Safety Monitoring

Overview

Safety hardware, along with TwinSAFE Groups and Function Blocks, can be monitored through their available State and Diag variables. The SPT Diagnostic library provides the necessary components for monitoring and resetting each of these.

All of the safety monitoring components inherit from FB_Component_Safety_Base. This provides the ability for each safety monitoring component to be registered to a module, the same as any other component. If the SPT Framework is not being used, it is still possible to use the components on their own by calling the CyclicLogic() and Reset() methods of the components.

The Base Safety component is extended by all other safety monitoring function blocks, and contains a declaration for InfoData AT %I* : ST_SafetyStateDiag. When the Base Safety component is extended by the specific child classes they will inherit this variable for their own use. The Initialization() method of this block will check to see if the variable is linked, and if not, it will set the error bit to true and provide a trace message.

Note

There is no detection for the link being correct, only that one exists.

Additionally, a property of type I_SafetyReset is available. This will allow for an instance of a class that implements the I_SafetyReset interface to be assigned as the reset routine when the Reset() method is called.

FB_SafetyResetPulse is available for use from the library. An instance of this can be declared and passed into a child class. It is also possible to assign a DependenceFB to any of the child classes. This will allow for error suppression when the defined FB has an error. For example: without the use of a DependenceFB a hardware error can cause consequential errors to be raised for multiple FBs that use the hardware. But when the DependenceFBs are properly defined these extraneous errors can be reduced.

Safety Group Monitoring

FB Instances and Links

An instance of FB_ComponentSafety_Group can be declared as follows:

SafetyGroupAutoReset : FB_SafetyResetPulse;
SafetyGroup_Main     : FB_Component_Safety_Group :=(
    Name := 'Safety Group Main',
    SafetyReset := SafetyGroupAutoReset,
    AutoResetConnectionFaults := TRUE);

A unique instance of the FB_SafetyResetPulse is defined and passed to the instance SafetyGroup_Main. When the code is compiled an instance variable will appear under the Plc Task Inputs of the PLC Instance with the declared name.

In the code we must call the CyclicLogic() method, and selectively call the Reset() method. It is imperative that the Reset() method be called at least once before valid messages can be logged. When using the SPT Framework this is handled by the state machine.

The two links for State and Diag cannot be made until the TwinSAFE logic program has been created. Once created, you will find the TwinSAFE Group Info Data under the EL6910 or other safety controller. For this variable, enabling ‘Matching Type’ and ‘Matching Size’ will be helpful.

For the Diag variable, remove ‘Matching Type’ and 'Matching Size’, and select ‘All Types’. Then type diag in the search window. The Diag variable in the ST_SafetyStateDiag is of type UINT and the hardware variable is of type USINT.

When creating the link there will be a popup window for a Size Mismatch, because we are linking a UINT to a USINT. No changes are needed in the popup window.

The reason behind this is that some of the Diag variables are of the smaller USINT type, and other Diag variables are a UINT. But in order to use a single structure for all Diag variables, we created the structure with the larger UINT and link it to a smaller variable. Once the link is created, you can see that the link is only to the first 8 bits ‘Diag<0-7>’:

Alarms

The Alarms provided by the FB_Component_Safety_Group are based on the following event class:

An instance of FB_Component_Safety_ConnectionFB can be declared as follows:

SafetyReset   : FB_SafetyResetPulse;
SafetyOutput  : FB_Component_Safety_ConnectionFB :=(
    Name := 'EL2904',
    DependenceFB := SafetyGroup_Main,
    SafetyReset := SafetyReset);

The SafetyReset instance of FB_SafetyResetPulse is passed to the FB_Component_Safety_ConnectionFB. When the Component’s Reset() method is called, it will in turn call the Execute() method of FB_SafetyResetPulse. The default behavior of the FB_SafetyResetPulse is to toggle the variable Reset which is defined as a %Q* at the duration of the PulseDuration input. The PulseDuration time is a configurable property, with a default of 100ms. If a custom reset is needed, a function block that implements the I_SafetyReset interface can be passed to your instance of FB_Component_Safety_ConnectionFB using the strategy pattern.

The FB_Component_Safety_ConnectionFB also uses a DependenceFB which allows for the errors of that function block to suppress the errors of this function block.

The SafetyOutput instance will provide the following variables for linking to the safety controller hardware.

Before the variables in the PLC instance can be linked, the variables in the safety projects must be enabled. Locate the sds for the connection to be monitored, enable the Map State and Map Diag check boxes. This will create the variables needed in the process image.

Then select the Linking tab and take note of the Name. In this image it is Message_3.

When the State and Diag variables are linked, it is important to ensure that they are linked to the correct message of the Safety Controller.

Again, changing the filter options and searching for diag will add in finding the needed variable.

The component instance will either need to be registered with an EM in the SPT Framework, or the CyclicLogic() and Reset() methods will need to be called appropriately from your code.

The alarms provided by the FB_Component_Safety_ConnectionFB are defined in the SafetyConection event class:

Monitoring a Safety Input is similar to the Safety Output. The biggest difference being the DependenceFB would typically be set to the Safety FB that the input is being passed to (covered in the next section).

SafetyInput  : FB_Component_Safety_ConnectionFB :=(
    Name := 'EL1904',
    DependenceFB := SafetyEstop,
    SafetyReset := SafetyReset);

An instance of FB_Component_Safety_EstopFB can be declared as follows:

SafetyEstop  : FB_Component_Safety_EstopFB  :=(
    Name := 'E-Stop',
    DependenceFB := SafetyOutput,
    SafetyReset := SafetyReset);

The DependenceFB is set to the SafetyOutput Connection that the safeEstop is driving, if the output is faulted then the safeEstop will also be faulted and its errors will only cause confusing and misdirection.

In order to link the State and Diag variables they must first be created in the safety project. After opening the sal file, select the desired safety function block and open the properties window. Under Info Data set the Map Diag and Map State to TRUE.

This will create the variables under the Safety Controller for linking.

These links between the PLC and the Safety Controller do not require an offset, and can be linked directly.

The component instance will either need to be registered with an EM in the SPT Framework, or the CyclicLogic() and Reset() methods will need to be called appropriately from your code.

The alarms provided by the FB_Component_Safety_EStopFB are defined in the SafetyEstop event class:

The remaining Safety Function Blocks will have a similar configuration. The alarms are defined in the following event classes:

Safety Edm

Safety Mon