PSS FS System Description 18644-En-12

PSS-Range
Modular and compact PSS
Programmable control systems PSS®
FS System Description – Item No. 18 645-12

All rights to this documentation are reserved by Pilz GmbH & Co. KG. Copies may be made
for internal purposes.
Suggestions and comments for improving this documentation will be gratefully received.
Pilz®, PIT®, PMI®, PNOZ®, Primo®, PSEN®, PSS®, PVIS®, SafetyBUS p®, SafetyEYE®,
SafetyNET p®, the spirit of safety® are registered and protected trademarks of
Pilz GmbH & Co. KG in some countries.
Contents
Introduction 1-1
Definition of symbols 1-2
Overview 2-1
PSS-range 2-1
Failsafe section 2-1
Standard section 2-2
Hardware 2-2
Modular PSS 2-2
Compact PSS 2-3
Configuration and programming 2-4
Safety 3-1
Safety guidelines 3-1
Technical safety requirements 3-1
Overview of categories 3-2
Structure (hardware) 4-1

Compact controller 4-1
Modular safety system 4-1
Power supply 4-2
Battery 4-2
CPU 4-3
Memory 4-4
PG interface 4-7
User interface 4-8
Timer 4-8
32-bit timer 4-9
Counters 4-9
CPU display 4-9
PSS-Range: FS System Description 1

Contents
Selector switch 4-10

Error stack button 4-10
Input/output modules 4-11
Programming 5-1
Programming model 5-1
Creating a project 5-3
Program transfer 5-4
Addressing 5-6
Organisation blocks 5-8
Standard function blocks 5-8
Standard function block SB255 5-9
Operation 6-1
Communication with the periphery 6-1
Direct periphery access 6-1
Periphery access via process images 6-2
Process image of bit modules 6-3
Process image of word modules 6-4
Amending alignment algorithms through the user program 6-8
Reading in read segments on request 6-9
Outputting output segments on request 6-10
Program cycle 6-11
Blocks which are executed once 6-11
Blocks which are executed cyclically 6-12
Defining the scan time and the block run times 6-14
Self-test 6-16
Defining the number of test slices 6-17
Alarm processing 6-18
Inputs with alarm capabilities 6-19
Alarm organisation blocks 6-20
2 PSS-Range: FS System Description

Communication with the ST-section 6-23
User interface in the FS-section 6-26
Configuration of the user interface 6-27
Interface configuration-DB 6-28
Example 6-30
Sending via the user interface 6-31
Send-DB 6-32
Example 6-32
Receiving via the user interface 6-33
Receive-DB 6-33
Example 6-34
CRC calculation 6-35
Test pulses for signals with infrequent operation 6-37
Outputs on the CPU display 6-38
Operating states and changes 6-39
Operating statuses 6-40
Change in operating status 6-41
Commissioning 7-1
Initial commissioning 7-1
Recommissioning 7-2
Changing the configuration or the user program 7-3
Fault diagnostics and rectification 8-1

Error management 8-1
Minor errors 8-2
Major errors 8-3
Fatal errors 8-4
Error stack 8-5
Display of errors as plain text 8-7
Display of errors on the CPU display 8-8
Display on 1st and 2nd generation controllers 8-8
Display on 3rd generation controllers 8-10
Evaluation of the error parameters 8-15
PSS-Range: FS System Description 3

Contents
Diagnostics 8-21
Variable display 8-21
Dynamic program display 8-22
Appendix 9-1
System data blocks 9-1
DB000 9-1
DB001 9-8
DB002 9-9
DB003 9-12
Operating system calls with SB255 9-13
Changes in the documentation 9-14
Index 10-1
4 PSS-Range: FS System Description

Introduction
This System Description forms part of the PSS system manuals. It

explains how the failsafe section of the PSS-range of programmable safety
systems functions and operates. This description is divided into the follow-
ing chapters:
1 Introduction
2 Overview
Provides information about the most important features of a safety
system.
3 Safety
Contains safety guidelines and provides information about the
performance of a risk assessment for an installation or machine.
4 Structure (hardware)
Explains the structure of the hardware and the functions of the
individual system units.
5 Programming
Describes the programming and the addressing for the safety
systems.
6 Operation
Explains the PSS system processes and the changes which can be
made by the operator.
7 Commissioning
Explains the procedure during initial commissioning and after a reset,
e.g. after a fault.
8 Fault diagnostics and rectification
Explains how fault messages are evaluated and how faults can be
rectified.
9 Appendix
Contains the assignment of the system data blocks and an overview
of the operating system calls with SB255.
10 Index
PSS-Range: FS System Description 1-1

Introduction
Definition of symbols
Information in this manual that is of particular importance can be identified

as follows:
DANGER!
This warning must be heeded! It warns of a hazardous situation which
poses an immediate threat of serious injury or death and indicates
preventive measures that can be taken.
WARNING!
This warning must be heeded! It warns of a hazardous situation which
could lead to serious injury or death and indicates preventive measures
that can be taken.
CAUTION!
This refers to a hazard that can lead to a less serious or minor injury plus
material damage, and also provides information on preventive measures
that can be taken.
NOTICE
This describes a situation in which the unit(s) could be damaged and also
provides information on preventive measures that can be taken.
INFORMATION
This gives advice on applications and provides information on special
features, as well as highlighting areas within the text that are of particular
importance.
1-2 PSS-Range: FS System Description

Overview
PSS-range
The PSS-range comprises modular safety systems and compact program-

mable controllers.
The programmable safety systems from the PSS-range are suitable for
use in safety circuits in plants and machinery. The safe status of these
circuits is brought about by shutting down the energy supply.
Each programmable safety system incorporates a failsafe section
(FS section) and a non-failsafe - or standard - section (ST section) into a
single unit.
Control and monitoring Control of

of safety-relevant tasks, Failsafe Standard non-safety-relevant
e.g. press controller, section section tasks with and
EMERGENCY STOP without monitoring,
circuits diagnostics
Fig. 2-1: Functions of the FS section and the ST section
Failsafe section
The failsafe section (FS section) processes all of the safety-related

functions and is designed with multi-channel diversity. Each channel has its
own microprocessor which processes the FS user program. If the micro-
processors are not identical, the controller will immediately switch to a safe
condition and switch off all the outputs.
The FS user program is created and then, once taken into operation,
approved by a body for official approval, such as the BG or TÜV, or by the
company’s internal test/quality control department.
The FS section and the ST section communicate without feedback. This
means that errors in the user program of the ST section will have no effect
on the FS section and vice versa.

Overview
Standard section
The standard section (ST section) processes all non-safety-related tasks

and operates in the same way as a conventional PLC (e.g. P10 from Pilz).
It has a single-channel structure.
A separate ST user program is created for the ST section. It can run
independently of the FS user program.
The FS section and the ST section communicate without feedback.
This means that errors in the ST user program will have no effect on the
FS section and vice versa.
Hardware
Modular PSS
The basic system of a modular safety system comprises a module rack, a

power supply and a CPU. Various periphery modules can be plugged onto
the module rack. Depending on the design of the module rack, both FS
and ST modules can be plugged in.
The FS and ST modules communicate via separate buses (backboard
bus) with the CPU module.
Fig. 2-2: Example of a PSS 3000 layout (from left to right): Power supply, CPU,
4 FS modules and 5 ST modules

Compact PSS
On the PSS, the power supply, CPU and periphery modules are fixed in a
housing.
PSS 3074
24 V 1 24 V 1
· ·
0V X0 0V X7
· ·
3 3
RUN ST
O -2.16 1 O -1.16 1
RUN FS O+2.16 · O+1.16 ·
O 2.8 · O -1.17 ·
POWER · ·
O 2.9 O+1.17
O 2.10 X1 O -1.18 X8
AUTO PG O 2.11 · O+1.18 ·
ST SPS O 2.12 · O 4.0 ·
· ·
PG O 2.13 O 4.1
F-STACK O 2.14 9 O 4.2 9
RUN
FS O -2.17 1 O -1.19 1
STOP O +2.17 · O +1.19 ·
· O -1.20 ·
O 2.15 · ·
O/T 2.0 O +1.20
O/T 2.1 X2 O - 1.21 X9
O/T 2.2 · O +1.21 ·
· O 4.8 ·
O/T 2.3 · ·
O 4.9
9 O 4.10 9
PG USER
0V 1 0V 1 0V 1
I 1.0 · I 0.0 · I 0.16 ·
I 1.1 · I 0.1 · I 0.17 ·
· · ·
I 1.2 I 0.2 I 0.18
I 1.3 X5 I 0.3 X3 I 0.19 X10
I 1.4 · I 0.4 · I 0.20 ·
I 1.5 · I 0.5 · I 0.21 ·
· · ·
I 1.6 I 0.6 I 0.22
I 1.7 9 I 0.7 9 I 0.23 9
0V 1 0V 1 0V 1
I 1.8 · I 0.8 · I 0.24 ·
I 1.9 · I 0.9 · I 0.25 ·
· · ·
I 3.0 I 0.10 I 0.26
I 3.1 X6 I 0.11 X4 I 0.27 X11
I 3.2 · I 0.12 · I 0.28 ·
I 3.3 · I 0.13 · I 0.29 ·
· · ·
I 3.4 I 0.14 I 0.30
I 3.5 9 I 0.15 9 I 0.31 9
Fig. 2-3: PSS 3074 with power supply, CPU and periphery (example)

Overview
Configuration and programming
A PSS-range safety system needs to be configured and programmed for

operation. The data are combined into a so-called project. This project is
created and maintained using the system software PSS WIN-PRO.
The computer on which the PSS WIN-PRO system software is installed is
referred to as the programming device.
Programming can be performed in three different programming languages:

the text-oriented programming language Instruction List (IL), plus the
graphical programming languages Function Block Diagram (FBD) and
Ladder Diagram (LD).

Safety
Safety guidelines
Refer to the safety guidelines in the operating manual for the safety system
used and to the "Safety Manual" of the PSS-range. The "Safety Manual"
also includes check lists designed to help you with the safety-related plan-
ning, construction and operation of a plant.
Technical safety requirements
Each machine and plant must undergo a risk assessment by the manufac-
turer or operator in accordance with EN 1050. The aim is to reduce the risk
to below a justifiable risk limit by carrying out a series of relevant meas-
ures. These measures are classified as follows:
• Measurement and control protection devices
These prevent personal injury as a priority, plus major damage to plant,
machinery or product.
• Non measurement and control protection measures
These are measures such as closing off dangerous areas, putting up
warning signs or covering moving parts. If such measures are taken and
the risk is still above the justifiable risk limit, measurement and control
protection measures must be taken.
EN 954-1 offers another option for risk assessment.

The focus of this legislation is to categorise the technical safety require-
ments of control systems into five technically meaningful categories, re-
gardless of the area of technology. These categories include both simple
and more complex requirements, such as single fault tolerance, redun-
dancy, diversity and/or self-monitoring.
The following pages give a summary of some of the sections from the
standard.

Safety
Overview of categories
Category Requirement Risk evaluation Safety

B The safety-related ports and components A fault can lead to the Through the
of the control system and their safety loss of the safety function. selection of
devices must be selected in accordance components
with the standards, and they must be
able to withstand the anticipated
environmental conditions.
1 In addition to category B: As category B, but with
Only components and principles whose higher reliability of the
safety function is guaranteed shall be safety function.
used.
2 In addition to category B and 1: A fault can lead to the loss Through the
Safety functions shall be checked by of the safety function structure
the controller at suitable intervals. between checks. The loss
of the safety function will
be detected through the
checks.
3 In addition to category B and 1: The safety function is
Controllers must be designed in such a always maintained if one
way that: single fault occurs.
- a single fault does not lead to the loss Some, but not all, faults
of the safety function (single fault are detected.
tolerance) and An accumulation of
- a single fault will be detected using undetected faults can
suitable methods (in accordance with lead to the loss of the
the latest technology). safety function.
4 In addition to category B and 1: Safety functions are
Controllers shall be designed in such maintained if one single
a way that: fault occurs.
- a single fault in the control system Faults are detected in
does not lead to the loss of the safety time to prevent the loss
function (single fault tolerance), and of the safety function.
- a single fault will be detected during or
prior to the next demand on the safety
function or, if that is not possible, an
accumulation of faults should not lead
to the loss of the safety function.
Please refer to EN 954-1 for the detailed text.

These criteria must always be applied to the whole of a plant’s control
section and not just to its component parts. A component part cannot itself
meet categories 3 and 4, but if correctly applied in conjunction with other
components, category 3 and 4 can be achieved.
The following table shows the category into which individual product
groups should be classified:
Category Product groups

B 1 2 3 4
X X Electrosensitive protective equipment
X X X X X Electrical equipment according to EN 60 204
X X X Interlocking devices
X X X Two-hand control devices
X X X X X Safety mats
X X X Emergency stop equipment
The fact that a category is technically possible does not necessarily mean
that it is permitted for a particular application.
Example: only categories 2 and 4 are permitted for electrosensitive protec-
tion equipment (e.g. light barriers).
Risk assessments must be carried out individually for each application.

The diagram below should help (refer to EN 954-1):

Safety
Category
B 1 2 3 4
S1
Starting point
for the risk P1
assessment
F1
P2
S2
P1
F2
P2
Component Redundancy and/or

reliability self-monitoring
S Severity of potential injury

S1 Slight (normally reversible) injury
S2 Serious irreversible injury of one person or death
F Frequency of occurrence of hazardous situations

F1 Seldom to quite often
F2 Frequent to continuous
P Possibility of avoiding the hazard

(generally these relate to the speed and frequency with which the
hazardous part moves and the distance from the hazardous part)
P1 Possible under specific conditions
P2 Scarcely possible
B, 1-4 Categories for safety-related parts of control systems

Preferred category for reference points
Possible categories which can require additional measures
Measures which can be over-dimensioned for the relevant risk
Fig. 3-1: Risk evaluation

Example:
Cyclically operated safety gates on a lathe.
A CNC or PLC-driven lathe is fed manually with a work-piece into the
chuck, the operation is started up and, once the machining process is
complete, the work-piece is removed again by hand.
Fig. 3-2: Lathe
If no safety devices are in place there is an extremely high risk of an acci-

dent, as careless mistakes can occur during repetitive and monotonous
tasks.
Risk assessment:
S2: As the work-piece is inserted manually, severe and irreversible
injuries can be caused by the rotating part of the lathe.
F2: As the work-piece is manually inserted into the hazardous areas
after each cycle, the hazard occurs frequently.
P2: Scarcely possible to avoid, as the work procedure is routine.

Safety
Category
B 1 2 3 4
S1
Starting point
for the risk P1
assessment
F1
P2
S2
P1
F2
P2
Fig. 3-3: Classification of categories
The risk assessment results in category 4.

Category 4 can be achieved with a fixed guard, which is not suitable in this
case as access is required every cycle. A sliding or hinged guard, prefer-
ably with position monitoring and ideally with a guard locking, would be the
most suitable safety measure in this case, for example a monitored safety
gate.

Structure (hardware)
Compact controller
A compact controller combines the following units in a single housing:

• Bus
• CPU (1)
• Power supply (2)
• Input and output modules (3)
1
2
3
Fig. 4-1: Layout of a compact controller using the PSS 3056 system as an example
Modular safety system
The modular safety systems are composed of the following units:

• Module rack (1)
• Power supply (2)
• CPU (3)
• Central input and output modules for the FS section (4) and ST section (5)
2 3 4 5
Fig. 4-2: Layout of a modular safety system using the PSS 3000 system as an example

The base unit consists of a base module rack, power supply and CPU.
Input and output modules are required to input and output data.
There are different base module racks. On some base module racks you
can use only FS modules or only ST modules, whereas on other base
module racks you can use a combination of both FS and ST modules.
Two additional expansion module racks for ST modules can be connected

to a series PSS 3000 base module rack. This provides an additional 16 slots
for ST modules.
The expansion module racks are connected via expansion modules. The
expansion module for the base module rack is called PSS EPBM, the one
for the expansion module rack PSS EPEM.
For accurate information about the module racks please refer to the
"Installation Manual" of the modular safety system and the descriptions of
the module racks.
Power supply
The power supply provides the internal supply voltage to the CPU and bus.
Power supplies are available for different supply voltages, e.g. 230 V AC
and 24 V DC.
The power supply on modular safety systems must always occupy the first
slot on the rack.
Battery
The battery acts as a buffer for the CPU memories.

On modular programmable control systems, the battery is located within
the power supply. If the CPU or power supply is removed from the module
rack, the data will be retained in the memory for one day.
On PSS with an FS operating system version >= 70, the unit can also be
operated without a battery. Operation without a battery results in the
following restrictions:
• FS section: Remanant data blocks cannot be used.
• ST section: A general reset is performed each time the section switches
from STOP-RUN.

• Each time the PSS is restarted (voltage switched off and then on again),
the system time is reset to zero.
A setting must be configured to determine whether the unit is to be
operated with or without a battery; this is done under the “Basic Settings”
tab in PSS WIN-PRO’s PSS Configurator. If the “Operate PSS without
battery” option is selected, the unit will operate without a battery,
irrespective of whether or not a battery is available.
CPU
The CPU is the safety system’s central processing unit. It controls the
input and output modules, and processes and stores the FS and ST user
program. The CPU has different operating elements and interfaces, e.g.:
• 4-digit display
• LEDs for operating mode and mains voltage
• 3-position switch for selecting the operating mode of the ST section
(ST selector switch)
• Button for scrolling through the error stack
• 2-position switch for selecting the operating mode of the FS section
(FS selector switch)
• Serial programming device interface or Ethernet-2 interface
• User interface
In the CPU, the FS user program is processed by independent micropro-

cessors. Each microprocessor has its own bus system for communicating
with the inputs/outputs on the central I/O modules.
The microprocessors monitor one another in order to achieve the high
safety level that is required:
• Input signals are compared. The user program will only be processed if
the signals match without discrepancies. If there are discrepancies in the
comparison, then the safety system switches to a safe condition.
• Output signals are only emitted if all of the microprocessors have calcu-
lated the same values. If there are discrepancies in the comparison, then
the safety system switches to a safe condition.
The different processing times of the processors need synchronising when

reading in and outputting data. The operating system carries out this syn-
chronisation automatically.

Memory
The CPU makes available the following memories for the FS section:
• Program memory
• Data memory
• Dual port RAM
Some memories are non-volatile. Non-volatile means that data is retained

in the event of a power failure.
Program memory
One memory is present for each microprocessor. It serves as a memory
for the user program. Depending on which operations are used in the user
program and how many data blocks are used, the program memory can
store between 4,000 and 5,000 operations. Third generation systems can
have up to 10,000 operations. The program memory is checked by CRC
and is non-volatile.
Data memory
Variable data such as set data, error messages and system data are
stored in the data memory. The size of the data memory will depend on the
safety system used.
The data memory is divided into data blocks which each have a maximum
of 1024 memory cells. Each memory cell has a length of 16 bits and is
called a data word (DW). Bit 0 ... 7 of the data word is referred to as the
right data byte (DR) and bit 8 ... 15 as the left data byte (DL).
There are three types of data blocks:

• Read-only data blocks
can only be read by the user program, data is non-volatile
• Read/write data blocks
can both be read and written to, data is non-retentive
• Remanent data blocks
can be both read and written to; data is non-volatile (exception: power
failure during write access)
Remanent data blocks are supported from FS operating system version
65 and PSS WIN-PRO Version 1.8.0. They can only be used if the PSS
contains a battery.

The data memory is divided in a similar manner:
• Read-only data memory
It is stored in the program memory and contains the read only data
blocks
• Read/write data memory
Contains the read/write data blocks. This part of the memory is not non-
volatile. In order to ensure that the behaviour of the safety system on
startup always remains the same, a copy of each read/write data block is
saved in the program memory with the values entered during program-
ming. This copy is used to automatically pre-assign the read/write data
blocks at the start of the FS user program.
INFORMATION
The values of the copy of the read/write data block are also used if the
FS section has changed to the STOP condition on account of an error and
is then restarted.
• Remanent data memory (from FS operating system version 65 and only if
the PSS contains a battery)
contains the remanent data blocks.
In contrast to the data in the read/write DBs, data in the remanent DBs is
retained when the FS user program is started; it is only reset in certain
circumstances. Remanent DBs can be used, for example, if the user
program is to establish certain values during commissioning and, after
commissioning, these values are to be used each time the PSS is
started.
Values are pre-assigned to the remanent data blocks during
programming. The system operates with these values once the user
program has been downloaded to the programmable safety and control
system; the values can also be overwritten by the user program. If the
user program is stopped and restarted, it continues working with the
amended values.
To ensure that the remanent data blocks can be restored to their original
status, a copy is made of every remanent data block as soon as the user
program is downloaded to the programmable safety and control system.
After a reset, the values from this copy are pre-assigned to the remanent
data blocks.
The reset can be triggered manually by selecting „Reset remanent DBs“
from the „PSS“ menu in PSS WIN-PRO or by setting the FS selector
switch from STOP to RUN with the error stack button pressed. After a
manual reset, message F-20, error number 31 is displayed and flag
M113.08 is set.

A reset is performed automatically if an error is detected within the

remanent data blocks as the FS section switches from STOP to RUN.
Potential error sources:
- Power failure or power switched off
- Supply interruptions
- Scan time exceeded (error F-0C)
If the error occurs at the precise moment in which the user program is
writing data to the remanent DBs, the remanent DBs will be reset the
next time the programmable safety and control system is started. If the
error occurs after the data has been written, the data will be retained.
However it is important to note that processing of the user program will
Block Entry Output Key

SB255 FUNK = 50 Confirm reset of remanent DBs
ERG = 4 Function performed without error
ERG = 16 Error calling up SB255,
FUNK = 50 (M113.08 was already
reset)
be aborted at any point in the cycle. If there are any remaining write
operations to remanent blocks programmed between this point and the
end of the cycle, these will not be carried out. The data in the remanent
DBs will not have the status that it would have had at the end of the
cycle.
After an automatic reset, message F-20, error number 32 is displayed
and flag M113.08 is set.
You can react to the reset in the user program by polling the flag, e.g. in
the start-up organisation block (OB120), and programming the desired
reaction.
Flag M113.08 remains set until it is reset using SB255, FUNK = 50.
Provided the flag is set, the remanent DBs will be reset each time the
PSS is cold/warm started. The flag is non-volatile.
For information on the application of SB255 please refer to the section
“Standard function block SB255” in chapter "Programming".
If a new user program is downloaded into the programmable safety and

control system and this program contains the same remanent data
blocks as the previous user program (quantity of DBs, DB numbers and
length of DBs must be identical, content may vary), the current values on
the old DBs are not automatically overwritten. A prompt will appear in

PSS WIN-PRO, asking whether the values are to be overwritten. If the
values are not overwritten, the programmable safety and control system
will start up with the old values when it is cold/warm started.
If the remanent DBs on the new user program are not identical to those
on the old program, the remanent data blocks on the programmable
safety and control system must be reset before downloading. PSS WIN-
PRO performs the reset after approval from the user.
If the user program is stopped via the „Stop program“ operation or a

programming error occurs (error F-21 to F-28), processing of the user
program will be aborted within the cycle and the PSS will switch to a
STOP condition. If there are any remaining write operations to remanent
blocks programmed between this point and the end of the cycle, these
will not be carried out. The data in the remanent DBs will not have the
status that it would have had at the end of the cycle.
Dual port RAM

The dual port RAMs (DPR) are used for communication between the
microprocessors. They save the data during the comparison.
PG interface
The communications between the programming device (PG) and the

safety system take place via a PG interface.
• Serial PG interface
Each safety system has a serial PG interface.
Depending on the type of safety system being used, the PG interface is
designed either as an RS-485 or as a combined RS-232/RS-485 inter-
face.
Depending on the design of the PG interface on the safety system, it may
be necessary to use a PAP interface adapter to connect the programming
device with the safety system (see chapter 5, "Program transfer").
• Ethernet-2 interface as PG interface
If a safety system has an ETH-2 interface, then this interface can also be
used as the PG interface (see operating manual of the compact safety
system or the module with Ethernet-2 interface).

User interface
The user interface can be used for communication between the safety
system and other devices (refer also to the chapter "Operation", section
"User interface FS section").
Depending on the type of safety system, the user interface is designed

either as an RS-232 or as a combined RS-232/RS-485 interface. The
following data are defined in the default setting:
• Transmission rate: 9600 bit/s
• Parity: Even
• Stop bit: 1
• Data bit: 8
• Handshaking: On
The user interface is operated with the standard function block SB255,
FUNK = 200 ... 211 (see chapter 6).
Timer
The FS section is equipped with 64 timers: T064 ... T127.

The timers are used to create switch-on delays
The switch-on delay arises as follows:
Time = Time value x Time base
Time value: Any value in the range 1 ... 32767
Time base: 0 corresponds to 50 ms

1 corresponds to 100 ms
2 corresponds to 1 s
3 corresponds to 10 s
4 corresponds to 1 min
Example: Time should be 8 s

Time base: 2, time value: 8
Time = 1 s x 8 = 8 s

32-bit timer
Safety systems with an FS operating system version ≥ 19 have a

32-bit timer.
The timer is a consecutive timer, on which the bit changes at 1 ms intervals.
The timer has a data width of 32 bits.
The current timer status at the time of the call is returned for every operating
system call SB255, FUNK = 151.
Block Input Output Key

SB255 FUNK = 151 Poll 32-bit timer
ERG = 16 Error during call of the SB255,
FUNK = 151
DB001 DW200 Low-order word of timer status
DW201 Higher-order word of timer status
For information on application of the SB255 please refer to the section

"Standard function block SB255" in chapter "Programming".
Counters
The FS section has over 64 counters: Z064 ... Z127.

Each counter consists of a counter word and a status bit. The counter word
can assume values between -32768 and 32767. If the value of the counter
word is > 0, then the status bit assumes the value 1.
CPU display
The 4-digit hexadecimal display is used to output error messages (see

chapter 8) or user messages (see chapter 6, section "Output on the CPU
display").

Selector switch
The programmable safety system is equipped with two selector switches:

• ST selector switch
3-position selector switch for the standard section (see ST System
Description)
• FS selector switch
2-position selector switch for the failsafe section
The FS selector switch has the following functions:

• It defines the start-up procedure during a voltage return
RUN
FS Program starts up automatically
STOP
RUN
FS Program stopped
STOP
• The FS user program can be started and stopped by operating the FS

selector switch
RUN Start program

FS
STOP
RUN
FS Stop program
STOP
Error stack button
Error messages are saved in an error stack. The current error message
is always displayed on the CPU display. To display the previous error
message, press the error stack button (see chapter 8, section "Display of
errors on the CPU display").

Input/output modules
There are a variety of central and decentralised input/output modules

available for communication between the safety system and the plant or
machine. On compact controls the central input/output modules are inte-
grated in the housing. On modular controls the central input/output mod-
ules are located next to the CPU on the module rack. The term 'decentral-
ised input/output modules' is used to describe the modules which are
connected via the SafetyBUS p to the safety system.
The modules are tested in order to allow them to be used in safety-related

installations. The following tests are carried out for example on the central
modules:
• Output module
The cyclic switch-off test of the switched-on outputs detects short circuits
and open circuits in the wiring.
• Input module
After the optocouplers the inputs are designed to be multi-channel. A
digital test checks the digital part of the module. On some modules the
optocoupler is also tested.
• When the input devices are connected to test pulse outputs, the system
tests for
- Short circuit in the wiring
- Open circuit in the wiring and
- Tests of the input filter and optocouplers
WARNING
When wiring the safety system, the instructions given in the "Operating
Manuals" of the modules used or in the "Operating Manual" of the compact
safety system used must be observed at all times! If wired incorrectly,
subsequent faults in the cycle of the plant (machine) could arise, possibly
resulting in severe injury or even death.

Notes

Programming
Programming model
It is necessary to create a so-called "project" in order to operate a

PSS-range programmable safety system. All the necessary files are
combined within this project. The project is created and maintained using
PSS WIN-PRO.
SafetyBUS p configuration
Project
Diagnostic configuration
PSS configuration
FS project ST project
section section
FS program ST program
PSS configuration PSS configuration

DB (FS) DB (ST)
SBp
configuration DB
OBs OBs
DBs DBs
PBs PBs
FBs FBs
SBs SBs
FS allocation table ST allocation table
Fig. 5-1: Programming model

Programming
The project consists of the PSS configuration, the diagnostic configuration

and one project section each for the safety system’s FS and ST section.
If only one section of the PSS is being used, only the corresponding
project section will be processed. The other project section is available, but
remains unchanged.
The project section includes the actual program that is transmitted to the
PSS plus the allocation table.
Symbols can be assigned to the operands in the allocation table, for exam-
ple the symbol "START" to the operand "E02.08".
For the sake of clarity, the program is divided into blocks. There are five
different types of blocks:
• Organisation blocks (OB), which form the interface between the user
program and the operating system
• Program blocks (PB), which contain fundamental and plant-specific
functions
• Function blocks (FB), which are made up of functions for specific indi-
vidual tasks
• Standard function blocks (SB), which carry out standardised functions
• Data blocks (DB), which contain fixed or variable data
The PSS configuration contains all key settings for the safety system:
• Basic settings (e.g. PSS type, scan time, ...)
• Registered hardware
• Test pulse configuration
• Alarm configuration for PSS and SafetyBUS p
• Configuration of word modules
• Definition of password for the FS section
The PSS configuration is generated using the PSS configurator on

PSS WIN-PRO. The data is stored in system data blocks.

PSS WIN-PRO (from Version 1.3.1) can be used to create a diagnostic
configuration for a PSS with an FS operating system version ≥ 47. This
diagnostic configuration enables detailed PSS event messages.
If the PSS is to be connected to a SafetyBUS p network, a SafetyBUS p

configuration will have to be generated for this network. This will contain
information on the structure of the network and all the connected devices.
The data for the SafetyBUS p configuration is stored in the projects of all
the programmable safety systems connected to SafetyBUS p.
The SafetyBUS p configuration is generated using the SafetyBUS p
configurator on PSS WIN-PRO.
Creating a project
Steps to take to create a project:

• Create project
• Create PSS Configuration
The following steps are identical for the FS and ST project sections. They
must be performed for both project sections.
• Create an allocation table
• Program the blocks
• Link the program
After the project has been created the FS program and the ST program
need to be linked. The programming is checked in the process.
If any errors are found, these will need to be rectified and the linking
process performed again. The program cannot be transferred to the
programmable safety system until it has been linked without error.
• Transfer the program
See next section
INFORMATION
Creating projects is covered in detail in the online help of PSS WIN-PRO.

Programming
Program transfer
PSS
Ethernet
COM Interface adapter

ETH-2 RS 232 RS 485
(e.g. PAP
PSS CONV RS 232/485)
RS 485
RS 232
RS 232
Ethernet
Fig. 5-2: Program transfer via the serial PG interface
The linked program is transferred to the safety system by activating a

menu item in the system software (PG). To do this the programming device
must be connected to the safety system.
The connection can be established via the serial PG interface of the

safety system or, if available, via the ETH-2 interface. If the connection
is established via the serial PG interface, then, depending on its design
(RS-485 interface or combined RS-232/RS-485 interface), you may require
an additional PAP interface adapter. To set up the connection via an
ETH-2 interface, please refer to the operating manual of the compact
safety system or the module with Ethernet-2 interface.
The FS user program is transferred block by block to the safety system.

The transfer starts with a so-called preliminary telegram which contains
the name of the project. The first block is transferred once an error-free
response to the telegram has been received from the safety system. The
microprocessors in the CPU module compare the block and each form a
check sum before sending a reply to the system software. If the micropro-

cessors calculate different results, then an error message is sent. If they
are all the same, this shows the transfer data was successful. The remain-
ing blocks are processed in a similar fashion until the whole program is
transferred.
This process ensures a high level of security and reliability.
To prevent manipulations, the program must be linked before it is trans-
ferred, and it can only be read out in its linked form from the safety system.
Amendments can only be made to the original program, not the linked
version.

Programming
Addressing
The address of a central module results from its slot. Each slot is then
divided further into two sub-slots.
With the modular safety systems, the first sub-slot usually corresponds to
the first two plugs and the second sub-slot to the 3rd and 4th plugs on the
module.
PSS 3000
PSS 3100
0 2 4 6 8 10 12 14 10
16 Sub-slots
PS CPU 1 3 5 7 9 11 13 15 17 Sub-slots
0 1 2 3 4 5 6 7 8 Slots
Fig. 5-3: Addressing of slots using the PSS 3000 and PSS 3100 as examples
The way in which the slots and sub-slots are arranged on compact safety
systems varies from system to system. Details for each case can be found
in the operating manual of the relevant compact controller.
Each slot is allocated a slot number. The digital inputs and outputs are
addressed through the slot number and a bit number. The two entries are
separated by a full stop.
On modular systems the first two slots are always occupied by the power
supply and the CPU. Subsequent numbering starts from 0.
Example: Bit 8 of the module in slot 3 is to be addressed.
Address: 3.8

Modules which have more than 32 bits are called word modules. Each
word module can have a maximum of 8 words. The slot at which the word
module is connected defines the address of the word.
Example: The first word of the word module in slot 2 is to be addressed.
Address: XW16
PSS 3000
PSS 3100
0 8 16 24 32 40 48 56 10
64
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
PS CPU 7 15 23 31 39 47 55 63 71
0 1 2 3 4 5 6 7 8 Slot
Fig. 5-4: Addressing of words in word modules

Programming
Organisation blocks
The functions of the organisation blocks (OB) are set by the operating
system. Each user program must contain organisation block OB 101,
which among other things, manages the program cycle. The blocks of the
user program are called up in the cycle OB. All other organisation blocks
are reserved for specific applications, but they do not necessarily have to
be used.
INFORMATION
The "PSS WIN-PRO Programming Manual" contains information about
which organisation blocks there are and what their functions are.
Standard function blocks
Standard function blocks (SB) contain the standard functions which are
shared by several machines or plants. Standard function blocks are divided
into two groups:
• Available SBs
SB002 ... 199 are freely available. They can be used for any functions.
Exception: SB003, SB007, SB011, SB015 and SB041 are reserved.
• Pre-defined/reserved SBs
SB001, SB003, SB007, SB011, SB015, SB041, SB200 ... SB255 are
pre-defined and are supplied by Pilz.
The pre-defined standard function blocks are tested and approved by

the relevant approval bodies (e.g. BG, TÜV). To prevent any changes from
being made at a later date they are encrypted to level 2, which means that
although they can be called up they cannot be edited. The dynamic pro-
gram display of these modules in PSS WIN-PRO’s online mode is also
unavailable.
The pre-defined standard function blocks are described in detail in the
"PSS WIN-PRO Programming Manual".

Standard function block SB255
The standard function block SB255 is used for communications between

the failsafe section and the operating system. It is used for the so-called
operating system calls.
The standard function block can be called via the operation "CAL" or
"CALC" in the user program. It has the following layout:
SB255
CallFsBs
W FUNK ERG W
The function of the block is defined by the input parameter "FUNK".

Depending on the function, additional parameters may be required. These
are specified in data block DB003. The output parameter "ERG" reports
whether the function has been executed correctly. In the event of an error
message the data block DB001 will contain the error cause.
Proceed as follows to use the standard function block:

• Specify the parameters in DB003.
• Call up SB255
• At the input parameter "FUNK", enter the number of the function.
• Allocate an operand to the output parameter "ERG", e.g. a flag word.
• Poll the content of the flag word. If it contains the code for an error
message, call data block DB001. DB001 will contain the reason for the
error.
INFORMATION
Some of the functions of the SB255 are described in this System Descrip-
tion (refer to the overview in the Appendix). There are also further functions
for special applications (e.g. SafetyBUS p). These are described in the
corresponding manuals and operating manuals.

Programming
Notes

Operation
Communication with the periphery
The CPU can communicate in two ways with the periphery:

• direct periphery access
• periphery access via process images
Direct periphery access
The process of reading the signal states of the inputs or setting the outputs
can be triggered with special operations in the user program. Access to the
inputs/outputs is performed immediately, irrespective of the cycle.
With direct periphery access, the operands will be called either "Periphery
word PW" or "Periphery word PB". "Load" or "Store" are available as
operations.
The direct access has the advantage that signals shorter than the scan
time can also be processed. The user program can scan the inputs and
outputs several times during the program cycle and always receives the
current status.
Direct periphery access is only available for bit modules. However, with
word modules the read-in/output point can be determined with the aid of
the operating system calls SB255, FUNK = 29 or FUNK = 25.
INFORMATION
• In order for a status of an input which has been read directly to be trans-
ferred to the process image, the "Save" operation of the input byte/word
must be executed after the "Load" operation of the periphery byte/word.
Example:
L PB2.08
T EB2.08
• If direct access is made to an output (example: T PB2.08), then the
process image is automatically updated.

Operation
Periphery access via process images
Communication usually takes place via the process images.

In the FS section there is a process image for bit modules and a process
image for word modules. In both process images there is an area in which
the states of the inputs are saved and an area in which the states of the
outputs are saved:
• Process image for bit modules
- Memory area for the input states: PII
- Memory area for the output states: PIO
• Process image for word modules
- Memory area for the input states: XW-PII
- Memory area for the output states: XW-PIO
Access to the process images is via operations such as "Load" or

"Transfer". The operands are called for example "E", "AB" and "XW".
The advantage of communicating with the periphery via process images

is that the states of the inputs and outputs remain unchanged during a
program cycle. In addition, the access time to the process image is less
than the time taken for direct access.
The sections "Process image of bit modules" and "Process image

of word modules" describe how the communication takes place via the
process images.

Process image of bit modules
At the start of a program cycle each microprocessor in the CPU reads in

the states of the inputs. The read-in results of the microprocessors are
compared. If there are any discrepancies, then a new read-in attempt is
started. The results of the new read-in process are compared again.
Start of cycle Read in the inputs
Max. no.
Alignment No of PII read No
successful? attempts
Yes exceeded?
Yes
Save PII
STOP condition
Process user
program
Alignment No
End of cycle STOP condition
successful?
Yes
Output PIO
Fig. 6-1: Communication via the process images PII and PIO
The number of PII read attempts is defined in the PSS configurator of the
system software (PG). A maximum of 50 attempts can be started. Each
attempt lasts approximately 0.2 ms.
If the read-in results are not identical after the specified maximum number
of attempts, then the FS section changes to the safe condition (STOP).
If a read-in attempt is successful, then the read-in result is saved in the
process image of the inputs (PII). Afterwards the user program is called

Operation
and run with the values in the process image of the inputs.
The process image of the outputs (PIO) is created while the user program
is running. Each microprocessor of the CPU calculates its own process
image for the outputs. At the end of the program cycle the calculated
process images for the outputs are compared. If they are identical, then
the process image for the outputs (PIO) is output on the outputs of the
modules.
If the comparison yields an error, then the FS section changes to the safe
condition (STOP).
Process image of word modules
Each word module in the FS section has a maximum of 8 words. If data are
read into these words (e.g. analog input signals, counter states), then they
are referred to as 'read segments'. If the words are used to output data
(e.g. analog output signals), then they are referred to as 'output segments'.
Reading in the read segments

In the PSS configurator of the system software (PG) you can define for
each read segment whether it should be read in at the start of each
program cycle or only after the operating system call SB255, FUNK = 25
(see below).
At the defined point each microprocessor of the CPU reads in the value of
the read segment. On account of the differing microprocessor speeds and
temperature differences, the read values are usually not identical.
The maximum permissible difference in the read values (tolerance) can be

defined in the PSS configurator of the system software (PG) for each read
segment.
INFORMATION
Choose a small value for the tolerance if the read values display only a
small variation with time, and a correspondingly larger tolerance if the
variation is greater.

Start of cycle Read in the read
or SB255, segment
FUNK = 25
Tolerance Yes
STOP condition
exceeded?
Nein
Alignment No STOP condition

successful?
Yes
Save XW-PII
Process
user program
End of cycle Alignment No

or SB255, STOP condition
successful?
FUNK = 29
Yes
Output XW-PIO
Fig. 6-2: Communication via the process images XW-PII and XW-PIO

Operation
If the tolerance of the read values is exceeded, then the FS section will
change to a safe status (STOP).
If the difference between the values is within the tolerance, then the values
are aligned, and the aligned value is saved in the process image of the
inputs (XW-PII).
The alignment algorithm (also referred to as the 'match algorithm') used
here is defined in the PSS configurator of the system software (PG) or
determined with the operating system call SB255, FUNK = 21 (see below).
Possible alignment algorithms:

• Equal
Compare: The values read in must be identical. If they are not identical,
the PSS will switch to a STOP condition.
• Min
Minimum value without sign: The aligned value will correspond to the
lowest value read in.
• Av
Average value without sign: The aligned value will correspond to the
arithmetic mean of the values read in.
• Max
Maximum value without sign: The aligned value will correspond to the
highest value read in.
• +/- Min
Minimum value with sign: The aligned value will correspond to the lowest
value read in, signs are taken into account.
• +/- Av
Average value with sign: The aligned value will correspond to the arith-
metic mean of the values read in, signs are taken into account.
• +/- Max
Maximum value with sign: The aligned value will correspond to the
highest value read in, signs are taken into account.
After a successful alignment the aligned value is saved in the process

image of the inputs (XW-PII). These values can then be used in the user
program.

Output of the output segments
The process image of the outputs (XW-PIO) is created while the user
program is running. Each microprocessor of the CPU calculates its own
process image for the outputs.
If the value of an output segment is to be output on an output, then the
calculated process images for the outputs are compared. If they are identi-
cal, then the value of the output segment is output on the output.
If the comparison yields an error, then the FS section changes to the safe
condition (STOP).
In the PSS configurator of the system software (PG) you can define for
each output segment whether it should be output at the end of each
program cycle or only after the operating system call SB255, FUNK = 29
(see below).

Operation
Amending alignment algorithms through the user program
The alignment algorithm defined for a read segment in the PSS configurator
of the system software (PG) can be amended in the user program if
required. This is done with the operating system call SB255, FUNK = 21.
The amendment can also be performed for several read segments at the
same time.

SB255 FUNK = 21 Amending alignment (match)
algorithms for read segments
ERG ≠ 1 Faulty call of SB255,
FUNK = 21. FS section changes to
STOP condition.
DB003 DW200 = 0 ... 8 Slot number of the word module
DW201 = 0 ... 7 Segment number of the first read
segment of which the alignment
algorithm is to be amended
DW202 = 0 ... 6 New alignment algorithm
0: Comparison
1: Minimum value without sign
2: Arithmetic average value
without sign
3: Maximum value without sign
4: Minimum value with sign
5: Arithmetic average value
with sign
6: Maximum value with sign
DW203 Segment number of the next read
segment of which the alignment
algorithm is to be amended
DW204 New alignment algorithm
... ...
DW215 If this action is to be performed for
DW216 fewer than 8 segments, then the
end of the list needs to be marked
by entering the value FFFF instead
of the segment number.

Reading in read segments on request
With the operating system call SB255, FUNK = 25 you can read in the
read segments of a word module at any point in the user program.
The standard function block accesses the data block DB003, which
contains the read segments which are to be read in.
INFORMATION
The system will only read in the read segments indicated in DB003.

SB255 FUNK = 25 Reading in read segments
FUNK = 25. FS section changes
to STOP condition.
DW201 = 0 ... 7 Segment number of the first read
segment which is to be read in
DW202 = 0 ... 7 Segment number of the next read
segment which is to be read in
... ...
DW209 = 0 ... 7 If this action is to be performed for
fewer than 8 segments, then the

Operation
Outputting output segments on request
With the operating system call SB255, FUNK = 29 you can output the
output segments of a word module at any point in the user program.
The standard function block accesses the data block DB003, which con-
tains the output segments which are to be output.
INFORMATION
The system will only output the output segments indicated in DB003.

SB255 FUNK = 29 Outputting output segments
to STOP condition.
DW201 = 0 ... 7 Segment number of the first output
segment which is to be output
DW202 = 0 ... 7 Segment number of the next output
segment which is to be output
... ...
DW209 = 0 ... 7 If this action is to be performed for
fewer than 8 segments, then the

Program cycle
Before the safety system starts with the cyclic processing of the FS and
ST user program, a reset block and a start-up block are executed once.
The time required by the safety system to process the FS and ST user
program once is referred to as the scan time.
The FS and ST user programs are processed independently of each
other, i.e. if for example the FS-section is in the STOP condition, then only
the ST user program is processed.
PSS STOP-RUN
on transition
RESET STOP Start-up Cycle
FS-PII FS block run time ST-PII ST block run time FS and Test Waiting
ST PIO slices period
Fig. 6-3: Program cycle
Blocks which are executed once
RESET block
The RESET block is run through once when the safety system is switched
on. During this time the CPU display shows "❚ ❚ ❚ ❚".
In the reset block the safety system performs a self-test of the hardware
and software. After completion of the test the microprocessors are initial-
ised and synchronised. The safety system is then in the STOP condition
and the display shows "0000".
Duration: approximately 30 s, on 3rd generation PSS: 10 s
STOP-RUN transition
Depending on the setting of the FS selector switch, the FS section
will either switch automatically to RUN, or it will wait to do this until the
FS selector switch is operated. The same is true for the ST section.
Start-up block
As soon as the FS section changes to RUN the start-up block is executed
for it. The same is true for the ST section.

Operation
The start-up blocks for the FS section and the ST section can be executed
at the same time. If either section is still in the STOP condition, then only
the start-up for the other section is executed. The start-up of the other
section is integrated into the cycle later on.
FS start-up: The system checks the FS user program and the structure of
the internal administration tables. Afterwards the configuration test is car-
ried out, the modules are tested and the start-up OB is called.
ST start-up: The system checks the ST user program and the structure
of the internal administration tables. Afterwards the configuration test is
performed (only if the option "Configuration test" is selected in the
PSS configurator of the system software), the modules are tested and the
start-up OB or the general reset OB is called.
Combined duration of FS and ST start-up: approx. 2 s
Blocks which are executed cyclically
FS-PII (read block for PII and XW-PII of the FS section)

The process of reading in the process image for the inputs and process
image for the read segments of the FS section is described in detail in the
section "Communication with the periphery".
Duration: a few ms, on 3rd generation PSS: 0.2 ms
FS block run time (execution of the FS user program)

The FS user program is started after successful alignment of the read in
values. For safety reasons all of the microprocessors process the user
program of the FS section. At the end of the program another synchronisa-
tion of the microprocessors takes place.
The duration of the FS user program varies as it usually comprises various
program parts, and a different number of these program parts is run
through in any given cycle.
Duration: max. 100 ms for FS and ST user program together, depends on
the program

ST-PII (read block for the PII of the ST section)
The process image for the inputs of the ST section is read in.
Duration: a few ms, on 3rd generation PSS: 0.1 ms
ST block run time (execution of the ST user program)

The ST user program is executed. The program of the ST section is only
processed by one microprocessor.
The duration of the ST user program varies as it usually comprises various
program parts, and a different number of these program parts is run
through in any given cycle.
Duration: max. 100 ms for FS and ST user program together, depends on
the program
FS and ST-PIO (output block for PIO and XW-PIO of the FS section
and PIO of the ST section)
The process images for the outputs created during execution of the FS and
ST user programs are output.
The process of outputting of the process image for the outputs and the
process image for the output segments of the FS section is described in
detail in the section "Communication with the periphery".
Duration: 0.3 ms
Test slices
A test block is processed at the end of a cycle. All of the tests on the sys-
tem are divided into slices with a duration of 1 ms. The operating system
automatically performs one test slice in each test block.
The number of test slices can be influenced by the user via an operating
system call (SB255, FUNK = 1). In this way, the testing frequency can be
adapted to the status of the process which is to be controlled.
Waiting period for minimum scan time (optional)

A waiting period can be inserted in order to keep the scan time constant,
i.e. to minimise the scan time. During this waiting period the operating
system will run test slices.
The length of the waiting period results from the selected minimum scan
time. The minimum scan time is defined in the PSS configurator of the

Operation
system software (PG). It is comprised of:
FS block run time

+ ST block run time
+ Operating system run time for 'Read PII', 'Output PII'
and a test slice
+ Time for additional test slices
+ Waiting period
_______________________________________________
= Minimum Scan Time
The minimum scan time must be less than or equal to 100 ms.
Defining the scan time and the block run times
In the PSS configurator of the system software (PG) you need to enter the
FS and ST block run time for a project. You can also define a value for the
minimum scan time. Proceed as follows to define these values:
• In the PSS configurator, default values are set for the block run time of
the user program and the minimum scan time. Accept these values for
the initial program test.
Please note: If you are using remanent data blocks in the FS section, you
must enter an ST block run time of at least 5 ms.
• Let your user program run through several cycles. If the value set for the
minimum scan time is too low, error message "F-20" will appear on the
display. Increase the value for the minimum scan time in the configurator
and run the test again.
• The current, maximum and minimum times are entered in the data block
DB000, data word DW007 ... DW012. You can display the values in the
system software (PG) via the variable display (see online help of the
system software).
DB000
DW007 Current scan time in ms
DW008 Max. scan time in ms
DW009 Current FS block run time
DW010 Max. FS block run time
DW011 Current ST block run time
DW012 Max. ST block run time

• FS block run time
Enter the max. FS block run time (DB000, DW010) in the PSS configurator
as the FS block run time.
(The FS block run time and the ST block run time must be less than
100 ms combined.)
• ST block run time
Enter the max. ST block run time (DB000, DW012) in the PSS configurator
as the ST block run time.
(The FS block run time and the ST block run time must be less than
100 ms combined.)
• Enter the minimum scan time
Enter a minimum scan time in the PSS configurator if you wish to have a
constant scan time.
The minimum scan time must be

- less than the maximum scan time
- less than 100 ms
- greater than the sum of:
the determined max. FS block run time (DB000, DW010)
+ the determined max. ST block run time (DB000, DW012)
+ operating system run time for 'Read PII', 'Output PII' and a test slice
+ time for additional test slices, if the number of test slices to be
executed in the user program is increased by the operating system
call SB255, FUNK = 1 (1 ms per test slice)
The operating system run time for 'Read PII', 'Output PII' and a test
slice is
10 ms max. on 1st and 2nd generation PSS
5 ms max. on 3rd generation PSS
10 ms max. for all PSS with SafetyBUS p

Operation
Self-test
A regular self-test must be carried out on the safety system to ensure that
undetected errors do not accumulate. The self-test tests the parts of the
safety system in which a failure may not be detected immediately under
certain conditions of normal operation:
• Microprocessors
• Memory
• Periphery
The self-test is subdivided into test slices. Each test slice carries out a part
of the self-test. Approximately 40,000 test slices are required to test the
entire system.
Self-tests are carried out at various points:

• Self-test when voltage is restored (reset block)
Extensive self-test of the entire system after switching on the safety
system. During this time the CPU display shows "❚ ❚ ❚ ❚" .
Duration: approximately 30 s, on 3rd generation PSS 10 s
• Self-test when changing from STOP to RUN (start-up)
The duration of the self-test is negligible, the system checks the configu-
ration and the module function.
In order to identify faults with this test, the controller needs to be
switched off and on again on a regular basis.
• Cyclic self-test
During operation the self-test is performed in test slices at each cycle
change. A test slice requires a test time of approximately 1 ms. One test
slice is executed per cycle without intervention from the user. The
number of test slices per cycle can be influenced by
- defining a minimum scan time
Depending on the duration of the FS and ST user programs, a waiting
period is created at the end of the cycle. If possible, the test slices are
carried out during this period.
- using the operating system call SB255, FUNK = 1
The number of test slices is set by the user (see section "Defining the
number of test slices").

If the self-test detects a major error, then the safety system immediately
switches to a safe condition. Processing of the ST section continues pro-
vided the error does not affect this section.
Defining the number of test slices
The operating system call SB255, FUNK = 1 can be used to define the
number of test slices to be performed.
The selected number of test slices is processed at the next cycle change.
The setting is only valid for one cycle. After the test slices have been pro-
cessed the system automatically resets the setting to one test slice.

SB255 FUNK = 1 Defining the test slices
(The setting is only valid for one
cycle)
ERG = 16 Faulty call of SB255,
to STOP condition.
DB003 DW200 = 1 ... 99 Number of test slices
DB001 DW200 Fault detection at ERG = 16
0: no error
1: too many test slices

Operation
Alarm processing
The alarm processing allows the system to have a quick influence on

external events. The occurrence of an alarm event interrupts the process-
ing of the program. Alarms can only be triggered by special inputs with
alarm capabilities.
If an alarm occurs, then the CPU exits the user program and returns to the
operating system. The CPU determines the module and the input which
triggered the alarm. An alarm organisation block is assigned to this input,
which is marked by the alarm. The CPU returns to the user program and
continues to process the current block. At the next block change or seg-
ment start the marked organisation block is processed.
If several alarms occur simultaneously, they are stored in a queue. A
maximum of 32 entries can be stored at any one time in the queue. All
entries are processed in sequence at the next block change/segment start.
Any more than 32 alarms cannot be processed.
The alarm function is locked during the reading and alignment of the pro-
cess image for the inputs and the alignment and outputting of the process
image for the outputs. The alarms are collected in the queue.
User
program
Operating
system
Block 4
OB x Queuing
Alarm OB y system
Block 5
Block 6
OB x
OB y
Fig. 6-4: Reaction to an alarm

Alarms which occur during the ST user program interrupt the execution of
the ST user program immediately. The FS alarm OB is executed, and the
ST user program then continues from the point where the program was
interrupted.
The alarm reaction time is made up of:

• Max. run time difference between the microprocessors and
• Max. time difference between block changes or the maximum segment
length and
• Run time of the alarm organisation blocks.
If the FS section switches from a STOP condition to a RUN condition, then

all of the old entries in the alarm queue are deleted.
Inputs with alarm capabilities
Special inputs with alarm capabilities are available for alarm processing,
e.g. the PSS DIF module. These inputs react quicker to a signal change
than "normal" inputs.
An alarm can be triggered via a

• rising edge
• falling edge
• any edge

Operation
Alarm organisation blocks
If an alarm is triggered at an input with alarm capability, the associated

alarm organisation block (OB) is executed. The alarm OB contains the
reaction to the alarm. The organisation blocks OB140 ... OB171 are
reserved for processing the alarm. The assignment of alarm input to alarm
OB and the flank selection take place in the PSS configurator of the
system software (PG).
NOTICE
When processing alarms, please note:
• A maximum of 32 central alarms can be configured for a PSS.
• Alarm inputs must be configured without gaps.
Example: An alarm module has 16 inputs with alarm capabilities; you
wish to use 5 of these as alarm inputs and the remaining 11 as simple
inputs.
- Option 1: Assign the first 5 inputs on the module (x.0 to x.4) to the
alarm OBs and leave the remaining inputs unconfigured.
- Option 2: If you do not wish to use x.0 to x.4 as the alarm inputs, but
would prefer to use e.g. x.3, x.4, x.8, x.12 and x.13, then set , or
as the edge for these inputs, and set as the edge for all the
inputs in between (x.0 ... x.2, x.5 ... x.7, x.9 ... x.11). " " means that
the input can be used as a normal input.
• Inputs with alarm capabilities which are not configured as alarm inputs
can be used as normal inputs with a very fast response time.
• Alarm inputs for safety-related functions must operate in accordance with
the failsafe principle (on switching off). A falling edge must therefore be
set as the trigger for these alarm inputs.
• Use test pulses to check safety-related alarm inputs.
If test pulses are not permitted on the alarm inputs (e.g. PSS(1) DIF2),
you can only connect the alarm inputs to input signals with frequent
operation, which you monitor using feasibility checks.
• The reaction time for sporadic alarms depends upon the hardware regis-
try, the user program, the use of test pulses and the number of alarms
occurring simultaneously.

• With periodic alarms, the CPU has little time to process administrative
tasks and the user program. If the user program and the alarm process-
ing are not planned correctly, then the CPU can be permanently busy
processing alarms: while one alarm is being processed the next is one
already triggered - the program ends up "floating" in a state of sus-
pended progress. The scan time monitoring responds.
• The execution time of the block is extended as a result of the dynamic
program display of alarm organisation blocks. As a result, the status of
"floating" can be reached if alarms are processed periodically and the
program design is critical.
If an alarm is present, it will only be detected if the following condi-

tions are met:
• For an alarm to be detected in the case of a pulse edge change, both the
"0" signal and the "1" signal must be present for at least the duration of
the alarm detection time.
This means that if alarm is to be triggered by a falling edge, first the
"1" signal and then the "0" signal need to be present for at least the
alarm detection time.
A time delay which is at least as large as the alarm detection time must
occur between two alarms at an input configured for a rising and a falling
edge.
If these conditions are not met, then the triggering alarm cannot be de-
tected and an error message is shown on the CPU display.
• Alarms are processed in the order in which they occur.
If the time sequence of alarms at different alarm inputs is important,
these alarms must be separated by at least the alarm detection time. If
the separation is not adhered to, then the order of processing is deter-
mined by the slot. Slot 0 has the highest priority, which decreases with
increasing slot number.
If several alarms occur simultaneously on one slot, then the alarms are
processed in the order of the addresses (e.g. first the alarm at I3.0, then
the alarm at I3.1, then the alarm at I3.2 etc.).

Operation
• Only a maximum of two alarm modules must be used on a modular

safety system.
• When an alarm OB is called up, the RLO is set at the value of the input
at the time of the alarm.
• Break down the modules into several segments in order to reduce the
alarm reaction time. Alarms are only triggered at segment limits and
block changes. Long blocks without segments increase the alarm reac-
tion time just as much as time-intensive operations (such as timer opera-
tions and periphery access).
• Time-intensive alarm OBs increase alarm reaction time.
As the alarm OBs are executed in sequence, the length of an alarm OB
has an effect on the alarm reaction time. Reaction to the next alarm will
not be possible until the current alarm OB has been processed.
• Alarms are stored in a queuing system. If a lot of alarms occur in quick
succession, the alarm reaction time for the last alarm will be increased by
the time taken to process the alarm OBs that entered the queue first.
• Alarm reaction time does not depend on the number of alarms
configured, but rather on the number of alarms occurring (almost) simul-
taneously.
• For a faster response to alarms, do not use alarm inputs that use test
pulses. Alarm detection time is longer on pulsed inputs, as no alarms will
be triggered during the function test on the inputs.

Communication with the ST-section
Various flags are available for communication between the FS section and
the ST section:
• Communication flags
M100.00 ... 104.31
M105.00 ... 109.31 (only on PSS with operating system ≥ 43)
The communication flags can be written to and read by the ST user
program. The FS section only has read-access to these flags. The flags
are available to the user for free use.
• Fixed flags
Flags Description
M110.00 FALSE (RLO-0)
Flag content is always = 0
M110.01 TRUE (RLO-1)
Flag content is always = 1
The fixed flags have a fixed status. They are often used to set the RLO
to "1" or "0". To do this, the corresponding flag is loaded with the "Load"
operation.
The FS section and the ST section only have read-access.
• Arithmetic flags
Flags Description
M111.00 Carry
= 1 if the carry flag has been set by an arithmetic operation
M111.01 Overflow
= 1 if the overflow flag has been set by an arithmetic operation
M111.02 Zero
= 1 if the zero flag has been set by an arithmetic operation
M111.03 Sign
= 1 if the sign flag has been set by an arithmetic operation
Arithmetic flags are used by the operating system during arithmetic

operations. The FS section and the ST section only have read-access.

Operation
• FS status flags
Flags Description
M113.00 = 0 if status of FS section is STOP
= 1 if status of FS section is RUN, only checked after the first
cycle
M113.01 = 0 if status of FS section is "No error"
= 1 if status of FS section is "Error"
M113.02 = 1 if FS section has been stopped through a STOP operation
M113.03 = 1 after start-up (STOP > RUN) of the FS section, only
active for one cycle
M113.04 = 1 after restart (OFF > RUN) of the FS section, only active
for one cycle
M113.05 = 1, if SafetyBUS p 0 is in a RUN condition
M113.06 = 1, if SafetyBUS p 1 is in a RUN condition
M113.08 = 1 if the remanent DBs in the FS section have been reset;
flag must be reset through SB255, FUNK = 50. Provided the
flag is set, the remanent DBs will be reset each time the PSS
is cold/warm started. The flag is non-volatile.
FS status flags provide information about the status of the FS section.


• ST status flags
Flags Description
M112.00 = 0 if status of ST section is STOP
= 1 if status of ST section is RUN, only checked after the first
cycle
M112.01 = 0 if status of ST section is "No error"
= 1 if status of ST section is "Error"
M112.02 = 1 if ST section has been stopped through a STOP operation
M112.03 = 1 after start-up (STOP > RUN) of the ST section, only
M112.04 = 1 after restart (OFF > RUN) of the ST section, only active
for one cycle
M112.05 = 1 if a general reset was performed in the ST section, only
ST status flags provide information about the status of the ST section.

INFORMATION
The FS section cannot access the operands of the ST section. Communi-
cation is only possible via the above flags.
The ST section can obtain read-access to the process images of the in-
puts and outputs (PII and PIO, but not XW-PII and XW-PIO), the flags, the
data blocks, the timers and counters of the FS-section.

Operation
User interface in the FS-section
The user interface (refer also to the chapter "Structure", section

"User interface") can be used either in the FS section or in the ST section
for communication with other devices. The section which accesses the
user interface first obtains the access rights. If the user interface has
already been configured for the FS section, then it cannot be used by the
ST section again until a general reset is performed in the ST section and
the power supply to the PSS is switched off and back on again.
NOTICE
You as the user are responsible for ensuring that the data transfer is per-
formed correctly. Please check the plausibility of the received data in the
user program. We recommend the use of a CRC calculation, which is
supplied as standard function block SB001 (see "CRC calculation").
Access from the FS section to the user interface is provided with the aid of
the following functions of the SB255:
FUNK Description
200 Status poll for the configuration
201 Configure
202 Acknowledge configuration error
204 Status poll for sending
205 Send
206 Acknowledge send error
208 Status poll for receiving
210 Acknowledge receive error
211 Acknowledge receipt

Configuration of the user interface
The send-DB, the received-DB and the interface data are specified during
configuration.
The interface data must be entered in an interface configuration-DB before
the configuration is performed. The configuration can be performed with
the aid of the following three operating system calls.

SB255 FUNK = 200 Configuration status poll
ERG = 1 Interface ready for operation
ERG = 2 Interface is currently being configured
ERG = 16 Configuration error

SB255 FUNK = 201 Configure
ERG = 1 Configuration successfully completed
DB003 DW201 Fault detection at ERG = 16
0002H ... 0006H: Number of the
faulty data word in the interface
configuration-DB
FFF0H: Interface is assigned to the
ST section
DW202 Number of the interface
configuration-DB
DW203 Number of the receive-DB
DW204 Number of the send-DB
DB<no.> Interface configuration-DB,
see below

SB255 FUNK = 202 Acknowledge configuration error
ERG = 2 Interface is currently being configured

Operation
Interface configuration-DB
The interface data are entered in the interface configuration-DB.
Properties
Length: at least 7 data words
Access right: Read/Write
Assignment
DW000 Reserved
DW001 Fault detected if SB255, FUNK = 200 or SB255, FUNK = 201
reports a configuration error (ERG = 16).
0002H ... 0006H: Number of the faulty data word in the interface
configuration-DB
FFF0H: Interface is assigned to the ST section
DW001 can only be read.
DW002 Transmission rate
Value Transmission rate in bit/s
0 150
1 300
2 600
3 1200
4 2400
5 4800
6 9600
7 19200
8* 38400
* only on 3rd generation PSS

DW003 Parity bit
Value Parity bit

0 None
1 Odd
2 Even

DW004 Number of stop bits
Value Stop bits

0 1
1 1.5
2 2
DW005 Number of data bits

Value Number of data bits
0 5
1 6
2 7
3 8
DW006 Handshake
Value Handshake
0 No
1 Yes

Operation
Example
The interface is to be configured with the following data:

Transmission rate: 9600 bit/s
Parity: Even
Stop bit: 1
Data bit: 8
Handshake: Yes
Interface configuration-DB: DB010
Send-DB DB011
Receive-DB DB012
To operate
SB255, call FUNK = 200 and evaluate ERG.
ERG = 1 The interface can be configured.
Assign the following values to DB010

(interface configuration-DB):
DW002 = 6
DW003 = 2
DW004 = 0
DW005 = 3
DW006 = 1
Assign the following values to DB003:

DW202 = 10
DW203 = 12
DW204 = 11

If ERG = 1 for SB255, FUNK = 201, then the configuration was
successful.
If ERG = 16 for SB255, FUNK = 201, then a configuration error
has occurred. DW201 of DB003 contains the fault detection.
The error must be rectified and acknowledged with SB255,
FUNK = 202. In the event of a major configuration error the
FS section switches to the STOP condition. The error stack will
contain the cause of the error. This type of error also needs to
be acknowledged with SB255, FUNK = 202 after it has been
rectified.

ERG = 2 Interface is currently being configured.
DW201 of DB003 contains the fault detection. The error must be
rectified and acknowledged with SB255, FUNK = 202. In the
event of a major configuration error the FS section switches to
the STOP condition. The error stack will contain the cause of the
error. This type of error also needs to be acknowledged with
SB255, FUNK = 202 after it has been rectified.
Sending via the user interface
The process of sending data via the user interface takes place with the aid
of the following operating system calls.

SB255 FUNK = 204 Send status poll
ERG = 2 Data are being sent
ERG = 16 Send errors

SB255 FUNK = 205 Send
ERG = 16 Send errors
DB<no.> Send-DB,
see below

SB255 FUNK = 206 Acknowledge send error
ERG = 16 Error during send acknowledgement

Operation
Send-DB
The data which are to be sent are entered in the send-DB.
Properties
Assignment
DW000 Number of bytes to be sent
reports a send error (ERG = 16)
8: Error while sending
9: Number of bytes to be sent is too high
FFFFH: No error
DW001 can only be read.
DW002...1023 Send data
Send sequence: DR2 (2nd right data word), DL2 (2nd left
data word), DR3, DL3, DR4, DL4 ... DRx, DLx.
Example

ERG = 1 Data can be sent.
Save the data to be sent and their number in the send-DB.
If ERG = 1 for SB255, FUNK = 205, then the data have been
sent successfully.
If ERG = 16 of SB255, FUNK = 205, then a send error has
occurred. The cause of the send error can be read out from
DW001 of the send-DB. The error must be rectified and
acknowledged with SB255, FUNK = 206.
ERG = 16 Send error
The cause of the send error can be read out from DW001 of the
send-DB. The error must be rectified and acknowledged with
SB255, FUNK = 206.

Receiving via the user interface
The process of receiving data via the user interface takes place with the
aid of the following operating system calls.

SB255 FUNK = 208 Receive status poll
ERG = 1 No data received
ERG = 2 Received data are ready for retrieval
ERG = 16 Receive errors
DB<no.> Receive-DB,
see below

SB255 FUNK = 210 Acknowledge receive error
ERG = 1 No data received
ERG = 2 Received data are ready for retrieval
ERG = 16 Receive errors

SB255 FUNK = 211 Acknowledge receipt
ERG = 16 Error during send acknowledgement
DB003 DW200 Number of bytes to be acknowledged
Receive-DB
The received data are entered in the receive-DB.
Properties

Operation
Assignment
DW000 Number of bytes received
reports a receive error (ERG = 16)
12: Receive-DB overflow
14: More data acknowledged than received
FFFFH: No error
DW002...1023 Receive data
Sequence for receiving data: DR2 (2nd right data word),
DL2 (2nd left data word), DR3, DL3, DR4, DL4 ... DRx,
DLx.
Example

ERG = 1 No data were received.
ERG = 2 Received data are saved in the receive-DB from DW002, the
number of received bytes is recorded in DW000.
The data then need to be read out from the receive-DB, and
receipt of the data needs to be acknowledged with SB255,
FUNK = 211. The number of bytes to be acknowledged must be
entered beforehand in DW200 of DB003. The operating system
then sets the number of bytes in the receive-DB to 0.
If ERG = 16 for SB255, FUNK = 211, then a receive error has

occurred. The cause of the receive error can be read out from
DW001 of the receive-DB. The error must be rectified and ac-
knowledged with SB255, FUNK = 210.
If SB255, FUNK = 208 is called again, then all data which have
not yet been acknowledged are written to the receive-DB again,
followed by the newly received data. The number of received
data in DW000 is updated.
ERG = 16 Receive error

The cause of the receive error can be read out from DW001 of
the receive-DB. The error must be rectified and acknowledged
with SB255, FUNK = 210.

CRC calculation
The standard function block SB001 for CRC calculations has been inte-
grated in the FS section via data and flag areas. With this module, up to
five CRC calculations can be performed in one cycle. The maximum run
time per call is 2 ms.
The CRC calculation takes place on the basis of the generator polynomial
1021H, with the starting value FFFFH.
Block header:
SB001
CRCPOLYN
B SSNR ERG W
B DBNR CRC W
B STRT
W CNT
Input parameters
SSNR Call number,
Value range: 0 ... 255
DBNR Data block number of the data range for which the CRC sum
is to be calculated; only if parameter STRT = DL or DR
(if STRT = MB: DBNR is meaningless)
Value range: 10 ... 255
STRT Start address of the data range for which the CRC sum is to be
calculated.
Value ranges:
MB64.00 ... MB99.24,
MB100.00 ... MB109.24 (only on PSS with operating
system version ≥ 49),
MB130.00 ... MB255.24 (only on PSS with operating
system version ≥ 49),
DL0 ... DL1023, DR0 ... DR1023
CNT Number of bytes to be used for the CRC sum calculation.
Value range: > 0

Operation
Output parameters
ERG Result
ERG = 2: CRC calculation not yet complete,
repeat call required.
ERG = 4: CRC calculation is complete.
ERG = 16:Error, because CNT = 0
CRC CRC sum, if ERG = 4

Test pulses for signals with infrequent operation
If the signal at an input rarely changes its status, i.e. it is a signal with
infrequent operation, then the function test of this input can be ensured by
using a test pulse output. With the test pulse output, the input is actuated
with a "normal" output. The difference is that the test pulse output briefly
switches the signal off one or more times in a cycle, allowing the operating
system to check the function of the input as a result.
On modular safety systems, the test pulse outputs are provided for exam-
ple through the module PSS DI2O T. Some compact controllers also have
test pulse outputs.
The assignment of the test pulse outputs to the inputs under testing is
implemented in the PSS configurator of the system software (PG).
INFORMATION
• Configure the test pulses without gaps
Start the configuration at the first test pulse on the test pulse module and
use the following test pulses consecutively without gaps. Reason: If
unused test pulses are present among the test pulses that are used, the
PSS will check both in the same way. This will extend the test time un-
necessarily.
• Check adjacent inputs using different test pulses
If not, it will not be possible to detect short circuits between the inputs.
Further explanations can be found in your PSS documentation.
• Check PSS(1) DI and PSS(1) DIF as well as PSS(1) DI2 and PSS(1) DIF
with different test pulses.
The inputs on the modules PSS(1) DI and PSS(1) DIF as well as on the
modules PSS(1) DI2 and PSS(1) DIF must not be tested with the same
test pulse. Reason: the delay of the inputs on the modules is different in
each case (PSS(1) DIF: approx. 0.5 ms; PSS(1) DI/PSS(1) DI2: approx.
1 ms and 3 ms respectively). The test pulse will automatically adjust to
the input delay in order to keep the test time brief. If the test pulse were
to check the inputs on the PSS(1) DIF as well as the PSS(1) DI/PSS(1)
DI2, it would not be possible to reduce the test time in accordance with
the input delay on the PSS(1) DIF.

Operation
• Do not pulse PSS(1) DIF2

Test pulses must not be used to check the inputs on the PSS(1) DIF2
module.
Outputs on the CPU display
Hexadecimal numbers can be output on the display of the CPU. The

operating system call SB255, FUNK = 32 is used to do this.
INFORMATION
Error messages from the system are displayed as the top priority.

SB255 FUNK = 32 Output on the CPU display
ERG = 16 Error during output
DB003 DW200 = 0000H ... 0000H ... FFFEH: Hexadecimal
FFFFH number which is to be output on the
CPU display
FFFFH: Clear CPU display

Operating states and changes
This section describes the operating states that can be assumed by the
FS section of the safety system, which changes in status can take place,
what happens while the status change is happening and what you can do
to trigger a status change.
PSS
switched off
Switch on
voltage
1
FS-STOP
"FS RUN" LED:
Fatal Off
error CPU display:
"0000" or "F-xx""
8
2
RUN RUN
FS FS
Fatal error STOP STOP NO FS
"FS RUN" LED: or or "FS RUN" LED:
any status system software minor error flashing
CPU display: or CPU display:
STOP operation
STOP operation
"*xxx" or "+xxx" or "F-xx"
or
system software
system software
7 6 3 4 5
Fatal FS-RUN Major

error error
"FS RUN" LED:
On
CPU display:
"0000"
Fig. 6-5: Operating states of FS section
The numbers identify status changes which are described on the next
pages.

Operation
Operating statuses
Status "FS-STOP"
• The FS user program is not processed and all FS outputs are switched
off (safe condition).
• The ST user program runs and can read the PII and PIO of the
FS section.
• All of the functions of the system software (PG) are available.
• "FS RUN" LED: Off
• CPU display: Error class of the error "F-xx"
Status "FS-RUN"
• The FS user program is worked through.
• The ST user program can read the PII and PIO of the FS section.
• All of the functions of the system software (PG) are available
(Exceptions: transfer or delete program).
• "FS RUN" LED: On
• CPU display: "0000"
Status "No FS"

FS section.
• The functions of the system software (PG) are restricted to read access.
• "FS RUN" LED: flashing
Status "Fatal error"

• FS and ST section are inoperative, all outputs are switched off
(safe condition).
• No communication with the programming device is possible.
• "FS RUN" LED: any status
• CPU display: Fault detection "*xxx" or "+xxx"

Change in operating status
Switch on voltage ➀
After the voltage is switched on the PSS performs a self-test. Afterwards
the FS-section is in the STOP condition.
Display: "❚ ❚ ❚ ❚"
Status flag M113.04 = 1 (only remains set for one cycle)
Duration: approximately 30 s, on 3rd generation PSS approx. 10 s
Status change from FS-STOP to FS-RUN (start-up) ➁

If the CPU display shows "0000", then you can proceed as follows to return
to the RUN condition:
• Set the FS selector switch to RUN or
• Start the FS section with the aid of the system software.
If the FS section is in the STOP condition on account of an error which has

occurred (CPU display: "F-xx"), then you will need to proceed as follows to
return to the RUN condition:
• Read out the error stack (see chapter "Fault diagnostics and rectifica-
tion", section "Error stack").
• If necessary use the dynamic program display (system software) to
search for the error.
• Rectify the error.
• Set the FS selector switch from RUN to STOP and back to RUN, or start
the FS section with the aid of the system software.
The following happens during the changeover of the FS section from

STOP to RUN:
• The FS user program is tested.
• The start-up OB is executed.
• Hardware registry and module tests are carried out.
• The PIO and the PII of the FS section are assigned the value 0.
• FS flags are set to 0.
• DBs of the FS section are initialised using the values specified in the
system software (PG).

Operation
• FS timers are stopped.

• FS counters are reset.
• The queue of waiting alarms is deleted.
• Status flags
- M113.00 = 1 (only set after the first cycle)
- M113.01 = 0
- M113.02 = 0
- M113.03 = 1 (only remains set for one cycle)
Status change from FS-RUN to FS-STOP ➂

Reasons:
• The FS selector switch was set to STOP, or
• the STOP function was called in the system software (PG), or
• the STOP operation was called in the FS user program, or
• a minor error has occurred.
Minor errors include:
- An error in the user program
- Plausibility errors, i.e. errors in the periphery modules and the external
wiring
- Range exceeded during addressing
- Write attempt to write-protected data block
- Module error
During this change of status the following happens:

• All of the outputs of the FS modules are switched off.
• The FS user program is stopped.
• The PIO of the FS section is assigned the value 0.
• Status flag M113.00 = 0
• After a STOP on account of a STOP operation in the FS user program:
Status flag M113.02 = 1
• After a STOP on account of a minor error:
- Status flag M113.01 = 1
- After errors which belong to the error class F-21 or F-22, the error
organisation block OB125 is called before the FS section changes its
status to STOP. For errors belonging to error class F-23 or F-24 the
error organisation block OB127 is called. (Refer to the PSS WIN-PRO
Programming Manual for more information about "Error organisation
blocks".)
• The STOP organisation block OB124 is called.
The OB124 is called every time the system changes into the STOP
condition. OB124 is only available for PSS with an operating system
version ≥ 43. (Refer to the PSS WIN-PRO Programming Manual for
more information about "STOP organisation blocks".)
• After a STOP on account of execution of the stop function in the system
software or actuation of the FS selector:
STOP organisation block OB128 is called, followed by STOP organisa-
tion block OB124 (refer to the PSS WIN-PRO Programming Manual for
more information about "STOP organistation blocks").
Status change from FS-RUN to "No FS" ➃

Reason: A major error has occurred.
Major errors can include:
• Major module errors
• Irregularities between the microprocessors, e.g. discrepancies in the
process images of the outputs
• Errors which prevent correct processing of the program

• Status flags M113.00 = 0 and M113.01 = 1
Status change from "No FS" to FS-RUN ➄

Proceed as follows to return to the RUN condition:
• Read out the error stack (see chapter "Fault diagnostics and rectifica-
tion", section "Error stack").
• Switch off the PSS and set the FS selector switch to STOP.
• Switch on the PSS and set the FS selector switch to RUN.

Operation
Status change from FS-RUN to "Fatal error" ➅

Reason: A fatal error has occurred.
Fatal errors can include:
• Major system defect
• Error during self-test

• All the outputs are shut down.
• The FS and ST user programs are stopped.
Status change from "Fatal error" to FS-RUN ➆

It is not possible for the user to rectify the error. If the PSS is in this state,
then the only option is to:
• Note the conditions under which the error occurred.
• Write down the displayed fault detection.
• Switch the PSS off and back on again and then read out the error stack
(see chapter "Fault diagnostics and rectification", section "Error stack").
• Contact Pilz.
Status change from FS-STOP to "Fatal error" ➇

Fatal errors are detected by the PSS even when it is in the FS-STOP
condition, and they cause the status of the system to change to "Fatal
error".

• The ST outputs are also shut down.
• The ST user program is also stopped.

Commissioning
Initial commissioning
Hardware requirements
• Supply voltage connected to PSS
(modular PSS: see power supply operating manual; compact PSS: see
PSS operating manual)
• Supply voltage for inputs and outputs connected
(modular PSS: see I/O modules operating manual; compact PSS: see
PSS operating manual)
• For modular PSS: Correct module rack configuration
(first slot must be occupied by the power supply and the second by the
CPU module)
Software requirements
• Configuration data (slot configuration, block run time etc.) entered in the
PSS configurator of the system software are correct.
• Executable user program is available in a linked form (see "Link" in the
online help of the system software).
Commissioning procedure
• Set the FS selector switch to "STOP".
• Switch on the power supply (position "I")
Reaction: "Power" LED on the power supply and the CPU module
light up. CPU carries out a self-test, CPU display shows:
"❚❚❚❚"
• If the self-test is successful the CPU display will show: "0000"
• Transfer program (see online help of the system software)
• Set the FS selector switch to "RUN".
Reaction: The program is executed.
The "FS RUN" LED lights up.
Error messages are described in chapter 8.
Safety System: FS System Description 7-1

Commissioning
Recommissioning
If a hardware or software error occurs, the safety system will immediately

switch to a safe condition. The fault will be shown on the CPU display (see
Chapter 8 for details of error messages) and the "FS RUN" LED will either
flash or go out. The following states are available:
• The "FS RUN" LED flashes and the CPU display indicates an error
("F-xx"): a major error has occurred.
Recommissioning:
- Rectify the error
If necessary have the PSS error stack displayed in the system software
(PG) and call up the error remedy.
- Switch the power supply off and back on again
If the error has been rectified, the CPU will go into RUN mode after the
self-test and the program will run again.
• The "FS RUN" LED goes out and the CPU display indicates an error
("F-xx"): a minor error has occurred.
Recommissioning:
- Rectify the error
If necessary have the PSS error stack displayed in the system software
(PG) and call up the error remedy.
- Set the "FS" selector switch to "STOP" and then to "RUN". The
program will run again.
• "FS RUN" LED any status, CPU display shows "+xxx" or "* xxx": a fatal
error has occurred. The system is defective.
The user will not be able to rectify the error. If the PSS is in this state,
- Note the conditions under which the error occurred.
- Write down the displayed fault detection.
- Switch the PSS off and back on again and then read out the error stack
(see chapter "Fault diagnostics and rectification", section "Error stack").
- Contact Pilz.
7-2 Safety System: FS System Description

Changing the configuration or the user program
Sequence:
• Enter the changes to the configuration, e.g. changed test pulse wiring, in
the PSS configurator (see online help of the system software).
• If necessary change the user program (see online help of the system
software)
• Re-link the program (see online help of the system software).
• Proceed as for the initial commissioning procedure
Safety System: FS System Description 7-3

Commissioning
Notes
7-4 Safety System: FS System Description

Fault diagnostics and rectification
Error management
The safety system continuously checks the hardware and software during
the program cycle. If an error is discovered, the following sequence is
triggered:
• The fault detection is displayed on the CPU display.
• The error is entered in the error stack.
• Execution of the error reaction.
The reaction of the safety system to an error depends on the severity of

the error.
FS-RUN
"FS RUN" LED:
On
CPU display:
"0000"
Fatal Minor Major

error error error
Fatal error Fatal FS-STOP NO FS

error
"FS RUN" LED: "FS RUN" LED: "FS RUN" LED:
any status Off flashing
CPU display: CPU display: CPU display:
"*xxx" or "+xxx" "0000" or "F-xx" "F-##"
Fig. 8-1: Change in operating status on account of an error

Minor errors
Possible causes
• Error in the user program
• Plausibility error, i.e. error in the periphery modules and the external
wiring
• Range exceeded during addressing
• Write attempt to write-protected data block
• Module error
PSS reaction
The FS section switches to a STOP condition. The following happens
during the switch to this status:
• The PIO of the FS section is assigned the value 0.
• With errors belonging to error class F-21 or F-22, the error organisation
block OB125 is called before the FS section changes into the STOP
condition. For errors belonging to error class F-23 or F-24 the error
organisation block OB127 is called. (Refer to the PSS WIN-PRO
Programming Manual for more information about "Error organisation
blocks".)
• The STOP organisation block OB124 is called.
The OB124 is called every time the system changes into the STOP
condition. OB124 is only available for PSS with an operating system
version ≥ 43. (Refer to the PSS WIN-PRO Programming Manual for
more information about "STOP organisation blocks".)
The PSS operates as follows in the STOP condition:

FS section.
• All of the functions of the system software (PG) are available.
• "FS RUN" LED: Off

Remedy
• Read out the error stack (see section "Error stack").
• If necessary use the dynamic program display (system software) to
search for the error.
• Set the FS selector switch from RUN to STOP and back to RUN, or start
the FS section with the aid of the system software.
Major errors
Possible causes
• Major module errors
• Irregularities between the microprocessors, e.g. discrepancies in the
process images of the outputs
• Errors which prevent correct processing of the program
Reaction
The FS section switches to "No FS". The following happens during the
switch to this status:
The PSS operates as follows in the "No FS" condition:

FS section.
• The functions of the system software (PG) are restricted to read access.
• "FS RUN" LED: flashing

Remedy
• Read out the error stack (see section "Error stack").
• Switch off the PSS and set the FS selector switch to STOP.
• Switch on the PSS and set the FS selector switch to RUN.
Fatal errors
Possible causes
• Major system defect
• Error during self-test
Reaction
The safety system changes to "Fatal Error". The following happens during
the switch to this status:
• All the outputs are shut down.
• The FS and ST user programs are stopped.
The PSS operates as follows in the "Fatal Error" condition:

• FS and ST section are inoperative, all outputs are switched off
(safe condition).
• No communication with the programming device is possible.
• "FS RUN" LED: any status
• CPU display: Fault detection "*xxx" or "+xxx"
Remedy
It is not possible for the user to rectify the error. If the PSS is in this state,
• Note the conditions under which the error occurred.
• Write down the displayed fault detection.
• Switch the PSS off and back on again and then read out the error stack
(see section "Error stack").
• Contact Pilz.

Error stack
The error stack can record a maximum of 16 error entries. In system data
block DB000 it occupies data words DW085 ... DW148. Each error entry
occupies 4 words.
DW Assignment
084 Indicator pointing to current error entry
1. Error entry:
085 Bit 0 ... 7: Error class
Bit 8: if = 1 => it is an FS error
if = 0 => it is an ST error
Bit 9 ... 15: ID of the microprocessor
086 Bit 0 ... 6: Error number
Bit 7: if = 1 => error parameter-1/-2 present
087 Error parameter -1
089 ... 092 2nd error entry
093 ... 096 3rd error entry
097 ... 100 4th error entry

INFORMATION
DB000 can only be read from the ST section. Access to the error stack
from the FS section is not possible.
As the error stack is organised as a ring memory, data words are accessed
via the indicator in DW084. The indicator always points to the data word
containing the error class of the current error entry.
If more than 16 errors occur, the first entry is overwritten. The error stack
contains errors from both the FS and ST sections.
What the entries mean

• Error class
The error class tells you what type of error it is, e.g. errors of the error
class "06" are in the FS section "module errors".
• Error number
All of the errors within an error class are numbered. The error number
specifies an error more accurately within an error class.
Example: FS section, error class "06", error number "73" means
"module error", "short circuit between test pulse outputs and 24 V".
• Error parameter-1, Error parameter-2
The error parameters contain additional information about an error. The
contents of the error parameter depend on the type of error.
The "error list" in the "PSS System Manual" describes the information
behind an error entry. The errors can however also be displayed as plain
text messages, i.e. with descriptive text (see section "Display of errors as
plain text").
INFORMATION
Messages are also entered in the error stack which are not error mes-
sages. Instead, these are information messages intended for the user.
These messages neither have an influence on the operating status nor the
program cycle. This could for example be the information that a restart of
the FS section was carried out (error class: F-20; error number: 01).

Display of errors as plain text
The display of errors as plain text, i.e. with a descriptive text, is possible for
example as follows:
• with the system software
Connect the programming device and display the error stack of the PSS
in the system software (PG) (see online help of the system software). A
plain text message is displayed for every error in the error stack. A rem-
edy can be displayed for each error as required.
• with a text display
Connect a text display. If the FS section has changed to the STOP con-
dition because of an error, then the ST section can read out the error
stack or the content of DB000, DW085 ... DW0148 and output a plain
text message to the text display. Standard function blocks from the "Error
evaluation" software package from Pilz can be used for this purpose.

Display of errors on the CPU display
If no error has occurred in the FS or ST section since the last change into
RUN, then the CPU display will show the following:
0000
Any error which has occurred is displayed, e.g.:

F-06
The errors saved in the error stack can be displayed on the CPU display by
pressing the "Error stack" button.
Display on 1st and 2nd generation controllers
Press and hold the error stack button. The data for the first entry in the
error stack are shown on the display in sequence, e.g.:
F020
Error class (hexadecimally encoded)

Entry number in error stack
(hexadecimally encoded)
ID for the FS/ST section
F = error in FS section
C=20 S = error in the ST section

ID for the error class
N=03
Error number (hexadecimally encoded)
ID for the error number
Release the error stack button again, then press and hold it again. The
data for the next entry in the error stack are now displayed, e.g.:

F106

S = error in the ST section
C=06
ID for the error class
N=07
AT ID for "The first error parameter follows"
FFFE Error parameter -1
PARA ID for "The second error parameter follows"
INFORMATION
It depends on the error whether or not error parameters are displayed. The
way in which the error parameters should be interpreted also depends on
the error. The error parameters for every error are described in detail in the
"Error list" in the "PSS System Manual". Help on the evaluation of the data
in the error parameters can be found in the section "Evaluation of the error
parameters" in this chapter.

If you press and hold the error stack button again, then the data for the
next entry will be displayed. After the last entry in the error stack the
display goes back to the first entry.
Display on 3rd generation controllers
Briefly press the error stack button.

If the CPU display showed "0000" before the error stack button was
pressed, the data for the first entry in the data stack will now be shown in
sequence on the display.
If an error was displayed before the error stack button was pressed
(e.g. "F-06"), then the data for this error will be displayed in sequence, i.e.
the display starts with the entry of the last error which occurred, not with
the first entry in the error stack.
Example:
ER02
ID for the entry number in the error stack
F-06

S = error in the ST section
N-02

AT ID for "An error parameter follows"

The data display is repeated three times, then the rotation mode stops and
the CPU display reverts back to its initial status.
If you wish to have the data for the next entry in the error stack displayed
as well, then you should briefly press the error stack button while the rota-
tion mode is still running.
In this way you can get the system to display the entire error stack.
To manually exit the rotation mode, press the error stack button for at least
3 seconds.
If the operating status changes while the rotation mode is active (e.g. due
to the operation of a selector switch on the PSS, or due to the FS section
changing to the STOP condition in response to an error), then the rotation
mode is also stopped.
If an entry in the error stack has error parameters, the system displays
error parameter-1 first and then error parameter-2. The display is intro-
duced through an ID:
PARA
ID for "An error parameter follows"
AT
For some errors a range is indicated, e.g. the first and last defective input
of a module:
0318 Address 3.18
TO ID for a range specification
0320 Address 3.20

INFORMATION
It depends on the error whether or not error parameters are displayed. The
way in which the error parameters should be interpreted also depends on
the error. The error parameters for every error are described in detail in the
"Error list" in the "PSS System Manual". Help on the evaluation of the data
in the error parameters can be found in the section "Evaluation of the error
parameters" in this chapter.
On PSS with an FS operating system version ≥ 60, further information can

be called up after the final error entry.
To do this, briefly press the error stack button while the final error entry is
still running in rotation mode.
The ID “OrNo” is displayed, followed by the order number in rotation mode.
If you press the error stack button again, the next ID will be displayed,
followed by the data in rotation mode. This way you can call up all the
information.
OrNo ID for “The PSS order number follows”
0030 Order number, e.g. 301 200
1200
SrNo ID for “The PSS serial number follows”
0016 Serial number, e.g. 165 668
5668

IPAd ID for “The IP address of the Ethernet interface
follows”1)
169. IP address, e.g. 169.254.060.001
254:
060.
001
SubN ID for “The subnet mask of the Ethernet interface

follows”1)
255. Subnet mask, e.g. 255.255.255.240
255:
255.
240
R-IP ID for “The IP address of the Router follows”1)
169. IP address, e.g. 169.254.060.001
254:
060.
001
ETH ID for “The port for the Ethernet Configurator follows”1)
Port, e.g. 18080

0001
8080

PG ID for “The port for PSS WIN-PRO follows” 1)
0000 Port, e.g. 1025
1025
DHCP ID for “DHCP information follows” 1)
ON DHCP is activated
VERS ID for “Versions follow”
FS60 FS operating system version, e.g. 60
SB05 SafetyBUS p bus version, e.g. 5
S101 ST operating system version, e.g. 101
1)
Only on PSS with Ethernet interface and an FS operating system version
≥ 60. This information is only available if the network connection is active.
This can take 1 to 2 minutes after a PSS cold start.

Evaluation of the error parameters
In order to evaluate the error parameters of an error, you will first need to
look at the "Error list" in the "PSS System Manual" to see what the content
of the error parameters is for the particular error (e.g. "Block" or "Slot
number"). You can then interpret the display on the CPU according to the
content.
Each error parameter corresponds to one data word in the error stack. As
the CPU display has four digits, the error parameters are usually displayed
as a hexadecimal number. The two left-hand digits on the display corres-
pond to the left data byte (DL) and the two right-hand digits to the right
data byte (DR).
Table for converting hexadecimal code into binary code:
Hexadecimal Binary Hexadecimal Binary

0 0000 8 1000
1 0001 9 1001
2 0010 A 1010
3 0011 B 1011
4 0100 C 1100
5 0101 D 1101
6 0110 E 1110
7 0111 F 1111
Example: FFFB -> 1111 1111 1111 1011

The error parameters listed below require a special evaluation. All other
error parameters are numbers in hexadecimal format or, if specified expli-
citly in the error list, numbers in decimal format.
Absolute address, decimal

4-digit display, decimal code
• DL corresponds to the slot number
• DR contains the bit address
Example: The display "0318" corresponds to the address "3.18"
Absolute address, hexadecimal

4-digit display, hexadecimal code
The hexadecimal code on the display needs to be converted into binary
code.
• Bit 0 … 4: Bit section of address
• Bit 5 … 15: Slot number
Example: The conversion of the display "00B1" into binary code yields
"0000 0000 1011 0001". The resulting address is "5.17".
Block
• DL indicates the block type
08 = DB
10 = SB
20 = PB
40 = FB
80 = OB
• DR contains the block number in hexadecimal code

Bit sequence
2 or 4-digit display in hexadecimal code
The hexadecimal code on the display needs to be converted into binary
code.
With 1st and 2nd generation controllers, the defective inputs/outputs on

module and wiring errors are output as a bit sequence. Each bit in the bit
sequence corresponds to one input/output on the module.
Bit = 1 means that the corresponding input/output is error-free, and bit = 0
means that the corresponding input/output is faulty.
Bit numbers in the bit sequence

15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
corresponding bit address on the upper sub-slot

of a single-pole I/O module
15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
corresponding bit address on the lower sub-slot

of a single-pole I/O module
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16
corresponding bit address on the upper sub-slot

of a dual-pole I/O module
7- 6- 5- 4- 3- 2- 1- 0- 7+ 6+ 5+ 4+ 3+ 2+ 1+ 0+
corresponding bit address on the lower sub-slot

of a dual-pole I/O module
23- 22- 21- 20- 19- 18- 17- 16- 23+ 22+ 21+ 20+ 19+ 18+ 17+ 16+
In order to determine the absolute bit address, you also need to know the
slot and sub-slot. These details can be found in error parameter-2.

Example table for a faulty bit on an upper sub-slot
Hexadecimal Conversion to Bit address

code on the binary code
CPU display single-pole dual-pole
FFFE 1111 1111 1111 1110 X.00 X.00+
FFFD 1111 1111 1111 1101 X.01 X.01+
FFFB 1111 1111 1111 1011 X.02 X.02+
FFF7 1111 1111 1111 0111 X.03 X.03+
FFEF 1111 1111 1110 1111 X.04 X.04+
FFDF 1111 1111 1101 1111 X.05 X.05+
FFBF 1111 1111 1011 1111 X.06 X.06+
FF7F 1111 1111 0111 1111 X.07 X.07+
FEFF 1111 1110 1111 1111 X.08 X.00-
FDFF 1111 1101 1111 1111 X.09 X.01-
FBFF 1111 1011 1111 1111 X.10 X.02-
F7FF 1111 0111 1111 1111 X.11 X.03-
EFFF 1110 1111 1111 1111 X.12 X.04-
DFFF 1101 1111 1111 1111 X.13 X.05-
BFFF 1011 1111 1111 1111 X.14 X.06-
7FFF 0111 1111 1111 1111 X.15 X.07-

Example table for a faulty bit on a lower sub-slot
Hexadecimal Conversion to Bit address

code on the binary code
CPU display single-pole dual-pole
FFFE 1111 1111 1111 1110 X.16 X.16+
FFFD 1111 1111 1111 1101 X.17 X.17+
FFFB 1111 1111 1111 1011 X.18 X.18+
FFF7 1111 1111 1111 0111 X.19 X.19+
FFEF 1111 1111 1110 1111 X.20 X.20+
FFDF 1111 1111 1101 1111 X.21 X.21+
FFBF 1111 1111 1011 1111 X.22 X.22+
FF7F 1111 1111 0111 1111 X.23 X.23+
FEFF 1111 1110 1111 1111 X.24 X.16-
FDFF 1111 1101 1111 1111 X.25 X.17-
FBFF 1111 1011 1111 1111 X.26 X.18-
F7FF 1111 0111 1111 1111 X.27 X.19-
EFFF 1110 1111 1111 1111 X.28 X.20-
DFFF 1101 1111 1111 1111 X.29 X.21-
BFFF 1011 1111 1111 1111 X.30 X.22-
7FFF 0111 1111 1111 1111 X.31 X.23-
INFORMATION
If more than one input/output is faulty, then there will be a 0 at the relevant
positions.
Example: "FAFB" corresponds to "1111 1010 1111 1011", i.e. the
bits 10, 8 and 2 are defective.

Error code
2 or 4-digit display in hexadecimal code
The error code is used by Pilz for fault diagnostics. The error code cannot
be evaluated by the user.
I/O group
00 ... 1F = Hexadecimally coded number of the I/O group
FE = All I/O groups which are assigned to the LD
FF = All I/O groups
Item
2-digit display in hexadecimal code
00 = Item 0, corresponds to I/OD A
FF = Item 1, corresponds to I/OD B
Sub-slot
00 = Total module
(for single-pole I/O modules: Bit addresses 0 ... 31;
for two-pole I/O modules: Bit addresses 0+/- ... 23+/-)
01 = Upper sub-slot
02 = Lower sub-slot

Diagnostics
Various tools are available for fault diagnostics in the system software (PG):
• Variable display
• Dynamic program display
Variable display
In the system software (PG), the values of any operand(s) from one or
more blocks are displayed as part of the variable display. The system can
also display the absolute addresses of the safety system (e.g. inputs and
outputs).
Information on how to display the variables can be found in the online help
of the system software (PG).
Fig. 8-2: Variable display in PSS WIN-PRO

Dynamic program display
When a block is shown in dynamic program display in the system software

(PG), the contents of the indirect addresses, operands, RLO, accumulator
and auxiliary accumulator are shown next to the program code.
Information on how to perform the dynamic program display can be found

in the online help of the system software (PG).
Fig. 8-3: Dynamic program display in PSS WIN-PRO

Appendix
System data blocks
Data blocks are available for communication between the FS user program
or the system software (PG) and the operating system. The tables below
give an overview of their assignment.
DB000
DB000 contains general program data. It cannot be changed from the user
program.
INFORMATION
DB000 can only be read from the standard section.
Data Word Format Assignment

000 KY Current year
Byte 1: 00
Byte 2: 00 ... 99
001 KY Byte 1: Current month 01 ... 12
Byte 2: Current day 01 ... 31
002 KY Byte 1: Current hour 00 ... 23
Byte 2: Current minute 00 ... 59
003 KY Byte 1: Current second 00 ... 59
Byte 2: free
004 KH FS operating system version
005 KH Hardware version
006 KH Reserved
007 KH Current scan time in ms
008 KH Max. scan time in ms since the
FS section was last started
009 KH Current FS block run time in ms
010 KH Max. FS block run time in ms since the
FS section was last started
011 KH Current ST block run time in ms
012 KH Max. ST block run time in ms since the
ST section was last started

Appendix
DB000 continued

013 KH Duration of the self-test in ms
014 KH Indication of what is shown on the CPU display:
0 = user data, see DW015
1 = FS error ("F-xx")
3 = ST error ("S-xx")
015 KH If DW014 = 0: User data (hexadecimal figure) from
the CPU display
If DW014 = 1: Error class of FS error
If DW014 = 3: Error class of ST error
016 ... 019 KH Reserved
020 ... 043 KH Actual configuration of the ST section
DW020: Code for module on slot 0
...
DW043: Code for module on slot 23:
044 ... 083 KH Reserved
084 KH Indicator pointing to current error entry
KH 1st error entry:
085 Bit 0 … 7: Error class
Bit 8: If = 1 => it is an FS-error
If = 0 => it is an ST-error
Bit 9 ... 15: ID of the microprocessor
086 Bit 0 … 6: Error number
Bit 7: If = 1 then error parameters -1/-2 are
present
089 ... 092 KH 2nd error entry
093 ... 096 KH 3rd error entry
097 ... 100 KH 4th error entry

DB000 continued

149 KH Internal software version, microprocessor A
150 KH Internal software version, microprocessor B
151 KH Internal software version, microprocessor C
152 KH Internal hardware version, microprocessor A
153 KH Internal hardware version, microprocessor B
154 KH Internal hardware version, microprocessor C
155 KH ST operating system version
156 KH Internal hardware version of the ST section
157 ... 163 KH Operating system CRC sum
164 KH FS user program CRC sum
165 ... 168 KC Short name of FS user program
169 KH Link date of FS user program: Year
170 KY Link date of FS user program
DL: Month
DR: Day
171 KY Link date of FS user program
DL: Hour
DR: Minute
172 KH Version of SafetyBUS p interface
173 ... 176 - Reserved

Appendix
DB000 continued

177 KH SafetyBUS p bus version (SBp protocol)
178 ... 179 - Free
180 ... 181 KH IP address of Ethernet interface1)
182 ... 183 KH Subnet mask of Ethernet interface1)
184 ... 185 KH IP address of Router1)
186 KH Port for the Ethernet Configurator1)
187 KH Port for PSS WIN-PRO1)
188 KH DHCP information1)
1 = DHCP is activated
189 - Reserved
190 ... 195 - Free
196 KY Year
Byte 1: 00
Byte 2: 00 ... 99
197 KY Byte 1: Month 01 ... 12
Byte 2: Day 01 ... 31
198 KY Byte 1: Hour 00 ... 23
Byte 2: Minute 00 ... 59
199 KY Byte 1: Second 00 ... 59
Byte 2: Type of time details in DW 196 ... 199
0 = Relative time (time that has elapsed
since the programmable safety system
was first switched on)
1 = Absolute time (system time on
the programmable safety system)
200 ... 220 KH Parameters for operating system calls in
the ST section
221 ... 239 - Free

DB000 continued

240 ... 399 FS program downloads, resets of the remanent
FS-DBs and changes to the system time are
logged in data words 240 to 399.2)
Each entry is 10 data words long. The most recent
entry is always in DW240 ... DW249 and moves
older entries to the following data words.
Entry for FS program download:

1st DW CRC sum (KH)
2nd - 5th DW Short name (KC)
6th DW Link date, Bit 0 … 15 (KH)
7th DW Link date, Bit 16 … 31 (KH)
8th DW Download date, Bit 0 … 15 (KH)
9th DW Download date, Bit 16 … 31 (KH)
Entry for change to system time:

1st DW 0000 (KH)
2nd DW 0001 (KH)
3rd DW Old date, Bit 0 ... 15 (KH)
4th DW Old date, Bit 16 ... 31 (KH)
5th DW New date, Bit 0 ... 15 (KH)
6th DW New date, Bit 16 ... 31 (KH)
7th - 9th DW Free
Entry for resetting the remanent FS-DBs:

1st DW 0000 (KH)
2nd DW 0002 (KH)
3rd DW Resolution (KH)
If = 1, manual
If = 2, automatic
4th DW Date, Bit 0 ... 15 (KH)
5th DW Date, Bit 16 ... 31 (KH)
6th - 9th DW Free

Appendix
DB000 continued

Date details
Time details may be relative or absolute,
depending on DW199, Byte 2.
Absolute time details:
Bit 0 ... 5: Second
Bit 6 ... 11: Minute
Bit 12 ... 15: Month
Bit 16 ... 20: Hour
Bit 21 ... 25: Day
Bit 26 ... 31: Year (maximum 63)
Relative time details:

Bit 0 ... 5: Second
Bit 6 ... 11: Minute
Bit 12 ... 15: Day, upper 4 Bit
Bit 16 ... 20: Hour
Bit 21 ... 31: Day, lower 11 Bit
240 ... 249 1st entry (most recent entry)
250 ... 259 2nd entry
260 ... 269 3rd entry
270 ... 279 4th entry
280 ... 289 5th entry
290 ... 299 6th entry
300 ... 309 7th entry
310 ... 319 8th entry
320 ... 329 9th entry
330 ... 339 10th entry
340 ... 349 11th entry
350 ... 359 12th entry
360 ... 369 13th entry
370 ... 379 14th entry
380 ... 389 15th entry
390 ... 399 16th entry

DB000 continued

400 KY Device version (identical to the information on
the type label)
DL: Figure before the decimal point
DR: Figure after the decimal point
401 KH Reserved
402 KH Serial number (high word)
403 KH Serial number (low word)
404 KH Reserved
405 KH Order number (high word)
406 KH Order number (low word)
407 KH Reserved
408 ... 423 KC Name of PLC in plain text
424 KH Device data CRC sum
425 KY Programming date of device data
DL: Month
DR: Day
DL: Free
DR: Year
427 ... 499 KH Reserved for further device data
1)
Only on PSS with Ethernet interface and an FS operating system version
≥ 60. This information is only available if the network connection is active.
2)
Only on PSS with an FS operating system version ≥ 60.

Appendix
DB001
DB001 contains, among other things, messages of the operating system

calls and information for selective shut down.
000 KH No. of PII read attempts
001 KH Version identifier
Bit 0 = 1: PSS supports selective shut down
Bit 1 = 1: PSS supports SafetyBUSp 0
Bit 2 = 1: PSS supports SafetyBUSp 1
Bit 3 = 1: PSS can operate without a battery
002 ... 199 free
200 ... 220 KH Parameters of the operating system calls
in the FS section
221 ... 399 KH Reserved for selective shut down (can only be
read by PSS with selective shut down)
400 KY Device version (identical to the information on
the type label)
DL: Figure before the decimal point
DR: Figure after the decimal point
401 KH Reserved
402 KH Serial number (high word)
403 KH Serial number (low word)
404 KH Reserved
405 KH Order number (high word)
406 KH Order number (low word)
407 KH Reserved
408 ... 423 KC Name of PLC in plain text
424 KH Device data CRC sum
DL: Month
DR: Day
DL: Free
DR: Year
427 ... 499 KH Reserved for further device data

DB002
DB002 contains the PSS configuration data. It is created by the

PSS configurator (system software) and cannot be changed by the user
program.

000 KF FS block run time in ms
001 KF ST block run time in ms
002 KF Minimum scan time in ms
FFFF = no min. scan time configured
003 KF No. of PII read attempts
004 KF Maximum delay of digital inputs in ms
005 KF Maximum alarm reaction time in ms
FFFF = no max. alarm reaction time configured
006 KH Operating system version
007 ... 014 KY ID for operating system version
015 ... 018 - free
019 KF System software version (PG)
020 ...037 KH Registered hardware
DW 020: Code for sub-slot 0
.
.
.
038 ... 083 - Reserved
084 ... 099 - free

Appendix
DB002 continued

Configuration of the read segments
Configuration of the first read segment
100 KY DR:
1 = Read at each scan change
2 = Read on request (SB255, FUNK = 25)
DL:
0 ... 8 = Slot number
101 KY DR: Reserved

DL:
0 ... 7 = Start address of the read segment
102 KF Match algorithm

0 = Comparison
1 = Minimum value without sign
2 = Arithmetic average value without sign
3 = Maximum value without sign
4 = Minimum value with sign
5 = Arithmetic average value with sign
6 = Maximum value with sign
103 KF 0 ... 65535 = tolerance
104 ... 107 Configuration of the second read segment

. .
. .
. .
384 ... 387 Configuration of the last read segment
The end of the list of configured read segments

is marked by having the value 255 entered
instead of a slot number.
388 ... 399 - Free

DB002 continued

Configuration of the output segments
Configuration of the first output segment
400 KY DR:
1 = Output at each scan change
2 = Output on request (SB255, FUNK = 29)
DL:
0 ... 8 = Slot number
401 KY DR: Reserved

DL:
0 ... 7 = Start address of the output segment
402 ... 403 Configuration of the second output segment

. .
. .
. .
542 ... 543 Configuration of the last output segment
The end of the list of configured output segments

is marked by having the value 255 entered
instead of a slot number.
544 ... 549 - Free
Test pulse configuration
550 KY DR:
0 ... 15 = Number of the last used test pulse output
255 = no test pulses used
DL:
0 ... 1 = sub-slot on which the test pulse outputs
are located
551 KM Test pulse assignment sub-slot 0, test pulse 0

. .
. .
. .
838 KM Test pulse assignment sub-slot 17, test pulse 15

Appendix
DB002 continued

Configuration of the alarms
840 KY Assignment to OB140
DR:
0 ... 17 = Sub-slot number of the alarm module
DL:
0 = No alarm
1 = Alarm at rising edge
2 = Alarm at falling edge
3 = Alarm at rising and falling edge

. . .
. . .
. . .
DB003
The parameters for the various operating system calls in the FS section
(functions of the SB255) are transferred in DB003.

000 ... 199 Free
200 ... 220 Enable parameters for FS operating system calls

Operating system calls with SB255
FUNK Description page

1 Defining the number of test slices for the self-test of 6-17
the safety system
2 Deactivate power-up test of DOS outputs 1)
21 Amending match algorithms for read segments 6-8
of word modules
25 Reading in read segments 6-9
29 Outputting output segments 6-10
32 Output of hexadecimal numbers to the CPU display 6-38
50 Confirm reset of remanent DBs 4-6
100 Operating system calls for the selective shut down 2)
...
109
111 SafetyBus p: Stopping I/O groups 3)
115 SafetyBus p: Starting I/O groups 3)
118 SafetyBus p: Data exchange with domains 3)
...
147
151 Poll 32-bit timer 4-9
200 Configuration of the user interface 6-27
201
202
204 Sending via the user interface 6-31
205
206
208 Receiving via the user interface 6-33
210
211
1)
This operating system call is not for use on all PSS-range system
controllers. It can only be used with DOS outputs. Refer to the operating
manual of the module or compact controller used.
2)
refer to the selective shut down System Description
3)
refer to the SafetyBUS p System Description

Appendix
Changes in the documentation
Changes in Version 18 645-09
The System Description was completely revised.
Old New Change

page page
4-4 4-4 New: Non-volatile data blocks
5-1 5-1 New: Diagnostic configuration
6-14 6-14 ST block run time at least 5 ms when using
non-volatile data blocks
6-24 6-24 New: FS status flag M113.07 and M113.08
6-34 6-35 CRC calculation: Changed value range for STRT
8-12 8-12 New: PSS information that can be called up via the
error stack button
9-1 9-1 Layout of DB000: DW172 to DW399
Old New Change

page page
- 4-3 New: Definition of "non-volatile"
4-4 to 4-4 to "Data memory" section amended
4-6 4-6
6-24 6-24 FS status flag M113.07 deleted
FS status flag M113.08 amended
Old New Change

page page
4-2 4-2 New: Ability to operate PSS with an FS
operating system version >= 70 without a battery

Index
A C
Access rights 6-25 Category 3-1
Accumulator Central processing unit 4-3
Display 8-22 Channels 2-1
Addresses Checksum calculation 6-35
Display 8-21 Code
Addressing 5-6 Binary 8-15
Alarm detection time 6-21 Error code 8-20
Alarm inputs 6-19 Hexadecimal 8-15
Number of 6-20 Commissioning
Alarm OB 6-20 Recommissioning 7-2
Alarm processing 6-18 Communication
Alarm reaction time 6-20 FS - ST 6-23
Alarms 6-18 User interface 6-26
Alignment 4-3, 6-3, 6-6 Communication flags 6-23
Alignment algorithm/match algorithm 6-6 Compact PSS 2-3, 4-1
Change 6-8 Configuration 5-2
Alignment attempts 6-3 Block run time 6-14
Allocation table 5-2 Changing 7-3
Arithmetic flags 6-23 Scan time 6-13
Auxiliary accumulator Configuration data block
Display 8-22 User interface 6-28
Configurator 5-2
Controller
B Compact 2-3, 4-1
Base module rack 4-2 Modular 2-2, 4-1
Battery 4-2 Counter bit 4-9
Binary code 8-15 Counter word 4-9
Bit encoding 8-17 Counters 4-9
Bit numbers 5-6 Display status 8-21
Bit sequences 8-17 CPU 4-3
Block run time 6-11 CPU display 4-9, 6-38
Definition of 6-14 Error display 8-8
Blocks 5-2 CRC calculation 6-35
Data blocks 4-4, 5-2 Cycle OB 5-8
Interface configuration-DB 6-28 Cyclic switch-off test 4-11
Receive-DB 6-33
Send-DB 6-32
Function blocks 5-2
Organisation blocks 5-2, 5-8
Alarm organisation block 6-20
Error organisation blocks 8-2
Program blocks 5-2
Standard function blocks 5-2, 5-8
Bus 4-3

Index
D Error number 8-6

Error organisation block 8-2
Data blocks 4-4, 5-2
Error parameters 8-6
Interface configuration-DB 6-28
Evaluation 8-15
remanent 4-5
Error stack 8-5
Read-only 4-4
Button 4-9
Read-write 4-4
Displaying 8-8
Receive-DB 6-33
Errors
Send-DB 6-32
Display 8-7
System data blocks 9-1
displaying 8-8
Data memory 4-4
Ethernet-2 interface 4-7
Read only 4-4
Expansion module 4-2
Read write 4-4
Expansion module rack 4-2
Data transfer 5-4
Data words 4-4
Display status 8-21 F
DB000 9-1
Failsafe section 2-1
DB001 9-4
Fatal error 6-40
DB002 9-9
FBD 2-4
DB003 9-12
Fixed flags 6-23
Diagnostic configuration 5-3
Flags
Diagnostics 8-8, 8-21
Arithmetic flags 6-23
DIF inputs 6-19
Communication flags 6-23
Digital test 4-11
Display status 8-21
Display 4-9, 6-38
Fixed flags 6-23
Display 6-38
Status flags 6-24
Flash EPROM 4-4
Error display 8-7, 8-8
Floating 6-21
Error stack 8-8
FS section 2-1
Variables 8-21
FS selector switch 4-10
Diversity 2-1, 3-1
Function Block Diagram 2-4
DL 4-4
Function blocks 5-2
DR 4-4
Function test
Dual port RAM 4-7
Cyclic switch-off test 4-11
DW 4-4
Digital test 4-11
Inputs 6-37
FUNK 50 4-6
E
EN 1 050 3-1 H
EN 954-1 3-1
Hexadecimal code 8-15
Error
Fatal 8-4
Major 8-3
Minor 8-2
Module error 8-2
Error class 8-6
Error code 8-20
Error list 8-6
Error management 8-1

I Module errors 8-3
Module rack 4-2
IL 2-4
Modules
Input modules 4-11
Output modules 4-11
Input modules 4-11
Testing 6-37
Inputs N
Alarm inputs 6-19
No FS 6-40
Display status 8-21
Non-volatile 4-4
Function test 6-37
Process image 6-2
Pulsing 6-37 O
Reading in 6-1 OB101 5-8
Instruction List 2-4 OB124 8-2
Interface adapter 5-4 OB125 8-2
Interface configuration-DB 6-28 OB127 8-2
Interfaces Operating states
Programming device interface 4-7 Fatal error 6-40
RS 232 4-7 No FS 6-40
RS 485 4-7 RUN 6-40
User interface 4-8, 6-26 STOP 6-40
Configuring 6-27 Operating system calls 5-9, 9-13
Receive 6-33 Organisation blocks 5-2, 5-8
Send 6-31 Alarm organisation blocks 6-20
Item 8-20 Output
Direct 6-1
L Via process images 6-2
Output block
Ladder Diagram 2-4
FS section 6-13
LD 2-4
ST section 6-13
Linking 5-3
Output module 4-11
Output segments 6-4
M Outputting 6-10
Outputs
Measurement and control protection devices 3-1
Display status 8-21
Memory
Process image 6-2
Data memory 4-4
Writing to 6-1
Dual port RAM 4-4
Flash EPROM 4-4
Program memory 4-4 P
Message errors 8-6 PB 6-1
Messages Periphery access
Displaying 6-38 Direct 6-1
Microprocessor 4-3 Via process images 6-2
Minimum scan time 6-13 Periphery bytes 6-1
Modular PSS 2-2, 4-1 Periphery words 6-1
Module PG interface 4-7
Addressing 5-6 PII 6-2
Module error 8-2 PII read attempts 6-3

Index
PIO 6-2 ST section 6-13

Plain text messages 8-7 Read segments 6-4
Power supply 4-2 Update 6-9
Process alarms 6-18 Read-only 4-5
Process image 6-2 Read-write 4-5
Inputs 6-2 Receive-DB 6-33
Outputs 6-2 Recommissioning 7-2
Program 5-1 Redundancy 3-1
Changing 7-3 Reset block 6-11
Start 4-10 Restart 4-5
Stop 4-10 Result of logic operation
Transfer 5-4 Display 8-22
Program blocks 5-2, 6-11 Risk assessment 3-1
Program cycle 6-11 Risk categories 3-1
Program display RS 232 4-7
Dynamic 8-22 RS 485 4-7
Accumulator 8-22 RUN 6-40
Auxiliary accumulator 8-22
Indirect addresses 8-22
Inputs 8-22
S
Outputs 8-22 Safety guidelines 3-1
Result of logic operation 8-22 Safety requirements 3-1
Word operands 8-22 SafetyBUS p
Program memory 4-4 Configuration 5-3
Program scan time 6-11 SB254, FUNK=50 4-5
Program transfer 5-4 SB255 5-9, 9-13
Programming 5-1 FUNK 1 6-17
Programming device 2-4 FUNK 151 4-9
Interface 4-7 FUNK 200 6-27
Programming languages 2-4 FUNK 201 6-27
Programming model 5-1 FUNK 202 6-27
Project 5-1 FUNK 204 6-31
Create 5-3 FUNK 205 6-31
Protection devices 3-1 FUNK 206 6-31
PSS FUNK 208 6-33
Compact 2-3, 4-1 FUNK 21 6-8
Modular 2-2, 4-1 FUNK 210 6-33
PSS configuration 5-2 FUNK 211 6-33
PSS configurator 5-2 FUNK 24 6-9
PSS WIN-PRO 2-4 FUNK 29 6-10
PW 6-1 FUNK 32 6-38
FUNK 50 4-5
Scan time 6-11
R Definition of 6-14
Reaction time Minimum 6-13
Alarm reaction time 6-20 Scan time block 6-13
Read attempts 6-3 Selector switch 4-10
Read block Self-monitoring 3-1
FS section 6-12 Self-test 6-16

Send-DB 6-32 U
Signals
User interface 4-8, 6-26
Infrequent operation 6-37
Configuring 6-27
Single fault tolerance 3-1
Receive 6-33
Slot 5-6
Send 6-31
Slot number 5-6
User program 4-3, 4-4, 5-1
ST section 2-2
Changing 7-3
ST selector switch 4-10
Cycle 6-11
Standard function blocks 5-2, 5-8
Error 8-2
Standard section 2-2
Start-up 6-11
Start-up block 6-11 V
Start-up procedure 4-9 Voltage return 4-10
States
Fatal error 6-40
No FS 6-40 W
RUN 6-40 Word modules
STOP 6-40 Alignment algorithms/match algorithms 6-6
Status flags Change 6-8
FS section 6-24 Output segments
ST section 6-25 Outputting 6-10
STOP 6-40 Read segments
Sub-slots 5-6 Update 6-9
Supply voltage 4-2 Tolerance 6-4
System data 4-4 Word operands
System data blocks 9-1 Display 8-22
System error 8-4 Write protection 4-5
System software 2-4
T
Test block 6-13
Test pulse outputs 6-37
Test slices 6-13, 6-16
Defining the number of 6-17
Tests 4-11
Cyclic switch-off test 4-11
Digital test 4-11
Inputs 6-37
Self-test 6-16
Time base 4-8
Time value 4-8
Timer 4-8
Timers
Display status 8-21
Times
Alarm reaction time 6-20
Block run time 6-11
Scan time 6-11

Index
Notes

18 645-12, 2008-12 Printed in Germany
© Pilz GmbH & Co. KG, 2008
•… • www
In many countries we are www.pilz.com
represented by our subsidiaries
and sales partners.
• Technical
Please refer to our homepage
for further details or contact our support
headquarters. +49 711 3409-444
Pilz GmbH & Co. KG

Felix-Wankel-Straße 2
73760 Ostﬁldern, Germany
Telephone: +49 711 3409-0
Telefax: +49 711 3409-133
E-Mail: pilz.gmbh@pilz.de

PSS FS System Description 18644-En-12

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PSS FS System Description 18644-En-12

Uploaded by

Copyright:

Available Formats

PSS-Range

Modular and compact PSS

Programmable control systems PSS®

FS System Description – Item No. 18 645-12

Structure (hardware) 4-1

PSS-Range: FS System Description 1

Selector switch 4-10

2 PSS-Range: FS System Description

Fault diagnostics and rectification 8-1

PSS-Range: FS System Description 3

4 PSS-Range: FS System Description

This System Description forms part of the PSS system manuals. It

PSS-Range: FS System Description 1-1

Information in this manual that is of particular importance can be identified

1-2 PSS-Range: FS System Description

The PSS-range comprises modular safety systems and compact program-

Control and monitoring Control of

Fig. 2-1: Functions of the FS section and the ST section

The failsafe section (FS section) processes all of the safety-related

PSS-Range: FS System Description 2-1

The standard section (ST section) processes all non-safety-related tasks

The basic system of a modular safety system comprises a module rack, a

2-2 PSS-Range: FS System Description

PSS-Range: FS System Description 2-3

Configuration and programming

A PSS-range safety system needs to be configured and programmed for

Programming can be performed in three different programming languages:

2-4 PSS-Range: FS System Description

Technical safety requirements

EN 954-1 offers another option for risk assessment.

PSS-Range: FS System Description 3-1

Category Requirement Risk evaluation Safety

Please refer to EN 954-1 for the detailed text.

3-2 PSS-Range: FS System Description

Category Product groups

Risk assessments must be carried out individually for each application.

PSS-Range: FS System Description 3-3

Component Redundancy and/or

S Severity of potential injury

F Frequency of occurrence of hazardous situations

P Possibility of avoiding the hazard

B, 1-4 Categories for safety-related parts of control systems

Fig. 3-1: Risk evaluation

3-4 PSS-Range: FS System Description

Fig. 3-2: Lathe

If no safety devices are in place there is an extremely high risk of an acci-

PSS-Range: FS System Description 3-5

Fig. 3-3: Classification of categories

The risk assessment results in category 4.

3-6 PSS-Range: FS System Description

A compact controller combines the following units in a single housing:

Modular safety system

The modular safety systems are composed of the following units:

PSS-Range: FS System Description 4-1

Two additional expansion module racks for ST modules can be connected

The battery acts as a buffer for the CPU memories.

4-2 PSS-Range: FS System Description

In the CPU, the FS user program is processed by independent micropro-

The different processing times of the processors need synchronising when

PSS-Range: FS System Description 4-3

Some memories are non-volatile. Non-volatile means that data is retained

There are three types of data blocks:

4-4 PSS-Range: FS System Description

PSS-Range: FS System Description 4-5