FAQ - AC500-S Safety PLC - ABB AC500-S Safety User Manual


2.16 FAQ - AC500-S safety PLC

Boot project availability on the safety CPU after power dip or incomplete power cycle
In case of an under- or overvoltage, which may also be caused by an incomplete power
cycle (power off followed by power on in less than 1.5 s), the safety CPU goes to SAFE
STOP state with I-ERR LED ON. However, the boot project is still intact. To put the safety
CPU back to RUN mode, it is necessary to perform two consecutive power cycles. After the
first power cycle, the safety CPU goes to DEBUG STOP (non-safety) state with DIAG
LED ON. The second power cycle puts the safety CPU back to RUN (safety) mode.

Not possible to create a boot project for the safety CPU
Check whether the parameter "Enable Debug" for the safety CPU is set to "ON" in the
Automation Builder project and whether the generated boot project was loaded to the
non-safety CPU, followed by a power cycle.

After power cycle, the safety CPU goes into SAFE STOP state (I-ERR ON)
This situation can arise from a corrupt boot project or because the rotary switch of the
safety CPU is wrongly set to one of these values: 0xFE, 0xFD or 0xFC. Another possibility is
that the power cycle (OFF time) was too short (to ensure a reliable restart, the power off
time must be > 1.5 s).

Channel reintegration of AI581-S safety module is not possible after removal of the fault condition
Only in the case of channel passivation due to overcurrent or undercurrent does the safety
analog channel remain passivated for 30 s to restore its initial properties; a check is then
performed to see whether the error condition is still present. If the error has gone, the
reintegration request signal for the given channel is set to TRUE to allow channel
reintegration. Within the previously mentioned 30 s, the safety analog channel cannot be
reintegrated.

Process value of certain configured input is always FALSE (only in 2-channel evaluation mode)
Our modules are designed in such a way that, in a 2-channel mode, the lower channel (e.g.,
channels 0/4 ➔ Channel 0, channels 1/5 ➔ Channel 1, etc. for DX581-S module) always
transports the aggregated process value, PROFIsafe diagnostic bit, acknowledgment
request and acknowledge reintegration information. The higher channel always provides the
passivated value "0". Thus, a name mapping for the higher channel is not required in a
2-channel evaluation mode.

Acyclic non-safe data exchange takes a very long time
This behavior depends on the task configuration setting in your non-safety CPU. To obtain
the best performance, adjust the cycle time (e.g., set task cycle time to 1 ms) of the task
on the non-safety CPU in which the acyclic non-safe data exchange FBs are programmed.

When should I use cyclic non-safe data exchange instead of acyclic non-safe data exchange?
If 84 bytes in acyclic non-safe data exchange are not enough or data exchange is too slow,
you can use cyclic non-safe data exchange for data up to 2 kB with minimum programming
effort.
In most safety applications, this functionality is not needed and, thus, shall not be used.
However, if you still need it, refer to Appendix B.5 "Data exchange between safety CPU
and V2 non-safety CPU" on page 377 and Appendix C.5 "Data exchange between safety
CPU and V3 non-safety CPU" on page 393.

Is data communication using acyclic or cyclic non-safe data exchange safe?
Data communication using acyclic or cyclic non-safe data exchange is non-safe, because it
is not protected by any functional safety measures for data communication. However,
customers may implement their own safety profiles on top of this non-safe communication
using the so-called "black channel" principle. If customers implement proper safety profile
measures for SIL 3 communication, the safety level for the receipt of data in the safety CPU
through acyclic and cyclic non-safe data exchange can also be SIL 3; however, the sending
of data with acyclic and cyclic non-safe data exchange can only reach SIL 2. Special
measures (e.g., usage of dedicated internal CRC24 calculation functions, etc.) have to be
carried out in the safety CPU program to reach SIL 3 in the latter case.
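
The kind of checks a "black channel" safety profile layers on top of the non-safe data exchange can be sketched as follows. This is an added example, not ABB code and not part of the manual. The frame layout, the names pack and Receiver, and the CRC-24/OpenPGP polynomial used in place of the safety CPU's internal CRC24 functions are assumptions; only the 84-byte acyclic size comes from the text above.

```python
import struct

MAX_ACYCLIC = 84               # acyclic non-safe data exchange size stated on this page
HDR = struct.Struct(">HHB")    # assumed layout: sender id, sequence counter, payload length

def crc24(data: bytes) -> int:
    """CRC-24/OpenPGP, a stand-in for the safety CPU's own CRC24 functions."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def pack(sender: int, seq: int, payload: bytes) -> bytes:
    body = HDR.pack(sender, seq & 0xFFFF, len(payload)) + payload
    frame = body + crc24(body).to_bytes(3, "big")
    if len(frame) > MAX_ACYCLIC:
        raise ValueError("frame does not fit in one acyclic transfer")
    return frame

class Receiver:
    """Receiving side: any failed check yields a fault name and no payload."""
    def __init__(self, sender: int, timeout_s: float, start: float = 0.0):
        self.sender, self.timeout_s = sender, timeout_s
        self.last_seq, self.last_ok = None, start

    def expired(self, now: float) -> bool:
        # Watchdog, meant to be called cyclically: True means use substitute values.
        return now - self.last_ok > self.timeout_s

    def accept(self, frame: bytes, now: float):
        if len(frame) < HDR.size + 3 or len(frame) > MAX_ACYCLIC:
            return "length", None
        body, rx_crc = frame[:-3], int.from_bytes(frame[-3:], "big")
        if crc24(body) != rx_crc:
            return "crc", None                  # corruption on the black channel
        sender, seq, length = HDR.unpack_from(body)
        payload = body[HDR.size:]
        if length != len(payload):
            return "length", None               # truncated or padded payload
        if sender != self.sender:
            return "address", None              # masquerade or misrouted frame
        if self.last_seq is not None and seq != (self.last_seq + 1) & 0xFFFF:
            return "sequence", None             # repetition, loss or reordering
        self.last_seq, self.last_ok = seq, now
        return "ok", payload
```

Each check maps to one communication fault the non-safe channel cannot rule out by itself: corruption (CRC), wrong source (sender id), repetition, loss or reordering (sequence counter) and delay (watchdog).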

How is discrepancy time handling (2-channel configuration) in S-DIs implemented?
To get a robust evaluation of a 2-channel configuration, it is very important to handle noise,
disturbances and other influences at safety digital inputs in a reliable way. Without such
behavior, flickering on a channel would cause a faulty 2-channel evaluation of the given
process value, which would jeopardize system availability.
3ADR025091M0208, 12, en_US
2020/06/19
