2 system description – BECKHOFF EL6900-FB User Manual

System description

Function blocks for TwinSAFE logic terminals

9

2 System description

The TwinSAFE system consists of safe inputs (EL/KL1904), safe outputs (EL/KL2904) and logic modules
(KL6904/EL6900). The TwinSAFE logic terminal (KL6904/EL6900) contains function blocks, which can be
parameterized and connected to each other and form the safety-related logic. Free programming is not
possible. In addition to the non-safety-related logic configuration a fieldbus configuration is required for
mapping the TwinSAFE data packets. These functions are realized via the TwinCAT System Manager.
The safety-related TwinSAFE Verifier, which is available at the moment as a separate installation, deals
with the loading and testing of the TwinSAFE project onto the EL6900/KL6904.

The TwinSAFE logic terminal can communicate, via the fieldbus-independent and certified TwinSAFE-
protocol with safe input and output terminals, and also via further logic terminals. The TwinSAFE protocol
is a Safety over EtherCAT (FSoE) protocol with one byte of safe user data. It is openly available via the
EtherCAT Technology Group (www.ethercat.org).

2.1 TwinSAFE logic terminals EL6900/KL6904

The configuration of a TwinSAFE logic terminal consists of function blocks that are consolidated into one
or several TwinSAFE groups. TwinSAFE groups can be started and stopped independently of each other.

The execution sequence of the function blocks corresponds to the TwinCAT System Managers project
structure sequence illustrated. This sequence can be changed in the System Manager by Drag’n Drop.

The function blocks have parameters which must be configured by the user.

The inputs and outputs of the function blocks are assigned to the inputs and outputs of the TwinSAFE
terminals, to other function blocks or to the input and output variable of the standard PLC by the user.

A TwinSAFE connection involves unambiguous assignment of a TwinSAFE device (EL/KL1904,
EL/KL2904, EL6900/KL6904) to TwinSAFE group. Only function blocks which belong to this TwinSAFE
group can be linked with the input and outputs of an assigned TwinSAFE connection. The DECOUPLE
block can be used if it is necessary for other groups to access the inputs and outputs (see chapter 3.6).

Errors of the TwinSAFE communication within the TwinSAFE group and errors within a function block
affect the complete TwinSAFE group. The TwinSAFE group then stops all associated function blocks,
which then switch their outputs into a safe state.

Errors in the TwinSAFE Logic result in it switching off completely.

2.1.1

TwinSAFE group

The function blocks are assigned to TwinSAFE groups. These have a characteristic that results in the
return of all group outputs to a safe state (a safe state is always a wattless state at the output,
corresponding to a logical 0) such as, in case of a communication error of an assigned TwinSAFE
connection, in case of an error in assigned function blocks (e.g. excessive discrepancy time) or an error in
the local assigned outputs. I.e. the TwinSAFE connection data and thus TwinSAFE input or output
terminal are always exactly assigned to a TwinSAFE group.

A communication error is displayed on the output (COM ERR) of the TwinSAFE group and acknowledged
on the input (ERR ACK). A function block error is displayed on the output (FB ERR) and acknowledged
on the same input (ERR ACK) as the communication error. An error on the local outputs (only KL6904) is
displayed on the third output (OUT ERR) and once again acknowledged (ERR_ACK) on the same input.
The safe state of the TwinSAFE group outputs is removed once the error is no longer present and has
been acknowledged.

The error acknowledgement is not carried out automatically, i.e. the "ERR ACK" input must always be