HIMax Safety Manual (HI 801 003 E)


SAFETY

All HIMA products mentioned in this manual are protected by the HIMA trademark. Unless noted otherwise,
this also applies to other manufacturers and their respective products referred to herein.
HIMax®, HIMatrix®, SILworX®, XMR® and FlexSILon® are registered trademarks of
HIMA Paul Hildebrandt GmbH.
All of the instructions and technical specifications in this manual have been written with great care and
effective quality assurance measures have been implemented to ensure their validity. For questions, please
contact HIMA directly. HIMA appreciates any suggestion on which information should be included in the
manual.
Equipment subject to change without notice. HIMA also reserves the right to modify the written material
without prior notice.
For further information, refer to the HIMA DVD and our website at http://www.hima.de and
http://www.hima.com.

© Copyright 2015, HIMA Paul Hildebrandt GmbH


All rights reserved

Contact
HIMA contact details:
HIMA Paul Hildebrandt GmbH
P.O. Box 1261
68777 Brühl, Germany
Phone: +49 6202 709-0
Fax: +49 6202 709-107
E-mail: [email protected]

Revision index   Changes                                                        Type of change
                                                                                technical   editorial
5.02             New: Fire alarm systems                                        X           X
                 Reviewed: Code generation, maintenance work
6.00             Adjusted to HIMax V6/SILworX V6                                X           X
                 New: X-CPU 31, cyber security
                 Deleted: Fault reaction
7.00             Revised: HIMax V7/SILworX V7, cyber security, standards,       X           X
                 forcing of data sources, watchdog time, response time
                 Deleted: protection against manipulations
7.01             New: gas detectors                                             X           X
                 Changed: test conditions
HIMax Table of Contents

Table of Contents
1 Safety Manual 7
1.1 Validity and Current Version 7
1.2 Objectives of the Manual 7
1.3 Target Audience 8
1.4 Writing Conventions 8
1.4.1 Safety Notices 8
1.4.2 Operating Tips 9
2 Usage Notes for HIMax Systems 10
2.1 Intended Use 10
2.1.1 Scope 10
2.1.2 Environmental Conditions 10
2.2 Tasks of Operators and Machine and System Manufacturers 10
2.2.1 Connection of Communication Partners 10
2.2.2 Use of Safety-Related Communication 10
2.3 ESD Protective Measures 11
2.4 Additional System Documentation 11
3 Safety Concept for Using the PES 12
3.1 Safety and Availability 12
3.1.1 Calculating the PFD, PFH and SFF Values 12
3.1.2 Self-Test and Fault Diagnosis 12
3.1.3 PADT 13
3.1.4 Redundancy 13
3.1.5 Structuring Safety Systems in Accordance with the Energize-to-Trip Principle 13
3.2 Time Parameters Important for Safety 14
3.2.1 Process Safety Time 14
3.2.2 Resource Watchdog Time 14
3.2.3 Watchdog Time of the User Program 15
3.2.4 Safety Time of the Resource 16
3.2.5 User Program Safety Time 16
3.2.6 Response Time 16
3.3 Proof Test (in Accordance with IEC 61508) 16
3.3.1 Proof Test Execution 16
3.3.2 Frequency of Proof Tests 16
3.4 Safety Requirements 17
3.4.1 Hardware Configuration 17
3.4.2 Programming 17
3.4.3 Communication 18
3.4.4 Maintenance Work 18
3.4.5 Cyber Security for HIMax Systems 18
3.5 Certification 20
3.5.1 Test conditions 21
4 Processor Module 24
4.1 Self-Tests 24
4.2 Reactions to Faults in the Processor Module 24

4.3 Replacing Processor Modules 24


4.4 The X-CPU 01 Processor Module 25
4.5 The X-CPU 31 Processor Module 25
5 System Bus Module 26
5.1 Rack ID 26
5.2 Responsibility 26
6 Communication Module 29
7 Input Modules 30
7.1 General 30
7.2 Safety of Sensors, Encoders and Transmitters 30
7.3 Reaction in the Event of a Fault 31
7.4 Safety-Related Digital Inputs 31
7.4.1 Test Routines 31
7.4.2 Redundancy 31
7.4.3 Surges on Digital Inputs 31
7.5 Safety-Related Analog Inputs and Proximity Switch Inputs 31
7.5.1 Test Routines 31
7.5.2 Redundancy 31
7.5.3 State of LL, L, N, H, HH in X-AI 32 01 and X-AI 32 02 32
7.6 Safety-Related Counter Inputs 32
7.6.1 Test Routines 32
7.6.2 Important Information in Connection with the X-CI 24 01 Counter Module 32
7.6.3 Redundancy 32
7.7 Checklists for Inputs 32
8 Output Modules 34
8.1 General 34
8.2 Safety of Actuators 34
8.3 Reaction in the Event of a Fault 34
8.4 Safety-Related Digital Outputs 34
8.4.1 Test Routines for Digital Outputs 35
8.4.2 Output Noise Blanking 35
8.4.3 Behavior in the Event of External Short-Circuit or Overload 35
8.4.4 Redundancy 35
8.5 Safety-Related Relay Outputs 35
8.5.1 Test Routines for Relay Outputs 35
8.5.2 Redundancy 36
8.6 Safety-Related Analog Outputs 36
8.6.1 Test Routines for Analog Outputs 36
8.6.2 Output Noise Blanking 36
8.6.3 Behavior in the Event of External Open-Circuit 36
8.6.4 Important Information in Connection with the Analog X-AO 16 01 Output Module 36
8.6.5 Redundancy 37
8.7 Checklists for Outputs 37
9 Special I/O Modules 38

9.1 HART Module: X-HART 32 01 38


9.1.1 Safety Function 38
9.2 The HIMax Overspeed Trip Module X-MIO 7/6 01 38
9.2.1 Safety Function 38
9.2.2 Redundancy 38
10 Software 39
10.1 Safety-Related Aspects of the Operating System 39
10.2 Safety-Related Aspects of Programming 39
10.2.1 Safety Concept of SILworX 39
10.2.2 Verifying the Configuration and the User Program 40
10.3 Resource Parameters 40
10.3.1 System Parameters of the Resource 41
10.4 Forcing 45
10.4.1 Forcing of data sources 46
10.5 Safe Version Comparator 46
11 User Program 47
11.1 General Sequence 47
11.2 Scope for Safety-Related Use 47
11.2.1 Programming Basics 47
11.2.2 Functions of the User Program 48
11.2.3 System Parameters of the User Program 49
11.2.4 Code Generation 50
11.2.5 Loading and Starting the User Program 50
11.2.6 Reload 51
11.2.7 Online Test 52
11.2.8 Test Mode 52
11.2.9 Changing the System Parameters during Operation 52
11.2.10 Project Documentation for Safety-Related Applications 53
11.2.11 Multitasking 53
11.2.12 Factory Acceptance Test and Test Authority 54
11.3 Checklist for Creating a User Program 54
12 Communication Configuration 55
12.1 Standard Protocols 55
12.2 Safety-Related Protocol: safeethernet 55
12.3 Worst Case Reaction Time for safeethernet 56
12.3.1 Calculating the Worst Case Reaction Time of 2 HIMax controllers 56
12.3.2 Calculating the Worst Case Reaction Time with 1 HIMatrix Controller 57
12.3.3 Calculating the Worst Case Reaction Time with 2 HIMatrix Controllers or Remote I/Os 58
12.3.4 Calculating the Worst Case Reaction Time with 2 HIMax and 1 HIMatrix Controller 58
12.4 Safety-Related Protocol: PROFIsafe 59
13 Use in Fire Alarm Systems 60
14 Use as Safety, Controlling and Regulating Device with Gas Detector 62
Appendix 63

Glossary 63
Index of Figures 64
Index of Tables 65
Index 66

1 Safety Manual
This manual contains information on how to operate the HIMax safety-related automation device
in the intended manner.
The following conditions must be met to safely install and start up the HIMax automation
systems, and to ensure safety during their operation and maintenance:
Knowledge of regulations.
Proper technical implementation of the safety instructions detailed in this manual performed
by qualified personnel.

HIMA will not be held liable for severe personal injuries, damage to property or the environment
caused by any of the following:
Unqualified personnel working on or with the devices.
De-activation or bypassing of safety functions.
Failure to comply with the instructions detailed in this manual.

HIMA develops, manufactures and tests the HIMax automation systems in compliance with the
pertinent safety standards and regulations. The use of the devices is only allowed if the
following conditions are met:
They are only used for the intended applications.
They are only operated under the specified environmental conditions.
They are only operated in connection with the approved external devices.

To provide a clearer exposition, this manual does not specify all details of all versions of the
HIMax automation devices. Refer to the corresponding manuals for further details.

This safety manual represents the "Original instructions" as of Directive on Machinery (Directive
2006/42/EC).
The "Original documentation" for the HIMA system is written in German language. The
statements made in the German documentation shall apply.

1.1 Validity and Current Version


This safety manual (Rev. 7.01) applies when the following products are used:
HIMax operating system V7 and higher, and
SILworX V7 and higher

The most current version of this safety manual, which is indicated by the highest revision
number, is applicable and valid. The current version is available on the current HIMA DVD or
can be downloaded from the HIMA website at www.hima.com.
For details on how to use previous HIMax and SILworX versions, refer to the corresponding
previous versions of this manual.

1.2 Objectives of the Manual


This manual contains information on how to operate the HIMax safety-related automation device
in the intended manner. It provides an introduction to the safety concept of the HIMax system
and should increase the reader's safety awareness.
The safety manual is based on the contents of the certificate and of the test report for the
certificate.

1.3 Target Audience


This manual addresses system planners, configuration engineers, programmers of automation
devices and personnel authorized to start up, operate and maintain the devices and systems.
Specialized knowledge of safety-related automation systems is required.

1.4 Writing Conventions


To ensure improved readability and comprehensibility, the following writing conventions are
used in this document:
Bold           To highlight important parts; names of buttons, menu functions and tabs that
               can be clicked and used in SILworX.
Italics        Parameters and system variables.
Courier        Literal user inputs.
RUN            Operating states are designated by capitals.
Chapter 1.2.3  Cross-references are hyperlinks even if they are not particularly marked.
               When the cursor hovers over a hyperlink, it changes its shape. Click the
               hyperlink to jump to the corresponding position.

Safety notices and operating tips are particularly marked.

1.4.1 Safety Notices


The safety notices are represented as described below.
They must be strictly observed to ensure the lowest possible operating risk. The content is
structured as follows:
Signal word: warning, caution, notice
Type and source of risk
Consequences arising from non-observance
Risk prevention

SIGNAL WORD
Type and source of risk!
Consequences arising from non-observance
Risk prevention

The signal words have the following meanings:


Warning indicates hazardous situations which, if not avoided, could result in death or serious
injury.
Caution indicates a hazardous situation which, if not avoided, could result in minor or moderate
injury.
Notice indicates a hazardous situation which, if not avoided, could result in property damage.

NOTICE
Type and source of damage!
Damage prevention

1.4.2 Operating Tips


Additional information is structured as presented in the following example:

i The text corresponding to the additional information is located here.

Useful tips and tricks appear as follows:

TIP The tip text is located here.



2 Usage Notes for HIMax Systems


All safety information, notes and instructions specified in this manual must be strictly observed.
The product may only be used if all guidelines and safety instructions are adhered to.

2.1 Intended Use


This chapter describes the conditions for using HIMax systems.

2.1.1 Scope
The safety-related HIMax controllers are certified for use in process controllers, protective
systems, burner systems and machine controllers.
Redundant operation of HIMax modules does not preclude simultaneous operation of other non-
redundant modules.
2.1.1.1 Application in Accordance with the De-Energize-to-Trip Principle
The automation devices have been designed in accordance with the de-energize-to-trip
principle.
If a fault occurs, a system operating in accordance with the de-energize-to-trip principle enters
the de-energized state to perform its safety function.
2.1.1.2 Application in Accordance with the Energize-to-Trip Principle
The HIMax controllers can be used in applications that operate in accordance with the energize-
to-trip principle.
A system operating in accordance with the energize-to-trip principle switches on, for instance,
an actuator to perform its safety function.
When designing the controller system, the requirements specified in the application standards
must be taken into account. For instance, line diagnosis for inputs and outputs or message
reporting a triggered safety function may be required.
2.1.1.3 Use in Fire Alarm Systems
All HIMax systems with analog inputs are tested and certified for use in fire alarm systems in
accordance with DIN EN 54-2 and NFPA 72.

2.1.2 Environmental Conditions


All the environmental conditions specified in this manual must be observed when operating the
HIMax system. For more details on the type of condition, refer to the product data.

2.2 Tasks of Operators and Machine and System Manufacturers


Operators as well as machine and system manufacturers are responsible for ensuring that
HIMax systems are safely operated in automated systems and plants.
Machine and system manufacturers must sufficiently validate that the HIMax systems were
properly programmed.

2.2.1 Connection of Communication Partners


Only devices with safe electrical separation may be connected to the communications
interfaces.

2.2.2 Use of Safety-Related Communication


When implementing safety-related communications between various devices, ensure that the
overall response time does not exceed the process safety time. All calculations must be
performed in accordance with the rules given in Chapter 12.

2.3 ESD Protective Measures


Only personnel with knowledge of ESD protective measures may modify or extend the system
or replace a module.

NOTICE
Electrostatic discharge can damage the electronic components within the controllers!
When performing the work, make sure that the workspace is free of static, and wear
an ESD wrist strap.
If not used, ensure that the module is protected from electrostatic discharge, e.g., by
storing it in its packaging.
Only personnel with knowledge of ESD protective measures may modify or extend the
system wiring.

2.4 Additional System Documentation


In addition to this manual, the following documents for configuring HIMax systems are also
available:
Name                        Content                                                  Document no.
HIMax System Manual         Hardware description of the modular system               HI 801 001 E
Certificate                 Test result
Version list                Versions of the operating systems certified by TÜV
Manuals for the Components  Description of the individual components
Communication Manual        safeethernet and standard protocols                      HI 801 101 E
SILworX First Steps Manual  Use of SILworX for engineering, starting up, testing     HI 801 103 E
                            and operating the HIMA systems
SILworX Online Help         Instructions on how to use SILworX
Table 1: Overview of the System Documentation

The documents are available as PDF files on HIMA website at www.hima.com (except for the
SILworX online help).

3 Safety Concept for Using the PES


This chapter contains important general information on the functional safety of HIMax systems.
Safety and availability
Time parameters important for safety
Proof test
Safety requirements
Certification

3.1 Safety and Availability

No imminent danger results from the HIMax systems.

WARNING
Possible physical injury caused by safety-related automation systems improperly
connected or programmed.
Check all connections and test the entire system for compliance with the specified
safety requirements before start-up!

HIMA strongly recommends replacing failed modules as soon as possible.


A replacement module that is used instead of a failed one starts operation with no operator
action. It adopts the function of the failed module, provided that it is of the same type or is an
approved replacement model.

3.1.1 Calculating the PFD, PFH and SFF Values


The PFD, PFH and SFF values have been calculated for the HIMax systems in accordance with
IEC 61508.
The PFD, PFH and SFF values are provided by HIMA upon request.
A proof test interval of 10 years has been defined for the HIMax systems (offline proof test, see
IEC 61508-4, Paragraph 3.8.5).
The safety functions, consisting of a safety-related loop (input, processing unit, output and
safety communication among HIMA systems), meet the requirements described above in all
combinations.

3.1.2 Self-Test and Fault Diagnosis


The operating system of the modules executes several self-tests at start-up and during
operation. The following components are tested:
Processors
Memory areas (RAM, NVRAM)
Watchdog
Connections between modules
Individual channels of the I/O modules
If faults are detected during these tests, the defective module or the defective channel of the I/O
module is switched off. If the tests detect a module fault while starting up the module, the
module does not begin to operate.
In non-redundant systems, this means that sub-functions or even the entire PES is shut down. If
a fault is detected in a redundant system, the redundant module or redundant channel assumes
the function to be performed.

All HIMax modules are equipped with LEDs to indicate that faults have been detected. This
allows the user to quickly diagnose faults detected in a module or the external wiring.
Additionally, the user program can evaluate various system variables displaying the module
status.
Extensive diagnostics of the system performance and detected faults are stored in the
diagnostic memory of the processor module or other modules. The diagnostics can also be read
after a system fault using the PADT.
For more information on how to evaluate diagnostic messages, see Chapter Diagnosis in the
system manual (HI 801 001 E).
For a very small number of component failures that do not affect safety, the HIMax system does
not provide any diagnostic information.

3.1.3 PADT
Using the PADT, the user creates the program and configures the controller. The safety concept
of the PADT supports the user in the proper implementation of the control task. The PADT
implements numerous measures to check the entered information.

3.1.4 Redundancy
To improve availability, all parts of the system containing active components can be set up
redundantly and, if necessary, replaced while the system is operating.
Redundancy does not impair safety. SIL 3 is still guaranteed even if system components are
used redundantly.

3.1.5 Structuring Safety Systems in Accordance with the Energize-to-Trip Principle


Safety systems operating in accordance with the energize-to-trip principle have the following
function:
1. The safe state of a module is the de-energized state. This state is adopted, for instance, if a
fault has occurred in the module.
2. The controller can trigger the safety function on demand by switching on an actuator.

3.1.5.1 Detection of Failed System Components


Thanks to the automatic diagnostic function, the safety system is able to detect that modules
have failed.

3.1.5.2 Safety Function in Accordance with the Energize-To-Trip Principle


The safety function is performed when the safety system energizes one or several actuators,
thus ensuring that the safe state is adopted.
The user must plan the following actions:
If I/O modules are used, redundancy groups must be configured.
Line monitoring (short-circuits and open-circuits) with input and output modules.
These must be configured accordingly.
The operation of the actuators can be monitored through a position feedback.

3.1.5.3 Redundancy of Components


It may be necessary to structure the components redundantly, refer to the system manual
(HI 801 001 E) for further details:
Power supply of the controller.
HIMax modules.
Sensors and actuators.

If redundancy is lost, the controller must be repaired as soon as possible.


It is not required to design the safety system modules redundantly if, in the event of a safety
system failure, the required safety level can otherwise be achieved, e.g., by implementing
organizational measures.

3.2 Time Parameters Important for Safety


Time parameters important for safety are:
Process Safety Time
Watchdog Time
Safety Time
Response Time

3.2.1 Process Safety Time


The process safety time is a property of the process and describes the time interval during
which the process allows faulty signals to exist before the system state becomes dangerous.
A safety-related response of the HIMax PES including all delays due to sensors, actuators, input
and output modules must occur within the process safety time.

3.2.2 Resource Watchdog Time


The watchdog time is preset in SILworX in the dialog box for configuring the resource
properties. This time is the maximum permissible duration of a RUN cycle (cycle time). If the
cycle time exceeds the preset watchdog time, the processor module enters the ERROR STOP
state.
When determining the watchdog time, the following factors must be taken into account:
Time required by the application, i.e., the duration of one user program cycle.
Time required for process data communication.
Time required to synchronize the redundant processor modules.
Time internally required to perform a reload.
The setting range for the watchdog time of the resource is 6 ms to a maximum of 7 500 ms.
The default setting is 200 ms.
The following must apply for the watchdog time: watchdog time ≤ ½ * safety time

3.2.2.1 Estimation of the Watchdog Time


To ensure sufficient availability, HIMA strongly recommends the following setting:
2 * watchdog time + max. CPU cycle time + 2 * I/O cycle time ≤ safety time
Replace a redundant processor module to measure the maximum cycle time in the actual
application. Enter the determined maximum cycle time into the above formula.
If no reliable assessment of the max. CPU cycle time can be made, set the watchdog time such
that:
3 * watchdog time + 2 * I/O cycle time ≤ safety time
The I/O cycle time is equal to 2 ms.

3.2.2.2 Precisely Determining the Watchdog Time


For time-critical applications or very large systems, it may be necessary to precisely determine
the watchdog time.
The watchdog time for a project is precisely determined by performing a test on the entire
system. During the test, all the modules are inserted in the rack. The system operates in RUN
mode with full load.
All communication links are operating (safeethernet and standard protocols).

To determine the watchdog time


1. Set the watchdog time high for testing.
2. Operate the system under full load. In the process, all communication connections must be
operating both via safeethernet and standard protocols. Frequently read the cycle time in
the Control Panel and note down the variations or load peaks of the cycle time.
3. In succession, remove and reinsert every processor module in the base plate. Before
removing a processor module, wait until the processor module that has just been inserted
is synchronized.

i When a processor module is inserted in the base plate, it automatically synchronizes itself with
the configuration of the existing processor modules. The time required for the synchronization
process extends the controller cycle up to the maximum cycle time.
The synchronization time increases with the number of processor modules that have already
been synchronized.
For more information on how to insert and remove a processor module, refer to the X-CPU 01
manual (HI 801 009 E), or to the X-CPU 31 manual (HI 801 355 E).

4. In the diagnostic history for the non-synchronized module, read the synchronization time
from n to n+1 processor modules in every synchronization process and note it down. The
greatest synchronization time value is used to determine the watchdog time.
5. Calculate the watchdog time TWD using the following equation:
TWD = TSync + TMarg + TCom + TConfig + TLatency + TPeak
where
TSync      Time determined for the processor module's synchronization
TMarg      Safety margin, 12 ms
TCom       The configured system parameter Max. Com. Time Slice ASYNC [ms]. Use the Control
           Panel to determine the current value; refer to the communication manual
           (HI 801 101 E) for details.
TConfig    The configured system parameter Max. Duration of Configuration Connections [ms];
           refer to Chapter 10.3.1.2 for further details.
TLatency   The configured system parameter Maximum System Bus Latency [µs] * 4
TPeak      Observed load peaks of the user programs
► A suitable value can thus be determined for the watchdog time.

TIP The configured watchdog time can be used as maximum cycle time in the safeethernet
configuration, see communication manual (HI 801 101 E).
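As an added worked example (not from HIMA or this manual), the following Python checks a resource watchdog setting against the rules of Sections 3.2.2 and 3.2.2.1 and evaluates the TWD equation of Section 3.2.2.2. The function names, the sample values and the conversion of the microsecond TLatency term into milliseconds are assumptions.

```python
"""Watchdog-time checks for a HIMax resource, following the rules quoted in
Sections 3.2.2, 3.2.2.1 and 3.2.2.2 of the safety manual.  Added example,
not HIMA code.  All times are in milliseconds unless the name says otherwise."""
import math

# Limits and constants stated in the manual (Sections 3.2.2, 3.2.2.1, 3.2.4).
WD_MIN_MS = 6          # smallest configurable resource watchdog time
WD_MAX_MS = 7500       # largest configurable resource watchdog time
ST_MIN_MS = 20         # smallest configurable resource safety time
ST_MAX_MS = 22500      # largest configurable resource safety time
IO_CYCLE_MS = 2        # I/O cycle time given in Section 3.2.2.1
T_MARG_MS = 12         # safety margin T_Marg from Section 3.2.2.2


def check_watchdog(watchdog_ms, safety_time_ms, max_cpu_cycle_ms=None):
    """Return the list of violated rules; an empty list means the setting is
    acceptable.  If the maximum CPU cycle time could not be measured, pass
    None and the fallback estimate 3 * WD + 2 * IO <= ST is applied."""
    problems = []
    if not WD_MIN_MS <= watchdog_ms <= WD_MAX_MS:
        problems.append("watchdog time outside the range 6 ms to 7 500 ms")
    if not ST_MIN_MS <= safety_time_ms <= ST_MAX_MS:
        problems.append("safety time outside the range 20 ms to 22 500 ms")
    if watchdog_ms > safety_time_ms / 2:
        problems.append("watchdog time > 1/2 * safety time")
    if max_cpu_cycle_ms is None:
        if 3 * watchdog_ms + 2 * IO_CYCLE_MS > safety_time_ms:
            problems.append("3 * WD + 2 * IO cycle time exceeds safety time")
    elif 2 * watchdog_ms + max_cpu_cycle_ms + 2 * IO_CYCLE_MS > safety_time_ms:
        problems.append("2 * WD + max CPU cycle + 2 * IO cycle time exceeds safety time")
    return problems


def max_watchdog_ms(safety_time_ms, max_cpu_cycle_ms=None):
    """Largest whole-millisecond watchdog time that satisfies every rule in
    check_watchdog(), or None if no value in the configurable range does."""
    by_half_rule = safety_time_ms / 2
    if max_cpu_cycle_ms is None:
        by_estimate = (safety_time_ms - 2 * IO_CYCLE_MS) / 3
    else:
        by_estimate = (safety_time_ms - max_cpu_cycle_ms - 2 * IO_CYCLE_MS) / 2
    candidate = math.floor(min(by_half_rule, by_estimate, WD_MAX_MS))
    if candidate < WD_MIN_MS:
        return None
    return candidate


def precise_watchdog_ms(t_sync_ms, t_com_ms, t_config_ms, max_bus_latency_us, t_peak_ms):
    """TWD = TSync + TMarg + TCom + TConfig + TLatency + TPeak (Section 3.2.2.2).
    TLatency is 'Maximum System Bus Latency [us] * 4'; converting that
    microsecond term into milliseconds is an assumption of this example."""
    t_latency_ms = max_bus_latency_us * 4 / 1000
    return t_sync_ms + T_MARG_MS + t_com_ms + t_config_ms + t_latency_ms + t_peak_ms


if __name__ == "__main__":
    # Constructed sample values, not taken from any real installation.
    print(check_watchdog(200, 1000, max_cpu_cycle_ms=100))  # [] : default 200 ms is fine here
    print(max_watchdog_ms(1000, max_cpu_cycle_ms=100))      # 448
    print(max_watchdog_ms(20))                              # None: minimum safety time leaves no room
    print(precise_watchdog_ms(150, 50, 30, 500, 20))        # 264.0
```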

3.2.3 Watchdog Time of the User Program


Each user program has its own watchdog and watchdog time.
The watchdog time for the user program cannot be set directly. To calculate the watchdog time
for a user program, HIMax uses the resource-specific parameter Watchdog Time [ms] and the
parameter Program's Maximum Number of CPU Cycles. Refer to Chapter 11.2.3 and Chapter
11.2.11 for more details.

Make sure that the calculated watchdog time is not greater than the response time required for
the process portion processed by the user program.

3.2.4 Safety Time of the Resource


The safety time of the resource is the maximum permissible time within which the resource must
react to a demand. Demands are:
Changes in the process input signals.
Faults occurring in the resource.

The HIMax system responds to faults that may result in a safety-critical operating state within
the configured safety time of the resource. It triggers predefined fault reactions that bring the
faulty parts to the safe state. The prerequisites are:
No input signal delay, caused by delay elements configured in the input modules (T on,
T off).
No delay within the user program.
User program response within one PES cycle.

The following factors prolong the safety time of the resource and must be taken into account:
Physical delays at the inputs and outputs, e.g., the switching times of relays.
Delays of output signals due to output noise blanking, see Chapter 8.4.2.

In HIMax resources, the safety time can be set anywhere in the range 20...22 500 ms.

3.2.5 User Program Safety Time


The safety time for the user program cannot be set. To calculate it, HIMax uses the parameters
Safety Time of the resource and Maximum Number of Cycles. Refer to Chapter 11.2.3 and
Chapter 11.2.11 for more details.

3.2.6 Response Time


Assuming that no delay results from the configuration or the user program logic, the response
time of HIMax controllers running in cycles is twice the system cycle time.

3.3 Proof Test (in Accordance with IEC 61508)


A proof test is a periodic test performed to detect any hidden faults in a safety-related system so
that, if necessary, the system can be restored to a state where it can perform its intended
function.
HIMA safety systems must be subject to a proof test in intervals of 10 years.
This interval can often be extended by calculating and analyzing the implemented safety loops.

3.3.1 Proof Test Execution


The execution of the proof test depends on how the system (EUC = equipment under control) is
configured, its intrinsic risk potential and the standards applicable to the equipment operation
and required for approval by the responsible test authority.
According to IEC 61508 1-7, IEC 61511 1-3, IEC 62061 and VDI/VDE 2180 sheets 1 to 4, the
operator of the safety-related systems is responsible for performing the proof tests.

3.3.2 Frequency of Proof Tests


The HIMA PES can be proof tested by testing the entire safety loop.

In practice, shorter proof test intervals are required for the input and output field devices (e.g.,
every 6 or 12 months) than for the HIMax controller. Testing the entire safety loop together with
a field device automatically includes the test of the HIMax controller. There is therefore no need
to perform additional proof tests of the HIMax controller.
If the proof test of the field devices does not include the HIMax controller, the HIMax controller
must be tested for SIL 3 at least once every 10 years. This can be achieved by restarting the
HIMax controller.

3.4 Safety Requirements


The safety requirements specified below must be met when using the safety-related PES of the
HIMax system.

3.4.1 Hardware Configuration


Personnel configuring the HIMax hardware must observe the safety requirements specified
below.

Product-Independent Requirements
To ensure safety-related operation, only approved safety-related hardware modules and
software components may be used. The approved hardware modules and software
components are specified in the Version List of Modules and Firmware for HIMax Systems
from HIMA Paul Hildebrandt GmbH. The latest versions can be found in the version list
maintained together with the test authority.
The operating requirements specified in this safety manual (see Chapter 2.1.2) about EMC,
mechanical, chemical, climatic influences must be observed.

Product-Dependent Requirements
Only devices that are safely separated from the power supply may be connected to the
system.
The operating requirements detailed in the system manual, particularly those concerning
supply voltage and ventilation, must be observed.
Only safety-related modules may be used to process safety-related tasks.
Only power supply units of type PELV or SELV may be used for power supply. The provided
supply voltage must be ≤ 35 V even if a fault occurs!

3.4.2 Programming
Personnel developing user programs must observe the safety requirements specified below.

Product-Independent Requirements
In safety-related applications, proper configuration of the safety-relevant system parameters
must be ensured.
In particular, this applies to the system configuration, maximum cycle time and safety time.

Requirements for Using the Programming Tool


SILworX must be used for programming.
The proper implementation of the application specifications must be validated,
verified and documented. A complete test of the logic must be performed by trial.
If the user program is changed, test at least all the parts of the logic concerned by the
changes.
The system response to faults in the safe input and output modules must be defined in the
configuration in accordance with the system-specific safety-related conditions. Examples:
- Fault reaction in the user program.
- Configuration of safe initial values for variables.

3.4.3 Communication
When implementing safety-related communications between the various devices, ensure
that the system's overall response time does not exceed the process safety time. All
calculations must be performed in accordance with the rules given in Chapter 12.2.
During the transfer of (safety-related) data, IT security rules must be observed.
The transfer of safety-relevant data through public networks like the Internet is only permitted
if additional security measures such as VPN tunnel or firewall have been implemented.
If data is transferred through company-internal networks, administrative or technical
measures must be implemented to ensure sufficient protection against manipulation (e.g.,
using a firewall to separate the safety-relevant components of the network from other
networks).
Never use the standard protocols to transfer safety-related data.
Only devices with safe electrical separation may be connected to the communication
interfaces.

3.4.4 Maintenance Work


Operators are responsible for ensuring proper maintenance work. They must take the required
measures to guarantee safe operation during maintenance.
Whenever necessary, the operator must consult with the test authority responsible for the
factory acceptance test (FAT) and define administrative measures appropriate for regulating
access to the systems.

3.4.5 Cyber Security for HIMax Systems


Industrial controllers must be protected against IT-specific problem sources. Those problem
sources are:
- Attackers inside and outside of the customer's plant
- Operating failures
- Software failures

A HIMax installation consists of the following parts to be protected:
- HIMax PES
- PADT
- OPC server: X-OPC DA, X-OPC AE (optional)
- Communication connections to external systems (optional)
With its basic settings, a HIMax system already fulfills the requirements for cyber
security. The relevant modules were tested by the Canadian company Wurldtech Security
Technologies Ind. in accordance with Achilles Level I.
Protective mechanisms for preventing unintentional or unapproved modifications to the safety
system are integrated into the PES and the programming tool:
- Each change to the user program or configuration results in a new configuration CRC.
- The operating options depend on the rights of the user logged into the PES.
- The programming tool prompts the user to enter a password in order to log in to the PES.
- PES data can only be accessed if the PADT is operating with the current version of the user
  project (archive maintenance!).
- A connection between the PADT and PES is not required in RUN and can be interrupted. The
  PADT can be briefly connected for maintenance work or diagnostic tasks.
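As an added illustration of the configuration-CRC mechanism listed above (example code written for this page, not HIMA's or SILworX's implementation): a CRC is computed over a serialized configuration, compared with the CRC recorded in the acceptance documentation, and the changed parameters are listed once a mismatch is found. The CRC-32 algorithm, the key=value serialization and all parameter values are assumptions; the PES computes its own configuration CRC.

```python
"""Configuration-CRC change detection, modelled on the protective mechanism described above.

Added example, not HIMA code: the CRC algorithm (CRC-32 via zlib) and the key=value
serialization are assumptions; the real PES computes its own configuration CRC.
"""
import zlib


def config_crc(config: bytes) -> int:
    """CRC-32 over the serialized configuration. Any changed byte yields a new CRC
    (with overwhelming probability), which is what makes the value usable as a
    change indicator. Assumption: HIMax's actual polynomial is not documented here."""
    return zlib.crc32(config) & 0xFFFFFFFF


# Constructed sample: a resource configuration as it might be serialized for the CRC.
# The keys mirror parameters named in this manual; the values are made up.
APPROVED_CONFIG = (
    b"resource=R01\n"
    b"safety_time_ms=500\n"
    b"watchdog_time_ms=250\n"
    b"autostart=ON\n"
)

# The CRC recorded in the acceptance documentation (FAT) for the approved version.
APPROVED_CRC = config_crc(APPROVED_CONFIG)


def audit_configuration(current_config: bytes, approved_crc: int) -> dict:
    """Compare the CRC of the configuration currently loaded with the approved CRC.

    A mismatch means the user program or configuration differs from the accepted
    version; it does not say whether the change was authorized, so the archived
    project (see "archive maintenance") is needed to find out what changed.
    """
    crc = config_crc(current_config)
    return {"crc": f"0x{crc:08X}", "matches_approved": crc == approved_crc}


def config_diff(approved: bytes, current: bytes) -> dict:
    """Line-wise difference between the archived and the loaded configuration."""
    approved_lines = set(approved.decode().splitlines())
    current_lines = set(current.decode().splitlines())
    return {
        "added": sorted(current_lines - approved_lines),
        "removed": sorted(approved_lines - current_lines),
    }


if __name__ == "__main__":
    # Someone sets Autostart to OFF without going through change management.
    modified = APPROVED_CONFIG.replace(b"autostart=ON", b"autostart=OFF")
    print(audit_configuration(APPROVED_CONFIG, APPROVED_CRC))
    print(audit_configuration(modified, APPROVED_CRC))
    print(config_diff(APPROVED_CONFIG, modified))
```

The CRC only flags that the loaded configuration differs from the approved one; it cannot tell whether the change was authorized and it is not a cryptographic authenticator, which is why the login, password and physical-access measures described in this section remain necessary alongside it.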

All requirements about protection against manipulation specified in the safety and application
standards must be met. The operator is responsible for authorizing employees and
implementing the required protective actions.

WARNING
Physical injury possible due to unauthorized manipulation of the controller!
The controller must be protected against unauthorized access!
For instance:
- Change the default settings for login and password!
- Control the physical access to the controller and PADT!

Careful planning should identify the measures to be taken. The required measures are only to be
taken after the risk analysis is completed. Such measures are, for example:
- Meaningful allocation of user groups.
- Maintained network maps help ensure that secure networks are permanently separated
  from public networks and that, if required, only a well-defined connection exists (e.g., via a
  firewall or a DMZ).
- Use of appropriate passwords.
- A periodical review of the security measures is recommended, e.g., every year.
The user is responsible for implementing the necessary measures in a way suitable for
the plant!
For more details, refer to the HIMA cyber security manual (HI 802 373 E).

3.5 Certification
HIMA safety-related automation devices (programmable electronic systems, PES) of the HIMax
system have been tested and certified by TÜV for functional safety in accordance with the
standards listed below:

TÜV Rheinland Industrie Service GmbH


Automation, Software und Informationstechnologie
Am Grauen Stein
51105 Köln

Certificate and test report


safety-related automation devices HIMax
Intended use: "Safety-related programmable electronic system for process control, burner
management (BMS), emergency shutdown and machinery, where the demanded safe state is
the de-energized state.
Applications, where the demand state is the de-energized or energized state".
International standards:
EN / IEC 61508, Parts 1-7: 2010 SIL 3
EN / IEC 61511, Parts 1-3: 2004 SIL 3
EN / ISO 13849-1: 2008 + AC:2009 Performance level e
EN / IEC 62061: 2005 + AC:2010 + A1:2013 SIL CL 3
EN 50156-1: 2004 SIL 3
EN 12067-2: 2004
EN 298: 2012
EN 230: 2005
EN 60079-29-1: 2007
EN 50495: 2010
NFPA 85: 2011
NFPA 86: 2011
EN / IEC 61131-2: 2007
IEC 61326-3-1:2008
EN 54-2: 1997 + AC:1999 + A1:2006
NFPA 72: 2013

The following chapter contains a detailed list of all environmental and EMC tests performed.
All devices have received the mark of conformity.

To program the HIMax devices, a PADT is required, which is a PC running SILworX.


This software helps the user operate the automation devices and create safety-related
programs using function block diagrams (FBD) and sequential function charts (SFC) in
accordance with IEC 61131-3. Refer to the SILworX online help and SILworX first steps manual
(HI 801 103 E) for further details.

3.5.1 Test conditions


The devices have been tested to meet the climatic, environmental and EMC requirements of the
following standards:
Standard | Content
IEC/EN 61131-2 | Programmable controllers, Part 2: Equipment requirements and tests
IEC/EN 61000-6-2 | EMC, Generic standards, Part 6-2: Immunity for industrial environments
IEC/EN 61000-6-4 | Electromagnetic Compatibility (EMC), Generic standards: Emission standard for industrial environments
EN 298 | Automatic burner control systems for burners and appliances burning gaseous or liquid fuels
EN 61326-1 | Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 1: General requirements
EN 61326-3-1 | Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety) - General industrial applications
EN 54-2 | Fire alarm systems
Table 2: Standards for EMC, Climatic and Environmental Requirements

When using the safety-related HIMax control systems, the following general conditions must be
met:
Condition type | Condition content
Protection class | Protection class III in accordance with IEC/EN 61131-2
Pollution | Pollution degree II in accordance with IEC/EN 61131-2
Altitude | < 2000 m
Enclosure | Standard: IP20/IP00. If required by the relevant application standards (e.g., EN 60204), the device must be installed in an enclosure of the specified protection class (e.g., IP54).
Table 3: General Requirements

3.5.1.1 Climatic Conditions


The following table lists the most important tests and limits for climatic conditions:
Standard: IEC/EN 61131-2
- Operating temperature: 0...+60 °C (test limits: -10...+70 °C)
- Storage temperature: -40...+85 °C
- Dry heat and cold resistance tests: +70 °C / -40 °C, 16 h; +85 °C, 1 h; power supply not connected
- Temperature changes, withstand test: fast temperature changes -40 °C / +70 °C, power supply not connected
- Immunity test: slow temperature changes -10 °C / +70 °C, power supply not connected
- Cyclic damp-heat withstand tests: +25 °C / +55 °C, 95 % relative humidity, power supply not connected
Standard: EN 54-2
- Damp-heat: 93 % relative humidity, 40 °C, 4 days in operation
- Damp-heat: 93 % relative humidity, 40 °C, 21 days, power supply not connected
Table 4: Climatic Conditions

3.5.1.2 Mechanical Conditions


The following table lists the most important tests and limits for mechanical conditions:
IEC/EN 61131-2 Mechanical tests
Vibration immunity test:
5...9 Hz / 3.5 mm amplitude
9...150 Hz, 1 g, EUT in operation, 10 cycles per axis
Shock immunity test:
15 g, 11 ms, EUT in operation,
3 shocks per axis and direction (18 shocks)
Table 5: Mechanical Tests

3.5.1.3 EMC Conditions


Safety-related systems must withstand higher interference levels. HIMax systems meet these
requirements in accordance with IEC 62061 and IEC 61326-3-1.
Test standard | Interference immunity test | Criterion
IEC/EN 61000-4-2 | ESD test: 6 kV contact discharge, 8 kV air discharge | FS
IEC/EN 61000-4-3 | RFI test (20 V/m): 80 MHz...1 GHz, 80 % AM | FS
IEC/EN 61000-4-3 | RFI test (10 V/m): 1 GHz...2 GHz, 80 % AM | FS
IEC/EN 61000-4-3 | RFI test (3 V/m): 2 GHz...3 GHz, 80 % AM | FS
IEC/EN 61000-4-4 | Burst test, supply voltage: 3 kV | FS
IEC/EN 61000-4-4 | Burst test, signal lines: 2 kV | FS
IEC/EN 61000-4-5 | Surge, DC supply voltage: 2 kV CM, 1 kV DM | FS
IEC/EN 61000-4-5 | Surge, signal lines: 2 kV CM | FS
IEC/EN 61000-4-6 | High frequency, asymmetrical: 10 V, 150 kHz...80 MHz, 80 % AM | FS
IEC/EN 61000-4-16 | Supply and signal lines: 1...10 V, 20 dB/decade (1.5...15 kHz) | FS
IEC/EN 61000-4-16 | Supply and signal lines: 10 V (15...150 kHz) | FS
IEC/EN 61000-4-16 | Supply and signal lines: 10 V constant (with DC, 16 2/3 Hz, 50/60 Hz, 150/180 Hz) | FS
IEC/EN 61000-4-16 | Supply and signal lines: 100 V temporary (1 s, with DC, 16 2/3 Hz, 50/60 Hz) | FS
Table 6: Interference Immunity Tests

IEC/EN 61000-6-4 Noise emission tests


EN 55011 Emission test:
Class A radiated, conducted
Table 7: Noise Emission Tests

3.5.1.4 Supply Voltage


The following table lists the most important tests and limits for the device's supply voltage:
IEC/EN 61131-2 Verification of the DC supply characteristics
Alternatively, the power supply must comply with the following standards:
IEC/EN 61131-2 or
SELV (Safety Extra Low Voltage) or
PELV (Protective Extra Low Voltage)
HIMax devices must be fuse protected as specified in the manual for the
X-BASE PLATE (HI 801 025 E)
Voltage range test:
24 VDC, -20...+25 % (19.2...30.0 V)
Momentary external current interruption immunity test:
DC, PS 2: 2 ms
Reversal of DC power supply polarity test:
Refer to corresponding chapter of the system manual or data sheet of
power supply.
Backup duration withstand test:
Test B, 1000 h
Table 8: Verification of the DC Supply Characteristics

4 Processor Module
The processor module's safety function is maintained by processing the user program with two
processors that constantly compare their data. If a fault occurs, the watchdog sets the module to
the safe state and reports the CPU state.
Refer to the manual for further details about the processor modules.

4.1 Self-Tests
The following section specifies the most important self-test routines of the controller's
safety-related processor modules:
- Processor test
- Memory test
- Comparator test
- CRC test with non-volatile memories
- Watchdog test

4.2 Reactions to Faults in the Processor Module


A hardware comparator in the processor module constantly checks whether the data in
microprocessor systems 1 and 2 are identical. If they are different, or if the test routines detect
faults in the processor module, the processor module automatically enters the ERROR STOP
state.
If such a fault occurs for the first time, the controller is restarted (reboot). If a further internal fault
occurs within the first minute after start-up, the controller enters the STOP/INVALID
CONFIGURATION state and will remain in this state.
If an automatic restart is not desired, set the resource parameter Autostart to OFF.

4.3 Replacing Processor Modules


Prior to replacing a processor module, ensure that the replacement will not cause a running
HIMax system to stop.
In particular, this applies to systems running in accordance with the energize-to-trip principle.
The failure of such systems causes the loss of the safety function.
Redundant processor modules can be replaced during operation, provided that at least one
other processor module is available that can maintain safety-related operation while the module
is being replaced.

NOTICE
Interruption of the safety-related operation possible!
Replacing a processor module with a lit or blinking Ess LED can result in the
interruption of a controller's operation.
Do not remove processor modules with a lit or blinking Ess LED.

A lit or blinking Ess LED indicates that the processor module is required for the system to
function.
Even if the LED is not lit or blinking, the system redundancies, which this processor module is
part of, must be checked using SILworX. The communication connections processed by the
processor module must also be taken into account.
Refer to the processor module manuals (HI 801 009 E and HI 801 355 E) and to the system
manual (HI 801 001 E) for more details on how to replace processor modules.

4.4 The X-CPU 01 Processor Module


The X-CPU 01 processor module can be operated with up to 4-fold redundancy. It may be
inserted into racks 0 and 1, slots 3...6.

4.5 The X-CPU 31 Processor Module


The X-CPU 31 processor module combines the functions of processor and system bus
modules. For this reason, it can only be inserted into slots 1 or 2 of rack 0. In this case, no further
processor module can be used in slots 3...6 of racks 0 and 1!

5 System Bus Module


A system bus module administrates one of the two safety-related system busses. The two
system busses are redundant to one another. Each system bus interconnects the various
modules and base plates. The system busses transfer safe data using a safety-related protocol.
A HIMax system that only contains one processor module can be operated at a reduced
availability level using one system bus only.
Processor modules of type X-CPU 31 can also be used in rack 0 instead of system bus
modules. The statements made in this chapter also apply for X-CPU 31 modules. The
X-CPU 31 processor modules require a special double-width connector board.

5.1 Rack ID
The rack ID identifies a base plate within a resource and must be unique for each base plate.
The rack ID is the safety parameter for addressing the individual base plates and the modules
mounted on them!
The rack ID is stored in the connector board of the system bus module.
The procedure for configuring the rack ID is described in the system manual (HI 801 001 E) and
in the SILworX first steps manual (HI 801 103 E).

5.2 Responsibility
Only one of the system bus modules on each system bus may receive the Responsible
attribute and thus be configured as responsible for system bus operation.
For system bus A, the Responsible attribute is reserved for the system bus module or the
X-CPU 31 processor module in rack 0, slot 1.
The following conditions apply for system bus B:
- If X-SB 01 and X-CPU 01 are used, the attribute can be configured with SILworX.
The Responsible system bus module must either be located in rack 0, slot 2, or in rack 1,
slot 2.
- If X-CPU 31 is used, the attribute is fixed for the module in rack 0, slot 2.
Prior to starting safety-related operation, ensure the Responsible attribute is properly configured
for both system busses.

The procedure for setting the Responsible attribute is described in the SILworX first steps
manual (HI 801 103 E).

WARNING
Physical injury possible!
SILworX must be used to verify the configuration.
Proceed as follows:
- In SILworX, log in to the system module in rack 0, slot 2.
- In SILworX, log in to the system module in rack 1, slot 2.
- Check the Control Panels of both system bus modules to ensure that the Responsible
  attribute has only been set for the correct system bus module (see Figure 1 and
  Figure 2)!

Recommended configurations:
- If processor modules are only contained in rack 0, both system bus modules in rack 0 must
  be set to Responsible (Figure 1).
- If processor modules are also contained in rack 1 (Figure 2), the following system bus
  modules must be set to Responsible:
  - In rack 0, the system bus module in slot 1 (automatically).
  - In rack 1, the system bus module in slot 2.

[Figure; legend: R = System Bus Module set to Responsible]
Figure 1: Recommended Configuration: All Processor Modules in Rack 0

[Figure; legend: R = System Bus Module set to Responsible]
Figure 2: Recommended Configuration: X-CPU 01 Processor Modules in Rack 0 and Rack 1

If X-CPU 31 processor modules are inserted in rack 0, slots 1 and 2 (Figure 3), they are
always set to Responsible. In this case, the system bus module in rack 1, slot 2, must not be
set to Responsible.

[Figure; legend: R = Processor Module set to Responsible]
Figure 3: Configuration with X-CPU 31 Processor Modules in Rack 0, Slots 1 and 2



6 Communication Module
Communication modules control both safety-related data transfer to other HIMA controllers and
non-safety-related data transfer through fieldbuses and Ethernet.
The processor module controls safety-related data traffic using the SIL 3-certified transfer
protocol safeethernet. The communication module forwards the data packets to the other
systems. The safety-related protocol ensures that corrupted messages are detected
(black-channel principle).
This allows safety-related communication via non-safety-related transmission paths, i.e.,
standard network components.
The standard protocols are for instance:
- Modbus
- PROFIBUS master/slave
- Send/Receive TCP
- PROFINET IO
- SNTP
Refer to the following documents for further details on communication and communication
modules:
- This manual, Chapter 12.1.
- Communication module manual, HI 801 011 E
- Communication manual, HI 801 101 E
- System manual, HI 801 001 E

7 Input Modules
Module | Number of channels | Safety-related | Interference-free (• = yes) | Remark
Digital inputs
X-DI 16 01 | 16 | SIL 3 | • | 120 VAC
X-DI 32 01 | 32 | SIL 3 | • | 24 VDC
X-DI 32 02 | 32 | SIL 3 | • | Proximity switches (NAMUR)
X-DI 32 03 | 32 | SIL 3 | • | 48 VDC
X-DI 32 04 | 32 | SIL 3 | • | With sequence of events recording
X-DI 32 05 | 32 | SIL 3 | • | Proximity switches (NAMUR), with sequence of events recording
X-DI 32 51 | 32 | - | • | 24 VDC
X-DI 32 52 | 32 | - | • | Proximity switches (NAMUR)
X-DI 64 01 | 64 | SIL 3 | • | 24 VDC
X-DI 64 51 | 64 | - | • | 24 VDC
Analog inputs 0/4...20 mA
X-AI 16 51 | 16 | SIL 1 | • | Thermocouple
X-AI 32 01 | 32 | SIL 3 | • |
X-AI 32 02 | 32 | SIL 3 | • | With sequence of events recording
X-AI 32 51 | 32 | - | • |
Counter inputs
X-CI 24 01 | 24 | SIL 3 | • |
X-CI 24 51 | 24 | - | • |
Table 9: Overview of the Input Modules

7.1 General
Safety-related inputs can be used for both safety-related signals and non-safety-related signals.
Non-safety-related signals, however, may not be used for safety functions!
Safety-related input modules automatically perform high-quality, cyclic self-tests during
operation.
If a fault occurs, the initial value is provided to the user program as a global variable and, if
possible, detailed fault information is issued. The user program can read out the error code and
thus evaluate this fault information.
In addition to the diagnostic LEDs, the controllers generate and save error and status
messages. The PADT can read the saved diagnostic messages.
For more information on the input modules, refer to the individual module manuals.

7.2 Safety of Sensors, Encoders and Transmitters


In safety-related applications, the PES and connected sensors, encoders and transmitters must
all meet the safety requirements and achieve the specified SIL. For information on how to
achieve the required SIL for sensors, see IEC 61511-1, Section 11.4.

7.3 Reaction in the Event of a Fault


If the test routines detect a faulty input, the user program processes the initial value of the global
variables. The module activates the Error LED.
Failure of the overall input module causes the user program to process the initial value of the
global variables for all the inputs.
The error code and other system variables can be used to program application-specific fault
reactions. Refer to the module-specific manual for more details.

7.4 Safety-Related Digital Inputs


The digital input module reads the values at its digital inputs and provides safe values in every
processor module cycle. The module cyclically tests the inputs' safe operation.

7.4.1 Test Routines


The online test routines check whether the input channels are able to forward both signal levels
(L and H levels), irrespective of the signals actually present on the input. This functional test is
performed whenever the input signals are read.

7.4.2 Redundancy
The digital inputs may be connected redundantly. The redundant connection is usually used to
increase availability.
If other connection variants should be used, e.g., to increase the SIL value, fault states must be
handled in the user program logic.

7.4.3 Surges on Digital Inputs


Due to the short cycle time of the HIMax systems, a surge pulse as described in EN 61000-4-5
can be read in at the digital inputs as a short-term high level.
If shielded cables are used for digital inputs, no additional precautionary measures are required
to protect against surges.

If no shielded cables are used, the channel-specific time on and time off delay must be applied
to avoid these types of faults. A signal must be present for at least a certain time period before it
is evaluated. The configured delay + 2 * I/O cycle time must be added to the response time and
to the safety time configured for the resource.
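As an added example for the time-on/time-off delay described in this section (written for this page, not HIMA's module firmware): a filter that passes a new input level only after it has been present for the configured delay, applied to a constructed sample stream containing a one-cycle surge pulse followed by a genuine switch-on, together with the allowance the manual requires to be added to the response time and the safety time. The filter semantics and the 2 ms I/O cycle time are assumptions.

```python
"""Time-on / time-off delay filtering of a digital input, as an added example for the
surge handling described above. Not HIMA code: the filter semantics (a new level must be
present for the whole configured delay before it is passed on) and the 2 ms I/O cycle are
assumptions used to build the sample.
"""
from dataclasses import dataclass

IO_CYCLE_MS = 2.0  # assumed I/O cycle time; one sample per cycle


@dataclass
class DelayFilter:
    on_delay_ms: float
    off_delay_ms: float
    cycle_ms: float = IO_CYCLE_MS
    state: bool = False       # last value passed on to the user program
    pending_ms: float = 0.0   # how long the raw level has differed from state

    def step(self, raw: bool) -> bool:
        """Process one sample; return the filtered level."""
        if raw == self.state:
            self.pending_ms = 0.0
            return self.state
        self.pending_ms += self.cycle_ms
        needed = self.on_delay_ms if raw else self.off_delay_ms
        if self.pending_ms >= needed:
            self.state = raw
            self.pending_ms = 0.0
        return self.state


def filter_samples(raw, on_delay_ms, off_delay_ms, cycle_ms=IO_CYCLE_MS):
    """Run a whole sample sequence through a fresh filter."""
    f = DelayFilter(on_delay_ms, off_delay_ms, cycle_ms)
    return [f.step(bool(s)) for s in raw]


def added_time_ms(configured_delay_ms, io_cycle_ms=IO_CYCLE_MS):
    """Allowance the manual requires on top of the response time and the safety time:
    configured delay + 2 * I/O cycle time."""
    return configured_delay_ms + 2 * io_cycle_ms


# Constructed sample: a one-sample surge (index 3), then a genuine switch-on lasting
# 10 samples (20 ms), then the signal drops again.
SURGE_THEN_STEP = [0, 0, 0, 1, 0, 0, 0] + [1] * 10 + [0] * 6

if __name__ == "__main__":
    print("unfiltered:", filter_samples(SURGE_THEN_STEP, 0.0, 0.0))
    print("10 ms delays:", filter_samples(SURGE_THEN_STEP, 10.0, 10.0))
    print("add to response/safety time:", added_time_ms(10.0), "ms")
```

With a 10 ms delay the single-cycle surge never reaches the user program, the genuine switch-on is passed on five cycles later, and 14 ms (10 ms + 2 × 2 ms) has to be added to the response time and to the resource's safety time.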

7.5 Safety-Related Analog Inputs and Proximity Switch Inputs


Analog input channels convert the measured input currents to a value of type DINT (double
integer), i.e., the raw value, and to a value of type REAL, i.e., the process value. The raw value
contains the measured input signal, whereas the process value is a scaled value.
The proximity switch inputs create a digital value by comparing the raw value with the
configured thresholds.

7.5.1 Test Routines


The module captures analog values in parallel along two paths and compares the results with
one another. Additionally, it cyclically tests the input path function.

7.5.2 Redundancy
The analog inputs may be connected redundantly. The redundant connection is usually used to
increase availability.

If other connection variants should be used, e.g., to increase the SIL value, fault states must be
handled in the user program logic.

7.5.3 State of LL, L, N, H, HH in X-AI 32 01 and X-AI 32 02


For safety-related applications, if scalar events have been defined for the thresholds of a
channel located in an analog module (X-AI 32 01 or X-AI 32 02), the state variables -> State LL,
-> State L, -> State N, -> State H, -> State HH must be connected to Channel OK! If faults
occur, these state variables return FALSE.
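As an added example for sections 7.5 and 7.5.3 (written for this page, not HIMA's module firmware): the raw DINT value of a 4...20 mA channel is scaled to the REAL process value, a proximity-switch style digital value is derived from thresholds, and the State LL/L/N/H/HH variables are each combined with Channel OK so that all of them return FALSE on a channel fault. The raw-value unit (1 count = 1 µA), the valid current window (3.6...21 mA) and all threshold values are assumptions chosen for the sample.

```python
"""Analog channel evaluation: raw value to process value, threshold comparison, and the
LL/L/N/H/HH state variables ANDed with Channel OK. Added example, not HIMA code; the
raw-value unit, the valid-current window and the thresholds are assumptions.
"""
from dataclasses import dataclass

# Assumed valid current window for a 4...20 mA loop (below: open circuit or sensor
# fault, above: short circuit or saturation). Outside it the channel is not OK.
VALID_MIN_UA = 3600
VALID_MAX_UA = 21000


@dataclass(frozen=True)
class ChannelConfig:
    low_ma: float = 4.0       # raw current at the lower end of the measuring range
    high_ma: float = 20.0     # raw current at the upper end
    low_eu: float = 0.0       # process value at low_ma (engineering units)
    high_eu: float = 100.0    # process value at high_ma
    ll: float = 10.0          # scalar-event thresholds in engineering units
    l: float = 20.0
    h: float = 80.0
    hh: float = 90.0


def channel_ok(raw_ua: int) -> bool:
    """Channel OK: the measured current lies inside the valid window."""
    return VALID_MIN_UA <= raw_ua <= VALID_MAX_UA


def process_value(raw_ua: int, cfg: ChannelConfig) -> float:
    """Linear scaling of the raw value (DINT, µA) to the process value (REAL)."""
    span_ma = cfg.high_ma - cfg.low_ma
    return cfg.low_eu + (raw_ua / 1000.0 - cfg.low_ma) * (cfg.high_eu - cfg.low_eu) / span_ma


def proximity_state(raw_ua: int, on_ua: int, off_ua: int, previous: bool) -> bool:
    """Digital value derived from the raw value with two thresholds (hysteresis)."""
    if raw_ua >= on_ua:
        return True
    if raw_ua <= off_ua:
        return False
    return previous


def threshold_states(raw_ua: int, cfg: ChannelConfig) -> dict:
    """State LL/L/N/H/HH for the channel, each ANDed with Channel OK so that all five
    return FALSE when the channel is faulty (the requirement in 7.5.3)."""
    ok = channel_ok(raw_ua)
    v = process_value(raw_ua, cfg)
    return {
        "channel_ok": ok,
        "state_ll": ok and v < cfg.ll,
        "state_l": ok and cfg.ll <= v < cfg.l,
        "state_n": ok and cfg.l <= v <= cfg.h,
        "state_h": ok and cfg.h < v <= cfg.hh,
        "state_hh": ok and v > cfg.hh,
    }


if __name__ == "__main__":
    cfg = ChannelConfig()
    for raw in (12000, 19500, 2000):   # constructed readings: mid-range, high, broken loop
        print(raw, "µA ->", process_value(raw, cfg), threshold_states(raw, cfg))
```

Because every state variable is gated by Channel OK, a broken loop (2 mA) yields all five states FALSE rather than a spurious State LL, which is the behaviour the user program must be written to expect.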

7.6 Safety-Related Counter Inputs


Depending on its configuration, a safety-related counter input can return the following process
values:
- A counter reading as an integer value or as a scaled floating-point value.
- A rotation speed or frequency as an integer value or as a scaled floating-point value.
- Additional auxiliary values such as overflow.
For further details, refer to the module-specific manual (HI 801 113 E).

7.6.1 Test Routines


The module captures the counter values in parallel along three paths and compares the results
with one another. Additionally, it cyclically tests the input path function.

7.6.2 Important Information in Connection with the X-CI 24 01 Counter Module


If the X-CI 24 01 counter module is used, the following characteristics must be observed; also
refer to the module-specific manual (HI 801 113 E):
- While performing a reload, input pulses may be lost during the first 3 cycles, if the following
  parameters are changed during the process:
  - Counting Pulse Evaluation Type
  - Channel pairs in use
- If the channel sensor fails during the edge evaluation 2 Phases, 4 Edges, and no
  short-circuit or open-circuit was detected, the module only registers half of the actual
  frequency value.
- Pulses to be counted can be lost during an automatic restart.
- Automatic or manual module restart must be considered as application-specific.
Application recommendation:
- To ensure detection of a sensor failure, HIMA recommends using redundant sensors for
  multiple-phase evaluation or for recognizing the rotation direction.
- Configuring noise blanking while frequencies are measured does not impair safety.

7.6.3 Redundancy
The counter inputs may be connected redundantly. The redundant connection is usually used to
increase availability.
If other connection variants should be used, e.g., to increase the SIL value, fault states must be
handled in the user program logic.

7.7 Checklists for Inputs


HIMA recommends using the available checklists for engineering, programming and starting up
safety-related digital inputs. The checklists can be used for helping with planning as well as to
demonstrate later on that the planning phase was carefully completed.

When engineering or starting up the system, it is useful to fill out a checklist for each of the
safety-related input channels used in the system to verify the requirements to be met. This is the
only way to ensure that all requirements were considered and clearly recorded. The checklist
also documents the relationship between the external wiring and the user program.
The checklists are available in Microsoft® Word® format on the HIMA website.

8 Output Modules
Module | Number of channels | Safety-related | Safely galvanically separated (• = yes, - = no) | Remark
Digital outputs
X-DO 12 02 | 12 | SIL 3 | - | 24 VDC, 2 A
X-DO 24 01 | 24 | SIL 3 | - | 24 VDC
X-DO 24 02 | 24 | SIL 3 | - | 48 VDC
X-DO 32 01 | 32 | SIL 3 | - | 24 VDC
X-DO 32 51 | 32 | - | - | 24 VDC
Digital relay outputs
X-DO 12 01 | 12 | SIL 3 | • | 230 VAC
X-DO 12 51 | 12 | - | • | 230 VAC
Analog outputs
X-AO 16 01 | 16 | SIL 3 | Pairwise |
X-AO 16 51 | 16 | - | - |
Table 10: Overview of the Output Modules

8.1 General
The safety-related output modules are written once per cycle; the generated output signals are
read back and compared with the specified output data.
The safe state of the outputs is 0 or an open relay contact.

Using the corresponding error code, the user can program additional fault reactions in the user
program.
For more information on the output modules, refer to the individual module manuals.

8.2 Safety of Actuators


In safety-related applications, the PES and connected actuators must all meet the safety
requirements and achieve the specified SIL. For information on how to achieve the required SIL
for sensors and actuators, see IEC 61511-1, Section 11.4.

8.3 Reaction in the Event of a Fault


If the test routines detect a faulty output, the controller switches off the output, i.e., it enters the
safe state. The module activates the Error LED.
Failure of the overall output module causes all outputs to enter the safe state.
The error code and other system variables can be used to program application-specific fault
reactions. Refer to the module-specific manual for more details.

8.4 Safety-Related Digital Outputs


The safety-related output channels are equipped with three testable switches connected in
series. This ensures compliance with the SIL 3 requirement for a second safe independent
switch-off option. If a fault occurs, this integrated safety switch-off function safely de-energizes
the individual channels of the defective output module (de-energized state).
Additionally, the watchdog signal of the module is the second safety shutdown option: If the
watchdog signal is lost, the module immediately enters the safe state.

8.4.1 Test Routines for Digital Outputs


The modules are tested automatically during operation. The main test functions are:
- Read back of the output signal.
- Checking the integrated redundant safety shutdown.
- Shutdown test of the outputs.
- Operating voltage monitoring.

8.4.2 Output Noise Blanking


If the output noise blanking is activated, the output module delays the switch-off reaction of a
channel.

If output noise blanking has been activated and transient interference has been
suppressed, a potential delay in the reaction of safety time - watchdog time must be
taken into account.

In all cases, the module also indicates the fault through the Error LED on the front plate.

8.4.3 Behavior in the Event of External Short-Circuit or Overload


If the output is short-circuited to L- or overloaded, the module is still safe.
In this state, the outputs are checked every few seconds to determine whether the overload is
still present. In a normal state, the outputs are switched on again.

8.4.4 Redundancy
The digital outputs may be connected redundantly. The redundant connection is usually used to
increase availability.
If other connection variants should be used, e.g., to increase the SIL value, fault states must be
handled in the user program logic.

8.5 Safety-Related Relay Outputs


Relay output modules are connected to the actuator under any of the following circumstances:
- Electric separation is required.
- Higher amperages are used.
- Alternating currents are to be connected.
The module outputs are equipped with two safety relays with forcibly guided contacts. The
outputs can thus be used for safety shutdowns in accordance with SIL 3.
Additionally, the watchdog signal of the module is the second safety switch-off function: If the
watchdog signal is lost, the module immediately enters the safe state.

8.5.1 Test Routines for Relay Outputs


The module is tested automatically during operation. The main test functions are:
- Reading the output signals back from the switching amplifiers located before the relays.
- Testing the switching of the relays with forcibly guided contacts.
- Checking the integrated redundant safety shutdown.
- Operating voltage monitoring.

8.5.2 Redundancy
The digital relay outputs may be connected redundantly. The redundant connection is usually
used to increase availability.
If other connection variants should be used, e.g., to increase the SIL value, fault states must be
handled in the user program logic.

8.6 Safety-Related Analog Outputs


The safety-related analog outputs forward the values determined in the user program to the actuators.
The safety-related analog outputs read back their output values and compare them to the
values to be output. If the values differ, a fault reaction is triggered.

8.6.1 Test Routines for Analog Outputs


The modules are tested automatically during operation. The main test functions are:
- Reading the output signals back.
- Checking the integrated redundant safety shutdown.

If faults occur, the outputs are set to the safe value 0 mA.

8.6.2 Output Noise Blanking


If the output noise blanking is activated, the output module delays the switch-off reaction of a
channel.

If output noise blanking has been activated and transient interference has been
suppressed, a potential delay in the reaction of safety time - watchdog time must be
taken into account.

In all cases, the module also indicates the fault through the Error LED on the front plate.

8.6.3 Behavior in the Event of External Open-Circuit


If an open-circuit occurs, the module switches the current off for approx. 8 ms and checks if the
open-circuit is still present. If this is the case, it switches off for approx. 10 s. This process can
repeat indefinitely.

8.6.4 Important Information in Connection with the Analog X-AO 16 01 Output Module
If the analog output module is used, the following characteristics must be observed; also refer to
the module-specific manual (HI 801 111 E):
- Only the connection variants specified in the module-specific manual (HI 801 111 E) may be
  used!
- If more than two modules are redundantly connected in series, the SELV voltage can be
  exceeded!
- With serial redundancy, only one channel of each group of two channels may be used!
- If HART communication occurs between the connected actuator and one HART terminal, the
  output signal can deviate from the full scale by up to 1 %!
- If a fault occurs, the time to reach the safe state can take up to 16 ms in the worst case.
  Take this time into account when defining the reaction and safety times!
- The user program may not write to analog outputs in cycles shorter than 6 ms.
- If faults occur, the module outputs the safe value 0 mA, even if the upper limit of the setting
  range is exceeded.

8.6.5 Redundancy
The analog outputs may be connected redundantly. The redundant connection is usually used
to increase availability.
If other connection variants should be used, e.g., to increase the SIL value, fault states must be
handled in the user program logic.

8.7 Checklists for Outputs


HIMA recommends using the available checklists for engineering, programming and starting up
safety-related digital outputs. The checklists can be used for helping with planning as well as to
demonstrate later on that the planning phase was carefully completed.
When engineering or starting up the system, it is useful to fill out a checklist for each of the
safety-related output channels used in the system to verify the requirements to be met. This is
the only way to ensure that all requirements were considered and clearly recorded. The
checklist also documents the relationship between the external wiring and the user program.
The checklists are available in Microsoft® Word® format on the HIMA website.

9 Special I/O Modules

9.1 HART Module: X-HART 32 01


The HART module serves for communicating with HART-capable sensors and actuators.
For further details, refer to the module-specific manual (HI 801 307 E).

9.1.1 Safety Function


The safety function of the X-HART module includes the following points:
HART Deactivation: If the module is shut down, the HART channels are safely deactivated in
accordance with SIL 3.
HART Filtering: HART access to HART transmitters or sensors is locked in accordance with
SIL 3.
HART communication influences the analog metrological accuracy by approx. 1 %.
There are no additional repercussions for the analog modules.
If the HART filtering function is deactivated on the HART module, the corresponding analog
sensor or actuator can be reprogrammed. This can impair safety.

9.2 The HIMax Overspeed Trip Module X-MIO 7/6 01


The module serves for monitoring the rotation speed and the emergency stop function (trip
function) of a turbine. For further details, refer to the module-specific manual (HI 801 305 E).
The module can be used to implement applications in accordance with API 670. The module
complies with the turbine requirements for rotation speed monitoring and trip routines defined in
API 670. The rotation speed monitoring and the trip routines are independent of the overall
HIMax system and the user program.

9.2.1 Safety Function


The module monitors the rotation speed of a turbine, independently of the HIMax overall system
and the user program. The module trips the turbine via the digital outputs.
Depending on the measuring input, the module measures the rotation speed and direction of a
sensor with safety-related accuracy. To determine the rotation speed, one turbine is equipped
with three sensors. The rotation speed values calculated for the three sensors are used by the
module to perform a 2oo3 evaluation. The result is provided to the safety-related X-MIO 7/6 01
processor system and the user program.
If a sensor signal fails, the module outputs a warning. If two of the three signals fail, the trip
function is triggered.
The module is equipped with safety-related digital outputs as described in Chapter 8.3.
The safety function is performed for all inputs and outputs in accordance with SIL 3. The relay
output is implemented as a potential-free, non-safety-related signaling contact (changeover).
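The 2oo3 evaluation described above, as an added illustrative model in Python. It is not the X-MIO 7/6 01 firmware or any HIMA code: the median vote with three valid sensors, the degraded two-sensor case with a warning, and the trip on two failed signals are this example's own assumptions about how the rule is realised; the trip limit of 3600 rpm and the sensor readings are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class SensorReading:
    """One rotation-speed sample in rpm; valid=False means the sensor signal failed."""
    rpm: Optional[float]
    valid: bool


@dataclass(frozen=True)
class Evaluation:
    speed_rpm: Optional[float]  # voted speed, None when no safe value exists
    warning: bool               # at least one sensor signal has failed
    trip: bool                  # two or more failed, or voted speed at/above the limit


def vote_2oo3(readings: Sequence[SensorReading], trip_limit_rpm: float) -> Evaluation:
    """2oo3 evaluation of three speed sensors (simplified model, assumption).

    Three valid values: the median is taken, so a single deviating sensor
    can neither cause nor mask an overspeed trip.
    Two valid values: degraded operation, mean of the pair plus a warning.
    Fewer than two valid values: no safe speed exists, the trip output is set.
    """
    if len(readings) != 3:
        raise ValueError("2oo3 evaluation needs exactly three readings")
    valid = sorted(r.rpm for r in readings if r.valid and r.rpm is not None)
    if len(valid) == 3:
        speed = valid[1]
        return Evaluation(speed, warning=False, trip=speed >= trip_limit_rpm)
    if len(valid) == 2:
        speed = (valid[0] + valid[1]) / 2
        return Evaluation(speed, warning=True, trip=speed >= trip_limit_rpm)
    return Evaluation(None, warning=True, trip=True)


# Constructed sample data: three sensors on one turbine, assumed trip limit 3600 rpm
TRIP_LIMIT_RPM = 3600.0
NORMAL = [SensorReading(3000.0, True), SensorReading(3010.0, True), SensorReading(2990.0, True)]
ONE_FAILED = [SensorReading(None, False), SensorReading(3000.0, True), SensorReading(3020.0, True)]
TWO_FAILED = [SensorReading(None, False), SensorReading(None, False), SensorReading(3000.0, True)]
OVERSPEED = [SensorReading(3700.0, True), SensorReading(3650.0, True), SensorReading(100.0, True)]

if __name__ == "__main__":
    cases = [("normal", NORMAL), ("one failed", ONE_FAILED),
             ("two failed", TWO_FAILED), ("overspeed", OVERSPEED)]
    for name, readings in cases:
        print(name, vote_2oo3(readings, TRIP_LIMIT_RPM))
```

The OVERSPEED sample shows why a median vote is used: one sensor reading far too low does not pull the voted speed below the limit, so the trip still fires.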

9.2.2 Redundancy
To increase availability, the module must be used in a dual redundant structure. To this end,
only dual redundant connector boards may be used.

10 Software
The software for the safety-related automation devices of the HIMax systems consists of the
following components:
Operating system.
User program.
SILworX programming tool in accordance with IEC 61131-3

The operating system is loaded into each module of the controller. HIMA recommends using the
latest version valid for the safety-related applications. This chapter particularly describes the
operating system of the processor module.
The user program is created using the SILworX programming tool and contains the application-
specific functions to be performed by the automation device. Parameters are also set using
SILworX.
The user program is compiled with the code generator and transferred through an Ethernet
interface to the non-volatile memory of the automation device.

10.1 Safety-Related Aspects of the Operating System


Each approved operating system is clearly identified by the revision number and the CRC
signature. The valid versions of the operating system and corresponding signatures (CRCs) -
approved by the TÜV for use in safety-related automation devices - are subject to a revision
control and are documented in the version list of modules and firmware for HIMax systems from
HIMA Paul Hildebrandt GmbH maintained by HIMA in co-operation with the TÜV.
The current version of the operating system can be read using SILworX. The users must ensure
that a valid version of the operating system has been loaded into the modules (see 11.3
Checklist for Creating a User Program).

10.2 Safety-Related Aspects of Programming


When creating a user program, the requirements detailed in this section must be observed.

10.2.1 Safety Concept of SILworX


The safety concept of SILworX:
When SILworX is installed, a checksum (CRC) helps ensure the program package integrity
on the way from the manufacturer to the user.
SILworX performs validity checks to reduce the likelihood of faults while entering data.

When starting up a safety-related controller for the first time, a comprehensive functional test
must be performed to verify the safety of the entire system.
Verify that the tasks to be performed by the controller were properly implemented using the
data and signal flows.
Perform a thorough functional test of the logic by trial (see Chapter 10.2.2).

If a user program is modified, only the program components affected by the change must be
tested. To do this, the safe version comparator in SILworX can be used to determine and
display all changes relative to the previous version.
Whenever the safety-related controller is started up, the verification and validation requirements
specified in the application standards must be observed!

10.2.2 Verifying the Configuration and the User Program


To verify that the user program created performs the required safety function, the user must
create suitable test cases for the required system specification.
An independent test of each loop (consisting of input, the key interconnections in the application
and output) is usually sufficient.
Suitable test cases must also be created for the numerical evaluation of formulas. Equivalence
class tests are useful. These are tests within defined ranges of values, at the limits of or within
invalid ranges of values. The test cases must be selected such that the calculations can be
proven to be correct. The required number of test cases depends on the formula used and must
include critical value pairs.
HIMA recommends actively performing a simulation with data sources, since this is the only way
to prove that the sensors and actuators in the system (also those connected to the system via
communication with remote I/Os) are properly wired. This is also the only way to verify the
system configuration.
SILworX can be used as testing aid for:
checking inputs
forcing outputs

This procedure must be followed both when initially creating and when modifying the user
program.
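The equivalence class testing recommended above, as an added worked example in Python that is not part of the manual or of SILworX. The formula under test is an assumed 4...20 mA live-zero scaling into engineering units with a fault band outside 3.6...21.0 mA; the ranges, the engineering-unit span of 0...250 and the test cases are constructed to show one representative per value class plus the class limits.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

I_LOW_MA, I_HIGH_MA = 4.0, 20.0          # live-zero span of the transmitter (assumed)
EU_LOW, EU_HIGH = 0.0, 250.0             # engineering-unit range (assumed)
I_FAULT_LOW, I_FAULT_HIGH = 3.6, 21.0    # outside this band: open circuit / short (assumed)


def scale_live_zero(current_ma: float) -> Tuple[Optional[float], bool]:
    """Formula under test: linear scaling with fault detection.

    Returns (value, fault). Outside the fault band the signal is treated as
    invalid and no value is returned.
    """
    if current_ma < I_FAULT_LOW or current_ma > I_FAULT_HIGH:
        return None, True
    span = (current_ma - I_LOW_MA) / (I_HIGH_MA - I_LOW_MA)
    return EU_LOW + span * (EU_HIGH - EU_LOW), False


@dataclass(frozen=True)
class TestCase:
    name: str
    current_ma: float
    expected_value: Optional[float]
    expected_fault: bool


def equivalence_class_cases() -> List[TestCase]:
    """Representatives of each value class and the limits between the classes."""
    return [
        TestCase("inside measuring range (mid-scale)", 12.0, 125.0, False),
        TestCase("lower limit of measuring range", 4.0, 0.0, False),
        TestCase("upper limit of measuring range", 20.0, 250.0, False),
        TestCase("below 4 mA but inside tolerance", 3.8, -3.125, False),
        TestCase("lower fault limit (still valid)", 3.6, -6.25, False),
        TestCase("upper fault limit (still valid)", 21.0, 265.625, False),
        TestCase("invalid: open circuit", 0.0, None, True),
        TestCase("invalid: just below fault band", 3.59, None, True),
        TestCase("invalid: just above fault band", 21.01, None, True),
    ]


def run_cases(cases: List[TestCase]) -> List[str]:
    """Return the names of failing cases; an empty list means all cases passed."""
    failures = []
    for case in cases:
        value, fault = scale_live_zero(case.current_ma)
        if fault != case.expected_fault:
            failures.append(case.name)
        elif not fault and abs(value - case.expected_value) > 1e-9:
            failures.append(case.name)
    return failures


if __name__ == "__main__":
    print("failing cases:", run_cases(equivalence_class_cases()))
```

The expected values are worked out by hand from the specification, not copied from the formula's output; otherwise the test would only confirm that the code agrees with itself.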

10.3 Resource Parameters


Some parameters are defined in SILworX for actions permitted during the resource's safety-
related operation and are referred to as safety parameters.

WARNING
Physical injury possible due to defective configuration!
Neither the programming system nor the controller can verify project-specific
parameters. For this reason, enter these safety parameters correctly and verify the
whole entry upon completion of the PES load from within the PES itself.
These parameters are:
Rack ID, see Chapter 5.1 and system manual (HI 801 001 E).
Responsible attribute of system bus modules, see Chapter 5.2
The parameters marked in Table 11

Parameters that may be defined for safety-related operation are not firmly bound to any specific
requirement classes. Instead, each of these must be agreed upon together with the competent
test authority for each separate implementation of the automation device.

10.3.1 System Parameters of the Resource


The system parameters of the resource can be set in SILworX, in the Properties dialog box of
the resource.
Columns: Parameter, Description, Default value, Setting for safe operation.

Name
  Description: Name of the resource
  Default value: -
  Setting for safe operation: Arbitrary

System ID [SRS] 1)
  Description: System ID of the resource, 1...65 535. The value assigned to the system ID must differ from the default value, otherwise the project is not able to run!
  Default value: 60 000
  Setting for safe operation: Unique value within the controller network. This network includes all controllers that can potentially be interconnected.

Safety Time [ms] 1)
  Description: Safety time in milliseconds, 20...22 500 ms (changeable online)
  Default value: 600 ms
  Setting for safe operation: Application-specific

Watchdog Time [ms] 1)
  Description: Watchdog time in milliseconds, 6...7500 ms (changeable online)
  Default value: 200 ms
  Setting for safe operation: Application-specific

Target Cycle Time [ms]
  Description: Targeted or maximum cycle time, see Target Cycle Time Mode, 0...7500 ms. The maximum target cycle time value may not exceed the defined watchdog time minus 6 ms; otherwise it is rejected by the PES. If the default value 0 ms is set, the target cycle time is not taken into account. See Chapter 10.3.1.1. (changeable online)
  Default value: 0 ms
  Setting for safe operation: Application-specific

Target Cycle Time Mode
  Description: Use of Target Cycle Time [ms] (changeable online), see Chapter 10.3.1.1.
  Default value: Fixed-tolerant
  Setting for safe operation: Application-specific

Multitasking Mode
  Description:
    Mode 1: The duration of a CPU cycle is based on the required execution time of all user programs.
    Mode 2: The processor makes execution time, which lower priority user programs do not require, available to higher priority user programs. Operation mode for high availability.
    Mode 3: The processor waits until the execution time not needed by the user programs has expired, thus increasing the cycle.
  Default value: Mode 1
  Setting for safe operation: Application-specific

Max. Com. Time Slice ASYNC [ms]
  Description: Highest value in ms for the time slice used for communication during a resource cycle, see the communication manual (HI 801 101 E), 2...5000 ms
  Default value: 60 ms
  Setting for safe operation: Application-specific

Max. Duration of Configuration Connections [ms]
  Description: It defines how much time within a CPU cycle is available for configuration connections, 2...3500 ms. See Chapter 10.3.1.2.
  Default value: 12 ms
  Setting for safe operation: Application-specific

Maximum System Bus Latency [µs]
  Description: Maximum delay of a message between an I/O module and the processor module. 0, 100...50 000 µs.
    NOTE: A license is required for setting the maximum system bus latency to a value > 0.
  Default value: 0 µs
  Setting for safe operation: Application-specific

Allow Online Settings 1)
  Description:
    ON: All the switches/parameters listed below can be changed online using the PADT. This is only valid if the system variable Read-only in RUN has the value OFF.
    OFF: The following parameters may not be changed online: System ID, Autostart, Global Forcing Allowed, Global Force Timeout Reaction, Load Allowed, Reload Allowed, Start Allowed.
    The following parameters may be changed online if Reload Allowed is set to ON: Watchdog Time (for the resource), Safety Time, Target Cycle Time, Target Cycle Time Mode. If Reload Allowed is set to OFF, they are not changeable online.
    NOTE: Allow Online Settings can only be set to ON via reload or if the PES is stopped.
  Default value: ON
  Setting for safe operation: OFF is recommended

Autostart 1)
  Description:
    ON: If the processor module is connected to the supply voltage, the user program starts automatically.
    OFF: The user program does not start automatically after connecting the supply voltage.
  Default value: OFF
  Setting for safe operation: Application-specific

Start Allowed 1)
  Description:
    ON: A cold start or warm start is permitted with the PADT in RUN or STOP.
    OFF: Start not allowed.
  Default value: ON
  Setting for safe operation: Application-specific

Load Allowed 1)
  Description:
    ON: Configuration download is allowed.
    OFF: Configuration download is not allowed.
  Default value: ON
  Setting for safe operation: Application-specific

Reload Allowed 1)
  Description:
    ON: Configuration reload is allowed.
    OFF: Configuration reload is not allowed. A running reload process is not aborted when switching to OFF.
  Default value: ON
  Setting for safe operation: Application-specific

Global Forcing Allowed 1)
  Description:
    ON: Global forcing is permitted for this resource.
    OFF: Global forcing is not permitted for this resource.
  Default value: ON
  Setting for safe operation: Application-specific

Global Force Timeout Reaction
  Description: Specifies how the resource should behave when the global force timeout has expired: Stop Forcing, Stop Resource.
  Default value: Stop Forcing
  Setting for safe operation: Application-specific

Minimum Configuration Version
  Description: With this setting, code compatible with previous or newer HIMax operating system versions in accordance with the project requirements may be generated. See Chapter 10.3.1.3.
    SILworX V2: The code is generated like in SILworX V2 for HIMax prior to V3.
    SILworX V3: The code is generated like in SILworX V3 for HIMax V3.
    SILworX V4: The code is generated like in SILworX V4 for HIMax V4.
    SILworX V5: The code is generated like in SILworX V5 for HIMax V5.
    SILworX V6: The code is generated like in SILworX V6.48 for HIMax V6.
    SILworX V6b: The code is generated like in SILworX V6.114 for HIMax V6.
    SILworX V7: The code is generated like in SILworX V7 for HIMax V7.
  Default value: SILworX V7 for new projects
  Setting for safe operation: Application-specific

Fast Start-Up
  Description: Not applicable to HIMax.
  Default value: OFF
  Setting for safe operation: OFF

1) Safety parameter (marked in bold in the printed table).
Table 11: Resource System Parameters

10.3.1.1 Use of the Parameters Target Cycle Time and Target Cycle Time Mode
These parameters can be used to constantly maintain the cycle time as close to the Target
Cycle Time [ms] value as possible. To do this, this parameter must be set to a value > 0. HIMax
then limits tasks such as reload and synchronization on the redundant modules to ensure that
the target cycle time is maintained.

The following table describes the effect of Target Cycle Time Mode.
Fixed
  Effect on user programs: The PES maintains the target cycle time and extends the cycle if necessary. If the processing time of the user programs exceeds the target cycle time, the cycle duration is increased.
  Effect on reload, synchronization of processor modules: Reload or synchronization is not processed if the target cycle time is not sufficient.

Fixed-tolerant
  Effect on user programs: The PES maintains the target cycle time and extends the cycle if necessary. If the processing time of the user programs exceeds the target cycle time, the cycle duration is increased.
  Effect on reload, synchronization of processor modules: At most each 5th cycle may be prolonged during reload. One single cycle may be prolonged during synchronization.

Dynamic-tolerant
  Effect on user programs: HIMax executes the cycle as quickly as possible.
  Effect on reload, synchronization of processor modules: At most each 5th cycle may be prolonged during reload. One single cycle may be prolonged during synchronization.

Dynamic
  Effect on user programs: HIMax executes the cycle as quickly as possible.
  Effect on reload, synchronization of processor modules: Reload or synchronization is not processed if the target cycle time is not sufficient.

Table 12: Effect of Target Cycle Time Mode

10.3.1.2 Calculating the Maximum Duration of Configuration Connections [ms]


If communication is not completely processed within a CPU cycle, it is resumed in the next
following CPU cycle at the interruption point.
This slows down communication, but it also ensures that all connections to external partners are
processed equally and completely.
For firmware HIMax CPU V3, the value of the maximum duration of configuration connections in
SILworX is preset to 6 ms. The time required to process communication with external partners
may, however, exceed the default value in a CPU cycle.
For firmware HIMax CPU V4 and higher, the value of the maximum duration of configuration
connections must be set taking the defined watchdog time into account.
Suitable value: Select the value such that the cyclic processor tasks can be executed within the
time resulting from Watchdog Time - Max. Duration of Configuration Connections.
The volume of the configuration data to be communicated depends on the number of configured
remote I/Os, the existing connections to PADTs and the system modules with an Ethernet
interface.
A first setting can be calculated as follows:
For X-CPU 01: TConfig = (nCom + nRIO + nPADT) * 0.25 ms + 2 ms + 4 * TLatency / 1000
For X-CPU 31: TConfig = nCom + nRIO * 0.25 ms + nPADT + 2 ms + 4 * TLatency / 1000

Where:
TConfig    System parameter Max. Duration of Configuration Connections [ms]
nCom       Number of modules with Ethernet interfaces {SB, CPU, COM}
nRIO       Number of configured remote I/Os
nPADT      Maximum number of PADT connections = 5
TLatency   The system parameter Maximum System Bus Latency [µs]; it is divided by 1000 to allow the calculation in ms.
If the calculated time value is less than 6 ms, it is rounded up to 6 ms. The calculated time can
either be modified in the properties of the resource or directly online based on the figure
gathered in the online statistics.
When generating the code or converting the project, a warning message is displayed in the
PADT if the value defined for Max. Duration of Configuration Connections is less than the value
resulting from the previous formula.

NOTE: If Max. Duration of Configuration Connections is set too low, communication between the
PADT and the PES runs very slowly and may even fail!
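The value ranges of Table 11 and the relationships stated in this section, combined into an added plausibility check in Python. This is an example written for this page, not part of SILworX or of the PES; the field names of ResourceParams and the wording of the findings are this example's own. It implements the first-setting formula for both processor modules with its 6 ms floor, the rule that the target cycle time may not exceed the watchdog time minus 6 ms, and the warning the PADT gives when the configured value is below the calculated one.

```python
from dataclasses import dataclass
from typing import List

DEFAULT_SYSTEM_ID = 60_000   # a project with the default System ID cannot run
N_PADT_MAX = 5               # maximum number of PADT connections (manual)


@dataclass(frozen=True)
class ResourceParams:
    """Subset of the resource system parameters (field names are this example's own)."""
    system_id: int
    safety_time_ms: int
    watchdog_time_ms: int
    target_cycle_time_ms: int
    max_config_conn_ms: int
    max_sysbus_latency_us: int
    allow_online_settings: bool


def t_config_ms(cpu: str, n_com: int, n_rio: int, t_latency_us: int,
                n_padt: int = N_PADT_MAX) -> float:
    """First setting for Max. Duration of Configuration Connections [ms]."""
    t_latency_ms = t_latency_us / 1000  # Maximum System Bus Latency is set in µs
    if cpu == "X-CPU 01":
        t = (n_com + n_rio + n_padt) * 0.25 + 2 + 4 * t_latency_ms
    elif cpu == "X-CPU 31":
        t = n_com + n_rio * 0.25 + n_padt + 2 + 4 * t_latency_ms
    else:
        raise ValueError(f"unknown processor module: {cpu}")
    return max(t, 6.0)  # values below 6 ms are rounded up to 6 ms


def check_resource(p: ResourceParams, cpu: str, n_com: int, n_rio: int) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if not 1 <= p.system_id <= 65_535:
        findings.append("System ID outside 1...65 535")
    elif p.system_id == DEFAULT_SYSTEM_ID:
        findings.append("System ID still at default 60 000: project cannot run")
    if not 20 <= p.safety_time_ms <= 22_500:
        findings.append("Safety Time outside 20...22 500 ms")
    if not 6 <= p.watchdog_time_ms <= 7_500:
        findings.append("Watchdog Time outside 6...7500 ms")
    if not 0 <= p.target_cycle_time_ms <= 7_500:
        findings.append("Target Cycle Time outside 0...7500 ms")
    elif p.target_cycle_time_ms > p.watchdog_time_ms - 6:
        findings.append("Target Cycle Time exceeds Watchdog Time minus 6 ms: rejected by the PES")
    if not 2 <= p.max_config_conn_ms <= 3_500:
        findings.append("Max. Duration of Configuration Connections outside 2...3500 ms")
    if p.max_sysbus_latency_us != 0 and not 100 <= p.max_sysbus_latency_us <= 50_000:
        findings.append("Maximum System Bus Latency must be 0 or 100...50 000 µs")
    needed = t_config_ms(cpu, n_com, n_rio, p.max_sysbus_latency_us)
    if p.max_config_conn_ms < needed:
        findings.append(f"Max. Duration of Configuration Connections {p.max_config_conn_ms} ms "
                        f"is below the calculated first setting {needed:.2f} ms")
    if p.max_config_conn_ms >= p.watchdog_time_ms:
        findings.append("no time left for cyclic processor tasks within the Watchdog Time")
    if p.allow_online_settings:
        findings.append("Allow Online Settings is ON; OFF is recommended for safe operation")
    return findings


if __name__ == "__main__":
    # Constructed sample: 3 modules with Ethernet interface, 2 remote I/Os
    params = ResourceParams(1001, 600, 200, 0, 12, 0, False)
    print(check_resource(params, "X-CPU 01", n_com=3, n_rio=2))
```

A check like this only covers the ranges the manual states; it does not replace verifying the loaded parameters from within the PES itself, as the warning in Chapter 10.3 requires.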

10.3.1.3 Notes on the Minimum Configuration Version Parameter:


In a new project, the latest Minimum Configuration Version is selected. Verify that this setting
is in accordance with the operating system version in use.
In a project converted from a previous SILworX version, the value for Minimum Configuration
Version remains the value set in the previous version. This ensures that the configuration
CRC does not change during code generation and that the generated configuration is
compatible with the operating systems of the modules.
For this reason, the value of Minimum Configuration Version should only be changed in
connection with other changes performed to the affected resource.
If features only available in higher configuration versions are used in the project, SILworX
automatically generates a higher configuration version than the preset Minimum
Configuration Version. This is indicated by SILworX at the end of the code generation. The
modules reject loading higher configuration versions that do not match their operating
system.
To remove such incompatibilities, it can be helpful to compare the information provided by
the version comparator with the overview of the module data.
If X-CPU 31 processor modules are used, Minimum Configuration Version must be set to
SILworX V6 or higher.

10.3.1.4 Rack System Variables


These variables are used to change the behavior of the controller while it is operating in specific
states.
Columns: Parameter, Function, Default setting, Setting for safe operation.

Force Deactivation
  Function: Used to prevent forcing and to stop it immediately
  Default setting: OFF
  Setting for safe operation: Application-specific

Spare 0...Spare 16
  Function: No function
  Default setting: -
  Setting for safe operation: -

Emergency Stop 1...Emergency Stop 4
  Function: Emergency stop switch to shut down the controller if faults are detected by the user program
  Default setting: OFF
  Setting for safe operation: Application-specific

Read-only in RUN
  Function: After starting the controller, no operating action such as stop, start or download is permitted in SILworX, except for forcing and reload.
  Default setting: OFF
  Setting for safe operation: Application-specific

Reload Deactivation
  Function: Prevents execution of reload
  Default setting: OFF
  Setting for safe operation: Application-specific

Table 13: System Variables of Racks

In the SILworX Hardware Editor, these system variables may be assigned global variables with
a value that is modified by a physical input or the user program logic.

10.3.1.5 Simple Example: Locking and Unlocking the PES


Locking the PES locks all functions and prevents users from accessing them during operation.
This also protects against unauthorized manipulations to the user program.
Unlocking the PES: Deactivates any locks previously set (e.g., to perform work on the
controller).
The three system variables Read-only in Run, Reload Deactivation and Force Deactivation may
be used to lock the PES, see Table 13.
If all three system variables are ON: no access to the controller is possible. In this case the
controller can only be put into STOP state by restarting all processor modules with the mode
switch in the Init position. Then loading a new user program is possible. The example describes
a simple case, in which a single key is used to block or permit all interventions on the PES.

To make a controller lockable


1. Define a global variable of type BOOL and set its initial value to FALSE.
2. Assign the global variable as output variables to the three system variables Read-
only in Run, Reload Deactivation, and Force Deactivation.
3. Assign the global variable to the channel value of a digital input.
4. Connect a key switch to the digital input.
5. Compile the program, load it on the controller, and start it.
► The owner of a corresponding key is able to lock and unlock the controller. If the
corresponding digital input module fails, the controller is unlocked.

The simple example can be modified using multiple global variables, digital inputs and key
switches so that the permissions for forcing, reload, stop, start and download can be distributed
on different keys and persons.

10.4 Forcing
Forcing is the procedure by which a variable's current value is replaced with a force value. The
variable receives its current value from a physical input, communication or a logic operation. If
the variable is forced, its value does no longer depend on the process, but is defined by the
user.

WARNING
Failure of safety-related operation possible due to forced values!
Forced values may lead to incorrect output values.
Forcing prolongs the cycle time. This can cause the watchdog time to be
exceeded.
Forcing is only permitted after receiving consent from the test authority responsible for
the factory acceptance test (FAT).

When forcing values, the person in charge must take further technical and organizational
measures to ensure that the process is sufficiently monitored in terms of safety. HIMA
recommends setting a time limit for the forcing procedure.
Refer to the system manual (HI 801 001 E) for further details on forcing.

10.4.1 Forcing of data sources


Changing the assignment of a forced global variable to one of the following data sources can
lead to unexpected results:
Physical inputs
Communication protocols
System variable

The following sequence of actions causes a variable to be unintentionally forced:


1. A global variable A is assigned to one of the forced data sources and therefore the variable
is forced. This indeed causes the data source to be forced!
2. The assignment is removed. The data source maintains the property Forced.
3. The data source is assigned another global variable (global variable B).
4. A reload is performed to load the project change into the PES.
The newly assigned variable B turns out to be forced, even if this was not intended!
Workaround: First stop forcing variable A.
Which channels have been forced is displayed in the channel view of the Force Editor.
Global variables having the user program as data source retain the forced setting whenever an
assignment is changed.

10.5 Safe Version Comparator


The safe SILworX version comparator is able to compare the following resource configuration
types with one another:
Resource configuration loaded into the controller
Resource configuration existing in the PADT
Exported (archived) resource configuration
The comparison result achieves SIL 3, since it is derived from loadable files and includes the
CRCs.

The safe version comparator must be used to verify the changes performed to the program prior
to loading it into the controller.

It exactly determines the changed parts of the resource configuration. This, in turn, facilitates
testing the changes and identifying the test data.
Structured programming and the use of significant names from the first configuration version on,
facilitate understanding of the comparison result.

11 User Program
This chapter describes the safety-related aspects that are important for the user programs.

11.1 General Sequence


General sequence for programming HIMax automation devices for safety-related applications:
1. Specify the controller functionality.
2. Write the user program.
3. Compile the user program:
the user program is error-free and can run.
4. Verify and validate the user program.

Upon completing these steps, the user program can be tested and the PES can begin the safe
operation.

11.2 Scope for Safety-Related Use


(For more on specifications, regulations and explanation of safety requirements, see Chapter
3.4, Safety Requirements)

The user program must be written using the SILworX programming tool. For further details on
the operating system released for personal computer, refer to the release documentation for the
SILworX version to be used.

The SILworX programming tool includes the following functions:


Input (Function Block Editor, Structured Text Editor), monitoring and documentation.
Global variables with symbolic names and data types (BOOL, UINT, etc.).
Assignment of HIMax controllers (Hardware Editor).
Compilation of user program into a format that can be loaded into the PES.
Communication configuration.

11.2.1 Programming Basics


The tasks to be performed by the controller should be defined in a specification or a
requirements specification. This documentation serves as the basis for checking its proper
implementation in the user program. The specification format depends on the tasks to be
performed. These include:
Combinational logic
- Cause/effect diagram.
- Logic of the connection with functions and function blocks.
- Function blocks with specified characteristics.
Sequential controllers (sequence control system).
- Written description of the steps and their enabling conditions and of the actuators to be
controlled.
- Flow charts.
- Matrix or table form of the step enabling conditions and the actuators to be controlled.
- Definition of constraints, e.g., operating modes, EMERGENCY STOP, etc.

The I/O concept of the system must include the analysis of the field circuits, i.e., the type of
sensors and actuators:
Sensors (digital or analog)
- Signals during normal operation (de-energize-to-trip principle with digital sensors, 'live-zero'
with analog sensors).
- Signals in the event of a fault:
- For more details on the safety-related redundancies required for safety (1oo2, 2oo3).
- Monitoring of discrepancy and reaction.
Actuators
- Positioning and activation during normal operation.
- Safe reaction/positioning at shutdown or after power loss.

Programming goals for user program.


Easy to understand.
Easy to trace and follow.
Easy to test.
Easy to modify.

11.2.2 Functions of the User Program


Programming is not subject to hardware restrictions. The user program functions can be freely
programmed.
When programming, account for the de-energize-to-trip principle for the physical inputs and
outputs. Only elements complying with IEC 61131-3 together with their functional requirements
are permitted within the logic.
The physical inputs and outputs usually operate in accordance with the de-energize-to-trip
principle, i.e., their safe state is 0.
The user program may be built of logic and/or arithmetic functions irrespective of the
de-energize-to-trip principle of the physical inputs and outputs.
The program logic should be clear and easy to understand and well documented to assist in
debugging. This includes the use of functional diagrams.
To simplify the logic, the inputs and outputs of all function blocks and variables can be
inverted in any given order.
The programmer must evaluate the fault signals from the inputs/outputs or from logic blocks.
HIMA recommends encapsulating functions to user-specific function blocks and functions based
on standard functions. This ensures that a user program can be clearly structured in modules
(functions, function blocks). Each module can be viewed and tested on an individual basis. By
grouping smaller modules into larger ones and then all together into a single user program, the
user is effectively creating a comprehensive, complex function.

11.2.3 System Parameters of the User Program


The following user program switches and parameters can be set in the Properties dialog box of
the user program:
Columns: Parameter, Function, Default value, Setting for safe operation.

Name
  Function: Name of the user program
  Default value: -
  Setting for safe operation: User-defined

Program ID
  Function: ID for identifying the program when displayed in SILworX, 0…4 294 967 295. If Code Generation Compatibility is set to SILworX V2, only the value 1 is permitted.
  Default value: 0
  Setting for safe operation: Application-specific

Priority
  Function: Priority of the user program: 0...31
  Default value: 0
  Setting for safe operation: Application-specific

Program's Maximum Number of CPU Cycles
  Function: Maximum number of CPU cycles that a user program cycle may encompass.
  Default value: 1
  Setting for safe operation: Application-specific

Max. Duration for Each Cycle [µs]
  Function: Maximum time in each processor module cycle for executing the user program: 1...4 294 967 295 µs. Set to 0: No limitation.
  Default value: 0 µs
  Setting for safe operation: Application-specific

Watchdog Time [ms] (calculated)
  Function: Monitoring time of the user program, calculated from the maximum number of cycles and the watchdog time of the resource. Not changeable!
  Default value: -
  Setting for safe operation: -

Classification
  Function: Classification of the user program: Safety-related or Standard (for documentation only).
  Default value: Safety-related
  Setting for safe operation: Application-specific

Allow Online Settings
  Function: It enables changes of other user program switches during operation. It only applies if the Allow Online Settings switch for the resource is set to ON!
  Default value: ON
  Setting for safe operation: -

Autostart
  Function: Enabled type of Autostart: Cold Start, Warm Start, Off.
  Default value: Cold Start
  Setting for safe operation: Application-specific

Start Allowed
  Function:
    ON: The PADT may be used to start the user program.
    OFF: The PADT may not be used to start the user program.
  Default value: ON
  Setting for safe operation: Application-specific

Test Mode Allowed
  Function:
    ON: The test mode is not permitted for the user program.
    OFF: The test mode is permitted for the user program.
  Default value: OFF
  Setting for safe operation: Application-specific 1)

Reload Allowed
  Function:
    ON: User program reload is permitted.
    OFF: User program reload is not permitted.
  Default value: ON
  Setting for safe operation: Application-specific

Local Forcing Allowed
  Function:
    ON: Forcing permitted at program level.
    OFF: Forcing not permitted at program level.
  Default value: OFF
  Setting for safe operation: OFF is recommended

Local Force Timeout Reaction
  Function: Behavior of the user program after the forcing time has expired: Stop Forcing Only, Stop Program.
  Default value: Stop Forcing Only
  Setting for safe operation: -

Code Generation Compatibility
  Function: Code generation is compatible with previous versions of SILworX.
    SILworX V7 and higher: Code generation is compatible with SILworX V7.
    SILworX V4 – V6b: Code generation is compatible with SILworX V4 up to SILworX V6b.
    SILworX V3: Code generation is compatible with SILworX V3.
    SILworX V2: Code generation is compatible with SILworX V2.
  Default value: SILworX V7 and higher for new projects
  Setting for safe operation: Application-specific

1) Once test operation is completed, the program's cold start is necessary prior to starting safety-related
operation!

Table 14: System Parameters of the User Program

Notes specific to the Code Generation Compatibility Parameter:


In a new project, SILworX selects the latest value for the Code Generation Compatibility
parameter. This ensures that the current, enhanced features are activated and the latest
module and operating system versions are supported. Verify that this setting is in
accordance with the hardware in use.
In a project converted from a previous SILworX version, the value for Code Generation
Compatibility remains the value set in the previous version. This ensures that the
configuration CRC does not change during code generation and that the generated
configuration is compatible with the operating systems of the modules.
For this reason, the value of Code Generation Compatibility should not be changed for
converted projects.
If a Minimum Configuration Version of SILworX V4 and higher is set for a resource (see
above), the Code Generation Compatibility parameter must be set to SILworX V4 in every
user program.

11.2.4 Code Generation


The code is generated after entering the complete user program and the I/O assignments of the
controller. During these steps, the configuration CRC, i.e., the checksum for the configuration
files, is created.
This is a signature for the entire configuration that is issued as a 32-bit, hexadecimal code. This
includes all of the configurable or modifiable elements such as the logic, variables or switch
parameter settings.
Before loading a user program for safety-related operation, the user program must be
first compiled twice. The two generated versions must have the same CRC.
SILworX automatically compiles the resource configuration twice and compares the checksums
if the CRC Comparison option is activated for code generation. This option is preset.
The result of the CRC comparison is displayed in the logbook.
By compiling the user program twice and comparing the checksums of the generated code, the
user can detect potential corruptions of the user program resulting from sporadic faults in the
hardware or operating system of the PC in use.
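The double compilation with CRC comparison described above, as an added illustration in Python. It is not the SILworX code generator: generate_code is a stand-in that serialises a constructed configuration deterministically, and the signature is a 32-bit CRC from zlib.crc32, chosen only because the manual describes the configuration CRC as a 32-bit hexadecimal value. The faulty generator injects a single-bit corruption on the second run to show what the comparison catches.

```python
import json
import zlib
from typing import Callable, Dict, Tuple

Config = Dict[str, object]


def generate_code(config: Config) -> bytes:
    """Deterministic stand-in for code generation: canonical serialisation."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def configuration_crc(code: bytes) -> str:
    """32-bit CRC of the generated code, formatted as 8 hexadecimal digits."""
    return f"{zlib.crc32(code) & 0xFFFFFFFF:08X}"


def compile_with_crc_comparison(
    config: Config, generator: Callable[[Config], bytes] = generate_code
) -> Tuple[bool, str, str]:
    """Run the generator twice and compare the two CRCs.

    Returns (match, crc_first, crc_second). A mismatch means the two runs did
    not produce identical code, so the result must not be loaded into the PES.
    """
    crc1 = configuration_crc(generator(config))
    crc2 = configuration_crc(generator(config))
    return crc1 == crc2, crc1, crc2


# Constructed sample configuration, not a real HIMax project
SAMPLE_CONFIG: Config = {
    "resource": {"system_id": 1001, "watchdog_time_ms": 200, "safety_time_ms": 600},
    "programs": [{"name": "Main", "priority": 0, "logic": "OUT := IN1 AND NOT IN2;"}],
}


def make_faulty_generator(flip_on_run: int = 2) -> Callable[[Config], bytes]:
    """Generator that flips one bit on the given run, simulating a sporadic PC fault."""
    state = {"run": 0}

    def generator(config: Config) -> bytes:
        state["run"] += 1
        code = bytearray(generate_code(config))
        if state["run"] == flip_on_run:
            code[0] ^= 0x01  # single-bit corruption in the generated code
        return bytes(code)

    return generator


if __name__ == "__main__":
    print("sound generator:", compile_with_crc_comparison(SAMPLE_CONFIG))
    print("faulty generator:", compile_with_crc_comparison(SAMPLE_CONFIG, make_faulty_generator()))
```

The comparison only detects faults that affect one of the two runs differently; a deterministic defect in the generator itself produces the same CRC twice, which is why the functional tests of Chapter 10.2.2 are still required.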

11.2.5 Loading and Starting the User Program


The configuration can only be loaded into the PES of the HIMax system by performing a
download, if it has been set to the STOP state beforehand.
A load process includes all user programs of the resource configuration. The system monitors
that the resource configuration is loaded completely. Afterwards, the user programs can be
started, i.e., the routine begins to be processed in cycles.

The PADT is only able to operate the resource, e.g., by performing a reload and forcing, if the
project loaded in the resource is opened in SILworX. Without the project in SILworX, only a
STOP of the resource is possible!
HIMA recommends performing a project data backup, e.g., on an external data storage
medium, after the user programs are loaded into the controller, even in case of reload.
This is done to ensure that the project data corresponding to the configuration loaded into the
controller remains available even if the PADT fails.
HIMA recommends performing a data backup on a regular basis also independently from the
program load.

11.2.6 Reload
If user programs were modified, the changes can be transferred to the PES during operation.
After being tested by the operating system, the modified user program is activated and assumes
the control task.

Observe the following points when reloading step sequences:

The reload information for step sequences does not take the current sequence status into
account. A reload can therefore change the step sequence and set it to an undefined state.
The user is responsible for this action.
Examples:
- Deleting the active step. As a result, no sequence step has the active state.
- Renaming the initial step while another step is active. As a result, the sequence has two
  active steps!

Observe the following points when reloading actions:

During the reload, actions are loaded with their corresponding data. All potential consequences
must be carefully analyzed prior to performing a reload.
Examples:
- If a timer action qualifier is deleted by the reload, the timer expires immediately.
  Depending on the remaining settings, the Q outputs can therefore be set to TRUE.
- If the stored action qualifier (e.g., the S action qualifier) is deleted for a set element, the
  element remains set.
- Deleting a P0 action qualifier set to TRUE actuates the trigger function.

Prior to performing a reload, the operating system checks if the required additional tasks would
increase the cycle time of the current user programs to such an extent that the defined
watchdog time is exceeded. In this case, the reload process is aborted with an error message
and the controller continues operation with the previous resource configuration.

The controller can abort a reload.

A successful reload is ensured by planning a sufficient reserve for the reload when determining
the watchdog time, or by temporarily increasing the controller watchdog time by a reserve.
Any temporary increase in the watchdog time must be agreed upon with the competent test
authority.
Exceeding the target cycle time can also cause a reload to be aborted.

The reload can only be performed if the Reload Allowed system parameter is set to ON and the
Reload Deactivation system variable is set to OFF.

The user is responsible for ensuring that the watchdog time includes a sufficient reserve time.
This reserve should allow the user to manage the following situations:
- Variations in the user program's cycle time.
- Sudden, strong cycle loads, e.g., due to communication.
- Expiration of time limits during communication.

For more details on the watchdog time, refer to Chapter 3.2.2.

11.2.7 Online Test


Online test fields (OLT fields) can be used in the user program logic to display variables while
the controller is operating.
For more information on how to use OLT fields, use OLT field as keyword in the SILworX online
help and refer to the SILworX first steps manual (HI 801 103 E).

11.2.8 Test Mode


To diagnose faults, a user program operating in test mode can be run in single steps, i.e.,
cycle by cycle. Each cycle is triggered by a command from the PADT. In the period between
two cycles, the global variables written by the user program remain frozen. Consequently, the
assigned physical outputs and communication data no longer respond to changes in the
process!
This function can only be used if the Test Mode Allowed system parameter is set to ON in the
corresponding user program.
State Description
OFF Test mode is not possible (default setting).
ON Test mode is possible.
Table 15: User Program Switch Test Mode Allowed

NOTE
Failure of safety-related operation possible!
If the user program is frozen in test mode, it cannot provide a safety-related response to
inputs and thus control the outputs! The values of the outputs cannot change in test
mode.
For this reason, test mode is not allowed during safety-related operation!
For safety-related operation, the Test Mode Allowed parameter must be set to OFF!

11.2.9 Changing the System Parameters during Operation


The system parameters specified in Table 16 may be changed during operation (online).
A typical application case is the temporary increase of the watchdog time to be able to perform
a reload.

Prior to using an online command to set parameters, make sure that this change will not result
in a dangerous state of the plant. If required, organizational and/or technical measures must be
taken to preclude any damage. The application standards must be observed!
The safety time and watchdog time values must be checked and compared to the safety time
required by the application and to the actual cycle time. These values cannot be verified by the
PES!
The controller ensures that the watchdog time is not set to a value less than the watchdog time
value of the configuration loaded in the PES.

Parameter                          Changeable in this PES state
System ID                          STOP
Watchdog Time (for the resource)   RUN, STOP_VALID_CONFIGURATION
Safety Time                        RUN, STOP_VALID_CONFIGURATION
Target Cycle Time                  RUN, STOP_VALID_CONFIGURATION
Target Cycle Time Mode             RUN, STOP_VALID_CONFIGURATION
Allow Online Settings              ON -> OFF: All; OFF -> ON: STOP
Autostart                          All
Start Allowed                      All
Load Allowed                       All
Reload Allowed                     All
Global Forcing Allowed             All
Global Force Timeout Reaction      All
Table 16: Online Changeable Parameters

System parameters may also be changed during operation by performing a reload.

11.2.10 Project Documentation for Safety-Related Applications


SILworX allows the user to automatically print the documentation for a project. The most
important document types include:
Interface declaration
Signal list
Logic
Description of data types
Configurations for system, modules and system parameters
Network configuration
List of signal cross-references

This documentation is required for the factory acceptance test (FAT) of a system subject to
approval by a test authority (e.g., TÜV).

11.2.11 Multitasking
Multitasking refers to the capability of the HIMax system to process up to 32 user programs
within the processor module.
The individual user programs can be started and stopped independently of one another.

A user program cycle can take multiple processor module cycles. This can be controlled with
the resource and user program parameters. SILworX uses these parameters to calculate the
user program watchdog time:
Watchdog time (user program) = watchdog time (processor module) * maximum number of cycles

Operation of the individual user programs is usually interference-free and independent of one
another. However, reciprocal influence can be caused by:
Use of the same global variables in several user programs.
Unpredictably long runtimes can occur in individual user programs if no limit is configured
with Max Duration for Each Cycle.
The distribution of user program cycle over processor module cycles strongly affects the
user program response time and the response time of the variables written by the user
program!

A user program evaluates global variables written by another user program after at least one
processor module cycle. Depending on the value set in the programs for Program's
Maximum Number of CPU Cycles, the reading process may be prolonged by many
processor module cycles. The reaction to changes made to such global variables is thus
delayed!
Refer to the system manual (HI 801 001 E) for details on multitasking.

11.2.12 Factory Acceptance Test and Test Authority


HIMA recommends involving the test authority as soon as possible when designing a system
that is subject to approval.
The factory acceptance test (FAT) only applies to the user functionality, but not to the safety-
related modules and automation devices of the HIMax system that have already been approved.

11.3 Checklist for Creating a User Program


To comply with all safety-related aspects during the programming phase, HIMA recommends
using the following checklist prior to and after loading a new or modified program. The checklist
can be used for helping with planning as well as to demonstrate later on that the planning phase
was carefully completed.
The checklist is available in Microsoft® Word® format on the HIMA website.

12 Communication Configuration
In addition to using the physical input and output variables, variable values can also be
exchanged with other systems through a data connection. In this case, the variables are declared
with SILworX in the Protocols area of the corresponding resource.

12.1 Standard Protocols


Many communication protocols only ensure a non-safety-related data transmission. These
protocols can be used for the non-safety-related aspects of an automation task.

WARNING
Physical injury possible due to usage of unsafe import data!
Do not use data imported from unsafe sources for the user program's safety functions.

The following standard protocols are available:


On the Ethernet interfaces on the communication module:
- Modbus TCP (master/slave)
- Modbus, redundant (slave)
- SNTP
- Send/Receive TCP
- PROFINET IO (controller, device)
On the fieldbus interfaces (RS485) of the communication module according to the device
model:
- Modbus (master/slave)
- Modbus, redundant (slave)
- PROFIBUS DP (master/slave)

12.2 Safety-Related Protocol: safeethernet


Safety-related communication via safeethernet is certified up to SIL 3.
Use the safeethernet Editor to configure how safety-related communication is monitored.
Refer to the communication manual (HI 801 101 E) for further details on safeethernet.

NOTICE
Unintentional transition to the safe state possible!
Receive Timeout is a safety-related parameter!

Receive Timeout is the monitoring time of PES 1 within which a correct response from PES 2
must be received.

Receive Timeout also applies in the other direction, from PES 2 to PES 1!

If a correct response is not received from the communication partner within Receive Timeout,
HIMax terminates the safety-related communication. The input variables of this safeethernet
connection react in accordance with the setting in Freeze Data on Lost Connection [ms].
Use Initial Data is the only setting permitted for safety-related functions implemented via
safeethernet.

In the following equations for determining the worst case reaction time, the target cycle time can
be used instead of the watchdog time if it is guaranteed that the processor module maintains the
target cycle time, even during reload and synchronization.
In this case, the following requirements apply to the Fixed-tolerant or Dynamic-tolerant settings
of Target Cycle Time Mode:
1. Watchdog Time ≤ 1.5 * Target Cycle Time
2. Receive Timeout ≤ 5 * Target Cycle Time + 4 * Latency
   (Latency refers to the delay on the transmission path.)
3. For reload, there is either just one user program, or several user programs whose cycle
   is limited to a single processor module cycle.

12.3 Worst Case Reaction Time for safeethernet


In the following examples, the formulas for calculating the worst case reaction time only apply
for a connection with HIMatrix controllers if their programming does not include noise blanking.
These formulas always apply to HIMax controllers.

The allowed worst case reaction time depends on the process and must be agreed upon
together with the competent test authority.

Terms
Receive Timeout: Monitoring time of PES 1 within which a correct response from PES 2 must be
received. Otherwise, safety-related communication is terminated after the time has expired.
Production Rate: Minimum interval between two data transmissions.
Watchdog Time: Maximum duration permitted for a controller's RUN cycle. The duration of the
RUN cycle depends on the complexity of the user program and the number of safeethernet
connections. The watchdog time (WDT) must be entered in the resource properties.
Worst Case Reaction Time: The time between a change in a physical input signal (in) of PES 1
and a reaction on the corresponding output (out) of PES 2.
Delay: Delay on a transmission path, e.g., with a modem or satellite connection. For direct
connections, one can assume an initial delay of 2 ms. The responsible network administrator
can measure the actual delay on a transmission path.
The following conditions apply to the calculations of the maximum reaction times specified
below:
The signals transmitted over safeethernet must be processed in the corresponding
controllers within one CPU cycle.
The reaction time of the sensors and actuators must be added.

The calculations also apply to signals in the opposite direction.

12.3.1 Calculating the Worst Case Reaction Time of 2 HIMax controllers


The worst case reaction time TR is the time between a change on the sensor input signal (in) of
controller 1 and a reaction on the corresponding output (out) of controller 2. It is calculated as
follows:

Figure 4: Reaction Time with Interconnection of 2 HIMax Controllers (schematic not
reproduced: input at HIMax controller 1, safety-related protocol, output at HIMax controller 2)

TR = t1 + t2 + t3
TR Worst Case Reaction Time
t1 Safety time of HIMax controller 1
t2 Receive Timeout
t3 Safety time of HIMax controller 2

12.3.2 Calculating the Worst Case Reaction Time with 1 HIMatrix Controller
The worst case reaction time TR is the time between a change on the sensor input signal (in) of
HIMax controller and a reaction on the corresponding output (out) of HIMatrix controller. It is
calculated as follows:

Figure 5: Response Time when 1 HIMax and 1 HIMatrix Controller are Interconnected
(schematic not reproduced: input at the HIMax controller, safety-related protocol, output at the
HIMatrix controller)

TR = t1 + t2 + t3
TR Worst Case Reaction Time
t1 Safety time of HIMax controller
t2 Receive Timeout
t3 2 * Watchdog time of the HIMatrix controller

12.3.3 Calculating the Worst Case Reaction Time with 2 HIMatrix Controllers or
Remote I/Os
The worst case reaction time TR is the time between a change on the sensor input signal (in) of
the first HIMatrix controller or remote I/O (e.g., F3 DIO 20/8 01) and a reaction on the
corresponding output (out) of the second HIMatrix controller or remote I/O (out). It is calculated
as follows:

Figure 6: Response Time with 2 HIMatrix Controllers or Remote I/Os and 1 HIMax Controller
(schematic not reproduced: input at remote I/O 1, HIMax controller in between, output at
remote I/O 2)

TR = t1 + t2 + t3 + t4 + t5
TR Worst Case Reaction Time
t1 2 * watchdog time of the HIMatrix controller or the remote I/O 1
t2 Receive Timeout1
t3 2 * watchdog time of the HIMax controller.
t4 Receive Timeout2
t5 2 * watchdog time of the HIMatrix controller or the remote I/O 2

Remote I/O 1 and remote I/O 2 can also be identical. The time values still apply if a HIMatrix
i controller is used instead of a remote I/O.

12.3.4 Calculating the Worst Case Reaction Time with 2 HIMax and 1 HIMatrix
Controller
The worst case reaction time TR is the time between a change on the sensor input signal (in) of
the first HIMax controller and a reaction on the corresponding output (out) of the second HIMax
controller. It is calculated as follows:

Figure 7: Response Time with 2 HIMax Controllers and 1 HIMatrix Controller (schematic not
reproduced: input at HIMax controller 1, HIMatrix controller in between, output at HIMax
controller 2)

TR = t1 + t2 + t3 + t4 + t5
TR Worst Case Reaction Time
t1 Safety time of HIMax controller 1
t2 Receive Timeout1
t3 2 * watchdog time of the HIMatrix controller
t4 Receive Timeout2
t5 Safety time of HIMax controller 2

HIMax controller 1 and HIMax controller 2 can also be identical.

The HIMatrix controller can also be a HIMax controller.
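The four worst case reaction time equations of Chapter 12.3 and the target cycle time conditions of Chapter 12.2, as an added Python example that is not part of the HIMA manual. All parameter values are constructed sample values in milliseconds; the 2 ms default latency is the direct-connection assumption stated under Terms, and the sensor and actuator reaction times that the formulas exclude are added in a separate step:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SafeEthernetLink:
    """One safeethernet connection. All times in milliseconds."""
    receive_timeout: float
    latency: float = 2.0  # assumed initial delay for a direct connection


def target_cycle_time_conditions(watchdog_time: float, target_cycle_time: float,
                                 link: SafeEthernetLink,
                                 all_user_programs_single_cpu_cycle: bool) -> list[str]:
    """Return the violated requirements for substituting the target cycle time for the
    watchdog time (Fixed-tolerant or Dynamic-tolerant Target Cycle Time Mode).
    An empty list means the substitution is permissible."""
    violations = []
    if watchdog_time > 1.5 * target_cycle_time:
        violations.append("Watchdog Time > 1.5 * Target Cycle Time")
    if link.receive_timeout > 5 * target_cycle_time + 4 * link.latency:
        violations.append("Receive Timeout > 5 * Target Cycle Time + 4 * Latency")
    if not all_user_programs_single_cpu_cycle:
        violations.append("reload: more than one user program not limited to one processor module cycle")
    return violations


def tr_two_himax(safety_time_1: float, receive_timeout: float, safety_time_2: float) -> float:
    """12.3.1: TR = t1 + t2 + t3 (safety times of both HIMax controllers plus Receive Timeout)."""
    return safety_time_1 + receive_timeout + safety_time_2


def tr_himax_to_himatrix(safety_time_himax: float, receive_timeout: float,
                         wdt_himatrix: float) -> float:
    """12.3.2: TR = t1 + t2 + 2 * WDT of the HIMatrix controller."""
    return safety_time_himax + receive_timeout + 2 * wdt_himatrix


def tr_two_himatrix_via_himax(wdt_rio_1: float, receive_timeout_1: float, wdt_himax: float,
                              receive_timeout_2: float, wdt_rio_2: float) -> float:
    """12.3.3: two HIMatrix controllers or remote I/Os communicating through one HIMax."""
    return (2 * wdt_rio_1 + receive_timeout_1 + 2 * wdt_himax
            + receive_timeout_2 + 2 * wdt_rio_2)


def tr_two_himax_via_himatrix(safety_time_1: float, receive_timeout_1: float,
                              wdt_himatrix: float, receive_timeout_2: float,
                              safety_time_2: float) -> float:
    """12.3.4: two HIMax controllers communicating through one HIMatrix controller."""
    return (safety_time_1 + receive_timeout_1 + 2 * wdt_himatrix
            + receive_timeout_2 + safety_time_2)


def total_loop_time(tr: float, sensor_reaction: float, actuator_reaction: float) -> float:
    """The formulas exclude the field devices; add their reaction times before comparing
    against the process requirement agreed with the test authority."""
    return tr + sensor_reaction + actuator_reaction


def meets_allowed_reaction_time(total: float, allowed: float) -> bool:
    return total <= allowed


if __name__ == "__main__":
    # Constructed sample values (ms): safety time 200, Receive Timeout 300, HIMatrix WDT 50.
    link = SafeEthernetLink(receive_timeout=300)
    tr = tr_two_himax(200, link.receive_timeout, 200)
    total = total_loop_time(tr, sensor_reaction=20, actuator_reaction=30)
    print(f"2 x HIMax: TR={tr} ms, with field devices {total} ms, "
          f"OK for 1000 ms limit: {meets_allowed_reaction_time(total, 1000)}")
    print("HIMax -> HIMatrix:", tr_himax_to_himatrix(200, 300, 50))
    print("violations for WDT=160, TCT=100, RT=520:",
          target_cycle_time_conditions(160, 100, SafeEthernetLink(520), True))
```

Each function returns the bare value so that the result can be recorded alongside the parameter set that was agreed with the test authority; a change to any of the inputs (for instance a temporary watchdog increase for a reload) should be re-run through the same calculation.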

12.4 Safety-Related Protocol: PROFIsafe


The requirements for using the PROFIsafe protocols are specified in the communication manual
(HI 801 101 E). These requirements must be met.
The equations for determining the worst case reaction time are also specified in the
communication manual.

13 Use in Fire Alarm Systems


The HIMax systems may be used in fire alarm systems in accordance with DIN EN 54-2 and
NFPA 72, if line monitoring is configured for the inputs and outputs.
In this case, the user program must fulfill the requirements specified for fire alarm systems in
accordance with the standards previously mentioned.
The maximum cycle time of 10 seconds required by DIN EN 54-2 for fire alarm systems and the
safety time of 1 second (fault reaction time) required in certain cases, can be easily met since
the cycle times for these systems reside in the millisecond range.
According to EN 54-2, the fire alarm system must enter the fault report state within 100 seconds
after the HIMax system has received the fault message.
The connection of fire alarms is performed in accordance with the energize-to-trip principle
using the line short-circuit and open-circuit function. To this end, the following inputs and
outputs may be used:
digital and analog inputs of input modules supporting line monitoring
digital and analog outputs of output modules supporting line monitoring

Figure 8: Wiring of Fire Alarms (schematic not reproduced). Legend: M = fire alarm connected
between sensor supply, analog input and ground via the detection loop; REOL = terminating
resistor on the last loop; RL = limit for the maximum loop current; RShunt = shunt (see the
module-specific manual).

For the application, the REOL, RL and RShunt resistors must be calculated as dictated by the
sensors in use and the number of sensors per detection loop. Refer to the data sheet from the
sensor manufacturer for the necessary data.
The alarm outputs for controlling lamps, sirens, horns etc. are operated in accordance with the
energize-to-trip principle. These outputs must be monitored for short-circuits and open-circuits.
Additionally, line monitoring for the output modules must be configured and processed in the
user program.
A suitable user program can be used to control visual display systems, indicator light panels,
LED indicators, alphanumeric displays, audible alarms, etc.
The routing of fault signal messages via input and output channels or to transmission equipment
for fault signaling must occur in accordance with the de-energize-to-trip principle.
Fire alarms can be transmitted from one HIMax system to a different system using the existing
Ethernet communication standard (OPC). Any communication loss must be reported.

HIMax systems that are used as fire alarm systems must have a redundant power supply.
Precautionary measures must also be taken against power supply drops, e.g., the use of a
battery-powered horn. Uninterrupted operation must be ensured while switching from the main
power supply to the backup power supply. Voltage drops for a duration of up to 10 ms are
permitted.
If a system failure occurs, the operating system writes to the system variables defined in the
user program. This allows the user to program fault signaling for faults detected by the system.
If a fault occurs, the HIMax system switches off the safety-related inputs and outputs with the
following effects:
The low level is processed in all channels of the faulty inputs.
All channels of the faulty outputs are switched off.
14 Use as Safety, Controlling and Regulating Device with Gas Detector
The HIMax modules are suitable for the intended use in industrial applications operating in
hazardous areas up to Zone 2 (gas, vapor, mist). As components of the certified HIMax safety
system, the HIMax X-AI 32 01 and X-AI 32 02 modules have been tested for use as safety,
controlling and regulating devices with gas detector. An EC Type Test Certificate based on the
ATEX Directive has been issued and is available.
The application must be created and tested in accordance with the requirements of the relevant
Ex-standards.
IEC / EN 60079-0
IEC / EN 60079-29-1
Tested and certified measuring gas sensors are connected to the HIMax modules. Observe the
specifications provided by the manufacturer.
When used in Zone 2, the sensor is directly connected to the HIMax module, see Figure 9:

Figure 9: Use in Ex-Zone 2 (schematic not reproduced): a 4…20 mA sensor connected directly
to an analog input of the X-AI 32 01 or X-AI 32 02 module.

Figure 10 depicts the use in Zone 1. The HIMax module is located in Zone 2 and is connected
to the sensors in Zone 1 via a suitable isolation amplifier.

Figure 10: Use in Ex-Zone 1 (schematic not reproduced): a 4…20 mA sensor in Zone 1
connected through an isolation amplifier (e.g., H 6200A) to an analog input of the X-AI 32 01
or X-AI 32 02 module located in Zone 2.

SILworX can be used to create the user program. When setting the threshold parameters,
observe the specifications provided by the sensor manufacturer and relevant standards.
The safety function of the HIMax PES with connected sensors is to monitor the corresponding
flammable gases. The safety-related controlling, regulating and warning function must be
programmed in the application. The application must be subject to extensive testing prior to
starting safety-related operation.

Appendix

Glossary
Term Description
ARP Address resolution protocol: Network protocol for assigning the network addresses to
hardware addresses
AI Analog input
AO Analog output
Connector board Connector board for the HIMax module
COM Communication module
CRC Cyclic redundancy check
DI Digital input
DO Digital output
EMC Electromagnetic compatibility
EN European norm
ESD Electrostatic discharge
FB Fieldbus
FBD Function block diagrams
ICMP Internet control message protocol: Network protocol for status or error messages
IEC International electrotechnical commission
MAC Address Media access control address: Hardware address of one network connection
PADT Programming and debugging tool (in accordance with IEC 61131-3): PC with SILworX
PE Protective earth
PELV Protective extra low voltage
PES Programmable electronic system
R Read
Rack ID Base plate identification (number)
Interference-free Inputs are designed for interference-free operation and can be used in circuits with
safety functions.
R/W Read/Write
SB System bus (module)
SELV Safety extra low voltage
SFF Safe failure fraction, portion of faults that can be safely controlled
SIL Safety integrity level (in accordance with IEC 61508)
SILworX Programming tool for HIMax
SNTP Simple network time protocol (RFC 1769)
SRS System.Rack.Slot addressing of a module
SW Software
TMO Timeout
W Write
rP Peak value of a total AC component
Watchdog (WD) Time monitoring for modules or programs. If the watchdog time is exceeded, the
module or program enters the error stop state.
WDT Watchdog time

Index of Figures
Figure 1: Recommended Configuration: All Processor Modules in Rack 0 27
Figure 2: Recommended Configuration: X-CPU 01 Processor Modules in Rack 0 and Rack 1 27
Figure 3: Configuration with X-CPU 31 Processor Modules in Rack 0, Slots 1 and 2 28
Figure 4: Reaction Time with Interconnection of 2 HIMax Controllers 57
Figure 5: Response Time when 1 HIMax and 1 HIMatrix Controllers are Interconnected 57
Figure 6: Response Time with 2 HIMatrix Controllers or Remote I/Os and 1 HIMax Controller 58
Figure 7: Response Time with 2 HIMax Controllers and 1 HIMatrix Controller 58
Figure 8: Wiring of Fire Alarms 60
Figure 9: Use in Ex-Zone 2 62
Figure 10: Use in Ex-Zone 1 62

Index of Tables
Table 1: Overview of the System Documentation 11
Table 2: Standards for EMC, Climatic and Environmental Requirements 21
Table 3: General Requirements 21
Table 4: Climatic Conditions 22
Table 5: Mechanical Tests 22
Table 6: Interference Immunity Tests 23
Table 7: Noise Emission Tests 23
Table 8: Verification of the DC Supply Characteristics 23
Table 9: Overview of the Input Modules 30
Table 10: Overview of the Output Modules 34
Table 11: Resource System Parameters 43
Table 12: Effect of Target Cycle Time Mode 43
Table 13: System Variables of Racks 45
Table 14: System Parameters of the User Program 50
Table 15: User Program Switch Test Mode Allowed 52
Table 16: Online Changeable Parameters 53

Index
CRC 50
De-energize-to-trip principle 10
Energize-to-trip principle 10
ESD protection 11
Fault reactions: inputs 31; outputs 34
Fire alarm 60
Functional test of the controller 39
Hardware Editor 45
LED Ess 24
Multitasking 53
Online test field 52
Output noise blanking 35, 36
Process safety time 14
Proof test 16
Rack ID 26
Redundancy 13
Response time 16
Responsible 26
Safety concept 39
Safety function 38
Safety time 16
Self-test 12
Test conditions: climatic 22; EMC 23; mechanical 22; supply voltage 23
To make a controller lockable 45
Version list 39
Watchdog time: determination 15; resource 14; user program 15
Zone 1 62
Zone 2 62
HI 801 003 E
© 2015 HIMA Paul Hildebrandt GmbH
HIMax and SILworX are registered trademarks of:
HIMA Paul Hildebrandt GmbH

Albert-Bassermann-Str. 28
68782 Brühl, Germany
Phone: +49 6202 709-0
Fax: +49 6202 709-107
[email protected]
www.hima.com
