This is the web edition of the original AC500-S safety user manual, version 1.3.2. This web edition is provided for quick reference only. The original safety user manual must be used to meet functional safety application requirements.
INIT
This is a temporary system state which is left after internal safety diagnostic tests and start-up procedures are executed. Refer to (Fig.407) to see the LED states.
RUN

In this state, the safety application is normally executed, provided that the boot project is loaded. No error of severity level 1 or 2 is present.
In AC500-S Programming Tool, all online services from the “Online” menu are available for users, but only three of them can be executed without leaving RUN state: “Login”, “Logout” and “Check boot project in PLC”. All other services (e.g., set a breakpoint) switch the safety CPU to non-safety DEBUG states (DEBUG RUN or DEBUG STOP).
SAFE STOP

The safety CPU goes to SAFE STOP state if an error of severity level 1 or 2 is identified. All PROFIsafe output telegrams are nulled (no valid PROFIsafe telegrams are generated in this state). In AC500-S Programming Tool, no online services from “Online” menu are available for users.
This state can be left only after a power cycle or using “reboot” PLC browser/shell command on non-safety CPU.
DEBUG RUN

DEBUG RUN (non-safety) state can be reached if online services from “Online” menu are used (except “Login”, “Logout” and “Check boot project in PLC”) from safe RUN state. The user can set a breakpoint in the safety program, perform “Single cycle” program execution, force and write variable values and execute other debugging functions available in AC500-S Programming Tool.
If online service “Stop” is called or the breakpoint is reached in the safety application program, the safety CPU switches to DEBUG STOP (non-safety) state.
Valid PROFIsafe safety telegrams are generated in DEBUG RUN state. DEBUG RUN state is non-safe, thus, the responsibility for safe process operation lies entirely with the organization and person responsible for the activation of DEBUG RUN (non-safety) mode.
One can go back to a safe RUN state only after a power cycle or using “reboot” PLC browser/shell command on non-safety CPU.




DANGER

The safety functionality and, as a result, safe process operation, is no longer guaranteed by the safety CPU in the DEBUG RUN (non-safety) or DEBUG STOP (non-safety) mode.
In case of DEBUG RUN (non-safety) or DEBUG STOP (non-safety) mode activation on the safety CPU, the responsibility for safe process operation lies entirely with the organization and person responsible for the activation of DEBUG RUN (non-safety) or DEBUG STOP (non-safety) mode.
With the help of the POU SF_SAFETY_MODE, one can determine whether the safety CPU is in SAFETY or DEBUG (non-safety) mode and, if required, stop or limit user application program execution (see “SF_SAFETY_MODE”).
DEBUG STOP
[Figures: DEBUG STOP without error of severity level 3 or 4, and with error of severity level 3 or 4]
In this non-safe state, a user is able to intervene in safety program execution by setting breakpoints, etc., similar to DEBUG RUN state. The safety application program is not executed in DEBUG STOP (non-safety) state. The PROFIsafe F-Host and F-Devices (SM560-S-FD-1 and SM560-S-FD-4) of the safety CPU send PROFIsafe telegrams with fail-safe "0" values and set FV_activated for all safety I/O modules and F-Devices.




DANGER

Since PROFIsafe F-Host continues to run in DEBUG STOP (non-safety) state, it is possible to reintegrate passivated safety I/O modules and bring them into the safety RUN state. One can force variables for safety I/O modules, for example, to activate safety outputs.
In case of DEBUG RUN (non-safety) or DEBUG STOP (non-safety) mode activation on the safety CPU, the responsibility for safe process operation lies entirely with the organization and person responsible for the activation of DEBUG RUN (non-safety) or DEBUG STOP (non-safety) mode.
If online service “RUN” is called in the safety application program, the safety CPU switches to DEBUG RUN state.
All online services are available in this state.
In case of online commands “Step in”, “Step over”, “Single cycle” and when the breakpoint is reached, there is a switch between DEBUG RUN and DEBUG STOP states (transitions 13 and 14 in Fig.408).
One can go back to a safe RUN state only after a power cycle or using “reboot” PLC browser/shell command on non-safety CPU.
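The state rules above can be replayed over a record of engineering-tool actions to find the point at which the safety CPU left safe RUN and whether a reboot followed. The Python model below is an added example for this web edition, not ABB code or part of the original manual. Assumptions: the event labels are constructed, an error-free start-up is taken to end in RUN, “Stop” issued from RUN is modelled as passing through DEBUG RUN, and an error of severity level 1 or 2 is applied in every state.

```python
# Added model of the state rules on this page; event labels are constructed.
RUN_SAFE_SERVICES = {"login", "logout", "check boot project in plc"}
NON_SAFE_STATES = {"DEBUG RUN", "DEBUG STOP"}

def next_state(state, kind, name):
    """Return the state after one event; kind is 'online' or 'system'."""
    name = name.lower()
    if kind == "system" and name in ("power cycle", "reboot"):
        return "INIT"                    # only exit from SAFE STOP and DEBUG
    if state == "SAFE STOP":
        return state                     # no online services available
    if kind == "system" and name == "error severity 1 or 2":
        return "SAFE STOP"
    if state == "INIT":
        # Assumption: start-up tests passed and the boot project is loaded.
        return "RUN" if (kind, name) == ("system", "start-up done") else state
    if kind == "system" and name == "breakpoint reached":
        return "DEBUG STOP" if state == "DEBUG RUN" else state
    if kind != "online":
        return state
    if state == "RUN":
        if name in RUN_SAFE_SERVICES:
            return state
        state = "DEBUG RUN"              # any other service leaves safe RUN
    # Stepping services are not modelled: the state stays in DEBUG either way.
    return {"stop": "DEBUG STOP", "run": "DEBUG RUN"}.get(name, state)

def audit(events, state="RUN"):
    """Replay events; report each point where a safe state became non-safe."""
    findings = []
    for index, (kind, name) in enumerate(events):
        new_state = next_state(state, kind, name)
        if new_state in NON_SAFE_STATES and state not in NON_SAFE_STATES:
            findings.append((index, name, new_state))
        state = new_state
    return state, findings

# Constructed engineering session, not a real log.
SESSION = [
    ("online", "Login"),
    ("online", "Check boot project in PLC"),
    ("online", "Set breakpoint"),
    ("system", "breakpoint reached"),
    ("online", "Run"),
    ("online", "Logout"),
    ("system", "reboot"),
    ("system", "start-up done"),
]
```

Calling `audit(SESSION[:6])` replays the session up to “Logout” and ends in DEBUG RUN, which shows that logging out does not restore the safe state; only the reboot in the full session does.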