SIMATIC HMI
Fail-safe operation of the Mobile Panel 277F IWLAN
Function Manual

Preface
1 Overview and definition of terms
2 Safety instructions, standards and notes
3 Application Planning
4 Configuration
5 System commissioning
6 Operation
7 Diagnostics

The following supplement is part of this documentation: No.
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. Notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are graded according to the degree of danger.
Preface
Purpose of the function manual
This function manual provides all information required for operation of the Mobile Panel 277F IWLAN in fail-safe systems.
Readership of this function manual:
● Plant designers
● Project engineers
● Commissioning engineers
● Users
● Service technicians
● Maintenance technicians
Please pay particular attention to the "Safety instructions, standards and notes" chapter.
Documentation for fail-safe systems
● System description "Safety technology in SIMATIC S7"
– Provides general information on the use, structure, and mode of operation of the fail-safe automation systems S7 Distributed Safety and S7 F/FH Systems
– Contains detailed technical information which can be represented for the fail-safe technology both in S7-300 and S7-400.
Online availability
The link below guides you to the multilingual technical documentation offered for the SIMATIC products and systems.
"http://www.automation.siemens.com/simatic/portal/html_76/techdoku.htm"
Screens
The HMI device is sometimes represented in the form of photographs in this function manual. The photographs of the HMI device may differ slightly from the factory state of the HMI device.
Representatives and offices
If you have any further questions relating to the products described in this manual, please contact your local representative at the Siemens branch nearest you. Your Siemens representative can be found at "http://www.automation.siemens.com/partner".
Training center
Siemens AG offers a variety of training courses to familiarize you with automation systems.
Table of contents
Preface
1 Overview and definition of terms
1.1 Using the Mobile Panel 277F IWLAN
1.2 Areas in the plant
4.4 S7 Distributed Safety
4.4.1 Checklist: Creation of the safety program
4.4.2 Using F-FBs
A Application example: Safety Functions
A.1 Configuration and operation
A.2 Components and settings used
A.3 Safety program S7 Distributed Safety
Fail-safe operation of the Mobile Panel 277F IWLAN
Function Manual, 08/2008, 6AV6691-1FQ01-2AB0
1 Overview and definition of terms
1.1 Using the Mobile Panel 277F IWLAN
Use
The Mobile Panel 277F IWLAN makes the mobile safety functions emergency stop and enable available at any point of a machine or plant. An effective range limit has been implemented for the Mobile Panel 277F IWLAN. Depending on the operator's location, the operator obtains a safe, electronically monitored operator control enable. The HMI device communicates with an access point via WLAN.
1.2 Areas in the plant
WLAN area
The WLAN area is the area in the plant where the HMI device communicates with other communication nodes over a wireless local area network.
[Figure: WLAN area, labelled "PROFIsafe"]
① Access point is the network transition from WLAN to LAN
② WLAN area in which communication with the access point is possible
③ Mobile panel in the WLAN area; the emergency stop button is active, the enabling buttons are without function.
Effective range
An effective range is the range in which sections of the plant, e.g. a machine, can be operated with the enabling buttons of the HMI device. An effective range is formed physically with transponders that are mounted in the vicinity of the machine. Each transponder has a unique ID. The transponder emits this ID in a lobe-shaped area.
Note
In addition to the effective ranges you can define zones in your project. The zones are not relevant for fail-safe operation. They are used merely to control the project depending on the location of the operator. For example, a picture change can be configured for zone entry or zone exit. Zones and effective range are independent of each other. Additional information on zones is provided in the Operating instructions for the HMI device.
1.3 Switch-off behavior
Introduction
Different switch-off behavior is possible depending on the situation in the plant:
● Emergency stop
● Shutdown
● Local rampdown
● Global rampdown
Plant switch-off differs in its triggers and effects.
DANGER
No switch off triggering
In the plant the described switch-off behavior is only triggered if the F-CPU has been programmed accordingly.
Global rampdown
Global rampdown is triggered if the F-CPU detects a communication error on an HMI device which is integrated in the PROFIsafe communication. Global rampdown is the defined shutdown of the machines assigned in the safety program within a defined time period. Global rampdown is independent of the effective ranges.
1.4 Integration and segregation
Introduction
In fail-safe operation a safety program runs in the F-CPU. This safety program communicates with the HMI device. The F-CPU monitors this communication for errors and analyzes the signals. The terms "integrate" and "segregate" refer to the integration and segregation of the HMI device in/from the safety program of the F-CPU.
1.5 Log on and log off at the effective range
Introduction
An effective range is the range within which plant units, e.g. a machine, can be operated with the enabling buttons of the HMI device. The prerequisite for this is that the operator must log the HMI device on at the effective range.
1.6 Safety-oriented operator controls
Introduction
The Mobile Panel 277F IWLAN has the following elements for safe operation of a process cell:
● Emergency stop button
● Enabling button
1.6.1 Emergency stop button
Introduction
The emergency stop button is designed with 2 channels and enables an emergency stop of the configured system. The emergency stop button satisfies the requirements specified in DIN IEC 60947-5-5:1997 Annex K.
Due to its position, the emergency stop button is equally accessible for both left-handed and right-handed individuals. Due to its profiled design, the emergency stop button is easily accessible. A collared enclosure is used to protect the operator controls against damage. This applies in particular to the emergency stop button. The emergency stop button may still trigger if the HMI device falls and hits the floor.
1.6.2 Enabling button
Introduction
The enabling device consists of the two enabling buttons mounted on both sides of the Mobile Panel 277F IWLAN. The switch setting of the two enabling buttons is determined by electrical momentary contact switches.
Note
The HMI device analyzes the switch settings of the two enabling buttons in the form of an OR gate.
● Panic: The "Panic" switch setting is reached as soon as one of the two enabling buttons is fully pressed. The switch setting of the other enabling button is unimportant in this case. The "Panic" switch setting has the same effect as releasing the enabling button, namely, it revokes the enable.
You only have to activate one enabling button.
1.7 "Override" mode
Introduction
The effective range functionality of the HMI device can be extended through the "override" mode.
Applications
"Override" mode can be used in the following cases:
● Use of existing protective measures instead of the effective range functionality
If protective measures, such as protective fences, are already available in your plant, then you can integrate them in your safety concept with the "override" mode.
Sample configuration
[Figure: sample configuration, labelled "PROFIsafe"]
① Protective fence
② Switch for activating "override" mode
③ Transponder for logging on at the effective range
④ Foot grating for access monitoring
⑤ HMI device
⑥ Machine that will be operated
Activation of the "override" mode
The operator activates "override" mode in the following manner:
1. The operator enters the protected area through a light barrier or across a foot grating.
Operating principle
In the following figure you see the plant area for which "override" mode is active.
[Figure: plant area with active "override" mode, labelled "PROFIsafe"]
If "override" mode is activated, the operator can safely operate the associated plant area with the enabling buttons. The HMI device is considered to be permanently logged on in the effective range, without analyzing the transponder signals.
Deactivation of "override" mode
The operator deactivates "override" mode in the following manner:
1.
2 Safety instructions, standards and notes
2.1 Safety instructions
Safety regulations
WARNING
Injury or material damage
Strictly observe all instructions in this document at all times. Otherwise, hazardous situations can arise or the safety functions integrated in the HMI device can be rendered ineffective. Observe the safety and accident prevention instructions applicable to your application in addition to the safety instructions given in this manual.
Safety measures during operation
WARNING
Non-functional emergency stop button
The emergency stop button must be checked annually for proper function.
WARNING
HMI device failure
After a hard impact to the HMI device, check the safety-relevant features for functional capability, for example in the event that the HMI device is dropped.
Information for handling the battery:
CAUTION
Charging and discharging the battery
In the following cases, there is a risk of fire and, in extreme cases, explosion!
• Incorrect charging and discharging of the battery
• Reverse polarity
• Short-circuit
Only charge the bridging battery in the HMI device. Only charge the main battery in the HMI device or in the charging compartment of the charging station.
2.2 Guidelines, standards, certificates and approvals
Instructions for battery replacement in Mobile Panel 277F IWLAN
CAUTION
Local rampdown of logged on HMI device
If the HMI device which is logged on at the effective range no longer recognizes the transponder and, therefore, the effective range, it triggers a local rampdown. To change the battery, rest the HMI device on its front.
CE approval
The HMI device, charging station, power supply unit, and transponder satisfy the requirements and protection objectives of the EC Directives below.
TÜV
The TÜV confirms that the HMI device satisfies the requirements of the standards below with regard to its safety functions.
● SIL3 to IEC 61508-1 to 4
● Category 4 in accordance with EN 954-1.
● Pl e and Cat.
2.3 Operating safety
2.4 Power supply
Safety specifications
CAUTION
Damage to the HMI device
Only operate the HMI device with approved components:
• Batteries
• Charging station
• For office environments only: Tabletop power supply unit
Order information of the components is available on the Internet at "http://mall.automation.siemens.com".
WARNING
Injury or material damage
You may operate the HMI device in the plant only with the battery or in the charging station.
WARNING
Injury or material damage
Configure the 24 VDC supply for the charging station correctly, otherwise components of your automation system can be damaged and persons may be injured. Use only voltage generated as protective extra-low voltage (PELV) for the 24 VDC supply of the charging station.
CAUTION
Safe electrical separation
Use only power supply units with safety isolation complying with IEC 60364-4-41 or HD 384.04.
2.5 Notes about usage
Tabletop power supply unit
CAUTION
Please note that the mains connector must be removed for a complete disconnection from the mains. Do not operate the HMI device in the plant with the tabletop power supply unit. The tabletop power supply unit is only suitable for an office environment. The device is designed for operation on grounded power supply networks (TN systems to VDE 0100, Part 300, or IEC 364-3).
Use of cable-free control equipment
WARNING
When using cable-free control equipment you must ensure that it does not interfere with other systems at the site, or that other systems do not interfere with it.
2.6 Risk analysis
2.7 Safety functions of the emergency stop button
WARNING
Emergency stop button not available
The emergency stop button on the HMI device must not be used as a replacement for a permanently-wired emergency stop/emergency off on the machine. Install stationary emergency stop buttons that are available at all times on the configured system.
Storing the HMI device
WARNING
Non-functional emergency stop button
If the HMI device is not integrated, the emergency stop button does not function. To avoid confusion between effective and non-effective emergency stop buttons, only one integrated HMI device should be freely accessible. If the HMI device is not in use, it must be stored in a secure place.
See also
Emergency stop button (Page 20)
2.8 Safety functions of the enabling button
The Stop category of the enabling device must be selected on the basis of a risk assessment and correspond to a Category 0 or 1 Stop.
WARNING
Injury or material damage
Enabling buttons should only be used when the following applies for the person activating the enabling button:
• The person can see the danger zone.
• The person is capable of recognizing personal injury hazards in good time.
3 Application Planning
3.1 Check list: Planning the application
Application planning
For application planning of the HMI device go through the following steps.
3.2 Application and ambient conditions
Mechanical and climatic conditions of use
The HMI device is designed for use in a location protected from the effects of the weather. The conditions of use comply with the requirements of DIN IEC 60721-3-3:
● Class 3M3 (mechanical requirements)
The table applies to the HMI device, charging station, and transponder.
Testing for mechanical environmental conditions
The following table provides information on the type and scope of tests to determine mechanical ambient conditions for the HMI device.
Tested for | Test standard | Comments
Vibrations | IEC 60068, part 2–6 (sinusoidal) | Type of vibration: 20 frequency cycles with a tuning rate of 1 octave/minute. Frequency range: 10 ≤ f ≤ 150 Hz, ± 1 Hz. Deflection: 0.
Ambient conditions | Permitted range | Comments
Pollutant concentration | SO2: < 0.5 vpm; relative humidity < 60 %, no condensation | Check: 10 cm³/m³; 10 days
Pollutant concentration | H2S: < 0.1 vpm; relative humidity < 60 %, no condensation | Check: 1 cm³/m³; 10 days
Climatic ambient conditions for the charging station
The following table shows the permitted climatic ambient conditions for use of the charging station.
3.3 Check list: Planning the system
Introduction
For fail-safe systems careful system planning is necessary so that the system can be subsequently accepted and commissioned successfully.
Check list
Use the following check list when planning fail-safe systems:
Step | Further information | Check
Obtain a current plan of the plant for which an effective range concept should be created.
3.4 Planning effective ranges
Effective range and transponder
An effective range is physically formed by transponders mounted in the vicinity of the machine. Each transponder sends a unique ID. The ID is received by the HMI device and enables it to determine its distance from the transponder. If the HMI device is within the effective range, safe operation is possible once it logs on in the effective range.
Distance measurement between HMI device and transponder
The transponder transmits its ID in a lobe-shaped area with a maximum range of approx. 8 meters. The following example shows the varying quality of the effective range based on a configuration in which a maximum range of x1 = 8 m has been specified.
[Figure: quality of the effective range for a maximum range of x1 = 8 m]
① Zone with poor quality effective range
② Zone with good quality effective range
③ The effective range qua
Example:
① Machine that will be operated from within the effective range
② Transponder with transmitting range in the form of a lobe
③ Planned effective range; safe operation of the machine is possible from here
④ Actual effective range; safe operation of the machine is still possible from here
Procedure
1. On the system plan specify which parts of the system will be operated with the enabling buttons.
3.5 For the "Override" mode: Planning the protective devices
Introduction
Use "override" mode to extend the effective range concept.
Requirements
Only use "override" mode in delimited plant areas that are secured by additional protective measures. The operator must be able to fully see the area for which "override" mode applies. The danger location must be visible from every point of the override area.
3.6 Check list: Data security
Introduction
Data security in automation technology serves in particular to ensure the availability and trouble-free operation of industrial plants. To ensure secure transmission of signals via a WLAN for the Mobile Panel 277F IWLAN, you must in particular safeguard the system from unauthorized access.
● Project transfer to the HMI device
● The process management phase in which the HMI device is used to operate and monitor the plant.
Check the interplay of the specified measures. The measures listed in the table are marked as follows:
● To achieve PROFIsafe conformity, you must take all the measures which are marked with an asterisk * and highlighted in bold in the table.
● Additional voluntary measures are not marked.
Measure | Further information | Check
* Use authentication mechanisms to prevent unauthorized participation in wireless traffic. | Shared key as well as certificates are allowed as authentication methods. The passphrase must be at least 20 characters long. The passphrase should contain alphanumeric characters and special characters.
HMI device
* Protect the HMI device and the toolbar of the HMI device against unauthorized access with a password.
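The following check is an added example, not part of the Siemens manual: it audits WLAN profiles against the authentication measure above, treating the 20-character minimum as mandatory and the character-mix advice as a recommendation. The profile field names (`auth_method`, `passphrase`), the method labels and the sample profiles are assumptions made for this sketch.

```python
"""Audit WLAN profiles against the authentication measure in the check list.

Constructed example: the field names, method labels and sample profiles
are assumptions, not identifiers from WinCC flexible, STEP 7 or an
access point.
"""
from dataclasses import dataclass, field

MIN_PASSPHRASE_LEN = 20                       # "must be at least 20 characters long"
ALLOWED_AUTH = {"shared_key", "certificate"}  # methods the check list allows


@dataclass
class AuditResult:
    failures: list = field(default_factory=list)  # violated "must" items
    warnings: list = field(default_factory=list)  # unmet "should" items

    @property
    def compliant(self):
        return not self.failures


def audit_wlan_profile(profile):
    """Check one profile; findings never echo the passphrase itself."""
    result = AuditResult()
    method = profile.get("auth_method")
    if method not in ALLOWED_AUTH:
        result.failures.append(
            f"authentication method {method!r} is neither shared key nor certificate")
        return result
    if method == "certificate":
        # Assumption: the passphrase rules only apply to shared-key setups.
        return result

    passphrase = profile.get("passphrase") or ""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        result.failures.append(
            f"passphrase has {len(passphrase)} characters, "
            f"minimum is {MIN_PASSPHRASE_LEN}")
    # "should contain alphanumeric characters and special characters"
    if not any(c.isalnum() for c in passphrase):
        result.warnings.append("passphrase contains no alphanumeric characters")
    if not any(not c.isalnum() and not c.isspace() for c in passphrase):
        result.warnings.append("passphrase contains no special characters")
    return result


def audit_all(profiles):
    """Audit a mapping of profile name -> profile dict."""
    return {name: audit_wlan_profile(p) for name, p in profiles.items()}


# Constructed sample profiles (no real credentials).
SAMPLE_PROFILES = {
    "cell-1": {"auth_method": "shared_key",
               "passphrase": "Constructed-Sample#2008-Panel"},
    "cell-2": {"auth_method": "shared_key", "passphrase": "short-Pass1!"},
    "cell-3": {"auth_method": "shared_key", "passphrase": "a" * 24},
    "cell-4": {"auth_method": "open"},
    "cell-5": {"auth_method": "certificate"},
}

if __name__ == "__main__":
    for name, res in audit_all(SAMPLE_PROFILES).items():
        print(name, "OK" if res.compliant else "FAIL")
        for msg in res.failures:
            print("  must:  ", msg)
        for msg in res.warnings:
            print("  should:", msg)
```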
4 Configuration
4.1 Check list: Configuration
Configuration
Go through the following steps for configuration.
4.2 Procedure for configuration
Basic procedure
Always use the following procedure for configuration:
1. Create a STEP 7 project in the SIMATIC Manager.
2. Configure the required F-CPU and a PROFINET connection in the hardware configuration "HW Config".
3. Insert a Mobile Panel 277F IWLAN in the configuration from the hardware catalog of HW Config by dragging it to the PROFINET connection in the station window.
4.
4.3 STEP 7: HW Config
Procedure in STEP 7 HW Config
When you have created a STEP 7 project in the SIMATIC Manager, configure the desired F-CPU and a PROFINET connection in the hardware configuration "HW Config". Then insert a Mobile Panel 277F IWLAN in the configuration from the hardware catalog of HW Config by dragging it to the PROFINET connection in the station window.
● "Addresses" tab
The address area for the process image is configured in this tab. The process image is a memory area in the controller which the HMI device and controller access together. At the beginning of the cyclic control program the signal states of the inputs of the HMI device are transferred to the controller via the process input image (PII).
Parameter | Meaning
F_Dest_Add | PROFIsafe address used to uniquely identify the destination throughout the network and station. The address is assigned automatically. The "F_Dest_Add" parameter can have a value between 1 and 65534. You can change the value for "F_Dest_Add".
F_WD_Time (ms) | Monitoring time in the fail-safe IO device. A valid current safety frame must reach the F-CPU and be returned to the HMI device within the monitoring time period.
4.4 S7 Distributed Safety
Introduction
The Mobile Panel 277F IWLAN is used as a peripheral in fail-safe automation systems. Fail-safe automation systems, referred to below as F systems, are used in plants requiring high levels of safety. During fail-safe operation, a safety program runs in the F-CPU. The HMI device must be integrated into this safety program. The HMI device and F-CPU communicate via PROFINET IO.
4.4.1 Checklist: Creation of the safety program
Checklist for configuring a safety program for emergency stop applications
Information on S7 Distributed Safety can be found in the programming and operating manual "S7 Distributed Safety - configuring and programming". Please observe all additional instructions described in the programming and operating manual "S7 Distributed Safety - configuring and programming".
Go through the following steps for configuration.
Step | Information | Check
Checking the safety program
• Online help for the F-FBs
• FB161: Mobile Panel Status (F_FB_MP) (Page 63)
• FB162: Effective range for 4 Mobile Panel (F_FB_RNG_4) / FB 163 Effective range for 16 Mobile Panel (F_FB_RNG_16) (Page 67)
Loading the safety program in the F-CPU
Testing and acceptance testing of the safety program
4.4.
Rules for the safety program
WARNING
Emergency stop button not evaluated
The emergency stop button can only be evaluated if you call an F_FB_RNG_n in your safety program. Always call an F_FB_RNG_n in your safety program, even if you do not use effective ranges in your plant.
WARNING
Prohibited restart of the plant
Once the emergency stop button has been triggered, the plant can be restarted for operation only after the operator provides acknowledgment.
WARNING
Unwanted restart of the plant after acknowledgment of a communication error
The plant cannot be automatically restarted after a communication error on the HMI device is acknowledged. Therefore, ensure that your safety program requires an additional user action before the plant can be restarted.
Interconnection of the F FBs
The blocks are interconnected with one another and with the process image of the Mobile Panel 277F IWLAN.
Example application
Read Application example: Safety Functions (Page 113) if you use F_FB_RNG_n. You can find another detailed example application on the Internet at "http://support.automation.siemens.com", contribution number 25702331.
F I/O DB
An F I/O DB is automatically generated in HW Config for every F I/O.
Inputs
Parameters | Data type | Description | Interconnection
QBAD | Bool | QBAD indicates if the F-I/O has been passivated. | F-I/O DB: DBx2.1 = QBAD
ACK_REQ | Bool | Acknowledgement required. After a communication error, the fail-safe system sets QBAD = 1 and ACK_REQ = 0. ACK_REQ = 1 indicates that the PROFIsafe message frames are being exchanged again. | F-I/O DB: DBx2.2 = ACK_REQ
Parameter | Data type | Description | Interconnection
DIAG | Word | Information about any occurring errors is provided through this output for servicing purposes. You can evaluate the DIAG output in your program.
Bit 0: HMI removed
Bit 1: HMI integrated
Bit 2: Communication error on the HMI device
Bit 3: Communication error must be acknowledged.
● The block passes the states of the HMI device through F_DB_STATES to F_FB_RNG_n. The following HMI device states are possible:
– "Integrated"
– "Removed"
– "Communication error"
– "Acknowledgement required"
QBAD monitors the output of the F-I/O for integrating and removing the HMI device.
● QBAD = 0: PROFIsafe communication is taking place between the HMI device and the F-CPU.
4.4.4 FB162: Effective range for 4 Mobile Panel (F_FB_RNG_4) / FB 163 Effective range for 16 Mobile Panel (F_FB_RNG_16)
Structure
[Figure: block diagram of F_FB_RNG_n with the connections EN, RNG_ID, OVERRIDE, MPn_DATA, MPn_RNG, MPn_F_KEY, E_STOP, GLOB_RD, LOC_RD, SHUTDOWN, ENABLE]
Inputs
Parameters | Data type | Description | Interconnection
RNG_ID | Integer | Click on this input and enter the ID of the effective range to be monitored by F_FB_RNG_n. The RNG_ID must be unique throughout the plant and is set in WinCC flexible.
Parameters | Data type | Description | Interconnection
F-KEYS | Word | Reserved
RNG_BUSY | Bool | This output passes the state of the effective range. 0 = effective range free, 1 = effective range in use | You can detect if the effective range is free or in use with this output.
DIAG | Word | This output indicates which of the HMI devices with permission to log on in the effective range are actually logged on.
Wiring
You have to wire the inputs and outputs of the F FB manually. No automatic wiring is performed.
Usage
WARNING
Emergency stop button not evaluated
The emergency stop button can only be evaluated if you call an F_FB_RNG_n in your safety program. Always call an F_FB_RNG_n in your safety program, even if you do not use effective ranges in your plant.
The assigned effective range is managed by this F FB.
F_FB_RNG_n reacts as follows:
– The HMI device is supplied with user data, such as the effective range ID and the status of the HMI device in the effective range, if it is located in the effective range.
– If no other HMI device is logged on in the effective range, the operator can log on the HMI device in the effective range.
– The outputs of F_FB_RNG_n are set according to the state of the enabling button of the logged on HMI device.
4.5 WinCC flexible
4.5.1 Configuration overview
For fail-safe operation of the HMI you must configure the following areas of WinCC flexible ES:
● Settings of the HMI device: Set the PROFIsafe address of the HMI device in the project view under "Device settings" > "Device settings".
● Effective ranges editor: Configure the effective ranges defined when the plant was planned in the project view under "Device settings" > "Effective ranges".
4.5.2 Effective ranges editor
Work area
In WinCC flexible ES, open the "Effective Ranges" work area in the project window under "Device Settings" by double-clicking on "Effective Ranges". The work area provides a tabular view of the effective ranges and their transponders.
Configuring
The configuration consists of the following tasks:
1. You create the effective ranges by specifying the "Name", "Display name" and "ID".
Effective range name
The "Effective range name" object shows the name and logon status of the effective range in which the HMI device is currently located.
Display during runtime | Description
● The HMI device is within the effective range shown. The HMI device is not logged on in the effective range. It is possible to log onto the effective range.
● The HMI device is within the effective range shown and is logged on in the effective range.
Battery
The "Battery" object indicates the charging status of the HMI device's main battery.
CAUTION
The battery must always be sufficiently charged. If the battery becomes empty, a communication error occurs. The F-CPU initiates one of the following measures:
• If the HMI device is logged on at the effective range: a shutdown.
• If the HMI device is not logged on at the effective range: a global rampdown.
5 System commissioning
5.1 Acceptance of the system
Introduction
All of the relevant application-specific standards and the procedure described in this chapter must be observed in the course of final acceptance of the plant.
Important information about the final acceptance of a plant with fail-safe systems
Note
This document only provides detailed information about the additional acceptance procedures required for operation of the Mobile Panel 277F IWLAN HMI device.
Acceptance of the safety program
● Print and archive the safety program.
● Check the printed copy of the safety program for existence of the criteria specified in the "S7 Distributed Safety, Configuring and Programming" manual, chapter "Acceptance of a safety program."
● Download the entire safety program to the F-CPU.
● Test all functions of the safety program.
5.2 Accepting effective ranges and transponders Introduction The operational safety of the plant for the most part depends on a good safety plan and a careful realization of the safety functions. For safe operation, the project of the HMI device must precisely match the plant. For this reason, when first starting a project in the plant, you must verify all effective ranges with all transponders.
Procedure Proceed as follows:
1. Switch on the HMI device. The Windows CE desktop with Loader is displayed.
2. If the project does not start automatically, start the project. The "Transponder test" dialog box opens. To the left you will see the list with the names of all configured effective ranges.
3. In the "Effective ranges" list highlight the first effective range that you want to verify.
9. Select the next effective range in the list.
10. Repeat steps 4 to 7 for all transponders assigned to this effective range.
11. Verify all additional effective ranges in the list to the left.
12. When you have successfully verified all effective ranges, touch the "Calculate" button. The HMI device calculates the CRC checksum. The CRC checksum is displayed in the "CRC" box.
13. Open the project in WinCC flexible ES.
14.
Testing the effective ranges in the plant After successful verification of the transponders and effective ranges, you must test in the plant whether the extent of the configured effective ranges corresponds to the planning. In particular, check the following cases: ● Do the limits of the effective range run as planned? Pay special attention that no machine operations are permitted from excessive distances or areas that cannot be seen.
6 Operation 6.1 Organizational measures The HMI device should only be operated in the system with a battery or in the charging station. To ensure fail-safe operation of the HMI device the organizational measures described below must be complied with. Storing the HMI device WARNING Non-functional emergency stop button If the HMI device is not integrated, the emergency stop button does not function.
Operation 6.2 Typical applications The following must be noted when working with the Mobile Panel 277F IWLAN: ● Pay attention to the "SAFE" LED. If the HMI device is integrated in fail-safe communication, the "SAFE" LED lights up and the emergency stop button is active. ● Pay attention to the "COM" LED. If you leave the area with sufficient WLAN coverage, the "COM" LED will flash. Communication between the HMI device and PLC is down. You can no longer operate the system with the HMI device.
Example of an LED display Figure: [LED display: SAFE, PWR, COM, RNG, BAT] Meaning: Status of the LEDs that are displayed on the HMI device during the situation described in the application case. In this example all LEDs are on. Emergency stop button Figure Meaning Pressing the emergency stop button triggers an emergency stop. Pressing the emergency stop has no effect.
Action The operator switches the HMI device on via the ON/OFF button. Communication via WLAN starts up. While the WLAN connection is being established the "COM" LED flashes. Result WLAN communication is established. The HMI device displays the Windows CE Desktop with the Loader. [LED display: SAFE, PWR, COM, RNG, BAT]
6.2.3 Integrating and segregating the HMI device
6.2.3.1 Integrating the HMI device (start project) Initial situation The HMI device is switched on.
Result Both enabling buttons were tested in the "Enable" and "Panic" switch positions. The project start screen appears. [LED display: SAFE, PWR, COM, RNG, BAT] If the operator now exits the WLAN area, the F-CPU detects a communication error and initiates a global rampdown. The "COM" LED on the HMI device flashes. The "Establishment of safety connection" dialog with the text "No safe connection available. Reason: Communication error (timeout)" is displayed. 6.2.3.
Result scenario 2: no return to the WLAN range The "Confirm removal" dialog box is displayed on expiration of 60 seconds. The project is closed immediately if you confirm the Confirm removal dialog within 60 seconds. The active project is closed automatically if you do not confirm the Confirm removal dialog within 60 seconds. The HMI device displays the Windows CE desktop with the loader.
Action The operator presses the enabling switch. Unintentional incorrect operation of the enabling switch. Instead of operating the switch in the center, the operator pressed it at the edge. Result The enabled state is deactivated immediately after the discrepancy is detected. The "Enabling switch discrepancy error" dialog box opens on expiration of the discrepancy time (see Technical data for failsafe operation (Page 109)).
Result scenario 1: The enabled state is not activated. The "Enabling switch discrepancy error" dialog box opens on expiration of the discrepancy time. The dialog stays open until the button is released to clear the discrepancy. A discrepancy error is displayed again when the operator presses the enabling switch once again. The device must be repaired. Return the HMI device for repair as described in the section Cleaning, repairs and spare parts (Page 106).
Result The HMI device shows the Windows CE Desktop with the Loader. [LED display: SAFE, PWR, COM, RNG, BAT] Alternative - switch the HMI device off Action The operator presses the ON/OFF button for longer than 4 seconds. Following a prompt, the "Confirm removal" dialog box is displayed. The operator is requested to confirm the desired removal with the enabling button. The operator presses within 60 seconds at least one enabling button until the "Enable" setting is reached.
Result
Case 1: The object is displayed in white with lettering. Example: The HMI device is in the "Rangename" effective range. It is not possible to log on at the effective range.
Case 2: The object is displayed in gray without lettering. Example: The HMI device is located outside of the effective range of the plant.
Case 3: The object is displayed in gray with lettering. Example: The HMI device is in the "Rangename" effective range.
Result The HMI device must be logged on at the effective range. The "Effective range name" object is displayed in green. Example: [LED display: SAFE, PWR, COM, RNG, BAT]
6.2.4.3 Log off at the effective range Starting situation The "Effective range name" object is displayed in green. The HMI device must be logged on at the effective range. Example: [LED display: SAFE, PWR, COM, RNG, BAT] Action The operator touches the "Effective range name" object.
Note Only for effective ranges which belong to an override switch If the operator has logged off from an effective range which belongs to an override switch, the "Effective range name" object is displayed in gray in the following case: The operator has left the effective range without pressing the override switch. 6.2.5 Behavior in the effective range 6.2.5.
Result case 2: does not return to the effective range on time The "Effective range exited without logoff" dialog box opens. The HMI device triggers a local rampdown and log off from the effective range. As long as the operator does not confirm log off from the effective range, the dialog box is displayed on the HMI device. The operator is not able to interact with the machine. The effective range remains in use.
6.2.6.2 Terminating "override" mode Introduction The "Override" mode can be closed by the operator or closed automatically by the safety program of the F CPU. Closed by the operator The operator closes the "Override" mode with the following actions: 1. The operator activates the override switch. 2. The operator logs the HMI device off from the effective range.
Result of scenario 2: "Override" mode is closed automatically by the safety program of the F CPU. The transponders are evaluated again for detection of the effective range. If the operator is outside the effective range when "Override" mode closes, the system reacts as described in the section Exiting the effective range without log off (Page 94). "Override" mode can only be activated again if the override switch is reset by the operator. [LED display: SAFE, PWR, COM] 6.2.
6.2.7.2 Communication error with the HMI device logged on in the effective range Starting situation The HMI device must be logged on at the effective range. [LED display: SAFE, PWR, COM, RNG, BAT] Action A communication error occurs. The F-CPU executes a shutdown. It stops the plant unit that belongs to the effective range. The LED "SAFE" and the LED "RNG" go out. The operator is alerted that a secure connection is not present.
7 Diagnostics 7.1 Alarm messages The following alarms are displayed on the HMI device, depending on the operating situation: Dialog box Possible reactions Situation Additional information Establishment of safety connection "Yes" button The alarm displays one of the stated reasons, depending on the situation. • Reason: Connection not yet completed: Setup of the safe connection was not yet completed after the project was started. In this case, wait for the connection to be set up.
Dialog box Possible reactions Situation Effective range logoff (shutdown) "Yes" button "No" button The HMI device is logged on to the effective range. The operator has attempted to shut down the HMI device. "OK" button Communication was recovered after a short communication error. The operator must confirm this state. The Panel cannot be switched off. You have to first logoff from the effective range.
Diagnostics 7.2 Diagnostics Dialog box Possible reactions Situation Additional information Test enabling switch The operator must press both enabling switches until the "Panic" switch position is reached. The operator has started the project. The operator must test the functions of the enabling switches. Integrating the HMI device (start project) (Page 86) "OK" button An error occurred during logon of the HMI device to the effective range.
Diagnostics of internal faults of the HMI device The HMI device reacts as follows to an internal fault which leads to its failure: ● All LEDs go dark. The following actions are initiated if a project was started on the HMI device: ● The project is terminated. ● If an "Enable" discrepancy error is detected, the "Discrepancy error enabling switch" dialog opens; see Discrepancy error during enabling (Page 88).
ErrorCode Based on the ErrorCode, Technical Support can come to a conclusion about the type of internal error. The following table lists the ErrorCodes for discrepancy errors. You might be able to troubleshoot such errors by yourself, depending on the situation. The first six digits of the ErrorCode are decisive for the correct allocation of the error. The terms "left" and "right" enabling switch refer to your position facing the screen of the HMI device.
8 Maintenance 8.1 Function tests Check list Execute the tests cited in the following check list at the specified intervals. If the intervals are not maintained, the function of the HMI device is not ensured. Requirements The HMI device must be switched on and integrated in the safety program of the F-CPU. 8.2 Test Test cycle Press the emergency stop button. At least once a year Fully press both enabling buttons.
8.3 Cleaning, repairs and spare parts Cleaning CAUTION Inadvertent operation Always switch off the HMI device before cleaning it. This will ensure that you do not trigger unintended functions when you touch the keys. CAUTION Do not clean the HMI device with compressed air or steam jet blowers. Never use aggressive solvents or scouring powder. Use a cleaning cloth dampened with a cleaning agent to clean the equipment.
Replacement batteries Main batteries and bridge batteries can be ordered from your Siemens sales office. Service & Support on the Internet The online services of Service & Support at "http://www.siemens.com/automation/support" provide comprehensive information on SIMATIC products: ● Local service ● Repairs ● Replacement parts and more Recycling and disposal Due to the low levels of pollutants in the HMI device described in this manual, it can be recycled.
9 Technical data This chapter lists the specifications that are relevant for fail-safe operation. For more information, please read Application and ambient conditions (Page 42). Additional specifications can be found in the operating instructions for the HMI device. 9.1 Technical data for fail-safe operation Fail-safe operation WARNING The safety characteristics in the specifications apply for a proof-test interval of 10 years and a mean repair time of 8 hours.
Other safety-related values Acknowledgment time 1) Maximum reaction time of the HMI device in faultless state Discrepancy times • Emergency stop • Enabling button position "Enable" • Enabling button position "Panic" Runtime of the F-FBs 40 ms 1) 25 ms • • • 500 ms 2 sec 1 sec The runtime of the F-FBs required in the safety program depends on the F-CPU used.
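The discrepancy behavior described for the enabling switch, combined with the discrepancy times listed above, can be modelled as follows. This is an added example, not code from the manual or from the vendor; it assumes two redundant channels per control, that a disagreement which resolves within the discrepancy time raises no error, and that the listed times map to the controls in the order given (emergency stop 500 ms, "Enable" 2 sec, "Panic" 1 sec).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Discrepancy times in milliseconds, read from the technical data above
# (assumed mapping: values in the order the controls are listed).
DISCREPANCY_MS = {"emergency_stop": 500, "enable": 2000, "panic": 1000}


@dataclass
class DiscrepancyMonitor:
    """Two-channel discrepancy evaluation (hypothetical model, not vendor code)."""
    limit_ms: int
    since_ms: Optional[int] = None  # time at which the channels began to disagree
    error: bool = False             # latched until both channels are released

    def update(self, t_ms: int, ch_a: bool, ch_b: bool) -> bool:
        """Feed one sample; return True only if the function may be active."""
        if ch_a != ch_b:
            if self.since_ms is None:
                self.since_ms = t_ms
            if t_ms - self.since_ms >= self.limit_ms:
                self.error = True   # discrepancy time expired: report the error
            return False            # any disagreement switches the output off at once
        self.since_ms = None
        if not ch_a:
            self.error = False      # both channels released: discrepancy cleared
        return ch_a and not self.error


def run_trace(kind: str, samples: List[Tuple[int, bool, bool]]):
    """Replay (t_ms, channel_a, channel_b) samples; return (t_ms, active, error)."""
    mon = DiscrepancyMonitor(DISCREPANCY_MS[kind])
    out = []
    for t_ms, a, b in samples:
        active = mon.update(t_ms, a, b)
        out.append((t_ms, active, mon.error))
    return out


# Constructed sample traces (not recorded from a device).
CLEAN_PRESS = [(0, False, False), (100, True, True), (900, True, True),
               (1000, False, False)]
# Switch pressed at the edge: only channel A closes, for longer than 2 sec.
EDGE_PRESS = [(0, False, False), (100, True, False), (1000, True, False),
              (2100, True, False), (2500, True, True), (3000, False, False),
              (3100, True, True)]
# Channels close 50 ms apart: well inside the discrepancy time.
SHORT_SKEW = [(0, False, False), (10, True, False), (60, True, True)]

if __name__ == "__main__":
    for name, trace in [("clean", CLEAN_PRESS), ("edge", EDGE_PRESS),
                        ("skew", SHORT_SKEW)]:
        print(name)
        for t_ms, active, error in run_trace("enable", trace):
            print(f"  t={t_ms:5d} ms  active={active!s:5}  error={error}")
```

In the edge-press trace the output stays off for the whole disagreement, the error latches once 2000 ms have elapsed, and the function only becomes available again after both channels have been released.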
9.2 HMI device Weight Weight without packing Approximately 2.2 kg Protection class parameters Protection class to IEC 60417 Description Front panel and rear panel Protection class III Symbol Protection type parameters Degree of protection in accordance with IEC 60529 Description Front panel and rear panel IP65 Radio system parameters Frequency 2400 - 2483 MHz Power -1.5 dBm (0.7 mW) EIRP -3.65 dBm (0.4 mW) ERP WLAN parameters Frequency 5.180 - 5.
9.3 Charging station Weight Weight without packing Approx. 1.1 kg Nominal voltage +24 VDC Range, permissible 19.2 V to 28.8 V (–20%, +20%) Transients, maximum permissible 35 V (500 ms) Time between two transients, minimum 50 sec Current consumption with Mobile Panel • Typical • Constant current, maximum • Power on current surge I2t • • • Approx. 1.5 A Approx. 1.8 A Approx. 1.
A Application example: Safety Functions A.1 Configuration and operation Introduction The following example shows a possible application of the safety functions of the Mobile Panel 277F IWLAN. Note This example is restricted exclusively to the typical functionality of the Mobile Panel 277F IWLAN, in this case to the "override" mode. Additional security measures, e.g. reducing speeds when opening protective doors, must also be taken into consideration in the safety program, depending on the plant.
The following figure shows the configuration used in the example. [Figure: configuration used in the example, with PROFIsafe connection] The following signals are used: Function Symbolic name Signal Explanation "Override" switch "Switch_Override" I11.0 "0": "Override" switch is off Contact mat I11.1 "1": "Override" switch is on "Contact_Mats" Function key F1 of HMI device "1": Do not step on contact mat E0.
Flowchart The following flowchart shows the operation sequence of the example.
A.2 Components and settings used Necessary components Hardware components ● S7 F-CPU, can be used for safety applications, e.g. CPU-317F-2PN/DP ● HMI device Mobile Panel 277F IWLAN ● Protective door ● Contact mat ● "Override" switch ● Signal lamp Configuration software ● SIMATIC STEP 7 V5.4 as of SP2 ● S7 Distributed Safety, V5.
CPU 317F-2PN/DP 1. Create a STEP 7 project in the SIMATIC Manager. 2.
3. Open the settings by double-clicking on the F-CPU in the HW Config. The most important settings are shown below: Setting Explanation Cyclic interrupts: This is where you set the cycle time for the OB 35. Note: If the cycle time for OB 35 is set too high, message frames may be missing and there may be a delay in evaluating the "E-STOP" output of the F_FB_RNG_n. Set the cycle time for OB 35 slower than the PROFINET IO time.
Mobile Panel 277F IWLAN 1. Insert the Mobile Panel 277F IWLAN in the HW Config in the following manner: 2. To define the device name, open the properties dialog box of the HMI device by double-clicking on the Mobile Panel 277F IWLAN in the HW Config. 3.
Setting Explanation Inputs: Here, define the starting addresses of the inputs and the process image to which this address area belongs (PII). Outputs: Here, define the starting addresses of the outputs and the process image to which this address area belongs (PIQ). F_Dest_Add: PROFIsafe address of the Mobile Panel 277F IWLAN. This address must match the address on the HMI device.
A.3 Safety program S7 Distributed Safety Functionality The safety program of the S7-CPU takes care of the following: ● The "override" mode is started when the Mobile Panel 277F IWLAN is logged on at the effective range and there is a positive edge on the override switch. ● When the Mobile Panel 277F IWLAN is logged on at the effective range in which the override switch is located, the signal lamp comes on.
Symbolic name: Meaning
MP1_F_DATA_PIQ: Word 1 of the PIQ of the HMI device
MP1_F_RANGE_PIQ: Word 2 of the PIQ of the HMI device
Interface_DB: F-DB for the data transfer of user data
F_DB_States: F-DB for the transfer of data between the F_FB_MP of the HMI device and the F_FB_RNG_n of the effective range
F-CALL (FC 1) F-CALL (FC1) is the F-run-time group and is called from the cyclic interrupt OB (OB35).
Network 2 [Figure: ladder diagram of Network 2. Recoverable labels: Switch_Override, Edge_Override (POS), SR_Override (SR), Contact_Mats, Edge_Contact_Mats (NEG), and an F_FB_RNG block call with the parameters EN, RNG_ID and OVERRIDE and the F_DB_STATES data block.]
Network 3 [Figure: block call of Network 3. Recoverable labels: Interface_DB, E_Stop_Robot and the block parameters EN, E_STOP, ACK_NEC, ACK, TIME_DEL, Q, Q_DELAY, ACK_REQ, DIAG and ENO.] In network 3 the emergency stop signal of the HMI device is monitored via the F_ESTOP1 from the F-library of S7 Distributed Safety.
Network 7 [Figure: Network 7. Recoverable labels: Interface_DB, RNG_BUSY and an output.] If the "RNG_BUSY" signal is set in the F_FB_RNG, the signal lamp indicating in the plant that the effective range is in use is activated via the output O 11.2. Network 8 [Figure: Network 8. Recoverable labels: Interface_DB, ENABLE, the function key input and an output.] If the operator simultaneously presses the key F1 and the enabling button, the robot is activated via the output O11.1.
Index " "override" mode Activating, 25 Deactivating, 26 "Override" mode Application, 24 Requirements, 24, 49 Sample configuration, 25 suitable protective measures, 49 A Acceptance, 77 Effective ranges and transponders, 78, 79 F CPU and fail-safe I/O, 77 Plant, 77 Safety program, 78 Activating override Application case, 95 Agency, 6 Ambient conditions Climatic, charging station, 44 Climatic, HMI device, 43 Climatic, transponder, 44 Tested for, 43 Application case Activating override, 95 Closing override, 96
Index D Data security, 50 Check list, 51 Detecting the effective range Application case, 91 Diagnostics, 101 Diagnostics functions Reading out, 101 Discrepancy error after integration Application scenario, 88, 89 Distance between transponder and operator panel, 14 Documentation Conventions, 5 Fail-safe system, 4 Getting started, 4 Operating instructions, 3 User manual, 4 E Effective range Acceptance, 79 Effective range name Object, 74 Effective range quality Object, 74 Effective ranges, 13 Configuring, 73
Index HMI device Distance to the transponder, 14 Emergency stop button, 20 Enabling button, 22 Fail-safe application, 58 Storing, 83 How it works F_FB_RNG_n, 70 HW Config Display HMI device, 55 I I/Os F_FB_MP, 64 F_FB_RNG_n, 68 Indicator, 48, 79 Inputs F_FB_MP, 64 F_FB_RNG_n, 68 Integrate, 18 Integrating Application scenario, 86 Internal error Application case, 97 Behavior in case of, 102 Internet Service, 6, 107 Support, 6, 107 L Local rampdown.
Index Remove Application case, 90 Repairs, 106 Replacement key set, 106 Return Center, 106 Risk analysis, 37 Risk evaluation Special mode, 39 Risk from improper use Enabling button, 40 Rules Safety program, 61 S Safe electrical separation, 35 Safety Standards, 33, 37 Safety instruction, 27 Category 0 Stop, 38 Category 1 Stop, 38 Emergency stop button, 28, 30, 37, 38 Emergency stop button enabled, 38 Enabling button, 28, 39, 40 General, 36 High frequency radiation, 28 Malfunctions, 30 Power supply, 34 Prev