Tailored redundancy
... with integrated safety

High-availability and safety in one system

S7-400FH combines high availability and safety technology in a single automation system.
The fail-safe, high-availability controllers are based on the proven S7-400H CPUs, the S7 F Systems engineering software, the fail-safe I/O modules of ET 200 and fail-safe communication via PROFIsafe.

If a safety-relevant fault occurs, only the affected safety circuit is switched to its safe state; the rest of the plant or machine continues to operate.

The architecture of SIMATIC S7-400FH tolerates faults while maintaining safety.

The system is TÜV-certified and complies with the relevant standards for production and process automation.

Controllers

The SIMATIC S7-400FH controllers, with matching I/O, offer a maximum degree of safety, fault tolerance and availability for your applications.

Engineering

The standard and safety programs are created in the proven SIMATIC Manager. You design the safety part of the program using the Continuous Function Chart (CFC) or the SIMATIC Safety Matrix, a tool for safety lifecycle engineering and management. For this, you use TÜV-certified function blocks from the S7 F Systems library. The SIMATIC Safety Matrix uses the Cause & Effect method, which significantly reduces the effort for engineering, commissioning and maintenance.

Flexible Modular Redundancy (FMR)

Depending on the automation task and the safety requirements, FMR lets the configuring engineer define the degree of redundancy separately for each architecture level: controller, fieldbus and I/O. Each component within a level can be configured redundantly and also physically separated. All components meet the requirements of safety integrity level SIL 3.

This allows fault-tolerant architectures tailored exactly to each task, which can tolerate several simultaneously occurring faults.

As the example of a plant with the ET 200M distributed I/O system shows, the combination of tasks can result in a mix of different degrees of redundancy within one architecture level (1oo1, 1oo2, 2oo3; MooN meaning that M out of N channels are needed to perform the safety function).

Fault-tolerant controllers

Time redundancy and multiple channels instead of structural redundancy

Error detection and error control are executed by the safety program in the CPU in conjunction with the fail-safe I/O modules.

The fail-safe, high-availability controllers are based on the proven S7-400H CPUs.
Fail-safe processing relies on time redundancy and diverse program processing rather than on structural redundancy of the hardware.

The control blocks required for this are created automatically by S7 F Systems when the safety program is generated and are loaded into the CPU together with the user program. They ensure that software errors and hardware faults in the CPU are detected and that the corresponding reaction is triggered, which transfers the affected safety function to a safe state and keeps it there.

If a safety-relevant error occurs, only the affected safety circuit goes to its safe state; the rest of the system continues to operate as before.

Fail-safe I/O modules

With SIMATIC ET 200, a wide range of distributed I/O systems with fail-safe modules is available, for solutions in the control cabinet or even in potentially explosive atmospheres.

The fail-safe modules have a two-channel internal design, run their own self-tests and detect both internal and external faults.

Fault-tolerant communication

PROFIsafe supports fail-safe communication between two partners to deliver:

  • correct data

  • to the right destination

  • just in time.

When messages travel across complex network topologies, errors can occur because of hardware failures, electromagnetic interference or other factors: messages can be lost, inserted from elsewhere, duplicated or delayed, arrive in the wrong order, or contain corrupted data.

The four key countermeasures provided by PROFIsafe are:

  • consecutive numbering of F messages ("sign-of-life"), which reveals lost, inserted, duplicated and reordered messages

  • expected time with acknowledgement ("watchdog"), which reveals delayed or missing messages

  • an ID between the sender and receiver ("F address"), which reveals messages delivered to the wrong partner or inserted from elsewhere

  • data integrity check (CRC = cyclic redundancy check), which reveals corrupted data

The PROFIsafe profile enables safety-related communication over the open standard buses PROFIBUS and PROFINET using standard network components: the transmission path itself is not part of the safety argument (the "black channel" principle), so standard switches, cables and wireless links can be used. In conjunction with PROFINET, PROFIsafe also supports fail-safe wireless communication via IWLAN. These four measures are designed to detect random and systematic transmission faults; the CRC is not a cryptographic integrity check, so protection against deliberate tampering with the network has to come from the security measures of the underlying network.
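To make the four countermeasures concrete, here is an added example in Python. It is not Siemens or PROFIsafe code, and it does not use the real PROFIsafe frame layout or CRC polynomial, which it replaces with a constructed layout and CRC32: a sender attaches the F-addresses, a consecutive number and a CRC, and a receiver applies the four checks, driving its safety circuit to a latched safe state on the first failure. The addresses, timings and error scenarios are constructed for the example.

```python
import struct
import zlib
from dataclasses import dataclass, field

# Frame layout of this model (constructed; not the PROFIsafe wire format or
# its CRC polynomial): source F-address (2 bytes) | destination F-address (2)
# | consecutive number (1) | process data (n) | CRC32 of the preceding bytes (4)
_HDR = struct.Struct(">HHB")
_CRC = struct.Struct(">I")


def build_fmsg(src: int, dst: int, seq: int, data: bytes) -> bytes:
    """Sender: attach F-addresses, sign-of-life counter and CRC."""
    body = _HDR.pack(src, dst, seq & 0xFF) + data
    return body + _CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


@dataclass
class FReceiver:
    """Receiver: the four checks plus a latching safe state."""
    my_addr: int
    peer_addr: int
    watchdog_ms: int
    last_seq: int = 0         # counter of the last accepted message (0 = none yet)
    last_rx_ms: int = 0       # arrival time of the last accepted message
    in_safe_state: bool = False
    faults: list = field(default_factory=list)

    def _trip(self, reason: str) -> None:
        # Any detected error drives this one safety circuit to its safe state
        # and latches it there; other circuits are unaffected.
        self.in_safe_state = True
        self.faults.append(reason)

    def tick(self, now_ms: int) -> None:
        """Periodic call: the watchdog must fire even if nothing arrives."""
        if not self.in_safe_state and now_ms - self.last_rx_ms > self.watchdog_ms:
            self._trip("watchdog expired (message lost or delayed)")

    def receive(self, frame: bytes, now_ms: int):
        """Return the process data if all checks pass, else None."""
        if self.in_safe_state:
            return None
        if len(frame) < _HDR.size + _CRC.size:
            self._trip("frame too short")
            return None
        # Data integrity: CRC over everything before the trailer.
        body, trailer = frame[:-_CRC.size], frame[-_CRC.size:]
        if _CRC.unpack(trailer)[0] != zlib.crc32(body) & 0xFFFFFFFF:
            self._trip("CRC mismatch (corrupt data)")
            return None
        # F-address: right partner and right destination?
        src, dst, seq = _HDR.unpack(body[:_HDR.size])
        if src != self.peer_addr or dst != self.my_addr:
            self._trip(f"F-address mismatch (src={src:#06x}, dst={dst:#06x})")
            return None
        # Consecutive number: loss, insertion, duplication, wrong order.
        if seq == self.last_seq:
            self._trip(f"duplicate message (seq {seq})")
            return None
        expected = (self.last_seq + 1) & 0xFF
        if seq != expected:
            self._trip(f"sequence error (got {seq}, expected {expected})")
            return None
        # Watchdog: the message must arrive within the expected time.
        if now_ms - self.last_rx_ms > self.watchdog_ms:
            self._trip("watchdog expired (message delayed)")
            return None
        self.last_seq, self.last_rx_ms = seq, now_ms
        return body[_HDR.size:]


def run_scenarios() -> dict:
    """Fresh receiver per case: good traffic, then one case per error class
    (constructed data); returns accepted data or the fault that tripped."""
    src, dst = 0x0101, 0x0202

    def fresh():
        return FReceiver(my_addr=dst, peer_addr=src, watchdog_ms=100)

    def msg(seq, s=src, d=dst):
        return build_fmsg(s, d, seq, b"\x01")

    out = {}
    rx = fresh()                                   # normal: 50 ms apart
    out["normal"] = [rx.receive(msg(n), 50 * n) for n in (1, 2, 3)]
    rx = fresh(); rx.receive(msg(1), 50); rx.receive(msg(1), 100)  # replayed
    out["duplicate"] = rx.faults
    rx = fresh(); rx.receive(msg(1), 50); rx.receive(msg(3), 100)  # seq 2 lost
    out["lost"] = rx.faults
    rx = fresh(); rx.receive(msg(1), 50); rx.receive(msg(2), 250)  # too late
    out["delayed"] = rx.faults
    rx = fresh(); rx.receive(msg(1), 50); rx.tick(90); rx.tick(151)  # silence
    out["silence"] = rx.faults
    rx = fresh(); rx.receive(msg(1, s=0x0303), 50)   # from another sender
    out["misrouted"] = rx.faults
    frame = bytearray(msg(1)); frame[_HDR.size] ^= 0x80   # one flipped bit
    rx = fresh(); rx.receive(bytes(frame), 50)
    out["corrupt"] = rx.faults
    return out
```

Calling run_scenarios() shows each error class caught by a different check: the counter catches the replayed and the missing message, the watchdog the late message and the silence, the F-address the frame from the wrong sender, and the CRC the flipped bit. The model also makes the limit visible: a party on the black channel who can read the current counter and compute the CRC can produce a frame that passes all four checks, which is why protection against deliberate manipulation belongs to the network security layer and not to these measures.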

Engineering in SIMATIC Manager

Engineering with CFC

S7 F Systems supports configuration with functions for:

  • Comparison of safety-related F-programs

  • Detection of changes to the F-program via its checksum

  • Separation of safety-related and standard functions

  • Password protection of access to fail-safe functions


SIMATIC Safety Matrix

SIMATIC Safety Matrix: assigning causes to effects

The SIMATIC Safety Matrix makes programming the safety logic not only significantly simpler and more convenient but also much faster than the conventional approach. During the risk analysis of a plant, the configuration engineer assigns specific reactions (effects) to events (causes) that may occur during the process.

In the rows of a matrix table that resembles a spreadsheet, the engineer

  • initially enters possible process events (inputs)

  • configures their type and quantity

  • configures logic operations

  • defines any delays and interlocks

  • and configures any tolerable faults.

The reactions (outputs) to a particular event are then defined in the vertical columns.

Events and reactions are linked simply by clicking the cell where row and column intersect. From this, the Safety Matrix automatically generates the complex safety-related CFC programs. Configuration engineers need no special programming knowledge and can concentrate fully on the safety requirements of their plant.
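The following is an added example in Python, not Siemens code and not what the Safety Matrix actually generates: a small cause-and-effect evaluator in which each row is a cause with MooN voting of its input channels (the 1oo1, 1oo2 and 2oo3 degrees from the FMR section above), an optional on-delay and a number of tolerable channel faults, each column is an effect, and a link at the intersection ties them together. The tag names, the plant, the cycle-by-cycle inputs and the degradation rule for faulty channels (2oo3 becomes 1oo2) are all constructed assumptions for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cause:
    name: str
    channels: tuple            # input tags voted together
    m: int                     # MooN: m of len(channels) must demand the trip
    delay_cycles: int = 0      # on-delay: demand must persist this many cycles
    tolerable_faults: int = 0  # diagnosed channel faults tolerated before a trip


class CauseEffectMatrix:
    """Rows are causes, columns are effects, a link at the intersection
    ties them; scan() is one evaluation cycle of the resulting logic."""

    def __init__(self, causes, effects, links):
        self.causes = list(causes)
        self.effects = list(effects)
        self.links = set(links)               # {(cause_name, effect_name)}
        self.timers = {c.name: 0 for c in causes}

    @staticmethod
    def vote(cause: Cause, inputs: dict) -> bool:
        """MooN vote with degradation (an assumption of this model): a channel
        reported faulty (None) leaves the vote and M drops with it, so 2oo3
        becomes 1oo2 and 1oo2 becomes 1oo1; more faults than tolerated trip."""
        values = [inputs.get(tag) for tag in cause.channels]
        faulty = sum(v is None for v in values)
        if faulty > cause.tolerable_faults:
            return True                       # fail-safe: the vote is untrusted
        demands = sum(bool(v) for v in values if v is not None)
        return demands >= max(1, cause.m - faulty)

    def scan(self, inputs: dict) -> dict:
        """One cycle: {effect: True if any linked cause is active}."""
        active = set()
        for c in self.causes:
            self.timers[c.name] = self.timers[c.name] + 1 if self.vote(c, inputs) else 0
            if self.timers[c.name] > c.delay_cycles:
                active.add(c.name)
        return {e: any((c, e) in self.links for c in active) for e in self.effects}


def run_demo() -> list:
    """Constructed plant: a 2oo3 high-pressure trip with a one-cycle delay and
    a 1oo2 high-level trip, linked to a valve, a pump and a common alarm."""
    cem = CauseEffectMatrix(
        causes=[Cause("PAHH-101", ("PT-101A", "PT-101B", "PT-101C"), m=2,
                      delay_cycles=1, tolerable_faults=1),
                Cause("LAHH-102", ("LT-102A", "LT-102B"), m=1)],
        effects=["XV-101 close", "P-101 stop", "alarm"],
        links={("PAHH-101", "XV-101 close"), ("PAHH-101", "alarm"),
               ("LAHH-102", "P-101 stop"), ("LAHH-102", "alarm")},
    )
    calm = dict.fromkeys(("PT-101A", "PT-101B", "PT-101C", "LT-102A", "LT-102B"), 0)
    cycles = [
        {**calm, "PT-101A": 1},                      # 1: one of three high: no trip
        {**calm, "PT-101A": 1, "PT-101B": 1},        # 2: 2oo3 met, delay running
        {**calm, "PT-101A": 1, "PT-101B": 1},        # 3: delay elapsed: valve + alarm
        {**calm, "LT-102A": 1},                      # 4: level 1oo2 stops the pump
        {**calm, "PT-101A": 1, "PT-101C": None},     # 5: PT-101C faulty: degraded 1oo2
        {**calm, "PT-101A": 1, "PT-101C": None},     # 6: ... trips after the delay
        {**calm, "PT-101B": None, "PT-101C": None},  # 7: two faults > tolerated: trip
    ]
    return [cem.scan(inputs) for inputs in cycles]


if __name__ == "__main__":
    for n, effects in enumerate(run_demo(), 1):
        print(n, effects)
```

The cycle list plays the same role as the matrix rows and columns: changing a cause's m from 2 to 1 turns the 2oo3 row into 1oo3, and changing tolerable_faults to 0 makes cycle 5 trip immediately instead of degrading, which is the kind of decision the engineer otherwise makes in the matrix cells.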