M580 Safety Configuration

Chapter 6 - Safety Programming Software 241 WHAT IS ECOSTRUXURE™ CONTROL EXPERT V15 FOR SAFETY? EcoStruxure™ Control Expert V15 for Safety is a software programming tool for 6 specialised hardware platforms: EcoStruxure™ Modicon MC80, M340, M580, Quantum, Unity Momentum and Premium programmable logic controller ranges. A programming tool that meets requirements addressed by the IEC61508 for safety applications. It is part of the certification but not part of the safety loop, which means it is not involved when the controller is running and controlling parts of the safety function. With EcoStruxure™ Control Expert V15 for Safety comes everything needed to program a complete control and safety automation system for its entire life cycle from design, through debugging, operation, and maintenance. The standard IEC61131-3 languages are supported in both control and safety programming in EcoStruxure™ Control Expert V15 for Safety with all debugging functions, either on the simulator or directly online with the programmable controller. Thanks to symbolic variables independent of memory, structured data and user function blocks, application objects are a direct reflection of the automated process application components. EcoStruxure™ Control Expert V15 for Safety operator screens are user- configured in the application from graphic libraries. Operator accesses are simple and direct. REQUIREMENTS The EcoStruxure™ Control Expert V15 for Safety (with a Safety Add-On pack) is available with ➢ L version for the BMEx582040S ➢ XL version for all the BMEx58x040S A bundle software package with XL + Safety is also available. In addition, the Safety ePAC system uses FDT/DTM Technologies, which means that the correct DTMs must be installed and available inside the EcoStruxure™ Control Expert V15 for Safety Catalogue. Note: The EcoStruxure™ Control Expert V15 for Safety DOES NOT allow programming of Modicon Quantum SIL 3 Safety controllers; have to use former Unity Pro XLS Version 7.0). Configuration Training

242 Chapter 6 - Safety Programming Software ECOSTRUXURE™ CONTROL EXPERT V15 FOR SAFETY PROJECT BROWSER The Project Browser allows the contents of a EcoStruxure™ Control Expert V15 for Safety project to be displayed and to move around its various elements. Process and Safety applications are now within one Project Browser. Hardware Configuration ➢ CPU & I/O Modules ➢ User DFB and DDT creation ➢ Global Memory Area ➢ Variables & FB instances for Project Application Process area ➢ Variables & FB instances ➢ Process Logics - Master task with Sections & Subroutines ➢ Timers & I/O Events ➢ Process Animation Tables Safety area ➢ Variables & FB instances ➢ Safety Logics - Safe task with Sections only ➢ Safety Animation Tables Common area ➢ Animation Tables - For both Process & Safety Data ➢ Operator Screens - For both Process & Safety display Modicon M580 Safety

Chapter 6 - Safety Programming Software 243 APPLICATION PROGRAM STRUCTURE EcoStruxure™ Control Expert V15 for Safety is part of the certification, but not part of the safety loop. The control and safety program logics are running in the same controller using same engineering tool, communicating on the same network. The IEC61131-3 languages are supported in 2 programming tasks: Program-PROCESS folder: ➢ MAST Task (cyclic or periodic): o Function Block Diagram - FBD o Ladder Diagram - LD o Sequential Function Chart - SFC o Instruction List - IL o Structured Text - ST o Ladder Logic 984 - LL984 (non-IEC standard) Program-SAFE folder: ➢ SAFE Task (periodic): o Function Block Diagram - FBD o Ladder Diagram - LD EcoStruxure™ Control Expert V15 for Safety is part of the certification because it's responsible to generate the (doubled) code that is executed on the Safety ePAC controller. The technical specification in this area had to be approved by TÜV and also the verification of these functions are controlled by TÜV. But the emphasis of TÜV is more on the runtime system. Because of this, all further releases or patches of EcoStruxure™ Control Expert V15 for Safety have to be re-certified by TÜV. Schneider Electric has to create a list with all the changes of the software and an impact analysis of the changes. If the changes are only on non-safety related parts of the system, then the re-certification will be easy. If we want to make changes to the safety relevant part (software or firmware) we have to follow all requirements of the standard (as we have done for the current development). TÜV will add the new EcoStruxure™ Control Expert V15 for Safety version to the certification (the certification will contain a list of all modules with the hardware and firmware revision, the programming software revision, etc). Note: Programming language Ladder Logic 984 (LL984) is NOT supported in SAFE task. The programming tool itself is NOT part of the safety loop. Configuration Training

244 Chapter 6 - Safety Programming Software PROGRAMMING TASKS CHARACTERISTICS The below table shows the main characteristics of all the tasks: Execution Type Duration Watchdog Application Default (ms) Default (ms) Safety SAFE Periodic 20 250 Process MAST 20 250 Process FAST Cyclic or Periodic 5 100 Process AUX 0 100 2000 Process AUX 1 Periodic 200 2000 Process I/O Event - Periodic - Process Timer Event - Periodic - Event (128 max. from 0 to 127) Event (32 max. from 0 to 31) The following tasks are supported in Safety ePAC controller: ➢ Safe (Safe task) is a periodic task used for the safety part of the application mandatory for Safety ePAC. ➢ Mast (master task) is a mandatory cyclic or periodic task depending on user configuration used for the process control part of the application. ➢ Fast, Aux 0 and Aux 1 are optional and periodic tasks used for the process control part of the application. ➢ I/O event and Timer event are optional and only usable for local I/O (not for Remote I/O) in the scope of the process control part of the application. Modicon M580 Safety

Chapter 6 - Safety Programming Software 245 PROCESS PROGRAMMING - MAST TASK The master (MAST) task represents the main task for the process control application program. Its program memory is physically different and separated from the safety program memory. The available type of execution is selectable, either Cyclic or Periodic. The master task is made up of sections and subroutines programmed using the following programming languages: ➢ Ladder Diagram – LD ➢ Function Block Diagram – FBD ➢ Instruction List – IL ➢ Structure Text – ST ➢ Sequential Function Chart – SFC ➢ Ladder Logic 984 - LL984 (only allowed in the master task) SAFETY PROGRAMMING - SAFE TASK The safety (SAFE) task represents the main task for the safety application program. The safety program memory is physically different and separated from the master (MAST) task program memory. The type of execution is Periodic only. (Adjustable; default = 20 ms) The safety task is made up of sections only and two type of IEC programming languages are available: ➢ Ladder Diagram – LD ➢ Function Block Diagram – FBD A power cycle (ON to OFF to ON) on the Safety ePAC will perform a COLD restart on the SAFE task. Note: Programming language Ladder Logic 984 (LL984) is NOT supported in SAFE task. Configuration Training

246 Chapter 6 - Safety Programming Software Activity 11 - PROJECT DESCRIPTION In this activity: • Understand the operation & requirements of a simple Reactor. • Identify the BPCS & SIS operational requirements. 3. ONLY FOR TRAINING PURPOSES The following hands-on example is just given as a training exercise example and must not be used or referred in a real case. Failure to follow these instructions can result in injury or equipment damage. Note: FOR TRAINING PURPOSE ONLY: The following diagrams are intended to be a representation and should not be viewed as an actual process flow diagram. 1. Operation of the Process Reactor In this following hands-on example, we will consider as a target process reactor, which is illustrated by the drawing as below: As seen from the above diagram, the Temperature Transmitters (TT1, TT2 & TT3) report temperature measurement given by the temperature sensor located in the vessel. TT1 measurement is forwarded to a Safety Controller while TT2 and TT3 are linked to a Process Controller, BPCS. The BPCS plays on a Valve (FV 10) controlling the steam flow admission in the vessel’s jacket. The Safety Valves, SV 11 and SV 12, are used as part of the Safety Functions (SIF) to cut off the steam flow in case of faults. Steam flow will influence the temperature inside the vessel and consequently the pressure inside this Vessel. Modicon M580 Safety

Chapter 6 - Safety Programming Software 247 2. Basic Process Control System (BPCS) a. The BPCS has a control loop that adjusts steam input to the reactor jacket based on temperature in the reactor. The BPCS would shut off steam to the reactor jacket if the reactor temperature is above setpoint. b. Since shutting off steam is sufficient to prevent high pressure, the BPCS is a protection layer. 3. SIS Implementation a. Assume that a hazard and risk analysis has been done and a Safety Integrity Level (SIL) is determined by the risk reduction associated with a particular Safety Instrumented Function (SIF). b. A proposed SIS is added, as shown in previous diagram, as another protection layer to increase the safety level (SIL). 4. BPCS operation indications a. In case temperature, TT2 or TT3, in the reactor exceed HIGH Threshold (110°C), the process logic will stop the steam flow by closing the Valve, FV 10. b. Temperature measurement in the reactor will be done using a PT100 probe and a 4-20 mA Transmitter. c. When the temperature is below 100°C, the Valve, FV 10, will automatically open to allow the steam to flow into the vessel. 5. SIS operation indications a. In case temperature, TT1, in the reactor exceed HIGH-HIGH Threshold (125°C) for 3 seconds, the Safety Function will have to close the safety shutdown valves, SV 11 & SV 12. preventing the steam flowing into the vessel. b. The safety valve demand state is to \"De-energized to Close\". c. Temperature measurement in the reactor will be done using a PT100 probe and a 4-20 mA Transmitter. d. Safety Function will grant a manual acknowledge, provided reactor's temperature is below 110°C. Note: FOR TRAINING PURPOSE ONLY: Assume temperature sensors, TT1, TT2 and TT3 are the same temperature transmitter connected to channel 0 of Safety Analog Input module on the training rack. A potentiometer is used to simulate a 4 to 20 mA signal. Configuration Training

248 Chapter 6 - Safety Programming Software Activity 12 - SAFETY LOGIC CREATION In this activity: • Create simple program logic in MAST task • Create simple safety logic in SAFE task • Integrate Safety Function and Process Logic into same controller. 4. Note: Use system Default variable names and variables names declared in this training manual. These variables are used in the operator screen when you import the file. 1. Create simple control logic in MAST task a. From the Project Browser, open the branch Program-PROCESS » Tasks » MAST » Logic b. Right-click Logic and select New Section ... from the menu. Hints & Tips To see only the PROCESS area, right-click on the \"Program-PROCESS\" and select menu \"Zoom in\". Select \"Zoom out\" will back to structural view of the current project. c. Create a new process logic section: Name: Control_FV10 Language: FBD Modicon M580 Safety

Chapter 6 - Safety Programming Software 249 d. Enter the following logic for this exercise: Note above variable \"FV10\" is an alias name from module BMX DDM 16022 output channel 16 on the training rack. Variables TT2 & TT3 are temporary unlocated variables and will be assigned with an analog input channel 0 later in the exercise. The above logic will select the maximum temperature value coming from the temperature transmitter, TT2 & TT3. Simulate manually both TT2 & TT3 via animation table or an operator screen. If the reactor exceed 110°C, the logic will close the Valve, FV 10. When the temperature is below 100°C, the Valve, FV 10, will automatically open to allow the steam to flow. e. Build, Connect, Transfer and Test the application. f. Rectify any error(s). g. Save the application. 2. Create simple safety logic in SAFE task a. From the Project Browser, open the branch Program-SAFE » Tasks » SAFE » Sections b. Right-click Sections and select New Section ... from the menu. Configuration Training

250 Chapter 6 - Safety Programming Software Hints & Tips To see only the SAFE area, right-click on the \"Program-SAFE\" and select menu \"Zoom in\". Select \"Zoom out\" will back to structural view of the current project. c. Create a new safety logic section: Name: Control_SV Language: FBD d. Enter the following logic for this exercise: Note variables SV11_V1, SV11_V2, SV12_V1, SV12_V2 are alias name from Safety Relay Output module. Wiring are already done to achieve PLe / CAT 4 certification. Safety Valve, SV11, is assigned to channel 0 and 1 (variables: SV11_V1 & SV11_V2) Safety Valve ,SV12, is assigned to Channel 2 and 3 (variables: SV12_V1 & SV12_V2) Variable \"Temp_in_C\" is taken from Exercise - Safety Analog Input Module (page 231). The above safety logic will monitor the temperature value coming from the safety temperature transmitter, TT1. If the reactor exceeds 125°C for over 3 seconds, the Safety Function will shutdown both Safety Valves, SV11 & SV12, preventing further steam flowing into the vessel. Modicon M580 Safety

Chapter 6 - Safety Programming Software 251 e. Build, Connect, Transfer and Test the application. f. Rectify any error(s) g. Save the application. Configuration Training

252 Chapter 6 - Safety Programming Software Activity 13 - PROCESS & SAFETY TRANSFER In this activity: • Learn how to transfer data from Safety to Process area • Learn how to transfer data from Process to Safety area 5. 1. Declare a data structure to be used as interfacing variables a. Open previously created application. From Project Browser, double-click Derived Data Types folder. b. Declare a new DDT, Reactor_System, as shown below: c. Assign a new variable, Reactor_01, of data type Reactor_System 2. Configure variable to transfer out from Safety area a. From the Project Browser, under the branch Program-SAFE, open Variables & FB Instances. Hints & Tips To see only the SAFE area, right-click on the \"Program-SAFE\" and select menu \"Zoom in\". Select \"Zoom out\" will back to structural view of the current project. b. Click on Interface tab of the Safe Data Editor. c. Create an output interface connector with variable called Safety_Temp of data type REAL. Modicon M580 Safety

Chapter 6 - Safety Programming Software 253 d. From the \"Effective Parameter\" column, associate and link this variable to the \"Exchange\" variable: Reactor_01.Temperature. Variable, Safety_Temp, in Safety memory area is now linked to variable, Reactor_01.Temperature. 3. Modify safety logic to move data to the output interface's variable a. From the Project Browser, open the branch Program-SAFE » Tasks » SAFE » Sections. b. Open program section, Control_SV (previously created in Exercise - Safety Logic Creation (page Error! Bookmark not defined.)). c. For this exercise, modify the safety logic section, Control_SV, by adding a S_MOVE block as shown below: This additional logic will assign output Interface's variable, Safety_Temp, to variable Temp_in_C which reside in Safety memory area. Configuration Training

254 Chapter 6 - Safety Programming Software 4. Configure variable to receive and transfer into Process area a. From the Project Browser, under the branch Program-PROCESS, open Variables & FB Instances. Hints & Tips To see only the PROCESS area, right-click on the \"Program-PROCESS\" and select menu \"Zoom in\". Select \"Zoom out\" will back to structural view of the current project. b. Click the Interface tab of the Process Data Editor. c. Create an input interface with variable STemp of data type REAL d. From the \"Effective Parameter\" column, associate and link to variable: Reactor_01.Temperature. Variable, STemp, in Process memory area is now linked to variable, Reactor_01.Temperature, in the Exchange Memory area. This result in variables STemp (Process area) = Safety_Temp (Safety area). Modicon M580 Safety

Chapter 6 - Safety Programming Software 255 5. Modify process logic to receive data from input interface's variable a. From the Project Browser, open the branch Program-PROCESS » Tasks » MAST » Sections. b. Open program section, Control_FV10 (previously created in Activity - Safety Logic Creation). c. For this exercise, modify the process logic section, Control_FV10, by adding two REAL_TO_INT blocks as shown below: As a training example, variables TT2 & TT3 will take the value coming from the Safety Analog Input module, simulated by a potentiometer on the training rack. This demonstrates that variables from Safety Memory area can be transferred to Process Memory area. 6. Connect, Transfer and Test the application a. From EcoStruxure™ Control Expert V15 for Safety, Build, Connect and Transfer the application. b. Test the program logic Control_FV10. c. Turn the potentiometer to simulate the temperature. d. If the reactor exceed 110°C, the logic will close the valve, FV 10. When the temperature is below 100°C, the valve, FV 10, will automatically open to allow the steam to flow into the vessel. e. Rectify any error(s). f. Save the application. Configuration Training

256 Chapter 6 - Safety Programming Software 7. Configure variable to transfer out from Process area a. From the Project Browser, under the branch Program-PROCESS, open Variables & FB Instances. b. Click the Interface tab of the Process Data Editor. c. Create an output interface variable called Override with Data Type BOOL. d. From the \"Effective Parameter\" column, associate and link to variable: Reactor_01.Manual_Override. Variable, Override, in Process area is now linked to variable, Reactor_01.Manual_Override, in the Exchange Memory area. 8. Configure variable to transfer into Safety area a. From the Project Browser, under the branch Program-SAFE, open Variables & FB Instances. b. Click the Interface tab of the Safety Data Editor. c. Create an input interface variable called PB_Override with Data Type BOOL. d. From the \"Effective Parameter\" column, associate and link to variable: Reactor_01.Manual_override. Safety variable, PB_Override, in Safety area is now linked to variable, Reactor_01.Manual_Override, in the Exchange Memory area. This result in variables PB_Override (Safety area) = Override (Process area). Modicon M580 Safety

Chapter 6 - Safety Programming Software 257 9. Modify safety logic to receive input variable from Process area a. From the Project Browser, open the branch Program-SAFE » Tasks » SAFE » Sections. b. Open program section, Control_SV. c. For this exercise, modify the safety logic section, Control_SV, by adding S_OR_BOOL block as shown below: An additional OR logic above will give a manual override signal, from an HMI in the Process area, to all of the safety valves, SV11 & SV12. 10. Connect, Transfer and Test the application a. From EcoStruxure™ Control Expert V15 for Safety, Build, Connect and Transfer the application. b. Test the program logic Control_SV. c. Turn the potentiometer to simulate the temperature. d. If the reactor exceeds HIGH-HIGH of 125°C for 3 seconds, the Safety Function logic will close valves, SV11 & SV12, preventing the steam flowing into the vessel. Note that safety valves demand state are to \"De- energized to Close\". e. Test the HMI PB_Override signal by creating a toggle button in EcoStruxure™ Control Expert V15 for Safety Operator Screen to manually override the control of the valves SV11 & SV12. f. Rectify any error(s). g. Save the application. Configuration Training

258 Chapter 6 - Safety Programming Software 11. Create a simple operator screen for the Process Reactor a. From EcoStruxure™ Control Expert V15 for Safety, create a simple operator screen (or import file \"Process Reactor.XCR\" and \"Message_Lists.XCR\", provided by your Instructor) to control and monitor the Process Reactor. b. Test the overall application by connecting it to the training rack. c. Rectify any error(s). d. When done, Save the application. Modicon M580 Safety

Chapter 6 - Safety Programming Software 259 SAFE PEER-TO-PEER COMMUNICATION WHY NEED PLC TO PLC COMMUNICATION? There are often customer requirements to send safety related data over communications links. In order to save time and costs in the long-term regarding the life cycle of a facility, the number and variation of the components and bus systems employed must be reduced. At the same time, the requirement automatically arises for the transference of safe and non-safe data via a collective standard network. A safe network will allows the safety PLC to communicate with each other and provides a robust and safe means of sending safety related data over long distances using the communications medium that best suits the applications and budget. COMMUNICATION WITH SAFETY EPAC The Safety ePAC is able to communicate with other controllers using the following kinds of communication, categorized as non-interfering: ➢ Modbus TCP o On service port of CPU ▪ Act as Modbus TCP server ▪ Features implemented on OFS v3.5 and higher are also supported on the Ethernet port connected to control network o Ethernet module, BME NOC 03x1, Type 1 non-interfering module, are used to transfer/forward safety messages (BLACK CHANNEL messages) and are not Safety related o Safe Peer-to-Peer communication with S_WR_ETH_MX / S_RD_ETH_MX (for CPU FW ≤ 3.10) and S_WR_ETH_MX2 / S_RD_ETH_MX2 (for CPU FW ≥ 3.20) DFB function blocks; allowed mixing of safety and non-safety related data without impact on the integrity level of the safety related data (this will be discussed later in this chapter) ➢ EtherNet/IP o On service port of CPU o Ethernet module, BME NOC 03x1, Type 1 non-interfering module o Act both as Server and Client for CIP Explicit messaging and Modbus TCP messaging Note: This communication part may be part of a safety loop but, in this case, it carries only data protected by a BLACK CHANNEL. There is no limits in the number of Safety ePACs used; Only limitation in the module's Ethernet port communication bandwidth. The safe peer-to-peer communication is also possible between a Modicon Quantum Safety PLC and a M580 Safety ePAC with CPU firmware 3.10 or earlier. Configuration Training

260 Chapter 6 - Safety Programming Software SAFE ETHERNET PAC TO PAC COMMUNICATION By implementing a specific configuration, peer-to-peer communication is possible with Ethernet technology to perform a safety function with SIL 3 level. This specific Safe Peer-to-Peer Ethernet communication is based on a \"BLACK CHANNEL\". The protocol checks or manages detected errors such as detected transmission errors, omissions, insertions, wrong order, delays, incorrect addresses and masquerade bits and retransmissions. This Safe Peer-to-Peer Ethernet communication is possible: ➢ Between Safety ePACs ➢ On Ethernet module, BME NOC 03x1 (Type 1 non-interfering module) ➢ With synchronized time base periodically updated from the time received from an NTP server BLACK CHANNEL WITHIN MODBUS TCP FOR SAFETY The Modbus TCP protocols will use a \"BLACK CHANNEL\" approach in which the new safety functionality is built on top of the existing protocol without the safety protocol knowing it and therefore the safety protocol is being kept \"in the dark\" or \"black\". The safety layer is essentially built into the network and exists between the communication stack and the application according to the IEC 62280-1 standard. The safety layer of the black channel approach handles all the safety related applications and requirements. With the BLACK CHANNEL concept, end users can even connect non-safety devices to the safety network because the protection layers are built in to the network. Everything can share a common network and costs are greatly reduced. If these design and installation practices had needed to change as well, this could have added additional risk to the safety process - the exact opposite of the desired result. Some additional benefits of using a BLACK CHANNEL approach are improvements in the reliability and availability of the overall communications structure, and these improvements will impact all Modbus TCP/IP systems. The \"BLACK CHANNEL\" indicates that fail-safe communication is independent of the bus system and the underlying network components. IEC 62280-1:2002 This part of IEC 62280 is applicable to safety-related electronic systems using a closed transmission system for communication purposes. It gives the basic requirements needed in order to achieve safety-related communication between safety-related equipment connected to the transmission system. This standard is applicable to the safety requirement specification and design of the communication system in order to obtain the assigned safety integrity level (SIL). Modicon M580 Safety

Chapter 6 - Safety Programming Software 261 PEER-TO-PEER STANDALONE CONFIGURATION The following is an example of a safety standalone communication between two Safety ePACs, consisting of: ➢ Two standalone safety configurations ➢ With two standard type 1 non-interfering Ethernet modules, BME NOC 03x1 ➢ Communicating through a \"BLACK CHANNEL\" on an Ethernet link ➢ Integrating into an existing Ethernet networks Below shows the functional overview: Configuration Training

262 Chapter 6 - Safety Programming Software BLACK CHANNEL IN I/O COMMUNICATION The communication between the CPU and the I/O modules via the backplane and the remote I/O drops are considered as using a \"BLACK CHANNEL\". The consequence for the safety application is that there is no probability of dangerous failure to be considered for all involved modules and components. The exchange between safety I/O modules and Safety ePAC includes \"consistency\" data in addition to functional data. Safety I/O modules can be either configured in the local drop and/or in the remote I/O drop. All drops (local and remote with Safety I/Os) are treated as Safety drops. The communication between the CPU and I/Os has no impact on the PFD and PFH evaluations. Here are the rules in Safety ePAC configuration: ➢ On a safety rack: only Safety SIL compliant and type 1 non-interfering modules are allowed (Type of Non-interfering Modules (page 139)) ➢ Remote I/O drop is allowed as safety rack ➢ Extension racks are allowed ➢ Local I/O network supports up to 8 racks ➢ Each Remote I/O drop network can only allowed one extension rack ➢ Premium racks extension are NOT supported ➢ The Safety ePAC CPU, with firmware ≤ 3.10, must configured as either an NTP Server or an NTP Client in order for the Safety I/O modules on Remote I/O rack to work correctly. The CPU real-time clock has to be updated for the NTP service to sync with the CRA module. ➢ The Safety ePAC CPU, with firmware ≥ 3.20, uses “monotonic” time clock and does not need NTP service, but need BM*CRA31210 to be upgraded with firmware ≥ 2.60. Modicon M580 Safety

Chapter 6 - Safety Programming Software 263 HOW THE BLACK CHANNEL WORKS? The BLACK CHANNEL is based on management of some specific data : ➢ Some CRC32 bits are calculated by the master (ePAC which publishes the data), and transmitted to slave (ePAC which receives the data throughout I/O Scanner or Global data service). The slave checks the CRC before using the data. ➢ A specific ID of the communication is defined and is used to encode into the CRCs but not transmitted into the data. As a consequence, the data will be decoded as safe only if both master and slave have the same ID value. It allows the system to prevent against mascaraed/insertion of message. ➢ A time stamp number is added to the data transmitted. This time stamp contains a time in ms. This time is calculated and based on the NTP service or from the “monotonic” time clock that is available on M580 configuration. By this way, both CPUs (master and slave) are time synchronized. The data producer CPU introduces the value into the data sent to the slave. The slave, by checking and comparing the received time stamp with its own time value, is able to: o Checks the “aging” of the safe data o Avoids double read-outs o Determines the chronological sequence of different packets o Determines how long the consumer has not received any new safe data packet. A monotonic clock is a time source that won't ever jump forward or backward (due to NTP or Daylight Savings Time updates). Monotonic uses Thomas Habets's cross platform \"monotonic clock\" library under the hood. All the checks and all the calculation to perform the BLACK CHANNEL are provided by DFBs (one for Master CPU (S_WR_ETH_MX*) and one for Slave CPU (S_RD_ETH_MX*) and so are double executed in safe task. Note: The S_WR_ETH_MX* DFB function block has to be called at each cycle in the “Safe” task after all of the modifications of the data by the application. That is to say that the data to be sent mustn't be modified by the user in the safe cycle after the execution of the DFB. The S_RD_ETH_MX* DFB function block must be called at each cycle in the Slave ePAC safe task application and must be executed before the data usage in the cycle. Configuration Training

264 Chapter 6 - Safety Programming Software NTP TIME SYNCHRONIZATION AND TIME STAMPS The Safety ePAC CPU can be configured as an NTP server or an NTP client in the EcoStruxure™ Control Expert V15 for Safety from the NTP tab. The NTP service has these features: ➢ A periodic time correction is obtained from the reference-standard time server. ➢ There is an automatic switchover to a backup (secondary) time server if an error is detected with the normal time server system. ➢ Controller projects use a function block to read the accurate clock, allowing project events or variables to be time stamped. When the PAC is configured as an NTP server, it can synchronize client clocks (such as the CRA EIO adapter modules). The CPU's internal clock is then used as reference clock for NTP services. When the PAC is configured as an NTP client, the network time service (SNTP) synchronizes the clock in the CPU to that of the time server. The synchronized value is used to update the clock in the CPU. Typical time service configurations utilize redundant servers and diverse network paths to achieve high accuracy and reliability. Action-Result 1. NTP Client requests a time synchronization signal from an NTP server. (Request is sent over an Ethernet network.)-NTP Server responds with a signal. 2. NTP Client stores the time.- 3. NTP Client sends a message to the controller’s clock system counter.-The controller updates its internal clock with the following granularity: • 1 ms Note: When only BMX/BME CRA31200 modules are configured as NTP clients, the accuracy of this server allows time discrimination of 20 ms. All BMX/BME CRA31200 modules in the network have the same client configuration. Modicon M580 Safety

Chapter 6 - Safety Programming Software 265 SAFETY TIME SYNCHRONIZATION WITH NTP SERVICE The Safe Ethernet PAC to PAC communication needs a synchronization of the time base of both ePACs (Master & Slave). The user has to configure the NTP service on each Slave and Master ePAC. Each Master and Slave has to be connected to the same NTP server. It is possible to configure two redundant NTP servers. In case the connection on one fails, it will automatically connect to the other NTP server. Both servers have to be synchronized and display the same time value. Below shows the synchronization principle of the time base: The operating system of the CPU updates each cycle of the system words (%SW36 to %SW38) which contains a time used by the safe communication as a time base. This time is internally filtered to avoid \"jump\" and forbid some fugitive bad values received from the NTP server. The system word, %SW39, allows to diagnose the health status of the time, taken into account by the DFBs used in the user program that implement the Safe Peer-to-Peer communication. Configuration Training

266 Chapter 6 - Safety Programming Software NTP TIME CONSISTENCY & SYSTEM WORDS The following table describes system words, %SW36 to %SW38: %SW36-NTP number of seconds (LSB)-Contains the number of seconds passed since January 1, 1980, at 00:00. (LSB part). This counter is refreshed internally between two NTP synchronization. As long as the first accurate NTP time is not received, the counter keeps the value 0. %SW37-NTP number of seconds (MSB)-Contains the number of seconds passed since January 1, 1980, at 00:00. (MSB part). This counter is refreshed internally between two NTP synchronization. As long as the first accurate NTP time is not received, the counter keeps the value 0. %SW38-NTP milli- seconds-Contains the number of milliseconds to add to the NTP number of seconds. This counter is refreshed internally between two NTP synchronization. As long as the first accurate NTP time is not received, the counter keeps the value 0. NTP server time consistency: ➢ If the NTP server time is consistent with the internal PAC time in %SW36 to %SW38 with less than 2 seconds difference, then the time value in %SW36 to %SW38 is updated with the last NTP server time received filtered with a slope of 1ms per second. ➢ If the NTP server time received differs from the internal PAC time in %SW36 to %SW38 by more than 2 seconds, then the last NTP server time received is ignored by the PAC, the time value in %SW36 to %SW38 is refreshed internally and the bit %SW39.2 is set to 1 to warn the user. LOSS OF TIME SYNCHRONIZATION Do not change the NTP server time during operation. Failure to follow these instructions can result in injury or equipment damage. Modicon M580 Safety

Chapter 6 - Safety Programming Software 267 In order to have the NTP server time being taken into account by the PLC, one of the following actions can be done: ➢ Reinitialize the application by a cold start. ➢ Download the application. ➢ Restart the PLC. ➢ Set the system bit %SW39.8 to 1. In this case, the CPU will accept the next NTP server time received without filtering (1ms/s) and without consistency check. After the next NTP server time is received, the %SW39.8 bit is automatically reset to 0 by the controller. Note: If the system bit %SW39.8 is set to 1, both master and slave ePACs' time base can desynchronized and there is a risk that the safe peer-to-peer communication fails (S_RD_ETH DFB health output parameter set to 0). LOSS OF TIME SYNCHRONIZATION Do not set the system bit %SW39.8 to 1 continuously during operation. Failure to follow these instructions can result in injury or equipment damage. Configuration Training

268 Chapter 6 - Safety Programming Software The following describes the system word, %SW39: ➢ %SW39-Status of the NTP timestamp in ms-%SW39.0 (managed by the controller): ➢ -= 0, the time value is not available, or the time has not been updated within last 2 minutes. ➢ -= 1, the time value is available, or the time has been updated within last 2 minutes. ➢ %SW39.1 (managed by the 140 NOE 771 11 status): ➢ -= 0, the NTP server time value is not available. ➢ -= 1, the updated time value is received from the NTP server and has been sent to the module (at least once). ➢ %SW39.2 (managed by the CPU): ➢ -= 0, the time value in %SW36 to %SW38 words differs from the last NTP server time received by more than 2 seconds. The last NTP server time received has been ignored. ➢ -= 1, the time value in %SW36 to %SW38 words are consistent with the last NTP server time received (less than 2 seconds difference). The time value in %SW36 to %SW38 words is filtered with a slope of 1ms/s to reach the last NTP server time received. ➢ %SW39.3 to %SW39.7: not used. ➢ %SW39.8 (control that can be set by the application): ➢ -= 0, no action. ➢ -= 1,. When set to 1, the CPU will accept the next NTP server time received without filtering (1 ms/s) and without consistency check (difference between time value in %SW36 to %SW38 words and NTP server time). After the next NTP server time is received, the %SW39.8 bit is automatically reset to 0 by the controller. ➢ %SW39.9 to %SW39.15: not used. Modicon M580 Safety

Chapter 6 - Safety Programming Software 269 SETTING UP NTP TIME SERVICE Setup and configure the NTP service parameters in the EcoStruxure™ Control Expert V15 for Safety NTP tab as shown below: Use the pull-down menu in the NTP field to configure the CPU as an NTP Server or an NTP Client: ➢ Value-Comment Disabled-Default - Both the NTP server and the NTP client services are disabled. NTP Client-Functions as an NTP client. In this case, required to configure the location of the remote NTP Server. NOTE: Enable the NTP client here will automatically enable the NTP client service on all BMX/BME CRA312x0 adapter modules. NTP Server-The Ethernet I/O scanner PAC acts as an NTP server. Note: Enable the NTP server here will automatically enable the NTP client service on all BMX/BME CRA312x0 adapter modules and to configure the BMx/BME CRA312x0 to use the PAC as the NTP server. Assign values to these parameters in the NTP Server Configuration field: ➢ Parameter-Comment Primary NTP Server IP address-IP address of the NTP server, from which the PAC first requests a time value Secondary NTP Server IP address-IP address of the backup NTP server, from which the PAC requests a time value after not receiving a response from the primary NTP server Polling Period-The time (in seconds) between updates from the NTP server. Smaller values typically result in better accuracy. Configuration Training

270 Chapter 6 - Safety Programming Software SAFETY TIME SYNCHRONIZATION WITH MONOTONIC TIME CLOCK A computer or controller has two different clocks system: ➢ The Real-time System Clock ➢ The Monotonic Time Clock The Real-time (wall-clock), the one we all known and that is used to get the current time of the day. This clock is subject to potential variations. For example, if it is synchronized with NTP (Network Time Protocol). In this case after synchronization, the local clock of our server can jump backward or forward in time. So, measuring a duration from the real- time clock can be biased. The second clock is called the Monotonic Clock. Here, we have a guarantee that the time always moves forward and will not be impacted by variations leading to jumps in time. The only change is potential frequency adjustments. Basically, if our server detects that its local quartz is moving faster or slower than the NTP server, it can adjust its clock rate. But again, there's no jump in time with the monotonic clock. A Monotonic Clock is a time source that won't ever jump forward or backward (due to NTP or Daylight Savings Time updates). Monotonic uses Thomas Habets's cross platform \"monotonic clock\" library under the hood. The important aspect of a monotonic time source is NOT the current value, but the guarantee that the time source is strictly linearly increasing, and thus useful for calculating the difference in time between two samplings. SAFETY EPAC WITH CPU FW ≥ 3.20 For Safety ePAC with CPU firmware 3.20 or later, the safe time synchronization is based on an internal and \"monotonic\" time clock. The safe communication does not need an NTP time synchronization: ➢ The CPU is sharing its safe time with all its Local and Remote I/Os ➢ The Remote I/O head communication module, BM•CRA31210, will need a firmware 2.60 or later ➢ For a peer-to-peer communication, CPU are sharing their safety time SAFETY EPAC WITH CPU FW ≤ 3.10 For Safety ePAC with CPU firmware 3.10 or earlier, the NTP service configuration is required to allow a safe communication. Both safe senders and receivers need to be time synchronized using NTP services. The CPU's internal real-time clock must be set and updated to be used as a reference clock for NTP services. Due to using BLACK CHANNEL to synchronize with CRA modules, CPU time MUST be set with correct valid date/time, even if it is configured as an NTP Server or NTP Client. Modicon M580 Safety

Chapter 6 - Safety Programming Software 271 CONCEPTS OF I/O SCANNER The I/O Scanning is an Ethernet service that continuously polls I/O modules to collect data, status, event, and diagnostics information. This process monitors inputs and controls outputs. This is a feature that resides in an Ethernet port of the Safety ePAC and the BME NOC 03x1 Ethernet module. Use I/O scanner to transfer data between network devices. The I/O scan list is a configuration table that identifies the targets to which repetitive communications are authorized. While the controller is running, the Ethernet module transfers data to and from the controller’s registers as indicated by the I/O scan list. I/O Scanner services can be done with EcoStruxure™ Control Expert V15 for Safety programming software. CONFIGURATION OF I/O SCANNING SERVICE The I/O scanning service for safe peer-to-peer communication is used for data transportation of the data from “DATA_SAFE” array (cf S_WR_ETH_MX* output parameter) in the safety memory of the Master ePAC to the data of the “INPUT_DATA” array (cf S_RD_ETH_MX* input parameter) in the Slave ePAC. I/O Scanner service must be configured using EcoStruxure™ Control Expert V15 for Safety programming software. The Ethernet network used for I/O Scanning can be either connected to the Ethernet port of the CPU or to an Ethernet module (BME NOC 03x1). Add a Modbus Device DTM onto the CPU or the Ethernet module from the DTM Browser. In EcoStruxure™ Control Expert V15 for Safety, configure on Master ePAC program the I/O Scanning for safe peer-to-peer communication with taking into account the requirements below: ➢ Configure the data to send in one block with a write request. ➢ Set the “WR length” parameter to 100 (data size is fixed to 100 words). ➢ Set a value in “WR Address” parameter which fit to the source address (in the \"Process\" memory area) of the output parameter “DATA_SAFE” of the S_WR_ETH_MX* function block used on Master ePAC program. ➢ Set a value in “RD Address” parameter which fit to the source address (in the \"Process\" memory area) of the input parameter “INPUT_DATA” of the S_RD_ETH_MX* function block used on Slave ePAC program. ➢ The \"RD Length\" parameter in the Slave ePAC will be set to 100. ➢ Choose a “Repetitive rate” value minor to the Master and Slave cycle time. Configuration Training

272 Chapter 6 - Safety Programming Software SAFE COMMUNICATION WITH CPU FW ≤ 3.10 SAFE PEER-TO-PEER COMMUNICATION (CPU FW ≤ 3.10) The following safe peer-to-peer solution architecture is based on using CPU with firmware ≤ 3.10: ➢ Network Time Protocol (NTP) service for Time Base Synchronization ➢ Execution of two DFBs (S_WR_ETH_MX on the Master ePAC and S_RD_ETH_MX on Slave ePAC) ➢ I/O Scanning service on Ethernet for data transportation (Modbus TCP) Following shows the overview of the configuration necessary to establish the safe communication: Operations in Master CPU: ➢ When DFB S_WR_ETH_MX is executed, time stamped data (from NTP server) and calculated the CRCs (based on data to send, time stamp and ID communication parameters) are added into the \"User & Reserved\" data memory block. Data array to be sent is composed of two kind of variables: ➢ \"User Safety Data” are the safe user data array from index 0 to 99 with data type integer. ➢ \"Reserved Data” are made of CRCs and time-stamp variables which are filled by the DFB at the end of the array, start from index 91 to 99. User should not write anything into this location. ➢ This DFB also manage to transfer the \"User & Reserved\" data memory block into the \"Data Exchange\" memory area via the data Input/Output Interface connection. ➢ An implicit operation is automatic done by transferring data to the Process Data area. Thanks to the \"Effective Parameter\" assignment, data will be associated to the local process variables and ready for I/O scanning over to the Slave CPU. Modicon M580 Safety

Chapter 6 - Safety Programming Software 273 Operations in the Slave CPU: ➢ An implicit operation is done to transfer the received memory block, \"User & Reserved\", from the I/O scanner buffer into the \"Data Exchange\" memory area via the data Input/Output Interface connection. This can be easily done by using \"Effective Parameter\" associating with the local process variable. ➢ With the \"Effective Parameter\" assignment, Data will be associated to the safety memory area via the data Input/Output Interface connection. ➢ When DFB S_RD_ETH_MX is executed, the memory block of data from in the Input/Output Interface area will be copied into the safety Data memory area only if the following conditions are fulfilled: o Checks the CRCs of the last data packet received by I/O scanner (or Data Exchange) in the Input/Output Interface memory area. In case the CRC is not correct, the data are considered as unsafe and will NOT be written into the “safe” memory area. o Checks if the last data packet received in the Input/Output Interface memory area are more recent than the last data written into the “safe” memory area (by checking the time stamp). If it is not the case, the data in the Input/Output Interface memory area are NOT copied into the “safe” memory area. o Check the “age” of data of the “safe” memory area. If the age is higher than a maximum value defined by the user, the data in the “safe” memory area are declared as unsafe and “HEALTH” bit parameter will be set to “0”. ➢ In case the Data are considered as unsafe, all data will be unchanged, and a health bit will be set to \"0\" to declare the values are unsafe. The user will need to manage and treat these Data accordingly. Note: The S_WR_ETH_MX DFB function block has to be called at each cycle in the “Safe” task after all of the modifications of the data by the application. That is to say that the data to be sent must not be modified by the user in the safe cycle after the execution of the DFB. The S_RD_ETH_MX DFB function block must be called at each cycle in the Slave CPU safe task application and must be executed before the data usage in the cycle. Configuration Training

274 Chapter 6 - Safety Programming Software Activity 14 - NTP SERVER CONFIGURATION In this activity: • Setup a local NTP Server for Safe communication between 2 PACs • Learn how to configure the Safety ePAC CPU as the NTP Server. Instructor Note: This Activity is applicable for M580 Safety CPU with firmware ≤ 3.10. 6. UNSTABLE OR LOSS OF TIME SYNCHRONIZATION Server time is inaccurate or unstable, especially if the network uses a Personal Computer as an NTP server. Windows PCs are the most likely to create problems, whereas an industrial dedicated NTP time server is more reliable. Failure to follow these instructions can result in injury or equipment damage. Microsoft® Windows Operating System has an integrated time synchronisation service, installed by default, that can synchronise to an NTP Time Server. Indeed, by manipulating registry settings for the service it can act as both an SNTP client and server to synchronise other network clients. The 'Windows Time' service should be present in the systems service list. The application executable is 'w32time.exe'. The parameter list for w32time can be found in the registry at: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Similar procedure can also be found in Microsoft website: http://support.microsoft.com/kb/314054 In this exercise, the class will work in a group of two training kits and decide which one to be the NTP Server and the NTP Client. Continue this exercise to configure the PAC as NTP Server. For NTP Client, refer to Activity - NTP Client Configuration. Modicon M580 Safety

Chapter 6 - Safety Programming Software 275 1. Configure this Safety ePAC to be the NTP Server a. Double click the embedded Ethernet port of the CPU b. Go to the NTP tab c. Click the pull-down menu in the NTP field and select NTP Server d. When done, Validate the changes. This Safety ePAC will be enabled as NTP server e. Save the application. Configuration Training

276 Chapter 6 - Safety Programming Software Activity 15 - NTP CLIENT CONFIGURATION In this activity: • Setup an NTP Client in Safety ePAC CPU • Configure the NTP Time Service, linking to the previously setup NTP Server - refer to Activity - NTP Server Configuration. Instructor Note: This Activity is applicable for M580 Safety CPU with firmware ≤ 3.10. 7. UNSTABLE OR LOSS OF TIME SYNCHRONIZATION Server time is inaccurate or unstable, especially if the network uses a Personal Computer as an NTP server. Windows PCs are the most likely to create problems, whereas an industrial dedicated NTP time server is more reliable. Failure to follow these instructions can result in injury or equipment damage. Microsoft® Windows Operating System has an integrated time synchronisation service, installed by default, that can synchronise to an NTP Time Server. Indeed, by manipulating registry settings for the service it can act as both an SNTP client and server to synchronise other network clients. The 'Windows Time' service should be present in the systems service list. The application executable is 'w32time.exe'. The parameter list for w32time can be found in the registry at: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Similar procedure can also be found in Microsoft website: http://support.microsoft.com/kb/314054 In this exercise, the class will work in a group of two training kits and decide which one to be the NTP Server and the NTP Client. Continue this exercise to configure the PAC as NTP Server. For NTP Client, refer to Activity - NTP Server Configuration. Modicon M580 Safety

Chapter 6 - Safety Programming Software 277 1. Configure this Safety ePAC to be the NTP Client a. Double click the embedded Ethernet port of the CPU b. Go to the NTP tab c. Click the pull-down menu in the NTP field and select NTP Client d. Enter the Primary NTP Server IP address to be the IP address of the other training kit that was previously setup as the NTP Server. e. When done, Validate the changes. f. Save the application. Configuration Training

278 Chapter 6 - Safety Programming Software S_WR_ETH_MX FUNCTION BLOCK The function block, S_WR_ETH_MX (for CPU FW ≤ 3.10), is executed by a safe task and to be used on a Master ePAC when configuring a safe peer-to-peer communication between two Safety ePAC controllers. Its purpose is to calculate the Cyclic Redundancy Check (CRC) and time stamp value of safety data and insert them into a data array to be sent to the Slave via the IO Scanner service. The main objective of S_WR_ETH_MX DFB are: ➢ To calculate the CRC of the safety data to be sent. ➢ To calculate the time stamp value to be sent. The time stamp is based on a time base reference which is periodically updated with the time received from an NTP server (%SW36 to %SW39 system words). To introduce both the calculated CRC and time stamp information into the end of a data array (Reserved Data zone, index 91 to 99 of the DATA_SAFE array) that to be sent. The S_WR_ETH_MX DFB has to be called at each scan cycle in the Master ePAC. Within the scan cycle, it has to be executed in the logic after all required modifications have been performed on the data to be sent. This means that the data to be sent must not be modified by the user within the scan cycle after the execution of this DFB, otherwise the CRC information used in the reserved data area will not be correct and the safe peer-to-peer communication will fail. The ID parameter has to be assigned with a value which identifies the safe peer-to-peer communication between a Master and a Slave ePAC. Note: The ID value has to be unique and fixed in the network for a coupled Master/Slave ePAC. Modicon M580 Safety

Chapter 6 - Safety Programming Software 279 DESCRIPTION OF S_WR_ETH_MX FUNCTION BLOCK Representation in FBD: Description of the Input/Output parameter: Parameter Data Type Meaning DATA_SAFE ARRAY[0..99] Array of safety data to be sent using the I/O of INT Scanning service (“User safety data”, index 0 to 90 & “Reserved data”, index 91 to 99). These variables have to be defined as a shared Output variables, each with an equivalent global variables using the “Safety Data Interface” tab Description of the input parameter: Parameter Data Type Meaning Communication identifier. The ID value is used to ID INT calculate the CRC and it must be unique and have the same value as the value used by the Slave Description of the output parameter: Parameter Data Type Meaning SYNCHRO_NT BOOL Set to 1 to indicate that NTP time synchronization is P healthy. SYNCHRO_NTP is a logical AND of bits %SW39.0, %SW39.1 and %SW39.2 Configuration Training

280 Chapter 6 - Safety Programming Software DESCRIPTION OF DATA_SAFE ARRAY The DATA_SAFE array of 0 to 99 integers values must be resided inside the safety memory area. If it is not the case, EcoStruxure™ Control Expert V15 for Safety creates an error message and does not generate the user application code. Data_SAFE array size of 100 integers values compose of two zones: ➢ The User Safety Data zone contains the user data. This zone starts at index 0 and finishes at index 90. ➢ The Reserved Data zone is used by the DFB to insert the calculated CRC and time-stamp variables. They are used to check the data integrity contained in the User Safety Data zone. o User must not write into this data zone. o This zone starts at index 91 and end at index 99. Below is the structure of DATA_SAFE array size of 100 Integers: Note: The array “DATA_SAFE [0..99]” will be moved to the Process data area and mapped to located variables for the data to be sent by I/O Scanner service to the receiver station. Refer to Safe Memory Isolation Cells. Modicon M580 Safety

Chapter 6 - Safety Programming Software 281 S_RD_ETH_MX FUNCTION BLOCK The function block, S_RD_ETH_MX (for CPU FW ≤ 3.10), is executed by a safety task and to be used on a Slave ePAC when configuring a safe peer-to-peer communication between two Safety ePAC controllers. Its purpose is to transfer data received from the I/O scanner into the safety memory area and guarantee the validity of the received data. The link between the IO scanner data in located “Process” variables and safety variables (“INPUT_DATA”) is done through the “Safety Data Interface” and “Process Data interface”, refer to Safe Memory Isolation Cells. Data will be transferred from \"INPUT_DATA\" to \"OUTPUT_DATA_SAFE\" only when the following conditions are validated: ➢ The Cyclic Redundancy Check (CRC) of the last data received. o If the CRC is not correct, data are considered as unsafe and will not write into the safety memory area. ➢ Check if the last data packets are more recent, than the data written into the safety memory area (Time Stamp Checks). o If not recent, they are not copied into the safety memory. ➢ Check the \"age\" of the received data in the safety memory area. If the age is higher than a maximum value set by the user in the SAFETY_CONTROL_TIMEOUT input register, the data are declared unsafe and the HEALTH bit is set to 0. The reference time base is based on a synchronized time base which is periodically updated accordingly with the time received from an NTP server. o If the HEALTH bit is set to 0, the data available in the OUTPUT_DATA_SAFE array will be unsafe, and user must react accordingly. The data contained in the output array “OUTPUT_DATA_SAFE” are considered as safe if the output “HEALTH” bit is set to “1”. The “HEALTH” bit is set to “1” if the integrity of the data is correct (CRC) and if the age of the data is lower than the value set in the “SAFETY_CONTROL_TIMEOUT”. If no new correct data is received in the required time interval, the timer will expire, and health bit will be set to “0”. The ID parameter has to be assigned with a value which identifies a safe communication between Master and Slave ePAC. The ID value has to be unique in the network for a coupled Master/Slave. Note: The data age is the time difference between the time when the data are computed in the Master ePAC and the time when the data are checked in the Slave ePAC. The time base reference is periodically updated with the time received from an NTP server (%SW36 to %SW39 system words). This function block has to be called at each scan cycle in the Slave ePAC application. It has to be executed before the usage of the data in the scan cycle. ➢ Configuration Training

282 Chapter 6 - Safety Programming Software DESCRIPTION OF S_RD_ETH_MX FUNCTION BLOCK Representation in FBD: Description of the input parameters: Parameter Data Type Meaning INPUT_DATA ARRAY[0..99] Array of Safety data variables (“User Safety\" data, index of INT 0 to 90 & “Reserved\" data, index 91 to 99). These variables have to be defined as a shared Input variable with an equivalent variable in “Exchange” area inside the “Safety Data Interface”. Also, the Exchange variables have to be linked to located data in “Process” area inside the “Process Data interface”. Communication identifier. The ID value is used to ID INT calculate the CRC and it must be unique and have the same value as the value used by the Master SAFETY_CONT Time out value (in ms). Used to check the age of the ROL_TIMEOUT INT data in the safety memory area and to determine if those data are considered as safe. Recommendation: SAFETY_CONTROL_TIMEOUT > 2 * (CPU master cycle time + I/O Scanner Repetitive rate + Networktransmission_time + CPU slave cycle time) Description of the output parameters: Parameter Data Type Meaning OUTPUT_DA ARRAY[0..99 Array of Safety data variables (“User Safety\" data, index 0 to TA_SAFE ] of INT 90 and “Reserved\" data, index 91 to 99) SYNCHRO_N BOOL Bit = 1, indicate that NTP time synchronization is healthy; TP logical AND of bits %SW39.0, %SW39.1 & %SW39.2 NEW BOOL Bit = 1, indicate new set of safe data have been refreshed during the current cycle HEALTH BOOL Bit = 1, data in the safety memory area are safe Bit = 0, data in the safety memory area are NOT safe DIFF Return the age in ms of the received data written into the safety memory area. INT Bit = 0, if the internal NTP time (%SW36 to %SW38) is not initialized or if no correct data have been received. Modicon M580 Safety

Chapter 6 - Safety Programming Software 283 DESCRIPTION OF INPUT_DATA AND OUTPUT_DATA_SAFE ARRAYS The characteristic of INPUT_DATA and OUTPUT_DATA_SAFE arrays are: ➢ INPUT_DATA is declared as an array of safety data variables and data values are coming from the I/O scanner which is linked to the located \"Process\" variables via the \"Process Data Interface\". ➢ OUTPUT_DATA_SAFE is an array of safety data variables result from a DFB operation. INPUT_DATA and OUTPUT_DATA_SAFE arrays, size of 100 integers values, composes of two zones: ➢ The User Safety Data zone contains the user data. This zone starts at index 0 and finishes at index 90. ➢ The Reserved Data zone is reserved for safety and it contains the CRC and time-stamp variables. They are used to check the data integrity contained in the User Safety Data zone. o User must not write into this data zone. o This zone starts at index 91 and end at index 99. Below is the structure of INPUT_DATA and OUTPUT_DATA_SAFE arrays size of 100 Integers: Note: The data contained inside the array “INPUT_DATA” should come from I/O Scanner data. The link between the I/O scanner data in located “Process” variables and safety variables (“INPUT_DATA”) is done through the “Safety Data Interface” and “Process Data interface”, refer to Safe Memory Isolation Cells. Configuration Training

284 Chapter 6 - Safety Programming Software Activity 16 - MASTER SETUP (CPU FW ≤ 3.10) In this activity: • Able to transfer data between Safety PAC stations • Configure Ethernet Safe Peer-to-Peer Communication • Use I/O Scanner Service to transfer data. This exercise is based on: ➢ I/O Scanner Service using Ethernet service port of Safety ePAC CPU ➢ Execution of DFBs: S_WR_ETH_MX (at Master ePAC) ➢ NTP service for time base synchronization (using CPU FW ≤ 3.10) The objective is to: ➢ Transfer \"User & Reserved Data\", an array of 100 integers, from Safety to Process memory area for I/O scanning preparation ➢ Configure Master ePAC for I/O Scanner Service to the Slave ePAC Before starting this exercise, following items are required: ➢ 2 set of Safety ePAC training stations (work in group of 2) ➢ One NTP Server (done in Activity - NTP Server Configuration) ➢ One NTP Client (done in Activity - NTP Client Configuration) ➢ A configured EcoStruxure™ Control Expert V15 for Safety project done previously ➢ A configured remote I/O drop of address = 01 ➢ Modicon M580 Safety CPU with firmware ≤ 3.10 ➢ Programming Software, EcoStruxure™ Control Expert V15 for Safety and higher Modicon M580 Safety

Chapter 6 - Safety Programming Software 285 Note: Following steps applied to Training Station that was assigned as a Master ePAC station for Safe Peer-to-Peer Communication. Configure the remote I/O drop adapter (eCRA) with drop address = 01. 1. On the Master ePAC, declare Safety and Process variables of an array of 100 integers for transfer data from Safety to Process memory area a. Open previously created application. Create a global variable, a Safety output interface variable and a Process input interface variable as shown below: b. With the column on \"Effective Parameter\", data from Safety memory area can be associated and linked to the Process memory area. Hints & Tips Refer to Activity - Process & Safety Transfer on how to setup data transfer between safety and non-safety memory area. Configuration Training

286 Chapter 6 - Safety Programming Software 2. Create a new Safety programming section in Master ePAC a. From the Project Browser, open the branch Program-SAFE » Tasks » SAFE » Sections b. Right-click Sections and select New Section ... from the menu. c. Create a new Safety programming section: Name: Send_Data Language: FBD d. When done, click OK button. e. Enter the following variables and program logic as shown below: Note: Make sure variable “Synch_OK_1” has a logical value of 1 to indicate that NTP time synchronization is healthy. Modicon M580 Safety

Chapter 6 - Safety Programming Software 287 3. Setup I/O Scanning function for Master ePAC to send data to Slave ePAC a. Open the DTM Browser by selecting from EcoStruxure™ Control Expert V15 for Safety menu Tools » DTM Browser. b. From the DTM Browser, right-click the CPU, BMEP58_ECPU_EXT. Click Add... from the popup menu. c. Locate and select the Modbus Device item from the list of available DTMs. Click the Add DTM button. d. A dialog box appeared showing the Properties of the device. Click OK button to accept the default parameters. Configuration Training

288 Chapter 6 - Safety Programming Software e. From the DTM Browser, double-click the CPU, BMEP58_ECPU_EXT, to launch the M580 CPU DTM screen. f. Locate the Modbus Device from the Device List and click to access the setup screen. g. Click Address Setting tab and Enter the IP Address of the Slave ePAC station. h. Click Request Setting tab and add a new I/O scanning request by clicking on the Add Request button i. Enter the following I/O scanning parameters: The above setup an I/O scanner where the Master PAC will write data into the Slave PAC memory starting from %MW0 with a length of 100 variables. j. When done, Click Apply button. Modicon M580 Safety

Chapter 6 - Safety Programming Software 289 k. From the Device List under Modbus Device, click Request 001: Items and select Output tab. l. Highlight all items from the list and click Define Item(s) button. m. Define an array of type integer as shown below: n. A Process variable with an array of 100 integers is created for the Modbus Device. When done, Click OK button. o. Click OK button to accept the changes. Configuration Training

290 Chapter 6 - Safety Programming Software 4. Assign the Process variable to the Modbus Device for I/O scanning a. Observe that the Modbus Device DDT is created having an array of 100 items of integer. b. Create a new program section to move data into Modbus Device. From the Project Browser, open the branch Program-PROCESS » Tasks » MAST » Sections. c. Create a new programming section: Name: To_IO_Scanning Language: FBD d. When done, click OK button. e. Enter the following program logic in the Master PAC: The variable, Sender_PAC_Data, is an array of 100 integers moved from the Safety memory area and is sent over to the Modbus Device DDT for I/O scanning to the Slave PAC. f. When done, Build the application and rectify any error(s). g. Save the application. h. Connect, and Transfer the application. i. Switch the Safety ePAC controller to RUN state. Modicon M580 Safety