HI 801 003 E HIMax Safety Manual

HIMax
Safety Manual
SAFETY
All HIMA products mentioned in this manual are protected by the HIMA trademark. Unless otherwise noted,
this also applies to other manufacturers and their respective products referred to herein.
HIMax, HIMatrix, SILworX, XMR, HICore and FlexSILon are registered trademarks of
HIMA Paul Hildebrandt GmbH.
All technical specifications and notes in this manual have been written with great care and effective quality
assurance measures have been implemented to ensure their validity. For questions, please contact HIMA
directly. HIMA appreciates any suggestion on which information should be included in the manual.
Equipment subject to change without notice. HIMA also reserves the right to modify the written material
without prior notice.
For further information, refer to the HIMA DVD and our website http://www.hima.de and
http://www.hima.com.
Copyright 2016, HIMA Paul Hildebrandt GmbH

All rights reserved
Contact
HIMA contact details:
HIMA Paul Hildebrandt GmbH
P.O. Box 1261
68777 Brhl, Germany
Phone: +49 6202 709-0
Fax: +49 6202 709-107
E-mail: [email protected]
Revision
index
Changes
Type of change
technical
editorial
7.00
Revised: HIMax V7/SILworX V7, cyber security, standards, forcing

of data sources, watchdog time, response time
Deleted: Protection against manipulation
7.01
New: Gas detectors

Changed: Test conditions
8.00
New: Zone 2, HIPRO-S V2

Changed: Redundancy, fire alarm systems
8.01
Changed: Gas detectors (Chapter 14)
HI 801 003 E Rev. 8.01 (1620)
HIMax
Table of Contents
Table of Contents
1
Safety Manual
1.1
Validity and Current Version
1.2
Objectives of the Manual
1.3
Target Audience
1.4
1.4.1
1.4.2
Writing Conventions
Safety Notices
Operating Tips
8
8
9
Usage Notes for HIMax Systems
2.1
2.1.1
2.1.2
Intended Use
Scope
Environmental Conditions
10
10
10
2.2
2.2.1
2.2.2
Tasks of Operators and Machine and System Manufacturers

Connection of Communication Partners
Use of Safety-Related Communication
10
10
10
2.3
ESD Protective Measures
11
2.4
Additional System Documentation
11
Safety Concept for Using the PES
3.1
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
Safety and availability

Calculating the PFD, PFH and SFF Values
Self-Test and Fault Diagnosis
PADT
Redundancy
Structuring Safety Systems in Accordance with the Energize-to-Trip Principle
12
12
12
13
13
13
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
Time Parameters Important for Safety

Process Safety Time
Resource Watchdog Time
Watchdog Time of the User Program
Safety Time of the Resource
User Program Safety Time
Response Time
14
14
14
15
16
16
16
3.3
3.3.1
3.3.2
Proof Test (in Accordance with IEC 61508)

Proof Test Execution
Frequency of Proof Tests
16
16
17
3.4
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
Safety requirements
Hardware Configuration
Programming
Communication
Maintenance Work
Cyber Security for HIMax Systems
17
17
17
18
18
18
3.5
3.5.1
Certification
Test Conditions
20
21
Processor Module
4.1
Self-Tests
24
4.2
Reactions to Faults in the Processor Module
24
HI 801 003 E Rev. 8.01
10
12
24
Page 3 of 70
Table of Contents
HIMax
4.3
Replacing Processor Modules
24
4.4
Processor Module X-CPU 01
25
4.5
Processor module X-CPU 31
25
System Bus Module
26
5.1
Rack ID
26
5.2
Responsibility
26
Communication Module
29
Input Modules
30
7.1
General
30
7.2
Safety of Sensors, Encoders and Transmitters
30
7.3
Reaction in the Event of a Fault
31
7.4
7.4.1
7.4.2
7.4.3
Safety-Related Digital Inputs

Test Routines
Redundancy of Inputs
Surges on Digital Inputs
31
31
31
31
7.5
7.5.1
7.5.2
7.5.3
Safety-Related Analog Inputs and Proximity Switch Inputs

Test Routines
Redundancy of Analog Inputs
State of LL, L, N, H, HH in X-AI 32 01 and X-AI 32 02
31
31
31
32
7.6
7.6.1
7.6.2
7.6.3
Safety-Related Counter Inputs

Test Routines
Important Information in Connection with the X-CI 24 01 Counter Module
Redundancy of Counter Inputs
32
32
32
32
7.7
Checklists for Inputs
32
Output Modules
8.1
General
33
8.2
Safety of Actuators
33
8.3
33
8.4
8.4.1
8.4.2
8.4.3
8.4.4
Safety-Related Digital Outputs

Test Routines for Digital Outputs
Output Noise Blanking
Behavior in the Event of External Short-Circuit or Overload
Redundancy of Digital Outputs
33
34
34
34
34
8.5
8.5.1
8.5.2
Safety-Related Relay Outputs

Test Routines for Relay Outputs
Redundancy of Relay Outputs
34
34
34
8.6
8.6.1
8.6.2
8.6.3
8.6.4
8.6.5
Safety-Related Analog Outputs

Test Routines for Analog Outputs
Behavior in the Event of External Open-Circuit
Important Information in Connection with the Analog X-AO 16 01 Output Module
Redundancy of Analog Outputs
35
35
35
35
35
35
8.7
Checklists for Outputs
36
Special I/O Modules
Page 4 of 70
33
37
HI 801 003 E Rev. 8.01
HIMax
Table of Contents
9.1
9.1.1
HART Module: X-HART 32 01

Safety Function
37
37
9.2
9.2.1
9.2.2
The HIMax Overspeed Trip Module X-MIO 7/6 01

Safety Function
Redundancy
37
37
37
10
Software
10.1
Safety-Related Aspects of the Operating System
38
10.2
10.2.1
10.2.2
Safety-Related Aspects of Programming

Safety Concept of SILworX
Verifying the Configuration and the User Program
38
38
38
10.3
10.3.1
Resource Parameters
System Parameters of the Resource
39
40
10.4
10.4.1
Forcing
Forcing of Data Sources
44
45
10.5
Safe Version Comparison
45
11
User Program
11.1
General Sequence
46
11.2
11.2.1
11.2.2
11.2.3
11.2.4
11.2.5
11.2.6
11.2.7
11.2.8
11.2.9
11.2.10
11.2.11
11.2.12
Scope for Safety-Related Use

Programming Basics
Functions of the User Program
System Parameters of the User Program
Code Generation
Loading and Starting the User Program
Reload
Online Test
Test Mode
Changing the System Parameters during Operation
Project Documentation for Safety-Related Applications
Multitasking
Factory Acceptance Test and Test Authority
46
46
47
48
49
49
50
51
51
52
52
52
53
11.3
Checklist for Creating a User Program
53
12
Communication Configuration
12.1
Standard Protocols
54
12.2
Safety-Related Protocol: safeethernet
54
12.3
12.3.1
12.3.2
12.3.3
12.3.4
Worst Case Reaction Time for safeethernet

55
Calculating the Worst Case Reaction Time of 2 HIMax Controllers
55
Calculating the Worst Case Reaction Time with 1 HIMatrix Controller
56
Calculating the Worst Case Reaction Time with 2 HIMatrix Controllers or Remote I/Os
57
Calculating the Worst Case Reaction Time with 2 HIMax and 1 HIMatrix Controller 57
12.4
The HIPRO-S V2 Safety-Related Protocol
58
12.5
Safety-Related Protocol: PROFIsafe
58
13
Use in Fire Alarm Systems
59
14
ATEX-Conform Use as Safety, Controlling and

Regulating Device
61
HI 801 003 E Rev. 8.01
38
46
54
Page 5 of 70
Table of Contents
15
Page 6 of 70
HIMax
Use of HIMax Devices in Zone 2
62
Appendix
65
Glossary
65
Index of Figures
66
Index of Tables
67
Index
68
HI 801 003 E Rev. 8.01
HIMax
1 Safety Manual
Safety Manual
This manual contains information on how to operate the HIMax safety-related automation device
in the intended manner.
The following conditions must be met to safely install and start up the HIMax automation
systems, and to ensure safety during their operation and maintenance:
Knowledge of regulations.
Proper technical implementation of the safety instructions detailed in this manual performed
by qualified personnel.
HIMA will not be held liable for severe personal injuries, damage to property or the environment
caused by any of the following:
Unqualified personnel working on or with the devices.
De-activation or bypassing of safety functions.
Failure to comply with the instructions detailed in this manual.
HIMA develops, manufactures and tests the HIMax automation systems in compliance with the
pertinent safety standards and regulations. The use of the devices is only allowed if the
following conditions are met:
They are only used for the intended applications.
They are only operated under the specified environmental conditions.
They are only operated in connection with the approved external devices.
To provide a clearer exposition, this manual does not specify all details of all versions of the
HIMax automation devices. Refer to the corresponding manuals for further details.
This safety manual represents the "Original instructions" as of Machinery Directive (Directive
2006/42/EC).
The "Original documentation" for the HIMA system is written in German language. The
statements made in the German documentation shall apply.
1.1
Validity and Current Version

Rev. 8.00
This safety manual is to be preferred when the following products are

used:
HIMax operating system V8 and higher, and
SILworX V8 and higher
The most current version of this safety manual, which is indicated by the highest revision
number, is applicable and valid. The current version is available on the current HIMA DVD or
can be downloaded from the HIMA website at www.hima.com.
For details on how to use previous HIMax and SILworX versions, refer to the corresponding
previous versions of this manual.
1.2
Objectives of the Manual

This manual contains information on how to operate the HIMax safety-related automation device
in the intended manner. It provides an introduction to the safety concept of the HIMax system
and should increase the reader's safety awareness.
The safety manual is based on the contents of the certificate and of the test report for the
certificate.
HI 801 003 E Rev. 8.01
Page 7 of 70
1 Safety Manual
1.3
HIMax
Target Audience
This manual addresses system planners, configuration engineers, programmers of automation
devices and personnel authorized to start up, operate and maintain the devices and systems.
Specialized knowledge of safety-related automation systems is required.
1.4
Writing Conventions
To ensure improved readability and comprehensibility, the following writing conventions are
used in this document:
Bold
Italics
Courier
RUN
Chapter 1.2.3
To highlight important parts.

Names of buttons, menu functions and tabs that can be clicked and used
in the programming tool.
For parameters and system variables.
Literal user inputs.
Operating states are designated by capitals.
Cross-references are hyperlinks even if they are not particularly marked.
When the cursor hovers over a hyperlink, it changes its shape. Click the
hyperlink to jump to the corresponding position.
Safety notices and operating tips are particularly marked.
1.4.1
Safety Notices
The safety notices are represented as described below.
They must be strictly observed to ensure the lowest possible operating risk. The content is
structured as follows:
Signal word: warning, caution, notice

Type and source of risk
Consequences arising from non-observance
Risk prevention
SIGNAL WORD
Type and source of risk!
Consequences arising from non-observance
Risk prevention
The signal words have the following meanings:

Warning indicates hazardous situations which, if not avoided, could result in death or serious
injury.
Caution indicates hazardous situations which, if not avoided, could result in minor or modest
injury.
Notice indicates a hazardous situation which, if not avoided, could result in property damage.
NOTICE
Type and source of damage!
Damage prevention.
Page 8 of 70
HI 801 003 E Rev. 8.01
HIMax
1.4.2
1 Safety Manual
Operating Tips
Additional information is structured as presented in the following example:
The text corresponding to the additional information is located here.
Useful tips and tricks appear as follows:
TIP
The tip text is located here.
HI 801 003 E Rev. 8.01
Page 9 of 70
2 Usage Notes for HIMax Systems
HIMax
Usage Notes for HIMax Systems

All safety information, notes and instructions specified in this manual must be strictly observed.
The product may only be used if all guidelines and safety instructions are adhered to.
2.1
Intended Use
This chapter describes the conditions for using HIMax systems.
2.1.1
Scope
The safety-related HIMax controllers are certified for use in process controllers, protective
systems, burner systems and machine controllers.
Redundant operation of HIMax modules does not preclude simultaneous operation of other nonredundant modules.
2.1.1.1
Application in Accordance with the De-Energize-to-Trip Principle

The automation devices have been designed in accordance with the de-energize-to-trip
principle.
If a fault occurs, a system operating in accordance with the de-energize-to-trip principle enters
the de-energized state to perform its safety function.
2.1.1.2
Application in Accordance with the Energize-to-Trip Principle

The HIMax controllers can be used in applications that operate in accordance with the energizeto-trip principle.
A system operating in accordance with the energize-to-trip principle switches on, for instance,
an actuator to perform its safety function.
When designing the controller system, the requirements specified in the application standards
must be taken into account. For instance, line diagnosis for inputs and outputs or messages
reporting a triggered safety function may be required.
2.1.1.3

All HIMax systems with analog inputs are tested and certified for used in fire alarm systems in
accordance with DIN EN 54-2 and NFPA 72.
2.1.2
Environmental Conditions
All the environmental conditions specified in the safety manual (HI 801 001 E) must be
observed when operating the HIMax system.
2.2
Tasks of Operators and Machine and System Manufacturers

Operators as well as machine and system manufacturers are responsible for ensuring that
HIMax systems are safely operated in automated systems and plants.
Machine and system manufacturers must sufficiently validate that the HIMax systems were
properly programmed.
2.2.1
Connection of Communication Partners

Only devices with safe electrical separation may be connected to the communications
interfaces.
2.2.2
Use of Safety-Related Communication

When implementing safety-related communications between various devices, ensure that the
overall response time does not exceed the process safety time.
All calculations must be performed in accordance with the rules given in Chapter 12 and in the
communication manual (HI 801 101 E).
Page 10 of 70
HI 801 003 E Rev. 8.01
HIMax
2.3
2 Usage Notes for HIMax Systems
ESD Protective Measures

Only personnel with knowledge of ESD protective measures may modify or extend the system
or replace a module.
NOTICE
Electrostatic discharge can damage the electronic components within the controllers!
When performing the work, make sure that the workspace is free of static, and wear
an ESD wrist strap.
If not used, ensure that the module is protected from electrostatic discharge, e.g., by
storing it in its packaging.
Only personnel with knowledge of ESD protective measures may modify or extend the
system wiring.
2.4
Additional System Documentation

In addition to this manual, the following documents for configuring HIMax systems are also
available:
Name
HIMax system manual
Certificates
Version list
Manuals for the components
Communication manual
SILworX first steps manual
SILworX online help
Table 1:
Content
Hardware description of the modular system
Test results
Versions of the operating systems certified
by the TV
Description of the individual components
safeethernet and standard protocols
Use of SILworX for engineering, starting up,
testing and operating the HIMA systems.
Instructions on how to use SILworX
Document no.
HI 801 001 E
HI 801 101 E
HI 801 103 E
Overview of the System Documentation
The documents are available as PDF files on HIMA website at www.hima.com (except for the
SILworX online help).
HI 801 003 E Rev. 8.01
Page 11 of 70
3 Safety Concept for Using the PES
HIMax
Safety Concept for Using the PES

This chapter contains important general information on the functional safety of HIMax systems.
3.1

Time parameters important for safety
Proof test
Safety requirements
Certification

No imminent risk results from the HIMax systems.
WARNING
Possible physical injury caused by safety-related automation systems improperly
connected or programmed.
Check all connections and test the entire system for compliance with the specified
safety requirements before start-up!
HIMA strongly recommends replacing failed modules as soon as possible.

A replacement module that is used instead of a failed one starts operation with no operator
action. It adopts the function of the failed module, provided that is of the same type or is an
approved replacement model.
3.1.1
Calculating the PFD, PFH and SFF Values

The PFD, PFH and SFF values have been calculated for the HIMax systems in accordance with
IEC 61508.
The PFD, PFH and SFF values are provided by HIMA upon request.
A proof test interval of 10 years has been defined for the HIMax systems (offline proof test, see
IEC 61508-4, Paragraph 3.8.5).
The safety functions, consisting of a safety-related loop (input, processing unit, output and
safety communication among HIMA systems), meet the requirements described above in all
combinations.
3.1.2
Self-Test and Fault Diagnosis

The operating system of the modules executes several self-tests at start-up and during
operation. The following components are tested:
Processors
Memory areas (RAM, NVRAM)
Watchdog
Connections between modules
Individual channels of the I/O modules
If faults are detected during these tests, the defective module or the defective channel of the I/O
module is switched off. If the tests detect a module fault while starting up the module, the
module does not begin to operate.
In non-redundant systems, this means that sub-functions or even the entire PES may be shut
down. If a fault is detected in a redundant system, the redundant module or redundant channel
assumes the function to be performed.
Page 12 of 70
HI 801 003 E Rev. 8.01
HIMax

All HIMax modules are equipped with LEDs to indicate that faults have been detected. This
allows the user to quickly diagnose faults detected in a module or the external wiring.
Additionally, the user program can evaluate various system variables displaying the module
status.
Extensive diagnostics of the system performance and detected faults are stored in the
diagnostic memory of the processor module or other modules. The diagnostics can also be read
after a system fault using the PADT.
For more information on how to evaluate diagnostic messages, refer to the system manual
(HI 801 001 E).
For a very few number of component failures that do not affect safety, the HIMax system does
not provide any diagnostic information.
3.1.3
PADT
Using the PADT, the user creates the program and configures the controller. The safety concept
of the PADT supports the user in the proper implementation of the control task. The PADT
implements numerous measures to check the entered information.
3.1.4
Redundancy
To improve availability, all parts of the system containing active components can be set up
redundantly and, if necessary, replaced while the system is operating.
Redundancy does not impair safety. SIL 3 is still guaranteed even if system components are
used redundantly.
3.1.5
Structuring Safety Systems in Accordance with the Energize-to-Trip Principle

Safety systems operating in accordance with the energize-to-trip principle have the following
function:
1. The safe state of a module is the de-energized state. This state is adopted, for instance, if a
fault has occurred in the module.
2. The controller can trigger the safety function on demand by switching on an actuator.
3.1.5.1
Detection of Failed System Components

Thanks to the automatic diagnostic function, the safety system is able to detect that modules
have failed.
3.1.5.2
Safety Function in Accordance with the Energize-To-Trip Principle

The safety function is performed when the safety system energizes one or several actuators,
thus ensuring that the safe state is adopted.
The user must plan the following actions:
If I/O modules are used, redundancy groups must be configured.
Line monitoring (short-circuits and open-circuits) with input and output modules.
These must be configured accordingly.
The operation of the actuators can be monitored through a position feedback.
3.1.5.3
Redundancy of Components
It may be necessary to structure the components redundantly, refer to the system manual
(HI 801 001 E) for further details:
Power supply of the controller.
HIMax modules.
Sensors and actuators.
HI 801 003 E Rev. 8.01
Page 13 of 70
HIMax
If redundancy is lost, the controller must be repaired as soon as possible.

It is not required to design the safety system modules redundantly if, in the event of a safety
system failure, the required safety level can otherwise be achieved, e.g., by implementing
organizational measures.
3.2
Time Parameters Important for Safety

Time parameters important for safety are:
3.2.1
Process Safety Time

Watchdog Time
Safety Time
Response Time
Process Safety Time

The process safety time is a property of the process and describes the time interval during
which the process allows faulty signals to exist before the system state becomes dangerous.
A safety-related response of the HIMax PES including all delays due to sensors, actuators, input
and output modules must occur within the process safety time.
3.2.2
Resource Watchdog Time

The watchdog time is preset in SILworX in the dialog box for configuring the resource
properties. This time is the maximum permissible duration of a RUN cycle (cycle time). If the
cycle time exceeds the preset watchdog time, the processor module enters the ERROR STOP
state.
When determining the watchdog time, the following factors must be taken into account:
Time required by the application, i.e., the duration of one user program cycle.
Time required for process data communication.
Time required to synchronize the redundant processor modules.
Time internally required to perform a reload.
The setting range for the watchdog time of the resource ranges
from 6 ms to a maximum of 7 500 ms.
The default setting is 200 ms.
The following must apply for the watchdog time: watchdog time * safety time
3.2.2.1
Estimating the Watchdog Time

To ensure sufficient availability, HIMA strongly recommends the following setting:
2 * watchdog time + max. CPU cycle time + 2 * I/O cycle time safety time
Replace a redundant processor module to measure the maximum cycle time in the actual
application. Enter the determined maximum cycle time into the above formula.
If no reliable assessment of the max. CPU cycle time can be made, set the watchdog time such
that:
3 * watchdog time + 2 * I/O cycle time safety time
2 ms are set for the I/O cycle time.
Page 14 of 70
HI 801 003 E Rev. 8.01
HIMax
3.2.2.2
Precisely Determining the Watchdog Time

For time-critical applications or very large systems, it may be necessary to precisely determine
the watchdog time.
The watchdog time for a project is precisely determined by performing a test on the entire
system. During the test, all the modules are inserted in the rack. The system operates in RUN
mode with full load.
All communication links are operating (safeethernet and standard protocols).
To determine the watchdog time
1. Set the watchdog time high for testing.
2. Operate the system under full load. In the process, all communication connections must be
operating both via safeethernet and standard protocols. Frequently read the cycle time in
the Control Panel and note down the variations or load peaks of the cycle time.
3. In succession, remove and reinsert every processor module in the base plate. Prior to
removing one processor module, wait that the processor module just inserted is
synchronized.
When a processor module is inserted in the base plate, it automatically synchronizes itself with
the configuration of the existing processor modules. The time required for the synchronization
process extends the controller cycle up to the maximum cycle time.
The synchronization time increases with the number of processor modules that have already
been synchronized.
For more information on how to insert and remove a processor module, refer to the X-CPU 01
manual (HI 801 009 E) or the X-CPU 31 manual (HI 801 355 E).
4. In the diagnostic history for the non-synchronized module, read the synchronization time
from n to n+1 processor modules in every synchronization process and note it down. The
largest synchronization time value is used to determine the watchdog time.
5. Calculate the watchdog time TWD using the following equation:
TWD = TSync + TMarg + TCom + TConfig + TLatency + TPeak where
TSync
TMarg
TCom
Time determined for the processor module's synchronization

Safety margin 12 ms
The configured system parameter: Max. Com.Time Slice ASYNC [ms]
Use the Control Panel to determine the current value. Refer to the
communication manual (HI 801 101 E) for details.
TConfig The configured system parameter Max. Duration of Configuration Connections
[ms], refer to Chapter 10.3.1.2 for further details.
TLatency The configured system parameter: Maximum System Bus Latency [s] * 4
TPeak
Observed load peaks of the user programs
A suitable value can thus be determined for the watchdog time.
TIP
3.2.3
The configured watchdog time can be used as maximum cycle time in the safeethernet
configuration, see communication manual (HI 801 101 E).
Watchdog Time of the User Program

Each user program has its own watchdog and watchdog time.
The watchdog time for the user program cannot be set directly. To calculate the watchdog time
for a user program, HIMax uses the resource-specific parameter Watchdog Time [ms] and the
parameter Program's Maximum Number of CPU Cycles. Refer to Chapter 10.3 and Chapter
11.2.3 for more details.
HI 801 003 E Rev. 8.01
Page 15 of 70
HIMax
Make sure that the calculated watchdog time is not greater than the response time required for
the process portion processed by the user program.
3.2.4
Safety Time of the Resource

The safety time of the resource is the maximum permissible time within which the resource must
react to a demand. The requirements are:
Changes in process input signals from process.
Faults occurring in the resource.
The HIMax system responds to faults that may result in a safety-critical operating state within
the configured safety time of the resource. It triggers predefined fault reactions that bring the
faulty parts to the safe state. The requisites are:
No input signal delay, caused by delay elements configured in the input modules (T on,
T off).
No delay within the user program.
User program response within one PES cycle.
The following factors prolong the safety time of the resource and must be taken into account:
Physical delays at the inputs and outputs, e.g., the switching times of relays.
Delays of output signals due to output noise blanking, see Chapter 8.4.2.
In HIMax resources, the safety time can be set anywhere in the range 20...22 500 ms.
3.2.5
User Program Safety Time

The safety time for the user program cannot be set. To calculate it, HIMax uses the parameters
Safety Time of the resource and Maximum Number of Cycles. Refer to Chapter 11.2.3 and
Chapter 11.2.11 for more details.
3.2.6
Response Time
Assuming that no delay results from the configuration or the user program logic, the response
time of HIMax controllers running in cycles is twice the system cycle time.
3.3
Proof Test (in Accordance with IEC 61508)

A proof test is a periodic test performed to detect any hidden faults in a safety-related system so
that, if necessary, the system can be restored to a state where it can perform its intended
function.
HIMA safety systems must be subject to a proof test in intervals of 10 years.
This interval can often be extended by calculating and analyzing the implemented safety loops.
3.3.1
Proof Test Execution

The execution of the proof test depends on how the system (EUC = equipment under control) is
configured, its intrinsic risk potential and the standards applicable to the equipment operation
and required for approval by the responsible test authority.
According to IEC 61508 1-7, IEC 61511 1-3, IEC 62061 and VDI/VDE 2180 sheets 1 to 4, the
operator of the safety-related systems is responsible for performing the proof tests.
Page 16 of 70
HI 801 003 E Rev. 8.01
HIMax
3.3.2
Frequency of Proof Tests

The HIMA PES can be proof tested by testing the entire safety loop.
In practice, shorter proof test intervals are required for the input and output field devices (e.g.,
every 6 or 12 months) than for the HIMax controller. Testing the entire safety loop together with
a field device automatically includes the test of the HIMax controller. There is therefore no need
to perform additional proof tests of the HIMax controller.
If the proof test of the field devices does not include the HIMax controller, the HIMax controller
must be tested for SIL 3 at least once every 10 years. This can be achieved by restarting the
HIMax controller.
3.4
Safety requirements
The safety requirements specified below must be met when using the safety-related PES of the
HIMax system.
3.4.1
Hardware Configuration
Personnel configuring the HIMax hardware must observe the safety requirements specified
below.
Product-Independent Requirements
To ensure safety-related operation, only approved safety-related hardware modules and
software components may be used. The approved hardware modules and software
components are specified in the
Version List of Modules and Firmware for HIMax Systems from HIMA Paul Hildebrandt
GmbH. The latest versions can be found in the version list maintained together with the test
authority.
The operating requirements specified in this safety manual (see Chapter 2.1.2) about EMC,
mechanical, chemical, climatic influences must be observed.
Product-Dependent Requirements
Only devices that are safely separated from the power supply may be connected to the
system.
The operating requirements detailed in the system manual, particularly those concerning
supply voltage and ventilation, must be observed.
Only safety-related modules may be used to process safety-related tasks.
Only power supply units of type PELV or SELV may be used for power supply. The provided
supply voltage must be 35 V even if a fault occurs!
3.4.2
Programming
Personnel developing user programs must observe the safety requirements specified below.
Product-Independent Requirements
In safety-related applications, proper configuration of the safety-relevant system parameters
must be ensured.
In particular, this applies to the system configuration, maximum cycle time and safety time.
Requirements for Using the Programming Tool

SILworX must be used for programming.
The proper implementation of the application specifications must be validated,
verified and documented. A complete test of the logic must be performed by trial.
If the user program is changed, test at least all the parts of the logic concerned by the
changes.
HI 801 003 E Rev. 8.01
Page 17 of 70
HIMax
The system response to faults in the safe input and output modules must be defined in the
configuration in accordance with the system-specific safety-related conditions. Examples:
- Fault reaction in the user program.
- Configuration of safe initial values for variables.
3.4.3
Communication
When implementing safety-related communications between the various devices, ensure
that the system's overall response time does not exceed the process safety time. All
calculations must be performed in accordance with the rules given in 12.2.
During the transfer of (safety-related) data, IT security rules must be observed.
The transfer of safety-relevant data through public networks like the Internet is only permitted
if additional security measures such as VPN tunnel or firewall have been implemented.
If data is transferred through company-internal networks, administrative or technical
measures must be implemented to ensure sufficient protection against manipulation (e.g.,
using a firewall to separate the safety-relevant components of the network from other
networks).
Never use the standard protocols to transfer safety-related data.
Only devices with safe electrical separation may be connected to the communication
interfaces.
3.4.4
Maintenance Work
Operators are responsible for ensuring proper maintenance work. They must take the required
measures to guarantee safe operation during maintenance.
Whenever necessary, the operator must consult with the test authority responsible for the
factory acceptance test (FAT) and define administrative measures appropriate for regulating
access to the systems.
3.4.5
Cyber Security for HIMax Systems

Industrial controllers must be protected against IT-specific problem sources. Those problem
sources are:
Attackers inside and outside of the customer's plant
Operating failures
Software failures
A HIMax installation consists of the following parts to be protected:
HIMax PES
PADT
OPC server: X-OPC DA, X-OPC AE (optional)
Communication connections to external systems (optional)
The HIMax system with basic settings is already a system fulfilling the requirements for cyber
security. The relevant modules were tested by the Canadian company Wurldtech Security
Technologies Ind. in accordance with Achilles Level I.
Protective mechanisms for preventing unintentional or unapproved modifications to the safety
system are integrated into the PES and the programming tool:
Each change to the user program or configuration results in a new configuration CRC.
The operating options depend on the rights of the user logged into the PES.
The programming tool prompts the user to enter a password in order to log in to the PES.
PES data can only be accessed if the PADT is operating with the current version of the user
project (archive maintenance!).
Connection between the PADT and PES is not required in RUN and can be interrupted.
Page 18 of 70
HI 801 003 E Rev. 8.01
HIMax

The PADT can be shortly connected for maintenance work or diagnostic tasks.
All requirements about protection against manipulation specified in the safety and application
standards must be met. The operator is responsible for authorizing employees and
implementing the required protective actions.
WARNING
Physical injury possible due to unauthorized manipulation of the controller!
The controller must be protected against unauthorized access!
For instance:
Changing the default settings for login and password!
Controlling the physical access to the controller and PADT!
Careful planning should identify the measure to be taken. The required measures are only to be
taken after the risk analysis is completed. Such measures are, for example:
Meaningful allocation of user groups.
Maintained network maps help ensuring that secure networks are permanently separated
from public networks, and if required, only a well-defined connection exists (e.g., via a
firewall or a DMZ).
Use of appropriate passwords.
A periodical review of the security measures is recommended, e.g., every year.
The user is responsible for implementing the necessary measures in a way suitable for
the plant!
For more details, refer to the HIMA cyber security manual (HI 801 373 E).
HI 801 003 E Rev. 8.01
Page 19 of 70
3.5
HIMax
Certification
HIMA safety-related automation devices (programmable electronic systems, PES) of the HIMax
system have been tested and certified by TV for functional safety in accordance with
and
the standards listed below:
TV Rheinland Industrie Service GmbH

Automation, Software und Informationstechnologie
Am Grauen Stein
51105 Kln
Certificate and test report
safety-related automation devices HIMax
Intended use: "Safety-related programmable electronic system for process control, burner
management (BMS), emergency shutdown and machinery, where the demanded safe state is
the de-energized state.
Applications, where the demand state is the de-energized or energized state".
International standards:
EN / IEC 61508, Parts 1-7: 2010
EN / IEC 61511, Parts 1-3: 2004
EN / ISO 13849-1: 2008 + AC:2009
EN / IEC 62061: 2005 + AC:2010 + A1:2013
EN 50156-1: 2004
EN 12067-2: 2004
EN 298: 2012
EN 230: 2005
EN 60079-29-1: 2007
EN 50495: 2010
NFPA 85: 2011
NFPA 86: 2011
EN / IEC 61131-2: 2007
IEC 61326-3-1:2008
EN 54-2: 1997 + AC:1999 + A1:2006
NFPA 72: 2013
SIL 3
SIL 3
Performance level e
SIL CL 3
SIL 3
The following chapter contains a detailed list of all environmental and EMC tests performed.
All devices have received the
Page 20 of 70
mark of conformity.
HI 801 003 E Rev. 8.01
HIMax

To program the HIMax devices, a PADT is required, which is a PC running SILworX.
This software helps the user operate the automation devices and create safety-related
programs using function block diagrams (FBD) and sequential function charts (SFC) in
accordance with IEC 61131-3. Refer to the SILworX online help and SILworX first steps manual
(HI 801 103 E) for further details.
3.5.1
Test Conditions
The devices have been tested to meet the climatic and environmental requirements as of the
following EMC standards:
Standard
IEC/EN 61131-2
IEC/EN 61000-6-2
IEC/EN 61000-6-4
EN 298
EN 61326-1
EN 61326-3-1
EN 54-2
Table 2:
3.5.1.1
Content
Programmable controllers, Part 2
Equipment requirements and tests
EMC
Generic standards, Parts 6-2
Immunity for industrial environments
Electromagnetic Compatibility (EMC)
Generic standards Emission standard for industrial environments.
Automatic burner control systems for burners and appliances burning
gaseous or liquid fuels
Electrical equipment for measurement, control and laboratory use EMC
requirements - Part 1: General requirements
Electrical equipment for measurement, control and laboratory
use - EMC requirements - Part 3-1: Immunity requirements for safetyrelated systems and for equipment intended to perform safety-related
functions (functional safety) - General industrial applications
Fire alarm systems
Standards for EMC, Climatic and Environmental Requirements
Climatic Conditions
The following table lists the most important tests and limits for climatic conditions:
Standard
IEC/EN 61131-2
Climatic tests
Operating temperature: 0...+60 C
(Test limits: -10...+70 C)
Storage temperature: -40...+85 C
Dry heat and cold resistance tests:
+70 C / -40 C, 16 h, +85 C, 1 h
Power supply not connected
Temperature changes, withstand test:
Fast temperature changes: -40 C / +70 C power supply not connected
Immunity test
Slow temperature changes: -10 C / +70 C power supply connected
EN 54-2
Table 3:
HI 801 003 E Rev. 8.01
Cyclic damp-heat withstand tests:

+25 C / +55 C, 95 % relative humidity,
Power supply not connected
Damp-heat
93 % relative humidity, 40 C, 4 days in operation
93 % relative humidity, 40 C, 21 days, power supply not connected
Climatic Conditions
Page 21 of 70
3.5.1.2
HIMax
Mechanical Conditions
The following table lists the most important tests and limits for mechanical conditions:
IEC/EN 61131-2
Table 4:
3.5.1.3
Mechanical tests
Vibration immunity test:
5...9 Hz / 3.5 mm amplitude
9...150 Hz, 1 g, EUT in operation, 10 cycles per axis
Shock immunity test:
15 g, 11 ms, EUT in operation, 3 shocks per axis and direction
(18 shocks)
Mechanical Tests
EMC Conditions
Higher interference levels are required for safety-related systems. HIMax systems meet these
requirements in accordance with IEC 62061 and IEC 61326-3-1.
Test standards
IEC/EN 61000-4-2
IEC/EN 61000-4-3
IEC/EN 61000-4-4
IEC/EN 61000-4-5
IEC/EN 61000-4-6
IEC/EN 61000-4-16
Table 5:
Page 22 of 70
Criterion
FS
FS
FS
FS
FS
FS
FS
FS
FS
FS
FS
FS
FS
Interference Immunity Tests
IEC/EN 61000-6-4
EN 55011
Class A
Table 6:
Interference immunity tests

ESD test: 6 kV contact discharge, 8 kV air discharge
RFI test (20 V/m): 80 MHz...1 GHz, 80 % AM
RFI test (10 V/m): 1 GHz...2 GHz, 80 % AM
RFI test (3 V/m): 2 GHz...3 GHz, 80 % AM
Burst test
Supply voltage: 3 kV
Signal lines: 2 kV
Surge:
DC supply voltage: 2 kV CM, 1 kV DM
Signal lines: 2 kV CM
High frequency, asymmetrical
10 V, 150 kHz...80 MHz, 80 % AM
Supply and signal lines:
110 V, 20 dB/decade (1.515 kHz)
10 V (15150 kHz)
10 V constant (with DC, 16/3 Hz, 50/60 Hz,
150/180 Hz)
100 V temporary (1 s, with DC, 16/3 Hz, 50/60 Hz)
Noise emission tests

Emission test:
radiated, conducted
Noise Emission Tests
HI 801 003 E Rev. 8.01
HIMax
3.5.1.4
Supply Voltage
The following table lists the most important tests and limits for the device's supply voltage:
IEC/EN 61131-2
Table 7:
HI 801 003 E Rev. 8.01
Verification of the DC supply characteristics

Alternatively, the power supply must comply with the following standards:
IEC/EN 61131-2 or
SELV (Safety Extra Low Voltage) or
PELV (Protective Extra Low Voltage)
HIMax devices must be fuse protected as specified in the manual for the
X-BASE PLATE (HI 801 025 E)
Voltage range test:
24 VDC, -20...+25 % (19.2...30.0 V)
Momentary external current interruption immunity test:
DC, PS 2: 2 ms
Reversal of DC power supply polarity test:
Refer to corresponding chapter of the system manual or data sheet of
power supply.
Backup duration withstand test:
Test B, 1000 h
Verification of the DC Supply Characteristics
Page 23 of 70
4 Processor Module
HIMax
Processor Module
The processor module's safety function is maintained by processing the user program with two
processors that constantly compare their data. If a fault occurs, the watchdog sets the module to
the safe state and reports the CPU state.
Refer to the manual for further details about the processor modules.
4.1
Self-Tests
The following section specifies the most important self-test routines of controllers' safety-related
processor modules:
4.2
Processor test
Memory test
Comparator test
CRC test with non-volatile memories
Watchdog test
Reactions to Faults in the Processor Module

A hardware comparator within the processor module constantly checks whether the data from
microprocessor system 1 is identical with the data from microprocessor system 2. If they are
different, or if the test routines detect faults in the processor module, the processor module
automatically enters the ERROR STOP state.
If such a fault occurs for the first time, the controller is restarted (reboot). If a further internal fault
occurs within the first minute after start-up, the controller enters the STOP/INVALID
CONFIGURATION state and will remain in this state.
If an automatic restart is not desired, set the resource parameter Autostart to OFF.
4.3
Replacing Processor Modules

Prior to replacing a processor module, ensure that the replacement will not cause a running
HIMax system to stop.
In particular, this applies for systems running in accordance with the energize-to-trip principle.
The failure of such systems causes the loss of the safety function.
Redundant processor modules can be replaced during operation, provided that at least one
processor module that can maintain safety-related operation while the other module is being
replaced, is available.
NOTICE
Interruption of the safety-related operation possible!
Replacing a processor module with a lit or blinking Ess LED can result in the
interruption of a controller's operation.
Do not remove processor modules with a lit or blinking Ess LED.
A lit or blinking Ess LED indicates that the processor module is required for the system to
function.
Even if the LED is not lit or blinking, the system redundancies, which this processor module is
part of, must be checked using SILworX. The communication connections processed by the
processor module must also be taken into account.
Refer to the processor module manuals (HI 801 009 E and HI 801 355 E) and to the system
manual (HI 801 001 E) for more details on how to replace processor modules.
Page 24 of 70
HI 801 003 E Rev. 8.01
HIMax
4.4
4 Processor Module
Processor Module X-CPU 01

The X-CPU 01 processor module can be operated with up to 4-fold redundancy. It may be
inserted into racks 0 and 1, slots 3...6.
4.5
Processor module X-CPU 31

The X-CPU 31 processor module combines the functions of processor and system bus
modules. For this reason, it can only be inserted into slots 1 or 2 of rack 0. If so, no further
processor module can be used in slots 3...6 of racks 0 and 1!
HI 801 003 E Rev. 8.01
Page 25 of 70
5 System Bus Module
HIMax
System Bus Module

A system bus module administrates one of the two safety-related system busses. The two
system busses are redundant to one another. Each system bus interconnects the various
modules and base plates. The system busses transfer safe data using a safety-related protocol.
A HIMax system that only contains one processor module can be operated at a reduced
availability level using one system bus only.
Processor modules of type X-CPU 31 can also be used in rack 0 instead of system bus
modules. The statements made in this chapter also apply for this type of modules. The
X-CPU 31 modules require a special double-width connector board.
5.1
Rack ID
The rack ID identifies a base plate within a resource and must be unique for each base plate.
The rack ID is the safety parameter for addressing the individual base plates and the modules
mounted on them!
The rack ID is stored in the connector board of the system bus module.
The procedure for configuring the rack ID is described in the system manual (HI 801 001 E) and
in the SILworX first steps manual (HI 801 103 E).
5.2
Responsibility
Only one of the system bus module contained in each system bus may receive the Responsible
attribute and thus be configured as responsible for system bus operation.
For system bus A, the Responsible attribute is reserved for the system bus module or the
X-CPU 31 processor module in rack 0, slot 1.
The following conditions apply for system bus B:
- If X-SB 01 and X-CPU 01 are used, the attribute can be configured with SILworX.
The Responsible system bus module must either be located in rack 0, slot 2, or in rack 1,
slot 2.
- If X-CPU 31 is used, the attribute is fixed for the module in rack 0, slot 2.
Prior to starting safety-related operation, ensure the Responsible attribute is properly configured
for both system busses.
The procedure for setting the Responsible attribute is described in the SILworX first steps
manual (HI 801 103 E).
WARNING
Physical injury possible!
SILworX must be used to verify the configuration.
Proceed as follows:
In SILworX, log in to the system module in rack 0, slot 2.
In SILworX, log in to the system module in rack 1, slot 2.
Check the Control Panels of both system bus modules to ensure that the Responsible
attribute has only been set for the correct system bus module (see Figure 1 and
Figure 2)!
Page 26 of 70
HI 801 003 E Rev. 8.01
HIMax
5 System Bus Module

Recommended configurations:
If processor modules are only contained in rack 0, both system bus modules in rack 0 must
be set to Responsible (Figure 1).
If processor modules are also contained in rack 1 (Figure 2), the following system bus
modules must be set to Responsible.
- In rack 0, the system bus module in slot 1 (automatically).
- In rack 1, the system bus module in slot 2.
System Bus Module set to Responsible
Figure 1:
Recommended Configuration: All Processor Modules in Rack 0
System Bus Module set to Responsible
Figure 2:
HI 801 003 E Rev. 8.01
Recommended Configuration: Processor Modules X-CPU 01 in Rack 0 and Rack 1
Page 27 of 70
5 System Bus Module
HIMax
If X-CPU 31 processor modules are inserted in rack 0, slots 1 and 2 (Figure 3), they are
always set to Responsible. In this case, the system bus module in rack 1, slot 2, must not be
set to Responsible.
Processor Module is set to Responsible
Figure 3:
Page 28 of 70
Configuration with X-CPU 31 Processor Modules in Rack 0, Slots 1 and 2
HI 801 003 E Rev. 8.01
HIMax
6 Communication Module
Communication Module
Communication modules control both safety-related data transfer to other HIMA controllers and
non-safety-related data transfer through fieldbuses and Ethernet.
The processor module controls safety-related data traffic using the SIL 3-certified transfer
protocol safeethernet. The communication module forwards the data packets to the other
systems. The safety-related protocol ensures that corrupted messages are detected (blackchannel principle).
This allows safety-related communication via non safety-related transmission paths, i.e.,
standard network components.
The standard protocols are for instance:
- Modbus
- PROFIBUS master/slave
- Send/Receive TCP
- PROFINET IO
- SNTP
Refer to the following documents for further details on communication and communication
modules:
This manual, Chapter 12.1.

Communication module manual HI 801 011 E
Communication manual, HI 801 101 E
System manual, HI 801 001 E
HI 801 003 E Rev. 8.01
Page 29 of 70
7 Input Modules
HIMax
Input Modules
Module
Numbe Safetyr of
related
channel
s
Interference-free
channels
Remark
Digital inputs
X-DI 16 01
X-DI 32 01
X-DI 32 02
X-DI 32 03
X-DI 32 04
16
32
32
32
32
SIL 3
SIL 3
SIL 3
SIL 3
SIL 3
X-DI 32 05
32
SIL 3
X-DI 32 51
X-DI 32 52
X-DI 64 01
X-DI 64 51
Analog inputs
X-AI 16 51
X-AI 32 01
X-AI 32 02
32
32
64
64
SIL 3
-
16
32
32
SIL 1
SIL 3
SIL 3
120 VAC
24 VDC
Proximity switch (NAMUR)
48 VDC
With sequence of events
recording
Proximity switches (NAMUR),
with sequence of events
recording
24 VDC
Proximity switch (NAMUR)
24 VDC
24 VDC
0/4...20 mA
Thermocouple
X-AI 32 51
Counter inputs
X-CI 24 01
X-CI 24 51
32
24
24
SIL 3
-
Table 8:
7.1
With sequence of events

recording
Overview of the Input Modules
General
Safety-related inputs can be used for both safety-related signals and non-safety-related signals.
Non-safety-related signals, however, may not be used for safety functions!
Safety-related input modules automatically perform high-quality, cyclic self-tests during
operation.
If a fault occurs, the initial value is provided to the user program as a global variable and, if
possible, detailed fault information is issued. The user program can read out the error code and
thus evaluate this fault information.
In addition to the diagnostic LEDs, the controllers generate and save error and status
messages. The PADT can read the saved diagnostic messages.
For more information on the input modules, refer to the individual module manuals.
7.2
Safety of Sensors, Encoders and Transmitters

In safety-related applications, the PES and connected sensors, encoders and transmitters must
all meet the safety requirements and achieve the specified SIL. For information on how to
achieve the required SIL for sensors, see IEC 61511-1, Section 11.4.
Page 30 of 70
HI 801 003 E Rev. 8.01
HIMax
7.3
7 Input Modules

If the test routines detect a faulty input, the user program processes the initial value of the global
variables. The module activates the Error LED.
Failure of the overall input module causes the user program to process the initial value of the
global variables for all the inputs.
The error code and other system variables can be used to program application-specific fault
reactions. Refer to the module-specific manual for more details.
7.4
Safety-Related Digital Inputs

The digital input module reads the values at its digital inputs and provides safe values in every
processor module cycle. The module cyclically tests the inputs' safe operation.
7.4.1
Test Routines
The online test routines check whether the input channels are able to forward both signal levels
(L and H levels), irrespective of the signals actually present on the input. This functional test is
performed whenever the input signals are read.
7.4.2
Redundancy of Inputs
The digital inputs may be connected redundantly. The redundant connection is usually used to
increase the availability of the module inputs.
7.4.3
Surges on Digital Inputs

Due to the short cycle time of the HIMax systems, a surge pulse as described in EN 61000-4-5
can be read in to the digital inputs as a short-term high level.
If shielded cables are used for digital inputs, no additional precautionary measures are required
to protect against surges.
If no shielded cables are used, the channel-specific time on and time off delay must be applied
to avoid these types of faults. A signal must be present for at least a certain time period before it
is evaluated. The configured delay + 2 * I/O cycle time must be added to the response time and
to the safety time configured for the resource.
7.5
Safety-Related Analog Inputs and Proximity Switch Inputs

Analog input channels convert the measured input currents to a value of type DINT (double
integer), i.e., the raw value, and to a value of type REAL, i.e., the process value. The raw value
contains the measured input signal, whereas the process value is a scaled value.
Proximity switch inputs create a digital value by comparing the raw value with the configured
thresholds.
7.5.1
Test Routines
The module captures analog values in parallel along two paths and compares the results with
one another. Additionally, it cyclically tests the input path function.
7.5.2
Redundancy of Analog Inputs

The analog inputs may be connected redundantly. The redundant connection is usually used to
The SIL value of the X-AI 16 51 input module can be increased implementing the connection
variants described in the module-specific manual (HI 801 179 E).
HI 801 003 E Rev. 8.01
Page 31 of 70
7 Input Modules
7.5.3
HIMax
State of LL, L, N, H, HH in X-AI 32 01 and X-AI 32 02

For safety-related applications, if scalar events have been defined for the thresholds of a
channel located in an analog module (X-AI 32 01 or X-AI 32 02), the state variables -> State LL,
-> State L, -> State N, -> State H, -> State HH must be connected to Channel OK! If faults
occur, these state variables return FALSE.
7.6
Safety-Related Counter Inputs

Depending on its configuration, a safety-related counter input can return the following process
values:
A counter reading as an integer value or as a scaled floating-point value.
A rotation speed or frequency as an integer value or as a scaled floating-point value.
Additional auxiliary values such as overflow.
For further details, refer to the module-specific manual (HI 801 113 E).
7.6.1
Test Routines
The module captures the counter values in parallel along three paths and compares the results
with one another. Additionally, it cyclically tests the input path function.
7.6.2
Important Information in Connection with the X-CI 24 01 Counter Module

If the X-CI 24 01 counter module is used, the following characteristic must be observed; also
refer to the module-specific manual (HI 801 113 E):
While performing a reload, input pulses may be lost during the first 3 cycles, if the following
parameters are changed during the process:
- Counting Pulse Evaluation Type
- Channel pairs in use
If the channel sensor fails during the edge evaluation 2 Phases, 4 Edges, and no shortcircuit or open-circuit was detected, the module only registers half of the actual frequency
value.
Pulses to be counted can be lost during an automatic restart.
Automatic or manual module restart must be considered as application-specific.
Application recommendation:
- To ensure detection of a sensor failure, HIMA recommends using redundant sensors for
multiple-phase evaluation or for recognizing the rotation direction.
- Configuring noise blanking while frequencies are measured does not impair safety.
7.6.3
Redundancy of Counter Inputs

The counter inputs may be connected redundantly. The redundant connection is usually used to
7.7
Checklists for Inputs

HIMA recommends using the available checklists for engineering, programming and starting up
safety-related digital inputs. The checklists can be used for helping with planning as well as to
demonstrate later on that the planning phase was carefully completed.
When engineering or starting up the system, it is useful to fill out a checklist for each of the
safety-related input channels used in the system to verify the requirements to be met. This is the
only way to ensure that all requirements were considered and clearly recorded. The checklist
also documents the relationship between the external wiring and the user program.
The checklists are available in Microsoft Word format on the HIMA website.
Page 32 of 70
HI 801 003 E Rev. 8.01
HIMax
8 Output Modules
Output Modules
Module
Digital outputs
X-DO 12 02
X-DO 24 01
X-DO 24 02
X-DO 32 01
X-DO 32 51
Digital relay outputs
X-DO 12 01
X-DO 12 51
Analog outputs
X-AO 16 01
X-AO 16 51
Table 9:
8.1
Number of
channels
Safetyrelated
Safely galvanically
separated
Remark
12
24
24
32
32
SIL 3
SIL 3
SIL 3
SIL 3
-
24 VDC, 2 A
24 VDC
48 VDC
24 VDC
24 VDC
12
12
SIL 3
-
230 VAC
230 VAC
16
16
SIL 3
-
Pairwise
-
Overview of the Output Modules
General
The safety-related output modules are written once per cycle, the generated output signals are
read back and compared with the specified output data.
The safe state of the outputs is 0 or an open relay contact.
Using the corresponding error code, the user can program additional fault reactions in the user
program.
For more information on the output modules, refer to the individual module manuals.
8.2
Safety of Actuators
In safety-related applications, the PES and connected actuators must all meet the safety
requirements and achieve the specified SIL. For information on how to achieve the required SIL
for sensors and actuators, see IEC 61511-1, Section 11.4.
8.3

If the test routines detect a faulty output, the controller switches off the output, i.e., it enters the
safe state. The module activates the Error LED.
Failure of the overall output module causes all outputs to enter the safe state.
The error code and other system variables can be used to program application-specific fault
reactions. Refer to the module-specific manual for more details.
8.4
Safety-Related Digital Outputs

The safety-related output channels are equipped with three testable switches connected in
series. This ensures compliance with the SIL 3 requirement for a second safe independent
switch-off option. If a fault occurs, this integrated safety switch-off function safely de-energizes
the individual channels of the defective output module (de-energized state).
Additionally, the watchdog signal of the module is the second safety shutdown option: If the
watchdog signal is lost, the module immediately enters the safe state.
HI 801 003 E Rev. 8.01
Page 33 of 70
8 Output Modules
8.4.1
HIMax
Test Routines for Digital Outputs

The modules are tested automatically during operation. The main test functions are:
8.4.2
Read back of the output signal.

Checking the integrated redundant safety shutdown.
Shutdown test of the outputs.
Operating voltage monitoring.

If the output noise blanking is activated, the output module delays the switch-off reaction of a
channel.
If output noise blanking has been activated and transient interference has been
suppressed, a potential delay in the reaction to safety time - watchdog time must be
taken into account.
In all cases, the module also indicates the fault through the Error LED on the front plate.
8.4.3
Behavior in the Event of External Short-Circuit or Overload

If the output is short-circuited to L- or overloaded, the module is still safe.
In this state, the outputs are checked every few seconds to determine whether the overload is
still present. In a normal state, the outputs are switched on again.
8.4.4
Redundancy of Digital Outputs

The digital outputs may be connected redundantly. The redundant connection is usually used to
increase the availability of the module outputs.
8.5
Safety-Related Relay Outputs

Relay output modules are connected to the actuator under any of the following circumstances:
Electric separation is required.
Higher amperages are used.
Alternating currents are to be connected.
The module outputs are equipped with two safety relays with forcibly guided contacts. The
outputs can thus be used for safety shutdowns in accordance with SIL 3.
Additionally, the watchdog signal of the module is the second safety switch-off function: If the
watchdog signal is lost, the module immediately enters the safe state.
8.5.1
Test Routines for Relay Outputs

The module is tested automatically during operation. The main test functions are:
8.5.2
Reading the output signals back from the switching amplifiers located before the relays.
Testing the switching of the relays with forcibly guided contacts.
Operating voltage monitoring.
Redundancy of Relay Outputs

The digital relay outputs may be connected redundantly. The redundant connection is usually
used to increase the availability of the module outputs.
Page 34 of 70
HI 801 003 E Rev. 8.01
HIMax
8.6
8 Output Modules
Safety-Related Analog Outputs

They forward the values determined in the user program to the actuators.
The safety-related analog outputs read back their output values and compare them to the
values to be output. If the values differ, a fault reaction is triggered.
8.6.1
Test Routines for Analog Outputs

The modules are tested automatically during operation. The main test functions are:
Reading the output signals back.
If faults occur, the outputs are set to the safe value 0 mA.
8.6.2

If the output noise blanking is activated, the output module delays the switch-off reaction of a
channel.
If output noise blanking has been activated and transient interference has been
suppressed, a potential delay in the reaction to safety time - watchdog time must be
taken into account.
In all cases, the module also indicates the fault through the Error LED on the front plate.
8.6.3
Behavior in the Event of External Open-Circuit

If an open-circuit occurs, the module switches the current off for approx. 8 ms and checks if the
open-circuit is still present. If this is the case, it switches off for approx. 10 s. This process can
repeat indefinitely.
8.6.4
Important Information in Connection with the Analog X-AO 16 01 Output Module

If the analog output module is used, the following characteristic must be observed; also refer to
the module-specific manual (HI 801 111 E):
Only the connection variants specified in the module-specific manual (HI 801 111 E) may be
used!
If more than two modules are redundantly connected in series, the SELV voltage can be
exceeded!
With serial redundancy, only one channel of each group of two channels may be used!
If HART communication occurs between the connected actuator and one HART terminal, the
output signal can deviate from the full scale by up to 1 %!
If a fault occurs, the time to reach the safe state can take up to 16 ms in the worst case.
Take this time into account when defining the reaction and safety times!
The user program may not write to analog outputs in cycles shorter than 6 ms.
If faults occur, the module outputs the safe value 0 mA, even if the upper limit of the setting
range is exceeded.
8.6.5
Redundancy of Analog Outputs

The analog outputs may be connected redundantly. The redundant connection is usually used
to increase the availability of the module outputs.
HI 801 003 E Rev. 8.01
Page 35 of 70
8 Output Modules
8.7
HIMax
Checklists for Outputs

HIMA recommends using the available checklists for engineering, programming and starting up
safety-related digital outputs. The checklists can be used for helping with planning as well as to
demonstrate later on that the planning phase was carefully completed.
When engineering or starting up the system, it is useful to fill out a checklist for each of the
safety-related output channels used in the system to verify the requirements to be met. This is
the only way to ensure that all requirements were considered and clearly recorded. The
checklist also documents the relationship between the external wiring and the user program.
The checklists are available in Microsoft Word format on the HIMA website.
Page 36 of 70
HI 801 003 E Rev. 8.01
HIMax
9 Special I/O Modules
Special I/O Modules
9.1
HART Module: X-HART 32 01

The HART module serves for communicating with HART-capable sensors and actuators.
For further details, refer to the module-specific manual (HI 801 307 E).
9.1.1
Safety Function
The safety function of the X-HART module includes the following points:
HART Deactivation: If the module is shut down, the HART channels are safely deactivated in
accordance with SIL 3.
HART Filtering: HART access to HART transmitters or sensors is locked in accordance with
SIL 3.
HART communication influences the analog metrological accuracy by approx. 1 %.
There are no additional repercussions for the analog modules.
If the HART filtering function is deactivated on the HART module, the corresponding analog
sensor or actuator can be reprogrammed. This can impair safety.
9.2
The HIMax Overspeed Trip Module X-MIO 7/6 01

The module serves for monitoring the rotation speed and the emergency stop function (trip
function) of a turbine. For further details, refer to the module-specific manual (HI 801 305 E).
The module can be used to implement applications in accordance with API 670. The module
complies with the turbine requirements for rotation speed monitoring and trip routines defined in
API 670. The rotation speed monitoring and the trip routines are independent of the overall
HIMax system and the user program.
9.2.1
Safety Function
The module monitors the rotation speed of a turbine, independently of the HIMax overall system
and the user program. The module trips the turbine via the digital outputs.
Depending on the measuring input, the module measures the rotation speed and direction of a
sensor with safety-related accuracy. To determine the rotation speed, one turbine is equipped
with three sensors. The rotation speed values calculated for the three sensors are used by the
module to perform a 2oo3 evaluation. The result is provided to the safety-related X-MIO 7/6 01
processor system and the user program.
If a sensor signal fails, the module outputs a warning. If two of the three signals fail, the trip
function is triggered.
The module is equipped with safety-related digital outputs as described in Chapter 8.3.
The safety function is performed for all inputs and outputs in accordance with SIL 3. The relay
output is implemented as a potential-free, non-safety-related signaling contact (changeover).
9.2.2
Redundancy
To increase availability, the module must be used in a dual redundant structure. To this end,
only dual redundant connector boards may be used.
HI 801 003 E Rev. 8.01
Page 37 of 70
10 Software
10
HIMax
Software
The software for the safety-related automation devices of the HIMax systems consists of the
following components:
Operating system.
User program.
SILworX programming tool in accordance with IEC 61131-3
The operating system is loaded into each module of the controller. HIMA recommends using the
latest version valid for the safety-related applications. This chapter particularly describes the
operating system of the processor module.
The user program is created using the SILworX programming tool and contains the applicationspecific functions to be performed by the automation device. Parameters are also set using
SILworX.
The user program is compiled with the code generator and transferred to the non-volatile
memory automation device through an Ethernet interface.
10.1
Safety-Related Aspects of the Operating System

Each approved operating system is clearly identified by the revision number and the CRC
signature. The valid versions of the operating system and corresponding signatures (CRCs) approved by the TV for use in safety-related automation devices - are subject to a revision
control and are documented in the Version List of Modules and Firmware for HIMax Systems
from HIMA Paul Hildebrandt GmbH maintained by HIMA in co-operation with the TV.
The current version of the operating system can be read using SILworX. The users must ensure
that a valid version of the operating system has been loaded into the modules (see 11.3).
10.2
Safety-Related Aspects of Programming

When creating a user program, the requirements detailed in this section must be observed.
10.2.1
Safety Concept of SILworX

The safety concept of SILworX:
When SILworX is installed, a checksum (CRC) helps ensure the program package integrity
on the way from the manufacturer to the user.
SILworX performs validity checks to reduce the likelihood of faults while entering data.
When starting up a safety-related controller for the first time, a comprehensive functional test
must be performed to verify the safety of the entire system.
Verify that the tasks to be performed by the controller were properly implemented using the
data and signal flows.
Perform a thorough functional test of the logic by trial (see Chapter 10.2.2).
If a user program is modified, only the program components affected by the change must be
tested. To this end, the safe version comparator in SILworX can be used to determine and
display all the changes concerning the previous version.
Whenever the safety-related controller is started up, the verification and validation requirements
specified in the application standards must be observed!
10.2.2
Verifying the Configuration and the User Program

To verify that the user program created performs the required safety function, the user must
create suitable test cases for the required system specification.
Page 38 of 70
HI 801 003 E Rev. 8.01
HIMax
10 Software
An independent test of each loop (consisting of input, the key interconnections in the application
and output) is usually sufficient.
Suitable test cases must also be created for the numerical evaluation of formulas. Equivalence
class tests are useful. These are tests within defined ranges of values, at the limits of or within
invalid ranges of values. The test cases must be selected such that the calculations can be
proven to be correct. The required number of test cases depends on the formula used and must
include critical value pairs.
HIMA recommends actively performing a simulation with data sources, since this is the only way
to prove that the sensors and actuators in the system (also those connected to the system via
communication with remote I/Os) are properly wired. This is also the only way to verify the
system configuration.
SILworX can be used as testing aid for:
checking inputs
forcing outputs
This procedure must be followed both when initially creating and when modifying the user
program.
10.3
Resource Parameters
Some parameters are defined in SILworX for actions permitted during the resource's safetyrelated operation and are referred to as safety parameters.
WARNING
Physical injury possible due to defective configuration!
Neither the programming system nor the controller can verify project-specific
parameters. For this reason, enter these safety parameters correctly and verify the
whole entry upon completion of the PES load from within the PES itself.
These parameters are:
For the rack ID, refer to Chapter 5.1 and the system manual (HI 801 001 E).
Responsible attribute of system bus modules, see Chapter 5.2
The parameters marked in Table 10
Settings that may be defined for safety-related operation are not firmly bound to any specific
requirement classes. Instead, each of these must be agreed upon together with the competent
test authority for each separate implementation of the controller.
HI 801 003 E Rev. 8.01
Page 39 of 70
10 Software
10.3.1
HIMax
System Parameters of the Resource

The system parameters of the resource can be set in SILworX, in the Properties dialog box of
the resource.
Parameter
Name
System ID
[SRS]
Safety Time
[ms]
Watchdog
Time [ms]
Target Cycle
Time [ms]
Target Cycle
Time Mode
Multitasking
Mode
Max.Com.
Time Slice
ASYNC [ms]
Max.
Duration of
Configuration
Connections
[ms]
Maximum
System Bus
Latency [s]
Page 40 of 70
S 1) Description
X
X
Setting for safe

operation
Name of the resource
Arbitrary
System ID of the resource
Unique value
within the
1...65 535, default value: 60 000
The value assigned to the system ID must differ from the default value, controller
network. This
otherwise the project is not able to run!
network includes
all controllers
that can
potentially be
interconnected.
Safety time in milliseconds
Application20...22 500 ms, default value: 600 ms (changeable online)
specific
Watchdog time in milliseconds: 6...7500 ms, default value: 200 ms
Application(changeable online)
specific
Targeted or maximum cycle time, see Target Cycle Time Mode,
Application0...7500 ms, default value: 0 ms.
specific
The maximum target cycle time value may not exceed the configured
Watchdog Time [ms] minus the minimum value that can be set for
Watchdog Time [ms] (6 ms, see above); otherwise it is rejected by the
PES.
If the default value 0 ms is set, the target cycle time is not taken into
account. See Chapter 10.3.1.1. (changeable online)
Use of Target Cycle Time [ms]. (changeable online), see Chapter
Application10.3.1.1. Default value: Fixed-tolerant
specific
Mode 1
The duration of a CPU cycle is based on the required
Applicationexecution time of all user programs.
specific
Mode 2
The processor makes execution time, which lower priority
user programs do not require, available to higher priority
user programs. Operation mode for high availability.
Mode 3
The processor waits until the execution time not needed by
the user programs has expired, thus increasing the cycle.
Default value: Mode 1
Highest value in ms for the time slice used for communication during a Applicationresource cycle, refer to communication manual (HI 801 101 E),
specific
2...5000 ms, default value 60 ms.
It defines how much time within a CPU cycle is available for
Applicationconfiguration connections, 2...3500, default value: 12 ms See Chapter specific
10.3.1.2.
Maximum delay of a message between an I/O module and the

processor module. 0, 100...50 000 s, Default value: 0 s
A license is required for setting the maximum system bus
latency to a value > 0.
Applicationspecific
HI 801 003 E Rev. 8.01
HIMax
Parameter
Allow Online
Settings
10 Software
S 1) Description
X
ON:
OFF:
i
Autostart
Start Allowed
Load allowed
Reload
Allowed
Global
Forcing
Allowed
Global Force
Timeout
Reaction
All the switches/parameters listed below OFF can be changed

online using the PADT. This is only valid if the system variable
Read-only in RUN has the value OFF.
The following parameters may The following parameters may
not be changed online:
be changed online if Reload
Allowed is set to ON.
System ID
Watchdog Time (for the
Autostart
resource)
Global Forcing Allowed
Safety Time
Global Force Timeout
Target Cycle Time
Reaction
Target Cycle Time Mode
Load Allowed
Reload Allowed
If Reload Allowed is set to
OFF, they are not changeable
Start Allowed
online.
Allow Online Settings can only be set to ON via reload or if the
PES is stopped.
Default value: ON
ON:
If the processor module is connected to the supply voltage, the
user program starts automatically.
OFF: The user program does not start automatically after connecting
the supply voltage.
Default value: OFF
ON:
A cold start or warm start permitted with the PADT in RUN or
STOP
OFF: Start not allowed.
Default value: ON
ON:
Configuration download is allowed.
OFF: Configuration download is not allowed.
Default value: ON
ON:
Configuration reload is allowed.
OFF: Configuration reload is not allowed.
A running reload process is not aborted when switching to
OFF.
Default value: ON
ON:
Global forcing is permitted for this resource.
OFF: Global forcing is not permitted for this resource.
Default value: ON
Specifies how the resource should behave when the global force
timeout has expired:
Stop Forcing Only
Stop Resource
Default value: Stop Forcing Only
HI 801 003 E Rev. 8.01
Setting for safe

operation
OFF is
recommended
Applicationspecific
Applicationspecific
Applicationspecific
Applicationspecific
Applicationspecific
Applicationspecific
Page 41 of 70
10 Software
HIMax
Minimum
Configuration
Version
Fast Start-Up
1)
With this setting, code compatible with previous or newer HIMax

Applicationoperating system versions in accordance with the project requirements specific
may be generated. Default value: SILworX V8 for new projects. See
Chapter10.3.1.3.
SILworX V2 The code is generated like in SILworX V2 for HIMax prior
to V3.
SILworX V3 The code is generated like in SILworX V3 for HIMax V3.
SILworX V6 The code is generated like in SILworX V6.48 for HIMax
V6.
SILworX
The code is generated like in SILworX V6.114 for HIMax
V6b
V6.
Not applicable to HIMax.
OFF
An X in the S column means that the parameter is safety-related.
Table 10: Resource System Parameters
10.3.1.1
Use of the Parameters Target Cycle Time and Target Cycle Time Mode
These parameters can be used to constantly maintain the cycle time as close to the Target
Cycle Time [ms] value as possible. To do this, this parameter must be set to a value > 0. HIMax
then limits tasks such as reload and synchronization on the redundant modules to ensure that
the target cycle time is maintained.
The following table describes the effect of Target Cycle Time Mode.
Target Cycle
Time Mode
Fixed
Fixed-tolerant
Dynamic-tolerant
Effect on user programs.

The PES maintains the target cycle time
and extends the cycle if necessary. If the
processing time of the user programs
exceeds the target cycle time, the cycle
duration is increased.
HIMax executes the cycle as quickly as
possible.
Dynamic
Effect on reload, synchronization of

processor modules.
Reload or synchronization is not processed
if the target cycle time is not sufficient.
At most each 5th cycle may be prolonged
during reload.
One single cycle may be prolonged during
synchronization.
At most each 5th cycle may be prolonged
during reload.
One single cycle may be prolonged during
synchronization.
Reload or synchronization is not processed
if the target cycle time is not sufficient.
Table 11: Effect of Target Cycle Time Mode
10.3.1.2
Calculating the Maximum Duration of Configuration Connections [ms]

If communication is not completely processed within a CPU cycle, it is resumed in the next
following CPU cycle at the interruption point.
This slows down communication, but it also ensures that all connections to external partners are
processed equally and completely.
For firmware HIMax CPU V3, the value of the maximum duration of configuration connections in
SILworX is preset to 6 ms. The time required to process communication with external partners
may, however, exceed the default value in a CPU cycle.
For firmware HIMax CPU V4 and higher, the value of the maximum duration of configuration
connections must be set taking the defined watchdog time into account.
Page 42 of 70
HI 801 003 E Rev. 8.01
HIMax
10 Software
Suitable value: Select the value such that the cyclic processor tasks can be executed within the
time resulting from Watchdog Time - Max. Duration of Configuration Connections.
The volume of the configuration data to be communicated depends on the number of configured
remote I/Os, the existing connections to PADTs and the system modules with an Ethernet
interface.
A first setting can be calculated as follows:
For X-CPU 01: TConfig = nCom + nRIO + nPADT * 0.25 ms + 2 ms + 4*TLatency/1000
For X-CPU 31: TConfig = nCom + nRIO + nPADT * 0.25 ms + nPADT + 2 ms + 4*TLatency/1000
Where:
TConfig
nCom
nRIO
nPADT
TLatency
System parameter Max. Duration of Configuration Connections [ms]

Number of modules with Ethernet interfaces {SB, CPU, COM}
Number of configured remote I/Os
Maximum number of PADT connections = 5
The system parameter Maximum System Bus Latency [s] must be divided
by 1000 to allow the calculation in ms.
If the calculated time value is less than 6 ms, it is rounded up to 6 ms. The calculated time can
either be modified in the properties of the resource or directly online based on the figure
gathered in the online statistics.
When generating the code or converting the project, a warning message is displayed in the
PADT if the value defined for Max. Duration of Configuration Connections is less than the value
resulting from the previous formula.
i
10.3.1.3
If Max. Duration of Configuration Connections is set too low, communication between PADT
and PES runs very slow and may even fail!
Notices Concerning the Minimum Configuration Version Parameter:

In a new project, the latest Minimum Configuration Version is selected. Verify that this setting
is in accordance with the operating system version in use.
In a project converted from a previous SILworX version, the value for Minimum Configuration
Version remains the value set in the previous version. This ensures that the configuration
CRC does not change during code generation and that the generated configuration is
compatible with the operating systems of the modules.
For this reason, the value of Minimum Configuration Version should only be changed in
connection with other changes performed to the affected resource.
If features only available in higher configuration versions are used in the project, SILworX
automatically generates a higher configuration version than the preset Minimum
Configuration Version. This is indicated by SILworX at the end of the code generation. The
modules reject loading higher configuration versions that do not match their operating
system.
To remove such incompatibilities, it can be helpful to compare the information provided by
the version comparator with the overview of the module data.
If X-CPU 31 processor modules are used, Minimum Configuration Version must be set to
SILworX V6 or higher.
HI 801 003 E Rev. 8.01
Page 43 of 70
10 Software
10.3.1.4
HIMax
Rack System Variables

These variables are used to change the behavior of the controller while it is operating in specific
states.
Parameter
Function
Force Deactivation
Used to prevent forcing and to stop it

immediately
Spare 0...Spare 16
No function
Emergency Stop 1...Emergency To shut down the controller if faults
Stop 4
are detected by the user program
Read-only in RUN
After starting the controller, the
access permissions are downgraded
to Read-Only. Exceptions are forcing
and reload.
Reload Deactivation
Locks the execution of reload.
Default
setting
Setting for
safe operation
OFF
Application-specific
OFF
OFF
OFF
Table 12: System Variables of Racks

In the SILworX Hardware Editor, these system variables may be assigned global variables with
a value that is modified by a physical input or the user program logic.
10.3.1.5
Simple Example: Locking and Unlocking the PES

Locking the PES locks all functions and prevents users from accessing them during operation.
This also protects against unauthorized manipulations to the user program.
Unlocking the PES deactivates any locks previously set (e.g., to perform work on the
controller).
The three system variables Read-only in Run, Reload Deactivation and Force Deactivation may
be used to lock the PES, see Table 12.
If all three system variables are ON: no access to the controller is possible. In this case the
controller can only be put into STOP state by restarting all processor modules with the mode
switch in the Init position. Then loading a new user program is possible. The example describes
a simple case, in which a single key is used to block or permit all interventions on the PES.
Example: To make a controller lockable
1. Define a global variable of type BOOL and set its initial value to FALSE.
2. Assign the global variable as output variables to the three system variables Readonly in Run, Reload Deactivation, and Force Deactivation.
3. Assign the global variable to the channel value of a digital input.
4. Connect a key switch to the digital input.
5. Compile the program, load it on the controller, and start it.
The owner of a corresponding key is able to lock and unlock the controller. If the
corresponding digital input module fails, the controller is automatically unlocked.
This simple example can be modified using multiple global variables, digital inputs and key
switches. The permissions for forcing, reload and other operating functions can be distributed
on different keys and persons.
10.4
Forcing
Forcing is the procedure by which a variable's current value is replaced with a force value. The
variable receives its current value from a physical input, communication or a logic operation. If
the variable is forced, its value does no longer depend on the process, but is defined by the
user.
Page 44 of 70
HI 801 003 E Rev. 8.01
HIMax
10 Software
WARNING
Failure of safety-related operation possible due to forced values possible!
Forced value may lead to incorrect output values.
Forcing prolongates the cycle time. This can cause the watchdog time to be
exceeded.
Forcing is only permitted after receiving consent from the test authority responsible for
the acceptance test.
When forcing values, the person in charge must take further technical and organizational
measures to ensure that the process is sufficiently monitored in terms of safety. HIMA
recommends setting a time limit for the forcing procedure.
Refer to the system manual (HI 801 001 E) for further details on forcing.
10.4.1
Forcing of Data Sources

Changing the assignment of a forced global variable to one of the following data sources can
lead to unexpected results:
Physical inputs.
Communication protocols.
System variables.
The following sequence of actions causes a variable to be unintentionally forced:
1. A global variable A is assigned to one of the forced data sources and therefore the variable
is forced. This indeed causes the data source to be forced!
2. The assignment is removed. The data source maintains the property Forced.
3. The data source is assigned another global variable (global variable B).
4. A reload is performed to load the project change into the PES.
The newly assigned variable B results to be forced, even if this was not intended!
Workaround: First stop forcing variable A.
Which channels have been forced is displayed in the channel view of the Force Editor.
Global variables having the user program as data source retain the forced setting whenever an
assignment is changed.
10.5
Safe Version Comparison

The safe SILworX version comparison compares the following resource configuration types with
one another:
Resource configuration loaded into the controller.
Resource configuration existing in the PADT.
Exported (archived) resource configuration.
The comparison result achieves SIL 3, since it is derived from loadable files and includes the
CRCs.
To verify the program changes, the safe version comparison must be started before loading the
program into the controller. It exactly determines the changed parts of the resource
configuration. This, in turn, facilitates testing the changes and identifying the test data, and may
be submitted to the inspection authority as proof of the change.
Structured programming and the use of significant names from the first configuration version on,
facilitate understanding of the comparison result.
For details on the safe version comparison, refer to the corresponding manual (HI 801 286 E).
HI 801 003 E Rev. 8.01
Page 45 of 70
11 User Program
11
HIMax
User Program
This chapter describes the safety-related aspects that are important for the user programs.
11.1
General Sequence
General sequence for programming HIMax automation devices for safety-related applications:
1. Specify the controller functionality.
2. Write the user program.
3. Compile the user program:
the user program is error-free and can run.
4. Verify and validate the user program.
Upon completing these steps, the user program can be tested and the PES can begin the safe
operation.
11.2
Scope for Safety-Related Use

(For more on specifications, regulations and explanation of safety requirements, see Chapter
3.4)
The user program must be written using the SILworX programming tool. For further details on
the operating system released for personal computer, refer to the release documentation for the
SILworX version to be used.
The SILworX programming tool includes the following functions:
11.2.1
Input (Function Block Editor, Structured Text Editor), monitoring and documentation.
Global variables with symbolic names and data types (BOOL, UINT, etc.)
Assignment of HIMax controllers (Hardware Editor)
Compilation of user program into a format that can be loaded into the PES
Communication configuration
Programming Basics
The tasks to be performed by the controller should be defined in a specification or a
requirements specification. This documentation serves as the basis for checking its proper
implementation in the user program. The specification format depends on the tasks to be
performed. These include:
Combinational logic
- Cause/effect diagram
- Logic of the connection with functions and function blocks
- Function blocks with specified characteristics
Sequential controllers (sequence control system)
- Written description of the steps and their enabling conditions and of the actuators to be
controlled.
- Flow charts
- Matrix or table form of the step enabling conditions and the actuators to be controlled.
- Definition of constraints, e.g., operating modes, EMERGENCY STOP, etc.
Page 46 of 70
HI 801 003 E Rev. 8.01
HIMax
11 User Program
The I/O concept of the system must include the analysis of the field circuits, i.e., the type of
sensors and actuators:
Sensors (digital or analog)
- Signals during normal operation (de-energize-to-trip principle with digital sensors, 'lifezero' with analog sensors).
- Signals in the event of a fault:
- Definition of safety-related redundancies required for safety (1oo2, 2oo3).
- Monitoring of discrepancy and reaction.
Actuators
- Positioning and activation during normal operation.
- Safe reaction/positioning at shutdown or after power loss.
Programming objectives for user program
11.2.2
Easy to understand.
Easy to trace and follow.
Easy to test.
Easy to modify.
Functions of the User Program

Programming is not subject to hardware restrictions. The user program functions can be freely
programmed.
When programming, account for the de-energize-to-trip principle for the physical inputs and
outputs. Only elements complying with IEC 61131-3 together with their functional requirements
are permitted within the logic.
The physical inputs and outputs usually operate in accordance with the de-energize-to-trip
principle, i.e., their safe state is 0.
The user program may be built of logic and/or arithmetic functions irrespective of the deenergize-to-trip principle of the physical inputs and outputs.
The program logic should be clear and easy to understand and well documented to assist in
debugging. This includes the use of functional diagrams.
To simplify the logic, the inputs and outputs of all function blocks and variables can be
inverted in any given order.
The programmer must evaluate the fault signals from the inputs/outputs or from logic blocks.
HIMA recommends encapsulating functions to user-specific function blocks and functions based
on standard functions. This ensures that a user program can be clearly structured in modules
(functions, function blocks). Each module can be viewed and tested on an individual basis. By
grouping smaller modules into larger ones and then all together into a single user program, the
user is effectively creating a comprehensive, complex function.
HI 801 003 E Rev. 8.01
Page 47 of 70
11 User Program
11.2.3
HIMax

The following user program switches and parameters can be set in the Properties dialog box of
the user program:
Parameter
Function
Name
Program ID
Name of the user program

ID for identifying the program when displayed in
SILworX, 04 294 967 295.
If Code Generation Compatibility is set to SILworX V2,
only the value 1 is permitted.
Priority of the user program: 0...31
Priority
Program's
Maximum Number
of CPU Cycles
Max. Duration for
Each Cycle [s]
Maximum number of CPU cycles that a user program

cycle may encompass.
Maximum time in each processor module cycle for

executing the user program: 1...4 294 967 295 s.
Set to 0: No limitation.
Watchdog Time
Monitoring time of the user program, calculated from the
[ms] (calculated)
maximum number of cycles and the watchdog time of
the resource
Not changeable!
Classification
Classification of the user program: Safety-related or
Standard (for documentation only).
Allow Online
It enables changes of other user program switches
Settings
during operation.
It only applies if the Allowed Online Settings switch for
the resource is set to ON!
Autostart
Enabled type of Autostart:
Cold Start, Warm Start, Off.
Start Allowed
ON: The PADT may be used to start the user
program.
OFF: The PADT may not be used to start the user
program
Test Mode Allowed ON
The test mode is not permitted for the user
program.
OFF The test mode is permitted for the user program.
Reload Allowed
ON: User program reload is permitted
OFF: User program reload is not permitted
ON: Forcing permitted at program level
Local Forcing
Allowed
OFF: Forcing not permitted at program level
Local Force
Behavior of the user program after the forcing time has
Timeout Reaction expired:
Stop Forcing Only.
Stop Program.
Page 48 of 70
Setting for
safe operation
User-defined
Default
value
0
Applicationspecific
0
Applicationspecific
Applicationspecific
0 s
Applicationspecific
Safetyrelated
Applicationspecific
ON
Cold Start
Applicationspecific
ON
Applicationspecific
OFF
Applicationspecific1)
ON
Applicationspecific
OFF
OFF is
recommended
Stop
Forcing
Only.
HI 801 003 E Rev. 8.01
HIMax
11 User Program
Parameter
Function
Code Generation
Compatibility
Code generation is compatible with previous versions of

SILworX.
SILworX V7 Code generation is compatible with
and higher
SILworX V7.
V6b
SILworX V4 up to SILworX V6b.
SILworX V3.
SILworX V2.
1)
Default
value
Setting for
safe operation
SILworX V7
and higher Applicationfor new
specific
projects
Once test operation is completed, the program's cold start is necessary prior to starting safety-related
operation!
Table 13: System Parameters of the User Program
Notes specific to the Code Generation Compatibility Parameter:

In a new project, SILworX selects the latest value for the Code Generation Compatibility
parameter. This ensures that the current, enhanced features are activated and the latest
module and operating system versions are supported. Verify that this setting is in
accordance with the hardware in use.
In a project converted from a previous SILworX version, the value for Code Generation
Compatibility remains the value set in the previous version. This ensures that the
configuration CRC does not change during code generation and that the generated
configuration is compatible with the operating systems of the modules.
For this reason, the value of Code Generation Compatibility should not be changed for
converted projects.
If a Minimum Configuration Version of SILworX V4 and higher is set for a resource (see
above), the Code Generation Compatibility parameter must be set to SILworX V4 in every
user program.
11.2.4
Code Generation
The code is generated after entering the complete user program and the I/O assignments of the
controller. The code generator creates the configuration CRC.
This is a signature for the entire configuration that is issued as a 32-bit, hexadecimal code. This
includes all of the configurable or modifiable elements such as the logic, variables or switch
parameter settings.
Before loading a user program for safety-related operation, the user program must be
first compiled twice. The two generated versions must have the same CRC.
By default, SILworX automatically compiles the resource configuration twice and compares the
checksums.
The result of the CRC comparison is displayed in the Logbook.
By compiling the user program twice and comparing the checksums of the generated code, the
user can detect potential corruptions of the user program resulting from random faults in the
hardware or operating system of the PC in use.
11.2.5
Loading and Starting the User Program

The configuration can only be loaded into the PES of the HIMax system by performing a
download, if it has been set to the STOP state beforehand.
HI 801 003 E Rev. 8.01
Page 49 of 70
11 User Program
HIMax
A load process includes all user programs of the resource configuration. The system monitors
that the resource configuration is loaded completely. Afterwards, the user programs can be
started, i.e., the routine begins to be processed in cycles.
11.2.6
The PADT is only able to operate the resource, e.g., by performing a reload and forcing, if the
project loaded in the resource is opened in SILworX. Without the project in SILworX, only a
STOP of the resource is possible!
HIMA recommends performing a project data backup, e.g., on an external data storage
medium, after the user programs are loaded into the controller, even in case of reload.
This is done to ensure that the project data corresponding to the configuration loaded into the
controller remains available even if the PADT fails.
HIMA recommends performing a data backup on a regular basis also independently from the
program load.
Reload
If user programs were modified, the changes can be transferred to the PES during operation.
After being tested by the operating system, the modified user program is activated and assumes
the control task.
Observe the following points when reloading step sequence:

The reload information for step sequences does not take the current sequence status into
account. The step sequence can be accordingly changed and set to an undefined state by
performing a reload. The user is responsible for this action.
Examples:
Deleting the active step. As a result, no sequence step has the active state.
Renaming the initial step while another step is active.
As a result, a sequence has two active steps!
Observe the following points when reloading actions:

During the reload, actions are loaded with their corresponding data. All potential consequences
must be carefully analyzed prior to performing a reload.
Examples:
If a timer action qualifier is deleted due to the reload, the timer expires immediately.
Depending on the remaining settings, the Q outputs can therefore be set to TRUE.
If the status action qualifier (e.g., the S action qualifier) is deleted for a set element, the
element remains set.
Deleting a P0 action qualifier set to TRUE actuates the trigger function.
Prior to performing a reload, the operating system checks if the required additional tasks would
increase the cycle time of the current user programs to such an extent that the defined
watchdog time is exceeded. In this case, the reload process is aborted with an error message
and the controller continues operation with the previous resource configuration.
Page 50 of 70
HI 801 003 E Rev. 8.01
HIMax
11 User Program
The controller can abort a reload.

A successful reload is ensured by planning a sufficient reserve for the reload when determining
the watchdog time or temporarily increasing the controller watchdog time by a reserve.
Any temporary increases in the watchdog time must be agreed upon with the competent test
authority.
Also exceeding the target cycle time can result in a reload abort.
The reload can only be performed if the Reload Allowed system parameter is set to ON and the
Reload Deactivation system variable is set to OFF.
The user is responsible for ensuring that the watchdog time includes a sufficient reserve time.
This should allow the user to manage the following situations:
Variations in the user program's cycle time
Sudden, strong cycle loads, e.g., due to communication.
Expiration of time limits during communication.
For more details on the watchdog time, refer to Chapter 3.2.2.
11.2.7
Online Test
Online test fields (OLT fields) can be used in the user program logic to display variables while
the controller is operating.
For more information on how to use OLT fields, use OLT field as keyword in the SILworX online
help and refer to the SILworX first steps manual (HI 801 103 E).
11.2.8
Test Mode
To diagnose faults, the user program operating in test mode can be run in single steps, i.e.,
cycle for cycle. Each cycle is triggered by a command from the PADT. In the period between
two cycles, the global variables written to by the user program remain frozen. The assigned
physical outputs and communication data no longer respond to changes in the process
accordingly!
This function can only be used if the Test Mode Allowed system parameter is set to ON in the
corresponding user program.
State
OFF
ON
Description
Test mode is not possible (default setting).
Test mode is possible.
Table 14: User Program Switch Test Mode Allowed
NOTICE
Failure of safety-related operation possible!
If the user program is frozen in test mode, it cannot provide a safety-related response to
inputs and thus control the outputs! The values of the outputs cannot change in test
mode.
For this reason, test mode is not allowed during safety-related operation!
For safety-related operation, the Test Mode Allowed parameter must be set to OFF!
HI 801 003 E Rev. 8.01
Page 51 of 70
11 User Program
11.2.9
HIMax
Changing the System Parameters during Operation

The system parameters specified in Table 15 may be changed during operation (online).
A typical application case is the temporary increase of the watchdog time to be able to perform
a reload.
Prior to using an online command to set parameters, make sure that this change will not result
in a dangerous state of the plant. If required, organizational and/or technical measures must be
taken to preclude any damage. The application standards must be observed!
The safety time and watchdog time values must be checked and compared to the safety time
required by the application and to the actual cycle time. These values cannot be verified by the
PES!
The controller ensures that the watchdog time is not set to a value less than the watchdog time
value of the configuration loaded in the PES.
Parameter
System ID
Watchdog Time (for the resource)
Safety time
Target Cycle Time
Target Cycle Time Mode
Allow Online Settings
Autostart
Start Allowed
Load allowed.
Reload Allowed
Global Forcing Allowed
Global Force Timeout Reaction
Changeable in this PES state

STOP
RUN, STOP/VALID CONFIGURATION
ON->OFF: All
OFF->ON: STOP
All
All
All
All
All
All
Table 15: Online Changeable Parameters

System parameters may also be changed during operation by performing a reload.
11.2.10
Project Documentation for Safety-Related Applications

SILworX allows the user to automatically print the documentation for a project. The most
important document types include:
Interface declaration
Signal list
Logic
Description of data types
Configurations for system, modules and system parameters
Network configuration
List of signal cross-references
This documentation is required for the factory acceptance test (FAT) of a system subject to
approval by a test authority (e.g., TV).
11.2.11
Multitasking
Multitasking refers to the capability of the HIMax system to process up to 32 user programs
within the processor module.
The individual user programs can be started and stopped independently from one another.
Page 52 of 70
HI 801 003 E Rev. 8.01
HIMax
11 User Program
A user program cycle can takes multiple processor module cycles. This can be controlled with
the resource and user program parameters. SILworX uses these parameters to calculate the
user program watchdog time:
Watchdog TimeUser program = Watchdog TimeProcessor module * Maximum Number of Cycles
Operation of the individual user programs is usually interference-free and independent of one
another. However, reciprocal influence can be caused by:
Use of the same global variables in several user programs.
Unpredictably long runtimes can occur in individual user programs if no limit is configured
with Max Duration for Each Cycle.
The distribution of user program cycle over processor module cycles strongly affects the
user program response time and the response time of the variables written by the user
program!
A user program evaluates global variables written by another user program after at least one
processor module cycle. Depending on the value set in the programs for Program's
Maximum Number of CPU Cycles, the reading process may be prolonged by many
processor module cycles. The reaction to changes performed to such global variables is thus
delayed!
Refer to the system manual (HI 801 001 E) for details on multitasking
11.2.12
Factory Acceptance Test and Test Authority

HIMA recommends involving the test authority as soon as possible when designing a system
that is subject to approval.
The factory acceptance test (FAT) only applies to the user functionality, but not to the safetyrelated modules and automation devices of the HIMax system that have already been approved.
11.3
Checklist for Creating a User Program

To comply with all safety-related aspects during the programming phase, HIMA recommends
using the following checklist prior to and after loading a new or modified program. The checklist
can be used for helping with planning as well as to demonstrate later on that the planning phase
was carefully completed.
The checklist is available in Microsoft Word format on the HIMA website.
HI 801 003 E Rev. 8.01
Page 53 of 70
12 Communication Configuration
12
HIMax
Communication Configuration
In addition to using the physical input and output variables, variable values can also be
exchanged with other system through a data connection. In this case, the variables are declared
with SILworX, in the Protocols area of the corresponding resource.
12.1
Standard Protocols
Many communication protocols only ensure a non-safety-related data transmission. These
protocols can be used for the non-safety-related aspects of an automation task.
WARNING
Physical injury possible due to usage of unsafe import data!
Do not use data imported from unsafe sources for the user program's safety functions.
The following standard protocols are available:

On the Ethernet interfaces on the communication module:
- Modbus TCP (master/slave)
- Modbus, redundant (slave)
- SNTP
- Send/Receive TCP
- PROFINET IO (controller, device)
On the fieldbus interfaces (RS485) of the communication module according to the device
model:
- Modbus (master/slave)
- Modbus, redundant (slave)
- PROFIBUS DP (master/slave)
12.2
Safety-Related Protocol: safeethernet

Safety-related communication via safeethernet is certified up to SIL 3.
Use the safeethernet Editor to configure how safety-related communication is monitored.
Refer to the communication manual (HI 801 101 E) for further details on safeethernet.
The safe state may be entered inadvertently

Receive Timeout and Production Rate are safety-related parameters!
Receive Timeout is the monitoring time within which a correct response from the other PES
must be received.
If a correct response is not received from the communication partner within Receive Timeout,
HIMax terminates the safety-related communication. The input variables of this safeethernet
connection react in accordance with the preset parameter Freeze Data on Lost Connection
[ms]. The Use Initial Data setting may only be used for safety-related functions implemented
via safeethernet.
In the following equations for determining the worst case reaction time, the target cycle time can
be used instead of the watchdog time, if it is guaranteed that process module maintains the
target cycle time, even in case of reload and synchronization.
Page 54 of 70
HI 801 003 E Rev. 8.01
HIMax
In this case, the following requirements apply to the Fixed-tolerant or Dynamic-tolerant settings
of Target Cycle Time Mode:
1. Watchdog Time 1.5 * Target Cycle Time
2. Receive Timeout 5 * Target Cycle Time + 4 * Latency
Latency refers to the delay on the transport path.
3. For reload, there is either just one user program or several user programs, the cycle of which
is limited to a single processor module cycle.
12.3
Worst Case Reaction Time for safeethernet

In the following examples, the formulas for calculating the worst case reaction time only apply
for a connection with HIMatrix controllers if their programming does not include noise blanking.
These formulas always apply to HIMax controllers.
The allowed worst case reaction time depends on the process and must be agreed upon
together with the competent test authority.
Terms
Receive Timeout:
Production Rate:
Watchdog Time:
Worst Case
Reaction Time
Delay:
Monitoring time of PES 1 within which a correct response from PES 2

must be received. Otherwise, safety-related communication is terminated
after the time has expired.
Minimum interval between two data transmissions.
Maximum duration permitted for a controller's RUN cycle. The duration of
the RUN cycle depends on the complexity of the user program and the
number of safeethernet connections. The watchdog time (WDT) must be
entered in the resource properties.
The worst case reaction time is the time between a change in a physical
input signal (in) of PES 1 and a reaction on the corresponding output (out)
of PES 2.
Delay on a transport path, e.g., with a modem or satellite connection.
For direct connections, one can assume an initial delay of 2 ms.
The responsible network administrator can measure the actual delay on a
transport path.
The following conditions apply to the calculations of the maximum reaction times specified
below:
The signals transmitted over safeethernet must be processed in the corresponding
controllers within one CPU cycle.
The reaction time of the sensors and actuators must be added.
The calculations also apply to signals in the opposite direction.
12.3.1
Calculating the Worst Case Reaction Time of 2 HIMax Controllers

The worst case reaction time TR is the time between a change on the sensor input signal (in) of
controller 1 and a reaction on the corresponding output (out) of controller 2. It is calculated as
follows:
HI 801 003 E Rev. 8.01
Page 55 of 70
Input
HIMax Controller 1
Safety-Related Protocol
Figure 4:
HIMax
HIMax Controller 2
Output
Reaction Time with Interconnection of 2 HIMax Controllers
TR = t1 + t2 + t3
TR
t1
t2
t3
12.3.2
Worst Case Reaction Time

Safety time of HIMax controller 1
Receive Timeout
Calculating the Worst Case Reaction Time with 1 HIMatrix Controller

HIMax controller and a reaction on the corresponding output (out) of HIMatrix controller. It is
calculated as follows:
Input
HIMax Controller
Safety-Related Protocol
Figure 5:
HIMatrix Controller
Output
Response Time when 1 HIMax and 1 HIMatrix Controllers are Interconnected
TR = t1 + t2 + t3
TR
t1
t2
t3
Page 56 of 70

Safety time of HIMax controller
Receive Timeout
2 * Watchdog time of the HIMatrix controller
HI 801 003 E Rev. 8.01
HIMax
12.3.3
Calculating the Worst Case Reaction Time with 2 HIMatrix Controllers or

Remote I/Os
the first HIMatrix controller or remote I/O (e.g., F3 DIO 20/8 01) and a reaction on the
corresponding output (out) of the second HIMatrix controller or remote I/O (out). It is calculated
as follows:
Input
Remote I/O 2
Remote I/O 1
HIMax Controller
Output
Figure 6:
Response Time with 2 HIMatrix Controllers or Remote I/Os and 1 HIMax Controller
TR = t1 + t2 + t3 + t4 + t5
TR
t1
t2
t3
t4
t5
i
12.3.4

2 * watchdog time of the HIMatrix controller or the remote I/O 1
Receive Timeout1
2 * watchdog time of the HIMax controller.
Receive Timeout2
2 * watchdog time of the HIMatrix controller or the remote I/O 2
Remote I/O 1 and remote I/O 2 can also be identical. The time values still apply if a HIMatrix
controller is used instead of a remote I/O.
Calculating the Worst Case Reaction Time with 2 HIMax and 1 HIMatrix
Controller
the first HIMax controller and a reaction on the corresponding output (out) of the second HIMax
controller. It is calculated as follows:
Input
HIMax Controller 1
HIMatrix Controller
Figure 7:
HIMax Controller 2
Output
Response Time with 2 HIMax Controllers and 1 HIMatrix Controller
TR = t1 + t2 + t3 + t4 + t5
HI 801 003 E Rev. 8.01
Page 57 of 70
TR
t1
t2
t3
t4
t5
i
12.4
HIMax

Receive Timeout1
2 * watchdog time of the HIMatrix controller
Receive Timeout2
Both HIMax controllers, 1 and 2, can also be identical.

The HIMatrix controller can also be a HIMax controller.
The HIPRO-S V2 Safety-Related Protocol

The HIPRO-S V2 protocol is used for safety-related SIL 3 communication between HIMax PES
and HIMA PES of the HIQuad system family (H41q/H51q). The following operating systems are
required for using HIPRO-S V2:
For HIMax PES, operating system V8 or higher.
For HIQuad PES, an operating system release BS41q/51q V7.0-8 (08.xx) or higher.
The HIPRO-S V2 protocol may only be used for connecting HIQuad controllers to one another
or to HIMax controllers. Connections between HIMax controllers with one another and with
HIMatrix controllers must be established with safeethernet.
Refer to the HIPRO-S V2 manual (HI 800 722 E) for details.
12.5
Safety-Related Protocol: PROFIsafe

The requirements for using the PROFIsafe protocols are specified in the communication manual
(HI 801 101 E). These requirements must be met.
The equations for determining the worst case reaction time are also specified in the
communication manual.
Page 58 of 70
HI 801 003 E Rev. 8.01
HIMax
13
13 Use in Fire Alarm Systems

The HIMax systems may be used in fire alarm systems in accordance with DIN EN 54-2 and
NFPA 72, if line monitoring is configured for the inputs and outputs.
In this case, the user program must fulfill the requirements specified for fire alarm systems in
accordance with the standards previously mentioned.
DIN EN 54-2 requires 10 seconds as the maximum cycle time allowed for fire alarm systems.
This value can be easily met with the HIMA systems since the cycle time for these systems is in
the milliseconds range. This also applies to the safety time of 1 second (fault reaction time)
required in certain cases.
According to EN 54-2, the fire alarm system must enter the fault report state within 100 seconds
after the HIMax system has received the fault message.
The connection of fire alarms is performed in accordance with the energize-to-trip principle
using the line short-circuit and open-circuit function. To this end, the following inputs and
outputs may be used:
digital and analog inputs of input modules supporting line monitoring
digital and analog outputs of output modules supporting line monitoring
Sensor Supply
Analog Input
Ground
Detection Loop
Figure 8:
M Fire alarm
REOL
Terminating Resistor on the Last Loop
Sensor
RL Limit for the Maximum Loop Current
RShunt Shunt (see the Module-Specific
Manual)
Wiring of Fire Alarms
For the application, the REOL, RL and RShunt resistors must be calculated as dictated by the
sensors in use and the number of sensors per detection loop. Refer to the data sheet from the
sensor manufacturer for the necessary data.
The alarm outputs for controlling lamps, sirens, horns etc. are operated in accordance with the
energize-to-trip principle. These outputs must be monitored for short-circuits and open-circuits.
Additionally, line monitoring for the output modules must be configured and processed in the
user program.
A suitable user program can be used to control visual display systems, indicator light panels,
LED indicators, alphanumeric displays, audible alarms, etc.
HI 801 003 E Rev. 8.01
Page 59 of 70
13 Use in Fire Alarm Systems
HIMax
The routing of fault signal messages via input and output channels or to transmission equipment
for fault signaling must occur in accordance with the de-energize-to-trip principle.
Fire alarms can be transmitted from one HIMax system to a different system using the existing
Ethernet communication standard (OPC). Any communication loss must be reported.
HIMax systems that are used as fire alarm systems must have a redundant power supply.
Precautionary measures must also be taken against power supply drops, e.g., the use of a
battery-powered horn. Uninterrupted operation must be ensured while switching from the main
power supply to the backup power supply. Voltage drops for up to a duration of 10 ms are
permitted.
If a system failure occurs, the operating system writes to the system variables defined in the
user program. This allows the user to program fault signaling for faults detected by the system.
If a fault occurs, the HIMax system switches off the safety-related inputs and outputs with the
following effects:
The low level is processed in all channels of the faulty inputs.
All channels of the faulty outputs are switched off.
Page 60 of 70
HI 801 003 E Rev. 8.01
HIMax
14
14 ATEX-Conform Use as Safety, Controlling and Regulating Device
ATEX-Conform Use as Safety, Controlling and Regulating

Device
The following HIMax components are suitable for the intended use, i.e., for detecting and
measuring flammable gases:
X-BASE PLATE
X-SB 01
X-CPU 01, X-CPU 31
X-AI 32 01, X-AI 32 02
X-DO 24 01, X-DO 32 01
The specified HIMax components were tested in accordance with the following standards:
EN 50271:2010
EN 50495:2010
IEC / EN 60079-0:2012 + A11:2013
IEC / EN 60079-29-1:2008
The specified components meet the requirements of ATEX Directive 2014/34/EU and are safety
devices, controlling devices and regulating devices in accordance with it.
The specified components are suitable for monitoring ignition hazards in potentially explosive
atmospheres as associated apparatus or, as stationary gas detection systems, for detecting and
measuring flammable gases.
The components' hardware and software were tested for compliance with the requirements of
EN 60079-29-1 and EN 50271.
Gas sensors meeting the requirements of EN 60079-29-1 must be connected to the 4...20 mA
signal inputs. The gas sensors must be wired in compliance with the documentation and the
EU Type-Examination certificate.
The safety-relevant user program must be created using the SILworX programming tool and
taking the safety manual into account.
The safety function must be proved by verification and validation.
Specific safety information and operating instructions in accordance with ATEX Directive
2014/34/EU, Annex II (1.0.6) shall be created for the safety facility or gas warning system to be
assembled. In an additional conformity assessment procedure, a complete
EU Type-Examination certificate shall be issued for the safety facility or gas warning system
under consideration of the above-mentioned points.
HI 801 003 E Rev. 8.01
Page 61 of 70
15 Use of HIMax Devices in Zone 2
15
HIMax
Use of HIMax Devices in Zone 2

HIMax components are suitable for mounting in the explosive atmospheres of Zone 2. In
addition to the specific conditions, the mounting and installation instructions provided in the
system manual (HI 801 001 E) and in the module-specific manuals must be observed.
The Declaration of Conformity for the HIMax components is available on the HIMA website, at
www.hima.de and www.hima.com.
HIMax components meet the requirements of the following directives and standards:
Directive
IECEx
ATEX 2014/34/EU
IECEx
ATEX 2014/34/EU
Standard
IEC 60079-0:2011
EN 60079-0:2012 +
A11:2013
IEC 60079-15:2010
EN 60079-15:2010
Description
Explosive atmospheres - Part 0:
Equipment - General requirements
Explosive atmospheres - Part 15:
Equipment protection by type of
protection "n"
Table 16: Standard for HIMax Components in Zone 2

The HIMax components are provided with one of the following Ex marking:
II 3G Ex nA IIC T4 Gc
II 3G Ex nA nC IIC T4 Gc
Marking
Description
Explosion protection marking in accordance with directive.
II
Equipment group, for all areas with explosive atmosphere, other than
underground mines.
Equipment category, for use in areas in which explosive gas atmosphere is
unlikely to occur or, if it does occur, will persist for a short period only.
Explosion protection marking in accordance with IECEx standard.
Type of protection for non-sparking equipment.
Type of protection for sparking equipment.
Gas group for explosive gas atmospheres, typical gas is hydrogen.
Temperature class T4, with a maximum surface temperature of 135 C.
Equipment protection level, it corresponds to ATEX equipment category 3G
3G
Ex
nA
nC
IIC
T4
Gc
Table 17: Ex Marking Description for HIMax Components
Page 62 of 70
HI 801 003 E Rev. 8.01
HIMax
Specific Conditions
1. The HIMax components must be mounted in an enclosure that meets the
EN 60079-15/EN 600079-15 requirements with degree of protection IP54 or better.
2. The enclosure must be provided with the following label:
WARNING: Work is only permitted in the de-energized state
3.
4.
5.
6.
Exception:
If a potentially explosive atmosphere has been precluded, work can be also performed when
the device is under voltage.
The HIMax components are designed for operation not exceeding pollution degree 2.
The enclosure in use must be able to safely dissipate the generated heat. Refer to Table 18
for details on the power dissipation of HIMax components.
The supply voltages must be taken from power supply units with safe separation. Use power
supply units of type PELV or SELV only.
The operating conditions specified in the module manuals must be observed.
Applicable standards:
IEC 60079-14: 2013
Explosive atmospheres - Part 14: Electrical installations design,
selection and erection
EN 60079-14: 2014
The requirements for type of protection "n" must be observed.
HI 801 003 E Rev. 8.01
Page 63 of 70

Component
CB / FTA for X-AI 32 01
CB / FTA for X-DI 32 02
CB / FTA for X-DI 32 05
CB / FTA for X-AI 32 02
X-AI 16 51
X-AI 32 01
X-AI 32 02
X-AI 32 51
X-AO 16 01
X-AO 16 51
X-BASE PLATE
X-CI 24 01
X-CI 24 51
X-COM 01
X-CPU 01
X-CPU 31
X-DI 16 01
X-DI 32 01
X-DI 32 02
X-DI 32 03
X-DI 32 04
X-DI 32 05
X-DI 32 51
X-DI 32 52
X-DI 64 01
X-DI 64 51
X-DO 12 01
X-DO 12 02
X-DO 12 51
X-DO 24 01
X-DO 24 02
X-DO 32 01
X-DO 32 51
X-FAN 10 01
X-FAN 10 03
X-FAN 15 01
X-FAN 15 02
X-FAN 15 03
X-FAN 15 04
X-FAN 18 01
X-FAN 18 03
X-FTA 005 02L (X-DO 12 01)
X-HART 32 01
X-MIO 7/6 01
X-SB 01
HIMax
Max. power dissipation
3W
3W
3W
3W
11 W
21 W
21 W
14 W
38 W
13 W
15 W
21 W
12 W
9W
41 W
21 W
33 W
15 W
23 W
17 W
15 W
23 W
13 W
10 W
21 W
15 W
51 W
38 W
32 W
29 W
34 W
34 W
31 W
28 W
7W
41 W
41 W
9W
9W
55 W
12 W
7W
9W
45 W
21 W
Table 18: Power Dissipation of the HIMax Components
Page 64 of 70
HI 801 003 E Rev. 8.01
HIMax
Appendix
Appendix
Glossary
Term
AI
AO
ARP
COM
Connector board
CRC
DI
DO
EMC
EN
ESD
FB
FBD
ICMP
IEC
Interference-free
MAC Address
PADT
PE
PELV
PES
R
R/W
Rack ID
rP
SB
SELV
SFF
SIL
SILworX
SNTP
SRS
SW
TMO
W
Watchdog (WD)
WDT
HI 801 003 E Rev. 8.01
Description
Analog input
Analog output
Address resolution protocol, network protocol for assigning the network addresses to
hardware addresses
Communication module
Connector board for the HIMax module
Cyclic redundancy check
Digital input
Digital output
Electromagnetic compatibility
European norm
Electrostatic discharge
Fieldbus
Function block diagrams
Internet control message protocol, network protocol for status or error messages
International electrotechnical commission
Inputs are designed for interference-free operation and can be used in circuits with
safety functions.
Media access control address, hardware address of one network connection.
Programming and debugging tool (in accordance with IEC 61131-3)
PC with SILworX
Protective earth
Protective extra low voltage
Programmable electronic system
Read
Read/Write
Base plate identification (number)
Peak value of a total AC component
System bus (module)
Safety extra low voltage
Safe failure fraction, portion of faults that can be safely controlled.
Safety integrity level (in accordance with IEC 61508)
Programming tool for HIMax
Simple network time protocol (RFC 1769)
System.Rack.Slot addressing of a module
Software
Timeout
Write
Time monitoring facility for modules or programs. If the watchdog time is exceeded, the
module or program enters the error stop state.
Watchdog time
Page 65 of 70
Appendix
HIMax
Index of Figures
Figure 1:
Recommended Configuration: All Processor Modules in Rack 0
27
Figure 2:
Recommended Configuration: Processor Modules X-CPU 01 in Rack 0 and Rack 1
27
Figure 3:
Configuration with X-CPU 31 Processor Modules in Rack 0, Slots 1 and 2
28
Figure 4:
Reaction Time with Interconnection of 2 HIMax Controllers
56
Figure 5:
Response Time when 1 HIMax and 1 HIMatrix Controllers are Interconnected
56
Figure 6:
Response Time with 2 HIMatrix Controllers or Remote I/Os and 1 HIMax Controller
57
Figure 7:
Response Time with 2 HIMax Controllers and 1 HIMatrix Controller
57
Figure 8:
Wiring of Fire Alarms
59
Page 66 of 70
HI 801 003 E Rev. 8.01
HIMax
Appendix
Index of Tables
Table 1:
Overview of the System Documentation
11
Table 2:
Standards for EMC, Climatic and Environmental Requirements
21
Table 3:
Climatic Conditions
21
Table 4:
Mechanical Tests
22
Table 5:
Interference Immunity Tests
22
Table 6:
Noise Emission Tests
22
Table 7:
Verification of the DC Supply Characteristics
23
Table 8:
Overview of the Input Modules
30
Table 9:
Overview of the Output Modules
33
Table 10:
Resource System Parameters
42
Table 11:
Effect of Target Cycle Time Mode
42
Table 12:
System Variables of Racks
44
Table 13:
49
Table 14:
User Program Switch Test Mode Allowed
51
Table 15:
Online Changeable Parameters
52
Table 16:
Standard for HIMax Components in Zone 2
62
Table 17:
Ex Marking Description for HIMax Components
62
Table 18:
Power Dissipation of the HIMax Components
64
HI 801 003 E Rev. 8.01
Page 67 of 70
Appendix
HIMax
Index
CRC ............................................................ 49
De-energize-to-trip principle ........................ 10
Energize-to-trip principle ............................. 10
ESD protection ............................................ 11
Fault reactions
inputs ....................................................... 31
outputs..................................................... 33
Functional test of the controller ................... 38
Hardware Editor .......................................... 44
LED Ess ...................................................... 24
Multitasking ................................................. 52
Online test field ........................................... 51
Output noise blanking ........................... 34, 35
Process safety time ..................................... 14
Proof test..................................................... 16
Rack ID ....................................................... 26
Redundancy ................................................ 13
Response time ............................................ 16
Page 68 of 70
Responsible................................................ 26
Safety concept............................................ 38
Safety function............................................ 37
Safety time ................................................. 16
Self-test ...................................................... 12
Specific conditions...................................... 63
Test conditions
climatic .................................................... 21
EMC ........................................................ 22
mechanical.............................................. 22
supply voltage ......................................... 23
To make a controller lockable .................... 44
Version list .................................................. 38
Watchdog time
determination .......................................... 15
resource .................................................. 14
user program .......................................... 15
HI 801 003 E Rev. 8.01
HI 801 003 E
2016 HIMA Paul Hildebrandt GmbH
HIMax and SILworX are registered trademark of:
HIMA Paul Hildebrandt GmbH
Albert-Bassermann-Str. 28
68782 Brhl, Germany
Phone: +49 6202 709-0
Fax: +49 6202 709-107
[email protected]
www.hima.com

HI 801 003 E HIMax Safety Manual

Uploaded by

Copyright:

Available Formats

HI 801 003 E HIMax Safety Manual

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HI 801 003 E HIMax Safety Manual

Uploaded by

Copyright:

Available Formats

HIMax

Copyright 2016, HIMA Paul Hildebrandt GmbH

Revised: HIMax V7/SILworX V7, cyber security, standards, forcing

New: Gas detectors

New: Zone 2, HIPRO-S V2

Changed: Gas detectors (Chapter 14)

HI 801 003 E Rev. 8.01 (1620)

Validity and Current Version

Objectives of the Manual

Usage Notes for HIMax Systems

Tasks of Operators and Machine and System Manufacturers

ESD Protective Measures

Additional System Documentation

Safety Concept for Using the PES

Safety and availability

Time Parameters Important for Safety

Proof Test (in Accordance with IEC 61508)

Reactions to Faults in the Processor Module

HI 801 003 E Rev. 8.01

Replacing Processor Modules

Processor Module X-CPU 01

Processor module X-CPU 31

System Bus Module

Safety of Sensors, Encoders and Transmitters

Reaction in the Event of a Fault

Safety-Related Digital Inputs

Safety-Related Analog Inputs and Proximity Switch Inputs

Safety-Related Counter Inputs

Checklists for Inputs

Reaction in the Event of a Fault

Safety-Related Digital Outputs

Safety-Related Relay Outputs

Safety-Related Analog Outputs

Checklists for Outputs

Special I/O Modules

HART Module: X-HART 32 01

The HIMax Overspeed Trip Module X-MIO 7/6 01

Safety-Related Aspects of the Operating System

Safety-Related Aspects of Programming

Safe Version Comparison

Scope for Safety-Related Use

Checklist for Creating a User Program

Safety-Related Protocol: safeethernet

Worst Case Reaction Time for safeethernet

The HIPRO-S V2 Safety-Related Protocol

Safety-Related Protocol: PROFIsafe

Use in Fire Alarm Systems

ATEX-Conform Use as Safety, Controlling and

HI 801 003 E Rev. 8.01

Use of HIMax Devices in Zone 2

HI 801 003 E Rev. 8.01

Validity and Current Version

This safety manual is to be preferred when the following products are

Objectives of the Manual

HI 801 003 E Rev. 8.01

To highlight important parts.

Safety notices and operating tips are particularly marked.

Signal word: warning, caution, notice

The signal words have the following meanings:

HI 801 003 E Rev. 8.01