ET200S FM e

Contents
Preface 1
SIMATIC Product Overview 2
Configuration Options 3
ET 200S Configuration and Parameter
Assignment 4
Distributed I/O System
Address Assignment and
Fail-Safe Modules Installation 5
Manual Wiring and Fitting Modules 6
Diagnostics 7
The following supplement is part of this documentation:
No. Designation Drawing number Version General Technical Specifications 8

1 Product Information A5E00167504-02 07/2003
Fail-Safe Modules 9
Appendices
Dimension Drawings 10
Accessories and Order Numbers 11
Response Times 12
Glossary 13
Index
This manual is part of the documentation
packages with the order numbers:
6ES7988-8FA10-8BA0
6ES7988-8FB10-8BA0
Edition 03/2002
A5E00103686-01
Safety Guidelines
This manual contains notices that you should observe to ensure your own personal safety, as well as to
protect the product and connected equipment from damage. These notices are highlighted in the manual by
a warning triangle and are marked as follows according to the level of danger:
! Safety Note
Contains important information relating to approval and safety-related use of a product.
! Danger
Indicates that death, severe physical injury, or substantial property damage will result if proper
precautions are not taken.
! Warning
Indicates that death, severe physical injury, or substantial property damage can result if proper
precautions are not taken.
! Caution
Indicates that minor physical injury or property damage can result if proper precautions are not taken.
Caution
Indicates that property damage can result if proper precautions are not taken.
Notice
Indicates important information relating to the product or draws special attention to part of the
documentation.
Qualified Personnel
This device/system may only be set up and operated by qualified personnel. Qualified personnel are
defined as persons who are authorized to commission, to ground, and to tag circuits, equipment, and
systems in accordance with established safety practices and standards.
Proper Use
Note the following:
! Warning
This device and its components may only be used for the applications described in the catalog or the
technical description, and only in connection with devices or components from other manufacturers
which have been approved or recommended by Siemens.
This product can only function correctly and safely if it is transported, stored, set up, and installed
correctly, and operated and maintained as recommended.
Trademarks
SIMATIC®, SIMATIC HMI®, and SIMATIC NET® are trademarks of Siemens AG.
Other names in this publication might be trademarks, the use of which by third parties for their own purposes
may violate the rights of the registered holder.
Copyright © Siemens AG 2002 All rights reserved Disclaimer of Liability

The reproduction, transmission or use of this document or its We have checked the contents of this manual for agreement with
contents is not permitted without express written authority. the hardware and software described. Since deviations cannot be
Offenders will be liable for damages. All rights, including rights precluded entirely, we cannot guarantee full agreement. However,
created by patent grant or registration of a utility model or design, the data in this manual are reviewed regularly and any necessary
are reserved. corrections included in subsequent editions. Suggestions for
improvement are welcomed.
Siemens AG
Bereich Automation and Drives
Geschaeftsgebiet Industrial Automation Systems ©Siemens AG 2002
Postfach 4848, D- 90327 Nuernberg Technical data subject to change.
Siemens Aktiengesellschaft A5E00103686
Contents
1 Preface
2 Product Overview
2.1 Introduction ....................................................................................................... 2-1
2.2 Using ET 200S Fail-Safe Modules ................................................................... 2-2
2.3 Step-by-Step Guide to Commissioning ET 200S
with Fail-Safe Modules on PROFIBUS-DP....................................................... 2-5
3 Configuration Options
3.1 Introduction ....................................................................................................... 3-1
3.2 Configuring ET 200S with Fail-Safe Modules................................................... 3-2
3.3 Assigning Modules of an ET 200S ................................................................... 3-4
3.4 Maximum Number of Connectable Modules/Maximum Configuration ............. 3-6
4 Configuration and Parameter Assignment
5 Address Assignment and Installation
6 Wiring and Fitting Modules

6.1 Introduction ....................................................................................................... 6-1
6.2 Safe Functional Extra Low Voltage for Fail-Safe Modules ............................... 6-2
6.3 Wiring Fail-Safe Modules.................................................................................. 6-3
6.4 Inserting and Removing Fail-Safe Modules...................................................... 6-4
6.5 Requirements for Sensors and Actuators......................................................... 6-5
7 Diagnostics
8 General Technical Specifications

8.1 Introduction ....................................................................................................... 8-1
8.2 Standards and Approvals ................................................................................. 8-2
8.3 Electromagnetic Compatibility .......................................................................... 8-5
8.4 Transport and Storage Conditions.................................................................. 8-10
8.5 Mechanical and Climatic Environmental Conditions ...................................... 8-11
8.6 Specifications for Nominal Line Voltages, Isolation Tests,
Protection Class,and Degree of Protection .................................................... 8-13
ET 200S Distributed I/O System Fail-Safe Modules

A5E00103686-01 iii
Contents
9 Fail-Safe Modules
9.1 Introduction ....................................................................................................... 9-1
9.2 PM-E F 24 VDC PROFIsafe Power Module ..................................................... 9-2
9.2.1 Diagnostic Functions of PM-E F 24 VDC PROFIsafe Power Module ............. 9-9
9.2.2 Technical Specifications for PM-E F 24 VDC PROFIsafe Power Module..... 9-12
9.3 4/8 F-DI 24 VDC PROFIsafe Digital Electronic Module ................................. 9-16
9.1.1 Applications for 4/8 F-DI 24 VDC PROFIsafe Digital Electronic Module........ 9-23
9.1.2 Application 1: Safety Mode AK4/SIL2/Category 3.......................................... 9-25
9.1.5 Diagnostic Functions of the EM 4/8 F-DI 24 VDC PROFIsafe ....................... 9-39
9.1.6 Technical Specifications for the EM 4/8 F-DI 24 VDC PROFIsafe................. 9-41
9.4 4 F-DO 24 VDC/2 A PROFIsafe Digital Electronic Module ............................ 9-45
9.4.1 Diagnostic Functions of the EM 4 F-DO 24 VDC/2 A PROFIsafe
Digital Electronic Module ................................................................................ 9-51
9.4.2 Technical Specifications for EM F-DO 24 VDC/2 A PROFIsafe..................... 9-54
10 Dimension Drawings
11 Accessories and Order Numbers
12 Response Times
13 Glossary
Index

iv A5E00103686-01
1 Preface
Purpose of this Manual

The information presented in this manual is a source of reference for operation,
description of functions, and technical specifications of the fail-safe modules of the
ET 200S distributed I/O system.
Basic Knowledge Requirements

This manual is a supplement to the ET 200S Distributed I/O System manual.
Working with this manual requires general knowledge of automation engineering.
Knowledge of STEP 7 standard software is also required.
Scope of this Manual
Module Order Number Release Number and

Higher
4/8 F-DI 24 VDC PROFIsafe digital 6ES7138-4FA00-0AB0 01
electronic module
4 F-DO 24 VDC/2A PROFIsafe 6ES7138-4FB00-0AB0 01
digital electronic module
PM-E F 24 VDC PROFIsafe power 6ES7138-4CF00-0AB0 01
module

A5E00103686-01 1-1
Preface
Approvals
ET 200S complies with the requirements and criteria of IEC 61131-2 and the
requirements for the CE label. ET 200S has earned CSA, UL, and FM approvals. In
addition, ET 200S fail-safe modules are certified for use in safety mode up to the
following levels:
· Safety class SIL3 (Safety Integrity Level) in accordance with IEC 61508
· Requirements class (AK) 6 in accordance with DIN V 19250 (DIN V VDE 0801)
· Category 4 in accordance with EN 954-1
Position in the Information Landscape

This manual is part of the S7 Distributed Safety documentation package. This
documentation package contains the following manuals for fail-safe components:
System Documentation Package Order Number

S7-300F S7 Distributed Safety 6ES7988-8FB10-8BA0
ET 200S fail-safe modules
S7-300 fail-safe signal modules
When working with ET 200S fail-safe modules, you will need to consult the
supplementary documentation presented below according to your particular
application.

1-2 A5E00103686-01
Preface
This manual refers to the supplementary documentation as needed. Certain

manuals are included in the S7 Distributed Safety documentation package, as
indicated in the following table.
Documentation Brief Description of Relevant Contents

ET 200S Distributed Describes all general aspects of the ET 200S hardware (including
I/O System design, assembly, and wiring of the ET 200S) and IM 151-1 High
manual Feature.
Safety Engineering in · Provides general information about the use, structure, and
SIMATIC S7 system function of the S7-300F and S7-400F/FH fail-safe automation
description systems.
· Contains a summary of detailed technical information
concerning fail-safe engineering
in S7-300 and S7-400
· Contains monitoring and response time calculations for the
S7-300F and S7-400F/FH fail-safe systems.
(included in the S7 Distributed Safety documentation package)
For integration in the The following elements are described in the S7 Distributed Safety,
S7-300F system Configuration and Programming manual and online help:
· Configuration of the fail-safe CPU and the fail-safe I/O
· Programming of the fail-safe CPU in fail-safe FBD or LAD
· The S7-300/M7-300, Module Data manual describes how to
assemble and wire S7-300 systems.
· The CPU Data, CPU 312C to
314C-2 DP/PtP reference manual describes the standard
functions of CPU 315F-2 DP.
· The product information for CPU 315F-2 DP describes only
the deviations from the standard CPU 314C-2 DP.
STEP 7 manuals · The Configuring Hardware and Connections with STEP 7
V5.1 manual describes how to operate the appropriate
STEP 7 standard tools.
· The System and Standard Functions reference manual
describes functions for distributed I/O access and diagnostics.
STEP 7 online help · Describes how to operate STEP 7 standard tools
· Contains information about module configuration and
parameter assignment and intelligent slaves with HW Config
· Contains a description of the programming languages FBD
and LAD
PCS 7 manuals · Describe how to operate the PCS 7 process control system
(required when ET 200S is connected to fail-safe modules in
a master control system)
You can obtain the entire SIMATIC S7 documentation set in the SIMATIC S7
collection on CD-ROM.

A5E00103686-01 1-3
Preface
Guide
This manual describes the fail-safe modules of the ET 200S distributed I/O system.
It consists of instructive sections and reference sections (technical specifications
and appendices).
This manual presents the following basic aspects of fail-safe modules:
· Design and use
· Configuration and parameter assignment
· Addressing, assembly, and wiring
· Diagnostic assessment
· Technical specifications
· Order numbers
Conventions
In this manual, the terms "safety engineering" and "fail-safe engineering" are used
synonymously.
The same applies to the terms "fail-safe" and "F-".
Additional Support
If you have any additional questions about the use of products presented in this
manual, contact your local Siemens representative:
http://www.ad.siemens.de/partner

1-4 A5E00103686-01
Preface
Training Center
We offer courses to help you get started with the S7 automation system. Contact
your regional training center or the central training center in Nuremberg (90327),
Federal Republic of Germany.
Telephone: +49 (911) 895-3200
http://www.sitrain.com
H/F Competence Center
The H/F Competence Center in Nuremberg offers special workshops on SIMATIC
S7 fail-safe and redundant automation systems. The H/F Competence Center can
also provide assistance with onsite configuration, commissioning, and
troubleshooting.
Telephone: +49 (911) 895-4759
Fax: +49 (911) 895-5193
For questions about workshops, etc., contact:
hf-cc@nbgm.siemens.de
For Safety Integrated questions (system, wiring, etc.), contact:
cocsi@nbgm.siemens.de
SIMATIC Documentation on the Internet

To access documentation on the Internet free of charge, go to:
http://www.ad.siemens.de/support
Here, you can use the Knowledge Manager to locate the required information
quickly. A "documentation" conference is available in the Internet forum for your
questions or comments regarding documentation.

A5E00103686-01 1-5
Preface
Automation and Drives, Service & Support

Available worldwide, 24 hours a day:
Nuremberg
Nürnberg
Johnson City
Singapore
Singapur
SIMATIC Hotline
Worldwide (Nuremberg) Worldwide (Nuremberg)

Technical Support Technical Support
(Free contact) (Charges apply, only available with
Local time M-F 7:00 a.m. to 5:00 SIMATIC card)
p.m. M-F 24-hr. service
Telephone: +49 (0) 180 5050-222 Telephone: +49 (911) 895-7777
Fax: +49 (0) 180 5050-223 Fax: +49 (911) 895-7001
E-mail: adsupport@
ad.siemens.de
GMT: +1:00 GMT: +1:00
Europe/Africa (Nuremberg) United States (Johnson City) Asia/Australia (Singapore)
Authorization Technical Support and Technical Support and
Local time: M-F 7:00 a.m. to 5:00 p.m. Authorization Authorization
Telephone: +49 (911) 895-7200 Local time: M-F 8:00 a.m. to 5:00 Local time M-F 8:30 a.m. to 5:30
Fax: +49 (911) 895-7201 p.m. p.m.
E-mail: authorization@ Telephone: +1 (0) 770 740 3505 Telephone: +65 740-7000
nbgm.siemens.de Fax: +1 (0) 770 740 3699 Fax: +65 740-7001
GMT: +1:00 E-mail: isd-callcenter@ E-mail: simatic.hotline@
sea.siemens.com sae.siemens.com.sg
GMT: -5:00 GMT: +8:00
English and German are the languages generally spoken on the SIMATIC hotlines; on the automation hotline, French,
Italian, and Spanish are also spoken.

1-6 A5E00103686-01
Preface
Service & Support on the Internet

In addition to our paper documentation, we also provide all of our technical
information on the Internet at:
http://www.ad.siemens.de/support
Here, you will find the following information:
· Current product information (latest news), FAQs (Frequently Asked Questions),
downloads, and Tips and Tricks.
· Newsletter, a constant source of the latest information about your products
· Knowledge Manager to locate the right documents for you.
· Forum, in which users and specialists from all over the world exchange their
views and experience.
· Contacts database, which you can use to find your local Automation & Drives
contact partner.
· "Service" section, where you will find information about onsite service and
repair, spare parts, and much more.

A5E00103686-01 1-7
Preface

1-8 A5E00103686-01
2 Product Overview
2.1 Introduction
Overview
This chapter provides information about the following topics:
· ET 200S distributed I/O system with fail-safe modules and its place in
SIMATIC S7 fail-safe automation systems.
· Components comprising the ET 200S distributed I/O system with fail-safe
modules.
· Steps to be performed, from selecting F-modules to commissioning ET 200S
on PROFIBUS-DP.

A5E00103686-01 2-1
Product Overview
2.2 Using ET 200S Fail-Safe Modules
What is a Fail-Safe Automation System?

Fail-safe automation systems (F-systems) are used in systems with higher-level
safety requirements. F-systems are used to control systems having a safe state
immediately after shutdown. That is, F-systems control processes in which an
immediate shutdown does not endanger humans or the environment.
What is the ET 200S Distributed I/O System?

The ET 200S distributed I/O system is a DP slave on the PROFIBUS-DP that can
include fail-safe modules in addition to standard ET 200S modules.
Safety-related data are exchanged between a fail-safe DP master and the fail-safe
ET 200S modules on the PROFIBUS-DP.
You can use copper cables to configure PROFIBUS-DP strands.
What are Fail-Safe Modules?

The major difference between fail-safe modules and standard ET 200S modules is
that fail-safe modules have a two-channel internal design. Both integrated
processors monitor each other, automatically test the input and output wiring, and
place the F-module in a safe state in the event of an fault.
Fail-safe power modules supply load voltage to the potential group and safely
switch off the load voltage for output modules.
Fail-safe digital input modules record the signal states of fail-safe sensors and
send corresponding safety message frames to the DP master.
Fail-safe digital output modules are suitable for shutdown procedures with short-
circuit and cross-circuit protection up to the actuator.
Possible Uses of ET 200S with Fail-Safe Modules

The use of ET 200S with fail-safe modules enables conventional configurations in
safety engineering to be replaced with PROFIBUS-DP components. This includes
replacement of switching devices for emergency stop, protective door monitors,
two-hand operation, etc.

2-2 A5E00103686-01
Product Overview
Applicable DP Masters
You can use the following fail-safe DP masters for ET 200S with fail-safe modules:
· S7-300F automation system with F-capable CPU, such as CPU 315F-2 DP
The fail-safe DP master exchanges safety-related and non-safety-related data with
fail-safe and standard ET 200S modules.
F-System with ET 200S

The following figure presents an example configuration for an S7-300F F-system
with ET 200S on PROFIBUS-DP.
S7-300F ET 200M
Automation system
Fail-safe signal
modules
Fail-safe
modules
PROFIBUS-DP
ET 200S
ET 200S
Figure 2-1 S7-300F Fail-Safe Automation System
Note
You can use S7-300 fail-safe signal modules either in an ET 200M or centrally,
that is, in a rack next to the F-CPU. You can find a description of the various
configuration options in the system description Safety Engineering in
SIMATIC S7.

A5E00103686-01 2-3
Product Overview
Which Fail-Safe Electronic modules are available?

The following fail-safe electronic modules are available for ET 200S:
· PM-E F 24 VDC PROFIsafe power module; P switching (current sourcing) and
M switching (current sinking), with two additional fail-safe digital outputs
· 4 F-DO 24 VDC/8A PROFIsafe digital electronic module
· 4 F-DO 24 VDC/2A PROFIsafe digital electronic module; P switching (current
sourcing) and M switching (current sinking)
A range of terminal modules is available for fail-safe power and electronic modules.
You will find a detailed list of these modules in Chapter 3.
Which Interface Modules Can Be Used in ET 200S with Fail-Safe Modules?

The IM 151-1 High Feature module can be used as an interface module for
ET 200S with fail-safe modules (order number 6ES7151-1BA00-0AB0, see
ET 200S Distributed I/O System manual).
Use in Safety Mode

Fail-safe modules can only be used in safety mode. They cannot be used in
standard operation.
Achievable Safety Classes

Fail-safe modules are equipped with integrated safety functions for safety mode.
The following safety classes can be achieved through appropriate assignment of
safety function parameters in STEP 7 with the S7 Distributed Safety optional
package, use of a particular combination of standard modules and F-modules, and
use of a particular arrangement and wiring of sensors and actuators:
Table 2-1 Achievable Safety Classes in Safety Mode
Safety Class in Safety Mode

In Accordance with In Accordance with In Accordance with
IEC 61508 DIN V 19250 EN 954-1
SIL2 AK4 Category 3
SIL3 AK6 Category 3
SIL3 AK6 Category 4

2-4 A5E00103686-01
Product Overview
2.3 Step-by-Step Guide to Commissioning ET 200S with

Fail-Safe Modules on PROFIBUS-DP
Introduction
In the following table, you will find all the important steps you must perform to
commission ET 200S distributed I/O systems with fail-safe modules as DP slaves
on PROFIBUS-DP.
Steps from Selecting the F Modules to Commissioning ET 200S
Table 2-2 Steps from Selecting F Modules to Commissioning ET 200S
Step Procedure See ...

1. Select F-modules for ET 200S Chapter 3
configuration
2. Configure and assign parameters to Chapter 4 and Chapter 9.x for
F-modules in STEP 7 specific F-module
3. Set PROFIsafe addresses on F modules Chapter 5
4. Mount ET 200S Chapter 5
5. Wire ET 200S Chapter 6
6. Commission ET 200S on PROFIBUS-DP ET 200S Distributed I/O System
manual
7. If commissioning was not successful, Chapter 7, Chapter 9.x for specific
perform diagnostics on ET 200S F module, and ET 200S Distributed
I/O System manual
Note
You must configure and assign parameters to the F-modules in STEP 7 before
mounting them.
This is required because the PROFIsafe addresses of F-modules are assigned
automatically by STEP 7. You must set these PROFIsafe addresses on each
F-module by means of switches before mounting the module.

A5E00103686-01 2-5
Product Overview

2-6 A5E00103686-01
3 Configuration Options
3.1 Introduction
Overview
This chapter provides information about the following topics:
· Fail-safe modules that can be used to configure an ET 200S distributed
I/O system
· Terminals, F-power modules, and F-electronic modules that can be used
together
· Number of fail-safe modules that can be used per ET 200S
· Maximum configuration per voltage group

A5E00103686-01 3-1
Configuration Options
3.2 Configuring ET 200S with Fail-Safe Modules
Introduction
You can configure ET 200S distributed I/O systems with standard and fail-safe
modules. This chapter present an example configuration.
Example Configuration of ET 200S with Fail-Safe Modules

In the following figure, you will find an example configuration using standard and
fail-safe modules in an ET 200S. You must divide and mount the modules in fail-
safe voltage groups and standard voltage groups. A new voltage group always
begins with a power module.
ET 200S Fail-safe Standard Fail-safe Standard
IM151-1 PM F-DI F-DO PM AO AI DI DO FM PtP PM-E F AO AI DI DO FM PtP PM MS

High -D
Feature
Terminal module
Fail-safe modules
Figure 3-1 Example Configuration of ET 200S with Fail-safe Modules
Safety Note
! Note that F-DI modules and F-DO modules cannot be combined with standard
DI/DO/FM modules within a voltage group.
Configuration Rules for Fail-Safe Voltage Groups

Table 3-3 presents all of the fail-safe and standard power and electronic modules
that you can use in a voltage group.

3-2 A5E00103686-01
Positioning and Connecting Power Modules

An ET 200S containing fail-safe modules is no different than an ET 200S
containing standard modules with regard to positioning and connection of power
modules.
You can position the power modules as you wish. Each TM-P terminal module (for
a power module) that you add to the ET 200S opens a new voltage group. All
sensor and load current supplies of the electronic modules/motor starters that
follow are fed from this terminal module.
Placing another TM-P terminal module after an electronic module/motor starter
interrupts the voltage buses (P1/P2) and simultaneously opens a new voltage
group. This enables individual connection of encoder and load current supplies.
AUX(iliary) Bus (AUX 1)

A TM-P terminal module (for a power module) allows an additional voltage
connection (up to the maximum rated load voltage of the module), which you can
apply by means of the AUX(iliary) bus. You can use the AUX(iliary) voltage as
follows:
· As a protective conductor bus
· When additional voltage is required
Additional Information about Positioning and Connecting Power Modules

You will find additional information about positioning and connecting power
modules in the ET 200S Distributed I/O System manual.

A5E00103686-01 3-3
3.3 Assigning Modules of an ET 200S
Introduction
This section presents the following module assignments for ET 200S:
· F-power modules to terminal modules
· F-electronic modules to terminal modules
· Power modules to electronic modules
Assigning F-Power Modules to Terminal Modules

You can use the PM-E F 24 VDC PROFIsafe with the following terminal modules:
Table 3-1 Assigning F-Power Modules to Terminal Modules
F-Power Modules Terminal Modules For a Description,

See ...
PM-E F 24 VDC TM-P30S44-A0 (screw-in type) ET 200S Distributed I/O
PROFIsafe TM-P30C44-A0 (snap-in type) System manual
Assigning F-Electronic Modules to Terminal Modules

You can use the following fail-safe electronic modules and terminal modules
together:
Table 3-2 Assigning F-Electronic Modules to Terminal Modules
F-Electronic Modules Terminal Modules For a Description,

See ...
4/8 F-DI 24 VDC TM-E30S46-A1 (screw-in type) ET 200S Distributed I/O
PROFIsafe and TM-E30C46-A1 (snap-in type) System manual
4 F-DO 24 VDC/2A TM-E30S44-01 (screw-in type)
PROFIsafe
TM-E30C44-01 (snap-in type)

3-4 A5E00103686-01
Assigning Power Modules to Electronic Modules

You can use the power and electronic modules listed in the table below together in
a voltage group.
Note that certain combinations limit the achievable safety classes.
Table 3-3 Assigning Power Modules to Electronic Modules and Safety Classes
Power Module For a Electronic Use and Achievable

Description, Module/Motor Starter AK/SIL/Category
See
...
PM-E F 24 VDC Chapter 9.2 Can be used with all Safe shutdown of DO AK4/ SIL2/
PROFIsafe power standard electronic modules from the Category 3
module modules ET 200S range
PM-E 24 ET 200S Can be used with all Supply of F-DI- and AK6/
VDC/120/230 VAC manual standard and fail-safe F-DO modules SIL3/Category 4
electronic modules
PM-E F 24 VDC ET 200S Can be used with all Supply of F-DI AK4/ SIL2/
manual standard and fail-safe modules and F-DO Category 3
electronic modules modules
Safety Note
! Note that F-DI modules and F-DO modules cannot be combined with standard
DI/DO/FM modules within a voltage group.
3.4 Maximum Number of Connectable Modules/Maximum

Configuration
Maximum Number of Modules

The modules include the interface module, power and electronic modules, and
motor starters.
The total width of an ET 200S is limited to 1 m. In addition, the maximum number
of modules in an ET 200S depends on the parameter length of the modules.
Overall, 244 bytes per ET 200S are permissible.
Table 3-4 Parameter Length of F-Modules in Bytes
Fail-Safe Module Parameter Length

PM-E F 24 VDC PROFIsafe 20 bytes
4/8 F-DI 24 VDC PROFIsafe 30 bytes
4 F-DO 24 VDC/2A PROFIsafe 20 bytes

A5E00103686-01 3-5
Example
In the following example, modules with a total parameter length of 219 bytes have
been used in an ET 200S. This means that 25 bytes are still available for inserting
additional modules.
Number of 1 +1 +5 +2 = 9 modules
Modules/M IM 151 PM-E 24 F-DI F-DO
odule Type VDC/120/230 VAC modules* modules*
Parameter 26 bytes + 3 bytes + 150 bytes + 40 bytes = 219 bytes
Length
* Five F-DI moduIes provide: 20 SIL3 inputs or 40 SIL2 inputs
Two F-DO modules provide: 8 SIL2/SIL3 outputs
DP Masters with Short Diagnostic Message Frames

ET 200S cannot be used with DP masters with 32-byte diagnostic message
frames.
Power Modules: Maximum Configuration per Voltage Group
Table 3-5 Maximum Configuration per Voltage Group
Power Modules Maximum Current Number of Connectable Modules

Carrying Capacity
PM-E F 24 VDC 10 A The number of modules that can be connected
PROFIsafe depends on the total current of all modules in
the voltage group. The total combined current
cannot exceed 10 A. The total current is
determined by the digital output modules.
ET 200S: Limitations and Maximum Configuration

You will find information on the limitations and maximum configuration of the
standard ET 200S in the ET 200S Distributed I/O System manual.

3-6 A5E00103686-01
4 Configuration and Parameter Assignment
Requirements
The following optional package must be installed in STEP 7 to configure and
assign parameters to ET 200S fail-safe modules in S7-300F:
· S7 Distributed Safety, Version V 5.1 or higher
Configuration
Follow the usual procedure with STEP 7 HW Config to configure fail-safe modules
(in the same way as standard ET 200S modules).
Parameter Assignment for Module Properties

To assign parameters for fail-safe module properties, select the module in
STEP 7 HW Config and select the Edit > Object Properties menu command.
The parameters are downloaded from the programming device (PG) to the F-CPU
of the DP master, where they are saved and transferred from the F-CPU to the
fail-safe module by means of IM 151-1 High Feature.
Where to Find the Parameter Description

You will find a description of assignable fail-safe module parameters in Chapter 9.
PROFIsafe Address and PROFIsafe Address Assignment

You can find a description of PROFIsafe addresses and the address assignment
procedure in Chapter 5.

A5E00103686-01 4-1
Configuration and Parameter Assignment

4-2 A5E00103686-01
5 Address Assignment and Installation
Introduction
Before installing fail-safe modules, you must set the PROFIsafe address on each
F-module.
PROFIsafe Address
Every fail-safe module has its own PROFIsafe address which it uses to send safety
message frames to the F-CPU and to receive them from the F-CPU.
PROFIsafe Address Assignment

PROFIsafe addresses are automatically assigned when fail-safe modules are
configured in STEP 7 (see S7 Distributed Safety, Configuring and Programming
manual).
You will find PROFIsafe addresses in STEP 7 HW Config in the "PROFIsafe"
parameter assignment dialog box under DP slave properties. You must take the
PROFIsafe addresses from the parameter assignment dialog box and set them on
the fail-safe modules using an address switch.
Address Switch for Setting PROFIsafe Addresses

An address switch (10-pin DIL switch) is located on the left-hand side of every fail-
safe module. Use this address switch to enter the PROFIsafe address of the F-
module.
Note
Fail-safe modules in ET 200S can only be used in safety mode.

A5E00103686-01 5-1
Address Assignment and Installation
Setting the Address Switch

Before installing the F-module, ensure that the address switch is set correctly.
PROFIsafe addresses from 1 to 1022 are permitted. The following figure illustrates
the switch setting for an example address assignment.
Example:Address 1018
9 8 7 6 54 3 2 1 0
ON
512 OFF
256
128
64
32
16
8
4
2
1
Figure5-1 Example for Setting the Address Switch (DIL Switch)
Safety Note
! Ensure that the address switch setting on the module matches the PROFIsafe
address in STEP 7 HW Config.
Data Exchange between an F-CPU and Fail-Safe Modules in ET 200S

An F-CPU communicates with fail-safe modules by means of PROFIsafe. This
means that the F-CPU exchanges fail-safe useful data, packed in a safety
message frame, with fail-safe modules in ET 200S. The safety message frame is
located in a memory area of the F-CPU.
Address Areas for Fail-Safe Modules in the F-CPU

In the following table, you will find a listing of address areas in the F-CPU that can
be used for fail-safe module safety message frames in ET 200S. You can assign
addresses freely in the specified address area. You will find information about the
size of the address area of a given F-CPU in the respective manual.
Table 5-1 Address Areas for Fail-Safe Modules in the Target F-System
Distributed I/O System CPU 315F-2 DP in S7-300F

Fail-safe modules in ET 200S In the address area of the process image

5-2 A5E00103686-01
Allocation of Address Areas in the F-CPU

The following figure illustrates the allocation of address areas in the F-CPU by the
safety message frame of fail-safe modules in ET 200S (gray background).
Allocation always begins at a logic base address.
The inputs of the first F-module begin with input byte IB 0, the next F-module
begins with address IB 6, the following one with IB 12, etc. Inputs also occupy
output bytes (OB) in the F-CPU. Note that there are address gaps in the output
area.
Table 5-2 Address Areas for ET 200S Fail-Safe Modules in an F-CPU
F-DI 1 F-DI 2 F-DO* Etc.

IB0 IB1 IB2 IB3 IB4 IB5 IB6 IB7 IB8 IB9 IB10 IB11 IB12 IB13 IB14 IB15 IB16 IB17 IB18
OB0 OB1 OB2 OB3 OB4 OB5 OB6 OB7 OB8 OB9 OB10 OB11 OB12 OB13 OB14 OB15 OB16 OB17 OB18
* Allocation of PM-E F corresponds to an F-DO module
Access in the Safety Program

You can access the address areas in the S7-300 CPU in your safety program (the
safety-related portion of the user program) by means of LAD or FBD instructions
(see S7 Distributed Safety, Configuring and Programming manual).
Installing Fail-Safe Modules

Fail-safe power modules, electronic modules, and terminal modules are part of the
ET 200S range of modules. They are installed using the same procedure as for all
standard modules in an ET 200S.
For more information about module installation, consult the ET 200S Distributed I/O
System manual.
Mounting Dimensions
Note that fail-safe modules are 30 mm wide (twice as wide as standard ET 200S
modules). Otherwise, information provided in the ET 200S Distributed I/O System
manual is applicable.

A5E00103686-01 5-3

5-4 A5E00103686-01
6 Wiring and Fitting Modules
6.1 Introduction
Overview
This chapter presents special features involved in wiring and fitting fail-safe
modules. Information on this subject that applies to both ET 200S with fail-safe
modules and ET 200S with standard modules can be found in the ET 200S
Distributed I/O System manual.

A5E00103686-01 6-1
Wiring and Fitting Modules
6.2 Safe Functional Extra Low Voltage for Fail-Safe Modules
Safe Functional Extra Low Voltage
Warning
! Fail-safe modules must be operated with safe functional extra low voltage. This
means that these modules, even in the event of an fault, can only have a
maximum voltage of Um. The following applies for all fail-safe modules:
Um < 60.0 V
You can find additional information about safe functional extra low voltage, for
example, in the data sheets of the applicable power supplies.
All components of the system that are capable of supplying electrical energy in any
form must satisfy this requirement.
Each additional circuit (24 VDC) implemented must have a safe functional extra
low voltage. Refer to the relevant data sheets or contact the manufacturer for this
information.
Note, too, that sensors and actuators having an external power supply can be
connected to F-modules. Ensure that a safe functional extra low voltage is used
here, as well. The process signal of a 24 VDC digital module must not exceed a
fault voltage of Um in the event of a fault.
Warning
! All voltage sources (such as 24 VDC internal load voltage power supplies, 24
VDC external load voltage power supplies, and 5 VDC bus voltages) must be
electrically connected to prevent voltage additions from occurring in individual
voltage sources, even in the event of voltage differences. Such voltage additions
could cause fault voltage Um to be exceeded. Ensure that there is sufficient line
cross section for the electrical connection, in accordance with the ET 200S
configuration guidelines (see ET 200S Distributed I/O System manual).

6-2 A5E00103686-01
Power Supply Requirements in Compliance with NAMUR Recommendations
Note
You must use only power packs or power supplies (230 VAC --> 24 VDC) with a
power failure ride-through of at least 20 ms to comply with NAMUR
recommendation NE 21, IEC 61131-2, and EN 298. The following power supply
board components are available:
S7-400:
· 6ES7407-0KA01-0AA0 for 10 A
· 6ES7407-0KR00-0AA0 for 10 A
S7-300:
· 6ES7307-1BA00-0AA0 for 2 A
· 6ES7307-1EA00-0AA0 for 5 A
· 6ES7307-1KA00-0AA0 for 10 A
These requirements also apply, of course, to power packs and power supplies
that do not have an S7-300 or S7-400 configuration.
6.3 Wiring Fail-Safe Modules
Same Wiring Procedure as for ET 200S

Fail-safe power modules, electronic modules, and terminal modules are part of the
ET 200S range of modules. They are wired using the same procedure as for all
standard modules in an ET 200S.
Consult the ET 200S Distributed I/O System manual for all information about wiring
and fitting modules and the IM 151-1.
Mounting Rails
Only 35 x 15 mm zinc-plated mounting rails in accordance with EN 50022 can be
used for installing ET 200S with fail-safe modules. Mounting rails with the following
order numbers, for example, comply with this requirement:
· 6ES5710-8MA11
· 6ES5710-8MA21
· 6ES5710-8MA31
· 6ES5710-8MA41
Assignment of Terminal Modules

The assignment of terminal modules depends on the type of power module or
electronic module inserted (see Sections 9.2 to 9.4).

A5E00103686-01 6-3
6.4 Inserting and Removing Fail-Safe Modules
Inserting and Removing Electronic Modules

In ET 200S, the same procedure is used to insert and remove both fail-safe
modules and standard modules on terminal modules (see ET 200S Distributed I/O
System manual).
Inserting and Removing Electronic Modules during Operation

F-modules can be inserted and removed during operation in exactly the same way
as standard modules in ET 200S.
Note
Note that replacing fail-safe modules in ET 200S during operation can cause a
communication error in the F-CPU.
You must acknowledge a communication error in your safety program (see S7
Distributed Safety, Configuring and Programming manual).
If the communication error is not acknowledged, the useful data of the F-DO
modules remain passivated (outputs at "0").
The inputs forward the current useful data to the safety program.
Requirements for Insertion and Removal during Operation

The following table presents the F-modules that can be inserted and removed, and
the conditions under which this is possible:
Table 6-1 Conditions for Inserting and Removing Fail-Safe Modules
Module Insertion Conditions

and
Removal
Interface module No --
Fail-safe power module (PM E-F) Yes Load voltage must be switched off
Fail-safe electronic module (F-DI) Yes --
Fail-safe electronic module (F-DO) Yes --
Remember to Set the PROFIsafe Address

When exchanging F-modules, ensure that the address switch (DIL switch) settings
of the modules match (for information on PROFIsafe address setting, see
Chapter 5).

6-4 A5E00103686-01
6.5 Requirements for Sensors and Actuators
General Requirements for Sensors and Actuators

Note the following important information for fail-safe use of sensors and actuators:
Safety Note
! The use of sensors and actuators is outside of our sphere of influence. We have
equipped our electronics with such safety engineering features as to leave 85%
of the maximum permissible probability of hazardous faults for sensors and
actuators up to you. (This corresponds to the recommended load division in
safety engineering between sensing devices, actuating devices, and electronic
switching for input, processing, and output).
Note, therefore, that instrumentation with sensors and accouters bears a
considerable safety responsibility. Consider, too, that sensors and actuators do
not generally withstand proof-test intervals of 10 years (the interval for an external
function test according to IEC 61508) without considerable loss of safety.
The probability of hazardous faults and the rate of occurrence of hazardous faults
of a safety function must comply with an upper limit determined by a safety
integrity level (SIL). You will find a listing of values achieved by F-modules under
"Fail-Safe Performance Characteristics" in the technical specifications for F-
modules in Chapter 9.
Requirements for the Duration of Sensor Signals
Safety Note
! In order to guarantee accurate detection of the sensor signal by the F-DI module,
you must ensure that the sensor signals have a particular minimum duration.
The following table presents the minimum duration of sensor signals for the F-DI
module, which depends on the short-circuit test parameter and the input delay in
STEP 7 (see Section 9.3).
Table 6-2 Minimum Duration of Input Signals for Accurate Detection by the F-DI
Module
Short-Circuit Test Parameter Parameter Assigned for Input Delay

0.5 ms 3 ms 15 ms
Deactivated 7 ms 9 ms 23 ms
Activated 7 ms 12 ms 37 ms

A5E00103686-01 6-5
Additional Requirements for Actuators

Fail-safe modules test the outputs in regular intervals. To do so, the F-module
briefly switches off activated outputs. The test pulses have the following duration:
· Dark period < 1 ms
Rapid response actuators can drop out briefly during the test. If your process does
not tolerate this, you must use actuators with sufficient inertia (> 1 ms; see
Table 6.3).
Examples of Actuators
In the following table, you will find a listing of coupling relays with sufficient inertia
so as not to drop out during the dark period.
Table 6-3 Actuators That Can Be Used for Fail-Safe Output Modules
Manufacturer Type Contacts/Current Carrying

Capacity
SIEMENS 3TF2010-0BB4 3 at 9 A for 400 VAC
SIEMENS 3TH4262-0BB4 8 at 10 A for 230 VAC
SIEMENS 3TH8031-0B 4 at 10 A for 230 VAC
SIEMENS 3TH3022-0B 4 at 10 A for 230 VAC
Télémécanique LP4-EC09 4 at 6 A for 230 VAC
ABB KC22E 4 at 10 A for 230 VAC
AEG SH04 4 at 6 A for 440 VAC
Safety Note
! If the actuators are operated at voltages higher than 24 VDC (for example, 230
VDC) or if the actuators clear higher voltages, safe isolation must be ensured
between the outputs of a fail-safe output module and the components carrying a
higher voltage (in accordance with EN 50178).
This is generally the case for relays and contactors. Particular attention must be
paid to this aspect for semiconductor switching devices.
Technical Specifications for Sensors and Actuators

Consult Sections 9.2 to 9.4 for information about technical specifications for
selecting sensors and actuators.

6-6 A5E00103686-01
7 Diagnostics
Definition
Diagnostics are used to determine whether fail-safe module signal acquisition is
taking place without errors. Diagnostic information is assigned either to one
channel or to the entire F-module.
Diagnostic Functions Are Not Critical to Safety

Diagnostic functions (displays and messages) are not critical to safety and
therefore are not designed to be safety-oriented functions. That is, they are not
tested internally.
Diagnostic Options for Fail-Safe Modules in ET 200S

The following diagnostic options are available for fail-safe modules:
· LED display on the module front panel
· Diagnostic functions of F-modules (slave-diagnostics according to PROFIBUS
standard EN 50170/A2, PROFIBUS)
Safe State (Safety Concept)

The basic principle of the safety concept is the existence of a safe state for all
process variables. For digital F-modules, this is always the value “0“. This applies
to both sensors and actuators.
In practice, the safe state is defined according to the application.
Examples: Fuel supply in fuel engineering is initiated with an actuator in state "1".
The safe state is achieved, that is, fuel supply is disabled, in state "0".
An emergency stop signal can have a continuous state of "1" and can signal an
alarm in state "0", which is also the safe state.

A5E00103686-01 7-1
Diagnostics
React to Faults
If a fail-safe module detects an fault/error, it switches the affected channel or all
channels to a safe state; this means that the channels of the F-module are
passivated. The F-module reports the fault/error it has detected to the F-CPU by
means of slave diagnostics.
F-modules cannot save data as retentive data. When the system is powered down
and then back up, any faults still existing are detected again during startup.
However, you have the option of saving faults/errors in your safety program.
Safety Note
! When a channel fault occurs, there is no fault reaction or fault handling for
channels to which you have assigned the "deactivated" parameter in STEP 7; this
is also the case when a "deactivated" channel is indirectly affected by a channel
group fault. (For information about the "Channel activated/deactivated“
parameter, see Sections 9.2 to 9.4.)
Passivation
Passivation of digital output channels means that output channels are placed in a
deenergized state.
Passivation of digital input channels means that the inputs transmit the substitute
value 0 to the F-CPU, regardless of the current process signal. When a channel
fault occurs (for example, a wire break), the affected channel is passivated. In the
event of a module fault (for example, overtemperature), all channels of the fail-safe
module are passivated. (The react for communication errors is different; see
below.)
As long as a passivated channel has a fault, it supplies a channel value and a
value status of "0“. Diagnostics are transmitted. If no more channel faults occur, the
channel is either automatically unpassivated or the F-module must be removed and
inserted.
A complete listing of faults requiring removal and insertion of the F-module can be
found in the "Causes of Faults/Errors and Corrective Measures" tables
in Sections 9.2 to 9.4.
F-DI Module React to Communication Errors

The F-DI module responds differently to a communication error than to other
faults/errors.
In the event of a communication error, the current process values at the outputs of
the F-DI module remain intact; the channels are not passivated. The current
process values are sent to the F-CPU and are passivated in the F-CPU.

7-2 A5E00103686-01
Diagnostics
Diagnostics by LED Display

Every fail-safe power and electronic module indicates faults/errors by means of its
SF LED (group fault LED). The SF-LED lights up as soon as a diagnostic function
is triggered by the F-module. It is extinguished when all faults/errors have been
eliminated.
The power module also has a PWR LED, which displays the load voltage power
supply of the voltage group.
The 4/8 F-DI 24 VDC PROFIsafe electronic module also has two fault LEDs
(1VsF and 2VsF) that display faults for both internal sensor supplies.
Diagnostic Functions That Cannot Be Assigned As Parameters

Fail-safe electronic and power modules provide diagnostic functions that cannot be
assigned as parameters. This means that diagnostics are always activated and are
automatically made available by the F-module in STEP 7 and passed on to the F-
CPU in the event of an fault/error.
Diagnostic Functions That Can Be Assigned As Parameters

You can assign (activate) certain diagnostic functions as parameters in STEP 7:
· Wire-break detection for the F-DO module and the PM-E F
· Short-circuit monitoring for the F-DI module
Safety Note
! Diagnostic functions should be activated or deactivated in accordance with the
application.
For example, for applications involving press machines, the short-circuit test for
F-DI modules must be activated because line isolation is jeopardized by constant
vibration.
For applications involving machine protection, a short circuit in the sensor line is
always considered to be a possible source of fault. Here too, one option for
preventing faults is to activate the short-circuit test in conjunction with 1oo2
evaluation with 2-channel sensors (see also Section 9.3).
Slave Diagnostics
Slave diagnostics behave in accordance with PROFIBUS standard EN 50170/A2.
Fail-safe electronic and power modules support slave diagnostics in the same way
as standard ET 200S modules.
You will find a description of the general configuration of slave diagnostics for
ET 200S and the fail-safe modules in the ET 200S Distributed I/O System manual . A
supplementary description of channel-specific diagnostics for fail-safe modules is
presented below.

A5E00103686-01 7-3
Diagnostics
Channel-Specific Diagnostics
As with ET 200S, three bytes of channel-specific diagnostics are available per
F-module starting with byte 35. Channel-specific diagnostics for fail-safe modules
are configured as follows:
7 6 5 4 3 2 1 0 Bit no.
Byte 35 1 0
000000B to 111111B: Slot of module

providing channel-specific diagnostics
Code for channel-specific diagnostics
7 6 5 4 3 2 1 0 Bit no.
Byte 36
000000B to 000011B: number of channel providing diagnostics

01B: Input channel (F-DI module)
10B: Output channel (F-DO module or PM E-F)
11B: Input/output channel
7 6 5 4 3 2 1 0 Bit no.
Byte 37
Fault/error type (see Table 7-1)

Channel type: 001B: bit
010B: 2 bits
011B: 4 bits (F-DO module or PM E-F)
100B: byte (F-DI module)
101B: word
110B: 2 words
Byte 38 Next channel-specific diagnostics

to 40 (same assignment as for byte 35 to byte 37)
through
Byte 63, maximum
Figure 7-1 Configuration of Channel-Specific Diagnostics
Note
In byte 35, bit 0 to 5, the module slot is encoded. The following applies:
Displayed number +1 = module slot (0 = slot 1; 1 = slot 2, etc.)
Note
Channel-specific diagnostics are always updated to the current diagnostic
function in the diagnostic message frame. Subsequent, older diagnostic functions
are not deleted.
Remedy: Evaluate the valid current length of the diagnostic message frame in
STEP 7 using the SFC 13 parameter RET_VAL.

7-4 A5E00103686-01
Diagnostics
Possible Fault/Error Types of Fail-Safe Modules
Table 7-1 Channel-Specific Diagnostics: Fault/Error Types of Fail-Safe Modules
F-Module Fault/ Diagnostic Function in Special Meaning for

Error STEP 7 F-Modules
Number (Fault/Error Type)
All F-modules 1H Short circuit Short circuit
5H Overtemperature Overtemperature
9H Fault Internal fault
10H Parameter assignment error Parameter assignment
error
11H Sensor voltage or load voltage External auxiliary
is missing voltage is missing
13H Communication error Communication error
PM-E F 24 VDC 4H Overload Overload
6H Line break Wire break
4 F-DO 24 4H Overload Overload
VDC/2A 6H Line break Wire break
4/8 F-DI 24 VDC 19H Safety-related deactivation Discrepancy error
React of F-Modules in the Event of Module Failure

The following events occur following a serious internal fault in the F-module
causing F-module failure:
· The connection to the backplane bus is interrupted, and the fail-safe inputs and
outputs are passivated.
· Diagnostics are not transmitted from the F-module, and the "Module Fault"
standard diagnostics message is issued.
· The SF LED of the corresponding module illuminates.
Specific Information about Diagnostic Functions

All module-specific diagnostic functions, possible causes, and their remedies are
described in Sections 9.2 to 9.4.
The status and diagnostic functions indicated by LEDs on the front panel of each
F-module are also presented in these sections.
Reading Out Diagnostic Functions

You can display the cause of a fault/error in the module diagnostics of STEP 7
(see STEP 7 Online Help).
You can read out diagnostic functions (slave diagnostics) by means of SFC 13 in
the standard user program (see System and Standard Functions reference
manual).

A5E00103686-01 7-5
Diagnostics

7-6 A5E00103686-01
8 General Technical Specifications
8.1 Introduction
Overview
This chapter presents the following information about fail-safe modules:
· Information about the most important standards and approvals
· Information about the general technical specifications
What Are General Technical Specifications?

General technical specifications include the standards and test values with which
the fail-safe modules comply when used in an ET 200S, as well as the testing
criteria used for fail-safe modules.

A5E00103686-01 8-1
General Technical Specifications
8.2 Standards and Approvals
PROFIBUS Standard
The ET 200S distributed I/O system is based on PROFIBUS standard EN
50170/A2.
IEC 61131
Fail-safe modules comply with the requirements and criteria of IEC 61131, Part 2.
CE Mark
Siemens products satisfy the requirements and safety objectives of the following
European Community directives and comply with the harmonized European
standards (EN) for programmable logic controllers published in the Gazette of the
European Community:
· 92/31/EEC and 93/68/EEC ”Electromagnetic Compatibility” (EMC directive)
· 93/68/EEC ”Electrical Equipment Designed for Use within Certain Voltage
Limits” (low voltage directive)
The EC declarations of conformity are available to the competent authorities at:
Siemens Aktiengesellschaft
Automation and Drives Division
A&D AS E4
Postfach 1963
D-92209 Amberg Federal Republic of Germany
Marking for Australia
All SIMATIC products bearing the mark depicted to the left comply with the
requirements of the standard AS/NZS 2064 (Class A).
Use in Industry
SIMATIC products are designed for use in industrial environments.
Field of Application Requirement Relating to

Emitted Interference Immunity to Interference
Industry EN 50081-2 : 1993 EN 61000-6-2 : 1999-04

8-2 A5E00103686-01
UL Approval
UL Recognition Mark
Underwriters Laboratories (UL) in accordance with
UL 508, file No. 116536
CSA Approval
CSA Certification Mark
Canadian Standard Association (CSA) in accordance with
C22.2 No. 142, file no. LR 48323
FM Approval
Factory Mutual Approval Standard Class Number 3611, Class I, Division 2,
Group A, B, C, D.
Warning
! There is a risk of personal injury or property damage.
In areas exposed to explosion hazard, personal injury or property damage can
occur if plug-in connections are disconnected during operation.
Before disconnecting plug-in connections in areas exposed to explosion hazard,
always deenergize the distributed I/O.
Summary
In the following table, you will find an overview of fail-safe modules with information
about approvals and areas of application.
Component Approval for Approval for CSA C 22.2

UL 508 No. 142
PM-E F 24 VDC PROFIsafe Yes Yes

EM 4/8 F-DI 24 VDC Yes Yes
EM 4 F-DO 24 VDC/2A Yes Yes

A5E00103686-01 8-3
TÜV Certificate and Standards

Fail-safe modules are certified for the following standards. Refer to the report
accompanying the TÜV certificate for the current version/edition of the standard.
Standards/Directives Standards/Directives Additional

for Functional Safety for Machine Safety Standards/Guidelines
DIN V 19250 98/37/EC DIN VDE 0110-1
DIN V VDE 0801 EN 60204-1 DIN VDE 0160
DIN V VDE 0801/A1 EN/ISO 954-1/13849-1 93/68/EEC
IEC 61508-1 to 7 prEN 954-2 92/31/EEC and 93/68/EEC
prEN 50159-1 and 2 Standards/Directives for DIN EN 55011
Fuel Engineering
Standards/Directives for DIN VDE 0116 no. 8.7 EN 50081-2
Process Engineering
DIN V 19251 prEN 50156-1 EN 61000-6-2
VDI/VDE 2180-1 to 5 EN 230 no. 7.3 DIN EN 61131-2
NE 31 EN 298 no. 7.3, 8, 9, and 10
ISA S 84.01 DIN V ENV 1954
Requesting TÜV Certificate

You can request copies of the TÜV certificate and the accompanying report at the
following address:
Automation and Drives Division
A&D AS E4
Postfach 1963
D-92209 Amberg Federal Republic of Germany

8-4 A5E00103686-01
8.3 Electromagnetic Compatibility
Introduction
This chapter presents information about immunity to interference of fail-safe
modules and about EMC conformity.
Fail-safe modules comply with the requirements of the EMC law for the European
internal market.
Definition of EMC
Electromagnetic compatibility is the ability of an electrical device to function in its
electromagnetic environment in a satisfactory manner without affecting this
environment.
Pulse-Shaped Interference
The following table presents the electromagnetic compatibility of fail-safe modules
with regard to pulse-shaped interference. As a requirement, the ET 200S
distributed I/O system must comply with the specifications and guidelines for
electrical configuration.
Pulse-Shaped Interference Tested With Degree of Severity

Electrostatic discharge in 8 kV 3 (air discharge)
accordance with IEC 61000-4-2 6 kV (cabinet installation 3 (contact discharge)
(DIN VDE 0843 Part 2) mandatory)
4 kV (no cabinet installation)
Burst pulse (rapid transient 2 kV (supply line) 3
interference) in accordance with 2 kV (signal line) 4
IEC 61000-4-4 (DIN VDE 0843
Part 4)
Surge in accordance with IEC 61000-4-5 (DIN VDE 0839 Part 10)
Degrees of severity 2 and 3 require an external protective circuit
(see paragraph on next page)
Asymmetrical connection 1 kV (supply line) 2
1 kV (signal lead/data lead)
2 kV (supply line) 3
Symmetrical connection 0.5 kV (supply line) 2
0.5 kV (signal lead/data lead)
1 kV (supply line) 3

A5E00103686-01 8-5
External Protective Circuit for ET 200S with Fail-Safe Modules

When ET 200S is implemented with fail-safe modules, an external protective circuit
for surge protection (surge filter) is required between the load voltage supply and
the load voltage input of the terminal.
The following figure illustrates an example configuration with F-modules, standard
modules, and the power modules PM-E 24 VDC/120/230 VAC and PM-E F 24
VDC PROFIsafe. Voltage is supplied over four power supplies.
You can also use fewer power supplies. However, you must ensure that the total
current of the modules fed by one power supply does not exceed the permissible
limits.
You can also use PM-E 24 VDC power modules. In this case, the protective circuit
corresponds to that of the PM-E 24 VDC/120/230 VAC + automatic circuit breaker
(as for PM-E F 24 VDC PROFIsafe).
For additional information about surge protection for standard modules, see the
ET 200S Distributed I/O System manual.

8-6 A5E00103686-01
1 2 3 4 5 6 7 8 9 10
IM 151-1
A5E00103686-01
4 DI
4 DI
Mounting rail
2 DO
2 DO
4 F-DO
PM-E-F
4/8 F-DI
4/8 F-DI
24 VDC
24 VDC
24 VDC
24 VDC
24 VDC
24 VDC/2A
24 VDC/2A
24 VDC/2A
120/230 VAC
DP
PM-E 24 VDC/
120/230 VAC
PM-E 24 VDC/
Shielded line
Unshielded line (suppressor circuit
not required)
element*
L+
see
element*
no. 5
see
module
no. 6
module
2 6 5 3 2 8 10
Shielded connecting

Terminal identifier
However, use 2L+ and 2M
2 3 3 2 3 on ET 200S
Shielded connecting
8/ 16/ terminal modules
2 4/ 14/
7/ 11/ 12/ 6/ 12/
3** 1 5 2 6 1 5 3 9 10 13 14 15 16 1 25 69 10 13 14 2 1 5 3 7 10 9 11 13 15
OUT + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + -
IN B10 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + -
1L+
2L+ 4L+
Miniature circuit-breaker Sensors
PROFIBUS-DP
-230 VAC -230 VAC -230 VAC Name Dehn Order Number
-230 VAC
L+ 1L+ L+ 2L+ L+ 3L+ L+ 4L+

24 VDC 24 VDC 24 VDC 24 VDC
M M M M
Power pack, such as SITOP Only one power pack can supply electrical energy
* For order numbers, refer to ET 200S Distributed I/O System manual

** Also applies to terminals 8/4/7
8-7
Sinusoidal Interference
HF radiation of the device in accordance with IEC 61000-4-3:
· Electromagnetic HF field, amplitude-modulated:
between 80 and 1000 MHz; 10 V/m; 80% amplitude modulation (1 kHz)

· Electromagnetic HF field, pulse-modulated:
900 ± 5 MHz; 10 V/m; 50 % ESD; 200 Hz repetition frequency
· GSM/ISM field interference, different frequencies (EN 298: 1998):
System Frequency Test Level Modulation

GSM 890-915 MHz 20 V/m Pulse modulation
200Hz
GSM 1710-1785 MHz 20 V/m; Pulse modulation
200Hz
ISM 6,765-6,795 MHz 20 V/m AM, 80%, 1kHz
ISM 13,553-13,567 MHz 20 V/m AM, 80% 1 kHz
ISM 26,957-27,283 MHz 20 V/m AM, 80%, 1kHz
ISM 40.66-40.70 MHz 20 V/m AM, 80% 1 kHz
ISM 433.05-434.79 MHz 20 V/m AM, 80% 1 kHz
ISM 3,370-3,410 MHz 20 V/m AM, 80% 1 kHz
ISM 13,533-13,533 MHz 20 V/m AM, 80% 1 kHz
ISM 13,567-13,587 MHz 20 V/m AM, 80% 1 kHz
ISM 83,996-84,004 MHz 20 V/m AM, 80% 1 kHz
ISM 167,992-168,008 MHz 20 V/m AM, 80% 1 kHz
ISM 886,000-906,000 MHz 20 V/m AM, 80% 1 kHz
· HF coupling with signal lines and data lines, etc., in accordance with IEC
61000-4-6, high frequency, asymmetric, amplitude-modulated:
between 0.15 MHz and 80 MHz; 10 V R.M.S. value, unmodulated; 80% AM (1
kHz); 150 W source impedance

8-8 A5E00103686-01
Radio Interference Emission

Emitted interference of electromagnetic fields according to EN 55011: limit value
class A, group 1.
Between 30 MHz and 230 MHz; < 40 dB (µV/m)Q

Between 230 MHz and 1000 MHz; < 47 dB (µV/m)Q
Measured at 10 m distance
Emitted interference by means of network-AC power supply in accordance with EN

55011: limit value class A, group 1.
Between 0.15 MHz and 0.5 MHz; < 79 dB (µV)Q, < 66 dB (µV)M
Between 0.5 MHz and 5 MHz < 73 dB (µV)Q, < 60 dB (µV)M
Between 5 MHz and 30 MHz < 73 dB (µV)Q, < 60 dB (µV)M
Expanding the Field of Application

If you use the ET 200S with fail-safe modules in a residential area, you must
ensure compliance with limit-value class B in accordance with EN 55011 relating to
radio interference emission.
Measures to achieve the limit-value B radio interference level include:
· Installation in grounded control cabinets/switchboxes
· Use of filters in power supply lines
8.4 Transport and Storage Conditions
Requirements for Fail-Safe Modules

Fail-safe modules exceed the requirements of IEC 61131, Part 2, with regard to
transport and storage conditions. The following specifications apply to fail-safe
modules that are transported and stored in their original packaging.
Type of Condition Permitted Range

Free fall £ 1m
Temperature - 40 °C to + 70 °C
Air pressure 1080 hPA to 660 hPa
(corresponds to an altitude of -1000 m to
3500 m)
Relative humidity 5% to 95%, without condensation

A5E00103686-01 8-9
8.5 Mechanical and Climatic Environmental Conditions
Conditions of Use
Fail-safe modules are intended for use as permanently installed modules protected
from the elements. The conditions of use exceed the requirements of IEC 61131-2.
Fail-safe modules comply with the conditions of use of Class 3C3 in accordance
with DIN EN 60721 3-3 (use in locations with heavy traffic and in the immediate
vicinity of industrial systems with chemical emissions).
Restrictions
Fail-safe modules cannot be implemented in the following locations without
additional measures being taken:
· Locations with a high level of ionizing radiation
· Locations with difficult operating conditions, for example, due to:
- Dust
- Corrosive vapors or gases
· Systems that require special monitoring, such as:
- Electrical systems in particularly hazardous areas
An additional measure for implementing fail-safe modules can be, for example,
installing the ET 200S in cabinets.
Mechanical Environmental Conditions

The mechanical environmental conditions for fail-safe modules are presented in the
following table as sinusoidal oscillations.
Frequency Range (Hz) Continuous Intermittent

10 £ f £ 58 0.15 mm amplitude 0.35 mm amplitude
58 £ f £ 150 2 g constant acceleration 5 g constant acceleration
Reduction of Oscillation
If fail-safe modules are subjected to sizable shock pulses or oscillation, you must
take appropriate measures to reduce acceleration and amplitude.
We recommend that you mount the ET 200S on cushioning material (for example,
on a rubber-metal vibration damper).

8-10 A5E00103686-01
Testing for Mechanical Environmental Conditions

The following table provides information about the type and scope of testing for
mechanical environmental conditions.
Condition Test Standard Comments

Oscillation Oscillation test in Type of oscillation: frequency cycles with a speed
accordance with of change of 1 octave/minute.
IEC 68 Part 2-6 10 Hz £ f £ 58 Hz, constant amplitude 0.35 mm
(sine) 58 Hz £ f £ 150 Hz, constant acceleration 5 g
Duration of oscillation: 20 frequency cycles per
axis in each of the three axes positioned vertically
to one another
Shock pulse Shock pulse test in Type of shock pulse: half sine
accordance with Intensity of the shock pulse: 15 g peak value,
IEC 68 Part 2-27 11 ms duration
Direction of shock pulse: three pulses each in +/-
direction in each of the three axes positioned
vertically to one another
Climatic Environmental Conditions

ET 200S can be used under the following climatic environmental conditions:
Environment-Related Range of Application Comments

requirements
Temperature -
Horizontal installation: 0 to 60 °C
Vertical installation 0 to 40 °C
Temperature change 10 K/h
Relative humidity 15% to 95%, No condensation; corresponds
to relative humidity (RH) stress
level 2 in accordance with IEC
61131-2
Air pressure 1080 hPa to 795 Corresponds to an altitude of
-1000 m to 2000 m
Contaminant concentration Test:
SO2: < 0.5 ppm; 10 ppm; 4 days
relative humidity < 60%, no
moisture condensation
H2S: < 0.1 ppm; 1 ppm; 4 days
relative humidity < 60%,
no moisture condensation

A5E00103686-01 8-11
8.6 Specifications for Nominal Line Voltages, Isolation Tests,

Protection Class,and Degree of Protection
Nominal Line Voltages for Operation

Fail-safe modules function with a nominal line voltage of 24 VDC. The tolerance
range is 20.4 VDC to 28.8 VDC.
Test Voltages
Isolation stability is proven in routine testing with the following test voltages in
accordance with IEC 61131 Part 2:
Circuits with Nominal Line Voltage Ue Test Voltage

against Other Circuits and against the
Ground
0 V < Ue £ 50 V 500 VDC
Protection Class
The protection class is in accordance with IEC 60536 (VDE 0106, Part 1). That is,
a ground terminal is required on the mounting rail.
Foreign Body and Water Protection

IP 20 degree of protection in accordance with EN 60529 is applicable. That is,
protection from contact with standard probes.
In addition, protection from foreign bodies larger than 12.5 mm in diameter is
applicable.
Protection from water penetration is not ensured.

8-12 A5E00103686-01
9 Fail-Safe Modules
9.1 Introduction
Overview
One fail-safe power module and two fail-safe digital modules are available for
connecting digital sensors or encoders and actuators or loads to ET 200S. This
chapter provides the following information for each fail-safe module:
· Properties and special features
· Front view, terminal assignment for terminal modules, and block diagram
· Wiring diagram and programmable parameters
· Diagnostic functions, including corrective measures
· Technical specifications
Safety Note
! The fail-safe performance characteristics in the technical specifications are valid
for a proof-test interval of 10 years.
Description of Applicable Standard Power Modules and Terminal Modules

The applicable standard power modules and terminal modules are described in the
manual ET 200S Distributed I/O System.

A5E00103686-01 9-1
Fail-Safe Modules
9.2 PM-E F 24 VDC PROFIsafe Power Module
Order Number
6ES7138-4CF00-0AB0
Properties
The PM-E F 24 VDC PROFIsafe power module has the following properties:
· Two relays for switching voltage buses P1 and P2, 10 A output current
· Two fail-safe digital outputs, P-M switching (current sourcing/sinking), 2 A
output current
· 24 VDC rated load voltage
· Suitable for solenoid valves, DC contactors, and indicator lights
· Group fault display (SF; red LED)
· Status display for each output (green LED)
· Status display for load current power supply (PWR; green LED)
· Assignable diagnostics
· Safety class SIL3 achievable
Switching of Voltage Buses P1 and P2

The power module can perform fail-safe switching of voltage buses P1 and P2 by
means of relay contacts in accordance with AK4/SIL2/Category 3.
Two Fail-Safe Digital Outputs

In addition to voltage buses P1 and P2, the power module has two fail-safe digital
outputs DO 0 and DO 1. These outputs enable AK6/SIL3/Category 4 to be
achieved (see Figure 9-4).
Conditions for Achieving Safety Class

The conditions for achieving the respective safety classes are summarized in the
following table.
Table 9-1 PM-E F 24 VDC PROFIsafe: Conditions for AK/SIL/Category
Condition Achievable
AK/SIL/Category
ET 200S standard modules supplied by means of P1 and P2 AK4/SIL2/Category 3 on
P1 and P2
DO 0 and DO 1 used, modules not supplied by means of P1 AK6/SIL3/Category 4 on
and P2 DO 0 and DO 1

9-2 A5E00103686-01
Fail-Safe Modules
Power Module Supplies for Standard ET 200S Modules
Safety Note
! Always connect the 24 VDC supply for the standard ET 200S modules on the
PM-E F 24 VDC PROFIsafe power module. Otherwise, the outputs of DO
modules may exhibit safety-critical behavior.
Safety Note
! When supplying standard DI/DO modules, always use the terminal modules to
supply the sensors or actuators (sensor supply on the DI module; actuator
feedback on the DO module). Otherwise, the power module signals a short circuit
and the load voltage of this voltage group is deactivated.
Short Circuits after L+ on Outputs of Standard DO Modules
Safety Note
! Fail-safe activation of outputs of standard DO modules is not possible; rather,
only fail-safe deactivation is possible. That is, the PM E-F 24 VDC PROFIsafe
power module does not detect external short circuits after L+ on the outputs of
standard ET 200S DO modules.
If short circuits after L+ cannot be ruled out in your process, we recommend the
use of P-M switching (current sourcing/sinking) fail-safe 4 F-DO 24 VDC/2 A
PROFIsafe electronic modules in place of standard modules (see Section 9.4).
Incoming Supply of the 24 VDC Supply for Electronic Modules with Process-
Related Functions
Depending on whether the electronic and load current supplies are electrically
isolated in the electronic modules with process-related functions (positioning,
counting), you must adhere to the following wiring instructions:
· If electrically isolated, provide an external 24 VDC feed for the electronic
module.
· If not electrically isolated, you must supply the electronic module by the voltage
bus voltage P1 of the PM-E F 24 VDC PROFIsafe power module.
AK4/SIL2/Category 3 is achievable in both cases.

A5E00103686-01 9-3
Fail-Safe Modules
Front View
Group fault display - red
Status display for load current

power supply - green Status displays for
each output - green
Figure 9-1 Front View of PM-E F 24 VDC PROFIsafe
Safety Note
! The SF LED and the status displays of the outputs must not be evaluated for fail-
safe activities.
Terminal Assignment
The terminal assignment of the PM-E F 24 VDC PROFIsafe power module for the
applicable terminal modules TM-P30S44-A0 and TM-P30C44-A0 is shown in the
following figure and table.
AUX1
DO0 DO1
4 8 9 13 P P
24 VDC 24 VDC DO0 DO1

(Incoming supply) 2 6 10 14 M M
M M DO2 DO2
(Incoming supply) P P
3 7 11 15
AUX1 AUX1 DO2 DO2

(Incoming supply) 4 8 12 16 M M
Figure 9-2 Terminal Assignment of TM-P30S44-A0 and TM-P30C44-A0 for PM-E F 24 VDC PROFIsafe

9-4 A5E00103686-01
Fail-Safe Modules
Table 9-2 Terminal Assignment of TM-P30S44-A0 and TM-P30C44-A0
Terminal Designation
2 24 VDC 24 VDC rated load voltage for: inserted power module,
associated voltage group, DO 0 and DO 1, and
voltage buses P1 and P2
3 M Ground
4 AUX 1 Any terminal for PE or voltage bus up to the maximum rated load
voltage of the module
6 24 VDC 24 VDC rated load voltage for: inserted power module, associated
voltage group, DO 0 and DO 1, and voltage buses P1 and P2
7 M Ground
8 AUX 1 Any terminal for PE or voltage bus up to the maximum rated load
voltage of the module
9 DO 0 P Terminals for fail-safe digital output 0 (P-M switching)
10 DO 0 M
11 DO 2 P Terminals (relay contacts) for fail-safe switching of voltage buses P1
12 DO 2 M and P2
P1 and P2 can also be used as DO 2 M and DO 2 P
13 DO 1 P Terminals for fail-safe digital output 1 (P-M switching)
14 DO 1 M
15 DO 2 P Terminals (relay contacts) for fail-safe switching of voltage buses P1
16 DO 2 M and P2
P1 and P2 can also be used as DO 2 M and DO 2 P
Caution
! If strong currents can occur on DO 2 P and DO 2 M, both terminals 11 and 15
(DO 2 P) and terminals 12 and 16 (DO 2 M) must be wired in parallel.
Otherwise, the current loading could cause the terminals to heat up.

A5E00103686-01 9-5
Fail-Safe Modules
Block Diagram
Address switch
PWR P-switch
M 9
Processing logic
13
Backplane bus interface module
Read back
10
SF
M
M-switch
14
M
Status of
output
Relays 5V
12, 16 M24
24 V
3, 7
P1
P2
11, 15 P24
2, 6
Figure 9-3 Block Diagram of the PM-E F 24 VDC PROFIsafe

9-6 A5E00103686-01
Fail-Safe Modules
Wiring Diagram
The three digital outputs each consist of one P-switch (current sourcing) DOx P
and one M-switch (current sinking) DOx M. They connect the load between the P
and M-switches. The two switches are always controlled so that voltage is applied
to the load.
The wiring for the power module is carried out on the special terminal module.
PM-E F 24 VDC EM DO1 EM DO2 EM DO3
P1 (P)
P1 P2
DO0 DO0 DO1 DO1 (P) (M) P2 (M)
L+ M (P) (M) (P) (M) DO2 DO2 DO3 M DO4 M DO5 M
K0 K1 K2 K3 K4 K5
L+ M
Figure 9-4 Wiring Diagram for the PM-E F 24 VDC PROFIsafe
Safety Note
! To protect the relay contacts from overload, use of an external fuse with the
following properties is recommended for L+ on the PM-E F: B-characteristic
circuit breaker in accordance with IEC 947-5-1, 10 A.
Safety Note
!
For safety reasons, you must disconnect the supply voltage to the fail-safe digital
outputs DO 0 and DO 1 within one hour after their passivation.
Relay Output DO 2
The relay output DO 2 connects the voltage L+ and M using one relay contact for
each. The voltage is fed outwards to the terminal module and to the internal
voltage buses P1 and P2. This results in two connection options that can be used
at the same time:
· A load can be connected directly to the terminal module (K2 in Figure 9-4).
· Electronic modules can be supplied by means of the internal voltage buses P1
and P2. Loads can be connected to these modules in turn (K3, K4, and K5 in
Figure 9-4).

A5E00103686-01 9-7
Fail-Safe Modules
Connection of Two Relays on One Digital Output

You can connect two relays to one fail-safe digital output. The following conditions
should be kept in mind:
· L+ and M of the relays must be connected with L+ and M of the
PM-E F (reference potential must be equal).
· The normally open contact of the two relays must be connected in series.
This connection can only be made on digital outputs DO 0 and DO 1 (not DO 2).
This connection enables AK6/SIL3/Category 4 to be achieved.
PM-E F 24 VDC EM DO1 EM DO2 EM DO3
P1 (P)
P1 P2
K1 K2 K3 K4
K1 K3
K2 K4
L+ M
Figure 9-5 Wiring Diagram for Each of Two Relays on DO 0 and DO 1 of the PM-E F 24 VDC PROFIsafe
Safety Note
! When connecting two relays on one digital output, the faults "wire break“ and
"overload“ are detected only on the P-switch of the output (not on the M-switch).

9-8 A5E00103686-01
Fail-Safe Modules
Parameters in STEP 7
The following table presents the parameters that can be assigned for the
PM-E F 24 VDC PROFIsafe power module (see also Chapter 4).
Table 9-3 Parameters of PM-E F 24 VDC PROFIsafe
Parameter Range Default Parameter Effective

Setting Type Range
F-Parameter:
F-monitoring time 10 to 10,000 ms 100 ms Static Module
Module Parameters:
DO channel 0 Activated/deactivated Activated Static Channel
Diagnostics: Wire break Activated/deactivated Deactivated Static Channel
9.2.1 Diagnostic Functions of PM-E F 24 VDC PROFIsafe

Power Module
Behavior in Case of Supply Voltage Failure

A supply voltage failure in the PM-E F 24 VDC PROFIsafe power module is always
indicated by the PWR LED on the module (light is off). This information is also
provided in the module (diagnostic entry). All channels of the module are
passivated (see Chapter 7).
Note
A supply voltage failure in the PM-E F PROFIsafe power module causes the SF
LEDs of the electronic modules to behave differently in the voltage group:
· Standard DI or DO modules: SF LED is off
· Standard AI or AO modules: SF LED is on
· Electronic modules with process-related functions: SF LED is on

A5E00103686-01 9-9
Fail-Safe Modules
Diagnostic Functions
The following table presents an overview of the diagnostic functions of the
PM-E F 24 VDC PROFIsafe power module. The diagnostic functions are assigned
either to one channel or the entire module.
Table 9-4 Diagnostic Functions of the PM-E F 24 VDC PROFIsafe
Diagnostic Function* LED Effective Range Assignable

of Diagnostics
Short circuit SF Channel No
Overload SF Channel No
Overtemperature SF Module No
Wire break SF Channel Yes
Internal fault SF Module No
Parameter assignment error SF Module No
Missing external auxiliary supply PWR Module No
Communication error SF Module No
* Specifically for F-modules; for display in STEP 7, see Table 7.1.
Causes of Faults and Corrective Measures

The following table presents the possible causes of faults and corrective measures
for the individual diagnostic functions of the PM-E F 24 VDC PROFIsafe power
module.
Table 9-5 Causes of Faults and Corrective Measures for Diagnostic Functions of the
PM-E F 24 VDC PROFIsafe
Diagnostic Fault Possible Causes Corrective Measures

Function Detection
Short circuit Always Short circuit in the Eliminate short circuit/cross circuit
actuator Once the fault is eliminated, the
Cross circuit in the module must be removed and
actuator reinserted or powered off and on
Internal fault Replace module
Wire break, if wire Eliminate broken wire
break diagnostic has Ensure specified minimum load (see
been deactivated Chapter 9.2.2)
Once the fault is eliminated, the
module must be removed and
reinserted or powered off and on
Short circuit in P1 Supply sensors/actuators in standard
and P2, because DI/DO modules by means of the
sensors/actuators in terminal modules of the standard
standard DI/DO DI/DO modules
modules are not Once the fault is eliminated, the
supplied by means module must be removed and
of the terminal reinserted or powered off and on
modules of the
standard DI/DO
modules

9-10 A5E00103686-01
Fail-Safe Modules

Function Detection
Overload For "1“ Output stage is Eliminate overload
output overloaded and Once the fault is eliminated, the
signal only becomes too hot module must be removed and
Excess Always Temperature limit in Check load wiring,
temperature the module housing check ambient temperature, and
is exceeded causing check whether permissible output
module to be current for the ambient temperature is
switched off exceeded
Wire break For "1“ Open circuit Correct the process wiring,
output and check whether the output current
signal only is less than the minimum permissible
output current of 20 mA
Internal fault Always Internal module fault Replace module
has occurred
Parameter Always Inserted module Correct the configuration (compare
assignment does not match actual and preset configuration), and
error configuration check communication paths
Faulty parameter Correct the parameter assignment
assignment
PROFIsafe address Check the configuration of the
set incorrectly in the PROFIsafe address, and set the
F-module address switch in the F-module
accordingly
Missing external Always No supply voltage or Check module for correct contact
auxiliary supply supply voltage is too Once the fault is eliminated, the
low module must be removed and
Communication Always Error in Check the PROFIBUS connection
error communication Eliminate the interference
between F-CPU and
module due to
defective PROFIBUS
connection or higher
than permissible
EMI, for example
F-monitoring time set Set a higher value for parameter
too low "F-monitoring time“
Configuration of the Regenerate fail-safe program;
F-module does not then reload configuration and fail-safe
agree with fail-safe program to the F-CPU
program
Generally Applicable Information on Diagnostics

For information on diagnostics that pertains to all fail-safe modules (for reading out
diagnostic functions, for example), refer to Chapter 7.

A5E00103686-01 9-11
Fail-Safe Modules
9.2.2 Technical Specifications for PM-E F 24 VDC PROFIsafe

Power Module
Technical Specifications
Dimensions and Weight
Dimensions W x H x D (mm) 30 x 81 x 52
Weight Approx. 88 g
Module-Specific Data
Number of outputs
· Semiconductor outputs (P-M switching) 2
· Relay outputs (P-M switching) 1
Assigned address area
· In PII 5 bytes
· In PIQ 5 bytes
Length of cable
· Unshielded 200 m, maximum
· Shielded 200 m, maximum
Maximum achievable safety class
· In accordance with IEC 61508, DIN SIL2, AK4, Category 3:
VDE 0801, and EN 954 · With ET 200S standard DOs
· Without ET 200S standard DOs for
relay outputs with static output signal
SIL3, AK6, Category 4:
· For semiconductor outputs
Without ET 200S standard DOs for relay
outputs with dynamic output signal
Fail-safe performance characteristics SIL3
· Low demand mode (average probability << 1.00 E-05
of failure on demand)
· High demand/continuous mode << 1.00 E-10
(probability of a dangerous failure per
hour)
Voltages, Currents, Potentials
Rated supply voltage L+ 24 VDC
· Permissible range 20.4 V to 28.8 V
· Power loss ride-through of L+ None
· Power loss ride-through of internal P5 5 ms
· Reverse polarity protection No
Aggregate current
· Horizontal installation
Up to 40°C 10 A
Up to 55°C 7A
Up to 60°C 6A
· Vertical installation
Up to 40°C 6A
Electrical isolation
· Between channels and backplane bus Yes
· Between channels and power supply No

9-12 A5E00103686-01
Fail-Safe Modules
· Between channels No
· Between channels/power supply and Yes
shield
Permissible potential difference between
· Shield and ET 200S bus connection 75 VDC/60 VAC
· Shield and I/O (DOs, P1/P2 buses) 75 VDC/60 VAC
· ET 200S bus connection and I/O (DOs, 250 VAC
P1/P2 buses)
Isolation in the series checked with
· Shield and ET 200S bus connection 500 VDC/1 min or 600 VDC/1 s
· Shield and I/O (DOs, P1/P2 buses) 500 VDC/1 min or 600 VDC/1 s
· ET 200S bus connection and I/O (DOs, 1500 VAC/1 min or 2545 VDC/1 s
P1/P2 buses)
Isolation in the type test checked with
· Shield and ET 200S bus connection 350 VAC/1 min
· Shield and I/O (DOs, P1/P2 buses) 350 VAC/1 min
· ET 200S bus connection and I/O (DOs, 2830 VAC/1 min
P1/P2 buses)
· Impulse current test between ET 200S 6000 VDC/5 positive and 5 negative pulses
bus connection and I/O (DOs, P1/P2
buses)
Current consumption
· From backplane bus 28 mA, maximum
· From load voltage L+ (without load) 100 mA, typical
Power dissipation of the module 4 W, typical
Status, Interrupts, Diagnostics
Status display · Green LED per channel
· Green LED for the load voltage
Diagnostic functions
· Group fault display Red LED (SF)
· Diagnostic information can be displayed Possible
Data for Selecting an Actuator for the Semiconductor Outputs*
Output voltage
· For "1“ signal · Minimum L+ (-2.0 V)
· (P-switch minimum L+
(-1.5 V), voltage drop in M-switch:
maximum 0.5 V)
Output current for "1“ signal
· Rated value 2A
· Permissible range 20 mA to 2.4 A
For "0“ signal (residual current) 0.5 mA, maximum
Indirect control of load by means of interface
relay:
Residual current for "0“ signal
· P-switch (current sourcing) 0.5 mA, maximum
· M-switch (current sinking) 4 mA, maximum
Load resistance range 12 W to 1 kW
Lamp load 10 W, maximum

A5E00103686-01 9-13
Fail-Safe Modules
Wire break monitoring (open load detection)
and overload monitoring
· Response threshold I < 4 to 19 mA
Parallel connection of 2 outputs Not possible
Control of a digital input Not possible
Switching frequency
· With resistive load 30 Hz, maximum
· With inductive load in accordance with 0.1 Hz, maximum
IEC 947-5-1, DC13
· With lamp load 10 Hz, maximum
Voltage induced on current interruption
limited to
· Semiconductor outputs L+ (-2x 47 V)
· Relay outputs P1/P2 (1 V)
Short-circuit protection of semiconductor Yes, electronic
outputs
· Response threshold of short circuit 5 A to 12 A
· Response threshold of external M-short 5 A to 12 A
circuit
· Response threshold of external P-short 25 A to 45 A
circuit
Overload protection of semiconductor Yes
outputs
· Response threshold I >2.6 A to 2.8 A
Data for Selecting an Actuator for the Relay Outputs*
Switching capacity and service life of the
contacts at 24 VDC
· Mechanical endurance (without load) Current No. of switching cycles
(typical)
0A 10 million
· For resistive load Current No. of switching cycles
(typical)
10 A 0.23 million
8A 0.3 million
6A 0.38 million
4A 0.5 million
2A 1.0 million
1A 2.0 million
· For inductive load in accordance with Current No. of switching cycles
IEC 947-5-1, DC13 (typical)
10 A 0.1 million
8A 0.15 million
6A 0.2 million
4A 0.3 million
2A 0.5 million
1A 1.0 million
· For lamp load Power No. of switching cycles
(typical)
100 W 0.12 million

9-14 A5E00103686-01
Fail-Safe Modules
Contact protection (internal) Internal readback circuit
· Between P and M relay output 39 V suppressor diode
Wire break monitoring No
Switching frequency
· Mechanical 10 Hz, maximum
IEC 947-5-1, DC13
Short-circuit protection of output No, external miniature circuit breaker, "B"
characteristic (in accordance with IEC 947-
5-1), 10 A required
Time, Frequency
Internal preparation times See Chapter 12
Acknowledgment time in safety mode 4 ms minimum/6 ms maximum
Protection against Overvoltage
Protection of supply voltage L+ from surge
in accordance with IEC 1000-4-5 with
external protection elements only
· Symmetrical (L+ to M) + 1 kV; 1.2/50 µs
· Asymmetrical (L+ to FE, M to FE) + 2 kV; 1.2/50 µs
Protection of outputs from surge in
accordance with IEC 1000-4-5 with external
protection elements only
· Asymmetrical (L+ to FE, ground to FE) + 2 kV; 1.2/50 µs
* For requirements for sensors and actuators, refer to Section 6.5

A5E00103686-01 9-15
Fail-Safe Modules
9.3 4/8 F-DI 24 VDC PROFIsafe Digital Electronic Module
Order Number
6ES7138-4FA00-0AB0
Properties
The 4/8 F-DI 24 VDC PROFIsafe digital electronic module has the following
properties:
· Eight inputs (AK4/SIL2/Category 3) or four inputs (AK6/SIL3/Category 3 or 4)
· 24 VDC rated input voltage
· Suitable for switches and 3 or 4-wire proximity switches (BEROs)
· Two short-circuit-proof sensor supplies for each of the four inputs
· External sensor supply possible
· Group fault display (SF; red LED)
· Status display for each input (green LED)
· One fault display for each sensor supply (1VsF and 2VsF; red LED)
Applicable Power Modules for SIL2 or SIL3
Table 9-6 EM 4/8 F-DI 24 VDC PROFIsafe: Power Modules for AK/SIL/Category
Power Module Achievable AK/SIL/Category

Supply using PM-E 24 VDC With 1oo1 evaluation of the sensors (8 F-DI)
AK4/SIL2/Category 3
Supply using PM-E 24 VDC/120 /230 VAC With 1oo1 evaluation of the sensors (8 F-DI)
AK4/SIL2/Category 3
With 1oo2 evaluation of the sensors (4 F-DI)
AK6/SIL3/Category 4

9-16 A5E00103686-01
Fail-Safe Modules
Front View
Error display for each sensor supply

Group fault display - red – red (Voltage supply Fault)
Status displays for

each input - green
Figure 9-6 Front View of EM 4/8 F-DI 24 VDC PROFIsafe

A5E00103686-01 9-17
Fail-Safe Modules
Terminal Assignment
The terminal assignment of the EM 4/8 F-DI 24 VDC PROFIsafe digital electronic
module for the applicable terminal modules TM-E30S44-01, TM-E30C44-01,
TM-E30S46-A1, and TM-E30C46-A1 is shown in the following figure.
DI0 DI1 1 5 9 13 DI4 DI5
Vs1 Vs1 2 6 10 14 Vs2 Vs2
DI2 DI3 3 7 11 15 DI6 DI7
Vs1 Vs1 4 8 12 16 Vs2 Vs2
Following terminals are only on Following terminals are only on

TM-E30S46-A1 and TM-E30C46-A1 A16 TM-E30S46-A1 and TM-E30C46-A1
A4 A8 A12
AUX1 AUX1 (PE) AUX1 AUX1 (PE)
A15
AUX1 AUX1 (PE) A3 A7 A11 AUX1 AUX1 (PE)
DI: fail-safe digital input

Vs1: internal sensor supply 1 for DI 0 to DI 3
Vs2: internal sensor supply 2 for DI 4 to DI 7
For TM-E30S46-A1 and TM-E30C46-A1:

AUX 1 bus in place: Use terminals A3 to A16, as desired, to connect to PE (individual
grouping of sensor supplies possible)
Figure 9-7 Terminal Assignment of TM-E30S44-01, TM-E30C44-01, TM-E30S46-A1, and TM-E30C46-A1

for EM 4/8 F-DI 24 VDC PROFIsafe

9-18 A5E00103686-01
Fail-Safe Modules
Block Diagram
Address switch
1Vs 2VsF
M M
2,6,4,8 10,14,12,16 VS2
VS1
1 9
5 13
3 11
7 M 15
Processing logic
Test
Filter logic
Status
M
SF
5V
M
24 V
P1
P2
Figure 9-8 Block Diagram of EM 4/8 F-DI 24 VDC PROFIsafe

A5E00103686-01 9-19
Fail-Safe Modules
The following table presents the parameters that can be assigned for the
EM 4/8 F-DI 24 VDC PROFIsafe digital electronic module (see also Chapter 4).
Table 9-7 Parameters of EM 4/8 F-DI 24 VDC PROFIsafe

Setting Type Range
F-Parameter:
Module Parameters:
Input delay 0.5; 3; 15 ms 3 ms Static Module
Short-circuit test Cyclic/blocked Cyclic Static Module
Channel 0, 4 Activated/deactivated Activated Static Channel
Evaluation of sensors 1oo2 evaluation/ 1oo2 Static Channel
1oo1 evaluation evaluation
Type of sensor 2-channel sensor; 2-channel Static Channel
interconnection 1-channel sensor, equivalent
non-equivalent sensor
Discrepancy time 10 to 30,000 ms 10 ms Static Channel
interconnection 1-channel sensor; sensor
Non-equivalent sensor
Evaluation of sensors 1oo2 evaluation/1oo1 1oo2 Static Channel
evaluation evaluation
interconnection 1-channel sensor; sensor
interconnection 1-channel sensor, sensor

9-20 A5E00103686-01
Fail-Safe Modules
Input Delay of 3 ms
Safety Note
! To avoid a safety-related deactivation, you must use shielded cables for the fail-
safe digital inputs and sensor supply when using an assigned input delay of
3 ms. Alternatively, you can assign an input delay of 15 ms.
Short-Circuit Test Parameter

The cyclic short-circuit test is activated or deactivated using the short-circuit test
parameter. The short-circuit test is only useful for simple switches that do not have
their own power supply. The internal sensor supplies must be used whenever the
short-circuit test has been activated (see also Section 9.3.1).
Definition of Discrepancy Time

The discrepancy analysis is initiated when different levels are detected in two
associated input signals. After a programmable time interval (discrepancy time) has
elapsed, a check is made to determine whether or not the difference has
disappeared. If not, this means that a discrepancy error exists.
Discrepancy Analysis with 1oo2 Evaluation

The discrepancy analysis is performed on the two input signals of the 1oo2
evaluation in the F-DI module.
If the input signals do not match after the assigned discrepancy time has elapsed
(due to a broken wire in a sensor cable, for example), the input signal to the F-CPU
is set to “0.“ This corresponds to an AND interconnection of the input signals. In
addition, the “safety-related deactivation“ diagnostic function containing information
on the faulty channel is generated in the diagnostic buffer of the module.

A5E00103686-01 9-21
Fail-Safe Modules
"Discrepancy Time"
The "discrepancy time“ parameter is only relevant for 1oo2 evaluation with a
2-channel sensor. For 1oo2 evaluation with a 1-channel sensor, the discrepancy
time is permanently preset to 10 ms.
The maximum time that the effective discrepancy time of the F-DI module can be
extended compared to the assigned discrepancy time is shown in the following
table.
Table 9-8 EM 4/8 F-DI 24 VDC: Extension of Assigned Discrepancy Time
Short-Circuit Test Parameter Assigned Input Delay

0.5 ms 3 ms 15 ms
Deactivated 6 ms
Activated 7 ms 12 ms 37 ms
In the case of 1oo2 evaluation, the F-DI module reads the input signals twice,
performs an internal comparison, and then sends the harmonized result to the
F-CPU.
Safety Note
! The input signals from the process are considered to be correct process values
within the effective discrepancy time even if the redundant input signal readings
are different.
While the discrepancy time procedure is in progress within the module, the old
value of the relevant input channel is sent to the F-CPU.
Note
The discrepancy time for 2-channel sensors must be set to short response times
for fast response.
Thus, for example, it makes no sense for a time-critical deactivation to be
triggered by 2-channel sensors with a discrepancy time of 500 ms. In the worst
case, the sensor-actuator response time is extended by an amount approximately
equal to the discrepancy time:
· For this reason, position the sensor in the process in such a way to minimize
discrepancy.
· Then select the shortest possible discrepancy time that also has sufficient
back up against false tripping of discrepancy errors.

9-22 A5E00103686-01
Fail-Safe Modules
9.3.1 Applications for 4/8 F-DI 24 VDC PROFIsafe Digital Electronic

Module
Selecting the Application

The following figure provides information to help you select the application that
corresponds to your fail-safe requirements. The following chapters provide
instructions on wiring the F-module and requirements for specific parameter
settings in STEP 7 for each application.
Required
safety class?
AK4/SIL 2/Cat.3 AK 6/SIL3/Cat.3 AK6/SIL3/Cat.4
Application 1 to 3
1 2 3
See See See
Sec. 9.3.2 Sec. 9.3.3 Sec. 9.3.4
Figure 9-9 Selecting the Application – Electronic Module 4/8 F-DI 24 VDC PROFIsafe
Safety Note
! The achievable safety class is dependent on the quality of the sensor and the
magnitude of the proof-test interval in accordance with IEC 61508 (interval for
external function test). If the quality of the sensor is lower than the quality
stipulated in the required safety class, the sensor must be applied redundantly
with a 2-channel connection.

A5E00103686-01 9-23
Fail-Safe Modules
Conditions for Achieving AK/SIL/Category

The conditions for achieving the respective safety requirements are presented in
the following table.
Table 9-9 EM 4/8 F-DI 24 VDC PROFIsafe: Conditions for Achieving AK/SIL/Category
Application Sensor Evaluation Sensor Supply Achievable

of Sensors AK/SIL/Category
1 1-channel 1oo1 Internal, with short- 4/2/3
circuit test
Internal, without
short-circuit test
External
circuit test
Internal, without
short-circuit test
External
2-channel 1oo2 Internal, without
short-circuit test
External
2-channel, 1oo2 Internal, without
non-equivalent short-circuit test
External
2-channel, circuit test
non-equivalent
Note
You can operate the various inputs of an F-DI module simultaneously in
AK4/SIL2/Category 3 and in AK6/SIL3/Category 3 or 4. You only have to connect
the inputs and assign parameters as shown in the following chapters.
Sensor Requirements
For safety-related use of sensors, refer to Section 6.5 Requirements for Sensors
and Actuators.

9-24 A5E00103686-01
Fail-Safe Modules
9.3.2 Application 1: Safety Mode AK4/SIL2/Category 3
Sensor Supply
The EM 4/8 F-DI 24 VDC PROFIsafe digital electronic module provides sensor
supply Vs1 for inputs 0 to 3 and sensor supply Vs2 for inputs 4 to 7. The sensor
supply can be provided internally or externally.
Wiring Diagram – 1-Channel Sensor

Eight process signals can be connected to an EM 4/8 F-DI 24 VDC PROFIsafe
digital electronic module. One 1-channel sensor (1oo1 evaluation) is connected for
each process signal.
The wiring is carried out on the appropriate terminal module.
PM-E EM 4/8 F-DI 24 VDC
8 F-DI
L+ M Vs1 DI0 DI1 DI2 DI3 Vs2 DI4 DI5 DI6 DI7
S0 S1 S2 S3 S4 S5 S6 S7
L+ M
Figure 9-10 Wiring Diagram EM 4/8 F-DI 24 VDC PROFIsafe – 1-Channel Sensor (1oo1), Internal Sensor
Supply
8 F-DI
S0 S1 S2 S3 S4 S5 S6 S7
L+ M
Figure 9-11 Wiring Diagram EM 4/8 F-DI 24 VDC PROFIsafe – 1-Channel Sensor (1oo1), External Sensor
Supply

A5E00103686-01 9-25
Fail-Safe Modules
Parameters for Application 1

Set the parameter "Evaluation of sensor“ to "1oo1 evaluation“ for the respective
input.
You can activate or deactivate the "short-circuit test" parameter. However, you
must deactivate the short-circuit test as soon as one or more fail-safe digital inputs
are externally supplied. Otherwise the "short-circuit“ diagnostic could be signaled
when applicable.
Special Features for Fault Detection

The following table presents fault detection according to the sensor supply and the
parameter assignment for the short-circuit test:
Table 9-10 EM 4/8 F-DI 24 VDC PROFIsafe: Fault Detection for Application 1
Example of Fault Fault Detection

Internal Sensor Internal Sensor External Sensor
Supply and Supply and Supply
Activated Short- Deactivated Short-
Circuit Test Circuit Test
Short circuit in DI 0 with DI 1 No No No
Short circuit in DI 0 with DI 4 Yes* No No
P-short circuit in DI 0 Yes No No
M-short circuit in DI 0 Yes* Yes* No
Discrepancy error - - -
P-short circuit in sensor Yes No No
supply 1
M-short circuit in sensor Yes Yes Yes
supply 1, or sensor supply 2
defective
Short circuit in sensor supply Yes No No
1 with sensor supply 2
Fault in read/test circuit Yes Yes Yes
Supply voltage fault Yes Yes Yes
* Fault is detected only in case of signal corruption. That is, the signal read differs from the sensor
signal. If there is no signal corruption with respect to the sensor signal, fault detection is not
possible and is not required from a safety standpoint.

9-26 A5E00103686-01
Fail-Safe Modules
Assigning Inputs to Each Other

The EM 4/8 F-DI 24 VDC PROFIsafe digital electronic module has eight fail-safe
inputs DI 0 to 7 (SIL2). Two inputs each can be used as one input (SIL3) The
following assignment applies:
· DI 0 to DI 4
· DI 1 to DI 5
· DI 2 to DI 6
· DI 3 to DI 7
Sensor Supply
supply can be provided internally or externally.
Wiring Diagram – Sensor Signal Read Twice

Four process signals can be connected to an EM 4/8 F-DI 24 VDC PROFIsafe
digital electronic module. One 1-channel sensor is connected to two inputs of the
module for each process signal (1oo2 evaluation).
Note
If the voltage is supplied to the sensor by the F-DI module, you must use the
internal sensor supply Vs1. Connection to Vs2 is not possible.

A5E00103686-01 9-27
Fail-Safe Modules
4 F-DI
S0
S1
S2
S3
L+ M
Figure 9-12 Wiring Diagram for EM 4/8 F-DI 24 VDC – Sensor Signal Read Twice (1oo2), Internal Sensor
Supply
PM-E EM 4/8 F-DI DC24V
4 F-DI
S0
S1
S2
S3
L+ M
Figure 9-13 Wiring Diagram for EM 4/8 F-DI 24 VDC – Sensor Signal Read Twice (1oo2), External Sensor
Supply

9-28 A5E00103686-01
Fail-Safe Modules
Safety Note
! To achieve AK6/SIL3/Category 3 using this wiring, you must use a sensor
qualified for this class.
Parameters – Sensor Signal Read Twice

Set the parameter "evaluation of sensors“ to "1oo2 evaluation“ and the parameter
"type of sensor interconnection“ to "1-channel sensor“ for the respective input. The
discrepancy time is permanently preset to 10 ms and cannot be changed.
You can activate or deactivate the "short-circuit test" parameter. However, you
must deactivate the short-circuit test as soon as one or more fail-safe digital inputs
are externally supplied. Otherwise the "short-circuit“ diagnostic could be signaled
when applicable.

Table 9-11 EM 4/8 F-DI 24 VDC PROFIsafe: Fault Detection for Application 2.1

Internal Sensor Internal Sensor External Sensor
Supply and Supply and Supply
Activated Short- Deactivated
circuit Test Short-circuit Test
M-short circuit in DI 0 Yes* Yes* No
Discrepancy error Yes Yes Yes
M-short circuit in sensor Yes Yes Yes
supply 1, or sensor supply 2
defective
Short circuit in sensor Yes No No
supply 1 with sensor
supply 2
Fault in read/test circuit Yes Yes Yes
Supply voltage fault Yes Yes Yes

A5E00103686-01 9-29
Fail-Safe Modules

PM-E EM 4/8 F-DI 24VDC
4 F-DI
S0
S1
S2
S3
L+ M
Figure 9-14 Wiring Diagram for EM 4/8 F-DI 24 VDC – 2-Channel Sensor Signal (1oo2), Internal Sensor
Supply

9-30 A5E00103686-01
Fail-Safe Modules
PM-E EM 4/8 F-DI DC24V
4 F-DI
S0
S1
S2
S3
L+ M
Figure 9-15 Wiring Diagram for EM 4/8 F-DI 24 VDC – 2-Channel Sensor Signal (1oo2), External Sensor
Supply
Safety Note
Parameters – 2-Channel Sensor

"type of sensor interconnection“ to "2-channel sensor“ for the respective input.
Deactivate the parameter "short-circuit test.“

A5E00103686-01 9-31
Fail-Safe Modules


Internal Sensor Supply External Sensor Supply
and Deactivated Short-
Circuit Test
Short circuit in DI 0 with DI 1 Yes* Yes*
Short circuit in DI 0 with DI 4 No No
P-short circuit in DI 0 Yes* Yes*
M-short circuit in DI 0 Yes* Yes*
Discrepancy error Yes Yes
P-short circuit in sensor supply 1 No No
M-short circuit in sensor supply 1, Yes Yes
or sensor supply 2 defective
Short circuit in sensor supply 1 with No No
sensor supply 2
Fault in read/test circuit Yes Yes
Supply voltage fault Yes Yes
Wiring Diagram – Non-Equivalent Sensor Signal

digital electronic module. One non-equivalent sensor is connected to two inputs
of the module for each process signal (1oo2 evaluation).
Note
If the voltage is supplied to sensor by the F-DI module, you must use the internal
sensor supply Vs1. Connection to Vs2 is not possible.

9-32 A5E00103686-01
Fail-Safe Modules
4 F-DI
S0
S1
S2
S3
L+ M
Figure 9-16 Wiring Diagram for EM 4/8 F-DI 24 VDC – Non-Equivalent Sensor Signal (1oo2), Internal
Sensor Supply
4 F-DI
S0
S1
S2
S3
L+ M
Figure 9-17 Wiring Diagram for EM 4/8 F-DI 24 VDC – Non-Equivalent Sensor Signal (1oo2), External
Sensor Supply

A5E00103686-01 9-33
Fail-Safe Modules
Safety Note
Parameters – Non-Equivalent Sensor Signal

"type of sensor interconnection“ to "non-equivalent sensor“ for the respective input.


Internal Sensor Supply External Sensor Supply
and Deactivated Short-
Circuit Test
Short circuit in DI 0 with DI 4 Yes Yes
P-short circuit in DI 0 Yes* Yes*
P-short circuit in sensor supply 1 No No
Short circuit in sensor supply 1 with No No
sensor supply 2

9-34 A5E00103686-01
Fail-Safe Modules
Category 4 for Machine Protection Applications

To achieve Category 4 for machine protection applications, one of the following
wiring options described in this chapter is generally required:
· 1oo2 evaluation with 2-channel sensors
· 1oo2 evaluation with 2-channel, non-equivalent sensors
Assigning Inputs to Each Other

The EM 4/8 F-DI 24 VDC PROFIsafe digital electronic module has eight fail-safe
inputs DI 0 to 7 (SIL2). Two inputs each can be used as one input (SIL3) The
following assignment applies:
· DI 0 to DI 4
· DI 1 to DI 5
· DI 2 to DI 6
· DI 3 to DI 7
Sensor Supply
must be supplied internally.

A5E00103686-01 9-35
Fail-Safe Modules

PM-E EM 4/8 F-DI 24VDC
4 F-DI
S0
S1
S2
S3
L+ M
Figure 9-18 Wiring Diagram for EM 4/8 F-DI 24 VDC – 2-Channel Sensor Signal (1oo2), Internal Sensor
Supply
Safety Note
Parameters – 2-Channel Sensor

"type of sensor interconnection“ to "2-channel sensor“ for the respective input.
Activate the parameter "short-circuit test.“

9-36 A5E00103686-01
Fail-Safe Modules
Wiring Diagram – Non-Equivalent Sensor Signal

digital electronic module. One non-equivalent sensor is connected to two inputs
of the module for each process signal (1oo2 evaluation).
Note
You must use the internal sensor supply Vs1 to supply voltage to the sensor.
Connection to Vs2 is not possible.
4 F-DI
S0
S1
S2
S3
L+ M
Figure 9-19 Wiring Diagram for EM 4/8 F-DI 24 VDC – Non-Equivalent Sensor Signal (1oo2), Internal
Sensor Supply
Safety Note
Parameters – Non-Equivalent Sensor Signal

"type of sensor interconnection“ to "non-equivalent sensor“ for the respective input.

A5E00103686-01 9-37
Fail-Safe Modules

Example of Fault Fault Detection with Internal Sensor Supply and

Activated Short-Circuit Test
2-Channel Sensor Non-Equivalent Sensor
Short circuit in DI 0 with DI 4 Yes* Yes
P-short circuit in DI 0 Yes Yes
P-short circuit in sensor supply 1 Yes Yes
Short circuit in sensor supply 1 with Yes Yes
sensor supply 2
Requirements for Machine Protection Applications with Category 4

The requirements for machine protection applications with Category 4 are:
· Wiring between sensors and the automation system and between the
automation system and the actuators must be state-of-the-art and must comply
with standards for preventing short circuits.
· All short circuits detected in the table above are detected.
In this case, it is sufficient to detect one short circuit, because it required two
faults to be generated (both of the short-circuited signal cables indicate an
isolation fault). Consequently, a multiple short-circuit analysis is not required.
Methods for detecting all short circuits are permissible even if no individual short
circuits are detected, provided they do one of the following:
· Do not cause corruption of read signals compared to sensor signals
· Cause corruption of read signals compared to sensor signals, but in the
direction that ensures safety

9-38 A5E00103686-01
Fail-Safe Modules
9.3.5 Diagnostic Functions of the EM 4/8 F-DI 24 VDC PROFIsafe

A failure in supply voltages Vs1 and Vs2 of the EM 4/8 F-DI 24 VDC PROFIsafe
digital electronic module is indicated on the module by the 1 VsF and 2 VsF LED.
This information is also provided in the module (diagnostic entry). All channels of
the module are passivated (see Chapter 7).
EM 4/8 F-DI 24 VDC PROFIsafe digital electronic module. The diagnostic functions
are assigned either to one channel or the entire module.
Table 9-15 Diagnostic Functions of EM 4/8 F-DI 24 VDC PROFIsafe
Diagnostic Function* LED Signaled in Effective Assignable

Application Range of
Diagnostics
Short circuit SF 1, 2, 3 Channel Yes
Overtemperature SF 1, 2, 3 Module No
Internal fault SF 1, 2, 3 Module No
Parameter assignment error SF 1, 2, 3 Module No
Missing external auxiliary 1VsF 1, 2, 3 Module No
supply 2VsF
Communication error SF 1, 2, 3 Module No
Discrepancy error (1oo2 SF 2,3 Channel No
evaluation)
Note
If you have activated the short-circuit test for the F-DI module in STEP 7 and
are using only one of the two internal sensor supplies of the module (Vs1 or Vs2),
a channel M-short circuit is then detected for each of the four channels that has
an unused sensor supply. Four "short-circuit" diagnostic functions are generated
in the diagnostic buffer of the module.

Detection of some faults (such as short circuits or discrepancy errors) is dependent
on the application, wiring, and parameter assignment of the short-circuit test. For
this reason, tables on fault detection are presented in Sections 9.3.2 to 9.3.4 for
the respective applications.

A5E00103686-01 9-39
Fail-Safe Modules

for the individual diagnostic functions of the EM 4/8 F-DI 24 VDC PROFIsafe digital
electronic module.
Table 9-16 Diagnostic Functions of the EM 4/8 F-DI 24 VDC PROFIsafe, Causes of
Faults and Corrective Measures
Diagnostic Possible Causes Corrective Measures

Function
Short circuit Short circuit in the sensor
Eliminate short circuit/cross circuit
Cross circuit in the sensor
Overtemperature Temperature limit in the module housing Check ambient temperature, and check
is exceeded causing module to be whether permissible output current of
deactivated the sensor supply is exceeded for the
ambient temperature
Once the fault is eliminated, the module
must be removed and reinserted or
powered off and on
Internal fault Internal module fault has occurred Replace module
Parameter Inserted module does not match Correct the configuration (compare
assignment error configuration actual and preset configuration), and
Faulty parameter assignment check communication paths
Correct the parameter assignment
PROFIsafe address set incorrectly in the Check the configuration of the
F-module PROFIsafe address and set the
address switch in the F-module
accordingly
External auxiliary No supply voltage or supply voltage is Check the connected PM, and
power supply too low check module for correct contact
missing Once the fault is eliminated, the module
must be removed and reinserted or
powered off and on
Communication Error in communication between Check the PROFIBUS connection
error F-CPU and module due to defective Eliminate the interference
PROFIBUS connection or higher than
permissible EMI, for example
F-monitoring time set too low Set a higher value for parameter
"F-monitoring time“
Configuration of the F-module does not Regenerate fail-safe program; then
match fail-safe program reload configuration and fail-safe
program to the F-CPU
Discrepancy error Faulty process signal Check process signal, replace sensor if
(1oo2 evaluation) Defective sensor necessary
Short circuit between unconnected Eliminate short circuit

sensor cable and the sensor supply
cable
Wire break in connected sensor cable or Eliminate broken wire
the sensor supply cable
Assigned discrepancy time too short Check the assigned discrepancy time

9-40 A5E00103686-01
Fail-Safe Modules

For information on diagnostics affecting all fail-safe modules (such as reading out
of diagnostic functions; passivation of channels), refer to Chapter 7.
9.3.6 Technical Specifications for the EM 4/8 F-DI 24 VDC PROFIsafe
Weight Approx. 78 g
Number of inputs
· 1-channel 8, maximum
· 2-channel 4, maximum
· In PII 6 bytes
· in PIQ 4 bytes
Length of cable
Maximum achievable safety class 1-channel 2-channel
· In accordance with IEC 61508 SIL2 SIL3
· In accordance with DIN VDE 0801 AK4 AK6
· In accordance with EN 954 Category 3 Category 4
Fail-safe performance characteristics SIL2 SIL3
· Low demand mode (average probability of failure << 1.00 E-03 << 1.00 E-05
on demand)
· High demand/continuous mode (probability of a << 1.00 E-08 << 1.00 E-10
dangerous failure per hour)
· Power loss ride-through of internal P5 5 ms
Number of simultaneously controllable inputs
Up to 55°C 8 (with 28.8 V)
Up to 60°C 8 (with 24 V)
Up to 60°C 6 (with 28.8 V)
Up to 40°C 8

A5E00103686-01 9-41
Fail-Safe Modules
· Between channels/power supply and shield Yes
· Shield and I/O (DIs, P1/P2 buses) 75 VDC/60 VAC
· ET 200S bus connection and I/O (DIs P1/P2 250 VAC
buses)
· Shield and I/O (DIs, P1/P2 buses) 500 VDC/1 min or 600 VDC/1 s
· ET 200S bus connection and I/O (DIs, P1/P2 1500 VAC/1 min or 2545 VDC/1 s
buses)
· Shield and I/O (DIs, P1/P2 buses) 350 VAC/1 min
· ET 200S bus connection and I/O (DIs, P1/P2 2830 VAC/1 min
buses)
· Impulse current test between ET 200S bus 6000 VDC/5 positive and 5 negative pulses
connection and I/O (DIs, P1/P2 buses)
Current consumption
· From backplane bus 28 mA, typical
Power dissipation of module 4 W, typical
Status display
Inputs Green LED per channel
Sensor supply Red LED per channel
Sensor Supply Outputs
Number of outputs 2
Output voltage
· Loaded Minimum L+ (-1.5 V)
Output current
· Rated value 300 mA
· Permissible range 0 mA to 300 mA
Permissible aggregate current of outputs 600 mA
Short-circuit protection Yes, electronic
· Operating value 0.7 A to 1.8 A

9-42 A5E00103686-01
Fail-Safe Modules
Data for Selecting a Sensor**
Input voltage
· Rated value 24 VDC
· For "1“ signal 15 V to 30 V
· For "0“ signal -30 V to 5 V
Input current
· For "1“ signal 3.7 mA, typical
Input delay* Assignable (for all inputs combined)
· For "0“ after "1“ 0.5 ms, typical (0.3 ms to 0.7 ms)
3 ms, typical (2.6 ms to 3.4 ms)
15 ms, typical (13 ms to 17 ms)
· For "1“ after "0“ 0.5 ms, typical (0.3 ms to 0.7 ms)
3 ms, typical (2.6 ms to 3.4 ms)
15 ms, typical (13 ms to 17 ms)
Input characteristic In accordance with IEC 1131, Type 1
Connection of 2-wire proximity switch Not possible
· Permissible quiescent current 0.6 mA, maximum
Time, Frequency
Acknowledgment time in safety mode
· Short-circuit test activated with input delay of 0.5
ms: 4 ms, minimum/7 ms, maximum
with input delay of 3 ms: 4 ms, minimum/12 ms, maximum
with input delay of 15 ms: 4 ms, minimum/9 ms. maximum
· Short-circuit test deactivated 4 ms, minimum/6 ms, maximum
Minimum sensor signal duration See Table 6.2 in Section 6.5
Protection of supply voltage L+ from surge stressing in
accordance with IEC 1000-4-5 with external protection
elements only
Protection of inputs and outputs from surge stressing
in accordance with IEC 1000-4-5 with external
protection elements only
* With an input delay of 0.5 ms, shielded cable must be used for the digital inputs and the sensor
supply.
With an input delay of 3 ms, shielded cable must be used for the fail-safe digital inputs and the
sensor supply to avoid a safety-related deactivation.
** For requirements for sensors and actuators, refer to Section 6.5

A5E00103686-01 9-43
Fail-Safe Modules
9.4 4 F-DO 24 VDC/2 A PROFIsafe Digital Electronic Module
Order Number
6ES7138-4FB00-0AB0
Properties
The 4 F-DO 24 VDC/2 A PROFIsafe digital electronic module has the following
properties:
· Four outputs, P-M switching (current sourcing/sinking)
· 2 A output current
· 24 VDC rated load voltage
· Suitable for solenoid valves, DC contactors, and indicator lights
· Group fault display (SF; red SLED)
· Status display for each output (green LED)
· Safety class SIL3 achievable
Applicable Power Modules for SIL2 or SIL3
Table 9-17 EM 4 F-DO 24 VDC/2 A PROFIsafe: Power Modules for AK/SIL/Category
Power Module Achievable AK/SIL/Category

Supply using PM-E 24 VDC AK4/SIL2/Category 3
Supply using PM-E 24 VDC/120/230 VAC AK6/SIL3/Category 4

9-44 A5E00103686-01
Fail-Safe Modules
Front View
Group fault display - red
Status displays for

each output - green
Figure 9-20 Front View of EM 4 F-DO 24 VDC/2 A PROFIsafe
Safety Note
! The SF LED and the status displays of the outputs must not be evaluated for fail-
safe activities.

A5E00103686-01 9-45
Fail-Safe Modules
Terminal Assignment
The terminal assignment of the EM 4 F-DO 24 VDC/2 A PROFIsafe digital
electronic module for the applicable terminal modules TM-E30S44-01,
TM-E30C44-01, TM-E30S46-A1, and TM-E30C46-A1 is shown in the following
figure.
DO0 DO1 1 5 9 13 DO2 DO3

P P P P
1
DO0 DO1 2 6 10 14 DO2 DO3
M M M M
- - 3 7 11 15 - -
- - 4 8 12 16
- -
Folllowing terminals are only on Following terminals are only on

TM-E30S46-A1 and TM-E30C46-A1 A16 TM-E30S46-A1 and TM-E30C46-A1
A4 A8 A12
AUX1 AUX1 (PE) AUX1 AUX1 (PE)
A15
AUX1 AUX1 (PE) A3 A7 A11 AUX1 AUX1 (PE)
DOx P and DOx M: interface module for fail-safe digital output (P-M switching)
For TM-E30S46-A1 and TM-E30C46-A1:
AUX 1 bus in place: Use terminals A3 to A16, as desired, to connect to PE (individual
grouping of sensor supplies possible)
Figure 9-21 Terminal Assignment of TM-E30S44-01, TM-E30C44-01, TM-E30S46-A1, and TM-E30C46-A1

for EM 4 F-DO 24 VDC/2 A PROFIsafe

9-46 A5E00103686-01
Fail-Safe Modules
Block Diagram
Address switch
P-switch
1
9
2 13
Read back
Processing logic
6

10
M-switch
14
M
Status of
output
SF
5V
M
24 V
P1
P2
Figure 9-22 Block Diagram of EM 4 F-DO 24 VDC/2 A PROFIsafe

A5E00103686-01 9-47
Fail-Safe Modules
Wiring Diagram
The four fail-safe digital outputs each consist of one P-switch (current sourcing)
DOx P and one M-switch (current sinking) DOx M. They connect the load between
the P and M-switches. The two switches are always controlled so that voltage is
applied to the load.
The wiring is carried out on an appropriate terminal module.
PM-E EM 4 F-DO 24 VDC/2 A
4 F-DO
DO0 DO0 DO1 DO1 DO2 DO2 DO3 DO3
L+ M (P) (M) (P) (M) (P) (M) (P) (M)
K0 K1 K2 K3
L+ M
Figure 9-23 Wiring Diagram of EM 4 F-DO 24 VDC/2 A PROFIsafe
Safety Note
! For safety reasons, you must disconnect the supply voltage to the fail-safe digital
outputs within one hour after their passivation.

9-48 A5E00103686-01
Fail-Safe Modules

You can connect two relays using one fail-safe digital output. The following
conditions should be kept in mind:
· L+ and M of the relays must be connected with L+ and M of the
PM-E F (reference potential must be equal).
· The normally open contacts of the two relays must be connected in series.
A connection to each of the four digital outputs is possible. For example, the
connection to DO 0 and DO 1 is shown in the following figure. This connection
enables AK6/SIL3/Category 4 to be achieved.
PM-E EM 4 F-DO 24 VDC/2 A
4 F-DO
DO0 DO0 DO1 DO1 DO2 DO2 DO3 DO3
L+ M (P) (M) (P) (M) (P) (M) (P) (M)
K1 K2 K3 K4
K1 K3
K2 K4
L+ M
Figure 9-24 Wiring Diagram for Each of Two Relays to One F-DO of the EM 4 F-DO 24 VDC/2 A
PROFIsafe
Safety Note
! When connecting two relays on one digital output, the faults "wire break“ and
"overload“ are detected only on the P-switch of the output (not on the M-switch).

A5E00103686-01 9-49
Fail-Safe Modules
The following table presents the parameters that can be assigned for the F-DO
module (see also Chapter 4).
Table 9-18 Parameters of the F-DO Module

Setting Type Range
F-Parameter:
Module Parameters:
9.4.1 Diagnostic Functions of the EM 4 F-DO 24 VDC/2 A PROFIsafe

Digital Electronic Module
EM 4 F-DO 24 VDC/2 A PROFIsafe digital electronic module. The diagnostic
functions are assigned either to one channel or to the entire module.
Table 9-19 Diagnostic Functions of EM 4 F-DO 24 VDC/2 A PROFIsafe
Diagnostic Function* LED Effective Range Assignable

of Diagnostics
Short circuit SF Channel No
Overload SF Channel No
Overtemperature SF Module No
Wire break SF Channel Yes
Internal fault SF Module No
Parameter assignment error SF Module No
Missing external auxiliary supply SF Module No
Communication error SF Module No

9-50 A5E00103686-01
Fail-Safe Modules

for the individual diagnostic functions of the EM 4 F-DO 24 VDC/2 A PROFIsafe
digital electronic module.
Table 9-20 Diagnostic Functions of the EM 4 F-DO 24 VDC/2 A PROFIsafe, Causes of

Faults and Corrective Measures

Function Detection
actuator Once the fault is eliminated, the
Wire break, if wire Eliminate broken wire
break diagnostic has Ensure specified minimum load
been deactivated (see Chapter 9.4.2)
Overload For "1“ Output stage is Eliminate overload
output overloaded and Once the fault is eliminated, the
signal only becomes too hot module must be removed and
Overtemperature Always Temperature limit in Check load wiring,
the module housing is check ambient temperature, and
exceeded causing check whether permissible output
module to be current (aggregate current) for the
deactivated ambient temperature is exceeded
Wire break For "1" Broken cable Correct the process wiring
output
signal only
Internal fault Always Internal module fault Replace module
has occurred
Parameter Always Inserted module does Correct the configuration
assignment error not match (compare actual and preset
configuration configuration), and check
Faulty parameter communication paths
assignment Correct the parameter assignment
PROFIsafe address Check configuration of the
set incorrectly in the PROFIsafe address, and set the
F-module address switch in the F-module
accordingly

A5E00103686-01 9-51
Fail-Safe Modules

Function Detection
External auxiliary Always No supply voltage or Check interconnected PM, and
power supply supply voltage is too check module for correct contact
missing low Once the fault is eliminated, the
Communication Always Error in Check the PROFIBUS connection
error communication Eliminate the interference
between F-CPU and
module due to
defective PROFIBUS
connection or higher
than permissible EMI,
for example
F-monitoring time set Set a higher value for parameter
too low "F-monitoring time“
Configuration of the F- Regenerate fail-safe program;
module does not then reload configuration and fail-
match fail-safe safe program to the F-CPU
program

For information on diagnostics that pertains to all fail-safe modules (for reading out
diagnostic functions, for example), refer to Chapter 7.

9-52 A5E00103686-01
Fail-Safe Modules
9.4.2 Technical Specifications for EM F-DO 24 VDC/2 A PROFIsafe
Weight Approx. 85 g
Data for Specific Module
Number of outputs (P-M switching) 4
· In PII 5 bytes
· in PIQ 5 bytes
Length of cable
· In accordance with IEC 61508 SIL3
· In accordance with DIN VDE 0801 AK6
· In accordance with EN 954 Category 4
Fail-safe performance characteristics SIL3
· Low demand mode (average probability << 1.00 E-05
· High demand/continuous mode << 1.00 E-10
hour)
· Power loss ride-through of internal 5 ms
power supply
Aggregate current of outputs
Up to 40°C 6A
Up to 55°C 5A
Up to 60°C 4A
Up to 40°C 4A
· Between channels/power supply and Yes
shield

A5E00103686-01 9-53
Fail-Safe Modules
· Shield and I/O (DOs, P1/P2 buses) 75 VDC/60 VAC
· ET 200S bus connection and I/O (DOs, 250 VAC
P1/P2 buses)
· Shield and I/O (DOs, P1/P2 buses) 500 VDC/1 min or 600 VDC/1 s
· ET 200S bus connection and I/O (DOs, 1500 VAC/1 min or 2545 VDC/1 s
P1/P2 buses)
· Shield and I/O (DOs, P1/P2 buses) 350 VAC/1 min
· ET 200S bus connection and I/O (DOs, 2830 VAC/1 min
P1/P2 buses)
· Impulse current test between ET 200S 6000 VDC/5 positive and 5 negative pulses
bus connection and I/O (DOs, P1/P2
buses)
Current consumption
· From backplane bus 28 mA, maximum
Power dissipation of the module 3.5 W, typical
Status display
Outputs Green LED per channel
Data for Selecting an Actuator*
Output voltage
· For "1“ signal Minimum L+ (-2.0 V)
(P-switch output minimum L+ (-1.5 V)
Voltage drop in the M-switch output:
maximum 0.5 V)
Output current for "1“ signal
· Rated value 2A
· Permissible range 20 mA to 2.4 A
For "0“ signal (residual current) 0.5 mA, maximum
Indirect control of load by means of interface
relay:
For "0“ signal (residual current)
· P-switch 0.5 mA, maximum
· M-switch 4 mA, maximum
Load resistance range 12 W to 1 kW

9-54 A5E00103686-01
Fail-Safe Modules
Lamp load 10 W, maximum
Wire break monitoring (open load detection)
and overload monitoring
· Response threshold I < 4 to 19 mA
Switching frequency
IEC 947-5-1, DC13
Voltage induced on current interruption typical L+ (-47 V)
limited to
Short-circuit protection of output Yes, electronic
· Response threshold (short circuit) 5 A to 12 A
· Response threshold (external M-short 5 A to 12 A
circuit)
· Response threshold (external P-short 25 A to 45 A
circuit)
Overload protection Yes
· Response threshold I >2.6 A to 2.8 A
Time, Frequency
stressing in accordance with IEC 1000-4-5
with external protection elements only
Protection of inputs and outputs from surge
stressing in accordance with IEC 1000-4-5
with external protection elements only
* For requirements for sensors and actuators, refer to Section 6.5

A5E00103686-01 9-55
Fail-Safe Modules

9-56 A5E00103686-01
10 Dimension Drawings
Terminal Modules with Inserted PM-E F, F-DI, or F-DO Modules
The following figure applies to an inserted PM-E F, F-DI, or F-DO module. The
same dimensions always apply.

A5E00103686-01 10-1
Dimension Drawings
3
66,5
Mounting rail
support
157
90,5
30 67
3 66,5
Mounting rail
132
support
65,5
30
67
Figure 10-1 Dimension Drawing of Terminal Modules with Inserted PM-E F, F-DI, or F-DO Module

10-2 A5E00103686-01
11 Accessories and Order Numbers
Accessories and Order Numbers

The following table presents the order numbers of terminal modules, fail-safe
power and electronic modules, and additional parts that can be ordered for fail-safe
modules.
Component Order Number

Terminal modules for F-DI and F-DO:
TM-E30S44-01 (screw-in type), one item 6ES7193-4CG20-0AA0
TM-E30C44-01 (snap-in type), one item 6ES7193-4CG30-0AA0
TM-E30S46-A1 (screw-in type), one item 6ES7193-4CF40-0AA0
TM-E30C46-A1 (snap-in type), one item 6ES7193-4CF50-0AA0
Terminal modules for PM-E F 24 VDC PROFIsafe:
TM-P30S44-A0 (screw-in type), one item 6ES7193-4CK20-0AA0
TM-P30C44-A0 (snap-in type), one item 6ES7193-4CK30-0AA0
Fail-safe power module:
PM-E F 24 VDC PROFIsafe power module 6ES7138-4FB00-0AB0
Fail-safe electronic module:
4/8 F-DI 24 VDC PROFIsafe 6ES7138-4FB00-0AB0
4 F-DO 24 VDC/2A PROFIsafe 6ES7138-4FB00-0AB0
Accessories
DIN A4 label sheets, yellow, quantity of 10 6ES7193-4BB00-0AA0

A5E00103686-01 11-1
Accessories and Order Numbers

11-2 A5E00103686-01
12 Response Times
Introduction
The response times of ET 200S fail-safe modules are presented below. The
response times of fail-safe modules are included in the calculation of F-system
response time.
You will find information about the calculation of F-system response times in the
Safety Engineering in SIMATIC S7 system description.
Definition of Response Time

For fail-safe digital inputs, the response time is the time between a signal change
at the digital input and safe loading of the safety message frame on the backplane
bus.
For fail-safe digital outputs, the response time is the time between an incoming
safety message frame from the backplane bus and the signal change at the digital
output.
Maximum Response Time of PM-E F 24 VDC PROFIsafe
Table 12-1 PM-E F 24 VDC PROFIsafe: Internal Preparation Times
Measuring Channel Minimum Internal Maximum Internal

Preparation Time Tmin Preparation Time Tmax
PM-E F 24 VDC PROFIsafe 2 ms 10 ms
(electrical PM channel)
PM-E F 24 VDC PROFIsafe 3 ms 8 ms
(P1/2 channel; relay; switch on)
PROFIsafe PM-E F 24 VDC 4 ms 12 ms
(P1/2 channel; relay; switch off)
The maximum response time of the PM-E F 24 VDC PROFIsafe without

faults/errors corresponds to the maximum internal preparation time Tmax.
The maximum response time of the PROFIsafe PM-E F 24 VDC with faults/errors
corresponds to the maximum response time without faults/errors.

A5E00103686-01 12-1
Response Times
Maximum Response Time of EM 4/8 F-DI 24 VDC PROFIsafe
Table 12-2 EM 4/8 F-DI 24 VDC PROFIsafe: Internal Preparation Times
Evaluation of the Sensors Minimum Internal Maximum Internal

1oo1 and 1oo2 5 ms 11 ms
Formula for Calculating the Maximum Response Time without Faults/Errors

of EM 4/8 F-DI 24 VDC:
Maximum response time without faults/errors = Tmax + input delay + short-circuit
test time*
* Short-circuit test time = 2 x input delay
Parameters for the input delay and the short-circuit test are assigned in STEP 7
(see Section 9.3).
Maximum Response Time with a Fault/Error:
The following table presents the maximum response times of the F-DI module
when a fault/error is present, depending on the parameter assignment in STEP 7
and the evaluation of the sensors.
Table 12-3 EM 4/8 F-DI 24 VDC PROFIsafe: Maximum Response Time with a
Fault/Error
1oo1 Evaluation 1oo2 Evaluation

Input Delay 0.5 ms 3 ms 15 ms 0.5 ms 3 ms 15 ms
Short-circuit test 17 ms 12 ms 14 ms 26 ms
deactivated
Short-circuit test 29 ms 40 ms 91 ms 13 ms 20 ms 56 ms
activated
Maximum Response Time of EM 4 F-DO 24 VDC/2A PROFIsafe
Table 12-4 EM 4 F-DO 24 VDC/2A PROFIsafe: Internal Preparation Times

PROFIsafe EM 4 F-DO 24 VDC/2A 2 ms 9 ms
The maximum response time of EM 4 F-DO 24 VDC/2A PROFIsafe without

faults/errors corresponds to the maximum internal preparation time Tmax.
The maximum response time of EM 4 F-DO 24 VDC/2A PROFIsafe with
faults/errors corresponds to the maximum response time without faults/errors.

12-2 A5E00103686-01
13 Glossary
1oo1 Evaluation
1oo1 evaluation is a type of sensor evaluation in which one sensor is connected to
the F-module by means of a single channel.
1oo2 Evaluation
1oo2 evaluation is a type of sensor evaluation in which the signal statuses of the
inputs are compared internally for equivalence or nonequivalence.
Acknowledgment Time
Within the acknowledgment time, the F-I/O modules acknowledge the sign of life
specified by the F-CPU. The acknowledgment time is included in the calculation of
the watchdog and response time of the entire F-system.
Actuator
Actuators can be power relays or contactors for switching on consumers, or they
can be consumers themselves (for example, directly controlled solenoid valves).
AUX1 Bus
Power modules enable the additional connection of electric potential (24 VDC),
which can be applied by means of an AUX(iliary) bus. AUX(iliary) buses can be
used individually as a protective conductor bus or they can be used to supply
additional voltage.
Availability
Availability is the probability that a system is functional at a specific point in time. It
can be increased by redundancy, for example, by using multiple sensors at the
same measuring point.

A5E00103686-01 13-1
Glossary
Backplane Bus
The backplane bus is a serial data bus used by the interface module IM 151 to
communicate with the electronic modules and motor starters and to supply them
with the required voltage. The connection between individual modules is
established by means of the terminal modules.
Category
Category in accordance with EN 954-01:
Safety modules can be used in safety mode up to Category 4.
Channel Fault
This is a channel-specific fault, such as a wire break or a short circuit. In channel-
specific passivation, the affected channel is either automatically depassivated or
the F-module must be removed and reinserted after the fault has been eliminated.
Channel Group
The channels of a module are grouped together in a channel group. Certain
parameters in STEP 7 can only be assigned to channel groups, rather than to
individual channels.
Channel Number
In the safety functions, the inputs and outputs are addressed by means of channel
numbers. The channel number is a consecutive number starting with “0“.
Channel-Specific Passivation
With channel-specific passivation, only the affected channel is passivated when a
channel fault occurs. In the event of a module fault, all channels of the fail-safe
module are passivated.
Configuration
A configuration is a systematic arrangement of the individual modules of ET 200S.

13-2 A5E00103686-01
Glossary
Connection to Common Potential

Connection to common potential refers to the opening of a new potential group by
a power module.
This enables individual connection of encoder and load current power supplies.
CRC
Cyclic Redundancy Check -> CRC signature
CRC Signature
The validity of the process values in the safety message frame, the accuracy of the
assigned address references, and the safety-related parameters are ensured by
means of a CRC signature contained in the safety message frame.
Dark Period
Dark periods occur during switch-off tests and during complete bit pattern tests.
This involves test-related 0 signals being switched to the output by the fail-safe
output module while the output is active. The output is then switched off briefly
(dark period). A sufficiently slow actuator does not respond to this and remains
switched on.
Discrepancy Analysis
Discrepancy analysis is used to detect errors based on the time characteristic of
two signals with the same functionality. Discrepancy analysis is initiated when
different levels are detected in two associated input signals. After a programmable
time interval (discrepancy time) has elapsed, a check is carried out to determine
whether or not the discrepancy has disappeared. If not, this means that a
discrepancy error exists.
A discrepancy analysis is carried out between the two input signals of the 1oo2
evaluation in the fail-safe input module.
Discrepancy Time
Discrepancy time is a period of time configured for the discrepancy analysis. If the
discrepancy time is set too high, the times for error detection and fault reaction are
extended unnecessarily. If the discrepancy time is set too low, availability is
decreased unnecessarily because a discrepancy error is detected when, in reality,
no error exists.
DP Master
A DP master is a master that behaves in accordance with the PROFIBUS standard
EN 50170/A2.

A5E00103686-01 13-3
Glossary
DP Slave
A DP slave is a slave operated on the PROFIBUS with the PROFIBUS-DP protocol
that behaves in accordance with the PROFIBUS standard EN 50170/A2.
Fail-Safe Modules
Fail-safe modules are ET 200S modules that can be used for safety-related
operation (in safety mode) in the ET 200S distributed I/O system. These modules
are equipped with integrated safety functions.
Fail-Safe Systems
Fail-safe systems (F-systems) ensure that safety functions can be executed
reliably and without error (functional safety). If individual components fail, the safety
functions are retained.
Fault Reaction Time

For F-Systems in general, the maximum fault reaction time begins with the
occurrence of any fault in any F-I/O module and ends with a safe response at the
associated fail-safe output.
For digital inputs, the maximum fault reaction time begins with the occurrence of a
fault and ends with a safe response on the backplane bus.
For digital outputs, the maximum fault reaction time begins with the occurrence of a
fault and ends with a safe response at the digital output.
F-CPU
An F-CPU is a central processing unit with fail-safe capability that is permitted for
use in S7-300F/S7-400F/FH. For S7-400F/FH, the F-copy license allows the
central processing unit
to be used as an F-CPU. That is, it can execute a safety program. No F-copy
license is required for S7-300F. A standard user program can also be run on the F-
CPU.
F-I/O
F-I/O is a group designation for fail-safe inputs and outputs available in
SIMATIC S7 for integration in the S7-300F and S7-400F/FH fail-safe systems.
The following F-I/O modules are available:
· S7-300 fail-safe signal modules
· Fail-safe electronic modules in the ET 200S distributed I/O system
(only for S7-300F)
· Fail-safe DP standard slaves (only for S7-300F)

13-4 A5E00103686-01
Glossary
Module Fault
Module faults can be external faults (for example, missing load voltage) or internal
faults (for example, processor failure). An internal fault always requires module
replacement.
Monitoring Time
Time monitoring of message frames updates takes place when the F-CPU
specifies a sign of life to the fail-safe module.
A valid current message frame must be received by the F-CPU with a new sign of
life within a configurable monitoring time.
Motor Starter (MS)

Motor starter is a general term referring to direct starters and reversing starters.
Motor starters are used to specify motor startup and direction of rotation.
M-Switch
In ET 200S F-modules, every fail-safe digital output consists of a P-switch (DOx P
current sourcing switch)and an M-switch (DOx M current sinking switch). The load
is connected between the P-switch and the M-switch. Both switches are always set
so that voltage is applied to the load.
Multiple Error Entry Time

Multiple error entry time in accordance with DIN V VDE 0801:
For PM-E F 24 VDC PROFIsafe, multiple error entry time is the time in which the
relay contacts of voltage buses P1 and P2 must be switched at least once in order
for the F-modules supplied by P1 and P2 to achieve AK6/SIL3/Category 4.
Parameter Assignment
When parameters are assigned by means of PROFIBUS-DP, slave parameters are
transferred from the DP master to the DP slave.
When parameters are assigned to modules, STEP 7 configuration software is
used to set module behavior.

A5E00103686-01 13-5
Glossary
Passivation
Passivation of digital output channels means that the outputs are deenergized.
Passivation of the input channels occurs when the inputs transfer a fail-safe value
to the F-CPU, irrespective of the current processor value.
PG
Programming devices (PGs) are compactly designed personal computers
especially made for use in an industrial setting. A programming device (PG) is
entirely equipped for programming SIMATIC automation systems.
Prewiring
Prewiring entails wiring the terminal modules before inserting the electronic
modules.
Process Image
The process image is a component of the system memory of the CPU. At the
beginning of the cyclic program, the signal states of the input modules are
transferred to the process image of the inputs. At the end of the cyclic program, the
process image of the outputs are transferred as a signal state to the DP slave.
Process Safety Time

The process safety time of a process is a time interval during which the process
can be left on its own without risk to life and limb of the operating personnel or
damage to the environment.
Within the process safety time, any type of F-system process control is tolerated.
That is, during this time, the F-system can control its process incorrectly or it can
even exercise no control at all.
The process safety time of a process depends on the process type and must be
determined individually.
PROFIBUS
PROFIBUS stands for PROcess Field BUS, a German process and field bus
standard set forth in the PROFIBUS standard EN 50170/A2. This standard
specifies functional, electric, and mechanical properties for a bit-serial field bus
system.
PROFIBUS is available with the following protocols: DP (= distributed I/O), FMS (=
Fieldbus Message Specification), PA (= Process automation), or TF (=
Technological functions).

13-6 A5E00103686-01
Glossary
PROFIsafe
PROFIsafe is a safety-related bus profile of PROFIBUS DP/PA for communication
between the safety program and the F-I/O.
PROFIsafe Address
Every fail-safe module has a PROFIsafe address over which it sends safety
message frames to the F-CPU and receives safety message frames from the F-
CPU.
Proof-Test Interval
A component must be set in the fail-safe state following the proof-test interval. That
is, it is replaced by an unused component or it is proven to be completely error-
free.
P-Switch
-> See M-Switch.
Redundancy, Availability-Enhancing
Availability-enhancing redundancy means multiple availability of components to
ensure that components continue to function even in the event of hardware faults.
Redundancy, Safety-Enhancing
Safety-enhancing redundancy means multiple availability of components with the
use of comparison to reveal hardware faults (for example, 1oo2 evaluation in fail-
safe modules).
Response Time
Response time starts with the detection of an input signal and ends with the
modification of a gated output signal.
The actual response time is between the shortest and the longest response time.
The longest response time must be used as a reference for configuring a system.
For fail-safe digital inputs, the response time begins with a signal change at the
digital input and ends when the safety message frame is safely prepared at the
backplane bus.
For fail-safe digital outputs, the response time begins with an incoming safety
message frame from the backplane bus and ends with a signal change at the
digital output.

A5E00103686-01 13-7
Glossary
Reversing Starter
A reversing starter is a motor starter that determines the rotational direction of a
motor. It comprises a circuit-breaker and two contactors.
Safe State
The basic principle of the safety concept in F-systems is the existence of a safe
state for all process variables. For digital F-modules, this is always the value “0“.
Safety Class (AK)

Safety level (AK) in accordance with DIN V 19250 (DIN V VDE 0801):
Safety classes are a way to categorize safety requirements for preventing and
remedying faults. Fail-safe modules can be used in safety mode up to safety class
AK6.
Safety Function
Safety function is a mechanism integrated in fail-safe signal modules enabling
them to be used in fail-safe systems.
In accordance with IEC 61508, a safety function is implemented by a safety
system to ensure that the system is kept in a safe state or brought into a safe state
in the event of a particular fault
Safety Integrity Level

The safety integrity level (SIL) is a safety class in accordance with IEC 61508 and
prEN 50129. The higher the safety integrity level, the stricter the measures must be
to prevent and eliminate systematic errors and to remedy hardware failures.
Safety modules can be used in safety mode up to SIL3.
Safety Message Frame

In safety mode, data are transferred between the F-CPU and the F-I/O in a safety
message frame.
Safety Mode
Safety mode is the operating mode of the F-I/O that allows safety-related
communication by means of safety message frames.
ET 200S fail-safe modules are designed for operation only in safety mode.

13-8 A5E00103686-01
Glossary
Safety Note
The safety note contains important information relating to approval and safety-
related use of a product.
Sensor Evaluation
There are two types of sensor evaluation:
· 1oo1 evaluation: The sensor signal is read once.
· 1oo2 evaluation:To increase availability, the sensor signal is read in twice by
the same module and compared internally.
Sensors
Sensors are used for exact measurement of paths, positions, velocities, rotational
speeds, mass, etc.
Standard Operation
In the standard operation mode of F-I/O, safety-related communication by means
of safety message frames is not possible; only standard communication is possible
in this operating mode.
S7-300 F-SMs can be used in standard operation or safety mode. ET 200S fail-
safe modules are designed for operation only in safety mode.
Static Parameters
Static parameters can only be set when the CPU is in STOP mode and cannot be
changed by means of SFC (system function) while the user program is running.
Terminal Module
The ET 200S distributed I/O system is terminated with a terminal module. If a
terminal module is not inserted, the ET 200S is not ready for operation.
Voltage Bus (P1/P2)

Voltage buses (P1 and P2) are two internal buses that supply the electronic
modules with voltage. The voltage buses are fed by the power module and are
connected by means of the terminal module.

A5E00103686-01 13-9
Glossary
Voltage Group
A voltage group is a group of electronic modules supplied by a power module.

13-10 A5E00103686-01
Index
Base address
logic ........................................................... 5-3
1 Basic knowledge
1 VsF LED Requirements ............................................ 1-1
EM 4/8 F-DI 24 VDC ................................9-39 Block diagram
1-channel EM 4 F-DO 24 VDC/2 A........................... 9-47
sensor ......................................................9-22 EM 4/8 F-DI 24 VDC ................................ 9-19
1oo1 evaluation............................................13-1 PM-E F 24 VDC ......................................... 9-6
EM 4/8 F-DI 24 VDC ................................9-25 Bus profile
1oo2 evaluation...................................9-21, 13-1 PROFIsafe ............................................... 13-7
EM 4/8 F-DI 24 VDC .......................................
............... 9-27, 9-30, 9-32, 9-35, 9-36, 9-37 C
1VsF LED.......................................................7-3
Cables
shielded ................................................... 9-21
2 Cat. ................................................ See category
2 VsF LED......................................................7-3 Category (Cat.) ............................................ 13-2
EM 4/8 F-DI 24 VDC ................................9-39 achievable.................................................. 2-4
2-channel Causes of faults
sensor ......................................................9-22 EM 4 F-DO 24 VDC/2 A........................... 9-51
EM 4/8 F-DI 24 VDC ................................ 9-40
PM-E F 24 VDC ....................................... 9-10
A CE mark......................................................... 8-2
Central processing unit
Accessories ..................................................11-1 F-capable...................................... See F-CPU
Acknowledgment time ..................................13-1 Channel
EM 4 F-DO 24 VDC/2 A ...........................9-55 deactivated ................................................ 7-2
EM 4/8 F-DI 24 VDC ................................9-43 Channel fault......................................... 7-2, 13-2
PM-E F 24 VDC........................................9-15 Channel group ............................................. 13-2
Actuators ......................................................13-1 Channel group fault ....................................... 7-2
additional requirements ..............................6-6 Channel number .......................................... 13-2
applicable ...................................................6-6 Channel-specific diagnostics
externally supplied......................................6-2 of F-modules.............................................. 7-4
requirements ..............................................6-5 Commissioning
Address of ET 200S................................................. 2-5
PROFIsafe .................................................5-1 Communication error ....................... 6-4, 7-2, 7-5
Address area EM 4 F-DO 24 VDC/2 A........................... 9-50
F-module .............................................5-2, 5-3 EM 4/8 F-DI 24 VDC ................................ 9-39
Address switch PM-E F 24 VDC ....................................... 9-10
for PROFIsafe addresses ...........................5-1 Conditions of use ......................................... 8-10
setting.........................................................5-2 Configuration ............................................... 13-2
AK ............................................ See Safety class ET 200S with F-modules............................ 3-2
Applications Configuring
EM 4/8 F-DI 24 VDC ................................9-23 F-modules.................................................. 4-1
Approvals .......................................................1-2 Connecting
FM, UL, CSA, KEMA ..................................8-3 power modules .......................................... 3-3
AUX1 bus ..............................................3-3, 13-1 Connection to common potential ................. 13-3
Availability ....................................................13-1 Conventions
in this manual............................................. 1-4
B Corrective measures
EM 4 F-DO 24 VDC/2 A........................... 9-51
Backplane bus..............................................13-2 EM 4/8 F-DI 24 VDC ................................ 9-40

A5E00103686-01 Index-1
Index
PM-E F 24 VDC ....................................... 9-10 EM 4 F-DO 24 VDC/2 A

Coupling relay acknowledgment time...............................9-55
applicable................................................... 6-6 block diagram ...........................................9-47
CPU causes of faults and corrective
F-capable................................................... 2-3 measures..............................................9-51
CRC ............................................................. 13-3 diagnostic functions ..................................9-50
CRC signature ..................................... See CRC fail-safe performance characteristics ........9-53
CSA approval................................................. 8-3 front view ..................................................9-45
Current carrying capacity order number............................................9-44
maximum ................................................... 3-6 parameters in STEP 7 ..............................9-50
technical specifications.............................9-53
terminal assignment .................................9-46
D wiring diagram ..........................................9-48
Dark period ........................................... 6-6, 13-3 EM 4 F-DO 24 VDC/2A
Data exchange Fault types..................................................7-5
between F-CPU and F-modules................. 5-2 EM 4/8 F-DI 24 VDC
Deactivated channel ...................................... 7-2 acknowledgment time...............................9-43
Degree of protection .................................... 8-12 Applications ..............................................9-23
Degree of protection IP 20 ........................... 8-12 block diagram ...........................................9-19
Diagnostic functions....................................... 7-1 Causes of faults and corrective
assignable as parameters .......................... 7-3 measures..............................................9-40
EM 4 F-DO 24 VDC/2 A........................... 9-50 diagnostic functions ..................................9-39
EM 4/8 F-DI 24 VDC ................................ 9-39 fail-safe performance characteristics ........9-41
nonassignable as parameters .................... 7-3 Fault types..................................................7-5
PM-E F 24 VDC ................................ 9-9, 9-10 front view ..................................................9-17
reading out ................................................. 7-5 order number............................................9-16
Diagnostic message frame parameters in STEP 7 ..............................9-20
short........................................................... 3-6 sensor supply ........................ 9-25, 9-27, 9-35
Diagnostics special features for fault detection...................
channel-specific ......................................... 7-4 ........................ 9-26, 9-29, 9-32, 9-34, 9-38
definition .................................................... 7-1 technical specifications.............................9-41
Digital module terminal assignment .................................9-18
fail-safe ...................................................... 2-2 wiring diagram .................................................
Dimension drawings ............... 9-25, 9-27, 9-30, 9-32, 9-36, 9-37
F-modules ................................................ 10-1 EMC ...............................................................8-5
Direct starter ................................................ 13-5 EMC guidelines ..............................................8-9
Directives ....................................................... 8-4 Environment-related requirements ...............8-10
Discrepancy analysis .......................... 9-21, 13-3 climatic .....................................................8-11
Discrepancy error mechanical ...............................................8-10
EM 4/8 F-DI 24 VDC ................................ 9-39 ET 200S .........................................................2-2
Discrepancy time ................................ 9-21, 13-3 parameter length ........................................3-5
effect on response time............................ 9-22 ET 200S distributed I/O system......................2-2
EM 4/8 F-DI 24 VDC ....................... 9-20, 9-22 Excess temperature
Documentation PM-E F 24 VDC........................................9-10
additional ................................................... 1-3
Documentation package F
Order number............................................. 1-2
DP master.................................................... 13-3 F modules............................................. 2-2, 13-4
applicable................................................... 2-3 address area ...................................... 5-2, 5-3
with short diagnostic message frames ....... 3-6 available .....................................................2-4
DP slave ...................................................... 13-4 configuring..................................................4-1
Duration of sensor signals Fault reaction..............................................7-2
requirement for........................................... 6-5 inserting and removing ...............................6-4
installing .....................................................5-3
mounting dimensions..................................5-3
E Order number .............................................1-1
Electrical connection ...................................... 6-2 parameter assignment................................4-1
Electromagnetic compatibility ........................ 8-5 parameter length ........................................3-5
Electronic module .......................................... 3-5 possible uses..............................................2-2
fail-safe ...................................................... 3-4 Response Times ......................................12-1
Fail-safe automation system...........................2-2

Index-2 A5E00103686-01
Index
Fail-safe modules ........................See F-modules PM-E F 24 VDC ....................................... 9-10

Fail-safe performance characteristics.............9-1 react to....................................................... 7-5
EM 4 F-DO 24 VDC/2 A ...........................9-53 Internal preparation time.............................. 12-1
EM 4/8 F-DI 24 VDC ................................9-41 Internet
PM-E F 24 VDC........................................9-12 documentation on the ................................ 1-5
Fail-safe system ............................See F-system IP 20 ............................................................ 8-12
Fault detection Isolation test................................................. 8-12
EM 4/8 F-DI 24 VDC .......................................
........................ 9-26, 9-29, 9-32, 9-34, 9-38
Fault reaction L
F-modules ..................................................7-2 LED display
Fault reaction time........................................13-4 of faults ...................................................... 7-3
Fault/Error types Line break ...................................................... 7-5
of F-modules ..............................................7-5 Line cross section .......................................... 6-2
F-copy license ..............................................13-4 Load voltage missing ..................................... 7-5
F-CPU ..........................................................13-4 Logic base address........................................ 5-3
F-I/O .............................................................13-4
FM approval ...................................................8-3
F-modules M
dimension drawings..................................10-1
wiring..........................................................6-3 Machine protection
F-monitoring time applications in ............................................ 7-3
EM 4 F-DO 24 VDC/2 A ...........................9-50 conditions for Category 4 ................ 9-35, 9-38
EM 4/8 F-DI 24 VDC ................................9-20 Manual
PM-E F 24 VDC..........................................9-9 Contents .................................................... 1-4
F-system ........................................................2-2 Maximum configuration
example configuration ................................2-3 F-System with ET 200S ............................. 3-5
Functional extra low voltage per voltage group....................................... 3-6
safe ............................................................6-2 Missing external auxiliary supply
Fuse, external EM 4 F-DO 24 VDC/2 A........................... 9-50
PM-E F 24 VDC..........................................9-7 EM 4/8 F-DI 24 VDC ................................ 9-39
PM-E F 24 VDC ....................................... 9-10
Module diagnostics ........................................ 7-5
G Module failure
react to....................................................... 7-5
General technical specifications .....................8-1 Module fault ................................................. 13-5
Guide diagnostic message ................................... 7-5
To manual ..................................................1-4 Module replacement .................................... 13-5
Modules
H fail-safe ...................................................... 2-2
Monitoring time ............................................ 13-5
H/F Competence Center ................................1-5 EM 4 F-DO 24 VDC/2 A........................... 9-50
EM 4/8 F-DI 24 VDC ................................ 9-20
PM-E F 24 VDC ......................................... 9-9
I Motor starter ................................................ 13-5
IEC 61131 ......................................................8-2 Mounting dimensions
IM 151-1 High Feature ...................................2-4 F-modules.................................................. 5-3
Input delay.............................................6-5, 12-2 Mounting rails
EM 4/8 F-DI 24 VDC .......................9-20, 9-21 applicable................................................... 6-3
Inserting M-switch....................................................... 13-5
F-module ....................................................6-4 M-switch (current sinking) ..................... 9-7, 9-48
Installing Multiple error entry time ............................... 13-5
F-modules ..................................................5-3
Interface module N
applicable ...................................................2-4
Interference NAMUR recommendations
pulse-shaped..............................................8-5 requirements for power supply................... 6-3
sinusoidal ...................................................8-8 Nominal line voltages................................... 8-12
Internal fault Nonequivalence ........................................... 13-1
EM 4 F-DO 24 VDC/2 A ...........................9-50 Non-equivalent sensor........................ 9-20, 9-37
EM 4/8 F-DI 24 VDC ................................9-39

A5E00103686-01 Index-3
Index
Number of modules Power module ................................................3-5

per ET 200S with F-modules...................... 3-5 fail-safe............................................... 2-2, 3-4
positioning and connecting .........................3-3
Power supply
O requirements ..............................................6-3
One-channel sensor..................................... 9-20 Preparation time
Optional package ........................................... 4-1 internal......................................................12-1
Order number Prewiring ......................................................13-6
Documentation package ............................ 1-2 Probability
F modules .................................................. 1-1 hazardous errors ........................................6-5
Order numbers Process image...................................... 5-2, 13-6
of accessories .......................................... 11-1 Process safety time ......................................13-6
Oscillation .................................................... 8-10 Processor failure ..........................................13-5
Overload ........................................................ 7-5 Process-related functions
EM 4 F-DO 24 VDC/2 A.................. 9-49, 9-50 electronic modules with ..............................9-3
PM-E F 24 VDC ......................................... 9-8 PROFIBUS ...................................................13-6
Overtemperature............................................ 7-5 PROFIBUS standard ......................................8-2
EM 4 F-DO 24 VDC/2 A........................... 9-50 PROFIsafe............................................ 5-2, 13-7
EM 4/8 F-DI 24 VDC ................................ 9-39 address...................................... 5-1, 6-4, 13-7
address assignment ...................................5-1
Programming device ....................................13-6
P Proof-test interval ................. 6-5, 9-1, 9-23, 13-7
Protection class ............................................8-12
Parameter assignment................................. 13-5 Protective circuit
of F-modules .............................................. 4-1 external.......................................................8-6
Parameter assignment error .......................... 7-5 Protective conductor bus ................................3-3
EM 4 F-DO 24 VDC/2 A........................... 9-50 P-Switch ........................................See M-Switch
EM 4/8 F-DI 24 VDC ................................ 9-39 P-switch (current sourcing)................... 9-7, 9-48
PM-E F 24 VDC ....................................... 9-10 Pulse-shaped interference..............................8-5
Parameter length Purpose of this manual...................................1-1
of F-modules .............................................. 3-5 PWR LED .......................................................7-3
Parameters PM-E F 24 VDC..........................................9-9
EM 4 F-DO 24 VDC/2 A........................... 9-50
EM 4/8 F-DI 24 VDC ................................ 9-20
PM-E F 24 VDC ......................................... 9-9 R
static ........................................................ 13-9
Passivation .................................................. 13-6 Radio interference
channel-specific ....................................... 13-2 emission of .................................................8-9
of channels ................................................ 7-2 Reading out
PG............................... See Programming device diagnostic function......................................7-5
PM-E 24 VDC ................................................ 3-5 Redundancy .................................................13-7
PM-E 24 VDC/120/230 VAC .......................... 3-5 References
PM-E F 24 VDC ............................................. 3-5 additional ....................................................1-3
acknowledgment time .............................. 9-15 Relay output
block diagram............................................. 9-6 PM-E F 24 VDC..........................................9-7
Causes of faults and corrective Relays, two
measures ............................................. 9-10 on one digital output ......................... 9-8, 9-49
diagnostic functions .......................... 9-9, 9-10 Removing
fail-safe performance characteristics ....... 9-12 F-module ....................................................6-4
Fault types ................................................. 7-5 Requirement class (AK)
front view.................................................... 9-4 achievable ..................................................2-4
order number ............................................. 9-2 Requirements
parameters in STEP 7................................ 9-9 sensors and actuators ................................6-5
relay output ................................................ 9-7 Response time
technical specifications ............................ 9-12 effect of discrepancy time.........................9-22
terminal assignment................................... 9-4 of F-modules ............................................12-1
wiring diagram............................................ 9-7 Reversing starter ................................ 13-5, 13-8
Possible uses
F modules .................................................. 2-2
Power failure ride-through.............................. 6-3

Index-4 A5E00103686-01
Index
S Short-circuit test............................. 6-5, 7-3, 12-2

EM 4/8 F-DI 24 VDC .......................................
S7 distributed safety ..... 9-20, 9-21, 9-26, 9-29, 9-31, 9-34, 9-36,
optional package .................................2-4, 4-1 9-37, 9-39
S7-300F Shutdown
example configuration ................................2-3 safe............................................................ 3-5
Safe functional extra low voltage....................6-2 SIL ............................... See Safety integrity level
Safe shutdown................................................3-5 Sinusoidal interference .................................. 8-8
Safe state ...................................... 2-2, 7-1, 13-8 Slave diagnostics........................................... 7-3
Safety class ..................................................9-23 reading out................................................. 7-5
conditions for achieving with Standard operation ............................... 2-4, 13-9
EM 4 F-DO 24 VDC/2 A .......................9-44 Standards ...................................................... 8-4
conditions for achieving with Static parameters......................................... 13-9
EM 4/8 F-DI 24 VDC ...................9-16, 9-24 Storage conditions ......................................... 8-9
conditions for achieving with Supply voltage
PM-E F 24 VDC......................................9-2 EM 4 F-DO 24 VDC/2 A........................... 9-48
Safety class (AK)..........................................13-8 PM-E F 24 VDC ......................................... 9-7
achievable ...........................................2-4, 3-5 Supply voltage, failure of
Safety function ......................................2-4, 13-8 EM 4/8 F-DI 24 VDC ................................ 9-39
Safety integrity level .....................................13-8 PM-E F 24 VDC ......................................... 9-9
Safety message frame ........... 5-1, 5-2, 5-3, 13-8 Support .......................................................... 1-6
Safety mode .................................. 2-4, 5-1, 13-8 additional ................................................... 1-4
Safety note ...................................................13-9 Surge filter ..................................................... 8-6
Safety program...............................................5-3
Safety-related deactivation.............................7-5
Saving errors ..................................................7-2
T
Scope Technical specifications
Of this manual ............................................1-1 EM 4 F-DO 24 VDC/2 A........................... 9-53
Sensor EM 4/8 F-DI 24 VDC ................................ 9-41
1-channel .................................................9-22 general....................................................... 8-1
2-channel .................................................9-22 PM-E F 24 VDC ....................................... 9-12
non-equivalent..........................................9-37 Terminal assignment
Sensor evaluation................................13-1, 13-9 EM 4 F-DO 24 VDC/2 A........................... 9-46
EM 4/8 F-DI 24 VDC ........................................... EM 4/8 F-DI 24 VDC ................................ 9-18
.......... 9-20, 9-26, 9-29, 9-31, 9-34, 9-36, 9-37 PM-E F 24 VDC ......................................... 9-4
Sensor interconnection Terminal module ...3-3, 3-4, 9-4, 9-18, 9-46, 13-9
EM 4/8 F-DI 24 VDC .... 9-20, 9-31, 9-34, 9-37 Test voltages ............................................... 8-12
Sensor signal TM-E30C44-01 ................................... 9-18, 9-46
requirement for duration .............................6-5 TM-E30C46-A1................................... 9-18, 9-46
Sensor supply TM-E30S44-01 ................................... 9-18, 9-46
EM 4/8 F-DI 24 VDC ....................................... TM-E30S46-A1 ................................... 9-18, 9-46
........................ 9-25, 9-26, 9-27, 9-29, 9-35 TM-P30C44-A0.............................................. 9-4
internal .....................................................9-21 TM-P30S44-A0 .............................................. 9-4
Sensor voltage missing ..................................7-5 Total voltage
Sensors ........................................................13-9 per voltage group....................................... 3-6
externally supplied......................................6-2 Total width
requirements ..............................................6-5 ET 200S..................................................... 3-5
Service ...........................................................1-6 Training center............................................... 1-5
SF LED...........................................................7-3 Transport and storage conditions .................. 8-9
EM 4 F-DO 24 VDC/2 A ...........................9-45 TÜV certificate ............................................... 8-4
PM-E F 24 VDC...................................9-4, 9-9 Two-channel sensor .................................... 9-20
SFC 13 ...........................................................7-5
Short circuit ....................................................7-5
EM 4/8 F-DI 24 VDC ................................9-26 U
EM 4 F-DO 24 VDC/2 A ...........................9-50
UL approval ................................................... 8-3
EM 4/8 F-DI 24 VDC .......................9-29, 9-39
on outputs of standard DO modules...........9-3
PM-E F 24 VDC........................................9-10

A5E00103686-01 Index-5
Index
V EM 4 F-DO 24 VDC/2 A ................. 9-49, 9-50

PM-E F 24 VDC......................... 9-8, 9-9, 9-10
Voltage bus ....................................3-3, 9-2, 13-9 Wiring
Voltage group .......................3-2, 3-3, 3-5, 13-10 F-modules ..................................................6-3
maximum configuration.............................. 3-6 Wiring diagram
Voltages EM 4 F-DO 24 VDC/2 A ...........................9-48
nominal line.............................................. 8-12 EM 4/8 F-DI 24 VDC........................................
............... 9-25, 9-27, 9-30, 9-32, 9-36, 9-37
PM-E F 24 VDC..........................................9-7
W
Wire break

Index-6 A5E00103686-01
s
SIMATIC
Product Information A5E00167504-02
Edition 07/2003
Distributed I/O System ET 200S Manual,

Fail-safe Modules A5E00103686-01
This Product Information contains important information about the Documentation packages S7 F
Systems, 6ES7 988-8FA10-8BA0 and S7 Distributed Safety, 6ES7 988-8FB10-8BA0. The Product
Information is part of the product supplied and the information in it should be considered more
up-to-date if uncertainties arise.
Range of Validity
This product information represents a supplementary documentation to the manual Distributed I/O System
ET 200S, Fail-safe Modules, A5E00103686-01, as of Edition 03/2002.
The new fail-safe power module PM-D F DC24V PROFIsafe has been described thoroughly in this product
information.
Copyright  Siemens AG 2003

Subject to alteration
Copyright
Copyright  Siemens AG 2003 All rights reserved.
The reproduction, transmission or use of this document or its contents is not permitted without express written authority.
Offenders will be liable for damages. All rights, including rights created by patent grant or registration of a utility model or
design, are reserved.
Copyright  Siemens AG 2003 All rights reserved Disclaimer of Liability
The reproduction, transmission or use of this document or its We have checked the contents of this manual for agreement with
contents is not permitted without express written authority. the hardware and software described. Since deviations cannot be
Offenders will be liable for damages. All rights, including rights precluded entirely, we cannot guarantee full agreement. However,
created by patent grant or registration of a utility model or the data in this manual are reviewed regularly and any necessary
design, are reserved. corrections included in subsequent editions. Suggestions for
improvement are welcomed.
Siemens AG
Bereich Automation and Drives
Geschaeftsgebiet Industrial Automation Systems ©Siemens AG 2003
Postfach 4848, D- 90327 Nuernberg Technical data subject to change.
Siemens Aktiengesellschaft A5E00167504-02

1 Changes to the Distributed I/O System
ET 200S, Fail-safe Modules Manual
Assigning Power Modules to Electronic Modules
Refer to the following table as an update to Table 3-3 in Chapter 3.3 of the Manual
Distributed I/O System ET 200, Fail-safe Modules. This table describes how to
match power modules to electronic modules and their safety classes:
Table 1 Assigning Power Modules to Electronic Modules and Safety Classes
Power Refer to... Electronic Application and achievable

module modules/motor AK/SIL/Cat.
starter
PM-E F Chapter 9.2 Can be used for all Safe shutdown of DO AK4/
DC24V standard electronic modules from the SIL2/
PROFIsafe modules ET 200S range Cat.3
PM-E Manual Can be used for all Supplies F-DI and AK6/
DC24..48V ET 200S standard and fail-safe F-DO modules SIL3/
electronic modules Cat.4
PM-E Manual Can be used for all Supplies F-DI and AK6/
DC24..48V/ ET 200S standard and fail-safe F-DO modules SIL3/
AC24..230V electronic modules Cat.4
PM-E Manual Can be used for all Supplies F-DI- and AK4/
DC24V ET 200S standard and fail-safe F-DO modules SIL2/
electronic modules Cat.3
Safety Note
! Please note that for AK6/SIL3/Cat.4 it is not allowed to combine F-DI-/F-DO
modules and standard-DI-/DO-/FM modules in the same potential group.
You can combine F-DI-/F-DO modules and standard DI-/DO-/FM modules in a
potential group for AK4/SIL2/Cat.3.
Product Information for ET 200S Manual, Fail-safe Modules

A5E00167504-02 3
Passivation of Fail-safe Outputs over a Long Period of Time
Please observe the following safety note as an amendment to the Distributed I/O
System ET 200S, Fail-safe Module manual, Chapter 7.
It applies to all fail-safe power modules and F modules with fail-safe outputs.
Safety Note
! If an F module with fail-safe outputs is passivated over a long period of time
(> 100 h) without the error being corrected, the possibility of a second error
activating the F module unintentionally and putting the F system in a dangerous
state cannot be ruled out.
Although the probability of the occurrence of such hardware error is very low, an
unintentional activation of F modules with fail-safe outputs must be prevented via
circuit technique or organizational measures. One possibility is switching off the
power supply of the passivated f module within a period of times von z. B. 100 h.
The required measures are standardized for plants with product. For all other
plants, the plant operator has to develop his own concept for the necessary
measures to be taken and have them acknowledged by a certified expert.
External Suppression Circuit for ET 200S with Fail-safe Modules

Please refer to the following paragraph as an amendment to the paragraph
“External Suppression Circuit for ET 200S with Fail-safe Modules” in Chapter 8.3 of
the manual Distributed I/O System ET 200S, Fail-safe Module,:
Protecting the ET 200S with fail-safe modules against overvoltage
If your plant requires protection against overvoltage, we recommend an external
surge filter to guarantee surge withstand capability for the ET 200S with fail-safe
modules. The filter should be installed between the load voltage supply and the
load voltage input of the terminal module.
Note
Lightning protective measures always require individual consideration of the
entire plant. Relatively complete protection against overvoltage can only be
achieved when the entire surrounding building is designed for overvoltage
protection. Above all, this affects building features even in the design phase.
If you wish to inform yourself in depth about overvoltage protection, we
therefore recommend that you contact a Siemens representative or a
company specialized in lightning protection.

4 A5E00167504-02
Safety Parameters in Technical Specifications
Please observe the following safety note as an amendment to the Distributed I/O
System ET 200S, Fail-safe Modules manual, Chapter 9.1. It is valid for all the fail-
safe modules in the manual and the fail-safe power module PM-D F DC24V
PROFIsafe power module PM-D F DC24V PROFIsafe described below.
Safety Note
! The safety parameters in the technical specification are valid for a proof-test
interval of 10 years and a repair time of 100 hours.
Technical Specifications of the PM-E F DC24V PROFIsafe and

Technical Specifications of the EM 4 F-DO DC24V/2A PROFIsafe
Please refer to the following information as an amendment to Chapters 9.2 and 9.4
in the manual Distributed I/O System ET 200S, Fail-safe Module:
Connecting to capacitive loads:
When the electronic outputs of the PM-E F DC24V PROFIsafe and EM 4 F-DO
DC24V/2A PROFIsafe are connected to loads that require little electricity and
demonstrate capacity, a “Short-circuit” error message may appear. This is caused
by the fact that during the brief readback time of < 1 ms for the self-test, the
capacities cannot be discharged fast enough.

A5E00167504-01 5
The following graph shows the relationship between load resistance and
connectable load capacity using the EM 4 F-DO DC24V/2A PROFIsafe as an
example:
Capacitive load content in µF
1 0 0 .0
50
20
1 0 .0
5,0
2,0
1 .0
0,5
0, 3
0 .1
20 50 100 200 500 750 1000 1250 1500 1750 2000
Load c urrent in mA
Figure 1 Relationship between load resistance and connectable load capacity

(example with EM 4 F-DO DC24V/2A PROFIsafe)
Remedy:
1. Determine the load current and the capacity of the load.
2. Determine the working point in the graph above.
3. If the working point is above the curve, you must connect a resistor in parallel
to raise the resistance of the load current to bring it to a new working point
below the curve.

6 A5E00167504-02
Connecting to loads that are not earth-free
If connect the PM-E F DC24V PROFIsafe or EM 4 F-DO DC24V/2A PROFIsafe to
loads that have a connection between the chassis and the ground (e.g. to improve
the EMC characteristics) and the housing and ground are connected in the power
supply being used, a “short-circuit” will be detected.
From the view of the F module, the chassis-ground connection is bridged by the M
switch (see illustration below with an example for PM-E F DC24V PROFIsafe).
Remedy: The connection between chassis and ground may not be below a resistor
value of 100 KOhm for the load.
Ausgang-
s
PM-E F DC24V PROFIsafe EM 4 F-DO DC24V/2A PROFIsafe
P2
P24 P- switch Readback P-rail
Output
driver
Central
ground
point
M P1
Load
M M-switch 1P5
Readback M-rail
Figure 2 Relationship between load resistance and connectable load resistance (example with EM 4 F-
DO DC24V/2A PROFIsafe)

A5E00167504-02 7
Technical Specifications of the EM 4/8 F-DI DC24V PROFIsafe
Please refer to the following information as a correction to Chapter 9.3.6 of the
manual Distributed I/O System ET 200S, Fail-safe Module:
• The acknowledgement time in safety mode for an activated short-circuit test
and with a input delay time of 15 ms is at least 4 ms / max. 17 ms.
• Data for selecting a sensor (input delay): If there is a danger of overvoltage on
the lines, with a 3 ms input delay you must use shielded cables to avoid a
safety shutdown for the fail-safe digital inputs and the sensor supply!
Error Identification Time During Wire Break

Please observe the following specifications as an amendment to the technical
specification of the F module with wire-break identification, i.e., the PM-D F DC24V
PROFIsafe and the 4 F-DO DC24V/2A PROFIsafe electronics module:
The error identification time during a wire break is 15 min.
Safety-related Shutdown of Standard DO Modules

Please observe the following safety note and information as an amendment to the
Distributed I/O System ET 200S manual, Fail-safe Module, Chapter 9.2.
Safety Note
! The digital electronic module 4DO DC24V/0,5A (order no. 6ES7 132-4BD00-
0AA0) is the only standard ET 200S module released for the safety-related
shutdown according to SIL2.

8 A5E00167504-02
Safety Note
! Fail-safe activation of outputs of standard DO modules is not possible; rather,
only fail-safe deactivation is possible. Therefore, you have to take into
consideration the following effects which may arise:
In the event of a worst case, you have to reckon with all possible faults of the
standard DO modules and of the program that controls them for which there is no
direct error detection. For example, the PM-D F DC24V PROFIsafe does not
recognize any external short circuits to L+ at the outputs of the standard DO
modules .
All the faults of the standard DO modules affect the process via the actuator. The
process has to be made known via a sensor and a corresponding F-CPU safety
program.
The safety program must react logically and properly to unwanted or potentially
dangerous states of the process via the PM-D F DC24V PROFIsafe and the fail-
safe output modules.
If you want to avoid the errors described above entirely, we recommend you use
the P switch/M switch fail-safe electronics modules 4 F-DO DC24V/2A PROFIsafe
with standard ET 200S power modules (see Chapter 9.4 and table 3-3 in Chapter
3.3) instead of the standard DO modules.
Advantage and disadvantage of the safety-related shutdown of the standard
DO modules via the PM-D F DC24V PROFIsafe:
Advantage: inexpensive solution
Disadvantage: When an error is detected in the process or on the PM-D F DC24V
PROFIsafe, all the affected outputs are shutdown globally and simultaneously.
Advantage and disadvantage of the individual shutdown of the F modules
with fail-safe outputs:
Advantage: The scope of a shutdown is at a minimum when an error is detected. In
addition, critical processing states can be reacted to gradually or outputs can be
shutdown.
Disadvantage: expensive.

A5E00167504-02 9
The following figure replaces figure 9-5, in Chapter 9.2, of the Distributed I/O
System ET 200S manual, Fail-safe Module. The contacts C1 to C4 are normally
open contacts.
PM-E F DC24V EM DO1 EM DO2 EM DO3
P1 (P)
P1 P2
C1 C2 C3 C4
C1 C3
C2 C4
L+ M
Figure 3 Wiring Diagram for Each of Two Relays on DO 0 and DO 1 of the PM-D F 24 VDC PROFIsafe

10 A5E00167504-02
2 What is new?
Use in S7 F/FH systems

In combination with the optional package S7 F Systems, as of Version V 5.2, the
ET200S distributed I/O systems with fail-safe modules can be operated in fail-
safe S7 F/FH systems.
Fail-safe power module for fail-safe motor starter

The distributed I/O systems ET 200S support operation with the fail-safe power
modules
PM-D F DC24V PROFIsafe. The PM-D F DC24V PROFIsafe is used for switching
off fail/safe selectively via six fail-safe shutdown groups.
The PM-D F DC24V PROFIsafe is described in the following Chapters.
Interface module for ET 200S with fail-safe modules

The new interface module IM 151-7 F-CPU is now available for ET200S
Depending on the F system, select the interface module for ET 200S as follows:
Table 2 Use of interface modules with fail-safe modules in ET 200S
Interface module As of order no. Usable in ET 200S with As of

optional software package version
IM151-1 High Feature 6ES7 151-1BA00-0AB0 S7 Distributed Safety V 5.1
S7 F Systems V 5.2
IM 151-7 F-CPU 6ES7 151-7FA00-0AB0 S7 Distributed Safety V 5.2
Further information
The IM 151-7 F-CPU is described in a product information, part of the
documentation package S7 Distributed Safety.
The information in the following manuals applies to the implementation of ET 200S
with fail-safe modules in S7 F/FH systems:
• Distributed I/O System ET 200S, Fail-safe modules
• S7 F and S7 FH Systems

A5E00167504-02 11
3 Installation of ET 200S with PM-D F DC24V
PROFIsafe
Installation with fail-safe motor starters

Use a PM-D F DC24V PROFIsafe for the selective shutdown of:
• fail-safe motor starters (F-MS) F-DS1e-x, F-RS1e-x
• fail-safe contact replicators
• fail-safe power / expansion modules PM-D F X1.
PM-D F DC24V PROFIsafe cannot supply other motor starters
(e.g. DS1-x/RS1-x, DS1e-x/RS1e-x, DSS1e-x)!
Fail-safe motor starters can be expanded:
• up to safety class AK6/SIL3/Cat.4, with the expansion modules
Brake Control xB1, xB2
• up to safety class AK4/SIL2/Cat.3, with the expansion modules
Brake Control xB3, xB4
Example of an installation with fail-safe motor starters

The figure below shows an example of an ET 200S installation that contains two
fail-safe potential groups. The primary potential group contains fail-safe motor
starters and a contact replicator. This structure reaches safety class
AK6/SIL3/Cat.4.
1 2 3 4 5 6 7 8 Terminator Slot
IM 151-1 High
4/8 F-DI DC24V
4/8 F-DI DC24V
F-DS1 e-x F-RS1 e-x

4 F-DO DC24V
PM-E DC24V
PM-D F DC24V
Feature
PROFIsafe
F-CM
3~
M M
3~ 3~
Figure 4 Example of an ET 200S installation with fail-safe motor starters and contact replicator

12 A5E00167504-02
Further information on fail-safe motor starters
All interfaces and modules which the PM-D F DC24V PROFIsafe is able to supply
are described in the ET 200S Motor starters Manual.
This manual forms part of the documentation package ET 200S, order no.
6ES7 151-1AA00-8BA0.
Assigning power modules to motor starters

You can use the power modules and motor starters listed in the table below
together in a voltage group.
Note that certain combinations limit the achievable safety classes.
Table 3 Assigning power modules to electronic modules and to the safety class
Power Electronic Module/Motor Starter Use and Achievable

Module AK/SIL/Category
PM-D F usable only for: safe shutdown of AK6/SIL3/Categ
DC24V • the fail-safe motor starters (F-MS) motor starters ory 4
PROFIsafe F-DS1e-x, F-RS1e-x
• the F-CM contact replicator
• the power module / expansion module
PM-D F X1.
• expansion modules Brake Control xB1
and xB2
usable for the F motor starters mentioned safe shutdown of AK4/ SIL2/
above: motor starters Category 3
• Expansion modules Brake Control
xB3 and xB4
Parameter Length
The parameter length for a PM-D F DC24V PROFIsafe is 20 bytes.
Maximum Configuration per Voltage Group
Table 4 Maximum configuration per voltage group

Power Modules Maximum Current Number of Connectable Modules
Carrying Capacity
PM-D F DC24V 10 A briefly* The number of modules that can be connected
PROFIsafe 5 A continuous* depends on the total current of all modules in
the voltage group. The total sum of current
must not exceed 10 A.
* Reason: Power consumption of the F motor starters

U1 (Electronic power supply) SG (switching groups)
ON time (up to 200 ms) 0.15 A 0.25 A
Period (after 200 ms) 0.15 A 0.06 A

A5E00167504-02 13
4 Power module PM-D F DC24V PROFIsafe
Order Number
3RK1903-3BA00
Properties
The characteristics of the power module PM-D F DC24V PROFIsafe are as follows:
• 6 safety groups SG 1 to SG 6 (Safety Group)
• Output current of SG 1 ... SG 6 respectively: 3 A (accumulative current 6 A)
• Rated load voltage: 24 VDC per safety group
• suitable for the supply of:
- fail-safe motor starter F-DS1e-x, F-RS1e-x
- fail-safe contact replicators F-CM,
- fail-safe power modules / expansion modules PM-D F X1.
- Expansion modules Brake Control xB1, xB2, xB3 and xB4
• Group error message (SF; red LED)
• Status display for each safety group (SG1 to SG6; green LED)
• Status display for the load power supply (PWR; green LED)
• Status display for the electronic power supply (U1; green LED)
• maximum safety class AK6/SIL3/Cat.4
Note
Please observe the safety notes described in this Distributed I/O System
ET 200S manual, Fail-safe Module, which are also valid for all fail-safe modules
in general. They are also valid for the PM-D F DC24V PROFIsafe.

14 A5E00167504-02
Switching of the voltage bus bar SG 1 to SG 6 and U 1
The power module is capable of switching off the SG 1 to SG 6 bus bar via 6 digital
outputs, fail-safe according to safety class AK4/SIL2/Cat.3 or AK6/SIL3/Cat.4. The
outputs are switched by means of two P switches. There is one master switch for
all six safety groups, with six interconnected single switches for each safety group.
The U 1 bus bar (electronic power supply for the motor starters) is supplied with 24
VDC. In the event of overvoltage or low voltage U 1 is switched off by means of
two P switches, and the downstream motor starters will be disabled. The motor
starter will not be switched off in the event of a safety-off.
Conditions for Achieving Safety Class

The conditions for achieving the respective safety classes are summarized in the
following table.
Table 5 PM-D F DC24V PROFIsafe: Conditions for AK/SIL/Cat.
Condition Achievable
AK/SIL/Category
fail-safe motor starters will be expanded with the modules: AK4/ SIL2/ Category 3
• Brake Control xB3 and xB4
Power is supplied to: AK6/SIL3/Category 4
• fails-safe motor starters F-DS1e-x and
F-RS1e-x only,
• fail-safe contact replicators F-CM,
• fail-safe power modules / expansion modules PM-D F X1.
fail-safe motor starters will be expanded with the modules:
• Brake Control xB1 and xB2
Note
The safety classes AK4/SIL2/Cat.3 and AK6/SIL3/Cat.4 specified in the table
above can only be achieved with the modules specified in the "Condition" column.
Configuration with other modules (e. g. motor starters DS1-x/RS1x, DS1e-x/
RS1e-x, DSS1e-x) are not permissible for safety-related use.

A5E00167504-02 15
Front View
PM-D F
PROFIsafe
Display of group errors - red
Status display, load voltage Status display on each

supply - green safety group - green
Status display for the power supply

to the electronic circuit of the motor
starter - green
24 VDC 24 VDC
(Power supply)
M M
(Power supply)
Figure 5 Front View of PM-D F DC24V PROFIsafe
Safety Note
! The SF LED and the status displays of the outputs must not be evaluated for
safety relevant activities.

16 A5E00167504-02
Terminal Assignment
The PM-D F DC24V PROFIsafe should only be connected to the 24 VDC load
supply voltage and ground. The wiring for the power module is carried out on the
special terminal module.
The table below shows the terminal assignment of PM-D F DC24V PROFIsafe the
terminal module TM-PF30S47-F1 (order no. 3RK 1903-3AA00).
Table 6 terminal assignment of TM-PF30S47-F1
Terminal Designation
20 24 VDC Rated load voltage 24 VDC for: inserted power modules and
bus bar SG 1 to SG 6 and U 1
21 M Ground
27 24 VDC Rated load voltage 24 VDC for: inserted power modules and
bus bar SG 1 to SG 6 and U 1
28 M Ground
Block Diagram
Address switch ...SG1

P-switch ...SG2
...SG3
PWR ...SG4
RL ...SG5
Logic processing circuit
...SG6
M
SG_1...6
RL Backplane bus interface
RL
U1
5V SF
24 V
20.27 P24 U1
M
21.28 M24
Figure 6 Block diagram of the PM-D F DC24V PROFIsafe

A5E00167504-02 17
The following table shows the parameters you can set for the PM-D F DC24V
PROFIsafe power module.
Table 7 Parameters of PM-D F DC24V PROFIsafe

Setting Type Range
F-Parameter:
F-monitoring time 10 to 10.000 ms 10 ms Static Module
4.1 Diagnostic Functions of PM-D F DC24V PROFIsafe

Loss of the voltage supply of the PM-D F DC24V PROFIsafe is always indicated by
means of a PWR LED on the module (= off). (The switched off U1 LED of the
module indicates failure of the electronic power supply). This information is also
provided in the module (diagnostic entry). All safety groups of the module (SG 1 to
SG 6) will be disabled.
The PWR LED will be switched off in the event of a load voltage drop and the
affected safety modules will be disabled. This status is maintained after the voltage
level returns to normal. The PWR LED is not re-enabled until after you have
restarted the ET 200S (switch the power supply to the ET 200S off and on or
remove and reinsert the power module when the load voltage supply is switched
off. The safety modules will thus be re-enabled.
PM-D F DC24V PROFIsafe power module. The diagnostic functions are assigned
either to one channel or to the entire module.
Table 8 Diagnostic functions of the PM-D F DC24V PROFIsafe power module
Diagnostic function Fault/Err LED Effective Range Can be

or of Diagnostics assigned?
Number
Short circuit 1H SF Channel No
Excess temperature 5H SF Module No
Internal error 9H SF Module No
Parameter assignment error 10H SF Module No
Missing external auxiliary 11H PWR Module No
supply
Communication error 13H SF Module No

18 A5E00167504-02
Causes of Errors and Corrective Measures
The following table shows possible causes of error and the troubleshooting options
of the PM-D F DC24V PROFIsafe power module's diagnostic functions.
Table 9 Diagnostic functions of PM-D F DC24V PROFIsafe, causes of error, remedies
Diagnostic Error Possible Causes Corrective Measures

Function Detection
actuator Once the error is eliminated, the
Internal error Replace module
Excess Always Temperature limit in the Check the load circuit wiring and
temperature module housing is the ambient temperature
exceeded causing Once the error is eliminated, the
module to be module must be removed and
deactivated reinserted or powered off and on
Internal error Always Internal module error Replace module
has occurred
Parameter Always Inserted module does Correct the configuration
assignment not match configuration (compare actual and preset
error Faulty parameter configuration), and
assignment check communication paths
Correct the parameter assignment
wrong setting of the Verify that the PROFIsafe address
PROFIsafe address at the module corresponds with
switch the configuration in STEP 7 HW
Config
External Always No supply voltage or Check the contacting of the
auxiliary supply voltage is too low module
power supply Once the error is eliminated, the
missing module must be removed and
Communicati Always Error in communication Check the PROFIBUS connection
on error between F-CPU and Eliminate the interference
module due to defective
PROFIBUS connection
or higher than
permissible EMI, for
example
PROFIsafe watchdog Increase the "F watchdog time"
time too low parameter for the module in
STEP 7 HW Config

A5E00167504-02 19
Generally Information on Diagnostics
You will find information on the diagnostics related to all fail-safe modules (e. g. for
reading the diagnostic functions, for passivating the channels) in Chapter 7 of the
ET 200S manual, Fail-safe Module.
4.2 Technical Data of PM-D F DC24V PROFIsafe

Dimensions W x H x D (mm) 30 x 196,5 x 117,5
Weight Approx. 112 g
Number of outputs (P-M switching) 6 safety groups SG 1 to SG 6 (Safety
Group)
internal power supply to the bus bar U1
• In PII 5 bytes
• in PIQ 5 bytes
• In accordance with IEC 61508, DIN SIL3, AK6, Cat.4
VDE 0801, and EN 954
fail-safe performance characteristics SIL3
• Low demand mode (average probability << 1.00E-05
• High demand/continuous mode << 1.00E-10
hour)
• Permissible range 21.6 V to 26.4 V
• Power loss ride-through of L+ None
• Power loss ride-through of internal P5 5 ms
• Reverse polarity protection No
Aggregate current of outputs
• Horizontal installation briefly/continuous:
Up to 40°C 10 A/5 A
Up to 60°C 10 A/4 A
• Vertical installation briefly/continuous:
Up to 40°C 10 A/4 A
• Between channels and backplane bus Yes
• Between channels and power supply No
• Between channels No
• Between channels/power supply and Yes
shield

20 A5E00167504-02
• Shield and ET 200S bus connection 75 VDC/60 VAC
• Shielding and I/O (SGs, U1 bus bar) 75 VDC/60 VAC
• ET200S bus terminal and I/O (SGs, U1 250 VAC
bus bar)
• Shield and ET 200S bus connection 500 VDC/1 min or 600 VDC/1 s
• Shielding and I/O (SGs, U1 bus bar) 500 VDC/1 min or 600 VDC/1 s
• ET200S bus terminal and I/O (SGs, U1 1500 VAC/1 min or 2545 VDC/1 s
bus bar)
• Shield and ET 200S bus connection 350 VAC/1 min
• Shielding and I/O (SGs, U1 bus bar) 350 VAC/1 min
• ET200S bus terminal and I/O (SGs, U1 2830 VAC/1 min
bus bar)
• Surge current test between the ET 6000 VDC/5 positive and 5 negative pulses
200S bus terminal and the I/O (SGs, U1
bus bar)
Current consumption
• From backplane bus 28 mA, maximum
• From load voltage L+ (without load) typ. 100 mA
Power dissipation of the module typ. 4 W
Status display • Green LED on each SG
• Green LED for the power supply of the
electronic circuits
• Green LED for the load voltage
• Group error display Red LED (SF)
• Diagnostic information can be displayed Possible
Time, Frequency
Internal preparation times See Chapter 4.4
in accordance with IEC 61000-4-5 with
external protection elements only
• Symmetrical (L+ to M) + 1 kV; 1.2/50 µs
• Asymmetrical (L+ to FE, M to FE) + 2 kV; 1.2/50 µs

A5E00167504-02 21
4.3 Dimensional drawing: Terminal module with installed
PM-D F DC24V PROFIsafe
Figure 7 Terminal module with installed PM-D F DC24V PROFIsafe

22 A5E00167504-02
4.4 Response times of the PM-D F DC24V PROFIsafe module
Max. response time of the PM-D F DC24V PROFIsafe module
Table 10 PM-D F DC24V PROFIsafe: Internal processing times

Processing Time Tmin Processing Time Tmax
PM-D F DC24V PROFIsafe 3 ms, typical 9 ms
If no error has occurred, the maximum response time of the PM-D F DC24V
PROFIsafe is equivalent to the maximum internal processing time Tmax.
The max. response time of the PM-D F DC24V PROFIsafe to errors is equivalent
to the time required after an error has occurred.

A5E00167504-02 23
24 A5E00167504-02

ET200S FM e

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

ET200S FM e

Загружено:

Авторское право:

Доступные форматы

Contents

SIMATIC Product Overview 2

Manual Wiring and Fitting Modules 6

No. Designation Drawing number Version General Technical Specifications 8

Accessories and Order Numbers 11

Copyright © Siemens AG 2002 All rights reserved Disclaimer of Liability

5 Address Assignment and Installation

6 Wiring and Fitting Modules

8 General Technical Specifications

ET 200S Distributed I/O System Fail-Safe Modules

11 Accessories and Order Numbers

ET 200S Distributed I/O System Fail-Safe Modules

Purpose of this Manual

Basic Knowledge Requirements

Scope of this Manual

Module Order Number Release Number and

ET 200S Distributed I/O System Fail-Safe Modules

Position in the Information Landscape

System Documentation Package Order Number

ET 200S Distributed I/O System Fail-Safe Modules

This manual refers to the supplementary documentation as needed. Certain

Documentation Brief Description of Relevant Contents

ET 200S Distributed I/O System Fail-Safe Modules

ET 200S Distributed I/O System Fail-Safe Modules

SIMATIC Documentation on the Internet

ET 200S Distributed I/O System Fail-Safe Modules

Automation and Drives, Service & Support

Worldwide (Nuremberg) Worldwide (Nuremberg)

ET 200S Distributed I/O System Fail-Safe Modules

Service & Support on the Internet

ET 200S Distributed I/O System Fail-Safe Modules

ET 200S Distributed I/O System Fail-Safe Modules

ET 200S Distributed I/O System Fail-Safe Modules

2.2 Using ET 200S Fail-Safe Modules

What is a Fail-Safe Automation System?

What is the ET 200S Distributed I/O System?

What are Fail-Safe Modules?

Possible Uses of ET 200S with Fail-Safe Modules

ET 200S Distributed I/O System Fail-Safe Modules

F-System with ET 200S

Figure 2-1 S7-300F Fail-Safe Automation System

ET 200S Distributed I/O System Fail-Safe Modules

Which Fail-Safe Electronic modules are available?

Which Interface Modules Can Be Used in ET 200S with Fail-Safe Modules?

Use in Safety Mode

Achievable Safety Classes

Table 2-1 Achievable Safety Classes in Safety Mode

Safety Class in Safety Mode

ET 200S Distributed I/O System Fail-Safe Modules

2.3 Step-by-Step Guide to Commissioning ET 200S with

Steps from Selecting the F Modules to Commissioning ET 200S

Table 2-2 Steps from Selecting F Modules to Commissioning ET 200S

Step Procedure See ...

ET 200S Distributed I/O System Fail-Safe Modules

ET 200S Distributed I/O System Fail-Safe Modules

ET 200S Distributed I/O System Fail-Safe Modules

3.2 Configuring ET 200S with Fail-Safe Modules

Example Configuration of ET 200S with Fail-Safe Modules

ET 200S Fail-safe Standard Fail-safe Standard

IM151-1 PM F-DI F-DO PM AO AI DI DO FM PtP PM-E F AO AI DI DO FM PtP PM MS

Figure 3-1 Example Configuration of ET 200S with Fail-safe Modules

Configuration Rules for Fail-Safe Voltage Groups

ET 200S Distributed I/O System Fail-Safe Modules