This is the web edition of the original AC500-S safety user manual, version 1.3.2. This web edition is provided for quick reference only. The original safety user manual must be used to meet functional safety application requirements.
The safety CPU is not equipped with a battery. Therefore, all operands are initialized once the control voltage is switched on. Data exchange between safety and non-safety CPUs is possible.




DANGER

Transferring data values from the non-safety CPU to the safety CPU is not recommended. If it is done nevertheless, end users have to define additional process-specific validation procedures in the safety program to check the correctness of the transferred non-safety data before those non-safety values are used for safety functions.
It is of no concern to transfer data values from safety CPU to non-safety CPU, e.g., for diagnosis and later visualization on operator panels.
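One way the process-specific validation described above could look, as an added example that is not part of the ABB manual or its libraries: a Structured Text function block that accepts a value from the non-safety CPU only while it lies inside a plausible range and an accompanying life counter keeps changing, and otherwise substitutes a safe value. The block name, all variables, the life counter and the limits are assumptions; the actual checks have to be derived from the process.

```iecst
FUNCTION_BLOCK FB_ValidateNonSafetyValue
(* Hypothetical block: every name and limit below is an assumption *)
VAR_INPUT
    iRawValue       : INT;   (* value received from the non-safety CPU *)
    wLifeCounter    : WORD;  (* counter the non-safety CPU changes with each update *)
    iMin            : INT;   (* lowest value the process can plausibly reach *)
    iMax            : INT;   (* highest value the process can plausibly reach *)
    wMaxStaleCycles : WORD;  (* safety cycles tolerated without a counter change;
                                the task is free-wheeling, so this is a cycle
                                count and not a fixed time *)
    iSafeValue      : INT;   (* substitute that keeps the safety function safe *)
END_VAR
VAR_OUTPUT
    iValue : INT;            (* value the safety function is allowed to use *)
    xValid : BOOL;           (* TRUE only while all checks pass *)
END_VAR
VAR
    wLastCounter : WORD;
    wStaleCycles : WORD;
    xFresh       : BOOL;     (* FALSE after power-on until a first update is seen *)
    xInRange     : BOOL;
END_VAR

(* Freshness: the data counts as live only after the counter has changed
   at least once and while it keeps changing. *)
IF wLifeCounter <> wLastCounter THEN
    wLastCounter := wLifeCounter;
    wStaleCycles := 0;
    xFresh := TRUE;
ELSIF wStaleCycles < wMaxStaleCycles THEN
    wStaleCycles := wStaleCycles + 1;
ELSE
    xFresh := FALSE;
END_IF;

(* Range: reject anything outside the plausible process window. *)
xInRange := (iRawValue >= iMin) AND (iRawValue <= iMax);

(* Never pass an unchecked non-safety value on to the safety function. *)
xValid := xFresh AND xInRange;
IF xValid THEN
    iValue := iRawValue;
ELSE
    iValue := iSafeValue;
END_IF;
END_FUNCTION_BLOCK
```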
Self-tests and diagnostic functions (both start-up and runtime), like CPU and RAM tests, program flow control, etc. are implemented in the safety CPU according to IEC 61508 requirements.
Selected data can be stored fail-safe and permanently in the flash memory of the safety CPU using the special library POUs SF_FLASH_READ, SF_FLASH_WRITE and SF_FLASH_DEL.
The safety CPU is a single-threaded, single-task CPU. Only one free-wheeling program task is available for safety program execution. The free-wheeling task is processed as soon as the safety program is started and, at the end of each run, is automatically restarted in a continuous loop. For this task, the cycle time is not adjustable, but users can supervise the cycle time of the safety CPU using the special library POU SF_WDOG_TIME_SET.
The watchdog time of the safety CPU set using SF_WDOG_TIME_SET is the maximum permissible time for one cycle. If the time set in SF_WDOG_TIME_SET is exceeded during program execution on the safety CPU, the safety CPU goes to a SAFE STOP state (no valid telegrams are generated by the device) with I-ERR LED = ON.




NOTICE

POU SF_WDOG_TIME_SET must be called in the user program only once, to set a watchdog value greater than 0. If SF_WDOG_TIME_SET is not called in the user application program, the default watchdog time = 0 is used, which leads the safety CPU directly to a SAFE STOP state with I-ERR LED = ON.
To avoid occasional stops of the safety CPU due to a cycle time overrun detected by the cycle time monitoring, one shall observe the safety CPU load during the test run of the user application program to make sure that the selected watchdog monitoring value was set correctly.




NOTICE

The watchdog value set in POU SF_WDOG_TIME_SET is used for the safety CPU cycle time monitoring only in RUN (safety) mode. In DEBUG RUN (non-safety) and DEBUG STOP (non-safety) modes of the safety CPU, the watchdog value is ignored.
Using the special PLC browser command "setpwd", it is possible to set a password for the safety CPU to prevent unauthorized access to its data (application project, etc.). Without knowledge of this password, no connection to the safety PLC can be established.