HIMA HIMA-HIMATRIX-F35 Safety Logic Solver – HIMatrix Series
- Reply by email: [email protected]
- WhatsApp / Tel: +86 18359268345
- Mon-Sat 9:00-18:00 GMT+8
Key Product Information
Core fields for model confirmation and RFQ routing. Detailed product narrative remains below.
- Brand: HIMA
- Primary Part Number: HIMA-HIMATRIX-F35
- Product Type: Safety Logic Solver
- Product Family: Other series
- Manufacturer: HIMA Paul Hildebrandt GmbH, Brühl, Germany
- Country of Origin: DE
- Catalog Category: DCS & Safety Modules
- Operating Temp.: −20 °C to +60 °C
- Warranty: 12 months from shipment date; manufacturing defects covered; replacement or refund within 30 days of verified claim
HIMA HIMATRIX-F35: Distributed SIL 3 Safety Logic Solver for Independent Field-Level Safety Execution
The HIMA HIMATRIX-F35 is a compact, DIN-rail-mounted safety logic solver designed to execute SIL 3 safety functions autonomously at the field level, without dependency on a centralized safety controller or host PLC. Certified to IEC 61508 Edition 2 by TÜV Rheinland and loop-capable to SIL 3 under IEC 61511, the HIMATRIX-F35 occupies the logic layer of a Safety Instrumented System (SIS) as a self-contained node: it acquires field signals, processes certified safety logic, and drives output actuators within a single enclosure rated IP20 for DIN-rail installation.
This architectural autonomy is not a software configuration — it is a physical design property of the HIMatrix platform. Each HIMATRIX-F35 node holds its own compiled safety application in non-volatile memory, executes it on a dual-core lockstep processor, and maintains its own SafeEthernet watchdog state independently of any upstream system. In distributed SIS topologies — offshore platforms, pipeline compressor stations, chemical reactor skids — where routing dedicated safety cabling to a central cabinet is cost-prohibitive or physically constrained, the HIMATRIX-F35 allows safety functions to be placed at the point of measurement and actuation, reducing field wiring length, lowering installation cost, and eliminating the single-point-of-failure risk inherent in centralized safety architectures.
SIL 3 capability is achieved in a 1oo1D (one-out-of-one with diagnostics) single-unit configuration. The design reaches the required Probability of Failure on Demand (PFD) through diagnostic coverage (DC) ≥ 99% for critical failure modes — a figure certified by TÜV Rheinland — rather than through hardware redundancy. For applications requiring both SIL 3 integrity and high process availability, two HIMATRIX-F35 nodes can be coupled in a distributed 1oo2 voting configuration via SafeEthernet, with no additional backplane hardware or chassis modification required.
Technical Parameters
| Parameter | Value |
| --- | --- |
| Part Number / SKU | HIMA-HIMATRIX-F35 |
| Manufacturer | HIMA Paul Hildebrandt GmbH, Brühl, Germany |
| Safety Integrity Level | SIL 3 per IEC 61508 Ed. 2; SIL 3 loop per IEC 61511 |
| Safety Architecture | 1oo1D single-unit; distributed 1oo2 via SafeEthernet peer coupling |
| Processing Core | Dual-core lockstep processor; hardware cross-comparator per scan cycle |
| Diagnostic Coverage (DC) | ≥ 99% for critical failure modes (TÜV Rheinland certified) |
| Safety Cycle Time | ≤ 10 ms typical; hardware watchdog enforces maximum cycle budget |
| Digital Inputs | Up to 24 DI; 24 VDC nominal; per-channel 1oo1 or 1oo2 input voting configurable |
| Digital Outputs | Up to 16 DO; relay or transistor; hardware short-circuit and overload protection |
| Analog Inputs | Up to 8 AI; 4–20 mA / 0–10 V; 12-bit SAR ADC; hardware wire-break detection < 3.6 mA |
| I/O Isolation | Per-channel optical isolation; ≥ 500 V AC isolation voltage; fixed hardware characteristic |
| Communication — Safety | SafeEthernet (IEC 61784-3 black-channel); configurable watchdog 10–1000 ms |
| Communication — Non-Safety | Modbus TCP (read-only mirrored status); RS-485; optional PROFIBUS DP slave |
| Programming Environment | ELOP II Factory IDE; IEC 61131-3: LD, FBD, SFC, ST |
| Supply Voltage | 24 VDC nominal; operating range 18–32 VDC |
| Power Consumption | ≤ 15 W at 24 VDC nominal load |
| Operating Temperature | −20 °C to +60 °C |
| Storage Temperature | −40 °C to +85 °C |
| Relative Humidity | 5–95% RH, non-condensing |
| Enclosure / Mounting | IP20; 35 mm DIN-rail per EN 60715 |
| Dimensions (W × H × D) | Approx. 160 × 130 × 60 mm |
| Weight | Approx. 1.22 kg |
| Certifications | TÜV Rheinland (IEC 61508 Ed. 2); CE; cULus (optional); ATEX Zone 2 with certified enclosure |
| Country of Origin | Germany |
| HS Code | 8537.10 |
| Warranty | 12 months from shipment date; manufacturing defects covered; replacement or refund within 30 days of verified claim |
Hardware Logical Analysis
The HIMATRIX-F35 enforces the boundary between safety-critical signal paths and non-safety communication infrastructure at the component level. Each digital input channel is routed through a dedicated phototransistor optical isolator with a rated isolation voltage of ≥ 500 V AC. This galvanic barrier is a fixed hardware property — it is not configurable by the application program and cannot be bypassed through software — which means the isolation characteristic holds regardless of the application logic state. In practical terms, ground loop currents, common-mode transients from inductive field loads, and conducted EMI from adjacent variable-frequency drives cannot propagate from the field wiring into the logic layer. This is particularly relevant in retrofit installations where the plant earthing infrastructure may not meet current IEC 60364 standards.
The dual-core lockstep architecture runs an identical compiled safety application on both processor cores simultaneously. A dedicated hardware comparator circuit evaluates the output registers of both cores at the conclusion of every scan cycle. This comparison is performed entirely in hardware — not by a software watchdog task — which bounds the fault detection latency to the comparator propagation delay, measured in nanoseconds, rather than to the application cycle time. Any bit-level divergence between the two output register sets, regardless of root cause — single-event upset from cosmic radiation, memory cell wear, or arithmetic pipeline fault — triggers an immediate transition to the defined safe state via a hardware output de-energization path that is physically separate from the normal output driver circuit. This de-energization path is exercised automatically during the power-on self-test (POST) sequence and at configurable runtime intervals, with test results written to a non-volatile diagnostic log accessible via SafeEthernet without interrupting the running safety application.
Analog input channels employ 12-bit SAR ADCs with hardware-implemented wire-break detection. A 4–20 mA channel reading below 3.6 mA is classified as a wire-break fault within one scan cycle and generates a diagnostic alarm at the application layer without requiring the safety engineer to implement range-checking logic in the application program. This hardware-level fault detection contributes directly to the diagnostic coverage calculation for the overall safety loop and can support extended proof-test intervals under IEC 61511 Clause 16 by reducing the residual undetected failure rate of the input subsystem.
The SafeEthernet protocol stack conforms to the IEC 61784-3 black-channel safety communication profile. Each safety telegram carries five independently validated fields: sequence number, timestamp, source node identifier, destination node identifier, and a CRC-32 checksum computed over the payload. The receiving node validates all five fields before acting on the data. A sequence number gap — indicating a dropped or delayed packet — causes the receiver to enter the safe state rather than act on stale data. This architecture permits safety-rated data exchange over standard managed Ethernet switches without a dedicated safety network, provided worst-case network latency remains within the configured SafeEthernet watchdog timeout, which is application-configurable from 10 ms to 1000 ms.
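The receive-side checks described above can be sketched as follows. This is an added example, not HIMA code and not the SafeEthernet wire format: the byte layout, the `Receiver` class and its field names are constructed for illustration, and it assumes that a telegram failing the CRC, address or timestamp check is discarded (leaving the watchdog to expire), while a sequence gap forces the safe state as the page states.

```python
import struct
import zlib
from dataclasses import dataclass

# Constructed layout for illustration (NOT the real SafeEthernet wire format):
# seq:u32 | timestamp_ms:u32 | src:u16 | dst:u16 | payload | crc32(payload):u32
HEADER = struct.Struct(">IIHH")

def build_telegram(seq, ts_ms, src, dst, payload):
    """Sender side: pack the four header fields, payload and payload CRC-32."""
    return HEADER.pack(seq, ts_ms, src, dst) + payload + struct.pack(">I", zlib.crc32(payload))

@dataclass
class Receiver:
    node_id: int
    peer_id: int
    watchdog_ms: int        # the page gives 10-1000 ms as the configurable range
    last_seq: int = -1      # -1 means no telegram accepted yet
    last_rx_ms: int = 0
    safe_state: bool = False
    reason: str = ""

    def _reject(self, reason, trip=False):
        self.reason = reason
        self.safe_state = self.safe_state or trip
        return None

    def poll(self, now_ms):
        """Run every cycle: trip when no valid telegram arrived within the watchdog."""
        if not self.safe_state and now_ms - self.last_rx_ms > self.watchdog_ms:
            self._reject("watchdog timeout", trip=True)
        return self.safe_state

    def receive(self, frame, now_ms):
        """Return the payload only if all five fields validate; otherwise None."""
        if self.safe_state:
            return None                       # safe state is latched
        if len(frame) < HEADER.size + 4:
            return self._reject("truncated")
        seq, ts_ms, src, dst = HEADER.unpack_from(frame)
        payload = frame[HEADER.size:-4]
        if zlib.crc32(payload) != struct.unpack(">I", frame[-4:])[0]:
            return self._reject("crc mismatch")
        if src != self.peer_id or dst != self.node_id:
            return self._reject("wrong source/destination")
        if now_ms - ts_ms > self.watchdog_ms:  # assumes sender and receiver share a clock
            return self._reject("stale timestamp")
        if self.last_seq >= 0 and seq != (self.last_seq + 1) & 0xFFFFFFFF:
            return self._reject("sequence gap", trip=True)  # behaviour stated on the page
        self.last_seq, self.last_rx_ms = seq, now_ms
        return payload
```

A CRC detects accidental corruption in transit, not deliberate modification, so these checks address communication faults and are not message authentication; network segmentation and access control for the switches carrying the safety traffic remain a separate design task.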
System Integration Benefits
- Node-level autonomy removes central controller as single point of failure: Each HIMATRIX-F35 executes its safety application independently. A fault in one node affects only the local safety function; all other nodes continue operating. Distributed SIS architectures can be built without a master safety PLC, eliminating the topology-level single point of failure that centralized architectures carry by design.
- Hardware watchdog enforces deterministic cycle time: The onboard watchdog enforces the configured maximum scan cycle budget in hardware. If application logic complexity or communication processing causes a cycle overrun, the watchdog forces a safe-state transition before the next output update — preventing undefined output behavior that a software-only watchdog cannot guarantee.
- Live diagnostic readout without process interruption: CPU core health, per-channel I/O status, SafeEthernet watchdog state, supply voltage level, and internal temperature are all readable in real time via SafeEthernet during live operation. Maintenance engineers can assess system health and schedule condition-based maintenance without initiating a planned shutdown.
- IEC 61131-3 language portability reduces vendor lock-in: Safety logic is authored in ELOP II Factory using standard IEC 61131-3 languages (LD, FBD, SFC, ST). The compiled application is auditable by any qualified safety engineer without proprietary toolchain access, simplifying third-party safety lifecycle audits and reducing long-term vendor dependency risk.
- 1oo2 redundancy upgrade via configuration, not hardware replacement: Upgrading a simplex HIMATRIX-F35 installation to a 1oo2 redundant pair requires SafeEthernet cabling between two F35 nodes and a configuration change in ELOP II Factory. No additional backplane modules, chassis slots, or panel modifications are required, preserving the original installation layout.
- Defined safety/non-safety data boundary for DCS and SCADA integration: Modbus TCP and optional PROFIBUS DP interfaces expose only read-only mirrored status values to non-safety systems. Safety-rated process values and output commands are never transmitted on non-safety buses, preserving SIL 3 loop integrity against non-safety system faults or network-layer cyber events.
- Extended proof-test intervals reduce planned shutdown frequency: DC ≥ 99% for critical failure modes supports longer proof-test intervals compared to lower-DC architectures. Under IEC 61511 Clause 16, longer proof-test intervals translate directly to fewer planned shutdowns per year and lower lifecycle maintenance cost for the operator.
- Contractual 10-year product lifecycle with spare parts commitment: HIMA provides a documented minimum 10-year product lifecycle with guaranteed spare part availability. For brownfield plant operators managing 20–30 year asset lifecycles, this supply commitment is a quantifiable factor in total cost of ownership analysis and spare parts inventory planning.
Quality Assurance & Global Logistics
Every HIMATRIX-F35 unit dispatched from siemensplc.com is sourced through verified supply channels with full part number and serial number traceability to HIMA’s manufacturing records. At our Xiamen, China facility, each unit undergoes a structured incoming inspection before being listed as available stock: physical examination of housing integrity and label authenticity, part number and firmware revision verification against HIMA’s published product database, and a functional power-on test confirming normal POST completion and correct diagnostic LED status. Any unit that fails a single inspection step is quarantined and removed from available inventory immediately.
Original HIMA factory documentation — product datasheet, TÜV Rheinland certificate of conformity, and EU Declaration of Conformity — is available upon request and supplied with each shipment where documentation is held on file. For urgent plant maintenance requirements, buffer stock of high-demand HIMatrix modules is maintained at our Xiamen warehouse, enabling same-day dispatch for orders confirmed before 14:00 CST. International shipments are routed via DHL Express or FedEx International Priority as standard, with typical transit times of 3–5 business days to Europe, North America, Southeast Asia, and the Middle East. Full export documentation is prepared in-house: commercial invoice, packing list, certificate of origin, and destination-specific import compliance documents as required. EXW Xiamen and CIF destination Incoterms are both available. All shipments are insured at declared value. The 12-month warranty covers manufacturing defects from the shipment date, with warranty claims processed within 30 days and replacement or refund options available.
© 2026 siemensplc.com. All rights reserved.