HIMA HIMatrix F30 Compact Safety Controller
Safety regulations and environmental requirements
(1) Core safety requirements
Intended use and protective measures
The controller operates with SELV/PELV safety extra-low voltage, and the device itself poses no direct danger. For use in Ex areas (such as Zone 2), additional explosion-protection requirements must be met (such as installation in an enclosure with a protection level of IP54 or higher);
ESD protection: Only personnel with knowledge of electrostatic protection are allowed to work on the device. ESD wristbands should be worn during work, and when not in use the device should be stored in anti-static packaging to avoid electrostatic damage to internal circuits (such as processors and relays).
Residual risk and emergency response
Residual risk sources: engineering design defects (such as unmonitored lines), user program defects (such as missing fail-safe logic), and wiring errors (such as poor output grounding), all of which must be avoided through compliant configuration and regular testing;
Emergency principle: The controller is the core of the safety system. In the event of a malfunction, all outputs must be switched to the de-energized safe state (such as relays opening). Operations that obstruct the safe operation of the system in emergency scenarios (such as forcing outputs on) are prohibited.
(2) Environment and installation conditions
|Requirement type | Specific parameters | Notes|
|Protection level | IP20 (IEC 60529) | Must be installed inside a control cabinet to prevent dust and condensation; Ex Zone 2 requires additional enclosure protection|
|Working temperature | Standard type 0...+60 °C; low-temperature type (F30 011) -20...+60 °C | Low-temperature type: electronic components are coated with protective lacquer, suitable for cold industrial environments|
|Storage temperature | -40...+85 °C | Must be met during transportation or idle periods to avoid component damage|
|Pollution level | II (IEC/EN 61131-2) | Applicable to non-conductive dust environments to avoid short circuit risks|
|Altitude | < 2000 m | Heat dissipation and insulation performance must be evaluated in high-altitude areas|
|Supply voltage | 24 VDC (-15%...+20%), ripple factor ≤ 15% | Requires an independent power supply (PELV/SELV power supply recommended), protected by a 10 A time-delay fuse|
Product Description and Core Features
(1) Basic characteristics of controller
Functional positioning and compatibility
Role: As a compact controller, it can independently run user programs, support local I/O control and remote I/O expansion, and cover small and medium-sized safety application requirements with a single device;
Safety certification: certified by TÜV, supporting SIL 3 (IEC 61508/61511/62061), Cat. 4 (EN 954-1) and PL e (EN ISO 13849-1); also compliant with ATEX Zone 2 (T4), UL Class I Div 2, Lloyd's Register certification, and other global industry standards;
Model difference: divided into "standard type (F30 01/F30 01 SILworX)" and "low-temperature type (F30 011/F30 011 SILworX)", with the same hardware, only the working temperature range and programming tool adaptation are different (see table below):
|Model | Operating temperature | Programming tool | Part number|
|F30 01 | 0…+60 °C | ELOP II Factory | 98 2200415|
|F30 011 | -20…+60 °C | ELOP II Factory | 98 2200455|
|F30 01 SILworX | 0…+60 °C | SILworX | 98 2200472|
|F30 011 SILworX | -20…+60 °C | SILworX | 98 2200478|
Core Components and Safety Design
I/O circuit design:
Digital input: 20 non-isolated inputs, supplied in 5 groups (4 inputs per group; LS+ is a short-circuit-protected 24 V supply). The inputs follow "de-energize to trip" logic (on a fault the input takes the low-level safe state) and can be configured with line control to detect short circuits and open circuits;
Digital output: 8 non-isolated outputs. Channels 1-3 and 5-7 have a rated current of 0.5 A (60 °C); channels 4 and 8 support 1 A (60 °C) or 2 A (50 °C). An overloaded output switches off automatically and retries periodically, and a short circuit triggers a fault alarm;
Fault response mechanism: When an input/output fault (such as an open circuit or output overload) is detected on a single channel, only that channel is switched off. If the controller as a whole fails, all outputs are switched off, the FAULT LED is activated and a fault code is reported (for example, 0x0001 indicates an input module fault and 0x0200 indicates that the total current exceeds the limit);
Self-test function: supports MOT (maintenance testing) and FTT (fault tolerance time) testing, detects hardware faults (such as processor abnormalities) and software errors (such as cycle time exceeding limits), and switches off the outputs on overheating (first-level overheating code 0x0400, second-level overheating code 0x0800).
(2) Hardware Structure and Interface
Key parameters
|Parameter | Value | Notes|
|Storage capacity | Version < 6.46: 500 kB program/data; Version ≥ 7: 1023 kB program/data; Version 6.100: 2047 kB program/data | Accommodates user programs of different complexity|
|Response time | ≥ 20 ms | Meets the real-time requirements of small and medium-sized safety applications|
|Communication interface | 4 x RJ-45 (SafeEthernet), 3 x 9-pin D-sub (FB1/FB2/FB3, supports PROFIBUS/RS485, etc.) | Supports safety-related and standard communication protocols|
|Clock buffer | Integrated gold capacitor, maintains the clock for about 1 week after power failure | Ensures time synchronization continuity|
|Dimensions (H × W × D) | 114 × 257 × 66 mm (including fasteners) | Weight approximately 1.2 kg; supports 35 mm DIN rail installation|
Grouping and meaning of LED indicator lights
There are 5 groups of LEDs on the front of the controller; all of them light up in a lamp test at power-on. The status meanings of each indicator are as follows:
Working voltage light (24 VDC, green): steady on indicates normal power supply, off indicates no voltage;
System lights (red/yellow, 6 lights):
RUN (green): steady on indicates normal operation (executing the user program), slow flashing indicates STOP state or that the operating system is being loaded;
ERROR (red): steady on indicates the ERROR STOP state (such as a hardware failure), slow flashing indicates an operating system failure that requires reloading;
PROG (yellow): steady on indicates that a configuration is being loaded, slow flashing indicates switching to STOP state or that the operating system is being loaded;
FORCE (yellow): steady on indicates that forcing is active in RUN state, slow flashing indicates that forcing is prepared in STOP state;
FAULT (yellow): steady on indicates a damaged configuration or operating system, slow flashing indicates an I/O fault;
OSL/BL (yellow): slow flashing indicates that the emergency loader is active or that the boot loader has failed;
Communication light (green/yellow next to RJ-45): green steady on indicates full duplex, green flashing indicates a collision; yellow steady on indicates a normal physical connection, yellow flashing indicates data transmission;
I/O light (DI 1-20/DO 1-8, yellow): steady on indicates that the channel is energized (input active/output switched on), off indicates that the channel is de-energized (safe state);
Fieldbus light (FB1-3, yellow): the status depends on the protocol (for example, steady on when PROFIBUS communication is normal); refer to the corresponding communication manual for details.
Reset button function
A recessed reset button is located in the upper left corner of the controller (pressed through the hole with an insulated pin). It is intended only for cases where the administrator account has been forgotten or the IP address does not match: while restarting the controller, press and hold the reset button for ≥ 20 seconds to restore the default parameters (IP: 192.168.0.99; SRS: 60000.0.0) and clear the user accounts (only the default administrator account is retained, with an empty password). Attention: before resetting, all fieldbus plugs must be unplugged to avoid interfering with communication with other devices.
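A controller left in the post-reset state described above (default IP and SRS, single administrator account, empty password) is reachable by anyone on the same segment, so it is worth checking an asset inventory for it. The following is an added example, not HIMA code: the CSV layout, column names and sample rows are constructed assumptions, and only the two default values come from this page.

```python
import csv
import io

# Factory defaults restored by the reset button, as stated on this page.
DEFAULT_IP = "192.168.0.99"
DEFAULT_SRS = "60000.0.0"

# Constructed sample inventory (hypothetical export format, not a HIMA file format).
SAMPLE_INVENTORY = """name,ip,srs,accounts,admin_password_set
press-line-1,10.20.30.11,60001.0.0,administrator;maint,yes
burner-mgmt,192.168.0.99,60000.0.0,administrator,no
tank-farm,10.20.30.13,60000.0.0,administrator;ops,yes
"""

def audit_row(row):
    """Return the list of factory-default findings for one inventory row."""
    findings = []
    if row["ip"].strip() == DEFAULT_IP:
        findings.append("factory-default IP address")
    if row["srs"].strip() == DEFAULT_SRS:
        findings.append("factory-default SRS")
    if row["admin_password_set"].strip().lower() != "yes":
        findings.append("administrator password empty")
    accounts = [a for a in row["accounts"].split(";") if a.strip()]
    if len(accounts) <= 1:  # assumption: a lone account is the default administrator
        findings.append("only the default administrator account exists")
    return findings

def audit_inventory(text):
    """Map controller name -> findings, for rows with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_row(row)
        if findings:
            report[row["name"]] = findings
    return report

def looks_factory_reset(findings):
    """All four findings together match the post-reset state described above."""
    return len(findings) == 4

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        tag = "RESET STATE" if looks_factory_reset(findings) else "review"
        print(f"{name}: {tag}: {', '.join(findings)}")
```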
Installation and configuration process
(1) Controller installation and wiring
Installation prerequisites
The controller must be mounted on a 35 mm DIN rail with space left around it for heat dissipation (power loss of 12-33 W; avoid close proximity to heat-generating equipment);
Ex Zone 2 installation has additional requirements: enclosure protection level ≥ IP54 (compliant with EN 60529), the enclosure must carry a "work only when de-energized" warning, and the installation must use a 10 A time-delay fuse and a PELV/SELV power supply and follow the EN 60079-15 standard (terminal wiring, creepage distance, etc.).
Wiring specifications
Power wiring: Connect the positive terminal of the 24 VDC supply to the "LS+" terminal and the negative terminal to the "L-" terminal. An independent power supply is required so that the supply line is not shared with power circuits;
Digital input wiring: the 20 inputs are divided into 5 groups, each with its own "LS+" (sensor supply) and "L-" (ground); for example, DI 1-4 use terminals 13 (LS+) to 17 (DI4) and 18 (L-). Passive contacts and active signals are supported (for active signals the corresponding "L-" must be connected);
Digital output wiring: the 8 outputs are divided into 2 groups, each with its own "LS+" (common terminal) and "L-" (ground); for example, DO 1-4 use terminals 1 (LS+) to 5 (DO4) and 6 (L-). Channels 4 and 8 support high loads (2 A at 50 °C), and inductive loads require a freewheeling diode in parallel;
Communication wiring: the RJ-45 interfaces connect to the SafeEthernet network and support a daisy-chain topology. The D-sub interfaces (FB1-3) connect to a fieldbus (such as PROFIBUS/RS485) and require shielded cables (shield grounded at one end to reduce interference).
(2) Software configuration
SILworX configuration (version ≥ 7)
Core Parameters (Module tab):
Basic parameters: Configure the controller name, IP address (default 192.168.0.99), subnet mask, and SRS (System.Rack.Slot address, default 60000.0.0);
Line monitoring: Set the number of pulse channels (e.g. 1 means the DO1 pulse is used to test the line), the pulse delay (waiting time for line fault detection), and the pulse slot (fixed at 3);
Fault monitoring: Enable MOT/FTT testing and read fault codes (for example, 0x0010 indicates an input short circuit and 0x0002 indicates an output safety shutdown fault).
Input channel configuration (DI 20: Channels tab): Assign global variables to each input (DI1-DI20), set the pulse channel (such as 1 for receiving DO1 pulses), and monitor single-channel faults (such as 0x80 for an open circuit);
Output channel configuration (DO 8: Channels tab): Assign global variables to each output (DO1-DO8), set output values (1 = energized, 0 = de-energized), and monitor single-channel faults (such as 0x02 indicating channel overload).
ELOP II Factory configuration (version < 7)
System signals are assigned to I/O channels through the "Signal Editor", with configuration parameters similar to those in SILworX. The core difference lies in the mapping method (signals are associated with channels by signal name rather than by variable assignment); the fault codes and status definitions are the same (for example, Mod. Error Code 0x0010 indicates a configuration error).
Operation, maintenance, and troubleshooting
(1) Daily operation and diagnosis
Operation monitoring
Real-time status can be read from the LEDs: a steady RUN light indicates normal operation, a lit ERROR/FAULT light indicates a fault, and each I/O light shows the state of its channel;
Detailed diagnosis: Read fault logs (such as line short circuit or output overload) through the programming tools, which also support online viewing of I/O feedback values (to confirm that commands match the actual state). The SOE function records 5000 events (resolution 1 ms) for fault tracing.
Common faults and solutions
|Fault symptom | Possible causes | Troubleshooting steps|
|All outputs are unresponsive (all I/O lights are off) | 1. The controller has not entered the RUN state; 2. The total current exceeds the limit; 3. Power supply failure | 1. Check the RUN light (whether the controller is in RUN); 2. Read DO.Error Code (whether it is 0x0200); 3. Measure the 24 VDC power supply|
|Single input fault (DI light off, fault code 0x80) | 1. Line open circuit; 2. Sensor power supply failure; 3. Pulse channel configuration error | 1. Check the input wiring (for looseness); 2. Measure the LS+ voltage (whether it is 24 V); 3. Confirm that the pulse channel matches the DO configuration|
|Communication interruption (communication light off) | 1. IP address conflict; 2. Cable fault; 3. Fieldbus protocol mismatch | 1. Check that the controller IP and the PADT are on the same network segment; 2. Replace the communication cable; 3. Confirm that the fieldbus protocol (such as the PROFIBUS slave address) is configured correctly|
(2) Maintenance and Lifecycle Management
Regular maintenance
Operating system update: Use scheduled system downtime to load the latest operating system version through the programming tools (the controller must be in STOP state), and back up the configuration before updating to avoid data loss;
Proof Test: Conducted every 10 years. The test covers I/O channel continuity, the line monitoring function, fault response (such as simulated overheating), and communication link integrity. Refer to the HIMA Safety Manual (HI 800 023 E).
Scrap and transportation
Scrap: Industrial users must dispose of controllers, which contain electronic components, in accordance with environmental protection requirements and can contact HIMA to arrange a disposal agreement; arbitrary disposal is prohibited;
Transportation/Storage: The original anti-static packaging should be used, mechanical impact and humid environments should be avoided, and the storage temperature should be kept within -40...+85 °C.