Safety-related redundant controller SIMATIC AS 410 FH

Safety-related automation systems are used for critical applications where a fault could endanger life or result in damage to the plant or the environment. These F/FH systems, also referred to as "fail-safe automation systems", detect both faults in the process and their own internal faults, in association with the safety-related F modules of the ET 200 distributed I/O systems or fail-safe transmitters connected directly via the fieldbus. They automatically transfer the plant to a safe state in the event of a fault.

The PROFIsafe profile allows safety-related communication between the automation system (controller) and the process I/O via both PROFIBUS and PROFINET. The decision for choosing either PROFINET IO or the PROFIBUS DP/PA fieldbuses has a significant influence on the architecture of the safety-related system.

For information on the safety-related design versions with PROFIBUS DP/PA and PROFINET IO, refer to the section "Introduction" in the "Safety Integrated for Process Automation" chapter.

The safety-related SIMATIC PCS 7 automation systems are based either on the hardware of the AS 410S standard automation system (F systems) or the hardware of the AS 410H high availability automation system (FH systems), which have been supplemented with safety functions using S7 F systems.

In accordance with the design variant, they are categorized as:

  • AS Single Station AS 410F with only one CPU (safety-related)
  • AS Redundancy Station AS 410FH with two redundant CPUs (safety-related and high availability)

The availability can be flexibly increased with a redundant design for the power supply or the Industrial Ethernet communications module (for details, see the section "Modular S7-400 systems" under "Flexible and scalable availability").

All AS 410F/FH systems are TÜV-certified and comply with the safety requirements up to SIL 3 according to IEC 61508.

In these systems with multitasking capability, several programs can be executed simultaneously in one CPU – basic process control (BPCS) applications or also safety-related applications. The programs are reaction-free, i.e. faults in BPCS applications have no effect on safety-related applications, and vice versa. Special tasks with very short response times can also be implemented.

The redundant FH systems operate according to the 1-out-of-2 principle and consist of two subsystems of identical design. These are electrically isolated from each other to achieve optimum EMC, and are synchronized with each other via fiber-optic cables. In the event of a fault, a bumpless switchover is made from the active subsystem to the standby subsystem. The two subsystems can be present in the same rack or separated by up to 10 km. The spatial separation provides additional protection against extreme influences in the environment of the active subsystem, e.g. a fire.

The redundancy of the FH systems is only used to increase the availability. It is not relevant to processing of the safety functions and the associated fault detection.

Individual configuration of AS bundles

The configuration of the safety-related automation systems and their article numbers can be defined by selecting pre-configured ordering units.

Typical combinations for the respective system can be selected using tables in the section "Selection and ordering data". These are divided into:

  • AS Single Station AS 410F with one CPU
  • AS Redundancy Station AS 410FH with two redundant CPUs, mounted on one common rack (UR2-H) or two separate racks (UR2)

The complete range for selection is available using two correspondingly structured online configurators in the Industry Mall (www.siemens.com/industrymall):

  • SIMATIC PCS 7 AS 410 Single Station configurator
  • SIMATIC PCS 7 AS 410 Redundancy Station configurator

System expansion cards including an S7 F systems Runtime license should be selected here for safety-related AS 410 F/FH automation systems.

FO sync cables longer than 1 m must always be ordered separately (2 cables required in each case).

The components suitable for engineering the safety-related applications can be ordered in the section "Safety Integrated for Process Automation":

  • S7 F Systems
    F programming tool with F block library for programming safety-related user programs on the engineering system
  • SIMATIC Safety Matrix 
    Convenient safety lifecycle tool for configuration, operation and servicing

I/O connection via PROFIBUS DP

The distributed process I/O can be integrated into a PROFIBUS DP segment either directly or via a lower-level PROFIBUS PA fieldbus. Several PROFIBUS DP segments with distributed process I/Os can be operated on an AS 410F/FH automation system.

A PROFIBUS DP interface is already integrated in each CPU 410‑5H Process Automation. Using the online configurator in the Industry Mall or in the selection and ordering data, up to four additional PROFIBUS DP interfaces can be configured with additive CP 443-5 PROFIBUS DP interfaces (conformal coating) for each AS 410F as well as for each subsystem of the AS 410FH.

Connection of the process I/Os to two redundant PROFIBUS DP lines of an FH system (AS Redundancy Station) is carried out as described in the section "High availability automation systems".

The FOUNDATION Fieldbus (FF) H1 and the FF devices are not supported by Safety Integrated for Process Automation.

I/O connection via PROFINET IO

Safety-related AS 410F/FH automation systems can be connected via PROFINET IO with remote I/O stations, for example, ET 200M remote I/O stations. Only the PROFINET interface (2‑port switch) integrated in the CPU can be used for this on the automation system. For additional information, refer to section "Introduction" in the "Safety Integrated for Process Automation" chapter.

Communication over the plant bus

If the PROFINET interface integrated in the CPU of the safety-related automation systems is not used for PROFINET IO, it is available for connection to the Industrial Ethernet plant bus. Otherwise, the AS 410F and the two subsystems of the AS 410FH can be connected to the plant bus via one CP 443‑1 (conformal coating) communication module each.

The plant bus can be implemented in the form of a ring structure, which can also be configured with redundant architecture if the availability requirements are high. When there are two redundant rings, it makes sense to use two communication modules per AS (AS 410F) or AS subsystem (AS 410FH) and to distribute their connections over the two rings (4‑way connection). Double faults such as failure of the switch on ring 1 with simultaneous interruption of the bus cable on ring 2 can thus be tolerated.
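To make the availability argument in the preceding paragraph concrete, the following Python model is added here as an illustrative example; it is not Siemens code and not part of the catalog. It builds two independent switch rings, attaches an AS and an OS server to both rings (the 4-way connection), and checks reachability under the double fault named above: a switch failure on ring 1 together with a cable interruption on ring 2. The ring size, the node names, and the choice of which switches the AS and OS hang on are assumptions of the model. It also enumerates every single and double fault, so that the combinations the 4-way connection does not survive become visible.

```python
"""Reachability model for the redundant plant-bus ring architecture.

Added illustrative example, not Siemens code. The topology (two rings of
four switches each, one AS with a communication module on each ring, one
OS server attached to both rings) and the fault scenarios are constructed
assumptions chosen for this model.
"""
from collections import deque
from itertools import combinations


def build_plant_bus(n_switches=4, as_rings=("r1", "r2"), os_rings=("r1", "r2")):
    """Return an undirected graph as {node: set(neighbours)}.

    Switches are named 'r1:S1'..'r1:Sn' and 'r2:S1'..'r2:Sn'; consecutive
    switches of a ring are linked and the last one closes the ring. 'AS'
    hangs on S1 of every ring in as_rings, 'OS' on S3 of every ring in
    os_rings, so the 4-way connection is as_rings == os_rings == both rings.
    """
    g = {}

    def link(a, b):
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)

    for ring in ("r1", "r2"):
        for i in range(1, n_switches + 1):
            link(f"{ring}:S{i}", f"{ring}:S{i % n_switches + 1}")
    for ring in as_rings:
        link("AS", f"{ring}:S1")
    for ring in os_rings:
        link("OS", f"{ring}:S3")
    return g


def apply_faults(g, failed_switches=(), cut_cables=()):
    """Copy g, delete failed switches entirely and remove cut cable links."""
    h = {n: set(adj) for n, adj in g.items()}
    for sw in failed_switches:
        for nb in h.pop(sw, set()):
            h[nb].discard(sw)
    for a, b in cut_cables:
        if a in h and b in h:
            h[a].discard(b)
            h[b].discard(a)
    return h


def reachable(g, src, dst):
    """Breadth-first search: is there any intact path from src to dst?"""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nb in g.get(node, ()):
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return False


def isolating_faults(g, src="AS", dst="OS", max_faults=2):
    """Enumerate every combination of up to max_faults switch failures and
    cable interruptions and return those that separate src from dst."""
    switches = sorted(n for n in g if n.startswith("r"))
    cables = sorted({tuple(sorted((a, b))) for a in switches
                     for b in g[a] if b.startswith("r")})
    faults = [("switch", s) for s in switches] + [("cable", c) for c in cables]
    isolating = []
    for k in range(1, max_faults + 1):
        for combo in combinations(faults, k):
            failed = [x for kind, x in combo if kind == "switch"]
            cut = [x for kind, x in combo if kind == "cable"]
            if not reachable(apply_faults(g, failed, cut), src, dst):
                isolating.append(combo)
    return isolating


def survives_named_double_fault(g):
    """The catalog's scenario: switch failure on ring 1 plus cable break on
    ring 2. Here the failed switch is the one the AS hangs on (the worst
    case for ring 1) and the cut cable is adjacent to the AS's ring-2 switch."""
    faulty = apply_faults(g, failed_switches=["r1:S1"],
                          cut_cables=[("r2:S1", "r2:S2")])
    return reachable(faulty, "AS", "OS")


if __name__ == "__main__":
    four_way = build_plant_bus()
    single_ring_as = build_plant_bus(as_rings=("r1",))
    print("4-way survives switch+cable double fault:",
          survives_named_double_fault(four_way))
    print("AS on one ring only survives the same fault:",
          survives_named_double_fault(single_ring_as))
    print("double faults the 4-way connection does not survive:")
    for combo in isolating_faults(four_way):
        print("  ", combo)
```

In this model the 4-way connection survives the switch-plus-cable double fault from the text, while an AS attached to ring 1 only is cut off by the ring-1 switch failure alone. The enumeration also shows the limit of the scheme as modelled: the only double faults that isolate the 4-way AS are those that take out the AS-facing or OS-facing switch on both rings at once, which is why the two communication modules should not share a switch or a cable run. That limit is a consequence of the model's topology, not a statement from the catalog.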

Runtime licenses

In the factory state, safety-related automation systems come with a SIMATIC PCS 7 AS Runtime license for 100 process objects (PO), the SIMATIC PCS 7 Industry Library Runtime license and the S7 F systems RT license. The 100 POs of the SIMATIC PCS 7 AS Runtime license can be expanded by additional Runtime licenses for 100, 1 000 or 10 000 POs. The process objects of additional Runtime licenses are added to the process objects already licensed; the number and type (e.g. 100 or 1 000) of the additional Runtime licenses can be combined freely.
