This is the web edition of the original ⮫ AC500-S safety user manual, version 1.3.2. This web edition is provided for quick reference only. The original safety user manual must be used to meet functional safety application requirements.
-
Boot project availability on the safety CPU after power dip or incomplete power cycle
In the case of an under- or overvoltage, which can also be caused by an incomplete power cycle (power-off followed by power-on in less than 1.5 s), the safety CPU goes to the SAFE STOP state with the I-ERR LED ON. The boot project itself remains intact. To bring the safety CPU back to RUN mode, two consecutive power cycles are required: after the first power cycle the safety CPU enters the DEBUG STOP (non-safety) state with the DIAG LED ON; the second power cycle returns it to RUN (safety) mode.
-
Not possible to create a boot project for the safety CPU
Check whether the parameter "Enable Debug" for the safety CPU is set to "ON" in the Automation Builder project and whether the generated boot project was loaded to the non-safety CPU, followed by a power cycle.
-
After power cycle, the safety CPU goes into SAFE STOP state (I-ERR ON)
This situation can be caused by a corrupt boot project or by the rotary switch of the safety CPU being wrongly set to one of the values 0xFE, 0xFD or 0xFC. Another possibility is that the safety CPU was powered off for too short a time. To ensure a reliable restart, the power-off time must be ≥ 1.5 s.
-
Channel reintegration of AI581-S safety module is not possible after removal of the fault condition
A safety analog channel that has been passivated because of overcurrent or undercurrent (and only in that case) remains passivated for 30 s so that it can restore its initial properties; only then is it checked whether the error condition is still present. If the error has gone, the reintegration request signal for that channel is set to TRUE to allow channel reintegration. During those 30 s the safety analog channel cannot be reintegrated.
-
Process value of certain configured input is always FALSE (only in 2-channel evaluation mode)
Our modules are designed so that, in 2-channel mode, the lower channel (e.g., for the DX581-S module channels 0/4 ➔ channel 0, channels 1/5 ➔ channel 1, etc.) always transports the aggregated process value, the PROFIsafe diagnostic bit, the acknowledgment request and the acknowledge reintegration information. The higher channel always delivers the passivated value "0". A name mapping for the higher channel is therefore not required in 2-channel evaluation mode.
-
Acyclic non-safe data exchange takes a very long time
This behavior depends on the task configuration of your non-safety CPU. Reduce the cycle time of the task on the non-safety CPU in which the acyclic non-safe data exchange FBs are programmed (e.g., set the task cycle time to 1 ms) to obtain the best performance.
-
When should I use cyclic non-safe data exchange instead of acyclic non-safe data exchange?
If 84 bytes in acyclic non-safe data exchange are not enough or data exchange is too slow, you can use cyclic non-safe data exchange for data up to 2 kB with minimum programming effort.
In most safety applications, this functionality is not needed and, thus, shall not be used. However, if you still need it, refer to.
-
Is data communication using acyclic or cyclic non-safe data exchange safe?
Data communication using acyclic or cyclic non-safe data exchange is non-safe, because it is not protected by any functional safety measures for data communication; nothing in the transport itself detects corrupted, lost, repeated, delayed or misrouted data. Users may, however, implement their own safety profile on top of this non-safe communication using the so-called "black channel" principle: the safety layer at both ends adds and verifies its own integrity, sequence and timeliness checks, so that no safety claim rests on the transport. Contact ABB technical support for details.
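The following IEC 61131-3 Structured Text is an added illustration of the "black channel" principle described above; it is not ABB code and not a PROFIsafe implementation. It assumes an 8-byte payload, a consecutive number and a CRC-16 delivered by the peer over the non-safe exchange (the transfer FBs themselves are not shown), and a watchdog expressed in safety task cycles. A real safety profile such as PROFIsafe additionally authenticates the connection identity; that is omitted here.

```st
(* Added example, not ABB code: CRC-16/CCITT-FALSE step (poly 16#1021), MSB first *)
FUNCTION CRC16_Step : WORD
VAR_INPUT
    wCrc : WORD;
    byIn : BYTE;
END_VAR
VAR
    wAcc : WORD;
    j    : INT;
END_VAR
wAcc := wCrc XOR SHL(BYTE_TO_WORD(byIn), 8);
FOR j := 1 TO 8 DO
    IF (wAcc AND 16#8000) <> 0 THEN
        wAcc := SHL(wAcc, 1) XOR 16#1021;
    ELSE
        wAcc := SHL(wAcc, 1);
    END_IF
END_FOR
CRC16_Step := wAcc;
END_FUNCTION

(* Added example, not ABB code: receiver side of a minimal safety layer over a
   non-safe ("black") channel. Payload size, CRC and watchdog are assumptions. *)
FUNCTION_BLOCK FB_BlackChannelRx
VAR_INPUT
    xNewTelegram    : BOOL;                 (* TRUE for one cycle when a telegram arrived *)
    abyData         : ARRAY[0..7] OF BYTE;  (* payload delivered by the non-safe exchange *)
    byRxSeq         : BYTE;                 (* consecutive number written by the peer *)
    wRxCrc          : WORD;                 (* CRC over seq + payload written by the peer *)
    wWatchdogCycles : WORD;                 (* cycles tolerated without an accepted telegram *)
END_VAR
VAR_OUTPUT
    xValid : BOOL;                          (* TRUE while intact, in-order, timely data is held *)
    abyOut : ARRAY[0..7] OF BYTE;           (* accepted payload, or fail-safe zeros *)
END_VAR
VAR
    xSynced    : BOOL := FALSE;
    byExpected : BYTE := 0;
    wSilence   : WORD := 0;                 (* cycles since the last accepted telegram *)
    wCrc       : WORD;
    i          : INT;
    xAccept    : BOOL;
    xFail      : BOOL;
END_VAR

xAccept := FALSE;
xFail   := FALSE;

IF xNewTelegram THEN
    (* 1. integrity: recompute the CRC over consecutive number and payload *)
    wCrc := CRC16_Step(16#FFFF, byRxSeq);
    FOR i := 0 TO 7 DO
        wCrc := CRC16_Step(wCrc, abyData[i]);
    END_FOR
    IF wCrc = wRxCrc THEN
        (* 2. ordering: the first intact telegram synchronises the counter,
              afterwards every consecutive number must be exactly the expected one *)
        IF (NOT xSynced) OR (byRxSeq = byExpected) THEN
            xAccept := TRUE;
        ELSE
            xFail := TRUE;                  (* lost, duplicated or replayed telegram *)
        END_IF
    END_IF
    (* a CRC mismatch is dropped; persistent corruption is caught by the watchdog *)
END_IF

(* 3. timeliness: no accepted telegram within the watchdog window is a failure *)
IF NOT xAccept THEN
    IF wSilence < 16#FFFF THEN wSilence := wSilence + 1; END_IF
    IF wSilence > wWatchdogCycles THEN xFail := TRUE; END_IF
END_IF

IF xFail THEN
    (* fail-safe reaction: substitute zeros and force a fresh synchronisation *)
    xValid  := FALSE;
    xSynced := FALSE;
    FOR i := 0 TO 7 DO abyOut[i] := 0; END_FOR
ELSIF xAccept THEN
    wSilence := 0;
    xSynced  := TRUE;
    IF byRxSeq = 255 THEN byExpected := 0; ELSE byExpected := byRxSeq + 1; END_IF
    FOR i := 0 TO 7 DO abyOut[i] := abyData[i]; END_FOR
    xValid := TRUE;
END_IF
END_FUNCTION_BLOCK
```

The sender has to increment the consecutive number for every telegram and compute the same CRC over number and payload; the non-safe transfer in between is treated as untrusted and may corrupt, drop or repeat telegrams without affecting the safety claim, because each case ends in the fail-safe branch. The watchdog value must be derived from the real latency of the non-safe exchange (see the task cycle time note above), otherwise a correctly working link will trip the watchdog.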
-
No detection of wire cross-talk or short circuit to 24 V DC for S-DOs of DX581-S. Why and how to solve this problem?
The outputs of the DX581-S safety module are decoupled from the connected load. This is necessary so that the connected load cannot influence the internal test circuit, which guarantees high robustness (no occasional trips caused by false error detection after an unexpected change in the electrical characteristics of the connected load). As a consequence, wire cross-talk and short circuit to 24 V DC can be detected only up to the output clamp of the DX581-S safety output, not on the attached output wire. In most customer cases, a fault exclusion based on output wire isolation or, alternatively, a machine restart at least once per month (with a proper start-up test procedure in the safety CPU program that activates the given S-DOs one after the other) is sufficient. If wire cross-talk or short circuit to 24 V DC has to be detected, the user may also take other appropriate actions to satisfy the respective IEC 62061 and ISO 13849-1 requirements, e.g., define appropriate test periods for the safety function or read back the status of the output wire using a safety digital input.
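As an added illustration of the start-up test procedure mentioned above (not ABB code), the following Structured Text function block activates four safety outputs one after the other and reads each output line back through a safety digital input wired to it. A readback that is high while its output is off indicates a short circuit to 24 V DC; a readback that is high while a different output is the only one on indicates cross-talk. The number of channels, the settle time and the wiring of S-DI channels to S-DO lines are assumptions of this example.

```st
(* Added example, not ABB code. Channel count (4), settle time and S-DI readback
   wiring are assumptions. *)
FUNCTION_BLOCK FB_OutputStartupTest
VAR_INPUT
    xStart        : BOOL;                  (* rising edge starts the test *)
    axReadback    : ARRAY[0..3] OF BOOL;   (* S-DI channels wired to the S-DO lines *)
    wSettleCycles : WORD;                  (* cycles to wait for input filter and propagation *)
END_VAR
VAR_OUTPUT
    axOut       : ARRAY[0..3] OF BOOL;     (* drives the S-DO channels under test *)
    xTestDone   : BOOL;
    xTestPassed : BOOL;
END_VAR
VAR
    iState    : INT := 0;   (* 0 idle, 1 all-off check, 2 one-on check, 3 finished *)
    iIdx      : INT := 0;   (* output currently under test *)
    wWait     : WORD := 0;
    k         : INT;
    xStartOld : BOOL;
    xOnlyIdx  : BOOL;
END_VAR

IF xStart AND NOT xStartOld AND (iState = 0) THEN
    iState := 1; iIdx := 0; wWait := 0;
    xTestDone := FALSE; xTestPassed := FALSE;
END_IF
xStartOld := xStart;

CASE iState OF
1:  (* all outputs OFF: no readback may be high (short to 24 V DC or stuck-on output) *)
    FOR k := 0 TO 3 DO axOut[k] := FALSE; END_FOR
    wWait := wWait + 1;
    IF wWait > wSettleCycles THEN
        FOR k := 0 TO 3 DO
            IF axReadback[k] THEN iState := 3; END_IF          (* fail *)
        END_FOR
        IF iState = 1 THEN iState := 2; wWait := 0; END_IF    (* passed, start one-on checks *)
    END_IF

2:  (* exactly one output ON: only its own readback may be high (cross-talk check) *)
    FOR k := 0 TO 3 DO axOut[k] := (k = iIdx); END_FOR
    wWait := wWait + 1;
    IF wWait > wSettleCycles THEN
        xOnlyIdx := TRUE;
        FOR k := 0 TO 3 DO
            IF axReadback[k] <> (k = iIdx) THEN xOnlyIdx := FALSE; END_IF
        END_FOR
        IF NOT xOnlyIdx THEN
            iState := 3;                                      (* fail *)
        ELSIF iIdx < 3 THEN
            iIdx := iIdx + 1; wWait := 0;                     (* next output *)
        ELSE
            xTestPassed := TRUE; iState := 3;                 (* every output verified alone *)
        END_IF
    END_IF

3:  (* finished: de-energise everything and report; xTestPassed stays FALSE on failure *)
    FOR k := 0 TO 3 DO axOut[k] := FALSE; END_FOR
    xTestDone := TRUE;
    iState := 0;
END_CASE
END_FUNCTION_BLOCK
```

The application should only release the machine when xTestDone AND xTestPassed, and should record when the test last passed so that the monthly interval can be enforced. wSettleCycles must be longer than the S-DI input filter time and must also bridge the module's own output test pulses, which are visible on the output line and would otherwise be misread as a fault.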
-
Is my safety program OK if not all safety programming guidelines and rules checked by AC500-S safety code analysis (SCA) rules are satisfied?
The SCA tool only checks whether the static safety programming guidelines and rules are followed. Errors identified by the SCA tool therefore do not necessarily result in a machine malfunction, but each one requires additional argumentation why the exception (an unfulfilled safety programming guideline or rule) is acceptable in the given customer safety application. This may delay the certification of the customer safety application program.
-
What does built-in power supply in the safety I/O module mean?
It means that no separate power supply module needs to be bought for AC500-S safety I/Os. 24 V DC can be connected directly through the UP and ZP pins on the terminal unit.
-
What is the effect of connecting test pulse of the same type (e.g., T0, T1, T2, T3, etc.) from one module to the safety digital input channel of another module? Are test pulses module-specific?
Yes, test pulses are module-specific. Because of this, connecting a test pulse of a given type (e.g., T0) from one module to the corresponding channel of another module causes channel passivation. This kind of connection is not permitted.
-
Will there be a different delay of safety telegram if the safety module is placed in another physical slot (communication module or I/O module slot)?
The telegram delay difference is negligible in such cases; any difference is far below 1 ms.
-
Is 1oo2 internal safety structure applicable for safety inputs only when we have 2-channel input?
No, the entire AC500-S hardware system is designed using a 1oo2 internal safety structure. Hence, even when you connect a single input, it is internally split and processed using the 1oo2 safety architecture.
-
How to interface safety mats/bumpers and safety edges?
Most of the safety mats and bumpers in the market come with ASi-Safety option. With the help of ASi-Safety to PROFINET/PROFIsafe gateway, you can connect such signals to AC500-S.
-
Can we use 2-wire transmitters with analog input?
Yes, AI581-S analog module is equipped to handle 2-wire transmitters.
-
What is the ON time of a test pulse in DI581-S/DX581-S modules? How often is it repeated?
The test pulse terminal clamps provide a 24 V DC signal for monitoring passive sensors with test pulses. This signal is switched to LOW state for a fixed time of 1 ms; this applies to both the DI581-S and the DX581-S module. The test pulse repeats every 58 ms on DI581-S and every 27 ms on DX581-S on each test pulse channel.
-
How often is the safety output OFF when the detection feature is made ON in DX581-S module?
If detection is enabled, the output of the DX581-S safety module is tested every 55 ms. Be aware that the test pulse of the internal main switch can also be observed on each output; this main switch test pulse cannot be disabled and is always present. Its duration is slightly below 1 ms in the worst case (output current of 500 mA) and is almost invisible in the best case (output current below 50 mA).
-
Can AC500-S safety modules be used in low-demand applications?
Yes.
-
How to make the safety CPU address switch setting compliant to SIL 3 / PL e if one wants to use its value in the safety application program?
One may want the safety program execution path to depend on the safety CPU address switch setting, which can be read in the safety program using the SF_SM5XX_OWN_ADR function block. Changing the execution path on the basis of the address switch setting alone is not always sufficient to reach SIL 3 / PL e. An additional mechanism is required, e.g., a second point of entry for the configuration setting on the application level. This can be done, for example, by reading a pre-configured (pre-saved) value from the SD card on the non-safety CPU, transferring it to the safety CPU and comparing it against the address switch setting; only if both values agree is the address switch setting accepted for the execution path change. In this way a functional safety level up to SIL 3 / PL e can be attained.
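The comparison described above, as an added Structured Text illustration (not ABB code): the switch value is assumed to have been read with SF_SM5XX_OWN_ADR (its output names are not shown and are an assumption), and the reference value is assumed to have arrived from the non-safety CPU via non-safe data exchange. Neither source is trusted on its own; a path is selected only when both agree, the decision is latched at start-up so that a later change of the switch has no effect, and any value not explicitly listed is a fault.

```st
(* Added example, not ABB code. byOwnAdr and byRefAdr are assumed to be fed from
   SF_SM5XX_OWN_ADR and from the non-safe transfer of the SD-card value. *)
FUNCTION_BLOCK FB_SelectVariant
VAR_INPUT
    byOwnAdr     : BYTE;   (* address switch value, assumed output of SF_SM5XX_OWN_ADR *)
    byRefAdr     : BYTE;   (* pre-saved reference value delivered by the non-safety CPU *)
    xRefAdrValid : BOOL;   (* TRUE once the non-safe transfer has completed *)
END_VAR
VAR_OUTPUT
    xVariantLatched : BOOL;   (* a variant has been accepted and is frozen *)
    xVariantFault   : BOOL;   (* sources disagree or value unknown: stay in safe default *)
    iVariant        : INT;    (* 0 = safe default, 1..3 = configured machine variants *)
END_VAR
VAR
    byAccepted : BYTE;
END_VAR

IF (NOT xVariantLatched) AND (NOT xVariantFault) THEN
    iVariant := 0;                             (* safe default until a decision is taken *)
    IF xRefAdrValid THEN
        IF byOwnAdr = byRefAdr THEN
            byAccepted      := byOwnAdr;       (* the two independent sources agree *)
            xVariantLatched := TRUE;
        ELSE
            xVariantFault := TRUE;             (* disagreement: never accept either value *)
        END_IF
    END_IF
END_IF

IF xVariantLatched THEN
    (* only explicitly listed values select a path; anything else is a fault *)
    CASE byAccepted OF
        1: iVariant := 1;
        2: iVariant := 2;
        3: iVariant := 3;
    ELSE
        iVariant        := 0;
        xVariantFault   := TRUE;
        xVariantLatched := FALSE;
    END_CASE
END_IF

IF xVariantFault THEN
    iVariant := 0;                             (* a fault always forces the safe default *)
END_IF
END_FUNCTION_BLOCK
```

The value from the SD card travels over a non-safe path, so it cannot be used on its own either; it is the agreement of two independently sourced values, checked inside the safety program, that justifies the higher safety level. The application should bring the machine to a defined state and report xVariantFault rather than silently running the default variant.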
-
In which types of applications are FBs like SF_APPL_MEASURE_BEGIN and SF_APPL_MEASURE_END used?
These FBs can be used for time profiling of your safety application program, which is often very useful for debugging purposes to find performance bottlenecks in safety applications, for instance to estimate the actual time taken by the safety CPU to execute a certain part of the safety program logic.
-
How can user data on the safety CPU be made persistent?
User data can be stored in the non-volatile flash memory of the safety CPU and read or deleted from there using special FBs (SF_FLASH_WRITE, SF_FLASH_READ and SF_FLASH_DEL).
-
Can errors related to remote PROFINET/PROFIsafe safety modules be captured in the diagnostic buffer of the non-safety CPU?
With AC500 V2 non-safety CPU:
Yes, you can use special diagnostic FBs to read diagnostic messages from remote safety modules on the V2 non-safety CPU. These FBs can be found in the library Profinet_AC500_V13.lib on the V2 non-safety CPU.
With AC500 V3 non-safety CPU:
The PROFINET/PROFIsafe related errors can be automatically collected in the diagnostic buffer of the V3 non-safety CPU.
-
Why does non-safety CPU reboot command not reboot remote safety I/O modules?
This behavior is as designed. Only central safety I/O modules are re-initialized after a non-safety CPU reboot command. Remote safety I/O modules may not be re-initialized and have to be acknowledged from the safety program to reintegrate them after the re-initialization of the non-safety CPU and safety CPU has finished. Whether remote modules are re-initialized or not depends on the PROFINET CI50x-PNIO setting and can be modified.
-
Is ST to LAD/FBD conversion possible?
Yes, for simple projects involving the basic instruction set the conversion is possible. However, not all standard ST constructs can be converted to LAD/FBD. Please keep in mind that after a conversion from ST to LAD/FBD you cannot convert the safety program code back to ST.
-
In antivalent mode wiring, the NO channel is always connected to the lower channel (the channel that delivers an aggregated 2-channel safety value to the safety CPU). Is there any specific reason for this?
This behavior is as designed to avoid any faults during antivalent sensor wiring and potential misinterpretation of which channel delivers an aggregated 2-channel safety value.
-
While using our safety and non-safety I/Os with 3rd party safety PLCs, will safety and non-safety I/O diagnostic messages be available in the diagnostic buffer of those 3rd party safety PLCs?
All diagnostic messages from safety and non-safety I/Os are non-safe data collected by the non-safety CPU (also a 3rd party one). They are currently available in AC500 diagnostic message format and can be read and placed in the diagnostic buffer of a 3rd party non-safety CPU by invoking special FBs or by using standard PROFINET diagnosis.
-
Who could certify a safety program?
Accredited international and national certification bodies such as TÜV, EXIDA or UL (some of them operating around the world) can certify a safety program.
-
What are the right steps to develop a safety program?
Refer to ISO 13849-1 and IEC 62061 for machine safety application development and to IEC 61511 for process safety application development.
-
Is it allowed to use FOR loops in ST programs as an alternative to IF and CASE instructions for boundary checks in arrays?
No, it is not allowed to use FOR loops as an alternative. If arrays are accessed inside FOR loops, the programmer must still implement the boundary checks using IF and CASE instructions.
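An added Structured Text illustration of that rule (not ABB code): the function sums a range of array entries whose start index and count come from an untrusted source (for example the non-safety side). The loop bounds are clamped with IF against a constant, and the subscript is range-checked again with IF inside the loop, so the FOR statement is never the only thing standing between input data and the array. Array size and parameter names are assumptions of this example.

```st
(* Added example, not ABB code. Array size and parameter names are assumptions. *)
FUNCTION SumValidEntries : DINT
VAR_INPUT
    anValues  : ARRAY[0..15] OF INT;
    nStartIdx : INT;    (* first entry to include, from an untrusted source *)
    nCount    : INT;    (* number of entries to include, from an untrusted source *)
END_VAR
VAR CONSTANT
    cMaxIdx : INT := 15;                    (* upper bound of anValues *)
END_VAR
VAR
    i, nCnt, nLast : INT;
    dnSum : DINT := 0;
END_VAR

(* reject impossible parameters up front with IF; do not let the loop bounds
   depend on unchecked input *)
IF (nCount <= 0) OR (nStartIdx < 0) OR (nStartIdx > cMaxIdx) THEN
    dnSum := 0;
ELSE
    (* clamp the count before the addition so nStartIdx + nCount cannot overflow INT *)
    nCnt := nCount;
    IF nCnt > cMaxIdx + 1 THEN nCnt := cMaxIdx + 1; END_IF
    nLast := nStartIdx + nCnt - 1;
    IF nLast > cMaxIdx THEN nLast := cMaxIdx; END_IF

    FOR i := nStartIdx TO nLast DO
        (* explicit subscript check even though the bounds were clamped: the
           guideline requires IF/CASE around every array access *)
        IF (i >= 0) AND (i <= cMaxIdx) THEN
            dnSum := dnSum + INT_TO_DINT(anValues[i]);
        END_IF
    END_FOR
END_IF
SumValidEntries := dnSum;
END_FUNCTION
```

A loop written as FOR i := nStartIdx TO nStartIdx + nCount - 1 with anValues[i] inside and no IF would be exactly what the rule forbids: the bounds would be supplied by input data and the subscript would be unchecked.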