Siemens IK PI · 2015
PROFINET/Industrial Ethernet
SIMATIC PCS 7 process control systems
Safety-related automation systems
■ Overview
[Figure: AS Single Station AS 410F]
Safety-related automation systems are used for critical applications where a fault could endanger life or result in damage to the plant or the environment. These F/FH systems, also referred to as "fail-safe automation systems", detect both faults in the process and their own internal faults, in association with the safety-related F modules of the ET 200 distributed I/O systems or fail-safe transmitters connected directly via the fieldbus. In the event of a fault, they automatically transfer the plant to a safe state.
■ Design
The PROFIsafe profile allows safety-related communication between the automation system (controller) and the process I/O via both PROFIBUS and PROFINET. The choice between PROFINET IO and the PROFIBUS DP/PA fieldbuses has a significant influence on the architecture of the safety-related system.
For information on the safety-related design versions with
PROFIBUS DP/PA and PROFINET IO, refer to the section
"Introduction" in the "Safety Integrated for Process Automation"
chapter.
The safety-related SIMATIC PCS 7 automation systems are based either on the hardware of the AS 410S standard automation system (F systems) or the hardware of the AS 410H high availability automation system (FH systems), which have been supplemented with safety functions using S7 F systems.
In accordance with the design variant, they are categorized as:
• AS Single Station AS 410F, with only one CPU (safety-related)
• AS Redundancy Station AS 410FH, with two redundant CPUs (safety-related and high availability)
The availability can be flexibly increased with a redundant design for the power supply or the Industrial Ethernet communications module (for details, see the section "Modular S7-400 systems" under "Flexible and scalable availability").
All AS 410F/FH systems are TÜV-certified and comply with the
safety requirements up to SIL 3 according to IEC 61508.
In these systems with multitasking capability, several programs can be executed simultaneously in one CPU: basic process control (BPCS) applications or also safety-related applications. The programs are reaction-free, i.e. faults in BPCS applications have no effect on safety-related applications, and vice versa. Special tasks with very short response times can also be implemented.
The redundant FH systems operating according to the 1-out-of-2 principle consist of two subsystems of identical design. These are electrically isolated from each other to achieve optimum EMC, and are synchronized with each other via fiber-optic cables. A bumpless switchover is made from the active subsystem to the standby subsystem in the event of a fault. The two subsystems can be present in the same rack or separated by up to 10 km. The spatial separation provides additional security in the case of extreme influences in the environment of the active subsystem, e.g. resulting from a fire.
The redundancy of the FH systems is only used to increase the availability. It is not relevant to processing of the safety functions and the associated fault detection.
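To make the distinction between the safety function and the availability redundancy concrete, here is an added Python model of the behaviour described above; it is not Siemens code and does not reflect the real CPU firmware, and the station, subsystem and scan-cycle structure are assumptions for illustration only.

```python
# Added illustration, not Siemens code: a fail-safe station (AS 410F) and
# its 1-out-of-2 variant (AS 410FH). Safety logic always wins; redundancy
# only decides whether an internal CPU fault can be absorbed by switchover.
from dataclasses import dataclass
from enum import Enum


class Output(Enum):
    RUN = "run"                # process continues under the active subsystem
    SAFE_STATE = "safe_state"  # plant transferred to its safe state


@dataclass
class Subsystem:
    name: str
    healthy: bool = True       # False = internal fault found by self-test


@dataclass
class SafetyStation:
    subsystems: list
    active: int = 0            # index of the subsystem driving the process
    switchovers: int = 0

    def cycle(self, process_fault: bool) -> Output:
        """One scan cycle: safety function first, availability second."""
        # A detected process fault forces the safe state no matter how
        # many healthy CPUs are available (redundancy is not safety).
        if process_fault:
            return Output.SAFE_STATE
        if self.subsystems[self.active].healthy:
            return Output.RUN
        # Internal fault in the active subsystem: bumpless 1oo2 switchover
        # to a healthy standby if present, otherwise safe state.
        for idx, sub in enumerate(self.subsystems):
            if idx != self.active and sub.healthy:
                self.active = idx
                self.switchovers += 1
                return Output.RUN
        return Output.SAFE_STATE


def as410f() -> SafetyStation:
    """AS Single Station: one safety-related CPU (constructed)."""
    return SafetyStation([Subsystem("cpu0")])


def as410fh() -> SafetyStation:
    """AS Redundancy Station: two identical subsystems (constructed)."""
    return SafetyStation([Subsystem("cpu0"), Subsystem("cpu1")])
```

Running the two stations through the same fault scenarios shows that only an internal fault of the active CPU is handled differently: the FH station switches over and keeps running, while a process fault ends in the safe state on both.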
© Siemens AG 2014