the global variables written by the user program remain frozen. The assigned physical outputs and communication data therefore no longer respond to changes in the process!

This function can only be used if the Test Mode Allowed system parameter is set to ON in the corresponding user program.

State: OFF  Description: Test mode is not possible (default setting).
State: ON   Description: Test mode is possible.

Table 14: User Program Switch Test Mode Allowed

NOTICE
Failure of safety-related operation possible!
If the user program is frozen in test mode, it cannot provide a safety-related response to inputs and thus cannot control the outputs! The values of the outputs cannot change in test mode. For this reason, test mode is not allowed during safety-related operation! For safety-related operation, the Test Mode Allowed parameter must be set to OFF!

Changing the System Parameters during Operation
The system parameters listed in Table 15 may be changed during operation (online). A typical application is the temporary increase of the watchdog time in order to perform a reload.

Prior to using an online command to set parameters, make sure that the change will not result in a dangerous state of the plant. If required, organizational and/or technical measures must be taken to preclude any damage. The application standards must be observed!

The safety time and watchdog time values must be checked and compared with the safety time required by the application and with the actual cycle time. These values cannot be verified by the PES! The controller ensures that the watchdog time is not set to a value below the watchdog time of the configuration loaded in the PES.

Parameter                          Changeable in this PES state
System ID                          STOP
Watchdog Time (for the resource)   RUN, STOP/VALID CONFIGURATION
Safety Time                        RUN, STOP/VALID CONFIGURATION
Target Cycle Time                  RUN, STOP/VALID CONFIGURATION
Target Cycle Time Mode             RUN, STOP/VALID CONFIGURATION
Allow Online Settings              ON -> OFF: All; OFF -> ON: STOP
Autostart                          All
Start Allowed                      All
Load Allowed                       All
Reload Allowed                     All
Global Forcing Allowed             All
Global Force Timeout Reaction      All
Table 15: Online Changeable Parameters

System parameters may also be changed during operation by performing a reload.

Project Documentation for Safety-Related Applications
SILworX allows the user to print the documentation for a project automatically. The most important document types include:
- Interface declaration
- Signal list
- Logic
- Description of data types
- Configurations for system, modules and system parameters
- Network configuration
- List of signal cross-references
This documentation is required for the factory acceptance test (FAT) of a system subject to approval by a test authority (e.g., TÜV).

Multitasking
Multitasking refers to the capability of the HIMax system to process up to 32 user programs within the processor module. The individual user programs can be started and stopped independently of one another.

A user program cycle can take multiple processor module cycles. This is controlled with the resource and user program parameters. SILworX uses these parameters to calculate the user program watchdog time:

Watchdog Time (user program) = Watchdog Time (processor module) * Maximum Number of Cycles

Operation of the individual user programs is usually interference-free and independent of one another. However, reciprocal influence can be caused by:
- Use of the same global variables in several user programs.
- Unpredictably long runtimes in individual user programs if no limit is configured with Max Duration for Each Cycle.

The distribution of a user program cycle over processor module cycles strongly affects the user program response time and the response time of the variables written by the user program! A user program evaluates global variables written by another user program only after at least one processor module cycle. Depending on the value set for Program's Maximum Number of CPU Cycles in the programs involved, the reading process may be delayed by many processor module cycles. The reaction to changes of such global variables is thus delayed!

Refer to the system manual (HI E) for details on multitasking.

Factory Acceptance Test and Test Authority
HIMA recommends involving the test authority as early as possible when designing a system that is subject to approval. The factory acceptance test (FAT) only covers the user functionality, not the safety-related modules and automation devices of the HIMax system, which have already been approved.

Checklist for Creating a User Program
To comply with all safety-related aspects during the programming phase, HIMA recommends working through the checklist for creating a user program before and after loading a new or modified program. The checklist can be used as a planning aid as well as to demonstrate later that the planning phase was carefully completed. The checklist is available in Microsoft Word format on the HIMA website.

12 Communication Configuration
In addition to the physical input and output variables, variable values can also be exchanged with other systems through a data connection. In this case, the variables are declared with SILworX in the Protocols area of the corresponding resource.

12.1 Standard Protocols
Many communication protocols only provide non-safety-related data transmission. These protocols can be used for the non-safety-related aspects of an automation task.

WARNING
Physical injury possible due to the use of unsafe imported data!
Do not use data imported from unsafe sources for the user program's safety functions.

The following standard protocols are available:
On the Ethernet interfaces of the communication module:
- Modbus TCP (master/slave)
- Modbus, redundant (slave)
- SNTP
- Send/Receive TCP
- PROFINET IO (controller, device)
On the fieldbus interfaces (RS485) of the communication module, depending on the device model:
- Modbus (master/slave)
- Modbus, redundant (slave)
- PROFIBUS DP (master/slave)

12.2 Safety-Related Protocol: safeethernet
Safety-related communication via safeethernet is certified up to SIL 3. Use the safeethernet Editor to configure how safety-related communication is monitored. Refer to the communication manual (HI E) for further details on safeethernet.

Note: The safe state may be entered inadvertently. Receive Timeout and Production Rate are safety-related parameters!

Receive Timeout is the monitoring time within which a correct response from the other PES must be received. If a correct response is not received from the communication partner within Receive Timeout, HIMax terminates the safety-related communication. The input variables of this safeethernet connection then react in accordance with the preset parameter Freeze Data on Lost Connection [ms]. The Use Initial Data setting may only be used for safety-related functions implemented via safeethernet.

In the following equations for determining the worst case reaction time, the target cycle time can be used instead of the watchdog time if it is guaranteed that the processor module maintains the target cycle time, even during reload and synchronization.

In this case, the following requirements apply to the Fixed-tolerant or Dynamic-tolerant settings of Target Cycle Time Mode:
1. Watchdog Time >= 1.5 * Target Cycle Time
2. Receive Timeout >= 5 * Target Cycle Time + 4 * Latency
   Latency refers to the delay on the transport path.
3. For reload, there is either just one user program, or several user programs whose cycle is limited to a single processor module cycle.

Worst Case Reaction Time for safeethernet
Note: In the following examples, the formulas for calculating the worst case reaction time only apply to a connection with HIMatrix controllers if their programming does not include noise blanking. The formulas always apply to HIMax controllers.

The allowed worst case reaction time depends on the process and must be agreed upon with the competent test authority.

Terms
Receive Timeout: Monitoring time of PES 1 within which a correct response from PES 2 must be received. Otherwise, safety-related communication is terminated once this time has expired.
Production Rate: Minimum interval between two data transmissions.
Watchdog Time: Maximum duration permitted for a controller's RUN cycle. The duration of the RUN cycle depends on the complexity of the user program and the number of safeethernet connections. The watchdog time (WDT) must be entered in the resource properties.
Worst Case Reaction Time: The time between a change in a physical input signal (in) of PES 1 and a reaction on the corresponding output (out) of PES 2.
Delay: Delay on a transport path, e.g., with a modem or satellite connection. For direct connections, an initial delay of 2 ms can be assumed. The responsible network administrator can measure the actual delay on a transport path.

The following conditions apply to the calculations of the maximum reaction times specified below:
- The signals transmitted over safeethernet must be processed in the corresponding controllers within one CPU cycle.
- The reaction time of the sensors and actuators must be added.
- The calculations also apply to signals in the opposite direction.

Calculating the Worst Case Reaction Time of 2 HIMax Controllers
The worst case reaction time T_R is the time between a change on the sensor input signal (in) of controller 1 and a reaction on the corresponding output (out) of controller 2. It is calculated as follows:

Figure 4: Reaction Time with Interconnection of 2 HIMax Controllers (Input -> HIMax Controller 1 -> safety-related protocol -> HIMax Controller 2 -> Output)

T_R = t_1 + t_2 + t_3

T_R   Worst case reaction time
t_1   Safety time of HIMax controller 1
t_2   Receive Timeout
t_3   Safety time of HIMax controller 2

Calculating the Worst Case Reaction Time with 1 HIMatrix Controller
The worst case reaction time T_R is the time between a change on the sensor input signal (in) of the HIMax controller and a reaction on the corresponding output (out) of the HIMatrix controller. It is calculated as follows:

Figure 5: Response Time when 1 HIMax and 1 HIMatrix Controller are Interconnected (Input -> HIMax Controller -> safety-related protocol -> HIMatrix Controller -> Output)

T_R = t_1 + t_2 + t_3

T_R   Worst case reaction time
t_1   Safety time of the HIMax controller
t_2   Receive Timeout
t_3   2 * watchdog time of the HIMatrix controller

Calculating the Worst Case Reaction Time with 2 HIMatrix Controllers or Remote I/Os
The worst case reaction time T_R is the time between a change on the sensor input signal (in) of the first HIMatrix controller or remote I/O (e.g., F3 DIO 20/8 01) and a reaction on the corresponding output (out) of the second HIMatrix controller or remote I/O. It is calculated as follows:

Figure 6: Response Time with 2 HIMatrix Controllers or Remote I/Os and 1 HIMax Controller (Input -> Remote I/O 1 -> HIMax Controller -> Remote I/O 2 -> Output)

T_R = t_1 + t_2 + t_3 + t_4 + t_5

T_R   Worst case reaction time
t_1   2 * watchdog time of the HIMatrix controller or remote I/O 1
t_2   Receive Timeout 1
t_3   2 * watchdog time of the HIMax controller
t_4   Receive Timeout 2
t_5   2 * watchdog time of the HIMatrix controller or remote I/O 2

Note: Remote I/O 1 and remote I/O 2 can also be identical. The time values still apply if a HIMatrix controller is used instead of a remote I/O.

Calculating the Worst Case Reaction Time with 2 HIMax and 1 HIMatrix Controller
The worst case reaction time T_R is the time between a change on the sensor input signal (in) of the first HIMax controller and a reaction on the corresponding output (out) of the second HIMax controller. It is calculated as follows:

Figure 7: Response Time with 2 HIMax Controllers and 1 HIMatrix Controller (Input -> HIMax Controller 1 -> HIMatrix Controller -> HIMax Controller 2 -> Output)

T_R = t_1 + t_2 + t_3 + t_4 + t_5

T_R   Worst case reaction time
t_1   Safety time of HIMax controller 1
t_2   Receive Timeout 1
t_3   2 * watchdog time of the HIMatrix controller
t_4   Receive Timeout 2
t_5   Safety time of HIMax controller 2

Note: HIMax controllers 1 and 2 can also be identical. The HIMatrix controller can also be a HIMax controller.

The HIPRO-S V2 Safety-Related Protocol
The HIPRO-S V2 protocol is used for safety-related SIL 3 communication between HIMax PES and HIMA PES of the HIQuad system family (H41q/H51q). The following operating systems are required for using HIPRO-S V2:
- For HIMax PES, operating system V8 or higher.
- For HIQuad PES, operating system release BS41q/51q V7.0-8 (08.xx) or higher.
The HIPRO-S V2 protocol may only be used for connecting HIQuad controllers to one another or to HIMax controllers. Connections between HIMax controllers, and between HIMax and HIMatrix controllers, must be established with safeethernet. Refer to the HIPRO-S V2 manual (HI E) for details.

Safety-Related Protocol: PROFIsafe
The requirements for using the PROFIsafe protocol are specified in the communication manual (HI E) and must be met. The equations for determining the worst case reaction time are also specified in the communication manual.
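The four safeethernet topologies above share a small set of terms, and the manual leaves the arithmetic to the reader. The following Python script is an added worked example and is not HIMA code or part of the manual. It implements the T_R formulas of Figures 4 to 7, the two numeric requirements for substituting the target cycle time for the watchdog time (watchdog time >= 1.5 * target cycle time, receive timeout >= 5 * target cycle time + 4 * latency), and the budget check against the allowed worst case reaction time agreed with the test authority, with the sensor and actuator reaction times added as the manual requires. All controller values in it (safety time 200 ms, watchdog time 100 ms, target cycle time 50 ms, receive timeout 300 ms, HIMatrix watchdog time 50 ms, 2 ms latency) are constructed sample figures, not values from a real project.

```python
"""Worst case reaction time (T_R) budget for safeethernet connections.

Added example for the formulas of the safeethernet chapter; not HIMA code.
All times are in milliseconds.  The controller values at the bottom are
constructed sample figures, not values taken from a real project.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HimaxPes:
    """HIMax controller: only the resource parameters that enter T_R."""
    name: str
    safety_time: float
    watchdog_time: float
    target_cycle_time: float


@dataclass(frozen=True)
class HimatrixPes:
    """HIMatrix controller or remote I/O: enters T_R as 2 * watchdog time."""
    name: str
    watchdog_time: float


@dataclass(frozen=True)
class SafeEthernetLink:
    """One safeethernet connection; latency is the transport-path delay
    (the manual allows assuming 2 ms for a direct connection)."""
    receive_timeout: float
    latency: float = 2.0


def tct_substitution_violations(pes: HimaxPes, link: SafeEthernetLink) -> list[str]:
    """Requirements 1 and 2 for using the target cycle time (TCT) in place of
    the watchdog time.  Returns the violated requirements (empty = both hold).
    Requirement 3 (reload with one user program, or all programs limited to a
    single CPU cycle) is a project property and is not checked here."""
    violations = []
    wdt_min = 1.5 * pes.target_cycle_time
    if pes.watchdog_time < wdt_min:
        violations.append(f"{pes.name}: watchdog time {pes.watchdog_time} ms "
                          f"< 1.5 * TCT = {wdt_min} ms")
    rt_min = 5 * pes.target_cycle_time + 4 * link.latency
    if link.receive_timeout < rt_min:
        violations.append(f"{pes.name}: receive timeout {link.receive_timeout} ms "
                          f"< 5 * TCT + 4 * latency = {rt_min} ms")
    return violations


def t_r_himax_himax(p1: HimaxPes, link: SafeEthernetLink, p2: HimaxPes) -> float:
    """Figure 4: safety time 1 + receive timeout + safety time 2."""
    return p1.safety_time + link.receive_timeout + p2.safety_time


def t_r_himax_himatrix(p1: HimaxPes, link: SafeEthernetLink, m: HimatrixPes) -> float:
    """Figure 5: the HIMatrix output side contributes 2 * its watchdog time."""
    return p1.safety_time + link.receive_timeout + 2 * m.watchdog_time


def t_r_himatrix_himax_himatrix(m1: HimatrixPes, l1: SafeEthernetLink, hx: HimaxPes,
                                l2: SafeEthernetLink, m2: HimatrixPes) -> float:
    """Figure 6: remote I/O -> HIMax -> remote I/O.  The HIMax in the middle
    contributes 2 * watchdog time, not its safety time."""
    return (2 * m1.watchdog_time + l1.receive_timeout + 2 * hx.watchdog_time
            + l2.receive_timeout + 2 * m2.watchdog_time)


def t_r_himax_himatrix_himax(h1: HimaxPes, l1: SafeEthernetLink, m: HimatrixPes,
                             l2: SafeEthernetLink, h2: HimaxPes) -> float:
    """Figure 7: HIMax -> HIMatrix -> HIMax.  The HIMax ends contribute their
    safety time, the HIMatrix in the middle 2 * watchdog time."""
    return (h1.safety_time + l1.receive_timeout + 2 * m.watchdog_time
            + l2.receive_timeout + h2.safety_time)


def reaction_time_budget(t_r: float, sensor_delay: float, actuator_delay: float,
                         allowed: float) -> tuple[float, bool]:
    """Total loop reaction time with the field devices added, and whether it
    stays within the worst case reaction time agreed with the test authority."""
    total = t_r + sensor_delay + actuator_delay
    return total, total <= allowed


# Constructed sample configuration (assumed values, not from a real plant).
HIMAX_1 = HimaxPes("HIMax 1", safety_time=200.0, watchdog_time=100.0, target_cycle_time=50.0)
HIMAX_2 = HimaxPes("HIMax 2", safety_time=200.0, watchdog_time=100.0, target_cycle_time=50.0)
HIMATRIX = HimatrixPes("HIMatrix / remote I/O", watchdog_time=50.0)
LINK = SafeEthernetLink(receive_timeout=300.0)  # minimum here: 5 * 50 + 4 * 2 = 258 ms

if __name__ == "__main__":
    for pes in (HIMAX_1, HIMAX_2):
        print(pes.name, "TCT substitution:", tct_substitution_violations(pes, LINK) or "ok")
    results = {
        "Fig. 4  HIMax -> HIMax": t_r_himax_himax(HIMAX_1, LINK, HIMAX_2),
        "Fig. 5  HIMax -> HIMatrix": t_r_himax_himatrix(HIMAX_1, LINK, HIMATRIX),
        "Fig. 6  RIO -> HIMax -> RIO": t_r_himatrix_himax_himatrix(HIMATRIX, LINK, HIMAX_1, LINK, HIMATRIX),
        "Fig. 7  HIMax -> HIMatrix -> HIMax": t_r_himax_himatrix_himax(HIMAX_1, LINK, HIMATRIX, LINK, HIMAX_2),
    }
    for label, t_r in results.items():
        total, ok = reaction_time_budget(t_r, sensor_delay=100.0, actuator_delay=200.0, allowed=1000.0)
        print(f"{label}: T_R = {t_r:.0f} ms, with field devices {total:.0f} ms -> {'OK' if ok else 'TOO SLOW'}")
```

With the sample values the two-controller HIMax link yields T_R = 700 ms, the mixed topologies 600 ms to 1100 ms; once 300 ms of sensor and actuator reaction time are added, only the first two stay within an assumed 1000 ms allowance. The point for a practitioner is that the receive timeout appears once per link and the middle controller in a three-node chain is counted with 2 * watchdog time, so the chained topologies are dominated by the safeethernet monitoring times, not by the user program cycle.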

13 Use in Fire Alarm Systems
HIMax systems may be used in fire alarm systems in accordance with DIN EN 54-2 and NFPA 72 if line monitoring is configured for the inputs and outputs. In this case, the user program must fulfill the requirements specified for fire alarm systems in the standards mentioned above.

DIN EN 54-2 requires a maximum cycle time of 10 seconds for fire alarm systems. This value is easily met by HIMA systems, since their cycle time is in the millisecond range. The same applies to the safety time of 1 second (fault reaction time) required in certain cases. According to EN 54-2, the fire alarm system must enter the fault report state within 100 seconds after the HIMax system has received the fault message.

Fire alarms are connected in accordance with the energize-to-trip principle using the line short-circuit and open-circuit monitoring function. To this end, the following inputs and outputs may be used:
- Digital and analog inputs of input modules supporting line monitoring
- Digital and analog outputs of output modules supporting line monitoring

Figure 8: Wiring of Fire Alarms (sensor supply and analog input of the module, ground, detection loop with the fire alarms; R_EOL = terminating resistor on the last loop sensor, R_L = limit for the maximum loop current, R_Shunt = shunt, see the module-specific manual)

For the application, the R_EOL, R_L and R_Shunt resistors must be calculated as dictated by the sensors in use and the number of sensors per detection loop. Refer to the sensor manufacturer's data sheet for the necessary data.

The alarm outputs for controlling lamps, sirens, horns, etc. are operated in accordance with the energize-to-trip principle. These outputs must be monitored for short-circuits and open-circuits. Additionally, line monitoring for the output modules must be configured and processed in the user program. A suitable user program can be used to control visual display systems, indicator light panels, LED indicators, alphanumeric displays, audible alarms, etc.

Fault signal messages routed via input and output channels, or to transmission equipment for fault signaling, must follow the de-energize-to-trip principle.

Fire alarms can be transmitted from one HIMax system to another system using the existing Ethernet communication standard (OPC). Any loss of communication must be reported.

HIMax systems used as fire alarm systems must have a redundant power supply. Precautionary measures must also be taken against power supply drops, e.g., the use of a battery-powered horn. Uninterrupted operation must be ensured while switching from the main power supply to the backup power supply. Voltage drops of up to 10 ms duration are permitted.

If a system failure occurs, the operating system writes to the system variables defined in the user program. This allows the user to program fault signaling for faults detected by the system. If a fault occurs, the HIMax system switches off the safety-related inputs and outputs with the following effects:
- The low level is processed in all channels of the faulty inputs.
- All channels of the faulty outputs are switched off.

14 ATEX-Conform Use as Safety, Controlling and Regulating Device
The following HIMax components are suitable for the intended use, i.e., for detecting and measuring flammable gases:
- X-BASE PLATE
- X-SB 01
- X-CPU 01, X-CPU 31
- X-AI 32 01, X-AI
- X-DO 24 01, X-DO

The specified HIMax components were tested in accordance with the following standards:
- EN 50271:2010
- EN 50495:2010
- IEC / EN : A11:2013
- IEC / EN :2008

The specified components meet the requirements of ATEX Directive 2014/34/EU and are safety devices, controlling devices and regulating devices in accordance with it. They are suitable for monitoring ignition hazards in potentially explosive atmospheres as associated apparatus or, as stationary gas detection systems, for detecting and measuring flammable gases. The components' hardware and software were tested for compliance with the requirements of the EN standards listed above.

Gas sensors meeting the applicable EN requirements must be connected to the mA signal inputs. The gas sensors must be wired in compliance with the documentation and the EU Type-Examination certificate.

The safety-relevant user program must be created using the SILworX programming tool and taking the safety manual into account. The safety function must be proven by verification and validation.

Specific safety information and operating instructions in accordance with ATEX Directive 2014/34/EU, Annex II (1.0.6) shall be created for the safety facility or gas warning system to be assembled. In an additional conformity assessment procedure, a complete EU Type-Examination certificate shall be issued for the safety facility or gas warning system, taking the above-mentioned points into consideration.

15 Use of HIMax Devices in Zone 2
HIMax components are suitable for mounting in the explosive atmospheres of Zone 2. In addition to the specific conditions, the mounting and installation instructions provided in the system manual (HI E) and in the module-specific manuals must be observed. The Declaration of Conformity for the HIMax components is available on the HIMA website.

HIMax components meet the requirements of the following directives and standards:

Directive          Standard           Description
IECEx              IEC :2011          Explosive atmospheres - Part 0: Equipment - General requirements
ATEX 2014/34/EU    EN : A11:2013
IECEx              IEC :2010          Explosive atmospheres - Part 15: Equipment protection by type of protection "n"
ATEX 2014/34/EU    EN :2010
Table 16: Standards for HIMax Components in Zone 2

The HIMax components carry one of the following Ex markings:
- II 3G Ex na IIC T4 Gc
- II 3G Ex na nc IIC T4 Gc

Marking           Description
Ex (hexagon)      Explosion protection marking in accordance with the directive.
II                Equipment group, for all areas with explosive atmosphere other than underground mines.
3G                Equipment category, for use in areas in which an explosive gas atmosphere is unlikely to occur or, if it does occur, will persist for a short period only.
Ex                Explosion protection marking in accordance with the IECEx standard.
na                Type of protection for non-sparking equipment.
nc                Type of protection for sparking equipment.
IIC               Gas group for explosive gas atmospheres; the typical gas is hydrogen.
T4                Temperature class T4, with a maximum surface temperature of 135 °C.
Gc                Equipment protection level; corresponds to ATEX equipment category 3G.
Table 17: Ex Marking Description for HIMax Components

Specific Conditions
1. The HIMax components must be mounted in an enclosure that meets the requirements of EN /EN with degree of protection IP54 or better.
2. The enclosure must be provided with the following label: "WARNING: Work is only permitted in the de-energized state. Exception: If a potentially explosive atmosphere has been precluded, work can also be performed when the device is under voltage."
3. The HIMax components are designed for operation not exceeding pollution degree
4. The enclosure in use must be able to safely dissipate the generated heat. Refer to Table 18 for the power dissipation of the HIMax components.
5. The supply voltages must be taken from power supply units with safe separation. Use power supply units of type PELV or SELV only.
6. The operating conditions specified in the module manuals must be observed.

Applicable standards:
IEC : 2013 / EN : 2014   Explosive atmospheres - Part 14: Electrical installations design, selection and erection
The requirements for type of protection "n" must be observed.

Component                  Max. power dissipation
CB / FTA for X-AI          3 W
CB / FTA for X-DI          3 W
CB / FTA for X-DI          3 W
CB / FTA for X-AI          3 W
X-AI                       11 W
X-AI                       21 W
X-AI                       21 W
X-AI                       14 W
X-AO                       38 W
X-AO                       13 W
X-BASE PLATE               15 W
X-CI                       21 W
X-CI                       12 W
X-COM 01                   9 W
X-CPU 01                   41 W
X-CPU 31                   21 W
X-DI                       33 W
X-DI                       15 W
X-DI                       23 W
X-DI                       17 W
X-DI                       15 W
X-DI                       23 W
X-DI                       13 W
X-DI                       10 W
X-DI                       21 W
X-DI                       15 W
X-DO                       51 W
X-DO                       38 W
X-DO                       32 W
X-DO                       29 W
X-DO                       34 W
X-DO                       34 W
X-DO                       31 W
X-FAN                      28 W
X-FAN                      7 W
X-FAN                      41 W
X-FAN                      41 W
X-FAN                      9 W
X-FAN                      9 W
X-FAN                      55 W
X-FAN                      12 W
X-FTA L (X-DO 12 01)       7 W
X-HART                     9 W
X-MIO 7/6 01               45 W
X-SB 01                    21 W
Table 18: Power Dissipation of the HIMax Components

Appendix

Glossary
Term               Description
AI                 Analog input
AO                 Analog output
ARP                Address resolution protocol, network protocol for mapping network addresses to hardware addresses
COM                Communication module
Connector board    Connector board for the HIMax module
CRC                Cyclic redundancy check
DI                 Digital input
DO                 Digital output
EMC                Electromagnetic compatibility
EN                 European norm
ESD                Electrostatic discharge
FB                 Fieldbus
FBD                Function block diagram
ICMP               Internet control message protocol, network protocol for status or error messages
IEC                International Electrotechnical Commission
Interference-free  Inputs are designed for interference-free operation and can be used in circuits with safety functions.
MAC address        Media access control address, hardware address of one network connection
PADT               Programming and debugging tool (in accordance with IEC ), PC with SILworX
PE                 Protective earth
PELV               Protective extra low voltage
PES                Programmable electronic system
R                  Read
R/W                Read/write
Rack ID            Base plate identification (number)
rP                 Peak value of a total AC component
SB                 System bus (module)
SELV               Safety extra low voltage
SFF                Safe failure fraction, portion of faults that can be safely controlled
SIL                Safety integrity level (in accordance with IEC 61508)
SILworX            Programming tool for HIMax
SNTP               Simple network time protocol (RFC 1769)
SRS                System.Rack.Slot addressing of a module
SW                 Software
TMO                Timeout
W                  Write
Watchdog (WD)      Time monitoring facility for modules or programs. If the watchdog time is exceeded, the module or program enters the error stop state.
WDT                Watchdog time

Index of Figures
Figure 1: Recommended Configuration: All Processor Modules in Rack 0 (page 27)
Figure 2: Recommended Configuration: Processor Modules X-CPU 01 in Rack 0 and Rack 1 (page 27)
Figure 3: Configuration with X-CPU 31 Processor Modules in Rack 0, Slots 1 and 2 (page 28)
Figure 4: Reaction Time with Interconnection of 2 HIMax Controllers (page 56)
Figure 5: Response Time when 1 HIMax and 1 HIMatrix Controller are Interconnected (page 56)
Figure 6: Response Time with 2 HIMatrix Controllers or Remote I/Os and 1 HIMax Controller (page 57)
Figure 7: Response Time with 2 HIMax Controllers and 1 HIMatrix Controller (page 57)
Figure 8: Wiring of Fire Alarms (page 59)

Index of Tables
Table 1: Overview of the System Documentation (page 11)
Table 2: Standards for EMC, Climatic and Environmental Requirements (page 21)
Table 3: Climatic Conditions (page 21)
Table 4: Mechanical Tests (page 22)
Table 5: Interference Immunity Tests (page 22)
Table 6: Noise Emission Tests (page 22)
Table 7: Verification of the DC Supply Characteristics (page 23)
Table 8: Overview of the Input Modules (page 30)
Table 9: Overview of the Output Modules (page 33)
Table 10: Resource System Parameters (page 42)
Table 11: Effect of Target Cycle Time Mode (page 42)
Table 12: System Variables of Racks (page 44)
Table 13: System Parameters of the User Program (page 49)
Table 14: User Program Switch Test Mode Allowed (page 51)
Table 15: Online Changeable Parameters (page 52)
Table 16: Standards for HIMax Components in Zone 2 (page 62)
Table 17: Ex Marking Description for HIMax Components (page 62)
Table 18: Power Dissipation of the HIMax Components (page 64)

Index
- CRC
- De-energize-to-trip principle
- Energize-to-trip principle
- ESD protection
- Fault reactions: inputs; outputs
- Functional test of the controller
- Hardware Editor
- LED Ess
- Multitasking
- Online test field
- Output noise blanking (pages 34, 35)
- Process safety time
- Proof test
- Rack ID
- Redundancy
- Response time HIMax
- Responsible
- Safety concept
- Safety function
- Safety time
- Self-test
- Specific conditions
- Test conditions: climatic; EMC; mechanical; supply voltage
- To make a controller lockable
- Version list
- Watchdog time: determination; resource; user program


HI E
© 2016 HIMA Paul Hildebrandt GmbH
HIMax and SILworX are registered trademarks of HIMA Paul Hildebrandt GmbH
Albert-Bassermann-Str., Brühl, Germany
HIMax-info@hima.com


More information

MINI-PS AC/10-15DC/8

MINI-PS AC/10-15DC/8 Primary-Switched Power Supply, Narrow Design Data Sheet 08/2004 MINI POWER provides: An extra narrow design, with widths of 22.5 mm, 45 mm, and 67.5 mm (0.886, 1.772, and 2.657 in.) Global use due to a

More information

HIMatrix Safety-Related Controller F3 AIO 8/4 01 Manual

HIMatrix Safety-Related Controller F3 AIO 8/4 01 Manual HIMatrix Safety-Related Controller F3 AIO 8/4 01 Manual HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation Rev. 2.00 HI 800 161 E All HIMA products mentioned in this manual are protected by the HIMA

More information

AX521 Analog Input/Output Module

AX521 Analog Input/Output Module Ordering Data DATA SHEET AX521 Analog Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 250 100 R0001 1SAP 450 100 R0001 AX521, analog input/output module, 4 AI,

More information

MANUAL Functional Safety

MANUAL Functional Safety PROCESS AUTOMATION MANUAL Functional Safety Switch Amplifier HiC283* ISO9001 2 With regard to the supply of products, the current issue of the following document is applicable: The General Terms of Delivery

More information

HIMax Digital Input Module Manual X-DI 32 01

HIMax Digital Input Module Manual X-DI 32 01 HIMax Digital Input Module Manual X-DI 32 01 All HIMA products mentioned in this manual are protected by the HIMA trade-mark. Unless noted otherwise, this also applies to other manufacturers and their

More information

AS-i Safety Relay Output Module with Diagnostic Slave

AS-i Safety Relay Output Module with Diagnostic Slave AS-i Safety Relay Output Module with Diagnostic Slave User Manual...supports the requirements for AS-i Safety up to SIL3 Revision date: 2016-03-9 Subject to modifications without notice. Generally, this

More information

CM589 PROFINET Communication Module

CM589 PROFINET Communication Module Ordering Data DATA SHEET CM589 PROFINET Communication Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 172 900 R0011 1SAP 372 900 R0011 1SAP 172 900 R0111 1SAP 372 900 R0111

More information

AS-i Safety Relay Output Module with Diagnostic Slave

AS-i Safety Relay Output Module with Diagnostic Slave AS-i Safety Relay Output Module with Diagnostic Slave User Manual Revision date: 2013-01-30...supports the requirements for AS-i Safety up to SIL3 Subject to modifications without notice. Generally, this

More information

CM579-PNIO PROFINET Communication Module

CM579-PNIO PROFINET Communication Module Ordering Data DATA SHEET CM579-PNIO PROFINET Communication Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 170 901 R0101 1SAP 370 901 R0101 CM579-PNIO, PROFINET communication

More information

CM592 PROFIBUS Communication Module

CM592 PROFIBUS Communication Module Ordering Data DATA SHEET CM592 PROFIBUS Communication Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 173 200 R0001 1SAP 373 200 R0001 CM592-DP, communication module PROFIBUS

More information

FSO Webnair FSO Safety Functions Module. ABB Group February 11, 2015 Slide 1

FSO Webnair FSO Safety Functions Module. ABB Group February 11, 2015 Slide 1 FSO Webnair FSO Safety Functions Module February 11, 2015 Slide 1 Competence Requirements for ABB Commissioner / Service Engineer of ACS880 Drives with FSO The integrated Safety Function Module (FSO; option

More information

Type 9160 / Transmitter supply unit / Isolating repeater. Safety manual

Type 9160 / Transmitter supply unit / Isolating repeater. Safety manual Type 9160 / 9163 Transmitter supply unit / Isolating repeater Safety manual Safety manual English Content 1 General information... 3 1.1 Manufacturer... 3 1.2 Information regarding the Safety Manual...

More information

Programmable Systems The H41q and H51q System Families

Programmable Systems The H41q and H51q System Families Programmable Systems The H41q and H51q System Families Catalog HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation HI 800 263 DEA Caution The safety-related H41q/H51q systems as described in this

More information

restart: hima/factory_automation/presses HIMA The development of press automation is complete.

restart: hima/factory_automation/presses HIMA The development of press automation is complete. The development of press automation is complete. Paul Hildebrandt GmbH + Co KG P.O. Box 1261 68777 Brühl Germany Telephone: (+49 62 02) 7 09-0 Telefax: (+49 62 02) 7 09-1 07 E-mail: info@hima.com Internet:

More information

Industrial-Automation System HIMatrix. Engineering Manual

Industrial-Automation System HIMatrix. Engineering Manual Industrial-Automation System HIMatrix Engineering Manual HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation HI 800 101 JEA Important Notes All HIMA products mentioned in this manual are protected

More information

HIMatrix Safety-Related Controller F35 03 Manual

HIMatrix Safety-Related Controller F35 03 Manual HIMatrix Safety-Related Controller F35 03 Manual HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation Rev. 1.00 HI 800 477 E All HIMA products mentioned in this manual are protected by the HIMA trade-mark.

More information

CM597 Ethernet Communication Module

CM597 Ethernet Communication Module Ordering Data DATA SHEET CM597 Ethernet Communication Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 173 700 R0001 1SAP 373 700 R0001 CM597-ETH, communication module Ethernet

More information

CI542 PROFIBUS Communication Interface Module

CI542 PROFIBUS Communication Interface Module Ordering Data DATA SHEET CI542 PROFIBUS Communication Interface Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 224 200 R0001 1SAP 424 200 R0001 CI542-DP, PROFIBUS DP bus module,

More information

CM589 PROFINET Communication Module

CM589 PROFINET Communication Module Ordering Data DATA SHEET CM589 PROFINET Communication Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 172 900 R0011 1SAP 372 900 R0011 1SAP 172 900 R0111 1SAP 372 900 R0111

More information

PSR-MS60. Safety relay for emergency stop, safety door and light grid monitoring. Data sheet. 1 Description

PSR-MS60. Safety relay for emergency stop, safety door and light grid monitoring. Data sheet. 1 Description SILCL IEC 62061 Safety relay for emergency stop, safety door and light grid monitoring Data sheet 106171_en_01 PHOENIX CONTACT 2015-05-19 1 Description Intended Use The PSR-MS60 safety relay can be used

More information

AX522 Analog Input/Output Module

AX522 Analog Input/Output Module Ordering Data DATA SHEET AX522 Analog Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 250 000 R0001 1SAP 450 000 R0001 AX522, analog input/output module, 8 AI

More information

CD522 Encoder, Counter and PWM Module

CD522 Encoder, Counter and PWM Module Ordering Data DATA SHEET CD522 Encoder, Counter and PWM Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 260 300 R0001 1SAP 460 300 R0001 CD522, encoder & PWM module, 2 encoder

More information

CI504 PROFINET Communication Interface Module

CI504 PROFINET Communication Interface Module Ordering Data DATA SHEET CI504 PROFINET Communication Interface Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 221 300 R0001 1SAP 421 300 R0001 CI504-PNIO, PROFINET Bus Module

More information

DC561, digital input/output module,

DC561, digital input/output module, Ordering Data DATA SHEET DC561 Digital Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1TNE 968 902 R2001 DC561, digital input/output module, 16 configurable inputs/outputs,

More information

AI531 Analog Input Module

AI531 Analog Input Module Ordering Data DATA SHEET AI531 Analog Input Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 250 600 R0001 AI531, analog input module, 8 AI, U/I/Pt100, TC, 15 bits + sign, 4-wires

More information

T500 DUALTACH. JAQUET T500 DualTach. 2 channel measurement & monitoring instrument 2 CHANNEL TACHOMETER I N C H A R G E O F S P E E D.

T500 DUALTACH. JAQUET T500 DualTach. 2 channel measurement & monitoring instrument 2 CHANNEL TACHOMETER I N C H A R G E O F S P E E D. 1-08 T500 DUALTACH 2 CHANNEL TACHOMETER JAQUET T500 DualTach 2 channel measurement & monitoring instrument JAQUET T500 DualTach 2 channel measurement and monitoring instrument for demanding machine protection

More information

Report. Certificate M6A SIMATIC S7 Distributed Safety

Report. Certificate M6A SIMATIC S7 Distributed Safety Report to the Certificate M6A 17 05 67803 014 Safety-Related Programmable Systems SIMATIC S7 Distributed Safety Manufacturer: Siemens AG DF FA AS Gleiwitzer Str. 555 D-90475 Nürnberg Revision 3.1 dated

More information

MANUAL Functional Safety

MANUAL Functional Safety PROCESS AUTOMATION MANUAL Functional Safety Repeater KFD0-CS-(Ex)*.54*, KFD0-CS-(Ex)*.56* ISO9001 2 With regard to the supply of products, the current issue of the following document is applicable: The

More information

Operating instructions Safe AS-i input module ASIM-C-M About this document. Content

Operating instructions Safe AS-i input module ASIM-C-M About this document. Content 7 Set-up and maintenance 7.1 Functional testing....10 7.2 Maintenance...10 EN Operating instructions.............pages 1 to 6 Original 8 Disassembly and disposal 8.1 Disassembly....10 8.2 Disposal...10

More information

Power Supply, Primary Switch Mode, Narrow Design MINI-PS AC/24DC/1

Power Supply, Primary Switch Mode, Narrow Design MINI-PS AC/24DC/1 Power Supply, Primary Switch Mode, arrow Design -PS-100-240AC/24/1 POWER provides: Extra narrow widths of 22.5, 45, and 67.5 mm (0.886, 1.772, and 2.657 in.) Global use due to a wide range input A high

More information

TRIO-DIODE/12-24DC/2X10/1X20

TRIO-DIODE/12-24DC/2X10/1X20 Redundancy module INTERFACE Data sheet 104278_en_00 1 Description PHOENIX CONTACT 20100423 Features TRIO DIODE is the DINrail mountable redundancy module from the TRIO POWER product range. Using the redundancy

More information

Industrial-Automation System HIMatrix F60. Modular System F60. System Manual

Industrial-Automation System HIMatrix F60. Modular System F60. System Manual Industrial-Automation System HIMatrix F60 Modular System F60 System Manual HIMA Paul Hildebrandt GmbH + Co KG Industrial Automation HI 800 191 FEA Important Notes All HIMA products mentioned in this manual

More information

FACTORY AUTOMATION. MANUAL VAA-2E-G4-SE Original Instructions Version 1.1

FACTORY AUTOMATION. MANUAL VAA-2E-G4-SE Original Instructions Version 1.1 FACTORY AUTOMATION MANUAL VAA-2E-G4-SE Original Instructions Version 1.1 With regard to the supply of products, the current issue of the following document is applicable: The General Terms of Delivery

More information

DI572 Digital Input Module

DI572 Digital Input Module Ordering Data DATA SHEET DI572 Digital Input Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 230 500 R0000 1TNE 968 901 R3101 1TNE 968 901 R3102 1TNE 968 901 R3103 1TNE 968

More information

FL MC 2000E (SM40) LC

FL MC 2000E (SM40) LC IEC 61850 fiber optic converter with LC fiber optic connection (1310 nm) to convert 100Base-Tx to single- or multi-mode fiber glass Data sheet 3205_en_C 1 Description PHOENIX CONTACT 2014-04-04 2 Features

More information

DX561 Digital Input/Output Module

DX561 Digital Input/Output Module Ordering Data DATA SHEET DX561 Digital Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1TNE 968 902 R2301 1TNE 968 901 R3101 DX561, digital input/output module, 8 DI

More information

PHOENIX CONTACT - 07/2006

PHOENIX CONTACT - 07/2006 Buffer module with maintenance-free capacitor-based power storage device INTERFACE Data sheet 102035_03_en PHOENIX CONTACT - 07/2006 Description Short-term mains interruptions are bridged by QUINT BUFFER,

More information

AI561 Analog Input Module

AI561 Analog Input Module Ordering Data DATA SHEET AI561 Analog Input Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1TNE 968 902 R1101 AI561, analog input module, 4 AI, U/I 1TNE 968 901 R3101 1TNE 968

More information

DC562, digital input/output module,

DC562, digital input/output module, Ordering Data DATA SHEET DC562 Digital Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 231 900 R0000 1TNE 968 901 R3101 1TNE 968 901 R3102 1TNE 968 901 R3103 1TNE

More information

Type Switching repeater. Safety manual

Type Switching repeater. Safety manual Type 9170 Switching repeater Safety manual Safety manual English Content 1 General information... 3 1.1 Manufacturer... 3 1.2 Information regarding the Safety Manual... 3 1.3 Area of application... 3 1.4

More information

CI541 PROFIBUS Communication Interface Module

CI541 PROFIBUS Communication Interface Module Ordering Data DATA SHEET CI541 PROFIBUS Communication Interface Module 1 Ordering Data Ordering No. Scope of delivery Product Life Cycle Phase *) 1SAP 224 100 R0001 1SAP 424 100 R0001 CI541-DP, PROFIBUS

More information

DI561 Digital Input Module

DI561 Digital Input Module Ordering Data DATA SHEET DI561 Digital Input Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1TNE 968 902 R2101 1TNE 968 901 R3101 1TNE 968 901 R3103 1TNE 968 901 R3105 DI561, digital

More information

CI521 Modbus Communication Interface Module

CI521 Modbus Communication Interface Module Ordering Data DATA SHEET CI521 Modbus Communication Interface Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 222 100 R0001 1SAP 422 100 R0001 CI521-MODTCP, Modbus TCP bus

More information

Operating instructions. Standstill monitor A / / 2011

Operating instructions. Standstill monitor A / / 2011 Operating instructions Standstill monitor A300 UK 1 2 3 4 5 6 7 8 7390337 / 01 02 / 2011 1 2 3 4 5 6 7 8 switchpoint min max pulse/min power Made in Germany ifm electronic gmbh D 45127 Essen func. I II

More information

Redundancy unit CP-A RU

Redundancy unit CP-A RU 2CDC 271 010 F0t06 Features Decoupling of CP power supply units with 2 inputs, each up to 20 A per input / channel Output up to 40 A True redundancy by 100 % decoupling of two parallel connected power

More information

QUINT-BUFFER/24DC/24DC/40

QUINT-BUFFER/24DC/24DC/40 Buffer module Data sheet 105496_en_01 PHOENIX CONTACT 2013-11-01 1 Description The QUINT BUFFER buffer module combines the electronic switchover unit and power storage in the same housing. The buffer module

More information

General information. Display. Supply voltage

General information. Display. Supply voltage Data sheet SIMATIC S7-1200, CPU 1212C, COMPACT CPU, DC/DC/RLY, ONBOARD I/O: 8 DI 24V DC; 6 DO RELAY 2A; 2 AI 0-10V DC, POWER SUPPLY: DC 20.4-28.8 V DC, PROGRAM/DATA MEMORY: 75 KB General information Product

More information

General information. Display. Supply voltage

General information. Display. Supply voltage Data sheet SIMATIC S7-1200, CPU 1211C, COMPACT CPU, DC/DC/RELAY, ONBOARD I/O: 6 DI 24V DC; 4 DO RELAY 2A; 2 AI 0-10V DC, POWER SUPPLY: DC 20.4-28.8 V DC, PROGRAM/DATA MEMORY: 50 KB General information

More information

INSTRUCTION MANUAL. Universal AC Input Switching Power Supply 24 Vdc Output DIN-Rail Models PSD1000, PSD1000F PSD PSD1000F

INSTRUCTION MANUAL. Universal AC Input Switching Power Supply 24 Vdc Output DIN-Rail Models PSD1000, PSD1000F PSD PSD1000F PSD1000 - PSD1000F INSTRUCTION MANUAL Universal AC Input Switching Power Supply 24 Vdc Output DIN-Rail Models PSD1000, PSD1000F PSD1000 - Universal AC Input Switching Power Supply 24 Vdc Output ISM0089-4

More information

Description. SIMATIC Sensors. RF systems Wide-range power supply unit for SIMATIC RF systems. Operating Instructions 11/2007 J31069-D0169-U001-A4-7618

Description. SIMATIC Sensors. RF systems Wide-range power supply unit for SIMATIC RF systems. Operating Instructions 11/2007 J31069-D0169-U001-A4-7618 1 SIMATIC Sensors RF systems Wide-range power supply unit for SIMATIC RF systems Operating Instructions 11/2007 J31069-D0169-U001-A4-7618 Safety Guidelines This manual contains notices you have to observe

More information

General information. Display. Supply voltage. Input current

General information. Display. Supply voltage. Input current Data sheet SIMATIC S7-1200, CPU 1215C, COMPACT CPU, AC/DC/RELAY, 2 PROFINET PORT, ONBOARD I/O: 14 DI 24V DC; 10 DO RELAY 2A, 2 AI 0-10V DC, 2 AO 0-20MA DC, POWER SUPPLY: AC 85-264 V AC AT 47-63 HZ, PROGRAM/DATA

More information

SIMATIC. ET 200SP Open Controller Product information on CPU 1515SP PC. Preface. Product Information. Technical update. Technical specifications 3

SIMATIC. ET 200SP Open Controller Product information on CPU 1515SP PC. Preface. Product Information. Technical update. Technical specifications 3 1BProduct information on CPU 1515SP PC Preface Product Information 1 SIMATIC ET 200SP Open Controller Technical update 2 Technical specifications 3 Product Information 09/2015 A5E35456639-AC 3BLegal information

More information

DC541 Digital Input/Output Module

DC541 Digital Input/Output Module Ordering Data DATA SHEET DC541 Digital Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 270 000 R0001 1SAP 470 000 R0001 DC541-CM, digital input/output module,

More information

ControlLogix SIL2 System Configuration

ControlLogix SIL2 System Configuration ControlLogix SIL2 System Configuration Using RSLogix 5000 Subroutines Application Technique (Catalog Numbers 1756 and 1492) Important User Information 8 / 2011 Solid state equipment has operational characteristics

More information

D6030S - D6030D INSTRUCTION MANUAL. D SIL 3 Switch/Proximity Detector Repeater Relay Output. Models D6030S, D6030D

D6030S - D6030D INSTRUCTION MANUAL. D SIL 3 Switch/Proximity Detector Repeater Relay Output. Models D6030S, D6030D D600S - D600D INSTRUCTI MANUAL SIL Switch/Proximity Detector Repeater Relay, DIN Rail, Models D600S, D600D D600 - SIL Switch/Proximity Detector Repeater Relay G.M. International ISM0- Characteristics General

More information

General information Engineering with Programming package. Display with display

General information Engineering with Programming package. Display with display Datasheet SIPLUS S7-1200 CPU 1212C AC/DC/RLY -40... +70 DEGREES C WITH CONFORMAL COATING BASED ON 6ES7212-1BE31-0XB0. COMPACT CPU, AC/DC/RELAY, ONBOARD I/O: 8 DI 24V DC 6 DO RELAY 2A 2 AI 0-10V DC, POWER

More information

HIMax Analog Input Module with Sequence of Events Recording Manual X-AI 32 02

HIMax Analog Input Module with Sequence of Events Recording Manual X-AI 32 02 HIMax Analog Input Module with Sequence of Events Recording Manual X-AI 32 02 All HIMA products mentioned in this manual are protected by the HIMA trade-mark. Unless noted otherwise, this also applies

More information

PHOENIX CONTACT - 01/2010. Features. DANGER OF EXPLOSION! Only remove equipment when it is disconnected and not in the potentially explosive area.

PHOENIX CONTACT - 01/2010. Features. DANGER OF EXPLOSION! Only remove equipment when it is disconnected and not in the potentially explosive area. Uninterruptible power supply with integrated power supply unit INTERFACE Data sheet 104211_en_00 1 Description PHOENIX CONTACT - 01/2010 Features The MINI-DC-UPS provide an uninterruptible DC voltage both

More information

XPSMF40 Hardware Manual 07/2007

XPSMF40 Hardware Manual 07/2007 XPSMF40 Hardware Manual 07/2007 33003363.02 2 Table of Contents Safety Information....................................5 About the Book....................................... 7 Chapter 1 Overview: XPSMF40...................................9

More information

General information. Display. Supply voltage

General information. Display. Supply voltage Data sheet SIMATIC S7-1200, CPU 1211C, COMPACT CPU, DC/DC/DC, ONBOARD I/O: 6 DI 24V DC; 4 DO 24 V DC; 2 AI 0-10V DC, POWER SUPPLY: DC 20.4-28.8 V DC, PROGRAM/DATA MEMORY: 50 KB General information Product

More information

DC532-XC, digital input/output module,

DC532-XC, digital input/output module, Ordering Data DATA SHEET DC532 Digital Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 240 100 R0001 1SAP 440 100 R0001 DC532, digital input/output module, 16

More information

Point Level Transmitters. Pointek CLS200 (Standard) Functional Safety Manual 02/2015. Milltronics

Point Level Transmitters. Pointek CLS200 (Standard) Functional Safety Manual 02/2015. Milltronics Point Level Transmitters Pointek CLS200 (Standard) Functional Safety Manual 02/2015 Milltronics Introduction 1 General safety instructions 2 Pointek Level Instruments Device-specific safety instructions

More information

Siemens Spares. Preface 1. Scope of Delivery 2 SIPLUS CMS4000. Product Characteristics 3 ION PROFIBUS DP SPY T001 Installation and Maintenance 4

Siemens Spares. Preface 1. Scope of Delivery 2 SIPLUS CMS4000. Product Characteristics 3 ION PROFIBUS DP SPY T001 Installation and Maintenance 4 Preface 1 Scope of Delivery 2 Product Characteristics 3 Industrial I/O-Node ION PROFIBUS DP SPY T001 Installation and Maintenance 4 6AT8000-1BA00-5XA0 Notes on the CE Mark 5 References 6 Appendix 7 Release

More information

MAINTENANCE MANUAL. EDACS REDUNDANT POWER SUPPLY SYSTEM 350A1441P1 and P2 POWER MODULE CHASSIS 350A1441P3, P4, AND P5 POWER MODULES TABLE OF CONTENTS

MAINTENANCE MANUAL. EDACS REDUNDANT POWER SUPPLY SYSTEM 350A1441P1 and P2 POWER MODULE CHASSIS 350A1441P3, P4, AND P5 POWER MODULES TABLE OF CONTENTS MAINTENANCE MANUAL EDACS REDUNDANT POWER SUPPLY SYSTEM 350A1441P1 and P2 POWER MODULE CHASSIS 350A1441P3, P4, AND P5 POWER MODULES TABLE OF CONTENTS SPECIFICATIONS*... 2 INTRODUCTION... 3 DESCRIPTION...

More information

Safety Standards. Model Number: Unit Weight:

Safety Standards. Model Number: Unit Weight: MEA-250A24C Highlights & Features Meet Efficiency Level VI Safety Approvals to IEC 60601-1 3.1 Ed. & IEC 60950-1 Compliant with IEC 60601-1-2 3 th and 4 th Ed. Requirements IP22 ingress protection rating

More information

Functional safety manual RB223

Functional safety manual RB223 SD00011R/09/EN/13.13 71238251 Products Solutions Services Functional safety manual RB223 Passive barrier Application Galvanic isolation of active 0/4 to 20 ma signals from transmitters, valves and adjusters,

More information

Product Specifications

Product Specifications Product Specifications VIBROCONTROL 6000 Monitoring System Description of Functionality Overview The VIBROCONTROL 6000 Monitoring System is used for both stand-alone machine protection and condition monitoring

More information

DC522 Digital Input/Output Module

DC522 Digital Input/Output Module Ordering Data DATA SHEET DC522 Digital Input/Output Module 1 Ordering Data Part No. Description Product Life Cycle Phase *) 1SAP 240 600 R0001 1SAP 440 600 R0001 DC522, digital input/output module, 16

More information

General information. Display. Supply voltage. Input current. Encoder supply. Output current

General information. Display. Supply voltage. Input current. Encoder supply. Output current Data sheet SIMATIC S7-1200, CPU 1211C, COMPACT CPU, AC/DC/RELAY, ONBOARD I/O: 6 DI 24V DC; 4 DO RELAY 2A; 2 AI 0-10V DC, POWER SUPPLY: AC 85-264 V AC AT 47-63 HZ, PROGRAM/DATA MEMORY: 50 KB General information

More information

General information Engineering with Programming package. Display with display. Supply voltage 24 V DC Yes. Input current

General information Engineering with Programming package. Display with display. Supply voltage 24 V DC Yes. Input current Datasheet SIPLUS S7-1200 CPU 1214C DC/DC/DC -40... +70 DEGREES C WITH CONFORMAL COATING BASED ON 6ES7214-1AG31-0XB0. COMPACT CPU, DC/DC/DC, ONBOARD I/O: 14 DI 24V DC; 10 DO 24 V DC; 2 AI 0-10V DC, POWER

More information

PSR-PC50. SIL 3 coupling relay for safety-related switch on. Data sheet. 1 Description

PSR-PC50. SIL 3 coupling relay for safety-related switch on. Data sheet. 1 Description SIL 3 coupling relay for safety-related switch on Data sheet 105818_en_01 PHOENIX CONTACT 2014-08-18 1 Description The PSR-PC50 SIL coupling relay can be used for power adaptation and electrical isolation

More information

Relion 611 series. 611 series Type Test Certificate

Relion 611 series. 611 series Type Test Certificate Relion 611 series 611 series Document ID: 1MRS757466 Issued: 2016-02-22 Revision: B Product version: 2.0 Copyright 2016 ABB. All rights reserved Table of contents Table of contents Section 1 Section

More information

PHOENIX CONTACT - 08/2009. Features. DANGER OF EXPLOSION! Only remove equipment when it is disconnected and not in the potentially explosive area.

PHOENIX CONTACT - 08/2009. Features. DANGER OF EXPLOSION! Only remove equipment when it is disconnected and not in the potentially explosive area. Primary-switched power supply for building automation INTERFACE Data sheet 103505_en_02 1 Description PHOENIX CONTACT - 08/2009 Features STEP POWER power supply units for building automation The new STEP

More information