HI 800 013 E H41q/H51q Safety Manual


H41q/H51q

Safety-Related Controller

H41q/H51q Safety Manual

HIMA Paul Hildebrandt GmbH + Co KG


Industrial Automation

Rev. 1.00 HI 800 013 E


Important Note

All HIMA products mentioned in this manual are protected by the HIMA trademark. Unless noted
otherwise, this also applies to other manufacturers and their respective products referred to
herein.

Equipment subject to change without notice.

All of the instructions and technical specifications in this manual have been written with great
care and effective quality assurance measures have been implemented to ensure their validity.
However, we cannot fully preclude flaws or typesetting errors in this manual.
For this reason, HIMA offers no warranties and assumes no legal responsibilities or liabilities
for the potential consequences of any errors in this manual. HIMA appreciates any information
concerning possible errors.

Contact
HIMA Address:
© HIMA Paul Hildebrandt GmbH + Co KG
P.O. Box 1261
68777 Brühl
Telephone +49 06202 709-0
Fax +49 06202 709-107
E-mail [email protected]
Internet http://www.hima.com

Revision index   Revisions                               Type of change
                                                         technical   editorial
1.00             New document layout, general revision   X           X

HI 800 013 E Rev. 1.00 (1050)


H41q/H51q Safety Manual Table of Contents

Table of Contents

1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.1 Validity and Current Version. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2 Formatting Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2.1 Safety Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2.2 Operating Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.3 Target Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2 Intended Use. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1 Application Area. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.1 Application in Accordance with the 'De-Energize to Trip Principle'. . . . . . . . . . . 9
2.1.2 Application in Accordance with the Energize to Trip Principle. . . . . . . . . . . . . . 9
2.1.3 Explosion Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.4 Use in Fire Alarm Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 Non-Intended Use. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3 Operating Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3.1 Environmental Requirements and Specifications. . . . . . . . . . . . . . . . . . . . . . . 10
2.3.2 Climatic Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3.3 Mechanical Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3.4 EMC Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3.5 Power Supply. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3.6 ESD Protective Measures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.4 Personnel Qualifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.5 Requirements to be met by the operator and the machine and system manufacturers. . . . . . . . 12
3 Safety Philosophy and Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.1 Certification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.2 Safety and Availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.2.1 Safety. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.2.2 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.3 Safety Times. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.4 Proof Test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.4.1 Proof Test Execution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.4.2 Frequency of Proof Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.5 Safety Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.5.1 Hardware Project Planning: Product-Independent Requirements. . . . . . . . . . 19
3.5.2 Hardware Project Planning: Product-Dependent Requirements. . . . . . . . . . . . 19
3.5.3 Programming: Product-Independent Requirements. . . . . . . . . . . . . . . . . . . . . 19
3.5.4 Programming: Product-Dependent Requirements. . . . . . . . . . . . . . . . . . . . . . 19
3.5.5 Communication: Product-Dependent Requirements. . . . . . . . . . . . . . . . . . . . . 20
3.5.6 Special Modes of Operation: Product-Independent Requirements. . . . . . . . . . 20
4 Central Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.1 Central Modules and Kits for the H41q and H41qc Systems. . . . . . . . . . . . . . 21
4.2 Central Modules and Kits for the H51q System. . . . . . . . . . . . . . . . . . . . . . . . 21
4.3 Additional Central Modules for the H41q, H41qc and H51q Systems. . . . . . . . 22
4.4 General Notes on the Safety and Availability of Safety-Related Central Modules. . . . . . . . . 23
4.4.1 Power Supply Units. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.4.2 Functional Description of the Safety-Related F 8652 X / F 8650 X Central Modules. . . . . . . 23
4.5 Principles of Function of Safety-Related Central Modules. . . . . . . . . . . . . . . . 24
4.5.1 Self-Test Routines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.5.2 Response to Faults Detected in Central Modules. . . . . . . . . . . . . . . . . . . . . . . 25
4.5.3 Diagnostic Indicators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25


4.6 Response to Faults Detected in the I/O Bus Area. . . . . . . . . . . . . . . . . . . . . . . 25


4.7 Note for Replacing Central Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
5 Input Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.1 Overview of All Input Modules
for the H41q, H41qc and H51q Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.2 Safety and Availability of Safety-Related Input Modules. . . . . . . . . . . . . . . . . . 27
5.2.1 Safety of Sensors, Detectors and Transmitters. . . . . . . . . . . . . . . . . . . . . . . . . 28
5.3 Safety-Related Digital Input Modules
F 3236, F 3237, F 3238, F 3240 and F 3248. . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.3.1 Test Routines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.3.2 Reaction to Faults Detected in Safety-Related Digital Input Modules. . . . . . . . 29
5.4 Safety-Related F 5220 Counter Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.4.1 Test Routines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.5 Safety-Related Analog Input Modules
F 6213, F 6214 and F 6217. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.5.1 Test Routines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.5.2 Reactions to Faults Detected in the Safety-Related
Analog F 6213, F 6214 Input Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.5.3 Reactions to Faults Detected in the Safety-Related
Analog F 6217 Input Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
5.6 Safety-Related Analog Intrinsically Safe F 6220 Thermocouple Input Module. 31
5.6.1 Test Routines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
5.6.2 Reactions to Faults Detected in the Safety-Related
F 6220 Thermocouple Input Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
5.6.3 Configuration Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
5.7 Safety-Related Analog Intrinsically Safe F 6221 Input Module. . . . . . . . . . . . . 32
5.7.1 Test Routines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
5.7.2 Reactions to Faults Detected in the Safety-Related
Analog F 6221 Input Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.7.3 Additional Configuration Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.8 Note for Replacing Input Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
6 Output Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
6.1 Overview of All Output Modules for the H41q, H41qc and H51q Systems. . . . 35
6.2 General Notes on the Safety and Availability of Safety-Related Output Modules. . . . . . . . . . 35
6.2.1 Safety-Related Digital Output Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
6.2.2 Safety-Related Analog Output Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
6.3 Principles of Function of Safety-Related Output Modules. . . . . . . . . . . . . . . . . 37
6.4 Safety-Related Digital Output Module
F3330, F3331, F3333, F3334, F3335, F3348, F3349. . . . . . . . . . . . . . . . . . . . 37
6.4.1 Test Routines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
6.4.2 Reaction to Faults Detected in Safety-Related
Digital Output Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
6.5 Safety-Related Digital F 3430 Relay Module. . . . . . . . . . . . . . . . . . . . . . . . . . . 38
6.5.1 Test Routines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
6.5.2 Reaction to Faults Detected in Safety-Related Digital Relay Modules. . . . . . . 38
6.5.3 Notes for Project Planning with F 3430. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
6.6 Safety-Related Analog F 6705 Output Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
6.6.1 Test Routines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
6.6.2 Reactions to faults detected in the safety-related analog output module. . . . . 38


6.7 Note for Replacing Output Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39


6.8 Checklists for Engineering, Programming and Starting up Safety-Related Output
Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
7 Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
7.1 Safety-Related Aspects of the Operating System. . . . . . . . . . . . . . . . . . . . . . . 41
7.1.1 Identifying the Current Version Released for Safety-Related Applications (CRC
Signature). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
7.1.2 Operation and Functions of the Operating System. . . . . . . . . . . . . . . . . . . . . . 41
7.2 Safety-Related Aspects of the User Program. . . . . . . . . . . . . . . . . . . . . . . . . . 42
7.2.1 Requirements and Rules for Use in Safety-Related Applications (e.g., Requirements Resulting from the Type Approval Report). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
7.2.1.1 Programming Basics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
7.2.2 Safety-Related Aspects of Programming with ELOP II. . . . . . . . . . . . . . . . . . . 43
7.2.2.1 Using the ELOP II Safety Tool when Creating the Program. . . . . . . . . . . . . . . 44
7.2.2.2 Using the ELOP II Safety Tool when Modifying the Program. . . . . . . . . . . . . . 44
7.2.3 Use of Variables and PCS Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
7.2.3.1 Assigning PCS Names to Variable Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
7.2.3.2 Types of Variables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
7.2.3.3 Digital Inputs and Outputs for Boolean Variables. . . . . . . . . . . . . . . . . . . . . . . 48
7.2.3.4 Analog I/O Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
7.2.3.5 Imported or Exported Variables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
7.2.4 User Program Signatures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.2.4.1 Code Version Number. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.2.4.2 Run Version Number. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.2.4.3 Data Version Number. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.2.4.4 Area Version Number. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.2.5 Use of Standard Function Blocks for Safety-Related Applications. . . . . . . . . . 50
7.2.5.1 Standard Function Blocks, Not Depending on the I/O Level. . . . . . . . . . . . . . . 50
7.2.5.2 Standard function blocks, depending on the I/O level. . . . . . . . . . . . . . . . . . . . 51
7.2.6 Setting the Parameters for the Automation Device. . . . . . . . . . . . . . . . . . . . . . 51
7.2.6.1 Safety Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
7.2.6.2 Behavior if Faults Occur in Safety-Related Output Channels. . . . . . . . . . . . . . 53
7.2.7 Identifying the Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
7.2.8 Checking the Created User Program for Compliance with the Specified Safety
Function. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
7.3 Checklist: Measures for Creating a User Program. . . . . . . . . . . . . . . . . . . . . . 54
7.4 Reload (Reloadable Code). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
7.4.1 Systems with One Central Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
7.4.2 Systems with Redundant Central Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
7.4.3 Restrictions with Respect to Reload. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
7.5 Offline Test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
7.6 Forcing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
7.7 Protection against Manipulation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
7.8 Functions of the User Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
7.8.1 Group Shut-Down. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
7.8.2 Software Function Blocks for Individual Safety-Related I/O Modules. . . . . . . 58
7.8.3 Redundant I/O Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
7.8.3.1 Redundant, non safety-related sensors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
7.8.4 Redundant Analog Sensors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
7.8.5 Input Modules with 2oo3 Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61


7.9 Program Documentation for Safety-Related Applications. . . . . . . . . . . . . . . . . 61


7.10 Safety-Related Communication Aspects
(Safety-Related Data Transfer). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
7.10.1 Safety-Related Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
7.10.2 Time Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
7.10.3 Notes for Creating the User Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
8 Use in Fire Alarm Systems in accordance with DIN EN 54-2
and NFPA 72. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Appendix
1 Standard Software Function Blocks for the Central Area. . . . . . . . . . . . . . 67
1.1 HK-AGM-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
1.2 HK-COM-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
1.3 HK-MMT-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
1.4 H8-UHR-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
2 Standard Software Function Blocks for the I/O Area. . . . . . . . . . . . . . . . . . 68
2.1 H8-STA-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
2.1.1 Inputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
2.2 HA-LIN-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
2.3 HA-PID-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
2.3.1 Inputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
2.3.2 Outputs:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
2.4 HA-PMU-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
2.5 HA-RTE-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
2.5.1 Inputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
2.5.2 Outputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
2.6 HB-BLD-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
2.6.1 Inputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
2.6.2 Outputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
2.7 HB-BLD-4 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
2.7.1 Inputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
2.7.2 Outputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
2.8 HB-RTE-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
2.8.1 Inputs:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
2.8.2 Outputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
2.9 HF-AIX-3 Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
2.10 HF-CNT-3 Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
2.11 HF-CNT-4 Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
2.12 HF-TMP-3 Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
2.13 HK-LGP-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.14 HZ-DOS-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.15 HZ-FAN-3 Function Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
2.15.1 Inputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
2.15.2 Outputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Index of Figures

Index of Tables


1 Introduction
This manual contains information on how to operate the H41q and H51q safety-related
automation devices from HIMA in the intended manner.
The following conditions must be met to safely install and start up the H41q/H51q automation
devices, and to ensure safety during their operation and maintenance:
• Knowledge of regulations.
• Proper technical implementation of the safety instructions detailed in this manual
performed by qualified personnel.
HIMA will not be held liable for severe personal injuries, damage to property or the
environment caused by any of the following:
• Unqualified personnel working on or with the devices.
• De-activation or bypassing of safety functions.
• Failure to comply with the instructions detailed in this manual.

HIMA develops, manufactures and tests the H41q/H51q automation devices in compliance
with the pertinent safety standards and regulations. The use of the devices is only allowed if
the following conditions are met:
• They are used for the intended applications.
• They are operated under the specified environmental conditions.
• They are only connected to the approved external devices.
To provide a clearer exposition, this manual does not specify all details of all versions of the
H41q/H51q automation devices.

1.1 Validity and Current Version


The most current version of the safety manual is also valid for previous operating system
versions. Special features of the individual versions are mentioned in this manual.
Refer to the HIMA website at www.hima.com for the most current version of the manual.
Extensive changes performed to the manual are identified by a revision status, less extensive
changes by an issue status. The revision status is specified on the front side next to the
document number, the issue status is specified on the rear side.

1.2 Formatting Conventions


To ensure improved readability and comprehensibility, the following fonts are used in this
document:

Bold           To highlight important parts.
               Names of buttons, menu functions and tabs that can be clicked and used
               in the programming tool.
Italics        For parameters and system variables.
Courier        Literal user inputs.
RUN            Operating states are designated by capitals.
Chapter 1.2.3  Cross references are hyperlinks even though they are not particularly
               marked. When the cursor hovers over a hyperlink, it changes its shape.
               Click the hyperlink to jump to the corresponding position.

Safety notes and operating tips are particularly marked.

1.2.1 Safety Notes


The safety notes are represented as described below.


These notes must absolutely be observed to reduce the risk to a minimum. The content is
structured as follows:
• Signal word: danger, warning, caution, notice
• Type and source of danger
• Consequences arising from the danger
• Danger prevention

SIGNAL WORD
Signal Word! Type and source of danger.
Consequences arising from the danger
Danger prevention

The signal words have the following meanings:


• Danger indicates a hazardous situation which, if not avoided, will result in death or
serious injury.
• Warning indicates a hazardous situation which, if not avoided, could result in death or
serious injury.
• Caution indicates a hazardous situation which, if not avoided, could result in minor or
moderate injury.
• Notice indicates a hazardous situation which, if not avoided, could result in property
damage.

NOTE

Note! Type and source of damage!


Damage prevention

1.2.2 Operating Tips


Additional information is structured as presented in the following example:

i    The text corresponding to the additional information is located here.

Useful tips and tricks appear as follows:

TIP  The tip text is located here.

1.3 Target Audience


This manual addresses system planners, configuration engineers and programmers of
automation devices. Specialized knowledge of safety-related automation systems is
required.


2 Intended Use

2.1 Application Area


The safety-related automation devices H41q, H41qc and H51q can be used in applications
up to SIL 3 (IEC 61508), Cat. 4 / PL e (ISO 13849-1).
All input and output modules can be used in both redundant and single-channel
implementations of the central modules.
When implementing safety-related communications between various devices, ensure that the
overall response time does not exceed the fault tolerance time. All calculations must be
performed in accordance with the rules given in this safety manual.
Only devices with safe electrical isolation may be connected to the communications
interfaces.
The H41q/H51q systems are certified for use in process controllers, protective systems,
burner systems and machine controllers.

2.1.1 Application in Accordance with the 'De-Energize to Trip Principle'


The automation devices have been designed in accordance with the 'de-energize to trip'
principle.
A system that operates in accordance with the de-energize to trip principle does not require
any power to perform its safety function.
Thus, if a fault occurs, the input and output signals adopt a de-energized, safe state.

2.1.2 Application in Accordance with the Energize to Trip Principle


The H41q/H51q controllers can be used in applications that operate in accordance with the
'energize to trip' principle.
A system operating in accordance with the energize to trip principle requires power (such as
electrical or pneumatic power) to perform its safety function.
Therefore, the H41q/H51q controllers are tested and certified for use in fire alarm and
fire-fighting systems in accordance with EN 54 and NFPA 72. To contain the hazard, these
systems must be able to adopt an active state on demand.

2.1.3 Explosion Protection


The safety-related automation devices H41q, H41qc and H51q are suitable for
installation in zone 2. The declarations of conformity are contained in the
corresponding data sheets.
The following operating requirements must be observed!

2.1.4 Use in Fire Alarm Systems


All H41q/H51q systems with analog inputs can be used in fire alarm systems in accordance
with DIN EN 54-2 and NFPA 72.
The following operating requirements must be observed!

2.2 Non-Intended Use


The transfer of safety-relevant data through public networks such as the Internet is not
permitted unless additional security measures, such as a VPN tunnel or a firewall, have been
implemented to increase security.
Fieldbus interfaces without safety-related fieldbus protocols cannot ensure safety-related
communication.


2.3 Operating Requirements

2.3.1 Environmental Requirements and Specifications


When using the safety-related H41q/H51q control systems, the following general
requirements must be met:

Requirement type            Requirement content

Protection class            Protection class II in accordance with IEC/EN 61131-2
Operating temperature       0...+60 °C
Storage temperature         -40...+80 °C (with battery: only -30...+75 °C)
Pollution                   Pollution degree II
Altitude                    < 2000 m
Housing                     Standard: IP 20
                            If required by the relevant application standards (e.g., EN 60204,
                            EN 954-1), the device must be installed in an enclosure of the
                            specified protection class (e.g., IP 54).
Power supply input voltage  24 VDC

See the data sheets for various deviations.


The safety-related control systems H41q, H41qc and H51q have been developed to meet the
following standards for EMC, climatic and environmental requirements.

Standard                 Content
IEC/EN 61131-2:2006      Programmable controllers, Part 2:
                         Equipment requirements and tests
IEC/EN 61000-6-2:2005    EMC, Generic standard, Part 6-2:
                         Immunity for industrial environments
IEC/EN 61000-6-4:2006    Electromagnetic compatibility (EMC),
                         Generic emission standard, industrial environments

2.3.2 Climatic Requirements


The following table lists the key tests and thresholds for climatic requirements:

IEC/EN 61131-2 Climatic tests


Operating temperature: 0...+60 °C
(test limits: -10...+70 °C)
Storage temperature: -40...+80 °C
(with battery: only -30 °C)
Dry heat and cold resistance tests:
+70 °C / -25 °C, 96 h, power supply not connected
Temperature change, resistance and immunity test:
-25 °C / +70 °C and 0 °C / +55 °C,
power supply not connected
Cyclic damp-heat withstand tests:
+25 °C / +55 °C, 95 % relative humidity,
power supply not connected


2.3.3 Mechanical Requirements


The following table lists the key tests and thresholds for mechanical requirements:

IEC/EN 61131-2 Mechanical tests


Vibration immunity test:
5...9 Hz / 3.5 mm
9...150 Hz / 1 g, EUT in operation, 10 cycles per axis
Shock immunity test:
15 g, 11 ms, EUT in operation, 3 shocks per axis (18 shocks)

2.3.4 EMC Requirements


The following table lists the key tests and thresholds for EMC requirements:

IEC/EN 61131-2 Interference immunity tests


IEC/EN 61000-4-2 ESD test: 6 kV contact, 8 kV air discharge (EN 230, EN 50130)
IEC/EN 61000-4-3 RFI test (10 V/m): 80 MHz...2 GHz, 80 % AM
IEC/EN 61000-4-4 Burst test: 2 kV on power supply lines, 1 kV on signal lines,
2 kV on AC lines

IEC/EN 61000-6-2 Interference immunity tests


IEC/EN 61000-4-6 High frequency, asymmetric:
10 V, 150 kHz...100 MHz, AM
IEC/EN 61000-4-3 434 MHz, 900 MHz impulses, 20 V/m
IEC/EN 61000-4-5 Surge: 2 kV, 1 kV on supply line

IEC/EN 61000-6-4 Noise emission tests


EN 55011 Emission test:
Class A, radiated and conducted

All modules of the H41q and H51q systems meet the requirements of the EMC Directive of
the European Union and are labeled with the CE mark.
The systems react safely to interference exceeding the specified limits.


2.3.5 Power Supply


The following table lists the key tests and thresholds for power supply requirements:

IEC/EN 61131-2: Review of the DC supply characteristics


The power supply unit must meet the requirements of one of the fol-
lowing standards:
IEC/EN 61131-2 or
SELV (Safety Extra Low Voltage, EN 60950) or
PELV (Protective Extra Low Voltage, EN 60742)
The H41q, H41qc and H51q systems must be fuse protected as
specified in the data sheets.
Voltage range test:
24 V DC, -20 %...+25 % (19.2...30.0 V DC)
Momentary external current interruption immunity test:
DC, PS 2: 10 ms
Reversal of DC power supply polarity test:
Refer to corresponding chapter of the catalog or data sheet of the
power supply module.
Back-up battery, withstand test:
Test B, 1000 h, lithium battery as back-up battery

2.3.6 ESD Protective Measures


Only personnel with knowledge of ESD protective measures may modify or extend the
system or replace a module.

Electrostatic discharge can damage the electronic components within the systems.
• Touch a grounded object to discharge any static in your body.
• When performing the work, make sure that the workspace is free of static, and wear an
ESD wrist strap.
• If not used, ensure that the device is protected from electrostatic discharge, e.g., by stor-
ing it in its packaging.
Only personnel with knowledge of ESD protective measures may modify or extend the sys-
tem wiring.

2.4 Personnel Qualifications


All staff members (planning, installation, commissioning) must be informed about the risks
and potential consequences resulting from the manipulation of a safety-related automation
system.
Planners and configuration engineers must have additional knowledge about the selection
and use of electrical and electronic safety systems within automated systems, e.g., to prevent
the effects of improper connections or faulty programming.
The operator is responsible for qualifying the operating and maintenance personnel and
providing them with appropriate safety instructions.
Only staff members with knowledge of industrial process measurement and control, electrical
engineering, electronics and the implementation of PES and ESD protective measures may
modify or extend the system wiring.

2.5 Requirements to be met by the operator and the machine and system manufacturers

The operator and the machine and system manufacturers are responsible for ensuring that
H41q/H51q systems are safely operated in automated systems and plants.

The machine and system manufacturers must validate that the H41q/H51q systems are
correctly programmed.


3 Safety Philosophy and Requirements

3.1 Certification
The safety-related automation devices (PES = programmable electronic system) of the H41q,
H41qc and H51q system families are certified as follows:

TÜV Rheinland Industrie Service GmbH


Automation, Software and Information Technology
Am Grauen Stein
51105 Cologne

Certificate and test report no. 968/EZ 129.16/10

Safety-Related Automation Devices


H41q-MS, H41q-HS, H41q-HRS
H41qc-MS, H41qc-HS, H41qc-HRS
H51q-MS, H51q-HS, H51q-HRS

The safety-related automation devices of the H41q, H41qc and H51q system families are
tested and certified in accordance with the following relevant functional safety standards:
IEC 61508: Parts 1-7: 1998-2000 up to SIL 3
IEC 61511: Part 1-3: 2004 up to SIL 3
EN/ISO 13849-1: 2008 Category 4, Performance Level e
EN 50156-1: 2004
EN 12067-2: 2004, EN 298: 2003, EN 230: 2005
NFPA 85: 2007, NFPA 86: 2007
EN 61131-2: 2007
EN 61000-6-2: 2005, EN 61000-6-4: 2007
EN 54-2:1997, A1: 2006, NFPA 72: 2010
EN 50130-4: 1998 + A1: 1998 + A2: 2003 + Corr. 2003

Chapter 2.3 contains a detailed list of all environmental and EMC tests performed.


3.2 Safety and Availability


Even as mono systems, the H41q, H41qc and H51q system families are designed for use up
to SIL 3 thanks to the 1oo2D microprocessor structure on one central module.
Depending on the required availability, the HIMA automation devices can be equipped with
redundant modules in the central and I/O areas. Redundant modules increase availability,
since the redundant module maintains operation if a module has to be shut down due to a
failure.

3.2.1 Safety

The PFD (probability of failure on demand) and PFH (probability of failure per hour) values
were calculated for the safety-related H41q, H41qc and H51q systems in accordance with
IEC 61508.
IEC 61508-1 prescribes for SIL 3:
• A PFD value of 10⁻⁴ ... 10⁻³
• A PFH value of 10⁻⁸ ... 10⁻⁷ per hour
15 % of the limit value for PFD and PFH specified in the standard is assumed for the
controller. The resulting limit values for the controller's proportion:
• PFD = 1.5 · 10⁻⁴
• PFH = 1.5 · 10⁻⁸ per hour
A proof test interval of 10 years1) has been defined for the safety-related systems H41q,
H41qc and H51q.

The safety functions, consisting of a safety-related loop (an input, a processing unit and an
output), meet the requirements described above in all combinations.

Further information is available upon request.
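The budget arithmetic above (SIL 3 band, 15 % controller share, 10-year proof test interval), worked through in Python. This is an added illustration and is neither code from the manual nor HIMA's calculation tool. The single-channel approximation PFD_avg ≈ λ_DU · T_I / 2 is the simplified formula from IEC 61508-6 and is assumed to apply; the failure-rate and PFD figures in the demonstration are constructed for the example.

```python
# Added example (not from the HIMA manual): SIL 3 budget checks for the
# logic solver share described above. Figures taken from the chapter:
# IEC 61508-1 SIL 3 band, 15 % controller share, 10-year proof test interval.

HOURS_PER_YEAR = 8760.0

# IEC 61508-1 SIL 3 band: lower limit inclusive, upper limit exclusive.
SIL3_PFD_BAND = (1e-4, 1e-3)          # average probability of failure on demand
SIL3_PFH_BAND = (1e-8, 1e-7)          # probability of dangerous failure per hour
CONTROLLER_SHARE = 0.15               # share of the band's upper limit assigned to the PES


def controller_limits(share=CONTROLLER_SHARE):
    """(PFD limit, PFH limit) for the controller's proportion of the SIL 3 band."""
    return share * SIL3_PFD_BAND[1], share * SIL3_PFH_BAND[1]


def pfd_avg_1oo1(lambda_du_per_h, proof_test_years):
    """Average PFD of one channel with dangerous undetected failure rate
    lambda_du over the proof test interval T_I.
    Assumption for this example: the simplified IEC 61508-6 formula
    PFD_avg ~= lambda_du * T_I / 2 applies (lambda_du * T_I << 1)."""
    t_i_hours = proof_test_years * HOURS_PER_YEAR
    return lambda_du_per_h * t_i_hours / 2.0


def max_lambda_du_for_controller(proof_test_years=10, share=CONTROLLER_SHARE):
    """Largest lambda_du (per hour) a 1oo1 channel may have so that the
    controller's PFD share still holds over the proof test interval. This is
    why the 10-year proof test interval is part of the safety claim: doubling
    the interval halves the permissible failure rate."""
    pfd_limit, _ = controller_limits(share)
    return 2.0 * pfd_limit / (proof_test_years * HOURS_PER_YEAR)


def loop_meets_sil3(sensor_pfd, logic_pfd, actuator_pfd, share=CONTROLLER_SHARE):
    """The complete safety loop (input, processing unit, output) is judged
    against the SIL 3 band; the logic solver is additionally judged against
    its 15 % share. Returns (meets_sil3, total_pfd)."""
    pfd_limit, _ = controller_limits(share)
    total = sensor_pfd + logic_pfd + actuator_pfd
    ok = total < SIL3_PFD_BAND[1] and logic_pfd <= pfd_limit
    return ok, total


if __name__ == "__main__":
    pfd_lim, pfh_lim = controller_limits()
    print(f"controller share: PFD <= {pfd_lim:.2e}, PFH <= {pfh_lim:.2e}/h")
    print(f"max lambda_DU for a 10-year proof test: {max_lambda_du_for_controller():.3e}/h")
    # Constructed sample loop: sensor and actuator dominate the budget, which
    # matches the manual's remark that field devices fail more often than PES modules.
    ok, total = loop_meets_sil3(sensor_pfd=3.0e-4, logic_pfd=1.4e-4, actuator_pfd=4.0e-4)
    print(f"loop PFD = {total:.2e}, meets SIL 3: {ok}")
```

The loop check deliberately tests the sum of all three elements against the full band and only the logic solver against the 15 % share: a controller inside its share still fails SIL 3 if the field devices eat the rest of the budget.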

3.2.2 Overview
The following table presents an overview of the system designations, safety, availability and
configurations

System designation   H41qc-MS         H41qc-HS         H41qc-HRS
                     H41q-MS          H41q-HS          H41q-HRS
                     H51q-MS          H51q-HS          H51q-HRS
SIL / Category       SIL 3 / Cat. 4   SIL 3 / Cat. 4   SIL 3 / Cat. 4
Availability         Normal           High             Very high
Configuration
  Central module     mono             redundant        redundant
  I/O modules        mono 1)          mono 1)          redundant
  I/O bus            mono             mono             redundant 2)

1) To increase availability, individual I/O modules can also be used redundantly or in a 2oo3
   circuit (e.g., see Chapter 7.8.5).
2) When a redundant I/O bus is used, HIMA recommends configuring both the I/O modules and
   the peripherals (sensors and actuators within the plant) redundantly. Experience shows
   that these components have higher failure rates than the PES modules.

Table 1: System designations, safety, availability and configurations

1) To the 10-year proof test interval above: refer to Chapter 6.5 for further information on the
   F 3430 relay module.


When redundant modules are used for increasing availability, three essential points must be
considered:
• Faulty modules must be detected and shut down to prevent the system from being
blocked.
• If a fault occurs, the operator must receive a message indicating that the module must
be replaced.
• Once the module has been replaced, it must automatically start operation.

The HIMA automation systems with the corresponding configuration meet these
requirements.

To program the devices, a PADT (programming and debugging tool, a PC) running the
programming tool ELOP II, which conforms to IEC 61131-3, is used. It supports the user in
operating the automation devices and creating safety-related programs.

3.3 Safety Times


Single faults that may lead to a dangerous operating state are detected by the self-test
facilities within the fault tolerance time (at least 1 s). The fault tolerance time is preset as
safety time in the menu for setting the resource properties.

Fault tolerance time: a process value, often referred to as safety time in user guidelines.
Safety time (within the PES): a value that depends on the system capability.

Failures that can only have a dangerous impact on safety in combination with additional faults
are detected by background tests within the multiple fault occurrence time (MOT). The
multiple fault occurrence time is derived from the safety time and is defined in the
operating system as 3600 times that value.

Two types of tests are distinguished:
• Tests performed within the safety time (foreground tests).
  Response time: immediate, at the latest within the safety time.
• Tests performed during the multiple fault occurrence time, subdivided into many cycles
  (background tests).
  Response time: immediate, at the latest within the multiple fault occurrence time.

Example of response time: a maximum of two times the cycle time. If a fault tolerance time
(safety time) of 1 s is required for the process, the cycle time may not exceed 500 ms.

Fault response time


The fault response time of an automation device corresponds to the safety time (≥ 1 s)
defined in the resource properties. Note that the cycle time may not exceed half the safety
time, since the response to faults in the input modules is triggered within 2 cycles. The
cycle time depends on the safety time, which defines the period within which all foreground
tests must be performed.
A short safety time increases the cycle time, and vice versa: with long safety times, the
tests are distributed among multiple cycles, so each cycle carries less test load.


Example 1: Safety time = 1 s
Cycle time for user program = 450 ms
Cycle time required for tests = 100 ms
2 cycles are possible within the safety time
100 ms / 2 = 50 ms of test time per cycle
Overall cycle time = 450 ms + 50 ms = 500 ms

Example 2: Safety time = 2 s
Cycle time for user program = 450 ms
Cycle time required for tests = 100 ms
4 cycles are possible within the safety time
100 ms / 4 = 25 ms of test time per cycle
Overall cycle time = 450 ms + 25 ms = 475 ms

Note: For operating system versions prior to 07.14, the safety time must not be set to 255 s!
Only values within 1...254 s are allowed.
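The cycle-time rules of this chapter (cycle time at most half the safety time, foreground tests spread over the cycles that fit into the safety time, MOT = 3600 × safety time, the 1...254 s restriction for old operating systems) as a small planning routine that reproduces Examples 1 and 2. This is an added illustration, not code from the manual or from ELOP II. One assumption is labelled in the code: the manual does not spell out how "cycles possible within the safety time" is derived, so the routine takes floor(safety time / user program cycle) and reduces it until the test time also fits.

```python
# Added example (not from the HIMA manual): planning the cycle time from the
# safety time, following the rules and the two examples in this chapter.
# Assumption: the number of cycles that fit into the safety time is taken as
# floor(safety time / user program cycle), reduced until the foreground test
# time also fits; the manual does not spell out that derivation.

MOT_FACTOR = 3600                # multiple fault occurrence time = 3600 x safety time
FAULT_RESPONSE_CYCLES = 2        # input module faults are reacted to within 2 cycles
LEGACY_MAX_SAFETY_TIME_S = 254   # OS versions prior to 07.14: 255 s is not allowed


class CyclePlanError(ValueError):
    """Raised when no cycle plan satisfies the safety time."""


def plan_cycle(safety_time_s, user_cycle_ms, test_time_ms, os_before_07_14=False):
    """Return the cycle plan for a safety time (seconds), the user program's
    cycle time and the total foreground test time per safety time (both ms)."""
    if safety_time_s < 1:
        raise CyclePlanError("safety time must be at least 1 s")
    if os_before_07_14 and not 1 <= safety_time_s <= LEGACY_MAX_SAFETY_TIME_S:
        raise CyclePlanError("OS prior to 07.14: safety time must be within 1...254 s")

    safety_ms = safety_time_s * 1000
    max_cycle_ms = safety_ms / FAULT_RESPONSE_CYCLES     # half the safety time
    if user_cycle_ms >= max_cycle_ms:
        raise CyclePlanError(f"user program cycle {user_cycle_ms} ms leaves no room for "
                             f"tests below the {max_cycle_ms:.0f} ms limit")

    # How many cycles fit into the safety time once the tests are spread over them
    cycles = int(safety_ms // user_cycle_ms)
    while cycles >= FAULT_RESPONSE_CYCLES and cycles * user_cycle_ms + test_time_ms > safety_ms:
        cycles -= 1
    if cycles < FAULT_RESPONSE_CYCLES:
        raise CyclePlanError("fewer than 2 cycles fit into the safety time; increase the "
                             "safety time or shorten the user program")

    test_per_cycle_ms = test_time_ms / cycles
    overall_cycle_ms = user_cycle_ms + test_per_cycle_ms
    return {
        "cycles_in_safety_time": cycles,
        "test_per_cycle_ms": test_per_cycle_ms,
        "overall_cycle_ms": overall_cycle_ms,
        # Fault response is 2 cycles; by construction this never exceeds the safety time.
        "fault_response_ms": FAULT_RESPONSE_CYCLES * overall_cycle_ms,
        "mot_s": MOT_FACTOR * safety_time_s,
    }


if __name__ == "__main__":
    for safety_time in (1, 2):                     # the manual's Examples 1 and 2
        print(f"{safety_time} s:", plan_cycle(safety_time, 450, 100))
    try:                                           # a user program that is just too long
        plan_cycle(1, 480, 100)
    except CyclePlanError as err:
        print("infeasible:", err)
```

The infeasible case is the one to note: a 480 ms user program fits twice into 1 s by itself, but not once the 100 ms of tests are added, so the safety time has to be raised (or the program shortened) rather than the tests being squeezed.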

3.4 Proof Test


The proof test detects dangerous undetected faults that could otherwise affect the safe
function of the system.

HIMA safety systems must be subjected to a proof test in intervals of 10 years1). It is often
possible to extend this interval by using a calculation tool to analyze the implemented safety
loops.
With relay modules, the proof test must be performed in the intervals defined for the plant.

3.4.1 Proof Test Execution


The proof test execution depends on the following factors:
• Plant characteristics (EUC = equipment under control)
• Plant's intrinsic risk potential
• The standards applicable to the plant operation and required for approval by the
responsible test authority.

According to IEC 61508 1-7, IEC 61511 1-3 and VDI/VDE 2180 sheets 1 to 4, the operator of
the safety-related systems is responsible for performing the proof tests.

3.4.2 Frequency of Proof Tests


The HIMA PES can be proof tested by testing the full safety loop.

In practice, shorter proof test intervals are required for the input and output field devices (e.g.,
every 6 or 12 months) than for the HIMA controller. Testing the entire safety loop together
with a field device automatically includes the test of the HIMA controller. There is therefore
no need to perform additional proof tests of the HIMA controller.
If the proof test of the field devices does not include the HIMA controller, the HIMA controller
must be tested at least once every 10 years. This can be achieved by restarting the HIMA
controller.

1)
Exception: The F 3430 module must be tested for SIL 3 in intervals of 5 years.


Additional proof test requirements for specific devices are described in the corresponding
data sheets.

3.5 Safety Requirements


The following safety requirements must be met when using the safety-related controllers of
the H41q, H41qc and H51q systems:

Note: The operating company is responsible for operating the plant safely in accordance with
the relevant application standards.

3.5.1 Hardware Project Planning: Product-Independent Requirements


• To ensure safety-related operation, only approved fail-safe hardware modules and
  software components may be used. The approved hardware modules and software
  components are listed in the Revision List of Devices and Firmware of H41q/H51q
  Systems of HIMA Paul Hildebrandt GmbH + Co KG. Refer to the latest valid release
  document for the certificate number. The latest versions can be found in the version
  list maintained together with the test authority.
• The operating requirements specified in this safety manual (see Chapter 2.3) about
EMC, mechanical and climatic influences must be observed.
• Non fail-safe, non-reactive hardware modules and software components may be used
for processing non-safety-relevant signals, but not for handling safety-related tasks.
• The de-energized to trip principle must be applied to all safety circuits externally
connected to the system.

3.5.2 Hardware Project Planning: Product-Dependent Requirements


• Only devices that are safely electrically isolated from the power supply may be
connected to the system.
• The safe electrical power supply isolation must be ensured within the 24 V system
supply. Only power supply units of type PELV or SELV may be used.

3.5.3 Programming: Product-Independent Requirements


• In safety-related applications, ensure that the system parameters influencing safety
are properly configured. The possible configuration variants are described in the
following chapters. In particular, this applies to the system configuration, maximum
cycle time and safety time.

3.5.4 Programming: Product-Dependent Requirements


• The system response to faults in the fail-safe input and output modules must be
defined in the user program in accordance with the system-specific safety-related
conditions.
• If ELOP II, rev. 3.5 and below, is used as programming tool, the verification of the
program created can be simplified in accordance with the conditions specified in this
manual.
• The program, however, must be sufficiently validated.
• Function tests / verifications after a user program change can be limited to the
modified program parts.
• The procedure for creating and changing the program described in Chapter 7 must be
observed.


3.5.5 Communication: Product-Dependent Requirements


• When implementing safety-related communications between the various devices,
ensure that the system's overall response time does not exceed the fault tolerance
time. All calculations must be performed in accordance with the specified rules.
• The transfer of safety-relevant data through public networks like the Internet is only
permitted if additional security measures have been implemented such as: VPN
tunnel.
• If data is transferred through company-internal networks, administrative or technical
measures must be implemented to ensure sufficient protection against manipulation
(e. g., using a firewall to separate the safety-relevant components of the network from
other networks).
• Only devices with safe electrical isolation may be connected to the communications
interfaces.

3.5.6 Special Modes of Operation: Product-Independent Requirements


• Reload in safety applications is only permitted after receiving consent from the test
authority responsible for the final system acceptance test and using the certified
programming tool ELOP II.
• When performing the reload, the person in charge must take further technical and
organizational measures to ensure that the process is sufficiently monitored in terms
of safety.
• Prior to performing the reload, determine the version changes compared to the user
software using the C-code comparator of ELOP II.
• During the reload of a mono PES, the duration of the entire modification plus twice the
cycle time must not exceed the failure tolerance time of the process.
• If maintenance override is used, observe the current version of the document
Maintenance Override / Wartungseingriffe available on the TÜV Rheinland website at
www.tuvasi.com.
• A static offline test of the logic may be performed with ELOP II. The offline simulation
was not subject to any safety-relevant tests. For this reason, the simulation may not
replace the functional test of the plant.
• Whenever necessary, the operator must consult with the test authority responsible for
the final inspection of the system and define administrative measures appropriate for
regulating access to the controller.


4 Central Modules
The central components required for the different types of HIMA automation devices are
assembled in kits. The kit of a functioning central module is composed of the following
elements:
• Central subrack
• Central modules
• Power supply units
• Accessories
The detailed scope of delivery, the supply voltage wiring and the connection of the I/O level
are described in the data sheets of the catalog Programmable Systems, System Families
H41q/H51q (HI 800 263).

4.1 Central Modules and Kits for the H41q and H41qc Systems

Module / kit   Designation   Safety-related   Non-reactive
F 8652 X Central module, dual processor 1oo2 • •
F 8653 X Central module •
B 4231 Central device kit H41q-MS • •
B 4233-1 Central device kit H41q-HS • •
B 4233-2 Central device kit H41q-HRS • •
B 4235 Central device kit H41qc-MS • •
B 4237-1 Central device kitH41qc-HS • •
B 4237-2 Central device kit H41qc-HRS • •
Table 2: Central modules and kits for the H41q and H41qc systems

4.2 Central Modules and Kits for the H51q System

Module / kit   Designation   Safety-related   Non-reactive
F 8650 X Central module, dual 1oo2 processor • •
F 8651 X Central module •
B 5231 Central device kit H51q-MS • •
B 5233-1 Central device kit H51q-HS • •
B 5233-2 Central device kit H51q-HRS • •
B 9302 I/O subrack • •
Table 3: Central modules and kits for the H51q system


4.3 Additional Central Modules for the H41q, H41qc and H51q Systems

Module / kit   Designation   Safety-related   Non-reactive
Power distribution modules
F 7132 4-fold power distribution module •
F 7133 4-fold power distribution module with fuse monitoring •
Supplementary modules
F 7126 Power supply module •
F 7130A Power supply module •
F 7131 Power supply module monitoring with •
back-up batteries for H51q
F 8621A Co-processor module for H51q •
F 8627, F 8627X Communication module for Ethernet •
F 8628, F 8628X Communication module for PROFIBUS DP (slave) •
Bus connections
F 7553 I/O bus connection module for H51q •
Bus connection modules for configuring HIPRO
H 7505 Interface converter RS 485, V.24/20 mA, two-wire/four-wire (HIPRO) •
H 7506 Bus terminals for configuring 2-wire buses •
Table 4: Additional central modules for the H41q, H41qc and H51q systems


4.4 General Notes on the Safety and Availability of Safety-Related Central Modules

Compliance with the following requirements concerning the equipment of the central and
power supply modules and the bus components within the subrack of the H41q/H51q system
families must be ensured:

H41q, H41qc systems:
The following modules can be used in the H41q system subrack:
• 2 central modules
• 12 I/O modules
• 2 power supply modules
• 3 fuse modules
The following modules can be used in the H41qc system subrack:
• 2 central modules
• 2 communication modules
• 13 I/O modules
• 2 power supply modules
Circuit breakers are used to fuse the inputs/outputs.

H51q system:
The following modules can be used in the central module subrack:
• 2 central modules
• For each central module: three F 8621/A co-processors or five F 8625, F 8626, F 8627,
  F 8628 communication modules
The basic components for I/O subracks are assembled in kits.

Table 5: Safety and availability, differences between H41q, H41qc and H51q

4.4.1 Power Supply Units


In safety-related applications, use one 24 VDC / 5 VDC power supply unit more than required
by the power consumption. This applies to the central module subrack and the additional
power supply module. The power supply units are decoupled via diodes and monitored by the
central devices.

4.4.2 Functional Description of the Safety-Related F 8652 X / F 8650 X Central Modules

Each central module of type F 8652 X or F 8650 X is composed of the following function
blocks:
• Two synchronous microprocessors
• Each microprocessor has its own memory.
• The memories of one processor contain the program and the data in non-inverted
form while the memories of the other processor contain the program and the data in
inverted form.
• Testable hardware comparators for all external accesses of both microprocessors.
• If a fault occurs, the watchdog is set to a safe state and the processor status is
reported.
• Flash EPROM, the program memory for operating systems and user programs,
suitable for at least 100,000 memory cycles.
• Data storage in SRAM (static RAM)
• Multiplexer for connecting I/O bus, dual port RAM (DPR) and redundant central
module.
• Buffering of the SRAMs through batteries on the central module
• 2 RS 485 interfaces with electrical isolation, default baud rate 57600 bps. A switch or the
  software can be used to set 9600 bps or 57600 bps (other baud rates are also possible);
  values set by software have priority.
• Diagnostic indicators and 2 LEDs for information from the system, I/O area and user
program.
• DPR for fast, mutual memory access to the second central module
• Battery-buffered hardware clock


• I/O bus logic for connection to I/O modules.


• Safe watchdog
• Monitoring of power supply units, testable (5 V system voltage).
• Battery monitoring

4.5 Principles of Function of Safety-Related Central Modules


Safety-related central modules are composed of two microprocessors, each with one RAM,
that simultaneously process the same programs, operating systems and user programs. A
comparator continuously compares the data on the busses between the two microprocessors
with their memories.
The operating system includes self-test routines which are periodically run. The watchdog
monitors the program sequence.

4.5.1 Self-Test Routines


Table 6 explains the self-test routines run by the safety-related F 8650 X and F 8652 X central
modules and how they cover the connection to the I/O level:

Test: CPU test
The following is tested:
• Instructions and addressing types
• The writability of the flags and the instructions related to the flags
• The writability and crosstalk of the registers
• Arithmetic logic unit (ALU)

Test: Memory areas test
The operating system, user program, constants and parameters as well as the variable data
are stored in each central module directly and inversely and are checked for antivalence by
a hardware comparator.

Test: Fixed memory areas
The operating system, user program and parameter area are each stored in a flash EPROM
and are protected by a CRC test.

Test: RAM test
A write and read test is performed to check the RAM areas, in particular for crosstalk.

Test: Watchdog test
The watchdog signal is switched off unless it is triggered within a determined period by
both CPUs with antivalent bit patterns, or if the hardware comparator detects a difference
between the two memories (direct and inverse). An additional test determines the
watchdog signal's switch-off ability.

Test: Connection to the I/O level within the central module
If the central modules in H41q-HS / H41qc-HS / H51q-HS systems are used redundantly with
a single-channel I/O bus, reciprocal interlocking of the I/O access of the central modules is
ensured. Self-tests check the interlocking circuit used to this end.
With a two-channel I/O level (HR or HRS system), the I/O access rights are read back and
checked.
With a single-channel I/O level (M or MS system: single-channel I/O modules and
single-channel CPU), the I/O access rights are read back and checked.

Test: Connection module in the I/O subracks
The addressing is tested cyclically after the safety-related I/O module has been processed.
The addresses of all agreed I/O module positions are read back and tested. The safety
switches of the F 7553 module are tested.

Table 6: Self-test routines
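A software model of three of the mechanisms in Table 6 and in the function block list of 4.4.2: program and data kept directly in one processor's memory and inverted in the other's, compared for antivalence on access and in the background; CRC protection of the fixed (flash) memory areas; and a watchdog that only stays on while both CPUs trigger it in time with antivalent bit patterns, and stays off once it has dropped. This is an added illustration, not HIMA firmware or code from the manual. The byte values, the 0x5A/0xA5 trigger pair, the period and the fault-injection hook are constructed for the example; the real comparator and watchdog are hardware.

```python
# Added example (not from the HIMA manual): a software model of the antivalent
# memory images, the CRC-protected fixed memory and the antivalent-pattern
# watchdog described in Table 6. Values and the 0x5A/0xA5 pair are constructed.
import zlib


class MemoryFault(Exception):
    """Raised when a direct/inverse pair is no longer antivalent."""


class AntivalentMemory:
    """One processor holds program and data directly, the other the bitwise
    inverse. Antivalence (direct XOR inverse == 0xFF) is required on every
    access, so a single stuck or flipped bit in either image is detected."""

    def __init__(self, size):
        self.direct = bytearray(size)
        self.inverse = bytearray(b"\xff") * size   # inverse image of all-zero memory

    def write(self, addr, value):
        self.direct[addr] = value & 0xFF
        self.inverse[addr] = (value ^ 0xFF) & 0xFF

    def read(self, addr):
        """Foreground check on access: the comparator rejects non-antivalent pairs."""
        d, i = self.direct[addr], self.inverse[addr]
        if d ^ i != 0xFF:
            raise MemoryFault(f"address {addr:#06x}: direct {d:#04x}, inverse {i:#04x}")
        return d

    def compare(self):
        """Background check over the whole area; returns the failing addresses."""
        return [a for a, (d, i) in enumerate(zip(self.direct, self.inverse))
                if d ^ i != 0xFF]

    def inject_fault(self, addr, mask, image="direct"):
        """Test hook (constructed for the example): flip bits in one image."""
        target = self.direct if image == "direct" else self.inverse
        target[addr] ^= mask & 0xFF


def flash_area_ok(image, stored_crc):
    """Fixed memory areas (OS, user program, parameters) are CRC-protected:
    recompute over the image and compare with the stored value."""
    return (zlib.crc32(image) & 0xFFFFFFFF) == stored_crc


class SafeWatchdog:
    """Stays on only while both CPUs trigger it within the period using
    antivalent bit patterns; a mismatch or a timeout switches it off, and it
    stays off (outputs de-energized) until the module is restarted."""

    def __init__(self, period_ms, pattern_a=0x5A):
        self.period_ms = period_ms
        self.pattern_a = pattern_a & 0xFF
        self.last_ok_ms = 0
        self.enabled = True

    def trigger(self, pattern_from_cpu_a, pattern_from_cpu_b, now_ms):
        """True if the trigger is accepted, False if the watchdog switched off."""
        antivalent = ((pattern_from_cpu_a & 0xFF) == self.pattern_a
                      and ((pattern_from_cpu_a ^ pattern_from_cpu_b) & 0xFF) == 0xFF)
        if self.enabled and antivalent and now_ms - self.last_ok_ms <= self.period_ms:
            self.last_ok_ms = now_ms
            return True
        self.enabled = False
        return False

    def output_enabled(self, now_ms):
        if now_ms - self.last_ok_ms > self.period_ms:
            self.enabled = False
        return self.enabled


def run_self_tests(mem, flash_image, stored_crc):
    """Collect the background checks into one fault list, as the diagnostic
    system would report them; an empty list means no fault detected."""
    faults = [f"memory: antivalence lost at {a:#06x}" for a in mem.compare()]
    if not flash_area_ok(flash_image, stored_crc):
        faults.append("flash: CRC mismatch in fixed memory area")
    return faults


if __name__ == "__main__":
    mem = AntivalentMemory(64)
    mem.write(0x10, 0xA5)
    mem.inject_fault(0x10, 0x01)                  # simulated bit flip in CPU A's image
    program = b"constructed flash image"
    print(run_self_tests(mem, program, zlib.crc32(program) ^ 1))   # wrong stored CRC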


4.5.2 Response to Faults Detected in Central Modules


The test routines ensure that faults are detected and that the defective central module is
switched off. At the same time, the diagnostic indicators report the faults and register them in
the system diagnosis.
For a central module, MS system, this means a complete shut-down of the automation
device.
For redundant central modules, HS and HRS systems, the defective central module is
switched off while the redundant module continues to operate.

If the defective central module of a redundant system is replaced by a functional one with the
same user program and operating system, the new central module receives the current data
from the running central module and the system restarts redundant operation.
Under certain conditions, such as an identical operating system version that must be at least
7.0-8 (05.21), the running central module can load the user program into the new "empty"
central module (self-education). For more details, refer to the chapter Self-Education of the
operating system manual (HI 800 105 E).

4.5.3 Diagnostic Indicators


The diagnostic indicators are an integral part of the central module. They include the
following elements:
• a 4-digit alphanumeric display for representing texts and values
• a CPU LED for signaling central module faults
• an I/O LED for displaying general faults in safety-related I/O modules.
Three additional keys are also available: an acknowledgement key (ACK) and two keys for
calling further system information.

If faults occur in the central module, the CPU LED is lit and STOP appears on the 4-digit
display. The error code can then be called up on the display. The operating system manual
(HI 800 105 E) provides a list of the error codes.
If faults occur in the safety-related modules at I/O level, the IO LED is lit. The 4-digit display
shows the module position and possibly the faulty channel.

The diagnostic system provides all error codes to be visualized in the process control system.
The diagnostic system maintains an error history. The error history can be displayed in the
PADT and is of help for detecting problems within the plant.

4.6 Response to Faults Detected in the I/O Bus Area


If a fault occurs in the I/O bus area between central module and connection modules, all I/O
subracks affected by the fault are switched off.

If a fault in the I/O bus area only occurs within an I/O subrack, the connection module
switches off the output module in the affected I/O subrack.

4.7 Note for Replacing Central Modules


Faulty modules in the central area or in the I/O area can be replaced during operation; the
automation device need not be shut down during replacement.

Note: Service interruption possible! HIMA strongly recommends replacing faulty central
modules.

If faults occur or during maintenance, the following steps are required for replacing the
modules:


• Central modules for non-redundant automation devices with integrated back-up battery
  must be stored without user program if the user program contains retain variables.
  These variables are not set to their initial values when the system is started.
• Central modules for redundant automation devices with integrated back-up battery may
  be stored with the user program even if the user program contains retain variables.
  These variables are taken over from the running central module during start-up.

The diagnostic indicator on the central module displays BATI to signal that the internal
battery is empty.
Refer to the data sheet for recommendations on how to replace the battery on the modules.

Note: If the battery fails simultaneously with a voltage drop, the RETAIN variables lose the
values previously stored. In such a case, the system initializes the values during start-up.


5 Input Modules

5.1 Overview of All Input Modules for the H41q, H41qc and H51q Systems

Module   Safety-related   Non-reactive   (Ex)i   Associated software function block
Digital input modules
F 3221 16-fold input module •
F 3222 8-fold input module •
F 3223 4-fold input module • •
F 3224A 4-fold input module • •
F 3236 16-fold input module • •
F 3237 8-fold input module • • HB-RTE-3
F 3238 8-fold input module • • • HB-RTE-3
F 3240 8-fold input module • •
F 3248 16-fold input module • •
F 5220 2-fold counter module • • HF-CNT-3, -4
Analog input modules
F 6213 4-fold analog input module • • HA-RTE-3
F 6214 4-fold analog input module • • HA-RTE-3
F 6215 8-fold analog input module •
F 6217 8-fold analog input module • •
F 6220 8-fold thermocouple module • • • HF-TMP-3
F 6221 8-fold analog input module • • • HF-AIX-3

Table 7: Input modules for the H41q, H41qc and H51q systems

5.2 Safety and Availability of Safety-Related Input Modules


Due to the high complexity of some types of analog and digital input modules, these modules
have their own 1oo2 microprocessor system that automatically performs safety-related tests
during operation and provides safe data to the safe processing unit.

The safety-related input modules provide diagnostic information that makes it possible to
identify and locate faults.

Note: In safety-related systems, both safety-related and non-reactive input modules can be
used in mixed configurations.

During operation, safety-related input modules automatically perform high-quality, cyclic self-
tests within the H41q, H41qc and H51q systems. The input modules include wiring elements
ensuring that the input module function is tested with special test routines integrated in the
operating system. These test routines are TÜV tested and ensure the safe functioning of the
corresponding module. If faults are detected, error messages are displayed. Detected faults
automatically trigger a safety-related reaction of the system. The error messages are
diagnostic information for the operator. It is thus possible to flexibly create a diagnostic
system when planning and implementing the system.
To increase availability, the safety related input module can also be used redundantly.
Using redundant input modules does not affect the system safety.
Safety-related input modules can be used for both safety-related signals and non-safety-
related signals.
The following conditions apply to the slots permitted for input modules within the system
subracks (H41q, H41qc) and within the I/O subracks (H51q):

H41q, H41qc system: The input modules are inserted into the system subrack. Kits with
12 slots (H41q) or 13 slots (H41qc) are available for I/O modules.
H51q system: Each input module is inserted into an I/O subrack (EABT) with 16 slots. The
basic components required for the EABTs are assembled in kits.

Table 8: Permitted slots

5.2.1 Safety of Sensors, Detectors and Transmitters


Signals are only safety-related if the external sensors, detectors or transmitters have a corresponding proof of safety. If no proof of safety is available, the safety of external sensors, detectors or transmitters can also be ensured by special wiring, see the operating system manual (HI 800 105 E): multiple sensors are wired in a 1oo2, 2oo3 or NooM circuit (1oo2 means 1 out of 2).

The wiring of the sensors can improve their safety and availability. Chapter 7.8 provides a
detailed description of how to implement the various sensor wiring options taking the aspects
of safety and availability into account. The user program must be designed accordingly.

Proof test intervals are defined on the basis of IEC 61508 and form part of the various proofs of safety. The detailed definition of the proof tests depends on the application.

5.3 Safety-Related Digital Input Modules


F 3236, F 3237, F 3238, F 3240 and F 3248

5.3.1 Test Routines


The online test routines check whether the input channels are able to pass both signal levels
(low and high levels), regardless of the signals actually present on the input. This functional
test is performed each time the input signals are read. Whenever a fault occurs in the input
module, the low level (safe state) is processed in the user program.

The modules for proximity switches and for contact makers with line monitoring additionally test the line up to the sensor. A safety-related proximity switch can be connected to these modules. Self-tests ensure that all requirements for detecting the switching thresholds of safety-related proximity switches are met.

The sensor current monitoring for a contact maker requires wiring with two resistors in accordance with the data sheet.


5.3.2 Reaction to Faults Detected in Safety-Related Digital Input Modules

Module fault (input module)
  System reaction: FALSE is forwarded to the user program for all channels.
  Remark: In accordance with the de-energized-to-trip principle, this ensures the system's safe function.

Open-circuit in the sensor circuit
  System reaction: FALSE is read in the affected channel.
  Remark: If modules with line monitoring are used, a line fault is reported. In safety-related inputs, this signal must be evaluated with the HB-RTE-3 software function block (see Annex) to ensure a safe system reaction.

Short-circuit in the sensor circuit
  System reaction: TRUE is read in the affected channel.
  Remark: If modules with line monitoring are used, a line fault is reported. In safety-related inputs, this signal must be evaluated with the HB-RTE-3 software function block (see Annex) to ensure a safe system reaction.

General
  The position of the faulty module is displayed on the diagnostic indicators. For the F 3238 module, which occupies two slots, the position of the right slot is displayed. If input modules with monitoring of the sensor circuit for open-circuits and short-circuits are used, the diagnostic indicators also display the faulty module channel.

Table 9: Reaction to faults detected in safety-related digital input modules
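
The point of Table 9 that is easy to miss is the short-circuit row: a shorted sensor loop reads TRUE, which in a de-energize-to-trip input looks like "no demand". The following Python model is an added illustration for this manual section, not HIMA code and not the HB-RTE-3 block; it shows how a two-resistor contact-maker loop yields four distinguishable current bands, what the module places in the process image for each, and why the reported line fault must override the raw value. The resistor values, supply voltage and band tolerances are assumptions chosen so the states separate cleanly; the real thresholds are in the module data sheet.

```python
"""Line-monitored digital input channel: classify the sensor loop current, then
derive the value that may enter the safety logic.

Added illustration for this section; it is not HIMA code and does not reproduce
the HB-RTE-3 function block.  The two-resistor wiring values, the supply voltage
and the classification bands are assumptions chosen so that the line states are
separable.  The real thresholds are in the module data sheet.
"""
from dataclasses import dataclass
from enum import Enum


class Line(Enum):
    OPEN = "open-circuit"        # no loop current: broken wire or unplugged sensor
    LOW = "low"                  # contact open, current flows via the parallel resistor
    HIGH = "high"                # contact closed, current limited by the series resistor
    UNDEFINED = "between bands"  # neither valid level, treated as a line fault (assumption)
    SHORT = "short-circuit"      # more current than the wiring can produce


# Assumed wiring: supply -> R_SERIES -> [contact || R_PARALLEL] -> module input.
V_SUPPLY = 24.0        # V
R_SERIES = 2_200.0     # ohm, in series with the contact
R_PARALLEL = 5_600.0   # ohm, in parallel with the contact

I_HIGH = V_SUPPLY / R_SERIES                 # contact closed: ~10.9 mA
I_LOW = V_SUPPLY / (R_SERIES + R_PARALLEL)   # contact open:   ~3.1 mA
TOL = 0.25                                   # assumed width of the valid bands


def classify_loop_current(i_amp: float) -> Line:
    """Map a measured loop current to a line state (bands are assumptions)."""
    if i_amp < I_LOW * (1 - TOL):
        return Line.OPEN
    if i_amp <= I_LOW * (1 + TOL):
        return Line.LOW
    if i_amp < I_HIGH * (1 - TOL):
        return Line.UNDEFINED
    if i_amp <= I_HIGH * (1 + TOL):
        return Line.HIGH
    return Line.SHORT


@dataclass(frozen=True)
class ChannelReading:
    raw_value: bool    # level placed in the process image by the module
    line_fault: bool   # reported on the diagnostic indicator when monitoring is used
    line: Line


def read_channel(i_amp: float) -> ChannelReading:
    """Table 9 behaviour: an open-circuit is read as FALSE, a short-circuit as
    TRUE, and both are additionally reported as a line fault."""
    line = classify_loop_current(i_amp)
    raw = line in (Line.HIGH, Line.SHORT)
    return ChannelReading(raw_value=raw,
                          line_fault=line not in (Line.LOW, Line.HIGH),
                          line=line)


def safe_channel_value(reading: ChannelReading) -> bool:
    """De-energize-to-trip evaluation the manual requires for safety-related
    inputs: a channel with a reported line fault is forced to FALSE, so a short
    across the sensor can never look like a healthy 'no demand' signal."""
    return reading.raw_value and not reading.line_fault


if __name__ == "__main__":
    for i_ma in (0.0, 3.1, 6.0, 10.9, 50.0):
        r = read_channel(i_ma / 1000.0)
        print(f"{i_ma:5.1f} mA -> {r.line.value:13s} raw={r.raw_value!s:5s} "
              f"line_fault={r.line_fault!s:5s} safe={safe_channel_value(r)}")
```

Without the second step, the 50 mA case would enter the user program as TRUE and suppress a trip; with it, every line fault degrades to the safe FALSE and the diagnostic indicator carries the reason.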

5.4 Safety-Related F 5220 Counter Module


This two-channel counter module has its own dual processor system with one safety-related output for each channel. It can be used for counting pulses, for measuring the frequency or the rotational speed via an adjustable gate time, and for monitoring the rotation direction.

If the gate time is modified, the correct measured value is only available at the output after three gate times.

5.4.1 Test Routines


The module has its own 1oo2 microprocessor system that automatically performs safety-
related online tests and provides the safe data for safe signal processing to the HF-CNT-3 or
HF-CNT-4 function blocks.


5.4.2 Reactions to Faults Detected in the Safety-Related F 5220 Counter Module

Module fault
  System response: The safety-related outputs are switched off.
  Remark: In the event of a fault, reaction in the safe direction only.

Channel fault
  System response: The assigned safety-related output is switched off.
  Remark: In the event of a fault, reaction in the safe direction only.

Open-circuit, short-circuit or other type of fault within the proximity switch circuit
  System response: The assigned safety-related output is switched off.
  Remark: After removing the fault, the reset signal is required on the input of the HF-CNT-3 / HF-CNT-4 function block.

Table 10: Reaction to faults detected in the safety-related F 5220 counter module

5.5 Safety-Related Analog Input Modules


F 6213, F 6214 and F 6217
If redundantly configured safety-related analog input modules are both functional, the mean value is processed (only as long as the two values lie within the permitted deviation). The mean value is formed by the corresponding function block (F 6213 and F 6214) or by the user program (F 6217). If a fault occurs, only the value of the module that is still functional is processed.

5.5.1 Test Routines


The modules use a test D/A converter to apply test values to the A/D converter, which digitizes both the test values and the input signal; the digitized test values are checked against the expected values.

5.5.2 Reactions to Faults Detected in the Safety-Related Analog F 6213, F 6214 Input Modules

Module or channel fault in single-channel analog inputs
  System response: The configured value is processed in the HA-RTE-3 software function block (see Annex).
  Remark: In the event of a fault, reaction in the safe direction only.

Module or channel fault in redundant analog input modules and redundant transmitters
  System response: If an input module fails, the value of the redundant module or the configured fault value is processed.
  Remark: Minimum, maximum or average determined via the HA-RTE-3 function block (see Annex).

Short-circuit in the transmitter circuit
  System response: Module position and faulty channel displayed on the diagnostic indicator.
  Remark: Only if 4...20 mA is used.

Table 11: Reaction to faults detected in safety-related analog F 6213, F 6214 input modules


5.5.3 Reactions to Faults Detected in the Safety-Related Analog F 6217 Input Modules

Channel fault
  System response: Analog value = 0000; channel fault bit = TRUE.
  Remark: The channel fault bit must be safely processed in the user program.

Module fault
  System response: All analog values = 0000; all channel fault bits = TRUE.
  Remark: See channel fault; concerns all channel fault bits.

Measuring range exceeded (22 mA)
  System response: Max. analog value = 4095; channel fault bit = TRUE.
  Remark: The maximum value allowed must be defined in the user program.

Table 12: Reaction to faults detected in safety-related analog F 6217 input modules

The module has its own 1oo2 microprocessor system that automatically performs safety-related online tests and provides the safe data to the safe processing unit. Each channel has an analog value and a corresponding channel fault bit.

WARNING
Warning! Physical injury due to incorrect measured values possible!
If the channel fault bit is set, a safety-related reaction must be programmed for each
safety-related analog input.
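
Tables 11 and 12 and the warning above leave the evaluation of a redundant analog pair to the user program for the F 6217: mean value while both modules agree, the surviving module when one is faulty, a defined error value and a safe reaction otherwise. The following Python evaluation is an added example for this section, not HIMA code and not the HA-RTE-3 block. It assumes a linear 12-bit raw scale with 4095 = 22 mA (Table 12 only fixes that end point), a 4...20 mA live-zero transmitter, and under/overflow limits, permitted deviation and error value that are application parameters chosen here for illustration.

```python
"""Safe evaluation of a redundant analog input pair, using F 6217-style raw
values with channel fault bits.

Added illustration for this section; it is not HIMA code and does not
reproduce the HA-RTE-3 function block.  Assumptions: the 12-bit raw value is
linear with 4095 = 22 mA (Table 12 only fixes that end point), the transmitter
is a 4...20 mA live-zero device, and the under/overflow limits, permitted
deviation and error value are application parameters chosen for the example.
"""
from dataclasses import dataclass
from typing import Optional

RAW_MAX = 4095             # Table 12: returned when the measuring range is exceeded
RAW_FULL_SCALE_MA = 22.0   # assumption: RAW_MAX corresponds to 22 mA
UNDERFLOW_MA = 3.6         # assumed: below this a 4...20 mA loop is broken or dead
OVERFLOW_MA = 20.5         # assumed: above this the transmitter signals a fault


@dataclass(frozen=True)
class Channel:
    raw: int      # 0...4095 as delivered by the module
    fault: bool   # channel fault bit from the module


def raw_to_ma(raw: int) -> float:
    return raw * RAW_FULL_SCALE_MA / RAW_MAX


def channel_ok(ch: Channel) -> bool:
    """Usable only if the fault bit is clear, the range is not exceeded and the
    current lies inside the live-zero window.  A dead loop reads ~0 mA, which is
    a fault, not a low measurement; the module's 0000 on fault relies on that."""
    if ch.fault or ch.raw >= RAW_MAX:
        return False
    return UNDERFLOW_MA <= raw_to_ma(ch.raw) <= OVERFLOW_MA


@dataclass(frozen=True)
class Result:
    value_ma: Optional[float]  # None when no trustworthy measurement exists
    fault: bool                # TRUE -> the user program must take the safe reaction
    degraded: bool             # TRUE -> running on one module, raise a maintenance alarm
    source: str


def evaluate_pair(a: Channel, b: Channel, max_deviation_ma: float,
                  error_value_ma: Optional[float] = None) -> Result:
    """Mean of both modules while they agree within the permitted deviation,
    the single healthy module if one has failed, and the error value with the
    fault flag set if neither can be trusted or the two disagree."""
    ok_a, ok_b = channel_ok(a), channel_ok(b)
    if ok_a and ok_b:
        ma_a, ma_b = raw_to_ma(a.raw), raw_to_ma(b.raw)
        if abs(ma_a - ma_b) <= max_deviation_ma:
            return Result((ma_a + ma_b) / 2.0, False, False, "mean of both modules")
        # Two healthy-looking channels that disagree: one of them is wrong and
        # the logic cannot tell which, so only the safe direction remains.
        return Result(error_value_ma, True, True, "discrepancy")
    if ok_a:
        return Result(raw_to_ma(a.raw), False, True, "module A only")
    if ok_b:
        return Result(raw_to_ma(b.raw), False, True, "module B only")
    return Result(error_value_ma, True, True, "both channels faulty")


if __name__ == "__main__":
    cases = [
        (Channel(2234, False), Channel(2240, False)),  # healthy pair
        (Channel(0, True), Channel(2240, False)),      # module A reports a channel fault
        (Channel(0, False), Channel(2240, False)),     # loop A dead: reads 0 mA, no fault bit
        (Channel(1000, False), Channel(2000, False)),  # both 'healthy' but far apart
        (Channel(4095, True), Channel(4095, True)),    # range exceeded on both
    ]
    for a, b in cases:
        r = evaluate_pair(a, b, max_deviation_ma=0.2)
        print(f"{r.source:22s} value={r.value_ma} fault={r.fault} degraded={r.degraded}")
```

The third case is the one the warning is about: a dead loop does not necessarily set the module's fault bit, so the user program must treat a current below the live zero as a fault itself rather than as a very low measurement.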

5.6 Safety-Related Analog Intrinsically Safe F 6220 Thermocouple Input Module
The thermocouple module has 8 channels for connecting thermocouples of various types
(according to the parameters set on the HF-TMP-3 function blocks) and one input for
connecting a Pt 100 resistance thermometer as a reference temperature input. It has its own
dual processor system and is configured using the HF-TMP-3 software function block (see
Chapter 2.12 in the Annex and the ELOP II online help) for each channel in use.
The inputs can also be used to measure low voltages, see data sheet.

5.6.1 Test Routines


The module has its own 1oo2 microprocessor system that automatically performs safety-
related online tests and provides the safe data for safe signal processing to the HF-TMP-3
function block. Each of the 8+1 channels provides safe input values and a safe fault status.


5.6.2 Reactions to Faults Detected in the Safety-Related F 6220 Thermocouple Input Module

Module fault
  System reaction: The Channel Fault output on the HF-TMP-3 function block is set to TRUE.
  Remark: The reaction must be implemented in the user program using the Channel Fault output signal.

Channel fault
  System reaction: The Channel Fault output on the HF-TMP-3 function block is set to TRUE.
  Remark: The reaction must be implemented in the user program.

Underflow
  System reaction: The Underflow output on the HF-TMP-3 function block is set to TRUE.
  Remark: The reaction must be implemented in the user program.

Overflow
  System reaction: The Overflow output on the HF-TMP-3 function block is set to TRUE.
  Remark: The reaction must be implemented in the user program.

Table 13: Reaction to faults detected in the safety-related F 6220 thermocouple input module

The Underflow Threshold and Overflow Threshold inputs of the HF-TMP-3 function block are used to define the limit values for underflow and overflow, respectively. If the measured value falls below the configured underflow threshold or exceeds the configured overflow threshold, the corresponding output is set to TRUE, even if no fault occurred in the module.

5.6.3 Configuration Notes


• Unused inputs must be short-circuited.
• A requirement for SIL 3 is that the reference temperature must be taken from the user
program or must be determined by comparing the reference temperatures of two
modules.
• All possible deviations must be considered and taken into account when evaluating
the measured values.
• For SIL 3, the thermocouple temperature must be determined by comparing the
temperatures of two different thermocouples.

5.7 Safety-Related Analog Intrinsically Safe F 6221 Input Module


The analog input module has 8 channels for directly connecting analog transmitters used in the Ex zone. The transmitter supply voltage can be provided by the F 3325 output module (or another supply that meets the data sheet specifications). This transmitter supply voltage must be routed via the F 6221 module for monitoring purposes.
Each channel in use is configured via its own HF-AIX-3 software function block.

5.7.1 Test Routines


The module has its own 1oo2 microprocessor system that automatically performs safety-
related online tests and provides the safe data for safe signal processing to the HF-AIX-3
function block. Each of the 8 channels provides safe input values and a safe fault status.


5.7.2 Reactions to Faults Detected in the Safety-Related Analog F 6221 Input Module

Module fault
  System reaction: The Value output (INT) on the HF-AIX-3 function block is set to 0, and the Channel Fault output is set to TRUE.
  Remark: The Error Value input of the function block must be used to define an error value in the user program.

Channel fault
  System reaction: The Channel Fault output on the HF-AIX-3 function block is set to TRUE.

Underflow
  System reaction: The Underflow output on the HF-AIX-3 function block is set to TRUE.

Overflow
  System reaction: The Overflow output on the HF-AIX-3 function block is set to TRUE.

Table 14: Reaction to faults detected in the safety-related analog F 6221 input module

The Underflow Threshold and Overflow Threshold inputs of the HF-AIX-3 function block are used to define the limit values for underflow and overflow, respectively. If the measured value falls below the configured underflow threshold or exceeds the configured overflow threshold, the corresponding output is set to TRUE, even if no fault occurred in the module.

5.7.3 Additional Configuration Notes


• Unused voltage inputs 0...1 V must be short-circuited on the terminal strip.
• Unused current inputs are terminated with a shunt in the cable plug.
• Only uses specified in the data sheet of the F 6221 module are allowed.
• The Ex protection regulations and Ex connection conditions must be observed.

5.8 Note for Replacing Input Modules


If a fault occurs or during maintenance, the following steps are required for replacing a module:
1. Unscrew the cable plug or remove the input module with inserted cable plug.
2. Insert the new module without cable plug and screw it in place.
3. Plug in the cable plug and screw it in place.
4. Engage the acknowledgment key (ACK key on the central module).

Service interruption possible!
HIMA strongly recommends replacing faulty input modules.


5.9 Checklists for Engineering, Programming and Starting up Safety-Related Input Modules
When engineering or starting up the system, a checklist must be filled out for each of the
safety-related input modules used in the system to verify the requirements to be met. This is
the only way to ensure that all requirements were considered and clearly recorded. The
checklists are also documents demonstrating a thorough engineering.

The checklists associated with this safety manual are available as MS Word files (*.doc) on
the HIMA DVD or can be downloaded from the corresponding Internet page at
www.hima.com.

SDIGE-F3236 For safety-related digital modules


SDIGE-F3237 For safety-related digital modules
SDIGE-F3238 For safety-related digital modules
SDIGE-F3240 For safety-related digital modules
SDIGE-F3248 For safety-related digital modules
SDIGE-F5220 For safety-related counter modules
SANAE-F6213 / F6214 For safety-related analog modules
SANAE-F6217 For safety-related analog modules
SANAE-F6220 For safety-related analog modules
SANAE-F6221 For safety-related analog modules


6 Output Modules

6.1 Overview of All Output Modules for the H41q, H41qc and H51q Systems

Module     Designation                        Safety-related / Non-reactive    Load capacity      Associated software function block

Digital output modules
F 3322     16-fold digital output module      non-reactive                     ≤ 0.5 A
F 3325     6-fold supply device (Ex)          non-reactive                     22 V, ≤ 0.02 A
F 3330     8-fold digital output module       safety-related, non-reactive     ≤ 0.5 A
F 3331     8-fold digital output module       safety-related, non-reactive     ≤ 0.5 A            HB-BLD-3 1), HB-BLD-4 1)
F 3333     4-fold digital output module       safety-related, non-reactive     ≤ 2 A
F 3334     4-fold digital output module       safety-related, non-reactive     ≤ 2 A              HB-BLD-3 1), HB-BLD-4 1)
F 3335     4-fold digital output module (Ex)  safety-related, non-reactive     22 V, ≤ 0.053 A
F 3348     8-fold digital output module       safety-related, non-reactive     ≤ 0.5 A
F 3349     8-fold digital output module       safety-related, non-reactive     ≤ 0.5 A, ≤ 48 V    HB-BLD-3 1), HB-BLD-4 1)
F 3422     8-fold relay module                non-reactive                     ≤ 2 A, ≤ 60 V
F 3430 2)  4-fold relay module                safety-related, non-reactive     ≤ 4 A, ≤ 250 V

Analog output modules
F 6705     2-fold D/A converter               safety-related, non-reactive     0...20 mA          HZ-FAN-3 3)
F 6706     2-fold D/A converter               non-reactive                     0...20 mA

1) For displaying faults and configuring the modes of operation (de-energized to trip, energized to trip).
2) The F 3430 module is not certified in accordance with EN/ISO 13849-1.
3) Required for fault evaluation in current sink mode.

Table 15: Output modules for the H41q, H41qc and H51q systems

6.2 General Notes on the Safety and Availability of Safety-Related Output Modules
The safety-related output modules are written in each cycle; the generated output signals are read back and compared with the output data calculated by the user program.

Additionally, a walking bit test is performed through all outputs within the multiple fault occurrence time (MOT); during the test, the test signal is present for no longer than 200 µs. This ensures that the switchability of the outputs is verified without affecting the function of the connected actuators. As a result, a frozen output is detected even if the output signal is static.
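
The two mechanisms above catch different faults: the per-cycle read-back comparison sees a channel that disagrees with the current demand, while the walking bit test is what exposes a channel frozen at exactly the level that happens to be demanded. The following simulation is an added example for this section, not HIMA firmware; the driver model (stuck-at faults, crosstalk between channels) is constructed to make the difference visible, and the pulse timing is not modelled, only the logic of what each check can observe.

```python
"""Simulation of the output-module checks described above: the per-cycle
read-back comparison and the walking-bit test that briefly inverts one channel
at a time.

Added illustration; not HIMA firmware.  The driver model (stuck-at faults and
crosstalk between channels) is constructed for the example, and the pulse
timing (< 200 us) is not modelled, only the logic of what each check can see.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SimulatedDriver:
    """Output stage model.  `stuck` pins a channel to a level regardless of
    the demand; `crosstalk` maps a channel to another one it drags HIGH."""
    channels: int
    stuck: Dict[int, bool] = field(default_factory=dict)
    crosstalk: Dict[int, int] = field(default_factory=dict)
    _state: List[bool] = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self._state = [False] * self.channels

    def drive(self, pattern: List[bool]) -> None:
        state = list(pattern)
        for src, dst in self.crosstalk.items():
            state[dst] = state[dst] or state[src]
        for ch, level in self.stuck.items():
            state[ch] = level
        self._state = state

    def read_back(self) -> List[bool]:
        return list(self._state)


def cyclic_readback_check(driver: SimulatedDriver, demanded: List[bool]) -> List[int]:
    """Every cycle: write the demand, read the outputs back and report the
    channels whose read-back level differs from the demand.  A channel frozen
    at the level that is currently demanded is invisible to this check."""
    driver.drive(demanded)
    return [i for i, (d, a) in enumerate(zip(demanded, driver.read_back())) if d != a]


def walking_bit_test(driver: SimulatedDriver, demanded: List[bool]) -> List[int]:
    """Within the MOT, invert one channel at a time and verify that exactly that
    channel followed.  A channel that does not follow the inverted demand is
    frozen; any other channel that moved indicates crosstalk.  The demand is
    restored after every step so the actuators never see the test pulse as a
    state change."""
    faulty = set()
    for k in range(len(demanded)):
        test = list(demanded)
        test[k] = not demanded[k]
        driver.drive(test)
        actual = driver.read_back()
        faulty.update(i for i, (want, got) in enumerate(zip(test, actual)) if want != got)
        driver.drive(demanded)
    return sorted(faulty)


def module_reaction(faulty_channels: List[int]) -> str:
    """Section 6.4.2: any detected fault de-energizes the whole module."""
    if faulty_channels:
        return "shut down: all channels de-energized via integrated safety shutdown"
    return "running"


if __name__ == "__main__":
    static_demand = [False, False, False, False]
    frozen = SimulatedDriver(4, stuck={2: False})          # channel 2 frozen LOW
    print("read-back  :", cyclic_readback_check(frozen, static_demand))   # []
    print("walking bit:", walking_bit_test(frozen, static_demand))        # [2]
    coupled = SimulatedDriver(4, crosstalk={0: 1})         # channel 0 drags channel 1
    print("walking bit:", walking_bit_test(coupled, static_demand))       # [1]
```

The frozen channel passes every read-back cycle for as long as the demand stays LOW; it is only the inverted test pulse that proves the channel can no longer switch, which is exactly why the manual bounds the walking bit test by the MOT rather than by the cycle time.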

Safety-related output modules with line monitoring can detect faults in the line to the load. The line monitoring function itself meets the safety requirements only up to SIL 1; this is relevant only if the line monitoring is used in safety-related circuits. The output signal itself can be used in all applications with safety requirements up to SIL 3.

H41q, H41qc system: The output modules are inserted into the system subrack. Kits with 12 slots (H41q) or 13 slots (H41qc) are available for I/O modules.
H51q system: The output modules are inserted into specific I/O subracks (EABTs) equipped with a maximum of 16 slots for I/O modules. The basic components required for the EABTs are assembled in kits (see Chapter 4 on Page 21).

Table 16: Slots for output modules in the H41q, H41qc and H51q systems

6.2.1 Safety-Related Digital Output Modules


The test routines detect faults by comparing the output signals which were read back with the
internal output data. The operating system ensures that the module in the module position
detected as defective enters the safe state and displays this on the diagnostic indicator.
With modules with output circuit monitoring, a detected open-circuit is reported on the
diagnostic indicator with the indication of the faulty module channel. The faulty module is
safely shut down using the integrated safety shutdown.

Additionally, the H8-STA-3 function block can be used to define one or multiple shutdown
groups. An output module fault causes then all remaining output modules of the shutdown
group to be shut down.

Depending on the system safety requirements, the I/O parameters in the resource settings
can be used to configure a complete shutdown of the controller.

6.2.2 Safety-Related Analog Output Modules


The safety-related analog output modules can be used in current source mode or in current
sink mode of operation.

In current source mode, if a fault occurs, the integrated safety shutdown ensures the safe
state (output current 0 mA).

In current sink mode, the safe state can only be achieved taking additional measures. The
user program must safely shut down the supply voltage for the current loop. The faults are
evaluated using the HZ-FAN-3 function block.


6.3 Principles of Function of Safety-Related Output Modules


In safety-related output modules, 3 testable semiconductor switches are connected in series.
Thus, a second independent shutdown function, which is a safety requirement, is integrated
into the output module. If a fault occurs, this integrated safety shutdown function safely de-
energizes all channels of the defective output module (de-energized state).

Figure 1: Principle of the output module circuit with integrated safety shutdown (here with 4 output channels, driven from the IO bus)

6.4 Safety-Related Digital Output Modules

F 3330, F 3331, F 3333, F 3334, F 3335, F 3348, F 3349

6.4.1 Test Routines


The modules are tested automatically during operation. The main test functions are:
1. Reading the output signals back from the switching amplifier. The switching threshold
for a read-back low level is ≤ 6.5 V.
2. Reading the line diagnosis for the activated channels (only with F 3331, F 3334 and
F 3349).
3. Applying the test patterns and testing for crosstalk (walking bit test) within the multiple fault occurrence time.
4. Reading the line diagnosis for all channels (only with F 3331, F 3334 and F 3349).
5. Checking the integrated safety shutdown.

6.4.2 Reaction to Faults Detected in Safety-Related Digital Output Modules
• All faults detected in the modules cause the affected module to enter the safe, de-
energized state, i.e., the module is shut down.
• External short-circuits that cannot be distinguished from internal faults also cause the
module to be shut down.
• Line faults are only signaled and do not lead to the module's shutdown.


6.5 Safety-Related Digital F 3430 Relay Module

6.5.1 Test Routines


The module is automatically tested during operation. The main test functions are:
1. Reading the output signals back from the switching amplifier for the diversified, 3-chan-
nel relay switch.
2. Applying the test patterns and testing for crosstalk (walking bit test) within the multiple
fault occurrence time.
3. Checking the integrated safety shutdown.

6.5.2 Reaction to Faults Detected in Safety-Related Digital Relay Modules

• All faults detected in the modules cause the affected module to enter the safe, de-
energized state, i.e., the module is shut down.
• External short-circuits cause the fuse for the relevant channel to trigger. No error
message is generated.

6.5.3 Notes for Project Planning with F 3430


Relays are electromechanical components with limited service life due to their construction.
The service life of relays depends on the switching capacity of the contacts (voltage/current)
and the number of switching cycles.

At nominal operating conditions, the service life is approx. 300 000 switching operations at
30 VDC and 4 A.

To meet the requirements in accordance with IEC 61508 (PFD/PFH, see Chapter 3.2.1), the proof-test interval is 5 years for use in SIL 3 and 20 years for use in SIL 2.

The required tests are performed by the manufacturer HIMA.

6.6 Safety-Related Analog F 6705 Output Module

6.6.1 Test Routines


The module is automatically tested during operation. The main test functions are:
1. Reading the output signals back.
2. Checking the D/A converter for linearity.
3. Crosstalk test between the outputs.
4. Checking the integrated safety shutdown.

6.6.2 Reactions to faults detected in the safety-related analog output module


In current source mode, all faults detected in the modules cause the affected module to enter
the safe, de-energized state, i.e., the module is shut down via the integrated safety shutdown.

An external open-circuit cannot be distinguished from internal faults and causes the module to be shut down.

In current sink mode, the module can only enter the safe, de-energized state via an external
shutdown. The user program must shut down the voltage supply for the current loop safely.
Therefore, the HZ-FAN-3 function block must be used for evaluating the faults.


6.7 Note for Replacing Output Modules


If a fault occurs or during maintenance, the following steps are required for replacing a module:
Replacing an output module
1. Unscrew the cable plug or remove the output module with inserted cable plug.
2. Insert the new output module without cable plug and screw it in place.
3. Plug in the cable plug and screw it in place.
4. Engage the acknowledgment key (ACK key on the central module).
The output module is replaced.

Service interruption possible!
HIMA strongly recommends replacing faulty output modules.

6.8 Checklists for Engineering, Programming and Starting up Safety-Related Output Modules
When engineering or starting up the system, a checklist must be filled out for each of the
safety-related output modules used in the system to verify the requirements to be met. This
is the only way to ensure that all requirements were considered and clearly recorded. The
checklists are also documents demonstrating a thorough engineering.

The checklists associated with this safety manual are available as MS Word files (*.doc) on
the HIMA DVD or can be downloaded from the corresponding Internet page at
www.hima.com.

SDIGA-F3330 For safety-related digital modules


SDIGA-F3331 For safety-related digital modules
SDIGA-F3333 For safety-related digital modules
SDIGA-F3334 For safety-related digital modules
SDIGA-F3335 For safety-related digital modules
SDIGA-F3348 For safety-related digital modules
SDIGA-F3349 For safety-related digital modules
SDIGA-F3430 For safety-related digital modules
SANAA-F6705 For safety-related analog modules


7 Software
The software for the safety-related HIMA automation devices of the H41q/H41qc and H51q system families is divided into three blocks:
• Operating system
• User program
• Programming tool in accordance with IEC 61131-3 (ELOP II with integrated safety tool).

The operating system must be used in the current version certified by TÜV for safety-related
applications. This version can be found in the version list maintained together with the test
authority (Revision List of Devices and Firmware of H41q/H51q Systems). This document is
created by the joint modification service from TÜV Rheinland Industrie Service GmbH and
HIMA.

The user program is created using the ELOP II programming tool and contains the
application-specific functions to be performed by the automation device. ELOP II is also used
to set the parameters for operating system functions. A code generator translates the user
program into a machine code. ELOP II uses a serial interface or the Ethernet interface to
transfer this machine code to the flash EPROM of the automation device central module.

The main functions of the operating system and the resulting specifications for the user
program are described in the table Operating System Functions of the operating system
manual (HI 800 104 D).

7.1 Safety-Related Aspects of the Operating System


This chapter describes the signature and the basic functionality of the operating system.

7.1.1 Identifying the Current Version Released for Safety-Related Applications (CRC Signature)
Each new operating system is identified by its specific issue status. An additional
identification option is the operating system signature, which can be displayed on the
diagnostic indicator while the automation device is operating.
The valid operating system versions approved by TÜV for safety-related automation devices,
and the corresponding signatures (CRCs) are specified in the Revision List of Devices and
Firmware of H41q/H51q Systems.

7.1.2 Operation and Functions of the Operating System


The operating system executes the user program cyclically. The sequence is represented here in simplified form:
• Reading of input data (hardware inputs)
• Processing of the logic functions in accordance with IEC 61131-3, Section 4.1.3
• Writing of output data (hardware outputs)

The following basic functions are also executed:


• Comprehensive self-tests
• Test of I/O modules during operation
• Data transfer and comparison

A cycle is processed in seven phases. Refer to the operating system manual (HI 800 105 E)
for more details on these phases.


7.2 Safety-Related Aspects of the User Program


General sequence for programming the automation devices of the H41q/H51q system
families for safety-related applications:
1. Specify the controller functionality
2. Write the user program
3. Use the offline simulation to verify the user program
4. Use the C-code generator to compile the user program
5. The proven C compiler (GNU CC) translates the C code two times and generates the
target and comparison codes.
6. The target code comparator compares the target code and the comparison code. It also detects and reports faults caused by the non-safe PC.
7. The operational program resulting from this error-free procedure is loaded into the
H41q or H51q system. The program can then be tested from within the system.
8. Upon successful completion of the test, the PES starts safe operation.

Terms
Load This term indicates the procedure for loading a program into the controller,
either by performing a download or a reload.
Download If a download is performed to load a program into the controller, the controller
is stopped and all its outputs are reset.
Reload If a reload is performed to load a user program into a redundant controller, the
modified user program can be loaded into the central modules one after the
other. In the process, a central module is always operating in MONO mode.
The controller is not stopped.
If the PES is only equipped with one central module, the outputs are held for the duration of the loading process.
A reload can only be performed if a reloadable code was generated beforehand.

7.2.1 Requirements and Rules for Use in Safety-Related Applications (e.g., Requirements Resulting from the Type Approval Report)
The user program is input with the ELOP II programming tool for personal computers with
Windows® operating system. Additionally, the PC must be equipped with a hardlock module
from HIMA.

The ELOP II programming tool includes the following functions:


• Input (Function Block Editor), monitoring and documentation.
• Variables with symbolic names and variable types (BOOL, UINT, etc.).
• Resource assignment (HIMA H41q/H51q automation systems)
• Code generator (for translating the user program into a machine code) with C code
generator and GNU C compiler.
7.2.1.1 Programming Basics
The tasks to be performed by the controller should be defined in a specification or a
requirements specification. This documentation serves as the basis for checking its proper
implementation in the program. The specification format depends on the tasks to be
performed. These include:
• Combinational logic:
• Cause/effect diagram
• Logic of the connection with functions and function blocks
• Function blocks with specified characteristics.


• Sequential controllers (sequence control system)


• This is a written description of the steps and their enabling conditions, and a descrip-
tion of the actuators to be controlled.
• Flow charts in accordance with DIN EN 60848
• Matrix or table form of the step enabling conditions and the actuators to be controlled
• Definition of constraints, e.g., operating modes, EMERGENCY STOP, etc.

The automation concept of the system must include an analysis of the field circuits, i.e., the
type of sensors and actuators:
• Sensors (digital or analog)
• Signals during normal operation (de-energize-to-trip principle with digital sensors, live zero with analog sensors)
• Signals in the event of a fault:
• Definition of required safety-related redundancies (1oo2, 2oo3)
• Discrepancy monitoring and reaction.

• Actuators
• Positioning and activation during normal operation
• Safe reaction/positioning at shutdown or after power loss.
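
The redundancy and discrepancy items in the analysis above are where the sensor wiring options of section 5.2.1 (1oo2, 2oo3, NooM) turn into user-program logic. The following Python voter is an added example covering both passages; it is not HIMA code and reproduces no HIMA function block. It assumes de-energize-to-trip signals (TRUE = energized, no demand; FALSE = demand), a discrepancy time chosen for the example, and the application decision that a latched discrepancy withdraws the permit rather than only raising an alarm.

```python
"""Redundant sensor evaluation for de-energize-to-trip digital signals: NooM
voting with discrepancy monitoring.

Added illustration of the 1oo2 / 2oo3 wiring options named in section 5.2.1
and of the redundancy and discrepancy analysis asked for in section 7.2.1.1.
It is not HIMA code and reproduces no HIMA function block.  Assumptions: TRUE
is the energized 'no demand' level and FALSE a demand (de-energize-to-trip),
a latched discrepancy withdraws the permit (an application decision), and the
discrepancy time is chosen for the example.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Voter:
    n: int                     # demands needed for a trip: 1oo2 -> 1, 2oo3 -> 2
    m: int                     # number of redundant sensors
    discrepancy_time_s: float  # how long the sensors may disagree before a fault is assumed
    fault: bool = field(default=False, init=False)
    _discrepant_for: float = field(default=0.0, init=False, repr=False)

    def step(self, inputs: List[bool], dt_s: float) -> bool:
        """One controller cycle; returns the permit (TRUE = keep running).
        Trips when at least n of m sensors demand.  Sensors disagreeing for
        longer than the discrepancy time latch a sensor fault, which also
        withdraws the permit until reset()."""
        if len(inputs) != self.m:
            raise ValueError(f"expected {self.m} sensor signals, got {len(inputs)}")
        demands = sum(1 for s in inputs if not s)
        if 0 < demands < self.m:
            self._discrepant_for += dt_s
        else:
            self._discrepant_for = 0.0
        if self._discrepant_for > self.discrepancy_time_s:
            self.fault = True
        if self.fault:
            return False
        return demands < self.n

    def reset(self) -> None:
        """Operator acknowledgement after the sensor fault has been repaired."""
        self.fault = False
        self._discrepant_for = 0.0


if __name__ == "__main__":
    v_1oo2 = Voter(n=1, m=2, discrepancy_time_s=1.0)
    print("1oo2, one sensor demands :", v_1oo2.step([True, False], 0.1))         # False: trip
    v_2oo3 = Voter(n=2, m=3, discrepancy_time_s=1.0)
    print("2oo3, one sensor demands :", v_2oo3.step([True, False, True], 0.1))   # True: still running
    for _ in range(5):                                        # 1.25 s more of disagreement
        permit = v_2oo3.step([True, False, True], 0.25)
    print("2oo3 after discrepancy   :", permit, "fault =", v_2oo3.fault)         # False, True
```

The 2oo3 case shows why discrepancy monitoring is listed as a separate item: a single sensor stuck at FALSE never trips a 2oo3 group on its own, so without the timer it would silently degrade the group to 2oo2 and the failure would go unnoticed until the next proof test.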

Programming goals for user program:


• Comprehensibility
• Traceability
• Alterability

7.2.2 Safety-Related Aspects of Programming with ELOP II


The ELOP II programming tool is used to create user programs.
Operating conditions such as supported Windows version, are specified in the documentation
of the corresponding ELOP II version.
The safety concept of ELOP II ensures that
• the programming tool functions properly, i.e., faults in the programming tool are detected;
• the user employs the programming tool properly, i.e., user mistakes are detected.

When a safety-related controller is started up for the first time, a comprehensive functional test is performed to verify the safety of the entire system. Previously, a complete functional test was also required whenever the user program was changed.
The safety tool included in ELOP II is in accordance with IEC 61131-3 and ensures that only the changes need to be verified when the user program is modified. This safety tool is used to detect user mistakes and programming tool failures.
The ELOP II safety tool is composed of three function blocks essential for safety:
• C code comparator
• Target code comparator
• Proven GNU C compiler.
The C code comparator identifies changes performed to the user program. The target code
comparator compares two target codes generated consecutively by the GNU C compiler
(GNU CC). This action prevents faults due to an unsafe PC.
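
The C code comparator is what makes "only the changes must be verified" defensible: it localizes a modification to the generated units that actually differ, so the functional re-test can be scoped to them while everything else keeps its earlier verification. The following Python comparator is an added example for this section, not the HIMA tool; it splits two generated C sources into top-level units, hashes each one, and lists the units to re-verify. The splitter is deliberately simple (brace counting, no handling of comments, string literals or function-pointer parameters) and the two C sources are constructed.

```python
"""Minimal C-code comparator in the spirit of the ELOP II safety tool: split two
generated C sources into top-level units, hash each unit, and report which
units changed so that only those have to be re-verified.

Added illustration; not the HIMA tool.  The splitter is deliberately simple
(it counts braces and does not understand comments, string literals or
function-pointer parameters) and the two C sources are constructed.
"""
import hashlib
import re
from typing import Dict, List

_FUNC_NAME = re.compile(r"(\w+)\s*\([^)]*\)\s*$", re.S)


def _normalize(text: str) -> str:
    """Whitespace-only edits do not change the generated machine code."""
    return re.sub(r"\s+", " ", text).strip()


def split_units(src: str) -> Dict[str, str]:
    """Return {unit name: unit text}.  Every top-level brace block becomes one
    unit named after the identifier in front of its parameter list; all text
    outside function bodies (includes, globals) is collected in '<global>'."""
    units: Dict[str, str] = {}
    global_parts: List[str] = []
    depth, start, body_start = 0, 0, None
    for i, ch in enumerate(src):
        if ch == "{":
            if depth == 0:
                body_start = i
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0 and body_start is not None:
                header = src[start:body_start]
                cut = start + header.rfind(";") + 1   # declarations before the signature
                global_parts.append(src[start:cut])
                sig = src[cut:body_start].strip()
                m = _FUNC_NAME.search(sig)
                name = m.group(1) if m else f"unit@{cut}"
                units[name] = src[cut:i + 1]
                start, body_start = i + 1, None
    global_parts.append(src[start:])
    units["<global>"] = "".join(global_parts)
    return units


def unit_digests(src: str) -> Dict[str, str]:
    return {name: hashlib.sha256(_normalize(text).encode()).hexdigest()
            for name, text in split_units(src).items()}


def compare_c_code(old_src: str, new_src: str) -> Dict[str, str]:
    """Classify every unit as unchanged / changed / added / removed."""
    old, new = unit_digests(old_src), unit_digests(new_src)
    report: Dict[str, str] = {}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report[name] = "added"
        elif name not in new:
            report[name] = "removed"
        else:
            report[name] = "unchanged" if old[name] == new[name] else "changed"
    return report


def units_to_reverify(report: Dict[str, str]) -> List[str]:
    """Everything that is not identical (modulo whitespace) to the verified old
    code goes through the functional test again; unchanged units keep their
    earlier verification."""
    return [name for name, state in report.items() if state != "unchanged"]


# Constructed sample: OLD_C stands for the backed-up, verified program; NEW_C
# adds a latch to the interlock and only re-indents the voter.
OLD_C = """
#include <stdint.h>
static uint8_t trip_latch;

uint8_t vote_1oo2(uint8_t a, uint8_t b) {
    return a && b;
}

uint8_t interlock(uint8_t pressure_ok, uint8_t temp_ok) {
    return pressure_ok && temp_ok;
}
"""

NEW_C = """
#include <stdint.h>
static uint8_t trip_latch;

uint8_t vote_1oo2(uint8_t a, uint8_t b) { return a && b; }

uint8_t interlock(uint8_t pressure_ok, uint8_t temp_ok) {
    return pressure_ok && temp_ok && !trip_latch;
}
"""

if __name__ == "__main__":
    report = compare_c_code(OLD_C, NEW_C)
    for name, state in report.items():
        print(f"{name:12s} {state}")
    print("re-verify:", units_to_reverify(report))   # ['interlock']
```

Two design points carry over from the real tool: the comparison runs on the generated C code rather than on the graphical source, so it also catches changes the code generator introduces, and the reference is the comparison file kept in the backup of the running program, not whatever happens to be on the engineering PC.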


Utilities that are not safety-related:

• The revision management integrated in ELOP II. It can be used to uniquely identify
the relevant project versions.
• The offline simulation represented in the flow diagram Figure 2. The offline simulation
verifies whether the user program complies with the specification, but has no effect on
the process.
7.2.2.1 Using the ELOP II Safety Tool when Creating the Program
The reference points used in the following text are specified in Figure 2.
1. Creation of a user program in accordance with a binding specification (e.g., based
upon IEC 61508 or a corresponding user standard); points (1) through (4) in the flow
diagram Figure 2.
2. The C code generator compiles the user program into C code and generates a
comparison file; point (5) in the flow diagram.

DANGER
Danger! Physical injury due to malfunction possible!
A cross-reference list must be generated for the user program and checked for correct
use of the variables. It must be verified that all variables are only used in the positions
indicated in the specification.

3. The proven compiler (GNU CC) translates the C code and the comparison file, points
(6) and (13). The target code and the comparison code are generated.

DANGER
Danger! Physical injury due to malfunction possible!
The target code comparator must be activated, point (14). It compares the target code
and the comparison code. It also detects and reports faults caused by the unsafe PC.

4. Load the resulting operational program into the H41q or H51q system, point (7). Then,
the program must be completely tested and accepted, point (8).
5. Generate a backup of the target code.
6. The PES starts safe operation.
7.2.2.2 Using the ELOP II Safety Tool when Modifying the Program
1. Modification of a user program in accordance with a binding specification (e.g., based
upon IEC 61508, DIN V VDE 0801 or a corresponding user standard); points (1)
through (4) in the flow diagram.
The modification is based on the backup of the running user program. This backup
includes:
• Comparison file
• Target code
• Input data
2. The C code generator compiles the modified user program into the new C code, point (5).
3. The C code comparator must be activated, point (12). It compares the new C code with
the old C code of the previous program version, point (11). The backup must be
indicated as comparison file (old C code).
4. The result of the comparison is documented, point (15).
5. Check whether the C code comparator displays the changes performed to the user
program. Only code-relevant changes are indicated.


6. Results of the C code comparator:

a) It reports changes that the user does not recognize. Possible reasons:
- The change performed by the user resulted in additional unplanned modifications.
- An internal fault occurred.
b) It does not report the changes performed by the user. Possible reasons:
- They are changes which are not recognized by the C code comparator, such as
graphic changes or changes to initial values.
- They are changes that were not adopted correctly.
7. The compiler (GNU CC) translates the new C code and the new comparison file, points
(6) and (13). It generates the target and comparison codes.
8. The target code comparator must be activated, point (14). It compares the target code
and the comparison code. Faults due to an unsafe PC are thus recognized and
reported.
9. The operational program resulting from this procedure is loaded into the H41q/H51q
system. At this level, all modified program parts must be tested. The test is intended to
verify the correctness of the target code.
10. If no malfunction results, a backup of the new current program must be generated. The
PES can start safe operation.
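As an added illustration of the comparator flow in 7.2.2.1 and 7.2.2.2 (this is not HIMA code, and the C code generator and compiler below are constructed stand-ins, not ELOP II's or GNU CC's), the following Python model generates C code from a small program description, diffs the old and new C code the way the C code comparator reports code-relevant changes, and compiles the same C code twice so that a mismatch between the two target codes reveals a corrupted build on the PC. The program format, function names and the SHA-256 "compiler" are assumptions made for the example.

```python
"""Toy model of the ELOP II safety-tool flow described in 7.2.2.1 / 7.2.2.2.

Added illustration, not HIMA code: the C code generator and the compiler are
constructed stand-ins so that both comparators can be exercised offline."""
import difflib
import hashlib

# A user program is modelled as ordered (output, expression) pairs; the
# expression notation is a constructed stand-in for function block logic.
PROGRAM_OLD = [
    ("PUMP_ON", "TEMP_OK AND NOT ESD"),
    ("ALARM", "NOT TEMP_OK"),
]
PROGRAM_NEW = [
    ("PUMP_ON", "TEMP_OK AND NOT ESD AND LEVEL_OK"),   # the intended change
    ("ALARM", "NOT TEMP_OK"),
]


def generate_c_code(program):
    """Stand-in C code generator: deterministic C-like text.

    Only logic reaches this output (no graphics, no comments), which is why
    the comparator reports only code-relevant changes (7.2.2.2 step 5)."""
    lines = ["/* generated */"]
    for output, expr in program:
        c_expr = expr.replace(" AND ", " && ").replace("NOT ", "!")
        lines.append(f"{output} = ({c_expr});")
    return "\n".join(lines) + "\n"


def c_code_comparator(c_old, c_new):
    """Report differences between the backup (old) and the new C code.

    Returns the changed lines of a unified diff; [] means 'no change'."""
    return [
        line for line in difflib.unified_diff(
            c_old.splitlines(), c_new.splitlines(),
            fromfile="C code (old)", tofile="C code (new)", lineterm="")
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def compile_target(c_code, fault=None):
    """Stand-in compiler: the 'target code' is SHA-256 over the C text.

    `fault` flips one bit of the result to model a corrupted build on the PC."""
    target = bytearray(hashlib.sha256(c_code.encode()).digest())
    if fault is not None:
        target[fault] ^= 0x01
    return bytes(target)


def target_code_comparator(c_code, fault=None):
    """Compile twice and compare (point 14): two builds of the same input
    must be identical, otherwise the PC is suspect."""
    return compile_target(c_code) == compile_target(c_code, fault=fault)


def modification_check(program_old, program_new, expected_changed_outputs):
    """Steps 2 to 8 of 7.2.2.2: generate, compare old/new C code, confirm
    that exactly the intended outputs changed, then run the target comparator."""
    c_old, c_new = generate_c_code(program_old), generate_c_code(program_new)
    diff = c_code_comparator(c_old, c_new)
    changed = {line[1:].split(" = ")[0] for line in diff if " = " in line}
    return {
        "diff": diff,
        "unexpected_changes": sorted(changed - set(expected_changed_outputs)),  # step 6 a)
        "changes_not_reported": sorted(set(expected_changed_outputs) - changed),  # step 6 b)
        "target_code_ok": target_code_comparator(c_new),
    }


if __name__ == "__main__":
    for line in modification_check(PROGRAM_OLD, PROGRAM_NEW, ["PUMP_ON"])["diff"]:
        print(line)
```

The two `modification_check` result lists mirror step 6: an entry in `unexpected_changes` is a change the user did not plan, an entry in `changes_not_reported` is an intended change the comparator did not see, and either one must be resolved before the target code is loaded.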


Figure 2: Flow Diagram, Function of the Safety Tool

7.2.3 Use of Variables and PCS Names


The names and data types of the variables are defined using the Variable Declaration Editor.
All the user program variables are assigned symbolic names. These symbolic names may
include a maximum of 256 characters.

Symbolic names are also used for physical inputs and outputs and may include up to 256
characters.


The user has two essential advantages when using symbolic names instead of physical
addresses:
• The system denominations of inputs and outputs are used in the user program.
• The modification of how the signals are assigned to the input and output channels
does not affect the user program.
7.2.3.1 Assigning PCS Names to Variable Names
PCS names should be assigned to variable names in accordance with the measuring points
list or a list of sensors and actuators.
Variable names are assigned to the used hardware in the dialog box for the resource, under
Process cabinet. The following information is entered: the required subrack type and position
(1-1 through 1-8 or 2-1 through 2-8), the slot and type of the required module and the PCS
names to be assigned to the variable names.

TIP For practical reasons, the variable name and the PCS name should be identical.

The number of channels (names) per module depends on the type of module used. The
required test routines for safety-related I/O modules are automatically executed by the
operating system.
HIMA recommends grouping the input and output modules used in the I/O subracks into
functional units.
The functional units may be grouped in accordance with the following aspects:
• Grouping in accordance with the plant parts
• Homogeneous arrangement of the modules, such as:
  • Digital/analog system components
  • Safety-related/non safety-related I/O modules
• Redundant grouping into various I/O subracks in the same order
• Spare modules or channels for later reload (reloadable code)


7.2.3.2 Types of Variables


Depending on the program organization unit (POU) – program, function block or function –,
different types of variables can be defined. The following table provides an overview:

Type of variable            | User program PROG  | Function block FB | Function FUN | Use
VAR (CONST 1), RETAIN 2))   | X (CONST, RETAIN)  | X (CONST)         | X            | Local variable
VAR_INPUT                   | -                  | X                 | X            | Input variable
VAR_OUTPUT (RETAIN)         | -                  | X                 | X            | Output variable
VAR_EXTERNAL (CONST)        | -                  | X                 | -            | Externally from / to another POU
VAR_GLOBAL (CONST, RETAIN)  | X                  | -                 | -            | Global from another POU
VAR_ACTION                  | X                  | X                 | X            | In the action block of the sequential function chart
1) CONST: Constant that can be changed in the online test without the need to recompile the user
program. It cannot be written by the user program.
2) RETAIN: Non-volatile variable, i.e., its value is retained after a voltage drop and resumption of
power supply.

Table 17: Types of Variables in ELOP II


Variables that are not initialized are reset to zero or FALSE after a cold start.
7.2.3.3 Digital Inputs and Outputs for Boolean Variables
When the resource is defined, a distinction is made between digital inputs and outputs and
safety-related digital inputs. For safety-related functions, only safety-related I/O modules may
be used. For most safety-related I/O modules, HIMA standard function blocks must be
planned in the user program (see Annex).
Non-safety-related I/O modules are only read or written by the operating system and are not
subject to further test routines. For this reason, a defect is not detected by the operating
system and no error message appears. HIMA recommends using safety-related I/O modules
only, because of their extended diagnostics.
7.2.3.4 Analog I/O Modules
Analog input modules convert analog values (voltages, currents) into digital values with 12-bit
resolution.
Analog output modules convert 12-bit digital values into currents 0...20 mA or 4...20 mA.

For most analog safety-related and non safety-related I/O modules, HIMA function blocks
must be used in the user program, see Annex.
7.2.3.5 Imported or Exported Variables
The data of the variables to be imported or exported are either forwarded for HIMA
communication via HIPRO (PES master) or to third-party systems via the serial interfaces.
Protocols available for third-party systems are Modbus, Modbus TCP, PROFIBUS DP and
3964R. The data can also be transmitted to an OPC server via an Ethernet protocol. The
import and export variables are processed in the user program like normal input and output
variables. They are defined in the variable declaration of the program instance.

Boolean variables may be assigned the Event attribute. Events are signal changes of
Boolean variables with additional information about the time (date and time). The timestamp
of an event corresponds to the time of the automation device in millisecond precision.

7.2.4 User Program Signatures


Unintentional or unauthorized changes to the user program can be detected by means of
multiple CRC signatures. These signatures are referred to as version numbers. The following
version numbers exist in ELOP II:
• Code version number
• Run version number
• Data version number
• Area version number
7.2.4.1 Code Version Number
The code version number is created using the functions of the programmed logic. The
controller function can only be viewed on a PC if the code version of the program loaded in
the controller and in the programming device are identical.
The following actions have no influence on the code version number:
• Writing or deleting of comments
• Setting or deleting of online test fields (OLT fields), i.e., force information
• Shifting of lines or function blocks, if the processing sequence does not change
• Changing of the SIO parameters themselves, but not activating/deactivating the SIO
parameters
• Bus parameters.

Changes of the basic addresses for external/Modbus coupling may result in a change of the
code version number. With all other changes, the code version number changes as well.
7.2.4.2 Run Version Number
The controller generates the run version number during operation. Its comparison with a
currently valid and documented run version number shows whether the program loaded into
the controller has changed (which is also displayed on the diagnostic indicators).
The run version number changes in the following cases:
• A different code version number is in use (does not apply to all changes)
• Modules were added or deleted
• Other system parameters are in use
• VAR_CONST have been added or deleted
• VAR_CONST values have changed
• The resource type has changed
• Settings have been changed online
• I/O variables have been forced in the online test field
• The position of the force main switch has changed
7.2.4.3 Data Version Number
The data version number refers to the definition of non-safety-related imported or exported
variables and changes in the following case:
• If the name of a variable with attributes for HIPRO-N (non safety-related) changes.
• If these variables were compressed when generating a non-reloadable code (if
memory gaps exist).
7.2.4.4 Area Version Number
The area version number records all the variables defined in a project and changes in the
following cases:
• If modules within the control cabinet are deleted or added.
• If the generation of reloadable code is set and more variables are associated with the
attributes of the following types than are deleted:
HIPRO N, HIPRO S, BUSCOM, event, 3964R


• If the generation of non-reloadable code is set and variables are added or deleted and
are associated with the attributes of the following types:
HIPRO N, HIPRO S, BUSCOM, event, 3964R.
• If the memory must be reorganized because the memory limit was reached.

Changes of the basic addresses for external/Modbus coupling may result in a change of the
area version number.
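The following Python model is an added illustration of how layered CRC signatures separate "what the logic does" from "how the controller is currently operating", in the spirit of the code and run version numbers of 7.2.4.1 and 7.2.4.2 and of the CRC 0 rule in Chapter 7.4.3. It is not ELOP II's algorithm: which fields enter each signature follows the lists on this page, but the program model, the field names and the canonical encoding are assumptions made here. It shows that editing a comment leaves both numbers unchanged, that changing a VAR_CONST value or the force main switch changes only the run version, and that changing the logic or its processing sequence changes the code version.

```python
"""Layered CRC signatures in the spirit of 7.2.4 (added illustration, not
ELOP II's algorithm; program model and encoding are assumptions)."""
import zlib
from dataclasses import dataclass, field


@dataclass
class UserProgram:
    logic: list                                   # ordered (output, expression) pairs
    comments: dict = field(default_factory=dict)  # output -> free text, never signed
    consts: dict = field(default_factory=dict)    # VAR_CONST name -> value
    modules: tuple = ()                           # constructed slot labels, e.g. "1-1/3:F 3237"
    force_main_switch: bool = False


def _crc(parts):
    """CRC-32 over a canonical, separator-delimited encoding of `parts`."""
    data = "\x1f".join(str(p) for p in parts).encode("utf-8")
    return zlib.crc32(data) & 0xFFFFFFFF


def code_version(program):
    """Depends only on the programmed logic and its processing sequence;
    comments and force settings are deliberately left out (7.2.4.1)."""
    return _crc(f"{out}={expr}" for out, expr in program.logic)


def run_version(program):
    """Formed from the code version plus the operating state 7.2.4.2 lists:
    modules in use, VAR_CONST values and the force main switch position."""
    return _crc([code_version(program), sorted(program.modules),
                 sorted(program.consts.items()), program.force_main_switch])


def loadable(program):
    """7.4.3: a program whose compile-time CRC is 0 must not be loaded."""
    return code_version(program) != 0


if __name__ == "__main__":
    demo = UserProgram(logic=[("PUMP_ON", "TEMP_OK AND NOT ESD")],
                       consts={"T_MAX": 80}, modules=("1-1/3:F 3237",))
    print(f"code version {code_version(demo):08X}, run version {run_version(demo):08X}")
```

Comparing a documented run version number against the one the controller reports is the check 7.2.4.2 describes; in this model the comparison fails as soon as a constant is retuned online or forcing is enabled, even though the code version, and therefore the documented logic, is unchanged.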

7.2.5 Use of Standard Function Blocks for Safety-Related Applications


The following list specifies the HIMA standard function blocks for safety-related applications.
Refer to HIMA website at www.hima.com or the HIMA DVD for a functional description of the
function blocks.
7.2.5.1 Standard Function Blocks, Not Depending on the I/O Level

Type      | Function                          | TÜV test 1) (Safety-related / Non-reactive)
H8-UHR-3  | Date and time                     | •
HK-AGM-3  | PES master monitoring             | •
HK-COM-3  | Communication module monitoring   | •
HK-LGP-3  | LGP evaluation and configuration  | •
HK-MMT-3  | Modbus master                     | •
HA-LIN-3  | Temperature linearization         | • •
HA-PID-3  | PID controller                    | • •
HA-PMU-3  | Configurable transmitter          | • •

Table 18: Standard function blocks, not depending on the I/O level
1) In the TÜV test column, the symbol • indicates that a TÜV safety certificate exists for the
corresponding function block. For the safety-related application of the function blocks, refer to the
documentation of these function blocks.


7.2.5.2 Standard function blocks, depending on the I/O level

Type      | Function                                                     | TÜV test 1) (Safety-related / Non-reactive)
H8-STA-3  | Grouping of safety-related testable outputs                  | • •
HA-RTE-3  | Monitoring of analog testable F 6213 / F 6214 input modules  | • •
HB-BLD-3  | Module and line diagnosis of testable outputs                | • •
HB-BLD-4  | Module and line diagnosis of testable outputs                | • •
HB-RTE-3  | Monitoring of binary, testable input modules                 | • •
HF-AIX-3  | Monitoring of analog testable F 6221 input modules           | • •
HF-CNT-3  | Counter function block for the F 5220 module                 | • •
HF-CNT-4  | Counter function block for the F 5220 module                 | • •
HF-TMP-3  | Configuration function block for the F 6220 module           | • •
HZ-FAN-3  | Fault indicators for testable I/O modules                    | •
HZ-DOS-3  | Non safety-related diagnosis                                 | •
1) In the TÜV test column, the symbol • indicates that a TÜV safety certificate exists for the
corresponding function block. For the safety-related application of the function blocks, refer to the
documentation of these function blocks.

Table 19: Standard function blocks, depending on the I/O level


The following function blocks may be used in safety-related applications, but not for safety-
related actions:
• H8-UHR-3
• HK-AGM-3
• HK-LGP-3
• HK-MMT-3
• HZ-FAN-3
• HZ-DOS-3

Refer to the HIMA website at www.hima.com and the HIMA DVD for further details.

7.2.6 Setting the Parameters for the Automation Device


The parameters listed below define how the automation device behaves during operation and
are configured in the properties menu for the resource.
7.2.6.1 Safety Parameters
The following safety parameters can be set in the resource's properties:
• The parameters for safety-related operation of the automation device.
• The actions allowed with the PADT during safety-related operation


Safety-Related Parameters               | Recommended settings
Parameters that can be modified online  | Reset, depending on the project
Safety parameters
  Safety time in s                      | Process-dependent
  Watchdog time in ms                   | No more than half of the safety time value
  Requirement class                     | 6, corresponds to SIL 3, depending on the project
Changeable values
  Constants                             | Reset
  Variables                             | Reset
  I/O forcing                           | Reset
Allowed actions
  Test mode                             | Reset
  Start                                 | Reset
  Reload                                | Depending on the project

Table 20: Safety-Related Parameters

For operating system versions prior to (07.14), the safety time must not be set to 255 s!
Only values within 1...254 s are allowed!

Parameters that may be defined for safety-related operation are not firmly bound to any
specific safety integrity levels. Instead, each of these must be agreed upon together with the
responsible test authority for each separate implementation of the automation device.
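As an added plausibility check for the resource parameters of Table 20 (example code, not an ELOP II function; the parameter names, the (major, minor) operating system version tuple and the project SIL argument are assumptions), the following Python routine encodes the rules stated in 7.2.6.1: the safety time range for operating systems prior to 07.14, the watchdog time of at most half the safety time, requirement class 6 for a SIL 3 project, and the recommended Reset for the online-changeable values and allowed actions. Reload is project-dependent and therefore not checked.

```python
"""Plausibility check for the Table 20 safety parameters (added example;
parameter names and the os_version tuple are assumptions)."""


def check_safety_parameters(params, os_version, project_sil=3):
    """Return a list of findings; an empty list means the Table 20
    recommendations hold for the given parameters.

    params keys (assumed names): safety_time_s, watchdog_time_ms,
    requirement_class, and the flags constants, variables, io_forcing,
    test_mode, start (True = set, False = reset)."""
    findings = []
    safety_time = params["safety_time_s"]
    watchdog = params["watchdog_time_ms"]

    # Operating systems before 07.14: 255 s is forbidden, only 1...254 s allowed.
    if os_version < (7, 14) and not 1 <= safety_time <= 254:
        findings.append("safety time must be within 1...254 s for OS < 07.14")

    # Watchdog time: no more than half of the safety time (note ms versus s).
    if watchdog > safety_time * 1000 / 2:
        findings.append("watchdog time exceeds half of the safety time")

    # Requirement class 6 corresponds to SIL 3; other levels are project-specific.
    if project_sil == 3 and params["requirement_class"] != 6:
        findings.append("requirement class 6 expected for a SIL 3 project")

    # Values changeable online and allowed actions: recommended setting is Reset.
    for key in ("constants", "variables", "io_forcing", "test_mode", "start"):
        if params.get(key, False):
            findings.append(f"{key} should be reset for safety-related operation")

    return findings


RECOMMENDED = {  # constructed example that follows the Table 20 recommendations
    "safety_time_s": 2, "watchdog_time_ms": 1000, "requirement_class": 6,
    "constants": False, "variables": False, "io_forcing": False,
    "test_mode": False, "start": False, "reload": False,
}

if __name__ == "__main__":
    print(check_safety_parameters(RECOMMENDED, os_version=(7, 14)) or "no findings")
```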


7.2.6.2 Behavior if Faults Occur in Safety-Related Output Channels


The following table shows the setting options for the Behavior in Case of Output Faults
parameter. This parameter is located in the IO parameter tab of the resource's Properties
dialog.

Setting: Display only
Shutdown via the safety shutdown integrated in the output amplifier. If this is not possible,
the watchdog signal within the I/O subrack is switched off via the connection module
(H51q systems only).
The watchdog signal in the corresponding central module is not switched off.
The user program and communication continue to run.
Only allowed up to SIL 1!

Setting: Emergency stop
The watchdog signal of the corresponding central module is switched off, which also results
in the shutdown of the output channels.
The user program and communication are stopped.

Setting: Normal operation
Reaction as described in Display only; additionally, the watchdog signal in the corresponding
grouping is switched off if a group was configured beforehand using the H8-STA-3 function
block (Chapter 2.1 in the Annex).
The watchdog signal in the corresponding central module is switched off (error stop) if no
group was configured beforehand or the group relay is faulty. In this scenario, the user
program and communication are stopped.
Required with SIL 2 and beyond.
Usual and recommended setting.

Table 21: Settings for the Behavior in Case of Output Faults parameter
When a fault occurs, communication with the PADT does not depend on the setting of the
Behavior in Case of Output Faults parameter.

7.2.7 Identifying the Program


The user program can be uniquely identified using the code version number. This also allows
one to uniquely identify the corresponding backup (archive version).
If it is not clear which backup copy is the correct one, the relevant backup must be compiled
with download option and its target code must be compared to the code version of the loaded
program.
With reloadable codes, this may only be done if the code was generated in the following way:
1. Perform the last change
2. Generate (compile) the reloadable code, resulting in code version A
3. Load controller with code version A
4. Generate the reloadable code, resulting in code version B, which can be identical to A
5. Load controller with code version B
6. Each additional code generation without changes results in code version B

7.2.8 Checking the Created User Program for Compliance with the Specified
Safety Function
A number of suitable test cases covering the specification must be created for the verification.
It is not necessary to perform 2^20 test cases for 20-fold AND gates. The independent test of
each input and of the most important logic connections is usually sufficient. This series of
tests is sufficient since ELOP II and the measures defined in this safety manual make it
sufficiently improbable that code generated properly from a semantic and syntactic point of
view can still contain undetected systematic faults resulting from the code generation
process.
An appropriate series of tests must also be generated for numerically evaluated formulas.
Equivalence class tests are convenient: tests within defined ranges of values, at the limits of
those ranges, and within invalid ranges of values. The test cases must be selected such that
the calculation can be proven to be correct. The required number of test cases depends on
the formula used and must include critical value pairs.
To this end, the online test can be useful, e.g., for presetting values and reading intermediate
values. However, the active simulation with sources must be performed, since it is the only
way to verify the proper wiring of the sensors and actuators. This is also the only way to verify
the system configuration.
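The following Python example is an added illustration of equivalence class test selection for a numerically evaluated formula as described above (constructed example, not HIMA code). It scales a 12-bit raw value (0...4095, see 7.2.3.4) to a 4...20 mA current in integer microamperes and trips at an allowed threshold; the "specification" functions, the threshold value and the seeded boundary defect in the program under test are assumptions. It shows why the range limits alone are not enough: the defect at the exact threshold is only caught once the formula-specific critical value pair is included.

```python
"""Equivalence class test selection for a numerically evaluated formula
(added example; formula, threshold and seeded defect are constructed)."""

RAW_MIN, RAW_MAX = 0, 4095      # 12-bit analog input range (7.2.3.4)
TRIP_UA = 16800                 # allowed threshold in µA (constructed value)


def raw_to_ua(raw):
    """Specification: 0...4095 -> 4000...20000 µA; values outside the valid
    range are invalid and yield None. Integer arithmetic keeps limits exact."""
    if not RAW_MIN <= raw <= RAW_MAX:
        return None
    return 4000 + (16000 * raw) // RAW_MAX


def spec_trip(raw):
    """Specification: trip when the current reaches the threshold; an invalid
    raw value also trips (de-energize-to-trip)."""
    ua = raw_to_ua(raw)
    return True if ua is None else ua >= TRIP_UA


def implementation_trip(raw):
    """Program under test with a seeded boundary defect: '>' instead of '>='.
    It agrees with the specification everywhere except at the exact threshold."""
    ua = raw_to_ua(raw)
    return True if ua is None else ua > TRIP_UA


def equivalence_class_cases(valid_ranges, critical_values=()):
    """Select test inputs per 7.2.8: a value inside each valid range, the range
    limits with their inner neighbours, the first invalid values outside, plus
    formula-specific critical values supplied by the tester."""
    cases = set()
    for lo, hi in valid_ranges:
        cases.update({lo - 1, lo, lo + 1, (lo + hi) // 2, hi - 1, hi, hi + 1})
    cases.update(critical_values)
    return sorted(cases)


def raw_at_threshold():
    """Smallest raw count whose current reaches TRIP_UA; together with its
    predecessor it forms the critical value pair of this formula."""
    return -(-(TRIP_UA - 4000) * RAW_MAX // 16000)   # ceiling division


def deviations(cases, spec=spec_trip, impl=implementation_trip):
    """Inputs for which the implementation disagrees with the specification."""
    return [x for x in cases if spec(x) != impl(x)]


if __name__ == "__main__":
    limits_only = equivalence_class_cases([(RAW_MIN, RAW_MAX)])
    t = raw_at_threshold()
    with_critical = equivalence_class_cases([(RAW_MIN, RAW_MAX)], (t - 1, t, t + 1))
    print("limits only   :", deviations(limits_only))
    print("with critical :", deviations(with_critical))
```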

7.3 Checklist: Measures for Creating a User Program


The checklist is available as Word file (MEAP-0001-D.doc) on the HIMA DVD or can be
downloaded at www.hima.com.

7.4 Reload (Reloadable Code)

A reload is only permitted after receiving consent from the test authority responsible for the
final system acceptance test. When performing the reload, the person in charge must take
further technical and organizational measures to ensure that the process is sufficiently
monitored in terms of safety.

WARNING
Warning! Physical injury due to malfunction possible!
• Prior to performing the reload, use the C code comparator integrated in the safety
tool of ELOP II to determine the changes performed to the user program compared
to the user program still running.
• The changes caused by the reload must be carefully tested on simulators prior to
transferring them to the PES.

If a reload may be performed to load the user program into the central module(s), the
message Reloadable Code appears while the code generator is compiling the code.

Reloadability is lost if the following changes are performed to the user program:
• Modules located in the control cabinet are deleted or added.
• More variables are associated with the attributes of the following types than are
deleted:
HIPRO N, HIPRO S, BUSCOM, event, 3964R
• The basic addresses for BUSCOM are modified, see Chapter 7.2.4.4.
• Assignments to system variables are added or modified.
This does not apply to all system variables; refer to the operating system manual
(HI 800 105 E) for further details.
• Names of HIPRO S variables are modified.

7.4.1 Systems with One Central Module


While the user program is being loaded, the I/O level may not be accessed, i.e., no I/O
modules are read, written to or tested.


While the user program is being loaded, the controller interfaces are not processed by the
user program and imported or exported variables are not routed via the interfaces.

Service interruption possible!

If a reload is performed in systems having only one central module, it must also be
completed within the fault tolerance time of the process.

7.4.2 Systems with Redundant Central Modules


A reload may be performed in systems having redundant central modules without the
restrictions mentioned for the single-channel systems.

Reload operating sequence:


1. While the first central module is being reloaded, the second central module continues
processing the user program in mono mode.
2. The newly loaded central module receives the current data from the central module in
operation and starts mono operation with the new user program.
3. Once the second central module has been loaded, it receives the current data from the
first central module and both central modules start to operate redundantly.

7.4.3 Restrictions with Respect to Reload


Observe the following points when performing a reload:
• If a logic part is deleted during a reload, e.g., a function controlling a physical output,
the process representation does not change. For this reason, all outputs affected by
the reload procedure must be deleted, which means that all these outputs must be
deactivated prior to performing the reload.
• If the input variable (VAR_INPUT) of a function block is no longer written during a
reload (e.g., because the variable or its assignment to the function block input has
been deleted), the input variable retains its last value and is not automatically reset to
FALSE / 0!
This behavior applies to all function blocks, but not to functions.
This behavior is due to the fact that the values of all variables remain stored during
reload to allow their further processing. Inputs of standard and user-defined function
blocks are internally processed like variables.
Workaround: Such an input must be connected to a new variable set to the required
value.
• After a reload, all the variables with the const attribute are reset to their initial value,
even if they have previously been set online to another value.
• During a reload, all the system parameters are reset to their configured value, even if
they have previously been set online to another value. This affects multiple
parameters such as the watchdog time, safety time or baud rate of the interfaces.
• If in a user program with a step chain the active step is deleted and then a reload is
performed, the step enabling condition for the next step is lost. This means that the
step chain can no longer be executed.
• If CRC 0 is generated while compiling a program, the program must not be loaded into
the controller!
Workaround: Modify and recompile the program to ensure that a new CRC not equal
to 0 is generated. The changes must not modify the program function. For this reason,
only independent objects may be graphically replaced such as the inputs of an AND
function block.


7.5 Offline Test


Changes performed to the user program may be simulated in ELOP II with the offline test.
This type of simulation is helpful to evaluate the potential consequences of a change.
However, it is not sufficient to validate the changes performed to safety-related controllers.
To this end, a test of the actual controller or a simulator is necessary.

7.6 Forcing
Forcing is only permitted after receiving consent from the test authority responsible for the
final system acceptance test. When forcing values, the person in charge must take further
technical and organizational measures to ensure that the process is sufficiently monitored in
terms of safety.

Forcing in safety-related controllers must be performed in accordance with the current
version of the document Maintenance Override published by TÜV Rheinland Industrie Service.
The document may be downloaded from the Internet at www.tuvasi.com.

The following options are available for forcing:


• The system can be configured to not permit forcing. The PES no longer accepts force
values defined by the user. In such a case, the new force values can only be set once
the system has been shut down.
• Prior to exiting the control panel, a message appears informing on whether and how
many forced values are still set.
• All forced inputs and outputs may be reset using two individual force main switches.

For further details on the forcing procedure refer to the operating system manual
(HI 800 105 E) and the ELOP II online help.

DANGER
Danger! Physical injury due to malfunction possible!
All force markers must be removed from the user program prior to starting safety-related
operation or before an acceptance test is performed by a test institute!

Refer to the ELOP II online help for details on the force markers.


7.7 Protection against Manipulation


Protective mechanisms for preventing unintentional or unauthorized modifications to the
safety system are integrated into the PES and the ELOP II programming tool:
1. The system parameters can be set in the PES such that the program must be loaded
again whenever a change is performed to it (either Download or Reload).
2. The ELOP II programming tool is equipped with a hardlock and can additionally be
protected against unauthorized access using the password mechanisms provided in
Windows®.

All requirements about protection against manipulation specified in the safety and
application standards must be met. The operator is responsible for authorizing employees and
implementing the required protective actions.
Together with the responsible test authority, the operator must define which measures
should be implemented to protect the system against manipulation.

7.8 Functions of the User Program


Programming is not subject to hardware restrictions. The user program functions can be
freely programmed. When programming, ensure that the de-energize-to-trip principle is taken
into account for the physical inputs and outputs. A line break, for instance, causes the related
actuators to be switched off.
• Compared to hard-wired safety-related controllers, line breaks within the user
program of programmable logic controllers need not be taken into account.
• Negations are permitted at any place.
• Active signals for triggering an action (e.g., shift clock pulse for a shift register) can be
used for safety-related applications.

If an error occurs in a safety-related analog input module, a defined value is further
processed. Refer to the description of the function blocks provided in the ELOP II Resource
Type manual for details.

If an error occurs in a safety-related digital I/O module, the input is set to the safe value 0 and
the digital output module is switched off by the integrated safety shutdown. Refer to the
description of the software function blocks provided in the Annex for details.

Compared to hard-wired controllers, programmable logic controllers are provided with a more
extensive range of functions, in particular with respect to byte and word processing.

7.8.1 Group Shut-Down


The safety-related output modules used for a specific plant area (e.g., for burners) can be
arranged into a group. To do so, the H8-STA-3 software function block must be added to the
user program of each group. The parameters for all positions of the output modules belonging
to a group must be set. If an output module fails, all output modules belonging to this group
are shut down. However, the safety shutdown integrated in the output modules is sufficient
to ensure the system's safety.


7.8.2 Software Function Blocks for Individual Safety-Related I/O Modules

Input modules
Digital
Type    | Software function block
F 3237  | HB-RTE-3
F 3238  | HB-RTE-3
F 5220  | HF-CNT-3 / -4
Analog
F 6213  | HA-RTE-3
F 6214  | HA-RTE-3
F 6220  | HF-TMP-3
F 6221  | HF-AIX-3

Output modules
Digital
Type    | Software function block
F 3331  | HB-BLD-3 / -4
F 3334  | HB-BLD-3 / -4
F 3349  | HB-BLD-3 / -4
Analog
F 6705  | HZ-FAN-3

Table 22: Assignment of software function blocks to I/O modules

For safety-related I/O modules, the corresponding software function blocks must be added to
the user program. Refer to the annex or the description of the software function block
provided in the ELOP II online help for further details.

7.8.3 Redundant I/O Modules


To enhance availability without impairing safety, safety-related I/O modules can be
configured redundantly as outlined below. Maximum availability is achieved if the
automation devices are used with two I/O busses and the redundant I/O signals are also
routed onto separate I/O modules.

Programming

Figure 3: Redundant I/O modules used for increasing availability

7.8.3.1 Redundant, non safety-related sensors


Hardware
Input modules of type F 3236, F 3237 or F 3238 must be used depending on the control signal
(mechanical contact, proximity switch, intrinsically safe / not intrinsically safe). The two sensors
operate in a 1oo2 structure, i.e., if one of the sensors is triggered, the safety-related circuit
is immediately switched off. A discrepancy is reported upon expiration of the time previously
set. This functionality can be included in a function block for the F 3236 input module. The
HB-RTE-3 function block is available for input modules of type F 3237 and F 3238.


User program, input module F 3236

Figure 4: Example of a 1oo2 function block and function block logic

User program, input module F 3237 or F 3238


Use of the HB-RTE-3 function block

Figure 5: Use of the HB-RTE-3 function block

Safety considerations
The output is switched off if one of the two sensors is triggered or a component fails within
the system.
The relevant standards, e.g., IEC 61511, must be observed for sensor applications.

Availability considerations
No availability since each component failure causes a shutdown.


7.8.4 Redundant Analog Sensors

Wiring, hardware

Figure 6: Wiring of redundant sensors

User program, input module F 6213 or F 6214


Use of the HA-RTE-3 function block, refer to Chapter 2.5 in the Annex and the ELOP II online
help for further details on the function block.

1) e.g., 50
2) e.g., 50
3) 7777, if the physical quantity increases in dangerous situations (every four module channels),
0000, if the physical quantity decreases in dangerous situations (every four module channels)
4) Values 0...1066

Figure 7: Use of the HA-RTE-3 function block with the F 6213 or F 6214 module

Comparator element for alarming or shutting down upon reaching the allowed threshold

Figure 8: Comparator element for alarming or shutting down upon reaching the allowed
threshold


Safety Considerations
The output A has a high level if one of the two sensors is triggered or a component fails
within the system.
The relevant standards, e.g., IEC 61511, must be observed for sensor applications.

Availability Considerations
No increase in availability, since a shutdown occurs whenever a component fails or a sensor is triggered.

7.8.5 Input Modules with 2oo3 Architecture

Figure 9: 2oo3 function block and function block logic

The wiring is conveniently represented within a 2oo3 function block.

Note: In a PES with two I/O busses, the signal of the second sensor is branched to two input
channels (one to a channel on the 1st I/O bus and one to a channel on the 2nd I/O bus) and
is directed to the user program via an OR function. All sensor signals can also be connected
in parallel to the input channels on both I/O busses and directed to the user program via a
respective OR function. The function block depicted above is then used.
The relevant standards, e.g., IEC 61511, must be observed for sensor applications.

7.9 Program Documentation for Safety-Related Applications


The ELOP II programming tool allows the user to automatically print the documentation for a
project. The most important documentation includes:
• Interface declaration
• List of variables
• Logic
• Description of data types
• Configurations for control cabinet, base plates, modules and system parameters
• PCS/Variable cross-references
• Code generator information

The layout of the various document types can be freely defined.

This documentation is required for the acceptance test of a system subject to approval by
a test authority (e.g., TÜV). This acceptance test covers only the user functionality, not
the safety-related HIMA automation devices H41q-MS, H51q-MS, H41q-HS, H51q-HS,
H41q-HRS and H51q-HRS, which have already been approved.

HIMA recommends involving the test authority as early as possible when designing systems
that are subject to approval.

7.10 Safety-Related Communication Aspects (Safety-Related Data Transfer)

The HIPRO S protocol is certified for SIL 3.

7.10.1 Safety-Related Communication


The data transfer to safety-related assigned resources can be monitored by the PES master from
within the resource's Properties dialog box (HIPRO-S tab, Edit of the selected resource). To
this end, a monitoring time can be set as Time Interval, and the Reset Imported Variables
option can be activated so that the imported variables are reset once the monitoring time has
been exceeded.

The monitoring time to be set depends on the process and must be agreed upon together with
the responsible test authority.

Safety-related communication can also occur via the TÜV-certified safeethernet protocol
using the F 8627 X or F 8628 X Ethernet communication modules.

7.10.2 Time Requirements


To achieve a constant transmission time, HIMA recommends planning a dedicated PES
master and a dedicated bus for safety-related data transmission with a baud rate of
57.6 kbit/s.

The data transmission time TT, from the moment a sensor changes on one PES to the
moment an output on another PES responds to the change, is:

TT = 2*CT1 + 2*TD + 2*CT2

CT1 Cycle time of PES 1
CT2 Cycle time of PES 2
TD Time required for data transfer between the two controllers. It depends on the
data connection in use:
Serial data transfer: Use the value of the bus cycle time. Refer to the operating system
manual (HI 800 105 E), Chapter Safety-Related Data Transfer via HIPRO S, to determine the
bus cycle time.
Data transfer via Ethernet: Use the maximum transmission time (Tmax); refer to the data sheet
of the F 8627 X module, Chapter Calculating the Monitoring Time for HIPRO S / HIPRO S
DIRECT Connections, for details.


7.10.3 Notes for Creating the User Program


The Ethernet network is automatically configured in ELOP II for HIPRO S. However, the
following notes must be taken into account when creating the user program:
• In ELOP II, resource names must consist of eight characters, the last two of which
must be digits. Numbers between 1 and 99 may be used. The number combination
must be unique, since it is used to determine the IP address of the communication
module.
• Safety-related communication with HIPRO S operating in NORMAL mode must be
configured such that every automation device exchanges safety-related data with
every other device. This means that dummy data is exchanged if no user data is
available. This is not required in HIPRO S DIRECT mode, i.e., dummy data is not
necessary there. Refer to the data sheet for the F 8627 X module for details.
• The PES master program must be compiled to verify the HIPRO S configuration.
Any faults reported must then be corrected.
• With safety-related communication, 0 must be used as the safe value for transferred data.
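The transfer-time formula in 7.10.2 and the receiver-side monitoring described in 7.10.1 and 7.10.3 (imported variables fall back to the safe value 0 once the monitoring time is exceeded), modelled as an added Python example. This is illustration code written for this page, not HIMA's HIPRO S implementation and not an ELOP II function: the cycle and bus times, the constructed telegram timeline, the 1 s limit used as the required fault reaction time and the resource names are assumptions, and in a real project the monitoring time must be agreed with the test authority as stated above. The resource-name check at the end applies the naming rule from 7.10.3.

```python
"""Added example: HIPRO S transfer time, import monitoring and resource-name check.

Illustration only; not HIMA code. All times are integer milliseconds so that the
cycle loop does not suffer from floating-point drift.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def transfer_time_ms(ct1_ms: int, td_ms: int, ct2_ms: int) -> int:
    """TT = 2*CT1 + 2*TD + 2*CT2 (section 7.10.2).

    TD is the bus cycle time for serial HIPRO S or Tmax for Ethernet, both taken
    from the respective manual or data sheet (the values used here are assumptions)."""
    return 2 * ct1_ms + 2 * td_ms + 2 * ct2_ms


def reaction_time_ok(ct1_ms: int, td_ms: int, ct2_ms: int, limit_ms: int) -> Tuple[int, bool]:
    """Return (TT, ok): ok is True if TT stays within the required fault reaction time."""
    tt = transfer_time_ms(ct1_ms, td_ms, ct2_ms)
    return tt, tt <= limit_ms


@dataclass
class ImportedVariables:
    """Receiver side of one safety-related HIPRO S connection (constructed model).

    The importing PES keeps the last received values and their arrival time. If no
    valid telegram arrives within monitoring_ms, every imported variable is reset to
    the safe value 0 (the 'Reset Imported Variables' behaviour from 7.10.1/7.10.3).
    """
    monitoring_ms: int
    safe_value: int = 0
    values: Dict[str, int] = field(default_factory=dict)
    last_update_ms: Optional[int] = None
    timed_out: bool = False

    def receive(self, now_ms: int, payload: Dict[str, int]) -> None:
        """A valid telegram carrying exported variables arrived at now_ms."""
        self.values = dict(payload)
        self.last_update_ms = now_ms
        self.timed_out = False

    def cycle(self, now_ms: int) -> Dict[str, int]:
        """Called once per PES cycle; returns the values the user program may use."""
        if self.last_update_ms is None or now_ms - self.last_update_ms > self.monitoring_ms:
            # Monitoring time exceeded: fall back to the safe value 0 for every variable.
            self.values = {name: self.safe_value for name in self.values}
            self.timed_out = True
        return dict(self.values)


def simulate(monitoring_ms: int, telegrams: List[Tuple[int, Dict[str, int]]],
             cycle_ms: int, end_ms: int) -> List[Tuple[int, Dict[str, int], bool]]:
    """Run the receiver over a constructed timeline of (arrival_ms, payload) telegrams.

    Returns one (t, values, timed_out) entry per PES cycle."""
    rx = ImportedVariables(monitoring_ms)
    pending = sorted(telegrams, key=lambda tg: tg[0])
    trace = []
    for t in range(0, end_ms + 1, cycle_ms):
        while pending and pending[0][0] <= t:
            arrival, payload = pending.pop(0)
            rx.receive(arrival, payload)
        trace.append((t, rx.cycle(t), rx.timed_out))
    return trace


def validate_resource_names(names: List[str]) -> List[str]:
    """Check the ELOP II naming rule from 7.10.3 (an added check, not an ELOP II function):
    exactly eight characters, the last two are digits, the number is 1..99 and unique."""
    problems: List[str] = []
    seen: Dict[int, str] = {}
    for name in names:
        if len(name) != 8:
            problems.append(f"{name}: must have exactly 8 characters")
            continue
        suffix = name[-2:]
        if not all(c in "0123456789" for c in suffix):
            problems.append(f"{name}: last two characters must be digits")
            continue
        number = int(suffix)
        if not 1 <= number <= 99:
            problems.append(f"{name}: number must be between 01 and 99")
        elif number in seen:
            problems.append(f"{name}: number {number:02d} already used by {seen[number]}")
        else:
            seen[number] = name
    return problems
```

With a constructed 500 ms monitoring time, telegrams at 0, 200 and 400 ms and then a gap until 1200 ms, the receiver keeps the last value through the 900 ms cycle and resets it to 0 from the 1000 ms cycle until the next valid telegram arrives; the reset to 0 is what makes the safe value 0 from 7.10.3 matter, because a missing telegram then reads as a trip and not as a healthy signal.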

8 Use in Fire Alarm Systems in accordance with DIN EN 54-2 and NFPA 72

The H41q, H41qc and H51q systems may be used in fire alarm systems in accordance with
DIN EN 54-2 and NFPA 72.
In this case, the user program must fulfill the requirements that these standards specify for
fire alarm systems.
The H41q, H41qc and H51q systems easily meet the maximum cycle time of 10 seconds
required by DIN EN 54-2 for fire alarm systems and the safety time of 1 second (fault
reaction time) required in certain cases, since the cycle time of these systems is less than
0.5 s.
The fire detectors are connected in accordance with the energize-to-trip principle with line
short-circuit and open-circuit monitoring. To this end, the F 3237/F 3238 input modules for
digital connections or the F 6217/F 6221 input modules for analog connections can be used,
wired as follows:

Digital connectors

Figure 10: Digital fire alarm connectors

Analog connectors

Figure 11: Wiring of fire alarms

Caption to the figures:

M Fire detector
REOL Terminating (end-of-line) resistor at the last sensor of the loop
RL Limitation of the maximum permitted loop current
RShunt Measuring shunt

For the application, the REOL, RL and RShunt resistors must be calculated according to the
sensors in use and the number of sensors per detection loop. The data sheets provided by
the sensor manufacturer must also be taken into account.

Additionally, the current values specified for the F 3237 and F 3238 modules must be observed
(see the corresponding data sheets). This is particularly important if the fire detectors are
equipped with electronic outputs instead of mechanical contacts.
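A worked example of the supervised detection loop described above, added here as illustration and not taken from HIMA's data sheets or from the figures: it computes the loop currents that an energize-to-trip loop with end-of-line resistor produces in its four states and classifies a measured current as open circuit, normal, alarm or short circuit, so that line faults are reported as faults and not as alarms. The supply voltage, the resistor values, the detector alarm resistance, the circuit model (RL and RShunt in series with the line, REOL and the detector's alarm resistance across it) and the placement of the decision thresholds halfway between adjacent states are assumptions of this example; in a real project REOL, RL and RShunt are calculated from the detector data sheets and the input module's current limits as stated above.

```python
"""Added example: currents in a supervised fire-detection loop (constructed model)."""
from dataclasses import dataclass
from typing import Tuple


def parallel(r1: float, r2: float) -> float:
    """Resistance of two resistors in parallel (ohms)."""
    return r1 * r2 / (r1 + r2)


@dataclass(frozen=True)
class Loop:
    """Energize-to-trip detection loop in the spirit of Figure 11; all values are assumptions."""
    supply_v: float = 24.0      # loop supply voltage
    r_l: float = 1000.0         # RL: limits the maximum loop current
    r_eol: float = 4700.0       # REOL: end-of-line resistor behind the last detector
    r_shunt: float = 100.0      # RShunt: measuring shunt read by the analog input
    r_alarm: float = 680.0      # resistance a detector switches across the line in alarm

    def current_ma(self, state: str) -> float:
        """Loop current in mA for one of: open, normal, alarm, short."""
        if state == "open":
            return 0.0                                   # broken line: no current at all
        if state == "normal":
            r_line = self.r_eol                          # only REOL across the line
        elif state == "alarm":
            r_line = parallel(self.r_eol, self.r_alarm)  # detector resistor joins REOL
        elif state == "short":
            r_line = 0.0                                 # line shorted in front of REOL
        else:
            raise ValueError(state)
        return 1000.0 * self.supply_v / (self.r_l + self.r_shunt + r_line)

    def thresholds_ma(self) -> Tuple[float, float, float]:
        """Decision thresholds halfway between adjacent states (an assumption)."""
        i_open, i_norm, i_alarm, i_short = (
            self.current_ma(s) for s in ("open", "normal", "alarm", "short"))
        return ((i_open + i_norm) / 2, (i_norm + i_alarm) / 2, (i_alarm + i_short) / 2)

    def classify(self, measured_ma: float) -> str:
        """Map a measured loop current onto the loop state.

        Only 'alarm' is a fire alarm; 'open' and 'short' are line faults that must be
        signalled via the fault path (de-energize-to-trip), never as alarms.
        """
        t_open, t_alarm, t_short = self.thresholds_ma()
        if measured_ma < t_open:
            return "open"
        if measured_ma < t_alarm:
            return "normal"
        if measured_ma < t_short:
            return "alarm"
        return "short"

    def within_module_limit(self, max_input_ma: float) -> bool:
        """True if even a shorted loop stays at or below the input channel's current limit
        (max_input_ma must come from the module data sheet; here it is an assumption)."""
        return self.current_ma("short") <= max_input_ma
```

With the constructed values the four states sit at roughly 0, 4.1, 14.2 and 21.8 mA, which is what makes a single analog channel able to tell a broken line, a quiescent loop, a detector in alarm and a shorted line apart; RL is what bounds the short-circuit current, so it has to be checked against the input module's limit before the loop is wired.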

The alarm outputs for controlling lamps, sirens, horns, etc. are operated in accordance with the
energize-to-trip principle, which means that output modules with line monitoring must be used
(e.g., the F 3331 or F 3334 modules).

A suitably adapted user program can be used to control visual display systems, indicator
light panels, LED indicators, alphanumeric displays, audible alarms, etc.

The routing of fault signals via the input and output modules or to transmission equipment for
fault signals must follow the de-energize-to-trip principle.

The transmission of fire alarms between HIMA systems can be realized using the available
communication standards such as Modbus, HIPRO S, or OPC (Ethernet). Communication
monitoring is an essential part of the user program. HIMA recommends configuring
communication redundantly to ensure communication even if a transmission component fails
(line, hardware fault, etc.). The component failure must be reported, and the replacement or
repair of the faulty component during operation must be ensured.

H41q, H41qc or H51q systems that are used as fire alarm systems must have a redundant
power supply. Precautionary measures must also be taken against power supply drops, e.g.,
the use of a battery-powered horn. Switching from the main power supply to the back-up
power supply must be performed as fast as possible to ensure uninterrupted operation.
Voltage drops of up to 10 ms are permitted.

If a fault occurs in the system, the operating system writes to system variables that can
be evaluated in the user program. This allows the user to program fault signaling for faults
detected by the system. If a fault occurs, the safety-related inputs and outputs are switched
off, i.e., low levels are applied to all channels of faulty input modules and all channels
of faulty output modules are switched off.

Earth fault monitoring is required if fire detection and fire alarm systems in accordance with
EN 54-2 and NFPA 72 are used.


Appendix

1 Standard Software Function Blocks for the Central Area


Standard software function blocks can be used and configured for the central module's
functions. For a detailed description of the function blocks, refer to their respective online
help.

1.1 HK-AGM-3 Function Block


This function block is used to monitor the function of the H41qc or H51q automation device
used as HIPRO master.

The function block is not safety-relevant. The function block's outputs serve informative
purposes only, and no safety-related actions may be derived for the user program.

1.2 HK-COM-3 Function Block


This function block is used to monitor the function of the communication module within a
H41qc or H51q system.

The function block is not safety-relevant. The function block's outputs serve informative
purposes only, and no safety-related actions may be derived for the user program.

1.3 HK-MMT-3 Function Block


This function block allows a H41q, H41qc or H51q automation device to be used as Modbus
master.

The function block is not safety-relevant. The function block's outputs serve informative
purposes only, and no safety-related actions may be derived for the user program.

1.4 H8-UHR-3 Function Block


This function block allows external setting or modification of the automation device's date and
time.

The function block's outputs serve informative purposes only, and no safety-related actions
may be derived for the user program.


2 Standard Software Function Blocks for the I/O Area


All software function blocks described below are approved for operation in safety-related
automation devices.

All specific programming instructions described in this chapter must be observed.


For details on a software function block's functions and the assignment of its inputs and
outputs, refer to the corresponding online help.

2.1 H8-STA-3 Function Block


The function block is used to configure a group shut-down. It is used once in the user program
for each shut-down group.

Figure 12: H8-STA-3 function block's connectors

For details on the behavior in the event of output channel faults, refer to Chapter 7.2.6.2.

2.1.1 Inputs
The positions of the modules belonging to the shut-down group are entered as four-digit
decimal numbers in accordance with the values defined in the selected resource.

Example: 1306 means:
Cabinet 1, subrack 3, module position 06

If modules with integrated safety shut-down are used, either the Bus No. Rack Pos. Group
Amplif. or the Bus No. Rack Pos. red. Group Amplif. input must be used. To do so, specify an
existing but currently unoccupied slot.

Note: Output modules with integrated safety shut-down need no group shut-down. A group
shut-down can, however, also be configured for this type of module. If this is done, an output
module's failure causes all modules belonging to the group to shut down (in accordance
with the specifications on the H8-STA-3 function block).


2.2 HA-LIN-3 Function Block


The function block is used to linearize temperatures measured using thermocouples and
resistance thermometers Pt 100. Ensure proper configuration if the values are used for
shutting down safety-relevant circuits (see ELOP II online help).
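What linearizing a Pt 100 involves, as an added Python example that is not HIMA's HA-LIN-3 code: it inverts the IEC 60751 resistance-temperature relation for a Pt 100 (R0 = 100 Ω, A = 3.9083e-3, B = -5.775e-7) and, following the pattern of the I/O function blocks in this appendix, returns a Value/Error pair so that a sensor break or short is reported as an error instead of as a temperature. The accepted measuring range (-50...850 °C) and the omission of the sub-zero cubic term of the IEC 60751 curve (an error of about 0.02 °C at -50 °C) are assumptions of this example; the configuration of the real block must be taken from the ELOP II online help as stated above.

```python
"""Added example: Pt 100 linearization with error signalling (illustration only)."""
import math
from typing import Tuple

# IEC 60751 Callendar-Van Dusen coefficients for a Pt 100 (alpha = 0.00385).
R0 = 100.0
A = 3.9083e-3
B = -5.775e-7

# Measuring range accepted by this example (an assumption, not an HA-LIN-3 setting).
T_MIN = -50.0
T_MAX = 850.0


def pt100_resistance(t_c: float) -> float:
    """Resistance in ohms at temperature t_c, quadratic form of the IEC 60751 curve
    (exact for t_c >= 0, within about 0.02 °C of the full curve down to -50 °C)."""
    return R0 * (1.0 + A * t_c + B * t_c * t_c)


def pt100_temperature(r_ohm: float) -> float:
    """Inverse of pt100_resistance: solve R0*(1 + A*t + B*t^2) = r for t on the
    physical branch of the quadratic."""
    disc = A * A - 4.0 * B * (1.0 - r_ohm / R0)
    return (-A + math.sqrt(disc)) / (2.0 * B)


def linearize(r_ohm: float) -> Tuple[float, bool]:
    """Return (value, error) in the style of the I/O function blocks in this appendix.

    error is True for a sensor break (open circuit, resistance far above the range),
    a short (resistance far below the range) or any reading outside the configured
    measuring range; the value is then forced to 0 and must not be used on its own,
    because 0 is also a legitimate temperature. The error flag has to be evaluated.
    """
    r_min = pt100_resistance(T_MIN)
    r_max = pt100_resistance(T_MAX)
    if not (r_min <= r_ohm <= r_max):
        return 0.0, True
    return pt100_temperature(r_ohm), False


def trip_if_too_hot(r_ohm: float, limit_c: float) -> bool:
    """High-temperature trip decision: trip (True) on a sensor error as well, so that a
    broken or shorted sensor cannot mask an over-temperature (de-energize-to-trip)."""
    t, err = linearize(r_ohm)
    return err or t >= limit_c
```

A reading of 138.5055 Ω linearizes to 100 °C, while 18.52 Ω (a shorted line) or 1 MΩ (an open line) produce value 0 with the error flag set; trip_if_too_hot shows why the error flag, and not the forced 0, has to drive the shut-down.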

Figure 13: HA-LIN-3 function block's connectors

2.3 HA-PID-3 Function Block


The function block includes a digital controller that can be configured to operate in the
following operating modes: P, I, D, PI, PD and PID.

Figure 14: HA-PID-3 function block's connectors


2.3.1 Inputs
True=Manual (PID=0), True=Manual, Compensating: If the control function block is used in a
safety-related function, these inputs must not be used. Divergences must be approved by the
test authority responsible for the final inspection.
Parameters and constants at the function block inputs may only be changed during operation
if approved by the responsible test authority, and only during monitored operation.
The function block inputs may not be assigned non-safety-related imported variables.

2.3.2 Outputs
Safety shut-downs are only allowed using the following parameters: Maximum Value Reached
and Diff Maximum Reached. Divergences must be approved by the test authority responsible
for the final inspection.

Note: The control algorithm of the function block alone cannot ensure the safe state in all
cases. Additional measures may be necessary on a case-by-case basis.

2.4 HA-PMU-3 Function Block


The function block is used for converting the digitized measured values into per mille values
as well as for converting per mille values into digitized analog values. Ensure proper
configuration if the values are used for shutting down safety-relevant circuits (see the ELOP II
online help).

Figure 15: HA-PMU-3 function block's connectors


2.5 HA-RTE-3 Function Block


The function block is used to process values and to display faults that occurred in safety-
related analog modules operating in single-channel or redundant mode. It must be used once
in the user program for each safety-related analog input module (F 6213/F 6214). If two I/O
modules operate redundantly, the function block is used only once for the redundant pair.

Figure 16: HA-RTE-3 function block's connectors

2.5.1 Inputs
Bus No. Rack Pos. (e.g., 1305), Bus No. Rack Pos. red. Mod.: Position of the safety-related
analog input module and, if present, of the redundant module as a four-digit decimal number.
Example: 1305 means cabinet 1, subrack 3, module position 05 (for redundant operation, the
redundant module must have a different position).
0 = No Damping; 1 = Damping: For redundant operation only. With damping, the difference
between the current value and the value from the previous cycle is added to the allowed
difference in ‰ (Tolerated Differ. red. Values in 0.1 %).
Maximum Test Time in min: Limitation of the test time in minutes. Upon expiration of the test
time, the actual value is once again processed in the user logic. See also the document
Maintenance Override available on TÜV Rheinland's website: www.tuvasi.com.

2.5.2 Outputs
Value 1...4: The use of these values must be verified if they are employed for shutting down
safety-related circuits.
Error Value 1...4: These Boolean outputs must be used to trigger a shut-down if faults occur.

The remaining outputs serve informative purposes only, and no safety-related actions may
be derived from them for the user program.


2.6 HB-BLD-3 Function Block


The function block is used to evaluate and display channel faults that occurred in the digital
safety-related output modules F 3331, F 3334 and F 3349. It may only be used once for each
module in use.

Figure 17: HB-BLD-3 function block's connectors

2.6.1 Inputs

Bus No. Rack Pos. (e.g., 1305): Position of the safety-related digital output module as a
four-digit decimal number. Example: 1305 means cabinet 1, subrack 3, module position 05.

Mode Channel n (0/1/2), assignment and description:
1: Normal operation; detected errors are reported at the corresponding Error Channel n with a
high level, the output circuit of the module is closed.
0: Fault evaluation switched off; error messages are suppressed.
2: Only permitted plant-specifically; inverse operation, i.e., the output circuit should be open.
>2: Range of values exceeded; the channel is considered faulty (output is TRUE) and a
channel-related error is output.
Usually the de-energize-to-trip principle applies to safety-related control circuits.

Max. Time Inrush Current in ms: Waiting time for detecting open circuits, or tolerance time
for current limiting. No faults are displayed during this time period. Increasing the waiting
time also increases the cycle time.

2.6.2 Outputs
The Pulse on Error (2x), Error and Error Code outputs serve informative purposes only, and
no safety-related actions may be derived for the user program.
The remaining outputs may be used for safety-related actions.


2.7 HB-BLD-4 Function Block


The function block is used to evaluate and display channel faults that occurred in the digital
safety-related output modules F 3331, F 3334 and F 3349 operating redundantly. It may only be
used once for each redundant module pair.

Figure 18: HB-BLD-4 function block's connectors

2.7.1 Inputs

Bus No. Rack Pos. (e.g., 1305), Bus No. Rack Pos. red. Mod.: Position of the safety-related
digital output module and, if present, of the redundant module as a four-digit decimal number.
Example: 1305 means cabinet 1, subrack 3, module position 05.

Mode Channel n (0/1/2), assignment and description:
1: Normal operation; detected errors are reported at the corresponding Error Channel n with a
high level, the output circuit of the module is closed.
0: Fault evaluation switched off; error messages are suppressed.
2: Only permitted plant-specifically; inverse operation, i.e., the output circuit should be open.
>2: Range of values exceeded; the channel is considered faulty (output is TRUE) and a
channel-related error is output.
Usually the de-energize-to-trip principle applies to safety-related control circuits.

Max. Time Inrush Current in ms, Mod. / Max. Time Inrush Current in ms, red. Mod.: Waiting
time for detecting open circuits, or tolerance time for current limiting, for the module and
the redundant module. No faults are displayed during this time period. Increasing the waiting
time also increases the cycle time.

2.7.2 Outputs
The Pulse on Error (2x), Error, Error Mod. and Error Code red. Mod. outputs serve informative
purposes only, and no safety-related actions may be derived for the user program.
The remaining outputs may be used for safety-related actions.


2.8 HB-RTE-3 Function Block


The function block is used to evaluate and display faults that occurred in digital safety-related
input modules in single-channel or redundant mode. It must be used once in the user program
for each input module of type F 3237 or F 3238, or once for two input modules of type F 3237
or F 3238 operating redundantly.

Figure 19: HB-RTE-3 function block's connectors

2.8.1 Inputs

Bus No. Rack Pos. (e.g., 1305), Bus No. Rack Pos. red. Mod.: Position of the safety-related
digital input module and, if present, of the redundant module as a four-digit decimal number.
Example: 1305 means cabinet 1, subrack 3, module position 05.

1 = 1oo2; 2 = 2oo2-Trip, assignment and description:
0: Assignment in single-channel operation. Input in accordance with IEC 1131: 16#00 or
2#00000000.
1: 1oo2-Trip, corresponds to an AND gate. With 1oo2-Trip, the module redundancy is used to
increase availability. If no faults occurred in the input modules and input circuits, the input
signals of the module channels 1...8 are connected to the corresponding outputs through an
AND gate. If a fault occurs in a channel, the last state is retained on the corresponding
function block output; the output is set to FALSE upon expiration of the allowed down time
if the fault still exists. If the other, fault-free input is FALSE, or if faults occur
simultaneously in both channels (double failure), the function block output is immediately
set to FALSE.
2: 2oo2-Trip, corresponds to an OR gate. With 2oo2-Trip, the module redundancy is used to
increase availability. If no faults occurred in the input modules and input circuits, the input
signals of the module channels 1...8 are connected to the corresponding outputs through an
OR gate. If a fault occurs in a channel, the input signal of the other channel is transferred
to the function block output. Only if faults occur simultaneously in both channels (double
failure) is the last state retained on the corresponding function block output; the output is
set to FALSE upon expiration of the defined down time if the double failure still exists.
Basically, the de-energize-to-trip principle applies to safety-related control circuits.

Tolerated Fault Time in min: No effect on the shutdown within the indicated time after a sensor
test, component failure or line error. Agreement with the responsible test authority is required.

Tolerated Time Difference red. Inputs in ds: Time difference of the switching points between
two redundant sensors, in ds (tenths of a second). The time depends on the sensor; agreement
with the responsible test authority is required.

2.8.2 Outputs
The Channel Error Mask, Other Error Code, Pulse (2x), Error, Error Code Mod. and Error
Code red. Mod. outputs serve informative purposes only, and no safety-related actions may
be derived for the user program.
The outputs Output 1 through Output 8 may be used for safety-related actions.
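The two voting modes and the fault handling from the table above, together with the 1oo2 structure and discrepancy reporting from 7.8.3, as an added Python model. This is illustration code written for this page, not HIMA's HB-RTE-3 implementation: it processes one redundant channel pair per cycle with the rules stated above (AND for 1oo2-Trip, OR for 2oo2-Trip, last state retained while the tolerated fault time runs and FALSE once it has expired, immediate FALSE on a double failure in 1oo2-Trip or when the fault-free input is FALSE), and raises a discrepancy flag when the two valid inputs differ for longer than the tolerated time difference. Expressing both times in cycles of a fixed PES cycle, the healthy start-up state and the omission of single-channel mode 0 are assumptions of this example; the real block's parameters must be agreed with the test authority as stated above.

```python
"""Added example: 1oo2-Trip / 2oo2-Trip voting with tolerated fault time and
discrepancy monitoring. Illustration only; not HIMA's HB-RTE-3 implementation.
"""
from dataclasses import dataclass
from typing import List, Tuple

ONE_OO_TWO_TRIP = 1   # AND gate: either channel FALSE -> output FALSE
TWO_OO_TWO_TRIP = 2   # OR gate: output FALSE only if both channels are FALSE


@dataclass(frozen=True)
class ChannelState:
    """One module channel as seen by the block: signal and fault flag.
    De-energize-to-trip: TRUE = run, FALSE = trip."""
    value: bool
    fault: bool = False


class RedundantChannel:
    """One output of a redundant channel pair (channel n of module and redundant module).

    Times are counted in cycles of an assumed fixed PES cycle; the real block's
    parameters are in minutes (fault time) and tenths of a second (time difference).
    """

    def __init__(self, mode: int, tolerated_fault_cycles: int, tolerated_diff_cycles: int):
        if mode not in (ONE_OO_TWO_TRIP, TWO_OO_TWO_TRIP):
            raise ValueError("this example models only 1oo2-Trip (1) and 2oo2-Trip (2)")
        self.mode = mode
        self.tolerated_fault_cycles = tolerated_fault_cycles
        self.tolerated_diff_cycles = tolerated_diff_cycles
        self.output = True        # last state; healthy at start-up is an assumption
        self.fault_cycles = 0     # cycles the output has been held because of a fault
        self.diff_cycles = 0      # cycles the two valid inputs have disagreed
        self.discrepancy = False  # reported only; it does not drive the trip decision

    def cycle(self, a: ChannelState, b: ChannelState) -> bool:
        """Process one PES cycle and return the block output for this channel."""
        self._monitor_discrepancy(a, b)
        vote = self._vote_1oo2 if self.mode == ONE_OO_TWO_TRIP else self._vote_2oo2
        self.output = vote(a, b)
        return self.output

    def _monitor_discrepancy(self, a: ChannelState, b: ChannelState) -> None:
        # Discrepancy (7.8.3): both inputs valid but different for longer than tolerated.
        if not a.fault and not b.fault and a.value != b.value:
            self.diff_cycles += 1
        else:
            self.diff_cycles = 0
        self.discrepancy = self.diff_cycles > self.tolerated_diff_cycles

    def _hold_then_trip(self) -> bool:
        # Retain the last state while the tolerated fault time runs; FALSE once it has
        # expired and the fault still exists.
        self.fault_cycles += 1
        return False if self.fault_cycles > self.tolerated_fault_cycles else self.output

    def _vote_1oo2(self, a: ChannelState, b: ChannelState) -> bool:
        if a.fault and b.fault:
            self.fault_cycles = 0
            return False                        # double failure: immediate trip
        if a.fault or b.fault:
            good = b if a.fault else a
            if not good.value:
                self.fault_cycles = 0
                return False                    # the fault-free input demands a trip
            return self._hold_then_trip()       # hold last state, trip when time expires
        self.fault_cycles = 0
        return a.value and b.value              # AND gate

    def _vote_2oo2(self, a: ChannelState, b: ChannelState) -> bool:
        if a.fault and b.fault:
            return self._hold_then_trip()       # only a double failure starts the timer
        self.fault_cycles = 0
        if a.fault:
            return b.value                      # the healthy channel decides
        if b.fault:
            return a.value
        return a.value or b.value               # OR gate


def run(channel: RedundantChannel,
        sequence: List[Tuple[ChannelState, ChannelState]]) -> List[bool]:
    """Feed (module, redundant module) input pairs through the channel, one per cycle."""
    return [channel.cycle(a, b) for a, b in sequence]
```

The difference between the two modes is visible in the single-fault case: with 1oo2-Trip a module fault holds the last state for the tolerated fault time and then trips, whereas with 2oo2-Trip the remaining healthy channel simply takes over and only a double failure starts the timer. In both modes a fault-free channel that reads FALSE trips immediately, which is the de-energize-to-trip behaviour the table requires.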


2.9 HF-AIX-3 Module


The HF-AIX-3 function block is used to configure and evaluate one individual channel of the
safety-related analog F 6221 (Ex)i input module with a resolution of 0...10 000.

The HF-AIX-3 function block must be used in the user program one time for each channel of
the F 6221 module.

Figure 20: HF-AIX-3 function block's connectors

For each channel, the analog input module has a safety-related output that is controlled
independently from the central module cycle. Its state is output to the HF-AIX-3 function block
and can be further processed in the user program.

The value from the analog input module can be converted and scaled via the parameter
settings.

A value preset on the Value on Error function block input is switched to the Value output in
the following cases:
• With channel faults
• With module faults
• With violation of the measurement range
In these cases, the user program processes the value of the Value on Error input instead of
the measured value.


2.10 HF-CNT-3 Module


The HF-CNT-3 function block is used to configure and evaluate both channels of the safety-
related F 5220 counter module with a resolution of 24 bits. The counter module can be used
to count pulses, measure frequencies or rotation speeds, and detect the direction of
rotation.

The HF-CNT-3 function block must be used in the user program one time for each channel
of the F 5220 module.

Figure 21: HF-CNT-3 function block's connectors

For each channel, the counter module has a safety-related output that is controlled
independently from the central module cycle. Its Output State is output to the HF-CNT-3
counter function block and can be further processed in the user program.

A TRUE signal on the MOS input (MOS: maintenance override switch) can be used to directly
control the counter module output during the specified test operating time, i.e., the output
drives the signal specified on the Force Value for Test Operation input. See also the
document Maintenance Override available on the TÜV Rheinland's website:
www.tuvasi.com.

Note: If the Gate time is modified, the correct measured value is only available on the output
after three Gate times (as currently set).


2.11 HF-CNT-4 Module


This function block corresponds to the HF-CNT-3 function block, but also has a Channel Error
output.

Figure 22: HF-CNT-4 function block's connectors

The Channel Error output reports a channel fault:

Channel Error = TRUE: A channel fault occurred. In the event of a module fault, both Channel
Error outputs are set to TRUE.
Channel Error = FALSE: The channel operates properly or has not been configured yet.


2.12 HF-TMP-3 Module


The HF-TMP-3 function block is used for each channel of the F 6220 thermocouple module.
If the channel has not been properly configured with the HF-TMP-3 function block, it does not
function, i.e., the output values are 0 or FALSE. No default functionality or setting exist. The
sensor of type 1 may only be assigned to channel 9.

Figure 23: HF-TMP-3 function block's connectors

The Enable External Comparison Temperature signal is only evaluated if the Temperature
Measurement mode is set (values 2 through 8 on the Sensor Type input). If the input is TRUE,
the temperature on the External Reference Temperature input is used as comparison value.
If this input is FALSE, the temperature value of the resistance thermometer located in the
module is processed as reference temperature.

The Value function block output is set to 0 if the module or channel fails. The Channel Error
function block output must therefore be evaluated in the user program, so that the fault is
handled in the way defined in the user program (a value of 0 alone cannot be distinguished
from a valid measurement).

For safety-related applications compliant with SIL 3, the reference temperature must be taken
from two different modules; the same applies to the temperature from two thermocouples.

Recalibration is performed automatically every 5 minutes to register the environmental
conditions at the module (e.g., temperature). This function can also be triggered from the
user program via a TRUE signal on the Recalibration input. This signal may only be present
for one cycle.

The TRUE signal on the MOS input (MOS = maintenance override switch) is used to freeze
the value on the Value and Channel Error function block outputs, while the time for test
operation is running. See also the document Maintenance Override available on the TÜV
Rheinland's website: www.tuvasi.com.


2.13 HK-LGP-3 Function Block


The function block is used to evaluate and configure the sequence of events recording and
the changeover between Modbus and LCL (logic-plan controlled logging).

Figure 24: HK-LGP-3 function block's connectors

The function block is not safety-relevant. The function block's outputs serve informative
purposes only, and no safety-related actions may be derived for the user program.

2.14 HZ-DOS-3 Function Block


The function block is used to specify which safety-related I/O modules are to be operated
in diagnostic mode only. One function block can monitor up to sixteen modules. The
function block can be used multiple times within a user program.

Figure 25: HZ-DOS-3 function block's connectors

The function block is not safety-relevant. The function block's outputs serve informative
purposes only, and no safety-related actions may be derived for the user program.

All safety-related I/O modules listed on the HZ-DOS-3 function block must not be used for
safety functions!


2.15 HZ-FAN-3 Function Block


The function block is used to evaluate and display faults that occurred in safety-related I/O
modules. One function block can monitor up to eight modules. The function block can be
used multiple times within a user program.

Figure 26: HZ-FAN-3 function block's connectors

2.15.1 Inputs
Bus No. Rack Pos. (e.g., 1306): The positions of the safety-related I/O modules are specified
as four-digit decimal numbers. Example: 1306 means cabinet 1, subrack 3, module position 06.

2.15.2 Outputs
All function block's outputs serve informative purposes only, and no safety-related actions
may be derived for the user program.


Index of Figures

Figure 1: Principle of the output module circuit with integrated safety shutdown (here with 4 output channels) . . . 37
Figure 2: Flow Diagram, Function of the Safety Tool . . . . . . . . . . . . . . . . . . . . . . . 46
Figure 3: Redundant I/O modules used for increasing availability . . . . . . . . . . . . 58
Figure 4: Example of a 1oo2 function block and function block logic . . . . . . . . . 59
Figure 5: Use of the HB-RTE-3 function block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Figure 6: Wiring of redundant sensors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Figure 7: Use of the HA-RTE-3 function block with the F 6213 or F 6214 module 60
Figure 8: Comparator element for alarming or shutting down upon reaching the allowed threshold . . . 60
Figure 9: 2oo3 function block and function block logic . . . . . . . . . . . . . . . . . . . . . 61
Figure 10: Digital fire alarm connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Figure 11: Wiring of fire alarms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Figure 12: H8-STA-3 function block's connectors. . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Figure 13: HA-LIN-3 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Figure 14: HA-PID-3 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Figure 15: HA-PMU-3 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Figure 16: HA-RTE-3 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Figure 17: HB-BLD-3 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Figure 18: HB-BLD-4 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Figure 19: HB-RTE-3 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Figure 20: HF-AIX-3 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Figure 21: HF-CNT-3 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Figure 22: HF-CNT-4 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Figure 23: HF-TMP-3 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Figure 24: HK-LGP-3 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Figure 25: HZ-DOS-3 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Figure 26: HZ-FAN-3 function block's connectors . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Index of Tables

Table 1: System designations, safety, availability and configurations. . . . . . . . . . . . . 16
Table 2: Central modules and kits for the H41q and H41qc systems . . . . . . . . . . . . . . 21
Table 3: Central modules and kits for the H51q system. . . . . . . . . . . . . . . . . . . . . . . . . 21
Table 4: Additional central modules for the H41q, H41qc and H51q systems . . . . . . . 22
Table 5: Safety and availability, differences between H41q, H41qc and H51q . . . . . . . 23
Table 6: Self-Test Routines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Table 7: Input modules for the H41q, H41qc and H51q systems . . . . . . . . . . . . . . . . . . 27
Table 8: Permitted slots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Table 9: Reaction to faults detected in safety-related digital input modules . . . . . . . . 29
Table 10: Reaction to faults detected in the safety-related F 5220 counter module . . . 30
Table 11: Reaction to faults detected in safety-related analog F 6213, F 6214 input modules . . . . . 30
Table 12: Reaction to faults detected in safety-related analog F 6217 input modules. . 31
Table 13: Reaction to faults detected in the safety-related F 6220 thermocouple input
module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Table 14: Reaction to faults detected in the safety-related analog F 6221 input module . . . . . 33
Table 15: Output modules for the H41q, H41qc and H51q systems . . . . . . . . . . . . . . . . 35
Table 16: Slots for output modules in the H41q, H41qc and H51q systems. . . . . . . . . . 36
Table 17: Types of Variables in ELOP II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Table 18: Standard function blocks, not depending on the I/O level . . . . . . . . . . . . . . . 50
Table 19: Standard function blocks, depending on the I/O level . . . . . . . . . . . . . . . . . . . 51
Table 20: Safety-Related Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Table 21: Setting for the Behavior in Case of Output Faults parameter . . . . . . . . . . . . . 53
Table 22: Assignment of software function blocks to I/O modules. . . . . . . . . . . . . . . . . 58
Sender:
Company:
Name:
Dept.:
Address:
Telephone:
Fax:
Date:

To:
HIMA Paul Hildebrandt GmbH + Co KG
Industrial Automation
Documentation
P.O. Box 1261
68777 Brühl, Germany

Dear readers,

Our manuals have been written with great care, and quality measures have been implemented to keep them up to date and avoid mistakes. However, we cannot fully preclude flaws in this manual. We appreciate any information concerning possible errors and any suggestions or recommendations for improvement.
To this end, make a copy of the affected page and send or fax it to us.
(Fax: 06202 709 199)

Object: Functions of the H41q/H51q Operating System


© by HIMA Paul Hildebrandt GmbH + Co KG

HIMA Paul Hildebrandt GmbH + Co KG
Industrial Automation
P.O. Box 1261 • 68777 Brühl
Telephone: (06202) 709-0 • Fax: (06202) 709-107
E-mail: [email protected] • Internet: www.hima.com