HIMax Safety Manual - Tuv-fs.com

SAFETYHIMax ®Safety Manual

HIMaxTable of contentsTable of contents1 Safety Manual.......................................................... 71.1 Validity and Current Version................................................................................. 71.2 Objectives of the Manual....................................................................................... 71.3 Target Audience..................................................................................................... 71.4 HIMA Address ........................................................................................................ 71.5 Glossary.................................................................................................................. 81.6 Formatting Conventions ....................................................................................... 91.6.1 Safety Notes ............................................................................................................ 91.6.2 Operating Tips ....................................................................................................... 102 Intended Use ......................................................... 112.1 Scope .................................................................................................................... 112.2 Non-Intended Use ................................................................................................ 112.3 Operating Requirements ..................................................................................... 112.3.1 Climatic Requirements........................................................................................... 122.3.2 Mechanical Requirements ..................................................................................... 132.3.3 EMC Requirements................................................................................................ 132.3.4 Power Supply......................................................................................................... 142.3.5 ESD Protective Measures...................................................................................... 142.4 Requirements to be met by Machine and System Manufacturers .................. 142.5 Further System Documentation ......................................................................... 153 Safety Concept for Using the PES ......................... 163.1 Safety and Availability......................................................................................... 163.1.1 Calculating the PFD and the PFH Values.............................................................. 163.1.2 Self-Test and Fault Diagnosis................................................................................ 173.1.3 PADT ..................................................................................................................... 173.1.4 Redundancy........................................................................................................... 173.2 Time Parameters Important for Safety............................................................... 183.2.1 Fault Tolerance Time (FTT) ................................................................................... 183.2.2 Resource Watchdog Time ..................................................................................... 183.2.3 Safety Time (of PES) ............................................................................................. 193.2.4 Response Time...................................................................................................... 193.3 Proof Test ............................................................................................................. 193.3.1 Proof Test Execution.............................................................................................. 203.3.2 Frequency of Proof Tests....................................................................................... 203.4 Safety Requirements ........................................................................................... 203.4.1 Hardware Configuration ......................................................................................... 203.4.2 Programming ......................................................................................................... 203.4.3 Requirements for Using the Programming Tool..................................................... 203.4.4 Communication ...................................................................................................... 213.4.5 Maintenance Work ................................................................................................. 21HI 801 003 D Rev.2.0 Page 3 of 70

Table of contentsHIMax3.5 Certification ..........................................................................................................224 Processor Modules................................................ 234.1 Self-Tests ..............................................................................................................234.1.1 Reactions to Faults in the Processor Module......................................................... 234.2 Slots Permitted for Processor Modules ............................................................. 234.3 Availability of Processor Modules......................................................................244.4 Replacing Processor Modules ............................................................................245 System Bus Module ............................................... 255.1 Slots Permitted for System Bus Modules .......................................................... 255.2 Rack ID ..................................................................................................................255.3 Responsibility.......................................................................................................256 Communication Module ......................................... 286.1 Slots Permitted for Communication Modules.................................................... 287 Input Modules........................................................ 297.1 General ..................................................................................................................297.2 Safety of Sensors, Encoders and Transmitters.................................................297.3 Redundancy of Inputs and Input Modules .........................................................297.4 Slots Permitted for Input Modules......................................................................297.5 Safety-Related Digital Inputs...............................................................................307.5.1 Use of Digital Input .................................................................................................307.5.2 Test Routines .........................................................................................................307.5.3 Reaction in the Event of a Fault .............................................................................307.5.4 Surges on Digital Inputs .........................................................................................317.6 Checklists for Safety-Related Digital Inputs......................................................327.6.1 Checklist for the X-DI 32 01 Digital Input Module................................................... 327.6.2 Checklist for the X-DI 32 02 Digital Input Module................................................... 337.6.3 Checklist for the X-DI 32 04 Digital Input Module................................................... 347.6.4 Checklist for the X-DI 32 05 Digital Input Module................................................... 357.7 Safety-Related Analog Inputs..............................................................................367.7.1 Use of Analog Inputs ..............................................................................................367.7.2 Test Routines .........................................................................................................367.7.3 Reaction in the Event of a Fault .............................................................................377.8 Checklist for Safety-Related Analog Inputs.......................................................387.8.1 Checklist for the X-DI 32 01 Analog Input Module.................................................. 387.8.2 Checklist for the X-DI 32 02 Analog Input Module.................................................. 39Page 4 of 70HI 801 003 D Rev.2.0

HIMaxTable of contents8 Output Modules ..................................................... 408.1 General.................................................................................................................. 408.2 Safety of Actuators .............................................................................................. 408.3 Redundancy of Outputs and Output Modules .................................................. 408.4 Slots Permitted for Output Modules .................................................................. 408.5 Safety-Related Digital Outputs ........................................................................... 418.5.1 Use of Digital Input................................................................................................. 418.5.2 Test Routines for Digital Outputs ........................................................................... 418.5.3 Reaction in the Event of a Fault............................................................................. 418.5.4 Behavior in the Event of External Short-Circuit or Overload.................................. 418.6 Safety-Related Relay Outputs............................................................................. 428.6.1 Use of Digital Relay Output.................................................................................... 428.6.2 Test Routines for Relay Outputs............................................................................ 428.6.3 Reaction in the Event of a Fault............................................................................. 428.7 Checklists for Safety-Related Digital Outputs .................................................. 448.7.1 Checklist for the X-DI 24 01 Digital Output Module ............................................... 448.7.2 Checklist for the X-DI 12 01 Relay Output Module ................................................ 459 Software................................................................ 469.1 Safety-Related Aspects of the Operating System ............................................ 469.2 Operation and Functions of the Operating System.......................................... 469.3 Safety-Related Aspects of Programming .......................................................... 469.3.1 Safety Concept of SILworX.................................................................................... 469.3.2 Verifying the Configuration and the User Program ................................................ 479.4 Resource Parameters .......................................................................................... 489.4.1 System Parameters of the Resource ..................................................................... 489.4.2 Hardware System Variables .................................................................................. 499.5 Forcing.................................................................................................................. 509.5.1 Time Limits............................................................................................................. 509.5.2 Restricting the Use of Forcing................................................................................ 509.5.3 Force Editor ........................................................................................................... 519.6 Protection against Manipulation ........................................................................ 519.7 Locking and Unlocking the PES......................................................................... 5210 User program ........................................................ 5310.1 General Sequence................................................................................................ 5310.2 Scope for Safety-Related Use............................................................................. 5310.2.1 Programming Basics.............................................................................................. 5310.2.2 Functions of the User Program .............................................................................. 5410.2.3 System Parameters of the User Program .............................................................. 5410.2.4 Code Generation.................................................................................................... 5510.2.5 Downloading and Starting the User Program ........................................................ 5610.2.6 Reload.................................................................................................................... 5610.2.7 Online Test / Single Step Mode ............................................................................. 5610.2.8 Program Documentation for Safety-Related Applications...................................... 57HI 801 003 D Rev.2.0 Page 5 of 70

Table of contentsHIMax10.2.9 Acceptance by Test Authority................................................................................. 5710.2.10 Checklist for Creating a User Program...................................................................5811 Configuring Communication .................................. 5911.1 Standard Protocols ..............................................................................................5911.2 Safety-Related Protocol (safeethernet) ..............................................................5911.2.1 Calculating the Worst Case Reaction Time............................................................ 6011.2.2 Calculating the Worst Case Reaction Time in case of a Connection to One HIMatrixPES ........................................................................................................................6111.2.3 Calculating the Worst Case Reaction Time with two HIMatrix Controllers or RemoteI/Os.........................................................................................................................6111.2.4 Calculating the Worst Case Reaction Time with two HIMax Controllers and oneHIMatrix PES..........................................................................................................6211.2.5 Assigning safeethernet Addresses........................................................................6311.2.6 Redundant safeethernet Connections................................................................... 63Appendix............................................................... 65Increasing the SIL of Sensors and Actuators....................................................65Index of Figures....................................................................................................66Index of Tables .....................................................................................................67Index ......................................................................................................................68Page 6 of 70HI 801 003 D Rev.2.0

HIMax1 Safety Manual1 Safety ManualKnowledge of regulations and the proper technical implementation of the safety instructionsdetailed in this manual performed by qualified personnel are prerequisites for safelyplanning, engineering, programming, installing and starting up the HIMax automationdevices, as well as for ensuring safety during their operation and maintenance.HIMA will not be held liable for severe personal injuries, damage to property or thesurroundings caused by any of the following: unqualified personnel working on or with thedevices, de-activation or bypassing of safety functions, or failure to comply with theinstructions detailed in this manual (resulting in faults or impaired safety functionality).HIMax automation devices have been developed, manufactured and tested in compliancewith the pertinent safety standards and regulations. They may only be used for the intendedapplications under the specified ambient conditions.1.1 Validity and Current VersionVersion Rev.2.0 This revision of the safety manual must be used from Version V2. ofthe HIMax System.The most current version of the Safety Manual, indicated by the highest version number, isapplicable and valid. The most current version is available on the HIMA Homepage .1.2 Objectives of the ManualThis manual contains information on how to operate the HIMax safety-related automationdevice in the intended manner. It provides an introduction to the safety concept of theHIMax system and should increase the reader's safety awareness.The Safety Manual is based upon the contents of the certificate and of the test report forthe certificate.1.3 Target AudienceThis manual addresses system planners, configuration engineers, programmers ofautomation devices and personnel authorized to start up, operate and maintain the devicesand systems. Specialized knowledge of safety-related automation systems is required.1.4 HIMA AddressThis documentation may not be reproduced in any form, in whole or in part, without theexpress written consent of HIMA.All rights reserved. Equipment subject to change without notice.© HIMA Paul Hildebrandt GmbH + Co KGP.O. Box 1261D-68777 Brühl near MannheimTelephone (+49) 06202 709-0Fax (+49) 06202 709-107E-Mail info@hima.comInternet http://www.hima.comHI 801 003 D Rev.2.0 Page 7 of 70

1 Safety Manual HIMax1.5 GlossaryTermDescriptionSFCSequential Function ChartAIAnalog InputCOMCommunication ModuleCRCCyclic Redundancy CheckDIDigital InputDODigital OutputEMCElectromagnetic CompatibilityENEuropean NormESDElectrostatic DischargeFBFieldbusFBDFunction Block DiagramFTAField Termination AssemblyFTTFault Tolerance TimeHWHardwareIECInternational Electrotechnical CommissionPADT Programming and Debugging Tool (in accordance with IEC 61131-3),PC with SILworXPEProtective EarthPESProgrammable Electronic SystemPFDProbability of Failure on Demand, Probability of failure on demand of asafety functionPFHProbability of Failure per Hour: Probability of a dangerous failure perhourRReadNon-reactive Assuming two input circuits are connected to the same source (e.g., atransmitter). An input circuit is termed "non-reactive" if it does notdistort the signals of the other input circuit.R/WRead/WriteSBSystem Bus (Module)SFFSafe Failure Fraction, portion of safely manageable faultsSIL Safety Integrity Level (in accordance with IEC 61508)SILworXProgramming tool for HIMaxSNTP Simple Network Time Protocol (RFC 1769)SRSSystem.Rack.SlotSWSoftwareTMOTimeoutWWriteWDWatchdogWDTWatchdog TimePage 8 of 70HI 801 003 D Rev.2.0

HIMax2 Intended Use2 Intended Use2.1 ScopeThe HIMax safety-related controllers can be used in applications up to SIL 3 in accordancewith IEC 61508.The HIMax systems are certified for use in process controllers, protective systems, burnersystems and machine controllers.All HIMax input and output modules (I/O modules) can be operated with an individualprocessor module or with several redundant processor modules.When implementing safety-related communications between various devices, ensure thatthe overall response time does not exceed the fault tolerance time. All calculations must beperformed in accordance with the rules given in the Safety Manual.Only connect devices with safe electrical isolation to the communications interfaces.Application in accordance with the 'De-Energize to Trip Principle'The automation devices have been designed in accordance with the 'de-energize to trip'principle.A system that operates in accordance with the 'de-energize to trip principle' does notrequire any power to perform its safety function.Thus, if a fault occurs, the input and output signals adopt a de-energized, safe state.Application in accordance with the Energize to Trip PrincipleThe HIMax controllers can be used in applications that operate in accordance with the'energize to trip' principle.A system operating in accordance with the 'energize to trip' principle requires power (suchas electrical or pneumatic power) to perform its safety function.Therefore, the HIMax controllers are tested and certified for use in fire alarm and firefightingsystems in accordance with EN 54 and NFPA 72. To contain the hazard, thesesystems must be able to adopt an active state on demand.When designing the controller system, the requirements specified in the applicationstandards must be taken into account. For instance, line diagnosis for the inputs andoutputs may be required.Use in Fire Alarm SystemsAll HIMax systems with analog inputs can be used in fire alarm systems in accordance withDIN EN 54-2 and NFPA 72.The operating requirements must be observed!2.2 Non-Intended UseThe transfer of safety-relevant data via public networks (e.g., the Internet) is not permittedunless additional measures are taken to increase security (e.g., VPN tunnel, firewall, etc.).With fieldbus interfaces, it is impossible to implement safety-related communications ifsafety-related fieldbus protocols are not used.2.3 Operating RequirementsThe devices have been developed to meet the following standards for EMC, climatic andenvironmental requirements:HI 801 003 D Rev.2.0 Page 11 of 70

2 Intended Use HIMaxStandardEC/EN 61131-2:2006IEC/EN 61000-6-2:2005IEC/EN 61000-6-4:2006Table 1:ContentProgrammable controllers, Part 2Equipment requirements and testsEMCGeneric standards, Parts 6-2Immunity for industrial environmentsElectromagnetic Compatibility (EMC)Generic emission standard, industrial environmentsStandards for EMC, Climatic and Environmental RequirementsWhen using the safety-related HIMax control systems, the following general requirementsmust be met:Requirement type Requirement contentProtection class Protection class II in accordance with IEC/EN 61131-2Pollution Verschmutzungsgrad II nach IEC/EN 61131-2Altitude< 2000 mEnclosure Standard: IP 20If required by the relevant application standards (e.g., EN 60204, EN954-1), the device must be installed in an enclosure of the specifiedprotection class (e.g., IP 54).Table 2: General requirements2.3.1 Climatic RequirementsThe following table lists the key tests and limit values for climatic requirements:IEC/EN 61131-2Table 3:Climatic testsOperating temperature: 0...+60 °C(test limits: -10...+70 °C)Storage temperature: -40...+85 °CDry heat and cold resistance tests:+70 °C / -25 °C, 96 h, power supply not connectedTemperature change, resistance and immunity test:-25 °C / +70 °C und 0 °C / +55 °C,power supply not connectedCyclic damp-heat withstand tests:+25 °C / +55 °C, 95 % relative humidity,power supply not connectedClimatic RequirementsPage 12 of 70HI 801 003 D Rev.2.0

HIMax2 Intended Use2.3.2 Mechanical RequirementsThe following table lists the key tests and limit values for mechanical requirements:IEC/EN 61131-2Mechanical testsVibration immunity test:5...9 Hz / 3.5 mm9...150 Hz, 1 g, EUT in operation, 10 cycles per axisShock immunity test:Table 4:Mechanical Tests15 g, 11 ms, EUT in operation, 2 cycles per axis2.3.3 EMC RequirementsHigher interference levels are required for safety-related systems. HIMax systems meetthese requirements in accordance with IEC 62061 and IEC 61326-3-1 (DIS). See column"Criterion FS“ (Functional Safety).IEC/EN 61131-2 Interference immunity tests CriterionFSIEC/EN 61000-4-2 ESD test: 6 kV contact, 8 kV air discharge -IEC/EN 61000-4-3RFI test (10 V/m): 26 MHz...1 GHz, 80 % AMRFI test (20 V/m): 26 MHz...2.7 GHz, 80 % AM: EN298-20 V/MIEC/EN 61000-4-4 Burst test: 2 kV power supply-, 1 kV signal lines 4 kVIEC/EN 61000-4-12 Damped oscillatory wave test2.5 kV L-,L+ / PE1 kV L+ / L -Table 5:Interference Immunity TestsIEC/EN 61000-6-2 Interference immunity tests CriterionFSIEC/EN 61000-4-6 High frequency, asymmetrical10 V, 150 kHz...80 MHz, AM20 V, 150 kHz...80 MHz, AM: EN 298 20 VIEC/EN 61000-4-3 900 MHz pulsesIEC/EN 61000-4-5 Surge: 2 kV, 1 kV 2 kV /1 kVTable 6:IEC/EN 61000-6-4EN 55011Class ATable 7:Interference Immunity TestsNoise emission testsEmission test:radiated, conductedNoise Emission TestsHI 801 003 D Rev.2.0 Page 13 of 70

2 Intended Use HIMax2.3.4 Power SupplyThe following table lists the key tests and limit values for the device's power supply:IEC/EN 61131-2Table 8:Review of the DC supply characteristicsAlternatively, the power supply must comply with the followingstandards:IEC/EN 61131-2 orSELV (Safety Extra Low Voltage) orPELV (Protective Extra Low Voltage)HIMax devices must be fuse protected as specified in this manualVoltage range test:24 VDC, -20 %...+25 % (19.2 V...30.0 V)Momentary external current interruption immunity test:DC, PS 2: 10 msReversal of DC power supply polarity test:Refer to corresponding chapter of the system manual or data sheet ofpower supply.Backup duration withstand test:Test B, 1000 hReview of the DC Supply Characteristics2.3.5 ESD Protective MeasuresOnly personnel with knowledge of ESD protective measures may modify or extend thesystem or replace a module.NOTEElectrostatic discharge can damage the electronic components within thecontrollers!• Touch a grounded object to discharge any static in your body.• When performing the work, make sure that the working area is free of static andwear an ESD wrist strap.• If not used, ensure that the module is protected from electrostatic discharge, e.g.,by storing it in its packaging.Only personnel with knowledge of ESD protective measures may modify or extendthe system wiring.2.4 Requirements to be met by Machine and System ManufacturersThe machine and system manufacturers are responsible for ensuring the safe application ofHIMax systems in automation systems and overall plants.The correct programming of the HIMax systems must be sufficiently validated by themachine and system manufacturers.Page 14 of 70HI 801 003 D Rev.2.0

HIMax2 Intended Use2.5 Further System DocumentationIn addition to this manual, the following documents for configuring HIMax systems are alsoavailable:Name Content Document no.D = GermanE = EnglishHIMaxSystem ManualCertified test report 1)Hardware description of the modularsystemTest principles,safety requirements, resultsDescription of the individual componentsHI 801 000 DHI 801 001 EManuals for theComponentsCommunication Manual safeethernet and standard protocols HI 801 100 DHI 801 101 E1) * Only supplied with the HIMax systemTable 9:Overview System DocumentationThe documents are available as PDF files on the internet site www.hima.com.HI 801 003 D Rev.2.0 Page 15 of 70

3 Safety Concept for Using the PES HIMax3 Safety Concept for Using the PESThis chapter contains important general items on the fuctional safety of HIMax systems.• Safety and Availability• Time Parameters Important for Safety• Proof Test• Safety Requirements• Certification3.1 Safety and AvailabilityThe HIMax systems are certified for use in process controllers, protective systems, burnercontrollers and machine controllers.They can be used in applications up to safety integrity level SIL 3 in accordance with IEC61508 or up to safety category Cat. 4 and up to performance level PL e in accordance withEN ISO 13849.All input and output modules (I/O modules) can be used with an individual processormodule or with several redundant processor modules.The HIMax systems have been tested and certified for use in fire alarm and fire-fightingsystems in accordance with EN54 and NFPA72.No imminent danger results from the HIMax systems.DANGERPhysical injury caused by safety-related automation systems improperly connectedor programmed.Check all connections and test the entire system before starting up!NOTICESystem damage!System damage caused by safety-related automation systems improperly connectedor programmed.Check all connections and test the entire system before starting up!3.1.1 Calculating the PFD and the PFH ValuesThe PFD and the PFH values have been calculated for the HIMax systems in accordancewith IEC 61508.IEC 61508-1 defines SIL 3 to have a PFD of 10 -4 ...10 -3 and a PFH value of 10 -8 ...10 -7 perhour.HIMA will gladly provide the PFD, PFH and SFF values upon request. The "SILence“ tool isavailable for more detailed calculations.A proof test interval of 10 years has been defined for the HIMax systems (offline proof test,see IEC 61508-4, paragraph 3.8.5).The safety functions, consisting of a safety-related loop (input, processing unit, output andsafety communication among HIMA systems), meet the requirements described above inall combinations.Page 16 of 70HI 801 003 D Rev.2.0

HIMax3 Safety Concept for Using the PES3.1.2 Self-Test and Fault DiagnosisThe operating system of the modules executes several self-tests at start-up and duringoperation.• Processors• Memory areas (RAM, non-volatile memory)• Watchdog• Connections between modules• Individual channels of the I/O modulesIf faults are detected during these tests, the defective module or the defective channel ofthe I/O module is switched off. If the tests detect a module fault while starting up themodule, the module will not begin to operate.In non-redundant systems, this means that sub-functions or even the entire PES will shutdown. In case of a detected failure within a redundant system, the redundant module orredundant channel takes over the function to be performedAll HIMax modules are equipped with LEDs to indicate that faults have been detected. Thisallows the user to quickly diagnose faults in a module or the external wiring, if a fault isreported.Further, the user program can also be used to evaluate various system variables that reportthe module status.An extensive diagnostic record of the system's performance and detected faults are loggedand stored in the diagnostic memory of the processor module or that of other modules.After a system fault, the recorded data can be read using the PADT.For more information on evaluating diagnostic messages, see "Diagnostics“ in the SystemManual HI 801 001.For a very few number of component failures that do not affect safety, no diagnosticinformation is provided.3.1.3 PADTUsing the PADT, the user creates the program and configures the controller. The safetyconcept of the PADT supports the user in the correct implementation of the control task.The PADT takes numerous measures to check the entered information.3.1.4 RedundancyTo improve availability, all parts of the system containing active components can be set upredundantly and, if necessary, replaced while the system is operating.• The system bus has been designed to allow the use of redundant components. Tworedundant system bus modules can be installed into each base plate (rack). Tworedundant cables are used to connect the base plates.• All processor modules can be used up to fourfold redundancy. Two variants arepossible:- All processor modules can be operated in the same base plate.- Processor modules can also be operated in two different base plates. In doing so,processor modules and I/O modules located in different places, can also be operatedredundantly.• With input and output modules, two modules can be defined as redundant to each other.A redundant channel will thus exist on each module for each corresponding channel onthe other module.• The power supply can be designed for (two-fold) redundancy. The base plates contain awiring for redundant supply of all modules.• Using the safeethernet certified by TÜV, it is possible to implement redundantcommunication connections between HIMax systems.HI 801 003 D Rev.2.0 Page 17 of 70

3 Safety Concept for Using the PES HIMaxDefective modules can be replaced during operation. To do this, the defective module isremoved from the base plate, and a new module is inserted. The new module automaticallystarts operation. A new processor module assumes the user program from the redundantprocessor module and is thus quickly ready for operation.3.2 Time Parameters Important for SafetyThese are:• Fault Tolerance Time• Watchdog Time• Safety Time• Response Time3.2.1 Fault Tolerance Time (FTT)The fault tolerance time (FTT) is a property of the process and describes the span of timeduring which the process allows faulty signals to exist before the system state becomesdangerous. A dangerous state can result if the fault exists for longer than the FTT.3.2.2 Resource Watchdog TimeThe watchdog time is set in the dialog for configuring the resource properties. This time isthe maximum permissible duration of a RUN cycle (cycle time). If the cycle time exceedsthe preset watchdog time, the processor module adopts the error stop state.When determining the watchdog time, the following factors must be taken into account:• Time required by the application, e.g., the duration of a cycle in the user program.• Time required to manage the redundant processor modules.• Time required to perform a reload.The setting range for the watchdog time of the resource rangesfrom 2 ms to maximum 50 000 ms.The default setting is 200 ms.When setting the watchdog time, the following must apply: watchdog time ≤ ½ * safety timeThe watchdog time for a project is determined by a test on a complete system. During thetest, all the processor modules are inserted in the base plate. The system operates in RUNmode with full load.All communication links are operating (safeethernet and standard protocols).To determine the watchdog time1. Set the watchdog time high for testing.2 Use the system under the maximum load: In the process read the cycle time in theControl Panel and note the variations of the cycle time.3. Remove and re-insert the processor module. To do this, choose the processor modulethat is located furthermost from Slot 3 in Base Plate 0.4 In the diagnostic history, determine the synchronization time from n to n+1 processormodules.5 Calculate the watchdog time fromsynchronization time + 12 ms spare + spare for the noted variations of the cycle time.By this, a suitable value for the watchdog time is determined.Page 18 of 70HI 801 003 D Rev.2.0

HIMax3 Safety Concept for Using the PES3.2.3 Safety Time (of PES)The safety time is the maximum permissible time within which the PES must react to asafety requirement event. Safety requirement events include:• Changes in input signals from process• Faults occurring in the controllerIn HIMax controllers, the safety time can be set anywhere between 20 ms and 100 000 ms.Within the safety time of the controller, the self-test facilities detect whether there are anypotentially dangerous faults. They trigger predefined fault reactions that set the faultycomponents to a safe state.When determining the safety time, the effects of the following factors must be taken intoaccount:• With input modules, consider the following:Time-on/time-off delay settings for input channels:enter maximum delay time setting in μs + 4 ms• Noise blanking also needs time reserves.Choose a safety time that is long enough to account for the most significant factormentioned above, but still lower than the FTT of the process. It is important not to neglectthe sensor and actuator time parameters for the safety function.The safety time for the controller is:Safety time = 2 * watchdog time + reserve XIn the actual application, the user should measure reserve X by replacing a redundantprocessor module. Enter the average cycle time determined for the entire system as thereserve X into the above formula. This ensures maximum availability for the system.3.2.4 Response TimeAssuming that no delay results from the configuration or the user program logic, theresponse time of HIMax controllers running in cycles is twice the system cycle time.The cycle time of the controller consists of the following main components:• Input processing- Processing input data on input module- Reading process data from communication interfaces- Reading process data from input modules• Processing user program logic• Output processing- Writing process data to output modules- Writing process data to communication interfaces- Processing output data on output modules• Additional processing of final actions for reloading, additional processor modules, etc.3.3 Proof TestA proof test is a periodic test performed to detect any hidden faults in a safety-relatedsystem so that, if necessary, the system can be restored to a state where it can perform itsintended functionality.HIMA safety systems must be subjected to a proof test in intervals of 10 years. It is oftenpossible to extend this interval using the SILence calculation tool from HIMA to analyze theimplemented safety loops.HI 801 003 D Rev.2.0 Page 19 of 70

3 Safety Concept for Using the PES HIMax3.3.1 Proof Test ExecutionThe execution of the proof test depends on how the system (EUC = equipment undercontrol) is configured, its intrinsic risk potential and the standards applicable to theequipment operation and required for approval by the responsible test authority.According to IEC 61508 1-7, IEC 61511 1-3, IEC 62061 and VDI/VDE 2180 sheets 1 to 4,the operator of the safety-related systems is responsible for performing the proof tests.3.3.2 Frequency of Proof TestsThe HIMA PES can be proof tested by testing the entire safety loop.In practice, shorter proof test intervals are required for the input and output field devices(e.g., every 6 or 12 months) than for the HIMax controller. Testing the entire safety looptogether with a field device automatically includes the test of the HIMax controller. There istherefore no need to perform additional proof tests of the HIMax controller.If the proof test of the field devices does not include the HIMax controller, the HIMaxcontroller must be tested for SIL 3 at least once every 10 years. This can be achieved byrestarting the HIMax controller.3.4 Safety RequirementsThe following safety requirements must be met when using the safety-related PES of theHIMax system:3.4.1 Hardware ConfigurationPersonnel configuring the HIMax hardware must observe the following safety requirements.Product-Independent Requirements• To ensure safety-related operation, only approved fail-safe hardware modules andsoftware components may be used. The approved hardware modules and softwarecomponents are specified in theVersionsliste der Module und der Firmware der HIMax-Systeme der Firma HIMA PaulHildebrandt GmbH + Co KG (version list of modules and firmware for HIMax systemsfrom HIMA Paul Hildebrandt GmbH + Co KG). The latest versions can be found in theversion list maintained together with the test authority.• The operating requirements specified in this safety manual (see Chapter 'OperatingRequirements') about EMC, mechanical, chemical, climatic influences must beobserved.Product-Dependent Requirements• Only connect devices to the system that are safely electrically isolated from the powersupply.• The operating requirements detailed in the system manual, particularly those concerningsupply voltage and ventilation, must be observed.3.4.2 ProgrammingPersonnel developing user programs must observe the following safety requirements.Product-Independent Requirements• In safety-related applications, ensure that the safety-relevant system parameters areproperly configured.• In particular, this applies to the system configuration, maximum cycle time and safetytime.3.4.3 Requirements for Using the Programming Tool• SILworX must be used for programming.Page 20 of 70HI 801 003 D Rev.2.0

HIMax3 Safety Concept for Using the PES• Compiling the program twice in SILworX and comparing both of the created filesensures that the program was properly compiled.• The correct implementation of the application specifications must be validated, verifiedand documented. A complete test of the logic must be performed by trial.• In case of a change of the user program, at minimum test all the parts of the logicconcerned by the changes.• The system response to faults in the safe input and output modules must be defined inthe user program in accordance with the system-specific safety-related conditions.3.4.4 Communication• When implementing safety-related communications between the various devices,ensure that the system's overall response time does not exceed the fault tolerancetime.All calculations must be performed in accordance with the rules given in 11.2.• The transfer of safety-relevant data through public networks like the Internet is notpermitted unless additional security measures have been implemented such as: VPNtunnel.• If data are transferred through company-internal networks, administrative or technicalmeasures must be implemented to ensure sufficient protection against manipulation (e.g. using a firewall to separate the safety-relevant components of the network from othernetworks).• Never use the standard protocols to transfer safety-related data.• All devices to be connected to the communication interfaces must be equipped with safeelectrical isolation.3.4.5 Maintenance Work• Maintenance work must be performed in accordance with the current version of thedocument "Maintenance Override“ document published by TÜV Rheinland and TÜVProduct Service.• Whenever necessary, the operator must consult with the test authority responsible forthe final inspection of the system and define administrative measures appropriate forregulating access to the systems.HI 801 003 D Rev.2.0 Page 21 of 70

3 Safety Concept for Using the PES HIMax3.5 CertificationHIMA safety-related automation devices (Programmable Electronic Systems, PES) of theHIMax system have been tested and certified by TÜV for functional safety in accordancewith and the standards listed below:TÜV Rheinland Industrie Service GmbHAutomation, Software und InformationstechnologieAm Grauen Stein51105 KölnSafety-related automation devices HIMaxIntended application: Safety Related Programmable Electronic System for process control,Burner Management (BMS), emergency shut down and machinery, where the demand safestate is the de-energized state.Applications, where the demand state is the de-energized or energized state.International standards:EN / IEC 61508, Parts 1-7: 2000 SIL 3EN / IEC 61511: 2004 SIL 3EN 954-1: 1996 Category 4EN / ISO 13849-1: 2006Performance level eEN / IEC 62061: 2005EN 50156-1: 2004EN 12067-2: 2004EN 298: 2003EN 230: 2005NFPA 85: 2007NFPA 86: 2007EN / IEC 61131-2: 2003EN / IEC 61000-6-2: 2001EN 61000-6-4: 2001EN 54-2: 1997NFPA 72: 2002Chapter 'Operating Requirements' contains a detailed list of all environmental and EMCtests performed.All devices have received the mark of conformity.To program the HIMax devices, a PADT is required, that it a PC runningSILworXprogramming software. This software helps the user operate the automation devices andcreate safety-related programs using Function Block Diagrams (FBD) and SequentialFunction Charts (SFC) in accordance with IEC 61131-3. F For more details, refer to theSILworX documentation.Page 22 of 70HI 801 003 D Rev.2.0

HIMax4 Processor Modules4 Processor ModulesThe processor module's safety function is maintained by processing the user program withtwo processors that constantly compare their data. If a fault occurs, the watchdog sets themodule to the safe state and reports the CPU state.Please refer to the manual for further details about the processor modules.4.1 Self-TestsThe following section specifies the most important self-test routines of controllers' safetyrelatedprocessor modules and the coupling to the I/O level.• Prozessor test• Memory test• Comparator test• CRC test with non-volatile memories• Watchdog test4.1.1 Reactions to Faults in the Processor ModuleA hardware comparator within the processor module permanently compares the data of themicroprocessor system 1 to those of the microprocessor system 2. If they are different, or ifthe test routines detect failures in the processor module, the controller automaticallyassumes the error stop state and the watchdog signal is switched off. The processormodule does no longer process the user program and sets the outputs into the deenergized,switched-off state.4.2 Slots Permitted for Processor ModulesOnly slots 3 to 6 in base plate 0 and slots 3 to 4 in base plate 1 are permitted for processormodules. In the Hardware Editor, assign these slots according to one of the variantsdescribed in Table 10.Variant Base plate 0Processor module(s) in slot:Rack 1Processor module(s) in slot:Requiredsystembusses1 3 for mono operation 1) - A2 3 - A + B3 3, 4 - A + B4 3, 4, 5 - A + B5 3, 4, 5, 6 - A + B6 3 3 A + B7 3, 4 3, 4 A + B1) Mono operation: This project is configured in SILworX for mono operation. Thus, the system contains just one processor module in slot3, at least one system bus module in slot 1, I/O modules, and possibly communication modules. The switch for mono start-up must beset in SILworX. It is always possible (and recommended!) to configure the system bus modules redundantly. All other variants arebased on a redundant configuration.Table 10: Slot Positions Permitted for Processor ModulesiHIMA recommends using variant 2 even if variant 1 would be possible.HI 801 003 D Rev.2.0 Page 23 of 70

4 Processor Modules HIMaxNOTESystem malfunction possible!Only use the variants specified here!4.3 Availability of Processor ModulesOne to four redundant processor modules can be used on a system base plate. Even if onlyone processor modules is available, the system is still functional.If a new processor module is plugged in to replace one that has failed, it copies the userprogram from the still functioning processor module (self education) and initiates redundantoperation.The availability can be also increased during operation by adding additional processormodules – up to a total of four processor modules.In this scenario, the user program must be configured for redundant operation.4.4 Replacing Processor ModulesRedundant processor modules can be replaced during operation, provided that at least oneprocessor module is available that can maintain safety-related operation while the othermodule is being replaced.NOTICEDisruption of the safety-related operation possible!The operation of the controller can be interupted by exchanging a processor module,on which the Ess LED is flashing.Do not remove processor modules with flashing Ess LED.A blinking Ess LED indicates that the processor module is required for the system tofunction.Even if the LED is not blinking, the system redundancies which this processor module ispart of, must be checked using SILworX. The communication connections processed by theprocessor module must also be taken into account.Please refer to the manual of the processor module HI 801 009 and to the system manualHI 801 001 for more details about replacing processor modules.Page 24 of 70HI 801 003 D Rev.2.0

HIMax5 System Bus Module5 System Bus ModuleA system bus module administrates one of the two safety-related system busses. The twosystem busses are redundant to one another. Each system bus interconnects the variousmodules and base plates. The system busses transfer data using a safety-related protocol.A HIMax system containing only one processor module can be operated at a reducedavailability level using only one system bus.5.1 Slots Permitted for System Bus ModulesOnly slots 1 and 2 of each base plate are permitted for the system bus modules. No othermodules may (nor can) be plugged in to these slots.If just one system bus is being used, the system bus modules must be inserted into slotnumber 1 of each base plate. In such a case, a blank module must be inserted in Slot 2.NOTICESystem malfunction possible!Slot configurations, other than those specified here, are not permitted for systembus modules!5.2 Rack IDThe rack ID identifies a base plate within a resource and must be unique for each baseplate.The rack ID is the safety parameter for addressing the individual base plates and themodules mounted on them!The rack ID is stored in the Connector Board of the system bus module and must bemodified using the system bus module. Whenever the rack ID must be changed, e.g., wheninstalling a new HIMax system, follow the instructions given in the system manual.5.3 ResponsibilityOnly one of the system bus module contained in each system bus may receive the"responsible" attribute and thus be configured as "responsible" for the system busoperation.• For System Bus A, the "responsible" attribute is reserved for the system bus module inBase Plate 0, Slot 1.• For system bus B, the user can use SILworX to set the attribute.The responsible system module must be either located in Base Plate 0 or Base Plate 1.Make sure that this requirements are met prior to starting safety-related operation.HI 801 003 D Rev.2.0 Page 25 of 70

5 System Bus Module HIMaxWARNINGPhysical injury possible!SILworX must be used to verify the parameterization.Proceed as follows:• In SILworX, log in to the system module located in Base Plate 0, Slot 2.• In SILworX, log in to the system module on Base Plate 1, Slot 2.• Check the Control Panels of both system bus modules to ensure that the"responsible" attribute has only been set for the correct system bus module (seeFigure 1 and Figure 2)!Recommended Configurations:• If processor modules are only contained on Base Plate 0, both system bus modules onBase Plate 0 must be set to 'responsible' (Figure 1).• If processor modules are also contained on Base Plate 1 (Figure 2), the followingsystem bus modules must be set to 'responsible'.- on Base Plate 0, the system bus module in Slot 1.- on Base Plate 1, the system bus module in Slot 2.Base Plate 0: Base Plate 0R System Bus Module set to ResponsibleBase Plate 1: Base Plate 1Figure 1: Recommended Configuration: All Processor Modules on Base Plate 0Page 26 of 70HI 801 003 D Rev.2.0

HIMax5 System Bus ModuleBase Plate 0: Base Plate 0R System Bus Module set to ResponsibleBase Plate 1: Base Plate 1Figure 2: Recommended Configuration: Processor Modules on Base Plate 0 and on BasePlate 1HI 801 003 D Rev.2.0 Page 27 of 70

6 Communication Module HIMax6 Communication ModuleCommunication modules control both non-safety-related data transfer through field bussesand Ethernet, and safety-related data transfer to other HIMA controllers.• The processor module controls safety-related data transfer using the safeethernettransfer protocol. The communication module forwards the data packets to the othersystems. The safety-related protocol ensures that message any corrupted data inmessages are detected.• The standard protocols are for instance:- Modbus- PROFIBUS master/slaveA HIMax system can be equipped with a maximum of 20 communication modules.For more information, see Chapter 11.1, the module manual HI 801 011 and theCommunication Manual HI 801 101.6.1 Slots Permitted for Communication ModulesThe output modules can be plugged in to any slot in any base plate with the exception ofthe following:• Slots 1 and 2 of each base plate, which are reserved for the system bus modules• Slots used for processor modules. Depending on the system configuration, these can beslots 3, 4, 5 and 6 of Base Plate 0 and slots 3 and 4 of Base Plate 1.NOTICESystem malfunction possible!The slots reserved for processor and system bus modules must not be used forcommunication modules!!Page 28 of 70HI 801 003 D Rev.2.0

HIMax7 Input ModulesModuleNumberofchannelsSafety-relatedDigital inputsX-DI 32 01 32 SIL 3 •X-DI 32 02 32 SIL 3 •X-DI 32 04 32 SIL 3 •X-DI 32 05 32 SIL 3 •Analog inputsX-AI 32 01 32 SIL 3 •X-AI 32 02 32 SIL 3 •Table 11: Overview of the Input ModulesNon-reactivechannels7 Input ModulesRemarke.g., for initiators7.1 GeneralSafety-related inputs can be used for both safety-related signals and non-safety-relatedsignals. Non-safety-related signals, however, may not be used for safety functions!In addition to the diagnostic LEDs for the module, the controllers also generate statusmessages for the user program that can be evaluated. I/O faults stored in the diagnosticmemory can be read using the PADT.Safety-related input modules automatically perform stringent, cyclic self-tests duringoperation.If a fault occurs, a 0 signal is sent to the user program and, if possible, fault information isissued. The user program can read out the error code and evaluate this fault information.For more information on the input modules, refer to the individual module manuals.7.2 Safety of Sensors, Encoders and TransmittersIn safety-related applications, the PES and its connected sensors, encoders andtransmitters must all meet the safety requirements and achieve the specified SIL. Also referto Annex "Increasing the SIL Value of Sensors and Actuators".7.3 Redundancy of Inputs and Input ModulesTo increase availability, the input channels can be defined redundant to one another fromwithin the SILworX Hardware Editor. The following conditions must be ensured:• Input channels are located on different input modules of the same type.• Input channels have the same channel number.Both input channels are assigned to the same variable. If a sensor or an input module fails,the redundant channel supplies the values to the variable.It is permitted to assign all of the input module channels or only a few of them to thecorresponding channels of another input module.7.4 Slots Permitted for Input ModulesThe input modules can be plugged in to any slot in any base plate with the exception of thefollowing:• Slots 1 and 2 of each base plate, which are reserved for the system bus modules• Slots used for processor modules. Depending on the system configuration, these can beslots 3, 4, 5 and 6 of Rack 0 and slots 3 and 4 of Rack 1.HI 801 003 D Rev.2.0 Page 29 of 70

7 Input Modules HIMaxNOTICESystem malfunction possible!The slots reserved for processor and system bus modules must not be used forinput modules!!7.5 Safety-Related Digital InputsThe digital input module reads its digital inputs one time per module cycle and stores thevalue internally. The module cyclically checks that the inputs are safely functioning.Input signals that exist for a time shorter than the time between two samplings, i.e. shorterthan a cycle time of the input module, are not be detected.7.5.1 Use of Digital InputPerform the following steps to use the value of a digital input in the user program1. Define a global variable of type BOOL.2. When defining the global variable, enter the initial value as safe value.3. Assign the global variable to the channel value of the input.The global variable provides the safe value to the user program.For digital input modules for proximity switch internally operating in analog mode, the rawvalue can also be used and the safe value can be calculated in the user program. Refer toChapter 7.7.1 for more information.To get additional options for diagnosing the external wiring and programming fault reactionsin the user program, assign global variable to Channel OK and to further diagnosticstatuses. For more information on the individual diagnostic statuses such as line shortcircuitsand line breaks, refer to the manual of the corresponding module.7.5.2 Test RoutinesThe online test routines check whether the input channels are able to pass both signallevels (0 and 1 signals), regardless of the signals actually present on the input. Thisfunction test is performed each time the input signals are read.7.5.3 Reaction in the Event of a FaultIf the test routines detect a fault of a digital input, the module sets the channel value in away that the global variable assigned to the channel assumes the following values:• For the most faults, the global variable assumes its configured initial value..• For certain types of faults the module is able to put the channel into the safe state, butthe module cannot issue a diagnosis entry.For these faults, the global variable adopts the value 0.The module sets the status Channel OK to FALSE.If the test routines detect a module or submodule fault, the module sets the Module OK orSubmodule OK status to FALSE. Additionally, the module or submodule sets Channel OKto FALSE for all its channels.In all these cases, the module activates the Error LED on the front plate.Page 30 of 70HI 801 003 D Rev.2.0

HIMax7 Input Modules7.5.4 Surges on Digital InputsNOTICEIf shielded cables are used for digital inputs, no additional precautionary measures arerequired to protect against surges.If shielded cables are not used, surge pulses (as defined in EN 61000-4-5) on digital inputsmay be read as a temporary 1 signal due to the short cycle time of HIMax systems.Use noise blanking to avoid these types of faults: a signal must be present for at least twocycles before it is evaluated. At the same time, the safety time must not be exceeded.HI 801 003 D Rev.2.0 Page 31 of 70

7 Input Modules HIMax7.6 Checklists for Safety-Related Digital InputsHIMA recommends using the following checklists for engineering, programming andstarting up safety-related digital inputs. The checklists can be used for helping with planningas well as to demonstrate later on that the planning phase was carefully completed.When engineering or starting up the system, the user can fill out a checklist for each of thesafety-related input channels used in the system to verify the requirements to be met. Thisis the only way to ensure that all requirements were considered and clearly recorded. Thechecklist also documents the relationship between the external wiring and the userprogram.7.6.1 Checklist for the X-DI 32 01 Digital Input ModuleHIMaxChecklist for Engineering, Programming and Start-upCompanyV.1.0LocationDesignationSRSInput no.Safety-Related Digital Inputs of the X-DI 32 01 ModuleSeq. no. Requirement Yes No Remark1. Is this input used for safety functions? 2. Is the fault signal processed within the userprogram?3. Does the input have a redundant input? 4. Were the filters properly configured?Time on delay Ton =μs Time off delay Toff =μs5. Is noise blanking activated? 6. Is a shielded cable used for connecting thesensor? 7. Has forcing been activated for the globalvariable assigned to this input? Page 32 of 70HI 801 003 D Rev.2.0

HIMax7 Input Modules7.6.2 Checklist for the X-DI 32 02 Digital Input ModuleCompanyHIMaxChecklist for Engineering, Programming and Start-up V1.0LocationDesignationSRSInput no.Safety-Related Digital Inputs of the X-DI 32 02 ModuleSeq. no. Requirement Yes No Remark1. Is this input used for safety functions? 2. Is the fault signal processed within the userprogram?3. Does the input have a redundant input? 4. Is an initiator connected to this input? 5. If a contatc maker is connected, is it wiredcorrectly?6. If an initiator is connected, is it a safetyinitiator?7. Is the connected initiator a standardinitiator (NAMUR)?8. Were the filters properly configured?Time on delay Ton =Time off delay Toff =μsμs9. Is a shielded cable used for connecting thesensor/initiator?10. Has forcing been activated for the globalvariable assigned to this input?HI 801 003 D Rev.2.0 Page 33 of 70

7 Input Modules HIMax7.6.3 Checklist for the X-DI 32 04 Digital Input ModuleCompanyHIMaxChecklist for Engineering, Programming and Start-upV.1.0LocationDesignationSRSInput no.Safety-Related Digital Inputs of the X-DI 32 04 ModuleSeq. no. Requirement Yes No Remark1. Is this input used for safety functions? 2. Is the fault signal processed within the userprogram?3. Does the input have a redundant input? 4. Were the filters properly configured?Time on delay Ton =Time off delay Toff =μsμs5. Is noise blanking activated? 6. Is a shielded cable used for connecting thesensor?7. Has forcing been activated for the globalvariable assigned to this input?8. Have events been configured for the globalvariable assigned to this input?Page 34 of 70HI 801 003 D Rev.2.0

HIMax7 Input Modules7.6.4 Checklist for the X-DI 32 05 Digital Input ModuleCompanyHIMaxChecklist for Engineering, Programming and Start-up V1.0LocationDesignationSRSInput no.Safety-Related Digital Inputs of the X-DI 32 02 ModuleSeq. no. Requirement Yes No Remark1. Is this input used for safety functions? 2. Is the fault signal processed within the userprogram?3. Does the input have a redundant input? 4. Is an initiator connected to this input? 5. If a contatc maker is connected, is it wiredcorrectly?6. If an initiator is connected, is it a safetyinitiator?7. Is the connected initiator a standardinitiator (NAMUR)?8. Were the filters properly configured?Time on delay Ton =Time off delay Toff =μsμs9. Is a shielded cable used for connecting thesensor/initiator?10. Has forcing been activated for the globalvariable assigned to this input?11. Have events been configured for the globalvariable assigned to this input?HI 801 003 D Rev.2.0 Page 35 of 70

7 Input Modules HIMax7.7 Safety-Related Analog InputsFor analog input channels, the measured input currents are converted to a value of typeDINT (double integer). This value is made available to the user program as a "raw value".Here, 1 mA corresponds to a value of 10 000 and the range of values is 0...240 0000.Instead of the "raw value", the user can also use the "process value" of the REAL datatype. Please refer to the module manual for more details.The safety-related precision is the guaranteed accuracy of the analog input without modulefault reaction. This value must be taken into account when configuring the safety functions.Unused inputs need not be wired.7.7.1 Use of Analog InputsThere are two possibilities to use the values of analog inputs in the user program.• Use of the process valueIf an analog input is configured correctly, its process value provides the value includingthe safe fault reaction.• Using the raw valuethe raw value is the measuring value without the safe fault reaction. You must programa safe fault reaction as appropriate for the project.Perform the following steps to use the process value1. Define a global variable of type REAL.2. When defining the global variable, enter the initial value as safe value.3. Assign the global variable to the process value of the input.4 Specify the measuring range of the channel by giving a REAL value for 4 mA and for20 mA.The global variable provides the safe value to the user program.Perform the following steps to use the raw value:1 Define a global variable of type DINT.2 Define a global variable of a type needed in the user program.3 Program a suitable conversion function in the user program to convert the raw value intoa used type and consider the measurement range.4 In the user program, program a safety-related fault reaction using the statusesChannel OK, LS, LB (if necessary others).The user program can process the measuring in a safety-related manner.If the value 0 for a channel is within the valid measuring range, the user program must, at aminimum, evaluate the parameter Channel OK in addition to the process value.To get additional options for diagnosing the external wiring and programming fault reactionsin the user program, assign global variables to Channel OK, Submodule OK, Module OKand to further diagnostic statuses.For more information on the individual diagnosticstatuses such as line short-circuits and line breaks, refer to the manual of thecorresponding module.7.7.2 Test RoutinesThe analog values are captured in parallel along two paths and the results are comparedwith one another. Additionally, the function for the input path is tested cyclically.Page 36 of 70HI 801 003 D Rev.2.0

HIMax7 Input Modules7.7.3 Reaction in the Event of a FaultIf the test routines detect a fault of a digital input, the module sets the channel value in away that the global variable assigned to the channel assumes the following values:• For the most faults, the global variable assumes its initial value configured.• For certain types of faults the module is able to put the channel into the safe state, butthe module cannot issue a diagnosis entry.The module sets the status Channel OK to FALSEIf the test routines detect a module or submodule fault, the module sets the Module OK orSubmodule OK status to FALSE.In all these cases, the module activates the Error LED on the front plate.HI 801 003 D Rev.2.0 Page 37 of 70

7 Input Modules HIMax7.8 Checklist for Safety-Related Analog InputsHIMA recommends using the following checklist for engineering, programming and startingup safety-related analog inputs. The checklists can be used for helping with planning aswell as to demonstrate later on that the planning phase was carefully completed.When engineering or starting up the system, you can fill out a checklist for each of thesafety-related input channels used in the system to verify the requirements to be met. Thisis the only way to ensure that all requirements were considered and clearly recorded. Thechecklist also documents the relationship between the external wiring and the userprogram.7.8.1 Checklist for the X-DI 32 01 Analog Input ModuleHIMaxCheck list for Project Planning, Programming and StartupCompanyV.0.1LocationDesignationSRSInput no.Safety-Related Analog Inputs of the X-AI 32 01 ModuleSeq. no. Requirement Yes No Remark1. Is this input safety-related? 2. Is the fault signal processed within theapplication program? 3. Does the input have a redundant input? 4. Does the sensor measuring rangecorrespond to the channel configuration? 5. If necessary, is the transmitter feedparameterized? 6. Has safety-related accuracy been takeninto account? 7. Is forcing for this input not activated? 8. Does the measuring range used include 0mA? Page 38 of 70HI 801 003 D Rev.2.0

HIMax7 Input Modules7.8.2 Checklist for the X-DI 32 02 Analog Input ModuleCompanyHIMaxChecklist for Engineering, Programming and Start-upV.1.0LocationDesignationSRSInput no.Safety-Related Analog Inputs of the X-AI 32 02 ModuleSeq. no. Requirement Yes No Remark1. Is this input used for safety functions? 2. Is the fault signal processed within the userprogram?3. Does the input have a redundant input? 4. Does the sensor measuring rangecorrespond to the channel configuration?5. If necessary, is the transmitter supplyconfigured?6. Has safety-related accuracy been takeninto account?7. Has forcing been activated for the globalvariable assigned to this input?8. Does the measuring range used include 0mA?(If yes, take Channel OK into account)9. Have events been configured for the globalvariable assigned to this input?HI 801 003 D Rev.2.0 Page 39 of 70

8 Output Modules HIMax8 Output ModulesModule8.1 GeneralNumber ofchannelsSafety-relatedDigital OutputsX-DO 24 01 24 SIL 3 -Digital Relay OutputsX-DO 12 01 12 SIL 3 •Table 12: Overview of the Output ModulesSafely electricallyisolatedThe safety-related output modules are written once per cycle, the generated output signalsare read back and compared with the specified output data.The safe state of the outputs is "0" or an open relay contact.Using the corresponding error codes, the user has additional options for programming faultreactions in the user program.For more information on the output modules, refer to the individual module manuals.8.2 Safety of ActuatorsIn safety-related applications, the PES and its connected actuators must all meet the safetyrequirements and achieve the specified SIL. Also refer to Annex "Increasing the SIL Valueof Sensors and Actuators".8.3 Redundancy of Outputs and Output ModulesTo increase availability, the output channels can be defined redundant to one another fromwithin the SILworX Hardware Editor. The following conditions must be ensured:• Output channels are located on different output modules of the same type.• Output channels have the same channel number.Both output channels are assigned to the same variable. If an actuator or one of the outputmodules fails, the redundant channel takes up the function.It is permitted to assign all of the output module channels or only a few of them to thecorresponding channels of another output module.8.4 Slots Permitted for Output ModulesThe input modules can be plugged in to any slot in any base plate with the exception of thefollowing slots:• Slots 1 and 2 of each base plate, which are reserved for the system bus modules• Slots used by the processor modules. Depending on the system configuration, thesecan be slots 3, 4, 5 and 6 of Rack 0 and slots 3 and 4 of Rack 1.Page 40 of 70HI 801 003 D Rev.2.0

HIMax8 Output ModulesNOTICESystem malfunction possible!The slots reserved for processor and system bus modules must not be used forinput modules!!8.5 Safety-Related Digital OutputsThe safety-related output channels are equipped with three testable switches connected inseries. By this, the requirement for a safe, independent, second way of de-energizing isfulfilled. If a fault occurs, this integrated safety shutdown function safely de-energizes allchannels of the defective output module (de-energized state).Furthermore, the watchdog signal of the module provides a second way of safetyshutdown: If the watchdog signal is lost, the module immediately adopts the safe state.8.5.1 Use of Digital InputPerform the following steps to write a value in the user program to a digital output:1. Define a global variable of type BOOL.2. When defining the global variable, enter the initial value as safe value.3 Assign the global variable to the channel value of the output.The global variable provides the safe value to the digital output.To get additional options for diagnosing the external wiring and programming fault reactionsin the user program, assign global variable to Channel OK and to further diagnosticstatuses. For more information on the individual diagnostic statuses such as line shortcircuitsand line breaks, refer to the manual of the corresponding module.8.5.2 Test Routines for Digital OutputsThe modules are tested automatically during operation.The main test functions are:• Reading the output signals back from the switching amplifier. The switching threshold ofa 0 signal that has been read back is below the valid voltage value for the type of output.The diodes used prevent a feed back of signals.• Checking the integrated redundant safety shutdown.• A shutdown test of the outputs is performed cyclically for max. 200 µs. The minimuminterval between two tests can be set from within the SILworX Hardware Editor.If faults occur, the outputs are set to the safe value.8.5.3 Reaction in the Event of a FaultIf the test routines detect a fault in one or several channels, the module switches thosechannels off and by this brings them into the safe state. The parameter Channel OK is setto FALSE for these channels.If the test routines detect a module or submodule fault, the module sets the Module OK orSubmodule OK status to FALSE.In all cases, the module also indicates the fault by the Error LED on the faceplate.8.5.4 Behavior in the Event of External Short-Circuit or OverloadIf the output is short-circuited to L- or overloaded, the module is still testable. It is notnecessary to transfer the module to the safe state.HI 801 003 D Rev.2.0 Page 41 of 70

8 Output Modules HIMaxIn this state, the outputs are checked every few seconds to determine wether the overloadis still present. In a normal state, the outputs are switched back on.NOTICESystem malfunction possible!The voltage induced during switching off inductive loads could cause faults in thecontroller or in other electronical systems close to the actor's input leads.Therefore, it is a good practice to connect inductive loads with a suitable freewheelingcircuit at the actuator, to counteract these disturbances.8.6 Safety-Related Relay OutputsRelay output cards are connected to the actuator under any of the following circumstances:• Electric isolation is required.• Higher amperages are used.• Alternating currents are to be connected.The module outputs are equipped with two safety relays with forcibly guided contacts. Theoutputs can thus be used for safety shutdowns in accordace with SIL 3.Furthermore, the watchdog signal of the module provides a second means of safetyshutdown: If the watchdog signal is lost, the module immediately adopts the safe state.8.6.1 Use of Digital Relay OutputPerform the following steps to write a value in the user program to a digital relayoutput:1. Define a global variable of type BOOL.2. When defining the global variable, enter the initial value as safe value.3 Assign the global variable to the channel value of the output.The global variable provides the safe value to the digital output.To get additional options for diagnosing the external wiring and programming fault reactionsin the user program, assign global variable to Channel OK and to further diagnosticstatuses. For more information on the individual diagnostic statuses such as line shortcircuitsand line breaks, refer to the manual of the corresponding module.8.6.2 Test Routines for Relay OutputsThe module is tested automatically during operation.The main test functions are:• Reading the output signals back from the switching amplifiers located before the relays• Testing the switching of the relays with forcibly guided contacts• Checking the integrated redundant safety shutdown.8.6.3 Reaction in the Event of a FaultIf a faulty signal is detected, the affected module output is set to the safe, de-energizedstate using the safety switches. If a module fault occurs, all module outputs are switchedoff. Both types of faults are also indicated by the Error LED.Page 42 of 70HI 801 003 D Rev.2.0

HIMax8 Output ModulesNOTICESystem malfunction possible!The voltage induced during switching off inductive loads could cause faults in thecontroller or in other electronical systems close to the actor's input leads.Therefore, it is a good practice to connect inductive loads with a suitable freewheelingcircuit at the actuator to counteract these disturbances.HI 801 003 D Rev.2.0 Page 43 of 70

8 Output Modules HIMax8.7 Checklists for Safety-Related Digital OutputsHIMA recommends using the following checklists for engineering, programming andstarting-up safety-related digital outputs. The checklists can be used for helping withplanning as well as to demonstrate later on that the planning phase was carefullycompleted.When engineering or starting up the system, you can fill out a checklist for each of thesafety-related output channels used in the system to verify the requirements to be met. Thisis the only way to ensure that you have considered and clearly recorded all requirements.The checklist also documents the relationship between the external wiring and the userprogram.8.7.1 Checklist for the X-DI 24 01 Digital Output ModuleHIMaxChecklist for Engineering, Programming and Start-upCompanyV.1.0LocationDesignationSRSOutput no.Safety-Related Digital Outputs of the X-DO 24 01 ModuleSeq. RequirementYes Nono.1. Is this output used for safety functions? Remark2. Is the fault signal processed within the userprogram?3. Does the channel load value correspond tothe maximum value permitted?4. Does the module load value correspond tothe maximum value permitted?5. Are protective circuits (free-wheel circuits)provided for the actuators?6. Are the actuators wired in accordance withthe data sheet specifications? (two poleconnection)7. Has forcing been activated for the globalvariable assigned to this output?Page 44 of 70HI 801 003 D Rev.2.0

HIMax8 Output Modules8.7.2 Checklist for the X-DI 12 01 Relay Output ModuleCompanyHIMaxChecklist for Engineering, Programming and Start-upV.1.0LocationDesignationSRSOutput no.Safety-Related Relay Outputs of the X-DO 12 01 ModuleSeq.no.RequirementYes1. Is this output used for safety functions? NoRemark2. Is the fault signal processed within the userprogram?3. Does the channel load value correspond tothe maximum value permitted?4. Does the module load value correspond tothe maximum value permitted?5. Are protective circuits (free-wheel circuits)provided for the actuators?6. Are the actuators wired in accordance withthe data sheet specifications? (two poleconnection)7. Has forcing been activated for the globalvariable assigned to this output?8. Is the output sufficiently fused? HI 801 003 D Rev.2.0 Page 45 of 70

9 Software HIMax9 SoftwareThe software for the safety-related automation devices of the HIMax systems consist of thefollowing components:• Operating system• User program• SILworX programming system in accordance with IEC 61131-3.The operating system is loaded into the controller's processor module. HIMA recommendsusing the latest version valid for the safety-related applications.The user program is created using the SILworX programming system and contains theapplication-specific functions to be performed by the automation device. SILworX is alsoused to configure it.The user program is compiled with the code generator and transferred to the non-volatilememory automation device through an Ethernet interface.9.1 Safety-Related Aspects of the Operating SystemEach approved operating system is clearly identified by the revision number and the CRCsignature. The valid versions of the operating system and corresponding signatures (CRCs)- approved by the TÜV for use in safety-related automation devices - are subject to arevision control and are documented in a list maintained together with TÜV,The current version of the operating system can be read using SILworX. You have tocheck if an approved operating system version is loaded into the modules (cf. 10.3Checklist for creating an user program).9.2 Operation and Functions of the Operating SystemThe operating system executes the user program cyclically. Basically, this involvesperforming the following functions:• Reading of input data• Processing of the logic functions, programmed in accordance with IEC 61131-3,• Writing of output dataThe following basic functions are also executed:• Comprehensive self-tests• Test of I/O modules during operation,• Data transfer• Diagnosis• Handling redundancy if processor modules are added or removed.Fore more information, see HIMax System Manual HI 801 001. For more information, seeHIMax System Manual HI 801 001.9.3 Safety-Related Aspects of ProgrammingWhen creating a user program, the requirements detailed in this section must be observed.9.3.1 Safety Concept of SILworXThe safety concept of SILworX:• When SILworX is installed, a CRC checksum helps ensure the program package'sintegrity on the way from the manufacturer to the user.• SILworX performs validity checks to reduce the likelihood of faults while entering data.Page 46 of 70HI 801 003 D Rev.2.0

HIMax9 Software• Compiling the program twice and comparing the two CRC checksums ensures that datacorruption in the application is detected that can result from random faults in the PC inuse.When starting up a safety-related controller for the first time, a comprehensive function testto verify the safety of the entire system must be performed.Function Test of the Controller1 Verify that the tasks to be performed by the controller were properly implemented usingthe data and signal flows.2. Perform a comprehensive function test of the logic by trial (see Testing the configurationand the appl.).The controller and the application are sufficiently tested.If a user program is modified, only the program components affected by the change mustbe tested. To do this, the safe revision comparator in SILworX can be used to determineand display all changes relative to the previous version.9.3.2 Verifying the Configuration and the User ProgramTo verify that the user program created performs the required safety function, the user mustcreate suitable test cases for the required system specification.An independent test of each loop (consisting of input, the key interconnections in theapplication and output) is usually sufficient.Suitable test cases must also be created for the numerical evaluation of formulas.Equivalence class tests are reasonable . These are tests within defined ranges of values, atthe limits of or within invalid ranges of values. The test cases must be selected such thatthe calculations can be proven to be correct. The required number of test cases dependson the formula used and must include critical value pairs.HIMA reccommends not to do without performing an active simulation with data sources,since this is the only way to prove that the sensors and actuators in the system (also thoseconnected to the system via communication with remote I/Os) are properly wired. This isalso the only way to verify the system configuration.This procedure must be followed both when initially creating and when modifying the userprogram.HI 801 003 D Rev.2.0 Page 47 of 70

9 Software HIMax9.4 Resource ParametersDANGERPhysical injury possible due to erroneous configuration!Neither the programmining system nor the controller are able to check some projectspecificparameters. Therefore, it is mandatory to enter those parameters correctlyinto the programming system, and to check the entries afterwards.These parameters are:• System ID• Rack ID, see 5.2 and the system manual HI 801 001.• The attribute "responsible" of System bus modules, see 5.3.• Safety time• Watchdog time• Main Enable• Autostart• Start allowed• Loading allowed• Global Forcing allowedThe following parameters are defined in SILworX for the operations permissible in thesafety-related operation of the resource and are referred to as safety-related parameters.Parameters that may be defined for safety-related operation are not firmly bound to anyspecific requirement classes. Instead, each of these must be agreed upon together with theresponsible test authority for each separate implementation of the automation device.9.4.1 System Parameters of the ResourceThese parameters define how the controller behave during operation and are configured forthe resource in the Properties dialog box in SILworX.Page 48 of 70HI 801 003 D Rev.2.0

HIMax9 SoftwareParameter / Switch Function DefaultsettingSetting forsafe operationName Resource name - ArbitrarySystem ID [SRS] System ID of the resource1...65 53560 000Unique value withinthe controller network.This network includesall controllers that canpotentially beinterconnectedSafety time [ms] Safety time in milliseconds20...100 000600 Application-specificWatchdog time [ms] Watchdog time in milliseconds2...50 000 ms200 Application-specificMain Enable The following switches/parameters can beONchanged during operation (= RUN) using theOFF is recommendedPADT. When OFF, the parameters are"frozen“ as they areAutostartAutomatic start allowed after Power ON of OFFCPUApplication-specificStart Allowed A cold start, warm start or hot start permitted ONwith the PADT in RUN or STOPApplication-specificLoading allowed Load of the user program permitted ON Application-specificReload Allowed Release to reload of a user program. Thereload process currently running is not ON Application-specificaborted when switching to OFFGlobal ForcingAllowedReleases global forcing for this resource OFF Application-specificGlobal Force TimeoutReactionMax.Com. Time SliceASYNC [ms]Determines how the resource should behaveon expiry of the global force time-out: Onlystop forcing, Stop resourceHighest value in ms for the time slice usedfor communication,2...5000 msTable 13: System Parameters of the ResourceOnly stopforcingApplication-specific10 Application-specific9.4.2 Hardware System VariablesThese variables are used to change the behavior of the controller during operation inspecific states. These variables can be set in the detailed view of the hardware, in theSILworX Hardware Editor.Parameter / Switch Function DefaultsettingSetting forsafe operationForce Deactivation Used to prevent forcing and to stop itimmediatelyOFF Application-specificEmpty 0 ... Empty 16 No function - -Emergency Stop 1 ...Emergency Stop 4Read-only in RUNEmergency stop switch to shutdown thecontroller if faults are detected by the userprogramWith the exception of forcing and reload, it isnot possible to perform any operations (stop,start, download) with SILworXOFFOFFReload deactivation Prevents execution of reload OFFTable 14: Hardware System VariablesApplication-specificApplication-specificApplication-specificGlobal variables can be assigned to these system variables; the value of the globalvariables is modified using a physical input or the user program logic.HI 801 003 D Rev.2.0 Page 49 of 70

9 Software HIMaxExample: A key switch is connected to a digital input. The digital input is assigned to aglobal variable associated with the system variable "Read only in Run“. The owner of a keycan thus activate or deactivate the operating actions "stop", "start" and "download".9.5 ForcingForcing is the procedure for replacing a variable's current value with a force value. Thevariable receives its current value from a physical input, communication or a logicoperation. If the variable is forced, its value does no longer depend on the process, but isdefined by the user.Forcing is used for the following purposes:• Testing the user program; especially under special circumstances or conditions thatcannot otherwise be tested.• Simulating unavailable sensors in cases where the initial values are not appropriate.WARNINGUse of forced values can disrupt the safety integrity!Forcing is only permitted after receiving consent from the test authority responsiblefor the final system acceptance test.When forcing values, the person in charge must take further technical and organizationalmeasures to ensure that the process is sufficiently monitored in terms of safety aspects.HIMA recommends to set a time limit for the forcing procedure, see 9.5.1.Forcing can operate on two levels:• Global forcing: Global variables are forced for all applications.• Local forcing: Values of local variables are forced for an individual user program.9.5.1 Time LimitsTime limits can be set both for global and local forcing. Once the defined time has expired,the controller stops forcing values.It is also possible to define how the HIMax system behaves on completion of the forcingprocedure:• With global forcing, the resource is stopped or continues to run.• With local forcing, the user program is stopped or continues to run.It is also possible to use forcing without time limit. In this case, the forcing procedure mustbe stopped manually.The person responsible for forcing must clarify what effects stopping forcing have on theentire system!9.5.2 Restricting the Use of ForcingThe following measures can be configured to limit the use of forcing and thus avoidpotential faults in the safety functionality due to improper use of forcing:• Configuring different user profiles with or without forcing authorization• Prohibit global forcing for a resource• Prohibit local forcing• Forcing can also be stopped immediately using a key switch.To do so, the system variable "Force deactivation“ must be linked to a digital inputconnected to a key switch.Page 50 of 70HI 801 003 D Rev.2.0

HIMax9 SoftwareWARNINGUse of forced values can disrupt the safety integrity!Only remove existing forcing restrictions with the consent of the test authorityresponsible for the final system acceptance test.9.5.3 Force EditorSILworX Force Editor lists all variables, grouped in global and local variables.For each variable, the following can be set:• Force value• Switch-on or off a force switch to prepare for forcing variablesForcing can be started and stopped for both local and global variables.When starting, set a time limit or start forcing for an indefinite time period. If none of therestrictions apply, all variables with an active force switch are set to their force values.If forcing is stopped manually or because the time limit has expired, the variables will againreceive their values from the process or the user program.For more information about the Force Editor and forcing, refer to the SILworX Online Help.Basic information about forcing can be found in the TÜV document "MaintenanceOverride“.This document is available on the TÜV homepage:http://www.tuv-fs.com orhttp://www.tuvasi.com.9.6 Protection against ManipulationTogether with the responsible test authority, the user must define which measures shouldbe implemented to protect the system against manipulation.Protective mechanisms for preventing unintentional or unapproved modifications to thesafety system are integrated into the PES and SILworX:• Each change to the user program or configuration creates a new CRC. These changescan only be transferred to the PES via download or reload.• The operating options depend on the user login into the PES.• SILworX prompts the user to enter a password in order to connect to the PES.• No connection is required between the PADT and PES in RUN.All requirements about protection against manipulation specified in the safety andapplication standards must be met. The operator is responsible for authorizing employeesand implementing the required protective actions.DANGERDanger: Personal injury due to unauthorized manipulation of the controller!Protect the controller against unauthorized access!For instance, change the default settings for login and password!PES data can only be accessed if the PADT in use is operating with the current version ofSILworX and the user project is available in the currently running version (archivemaintenance!).HI 801 003 D Rev.2.0 Page 51 of 70

9 Software HIMaxThe user only need to connect the PADT to the PES when loading the user program orperforming diagnostics. The PADT is not required during normal operation. Disconnectingthe PADT and PES during normal operation helps to prevent against unauthorized access.9.7 Locking and Unlocking the PES"Locking“ the PES locks all functions and prevents users from accessing them duringoperation. This also protects against unauthorized manipulations to the user program."Unlocking“ the PES: Deactivates any locks previously set (e.g., to perform work on thecontroller).Three system variables serve for locking:VariableRead only in RunReloaddeactivationForceDeactivationFunctionON: Starting, stopping, and downloading the controller are locked.OFF: Starting, stopping, and downloading the controller are possible.ON: Reload is locked.OFF: Reload is possible.ON: Forcing is deactivated.OFF: Forcing is possible.Table 15: System Variables for Locking and Unlocking the PESIf all three system variables are ON: no access to the controller is possible. In this case thecontroller can only be put into STOP state by restarting a processor module with the modeswitch in the Init position. Then loading a new user program is possible.Example for using these system variables:Make a controller lockable1 Define a global variable of type BOOL and set its initial value to FALSE.2 Assigne the global variable to the three system variables Read only in Run,Reload Deactivation, and Force Deactivation.3 Assign the global variable to the channel value of a digital input.4 Connect a key switch to the digital input.5 Compile the program, lod it on the controller, and start it.The owner of a corresponding key is able to lock and unlock the controller. In case of a faultof the corresponding digital input module, the controller is unlocked.Page 52 of 70HI 801 003 D Rev.2.0

HIMax10 User program10 User programThis chapter describes the safety-related aspects that are important for the user program.10.1 General SequenceGeneral sequence for programming HIMax automation devices for safety-relatedapplications:1 Specify the controller functionality2 Write the user program3 Compile the user program:the user program is error-free and can run4 Verify and validate the user program.Upon completing these steps, the user program can be tested and the PES can begin thesafe operation.10.2 Scope for Safety-Related Use(For more on specifications, regulations and explanation of safety requirements, seeChapter 3.4 "Safety Requirements")The user program must be written using the SILworX programming software. This programruns on Windows XP® Servicepack 2 for PCs.Essentially, SILworX includes:• Input (Program Editor), monitoring and documentation• Global variables with symbolic names and data types (BOOL, UINT, etc.)• Assignment of HIMax controllers (Hardware Editor)• Compilation of user program into a format that can be loaded into the PES• Configuration of communication10.2.1 Programming BasicsThe tasks to be performed by the controller should be defined in a specification or arequirements specification. This documentation serves as the basis for checking its properimplementation in the user program. The specification format depends on the tasks to beperformed. These include:Combinational logic• Cause/effect diagram• Logic of the connection with functions and function blocks• Function blocks with specified characteristicsSequential controllers (sequence control system)This is a written description of the steps and their enabling conditions, and a description ofthe actuators to be controlled.• Sequential function charts• Matrix or table form of the step enabling conditions and the actuators to be controlled• Definition of constraints, e.g., operating modes, EMERGENCY STOP, etc.The I/O concept of the system must include an analysis of the field circuits, i.e. the type ofsensors and actuators:HI 801 003 D Rev.2.0 Page 53 of 70

10 User program HIMaxSensors (digital or analog)• Signals during normal operation ('de-energize-to-trip' principle with digital sensors, 'lifezero'with analog sensors)• Signals in the event of a fault:Definition of required safety-related redundancies (1oo2, 2oo3)(see Chapter )• Discrepancy monitoring and reactionActuators• Positioning and activation during normal operation• Safe reaction/positioning at shutdown or after power lossProgramming goals for user program• Easy to understand.• Easy to trace and follow.• Easy to test.• Easy to modify.10.2.2 Functions of the User ProgramProgramming is not subject to hardware restrictions. The user program functions can befreely programmed.When programming, account for the 'de-energize-to-trip' principle for the physical inputsand outputs. Only elements complying with IEC 61131-3 together with their functionalrequirements are permitted within the logic.• The physical inputs and outputs usually operate in accordance with the 'de-energize-totrip'principle, i.e. their safe state is "0“.• The user program includes meaningful logic and/or arithmetic functions irrespective ofthe 'de-energize-to-trip' principle of the physical inputs and outputs.• The program logic should be clear and easy to understand and well documented toassist in debugging. This includes the use of functional diagrams.• To simplify the logic, the inputs and outputs of all function blocks and variables can beinverted in any given order.• The programmer must evaluate the fault signals from the inputs/outputs or from logicblocks.The "packaging" of functions in self-created function blocks and functions consisting ofstandard functions is reccommended. This ensures that a user program can be clearlystructured in modules (functions, function blocks). Each module can be viewed and testedon its own. By grouping smaller modules into larger ones and then all together into a singleuser program, the user is effectively creating a comprehensive, complex function.10.2.3 System Parameters of the User ProgramThe following user program switches and parameters can be set in the Properties dialogbox of the user program:Page 54 of 70HI 801 003 D Rev.2.0

HIMax10 User programSwitchParameterFunctionDefaultsettingSetting forsafe operationName Name of the user program ArbitrarySafety Integrity Level Safety integrity level: SIL0 ... SIL3(for documentation only)SIL3 Application-specificStartON: The PADT may be used to startthe user programOFF: The PADT may not be used toON Application-specificstart the user programProgram Main Enable It enables changes of other user programswitches:ONOnly the enable switch of the resource is-relevant!Autostart Enable Enabled type of Autostart: Cold Start,Warm Start, OffCold start Application-specificFreeze Allowed ON The test mode is permitted forthe user program.OFF The test mode is not permittedON Application-specificfor the user program.Local Forcing Allowed ON: Forcing permitted at programlevelOFF is recommendedONOFF: Forcing not permitted at programlevelReload EnableON: User program reload is permittedOFF: User program reload is not ON Application-specificpermittedUP Execution Time [µs] Maximum time in each processor modulecycle for executing the user program: 0 µs Application-specific1...4 294 967 µsLocal Force TimeoutReactionBehavior of the user program after theforcing time has expired:• Only stop forcing• Stop ProgramTable 16: System Parameters of the User ProgramStopProgram10.2.4 Code GenerationAfter entering the complete user program and the I/O assignments of the controller, thecode is generated. During these steps, the configuration CRC, i.e. the checksum for theconfiguration file, is created.This is a signature for the entire configuration that is isused as a 32-bit, hexadecimal code.This includes all of the configurable or modifiable elements such as the logic, variables orswitch parameter settings.NOTICEFaulty operation of controller possible!Before loading a user program for safety-related operation, the user program mustbe first compiled twice. Both versions generated must have the same CRC.-By compiling the user program twice and comparing the checksums of the generated code,the user can detect possible corruptions of the user program resulting from sporadic faultsin the hardware or operating system of the PC in use.HI 801 003 D Rev.2.0 Page 55 of 70

10 User program HIMax10.2.5 Downloading and Starting the User Program10.2.6 ReloadA PES in the HIMax system cannot be downloaded until it is set to the STOP state.Currently, only one user program can be loaded into a given PES. The system monitorsthat the user program is loaded completely. Afterwards, the user program can be started,i.e. the routine begins to be processed in cycles.If the user program was modified, the changes can be transferred to the PES duringoperation. After being tested by the operating system, the modified user program isactivated and it assumes the control task.iNote that the reload does not take the current state into account if changes are performedto user programs containing a finite state machine. This can lead to an unpredictableprogram behavior after the reload process. A program contains a finite state machine if it iscomposed of sequential function chart elements such as steps, or function blocks withstorage capacity, e.g., RS Flipflops.In such a case, the execution of a reload must be planned thoroughly!Prior to performing a reload, the operating system checks if the required additional taskswould increase the cycle time of the current user program to such an extent that the definedwatchdog time is exceeded. In this case, the reload process is aborted with an errormessage and the controller continues operation with the previous user program.iReload can be abortedA successful reload is ensured by planning a sufficient reserve for the reload whendetermining the watchdog time or temporarily increasing the controller watchdog time by areserve of at least 30% and by at least 4*X ms.Any temporary increases in the watchdog time must be coordinated with the responsibletest authority.The reload can only be performed if the "Reload permitted“ system parameter is set to ONand the "Reload deactivation“ system variable is set to OFF.iThe user is responsible for ensuring that the watchdog time includes a sufficient reservetime. This should allow the user to manage the following situations:• Variations in the user program's cycle time• Sudden, strong overloads in a cycle, e.g., due to communication• Expiration of time limits during communication10.2.7 Online Test / Single Step ModeOnline test fields (OLT fields) can be used in the user program logic to display variableswhile the controller is operating.For more information on how to use OLT fields, enter "OLT field" in the SILworX onlinehelp.To diagnose faults during the online test, the user program can be run in single steps, i.e.,cycle for cycle. Each cycle is triggered by a command from the PADT.This function can only be used if the Freeze allowed system parameter is set to ON in thecorresponding user program.Page 56 of 70HI 801 003 D Rev.2.0

HIMax10 User programState DescriptionOFF The online test is not possibleON The online test is possible (default setting)Table 17: User Program Switch Freeze AllowedNOTICEDisruption of the safety-related operation possible!The single step mode must not be used in safety-related operation!10.2.8 Program Documentation for Safety-Related ApplicationsSILworX allows the user to automatically print the documentation for a project. The mostimportant documentation includes:• Interface declaration• Signal list• Logic• Description of data types• Configurations for system, modules and system parameters• Network configuration• List of signal cross-references• Code generator detailsThis documentation is required for the acceptance test of a system subjected to approvalby a test authority (e.g., TÜV).10.2.9 Acceptance by Test AuthorityHIMA recommends involving the test authority as soon as possible when designing asystem that is subject to approval.This acceptance test only applies to the user functionality, but not to the safety-relatedmodules and automation devices of the HIMax system that have already been approved.HI 801 003 D Rev.2.0 Page 57 of 70

10 User program HIMax10.2.10 Checklist for Creating a User ProgramTo comply with all safety-related aspects during the programming phase, HIMArecommends using the following checklist prior to and after loading a new or modifiedprogram.CompanyHIMaxChecklist for Creating a User ProgramV.1.0LocationObjectiveFile/ArchiveChecks Yes No RemarkWhile creating the program / Before modifying the programAre the user program and PES configurations based on asafety analysis? Are programming guidelines usedwhile creating the user program? Are functionally independent parts of the programencapsulated in functions and function blocks? Are only safe signals used for all safety functions? Does each safety-related signal source properly reach theuser program (also through communication)? Is each safety-related signal drain properly written (alsothrough communication)? After modifying the program – Before loading the programDid a person not involved in creating the program check thatthe user program complies with the mandatory system specifications?Is the test result documented and released (date/signature)? Was the user program compiled twice and were the tworesulting configuration CRCs compared upon completion? Has a copy of the entire project been archived? After modifying the program – After loading the programWas a sufficient number of tests performed for all safetyrelevantlogic operations (including I/O) and for all mathematic operations?Was all force information reset before starting safe operation? Do the enable switches "Readonly in Run" and "Reloaddeactivation" correspond to the settings for the maximum / defined protection?Were the versions (CRCs) of the operating systems of themodules officially approved and certified by the TÜV? Page 58 of 70HI 801 003 D Rev.2.0

HIMax11 Configuring Communication11 Configuring CommunicationIn addition to using the physical input and output variables, variables can also beexchanged with other system through a data connection. In this case, the variables aredeclared with the programming system SILworX , from within the Protocols area of thecorresponding resource.11.1 Standard ProtocolsMany communication protocols only ensure a non-safety-related data transmission. Theseprotocols can be used for the non-safety-related aspects of an automation task.DANGERPersonal injury due to usage of unsafe import dataDo not use any data imported from unsafe sources for safety functions in the userprogram.The following standard protocols are available:• On the Ethernet interfaces on the communication module- Modbus TCP (master/slave)- SNTP- Send/Receive TCP• On the fieldbus interfaces (RS 485) of the communication module according to thedevice model- Modbus (master/slave)- PROFIBUS DP (master/slave)11.2 Safety-Related Protocol (safeethernet)Use the safeethernet Editor to configure how safety-related communication is monitored.To do this, enter the monitoring time "ReceiveTMO“. If no variables are written within thedefined time period, they are set in the PES according to the Freeze Values on LostConnection [ms].For safety-related functions implemented via safeethernet, only the Use Initial Data settingmay be used.NOTICEUnintentional transition to the safe state possible!ReceiveTMO is a safety-related parameter!If all of the values must be transferred, the value of a given signal must be present forlonger than the "ReceiveTMO“ or it must be monitored using a loop-back function.ReceiveTMO is the monitoring time of PES 1 within which a correct response from PES 2must be received.HI 801 003 D Rev.2.0 Page 59 of 70

11 Configuring Communication HIMaxNOTICEReceiveTMO also applies in the other direction from PES 2 to PES 1!Since ReceiveTMO is a safety-relevant component of the worst case reaction time TR (see11.2.1), its value must be calculated and manually entered in the safeethernet Editor.ReceiveTMO = 4*Delay + 5*maxZZWhere:DelaymaxZZDelay on the transmission path, e.g., due to specific hardwareMaximum cycle time of both controllers.If a correct response is not received from the communication partner within the"ReceiveTMO", safety-related communication is terminated and any variables importedthrough the communication channel are reset to their user-defined initial values.In networks where packets can be lost, the following condition must be given:ReceiveTMO ≥ 2 * Response Time (minimum)(valid for "Fast & Noisy" profile)If this condition is met, the loss of at least one data packet can be intercepted withoutinterrupting the safeethernet connection.If this condition is not met, the availability of a safeethernet connection can only be ensuredin a collision and fault-free network. However, this is not a safety problem for the processormodule!NOTICEThe maximum value permitted for ReceiveTMO depends on the application processand is configured in the safeethernet Editor, along with the expected maximumresponse time and the profile.NOTICEIn the following examples, the formulas for calculating the worst case reaction timeonly apply for a connection with HIMatrix controllers if the parametersafety time = 2 * watchdog timehas been set in the systems.11.2.1 Calculating the Worst Case Reaction TimeThe worst case reaction time TR is the time between a change on the sensor input signal(in) of PES 1 and a reaction in the corresponding output (out) of PES 2. It is calculated asfollows:Page 60 of 70HI 801 003 D Rev.2.0

HIMax11 Configuring CommunicationInHIMaxPES 1Sicherheitsgerichtetes ProtokollHIMaxPES 2OutFigure 3: Reaction Time With Interconnection of Two HIMax ControllersT R = t 1 + t 2 + t 3 + t 4T RWorst Case Reaction Timet 1 Safety Time of PES 1t 2 t2 0 ms, if Production Rate = 0 (normal case),otherwise ReceiveTMO + Watchdog Time of PES 1t 3 ReceiveTMOt 4 Safety Time of PES 2The worst case reaction time depends on the process and must be agreed upon togetherwith the test authority responsible for the final inspection.11.2.2 Calculating the Worst Case Reaction Time in case of a Connection to OneHIMatrix PESThe worst case reaction time TR is the time between a change on the sensor input signal(in) of PES 1 and a reaction in the corresponding output (out) of PES 2. It is calculated asfollows:Figure 4: Reaction Time for Connection between One HIMax and One HIMatrix ControllerTR = t1 + t2 + t3 + t4T RWorst Case Reaction Timet 1 Safety Time of PES 1t 2 0 ms, if Production Rate = 0 (normal case),otherwise ReceiveTMO + Watchdog Time of PES 1t 3 ReceiveTMOt 4 Safety Time of HIMatrix PES 2The worst case reaction time depends on the process and must be agreed upon togetherwith the test authority responsible for the final inspection.11.2.3 Calculating the Worst Case Reaction Time with two HIMatrix Controllers orRemote I/OsThe worst case reaction time TR is the time between a change on the sensor input signal(in) of the first HIMatrix PES or Remote I/O (e.g., F3 DIO 20/8 01) and a reaction in thecorresponding output (out) of the second HIMatrix PES or Remote I/O. It is calculated asfollows:HI 801 003 D Rev.2.0 Page 61 of 70

11 Configuring Communication HIMaxFigure 5: Reaction Time with Remote I/OsTR = t 1 + t 2 + t 3 + t 4 + (input path)+ t 5 + t 6 + t 7 (output path)T R Worst Case Reaction Timet 1 Safety Time of tRmote I/O 1t 2 0 ms, if Production Rate = 0 (normal case),otherwise ReceiveTMO + Watchdog Time of Remote I/O 1t 3 ReceiveTMO 1t 4 2 ** Watchdog Time of HIMax PESt 5 ReceiveTMO 2t 6 0 ms, if "Production Rate“ = 0 (normal case),otherwise "ReceiveTMO2“ + Watchdog Time of PESt 7 Safety time of Remote I/O 2Note: Remote I/O 1 and Remote I/O 2 can also be identical. The time values still apply if aHIMatrix PES is used instead of a remote I/O.11.2.4 Calculating the Worst Case Reaction Time with two HIMax Controllers andone HIMatrix PESThe worst case reaction time TR is the time between a change on the sensor input signal(in) of the first HIMax PES and a reaction in the corresponding output (out) of the secondHIMax PES. It is calculated as follows:Figure 6: Reaction Time with Two HIMax Controllers and One HIMatrix PEST R = t 1 + t 2 + t 3 + t 4 + (input path)+ t 5 + t 6 + t 7 (output path)T RWorst Case Reaction Timet 1 Safety Time of HIMax PES 1t 2 0 ms, if Production Rate = 0 (normal case),otherwise ReceiveTMO 1 + Watchdog Time of HIMax PES 1t 3 ReceiveTMO 1t 4 2 ** Watchdog Time of HIMatrix PES 2t 5 ReceiveTMO 2t 6 0 ms, if "Production Rate“ = 0 (normal case),otherwise ReceiveTMO 2 + Watchdog Time of HIMatrix PES 2t 7 Safety Time of HIMax PES 3Remark: HIMax PES 1 and HIMax PES 3 can also be identical.TermsPage 62 of 70HI 801 003 D Rev.2.0

HIMax11 Configuring CommunicationReceiveTMO Monitoring time of PES 1 within which a correct response from PES2 must be received. Once the time has expired, safety-relatedcommunication is terminated.Production Rate Minimum interval between two data transmissions.Watchdog Time Maximum permissible duration of a PES RUN cycle (cycle time).Worst Case The worst case reaction time is the time between a change in aReaction Time physical input signal (in) of PES 1 and a reaction in thecorresponding output (out) of PES 2.11.2.5 Assigning safeethernet AddressesThe following points must be taken into account when assigning network addresses (IPaddresses) for safeethernet:• The addresses must be unique within the network used.• If safeethernet is connected to another network (company-internal LAN, etc.), makesure that no disturbances can occur. Potential sources of disturbances include:- The data traffic.- Coupling with other networks (e.g., Internet).In these cases, implement suitable measures to counteract against such disturbancesusing Ethernet switches, firewall and similar.11.2.6 Redundant safeethernet ConnectionsConnections between HIMax systems via safeethernet can be designed redundantly.• If two connections are identical, e.g., through both terminals of the processor module orcommunication module, they can be operated redundantly.• If two connections are not identical, e.g., if one terminal is used on the processormodule and one terminal on the communication module, one can be defined as thedefault connection and the other as a backup connection.Data traffic will only pass through the backup connection if the standard connection isinterrupted.When configuring the time parameters "ReceiveTMO", "ResendTMO" and "AckTMO", takethe slowest connection into account!The transfer rate must be considered as specified in the current manuals of the processorand communication modules in use.HI 801 003 D Rev.2.0 Page 63 of 70

11 Configuring Communication HIMaxPage 64 of 70HI 801 003 D Rev.2.0

HIMaxAppendixAppendixIncreasing the SIL of Sensors and ActuatorsSafety-related HIMax controllers are used in safety applications up to SIL 3. This requiresthat the sensors and actuators (signalers and actuating elements) in use also achieve therequired SIL.In some cases, sensors or actuators may not be available for the requirements defined inthe application, such as process value, range of value, SIL, etc. If this is the case, proceedas follows:• For inputs: Use any of the available sensors that meet all of the requirements with theexception of the SIL value. Use enough of them such that their combination provide aninput signal with the required SIL.• For outputs: Use any of the available actuators that meet all of the requirements with theexception of the SIL. Use enough of them such that their combination affects theprocess with the required SIL.With inputs, associate the values of the individual sensors and their status information witha part of the user program such that a global variable with the required SIL results from thiscombination.With outputs, distribute the value of a global variable among multiple outputs such that theprocess adopts the safe state if a fault occurs. Further, the combination of actuators mustbe able to affect the process in the required manner (for example, the serial or parallelconnection of valves).For both inputs and outputs, design the system to have the required number of sensors andactuators for a given process variable until the greatest possible degree of safety isachieved for the process. SILence, the calculation tool manufactured by HIMA, can be usedto calculate the SIL.iThe use of multiple sensors and actuators for inputting or outputting a single signal asdescribed here is only intended as a means of increasing the SIL. Do not confuse this withthe use of redundant inputs or outputs for improving availability!For information on how to achieve the required SIL for sensors and actuators, see IEC61511-1, Section 11.4.HI 801 003 D Rev.2.0 Page 65 of 70

AppendixHIMaxIndex of FiguresFigure 1: Recommended Configuration: All Processor Modules on Base Plate 0 26Figure 2:Recommended Configuration: Processor Modules on Base Plate 0 and on Base Plate1 27Figure 5: Reaction Time With Interconnection of Two HIMax Controllers 61Figure 6: Reaction Time for Connection between One HIMax and One HIMatrix Controller 61Figure 7: Reaction Time with Remote I/Os 62Figure 8: Reaction Time with Two HIMax Controllers and One HIMatrix PES 62Page 66 of 70HI 801 003 D Rev.2.0

HIMaxAppendixIndex of TablesTable 1: Standards for EMC, Climatic and Environmental Requirements 12Table 2: General requirements 12Table 3: Climatic Requirements 12Table 4: Mechanical Tests 13Table 5: Interference Immunity Tests 13Table 6: Interference Immunity Tests 13Table 7: Noise Emission Tests 13Table 8: Review of the DC Supply Characteristics 14Table 9: Overview System Documentation 15Table 10: Slot Positions Permitted for Processor Modules 23Table 11: Overview of the Input Modules 29Table 12: Overview of the Output Modules 40Table 13: System Parameters of the Resource 49Table 14: Hardware System Variables 49Table 15: System Variables for Locking and Unlocking the PES 52Table 16: System Parameters of the User Program 55Table 17: User Program Switch Freeze Allowed 57HI 801 003 D Rev.2.0 Page 67 of 70

AppendixHIMaxIndexanalog inputsuse .............................................................. 36'de-energize to trip' principle........................... 11digital inputsuse .............................................................. 30digital outputsuse .............................................................. 41digital relay outputsuse .............................................................. 42'energize to trip' principle ................................ 11fault tolerance time ......................................... 18function test of controller ................................ 47make controller lockable................................. 52operating requirementsclimatic........................................................ 12EMC............................................................ 13ESD protection ........................................... 14mechanical ................................................. 13power supply .............................................. 14proof test......................................................... 19ReceiveTMO................................................... 59responsible ..................................................... 25safety time ...................................................... 19watchdog time ................................................ 18to determine................................................ 18Page 68 of 70HI 801 003 D Rev.2.0

HIMA Paul Hildebrandt GmbH + Co KG I P.O. Box 1261 I 68777 Brühl I GermanyPhone +49 6202 709-0 I Fax +49 6202 709-107 I HIMax-info@hima.com I www.hima.comHI 801 003 E © by HIMA Paul Hildebrandt GmbH + Co KG