
General Rules for Safety-Related Function Blocks

These programming rules correspond to the "General Rules for Safety-Related Function Blocks" of the PLCopen. This applies to PLCopen-compliant function blocks.

Guidelines specific to function blocks

Important

PLCopen FBs can be used only in programs and function blocks where "Single call" is set.

Default signal

All safety-oriented Boolean I/O signals have the preset safe value FALSE.

Signal level

The value SAFEBOOL can be used only as follows:

  • 0: Corresponds to the safe state as defined for the system outputs

  • 1: Means, for example, that the safety aspects of the system are operating correctly so that normal operation is possible.

This reflects the functionality of IEC 61131 environments, such as the rules for the default value and that all outputs are set to 0 in case of error.

Outputs

Every output must be assigned in each cycle.

Missing I/O parameters

Missing parameters are permitted. The default values apply. These default values must under no condition lead to an unsafe state. The default values and their attributes (Variable or Constant) are specified in the corresponding FBs.

Startup behavior

At the start, the outputs are set to default values. After the first FB call, the outputs are valid. There is a consistent startup behavior (cold start).

Timing diagram

Timing diagrams as shown for the function blocks are used for explanation only. They do not represent the exact time behavior. The exact time behavior depends on the implementation.

Error handling and diagnosis

All safety-oriented function blocks have two error-related outputs: Error and DiagCode. They are used for diagnostic purposes at the user level, not for diagnosing at the system or hardware level.

Safety-oriented environments require that activating the safety-oriented function has the highest priority and that sufficient time remains for diagnosis after that activation, either in the functional program or in the user interface.

General input parameters

Name (Data Type)

Description

Activate (BOOL)

Variable or constant for the activation of the FB

Initial value: FALSE

This parameter can be linked to the variables that represent the state (active or not active) of the relevant safety device. This guarantees that no irrelevant diagnosis data is generated when the device is deactivated.

FALSE: All output variables are set to initial values.

If no device is connected, then a static TRUE signal must be assigned.

S_<safety-oriented input name> (SAFExxxx)

Every name of an input of SAFExxxx type begins with S_.

Only variables can be assigned.

S_StartReset (SAFEBOOL)

Variable or constant

Activation of the automatic start of the POU when the S-PLC is started (warm or cold).

FALSE (= initial value): Automatic start deactivated; manual start by means of the Reset input.

TRUE: Automatic start

The Safety notes for S_StartReset must be observed.

S_AutoReset (SAFEBOOL)

Variable or constant

Activation of the automatic restart of the POU

FALSE (= initial value): Automatic restart deactivated; manual start by means of input reset.

TRUE: Automatic restart

The Safety notes for S_AutoReset must be observed.

Reset (BOOL)

Variable

Initial value: FALSE

Depending on the function, this input can be used for different purposes.

  • Reset of the state machine and associated error and state messages, as displayed via DiagCode, if the cause of the error is remedied. This reset behavior is designed as an error reset.

  • Manual reset of a restart lock by the operator. This reset is designed as a functional reset.

  • Other FB-specific reset functions.

This function is active only for a signal switch from FALSE to TRUE. A static TRUE signal does not trigger any further actions, but it can be detected as an error in some POUs.

The Safety notes for Reset must be observed.

The applicable meaning is described for each POU.

Safety notes for S_StartReset

S_StartReset

This automatic start should be activated only if it is guaranteed that no hazard can occur when starting the S-PLC. Therefore, using the "automatic start" feature of the function blocks requires implementing additional system or application measures to make sure that no unexpected (or unintentional) startup occurs.

Caution

If the input is linked to a variable (and not to FALSE), then additional validation measures must be defined for it.

Safety notes for S_AutoReset

Caution

The automatic restart should be activated only if it is guaranteed that the machinery cannot restart after the emergency stop button is released. Therefore, using the "automatic restart" feature of the function blocks requires implementing additional system or application measures to make sure that no unexpected (or unintentional) restart of the machinery occurs.

Caution

If the input is linked to a variable (and not to FALSE), then additional validation measures must be defined for it.

Safety notes for Reset

Caution

Depending on the safety requirements, SAFEBOOL must be connected instead of BOOL.

General output parameters

Name (Data Type)

Description

Ready (BOOL)

TRUE: Indicates that the POU is activated and the output results are valid (same as the "POWER" LED of a safety relay).

FALSE: The POU is not active and the program is not executed. Useful in debug mode or for activating and deactivating additional POUs. Also for further processing in the functional program.

S_<safety-oriented output name> (SAFExxxx)

Every name of a SAFExxxx type output begins with S_.

Error (BOOL)

Error flag (same as the "K1/K2" LED of a safety relay).

TRUE: Indicates that an error has occurred and the POU is in the error state. The relevant error state is indicated at the DiagCode output.

FALSE: There is no error and the POU is in another state. This is also indicated by the DiagCode output.

This is useful in debug mode, as well as for further processing in the functional program.

DiagCode (WORD)

Diagnosis register.

All POU states (Active, Not Active, and Error) are mapped by this register. Only one consistent code is displayed at a time. In case of several errors, the DiagCode output displays the first detected error.

This is useful in debug mode, as well as for further processing in the functional program.

Diagnostic codes

A transparent and uniform diagnosis concept forms the basis for all blocks. This ensures that uniform diagnostic information is available to end users in the form of DiagCode, regardless of the end user's implementation. If there are no errors, then the internal state of the block (state machine) is displayed. Any errors are displayed via a binary output (Error). For more detailed information about internal or external block errors, see DiagCode. The block must be reset by means of the various Reset inputs.

Table 9. General diagnostic code ranges

DiagCode                  Description
0000_0000_0000_0000bin    The POU is not activated or the safety CPU is halted.
10xx_xxxx_xxxx_xxxxbin    Indicates that the activated POU is in operating state without errors. X = POU-specific code
11xx_xxxx_xxxx_xxxxbin    Indicates that the activated POU is in error state. X = POU-specific code



Table 10. System-specific or device-specific codes

DiagCode                  Description
0xxx_xxxx_xxxx_xxxxbin    X = system-specific or device-specific message. This information includes diagnostic information about the system or device. Note: 0000hex is reserved.



Table 11. Generic diagnostic codes

DiagCode (binary / hexadecimal)

Description

0000_0000_0000_0000bin (0000hex)

The POU is not activated. This code represents the idle state. As a general example, the I/O setting could be as follows:
Activate = FALSE, S_In = FALSE or TRUE, Ready = FALSE, Error = FALSE, S_Out = FALSE

1000_0000_0000_0000bin (8000hex)

The function block is activated without errors or other conditions that set the safety output to FALSE. This is the standard operating state where the safety output S_Out is TRUE in normal operation. As a general example, the inputs and outputs could be set as follows:
Activate = TRUE, S_In = TRUE, Ready = TRUE, Error = FALSE, S_Out = TRUE

1000_0000_0000_0001bin (8001hex)

An activation was detected by the block and the block is now activated. However, the S_Out safety output is set to FALSE. This code shows the Init state of the operating mode. As a general example, the inputs and outputs could be set as follows:
Activate = TRUE, S_In = FALSE or TRUE, Ready = TRUE, Error = FALSE, S_Out = FALSE

1000_0000_0000_0010bin (8002hex)

The activated POU detects a safety demand (example: S_In = FALSE). The safety output is deactivated (S_Out = FALSE). As a general example, the inputs and outputs could be set as follows:
Activate = TRUE, S_In = FALSE, Ready = TRUE, Error = FALSE, S_Out = FALSE

1000_0000_0000_0011bin (8003hex)

The safety output of the active POU has been deactivated by a safety request. The safety request is now canceled, but the safety output remains FALSE until a reset condition is detected. This is an operating state where the safety output S_Out = FALSE. As a general example, the inputs and outputs could be set as follows:
Activate = TRUE, S_In = FALSE => TRUE (continue with static TRUE), Ready = TRUE, Error = FALSE, S_Out = FALSE



Generic state chart

Figure 50. Generic state chart of safety FBs


Explanation of the generic state chart:
  • It provides a general overview of the states and transitions. Some transitions are not named, which means that they are FB-specific and must be assigned with the respective FB.

  • The diagram shows three areas:

    • In the top area, the function block is not active and in the safe state (safe outputs are FALSE).

    • In the middle area, the function block is active and in the safe state (safe outputs are FALSE).

    • In the bottom area, the function block is in the normal state (safe outputs are TRUE).

  • The first horizontal line in the status diagram shows the transition from an inactive FB to an active FB.

  • The second horizontal line shows the transition from an unsafe state to a safe state.

  • The priorities of possible parallel transitions are given by numbers (highest priority 0).

  • The states contain the state name and the hexadecimal diagnostic code.

  • The conditions OR, AND, and XOR are used as logical operators and NOT as negation.

  • In the FB description, the start state is Idle, with the transitions to the individual operating states via the Init state.

  • Activate = FALSE switches from each state directly to the Idle state (0 = highest priority is reserved for Activate = FALSE). For improved overview, these transitions are not shown in each status diagram. This is mentioned as a footnote in each status diagram.

  • To keep the overview readable, the setting of the outputs is not defined in the state chart. An explicit truth table that maps FB states to outputs is part of each FB specification, together with the FB-specific error and status codes.

Table 12. FB-specific error codes

DiagCode   Status Name   Status description and output setting
Cxxx       Error         Ready = TRUE, S_Out = FALSE, Error = TRUE



Table 13. FB-specific status codes (no error)

DiagCode   Status Name                                              Status description and output setting
0000       Idle                                                     Ready = FALSE, S_Out = FALSE, Error = FALSE
8001       Init state of the operating mode                         Ready = TRUE, S_Out = FALSE, Error = FALSE
8xxx       All states of the operating mode where S_Out = FALSE     Ready = TRUE, S_Out = FALSE, Error = FALSE
8000       All states of the operating mode where S_Out = TRUE      Ready = TRUE, S_Out = TRUE, Error = FALSE
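The following is an added example, not PLCopen or vendor code: a Python model of the generic state chart and the generic DiagCodes (Tables 9 to 13), including the priority-0 Activate = FALSE transition, rising-edge Reset detection, and the S_StartReset / S_AutoReset behaviour. The exact Init and reset transitions are simplified assumptions; real FBs define their own, and FB-specific Cxxx error codes are not modelled.

```python
# Added example (not from the page or any vendor library): a minimal model of the
# generic PLCopen safety-FB state chart using the generic DiagCodes from Table 11.
# The Init/reset transitions below are assumptions; each real FB specifies its own.
from dataclasses import dataclass

IDLE, OPERATING, INIT, SAFETY_DEMAND, RESET_REQUIRED = 0x0000, 0x8000, 0x8001, 0x8002, 0x8003


def diag_class(code: int) -> str:
    """Classify a DiagCode by its two top bits (Tables 9 and 10)."""
    if code == 0:
        return "idle"                   # 0000hex: not activated or safety CPU halted
    if code & 0x8000 == 0:
        return "system"                 # 0xxx: system- or device-specific message
    return "error" if code & 0x4000 else "operating"   # 11xx (error) vs 10xx (operating)


@dataclass
class GenericSafetyFB:
    s_start_reset: bool = False         # automatic start after S-PLC start
    s_auto_reset: bool = False          # automatic restart after a safety demand is cancelled
    diag_code: int = IDLE
    _prev_reset: bool = False           # remembered Reset level for edge detection

    def call(self, activate: bool, s_in: bool, reset: bool) -> dict:
        """One FB cycle; every output is assigned in each cycle."""
        reset_edge = reset and not self._prev_reset    # only FALSE -> TRUE acts
        self._prev_reset = reset
        if not activate:                               # priority 0: any state -> Idle
            self.diag_code = IDLE
        elif self.diag_code == IDLE:                   # activation detected -> Init
            self.diag_code = INIT
        elif not s_in:                                 # safety demand wins over restart
            self.diag_code = SAFETY_DEMAND
        elif self.diag_code == INIT:                   # start: automatic or via Reset edge
            self.diag_code = OPERATING if (self.s_start_reset or reset_edge) else INIT
        elif self.diag_code == SAFETY_DEMAND:          # demand cancelled (S_In back to TRUE)
            self.diag_code = OPERATING if self.s_auto_reset else RESET_REQUIRED
        elif self.diag_code == RESET_REQUIRED and reset_edge:
            self.diag_code = OPERATING
        return {"Ready": self.diag_code != IDLE,       # FALSE only in Idle
                "S_Out": self.diag_code == OPERATING,  # TRUE only in the 8000 state
                "Error": diag_class(self.diag_code) == "error",
                "DiagCode": self.diag_code}
```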