manualshive.com logo in svg

ABB AC500-S, Safety User Manual

Share
Download
ABB AC500-S Safety User Manual Download Page 224

Table 13: CoDeSys safety programming rules which have to be checked manually (ABB SCA tool is not able

to detect them in the safety application program)

Rule for manual check in CoDeSys Safety

Comments (Relevance for AC500-S)

Verify that the watchdog is activated. Verify that the watchdog

time is set sufficiently shorter than the process failure response

time.

Use a special library POU

SF_WDOG_TIME_SET (

 

Ä

 Chapter

4.6.1 “Overview” on page 224

 for further

details)

Verify that there is only one task.

AC500-S supports only one task, thus,

there is no need for this check.

Verify that, other than standard libraries, only libraries certified

for safety applications are used.

These rules are included in AC500-S

“Checklist for Creation of Safety Applica-

tion Program”

For each POU, verify that there are no unnecessary state varia-

bles.

Verify that the following holds for all function blocks: If more than

one variable is used to store state information, encapsulate

these variables into their own function block and only use calls

on this function block to change the state.

Verify that the compiler reports neither errors nor warnings when

compiling the application.

For each POU, verify that variables are not re-used later on with

a different meaning.

Verify that the names of safety POUs start with “S_”. Verify that

the names of non-safety POUs do not start with “S_”.

These rules have to be checked only if

you plan to implement not only safety

but also non-safety functions on SM560-

S Safety CPU. In typical applications

with AC500-S it is not the case, because

non-safety functions are realized on

PM5xx Non-safety CPUs.

Verify that names of safety-related local variables start with “S_”.

Verify that names of global safety variables start with “GS_”.

Verify that names of safety inputs start with “IS_”.

Verify that names of safety outputs start with “OS_”.

Verify that names of non-safety variables do not start with either

“S_”, “GS_”, “IS_” or “OS_”.

Verify that names of global variable lists containing non-safety

variables do not start with S_.

Verify that names of global variable lists containing safety varia-

bles start with S_.

For each non-safety POU, verify that it does not write to any

safety variable.

4.6  AC500-S Libraries

4.6.1  Overview

The following safety libraries are certified by TÜV and are allowed to be used with AC500-S Safety PLC:

Configuration and programming

AC500-S Libraries > Overview

30.03.2017

AC500-S

224

Summary of Contents for AC500-S

Page 1: ...Safety User Manual V1 0 4 Original Instructions AC500 S ...

Page 2: ...s strictly forbidden Copyright 2012 2017 ABB All rights reserved ABB Automation Products GmbH Wallstadter Str 59 68526 Ladenburg Germany Telephone 49 62 21 701 1444 Fax 49 62 21 701 1382 E mail plc sales de abb com Internet www abb com plc 3ADR025091M0205 30 03 2017 AC500 S 2 ...

Page 3: ...onmentally friendly disposal 22 2 12 Safe communication 23 2 13 Safety function and fault reaction 24 2 13 1 Safety CPU SM560 S 24 2 13 2 Safety module with safety input channels DI581 S DX581 S and AI581 S 25 2 13 3 Safety module with safety output channels DX581 S 25 2 14 Safety function test 25 2 15 Troubleshooting 26 3 AC500 S Safety Modules 32 3 1 SM560 S Safety CPU 32 3 1 1 Purpose 32 3 1 2 ...

Page 4: ...amples 117 3 4 8 LED status display 126 3 4 9 Technical data 127 3 4 10 Ordering data 135 3 5 AI581 S analog safety input module 136 3 5 1 Purpose 136 3 5 2 Functionality 138 3 5 3 Mounting dimensions and electrical connection 139 3 5 4 Internal data exchange 143 3 5 5 I O configuration 143 3 5 6 Parameterization 144 3 5 7 Circuit examples 144 3 5 8 LED status display 149 3 5 9 Technical data 149 ...

Page 5: ...y times 395 5 1 Overview 395 5 2 Fault reaction time 396 5 3 Safety function response time 396 6 Checklists for AC500 S Commissioning 405 6 1 Overview 405 6 2 Checklist for creation of safety application program 406 6 3 Checklist for configuration and wiring 409 6 4 Checklist for operation maintenance and repair 410 6 5 Verification procedure for safe iParameter setting in AC500 S Safety I Os 412 ...

Page 6: ...iption of safety functions 437 7 4 2 Graphical overview of the safety application interface 438 7 4 3 Declaration of used variables 438 7 4 4 Program example 440 7 4 5 Additional notes 440 8 Index 442 Appendix 445 A System data for AC500 S XC 446 Table of contents 30 03 2017 AC500 S 6 ...

Page 7: ...n the system correctly in functional safety applications up to SIL3 according to IEC 61508 ed 2 IEC 62061 and Performance Level e according to ISO 13849 ABB s AC500 series is a PLC based modular automation solution that makes it easy to mix and match standard and safety I O modules to meet automation market requirements Introduction Purpose 30 03 2017 AC500 S 7 ...

Page 8: ...ject update on SM560 S is possible only if no boot project is loaded on SM560 S n Not more than one communication error CE_CRC or Host_CE_CRC output signals become equal to TRUE per 100 hours is allowed to be acknowledged by the operator using OA_C input signal without consulting the responsible safety per sonnel n SM560 S cycle time shall be included three times instead of two times in Safety Fun...

Page 9: ...me2 and Device_WD2 term definitions in Chapter 5 3 were corrected n F_Host_WD was replaced with the value set using SF_WDOG_TIME_SET inside of NOTICE box in Chapter 5 3 ABB 28 05 2015 1 0 4 Various typos were corrected Minor improvements in the text Major changes Licensing information was updated n Ch 4 1 Notice Block with reference to PS501 S license installa tion removed n Ch 4 2 Figure 63 updat...

Page 10: ...e following special notices may appear throughout this documentation to warn of potential hazards or to call attention to specific information DANGER The notices referring to your personal safety are highlighted in the manual by this safety alert symbol which indicates that death or severe personal injury may result if proper precautions are not taken NOTICE This symbol of importance identifies in...

Page 11: ...ad only Memory ESD Electro Static Discharge ESPE Electro sensitive protective equipment for example a light curtain F Host Data processing unit that is able to perform a special protocol and to service the black channel 3 F Device Passive communication peer that is able to perform the special protocol usually triggered by the F Host for data exchange 3 F Parameter Fail safe parameter as defined in...

Page 12: ...roller POU Program Organization Unit PROFIsafe Safety related bus profile of PROFIBUS DP PA and PROFINET IO for communication between the safety program and the Safety I O in the Safety system Proof Test Interval The proof test is a periodic test performed to detect failures in a safety related system so that if necessary the system can be restored as close as possible to its previous new state Th...

Page 13: ... http en wikipedia org wiki Unit_in_the_last_place for more details 1 6 Functional safety certification The AC500 S Safety Modules are safety related up to SIL3 according to IEC 61508 ed 2 IEC 62061 and Performance Level e according to ISO 13849 as certified by TÜV Süd Rail GmbH Germany Fig 1 Certificate AC500 S Introduction Functional safety certification 30 03 2017 AC500 S 13 ...

Page 14: ... References Related documents 1 Creation of safety oriented applications with CoDeSys V2 3 Document version 1 8 2 TÜV Süd Rail Certification Report for AC500 S Safety PLC Version 2013 or newer 3 PROFIsafe Profile for Safety Technology on PROFIBUS DP and PROFINET IO Profile part related to IEC 61784 3 3 Version 2 4 March 2007 4 AC500 User Documentation PS501 Control Builder Plus V2 2 1 or newer Aut...

Page 15: ...in high demand systems of safety machinery applications 1oo2 system includes two microprocessors Each of them executes the safety logic in its own memory area and both compare the results of the execution at the end of each cycle If a mismatch in the execution or an error is detected the system goes to a safe state which is described for each of the safety modules separately Overview of AC500 S Sa...

Page 16: ...odules n The same diagnostics concept is used for Safety and Non safety modules Fig 2 Overview on ABB s AC500 family with Safety and Non safety modules n Standard communication module Fig 2 1 AC500 covers all common communications standards such as Ethernet EtherCAT PROFINET IO PROFIBUS DP CANopen DeviceNet Modbus TCP Modbus serial Serial ABB CS31 and PROFIsafe via PROFINET Combinable to form opti...

Page 17: ...components The AC500 S Safety PLC includes the following safety related hardware components SM560 S SM560 S DIAG PWR RUN I ERR E ERR C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 ADDR x10H ADDR x01H Safety CPU Safety Module for up to SIL3 IEC 61508 ed 2 and IEC 62061 and PL e ISO 13849 safety applications DI581 S DI581 S UP 24VDC 5W 16SDI Safety Digital Input 24VDC 3 8UP 3 9ZP 3 ...

Page 18: ...y output channels up to SIL3 or PL e and 8 safety input channels up to SIL2 or PL d or 4 safety input channels up to SIL3 or PL e with 4 test pulse output channels AI581 S AI581 S UP 24VDC 2W 4SAI Safety Analog Input 3 8UP 3 9ZP 3 4 3 7 3 0I2 3 1FE 3 2I3 3 3FE 3 5 3 6 ERR1 2 9ZP 2 8UP 2 3 2 4 2 5 2 1 2 7 2 6 2 2I1 2 0I0 ERR2 4 9ZP 4 8UP 4 7 4 2I3 4 0I2 4 6 4 5 4 4 4 3 4 1 PWR 1 9ZP 1 8UP 1 7 1 4 1...

Page 19: ...f ABB AC500 S safety components in his applications with the competent authorities and get their approval ABB assumes no liability or responsibility for any consequences arising from the improper use n Non compliance with standards and guidelines n Unauthorized changes to equipment connections and settings n Use of unauthorized or improper equipment n Failure to observe the safety instructions in ...

Page 20: ... safety values can be used for AC500 S safety modules Type Description SIL 1 PL 2 DC 3 PFHd 4 MTTFd 5 T1 6 SM560 S XC Safety module 3 e 95 3 0E 09 100 years 20 AI581 S XC Safety Analog Input Module 3 e 95 3 0E 09 100 years 20 DI581 S XC Safety Digital Input Module 3 e 95 3 0E 09 100 years 20 DX581 S XC Safety Digital Input Output Module 3 e 94 3 0E 09 100 years 20 1 according to IEC 62061 and IEC ...

Page 21: ...edge of AC500 system is required to correctly understand this AC500 S Safety User Manual n AC500 automation system n PS501 Control Builder Plus ABB Automation Builder Programming Environment system configuration and programming in ST LAD and FBD programming languages 2 6 Lifecycle All AC500 S safety modules have a maximum life of 20 years This means that all AC500 S safety modules shall be taken o...

Page 22: ...m a restart protection in the safety program The safety process data outputs must be blocked until manually acknowledged These safety outputs must not be enabled until it is safe to do so and faults were corrected 2 10 Replacing AC500 S Safety PLC components When replacing software components on your programming device or PC with a newer version you must observe the notes regarding upward and down...

Page 23: ...ith a PROFIsafe profile for safe data transmission 3 Safety and non safety I O modules can be mixed on a local I O Bus both in central and remote configuration PROFINET IO controller Communication Module CM579 PNIO shall be used on Non safety CPUs as a part of the black channel to transfer safety data to PROFINET IO devices PROFINET devices CI501 CI502 CI504 and CI506 Release date 2013 and newer c...

Page 24: ... to control the safety digital outputs by the safety logic module SM560 S according to a user defined IEC 61131 application program and configuration The AC500 S Safety PLC can be used as a de energize to trip Normally Energized NE system The safe state of the outputs is defined according to the table below Table 2 NE safety system behaviour Normally energized NE Mode according to IEC 61508 ed 2 H...

Page 25: ...to correctly write their output channel signals If this function cannot be correctly executed the safety module or its output channel group depending on the fault scope has to go to a safe state In case of a channel fault the safe value de ener gized 0 is set for the given safety output channels In case of module fault no valid telegrams are gener ated by the safety output module to the Safety CPU...

Page 26: ...alization was connected directly to SM560 S Safety CPU which blocks the connection to SM560 S Only one connection to SM560 S Safety CPU is allowed at a time Disconnect CoDeSys visualiza tion from SM560 S Safety CPU 3 During closing or saving of the project modification of CoD eSys Safety project etc with PS501 Control Builder Plus ABB Automation Builder you may see that no reaction comes from the ...

Page 27: ...f ferent SM560 S Safety CPUs so that each SM560 S Safety CPU has less Safety I Os to handle 8 After login to CoDeSys Safety one can observe a long list of internal constants with a green font colour for PROFIsafe F Host instances In CoDeSys Safety the option Replace constants is selected Go in CoDeSys Safety menu to Project è Options è Build Unselect option Replace constants 9 No valid safety proj...

Page 28: ...s shown as CDCDCDCD which can be misleading since the boot project on SM560 S was not changed CoDeSys Safety does not sup port the described use case After powering off on of SM560 S Safety CPU the correct boot project CRC shall be shown for SM560 S 12 The serial driver is used to con nect to SM560 S Safety CPU One executes Login com mand shortly followed by Logout command in CoD eSys Safety and s...

Page 29: ...M560 S Safety CPU password close CoDeSys Safety instance and open it again The error message will not appear again 14 After power on Safety I O module goes to SAFE STOP state with both ERR LEDs ON The configured F_Dest_Add value in PS501 Control Builder Plus ABB Automation Builder project is not equal to the PRO FIsafe address switch value on the Safety I O module Make sure that F_Dest_Add value i...

Page 30: ...ned 19 During project download to SM560 S Safety CPU the download window stays with 0 bytes of downloaded code for ever or an error message pops up Enable debug parameter was set to OFF for SM560 S Safety CPU and this configura tion data was downloaded to PM5xx Set Enable debug parameter to ON generate a new con figuration and download CoD eSys project to PM5xx New project code can be now down loa...

Page 31: ...STOP state Non safety mode Safety I O mod ules go to module passivation state If you login to SM560 S Safety CPU then you can see OA_Req_S TRUE bits in PROFIsafe instances of F Devices The safety application is not executed by SM560 S Safety CPU but you still can set OA_C TRUE for F Devices and they will go to RUN mode SM560 S remains in DEBUG STOP state Non Safety all the time PROFIsafe F Host do...

Page 32: ...les e g CM579 PNIO etc can be simultaneously employed at one Non safety CPU However only one SM560 S Safety CPU can be operated simultaneously at one Non safety CPU The Safety CPU is programmed and configured via the dual port RAM using safety system configurator and CoDeSys Safety programming environment which are a part of the PS501 Control Builder Plus V2 2 1 or newer ABB Automation Builder 1 0...

Page 33: ...e review according to CoDeSys Safety Programming Guidelines Ä Chapter 4 4 CoDeSys Safety program ming guidelines on page 210 If case of exceptions during floating point operations e g due to usage of invalid arguments SM560 S Safety CPU goes to a SAFE STOP state or delivers a return value Infinity Note that the range of valid arguments in SM560 S Safety CPU for floating point functions is SIN and ...

Page 34: ...ge is switched on Data exchange between Safety and Non safety CPUs is possible using special library POUs SF_DPRAM_PM5XX_S_SEND SF_DPRAM_PM5XX_S_REC DPRAM_SM5XX_SEND and DPRAM_SM5XX_REC Ä Chapter 4 6 AC500 S Libraries on page 224 for further details on both CPUs DANGER It is of no concern to transfer data values from Safety CPU to Non safety CPU e g for diagnosis and later visualization on the ope...

Page 35: ...avoid continuous automatic restart of SM560 S after power supply is back within an allowed voltage range one can set the maximum allowed number of SM560 S restarts using POU SF_MAX_POWER_DIP_SET Ä Chapter 4 6 AC500 S Libraries on page 224 for further details As soon as the maximum allowed number of SM560 S restarts is exceeded the Safety CPU does not restart auto matically and remains in the SAFE ...

Page 36: ... switch address position on SM560 S Safety CPU NOTICE Despite the fact that SF_SM5XX_OWN_ADR function is a safety POU the hardware switch address value is a non safety value and needs additional measures to satisfy functional safety requirements 3 1 2 6 Firmware boot code and boot project update using SD card The firmware boot code and boot project update can be executed using standard AC500 SD ca...

Page 37: ... replacement of this device At the end of boot code and or firmware update SM560 S stays in DEBUG STOP state The updated firmware and or boot code can be started only after powering off on of SM560 S If firmware and or boot code update was not successful SM560 S goes to a SAFE STOP state with an I ERR LED ON Restart Safety CPU and if this error persists replace Safety CPU During boot project updat...

Page 38: ...to be performed according to the technical rules codes and relevant standards e g EN 60204 part 1 by skilled electricians only AC500 S Safety Modules SM560 S Safety CPU Mounting dimensions and electrical connection 30 03 2017 AC500 S 38 ...

Page 39: ...Y RUN STA ERR DIAG PWR RUN I ERR E ERR ADDR x10H 4 C 3 B 2 A 1 9 0 8 F 7 E 6 D 5 ADDR x01H 4 C 3 B 2 A 1 9 0 8 F 7 E 6 D 5 SM560 S Fig 6 Assembly instructions Insert the module below and then click in above Disassembly of SM560 S Fig 7 Disassembly instructions Press above and below then swing out the module and remove it AC500 S Safety Modules SM560 S Safety CPU Mounting dimensions and electrical ...

Page 40: ...N rail DIN rail Fig 8 Dimensions of SM560 S Safety CPU 3 1 4 Diagnosis and LED status display Safety CPU status is shown by its LEDs RUN LED is bicolored The following figure and table show posi tions and functions of 5 LEDs SM560 S DIAG PWR RUN I ERR E ERR Fig 9 LEDs for status display Table 3 Status display and its meaning LED Description Colour Status Meaning PWR Module power supply Green ON 3 ...

Page 41: ...4 6 AC500 S Libraries on page 224 for further details One of possible use cases is the visu alization of important external device errors BLINKING This LED can be set only from the user applica tion program using a special library POU SF_E_ERR_LED_SET Ä Chapter 4 6 AC500 S Libraries on page 224 for further details One of possible use cases is the visu alization of light external device errors OFF ...

Page 42: ...using e g diagshow all PLC browser command Table 4 List of error messages for SM560 S Error class Compo nent or Inter face Device Module Channel Error Error text Remedy E2 1 4 255 30 1 2 Internal PRO FIsafe initiali zation error Restart Safety PLC If this error persists replace Safety PLC Contact ABB technical support E2 1 4 255 30 2 2 Internal PRO FIsafe error Restart Safety PLC If this error per...

Page 43: ...this error persists replace Safety PLC E2 1 4 255 30 1 1 Wrong user data Delete user data from Safety PLC Restart Safety PLC and write user data again E2 1 4 255 30 1 0 Operation fin ished Change Safety PLC switch address setting or remove SD Card from non safety PLC Restart Safety PLC If this error persists replace Safety PLC E2 1 4 255 30 1 18 Internal error Contact ABB technical sup port Replac...

Page 44: ...Safety PLC E2 1 4 255 30 2 42 Internal error Contact ABB technical sup port Replace Safety PLC E2 1 4 255 30 2 1 Internal error Contact ABB technical sup port Replace Safety PLC E2 1 4 255 30 2 3 Internal error Contact ABB technical sup port Replace Safety PLC E2 1 4 255 30 2 54 Internal error Contact ABB technical sup port Replace Safety PLC E2 1 4 255 30 2 38 Internal error Contact ABB technical...

Page 45: ...ash write error pass word Warning E4 1 or 9 255 30 8 13 Flash write error user data Warning E4 1 or 9 255 30 9 13 Flash write error user data Warning E4 1 or 9 255 30 10 13 Flash write error internal Warning E4 1 or 9 255 30 11 13 Flash write error internal Warning E4 1 or 9 255 30 12 13 Flash write error internal Warning E4 1 or 9 255 30 1 4 Boot project not loaded maximum power dip reached Resta...

Page 46: ... message entries copies of original error messages from SM560 S Safety CPU are acknowledged from PM5xx Non safety CPU their original sources at SM560 S do not become at the same time acknowledged on SM560 S Safety CPU As a result error messages on SM560 S Safety CPU may exist as not acknowledged during a normal operation mode and can be used as a log if no access using CoDeSys Safety and its PLC B...

Page 47: ...itions between SM560 S states on page 50 3 1 5 1 Description of SM560 S module states INIT Ä Fig 10 This is a temporary system state which is left after internal safety diagnostic tests and start up procedures are executed RUN SM560 S DIAG PWR RUN I ERR E ERR In this state the safety application is normally executed provided that the boot project is loaded No fatal serious errors are available AC5...

Page 48: ...tate can be reached if CoDeSys online services from Online menu are used except Login Logout and Check boot project in PLC from safe RUN state The user can set a breakpoint in the safety program perform Single cycle program execution force and write variable values and execute other debugging functions of CoDeSys Safety If CoDeSys online service Stop is called or the breakpoint is reached in the s...

Page 49: ... values and sets FV_activated for all Safety I O modules If CoDeSys online service RUN is called in the safety application program SM560 S switches to DEBUG RUN state All CoDeSys online services are available in this state In case of CoDeSys online commands Step in Step over Single cycle and when the breakpoint is reached there is a switch between DEBUG RUN and DEBUG STOP states Ä Fig 11 transitio...

Page 50: ... values or Single cycle was used 8 DEBUG STOP SAFE STOP Fatal error E1 or serious error E2 was identified 9 RUN SAFE STOP Fatal error E1 or serious error E2 was identified 10 RUN DEBUG STOP n CoDeSys Safety online services Stop Sourcecode download or Reset various n Run button on PM5xx Non safety CPU Non safety CPU was in Run state n CoDeSys Non safety online services Stop or Reset various on PM5x...

Page 51: ...ubstitute values are used on SM560 S for all Safety I Os PROFIsafe F Host stack execution on SM560 S can be stopped only if it goes to SAFE STOP state no valid telegrams are generated by the device and I ERR LED ON Online CoDeSys commands Run and Stop have the same effect on SM560 S and PM5xx as Run button on Non safety CPU DANGER It is not possible to safely start Safety CPU using Run button on P...

Page 52: ...elegrams can reach Safety I O modules and they go to a passivation state after the watchdog time runs out n Actual state hardware and online If PM5xx is stopped SM560 S continues running SM560 S output values in safety telegrams will not be nulled by PM5xx Both hardware status of SM560 S communication interface and online display values remain intact As a result Safety I Os can receive safety tele...

Page 53: ...n modules including SM560 S Safety CPU will be done After restart of SM560 S Safety CPU Safety I O can be reintegrated using PROFIsafe F Device reintegration scheme 3 3 1 7 Technical data Use SM560 S Safety CPU up to SIL3 and PL e with PM573 PM583 PM592 or others with the firmware version from V2 2 1 pay attention to the required TB units SM560 S Safety CPU shall not to be used with AC500 eCo CPUs...

Page 54: ... point 0 50 µs Instruction Voltages according to EN 61131 2 Data Value Unit Process and supply voltage without ripple 24 15 20 V DC Absolute limits including ripple 19 2 30 V Ripple 5 Protection against reverse polarity 10 s DANGER Exceeding the maximum process or supply voltage range 35 V DC or 35 V DC could lead to unrecoverable damage of the system AC500 S Safety Modules SM560 S Safety CPU Tech...

Page 55: ...ng altitude 2000 m above sea level Storage altitude 3500 m above sea level Extended temperature ranges below 0 C and above 60 C can be supported in special versions of SM560 S Ä Appendix System data for AC500 S XC on page 446 Creepage distances and clearances The creepage distances and clearances meet the overvoltage category II pollution degree 2 Power supply units For the supply of modules power...

Page 56: ...1131 2 all three axes contin uous 3 5 mm 2 15 Hz Vibration resistance acc to EN 61131 2 all three axes contin uous 1 g 15 150 Hz Shock test all three axes 11 ms half sinusoidal 15 g MTBF 168 years Higher values on request Self test and diagnostic functions Start up and runtime tests Program flow control RAM CPU etc AC500 S Safety Modules SM560 S Safety CPU Technical data 30 03 2017 AC500 S 56 ...

Page 57: ...ns weight Data Value Unit W x H x D 28 x 135 x 75 mm Weight 100 g Certifications CE cUL Ä further certifications at www abb com plc AC500 S Safety Modules SM560 S Safety CPU Technical data 30 03 2017 AC500 S 57 ...

Page 58: ...configura tion with PROFINET PROFIsafe see Figure 2 3 PROFINET devices CI501 CI502 CI504 and CI506 Release date 2013 and newer can be used to attach Safety I O modules in remote configurations Safety I O modules can be freely mixed with any Non safety I Os from AC500 and AC500 eCo product families NOTICE Safety I O module firmware update can be currently performed only by the qualified personnel i...

Page 59: ...sitions related to powering off on and fatal errors Fig 14 provides an overview on the rest of transitions in Safety I O modules Fig 13 Overview of transitions related to powering off on and fatal errors in Safety I O modules Powering off on Fatal error AC500 S Safety Modules Generic Safety I O module behaviour Safety I O module states 30 03 2017 AC500 S 59 ...

Page 60: ... The Safety I O Module will remain in this state n as long as the undervoltage is detected n if the parameterization failed or pending n if the PROFIsafe communication is pending Users have to check that a dedicated qualifier output bit PROFIsafe diagnostic for at least one of the chan nels in the given Safety I O module is set to 1 to verify that PROFIsafe F Devices are initialized PROFIsafe stat...

Page 61: ...0 8 F 7 E 6 D 5 C 3 B 2 A 1 9 0 8 F 7 E 6 D 5 PROFIsafe communication is up and running The safety application is running without any detected errors PROFIsafe status bits in the F Host for Safety I O module OA_Req_S 0 FV_activated_S 0 Device_Fault 0 Process data bits in the Safety I O module process image PROFIsafe diagnostic bit 1 Channel process value Process value Reintegration request bit 0 A...

Page 62: ...e diagnostic bit s are also set to 0 to indicate the usage of fail safe values As soon as the channel error is gone e g wiring error was corrected this is valid only for those errors which are acknowledgeable the reintegration request bit for the given channel switches to 1 which indicates the safety application running on the Safety CPU that a reintegration of the channel is possible Setting the ...

Page 63: ...vice_Fault status bit 1 The fail safe value 0 is transferred to the Safety PLC for all passivated input channels if the connection to the PROFIsafe F Host is possible The safety application continuously attempts to establish a communica tion to the Safety CPU if the communication is broken All passivated output channels have a state of 0 A state transition to another RUN mode is only possible if t...

Page 64: ... The module and all its channels are passivated because the safety application on the Safety CPU requested a module passivation activate_FV_C 1 was set The fail safe value 0 is transferred to the Safety CPU for all passivated input channels All passivated output channels have a state of 0 The PROFIsafe diagnostic bit s for all channels have the state of 0 to indicate that fail safe values are tran...

Page 65: ...the Safety CPU for all passivated input channels All passivated output channels have a state of 0 The PROFIsafe diagnostic bits for all channels have the state of 0 to indicate that fail safe values are transferred The OA_Req_S bit is reported as 1 As soon as the safety application of the Safety CPU sets OA_C positive edge the Safety I O module goes to RUN ok state if no further errors are detecte...

Page 66: ...PROFIsafe communication is possible This state is reached if one of the fatal errors e g CPU test RAM test etc failed took place This state can be left only through powering off on of the process power supply 24 V or reboot command from PM5xx or CI5xx modules PROFIsafe status bits in the F Host for Safety I O module OA_Req_S 0 FV_activated_S 1 Device_Fault 0 Process data bits in the Safety I O mod...

Page 67: ...s possible are continued for the given channel to be able to see if the error is gone e g wiring error was cor rected As soon as the error is gone the module sets Reintegration request bit 1 for the given channel 8 RUN channel passivation reintegration RUN ok n The channel error is gone n Reintegration request bit 1 is set for the given channel by the Safety I O module n Acknowledge reintegration ...

Page 68: ...d go to RUN ok state automatically but short time before the activate_FV_C 1 com mand was sent from the PROFIsafe F Host stack which leads the Safety I O module to RUN module passivation with a command state 20 RUN user acknowledge ment request RUN module passivation Process undervoltage overvoltage was identified 21 RUN module passivation RUN user acknowledge ment request n Module error watchdog ...

Page 69: ... RUN channel passivation reintegra tion state 30 RUN module passivation RUN ok If the threshold shut down value was not reached during undervoltage phase and the process voltage is back in the normal range the Safety I O module reintegrates and goes to RUN ok state automatically If the threshold fuse value was not reached during overvoltage phase and the process voltage is back in the normal range...

Page 70: ...ontinuously supervise Device_Fault bit of the Safety I O module and if Device_Fault 1 is detected he passivates the module with activate_FV_C 1 If overvoltage 31 2 V is detected in the Safety I O module the module goes to RUN module passivation state until the process voltage did not reach the threshold fuse value 35 V when the Safety I O module is damaged and has to be replaced If the threshold f...

Page 71: ...3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 AI581 S UP 24VDC 2W 4SAI Safety Analog Input 3 8UP 3 9ZP 3 4 3 7 3 0I2 3 1FE 3 2I3 3 3FE 3 5 3 6 ERR1 2 9ZP 2 8UP 2 3 2 4 2 5 2 1 2 7 2 6 2 2I1 2 0I0 ERR2 4 9ZP 4 8UP 4 7 4 2I3 4 0I2 4 6 4 5 4 4 4 3 4 1 PWR 1 9ZP 1 8UP 1 7 1 4 1 0I0 1 2I1 1 3FE 1 1FE 1 5 1 6 ADDR x10H ADDR x01H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D...

Page 72: ...module Check channel wiring and sensor power supply E3 14 1 10 1 0 3 7 Measurement underflow at the I O module Check channel wiring and sensor power supply E3 14 1 10 1 0 3 55 Channel value difference too high Adjust tolerance window for channels Check channel wiring and sensor configu ration E3 14 1 10 0 0 15 3 Discrepancy time expired Check discrepancy time value channel wiring and sensor E3 14 ...

Page 73: ...messages for Safety I O modules channel or module reintegration is not possible Error class Compo nent or Inter face Device Module Channel Error Error text Remedy E3 14 1 10 31 31 28 F Parameter configuration and address switch value do not match Check I O module F Parameter configuration and module address switch value E3 14 1 10 31 31 26 Parameter value Check master or configura tion E3 14 1 10 ...

Page 74: ... D 5 1 2 3 4 6 7 8 10 9 4 5 5 8 Fig 16 Safety digital input module DI581 S plugged on Terminal Unit TU582 S 1 I O Bus 2 System LED 3 Allocation terminal No signal name 4 16 yellow red LEDs signal status I0 I7 I8 I15 5 8 unique phase shifted test pulse outputs T0 T3 T4 T7 6 2 rotary switches for PROFIsafe address 7 Green LED process voltage UP 8 Red LEDs to display errors 9 Label TA525 10 I O Termi...

Page 75: ...r 3 3 7 Circuit examples on page 85 DI581 S contains 16 safety digital inputs 24 V DC separated in two groups 2 0 2 7 and 4 0 4 7 with no potential separation between the channels The inputs are not electrically isolated from the other electronic circuitry of the module AC500 S Safety Modules DI581 S digital safety input module Purpose 30 03 2017 AC500 S 75 ...

Page 76: ...put channels I8 and I9 T5 can be used only with input channels I10 and I11 T6 can be used only with input channels I12 and I13 T7 can be used only with input channels I14 and I15 n Input delay with the following values 1 ms 2 ms 5 ms 10 ms 15 ms 30 ms 50 ms 100 ms 200 ms 500 ms Input delay value of 1 ms is the minimum one NOTICE The allowed signal frequency on safety digital inputs is dependent on...

Page 77: ...accuracy values can be estimated based on the input delay parameter value in the table below Input delay ms Input delay accuracy ms 1 2 2 2 5 3 10 4 15 5 30 6 50 7 100 10 200 15 500 25 n Checking of process power supply Diagnostic message is sent from the Safety I O module to the CPU informing about the lack of process power supply for the given Safety I O module This function is a non safety one ...

Page 78: ...ad to the machine start because both TRUE TRUE and FALSE FALSE are valid states for equivalence and TRUE FALSE and FALSE TRUE are valid states for antivalence Make sure that such behaviour is acceptable in your safety application If no then you can use either included PLCopen Safety POUs for 2 channel evaluation in your safety programm or write your own POUs for 2 channel evaluation on SM560 S Saf...

Page 79: ...do 2 channel equivalent and 2 channel antivalent evaluation at SM560 S Safety CPU using PLCopen Safety FBs SF_Equivalent and SF_Antivalent Ä Chapter 4 6 6 2 SF_Equiva lent on page 269 and Ä Chapter 4 6 6 3 SF_Antivalent on page 274 3 3 3 Mounting dimensions and electrical connection The input modules can be plugged only on spring type TU582 S I O Terminal Unit The unique mechanical coding on I O T...

Page 80: ...0 2 1 2 2 2 3 2 4 2 5 2 6 2 7 2 8 2 9 3 0 3 1 3 2 3 3 3 4 3 5 3 6 3 7 3 8 3 9 4 0 4 1 4 2 4 3 4 4 4 5 4 6 4 7 4 8 4 9 DX581 S 3 8UP 3 9ZP 3 7 3 0T2 3 1 3 2T3 3 3 3 5 3 4 3 6 UP 24VDC 100W 8SDI 8SDO Safety Digital Input 24VDC Safety Digital Output 24VDC 0 5A ERR2 4 9ZP 4 2I6 4 0I4 4 1I5 4 3I7 4 4O4 4 5O5 4 6O6 4 7O7 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4O0 2 5O1 2 6O2 2 7O3 2 8UP PWR 1 9ZP 1 ...

Page 81: ...of DI581 S Fig 20 Disassembly instructions Press above and below then remove the module AC500 S Safety Modules DI581 S digital safety input module Mounting dimensions and electrical connection 30 03 2017 AC500 S 81 ...

Page 82: ... If TU582 S is wired for DX581 S module with Safety digital outputs and DI581 S or AI581 S modules are occasionally placed on this Terminal Unit under no circumstances it is possible that Safety digital output clamps on TU582 S become energized due to a wrongly placed DI581 S or AI581 S Safety I O modules The electrical connection of the I O channels is carried out using 40 terminals of the I O Te...

Page 83: ...single channel Ix 1 8 1 9 UP 24 V ZP 0 V 4 8 4 9 3 8 3 9 2 8 2 9 I0 2 0 I1 2 1 I2 2 2 I3 2 3 I4 2 4 I5 2 5 I6 2 6 I7 2 7 I8 4 0 I9 4 1 I10 4 2 I11 4 3 I12 4 4 I13 4 5 I14 4 6 I15 4 7 T0 1 0 T1 1 2 T2 1 4 T3 1 6 T4 3 0 T5 3 2 T6 3 4 T7 3 6 Uout Uout Uout Uout Uout Uout Uout Uout Fig 22 Example of electrical connections with DI581 S UP Ix ZP Fig 23 Example of single channel with DI581 S AC500 S Safe...

Page 84: ...3 3 5 I O configuration The safety digital input module DI581 S does not store configuration data itself The configuration data is stored on SM560 S and PM5xx CPUs AC500 S Safety Modules DI581 S digital safety input module I O configuration 30 03 2017 AC500 S 84 ...

Page 85: ... 100 ms 150 ms 200 ms 250 ms 300 ms 400 ms 500 ms 750 ms 1 s 2 s 3 s 4 s 5 s 10 s 20 s 30 s 50 ms Available only for 2 channel equivalent and 2 channel antivalent configuration 3 3 7 Circuit examples Examples of electrical connections and reachable SIL IEC 61508 ed 2 and IEC 62061 Category EN 954 and PL ISO 13849 with DI581 S module are presented below NOTICE Whenever DC High is used in the circui...

Page 86: ...UP ERR1 2 9 ZP 2 2 I2 2 0 I0 2 1 I1 2 3 I3 2 4 I4 2 5 I5 2 6 I6 2 7 I7 2 8 UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4T2 1 6T3 ADDR x01H ADDR x10H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 24 Circuit example DI581 S 1 channel sensor 24 V DC 1 MTTFd High DC 0 2 Max reachable ISO 13849 IEC 62061 EN 954 without error exclusion you can reach higher levels up to PL e SI...

Page 87: ... 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4I4 2 5I5 2 6I6 2 7I7 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4T2 1 6T3 ADDR x01H ADDR x10H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 25 Circuit example DI581 S 1 channel OSSD output with internal tests external sensor power supply 1 MTTFd High DC 0 2 Max reachable ISO 13849 IEC 62061 EN 954 without error exclusion y...

Page 88: ...11 4 4I12 4 5I13 4 6I14 4 7I15 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4I4 2 5I5 2 6I6 2 7I7 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4T2 1 6T3 ADDR x01H ADDR x10H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 26 Circuit example DI581 S 2 channel sensor equivalent 24 V DC 1 MTTFd High DC Medium 2 Max reachable ISO 13849 IEC 62061 EN 954 without error exclusion y...

Page 89: ...11 4 4I12 4 5I13 4 6I14 4 7I15 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4I4 2 5I5 2 6I6 2 7I7 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4T2 1 6T3 ADDR x01H ADDR x10H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 27 Circuit example DI581 S 2 channel sensor antivalent 24 V DC 1 MTTFd High DC Medium 2 Max reachable ISO 13849 IEC 62061 EN 954 without error exclusion y...

Page 90: ... 0I8 4 1I9 4 3I11 4 4I12 4 5I13 4 6I14 4 7I15 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4I4 2 5I5 2 6I6 2 7I7 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4T2 1 6T3 ADDR x01H ADDR x10H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 28 Circuit example DI581 S 2 channel OSSD output with internal tests external sensor power supply 1 MTTFd High DC High 2 Max reachable ISO ...

Page 91: ...4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4I4 2 5I5 2 6I6 2 7I7 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4T2 1 6T3 ADDR x01H ADDR x10H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 29 Circuit example DI581 S 1 channel sensor with test pulses 1 MTTFd High DC Medium 2 Max reachable ISO 13849 IEC 62061 EN 954 without error exclusion you can reach higher levels up to ...

Page 92: ...4 2I10 4 0I8 4 1I9 4 3I11 4 4I12 4 5I13 4 6I14 4 7I15 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4I4 2 5I5 2 6I6 2 7I7 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4T2 1 6T3 ADDR x01H ADDR x10H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 30 Circuit example DI581 S 2 channel sensor equivalent with test pulses 1 MTTFd High DC Medium 2 Max reachable ISO 13849 IEC 62061 ...

Page 93: ... 2I10 4 0I8 4 1I9 4 3I11 4 4I12 4 5I13 4 6I14 4 7I15 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4I4 2 5I5 2 6I6 2 7I7 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4T2 1 6T3 ADDR x01H ADDR x10H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 31 Circuit example DI581 S 2 channel sensor equivalent with test pulses 1 MTTFd High DC High 2 Max reachable ISO 13849 IEC 62061 EN ...

Page 94: ...I8 4 1I9 4 3I11 4 4I12 4 5I13 4 6I14 4 7I15 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4I4 2 5I5 2 6I6 2 7I7 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4T2 1 6T3 ADDR x01H ADDR x10H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 OSSD Fig 32 Circuit example DI581 S 2 x OSSD output with internal tests external sensor power supply 1 MTTFd High DC High 2 Max reachable ISO 138...

Page 95: ...4 2I10 4 0I8 4 1I9 4 3I11 4 4I12 4 5I13 4 6I14 4 7I15 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4I4 2 5I5 2 6I6 2 7I7 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4T2 1 6T3 ADDR x01H ADDR x10H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 33 Circuit example DI581 S 2 separate sensors with test pulses 1 MTTFd High DC Medium 2 Max reachable ISO 13849 IEC 62061 EN 954 wi...

Page 96: ...DC 3 8UP 3 9ZP 3 7 3 0T4 3 1 3 2T5 3 3 3 5 3 4T6 3 6T7 ERR2 4 9ZP GND 24 VDC 4 2I10 4 0I8 4 1I9 4 3I11 4 4I12 4 5I13 4 6I14 4 7I15 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4I4 2 5I5 2 6I6 2 7I7 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4T2 1 6T3 ADDR x01H ADDR x10H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 34 Circuit example DI581 S 2 x 2 channel sensor antiva...

Page 97: ...5 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4I4 2 5I5 2 6I6 2 7I7 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4T2 1 6T3 ADDR x01H ADDR x10H Mode switch C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 35 Circuit example DI581 S mode switch 1 from 4 24 V DC 1 MTTFd High DC Low 2 Max reachable ISO 13849 IEC 62061 EN 954 without error exclusion you can reach higher levels ...

Page 98: ...y voltage OK PWR 3 3 V voltage from IO Bus Green 3 3 V IO Bus voltage is not avail able 3 3 V IO Bus voltage is available ERR1 Module error indicator 1 Red No module error Module error which leads to a SAFE STOP state Module passivation and or acknowl edgement request alternating blinking ERR2 Module error indicator 2 Red 3 3 9 Technical data NOTICE DI581 S XC version is available for usage in ext...

Page 99: ...r module electronics 0 18 A Inrush current from UP at 30 V at power up 0 1 A2s Inrush current from UP at 24 V at power up 0 06 A2s NOTICE All DI581 S channels including test pulse outputs are protected against reverse polarity reverse supply short circuit and continuous overvoltage up to 30 V DC Mounting position Horizontal or vertical with derating maximal operating temperature reduced to 40 C Co...

Page 100: ...de 2000 m above sea level Storage altitude 3500 m above sea level Extended temperature ranges below 0 C and above 60 C can be supported in special versions of DI581 S Ä Appendix System data for AC500 S XC on page 446 Creepage distances and clearances The creepage distances and clearances meet the overvoltage category II pollution degree 2 Power supply units For the supply of modules power supply u...

Page 101: ...nce acc to EN 61131 2 all three axes contin uous 1 g 15 150 Hz Shock test all three axes 11 ms half sinusoidal 15 g MTBF 102 years Higher values on request Self test and diagnostic functions Start up and runtime tests Program flow control RAM CPU cross talk stuck at 1 etc AC500 S Safety Modules DI581 S digital safety input module Technical data 30 03 2017 AC500 S 101 ...

Page 102: ...Data Value Unit W x H x D 67 5 x 76 x 62 mm Weight 130 g Certifications CE cUL Ä further certifications at www abb com plc AC500 S Safety Modules DI581 S digital safety input module Technical data 30 03 2017 AC500 S 102 ...

Page 103: ...l for all inputs minus pole of the process supply voltage signal name ZP 1 9 4 9 Electrical isolation from the rest of the module I O Bus Yes Input type acc to EN 61131 2 Type 1 Input delay 0 1 or 1 0 configurable 1 500 ms Input signal indication One yellow LED per channel the LED is ON when the input signal is high signal 1 AC500 S Safety Modules DI581 S digital safety input module Technical data...

Page 104: ...t voltage 15 V 4 mA Input voltage 30 V 8 mA Cable length Data Value Unit Max cable length shielded 1000 m Max cable length unshielded 600 m 3 3 9 2 Technical data of non safety test pulse outputs DANGER Exceeding the maximum process or supply voltage range 35 V DC or 35 V DC could lead to unrecoverable damage of the system AC500 S Safety Modules DI581 S digital safety input module Technical data 3...

Page 105: ... V Length of test pulse 0 phase 1 ms Output current Data Value Unit Rated value per channel 10 mA Maximum value all channels together 80 mA Short circuit proof overload proof yes Output current limitation 65 mA Resistance to feedback against 24V signals yes Cable length Data Value Unit Max cable length shielded 1000 m Max cable length unshielded 600 m 3 3 10 Ordering data Type Description Order co...

Page 106: ...1 2 3 4 7 8 9 11 10 4 5 5 9 Fig 36 Safety digital input output module DX581 S plugged on Terminal Unit TU582 S 1 I O Bus 2 System LED 3 Allocation terminal No signal name 4 8 yellow red LEDs signal status I0 I3 I4 I7 5 4 Test pulse outputs T0 T1 T2 T3 6 8 yellow red LEDs signal status O0 O3 O4 O7 7 2 rotary switches for PROFIsafe address 8 Green LED process voltage UP 9 Red LEDs to display errors ...

Page 107: ...es on page 117 DX581 S contains 8 safety digital inputs 24 V DC separated in two groups 2 0 2 3 and 4 0 4 3 and 8 safety digital transistor outputs with no potential separation between the channels The inputs outputs are not electrically isolated from the other electronic circuitry of the module AC500 S Safety Modules DX581 S digital safety input output module Purpose 30 03 2017 AC500 S 107 ...

Page 108: ...nly with input channels I4 and I5 T3 can be used only with input channels I6 and I7 n Input delay with the following values 1 ms 2 ms 5 ms 10 ms 15 ms 30 ms 50 ms 100 ms 200 ms 500 ms Input delay value of 1 ms is the minimum one NOTICE The allowed signal frequency on safety digital inputs is dependent on the input delay value for the given channel For channel input delay values of 1 10 ms the puls...

Page 109: ...put delay accuracy values can be estimated based on the input delay parameter value Input delay ms Input delay accuracy ms 1 2 2 2 5 3 10 4 15 5 30 6 50 10 100 15 200 25 500 50 n Checking of process power supply Diagnostic message is sent from the Safety I O module to the CPU informing about the lack of process power supply for the given Safety I O module This function is a non safety one and is n...

Page 110: ...o the machine start because both TRUE TRUE and FALSE FALSE are valid states for equivalence and TRUE FALSE and FALSE TRUE are valid states for antivalence Make sure that such behaviour is acceptable in your safety application If no then you can use either included PLCopen Safety POUs for 2 channel evaluation in your safety programm or write your own POUs for 2 channel evaluation on SM560 S Safety ...

Page 111: ... S and DX581 S then it is highly recommended to configure related channels in 1 channel mode and do 2 channel equivalent and 2 channel antivalent evaluation at SM560 S Safety CPU using PLCopen Safety FBs SF_Equivalent and SF_Antivalent Ä Chapter 4 6 6 2 SF_Equiva lent on page 269 and Ä Chapter 4 6 6 3 SF_Antivalent on page 274 DX581 S contains 8 safety digital output channels with the following fe...

Page 112: ...ety output channel it is directly passivated by DX581 S module Note that for some errors the reintegration request bit for passivated output channels is automatically set to HIGH as soon as the channel is passivated and the expected LOW state 0 value was reached by the output channel Such behavior can be seen for some errors because DX581 S module is not able in the LOW 0 value output channel stat...

Page 113: ...9ZP 3 7 3 0T2 3 1 3 2T3 3 3 3 5 3 4 3 6 UP 24VDC 100W 8SDI 8SDO Safety Digital Input 24VDC Safety Digital Output 24VDC 0 5A ERR2 4 9ZP 4 2I6 4 0I4 4 1I5 4 3I7 4 4O4 4 5O5 4 6O6 4 7O7 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4O0 2 5O1 2 6O2 2 7O3 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4 1 6 ADDR x10H 4 C 3 B 2 A 1 9 0 8 F 7 E 6 D 5 ADDR x01H 4 C 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 39 Ass...

Page 114: ...gital outputs and DI581 S or AI581 S modules are occasionally placed on this terminal unit under no circurmstances it is possible that Safety digital output clamps on TU582 S become energized due to a wrongly placed DI581 S and AI581 S Safety I O modules The electrical connection of the I O channels is carried out using 40 terminals of the I O Terminal Unit I O modules can be replaced without re w...

Page 115: ...amples of electrical connections with DX581 S module single channels Ix and Ox 1 8 1 9 UP 24 V ZP 0 V 4 8 4 9 3 8 3 9 2 8 2 9 I0 2 0 I1 2 1 I2 2 2 I3 2 3 I4 4 0 I5 4 1 I6 4 2 I7 4 3 T0 1 0 T1 1 2 T2 3 0 T3 3 2 2 4 O0 2 5 O1 2 6 O2 2 7 O3 4 4 O4 4 5 O5 4 6 O6 4 7 O7 Uout Uout Uout Uout Fig 42 Example of electrical connections with DX581 S AC500 S Safety Modules DX581 S digital safety input output m...

Page 116: ...s bytes 5 Outputs bytes 3 3 4 5 I O configuration The safety digital input output module DX581 S does not store configuration data itself The configuration data is stored on SM560 S and PM5xx CPUs AC500 S Safety Modules DX581 S digital safety input output module I O configuration 30 03 2017 AC500 S 116 ...

Page 117: ... channel con figuration Not used Used Not used 7 Detection internal output channel test Off On On Available only for 2 channel equivalent and 2 channel antivalent configuration 3 4 7 Circuit examples Examples of electrical connections and reachable SIL CL IEC 61508 ed 2 and IEC 62061 PL ISO 13849 and Category EN 954 with DX581 S module are presented below Note that electrical connections presented...

Page 118: ...iple I O Whenever DC Medium is used in the circuit examples for safety digital outputs any of the measures for output devices with DC 90 can be used from ISO 13849 1 10 DANGER The reachable SIL CL IEC 62061 SIL IEC 61508 ed 2 and PL ISO 13849 levels for safety out puts of DX581 S module are only valid if the parameter Detection On If the parameter Detection Off then contact ABB technical support t...

Page 119: ... 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4O0 2 5O1 2 6O2 2 7O3 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4 1 6 ADDR x10H ADDR x01H GND 24 VDC Readback contact with or without K1 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 44 Circuit example DX581 S Relay 1 Without readback contact Max reachable ISO 13849 IEC 62061 EN 954 without error exclusion you can reach high...

Page 120: ...SIL 3 Cat 4 with error exclusion MTTFd High DC Medium 4 With readback contact Max reachable SIL acc IEC 61508 Typ A components are required without error exclusion you can reach higher level up to SIL 3 with error exclusion AC500 S Safety Modules DX581 S digital safety input output module Circuit examples 30 03 2017 AC500 S 120 ...

Page 121: ... 4 5O5 4 6O6 4 7O7 4 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4O0 2 5O1 2 6O2 2 7O3 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4 1 6 ADDR x10H ADDR x01H GND 24 VDC C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Readback contact with or without K1 K2 Fig 45 Circuit example DX581 S Relay 2 channel redundant 1 Without readback contact Max reachable ISO 13849 IEC 62061 EN 954...

Page 122: ... SIL 3 Cat 4 with error exclusion MTTFd High DC High 4 With readback contact Max reachable SIL acc IEC 61508 Typ A components are required without error exclusion you can reach higher level up to SIL 3 with error exclusion AC500 S Safety Modules DX581 S digital safety input output module Circuit examples 30 03 2017 AC500 S 122 ...

Page 123: ...1 5 1 4 1 6 ADDR x10H ADDR x01H GND 24 VDC C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Control input e g Drive 1 channel GND E1 Readback contact with or without Fig 46 Circuit example DX581 S Transistor input 1 channel 1 Without readback contact Max reachable ISO 13849 IEC 62061 EN 954 without error exclusion you can reach higher levels up to PL e SIL 3 Cat 4 with error exclusi...

Page 124: ... SIL acc IEC 61508 Typ A components are required without error exclusion you can reach higher level up to SIL 3 with error exclusion AC500 S Safety Modules DX581 S digital safety input output module Circuit examples 30 03 2017 AC500 S 124 ...

Page 125: ...1 0T0 1 2T1 1 3 1 1 1 5 1 4 1 6 ADDR x10H ADDR x01H GND 24 VDC C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Control input 2 channel e g Drive E1 E2 GND Readback contact with or without Fig 47 Circuit example DX581 S Transistor input 2 channel 1 Without readback contact Max reachable ISO 13849 IEC 62061 EN 954 without error exclusion you can reach higher levels up to PL e SIL 3 C...

Page 126: ... 8UP ERR1 2 9ZP 2 2I2 2 0I0 2 1I1 2 3I3 2 4O0 2 5O1 2 6O2 2 7O3 2 8UP PWR 1 9ZP 1 8UP 1 7 1 0T0 1 2T1 1 3 1 1 1 5 1 4 1 6 ADDR x10H ADDR x01H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 GND 24 VDC User acknowledgement Feedback loop 3 Motor K2 K1 L Safety door contact 2 Safety door contact 1 E Stop K1 K2 Fig 48 Application example with DX581 S 3 4 8 LED status display Table 8 St...

Page 127: ...ge is not avail able 3 3 V IO Bus voltage is available ERR1 Module error indicator 1 Red No module error Module error which leads to a SAFE STOP state Module passivation and or acknowl edgement request alternating blinking ERR2 Module error indicator 2 Red 3 4 9 Technical data NOTICE DX581 S XC version is available for usage in extreme environmental conditions Ä Appendix System data for AC500 S XC...

Page 128: ...ush current from UP at 30 V at power up 0 1 A2s Inrush current from UP at 24 V at power up 0 06 A2s NOTICE All DX581 S channels including test pulse outputs are protected against reverse polarity reverse supply short circuit and continuous overvoltage up to 30 V DC Mounting position Horizontal or vertical with derating output load reduced to 50 at 40 C per group and with maximal oper ating tempera...

Page 129: ...2000 m above sea level Storage altitude 3500 m above sea level Extended temperature ranges below 0 C and above 60 C can be supported in special versions of DX581 S Ä Appendix System data for AC500 S XC on page 446 Creepage distances and clearances The creepage distances and clearances meet the overvoltage category II pollution degree 2 Power supply units For the supply of modules power supply unit...

Page 130: ... acc to EN 61131 2 all three axes contin uous 1 g 15 150 Hz Shock test all three axes 11 ms half sinusoidal 15 g MTBF 73 years Higher values on request Self test and diagnostic functions Start up and runtime tests Program flow control RAM CPU cross talk stuck at 1 etc AC500 S Safety Modules DX581 S digital safety input output module Technical data 30 03 2017 AC500 S 130 ...

Page 131: ...a Value Unit W x H x D 67 5 x 76 x 62 mm Weight 130 g Certifications CE cUL Ä further certifications at www abb com plc AC500 S Safety Modules DX581 S digital safety input output module Technical data 30 03 2017 AC500 S 131 ...

Page 132: ... all inputs minus pole of the process supply voltage signal name ZP 1 9 4 9 Electrical isolation from the rest of the module I O Bus Yes Input type acc to EN 61131 2 Type 1 Input delay 0 1 or 1 0 configurable 1 500 ms Input signal indication One yellow LED per channel the LED is ON when the input signal is high signal 1 AC500 S Safety Modules DX581 S digital safety input output module Technical da...

Page 133: ...t voltage 15 V 4 mA Input voltage 30 V 8 mA Cable length Data Value Unit Max cable length shielded 1000 m Max cable length unshielded 600 m 3 4 9 2 Technical data of safety digital outputs DANGER Exceeding the maximum process or supply voltage range 35 V DC or 35 V DC could lead to unrecoverable damage of the system AC500 S Safety Modules DX581 S digital safety input output module Technical data 3...

Page 134: ...ther 4 A Leakage current with signal 0 0 5 mA Short circuit proof overload proof yes Overload message channel passivation I 0 7 A yes Output current limitation automatic reactivation after short cir cuit overload yes Resistance to feedback against 24 V signals yes Demagnetization by internal suppressor diods when switching off inductive loads yes Rated protection fuse on UP 4 5 A Switching frequen...

Page 135: ...gnal 1 UP 0 8 V Length of test pulse 0 phase 1 ms Output current Data Value Unit Rated value per channel 10 mA Maximum value all channels together 40 mA Short circuit proof overload proof yes Output current limitation 65 mA Resistance to feedback against 24V signals yes Cable length Data Value Unit Max cable length shielded 1000 m Max cable length unshielded 600 m 3 4 10 Ordering data Type Descrip...

Page 136: ... 9 0 8 F 7 E 6 D 5 1 2 3 4 5 6 7 9 8 4 7 Fig 49 Safety analog input module AI581 S plugged on Terminal Unit TU582 S 1 I O Bus 2 System LED 3 Allocation terminal No signal name 4 4 yellow red LEDs signal status I0 I1 I2 I3 5 2 rotary switches for PROFIsafe address 6 Green LED process voltage UP 7 Red LEDs to display errors 8 Label TA525 9 I O Terminal Unit TU582 S 3 5 1 Purpose Safety analog input ...

Page 137: ...r 3 5 7 Circuit examples on page 144 AI581 S contains 4 safety current analog inputs separated in two groups 2 0 2 2 and 4 0 4 2 with no potential separation between the channels The inputs are not electrically isolated from the other electronic circuitry of the module AC500 S Safety Modules AI581 S analog safety input module Purpose 30 03 2017 AC500 S 137 ...

Page 138: ...ode Tolerance range 4 12 can be set for 2 channel mode NOTICE In a 2 channel mode the lower channel channels 0 2 Channel 0 channels 1 3 Channel 1 etc transports the aggregated process value PROFIsafe diagnostic bit acknowledgement request and acknowledge reintegration information The higher channel always provides the passivated value 0 NOTICE The maximal internal discrepancy time between two chan...

Page 139: ...ls are passivated and 0 process values are delivered to the Safety CPU 3 5 3 Mounting dimensions and electrical connection The input modules can be plugged only on spring type TU582 S I O Terminal Unit The unique mechanical coding on I O Terminal Units prevents a potential mistake of placing the Non safety I O module on Safety I O Terminal Unit and the other way around Installation and maintenance...

Page 140: ... 5 4 6 4 7 4 8 4 9 AI581 S UP 24VDC 2W 4SAI Safety Analog Input 3 8UP 3 9ZP 3 4 3 7 3 0I2 3 1FE 3 2I3 3 3FE 3 5 3 6 ERR1 2 9ZP 2 8UP 2 3 2 4 2 5 2 1 2 7 2 6 2 2I1 2 0I0 ERR2 4 9ZP 4 8UP 4 7 4 2I3 4 0I2 4 6 4 5 4 4 4 3 4 1 PWR 1 9ZP 1 8UP 1 7 1 4 1 0I0 1 2I1 1 3FE 1 1FE 1 5 1 6 ADDR x10H 4 C 3 B 2 A 1 9 0 8 F 7 E 6 D 5 ADDR x01H 4 C 3 B 2 A 1 9 0 8 F 7 E 6 D 5 Fig 50 Assembly instructions 1 Put the...

Page 141: ...cal connection NOTICE The same TU582 S is used by all AC500 S Safety I O modules If TU582 S is wired for DX581 S module with Safety digital outputs and DI581 S or AI581 S modules are occasionally placed on this terminal unit under no circumstances it is possible that Safety digital output clamps on TU582 S become energized due to a wrongly placed DI581 S and AI581 S Safety I O modules The electric...

Page 142: ...n between the analog circuitry and ZP UP Therefore analog sensors must be electrically isolated in order to avoid loops via the earth potential or supply voltage NOTICE Analog signals are always laid in shielded cables The cable shields are earthed at both ends of the cables In order to avoid unacceptable potential differences between different parts of the installation low resistance equipotentia...

Page 143: ...the connection diagram is built in in AI581 S module I0 I3 0 20 mA 4 20 mA Fig 54 Example of single channels with AI581 S 3 5 4 Internal data exchange Inputs bytes 9 Outputs bytes 1 3 5 5 I O configuration The safety analog input module AI581 S does not store configuration data itself The configuration data is stored on SM560 S and PM5xx CPUs AC500 S Safety Modules AI581 S analog safety input modu...

Page 144: ...9 10 11 12 4 5 Used value Min Max used only for 2 channel 4 20 mA mode Minimum Maximum Minimum 3 5 7 Circuit examples Examples of electrical connections and reachable SIL CL IEC 61508 ed 2 and IEC 62061 Category EN 954 and PL ISO 13849 with AI581 S module are presented below NOTICE Whenever DC High is used in the circuit examples for safety analog inputs the following measure from ISO 13849 1 10 i...

Page 145: ...2 3 2 4 2 5 2 1 2 7 2 6 2 2I1 2 0I0 ERR2 4 9ZP Sensor 0 20 mA 24VDC GND 4 8UP 4 7 4 2I3 4 0I2 4 6 4 5 4 4 4 3 4 1 PWR 1 9ZP 1 8UP 1 7 1 4 1 0I0 1 2I1 1 3FE 1 1FE 1 5 1 6 ADDR x10H ADDR x01H Fig 55 Circuit example AI581 S analog sensor 0 20 mA 1 MTTFd High DC Low 2 Max reachable ISO 13849 IEC 62061 EN 954 without error exclusion you can reach higher levels up to PL e SIL 3 Cat 4 with error exclusio...

Page 146: ...2 3 2 4 2 5 2 1 2 7 2 6 2 2I1 2 0I0 ERR2 4 8UP 4 7 4 2I3 4 0I2 4 6 4 5 4 4 4 3 4 1 PWR 1 9ZP 1 8UP 1 7 1 4 1 0I0 1 2I1 1 3FE 1 1FE 1 5 1 6 ADDR x10H ADDR x01H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 4 9ZP Sensor 0 20mA 24VDC GND Sensor 0 20mA Fig 56 Circuit example AI581 S 2 analog sensors 0 20 mA 1 MTTFd High DC Medium 2 Max reachable ISO 13849 IEC 62061 EN 954 without err...

Page 147: ... 3 2 4 2 5 2 1 2 7 2 6 2 2I1 2 0I0 ERR2 4 9ZP Sensor 4 20mA 24VDC GND 4 8UP 4 7 4 2I3 4 0I2 4 6 4 5 4 4 4 3 4 1 PWR 1 9ZP 1 8UP 1 7 1 4 1 0I0 1 2I1 1 3FE 1 1FE 1 5 1 6 ADDR x10H ADDR x01H Fig 57 Circuit example AI581 S analog sensor 4 20 mA 1 MTTFd High DC Medium 2 Max reachable ISO 13849 IEC 62061 EN 954 without error exclusion you can reach higher levels up to PL e SIL 3 Cat 4 with error exclusi...

Page 148: ... 2 3 2 4 2 5 2 1 2 7 2 6 2 2I1 2 0I0 ERR2 4 8UP 4 7 4 2I3 4 0I2 4 6 4 5 4 4 4 3 4 1 PWR 1 9ZP 1 8UP 1 7 1 4 1 0I0 1 2I1 1 3FE 1 1FE 1 5 1 6 ADDR x10H ADDR x01H C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 C 4 3 B 2 A 1 9 0 8 F 7 E 6 D 5 4 9ZP Sensor 4 20mA 24VDC GND Sensor 4 20mA Fig 58 Circuit example AI581 S 2 analog sensors 4 20 mA 1 MTTFd High DC High 2 Max reachable ISO 13849 IEC 62061 EN 954 without erro...

Page 149: ...tage OK PWR 3 3 V voltage from IO Bus Green 3 3 V IO Bus voltage is not avail able 3 3 V IO Bus voltage is available ERR1 Module error indicator 1 Red No module error Module error which leads to a SAFE STOP state Module passivation and or acknowl edgement request alternating blinking ERR2 Module error indicator 2 Red 3 5 9 Technical data NOTICE AI581 S XC version is available for usage in extreme ...

Page 150: ...r at factory and resolution within the normal range typically 1 Conversion error of the analog values caused by non linearity adjustment error at factory and resolution within the normal range max 1 5 Maximum signal frequency 70 Hz Current consumption from UP at normal operation with 24 V DC for module electronics 0 18 A Inrush current from UP at 30 V at power up 0 1 A s Inrush current from UP at ...

Page 151: ...cables 0 14 mm Max analog cable length shielded 100 m Cooling The natural convection cooling must not be hindered by cable ducts or other parts in the switchgear cabinet AC500 S Safety Modules AI581 S analog safety input module Technical data 30 03 2017 AC500 S 151 ...

Page 152: ...ude 2000 m above sea level Storage altitude 3500 m above sea level Extended temperature ranges below 0 C and above 60 C can be supported in special versions of AI581 S Ä Appendix System data for AC500 S XC on page 446 Creepage distances and clearances The creepage distances and clearances meet the overvoltage category II pollution degree 2 Power supply units For the supply of modules power supply ...

Page 153: ...on resistance acc to EN 61131 2 all three axes contin uous 1 g 15 150 Hz Shock test all three axes 11 ms half sinusoidal 15 g MTBF 102 years Higher values on request Self test and diagnostic functions Start up and runtime tests Program flow control RAM CPU ADC etc AC500 S Safety Modules AI581 S analog safety input module Technical data 30 03 2017 AC500 S 153 ...

Page 154: ... Unit W x H x D 67 5 x 76 x 62 mm Weight without Terminal Unit 130 g Certifications CE cUL Ä further certifications at www abb com plc AC500 S Safety Modules AI581 S analog safety input module Technical data 30 03 2017 AC500 S 154 ...

Page 155: ...r of channels per module 4 Configurability 1 channel mode 0 20 mA Configurability 1 channel mode 4 20 mA Configurability 2 channel mode 4 20 mA Channel input resistance in active mode 125 Ω Channel input resistance in inactive mode 15 kΩ Distribution of channels into groups 2 groups of 2 channels each AC500 S Safety Modules AI581 S analog safety input module Technical data 30 03 2017 AC500 S 155 ...

Page 156: ...manent allowed overload no damage self pro tected voltage 32 V DC Maximum permanent allowed overload no damage self pro tected current 24 mA Non linearity of full scale 0 05 Sample repetition time 3 3 ms Input filter characteristics first order filter time constant 1 ms Transition frequency 160 Hz Overvoltage protection Yes Electrical isolation Against internal supply and other modules Input signa...

Page 157: ...ge no deviation Analog input protection Data Value Type of analog input protection supressor diode Cable length Data Value Unit Max cable length shielded 100 m 3 5 10 Ordering data Type Description Order code AI581 S AI581 S S500 Safety Analog Input Module 4SAI 1SAP 282 000 R0001 AI581 S XC AI581 S XC S500 Safety Analog Input Module 4SAI Extreme Condi tions 1SAP 482 000 R0001 AC500 S Safety Module...

Page 158: ...m each other 5 Holes for wall mounting 6 40 spring terminals signals and process voltage 3 6 1 Functionality The I O Terminal Units TU582 S with spring type terminals is specifically designed for use with AC500 S Safety I O modules AI581 S DI581 S and DX581 S The safety input output modules I O expansion modules plug into the I O Terminal Unit When properly seated they are secured with two mechani...

Page 159: ... ical coding on I O Terminal Units prevents a potential mistake of placing the Non safety I O module on Safety I O Terminal Unit and the other way around Installation and maintenance have to be performed according to the technical rules codes and relevant standards e g EN 60204 part 1 by skilled electricians only Assembly of TU582 S on DIN rail 1 0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 2 0 2 1 2 2 2...

Page 160: ...al Unit like DIN rails 1 0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 2 0 2 1 2 2 2 3 2 4 2 5 2 6 2 7 2 8 2 9 3 0 3 1 3 2 3 3 3 4 3 5 3 6 3 7 3 8 3 9 4 0 4 1 4 2 4 3 4 4 4 5 4 6 4 7 4 8 4 9 2 Fasten Terminal Unit with 2 M4 screws max 1 2 Nm AC500 S Safety Modules TU582 S Safety I O Terminal Unit Mounting dimensions and electrical connection 30 03 2017 AC500 S 160 ...

Page 161: ... 8 4 9 1 0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 2 0 2 1 2 2 2 3 2 4 2 5 2 6 2 7 2 8 2 9 3 0 3 1 3 2 3 3 3 4 3 5 3 6 3 7 3 8 3 9 4 0 4 1 4 2 4 3 4 4 4 5 4 6 4 7 4 8 4 9 1 Shove the Terminal Units from each other 2 Pull down the Terminal Unit and remove it AC500 S Safety Modules TU582 S Safety I O Terminal Unit Mounting dimensions and electrical connection 30 03 2017 AC500 S 161 ...

Page 162: ... 1 1 1 5 1 4T2 1 6T3 ADDR x01H 4 C 3 B 2 A 1 9 0 8 F 7 E 6 D 5 ADDR x10H 4 C 3 B 2 A 1 9 0 8 F 7 E 6 D 5 2 27 57 7 59 2 32 70 5 2 78 135 5 31 135 mm 5 31 67 5 2 66 28 21 0 83 54 2 13 75 2 95 59 2 32 70 5 2 78 135 5 31 76 2 99 77 3 03 84 5 3 33 DIN rail 15 mm DIN rail 7 5 mm 135 mm 5 31 1 10 Fig 61 Dimensions of TU582 S Safety I O Terminal Unit 1 5 1 6 1 7 1 8 1 9 8 9 mm min max 0 08 2 5 mm2 AWG 22...

Page 163: ... into groups 4 groups of 8 channels each 1 0 1 7 2 0 2 7 3 0 3 7 4 0 4 7 the allocation of the channels is given by the inserted I O expansion module Mounting position Horizontal or vertical Earthing Direct connection to the earthed DIN rail or via the screws with wall mounting AC500 S Safety Modules TU582 S Safety I O Terminal Unit Technical data 30 03 2017 AC500 S 163 ...

Page 164: ...tripped conductor end 7 mm Data Value Unit Degree of protection IP 20 MTBF 2757 years Weight 200 g 3 6 4 Ordering data Type Description Order code TU582 S TU582 S S500 Safety I O Terminal Unit 24V DC 1SAP 281 200 R0001 TU582 S XC TU582 S XC S500 Safety I O Ter minal Unit 24V DC Extreme Condi tions 1SAP 481 200 R0001 AC500 S Safety Modules TU582 S Safety I O Terminal Unit Ordering data 30 03 2017 A...

Page 165: ...ect name file name change date title author version description and CRC Using CoDeSys Safety menu item Online Check boot project in PLC one can check that offline CoDeSys safety project and the boot project on the Safety CPU are identical Forcing of variables is supported by SM560 S Safety CPU but only in DEBUG mode Non safety which means that user takes over a complete responsibility for potentia...

Page 166: ... deleted after SM560 S powering off on is executed When transferring a safety application program to SD card you must adhere to the following procedure 1 Transfer the safety program to the SD card 2 Perform a program identification check if SD card and offline e g on PC safety program CRCs match 3 Attach an appropriate label to the SD card The procedure outlined must be ensured through organizatio...

Page 167: ...the black channel 3 in the safe communication part All other non safety modules are separately covered in PS501 Control Builder Plus V2 2 1 or newer ABB Automation Builder 1 0 or newer and AC500 User Documentation Fig 63 provides an overview of steps which have to be carried out to successfully configure and program AC500 S Safety PLC Configuration and programming Workflow 30 03 2017 AC500 S 167 ...

Page 168: ... Instantiate safety modules and non safety modules which are a part of the black channel for safe communication and do a proper configuration of those Define variable names for input output and PROFIsafe signals and pay attention to CoDeSys Safety Programming Guidelines to define proper variable names 6 Write your Safety application program and pay attention to system start up procedure 7 Check yo...

Page 169: ...0 PS501 S License Enabling Package as follows 1 Order PS501 S license with order number 1SAP198000R0001 2 Activate license on your PC following license activation instructions For ABB Automation Builder 2 0 2 or newer 1 Order DM220 FSE or DM221 FSE NW add on with order numbers 1SAS010020R0102 and 1SAS010021R0102 respectively 2 Activate license on your PC following license activation instructions C...

Page 170: ...Builder Plus ABB Automation Builder to create a new project ð New project window opens Fig 65 New project window 2 Select for example AC500 PM583 ETH in the menu to instantiate a Non safety CPU make sure that you select the right ones supporting SM560 S Safety CPU e g PM573 ETH PM583 ETH PM592 ETH and others Configuration and programming System configuration and programming Creation of new project...

Page 171: ...munication channels NOTICE Pay attention to PM5xx Non safety CPU settings Behaviour of Outputs in Stop Stop on Error Class and Warmstart Ä Chapter 3 1 6 SM560 S and PM5xx interaction on page 51 3 To create new users and maintain existing ones go to Project Settings Configuration and programming System configuration and programming Creation of new project and user management 30 03 2017 AC500 S 171 ...

Page 172: ...strator The project admin istrator is responsible to create a new password for user Owner and in addition create dedi cated safety and non safety users based on your project organization demands Fig 67 Selection of project settings Configuration and programming System configuration and programming Creation of new project and user management 30 03 2017 AC500 S 172 ...

Page 173: ...ety application project to avoid unauthorized access to Safety modules Passwords for users with Safety group membership shall be properly selected at least 8 symbols are recommended with a combination of numbers and letters An access to passwords must be strictly controlled Make sure that you set Deny permission for proper users and groups e g Everyone through menu Project è User Management è Perm...

Page 174: ...issions for user and user groups 4 3 4 Working with PROFINET PROFIsafe F Devices Configuration and programming System configuration and programming Working with PROFINET PROFIsafe F Devices 30 03 2017 AC500 S 174 ...

Page 175: ...vices portions of the specifica tion are protected by a CRC 3 GSDML files are supplied by the device manufacturers NOTICE Only GSDML files with version 2 1 are fully supported by PS501 Control Builder Plus ABB Automa tion Builder GSDML files with version 2 2 and higher are only partially supported 1 To install GSDML file go to Device Repository menu Fig 70 Device repository 2 Then press Install bu...

Page 176: ...Fig 71 Install GSDML file Configuration and programming System configuration and programming Working with PROFINET PROFIsafe F Devices 30 03 2017 AC500 S 176 ...

Page 177: ... 5 Instantiation and configuration of safety modules Definition of variable names Configuration and programming System configuration and programming Instantiation and configuration of safety modules Definition of variable names 30 03 2017 AC500 S 177 ...

Page 178: ...nes to define proper variable names 1 Select one of four slots available for communication modules and Safety CPU and instantiate a Safety CPU on it using Plug Device menu Note that the slot number shall be the same as the physical slot number on which Safety CPU is attached Fig 73 Select Plug Device Configuration and programming System configuration and programming Instantiation and configuration...

Page 179: ...n SM560 S Safety CPU and set Min update time and Enable debug parameters as needed Configuration and programming System configuration and programming Instantiation and configuration of safety modules Definition of variable names 30 03 2017 AC500 S 179 ...

Page 180: ... all PLC Browser commands resetprg Reset PLC program resetprgorg Reset PLC program original setpwd set login password delpwd delete login password delappl delete user program deluserdat delete user data segments Note that Min update time influences the black channel performance for SM560 S The smaller the value is the higher Safety Function Response Time Ä Chapter 5 1 Overview on page 395 can be r...

Page 181: ...d default value for Cyclic non safe data exchange is unselected However if you still need it please refer to ABB technical support and request document 3ADR025195M which describes in details how to use cyclic non safe data exchange functionality 3 To have remote stations in the system we can instantiate PROFINET IO controller communication module CM579 PNIO in Slot 2 Note that PROFINET is the only...

Page 182: ...PROFINET modules previously imported in the Device Repository using GSDML files Details on how to set proper PROFINET device names and IP addresses can be found in AC500 User Documentation Fig 77 Select module and open Add Device menu Configuration and programming System configuration and programming Instantiation and configuration of safety modules Definition of variable names 30 03 2017 AC500 S ...

Page 183: ...ocated centrally on the Non Safety CPU Fig 78 Open Add Device menu 6 Similarly up to 10 I O modules Safety and Non safety can be instantiated on any ABB PROFINET IO device Configuration and programming System configuration and programming Instantiation and configuration of safety modules Definition of variable names 30 03 2017 AC500 S 183 ...

Page 184: ...supported modules on 3rd party PROFINET IO devices Fig 79 Using Add Device Configuration and programming System configuration and programming Instantiation and configuration of safety modules Definition of variable names 30 03 2017 AC500 S 184 ...

Page 185: ...valid safety configuration can be generated Decimal or hexadecimal number with a prefix 16 or 0x can be used to set F_Dest_Add F_iPar_CRC is a special parameter which is used for a safe transfer of iParameters to F Devices F_iPar_CRC is calculated outside F Parameter editor and thus has to be manually copied from Checksum iParameter field and pasted to F_iPar_CRC field after pressing Calculate but...

Page 186: ...required 3 octet CRC 0 2 octet CRC 1 Not supported by SM560 S 4 octet CRC 2 3 octet CRC 0 AC500 S Safety I O modules can work only with 3 octet CRC F_Block_ID Type identification of parameters No F_iPar_CRC within F Parameter block 0 F_iPar_CRC within F Parameter block 1 F_iPar_CRC within F Parameter block 1 AC500 S Safety I O modules can work only with this default value F_Par_Version Version num...

Page 187: ... F Parameter tab re calculate iParameter CRC and paste it to F_iPar_CRC F Parameter row Otherwise the new parameter set will not be accepted by the F Device because F_iPar_CRC will not be a valid one for a given iParameter set As for 3rd party F Devices coming from GSDML files one has no Checksum iParameter feature because PS501 Control Builder Plus ABB Automation Builder does not know a specific ...

Page 188: ...81 S Safety module all input channels are paired as Channel X with Channel X 8 Configuration and programming System configuration and programming Instantiation and configuration of safety modules Definition of variable names 30 03 2017 AC500 S 188 ...

Page 189: ...or PL level The parameter Detection was created for customers who want to use safety outputs of DX581 S for SIL1 or maximum SIL2 under special conditions or PL c or maximum PL d under special conditions safety functions and have less internal DX581 S pulses visible on the safety output line Such internal pulses could be detected as LOW signal by for example drive inputs which would lead to uninten...

Page 190: ... of Safety I O parameters using generic device configuration view is not recommended due to potential user mistakes during the parameter setting using integer numbers Furthermore each F Device has a special Safety I O Mapping and I O Mapping tab in which variable names for input and output signals PROFIsafe diagnostic bits etc can be defined Configuration and programming System configuration and p...

Page 191: ...trol Higher overall system availability can be expected for end customers because they can selectively decide which channels have to be acknowledged and which not n one bit Ack_Rei for channel reintegration if the error was fixed e g external sensor wiring was cor rected One can also define one variable as a BYTE for all Ack_Rei bits and use 0xFF value to acknowl edge all errors at once NOTICE Whe...

Page 192: ...n errors make sure that you download first a valid CoDeSys Non safety PLC project to PM5xx CPU and after this CoDeSys Safety PLC project is downloaded to SM560 S Safety CPU 1 Start programming CoDeSys Non Safety by double click on AC500 object Configuration and programming System configuration and programming Programming of AC500 S Safety CPU 30 03 2017 AC500 S 192 ...

Page 193: ...on Safety is started you may be asked to update your CoDeSys V2 3 configuration It is needed to transfer the updated configuration data e g variable names etc to CoDeSys V2 3 Configuration and programming System configuration and programming Programming of AC500 S Safety CPU 30 03 2017 AC500 S 193 ...

Page 194: ...CoDeSys Safety is started the following properties can be be observed Yellow background SAFETY MODE is visible in the title bar Configuration and programming System configuration and programming Programming of AC500 S Safety CPU 30 03 2017 AC500 S 194 ...

Page 195: ...ully you will have to manually delete the selected safety library save the CoDeSys Safety project open it again and add a new safety library with a new CRC In the latter case the new safety library with a new CRC will be accepted and no compilation error will be observed 3 If your configuration of F Devices is final you have to check that F Parameter values from F Parameter tab are the same as tho...

Page 196: ...Fig 87 F Parameter values in CoDeSys Safety V2 3 Configuration and programming System configuration and programming Programming of AC500 S Safety CPU 30 03 2017 AC500 S 196 ...

Page 197: ...e lists Fig 88 Global variable list in CoDeSys Safety V2 3 ð DANGER It is not allowed to change read only see R sign resources or Task configuration in CoD eSys Safety V2 3 Configuration and programming System configuration and programming Programming of AC500 S Safety CPU 30 03 2017 AC500 S 197 ...

Page 198: ...c The difference comparing to CoDeSys Safety project is that end user is not able to modify the values of those safety variables from CoDeSys Non safety project It is prohibited by proper design Fig 89 All available Safety libraries can be found in the Library Manager Configuration and programming System configuration and programming Programming of AC500 S Safety CPU 30 03 2017 AC500 S 198 ...

Page 199: ... created by him and referenced in the project for use in safety applications You have to formally confirm in the Checklist for creation of safety application program that no Non safety libraries are used in your safety application NOTICE SM560 S is a single task machine thus no task configuration is needed Configuration and programming System configuration and programming Programming of AC500 S Sa...

Page 200: ...r Automation Builder 1 0 or newer Fig 90 Set passwords 6 All User Management features of CoDeSys Safety V2 3 are available for project administrator Ä AC500 User Documentation for further details The following PLC Browser commands these commands can be called from CoDeSys Safety V2 3 are supported by SM560 S Safety CPU List of available browser commands Configuration and programming System configu...

Page 201: ... is active only if SM560 S Enable debug parameter was set to ON deluserdat It deletes user data in the Flash memory This command is executed only in DEBUG STOP state of SM560 S Safety CPU It is executed immediately and is active only if SM560 S Enable debug parameter was set to ON applinfo It shows the application information e g results of time profiling using functions SF_APPL_MEASURE_BEGIN and ...

Page 202: ...ine password power dip value and user data of the Safety CPU are also saved on the SD card After successful sdclone command execution the sdcard ini file on SD card is automatically updated so that when SD card is inserted to the other AC500 PLC with Safety CPU the content of SD card is copied to that system to create a so called clone of the previous system sdcou pler x The communication module f...

Page 203: ...x S_Module_ Global variable lists starting with S_Module_ will be automatically updated by the CoDeSys Safety and may lead to the loss of the user information For SM560 S Safety PLC it is important that all F Devices are successfully initialized before pro gram logic execution starts It is also possible that some F Devices start in FV_activated mode Ä Chapter 4 6 3 SafetyBase_PROFIsafe_AC500_V22_E...

Page 204: ...an acknowledgement DI581_S OA_C DI581_S OA_Req_S Acknowledge it if requested We check here that DI581_S OA_C did not passivate the given F Device and no Operator Acknowledge Request is available from this module GS_DI581_Started is the variable for all channel PROFIsafe diagnostic bits set in Control Builder Plus Automation Builder Plus for DI581 S module ELSIF GS_DI581_Started wdNull THEN Is this...

Page 205: ... to 1 until OA_Req_S status bit becomes 0 7 To download the safety project to SM560 S Safety CPU you have to set correct communication parameters Fig 92 Set communication parameters Configuration and programming System configuration and programming Programming of AC500 S Safety CPU 30 03 2017 AC500 S 205 ...

Page 206: ...munication channels were selected Fig 93 Example with Ethernet connection Note that Address is the IP address of your Non safety CPU you can also use COM port for pro gram download using serial connection Coupler Level 1 defines the position of SM560 S Safety CPU Line 1 Position 1 Line 2 Postion 2 and so on Configuration and programming System configuration and programming Programming of AC500 S S...

Page 207: ...ecution after powering off on NOTICE The Online Change service of CoDeSys is not supported by SM560 S Safety CPU for safety reasons It means that each program change of CoDeSys Safety project requires stopping SM560 S downloading a new boot project and then powering off on or rebooting through PM5xx to see the safety program change s become active Configuration and programming System configuration...

Page 208: ...me The limitation on the number of open connections is valid only for SM560 S Safety CPU which means that it is still possible to simultaneously connect to PM5xx Non safety CPU using web and OPC server functionality Fig 95 Create boot project for SM560 S Safety CPU Configuration and programming System configuration and programming Programming of AC500 S Safety CPU 30 03 2017 AC500 S 208 ...

Page 209: ...all not only download your safety application program to Safety CPU but also in a similar way Ä AC500 User Documentation for details download Non safety program from CoD eSys Non Safety to Non Safety CPU and create a boot project for PM5xx Non Safety CPU If you do not follow the recommendation above you may face configuration error or passiva tion of some F Devices DANGER Do not use Write file to ...

Page 210: ...pplications with CoDeSys V2 3 It also serves as a basis for testers who approve safety oriented applications 4 4 1 2 Requirements To understand this document knowledge of IEC 61131 3 5 particularly the CoDeSys V2 3 programming system is required Experience with the creation of safety oriented applications is helpful 4 4 1 3 Terms Output Variable that is mapped to an IEC output address Q Output par...

Page 211: ...t n Reboot the controller causes loading and starting of the application All online commands like the following disable the safe operation n Download n Online change n Set breakpoint n Write values n Force values n Trace n Single cycle n Start Stop n Flow control The variable monitoring in online mode does not disable the safe operation 4 4 2 4 Application creation procedure Application creation m...

Page 212: ...a controls Ä Chapter 4 4 2 3 Control specific application notes on page 211 Write values would cause the run time system to switch into non safe mode without necessarily telling the user 4 4 3 2 Language Of the five IEC 61131 3 languages implemented in CoDeSys V2 3 Structured Text ST Function Block Diagram FBD and Ladder Logic LD are approved for creating safety oriented applications 4 4 3 3 Task ...

Page 213: ...address allocation Yes see next chapter CONSTANT Declaration as constant no write access possible Yes We recommend to declare each constant explicitly RETAIN Variable value is preserved after switch off No not supported PERSISTENT Variable value is preserved after reloading No not supported In the interest of better readability the following rules should be followed for the declaration of variable...

Page 214: ... The application of marker addresses M should be limited to a minimum due to the error proneness of the allocation and the lack of purpose memory for variables is allocated automatically n Multiple address allocation should be avoided due to obscure side effects For word and bit wise access a variable is defined for the word and accessed via bit access variable bit number n No address declarations...

Page 215: ...rone to errors STRUCT Yes Listing types Yes Subrange types Yes POINTER To a limited extent Recommended measures no pointer arithmetic range check new allocation of pointer value at the start of each cycle The following rules must be followed when complex data types are used n For complex data types we recommend using type declarations n Before each access to an array an explicit range check of the...

Page 216: ...tes This can be achieved through write access to global data and by calling system components n Explicit parameter transfer is preferable for calling programs and function blocks Bad Inst Param1 7 Inst Param2 3 Inst X Inst Out1 AND A OR B Good Inst Param1 7 Param2 3 Out Result X Result AND A OR B n All input parameters should be assigned for a call Configuration and programming CoDeSys Safety prog...

Page 217: ...wed for programming of expressions in safety oriented applications n Mixing of different data types in an expression should be avoided If mixing is unavoidable explicit type conversion should be used instead n The complexity of expressions should be minimised through the following measures Limitation of nesting depth e g no more than 3 nesting levels per expression No more than 10 operators and 10...

Page 218: ...ot be used Explicit conversion should be used instead 4 4 3 9 4 Parentheses Through definition of priorities for operators each expression is uniquely defined even without parentheses However in order to avoid mistakes and improve readability the use of parenthesis is highly recommended except in very familiar cases multiplication division before addition subtraction Bad X A B AND NOT A C D OR E G...

Page 219: ...or assignation and mixed types i e only explicit conversions should be used Bad VAR A BYTE B INT C DWORD END_VAR C A B Good VAR A BYTE B INT C DWORD END_VAR C INT_TO_DWORD B BYTE_TO_INT A An even better solution in such cases is to reflect on type allocation Configuration and programming CoDeSys Safety programming guidelines Language specific programming guidelines 30 03 2017 AC500 S 219 ...

Page 220: ...rameter for runtime system functions The function used should be treated like an independent task SIZEOF Yes ROL ROR SHR SHL Yes 4 4 3 11 Language constructs The following ST language control elements are suitable for creating safety oriented applications Keyword Suitable Yes To a limited extent No comment IF Yes CASE Yes FOR Yes WHILE To a limited extent Proof of avoidance of an infinite loop is ...

Page 221: ...scribed at one point in the program n No access to global variables from functions and function blocks A function should have no side effects a function block should only change the state of its own instance Functions and function blocks should therefore not access global variables 4 4 5 Safety oriented and non safety oriented parts of the application For very complex applications it is advisable ...

Page 222: ...er addresses in the memory n The following measures should also be adhered to in the non safety oriented part Limited application of pointers Range check of indices before write access to fields ARRAY No multiple address allocation Configuration and programming CoDeSys Safety programming guidelines Safety oriented and non safety oriented parts of the application 30 03 2017 AC500 S 222 ...

Page 223: ...l have to be checked manually can be found in Ä Table 13 CoDeSys safety programming rules which have to be checked manually ABB SCA tool is not able to detect them in the safety application program on page 224 Fig 96 TÜV letter of confirmation The detailed description on how to use ABB SCA tool can be found in its Help system Contact ABB tech nical support to obtain ABB SCA tool Configuration and ...

Page 224: ...r errors nor warnings when compiling the application For each POU verify that variables are not re used later on with a different meaning Verify that the names of safety POUs start with S_ Verify that the names of non safety POUs do not start with S_ These rules have to be checked only if you plan to implement not only safety but also non safety functions on SM560 S Safety CPU In typical applicati...

Page 225: ...ser data storage in the Flash memory etc Safety Blocks_PLCopen_AC500_v22 lib Version 1 0 0 b6e0bc60 PLCopen Safety Libraries SafetyUtil_CoD eSys_AC500_V22 lib Version 1 0 0 6b29c54 Internal SM560 S safety utilities Internal use only Safety_SysLibTime lib Version 2 4 0 6 672b8325 Time system library Internal use only SysLibCallback lib Version 2 4 0 6 6b29c54 or 62ad210d Internal CoDeSys library no...

Page 226: ...Q1 NOT RESET1 AND SET OR Q1 SEMA Software semaphore Interruptable BUSY is TRUE if there was a call with CLAIM TRUE but no call with RELEASE TRUE CLAIM TRUE sets BUSY TRUE RELEASE TRUE sets BUSY FALSE SR Bistable function set dominant Q1 SET1 OR NOT RESET AND Q1 CTD Counter Down CV is decremented by 1 if CD has a rising edge Q is TRUE if CV reached 0 Configuration and programming AC500 S Libraries ...

Page 227: ... rising edge CV is decremented by 1 if CD has a rising edge QU is TRUE if counter is PV QD is TRUE if counter is 0 CONCAT Concatenation of two strings DELETE Delete LEN characters of STR beginning at the POS th character position POS 1 is the first character Configuration and programming AC500 S Libraries Safety_Standard lib 30 03 2017 AC500 S 227 ...

Page 228: ...ERT Insert STR2 into STR1 after the POS th character position POS 0 inserts before the first character POS 1 inserts after the first character LEFT Return leftmost SIZE characters of STR LEN String length function Returns the number of characters in STR MID Configuration and programming AC500 S Libraries Safety_Standard lib 30 03 2017 AC500 S 228 ...

Page 229: ...on and returns the new string POS 1 is the first character RIGHT Returns rightmost SIZE characters of STR RTC Sets CDT to PDT when rising edge in EN and starts increasing CDT With EN FALSE CDT set to DT 1970 01 01 00 00 00 TOF Timer of delay Q is FALSE PT milliseconds after IN had a falling edge Configuration and programming AC500 S Libraries Safety_Standard lib 30 03 2017 AC500 S 229 ...

Page 230: ...had a rising edge TP Timer Pulse Q produces a High Signal with the length of PT on every rising edge on IN F_TRIG Falling Edge detection R_TRIG Rising Edge detection Configuration and programming AC500 S Libraries Safety_Standard lib 30 03 2017 AC500 S 230 ...

Page 231: ...safe telegram is implemented which means that no further considerations against systematic loop back configuration errors shall be per formed by end users Ä www profisafe net for further details DANGER Not more than one communication error CE_CRC or Host_CE_CRC output signals become equal to TRUE per 100 hours is allowed to be acknowledged by the operator using OA_C input signal without consulting...

Page 232: ...vice based Toggle Bit indicating a trigger to increment the virtual consecutive number within the F Host 3 FV_activated_S BOOL FALSE With input devices this variable indicates if TRUE that the driver is delivering fail safe values 0 to the F Host program for every input value With output devices this variable indicates if TRUE that every output is set to fail safe values 0 default behavior or F Ou...

Page 233: ...parameter is for debugging purposes only This parameter is set to TRUE if communication fault CRC error on F Host side occured HostTimeout BOOL FALSE This parameter is for debugging purposes only This parameter is set to TRUE if communication fault Timeout on F Host side occured tResponseTi meMS TIME 16 0000 This parameter is for debugging purposes only It represents the current response time for ...

Page 234: ..._Ext lib library also includes a number of internal POUs GetWord MappingIn MappingOut and SMemCpy related to Safety I O handling These POUs are for internal use only Configuration and programming AC500 S Libraries SafetyBase_PROFIsafe_AC500_V22_Ext lib 30 03 2017 AC500 S 234 ...

Page 235: ...on SM560 S Safety CPU SF_RTS_INFO It provides the firmware version of the Safety CPU The version is a binary coded decimal e g 16 10 means version 1 0 n Data storage SF_FLASH_DEL This function block deletes a data segment in the Flash memory All data in this data segment will be deleted SF_FLASH_READ The function block reads a data set from a data segment of the Flash memory and stores the read da...

Page 236: ...T call Table 15 FUN Name SF_E_ERR_LED_SET Name Data Type Initial Value Description Parameter Values VAR_INPUT SET BOOL FALSE FALSE E ERR LED is OFF TRUE E ERR LED is ON VAR_OUTPUT SF_E_ERR_LED_ SET BOOL FALSE FALSE E ERR LED is OFF TRUE E ERR LED is ON Call in ST SF_E_ERR_LED_SET_Value SF_E_ERR_LED_SET SF_E_ERR_LED_SET_Set Configuration and programming AC500 S Libraries SafetyExt_AC500_V22 lib 30 ...

Page 237: ...will be started from 0 now Thus it makes sense to use SF_MAX_POWER_DIP_SET FB in safety program only once as a one time parameterisation of power dip functionality After calling SF_MAX_POWER_DIP_SET FB in your safety application program either uncomment SF_MAX_POWER_DIP_SET in your safety application program recompile your project and create a new boot project or make sure that SF_MAX_POWER_DIP_SE...

Page 238: ... If TRUE then error occurred during the set process saving of MAX_POWER_DIP_CNT value to the Flash memory Call in ST SF_MAX_POWER_DIP_SET EN SF_MAX_POWER_DIP_SET_EN MAX_POWER_DIP_CNT SF_MAX_POWER_DIP_SET_MAX_POWER_DIP_CNT DONE SF_MAX_POWER_DIP_SET_DONE ERR SF_MAX_POWER_DIP_SET_ERR Configuration and programming AC500 S Libraries SafetyExt_AC500_V22 lib 30 03 2017 AC500 S 238 ...

Page 239: ..._Time of the safety I O module Only one function block instance must be used in the safety program otherwise a warning is issued NOTICE The cycle time supervision takes place only in RUN Safety mode Table 17 FB Name SF_WDOG_TIME_SET Name Data Type Initial Value Description Parameter Values VAR_INPUT EN BOOL FALSE The function block is activated EN TRUE or deactivated EN FALSE via input EN If the b...

Page 240: ...SET_EN WDOG SF_WDOG_TIME_SET_WDOG RESET SF_WDOG_TIME_SET_RESET DONE SF_WDOG_TIME_SET_DONE ACT_TIME SF_WDOG_TIME_SET MAX_TIME SF_WDOG_TIME_SET_MAX_TIME Configuration and programming AC500 S Libraries SafetyExt_AC500_V22 lib 30 03 2017 AC500 S 240 ...

Page 241: ...suring short time intervals only which means that for time intervals of 10 minutes and longer it produces invalid results Table 18 FUN Name SF_APPL_MEASURE_BEGIN Name Data Type Initial Value Description Parameter Values VAR_INPUT TIMER BYTE 16 00 Timer identification The allowed range is from 0 to 31 RESET BOOL FALSE If TRUE then MAX and MIN results of time profiling will be deleted Otherwise the ...

Page 242: ..._MEASURE_END function was developed for measuring short time intervals only which means that for time intervals of 10 minutes and longer it produces invalid results Table 19 FUN Name SF_APPL_MEASURE_END Name Data Type Initial Value Description Parameter Values VAR_INPUT TIMER BYTE 16 00 Timer identification The allowed range is from 0 to 31 VAR_OUTPUT SF_APPL_MEAS URE_END BOOL FALSE Return value i...

Page 243: ...ame SF_MAX_POWER_DIP_GET Name Data Type Initial Value Description Parameter Values VAR_OUTPUT SF_MAX_POWER _DIP_GET WORD 16 0000 Actual value of power dip error counter Call in ST SF_MAX_POWER_DIP_GET_Value SF_MAX_POWER_DIP_GET Configuration and programming AC500 S Libraries SafetyExt_AC500_V22 lib 30 03 2017 AC500 S 243 ...

Page 244: ...Name Data Type Initial Value Description Parameter Values VAR_OUTPUT SF_SAFETY_MO DE BOOL FALSE SM560 S Safety CPU mode n FALSE DEBUG RUN non safety or DEBUG STOP non safety mode is active n TRUE RUN safety mode is active Call in ST SF_SAFETY_MODE_Value SF_SAFETY_MODE Configuration and programming AC500 S Libraries SafetyExt_AC500_V22 lib 30 03 2017 AC500 S 244 ...

Page 245: ...the hardware switch address value is a non safety value and needs additional measures to satisfy functional safety requirements Table 22 FUN Name SF_SM5XX_OWN_ADR Name Data Type Initial Value Description Parameter Values VAR_OUTPUT SF_SM5XX_OWN _ADR BYTE 16 00 Value of the hardware switch address on SM560 S Safety CPU set during its start up Call in ST SF_SM5XX_OWN_ADR_Value SF_SM5XX_OWN_ADR Confi...

Page 246: ...INFO Name Data Type Initial Value Description Parameter Values VAR_OUTPUT SF_RTS_INFO WORD 16 0000 Firmware version of the Safety CPU The upper BYTE of the entry represents the main version the lower BYTE represents the subver sion of the runtime system Example RTS_VERSION 16 0110 V01 1 0 Call in ST SF_RTS_INFO_Value SF_RTS_INFO Configuration and programming AC500 S Libraries SafetyExt_AC500_V22 l...

Page 247: ...Table 24 FB Name SF_FLASH_DEL Name Data Type Initial Value Description Parameter Values VAR_INPUT EN BOOL FALSE Activation of the FB using a positive edge Deletion of the data segment is started once Input EN will not be evaluated again until the delete operation is finished DONE TRUE EN TRUE The function block is not processed i e it does not change its outputs anymore This is not valid during a ...

Page 248: ...r see 4 for more details Output ERNO indicates an error number This output always has to be considered together with the outputs DONE and ERR The SF_FLASH_DEL operation may take quite a long time since the PLC user program is pro cessed with priority Output ERNO then indicates that the function block has started the execution 0x0FFF BUSY During this phase the outputs ERR and DONE are set to FALSE ...

Page 249: ... byte for alignment see figure at the end of this block description Reading a data set is triggered once by a FALSE TRUE edge at input EN If no error occurred while reading the data output DONE is set to TRUE and the outputs ERR and ERNO are set to FALSE The data set is stored beginning at the defined start flag SM Storing the data set can take several PLC cycles If an error occurs during reading ...

Page 250: ...gment 16 01 or 16 02 BNR WORD 16 0000 Starting block number in the Flash memory data segment decimal 0 1723 SM DWORD 16 00000000 Destination address for the read data set address of the first variable where the data are placed VAR_OUTPUT DONE BOOL FALSE Reading procedure is completed DONE TRUE This output always has to be considered together with output ERR The following applies n DONE TRUE and ER...

Page 251: ...ite a long time since the PLC user program is pro cessed with priority Output ERNO then indicates that the function block has started the execution 0x0FFF BUSY During this phase the outputs ERR and DONE are set to FALSE The structure of one of the Flash memory segments with user data is presented below Byte 1 2 3 4 5 6 29 30 31 32 33 36 37 38 Byte offset Block no Word 1 Word 2 Word 3 Word 15 Word ...

Page 252: ...ERR ERR_FLASH_READ ERNO ERNO_FLASH_READ Configuration and programming AC500 S Libraries SafetyExt_AC500_V22 lib 30 03 2017 AC500 S 252 ...

Page 253: ...8 bytes n 32 bytes of data n 4 bytes for CRC checksum n 1 byte as written identifier n 1 byte for alignment See figure at the end of the SF_FLASH_READ function block description Once the write operation for a data set has been started by a FALSE TRUE edge at input EN the data contained in the data set must not be changed anymore until the write operation completes DONE TRUE Storing the data set in...

Page 254: ...ed at MW0 0 to MW0 15 1 block 16 word data SM ADR MW0 0 and NB 2 Data are stored at MW0 0 to MW0 31 2 blocks 32 word data SEG BYTE 16 00 ID number of the data segment 16 01 or 16 02 BNR WORD 16 0000 Starting block number in the Flash memory data segment decimal 0 1723 SM DWORD 16 00000000 Source start address address of the first variable from where the data will be written to the Flash memory At ...

Page 255: ...ollowing applies if an error occurred DONE TRUE and ERR TRUE Output ERNO indicates the error number ERNO WORD 16 0000 Error number Ä 4 for more details Output ERNO indicates an error number This output always has to be considered together with the outputs DONE and ERR The SF_FLASH_WRITE operation may take quite a long time since the Safety PLC user program is processed with priority Output ERNO th...

Page 256: ...is set to FALSE Output DATA_LEN displays the length of the received data in bytes DONE TRUE and ERR FALSE indicate successful reception If an error was detected during function block processing the error is indicated at the outputs ERR and ERNO NOTICE Reception using the SF_DPRAM_SM5XX_S_REC function block is not edge triggered Therefore input EN has to be continuously set to TRUE during data rece...

Page 257: ...dicates the error number ERNO WORD 16 0000 Output ERNO provides an error identifier if an invalid value has been applied to an input or if an error occurred during job processing ERNO always has to be considered together with the outputs DONE and ERR The output value at ERNO is only valid if DONE TRUE and ERR TRUE The error messages encoding at output ERNO is explained at the beginning of the func...

Page 258: ...e microprocessor no 1oo2 safety architecture in the background on SM560 S Safety CPU handles FB SF_DPRAM_PM5XX_S_SEND Contact ABB technical support on how to reach SIL 3 and PL e with FB SF_DPRAM_PM5XX_S_SEND or use PROFIsafe Safety Output e g from DX581 S to trigger safety functions NOTICE Sending data using the SF_DPRAM_PM5XX_S_SEND function block is edge triggered i e each sending process is in...

Page 259: ...t ERNO indi cates the error number ERNO WORD 16 0000 Output ERNO provides an error identifier if an invalid value has been applied to an input or if an error occurred during job processing ERNO always has to be considered together with the outputs DONE and ERR The output value at ERNO is only valid if DONE TRUE and ERR TRUE The error messages encoding at output ERNO is explained at the beginning o...

Page 260: ...on safety CPU to Safety CPU In the latter case end users have to define additional process specific vali dation procedures in the safety program to check the correctness of the transferred non safety data if they would like to use those non safety values for safety functions Configuration and programming AC500 S Libraries DPRAM_SM5XX_SEND and DPRAM_SM5XX_REC in SysInt_AC500_V10 lib 30 03 2017 AC50...

Page 261: ...lues VAR_INPUT EN BOOL FALSE Enabling of function block processing Processing of this function block is controlled by input EN The function block is active if EN TRUE The sending of data is indicated by output DONE SLOT BYTE 16 00 Slot number module number Input SLOT is used to select the slot module number the data should be sent to The external slots are numbered consecutively from right to left...

Page 262: ...urred during sending DONE TRUE and ERR TRUE Output ERNO indi cates the error number ERNO WORD 16 0000 Error number Output ERNO provides an error identifier if an invalid value has been applied to an input or if an error occurred during job processing ERNO always has to be considered together with the outputs DONE and ERR The output value at ERNO is only valid if DONE TRUE and ERR TRUE The error me...

Page 263: ...eption Table 30 FB Name DPRAM_SM5XX_REC Name Data Type Initial Value Description Parameter Values VAR_INPUT EN BOOL FALSE Enabling of function block processing Processing of this function block is controlled by input EN The function block is active if EN TRUE The reception of data is indicated by output DONE SLOT BYTE 16 00 Slot number module number Input SLOT is used to select the slot module num...

Page 264: ...nd ERR TRUE Output ERNO indicates the error number ERNO WORD 16 0000 Error number Output ERNO provides an error identifier if an invalid value was applied to an input or if an error occurred during job processing ERNO always has to be considered together with the outputs DONE and ERR The output value at ERNO is only valid if DONE TRUE and ERR TRUE The error messages encoding at output ERNO is expl...

Page 265: ...ib A list of supported PLCopen Safety POUs is presented in the following sub chapters The developed PLCopen Safety POUs are based on 9 Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 265 ...

Page 266: ...L Variable or constant FALSE initial value Manual reset when emergency stop button is released TRUE Automatic reset when emergency stop button is released This function shall only be activated if it is ensured that no hazard can occur at the start of the PES Therefore the use of the Automatic Circuit Reset feature of the function blocks requires implementation of other system or application measur...

Page 267: ...ultiple errors the Dia gCode output indicates the first detected error For additional information see next tables in this sub chapter Useful in debug mode as well as for further processing in the functional program A transparent and unique diagnostic concept forms the basis of all function blocks Thus it is ensured that regardless of the supplier s implementation uniform diagnostic information is ...

Page 268: ...r Contact ABB technical support Note This is a manufacturer specific value defined by AC500 S Safety PLC 1000_0000_0000_0000bin 8000hex The FB is activated without an error or any other condition that sets the safety output to FALSE This is the default operational state where the S_Out safety output TRUE in normal operation For a generic example the I O setting could be Activate TRUE S_In TRUE Rea...

Page 269: ...ut FALSE For a generic example the I O setting could be Activate TRUE S_In FALSE TRUE continuing with static TRUE Ready TRUE Error FALSE S_Out FALSE Note If there are more operational states where safety output TRUE the next available DiagCode number will be assigned for subsequent states 4 6 6 2 SF_Equivalent Standards Requirements EN 954 1 1996 6 2 General safety principles Idle current 6 2 Erro...

Page 270: ... 0ms Constant Maximum monitoring time for discrepancy status of both inputs VAR_OUTPUT Ready BOOL FALSE Ä Table 32 General Output Parameters on page 267 S_EquivalentOut BOOL FALSE Safety related output FALSE Minimum of one input signal FALSE or status change outside of monitoring time TRUE Both input signals active and status change within monitoring time Error BOOL FALSE Ä Table 32 General Output...

Page 271: ...Typical Timing Diagrams Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 271 ...

Page 272: ...t to TRUE DiagCode indicates the Error states There is no Reset defined as an input coupled with the reset of an error If an error occurs in the inputs a new set of inputs with correct S_EquivalentOut must be able to reset the error flag Example if a switch is faulty and replaced using the switch again results in a correct output Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen...

Page 273: ...ror DiagCode State Name State Description and Output Setting 0000 Idle The function block is not active initial state Ready FALSE S_EquivalentOut FALSE Error FALSE 8001 Init An activation has been detected by the FB and the FB is now activated Ready TRUE S_EquivalentOut FALSE Error FALSE 8000 Safety Output Enabled The inputs switched to TRUE in equivalent mode Ready TRUE S_EquivalentOut TRUE Error...

Page 274: ...y TRUE S_EquivalentOut FALSE Error FALSE 4 6 6 3 SF_Antivalent Standards Requirements EN 954 1 1996 6 2 General safety principles Idle current 6 2 Error detection for category 3 und 4 This function block converts two antivalent BOOL inputs NO NC pair to one BOOL output with discrepancy time monitoring This FB should not be used stand alone since it has no restart interlock It is required to connec...

Page 275: ... of both inputs VAR_OUTPUT Ready BOOL FALSE Ä Table 32 General Output Parameters on page 267 S_AntivalentOut BOOL FALSE Safety related output FALSE Minimum of one input signal not active or status change outside of monitoring time TRUE Both inputs signals active and status change within monitoring time Error BOOL FALSE Ä Table 32 General Output Parameters on page 267 DiagCode WORD 16 0000 Ä Table ...

Page 276: ...Typical Timing Diagrams Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 276 ...

Page 277: ...de indicates the Error states There is no Reset defined as an input coupled with the reset of an error If an error occurs in the inputs one new set of inputs with the correct value must be able to reset the error flag Example if a switch is faulty and replaced using the switch again results in a correct output Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03...

Page 278: ...tate Name State Description and Output Setting 0000 Idle The function block is not active initial state Ready FALSE S_AntivalentOut FALSE Error FALSE 8001 Init An activation has been detected by the FB and the FB is now activated Ready TRUE S_AntivalentOut FALSE Error FALSE 8000 Safety Output Enabled The inputs switched to the Active state in antivalent mode Ready TRUE S_AntivalentOut TRUE Error F...

Page 279: ...f the selector must correspond to a single operating or control mode EN ISO 12100 2 2003 4 11 10 Selection of Control and Operating Modes shall be fitted with a mode selector which can be locked in each position Each posi tion of the selector shall be clearly identifiable and shall exclusively enable one control or operating mode to be selected IEC 60204 1 Ed 5 0 2003 9 2 3 Operating Modes When a ...

Page 280: ...his function block selects the system operation mode such as manual automatic semi automatic etc Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 280 ...

Page 281: ...ariable or constant Input 3 from mode selector switch FALSE Mode 3 is not requested by operator TRUE Mode 3 is requested by operator S_Mode4 BOOL FALSE Variable or constant Input 4 from mode selector switch FALSE Mode 4 is not requested by operator TRUE Mode 4 is requested by operator S_Mode5 BOOL FALSE Variable or constant Input 5 from mode selector switch FALSE Mode 5 is not requested by operato...

Page 282: ...ent mode FALSE A change in mode must be acknowl edged by the operator via SetMode TRUE A valid change of the S_ModeX input to another S_ModeX automatically leads to a change in S_ModeXSel without operator acknowl edgment via SetMode as long as this is not locked by S_Unlock Reset BOOL FALSE Ä Table 31 General Input Parameters on page 266 ModeMonitorTime TIME T 0 Constant Maximum permissible time f...

Page 283: ...RUE Mode 5 is selected and active S_Mode6Sel BOOL FALSE Indicates that mode 6 is selected and acknowl edged FALSE Mode 6 is not selected or not active TRUE Mode 6 is selected and active S_Mode7Sel BOOL FALSE Indicates that mode 7 is selected and acknowl edged FALSE Mode 7 is not selected or not active TRUE Mode 7 is selected and active S_AnyModeSel BOOL FALSE Indicates that any of the 8 modes is s...

Page 284: ...for SF_ModeSelector valid change in Mode input with acknowledgment Fig 101 Timing diagram for SF_ModeSelector error condition 2 at Mode inputs Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 284 ...

Page 285: ... more than one S_ModeX mode input is selected at the same time A static reset condition is detected when the FB is either in Error state C001 or C002 Error Behavior In the event of an error the S_ModeXSel and S_AnyModeSel outputs are set to safe state FALSE The DiagCode output indicates the relevant error code and the Error output is set to TRUE An error must be acknowledged with the rising trigge...

Page 286: ...d that all S_ModeX are FALSE The period following a falling S_ModeX trigger exceeds ModeMonitorTime e g open circuit of cables Ready TRUE Error TRUE S_AnyModeSel FALSE All S_ModeXSel FALSE C003 Reset Error 1 Static Reset signal detected in state C001 Ready TRUE Error TRUE S_AnyModeSel FALSE All S_ModeXSel FALSE C004 Reset Error 2 Static Reset signal detected in state C002 Ready TRUE Error TRUE S_A...

Page 287: ... not yet locked Ready TRUE Error FALSE S_AnyModeSel TRUE S_ModeXSel Selected X is TRUE others are FALSE 8004 ModeLocked Valid mode selection is locked Ready TRUE Error FALSE S_AnyModeSel TRUE S_ModeXSel Selected X is TRUE others are FALSE 4 6 6 5 SF_EmergencyStop Standards Requirements EN 418 1992 3 Definitions 4 1 12 Resetting the control device shall not by itself cause a restart command EN 954 ...

Page 288: ...ergency stop button This FB can be used for emergency switch off functionality stop category 0 or with additional peripheral support as emergency stop stop category 1 or 2 Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 288 ...

Page 289: ...reset required or internal errors active TRUE Safety output enabled No demand for safety related response e g emergency stop button not engaged no internal errors active Error BOOL FALSE Ä Table 32 General Output Parameters on page 267 DiagCode WORD 16 0000 Ä Table 32 General Output Parameters on page 267 Notes The following requirements as defined in EN 418 1992 have to be fulfilled by the user n...

Page 290: ...oReset FALSE Start reset normal operation safety demand restart Fig 104 Timing diagram for SF_EmergencyStop S_StartReset TRUE S_AutoReset FALSE Start normal operation safety demand restart Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 290 ...

Page 291: ...signal at Reset input Error Behavior S_EStopOut is set to FALSE In case of a static TRUE signal at the Reset input the DiagCode output indi cates the relevant error code and the Error output is set to TRUE To leave the error states the Reset must be set to FALSE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 291 ...

Page 292: ...eady FALSE S_EStopOut FALSE Error FALSE 8001 Init Activation is TRUE The function block was enabled Check if S_Star tReset is required Ready TRUE S_EStopOut FALSE Error FALSE 8002 Wait for S_EstopIn 1 Activation is TRUE Check if Reset is FALSE and wait for S_EStopIn TRUE Ready TRUE S_EStopOut FALSE Error FALSE 8003 Wait for Reset 1 Activation is TRUE S_EStopIn TRUE Wait for rising trigger of Reset...

Page 293: ...art inter lock is manually reset However it shall not be possible to reset the restart interlock whilst the sensing device is actuated EN 954 1 1996 5 4 Manual reset ISO 12100 2 2003 4 11 4 Restart following power failure spontaneous restart This function block is a safety related function block for monitoring electro sensitive protective equipment ESPE The function is identical to SF_EmergencySto...

Page 294: ...hall only be activated if it is ensured that no hazardous situation can occur when the PES is started The ESPE must be selected in respect of the product standards EN IEC 61496 1 2 and 3 and the required categories according EN 954 1 Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 294 ...

Page 295: ... Table 31 General Input Parameters on page 266 S_AutoReset BOOL FALSE Ä Table 31 General Input Parameters on page 266 Reset BOOL FALSE Ä Table 31 General Input Parameters on page 266 VAR_OUTPUT Ready BOOL FALSE Ä Table 32 General Output Parameters on page 267 S_ESPE_Out BOOL FALSE Output for the safety related response FALSE Safety output disabled Demand for safety related response e g reset requi...

Page 296: ...Reset FALSE Start reset normal operation safety demand restart Fig 107 Timing diagram for SF_ESPE S_StartReset TRUE S_AutoReset FALSE Start normal opera tion safety demand restart Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 296 ...

Page 297: ...al at Reset input Error Behavior S_ESPE_Out is set to FALSE In case of a static TRUE signal at the Reset input the DiagCode output indi cates the relevant error code and the Error output is set to TRUE To leave the error states the Reset must be set to FALSE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 297 ...

Page 298: ...eady FALSE S_ESPE_Out FALSE Error FALSE 8001 Init Activation is TRUE The function block was enabled Check if S_Star tReset is required Ready TRUE S_ESPE_Out FALSE Error FALSE 8002 Wait for S_ESPE_In 1 Activation is TRUE Check if Reset is FALSE and wait for S_ESPE_In TRUE Ready TRUE S_ESPE_Out FALSE Error FALSE 8003 Wait for Reset 1 Activation is TRUE S_ESPE_In TRUE Wait for rising trigger of Reset...

Page 299: ...e guard is closed n Closing the guard initiates operation of the hazardous machine function s EN 1088 1995 3 2 Interlocking Guard n The hazardous machine functions covered by the guard cannot operate until the guard is closed n If the guard is opened while the hazardous machine functions are operating a stop instruction is given n When the guard is closed the hazardous machine functions covered by...

Page 300: ...itches is set to FALSE When closing the safety guard both S_GuardSwitch1 and S_GuardSwitch2 inputs should switch to TRUE This FB monitors the symmetry of the switching behavior of both switches The S_GuardMonitoring output remains FALSE if only one of the contacts has completed an open close process The behavior of the S_GuardMonitoring output depends on the time difference between the switching i...

Page 301: ...E Ä Table 31 General Input Parameters on page 266 Only Constant S_AutoReset BOOL FALSE Ä Table 31 General Input Parameters on page 266 Only Constant Reset BOOL FALSE Ä Table 31 General Input Parameters on page 266 VAR_OUTPUT Ready BOOL FALSE Ä Table 32 General Output Parameters on page 267 S_GuardMoni toring BOOL FALSE Output indicating the status of the guard FALSE Guard is not active TRUE both S...

Page 302: ...Typical Timing Diagrams Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 302 ...

Page 303: ...rdSwitch1 S_GuardSwitch2 input and the second is greater than the value for the DiscrepancyTime input The Error output is set to TRUE The function block detects a static TRUE signal at the RESET input Error and Reset Behavior The S_GuardMonitoring output is set to FALSE If the two S_GuardSwitch1 and S_Guardswitch2 inputs are bridged no error is detected To leave the Reset error state the Reset inp...

Page 304: ...itoring FALSE Error TRUE Table 53 FB specific status codes no error DiagCode State Name State Description and Output Setting 0000 Idle The function block is not active initial state Ready FALSE S_GuardMonitoring FALSE Error FALSE 8000 Normal Safety guard closed and Safe state acknowledged Ready TRUE S_GuardMonitoring TRUE Error FALSE 8001 Init Function block has been activated Ready TRUE S_GuardMo...

Page 305: ...tarted Ready TRUE S_GuardMonitoring FALSE Error FALSE 8005 Guard Closed Guard closed Waiting for Reset if S_AutoReset FALSE Ready TRUE S_GuardMonitoring FALSE Error FALSE 4 6 6 8 SF_TwoHandControlTypeII Standards Requirements EN 574 1996 Clause 4 Table 1 Type II 5 1 Use of both hands simultaneous actuation 5 2 Relationship between output signal and input signals 5 3 Completion of the output signal...

Page 306: ...rding to EN 574 Section 4 Type II If S_Button1 and S_Button2 are set to TRUE in a correct sequence then the S_TwoHandOut output will also be set to TRUE The FB also controls the release of both buttons before setting the output S_TwoHandOut again to TRUE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 306 ...

Page 307: ...eased TRUE Button 2 actuated VAR_OUTPUT Ready BOOL FALSE Ä Table 32 General Output Parameters on page 267 S_TwoHandOut BOOL FALSE Safety related output signal FALSE No correct two hand operation TRUE S_Button1 and S_Button2 inputs are TRUE and no error occurred Correct two hand operation Error BOOL FALSE Ä Table 32 General Output Parameters on page 267 DiagCode WORD 16 0000 Ä Table 32 General Outp...

Page 308: ...d as an invalid input setting leading to an error Error Behavior In the event of an error the S_TwoHandOut output is set to FALSE and remains in this safe state The Error state is exited when both buttons are released set to FALSE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 308 ...

Page 309: ...dOut FALSE Table 56 FB specific status codes no error DiagCode State Name State Description and Output Setting 0000 Idle The function block is not active initial state Ready FALSE Error FALSE S_TwoHandOut FALSE 8000 Buttons Actu ated Both buttons actuated correctly The safety related output is enabled Ready TRUE Error FALSE S_TwoHandOut TRUE 8001 Init Function block is active but in the Init state...

Page 310: ...s enabled and is disabled again FALSE at both S_Button1 and S_Button2 was not achieved after disabling the safety related output In this state S_Button1 is FALSE and S_Button2 is TRUE after disabling the safety related output Ready TRUE Error FALSE S_TwoHandOut FALSE 8009 Locked Off The safety related output was enabled and is disabled again FALSE at both S_Button1 and S_Button2 was not achieved a...

Page 311: ...y NO and NC switches together with antivalent processing ISO 12100 2 2003 4 11 4 Restart following power failure spontaneous restart This function block provides the two hand control functionality see EN 574 Section 4 Type III Fixed speci fied time difference is 500 ms This function block provides the two hand control functionality according to EN 574 Section 4 Type III If S_Button1 and S_Button2 ...

Page 312: ...VAR_OUTPUT Ready BOOL FALSE Ä Table 32 General Output Parameters on page 267 S_TwoHandOut BOOL FALSE Safety related output signal FALSE No correct two hand operation TRUE S_Button1 and S_Button2 inputs changed from FALSE to TRUE within 500 ms and no error occurred The two hand operation has been per formed correctly Error BOOL FALSE Ä Table 32 General Output Parameters on page 267 DiagCode WORD 16...

Page 313: ...ng to an error The FB detects when the divergence of the input signals exceeds 500 ms Error Behavior In the event of an error the S_TwoHandOut output is set to FALSE and remains in this safe state The Error state is exited when both buttons are released set to FALSE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 313 ...

Page 314: ...tton1 was FALSE and S_Button 2 was TRUE after 500 ms in state 8005 Ready TRUE Error TRUE S_TwoHandOut FALSE C005 Error 2 B2 S_Button1 was TRUE and S_Button 2 was FALSE after 500 ms in state 8005 Ready TRUE Error TRUE S_TwoHandOut FALSE C006 Error 2 B1 B2 S_Button1 was TRUE and S_Button 2 was TRUE after 500 ms in state 8005 or 8006 This state is only possible when the states of the inputs S_Button1...

Page 315: ...E Error FALSE S_TwoHandOut FALSE 8005 Button 1 Actu ated Only Button 1 is actuated Start monitoring timer Ready TRUE Error FALSE S_TwoHandOut FALSE 8006 Button 2 Actu ated Only Button 2 is actuated Start monitoring timer Ready TRUE Error FALSE S_TwoHandOut FALSE 8007 Button 2 Released The safety related output was enabled and is disabled again FALSE at both S_Button1 and S_Button2 was not achieved...

Page 316: ...ady TRUE Error FALSE S_TwoHandOut FALSE 4 6 6 10 SF_GuardLocking Standards Requirements EN 953 1997 3 3 3 Control Guard n The hazardous machine functions covered by the guard cannot operate until the guard is closed n Closing the guard initiates operation of the hazardous machine function s EN 1088 1995 3 3 Definition Interlocking Guard With Guard Locking n The hazardous machine functions covered ...

Page 317: ...ch The operator requests to get access to the hazardous area The guard can only be unlocked when the haz ardous area is in a safe state The guard can be locked if the guard is closed The machine can be started when the guard is closed and the guard is locked An open guard or unlocked guard will be detected in the event of a safety critical situation The S_StartReset and S_AutoReset inputs shall on...

Page 318: ...rd is locked UnlockRequest BOOL FALSE Variable Operator intervention request to unlock the guard FALSE No request TRUE Request made S_StartReset BOOL FALSE Ä Table 31 General Input Parameters on page 266 S_AutoReset BOOL FALSE Ä Table 31 General Input Parameters on page 266 Reset BOOL FALSE Ä Table 31 General Input Parameters on page 266 Also used to request the guard to be locked again The qualit...

Page 319: ...unlock the guard FALSE Close guard TRUE Unlock guard Error BOOL FALSE Ä Table 32 General Output Parameters on page 267 DiagCode WORD 16 0000 Ä Table 32 General Output Parameters on page 267 Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 319 ...

Page 320: ...avior In the event of an error the S_GuardLocked and S_UnlockGuard outputs are set to FALSE the DiagCode output indicates the relevant error code and the Error output is set to TRUE An error must be acknowledged by a rising trigger at the Reset input Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 320 ...

Page 321: ...8011 Ready TRUE S_GuardLocked FALSE S_UnlockGuard FALSE Error TRUE C004 Safety Lost Safety lost guard opened or guard unlocked Ready TRUE S_GuardLocked FALSE S_UnlockGuard FALSE Error TRUE Table 62 FB specific status codes no error DiagCode State Name State Description and Output Setting 0000 Idle The function block is not active initial state Ready FALSE S_GuardLocked FALSE S_UnlockGuard FALSE Er...

Page 322: ...or reset Ready TRUE S_GuardLocked FALSE S_UnlockGuard FALSE Error FALSE 8012 Guard Open and Unlocked Lock is released and guard is open Ready TRUE S_GuardLocked FALSE S_UnlockGuard TRUE Error FALSE 8013 Guard Closed but Unlocked Lock is released but guard is closed Ready TRUE S_GuardLocked FALSE S_UnlockGuard TRUE Error FALSE 8014 Safety Return Return of S_SafetyActive signal now waiting for opera...

Page 323: ...en used as a perimeter guard and the duration of the periodic test is greater than 150 ms it is possible for a person to pass through the detection zone without being detected In this case a restart interlock should be included If the periodic test is automatically initiated the correct functioning of the periodic test shall be monitored and a single fault in the parts implementing the monitoring ...

Page 324: ...est is sup ported FALSE The external manual sensor test is sup ported Only after a complete manual sensor switching sequence an automatic test is possible again after a faulty automatic sensor test TRUE The external manual sensor test is not supported An automatic test is possible again without a manual sensor switching sequence after faulty automatic sensor test S_StartReset BOOL FALSE Ä Table 31...

Page 325: ...An automatic sensor test is not possible TRUE An automatic sensor test is possible TestExecuted BOOL FALSE A positive signal edge indicates the successful execution of the automatic sensor test FALSE An automatic sensor test was not executed yet An automatic sensor test is active An automatic sensor test was faulty TRUE A sensor test was executed successfully Error BOOL FALSE Ä Table 32 General Ou...

Page 326: ...nvalid static reset signal in the process n Plausibility check of the monitoring time setting In the event of an error the S_OSSD_Out output is set to FALSE and remains in this safe state Once the error has been removed and the sensor is on S_OSSD_In TRUE a reset removes the error state and sets the S_OSSD_Out output to TRUE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC50...

Page 327: ...nd 150 ms are possible Ready TRUE S_OSSD_Out FALSE S_TestOut TRUE TestPossible FALSE TestExecuted FALSE Error TRUE C001 Reset Error 1 Static Reset condition detected after FB activation Ready TRUE S_OSSD_Out FALSE S_TestOut TRUE TestPossible FALSE TestExecuted FALSE Error TRUE C002 Reset Error 2 Static Reset condition detected in state 8003 Ready TRUE S_OSSD_Out FALSE S_TestOut TRUE TestPossible F...

Page 328: ...SD_Out FALSE S_TestOut TRUE TestPossible FALSE TestExecuted FALSE Error TRUE C006 Reset Error 6 Static Reset condition detected in state C000 Ready TRUE S_OSSD_Out FALSE S_TestOut TRUE TestPossible FALSE TestExecuted FALSE Error TRUE C007 Reset Error 7 Static Reset condition detected in state 8013 Ready TRUE S_OSSD_Out FALSE S_TestOut TRUE TestPossible FALSE TestExecuted TRUE Error TRUE Configurat...

Page 329: ...ted FALSE Error TRUE Table 65 FB specific status codes no error DiagCode State Name State Description and Output Setting 0000 Idle The function block is not active initial state Ready FALSE S_OSSD_Out FALSE S_TestOut TRUE TestPossible FALSE TestExecuted FALSE Error FALSE 8001 Init An activation has been detected by the FB Ready TRUE S_OSSD_Out FALSE S_TestOut TRUE TestPossible FALSE TestExecuted F...

Page 330: ...OSSD_Out FALSE S_TestOut TRUE TestPossible FALSE TestExecuted FALSE Error FALSE 8004 External Func tion Test The automatic sensor test was faulty An external manual sensor test is necessary The support for the necessary external manual sensor test has been acti vated at the FB NoExternalTest FALSE A negative signal edge at the sensor is required Ready TRUE S_OSSD_Out FALSE S_TestOut TRUE TestPossi...

Page 331: ...was faulty An external manual sensor test is necessary The support for the necessary external manual sensor test has been acti vated at the FB NoExternalTest FALSE The external manual test is complete The FB detected a complete sensor switching cycle external controlled Ready TRUE S_OSSD_Out FALSE S_TestOut TRUE TestPossible FALSE TestExecuted FALSE Error FALSE 8010 ESPE Free No Test The FB has no...

Page 332: ...The automatic sensor test is active Test Timer is started second time The transmitter signal of the sensor is switched on by the FB The signal of the receiver must follow the signal of the transmitter Ready TRUE S_OSSD_Out TRUE S_TestOut TRUE TestPossible FALSE TestExecuted FALSE Error FALSE 8000 ESPE Free Test ok The FB has not detected a safety demand The sensor was automatically tested Ready TR...

Page 333: ...dy TRUE S_OSSD_Out FALSE S_TestOut TRUE TestPossible FALSE TestExecuted TRUE Error FALSE 8013 Wait for Reset 2 Wait for rising trigger of Reset after state 8012 Ready TRUE S_OSSD_Out FALSE S_TestOut TRUE TestPossible FALSE TestExecuted TRUE Error FALSE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 333 ...

Page 334: ...mute condition It shall not be possible to initiate the muting function when n the protective equipment OSSDs are in the OFF state n the protective equipment is in the lock out condition n initiation of the muting function by two or more independent muting sensors such that a single fault cannot cause a muted condition n termination of the muting function by two or more independent muting sensors ...

Page 335: ...ated by indicator lights There are sequential and parallel muting procedures In this FB sequential muting with four muting sensors was used an explanation for the forward direction of transportation is provided below The FB can be used in both directions forward and backward The muting should be enabled with the MutingEnable signal by the process control to avoid manipulation When the MutingEnable...

Page 336: ...or 21 FALSE Muting sensor 21 not actuated TRUE Workpiece actuates muting sensor 21 MutingSwitch22 BOOL FALSE Variable Status of Muting sensor 22 FALSE Muting sensor 22 not actuated TRUE Workpiece actuates muting sensor 22 S_MutingLamp BOOL FALSE Variable or constant Indicates operation of the muting lamp FALSE Muting lamp failure TRUE Muting lamp no failure MutingEnable BOOL FALSE Variable or cons...

Page 337: ...ction field not interrupted or muting active S_MutingActive BOOL FALSE Indicates status of Muting process FALSE Muting not active TRUE Muting active Error BOOL FALSE Ä Table 32 General Output Parameters on page 267 DiagCode WORD 16 0000 Ä Table 32 General Output Parameters on page 267 Notes A short circuit in the muting sensor signals or a functional application error to supply these signals are n...

Page 338: ...using a machine stop 3 Transmitter Receiver MS_11 MS_12 MS_21 MS_22 Danger zone Before muting sensors MutingSwitch11 MS_11 and MutingSwitch12 MS_12 are disabled muting sensors MutingSwitch21 MS_21 and MutingSwitch22 MS_22 must be activated This ensures that muting mode remains active 4 Transmitter Receiver MS_11 MS_12 MS_21 MS_22 Danger zone Muting mode is terminated if only muting sensor MutingSw...

Page 339: ...8122 to 8112 MS_21 is the second entry switch actuated MutingEnable AND NOT MS_11 AND NOT MS_12 AND R_TRIG at MS_21 AND MS_22 Muting condition 13 MS_12 is the first exit switch released Stop timer MaxMutingTime MS_11 AND F_TRIG at MS_12 AND NOT MS_21 AND NOT MS_22 Specification of wrong MutingSequences In state 8000 NOT MutingEnable AND R_TRIG at MS_11 OR NOT MutingEnable AND R_TRIG at MS_22 OR MS...

Page 340: ...tion n MaxMutingTime has been set to a value less than T 0s or greater than T 10min n The muting function S_MutingActive TRUE exceeds the maximum muting time MaxMutingTime Error Behavior In the event of an error the S_AOPD_Out and S_MutingActive outputs are set to FALSE The DiagCode output indicates the relevant error code and the Error output is set to TRUE A restart is inhibited until the error ...

Page 341: ...Active FALSE Error TRUE CYx4 Error Muting sequence Error detected in muting sequence in states 8000 8011 8012 8112 or 8122 Ready TRUE S_AOPD_Out FALSE S_MutingActive FALSE Error TRUE Y Status in the sequence 2 states for forward and 2 states for backward direction C0x4 Error occurred in state 8000 C1x4 Error occurred in state Forward 8011 C2x4 Error occurred in state Forward 8012 C3x4 Error occurr...

Page 342: ...iption and Output Setting 0000 Idle The function block is not active initial state Ready FALSE S_AOPD_Out FALSE S_MutingActive FALSE Error FALSE 8000 AOPD Free Muting not active and no safety demand from AOPD Ready TRUE S_AOPD_Out TRUE S_MutingActive FALSE Error FALSE 8001 Init Function block has been activated Ready TRUE S_AOPD_Out FALSE S_MutingActive FALSE Error FALSE 8002 Safety Demand AOPD Sa...

Page 343: ...starting phase and no safety demand Ready TRUE S_AOPD_Out TRUE S_MutingActive FALSE Error FALSE 8012 Muting For ward Active Muting forward sequence is active Ready TRUE S_AOPD_Out TRUE S_MutingActive TRUE Error FALSE 8112 Muting Back ward Active Muting backward sequence is active Ready TRUE S_AOPD_Out TRUE S_MutingActive TRUE Error FALSE 8122 Muting Back ward Start Muting backward sequence is in s...

Page 344: ... when n the protective equipment OSSDs are in the OFF state n the protective equipment is in the lock out condition n initiation of the muting function by two or more independent muting sensors such that a single fault cannot cause a muted condition n termination of the muting function by two or more independent muting sensors such that deactivation of one sensor will terminate the muting function...

Page 345: ...witches etc which do not have to be failsafe Active muting mode must be indi cated by indicator lights There are sequential and parallel muting procedures In this FB parallel muting with four muting sensors was used an explanation is provided below The FB can be used in both directions forward and backward The muting should be enabled with the MutingEnable signal by the process control to avoid ma...

Page 346: ...or 21 FALSE Muting sensor 21 not actuated TRUE Workpiece actuates muting sensor 21 MutingSwitch22 BOOL FALSE Variable Status of Muting sensor 22 FALSE Muting sensor 22 not actuated TRUE Workpiece actuates muting sensor 22 S_MutingLamp BOOL FALSE Variable or constant Indicates operation of the muting lamp FALSE Muting lamp failure TRUE Muting lamp no failure MutingEnable BOOL FALSE Variable or cons...

Page 347: ...ted output indicates status of the muted guard FALSE AOPD protection field interrupted and muting not active TRUE AOPD protection field not interrupted or muting active S_MutingActive BOOL FALSE Indicates status of Muting process FALSE Muting not active TRUE Muting active Error BOOL FALSE Ä Table 32 General Output Parameters on page 267 DiagCode WORD 16 0000 Ä Table 32 General Output Parameters on...

Page 348: ...er Receiver MS_11 MS_12 MS_21 MS_22 Danger zone Before muting sensors MutingSwitch11 MS_11 and MutingSwitch12 MS_12 are disabled muting sensors MutingSwitch21 MS_21 and MutingSwitch22 MS_22 must be activated This ensures that muting mode remains active The time discrepancy between switching of MutingSwitch21 and MutingSwitch22 is moni tored by the time DiscTime21_22 4 Transmitter Receiver MS_11 MS...

Page 349: ...D MS_12 AND MS_21 AND R_TRIG at MS_22 Muting condition 25 from 8314 MS_21 is the second exit switch actuated Stop timer DiscTime21_22 MS_11 AND MS_12 AND R_TRIG at MS_21 AND MS_22 Muting condition 5 one of the exit switches released Stop timer MaxMutingTime NOT MS_11 AND NOT MS_12 AND F_TRIG at MS_21 OR F_TRIG at MS_22 Backward Direction Muting condition 11 to 8122 MS_21 is the first entry switch ...

Page 350: ...TRIG at MS_21 AND MS_22 AND NOT R_TRIG at MS_22 OR R_TRIG at MS_22 AND MS_21 AND NOT R_TRIG at MS_21 OR MS_11 AND NOT R_TRIG at MS_11 AND MS_12 AND NOT R_TRIG at MS_12 OR MS_21 AND NOT R_TRIG at MS_21 AND MS_22 AND NOT R_TRIG at MS_22 State 8011 NOT MutingEnable OR NOT MS_11 OR MS_21 OR MS_22 State 8311 NOT MutingEnable OR NOT MS_12 OR MS_21 OR MS_22 State 8012 NOT MS_11 OR NOT MS_12 State 8021 R_...

Page 351: ...d n The muting function S_MutingActive TRUE exceeds the maximum muting time MaxMutingTime n Muting sensors MutingSwitch11 MutingSwitch12 MutingSwitch21 and MutingSwitch22 are activated in the wrong order n Muting sequence starts without being enabled by MutingEnable n A faulty muting lamp is indicated by S_MutingLamp FALSE n A static Reset condition is detected in state 8001 and 8003 Error Behavio...

Page 352: ...tate 8001 Ready TRUE S_AOPD_Out FALSE S_MutingActive FALSE Error TRUE C002 Reset Error 2 Static Reset condition detected in state 8003 Ready TRUE S_AOPD_Out FALSE S_MutingActive FALSE Error TRUE C003 Error Muting Lamp Error detected in muting lamp Ready TRUE S_AOPD_Out FALSE S_MutingActive FALSE Error TRUE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 201...

Page 353: ...state Forward 8021 C7x4 Error occurred in state Backward 8122 C8x4 Error occurred in state Backward 8422 C9x4 Error occurred in state Backward 8121 CAx4 Error occurred in state Backward 8114 CBx4 Error occurred in state Backward 8414 CCx4 Error occurred in state Backward 8112 CFx4 Muting Enable missing x Status of the sensors when error occurred 4 bits LSB MS_11 MS_12 MS_21 MSB MS_22 C005 Paramete...

Page 354: ...scription and Output Setting 0000 Idle The function block is not active initial state Ready FALSE S_AOPD_Out FALSE S_MutingActive FALSE Error FALSE 8000 AOPD Free Muting not active and no safety demand from AOPD If timers from subse quent muting are still running they are stopped Ready TRUE S_AOPD_Out TRUE S_MutingActive FALSE Error FALSE 8001 Init Function block has been activated Ready TRUE S_AO...

Page 355: ...SE Error FALSE 8311 Muting For ward Start 2 Muting forward sequence is in starting phase after rising trigger of MutingSwitch 12 Monitoring of DiscTime11_12 is activated Monitoring of MaxMutingTime is activated Ready TRUE S_AOPD_Out TRUE S_MutingActive FALSE Error FALSE 8012 Muting For ward Active 1 Muting forward sequence is active either After rising trigger of the second entry MutingSwitch 12 o...

Page 356: ...tingSwitch21 and 22 are actuated the monitoring of DiscTime21_22 is stopped Ready TRUE S_AOPD_Out TRUE S_MutingActive TRUE Error FALSE 8122 Muting Back ward Start 1 Muting backward sequence is in starting phase after rising trigger of MutingSwitch21 Monitoring of DiscTime21_22 is activated Monitoring of MaxMutingTime is activated Ready TRUE S_AOPD_Out TRUE S_MutingActive FALSE Error FALSE 8422 Mut...

Page 357: ...quence is active MutingSwitch11 is the first exit switch actuated Monitoring of DiscTime11_12 is started Ready TRUE S_AOPD_Out TRUE S_MutingActive TRUE Error FALSE 8414 Muting Back ward Step 2 Muting backward sequence is active MutingSwitch12 is the first exit switch actuated Monitoring of DiscTime11_12 is started Ready TRUE S_AOPD_Out TRUE S_MutingActive TRUE Error FALSE 8112 Muting Back ward Act...

Page 358: ...l not be possible to initiate the muting function when n the protective equipment OSSDs are in the OFF state n the protective equipment is in the lock out condition n initiation of the muting function by two or more independent muting sensors such that a single fault cannot cause a muted condition n termination of the muting function by two or more independent muting sensors such that deactivation...

Page 359: ...ting procedures In this FB parallel muting with two muting sensors was used an explanation is provided below The positioning of the sensors should be as described in Annex F 7 of IEC 62046 CD 2005 as shown in Figure 48 The FB can be used in both directions forward and back ward However the actual direction cannot be identified The muting should be enabled with the MutingEn able signal by the proce...

Page 360: ... lamp FALSE Muting lamp failure TRUE Muting lamp no failure MutingEnable BOOL FALSE Variable or constant Command by the control system that enables the start of the muting function when needed by the machine cycle After the start of the muting func tion this signal can be switched off FALSE Muting not enabled TRUE Start of Muting function enabled S_StartReset BOOL FALSE Ä Table 31 General Input Pa...

Page 361: ... 1 Transmitter Receiver Danger zone MS_11 MS_12 If reflection light barriers are used as muting sensors they are generally arranged diagonally In general this arrangement of reflection light barriers as muting sensors requires only two light barriers and only S_MutingSwitch11 MS_11 and S_MutingSwitch12 MS_12 are allocated Muting conditions Muting condition 1 to 8011 MS_11 is the first entry switch...

Page 362: ..._12 released consecutively Stop timer MaxMutingTime NOT MS_11 OR NOT MS_12 Wrong Muting Sequences State 8000 R_TRIG at MS_11 AND MS_12 AND NOT R_TRIG at MS_12 OR R_TRIG at MS_12 AND MS_11 AND NOT R_TRIG at MS_11 OR MS_11 AND NOT R_TRIG at MS_11 AND MS_12 AND NOT R_TRIG at MS_12 OR NOT MutingEnable AND R_TRIG at MS_11 OR NOT MutingEnable AND R_TRIG at MS_12 State 8011 NOT MutingEnable OR NOT MS_11 ...

Page 363: ...g sensors S_MutingSwitch11 S_MutingSwitch12 are activated in the wrong order n Muting sequence starts without being enabled by MutingEnable n Static muting sensor signals n A faulty muting lamp is indicated by S_MutingLamp FALSE n A static Reset condition is detected in state 8001 and 8003 Error Behaviour In the event of an error the S_AOPD_Out and S_MutingActive outputs are set to FALSE The DiagC...

Page 364: ... TRUE S_AOPD_Out FALSE S_MutingActive FALSE Error TRUE CYx4 Error Muting sequence Error detected in muting sequence state 8000 8011 8311 Ready TRUE S_AOPD_Out FALSE S_MutingActive FALSE Error TRUE Y Status in the sequence C0x4 Error occurred in state 8000 C1x4 Error occurred in state 8011 C2x4 Error occurred in state 8311 CFx4 Muting Enable missing x Status of the sensors when error occurred 4 bit...

Page 365: ...tate Description and Output Setting 0000 Idle The function block is not active initial state Ready FALSE S_AOPD_Out FALSE S_MutingActive FALSE Error FALSE 8000 AOPD Free Muting not active and no safety demand from AOPD If timers from subse quent muting are still running they are stopped Ready TRUE S_AOPD_Out TRUE S_MutingActive FALSE Error FALSE 8001 Init Function block was activated Ready TRUE S_...

Page 366: ...S_AOPD_Out TRUE S_MutingActive FALSE Error FALSE 8311 Muting Start 2 Muting sequence is in starting phase after rising trigger of S_MutingS witch12 Monitoring of DiscTimeEntry is activated Ready TRUE S_AOPD_Out TRUE S_MutingActive FALSE Error FALSE 8012 Muting Active Muting sequence is active either After rising trigger of the second S_MutingSwitch 12 or 11 has been detected When both S_MutingSwit...

Page 367: ...n 1 off function of the switch actuator is not operated position 2 enabling function actuator is operated in its mid position position 3 off function actuator is operated past its mid position n when returning from position 3 to position 2 the enabling function is not activated EN 954 1 1996 5 4 Manual reset ISO 12100 2 2003 4 11 4 Restart following power failure spontaneous restart The SF_EnableS...

Page 368: ...r to meet the requirements of DIN EN 60204 Section 9 2 4 the user shall use a suitable switching device In addition the user must ensure that the relevant operating mode DIN EN 60204 Section 9 2 3 is selected in the application automatic operation must be disabled in this operating mode using appropriate measures The operating mode is usually specified using an operating mode selection switch in c...

Page 369: ... Variable Signal of contacts E3 and E4 of the connected enable switch FALSE Connected switches are open TRUE Connected switches are closed S_AutoReset BOOL FALSE Ä Table 31 General Input Parameters on page 266 Reset BOOL FALSE Ä Table 31 General Input Parameters on page 266 VAR_OUTPUT Ready BOOL FALSE Ä Table 32 General Output Parameters on page 267 S_Enable SwitchOut BOOL FALSE Safety related out...

Page 370: ...Fig 118 Timing diagram for SF_EnableSwitch S_AutoReset FALSE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 370 ...

Page 371: ...s Safe state Different from other FBs a Reset Error state can be left by the condition Reset FALSE or additionally when the signal S_SafetyActive is FALSE Once the error has been removed the enable switch must be in the initial position specified in the process before the S_EnableSwitchOut output can be set to TRUE using the enable switch If S_AutoReset FALSE a rising trigger is required at Reset ...

Page 372: ...ion Error 1 Enable switch not in position 1 during activation of S_SafetyActive Ready TRUE S_EnableSwitchOut FALSE Error TRUE C020 Operation Error 2 Enable switch in position 1 after C010 Ready TRUE S_EnableSwitchOut FALSE Error TRUE C030 Operation Error 3 Enable switch in position 2 after position 3 Ready TRUE S_EnableSwitchOut FALSE Error TRUE C040 Operation Error 4 Enable switch not in position...

Page 373: ...e is active Ready TRUE S_EnableSwitchOut FALSE Error FALSE 8006 Position 1 Safe operation mode is active and the enable switch is in position 1 Ready TRUE S_EnableSwitchOut FALSE Error FALSE 8007 Position 3 Safe operation mode is active and the enable switch is in position 3 Ready TRUE S_EnableSwitchOut FALSE Error FALSE 8000 Position 2 Safe operation mode is active and the enable switch is in pos...

Page 374: ... 2003 4 11 4 Restart following power failure spontaneous restart The function block represents the interface between the user program and system environment Fig 120 Example of SF_SafetyRequest This function block provides the interface to a generic actuator e g a safety drive or safety valve to place the actuator in a safe state This FB provides the interface between the safety related system and ...

Page 375: ...d S_Acknowledge BOOL FALSE Variable Confirmation of the generic actuator if actuator is in the Safe state FALSE Operation mode non safe TRUE Safe mode Reset BOOL FALSE Ä Table 31 General Input Parameters on page 266 MonitoringTime TIME T 0s Constant Monitoring of the response time between the safety function request S_OpMode set to FALSE and the actuator acknowledgment S_Acknowl edge switches to T...

Page 376: ...et signal External FB errors There are no external errors since there is no error bits information provided by the generic actuator Error Behavior In the event of an error the S_SafetyActive output is set to FALSE An error must be acknowledged by a rising trigger at the Reset input To continue the function block after this reset the S_OpMode request must be set to TRUE Configuration and programmin...

Page 377: ... state C002 Acknowledge Lost Ready TRUE S_SafetyActive FALSE S_SafetyRequest FALSE Error TRUE C005 Reset Error 3 Static Reset detected in state C003 MonitoringTime Elapsed Ready TRUE S_SafetyActive FALSE S_SafetyRequest FALSE Error TRUE Table 80 FB specific status codes no error DiagCode State Name State Description and Output Setting 0000 Idle The function block is not active initial state Ready ...

Page 378: ...irmation OpMode Operation mode with Acknowledge of safe mode Ready TRUE S_SafetyActive FALSE S_SafetyRequest TRUE Error FALSE 8003 Wait for Con firmation Waiting for confirmation from the drive system interface Ready TRUE S_SafetyActive FALSE S_SafetyRequest FALSE Error FALSE 8005 Wait for OpMode Error was cleared However S_OpMode must be set to TRUE before the FB can be initialized Ready TRUE S_S...

Page 379: ...t Control of a safety output with a signal from the functional application and a safety signal with optional startup inhibits The SF_OutControl FB is an output driver for a safety output The safety output is controlled via S_OutControl using a signal from the functional application ProcessCon trol BOOL to control the process and a signal from the safety application S_SafeControl BOOL to control th...

Page 380: ...and S_AutoReset inputs shall only be activated if it is ensured that no haz ardous situation can occur when the PES is started Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 380 ...

Page 381: ... StaticControl BOOL FALSE Constant Optional conditions for process control FALSE Dynamic change at ProcessControl FALSE TRUE required after block activation or triggered safety function Additional function start required TRUE No dynamic change at ProcessControl FALSE TRUE required after block activation or triggered safety function S_StartReset BOOL FALSE Ä Table 31 General Input Parameters on pag...

Page 382: ...al Output Parameters on page 267 DiagCode WORD 16 0000 Ä Table 32 General Output Parameters on page 267 Typical Timing Diagrams Fig 122 Timing diagram for SF_OutControl S_StartReset FALSE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 382 ...

Page 383: ...ol output is set to FALSE and remains in this safe state To leave the Reset Init or Lock error states the Reset input must be set to FALSE To leave the Control error state the ProcessControl input must be set to FALSE After transition of S_SafeControl to TRUE the optional startup inhibit can be reset by a rising edge at the Reset input After block activation the optional startup inhibit can be res...

Page 384: ...multaneous rising trigger at Reset and ProcessControl in state 8001 Ready TRUE S_OutControl FALSE Error TRUE C211 Lock Error Simultaneous rising trigger at Reset and ProcessControl in state 8003 Ready TRUE S_OutControl FALSE Error TRUE Table 83 FB specific status codes no error DiagCode State Name State Description and Output Setting 0000 Idle The function block is not active initial state Ready F...

Page 385: ...ve and safety is enabled Ready TRUE S_OutControl TRUE Error FALSE 4 6 6 18 SF_EDM Standards Requirements IEC 60204 1 Ed 5 0 2003 Section 9 2 2 Stop function categories Category 0 EN 954 1 1996 5 2 Stop function stop initiated by protective devices shall put the machine in a safe state 6 2 Specification of categories Fault detection of the actuator e g open circuits ISO 12100 2 2003 4 11 4 Restart ...

Page 386: ... actuators A common feedback signal from the two connected actuators must be used for a restricted yet simple diagnostic func tion of the connected actuators When doing so the user must connect this common signal to both param eter S_EDM1 and parameter S_EDM2 S_EDM1 and S_EDM2 are then controlled by the same signal The switching devices used in the safety function should be selected from the categ...

Page 387: ... actuator S_EDM2 BOOL FALSE Variable Feedback signal of the second connected actuator If using only one signal in the application the user must use a graphic connection to jumper the S_EDM1 and S_EDM2 parameters S_EDM1 and S_EDM2 are then controlled by the same signal FALSE Switching state of the second connected actuator TRUE Initial state of the second connected actuator S_StartReset BOOL FALSE ...

Page 388: ...onnected actuators TRUE Enable connected actuators Error BOOL FALSE Ä Table 32 General Output Parameters on page 267 DiagCode WORD 16 0000 Ä Table 32 General Output Parameters on page 267 Typical Timing Diagrams Fig 124 Timing diagrams for SF_EDM S_StartReset FALSE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 388 ...

Page 389: ...ectly interconnected due to programming error Error Behavior In error states the outputs are as follows n In the event of an error the S_EDM_Out is set to FALSE and remains in this safe state n An EDM error message must always be reset by a rising trigger at Reset n A Reset error message can be reset by setting Reset to FALSE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC5...

Page 390: ...ter block activation the optional startup inhibit can be reset by a rising edge at the Reset input Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib 30 03 2017 AC500 S 390 ...

Page 391: ...ic Reset signal or same signals at EDM1 EDM2 and Reset rising trigger at Reset EDM1 and EDM2 at the same time in state C030 Ready TRUE S_EDM_Out FALSE Error TRUE C041 Reset Error 31 Static Reset signal or same signals at EDM1 and Reset rising trigger at Reset and EDM1 at the same time in state C040 Ready TRUE S_EDM_Out FALSE Error TRUE C051 Reset Error 32 Static Reset signal or same signals at EDM...

Page 392: ...LSE Error TRUE C020 EDM Error 12 The signal at EDM2 is not valid in the initial actuator state In state 8010 the EDM2 signal is FALSE when enabling S_OutControl Ready TRUE S_EDM_Out FALSE Error TRUE C030 EDM Error 13 The signals at EDM1 and EDM2 are not valid in the initial actuator states In state 8010 the EDM1 and EDM2 signals are FALSE when enabling S_OutControl Ready TRUE S_EDM_Out FALSE Error...

Page 393: ...e EDM1 signal is TRUE and the monitoring time has elapsed Ready TRUE S_EDM_Out FALSE Error TRUE C080 EDM Error 32 The signal at EDM2 is not valid in the actuator switching state In state 8000 the EDM2 signal is TRUE and the monitoring time has elapsed Ready TRUE S_EDM_Out FALSE Error TRUE C090 EDM Error 33 The signals at EDM1 and EDM2 are not valid in the actuator switching state In state 8000 the...

Page 394: ...on startup inhibit is active Reset required Ready TRUE S_EDM_Out FALSE Error FALSE 8010 Output Disable EDM control is not active Timer starts when state is entered Ready TRUE S_EDM_Out FALSE Error FALSE 8000 Output Enable EDM control is active Timer starts when state is entered Ready TRUE S_EDM_Out TRUE Error FALSE Configuration and programming AC500 S Libraries SafetyBlocks_PLCopen_AC500_v22 lib ...

Page 395: ...s are detected by the safety module background self tests which trigger defined error reactions in safety modules to transfer faulty mod ules into the safe state In this chapter we list various safety times for AC500 S components and AC500 S Safety PLC as a system Safety times Overview 30 03 2017 AC500 S 395 ...

Page 396: ...ause it is used in time critical safety applications like presses to define a proper distance for a light curtain or other safety sensor from the potentially dangerous machine parts SFRT for PROFIsafe devices can be defined based on 8 as Equation 1 SFRT TWCDT Longest T_WD where n TWCDT Total Worst Case Delay Time is the maximal time for input signal transfer in AC500 S system until the output reac...

Page 397: ...s Two times internal cycle time fixed AI581 S 4 5 ms DX581 S 5 5 ms and DI581 S 6 5 ms n F_WD_Time1 is the first watchdog time in ms for receipt of the new valid telegram variable as parameter and depends on system configuration n F_Host_WD is the watchdog time in ms equal to three times of the set value using SF_WDOG_TIME_SET POU variable as parameter through SF_WDOG_TIME_SET POU and depends on t...

Page 398: ... 50 Below a few examples on how to calculate SFRT values under various AC500 S system configurations are presented In our calculations we use the following approach based on 3 and 8 which allows us calcu lating SFRT as Equation 2 SFRT Device_WD1 0 5 F_WD_Time1 F_Host_WD 0 5 F_WD_Time2 Device_WD2 Longest T_WD Safety times Safety function response time 30 03 2017 AC500 S 398 ...

Page 399: ...delay time of SM560 S Safety CPU F_Host_WD can be calculated as three times the value set using SF_WDOG_TIME_SET POUs The correct value for SF_WDOG_TIME_SET can be empirically obtained using tracing MAX_TIME output of the same POU in a test run SF_WDOG_TIME_SET value shall be set about 30 higher than the worst case value MAX_TIME observed in the given safety application to avoid potential availabi...

Page 400: ...modules If the undervoltage phase is longer than 10 ms then module passivation occurs Ä Chapter 3 2 3 Undervoltage Overvoltage on page 70 End users who are not satisfied with the undervoltage detection approach described above e g undervoltage events with duration of 10 ms are frequently observed in their application have to add 10 ms for AI581 S module in their SFRT calculation to take into accou...

Page 401: ...Fig 126 SFRT in AC500 S system without PROFINET components Safety times Safety function response time 30 03 2017 AC500 S 401 ...

Page 402: ...Fig 127 SFRT in AC500 S system with PROFINET components Safety times Safety function response time 30 03 2017 AC500 S 402 ...

Page 403: ...s 12 5 ms no test pulses were used n F_WD_Time1 20 ms n F_Host_WD 3 x 2 ms SF_WDOG_TIME_SET time 6 ms n F_WD_Time2 20 ms n Device_WD2 8 ms output current 5 mA n Longest T_WD Max 0 5 F_WD_Time1 0 5 F_WD_Time2 10 ms Without PROFINET AI581 S SM560 S DX581 S SFRT Device_WD1 0 5 F_WD_Time1 F_Host_WD 0 5 F_WD_Time2 Device_WD2 Longest T_WD 76 5 10 6 10 8 10 120 5 ms where n Device_WD1 2 x 4 5 ms 67 5 ms ...

Page 404: ...T AI581 S SM560 S DX581 S SFRT Device_WD1 0 5 F_WD_Time1 F_Host_WD 0 5 F_WD_Time2 Device_WD2 Longest T_WD 76 5 15 6 15 8 15 135 5 ms where n Device_WD1 2 x 4 5 ms 67 5 ms 76 5 ms n F_WD_Time1 30 ms n F_Host_WD 3 x 2 ms SF_WDOG_TIME_SET time 6 ms n F_WD_Time2 30 ms n Device_WD2 8 ms output current 5 mA n Longest T_WD Max 0 5 F_WD_Time1 0 5 F_WD_Time2 15 ms DANGER Mistakes in SFRT calculation can le...

Page 405: ...issioning and document those in their final reports The items presented in the checklists include only the most important ones from AC500 S Safety PLC per spective which means that AC500 S checklists can be also extended by users to include additional aspects important for their safety applications Checklists for AC500 S Commissioning Overview 30 03 2017 AC500 S 405 ...

Page 406: ...he given safety application Note The rule F_Source_Add F_Dest_Add for the given F Device is automatically checked by PS501 Control Builder Plus V2 2 1 or newer Automation Builder 1 0 or newer 5 Validate iParameters Two options are available A Validate that all iParameters Input delay channel configuration etc for all Safety I Os and other F Devices are correct with a given F_iPar_CRC value using a...

Page 407: ...changes are still done then they will lead to a new CoDeSys Safety boot project CRC which will require re doing this checklist from the beginning 11 Verify using CoDeSys Safety menu item Online è Check boot project in PLC that offline CoDeSys safety project and the boot project on the Safety CPU are identical File name Change date Title Author Version Description and CRC 12 If floating point opera...

Page 408: ...carried out with the machine in its final configuration including mechanical electrical and electronic components sensors actuators and soft ware 19 Verify using library CRC shown in CoDeSys Safety that only TÜV certified safety libraries with correct CRCs Ä Chapter 4 6 1 Overview on page 224 are used in the given CoDeSys Safety project to execute safety functions All other user defined libraries ...

Page 409: ...edures e g limited access to the cabinet where Safety CPU is located on the end customer site are defined to avoid unintended firmware and or boot code update on SM560 S Safety CPU using SD card 4 Verify that correct parameter settings Behaviour of Outputs in Stop Stop on error class and Warmstart on E2 of PM5xx Non safety CPU are used for the given safety application 5 Verify that required Safety...

Page 410: ...t 1 Make sure that all Safety modules are properly placed on their positions at the terminal base Safety CPU or terminal units Safety I Os and stable con tact between terminals and safety modules is assured 2 Check that proper temperature monitoring measures e g temperature sensors could be placed in the control cabinet and connected to AI581 S safety analog input channels are implemented in the c...

Page 411: ...ers for a safety island Ä 3 for further details 5 Before any deployment of a safety application with PROFIsafe especially those using wireless compo nents an assessment for dangerous threats such as eavesdropping or data manipulation shall be exe cuted Ä 11 for more details Check that adequate level of security defining security zones with security gates was established In case of no threat no sec...

Page 412: ...00 S and AC500 S XC does not exceed 40 C e g temperature sensors could be placed in the control cabinet and connected to AI581 S safety analog input channels for temperature moni toring 10 Verify that no automatic reboot of PM5xx Non safety CPU is programmed in CoDeSys Non safety pro gram The automatic reboot of PM5xx would lead to automatic restart of SM560 S Safety CPU which is directly attached...

Page 413: ...e Show generic device configuration views and instantiate a given type of Safety I O module AI581 S DI581 S or DX581 S in the PS501 Control Builder Plus V2 2 1 or newer Automation Builder 1 0 or newer tree DX581 S is used as an example Checklists for AC500 S Commissioning Verification procedure for safe iParameter setting in AC500 S Safety I Os Verification procedure workflow 30 03 2017 AC500 S 41...

Page 414: ...spectively for the given module and set appropriate iParameter values e g Test Pulse Input Delay etc Checklists for AC500 S Commissioning Verification procedure for safe iParameter setting in AC500 S Safety I Os Verification procedure workflow 30 03 2017 AC500 S 414 ...

Page 415: ... Parameter tab and press Calculate button Copy calculated F_iPar_CRC value from the Checksum iParameter field and paste it to F_iPar_CRC field of the F Parameter editor see below Checklists for AC500 S Commissioning Verification procedure for safe iParameter setting in AC500 S Safety I Os Verification procedure workflow 30 03 2017 AC500 S 415 ...

Page 416: ...ty I Os on page 417 that iParameter settings previously set at Step 2 are the same as ones listed in the Value column for given channels use Ä Chapter 6 5 2 Verification tables for iParameter settings in AC500 S Safety I Os on page 417 to decode integer values to real parameter values Checklists for AC500 S Commissioning Verification procedure for safe iParameter setting in AC500 S Safety I Os Ver...

Page 417: ...the beginning If after this second repetition there is still inconsis tency contact ABB technical support for help n Note if iParameters values were verified as described in Steps 1 6 you can reuse this iParameter combination with the given F_iPar_CRC for further modules of the same type without repeating the verifi cation procedure described above 6 5 2 Verification tables for iParameter settings...

Page 418: ... calculated Dec_InputChannel0 Ä step 2 with Input 0 channel configuration value They have to be equal If they are not equal stop the procedure and re do the configuration and comparison If after the second iteration there is still a difference between those values stop verification procedure and contact ABB technical support 3 Repeat step 2 for the rest of analog input channels Input 1 Input 2 and...

Page 419: ...onfiguration and comparison If after the second iteration there is still a difference between those values stop verification procedure and contact ABB technical support 5 Repeat step 4 for Analog inputs 1 3 Extended configuration value Checklists for AC500 S Commissioning Verification procedure for safe iParameter setting in AC500 S Safety I Os Verification tables for iParameter settings in AC500 ...

Page 420: ...Input channel 0 decimal equivalent Dec_InputChannel0 as Dec_InputChannel0 Configuration_Value Test_Pulse_Value Input_Delay_Value where Configuration_Value 0 Not used 1 1 channel 2 2 channel equivalent 3 2 channel antivalent Test_Pulse_Value 0 Disabled 8 Enabled Input_Delay_Value 16 1 ms 32 2 ms 48 5 ms 64 10 ms 80 15 ms 96 30 ms 112 50 ms Checklists for AC500 S Commissioning Verification procedure...

Page 421: ...ame stop the procedure and re do the configuration and comparison If after the second iteration there is still a difference between those values stop verification procedure and contact ABB technical support Fig 130 Compare DI581 S tab and DI581 S Configuration tab 1 2 channel configuration 0 8 parameter in DI581 S tab 2 Inputs 0 8 discrepancy time parameter in DI581 S Configuration tab 5 Repeat st...

Page 422: ...alculate Input channel 0 decimal equivalent Dec_InputChannel0 as Dec_InputChannel0 Configuration_Value Test_Pulse_Value Input_Delay_Value where Configuration_Value 0 Not used 1 1 channel 2 2 channel equivalent 3 2 channel antivalent Test_Pulse_Value 0 Disabled 8 Enabled Input_Delay_Value 16 1 ms 32 2 ms 48 5 ms 64 10 ms 80 15 ms Checklists for AC500 S Commissioning Verification procedure for safe ...

Page 423: ...he configuration and comparison If after the second iteration there is still a difference between those values stop verification procedure and contact ABB technical support Fig 132 Compare DX581 S tab and DX581 S Configuration tab 1 2 channel configuration 0 4 parameter in DX581 S tab 2 Inputs 0 4 discrepancy time parameter in DX581 S Configuration tab 5 Repeat Step 4 for the rest of input channel...

Page 424: ... If after the second iteration there is still a difference between those values stop verification procedure and contact ABB technical support 7 Repeat step 6 for the rest of digital output channels Channel 1 Channel 2 Channel 7 Checklists for AC500 S Commissioning Verification procedure for safe iParameter setting in AC500 S Safety I Os Verification tables for iParameter settings in AC500 S Safety...

Page 425: ...ation program This production line includes the following Fig 133 Example of safety functionalities in a production line 1 Centralized control cabinet including the safety related part of the control system where the safety related function blocks are running 2 Infeed of material In this example no special safety related functions are used However safety functionalities like muting to separate bet...

Page 426: ...toring of the 2 connectors of the emergency switch is done in the safety application In this example both options of input evaluation are shown n via intelligent safety input n via the equivalent function block 7 2 1 Functional description of safety functions This example uses the following safety functions n Issuing the emergency stop via SF_EmergencyStop or interrupting the light beam in the lig...

Page 427: ...example with emergency stop The symbol represents a direct opening action Ä IEC 60947 5 1 7 2 3 Declaration of used variables Table 90 Inputs Name Data type Description S1_S_EstopIn_1 BOOL Emergency Stop Channel 1 S1_S_EstopIn_2 BOOL Emergency Stop Channel 2 S2_ESPE_In BOOL Light curtain signal S0_Reset BOOL Reset Emergency Stop and ESPE S3_Drive_Reset BOOL Reset Drive Error Table 91 Outputs Name ...

Page 428: ...sed after manual restart This behavior is enabled by setting the S_StartReset and S_AutoReset inputs to FALSE Safe Stop 1 Request Handling This FB handles the Safe Stop 1 Request for AxisID_1 and monitors that the axis follows the request within the predefined monitoring time of 100 ms Any error condition within the axis has to be acknowledged by a manual drive reset signal InputDevice1_active Act...

Page 429: ...t be assigned to the Activate input Evaluation of the diagnostic information The Error signals and DiagCodes of each safety function block are transferred to the standard application Diagnosis information might be processed and displayed by an attached visualization There are different possibilities to realize the evaluation of the diagnostic information n Transfer these values into the visualizat...

Page 430: ...of n an opening of the door n an error e g invalid muting sequence n an interruption of the unmuted light curtain e g by a person n pushing an emergency stop button By pushing an emergency stop button the operator can also stop all hazardous movements in stop category 0 via SF_EmergencyStop and subsequent FBs An infringement of the unmuted light curtain stops all hazardous movements In this applic...

Page 431: ...or Light Curtain Safety Input S7_S_AOPD_In S7 S_TestOut_LightCurtain_S8 Safety Output Light Curtain S8 Actuator Safety Input DiagCodes Errors TestPosssible _LC1 TestExecuted_LC1 Functional Application S0_Reset S9_Reset ApplMutingEnable1 StartTest_LC1 ApplCtrl1 S_MutingActive_L1 Safety Output Muting Lamp L1 S9_Reset S9 Standard Input User Acknowledge User Reset S0_Reset K2 Safety Input Contactor K2...

Page 432: ...LC1 BOOL Signal starting test of light curtain S7 derived from functional appli cation ApplMutingEnable1 BOOL Signal enabling start of the muting sequence derived from func tional application Table 95 Outputs Name Data type Description S_EDM_Out_K BOOL Drives actuator via K1 and K2 S_MutingActive_L1 BOOL Drives Muting lamp L1 S_TestOut_Light Curtain_S8 BOOL Test output for light curtain S8 All Err...

Page 433: ... variables Name Data type Description S_SafeControl BOOL Indicates the status of the safety guards TRUE safety enabled Safety application examples Example 2 Muting Declaration of used variables 30 03 2017 AC500 S 433 ...

Page 434: ...ain_1 StartTest TestTime TestPoss ible TestExecuted S_AutoReset Reset S_TestOut NoExternalTest r o r r E t e s e R t r a t S _ S DiagCode Error_EStop1 Diag_EStop1 Error_Guard1 Diag_Guard1 Error_Muting1 Diag_Muting1 Error_LightCurtain1 Diag_LightCurtain1 S_MutingActive_L1 TR UE S6_S_GuardSwitch S3_MutingSwitch12 S4_MutingSwitch21 S5_MutingSwitch22 T 30s ApplMutingEnable 1 TR UE S9_Reset L1_S_Muting...

Page 435: ...on at a material gate Application Program Page 2 7 3 5 Additional notes In this example two contacts of the guard switch are connected to a safety input device which realizes the error detection The resulting BOOL signal is mapped to the two input channels of the SF_GuardMoni toring_1 The diagnostic information retrieval has not been covered in this example For this refer to Ä Chapter 7 2 5 Additi...

Page 436: ... monitored to be within 30 sec SF_LightCurtain_1 S_StartReset TRUE Automatic reset allowed when PES is started S_AutoReset FALSE No automatic reset user reset acknowl edge necessary TestTime T 100ms The maximum test time is monitored to be within 100 msec NoExternalTest TRUE The external manual sensor test is not supported SF_OutControl_1 S_StartReset FALSE No automatic reset allowed when PES is s...

Page 437: ...dangerous motion via the contac tors K1 and K2 via SF_TwoHandControlTypeII n The initial state and the operational state of the connected contactors K1 and K2 are monitored and if an error is detected the safety output cannot become operational via SF_EDM n After power on of the safety or functional application or after an emergency stop condition the two hand control must be released and re opera...

Page 438: ...ll Errors Safety Output Safety Input S2 Safety Input S3 K1 K2 Safety Input K1 Safety Input K2 K1_S_EDM1 K2_S_EDM2 S0 Emergency Stop Pushbutton 1 Pushbutton 2 Feedback K1 Feedback K2 User Reset Fig 139 Graphical overview of the example TwoHand Control with EDM 7 4 3 Declaration of used variables Table 97 Inputs Name Data type Description S1_S_EStopIn BOOL Emergency stop button S1 S2_S_Switch1 BOOL ...

Page 439: ...s BOOL Enabling motion by the process derived from functional application Table 98 Outputs Name Data type Description S_EDM_Out_EDM_ K1_K2 BOOL Drives actuator via K1 and K2 All Errors BOOL Represents all error BOOLs of the used FB connected to the func tional application All DiagCodes WORD Represents all diagnostic codes of the used FB connected to the functional application Safety application ex...

Page 440: ... _K2 S0_Reset TRUE TRUE FALSE Activate S _Button1 Ready S_TwoHandOut SF_TwoHand ControlTypeII THC_S2_S3 S _Button2 Error DiagCode Process S 2_S_Switch1 S 3_S_Switch2 TRUE TRU E SAFEBOOL _TO_BOOL Fig 140 Application Program TwoHand Control with EDM 7 4 5 Additional notes This example can also be used with the SF_TwoHandControlTypeIII The diagnostic information retrieval has not been covered in this...

Page 441: ...Reset TRUE Automatic reset no user reset acknowl edge necessary StaticControl FALSE A dynamic change of the signal Appl_Control rising edge is required after block activation or a triggered safety function S_SafeControl at FALSE EDM_K1_K2 S_StartReset FALSE No automatic reset when PES is started MonitoringTime T 200ms The maximum response time of both feedback signals S_EDM1 and S_EDM2 is monitore...

Page 442: ... DI581 S 17 DPRAM 11 Dual port RAM 32 DX581 S 17 E EMC 11 F F_iPar_CRC 23 177 F Device 11 51 177 191 231 F Host 11 23 46 51 59 85 117 144 177 191 224 231 F Parameter 11 71 177 191 406 Fault reaction time 396 Firmware and or boot code update 36 409 Flash memory 11 34 35 36 165 191 224 235 247 249 253 G GSDML 11 23 85 117 144 174 177 I IO controller 11 IO device 11 iParameter 11 177 191 L License 16...

Page 443: ... PROFIsafe diagnostic 11 59 191 PS501 Control Builder Plus 32 85 117 144 165 167 169 170 191 Q qualified personnel 21 Qualified personnel 10 21 58 R Reintegration 11 59 S SAFE STOP 24 34 35 36 40 46 51 59 98 126 149 239 Safety Code Analysis 11 223 safety function 11 24 25 428 435 Safety function 24 231 323 334 344 358 374 379 385 425 426 440 Safety group 170 SAFETY MODE 191 Safety variable 11 SD c...

Page 444: ...V Verification for iParameter settings 417 Verification procedure 413 Index 30 03 2017 AC500 S 444 ...

Page 445: ...Appendix Appendix 30 03 2017 AC500 S 445 ...

Page 446: ...ications must be used NOTICE The creepage distances and clearances meet the requirements of the overvoltage category II pollu tion degree 2 Temperature Data Value Unit Operating temperature 40 70 C Operating temperature vertical mounting of module output load limited to 50 per group 40 40 C Storage temperature 40 85 C Transport temperature 40 85 C 60 C 70 C with the following deratings n Terminal ...

Page 447: ...roup A G3 GX IEC 60721 3 3 3C2 3C3 yes Immunity to salt mist Data Value Operating horizontal mounting only according to IEC 60068 2 52 severity level 1 yes Electromagnectic Compatibility Data Value Radiated emission radio disturbance according to CISPR 16 2 3 yes Conducted emission radio disturbance according to CISPR 16 2 1 CISPR 16 1 2 yes Electrostatic discharge ESD according to IEC 61000 4 2 z...

Page 448: ...o touching communication connectors or perform other suitable measures to reduce effects of electrostatic discharges NOTICE Unused sockets for Communication Modules on Terminal Bases must be covered with TA524 Dummy Communication Module I O Bus connectors must not be touched during operation Radiation Data Value Radio disturbance according to IEC 55011 group 1 class A yes System data for AC500 S X...

Page 449: ...nce according to IEC 60068 2 27 yes Horizontal assembly position yes Vertical assembly position no application in salt mist environment yes Assembly on DIN rail according to IEC 60715 Data Value Unit DIN rail type 35 mm DIN rail type depth 7 5 or 15 mm Assembly with screws Data Value Unit Screw diameter 4 mm Fastening torque 1 2 Nm System data for AC500 S XC 30 03 2017 AC500 S 449 ...

Page 450: ...trostatic discharge ESD Data Value Unit Electrostatic voltage in case of air discharge 8 kV Electrostatic voltage in case of contact discharge 6 kV Fast transient interference voltages burst Data Value Unit Supply voltage units DC 4 kV Digital inputs outputs 24 V DC 2 kV Analog inputs outputs 2 kV Communication lines shielded 2 kV I O supply DC out 2 kV High energy transient interference voltages ...

Page 451: ...ed interferences test voltage 10 V Power frequency magnetic fields at 30 A m 50 and 60 Hz NOTICE Extreme environmental conditions and relevant requirements for non safety AC500 XC modules shall be taken into account for used Non safety CPUs and I O modules from AC500 XC family Ä AC500 User Documentation for further details System data for AC500 S XC 30 03 2017 AC500 S 451 ...

Page 452: ...th regard to purchase orders the agreed particulars shall prevail ABB AG does not accept any responsibilitywhatsoever for potential errors or possible lack of information in this document We reserve all rights in this document and in the subject matter and illustrations contained therein Any reproduction disclosure to third parties or utilization of its contents in whole or in parts is forbidden w...

Reviews:

No comments

Brands by name

Popular brands

Load more brands