Notes on implemented behavior for PLCopen function blocks

When using the PLCopen blocks (details on these blocks: see Neuron Power Engineer user documentation, "PLCopen blocks"), comply with the following warnings and notes:

Note 1

Applies to all PLCopen blocks:

Warning 1

Applies to all PLCopen blocks: An input variable declared as constant in TC5 Safety Software (2.01) must not change its value after a function block has been activated (i.e. once the block is no longer in the "Idle" state).

Warning 2

Applies to the SF_ResetButton block: The value of the input TrailingMinimum must not be less than 100 ms and 2 PLC cycles.

Warning 3

Applies to the SF_Override block: The value of the input MaxOverrideTime must not be greater than 10 min.

Assumptions and implementation decisions

SF_Antivalent block

none

SF_EDM block

  • In the specification, transitions 8810_Cx10, 8810_Cx20 and 8810_Cx30 all carry the same guard condition "S_OutControl AND NOT EDM1 AND / OR NOT EDM2". This has been split into three transitions to the respective states. Based on the descriptions of the error states (Cx10, Cx20 and Cx30), this led to the following design decision:

    Transition | Specification                               | Implementation
    -----------|---------------------------------------------|---------------------------------------
    8810_Cx10  | S_OutControl AND NOT EDM1 AND / OR NOT EDM2 | S_OutControl AND NOT EDM1 AND EDM2
    8810_Cx20  | S_OutControl AND NOT EDM1 AND / OR NOT EDM2 | S_OutControl AND EDM1 AND NOT EDM2
    8810_Cx30  | S_OutControl AND NOT EDM1 AND / OR NOT EDM2 | S_OutControl AND NOT EDM1 AND NOT EDM2

  • In the specification, transitions 8810_Cx40, 8810_Cx50 and 8810_Cx60 all carry the same guard condition "MonitoringTime elapsed AND NOT EDM1 AND / OR NOT EDM2". This has been split into three transitions to the respective states. Based on the descriptions of the error states (Cx40, Cx50 and Cx60), this led to the following design decision:

    Transition | Specification                                         | Implementation
    -----------|-------------------------------------------------------|-------------------------------------------------
    8810_Cx40  | MonitoringTime elapsed AND NOT EDM1 AND / OR NOT EDM2 | MonitoringTime elapsed AND NOT EDM1 AND EDM2
    8810_Cx50  | MonitoringTime elapsed AND NOT EDM1 AND / OR NOT EDM2 | MonitoringTime elapsed AND EDM1 AND NOT EDM2
    8810_Cx60  | MonitoringTime elapsed AND NOT EDM1 AND / OR NOT EDM2 | MonitoringTime elapsed AND NOT EDM1 AND NOT EDM2

  • In the specification, transitions 8000_C070, 8000_C080 and 8000_C090 all carry the same guard condition "MonitoringTime elapsed AND (EDM1 OR EDM2)". This has been split into three transitions to the respective states. Based on the descriptions of the error states (C070, C080 and C090), this led to the following design decision:

    Transition | Specification                             | Implementation
    -----------|-------------------------------------------|---------------------------------------------
    8000_C070  | MonitoringTime elapsed AND (EDM1 OR EDM2) | MonitoringTime elapsed AND EDM1 AND NOT EDM2
    8000_C080  | MonitoringTime elapsed AND (EDM1 OR EDM2) | MonitoringTime elapsed AND NOT EDM1 AND EDM2
    8000_C090  | MonitoringTime elapsed AND (EDM1 OR EDM2) | MonitoringTime elapsed AND EDM1 AND EDM2
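
    As an added check (not code from the specification or from the library), the following Python script enumerates all input combinations and verifies that each three-way split above is a partition of its specification guard: the implemented guards never fire together, and as a group they fire exactly when the specification guard fires. The reading of "AND / OR" as "at least one EDM input is FALSE", the input name MonitoringTimeElapsed and the function names are assumptions of this example; the last case deliberately breaks one guard to show what the check reports.

```python
from itertools import product

# Inputs that occur in the SF_EDM guard conditions above. "MonitoringTimeElapsed"
# stands for the "MonitoringTime elapsed" condition of the state diagram (assumed name).
INPUTS = ("S_OutControl", "EDM1", "EDM2", "MonitoringTimeElapsed")

def check_split(spec_guard, impl_guards):
    """Enumerate every input combination and check that the implemented guards
    (1) never fire together, so the successor state is unique, and (2) fire, as a
    group, exactly when the specification guard fires. Returns (ok, problems)."""
    problems = []
    for values in product((False, True), repeat=len(INPUTS)):
        env = dict(zip(INPUTS, values))
        firing = [name for name, guard in impl_guards.items() if guard(env)]
        if len(firing) > 1:
            problems.append(("not exclusive", env, firing))
        if bool(firing) != bool(spec_guard(env)):
            problems.append(("coverage mismatch", env, firing))
    return not problems, problems

# 8810_Cx10/Cx20/Cx30: the specification's "AND / OR" is read as
# "at least one EDM input is FALSE" (assumption of this example).
spec_8810 = lambda e: e["S_OutControl"] and (not e["EDM1"] or not e["EDM2"])
impl_8810 = {
    "8810_Cx10": lambda e: e["S_OutControl"] and not e["EDM1"] and e["EDM2"],
    "8810_Cx20": lambda e: e["S_OutControl"] and e["EDM1"] and not e["EDM2"],
    "8810_Cx30": lambda e: e["S_OutControl"] and not e["EDM1"] and not e["EDM2"],
}
# 8810_Cx40/Cx50/Cx60: the same split, triggered by the elapsed monitoring time.
spec_8810_timeout = lambda e: e["MonitoringTimeElapsed"] and (not e["EDM1"] or not e["EDM2"])
impl_8810_timeout = {
    "8810_Cx40": lambda e: e["MonitoringTimeElapsed"] and not e["EDM1"] and e["EDM2"],
    "8810_Cx50": lambda e: e["MonitoringTimeElapsed"] and e["EDM1"] and not e["EDM2"],
    "8810_Cx60": lambda e: e["MonitoringTimeElapsed"] and not e["EDM1"] and not e["EDM2"],
}
# 8000_C070/C080/C090.
spec_8000 = lambda e: e["MonitoringTimeElapsed"] and (e["EDM1"] or e["EDM2"])
impl_8000 = {
    "8000_C070": lambda e: e["MonitoringTimeElapsed"] and e["EDM1"] and not e["EDM2"],
    "8000_C080": lambda e: e["MonitoringTimeElapsed"] and not e["EDM1"] and e["EDM2"],
    "8000_C090": lambda e: e["MonitoringTimeElapsed"] and e["EDM1"] and e["EDM2"],
}
# A deliberately wrong split (Cx30 guard too broad) to show what the check reports.
impl_8810_bad = dict(impl_8810)
impl_8810_bad["8810_Cx30"] = lambda e: e["S_OutControl"] and not e["EDM1"]

if __name__ == "__main__":
    cases = (("8810_Cx10..Cx30", spec_8810, impl_8810),
             ("8810_Cx40..Cx60", spec_8810_timeout, impl_8810_timeout),
             ("8000_C070..C090", spec_8000, impl_8000),
             ("8810_Cx10..Cx30 (broken)", spec_8810, impl_8810_bad))
    for label, spec, impl in cases:
        ok, problems = check_split(spec, impl)
        print(label, "OK" if ok else f"{len(problems)} problem(s)")
        for kind, env, firing in problems:
            print("   ", kind, {k: int(v) for k, v in env.items()}, firing)
```

    The same enumeration applies unchanged to any other guard split on this page, for example the B1 OR B2 splits of the two-hand control blocks.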

  • Transitions Cx10_C011, Cx20_C021 and Cx30_C031 have no clearly defined guard condition in the state diagram. Based on the descriptions of the error states (C011, C021 and C031), this led to the following design decision:

    Transition | Specification                                                                                                     | Implementation
    -----------|-------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------
    Cx10_C011  | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1 AND / OR EDM2) | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1)
    Cx20_C021  | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1 AND / OR EDM2) | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM2)
    Cx30_C031  | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1 AND / OR EDM2) | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1 AND R_TRIG at EDM2)

  • Transitions Cx40_C041, Cx50_C051 and Cx60_C061 have no clearly defined guard condition in the state diagram. Based on the descriptions of the error states (C041, C051 and C061), this led to the following design decision:

    Transition | Specification                                                                                                     | Implementation
    -----------|-------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------
    Cx40_C041  | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1 AND / OR EDM2) | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1)
    Cx50_C051  | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1 AND / OR EDM2) | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM2)
    Cx60_C061  | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1 AND / OR EDM2) | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1 AND R_TRIG at EDM2)

  • Clarification of the note in the state diagram ("The x in Cx is 0 when only one of the EDMs is TRUE, and it is 4 if both EDMs are TRUE"): the transition between these two states has the lowest priority, since signaling the error (Reset Error) or switching back to Output_Enable is more important.

  • In the PLCopen specification, the placeholder "R" (whose value depends on the inputs EDM1 and EDM2) is specified for the variable ResetRequest in the states EDM_Error_11, EDM_Error_12, EDM_Error_21, EDM_Error_22 and EDM_Error_23. For the state EDM_Error_13 this placeholder is not defined.
    Assumption: For EDM_Error_13 it is assumed that ResetRequest also contains this placeholder.

  • The state EDM_Error_XX is split into the states EDM_Error_XX_One_EDM (DiagCode C0x0, ResetRequest = FALSE) and EDM_Error_XX_Both_EDM (DiagCode C4x0, ResetRequest = TRUE), where "XX" is 11, 12, 13 and 21, 22, 23, and "x" is 1, 2, 3 and 4, 5, 6.
    Furthermore, once one of these states (C0x0 or C4x0) is reached, the block still changes from one state to the other when EDM1 or EDM2 changes.
    This implementation decision, in combination with the ones above, results in the following concrete transitions being implemented:

    Transition | Guard Condition
    -----------|----------------------------------------------------------------------------------------------------------------
    8810_C010  | S_OutControl AND NOT EDM1 AND EDM2
    8810_C020  | S_OutControl AND EDM1 AND NOT EDM2
    8810_C030  | S_OutControl AND NOT EDM1 AND NOT EDM2
    8810_C040  | MonitoringTime elapsed AND NOT EDM1 AND EDM2
    8810_C050  | MonitoringTime elapsed AND EDM1 AND NOT EDM2
    8810_C060  | MonitoringTime elapsed AND NOT EDM1 AND NOT EDM2
    C010_C011  | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1)
    C010_C410  | EDM1 AND EDM2
    C010_8810  | R_TRIG at Reset AND EDM1 AND EDM2
    C020_C021  | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM2)
    C020_C420  | EDM1 AND EDM2
    C020_8810  | R_TRIG at Reset AND EDM1 AND EDM2
    C030_C031  | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1 AND R_TRIG at EDM2)
    C030_C430  | EDM1 AND EDM2
    C030_8810  | R_TRIG at Reset AND EDM1 AND EDM2
    C040_C041  | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1)
    C040_C440  | EDM1 AND EDM2
    C040_8810  | R_TRIG at Reset AND EDM1 AND EDM2
    C050_C051  | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM2)
    C050_C450  | EDM1 AND EDM2
    C050_8810  | R_TRIG at Reset AND EDM1 AND EDM2
    C060_C061  | (Reset AND NOT R_TRIG at Reset AND EDM1 AND EDM2) OR (R_TRIG at Reset AND R_TRIG at EDM1 AND R_TRIG at EDM2)
    C060_C460  | EDM1 AND EDM2
    C060_8810  | R_TRIG at Reset AND EDM1 AND EDM2
    C011_C010  | NOT Reset
    C021_C020  | NOT Reset
    C031_C030  | NOT Reset
    C041_C040  | NOT Reset
    C051_C050  | NOT Reset
    C061_C060  | NOT Reset
    C410_8810  | R_TRIG at Reset AND EDM1 AND EDM2
    C420_8810  | R_TRIG at Reset AND EDM1 AND EDM2
    C430_8810  | R_TRIG at Reset AND EDM1 AND EDM2
    C440_8810  | R_TRIG at Reset AND EDM1 AND EDM2
    C450_8810  | R_TRIG at Reset AND EDM1 AND EDM2
    C460_8810  | R_TRIG at Reset AND EDM1 AND EDM2

SF_EmergencyStop block

none

SF_EnableSwitch block

none

SF_Equivalent block

none

SF_ESPE block

none

SF_Guard block

In the state diagram the state with the DiagCode 8802 is referred to as "Opening Started". In the table of FB-specific status codes, the name "Open Guard Request" is used instead.
It was decided that the implementation should use the name "Open Guard Request".

SF_GuardLocking_2 block

  • The state Init is split into the states Init_S_Guard_And_S_GuardLock_True (DiagCode 8401) and Init_S_Guard_Or_S_GuardLock_False (DiagCode 8801).
    Furthermore, once one of these states (8401 or 8801) is reached, the block still changes from one state to the other when S_Guard and S_GuardLock meet the respective condition.

  • The state Safety_Lost is split into the states Safety_Lost_S_Guard_And_S_GuardLock_True (DiagCode C450) and Safety_Lost_S_Guard_Or_S_GuardLock_False (DiagCode C050). Furthermore, once one of these states (C450 or C050) is reached, the block still changes from one state to the other when S_Guard and S_GuardLock meet the respective condition.

SF_GuardLockingSerial block

  • The state Init is split into the states Init_S_Guard_True (DiagCode 8401) and Init_S_Guard_False (DiagCode 8801).
    Furthermore, once one of these states (8401 or 8801) is reached, the block still changes from one state to the other when S_Guard changes.

    Init_S_Guard_False is only reachable from Idle. (From Init_S_Guard_True the transition to either 8822 or C010 will be triggered when S_Guard is FALSE.)

    A self-transition from Init_S_Guard_False to Init_S_Guard_False is also impossible.

  • The state Safety_Lost is split into the states Safety_Lost_S_Guard_True (DiagCode C450) and Safety_Lost_S_Guard_False (DiagCode C050).
    Furthermore, once one of these states (C450 or C050) is reached, the block still changes from one state to the other when S_Guard changes.

  • The state Unlock_Request_Error is split into the states Unlock_Request_Error_S_Guard_True (DiagCode C440) and Unlock_Request_Error_S_Guard_False (DiagCode C040).
    Furthermore, once one of these states (C440 or C040) is reached, the block still changes from one state to the other when S_Guard changes.

    C040 is not reachable from 8410. (From C040 the transition to 8822 will be triggered when S_Guard is FALSE.)

  • Transitions 8812_8430 and 8812_8000 from the state Wait_For_Operator are inconsistent: transition 8812_8430 has the condition S_Guard and transition 8812_8000 has S_Guard AND NOT S_AutoReset, which makes transition 8812_8000 unreachable.
    Assumption: The following guard conditions are correct (this change was also proposed and accepted for V2.02):

    Transition | Condition
    -----------|---------------------------
    8812_8430  | S_Guard AND NOT S_AutoReset
    8812_8000  | S_Guard AND S_AutoReset

SF_OutControl block

none

SF_Override block

  • The following statement is missing from the end of the state diagram:

    Note: The transition from any state to the Idle state due to Activate = FALSE is not shown. However these transitions have the highest priority (0).

    This is present in every other diagram, thus it is assumed that it was incorrectly omitted.

  • The following expression is given in the state diagram:

    MutingSwitch* = (MutingSwitch11 OR MutingSwitch12 OR MutingSwitch21 OR MutingSwitch 21)

    The following intended meaning is assumed:

    MutingSwitch* = (MutingSwitch11 OR MutingSwitch12 OR MutingSwitch21 OR MutingSwitch22)

  • The following descriptions are given for the states "Safety Demand AOPD", "Override Interrupt" and "Override Active":

    State              | Description
    -------------------|--------------------------------------------------------------------------------------------------------------------------------
    Safety Demand AOPD | Protection field interrupted and muting not active or override is not active, and the timer for the MaxOverrideTime will be reset.
    Override Interrupt | The override start signal is set to FALSE during the override process. The timer for the MaxOverrideTime is still running.
    Override Active    | Override is active and the timer for the MaxOverrideTime is starting to run.

    Based on this information, the following assumptions are made:

    • Only switching to "Safety Demand AOPD" resets the timer for MaxOverrideTime.

    • Switching from "Override Interrupt" to "Override Active" does NOT reset or restart the timer for MaxOverrideTime.
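
    As an added illustration (not code from the specification or from the library), the following Python model encodes the two assumptions above: the MaxOverrideTime timer keeps running through "Override Interrupt", is not restarted on re-entering "Override Active", and is only reset by "Safety Demand AOPD". The cycle-based timer, its API and the 10 ms cycle time are assumptions of this example.

```python
# Constructed model of the MaxOverrideTime handling assumed above. State names
# follow the state diagram; the cycle-based timer and its API are assumptions.
SAFETY_DEMAND_AOPD = "Safety Demand AOPD"
OVERRIDE_ACTIVE = "Override Active"
OVERRIDE_INTERRUPT = "Override Interrupt"

class MaxOverrideTimer:
    """Tracks the MaxOverrideTime timer across the three override states."""

    def __init__(self, max_override_time_ms):
        self.limit_ms = max_override_time_ms
        self.elapsed_ms = 0
        self.running = False
        self.state = None

    def enter(self, state):
        if state == SAFETY_DEMAND_AOPD:
            # Assumption 1: only this state resets the timer.
            self.elapsed_ms = 0
            self.running = False
        elif state == OVERRIDE_ACTIVE:
            # The timer starts running here. Assumption 2: coming back from
            # Override Interrupt neither resets nor restarts it, so any
            # already elapsed time is kept.
            self.running = True
        elif state == OVERRIDE_INTERRUPT:
            # The start signal dropped, but the timer keeps running.
            pass
        else:
            raise ValueError(f"unknown state {state!r}")
        self.state = state

    def cycle(self, cycle_time_ms):
        """Advance one PLC cycle; returns True once MaxOverrideTime is reached."""
        if self.running:
            self.elapsed_ms += cycle_time_ms
        return self.expired()

    def expired(self):
        return self.running and self.elapsed_ms >= self.limit_ms

def run_sequence(steps, max_override_time_ms, cycle_time_ms=10):
    """Drive the timer through (state, number_of_cycles) steps and return
    (elapsed_ms, expired) at the end of the sequence."""
    timer = MaxOverrideTimer(max_override_time_ms)
    for state, cycles in steps:
        timer.enter(state)
        for _ in range(cycles):
            timer.cycle(cycle_time_ms)
    return timer.elapsed_ms, timer.expired()

if __name__ == "__main__":
    # 300 ms active, 200 ms interrupted, 100 ms active again: the timer has
    # accumulated 600 ms, so a MaxOverrideTime of 500 ms is exceeded -> (600, True)
    seq = [(SAFETY_DEMAND_AOPD, 1), (OVERRIDE_ACTIVE, 30),
           (OVERRIDE_INTERRUPT, 20), (OVERRIDE_ACTIVE, 10)]
    print(run_sequence(seq, 500))
    # Returning to Safety Demand AOPD is the only thing that resets it -> (0, False)
    print(run_sequence(seq + [(SAFETY_DEMAND_AOPD, 1)], 500))
```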

SF_PSE block

none

SF_ResetButton block

  • The specification provides the following description for the state 8000 "Reset Detected":

    Valid reset behavior was detected.
    The state is valid for at least one cycle and will automatically transfer to 83E2.

    It was decided that in the implementation the state shall automatically transfer to 83E2 after exactly one cycle.

  • The state diagram shows an output named ResetEvaluation. It is assumed that this name is a synonym for the output ResetOut.

  • The specification dictates a minimum value of 2 PLC cycles for the input TrailingMinimum.
    From a technical point of view it is currently not possible to implement an adequate parameter check, as the standard library block SysTaskCycleTime cannot be used in safety projects.

SF_SafetyRequest block

none

SF_TestableSafetySensor block

  • The state Test_Error_1 is split into the states Test_Error_1 (Diag Code C410) and Test_Error_2 (Diag Code C010).
    Furthermore, once one of these states (C410 or C010) is reached, the block still changes from one state to the other when S_OSSD_In or NoExternalTest changes.
    Depending on the inputs, a "NOT Reset" in Reset_Error_3 will lead either to Test_Error_1 or to Test_Error_2.
    The transitions resulting from this decision are shown in the table below:

    Source State (Diag Code, Name) | Target State (Diag Code, Name) | Priority | Guard Condition
    -------------------------------|--------------------------------|----------|-------------------------------------------------------------------------
    8020 Test Request              | C410 Test Error 1              | 1        | TestTime (Timer1) elapsed AND S_OSSD_In AND NoExternalTest
    8020 Test Request              | C010 Test Error 2              | 1        | TestTime (Timer1) elapsed AND NOT (S_OSSD_In AND NoExternalTest)
    8030 Test Active               | C410 Test Error 1              | 1        | TestTime (Timer2) elapsed AND S_OSSD_In AND NoExternalTest
    8030 Test Active               | C010 Test Error 2              | 1        | TestTime (Timer2) elapsed AND NOT (S_OSSD_In AND NoExternalTest)
    C021 Reset Error 3             | C410 Test Error 1              | 1        | NOT Reset AND S_OSSD_In AND NoExternalTest
    C021 Reset Error 3             | C010 Test Error 2              | 1        | NOT Reset AND NOT (S_OSSD_In AND NoExternalTest)
    C410 Test Error 1              | C021 Reset Error 3             | 1        | Reset AND NOT R_TRIG at Reset
    C410 Test Error 1              | 8002 External Function Test    | 2        | R_TRIG at Reset AND NOT NoExternalTest
    C410 Test Error 1              | 8010 ESPE Free No Test         | 3        | S_OSSD_In AND NOT R_TRIG at S_OSSD_In AND R_TRIG at Reset AND NoExternalTest
    C410 Test Error 1              | C010 Test Error 2              | 4        | NOT (S_OSSD_In AND NoExternalTest)
    C010 Test Error 2              | C021 Reset Error 3             | 1        | Reset AND NOT R_TRIG at Reset
    C010 Test Error 2              | 8002 External Function Test    | 2        | R_TRIG at Reset AND NOT NoExternalTest
    C010 Test Error 2              | 8010 ESPE Free No Test         | 3        | S_OSSD_In AND NOT R_TRIG at S_OSSD_In AND R_TRIG at Reset AND NoExternalTest
    C010 Test Error 2              | C410 Test Error 1              | 4        | S_OSSD_In AND NoExternalTest

  • In the state diagram only the guard condition "TestTime > 150ms" leads to Parameter_Error (Diag Code C000). The description of state C000, however, states that TestTime has to be between 0ms and 150ms.
    Assumption:
    The guard condition that leads to C000 is "TestTime < 0ms OR TestTime > 150ms".

SF_TwoHandControlTypeII block

  • The state diagram refers to B1 and B2. A note in the state diagram says that B1 means the input S_Button1 and B2 the input S_Button2.

  • In the specification, transitions 8001_C010, 8001_C020 and 8001_C030 all carry the same guard condition B1 OR B2. This has been split into three transitions to the respective states. Based on the descriptions of the error states (C010, C020 and C030), this led to the following design decision (as per the note above, B1 in the table refers to S_Button1 and B2 to S_Button2):

    Transition | Specification | Implementation
    -----------|---------------|---------------
    8001_C010  | B1 OR B2      | B1 AND NOT B2
    8001_C020  | B1 OR B2      | NOT B1 AND B2
    8001_C030  | B1 OR B2      | B1 AND B2

  • The guard condition of transition 8802_8804 is B1 and that of transition 8802_8806 is B2. The specification does not explicitly mention that in each case the other S_Button is FALSE.

    Transition | Specification | Implementation
    -----------|---------------|---------------
    8802_8804  | B1            | B1 AND NOT B2
    8802_8806  | B2            | NOT B1 AND B2

SF_TwoHandControlTypeIII block

  • The state diagram refers to B1 and B2. Assumption: B1 means the input S_Button1 and B2 the input S_Button2.

  • In the specification, transitions 8001_C010, 8001_C020 and 8001_C030 all carry the same guard condition B1 OR B2. This has been split into three transitions to the respective states. Based on the descriptions of the error states (C010, C020 and C030), this led to the following design decision (as per the assumption above, B1 in the table refers to S_Button1 and B2 to S_Button2):

    Transition | Specification | Implementation
    -----------|---------------|---------------
    8001_C010  | B1 OR B2      | B1 AND NOT B2
    8001_C020  | B1 OR B2      | B2 AND NOT B1
    8001_C030  | B1 OR B2      | B1 AND B2

  • Transitions 8806_C040, 8806_C050 and 8806_C060 as well as 8804_C040, 8804_C050 and 8804_C060 all have the same guard condition Timer elapsed (>500ms). As soon as this guard condition is met, S_Button1 and S_Button2 are additionally checked to determine the resulting error state. The state Error 2 from the state diagram is therefore also modeled as three different states. This leads to the following design decision:

    Transition | Specification          | Implementation                           | Note
    -----------|------------------------|------------------------------------------|----------------------------------------------------------------------------
    8804_C040  | Timer elapsed (>500ms) | not implemented                          | see note (1)
    8804_C050  | Timer elapsed (>500ms) | Timer elapsed (>500ms) AND B1 AND NOT B2 | -
    8804_C060  | Timer elapsed (>500ms) | Timer elapsed (>500ms) AND B1 AND B2     | This rare edge case is explicitly mentioned by the technical specification.
    8806_C040  | Timer elapsed (>500ms) | Timer elapsed (>500ms) AND B2 AND NOT B1 | -
    8806_C050  | Timer elapsed (>500ms) | not implemented                          | see note (2)
    8806_C060  | Timer elapsed (>500ms) | Timer elapsed (>500ms) AND B1 AND B2     | This rare edge case is explicitly mentioned by the technical specification.

    (1) C040 would only be reachable in the extreme edge case where Button 1 and Button 2 switch their states simultaneously and exactly at the same time as the discrepancy timer elapses. The state is not reachable in any other way, as one of the other three transitions would always be triggered beforehand.
    It was decided that in this rare scenario the block should transition to C050 instead, as this describes the reason for the error more precisely, i.e. Button 1 was TRUE and Button 2 was FALSE for the last 500 ms.

    (2) C050 would only be reachable in the extreme edge case where Button 1 and Button 2 switch their states simultaneously and exactly at the same time as the discrepancy timer elapses. The state is not reachable in any other way, as one of the other three transitions would always be triggered beforehand.
    It was decided that in this rare scenario the block should transition to C040 instead, as this describes the reason for the error more precisely, i.e. Button 2 was TRUE and Button 1 was FALSE for the last 500 ms.

  • The guard condition of transition 8802_8804 is B1 and that of transition 8802_8806 is B2. The specification does not explicitly mention that in each case the other S_Button is FALSE.

    Transition | Specification | Implementation
    -----------|---------------|---------------
    8802_8804  | B1            | B1 AND NOT B2
    8802_8806  | B2            | NOT B1 AND B2