S7-1200 Functional Safety Manual
Manual, 02/2015, A5E03470344-AA
115
Fail-Safe signal module (SM) diagnostics
Reactions to faults
Reactions to startup of the fail-safe system and to faults
The fail-safe concept depends on the identification of a safe state for all process variables.
The value "0" (de-energized) represents this safe state for digital fail-safe signal modules
(SM). This applies to both sensors and actuators.
The safety function requires that safe state values be applied to the fail-safe signal module
(SM) or channel(s) instead of process values (passivation of the fail-safe SM or channel(s))
in the following situations:
● When the fail-safe system is started up
● If SM module faults are detected, such as RAM or processor failures
● If errors are detected during safety-related communication between the fail-safe CPU and
the fail-safe SM through the PROFIsafe safety protocol (communication error)
● If SM channel faults occur (for example, short-circuit and discrepancy errors)
The fail-safe CPU enters detected system faults into the diagnostic buffer.
Automatic safety measures and the PROFIsafe protocol ensure that the safe state is set if
the system detects a fault.
Fail-Safe SMs do not remember errors upon power cycle. When the system is powered
down and then restarted, any faults still existing are detected again.
Fail-Safe value for fail-safe signal modules
If channels are passivated in fail-safe DI SMs, the fail-safe system always provides safe
state values ("0") for the safety program instead of the process values applied to the fail-safe
inputs.
If channels are passivated in the F-DQ DC or F-RLY, the fail-safe system always transfers
safe state values "0" to the fail-safe outputs instead of the output values provided by the
safety program. The output channels are de-energized.
The passivation safe state value and the output state value in CPU STOP mode are always
"0", de-energized. You cannot select or program a default "ON" state for passivation or
STOP mode.
Passivation is applied to individual channels when a channel-specific diagnostic failure is
detected. Failures that can affect the entire module result in passivation of all channels.
To Next Page
Loading...
