Siemens 277IWLAN-V200 User Manual

SIMATIC HMI
Fail-safe operation of the Mobile Panel 277F IWLAN
Function Manual
The following supplement is part of this documentation:
No.  Designation          Drawing number   Edition
1    Product Information  A5E01005059-01   09/2008
2    Product Information  A5E01004934-02   10/2008
Preface
1 Overview and definition of terms
2 Safety instructions, standards and notes
3 Application Planning
4 Configuration
5 System commissioning
6 Operation
7 Diagnostics
8 Maintenance
9 Technical data
A Application example: Safety Functions
Version 1.04 Order No. 6AV6691-1FQ01-2AB0
08/2008
A5E01003779-01
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.
CAUTION
without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.
NOTICE
indicates that an unintended result or situation can occur if the corresponding information is not taken into account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.
Qualified Personnel
The device/system may only be set up and used in conjunction with this documentation. Commissioning and operation of a device/system may only be performed by qualified personnel. Within the context of the safety notes in this documentation qualified persons are defined as persons who are authorized to commission, ground and label devices, systems and circuits in accordance with established safety practices and standards.
Prescribed Usage
Note the following:
WARNING
This device may only be used for the applications described in the catalog or the technical description and only in connection with devices or components from other manufacturers which have been approved or recommended by Siemens. Correct, reliable operation of the product requires proper transport, storage, positioning and assembly as well as careful operation and maintenance.
Trademarks
All names identified by ® are registered trademarks of the Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.
Siemens AG
Industry Sector Postfach 48 48 90026 NÜRNBERG GERMANY
Order-No.: 6AV6691-1FQ01-2AB0 Ⓟ 08/2008
Copyright © Siemens AG 2008. Technical data subject to change
Preface
Purpose of the function manual
This function manual provides all information required for operation of the Mobile Panel 277F IWLAN in fail-safe systems.
Readership of this function manual:
● Plant designers
● Project engineers
● Commissioning engineers
● Users
● Service technicians
● Maintenance technicians
Please pay particular attention to the "Safety instructions, standards and notes" chapter.
Basic knowledge required
General knowledge in the field of automation technology, safety technology, and process communication is a prerequisite for comprehension of this function manual.
It is also assumed that those using the manual have experience in using personal computers and knowledge of Microsoft operating systems.
Valid scope of the function manual
The function manual covers the Mobile Panel 277F IWLAN HMI device in combination with the software packages STEP 7 V5.4 SP2 or higher, S7 Distributed Safety V5.4 SP3 and WinCC flexible 2007 with HSP Mobile Panel 277 Wireless.
Position in the information landscape
This function manual is part of the SIMATIC HMI documentation. The section below provides an overview of the documentation which is relevant to applications with Mobile Panel 277F IWLAN.
Additional documentation for Mobile Panel 277F IWLAN
● Operating instructions for Mobile Panel 277F IWLAN
● Mobile Panel IWLAN Getting Started
Fail-safe operation of the Mobile Panel 277F IWLAN Function Manual, 08/2008, 6AV6691-1FQ01-2AB0
Documentation for fail-safe systems
● System description "Safety technology in SIMATIC S7"
  – Provides general information on the use, structure, and mode of operation of the fail-safe automation systems S7 Distributed Safety and S7 F/FH Systems
  – Contains detailed technical information which can be represented for the fail-safe technology both in S7-300 and S7-400.
  – Contains information about the calculation of monitoring and reaction times of the fail-safe systems S7 Distributed Safety and of S7 F/FH Systems.
● "S7 Distributed Safety, Configuring and Programming" Manual / Online Help
  Describes the configuration of the F-CPU and of the fail-safe I/O and the programming of the F-CPU in F-FBD or F-LAD
● "Automation System S7-400, CPU Data" Reference Manual
  Describes the standard functions of CPU 416F-3 PN/DP, CPU 414-3 PN/DP and CPU 416-3 PN/DP
● "Automation System S7-300, CPU Data" Reference Manual
  Describes the standard functions of CPU 315F-2 PN/DP, CPU 317F-2 PN/DP, CPU 315-2 PN/DP and CPU 317-2 PN/DP
User manuals
● WinCC flexible Compact/ Standard/ Advanced
  Describes basic principles of configuration using the WinCC flexible Compact Engineering System/WinCC flexible Standard/WinCC flexible Advanced.
● WinCC flexible Runtime
  Describes how to commission and operate your runtime project on a PC.
● Communication
  – Communication Part 1 describes the connection of the HMI device to SIMATIC PLCs.
  – Communication Part 2 describes the connection of the HMI device to third-party PLCs.
Getting started
● WinCC flexible for first time users
  Based on an example project, this is a step-by-step introduction to the basics of configuring screens, alarms, recipes and screen navigation.
● WinCC flexible for power users
  Based on an example project, this is a step-by-step introduction to the basics of configuring logs, project reports, scripts, user management, multilingual projects and integration in STEP 7.
● WinCC flexible options
  Based on an example project, this is a step-by-step introduction to the basics of configuring the WinCC flexible Sm@rtServices, Sm@rtAccess and OPC server options.
Online availability
The link below guides you to the multilingual technical documentation offered for the SIMATIC products and systems.
"http://www.automation.siemens.com/simatic/portal/html_76/techdoku.htm"
Screens
The HMI device is sometimes represented in the form of photographs in this function manual. The photographs of the HMI device may differ slightly from the factory state of the HMI device.
Conventions
Configuration and runtime software differ with regard to their names as follows:
● "WinCC flexible 2007" for example, refers to the configuration software.
The term "WinCC flexible" is used in a general context. The full name, for example "WinCC flexible 2007", is always used when it is necessary to differentiate between different versions of the configuration software.
● "WinCC flexible Runtime" refers to the runtime software that can run on HMI devices.
The following text notation facilitates the reading of this function manual:
Notation         Scope
"Add screen"     ● Terminology that appears in the user interface, for example dialog names, tabs, buttons, menu commands
                 ● Inputs required, for example limit values, tag values
                 ● Path information
"File > Edit"    Operational sequences, for example menu commands, shortcut menu commands.
<F1>, <Alt+P>    Keyboard operation
Please observe notes labeled as follows:
Note
Notes contain important information concerning the product, its use or a specific section of the documentation to which you should pay particular attention.
Trademarks
Names labeled with a ® symbol are registered trademarks of the Siemens AG. Other names used in this documentation may be trademarks, the use of which by third parties for their own purposes could violate the rights of the owner.
● HMI®
● SIMATIC®
● SIMATIC HMI®
● SIMATIC ProTool®
● SIMATIC WinCC®
Representatives and offices
If you have any further questions relating to the products described in this manual, please contact your local representative at the Siemens branch nearest you.
Your Siemens representative can be found at "http://www.automation.siemens.com/partner".
Training center
Siemens AG offers a variety of training courses to familiarize you with automation systems. Please contact your regional training center, or our central training center in 90327 Nuremberg, Germany, for details.
Internet: "http://www.sitrain.com"
Technical support
You can contact Technical Support as follows:
Using the support request form on the web at: "http://www.siemens.com/automation/support-request"
Further information about our technical support is available on the Internet at "http://www.siemens.com/automation/service".
Service & Support on the Internet
Service & Support provides additional comprehensive information on SIMATIC products through online services at "http://www.siemens.com/automation/support":
● The newsletter offers you the latest information about your products
● A large document base is available using our Service & Support search engine
● A forum for global exchange of information by users and experts
● Current product information, FAQs and downloads
● Your local Automation & Drives representative
● Information about on-site services, repairs, spare parts, and more
Table of contents
Preface
1 Overview and definition of terms
1.1 Using the Mobile Panel 277F IWLAN
1.2 Areas in the plant
1.3 Switch-off behavior
1.4 Integration and segregation
1.5 Log on and log off at the effective range
1.6 Safety-oriented operator controls
1.6.1 Emergency stop button
1.6.2 Enabling button
1.7 "Override" mode
2 Safety instructions, standards and notes
2.1 Safety instructions
2.2 Guidelines, standards, certificates and approvals
2.3 Operating safety
2.4 Power supply
2.5 Notes about usage
2.6 Risk analysis
2.7 Safety functions of the emergency stop button
2.8 Safety functions of the enabling button
3 Application Planning
3.1 Check list: Planning the application
3.2 Application and ambient conditions
3.3 Check list: Planning the system
3.4 Planning effective ranges
3.5 For the "Override" mode: Planning the protective devices
3.6 Check list: Data security
4 Configuration
4.1 Check list: Configuration
4.2 Procedure for configuration
4.3 STEP 7: HW Config
4.3.1 Integrating the GSD file in STEP 7
4.3.2 Assigning parameters for communication between the HMI device and the controller
4.4 S7 Distributed Safety
4.4.1 Checklist: Creation of the safety program
4.4.2 Using F-FBs
4.4.3 FB161: Mobile Panel Status (F_FB_MP)
4.4.4 FB162: Effective range for 4 Mobile Panel (F_FB_RNG_4) / FB 163 Effective range for 16 Mobile Panel (F_FB_RNG_16)
4.5 WinCC flexible
4.5.1 Configuration overview
4.5.2 Effective ranges editor
4.5.3 Objects for the Mobile Panel 277F IWLAN
5 System commissioning
5.1 Acceptance of the system
5.2 Accepting effective ranges and transponders
6 Operation
6.1 Organizational measures
6.2 Typical applications
6.2.1 Overview
6.2.2 Switch on the HMI device
6.2.3 Integrating and segregating the HMI device
6.2.3.1 Integrating the HMI device (start project)
6.2.3.2 Communication error for the integrated HMI device
6.2.3.3 Discrepancy error during enabling
6.2.3.4 Segregate
6.2.4 Log on and log off at the effective range
6.2.4.1 Detecting the effective range
6.2.4.2 Log on at the effective range
6.2.4.3 Log off at the effective range
6.2.5 Behavior in the effective range
6.2.5.1 Exiting the effective range without log off
6.2.6 "Override" mode
6.2.6.1 Activating "override" mode
6.2.6.2 Terminating "override" mode
6.2.7 Special operating conditions
6.2.7.1 Internal error
6.2.7.2 Communication error with the HMI device logged on in the effective range
7 Diagnostics
7.1 Alarm messages
7.2 Diagnostics
8 Maintenance
8.1 Function tests
8.2 Maintenance cycles
8.3 Cleaning, repairs and spare parts
9 Technical data
9.1 Technical data for fail-safe operation
9.2 HMI device
9.3 Charging station
A Application example: Safety Functions
A.1 Configuration and operation
A.2 Components and settings used
A.3 Safety program S7 Distributed Safety
Index
Overview and definition of terms
1.1 Using the Mobile Panel 277F IWLAN
Use
The Mobile Panel 277F IWLAN offers the possibility of having the mobile safety functions of emergency stop and enable available at any point of a machine or plant. An effective range limit has been implemented for the Mobile Panel 277F IWLAN. Depending on his location, the operator obtains a safe, electronically monitored operator control enable.
The HMI device communicates with an access point via WLAN. Thus the operator can operate the various machines or process cells without bothersome cables. The HMI device is connected via the access point to a PROFINET network in which it communicates with an F-CPU via the PROFIsafe protocol.
Sample installation - F-system with Mobile Panel 277F IWLAN
[Figure: sample installation. Labels: SIMATIC F-CPU as PROFINET IO controller; PROFINET; SCALANCE; fail-safe I/O as PROFINET IO device; access point; Mobile Panel 277F IWLAN]
In the depicted configuration, each PROFINET IO device communicates with a single PROFINET IO controller. In this example the Mobile Panel 277F IWLAN communicates exclusively with the F-CPU as F-PROFINET IO controller.
Basic terms
In the following chapters several basic terms are explained that you must learn before you use the HMI device.
1.2 Areas in the plant
WLAN area
The WLAN area is the area in the plant where the HMI device communicates with other communication nodes over a wireless local area network.
[Figure: WLAN area with PROFIsafe communication]
① Access point is the network transition from WLAN to LAN
② WLAN area in which communication with the access point is possible
③ Mobile panel in the WLAN area; the emergency stop button is active, the enabling buttons are without function.
When the PROFIsafe communication between the controller and operator panel is established in the WLAN area, the emergency stop button on the HMI device becomes active.
Safe operation of the plant with the enabling buttons only becomes possible when the HMI device is logged on in an effective range within the WLAN area.
Effective range
An effective range is the range in which sections of the plant, e.g. a machine, can be operated with the enabling buttons of the HMI device. An effective range is formed physically with transponders that are mounted in the vicinity of the machine. Each transponder has a unique ID. The transponder emits this ID in a lobe-shaped area. The ID is received by the HMI device, which enables the HMI device to determine its distance from the transponder. Additional information about the transponders is provided in the chapter Planning effective ranges (Page 46) and in the operating instructions for the HMI device.
[Figure: effective ranges with PROFIsafe communication]
① Effective range 1, formed by a transponder
② Effective range 2, formed by two transponders
③ The mobile panel is located in effective range 3. The emergency stop button is active. The enabling buttons are active after logon in the effective range.
When the HMI device detects that it is within an effective range the operator can log the HMI device on at the effective range. Safe operation of the plant unit delimited by the effective range is only possible after successful connection.
Effective ranges should not overlap.
All effective ranges available in the plant are stored in the project. The effective ranges are verified in the acceptance procedure for the plant.
Note
In addition to the effective ranges you can define zones in your project. The zones are not relevant for fail-safe operation. They are used merely to control the project depending on the location of the operator. For example a picture change can be configured for zone entry or zone exit.
Zones and effective range are independent of each other. Additional information on zones is provided in the Operating instructions for the HMI device.
Distance measurement between HMI device and transponder
The transmitting range of the transponder and the receiving range of the HMI device have the approximate shape of a lobe with a range of approximately 8 m.
The detailed representation of the radiation characteristics of HMI device and transponder is provided in the appendix of the Operating instructions.
A distance measurement between HMI device and transponder is only possible if both devices are in range of each other. The following table shows when a distance measurement is successful.
In the figures the HMI device and transponder are represented as follows:
● The HMI device as circle
● The transponder as square
HMI device in the transmitting    Transponder in the receiving    Result
range of the transponder          range of the HMI device
Yes                               Yes                             Successful distance measurement
Yes                               No                              Distance measurement not possible
No                                Yes                             Distance measurement not possible
The distance measurement is executed in the following manner:
● The HMI device emits signals in the current project.
● The transponder reacts to the signal from the HMI device and transmits its ID to the HMI device.
● The HMI device evaluates the ID and only measures the distance to the configured transponders.
See also
Integration and segregation (Page 18)
Planning effective ranges (Page 46)
1.3 Switch-off behavior
Introduction
Different switch-off behavior is possible depending on the situation in the plant:
● Emergency stop
● Shutdown
● Local rampdown
● Global rampdown
Plant switch-off differs in its triggers and effects.
DANGER
No switch off triggering
In the plant the described switch-off behavior is only triggered if the F-CPU has been programmed accordingly.
Emergency stop
The operator triggers the emergency stop by pressing the emergency stop button.
Emergency stop is a procedure in response to an emergency that is intended to stop a process or movement that could result in danger (from EN 60204-1 Appendix D).
The emergency stop immediately stops all machines that are assigned to the F-CPU via the safety program. The emergency stop depends on the effective ranges.
The emergency stop button is always active if there is PROFIsafe communication between HMI device and F-CPU, i.e. if the HMI device is integrated in the PROFIsafe communication.
Shutdown
Shutdown is triggered if the F-CPU detects a communication error on an HMI device which is logged on in the effective range.
Shutdown is the immediate stopping of the machines which belong to the effective range. The shutdown is always specific to the effective range.
Local rampdown
Local rampdown is triggered if the HMI device is logged on at the effective range and if it is removed from the effective range for longer than 30 seconds.
Local rampdown is the defined shutdown of the machines belonging to the effective range within a defined time period.
Local rampdown is always specific to the effective range.
Global rampdown
Global rampdown is triggered if the F-CPU detects a communication error on an HMI device which is integrated in the PROFIsafe communication.
Global rampdown is the defined shutdown of the machines assigned in the safety program within a defined time period.
Global rampdown is independent of the effective ranges.
In the safety program of the F-CPU, ensure that global rampdown is available in the event that a communication error occurs on an HMI device which is integrated in the PROFIsafe communication.
Trigger
The switch off can have the following triggers:
● The operator presses the emergency stop button.
● A communication error occurs.
● Timeout: The HMI device is logged on at the effective range and the operator leaves the effective range with his HMI device for longer than 30 seconds.
Triggering the switch off
The following table shows the effect of the different triggers depending on the operating situation:
| Operating situation | Trigger: Emergency stop pressed | Trigger: Communication error | Trigger: Timeout |
|---|---|---|---|
| HMI not integrated | --- | --- | --- |
| HMI integrated, HMI device is logged off from the effective range | Emergency stop | Global rampdown | --- |
| HMI integrated, HMI device logged on at the effective range, HMI device is in the effective range | Emergency stop | Shutdown | --- |
| HMI integrated, HMI device logged on at the effective range, HMI device is outside of the effective range for less than 30 seconds | Emergency stop | Shutdown | --- |
| HMI integrated, HMI device logged on at the effective range, HMI device is outside of the effective range for longer than 30 seconds | Emergency stop | Shutdown | Local rampdown |
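The trigger table above, replayed over a timeline as an added example (a Python model written for this page, not Siemens F-FB code). The event names, the `Panel` class and the constructed timeline are assumptions; a real F-CPU evaluates these conditions cyclically, which the "tick" event stands in for.

```python
from dataclasses import dataclass
from typing import Optional

TIMEOUT_S = 30.0  # "longer than 30 seconds" outside the effective range


@dataclass
class Panel:
    integrated: bool = False          # integrated in the PROFIsafe communication
    logged_on: bool = False           # logged on at the effective range
    left_at: Optional[float] = None   # time the range was left, None while inside
    ramped_down: bool = False         # local rampdown already reported


def react(p, t, event):
    """Apply one event at time t (seconds) and return the switch-off reaction."""
    # The timeout is evaluated against the state before the event is applied,
    # so a late "enter" or "logoff" cannot hide an expired 30 s window.
    timed_out = (p.integrated and p.logged_on and p.left_at is not None
                 and t - p.left_at > TIMEOUT_S and not p.ramped_down)

    if event == "integrate":
        p.integrated = True
    elif event == "logon":
        p.logged_on, p.left_at, p.ramped_down = True, None, False
    elif event == "logoff":
        p.logged_on, p.left_at = False, None
    elif event == "leave" and p.logged_on:
        p.left_at = t
    elif event == "enter":
        p.left_at = None

    if not p.integrated:
        return None                   # first table row: no trigger has any effect
    if event == "estop":
        return "emergency stop"       # effective in every integrated situation
    if event == "comm_error":
        # Shutdown is specific to the effective range the device is logged on at;
        # without a logon only the global rampdown remains.
        return "shutdown" if p.logged_on else "global rampdown"
    if timed_out:
        p.ramped_down = True
        return "local rampdown"
    return None


def replay(events):
    """Run (time, event) pairs through one panel and collect the reactions."""
    p = Panel()
    out = []
    for t, event in events:
        reaction = react(p, t, event)
        if reaction is not None:
            out.append((t, reaction))
    return out


# Constructed timeline (seconds, event) covering every row of the table.
TIMELINE = [
    (0, "estop"),        # not integrated: no effect
    (1, "integrate"),
    (2, "comm_error"),   # integrated, logged off
    (3, "logon"),
    (4, "estop"),
    (10, "leave"),
    (35, "tick"),        # 25 s outside the range
    (36, "comm_error"),  # logged on
    (41, "tick"),        # 31 s outside the range
    (50, "tick"),        # rampdown already reported
]

if __name__ == "__main__":
    for t, reaction in replay(TIMELINE):
        print(f"t={t:>3}s  {reaction}")
```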
1.4 Integration and segregation
Introduction
In fail-safe operation a safety program runs in the F-CPU. This safety program communicates with the HMI device. The F-CPU monitors this communication for errors and analyzes the signals. The terms "integrate" and "segregate" refer to the integration and segregation of the HMI device in/from the safety program of the F-CPU.
Integrate
If the HMI device is configured for the safety program, it is automatically integrated in the safety program when the HMI device starts. The integration process is concluded as soon as the LED "SAFE" is illuminated.
The emergency stop button is active as soon as the HMI device is integrated.
Segregation
Segregation means the desired segregation of the HMI device from the safety program.
The operator has the following alternatives for segregating the HMI device:
● The operator terminates the project.
● The operator presses the ON/OFF button for longer than 4 seconds. After the segregation process the HMI device switches off.
When the operator segregates the HMI device there are no side effects, e.g. a global rampdown. When the segregation process is terminated the LED "SAFE" and the emergency stop button are no longer active.
See also
Safety functions of the emergency stop button (Page 37)
1.5 Log on and log off at the effective range
Introduction
An effective range is the range within which plant units, e.g. a machine, can be operated with the enabling buttons of the HMI device. The prerequisite for this is that the operator must log the HMI device on at the effective range.
Logging on at the effective range
If the operator enters an effective range with the HMI device the system shows that he can log the HMI device on at the effective range via the "Effective range name" object.
To log on he touches the "Effective range name" object. Then he reads the effective range ID in the plant and enters this ID in the "Effective range logon" dialog box.
If the entered effective range ID agrees with the configured ID then the HMI device is logged on.
When the HMI device is logged on the enabling buttons are active. The system alerts the operator that the HMI device is logged on at the effective range in the following manner:
● The LED "RNG" is illuminated.
● The "Effective range name" object is displayed in green.
● In the process cell the indicator for the effective range is active, e.g. a lamp.
When the HMI device is logged on at the effective range the following rules apply:
● The operator should not leave the effective range without logging off. Local rampdown occurs if the operator leaves the effective range for longer than 30 seconds without logging off.
● No other HMI device can log on at this effective range.
Log off at the effective range
Before the operator exits the effective range at which the HMI device is logged on, he must log off from the effective range. To log off he touches the "Effective range name" object and edits the dialog box "Effective range logoff".
When the HMI device is logged off the enabling buttons are no longer active. The LED "RNG" is not illuminated.
See also
Log on and log off at the effective range (Page 91)
1.6 Safety-oriented operator controls
Introduction
The Mobile Panel 277F IWLAN has the following elements for safe operation of a process cell:
● Emergency stop button
● Enabling button
1.6.1 Emergency stop button
Introduction
The emergency stop button has a 2-channel design and enables an emergency stop of the configured system.
The emergency stop button satisfies the requirements specified in DIN IEC 60947-5-5:1997 Annex K.
For additional safety instructions please refer to the chapter, Safety instructions, standards and notes.
When using the emergency stop button the following F-FBs must be linked in the safety program of the F-CPU:
● F_FB_MP
● F_FB_RNG_n
[Figure: ① Fall protection ② Emergency stop button]
Due to its position, the emergency stop button is equally accessible for both left-handed and right-handed individuals.
Due to its profiled design, the emergency stop button is easily accessible. A collared enclosure is used to protect the operator controls against damage. This applies in particular to the emergency stop button. The emergency stop button may still trigger if the HMI device falls and hits the floor.
Operation
The operator triggers the emergency stop by pressing the emergency stop button. The emergency stop button engages in the emergency stop position.
Releasing the emergency stop button
WARNING
If you have activated the emergency stop button and thereby brought the configured system to a standstill, the emergency stop button should only be released under the following conditions:
● The reasons for the emergency stop have been eliminated.
● A safe restart is possible.
The restart should not be executed by releasing the emergency stop button.
The operator must strictly ensure that he executes a separate operator action to commence the restart. The safety program must ensure that release of the emergency stop button alone does not trigger an automatic restart of the system.
In order to release the emergency stop button, turn it in a clockwise direction. The emergency stop button then returns on its own to the initial position.
See also
Safety functions of the emergency stop button (Page 37)
S7 Distributed Safety (Page 58)
1.6.2 Enabling button
Introduction
The enabling device consists of the two enabling buttons mounted on both sides of the Mobile Panel 277F IWLAN. The switch setting of the two enabling buttons is determined by electrical momentary contact switches.
Operation
Note The HMI device analyzes the switch settings of the two enabling buttons in the form of an OR gate.
Enabling button
WARNING
Unintentional enabling
Press the enabling button only until the operation you wish to enable is completed.
Enabling is a conscious operator action. It is not permissible to continuously press the enabling button or to fix it in any way.
The following happens if you leave the effective range for a period of up to 30 seconds with the enabling button pressed: Enabling is revoked 5 seconds after leaving the effective range. If you reenter the effective range within 30 seconds, you must release the enabling button and press it again for enabling to take effect again.
The enabling button has three switch settings:
● Neutral position: The enabling button is not pressed.
● Enable: The enabling button is pressed to a mid position. This switch setting is used to allow another command, for example an input with the membrane keyboard.
● Panic: The "Panic" switch setting is reached as soon as one of the two enabling buttons is fully pressed. The switch setting of the other enabling button is unimportant in this case. The "Panic" switch setting has the same effect as releasing the enabling button, namely, it revokes the enable.
You only have to activate one enabling button. The PLC gets the same signal regardless of whether one or two enabling buttons of the Mobile Panel 277F IWLAN have been pressed.
Switch settings
Note The enabling button and the membrane keyboard can be operated at the same time.
When using the enabling button the following F-FBs must be linked in the safety program of the F-CPU:
● F_FB_MP
● F_FB_RNG_n
The following figure shows the switching sequence for enable.
1HXWUDOSRVLWLRQ
6ZLWFKVHWWLQJ
(%OHIW(%ULJKW
(%OHIW(%ULJKW
[ \
  
[
(QDEOH
\
1HXWUDOSRVLWLRQ
(%(QDEOLQJEXWWRQ
The following figure shows the switching sequence during panic usage.
1HXWUDOSRVLWLRQ
6ZLWFKVHWWLQJ
(%OHIW(%ULJKW
(%OHIW(%ULJKW
[ X
  
If the operator has pressed the enabling button through to the "Panic" setting, the "Enable" setting will not be evaluated when leaving the panic setting. A new enable can only be triggered by releasing the enabling button.
See also
Safety functions of the enabling button (Page 39) S7 Distributed Safety (Page 58)
Fail-safe operation of the Mobile Panel 277F IWLAN Function Manual, 08/2008, 6AV6691-1FQ01-2AB0
(QDEOH
[
X
\
3DQLF 1HXWUDOSRVLWLRQ
(%(QDEOLQJEXWWRQ
\
23
Page 24
Overview and definition of terms
1.7 "Override" mode
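The enabling-button evaluation described in section 1.6.2 (OR gate over both buttons, panic on either button, no enable when leaving panic, revocation 5 seconds after leaving the effective range), as an added Python model that is not Siemens code. The class, the sampling interface and both traces are assumptions constructed for illustration; the local rampdown after 30 seconds is not modelled here.

```python
from enum import Enum


class Pos(Enum):
    NEUTRAL = 0   # enabling button not pressed
    ENABLE = 1    # pressed to the mid position
    PANIC = 2     # fully pressed


class EnablingEvaluator:
    """Model of the 3-stage enabling evaluation with two buttons."""

    REVOKE_AFTER_S = 5.0   # enable is revoked 5 s after leaving the range

    def __init__(self):
        self.must_release = False   # set by panic or by an out-of-range revoke
        self.left_range_at = None   # time the effective range was left

    @staticmethod
    def combine(left, right):
        # Panic on either button wins regardless of the other button;
        # otherwise the two buttons are evaluated as an OR gate.
        if Pos.PANIC in (left, right):
            return Pos.PANIC
        if Pos.ENABLE in (left, right):
            return Pos.ENABLE
        return Pos.NEUTRAL

    def step(self, t, left, right, in_range=True):
        """Return True if enable is granted for the sample taken at time t."""
        pos = self.combine(left, right)
        if in_range:
            self.left_range_at = None
        elif self.left_range_at is None:
            self.left_range_at = t

        if pos is Pos.NEUTRAL:
            self.must_release = False   # a full release re-arms the evaluation
            return False
        if pos is Pos.PANIC:
            self.must_release = True    # same effect as releasing: enable revoked
            return False
        # Mid position: granted only if no release is pending and the device
        # has not been outside the effective range for 5 s or more.
        if (self.left_range_at is not None
                and t - self.left_range_at >= self.REVOKE_AFTER_S):
            self.must_release = True
        return not self.must_release


def run(trace):
    """Evaluate (t, left, right, in_range) samples and return the enable flags."""
    ev = EnablingEvaluator()
    return [ev.step(*sample) for sample in trace]


N, E, P = Pos.NEUTRAL, Pos.ENABLE, Pos.PANIC

# Constructed trace: enable, panic on the left button, back through mid, release.
PANIC_TRACE = [
    (0, N, N, True), (1, E, N, True), (2, E, E, True), (3, P, E, True),
    (4, E, E, True), (5, N, N, True), (6, N, E, True),
]

# Constructed trace: button held while leaving the range at t=10, back at t=20.
RANGE_TRACE = [
    (0, E, N, True), (10, E, N, False), (14, E, N, False), (15, E, N, False),
    (20, E, N, True), (21, N, N, True), (22, E, N, True),
]

if __name__ == "__main__":
    print(run(PANIC_TRACE))
    print(run(RANGE_TRACE))
```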
1.7 "Override" mode
Introduction
The effective range functionality of the HMI device can be extended through the "override" mode.
Applications
"Override" mode can be used in the following cases:
● Use of existing protective measures instead of the effective range functionality
If protective measures, such as protective fences, are already available in your plant, then you can integrate them in your safety concept with the "override" mode. Thus you achieve a consistent concept for safe plant operation.
● Operation with the enabling buttons of plant units that do not permit transponder coverage, such as the inside of a robot cell
In this case you must secure the plant area with additional protective measures, such as a protective fence.
Requirements
Only use "override" mode in delimited plant units that are secured by additional protective measures.
Entering and leaving the protected area must be monitored by the F-CPU.
The operator must be able to fully see the area for which "override" mode applies. The danger location must be visible from every point of the override area.
When using the "override" mode you must install a switch within an effective range that is independent of the HMI device. The operator activates "override" mode with this switch.
WARNING
Inadmissible activation of the "override" mode
The operator has to activate "override" mode through a conscious operator action, e.g. by activating a switch. The "override" mode should not be automatically activated, e.g. when the safety area is entered.
The application program in conjunction with F-FB must ensure that the "override" mode is revoked when the area is left.
Sample configuration
[Figure: sample configuration; label: PROFIsafe]
① Protective fence ② Switch for activating "override" mode ③ Transponder for logging on at the effective range ④ Foot grating for access monitoring ⑤ HMI device ⑥ Machine that will be operated
Activation of the "override" mode
The operator activates "Override" mode in the following manner:
1. The operator enters the protected area through a light barrier or across a foot grating. The protective device is activated.
2. The operator logs on at the effective range in which the override switch is located.
3. The operator activates the override switch.
"Override" mode is now active until either the operator deactivates "Override" mode with the override switch or until he leaves the protected area.
Operating principle
In the following figure you see the plant area for which "override" mode is active.
[Figure: plant area for which "override" mode is active; label: PROFIsafe]
If "override" mode is activated the operator can safely operate the associated plant area with the enabling buttons. The HMI device is considered to be permanently logged on in the effective range, without analyzing the transponder signals.
Deactivation of "override" mode
The operator deactivates "override" mode in the following manner:
1. The operator activates the override switch. "Override" mode is deactivated by the safety program.
2. The operator logs off from the effective range. Subsequent logon at this effective range is only possible if the operator has terminated "override" mode with the override switch.
3. The operator leaves the protected area.
If the operator leaves the protected area without deactivating "override" mode, "override" mode is deactivated by the safety program.
See also
For the "Override" mode: Planning the protective devices (Page 49) Configuration and operation (Page 113)
2 Safety instructions, standards and notes
2.1 Safety instructions
Safety regulations
WARNING
Injury or material damage
Strictly observe all instructions in this document at all times. Otherwise, hazardous situations can arise or the safety functions integrated in the HMI device can be rendered ineffective.
Observe the safety and accident prevention instructions applicable to your application in addition to the safety instructions given in this manual.
Configuration requirements
WARNING
Injury or material damage
The configuration engineer for a machine or system PLC must take precautions to ensure that an interrupted program can be restarted normally after communication errors, voltage dips, or power failures.
Dangerous operating modes must not occur, not even temporarily, from the entire sequence of the user program up to troubleshooting.
Proper use
WARNING
Commissioning of the HMI device is forbidden until it has been absolutely ensured that the machine which is to be operated with the HMI device complies with Directive 98/37/EC.
Fault-free operation
WARNING
Interference with other systems
When using the HMI device in accordance with DIN EN 13557 you must ensure that the HMI device does not interfere with other systems at the site, or that other systems do not interfere with the HMI device.
Safety measures during operation
WARNING
Non-functional emergency stop button
The emergency stop button must be checked annually for proper function.
WARNING
HMI device failure
After a hard impact to the HMI device, check the safety-relevant features for functional capability, for example in the event that the HMI device is dropped.
WARNING
Danger of injury
Manual movements controlled with the HMI should only be executed in conjunction with the enabling buttons and at reduced velocity.
WARNING
Exclusive operating right
When operating the plant with the HMI device it is not permitted to operate the plant concurrently from a different HMI device. Prevent concurrent operation through appropriate configuration.
High frequency radiation
WARNING
Unintentional operating situations
High-frequency radiation, for example from cellular phones, can lead to undesirable operating situations.
Information for handling the battery:
CAUTION
Charging and discharging the battery
In the following cases, there is a risk of fire and, in extreme cases, explosion!
● Incorrect charging and discharging of the battery
● Reverse polarity
● Short-circuit
Only charge the bridging battery in the HMI device.
Only charge the main battery in the HMI device or in the charging compartment of the charging station.
CAUTION
The battery is a lithium ion battery. The following safety notes apply to these rechargeable batteries:
● Do not crush
● Do not expose to heat and do not burn
● Do not short-circuit
● Do not take apart
● Do not immerse in liquid – the battery might crack or burst
● Store unused batteries away from the following items, which can cause the contacts to be bridged:
– Paper clips
– Coins
– Keys
– Nails
– Screws or other small metal objects
CAUTION
Danger of injury
If used incorrectly, fluid can leak from the battery. Avoid contact with the battery fluid. If fluid comes into contact with the skin, rinse with water. If fluid comes into contact with the eyes, rinse with water and seek medical advice.
Instructions for battery replacement in Mobile Panel 277F IWLAN
CAUTION
Local rampdown of logged on HMI device
If the HMI device which is logged on at the effective range no longer recognizes the transponder and, therefore, the effective range, it triggers a local rampdown.
To change the battery, rest the HMI device on its front. Align the HMI device so that it is still possible to measure the distance between the HMI device and the transponder.
If possible, log the HMI device off from the effective range.
NOTICE
Pay attention to cleanliness. Foreign bodies or liquids must not come into contact with the printed circuit board or penetrate the inside of the HMI device.
Place the HMI device with the front side facing down on a flat, clean surface to protect against damage.
CAUTION
Malfunctions
If the HMI device is resting on its front, the following can be activated:
● The emergency stop button
This can bring the system to a standstill unintentionally.
● The key-operated switch or an illuminated pushbutton
This can result in malfunctions.
Components and modules endangered by electrostatic discharge (ESD)
When working in the open housing, ensure that current-carrying conductors do not come into contact with electrical circuits. Note the ESD instructions.
2.2 Guidelines, standards, certificates and approvals
Certifications
CAUTION
The following overview shows possible approvals.
The only valid approvals for the HMI device, the charging station, the power supply module, and the transponder are those shown on the label on the rear panel.
CE approval
The HMI device, charging station, power supply unit, and transponder satisfy the requirements and protection objectives of the EC Directives below. The HMI device, charging station, power supply unit, and transponder comply with the harmonized European standards (EN) published in the Official Journals of the European Union for programmable controllers:
● 2004/108/EC Electromagnetic Compatibility Directive (EMC Directive)
● 98/37/EC Directive of the European Parliament and Council of 22 June 1998 on the approximation of the laws and administrative regulations of the Member States concerning machinery
● Specific absorption rate in accordance with EN 50392
EC Declaration of Conformity
The EC Declarations of Conformity are available to the relevant authorities at the following address:
Siemens AG Industry Sector I IA AS RD ST PLC PO Box 1963 D-92209 Amberg
UL approval
Underwriters Laboratories Inc., to
● UL 508 (Industrial Control Equipment)
● CSA C22.2 No. 142 (Process Control Equipment)
The approval is only valid in the case of battery operation or when stationary in the charging station.
Marking for Australia
The HMI device, charging station, power supply unit, and transponder satisfy the requirements of Standard AS/NZS 2064 (Class A).
N117
Wireless approval
The HMI device wireless approvals for the various countries are located as follows:
● On the rear of the HMI device
● In the product information supplied together with the HMI device
TÜV
The TÜV confirms that the HMI device satisfies the requirements of the standards below with regard to its safety functions.
● SIL3 to IEC 61508-1 to 4
● Category 4 in accordance with EN 954-1.
● PL e and Cat. 4 in accordance with EN ISO 13849-1
● EN 60204-1
● ISO 13850
● IEC 62061
Requesting certificates
Copies of the certificates and associated reports can be requested from the following address:
Siemens AG Industry Sector I IA AS RD ST PO Box 1963 D-92209 Amberg
2.3 Operating safety
Standards
The HMI device complies with the following standards:
● EN 954-1 Safety of machinery
● EN 60204-1 Safety of machinery – Electrical equipment of machines
● EN 62061 Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
● EN ISO 13849-1 Development, testing and certification of safety-related machine controls
● ISO 13850 Safety of machinery – Emergency stop – Principles for design
● IEC 61508 Functional safety of electrical/electronic/programmable electronic-related systems
● EN 61131-1 and EN 61131-2 Programmable Controllers
● The HMI device was tested for EMC in accordance with the following standards:
– EN 61000-6-4, Generic standard – emitted interference
– EN 61000-6-2, Generic standard, Immunity, industrial environments
– EN 61131-2, Programmable Controllers
● EN 300 328 V1.6.1, EN 300 440-1 V1.3.1, EN 301 893, EN 301 489-1, EN 301 489-17, FCC Part 15.245, 15.247, 15.407 Wireless approval
● EN 50 360, IEEE 1528-X, EN 50371, EN 50 392 Radiation protection requirements (SAR/EMF)
If the HMI device is used in a system, the following standards are fulfilled:
● prEN 1921, Industrial automation systems – safety of integrated manufacturing systems
● EN 12417:2001, Machine tools – safety – machining centers
● UL 508, Industrial Control Equipment
● CSA C22.2 No.14, Industrial Control Equipment
2.4 Power supply
Safety specifications
CAUTION
Damage to the HMI device
Only operate the HMI device with approved components:
● Batteries
● Charging station
● For office environments only: Tabletop power supply unit
Order information of the components is available on the Internet at "http://mall.automation.siemens.com".
WARNING
Injury or material damage
You may operate the HMI device in the plant only with the battery or in the charging station. Operation with the desktop power supply module is not permitted.
WARNING
Effectiveness of the emergency stop button
The emergency stop button only has an effect if the HMI device is integrated into the safety program.
Charging station
WARNING
Injury or material damage
The charging station complies with the following standards:
EN 50335-2-29
DIN EN 60204-1
Protection class III in accordance with EN 61131-2 or EN 50178.
The 24 VDC power supply must be ensured by safely isolating the low voltage from hazardous voltages, e.g. by using a safety transformer or equivalent equipment.
Allowance should be made for the loss of voltage on the connection cable during dimensional analysis of the supply!
WARNING
Injury or material damage
Configure the 24 VDC supply for the charging station correctly, otherwise components of your automation system can be damaged and persons may be injured.
Use only voltage generated as protective extra-low voltage (PELV) for the 24 VDC supply of the charging station.
CAUTION
Safe electrical separation
Use only power supply units with safety isolation complying with IEC 60364-4-41 or HD 384.04.41 (VDE 0100, Part 410), for example according to the PELV standard, for the charging station's 24 VDC supply.
The supply voltage must be within the specified voltage range. Malfunctions in the charging station may otherwise result.
Applies to non-isolated system design:
Connect the connection for GND 24 V from the 24 V power supply output to equipotential bonding for uniform reference potential.
The following table shows the technical data of the supply voltage for the charging station:
| Parameter | Value |
|---|---|
| Nominal voltage | +24 VDC |
| Range, permissible | 19.2 V to 28.8 V (–20 %, +20 %) |
| Transients, maximum permissible | 35 V (500 ms) |
| Time between two transients, minimum | 50 sec |
| Current consumption with Mobile Panel: Typical | Approximately 1.5 A |
| Current consumption with Mobile Panel: Constant current, maximum | Approx. 1.8 A |
| Current consumption with Mobile Panel: Power on current surge I²t | Approx. 1.7 A²s |
| Current consumption with Mobile Panel and batteries in charging compartment: Typical | Approximately 2.8 A |
| Current consumption with Mobile Panel and batteries in charging compartment: Constant current, maximum | Approximately 3.4 A |
| Current consumption with Mobile Panel and batteries in charging compartment: Power on current surge I²t | Approximately 1.7 A²s |
| Fuse, internal | Electronic |

Connection to the supply voltage
Wire the supply voltage to the cable terminal box included with the charging station using a 3-wire flexible cable (0.75 mm²). For additional information, refer to the operating instructions of the HMI device.
Tabletop power supply unit
CAUTION
Please note that the mains connector must be removed for a complete disconnection from the mains.
Do not operate the HMI device in the plant with the tabletop power supply unit. The tabletop power supply unit is only suitable for an office environment.
The device is designed for operation on grounded power supply networks (TN systems to VDE 0100, Part 300, or IEC 364-3).
Operation is not authorized on ungrounded or impedance-grounded power networks (IT networks).
2.5 Notes about usage
Using the HMI device
A list indicating the country or geographical region of a country in which the HMI device is certified is included in the product information supplied with the HMI device.
Use in industry
The HMI device is designed for industrial use. For this reason, the following standards are met:
● Interference emission requirements, paragraph 7.3, DIN EN 60947-1, Environment A
● Interference immunity requirements DIN EN 61326
Residential use
Note The HMI device is not suitable for use in residential areas: If you use the HMI device in residential areas, the radio/TV reception may be impeded.
If the HMI device is used in a residential area, you must take measures to achieve Limit Class B conforming to EN 55011 for RF interference.
A suitable measure for achieving the required RF interference level for Limit Class B includes for example:
● Use of filters in electrical supply lines
Individual acceptance is required.
Use of cable-free control equipment
WARNING
When using cable-free control equipment you must ensure that it does not interfere with other systems at the site, or that other systems do not interfere with it.
2.6 Risk analysis
Carrying out a risk analysis
The following standards must be used to perform the risk analysis:
● EN ISO 12100-1 and EN ISO 12100-2, General design guidelines for machines
● EN 1050 Risk Assessment for Machinery
● EN 954-1 Safety of Machinery
These considerations result in a safety category (B, 1, 2, 3, 4) in accordance with EN 954-1 that ultimately dictates how the safety-related aspects of the system that will be configured must be furnished.
With the safety-related parts of the Mobile Panel 277F IWLAN the following requirements are satisfied:
● Category 4 in accordance with EN 954-1.
● SIL 3 in accordance with IEC 61508
● PL e and Cat. 4 in accordance with EN ISO 13849-1
The risk assessment must take into account that the overall concept of the plant must be configured accordingly. More detailed instructions on risk assessment and risk reduction are provided in the system manual "Safety Integrated".
2.7 Safety functions of the emergency stop button
Safety instructions
There is an emergency stop button on the Mobile Panel 277F IWLAN.
The emergency stop button on the Mobile Panel 277F IWLAN brings about a safety-related stop of the configured machine in accordance with EN 60204-1:1997, Section 9.2.5.3. You have the option of implementing a Category 0, 1, or 2 Stop function in accordance with EN 60204-1:1997, Section 9.2.2. The stop function category must be selected on the basis of a risk assessment.
WARNING
Emergency stop button not available
The emergency stop button on the HMI device must not be used as a replacement for a permanently-wired emergency stop/emergency off on the machine.
Install stationary emergency stop buttons that are available at all times on the configured system.
WARNING
Effectiveness of the emergency stop button
The following requirements must be met in order to render the emergency stop button effective:
● The HMI device must be operated in the charging station or operated with the battery.
● The project must be running on the Mobile Panel 277F IWLAN.
● The HMI device must be integrated in the safety program of the F-CPU.
If these prerequisites are satisfied the following applies:
● The SAFE LED on the HMI device is illuminated.
● The emergency stop button of the Mobile Panel 277F IWLAN is effective.
Category 0 or 1 Stop
If a Category 0 or 1 Stop circuit is implemented, the stop function must be in effect regardless of the operating mode. A Category 0 Stop must have precedence. Release of the emergency stop button should not cause a hazardous situation (see also EN 60204:1997 chapter 9.2.5.3).
The stop function is not to be used as a replacement for safety equipment.
NOTICE
The emergency stop button can be triggered unintentionally
The emergency stop button is evaluated under the following conditions:
● The Mobile Panel 277F IWLAN is integrated in the safety program of the F-CPU.
In the following cases, the emergency stop button can be triggered unintentionally, bringing the configured system to a standstill:
● If the HMI device falls down
● When opening one of the coverings on the rear of the HMI device
WARNING
Emergency stop button disabled
If a global rampdown has been triggered by a communication error, the emergency stop will no longer be available on the Mobile Panel in question.
You have the option of configuring the "Global rampdown" signal to trigger an emergency stop.
Storing the HMI device
WARNING
Non-functional emergency stop button
If the HMI device is not integrated, the emergency stop button does not function.
To avoid confusion between effective and non-effective emergency stop buttons, only one integrated HMI device should be freely accessible.
If the HMI device is not in use, it must be stored in a secure place.
See also
Emergency stop button (Page 20)
2.8 Safety functions of the enabling button
Introduction
The enabling mechanism is comprised of two enabling buttons mounted on both sides of the HMI device.
Numerically controlled machines and systems are equipped with the operating modes "Automatic mode" and "Special mode".
Special mode
Safety instructions
Safety is ensured in automatic mode by means of closed, isolating protective devices and/or with functional non-isolating protective devices that block access.
In special mode, safety has to be ensured in a different manner than in automatic mode. In special mode, the danger zones of the machine or system are entered, where controlled movements have to be possible.
A reduced speed on the machine or in the system has to be specified for special mode based on the risk assessment. Movement of the machine should only be possible when the enabling device is activated. The operator must have the necessary qualifications and be acquainted with the details of the intended application.
The safety-related aspects of the velocity reduction control and those for the enabling device are designed in such a way that they satisfy the EN 954-1 safety category determined by the risk analysis.
The operating principles of enabling devices are described in EN 60204. Through the findings from accident investigations and the existence of technical solutions, the 3-stage enabling button became state of the art. Positions 1 and 3 of the enabling button are Off functions. Only the middle position allows the enabling function. EN 60204-1:1997 is identical to IEC 60204-1, whereby the 3-stage enabling button is gaining international importance.
Page 40
The Stop category of the enabling device must be selected on the basis of a risk assessment and correspond to a Category 0 or 1 Stop.
WARNING
Injury or material damage
Enabling buttons should only be used when the following applies for the person activating the enabling button:
The person can see the danger zone.
The person is capable of recognizing personal injury hazards in good time.
The person is capable of taking immediate measures to avoid danger.
The only person allowed to remain in the danger zone is the person who is activating the enabling button.
Commands for unsafe conditions are not permitted to be issued with one enabling button alone. For this purpose, a secondary, intentional start command by means of a button on the Mobile Panel 277F IWLAN is required.
The following happens if you leave the effective range for a period of up to 30 seconds with the enabling button pressed: Enabling is revoked 5 seconds after leaving the effective range. If you reenter the effective range within 30 seconds, you must release the enabling button and press it again for enabling to take effect again.
NOTICE Enabling button not effective
The enabling button is only effective if the HMI device is logged on in the effective range and the "RNG" LED on the HMI device lights up.
If the operator leaves the effective range, the enabling button is deactivated after 5 seconds. The "Exit effective range without logoff" dialog opens after 30 seconds. The "RNG" LED only goes off when the operator confirms this dialog.
Risk from improper use
To avoid the danger of unauthorized use of the enabling button due to impermissible hold-down, on each project start the enabling button must be pressed all the way down, and then released.
See also
Enabling button (Page 22)
Page 41
Application Planning
3.1 Check list: Planning the application
Application planning
For application planning of the HMI device go through the following steps.
Check list for application planning
Step | Information | Check
Check the application conditions and environmental conditions | Application and ambient conditions (Page 42) |
Plant planning for application of the HMI device | Check list: Planning the system (Page 45) |
Planning the effective ranges | Planning effective ranges (Page 46) |
Only for the "override" mode: Planning the protective devices | For the "Override" mode: Planning the protective devices (Page 49) |
Planning measures to increase data safety | Check list: Data security (Page 50) |
Page 42
3.2 Application and ambient conditions
Mechanical and climatic conditions of use
The HMI device is designed for use in a location protected from the effects of the weather. The conditions of use are compliant with requirements to DIN IEC 60721-3-3:
● Class 3M3 (mechanical requirements)
The table applies to the HMI device, charging station, and transponder.
Tested for | Test standard | Comments
Sinusoidal vibration, stationary | DIN IEC 60721-3-3 | Frequency range: 2 ≤ f ≤ 200 Hz; Deflection: 1.5 mm/5 m/s²
Shocks, non-stationary, total shock response spectrum | DIN IEC 60721-3-3 | Shock amplitude: 70 m/s²; Shock duration: 22 ms
● Class 3K3 (climatic requirements)
The table applies to the HMI device, charging station, and transponder.
Ambient conditions | Permitted range | Comments
Air temperature | 5 to 40 °C |
Relative humidity | 5 to 85 %, no condensation | Corresponds to relative humidity, load degree 2 in accordance with IEC 61131, part 2
Absolute humidity | 1 to 25 g/m³ |
Atmospheric pressure | 70 to 106 kPa | Corresponds to an elevation of up to 3,000 m
Use with additional measures
In the following cases the use of the HMI device requires additional measures:
● In locations with a high degree of ionizing radiation
● In locations with difficult operating conditions, for example due to:
– Corrosive vapors, gases, oils or chemicals
– Electrical or magnetic fields of high intensity
● In systems that require special monitoring, for example:
– Elevators
– Systems in especially hazardous rooms
Page 43
Testing for mechanical environmental conditions
The following table provides information on the type and scope of tests to determine mechanical ambient conditions for the HMI device.
Tested for | Test standard | Comments
Vibrations | IEC 60068, part 2–6 (sinusoidal) | Type of vibration: 20 frequency cycles with a tuning rate of 1 octave/minute. Frequency range: 10 ≤ f ≤ 150 Hz, ± 1 Hz. Deflection: 0.35 mm / 5 g ± 15% at the control point
Shock | IEC 60068, part 2–27 | Shock form: Half-sine; Shock amplitude: 30 g; Shock duration: 11 ms; Number of shocks: 3 per axis
Continuous shocks | IEC 60068, part 2–29 | Shock form: Half-sine; Shock amplitude: 10 g; Shock duration: 16 ms; Shock cycle: (1–3)/s; Number of shocks: 1000 ± 10
Impact | IEC 60068, part 2–75 | One-time impact stress of 1 Nm with an impact test device similar to DIN VDE 0740, Part 1, Section 19.2 at room temperature.
Falling | Drop testing in accordance with EN 60068-2-32 | 1.2 m. Applies to the HMI device with and without battery:
Reducing vibrations
If the HMI device is subjected to greater shocks or vibrations, you must take appropriate measures to reduce acceleration or amplitudes.
We recommend fitting the charging station of the HMI device to vibration-absorbent material (on metal shock absorbers, for example).
Climatic ambient conditions for the HMI device
The following table shows the permitted climatic ambient conditions for use of the HMI device:
Ambient conditions | Permitted range | Comments
Temperature, operation | 0 to 40 °C |
Temperature, storage/transport | –20 to 60 °C |
Relative humidity | 5 to 85 %, no condensation | Corresponds to relative humidity, load degree 2 in accordance with IEC 61131, part 2
Atmospheric pressure | 1060 to 700 hPa | Corresponds to an elevation of –1,000 to 2,000 m
Page 44
Ambient conditions | Permitted range | Comments
Pollutant concentration | SO2: < 0.5 vpm; Relative humidity < 60 %, no condensation | Check: 10 cm³/m³; 10 days
Pollutant concentration | H2S: < 0.1 vpm; Relative humidity < 60 %, no condensation | Check: 1 cm³/m³; 10 days
Climatic ambient conditions for the charging station
The following table shows the permitted climatic ambient conditions for use of the charging station.
Ambient conditions | Permitted range | Comments
Temperature, operation | From 0 to 40 °C |
Temperature, storage/transport | From –20 to 60 °C |
Relative humidity | 5 to 85 %, no condensation | Corresponds to relative humidity, load degree 2 in accordance with IEC 61131, part 2
Atmospheric pressure | 1060 to 700 hPa | Corresponds to an elevation of –1,000 to 2,000 m
Pollutant concentration | SO2: < 0.5 vpm; Relative humidity < 60 %, no condensation | Check: 10 cm³/m³; 10 days
Pollutant concentration | H2S: < 0.1 vpm; Relative humidity < 60 %, no condensation | Check: 1 cm³/m³; 10 days
Ambient climatic conditions for the transponder
The following table shows the permitted climatic ambient conditions for use of the transponder:
Ambient conditions | Permitted range | Comments
Temperature, operation | 0 to 50 °C |
Temperature, storage/transport | –20 to 60 °C |
Relative humidity | 5 to 85 %, no condensation | Corresponds to relative humidity, load degree 2 in accordance with IEC 61131, part 2
Atmospheric pressure | 1060 to 700 hPa | Corresponds to an elevation of –1,000 to 2,000 m
Pollutant concentration | SO2: < 0.5 vpm; Relative humidity < 60 %, no condensation | Check: 10 cm³/m³; 10 days
Pollutant concentration | H2S: < 0.1 vpm; Relative humidity < 60 %, no condensation | Check: 1 cm³/m³; 10 days
Page 45
3.3 Check list: Planning the system
Introduction
For fail-safe systems careful system planning is necessary so that the system can be subsequently accepted and commissioned successfully.
Check list
Use the following check list when planning fail-safe systems:
Step | Further information | Check
Obtain a current plan of the plant for which an effective range concept should be created. | |
Based on the system plan specify the operator's access paths to the machine. | |
Specify the location from which the operator will operate the machine. Here you need WLAN coverage. | |
Plan the WLAN areas. | System description "Setting up an industrial wireless LAN", on the Internet at the following address: "http://support.automation.siemens.com/WW/view/en/22681042" |
Specify the mounting locations of the access points in such a manner that good WLAN coverage is ensured. Special tools such as Sinema E are available on the market for planning WLAN coverage. | Information about Sinema E is available on the Internet at the following address: "http://www.siemens.com/sinema" |
Specify the effective ranges in which the operator will operate the machine with the enabling buttons. | Planning effective ranges (Page 46) |
Specify the mounting locations for the transponders. | |
When using "override" mode: Plan additional protective measures. | For the "Override" mode: Planning the protective devices (Page 49) |
Plan the installation of the PROFINET and PROFIsafe communication. | System manual: "SIMATIC Communication" |
Particularly specify the PROFIsafe addresses for the HMI devices. | Programming and operating manual "SIMATIC S7 Distributed Safety Configuring and Programming". |
Page 46
3.4 Planning effective ranges
Effective range and transponder
An effective range is physically formed by transponders mounted in the vicinity of the machine. Each transponder sends a unique ID. The ID is received by the HMI device and enables it to determine its distance from the transponder. If the HMI device is within the effective range, safe operation is possible once it logs on in the effective range.
Rules for effective ranges
The following rules apply when defining effective ranges:
Rule | Explanation
The maximum distance from the transponder to the HMI device can be 8 meters. | System limits
No minimum distance to the transponder can be configured, but this is always a percent of the configured maximum range. The following section provides a detailed description. |
The effective range must be scaled so that the danger point can be seen from every angle of the effective range. | Too great a distance or a cluttered effective range prevents visual control on the part of the operator.
The distance between the machine to be operated and the operator needs to be scaled according to the machine. | Insufficient distance from the machine increases the injury hazard for the user. Too great a distance from the machine prevents visual control on the part of the operator.
Machine, transponder and operator position need to be adapted to one another. | The HMI device needs to be able to measure the distance to the transponder during operation. This requires the HMI device to be aligned with the transponder. The operator needs visual contact to the machine at the same time.
Effective ranges should not overlap. Consequently you should only assign each transponder to a single effective range. Transponders in different effective ranges must be far enough away from each other that their transmission ranges do not overlap. | Assignment of effective range to the machine that will be operated must be unique.
You can set up a maximum of 127 effective ranges in a project. | System limits
A maximum of 127 transponders can be assigned to one effective range. | System limits
Page 47
Distance measurement between HMI device and transponder
The transponder transmits its ID in a lobe-shaped area with a maximum range of approx. 8 meters. The following example shows the varying quality of the effective range based on a configuration in which a maximum range of x = 8 m has been specified.
[Figure: lobe-shaped transmitting area of the transponder with zones of differing effective range quality]
① Zone with poor quality effective range
② Zone with good quality effective range
③ The effective range quality along the line is 100%.
The effective range quality is best in the middle of the lobe-shaped area: the effective range quality along the white line is 100%. The effective range quality decreases along the lobe's center line in the direction of each edge.
There is a zone of poor quality effective range (marked yellow) both directly at the transponder as well as at the other end of the lobe. At the long side of the lobe there is a direct transition of the effective range quality from "good" to "no effective range detected".
You can find an exact description of the radiant characteristics of the HMI device and transponder in the specifications section of the operating instructions.
Transponders must be mounted in the system in such a manner that the planned effective range is covered by the transmitting range of the transponders assigned to it.
Page 48
Example:
① Machine that will be operated from within the effective range
② Transponder with transmitting range in the form of a lobe
③ Planned effective range; safe operation of the machine is possible from here
④ Actual effective range; safe operation of the machine is still possible from here
Procedure
1. On the system plan specify which parts of the system will be operated with the enabling buttons. You require effective ranges for these areas of the system.
2. Specify the spatial expansion of the individual effective ranges. The operator must be located within the limits of the respective effective range in order to operate the corresponding plant unit with the enabling buttons.
Comply with the rules for the definition of effective ranges.
3. Plan the transponders in the effective range in such a manner that the effective range is covered by the radiated emission of the transponders. Ensure that the effective range is not too large to be seen or another danger arises.
4. Specify the following:
– A name and an ID unique throughout the plant for each effective range from the value range 1 to 127
– A name and an ID unique throughout the plant for each transponder from the value range 1 to 65534
– For each effective range the maximum distance that the HMI device can have to the transponders of this effective range. The distance must be the same for all transponders of an effective range.
– The mounting location for an indicator.
WARNING
An indicator in the effective range is an absolute necessity
An indicator supplies the operator the feedback that he has logged onto the correct effective range.
Install an indicator in every situation, for example a light that shows that an HMI device is logged on in the effective range.
5. On the system plan, note the names and the IDs that you use during commissioning. Prior to commissioning you must affix the IDs of the effective ranges in the plant so that they are easily legible.
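The rules and value ranges of this section can be checked against a plan before commissioning. The following Python sketch is an added example, not part of the Siemens manual or of WinCC flexible; the class, field and function names and the sample plan are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Limits taken from the rules and the procedure in this section.
MAX_DISTANCE_M = 8.0                 # maximum transponder-to-HMI distance
RANGE_IDS = range(1, 128)            # effective range IDs: 1 to 127
TRANSPONDER_IDS = range(1, 65535)    # transponder IDs: 1 to 65534
MAX_RANGES = 127                     # effective ranges per project
MAX_TRANSPONDERS_PER_RANGE = 127


@dataclass
class EffectiveRange:
    """One planned effective range (hypothetical planning record)."""
    name: str
    range_id: int
    max_distance_m: float            # a single value, so it is the same for all transponders
    transponder_ids: list = field(default_factory=list)
    indicator_location: str = ""     # mounting location of the log-on indicator


def validate_plan(ranges):
    """Return a list of rule violations; an empty list means the plan is consistent."""
    problems = []
    if len(ranges) > MAX_RANGES:
        problems.append(f"project: {len(ranges)} effective ranges, limit is {MAX_RANGES}")

    name_by_range_id = {}
    owner_by_transponder = {}
    for r in ranges:
        where = f"range '{r.name}'"

        # Effective range ID: inside the value range and unique throughout the plant.
        if r.range_id not in RANGE_IDS:
            problems.append(f"{where}: ID {r.range_id} outside 1 to 127")
        elif r.range_id in name_by_range_id:
            problems.append(f"{where}: ID {r.range_id} already used by '{name_by_range_id[r.range_id]}'")
        else:
            name_by_range_id[r.range_id] = r.name

        if not 0 < r.max_distance_m <= MAX_DISTANCE_M:
            problems.append(f"{where}: maximum distance {r.max_distance_m} m exceeds the 8 m limit")
        if not r.transponder_ids:
            problems.append(f"{where}: no transponder assigned")
        if len(r.transponder_ids) > MAX_TRANSPONDERS_PER_RANGE:
            problems.append(f"{where}: more than {MAX_TRANSPONDERS_PER_RANGE} transponders")
        if not r.indicator_location.strip():
            problems.append(f"{where}: no mounting location for an indicator")

        # Transponder IDs: inside the value range, each assigned to a single effective range.
        for tid in r.transponder_ids:
            if tid not in TRANSPONDER_IDS:
                problems.append(f"{where}: transponder ID {tid} outside 1 to 65534")
            elif tid in owner_by_transponder:
                problems.append(f"{where}: transponder {tid} already assigned to '{owner_by_transponder[tid]}'")
            else:
                owner_by_transponder[tid] = r.name
    return problems


# Constructed sample plan: the first entry is valid, the other two break several rules.
SAMPLE_PLAN = [
    EffectiveRange("Press 1", 1, 6.0, [101, 102], "signal lamp on press 1 cabinet"),
    EffectiveRange("Press 2", 2, 9.5, [102, 103], ""),
    EffectiveRange("Conveyor", 2, 4.0, [70000], "signal lamp at conveyor head"),
]

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_PLAN):
        print(problem)
```

The check covers only what can be read off the plan as numbers and IDs; visibility of the danger point and non-overlapping transmission ranges still have to be verified on site.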
Page 49
3.5 For the "Override" mode: Planning the protective devices
Introduction
Use "override" mode to extend the effective range concept.
Requirements
Only use "override" mode in delimited plant areas that are secured by additional protective measures.
The operator must be able to fully see the area for which "override" mode applies. The danger location must be visible from every point of the override area.
When using the "override" mode you must install a switch within an effective range that is independent of the HMI device.
The operator logs his HMI device on at the effective range and activates "override" mode with this switch.
Suitable additional protective measures
When using "override" mode you must provide additional protective measures in your plant which prevent unauthorized use or incorrect operation of the HMI device. The additional protective measures must have a safety category that is commensurate with the plant requirements.
For example the following measures are suitable:
● Grate with protective door
● Light barrier
● Foot grating / safety shutdown mat
● Additional plant-typical safety measures
If you use a grating with a protective door, you have to protect against access to the override area using a further protective measure, e.g. a light barrier or a foot grating. This enables you to leave the protective door open as an escape route during operation of the plant in "override" mode.
Safety program
The "override" mode may only be activated as long as the safety measure is active. If the operator leaves the protected area, the "override" mode must be automatically ended.
Example of an application
A detailed example of an application can be found in the section Application example: Safety Functions (Page 113).
Page 50
3.6 Check list: Data security
Introduction
Data security (security in automation technology) serves particularly to ensure the availability and trouble-free operation of industrial plants.
In order to ensure secure transmission of signals via a WLAN for the Mobile Panel 277F IWLAN, you must particularly safeguard the system from unauthorized access.
You must expect the following types of unauthorized access:
● Outside accesses
To protect against unauthorized accesses from outside you must protect the WLAN in the same way you would protect a WLAN for office communication, namely with a firewall.
● Accesses from inside
Investigations have shown that the majority of attacks on data security are executed from inside the plant. To ensure data security you must take special measures inside the plant.
Possible attack objectives
The HMI device communicates with the fail-safe controller via PROFIsafe. Here the following possible attack objectives are present:
● Parameter assignment and configuration
Possible objectives of an attack are assignment of parameters to a device and configuration.
● Productive operation data
The productive data can be manipulated by sending a series of false PROFIsafe telegrams, which prevent the machine from being switched off.
Data transfer between HMI device and access point is protected by the AES encryption mechanism. Manipulation of productive data is prevented in this manner.
Organizational measures to ensure data security
The organizational measures to ensure data security are described in the following documents:
● PROFIsafe – Profile for Safety Technology on PROFIBUS DP and PROFINET IO (IEC 61784-3-3)
● PROFIsafe - Environmental Requirements
Note the regulations in these documents.
Check list
The following check list shows the organizational measures required to achieve the highest possible level of data security when transmitting via WLAN.
Specify the organizational measures you must implement in accordance with your plant's requirements. Take all phases into account:
● The configuration phase
Page 51
● Project transfer to the HMI device
● The process management phase in which the HMI device is used to operate and monitor the plant.
Check the interplay of the specified measures.
The measures listed in the table are marked as follows:
● To achieve PROFIsafe conformity, you must take all the measures which are marked with an asterisk * and highlighted in bold in the table.
● Additional voluntary measures are not marked.
Measure | Further information | Check
* Comply with the regulations in the document "PROFIsafe - Environmental Requirements". | Document PROFIsafe - Environmental Requirements |
Access points
Select the installation site and antenna characteristics of the access points in such a manner that only the desired area is supplied with wireless capacity. In this regard note that wireless waves spread out horizontally as well as vertically. | Access point operating instructions |
* Install access points where there is secure access, e.g. in intermediate ceilings. In this manner you prevent manipulations directly at the access point or at the Ethernet connection to the LAN. | |
* Only use wire conducted connections to access the parameter assignments of the access point. | |
Change the default administration password. | Access point operating instructions |
* Hidden SSID: Configure the access point in such a manner that the SSID of the wireless cell is not visible. | Access point operating instructions |
* Change the pre-set SSID. | Access point operating instructions |
Network
Examine the use environment with a spectrum analyzer and via WLAN measurement programs for possible interference to the WLAN on the wireless level. | |
If you have detected interference sources specify the appropriate remedial measures. Log the results. | |
Only operate the network in the infrastructure mode. | System manual "Fundamentals of Industrial Wireless LAN", chapter "Network architecture" |
* Completely disconnect the automation networks from other networks. Use firewalls, or VPNs at points where connections to these networks must exist. Limit the communication between the networks to the absolute minimum required. | System manual "Fundamentals of Industrial Wireless LAN", chapter "VPN (Virtual Private Network)" |
Page 52
Measure | Further information | Check
* Use authentication mechanisms to prevent unauthorized participation in wireless traffic. Shared key as well as certificates are allowed as authentication methods. The passphrase must be at least 20 characters long. The passphrase should contain alphanumeric characters and special characters. | |
HMI device
* Protect the HMI device and the toolbar of the HMI device against unauthorized access with a password. | HMI device operating instructions, chapter "Change password protection". |
* Only release the data channel via which the project will be transmitted to the HMI device, during transmission of the project. | HMI device operating instructions, chapter "Data channel parameter assignment". |
F-CPU and safety program
* Protect the access to the F-CPU and to the safety program with passwords. | Programming and operating manual "S7 Distributed Safety Configuring and Programming", chapter "Access protection" |
WinCC flexible ES
Protect WinCC flexible ES with general IT technologies. Examples: Protect the PC where the ES is installed on the operating system level with a password. To encrypt files, folders, and partitions use an appropriate encryption program. Programs with this functionality are available as shareware. Assign access rights to specific drives so that only a certain group of persons can use the data. Encrypt the data with mechanisms that Windows makes available. | |
Protect the "Effective range name" object with a password. | WinCC flexible Information System |
Further information
Additional information on data security is available in the following publications:
● System manual "Fundamentals - Industrial Wireless LAN", chapter "Data security of wireless communication in accordance with IEEE 802.11".
● Brochure published by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik): "Wireless communication systems and their security aspects".
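The access point and authentication rows of the check list can be turned into a repeatable review of the planned WLAN settings, keeping the measures marked with an asterisk separate from the voluntary ones. The following Python sketch is an added example, not part of the Siemens manual or of any access point's configuration interface; all field names, SSIDs and passphrases are constructed for illustration.

```python
from dataclasses import dataclass

MIN_PASSPHRASE_LEN = 20   # check list: the passphrase must be at least 20 characters long


@dataclass
class AccessPointPlan:
    """Planned settings of one access point (hypothetical review record)."""
    name: str
    ssid: str
    factory_ssid: str             # pre-set SSID the device was delivered with
    ssid_hidden: bool
    passphrase: str
    secured_mounting: bool        # installed where access is secure, e.g. intermediate ceiling
    wired_admin_only: bool        # parameter assignment reachable over wired connections only
    admin_password_changed: bool
    infrastructure_mode: bool


def passphrase_findings(passphrase):
    """Check the passphrase rules from the authentication row of the check list."""
    findings = []
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(
            f"passphrase has {len(passphrase)} characters, at least {MIN_PASSPHRASE_LEN} are required")
    has_alnum = any(c.isalnum() for c in passphrase)
    has_special = any(not c.isalnum() and not c.isspace() for c in passphrase)
    if not (has_alnum and has_special):
        findings.append("passphrase does not mix alphanumeric and special characters")
    return findings


def audit(ap):
    """Return (mandatory, voluntary) open findings for one access point.

    'mandatory' holds the measures marked with an asterisk in the check list.
    """
    mandatory, voluntary = [], []
    if not ap.secured_mounting:
        mandatory.append("access point is not installed where access is secure")
    if not ap.wired_admin_only:
        mandatory.append("parameter assignment is reachable over a non-wired connection")
    if not ap.ssid_hidden:
        mandatory.append("SSID of the wireless cell is visible")
    if ap.ssid == ap.factory_ssid:
        mandatory.append("pre-set SSID has not been changed")
    mandatory.extend(passphrase_findings(ap.passphrase))
    if not ap.admin_password_changed:
        voluntary.append("default administration password is still set")
    if not ap.infrastructure_mode:
        voluntary.append("network is not operated in infrastructure mode")
    return mandatory, voluntary


def open_mandatory_measures(plans):
    """Map access point name to its open asterisk measures; empty dict means none are open."""
    result = {}
    for ap in plans:
        mandatory, _ = audit(ap)
        if mandatory:
            result[ap.name] = mandatory
    return result


# Constructed sample data: the first access point passes, the second does not.
SAMPLE_PLANS = [
    AccessPointPlan("AP-hall-1", "cell-7f3a", "default-ssid", True,
                    "Kx7#mill-Line_4!qv92+Zr", True, True, True, True),
    AccessPointPlan("AP-hall-2", "default-ssid", "default-ssid", False,
                    "plant-floor-2008", True, True, False, True),
]

if __name__ == "__main__":
    for name, findings in open_mandatory_measures(SAMPLE_PLANS).items():
        for finding in findings:
            print(f"{name}: * {finding}")
```

The remaining asterisk measures of the check list (network separation, passwords on the HMI device and the F-CPU, release of the data channel) are outside this sketch and need their own review.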
Page 53
Configuration
4.1 Check list: Configuration
Configuration
Go through the following steps for configuration.
Checklist for configuration
Step | Information | Check
STEP 7, HW Config: Integrating the HMI device in the plant configuration. Setting the PROFIsafe parameters | Assigning parameters for communication between the HMI device and the controller (Page 55) |
S7 Distributed Safety: Call the F-FBs in the safety program that are necessary for the HMI device | Using F-FBs (Page 60) |
WinCC flexible: Configure a unique project ID, the effective ranges, and the desired objects | Configuration overview (Page 72) |
Setting the HMI device parameters | HMI device operating instructions, Appendix |
4.2 Procedure for configuration
Tools
For the use of a Mobile Panel 277F IWLAN you have to use various tools, which you can call centrally on the configuration computer via the SIMATIC Manager:
● The STEP 7 hardware configuration "HW Config"
● The S7 Distributed Safety option pack
● WinCC flexible 2007 ES
Page 54
Basic procedure
Always use the following procedure for configuration:
1. Create a STEP 7 project in the SIMATIC Manager.
2. Configure the required F-CPU and a PROFINET connection in the hardware configuration "HW Config".
3. Insert a Mobile Panel 277F IWLAN in the configuration from the hardware catalog of the HW Config by dragging it to the PROFINET connection in the station window via Drag&Drop.
4. Call the object properties of the Mobile Panel 277F IWLAN using the context menu (right mouse button) and configure the communication between the HMI device and the PLC, see Assigning parameters for communication between the HMI device and the controller (Page 55).
5. Configure other components in accordance with your plant.
6. Create a safety program for the F-CPU in STEP 7 with S7 Distributed Safety. Insert the F-FBs required for the HMI device in the safety program and wire them according to instructions. Do this according to the checklist Checklist: Creation of the safety program (Page 59).
7. Start WinCC flexible ES and create a project for the HMI using the Wizard.
8. Set "Ethernet/Wireless" in the project view under "Communication".
9. Set the PROFIsafe address of the HMI device in the project view under "Device settings" > "Device settings".
10. Configure the effective ranges planned for your plant under "Device settings" > "Effective ranges", see Effective ranges editor (Page 73).
11. Configure the figures for operating and monitoring the plant. Insert the objects required for working with effective ranges in these figures, see Objects for the Mobile Panel 277F IWLAN (Page 73).
Further information
You have central access to SIMATIC documentation under SIMATIC in the Start menu on the configuration computer.
More detailed information can be found under the following references:
Tool | Task | Documentation
STEP 7, HW Config | Creation of the project for the automation system | SIMATIC > Documentation > desired language
S7 Distributed Safety | Creation of the safety program | SIMATIC > Documentation > desired language
WinCC flexible | Creation of the project for the HMI device | SIMATIC > WinCC flexible 2007 > WinCC flexible help system
Page 55
4.3 STEP 7: HW Config
Procedure in STEP 7 HW Config
When you have created a STEP 7 project in the SIMATIC Manager, configure the desired F-CPU and a PROFINET connection in the hardware configuration "HW Config".
Then insert a Mobile Panel 277F IWLAN in the configuration from the hardware catalog of the HW Config by dragging it to the PROFINET connection in the station window via Drag&Drop.
Configure the communication between the HMI device and the F-CPU in the properties of the HMI device.
4.3.1 Integrating the GSD file in STEP 7
If the HMI device is not listed in the hardware catalog of HW Config, you need to integrate the valid GSD files for the HMI device in the STEP 7 database.
The GSD files are available on the documentation CD or on the Internet at the following address: "http://www.siemens.com/automation/support"
Note
At installation of WinCC flexible, the GSD files supplied with WinCC flexible are automatically integrated in STEP 7.
4.3.2 Assigning parameters for communication between the HMI device and the controller
Introduction
If you select the HMI device in the HW Config, the following modules are displayed:
● mobile277fiwlan
● Mobile277Standard_IO
● Mobile277Failsafe_IO
Object properties of the module "Mobile277Failsafe_IO"
The parameters for fail-safe operation are configured in the object properties of the Mobile277Failsafe_IO module. You can only change these parameters after you have entered a password for the safety program.
You can find additional information about access protection in the manual "S7 Distributed Safety Configuring and Programming".
Page 56
● "Addresses" tab
The address area for the process image is configured in this tab. The process image is a memory area in the controller which the HMI device and controller access together. At the beginning of the cyclic control program the signal states of the inputs of the HMI device are transferred to the controller via the process input image, PII. At the end of the cyclic program the process image of the outputs, PIQ, is transferred as a signal state to the HMI device.
Parameter | Meaning
Input > Address > Start of Address Area | Start address of the inputs in the process image. The safety-relevant user data of the HMI device is shown. The default depends on the controller used.
Input > process image | Process image to which the address range of the inputs belongs, PII. This parameter cannot be set with controllers of the SIMATIC CPU 300 type.
Output > Address > Start of Address Area | Start address of the outputs in the process image. The safety-relevant user data of the HMI device is shown. The default depends on the controller used.
Output > process image | Process image to which the address range of the outputs belongs, PIQ. This parameter cannot be set with controllers of the SIMATIC CPU 300 type.
● "PROFIsafe" tab
Here you must set the parameters "F_Dest_Add" and "F_WD_Time".
Parameter | Meaning
F_SIL | Safety class of the Mobile Panel 277F IWLAN. The value of the parameter is set to "SIL 3". This parameter cannot be modified.
F_CRC_Length | Length of the CRC for the consistency check. The value of the parameter is set to "3 byte CRC". This parameter cannot be modified.
F_Block_ID | This parameter must be set to the value "0", as there is no checksum of the individual device parameters.
F_Par_Version | Implemented PROFIsafe version. The value of the parameter is set to "1". This means that PROFIsafe V2 is used. This parameter cannot be modified.
F_Source_Add | PROFIsafe address used to uniquely identify the source throughout the network and station. The address is assigned automatically. The "F_Source_Add" parameter can have a value between 1 and 65534. This parameter cannot be modified.
F_Dest_Add | PROFIsafe address used to uniquely identify the destination throughout the network and station. The address is assigned automatically. The "F_Dest_Add" parameter can have a value between 1 and 65534. You can change the value for "F_Dest_Add".
F_WD_Time (ms) | Monitoring time in the fail-safe IO device.
A valid current safety frame must reach the F-CPU and be returned to the HMI device within the monitoring time period. This ensures that failures and errors are detected and appropriate responses, which keep the fail-safe system in a safe state or transfer it to a safe state, are triggered.
The monitoring time selected must be long enough that message frame delays will be tolerated by the communication system, but short enough that the fault reaction function responds quickly enough in the event of a fault (e.g. interruption in the communication connection).
The "F_WD_Time" parameter can be set in 1 ms increments. The default monitoring time is 500 ms.
Calculate the minimum monitoring time with the Excel table "s7fcotia.xls".
This table is part of the option package S7 Distributed Safety. You can find the current version of this table on the Internet at the following address:
"http://www.siemens.de/automation/support", document ID 21627074.
You can find the parameters needed to calculate the monitoring time under "General specifications".
NOTICE
If an error occurs, the monitoring time is included in the maximum response time. The selected monitoring time must be short enough that the error tolerance time of the process is not exceeded.
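The following Python check is an added example, not part of the Siemens manual or tooling. It audits PROFIsafe parameters against the rules stated above: the fixed values, the address range, a unique "F_Dest_Add", and the lower and upper bound on "F_WD_Time". The data layout, the function names, the sample values and the simplification that the maximum response time is the monitoring time plus a known remainder are assumptions.

```python
"""Audit PROFIsafe parameters for Mobile Panel 277F IWLAN devices (added example)."""

# Values the manual gives as fixed for this device.
FIXED = {
    "F_SIL": "SIL 3",
    "F_CRC_Length": "3 byte CRC",
    "F_Block_ID": 0,
    "F_Par_Version": 1,  # "1" means PROFIsafe V2
}
ADDR_MIN, ADDR_MAX = 1, 65534  # documented range of F_Source_Add / F_Dest_Add
DEFAULT_WD_MS = 500            # documented default of F_WD_Time


def audit_device(name, params, min_monitoring_ms, other_response_ms, tolerance_ms):
    """Return (device, parameter, message) findings for one HMI device.

    min_monitoring_ms: minimum monitoring time, e.g. from "s7fcotia.xls"
    other_response_ms: response time of the safety function without the
                       monitoring time (assumed to be known to the planner)
    tolerance_ms:      error tolerance time of the process
    """
    findings = []
    for key, expected in FIXED.items():
        if params.get(key) != expected:
            findings.append((name, key, f"is {params.get(key)!r}, expected {expected!r}"))

    for key in ("F_Source_Add", "F_Dest_Add"):
        value = params.get(key)
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if not is_int or not ADDR_MIN <= value <= ADDR_MAX:
            findings.append((name, key, f"{value!r} is outside {ADDR_MIN}..{ADDR_MAX}"))

    wd = params.get("F_WD_Time", DEFAULT_WD_MS)
    if isinstance(wd, bool) or not isinstance(wd, int) or wd < 1:
        findings.append((name, "F_WD_Time", f"{wd!r} is not a whole number of ms"))
        return findings
    if wd < min_monitoring_ms:
        # Too short: normal message frame delays would already trip the watchdog.
        findings.append((name, "F_WD_Time",
                         f"{wd} ms is shorter than the minimum of {min_monitoring_ms} ms"))
    if other_response_ms + wd > tolerance_ms:
        # Too long: in the error case the monitoring time adds to the response time.
        findings.append((name, "F_WD_Time",
                         f"{wd} ms exceeds the error tolerance time of {tolerance_ms} ms"))
    return findings


def audit_project(devices, min_monitoring_ms, other_response_ms, tolerance_ms):
    """Audit every device and flag destination addresses used more than once."""
    findings, dest_owner = [], {}
    for name, params in devices.items():
        findings += audit_device(name, params, min_monitoring_ms,
                                 other_response_ms, tolerance_ms)
        dest = params.get("F_Dest_Add")
        if dest in dest_owner:
            findings.append((name, "F_Dest_Add",
                             f"{dest} is already used by {dest_owner[dest]}"))
        else:
            dest_owner[dest] = name
    return findings


# Constructed sample data; addresses and timing figures are illustrative only.
SAMPLE = {
    "panel_a": {**FIXED, "F_Source_Add": 1, "F_Dest_Add": 200, "F_WD_Time": 500},
    "panel_b": {**FIXED, "F_Source_Add": 1, "F_Dest_Add": 200, "F_WD_Time": 900},
    "panel_c": {**FIXED, "F_Source_Add": 1, "F_Dest_Add": 0, "F_WD_Time": 100},
}

if __name__ == "__main__":
    for device, parameter, message in audit_project(SAMPLE, 320, 150, 1000):
        print(f"{device}: {parameter} {message}")
```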
Additional information on configuring F-I/O in STEP 7
You can find additional information on configuring fail-safe I/O in STEP 7 in the manual "S7 Distributed Safety Configuring and Programming" and in the system manual "Safety Engineering in SIMATIC S7".
Additional information on working in HW Config
You can find additional information on working in HW Config in the manual "Configuring hardware and communication connections with STEP 7" and in the HW Config online help.
4.4 S7 Distributed Safety
Introduction
The Mobile Panel 277F IWLAN is used as a peripheral in fail-safe automation systems. Fail-safe automation systems, also referred to as F systems in the following, are used in plants requiring high levels of safety.
During fail-safe operation, a safety program runs in the F CPU. The HMI device must be integrated into this safety program.
The HMI device and F CPU communicate via PROFINET IO. They use the safety-related PROFIsafe protocol as of V 2.0 for fail-safe communication.
Safety-related functions of the HMI device
The fail-safe HMI device performs the following:
● Detects the signal states of the emergency stop button and enabling button
● Sends these signal states to the F CPU in the form of safety message frames
Safety program and F FBs
To operate the HMI device, you need to configure a safety program in STEP 7 with the "SIMATIC S7 Distributed Safety" add-on package as of V5.4 SP3.
To guarantee availability of the safety functions, you need to use particular fail-safe function blocks (F FBs) in the safety program.
If you do not use the fail-safe function blocks, the HMI device cannot be integrated in the safety program of the F CPU. The project on the HMI device cannot be started.
The F FBs are supplied on a CD together with the HMI device. You can also obtain the F FBs on the Internet at the following address:
"http://www.siemens.de/automation/support"
Additional information
You can find additional information about working with S7 Distributed Safety in the programmer and operator manual "SIMATIC S7 Distributed Safety - Configuration and Programming" as well as the online help for S7 Distributed Safety.
4.4.1 Checklist: Creation of the safety program
Checklist for configuring a safety program for emergency stop applications
Information on S7 Distributed Safety can be found in the programming and operating manual "S7 Distributed Safety - configuring and programming".
Please observe all additional instructions described in the programming and operating manual "S7 Distributed Safety - configuring and programming".
Go through the following steps for configuration.
Step | Information | Check
Configuration of the hardware | S7 Distributed Safety, chapter "Overview of configuration" |
Configuration of the F-CPU: Level of protection "CPU contains safety program"; Password; Define/set F-specific parameters; Define the call time for the F-run-time group in which the safety program is to be executed. | S7 Distributed Safety, chapter "Configuring the F-CPU" |
Save, compile and load the hardware configuration. The following blocks are generated: F-shared DB; F-I/O DB for the HMI device; System data | |
Insert the following fail-safe blocks: FB 161: F_FB_MP; FB 162: F_FB_RNG_4 or FB 163: F_FB_RNG_16; FC 176: F_BO_W; FC 177: F_W_BO; FB 215: F_ESTOP1; F_DB_STATES or a comparable data area in an existing F-DB | Using F-FBs (Page 60); FB161: Mobile Panel Status (F_FB_MP) (Page 63); FB162: Effective range for 4 Mobile Panel (F_FB_RNG_4) / FB 163 Effective range for 16 Mobile Panel (F_FB_RNG_16) (Page 67) |
Call and wire the F-FBs as described in the application example | Online help for the F-FBs; Application example: Safety Functions (Page 113) |
Creating the additional safety program | |
Creating the fail-safe run-time group: Create F-CALL; Assign F-FB/F-FC to F-CALL; Set maximum cycle time for the F-run-time group in accordance with requirements | S7 Distributed Safety, chapter "Defining F-run-time groups" |
Calling the safety program, e.g. OB 35 | S7 Distributed Safety, chapter "Defining F-run-time groups" |
Compiling the safety program | S7 Distributed Safety, chapter "Compiling the safety program" |
Checking the safety program | Online help for the F-FBs; FB161: Mobile Panel Status (F_FB_MP) (Page 63); FB162: Effective range for 4 Mobile Panel (F_FB_RNG_4) / FB 163 Effective range for 16 Mobile Panel (F_FB_RNG_16) (Page 67) |
Loading the safety program in the F-CPU | |
Testing and acceptance testing of the safety program | S7 Distributed Safety, chapter "Safety program acceptance test" |
4.4.2 Using F-FBs
Required F FBs
You must integrate the following fail-safe blocks in your safety program:
● For each HMI device: An F_FB_MP
The assigned HMI device is monitored by this F FB.
● For each effective range: An F_FB_RNG_4 or alternatively an F_FB_RNG_16
The assigned effective range is managed by this F FB. The number of HMI devices that should get permission to log onto the effective range determines the F FB that is called, F_FB_RNG_4 or F_FB_RNG_16:
– F_FB_RNG_4: For a maximum of 4 HMI devices
– F_FB_RNG_16: For a maximum of 16 HMI devices
● An F_DB_STATES with a WORD data type or a comparable address area in an available F DB
Using this F DB, data is exchanged between the F_FB_MP of the HMI device and F_FB_RNG_n of the effective range.
● FB 215: F_ESTOP1
With this block, you can ensure that the operator must first provide confirmation after an emergency stop before the plant can be restarted. You can find this block in the Distributed Safety F library in the F Application Blocks block container.
● FC 176: F_BO_W and FC 177: F_W_BO
Insert the FC 176: F_BO_W and FC 177: F_W_BO blocks into your safety program since these blocks are used as calls. You can find these blocks in the Distributed Safety F library in the F Application Blocks block container.
WARNING
Defective fail-safe application blocks
Do not change the numbers of F application blocks!
Ensure the following matches when changing the names of F application blocks:
● The symbolic name in the symbol table
● The name in the object properties of the block (header)
Rules for the safety program
WARNING
Emergency stop button not evaluated
The emergency stop button can only be evaluated if you call an F_FB_RNG_n in your safety program.
Always call an F_FB_RNG_n in your safety program, even if you do not use effective ranges in your plant.
WARNING
Prohibited restart of the plant
Once the emergency stop button has been triggered, the plant can only be restarted for operation after the operator provides acknowledgment.
Use the FB 215 F_ESTOP1 in your safety program to ensure acknowledgment by the operator.
WARNING
Emergency stop button evaluation delayed
If the cycle time for OB 35 is set too high, message frames may be lost and the evaluation of the "E-STOP" of F_FB_RNG_n may be delayed.
Set the cycle time for OB 35 lower than that for the PROFINET IO time.
CAUTION
Safety states not evaluated
The safety states, such as a global rampdown, can only be evaluated if you call an F_FB_RNG_n in your safety program.
Always call an F_FB_RNG_n in your safety program, even if you do not use effective ranges in your plant.
WARNING
Emergency stop button enabled
If a global rampdown has been triggered by a communication error, the emergency stop will no longer be available on the Mobile Panel in question.
You have the option of configuring the "Global rampdown" signal to trigger an emergency stop.
The F FBs used are called cyclically and in a specific order in the safety program. You need to call the F FBs in the following order in your safety program:
1. All F_FB_MP
2. All F_FB_RNG_n
The operator must always acknowledge errors, such as communication errors. Therefore, you cannot use any automatic acknowledgment in your safety program.
WARNING
Unwanted restart of the plant after acknowledgment of a communication error
The plant cannot be automatically restarted after a communication error on the HMI device is acknowledged.
Therefore, ensure that your safety program requires an additional user action before the plant can be restarted.
Interconnection of the F FBs
The blocks are interconnected with one another and with the process image of the Mobile Panel 277F IWLAN.
For every Mobile Panel 277F IWLAN, there is a memory area in the PLC that is jointly accessed by the HMI device and the PLC, the so-called process image. The signal states of the HMI device's inputs are sent to the PLC at the start of the cyclic control program through the process image of the inputs, PII. The process image of the outputs, PIQ, is sent to the HMI device as the signal state at the end of the cyclic program.
The following figure is a schematic representation of the interconnection of F FBs to one another and to the PII and PIQ.
WARNING
You cannot directly evaluate the PII and PIQ in your program.
[Figure: schematic interconnection of F_FB_MP, F_FB_RNG_n and F_DB_STATES with the PII and PIQ of the HMI device]
Example application
Read Application example: Safety Functions (Page 113) if you use F_FB_RNG_n. You can find another detailed example application on the Internet under "http://support.automation.siemens.com", contribution number 25702331.
F I/O DB
An F I/O DB is automatically generated in HW Config for every F I/O.
WARNING
Emergency stop button not evaluated
Keep the default setting for the output PASS_ON = 0 in the F I/O DB of the HMI device, otherwise the emergency stop will not be evaluated.
The access to the F I/O and working with the F I/O DB is described in detail in the manual "SIMATIC S7 Distributed Safety Configuration and Programming", "F I/O Access" section.
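The block rules of this section (required blocks, unchanged block numbers, one F_FB_MP per HMI device, an F_FB_RNG_n sized for the effective range, the call order and PASS_ON = 0) can be checked mechanically during a review. The following Python check is an added example, not Siemens code; the layout of the program description, the finding names and the sample programs are assumptions.

```python
"""Check a safety-program description against the F FB rules (added example)."""

# Block numbers as listed in the manual; they must not be changed.
BLOCK_NUMBERS = {
    "F_FB_MP": "FB 161", "F_FB_RNG_4": "FB 162", "F_FB_RNG_16": "FB 163",
    "F_BO_W": "FC 176", "F_W_BO": "FC 177", "F_ESTOP1": "FB 215",
}
RNG_CAPACITY = {"F_FB_RNG_4": 4, "F_FB_RNG_16": 16}


def audit_safety_program(prog):
    """Return a sorted list of (rule, subject) findings.

    prog is a hypothetical description with these keys:
      blocks      -- {block name: number} of the blocks present in the program
      calls       -- ordered [(block name, HMI device or effective range)]
      hmi_devices -- names of the configured HMI devices
      ranges      -- {effective range: number of HMI devices allowed to log on}
      pass_on     -- {HMI device: PASS_ON value in its F I/O DB}
    """
    findings = set()
    blocks, calls = prog["blocks"], prog["calls"]

    for name, number in blocks.items():
        if name in BLOCK_NUMBERS and number != BLOCK_NUMBERS[name]:
            findings.add(("block number changed", name))
    for name in ("F_BO_W", "F_W_BO"):  # called internally by the F FBs
        if name not in blocks:
            findings.add(("block missing", name))
    if not any(block == "F_ESTOP1" for block, _ in calls):
        findings.add(("F_ESTOP1 not called", "safety program"))

    # Exactly one F_FB_MP per HMI device.
    mp_targets = [target for block, target in calls if block == "F_FB_MP"]
    for hmi in prog["hmi_devices"]:
        if mp_targets.count(hmi) != 1:
            findings.add(("needs exactly one F_FB_MP", hmi))

    # An F_FB_RNG_n is always required, and it must be large enough.
    rng_calls = [(block, target) for block, target in calls if block in RNG_CAPACITY]
    if not rng_calls:
        findings.add(("no F_FB_RNG_n called", "safety program"))
    called_ranges = {target for _, target in rng_calls}
    for rng in prog["ranges"]:
        if rng not in called_ranges:
            findings.add(("no F_FB_RNG_n for range", rng))
    for block, rng in rng_calls:
        if prog["ranges"].get(rng, 0) > RNG_CAPACITY[block]:
            findings.add(("too many HMI devices for " + block, rng))

    # Call order: all F_FB_MP first, then all F_FB_RNG_n.
    last_mp = max((i for i, (b, _) in enumerate(calls) if b == "F_FB_MP"), default=-1)
    first_rng = min((i for i, (b, _) in enumerate(calls) if b in RNG_CAPACITY),
                    default=len(calls))
    if first_rng < last_mp:
        findings.add(("F_FB_MP called after F_FB_RNG_n", calls[last_mp][1]))

    for hmi in prog["hmi_devices"]:
        if prog["pass_on"].get(hmi, 0) != 0:
            findings.add(("PASS_ON is not 0", hmi))
    return sorted(findings)


# Constructed sample descriptions.
GOOD = {
    "blocks": dict(BLOCK_NUMBERS),
    "calls": [("F_FB_MP", "panel_1"), ("F_FB_MP", "panel_2"),
              ("F_FB_RNG_4", "range_1"), ("F_ESTOP1", "range_1")],
    "hmi_devices": ["panel_1", "panel_2"],
    "ranges": {"range_1": 2},
    "pass_on": {"panel_1": 0, "panel_2": 0},
}
BAD = {
    "blocks": {"F_FB_MP": "FB 161", "F_FB_RNG_4": "FB 162",
               "F_W_BO": "FC 177", "F_ESTOP1": "FB 215"},  # F_BO_W is missing
    "calls": [("F_FB_MP", "panel_1"), ("F_FB_RNG_4", "range_1"),
              ("F_FB_MP", "panel_2"), ("F_ESTOP1", "range_1")],
    "hmi_devices": ["panel_1", "panel_2", "panel_3"],
    "ranges": {"range_1": 6},
    "pass_on": {"panel_1": 0, "panel_2": 1},
}

if __name__ == "__main__":
    for rule, subject in audit_safety_program(BAD):
        print(f"{subject}: {rule}")
```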
4.4.3 FB161: Mobile Panel Status (F_FB_MP)
Structure
[Figure: F_FB_MP block with its inputs and outputs]
Inputs
Parameters | Data type | Description | Interconnection
QBAD | Bool | QBAD indicates if the F-I/O has been passivated. | F-I/O DB: DBx2.1 = QBAD
ACK_REQ | Bool | Acknowledgement required. After a communication error, the fail-safe system sets QBAD = 1 and ACK_REQ = 0. ACK_REQ = 1 indicates that the PROFIsafe message frames are being exchanged again. | F-I/O DB: DBx2.2 = ACK_REQ
S7_MP_RES | Bool | This input is set so that the F-CPU resets the status of F_FB_MP to its "original state", i.e.: The HMI device has the status "removed". If a rampdown or shutdown was set, it is reset. If the HMI device was logged on to an effective range, it is enabled again. The input is only evaluated if QBAD = 1. Setting the input S7_MP_RES is necessary if the HMI device cannot return itself to a defined state, for example when a system error occurs or the battery is dead. | Must be specifically interconnected for plant. The safety program must ensure that after S7_MP_RES is set, automatic restart of the plant is not possible. The operator must strictly ensure that he executes a separate operator action to commence the restart.
S7_ACK_ERR | Bool | Communication errors may not be acknowledged automatically. This input is set to have the F-CPU acknowledge a communication error during ongoing PROFIsafe communication. F_FB_MP only reacts to a rising edge. | Must be specifically interconnected for plant.
MP_DATA | Word | User data of the fail-safe process image's inputs | PII: Word 1 = MP_DATA
MP_RNG | Word | ID of the effective range in which the HMI is included. | PII: Word 2 = MP_RNG
MP_STAT | Word | Data are exchanged through F_DB_STATES to F_FB_RNG_n via this input/output. | F_DB_STATES
Outputs
Parameter | Data type | Description | Interconnection
ACK_REI | Bool | Acknowledgement for reintegration. The automatic reintegration is regulated via the F-I/O DB through this output. | F-I/O DB: DBx0.2 = ACK_REI
MP_DATA_Q | Word | User data of the fail-safe process image's inputs | PIO: Word 1 = MP_DATA
MP_RNG_Q | Word | The effective range ID is transmitted to the HMI device through this output. | PIO: Word 2 = MP_RNG
DIAG | Word | Information about any occurring errors is provided through this output for servicing purposes. Bit 0: HMI removed; Bit 1: HMI integrated; Bit 2: Communication error on the HMI device; Bit 3: Communication error must be acknowledged; Bits 4 to 15: Reserved | You can evaluate the DIAG output in your program.
Enable inputs EN and ENO
When you call a fail-safe block, the enable input EN and enable output ENO automatically appear.
Note the following:
● Do not connect these I/Os
● Do not supply these I/Os with "0"
● Do not evaluate these I/Os
Validity
This description applies to version 1.0 of F_FB_MP.
Note
Insert the FC 176: F_BO_W and FC 177: F_W_BO blocks into your safety program because they are called by F_FB_MP. You can find these blocks in the Distributed Safety F-Library in the F-Application Blocks block container.
Wiring
You have to wire the inputs and outputs of the F-FB manually. They are not automatically wired.
Purpose
The assigned Mobile Panel 277F IWLAN HMI device is monitored by F_FB_MP. You need to use a separate F_FB_MP for each Mobile Panel 277F IWLAN.
F_FB_MP performs the following tasks:
● The block integrates the HMI device in the safety program of the F-CPU after startup.
● The block removes the HMI device from the safety program after a communication error. As soon as the communication error has been corrected and the operator has acknowledged this, the block integrates the HMI device back into the safety program.
● The block passes the states of the HMI device through F_DB_STATES to F_FB_RNG_n. The following HMI device states are possible:
– "Integrated"
– "Removed"
– "Communication error"
– "Acknowledgement required"
QBAD monitors the output of the F-I/O for integrating and removing the HMI device.
● QBAD = 0: PROFIsafe communication is taking place between the HMI device and the F-CPU.
● QBAD = 1: No PROFIsafe communication is taking place between the HMI device and the F-CPU.
WARNING
Inadmissible automatic restart of the plant
The safety program must ensure that after S7_MP_RES is set, automatic restart of the plant is not possible. The operator must strictly ensure that he executes a separate operator action to commence the restart.
Addresses of PII and PIQ
You can find the start addresses of PII and PIQ in the PROFIsafe settings of the HMI device in HW Config.
4.4.4 FB162: Effective range for 4 Mobile Panel (F_FB_RNG_4) / FB 163 Effective range for 16 Mobile Panel (F_FB_RNG_16)
Structure
[Figure: F_FB_RNG_n block with its inputs and outputs]
MPn is used as follows:
● With F_FB_RNG_4 for HMI device 1 to HMI device 4
● With F_FB_RNG_16 for HMI device 1 to HMI device 16
Inputs
Parameters | Data type | Description | Interconnection
RNG_ID | Integer | Click on this input and enter the ID of the effective range to be monitored by F_FB_RNG_n. The RNG_ID must be unique throughout the plant and is set in WinCC flexible. | ---
OVERRIDE | Bool | 0 = "Override" mode inactive, 1 = "Override" mode active | Result of the link between the override switch and the protection mechanism
MPn_DATA* | Word | User data of the inputs of the fail-safe process image. | PII: Word 1 = MP_DATA
MPn_RNG* | Word | ID of the effective range in which the HMI device is located. | PII: Word 2 = MP_RNG
MPn_F_KEY* | Word | Reserved |
MPn_STAT* | Word | Data is exchanged with F_FB_MP through this input/output via F_DB_STATES. | F_DB_STATES
*MPn is used as follows:
With F_FB_RNG_4 for HMI device 1 to HMI device 4
With F_FB_RNG_16 for HMI device 1 to HMI device 16
Outputs
Parameters | Data type | Description | Interconnection
E_STOP | Bool | Emergency stop. Evaluation of the emergency stop button of all HMI devices connected to F_FB_RNG_n. 0 = at least one emergency stop pressed, 1 = no emergency stop pressed | You can detect if an emergency stop is pressed with this output.
GLOB_RD | Bool | Global rampdown | You can detect if a global rampdown has been triggered with this output.
LOC_RD | Bool | Local rampdown | You can detect if a local rampdown has been triggered with this output.
SHUTDOWN | Bool | Shutdown | You can detect if a shutdown has been triggered with this output.
ENABLE | Bool | This output passes the state of the enabling button for the HMI device logged on in the effective range. 0 = enabling button not pressed, 1 = enabling button pressed | You can detect if the enabling button has been pressed with this output.
F-KEYS | Word | Reserved |
RNG_BUSY | Bool | This output passes the state of the effective range. 0 = effective range free, 1 = effective range in use | You can detect if the effective range is free or in use with this output. You use this output, for example, to control a light that indicates the allocation of the effective range in the plant.
DIAG | Word | This output indicates which of the HMI devices with permission to log on in the effective range are actually logged on. Bit 0: 1st panel logged on; Bit 1: 2nd panel logged on; Bit 2: 3rd panel logged on; Bit 3: 4th panel logged on. With F_FB_RNG_16: Bit 4: 5th panel logged on; ...; Bit 14: 15th panel logged on; Bit 15: 16th panel logged on | You can evaluate the DIAG output in your user program.
Enable inputs EN and ENO
When you call a fail-safe block, the enable input EN and enable output ENO appear automatically.
Please observe the following:
● Do not connect these I/Os.
● Do not set "0" for these I/Os.
● Do not evaluate these I/Os.
Validity
This description applies to the following F FB:
● F_FB_RNG_4, version 1.0
● F_FB_RNG_16, version 1.0
When the term "F_FB_RNG_n" is used, the information applies to both F FBs.
Note
Insert the FC 176: F_BO_W and FC 177: F_W_BO blocks into your safety program since these blocks are called by F_FB_RNG_n. You can find these blocks in the Distributed Safety F library in the F Application Blocks block container.
Wiring
You have to wire the inputs and outputs of the F FB manually. No automatic wiring is performed.
Usage
WARNING
Emergency stop button not evaluated
The emergency stop button can only be evaluated if you call an F_FB_RNG_n in your safety program.
Always call an F_FB_RNG_n in your safety program, even if you do not use effective ranges in your plant.
The assigned effective range is managed by this F FB.
You need to call one of the following F FBs for every effective range when using the Mobile Panel 277F IWLAN:
● F_FB_RNG_4 "Effective range for 4 Mobile Panels"
● F_FB_RNG_16 "Effective range for 16 Mobile Panels"
The FB you need to call depends on how many HMI devices are used in the effective range:
● If you configure a logon for up to 4 HMI devices in this effective range, use F_FB_RNG_4.
● If you configure a logon for up to 16 HMI devices in this effective range, use F_FB_RNG_16.
How it works
The F FB performs the following depending on the state of the HMI devices assigned to the effective range:
● Connect the outputs of F_FB_RNG_n
● Prepare the output user data
Each HMI device can take one of the following states in the effective range:
● Removed without communication error
The HMI device is successfully removed from the safety program of the F CPU. This ends PROFIsafe communication. The HMI device has no influence on the outputs of F_FB_RNG_n.
● Integrated without communication error
The actual operating state of the HMI device in the effective range. F_FB_RNG_n reacts as follows:
– The HMI device is supplied with user data, such as the effective range ID and the status of the HMI device in the effective range, if it is located in the effective range.
– If no other HMI device is logged on in the effective range, the operator can log on the HMI device in the effective range.
– The outputs of F_FB_RNG_n are set according to the state of the enabling button of the logged on HMI device. The setting for E-STOP output depends on whether or not the HMI device is logged on in the effective range.
– The RNG_BUSY output of F_FB_RNG_n is set to "1" if the HMI device is logged on in the effective range.
– The operator can activate the "Override" mode if needed.
– If the operator wants to exit the effective range, he can log the HMI device off from the effective range.
● Removed with communication error
PROFIsafe communication with the HMI device was interrupted without explanation. The following outputs are set in F_FB_RNG_n:
– GLOB_RD, if the HMI device was not logged on in the effective range.
– SHUTDOWN, if the HMI device was logged on in the effective range.
The corresponding signal is reset following acknowledgment of the communication error or when the MP status reset is set. The allocated effective range is enabled again by F_FB_RNG_n for logging on of an HMI device.
● Integrated with communication error
PROFIsafe communication with the HMI device is resumed after a brief interruption, enabling user data to be exchanged again between the HMI device and F CPU. As long as the communication error is not acknowledged, F_FB_RNG_n reacts as follows:
– The HMI device is supplied with user data (effective range ID, status of the HMI device in the effective range), if it is located in the effective range.
– If the emergency stop of the HMI device is pressed, the E_STOP output of F_FB_RNG_n is set to "0".
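The four HMI device states and their effect on the outputs can be followed in a small model. The Python code below is an added example and a simplification, not the Siemens block: True for GLOB_RD and SHUTDOWN means "triggered" (the signal level is not specified above), E_STOP follows the outputs table for every integrated panel, and keeping RNG_BUSY, DIAG and the rampdown/shutdown signal set for an unacknowledged communication error is an assumption derived from the reset condition above.

```python
"""Simplified model of how F_FB_RNG_n derives its outputs (added example)."""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    REMOVED = "removed without communication error"
    INTEGRATED = "integrated without communication error"
    REMOVED_COMM_ERROR = "removed with communication error"
    INTEGRATED_COMM_ERROR = "integrated with communication error"


@dataclass
class Panel:
    state: State
    logged_on: bool = False        # logged on in this effective range
    estop_pressed: bool = False
    enabling_pressed: bool = False


def range_outputs(panels):
    """Return the modelled outputs for the panels of one effective range."""
    if len(panels) > 16:
        raise ValueError("F_FB_RNG_16 handles at most 16 HMI devices")
    out = {"E_STOP": True, "GLOB_RD": False, "SHUTDOWN": False,
           "ENABLE": False, "RNG_BUSY": False, "DIAG": 0}
    for index, panel in enumerate(panels):
        if panel.state is State.REMOVED:
            continue  # a properly removed panel has no influence on the outputs
        comm_error = panel.state in (State.REMOVED_COMM_ERROR,
                                     State.INTEGRATED_COMM_ERROR)
        if comm_error:
            # Assumption: stays set until the error is acknowledged or the
            # MP status is reset, even if communication has already resumed.
            out["SHUTDOWN" if panel.logged_on else "GLOB_RD"] = True
        # Without PROFIsafe communication the emergency stop cannot be read.
        if panel.state is not State.REMOVED_COMM_ERROR and panel.estop_pressed:
            out["E_STOP"] = False  # 0 = at least one emergency stop pressed
        if panel.logged_on:
            out["RNG_BUSY"] = True
            out["DIAG"] |= 1 << index  # bit 0 = 1st panel logged on
            if not comm_error:
                out["ENABLE"] = panel.enabling_pressed
    return out


if __name__ == "__main__":
    # Constructed scenario: panel 1 is logged on, panel 2 loses communication.
    scenario = [
        Panel(State.INTEGRATED, logged_on=True, enabling_pressed=True),
        Panel(State.REMOVED_COMM_ERROR, estop_pressed=True),
    ]
    print(range_outputs(scenario))
```

In the constructed scenario the emergency stop of the panel that lost communication is not seen by the model; only the global rampdown reports the fault.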
Override in the safety program
The override switch should only be active as long as the protective mechanism is active. Connect the following in the safety program to ensure this reaction:
● The switch position of the override switch with the evaluation signals of the protective device
● The result of the first link with the OVERRIDE input of F_FB_RNG_n
Addresses of PII and PIQ
You can find the start address of the PII and PIQ in HW Config in the PROFIsafe settings for the HMI device.
4.5 WinCC flexible
4.5.1 Configuration overview
For fail-safe operation of the HMI you must configure the following areas of WinCC flexible ES:
● Settings of the HMI device
Set the PROFIsafe address of the HMI device in the project view under "Device settings" > "Device settings".
● Effective ranges editor
Configure the effective ranges defined when the plant was planned in the project view under "Device settings" > "Effective ranges".
● Figures
Configure the following in the project view under "Images":
– Display of the project ID
You must assign a unique project ID for each project. The project ID is used to check which project is currently on the HMI. You must update the project ID each time the project is changed, e.g. by listing a version or date. Configure the display of the project ID at a point of the project that can be displayed at any time in the current project, e.g. start screen or in a service display.
– Objects that are specially designed for fail-safe operation of the HMI device
Additional information on configuration with WinCC flexible
Only a brief overview is provided below. A detailed description of the configuration is provided in the WinCC flexible Information System.
4.5.2 Effective ranges editor
Work area
In WinCC flexible ES, open the "Effective Ranges" work area in the project window under "Device Settings" by double-clicking on "Effective Ranges".
The work area provides a tabular view of the effective ranges and their transponders.
Configuring
The configuration consists of the following tasks:
1. You create the effective ranges by specifying the "Name", "Display name" and "ID".
The "Display name" and "ID" of an effective range cannot be identical.
2. You configure a transponder by specifying the "Name" and "ID" of the transponder.
3. You assign the transponders to the effective ranges.
4. You set the "Limit" for each effective range.
The "Limit" parameter determines the maximum distance between the HMI device and the individual transponders of an effective range. The "Limit" parameter applies to all transponders of the effective range. If the HMI device is located farther from the transponders than the "Limit", it is outside the effective range.
Commissioning
When commissioning the plant, you need to enter the checksum determined during the verification of the effective ranges in the "Checksum" box in this editor.
4.5.3 Objects for the Mobile Panel 277F IWLAN
Introduction
WinCC flexible ES offers you a variety of objects especially designed for configuring the Mobile Panel 277F IWLAN.
These objects offer the operator the latest information about the effective range and batteries during runtime.
Effective range name
The "Effective range name" object shows the name and logon status of the effective range in which the HMI device is currently located.
Display during runtime: Description
● The HMI device is within the effective range shown. The HMI device is not logged on in the effective range. It is possible to log onto the effective range.
● The HMI device is within the effective range shown and is logged on in the effective range. Safe operation in the effective range is possible using the enabling buttons.
● The HMI device is within the effective range shown. Logon to the effective range is rejected because a different HMI device is already logged on. Note: When using the "Override" mode: Although no other HMI device is still logged on in the effective range, logon is rejected because the override switch is still set.
● The HMI device is outside all of the effective ranges.
Effective range quality
The "Effective range quality" object shows how close the HMI device is to the limits of an effective range.
Display during runtime Description
The HMI device is in the middle of the effective range.
The HMI device is located at the limits of the effective range.
The HMI device is located outside the effective range.
"Override" mode is active. The distance of the HMI device to the transponders is not evaluated.
Battery
The "Battery" object indicates the charging status of the HMI device's main battery.
CAUTION
The battery must always be sufficiently charged. If the battery becomes empty, a communication error occurs. The F CPU initiates one of the following measures:
● If the HMI device is logged on at the effective range: a shutdown.
● If the HMI device is not logged on at the effective range: a global rampdown.
Color | Meaning | Charging status
Green | The battery is sufficiently charged. | >20%
Yellow | The battery is weak. The battery must be charged. Alternatively, insert a charged spare battery. | 10% to 20%
Red | Battery is very weak. The battery must be charged. Alternatively, insert a charged spare battery. | <10%
Additional information
You can find a detailed description of the object configuration in the WinCC flexible Information System.
System commissioning
5.1 Acceptance of the system
Introduction
All of the relevant application-specific standards and the procedure described in this chapter must be observed in the course of final acceptance of the plant.
Note
Important information about the final acceptance of a plant with fail-safe systems
This document only provides detailed information about the additional acceptance procedures required for operation of the Mobile Panel 277F IWLAN HMI device. In the course of final inspection of the plant, you must strictly observe the detailed description of basic measures to be taken provided in the "S7 Distributed Safety, Configuring and Programming" manual, chapter "Final inspection of the plant."
Requirement
● The hardware configuration was created in HW Config.
● The safety program was created and generated.
● A backup of the STEP 7 project was created.
Basic procedure
The acceptance of the plant includes the following areas:
● Configuring the F CPU and fail-safe I/O
● Safety program
● Effective ranges and transponders
Acceptance of the configuration for the F CPU and fail-safe I/O
● Print and archive the hardware configuration data.
● Check the following parameters in the hardware configuration data:
– Parameters of the F-CPU
– Safety-relevant parameters of the fail-safe I/O: Unique PROFIsafe addresses, additional PROFIsafe parameters
● Back up the hardware configuration data along with your STEP 7 project.
A detailed description is provided in the "S7 Distributed Safety, Configuring and Programming" Manual, chapter "Acceptance of the configuration for the F-CPU and fail-safe I/O."
Acceptance of the safety program
● Print and archive the safety program.
● Check the printed copy of the safety program for existence of the criteria specified in the "S7 Distributed Safety, Configuring and Programming" manual, chapter "Acceptance of a safety program."
● Download the entire safety program to the F-CPU.
● Test all functions of the safety program.
A detailed description is provided in the "S7 Distributed Safety, Configuring and Programming" manual, chapter "Acceptance of the configuration for the F-CPU and fail-safe I/O."
Acceptance of the effective ranges and transponders
● For acceptance of the effective ranges and transponders you must determine a CRC checksum in the plant and enter it in the project. After subsequent project transfer to the HMI device you can operate the plant with the HMI device.
● Generate a printed copy of the project with output format "Complete."
● Archive the project.
A detailed description about the printing and archiving of projects is provided in the WinCC Online Help.
Note
If you change transponders in the plant you must execute another acceptance of the plant.
See also
Accepting effective ranges and transponders (Page 79)
5.2 Accepting effective ranges and transponders
Introduction
The operational safety of the plant for the most part depends on a good safety plan and a careful realization of the safety functions.
For safe operation, the project of the HMI device must precisely match the plant. For this reason when first starting a project in the plant, you must verify all effective ranges with all transponders. The result of the verification is a CRC checksum that you must enter in the project. Then you must transfer the project to the HMI device again.
Note
Transponders that are exclusively assigned to one zone are not considered in this verification.
Acceptance if there are changes
If you change the configuration of transponders and effective ranges in the system, you need to adapt the configuration. Then you must accept the effective ranges and transponders again.
Requirement
● In the project:
– Effective ranges and transponders must be configured in the project.
– The project has been transferred to the HMI device.
● In the plant:
– The transponders must be mounted in the plant in such a manner that the effective ranges stored in the project are formed.
– Batteries must be inserted in the transponders. The ID must be set on the transponders that is stored in the project for these transponders.
– The IDs of the effective ranges must be marked in the plant.
– The quality of the WLAN range must be sufficient.
– An indicator is installed.
WARNING
An indicator in the effective range is an absolute necessity
An indicator supplies the operator with the feedback that he has logged onto the correct effective range. Install an indicator in every situation, for example a light that shows that an HMI device is logged on in the effective range.
Procedure
Proceed as follows:
1. Switch on the HMI device. The Windows CE desktop with Loader is displayed.
2. If the project does not start automatically, start the project. The "Transponder test" dialog box opens. To the left you will see the list with the names of all configured effective ranges.
3. In the "Effective ranges" list highlight the first effective range that you want to verify. The "Transponder" list on the right shows the IDs of the transponders that are assigned to the effective range in the project.
4. Go to the transponder that you want to verify in the "Transponder" list.
5. In the system, read the ID of the highlighted effective range and enter this ID in the "Effective range" box.
6. Enter the ID of the transponder where you are located in the "Transponder" box.
7. Verify the entered ID with the "Test" button. When the HMI device receives the signal of the corresponding transponder, that transponder is considered verified. The transponder will be marked with a check mark in the list.
8. Repeat steps 4 to 7 for all transponders of this effective range. If you have successfully checked all transponders of an effective range, that effective range will be indicated with a check mark in the list.
9. Select the next effective range in the list.
10. Repeat steps 4 to 7 for all transponders assigned to this effective range.
11. Verify all additional effective ranges in the list to the left.
12. When you have successfully verified all effective ranges, touch the "Calculate" button.
The HMI device calculates the CRC checksum. The CRC checksum is displayed in the "CRC" box.
13. Open the project in WinCC flexible ES.
14. Enter the checksum in the "Effective ranges" editor.
15. Transfer the project to the HMI device again.
Result
The project can now be used for operating and monitoring the plant.
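The acceptance procedure above ties the project to the plant through a checksum over the verified effective ranges and transponders. The following model is an added illustration, not code from this manual or from Siemens: the manual does not state the CRC algorithm or the data it covers, so the CRC-32 from Python's zlib, the record layout, the device-side comparison and all names are assumptions.

```python
import zlib


def config_checksum(ranges):
    """CRC over a canonical encoding of {effective_range_id: transponder_ids}.

    Sorting makes the value independent of the order in which ranges and
    transponders were verified. CRC-32 and the 2-byte ID encoding are assumed.
    """
    crc = 0
    for range_id in sorted(ranges):
        for transponder_id in sorted(ranges[range_id]):
            record = range_id.to_bytes(2, "big") + transponder_id.to_bytes(2, "big")
            crc = zlib.crc32(record, crc)
    return crc


class TransponderTest:
    """Model of the "Transponder test" dialog: verify every pair, then calculate."""

    def __init__(self, project_ranges):
        self.project = {r: frozenset(t) for r, t in project_ranges.items()}
        self.verified = {r: set() for r in self.project}

    def test(self, entered_range_id, entered_transponder_id, received_ids):
        """The "Test" button. True only if the IDs read in the plant match the
        project and the HMI device receives that transponder's signal."""
        expected = self.project.get(entered_range_id)
        if expected is None or entered_transponder_id not in expected:
            return False  # ID marked in the plant is not what the project says
        if entered_transponder_id not in received_ids:
            return False  # no signal: not mounted here, wrong ID set, no battery
        self.verified[entered_range_id].add(entered_transponder_id)
        return True

    def range_verified(self, range_id):
        """True once every transponder of the range has its check mark."""
        return self.verified[range_id] == self.project[range_id]

    def calculate(self):
        """The "Calculate" button: refuses until every range is checked off."""
        pending = sorted(r for r in self.project if not self.range_verified(r))
        if pending:
            raise RuntimeError(f"effective ranges not yet verified: {pending}")
        return config_checksum(self.project)


def project_accepted(project_ranges, entered_crc):
    """Assumed check after transfer: the checksum entered in the project must
    match the effective ranges and transponders the project actually contains."""
    return entered_crc == config_checksum(project_ranges)


if __name__ == "__main__":
    project = {1: {11, 12}, 2: {21}}  # constructed sample configuration
    session = TransponderTest(project)
    for range_id, transponder_id in [(1, 11), (1, 12), (2, 21)]:
        # received_ids: what the HMI device hears at the operator's position
        print(range_id, transponder_id, session.test(range_id, transponder_id, {transponder_id}))
    crc = session.calculate()
    print(f"CRC to enter in the project: {crc:08X}")
    # Replacing transponder 12 by 13 invalidates the accepted checksum.
    print(project_accepted({1: {11, 13}, 2: {21}}, crc))
```

In this model a changed transponder ID yields a different checksum, which is why the manual requires a new acceptance after any change to transponders or effective ranges.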
Testing the effective ranges in the plant
After successful verification of the transponders and effective ranges you must test in the plant whether the expansion of the configured effective ranges corresponds to the planning.
In particular, check the following cases:
● Do the limits of the effective range run as planned? Pay special attention that no machine operations are permitted from excessive distances or areas that cannot be seen.
● Does the indicator that belongs to the effective range show whether an HMI device is logged on at the effective range?
● Are moving machine parts influencing the reception of the transponders? Check also the extreme positions of moving machine parts.
● Is WLAN coverage ensured everywhere in the effective range?
Operation
6.1 Organizational measures
The HMI device should only be operated in the system with a battery or in the charging station.
To ensure fail-safe operation of the HMI device the organizational measures described below must be complied with.
Storing the HMI device
WARNING
Non-functional emergency stop button
If the HMI device is not integrated, the emergency stop button does not function. To avoid confusion between effective and non-effective emergency stop buttons, only one integrated HMI device should be freely accessible.
If the HMI device is not in use, it must be stored in a locked area.
Handling the HMI device during operation
CAUTION
Shutdown or rampdown of the system due to empty battery
An integrated HMI device with flat battery triggers a communication error. This results in the following reaction of the F CPU:
● If the HMI device is logged on at the effective range: Shutdown
● If the HMI device is not logged on at the effective range: Global rampdown
Check the charge status of the battery of the ready-for-operation device via the "BAT" LED.
Recharge the HMI device in good time. To charge the batteries, the ambient temperature / battery temperature must not exceed 40 °C. The higher the temperature, the longer it will take for the battery to charge. Find a place with a cool ambient temperature for the charging station. If necessary, allow the battery to cool first. You can check the battery temperature in the "OP" dialog box, "Battery" tab in the Control Panel.
Alternatively, change the main battery.
The following must be noted when working with the Mobile Panel 277F IWLAN:
● Pay attention to the "SAFE" LED. If the HMI device is integrated in fail-safe communication, the "SAFE" LED lights up and the emergency stop button is active.
● Pay attention to the "COM" LED. If you leave the area with sufficient WLAN coverage, the "COM" LED will flash. Communication between the HMI device and PLC is down. You can no longer operate the system with the HMI device.
● Check the "RNG" LED when the HMI device is logged onto the effective range. The "RNG" LED indicates when the HMI device is logged onto the effective range. Logging onto the effective range is required for the enabling button to be active.
CAUTION
Unauthorized operation possible
It is not permitted to leave the effective range without an HMI device while the HMI device is logged on to the effective range.
6.2 Typical applications
6.2.1 Overview
Introduction
Typical applications for the HMI device are described in this chapter. The assumption for all application cases is that the HMI device will be used in mobile operation with batteries.
Structure of the application cases
All application cases are described in the same form:
● Description and identification of the initial situation
● Action of the operator and of the plant
● Result of the action and identification of the new situation
Graphic representations
In the application cases the following is presented graphically.
● LED status
● Operability of the emergency stop button and of the enabling buttons
Thus you can detect the action described in the application case at a glance. The figures used have the following meaning:
Example of an LED display
Figure Meaning
[LED display: SAFE PWR COM RNG BAT] Status of the LEDs that are displayed on the HMI device during the situation described in the application case. In this example all LEDs are on.
Emergency stop button
Figure Meaning
Pressing the emergency stop button triggers an emergency stop.
Pressing the emergency stop has no effect.
Enabling button
Figure Meaning
The operator can release movements of the assigned machine with the enabling buttons.
Pressing the enabling buttons has no effect.
6.2.2 Switch on the HMI device.
Starting situation
The HMI device is switched off. The battery must be charged.
[LED display: SAFE PWR COM RNG BAT]
Action
The operator switches the HMI device on via the ON/OFF button. Communication via WLAN starts up. While the WLAN connection is being established the "COM" LED flashes.
Result
WLAN communication is established. The HMI device displays the Windows CE Desktop with the Loader.
[LED display: SAFE PWR COM RNG BAT]
6.2.3 Integrating and segregating the HMI device
6.2.3.1 Integrating the HMI device (start project)
Initial situation
The HMI device is switched on. WLAN communication is established. The HMI device displays the Windows CE desktop with the loader.
[LED display: SAFE PWR COM RNG BAT]
Action
The project is started either automatically or by the operator using the loader, depending on the configuration.
PROFIsafe communication is established. While the connection is being established, the "Establishment of safety connection" dialog box is displayed. The HMI device is integrated in the safety program of the F CPU.
The "Test enabling switch" dialog box opens. The operator is requested to press both enabling buttons until the "Panic" switch position is reached.
The operator presses both enabling buttons until the "Panic" switch position is reached.
Result
Both enabling buttons were tested in the "Enable" and "Panic" switch positions. The project start screen appears.
[LED display: SAFE PWR COM RNG BAT]
If the operator now exits the WLAN area, the F-CPU detects a communication error and initiates a global rampdown. The "COM" LED on the HMI device flashes. The "Establishment of safety connection" dialog with the text "No safe connection available. Reason: Communication error (timeout)" is displayed.
6.2.3.2 Communication error for the integrated HMI device
Initial situation
The HMI device is integrated in the safety program of the F CPU. The HMI device is not logged on to an effective range.
[LED display: SAFE PWR COM RNG BAT]
Action
The operator takes the HMI device out of the WLAN range. The "COM" LED flashes.
The F CPU detects a communication error and initiates a global rampdown. The LEDs "SAFE" and "COM" are switched off. The user is informed that no safety functions are available.
Scenario 1: The operator returns to the WLAN range within 60 seconds.
Result scenario 1: return to the WLAN range
The "Acknowledgment of communication error" dialog box opens. In this dialog, the operator acknowledges the communication error. The global rampdown signal is canceled. PROFIsafe communication is possible again. The HMI device has recovered the fully functional state.
Scenario 2: The operator stays outside the WLAN range.
[LED display: SAFE PWR COM RNG BAT]
Result scenario 2: no return to the WLAN range
The "Confirm removal" dialog box is displayed on expiration of 60 seconds.
The project is closed immediately if you confirm the "Confirm removal" dialog within 60 seconds. The active project is closed automatically if you do not confirm the "Confirm removal" dialog within 60 seconds. The HMI device displays the Windows CE desktop with the loader.
Users can react to a fault on the HMI device by resetting the associated F_FB_MP to the "original state" using input "S7_MP_RES." This action sets the relevant HMI device to the "removed" state and the global rampdown signal is canceled.
[LED display: SAFE PWR COM RNG BAT]
The WLAN communication is set up again after the operator returns with the HMI device to the WLAN range. The operator must restart the project and acknowledge the communication error in the "Acknowledgment of communication error" dialog. The operator performs the enabling button test in the next step.
The global rampdown signal is canceled. The HMI device has recovered the fully functional state.
6.2.3.3 Discrepancy error during enabling
The enabling switch is connected to two channels. Both contacts must be closed in parallel to reach the enabled state. A discrepancy error is generated if one of the contacts is open while the other is closed. Distinguish between the following fault scenarios:
● The enabling switch is jammed
● The enabling switch is damaged
Enabling switch jammed
Initial situation
The HMI device is integrated in the safety program of the F CPU. The HMI device may or may not be logged on to an effective range.
The HMI device is integrated without being logged on to an effective range:
[LED display: SAFE PWR COM RNG BAT]
The HMI device is integrated and logged on to an effective range:
[LED display: SAFE PWR COM RNG BAT]
Action
The operator presses the enabling switch. Unintentional incorrect operation of the enabling switch. Instead of operating the switch in the center, the operator pressed it at the edge.
Result
The enabled state is deactivated immediately after discrepancy was detected. The "Enabling switch discrepancy error" dialog box opens on expiration of the discrepancy time (see Technical data for fail-safe operation (Page 109)).
The dialog stays open until this discrepancy is cleared. The enabling switch must be released completely and pressed again to recover the enabled state.
The HMI device has then recovered the fully functional state.
The HMI device is integrated without being logged on to an effective range:
[LED display: SAFE PWR COM RNG BAT]
The HMI device is integrated and logged on to an effective range:
[LED display: SAFE PWR COM RNG BAT]
The enabling switch is damaged
Initial situation
The HMI device is integrated and logged on to an effective range. The enabling switch is damaged and is not pressed. Distinguish between the two scenarios:
Scenario 1: One channel of the enabling switch is opened permanently.
Scenario 2: One channel of the enabling switch is closed permanently. Discrepancy is detected in this situation. The "Enabling switch discrepancy error" dialog is displayed.
[LED display: SAFE PWR COM RNG BAT]
Action
The operator presses the enabling switch.
Result scenario 1:
The enabled state is not activated. The "Enabling switch discrepancy error" dialog box opens on expiration of the discrepancy time. The dialog stays open until the button is released to clear the discrepancy. A discrepancy error is displayed again when the operator presses the enabling switch once again.
The device must be repaired. Return the HMI device for repair as described in the section Cleaning, repairs and spare parts (Page 106).
You can use the second, functional enabling switch to remove the HMI device.
Result scenario 2:
The "Enabling switch discrepancy error" dialog box is closed and the discrepancy is cleared. The enable signal remains in deactivated state. The "Enabling switch discrepancy error" dialog box opens again after the button was released and the discrepancy time has expired (see Technical data for fail-safe operation (Page 109)).
The device must be repaired. Return the HMI device for repair as described in the section Cleaning, repairs and spare parts (Page 106).
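The discrepancy behavior described in this section (jammed switch and both damaged-switch scenarios) can be followed in a small two-channel monitor. This is an added model, not code from the manual or the F CPU safety program; the 500 ms discrepancy time, the sampled traces and all names are constructed, and the assumption that a mismatch shorter than the discrepancy time does not require a full release is not stated in the manual.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class EnablingMonitor:
    """Two-channel evaluation of one enabling switch (simplified: no "Panic")."""
    discrepancy_time_ms: int            # real value: see the technical data; assumed here
    enabled: bool = False
    dialog_open: bool = False           # "Enabling switch discrepancy error" dialog
    _since_ms: Optional[int] = None     # start of the current channel mismatch
    _latched: bool = False              # error reported, full release required

    def sample(self, t_ms, ch1_closed, ch2_closed):
        if ch1_closed != ch2_closed:
            # One contact open, the other closed: safe value immediately.
            self.enabled = False
            if self._since_ms is None:
                self._since_ms = t_ms
            if t_ms - self._since_ms >= self.discrepancy_time_ms:
                self._latched = True
                self.dialog_open = True
        else:
            # Channels agree: the discrepancy is cleared and the dialog closes.
            self._since_ms = None
            self.dialog_open = False
            if not ch1_closed:
                # Both contacts open = switch released completely.
                self._latched = False
                self.enabled = False
            else:
                # Both closed: enable only if no error is waiting for a release.
                self.enabled = not self._latched
        return self.enabled


def run(trace, discrepancy_time_ms=500):
    """Feed (t_ms, ch1_closed, ch2_closed) samples; return (enabled, dialog_open) per sample."""
    monitor = EnablingMonitor(discrepancy_time_ms)
    states = []
    for t_ms, ch1, ch2 in trace:
        monitor.sample(t_ms, ch1, ch2)
        states.append((monitor.enabled, monitor.dialog_open))
    return states


# Constructed traces. T = contact closed, F = contact open.
T, F = True, False
NORMAL = [(0, F, F), (100, T, F), (200, T, T), (1000, T, T), (1100, F, F)]
# Jammed: pressed at the edge, second contact closes too late.
JAMMED = [(0, F, F), (100, T, F), (700, T, F), (800, T, T), (1000, F, F), (1200, T, T)]
# Damaged, scenario 1: channel 1 permanently open.
STUCK_OPEN = [(0, F, F), (100, F, T), (700, F, T), (800, F, F), (900, F, T), (1500, F, T)]
# Damaged, scenario 2: channel 1 permanently closed.
STUCK_CLOSED = [(0, T, F), (600, T, F), (700, T, T), (1000, T, F), (1600, T, F)]

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL), ("jammed", JAMMED),
                        ("stuck open", STUCK_OPEN), ("stuck closed", STUCK_CLOSED)]:
        print(name, run(trace))
```

With a permanently closed channel the monitor never sees a complete release, so the enable signal stays deactivated even while both contacts read closed, which matches result scenario 2.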
6.2.3.4 Segregate
Removal means the intentional removal of the HMI device from the safety program without side effects, e.g. a global rampdown.
The operator removes the HMI device by alternatively executing one of the following actions:
● Closing the project
● Switching off the HMI device
After removal the HMI device must be kept in an enclosed area.
Starting situation
The project must be started. The HMI device must be integrated in the safety program of the F-CPU.
[LED display: SAFE PWR COM RNG BAT]
Project termination alternatives
Action
The operator terminates the project with an operator object that has been provided for this purpose.
Following a prompt, the dialog box "Confirm removal" is opened. The operator is requested to confirm the desired removal with the enabling button.
The operator presses within 60 seconds at least one enabling button until the "Enable" setting is reached.
PROFIsafe communication is terminated. The HMI device has been successfully segregated from the safety program of the F-CPU. The project is terminated.
Result
The HMI device shows the Windows CE Desktop with the Loader.
[LED display: SAFE PWR COM RNG BAT]
Alternative - switch the HMI device off
Action
The operator presses the ON/OFF button for longer than 4 seconds.
Following a prompt, the "Confirm removal" dialog box is displayed. The operator is requested to confirm the desired removal with the enabling button.
The operator presses within 60 seconds at least one enabling button until the "Enable" setting is reached.
PROFIsafe communication is terminated. The HMI device has been successfully segregated from the safety program of the F-CPU. The project is terminated. The HMI device will be switched off.
Result
The HMI device is switched off.
[LED display: SAFE PWR COM RNG BAT]
6.2.4 Log on and log off at the effective range
6.2.4.1 Detecting the effective range
Starting situation
The HMI device must be integrated in the safety program of the F-CPU.
[LED display: SAFE PWR COM RNG BAT]
Action
With the "Effective range name" object the HMI device shows the name and the status of the effective range in which the HMI device is located.
The operator evaluates the display of the "Effective range name" operator control.
Result
Case 1: The object is displayed in white with lettering.
The HMI device is in the "Rangename" effective range.
Case 2: The object is displayed in gray without lettering.
The HMI device is located outside of the effective range of the plant. It is not possible to log on at the effective range.
Case 3: The object is displayed in gray with lettering.
The HMI device is in the "Rangename" effective range. Log on at the effective range is rejected because a different HMI device is already logged on at the effective range. It is not possible to log on at the effective range.
[LED display: SAFE PWR COM RNG BAT]
6.2.4.2 Log on at the effective range
Starting situation
The "Effective range name" object is displayed in white.
[LED display: SAFE PWR COM RNG BAT]
Action
The operator touches the "Effective range name" object.
If the "Effective range name" object is protected with a password, the operator has to enter his user name and password. See also Check list: Data security (Page 50).
The "Effective range logon" dialog box opens. The operator reads the effective range ID in the plant. He enters the effective range ID and confirms with "OK". The dialog box closes.
Result
The HMI device must be logged on at the effective range. The "Effective range name" object is displayed in green.
[LED display: SAFE PWR COM RNG BAT]
6.2.4.3 Log off at the effective range
Starting situation
The "Effective range name" object is displayed in green. The HMI device must be logged on at the effective range.
[LED display: SAFE PWR COM RNG BAT]
Action
The operator touches the "Effective range name" object.
If the "Effective range name" object is protected with a password, the operator has to enter his user name and password. See also Check list: Data security (Page 50).
After a query the HMI device is logged off from the effective range.
Result
The "Effective range name" object is displayed in white. The HMI device must be logged off from the effective range.
[LED display: SAFE PWR COM RNG BAT]
Note Only for effective ranges which belong to an override switch
If the operator has logged off from an effective range which belongs to an override switch, the "Effective range name" object is displayed in gray in the following case: The operator has left the effective range without pressing the override switch.
6.2.5 Behavior in the effective range
6.2.5.1 Exiting the effective range without log off
Starting situation
The operator with his HMI device is located at the limit of the effective range.
[LED display: SAFE PWR COM RNG BAT]
Action
The operator exits the WLAN area with the HMI device.
After 5 seconds the following occurs:
● The enabling buttons are deactivated.
● The "Effective range exited without logoff" dialog box opens.
● Depending on the setting of the HMI device, the vibration alarm is triggered.
The operator now has 25 seconds to enter the effective range again or log off from the effective range via the "Effective range exited without logoff" dialog box.
Case 1: The operator enters the effective range again within 25 seconds.
Result case 1: return to the effective range on time
The HMI device is fully functional again.
[LED display: SAFE PWR COM RNG BAT]
Case 2: The operator remains outside of the effective range for longer than 25 seconds.
Result case 2: does not return to the effective range on time
The "Effective range exited without logoff" dialog box opens.
The HMI device triggers a local rampdown and log off from the effective range.
As long as the operator does not confirm log off from the effective range, the dialog box is displayed on the HMI device. The operator is not able to interact with the machine. The effective range remains in use.
When the operator has confirmed logoff from the effective range, the HMI device is logged off from the effective range and the effective range is then released for logon for other HMI devices.
[LED display: SAFE PWR COM RNG BAT]
6.2.6 "Override" mode
6.2.6.1 Activating "override" mode
Initial situation
The system has the protective devices specified for "Override" mode.
[LED display: SAFE PWR COM RNG BAT]
Action
The operator enters a protected zone.
The operator logs the HMI device on in the effective range in which the override switch is located. The operator activates the override switch.
Result
"Override" mode is active.
The "Effective range quality" object is displayed entirely in green.
The transponders are not evaluated for detection of the effective range. The operator can operate the machine in the entire override range as if he were in the middle of the effective range. No other HMI device can log onto the effective range.
[LED display: SAFE PWR COM RNG BAT]
6.2.6.2 Terminating "override" mode
Introduction
The "Override" mode can be closed by the operator or closed automatically by the safety program of the F CPU.
Closed by the operator
The operator closes the "Override" mode with the following actions:
1. The operator activates the override switch.
2. The operator logs the HMI device off from the effective range.
Closing automatically
If the operator leaves the override range without activating the override switch, the override mode is automatically closed by the safety program of the F CPU. The transponders are then evaluated again for detection of the effective range. "Override" mode can only be activated again if the override switch is reset by the operator.
Initial situation
"Override" mode is active.
[LED display: SAFE PWR COM RNG BAT]
Action
Scenario 1: The operator activates the override switch.
Result of scenario 1:
"Override" mode is deactivated.
The transponders are evaluated again for detection of the effective range. If the operator is outside the effective range when "Override" mode closes, the system reacts as described in the section Exiting the effective range without log off (Page 94).
Scenario 2: The operator leaves a protected zone.
[LED display: SAFE PWR COM RNG BAT]
Result of scenario 2:
"Override" mode is closed automatically by the safety program of the F CPU.
The transponders are evaluated again for detection of the effective range. If the operator is outside the effective range when "Override" mode closes, the system reacts as described in the section Exiting the effective range without log off (Page 94).
"Override" mode can only be activated again if the override switch is reset by the operator.
[LED display: SAFE PWR COM RNG BAT]
6.2.7 Special operating conditions
6.2.7.1 Internal error
Initial situation
The HMI device is logged on in the effective range.
[LED display: SAFE PWR COM RNG BAT]
Action
An internal error occurs on the HMI device.
Result
The F CPU performs a shutdown. It stops the section of the system that belongs to the effective range.
The project is closed immediately. The HMI device shows a red error display. All LEDs go out. The effective range remains allocated.
[LED display: SAFE PWR COM RNG BAT]
See also
Diagnostics (Page 101)
6.2.7.2 Communication error with the HMI device logged on in the effective range
Starting situation
The HMI device must be logged on at the effective range.
[LED display: SAFE PWR COM RNG BAT]
Action
A communication error occurs.
The F-CPU executes a shutdown. It stops the plant unit that belongs to the effective range. The LED "SAFE" and the LED "RNG" go out. The operator is alerted that a secure connection is not present.
Case 1: Communication can be restored within 60 seconds.
Result case 1: Communication is restored.
The "Acknowledgment of communication error" dialog box opens. The operator acknowledges the communication error in this dialog box. The shutdown signal is revoked and the effective range is released for all HMI devices. PROFIsafe communication is again possible.
[LED display: SAFE PWR COM RNG BAT]
Case 2: Communication remains continuously interrupted.
Result case 2: Communication remains interrupted for more than 60 seconds
After 60 seconds the project is terminated. The HMI device displays the Windows CE Desktop with the Loader.
If the operator enters the WLAN area again with the HMI device and WLAN communication is reestablished, the operator has to acknowledge the communication error in the "Acknowledgment of communication error" dialog box.
The shutdown signal is revoked. The HMI device is fully functional again.
[LED display: SAFE PWR COM RNG BAT]
Diagnostics
7.1 Alarm messages
The following alarms are displayed on the HMI device, depending on the operating situation:
Dialog box: Establishment of safety connection
No safe connection available. Reason:
Connection not yet completed
PROFIsafe address error
Internal configuration error
Communication error (timeout)
Communication error (CRC)
CPU in STOP
PROFIsafe CRC configuration error
Should the Panel be switched off?
Possible reactions: "Yes" button
Situation: The alarm displays one of the stated reasons, depending on the situation.
Reason: Connection not yet completed: Setup of the safe connection was not yet completed after the project was started. In this case, wait for the connection to be set up. The dialog is closed on completion.
Other reasons: A communication error has occurred after successful integration of the HMI device. Clear the cause of error defined as "Reason" and restart the HMI device.
Additional information: Communication error for the integrated HMI device (Page 87); Communication error with the HMI device logged on in the effective range (Page 98)

Dialog box: Start removal
The removal cannot be interrupted once it has started. Do you want to start the removal?
Possible reactions: "Yes" button, "No" button
Situation: The operator has activated an object for closing the project.
Additional information: Segregate (Page 90)

Dialog box: Confirm removal
Please confirm the removal with the enabling switch.
Possible reactions: The operator must press at least one of the enabling switches until the "Enable" switch position is reached.
Situation: The operator has confirmed the security prompt for logoff.
Additional information: Segregate (Page 90)

Dialog box: Effective range logon
Do you want to logon to the following effective range? Effective range <<EFFECTIVE RANGE NAME>> Please enter the effective range ID:
Possible reactions: "Yes" button, "No" button
Situation: The HMI device is located within the effective range, but it is not logged on. The operator has activated the white "Effective range name" object to log himself on.
Additional information: Log on at the effective range (Page 92)

Dialog box: Effective range logoff
Do you want to log off from the following effective range? Effective range <<EFFECTIVE RANGE NAME>>
Possible reactions: "Yes" button, "No" button
Situation: The HMI device is logged on to the effective range. The operator has activated the "Effective range name" object to log himself off.
Additional information: Log off at the effective range (Page 93)
Page 100
Dialog box: Effective range logoff (shutdown)
The Panel cannot be switched off. You have to first logoff from the effective range. Do you want to logoff from the following effective range? Effective range <<EFFECTIVE RANGE NAME>>
Possible reactions: "Yes" button, "No" button
Situation: The HMI device is logged on to the effective range. The operator has attempted to shut down the HMI device.

Dialog box: Acknowledgment of communication error
A safe connection is possible again. Please confirm the communication error.
Possible reactions: "OK" button
Situation: Communication was recovered after a short communication error. The operator must confirm this state.
The short-term communication error was caused by one of the following actions:
The operator briefly left the WLAN range and has now returned.
PROFIsafe communication was briefly interrupted.
Additional information: Communication error for the integrated HMI device (Page 87); Communication error with the HMI device logged on in the effective range (Page 98)

Dialog box: Effective range exited without logoff (5 seconds)
WARNING: You have exited the following effective range without logging off: Effective range <<EFFECTIVE RANGE NAME>> The enabling switch is deactivated. Do you want to log off from the effective range?
Possible reactions: "Yes" button or return to the effective range within 25 seconds
Situation: The operator left the effective range with the logged on HMI device for more than 5 seconds.
Additional information: Exiting the effective range without log off (Page 94)

Dialog box: Exited effective range without logging off (30 seconds)
You have left the effective range without permission. Local switch off was executed! Please confirm logging off from the effective range.
Possible reactions: "OK" button
Situation: The operator has left the effective range with the logged on HMI device for more than 30 seconds.
Additional information: Exiting the effective range without log off (Page 94)

Dialog box: Low battery alarm
Battery charge is less than 20 percent.
Possible reactions: "OK" button
Situation: The remaining battery charge is less than 20 %. An additional system alarm is output after the battery charge has dropped to less than 10 %.
Additional information: Chapter "Inserting, charging and replacing the battery" in the operating instructions

Dialog box: Transponder test
This dialog does not contain any correlative text. The user is informed that he is in transponder test mode. The user must test all transponders of all effective ranges.
Possible reactions: Diverse
Situation: The project started on the HMI device does not contain a current CRC checksum for the effective ranges. The effective ranges and transponders must be checked using the dialog.
Additional information: Accepting effective ranges and transponders (Page 79)