This is the web edition of the original ⮫ AC500-S safety user manual, version 1.4.0. This web edition is provided for quick reference only. The original safety user manual must be used to meet functional safety application requirements.
Instantiate the safety and non-safety modules that are part of the "black channel" for safe communication and configure them properly. Define variable names for input, output and PROFIsafe signals in accordance with the safety programming guidelines.
- Select one of the four slots available for communication modules and the safety CPU and instantiate a safety CPU on it. Note that the slot number shall be the same as the physical slot number on which the safety CPU is attached.
- Double-click on the safety CPU and set its parameters, as needed.




NOTICE

Pay attention to the parameter “Enable debug”. If this parameter is set to “Off”, then no new boot project can be loaded to the safety CPU.
- To have remote stations in the system, we can instantiate the PROFINET IO controller communication module CM579-PNIO, for example, in slot 2. Note that PROFINET is the only bus which is supported for PROFIsafe communication in the AC500-S safety PLC.
- Now, select the newly created CM579-PNIO module and instantiate the required number of PROFINET modules, e.g., CI501-PNIO, CI502-PNIO, etc. or any 3rd party PROFINET modules previously imported in the “Device Repository” using GSDML files.
  ⮫ Details on the setting of proper PROFINET device names and IP addresses.




NOTICE

When using CI501-PNIO or CI502-PNIO with safety I/O modules with firmware V1.0.0, set the parameter “IO-BUS Reset after PROFINET reconnection” = OFF on CI502-PNIO or CI501-PNIO.
“IO-BUS Reset after PROFINET reconnection” = ON is not recommended and permitted only for special use cases. Contact ABB technical support for more details.
- On the “IO_Bus” object, one can instantiate up to 10 I/O modules (safety or non-safety ones) located centrally on the non-safety CPU.
- Similarly, up to 10 I/O modules (safety and non-safety) can be instantiated on any ABB PROFINET IO device.
  The GSDML file defines the maximum number of supported modules on 3rd party PROFINET IO devices.

Parameters of safety I/O modules can be set by double-clicking on those modules. Each module has two types of parameters: F-Parameters and iParameters.
F-Parameters are parameters which were specially defined by the PROFIsafe group ⮫ [2] to realize safe device communication and parameterisation. F-Parameter names are the same for all F-Devices (ABB and 3rd party devices). The most important of them for end-users are explained here.
- F_SIL: defines the highest usable safety integrity level for the given F-Device. It shall not be higher than the defined value in the GSDML file of the F-Device.
- F_Dest_Add: defines the F-Device address which shall be the same address as the one set on the physical safety I/O device.




NOTICE

Make sure that F_Dest_Add is unique for all F-Devices, otherwise no valid safety configuration can be generated.
A decimal number, or a hexadecimal number with the prefix 16# or 0x, can be used to set F_Dest_Add in Automation Builder.
- F_Source_Add: defines the F-Host address which shall be valid for the given F-Device.
- F_WD_Time: defines the watchdog timeout on the F-Device connection. It is supervised on both F-Host and F-Device. If the F-Host detects a timeout, the F-Device will be passivated and fail-safe values will be sent. If the F-Device detects a timeout, it will indicate this to the F-Host via the PROFIsafe status byte and send fail-safe values. F_WD_Time is further used in safety function response time calculations.
- F_CRC_Seed: defines the supported PROFIsafe version.
  If F_CRC_Seed = 1 (symbolic value "CRC_Seed24/32"), the device operates with PROFIsafe V2.6.
  If F_CRC_Seed = 0 (symbolic value "CRC_Seed16") or if F_CRC_Seed is not present, the device operates with PROFIsafe V2.4.
  The parameter is not changeable and is defined in the GSDML file. The engineering tool automatically sets the correct value based on the selected device version.
- F_Passivation: only exists if PROFIsafe V2.6 is supported (F_CRC_Seed = 1). If F_Passivation = 1 (symbolic value "Channel"), support of the RIOforFA profile for the given F-Device will be requested, as specified in ⮫ [13]. If F_Passivation = 0 (symbolic value "Device/Module") or the parameter does not exist in the GSDML, this profile will not be supported. The parameter is not changeable.
- F_WD_Time_2: is an optional second watchdog timeout, which is not supported by AC500-S.




NOTICE

The F-Submodules "12 Byte In/Out (PROFIsafe V2.6)" and "123 Byte In/Out (PROFIsafe V2.6)" in the SM560-S-FD-1 / SM560-S-FD-4 are compliant with PROFIsafe V2.6. F_CRC_Seed ("CRC_Seed24/32") is indicated in the F-Parameter configuration. The F-Parameters F_Passivation and F_WD_Time_2 are not applicable for them and thus not configurable (F_Passivation = 0 and is not changeable, F_WD_Time_2 does not exist).
The F-Submodules "12 Byte In/Out (PROFIsafe V2.4)" and "8 Byte and 2 Int In/Out (PROFIsafe V2.4)" in the SM560-S-FD-1 / SM560-S-FD-4 only support PROFIsafe V2.4. The F-Parameters F_CRC_Seed and F_Passivation do not exist in the F-Parameter configuration.
- F_iPar_CRC: is a special F-Parameter which is used for a safe transfer of iParameters to F-Devices. F_iPar_CRC is calculated outside the F-Parameter editor and, thus, has to be manually copied from the “Checksum iParameter” field and pasted to the F_iPar_CRC field in the F-Parameter tab after pressing the [Calculate] button for the given F-Device.
  Note that F_iPar_CRC also has to be recalculated for AC500-S safety I/O modules if F_Dest_Add is changed, because F_Dest_Add is also invisibly transported as an iParameter to AC500-S safety I/O modules. It is needed in the AC500-S safety PLC for further comparison of the physical PROFIsafe address value on the safety I/O device and the one configured in the engineering environment.

| F-Parameter | Definition | Allowed values | Default value |
|---|---|---|---|
| F_Check_iPar | Checks manufacturer-specific iParameters within safety parameters. | 0 = No check; 1 = Check | 0 = No check |
| F_SIL | Different safety functions that use safety-related communication may require different safety integrity levels (SIL). An F-Device compares its assigned SIL with the SIL configured by the F-Host (F_SIL). If the configured SIL (F_SIL) exceeds the SIL capability of the connected F-Device, the F-Device will set the "Device Failure" status bit and initiate the configured safe-state reaction. ⮫ [2] | 0 = SIL1; 1 = SIL2; 2 = SIL3; 3 = No SIL | 2 = SIL3 |
| F_CRC_Length | Specifies the expected length of the CRC2 signature. | 2 = 4 octet CRC2 signature | 2 = 4 octet CRC2 signature |
| F_CRC_Seed | Indicates the PROFIsafe version and the CRC length used for safety communication. | 1 = CRC_Seed24/32 | 1 = CRC_Seed24/32 |
| F_Passivation | Defines whether channel-granular passivation according to RIOforFA is supported. Channel-granular passivation according to RIOforFA is not supported by safety I/O modules and the F-Submodules of SM560-S-FD-1 and SM560-S-FD-4. All safety I/O modules support own channel-granular passivation. According to RIOforFA, F-Submodules of RIOforFA do not require channel-granular passivation. | 0 = Device/Module | 0 = Device/Module |
| F_Block_ID | Identifies the PROFIsafe parameter block version used by the F-Device. | | |
| F_Par_Version | Version number of the F-Parameter set. | 1 = Valid for V2-mode | 1 = Valid for V2-mode |
| F_Source_Add | F-Host source address. The F_Source_Add parameter is a logical address designation that can be assigned freely but unambiguously. F_Source_Add shall not equal the F_Dest_Add for the given F-Device. | | 1 |
| F_Dest_Add | The unique F-Device address which will be compared with the set hardware switch address in the F-Device. The F_Dest_Add parameter is a logic address designation that can be assigned freely but unambiguously. | | |
| F_WD_Time | Watchdog time in ms for receipt of the new valid telegram. | 10 – 10000 | |
| F_iPar_CRC | Value of iParameter CRC. This parameter only applies to the safety I/O modules and is not available for SM560-S-FD-1 and SM560-S-FD-4. | 0 – 4294967295 (0xFFFFFFFF) | Module-type-specific. |
| F_Par_CRC | Value of F-Parameter CRC. | 0 – 65535 (0xFFFF) | Module-type-specific. |


| F-Parameter | Definition | Allowed values | Default value |
|---|---|---|---|
| F_Check_SeqNr | Defines whether the consecutive number is included in CRC2. In PROFIsafe V2-mode ⮫ [2], the consecutive number must always be included in CRC2 generation. This parameter only applies to the safety I/O modules and is not available for SM560-S-FD-1 and SM560-S-FD-4. | 0 = No check; 1 = Check | 1 = Check |
| F_Check_iPar | Checks manufacturer-specific iParameters within safety parameters. | 0 = No check; 1 = Check | 0 = No check |
| F_SIL | Different safety functions that use safety-related communication may require different safety integrity levels (SIL). An F-Device compares its assigned SIL with the SIL configured by the F-Host (F_SIL). If the configured SIL (F_SIL) exceeds the SIL capability of the connected F-Device, the F-Device will set the "Device Failure" status bit and initiate the configured safe-state reaction. ⮫ [2] | 0 = SIL1; 1 = SIL2; 2 = SIL3; 3 = No SIL | 2 = SIL3 |
| F_CRC_Length | Specifies the expected length of the CRC2 signature. | 0 = 3 octet CRC2 signature | 0 = 3 octet CRC2 signature |
| F_Block_ID | Identifies the PROFIsafe parameter block version used by the F-Device. | | |
| F_Par_Version | Version number of the F-Parameter set. | 1 = Valid for V2-mode | 1 = Valid for V2-mode |
| F_Source_Add | F-Host source address. The F_Source_Add parameter is a logical address designation that can be assigned freely but unambiguously. F_Source_Add shall not equal the F_Dest_Add for the given F-Device. | | 1 |
| F_Dest_Add | The unique F-Device address which will be compared with the set hardware switch address in the F-Device. The F_Dest_Add parameter is a logic address designation that can be assigned freely but unambiguously. | | |
| F_WD_Time | Watchdog time in ms for receipt of the new valid telegram. | 10 – 10000 | |
| F_iPar_CRC | Value of iParameter CRC. This parameter only applies to the safety I/O modules and is not available for SM560-S-FD-1 and SM560-S-FD-4. | 0 – 4294967295 (0xFFFFFFFF) | Module-type-specific. |
| F_Par_CRC | Value of F-Parameter CRC. | 0 – 65535 (0xFFFF) | Module-type-specific. |

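
The F-Parameter rules stated above can be checked offline before a project is downloaded. The following is an added example, not code from the manual or from Automation Builder: the dictionary layout, the device names and the `gsdml_max_sil` field are hypothetical, and the sample data is constructed.

```python
from collections import Counter

# F_SIL codes from the tables above mapped to a comparable rank.
# Ranking 3 = "No SIL" lowest is an assumption of this example.
SIL_RANK = {0: 1, 1: 2, 2: 3, 3: 0}

def parse_address(text):
    """Parse an address written as decimal, 16#.. or 0x.. into an int."""
    s = str(text).strip().lower()
    if s.startswith("16#"):
        return int(s[3:], 16)
    if s.startswith("0x"):
        return int(s[2:], 16)
    return int(s, 10)

def check_f_devices(devices):
    """Return sorted (device name, finding) pairs for rule violations."""
    findings = []
    # Compare numeric values so that "16#0A" and "10" count as the same address.
    dest = {d["name"]: parse_address(d["F_Dest_Add"]) for d in devices}
    seen = Counter(dest.values())
    for d in devices:
        name = d["name"]
        if seen[dest[name]] > 1:
            findings.append((name, "F_Dest_Add is not unique"))
        if parse_address(d["F_Source_Add"]) == dest[name]:
            findings.append((name, "F_Source_Add equals F_Dest_Add"))
        if not 10 <= d["F_WD_Time"] <= 10000:
            findings.append((name, "F_WD_Time outside 10..10000 ms"))
        # gsdml_max_sil: hypothetical field, the F_SIL code allowed by the GSDML.
        if SIL_RANK[d["F_SIL"]] > SIL_RANK[d["gsdml_max_sil"]]:
            findings.append((name, "F_SIL exceeds GSDML value"))
        # A missing F_CRC_Seed means PROFIsafe V2.4, where F_Passivation does not exist.
        if d.get("F_CRC_Seed", 0) != 1 and "F_Passivation" in d:
            findings.append((name, "F_Passivation present without F_CRC_Seed = 1"))
        if "F_WD_Time_2" in d:
            findings.append((name, "F_WD_Time_2 is not supported by AC500-S"))
    return sorted(findings)

# Constructed sample: two modules whose addresses collide once normalised.
SAMPLE = [
    {"name": "DI581_1", "F_Dest_Add": "16#0A", "F_Source_Add": "1",
     "F_WD_Time": 100, "F_SIL": 2, "gsdml_max_sil": 2, "F_CRC_Seed": 1},
    {"name": "DX581_1", "F_Dest_Add": "10", "F_Source_Add": "1",
     "F_WD_Time": 5, "F_SIL": 2, "gsdml_max_sil": 1},
    {"name": "AI581_1", "F_Dest_Add": "0x01", "F_Source_Add": "1",
     "F_WD_Time": 250, "F_SIL": 1, "gsdml_max_sil": 2, "F_Passivation": 0},
]

if __name__ == "__main__":
    print(*check_f_devices(SAMPLE), sep="\n")
```
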
iParameters are individual F-Device parameters which are transferred to F-Devices with a proper F_iPar_CRC parameter.




NOTICE

After changing iParameters, you have to go to “F-Parameter” tab, re-calculate iParameter CRC and paste it to F_iPar_CRC F-Parameter row. Otherwise, the new parameter set will not be accepted by the F-Device because F_iPar_CRC will not be a valid one for a given iParameter set.
As for 3rd party F-Devices coming from GSDML files, one has no “Checksum iParameter” feature, because Automation Builder does not know a specific algorithm used for F_iPar_CRC calculation in 3rd party devices. One has to calculate F_iPar_CRC using a special tool delivered by the F-Device manufacturer for engineering its F-Devices.
If the provided tool supports the Tool Calling Interface (TCI ⮫ [14]), it can be called directly from the context menu of the 3rd party device in the Automation Builder. The advantage is, e.g., that the configuration parameters are taken directly from the Automation Builder. They do not need to be re-entered.
⮫ “Tool Calling Interface (TCI) implementation”
Another option is to contact the vendor of the F-Device and ask for F_iPar_CRC value for the given F-Device iParameter. As soon as F_iPar_CRC is available for the given 3rd party F-Device, one can paste it to the F_iPar_CRC row in F-Parameter editor.




DANGER

If for one of the output channels you set Detection = OFF, the warning appears that the output channel does not satisfy max. SIL 3 (IEC 62061) and PL e (ISO 13849-1) requirements in such condition. Two safety output channels may have to be used to satisfy required SIL or PL level.
The parameter "Detection" was created for customers who want to use safety outputs of DX581-S for max. SIL 1 (or max. SIL 2 under special conditions) or PL c (or maximum PL d under special conditions) safety functions and have less internal DX581-S pulses visible on the safety output line. Such internal pulses could be detected as LOW signal by, for example, drive inputs, which would lead to unintended machine stop.




DANGER

One can also use generic device configuration view from “DI581-S Parameters”, “DX581-S Parameters” or “AI581-S Parameters” tab to edit module and channel parameters. However, change of safety I/O parameters using generic device configuration view is not recommended due to potential user mistakes during the parameter setting using integer numbers.
Furthermore, each F-Device has a special “I/O Mapping” tab in which variable names for input and output signals, PROFIsafe diagnostic bits, etc. can be defined.




DANGER

If data types like Unsigned16, Unsigned32, Integer16, Integer32 or Float32, which require more than one byte, are used in PROFIsafe data, note the following. The byte order in such data types depends on the used PROFIsafe device endianness and selected AC500 non-safety CPU type. AC500 V2 non-safety CPU supports big-endian. AC500 V3 non-safety CPU supports little-endian. Make sure that the symbolic variables are mapped properly and the delivered safety data is correctly represented in your safety application.
It is also valid for DX581-S and DI581-S safety modules; the only difference is the number of input and output channels. Each process channel (Input 0 - Input 3 for AI581-S) additionally has the following bits:
- one bit for safe diagnostic (Safe_Diag bit) to be able to differentiate if the process value is the real process state or "0" value due to channel or module passivation.
- one bit Rei_Req for channel reintegration request, which can be used in the safety application program as a signal that external error (e.g., sensor wiring error) was fixed and the channel can be reintegrated in the safety control. Higher overall system availability can be expected for end-customers, because they can selectively decide which channels have to be acknowledged and which not.
- one bit Ack_Rei for channel reintegration if the error was fixed (e.g., external sensor wiring was corrected). One can also define one variable as a BYTE for all Ack_Rei bits and use 0xFF value to acknowledge all errors at once.

The PROFINET IO protocol uses the Provider Status (PS) and the Consumer Status (CS) to describe the quality or status of the input and output values of each I/O submodule.
- Value "Good": The input and output values are valid.
- Value "Bad": The input and output values are invalid.
There is one byte for each input PS, output CS, input CS and output PS channel. Since the channels are part of the PROFINET layer, the variables that are mapped to these channels are not available in the safety application program and therefore are not safety-relevant. However, the user can use these channels in non-safety context to monitor if the PROFINET communication is successful. Furthermore, these channels are not present for the safety I/O modules connected via the local I/O bus.




NOTICE

When you define variable names for input signal, output signal and other safety signals, pay attention to the safety programming guidelines.




NOTICE

Only BYTE data type is supported instead of WORD for safety data of DI581-S module when AC500 V3 non-safety CPU is used. It is needed to meet the endianness, which is different between AC500 V2 non-safety CPU (big-endian) and AC500 V3 non-safety CPU (little-endian). This shall be considered when safety project is migrated from AC500 V2 to V3 non-safety CPU.
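
The byte-order warnings above (multi-byte PROFIsafe data, and the AC500 V2 to V3 migration) can be made concrete by decoding one payload both ways and listing the fields that change. This is an added example, not code from the manual: the field names, layout and payload bytes are constructed.

```python
import struct

# struct format codes for the PROFIsafe data types named in the warning above.
TYPE_CODE = {"Unsigned8": "B", "Unsigned16": "H", "Unsigned32": "I",
             "Integer16": "h", "Integer32": "i", "Float32": "f"}

def decode(payload, layout, byte_order):
    """Decode payload per layout [(name, type), ...]; byte_order is 'big' or 'little'."""
    prefix = ">" if byte_order == "big" else "<"
    fmt = prefix + "".join(TYPE_CODE[t] for _, t in layout)
    if struct.calcsize(fmt) != len(payload):
        raise ValueError("layout does not match payload length")
    names = [n for n, _ in layout]
    return dict(zip(names, struct.unpack(fmt, payload)))

def order_sensitive_fields(payload, layout):
    """Names of fields whose decoded value differs between the two byte orders."""
    big = decode(payload, layout, "big")
    little = decode(payload, layout, "little")
    return [n for n, _ in layout if big[n] != little[n]]

# Constructed layout and payload (hypothetical signal names).
LAYOUT = [("Status", "Unsigned8"), ("Speed", "Unsigned16"),
          ("Count", "Unsigned16"), ("Level", "Float32")]
PAYLOAD = bytes.fromhex("05" "01f4" "0101" "41a40000")

if __name__ == "__main__":
    print("big-endian   :", decode(PAYLOAD, LAYOUT, "big"))
    print("little-endian:", decode(PAYLOAD, LAYOUT, "little"))
    # "Count" holds 0x0101, which reads the same in both orders, so a test
    # value like this would not reveal a wrong mapping after migration.
    print("changes with byte order:", order_sensitive_fields(PAYLOAD, LAYOUT))
```
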




