
FUNCTIONAL DESIGN SPECIFICATION (SSD/FGS)

Project: RC-4 Wellhead Platform
Contractor: Technics Offshore Engineering
Doc. No.: 08088E-CMS-SSD-01
System: Control and Monitoring System
Owner: Vietsovpetro JV
Rev. No.: 2
Sht. No.: 2 of 23

TABLE OF CONTENTS

1. INTRODUCTION ..... 4
1.1 Document Scope ..... 4
1.2 Project Information ..... 4
1.3 Abbreviations ..... 5
2. PROJECT OVERVIEW ..... 6
3. SYSTEM OVERVIEW ..... 7
3.1 Introduction ..... 7
3.2 System Features ..... 8
3.2.1 Flexible Modular Redundancy ..... 8
3.2.2 Safety-Fieldbus ..... 8
3.2.3 Redundant Controllers ..... 9
3.2.4 Redundant Bus Systems ..... 10
3.2.5 Redundant I/O ..... 10
3.2.6 Safety Software ..... 10
3.2.7 Safety Function ..... 11
3.2.8 Self-Tests ..... 12
3.2.9 Password Protection for F-Systems ..... 12
4. SYSTEM DESIGN ..... 13
4.1 LEVEL 0 FIELD Devices ..... 13
4.2 LEVEL 1 PLC ..... 14
4.2.1 Introduction ..... 14
4.2.2 System I/O Count ..... 15
4.2.3 System Hardware ..... 16
4.2.4 Cabinet Design ..... 17
4.2.5 Electrical Distribution ..... 18
4.2.6 System Power Requirements ..... 19
4.2.7 System I/O Connections ..... 20
4.2.8 Field Cable Termination ..... 20
4.2.9 Cable Colour Codes ..... 21
4.2.10 System Grounding ..... 21
4.3 LEVEL 2 SCADA ..... 22


4.3.1 SCADA ..... 22
4.3.1.1 Introduction ..... 22
4.3.2 DCI ..... 23
4.3.2.1 Introduction ..... 23
APPENDIX A Control System Block Diagram
APPENDIX B System Power Single Line Diagram
APPENDIX C Typical Earthing Arrangement Diagram
APPENDIX D Power / Heat Dissipation Calculation
APPENDIX E TUV Certificates
APPENDIX F System Hardware Datasheets


1. INTRODUCTION

1.1 Document Scope


This Functional Design Specification (FDS) defines the system design for the SIL3 certified SIMATIC S7-414FH PLC based combined Safety Shutdown and Fire & Gas Detection (SSD/FGS) system for the RC-4 platform owned by Vietsovpetro JV (VSP) in Vietnam. The SSD/FGS PLC is part of the Control and Monitoring System supplied for the RC-4 platform by Technics Offshore Engineering Pte Ltd. The overall system configuration is shown in the Control System Block Diagram (Dwg. No. 08088E-CMS-SYS-01) in Appendix A.

The other systems included in the supply are discussed in the following specifications:
- Process Control System (PCS): Doc. No. 08088E-CMS-PCS-01
- SCADA: Doc. No. 08088E-CMS-HMI-01
- Data Communication Interface (DCI): Doc. No. 08088E-CMS-DCI-01

The system as described in this manual is based on sound practices and recommended solutions as documented in the Siemens reference manuals, with respect to the project requirements.

1.2 Project Information


Project Title        : RC-4 Wellhead Platforms
Project Location     : Vietnam
Equipment            : Control and Monitoring Systems
End User             : Vietsovpetro JV (VSP)
Client               : Technics Offshore Engineering Pte Ltd (TOEPL)
Clients Project Ref. : 08088
Vendor Project Ref.  : 0814


1.3 Abbreviations
1-oo-2  One-out-of-two
2-oo-2  Two-out-of-two
2-oo-3  Two-out-of-three
DCI     Data Communication Interface
EMC     Electromagnetic Compatibility
EMI     Electromagnetic Interference
ES      PCS7 Engineering System
ESD     Emergency Shutdown
EWS     Engineering Workstation
FB      Function Block
FBD     Function Block Diagram
FGS     Fire and Gas Detection System
HIFT    Hardware Implemented Fault Tolerance
I/O     Input/Output
IMB     Inter-Module Bus
IS      Intrinsically Safe
MCB     Miniature Circuit Breaker
MCC     Motor Control Centre
MTTR    Mean Time to Repair
OPC     OLE for Process Control
OS      PCS7 Operating System
PCS     Process Control System
PSD     Process Shutdown
PSU     Power Supply Unit
SCADA   Supervisory Control and Data Acquisition
SIL     Safety Integrity Level
SOE     Sequence of Events
SSD     Safety Shutdown
TÜV     Technischer Überwachungs-Verein
TMR     Triple Modular Redundant
UPS     Uninterruptable Power Supply


2. PROJECT OVERVIEW
The proposed Control and Monitoring System is based on the Siemens SIMATIC PCS7 solution, which consists of the S7-414H Controllers, the ET-200M I/O System with S7-300 I/O Modules, and the PCS7 OS software. Please refer to the Control System Block Diagram in Appendix A for more details.

Each of the SSD/FGS and PCS control systems has its own dedicated and independent fully redundant S7-414H Controller, ET-200M I/O System and S7-300 I/O modules. The S7-414H Controllers are the same for all PLC systems. The SIL3 S7-414FH Controllers for the SSD/FGS system shall be installed with the additional TUV SIL3 certified Failsafe Library Blocks.

The S7-414H Controller communicates with the ET-200M I/O System via the redundant PROFIBUS DP buses. The PROFIBUS DP communication port is integrated in the CPU and no additional module is required on the Controller. On the ET-200M station, the PROFIBUS interface is provided via dual IM153-2 modules.

Each S7-414H Controller set comes with two no. of CP443-1 Ethernet Communication Processors (CP). These CPs are connected to the redundant Industrial Ethernet (IE) networks compliant to the IEEE802.3 standard. Peer-to-Peer communication between the Controllers is carried out via the CP443-1 Ethernet CPs. The PCS7 OS station (WS-1) communicates with the S7-414H Controller via the redundant IE networks. A local A4 black & white laser printer shall be provided for alarm and report printing.

The PCS7 Engineering Station (ES-1) is installed with the SIMATIC Manager software and connected to the S7-414H Controller via the IE networks. The configuration and programming for all Controllers shall be carried out in the SIMATIC Manager software under one project. The Step7 software also supports online diagnostics of the PLC systems.

The DCI Controller set is installed with two additional no. of CP441-2 Point-to-Point Communication Processors for redundant RS-232 connections to the Microwave Radio station.


3. SYSTEM OVERVIEW

3.1 Introduction


The SSD/FGS system is based on the SIMATIC SIL3 certified S7-414FH Failsafe Hot-Standby PLC and the ET-200M I/O Subsystem with S7-300 Failsafe I/O Modules, with TUV certificates as attached in Appendix E. The SSD/FGS PLC system provided is a fully redundant system including power supplies, CPUs, Ethernet communication processors (CP443-1) and ET200M I/O subsystems.

The SSD/FGS system provides emergency shutdown for the safe operation of each equipment unit operating area and the detection of the presence of fire and gas leakage. The control philosophy will be programmed according to the client-provided Cause & Effect diagrams.

The field signals are connected to the field terminal blocks or IS. Isolators in the marshalling cabinets and routed via multi-core cables to the redundant S7-300 F-I/O modules located in separate ET-200M stations.

Communication with the PCS7 OS Workstation (WS-1) and the S7-414H based DCI PLC is carried out through the redundant CP443-1 Industrial Ethernet processors via dual Ethernet (IE) networks compliant to the IEEE802.3 standard. The PCS7 Engineering Station (ES-1) is installed with the SIMATIC Manager software and connected to the S7-414FH Controller via the IE networks. The SIMATIC Manager software supports the configuration, programming and on-line troubleshooting of the full S7-414FH system.

An additional 30% of spare I/O points has been taken into consideration for the quantities of I/O modules provided.


3.2 System Features


The proposed S7-414FH Failsafe Controllers for the SSD/FGS system use the same hardware, and therefore share the same characteristics, as the standard S7-414H Controllers proposed for the PCS and DCI systems. To use the standard S7-414 CPU for a safety application, only the additional S7-F Systems software package is required. The S7 FH Systems are certified for safety shutdown systems according to IEC 61511 (SIL3) and for fire and gas applications according to EN 54 and NFPA 72.

3.2.1 Flexible Modular Redundancy

The SIMATIC S7-414FH system features a unique design that is flexible, modular and redundant, and which enables the assembly of extremely fault-tolerant architectures. Unlike traditional leg-based architectures, where the failure of a single component causes shutdown of an entire leg of the system, the SIMATIC S7-414FH system integrates certified safety-fieldbus technology, allowing each module to function independently of the other modules in the system. The level of fault tolerance can be tailored to match the needs of the application by mixing and matching single, dual and triple redundancy in the same system. As a result, the SIMATIC S7-414FH architecture tolerates multiple faults with no degradation in safety, since every component of the system is certified to SIL 3. Third-party system reliability modelling has shown that Siemens Flexible Modular Redundancy delivers higher levels of availability than traditional dual and triple redundant architectures.

3.2.2 Safety-Fieldbus

Failsafe communication between the safety program in the F-CPU and the fail-safe inputs and outputs takes place via the "standard" PROFIBUS DP with superimposed PROFIsafe safety profile.


Specially developed for this purpose, the PROFIsafe PROFIBUS profile allows the useful data of the safety function to be transferred within the standard data message frame. Additional hardware components, e.g. special safety buses, are not necessary. The necessary software is either integrated in the hardware components as an extension of the operating system or loaded as a certified software block into the CPU. PROFIsafe utilizes the standard services of the lower-level bus system to implement safe communication.

When transmitting messages, PROFIsafe applies four measures against possible faults or errors such as corrupted addresses, loss, delay, etc.:
- Message frames are consecutively numbered
- The time is monitored (watchdog)
- Authenticity is monitored using "passwords"
- An optimized CRC (Cyclic Redundancy Check) detects corrupted data bits in a message frame

With SIL 3 (Safety Integrity Level), it fulfils the highest requirements in the process industries. PROFIsafe permits standard and safety-related communications on one and the same bus.
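The receiver-side logic behind these four measures, shown as an added worked example that is not part of this specification nor of the PROFIsafe implementation: a simplified Python model in which the frame layout, the CRC (zlib crc32 as a stand-in for the PROFIsafe CRC) and the codename values are assumptions. It shows why a lost, replayed, late, foreign or corrupted frame each drive the consumer to substitute values and passivation until reintegration.

```python
"""Simplified receiver-side model of the four PROFIsafe safeguards named above:
consecutive numbering, watchdog time monitoring, authenticity via a shared
"password" (codename) and a CRC. Constructed educational example: the frame
layout, the CRC (zlib.crc32) and the codename values are assumptions, not the
PROFIsafe specification."""
import struct
import zlib
from dataclasses import dataclass, field

SAFE_SUBSTITUTE = bytes(2)   # fail-safe substitute values: every output de-energised
FRAME_FMT = ">2sBI"          # 2 bytes process data | 1-byte consecutive number | 32-bit CRC


def frame_crc(data: bytes, counter: int, codename: int) -> int:
    """CRC over process data, consecutive number and the (never transmitted) codename.
    A frame built with a different codename, or with any corrupted bit, fails this check."""
    return zlib.crc32(data + bytes([counter]) + struct.pack(">H", codename)) & 0xFFFFFFFF


def build_frame(data: bytes, counter: int, codename: int) -> bytes:
    """Sender side: pack process data, consecutive number and CRC into one frame."""
    counter &= 0xFF
    return struct.pack(FRAME_FMT, data, counter, frame_crc(data, counter, codename))


@dataclass
class SafetyReceiver:
    codename: int             # identity expected from the partner (F-address analogue)
    watchdog_ms: int          # longest permitted gap between two accepted frames
    expected: int = 1         # next consecutive number expected; 0 is never used
    last_ok_ms: int = 0       # arrival time of the last accepted frame
    passivated: bool = False  # True once any check has failed, until reintegration
    faults: list = field(default_factory=list)

    def receive(self, frame: bytes, now_ms: int) -> bytes:
        """Check one frame; return its process data, or substitute values on any fault."""
        if self.passivated:
            return self._fail("still passivated, awaiting reintegration", now_ms)
        data, counter, crc = struct.unpack(FRAME_FMT, frame)
        if crc != frame_crc(data, counter, self.codename):
            return self._fail("crc/authenticity mismatch", now_ms)   # corruption or wrong partner
        if counter != self.expected:                                   # loss, repeat or replay
            return self._fail(f"sequence: expected {self.expected}, got {counter}", now_ms)
        if now_ms - self.last_ok_ms > self.watchdog_ms:
            return self._fail("watchdog timeout", now_ms)             # delayed or stalled traffic
        self.expected = (counter + 1) & 0xFF or 1   # wrap past 255 straight to 1
        self.last_ok_ms = now_ms
        return data

    def reintegrate(self, now_ms: int) -> None:
        """Operator/program acknowledgement: leave passivation and restart the sequence."""
        self.passivated, self.expected, self.last_ok_ms = False, 1, now_ms

    def _fail(self, reason: str, now_ms: int) -> bytes:
        self.faults.append((now_ms, reason))
        self.passivated = True
        return SAFE_SUBSTITUTE


def run_scenario() -> dict:
    """Constructed traffic: good frames, a lost frame, a replayed frame, a late frame,
    a frame from a wrong partner and a bit-flipped frame."""
    host, rogue = 0x1A2B, 0x9999   # assumed codenames
    rx = SafetyReceiver(codename=host, watchdog_ms=100)
    out = {}
    out["ok1"] = rx.receive(build_frame(b"\x01\x00", 1, host), now_ms=10)
    out["ok2"] = rx.receive(build_frame(b"\x03\x00", 2, host), now_ms=50)
    out["lost"] = rx.receive(build_frame(b"\x07\x00", 4, host), now_ms=90)    # frame 3 never arrived
    out["stuck"] = rx.receive(build_frame(b"\x07\x00", 5, host), now_ms=120)  # no acknowledgement yet
    rx.reintegrate(now_ms=130)
    good = build_frame(b"\x01\x00", 1, host)
    out["ok3"] = rx.receive(good, now_ms=140)
    out["replay"] = rx.receive(good, now_ms=150)                               # same frame again
    rx.reintegrate(now_ms=160)
    out["late"] = rx.receive(build_frame(b"\x01\x00", 1, host), now_ms=300)    # 140 ms > watchdog
    rx.reintegrate(now_ms=310)
    out["forged"] = rx.receive(build_frame(b"\x00\x00", 1, rogue), now_ms=320)
    rx.reintegrate(now_ms=330)
    flipped = bytearray(build_frame(b"\x01\x00", 1, host))
    flipped[0] ^= 0x01                                                         # one corrupted data bit
    out["corrupt"] = rx.receive(bytes(flipped), now_ms=340)
    out["faults"] = [reason for _, reason in rx.faults]
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```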

3.2.3 Redundant Controllers

SIMATIC S7-414FH controllers are used in a redundant controller configuration for extended system availability, in order to satisfy safety and fault-tolerance demands. All individual components are certified according to SIL 3 with no degraded mode, and safety is not bound to redundancy: when one controller fails, the standby controller is still certified to run the safety applications alone.


3.2.4 Redundant Bus Systems

For fail-safe, fault-tolerant communication Siemens applies the PROFIsafe profile, certified according to IEC 61508. The bus is redundantly configured, i.e. a failure in the bus can also be tolerated. The bus changeover takes place automatically in the event of a fault.

3.2.5 Redundant I/O

The ET 200M fail-safe I/Os are used in the redundant design for the distributed expansion of the SIMATIC S7-414FH. Together with the redundant PROFIBUS connection, they form the basis of the Flexible Modular Redundancy. This creates the greatest possible availability, because the system can withstand the failure of a CPU, a PROFIBUS line or a signal module, or a combination of different failures. The fail-safe I/Os are internally redundant, can diagnose internal and external faults, and carry out numerous self-tests and field-wiring diagnostics (e.g. short-circuit, wire-break). In addition, fail-safe and standard I/O modules (critical and non-critical I/Os) can be combined in one ET 200M/S station.

3.2.6 Safety Software

The standard and safety programs are generated in the proven SIMATIC Manager. TÜV-certified function blocks from the library in S7-F Systems are used for the S7 FH Systems. The S7-F Systems software package enhances the S7-414FH controller by adding the safety functions; a library with TUV certified functions is added. All safety function blocks can be identified by their yellow colour.


S7 F Systems is the engineering tool for the configuration of failsafe applications, integrated in SIMATIC Manager. This tool enables you to:
- Parameterize CPUs and F signal modules, and
- Generate failsafe applications in CFC.

Preprogrammed CFC software blocks approved by TUV are available for this purpose. The failsafe blocks relieve the user from having to individually create programs for fault identification and error response. Program changes during continuous operation are possible, e.g. changing and reloading components. During compilation, certain fault detection and fault reaction functions are automatically added to the Safety Program. The S7 F Systems optional package also provides functions for comparing Safety Programs and supporting the acceptance of Safety Programs.

3.2.7 Safety Function

Functional safety is implemented principally through safety functions in the S7-F Systems software. Safety functions are executed by S7 FH Systems to restore or maintain a safe state in a system when a dangerous event occurs. Safety functions are contained mainly in the following components:
- In the safety-related user program (Safety Program) in the fail-safe CPU (F-CPU)
- In the fail-safe inputs and outputs (F-I/O)

The F-I/O ensure safe processing of field information. They have all of the required hardware and software components for safe processing, in accordance with the required safety class. The user only programs the user safety function. The safety function for the process can be provided through a user safety function or a fault reaction function. In the event of a fault, if the F-system can no longer execute its actual user safety function, it executes the fault reaction function; for example, the associated outputs are deactivated, and the F-CPU switches to STOP mode, if necessary.

3.2.8 Self-Tests

Self-tests are carried out in the S7 FH system to detect faults. The frequency of the cyclic self-tests can be set during configuration (the default is 90 mins). Only settings of up to 12 hours are permitted for the S7 F/FH Systems. Execution (program run, entire safety-related hardware) and the test result are checked in the Safety Program by an F test block that is inserted automatically when the Safety Program is compiled.

3.2.9 Password Protection for F-Systems

Password protection guards the S7 F/FH Systems against unauthorized access, e.g. unwanted downloads to the CPU from the engineering system (ES). In addition to the standard password for the CPU, the S7 F/FH Systems require a further password for the Safety Program (the F password).


4. SYSTEM DESIGN
The design and implementation of the SSD/FGS system is based on a three Control System Levels philosophy as per the VSP specifications and as shown in the Control System Block Diagram in Appendix A.

4.1 LEVEL 0 FIELD Devices


Level 0 refers to the field sensors and execution units. Level 0 field devices are to be supplied by the client, TOEPL. Field signals are basically segregated into 3 different groups: Process, ESD/F&G, and Auxiliary. The critical Process and Auxiliary signals, as well as the ESD/F&G signals, are connected to the SSD/FGS PLC. The non-critical Process and Auxiliary signals are connected to the PCS PLC.

Field digital and analogue signals (classified as Exd or Safe type) are wired directly onto the terminal blocks, and the Intrinsically Safe (IS.) digital and analogue signals are wired directly to the safety barriers provided in the respective Marshalling Cabinets. The IS. and non-IS. signals are to be fully segregated and routed in separate trunkings in the Marshalling Cabinets. The trunkings and wirings for the IS. signals are blue in colour.


4.2 LEVEL 1 PLC


Level 1 refers to the SSD/FGS and PCS PLCs and their respective I/O subsystems, complete with cabinets and field termination interfaces. This specification only describes the SSD/FGS PLC in detail. Please refer to the PCS Functional Design Specification (Doc. No. 08088E-CMS-PCS-01) for more details on the respective PLC systems. The Level 1 PLC cabinets are to be installed in the Control Room shelter.

4.2.1 Introduction

The SSD/FGS PLC system provided is a fully redundant system including power supplies, CPUs, Ethernet communication processors and Failsafe ET-200M F-I/O subsystems. The DCI PLC is configured as the master with its PLC communication partners. It polls data from the S7-414H SSD/FGS and PCS PLCs via the dual Ethernet networks using the SIMATIC S7 protocol through the redundant CP443-1 Ethernet processors. The SIL3 S7-414FH SSD/FGS Controllers interface with the Failsafe ET-200M F-I/O Subsystems via the redundant Profibus DP I/O Networks. The interface from the field devices to the SSD/FGS PLC is via the S7-300 F-I/O modules located at each ET-200M station.


4.2.2 System I/O Count

The system I/O count is based on the Process and Utility I/O lists as provided by the Client and is summarized in the table below.

Item  Area  AI (IS.)  AI (Non-IS.)  DI (IS.)  DI (Non-IS., 24VDC)  DO (Non-IS., 24VDC)  DO (Non-IS., VF.)
1     SSD   54        0             0         19                   88                   3
2     FGS   2         52            12        55                   29                   2

Total (AI / DI / DO): 104 / 86 / 122
Total + 30% Spare (AI / DI / DO): 136 / 112 / 159

The table below shows the system I/O modules and I/O points provided for the simplex configuration. The actual quantities of I/O modules provided are double.

Item  Description                      AI    DI      DO
1     No. of points per I/O module     6     12/6*   10
2     No. of modules provided (SSD)    12    2       13
3     No. of modules provided (FGS)    12    15*     4
      Total I/O points provided        144   114     170

* FGS DI is implemented using AI module for line monitoring.
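An added worked example, not part of this specification, of how a line-monitored input behaves when read through an analogue channel (the FGS DI arrangement in the footnote above, and the wire-break and short-circuit diagnostics of 3.2.5): the loop supply, resistor values, thresholds and debounce count are assumed. The point it illustrates is that a cut or shorted loop is reported as a line fault rather than silently reading as "no alarm".

```python
"""Worked model of a line-monitored digital input read through an analogue
channel. Constructed example; the loop supply, resistor values, current
thresholds and debounce count are assumptions, not values from the specification."""
from dataclasses import dataclass
from enum import Enum


class LineState(Enum):
    OPEN = "wire break"            # no loop current: cut cable or loose terminal
    NORMAL = "normal"              # only the end-of-line resistor in circuit
    ALARM = "alarm"                # detector contact closed: alarm resistor in parallel
    SHORT = "short circuit"        # loop shorted: a wiring fault, never reported as "no alarm"
    INDETERMINATE = "out of band"  # current matches no expected state


@dataclass(frozen=True)
class Loop:
    supply_v: float = 24.0    # assumed loop supply voltage
    r_eol: float = 4700.0     # assumed end-of-line resistor (ohms)
    r_alarm: float = 1000.0   # assumed resistor switched in parallel by the alarm contact
    tolerance: float = 0.15   # +/-15% acceptance band around each expected current
    open_ma: float = 0.5      # at or below this: wire break
    short_ma: float = 40.0    # at or above this: short circuit

    def normal_ma(self) -> float:
        return 1000.0 * self.supply_v / self.r_eol

    def alarm_ma(self) -> float:
        r_parallel = self.r_eol * self.r_alarm / (self.r_eol + self.r_alarm)
        return 1000.0 * self.supply_v / r_parallel

    def in_band(self, measured_ma: float, expected_ma: float) -> bool:
        return abs(measured_ma - expected_ma) <= self.tolerance * expected_ma


def classify(loop: Loop, measured_ma: float) -> LineState:
    """Map one analogue reading onto the four loop conditions (plus out-of-band)."""
    if measured_ma <= loop.open_ma:
        return LineState.OPEN
    if measured_ma >= loop.short_ma:
        return LineState.SHORT
    if loop.in_band(measured_ma, loop.normal_ma()):
        return LineState.NORMAL
    if loop.in_band(measured_ma, loop.alarm_ma()):
        return LineState.ALARM
    return LineState.INDETERMINATE


class LineMonitor:
    """Debounced state tracker: a new state is committed only after `debounce`
    consecutive agreeing samples, so a single glitch neither raises nor clears
    an alarm. The initial state counts as a fault until the loop proves healthy."""

    FAULTS = (LineState.OPEN, LineState.SHORT, LineState.INDETERMINATE)

    def __init__(self, loop: Loop, debounce: int = 3):
        self.loop, self.debounce = loop, debounce
        self.committed = LineState.INDETERMINATE
        self._candidate, self._count = None, 0

    def sample(self, measured_ma: float) -> LineState:
        state = classify(self.loop, measured_ma)
        if state is self._candidate:
            self._count += 1
        else:
            self._candidate, self._count = state, 1
        if self._count >= self.debounce:
            self.committed = state
        return self.committed

    def is_fault(self) -> bool:   # reported to the operator as a line fault, not an alarm
        return self.committed in self.FAULTS

    def is_alarm(self) -> bool:
        return self.committed is LineState.ALARM


def run_monitor(samples, loop: Loop = Loop(), debounce: int = 3) -> list:
    """Feed constructed readings through one monitor; return the committed state per sample."""
    mon = LineMonitor(loop, debounce)
    return [mon.sample(ma) for ma in samples]


if __name__ == "__main__":
    # constructed readings: healthy loop, one glitch, then a sustained wire break
    for ma, state in zip([5.1, 5.1, 5.1, 0.0, 5.1, 0.0, 0.0, 0.0],
                         run_monitor([5.1, 5.1, 5.1, 0.0, 5.1, 0.0, 0.0, 0.0])):
        print(f"{ma:5.1f} mA -> {state.value}")
```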


4.2.3 System Hardware

Datasheets on the major hardware components are attached in Appendix F and summarized in the table below:

Item  Qty.  Model No.        Description
Controller Hardware
1           6ES7656-8CF31    SIMATIC PCS 7, Pre-Assembled & Tested: with 2X CPU 414-4H Incl. F-Runtime License, 2X 4MB RAM Memory Card (UP TO ~300 POS), 2X2 10M Sync Module (IF960), 2X 1M FO, 2X CP443-1 Industrial Ethernet Module, 1X UR2-H (2X9 Slots), 2X 230VAC 10A, And 4X Backup Battery
ET-200M I/O Hardware
2     18    6ES7153-2AR03    ET200M-RED.-Bundle with 2X IM153-2HF
3     14    6ES7195-1GA      Rail for ET-200M, 483 mm Long
4     2     6ES7195-1GG      Rail for ET-200M, 620 mm Long
5     78    6ES7336-4GE      S7F, Failsafe Analog Input, SIL3, 6 AI, 15 Bit, 20 Pin
6     4     6ES7326-1BK01    S7F, Failsafe Digital Input, SIL3, 24 DI, DC 24V, 40 Pin
7     34    6ES7326-2BF01    S7F, Failsafe Digital Output, 10 DO, DC 24 V / 2A, 40 Pin
8     39    6ES7195-7HC00    Bus Unit for ET200M F. 2X 40mm Wide I/O Submodules
9     40    6ES7195-7HC00    Bus Unit for ET200M F. 1X 80mm Wide I/O Submodules
10    78    6ES7392-1AJ00    Front Connector with Screw Contacts, 20-Pin
11    36    6ES7392-1AJ00    Front Connector with Screw Contacts, 40-Pin
12    18    6ES7195-7KF00    S7F, Separator Mod. Between F- And Standard Modules
13    18    6ES7195-7HG00    S7F, Separator Bus Mod. Between F- And Standard Modules
Hazardous Area Isolators
14    4     KFD2-EB2.R4A.B   Pepperl & Fuchs, Power Feed Module
15    89    KCD2-STC-EX 1    Pepperl & Fuchs, AI (IS), Single Channel


4.2.4 Cabinet Design

A total of five (5) no. of Rittal TS8 cabinets rated for IP52 and suitable for indoor installation are provided. One cabinet is reserved for the SSD/FGS system components, one for the PCS/DCI system components, and the rest for signal interface and marshalling components including relays, IS. Isolators and field terminal blocks. Each of the cabinets is installed with a 19" swing-frame of 40U height for mounting the ET-200M I/O stations, to minimize internal cross cabling between cabinets and to optimize cabinet space usage. Please refer to the General Arrangement and Layout Drawings (Doc. no. 08088ECMS-CAB-01) for more details.

The Rittal cabinets provided come with the following standard features:
- Dimensions: 800mm (Width) x 2000mm (Height) x 800mm (Depth) with a 100mm (Height) plinth
- Ingress protection category IP52
- RAL7035 colour
- Front access only, with key lock
- Bottom field cable entry
- Filter ventilation unit
- Panel lighting
- Door switch

In addition, the system cabinets are to be installed with the following:
- Roof-mounted fan
- Thermostat
- Hygrostat


4.2.5 Electrical Distribution

Dual 220VAC UPS feeders are to be provided and installed by the client and landed at the PCS/DCI system cabinet. Separate redundant UPS feeders are to be provided for the SSD/FGS functions and landed at the SSD/FGS system cabinet. Please refer to the System Power Single Line Drawing (Dwg. No. 08088E-CMS-SYS-05) in Appendix B.

The ET-200M I/O Subsystem equipment requires 24VDC power. Redundant Phoenix Contact Quint rectifiers are to be provided to convert the AC feeders to 24VDC power for both the system and the field instruments. The power supplies do not require external blocking diodes for 1+1 redundant operation as they come with built-in blocking diodes.

Circuit breakers and fused terminals are to be used to protect the system components and powered circuits. Each breaker is to be installed with an auxiliary contact that operates in the trip condition. The group of breakers and power supplies for each redundant power supply circuit is wired as a common signal to be monitored by the OS. The rectifier units, circuit breakers and fuses are sized for the full load of the system requirement inclusive of 30% spare for future expansion.

A simplex 220VAC utility feeder is to be provided to power the panel lighting, AC outlet socket, roof fan and heater.


4.2.6 System Power Requirements

System power requirements inclusive of the 30% I/O spares are summarized in the table below. Please refer to the Power Consumption calculation (Doc. No. 08088E-CMS-SYS-06) in Appendix D for details.

Item  Description                              Power (Watts / Amp @ 220VAC)  Power (Watts / Amp @ 24VDC)
1     AS414-4-2H Controller Set                115                           -
2     ET-200M I/O Subsystem                    -                             579
3     Panel Devices (IS. Isolators & Relays)   -                             175
4     Field Power                              -                             1620
      TOTAL (Watts @ 24VDC)                                                  2374

The system power catered for above is the maximum requirement for the controller set, inclusive of modules to be added in the spare slots in the future. Two units of Phoenix Contact Quint 220VAC/24VDC rectifiers rated for 1000W/40A and one unit rated for 480W/20A, providing a total of 2480W/100A @ 24VDC, are to be employed to provide the power required for a single power line. The total quantity of power supplies is doubled in order to provide full 1+1 power redundancy for the system requirements.


4.2.7 System I/O Connections

Wires from the field terminal blocks are first connected to the interface terminal blocks before onward connection to the ET-200M I/O modules. Interface terminal blocks are diode and resistor terminals which are necessary for the correct operation of the redundant ET-200M I/O configuration. Please refer to SSD/FGS I/O Schematics Drawings (Dwg. No. 08088E-CMS-SSD-02) for more details.

4.2.8 Field Cable Termination

Terminal blocks are provided for the termination of non-IS. type field digital and analogue signals. The field terminal blocks are to be grouped and laid out according to the field multi-core cables to facilitate site installation works. Fused terminal blocks with LED indication, Entrelec M4/6.SFD, are to be provided for each 24VDC current-carrying circuit. Disconnect terminal blocks, MA2.5/5, are provided for 0VDC or volt-free circuits.

The Pepperl & Fuchs KC series of rail-powered IS. isolators are provided for direct termination of IS. type field digital and analogue signals. The IS. and non-IS. cables are not to be mixed, and the respective cable routings in the cabinet are to be segregated in separate trunkings. The trunkings for the IS. signals are blue in colour; the trunkings for the non-IS. signals are grey in colour.


4.2.9 Cable Colour Codes

The following colour codes are to be adopted for the internal wirings in the cabinets:
220VAC L         : Brown
220VAC N         : Blue
24VDC            : Red
0VDC             : Black
Non-IS. Signal   : Grey
IS. Signal       : Blue
Safety Earth     : Yellow/Green
Instrument Earth : Green

4.2.10 System Grounding

Separate grounding systems are provided for Equipment Safety Earth and Instrument Earth. Dedicated solid tinned copper bus-bars with a minimum size of 6mm x 25mm x (nominal length) are provided. Each bus-bar is provided with a compression type lug fixed to each end to allow for connection to other bus-bars or to the incoming platform earth cables. Please refer to the Typical Earthing Arrangement Drawing (Dwg. No. 08088E-CMS-SYS-04) in Appendix C for more information.

The Safety Earth bus-bar in each cabinet is directly connected to all exposed metal surfaces of cabinets, racks, chassis ground connections etc. All doors are to be electrically bonded to the main cabinet by a tinned copper braided ground strap. The 220VAC utility feed Safety Ground is to be connected to the cabinet Safety Earth bus-bar.

The Instrument Earth is to be fully isolated from the cabinet metalwork. All field cable screens are to be terminated directly onto the Instrument Earth bus-bar.


4.3 LEVEL 2 SCADA

Level 2 refers to the SCADA Workstations and the DCI PLC as shown in the Control System Block Diagram in Appendix A. The SCADA Workstations are based on a redundant SIMATIC PCS7 OS configuration and are discussed in detail in the HMI Functional Design Specification (Doc. No. 08088E-CMS-HMI-01). The PCS7 OS Workstations are located in the Control Room. The DCI PLC is based on the SIMATIC S7-414H Fault-Tolerant PLC and is discussed in detail in the DCI Functional Design Specification (Doc. No. 08088E-CMS-DCI-01). The DCI PLC is installed in the PCS/DCI System Cabinet as shown in the Cabinet General Arrangement Drawing (Dwg. No. 08088-CMS-CAB-01).

4.3.1 SCADA

4.3.1.1 Introduction

Each of the redundant OS Workstations communicates in parallel and simultaneously with the SIMATIC S7-414H Controllers via the redundant Industrial Ethernet (IE) networks. This ensures that data remain available to the OS system if either data network fails. The PCS7 OS Workstations synchronize alarm and trend data between each other automatically. The OS Workstations communicate with the S7-414H Controllers using the fault-tolerant SIMATIC S7-Ethernet protocol. The PCS7 OS Workstations connect to the PLC systems via the redundant SIMATIC Scalance X-208 Ethernet Switches through CP-1613 PCI network cards. OS network failover is handled automatically by the SIMATIC S7-REDCONNECT software without further script writing.


4.3.2 DCI

4.3.2.1 Introduction

The S7-414H DCI PLC serves as a data concentrator, directing process data between RC-4 and CPP-2 via the Duons HC-24 redundant Microwave Radio Station. The DCI PLC provided is a fully redundant system including power supplies, CPUs, Ethernet communication processors (CP443-1) and serial communication processors (CP441-2). The DCI PLC communicates with the SSD/FGS and PCS PLCs using the Ethernet communication processors via the redundant Ethernet networks. Communication between the DCI PLC and the HC-24 radio system uses a dual RS-232 point-to-point link; the DCI PLC sends and receives data with its radio partner cyclically.


APPENDIX A Control System Block Diagram


APPENDIX B System Power Line Diagram


APPENDIX C Typical Earthing Arrangement Diagram


APPENDIX D Power / Heat Dissipation Calculation

POWER / HEAT DISSIPATION CALCULATION

Project: VSP - RC4 WELLHEAD PLATFORM
Contractor: TECHNICS OFFSHORE ENGINEERING PTE LTD
Doc. No.: 08088E-CMS-SYS-06, Rev. No.: 2
System: CONTROL & MONITORING SYSTEM
Owner: VIETSOVPETRO JV
Date: 15-Jan-10
Sht. No. 2 OF 3

2. SSD / FGS PLC

Item  Description                                    Part No.             Qty   Unit Power (W)   Power (W)   Heat Dissipation (BTU/HR)
1     SSD/FGS PLC (AC) (Note 1)
  A   AS414-4-2H Controller                          6ES7656-8CF31-1BA0         115.00           115.00      392.36
      SUB-TOTAL:                                                                                 115.00      392.36
2     ET200M F-I/O (DC) (Note 1 & 2)
  A   IM 153-2 Interface Module                      6ES7153-2BA02-0XB0   12    14.40            172.80      589.56
  B   Failsafe Analog Input, 6 AI, 15 Bit            6ES7336-4GE00-0AB0   39    4.80             187.20      638.69
  C   Failsafe Digital Input, 24 DI, DC 24V          6ES7326-1BK01-0AB0   2     10.80            21.60       73.69
  D   Failsafe Digital Output, 10 DO, DC 24V         6ES7326-2BF01-0AB0   16    6.48             103.68      353.74
      SUB-TOTAL:                                                                                 485.28      1655.68
3     PANEL DEVICES (DC) (Note 1)
  A   IS. Isolator (AI)                              KCD2-STC-EX 1        91    1.80             163.80      558.85
  B   IS. Isolator (AO)                              KCD2-SCD-EX 1        0     1.08             0.00        0.00
  C   Relay                                          MY4N                 10    2.00             20.00       68.24
      SUB-TOTAL:                                                                                 183.80      627.09
4     FIELD I/O (DC)
  A   Solenoid Valve                                                      62    10.00            620.00      2115.32
  B   Flame Detector                                                      16    14.00            224.00      764.24
  C   Gas Detector                                                        36    7.00             252.00      859.77
  D   Heat/Smoke Detector                                                 18    0.96             17.28       58.96
  E   Visual-Audio Alarm (Indoor)                                         7     1.00             7.00        23.88
  F   Visual-Audio Alarm (Outdoor)                                        6     10.00            60.00       204.71
  G   Digital Input (PSLL, HS, PSL/H, LS, etc)                            30    0.48             14.40       49.13
  H   Digital Output (MCC Relay)                                          17    3.00             51.00       174.00
      SUB-TOTAL:                                                                                 1245.68     4250.02
      SUB-TOTAL + 30% SPARE FIELD I/O:                                                           1619.38     (not legible in source)
      TOTAL PLC POWER (24VDC)/HEAT DISSIPATION:                                                  2288.46     (not legible in source)
      TOTAL UPS POWER (220VAC)/HEAT DISSIPATION:                                                 2403.46     (not legible in source)

Note: 1) PLC, ET-200M I/O and Panel Devices are already inclusive of the 30% spare. 2) Only the quantity for one side of each redundant pair is considered, as they are fully supported by redundant power supply.
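The sheet's arithmetic (quantity times unit power per line, group sub-totals, the 30% spare on field I/O only, and the watts to BTU/hr conversion), as an added Python example that is not part of the original calculation sheet. The line items are copied from the sheet; the controller quantity of 1 (one side of the redundant pair, per Note 2) and the factor of 3.412 BTU/hr per watt are assumptions, since the sheet does not state either. The check function reports where the recomputed figures drift from the values printed on the sheet.

```python
"""Power budget and heat dissipation roll-up for the SSD/FGS PLC cabinet.

Added worked example; it is not part of calculation sheet 08088E-CMS-SYS-06.
Line items (description, part number, quantity, unit power in W) are copied from
the Appendix D sheet. Assumptions, labelled as such: the controller quantity is
taken as 1 (one side of the redundant pair, per Note 2), and watts are converted
to BTU/hr with 3.412 (the sheet does not state its own factor).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

W_TO_BTU_PER_HR = 3.412   # assumed conversion factor: 1 W = 3.412 BTU/hr
SPARE_FACTOR = 1.30       # 30% spare, applied to field I/O only (Note 1)


@dataclass(frozen=True)
class LineItem:
    description: str
    part_no: str          # empty string where the sheet lists no part number
    qty: int
    unit_w: float

    @property
    def power_w(self) -> float:
        return round(self.qty * self.unit_w, 2)


# Sheet line items by group. The AC controller qty of 1 is an assumption (Note 2).
GROUPS: Dict[str, List[LineItem]] = {
    "SSD/FGS PLC (AC)": [
        LineItem("AS414-4-2H Controller", "6ES7656-8CF31-1BA0", 1, 115.00),
    ],
    "ET200M F-I/O (DC)": [
        LineItem("IM 153-2 Interface Module", "6ES7153-2BA02-0XB0", 12, 14.40),
        LineItem("Failsafe Analog Input, 6 AI, 15 Bit", "6ES7336-4GE00-0AB0", 39, 4.80),
        LineItem("Failsafe Digital Input, 24 DI, DC 24V", "6ES7326-1BK01-0AB0", 2, 10.80),
        LineItem("Failsafe Digital Output, 10 DO, DC 24V", "6ES7326-2BF01-0AB0", 16, 6.48),
    ],
    "PANEL DEVICES (DC)": [
        LineItem("IS. Isolator (AI)", "KCD2-STC-EX 1", 91, 1.80),
        LineItem("IS. Isolator (AO)", "KCD2-SCD-EX 1", 0, 1.08),
        LineItem("Relay", "MY4N", 10, 2.00),
    ],
    "FIELD I/O (DC)": [
        LineItem("Solenoid Valve", "", 62, 10.00),
        LineItem("Flame Detector", "", 16, 14.00),
        LineItem("Gas Detector", "", 36, 7.00),
        LineItem("Heat/Smoke Detector", "", 18, 0.96),
        LineItem("Visual-Audio Alarm (Indoor)", "", 7, 1.00),
        LineItem("Visual-Audio Alarm (Outdoor)", "", 6, 10.00),
        LineItem("Digital Input (PSLL, HS, PSL/H, LS, etc)", "", 30, 0.48),
        LineItem("Digital Output (MCC Relay)", "", 17, 3.00),
    ],
}


def btu_per_hr(watts: float) -> float:
    return round(watts * W_TO_BTU_PER_HR, 2)


def group_subtotal_w(group: str) -> float:
    """Sum of qty x unit power for one group, before any spare allowance."""
    return round(sum(item.power_w for item in GROUPS[group]), 2)


def field_io_with_spare_w() -> float:
    """Field I/O subtotal plus 30% spare; the other groups already include spare (Note 1)."""
    return round(group_subtotal_w("FIELD I/O (DC)") * SPARE_FACTOR, 2)


def total_plc_power_24vdc_w() -> float:
    """TOTAL PLC POWER (24VDC): ET200M + panel devices + field I/O incl. spare."""
    return round(group_subtotal_w("ET200M F-I/O (DC)")
                 + group_subtotal_w("PANEL DEVICES (DC)")
                 + field_io_with_spare_w(), 2)


def total_ups_power_w() -> float:
    """TOTAL UPS POWER (220VAC): the 24VDC load plus the AC-fed controller."""
    return round(total_plc_power_24vdc_w() + group_subtotal_w("SSD/FGS PLC (AC)"), 2)


def check_against_sheet(stated: Dict[str, float],
                        rel_tol: float = 1e-3) -> List[Tuple[str, float, float]]:
    """Compare recomputed W and BTU/hr figures with values stated on the sheet.

    Returns the list of (label, stated, computed) that differ by more than rel_tol;
    an empty list means the sheet's arithmetic checks out within tolerance.
    """
    computed = {
        "ET200M subtotal W": group_subtotal_w("ET200M F-I/O (DC)"),
        "ET200M subtotal BTU/hr": btu_per_hr(group_subtotal_w("ET200M F-I/O (DC)")),
        "Field I/O + spare W": field_io_with_spare_w(),
        "Total 24VDC W": total_plc_power_24vdc_w(),
        "Total UPS W": total_ups_power_w(),
    }
    return [(k, v, computed[k]) for k, v in stated.items()
            if k in computed and abs(computed[k] - v) > rel_tol * max(abs(v), 1.0)]


if __name__ == "__main__":
    for group in GROUPS:
        w = group_subtotal_w(group)
        print(f"{group:22s} {w:10.2f} W {btu_per_hr(w):10.2f} BTU/hr")
    print(f"{'Field I/O + 30% spare':22s} {field_io_with_spare_w():10.2f} W")
    print(f"{'Total 24VDC':22s} {total_plc_power_24vdc_w():10.2f} W")
    print(f"{'Total UPS (220VAC)':22s} {total_ups_power_w():10.2f} W")
```

With the sheet's own quantities the recomputed sub-totals match the printed 485.28 W, 183.80 W, 1245.68 W, 1619.38 W, 2288.46 W and 2403.46 W exactly; the BTU/hr column agrees to within about 0.1%, which is the difference between the assumed 3.412 factor and whatever the sheet used.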


APPENDIX E TUV Certificates

Report to the Certificate Z2 03 04 38282 002

Safety-Related Programmable Systems SIMATIC S7 F/FH Systems (formerly S7-400F and S7-400FH)

Manufacturer: Siemens AG, Werner-von-Siemens Str. 50, D-92224 Amberg
Report No.: 10042360, Revision 1.7 dated 28. September 2007
Testing Body: TÜV SÜD Automotive GmbH, Electronic Systems, Ridlerstraße 57, D-80339 München
Accredited Testing Body for Functional Safety, Deutscher Akkreditierungs Rat, DAT-P-217191-03

Dissemination, distribution, copying or any other use of information in this report in part is strictly prohibited

Revision Log

Version  Name                          Date        Changes/History
1.0      R. Faller                     30.11.1999  Initial
1.1      P. Müller                     18.12.2000  LS 2 Section 5.4 added and modified Product name
1.3      P. Müller                     15.11.2001  Definition of terms; 1oo1D and 1oo2D added. Section 2.2 General application condition added
1.4      A. Beer, M. Weber             23.04.2003  New software version V5.2 added. Restriction 5.4.1 modified
1.5      A. Beer, M. Weber, F. Rauch   03.06.2004  Make reference to "Annexes" (instead of a particular annex) when the annex refers to software component revision information.
1.6                                    30.06.2005  SP2: The standards EN 54-2:1997, EN 54-4:1997, NFPA 72:2002 and NFPA 85:2004 were included and EN 298 was updated to 2003 in section 3.7.
1.7      P. Weiß                       28.09.2007  Layout. Make reference to "Annexes" (instead of a particular annex) when the annex refers to hardware component revision information. In chapter 2.2 "rückwirkungsfrei" deleted.


Content                                                   Page

1    PURPOSE AND SCOPE                                    4
1.1  DEFINITION OF TERMS                                  4
2    SYSTEM OVERVIEW                                      6
2.1  SYSTEM ARCHITECTURE                                  6
2.2  HARDWARE COMPONENTS UNDER CERTIFICATION              8
2.3  SOFTWARE COMPONENTS UNDER CERTIFICATION              8
2.4  SAFETY MANUAL                                        9
3    CERTIFICATION REQUIREMENTS                           10
3.1  BASIS OF CERTIFICATION                               10
3.2  CERTIFICATION DOCUMENTATION                          11
3.3  EUROPEAN DIRECTIVES                                  12
3.4  FUNCTIONAL SAFETY                                    12
3.5  BASIC SAFETY                                         13
3.6  ELECTROMAGNETIC COMPATIBILITY                        13
3.7  APPLICATION STANDARDS                                14
4    RESULTS                                              16
4.1  FUNCTIONAL SAFETY                                    16
4.2  BASIC SAFETY AND ELECTROMAGNETIC COMPATIBILITY       18
4.3  PRODUCT SPECIFIC QUALITY ASSURANCE AND CONTROL       19
5    IMPLEMENTATION CONDITIONS AND RESTRICTIONS           20
5.1  GENERAL APPLICATION CONDITIONS                       20
5.2  GENERAL COMMISSIONING CONDITIONS                     20
5.3  GENERAL RUN-TIME CONDITIONS                          21
5.4  PRODUCT-RELATED CONDITIONS                           21
6    CERTIFICATE NUMBER                                   22


1 Purpose and Scope

TÜV Automotive GmbH has been contracted by Siemens AG to certify the Safety-Related Programmable Systems SIMATIC S7 F/FH Systems. This report summarizes the user related results of the tests and inspections performed on the SIMATIC S7 F/FH Systems based on the certification requirements outlined under clause 3.1 and reported by the documentation listed under clause 3.2.

1.1 Definition of Terms

The following terms are used in this report with a meaning defined as follows:

Functional Safety: The ability of a safety-related system to carry out the actions necessary to achieve a (defined) safe state for the equipment under control (EUC) or to maintain the safe state for the EUC.

CFC: Continuous Function Chart

Degraded operation: Denotes the system operating mode when a fault has been detected and localized in one of the critical components.

Multiple fault occurrence time: The multiple-fault occurrence period denotes a time frame in which the probability for the appearance of combination-wise safety-critical multiple faults is sufficiently low for the considered requirement class. The period of time begins with the last point in time at which the considered system was in a fault-free assumed condition according to the considered requirements class. The definition of this time is not system specific. A general recommendation is to assume this time to be magnitudes (2 to 3) below the specified MTBF time.

Fault tolerance time: The fault-tolerance time denotes a characteristic of the process and describes the period of time in which the process can be controlled by a faulty control-output signal without entering a dangerous condition.

Interference free: Property of a unit not to cause a faulty state in connected units even if it fails.

Probability of Failure on Demand (PFD): Average probability of failure of a system to perform its design functions on demand.

Proven-in-use / Proven-by-operation / Field tested: A sufficient number of installations in various application fields with available fault history of the installed systems did not show the presence of a safety-related systematic error.

1oo2D: This architecture consists of two channels connected in parallel. During normal operation, both channels need to demand the safety function before it can take place. In addition, if the diagnostic tests in either channel detect a fault then the output voting is adapted so that the overall output state then follows that given by the other channel. If the diagnostic tests find faults in both channels or a discrepancy that cannot be allocated to either channel, then the output goes to the safe state. In order to detect a discrepancy between the channels, either channel can determine the state of the other channel via a means independent of the other channel.

1oo1D: This architecture consists of a single channel connected to an independent diagnostic circuit (not self-diagnostics). If the diagnostic circuit detects a hidden fault in the channel it asserts the safe state via a means independent of the channel.
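The 1oo2D and 1oo1D voting rules defined above, as an added Python example; it is not code from the TÜV report or from Siemens. The Channel and Output types are this example's own, and the optional attributed_to argument stands in for the cross-channel comparison by which a discrepancy between two self-diagnostically healthy channels may be allocated to one of them.

```python
"""1oo2D and 1oo1D output voting, modelled from the architecture definitions.

Added example; it is not code from the TÜV report or from Siemens. A channel is
modelled by two flags: 'demand' (the channel calls for the safety function) and
'diag_ok' (the channel's own diagnostic tests passed). The means by which a
channel reads the other channel's state is represented by the optional
'attributed_to' argument naming the channel to which a discrepancy was allocated.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Output(Enum):
    RUN = "run"    # safety function not demanded, outputs stay energized
    SAFE = "safe"  # safe state, i.e. the safety function is carried out


@dataclass(frozen=True)
class Channel:
    demand: bool   # channel demands the safety function
    diag_ok: bool  # channel's diagnostic tests report no fault


def follow(ch: Channel) -> Output:
    """Overall output follows one channel's demand."""
    return Output.SAFE if ch.demand else Output.RUN


def vote_1oo2d(a: Channel, b: Channel, attributed_to: Optional[str] = None) -> Output:
    """1oo2D voting as defined in the report:

    - diagnostics report faults in both channels: safe state
    - one channel faulty: the output follows the other channel
    - both healthy and agreeing: the safety function takes place only if both demand it
    - both healthy but in discrepancy: follow the channel the discrepancy was not
      allocated to; if it cannot be allocated to either channel, safe state
    """
    if not a.diag_ok and not b.diag_ok:
        return Output.SAFE
    if not a.diag_ok:
        return follow(b)
    if not b.diag_ok:
        return follow(a)
    if a.demand == b.demand:
        return follow(a)
    if attributed_to == "a":
        return follow(b)
    if attributed_to == "b":
        return follow(a)
    return Output.SAFE


def vote_1oo1d(ch: Channel, hidden_fault_detected: bool) -> Output:
    """1oo1D: a single channel plus an independent diagnostic circuit (not self-diagnostics).
    A hidden fault found by that circuit asserts the safe state whatever the channel says."""
    if hidden_fault_detected:
        return Output.SAFE
    return follow(ch)


if __name__ == "__main__":
    quiet = Channel(demand=False, diag_ok=True)
    tripping = Channel(demand=True, diag_ok=True)
    faulty = Channel(demand=False, diag_ok=False)
    print("normal, no demand         ->", vote_1oo2d(quiet, quiet).value)
    print("normal, both demand       ->", vote_1oo2d(tripping, tripping).value)
    print("A faulty, B demands       ->", vote_1oo2d(faulty, tripping).value)
    print("both faulty               ->", vote_1oo2d(faulty, faulty).value)
    print("discrepancy, unallocated  ->", vote_1oo2d(quiet, tripping).value)
    print("discrepancy allocated to B ->", vote_1oo2d(quiet, tripping, "b").value)
    print("1oo1D, hidden fault       ->", vote_1oo1d(quiet, True).value)
```

The cases worth noting are the two where the table is not symmetric: a single faulty channel hands the decision to its partner rather than forcing the safe state (that is what buys availability over plain 1oo2), and an unallocated discrepancy between two apparently healthy channels is treated as a fault and goes safe.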


2 System Overview

2.1 System Architecture

The SIMATIC S7 F/FH Systems are safety-related fail-safe programmable electronic systems (PES) that are suitable for safety-related applications with a high level of potential danger, e.g. controllers for offshore processes, chemical processes.
Figure: System Architecture for S7 F. Shown: Operator Station (system visualization), S7-400F programmable controller, programming device, fail-safe I/O modules (optionally redundant), standard I/O modules (optionally redundant).

Figure: System Architecture for S7 FH. Shown: redundant system bus (PROFIBUS or Ethernet), Operator Station (system visualization), S7-400FH programmable controller, redundant PROFIBUS-DP, fail-safe I/O modules (optionally redundant, 1oo1 or 1oo2), standard I/O modules (optionally redundant).

The SIMATIC S7 F/FH Systems consist of 1 or 2 "S7-400 CPUs" (central processing units) respectively that are suitable for safety-related applications and "Fail-Safe I/O Modules" (F-SM or F-I/O). Safety critical input signals are read from the process with the F-I/O or read from other F-CPUs via safety-related communication. Safety critical output signals are sent from the F-CPU to the F-I/O or to other F-CPUs via safety-related communication. The F-I/O is responsible for the safety-related output to the process. The S7-400 F-CPU implements a 1oo1D structure with diverse application software on single channel hardware. Fault detection is implemented by comparison of the diverse application software results in the CPU and the independent F-I/O, internal self-tests and program and data flow monitoring in the CPU, and fault monitoring by the F-I/O.

The following failure control measures are implemented in the CPU:
- redundant execution with data and code redundancy and diversity, and comparison of the diverse results
- self-test of safety-related operations in each cycle
- program and data flow monitoring

Checking of this and fault reaction is done directly by the CPU itself as well as indirectly by the recipients of the CPU's safety-related outputs, i.e. the fail-safe output modules and other CPUs. In addition the CPU performs self-tests in the background and uses two independent time bases. One CPU is sufficient to achieve the certified functional safety. In the S7 FH two redundant CPUs are used in a 2oo2 of 1oo1D configuration to increase availability. The second channel of the I/O module implements an independent comparison and diagnostic entity and allows the D designator for the 1oo1 hardware CPU architecture. The F-I/O modules are in an internal 1oo2 structure (two channels with comparison). One F-I/O module is sufficient to achieve the certified functional safety. Optionally two redundant F-I/O modules are used in a 2oo2 of 1oo2 configuration to increase availability.

2.2 Hardware Components under Certification

The system components which are certified 'safety-related' are listed in the current revision of the applicable Annexes to this report. This allows the components to be used to process safety critical signals and functions. All other components of the S7-400 and S7-300 family are 'interference-free' and allowed to be used; however, they are not certified for process safety critical signals and functions. Using these components does not interfere with the proper functioning of the safety-related modules. For details on architectural, configuration and implementation requirements please refer to the manuals of the SIMATIC S7 F/FH Systems documentation package.

2.3 Software Components under Certification

A list of the software components with the valid version numbers is shown in the current revision of the applicable Annexes to this report.

2.3.1 Safety-related Software Components

The following software components have been certified 'safety-related', allowing the software components to be used for processing safety critical signals and executing critical functions:
- Add-on option package S7 F Systems
- F-FBs
- Firmware of the Failsafe I/O modules

For the specific versions see the current revision of the Annexes to this report.

2.3.2 Interference-Free Software Components

Other software components than those mentioned in 2.3.1 are not the subject of this certification. Absence of impact of non-certified components on 'safety-related' components is enforced by the intrinsic safety features provided by the diverse logic implementation followed by the 1oo2 F-I/O modules.

2.3.3 Communication

Safety-related communication between F-CPUs and F-I/O is based on the Profibus DP/PA protocol but implements an additional safety shell on top (ProfiSafe). Safety-related communication between F-CPUs is based on a standard protocol like MPI, Profibus or Ethernet but implements an additional safety shell on top.

2.3.4 Programming environment

Safety application programming is performed by connection of function blocks using the Step7 CFC language. Only special certified function blocks shall be used for safety applications. Use of standard function blocks for safety applications is prevented by their own safety data types. Edit, compile and load use the standard STEP7 programming environment of the S7-400 and S7-300 family. An add-on option package S7 F Systems provides the following properties required to improve the standard programming environment for safety programming:
- Library with safety-related function blocks (F-FBs)
- Integration of fault detection measures (self-tests, program and data flow monitoring, data redundancy) into the application program
- Additional access protection for the safety program in the F-CPU
- Add-on option package S7 F Systems checks

2.4 Safety manual

The conditions and rules for safe use of the SIMATIC S7 F/FH Systems are laid down within the user documentation:
- Programmable Controllers, S7 F/FH Systems
- ET 200S Distributed I/O System, Fail-Safe Modules
- Automation System S7-300, Fail-Safe Signal Modules

3 Certification Requirements

3.1 Basis of Certification

The certification of the controller will be according to the regulations and standards listed in clause 3.3 to 3.6 of this document. This will certify the successful completion of the following test segments:

I. Functional Safety
   A. Fault investigations for the hardware components listed in the current revision of the Annexes to this report and of the system configurations as described in the manuals of the SIMATIC S7 F/FH Systems and S7 Distributed Safety documentation packages.
   B. Software analysis for the software components listed in the current revision of the Annexes to this report.
   C. Descriptive safety as given by the safety sections of the user documentation, indicated in section 2.4 of this report.
II. Basic Safety including electrical safety - EN 61131-2
III. Environmental Stress Testing
   A. Climatic and temperature stress
   B. Mechanical stress
IV. Electromagnetic compatibility
   A. Electromagnetic susceptibility
   B. Electromagnetic emission
V. Product-related Quality Management in manufacturing and product care

Certification is dependent on successful completion of all of the above test segments. The testing follows the basic certification scheme for safety-related programmable electronic systems of TÜV Product Service GmbH.

3.2 Certification Documentation

Documentation of this certification is based on the following reports:

Technical Report
  Report No.: SA58199
  Report No.: SA60720
  Report No.: T-10042360-01
  Report No.: SA66281

EMC Test Report
  Report Nos.: 10.99, 11.99, 12.99, 25.99, 21.00, 22.00, 33.00, 38.00, each prepared by Siemens and reviewed by TÜV PS IQSE

Environmental Test Report
  Report Nos.: 10.99, 11.99, 12.99, 25.99, 21.00, 22.00, 33.00, 38.00, each prepared by Siemens and reviewed by TÜV PS IQSE

Test Report on IEC 1131-2
  Report Nos.: 10.99, 11.99, 12.99, 25.99, 21.00, 22.00, 33.00, 38.00, each prepared by Siemens and reviewed by TÜV PS IQSE

Calculation of Probability of Failure on Demand: Internal Report of the "Probability-of-Failure-on-Demand" of S7-F Safety-Programmable System, Rev. 4.1 from 12. December 2000

Manuals: "Programmable Controllers, S7 F/FH Systems" and "S7-300 Programmable Controller, Fail-Safe Signal Modules"

Based on the specified purpose of use of the SIMATIC S7 F/FH Systems in safety critical process protection applications the certification is based on the following set of standards. The issuance of the certificate states compliance with these references unless specifically noted otherwise.

3.3 European Directives

The fulfillment of the essential requirements of the following European Directives is mandatory for an electronic device such as the SIMATIC S7 F/FH Systems.

73/23/EEC   Council Directive of 19 February 1973 on the harmonization of the laws of Member States relating to electrical equipment designed for use within certain voltage limits.
93/68/EEC
98/37/EEC   Council Directive of 22 June 1998 on the approximation of the laws of the Member States relating to machinery (to the extent applicable to programmable electronic safety devices)

3.4 Functional Safety

The testing for functional safety is to be performed using the following standards and guidelines:

DIN V 19250: 1994, AK6: Fundamental aspects to be considered for measurement and control equipment
DIN V VDE 0801: 1990, AK1-6, including amendment A1: 1994: Principles for computers in safety-related systems
IEC 61508-1: 12/1998, IEC 61508-2: 05/2000, IEC 61508-3: 12/1998, IEC 61508-4: 11/1998, IEC 61508-5: 11/1998, IEC 61508-6: 04/2000, IEC 61508-7: 03/2000, SIL1-3 (as applicable to PES): Functional safety; Safety-related systems
prEN 50159-1: 1996 (as applicable): Railway Applications; Safety-Related Communication in Closed Transmission Systems (as applicable)
prEN 50159-2: 1996 class 1 to 5 (as applicable): Railway Applications; Safety-Related Communication in Open Transmission Systems (as applicable)

3.5 Basic Safety

To complete and to specify the technical requirements resulting from the Essential Requirements of the Directives listed above, the testing of Basic Safety is to cover the following standards:

EN 61131-2: 1995: Programmable controllers - equipment requirements and tests
EN 50178: 1997: Electronic equipment for use in power installations
DIN VDE 0110: 1989: Insulation co-ordination for equipment within low-voltage systems
EN 60068: Environmental Testing
QSH/QSE Version 1.4: Quality Manual of TÜV Product Service IQSE

3.6 Electromagnetic Compatibility

To complete and to specify the technical requirements resulting from the Essential Requirements of the Directives listed above, the testing of Electromagnetic Compatibility is to cover the following standards:

EN 61131-2: 1995: Programmable controllers - equipment requirements and tests
EN 55011: 1997: Limits and methods of measurement of radio disturbance characteristics of industrial, scientific and medical (ISM) radio-frequency equipment.
EN 50081-2: 1993: Electromagnetic compatibility (EMC); Generic emission standard Part 2: Industrial environment
EN 50082-2: 1995: Electromagnetic compatibility (EMC); Generic immunity standard Part 2: Industrial environment

3.7 Application Standards

Because of the expected applications of the system, the following additional standards and regulations should be considered:

Machinery Applications
EN 60204-1: 1997 (as applicable): Safety of machinery - Electrical equipment of machines
prEN 60204-11 prA1: 1998
EN 954-1: 1997 categories 2 to 4: Safety of machinery; Safety-related parts of control systems Part 1 "General principles for design"

Process Industry
DIN V 19251: 1995: Process control technology - MSR protection equipment - Requirements and measures for safeguarded function
VDI/VDE 2180: 1996 part 1, 2 and 5: Safeguarding of industrial processing plants by means of instrumentation and control technology
NE 31: 1993: NAMUR Recommendation
ANSI - ISA S84.01: 1996 (as applicable): Application of safety instrumented systems for the Process Industry

Burner Systems
EN 230: 1991 clause 7.3: Monobloc oil burners
EN 298: 2003 (clause 7.3, 8, 9 and 10): Automatic gas burner control systems for gas burners and gas burning appliances with or without fans
ENV 1954: 1996 (as applicable): Internal and external fault behavior of safety-related electronic parts of gas appliances
DIN VDE 0116: 1989 clause 8.7: Electrical equipment of furnaces
prEN 50156-1: 1997 (as applicable): Electrical equipment of furnaces
NFPA 85: 2004: Boiler and Combustion Systems Hazards Code

Fire Detection and Fire Alarm Systems
EN 54-2: 1997: Fire detection and fire alarm systems - Part 2: Control and indicating equipment
EN 54-4: 1997: Fire detection and fire alarm systems - Part 4: Power supply equipment
NFPA 72: 2002: National Fire Alarm Code

4 Results

4.1 Functional Safety

The tests performed and quality assurance measures implemented by the manufacturer have shown that the SIMATIC S7 F/FH Systems in conjunction with their system software comply with the testing criteria specified in clause 3 subject to the conditions defined in clause 5 and its subsections, and are suitable for safety-related use in applications of requirement classes AK 1 to 6 in accordance with DIN V 19250:1994, categories 2 to 4 in accordance with EN 954, and safety integrity levels SIL 1 to 3 in accordance with IEC 61508, for intermittent or continuous operation, as well as for operation with or without continuous supervision, on condition that the "0 state" (closed-circuit principle) is defined as the safe state for the binary inputs and outputs.

4.1.1 Fault Reaction and Timing

Fault reactions of F-CPU:
1. Faults in the cyclic communication between the F-CPU and the F-I/O input modules are detected by the F-CPU. Either '0' or configured substitute values are handed to the application program. A specific fault reaction must be implemented by the application program developer.
2. Faults in the cyclic communication between the F-CPU and the F-I/O output modules are detected by the F-DO. If a fault occurs all outputs of the affected F-I/O are driven to '0'.
3. Faults in the cyclic communication between two F-CPUs are detected by the receiving F-CPU. If a fault occurs the application program is notified and configured substitute values are handed to the receiving application program. A specific fault reaction must be implemented by the application program developer.
4. Faults within the safety data types, or within data or control flow of the application program, lead to blocking of the cyclic transmissions to output modules and other F-CPUs or signaling of the fault to them. If a fault occurs all outputs of the affected output modules are driven to '0' and the affected receiving F-CPUs use the configured substitute values.
5. Faults detected by built-in self-test lead to blocking of the cyclic transmissions to output modules and other F-CPUs or signaling of the fault to them. If a fault occurs all outputs of the affected output modules are driven to '0' and the affected receiving F-CPUs use the configured substitute values.
6. In the FH-system structure one of the CPUs is running as master whereas the other CPU is running as standby. Faults in the Master-CPU detected by self-tests or other fault control mechanisms inside the CPU lead to master changeover before the failure affects the F-DO. Faults in the Standby-CPU detected by self-tests or other fault control mechanisms inside the CPU lead to blocking of master changeover before the failure affects the F-DO.
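The F-CPU fault reactions 1 to 6 listed above, together with the F-I/O input-module reactions described in the paragraph that follows ('0' for binary inputs, 7FFFH for analog inputs), as an added Python example; it is not code from the TÜV report or from Siemens. The process-image data shape, the 'A'/'B' names for the two FH CPUs, the default of 0 where no substitute is configured for F-CPU to F-CPU data, and the sample tags (PSLL_101, PT_101, XV_101, ESD_1) are constructed for the example.

```python
"""Fault reactions of an S7 F-CPU and its F-I/O, modelled from items 1 to 6 above
and from the F-I/O reactions described in the paragraph that follows them.

Added example; it is not code from the TÜV report or from Siemens. The data
shapes are this example's own: a process image is a dict of tag name to Input,
where kind is "DI" (binary) or "AI" (analog). The substitute behaviour ('0' or the
configured substitute on a communication fault, 7FFFH for analog inputs on a module
fault, all outputs driven to '0') is taken from the report. Tag names such as
PSLL_101 are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

ANALOG_FAULT_VALUE = 0x7FFF  # 7FFFH: value an F-AI module reports for a faulty analog input


@dataclass(frozen=True)
class Input:
    kind: str   # "DI" or "AI"
    value: int


def inputs_on_comm_fault(image: Dict[str, Input],
                         substitutes: Dict[str, int]) -> Dict[str, Input]:
    """Item 1: the F-CPU detects a fault in cyclic communication with an F-I/O input
    module. Every input of that module is replaced by its configured substitute value,
    or by 0 where none is configured; the application program must react to this itself."""
    return {tag: Input(inp.kind, substitutes.get(tag, 0)) for tag, inp in image.items()}


def inputs_on_module_fault(image: Dict[str, Input],
                           faulty: Optional[Iterable[str]] = None) -> Dict[str, Input]:
    """F-I/O reaction: a faulty input module sets the affected inputs (all of them when
    the fault is not channel-specific) to 0 for binary and 7FFFH for analog inputs."""
    faulty_tags = set(image) if faulty is None else set(faulty)
    return {
        tag: (Input(inp.kind, ANALOG_FAULT_VALUE if inp.kind == "AI" else 0)
              if tag in faulty_tags else inp)
        for tag, inp in image.items()
    }


def substituted_tags(original: Dict[str, Input], resolved: Dict[str, Input]) -> Set[str]:
    """Tags whose value was replaced; the application program uses this to implement
    its own fault reaction (items 1 and 3)."""
    return {tag for tag in original if resolved[tag] != original[tag]}


def outputs_at_f_do(requested: Dict[str, int], cpu_healthy: bool, comm_ok: bool) -> Dict[str, int]:
    """Items 2, 4 and 5: the F-DO drives all its outputs to 0 when cyclic communication
    from the F-CPU is lost, or when the F-CPU blocks its transmissions after a safety
    data type / flow fault or a self-test fault. Otherwise the requested values are driven."""
    if cpu_healthy and comm_ok:
        return dict(requested)
    return {tag: 0 for tag in requested}


def cpu_to_cpu_receive(received: Dict[str, int], comm_ok: bool,
                       substitutes: Dict[str, int]) -> Dict[str, int]:
    """Item 3: the receiving F-CPU detects a fault on F-CPU to F-CPU communication and
    hands the configured substitute values to its application program. Falling back to 0
    where no substitute is configured is this example's assumption."""
    if comm_ok:
        return dict(received)
    return {tag: substitutes.get(tag, 0) for tag in received}


def fh_active_cpu(active: str, master_fault: bool, standby_fault: bool) -> str:
    """Item 6: a fault in the master leads to changeover to the standby; a fault in the
    standby blocks changeover, so the master keeps running. 'A'/'B' name the two CPUs.
    A simultaneous fault in both is covered by the item 5 output reaction, not modelled here."""
    if master_fault and not standby_fault:
        return "B" if active == "A" else "A"
    return active


if __name__ == "__main__":
    image = {"PSLL_101": Input("DI", 1), "PT_101": Input("AI", 13824)}  # constructed sample
    comm_fault = inputs_on_comm_fault(image, {"PSLL_101": 1})
    print("comm fault     :", comm_fault, "substituted:", substituted_tags(image, comm_fault))
    print("module fault   :", inputs_on_module_fault(image))
    print("F-DO, comm lost:", outputs_at_f_do({"XV_101": 1, "XV_102": 1}, True, False))
    print("FH master fault:", fh_active_cpu("A", True, False))
```

The point the code makes explicit is that the safe reaction lives in two places: the F-DO de-energizes on its own when the cyclic telegrams stop (so a dead F-CPU cannot hold a valve open), while substitute values on the input side only become a safe reaction if the application program is written to act on them.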

TÜV SÜD Automotive GmbH 10042360_V1.7.doc Revision 1.7 Electronic Systems Ridlerstraße 57 Mr. Wei D-80339 München 28. September 2007 Phone: ++49 89 5791-1393; Fax: -4438 Page 16 of 22 Dissemination, distribution, copying or any other use of information in this report in part is strictly prohibited

Fault reactions of F-I/O: Faults detected by the built-in self-test or by diagnostics are either safely communicated to the application program or, in case the communication itself is affected, detected as described under items 1 and 2 above. If the faulty module is an input module, the process data transmitted to the F-CPU is set to '0' for binary inputs and to 7FFFH for analog inputs, either for all inputs or for the faulty inputs only. If the faulty module is an output module, all outputs or the faulty outputs only are driven to '0'.

The fault tolerance period of the process controlled by the SIMATIC S7 F/FH Systems shall be greater than the worst-case response time, determined with the help of the Excel sheet S7ftime?xls (? is a letter for language coding).

The results of the concept and the technical requirements analysis of the Profibus based communication safety shell (Profisafe) are subject of the Evaluation Report PK55299T, revision 1.0 of 30. March 1999.

4.1.2 Application Development

The SIMATIC S7 F/FH Systems can treat and execute programmed safety-related and non-safety-related functions independently from each other at the same time. An intended safety function of the SIMATIC S7 F/FH Systems can be enforced either by application-programmed functions or by built-in fault reaction functions. Responsibility for the application-programmed safety function lies with the application program developer. Acceptance of a programmed safety function requires complete functional testing. After that, complete functional testing is only necessary for changed parts of the programmed safety function. Loading and changing of safety-related programs in the CPU require authorization by password. Non-safety-related programs can be changed at any time without impact on the programmed and built-in safety functions of the SIMATIC S7 F/FH Systems.

4.1.3 Online loading of safety applications

In general, responsibility for monitoring the process during and after the on-line modification lies entirely with the organization and person responsible for the on-line modification. Since on-line modifications are generally associated with an increased level of risk, the approval of on-line modifications is at the discretion of the testing and inspection center responsible for approval of the system's application. The procedure for on-line modifications and the existing restrictions are described in the manuals of the SIMATIC S7 F/FH Systems and S7 Distributed Safety documentation packages. Loading of safety program changes and changes of safety-related constant parameters while the process is running in observed mode requires at least:

off-line verification and / or simulation and / or online testing on a hot standby CPU and / or similar IEC 61508 compliant verification activities within a well defined modification procedure

of the changes prior to downloading them into the CPU controlling the safety-critical process.

4.1.4 Simulation of safety applications

Offline simulation of safety applications can be performed on a virtual CPU, emulated by an additional software package either on the programming station or on the engineering station. If an online connection to a running safety system exists, the "safety mode" shall not be deactivated and the password-protected access to the S7-F-CPU shall not be granted.

4.2 Basic Safety and Electromagnetic Compatibility

4.2.1 Basic Safety

The tests of the electrical safety and the environmental stress tests executed by TÜV Product Service show that the standards specified in clause 3 are covered. The tests performed and the quality assurance measures implemented by the manufacturer have shown that the SIMATIC S7 F/FH Systems comply with the testing criteria specified in clause 3 subject to the conditions defined in clause 5 and its subsections.

4.2.2 Electromagnetic Compatibility

The documentation of the electromagnetic compatibility tests executed by independent test laboratories has been reviewed for completeness. The testing executed has covered the requirements of the standards specified in clause 3.


4.3 Product Specific Quality Assurance and Control

All software and hardware components developed and manufactured in the course of the safety evaluation are governed by an ISO 9001 certified quality assurance and control system. Some older components have been developed under the manufacturer's internal quality procedures. The European procedures for demonstrating conformity (93/465/EEC "Council Resolution of 22 July 1993 on the modules to be used in the technical harmonization directives for the various phases of conformity assessment procedures and the rules for attaching and using CE conformity marks") give similar significance to type testing and to the manufacturer's quality assurance in production and product maintenance. As part of the certification process TÜV Product Service also performs a procedure that is tailored to the assessed product in order to assess the consistency of product quality while accounting for product modifications and their identifiability (follow-up service).


5 Implementation Conditions and Restrictions

The use of the SIMATIC S7 F/FH Systems shall comply with the current version of the safety parts of the manuals of the SIMATIC S7 F/FH Systems and S7 Distributed Safety documentation packages, and the following implementation and installation requirements have to be followed if the SIMATIC S7 F/FH Systems are used in safety-related installations.

5.1 General application conditions

5.1.1. The guidelines specified in the user's manuals shall be followed. Specifically, the safety notes in the user's manuals shall be followed.
5.1.2. Only hardware modules certified for safety-related operation, as listed in the Annexes of this report, shall be used for safety-critical signals. Non-certified standard modules (defined as "interference-free") may be used for non-safety-critical signals only.
5.1.3. Only software modules listed in the Annexes of this report shall be used to process safety-critical data.
5.1.4. The fault tolerance period of the process controlled by the system shall be greater than the worst-case reaction time of the system, determined with the help of the Excel sheet s7ftime?xls (? is a letter for language coding).
5.1.5. A well defined shutdown procedure shall be specified.
5.1.6. Non-safety-related blocks in the application program shall not control or affect data used by any safety-critical block, except through safety-related function blocks for data conversion and plausibility checks in the safety-related program.
5.1.7. Operator alarms as the exclusive means of shutdown are only permitted under supervised operation, and only if the fault tolerance time of the controlled process is sufficiently long to ensure a safe manual reaction and shutdown and the operator has sufficient independent means to supervise the process. Installations that must react to shutdown conditions more quickly than is achievable with manual intervention, or installations running unsupervised, shall incorporate an automatic fault reaction procedure.
5.1.8. The operating conditions as specified in the user manuals shall be met.

5.2 General commissioning conditions

5.2.1. Prior to commissioning, a complete functional test of all safety-relevant functions shall be performed. The programming of the application shall ensure that modules are small and self-contained, sufficient to permit full functional testing.
5.2.2. All timing requirements shall be validated, including fault detection time, fault reaction time, throughput delay for the shutdown logic and cycle time.
5.2.3. Any application software modification after commissioning shall result in a re-validation of the entire application software system. The commissioning can be reduced if the change can be shown, by use of a revision checker, to be limited to a specific area of the program.
5.2.4. The proper fail-safe configuration of all safety-critical F-I/O shall be verified. Only configurations covered by the user's manual are covered by the certification.

5.3 General run-time conditions

5.3.1. Failed modules that are safety-related and in redundant configurations should be replaced as quickly as practical to minimize the probability of multiple fault accumulation and potential (safe) nuisance shutdown. At the latest, failed modules should be replaced within the multiple fault occurrence time.
5.3.2. Application program modification during run-time should only be permitted under end-user responsibility.
5.3.3. The procedure described in the user manual has to be followed.
5.3.4. The application program modifications shall be limited and simple to verify and validate.
5.3.5. The modifications and their interaction with existing program sections shall be thoroughly tested, e.g. using simulation.
5.3.6. The modification shall be granted by the approval authority for the plant assessment.
5.3.7. Maintenance override is to be limited (time restriction and number of logical points). The TÜV guidelines for maintenance overrides are to be followed. TÜV certification does not cover output override.
5.3.8. The use of F-Function Blocks for SIMATIC S7 F/FH Systems is only permitted if, for the specific target system (F or FH system), an official F-Copy License with the order number 6ES7 833-1CC00-6YX0 is available. The F-Copy License consists of:
- the F-Copy License contract
- the copy of the TÜV certificate
- two labels to mark up the CPU (or the CPUs of an FH system) with the used F-Copy License

5.4 Product-Related conditions

5.4.1. The Safety Protector allows the use of fail-safe modules in combination with standard modules. The purpose of the Safety Protector is to isolate the fail-safe modules from overvoltages up to a maximum of 250 Volt AC/DC caused by non-safety-related standard modules. No field voltage higher than 250 V is allowed.


Certificate Number

This report specifies technical details and implementation conditions required for the application of the Safety-Related Programmable Systems SIMATIC S7 F/FH Systems by Siemens AG to the certificate:

Z2 03 04 38282 002

Munich, 28. September 2007

Technical Certifier



Annex 1 of the Report

on the

Certificate
Z2 03 04 38282 002

Safety-Related Programmable Systems SIMATIC S7 F/FH Systems (formerly SIMATIC S7-400F and S7-400FH)

Manufacturer: Siemens AG, Werner-von-Siemens Str. 50, D-92224 Amberg
Report No.: 10042360-A1 Revision 2.17 dated 2008-09-19
Testing Body: TÜV SÜD Automotive GmbH, Electronics Safety, Ridlerstraße 57, D-80339 München
Accredited Testing Body for Functional Safety

Dissemination, distribution, copying or any other use of information in this Annex of the report in part is strictly prohibited

Revision Log

Version | Name | Date | Changes/History
1.1 | P. Müller | 18.12.2000 | Initial
1.2 | P. Müller | 18.09.2001 | Separator module has been added; Version of Option Package S7 F Systems; Version of F_R_R; Version of F_R_BO; Version of F_CH_AI
1.3, 1.4 | P. Müller | 15.11.2001, 08.02.2002 | Section 2.2, comment has been added; Version of Option Package S7 F Systems; Version of F_F_TRIG; Version of F_R_TRIG; Version of F-SM added
1.5 | A. Beer | 22.07.2002 | Integration of a Revision Log; Version of SM 326 DO 10xDC24V/2A; Version of SM 326 DI 24xDC24V
1.6, 1.7 | A. Beer | 02.12.2002, 25.04.2003 | Firmware version of SM 326 DO 10xDC24V/2A; 4/8 F-DI DC24V, 4 F-DO DC24V/2A, PM-E F DC24V, PM-D F DC24V added; Section 2.2 deleted; Table of section 1; New software versions added
1.8, 1.9, 2.0 | A. Beer | 13.10.2003, 25.11.2003, 03.03.2004 | Certification number, Version of SM 326, DO 10 x DC24V/2A deleted; Version of SM 326, DO 10 x DC24V/2A added; Added new CPU FW version with EOC RAM option; added new Version of SM 326, DO 10 x DC24V/2A; Added new ET200S modules for use in S7 F/FH: 6ES7 148-3FA00-0XB0, 6ES7 138-4CF01-0AB0, 6ES7 138-4CF40-0AB0; Added new FB for V5.2 SP1 in section 2.1.3; Added signature changes for FB for V5.2 SP1 in section 2.1.4
2.1, 2.2 | A. Beer | 16.12.2004, 28.02.2005 | 4/8 F-DI DC24V, 4 F-DO DC24V/2A, SM 326, DO 8 x DC24V/2A, CPU 417-4H and CPU 414-4H added; Added new F-FBs for V5.2 SP2 (Safety Data Write) in section 2.1.5. RESTRICTION: "Safety Data Write" handling of Boolean parameters shall not be used with the OCX Faceplate of S7 F Systems HMI V5.2, which is part of the optional package S7 F Systems V5.2+SP2. F_CH_BO shall be used with the associated OCX of S7 F Systems HMI V5.2+SP3 or higher only; Modules added: SM326, DI24 x DC24V, 6ES7 326-1BK01-0AB0
2.3, 2.4 | F. Rauch; F. Rauch, J. Blum | 30.06.2005, 30.11.2005 | 4/8 F-DI DC24V, 6ES7 138-4FA02-0AB0; 4 F-DO DC24V/2A, 6ES7 138-4FB02-0AB0; PM-E F DC24V, 6ES7 138-4CF02-0AB0; PM-E F DC24V, 6ES7 138-4CF41-0AB0; PM-D F DC24V, 3RK1903-3BA01; Release number of: SM 326, DI 24 x DC24V, 6ES7 326-1BK00-0AB0; SM 326, DI8 x NAMUR, 6ES7 326-1RF00-0AB0; SM 326, DO 10 x DC24V/2A, 6ES7 326-2BF01-0AB0; SM 336, AI 6 x 13 Bit, 6ES7 336-1HE00-0AB0; PM-E F DC24V, 6ES7 138-4CF01-0AB0; PM-E F DC24V, 6ES7 138-4CF40-0AB0
2.5 | A. Beer | 19.01.2006 | Release number of SM 336, AI 6 x 13 Bit, 6ES7 336-1HE00-0AB0; SM 326, DO 8 x DC24V/2A PM, 6ES7 326-2BF40-0AB0; ET200eco 4/8 F-DI, 6ES7 148-3FA00-0XB0
2.6 | F. Rauch | 20.02.2006 | Added new F-FBs for V5.2 SP4 in section 2.1.6; Correction of signature of F-FBs
2.7 | A. Beer | 31.03.2006 | Release number of ET200S F module PM-E F pm, 6ES7 138-4CF02-0AB0
2.8 | A. Beer | 23.06.2006 | Release number of SM 326 DO 10xDC24V/2A, 6ES7 326-2BF01-0AB0
2.9, 2.10 | A. Beer, M. Rau | 11.08.2006, 09.01.2007 | Modules added: ET200S 1F-RO DC24V/5A, AC24..230V/5A (6ES7 138-4FR00-0AA0); ET200S 4/8 F-DI DC24V (6ES7 138-4FA03-0AB0); ET200S 4 F-DO DC24V/2A (6ES7 138-4FB02-0AB0); ET200S PM-E F pp DC24V (6ES7 138-4CF41-0AB0); ET200S PM-D F DC24V (3RK1903-3BA01); ET200S 4F-DI/3F-DO DC24V (6ES7 138-4FC00-0AB0); ET200pro-F 8/16 F-DI DC24V (6ES7 148-4FA00-0AB0); ET200pro-F 4/8 F-DI DC24V / 4 F-DO DC24V/2A (6ES7 148-4FC00-0AB0); ET200pro F-Switch (6ES7 148-4FS00-0AB0); Release Number of
2.11 | P. Wei | 14.08.2007 | Modules added:
2.12, 2.13 | P. Wei, M. Rau | 28.09.2007, 04.04.2008 | New version V6.0 of Option Package S7 F Systems (S7 F Systems Lib V1_3) added; F-CPUs added: CPU 417-4H (6ES7 417-4HT14-0AB0), CPU 414-4H (6ES7 414-4HM14-0AB0), CPU 412-3H (6ES7 412-3HJ14-0AB0); Version V5.5 SP4 of S7 ConfigurationPack added; Module added: SM336, F-AI 6 x 0/4..20 mA HART (6ES7 336-4GE00-0AB0)
2.14 | M. Rau | 26.06.2008 | Version of ET200eco 4/8 F-DI 6ES7 148-3FA00-0XB0; Remark 6) ET200M SM 326, DI 8 x NAMUR 6ES7 326-1RF00-0AB0
2.15 | Jürgen Blum | 14.08.2008 | Release Number of SM 326 DO 10 x DC24V/2A (6ES7 326-2BF01-0AB0)
2.16, 2.17 | Jürgen Blum | 22.08.2008, 19.09.2008 | Version V5.5 SP5 of S7 ConfigurationPack added; Modules added: ET200S 4/8 F-DI DC24V (6ES7 138-4FA04-0AB0); ET200S 4 F-DO DC24V/2A (6ES7 138-4FB03-0AB0); ET200S PM-E F pm DC24V (6ES7 138-4CF03-0AB0); ET200S PM-E F pp DC24V (6ES7 138-4CF42-0AB0); ET200S 1F-RO DC24V/5A, AC24..230V/5A (6ES7 138-4FR00-0AA0); Release Number of

TÜV SÜD Automotive GmbH Electronics Safety Ridlerstraße 57 D-80339 München Phone: ++49 89 5791-1393; Fax: -4438 Report No. 10042360-A1 Revision 2.17 P. Wei 2008-09-19 Page 2 of 20

TV SD Automotive GmbH Electronics Salety Ridlerstrae 57 D-80339 Mnchen Phone: ++49 89 5791-1393; Fax: -4438

Report No. 10042360A1 Revision 2.17 P. Wei 2008-09-19 Page 5 0120

Safety-Certified and Interference-Free Components


1 Hardware and Firmware Components
The following system components are certified 'safety-related'. This allows the components to be used to process safety critical signals and functions:

Module | Order Number | Release Number | Module Description

CPUs:
CPU 417-4H | 6ES7 417-4HT14-0AB0 | 1 or higher 3) | CPU which is suitable for safety-related applications by using a fail-safe application program.
CPU 417-4H | 6ES7 417-4HL04-0AB0 | 1 or higher 3) | CPU which is suitable for safety-related applications by using a fail-safe application program.
CPU 414-4H | 6ES7 414-4HM14-0AB0 | 1 or higher 3) | CPU which is suitable for safety-related applications by using a fail-safe application program.
CPU 414-4H | 6ES7 414-4HJ04-0AB0 | 1 or higher 3) | CPU which is suitable for safety-related applications by using a fail-safe application program.
CPU 412-3H | 6ES7 412-3HJ14-0AB0 | 1 or higher 3) | CPU which is suitable for safety-related applications by using a fail-safe application program.

Signal Modules S7-300:
SM 326, DI24x DC24V | 6ES7 326-1BK01-0AB0 | 02 | 24 channel digital input module 24VDC
SM 326, DI24x DC24V | 6ES7 326-1BK00-0AB0 | 01 to 07 | 24 channel digital input module 24VDC
Unlike the values given in earlier versions of the user manuals, the average probability of failure on demand is 1,9E-04 and the probability of a dangerous failure per hour is 4,3E-09.
SM 326, DI8x NAMUR | 6ES7 326-1RF00-0AB0 6) | 01 to 06 | 8 channel NAMUR digital input module for intrinsically-safe sensors
SM 326, DO10x DC24V/2A | 6ES7 326-2BF01-0AB0 | 01 to 06 | 10 channel digital output module 24VDC/2A, P-switch
SM 326, DO10x DC24V/2A | 6ES7 326-2BF00-0AB0 | 01 to 03, 07 | 10 channel digital output module 24VDC/2A, P-switch
SM 326, DO 8x DC24V/2A PM | 6ES7 326-2BF40-0AB0 1) | 01, 02 | 8 channel digital output module 24VDC/2A, P/M-switch
SM 336, AI 6 x 13 Bit | 6ES7 336-1HE00-0AB0 | 01 to 06 | 6 channel analog input module
SM 336, F-AI 6 x 0/4..20 mA HART | 6ES7 336-4GE00-0AB0 | 01 / V1.0.1 | 6 channel analog input module, HART
Safety Protector | 6ES7 195-7KF00-0XA0 | 01 to 03 | Safety protector; protects the fail-safe signal modules from possible overvoltage

Modules ET 200S:
4/8 F-DI DC24V | 6ES7 138-4FA04-0AB0 1) | 01 | 4/8 channel digital input module 24VDC
4/8 F-DI DC24V | 6ES7 138-4FA03-0AB0 1) | 01 | 4/8 channel digital input module 24VDC
4/8 F-DI DC24V | 6ES7 138-4FA02-0AB0 | 01 | 4/8 channel digital input module 24VDC
4/8 F-DI DC24V | 6ES7 138-4FA01-0AB0 | 01 | 4/8 channel digital input module 24VDC
4/8 F-DI DC24V | 6ES7 138-4FA00-0AB0 | 01 to 03 | 4/8 channel digital input module 24VDC
4 F-DO DC24V/2A | 6ES7 138-4FB03-0AB0 | 01 | 4 channel digital output module 24VDC/2A; P/M switch
4 F-DO DC24V/2A | 6ES7 138-4FB02-0AB0 | 01 to 02 | 4 channel digital output module 24VDC/2A; P/M switch
4 F-DO DC24V/2A | 6ES7 138-4FB01-0AB0 | 01 | 4 channel digital output module 24VDC/2A; P/M switch
4 F-DO DC24V/2A | 6ES7 138-4FB00-0AB0 | 01 to 03 | 4 channel digital output module 24VDC/2A; P/M switch
4F-DI/3F-DO | 6ES7 138-4FC00-0AB0 4) | 01 | 4 channel digital input / 3 channel digital output module 24VDC/2A
1F-RO DC24V/5A, AC24...230V/5A | 6ES7 138-4FR00-0AA0 5) | 01 to 02 | 1 channel digital relay output module DC24V/5A, AC24..230V/5A
PM-E F pm DC24V | 6ES7 138-4CF03-0AB0 | 01 | Power module 24VDC; P/M switch
PM-E F pm DC24V | 6ES7 138-4CF02-0AB0 | 01 to 02 | Power module 24VDC; P/M switch
PM-E F pm DC24V | 6ES7 138-4CF01-0AB0 | 01 to 02 | Power module 24VDC; P/M switch
PM-E F pm DC24V | 6ES7 138-4CF00-0AB0 | 01 to 04 | Power module 24VDC; P/M switch
PM-E F pp DC24V | 6ES7 138-4CF42-0AB0 | 01 | Power module 24VDC; P/P switch
PM-E F pp DC24V | 6ES7 138-4CF41-0AB0 | 01 to 02 | Power module 24VDC; P/P switch
PM-E F pp DC24V | 6ES7 138-4CF40-0AB0 | 01 to 03 | Power module 24VDC; P/P switch
PM-D F DC24V | 3RK1903-3BA01 | 01 to 02 | Power module 24VDC for fail-safe motor starters
PM-D F DC24V | 3RK1903-3BA00 | 04 | Power module 24VDC for fail-safe motor starters

Modules ET 200eco:
4/8 F-DI DC24V | 6ES7 148-3FA00-0XB0 2) | 01 to 04 | 4/8 channel digital input module 24VDC

Modules ET 200pro:
8/16 F-DI DC24V | 6ES7 148-4FA00-0AB0 2) | 01 to 03 | 8/16 channel digital input module 24VDC
4/8 F-DI/4 F-DO DC24V/2A | 6ES7 148-4FC00-0AB0 2) | 01 to 03 | 4/8 channel digital input 24VDC and 4 channel digital output module 24VDC/2A P-/M-switch (combined)
F-Switch | 6ES7 148-4FS00-0AB0 2) | 01 | 2 channel digital input 24VDC and 3 channel digital P-/P-switch module 24VDC (combined)
1) No certification according to EN 298:2003, ENV 1954.
2) EN 298:2003 fulfilled with the exception of the permissible environmental temperature -25 to +55 degrees centigrade (instead of 0 to +60 degrees centigrade).
3) The sinusoidal vibration service conditions do not comply with the increased requirements of IEC 61131-2 2nd Ed. The requirements of IEC 61131-2:1992 are fulfilled.
4) Classified SIL 2 in accordance with IEC 61508 and CAT 3 in accordance with EN 954, and no certification according to EN 298.
5) EN 50178:1997; in difference to all other modules with overvoltage category III, the 1 channel digital relay output module DC24V/5A, AC24..230V/5A fulfils the requirements of overvoltage category II. The requirement of EN 298:2003 is fulfilled only with shielded signal cables.
6) Remark: For the I/O modules EN 298:2003 is fulfilled with external surge protection; see related manuals.
All other components of the S7-400 and S7-300 family are 'interference-free' and allowed to be used; however, they are not certified for process safety-critical signals and functions. Using these components does not interfere with the proper functioning of the safety-related modules. For details on architectural, configuration and implementation requirements please refer to the Siemens manuals of the SIMATIC S7 F/FH Systems documentation package.



2 Safety-Relevant Software Components

2.1 Option Package S7 F Systems

S7 F Systems V6.0 consists of the following certified installation units:

S7 F Systems (Engineering Tool) | V6.0
S7 F Systems Lib | V1.3 | S7 F Systems Lib (V1_3)
S7 F Systems HMI | V5.2 + SP3
S7 F ConfigurationPack | V5.5 + SP3, V5.4 + SP1

S7 F Systems V6.0 is also certified in combination with:

S7 F Library | V1.2 + SPx | Failsafe Blocks (V1_2)
S7 F Library | V1.1 | Failsafe Blocks (V1_1)
S7 F ConfigurationPack | V5.5 + SP5, V5.5 + SP4

S7 F Systems V5.2 + SPx is certified in combination with:

S7 F Library | V1.2 + SPx | Failsafe Blocks (V1_2)
S7 F Library | V1.1 | Failsafe Blocks (V1_1)
S7 F ConfigurationPack | V5.5 + SPx, V5.4 + SPx, V5.3 + SPx, V5.2 + SPx

2.1.1 S7 F Systems Lib (V1_3)

F-FB | Function | Signature | Initial Value Signature
OB_INIT | F-Control block | N/A | N/A
OB_RES | F-Control block | N/A | N/A
F_1oo2AI | F-User block | 0130 | 0CE3
F_1oo2_R | F-User block | 0A53 | AA5A
F_2OUT3 | F-User block | 340E | 079F
F_2oo3AI | F-User block | 4580 | CE7E
F_2oo3DI | F-User block | 5323 | 04A0
F_2oo3_R | F-User block | AB9F | 112C
F_ABS_R | F-User block | 7E90 | 4885
F_ADD_R | F-User block | 0FBF | B10F
F_AND4 | F-User block | 89B0 | 6837
F_AVEX_R | F-User block | E570 | 9470
F_BO_FBO | F-User block | 27AB | 870A
F_CHG_BO | F-User block 1) | 0042 | E5F2
F_CHG_R | F-User block | E4C0 | 50B5
F_CHG_WS | F-Control block | N/A | N/A
F_CH_AI | F-User block | 0846 | 3A31
F_CH_BI | F-User block | E888 | 5FA7
F_CH_BO | F-User block | A8C7 | A5E4
F_CH_DI | F-User block | 3119 | EA57
F_CH_DO | F-User block | F967 | 4F58
F_CMP_R | F-User block | 689A | 602E
F_CTUD | F-User block | 609B | 188C
F_CYC_CO | F-Control block | 7010 | 424E
F_DIAG | F-Control block | 40FC | 00F4
F_DIV_R | F-User block | 43F6 | C0B8
F_FBO_BO | F-User block | N/A | N/A
F_FI_FR | F-User block | 672A | 9F0E
F_FI_I | F-User block | N/A | N/A
F_FR_FI | F-User block | 2B3C | B269
F_FR_R | F-User block | N/A | N/A
F_FTI_TI | F-User block | N/A | N/A
F_F_TRIG | F-User block | 75E7 | 8F11
F_I_FI | F-User block | 4871 | 870A
F_LIM_HL | F-User block | A43A | 1E14
F_LIM_I | F-User block | 4845 | 409B
F_LIM_LL | F-User block | 1451 | 1E14
F_LIM_R | F-User block | B300 | 3957
F_LIM_TI | F-User block | 6E64 | 680C
F_MAX3_R | F-User block | C14F | F93F
F_MID3_R | F-User block | EC2C | EA98
F_MIN3_R | F-User block | 0007 | E12A
F_MOV_R | F-User block | 652F | C02B
F_MOVRWS | F-Control block | N/A | N/A
F_MUL_R | F-User block | AA0F | B10F
F_MUX16R | F-User block | AF74 | EEFE
F_MUX2_R | F-User block | BFE3 | 9CB1
F_NOT | F-User block | 9C08 | 0006
F_OR4 | F-User block | 50CA | 6B42
F_PA_AI | F-User block | 8409 | B5A7
F_PA_DI | F-User block | 2FC7 | E4F2
F_PLK | F-Control block | C005 | A650
F_PLK_O | F-Control block | 45F2 | 7B78
F_PS_12 | F-Control block | A56A | B87A
F_PS_MIX | F-Control block | A087 | N/A
F_PSG_M | F-User block | N/A | N/A
F_QUITES | F-User block | 797A | B027
F_RCVBO | F-User block | 004B | 8360
F_RCVR | F-User block | 3209 | B103
F_RDS_BO | F-User block | 4389 | E009
F_REPCYC | F-User block | 8F66 | 61F4
F_ROT | F-User block | 7ECA | 73F0
F_RS_FF | F-User block | 6257 | B560
F_R_BO | F-User block | CC9E | E882
F_R_FR | F-User block | 4278 | 6BCE
F_R_R | F-User block | AC9C | 237E
F_R_TRIG | F-User block | BFC8 | 8F11
F_SDS_BO | F-User block | C804 | 662A
F_SENDBO | F-User block | 8063 | 5812
F_SENDR | F-User block | 2FE2 | 678B
F_SHUTDN | F-Control block | N/A | N/A
F_SMP_AV | F-User block | 5659 | EE0A
F_SQRT | F-User block | E621 | 6B0F
F_SR_FF | F-User block | 9EBE | B560
F_START | F-User block | 5791 | 2151
F_SUB_R | F-User block | E217 | B10F
F_S_BO | F-User block | 5905 | 1110
F_S_R | F-User block | 7394 | 1FC2
F_TEST | F-Control block | EC5F | EB03
F_TESTC | F-Control block | 680A | 38BA
F_TESTM | F-Control block | 8B5A | 9A74
F_TI_FTI | F-User block | A060 | 6BCE
F_TOF | F-User block | E45B | 22F6
F_TON | F-User block | 380A | 22F6
F_TP | F-User block | E671 | 22F6
F_VFSTP1 | F-Control block | N/A | N/A
F_VFSTP2 | F-Control block | N/A | N/A
F_XOR2 | F-User block | 6040 | 069A
F_XOUTY | F-User block | 68A0 | 68BE
RTGLOGIC | F-Control block | N/A | N/A

1) RESTRICTION: "Safety Data Write" handling of Boolean parameters shall not be used with the OCX Faceplate of S7 F Systems HMI V5.2, which is part of the optional package S7 F Systems V5.2+SP2. F_CH_BO shall be used with the associated OCX of S7 F Systems HMI V5.2+SP3 or higher only.
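One defender-side use of this table, and of conditions 5.1.3 and 5.2.3 of the report, as an added example that is not part of the TÜV report and not a Siemens tool: compare the F-FBs found in a safety program against the certified block list and its signatures, so that an unlisted block, a block whose signature has drifted, or a block carrying the footnote 1) restriction is flagged before the program is accepted. The six certified rows carried in the code are copied from the S7 F Systems Lib (V1_3) table above; the program inventory, the way it is obtained (assumed here to be a list of block name, signature and initial value signature read out of the project) and the block name F_MYCALC are constructed for the example.

```python
# Excerpt of the certified F-FB list of S7 F Systems Lib (V1_3) from section
# 2.1.1 of the annex: block -> (function, signature, initial value signature).
# Only a handful of rows are carried here; the annex table is the reference.
CERTIFIED = {
    "OB_INIT":  ("F-Control block", None,   None),
    "F_ABS_R":  ("F-User block",    "7E90", "4885"),
    "F_AND4":   ("F-User block",    "89B0", "6837"),
    "F_CHG_BO": ("F-User block",    "0042", "E5F2"),
    "F_NOT":    ("F-User block",    "9C08", "0006"),
    "F_XOR2":   ("F-User block",    "6040", "069A"),
    "F_TOF":    ("F-User block",    "E45B", "22F6"),
}

# Blocks marked with footnote 1) in the table: certified, but the Safety Data
# Write / HMI faceplate restriction applies and must be checked by hand.
RESTRICTED = {"F_CHG_BO"}


def _norm(sig):
    """Normalise a printed signature: upper-case hex; 'N/A' or empty becomes None."""
    if sig is None:
        return None
    s = str(sig).strip().upper()
    return None if s in ("", "N/A") else s


def check_inventory(inventory, certified=CERTIFIED, restricted=RESTRICTED):
    """Check a program's F-FB inventory against the certified list.

    inventory: iterable of (block, signature, initial_value_signature), as read
    out of the project (constructed format for this example).
    Returns a list of (block, verdict, detail) with verdict one of
    'ok', 'restricted', 'signature_mismatch', 'unlisted'.
    """
    findings = []
    for block, sig, init_sig in inventory:
        entry = certified.get(block)
        if entry is None:
            findings.append((block, "unlisted",
                             "not in the certified F-FB list (condition 5.1.3)"))
            continue
        _, want_sig, want_init = entry
        if (_norm(sig), _norm(init_sig)) != (_norm(want_sig), _norm(want_init)):
            findings.append((block, "signature_mismatch",
                             f"expected {want_sig}/{want_init}, found {sig}/{init_sig}"))
        elif block in restricted:
            findings.append((block, "restricted",
                             "footnote 1): Safety Data Write restriction applies"))
        else:
            findings.append((block, "ok", ""))
    return findings


def safety_program_acceptable(findings):
    """Accept only when every block is certified with a matching signature."""
    return all(verdict in ("ok", "restricted") for _, verdict, _ in findings)


if __name__ == "__main__":
    # Constructed inventory: four good rows, one drifted signature, one home-made block.
    inventory = [
        ("F_ABS_R", "7E90", "4885"),
        ("OB_INIT", "N/A", "N/A"),
        ("F_AND4", "89b0", "6837"),
        ("F_CHG_BO", "0042", "E5F2"),
        ("F_AND4", "89B0", "6838"),
        ("F_MYCALC", "1234", "5678"),
    ]
    for block, verdict, detail in check_inventory(inventory):
        print(f"{block:10s} {verdict:20s} {detail}")
    print("acceptable:", safety_program_acceptable(check_inventory(inventory)))
```

The compar­ison is case-insensitive and treats "N/A" as "no signature", matching how the table prints control blocks; a mismatch on either the signature or the initial value signature is reported, since condition 5.2.3 ties reduced re-validation to proving that a change is confined, and a drifted block signature is exactly the evidence that it is not.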

2.1.2 Failsafe Blocks (V1_2) F-FB OB INIT OB RES F_1oo2_R F 20UT3 F_2oo3_R F F F F F F F F ABS R AOO R AN04 AVEX R BO FBO CHG BO 4) CHG R 4) CHG WS 4) Function F-Control block F-Control block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block 6) F-User block F-Control block F-User block F-User block F-User block Signature Initial Value Signature

N/A N/A
0100 340E FC09 7E90 B495 89BO BE40 27AB 0042 E4CO

N/A N/A
6717 1) 2E06 079F 3043 ') 36CB 4885 B10F 6837 1CB3 870A E5F2 50B5

N/A
8F67 741E 2) 2346 A47F 2) EOB9 92C1 2)

N/A
0784 804B 2) F504 EC21 2) 07FO OA68 2 )
Report No. 10042360-A1 Revision 2.17 P. Wei 2008-09-19 Page 14 0120

F_CHI F_CH_OI F_CH_OO

TV SD Aulomolive GmbH Eleclronics Salety Ridlerslrae 57 0-80339 Mnchen Phone: -49 89 5791-1393; Fax: -4438

F_CTUO F_CYC_CO F OIV R F FBO BO F FI FR 'J) F_FU F FR R F FTI TI F F TRIG F I FI F UM HL F UM I F UM LL F UM R F UM TI F_M_AI6 F_M_0124 F_M_018 F_M_0010 F_M_008 F F F F F F F F F F MAX3 R MI03 R MIN3 R MPA 10 ) MUL R MUX2 R NOT OR4 PA AI 0) PA 01 0 )

F-User block F-Control block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User F-User F-User F-User F-User F-User F-User F-User F-User F-User block block block block block block block block block block

EF97 E895 07A8

F701 6769 COB8

N/A
672A

N/A
9FOE

N/A N/A N/A


75E7 4871 5116 OBOC AF69 4017 3ABB AF64 1E41 2) EB16 F887 2) 8FA4 5078 2) 22E8 6CA7 2) 7337 86EF 2) 780B 0596 551B F001 360C 70EO 9C08 50CA 9046 BC04

N/A N/A N/A


8F11 870A 7656 F4F9 7656 B4BE 7CAB ECOO 0818 2) 1FE2 2EAC 2) 9022 940C 2) EB44 4A6E 2) 3B1F B024 2) 5833 6ACF 2950 381B B10F 5B43 0006 6B42 14F5 9564

TV SD Aulomolive GmbH Eleclronics Salety Ridlerslrae 57 D-80339 Mnchen Phone: ++49895791-1393; Fax: -4438

Report No. 10042360-A1 Revision 2.17 P.Wei 2008-09-19 Page 15 0120

F PLK F PLK 0 F PSG M;j) F QUITES F RCVBO F RCVR F RS FF F R BO F R FR F R R F R TRIG F SENOBO F SENOR F SHUTON F SMP_AV F_SQRT F_SR_FF F_START F SUB R F_S_BO F_S_R F TEST F TESTC F TESTM F TI FTI F TOF F TON F TP F XOR2 F XOUTY FAlL MSG RTG LOGIC
1)
2)

F-Control block F-Control block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-Control block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-Control block F-Control block F-Control block F-User block F-User block F-User block F-User block F-User block F-User block F-Control block F-Control block

A234 0690

5FAO 834C

N/A
B433 A2B9 B854 3A1A 6CE1 4278 64A1 BFC8 E223 7B16

N/A
B027 DCF4 14C1 069A B9A5 6BCE 543A 8F11 F301 5B90

N/A
9024 593F 61BC 5791 5C35 F353 372C 5B60 5A93 2983 A060 31A9 F8E5 6400 6040 6A1C

N/A
9COF COOB 069A 2151 B10F 1110 1FC2 38AF 08M BE02 6BCE 7CFC 7CFC 7CFC 069A C510

N/A N/A

N/A N/A

3) 4)
5)
6)

displayed in S7 F Systems up to V5.2 SP3, if these F-FBs are the only F-FBs in a S7 program signature of F-FB in S7 F Library V1.2 + SP1 or higher F-FB added in 87 F Library V1.2 + SP1 F-FB added in S7 F Library V1.2 + SP2 F-FB added in 87 F Library V1.2 + SP4 RESTRICTION: "Safety Data Write" handling of Boolean parameters shall not be used with the OCX Faceplate of S7 F Systems HMI V5.2, which is part of the optional package S7 F Systems V5.2+SP2. F_CH_BO shall be used with the associated OCX of S7 F Systems HMI V5.2+SP3 or higher only.


Attention! Contrary to the Siemens S7 user's manual "Programmable Controllers S7 F/FH Systems" (Edition 2/2003), the F_FR_FI function block of S7 F Library V1.2 is NOT certified for safety applications and shall NOT be used to process safety critical data.

2.1.3 Failsafe Blocks (V1_1)

F-FB / Function / Signature / Initial Value Signature

F-FB: DB_RES F_2OUT3 F_ABS_R F_ADD_R F_AND4 F_AVEX_R F_BO_FBO F_CH_AI**
Function: F-Control block F-User block F-User block F-User block F-User block F-User block F-User block F-User block
Signature: N/A 34DE 7E9D 643F 89BO 9926 27AB 296D or AA4F E41B 6E6A 9928 3263 9CF2 75E7
Initial Value Signature: N/A D79F 4885 206C 6837 8CE8 87DA C540 or C540 F504 18CF F7D1 CB5D 4A67 2000 obs) or 8F11 HF1) N/A N/A N/A N/A 87DA CB3F F4F9 CB3F OA10 7CAB

F_CH_DI F_CH_DO F_CTUD F_CYC_CO F_DIV_R F_F_TRIG**

F-User block F-User block F-User block F-Control block F-User block F-User block

F_FBO_BO F_FI_I F_FR_R F_FTI_TI F_I_FI F_LIM_HL F_LIM_I F_LIM_LL F_LIM_R F_LIM_TI

F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block

N/A N/A N/A N/A 4871 435E 5219 FB73 C92F 13AO



F-FB / Function / Signature / Initial Value Signature

F_M_AI6 F_M_DI24 F_M_DI8 F_M_DO10 F_MAX3_R F_MID3_R F_MIN3_R F_MUL_R F_MUX2_R F_NOT F_OR4 F_PLK F_PLK_O F_QUITES F_R_BO**

F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-Control block F-Control block F-User block F-User block

F_R_FR F_R_R**

F-User block F-User block

F_R_TRIG**

F-User block

3CC4 70A1 4996 A89E AEA9 5422 A524 B7AC 5911 9C08 50CA E5B4 53BE 89EC 3E82 or 0775 6E03 6C69 or 6F8F 3E5E

75CF 0091 6400 EE4E 9A67 6A94 31E1 206C 5B43 0006 6B42 02F9 3E43 B027 B9A5 or B9A5 6BCE 543A or 543A 00S 2000 or 8F11 HF1 OCF4 14C1 069A 1110 1FC2 F301 5B90 5B98 8950 069A 2151 206C A04B

F_RCVBO F_RCVR F_RS_FF F_S_BO F_S_R F_SENDBO F_SENDR F_SMP_AV F_SQRT F_SR_FF F_START F_SUB_R F_TEST

F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-Control block

6FFB F6F3 5A81 CC75 0897 B204 3BA4 FB42 C412 7F12 5791 46B5 0774

F-FB / Function / Signature / Initial Value Signature

F-FB: F_TESTC F_TESTM F_TI_FTI F_TOF F_TON F_TP F_XOR2 F_XOUTY F_IN_D24 *) F_IN_D8 *)
Function: F-Control block F-Control block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block F-User block
Signature: E7ES 29S3 A06D FS99 DD31 D60S 6D4D 5FS6 903C CCCF E93D
Initial Value Signature: 711C BED2 6BCE 7CFC 7CFC 7CFC 069A C51D 7A60 6AS1 9FED

F_OU_D10 *)

*) These F-FBs are not included in Option Package S7 F Systems V5.1. They are delivered to customers of Option Package S7 F Systems V5.0 on request.

**) The certified F-FB has two valid signatures.

obs) These F-FBs are included in Option Package S7 F Systems V5.1. They may cause a wrong overall signature and problems starting the CPU. Thus it is recommended to use the FBs delivered with V5.1+SP1+HF1.

HF1) These F-FBs are included in Option Package S7 F Systems V5.1+SP1+HF1. It is delivered to customers of Option Package S7 F Systems V5.1 on request.

The Option Package S7 F Systems V5.1 may be used together with F-FBs with version number 1.0 of Option Package S7 F Systems V5.0 listed in Revision 1.0 of this Annex. However, mixing version 1.0 and version 2.0 F-FBs in the same program is not possible.
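The tables above list, for every certified F-FB, a signature and an initial-value signature, and the notes explain that mixing blocks from different library versions produces a wrong overall signature. The following Python is an added example of how signature-based change detection works in principle; it is not Siemens code and does not reproduce the S7 F Systems signature algorithm, which this annex does not describe. The CRC-16 parameters, the block "code" bytes and the certified-signature list are constructed for the example; only the block names are taken from the tables.

```python
"""Signature-based change detection for a set of fail-safe blocks (constructed model)."""
from typing import Dict, List, Tuple


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). Constructed choice of
    checksum; the real F-block signature algorithm is not described in the annex."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def block_signature(code: bytes) -> str:
    """Four-hex-digit signature of one block, in the style of the tables above."""
    return f"{crc16_ccitt(code):04X}"


def program_signature(blocks: Dict[str, bytes]) -> str:
    """Collective signature over all blocks. Blocks are taken in name order so the
    result does not depend on the order in which they were inserted."""
    material = b"".join(
        name.encode("ascii") + block_signature(code).encode("ascii")
        for name, code in sorted(blocks.items())
    )
    return f"{crc16_ccitt(material):04X}"


def verify_blocks(blocks: Dict[str, bytes],
                  certified: Dict[str, Tuple[str, ...]]) -> Dict[str, str]:
    """Verdict per block: 'certified' if its signature is one of the certified
    values (a block may have more than one, like the ** entries above),
    'modified' if the name is known but the signature is not, and
    'uncertified' if the block is not in the certified list at all."""
    verdicts: Dict[str, str] = {}
    for name, code in blocks.items():
        sig = block_signature(code)
        if name not in certified:
            verdicts[name] = "uncertified"
        elif sig in certified[name]:
            verdicts[name] = "certified"
        else:
            verdicts[name] = "modified"
    return verdicts


def changed_blocks(old: Dict[str, bytes], new: Dict[str, bytes]) -> List[str]:
    """Names of blocks whose signature differs between two program versions,
    including blocks that were added or removed."""
    names = set(old) | set(new)
    return sorted(n for n in names
                  if n not in old or n not in new
                  or block_signature(old[n]) != block_signature(new[n]))


# Constructed sample "block code"; the bytes stand in for compiled block content.
PROGRAM_V1 = {
    "F_AND4": b"AND IN1 IN2 IN3 IN4 -> OUT",
    "F_OR4": b"OR IN1 IN2 IN3 IN4 -> OUT",
    "F_LIM_R": b"LIMIT IN MIN MAX -> OUT QH QL",
}
# Certified list, derived from the V1 blocks; F_LIM_R gets a second, placeholder
# signature "FFFF" to model a block with two valid signatures.
CERTIFIED = {
    "F_AND4": (block_signature(PROGRAM_V1["F_AND4"]),),
    "F_OR4": (block_signature(PROGRAM_V1["F_OR4"]),),
    "F_LIM_R": (block_signature(PROGRAM_V1["F_LIM_R"]), "FFFF"),
}


def demo() -> Tuple[str, str, List[str], Dict[str, str]]:
    """Modify one block and add an unknown one; report what the signatures reveal."""
    program_v2 = dict(PROGRAM_V1)
    program_v2["F_AND4"] = b"AND IN1 IN2 IN3 IN4 -> OUT ; patched"  # changed block
    program_v2["MY_BLOCK"] = b"custom logic"                         # not certified
    return (program_signature(PROGRAM_V1), program_signature(program_v2),
            changed_blocks(PROGRAM_V1, program_v2),
            verify_blocks(program_v2, CERTIFIED))


if __name__ == "__main__":
    old_sig, new_sig, changed, verdicts = demo()
    print("overall signature v1:", old_sig, "v2:", new_sig)
    print("changed blocks:", changed)
    print("verdicts:", verdicts)
```

The point of the per-block list plus the collective signature is the one the notes above make: a single changed or foreign block alters the overall signature, and the per-block comparison then tells the engineer which block is responsible.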



3 Non-Safety Relevant Software Components


Function 1) / Version

CPU 417-4H (6ES7 417-4HL01-0AB0) Firmware: V2.1.x, where x=0 or higher, only in combination with S7 F Library V1_1
CPU 417-4H (6ES7 417-4HL01-0AB0) Firmware: V3.1.0 or higher
CPU 417-4H (6ES7 417-4HL01-0AB0) Firmware in combination with EDC RAM module 6ES7 955-2AM10-0AA0: V3.11.x, where x=3 or higher
CPU 417-4H (6ES7 417-4HL04-0AB0) Firmware: V4.0.3 or higher
CPU 417-4H (6ES7 417-4HT14-0AB0) Firmware: V4.5.0 or higher
CPU 414-4H (6ES7 414-4HJ00-0AB0) Firmware: V2.1.x, where x=0 or higher, only in combination with S7 F Library V1_1
CPU 414-4H (6ES7 414-4HJ00-0AB0) Firmware: V3.1.0 or higher
CPU 414-4H (6ES7 414-4HJ04-0AB0) Firmware: V4.0.3 or higher
CPU 414-4H (6ES7 414-4HM14-0AB0) Firmware: V4.5.0 or higher
CPU 412-3H (6ES7 412-3HJ14-0AB0) Firmware: V4.5.0 or higher
CFC: V5.2 or higher
STEP 7: V5.2 or higher

1) Further restrictions specific to modules or versions of the optional package S7 F Systems can be found in the corresponding user documentation.

Munich, 2008-09-19

Jürgen Blum, Technical Certifier




APPENDIX F System Hardware Datasheets


1. PCS7 Engineering System (ES)
2. Automation System (S7-414FH)
3. ET-200M F-I/O Subsystem
4. Failsafe Analog Input Module (SM336-4GE00-0AB0)
5. Failsafe Digital Input Module (SM326-1BK01-0AB0)
6. Failsafe Digital Output Module (SM326-2BF01-0AB0)
7. Pepperl & Fuchs, Power Feed Module
8. Pepperl & Fuchs, AI (IS), Single Channel
9. Pepperl & Fuchs, DI (IS), Single Channel
10. Phoenix Contact Power Supply Units
11. Phoenix Contact Relays

Siemens AG 2007

Operator system
Introduction

Overview

Benefits

User interface of the OS process control system with freely positionable windows


The operator system of the SIMATIC PCS 7 process control system permits user-friendly and secure execution of the process by the operating personnel. The operator can observe the process sequence by means of various views and intervene to control the system when necessary. The operator system architecture is extremely variable and can be flexibly adapted to different plant architectures and customer requirements. The basis is formed by perfectly coordinated operator stations for single-user systems (OS single stations) and for multi-user systems with client/server architecture.

The system software of the operator stations is available in different levels based on the number of process objects (PO) used:
- 250, 1000, 2000, 3000 or 5000 POs per OS single station
- 250, 1000, 2000, 3000, 5000 or 8500 POs per OS server (with client/server architecture)

The number of POs for an operator station can be increased up to 5000 (OS single station) or 8500 (OS server) at any time by means of PowerPacks to allow for higher requirements or system expansions.


- Flexible, modular architecture with scalable hardware and software components for single-user and multi-user systems
- High-performance operator stations based on standard PC technology with Microsoft Windows XP Professional / Server 2003, can be used in office or industrial environments
- Client/server multi-user systems with up to 12 OS servers/pairs of servers, each for 8500 process objects (PO) and up to 32 OS clients per server/pair of servers
- High-performance archive system based on Microsoft SQL server with cyclic archives and integral data backup, optionally with long-term archiving via StoragePlus/central archive server (CAS)
- OS health check for monitoring important server applications
- Integration of modifications without interrupting runtime operations, and online testing through selective loading of redundant servers
- Optimized AS/OS communication: data transmission only following change in data, independent of AS reply cycle; suppression of nuisance alarms
- User-friendly process control and high operational reliability, also in conjunction with multi-screen technology
- Extended status displays through combination of status and analog values with alarm information
- Alarm suppression during startup or on malfunction of a sensor/actuator
- Dynamic or manual hiding of visual and acoustic alarms that are unimportant depending on the plant status, e.g. during plant startup (however, all messages are recorded and archived); with manual hiding, the duration until display takes place again can be set.
- Alarm priorities as additional attribute for filtering important messages
- Central user management, access control, electronic signature
- Sign-of-life monitoring for subordinate systems connected to the plant bus
- System-wide time synchronization based on UTC (Universal Time Coordinated)


Siemens ST PCS 7 March 2007


Engineering system
ES software
Standard engineering software

Overview
The standard engineering software provides the basic functionality for configuration of SIMATIC PCS 7 plants with automation systems, process I/Os, communications networks, operator systems and SIMATIC BATCH.

Licensing of the standard engineering software depends on use of the engineering station as:
- a classical, exclusive engineering station (not suitable for productive operation as an operator station), or
- a combined engineering/operator station for small applications (suitable for productive operation as an operator station).

Classical, exclusive engineering station with unlimited number of process objects (POs)
Three software versions with unlimited POs are available for the classical engineering station:
- AS/OS - for engineering of automation systems (AS) and operator systems (OS)
- OS - only for OS engineering
- AS - only for AS engineering
With the OS and AS/OS software versions, the OS configuration can be tested in an OS test mode limited to 2 hours. This OS test mode is not suitable for productive operation. After 2 hours, the engineering station automatically switches to demonstration mode. The AS/OS software version is additionally upgraded by adding an AS runtime license for 600 POs. By means of a Rental License limited to 30 days for AS engineering or OS engineering (unlimited POs in each case), a cost-effective alternative is offered for short-term projects or short-term capacity bottlenecks.

Combined engineering/operator station for small applications (scalable POs)
To support compact process control plants, an ES/OS software combination of limited volume is offered with 250, 1,000 or 2,000 POs. In addition to the engineering licenses, these "All-in-one Licenses" also contain runtime licenses for AS and OS with the corresponding volumes. PowerPacks enable further expansion of the volume: from 250 POs to 1,000 POs, from 1,000 to 2,000 POs (in each case including AS/OS runtime license) and from 2,000 POs to unlimited POs (only with OS runtime license).

Function
Essential tools of the standard engineering software and their functions:

SIMATIC Logon
Together with the versatile recording facilities provided by the modification logbook, SIMATIC Logon, the user administration and access control function used in the engineering system, offers plant owners exceptional system support when complying with FDA requirements. Using SIMATIC Logon, the administrator can assign specific access privileges to groups of users, thus controlling the possibilities for data access. Operator interventions in the engineering system as well as all online modifications which affect the automation systems, operator systems, SIMATIC BATCH or SIMATIC Route Control can be recorded in the modification reports. If the modification reports are linked to the data of SIMATIC Logon during evaluation, it can be clearly proven who has carried out a specific modification and at what time.

SIMATIC Manager
The SIMATIC Manager is the control center for engineering of the SIMATIC PCS 7 process control system. All aspects of the SIMATIC PCS 7 project are created, managed, archived and documented here. The tools for engineering of the hardware components, communication and application software are also called from here. The hardware required for use in a SIMATIC project, such as automation systems, communications components and process I/O, is stored in an electronic catalog. The hardware is configured and parameterized using the HW-Config tool. To create the automation logic, standardized function blocks are combined with one another in the graphic configuration tool CFC according to technological specifications. Predefined blocks (process tag types) or charts (example solutions) can be used for this purpose simply by selecting them from a catalog and then positioning, graphically interconnecting and parameterizing them in the working area. No detailed programming knowledge is required; users can concentrate completely on the technological aspects of configuration.

The process tag data relevant to operation and monitoring, such as messages and variables, are generated at the same time as configuration of the automation functions. Sequential controls permit control and selective processing of the basic automation functions created per CFC by means of changes in operating mode and status. Powerful test and commissioning functions for the graphic configuration and commissioning of sequential controls are offered by the SFC editor. Complete SIMATIC PCS 7 projects or all project modifications can be compiled in one working step and downloaded to the target systems involved, e.g. automation systems, operator system or SIMATIC BATCH. The engineering system automatically ensures that the sequence is correct. The procedure is displayed and controlled in a central dialog. Selective configuration modifications can be downloaded online to the corresponding target systems. Short turnaround times result in short waiting times for the commissioning engineer, and have a favorable effect on the commissioning costs. Program modifications relevant to automation systems can be initially debugged in a test system prior to downloading to the target system of the running plant.


Engineering system
ES software
Standard engineering software
Multi-project engineering
Multi-project engineering permits division of a large complex project into several subprojects in accordance with technological criteria in order to allow several teams to work on the project in parallel. To achieve this, a host "Multi-project" is defined in the SIMATIC Manager. Individual (sub)projects can be inserted into or removed from a multi-project at any time. Similarly, projects can be divided or combined (Branch & Merge). Central configuration functions for multi-projects help to reduce the configuration overhead. For example, a hierarchy folder can be created in the current project and also automatically in all other projects. It cannot be modified there, but objects can be inserted. All block types used in a multi-project can also be updated centrally. The (sub)projects belonging to a multi-project are saved on a central server and can be sent to local engineering stations for editing. The engineering performance is then not affected by network access.

Branch & Merge
Branch & Merge supports the division and combination of projects from the technological viewpoint. Charts or plant units can be copied into another project and edited there. Interconnections which are not specific to a project, typically for interlocking, become text interconnections. When merging, charts with the same name are overwritten in the original object, and text interconnections, even those which you have entered yourself, can be closed by pressing a button.

Project views
The SIMATIC Manager supports the various tasks for creating a plant project by means of the following project views:
- Component view (HW-Config) for configuration of hardware such as automation systems, bus components or process I/O
- Process object view as the central development environment for all aspects of process tags/objects

The process object view of the SIMATIC Manager supports the work of a process engineer by providing a universal view of the process tag. It shows the technological hierarchy of the plant (presented in tree form) in combination with a tabular view of all aspects of the process tag/object (general data, parameters, signals, messages, image objects and measured value archives). This provides the technologist with fast orientation. All objects in the marked branch of the hierarchy are displayed in the table so that they can be directly processed with user-friendly edit, filter, replace, import and export functions. A special test mode offers the facility for testing process tags and CFCs online and for starting them up. The OS areas and the image hierarchy for process control, as well as the SIMATIC PCS 7 asset management, can be derived from the technological hierarchy. Furthermore, it also forms the basis for the plant-oriented identification of process objects. Common displays can be positioned in pictures by means of the image hierarchy, and automatically linked to subordinate images. The configuration engineer is only responsible for the correct positioning. Since the number of common display fields and their semantics can be configured, it is also possible to implement customized alarm configurations. Using the process object view, "Smart Alarm Hiding" can also be configured. This refers to the dynamic hiding of alarms of blocks technologically grouped in a plant unit that, depending on the operating state of this plant unit, are of less importance, e.g. startup, servicing etc. By checking various option boxes in the alarm matrix of the process object view, you can define the show/hide status of the alarms individually for as many as 32 operating states. Although hidden alarms are not signaled visually and audibly, they are still logged and archived as before.

Component view: hardware configuration in the SIMATIC Manager with HW-Config

Process object view


Engineering system
ES software
Standard engineering software
Continuous function chart (CFC)
The CFC editor is the tool for graphical configuration and commissioning of continuous automation functions. Pre-engineered function blocks can be positioned, configured and interconnected within CFCs with the support of powerful autorouting and integral configuration of HMI messages. Special configuration techniques such as chart-in-chart for implementing hierarchical plans or the multiple usage of chart block types (chart compiled as block type) or SFC types (standardized sequential controls) in the form of instances offer an additional rationalization potential. When creating a new CFC, a new runtime group with the same name as the chart is created. All the blocks that are subsequently entered in the chart are automatically added to this runtime group. Each block is therefore already assigned runtime properties when inserted, and these properties can be optimized by means of modifications in the runtime editor or by using algorithms. The algorithm first determines the optimum block sequence separately for each runtime group, and then the optimum sequence of runtime groups. In addition to convenient editing functions, the scope of CFC functions also includes powerful test and commissioning functions as well as individually configurable documentation functions.

Sequential function chart (SFC)
The SFC editor is used for the graphical configuration and commissioning of sequential controls for batch production operations. It possesses convenient editing functions as well as powerful test and commissioning functions. Using a sequential control, basic automation functions usually created using CFC are controlled and selectively processed by means of changes in operating mode and status. Depending on the subsequent use, the sequential controls can be created either as an SFC plan or an SFC type.

SFC plan
The SFC plan can be used to implement sequential controls which can be applied once and which access several partial areas of the production plant. Each SFC plan contains standardized inputs and outputs for status information and for control by the user program or the user. The SFC plan can be positioned and linked as a block in the CFC. The required CFC block connections are selected by simple operations and connected to the steps or transitions of the step chains. An ISA 88-conformant status manager enables the configuration of up to 8 separate sequence chains within a single SFC, e.g. for states such as HOLDING or ABORTING, for SAFE STATE or for different operating modes.

SFC type
SFC types are standardized sequential controls which can be applied repeatedly and which access one partial area of the production plant. They can be organized in libraries, and handled like normal function blocks, i.e. they can be selected from a catalog and positioned, interconnected and parameterized as an instance in a CFC plan. Changes to the original automatically result in corresponding changes in all instances. An SFC type may contain up to 32 sequences. Using the function "Create/update block symbols", a block symbol is automatically positioned and interconnected in the associated process display for all SFC instances with HMI features.

Continuous function chart

Sequential function chart


Engineering system
ES software
Standard engineering software
I&C libraries
Preconfigured and tested blocks, faceplates and symbols are organized in I&C libraries and form the basic elements for the graphic configuration of automation solutions. The use of these library elements plays a major role in minimizing the engineering input and project costs.

The comprehensive range of blocks includes simple logic and driver blocks, technological blocks with integral alarming and HMI features such as PID controllers, motors or valves, and also blocks for the integration of PROFIBUS field devices according to the PROFIBUS PA profile 3.0 (including standardized evaluation of the process value status).

PID Tuner
The PID Tuner is a function integrated in the CFC for optimization of the CTRL_PID and CTRL_S software controllers. The optimum parameters for a control loop can then be determined for PID, PI and P control modes in defined steps. The tool is suitable for optimizing controlled systems with or without an integral component. Optimization can be carried out in manual or automatic mode. The transient response of the controllers with the determined parameters can be checked by defining jumps. The controller parameters can be saved, and recalled as required. During determination of the controller parameters, the typical controller values (actual value, setpoint, manipulated variable) are recorded by a trend function.

Graphics designer and faceplate designer
The project data for the engineering of the operator systems are organized with the SIMATIC Manager. All the data relevant to operation and monitoring of a process tag, such as messages and HMI variables, are generated automatically during definition of the automation function. A powerful graphics designer is available for the generation of process displays. In addition to the standard faceplates, the faceplate designer is used to simply generate customized faceplates for operation and monitoring of process tags or plant components. Block symbols can be conveniently interconnected to process tags using Drag & Drop.

DOCPRO
DOCPRO is a tool for effective generation and management of plant documentation in accordance with defined standards. DOCPRO permits you to structure your project data in any manner, to process them in the form of standardized circuit manuals, and to print them in a uniform layout. You can incorporate your own cover sheets, layouts, graphics, logos or title block data. It is easy to control printing, i.e. you can specifically output individual parts of the project or all project data on the printer.

Examples of editable OS standard displays (faceplates) from the PCS 7 library


Automation systems
Safety-related automation systems

Overview
Safety-related automation systems are used for critical applications where a fault could endanger life or result in damage to the plant or the environment. These F/FH systems, frequently referred to as "fail-safe automation systems", detect both faults in the process and their own internal faults in association with the safety-related F-modules of the ET 200 distributed I/O systems or fail-safe transmitters connected directly via the fieldbus. They automatically transfer the plant to a safe state in the event of a fault.

The safety-related SIMATIC PCS 7 automation systems are based on the hardware of the AS 414H and AS 417H automation systems, which has been expanded by safety functions by means of the S7 F Systems software package. Two design versions are available:
- Single-channel AS 414F or AS 417F (with one CPU, safety-related)
- Fault-tolerant AS 414FH or AS 417FH (with two redundant CPUs, safety-related and fault-tolerant)
All F/FH systems listed are TÜV-certified and comply with the safety requirements up to SIL 3 according to IEC 61508. The redundancy of the FH systems is only used to increase the availability. It is not relevant to processing of the safety functions and the associated fault detection.

In the systems with multitasking capability, several programs can be executed simultaneously in one CPU: basic process control (BPCS) applications or also safety-related applications. The programs are without feedback, i.e. faults in BPCS applications have no effect on safety-related applications, and vice versa. Special tasks with very short response times can also be implemented.

The redundant FH systems operating according to the 1-out-of-2 principle consist of two subsystems of identical design. These are electrically isolated from each other to achieve optimum EMC, and are synchronized with each other via fiber-optic cables. A bumpless switchover is made from the active subsystem to the standby subsystem in the event of a fault. The two subsystems can be present in the same rack or separated by up to 10 km. The spatial separation provides additional security in the case of extreme influences in the environment of the active subsystem, e.g. resulting from a fire.
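The Overview states that the F/FH systems detect their own internal faults, and the Function section of this datasheet describes the mechanism as redundant, diverse instruction processing with a subsequent comparison of results. The following Python is an added illustration of that principle and is not Siemens code: the SafeBool encoding, the interlock logic and the fault-injection switch are constructed for the example and do not reproduce the S7 F Systems data format.

```python
"""Diverse redundant evaluation of a safety interlock with result comparison (constructed model)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SafeBool:
    """A boolean stored twice, plain and inverted, so that a corrupted copy is
    detectable. Constructed model; not the S7 F Systems fail-safe data format."""
    value: bool
    inverted: bool

    @classmethod
    def of(cls, v: bool) -> "SafeBool":
        return cls(v, not v)

    def consistent(self) -> bool:
        return self.value == (not self.inverted)


def trip_channel_a(high_pressure: SafeBool, high_temp: SafeBool, cooling_ok: SafeBool) -> bool:
    """Channel A: the interlock in its direct form on the plain copies.
    True means: trip the unit into its safe state."""
    return high_pressure.value or (high_temp.value and not cooling_ok.value)


def run_channel_b(high_pressure: SafeBool, high_temp: SafeBool, cooling_ok: SafeBool) -> bool:
    """Channel B: the same interlock in De Morgan form on the inverted copies,
    so that different instructions and different data bits are used.
    True means: the unit may keep running (i.e. NOT trip)."""
    return high_pressure.inverted and (high_temp.inverted or cooling_ok.value)


def evaluate(high_pressure: SafeBool, high_temp: SafeBool, cooling_ok: SafeBool,
             inject_fault: Optional[str] = None) -> Tuple[bool, Optional[str]]:
    """Run both channels and compare. Returns (trip, detected_fault).
    Any detected fault forces trip=True, i.e. the safe state.
    inject_fault is a test hook: 'channel_a' or 'channel_b' flips that channel's
    result to simulate a faulty instruction or a bit flip in its memory section."""
    for name, signal in (("high_pressure", high_pressure),
                         ("high_temp", high_temp),
                         ("cooling_ok", cooling_ok)):
        if not signal.consistent():
            return True, f"data corruption in {name}"
    a = trip_channel_a(high_pressure, high_temp, cooling_ok)
    b = run_channel_b(high_pressure, high_temp, cooling_ok)
    if inject_fault == "channel_a":
        a = not a
    elif inject_fault == "channel_b":
        b = not b
    if a == (not b):               # both channels agree once B is mapped back
        return a, None
    return True, "result comparison mismatch"


def demo() -> List[Tuple[bool, Optional[str]]]:
    """Two healthy evaluations, then a processing fault and a data fault."""
    hp, ht = SafeBool.of(False), SafeBool.of(True)
    return [
        evaluate(hp, ht, SafeBool.of(True)),                          # hot but cooled: run
        evaluate(hp, ht, SafeBool.of(False)),                         # hot, no cooling: trip
        evaluate(hp, ht, SafeBool.of(True), inject_fault="channel_a"),
        evaluate(hp, SafeBool(True, True), SafeBool.of(True)),        # corrupted copy
    ]


if __name__ == "__main__":
    for trip, fault in demo():
        print("trip" if trip else "run", fault or "")
```

The comparison only tells the two channels apart because they differ in both data (plain versus inverted copies) and instruction sequence (direct versus De Morgan form); a single wrong instruction or flipped bit then shows up as a disagreement, and the evaluation falls back to the safe state instead of trusting either channel.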


Automation systems
Safety-related automation systems

Design
[Figure: design versions for safety-related systems]
- Single-channel, non-redundant configuration: AS 414F / AS 417F with ET 200M stations (F-modules) over PROFIBUS DP; distributed I/O and direct fieldbus interfacing.
- Redundant, high-availability and fault-tolerant configuration: AS 414FH / AS 417FH with Flexible Modular Redundancy at module or device level (ET 200M with F- and standard modules, module or channel redundancy over several separate stations; ET 200S with F- and standard modules; ET 200M with standard modules via Y-Link) and direct fieldbus interfacing via DP/PA Link with redundant DP/PA couplers, active field splitters/distributors and PROFIBUS PA.

Design versions for safety-related systems

In general, two design versions are differentiated across all architectural levels of a system based on Safety Integrated for Process Automation:
- Single-channel, non-redundant design
- Redundant, fault-tolerant design
These two design versions are very variable and offer a wide scope for design with regard to different customer requirements. Standard (basic process control) and safety-related functions can be combined flexibly, not only in the area of the distributed I/O. Even at the controller level, they can be combined in one system or kept separate. In addition, there are numerous possibilities arising from the use of flexible modular redundancy.

At the individual architectural levels (controller, fieldbus, distributed I/O) the configuration alternatives shown in the figure are available depending on the distributed I/O used (ET 200M and ET 200S remote I/O stations or PROFIBUS PA devices according to Profile 3.0).


Automation systems
Safety-related automation systems

Function
Safety functions
The safety functions of an application are implemented by the safety-related program executed in the CPU of the F/FH systems together with the safety-related F-modules of the ET 200 distributed I/O systems or directly by failsafe transmitters connected via the fieldbus. The PROFIsafe profile is used for the safe PROFIBUS DP communication between CPU and process I/O. PROFIsafe expands the message frames by additional information with which the PROFIsafe communications partners can recognize and compensate transmission errors such as delays, incorrect sequences, repetitions, losses, faulty addressing or data falsification.

Standard modules can be used in F/FH systems in addition to safety-related F-modules: mixed in a remote I/O station or in separate stations, in a common PROFIBUS segment or in separate PROFIBUS segments. Basic process control (BPCS) applications and safety applications can be automated in such mixed configurations with one and the same system and configured with uniform standard tools. One CPU processes BPCS and safety functions in parallel. Mutual interference during processing is prevented by ensuring that the BPCS programs and the safety-related programs are kept strictly separate and that the data exchange is by means of special conversion function blocks.

The safety functions are processed twice in different sections of a CPU by means of redundant, diverse instruction processing. Potential errors are detected by the system during the subsequent comparison of results.

The S7 F Systems engineering tool as a component of the SIMATIC Manager allows parameterization of the F/FH systems and the safety-related F-modules from the ET 200 series. It supports configuration by means of functions for:
- Comparison of safety-related F-programs
- Recognition of changes in the F-program using the checksum
- Separation of safety-related and standard functions.
Access to the F-functions can be password-protected.

The F-block library integrated in S7 F Systems contains predefined function blocks for generation of safety-related applications with the CFC or the SIMATIC Safety Matrix based on it. The certified F-blocks are extremely robust and intercept programming errors such as division by zero or out-of-range values. They avoid the need for diverse programming tasks for detecting and reacting to errors.
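The PROFIsafe description above lists the transmission errors a safety layer must detect on top of the standard fieldbus: delay, incorrect sequence, repetition, loss, faulty addressing and data falsification. The following Python is an added example of a consumer-side check for each of those error classes; it is not Siemens code and does not reproduce the real PROFIsafe frame layout, CRC or parameter set, which the datasheet does not describe. The frame fields (source and destination address, consecutive number, CRC-16), the watchdog time and the sample addresses are constructed for the example.

```python
"""Consumer-side checks of a safety-layer container carried over a standard
fieldbus (constructed model of the PROFIsafe idea, not the real profile)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FAILSAFE_PAYLOAD = b"\x00\x00"   # substitute values delivered while the channel is passivated


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE; constructed choice, not the PROFIsafe CRC."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


@dataclass(frozen=True)
class SafetyFrame:
    src: int        # producer's safety address (constructed 16-bit field)
    dst: int        # consumer's safety address
    seq: int        # consecutive number 0..255, wraps around
    payload: bytes  # process data
    crc: int        # CRC over src, dst, seq and payload


def frame_body(src: int, dst: int, seq: int, payload: bytes) -> bytes:
    return src.to_bytes(2, "big") + dst.to_bytes(2, "big") + bytes([seq % 256]) + payload


def build_frame(src: int, dst: int, seq: int, payload: bytes) -> SafetyFrame:
    """Producer side: attach the consecutive number and the CRC."""
    return SafetyFrame(src, dst, seq % 256, payload,
                       crc16_ccitt(frame_body(src, dst, seq, payload)))


class SafetyConsumer:
    """Accepts a frame only if CRC, addressing, timing and sequence are all in
    order; otherwise passivates and outputs fail-safe substitute values."""

    def __init__(self, my_addr: int, peer_addr: int, watchdog_ms: int, now_ms: int) -> None:
        self.my_addr, self.peer_addr, self.watchdog_ms = my_addr, peer_addr, watchdog_ms
        self.last_seq: Optional[int] = None
        self.last_ok_ms = now_ms
        self.passivated = False

    def reintegrate(self, now_ms: int) -> None:
        """Operator acknowledgement: leave passivation and resynchronise the sequence."""
        self.passivated = False
        self.last_seq = None
        self.last_ok_ms = now_ms

    def _fault(self, f: SafetyFrame, now_ms: int) -> Optional[str]:
        if self.passivated:
            return "passivated"
        if crc16_ccitt(frame_body(f.src, f.dst, f.seq, f.payload)) != f.crc:
            return "data falsification"
        if f.dst != self.my_addr or f.src != self.peer_addr:
            return "faulty addressing"
        if now_ms - self.last_ok_ms > self.watchdog_ms:
            return "delay"
        if self.last_seq is not None:
            step = (f.seq - self.last_seq) % 256    # wrap-aware distance
            if step == 0:
                return "repetition"
            if step >= 128:
                return "incorrect sequence"         # an older frame arriving late
            if step > 1:
                return "loss"                       # step-1 frames are missing
        return None

    def receive(self, f: SafetyFrame, now_ms: int) -> Tuple[bytes, Optional[str]]:
        fault = self._fault(f, now_ms)
        if fault is not None:
            self.passivated = True
            return FAILSAFE_PAYLOAD, fault
        self.last_seq, self.last_ok_ms = f.seq, now_ms
        return f.payload, None


def demo() -> List[Optional[str]]:
    """Drive one consumer through every error class; returns the fault verdicts."""
    src, dst = 0x0101, 0x0201                       # constructed addresses
    c = SafetyConsumer(my_addr=dst, peer_addr=src, watchdog_ms=100, now_ms=0)
    fr = [build_frame(src, dst, n, bytes([1, n])) for n in range(8)]
    verdicts: List[Optional[str]] = []
    verdicts.append(c.receive(fr[0], 10)[1])        # normal
    verdicts.append(c.receive(fr[1], 20)[1])        # normal
    verdicts.append(c.receive(fr[1], 30)[1])        # same frame again: repetition
    c.reintegrate(40)
    verdicts.append(c.receive(fr[2], 50)[1])        # resynchronised
    verdicts.append(c.receive(fr[4], 60)[1])        # frame 3 never arrived: loss
    c.reintegrate(70)
    verdicts.append(c.receive(fr[4], 80)[1])
    verdicts.append(c.receive(fr[2], 90)[1])        # stale frame: incorrect sequence
    c.reintegrate(100)
    verdicts.append(c.receive(fr[5], 300)[1])       # 200 ms since last good frame: delay
    c.reintegrate(300)
    tampered = SafetyFrame(fr[6].src, fr[6].dst, fr[6].seq, b"\xff\xff", fr[6].crc)
    verdicts.append(c.receive(tampered, 305)[1])    # payload changed, CRC stale: falsification
    c.reintegrate(310)
    stray = build_frame(src, 0x0202, 7, b"\x01\x07")
    verdicts.append(c.receive(stray, 320)[1])       # meant for another consumer: addressing
    return verdicts
```

The order of the checks matters: the CRC is verified first because nothing else in the frame can be trusted before it, the addresses next, and only then timing and sequence. The watchdog compares against the last accepted frame, so a burst of corrupted frames also ends in a timeout, and after any fault the consumer stays passivated with substitute values until an explicit reintegration.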

Selection and Ordering Data

F-Runtime license
For processing safety-related application programs, for one AS 414F/FH or AS 417F/FH system
Order No. 6ES7 833-1CC00-6YX0

AS 414F/FH and AS 417F/FH engineering (see Chapter "Engineering system")
S7 F Systems V5.2
F programming tool with F block library for programming safety-related user programs on the engineering system, comprising F program software and function block library, single license, 2 languages (German, English)
Type of delivery: Certificate of license and authorization diskette; software and electronic documentation on CD
Order No. 6ES7 833-1CC00-0YX0

Options

Ordering information
An AS 414H or AS 417H system is required as the hardware for a safety-related automation system. The following H systems can be used depending on the type and structure of the safety-related automation system:
- For single-channel AS 414F or AS 417F safety-related systems: one AS 414-1H or AS 417-1H each
- For fault-tolerant and safety-related AS 414FH or AS 417FH systems:
  - With both subsystems in one rack: one AS 414-2H or AS 417-2H each
  - With the two subsystems in different racks: two AS 414-1H or AS 417-1H each
You require the following components in addition:
- S7 F Systems: F programming tool with F block library for programming safety-related user programs on the engineering system (see Section "Engineering system")
- F Runtime license: For processing safety-related user programs, for one AS 414F/FH or AS 417F/FH system
- Option: SIMATIC Safety Matrix, the convenient safety lifecycle tool for configuration of operation and servicing (see Section "Engineering system")

Siemens ST PCS 7 March 2007

Siemens AG 2007

Process I/O
ET 200M distributed I/O
Introduction

Overview
Within the ET 200 range, ET 200M represents the main series of distributed I/O systems for process control applications with SIMATIC PCS 7. The ET 200M has a versatile range of I/O modules of S7-300 design, including ones with special I&C functions:
- Standard analog and digital modules
- Redundant I/O modules (DI 16 x DC 24 V, with diagnostics capability; DO 32 x DC 24 V/0.5 A; AI 8 x 12 bit)
- I/O modules with enhanced diagnostics capability
- Ex I/O modules
- Controller and counter modules
- HART modules
- F-modules for safety-related applications

When using active bus modules, faulty I/O modules can be replaced while the plant is in operation (RUN) without influencing adjacent modules (hot swapping function). The following actions are possible with the automation system in RUN:
- Addition of new modules within a station
- Reparameterization of modules
- Addition of ET 200M stations

The connected HART field devices can be parameterized using SIMATIC PDM.

Note: Apart from these selected modules it is also possible to use - with limitations in functions - all other I/O modules from the current range of S7-300 signal modules.

Design
An ET 200M remote I/O station comprises 1 or 2 (redundant) power supply modules (can be omitted in the case of a central 24 V DC supply for the plant), 1 or 2 (redundant) IM 153 interface modules for connection via PROFIBUS DP with transmission rates of up to 12 Mbit/s, as well as up to 8 I/O modules for connection of sensors/actuators. All I/O modules have optical electrical isolation from the backplane bus. Up to 8 modules can be connected to an interface module. The interface modules can also have a redundant design if required.

In addition to the standard SIMATIC S7 I/O modules, special I/O modules with diagnostics capability offer the following functions, among others:
- Channel-based diagnostics, e.g. open-circuit, short-circuit, limit violations
- Internal module monitoring, e.g. parameterization error, RAM error, tripped fuse
- Flutter monitoring for sensors
- Pulse stretching
- Output of a selectable substitute value on failure of the central processing unit

In the event of a fault, the modules with diagnostics capability automatically pass on the corresponding message to the operator station, permitting fast and simple troubleshooting.

The ET 200M can be used in standard environments and also in Ex zones 2 and 22. The actuators/sensors can be positioned in Ex zones 1 and 21 when suitable Ex input/output modules are used. Hot swapping of I/O modules within Ex zones 2 and 22 is allowed with the right permit (e.g. fire certificate).

Technical specifications
You can find detailed technical data on the ET 200M and S7-300 I/O modules in Catalog ST 70 or in the Mall / Catalog CA 01 under "Industrial automation systems / Controllers / SIMATIC S7".

Options
SIPLUS extreme range for extended temperature ranges and corrosive environments
The "standard" properties of an individual device or system are often insufficient for harsh environmental conditions, applications in corrosive environments or extreme temperature ranges. Depending on the location of use, the result could be limitations in functionality or operational safety or even total failure of the plant. The SIPLUS extreme range offers individually adapted standard products which permit retention of the functionality of your plant or process even under extreme conditions of use. These include:
- Ambient temperature range from -25 °C to +60/+70 °C
- Condensation, high humidity
- Increased mechanical stress
- Extreme loading by media, e.g. toxic atmospheres
- Voltage ranges deviating from the standard
- Increased degree of protection (dust, water)

You can find a summary of the available range of products classified according to their special properties on the Internet. The corresponding SIPLUS product is assigned there to the standard product.

Note: SIPLUS products are also included in the Catalog ST 70. Additional information is available on the Internet under:
http://www.siemens.com/siplus


Process I/O
ET 200M distributed I/O
Interface module

Overview
An IM 153-2 High Feature interface module is needed to connect the ET 200M to the PROFIBUS DP fieldbus. It supports the following functions:
- HART configuring of intelligent field devices
- Configuration of ET 200M I/Os in RUN mode of the automation system
- Connection to redundant AS 414H / AS 417H automation systems
- Use of ET 200M function modules (controller and counter modules)

This interface module is also available in a fiberoptic (FO) version for connecting to an optical PROFIBUS.

Note: Additional plastic fiberoptic cables and an assembly set for Simplex connectors are required in order to use the IM 153-2 FO (see "Plastic fiberoptic cables" in the Section "Communications/PROFIBUS").

In order to use the hot swapping function, you must also use the active bus module and the profile rail for hot swapping (see following Section "Accessories").

Selection and Ordering Data
- IM 153-2 High Feature: slave interface module for connection of an ET 200M to PROFIBUS DP, with time stamp (accuracy 1 ms), support of HART functionality, F modules, FM modules, "Configuration in RUN" function; also for use in redundant systems. Order No. 6ES7 153-2BA01-0XB0
- IM 153-2 FO High Feature: slave interface module for connection of an ET 200M to optical PROFIBUS DP; support of HART functionality, F modules, FM modules, "Configuration in RUN" function; also for use in redundant systems. Order No. 6ES7 153-2BB00-0XB0

B) Subject to export regulations: AL: N, ECCN: EAR99H


Process I/O
ET 200M distributed I/O
Bundles

Overview
The following preassembled bundles are available for the ET 200M:
- I/O subsystem ZuS for ET 200M with hot swapping function, comprising
  - DIN rail for active bus modules,
  - PS/IM bus module and
  - IM 153-2 High Feature bus interface module
- IM 153 redundancy bundle, comprising two IM 153-2 High Feature bus modules and one active IM/IM bus module for operating the ET 200M on the fault-tolerant AS 414H / AS 417H automation system

Selection and Ordering Data
- I/O Subsystem ZuS ET 200M with hot swapping of modules, comprising profile rail for 482-mm (19-inch) active bus modules, PS/IM bus module and IM 153-2 High Feature bus interface module for support of HART functionality, F modules, FM modules, "Configuration in RUN" function; also for use in redundant systems. Order No. 6ES7 654-0XX07-1XA0 B)
- IM 153 Redundancy Bundle consisting of two IM 153-2 High Feature modules and one IM/IM active bus module, for operation of the ET 200M on the AS 414H / AS 417H fault-tolerant automation system. Order No. 6ES7 153-2AR02-0XA0

B) Subject to export regulations: AL: N, ECCN: EAR99H


Process I/O
ET 200M distributed I/O
F-modules

Overview
The safety functions of the AS 414F/FH and AS 417F/FH automation systems are matched to the safety-related I/O modules (F-modules) of the ET 200M distributed I/O system. The F-signal modules (DI/DO/AI) in the ET 200M remote I/O stations are able to guarantee plant safety even in the event of a CPU failure. They are of redundant design, and can diagnose both internal and external faults. They carry out self-tests for this purpose, e.g. for short-circuit or wire breakage, and automatically monitor the discrepancy time defined in the parameter settings. They comply with the requirements up to SIL 3 (IEC 61508) or AK 6 (VDE 0801).

The input modules operate internally with single-channel evaluation (SIL 2 sensors), 2-out-of-2 evaluation (SIL 3 sensors) or 2-out-of-3 channel evaluation (only F-AI module). A safety response is triggered immediately if there are any differences. The type of evaluation influences the number of usable inputs (channels). For example, only half of the existing inputs are available in the case of 2-out-of-2 channel evaluation. The digital output modules enable safe disconnection through a second disconnect path in the event of a faulty output.

Selection and Ordering Data
- SM 326F failsafe digital input module for floating contacts, 24 inputs, 24 V DC, floating in groups of 12, redundant design possible; 4 short-circuit-resistant sensor power supplies, each for 6 channels, isolated in groups of 3:
  - External sensor power supply possible
  - SIL 2: single-channel evaluation, 24 channels
  - SIL 3: 2-out-of-2 evaluation on the module, 12 channels (adjustable discrepancy time)
  - Short-circuit monitoring to L+
  - Discrepancy monitoring
  - Diagnostics inside module
  - PROFIsafe telegram
  - Front connector required: 40-contact
  Order No. 6ES7 326-1BK01-0AB0
- SM 326F failsafe digital input module, 8 inputs, NAMUR [EEx ib], isolated by channel, redundant design possible; 8 short-circuit-resistant sensor power supplies, each for 1 channel, mutually isolated:
  - SIL 2: single-channel evaluation, 8 channels
  - SIL 3: 2-out-of-2 evaluation on the module, 4 channels (adjustable discrepancy time)
  - Wire break and short-circuit monitoring (for contacts with external resistor circuit)
  - Discrepancy monitoring
  - Diagnostics inside module
  - PROFIsafe telegram
  - Front connector required: 40-contact
  Order No. 6ES7 326-1RF00-0AB0
- SM 326F failsafe digital output module, suitable for solenoid valves, DC contactors and signal lamps, 10 outputs, 24 V DC, 2 A, floating in groups of 5, redundant design possible (outputs with internal diode):
  - SIL 2, SIL 3 parameterizable (10 channels)
  - P/P-switching (for non-floating loads; ground and earth connected together)
  - Wire break and short-circuit monitoring
  - Diagnostics inside module
  - PROFIsafe telegram
  - Front connector required: 40-contact
  Order No. 6ES7 326-2BF01-0AB0
- SM 326F failsafe digital output module, 8 outputs, 24 V DC, 2 A, floating in groups of 4:
  - SIL 2, SIL 3 parameterizable (8 channels)
  - P/M-switching (for floating loads; ground and earth separate)
  - Wire break and short-circuit monitoring
  - Diagnostics inside module
  - PROFIsafe telegram
  - Front connector required: 40-contact
  Order No. 6ES7 326-2BF40-0AB0


Process I/O
ET 200M distributed I/O
F-modules

Selection and Ordering Data
- SM 336F failsafe analog input module, 6 inputs, 4...20 mA, redundant design possible:
  - Isolated from the backplane bus
  - 2-wire or 4-wire connection
  - SIL 2: two-channel evaluation, 6 sensors
  - SIL 3: two-channel evaluation, 12 sensors (adjustable tolerance window)
  - Wire break monitoring
  - Tolerance monitoring between 2 sensors (SIL 3)
  - Diagnostics inside module
  - PROFIsafe telegram
  - Front connector required: 40-contact
  Order No. 6ES7 336-4GE00-0AB0, 6ES7 336-1HE00-0AB0
- Isolating module for F modules, 40 mm wide; for isolation of F and standard modules in an ET 200M rack; for signal isolation when using a copper bus connection (only F modules in a rack with IM 153-2). Order No. 6ES7 195-7KF00-0XA0
- Isolating bus module, 80 mm wide, for isolating module, when using an active backplane bus. Order No. 6ES7 195-7HG00-0XA0

Options
Isolating module
The following components are available as accessories for the F modules:
- Isolating module
  - For isolation of F and standard modules in an ET 200M remote I/O station
  - For signal isolation when using a copper bus connection (only F modules in an ET 200M remote I/O station with IM 153-2)
- Isolating bus submodule for isolating module, when using an active backplane bus

[Figure: ET 200M rack with IM 153-2 on PROFIBUS (copper connection or fiber-optic cable), isolating module for isolation of standard and F-modules, isolating bus submodule for the active backplane bus; the isolating module is only required for SIL 3 operation, SIL 2 is also possible without isolating module]

Note: The isolating module for F modules and the isolating bus submodule can only be used together. The 40-mm wide gap cannot be used for other modules.
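The evaluation modes the F-module overview and the SM 336F entry describe (single-channel, 2-out-of-2 with a discrepancy time, 2-out-of-3 with a tolerance window) can be modelled to see why a discrepancy halves the usable channels and when a mismatch becomes a fault. The following Python is an added example, not Siemens code; holding the last agreed value during the discrepancy time and the 3.6 mA wire-break limit are assumptions of the model, not catalog values.

```python
# Added example, not Siemens code: a model of the channel-evaluation modes the
# catalog text describes for the ET 200M F-modules (1oo1, 2oo2 with
# discrepancy time, 2oo3 with tolerance window). Hold-last-value during the
# discrepancy time and the 3.6 mA wire-break limit are assumptions of this
# model, not values taken from the catalog.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence, Tuple


class Mode(Enum):
    ONE_OO_ONE = "1oo1"    # SIL 2: single-channel evaluation
    TWO_OO_TWO = "2oo2"    # SIL 3: a sensor pair must agree
    TWO_OO_THREE = "2oo3"  # SIL 3 analog: majority of three sensors


def usable_channels(physical_inputs: int, mode: Mode) -> int:
    """Process values a module can deliver: 2oo2 pairs inputs, 2oo3 groups
    three, so the evaluation mode reduces the usable channel count."""
    if mode is Mode.ONE_OO_ONE:
        return physical_inputs
    if mode is Mode.TWO_OO_TWO:
        return physical_inputs // 2
    return physical_inputs // 3


@dataclass
class Result:
    value: object        # value handed to the F-CPU (None = substitute/safe)
    fault: bool          # True: module reports a fault and passivates the channel
    reason: str = ""


@dataclass
class TwoOoTwoDigital:
    """2oo2 evaluation of one digital sensor pair with discrepancy-time
    monitoring: both inputs must agree; a disagreement may last at most
    discrepancy_time_ms before the channel is passivated."""
    discrepancy_time_ms: int
    _last_agreed: bool = False
    _discrepant_since: Optional[int] = None

    def evaluate(self, t_ms: int, ch_a: bool, ch_b: bool) -> Result:
        if ch_a == ch_b:
            self._discrepant_since = None
            self._last_agreed = ch_a
            return Result(ch_a, False)
        if self._discrepant_since is None:
            self._discrepant_since = t_ms
        elapsed = t_ms - self._discrepant_since
        if elapsed > self.discrepancy_time_ms:
            # Disagreement outlived the permitted window: de-energized
            # substitute value (False) and a channel fault.
            return Result(False, True, f"discrepancy for {elapsed} ms")
        # Assumption: the last agreed value is held while the window runs.
        return Result(self._last_agreed, False)


def run_digital_trace(trace: Sequence[Tuple[int, bool, bool]],
                      discrepancy_time_ms: int) -> List[Tuple[bool, bool]]:
    """Feed (t_ms, ch_a, ch_b) samples through one 2oo2 evaluator and return
    the (value, fault) pairs the F-CPU would see."""
    ev = TwoOoTwoDigital(discrepancy_time_ms)
    return [(r.value, r.fault) for r in (ev.evaluate(*s) for s in trace)]


WIRE_BREAK_MA = 3.6  # assumption: lower fault limit of a 4...20 mA loop


def two_oo_three_analog(currents_ma: Sequence[float], tolerance_ma: float) -> Result:
    """2oo3 evaluation of three 4...20 mA sensors: any two readings inside the
    tolerance window form a valid majority. A channel below WIRE_BREAK_MA is
    treated as wire break and excluded; with no agreeing pair the module
    passivates and delivers the substitute value."""
    broken = [i for i, c in enumerate(currents_ma) if c < WIRE_BREAK_MA]
    live = [(i, c) for i, c in enumerate(currents_ma) if i not in broken]
    for n, (_, a) in enumerate(live):
        for _, b in live[n + 1:]:
            if abs(a - b) <= tolerance_ma:
                note = f"wire break on channel(s) {broken}" if broken else ""
                return Result(round((a + b) / 2, 3), False, note)
    return Result(None, True, "no two sensors within tolerance window")


if __name__ == "__main__":
    # Constructed trace: the pair agrees, then channel B drops for 60 ms,
    # which exceeds a 50 ms discrepancy time.
    print(run_digital_trace([(0, True, True), (10, True, False),
                             (40, True, False), (70, True, False),
                             (80, False, False)], 50))
    print(two_oo_three_analog([12.0, 12.1, 2.0], 0.2))
```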


Extract from the online catalog

QUINT-PS-100-240AC/24DC/40
Order No.: 2938879
http://eshop.phoenixcontact.de/phoenix/treeViewClick.do?UID=2938879

DIN rail power supply unit 24 V DC/40 A, primary switched-mode, 1-phase

Commercial data
- EAN: 4017918987091
- Pack: 1 pcs.
- Customs tariff: 85044081
- Weight/Piece: 3.785 kg
- Catalog page information: Page 563 (IF-2009)

Product notes
http://www.download.phoenixcontact.com
Please note that the data given here has been taken from the online catalog. For comprehensive information and data, please refer to the user documentation. The General Terms and Conditions of Use apply to Internet downloads.
WEEE/RoHS-compliant since: 09/15/2006

Product description
QUINT POWER is the high-capacity DC current supply of 60 - 960 watts for universal use worldwide. This is ensured by the wide-range input, one and three-phase versions as well as an international approval package that has yet to be matched. QUINT POWER stands for guaranteed supply: generously dimensioned capacitors guarantee a mains buffering of more than 20 ms under full load. All three-phase devices provide the full output power, even in the event of a continuous phase failure. The Power Boost power reserve easily starts loads with high inrush currents and ensures that fuses are reliably triggered. A preventive function monitoring diagnoses improper operating states and minimizes downtime in your system. Remote monitoring is provided by an active transistor switching output and a floating relay contact. All devices are protected against idling and short circuits and are available with a regulated and adjustable output voltage of 12, 24 and 48 volts DC with output currents of 2.5, 5, 10, 20, 30 and 40 A. The comprehensive range of products is rounded off by power supplies for use in the Ex zone 2, uninterruptible solutions, AS-i power supplies and a Quint diode.

PHOENIX CONTACT GmbH & Co. KG http://www.phoenixcontact.de
Page 1 / 7 May 29, 2009

Technical data

Input data
- Nominal input voltage: 110 V AC ... 240 V AC
- AC input voltage range: 85 V AC ... 264 V AC (derating < 100 V DC: 2.5 %/V)
- DC input voltage range: 90 V DC ... 350 V DC (derating < 110 V DC: 2.5 %/V)
- AC frequency range: 45 Hz ... 65 Hz
- DC frequency range: 0 Hz
- Current consumption: approx. 11 A (120 V AC), approx. 4.5 A (230 V AC)
- Nominal power consumption: 960 W
- Inrush surge current: < 15 A (typical)
- Power failure bypass: > 20 ms (120 V AC), > 20 ms (230 V AC)
- Input fuse: 20 A (fast blow, internal)
- Recommended backup fuse: 16 A, 25 A (characteristic B)
- Name of protection: Transient surge protection
- Protective circuit/component: Varistor

Output data
- Nominal output voltage: 24 V DC ±1 %
- Setting range of the output voltage: 22.5 V DC ... 29.5 V DC (> 24 V constant capacity)
- Output current: 40 A (-25 °C ... 70 °C), 45 A (with POWER BOOST, -25 °C ... 40 °C permanent)
- Connection in parallel: Yes, for redundancy and increased capacity
- Connection in series: Yes
- Max. capacitive load: Unlimited
- Current limitation: approx. IBOOST = 45 A (for short circuit)
- Control deviation: < 1 % (change in load, static 10 % ... 90 %), < 2 % (change in load, dynamic 10 % ... 90 %), < 0.1 % (change in input voltage ±10 %)
- Residual ripple: < 30 mVPP (with nominal values)
- Peak switching voltages: < 50 mVPP (20 MHz)
- Maximum power dissipation idling: 28 W
- Power loss nominal load max.: 80 W

General data
- Width: 240 mm
- Height: 130 mm
- Depth: 125 mm
- Weight: 3.5 kg
- Operating voltage display: LED green
- Efficiency: > 92 % (for 230 V AC and nominal values)
- Insulation voltage input/output: 3 kV AC (type test), 2 kV AC (routine test)
- Degree of protection: IP20
- Class of protection: I, with PE connection
- MTBF: > 500 000 h in acc. with IEC 61709 (SN 29500)
- Ambient temperature (operation): -25 °C ... 70 °C (> 60 °C derating)
- Ambient temperature (storage/transport): -40 °C ... 85 °C
- Max. permissible relative humidity (operation): 95 % (at 25 °C, no condensation)
- Mounting position: Horizontal DIN rail NS 35, EN 60715
- Assembly instructions: Can be aligned: horizontal 0 cm, vertical 5 cm
- Electromagnetic compatibility: Conformance with EMC guideline 2004/108/EC and low-voltage guideline 2006/95/EC
- Emitted interference: EN 50081-2
- Immunity to interference: EN 61000-6-2:2005
- Standard - Electrical equipment of machines: EN 60204
- Standard - Safety of transformers: EN 61558-2-17
- Standard - Electrical safety: EN 60950/VDE 0805 (SELV), EN 61558-2-17
- Standard - Shipbuilding: German Lloyd, ABS, DNV
- Standard - Electronic equipment for use in electrical power installations and their assembly into electrical power installations: EN 50178/VDE 0160 (PELV)
- Standard - Safety extra-low voltage: EN 60950 (SELV), EN 60204 (PELV)
- Standard - Safe isolation / Protection against electric shock: DIN VDE 0100-410, DIN VDE 0106-1010, DIN 57100-410
- Standard - Protection against shock currents, basic requirements for protective separation in electrical equipment: DIN VDE 0106-101
- Standard - Limitation of mains harmonic currents: EN 61000-3-2
- Standard - Equipment safety: GS (tested safety)
- Certificate: CB Scheme
- UL approvals: UL/C-UL Listed UL 508; UL/C-UL Recognized UL 60950; UL/C-UL Listed UL 1604 Class I, Division 2, Groups A, B, C, D
- Surge voltage category: III

Connection data, input
- Type of connection: Screw connection
- Conductor cross section solid min.: 0.2 mm²
- Conductor cross section solid max.: 6 mm²
- Conductor cross section stranded min.: 0.2 mm²
- Conductor cross section stranded max.: 4 mm²
- Conductor cross section AWG/kcmil min.: 24
- Conductor cross section AWG/kcmil max.: 10
- Stripping length: 8 mm
- Screw thread: M3

Connection data, output
- Type of connection: Screw connection
- Conductor cross section solid min.: 0.5 mm²
- Conductor cross section solid max.: 16 mm²
- Conductor cross section stranded min.: 0.5 mm²
- Conductor cross section stranded max.: 10 mm²
- Conductor cross section AWG/kcmil min.: 20
- Conductor cross section AWG/kcmil max.: 6
- Stripping length: 10 mm

Signaling
- Output name: DC OK active
- Output description: UOUT > 0.9 x UN: High signal
- Maximum switching voltage: 24 V
- Output voltage: +24 V DC (signal)
- Maximum inrush current: 40 mA (short circuit resistant)
- Continuous load current: 20 mA
- Status display: "DC OK" LED green
- Note on status display: UOUT < 0.9 x UN: LED flashing
- Conductor cross section solid min.: 0.2 mm²
- Conductor cross section solid max.: 6 mm²
- Conductor cross section stranded min.: 0.2 mm²
- Conductor cross section stranded max.: 4 mm²
- Conductor cross section AWG/kcmil min.: 24
- Conductor cross section AWG/kcmil max.: 10
- Tightening torque, min.: 0.5 Nm
- Tightening torque, max.: 0.6 Nm
- Screw thread: M3
- Output name: DC OK floating
- Output description: Relay contact, UOUT > 0.9 x UN: Contact closed
- Maximum switching voltage: 30 V AC/DC
- Maximum inrush current: 1 A
- Continuous load current: 1 A
- Status display: "DC OK" LED green

Certificates / Approvals
- Certification: ABS, CUL, CUL Listed, DNV, GL, GOST, UL, UL Listed
- Certification Ex: CUL-EX LIS, UL-EX LIS

Accessories
- General: 2938235 UWA 182/52, Universal wall adapter

Drawings
[Block diagram and circuit diagram: not reproduced in this extract]

Address
PHOENIX CONTACT GmbH & Co. KG, Flachsmarktstr. 8, 32825 Blomberg, Germany, Phone +49 5235 3 00, Fax +49 5235 3 41200, http://www.phoenixcontact.de

© 2009 Phoenix Contact. Technical modifications reserved.

Extract from the online catalog

QUINT-PS-100-240AC/24DC/20
Order No.: 2938620
http://eshop.phoenixcontact.de/phoenix/treeViewClick.do?UID=2938620

DIN rail power supply unit 24 V DC/20 A, primary switched-mode, 1-phase

Commercial data
- EAN: 4017918890544
- Pack: 1 pcs.
- Customs tariff: 85044081
- Weight/Piece: 3.06 kg
- Catalog page information: Page 481 (IF-2007)

Product notes
http://www.download.phoenixcontact.com
Please note that the data given here has been taken from the online catalog. For comprehensive information and data, please refer to the user documentation. The General Terms and Conditions of Use apply to Internet downloads.
WEEE/RoHS-compliant since: 03/29/2006

Product description
Identical to the QUINT POWER product description given in the QUINT-PS-100-240AC/24DC/40 extract above.

Technical data

Input data
- Nominal input voltage: 100 V AC ... 240 V AC
- AC input voltage range: 85 V AC ... 264 V AC
- DC input voltage range: 90 V DC ... 350 V DC
- AC frequency range: 45 Hz ... 65 Hz
- DC frequency range: 0 Hz
- Current consumption: approx. 4.76 A (120 V AC), approx. 2.3 A (230 V AC)
- Nominal power consumption: 480 W
- Inrush surge current: < 15 A (typical)
- Power failure bypass: > 25 ms (120 V AC), > 25 ms (230 V AC)
- Input fuse: 12 A (slow-blow, internal)
- Recommended backup fuse: 10 A, 16 A (characteristic B)
- Name of protection: Transient surge protection
- Protective circuit/component: Varistor

Output data
- Nominal output voltage: 24 V DC ±1 %
- Setting range of the output voltage: 22.5 V DC ... 28.5 V DC
- Output current: 20 A (up to 60 °C), 26 A (with POWER BOOST)
- Connection in parallel: Yes, for redundancy and increased capacity
- Connection in series: Yes
- Max. capacitive load: Unlimited
- Current limitation: approx. IBOOST = 26 A (for short circuit)
- Control deviation: < 1 % (change in load, static 10 % ... 90 %), < 2 % (change in load, dynamic 10 % ... 90 %), < 0.1 % (change in input voltage ±10 %)
- Residual ripple: < 10 mVPP (with nominal values)
- Peak switching voltages: < 30 mVPP (20 MHz)
- Maximum power dissipation idling: 3 W
- Power loss nominal load max.: 44 W

General data
- Width: 157 mm
- Height: 130 mm
- Depth: 125 mm
- Weight: 2.5 kg
- Operating voltage display: LED green
- Efficiency: > 92 %
- Insulation voltage input/output: 4 kV AC (type test), 2 kV AC (routine test)
- Degree of protection: IP20
- Class of protection: I, with PE connection
- MTBF: > 500 000 h in acc. with IEC 61709 (SN 29500)
- Ambient temperature (operation): -25 °C ... 70 °C (> 60 °C derating)
- Ambient temperature (storage/transport): -40 °C ... 85 °C
- Max. permissible relative humidity (operation): 95 % (at 25 °C, no condensation)
- Mounting position: Horizontal DIN rail NS 35, EN 60715
- Assembly instructions: Can be aligned: horizontal 0 cm, vertical 5 cm
- Electromagnetic compatibility: Conformance with EMC directive 89/336/EEC
- Emitted interference: EN 50081-2
- Immunity to interference: EN 61000-6-2:2005
- Standard - Electrical equipment of machines: EN 60204
- Standard - Safety of transformers: EN 61558-2-17
- Standard - Electrical safety: EN 60950/VDE 0805 (SELV), EN 61558-2-17
- Standard - Shipbuilding: German Lloyd, ABS
- Standard - Electronic equipment for use in electrical power installations and their assembly into electrical power installations: EN 50178/VDE 0160 (PELV)
- Standard - Safety extra-low voltage: EN 60950 (SELV), EN 60204 (PELV)
- Standard - Safe isolation / Protection against electric shock: DIN VDE 0100-410, DIN VDE 0106-1010, DIN 57100-410
- Standard - Protection against shock currents, basic requirements for protective separation in electrical equipment: DIN VDE 0106-101
- Standard - Limitation of mains harmonic currents: EN 61000-3-2
- Standard - Equipment safety: GS (tested safety)
- Certificate: CB Scheme
- UL approvals: UL/C-UL Listed UL 508; UL/C-UL Recognized UL 60950; UL/C-UL Listed UL 1604 Class I, Division 2, Groups A, B, C, D
- Surge voltage category: III

Connection data, input
- Type of connection: Screw connection
- Conductor cross section solid min.: 0.2 mm²
- Conductor cross section solid max.: 6 mm²
- Conductor cross section stranded min.: 0.2 mm²
- Conductor cross section stranded max.: 4 mm²
- Conductor cross section AWG/kcmil min.: 24
- Conductor cross section AWG/kcmil max.: 10
- Stripping length: 8 mm
- Screw thread: M3

Connection data, output
- Type of connection: Screw connection
- Conductor cross section solid min.: 0.5 mm²
- Conductor cross section solid max.: 16 mm²
- Conductor cross section stranded min.: 0.5 mm²
- Conductor cross section stranded max.: 10 mm²
- Conductor cross section AWG/kcmil min.: 20
- Conductor cross section AWG/kcmil max.: 6
- Stripping length: 10 mm

Signaling
- Output name: DC OK active
- Output description: UOUT > 0.9 x UN: High signal
- Maximum switching voltage: 24 V
- Output voltage: +24 V DC (signal)
- Maximum inrush current: 40 mA
- Continuous load current: 40 mA
- Status display: "DC OK" LED green
- Note on status display: UOUT < 0.9 x UN: LED flashing
- Conductor cross section solid min.: 0.5 mm²
- Conductor cross section solid max.: 16 mm²
- Conductor cross section stranded min.: 0.5 mm²
- Conductor cross section stranded max.: 10 mm²
- Conductor cross section AWG/kcmil min.: 20
- Conductor cross section AWG/kcmil max.: 6
- Tightening torque, min.: 1.2 Nm
- Tightening torque, max.: 1.5 Nm
- Screw thread: M4
- Output name: DC OK floating
- Output description: Relay contact, UOUT > 0.9 x UN: Contact closed
- Maximum switching voltage: 30 V AC/DC
- Maximum inrush current: 1 A
- Continuous load current: 1 A
- Status display: "DC OK" LED green

Certificates / Approvals
- Certification: ABS, CB, CUL, CUL Listed, DNV, GL, GOST, UL, UL Listed
- Certification Ex: CUL-EX LIS, UL-EX LIS

Accessories
- General: 2938235 UWA 182/52, Universal wall adapter

Drawings
[Block diagram: not reproduced in this extract]

Address
PHOENIX CONTACT GmbH & Co. KG, Flachsmarktstr. 8, 32825 Blomberg, Germany, Phone +49 5235 3 00, Fax +49 5235 3 41200, http://www.phoenixcontact.de

© 2009 Phoenix Contact. Technical modifications reserved.

Extract from the online catalog

PR2-BSC3/4X21
Order No.: 2833576
http://eshop.phoenixcontact.de/phoenix/treeViewClick.do?UID=2833576

Relay socket PR2-B, for industrial relay REL-IR with 2 or 4 PDT, 1/3-level version, screw connections, connection facility for input/interference suppression modules, for mounting on NS 35/7.5

Commercial data
- EAN: 4017918933807
- Pack: 10 pcs.
- Customs tariff: 85366990
- Weight/Piece: 0.07315 kg
- Catalog page information: Page 59 (IF-2009)

Product notes
http://www.download.phoenixcontact.com
Please note that the data given here has been taken from the online catalog. For comprehensive information and data, please refer to the user documentation. The General Terms and Conditions of Use apply to Internet downloads.
WEEE/RoHS-compliant since: 08/18/2008

Technical data

Connection data
- Conductor cross section solid min.: 0.2 mm²
- Conductor cross section solid max.: 1.5 mm²
- Conductor cross section stranded min.: 0.2 mm²
- Conductor cross section stranded max.: 1.5 mm²
- Conductor cross section AWG/kcmil min.: 26
- Conductor cross section AWG/kcmil max.: 16
- 2 conductors with same cross section, solid max.: 1.50 mm²
- 2 conductors with same cross section, stranded max.: 1.50 mm²
- 2 conductors with same cross section, AWG max.: 14
- Type of connection: Screw connection
- Stripping length: 7 mm
- Screw thread: M3

General data
- Width: 27 mm
- Depth: 78.5 mm
- Height with retaining bracket: 86 mm (EL2-P35)
- Color: green
- Ambient temperature (operation): -25 °C ... 85 °C
- Ambient temperature (storage/transport): -25 °C ... 85 °C

Certificates / Approvals
- Certification: CSA, UL

Accessories
- General: 2833592 EL2-P35, Relay retaining bracket, with eject function and integrated equipment marking area (8 x 25 mm), to suit relay socket PR2, for 35 mm high industrial relay
- General: 2833644 MP 2, Equipment marker, labeling surface 9 x 25 mm

Address
PHOENIX CONTACT GmbH & Co. KG, Flachsmarktstr. 8, 32825 Blomberg, Germany, Phone +49 5235 3 00, Fax +49 5235 3 41200, http://www.phoenixcontact.de

© 2009 Phoenix Contact. Technical modifications reserved.
