dl-breadcrumbs__homedl-breadcrumb-item__separatorAC500-S safety PLCdl-breadcrumb-item__separatorSafety user manual V1.3.2dl-breadcrumb-item__separator...dl-breadcrumb-item__separatorAppendixdl-breadcrumb-item__separatorUsage of safety CPU with AC500 V3 non-safety CPU PM56xxdl-breadcrumb-item__separatorAC500 V3 non-safety CPU parameters configuration
dl-pagination__prev-inactivedl-pagination__prev-activedl-pagination__next-inactivedl-pagination__next-active
AC500 V3 non-safety CPU parameters configuration

This is the web edition of the original ‎⮫ AC500-S safety user manual, version 1.3.2. This web edition is provided for quick reference only. The original safety user manual must be used to meet functional safety application requirements.

If non-safety CPU is stopped, the safety CPU will go to DEBUG STOP (non-safety) state (Fig.408) and safety I/O modules will immediately switch to RUN (module passivation with a command) state (Fig.411).

Later, if the safety CPU changes to DEBUG RUN (non-safety) state, e.g., after switching non-safety CPU back to RUN state, the safety I/O modules will immediately change to RUN (ok) state (Fig.411) and deliver valid process values to the safety CPU without the need for reintegration.

NOTICE

NOTICE
NOTICE
NOTICE

NOTICE

NOTICE

The described behavior with AC500 V3 non-safety CPUs is different to the behavior with AC500 V2 non-safety CPUs. If you are familiar with AC500 V2 non-safety CPUs, you need to know the following differences:

If AC500 V2 non-safety CPU is stopped, the safety CPU will go to DEBUG STOP (non-safety) state and safety I/O modules will go to RUN (module passivation) state (Fig.411).

If the safety CPU changes to DEBUG RUN (non-safety) state, the safety I/Os have to be reintegrated first by going through the RUN (user acknowledgement request) state (Fig.411) and only then deliver current valid process outputs to the safety CPU.

The following settings of AC500 non-safety module configuraton influence the overall system behavior of safety and non-safety CPUs.

Settings for non-safety CPU in Automation Builder:

  • Tab “PLC Settings”

    • “Bus cycle task”

  • Tab “CPU-Parameters Parameters”

    • “Stop on error class”

Settings for I/O bus in Automation Builder:

  • Tab I/O-Bus I/O Mapping”

    • “Bus cycle task”

Settings for communication module in Automation Builder:

  • Tab “PROFINET-IO-Controller I/O Mapping” / “PROFINET-IO-Device I/O Mapping”

    • “Bus cycle task”

The settings for these parameters do not compromise on system safety.

“Bus cycle task”

We strongly recommend to read the AC500 user documentation on this topic to get an understanding of parameter “Bus cycle task” for the above listed settings and dependencies on other parameters.

⮫ “Bus Cycle Task”

The settings have to be considered carefully. On the one hand, to avoid any overload scenarios on the non-safety CPU. On the other hand, not to exceed the SFRT.

One easy possibility to set up the bus cycle

  1. Set a global bus cycle time in tab “PLC Settings” by assigning “Bus cycle task” with a task.

  2. Keep the default values for the bus cycle task for I/O bus and communication modules.

With these settings, both bus cycle times for I/O bus and communication modules are driven from the non-safety CPU with the cycle time of the assigned task (in tab “PLC Settings”).

NOTICE

NOTICE
NOTICE
NOTICE

NOTICE

NOTICE

The value of safety CPU parameter “Update cycle time” is the limitating bus cycle time for I/O bus and communication modules. If higher values for the bus cycle tasks are assigned for I/O bus and communication module, they will be limited to the lower value of “Update cycle time”. If lower values for the bus cycle tasks are assigned for I/O bus and communication module, they will be kept as they are.

NOTICE

NOTICE
NOTICE
NOTICE

NOTICE

NOTICE

The cycle times for I/O bus and communication modules affect the SFRT of your system. ⮫ “Safety function response time”

“Stop on error class”

Parameter in tab “CPU-Parameters Parameters” of non-safety CPU.

Value “Diagnosis of at least error class 2” (default)

If an error of severity level 1 or 2 occurs, non-safety CPU and safety CPU will be stopped. If present on the given safety CPU, PROFIsafe F-Host and F-Device stacks continue running on the safety CPU with fail-safe values.

Value “Diagnosis of at least error class 3”

If an error of severity level 1, 2 or 3 occurs, non-safety CPU and safety CPU will be stopped. If present on the given safety CPU, PROFIsafe F-Host and F-Device stacks continue running on safety CPU with fail-safe values.

Value “Diagnosis of at least error class 4”

If an error of severity level 1, 2, 3 or 4 occurs, non-safety CPU and safety CPU will be stopped. If present on the given safety CPU, PROFIsafe F-Host and F-Device stacks continue running on safety CPU with fail-safe values.