Fail-safe CPUs

Pandiani

Hello guys,

I know this has been discussed earlier, but I still don't understand numerous issues related to fail-safe when it comes to PLCs.
I have found this article. It is interesting that in this case fail-safe doesn't assume redundancy on the CPU level.
Now I need to ask this: How can I know when to use a fail-safe Siemens S7 PLC (or any other manufacturer) and when it is not necessary?
I know that S7 fail-safe CPUs have the "F" letter next to their model name, and I know there are special software blocks which are programmed with special software (a module installed separately).

I know that many safety functions can be realized with an ordinary PLC, but in order to understand and know if I should insist on using a fail-safe processor in a specific situation, I need to know exactly what the difference is.
I'm personally interested in Siemens CPUs, because I'm in touch with them most of the time.

I know there are special parts of the CPU's memory that take the special safety software blocks. I cannot understand why these blocks are more reliable (if they are at all).

Can anyone explain in short terms what the most important differences between an ordinary and a fail-safe CPU are?

Thank you very much
 
Use a fail-safe PLC + safety blocks for safety control functions where you would normally use traditional safety relays.

The advantages are:
Possibly lower cost when replacing a large number of safety relays with one safety PLC.
Greater flexibility - rather than rewiring or exchanging components, a software change can quickly adapt to differing requirements.
For complex safety applications (overlapping areas, cascaded safety relays etc.), a safety PLC will allow a simpler installation than would be possible with traditional safety relays.
For physically widespread safety applications, a safety PLC can be used in combination with fieldbus networks; for Siemens, Profibus and Profinet.

A safety PLC is allowed to control safety functions because the safety blocks are two control elements checking each other and realised with two differing methods - thereby guarding against the same engineering or manufacturing error violating the safety. In Siemens F CPUs the safety blocks are realised in the CPU and FPU respectively.
 
If you use the Fail-Safe CPUs you will also need to install the "Integrated Safety" software (an add-on to Simatic Manager).
If you also use the safety I/O modules, they run their own diagnostics/monitoring, so bypassing anything on the cards will be impossible (jumpers and such).
The good thing is that if you do CE work, the F series hardware will pass all inspections concerning safety without an issue.
 
You only really need to use a fail-safe PLC instead of a standard PLC where you require the safety stamp: EN 954 on machinery or IEC 61508/61511 on process. In terms of difference in design, the F series is slightly more limiting and quite a bit more expensive. Unless you need e.g. a SIL 3 system, there's not much point in spending more on the F series, and even if you do, you still of course need to do the functional safety study of your system design.
 
Also remember that all your other engineering has to be to a similar standard. This means that if you are trying to achieve SIL 2, for example, then all components, not just the PLC, need to be engineered to be SIL 2; that means input sensors, output devices etc. Or to put it another way, putting a SIL 2 PLC in doesn't automatically make the whole system SIL 2!
 
True, and even if everything on your system (sensor to actuator) is certified SIL 2, it doesn't mean your system is SIL 2. That requires lots of lovely PFD/PFH calculations.
 
My understanding is that with a fail-safe PLC, similar to safety systems (Cat 3 and Cat 4), a component failure on the PCB or elsewhere in the system shouldn't cause an unsafe condition to occur, whereas a standard PLC could fail in any condition, i.e. with outputs active that should have turned off etc.

They also do self-checks intermittently.

Is this correct, or am I just talking trash? I haven't done much on safety systems, but no doubt it will come up one day.

Jon.
 
