Report Certificate Z2 03 04 38282 002

1. nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 18 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND 4 3 Product Specific Quality Assurance and Control All software and hardware components developed and manufactured in course of the safety evaluation are governed by an ISO 9001 certified quality assurance and control system Some older components have been developed under the manufacturer s internal quality procedures The European procedures for demonstrating conformity 93 465 EEC Council Resolution of 22 July 1993 on the modules to be used in the technical harmonization directives for the various phases of conformity assessment procedures and the rules for attaching and using CE conformity marks provide similar significance to the type testing and the manufacturer s quality assurance in production and product maintenance As part of the certification process TUV Product Service also performs a procedure that is tailored to the assessed product in order to assess the consistency of product quality while accounting for product modifications and their identifiably follow up service TUV Automotive GmbH Revision 1 6 Automation Software and Electronics IQSE RidlerstraBe 65 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 19 of 22 Dissemination distribution copying or any other use
2. 0116 Electrical equipment of furnaces 1989 clause 8 7 prEN 50156 1 1997 Electrical equipment of furnaces as applicable TUV Automotive GmbH Revision 1 6 Automation Software and Electronics IQSE RidlerstraBe 65 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 14 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND NFPA 85 2004 Boiler and Combustion Systems Hazards Code Fire Detection and Fire Alarm Systems EN 54 2 1997 Fire detection and fire alarm systems Part 2 Control and indicating equipment EN 54 4 1997 Fire detection and fire alarm systems Part 4 Power supply equip ment NFPA 72 2002 National Fire Alarm Code TUV Automotive GmbH Automation Software and Electronics QSE RidlerstraBe 65 Revision 1 6 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 15 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND 4 Results 4 1 Functional Safety The tests performed and quality assurance measures implemented by the manufacturer have shown that the SIMATIC S7 F FH Systems in conjunction with their system software comply with the testing criteria specified in clause 3 subject to the conditions defined in cl
3. 93 68 EEC laws of Member States relating to electrical equipment designed for use within certain voltage limits 98 37 EEC Council Directive of 22 June 1998 on the approximation of the laws of the Member States relating to machinery to the extend applicable to programmable electronic safety de vices 3 4 Functional Safety The testing for functional safety is to be performed using the following standards and guidelines DIN V 19250 1994 Fundamental aspects to be considered for measurement and con AK6 trol equipment DIN V VDE 0801 Principles for computers in safety related systems 1990 AK1 6 including amendment A1 1994 IEC 61508 1 12 1998 Functional safety Safety related systems IEC 61508 2 05 2000 IEC 61508 3 12 1998 IEC 61508 4 11 1998 IEC 61508 5 11 1998 IEC 61508 6 04 2000 IEC 61508 7 03 2000 SIL1 3 as applicable to PES prEN 50159 1 1996 Railway Applications Safety Related Communication In Closed as applicable Transmission Systems as applicable prEN 50159 2 1996 Railway Applications Safety Related Communication In Open class 1 to 5 Transmission Systems as applicable as applicable TUV Automotive GmbH Revision 1 6 Automation Software and Electronics IQSE RidlerstraBe 65 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 12 of 22 Dissemination distribution copying or any other use of information in thi
4. of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND 5 Implementation Conditions and Restrictions The use of the SIMATIC S7 F FH Systems shall comply with the current version of the Safety parts of the manuals of the SIMATIC S7 F FH Systems and S7 Distributed Safety documenta tion packages and the following implementation and installation requirements have to be fol lowed if the SIMATIC S7 F FH Systems are used in safety related installations 5 1 General application conditions 5 1 1 The guidelines specified in the user s manuals shall be followed Specifically the safety notes in the user s manuals shall be followed 5 1 2 Only hardware modules certified for safety related operation as shown in Annex 1 of this report shall be used for safety critical signals Not certified standard modules defined as interference free may be used for non safety critical signals only 5 1 3 Only software modules listed in Annexes of this report shall be used to process safety critical data 5 1 4 The fault tolerance period of the process controlled by the system shall be greater than the worst case reaction time of the system determined with the help of the Excel Sheet s7ftime xls is a letter for language coding 5 1 5 A well defined shutdown procedure shall be specified 5 1 6 Non safety related blocks in the application program shall not control or affect data used by any safety critical block
5. 1508 compliant verification activities within a well defined modification pro cedure of the changes prior to downloading them into the CPU controlling the safety critical process 4 1 4 Simulation of safety applications Offline simulation of safety applications can be performed on a virtual CPU emulated by an ad ditional software package either on the programming station or the engineering station If an online connection to a running safety system exists the safety mode shall not be deactivated and the password protected access to the S7 F CPU shall not be granted 4 2 Basic Safety and Electromagnetic Compatibility 4 2 1 Basic Safety The tests of the electrical safety and the environmental stress tests executed by TUV Product Service show that the standards specified in clause 3 are covered The tests performed and the quality assurance measures implemented by the manufacturer have shown that the SIMATIC S7 F FH Systems comply with the testing criteria specified in clause 3 subject to the conditions defined in clause 5 and its subsections 4 2 2 Electromagnetic Compatibility The documentation of the electromagnetic compatibility tests executed by independent test laboratories has been reviewed for completeness The testing executed has covered the re quirements of the standards specified in clause 3 T V Automotive GmbH Revision 1 6 Automation Software and Electronics IQSE RidlerstraBe 65 Habicht Wei Weber D 80339 M
6. 42360 01 SA66281 EMC Test Report Report No Report No Report No Report No Report No Report No Report No Report No 10 99 prepared by Siemens and reviewed by TUV PS IQSE 11 99 prepared by Siemens and reviewed by TUV PS IQSE 12 99 prepared by Siemens and reviewed by TUV PS IQSE 25 99 prepared by Siemens and reviewed by TUV PS IQSE 21 00 prepared by Siemens and reviewed by TUV PS IQSE 22 00 prepared by Siemens and reviewed by TUV PS IQSE 33 00 prepared by Siemens and reviewed by TUV PS IQSE 38 00 prepared by Siemens and reviewed by TUV PS IQSE Environmental Test Report Report No Report No Report No Report No Report No Report No Report No Report No 10 99 prepared by Siemens and reviewed by TUV PS IQSE 11 99 prepared by Siemens and reviewed by TUV PS IQSE 12 99 prepared by Siemens and reviewed by TUV PS IQSE 25 99 prepared by Siemens and reviewed by TUV PS IQSE 21 00 prepared by Siemens and reviewed by TUV PS IQSE 22 00 prepared by Siemens and reviewed by TUV PS IQSE 33 00 prepared by Siemens and reviewed by TUV PS IQSE 38 00 prepared by Siemens and reviewed by TUV PS IQSE Test Report on IEC 1131 2 Report No Report No Report No Report No Report No Report No Report No Report No 10 99 prepared by Siemens and reviewed by TUV PS IQSE 11 99 prepared by Siemens and reviewed by TUV PS IQSE 12 99 prepared by Siemens and reviewed by TUV PS IQSE 25 99 prepared by Siemens and revie
7. E RidlerstraBe 65 D 80339 M nchen Phone 49 89 5791 1393 Fax 4438 Revision 1 6 Habicht Wei Weber 30 June 2005 Page 2 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND Content Page 1 PURPOSE AND SCOPE aaa eam e a eaa aaea aeaaaee ma dant aseanctaneauccactaunstounsecnbeusducasudeaecucucvasseduets 4 1 1 DEFINITION OF TERMS as cisco AEE E AEAT 4 2 SYSTEM OVERVIEW iio ii 6 2 1 SYSTEM ARCHITECTURE a e aea a a 6 2 2 HARDWARE COMPONENTS UNDER CERTIFICATION ccoooccccccccncccnnonononancnnnannnonononanananonanonononnnnnananacccnncnns 8 2 3 SOFTWARE COMPONENTS UNDER CERTIFICATION oocccccccncccnnnnnncnnnnncnnnnnnnnnananancnnnnnnnnnnnnnan anna n cnn nnnnnnnns 8 2 4 SAFETY MANUAL os total e a a a aa de Race She 9 3 CERTIFICATION REQUIREMENTS sscccscscscsseeceeeeceeeeeseeeeeeeessensasesaasnsneessesassseaseeeaseesecseses 10 3 1 BASIS OF GERTIFIGATION Siz cei a adas te ln at tae 10 3 2 CERTIFICATION DOCUMENTATION ccccccccccccceeeeeeecccccceeeesueeeaeeeueceeseeeeeeauueasseseeeeeeeeueueaueeeseseeeeeeeauaanes 11 3 3 EUROPEAN DIRECTIVES 00vicicica E eaten lidia 12 3 4 EUNCTONAESA EE Va 12 3 5 BASIC SAFE TV a e Ll a ld 13 3 6 ELECTROMAGNETIC COMPATIBILIT Y occcccccccnncnnncncncnnnnnoncnnnnancnnnnnononononnn anna n cnn nn cnn conan nana n nana nn cnn nn 13 3 7 APPLICATION STANDARDS a aid 14 4 RESULTS rosie st
8. Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 13 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV S DDEUTSCHLAND 3 7 Application Standards Because of the expected applications of the system following additional standards and regula tions should be considered Machinery Applications EN 60204 1 1997 Safety of machinery Electrical equipment of machines as applicable prEN 60204 1 prA1 1998 EN 954 1 1997 Safety of machinery Safety related parts of control systems categories 2 to 4 Part 1 General principles for design Process Industry DIN V 19251 1995 Process control technology MC protection equipment Requirements and measures for safeguarded function VDI VDE 2180 Safeguarding of industrial processing plants by means of instrumenta 1996 tion and control technology part 1 2 and 5 NE 31 1993 NAMUR Recommendation ANSI ISA 84 01 Application of safety instrumented system for the Process Industry 1996 as applicable Burner Systems EN 230 1991 Monobloc oil burners clause 7 3 EN 298 2003 Automatic gas burner control systems for gas burners and gas burning clause 7 3 8 9 and appliances with or without fans 10 ENV 1954 Internal and external fault behavior of safety related electronic parts of 1996 gas appliances as applicable DIN VDE
9. SCHLAND 5 2 3 Any application software modification after commissioning shall result in a re validation of the entire application software system The commissioning can be reduced if the change can be shown by use of a revision checker to be limited to a specific area of program 5 2 4 The proper fail safe configuration of all safety critical F 1 O shall be verified Only configu rations covered by the User s manual are covered by the certification 5 3 General run time conditions 5 3 1 Failed modules that are safety related and in redundant configurations should be re placed as quickly as practical to minimize the probability of multiple fault accumulation and potential safe nuisance shutdown As a maximum failed modules should be re placed within the multiple fault occurrence time 5 3 2 Application program modification during run time should only be permitted under end user responsibility 5 3 3 The procedure described in the user manual has to be followed 5 3 4 The application program modifications shall be limited and simple to verify and validate 5 3 5 The modifications and their interaction with existing program sections shall be thoroughly tested e g using simulation 5 3 6 The modification shall be granted by the approval authority for the plant assessment 5 3 7 Maintenance override is to be limited time restriction and number of logical points The TUV guidelines for maintenance overrides are to be followe
10. TUV SUDDEUTSCHLAND Report to the Certificate Z2 03 04 38282 002 Safety Related Programmable Systems SIMATIC S7 F FH Systems formerly S7 400F and S7 400FH Manufacturer Siemens AG Werner von Siemens Str 50 D 92224 Amberg Report No 10042360 Revision 1 6 dated 30 June 2005 _ Testing Body TUV Automotive GmbH T V S ddeutschland Group Automation Software and Electronics IQSE Certification Body T V Product Service GmbH T V S ddeutschland Group RidlerstraBe 65 D 80339 Munchen Dissemination distribution copying or any other use of information in this report in part is strictly prohibited Revision Log TUV SUDDEUTSCHLAND Version Name Date Changes History 1 0 R Faller 30 11 1999 Initial 1 1 P M ller 18 12 2000 LS 2 1 3 P Muller 15 11 2001 Section 5 4 added and modified 1 4 A Beer 23 04 2003 Product name Definition of terms 1001D and 1002D added Section 2 2 General application condition added M Weber New software version V5 2 added Restriction 5 4 1 modified 1 5 A Beer 03 06 2004 Make reference to Annexes instead a particular an M Weber nex when the annex refers to a software component revision information 1 6 F Rauch 30 06 2005 SP2 The standards EN 54 2 1997 EN 54 4 1997 NFPA72 2002 and NFPA 85 2004 were included and EN 298 was updated to 2003 in section 3 7 T V Automotive GmbH Automation Software and Electronics QS
11. ause 5 and its subsections and are suitable for safety related use in applications of requirement classes AK 1 to 6 in accordance with DIN V 19250 1994 categories 2 to 4 in accordance with EN 954 and safety integrity levels SIL 1 to 3 in accordance with IEC 61508 for intermittent or continuous op eration as well as for operation with or without continuous supervision on condition that the 0 state closed circuit principle is defined as the safe state for the binary inputs and outputs 4 1 1 Fault Reaction and Timing Fault reactions of F CPU 1 Faults in the cyclic communication between the F CPU and the F I O input modules are de tected by the F CPU Either 0 or configured substitute values are handed to the application program A specific fault reaction must be implemented by the application program devel oper 2 Faults in the cyclic communication between the F CPU and the F I O output modules are de tected by the F DO If a fault occurs all outputs of the affected F I O are driven to 0 3 Faults in the cyclic communication between two F CPUs are detected by the receiving F CPU If a fault occurs the application program is notified and configured substitute values are handed to the receiving application program A specific fault reaction must be implemented by the application program developer 4 Faults within the safety data types within data or control flow of the application program lead to blocking of the cycl
12. d TUV certification does not cover output override 5 3 8 The use of F Function Blocks for SIMATIC S7 F FH Systems F FH is only permitted if for the specific target system F or FH system an official F Copy License with the order number 6ES7 833 1CC00 6YXO0 is available The F Copy License consists of the F Copy License contract the copy of the TUV Certificate two labels to mark up the CPU or CPU s on a FH system of the used F Copy License 5 4 Product Related conditions 5 4 1 The Safety Protector allows use of failsafe modules in combination with standard modules Purpose of the Safety Protector is to isolate the failsafe modules from over voltages up to a maximum of 250 Volt AC DC caused by not safety related standard modules No field voltage higher than 250V is allowed T V Automotive GmbH Revision 1 6 Automation Software and Electronics IQSE RidlerstraBe 65 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 21 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND 6 Certificate Number This report specifies technical details and implementation conditions required for the application of the Safety Related Programmable Systems SIMATIC S7 F FH Systems by Siemens AG to the certificate Z2 03 04 38282 002 Munich 30 June 2005 T V Automotive GmbH TUV SUD Group Automati
13. ecviscds ads asscsasszaacbaccasteassecuactsacsuses poten neces rallies 16 4 1 FUNCTIONAL SAFE Visita taa 16 4 2 BASIC SAFETY AND ELECTROMAGNETIC COMPATIBILITY occccccccccnnnnnccncccnnnnonononanann nana nancnn non nnnnnnaannanns 18 4 3 PRODUCT SPECIFIC QUALITY ASSURANCE AND CONTROL c0ooccccccccccnononnnannnncnnnnonononanananannncnananononnninnns 19 5 IMPLEMENTATION CONDITIONS AND RESTRICTIONG ccccceesceeeseeeeseessesssssessseessseeeeeeceeses 20 5 1 GENERAL APPLICATION CONDITIONS ooocccccccccccnnncnnnnnncncnonononnnnannnnnnncnnncnnnnn a nn ana anna a e 20 5 2 GENERAL COMMISSIONING CONDITIONS cccccccccnnncnnnncncccnnnnncnnnnanananananonononon nana ana nnnnnnnnnnnnn anna n acacia nnnnnns 20 5 3 GENERAL RUN TIME CONDITIONS cisco crc ferctteccettutavevaacenctcencacasdabedegeled lena re E ao a loaded coandetus 21 5 4 PRODUCT RELATED CONDITIONS c ccccccsceccccceccceeceeeeceeeesceceeeeeeeeeueuaueeesceceeeeeeaauaaauauueeeeeeeeeeeauaaaaeeess 21 6 CERTIFICATE NUMBER win cocidas diia AEREAS svedasusuvetecenbecessescees 22 T V Automotive GmbH Revision 1 6 Automation Software and Electronics QSE RidlerstraBe 65 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 3 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND 1 Purpose and Scope TUV Automotive GmbH has been contracted by Siemens AG to certi
14. fy the Safety Related Programmable Systems SIMATIC S7 F FH Systems This report summarizes the user related results of the tests and inspections performed on the SIMATIC S7 F FH Systems based on the certification requirements outlined under clause 3 1 and reported by the documentation listed under clause 3 2 1 1 Definition of Terms The following terms are used in this report with a meaning defined as follows Functional Safety The ability of a safety related system to carry out the actions necessary to achieve a defined safe state for the equipment under control EUC or to maintain the safe state for the EUC CFC Continuous Function Chart Degraded operation Denotes the system operating mode when a fault has been detected and localized in one of the critical components Multiple fault occurrence The multiple fault occurrence period denotes a time frame in which the time probability for the appearance of combination wise safety critical multi ple faults is sufficiently low for the considered requirement class The period of time begins with the last point in time at which the considered system was in a fault free assumed condition according to the consid ered requirements class The definition of this time is not system specific A general recommen dation is to assume this time to be magnitudes 2 to 3 below the speci fied MTBF time Fault tolerance time The fault tolerance time denotes a characteristic of the proces
15. he following software components have been certified safety related allowing the software components to be used for processing safety critical signals and executing critical functions e Add on option package S7 F Systems e F FBs e Firmware of the Failsafe I O modules For the specific versions see the current revision of the Annexes to this report 2 3 2 Interference Free Software Components Other software components than those mentioned in 2 3 1 are not the subject of this certifica tion Absence of impact of non certified components on safety related components is enforced due to the intrinsic safety features provided by the diverse logic implementation followed by the 1002 F I O modules 2 3 3 Communication Safety related communication between F CPUs and F I O is based on the Profibus DP PA pro tocol but implements an additional safety shell on top ProfiSafe Safety related communication between F CPUs is based on a standard protocol like MPI Profibus or Ethernet but implements an additional safety shell on top 2 3 4 Programming environment Safety application programming is performed by connection of function blocks using the Step7 CFC language Only special certified function blocks shall be used for safety applications Use of standard function blocks for safety applications is prevented by their own safety data types Edit compile and load use the standard STEP7 programming environment of the S7 400 and S7 300 fami
16. ic transmissions to output modules and other F CPUs or signaling of the fault to them If a fault occurs all outputs of the affected output modules are driven to 0 and the affected receiving F CPUs use the configured substitute values 5 Faults detected by built in self test lead to blocking of the cyclic transmissions to output mod ules and other F CPUs or signaling of the fault to them If a fault occurs all outputs of the af fected output modules are driven to 0 and the affected receiving F CPUs use the configured substitute values 6 In the FH system structure one of the CPUs is running as master whereas the other CPU is running as standby Faults in the Master CPU detected by self tests or other fault control mechanism inside the CPU lead to master changeover before failure effects the F DO Faults in the Standby CPU detected by self tests or other fault control mechanism inside the CPU lead to blocking of master changeover before failure effects the F DO TUV Automotive GmbH Revision 1 6 Automation Software and Electronics IQSE RidlerstraBe 65 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 16 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND Fault reactions of F I O Faults detected by built in self test or diagnostics are either safely communicated to the ap plication program o
17. le is sufficient to achieve the certified functional safety Optional two redundant F I O mod ules are used in 2002 of 1002 configuration to increase availability 2 2 Hardware Components under Certification The system components which are certified safety related are listed in the current revision of the Annex 1 to this report This allows the components to be used to process safety critical sig nals and functions All other components of the S7 400 and S7 300 family are interference free r ckwirkungs frei and allowed to be used however they are not certified for process safety critical signals and functions Using these components does not interfere with the proper functioning of the safety related modules For details on architectural configuration and implementation requirements please refer to the manuals of the SIMATIC S7 F FH Systems documentation package 2 3 Software Components under Certification A list of the software components with the valid version numbers is shown in the current revision of the applicable Annexes to this report T V Automotive GmbH Revision 1 6 Automation Software and Electronics QSE RidlerstraBe 65 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 8 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND 2 3 1 Safety related Software Components T
18. lerstraBe 65 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 6 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND Redundant system bus PROFIBUS or Ethernet E Operator Station System visualization S7 400FH programmable controller AY Fail safe I O modules optionally redundant Hull Redundant PH PROFIBUS DP A Standard I O modules optionally redundant i iil System Architecture for S7 FH The SIMATIC S7 F FH Systems consist of 1 or 2 S7 400 CPUs central processing units re spectively that are suitable for safety related applications and Fail Safe I O Modules F SM or F I O Safety critical input signals are read from the process with the F I O or read from other F CPU s via safety related communication Safety critical output signals are sent from the F CPU to the F I O or to other F CPU s via safety related communication The F I O is responsible for the safety related output to the proc ess The S7 400 F CPU implements a 1001D structure with diverse application software on a single channel hardware Fault detection is implemented by comparison of the diverse application software resul
19. ly An add on option package S7 F Systems provides the following properties re quired to improve the standard programming environment for safety programming e Library with safety related function blocks F FBs e Integration of fault detection measures self tests program and data flow monitoring data redundancy into the application program e Additional access protection for the safety program in the F CPU e Add on option package S7 F Systems checks 2 4 Safety manual The conditions and rules for safe use of the SIMATIC S7 F FH Systems are laid down within the user documentation e Programmable Controllers S7 F FH Systems e ET 200S Distributed I O System Fail Safe Modules e Automation System S7 300 Fail Safe Signal Modules TUV Automotive GmbH Revision 1 6 Automation Software and Electronics QSE RidlerstraBe 65 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 9 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND 3 Certification Requirements 3 1 Basis of Certification The certification of the controller will be according to the regulations and standards listed in clause 3 3 to 3 6 of this document This will certify the successful completion of the following test segments l Functional Safety A Fault investigations for the hardware components listed in the current revision of
20. on Software and Electronics QSE Technical Certifier A lun J Blum TUV Automotive GmbH Revision 1 6 Automation Software and Electronics IQSE RidlerstraBe 65 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 22 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited
21. r in case communication is affected faults are detected as described in section 1 and 2 above If the faulty module is an input module the process data transmitted to the F CPU is set to 0 with binary inputs and 7FFFH with analog inputs for all inputs or the faulty inputs If the faulty module is an output module all outputs or the faulty outputs are driven to 0 The fault tolerance period of the process controlled by the SIMATIC S7 F FH Systems shall be greater than the worst case response time determined with the help of the Excel Sheet S7ftime xls is a letter for language coding The results of the concept and the technical requirements analysis of the Profibus based com munication safety shell Profisafe are subject of the Evaluation Report PK55299T revision 1 0 of 30 March 1999 4 1 2 Application Development The SIMATIC S7 F FH Systems can treat and execute programmed safety and non safety related functions independently from each other at the same time An intended safety function of the SIMATIC S7 F FH Systems can be enforced either by application programmed functions or by built in fault reaction functions The application programmed safety function lies with the ap plication program developer Acceptance of programmed safety function requires complete functional testing After that com plete functional testing is only necessary for changed parts of the programmed safety function Loading and changing of safet
22. s and describes the period of time in which the process can be controlled by a faulty control output signal without entering a dangerous condition Interference free Property of a unit not to cause faulty state in connected units even if it fails Probability of Failure on De Average probability of failure of a system to perform its design functions mand PFD on demand Proven in use A sufficient number of installations in various application fields with Proven by operation available fault history of the installed systems did not show the presence Field tested of a safety related systematic error T V Automotive GmbH Revision 1 6 Automation Software and Electronics QSE RidlerstraBe 65 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 4 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND 1002D This architecture consists of two channels connected in parallel During normal operation both channels need to demand the safety function before it can take place In addition if the diagnostic tests in either channel detect a fault then the output voting is adapted so that the overall output state then follows that given by the other channel If the diagnostic tests find faults in both channels or a discrepancy that cannot be allocated to either channel then the output goes to the safe sta
23. s report in part is strictly prohibited TUV SUDDEUTSCHLAND 3 5 Basic Safety To complete and to specify the technical requirements resulting from the Essential Require ments of the Directives listed above the testing of Basic Safety is to cover the following stan dards EN 61131 2 1995 Programmable controllers equipment requirements and tests EN 50178 1997 Electronic equipment for use in power installations DIN VDE 0110 Insulation co ordination for equipment within low voltages systems 1989 EN 60068 Environmental Testing QSH IQSE Quality Manual of T V Product Service IQSE Version 1 4 3 6 Electromagnetic Compatibility To complete and to specify the technical requirements resulting from the Essential Require ments of the Directives listed above the testing of Electromagnetic Compatibility is to cover the following standards EN 61131 2 1995 Programmable controllers equipment requirements and tests EN 55011 1997 Limits and methods of measurement of radio disturbance characteris tics of industrial scientific and medical ISM radio frequency equip ment EN 50081 2 1993 Electromagnetic compatibility EMC Generic emission standard Part 2 Industrial environment EN 50082 2 1995 Electromagnetic compatibility EMC Generic immunity standard Part 2 Industrial environment TUV Automotive GmbH Revision 1 6 Automation Software and Electronics IQSE RidlerstraBe 65
24. te In order to detect a discrepancy between the channels either channel can determine the state of the other channel via a means independent of the other channel 1001D This architecture consists of a single channel connected to an inde pendent diagnostic circuit not self diagnostics If the diagnostic circuit detects a hidden fault in the channel it asserts the safe state viaa means independent of the channel TUV Automotive GmbH Revision 1 6 Automation Software and Electronics QSE RidlerstraBe 65 Habicht Wei Weber D 80339 M nchen 30 June 2005 Phone 49 89 5791 1393 Fax 4438 Page 5 of 22 Dissemination distribution copying or any other use of information in this report in part is strictly prohibited TUV SUDDEUTSCHLAND 2 System Overview 2 1 System Architecture The SIMATIC S7 F FH Systems are safety related fail safe programmable electronic systems PES that are suitable for safety related applications with a high level of potential danger e g controllers for offshore processes chemical processes Operator Station System visualization S7 400F programmable controller Fail safe I O modules optionally redundant Programming device 1 Standard I O modules optionally redundant System Architecture for S7 F TUV Automotive GmbH Revision 1 6 Automation Software and Electronics QSE Rid
25. the Annex 1 to this report and of the system configurations as described in the manuals of the SIMATIC S7 F/FH Systems and S7 Distributed Safety documentation packages

    B Software analysis for the software components listed in the current revision of the Annexes to this report

    C Descriptive safety as given by the safety sections of the user documentation indicated in section 2.4 of this report

    II Basic Safety, including electrical safety (EN 61131-2)

    III Environmental Stress Testing

    A Climatic and temperature stress

    B Mechanical stress

    IV Electromagnetic compatibility

    A Electromagnetic susceptibility

    B Electromagnetic emission

    V Product-related Quality Management in manufacturing and product care

    Certification is dependent on successful completion of all of the above test segments. The testing follows the basic certification scheme for safety-related programmable electronic systems of TÜV Product Service GmbH.

    3.2 Certification Documentation

    Documentation of this certification is based on the following reports:

    Technical Reports: Report No. SA58199; Report No. SA60720; Report No. T 100
26. ts in the CPU and the independent F I/O, internal self-tests and program and data flow monitoring in the CPU, and fault monitoring by the F I/O.

    The following failure control measures are implemented in the CPU:

    - redundant execution with data and code redundancy and diversity, and comparison of the diverse results
    - self-test of safety-related operations in each cycle
    - program and data flow monitoring

    Checking of this and fault reaction is done directly by the CPU itself as well as indirectly by the recipients of the CPU's safety-related outputs, i.e. the fail-safe output modules and other CPUs. In addition the CPU performs self-tests in the background and uses two independent time bases. One CPU is sufficient to achieve the certified functional safety. In the S7 FH, two redundant CPUs are used in 2oo2 of 1oo1D configuration to increase availability. The second channel of the I/O module implements an independent comparison and diagnostic entity and allows the D designator for the 1oo1 hardware CPU architecture. The F I/O modules are in an internal 1oo2 structure (two channels with comparison). One F I/O modu
27. unless with safety-related function blocks for data conversion and plausibility checks in the safety-related program.

    5.1.7 Operator alarms as exclusive means of shutdown are only permitted under supervised operation and if the fault tolerance time of the controlled process is sufficiently long to ensure a safe manual reaction and shutdown, and the operator has sufficient independent means to supervise the process. Installations that must react to shutdown conditions quicker than achievable with manual intervention, or installations running unsupervised, shall incorporate an automatic fault reaction procedure.

    5.1.8 The operating conditions as specified in the user manuals shall be met.

    5.2 General commissioning conditions

    5.2.1 Prior to commissioning, a complete functional test of all safety-relevant functions shall be performed. The programming of the application shall ensure that modules are small and self-contained, sufficient to permit full functional testing.

    5.2.2 All timing requirements shall be validated, including fault detection time, fault reaction time, throughput delay for shutdown logic and cycle time.
28. wed by TÜV PS IQSE 21 00, prepared by Siemens and reviewed by TÜV PS IQSE 22 00, prepared by Siemens and reviewed by TÜV PS IQSE 33 00, prepared by Siemens and reviewed by TÜV PS IQSE 38 00, prepared by Siemens and reviewed by TÜV PS IQSE

    Calculation of Probability of Failure on Demand: TÜV Süddeutschland Internal Report of the Probability of Failure on Demand of S7 F Safety Programmable System, Rev. 4.1 from 12 December 2000

    - Manuals: Programmable Controllers S7 F/FH Systems, and S7-300 Programmable Controller Fail-Safe Signal Modules

    Based on the specified purpose of use of the SIMATIC S7 F/FH Systems in safety-critical process protection applications, the certification is based on the following set of standards. The issuance of the certificate states compliance with these references unless specifically noted otherwise.

    3.3 European Directives

    The fulfillment of the essential requirements of the following European Directives is mandatory for an electronic device such as the SIMATIC S7 F/FH Systems:

    73/23/EEC Council Directive of 19 February 1973 on the harmonization of the
29. y related programs in the CPU need authorization by password. Non-safety-related programs can be changed at any time without impact on programmed and built-in safety functions of the SIMATIC S7 F/FH Systems.

    4.1.3 Online loading of safety applications

    In general, responsibility for monitoring the process during and after the on-line modification lies entirely with the organization and person responsible for the on-line modification. Since on-line modifications are generally associated with an increased level of risk, the approval of on-line modifications is at the discretion of the testing and inspection center responsible for approval of the system's application. The procedure for on-line modifications and existing restrictions are described in the manuals of the SIMATIC S7 F/FH Systems and S7 Distributed Safety documentation packages. Loading of safety program changes and changes of safety-related constant parameters while the process is running in observed mode requires at least: off-line verification and/or simulation and/or online testing on a hot standby CPU, and/or similar IEC 6