Report. Certificate Z F-CM AS-i Safety for SIMATIC ET 200SP

Transcription

1

2 Report to the Certificate Z Safety Components F-CM AS-i Safety for SIMATIC ET 200SP Manufacturer: Siemens AG I IA CE Werner-von-Siemens-Straße 48 D Amberg Germany Revision 1.7 dated Testing Body: TÜV SÜD Rail GmbH Generic Safety Systems Barthstraße 16 D München Certification Body: TÜV SÜD Product Service GmbH Ridlerstraße 65 D München This report consists of 11 pages. Distribution, copying or any other use of information in this report in part is strictly prohibited.

3 Revision Log Version Name Date Changes/History 1.0 Jens Luther Initial 1.1 P. Weiß Formal changes in chapter P. Weiß Formal changes in chapter Jens Luther Supplementation of the parametric programming through the TIA-Portal (MDD) update of the general application conditions in chapter T. Paradzik Update IEC to 2 nd Edition 1.5 T. Paradzik Update IEC 62061:2015 and ISO 13849: Jens Luther Update FW to Jens Luther Chapter 5.1 updated (see SK91445T Technical Report of Modifications SIMATIC F/FH Systems) TÜV SÜD Rail GmbH Generic Safety Systems Revision 1.7 Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Page 2 of 11

4 Content Page 1 PURPOSE AND SCOPE DEFINITION OF TERMS SYSTEM OVERVIEW SAFETY MANUAL CERTIFICATION REQUIREMENTS BASIS OF CERTIFICATION CERTIFICATION DOCUMENTATION FUNCTIONAL SAFETY BASIC SAFETY AND ENVIRONMENTAL SAFETY ELECTROMAGNETIC COMPATIBILITY RESULTS FUNCTIONAL SAFETY BASIC SAFETY AND ELECTROMAGNETIC COMPATIBILITY IMPLEMENTATION CONDITIONS AND RESTRICTIONS GENERAL APPLICATION CONDITIONS GENERAL COMMISSIONING CONDITIONS GENERAL RUN-TIME CONDITIONS CERTIFICATE NUMBER TÜV SÜD Rail GmbH Generic Safety Systems Revision 1.7 Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Page 3 of 11

5 1 Purpose and Scope TÜV SÜD Rail GmbH has been contracted by Siemens AG to certify the Safety Components F-CM AS-i Safety for SIMATIC ET 200SP. This report summarizes the user related results of the tests and inspections performed on the F-CM AS-i Safety for SIMATIC ET 200SP based on the certification requirements outlined under clause 3.1 and reported by the documentation listed under clause Definition of Terms The following terms are used in this report with a meaning defined as follows: Functional Safety Fault tolerance time (process safety time) Probability of Failure on Demand (PFD) Probability of dangerous failure per hour (PFH) The ability of a safety-related system to carry out the actions necessary to achieve a (defined) safe state for the equipment under control (EUC) or to maintain the safe state for the EUC. The fault-tolerance time denotes a characteristic of the process and describes the period of time, in which the process can be controlled by a faulty control-output signal, without entering a dangerous condition. Average probability of failure of a system to perform its design functions on demand. The probability of a dangerous failure per hour (in the case of high demand or continuous mode) TÜV SÜD Rail GmbH Generic Safety Systems Revision 1.7 Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Page 4 of 11

6 2 System Overview The F-CM AS-i Safety for SIMATIC ET 200SP consists of a PROFIsafe, an AS-i-Bus connection, and a safety controller. Transferring of the safety layers into the different safety-related communication connections is provided from the safety controller. The overview of the F-CM AS-i Safety for SIMATIC ET 200SP series is depicted in the following figure Figure 1: F-CM AS-i Safety for SIMATIC ET 200SP The F-CM AS-i Safety for SIMATIC ET 200SP is a modular component of the ET 200SP family. The F-CM AS-i Safety for SIMATIC ET 200SP is collecting input signals from AS-i-Input slave and sends those to the AS-i-Output slaves. The collected data are transferred via the PROFIsafe bus to the connected safety related F-CPU. Component Name FW Version HW Version MLFB F-CM AS-i Safety for SIMATIC ET 200SP RK7136-6SC00-0BC1 2.1 Safety manual The conditions and rules for safe use of the F-CM AS-i Safety for SIMATIC ET 200SP are laid down within the user documentation: SIMATIC ET 200SP Failsafe Modul F-CM AS-i Safety ST (3RK7136-6SC00-0BC1) TÜV SÜD Rail GmbH Generic Safety Systems Revision 1.7 Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Page 5 of 11

7 3 Certification Requirements 3.1 Basis of Certification The certification of F-CM AS-i Safety for SIMATIC ET 200SP will be according to the regulations and standards listed in clause 3.3 to 3.5 of this document. This certifies the successful completion of the following test segments: I. Functional safety Functional safety management (FSM) und safety lifecycle Functional safety management (FSM) und safety lifecycle (from technical report) Analysis of the system structure (FMEA system) Analysis of the hardware (FMEA component, quantitative analysis) Analysis of the software Fault simulations and software tests Test of the fault prevention measures Functional test II. Electrical safety III. Susceptibility to environmental errors Climate and temperature, IP degree of protection IV. Electromagnetic compatibility Immunity V. Safety information in the product documentation (safety manual, operating instructions) VI. Product-related Quality Management in manufacturing and product care. Certification is dependent on successful completion of all of the above test segments. The testing follows the basic certification scheme for safety-related programmable electronic systems of TÜV SÜD Rail GmbH. 3.2 Certification Documentation Documentation of this certification is based in the following reports: Testing documentation The Technical Report SN85562T is summarizing the assessment activities related to functional safety. The certification report is a mandatory part of the certificate, whereas publication of the Technical Report is facultative. Manual, see chapter 2.1 Based on the specified purpose of use of the F-CM AS-i Safety for SIMATIC ET 200SP in safety critical process protection applications the certification is based on the following set of standards. The issuance of the certificate states compliance with these references unless specifically noted otherwise. TÜV SÜD Rail GmbH Generic Safety Systems Revision 1.7 Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Page 6 of 11

8 3.3 Functional Safety The testing for functional safety is to be performed using the following standards and guidelines: IEC :2010; up to SIL3 IEC :2010; up to SIL3 IEC : 2010; up to SIL3 IEC : 2010; up to SIL3 Functional safety of electrical/electronic/programmable electronic safety-related systems Part 1: General requirements Functional safety of electrical/electronic/programmable electronic safety-related systems Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems Functional safety of electrical/electronic/programmable electronic safety-related systems Part 3: Software requirements Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations EN ISO : 2015 Safety of machinery Safety-related parts of control systems Part 1: General principles for design IEC 62061:2005/A2: Basic Safety and Environmental Safety Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems To complete and to specify the technical requirements resulting from the essential requirements of the standards listed above the testing of Basic Safety is to cover the following standards: EN : 2006 Safety of machinery - Electrical equipment of machines Part 1: General requirements EN : 2007 Programmable controllers Part 2: Equipment requirements and tests 3.5 Electromagnetic Compatibility To complete and to specify the technical requirements resulting from the essential requirements of the standards listed above, the testing of Electromagnetic Compatibility is to cover the following standards: EN : 2005 Electromagnetic compatibility (EMC) - Part 6-2: Generic standards - Immunity for industrial environments EN : A1:2011 Electromagnetic compatibility (EMC) - Part 6-4: Generic standards - Emission standard for industrial environments TÜV SÜD Rail GmbH Generic Safety Systems Revision 1.7 Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Page 7 of 11

9 4 Results 4.1 Functional Safety The tests performed and quality assurance measures implemented by the manufacturer have shown that the F-CM AS-i Safety for SIMATIC ET 200SP complies with the testing criteria specified in clause 3 subject to the conditions defined in clause 5 and its subsections. The F- CM AS-i Safety for SIMATIC ET 200SP are suitable for safety-related use in applications in accordance with EN ISO :2015, up to CAT 4 PL e, and in accordance with IEC 61508: 2010, up to SIL Fault Reaction and Timing Fault detection in the F-CM AS-i Safety for SIMATIC ET 200SP is assured by means of following basic techniques: - self-test at power up and during operation - two channel control logic with cross check - redundancy - dynamic signals (safe telegrams) - de - energizing in case of over and under-voltage The fault tolerance period of the process controlled by the F-CM AS-i Safety for SIMATIC ET 200SP shall be greater than the worst case response time. Additional information is given in the manual (see clause 2.1) Evaluation of fault prevention measures For the avoidance of failures, the following techniques and measures were used: Project management Documentation Structured specification Inspection of the specification or walk-through of the specification Observance of relevant guidelines and standards Structured design Modularization Use of well-tried components Inspection of the hardware Functional testing (also under environmental conditions) Operational and maintenance instructions User- and maintenance friendliness The individual measures for the avoidance of failures provide the required degree of effectiveness and are specified in the relevant documents Analysis of the software and hardware integrity and fault simulations (FIT) The Failure Mode Effect and Diagnostic Analysis (FMEDA) showed that the occurrence of a single fault does not lead to loss of the safe functioning. The individual architectural constrains are sufficient and their corresponding degree of fault detection provide the required degree of effectiveness. TÜV SÜD Rail GmbH Generic Safety Systems Revision 1.7 Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Page 8 of 11

10 4.2 Basic Safety and Electromagnetic Compatibility Electrical Safety The results about the electrical safety are documented by the certificates and test reports of an accredited test center. The documentation of the tests has been reviewed for completeness. These certificates show that the standards specified in clause 3 are covered Environmental Testing The environmental stress tests are documented by the certificates of an accredited test center. The above mentioned certificates and tests and the quality assurance measures implemented by the manufacturer have shown that the F-CM AS-i Safety for SIMATIC ET 200SP complies with the testing criteria specified in clause 3 subject to the conditions defined in clause 5 and its subsections Electromagnetic Compatibility The tests of the electromagnetic compatibility are documented by the certificates and test reports of an accredited test center. The documentation of the tests has been reviewed for completeness. These certificates show that the standards specified in clause 3 are covered. TÜV SÜD Rail GmbH Generic Safety Systems Revision 1.7 Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Page 9 of 11

11 5 Implementation Conditions and Restrictions The use of the F-CM AS-i Safety for SIMATIC ET 200SP shall comply with the current version of the Safety parts of the manual (see chapter 2.1) and the following implementation and installation requirements shall be followed if the F-CM AS-i Safety for SIMATIC ET 200SP are used in safety-related installations. The F-CM AS-i Safety for SIMATIC ET 200SP is a safety-related product and the recommendations based on the experience and judgement of the Siemens AG documented in the manual shall therefore be carefully followed. The information, recommendations, specifications and safety instructions given in the belonging manual shall be read and understood. 5.1 General application conditions The guidelines specified in the user documentation shall be followed. Only modules certified for safety-related operation shall be used for safety-critical functions (see e.g. SIMATIC S7 F/FH Systems certificate Z ). Remark: The elements listed in the annex of the SIMATIC S7 F/FH Systems certification can be used together with the F-CM AS-i Safety for SIMATIC ET 200SP. The elements of the SIMATIC S7 F/FH Systems are tested, developed, and realized according to the standards mentioned in the related reports and certificates. As a result, the safety functions of these combined system elements shall be used in the certification scope of SIMATIC S7 F/FH Systems only. Only modules certified for safety-related operation shall be used for safety-critical functions (see e.g. SIMATIC S7 Distributed Safety certificate Z ). Remark: The elements listed in the annex of the S7 Distributed Safety system certification can be used together with the F-CM AS-i Safety for SIMATIC ET 200SP. The elements of the S7 Distributed Safety system are tested, developed, and realized according to the standards mentioned in the related reports and certificates. As a result, the safety functions of these combined system elements shall be used in the certification scope of SIMATIC S7 Distributed Safety only. Only modules certified for safety-related operation shall be used for safety-critical functions (see e.g. SIMATIC Safety Systems certificate Z ). Remark: The elements listed in the annex of the SIMATIC Safety Systems certification can be used together with the F-CM AS-i Safety for SIMATIC ET 200SP. The elements of the SIMATIC Safety Systems are tested, developed, and realized according to the standards mentioned in the related reports and certificates. As a result, the safety functions of these combined system elements shall be used in the certification scope of SIMATIC Safety Systems only. The fault tolerance period of the process controlled by the system shall be greater than the worst-case response time of the system. The F-CM AS-i Safety for SIMATIC ET 200SP can be used in applications up to category 4, PLe according to ISO The F-CM AS-i Safety for SIMATIC ET 200SP can be used in applications up to SIL 3 according to EN/IEC61508 and IEC TÜV SÜD Rail GmbH Generic Safety Systems Revision 1.7 Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Page 10 of 11

12 5.2 General commissioning conditions The guidelines and the instructions for commissioning, described in the user documentation, have to be followed. All timing requirements shall be validated Any application configuration modification after commissioning shall result in a re-validation. 5.3 General run-time conditions The operating conditions as specified in the user documentation shall be met. The procedures of modification of safety related data described in the user manual have to be followed. 6 Certificate Number This report specifies technical details and implementation conditions required for the application of the Safety Components F-CM AS-i Safety for SIMATIC ET 200SP by Siemens AG to the certificate: Z Munich, TÜV SÜD Rail GmbH Generic Safety Systems P. Weiß Technical Certifier Digital unterschrieben von Peter Weiß Datum: :40:00 +02'00' TÜV SÜD Rail GmbH Generic Safety Systems Revision 1.7 Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Page 11 of 11

13 Report to the Certificate Choose certainty. Add value. Z Safety Components F-CM AS-i Safety for SIMATIC ET 200SP Manufacturer: Siemens AG l IACE Werner-von-Siemens-Straße 48 D Amberg Germany Revision 1.6 dated Testing Body: TÜV SÜ D Rail GmbH Generic Safety Systems Barthstraße 16 D München Certification Body: TÜV SÜ D Product Service GmbH Ridlerstraße 65 D München This report consists of 11 pages. Distribution, copying or any other use of information in this report in part is strictly prohibited.

14 Revision Log Version Name Date Changes/History 1.0 Jens Luther 1.1 P.Weiß 1.2 P. Weiß 1.3 Jens Luther 1.4 T. Paradzik 1.5 T. Paradzik 1.6 Jens Luther Initial Formal changes in chapter 5.1 Formal changes in chapter 2 Supplementation of the parametric programming through the TIA-Portal (MDD) - update of the general application conditions in chapter 5.1 Update IEC to 2nd Edition Update IEC :2015 and ISO 13849:2015 Update FW to TUV SUD Rail GmbH Generic Safety Systems Barthstraße 16 D Munich Gerrnany Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Revision Page 2 of11

15 e H. Content Page 1 PURPOSE AND SCOPE DEFINITION OF TERMS SYSTEM OVERVIEW SAFETY MANUAL CERTIFICATION REQUIREMENTS BASIS OF CERTIFICATION CERTIFICATION DOCUMENTATION FUNCTIONAL SAFETY BASIC SAFETY AND ENVIRONMENTAL SAFETY ELECTROMAGNETIC COMPATIBILITY RESULTS FUNCTIONAL SAFETY BASIC SAFETY AND ELECTROMAGNETIC COMPATIBILITY IMPLEMENTATION CONDITIONS AND RESTRICTIONS GENERAL APPLICATION CONDITIONS GENERAL COMMISSIONING CONDIT/ONS GENERAL RUN-TIME CONDITIONS CERTIFICATE NUMBER TUV SUD Rail GmbH Generic Safety Systems Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Revision Page 3of 11

16 9 u D 1 Purpose and Scope TÜV SÜD Rail GmbH has been contracted by Siemens AG to certify the Safety Components F-CM AS-i Safety for SIMATIC ET 200SP. This report summarizes the user related results of the tests and inspections performed on the F-CM AS-i Safety for SIMATIC ET 200SP based on the certification requirements outlined under clause 3.1 and reported by the documentation listed under clause Definition of Terms The following terms are used in this report with a meaning defined as follows: Functional Safety Fault tolerance time (process safety time) Probability of Failure on Demand (PFD) Probability of dangerous failure per hour (PFH) The ability of a safety-related system to carry out the actions necessary to achieve a (defined) safe state for the equipment under control (EUC) or to maintain the safe state for the EUC. The fault-tolerance time denotes a characteristic of the process and describes the period of time, in which the process can be controlled by a faulty control-output signal, without entering a dangerous condition. Average probability of failure of a system to perform its design functions on demand. The probability of a dangerous failure per hour (in the case of high demand or continuous mode) TUV SUD Rail GmbH Generle Safety Systems Phone: -+49 (89) ; Fax: jens.luther@tuev-sued.de Revision Page4of11

17 e N. 2 System Overview The F-CM AS-i Safety for SIMATIC ET 200SP consists of a PROFisafe, an AS-i-Bus connection, and a safety controller. Transferring of the safety layers into the different safety-related communication connections is provided from the safety controller. The overview of the F-CM AS-i Safety for SIMATIC ET 200SP series is depicted in the following figure ibd (Block) ASlsafe ModlJ (AS!ule Modi.II) SP Legende - eint.1ehe Vetbindung - Bus(m11h1 1 Ve1b1ndungen) ; T ; g i e ;it i -- T 1 1 : l< E ;; nt : : r utu : AS- 1-81u 1 n 1 r R!lduundln.ts-Ansch.11tung (Bladc Ch.1nnel) r Umsetzung.su1 AS-i (Bl ck Channel) 1 1 : M.iinchester-Coder (ATMEL) J 1 L J Figure 1: F-CM AS-i Safety for SIMATIC ET 200SP The F-CM AS-i Safety for SIMATIC ET 200SP is a modular component of the ET 200SP family. The F-CM AS-i Safety for SIMATIC ET 200SP is collecting input signals from AS-i-lnput slave and sends those to the AS-i-Output slaves. The collected data are transferred via the PROFisafe bus to the connected safety related F-CPU. Component Name FW Version HW Version MLFB F-CM AS-i Safety for SIMATIC ET 200SP RK7136-6SCOO-OBC1 2.1 Safety manual The conditions and rules for safe use of the F-CM AS-i Safety for SIMATIC ET 200SP are laid down within the user documentation: SIMATIC ET 200SP Failsafe Modul F-CM AS-i Safety ST (3RK SCOO-OBC1 ) TUV SUD Rail GmbH Generic Safety Systems Phone: -+49 (89) ; Fax: jens.luther@tuev-sued.de Revision Page 5 of11

18 3 Certification Requirements 3.1 Basis of Certification The certification of F-CM AS-i Safety for SIMATIC ET 200SP will be according to the regulations and standards listed in clause 3.3 to 3.5 of this document. This certifies the successful completion of the following test segments: 1. Functional safety Functional safety management (FSM) und safety lifecycle Functional safety management (FSM) und safety lifecycle (from technical report) Analysis of the system structure (FMEA system) Analysis of the hardware (FMEA component, quantitative analysis) Analysis of the software Fault simulations and software tests Test of the fault prevention measures Functional test II. Electrical safety III. Susceptibility to environmental errors Climate and temperature, IP degree of protection IV. Electromagnetic compatibility lmmunity V. Safety information in the product documentation (safety manual, operating instructions) VI. Product-related Quality Management in manufacturing and product care. Certification is dependent on successful completion of all of the above test segments. The testing follows the basic certification scheme for safety-related programmable electronic systems of TÜV SÜD Rail GmbH. 3.2 Certification Documentation Documentation of this certification is based in the following reports: Testing documentation The Technical Report SN85562T is summarizing the assessment activities related to functional safety. The certification report is a mandatory part of the certificate, whereas publication of the Technical Report is facultative. Manual, see chapter 2.1 Based on the specified purpose of use of the F-CM AS-i Safety for SIMATIC ET 200SP in safety critical process protection applications the certification is based on the following set of standards. The issuance of the certificate states compliance with these references unless specifically noted otherwise. TUV SUD Rail GmbH Generic Safety Systems Phone: -+49 (89) ; Fax: jens.luther@tuev-sued.de Revision Page 6of11

19 \V 3.3 Functional Safety The testing for functional safety is to be performed using the following standards and guidelines: IEC :201 O; up to SIL3 IEC :2010; up to SIL3 IEC : 2010; up to SIL3 IEC : 201 O; up to SIL3 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations EN ISO : 2015 Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design IEC :2005/A2:2015 Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems 3.4 Basic Safety and Environmental Safety To complete and to specify the technical requirements resulting from the essential requirements of the standards listed above the testing of Basic Safety is to cover the following standards: EN : 2006 Safety of machinery - Electrical equipment of machines Part 1: General requirements EN : 2007 Programmable controllers - Part 2: Equipment requirements and tests 3.5 Electromagnetic Compatibility To complete and to specify the technical requirements resulting from the essential requirements of the standards listed above, the testing of Electromagnetic Compatibility is to cover the following standards: EN : 2005 EN : A1:2011 Electromagnetic compatibility (EMC) - Part 6-2: Generic standards - lmmunity for industrial environments Electromagnetic compatibility (EMC) - Part 6-4: Generic standards - Emission standard for industrial environments TUV SUD Rail GmbH Generic Safety Systems Phone: -+49 (89) ; Fax: jens.luther@tuev-sued.de Revision Page 7 of11

20 r -- - \V 4 Results 4.1 Functional Safety The tests performed and quality assurance measures implemented by the manufacturer have shown that the F-CM AS-i Safety for SIMATIC ET 200SP complies with the testing criteria specified in clause 3 subject to the conditions defined in clause 5 and its subsections. The F CM AS-i Safety for SIMATIC ET 200SP are suitable for safety-related use in applications in accordance with EN :201 5, up to CAT 4 PL e, and in accordance with IEC : 2010, up to SIL Fault Reaction and Timing Fault detection in the F-CM AS-i Safety for SIMATIC ET 200SP is assured by means of following basic techniques: self-test at power up and during operation two channel control logic with cross check redundancy dynamic signals (safe telegrams) de - energizing in case of over - and under-voltage The fault tolerance period of the process controlled by the F-CM AS-i Safety for SIMATIC ET 200SP shall be greater than the worst case response time. Additional information is given in the manual (see clause 2.1 ) Evaluation of fault prevention measures For the avoidance of failures, the following techniques and measures were used: Project management Documentation Structured specification lnspection of the specification or walk-through of the specification Observance of relevant guidelines and standards Structured design Modularization Use of well-tried components lnspection of the hardware Functional testing (also under environmental conditions) Operational and maintenance instructions User- and maintenance friendliness The individual measures for the avoidance of failures provide the required degree of effectiveness and are specified in the relevant documents Analysis of the software and hardware integrity and fault simulations (FIT) The Failure Mode Effect and Diagnostic Analysis (FMEDA) showed that the occurrence of a single fault does not lead to loss of the safe functioning. The individual architectural constrains are sufficient and their corresponding degree of fault detection provide the required degree of effectiveness. TUV SUD Rail GmbH Generle Safety Systems Phone: -+49 (89) ; Fax: jens.luther@tuev-sued.de Report No.: SF8 5561C Revision Page 8of11

21 4.2 Basic Safety and Electromagnetic Compatibility Electrical Safety The results about the electrical safety are documented by the certificates and test reports of an accredited test center. The documentation of the tests has been reviewed for completeness. These certificates show that the standards specified in clause 3 are covered Environmental Testing The environmental stress tests are documented by the certificates of an accredited test center. The above mentioned certificates and tests and the quality assurance measures implemented by the manufacturer have shown that the F-CM AS-i Safety for SIMATIC ET 200SP complies with the testing criteria specified in clause 3 subject to the conditions defined in clause 5 and its subsections Electromagnetic Compatibility The tests of the electromagnetic compatibility are documented by the certificates and test reports of an accredited test center. The documentation of the tests has been reviewed for completeness. These certificates show that the standards specified in clause 3 are covered. TUV SUD Rail GmbH Generic Safety Systems Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Revision Page 9 of11

22 5 Implementation Conditions and Restrictions The use of the F-CM AS-i Safety for SIMATIC ET 200SP shall comply with the current version of the Safety parts of the manual (see chapter 2.1 ) and the following implementation and installation requirements shall be followed if the F-CM AS-i Safety for SIMATIC ET 200SP are used in safety-related installations. The F-CM AS-i Safety for SIMATIC ET 200SP is a safety-related product and the recommendations based on the experience and judgement of the Siemens AG documented in the manual shall therefore be carefully followed. The information, recommendations, specifications and safety instructions given in the belonging manual shall be read and understood. 5.1 General application conditions The guidelines specified in the user documentation shall be followed. Only modules certified for safety-related operation shall be used for safety-critical functions (see e.g. SIMATIC S7 Distributed Safety certificate Z ). Remark: The elements listed in the annex of the S7 Distributed Safety system certification can be used together with the F-CM AS-i Safety for SIMATIC ET 200SP. The elements of the S7 Distributed Safety system are tested, developed, and realized according to the standards mentioned in the related reports and certificates. As a result, the safety functions of these combined system elements shall be used in the certification scope of SIMATIC S7 Distributed Safety only. Only modules certified for safety-related operation shall be used for safety-critical functions (see e.g. SIMATIC Safety Systems certificate Z ). Remark: The elements.listed in the annex of the SIMATIC Safety Systems certification can be used together with the F-CM AS-i Safety for SIMATIC ET 200SP. The elements of the SIMATIC Safety Systems are tested, developed, and realized according to the standards mentioned in the related reports and certificates. As a result, the safety functions of these combined system elements shall be used in the certification scope of SIMATIC Safety Systems only. The fault tolerance period of the process controlled by the system shall be greater than the worst-case response time of the system. The F-CM AS-i Safety for SIMATIC ET 200SP can be used in applications up to category 4, Ple according to IS The F-CM AS-i Safety for SIMATIC ET 200SP can be used in applications up to SIL 3 according to EN/IEC and IEC General commissioning conditions The guidelines and the instructions for commissioning, described in the user documentation, have to be followed. All timing requirements shall be validated Any application configuration modification after commissioning shall result in a re-validation. TUV SUD Rail GmbH Generic Safety Systems Barthstraße 16 D Munich Germany Phone: -+49 (89) ; Fax: jens.luther@tuev-sued.de Revision Page 10 of 11

23 5.3 General run-time conditions The operating conditions as specified in the user documentation shall be met. The procedures of modification of safety related data described in the user manual have to be followed. 6 Certificate Number This report specifies technical details and implementation conditions required for the application of the Safety Components F-CM AS-i Safety for SIMATIC ET 200SP by Siemens AG to the certificate: Z Munich, TÜV SÜD Rail GmbH Generic Safety Systems Technical Certifier TUV SUD Rail GmbH Generic Safety Systems Phone: +49 (89) ; Fax: jens.luther@tuev-sued.de Revision Page 11 of 11

24

25

26

27

28

29

30

31

32

33

34