M580 Safety Configuration

Chapter 6 - Safety Programming Software 291 Activity 17 - SLAVE SETUP (CPU FW ≤ 3.10) In this activity: • Able to transfer data between Safety PAC stations • Configure Ethernet Safe Peer-to-Peer Communication • Use I/O Scanner Service to transfer data. This exercise is based on: ➢ I/O Scanner Service using Ethernet service port of Safety ePAC CPU ➢ Execution of DFBs: S_RD_ETH_MX (at Slave ePAC) ➢ NTP service for time base synchronization (using CPU FW ≤ 3.10) The objective is to: ➢ Configure Slave PAC for I/O Scanner service to receive \"User & Reserved Data\", an array of 100 integers from Master PAC ➢ Transfer the received data in I/O scanning table from Process to Safety memory area ➢ Execute DFB, S_RD_ETH_MX, to validate the Safety Data integrity and age of data with its NTP time and CRC. Before starting this exercise, following items are required: ➢ 2 set of Safety ePAC training stations (work in group of 2) ➢ One NTP Server (done in Activity - NTP Server Configuration) ➢ One NTP Client (done in Activity - NTP Client Configuration) ➢ A configured remote I/O drop of address = 02 ➢ Modicon M580 Safety CPU with firmware ≤ 3.10 Configuration Training

292 Chapter 6 - Safety Programming Software Note: Following steps applied to Training Station that was assigned as a Slave PAC station for Safe Peer-to-Peer Communication. Configure the remote I/O drop adapter (eCRA) with drop address = 02. 1. On the Slave PAC, declare Process and Safety variables of an array of 100 integers for receiving data from Modbus Scanner into the Process memory area and then transfer to Safety memory area a. Open previously created application. Create a global variable, a Process output interface variable and a Safety input interface variable as shown below: b. With the column on \"Effective Parameter\", data from Process memory area can be associated and linked to the Safety memory area. Note: On Slave PAC, the user has to assign in the Process memory area a located variable of %MW0 for \"Sender_Data\". This is because the Master PAC uses Modbus Scanner to dump data into this location, starting from %MW0. Hints & Tips Refer to Activity - Process & Safety Transfer on how to setup data transfer between safety and non-safety memory area. Modicon M580 Safety

Chapter 6 - Safety Programming Software 293 2. Create a new Safety programming section in Slave PAC a. From the Project Browser, open the branch Program-SAFE » Tasks » SAFE » Sections b. Right-click Sections and select New Section ... from the menu. c. Create a new Safety programming section: Name: Receive_Data Language: FBD d. When done, click OK button. e. Enter the following variables and program logic as shown below: Data_Received variable is taken from Safety input interface variable. Data_is_Safe variable is created in local Safety memory area. f. The DFB, S_RD_ETH_MX, will validate the data coming from INPUT_DATA pin, and if the data received is considered SAFE, the DFB will copy the data into OUTPUT_DATA_SAFE pin. Double-click the OUTPUT_DATA_SAFE pin and assign this pin to a local Safe memory area, called Data_is_Safe, with data type of an array of 100 integers. Note: Make sure variable “status” has a logical value of 1 to indicate that NTP time synchronization is healthy. The input parameter of SAFETY_CONTROL_TIMEOUT defines the maximum expectation age required for data received in the Slave PAC station. In this example, it is configured to 1000 ms as the worst case. Configuration Training

294 Chapter 6 - Safety Programming Software 3. Download the Application into the Slave PAC station a. Build the application and rectify any error(s). b. Save the application. c. Connect, and Transfer the application. d. Switch the Safety ePAC controller to RUN state. 4. Test the communication between two Safety PAC stations a. Make sure that both Master PAC and Slave PAC are in the same network segment; connected to a common Ethernet Switch. b. On Master PAC station: From Program-SAFE » Tasks » SAFE » Sections » Send_Data, initialize an animation table of all variables by right-click S_WR_ETH_MX function block and select Initialize New Animation Table item. Expand the array of variables “Data_to_Send” (NOTE that user Safety Data zone starts at index 0 and finished at index 90) Switch to Maintenance mode. In the animation table, click Modification button and enter any value into “Data_to_Send[0]” variable. For example: Data_to_Send[0] = 123 c. On Slave PAC station: From Program-SAFE » Tasks » SAFE » Sections » Receive_Data, initialize an animation table of all variables by right-click S_RD_ETH_MX function block and select Initialize New Animation Table item. Expand the array variable “Data_is_Safe” (NOTE that user Safety Data zone starts at index 0 and finished at index 90) In the animation table, observe the value of “Data_is_Safe[0]” variable. What is the display value? Data_is_Safe[0] = ________ d. What have been observed between Master PAC and Slave PAC? Modicon M580 Safety

Chapter 6 - Safety Programming Software 295 SAFE COMMUNICATION WITH CPU FW ≥ 3.20 SAFE PEER-TO-PEER COMMUNICATION (CPU FW ≥ 3.20) The following safe peer-to-peer solution architecture is based on using CPU with firmware ≥ 3.20: ➢ Use “monotonic” time clock for Time Base Synchronization ➢ Execution of two DFBs (S_WR_ETH_MX2 on the Master PAC and S_RD_ETH_MX2 on Slave PAC) ➢ I/O scanning service via Modbus TCP for: o Safe Data transportation from Master to Slave o Control Data transportation from Slave to Master Operations in Master CPU: When DFB S_WR_ETH_MX2 is executed, time stamped data (i.e. \"monotonic\" time in Ctrl_Data[0..3] coming from Slave via I/O scanning) and calculated the CRCs (based on data to send, \"monotonic\" time stamp and ID communication parameters) are added into the \"User+Reserved\" data memory block. Data array to be sent is composed of two kind of variables: • \"User Safety Data” are the safe user data array from index 0 to 99 with data type integer. • \"Reserved Data” are made of CRCs and \"monotonic\" time-stamp variables which are filled by the DFB at the end of the array, start from index 91 to 99. User should not write anything into this location. ➢ An implicit operation is automatic done by transferring data to the Process Data area. With the \"Effective Parameter\" assignment, data will be associated to the local process variables and ready for I/O scanning over to the Slave CPU. Configuration Training

296 Chapter 6 - Safety Programming Software Operations in the Slave CPU: ➢ An implicit operation is done to transfer the received memory block, \"User & Reserved\", from the I/O scanner buffer into the \"Data Exchange\" memory area via the data Input/Output Interface connection. This can be easily done by using \"Effective Parameter\" associating with the local process variables. ➢ With the \"Effective Parameter\" assignment, Data will be associated to the safety memory area via the data Input/Output Interface connection. ➢ When DFB S_RD_ETH_MX2 is executed, the memory block of data from in the Input/Output Interface area will be copied into the safety Data memory area only if the following conditions are fulfilled: ➢ Checks the CRCs of the last data packet received by I/O scanner (or Data Exchange) in the Input/Output Interface memory area. In case the CRC is not correct, the data are considered as unsafe and will NOT be written into the “safe” memory area. ➢ Checks if the last data packet received in the Input/Output Interface memory area are more recent than the last data written into the “safe” memory area (by checking with its \"monotonic\" time stamp). If it is not the case, the data in the Input/Output Interface memory area are NOT copied into the “safe” memory area. ➢ Check the “age” of data of the “safe” memory area. If the age is higher than a maximum value defined by the user, the data in the “safe” memory area are declared as unsafe and “HEALTH” bit parameter will be set to “0”. ➢ In case the Data are considered as unsafe, all data will be unchanged, and a health bit will be set to \"0\" to declare the values are unsafe. The user will need to manage and treat these Data accordingly. ➢ The DFB, S_RD_ETH_MX2, also generate an array of Ctrl_Data[0..3] that contains ID and time stamp based on system monotonic time to be sent to Master CPU. This array has to be linked with variables from Safety memory area, via the Effective parameter, into the process memory area in order for the data to be sent by I/O Scanner to the Master CPU. Note: The S_WR_ETH_MX2 DFB function block has to be called at each cycle in the “Safe” task after all of the modifications of the data by the application. That is to say that the data to be sent must not be modified by the user in the safe cycle after the execution of the DFB. The S_RD_ETH_MX2 DFB function block must be called at each cycle in the Slave CPU safe task application and must be executed before the data usage in the cycle. Modicon M580 Safety

Chapter 6 - Safety Programming Software 297 S_WR_ETH_MX2 FUNCTION BLOCK The following shows the DFB representation of S_WR_ETH_MX2 for use with CPU FW ≥ 3.20: The DFB S_WR_ETH_MX2 is for Safety ePAC using CPU firmware 3.20 or later. It calculates data (reserved data containing a CRC and the \"monotonic\" time stamp from receiver) required by the receiver to check and manage errors detected during the safe peer-to-peer communication. The S_WR_ETH_MX2 DFB function block has to be called at each cycle in the sender PAC. Within the cycle, it has to be executed in the logic after all required modifications have been performed on the data to be sent. This means that the data to be sent may not be modified within the cycle after the execution of the DFB, otherwise the CRC information used in the reserved data area will not be correct and the safe peer-to-peer communication will not succeed. Required to assign the ID parameter a unique value that identifies the safe peer-to-peer communication between a sender and a receiver. Note: The ID value has to be unique and fixed in the network for a coupled Master/Slave PAC. Configuration Training

298 Chapter 6 - Safety Programming Software S_RD_ETH_MX2 FUNCTION BLOCK The following shows the DFB representation of S_RD_ETH_MX2 for use with CPU FW ≥ 3.20. It copies the data received in the process area to the safety area and validate the accuracy of the received data: The S_RD_ETH_MX2 function block: ➢ Copies the data received in the INPUT_DATA register to the OUTPUT_DATA_SAFE register if it passes the following tests: o The function block checks the CRC of the last data packet received, via I/O scanner over Ethernet (Modbus TCP). If the CRC is not correct, the data is considered as unsafe and it is not written to the OUTPUT_DATA_SAFE register in the safety area. o The function block checks the last data received to determine if it is more recent than the data already written in the OUTPUT_DATA_SAFE register in the safety area (by comparing its monotonic time stamps). If the last data received is not more recent, it is not copied to the OUTPUT_DATA_SAFE register in the safety area. ➢ Checks the age of the data in the safety area. If the age is higher than a configurable maximum value set in the SAFETY_CONTROL_TIMEOUT input register, the data is declared unsafe and the HEALTH bit is set to 0. o NOTE: The data age is the time difference between the time when the data is computed in the sender PAC and the time when the data is checked in the receiver PAC. The time base reference is from the monotonic time clock at the receiver PAC. o If the HEALTH bit is set to 0, the data available in the OUTPUT_DATA_SAFE array is considered as unsafe. In this case, take the appropriate reactive steps. ➢ The CONTROL_DATA array contains ID and system monotonic time stamp, and has to be linked with variables from Safety memory area into the process memory in order the data to be sent by I/O Scanner to the correspondent sender. Modicon M580 Safety

Chapter 6 - Safety Programming Software 299 Note: The S_RD_ETH_MX2 DFB function block must be called at each cycle in the receiver PAC program logic, and it must be executed before the data in the cycle is used. The ID parameter value must be unique and fixed in the network for a sender/receiver pair. It's a must to test the HEALTH bit value of the S_RD_ETH_MX2 DFB at each cycle before using any safe data to manage the safety function. Configuration Training

300 Chapter 6 - Safety Programming Software Activity 18 - MASTER SETUP (CPU FW ≥ 3.20) In this activity: • Able to transfer data between Safety PAC stations • Configure Ethernet Safe Peer-to-Peer Communication • Use I/O Scanner Service to transfer data. This exercise is based on: ➢ I/O Scanner Service using Ethernet service port of Safety ePAC CPU ➢ Execution of DFBs: S_WR_ETH_MX2 (at Master ePAC) ➢ NTP service for time base synchronization (using CPU FW ≥ 3.20) The objective is to: ➢ Transfer \"User & Reserved Data\", an array of 100 integers, from Safety to Process memory area for I/O scanning preparation ➢ Configure Master ePAC for I/O Scanner Service to the Slave ePAC ➢ Receive Control Data (an array of 4 integers contains ID and system monotonic time stamp) coming from Slave PAC via I/O scanning service. Transfer the data from Process to Safety memory area for S_WR_ETH_MX2 to generate the \"User & Reserved Data\" Before starting this exercise, following items are required: ➢ 2 set of Safety ePAC training stations (work in group of 2) ➢ A configured remote I/O drop of address = 01 with FW ≥ 2.60 ➢ Modicon M580 Safety CPU with firmware ≥ 3.20 ➢ Programming Software, EcoStruxure™ Control Expert V15 for Safety and higher Modicon M580 Safety

Chapter 6 - Safety Programming Software 301 Note: Following steps applied to Training Station that was assigned as a Master ePAC station for Safe Peer-to-Peer Communication. Configure the remote I/O drop adapter (eCRA) with drop address = 01. 1. On the Master PAC, declare Safety and Process variables for transfer data between Safety to Process memory area a. Open previously created application. Create a Safety output interface variable and a Process input interface variable as shown below: With the column on \"Effective Parameter\", data from Safety memory area can be associated and linked to the Process memory area. Observe that on the Process: Data Editor table, the variable, Receiver_PAC_Ctrl_Data, is located at address %MW100. The Control Data coming from the Slave PAC will be written into this address, %MW100, via the Slave PAC Modbus I/O scanner. Hints & Tips Refer to Activity - Process & Safety Transfer on how to setup data transfer between safety and non-safety memory area. Configuration Training

302 Chapter 6 - Safety Programming Software 2. Create a new Safety programming section in Master PAC a. From the Project Browser, open the branch Program-SAFE » Tasks » SAFE » Sections b. Right-click Sections and select New Section ... from the menu. c. Create a new Safety programming section: Name: Send_Data Language: FBD d. When done, click OK button. e. Enter the following variables and program logic as shown below: Note: Make sure variable “ID_State\" has a logical value of 1 to indicate that ID data coming from Receiver PAC into CONTROL_DATA input pin and data on ID input pin are matched. Modicon M580 Safety

Chapter 6 - Safety Programming Software 303 3. Setup I/O Scanning function for Master PAC to send data to Slave PAC a. Open the DTM Browser by selecting from EcoStruxure™ Control Expert V15 for Safety menu Tools » DTM Browser. b. From the DTM Browser, right-click the CPU, BMEP58_ECPU_EXT. Click Add... from the popup menu. c. Select Protocol to be Modbus over TCP and locate the Modbus Device item from the list of available DTMs. Click the Add DTM button. d. A dialog box appeared showing the Properties of the device. Click OK button to accept the default parameters. Configuration Training

304 Chapter 6 - Safety Programming Software e. From the DTM Browser, double-click the CPU, BMEP58_ECPU_EXT, to launch the M580 CPU DTM screen. f. Locate the Modbus Device from the Device List and click to access the setup screen. g. Click Address Setting tab and Enter the IP Address of the Slave PAC station. h. Click Request Setting tab and add a new I/O scanning request by clicking on the Add Request button i. Enter the following I/O scanning parameters: The above setup an I/O scanner where the Master PAC will write data into the Slave PAC memory starting from %MW0 with a length of 100 variables. j. When done, Click Apply button. Modicon M580 Safety

Chapter 6 - Safety Programming Software 305 k. From the Device List under Modbus Device, click Request 001: Items and select Output tab. l. Highlight all items from the list and click Define Item(s) button. m. Define an array of type integer as shown below: n. A Process variable with an array of 100 integers is created for the Modbus Device. When done, Click OK button. o. Click OK button to accept the changes. Configuration Training

306 Chapter 6 - Safety Programming Software 4. Assign the Process variable to the Modbus Device for I/O scanning a. Observe that the Modbus Device DDT is created having an array of 100 items of integer. b. Create a new program section to move data into Modbus Device. From the Project Browser, open the branch Program-PROCESS » Tasks » MAST » Sections. c. Create a new programming section: Name: To_IO_Scanning Language: FBD d. When done, click OK button. e. Enter the following program logic in the Master PAC: The variable, Sender_PAC_Data, is an array of 100 integers moved from the Safety memory area and is sent over to the Modbus Device DDT for I/O scanning to the Slave PAC. f. When done, Build the application and rectify any error(s). g. Save the application. h. Connect, and Transfer the application. i. Switch the Safety ePAC controller to RUN state. Modicon M580 Safety

Chapter 6 - Safety Programming Software 307 Activity 19 - SLAVE SETUP (CPU FW ≥ 3.20) In this activity: • Able to transfer data between Safety PAC stations • Configure Ethernet Safe Peer-to-Peer Communication • Use I/O Scanner Service to transfer data. This exercise is based on: ➢ I/O Scanner Service using Ethernet service port of Safety ePAC CPU ➢ Execution of DFBs: S_RD_ETH_MX2 (at Slave ePAC) ➢ NTP service for time base synchronization (using CPU FW ≥ 3.20) The objective is to: ➢ Configure Slave PAC for I/O Scanner service to receive \"User & Reserved Data\", an array of 100 integers from Master PAC ➢ Transfer the received data in I/O scanning table from Process to Safety memory area ➢ Execute DFB, S_RD_ETH_MX2, to validate the Safety Data integrity and age of data with its internal monotonic time clock and check the data CRC ➢ The generated Control Data (an array of 4 integers contains ID and system monotonic time stamp) from S_RD_ETH_MX2 will be transferred from Safety to Process memory area for I/O scanner service to Master PAC Before starting this exercise, following items are required: ➢ A configured remote I/O drop of address = 02 with FW ≥ 2.60 ➢ Modicon M580 Safety CPU with FW ≥ 3.20 Configuration Training

308 Chapter 6 - Safety Programming Software Note: Following steps applied to Training Station that was assigned as a Slave PAC station for Safe Peer-to-Peer Communication. Configure the remote I/O drop adapter (eCRA) with drop address = 02. 1. On the Slave PAC, prepare to receive an array of 100 integers and transfer out the Control Data of an array of 4 integers via Modbus I/O Scanner a. Open previously created application. Create variables in Process output interface and Safety input interface as shown below: b. With the column on \"Effective Parameter\", data from Process memory area can be associated and linked to the Safety memory area. Note: On Slave PAC, the user has to assign in the Process memory area a located variable of %MW0 for \"Sender_Data\". This is because the Master PAC uses Modbus Scanner to dump data into this location, starting from %MW0. Hints & Tips Refer to Activity - Process & Safety Transfer on how to setup data transfer between safety and non-safety memory area. Modicon M580 Safety

Chapter 6 - Safety Programming Software 309 2. Create a new Safety programming section in Slave PAC a. From the Project Browser, open the branch Program-SAFE » Tasks » SAFE » Sections b. Right-click Sections and select New Section ... from the menu. c. Create a new Safety programming section: Name: Receive_Data Language: FBD d. When done, click OK button. e. Enter the following variables and program logic as shown below: Data_Received variable is taken from Safety input interface variable. Ctrl_Data variable contains ID and monotonic time stamp to be sent to the Master PAC. Data_is_Safe variable is created in local Safety memory area. f. The DFB, S_RD_ETH_MX2, will validate the data coming from INPUT_DATA pin and if the data received is considered SAFE, the DFB will copy the data to the OUTPUT_DATA_SAFE pin. Double-click the OUTPUT_DATA_SAFE pin and assign this pin to a local Safety memory area, called Data_is_Safe, with data type of an array of 100 integers. Note: Make sure variable “status” has a logical value of 1 to indicate that the received user safety data, Data_is_Safe, is safe and healthy. The input parameter of SAFETY_CONTROL_TIMEOUT defines the maximum expectation age required for data received in the Slave PAC station. In this example, it is configured to 1000 ms as the worst case. Configuration Training

310 Chapter 6 - Safety Programming Software 3. Setup I/O scanning function to send the Control Data to the Master PAC a. Open the DTM Browser by selecting from EcoStruxure™ Control Expert V15 for Safety menu Tools » DTM Browser. b. From the DTM Browser, right-click the CPU, BMEP58_ECPU_EXT. Click Add... from the popup menu. c. Select Protocol to be Modbus over TCP and locate the Modbus Device item from the list of available DTMs. Click the Add DTM button. d. A dialog box appeared showing the Properties of the device. Click OK button to accept the default parameters. Modicon M580 Safety

Chapter 6 - Safety Programming Software 311 e. From the DTM Browser, double-click the CPU, BMEP58_ECPU_EXT, to launch the M580 CPU DTM screen. f. Locate the Modbus Device from the Device List and click to access the setup screen. g. Click Address Setting tab and Enter the IP Address of the Master PAC station. h. Click Request Setting tab and add a new I/O scanning request by clicking on the Add Request button i. Enter the following I/O scanning parameters: The above setup an I/O scanner where the Slave PAC will write data into the Master PAC memory starting from %MW100 with a length of 4 variables. This will be the Control Data to be sent to Master PAC. j. When done, Click Apply button. Configuration Training

312 Chapter 6 - Safety Programming Software k. From the Device List under Modbus Device, click Request 001: Items and select Output tab. l. Highlight all items from the list and click Define Item(s) button. m. Define an array of type integer as shown below: n. A Process variable with an array of 4 integers is created for the Modbus Device. When done, Click OK button. o. Click OK button to accept the changes. Modicon M580 Safety

Chapter 6 - Safety Programming Software 313 4. Assign the Process variable to the Modbus Device for I/O scanning a. Observe that the Modbus Device DDT is created having an array of 4 items of integer. b. Create a new program section to move data into Modbus Device. From the Project Browser, open the branch Program-PROCESS » Tasks » MAST » Sections. c. Create a new programming section: Name: To_IO_Scanning Language: FBD d. When done, click OK button. e. Enter the following program logic in the Master PAC: The variable, Ctrl_Data_Out, is an array of 4 integers moved from the Safety memory area and is sent over to the Modbus Device DDT for I/O scanning to the Master PAC. The Ctrl_Data_Out contains ID and time stamp based on system monotonic time for the sender, i.e. Master PAC. Configuration Training

314 Chapter 6 - Safety Programming Software 5. Download the Application into the Slave PAC station a. Build the application and rectify any error(s). b. Save the application. c. Connect, and Transfer the application. d. Switch the Safety ePAC controller to RUN state. 6. Test the communication between two Safety PAC stations a. Make sure that both Master PAC and Slave PAC are in the same network segment; connected to a common Ethernet Switch. b. On Master PAC station: From Program-SAFE » Tasks » SAFE » Sections » Send_Data, initialize an animation table of all variables by right-click S_WR_ETH_MX function block and select Initialize New Animation Table item. Expand the array of variables “Data_to_Send” (NOTE that user Safety Data zone starts at index 0 and finished at index 90) Switch to Maintenance mode. In the animation table, click Modification button and enter any value into “Data_to_Send[0]” variable; For example: Data_to_Send[0] = 123 c. On Slave PAC station: From Program-SAFE » Tasks » SAFE » Sections » Receive_Data, initialize an animation table of all variables by right-click S_RD_ETH_MX function block and select Initialize New Animation Table item. Expand the array variable “Data_is_Safe” (NOTE that user Safety Data zone starts at index 0 and finished at index 90) In the animation table, observe the value of “Data_is_Safe[0]” variable. What is the display value? Data_is_Safe[0] = ________ d. What have been observed between Master PAC and Slave PAC? Modicon M580 Safety

Chapter 6 - Safety Programming Software 315 TÜV CERTIFIED SAFETY LIBRARIES To meet the requirements of the IEC 61508, only certified software is allowed for programming SIL 3 application. For this purpose, Schneider Electric has developed the Safety version of the programming tool EcoStruxure™ Control Expert V15 for Safety. It is able to perform both fault diagnostics and project protection to an extent necessary for programming a SIL 3 application. In order to manage a safety application (safety = simple) the programming languages are limited to the FBD (Function Block Diagram) and LD (Ladder Diagram) languages. Safety library with function blocks and elementary functions (EFBs/EFs) are TÜV certified and will be used in this safety programming. Code of the safety function blocks will be executed in the CPU and will become part of the \"safety loop\". RULES FOR SAFETY LOGIC User logic has to satisfy the specified rules for safety logic. The usage of language elements and Functions/Function Blocks is restricted in safety logic. A mixture of safety and non-safety logic is NOT allowed. The restrictions for Safety Logic are: ➢ Safety logic can only be programmed in FBD (Function Block Diagram) or LD (Ladder Diagram) ➢ All variables are unlocated, or mapped to a Device DDT. ➢ Only elementary data types EBOOL, BYTE, WORD, DWORD, INT, UINT, DINT, UDINT, TIME, BOOL, REAL are allowed ➢ Derived Data Types (DDT) are allowed ➢ Safe sections can only be part of the SAFE task ➢ System bits and system words are NOT allowed. ➢ Subroutines (SR) are NOT allowed ➢ ST expression are NOT allowed in FBD and LD (no operate and compare block) ➢ A set of FFBs (''Safety Library') will be certified to be used in safety logic ➢ Generic FFBs are NOT allowed ➢ Derived Function Blocks (DFBs) are allowed The program analyzer will check that the rules for safety logic and configuration are obeyed and will show detailed error messages if any. A download to the CPU is not possible if the program analyzer has found any error. Note: Additional rules are defined in the Safety Manual, which are not checked by EcoStruxure™ Control Expert V15 for Safety but have to checked by the customer, e.g. usage of Ethernet I/O or Modbus Plus I/O. Configuration Training

316 Chapter 6 - Safety Programming Software BASIC CERTIFIED SAFETY FFBS Following are the basic subset of Functions / Function Blocks (FFBs), which can be used inside safety logic: Family Functions / Function Blocks Description Logic S_AND_*, S_OR_*, S_XOR_*, Type specific e.g. S_AND S_NOT_*, S_SHL_*, S_SHR_*, with 2 to 32 inputs (in-line S_ROR_*, S_ROL_* code) S_RS, S_SR, S_F_TRIG, S_R_TRIG S_ADD_*, S_MUL_*, S_SUB_*, Type specific error handling Mathematics S_DIV_*, S_ABS_*, S_SIGN_*, (e.g. overflow) to be S_NEG_*, S_MOVE, S_SQRT_REAL considered (in-line code) Comparison S_GT_*, S_GE_*, S_LT_*, S_LE_*, Type specific (in-line code) S_NE_*, S_EQ_* Statistical S_LIMIT_*, S_MAX_*, S_MIN_*, Type specific (in-line code) S_MUX_*, S_SEL Type to Type S_BOOL_TO_*, S_BYTE_TO_*, S_WORD_TO_*, S_DWORD_TO_*, S_INT_TO_*, S_UNIT_TO_*, S_UDINT_TO_*, S_BIT_TO_BYTE, Type specific (in-line code) S_BIT_TO_WORD, S_BYTE_TO_BIT, S_WORD_TO_BIT, S_TIME_TO_UDINT, S_REAL_TO_* Timers & S_CTU_*, S_CTD_*, S_CTUD_* Type specific Counters S_TON, S_TOF, S_TP Instructor Note: For detailed information, please refer to the EcoStruxure™ Control Expert Safety Block Library user manual. Modicon M580 Safety

Chapter 6 - Safety Programming Software 317 MACHINE CERTIFIED SAFETY DFBS Following Safety Libraries which are compliant with the “PLCopen Safety“ standard: Family Derived Function Blocks Description Actuator S_EDM, S_ENABLE_SWITCH, Machine Safety Function Connection S_ESPE, S_OUTCONTROL, Blocks linked to actuators S_GUARD_LOCKING, S_GUARD_MONITORING, S_MODE_SELECTOR Sensor S_EQUIVALENT, S_ANTIVALENT, Machine Safety Function Connection S_EMERGENCYSTOP, Blocks linked to sensors S_TWO_HAND_CONTROL_TYPE_II, S_TWO_HAND_CONTROL_TYPE_III, S_MUTING_SEQ, S_MUTING_PAR Instructor Note: For detailed information, please refer to the EcoStruxure™ Control Expert Safety Block Library user manual. Configuration Training

318 Chapter 6 - Safety Programming Software ACTUATOR SAFETY FUNCTION BLOCKS The following are some example of the actuator safety function blocks: ➢ S_EDM: Actuator Error Detection Monitoring o Allows to control a safety output and monitors controlled actuators ➢ S_ENABLING_SWITCH: Three Position Enable Switch o Evaluates the signals of an enable switch with three positions ➢ S_ESPE: Electro-Sensitive Protective Equipment o Monitors electro-sensitive protective equipment, like light curtain, magnetic switch ➢ S_GUARD_LOCKING: Guard Lock Control o Controls the guard lock and monitors the position of its lock switch that restricts access to a secured, hazardous area ➢ S_GUARD_MONITORING: Guard Lock Monitoring o Similar to the S_GUARD_LOCKING without the locking mechanism ➢ S_MODE_SELECTOR: Safety Mode Switch o Allows selection of the operation of the system, such as Manual, Automatic, Semi-automatic, etc ➢ S_OUTCONTROL: Output Driver o Allows the control of a safety output with signals coming from the process and the safety part Modicon M580 Safety

Chapter 6 - Safety Programming Software 319 SENSOR SAFETY FUNCTION BLOCKS The following are some example of the sensor safety function blocks: ➢ S_ANTIVALENT: Compare Antivalent Inputs o Monitors states and discrepancy of two antivalent input contacts from sensors (NC/NC or NO/NC) ➢ S_EQUIVALENT: Compare Equivalent Inputs o Monitors states and discrepancy of two equivalent input contacts from sensors (NC/NC or NO/NC) ➢ S_AI_COMP (Not Certified): Analog Input Compare o To perform a \"one out of two\" (1oo2) evaluation of two analog integer values provided by two different input sensors ➢ S_TWO_HAND_CONTROL_TYPE_II: Two Hand Control o Controls each of the operator’s hands be placed on a separate control button, thereby keeping them out of harm’s way ➢ S_EMERGENCYSTOP: Emergency Stop Monitor o Monitors the state of an emergency stop button ➢ S_TWO_HAND_CONTROL_TYPE_III: Two Hand Control with Timer (500 ms) o Controls each of the operator’s hands and be placed on a separate control button, within a 500ms from each other, thereby keeping them out of harm’s way Configuration Training

320 Chapter 6 - Safety Programming Software MUTING SAFETY FUNCTION BLOCKS The muting function temporarily disables the safety function when a workpiece or conveying palette passes through the detection area of Safety Light Curtains or Safety Sensors. Muting is intended to permit necessary materials – but not humans – to enter the safety zone without interrupting the work process. Two or more sensors, properly situated in the production sequence, can be used to trigger muting of the safety function. Sensors can be situated in parallel positions to operate simultaneously (Parallel Muting) or can be staggered to operate sequentially (Sequential Muting). ➢ S_MUTING_PAR: Parallel Muting ➢ The function block implement a parallel muting of a safety process and it is designed to be used with four muting sensors. It can specify the maximum allowable times for muting of the safety process to allow material to enter or exit a detection zone guarded by an AOPD and completing the entire muting sequence (MaxMutingTime), beginning with the material's initial triggering of muting switches to its ultimate exit from the safety zone. ➢ The block supports bi-directional (forward and backward) travel of material. ➢ S_MUTING_SEQ: Sequential Muting ➢ The function block implements a sequential muting of a safety process. It is designed to be used with four muting sensors and can specify the maximum allowable time for completing the entire muting sequence (MaxMutingTime), beginning with the material's initial triggering of muting switches to its ultimate exit from the safety zone. ➢ The block supports bi-directional (forward and backward) travel of material. Modicon M580 Safety

Chapter 6 - Safety Programming Software 321 SYSTEM CERTIFIED SAFETY DFBS & FBS The following list the system safety certified DFBs and FBs: Family DFB / FBs Description Peer to Peer S_RD_ETH_MX, S_WR_ETH_MX DFB to perform a Safety peer to peer communication System S_SYST_STAT_MX, System function blocks S_SYST_TIME_MX, S_SYST_CLOCK_MX, S_SYST_RESET_TASK_BIT_MX, S_SYST_READ_TASK_BIT_MX Instructor Note: For detailed information, please refer to the EcoStruxure™ Control Expert Safety Block Library user manual. NON-CERTIFIED SAFETY FUNCTIONS The purpose is to provide to customer sample safety function blocks to be easily reused and adapted. The customer can copy and paste function blocks into their application and have the possibility to change them if needed. These are the subset of Derived Functions Blocks (DFBs), which can be used inside safety logic. These function blocks are NOT certified: Family DFBs / FBs Description High Availability_MX S_DIHA, S_AIHA Function for high availability SIL 2 or SIL 3 digital input modules (in-line code) Sensor Connection S_AI_COMP Machine Safety Function Blocks linked to sensors Note: Refer to Safety Manuals on proper use of these safety libraries. Configuration Training

322 Chapter 6 - Safety Programming Software HIGH AVAILABILITY SAFETY FUNCTION BLOCKS The following are two commonly used high availability safety function blocks: ➢ S_AIHA: High Availability for Mx80 Safety Analog Inputs o Use with redundant BMXSAI0410 safety analog input modules. It continuously compares the integrity of the two channels stemming from the two safety analog input modules and selects the data to be retrieved based on that comparison. ➢ S_DIHA: High Availability for Mx80 Safety Digital Inputs o Use with redundant BMXSDI1602 safety digital input modules. It continuously compares the integrity of the two channels stemming from the two safety digital input modules and selects the data to be retrieved based on that comparison. Modicon M580 Safety

Chapter 6 - Safety Programming Software 323 EXAMPLE: EMERGENCY STOP The following S_EMERGENCYSTOP function block is used to monitor the state of an emergency stop button. It can be used to activate emergency switch off functionality. Input Parameters: Parameter Description Activate TRUE: Activation of the Function Block FALSE: All output variables are set to the initial values S_EStopIn If no device is connected, a direct TRUE value must be assigned S_StartReset TRUE: Not engaged for any safety-related response S_AutoReset FALSE: Engaged for a safety-related response Reset TRUE: Automatic reset when system is started (warm or cold) FALSE: Manual reset when system is started (warm or cold) TRUE: Automatic reset when button is released FALSE: Manual reset when button is released Reset of the state machine and coupled error and status messages as indicated via DiagCode, when the error cause has been removed Output Parameters: Parameter Description Ready TRUE: Function is activated, and the output results are valid FALSE: Function is not active, and the program is not executed TRUE: Safety output is enabled. No demand for safety-related response S_EStopOut FALSE: Safety output disabled. A demand exists for safety-related response Error Function block detected error message DiagCode Function block diagnostic message UNGUARDED MACHINERY CAN CAUSE SERIOUS INJURY • Activate the S_StartReset and S_AutoReset inputs only after you verify that no hazardous situation can occur if the system is started. Failure to follow these instructions can result in death, serious injury, or equipment damage. Configuration Training

324 Chapter 6 - Safety Programming Software TYPICAL TIMING DIAGRAMS The following is a typical timing diagrams, when: ➢ S_StartReset = FALSE and S_AutoReset = FALSE: ➢ S_StartReset = TRUE and S_AutoReset = FALSE: ➢ S_StartReset = FALSE and S_AutoReset = TRUE: Modicon M580 Safety

Chapter 6 - Safety Programming Software 325 STATE DIAGRAM The following diagram describes the state transitions of the S_EMERGENCYSTOP function block: Above source is from PLCopen - Technical Committee 5, Safety Software, Technical Specification, Part 1: Concepts and Function Blocks, Version 1.0. Note: The transition to the Idle state from any other state, occurring because Activate = FALSE, is not depicted. Such a transition has the highest priority (0). Configuration Training

326 Chapter 6 - Safety Programming Software DETECTED ERROR MANAGEMENT S_EStopOut is set to an initial value of FALSE. If a static TRUE signal is received at the Reset input, the DiagCode output indicates the relevant detected error code and the Error output is set to TRUE. To leave the detected error state, set Reset input to FALSE. When returning a detected error message, the DiagCode parameter can present one of the following detected error values DiagCode State Name State Description and Output Settings C001 Reset Error 1 Reset signal is true while waiting for S_EStopIn = TRUE: S_EStopOut = FALSE Error = TRUE C002 Reset Error 2 Reset signal is true while waiting for S_EStopIn = TRUE: S_EStopOut = FALSE Error = TRUE DIAGNOSTIC CODE MANAGEMENT When returning a status message, the Error parameter is set to FALSE, and the DiagCode parameter displays one of the following hexadecimal values: DiagCode State Name State Description and Output Settings 0 IDLE The function block is not active (initial state): 8001 INIT S_EStopOut = FALSE Error = FALSE Activate is TRUE. The function block was enabled. Check if S_StartReset needs to be set: S_EStopOut = FALSE Error = FALSE Modicon M580 Safety

Chapter 6 - Safety Programming Software 327 APPLICATION EXAMPLES The following shows an application example of using Emergency Stop function: Below shows a Safety Instrument Function with Category 4: Configuration Training

328 Chapter 6 - Safety Programming Software SUMMARY This chapter provided information on how to use EcoStruxure Control Expert V15 for Safety to implement the control and safety program logic that is running in the controllers. QUESTIONS The following questions will help to check understanding of the topics covered in this chapter: ➢ What are the two programming tasks available in EcoStruxure™ Control Expert V15 for Safety? What are their supported programming languages? ➢ Why do we need NTP Server for peer-to-peer communication? ➢ Explain how data can be transferred between Safety controllers. Modicon M580 Safety

Chapter 7 - Redundant M580 Safety 329 Chapter 7 - REDUNDANT M580 SAFETY In engineering, redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system, usually in the form of a backup or fail-safe, or to improve actual system performance. Safe and fault-tolerant controllers, e.g., Redundant M580 Safety ePAC, monitor themselves autonomously and detect faults. When a fault occurs, they immediately switch to/remain in safe mode or, in the event of a hardware failure, automatically switch over to the redundant system. This Chapter will introduce the Redundant M580 Safety ePAC used in process and machinery safety. Prerequisite Knowledge: It is expected that the trainees have good knowledge and have attended the \"M580 Redundant Configuration\" course, prior to this chapter. CONTENTS: Introduction to Redundancy........................................................................................330 Reliability, Availability and Maintainability ..................................................................335 M580 Safety Hot Standby CPU ..................................................................................340 System Implementation ..............................................................................................345 Configuration Training

330 Chapter 7 - Redundant M580 Safety INTRODUCTION TO REDUNDANCY Redundancy is a system design in which a component is duplicated so if it stops operating there will be a backup. It's a provision or existence of more than one means or resources to perform an activity or function. A repetition of parts or subsystems (or whole systems) to provide a backup in case of primary system stop operating. REDUNDANCY IN INDUSTRIAL AUTOMATION In industrial automation, some special or critical processes need to work permanently with minimum unwanted down time. Therefore, it is necessary to design a system which is fault tolerant and capable of handling the process with abnormal operating modules. Hot Standby systems are answering to this growing market demand for high availability automation architectures. Modicon M580 Safety

Chapter 7 - Redundant M580 Safety 331 REDUNDANCY PRINCIPLES The redundancy system uses a copper or fiber optic link between both controllers based on an industrial standard. It allows: ➢ Fast data transfer between both controllers ➢ All of the data exchanged, without any user configuration ➢ One scan cycle time is sufficient to exchange the whole content ➢ Both controllers may be placed a distance apart o Fiber optic link: up to 15 km o Copper link: 100 m Standard Hot Standby controllers are equipped with high-speed interface. There is no requirement for separate redundancy modules. A dedicated port link between both controllers (process by its multi-core CPU) required no specific data transfer configuration. By default, the assignment of the Primary PLC is automatic: No requirement for user selection of primary which makes the system plug and play. Moreover, the system achieves a total memory transfer. Selection of non-transferred data (Programs difference) can be done, by this mean, functionalities fit specific needs of the customer. ACHIEVING HIGH AVAILABILITY Customers or critical applications that cannot tolerate impact to the mission may find redundancy or fault tolerance necessary. Redundant components needed for high availability include: ➢ Uninterrupted power supply (UPS) ➢ Redundant power supplies ➢ Redundant components ➢ Chassis ➢ Processors ➢ I/O modules ➢ Sensors and actuators ➢ PCs / HMI-Networks ➢ Media ➢ Servers ➢ Databases Configuration Training

332 Chapter 7 - Redundant M580 Safety DATABASE TRANSFER The Database is built automatically by the Primary PLC Operating System and sent at each Primary PLC scan cycle to the Standby PLC. This exchange is performed via the dedicated embedded Ethernet port of the two HSBY PLCs. In a redundancy system, data are transferred from the Primary CPU to the Standby CPU at every beginning of PLC scan cycle. The following information will be transferred: ➢ All output objects, commands and adjustment parameters ➢ All contents in Fast Device Replacement (FDR) for DIO devices ➢ Selectable exchange of each variables (include located and unlocated) ➢ All instances of the DFB and EFB type ➢ Configurable SFC Variable area ➢ System bits and words Note: At each scan, all forced bits are transferred from the Primary CPU to the Standby CPU. Modicon M580 Safety

Chapter 7 - Redundant M580 Safety 333 MONITORING THE SYSTEM The Primary and the Standby Controllers continuously communicate with each other to determine the Health of the System. This information is used to determine if a switch- over should occur due to an abnormal operation. If the Primary Controller stops operating, the state of the Controllers is switched. The Standby Controller becomes the Primary, executes the Application Program, and controls the Remote I/O. If the Standby Controller stops operating, the Primary Controller continues to run without Redundancy and acts as a standalone System. DATA EXCHANGE The data exchange is done in 2 steps: ➢ A snapshot of the database is done by the multi-core processor, stored into its memory and ready to be transferred. (1) ➢ The multi-core processor, sharing workload and managing both application and redundant data exchanges in parallel, is in charge of sending the database from its memory to the Standby controller. (2) The Standby PAC regularly communicates information back to the Primary PAC via a group of system registers. The content of these system registers can be modified by the user application running in the Standby CPU. Most common use is to provide the Primary PAC information about the health status of the Standby CPU and its associated modules. Note: Due to its dual core management of CPU, the impact of scan time of redundancy systems vs standalone is less than 10 ms per MB of data exchanged. The impact depends on the application execution time. If application is long enough compared to the amount of transferred data, then the transfer takes place in parallel, and has almost no impact. As a comparison, in Quantum HSBY the impact was 17ms per 100KB of data exchanged + 7ms per 100KB of overhead (transfer CPU to Copro). Configuration Training

334 Chapter 7 - Redundant M580 Safety HIGH AVAILABILITY SOLUTION Availability can be defined as the probability that a system is operating successfully when needed. Availability is often expressed as a percent. Expressed mathematically, availability is one minus the unavailability. ➢ Availability (A) = MTBF / (MTBF + MDT); where o MTBF = Mean Time Between Failure o MDT = Mean Down Time ▪ MDT is often assumed to be MTTR (Mean Time to Repair) The term High Availability has been used to encompass all things related to productivity, including Reliability and Maintainability. Reliability can be defined as the probability that a device will perform its intended function during a specific period of time. While Maintainability is the ability of a system to be changed or repaired. HIGH AVAILABILITY AND FUNCTIONAL SAFETY Availability can be defined as “The proportion of time for which the equipment is able to perform its function”. An item is highly available if it does not fail very often and, when it does, it can be quickly returned to service. A key difference between high availability and functional safety is that functional safety must guarantee, to a high degree of probability, that the system will not compromise safety when a demand event occurs, while high availability must guarantee to a high degree of probability that the system continues to operate in the event of a failure. Modicon M580 Safety

Chapter 7 - Redundant M580 Safety 335 RELIABILITY, AVAILABILITY AND MAINTAINABILITY WHAT IS RELIABILITY? Reliability represents the probability of components, parts and systems to perform their required functions for a desired period of time without failure in specified environments with a desired confidence. Reliability accounts for the time that it will take the component, part or system to fail while it is operating. It does not reflect how long it will take to get the unit under repair back into working condition. WHAT IS AVAILABILITY? Availability is defined as the probability that the system is operating properly when it is requested for use. In other words, availability is the probability that a system is not failed or undergoing a repair action when it needs to be used. At first glance, it might seem that if a system has a high availability then it should also have a high reliability. However, this is not necessarily the case. WHAT IS MAINTAINABILITY? A measure of the ease and rapidity with which a system can be restored to operational status following a failure. Maintainability deals with duration of maintenance outages or how long it takes to achieve the maintenance actions. Maintainability characteristics are usually determined by equipment design which set maintenance procedures and determine the length of repair times. RELATIONSHIP BETWEEN AVAILABILITY, RELIABILITY AND MAINTAINABILITY As stated earlier, availability represents the probability that the system is capable of conducting its required function when it is called upon given that it is not failed or undergoing a repair action. Therefore, not only is availability a function of reliability, but it is also a function of maintainability. Below displays the relationship between reliability, maintainability, and availability. Note that in this table, an increase in maintainability implies a decrease in the time it takes to perform maintenance actions. Reliability-Maintainability-Availability If the reliability is held constant, even Constant-Decreases-Decreases at a high value, this does not directly Constant-Increases-Increases imply a high availability. As the time Increases-Constant-Increases to repair increases, the availability Decreases-Constant-Decreases decreases. Even a system with a low reliability could have a high availability if the time to repair is short. Configuration Training

336 Chapter 7 - Redundant M580 Safety RELIABILITY PARAMETERS Following are the commonly used reliability parameters: ➢ MTBF o Mean Time Between Failures (MTBF), as the name suggests, is the average time between failure of hardware modules. It is the average time a manufacturer estimates before a failure occurs in a hardware module. ➢ MTTF o Mean Time To Failure (MTTF), is an estimate of the average, or mean time until a design's or component's first failure or disruption in the operation of the product. o MTTF = E(t) = 0t∫ t.f(t).dt = 0t∫ t. λ e- λt dt = 1 / λ; where λ is the failure rate ➢ MTTR o Mean Time To Repair (MTTR), is the time taken to repair a failed hardware module. It should be a goal of system designers to allow for a high MTTR value and still achieve the system reliability goals. o MTBF = MTTF + MTTR AVAILABILITY CALCULATION Availability of the module is the percentage of time when system is operational. Once MTBF and MTTR are known, the availability of the component can be calculated using the following formula: Availability = (MTBF) / (MTBF + MTTR) Availability is typically specified in nines notation. For example 3-nines availability corresponds to 99.9% availability. A 5-nines availability corresponds to 99.999% availability. Modicon M580 Safety

Chapter 7 - Redundant M580 Safety 337 EXAMPLE 1 ON RELIABILITY AND AVAILABILITY Let's consider a system with an MTBF of 618,191hours. What is the chance to fail in a 5 years period for this system? This means, what is the module's Reliability over 5 years time period? ➢ Formula: R(t) = exp (-t / MTBF) ➢ time(t) = 5 years = 5 years * 365 days * 24 hours = 43,800 hours ➢ Given that MTBF = 618,191 hours Reliability, R(t) = exp (-(43,800 / 618,191)) = 93.159986% If the MTTR of the system is 1 minutes, then ➢ Availability = MTBF / (MTBF + MTTR) o = 618,191 / (618,191 + (1 minutes / 60)) o = 99.999997% EXAMPLE 2 ON RELIABILITY AND AVAILABILITY Let’s consider a system that has average of 3 failures per year. What is the MTBF? Answer to be formatted in X.X 10-x. ➢ One year = 365 days * 24 hours * 60 minutes = 525,600 minutes ➢ Failure Rate = 525,600 / 3 times = 175,200 ➢ MTBF = 1 / λ where λ is the failure rate ➢ = 1 / 175,200 = 5.7078E-06 Configuration Training

338 Chapter 7 - Redundant M580 Safety SYSTEM AVAILABILITY System Availability is calculated by modelling the system as an interconnection of parts in series and parallel. The following rules are used to decide if components should be placed in series or parallel: ➢ If failure of a part leads to the combination becoming inoperable, the two parts are considered to be operating in series. ➢ If failure of a part leads to the other part taking over the operations of the failed part, the two parts are considered to be operating in parallel. SYSTEM AVAILABILITY IN SERIES If failure of a part leads to the combination becoming inoperable, the two parts are considered to be operating in series. -Part X--Part Y- ---- As shown above, two parts X and Y are considered to be operating in series if failure of either of the parts results in failure of the combination. The combined system is operational only if both Part X and Part Y are available. From this it follows that the combined availability is a product of the availability of the two parts. The combined availability is shown by the equation below: ➢ A = Ax * Ay The implications of the above equation are that the combined availability of two components in series is always lower than the availability of its individual components. Consider the system in the figure above. Part X and Y are connected in series. The table below shows the availability and downtime for individual components and the series combination. COMPONENT-AVAILABILITY-DOWNTIME X-99% ( 2-nines)-3.65 days/year Y-99.99% (4-nines)-52 minutes/year X and Y combined-98.99%-3.69 days/year From the above table, it is clear that even though a very high availability Part Y was used, the overall availability of the system was pulled down by the low availability of Part X. This just proves the saying that a chain is as strong as the weakest link. More specifically, a chain is weaker than the weakest link. Modicon M580 Safety

Chapter 7 - Redundant M580 Safety 339 SYSTEM AVAILABILITY IN PARALLEL If failure of a part leads to the other part taking over the operations of the failed part, the two parts are considered to be operating in parallel. --Part X-- ---- --Part X-- ---- As shown above, two parts are considered to be operating in parallel if the combination is considered failed when both parts fail. The combined system is operational if either is available. From this it follows that the combined availability is 1 - (both parts are unavailable). The combined availability is shown by the equation below: ➢ A = 1 - (1 - Ax)2 The implications of the above equation are that the combined availability of two components in parallel is always much higher than the availability of its individual components. Consider the system in the figure above. Two instances of Part X are connected in parallel. The table below shows the availability and downtime for individual components and the parallel combination. COMPONENT-AVAILABILITY-DOWNTIME X-99% (2-nines)-3.65 days/year Two X components operating in parallel-99.99% (4-nines)-52 minutes/year Three X components operating in parallel-99.9999% (6-nines)-31 seconds/year! From the above table it is clear that even though a very low availability Part X was used, the overall availability of the system is much higher. Thus, parallel operation provides a very powerful mechanism for making a highly reliable system from low reliability. For this reason, all mission critical systems are designed with redundant components. Configuration Training

340 Chapter 7 - Redundant M580 Safety M580 SAFETY HOT STANDBY CPU REDUNDANT M580 SAFETY SOLUTION The Modicon M580 Safety Hot standby CPU is a TÜV Rheinland certified SIL 3 / PLe controller provides safe, reliability and performance with the availability to integrate Remote and Distributed I/Os over the Ethernet network based on the EtherNet/IP technology with reliable CIP object model. Its also able to integrate safety functions into standard process (Common Safety). A Redundant M580 Safety system that ensures that the two systems in charge of Safety and Process Control are separated and independent with different hardware resources in a common engineering environment. Figure below shows the Redundant M580 Safety solution: Modicon M580 Safety