1746-C9

Parameter / Switch: Maximum System Bus Latency [µs]
  Description: Maximum delay of a message between an I/O module and the processor module. 0, 100...50 000 µs.
    Note: A license is required for setting the maximum system bus latency to a value > 0.
  Default value: 0 µs
  Setting for safe operation: Application-specific

Parameter / Switch: safeethernet CRC
  Description:
    SILworX V.2.36.0: The CRC for safeethernet is created as in SILworX version 2.36.0. This setting is required for exchanging data with resources planned with SILworX version 2.36 or previous versions.
    Current Version: The CRC for safeethernet is created with the current algorithm.
  Default value: Current Version
  Setting for safe operation: Application-specific

Table 11: Resource System Parameters

Calculating the Maximum Duration of Configuration Connections [µs]

If communication is not completely processed within a CPU cycle, it is continued at the interruption point in the next CPU cycle. This slows down the process data communication, but it also ensures that all connections to external partners are processed equally and completely.

For firmware HIMax CPU V3, the value of the maximum duration of configuration connections in SILworX is set to 6 ms by default. The time required to process communication with external partners may, however, exceed the default value in a CPU cycle.

For firmware HIMax CPU V4, the value of the maximum duration of configuration connections must be set taking the defined watchdog time into account. Suitable value: select the value such that the cyclic processor tasks can be executed within the time resulting from Watchdog Time - Max. Duration of Configuration Connections.

The volume of the process data to be communicated depends on the number of configured remote I/Os, the existing connections to the PADT and the modules within the system that have an Ethernet interface. A first setting can be calculated as follows:

  TConfig = (nCom + nRIO + nPADT) * 0.25 ms + 2 ms + 4 * TLatency

where
  TConfig   System parameter Max. Duration of Configuration Connections [ms]
  nCom      Number of modules with Ethernet interfaces {SB, CPU, COM}
  nRIO      Number of configured remote I/Os
  nPADT     Maximum number of PADT connections = 5
  TLatency  System parameter Maximum System Bus Latency [µs]

If the calculated time value is less than 6 ms, it is rounded up to 6 ms. The online statistics can be used to modify the calculated time either later in the resource properties or immediately online.

Note: When generating the code or converting the project, a warning message is displayed in the PADT if the defined Max. Duration of Configuration Connections is less than the value resulting from the previous formula.

HIMax 9 Software HI 801 003 E Rev. 4.00 Page 41 of 64

9.3.2 Hardware System Variables

These variables are used to change the behavior of the controller while it is operating in specific states.

Parameter / Switch: Force Deactivation
  Function: Used to prevent forcing and to stop it immediately
  Default setting: OFF
  Setting for safe operation: Application-specific

Parameter / Switch: Spare 0 ... Spare 16
  Function: No function
  Default setting: -
  Setting for safe operation: -

Parameter / Switch: Emergency Stop 1 ... Emergency Stop 4
  Function: Emergency stop switch to shut down the controller if faults are detected by the user program
  Default setting: OFF
  Setting for safe operation: Application-specific

Parameter / Switch: Read-only in RUN
  Function: With the exception of forcing and reload, it is not possible to perform any operations (stop, start, download) with SILworX
  Default setting: OFF
  Setting for safe operation: Application-specific

Parameter / Switch: Reload Deactivation
  Function: Prevents execution of reload
  Default setting: OFF
  Setting for safe operation: Application-specific

Table 12: Hardware System Variables

In the SILworX Hardware Editor, these system variables may be assigned global variables whose value is modified by a physical input or the user program logic.

Example: Locking and Unlocking the PES

Locking the PES locks all functions and prevents users from accessing them during operation. This also protects against unauthorized manipulation of the user program.
Unlocking the PES deactivates any locks previously set (e.g., to perform work on the controller).

The three system variables Read only in Run, Reload Deactivation and Force Deactivation may be used to lock the PES. If all three system variables are ON, no access to the controller is possible. In this case the controller can only be put into STOP state by restarting a processor module with the mode switch in the Init position. Loading a new user program is then possible.

To make a controller lockable
1. Define a global variable of type BOOL and set its initial value to FALSE.
2. Assign the global variable as output variable to the three system variables Read only in Run, Reload Deactivation, and Force Deactivation.
3. Assign the global variable to the channel value of a digital input.
4. Connect a key switch to the digital input.
5. Compile the program, load it on the controller, and start it.

The owner of a corresponding key is able to lock and unlock the controller. In case of a fault of the corresponding digital input module, the controller is unlocked.

9.4 Forcing

Forcing is the procedure by which a variable's current value is replaced with a force value. The variable receives its current value from a physical input, communication or a logic operation. If the variable is forced, its value no longer depends on the process, but is defined by the user.

WARNING
Use of forced values can disrupt the safety integrity!
Forced values may lead to incorrect output values.
Forcing prolongs the cycle time. This can cause the watchdog time to be exceeded.
Forcing is only permitted after receiving consent from the test authority responsible for the final system acceptance test.
When forcing values, the person in charge must take further technical and organizational measures to ensure that the process is sufficiently monitored in terms of safety.
HIMA recommends setting a time limit for the forcing procedure.
Refer to the System Manual (HI 801 001 E) for further details on forcing.

9.5 Safe Version Comparator

The safe SILworX version comparator can compare the following resource configuration types with one another:
- Resource configurations loaded into the controller
- Resource configurations existing in the PADT
- Exported, i.e., archived, resource configurations

The comparison result achieves SIL 3, since it is derived from loadable files and includes the CRCs.

The safe version comparator must be used to verify the changes performed to the program prior to loading it into the controller. It exactly determines the changed parts of the resource configuration. This, in turn, facilitates testing the changes and identifying the test data. Structured programming and the use of meaningful names from the first configuration version on facilitate understanding of the comparison result.

9.6 Protection against Manipulation

Together with the responsible test authority, the user must define which measures should be implemented to protect the system against manipulation.

Protective mechanisms for preventing unintentional or unapproved modifications to the safety system are integrated into the PES and SILworX:
- Each change to the user program or configuration creates a new CRC. These changes can only be transferred to the PES via download or reload.
- The operating options depend on the rights of the user logged in to the PES. SILworX prompts the user to enter a password in order to log in to the PES.
- No connection is required between the PADT and PES in RUN.

All requirements about protection against manipulation specified in the safety and application standards must be met. The operator is responsible for authorizing employees and implementing the required protective actions.
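The following is an added worked example for the Max. Duration of Configuration Connections formula in Section 9.3.1; it is not code from the HIMA manual or from SILworX. It applies the formula TConfig = (nCom + nRIO + nPADT) * 0.25 ms + 2 ms + 4 * TLatency with nPADT = 5, converts TLatency from the microseconds SILworX uses to milliseconds (the unit mismatch that is easiest to get wrong), applies the 6 ms floor, reproduces the PADT warning condition, and computes the cyclic-task budget Watchdog Time - Max. Duration for firmware V4. Function names and the plant sizes in the sample run are this example's own assumptions.

```python
# Added example (not HIMA code): calculator for the Section 9.3.1 formula.
# All function names and the sample plant sizes below are this example's own choices.

MIN_CONFIG_DURATION_MS = 6.0       # calculated values below 6 ms are rounded up to 6 ms
DEFAULT_N_PADT = 5                 # maximum number of PADT connections given in the manual
LATENCY_RANGE_US = (100, 50_000)   # permitted non-zero range of Maximum System Bus Latency


def latency_is_valid(latency_us: int) -> bool:
    """Maximum System Bus Latency may be 0 or 100...50 000 us (a value > 0 needs a license)."""
    lo, hi = LATENCY_RANGE_US
    return latency_us == 0 or lo <= latency_us <= hi


def config_duration_raw_ms(n_com: int, n_rio: int, n_padt: int = DEFAULT_N_PADT,
                           latency_us: int = 0) -> float:
    """TConfig before the 6 ms floor: (nCom + nRIO + nPADT) * 0.25 ms + 2 ms + 4 * TLatency.

    TLatency is entered in microseconds, as in the SILworX resource properties,
    and converted to milliseconds here so that every term is in ms.
    """
    if not latency_is_valid(latency_us):
        raise ValueError(f"latency {latency_us} us is outside 0 or 100...50000 us")
    latency_ms = latency_us / 1000.0
    return (n_com + n_rio + n_padt) * 0.25 + 2.0 + 4 * latency_ms


def config_duration_ms(n_com: int, n_rio: int, n_padt: int = DEFAULT_N_PADT,
                       latency_us: int = 0) -> float:
    """First setting for Max. Duration of Configuration Connections [ms], floor 6 ms."""
    return max(MIN_CONFIG_DURATION_MS,
               config_duration_raw_ms(n_com, n_rio, n_padt, latency_us))


def padt_warning(configured_ms: float, n_com: int, n_rio: int,
                 n_padt: int = DEFAULT_N_PADT, latency_us: int = 0) -> bool:
    """True if the PADT would warn: configured value below the formula result."""
    return configured_ms < config_duration_ms(n_com, n_rio, n_padt, latency_us)


def cyclic_task_budget_ms(watchdog_ms: float, configured_ms: float) -> float:
    """Firmware V4: time left for the cyclic processor tasks,
    i.e. Watchdog Time - Max. Duration of Configuration Connections."""
    return watchdog_ms - configured_ms


if __name__ == "__main__":
    # Constructed sample plant: 3 modules with Ethernet interfaces (SB, CPU, COM),
    # 2 remote I/Os, first with latency 0 and then with a licensed 2000 us latency.
    for latency in (0, 2000):
        raw = config_duration_raw_ms(3, 2, latency_us=latency)
        setting = config_duration_ms(3, 2, latency_us=latency)
        print(f"latency {latency:>5} us: raw {raw:.2f} ms -> setting {setting:.2f} ms, "
              f"PADT warning at 6 ms: {padt_warning(6.0, 3, 2, latency_us=latency)}, "
              f"cyclic budget at 50 ms watchdog: {cyclic_task_budget_ms(50.0, setting):.1f} ms")
```

With latency 0 the formula gives 4.5 ms, which the 6 ms floor raises to the V3 default; enabling a 2000 µs system bus latency adds 8 ms and pushes the first setting to 12.5 ms, so a project left at 6 ms would trigger the PADT warning and, on V4, the remaining watchdog budget shrinks accordingly.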