
TM510

Working with SafeDESIGNER


Prerequisites and requirements
Training modules   TM210 – Working with Automation Studio
                   TM500 – Introduction to Integrated Safety
Software           Automation Studio 4.3.3
                   Automation Runtime 4.33
                   SafeDESIGNER 4.3
                   Safety Release V1.10
                   Hardware Upgrades >= 1.10.2
Hardware           X20CPU and SafeLOGIC 81xx / SafeLOGIC-X



Table of contents

1 Introduction
  1.1 Learning objectives
  1.2 Safety notices and symbols
2 SafeDESIGNER installation and help
  2.1 Installation and licensing
  2.2 SafeDESIGNER help documentation
3 Configuration in Automation Studio
  3.1 Adding a safety controller
  3.2 Adding SafeIO modules
4 Creating a safety application
  4.1 "Saw" sample project
  4.2 SRS, safety lifecycle and V-model
5 Working with SafeDESIGNER
  5.1 User management and login
  5.2 SafeDESIGNER layout
  5.3 Editor functions
  5.4 Connecting I/O channels
  5.5 Configuration of the safe modules
  5.6 Programs and libraries
  5.7 Project documentation and printing
6 Online connections, downloading and diagnostics
  6.1 Simulating the application
  6.2 Online communication and downloading
  6.3 Application diagnostics
7 Commissioning and maintenance
  7.1 SafeLOGIC control and status elements
  7.2 Operating and status elements of the Remote Control dialog box
  7.3 LED status indicators on SafeIO modules
  7.4 Commissioning the safety application
  7.5 Replacing and updating modules
8 Sample projects and solutions
  8.1 "Basic Safety" sample project
  8.2 The "AsSafety Basic" solution
9 Summary


1 Introduction

This training module will help to familiarize you with SafeDESIGNER.


During this course, we will deal with the various aspects of safety-oriented application development and
explain the configuration options in both Automation Studio and SafeDESIGNER.
Another important aspect is the documentation requirements for the safety application. This is
demonstrated with the aid of a sample project with a standard and safety application.

Figure 1: SafeDESIGNER splash screen

Using a programmable safety solution opens up many new possibilities for creating safety applications.
SafeDESIGNER enhances Automation Studio by including all of the functions needed for developing a
simple, efficient yet cutting-edge safety application.

1.1 Learning objectives

This training module is designed to help you learn how to use SafeDESIGNER and develop a
safety-oriented application.
Overview of objectives:
• Participants will learn how individual configuration tasks are divided up between Automation
Studio and SafeDESIGNER.
• Participants will learn how to add safe modules to a project and complete the I/O configuration
in Automation Studio.
• Participants will learn how to open SafeDESIGNER, log in to a project and use the various
features of the SafeDESIGNER interface.
• Participants will learn how to edit the safe module configuration in SafeDESIGNER and set the
parameters for the safety equipment being used.
• Participants will learn about the documentation requirements for a safety application and how
to create documentation for a project using SafeDESIGNER.
• Participants will learn how to use the integrated help system to assist them in working with
SafeDESIGNER and the PLCopen Safety library.
• Participants will learn how to access and configure function blocks from the PLCopen Safety
library in SafeDESIGNER.
• Participants will learn about the various diagnostic tools and procedures for commissioning the
safety controller.
• Participants will learn how to transfer a safety application to the SafeLOGIC and SafeLOGIC-X
controller and test it with the tools provided.


In order to correctly implement a safety application, it is important that applicable regulations
and standards are observed in all phases of the safety application's lifecycle. This training
module is limited solely to the SafeDESIGNER application. This training manual can therefore
never replace sound training in safety-related topics.

Safety technology \ General information \ Qualified personnel


Safety technology \ General information \ Safety notices

1.2 Safety notices and symbols

Safety notices in this manual are organized as follows:

Danger: Disregarding these safety guidelines and notices can result in severe injury, death or
substantial damage to property.

Warning: Disregarding these safety guidelines and notices can result in severe injury or
substantial damage to property.

Caution: Disregarding these safety guidelines and notices can result in injury or damage to
property. This information is important for preventing errors.

Additional notices and information in this manual are organized as follows:

Note: Provides important tips and additional information

Help: References additional documentation (help system, data sheets, user's manuals)

Example: Indicates an example to further illustrate a topic

Result: A brief summary of the results of an exercise

Organization of safety notices in external manuals


This manual contains references to other manuals. How safety notices are organized in external manuals
is listed in the respective manual.


Exercise: Tasks and exercises


Sections marked with an orange stripe on the left side contain information about exercises as well as
the associated actions to be taken. Exercises are intended to provide a deeper understanding of the
information provided.


2 SafeDESIGNER installation and help

The next section describes the procedure for installing and licensing SafeDESIGNER. The integrated
help system will then be described.

2.1 Installation and licensing

Installing SafeDESIGNER
The installation wizard for installing SafeDESIGNER is part of the Automation Studio installation DVD.

Figure 2: The SafeDESIGNER installation wizard

Licensing SafeDESIGNER
SafeDESIGNER uses Automation Studio's licensing mechanism by default. Therefore no special
license is required.

Automation software \ Software installation


2.2 SafeDESIGNER help documentation

The help documentation for SafeDESIGNER is integrated in Automation Help. All information about
SafeDESIGNER, PLCopen programming as well as safety notices and system characteristics are
located under the category "Safety". There is information on safe input and output modules as
well as the SafeLOGIC controller and SafeLOGIC-X controller in the X20 control system under the
hardware category.

Figure 3: The SafeDESIGNER help documentation

Safety technology \ SafeDESIGNER \ User documentation


Safety technology \ Libraries
Hardware \ X20 system \ X20 modules \ CPUs \ X20(c)SL810x
Hardware \ X20 system \ X20 modules \ CPUs \ X20(c)SLXx1x
Hardware \ X20 system \ X20 modules \ CPUs \ X20SLXxxx
Hardware \ X20 system \ X20 modules \ Digital input modules
Hardware \ X20 system \ X20 modules \ Digital output modules
Hardware \ X20 system \ X20 modules \ Digital mixed modules
Hardware \ X20 System \ X20 module \ Analog input module
Hardware \ X20 system \ X20 modules \ reACTION I/O modules
Hardware \ X20 System \ X20 modules \ Counter modules


3 Configuration in Automation Studio

From a safety point of view, Automation Studio manages all of the modules for the safety-relevant
components.
In Automation Studio, SafeIO modules behave as if they are standard input or output modules. Variables
can be connected to individual I/O channels, which are used as standard I/O channels in the standard
application.
Module management in Automation Studio involves the following:
• Adding a safety controller
• Assigning the safety application project name
• Exchanging the data between the standard CPU and the safety controller via the communication
channels
• Adding SafeIO modules
• Assigning the SafeIO modules to the safety controller
• Accessing I/O data from the safety components

The safety controller creates a virtual network around itself. A unique SafeLOGIC ID must be assigned
to each safety controller. The SafeMODULE ID represents the number used by an individual module in
the network. For this purpose, the safety controller always has the SafeMODULE ID 1.
Every SafeIO module added must have a safety controller assigned to it. For this purpose, the
SafeLOGIC ID of the corresponding safety controller is specified. A unique SafeMODULE ID is assigned to
each module in the network.

      SafeMODULE ID   SafeLOGIC ID
SL    1               1
A     2               1
B     3               1
C     4               1
Table 1: Assigning SafeMODULE IDs to a SafeLOGIC ID

Figure 4: Hardware configuration of the sample project


3.1 Adding a safety controller

The safety controller handles the central management of all safety data. The SafeLOGIC controller is
added in Automation Studio to a POWERLINK interface and the SafeLOGIC-X controller is added to
an X2X interface.

Figure 5: SafeLOGIC controller hardware setup with an X20 controller

Figure 6: SafeLOGIC-X controller hardware setup with an X20 controller

A safety controller is assigned to the SafeIO module using the SafeLOGIC ID. This number is
automatically preallocated by the system, but it can also be changed manually.
The node number must only be set using the SafeLOGIC controller.

Property                  Value
POWERLINK node number ¹   1
SafeMODULE ID ²           1
SafeLOGIC ID ²            1
Project name ²            SafeLOGIC-1
Table 2: One possible SafeLOGIC configuration

The safety controller is added to a POWERLINK interface (SafeLOGIC controller) or an X2X interface
(SafeLOGIC-X controller) from the Hardware Catalog using drag-and-drop.

Figure 7: Adding the safety controller from the hardware catalog

It is possible to configure and apply several safety controllers within an Automation Studio
project.

¹ The POWERLINK node number is configured in the Physical View.
² The SafeMODULE ID, as well as the project name and the SafeLOGIC ID are set in the module
configuration.


Setting the POWERLINK node number


The POWERLINK node number for the SafeLOGIC controller can be configured in the Physical View.

Figure 8: Setting the POWERLINK node number

Configuring the safety controller


In the safety controller's shortcut menu, go to Physical View, and open the I/O configuration for the safety
controller.
The I/O configuration is where the SafeLOGIC ID, SafeDESIGNER version and project name for the
safety application are defined.

Figure 9: Safety controller configuration settings


The communication channels between the standard CPU and the safety controller can also be
configured. Four different data types are available: BOOL, INT, UINT and UDINT.
Here, there is an additional distinction between data points consumed by the safety controller
(Input) and data points produced by the safety controller (Output).

Figure 10: CPU – SafeLOGIC communication channels

Variables can be connected to the individual communication channels via the safety controller's
I/O mapping. The communication channels are selected in the I/O configuration.

Figure 11: Safety controller I/O mapping

Transmission across the communication channels between the standard CPU and the safety
controller is "non-safety".

Exercise: Create a new Automation Studio project with a safety controller


This exercise will demonstrate how to create a new Automation Studio project. A safety controller is then
added in the Physical View.

1) Creating an Automation Studio project

2) Add safety controller

3) Check the configuration of the safety controller

Automation software \ Getting started


• Creating programs in Automation Studio \ X20 CPU example project
• Creating a safety application in Automation Studio

Project management \ Hardware management \ Physical View


3.2 Adding SafeIO modules

The SafeIO modules can be added directly on the X2X Link interface of a controller or a POWERLINK
bus controller. SafeIO modules can be freely combined with standard I/O modules.
Specific safety controllers are assigned to the SafeIO modules using the SafeLOGIC IDs.

SafeIO modules can be added to the Physical View from the Hardware Catalog using drag-and-drop.

Figure 12: Adding SafeIO modules using drag-and-drop

Module configuration
The module configuration is opened from the I/O module's shortcut menu. A variety of different settings
can be made here depending on the module type. For example, the assignment to a specific safety
controller using the SafeLOGIC ID is carried out in the module configuration.

Figure 13: Opening the module configuration for a safe output module

3.2.1 Switching frequency of safe output modules

The maximum switching frequency of the output can be configured for each channel on a safe output
module. After a specific amount of time has elapsed, an internal check is made to determine if the output
has really been switched off. The output must be 0 for this amount of time before it can be switched
back on. Monitoring is triggered when the maximum switching frequency is exceeded. The output status
in the following image is indicated in red, while blue represents the time for checking the output. In the
image on the left, the output signal is already 0 before it is switched on again. In the image on the right,
the maximum switching rate has been exceeded.


Figure 14: Valid state

Figure 15: Monitoring has detected an error

The configured switching frequency must be supported by the connected actuator.

Hardware \ X20 system \ X20 modules \ Digital output modules \ X20(c)SOx1x0 \ X20SOx1x0
- Register description \ Parameters in the I/O configuration

3.2.2 Enabling principle

The enabling principle can be configured for each channel on a safe output module. The output channel
is either visible or hidden in the I/O mapping window depending on how the enabling principle has been
configured.

Figure 16: Settings for the enabling principle in Automation Studio. Channel 2 has been set to "Direct" mode.
Two different settings can be made for the enabling principle:
• "direct": The output channel is visible in the I/O mapping window (default value).
• "via SafeLOGIC": The output channel is hidden in the I/O mapping window.

Figure 17: Diagram of options for the enabling principle


In "Direct" mode, it is possible to use the safe output as a standard output from the perspective of the
standard application. That means the output is switched on and off by the standard application as long
as no safety requests are pending. In the "via SafeLOGIC controller" mode, the output is controlled only
via the safety controller.

Hardware \ X20 system \ X20 modules \ Digital output modules \ X20(c)SOx1x0


• Enabling principle
• X20SOx1x0 - Register description \ Parameters in the I/O configuration

3.2.3 Restart inhibit

Status information for the restart inhibit can be enabled in the I/O configuration of safe output modules.
More information about restart inhibit states and the associated state diagram can be found in the
Automation Studio help documentation.

Figure 18: Enabling the restart inhibit status in the I/O configuration

The status of the restart inhibit is placed on the status channel "FBK_Status_1" for the individual
channels. 4 bits are used for each channel. The status can be read from the state diagram for the restart
inhibit, which can be looked up in the register description in the "Channel list" section. The signal to
release the restart inhibit (ReleaseOutput) must be delayed by at least 50 ms after the output signal.
This ensures that the safety-related signal has been processed on the module.


Figure 19: X20SOx1x0 - Restart inhibit state diagram

Figure 20: Extract about the channel "FBK_Status_1" from the Automation Help

Safety technology \ System characteristics \ Channel characteristics \ Digital output channels


- Type A \ Restart behavior
Hardware \ X20 system \ X20 modules \ Digital output modules \ X20(c)SOx1x0
• Restart behavior
• X20SOx1x0 - Register description \ Channel list


3.2.4 Multi-channel evaluation

Safe digital input modules feature integrated multi-channel evaluation. The status of the
multi-channel evaluation can be evaluated in the standard application via the I/O mapping in
Automation Studio.

Figure 21: I/O configuration and I/O mapping of an SI module with the status of multi-channel evaluation

A status is generated in the safe input module and listed in the Automation Studio I/O mapping
according to whether equivalence or antivalence was used between two safe inputs in SafeDESIGNER.

Figure 22: Multi-channel evaluation: Equivalence and antivalence

Multi-channel evaluation is automatically configured via the channels used in SafeDESIGNER.
It should be noted that in the safety application the channel pair can be used for either the
equivalence or the antivalence. The discrepancy time also needs to be configured. The
equivalence or antivalence must have reached a stable state within the discrepancy time.

Hardware \ X20 system \ X20 modules \ Digital input modules \ X20(c)SIx10x \ X20SIx1x0 -
Register description \ Channel list
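
The discrepancy-time rule described above can be tried out with the following simplified model. It is an added example, not B&R code and not the module's actual firmware behaviour; the class name, the latching of the error until acknowledgment and the sample traces are assumptions made for illustration.

```python
from typing import Optional

# Channel states that count as "consistent" for each evaluation type.
# Equivalence: both channels agree. Antivalence: the channels are opposite.
ACTIVE = {"equivalence": (True, True), "antivalence": (True, False)}
INACTIVE = {"equivalence": (False, False), "antivalence": (False, True)}


class ChannelPairMonitor:
    """Simplified model of two-channel evaluation with a discrepancy time."""

    def __init__(self, mode: str, discrepancy_ms: int):
        if mode not in ACTIVE:
            raise ValueError("mode must be 'equivalence' or 'antivalence'")
        self.mode = mode
        self.discrepancy_ms = discrepancy_ms
        self.error = False                      # latched discrepancy error
        self._discrepant_since: Optional[int] = None

    def update(self, t_ms: int, ch_a, ch_b) -> bool:
        """Feed one sample; return the evaluated (safe) signal of the pair."""
        pair = (bool(ch_a), bool(ch_b))
        if pair in (ACTIVE[self.mode], INACTIVE[self.mode]):
            self._discrepant_since = None       # stable state reached
        else:
            if self._discrepant_since is None:
                self._discrepant_since = t_ms   # discrepancy starts now
            if t_ms - self._discrepant_since > self.discrepancy_ms:
                self.error = True               # not stable within the time
        # The pair only evaluates to TRUE when active and error-free.
        return pair == ACTIVE[self.mode] and not self.error

    def acknowledge(self) -> bool:
        """Clear a latched error, but only while the pair is consistent."""
        if self.error and self._discrepant_since is None:
            self.error = False
        return not self.error


def run_trace(mode, discrepancy_ms, samples):
    """Run constructed samples (t_ms, ch_a, ch_b); return (t, signal, error)."""
    monitor = ChannelPairMonitor(mode, discrepancy_ms)
    return [(t, monitor.update(t, a, b), monitor.error) for t, a, b in samples]


# Constructed traces: a two-channel switch opening, discrepancy time 200 ms.
CLEAN_OPEN = [(0, 1, 1), (100, 0, 1), (250, 0, 0)]        # 150 ms apart
STUCK_CHANNEL = [(0, 1, 1), (100, 0, 1), (350, 0, 1),     # channel B stuck
                 (400, 0, 0), (500, 1, 1)]

if __name__ == "__main__":
    for name, trace in (("clean", CLEAN_OPEN), ("stuck", STUCK_CHANNEL)):
        for row in run_trace("equivalence", 200, trace):
            print(name, row)
```

In the second trace the pair returns to a consistent state, but the evaluated signal stays FALSE until the latched error has been acknowledged.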

Exercise: Complete the hardware configuration


In this exercise, the safe input and output modules from the training configuration will be added to the
project. The individual module configurations will then be checked.


1) Adding safe modules in the Physical View - Module information: see 4.1 "Saw" sample project

2) Check the module configuration of the safe output modules with regard to switching frequency and
the enabling principle.

If the maximum switching frequency is not otherwise specified in the Safety Requirements
Specification (SRS), then a maximum switching frequency of 1 Hz can be set.

3) Check the SafeMODULE ID and SafeLOGIC ID for all modules.

During compilation, the following error is thrown in the event of an incorrect SafeMODULE
ID or SafeLOGIC ID:
Error 9823: Hardware module X20SO2110 of configuration already uses SafeLOGIC ID 1 and SafeMODULE ID 2.

      SafeMODULE ID   SafeLOGIC ID
SL    1               1
A     2               1
B     3               1
C     4               1
Table 3: Assigning SafeMODULE ID and SafeLOGIC ID
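
The ID rules from section 3 and the duplicate that Error 9823 reports can be checked on a planned module list before it is entered in the Physical View. The following is an added example, not part of Automation Studio or of this training module; the SafeNode type, the function name and the second sample configuration are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SafeNode:
    name: str            # label used only in this example
    is_controller: bool  # True for a SafeLOGIC / SafeLOGIC-X controller
    safelogic_id: int
    safemodule_id: int


def check_assignment(nodes):
    """Return a list of findings; an empty list means the IDs are consistent."""
    findings = []

    # Group the safety controllers by the SafeLOGIC ID they claim.
    controllers = defaultdict(list)
    for node in nodes:
        if node.is_controller:
            controllers[node.safelogic_id].append(node)

    for sl_id, ctrls in sorted(controllers.items()):
        # A unique SafeLOGIC ID must be assigned to each safety controller.
        if len(ctrls) > 1:
            names = ", ".join(c.name for c in ctrls)
            findings.append(
                f"SafeLOGIC ID {sl_id} is claimed by several controllers: {names}")
        # The safety controller always has SafeMODULE ID 1.
        for ctrl in ctrls:
            if ctrl.safemodule_id != 1:
                findings.append(
                    f"{ctrl.name}: controller has SafeMODULE ID "
                    f"{ctrl.safemodule_id}, expected 1")

    owner = {}
    for node in nodes:
        # Every SafeIO module must point at an existing safety controller.
        if not node.is_controller and node.safelogic_id not in controllers:
            findings.append(
                f"{node.name}: SafeLOGIC ID {node.safelogic_id} "
                f"has no safety controller")
        # A SafeMODULE ID may be used only once per SafeLOGIC ID.
        key = (node.safelogic_id, node.safemodule_id)
        if key in owner:
            findings.append(
                f"{node.name}: SafeLOGIC ID {key[0]} and SafeMODULE ID {key[1]} "
                f"are already used by {owner[key]}")
        else:
            owner[key] = node.name
    return findings


# Assignment from Table 3 of this page.
TABLE_3 = [
    SafeNode("SL", True, 1, 1),
    SafeNode("A", False, 1, 2),
    SafeNode("B", False, 1, 3),
    SafeNode("C", False, 1, 4),
]

# Constructed faulty variant: B reuses A's SafeMODULE ID, and C points at
# SafeLOGIC ID 2, for which no safety controller exists.
FAULTY = [
    SafeNode("SL", True, 1, 1),
    SafeNode("A", False, 1, 2),
    SafeNode("B", False, 1, 2),
    SafeNode("C", False, 2, 4),
]

if __name__ == "__main__":
    for label, config in (("Table 3", TABLE_3), ("faulty", FAULTY)):
        print(label, check_assignment(config) or "consistent")
```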

Figure 23: Hardware configuration of the sample project


4 Creating a safety application

4.1 "Saw" sample project

For our small safety application example, we will be controlling a circular saw. The hardware setup and
related safety equipment are outlined in the image. Two configurations are possible, depending on the
safety controller used. When a SafeLOGIC controller is used, it is connected to the PLC via POWERLINK
and the safe input and output modules are located after a POWERLINK bus controller.
Alternatively, a SafeLOGIC-X controller can be used, which is placed on the X2X bus after either the
PLC or the POWERLINK bus controller. It handles execution of the safety application, and the local
inputs and outputs are used for the logic of the application.

The following safety equipment will be used for the machine:

Module type             Safety component                                Slot                  Channel
X20SOxxxx               Motor protection                                CPU.IF3.ST2.IF1.ST2   1
                        Enabling principle set to "Direct" mode
X20DIxxxx               Acknowledgment button (non-safety)              CPU.IF3.ST2.IF1.ST3   1
                        Data transfer via CPU-SafeLOGIC communication
X20SIxxxx               Light curtain (equivalence)                     CPU.IF3.ST2.IF1.ST4   1+2
                        Emergency stop (equivalence)                    CPU.IF3.ST2.IF1.ST4   3+4
X20SIxxxx / X20SLXx10   Mode selector switch                            CPU.IF3.ST2.IF1.ST5   1+2
                        Start/Stop button                               CPU.IF3.ST2.IF1.ST5   3
Table 4: List of safety equipment and channels for the "Saw" sample project


Figure 24: Hardware configuration with a SafeLOGIC controller

Figure 25: Hardware configuration with a SafeLOGIC-X controller

The Safety Requirements Specification (SRS: see 4.2.1 "Safety Requirements Specification
(SRS)") defines how the individual safety features function and interact with one another.

4.2 SRS, safety lifecycle and V-model

4.2.1 Safety Requirements Specification (SRS)

The following safety functions will be implemented in the "Saw" sample project:
• 4.2.1.1 "Emergency stop switch function"
• 4.2.1.2 "Light curtain function"
• 4.2.1.3 "Operating mode switch function"
• 4.2.1.4 "Operating modes and interaction"

4.2.1.1 Emergency stop switch function

Required functionality:
• Acknowledgment is not necessary after startup.
• Acknowledgment is required via the acknowledgment button after the emergency stop switch is reset.
• Synchronism of multi-channel evaluation must be within 200 ms (see 5.5.4 "Specific parameters of
input modules").

Figure 26: Emergency stop switch


4.2.1.2 Light curtain function

Required functionality:
• Acknowledgment is not necessary after startup.
• Acknowledgment is required via the acknowledgment button after the light curtain has been penetrated.
• The simultaneity for the multi-channel evaluation must be within 300 ms.

The light curtain outputs an OSSD signal (Output Signal Switching Device). This OSSD signal must be
filtered out on the safe input using the switch-off filter (see 5.5.4 "Specific parameters of input
modules").

Figure 27: Light curtains

4.2.1.3 Operating mode switch function

Required functionality:
• Acknowledgment is not necessary after startup.
• Two operating modes are possible:
  ° Manual – Right switch position
  ° Automatic – Left switch position
  ° Prohibited state – Center switch position → Triggers an error
• Switching directly between operating modes is possible without acknowledgment.
• The maximum time for an invalid state is 250 ms.
• An invalid state is acknowledged with the acknowledgment button.

Figure 28: Mode selector switch

4.2.1.4 Operating modes and interaction

Two operating modes will be implemented:


• Manual mode
• Automatic operation

Make sure that an emergency stop switch will cut off the output in all operating modes. The
maximum switching frequency for the safe output must not exceed 1 Hz.

Manual mode (right switch position)


If manual operation is selected using the operating mode switch, then the functionality below must be
implemented.


The following criteria apply:


• The light curtain is not enabled in this operating mode
• The output is only enabled by the safety application if the start/stop button is pressed and the
safety equipment has not been violated.
• A safety violation must be acknowledged by a rising edge of the acknowledgment button.

Automatic mode (left switch position)


If automatic operation is selected using the operating mode switch, then the functionality below must
be implemented.
The following criteria apply:
• The output is always enabled by the safety application as long as a violation has not occurred
on the safety equipment (emergency stop, light curtain).
• The light curtain is enabled in this operating mode.
• A safety violation must be acknowledged by a rising edge of the acknowledgment button.

Automatic mode is started with the start/stop button. If the machine is running when the start/
stop button is pressed, it will be stopped. This functionality can be implemented in a standard
application in Automation Studio.

Error acknowledgment
Pending errors are acknowledged with the acknowledgment button.
The acknowledgment button signal is transferred from Automation
Studio to SafeDESIGNER via the safety controller's communication
channels.

Figure: Confirmation and Start/Stop button

Transferring diagnostic data to the standard application


Diagnosis codes for the individual safe function blocks must be sent via the I/O mapping to the functional
application and passed on to the corresponding variables of the UINT data type.
The following variables must be declared:
• diagCode_EStop (diagnostic code for "SF_EmergencyStop")
• diagCode_LightCurtain (diagnostic code for "SF_ESPE")
• diagCode_ModeSelector (diagnostic code for "SF_ModeSelector")

If an error occurs in at least one function block, a bit must be set to TRUE in Automation Studio.
This variable must be declared:
• errorInSafetyApplication


The channel for the enabling principle can be used to control the saw in the standard application.
This is done by selecting "Direct" mode for the safe output signal in the module configuration.

4.2.2 Safety lifecycle in accordance with EN IEC 61508

A model with various phases is defined for the safety lifecycle of a machine in EN IEC 61508.
This image illustrates the entire safety lifecycle that must be observed in order to meet this standard. If
using a different safety lifecycle, it must be specified while planning the functional safety features.

Figure 29: Safety lifecycle in accordance with EN IEC 61508-1 ¹

The procedures required to create a safety application are handled in phase 9. A detailed look at the
stages involved in developing a safety application is provided by the V-model of the software lifecycle
in accordance with EN ISO 13849.

Training module "TM530 – Developing safety applications in accordance with EN ISO 13849
and EN IEC 62061" takes a closer look at the processes and different roles involved in
developing safety applications.

¹ E/E/PES = Electrical, Electronic or Programmable Electronic System


4.2.3 V-model of the software lifecycle in accordance with EN ISO 13849

A safety-oriented software specification is designed based on the guidelines of a specification. The
software modules are then implemented and tested. Finally, the safety-oriented software specification is
validated.

Figure 30: V-model of the software lifecycle in accordance with EN ISO 13849


5 Working with SafeDESIGNER

SafeDESIGNER represents the core of safety programming. The safety application, which is cyclically
processed by the safety controller, is created with SafeDESIGNER. It is also used to configure
individual modules. Additionally, all safety-related components assigned to the corresponding safety
controller are automatically adopted from the Automation Studio configuration.
The safety application can be opened via the safety controller's shortcut menu.

Figure 31: Opening SafeDESIGNER

5.1 User management and login

The first time a SafeDESIGNER project is opened, the user is asked to assign two new passwords.
These passwords must contain at least 6 alphanumeric characters.
One of these passwords must then be entered each time the SafeDESIGNER project is opened.

Figure 32: SafeDESIGNER password assignment

SafeDESIGNER has 3 different user levels.
• Development:
  All rights
• Commissioning:
  Open the project, change and download the commissioning parameters
• Maintenance:
  Open and download the project - A password is not needed

Figure 33: Entering a password in SafeDESIGNER

After successfully logging in, SafeDESIGNER functions are available based on the user level.

Passwords are set specifically for each project. If a new project is created, then new passwords
must be defined for it.


Safety technology \ SafeDESIGNER \ User documentation \ Password protection for projects
and the safety controller

If the hardware configuration has changed since the last time SafeDESIGNER was opened, then
the changes must be acknowledged.

Figure 34: Window for confirming the modified hardware configuration

Safety technology \ SafeDESIGNER \ User documentation \ Programming a project \ Device
parameterization


5.2 SafeDESIGNER layout

SafeDESIGNER includes several toolbars, configuration editors and editing windows. Additional information about navigating in SafeDESIGNER can be found in the Automation Studio help documentation.

Figure 35: The SafeDESIGNER workspace

Safety technology \ SafeDESIGNER \ User documentation \


1) User interface \ Menu bar
2) User interface \ Toolbars
3) User Interface \ Editor wizard
4) User interface \ Project tree - Overview
5) User interface \ Toolbars
6) User interface \ Workspace
7) Programming a project \ Safety view
8) Programming a project \ Device parameterization
9) User interface \ Message Window
10) User interface \ Cross References Window
11) User interface \ Watch window


5.3 Editor functions

The programming interface in SafeDESIGNER is a graphical editor which supports the ladder diagram
(LD) and function block diagram (FBD) programming languages. Both IEC programming languages can
be freely mixed.
The programming interface contains not only the graphical editor but also the Editor Assistant. This
contains the function blocks for creating the safety application. There is also another window which
shows the current project structure.

Figure 36: The SafeDESIGNER programming interface

The safety application is basically a single-tasking system. All of the functions are programmed
on the "Main" workspace. Additional code workspaces can also be added to the project tree
to improve the structure of the safety application. Workspaces are executed according to their
order in the project tree. The order for executing the safety application is indicated by green
numbers on the workspace. Custom function blocks can also be created.

Data types are strictly separated when programming in SafeDESIGNER. There are safe data types and
those that are not considered safety-oriented (i.e. normal data types). It is possible to convert safe data
types into normal data types.

Safety technology \ SafeDESIGNER \ User documentation


• User interface
• IEC 61131 Implementation \ Data Types
• Programming a project


5.3.1 Edit wizard

The Edit wizard can be used to add function blocks to the workspace.
These function blocks can be grouped according to functionality or
library.

Figure 37: Edit wizard

In accordance with IEC 61131-3, non-safe function blocks are listed in red, whereas safe function blocks are listed in yellow. PLCopen Safety function blocks are identified by a red "S" on a yellow background. User function blocks have a green background.

Safety technology \ SafeDESIGNER \ User documentation \ User interface \ Edit wizard

5.3.2 Adding function blocks

Functions and function blocks can be added via drag-and-drop or by double-clicking on the respective
function or function block.
With drag-and-drop the corresponding function block is first selected in the Edit wizard and then pulled
into the workspace.

Figure 38: Adding a function block to the workspace using drag-and-drop

If a function block is inserted, a window appears for creating an instance variable with an appropriate data type.

Figure 39: Declaring an instance variable for a function block


Safety technology \ SafeDESIGNER \ User documentation


• User Interface \ Editor wizard
• Programming a project \ Programming a graphic code

5.3.3 Adding new variables

There are two ways to add a new variable. One is using the Variable button in the vertical toolbar, and the other is by double-clicking on an input or output of a function or function block.

Figure 40: Button for adding a new variable

Clicking on this button opens a window for defining the variable name, data type and scope.
Three different scopes are available for selection:
• Local: For the current workspace
• Global: For an I/O channel or communication channel
• Constant: Constants

Figure 41: Defining a variable

Local variables are only used in the current workspace. In the declaration window, the name and data
type of the variable are defined and the scope is set to "Local".
Once the window is confirmed, the variable is added at the currently selected position.

Figure 42: Variable on the workspace

Using the Toggle WS button, it is possible to switch between the code view and the declaration view of the current workspace.

Figure 43: Button for toggling the view

All declared local variables on the workspace are listed in the declaration window.

Figure 44: Local variable declaration window


Global variables are only used for I/O channels and communication channels. In this case, the scope
parameter must be set to "Global". The wizard can also be used to add constants to the workspace.
Here, the scope parameter must be set to "Constant" and a constant value assigned.

A global variable must always be assigned to an I/O channel or a communication channel.


Global variables that are not connected to an I/O channel or a communication channel will
cause an error message when the project is compiled.
Constants can be added by entering DATATYPE#VALUE for the different data types. Example:
"SAFETIME#10s" for a time constant with a duration of 10 seconds.

Safety technology \ SafeDESIGNER \ User documentation


• User Interface \ Variables Worksheets
• User Interface \ Dialogs for Editing Code \ 'Variable' dialog
• User interface \ Graphic code objects \ Variables
• Programming a project \ Programming a graphic code \ Constants (literals): Inserting
and editing

5.3.4 Connecting a function block

A variable must first be selected before it can be connected to a function block input or output. The variable can then be pulled into the workspace using drag-and-drop and connected to an input or an output on a function block.

Figure 45: Variable connected to a function block input

Clicking on the Connect button in the vertical toolbar connects an output from a function block to the input on the next function block.

Figure 46: The "Connect" button

Drawing a connection line is done by clicking and dragging from one contact to another.

Figure 47: Drawing a connection line

Safety technology \ SafeDESIGNER \ User documentation \ User interface


• Keyboard shortcuts
• Graphical Code Editor (General Description)
° Handling objects in the code editor
° Connecting objects in the code editor


Exercise: Working with SafeDESIGNER


This exercise will rely solely on SafeDESIGNER. After opening SafeDESIGNER, a project password must
be assigned. The new hardware modules must then be confirmed. Some variables are then linked to a
function block.
The AND_S function block will be added to the workspace and connected to local variables.

1) Open the SafeDESIGNER project.

2) Assign a project password.

3) Acknowledge the hardware modules.


4) Add the AND_S function block to the workspace.

5) Declare the "local_value1" variable.

6) Declare the "local_value2" variable.

7) Declare the "local_result" variable.

8) Connect all variables to the function block.


9) Check the variable declaration window.

10) Build the project.

11) Test the project in the simulation environment.

See 6.1 "Simulating the application".

5.3.5 Adding a comment to the workspace

The Comment button can be used to add a comment at the currently selected position. This opens a window for entering the text and making various text settings.

Figure 48: Button for adding a comment

Once the window is confirmed, the comment is added at the currently selected position.

Figure 49: Comment in the workspace

Safety technology \ SafeDESIGNER \ User manual \ User Interface \ Graphical Code Editor
(general description) \ Inserting Comments - 'Comment' Dialog


5.4 Connecting I/O channels

The I/O mapping in the Safety View acts as an interface between the safe modules configured in Automation Studio and SafeDESIGNER.
Variables and I/O channels are linked in the safety application via I/O mapping.

Figure 50: I/O mappings in SafeDESIGNER

The physical position of safe modules is listed in the "Slot" column. This display is for informational
purposes only and cannot be changed in SafeDESIGNER.
The "Variable" column lists the names of I/O data points in the safety application.
The "CPU variable" column lists the names of I/O data points as they are configured in Automation Studio.

All channels marked with a yellow arrow are safety-related and must reference variables with
safe data types.

Safety technology \ SafeDESIGNER \ User manual \ Programming a Project \ Connecting/Disconnecting Process Data Items and Global I/O Variables

5.4.1 Safety controller

Configurable communication channels are available for SafeLOGIC / SafeLOGIC-X controllers. Additional machine option parameters are available depending on the device.

Figure 51: I/O mapping - SafeLOGIC controllers


Machine option parameters will be explained in greater detail when covering SafeLOGIC parameters (see 5.5.3 "Specific safety controller parameters").

SafeLOGIC controller channels can be used to transfer diagnostic codes from PLCopen function blocks to the standard application, for example. SafeLOGIC controller channels can also be used to transfer a non-safe acknowledgment button signal from the standard application to the safety application.

Hardware \ X20 system \ X20 modules \ CPUs \


• X20(c)SL81xx \ X20SL81xx - Register description \ Channel list
• X20(c)SLXx1x \ X20SLXx10 - Register description \ Channel list
• X20SLXxxx \ X20SLXxxx - Register description \ Channel list

5.4.2 Safe input and output modules

Individual input channels are available on safe input modules. In addition, it is also possible to access
the multi-channel evaluation as well as module status information.
Individual output channels as well as acknowledgment of the automatic restart inhibit (ReleaseOutput)
are available on safe output modules. It is also possible to access module status information.

Figure 52: I/O mapping - safe input module

Hardware \ X20 system \ X20 modules \


• Digital input modules \ X20(c)SIx1x0 \ X20SIx1x0 - Register description \ Channel list
• Digital output modules \ X20(c)SOx1x0 \ X20SOx1x0 - Register description \ Channel list


5.4.3 Connecting an I/O channel to a new variable

An I/O channel must first be selected in the I/O mapping before it can be connected to a variable. The corresponding channel can then be moved to the workspace using drag-and-drop. The declaration window for a new global variable is opened automatically. After entering a variable name, the window can be closed and the new variable placed in the workspace wherever it is needed. The new variable name is now assigned to the corresponding channel in the I/O mapping.

Figure 53: Dragging the I/O channel into workspace and filling out the declaration window

Clicking on the Global declaration button opens the declaration window for global variables.

Figure 54: Button for opening the global declaration window

All global variables are listed in the declaration window. The "Terminal" field displays the I/O channel
links.

Figure 55: Global declarations

Safety technology \ SafeDESIGNER \ User manual \ Programming a Project \ Connecting/Disconnecting Process Data Items and Global I/O Variables


5.4.4 Connecting an I/O channel to an existing variable

Clicking on the Global declaration button opens the declaration window for global variables.

Figure 56: Button for opening the global declaration window

An I/O channel must first be selected in the I/O mapping window before a connection to a variable can
be established. The I/O channel is then moved to the global declaration window using drag-and-drop.
This is not possible in the opposite direction.

Figure 57: Selecting an I/O channel and assigning it using drag-and-drop

The SE LED on the safe module will blink if no variables have been connected to the safe
module in SafeDESIGNER.

Safety technology \ SafeDESIGNER \ User manual \ Programming a Project \ Connecting/Disconnecting Process Data Items and Global I/O Variables

Exercise: Connecting I/O variables


In this exercise, the two safe inputs for the emergency stop button will be connected to the AND_S function
block.


1) Add the safe inputs to the workspace using drag-and-drop.

2) Connect the safe inputs to the AND_S function block.

3) Save the results of the AND operator for both safe inputs to the "m_OutSignal" variable.

Instead of individually connecting two channels of a safe input module with the AND_S function in the workspace, the corresponding data point can be used for multi-channel evaluation of the module (equivalence/antivalence). Here, the synchronicity of the channel pairs should be defined using the discrepancy time of the safe input module (see 5.5.4 "Specific parameters of input modules").

Now modify the program in such a way that the PLCopen function block "SF_Equivalent" is used in place
of the AND_S function block.

1) Add the SF_Equivalent function block.

2) Connect the safe inputs to the SF_Equivalent function block.

3) Configure the discrepancy time of the SF_Equivalent function block.

Open the help documentation for the SF_Equivalent function block and check the diagram
of the function block's signal sequence.

5.5 Configuration of the safe modules

The SafeIO modules provide the opportunity to connect different sensors and actuators. Doing so results in parameters that have to be set, depending on the module type. Among these are general settings valid for all module types as well as module-specific settings.
Selecting a safe module in the Safety View will list its safe parameters in addition to its I/O mapping.
Tabs are located at the bottom of the window to allow a clear display. With their help it is possible to display only a certain parameter set.
In order to reuse the parameters, there is the option of exporting them and reimporting them for other modules. This method, for example, offers the efficient option of reproducing the settings for safety-oriented drives.
The description of the individual settings can be found in the register description of the individual modules and describes the entries in Automation Studio as well as those available in SafeDESIGNER.

Figure 58: A module's safe parameters

The "ALL" tab should always be enabled in the parameter editor in order to see all of the necessary parameters.


5.5.1 General parameters of the SafeIO modules

The general parameters that all SafeIO modules have in common can be found in the group "Basic".
This includes settings for firmware, startup behavior of the module and the properties of the UDID.

Hardware \ X20 system \ X20 modules \


• CPUs
• Digital input modules
• Digital output modules

5.5.2 Safety response time

The parameters that are relevant for the safety response time are located in the group "Safety response time". They are found on the SafeIO modules and on the safety controller. As a rule, the settings of the safety controller are applied to the SafeIO modules. This applies as long as the entry "Manual Configuration" is set to "No". If deviating settings are required for a module, then the parameter has to be set to "Yes"; the values set on the module are then valid for that module.
When implementing a safe machine, the response time – labeled Total lag time in the image – plays an important role. This has an immediate influence on the behavior and design of the machine.
The safety response time in the B&R system is the time between the arrival of the signal on the input channel and the output of the cutoff signal on the output. This involves data transmission on the bus and is set via the parameter "Safe Data Duration". Keep in mind that cutoff delays generated by the application are not part of this value and have to be added to it. The same applies to the "Signal processing in the safe B&R output module", which is not part of the Safe Data Duration.

Figure 59: Safety response time in the B&R system


When calculating the safety response time, it is important to take the "safety response time"
entries of the SafeIO module data sheets into consideration.

Safety technology \ System properties \ Safety response time

Automation Studio supports the monitoring of the data transmission time on the fieldbus using
the network analyzer.

Diagnostics and service \ Diagnostic tools \ Network analyzer

5.5.3 Specific safety controller parameters

Cycle_Time_µs - Cycle time


This parameter is used to define the cycle time (in µs) of the safety application.

Commissioning - Machine options parameters


Machine options are represented as channels that can be integrated in the safety application. Channels
will be set to TRUE (ON) or FALSE (OFF) by the system depending on the defined parameter value (ON
or OFF). This is how modular functionality is achieved in the safety application using machine options.
These machine options can be enabled or disabled during commissioning. The individual machine option
channels are located in the safety controller's I/O mapping.

Figure 60: Machine options "MachineType_A" and "MachineType_B" are used to configure the safety application


Figure 61: Machine options in the I/O mapping and enabling the machine options in the commissioning parameters

The machine option parameters are only present in the SafeLOGIC controller.

5.5.4 Specific parameters of input modules

"Internal" pulse mode


This setting is the default value and is used to apply the module's own clock generation. It is typically
used in one-channel and two-channel switches.

Figure 62: "Internal" pulse mode 1-channel
Figure 63: "Internal" pulse mode - 2-channel normally closed-normally closed combination
Figure 64: "Internal" pulse mode - 2-channel normally open/normally closed combination

"External" pulse mode


This setting is used for multi-channel switches and very long cables. A typical application is switching on a mode selector switch.

All of the switch's channels that are being used must be set to "External".

Figure 65: "External" pulse mode


"No Pulse" pulse mode


This setting is used for active sensors (e.g. light curtains, laser scanners). This setting disables the module's internal clock generation. Any testing gaps for the connected OSSD outputs must be closed using the filter parameter (Filter_Off).

Figure 66: "No pulse" mode

Pulse_Source
This parameter can be used to specify the clock source for the input channel. The X20SI9100 module, for example, is equipped with 20 inputs and four pulse sources. One of these four pulse sources can be assigned to each input.

Figure 67: Pulse source

Switch-on / switch-off filters


All safe digital input modules are equipped with separately configurable switch-on and switch-off filters.
• Filter_Off_µs – Filter for Low time
This parameter is used for the High-Low transition. It can be used for OSSD signals to bypass
the Low time, for example.
• Filter_On_µs – Filter for High time
This parameter is used for the Low-High transition. It can be used to extend High signals that
are too short so that they can be detected by the system.

Many sensors deliver a digital input signal with a superimposed OSSD signal (Output Signal
Switching Device). Testing gaps are built into the output signal where the output signal is briefly
Low. This method makes it possible to detect errors such as short circuits and cross faults to
the power supply or other channels. On safe input modules, the OSSD signal can be filtered
out by using the "Filter_Off_µs" parameter to prevent the test signal from being interpreted as
a switching state of the sensor.
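
The effect of "Filter_Off_µs" on an OSSD signal can be reproduced with a small simulation. The following Python model is an added example, not B&R code: it assumes the switch-off filter acts as an off-delay (a Low level is passed on only after it has lasted for the filter time), and the signal timings (5 ms test period, 400 µs test gap, real switch-off at 12 ms) and all function names are constructed for illustration.

```python
# Added example: simplified model of a switch-off filter (Filter_Off_µs) on a safe
# digital input. Signal timings are constructed; the off-delay semantics are an assumption.

REAL_OFF_AT_US = 12_000  # constructed: moment the sensor really switches off


def ossd_signal(duration_us, period_us, gap_us, real_off_at_us, step_us=100):
    """Constructed OSSD output: High, with a Low test gap of gap_us at the end of
    every period_us, and permanently Low from real_off_at_us onward."""
    samples = []
    for t in range(0, duration_us, step_us):
        in_test_gap = (t % period_us) >= period_us - gap_us
        switched_off = t >= real_off_at_us
        samples.append((t, not (in_test_gap or switched_off)))
    return samples


def switch_off_filter(samples, filter_off_us):
    """Assumed filter behaviour: a High input is passed on immediately; a Low input
    is passed on only after it has been Low without interruption for filter_off_us."""
    filtered, low_since, state = [], None, False
    for t, level in samples:
        if level:
            low_since, state = None, True
        else:
            if low_since is None:
                low_since = t
            if t - low_since >= filter_off_us:
                state = False
        filtered.append((t, state))
    return filtered


def falling_edges(samples):
    """Times (µs) at which the signal changes from High to Low."""
    return [t for (_, prev), (t, cur) in zip(samples, samples[1:]) if prev and not cur]


def evaluate(filter_off_us):
    """Run the constructed OSSD signal through the filter and report what the
    safety application would see."""
    raw = ossd_signal(20_000, 5_000, 400, REAL_OFF_AT_US)
    edges = falling_edges(switch_off_filter(raw, filter_off_us))
    return {
        # test gaps that were misread as the sensor switching off
        "false_switch_offs": [t for t in edges if t < REAL_OFF_AT_US],
        # how much later than the real event the switch-off is reported
        "switch_off_delay_us": edges[-1] - REAL_OFF_AT_US,
    }


if __name__ == "__main__":
    for filter_off_us in (0, 300, 500, 2000):
        print(filter_off_us, evaluate(filter_off_us))
```

In this model a filter time longer than the test gap removes the false switch-offs, and the real switch-off is reported later by exactly the filter time, so the filter should be no longer than the sensor's test gap requires.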


Discrepancy time - Discrepance_Time_µs


This parameter is used for multi-channel evaluation to specify the time window within which both switching elements have to change their state. Multi-channel evaluation is handled automatically by the system.
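
What a discrepancy time means for a two-channel switch can be shown with a simplified equivalence evaluation. The following Python model is an added example, not the module firmware and not the PLCopen SF_Equivalent specification: the state names, the 1 ms evaluation cycle, the rule that an error is cleared only when both channels are Low, and the three traces are assumptions constructed for illustration.

```python
# Added example: simplified two-channel equivalence evaluation with a discrepancy time.
# State names, cycle time and traces are constructed; this is not the module firmware
# or the PLCopen SF_Equivalent specification.
from dataclasses import dataclass

INIT, WAIT_ON, ACTIVE, WAIT_OFF, ERROR = "INIT", "WAIT_ON", "ACTIVE", "WAIT_OFF", "ERROR"


@dataclass
class EquivalenceMonitor:
    discrepancy_us: int
    state: str = INIT
    timer_start_us: int = 0

    def step(self, t_us, a, b):
        """Evaluate one sample of both channels; return the evaluated safe signal."""
        both_on, both_off = a and b, not a and not b
        if self.state == ERROR:
            if both_off:                      # assumed: error clears only with both Low
                self.state = INIT
        elif self.state in (WAIT_ON, WAIT_OFF):
            if t_us - self.timer_start_us > self.discrepancy_us:
                self.state = ERROR            # second channel did not follow in time
            elif both_off:
                self.state = INIT
            elif both_on and self.state == WAIT_ON:
                self.state = ACTIVE
        elif both_on:                         # from INIT, or remaining ACTIVE
            self.state = ACTIVE
        elif both_off:
            self.state = INIT
        else:                                 # channels differ: start discrepancy timer
            self.state = WAIT_ON if self.state == INIT else WAIT_OFF
            self.timer_start_us = t_us
        return self.state == ACTIVE


def run(discrepancy_us, events, end_us, cycle_us=1000):
    """Evaluate every cycle_us, holding the latest channel levels.
    Returns the state changes as (t_us, new_state)."""
    monitor = EquivalenceMonitor(discrepancy_us)
    pending, a, b, changes = sorted(events), False, False, []
    for t in range(0, end_us + 1, cycle_us):
        while pending and pending[0][0] <= t:
            _, a, b = pending.pop(0)
        before = monitor.state
        monitor.step(t, a, b)
        if monitor.state != before:
            changes.append((t, monitor.state))
    return changes


# Constructed traces: (t_us, channel A, channel B)
NORMAL = [(1000, True, False), (3000, True, True), (20000, False, True), (21000, False, False)]
STUCK_B = [(1000, True, True), (20000, False, True), (40000, False, False)]  # B opens far too late
SLOW_B = [(1000, True, False), (15000, True, True)]                          # B closes far too late

if __name__ == "__main__":
    for name, trace, end in (("normal", NORMAL, 25000), ("stuck B", STUCK_B, 45000),
                             ("slow B", SLOW_B, 20000)):
        print(name, run(10_000, trace, end))
```

The evaluated signal leaves ACTIVE as soon as the first channel drops; the discrepancy time only decides when a channel that fails to follow is reported as an error.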

Hardware \ X20 system \ X20 modules \ Digital input modules \ X20(c)SIx1x0


• Filter
• Connection examples
• X20SIx1x0 - Register description \ SafeDESIGNER parameters

Safety technology \ System properties \ Channel characteristics \ Digital input channels \ Connection examples
• Single-channel connection of electromechanical switches
• Two-channel connection of electromechanical switches
• Connecting multi-channel electromechanical switches
• Connection of active sensors (EPE, inductive sensors, etc.)

5.5.5 Specific parameters of output modules

Disable OSSD – Disable OSSD (Output Signal Switching Device)


This parameter can be used to disable the internal automatic switch-off test for the channel.

Auto Restart – Automatic restart


This parameter is used to disable the automatic restart inhibit for a channel. In this way, the output channel can be switched on using safety technology without an additional signal edge on the ReleaseOutput channel. This function remains active as long as the ReleaseOutput signal is TRUE.
Regardless of this parameter, a rising edge is required on the ReleaseOutput channel for
switching on the output channel in the following situations:
• After power up
• After error correction on the safe communication channel
• After correcting an error on a channel
• After the release signal drops out

Safety technology \ System characteristics \ Channel characteristics \ Digital output channels - Type A \ Connection examples
• Connecting safety actuators
• Connecting ACOPOS (SIL 2, PL d, CAT 3)
• Connecting ACOPOSmulti (SIL 3, PL e, CAT 4)

Exercise: Configuring modules


Configure the safe module parameters according to the connected safety components and the requirements of the Safety Requirements Specification (SRS).


The following configuration settings should be made:


• Emergency stop - Discrepancy time
• Light curtain - Discrepancy time, filter time for switch-off filter (OSSD signal from light curtain)

5.5.6 Specific parameters for other module types

For parameter descriptions of additional module types (temperature modules, safe analog modules), refer to the data sheets for the respective modules.

Hardware \ X20 system \ X20 modules


• Analog input modules \ X20(c)SA4430
• Temperature modules \ X20ST4492
• Counter modules \ X20(c)SD1207

5.6 Programs and libraries

SafeDESIGNER makes the programming languages Ladder Diagram and Function Block Diagram available for implementing the safety application. These can be combined within the worksheets.
Implementing POUs (program organization units) provides the option of structuring the safety application. The user can design their own blocks and reuse them within the software. Function blocks are implemented using either Ladder Diagram / Function Block Diagram or Structured Text.

Safety technology \ SafeDESIGNER \ User documentation \ Programming a project


• Programming text-based code
• Programming graphical code

5.6.1 Creating a user function block

SafeDESIGNER allows the creation of user function blocks to more clearly structure safety programs or to use parts of a program repeatedly. New function blocks are created by selecting the corresponding option from the project tree's shortcut menu. A dialog box then appears to input a name and to select the programming language. After the dialog box is confirmed, the function block appears in the project tree.

Figure 68: Creating a new function block


Either Ladder Diagram / Function Block Diagram or Structured Text can be selected as the programming language in this dialog box.

Figure 69: Select programming language for function block

The workspace for the function block also includes a corresponding variable declaration window. Local variables can be assigned as either VAR, VAR_INPUT or VAR_OUTPUT. Variables assigned VAR_INPUT and VAR_OUTPUT represent the inputs and outputs of the function block instance in the "Main" workspace. These inputs and outputs are used to supply the function block with data.

Figure 70: Defining a VAR_OUTPUT instance variable

Each function block is programmed in a separate workspace. It is possible to access I/O variables directly. I/O variables must be declared globally.

Adding a user function block


Newly created function blocks can be added using the Edit wizard. To do so, the project name must be
selected as the group in the Edit wizard.

Figure 71: Selecting the "SafeLOGIC-1" grouping in the Edit wizard and moving the function block to the workspace using drag-and-drop

The project must first be compiled so that the function block can be added to the main work
space. Changes to function block inputs and outputs become effective only after compilation.

Safety technology \ SafeDESIGNER \ User documentation


• User interface \ Project tree - Overview
• Programming a project \ FB-POUs: Inserting, deleting, renaming


Exercise: Create a user function block


Create your own function block that outputs the delayed signal for enabling the restart inhibit (ReleaseOutput). Use the "TON_S" function block for this.

Parameter        IN/OUT   Description
S_safetySignal   IN       Safety signal to be used to switch an output
S_safeOutput     OUT      Safe output signal
ReleaseOutput    OUT      ReleaseOutput signal with 50 ms delay

Table 5: Overview of the function block parameters

The ReleaseOutput signal is a non-safe signal. Another function block is needed after the
user function block output in order to convert the signal from a safe to a non-safe data type
(SAFEBOOL_TO_BOOL) before the time delay (TON_S).

5.6.2 Adding a Ladder Diagram network

An LD network can be added by clicking on the Network button in the vertical toolbar.

Figure 72: Adding an LD network

This adds a network to the workspace at the currently selected position.

Figure 73: Adding a network to the workspace

Variables can now be connected to the network elements. A wizard can be opened by double-clicking
on an element.

In order to connect an I/O variable, its scope must be set to "Global".

Safety technology \ SafeDESIGNER \ User documentation \ Programming a project \ Graphical code objects
• Contact and coil
• Variable

Adding function blocks to a network


It is also possible to create more complex networks using a function block.


Figure 74: Complex network with a function block

It is necessary to connect a time constant to the PT input. This can be done by double-clicking on the input
to open the wizard. The scope must be set to "Constant". The value of the constant, "SAFETIME#5s"
for example, has to be entered in the "name" field.

Figure 75: Creating a time constant

Safety technology \ SafeDESIGNER \ User documentation \ Programming a project \ Graphical code objects
• Function and function blocks

Exercise: Safe output and the ReleaseOutput signal


To enable the output for the saw, press the acknowledgment button. Enabling a safe output requires
activating the ReleaseOutput signal for the safe output with a delay of at least 50 ms.
The user function blocks created for generating the ReleaseOutput signal should be used for the time
delay.

1) Connect the safe input for the acknowledgment button to the function block input.

2) Connect the safe output for the saw to the function block's safe output.

3) Connect the ReleaseOutput signal to the corresponding function block output.

5.6.3 SafeDESIGNER libraries

Different functions are required for executing safety applications. In order to support the user as much
as possible, SafeDESIGNER provides the option to draw on previously certified libraries.


The available libraries can be imported via the shortcut menu of the
project tree and are structured into the following areas:
• openSAFETY
• PLCopen
• Presses
• SafeMOTION
• SafeROBOTIC
• Tables

Figure 76: Adding libraries to the SafeDESIGNER project

A description of a function block is available in the shortcut menu of a function block under Function block:Help on FB/FU. All of the function blocks in the PLCopen_SF library are documented in Automation Help.

Figure 77: Help call

PLCopen organization
The independent PLCopen organization works together with its members to develop safety-related solutions for IEC 61131-3 development environments. This enables safety-related functions to be used in a wide variety of different software tools. Functions are provided for safe logic programming and safe motion control. This helps users integrate standardized safety functions into their safety application.

Figure 78: Official PLCopen Safety logo

PLCopen_SF library
This library contains function blocks that were specified by the PLCopen organization and common
safety functions.
The function blocks specified by the PLCopen organization provide common safety functions. Among
these are, for example, function blocks for carrying out an emergency stop or a mode selector switch.
The PLCopen_SF library includes the following function groups:
• Actuator connections
• Sensor connections
• Muting

Safety technology \
• Libraries
• SafeDESIGNER \ User manual \ Function/Function Block Help


Exercise: Program the safety application


Program the functions specified in the Safety Requirements Specification (SRS) using the corresponding
function blocks in the PLCopen Safety library.
Use the following function blocks:
• SF_EmergencyStop
• SF_ESPE
• SF_ModeSelector

Also note the automatic restart inhibit of the safe output module.

Exercise: Program the emergency stop function


The emergency stop should be the first function programmed. All of the other safety functions such as
the light curtain and operating mode switch can then be programmed the same way.

1) Add SF_EmergencyStop and declare an instance.

2) Use an equivalence signal for both safe inputs.

3) Check the safe module configuration.

4) Connect the acknowledgment signal to the function block.

5) Connect the output signal.

6) Connect the ReleaseOutput signal.


5.7 Project documentation and printing

SafeDESIGNER can also be used to create documentation for the safety application. The documentation
interface can be opened by selecting Project / Project information from the main menu.

Figure 79: Project documentation


Project information includes the following:
• Manufacturer
Data about the machine manufacturer such as name, address and contact information can be
entered here.
• Project
Data related to the machine and the safety application is entered here. This project data is
automatically maintained by the system. The safety application's unique CRC code [2] is also
listed here.
• Responsible persons
This page contains a list of those responsible for the project, such as the project manager, safety
application programmer, safety application testers, etc.
• Safety functions
The safety functions configured for the machine are entered here. It is possible to check if a
safety function was successfully tested during integration, for example (see 4.2.3 "V-model of
the software lifecycle in accordance with EN ISO 13849").
• Commissioning checklist
This list is used to provide support for the validation process. Data such as, for example, network
connections and cabling are entered by the safety application programmer. These data must be
taken into account later during the commissioning process.
• History
History information for the safety application is managed on the History page. The respective
CRC code and other information regarding changes are entered for each revision.

[2] A cyclic redundancy check (CRC) is a procedure used to determine data checksums.


Yellow fields should always be filled out. Gray fields are optional.

Safety technology \ SafeDESIGNER \ User documentation \ Programming a project \ "Project info" dialog

Printing a project
Project documentation can be printed once the project information has been filled out. The selection
dialog box is opened by selecting File / Print project from the main menu.
The Page layout texts button can be used to configure additional settings for the documentation.

The following items can be selected:
• Table of contents
• Global cross references
• Local cross references
• Program: Main workspace and user function blocks
• Project information
• I/O mapping (I/O assignment)
• Safe parameters

Figure 80: Selecting documentation for printing

Safety technology \ SafeDESIGNER \ User documentation \ Programming a project \ Printing a project


6 Online connections, downloading and diagnostics

The following section will cover the SafeDESIGNER functions needed to simulate the safety application
and the online connection to the SafeLOGIC / SafeLOGIC-X controller.
The various diagnostics possibilities in SafeDESIGNER and Automation Studio are another important
element.

6.1 Simulating the application

Simulation makes it possible to test the safety application independently of the hardware. This
virtual SafeLOGIC controller is started by clicking on the Simulate button in the horizontal toolbar.

Figure 81: Starting simulation

Clicking on this button initiates a project build and starts the simulated SafeLOGIC controller. An
icon in the Windows system tray indicates when simulation is running.

Figure 82: Icon in the system tray

The safety application itself can now be transferred and tested.


See also:
• 6.2 "Online communication and downloading"
• 6.3.3 "Forcing variables"

Safety technology \ SafeDESIGNER \ User documentation \ EASYSIM controller simulation

6.1.1 Enabling the simulation and debug functions

Simulation is enabled by clicking the corresponding button. If you are not prompted to provide
a password when establishing a connection to the safety controller, then simulation mode is still active.
This is indicated by a black border around the Simulation button.

Figure 83: Important! Simulation mode still active


Disabling simulation and changing the connection
1) Close the control window (safety controller window)
2) Disable simulation by clicking on the Simulation button
3) Enable the connection by clicking on the Safety controller button.

The SafePLC control window


The control dialog displays the status of the safety controller. The control dialog will have different colors
depending on the operational state. The Debug button needs to be enabled in order to force variables
in the safety program. The following table shows the possible operating states.
Yellow: Run[Safe]
Red: Run[Debug]

Figure 84: Run[Safe] state
Figure 85: Run[Debug] state

The Debug and Safe buttons can be used to switch between states.
• See: 6.3.3 "Forcing variables".

6.1.2 Downloading to the simulation via the control dialog box

The Run[Debug] state must be active in order to perform a download. A notification window is
displayed when switching from the Run[Safe] to the Run[Debug] state to inform the user that the
system is leaving the safe state.

Figure 86: Message when switching to Debug mode

The SafeLOGIC controller must be stopped (in Stop[Debug] state) in order to perform a download.
Then, you can download the safety application. A window is displayed to define what should happen
after the download and with the project source files.

Figure 87: Stop[Debug] state

The following download options are available:
• Auto restart
The safety application is started automatically after the device is restarted.
• Manual operation
The safety application must be started manually via the communication window.
• Archive program sources on SafePLC

Figure 88: Download options


A notification window is displayed after a download to confirm that the download was successful.
The download options can be used to specify if the safety application is executed automatically
after the SafeLOGIC controller is restarted or if the safety application has to be restarted manually.

Figure 89: Message indicating a successful download

The Control dialog box can only be used to download the safety application to the simulation
controller and debug it. For the safety controller, the Remote Control dialog box (6.2.3
"Downloading via the Remote Control dialog box to the safety controller") is required.

Safety technology \ SafeDESIGNER \ User manual \ Commissioning the SafePLC \ Downloading the Project

6.2 Online communication and downloading

A project must be compiled before being downloaded. Only compiled projects that are error-free can
be transferred to the safety application or the simulation. The source of any warnings that occur must
be found and corrected.

Clicking on the Compile button compiles the safety application and assigns it a unique CRC
code [3]. The safety application can then be transferred to the safety controller.

Figure 90: The "Compile" button

During the compilation procedure, any messages, errors or warnings that occur will be listed in
the message window.

Figure 91: Message window

[3] A cyclic redundancy check (CRC) is a procedure used to determine data checksums.


Safety technology \ SafeDESIGNER \ User documentation \ Compiling a project

6.2.1 Connection types to the safety controller

There are various options for connecting to a safety controller. The following table shows which
types of connection work with which safety controllers. The following pages explain the connection
options in more detail.

Connection possibilities SL SLX


Online connection via the standard CPU

Online via direct connection

Manual connection
Table 6: Connection options to SafeLOGIC / SafeLOGIC-X

The individual connection types are described below, but only the online connection via the
standard CPU is covered in detail in this training module.

Online via the standard CPU


The existing connection with the standard CPU can be used to establish online communication
with the safety controller. In this case, data is forwarded automatically by the standard CPU. The
advantage of this method is that the SafeLOGIC controller does not have to be removed from the
automation network when downloading software.

Figure 92: Online via a standard CPU

The automatic routing of communication to the safety controller is enabled in Automation Studio. This
takes place in the module configuration of the SafeLOGIC controller / SafeLOGIC-X controller. When
the option Activate SPROXY is active, the port number for the communication can be set. This option
is always enabled as standard.


Figure 93: Enabling the SPROXY in the module configuration for SafeLOGIC in Automation Studio

A unique port number must be configured in the POWERLINK network for each safety controller. If there
are several safety controllers in a configuration, each of them must be set to a different value.
When SafeDESIGNER is opened, the current online settings of Automation Studio are retrieved. If at this
time there is an online connection to a controller, then this IP address is used for the online settings in
SafeDESIGNER and a connection can be made to the safety controller.

If the serial interface is used in Automation Studio, then an error message appears when
SafeDESIGNER is opened. This means that a TCP connection to a controller must exist in
order to be able to communicate with the safety controller.

In SafeDESIGNER, communication to SafeLOGIC controller / SafeLOGIC-X controller can be activated
via the menu item Online / TCPIP communication parameters. The preset standard value is the
connection "SL communication via the CPU".

Figure 94: TCP/IP communication parameters for connecting via the CPU in SafeDESIGNER

Online via direct connection


A direct connection is established by connecting the PC directly to
the SafeLOGIC controller using a network cable. An IP address is
set on the PC using the address range of the POWERLINK network
(192.168.100.xxx). The last position in the IP address is always the
node number defined for the SafeLOGIC controller.

Figure 95: Online via direct connection


The window for configuring connection settings in SafeDESIGNER is opened by selecting Online /
TCPIP communication parameters. To establish a direct connection, select the option SL
directly connected.

Figure 96: TCP/IP communication settings for a direct connection

Manual connection
With a manual connection, all communication parameters such as the IP address and port number can
be set manually by the user.
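
The port and addressing rules described above (a unique SPROXY port for each safety controller, and a direct-connection address whose last position is the node number) can be checked before commissioning. The following Python check is an added example, not B&R code; the controller names, node numbers, port values, the /24 prefix and the 1..239 node range are assumptions, and the sample data is constructed.

```python
import ipaddress
from collections import defaultdict

# Address range the text gives for the POWERLINK network (192.168.100.xxx).
# The /24 prefix is an assumption of this example.
POWERLINK_NET = ipaddress.ip_network("192.168.100.0/24")
# Assumption: node numbers 1..239 (POWERLINK controlled-node range).
NODE_MIN, NODE_MAX = 1, 239

# Constructed sample data: names, node numbers and port values are illustrative.
SAMPLE_CONTROLLERS = [
    {"name": "SL_Saw",      "node": 1,   "sproxy_port": 50000},
    {"name": "SLX_Infeed",  "node": 2,   "sproxy_port": 50001},
    {"name": "SLX_Outfeed", "node": 3,   "sproxy_port": 50001},  # port reused
    {"name": "SL_Spare",    "node": 300, "sproxy_port": 50002},  # invalid node
]


def direct_connection_ip(node):
    """Controller address for a direct connection: last position = node number."""
    if isinstance(node, bool) or not isinstance(node, int):
        raise ValueError(f"node number must be an integer, got {node!r}")
    if not NODE_MIN <= node <= NODE_MAX:
        raise ValueError(f"node number {node} outside {NODE_MIN}..{NODE_MAX}")
    return POWERLINK_NET.network_address + node


def audit_connection_settings(controllers, pc_ip=None):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    names_by_port = defaultdict(list)
    names_by_ip = defaultdict(list)

    for ctrl in controllers:
        name, port = ctrl["name"], ctrl["sproxy_port"]
        if isinstance(port, int) and 1 <= port <= 65535:
            names_by_port[port].append(name)
        else:
            findings.append(f"{name}: SPROXY port {port!r} is not a valid TCP port")
        try:
            names_by_ip[direct_connection_ip(ctrl["node"])].append(name)
        except ValueError as exc:
            findings.append(f"{name}: {exc}")

    # Each safety controller needs its own port so the CPU can route to it.
    for port, names in sorted(names_by_port.items()):
        if len(names) > 1:
            findings.append(f"SPROXY port {port} is shared by {', '.join(names)}")
    for ip, names in sorted(names_by_ip.items()):
        if len(names) > 1:
            findings.append(f"node address {ip} is shared by {', '.join(names)}")

    # For a direct connection the PC must sit in the same range without
    # taking an address that belongs to a controller.
    if pc_ip is not None:
        pc = ipaddress.ip_address(pc_ip)
        if pc not in POWERLINK_NET:
            findings.append(f"PC address {pc} is outside {POWERLINK_NET}")
        elif pc in names_by_ip:
            findings.append(f"PC address {pc} collides with {names_by_ip[pc][0]}")
    return findings


if __name__ == "__main__":
    for line in audit_connection_settings(SAMPLE_CONTROLLERS, pc_ip="192.168.100.2"):
        print("FINDING:", line)
```
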

Safety technology \ SafeDESIGNER \ User manual \ Commissioning the SafePLC \ Communication settings

6.2.2 Establishing the connection to the safety controller

If the connection settings have been carried out correctly, the Remote Control dialog box can be
opened via the SafeLOGIC controller's shortcut menu in the Safety View.

Figure 97: Open the Remote Control dialog box

Once the first connection to the SafeLOGIC-X controller has been established, it is necessary to
assign a password. This password is tied to the Safety Container [4] and must be re-entered every
time the connection is reestablished. If the Safety Container contains an unknown safety
application, the Safety Container can be formatted by creating the CompactFlash.

Figure 98: Entering the password for the SafeLOGIC-X controller

After the password is entered, the Remote Control dialog box is opened. A detailed description can be
found here:
• See: 7.2 "Operating and status elements of the Remote Control dialog box".

[4] The Safety Container is a file that is saved on the CompactFlash of the CPU. This file contains the
entire safety application, the safety configuration, as well as the module IDs. The Safety Container
can be understood as the SafeKEY of the SafeLOGIC-X controller.


Safety technology \ SafeDESIGNER \ User documentation


• Password protection for projects and the safety controller
• Commissioning the SafePLC
° SafePLC states
° SafePLC operating modes
° Dialogs for controlling the SafePLC \ 'SafePLC' Dialog (control dialog)

6.2.3 Downloading via the Remote Control dialog box to the safety controller

When it is compiled in SafeDESIGNER, the safety application is bundled into a file. This file is saved in
a Safety Container, which is stored on the controller's CompactFlash card. The Safety Container is the
SafeKEY for the SafeLOGIC-X. Transfer is activated in SafeDESIGNER using the "Download" command
that is accessed in the Remote Control dialog.

Figure 99: Transfer process from PC to SLX module

The file containing the safety application is transferred to the Safety Container via the "Download"
command in the Remote Control Dialog Box. Transfer to the SafeLOGIC-X controller takes place
automatically once the download is completed.

The Remote Control Dialog Box can be opened from the shortcut
menu of the SafeLOGIC-X controller in the Safety View.

Figure 100: Open Remote Control Dialog Box


Once the necessary password has been entered, the Remote Control Dialog Box will open [1]. The
download can now take place via the Remote Control Dialog Box.

Figure 101: Remote Control dialog box

Exercise: Compile and download


Compile your project, create a connection to the Safety Controller (via the standard CPU) and execute
a download.

1) Compile the safety application.

2) Set up a connection to the safety controller

3) Assign SafeKEY / Safety Container password

4) Download the safety application to the safety controller

5) Monitoring of the LED status on the SafeLOGIC controller / status notifications of the Remote
Control dialog box

(7 "Commissioning and maintenance")

6.3 Application diagnostics

SafeDESIGNER provides several possibilities for troubleshooting a safety application.


The following diagnostics options are available:
• 6.3.1 "Checking I/O status bits"
• 6.3.2 "Checking the variable status"
• 6.3.3 "Forcing variables"
• 6.3.4 "Executing the safety application cycle by cycle"

6.3.1 Checking I/O status bits

For each I/O channel, one bit of information about the status of that channel or multi-channel evaluation
is available in SafeDESIGNER. Additional information about the electrical current and physical switching
state is available for safe output modules.

[1] If the password is unknown, a CompactFlash must be created. A new password must be set up the next
time the Remote Control Dialog Box is activated.


Figure 102: Status information for a safe input module
Figure 103: Status information for a safe output module

In order to receive status information, status information channels must be in use in the
workspace. Status information about safe modules is also available for diagnostic purposes in the
Automation Studio I/O mapping in the form of non-safe data points.

To change to the global variable declaration, click the Global Declaration icon. Clicking on the
Variable status button displays the live values of global variables in the "Online value" column
as well as the I/O channels being used.

Figure 104: Enabling the variable status

Figure 105: Variable status in the global declaration window

6.3.2 Checking the variable status

SafeDESIGNER also contains a function for checking the variable status. It can be enabled with the
Variable status button.

Figure 106: Button for enabling the variable status

This allows the current value of each variable to be displayed in the visual editor. The connection lines
between function blocks are colored differently depending on the value of the variables.


Color | Function
Red | Signal switched through
Blue | Signal not switched through
Green | Constants and information

Figure 107: Variable status enabled: Corresponding values are shown below the
variables in the workspace.

Any variable with an enabled variable status can be added to the Watch window by selecting the
corresponding option in its shortcut menu. Variables can be forced in the Watch window in the
Run[Debug] state (see 6.3.3 "Forcing variables").

Figure 108: Variable status in the Watch window

Safety technology \ SafeDESIGNER \ User manual \ Commissioning the SafePLC \


• Monitor: Displaying the variable status
• Monitor: Using the Watch window

6.3.3 Forcing variables

In the Run[Debug] state, variables can be forced when the variable status is enabled.

Forced variables can cause dangerous situations on the machine. Always make sure that the
machine is secured appropriately.

Double-clicking on a variable will open a window for enabling the force procedure. This action must
be confirmed by the user. A notification window warns of the potential risks.

Figure 109: Forcing variables


Forced variables are shown in a different color in the visual editor.

Figure 110: Forced variables

All forced variables are reset when switching to the Run[Safe] state
via the communication window, a situation that is brought to the
user's attention by a notification window.

Figure 111: Message window indicating that forced variables will be reset

Safety technology \ SafeDESIGNER \ User manual \ Commissioning the SafePLC \ Debugging: Forcing, overwriting, single cycle mode

6.3.4 Executing the safety application cycle by cycle

SafeDESIGNER allows the safety application to be executed in single cycles for testing purposes. To
do so, it is necessary to first switch to the Run[Debug] state and then to the Halt[Debug] state by
clicking on the Stop button.

Figure 112: The Halt[Debug] state

The safety application is executed a single time by clicking on the Single cycle button.

Selecting Continue switches back to the Run[Debug] state.

Safety technology \ SafeDESIGNER \ User manual \ Commissioning the SafePLC


• Debugging: Forcing, overwriting, single cycle mode
• Dialogs for controlling the SafePLC \ 'Debug' dialog

Exercise: Perform diagnostics on your application with additional functionality


Test and diagnose your safety application using the methods explained above. Expand your safety
application by adding the missing functions from the Safety Requirements Specification (SRS).


For integrating diagnostic data, the Diag-Codes of the PLCopen Safety function blocks can now be
transferred via communication channels to the functional CPU.

1) Parameterize communication channels in the Automation Studio hardware configuration

2) Compile and transfer Automation Studio application

3) Assign Diag-Codes in SafeDESIGNER to global variables

4) Connect variables for Diag-Codes with the communication channels via the I/O mapping in
SafeDESIGNER

5) Compile and transfer the safety application

6) Evaluate the Diag-Codes in the Automation Studio I/O monitor

6.3.5 Automation Studio Logger window

The system keeps a log of the safety-related components and safe communication, which can be
accessed via Automation Studio. This logger data is accessed in Automation Studio using the Open /
Logger main menu item.

Figure 113: Safety entries in the Automation Studio Logger window

The following events are recorded in this log:


• Replacing safety modules
• Safe module configurations
• Application downloads
• Updating firmware
• Changes to the fail safe state

Diagnostics and service \ Diagnostic tools \ Logger window


6.3.6 Project comparison

SafeDESIGNER provides the user with the opportunity to compare projects to each other. This means
that the safety application, configuration and parameters of the selected projects are compared with
each other.
When comparing projects, two different methods are available, both of which are called via "Project":
• Compare project...
• Compared to SafePLC project...

Figure 114: Start project comparison

Project compared
If it is necessary to compare the project currently opened in SafeDESIGNER with one that is stored
locally, "Compare project..." has to be selected. A window opens where the project to be compared is
selected. To do so, select the file in the project with the extension ".swt".

Compared with project on the safety controller


The second option is to compare with a project of the safety controller. To do so, the safety
controller must be connected and the project sources must be stored on it.
Under "Online - Communication parameters" in the bottom part of the window there is an entry that
has to be selected so that the project sources are stored. Storing the sources is the standard
setting; if this is not desired, the entry can be deselected.

Figure 115: Store project sources on the safety controller

The project comparison is separated into an upper and lower area. In the former, the differences are
shown in graphic form and labeled in different colors. The image below shows how a difference is
displayed.


Figure 116: Displayed differences in the project comparison


7 Commissioning and maintenance

This section will cover some of the various scenarios for commissioning and maintenance. The
checklists and informational notices provided make daily work with SafeDESIGNER easier.

The safety application itself can now be transferred and tested.


See also:
• 7.1 "SafeLOGIC control and status elements"
• 7.2 "Operating and status elements of the Remote Control dialog box"
• 7.3 "LED status indicators on SafeIO modules"
• 7.4 "Commissioning the safety application"
• 7.5 "Replacing and updating modules"

Safety technology \ SafeDESIGNER \ User documentation \ EASYSIM controller simulation

The following topics will be covered in this section:
7.1 SafeLOGIC control and status elements
7.2 Operating and status elements of the Remote Control dialog box
7.3 LED status indicators on SafeIO modules
7.4 Commissioning the safety application
7.5 Replacing and updating modules

7.1 SafeLOGIC control and status elements


LED status indicators of the safety processor on the SafeLOGIC controller
The SafeLOGIC controller has a user interface consisting of LED status indicators and an operating
mode switch. This interface is used to display states and perform various actions. The image
shows the operating mode switch and LED status indicators for the safety processor.

Figure 117: Selector switch, acknowledgment button and LED status indicators for the safety
processor on the SafeLOGIC X20SL81xx


The LED status indicators for this safety processor indicate the state of the SafeLOGIC controller, the
safety application and the safe modules. The operating mode switch is used to acknowledge when
firmware is modified, the SafeKEY is exchanged or when new modules have been added.

LED status indicators indicate various operating and error states using different flashing
patterns or by being lit constantly.
A detailed description can be found in the SafeLOGIC user's manual and in Automation Help.
Important information regarding commissioning, LED status indicators and acknowledgment:
7.4 "Commissioning the safety application"

Hardware \ X20 system \ X20 modules \ CPUs \ X20(c)SL81xx \ Control and connection elements \
Safety processor \ LED status indicators for the safety processor

Selector switch and acknowledgment button of the safety processor on the SafeLOGIC controller
The selector switch and corresponding acknowledgment button can be used to perform various actions
depending on the status messages indicated by the LED status indicators on the SafeLOGIC controller.

Switch position | Operating mode | Description
FW-ACKN | Firmware acknowledgment | Acknowledges a firmware update
SK-XCHG | SafeKEY exchange | Confirms the SafeKEY exchange
SK-COPY | SafeKEY copy | Copies the configuration file from the SafeKEY
SCAN | Scan | Triggers a module scan
Test | Test | Performs LED test
1,2,3,4,n | Replacing a module | Acknowledges a module replacement with 1, 2, 3, 4 or more modules
Between FW-ACKN and SK-XCHG | Formats the SafeKEY | The SafeKEY can be formatted by pressing the acknowledgment button for 20-30 seconds. After this time has passed, the ENTER LED lights up. This causes the password to be reset.
Table 7: Functions provided by the SafeLOGIC selector switch and acknowledgment button

Hardware \ X20 system \ X20 modules \ X20 CPUs \ X20(c)SL81xx \ Control and connection
elements \ Safety processor \ Selector switch and confirmation button


7.2 Operating and status elements of the Remote Control dialog box

The Remote Control dialog box is the user interface for the safety controller. The status and
various option fields are shown. The option fields are locked, highlighted or neutral. This means
that an incorrect entry is not possible.

Figure 118: Remote Control dialog box

Remote Control dialog box status notifications

1 Target status
2 Module status
3 Firmware / SafeKEY status
4 FAIL SAFE status

Figure 119: Remote Control dialog box status notifications

Target status - shows the current operational status of the safety controller.
Module status - describes the status of the safe module, for example how many modules need to be
confirmed.
Firmware / SafeKEY status - displays the status of the Firmware and the Safety Container.
FAIL SAFE status - shows the startup behavior or the status of the entire module following startup.

Selection field of the safety controller


Button | Operating mode | Description
SK-FORMAT | Format Safety Container / SafeKEY | The Safety Container / SafeKEY is formatted and the password of the safety application is reset.
SK-XCHG | Confirm the Safety Container / SafeKEY | The new Safety Container / SafeKEY is confirmed.
SCAN | Scan modules | A module scan is started.
1,2,3,4,n | Confirm modules | The new modules are confirmed with 1, 2, 3, 4 or n.
CLEAR DATA | Delete data | The machine option parameter file is deleted.
TEST | Test | The LED test is performed.
FW-ACKN | Firmware acknowledgment | The firmware is confirmed.
Change password | Change password | The current password of the Remote Control dialog box is changed.
Download | Download project | The safety application of the Safety Container / SafeKEY is downloaded.
Setup mode [5] | Download project | This mode is a commissioning aid. The acknowledgment of firmware, modules and SafeKEY or safety application is done automatically.
Reset SafeLOGIC | Reset safety controller | The safety controller is restarted.
Table 8: Remote control functions

Safety technology \ SafeDESIGNER \ User documentation \ Commissioning the SafePLC \ Dialogs for
controlling the safety control system \ Remote Control
Hardware \ X20 system \ X20 modules \ CPUs \ X20(c)SL81xx \ Setup mode

A "Technology Solution" is available for the remote control of the safety controller. This solution
includes an HMI application that displays the Remote Control dialog box and therefore enables
the additional control of the SafeLOGIC-X controller via an HMI application (8.2 "The "AsSafety
Basic" solution").

7.3 LED status indicators on SafeIO modules

The LED status indicators of a safety module display various different status messages. For example,
the operating status of the I/O module is displayed on the bus. In addition, safety-related
information is also indicated using additional LEDs. The operating state of the module on the bus
and the safety-related state should be considered separately. The LED status indicators indicate
warnings and errors using unique blink codes or by being lit constantly.
Detailed information about these LED status indicators can be found in the user's manual or
Automation Studio help documentation.

Figure 120: LED status indicators on a safe input module

[5] Setup mode should be disabled after commissioning is complete. Alternatively, Setup mode can also be
set via the AsSafety library.


Hardware \ X20 system \ X20 modules \ Analog input modules \ X20(c)SA4430 \ LED status
indicators
Hardware \ X20 system \ X20 modules \ Digital output modules \ X20(c)S0x1x0 \ LED status
indicators
Hardware \ X20 system \ X20 modules \ Digital input modules \ X20(c)SIx1x0 \ LED status
indicators
Hardware \ X20 system \ X20 modules \ Temperature modules \ X20ST4492 \ LED status
indicators
Hardware \ X20 system \ X20 modules \ Counter modules \ X20(c)SD1207 \ LED status
indicators

7.4 Commissioning the safety application

The following is a list of the most important steps in commissioning the SafeLOGIC controller, the safe
I/O modules and the safety application. Notes have been added to the list.

Individual functions on the SafeLOGIC controller are acknowledged using the acknowledgment
button. The acknowledgment button must be pressed for between 500 ms and 4 seconds.
An incorrect entry is indicated by three flashes on the ENTER LED and is not accepted.
A correct entry is signaled by an ENTER LED that is continually lit.
When using the Remote Control dialog box, an incorrect entry is not possible. All buttons
that are not permitted to be selected at the respective time are disabled.

Process Notes SLX SL OK


Generate Com- CompactFlash card data must be generated for the standard CPU.
pactFlash data This includes the standard application and the hardware configura-
tion for all modules.
This process resets the safety application and SLX module pass-
word.
Wait for the The complete system boot must then be completed.
complete system The system performs the following steps:
to boot • Starting the standard CPU
• Starting the SafeLOGIC controller
• Performing firmware updates on the modules
• Initializing the hardware

Any necessary module firmware updates will be performed


when the system is started. This is indicated by the module
LED status indicators, the R LED on the standard CPU and
the status bar in Automation Studio.

SafeKEY blank? YES - If the FAIL LEDs light continuously on the SafeLOGIC con-
troller, a safety application has not yet been transferred to the
SafeKEY.

TM510 - Working with SafeDESIGNER 69


Commissioning and maintenance

Process Notes SLX SL OK


NO - If a safety application has already been saved to the SafeKEY, the SafeKEY can be formatted to reset the password. If this is not the case, the next step can be skipped.
This step is only necessary for the SafeLOGIC.

Process: Format the SafeKEY
Notes:
SafeLOGIC:
Setting the selector switch on the SafeLOGIC controller to the setting between SK_XCHG and FW_ACKN (11 o'clock) and pressing the acknowledgment button for 20-30 seconds (until the ENTER LED lights) will format the SafeKEY. The SafeLOGIC controller will then be restarted.
SafeLOGIC-X:
The Remote Control dialog box is necessary for this. This contains its own SK-FORMAT button for formatting the SafeKEY.

Formatting the SafeKEY will result in the loss of all settings/parameters as well as the safety application.

Process: Download program
Notes: If the Remote Control dialog box is used, the program can be transferred to the safety controller in this step using the "Download" button intended for this purpose.
Restart:
The safety controller will then be restarted automatically.

Process: Acknowledge the SafeKEY
Notes:
SafeLOGIC:
A constantly lit FW_ACKN LED indicates an unknown or blank SafeKEY. The SafeKEY can be acknowledged using the SK_XCHG setting.
SafeLOGIC-X:
Here, the SafeKEY status "SafeKEY exchanged" and the orange illumination of the "SK-XCHG" button are displayed.

Process: Connect to the SafeLOGIC controller
Notes: The connection to the SafeLOGIC controller can now be established in SafeDESIGNER.
This step is only necessary for the SafeLOGIC.

Process: Download the safety application
Notes:
SafeLOGIC:
The safety application can now be loaded onto the SafeLOGIC controller via SafeDESIGNER.
SafeLOGIC-X:
The download can be started here either via the control dialog or directly via the Remote Control.
Restart:
The safety controller will then be restarted automatically.

Process: Acknowledge new modules
Notes: The newly detected safe modules must be acknowledged in the next step.
SafeLOGIC:
This is indicated on the SafeLOGIC controller by a quickly blinking MXCHG LED. The number of flashes indicates the number of modules that must be set on the selector switch for acknowledgment. The values 1, 2, 3, 4 or n can be selected.
SafeLOGIC-X:
The module status of the Remote Control dialog box displays how many modules must be acknowledged. This value is also highlighted in orange.


The SafeLOGIC / SafeLOGIC-X controller is also included in the modules.

Process: Acknowledge the firmware
Notes: The module firmware must now be acknowledged.
SafeLOGIC:
This is indicated by a blinking FW_ACKN LED on the SafeLOGIC.
SafeLOGIC-X:
If the FW-ACKN button is orange, this can be used to acknowledge the firmware.

Process: Test the application
Notes: The safety application is now running. This is indicated by a constantly lit green R/E LED on the SafeLOGIC controller. The safety application can now be tested.

Safety technology \ SafeDESIGNER \ User manual \ Commissioning the SafePLC

7.5 Replacing and updating modules

This section discusses some of the procedures that could arise over the course of a machine's maintenance
cycle. It describes the replacement of SafeIO modules, the replacement of a safety controller and
the updating of the safety application, among other things.

7.5.1 Replacing a module

The system checks the safety-relevant hardware configuration at an interval set by the system. Any new
modules found are indicated by the SafeLOGIC controller.
SafeLOGIC:
• The MXCHG LED blinks (indicating the number of new modules).
• Acknowledge the new modules: Set the selector switch to 1, 2, 3, 4 or n and confirm with ENTER.
• Perform a test on the affected machine part.

SafeLOGIC-X:
• Module status "Scanning" is displayed in the Remote Control dialog box
• After the missing modules are detected, the module status displays "(Number of new modules)
modules missing"
• The button with the correct value is highlighted in orange
• Use this button to acknowledge the modules
• Perform a test on the affected machine part.

If more modules were replaced than signaled, a manual scan can be started using the SCAN
switch position/button. This may be necessary for larger machines where automatic scanning
takes a long time.


7.5.2 Replacing a safety controller

SafeLOGIC:
• Replacing a SafeLOGIC controller
• Connect the old SafeKEY.
• FW-ACKN LED is permanently on
• Acknowledgment of the SafeKEY by selecting SK-XCHG, confirm by hitting ENTER
• The MXCHG LED blinks 1x slowly.
• Acknowledge the new SafeLOGIC controller.
Set the selector switch to 1 and confirm with ENTER.
• Testing is not required.

SafeLOGIC-X:
• Replacing the SafeLOGIC-X controller
• The module status in the Remote Control dialog box displays "1 module missing"
• The button with the value 1 is orange; this button is used to acknowledge the SafeLOGIC-X
controller
• Testing is not required.

A firmware update of the SafeLOGIC / SafeLOGIC-X may be performed.

7.5.3 Confirm the firmware update

In some cases, the system may have to update module firmware after a module is replaced, modules
are added to a safety application or after new firmware has been installed.
Process and procedure
• Wait for the firmware update.
• The FW-ACKN LED blinks.
• Acknowledge the firmware: Set FW-ACKN and confirm with the confirmation button.
• The modules will be updated and started.
• Perform a full test of the safety application.

SafeLOGIC-X:
• Wait for the firmware update.
• Firmware / SafeKEY status displays "FW updated"
• Acknowledge the firmware using the FW-ACKN button
• The modules will be updated and started.
• Perform a full test of the safety application.

Exercise: Diagnostics and module replacement


Test the functionality of your safety application. Replace a module and then test your application.

7.5.4 Missing modules

SafeLOGIC:


The system checks the safety-related hardware configuration at fixed intervals. A quickly blinking MXCHG
LED and a double-blinking FAILSAFE LED indicate that a missing module has been detected.
SafeLOGIC-X:
The SafeLOGIC-X controller also checks the modules at pre-determined time intervals. If a missing
module is detected, the module status displays: "(Number of missing modules) modules missing".

7.5.5 Update the safety application via SafeKEY

The safety application can be updated by connecting a preprogrammed SafeKEY. The SK-COPY function
on the SafeLOGIC controller can be used to copy settings to the SafeKEY in order to back up the
safe configuration and safe parameters. This eliminates the need to acknowledge safe modules and
firmware.

• The old SafeKEY is connected.
• Set to SK-COPY and confirm with ENTER.
• The configuration data is copied from the SafeKEY to RAM on the SafeLOGIC controller.
• Remove the old SafeKEY.
• Connect the new SafeKEY.
• Confirm with ENTER.
• The system restarts.
• Perform a test on the affected machine part.

In order to perform an update of the safety application in the SafeLOGIC-X controller, a CompactFlash
can be created. Then the new safety application is downloaded using the "Download"
button in the Remote Control dialog box.


8 Sample projects and solutions

8.1 "Basic Safety" sample project

The "Basic safety" project is an Automation Studio project that already includes both a standard application and a safety application.

Figure 121: Hardware structure of the basic safety project

Some of the exercises in this training module have already been completed in the "Basic safety" project to serve as examples. The "Basic safety" project can be opened from the Automation Studio start page.

The password for the SafeDESIGNER project in the "Basic safety" project is "standard".

Figure 122: "Basic safety" project on the Automation Studio start page

The following operations are included in the "Basic safety" project:
• Evaluating the equivalence of the emergency stop button with the SF_EmergencyStop function block
• Evaluating the equivalence of the light curtain and the SF_ESPE function block
• Resetting all error messages from PLCopen function blocks with the reset button
  A digital signal is transferred from the standard application via the CPU-SafeLOGIC communication channels.
• Transferring error bits from PLCopen function blocks via communication channels
• Switching the outputs with the enabling principle in "Direct" mode
• Implementation of the ReleaseOutput restart inhibit


Figure 123: "Main" workspace for the safety application in the "Basic safety" project

Automation software \ Example projects \ Basic Safety project \ Opening the project
Automation software \ Example projects \ Basic Safety project \ Starting SafeDESIGNER

8.2 The "AsSafety Basic" solution

A safety controller solution is available in Automation Studio. This solution includes an HMI application,
which is controlled by a task. The HMI application includes the remote control, among other things. This
can be operated on a panel, if necessary. In this case, SafeDESIGNER is not needed to activate the
safety controller.

Downloading and installing the solution

If the "AsSafety Basic" solution is not yet available in Automation Studio, it can be installed from
the upgrades window, which is opened under the "Extras" navigation field.
In this window, the required solution is found under the "Solution" category; select it and install it
with "Install selected upgrades".


Figure 124: "Extras" navigation field

Figure 125: "Upgrades" window

Add solution to project


A solution can be imported using "Add object" in Logical View.
In the left column of the open window there is a category called "Solution", in which a distinction is
made between "Custom Solutions" and "Technology Solutions". The "AsSafety Basic" solution can
be found in the "Technology Solutions".

Figure 126: "Add object" window

Figure 127: "Technology Solutions" window


Visualization
In the "AsSafety Basic" solution there is a visualization which represents the Remote Control dialog box and other functions. This Remote Control dialog box is identical to the one in SafeDESIGNER, which means it is also used in the same way. The HMI application can, for example, be assigned to a panel and operated from it. Using SafeDESIGNER to start up the safety controller is no longer necessary.
If no panel is available, this visualization can also be started and controlled with the VNC viewer.

Figure 128: VNC Viewer with Remote Control dialog box

Solutions \ Technology Solutions \ AsSafety Basic


9 Summary

SafeDESIGNER is used for the safety-related configuration of the safety controller and safe modules.
The safety application is programmed using the visual editor and a variety of PLCopen safety function
blocks. A user-friendly interface and a wide range of diagnostic options make it easier to commission
the SafePLC. SafeDESIGNER provides additional benefits as well, including the possibility to create
complete documentation as well as a simulation environment for a project.

Participants are now familiar with the configuration possibilities offered in Automation Studio and
SafeDESIGNER for creating a safety application. They are able to easily create documentation for their
safety application. They have programmed their own safety functions in addition to using PLCopen Safety
function blocks. They have learned how to make use of the integrated help documentation. They
are familiar with the processes for commissioning and maintenance of the safety controller and safety
modules.


Seminars and training modules

At the Automation Academy, you'll develop the skills you need in no time!
Our seminars make it possible for you to improve your knowledge in the field of automation engineering.

Automation Studio seminars and training modules

Programming and configuration
SEM210 – Basics
SEM246 – IEC 61131-3 programming language ST*
SEM250 – Memory management and data storage
SEM260 – The basics of closed-loop control
SEM410 – Integrated motion control*
SEM441 – Motion control: Electronic gears and cams**
SEM480 – Hydraulics**
SEM1110 – Axis groups and path-controlled movements**
SEM510 – Integrated safety technology*
SEM540 – Safe motion control***
SEM610 – Integrated visualization*
SEM611 – Creating an HMI application with mapp View*

Diagnostics and service
SEM910 – Workshop: Control and I/O system design
SEM920 – Diagnostics and service for end users
SEM920 – Diagnostics and service with Automation Studio
SEM950 – POWERLINK configuration and diagnostics*

If you are unable to find a seminar on our website that suits your needs, we also offer customized seminars. Simply contact your sales representative to make the necessary arrangements:
SEM099 – Individual training day

Please visit our website for more information****:
www.br-automation.com/academy

Overview of training modules

TM210 – Working with Automation Studio
TM213 – Automation Runtime
TM223 – Automation Studio diagnostics
TM230 – Structured software development
TM240 – Ladder Diagram (LD)
TM241 – Function Block Diagram (FBD)
TM242 – Sequential Function Chart (SFC)
TM246 – Structured Text (ST)
TM250 – Memory management and data storage
TM260 – The basics of closed-loop control

TM400 – Introduction to motion control
TM410 – Working with integrated motion control
TM440 – Motion control: Basic functions
TM441 – Motion control: Electronic gears and cams
TM1110 – Integrated motion control (axis groups)
TM1111 – Integrated motion control (path-controlled movements)
TM450 – Motion control concept and configuration
TM460 – Initial commissioning of motors

TM500 – Introduction to Integrated Safety
TM510 – Working with SafeDESIGNER
TM540 – Integrated safe motion control

TM600 – Introduction to visualization
TM610 – Working with integrated visualization
TM611 – Working with mapp View
TM630 – Visualization programming guide
TM640 – Alarm system, trends and diagnostics
TM670 – Advanced Visual Components
TM671 – Creating efficient mapp View HMI applications

TN910 – Controller and I/O system design
TM920 – Diagnostics and service
TM923 – Diagnostics and service with Automation Studio
TM950 – POWERLINK configuration and diagnostics

TM280 – Condition monitoring for vibration measurement
TM480 – The basics of hydraulics
TM481 – Valve-based hydraulic drives
TM482 – Hydraulic servo pump drives
TM490 – Printing machine technology

In addition to the printed version, our training modules are also available on our website for download as electronic documents (login required):

Process control seminars and training modules

Process control standard seminars
SEM841 – Process control training: Basics 1
SEM842 – Process control training: Basics 2
SEM890 – Advanced process control solutions

Process control training modules
TM800 – APROL system concept
TM810 – APROL setup, configuration and recovery
TM811 – APROL Runtime System
TM812 – APROL operator management
TM813 – APROL web portal
TM820 – APROL solutions
TM830 – APROL project engineering
TM835 – APROL ST-SFC configuration
TM840 – APROL parameter management and recipes
TM850 – APROL controller configuration and INA
TM860 – APROL library engineering
TM865 – APROL library guide book
TM870 – APROL Python programming
TM880 – APROL reporting
TM890 – The basics of LINUX

* SEM210 - Basics is a prerequisite for this seminar.


** SEM410 - Integrated motion control is a prerequisite for this seminar.
*** SEM410 - Integrated motion control and SEM510 - Integrated safety technology are prerequisites for this seminar.
****Our seminars are listed in the Academy\Seminars area of the website.
****Seminar titles may vary by country. Not all seminars are available in every country.



V3.0.0.4 ©2017/05/22 by B&R, All rights reserved.
All registered trademarks are the property of their respective owners.
We reserve the right to make technical changes.
