Two Operating Modes

The M580 safety PAC presents two operating modes:

  • Safety mode: the default operating mode used for safety operations.

  • Maintenance mode: an optional operating mode that can be entered temporarily to debug and modify the application program, or change the configuration.

Control Expert XL Safety software is the exclusive tool you can use to manage operating mode transitions.

NOTE: The operating mode setting of a Hot Standby safety PAC – either safety mode or maintenance mode – is not included in the transfer of an application from the primary PAC to the standby PAC. On a switchover, when a safety PAC switches from standby PAC to primary PAC, the operating mode is automatically set to safety mode.

Safety Mode and its Limitations

Safety mode is the default mode of safety PAC. When the safety PAC is powered ON with a valid application present, the PAC enters safety mode. Safety mode is used to control execution of the safety function. You can upload, download, run and stop the project in safety mode.

When the M580 safety PAC is operating in safety mode, the following functions are not available:

  • Downloading a changed configuration from Control Expert to the PAC.

  • Editing and/or forcing safety variable values and safety I/O states.

  • Debugging application logic, by means of breakpoints, watchpoints, and step-through code execution.

  • Using animation tables or UMAS requests (for example, from an HMI) to write to safety variables and safety I/O.

  • Changing the configuration settings of safety modules via CCOTF. (Note that the use of CCOTF for non-interfering modules is supported.)

  • Performing online modification of the safety application.

  • Using link animation.

NOTE: In safety mode, all safety variables and safety I/O states are read-only. You cannot directly edit the value of a safety variable.

You can create a global variable, and use it to pass a value between a linked process (non-safe) variable and a linked safety variable using the interface tabs of the Process Data Editor and the Safety Data Editor. After the link is made, the transfer is executed as follows:

  • At the beginning of each SAFE task, the non-safe variable values are copied to the safe variables.

  • At the end of the SAFE task, the safe output variable values are copied to the non-safe variables.

Maintenance Mode Functionality

Maintenance mode is comparable to the normal mode of a non-safety M580 CPU. It is used only to debug and tune the application SAFE task. Maintenance mode is temporary because the safety PAC automatically enters safety mode if communication between Control Expert and the PAC is lost, or upon the execution of a disconnect command. In maintenance mode, persons with the appropriate permissions can both read and write to safety variables and safety I/O that are configured to accept edits.

In maintenance mode, dual execution of SAFE task code is performed, but the results are not compared.

When the M580 safety PAC is operating in maintenance mode, the following functions are available:

  • Downloading a changed configuration from Control Expert to the PAC.

  • Editing and/or forcing safety variable values and safety I/O states.

  • Debugging application logic, by means of breakpoints, watchpoints, and step-through code execution.

  • Using animation tables or UMAS requests (for example, from an HMI) to write to safety variables and safety I/O.

  • Changing the configuration via CCOTF.

  • Performing online modification of the safety application.

  • Using link animation.

In maintenance mode, the SIL level of the Safety PLC is not guaranteed.

Operating Mode Transitions

The following diagram shows how the M580 safety PAC enters, then transitions between safety mode and maintenance mode:

When switching between safety mode and maintenance mode:

  • It is OK to switch from maintenance mode to safety mode with forcing ON. In this case, the forced variable value or I/O state remains forced after the transition until another transition from safety to maintenance mode occurs.

  • The transition from maintenance mode to safety mode can be accomplished in the following ways:

    • Manually, by menu or toolbar command in Control Expert.

    • Automatically, by the safety PAC, when communication between Control Expert and the PAC is lost for about 50 seconds.

  • The maintenance input function, when it is configured, operates as a check on the transition from safety mode to maintenance mode. The maintenance input function is configured in Control Expert in the CPU Configuration tab by:

    • Selecting the Maintenance Input setting, and

    • Entering the topological address of an input bit (%I) for a non-interfering digital input module on the local rack.

    When the maintenance input is configured, the transition from safety mode to maintenance mode takes into account the state of the designated input bit (%I). If the bit is set to 0 (false), the PAC is locked in safety mode. If the bit is set to 1 (true), a transition to maintenance mode can occur.

Switching Between Safety Mode and Maintenance Mode in Control Expert

Switching the safety PAC from maintenance mode to safety mode is not possible if:

  • The PAC is in debug mode.

  • A breakpoint is activated in a SAFE task section.

  • A watchpoint is set in a SAFE task section.

When debug mode is not active, no SAFE task breakpoint is activated, and no SAFE task watchpoint is set, you can manually activate a transition between safety mode and maintenance mode, as follows:

  • To switch from safety mode to maintenance mode, either:

    • Select PLC > Maintenance , or

    • Click the toolbar button.

  • To switch from maintenance mode to safety mode, either:

    • Select PLC > Safety , or

    • Click the toolbar button.

NOTE: Entering and exiting safety mode events are logged in the SYSLOG server in the CPU.

Determining the Operating Mode

You can determine the current operating mode of an M580 safety PAC using either the SMOD LEDs of the CPU and coprocessor, or Control Expert.

When the SMOD LEDs of the CPU and coprocessor are:

  • Flashing ON, the PAC is in maintenance mode.

  • Solid ON, the PAC is in safety mode.

When Control Expert is connected to the PAC, it identifies the operating mode of the M580 safety PAC in several places:

  • System words %SW12 (coprocessor) and %SW13 (CPU) together indicate the operating mode of the PAC, as follows:

    • if %SW12 is set to 16#A501 (hex) and %SW13 is set to 16#501A (hex), the PAC is in maintenance mode.

    • if either or both of these system words is set to 16#5AFE (hex), the PAC is in safety mode.

  • Both the Task and Information sub-tabs of the CPU Animation tab display the operating mode of the PAC.

  • The task bar, at the bottom of the Control Expert main window, indicates the operating mode as either MAINTENANCE or SAFETY.