Profisafe Communication/F-Device State Diagnostics

In a safety-related application, the safety-related communication and the operational state of safety-related devices should be monitored. This enables the Safety PLC to determine the state of the functional safety system.

For that purpose, PLCnext Technology controllers may provide system variables which report

the status of the safety-related communication between the Safety PLC and the Profisafe F-Devices.
the operational state and condition of the configured Profinet F-Devices.

In PLCnext Engineer, such diagnostic system variables should be evaluated in the application program, e.g., by programming an edge detection which reacts on the toggling of the Boolean values.

To inform the standard application about the condition of the functional safety application, the system variables can be assigned to exchange variables of the standard controller. Refer to the topic "Exchanging Data between Controller and Safety PLC" for details.

In case of a safety-related device/communication error, the machine must enter the defined safe state.

WARNING

Unintended machine operation

Make sure that your risk analysis includes a possible temporary or permanent malfunction of a safety-related device/module or of the communication between devices (F-Devices) and the Safety PLC (i.e., F-Host).

Use the relevant diagnostic system variables provided by the Safety PLC to monitor the status of the Profisafe communication between F-Host and the F-Devices involved in your safety application.

Verify that the machine enters the defined safe state (in accordance with the risk analysis) depending on the result of the system variables evaluation.

Use appropriate safety interlocks where personnel and/or equipment hazards exist.

Validate the overall safety function and test the application.

Two categories of diagnostic Profisafe system variables are distinguished:

F-Device-related system variables: available for each configured Profisafe device. Such device-related system variables contain the F-address (XXXXX) of the affected device in the variable name: F_ADDR_XXXX_*.
Global system variables for F-Devices which summarize all configured F-Devices. A global system variable is set to TRUE, if the respective condition applies to at least one configured F-Device.

The creation of these system variables can be enabled/disabled in PLCnext Engineer as described below.

Note
Besides the diagnostic system variables, also variables for the device management may be available. Refer to the respective controller user manual for details.

Note
F-Parameters and I-Parameters - Term definition
The address parameters (source address of the F-Host and F-Device destination addresses) are collectively referred to as F-Parameters. Within a Profisafe network, these addresses must be unique.
The term I-Parameters refers to the data record consisting of the safety logic and the safety-related channel parameters (input/output parameters). This means, I-Parameters specify the configured safety function and the channel parameters of the devices concerned. In the 'Safety Parameters' editor of the respective device in PLCnext Engineer, they are listed in channel-related parameter categories.

Monitoring the Profisafe Communication

With regard to the monitoring of the Profisafe communication, two different error types are distinguished and different diagnostic system variables are relevant:

Error type Relevant diagnostic system variable

Checksum error

Checksum-related error detected by an F-Device: system variables *CE_CRC.
The system variable is available F-Device-related (F_ADDR_XXXXX_CE_CRC) and globally (CE_CRC_GLOBAL).

Communication error detected by local F-Host driver: system variables *CE_CRC_H.
The system variable is available F-Device-related (F_ADDR_XXXXX_CE_CRC_H) and globally (CE_CRC_H_GLOBAL).

Watchdog exceeded

Watchdog error detected by F-Device: system variables *_WD_TIMEOUT.
The system variable is available F-Device-related (F_ADDR_XXXXX_WD_TIMEOUT) and globally (WD_TIME_OUT_GLOBAL).

Watchdog error detected by local F-Host driver: system variables *_WD_TIMEOUT_H.
The system variable is available F-Device-related (F_ADDR_XXXXX_WD_TIMEOUT_H) and globally (WD_TIMEOUT_H_GLOBAL).

How to set the F-Device watchdog time in PLCnext Engineer

In the PLANT, expand the 'Profinet' node and the node of the safety-related F-Device to be parameterized.

Double-click the Profinet submodule node and open the 'Safety Parameters' editor. Example:

In the 'F_Parameters' category set the 'F_WD_Time' parameter to configure the watchdog time.

Failed loopback check Communication error reported by an F-Host and detected when performing a loopback check.
The system variable is available F-Device-related (F_ADDR_XXXXX_LOOPBACK) and globally LOOPBACK_GLOBAL.

Error type	Relevant diagnostic system variable
Checksum error	Checksum-related error detected by an F-Device: system variables CE_CRC. The system variable is available F-Device-related (F_ADDR_XXXXX_CE_CRC) and globally (CE_CRC_GLOBAL). Communication error detected by local F-Host driver: system variables CE_CRC_H. The system variable is available F-Device-related (F_ADDR_XXXXX_CE_CRC_H) and globally (CE_CRC_H_GLOBAL).
Watchdog exceeded	Watchdog error detected by F-Device: system variables _WD_TIMEOUT. The system variable is available F-Device-related (F_ADDR_XXXXX_WD_TIMEOUT) and globally (WD_TIME_OUT_GLOBAL). Watchdog error detected by local F-Host driver: system variables _WD_TIMEOUT_H. The system variable is available F-Device-related (F_ADDR_XXXXX_WD_TIMEOUT_H) and globally (WD_TIMEOUT_H_GLOBAL). How to set the F-Device watchdog time in PLCnext Engineer In the PLANT, expand the 'Profinet' node and the node of the safety-related F-Device to be parameterized. Double-click the Profinet submodule node and open the 'Safety Parameters' editor. Example: In the 'F_Parameters' category set the 'F_WD_Time' parameter to configure the watchdog time.
Failed loopback check	Communication error reported by an F-Host and detected when performing a loopback check. The system variable is available F-Device-related (F_ADDR_XXXXX_LOOPBACK) and globally LOOPBACK_GLOBAL.

Further Info
For a detailed description of all available Profisafe system variables, refer to the respective controller user manual.
For the RFC 4072S controller, read chapter 8 "System variables" of the user manual "Installation and operation in the RFC 4072S Remote Field Controller with integrated safety-related PROFINET controller (part. no. 108580_en_01).

Monitoring the Profisafe Device Status

With regard to the monitoring of the operational state of Profisafe F-Devices, the following status types are distinguished and different diagnostic system variables are relevant:

Status type Relevant diagnostic system variable

Device passivated F-Device has been passivated.
The system variable is available F-Device-related (F_ADDR_XXXXX_PASS_OUT) and globally (PASS_OUT_GLOBAL).
Possible reasons for the device passivation:

Passivation was requested out of the application by setting the device management system variable F_ADDR_XXXXX_PASS_ON to TRUE.

A communication, device, or parameterization errors exists (see F_ADDR_ XXXXX_ACK_REQ system variable).

Device waits for operator acknowledge F-Device requires an operator acknowledge request after removing a communication, or CRC, watchdog or F-Device error.
The system variable is available F-Device-related (F_ADDR_XXXXX_ACK_REQ) and globally (ACK_REQ_GLOBAL).
Acknowledgement can be done after removing the error cause by setting the device-related management system variable F_ADDR_XXXXX_ACK_REI or the global management variable ACK_REI_GLOBAL to TRUE. Observe the hazard message below this table.

Device fault Error in an F-Device.
The system variable is available F-Device-related (F_ADDR_XXXXX_DEVICE_FAULT) and globally (DEVICE_FAULT_GLOBAL).
After such a device error has been reported, proceed as follows:

Remove the cause of the error.

Perform an acknowledgment by switching the device-specific management system variable F_ADDR_XXXXX_ACK_REI or the global management variable ACK_REI_GLOBAL to TRUE.
Observe the hazard message below this table.

Channel fault and acknowledgement Channel fault of an F-Device waits for acknowledgement by the operator.
The system variable is available F-Device-related (F_ADDR_XXXXX_CHF_ACK_REQ) and globally (CHF_ACK_REQ_GLOBAL).
After such a channel error has been reported, proceed as follows:

Remove the cause of the error.

Perform an acknowledgment by switching the device-related management system variable F_ADDR_XXXXX_ACK_REI or the global management variable CHF_ACK_REI_GLOBAL to TRUE.
Observe the hazard message below this table.

I-Parameters applied The F-Device with the F-address XXXXX indicates that the I-Parameters have been applied: F_ADDR_XXXXX_IPAR_OK
Applying the I-Parameters of an F-Device is initiated by setting the device management system variable F_ADDR_XXXXX_IPAR_EN to TRUE. For detailed information on the device-specific process of applying I-Parameters, please refer to the user manual of the respective device.
Observe the hazard message below this table.

Status type	Relevant diagnostic system variable
Device passivated	F-Device has been passivated. The system variable is available F-Device-related (F_ADDR_XXXXX_PASS_OUT) and globally (PASS_OUT_GLOBAL). Possible reasons for the device passivation: Passivation was requested out of the application by setting the device management system variable F_ADDR_XXXXX_PASS_ON to TRUE. A communication, device, or parameterization errors exists (see F_ADDR_ XXXXX_ACK_REQ system variable).
Device waits for operator acknowledge	F-Device requires an operator acknowledge request after removing a communication, or CRC, watchdog or F-Device error. The system variable is available F-Device-related (F_ADDR_XXXXX_ACK_REQ) and globally (ACK_REQ_GLOBAL). Acknowledgement can be done after removing the error cause by setting the device-related management system variable F_ADDR_XXXXX_ACK_REI or the global management variable ACK_REI_GLOBAL to TRUE. Observe the hazard message below this table.
Device fault	Error in an F-Device. The system variable is available F-Device-related (F_ADDR_XXXXX_DEVICE_FAULT) and globally (DEVICE_FAULT_GLOBAL). After such a device error has been reported, proceed as follows: Remove the cause of the error. Perform an acknowledgment by switching the device-specific management system variable F_ADDR_XXXXX_ACK_REI or the global management variable ACK_REI_GLOBAL to TRUE. Observe the hazard message below this table.
Channel fault and acknowledgement	Channel fault of an F-Device waits for acknowledgement by the operator. The system variable is available F-Device-related (F_ADDR_XXXXX_CHF_ACK_REQ) and globally (CHF_ACK_REQ_GLOBAL). After such a channel error has been reported, proceed as follows: Remove the cause of the error. Perform an acknowledgment by switching the device-related management system variable F_ADDR_XXXXX_ACK_REI or the global management variable CHF_ACK_REI_GLOBAL to TRUE. Observe the hazard message below this table.
I-Parameters applied	The F-Device with the F-address XXXXX indicates that the I-Parameters have been applied: F_ADDR_XXXXX_IPAR_OK Applying the I-Parameters of an F-Device is initiated by setting the device management system variable F_ADDR_XXXXX_IPAR_EN to TRUE. For detailed information on the device-specific process of applying I-Parameters, please refer to the user manual of the respective device. Observe the hazard message below this table.

WARNING

Unintended start-up

Make sure that executing an operator acknowledgment or applying I-Parameters cannot result in any hazardous situations.

Make sure that appropriate procedures and measures (according to applicable sector standards) have been taken before executing an operator acknowledgment or applying I-Parameters.

Do not enter the zone of operation and ensure that no other persons can access the zone of operation when executing an operator acknowledgment or applying I-Parameters.

Use appropriate safety interlocks where personnel and/or equipment hazards exist.

Enabling the creation of diagnostic Profisafe system variables

For each diagnostic Profisafe system variable the Safety PLC involved provides, you can determine whether the variable is to be created in PLCnext Engineer or not. This way, the number of available system variables in the Safety PLC Data List can be limited according to your requirements.
By default, the most important and commonly used variables are set to 'create'.

Proceed as follows:

In the PLANT, double-click the 'Safety PLC' node and open the 'Settings' editor.
In the Profisafe categories set those variables to 'create' which you want to use for monitoring and evaluation purposes in your application.