NOTE
Faulty operation of controller possible!
Before loading a user program for safety-related operation, the user program must be compiled twice. Both generated versions must have the same CRC.
By compiling the user program twice and comparing the checksums of the generated code, the user can detect corruption of the user program caused by sporadic faults in the hardware or operating system of the PC in use.

10.2.5 Downloading and Starting the User Program

A PES in the HIMax system cannot be downloaded until it is set to the STOP state. A load process includes all user programs of the project configuration. The system monitors that the project configuration is loaded completely. Afterwards, the user program can be started, i.e., the routine begins to be processed in cycles.

i  HIMA recommends backing up project data, e.g., on a data storage medium, after loading user programs into the controller, including after a reload. This ensures that the project data corresponding to the configuration loaded into the controller remains available even if the PADT fails. HIMA also recommends regular data backups independently of program loads.

10.2.6 Reload

If user programs were modified, the changes can be transferred to the PES during operation. After being tested by the operating system, the modified user programs are activated and take over the control task.

i  Take the following point into account when reloading step chains:
The reload information for step sequences does not take the current sequence status into account. A reload can therefore change the step sequence and set it to an undefined state. The user is responsible for this action.
Examples:
- Deleting the active step. As a result, no step of the step chain has the active state.
- Renaming the initial step while another step is active. As a result, the step chain has two active steps!
i  Take the following point into account when reloading actions:
During the reload, actions are loaded with their corresponding data. All potential consequences must be carefully analyzed prior to performing a reload.
Examples:
- If a timer action qualifier is deleted by the reload, the timer expires immediately. Depending on the remaining settings, the Q outputs can therefore be set to TRUE.
- If the status action qualifier (e.g., the S action qualifier) is deleted for a set element, the element remains set.
- Deleting a P0 action qualifier that is set to TRUE actuates the trigger.

10 User Program HIMax Page 48 of 64 HI 801 003 E Rev. 4.00

Prior to performing a reload, the operating system checks whether the additional tasks required would increase the cycle time of the current user programs to such an extent that the defined watchdog time is exceeded. In this case, the reload is aborted with an error message and the controller continues operation with the previous project configuration.

i  The controller can interrupt a reload. A successful reload is ensured by planning a sufficient reserve for the reload when determining the watchdog time, or by temporarily increasing the controller watchdog time by a reserve. Any temporary increase in the watchdog time must be coordinated with the responsible test authority. Exceeding the target cycle time can also result in a reload interruption.

The reload can only be performed if the Reload Allowed system parameter is set to ON and the Reload Deactivation system variable is set to OFF.

i  The user is responsible for ensuring that the watchdog time includes a sufficient reserve. This should allow the PES to manage the following situations:
- Variations in the user program's cycle time
- Sudden, strong cycle loads, e.g., due to communication
- Expiration of time limits during communication
For more details on the watchdog time, refer to Chapter 3.2.2.
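The reload gating described above can be written down as a pre-reload check that an engineer runs before issuing the reload command. The following is an added example, not HIMA code and not the operating system's own check: it assumes the engineer already knows the worst-case cycle time of the running programs and the per-cycle overhead the reload tasks add (in the real system the operating system measures this itself and aborts on its own). All timing values are constructed; the names ReloadRequest, check_reload, watchdog_reserve_needed and temporary_watchdog_is_acceptable are this example's own. The upper bound a temporarily raised watchdog may not exceed is passed in as a number the engineer derives from the safety time per Chapter 3.2.2; the relationship between safety time and watchdog time is deliberately not encoded here.

```python
"""Pre-reload check modelled on HIMax section 10.2.6 (added example, not HIMA code).

A reload proceeds only if
  - the Reload Allowed system parameter is ON,
  - the Reload Deactivation system variable is OFF, and
  - the additional reload tasks do not push the cycle time past the
    watchdog time (abort) or the target cycle time (possible interruption).
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class ReloadRequest:
    reload_allowed: bool          # system parameter "Reload Allowed"
    reload_deactivation: bool     # system variable "Reload Deactivation"
    cycle_time_ms: float          # measured worst-case cycle time of the running programs
    reload_overhead_ms: float     # extra time per cycle added by the reload tasks (assumed known)
    target_cycle_time_ms: float   # configured target cycle time
    watchdog_ms: float            # controller watchdog time currently in effect


def check_reload(req: ReloadRequest) -> Tuple[bool, str]:
    """Return (permitted, reason), checked in the order the manual states them."""
    if not req.reload_allowed:
        return False, "Reload Allowed is OFF"
    if req.reload_deactivation:
        return False, "Reload Deactivation is ON"
    loaded_cycle = req.cycle_time_ms + req.reload_overhead_ms
    if loaded_cycle > req.watchdog_ms:
        return False, (f"cycle time with reload {loaded_cycle:.1f} ms exceeds watchdog "
                       f"{req.watchdog_ms:.1f} ms; the controller would abort the reload")
    if loaded_cycle > req.target_cycle_time_ms:
        return False, (f"cycle time with reload {loaded_cycle:.1f} ms exceeds target cycle "
                       f"time {req.target_cycle_time_ms:.1f} ms; reload may be interrupted")
    return True, f"reload fits: {loaded_cycle:.1f} ms <= watchdog {req.watchdog_ms:.1f} ms"


def watchdog_reserve_needed(req: ReloadRequest, margin_ms: float = 0.0) -> float:
    """Extra watchdog time (ms) to plan, or to add temporarily, so the reload fits.

    margin_ms is the reserve for cycle-time variation and communication loads
    that the manual asks the user to provide. Returns 0.0 if the current
    watchdog already has enough reserve.
    """
    needed = req.cycle_time_ms + req.reload_overhead_ms + margin_ms
    return max(0.0, needed - req.watchdog_ms)


def temporary_watchdog_is_acceptable(new_watchdog_ms: float,
                                     max_watchdog_from_safety_time_ms: float) -> bool:
    """The PES cannot verify this (10.2.9): the engineer must confirm that a
    temporarily raised watchdog still satisfies the application's safety time.
    The bound is derived by the engineer from Chapter 3.2.2 and passed in;
    this example does not assume any particular formula for it."""
    return new_watchdog_ms <= max_watchdog_from_safety_time_ms


if __name__ == "__main__":
    # Constructed values: 60 ms programs, 100 ms watchdog, reload tasks add 50 ms per cycle.
    req = ReloadRequest(True, False, 60.0, 50.0, 150.0, 100.0)
    print(check_reload(req))
    print("watchdog reserve still needed (ms):", watchdog_reserve_needed(req, margin_ms=10.0))
```

With the constructed values the check refuses the reload because 110 ms exceeds the 100 ms watchdog, and reports that 20 ms of reserve is missing once a 10 ms margin for cycle-time variation is included; raising the watchdog to 130 ms makes the same reload fit, which is exactly the temporary increase that must be agreed with the test authority and checked against the safety time.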
10.2.7 Online Test

Online test fields (OLT fields) can be used in the user program logic to display variables while the controller is operating. For more information on how to use OLT fields, search the SILworX online help for the keyword OLT field and refer to the SILworX First Steps Manual (HI 801 103 E).

10.2.8 Single Step Mode

To diagnose faults during the online test, the user program can be run in single steps, i.e., cycle by cycle. Each cycle is triggered by a command from the PADT. This function can only be used if the Freeze Allowed system parameter is set to ON in the corresponding user program.

State  Description
OFF    Single step mode not possible
ON     Single step mode possible (default setting)
Table 14: User Program Switch Freeze Allowed

NOTE
Failure of safety-related operation possible!
The single step mode must not be used in safety-related operation!

10.2.9 Changing the System Parameters during Operation

Some system parameters may be changed during operation (online). One application case is temporarily increasing the watchdog time so that a reload can be performed.

Prior to using an online command to set parameters, make sure that the change will not result in a dangerous state. If required, organizational and/or technical measures must be taken to exclude an accident. The safety time and watchdog time values must be checked and compared to the safety time required by the application and to the actual cycle time. These values cannot be verified by the PES!

Table 11 specifies the parameters that can be changed during operation.

10.2.10 Program Documentation for Safety-Related Applications

SILworX allows the user to automatically print the documentation for a project.
The most important documentation includes:
- Interface declaration
- Signal list
- Logic
- Description of data types
- Configurations for system, modules and system parameters
- Network configuration
- List of signal cross-references
This documentation is required for the acceptance test of a system subject to approval by a test authority (e.g., TÜV).

10.2.11 Multitasking

Multitasking refers to the capability of the HIMax system to process up to 32 user programs within the processor module. The individual user programs can be started, stopped and loaded (even reloaded) independently of one another.

A user program cycle can take multiple processor module cycles. This can be controlled with the parameters of the resource and the user program. SILworX uses these parameters to calculate the user program watchdog time:

Watchdog time (user program) = watchdog time (processor module) * maximum number of cycles

Usually, the individual user programs run concurrently without affecting one another. However, they can influence each other through:
- Use of the same global variables in several user programs.
- Unpredictably long runtimes in individual user programs if no limit is configured with Max Duration for Each Cycle.

The distribution of a user program cycle over processor module cycles strongly affects the user program's response time and the response time of the variables written by the user program! A user program evaluates global variables written by another user program after at least one processor module cycle. In the worst case, the evaluation is delayed by 32 processor module cycles. The reaction to changes in such global variables is thus delayed!
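The watchdog formula and the global-variable delay quoted above can be made concrete with a small timing model. The following is an added example, not HIMA code and not the SILworX calculation itself; its scheduling assumptions (a reading user program evaluates global variables at the start of each of its own cycles, its cycles start at processor module cycle 0 and every "maximum number of cycles" thereafter, and a write becomes visible to other programs from the next processor module cycle) are this example's own simplification. The names UserProgram, user_program_watchdog_ms, visibility_delay, delay_bounds and simulate are assumptions, and Max Duration for Each Cycle is not modelled.

```python
"""Multitasking timing model for HIMax-style user programs (added example, not HIMA code).

Shows the watchdog formula from section 10.2.11 and why a global variable
written by one user program is seen by another only after at least 1 and at
most "maximum number of cycles" processor module (PM) cycles of the reader.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_USER_PROGRAMS = 32   # HIMax processes up to 32 user programs per processor module


@dataclass(frozen=True)
class UserProgram:
    name: str
    max_cycles: int   # "maximum number of cycles": PM cycles per user program cycle


def user_program_watchdog_ms(pm_watchdog_ms: float, max_cycles: int) -> float:
    """Watchdog time (user program) = watchdog time (PM) * maximum number of cycles."""
    if max_cycles < 1:
        raise ValueError("maximum number of cycles must be >= 1")
    return pm_watchdog_ms * max_cycles


def visibility_delay(write_pm_cycle: int, reader: UserProgram) -> int:
    """PM cycles from a write in PM cycle `write_pm_cycle` until the reader next
    evaluates its global inputs, i.e. the start of its next user program cycle.
    Assumption: the reader's cycles start at PM cycles 0, m, 2m, ... (phase 0)."""
    m = reader.max_cycles
    next_start = (write_pm_cycle // m + 1) * m   # first reader cycle start strictly after the write
    return next_start - write_pm_cycle


def delay_bounds(reader: UserProgram) -> Tuple[int, int]:
    """Best and worst case over one full reader cycle: (1, max_cycles)."""
    delays = [visibility_delay(t, reader) for t in range(reader.max_cycles)]
    return min(delays), max(delays)


def simulate(writer: UserProgram, reader: UserProgram,
             write_in_writer_cycle: int, pm_cycles: int = 256) -> Optional[int]:
    """Cycle-by-cycle cross-check of visibility_delay().

    The writer updates the shared global at the end of its
    `write_in_writer_cycle`-th user program cycle; the value becomes visible
    from the following PM cycle. Returns the delay in PM cycles until the
    reader first evaluates the new value, or None if it never does.
    """
    write_pm_cycle = (write_in_writer_cycle + 1) * writer.max_cycles - 1
    global_var = 0       # shared global variable, initially old value
    pending = None       # value written in this PM cycle, visible from the next
    for t in range(pm_cycles):
        if pending is not None:
            global_var, pending = pending, None
        # reader evaluates its global inputs at the start of each of its cycles
        if t % reader.max_cycles == 0 and global_var == 1:
            return t - write_pm_cycle
        # writer's cycle ends in this PM cycle and it writes the new value
        if t == write_pm_cycle:
            pending = 1
    return None


if __name__ == "__main__":
    # Constructed configuration: 100 ms PM watchdog, reader spread over 32 PM cycles.
    reader = UserProgram("slow_reader", MAX_USER_PROGRAMS)
    writer = UserProgram("fast_writer", 1)
    print("reader watchdog (ms):", user_program_watchdog_ms(100.0, reader.max_cycles))
    print("delay bounds (PM cycles):", delay_bounds(reader))
    print("write just after reader started:", simulate(writer, reader, 0))
    print("write just before reader's next cycle:", simulate(writer, reader, 31))
```

A writer with one PM cycle per user program cycle that writes right after the 32-cycle reader has sampled its inputs is not seen for 32 PM cycles; the same write one cycle before the reader's next start is seen after 1 PM cycle. This is the spread that the manual warns strongly affects response time, and it is the reason a user program's "maximum number of cycles" has to be chosen together with the response time the safety function needs, not only with its watchdog.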