Introduction
The BME•58•040S CPUs and the BMEP58CPROS3 Coprocessor (Copro), acting as a pair of processors, are certified by the TÜV Rheinland Group for use in Safety Integrity Level 3 (SIL3) M580 safety solutions.
Working together, the CPU and Copro provide the following SIL3 safety level functions:
Independent double execution of the safety task code.
Comparison of the results of the double code execution.
Periodic self-tests.
Support for a 1oo2D (“one out of two with Diagnostic”) architecture.
Description of the Internal CPU & Copro Architecture
The M580 safety CPU and the Copro each contain a SPEAr 1300 processor. Each processor executes the safety logic in its own memory area, and the results of the two executions are compared at the end of the safe task.
The following figures show the internal architecture of the M580 Safety CPU in single and redundant configurations:

Double Code Generation and Execution
The two processors inside the M580 safety PAC provide for double code generation and execution. This diversity provides the following advantages in error detection:
Two executable code programs are generated independently. The use of two independent code compilers aids in the detection of systemic errors in code generation.
The two generated code programs are executed by two separate processors. Thus, the CPU can detect both systematic errors in the code execution and random errors in the PAC.
Each of the two processors uses its own independent memory area. Thus, the PAC can detect random errors in the RAM, and a full RAM test is not necessary at every scan.
1oo2D Architecture
The 1oo2D (“one out of two with Diagnostic”) architecture means that two independent channels execute the safety logic and, if an error is detected on either channel, the system goes to its safe state.
Single Architecture
The single M580 Safety PAC architecture is based on a 1oo2D architecture made of dual processors, providing Safety Integrity Level 3 (SIL3) compliance even in a non-redundant architecture.
Redundant Architecture
The M580 Safety PAC in a redundant architecture provides maximum system availability and process uptime by adding full redundancy (a quadruple structure, i.e. two CPUs, each a pair of processors) to the control, power supply and communication.
One of the CPUs (pair of processors) acts as the Primary: it runs the application by executing the program logic and operating the I/O. The Primary CPU updates the Secondary CPU so that it is ready to assume I/O control.
The system monitors itself continuously. If the Primary CPU's control fails, the system switches control to the Secondary CPU. In this degraded mode, the system remains SIL3. If both the Primary and the Secondary CPU fail, the system goes to its fail-safe state.
The redundant M580 Safety PAC, based on a quadruple architecture (4 processors), increases system availability while providing SIL3 compliance.
Watchdog
A hardware and a firmware watchdog check the PAC activity and the time required to execute the safety program logic. The monitored time takes the following into account:
application execution time
filtering of any detected I/O communication errors
process safety time
For more information, refer to the topic Process Safety Time.
Memory Check
The integrity of the content of static memory is tested via cyclic redundancy check (CRC) and the double code execution. The integrity of the content of dynamic memory is tested by double code execution, by a periodic memory test, and by an error correcting code (ECC) mechanism that detects and corrects the most common instances of corrupted internal data. At cold start, these tests are re-initialized and fully performed before the CPU goes into Stop or Run mode.
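As an added illustration (example code, not Schneider Electric's own firmware), this Python model ties together the mechanisms described in the Double Code Generation, 1oo2D, Watchdog and Memory Check topics above: two channels execute diverse implementations of the same safety logic in private memory areas, the results are compared at the end of the safe task, static memory is protected by a CRC, a watchdog bounds task time, and any diagnostic failure drives the outputs to the safe state. The interlock logic, signal names and the 10 ms watchdog value are assumptions made for the example.

```python
import time
import zlib

SAFE_STATE = {"motor_run": False}        # de-energized output = safe state (assumed)


def logic_a(inputs, mem):
    """Channel A: direct boolean formulation of an E-stop/guard interlock (assumed logic)."""
    mem["cycles"] = mem.get("cycles", 0) + 1          # private dynamic memory of channel A
    ok = inputs["estop_ok"] and inputs["guard_closed"]
    return {"motor_run": ok and inputs["start"]}


def logic_b(inputs, mem):
    """Channel B: diverse formulation of the same interlock, as a bit-mask test."""
    mem["cycles"] = mem.get("cycles", 0) + 1          # private dynamic memory of channel B
    bits = (inputs["estop_ok"] << 2) | (inputs["guard_closed"] << 1) | inputs["start"]
    return {"motor_run": bits == 0b111}


class Channel:
    """One processor: its program bytes (static memory, CRC-protected) and its own RAM."""

    def __init__(self, logic):
        self.logic = logic
        self.static = logic.__code__.co_code          # the channel's executable code
        self.crc = zlib.crc32(self.static)            # reference CRC taken at cold start
        self.mem = {}                                 # dynamic memory, never shared

    def memory_check_ok(self):
        return zlib.crc32(self.static) == self.crc    # cyclic static-memory integrity test


def safe_task(ch_a, ch_b, inputs, watchdog_s=0.010, clock=time.perf_counter):
    """One safe-task cycle: returns (outputs, diagnostic). Any fault -> safe state."""
    t0 = clock()
    if not (ch_a.memory_check_ok() and ch_b.memory_check_ok()):
        return dict(SAFE_STATE), "memory check failed"
    out_a = ch_a.logic(inputs, ch_a.mem)              # double execution on two channels ...
    out_b = ch_b.logic(inputs, ch_b.mem)
    if clock() - t0 > watchdog_s:                     # firmware watchdog on task time
        return dict(SAFE_STATE), "watchdog expired"
    if out_a != out_b:                                # ... and comparison of the results (1oo2D)
        return dict(SAFE_STATE), "channel mismatch"
    return out_a, "ok"


if __name__ == "__main__":
    a, b = Channel(logic_a), Channel(logic_b)
    print(safe_task(a, b, {"estop_ok": True, "guard_closed": True, "start": True}))
```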
Over Voltage Monitoring
The CPU receives power from the dedicated M580 safety power supply module over the backplane line. The power supply module provides a regulated 24V with an absolute maximum voltage in the range 0...36V.
The CPU has an embedded function that checks the internal power supplies. If an undervoltage or overvoltage condition is detected, the PAC shuts down.