Many industrial automation solutions comprise structures in which a
control station communicates with several substations:
Figure 01: Task (general)
The control station can select one or several substations to
execute various actions there (specify setpoints, request actual
values, etc.). The selection of these substations is often made via
an HMI (panel).
The general requirements described
above are now to apply to the following safety-related task:
- A substation is to be selected via an HMI (panel) of the
- An emergency stop triggered in the control station is to affect
the selected substation only.
- SIL 3 in accordance with IEC 62061 is to be achieved.
Thus, a fail-safe action (triggering of an emergency stop) is
required that is based on a non-safety action (selection of the
substation via a non-safety HMI).
Figure 02: Fail-safe action on the basis of a non-safety HMI
For this safety-related task, additional measures are required
as compared with the general task.
The following solution concept has been realized:
From the HMI of the control station, the substation (here, as shown
in figure 3 below) is selected via a button. A signature (ABC) is
transmitted to the F-CPU of the control station (path 1).
Via a second button, a masked signature (ABC-1) is transmitted
to the F-CPU of the selected substation (path 2). In the F-CPU of
the substation, the transmitted signature is demasked again (+1,
giving ABC) and compared for equality with a signature setpoint
stored in the substation. If they are equal, the signature is
transmitted; if they are unequal, an error message is transmitted
instead. Either is sent by fail-safe communication via an S7
connection to the F-CPU of the control station (path 2).
In the F-CPU of the control station, the signatures received via
path 1 and path 2 are compared for equality. In the case of
equality, the correct substation has been selected.
Figure 03: Solution concept
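As an added illustration (not code from the original application example or from its STEP 7 F-programs), the following Python model walks through the two-path check described above: path 1 carries the plain signature to the control-station F-CPU, path 2 carries the masked signature to the selected substation, which demasks it and compares it with its own setpoint, and the control-station F-CPU releases the selection only if both paths deliver the same signature. The station names, the setpoint values and the modelling of masking as "subtract 1" / "add 1" are assumptions for the illustration. The model also shows the failure cases a practitioner cares about: the HMI routing path 2 to a different substation than the one named on path 1, a corrupted path 2 message, and a missing reply, all of which must end in a refused selection.

```python
"""Model of the two-path substation selection check.

Added illustration only; the real concept is implemented in the
F-programs of the F-CPUs with fail-safe S7 communication blocks.
Station names, setpoints and the masking rule are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed signature setpoints, one stored in each substation F-CPU.
SUBSTATION_SETPOINT = {"sub1": 0xA1C3, "sub2": 0xB2D4}


def mask(signature: int) -> int:
    """Masking applied by the HMI before sending on path 2 (ABC -> ABC-1)."""
    return signature - 1


def demask(masked: int) -> int:
    """Inverse applied in the substation F-CPU (ABC-1 -> ABC)."""
    return masked + 1


@dataclass
class Path2Reply:
    """What the substation F-CPU returns over the fail-safe S7 connection."""
    signature: Optional[int]  # echoed signature when the local check passed
    error: bool               # set when the demasked value did not match


def substation_fcpu(station: str, masked_signature: int) -> Path2Reply:
    """Path 2 receiver: demask and compare with the local setpoint."""
    expected = SUBSTATION_SETPOINT[station]
    if demask(masked_signature) == expected:
        return Path2Reply(signature=expected, error=False)
    # Mismatch: report an error instead of a signature.
    return Path2Reply(signature=None, error=True)


def control_fcpu(path1_signature: int, reply: Optional[Path2Reply]) -> bool:
    """Control-station F-CPU: release the selection only if the signature
    received on path 1 equals the one echoed back on path 2.  A missing
    reply (no fail-safe telegram) is treated as a failed check."""
    if reply is None or reply.error or reply.signature is None:
        return False
    return reply.signature == path1_signature


def select_substation(station_path1: str, station_path2: str,
                      deliver: bool = True, path2_bitflip: int = 0) -> bool:
    """Simulates the two HMI buttons.

    station_path1: whose signature the HMI sends to the control F-CPU.
    station_path2: which substation receives the masked signature.
    In a fault-free HMI both name the same station; the other
    parameters inject faults (lost reply, corrupted path 2 value).
    Returns True only when the selection is accepted.
    """
    path1_signature = SUBSTATION_SETPOINT[station_path1]
    masked = mask(path1_signature) ^ path2_bitflip  # optional corruption
    reply = substation_fcpu(station_path2, masked) if deliver else None
    return control_fcpu(path1_signature, reply)


if __name__ == "__main__":
    cases = {
        "consistent selection of sub1": select_substation("sub1", "sub1"),
        "path 2 routed to sub2 instead": select_substation("sub1", "sub2"),
        "no fail-safe reply": select_substation("sub1", "sub1", deliver=False),
        "bit flip on path 2": select_substation("sub1", "sub1", path2_bitflip=1),
    }
    for name, accepted in cases.items():
        print(f"{name:32s} -> {'ACCEPTED' if accepted else 'REFUSED'}")
```

Only the first case is accepted; every inconsistency between the two paths, and the absence of a reply, leaves the emergency stop unreleased for the substation, which is the fail-safe default the concept relies on.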
Practical application options
The requested concept of
allowing a fail-safe action on the basis of a non-safety HMI can be
applied in various applications, e.g.:
- Ship locks and weirs
- Fail-safe actions can be triggered from a spatially far off
(several kilometers) control station, affecting solely selected
- Selection of various (container) cranes from the driver's
What does this safety function example offer?
The STEP 7 project comprises
- the safety concept implemented in the programs of the three
F-CPUs (control station, substation 1, substation 2). In each
F-CPU, the F-program is clearly structured as a state machine.
- the fail-safe communication via an S7 connection (F_SENDS7 /
- prepared visualization user interfaces in WinCC flexible for
the control station and the two substations.
Figure 04: Prepared visualization user interface for the control
The documentation (PDF) explains in detail the implemented
safety concept and the implementation in the program of the HMI and
in the STEP 7 program.
Achieved SIL in accordance with IEC 62061
The documentation (PDF) explains in detail the standards calculations
made and demonstrates that SIL 3 in accordance with IEC 62061 is
This safety function example offers the
- Application of a safety concept on the basis of the use of a
non-safety HMI in order to realize a safety function
- Tested code
- Step-by-step instructions
- Detailed description of the safety concept with background
- Modular program structure including a state machine
- Defined interfaces
- Detailed standards calculation
For you, these advantages mean the
- Simple realization of safety functions
- Transferability of the safety concept to a wide range of
- Shorter training period
- Simple expandability
- Support for proving compliance with the requirements of IEC
The functions and solutions described in this article are
primarily confined to the realization of the automation task.
Please also note that appropriate protective measures must be taken
in the context of Industrial Security when connecting your equipment
to other parts of the plant, the enterprise network or the Internet.
Further information can be found under the Entry-ID 50203404.
Safety Integrated, Distributed
Safety, failsafe, boat lift, ship lift, ship hoist