5.2 Creating the Safety Program

5.2.2 Defining the Program Structure

Structure of Safety Program in Two F-Runtime Groups

Starting in S7 Distributed Safety V 5.3, you can divide your safety program into two F-runtime groups. By arranging for portions of your safety program (one F-runtime group) to run in a faster priority class, you achieve a faster safety circuit with short response times.

Note

You can improve the structure of your safety program by dividing it into two F-runtime groups. However, note that the following actions cannot be performed for individual F-runtime groups, but only for the safety program as a whole:

• Specifying a password for the safety program

• Compiling the safety program

• Downloading the safety program

• Deactivating safety mode

• Comparing safety programs

• Printing a safety program

The collective signatures are formed across all F-blocks of the safety program (see Safety Program Acceptance Test).

For additional information on F-runtime groups, refer to Defining F-Runtime Groups.

Rules for the Program Structure

You must keep the following rules in mind when designing a safety program for S7 Distributed Safety:

• F-blocks must not be called directly in an OB; rather, they must be inserted into one or two F-runtime groups.

• The safety program consists of one or two F-runtime groups each with one F-CALL. A maximum of one F-program block can be assigned to each F-CALL.

• The channels of an F-I/O can be accessed from only one F-runtime group.

• Variables of the F-I/O DB in an F-I/O can only be accessed from one F-runtime group and only from the F-runtime group from which the channels of this F-I/O are accessed (if access is made).

• For optimal use of local data, you must call the F-CALL blocks (the F-runtime groups) directly in OBs (cyclic interrupt OBs, to the extent possible); you should not declare any additional local data in these cyclic interrupt OBs.

• Certain resources must be reserved for the safety program. This is done during configuration of the F-CPU in HW Config in the Object Properties dialog box of the F-CPU. If you do not make any settings explicitly, meaningful default values are used (see Configuration).

• Create your program according to the general STEP 7 rules. Consider, for example, the data flow.

You will find additional information in the Differences between the F-FBD and F-LAD Programming Languages and the Standard FBD and LAD Languages.

Note

You can improve performance by writing parts of the program that are not required for the safety function in the standard user program.

When determining which elements to include in the standard user program and the safety program, you should keep in mind that the standard user program can be modified and downloaded to the F-CPU more easily. In general, changes in the standard user program do not require an acceptance test.
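The program structure rules above can be applied as a design-review check over a description of the call structure. The following is an added example, not code from this manual or from STEP 7; the project model, the block names (FC100, FB10, ...) and the F-I/O names are constructed for illustration and do not represent a STEP 7 export format.

```python
# Constructed project model for illustration; not a STEP 7 export format.
PROJECT = {
    "ob_calls": {"OB35": ["FC100"], "OB36": ["FC101", "FB20"]},
    "f_blocks": {"FB10", "FB11", "FB20"},   # F-FBs/F-FCs, F-CALLs excluded
    "groups": {                              # F-runtime groups, keyed by F-CALL
        "FC100": {"program_blocks": ["FB10"],
                  "channels": {"F-DI_A", "F-DO_B"}, "fio_db": {"F-DI_A"}},
        "FC101": {"program_blocks": ["FB11"],
                  "channels": {"F-DO_B"}, "fio_db": {"F-DI_A"}},
    },
}

def check_structure(project):
    """Return a list of violations of the program-structure rules."""
    findings = []
    groups = project["groups"]
    if not 1 <= len(groups) <= 2:
        findings.append(f"{len(groups)} F-runtime groups (one or two allowed)")
    # F-blocks must be reached through an F-CALL, never called from an OB.
    for ob, called in project["ob_calls"].items():
        for block in called:
            if block in project["f_blocks"]:
                findings.append(f"{ob} calls F-block {block} directly")
    # Channels of an F-I/O belong to exactly one F-runtime group.
    channel_owner = {}
    for fcall, group in groups.items():
        if len(group["program_blocks"]) > 1:
            findings.append(f"{fcall} has more than one F-program block")
        for fio in sorted(group["channels"]):
            if fio in channel_owner:
                findings.append(f"channels of {fio} accessed from "
                                f"{channel_owner[fio]} and {fcall}")
            channel_owner.setdefault(fio, fcall)
    # F-I/O DB variables: one group only, and the one that owns the channels.
    db_owner = {}
    for fcall, group in groups.items():
        for fio in sorted(group["fio_db"]):
            owner = channel_owner.get(fio, fcall)
            if owner != fcall:
                findings.append(f"F-I/O DB of {fio} accessed from {fcall}, "
                                f"channels from {owner}")
            if db_owner.setdefault(fio, fcall) != fcall:
                findings.append(f"F-I/O DB of {fio} accessed from "
                                f"{db_owner[fio]} and {fcall}")
    return findings

if __name__ == "__main__":
    for finding in check_structure(PROJECT):
        print(finding)
```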

5.3 F-I/O Access

Overview

This section describes how to access the F-I/O and the special characteristics you must consider for access programming.

Access by Means of Process Image

As with standard I/O, F-I/O (e.g., S7-300 F-SMs) are accessed by means of the process image (PII and PIQ). The I/O cannot be accessed directly. The channels of an F-I/O can be accessed from only one F-runtime group.

The process input image is updated at the beginning of the fail-safe runtime group, before the fail-safe program block is processed. The process output image is updated at the end of the F-runtime group, after the F-program block is processed (see figure in Structure of Safety Program in S7 Distributed Safety).

The actual communication between the F-CPU (process image) and the F-I/O to update the process image is hidden and takes place by means of a special safety protocol in accordance with PROFIsafe.

Warning

Due to its special safety protocol, F-I/O occupy a larger area of the process image than required for the channels that are actually present on the F-I/O. When the process image is accessed in the safety program, only the actually existing channels can be accessed.

Note that for certain F-I/O (such as S7-300 F-SMs and ET 200S fail-safe modules), a "1oo2 evaluation of the sensors" can be set. In this case, only the less significant of the channels grouped by the "1oo2 evaluation of the sensors" can be accessed in the safety program.

Signal Chart Figures

The signal charts presented in the "Signal Chart ..." figures in the following sections represent typical signal charts for the indicated behavior.

Actual signal charts and, in particular, the relative position of the status change of individual signals can deviate from the given signal charts within the scope of known distortion for cyclic program execution, depending on the following:

• Which F-I/O are being used (F-I/O with inputs, F-I/O with outputs, F-I/O with inputs and outputs, S7-300 F-SMs, ET 200S F-modules, ET 200eco F-modules, or fail-safe DP standard slaves, version of PROFIsafe bus profile for the F-I/O)

• Cycle time of OBs of safety program

• Target rotation time of PROFIBUS DP

Note

The signal charts refer to the status of signals in the user's safety program. If the signals are evaluated in the standard user program before or after the safety program is called in the same OB, the status change of the signals can be displaced by one cycle.

Contrary to what is shown in the status charts, status changes between process and fail-safe values that are transmitted to the fail-safe outputs ("To Outputs" signal chart) can occur before the status change of the associated QBAD signal, if necessary. The timing of the status change is dependent on whether F-I/O with outputs or F-I/O with inputs and outputs were used.