Supported platforms: CODESYS 3.5 SAFETY
This section describes the structure of a safety project and which parts of the project are safety related.
This guide also gives a basic outline of what MultiTool Creator generates and when.
Code template reviewing focuses on safety related code.
Generated safety project's code template shall be reviewed:
1. Verify that the correct components are generated according to selections made in MultiTool Creator (see sections below)
2. Verify that safe / non-safe definitions in the generated code template are according to this guide
The following basic structure is always generated for a safety project.
The device version shall be verified that it matches the MultiTool Creator selection.
The version can be checked by opening the device (double click) and then opening the device's information tab.
Libraries required for safety projects are listed in Safety project prerequisites.
A safety project is generated using the default library versions of a safety control unit.
Versions are defined by the selected CODESYS device description.
All required libraries are automatically added to the generated code template.
Verify that the libraries included in CODESYS device description are using default version.
This can be done by opening the device's Library manager and opening the Placeholders menu.
The Info column has Resolved by device to indicate that the default library version is used.
Two tasks are automatically generated for a safety project.
|
|
SafePRG_TASK priority value shall be lower (better priority) than NonSafePRG_TASK. |
|
|
Task with better priority can interrupt lower priority task. |
SafePRG_TASK
Task priority 0
Task type Cyclic
Task interval 10ms
Watchdog: Enabled, 10ms
NonSafePRG_TASK
Task priority 1
Task type Cyclic
Task interval 10ms
Watchdog: Disabled
This chapter defines all the global variable and constant lists used by a safety project.
By default, global variable lists in a safety control unit application are in safety context.
Non-safety related global variable lists need to be defined using a location attribute: {attribute 'location':='16#800'}
See also Safety project guidelines.
When a global variable list has "No" in the Safety context column (see tables below), by default all of them shall have a location attribute defined.
|
|
The following non-safety related global variable lists do not have location attribute defined:
For more information, see "Type not allowed in EVLs" issue in Known issues. The variables in these global variable lists are automatically moved to non-safety context by compiler detecting them as non-safe library implementations. |
|
|
When a global variable list has "Yes" in Safety context column (below), they shall not have location attribute defined. |
|
|
X in a CAN related global variable list name is replaced by the corresponding CAN bus number. |
The following variable lists are generated in the folder CodeTemplate\Constants.
Constants can be used in safety and non-safety related code since they are read-only.
|
Name |
Safety context |
Condition to Generate |
Description |
|
G_CONSTANTS |
Yes |
Always |
Contains constants used in code template (e.g. generated diagnostic limits) |
The following variable lists are generated in the folder CodeTemplate\Globals.
|
Name |
Safety context |
Condition to Generate |
Description |
|
G_CAN |
No |
Always |
CAN-channel definitions |
|
G_Common |
No |
Always |
Contains variables common for all CANs, e.g. parameter system handlers and images which are used by code template. |
|
G_Logs |
No |
Always |
Application log data |
|
G_StatusFlags |
No |
Always |
Code template non-safety flags |
|
G_StatusFlags_Safe |
Yes |
Always |
Safety related code template flags |
|
G_SystemInfo |
No |
Always |
Information about the project and the unit |
The following variable lists are generated in folder CodeTemplate\CANopen_CANX.
|
Name |
Safety context |
Condition to Generate |
Description |
|
G_CANX_PAR |
No |
Parameters or Safety Parameters defined |
Non-safe OD variables for all application parameters. Variables are stored in non-volatile memory. |
|
G_CANX_RPDO |
No |
Receive PDO-messages defined |
Variables received in PDO messages |
|
G_CANX_RSRDO |
No |
Receive SRDO-messages defined |
Variables received in SRDO messages. These variables are in non-safe context but are also used by safety related code template (S_Validate_SRDOs_CANx program). |
|
G_CANX_SPAR |
Yes |
Safety Parameters defined |
Validated safety parameter values Safety related application template updates values from OD variables on bootup if safety parameter CRCs are valid. |
|
G_CANX_TPDO |
No |
Transmit PDO-messages defined |
Variables transmitted in PDO messages |
|
G_CANX_TSRDO |
No |
Transmit SRDO-messages defined |
Variables transmitted in SRDO messages. These variables are in non-safe context but are also used by safety related code template (S_Create_SRDOs_CANx program). |
|
G_CANX_VAR |
No |
CANopen initialized |
Variables stored in volatile memory (RAM parameter) and defined in OD. All the other OD variables that do not belong to any of the other G_CANx groups. |
|
G_CANopen_CANX |
No |
CANopen initialized |
CANopen related function blocks and struct variables for code template. |
|
G_CANopen_CANX_Mappings |
No |
PDO or SRDO messages defined |
PDO and SRDO mappings |
|
G_CANopen_CANX_Slave_Configurations |
No |
Slave control units selected to be configured |
Variables for each configured slave control unit. |
|
G_CANopen_CANX_VAR |
No |
CANopen initialized |
CANopen related variables that the code template uses (basic datatypes and enumerations). |
The following variable lists are generated in the folder CodeTemplate\Events.
|
Name |
Safety context |
Condition to Generate |
Description |
|
G_Events_CANX |
No |
Event system initialized (Events defined) |
Event system variables for code template. |
The following variable lists are generated in the folder CodeTemplate\J1939.
|
Name |
Safety context |
Condition to Generate |
Description |
|
G_J1939 |
No |
J1939 PGNs defined |
Application J1939 data |
|
G_J1939_CANX_RPGN |
No |
J1939 Receive PGNs defined |
Receive PGN & SPN variables |
|
G_J1939_CANX_TPGN |
No |
J1939 Transmit PGNs defined |
Transmit PGN & SPN variables |
|
G_J1939_FB |
No |
J1939 PGNs defined |
J1939 function block instances for code template |
All code template code is generated in programs.
Safety project code template does not contain any actions or methods because of CODESYS restrictions for non-safety code (see also Safety project guidelines).
All code template non-safety application POUs are generated under the folder CodeTemplate\POUs.
All code template safety application POUs are generated under the folder CodeTemplate\SafePOUs.
|
|
Safe PRG setting in POU Properties... > SIL2 Properties is automatically set ON for POUs which have "Yes" in the safety context column below. This is also indicated by a yellow icon in the project tree. See Safety project guidelines for more information. |
|
|
X in a CAN related POU name is replaced by the corresponding CAN bus number. |
The following POUs are generated in the folder SafePOUs.
|
Name |
Safety context |
Condition to Generate |
Description |
|
S_Inputs |
Yes |
Always |
All safety related input code is generated. Safety application shall use input data from this program. |
|
S_Outputs |
Yes |
Safety related output I/O defined |
All safety related output code is generated. Safety application shall control outputs through this program. |
|
S_PLC_PRG |
Yes |
Always |
Safety related program entry point. Calls the safety related user application "S_Main". |
The following POUs are generated in the folder SafePOUs\Initializations.
|
Name |
Safety context |
Condition to Generate |
Description |
|
S_CopyValidatedParameters |
Yes |
Safety Parameters defined |
Copy validated safety parameters from OD to safe variables (from G_CANX_PAR to G_CANX_SPAR). |
|
S_Init_IO |
Yes |
Always |
Initialize the I/O of the Safety Control Unit. Both the non-safe and safe I/O is initialized here. |
|
S_ValidateConfigurations |
Yes |
Safety Parameters or SRDO messages defined |
Check that safety parameters are valid and SRDO signatures are valid. If they are not, safe operation of the application is not allowed. |
|
S_ValidateParameters_CANX |
Yes |
Safety Parameters defined |
Check that safety parameter CRCs match with the ones saved to the non-volatile memory. |
|
S_ValidateSRDOSignatures_CANX |
Yes |
SRDO messages defined |
Check that SRDO signatures match the ones set by MultiTool. |
The following POUs are generated in the folder SafePOUs\RuntimeCode.
|
Name |
Safety context |
Condition to Generate |
Description |
|
S_Create_SRDOs_CANX |
Yes |
Transmit SRDO messages defined |
Create transmit SRDO variables from Safe variables. Updates OD-data located in G_CANX_TSRDO. |
|
S_Safety_Status |
Yes |
Always |
Check the conditions for enabling safe operation. Resulting status is written to S_SafeOperationEnable located in G_StatusFlags_Safe. |
|
S_ValidateAccessCode_CANX |
Yes |
Safety Parameters defined |
Before adjusting safety parameters, check that user has given a valid access code. |
|
S_Validate_SRDOs_CANX |
Yes |
Receive SRDO messages defined |
Check that plain and inverted values received from SRDO messages in G_CANX_RSRDO match, and time limits of receiving SRDOs have not been exceeded. |
The following POUs are generated in the folder POUs
|
Name |
Safety context |
Condition to Generate |
Description |
|
NVMemory |
No |
Always |
Handles OD parameter and fast parameter reading and writing to/from non-volatile memory |
|
Inputs |
No |
Non-safety related input I/O defined |
All non-safety related input code is generated. Non-safety application shall use input data from this program. |
|
Outputs |
No |
Non-safety output I/O defined |
All non-safety related output code is generated. Non-safety application shall control outputs through this program. |
|
PLC_PRG |
No |
Always |
Non-safe program entry point. Calls the non-safety related user application "Main". |
The following POUs are generated in the folder POUs\Initializations.
|
Name |
Safety context |
Condition to Generate |
Description |
|
Init_CAN |
No |
Always |
Initializes CAN channels |
|
Init_CANopen_CANX |
No |
CANopen initialized |
Initializes CANopen protocols |
|
Init_CANopen_ODX |
No |
CANopen initialized |
Initializes CANopen OD indexes |
|
Init_Entry |
No |
Always |
Reads system information and initializes random number generator |
|
Init_Events |
No |
Event system initialized (Events defined) |
Initializes event system for EventLog library |
|
Init_J1939_CANX |
No |
J1939 PGNs defined |
Initializes J1939 protocol's PGN messages |
The following POUs are generated in the folder POUs\RuntimeCode.
|
Name |
Safety context |
Condition to Generate |
Description |
|
Handle_CANopen_CANX |
No |
CANopen initialized |
Update CANopen protocols |
|
Handle_Diagnostic |
No |
Always |
Run non-safe diagnostics, update SystemOk flag located in G_StatusFlags. |
|
Handle_Firmware_Errors |
No |
When SafeErrorLog library is available |
Reads latest firmware errors to application log. Executed by PLC_PRG when firmware is in error state. |
|
Handle_J1939_CANX |
No |
J1939 PGNs defined |
Update J1939 protocol |
Source file topic100550.htm
Last updated 19-Dec-2024
