
Report to the Certificate Z10 09 07 67803 004

Safety-Related Programmable Systems
SIMATIC S7 F/FH Systems

Manufacturer:
Siemens AG
Industry Sector IA AS
Gleiwitzer Str. 555
D-90475 Nürnberg

Report No.: SN73321C
Revision 2.0 dated 2009-07-20

Testing Body:
TÜV SÜD Automotive GmbH
Electronics Safety
Ridlerstraße 57
D-80339 München

Accredited Testing Body for Functional Safety

Distribution, copying or any other use of information in this report in part is strictly prohibited.
Revision Log (Version / Name / Date / Changes-History)

1.0  R. Faller  30.11.1999
     Initial
1.1  P. Müller  18.12.2000
     LS 2
1.3  P. Müller  15.11.2001
     Section 5.4 added and modified
1.4  A. Beer, M. Weber  23.04.2003
     • Product name
     • Definition of terms; 1oo1D and 1oo2D added
     • Section 2.2
     • General application condition added
     • New software version V5.2 added
     • Restriction 5.4.1 modified
1.5  A. Beer, M. Weber  03.06.2004
     Make reference to "Annexes" (instead of a particular annex) when the annex refers to a software component revision information.
1.6  F. Rauch  30.06.2005
     SP2: The standards EN 54-2:1997, EN 54-4:1997, NFPA 72:2002 and NFPA 85:2004 were included and EN 298 was updated to 2003 in section 3.6.
1.7  P. Weiß  28.09.2007
     • Layout
     • Make reference to "Annexes" (instead of a particular annex) when the annex refers to a hardware component revision information
     • In chapter 2.2 "rückwirkungsfrei" deleted
2.0  F. Rauch, J. Blum  2009-07-20
     The report and certification no. have changed due to the update of the referenced certificate. This report is based on the certificate report 10042360 1.7 from 2007-09-28. The certificate Z10 09 07 67803 004 is replaced by Z2 03 04 38282 002.
     Standards updated: NFPA 72; NFPA 85; IEC 61131-2; EN 60204-1; VDI/VDE 2180; EN 230; EN 54-2; EN 50159-1; EN 50159-2; EN 55011; ANSI/ISA-84.00.01; EN 50156-1
     New standards considered: UL 1998; IEC 61784-3; IEC 61784-3-3; 2006/95/EC (former 73/23/EEC; 93/68/EEC); UL 508; EN 61000-6-2; EN 61000-6-4; ISO 13849-1; 2006/42/EC (former 98/37/EEC); NFPA 79; IEC 62061; IEC 61511
     Standards deleted: EN 50178; DIN V 19250; DIN V VDE 0801; IEC 61508-4; IEC 61508-5; IEC 61508-6; IEC 61508-7; DIN VDE 0110; EN 60068; EN 50081-2; EN 50082-2; DIN V 19251; NE 31; ENV 1954; DIN VDE 0116; EN 54-4

TÜV SÜD Automotive GmbH    Report No.: SN73321C
Electronics Safety         Revision 2.0
Ridlerstraße 57            J. Blum, F. Rauch
D-80339 München            2009-07-20
Phone: +49 (89) 5791-1393; Fax: -4438    Page 2 of 22
Content                                                          Page

1   PURPOSE AND SCOPE ............................................... 4
1.1 DEFINITION OF TERMS ............................................. 4
2   SYSTEM OVERVIEW ................................................. 6
2.1 SYSTEM ARCHITECTURE ............................................. 6
2.2 HARDWARE COMPONENTS UNDER CERTIFICATION ......................... 8
2.3 SOFTWARE COMPONENTS UNDER CERTIFICATION ......................... 8
2.4 SAFETY MANUAL .................................................. 10
3   CERTIFICATION REQUIREMENTS ..................................... 11
3.1 BASIS OF CERTIFICATION ......................................... 11
3.2 CERTIFICATION DOCUMENTATION .................................... 12
3.3 FUNCTIONAL SAFETY .............................................. 12
3.4 BASIC SAFETY ................................................... 13
3.5 ELECTROMAGNETIC COMPATIBILITY .................................. 13
3.6 APPLICATION STANDARDS .......................................... 13
4   RESULTS ........................................................ 16
4.1 FUNCTIONAL SAFETY .............................................. 16
4.2 BASIC SAFETY AND ELECTROMAGNETIC COMPATIBILITY ................. 18
4.3 PRODUCT SPECIFIC QUALITY ASSURANCE AND CONTROL ................. 19
5   IMPLEMENTATION CONDITIONS AND RESTRICTIONS ..................... 20
5.1 GENERAL APPLICATION CONDITIONS ................................. 20
5.2 GENERAL COMMISSIONING CONDITIONS ............................... 20
5.3 GENERAL RUN-TIME CONDITIONS .................................... 21
5.4 PRODUCT-RELATED CONDITIONS ..................................... 21
6   CERTIFICATE NUMBER ............................................. 22

1 Purpose and Scope
TÜV SÜD Automotive GmbH has been contracted by Siemens AG to certify the Safety-Related
Programmable Systems SIMATIC S7 F/FH Systems.
This report summarizes the user related results of the tests and inspections performed on the
SIMATIC S7 F/FH Systems based on the certification requirements outlined under clause 3.1
and reported by the documentation listed under clause 3.2.

1.1 Definition of Terms

The following terms are used in this report with a meaning defined as follows:

Functional Safety: The ability of a safety-related system to carry out the actions necessary to achieve a (defined) safe state for the equipment under control (EUC) or to maintain the safe state for the EUC.

CFC: Continuous Function Chart

Multiple fault occurrence time: The multiple-fault occurrence period denotes a time frame in which the probability of the appearance of combination-wise safety-critical multiple faults is sufficiently low for the considered requirement class. The period of time begins with the last point in time at which the considered system was in an assumed fault-free condition according to the considered requirements class. The definition of this time is not system specific. A general recommendation is to assume this time to be magnitudes (2 to 3) below the specified MTBF time.

Fault tolerance time: The fault-tolerance time denotes a characteristic of the process and describes the period of time in which the process can be controlled by a faulty control-output signal without entering a dangerous condition.

Interference free: Property of a unit not to cause a faulty state in connected units even if it fails.

Probability of Failure on Demand (PFD): Average probability of failure of a system to perform its design functions on demand.

Probability of dangerous failure per hour (PFH): The probability of a dangerous failure per hour (in the case of high demand or continuous mode).

1oo2D: This architecture consists of two channels connected in parallel. During normal operation, both channels need to demand the safety function before it can take place. In addition, if the diagnostic tests in either channel detect a fault then the output voting is adapted so that the overall output state then follows that given by the other channel. If the diagnostic tests find faults in both channels or a discrepancy that cannot be allocated to either channel, then the output goes to the safe state. In order to detect a discrepancy between the channels, either channel can determine the state of the other channel via a means independent of the other channel.

1oo1D: This architecture consists of a single channel connected to an independent diagnostic circuit (not self-diagnostics). If the diagnostic circuit detects a hidden fault in the channel it asserts the safe state via a means independent of the channel.
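The voting rules in the 1oo2D and 1oo1D definitions above can be stated as a small executable model. The following is an added example, not code from the report or from Siemens; the `Channel` structure, the scenario labels and the channel states are constructed for the demonstration, and "safe state" is taken to mean the de-energised output.

```python
# Added illustrative model (not Siemens code) of the 1oo2D and 1oo1D voting
# behaviour described in the definitions above. The channel states below are
# constructed scenarios.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Channel:
    demands_safety: bool  # this channel asks for the safe state (e.g. trip) in this cycle
    diag_fault: bool      # this channel's own diagnostic tests have found a fault in it


def vote_1oo2d(a: Channel, b: Channel) -> Tuple[bool, str]:
    """1oo2D voting. Returns (go_to_safe_state, reason).

    Normal operation: both channels must demand the safety function.
    One channel diagnosed faulty: the output follows the other channel.
    Both channels faulty, or a discrepancy that cannot be allocated: safe state.
    """
    if a.diag_fault and b.diag_fault:
        return True, "both channels faulty -> safe state"
    if a.diag_fault:
        return b.demands_safety, "channel A faulty -> output follows channel B"
    if b.diag_fault:
        return a.demands_safety, "channel B faulty -> output follows channel A"
    # Each channel can read the other's state via an independent means, so a
    # disagreement is detectable. With no fault found in either channel it
    # cannot be allocated to one of them, so the output goes to the safe state.
    if a.demands_safety != b.demands_safety:
        return True, "unallocated discrepancy -> safe state"
    return a.demands_safety, "normal operation: both channels agree"


def vote_1oo1d(channel_demands_safety: bool, diag_detects_fault: bool) -> Tuple[bool, str]:
    """1oo1D: a single channel plus an independent diagnostic circuit that can
    assert the safe state on its own, separate path."""
    if diag_detects_fault:
        return True, "independent diagnostic circuit asserts safe state"
    return channel_demands_safety, "single channel output"


def run_1oo2d_scenarios() -> List[Tuple[str, bool]]:
    """Constructed cycles covering each rule; returns (label, safe_state) pairs."""
    cases = [
        ("healthy, no demand", Channel(False, False), Channel(False, False)),
        ("healthy, both demand", Channel(True, False), Channel(True, False)),
        ("healthy, disagree", Channel(True, False), Channel(False, False)),
        ("A faulty, B no demand", Channel(True, True), Channel(False, False)),
        ("A faulty, B demands", Channel(False, True), Channel(True, False)),
        ("both faulty", Channel(False, True), Channel(False, True)),
    ]
    return [(label, vote_1oo2d(a, b)[0]) for label, a, b in cases]


if __name__ == "__main__":
    for label, safe in run_1oo2d_scenarios():
        print(f"{label:24s} -> {'SAFE STATE' if safe else 'output energised'}")
```

The "healthy, disagree" case lands in the safe state whether it is treated as an unallocated discrepancy or simply as one channel not demanding the function; the returned reason string keeps the two cases apart, which is what a diagnostic log would need.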


2 System Overview
2.1 System Architecture
The SIMATIC S7 F/FH Systems are safety-related fail-safe programmable electronic systems
(PES) that are suitable for safety-related applications with a high level of potential danger, e.g.
controllers for offshore processes, chemical processes.

[Figure: System Architecture for S7 F. Elements shown: Operator Station (system visualization); S7-400F programmable controller; programming device; fail-safe I/O modules (optionally redundant); standard I/O modules (optionally redundant).]

[Figure: System Architecture for S7 FH. Elements shown: redundant system bus (PROFIBUS or Ethernet); Operator Station (system visualization); S7-400FH programmable controller; fail-safe I/O modules (optionally redundant); redundant PROFIBUS-DP; standard I/O modules (optionally redundant); FM.]


The SIMATIC S7 F/FH Systems consist of 1 or 2 "S7-400 CPUs" (central processing units) respectively that are suitable for safety-related applications and "Fail-Safe I/O Modules" (F-I/O). Safety critical input signals are read from the process with the F-I/O or read from other F-CPUs via safety-related communication.
Safety critical output signals are sent from the F-CPU to the F-I/O or to other F-CPUs via safety-related communication. The F-I/O is responsible for the safety-related output to the process.
The S7-400 F-CPU implements a 1oo1D structure with diverse application software on a single channel hardware. Fault detection is implemented by comparison of the diverse application software results in the CPU and the independent F-I/O, internal self-tests and program and data flow monitoring in the CPU, and fault monitoring by the F-I/O.


The following failure control measures are implemented in the CPU:

• redundant execution with data and code redundancy and diversity and comparison of the diverse results
• self-test of safety-related operations in each cycle
• program and data flow monitoring

Checking of this and fault reaction is done directly by the CPU itself as well as indirectly by the recipients of the CPU's safety-related outputs, i.e. the fail-safe output modules and other CPUs. In addition the CPU performs self-tests in the background and uses two independent time bases. One CPU is sufficient to achieve the certified functional safety. In the S7 FH two redundant CPUs are used in a 2oo2 of 1oo1D configuration to increase availability. The second channel of the I/O module implements an independent comparison and diagnostic entity and allows the D designator for the 1oo1 hardware CPU architecture.
The F-I/O modules are in an internal 1oo2D structure (two channels with comparison). One F-I/O module is sufficient to achieve the certified functional safety. Optionally two redundant F-I/O modules are used in a 2oo2 of 1oo2D configuration to increase availability.
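To make the three failure-control measures concrete (redundant execution on diversely represented data with comparison of the results, a per-cycle self-test, and program flow monitoring), the following added example models one cycle of a simple high-level trip function. It is illustrative code, not the report's or Siemens' implementation: the ones'-complement encoding, the block names, the trip function and the injected faults are all constructed for this demonstration.

```python
# Added illustrative model (not Siemens code) of the CPU failure-control
# measures listed above: the safety logic runs twice on diversely encoded
# data, the diverse results are compared, the comparator is self-tested every
# cycle and program flow is monitored. Encoding, block names and the injected
# faults are constructed for this example.
from typing import List, Optional, Tuple

WIDTH = 16
MASK = (1 << WIDTH) - 1
SAFE_OUTPUT = 0          # '0' state = de-energised = safe


def encode_diverse(x: int) -> int:
    """Diverse data representation: ones' complement of a 16-bit value."""
    return (~x) & MASK


def decode_diverse(xc: int) -> int:
    return (~xc) & MASK


class FlowMonitor:
    """Records the block sequence actually executed and checks it against the
    sequence expected for one cycle (program flow monitoring)."""

    def __init__(self, expected: List[str]) -> None:
        self.expected = expected
        self.trace: List[str] = []

    def checkpoint(self, block_id: str) -> None:
        self.trace.append(block_id)

    def ok(self) -> bool:
        return self.trace == self.expected


def high_trip_plain(level: int, limit: int, fm: FlowMonitor) -> int:
    """Channel 1: returns 0 (trip) when level exceeds limit, else 1."""
    fm.checkpoint("plain")
    return 0 if level > limit else 1


def high_trip_diverse(level_c: int, limit_c: int, fm: FlowMonitor) -> int:
    """Channel 2: the same function on complemented inputs with the comparison
    inverted (level > limit  <=>  ~level < ~limit); the result is returned encoded."""
    fm.checkpoint("diverse")
    return encode_diverse(0 if level_c < limit_c else 1)


def results_agree(plain: int, diverse_c: int) -> bool:
    return plain == decode_diverse(diverse_c)


def comparator_self_test() -> bool:
    """A known mismatch must be reported as mismatch and a known match as match."""
    return (not results_agree(1, encode_diverse(0))) and results_agree(1, encode_diverse(1))


def safety_cycle(level: int, limit: int,
                 corrupt_bit: Optional[int] = None,
                 skip_diverse: bool = False) -> Tuple[int, str]:
    """One cycle of the safety function; returns (output, diagnosis).
    corrupt_bit flips one bit of the diverse copy of `level` (a data fault);
    skip_diverse models a program-flow fault in which channel 2 is not run."""
    fm = FlowMonitor(expected=["plain", "diverse", "compare"])
    if not comparator_self_test():
        return SAFE_OUTPUT, "comparator self-test failed"
    level_c, limit_c = encode_diverse(level), encode_diverse(limit)
    if corrupt_bit is not None:
        level_c ^= 1 << corrupt_bit
    r1 = high_trip_plain(level, limit, fm)
    if skip_diverse:
        r2 = encode_diverse(r1)   # stale/forged value that would pass the comparison alone
    else:
        r2 = high_trip_diverse(level_c, limit_c, fm)
    fm.checkpoint("compare")
    if not fm.ok():
        return SAFE_OUTPUT, "program flow violation"
    if not results_agree(r1, r2):
        return SAFE_OUTPUT, "diverse results differ"
    return r1, "ok"


if __name__ == "__main__":
    print(safety_cycle(400, 500))                    # (1, 'ok')
    print(safety_cycle(600, 500))                    # (0, 'ok'), genuine trip
    print(safety_cycle(600, 500, corrupt_bit=9))     # (0, 'diverse results differ')
    print(safety_cycle(400, 500, skip_diverse=True)) # (0, 'program flow violation')
```

The third call is the interesting one: the bit flip makes channel 2 read the level as 88 instead of 600, so on its own it would have suppressed a required trip; the comparison against channel 1 catches the disagreement and forces the safe output. The last call shows why flow monitoring is a separate measure: a forged channel-2 result passes the comparison, and only the missing "diverse" checkpoint reveals that the block was never executed.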

2.2 Hardware/Firmware Components under Certification


The system components which are certified 'safety-related' are listed in the current revision of
the applicable Annexes to this report. This allows the components to be used to process safety
critical signals and functions.
All other components of the S7-400 and S7-300 family are 'interference-free' and allowed to be used; however, they are not certified for process safety critical signals and functions. Using these components does not interfere with the proper functioning of the safety-related modules.
For details on architectural, configuration and implementation requirements please refer to the manuals (see chapter 2.4).

2.3 Software Components under Certification


A list of the software components with the valid version numbers is shown in the current revision
of the applicable Annexes to this report.

2.3.1 Safety-related Software Components
The following software components have been certified 'safety-related' allowing the software
components to be used for processing safety critical signals and executing critical functions:
• Add-on option package S7 F Systems
• F-FBs
For the specific versions see the current revision of the Annexes to this report.

2.3.2 Interference-Free Software Components


Software components other than those mentioned in 2.3.1 are not the subject of this certification. Absence of impact of non-certified components on 'safety-related' components is enforced by the intrinsic safety features provided by the diverse logic implementation followed by the 1oo2 F-I/O modules.

2.3.3 Communication
Safety-related communication between F-CPUs and F-I/O is based on the Profibus protocol but implements an additional safety shell on top (PROFIsafe).
Safety-related communication between F-CPUs is based on a standard protocol like MPI, Profibus-DP/PA or Ethernet but implements an additional safety shell on top.

2.3.4 Programming environment


Safety application programming is performed by connection of function blocks using the Step7 CFC language. Only special certified function blocks shall be used for safety applications. Use of standard function blocks for safety applications is prevented by their own safety data types.
Edit, compile and load use the standard STEP7 programming environment of the S7-400 and S7-300 family. An add-on option package S7 F Systems provides the following properties required to improve the standard programming environment for safety programming:
• Library with safety-related function blocks (F-FBs)
• Integration of fault detection measures (self-tests, program and data flow monitoring, data redundancy) into the application program
• Additional access protection for the safety program in the F-CPU
• Add-on option package S7 F Systems checks

2.4 Safety manual
The conditions and rules for safe use of the SIMATIC S7 F/FH Systems are laid down within the
user documentation:
• Safety Engineering in SIMATIC S7
• S7 F/FH Systems, Configuring and Programming
• Industrial Software Safety Matrix
• Automation System S7-300, Fail-Safe Signal Modules
• ET 200S Distributed I/O System, Fail-Safe Modules
• ET 200eco Distributed I/O Station, Fail-Safe I/O Modules
• ET 200pro Distributed I/O Device, Fail-Safe Modules

3 Certification Requirements

3.1 Basis of Certification


The certification of SIMATIC S7 F/FH Systems will be according to the regulations and standards listed in clauses 3.3 to 3.6 of this document. This certifies the successful completion of the following test segments:
I. Functional Safety
   A. Fault investigations for the hardware components listed in the current revision of the Annexes to this report and of the system configurations as described in the manuals (see chapter 2.4).
   B. Software analysis for the software components listed in the current revision of the Annexes to this report
   C. Descriptive safety as given by the safety sections of the user documentation, indicated in section 2.4 of this report.
II. Basic Safety including electrical safety - EN 61131-2
III. Environmental Stress Testing
   A. Climatic and temperature stress
   B. Mechanical stress
IV. Electromagnetic compatibility
   A. Electromagnetic susceptibility
   B. Electromagnetic emission
V. Product-related Quality Management in manufacturing and product care
Certification is dependent on successful completion of all of the above test segments. The testing follows the basic certification scheme for safety-related programmable electronic systems of TÜV SÜD Automotive GmbH.

3.2 Certification Documentation
Documentation of this certification is based on the following reports:
• Testing documentation
  The Technical Report SN73321T summarizes the assessment activities related to functional safety. The certification report is a mandatory part of the certificate, whereas publication of the Technical Report is facultative.
• Manuals, see chapter 2.4

Based on the specified purpose of use of the SIMATIC S7 F/FH Systems in safety critical process protection applications, the certification is based on the following set of standards. The issuance of the certificate states compliance with these references unless specifically noted otherwise.

3.3 Functional Safety


The functional safety assessment of the safety-related system has been performed in accordance with the standards and guidelines listed below. Some of these standards have been updated during system development; therefore a few components are compliant to earlier editions of the standards. This component-specific information is given in the current revision of the Annexes.

IEC 61508-1:1998, IEC 61508-2:2000, IEC 61508-3:1998 (to the extent applicable): Functional safety; Safety-related systems, up to SIL 3
EN 50159-1:2001 (to the extent applicable): Railway Applications; Safety-Related Communication in Closed Transmission Systems (as applicable)
EN 50159-2:2001 (to the extent applicable): Railway Applications; Safety-Related Communication in Open Transmission Systems (as applicable)
IEC 61784-3:2007: Industrial communication networks - Profiles - Part 3: Functional safety fieldbuses
IEC 61784-3-3:2007: Industrial communication networks - Profiles - Part 3-3: Functional safety fieldbuses - Additional specifications for CPF 3
UL 1998:2008: Safety Software in Programmable Components

3.4 Basic Safety
To complete and to specify the technical requirements resulting from the Essential Requirements of the Directives listed above, the testing of Basic Safety is to cover the following standards:

EN 61131-2:2007: Programmable controllers - equipment requirements and tests
2006/95/EC: Directive 2006/95/EC of the European Parliament and of the Council of 12 December 2006 on the harmonisation of the laws of Member States relating to electrical equipment designed for use within certain voltage limits
UL 508:2008: Industrial Control Equipment

3.5 Electromagnetic Compatibility

To complete and to specify the technical requirements resulting from the Essential Requirements of the Directives listed above, the testing of Electromagnetic Compatibility is to cover the following standards:

EN 61131-2:2007 / IEC 61131-2:2007: Programmable controllers - equipment requirements and tests
EN 55011:2007: Limits and methods of measurement of radio disturbance characteristics of industrial, scientific and medical (ISM) radio-frequency equipment
EN 61000-6-2:2005: Electromagnetic compatibility (EMC) - Part 6-2: Generic standards - Immunity for industrial environments
EN 61000-6-4:2007: Electromagnetic compatibility (EMC) - Part 6-4: Generic standards - Emission standard for industrial environments

3.6 Application Standards


Because of the expected applications of the system the following additional standards and regulations should be considered:

Machinery Applications
EN 60204-1:2006 (to the extent applicable): Safety of machinery - Electrical equipment of machines
EN 954-1:1997, up to safety category 4: Safety of machinery; Safety-related parts of control systems, Part 1 "General principles for design"
ISO 13849-1:2006 / EN ISO 13849-1:2008 (to the extent applicable), up to PL e: Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design
98/37/EC: Directive 98/37/EC of the European Parliament and of the Council of 22 June 1998 on the approximation of the laws of the Member States relating to machinery
2006/42/EC: Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC
NFPA 79:2007: Electrical Standard for Industrial Machinery
IEC 62061:2005: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems

Process Industry
IEC 61511:2003, Parts 1-3: Functional safety - Safety instrumented systems for the process industry sector
   Part 1: Framework, definitions, system, hardware and software requirements
   Part 2: Guidelines for the application of IEC 61511-1
   Part 3: Guidance for the determination of the required safety integrity levels
VDI/VDE 2180:2007, Parts 1-5: Safeguarding of industrial process plants by means of process control engineering
   Part 1: Introduction, terms, concepts
   Part 2: Management system
   Part 3: Plant engineering, realisation and operation
   Part 4: Calculating methods of reliability characteristics of safety instrumented systems
   Part 5: Recommendations for practical use
ANSI/ISA-84.00.01-2004, Parts 1-3 (to the extent applicable): Application of safety instrumented systems for the Process Industry

Burner Systems
EN 230:2005, chapters 7.3, 8, 9 and 10: Automatic burner control systems for oil burners
EN 298:2003, chapters 7.3, 8, 9 and 10: Automatic gas burner control systems for gas burners and gas burning appliances with or without fans
EN 50156-1:2004 (to the extent applicable): Electrical equipment for furnaces and ancillary equipment - Part 1: Requirements for application design and installation
NFPA 85:2007, chapter 4.6.3: Boiler and Combustion Systems Hazards Code

Fire Detection and Fire Alarm Systems
EN 54-2:1997/A1:2006: Fire detection and fire alarm systems - Part 2: Control and indicating equipment
NFPA 72:2007 (to the extent applicable): National Fire Alarm Code

4 Results

4.1 Functional Safety


The tests performed and quality assurance measures implemented by the manufacturer have shown that the SIMATIC S7 F/FH Systems in conjunction with their system software comply with the testing criteria specified in clause 3 subject to the conditions defined in clause 5 and its subsections, and are suitable for safety-related use in applications in accordance with ISO 13849-1:2006, up to PL e, EN 954-1:1996 up to CAT 4, and in accordance with IEC 61508:2000, up to SIL 3, for intermittent or continuous operation, as well as for operation with or without continuous supervision, on condition that the "0 state" (closed-circuit principle) is defined as the safe state for the binary inputs and outputs.

4.1.1 Fault Reaction and Timing


Fault reactions of F-CPU:
1. Faults in the cyclic communication between the F-CPU and the F-I/O input modules are detected by the F-CPU. Either '0' or configured substitute values are handed to the application program. A specific fault reaction must be implemented by the application program developer.
2. Faults in the cyclic communication between the F-CPU and the F-I/O output modules are detected by the F-DO. If a fault occurs all outputs of the affected F-I/O are driven to '0'.
3. Faults in the cyclic communication between two F-CPUs are detected by the receiving F-CPU. If a fault occurs the application program is notified and configured substitute values are handed to the receiving application program. A specific fault reaction must be implemented by the application program developer.
4. Faults within the safety data types, within data or control flow of the application program lead to blocking of the cyclic transmissions to output modules and other F-CPUs or signaling of the fault to them. If a fault occurs all outputs of the affected output modules are driven to '0' and the affected receiving F-CPUs use the configured substitute values.
5. Faults detected by built-in self-test lead to blocking of the cyclic transmissions to output modules and other F-CPUs or signaling of the fault to them. If a transmission fault occurs all outputs of the affected output modules are driven to '0' and the affected receiving F-CPUs use the configured substitute values.
6. In the FH-system structure one of the CPUs is running as master whereas the other CPU is running as standby. Faults in the Master-CPU detected by self-tests or other fault control mechanisms inside the CPU lead to master changeover before the failure affects the F-DO. Faults in the Standby-CPU detected by self-tests or other fault control mechanisms inside the CPU lead to blocking of master changeover before the failure affects the F-DO.

Fault reactions of F-I/O:
Faults detected by built-in self-test or diagnostics are either safely communicated to the application program or, in case communication is affected, faults are detected as described in items 1 and 2 above. If the faulty module is an input module, the process data transmitted to the F-CPU is set to '0' for binary inputs and 7FFFH for analog inputs, for all inputs or for the faulty inputs. If the faulty module is an output module, all outputs or the faulty outputs are driven to '0'.

The fault tolerance period of the process controlled by the SIMATIC S7 F/FH Systems shall be greater than the worst case response time. Additional information is given in the manual 'Safety Engineering in SIMATIC S7'.
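The fault reactions of section 4.1.1 and the fault-tolerance-time condition above can be captured as a small executable model, which is useful when reviewing how an application program is expected to handle substitute values. The following is an added example, not code from the report or from Siemens: the telegram and configuration structures, the event strings and the handling of the "both CPUs faulty" case are constructed for this demonstration; only the '0' and 7FFFH values are taken from the report.

```python
# Added illustrative model (not Siemens code) of the fault reactions listed
# in 4.1.1 and of the fault-tolerance-time condition above. The telegram and
# configuration structures are constructed; the '0' and 7FFFH values come
# from the report.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANALOG_FAULT_VALUE = 0x7FFF   # delivered for a faulty analog input (report, 4.1.1)


@dataclass
class InputTelegram:
    """One cyclic telegram from a fail-safe input module as seen by the F-CPU."""
    binary: List[bool]
    analog: List[int]
    comm_ok: bool = True                                    # cyclic communication intact?
    module_fault: bool = False                              # whole module reported faulty
    faulty_binary: List[int] = field(default_factory=list)  # single binary channels flagged
    faulty_analog: List[int] = field(default_factory=list)  # single analog channels flagged


@dataclass
class CpuConfig:
    substitute_binary: Optional[List[bool]] = None   # None -> '0' is handed over
    substitute_analog: Optional[List[int]] = None


def process_inputs(tg: InputTelegram, cfg: CpuConfig) -> Tuple[List[bool], List[int], List[str]]:
    """Reaction 1 plus the F-I/O input reaction: returns (binary, analog, events)
    as handed to the application program, which must still react to the events."""
    events: List[str] = []
    if not tg.comm_ok:
        events.append("F-DI comm fault detected by F-CPU: substitute values handed to application")
        binary = cfg.substitute_binary if cfg.substitute_binary is not None else [False] * len(tg.binary)
        analog = cfg.substitute_analog if cfg.substitute_analog is not None else [0] * len(tg.analog)
        return list(binary), list(analog), events
    binary, analog = list(tg.binary), list(tg.analog)
    bad_bin = range(len(binary)) if tg.module_fault else tg.faulty_binary
    bad_ana = range(len(analog)) if tg.module_fault else tg.faulty_analog
    for ch in bad_bin:
        binary[ch] = False                 # faulty binary inputs read as '0'
        events.append(f"binary input {ch} faulty -> 0")
    for ch in bad_ana:
        analog[ch] = ANALOG_FAULT_VALUE    # faulty analog inputs read as 7FFFH
        events.append(f"analog input {ch} faulty -> 0x7FFF")
    return binary, analog, events


def drive_outputs(app_outputs: List[bool], comm_ok: bool, cpu_blocks_transmission: bool) -> List[bool]:
    """Reactions 2, 4 and 5: the F-DO drives every output to '0' when the cyclic
    communication fails or the F-CPU blocks transmission after an internal fault."""
    if not comm_ok or cpu_blocks_transmission:
        return [False] * len(app_outputs)
    return list(app_outputs)


def fh_master_selection(master_fault: bool, standby_fault: bool) -> str:
    """Reaction 6 for the FH structure. The both-faulty case is not spelled out in
    the report; the assumption here is that it ends in blocked transmission (reaction 5)."""
    if master_fault and standby_fault:
        return "no healthy CPU: transmission blocked, F-DO drives outputs to 0 (assumed)"
    if master_fault:
        return "master changeover: standby becomes master before the fault reaches the F-DO"
    if standby_fault:
        return "master changeover blocked: master keeps control"
    return "master in control, standby ready"


def response_time_acceptable(fault_tolerance_time_ms: float, worst_case_response_ms: float) -> bool:
    """The process fault tolerance time must be greater than the worst-case response time."""
    return fault_tolerance_time_ms > worst_case_response_ms


if __name__ == "__main__":
    tg = InputTelegram(binary=[True, True], analog=[1234, 2345], faulty_analog=[1])
    print(process_inputs(tg, CpuConfig()))
    print(drive_outputs([True, True], comm_ok=False, cpu_blocks_transmission=False))
    print(fh_master_selection(master_fault=True, standby_fault=False))
    print(response_time_acceptable(500.0, 120.0))
```

A practical point the model makes visible: on the input side the system never decides the safe reaction for the application, it only hands over '0', 7FFFH or the configured substitutes together with the fault indication, so the application program has to treat an analog reading of 7FFFH or an active substitute flag as a fault and not as a plausible process value.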

4.1.2 Application Development


The SIMATIC S7 F/FH Systems can treat and execute programmed safety and non-safety-
related functions independently from each other at the same time. An intended safety function of
the SIMATIC S7 F/FH Systems can be enforced either by application programmed functions or
by built in fault reaction functions. The application programmed safety function lies with the ap-
plication program developer.
During planning and engineering of applications the developers should regard the certification
requirements defined in the chapters 3.3 to 3.6 and the component specific information detailed
in the current revision of the Annexes.
Acceptance of programmed safety function requires complete functional testing. After that com-
plete functional testing is only necessary for changed parts of the programmed safety function.
Loading and changing of safety-related programs in the CPU need authorization by password.
Non safety-related programs can be changed at any time without impact on programmed and
built-in safety functions of the SIMATIC S7 F/FH Systems.

4.1.3 Online loading of safety applications


In general, responsibility for monitoring the process during and after the on-line modification lies entirely with the organization and person responsible for the on-line modification. Since on-line modifications are generally associated with an increased level of risk, the approval of on-line modifications is at the discretion of the testing and inspection center responsible for approval of the system's application.
The procedure for on-line modifications and existing restrictions are described in the manual 'S7 F/FH Systems, Configuring and Programming'.
Loading of safety program changes and changes of safety related constant parameters while
the process is running in observed mode requires at least:

- off-line verification and/or
- simulation and/or
- online testing on a hot standby CPU and/or
- similar IEC 61508 compliant verification activities within a well defined modification procedure

of the changes prior to downloading them into the CPU controlling the safety critical process.

4.1.4 Simulation of safety applications


Offline simulation of safety applications can be performed on a virtual CPU, emulated by an additional software package either on the programming station or the engineering station. If an on-line connection to a running safety system exists, the "safety mode" shall not be deactivated and the password protected access to the S7-F-CPU shall not be granted.

4.2 Basic Safety and Electromagnetic Compatibility

4.2.1 Basic Safety


The tests of the electrical safety and the environmental stress tests executed by the accredited laboratory of Siemens AG show that the standards specified in clause 3.4 are covered.
The tests performed and the quality assurance measures implemented by the manufacturer
have shown that the SIMATIC S7 F/FH Systems comply with the testing criteria specified in
clause 3 subject to the conditions defined in clause 5 and its subsections.

4.2.2 Electromagnetic Compatibility


The documentation of the electromagnetic compatibility tests executed by an accredited laboratory of Siemens AG has been reviewed for completeness. The testing executed has covered the requirements of the standards specified in clause 3.5.


4.3 Product Specific Quality Assurance and Control


All software and hardware components developed and manufactured in the course of the safety evaluation are governed by an ISO 9001 certified quality assurance and control system. Some older components have been developed under the manufacturer's internal quality procedures.

5 Implementation Conditions and Restrictions
The use of the SIMATIC S7 F/FH Systems shall comply with the current version of the Safety parts of the manuals (see chapter 2.4), and the following implementation and installation requirements shall be followed if the SIMATIC S7 F/FH Systems are used in safety-related installations.
The SIMATIC S7 F/FH Systems is a safety-related product, and the recommendations documented in the manuals, which are based on the experience and judgement of Siemens AG, shall therefore be carefully followed. The information, recommendations, specifications and safety instructions given in the accompanying manuals shall be read and understood.

5.1 General application conditions

5.1.1. The guidelines specified in the user's manuals shall be followed. Specifically, the safety notes in the user's manuals shall be followed.
5.1.2. Only hardware modules certified for safety-related operation, as listed in the Annexes of this report, shall be used for safety-critical signals. Non-certified standard modules (defined as "interference-free") may be used for non-safety-critical signals only.
5.1.3. Only software modules listed in the Annexes of this report shall be used to process safety-critical data.
5.1.4. The fault tolerance period of the process controlled by the system shall be greater than the worst-case reaction time of the system.
5.1.5. A well defined shutdown procedure shall be specified.
5.1.6. Non-safety-related blocks in the application program shall not control or affect data used by any safety-critical block, except through safety-related function blocks for data conversion and plausibility checks in the safety-related program.
5.1.7. Operator alarms as the exclusive means of shutdown are only permitted under supervised operation, and only if the fault tolerance time of the controlled process is sufficiently long to ensure a safe manual reaction and shutdown and the operator has sufficient independent means to supervise the process.
Installations that must react to shutdown conditions more quickly than is achievable with manual intervention, or installations running unsupervised, shall incorporate an automatic fault reaction procedure.
5.1.8. The operating conditions as specified in the user manuals shall be met.

5.2 General commissioning conditions

5.2.1. Prior to commissioning, a complete functional test of all safety-relevant functions shall be performed. The programming of the application shall ensure that modules are small and self-contained, sufficient to permit full functional testing.

5.2.2. All timing requirements shall be validated, including fault detection time, fault reaction time, throughput delay for shutdown logic and cycle time.
5.2.3. Any application software modification after commissioning shall result in a re-validation of the entire application software system. The re-commissioning effort can be reduced if the change can be shown, by use of a revision checker, to be limited to a specific area of the program.
5.2.4. The proper fail-safe configuration of all safety-critical F-I/O shall be verified. Only configurations covered by the user's manual are covered by the certification.

5.3 General run-time conditions

5.3.1. Failed modules that are safety-related and in redundant configurations should be replaced as quickly as practical, to minimize the probability of multiple fault accumulation and of a potential (safe) nuisance shutdown. At the latest, failed modules should be replaced within the multiple fault occurrence time.
5.3.2. Application program modification during run-time should only be permitted under end-user responsibility.
5.3.3. The procedure described in the user manual has to be followed.
5.3.4. The application program modifications shall be limited in scope and simple to verify and validate.
5.3.5. The modifications and their interaction with existing program sections shall be thoroughly tested, e.g. using simulation.
5.3.6. The modification shall be granted by the approval authority for the plant assessment.
5.3.7. Maintenance override is to be limited, both in time and in the number of logical points overridden. The TÜV guidelines for maintenance overrides are to be followed. TÜV certification does not cover output override.
5.3.8. The use of F-Function Blocks for SIMATIC S7 F/FH Systems is only permitted if, for the specific target system (F or FH system), an official F-Copy License with the order number 6ES7 833-1CC00-6YX0 is available.
The F-Copy License consists of:
- the F-Copy License contract
- the copy of the TÜV Certificate
- two labels to mark the CPU (or CPUs on an FH system) covered by the F-Copy License

5.4 Product-Related conditions

5.4.1. The Safety Protector allows the use of fail-safe modules in combination with standard modules. The purpose of the Safety Protector is to isolate the fail-safe modules from overvoltages of up to a maximum of 250 V AC/DC caused by non-safety-related standard modules. No field voltage higher than 250 V is allowed.

6 Certificate Number
This report specifies technical details and implementation conditions required for the application
of the Safety-Related Programmable Systems SIMATIC S7 F/FH Systems by Siemens AG to
the certificate:

Z10 09 07 67803 004

Munich, 2009-07-20

Technical Certifier

Annex 1 of the Report
to the
Certificate

Z10 09 07 67803 004

Safety-Related Programmable Systems

SIMATIC S7 F/FH Systems

Manufacturer:
Siemens AG
Industry Sector IA AS
Gleiwitzer Str. 555
D-90475 Nürnberg

Report No.: SN73321C-A1

Revision 3.4 dated 2010-04-30

Testing Body:
TÜV SÜD Automotive GmbH
Electronics Safety
Ridlerstraße 57
D-80339 München

Accredited Testing Body for Functional Safety

Distribution, copying or any other use of information in this report in part is strictly prohibited.
Revision Log

Version  Name        Date        Changes/History
1.1      P. Müller   18.12.2000  Initial
1.2      P. Müller   18.09.2001  Separator module has been added
                                 Version of Option Package S7 F Systems
                                 Version of F_R_R
                                 Version of F_R_BO
                                 Version of F_CH_AI
1.3      P. Müller   15.11.2001  Section 2.2, comment has been added
1.4      P. Müller   08.02.2002  Version of Option Package S7 F Systems
                                 Version of F_F_TRIG
                                 Version of F_R_TRIG
                                 Version of F-SM added
1.5      A. Beer     22.07.2002  Integration of a Revision Log
                                 Version of SM 326 DO 10xDC24V/2A
                                 Version of SM 326 DI 24xDC24V
1.6      A. Beer     02.12.2002  Firmware version of SM 326 DO 10xDC24V/2A
1.7      A. Beer     25.04.2003  4/8 F-DI DC24V, 4 F-DO DC24V/2A, PM-E F DC24V, PM-D F DC24V added
                                 Section 2.2 deleted
                                 Table of section 1
                                 New software versions added
1.8      A. Beer     13.10.2003  Certification number, Version of SM 326, DO 10 x DC24V/2A deleted
1.9      A. Beer     25.11.2003  Version of SM 326, DO 10 x DC24V/2A added
2.0      A. Beer     03.03.2004  Added new CPU FW version with EOC RAM option; added new
                                 Version of SM 326, DO 10 x DC24V/2A.
2.1      A. Beer     16.12.2004  Added new ET200S modules for use in S7 F/FH:
                                 6ES7 148-3FA00-0XB0
                                 6ES7 138-4CF01-0AB0
                                 6ES7 138-4CF40-0AB0
                                 Added new FB for V5.2, SP1 in section 2.1.3;
                                 Added signature changes for FB for V5.2, SP1 in section 2.1.4
2.2      A. Beer     28.02.2005  4/8 F-DI DC24V, 4 F-DO DC24V/2A, SM 326, DO 8 x DC24V/2A,
                                 CPU 417-4H and CPU 414-4H added
2.3      F. Rauch    30.06.2005  Added new F-FBs for V5.2 SP2 (Safety Data Write) in section 2.1.5
2.4      F. Rauch    30.11.2005  RESTRICTION: "Safety Data Write" handling of Boolean parameters
         J. Blum                 shall not be used with the OCX Faceplate of S7 F Systems HMI V5.2,
                                 which is part of the optional package S7 F Systems V5.2+SP2.
                                 F_CH_BO shall be used with the associated OCX of S7 F Systems HMI
                                 V5.2+SP3 or higher only.
                                 Modules added:
                                 SM 326, DI 24 x DC24V, 6ES7 326-1BK01-0AB0
                                 4/8 F-DI DC24V, 6ES7 138-4FA02-0AB0
                                 4 F-DO DC24V/2A, 6ES7 138-4FB02-0AB0
                                 PM-E F DC24V, 6ES7 138-4CF02-0AB0
                                 PM-E F DC24V, 6ES7 138-4CF41-0AB0
                                 PM-D F DC24V, 3RK1903-3BA01
                                 Release number of:
                                 SM 326, DI 24 x DC24V, 6ES7 326-1BK00-0AB0
                                 SM 326, DI 8 x NAMUR, 6ES7 326-1RF00-0AB0
                                 SM 326, DO 10 x DC24V/2A, 6ES7 326-2BF01-0AB0
                                 SM 336, AI 6 x 13 Bit, 6ES7 336-1HE00-0AB0
                                 PM-E F DC24V, 6ES7 138-4CF01-0AB0
                                 PM-E F DC24V, 6ES7 138-4CF40-0AB0
2.5      A. Beer     19.01.2006  Release number of
                                 SM 336, AI 6 x 13 Bit, 6ES7 336-1HE00-0AB0
                                 SM 326, DO 8 x DC24V/2A PM, 6ES7 326-2BF40-0AB0
                                 ET200eco 4/8 F-DI, 6ES7 148-3FA00-0XB0
2.6      F. Rauch    20.02.2006  Added new F-FBs for V5.2 SP4 in section 2.1.6
                                 Correction of signature of F-FBs
2.7      A. Beer     31.03.2006  Release number of
                                 ET200S F-module PM-E F pm, 6ES7 138-4CF02-0AB0
2.8      A. Beer     23.06.2006  Release number of
                                 SM 326 DO 10xDC24V/2A, 6ES7 326-2BF01-0AB0
2.9      A. Beer     11.08.2006  Module added:
                                 • ET200S 1F-RO DC24V/5A, AC24..230V/5A (6ES7 138-4FR00-0AA0)
2.10     M. Rau      09.01.2007  Module added:
                                 • ET200S 4/8 F-DI DC24V (6ES7 138-4FA03-0AB0)
                                 Release Number of
                                 • ET200S 4 F-DO DC24V/2A (6ES7 138-4FB02-0AB0)
                                 • ET200S PM-E F pp DC24V (6ES7 138-4CF41-0AB0)
                                 • ET200S PM-D F DC24V (3RK1903-3BA01)
2.11     P. Weiß     14.08.2007  Modules added:
                                 • ET200S 4F-DI/3F-DO DC24V (6ES7 138-4FC00-0AB0)
                                 • ET200pro-F 8/16 F-DI DC24V (6ES7 148-4FA00-0AB0)
                                 • ET200pro-F 4/8 F-DI DC24V / 4 F-DO DC24V/2A (6ES7 148-4FC00-0AB0)
                                 • ET200pro F-Switch (6ES7 148-4FS00-0AB0)
                                 New version V6.0 of Option Package S7 F Systems (S7 F Systems Lib V1_3) added
2.12     P. Weiß     28.09.2007  F-CPUs added:
                                 • CPU 417-4H (6ES7 417-4HT14-0AB0)
                                 • CPU 414-4H (6ES7 414-4HM14-0AB0)
                                 • CPU 412-3H (6ES7 412-3HJ14-0AB0)
2.13     M. Rau      04.04.2008  Version V5.5 SP4 of S7 ConfigurationPack added
                                 Module added:
                                 • SM336, F-AI 6 x 0/4..20 mA HART (6ES7 336-4GE00-0AB0)
2.14     M. Rau      26.06.2008  Version of ET200eco 4/8 F-DI 6ES7 148-3FA00-0XB0
                                 Remark 6) ET200M SM 326, DI 8 x NAMUR 6ES7 326-1RF00-0AB0
2.15     J. Blum     14.08.2008  Release Number of
                                 • SM 326 DO 10 x DC24V/2A (6ES7 326-2BF01-0AB0)
2.16     J. Blum     22.08.2008  Version V5.5 SP5 of S7 ConfigurationPack added
2.17     J. Blum     19.09.2008  Modules added:
                                 • ET200S 4/8 F-DI DC24V (6ES7 138-4FA04-0AB0)
                                 • ET200S 4 F-DO DC24V/2A (6ES7 138-4FB03-0AB0)
                                 • ET200S PM-E F pm DC24V (6ES7 138-4CF03-0AB0)
                                 • ET200S PM-E F pp DC24V (6ES7 138-4CF42-0AB0)
                                 Release Number of
                                 • ET200S 1F-RO DC24V/5A, AC24..230V/5A (6ES7 138-4FR00-0AA0)
2.18     J. Blum     13.11.2008  Modules added:
                                 • ET200S 4F-DI/3F-DO (6ES7 138-4FC01-0AB0)
                                 • ET200S PM-D F DC24V (3RK1903-3BA02)
                                 Release Number of
                                 • ET200pro 8/16 F-DI DC24V (6ES7 148-4FA00-0AB0)
                                 • ET200pro 4/8 F-DI/4 F-DO DC24V/2A (6ES7 148-4FC00-0AB0)
                                 • ET200pro F-Switch (6ES7 148-4FS00-0AB0)
                                 • SM 336 F-AI 6 x 0/4..20 mA HART (6ES7 336-4GE00-0AB0)
2.19     J. Blum     29.01.2009  Release number of
                                 • ET200S PM-E F pm DC24V (6ES7 138-4CF03-0AB0)
2.20     K. Leupold  19.03.2009  Release number of
                                 • SM 336 AI 6 x 13 Bit (6ES7 336-1HE00-0AB0)
3.0      F. Rauch    2009-07-20  The report and certification no. have changed due to the
                                 update of the referenced certificate and certification report.
                                 This Annex is based on Annex-1 10042360-A1 V2.20.
                                 Modules and footnotes aligned to the updated standards of
                                 the certification report.
                                 Version V6.1 of Option Package S7 F Systems (S7 F Systems Lib V1.3 SP1) added
                                 Version V5.5 SP6 of S7 ConfigurationPack added
                                 F-CPUs deleted:
                                 • 6ES7 417-4HL04-0AB0
                                 • 6ES7 414-4HJ04-0AB0
                                 Modules deleted:
                                 • 6ES7 326-1BK00-0AB0
                                 • 6ES7 326-2BF00-0AB0
                                 • 6ES7 138-4FA03-0AB0
                                 • 6ES7 138-4FA02-0AB0
                                 • 6ES7 138-4FA01-0AB0
                                 • 6ES7 138-4FA00-0AB0
                                 • 6ES7 138-4FB02-0AB0
                                 • 6ES7 138-4FB01-0AB0
                                 • 6ES7 138-4FB00-0AB0
                                 • 6ES7 138-4CF02-0AB0
                                 • 6ES7 138-4CF01-0AB0
                                 • 6ES7 138-4CF00-0AB0
                                 • 6ES7 138-4CF41-0AB0
                                 • 6ES7 138-4CF40-0AB0
                                 • 3RK1903-3BA00
                                 • 6ES7 138-4FC00-0AB0
3.1      J. Blum     2009-08-20  Modules added:
                                 • SM 326 DI 24 x DC24V (6ES7 326-1BK02-0AB0)
                                 • SM 326 DO 8 x DC24V/2A PM (6ES7 326-2BF41-0AB0)
3.2      M. Ramold   2009-11-06  Release Number of
                                 • ET200M: SM 326 DI 8 x NAMUR (6ES7 326-1RF00-0AB0)
                                 • ET200eco: 4/8 F-DI DC24V (6ES7 148-3FA00-0XB0)
                                 • ET200M: Safety protector (6ES7 195-7KF00-0XA0)
3.3      F. Rauch    2009-11-27  Version V5.5 SP6 HF1 of S7 ConfigurationPack added
3.4      J. Blum     2010-04-30  Release Number of
                                 • ET200S: 4F-DI/3F-DO (6ES7 138-4FC01-0AB0)
                                 • ET200S: PM-E F pp DC24V (6ES7 138-4CF42-0AB0)
                                 • ET200S: 1 F-RO DC24V/5A, AC24..230V/5A (6ES7 138-4FR00-0AA0)
                                 • ET200pro: 8/16 F-DI DC24V (6ES7 148-4FA00-0AB0)
                                 • ET200pro: 4/8 F-DI/4 F-DO DC24V/2A (6ES7 148-4FC00-0AB0)
                                 • ET200pro: F-Switch (6ES7 148-4FS00-0AB0)

TÜV SÜD Automotive GmbH Report No.: SN73321C-A1
Electronics Safety Revision 3.4
Ridlerstraße 57 F. Rauch, J. Blum
D-80339 München 2010-04-30
Phone: +49 (89) 5791-1393; Fax: -4438 Page 2 of 22

TÜV SÜD Automotive GmbH Report No.: SN73321C-A1


Electronics Safety Revision 3.4
Ridlerstraße 57 F. Rauch, J. Blum
0-80339 München 2010-04-30
Phone: -+49 (89) 5791-1393; Fax: -4438 Page 7 of 22
Safety-Certified and Interference-Free Components

1 Hardware and Firmware Components


The following system components are certified 'safety-related'. This allows the components to
be used to process safety critical signals and functions:

Module                       Order Number             Release Number /        Module Description
                                                      Firmware Version

CPUs:
CPU 417-4H 4)                6ES7 417-4HT14-0AB0      1 or higher /           CPU which is suitable for safety-related
                                                      V4.5.0 or higher        applications by using a fail-safe
CPU 414-4H 4)                6ES7 414-4HM14-0AB0      1 or higher /           application program.
                                                      V4.5.0 or higher
CPU 412-3H 4)                6ES7 412-3HJ14-0AB0      1 or higher /
                                                      V4.5.0 or higher

Signal Modules S7-300:
SM 326, DI 24 x DC24V        6ES7 326-1BK01-0AB0 8)   02                      24 channel digital input module 24VDC
SM 326, DI 24 x DC24V        6ES7 326-1BK02-0AB0 8)   01                      24 channel digital input module 24VDC
SM 326, DI 8 x NAMUR         6ES7 326-1RF00-0AB0      01 1)7) to 06 1)7), 07  8 channel NAMUR digital input module for
                                                                              intrinsically-safe sensors
SM 326, DO 10 x DC24V/2A     6ES7 326-2BF01-0AB0 1)   01 to 06                10 channel digital output module 24VDC/2A,
                                                                              P-switch
SM 326, DO 8 x DC24V/2A PM   6ES7 326-2BF40-0AB0 8)   02                      8 channel digital output module 24VDC/2A,
                                                                              P/M-switch
SM 326, DO 8 x DC24V/2A PM   6ES7 326-2BF41-0AB0 8)   01                      8 channel digital output module 24VDC/2A,
                                                                              P/M-switch
SM 336, AI 6 x 13 Bit        6ES7 336-1HE00-0AB0 1)   01 to 07                6 channel analog input module
SM 336, F-AI 6 x 0/4..20 mA  6ES7 336-4GE00-0AB0      01/V1.0.1               6 channel analog input module, HART
HART                                                  02/V1.0.1
Safety Protector             6ES7 195-7KF00-0XA0 1)   03 to 04                safety protector protects the fail-safe signal
                                                                              modules from possible overvoltage

Modules ET 200S:
4/8 F-DI DC24V               6ES7 138-4FA04-0AB0 1)   01                      4/8 channel digital input module 24VDC
4 F-DO DC24V/2A              6ES7 138-4FB03-0AB0 1)   01                      4 channel digital output module 24VDC/2A;
                                                                              P/M switch
4F-DI/3F-DO                  6ES7 138-4FC01-0AB0 6)   01 to 02                4 channel digital input / 3 channel digital
                                                                              output module 24VDC/2A
1F-RO DC24V/5A,              6ES7 138-4FR00-0AA0 8)   01 to 03                1 channel digital relay output module
AC24...230V/5A                                                                DC24V/5A, AC24..230V/5A
PM-E F pm DC24V              6ES7 138-4CF03-0AB0 1)   01 to 02                Power module 24VDC; P/M switch
PM-E F pp DC24V              6ES7 138-4CF42-0AB0 8)   01 to 02                Power module 24VDC; P/P switch
PM-D F DC24V                 3RK1903-3BA02 1)         01                      Power module 24VDC for failsafe motor
                                                                              starters
PM-D F DC24V                 3RK1903-3BA01 1)         01 to 02                Power module 24VDC for failsafe motor
                                                                              starters

Modules ET 200eco:
4/8 F-DI DC24V               6ES7 148-3FA00-0XB0 2)8) 01 to 05                4/8 channel digital input module 24VDC

Modules ET 200pro:
8/16 F-DI DC24V              6ES7 148-4FA00-0AB0 2)8) 01 to 05                8/16 channel digital input module 24VDC
4/8 F-DI/4 F-DO DC24V/2A     6ES7 148-4FC00-0AB0 2)8) 01 to 05                4/8 channel digital input 24VDC and 4
                                                                              channel digital output module 24VDC/2A
                                                                              P-/M-switch (combined)
F-Switch                     6ES7 148-4FS00-0AB0 2)8) 01 to 03                2 channel digital input 24VDC and 3 channel
                                                                              digital P-/P-switch module 24VDC (combined).
1) tested in accordance with EN 61131-2: 1995
2) EN 298: 2003 and EN 230: 2005 fulfilled with the exception of permissible environmental temperature -25 to +55 degree centigrade (instead of 0 to +60 degree centigrade)
4) the sinusoidal vibration service conditions do not comply with the increased requirements of IEC 61131-2 2nd and 3rd Ed. The requirements of IEC 61131-2: 1992 are fulfilled.
6) classified SIL 2 in accordance with IEC 61508 and CAT 3/PL d in accordance with EN 954-1/ISO 13849-1: 2006 and no certification in accordance with EN 298
7) The requirements of EN 298: 2003 and EN 230: 2005: fulfilled only with shielded signal cables
8) tested in accordance with EN 61131-2: 2003

Remark: For the I/O modules EN 298: 2003 and EN 230: 2005 is fulfilled with external surge protection; see related manuals.
All other components of the S7-400 and S7-300 family are 'interference-free' and allowed to be
used, however, they are not certified for process safety critical signals and functions. Using
these components does not interfere with the proper functioning of the safety-related modules.

For details on architectural, configuration and implementation requirements please refer to the
Siemens manuals of the SIMATIC S7 F/FH Systems documentation package.

2 Safety-Relevant Software Components

2.1 Option Package S7 F Systems


S7 F Systems V6.1 consists of the following certified installation units:

  S7 F Systems (Engineering Tool) V6.1
  S7 F Systems Lib V1.3 + SP1              S7 F Systems Lib (V1_3)
  S7 F Systems HMI V6.1
  S7 F ConfigurationPack V5.5 + SP6

S7 F Systems V6.1 is also certified in combination with:

  S7 F Library V1.2 + SPx                  Failsafe Blocks (V1_2)
  S7 F Library V1.1                        Failsafe Blocks (V1_1)
  S7 F ConfigurationPack V5.5 + SP6, V5.5 + SP6 + HF1, V5.5 + SP5, V5.5 + SP4

S7 F Systems V6.0 consists of the following certified installation units:

  S7 F Systems (Engineering Tool) V6.0
  S7 F Systems Lib V1.3                    S7 F Systems Lib (V1_3)
  S7 F Systems HMI V5.2 + SP3
  S7 F ConfigurationPack V5.5 + SP3, V5.4 + SP1

S7 F Systems V6.0 is also certified in combination with:

  S7 F Library V1.2 + SPx                  Failsafe Blocks (V1_2)
  S7 F Library V1.1                        Failsafe Blocks (V1_1)
  S7 F ConfigurationPack V5.5 + SP5, V5.5 + SP4

S7 F Systems V5.2 + SPx is certified in combination with:

  S7 F Library V1.2 + SPx                  Failsafe Blocks (V1_2)
  S7 F Library V1.1                        Failsafe Blocks (V1_1)
  S7 F ConfigurationPack V5.5 + SPx, V5.4 + SPx, V5.3 + SPx, V5.2 + SPx

2.1.1 S7 F Systems Lib (V1_3)

F-FB         Function           Signature    Initial Value Signature
DB_INIT      F-Control block    N/A          N/A
DB_RES       F-Control block    N/A          N/A
F_1oo2AI     F-User block       0130         OCE3
F_1oo2_R     F-User block       OA53         AA5A
F_2OUT3      F-User block       340E         079F
F_2oo3AI     F-User block       4580         CE7E
F_2oo3DI     F-User block       5323         04AO
F_2oo3_R     F-User block       AB9F         112C
F_ABS_R      F-User block       7E90         4885
F_ADD_R      F-User block       OFBF         B10F
F_AND4       F-User block       89BO         6837
F_AVEX_R     F-User block       E570         9470
F_BO_FBO     F-User block       27AB         870A
F_CHG_BO     F-User block 1)    0042         E5F2
F_CHG_R      F-User block       E4CO         50B5
F_CHG_WS     F-Control block    N/A          N/A
F_CH_AI      F-User block       0846         3A31
                                A293 2)      3A31 2)
F_CH_BI      F-User block       E888         5FA7
                                EOA2 2)      5FA7 2)
F_CH_BO      F-User block       A8C7         A5E4
F_CH_DI      F-User block       3119         EA57
F_CH_DII     F-User block       6709 3)      F35B 3)
F_CH_DIO     F-User block       OAB9 3)      CF40 3)
F_CH_DO      F-User block       F967         4F58
                                C5F2 2)      BCEE 2)
F_CH_II      F-User block       405E 3)      40AE 3)
F_CH_IO      F-User block       39E2 3)      0409 3)
F_CMP_R      F-User block       689A         602E
F_CTUD       F-User block       609B         188C
F_CYC_CO     F-Control block    701D         424E
F_DEADTM     F-User block       1448 3)      2566 3)
F_DIAG       F-Control block    40FC         DDF4
F_DIV_R      F-User block       43F6         COB8
F_FBO_BO     F-User block       N/A          N/A
F_FDI_FR     F-User block       6CFE 3)      OD64 3)
F_FI_FR      F-User block       672A         9FDE
F_FI_I       F-User block       N/A          N/A
F_FR_FDI     F-User block       D913 3)      OD64 3)
F_FR_FI      F-User block       2B3C         B269
F_FR_R       F-User block       N/A          N/A
F_FTI_TI     F-User block       N/A          N/A
F_F_TRIG     F-User block       75E7         8F11
F_INT_P      F-User block       09D7 3)      DCDF 3)
F_I_FI       F-User block       4871         87DA
F_LIM_HL     F-User block       A43A         1E14
F_LIM_I      F-User block       4845         4D9B
F_LIM_LL     F-User block       1451         1E14
F_LIM_R      F-User block       B3DO         3957
F_LIM_TI     F-User block       6E64         68DC
F_MAX3_R     F-User block       C14F         F93F
F_MID3_R     F-User block       EC2C         EA98
F_MIN3_R     F-User block       DOD7         E12A
F_MOV_R      F-User block       652F         C02B
F_MOVRWS     F-Control block    N/A          N/A
F_MUL_R      F-User block       AAOF         B1DF
F_MUX16R     F-User block       AF74         EEFE
F_MUX2_R     F-User block       BFE3         9CB1
F_NOT        F-User block       9CD8         DD06
F_OR4        F-User block       5DCA         6B42
F_PA_AI      F-User block       84D9         B5A7
                                D5C3 2)      B5A7 2)
F_PA_DI      F-User block       2FC7         E4F2
F_PLK        F-Control block    CD05         A65D
F_PLK_O      F-Control block    45F2         7B78
F_POLYG      F-User block       FBF5 3)      C81D 3)
F_PS_12      F-Control block    A56A         B87A
F_PS_MIX     F-Control block    A087         N/A
F_PSG_M      F-User block       N/A          N/A
F_PT1_P      F-User block       CAAE 3)      300B 3)
F_QUITES     F-User block       797A         B027
                                3630 2)      B027 2)
F_RCVBO      F-User block       004B         8360
F_RCVR       F-User block       3209         B103
F_RDS_BO     F-User block       4389         E009
F_REPCYC     F-User block       8F66         61F4
F_ROT        F-User block       7ECA         73FO
F_RS_FF      F-User block       6257         B560
F_R_BO       F-User block       CC9E         E882
F_R_FR       F-User block       4278         6BCE
F_R_R        F-User block       AC9C         237E
F_R_TRIG     F-User block       BFC8         8F11
F_SDS_BO     F-User block       C804         662A
F_SENDBO     F-User block       8063         5812
F_SENDR      F-User block       2FE2         678B
F_SHUTDN     F-Control block    N/A          N/A
F_SMP_AV     F-User block       5659         EEOA
F_SQRT       F-User block       E621         6BOF
                                3B59 2)      6BOF 2)
F_SR_FF      F-User block       9EBE         B560
F_START      F-User block       5791         2151
F_SUB_R      F-User block       E217         B10F
F_SWC_BO     F-User block       FEE7 3)      87B0 3)
F_SWC_P      F-User block       7AOO 3)      5A86 3)
F_SWC_R      F-User block       1939 3)      E2B9 3)
F_S_BO       F-User block       5905         1110
F_S_R        F-User block       7394         1FC2
F_TEST       F-Control block    EC5F         EB03
F_TESTC      F-Control block    680A         38BA
F_TESTM      F-Control block    8B5A         9A74
F_TI_FTI     F-User block       A060         6BCE
F_TOF        F-User block       E45B         22F6
F_TON        F-User block       380A         22F6
F_TP         F-User block       E671         22F6
F_VFSTP1     F-Control block    N/A          N/A
F_VFSTP2     F-Control block    N/A          N/A
F_XOR2       F-User block       6D4D         069A
F_XOUTY      F-User block       68AO         68BE
             (selection)
FORCE_OFF    F-Control block    N/A 3)       N/A 3)
RTGLOGIC     F-Control block    N/A          N/A
SWC_MOS      F-User block       N/A 3)       N/A 3)

1) RESTRICTION: "Safety Data Write" handling of Boolean parameters shall not be used with the OCX
Faceplate of S7 F Systems HMI V5.2, which is part of the optional package S7 F Systems
V5.2+SP2. F_CH_BO shall be used with the associated OCX of S7 F Systems HMI V5.2+SP3
or higher only.
2) signature of F-FB in S7 F Library V1.3 SP1 or higher
3) F-FB added in S7 F Library V1.3 SP1

2.1.2 Failsafe Blocks (V1_2)

F-FB           Function           Signature    Initial Value Signature
DB_INIT        F-Control block    N/A          N/A
DB_RES         F-Control block    N/A          N/A
F_1oo2_R       F-User block       6717 1)      2E06
                                  0100
F_2OUT3        F-User block       340E         079F
F_2oo3_R       F-User block       3043 1)      36CB
                                  FC09
F_ABS_R        F-User block       7E90         4885
F_ADD_R        F-User block       B495         B10F
F_AND4         F-User block       89BO         6837
F_AVEX_R       F-User block       BE40         1CB3
F_BO_FBO       F-User block       27AB         870A
F_CHG_BO 4)    F-User block 6)    0042         E5F2
F_CHG_R 4)     F-User block       E4CO         50B5
F_CHG_WS 4)    F-Control block    N/A          N/A
F_CH_AI        F-User block       8F67         0784
                                  741E 2)      804B 2)
F_CH_DI        F-User block       2346         F504
                                  A47F 2)      EC21 2)
F_CH_DO        F-User block       EOB9         07FO
                                  92C1 2)      OA68 2)
F_CTUD         F-User block       EF97         F701
F_CYC_CO       F-Control block    E895         6769
F_DIV_R        F-User block       07A8         COBS
F_FBO_BO       F-User block       N/A          N/A
F_FI_FR 3)     F-User block       672A         9FOE
F_FI_I         F-User block       N/A          N/A
F_FR_R         F-User block       N/A          N/A
F_FTI_TI       F-User block       N/A          N/A
F_F_TRIG       F-User block       75E7         8F11
F_I_FI         F-User block       4871         870A
F_LIM_HL       F-User block       5116         7656
F_LIM_I        F-User block       OBOC         F4F9
F_LIM_LL       F-User block       AF69         7656
F_LIM_R        F-User block       4017         B4BE
F_LIM_TI       F-User block       3ABB         7CAB
F_M_AI6        F-User block       AF64         ECOO
                                  1E41 2)      0818 2)
F_M_DI24       F-User block       EB16         1FE2
                                  F887 2)      2EAC 2)
F_M_DI8        F-User block       8FA4         9022
                                  5078 2)      940C 2)
F_M_DO10       F-User block       22E8         EB44
                                  6CA7 2)      4A6E 2)
F_M_DO8        F-User block       7337         3B1F
                                  86EF 2)      B024 2)
F_MAX3_R       F-User block       780B         5833
F_MID3_R       F-User block       0596         6ACF
F_MIN3_R       F-User block       551B         2950
F_MPA_I 5)     F-User block       F001         381B
F_MUL_R        F-User block       360C         B1DF
F_MUX2_R       F-User block       70EO         5B43
F_NOT          F-User block       9C08         0006
F_OR4          F-User block       50CA         6B42
F_PA_AI 5)     F-User block       9046         14F5
F_PA_DI 5)     F-User block       BC04         9564
F_PLK          F-Control block    A234         5FAO
F_PLK_O        F-Control block    0690         834C
F_PSG_M 3)     F-User block       N/A          N/A
F_QUITES       F-User block       B433         B027
F_RCVBO        F-User block       A2B9         OCF4
F_RCVR         F-User block       B854         14C1
F_RS_FF        F-User block       3A1A         069A
F_R_BO         F-User block       6CE1         B9A5
F_R_FR         F-User block       4278         6BCE
F_R_R          F-User block       64A1         543A
F_R_TRIG       F-User block       BFC8         8F11
F_SENDBO       F-User block       E223         F301
F_SENDR        F-User block       7B16         5B90
F_SHUTDN       F-Control block    N/A          N/A
F_SMP_AV       F-User block       9024         9COF
F_SQRT         F-User block       593F         COOB
F_SR_FF        F-User block       61BC         069A
F_START        F-User block       5791         2151
F_SUB_R        F-User block       5C35         B10F
F_S_BO         F-User block       F353         1110
F_S_R          F-User block       372C         1FC2
F_TEST         F-Control block    5B60         38AF
F_TESTC        F-Control block    5A93         08AA
F_TESTM        F-Control block    2983         BE02
F_TI_FTI       F-User block       A060         6BCE
F_TOF          F-User block       31A9         7CFC
F_TON          F-User block       F8E5         7CFC
F_TP           F-User block       6400         7CFC
F_XOR2         F-User block       6040         069A
F_XOUTY        F-User block       6A1C         C510
FAIL_MSG       F-Control block    N/A          N/A
RTG_LOGIC      F-Control block    N/A          N/A

1) displayed in S7 F Systems up to V5.2 SP3, if these F-FBs are the only F-FBs in a S7 program
2) signature of F-FB in S7 F Library V1.2 + SP1 or higher
3) F-FB added in S7 F Library V1.2 + SP1
4) F-FB added in S7 F Library V1.2 + SP2
5) F-FB added in S7 F Library V1.2 + SP4
6) RESTRICTION: "Safety Data Write" handling of Boolean parameters shall not be used with the OCX Faceplate of S7 F Systems HMI V5.2, which is part of the optional package S7 F Systems V5.2+SP2. F_CH_BO shall be used with the associated OCX of S7 F Systems HMI V5.2+SP3 or higher only.

Attention!
Contrary to the Siemens S7 user's manual "Programmable Controllers S7 F/FH
Systems" (Edition 2/2003) the F_FR_FI function block of S7 F Library V1.2 is NOT
certified for safety applications and shall NOT be used to process safety critical
data.

2.1.3 Failsafe Blocks (V1_1)

F-FB Function Signature Initial Value Signature


DB RES F-Control block N/A N/A
F 20UT3 F-User block 34DE D79F
F ABS R F-User block 7E9D 4885
F AOO R F-User block 643F 206C
F AN04 F-User block 89BO 6837
F AVEX R F-User block 9926 8CE8
F BO FBO F-User block 27AB 870A
2960 C540
F_CH_A() F-User block or or
AA4F C540
F CH 01 F-User block E41B F504
F CH 00 F-User block 6E6A 18CF
F CTUO F-User block 9928 F701
F CYC CO F-Control block 3263 CB50
F OIV R F-User block 9CF2 4A67
75E7 2000 obs )
H

F_F _TRIG ) F-User block or


8F11 HF1)
F FBO BO F-User block N/A N/A
F FI I F-User block N/A N/A
F FR R F-User block N/A N/A
F FTI TI F-User block N/A N/A
F I FI F-User block 4871 870A
F UM HL F-User block 435E CB3F
F UM I F-User block 5219 F4F9
F UM LL F-User block FB73 CB3F
F UM R F-User block C92F OA10
F UM TI F-User block 13AO 7CAB
F M AI6 F-User block 3CC4 75CF
F M 0124 F-User block 7DA1 0091
F M DI8 F-User block 4996 6400
F M 0010 F-User block A89E EE4E
F MAX3 R F-User block AEA9 9A67
F MI03 R F-User block 5422 6A94
F MIN3 R F-User block A524 31E1

TÜV SÜD Automotive GmbH Report No.: SN73321C-A1


Electronics Safety Revision 3.4
Ridlerstraße 57 F. Rauch, J. Blum
D-80339 München 2010-04-30
Phone: -+49 (89) 5791-1393; Fax: -4438 Page 19 of 22
F-FB          Function         Signature                Initial Value Signature
F_MUL_R       F-User block     B7AC                     206C
F_MUX2_R      F-User block     5911                     5B43
F_NOT         F-User block     9C08                     0006
F_OR4         F-User block     50CA                     6B42
F_PLK         F-Control block  E5B4                     02F9
F_PLK_O       F-Control block  53BE                     3E43
F_QUITES      F-User block     89EC                     B027
F_R_BO ")     F-User block     3E82 or 0775             B9A5 or B9A5
F_R_FR        F-User block     6E03                     6BCE
F_R_R ")      F-User block     6C69 or 6F8F             543A or 543A
F_R_TRIG ")   F-User block     3E5E obs) or 8F11 HF1)   2000
F_RCVBO       F-User block     6FFB                     OCF4
F_RCVR        F-User block     F6F3                     14C1
F_RS_FF       F-User block     5A81                     069A
F_S_BO        F-User block     CC75                     1110
F_S_R         F-User block     0897                     1FC2
F_SENDBO      F-User block     B204                     F301
F_SENDR       F-User block     3BA4                     5B90
F_SMP_AV      F-User block     FB42                     5B98
F_SQRT        F-User block     C412                     8950
F_SR_FF       F-User block     7F12                     069A
F_START       F-User block     5791                     2151
F_SUB_R       F-User block     46B5                     206C
F_TEST        F-Control block  0774                     A04B
F_TESTC       F-Control block  E7E8                     711C
F_TESTM       F-Control block  2983                     BE02
F_TI_FTI      F-User block     A060                     6BCE
F_TOF         F-User block     F899                     7CFC
F_TON         F-User block     0031                     7CFC
F_TP          F-User block     0608                     7CFC
F_XOR2        F-User block     6040                     069A
F_XOUTY       F-User block     5F86                     C510

F-FB          Function         Signature                Initial Value Signature
F_IN_D24 ')   F-User block     903C                     7A60
F_IN_D8 ')    F-User block     CCCF                     6AS1
F_OU_D10 ')   F-User block     E930                     9FEO
') These F-FBs are not included in Option Package S7 F Systems V5.1. They are delivered to customers of Option Package S7 F Systems V5.0 on request.
") The certified F-FB has two valid signatures.
obs) These F-FBs are included in Option Package S7 F Systems V5.1. They may cause a wrong overall signature and problems starting the CPU. Thus it is recommended to use the FBs delivered with V5.1+SP1+HF1.
HF1) These F-FBs are included in Option Package S7 F Systems V5.1+SP1+HF1. They are delivered to customers of Option Package S7 F Systems V5.1 on request.

The Option Package S7 F Systems V5.1 may be used together with F-FBs with version number 1.0 of Option Package S7 F Systems V5.0 listed in Revision 1.0 of this Annex. However, mixing version 1.0 and version 2.0 F-FBs in the same program is not possible.

3 Non-Safety Relevant Software Components

Function    Version
CFC 1)      V5.2 or higher
STEP 7 1)   V5.2 or higher

1) Further restrictions specific to modules or versions of the optional package S7 F Systems can be found in the corresponding user documentation.

Munich, 2010-04-30

Frank Rauch
Technical Certifier

