Commissioning the Safety-Related Application

Safety Logic Controller Password

The SLC password protects the configuration on the Safety Logic Controller against unauthorized access and unauthorized switching of the operating mode.

If you are connecting for the first time to a non-configured Safety Logic Controller, you have to define an SLC password. If a password has already been defined (for example in an earlier session or via the SlcRemoteController visualization), enter this password and click OK to log on.

The minimum password length is six characters. The password is case-sensitive and can consist of a mix of up to 10 characters. Refer to Password Protection for Projects and Safety Logic Controller in the EcoStruxure Machine Expert - Safety - User Guide for detailed information.

Safety Logic Controller Operating Modes

The Safety Logic Controller can run in two different operating modes. The operating mode can be controlled via the SafePLC dialog. To open this control dialog, click the SafePLC icon on the main toolbar.

Refer to the section Safety Logic Controller Password for details on the logon procedure and password definition.

Description of the SafePLC operating modes (SLC operating mode, followed by its meaning):

Safe mode

The safe mode restricts operations in the project that would otherwise influence the state or mode of operation of the SLC.

In safe mode, it is possible to:

  • Switch the SLC to debug mode.

  • Display the variables status (view online values of variables).

  • Read out SLC errors via the Error button in the control dialog.

In safe mode, the SafePLC dialog is red. The Debug button is available in the SafePLC dialog to switch to debug mode.

Debug mode

Switching to debug mode means leaving the safe mode of operation. This is only possible after entering the correct SLC password (see section Safety Logic Controller Password for details).

NOTE: Switching to debug mode does not stop the program execution on the SLC.

In debug mode, it is possible to:

  • Download a project to the stopped SLC.

  • Display the variable status.

  • Force and overwrite variables and use single cycle operation.

  • Switch the SLC back to safe mode.

In debug mode, the SafePLC dialog is gray. The Safe button is visible in the SafePLC dialog to switch to safe mode.

After you have clicked the Debug or Safe button to activate the other mode, you must confirm the mode transition to activate the desired mode.

Debug Watchdog

If the SLC runs in debug mode and the connection between Machine Expert - Safety and SLC is interrupted, or the control dialog is closed and the variable status is deactivated, a debug watchdog timer starts. If the connection to the SLC can be reestablished and you continue debugging or switch the target back to safe mode within 10 minutes, the debug watchdog is reset. If the debug watchdog timer exceeds 10 minutes, the SLC sets the state to STOP [Debug] and writes an error to the error stack. The machine is signaled to assume the defined safe-state. You cannot switch to safe mode again. In this case, you have to restart the SLC.
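The mode and watchdog rules described above, as an added Python model that is not vendor code or the product's real implementation; the state names follow the SafePLC dialog, while the password check, the timing in seconds and the error text are assumptions made for this example:

```python
import hmac

DEBUG_WATCHDOG_S = 10 * 60   # the 10-minute debug watchdog described in this section

class SlcModel:
    """Toy model (not vendor code) of the operating-mode rules stated on this page."""
    def __init__(self, password: str):
        self.password = password          # SLC password defined at the first logon
        self.mode = "Safe"                # "Safe" or "Debug"
        self.running = True               # a mode switch never stops execution by itself
        self.watchdog_started = None      # time the debug watchdog started, if running
        self.watchdog_expired = False     # once set, only a restart clears it
        self.error_stack = []

    def state(self) -> str:
        # State names as shown in the SafePLC dialog, e.g. "RUN [Safe]" or "STOP [Debug]".
        return f"{'RUN' if self.running else 'STOP'} [{self.mode}]"

    def switch_to_debug(self, entered: str, confirmed: bool) -> bool:
        # Leaving safe mode needs the correct SLC password plus the confirmation prompt.
        ok = hmac.compare_digest(entered.encode(), self.password.encode())
        if not (ok and confirmed):
            return False
        self.mode = "Debug"
        return True

    def switch_to_safe(self, confirmed: bool) -> bool:
        # After a watchdog expiry, safe mode cannot be re-entered without a restart.
        if self.watchdog_expired or not confirmed:
            return False
        self.mode, self.watchdog_started = "Safe", None
        return True

    def connection_lost(self, now: float) -> None:
        if self.mode == "Debug" and self.watchdog_started is None:
            self.watchdog_started = now   # the watchdog only runs in debug mode

    def connection_restored(self, now: float) -> None:
        self.tick(now)                    # reconnecting too late: the SLC has already tripped
        if not self.watchdog_expired:
            self.watchdog_started = None  # reconnecting in time resets the watchdog

    def tick(self, now: float) -> None:
        if self.watchdog_started is not None and now - self.watchdog_started > DEBUG_WATCHDOG_S:
            self.running, self.watchdog_expired, self.watchdog_started = False, True, None
            self.error_stack.append("debug watchdog expired")   # constructed error text

    def restart(self) -> None:
        self.__init__(self.password)      # assumed: the SLC comes back up in RUN [Safe]
```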

Safety Logic Controller States

The state machine of the Safety Logic Controller has several different states. The current state is displayed in the SafePLC dialog. You can open this control dialog by clicking the SafePLC icon on the main toolbar.

Possible states (SLC state, followed by its meaning):

  • On: SLC power supply on, no program downloaded.

  • No Execution: Program downloaded, start-up in progress.

  • STOP [Safe]: Program loaded but not executing. I/O images are not updated.

  • RUN [Safe]: Program is executing. Variable status possible.

  • STOP [Debug]: Program is not executing. Download possible.

  • RUN [Debug]: Program is executing. Variable status and forcing/overwriting/single cycle mode possible.

  • HALT [Debug]: Program is halted in single cycle mode.

NOTE: If the Sercos bus is not at least in phase 2 (or if it is in NRT state), the state display in the SafePLC control dialog differs from the SlcProjectStatus displayed in EcoStruxure Machine Expert Logic Builder. Even in Sercos NRT state, the SLC may run in RUN [Safe] mode.

Downloading and Starting the Safety Application

After you have compiled your project without errors (see section Compiling the Safety-Related Project), you must download it to the Safety Logic Controller. The download includes the machine-readable application code as well as the parameterization data.

 WARNING
UNINTENDED EQUIPMENT OPERATION
  • Ensure that suitable organizational measures (according to applicable sector standards) have been taken to avoid hazardous situations if the safety logic application operates in an unintended or incorrect way, or an incorrect target for the download was selected.
  • Do not enter the zone of operation while the machine is operating.
  • Ensure that no other persons can access the zone of operation while the machine is operating.
  • Observe the regulations given by relevant sector standards while the machine is running in any other operating mode than "operational".
  • Use appropriate safety interlocks where personnel and/or equipment hazards exist.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

Download procedure in Machine Expert - Safety:

Step 1: Before downloading the project, ensure that you have set the SLC communication path (see section Defining the Communication Path) and that the SLC is connected and switched on.

Step 2: Click the SafePLC icon on the toolbar.

Result:

  • The system verifies whether it was previously connected to the same or a different SLC and whether the program in the SLC differs from the compiled project in EcoStruxure Machine Expert - Safety. If so, confirm the dialog that appears with Yes.

  • The login dialog appears if you are not yet logged on to the SLC.

Step 3: If you are connecting for the first time to an unconfigured Safety Logic Controller, you have to define a Safety Logic Controller password.

Refer to the section Safety Logic Controller Password for details.

Result: The SafePLC control dialog appears.

NOTE: If the simulation mode is activated and safe mode is simulated, the SafePLC dialog only shows a red border instead of a red background. In debug mode, no difference is visible between simulation and Safety Logic Controller. Make certain that the desired target (Safety Logic Controller or simulation) is connected when working with the dialog. Refer to Using the Simulation in the EcoStruxure Machine Expert - Safety - User Guide for information on how to activate/deactivate the simulation mode.

Step 4: In the SafePLC control dialog, click the Debug button to switch the Safety Logic Controller to debug mode (if not yet activated).

Result: A confirmation message box appears.

Step 5: Observe the message and confirm the dialog within 30 seconds.

Result:

  • If the SLC is stopped, the Download button is active.

  • If the SLC is in RUN [Debug] state, click Stop to enable the Download button.

Step 6: In the SafePLC control dialog, click the Download button.

Result:

  • If another project is stored on the SLC or another user has downloaded the same project, click Yes to overwrite it.

  • The status bar indicates the download progress and a message informs you about the successful project download.

Step 7: Confirm this message.

Result: The SLC is restarted and then transitions to the RUN [Safe] state automatically. Depending on the configuration, this may take some time.

Observe the note at the end of this procedure.

For detailed information on the possible SLC states, refer to Safety Logic Controller States in the EcoStruxure Machine Expert - Safety - User Guide.

Step 8: Perform a functional test on the project and monitor the application.

NOTE: If the Sercos bus is not at least in phase 2 (or if it is in NRT state), the SLC enters the RUN [Safe] state after the download. This enables the debugging of the safety-related application even if no Logic/Motion Controller is connected or the Sercos bus is down. Therefore, the state display in the SafePLC control dialog in Machine Expert - Safety differs from the SlcProjectStatus displayed in EcoStruxure Machine Expert Logic Builder.

Functional Test and Monitoring the Safety Application

After you have downloaded the project to the SLC, followed by the automatic transition to RUN [Safe] state, you must perform a functional test to ensure that the SLC is working correctly and, therefore, that the safety logic and the wiring are working correctly as well. The functional test must also include the positioning of the safety equipment and the verification of the correctly set safety response time.

 WARNING
NON-CONFORMANCE TO SAFETY FUNCTION REQUIREMENTS
Be sure that the functional testing you perform entirely corresponds to your risk analysis and consider each possible operating mode and scenario the safety-related application should cover.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

When testing and commissioning the system, unintentional system states or incorrect responses must be anticipated.

 WARNING
UNINTENDED EQUIPMENT OPERATION
  • Make certain that the functional testing cannot result in hazardous situations for persons or material.
  • Make certain that requesting the safety function during the functional testing cannot result in hazardous situations for persons or material.
  • Do not enter the zone of operation while the machine is operating.
  • Ensure that no other persons can access the zone of operation while the machine is operating.
  • Observe the regulations given by relevant sector standards while the machine is running in any other operating mode than "operational".
  • Use appropriate safety interlocks where personnel and/or equipment hazards exist.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

To support you in functional testing, Machine Expert - Safety enables you to open code/variables worksheets in online mode and display the variable status. This means that the variable values are cyclically read from the SLC and displayed in the worksheets as they are stored in the I/O image at the end of an execution cycle. The variable status corresponds to online monitoring of worksheets.

Variable status is possible while the SLC is running in safe mode and in debug mode.

Online monitoring of the safety application:

Step 1: Click the Variable status icon on the toolbar or press F10.

Result:

  • The system verifies whether it was previously connected to the same or a different SLC and whether the program in the SLC matches the compiled project in EcoStruxure Machine Expert - Safety. If so, confirm the dialog that appears with Yes.

  • The open worksheets are switched automatically to online mode.

Step 2: If open function block code worksheets are instantiated several times and you want to display the variable status for these worksheets, a message appears. This dialog indicates that you must use the Open instance menu command to call these worksheets in online mode.

Refer to Monitoring: Displaying the Variable Status in the EcoStruxure Machine Expert - Safety - User Guide for details on the layout and colors used in online worksheets. This applies also to the watch window which you can use for collecting variables from different worksheets and displaying their online values (help chapter Monitoring: Using the Watch Window).

Debugging the Safety Application (Forcing, Overwriting)

As a supplement to the functional system test, you can use the debug mode in Machine Expert - Safety while commissioning the application. In debug mode, you can force and overwrite variables.

Forcing and overwriting both mean assigning a new value to a variable. Overwriting is possible for variables without an assigned signal (memory variables only, not I/O variables). The value is overwritten (set) only once, at the beginning of the task execution cycle; afterwards, the variable is processed normally. Thus, the new value of the variable remains until a write access to it is performed within the application. Forcing is only possible for variables connected to process data items (I/O variables). Forcing means setting the I/O variable to the force value, regardless of the logic of the I/O image, until forcing is manually reset.

NOTE: Generally, forcing is performed once per cycle. Inputs are forced at the beginning of a cycle before processing the input variable. This way, the Safety Logic Controller application uses the forced value. Outputs are forced at the end of a cycle. The variable value processed by the application is finally replaced by the forced value in the output image.
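
The overwrite and force semantics described above, as an added Python model that is not the product's code; the constructed task has one input, two memory variables and one output, and its variable names and logic are assumptions made for this example:

```python
# Constructed toy safety task (not the page's project): the variable names and the
# logic below are assumptions made for this example.
INPUTS, MEMORY, OUTPUTS = {"in_start"}, {"mem_copy", "mem_enable"}, {"out_motor"}

class DebugSession:
    """Models the forcing/overwriting order described in the text: inputs are forced
    before the logic runs, outputs after it, and an overwrite is applied only once."""

    def __init__(self, image):
        self.image = dict(image)        # I/O image as stored at the end of a cycle
        self.forces = {}                # name -> force value, persists until reset
        self.pending_overwrites = {}    # name -> value, consumed by the next cycle

    def force(self, name, value):
        if name not in INPUTS | OUTPUTS:
            raise ValueError(f"{name}: forcing is only possible for I/O variables")
        self.forces[name] = value

    def reset_force(self, name):
        self.forces.pop(name, None)     # "Reset force" in the Debug dialog

    def overwrite(self, name, value):
        if name not in MEMORY:
            raise ValueError(f"{name}: overwriting is only possible for memory variables")
        self.pending_overwrites[name] = value

    def run_cycle(self, physical_inputs):
        img = self.image
        img.update(physical_inputs)                   # read the real input signals
        for name in INPUTS.intersection(self.forces):  # 1. inputs are forced first
            img[name] = self.forces[name]
        for name, value in self.pending_overwrites.items():
            img[name] = value                         # 2. overwrite once, at cycle start
        self.pending_overwrites.clear()
        # 3. application logic: the write access to mem_copy discards any overwrite of it
        img["mem_copy"] = img["in_start"]
        img["out_motor"] = img["mem_enable"] and img["mem_copy"]
        for name in OUTPUTS.intersection(self.forces): # 4. outputs are forced last
            img[name] = self.forces[name]
        return dict(img)
```

Run cycle by cycle, an overwritten mem_enable persists because the logic never writes it, while an overwritten mem_copy is lost within the same cycle; a forced in_start or out_motor stays forced until reset_force is called.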
 WARNING
UNINTENDED EQUIPMENT OPERATION
  • Ensure that suitable organizational measures (according to applicable sector standards) have been taken to avoid hazardous situations if the safety logic application operates in an unintended or incorrect way, or an incorrect target for debugging was selected.
  • Verify the impact of forcing or overwriting variables or using the single cycle operation prior to their use.
  • Do not enter the zone of operation while the machine is operating.
  • Ensure that no other persons can access the zone of operation while the machine is operating.
  • Observe the regulations given by relevant sector standards while the machine is running in any other operating mode than "operational".
  • Use appropriate safety interlocks where personnel and/or equipment hazards exist.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
 WARNING
UNINTENDED EQUIPMENT OPERATION
  • You must have a thorough understanding of how forcing will affect the outputs relative to the tasks being executed.
  • Do not attempt to force I/O that is contained in tasks that you are not certain will be executed in a timely manner, unless your intent is for the forcing to take effect at the next execution of the task whenever that may be.
  • If you force an output and there is no apparent effect on the physical output, do not exit EcoStruxure Machine Expert - Safety without removing the forcing.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

Forcing/overwriting a variable in graphical FBD/LD code:

Step 1: Click the SafePLC icon on the toolbar and log on to the SLC. See section Downloading and Starting the Safety Application for details.

Step 2: In the control dialog, click the Debug button.

Step 3: Observe the message that appears and confirm the dialog within 30 seconds.

Step 4: Open the worksheet to be debugged in variable status by clicking the Variable status icon on the toolbar or pressing F10.

Step 5: Double-click the variable to be forced or overwritten.

Result: The Debug dialog appears.

Step 6: In the Debug dialog, enter the desired value for a non-Boolean variable or select TRUE or FALSE for a Boolean variable.

Step 7: Click Force or Overwrite depending on the desired operation and variable type.

Result: The forcing/overwriting is applied as described at the beginning of this section. Forced variables are shown on a pink background.

Unforcing variables:

Step 1: Select Debug dialog... from the context menu of the variable (in variable status).

Result: The Debug dialog appears.

Step 2: Click Reset force to unforce the selected variable.

Click Reset force list to unforce each forced variable.

In debug mode, Machine Expert - Safety provides an additional debug function referred to as single cycle operation. In single cycle operation, the Safety Logic Controller interrupts the continuous cyclic processing.

Refer to Debugging: Forcing, Overwriting, Single Cycle Operations in the EcoStruxure Machine Expert - Safety - User Guide for details on forcing/overwriting and single cycle mode.