Scribd
Upload
235 views

02-Safeethernet 12 e F

Safe ethernet HIMA

Uploaded by

Dario Faoro
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
235 views

02-Safeethernet 12 e F

Safe ethernet HIMA

Uploaded by

Dario Faoro
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 67

HIMA Training

SILworX safeethernet

Contents:
1

General ............................................................................................ 3

Principle, initial situation as example ............................................ 3

Interface settings (Hardware editor) .............................................. 4

Safeethernet Variables ................................................................... 6


4.1

Communication settings (safeethernet editor) ............................. 7


5.1
5.1.1

5.2
5.2.1
5.2.2

5.3
5.4

7.1.1
7.1.2
7.1.3
7.1.4

7.2
7.3
7.3.1
7.3.2
7.3.3
7.3.4
7.3.5
7.3.6

7.4
7.5
7.6
7.7

Set link properties ................................................................................................. 9


Basic link properties ...................................................................................................... 9
Advanced link properties (since SILworX V6) ........................................................... 11

Assign variables to communication .................................................................. 12


Check (or set) fragment definitions (optional) .................................................. 13

Safeethernet diagnostic block (in logic) (System Variables) ........................... 14


Basic check safeethernet communication ........................................................ 16
Check for sporadic or historical errors ............................................................. 18
Check transmitted data....................................................................................... 19
Check safeethernet signatures .......................................................................... 20

Basics .................................................................................................................. 21
Precondition.................................................................................................................. 21
Update existing link (<V6) for safeethernet Reload (V6) ........................................ 21
Safeethernet signature (SE signature) and Dual Configuration .............................. 27
Possible changes and impact on Dual Configuration, restrictions ........................ 29

Add/delete (new) link including communication signals.................................. 30


Add/delete communication signals in existing link (Dual Configuration) ....... 31
Standard procedures ................................................................................................... 31
Standard procedure (golden rule) in detail ................................................................ 34
Standard procedure (Check list for print out!) .......................................................... 36
Guidelines and additional user information (CG and Online) ................................. 41
Accident scenarios (overview).................................................................................... 43
Accident scenarios (details)........................................................................................ 50

Change safeethernet parameters ....................................................................... 58


Special case: Communication partner is not in the same project ................... 59
Information in Version comparison ................................................................... 60
Check SE Signature in a project backup ........................................................... 63

Appendix ....................................................................................... 64
8.1

Multiple links (new with V6) ........................................................................................... 8

Safeethernet Reload ..................................................................... 21


7.1

Create links, assign interfaces ............................................................................. 7

Diagnosis....................................................................................... 14
6.1
6.2
6.3
6.4
6.5

Create Safeethernet variables .............................................................................. 6

Safeethernet principle (simplified) ..................................................................... 64

Changes......................................................................................... 67

02-Safeethernet_12_e_F.docx

SILworX

Page 1/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

Page 2/67

SILworX

SILworX safeethernet

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
1

SILworX safeethernet

General

This document was created with SILworX Version 6.48.


In case you have SILworX version 5 or lower use the step guidance version 05-1.
To be able to use all new possible functions (multible links, reload) the hardware need an operation system which
supports all functions of SILworX V6.

Minimal needed OS version

SILworX Version V6
HIMax CPU and
COM
Remote I/O CPU

6.x
-

HIMatrix
F* 01/02

CPU

COM

HIMatrix
F* 03

CPU

10.x

COM

15.x

HIMatrix
M45

CPU

10.x

COM

15.x

Table 1.1: Needed operating system

Principle, initial situation as example

For general information and hints about possible network structures please read the
communication manual.
In this manual we show the setup for a redundant communication between two HIMax
resources.
In our example the Local Resource is called PES10, the Target Resource is called
PES20
PES10 has System ID = 10
PES20 has System ID = 20
Standard settings are finished (see First Step Manual)

Fig 2.1

02-Safeethernet_12_e_F.docx

SILworX

Page 3/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
3

SILworX safeethernet

Interface settings (Hardware editor)

Recommendation for IP addresses:


By principle every IP address is possible.
In order to meet a simple and understandable addressing principle and to avoid network
problems we recommend as follows:
-

For redundant networks use different network addresses in module within a system,
determined by an according Subnet mask.

Use the System ID as Host address for easy orientation

Example:
Subnet Mask: 255.255.255.0 for both CPUs
PES10 (System ID=10), CPU on slot 3: IP address = 192.168.1.10
PES10 (System ID=10), CPU on slot 4: IP address = 192.168.2.10
So 1 and 2 identifies the two redundant networks, the last number 10 (Host address) is
identical to the System ID.
Open Hardware Editor of PES10:

Fig 3.1: Hardware overview

Page 4/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Set IP address of CPUs:


The parameter Code generation must be in accordance to the loaded operating system in
the hardware.

Fig 3.2: Interface setting for CPU in slot 3

Fig 3.3: Interface settings for CPU in slot 4

Set IP addresses of PES20 accordingly:


PES20 (System ID=20), CPU on slot 3: IP address = 192.168.1.20
PES20 (System ID=20), CPU on slot 4: IP address = 192.168.2.20

02-Safeethernet_12_e_F.docx

SILworX

Page 5/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
4
4.1

SILworX safeethernet

Safeethernet Variables
Create Safeethernet variables

Safeethernet variables must be created on a common level. In our case it is the


configuration, but it could be also the project level!
Any data type is possible, even arrays or structured variables.

Fig 4.1: Variable defenition

Page 6/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
5

SILworX safeethernet

Communication settings (safeethernet editor)

Edit safeethernet in the Resource.


(Doesnt matter where you start, the settings in the partner Resource are automatically
matched)

5.1

Create links, assign interfaces

Drag the partner Resource into the upper table in order to create a communication link
between this Resource and the partner Resource.

Fig 5.1: Create a safeethernet link

Enter a name for the link:

Fig 5.2: naming a link

Result:

Left
CPU
local

Right CPU
local

Left
CPU
target

Right CPU
target

Fig 5.3: Interface overview

02-Safeethernet_12_e_F.docx

SILworX

Page 7/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Check the IP addresses and set properly if required.


Therefore select the available IP addresses out of the drop down menu.
The IP addresses of the PES are set in the Hardware editor as a property of CPU and COM
modules. See chapter 3 .

Fig 5.4: Eventual disconnection of the second line of a link

If no redundancy existing set None for the second channel.


5.1.1

Multiple links (new with V6)

The transport capacity per link and direction is limited to 1100 Byte.
Please note: 1 Bool = 1 Byte
1 Word = 2 Byte
1 Real = 4 Byte
Drag the same communication partner again into the table in order to create another link:

Fig 5.5: Creating a second link to the same communication partner

Result:

Fig 5.6: Link list

Page 8/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
5.2

SILworX safeethernet

Set link properties

5.2.1

Basic link properties

For every link you can set several parameters in order to adjust the link properties with
respect to the physical environment and expected time behavior.
For details refer to the communication manual.

Fig 5.7: Linkparameters

Recommendations for the most important settings:

Profile: Fast&Noisy (switched network, 100/1000Mbit), matches 98% of cases!

Receive Timeout (Rcv TMO) 4 x Delay + 5 x max. cycle time


Delay: Delay on the transmission path, e.g. due to switches or satellite.
For the calculation of max. cycle time weve two options:
In the most conservative calculation the max. cycle time = the greater Watchdog time
of both communication partners
(example: PES10 with Watchdog = 100ms, PES20 with Watchdog = 200ms, no relevant
delays,
=> Receive Timeout = 5 x 200ms = 1000ms)
or optimized since version 3 (Silworx and Firmware):
Set in the properties of the Resource a value for Target Cycle Time and the Target
Cycle Time to dynamic-tolerant or (if periodic behavior is needed) fixed-tolerant. This
means only during Reload or synchronization of a CPU the HIMax does exceed the set
Target Cycle Time eventually only one time. Normally the cycle time remains less the
Target Cycle Time.
Watch the cycle time statistic for some time. If the indicated Maximum is quite stable
you can use the Target Cycle Time value for calculating the max. Cycle Time in the
formula.
This normally allows using smaller values then the Watchdog Time, anyway you should
set the Target Cycle Time to be sufficient for synchronizing a CPU (see Safety Manual).

02-Safeethernet_12_e_F.docx

SILworX

Page 9/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

Response Time (Rsp t) Receive Timeout/2

Behavior on Connection Loss

SILworX safeethernet

Fig 5.8: Behavior on connection lost

For safety related links the setting must be Use Initial Value or a calculated time.
This parameter is relevant for safety! Please see also the Safety Manual
Rest of parameters is automatically calculated based on the selected Profile.
For a better understanding see also chapter 8.1
Please note:
A Receive Timeout of (e.g.) 5 seconds means also after disconnect it takes up to 5
seconds to reestablish the communication!

Code Generation
This parameter is new with version 6 and appears at the very right end of the table:
The default value might not match to the system. So it is needed to check this parameter.

Fig 5.9: Codegeneration parameter

For in V6 newly generated links the (default) value is automatically set to V6 and higher.
This setting is basically a preparation for safeethernet Reload and should only be set if
the communication partners support the new features (firmware compatible to V6, see
table Table 1.1 needed operating system).
For converted (old) projects the parameter is set to Up to V6

Fig 5.10: Codegeneration parameter

Do not change unless both communication partners are updated to a firmware


compatible to SILworX V6!

Page 10/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
5.2.2

SILworX safeethernet

Advanced link properties (since SILworX V6)

Safeethernet link ID safeethernet address

Fig 5.11: Link ID

The link ID is generated automatically but can be modified also.


The ID is part of the safeethernet address, for example used in online displays or
messages:
Example: Control Panel

1
2
3

Target System ID
Rack ID (e.g. for RIOs)
Link ID

Fig 5.12: Multible link list

Timing Master

Fig 5.13: Timing master

As default the partner with the lower System ID is set as Timing Master.
If modifying time settings only this partner must be reloaded, the other partner (called:
Timing Slave) automatically accepts the new time settings.

02-Safeethernet_12_e_F.docx

SILworX

Page 11/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
5.3

SILworX safeethernet

Assign variables to communication

Edit safeethernet in one of the communication partners.


Click Edit in the context menu of the link or double-click the line number:

or
Fig 5.14: Open the link editor

Hint:
If not working and the message following appears in the logbook, safe the safeethernet editor
and try again!
Fig 5.15: Error message

Assign the variables from the lower list into the upper lists. Regard the communication
direction!
(Multi selection of variables is possible!)

Fig 5.16: Assignment of the communication variables

Variables of various data types can be mixed and get automatically addresses according a
certain principle. The internal addresses are not important for the user and therefore
invisible.

Page 12/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
5.4

SILworX safeethernet

Check (or set) fragment definitions (optional)

Default: One fragment with priority 1. Recommendation: Keep default!


Priority 1 means, the telegram is transmitted each cycle, what is normal!
Only change the value if the frequency must be reduced, e.g. if facing load problems.
Consider the consequences: Slower update rate, impact on timing parameters etc.

02-Safeethernet_12_e_F.docx

SILworX

Page 13/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
6
6.1

SILworX safeethernet

Diagnosis
Safeethernet diagnostic block (in logic) (System Variables)

Therefore create in both resources in the Global Variables the according variables.

Fig 6.1: Defining the global variablas for the system variables

Edit the link again.


Every safeethernet link provides System Variables.
The System Variables used by partner PES_10 (our example!) appear in tab PES_10.
The System Variables used by partner PES_20 (our example!) appear in tab PES_20.
Assign Global Variables to some of the System Variables:

Fig 6.2: Assigning variables to the system variables

The meaning of all System Variables is explained in the Communication manual chapter 4.4.
Remark:
Even not assigned System Variables can be monitored Online in the Force Editor!
For the logic we provide a FB using the System Variables for diagnosis.
This FB is available from HIMA customer support or training department.
Page 14/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Fig 6.3: Diagnose function block

The most important information is the status of redundancy. You can transmit any diagnosis
information into a target scada or DCS system.

02-Safeethernet_12_e_F.docx

SILworX

Page 15/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
6.2

SILworX safeethernet

Basic check safeethernet communication

For details please see the communication manual. In chapter safeethernet you find the
meaning of all diagnostic data and also hints how to check a safeethernet communication
Check the status of safeethernet links in the Control Panel.
In example we see 4 links, including OPC Server.

Fig 6.4: Ckecking the connection state

Check State, must be Connected.


Check timing and enhanced link information:
First reset the safeethernet statistic. Right mouse click to the word safeethernet in the CP:

Fig 6.5: Resetting the safeethernet statistic

Select a link in order to see detailed link information:

Fig 6.6: Checking the link individual datas

Check Rsp t (Response Time) statistic and compare it to the set values for Receive
Timeout and Resend Timeout. See chapter 5.2 set link properties and 8.1 in the appendix
Check Errors, Rsnd (Resends), Succeeded (No. of Reconnections) and Early (Queue
Usage), if communication is working well these counters should not count up and normally
after a reset of statistic remain on zero.
Page 16/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Check (if existing) the redundant channels:


Both channels are used in parallel and transmitting the same telegrams. Of course always
one of them is the first. This fact and even the time delays between are visible in the
diagnostic.

Fig 6.7: Channel quality

Coding of the quality (Extraction of communication, manual chapter safeethernet)

Fig 6.8: Bitmeanibgs of the channel quality

The normal indication is 15 or 7, randomly changing between the channels.


15 means: Bit 0, 1, 2 and 3 are set channel connected and providing the first messages.
7 means: Bit 0, 1 and 2 are set channel connected but not the first.
Example for an error, channel 2 is not working:

Fig 6.9: Not connected second channel

Check Channel state and delays:

Fig 6.10: Channel state

Fig 6.11: Bitmeanibgs of the channel state

In example Channel 1 is OK, the redundant Channel (2) is not OK!


02-Safeethernet_12_e_F.docx

SILworX

Page 17/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
6.3

SILworX safeethernet

Check for sporadic or historical errors

First reset in CP the system error statistics:

Fig 6.12: Resetting the error and warning statistic

Check counter Communication Errors:

Fig 6.13: Checking the communication errors

Check counter Communication Warnings

Fig 6.14: Checking the communication warnings

Page 18/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Safeethernet can be performed by the CPU or COM modules.


Check the diagnostic buffer of both redundant modules, used in reality for safeethernet (see
the settings in the safeethernet editor, chapter 5.1.

1
2
3
4

HH network stands for HIMA-HIMA network, another word for safeethernet


Node-id= System_ID-Rack_ID-Link_ID of the communication partner
MAC-Address of the communication partner
IP-Address of the communication partner

Fig 6.15: Checking the module diagnose of a CPU or COM module

6.4

Check transmitted data

Start Force Editor and check the Global Variables (Global forcing):
In Register Inputs you find the safeethernet data, which this PES receives from a certain
communication partner:

Fig 6.16: Checking the transmitted data in the Force Editor tab Inputs

02-Safeethernet_12_e_F.docx

SILworX

Page 19/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
6.5

SILworX safeethernet

Check safeethernet signatures

Check and compare the safeethernet signatures in the CPs.


There must be always a matching couple of signatures.
For detailed explanation see chapter 7.1.3
If no matching signatures found the link is down and safeethernet is not working at all!
Remedy:
Start Code generation for both communication partners and load both PES.
Use safeethernet Reload, if possible. See chapter 7
:

Fig 6.17: checking the signatures of all links between the two partners

Page 20/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7

SILworX safeethernet

Safeethernet Reload

7.1

Basics

7.1.1
Precondition
The precondition for loading a new or changed safeethernet link by reload is to have an
operating system compatible to SILworX V6 or higher.
See therefor the Table 1.1 Needed operating system
How to load an operating system is described in following documents or the system manuals:
HIMax Diagnostic
HIMatrix Specials
7.1.2

Update existing link (<V6) for safeethernet Reload (V6)

Please note: All below mentioned preparations/updates will lead to a new Code
Version!
1. Convert project to SILworx V6 (or higher)
2. Update firmware of CPU and, if used for safeethernet links, also COM
Follow the firmware update procedures (System Manual, Release Notes)
Consider the consequences of stopping a module.
3. Prepare CPU, COM and the links for safeethernet Reload:
Settings required for safeethernet Reload:
Link properties:
The parameter Codegen must be set to V6 and higher
The parameter is in the table on the very right:

Fig 7.1: Changing the link property

02-Safeethernet_12_e_F.docx

SILworX

Page 21/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

HW Editor::
CPU properties: Code Generation Up to V6 V6 and higher
This parameter does not exist in a module which is new in version 6 or higher.

Fig 7.2: Changing the safeethernet reload property in the CPU

COM properties: Code Generation Up to V6 V6 and higher

Fig 7.3: Changing the safeethernet reload property in the COM

Background:
The setting is related to the new feature: Timing Master.
The setting Timing Master allows to change time settings (e.g. receive timeout) only
at the Timing Master Resource. The Timing Slave Resource accepts the new time
settings without another Reload. If Code Generation is set to V6 and higher the
Code Version of Resource Timing Slave does not change after next Code
Generation.
In older versions the setting Receive Timeout was also used for the timeout of HH
ping command. With the setting V6 and higher the timeout for HH ping has a fixed
value.
Now the CPU or COM does not block the Reload if Receive Timeout is changed.
The HH ping timeout is now set fix on 2 seconds.
Note:
Depending on existing settings this change sometimes requires a Cold Reload
of the COM module.
4. Generate the Code with reload option for both partners
During Code Generation appropriate messages appear:

Fig 7.4: Code Generation Messages

5. Reload both partners. Dont do a download if you have a reload code in this situation.
6. Repeat the points 4 and 5 a second time.
See update procedure next page.
Page 22/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Update procedure from link property up to V6 to V6 and higher


(see also chapter 7.3)
Editor
Set V6
+ del DC
-

Partner A
Action
CG
Reload
-

SIG N
E2<V6
E2<V6
E2<V6
E2<V6
E2<V6

SIG N+1
E2<V6
E3gen V6
E3genV6
E3loadV6
E3V6

Partner B
Action
CG
Reload

SIG N
E2<V6
E2<V6
E2<V6
E2<V6
E2<V6

SIG N+1
E2<V6
E2<V6
E3gen V6
E3genV6
E3loadV6

Reaction
Link on E2
Link on E2
Link on E2
Link on E2
Link on E3

CG
Reload
-

E3gen V6
E3genV6
E3loadV6
E3V6

E3V6
E3V6
E3V6
E3V6

CG
Reload

E2<V6
E3gen V6
E3genV6
E3loadV6

E3V6
E3V6
E3V6
E3V6

Link on E3
Link on E3
Link on E3
Link on E3

Table 7.1: Action-Sequence for changing the link properties per Reload

DC: Dual Configuration, in the safeethernet configuration are 2 signature versions

02-Safeethernet_12_e_F.docx

SILworX

Page 23/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Information in Version Comparison if changing from up to V5 to V6 and higher


Example configuration (PES_10, System-ID 10):
- CPU in Rack 0 Slot 3
- CPU in Rack 0 Slot 4
- COM in Rack 0 Slot 5
- Safeethernet link from PES_10 to OPC Server-A (System-ID 101)
- Safeethernet link from PES_10 to OPC Server-B (System-ID 102)
- Safeethernet link from PES_10 to PES_20 (System-ID 20)
-

Suppose all above mentioned preparations had been carried out and now we compare the
old configuration (up to V5) with the new configuration (V6 and higher).

In CPU and COM the hh.config file is indicated because the property Code Generation has
changed to V6 and higher
Ke.config shows the newly generated System Variable Versions-Zustand.
Thats normal if the link property has changed to V6 and higher.
No further meaning.

Safety Advice
Ke.config must not show any further indications, such as changed
offsets for safeethernet variables.
Otherwise contact HIMA support!

Page 24/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

cpcsip.config:

Configuration File Version changes automatically when Extended Configuration has


changed to On, what means the link property V6 and higher.
Since Version 6 the new feature Timing Master exists (see above, same chapter).
If the link property V6 and higher is set, SILworX selects one of the two communication
partners as a Timing-Master. The other partner is getting Timing-Slave.
The selection is random from a user point of view!
In example the Timing-Master was selected on OPC-Server-A, on OPC-Server-B and on
PES_10. Point of view is PES_10:

For the Timing-Slave (thats where the Remote Partner is Timing-Master) all relevant
time settings are set to maximum value, what means deactivated, because the really active
time settings are now only set by Timing-Master.

02-Safeethernet_12_e_F.docx

SILworX

Page 25/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

For the Timing-Master Max.Receive Timeout and Max. Resend Timeout change to
maximum value. These parameters are normally invisible for the user.
The change is due to system internal reasons and not relevant.

Page 26/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

7.1.3
Safeethernet signature (SE signature) and Dual Configuration
Safeethernet is a safety communication in SIL3 quality.
One of the safety features is the safeethernet signature (SE signature).
Actually the SE signature is a CRC code, describing e.g. the data layout of transmitted data.
The SE signatures are created during the Code Generation and get part of the loaded
(Reload or Download) configuration.
Safeethernet communication between two communication partners is only working if both
partners have identical SE signatures.
In example below we assume theres only one SE signature existing (SILworX V2 V5)
Partner A:
SE signature: E2

Link valid - working

Partner B:
SE signature: E2

Imagine a safeethernet modification and Download of Partner A:

Partner A:
SE signature: E3

Link invalid not working

Partner B:
SE signature: E2

Please note:
Invalid, not working link, means all transmitted variables are reset to initial values.
Consider the consequences for the process.
The challenge:
In order to achieve above mentioned conditions we must reach identical SE signatures within
both partners after carrying out a safeethernet modification.
We, as human, can execute the Reload only one by one!
Consequently for the meantime between loading both partners the system must be able to
deal with two different SE signatures.
As long the two partners find an identical SE signature the link remains valid.
Its the challenge to ensure this condition all the way during the safeethernet Reload
procedure!

02-Safeethernet_12_e_F.docx

SILworX

Page 27/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

The solution (SILworX V6):


After safeethernet modification and Reload of Partner A:
Partner A
Link status
SE Signature N
E2
Link still active on E2
SE Signature N+1
E3

Partner B
E2
E2

After Reload of Partner B:

SE Signature N
SE Signature N+1

Partner A
E2
E3

Link status
Link now active on E3

Partner B
E2
E3

Table 7.2:

Both partners have now a Dual Configuration

Basic rules generating safeethernet signatures:


Several CG without Reload:
Editor
Partner A
Action
SIG N
E2
SE Mod.1
CG
E2
SE Mod.2
CG
E2
SE Mod.2 undo CG
E2
E2
No SE Mod.
CG
E3

Reaction
SIG N+1
E2
E3gen
E4gen
E3gen
E3
E3

Dual Configuration generated


New Dual Configuration generated
Old Dual Configuration generated
Dual Configuration deleted

Table 7.3

Several CG with Reload


Editor

SE Mod.2 undo
-

Partner A
Action
CG
Reload
CG
Reload
CG
Reload

SIG N
E2
E2
E2
E3
E3
E4
E4

SIG N+1
E2
E3gen
E3load
E4gen
E4load
E3gen
E3load

E4

E3

No SE Mod.

CG
Reload

E3gen
E3load

E3
E3

SE Mod.1
SE Mod.2

Reaction

E2 E3 possible if Partner updated


E3 E4 possible if Partner updated
E4 E3 can leads to link interruption
if E4 was never activated
Link comes back again (if disconnected
before)
Dual Configuration deleted

Table 7.4

Consequence:
As long only Code Generations are executed no critical situations can occur we can
still undo.
But once the first partner is loaded theres no way back! Now we must execute the full
sequence properly and load also the second partner!
Page 28/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.1.4

SILworX safeethernet

Possible changes and impact on Dual Configuration, restrictions

Definition:
Dual Configuration means theres a new configuration with new safeethernet data existing
and also an old PreReload configuration.
Changes creating Dual Configuration, normal Reload possible:
Add/delete/rename safeethernet GV
Add/delete/rename XOPC (DA) GV
Add/delete/rename Events (Name,ID,Severity)
Change Timing Master
Change Event priority
Change link ID
Changes not creating Dual Configuration, normal Reload possible:
Add/delete communication partner
Add/delete link for existing partner
Change timing parameters
Change limits for scalar Events
Changes not creating Dual Configuration, Reload possible - but with link interruption
Change interface (e.g from CPU to COM) COM requires Cold Reload!
Non reloadable changes:
Parameter: Behavior on connection loss
Parameter: Profiles
HIMatrix Remote IO (RIO) connections (neither data nor settings)

02-Safeethernet_12_e_F.docx

SILworX

Page 29/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.2

SILworX safeethernet

Add/delete (new) link including communication signals

This option only exists for PES<>PES communication, not for PES<>XOPC!
HIMax (>=BS V6) and HIMatrix F*03 (>=BS V10) support up to 64 (redundant) links.
Each link transmits 1100 Byte per direction.
Create new link and enter a link name:

Fig 7.5

Enter a unique link ID (in example it would be 4).


Execute (Reload) Code Generation for both partners and Reload both partners.
The sequence of Reloads is not important!
Advantages:
No existing link is touched no risk!
No Dual Configuration created.
No specific procedure required.
(Compare the procedures in chapter 7.3)
Disadvantages:
More links lead to more complexity.
More links increase communication load (Com.Time Slice, cycle time)

Page 30/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.3

SILworX safeethernet

Add/delete communication signals in existing link (Dual Configuration)

This method is optional for PES<>PES communication (see chapter 7.2 Add/delete
(new) link including communication signals) but the only option for PES<>XOPC
communication.
7.3.1

Standard procedures

Color legend:
Highlighted: Change, new activity/status in current step
Pale:
Planed but not executed action
E2
color for E2 signature
E3
color for E3 signature
E4
color for E4 signature
E3gen
new activity: E3 generated by CG, old signature is still in PES (not displayed)
E3load
new activity: E3 loaded during Reload
E2, E3, E4 are placeholders for safeethernet signatures, in reality its a hex-code:

Fig 7.6: SE-Signatures N and N+1

7.3.1.1

Standard procedure PES<>PES communication golden rule

Editor

Partner A
Action
CG
Reload
-

SE Mod.
-

SIG N
E2
E2
E2
E2
E2

SIG N+1
E2
E3gen
E3gen
E3load
E3

Partner B
Action
CG
Reload

Reaction
SIG N
E2
E2
E2
E2
E2

SIG N+1
E2
E2
E3gen
E3gen
E3load

Link on E2
Link on E2
Link on E2
Link on E2
Link on E3

Table 7.5: Standard procedure

7.3.1.2

Standard procedure golden rule + deleting Dual Configuration (DC)

Editor

Partner A
Action
CG
Reload
-

SIG N
E2
E2
E2
E2
E2

SIG N+1
E2
E3gen
E3gen
E3load
E3

Partner B
Action
CG
Reload

SIG N
E2
E2
E2
E2
E2

SIG N+1
E2
E2
E3gen
E3gen
E3load

Link on E2
Link on E2
Link on E2
Link on E2
Link on E3

CG
Reload
-

E3gen
E3gen
E3load
E3

E3
E3
E3
E3

CG
Reload

E2
E3gen
E3gen
E3load

E3
E3
E3
E3

Link on E3
Link on E3
Link on E3
Link on E3

SE Mod.
+ del DC
-

Reaction

Table 7.6: Golden rule inclusive deleting the Dual Configuration

Details and explanation see chapter 7.3.2!


02-Safeethernet_12_e_F.docx

SILworX

Page 31/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.3.1.3

SILworX safeethernet

Standard procedure X-OPC (DA) communication

Editor
OPC DA/AE
-

Partner A (PES)
Action
SIG N
E2
CG
E2
E2
Reload E2
E2

SIG N+1
E2
E3gen
E3gen
E3load
E3

Partner B (X-OPC)
Action
SIG N
E2
E2
CG
E3gen E2ld
E3gen E2ld
Download E3load

Reaction
SIG N+1
E2
E2
E3gen E2ld
E3gen E2ld
E3load

Link on E2
Link on E2
Link on E2
Link on E2
Link on E3

Table 7.7

Recommendation: Now delete Dual Configuration for the PES, see chapter 7.3.1.2
X-OPC does not support Dual Configuration and requires Download!
We recommend the operating sequence: First PES and second X-OPC.
If executing the sequence the other way around, first X-OPC and second PES, the downtime
of the link is much longer (the link goes down immediately after loading the X-OPC) and
during Reload of the PES the following message appears:

Fig 7.7

Normally the link is down anyway and its correct to Resume Reload
Hint:
If two redundant X-OPC server existing its possible to run the update one by one and keep
at any time one X-OPC active.
After updating of first X-OPC server this server will immediately jump to the new
configuration (in our example E3) and the second X-OPC server still remains on the old
configuration (in our example E2)

Page 32/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

7.3.1.4

Standard procedure: Undo SE modification

Editor

Partner A
Action
CG
Reload
-

SIG N
E2
E2
E2
E2
E2

CG
Reload
-

E3
E3
E3
E3

SE Mod.
Undo
SE Mod.
-

SIG N+1
E2
E3gen
E3gen
E3load
E3

Partner B
Action
CG
Reload

Reaction
SIG N
E2
E2
E2
E2
E2

SIG N+1
E2
E2
E3gen
E3gen
E3load

Link on E2
Link on E2
Link on E2
Link on E2
Link on E3

E2gen
E2gen
E2load
E2

CG
Reload

E2
E3
E3
E3

E3
E2gen
E2gen
E2load

Link on E3
Link on E3
Link on E3
Link on E2

Table 7.8

Recommendation: Now delete Dual Configuration, see chapter 7.3.1.2

02-Safeethernet_12_e_F.docx

SILworX

Page 33/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.3.2

SILworX safeethernet

Standard procedure (golden rule) in detail

Every modification of safeethernet data or safeethernet properties requires basically a


Code Generation and Reload for both communication partners.
Its essential for success to follow the procedure consequently!
Phases 1 to 5 must be executed for every safeethernet modification!
Do not interrupt the procedure, do nothing else between!

Code Generation
(Reload option)
Partner A

Safeethernet
Modification

New SE Signature
E3 created

Reload
Partner A

Code Generation
(Reload option)
Partner B

New SE Signature
E3 created

New SE Signature
E3 loaded
Link active on E2

Reload
Partner B

New SE Signature
E3 loaded
Link active on E3

Fig 7.8: Standard procedure for safeethernet change

Until Phase 4 still the old safeethernet configuration E2 is working.


After the Reload in Phase 5 is successfully finished the new safeethernet configuration E3 is
executed!

Page 34/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Delete Dual Configuration


Most safeethernet modifications lead to a Dual Configuration
Then both communication partners still know the old configuration E2 and the new
configuration E3
The Dual Configuration is part of the configuration files and therefore affects the master CRC
(Codeversion).
The Dual Configuration disappears again after a next Code Generation without any
safeethernet modifications.
HIMA recommends to cleanup the Dual Configuration (if any existing) always.
Dont do any
modifications!

Code Generation
(Reload option)
Partner A

Dual Configuration
deleted
Master CRC changes

Reload
Partner A

Code Generation
(Reload option)
Partner B

Dual Configuration
deleted
Master CRC changes

Dual Configuration
in PES deleted

Reload
Partner B

Dual Configuration
in PES deleted

Fig 7.9: Additional activity for deleting the dual configuration

Remark:
Phases 6 to 9 are not mandatory but recommended.
Otherwise the master CRC may change after a Code Generation unexpectedly.
Then use the tool Version Comparison and see the details.
02-Safeethernet_12_e_F.docx

SILworX

Page 35/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.3.3

SILworX safeethernet

Standard procedure (Check list for print out!)

Project
Name:

Configuration
Name:

Link details (name, no.)

Checklist can be used for all safeethernet Reloads!


- If Partner B is X-OPC: No Reload possible Replace Reload by Download
- If Partner B is X-OPC: No Dual Configuration Skip Phase 3 for Partner B
(e.g. enter Done in all lines)
- If safeethernet modification doesnt create a Dual Configuration (e.g. new link, new
partner, time setting etc.) Skip Phase 3 for both Partners
(e.g. enter Done in all lines)

Phase 1: Check correct project basis and Reloadability


This step must be executed only if therere any doubts whether the present project is really
the correct basis for the planned Reload or if its not sure whether Reload is actually working
(correct time settings, Reload allowed etc.)
If Reload already worked several times before (with present project) skip phase 1 (e.g. enter
Done in all lines)
SEQ Action on
Project, Editor

Partner A
Name:

Partner B
Name:

1.1

Check link
status online:

Check link
status online:

1.2

Date/Time

Done

Project
archive

1.3
1.4

CG
(Reload option)
Note CRC (*1):

1.5

CG
(Reload option)
Note CRC (*1):

1.6
1.7

Execute Reload

1.8

Execute Reload

(*1) No CRC change expected!


Page 36/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Phase 2: Carry out planned safeethernet modification and Reload


Most mandatory step!
SEQ

Action on
Project, Editor

2.1

2.2
2.3
2.4
2.5

2.6

Partner A
Name:

Partner B
Name:

Check link
status online:

Check link
status online:

CG
(Reload option)
Check CG
warnings
expected: (*1)
Note CRC:

CG
(Reload option)
Check CG
warnings
expected: (*3)
Note CRC:

2.8

2.9
2.10

Execute Reload

2.11

Check Reload
warnings
(not expected)
Project archive
(automatic):
expected: (*2)
Check link
status online:

2.13

Done

Project
archive
SE
modification

2.7

2.12

Date/Time

02-Safeethernet_12_e_F.docx

Check link
status online:

SILworX

Page 37/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
SEQ

Action on
Project, Editor

Partner A
Name:

SILworX safeethernet
Partner B
Name:

Date/Time

2.14

Execute Reload

2.15

Check Reload
warnings
(not expected)
Project archive
(automatic):
expected: (*2)
Check link
status online:

2.16

2.17

Check link
status online:

Done

Fig 7.10: Checklist for the safeethernet change

(*1) examples!
If Dual Configuration generated:

Fig 7.11

Otherwise no warnings expected.


(*2) example!
Fig 7.12

(*3) example!

Fig 7.13

Page 38/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Phase 3: Delete Dual Configuration (if existing)


This step must be executed if a stable and explainable Code Version (CRC) is always
required.
Skip this step if Code Version (CRC) change is not relevant at all!
Skip this step if the executed safeethernet modification doesnt even create a Dual
Configuration (e.g. new link, new partner, time setting etc.)
(Skip enter Done in all lines)
SEQ Action on
Project, Editor

Partner A
Name:

3.1

CG
(Reload option)
Check CG
warnings
expected: (*4)

3.2

3.3

Date/Time

CG
(Reload option)
Check CG
warnings
expected: (*5)

3.5

3.6

Note CRC:

3.7

Execute Reload
expected:

3.8

Check Reload
warnings
(not expected)
Project archive
(automatic):
expected: (*2)

3.10

Execute Reload
expected:

3.11

Check Reload
warnings
(not expected)
Project archive
(automatic):
expected: (*2)
Check link status
online:
expected: (*6)

3.12

3.13

Done

Note CRC:

3.4

3.9

Partner B
Name:

Check link status


online:
expected: (*6)

Table 7.9: Checklist for deleting the dual configuration

02-Safeethernet_12_e_F.docx

SILworX

Page 39/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

(*4) example!
Fig 7.14

(*5) example!
Fig 7.15

(*6) example!

Fig 7.16

Page 40/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.3.4

SILworX safeethernet

Guidelines and additional user information (CG and Online)

Examples show a communication between Resource PES 10 and OPC Server.


The chapter is related to chapter 7.3.2

Provided info after phase 2 (Code Generation PES 10):


Code Generator (PES 10):
Please watch the warnings from the Code Generator (Example!):

Fig 7.17

The Code Generator is watching whether the newly created Dual Configuration includes a
signature matching to the communication partner (in our example Signature E2 )
Online (CP PES 10):
Example!

Fig 7.18

Version Comparison (PES 10):

Fig 7.19

Signature E2
last loaded

02-Safeethernet_12_e_F.docx

Signature E3
prepared for Reload

SILworX

Page 41/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Provided info after phase 4 (Reload PES 10):


Online (CP PES 10):

Fig 7.20

Signature N: (in our example E2) is still there and active.


Signature N+1(in our example E3 is already prepared and waiting for the update of
communication partner:
Reload status in CP: updated
Com LED on CPU shows Warning
Online (CP PES 20):

Fig 7.21

The communication partner realizes the new Signature (E3), already available for PES 10,
and indicates the
Reload status: outdated
Com LED on CPU shows Warning

After loading the partner the Reload status is back on up to date!

Provided info after deleting the Dual Configuration


In chapter 7.3.1 we recommend to delete the Dual Configuration because of changing the
master CRC.
Info during Code Generation:
Example!

Fig 7.22

(Example! PES10<>PES20_1 is the name of a link, PES_10 the name of the partner)

Page 42/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.3.5

SILworX safeethernet

Accident scenarios (overview)

Accident 1: Deleting Dual Configuration before loading the partner:


Editor

Partner A
Action
CG
Reload
-

SIG N
E2
E2
E2

SIG N+1
E2
E3gen
E3load

Partner B
Action
CG
Reload

Reaction
SIG N
E2
E2
E2

SIG N+1
E2
E2
E2

SE Mod.
- (1)
CG
E3gen E2ld E3
E2
E2
Reload
E3load
E3
E2
E2
(1) Means no SE modification but perhaps other (e.g. logic) modification

Link on E2
Link on E2
Link on E2

Link on E2
Link down

Tabelle 7.1

Problem:
The Dual Configuration in Partner A is deleted. Signature E2 disappears in Partner A, but is
still needed by Partner B. Consequence: The link breaks down!
The mistake is not loading Partner B immediately after Reload of Partner A.
The sequence of Code Generation is actually not important only the sequence of Reloads!
The Code Generator and the System (Firmware) will announce proper warnings, hence the
accident is avoidable!
If respecting the CG warnings and/or firmware warnings theres a way out!
For details see chapter 7.3.6.1 Dual Configuration deleted too early (Accident 1)

02-Safeethernet_12_e_F.docx

SILworX

Page 43/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Accident 2: Yet another SE modification and Reload Partner A again:


Editor
SE Mod1
SE Mod2
-

Partner A
Action
SIG N
E2
CG
E2
Reload E2
CG
Reload

E3gen E2ld
E3load

SIG N+1
E2
E3gen
E3load

E4gen
E4load

Partner B
Action
CG
Reload
-

Reaction
SIG N
E2
E2
E2

SIG N+1
E2
E2
E2

Link on E2
Link on E2
Link on E2

E2
E2

E2
E2

Link on E2
Link down

Tabelle 7.2

Problem:
Partner A creates yet another signature E4 and deletes signature E2. E2 is replaced by E3
but E3 is not yet available by Partner B. Consequence: The link breaks down!
The mistake is not loading Partner B immediately after Reload of Partner A.
The sequence of Code Generation is actually not important only the sequence of Reloads!
The Code Generator and the System (Firmware) will announce proper warnings, hence the
accident is avoidable!
If respecting the CG warnings and/or firmware warnings theres a way out!
Solution:
As long Partner A is not yet loaded (e.g. respecting the warnings) theres still a chance to get
back on track similar to solution in chapter 7.3.6.1 Dual Configuration deleted too early
(Accident 1)
-

Undo Mod2
CG Partner B
Reload Partner B Link on E3
CG Partner A (in order to get proper Online functionalities)
Reload Partner A
Then execute Mod2 again and start the full sequence (golden rule)

Page 44/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Accident 3: Yet another SE modification and Reload Partner B (deadlock):


Editor
Partner A
Partner B
Action
SIG N
SIG N+1 Action
SIG N
SIG N+1
E2
E2
E2
E2
SE Mod1
CG
E2
E3gen
E2
E2
Reload
E2
E3load
E2
E2
CG
Reload
SE Mod2
E2
E3
CG
E2
E4gen
E2
E3
Reload
E2
E4load

Reaction
Link on E2
Link on E2
Link on E2

Link on E2
Link on E2

Tabelle 7.3

Problem:
Partner B creates yet another signature E4.
Both partners are now indicating the Reload status updated and actually waiting for each
other.
The mistake is not loading Partner B immediately after Reload of Partner A.
The sequence of Code Generation is actually not important only the sequence of Reloads!
Up to now nothing serious has happened yet, therefore the Code Generator and the System
(Firmware) will not announce any warnings!
You can never get rid of this situation without a short interruption of the link, means whatever
you do; the next Reload will shut down the link.
This interruption can take up to two times the Receive Timeout value!
See also the basic lesson chapter 7.1.3
Result is a deadlock! Theres no proper way out!
The only remaining solution: Force (if allowed, respecting the safety rules!) all transmitted
variables and execute nevertheless CG and Reload of Partner A (in our example!)
The link will jump (with interruption) from E2 to E4.
Or wait
For more details and screenshots see chapter 7.3.6.2

02-Safeethernet_12_e_F.docx

SILworX

Page 45/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Accident 4: Undo SE modification in wrong sequence:


Editor
Partner A
Partner B
Action
SIG N
SIG N+1 Action
E2
E2
SE Mod1
CG
E2
E3gen
Reload
E2
E3load
E2
E3
CG
E2
E3
Reload
SE Mod2
E2
E3
CG
E2
E3
Reload
Undo
SE Mod2
-

Reaction
SIG N
E2
E2
E2
E2
E2

SIG N+1
E2
E2
E2
E3gen
E3load

Link on E2
Link on E2
Link on E2
Link on E2
Link on E3

E3
E3

E4gen
E4load

Link on E3
Link on E3

CG *

E3gen

E3

E3

E4

Link on E3

Reload

E3load

E3

E3

E4

Link on E3

Tabelle 7.4

CG * : Dual Configuration deleted because new signature is identical to the old signature
Right now (V6.48) no further warnings yet, but in next version!
The sequence of Code Generation is actually not important only the sequence of Reloads!
Up to now nothing serious has happened yet, but its difficult to do the next step correctly.
Option 1 for next step (bad option):
If now updating Partner B we get a short link interruption:
Editor
-

Partner A
Action
-

SIG N
E3
E3
E3

SIG N+1
E3
E3
E3

Partner B
Action
CG
Reload*
-

Reaction
SIG N
E4
E4
E4

SIG N+1
E3gen
E3load
E3

Link on E3
Link down
Link E3 back

Tabelle 7.5

Reload* : During Reload the firmware announces a warning. Hence the accident is
avoidable!

Fig 7.23

Abort Reload!
Option 2 for next step (good option):
Bring Partner A to the same new version (E4) as Partner B (undo undo)
Editor
Back to
SE Mod2

Partner A
Action
SIG N
CG
E3

SIG N+1
E4gen

Partner B
Action
-

SIG N
E3

SIG N+1
E4

Link on E3

Reload

E4load

E3

E4

Link on E4

E3

Reaction

Table 7.10

Page 46/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Accident 5: Code Generation or Reload denied by Partner B (deadlock):


Editor
SE Mod.
-

Partner A
Action
CG
Reload
-

SIG N
E2
E2
E2
E2

SIG N+1
E2
E3gen
E3load
E3

E2

E3

Partner B
Action
CG*
Reload**

Reaction
SIG N
E2
E2
E2
E2
E2

SIG N+1
E2
E2
E2
E3gen*
E2

Link on E2
Link on E2
Link on E2
Link on E2
Link on E2

Table 7.11

CG* Planned action, but Code Generation denied due to existing errors
Reload** Planned action, but Reload denied
Problem:
Partner A is already loaded, but Partner B cannot be loaded due to Code Generator
problems or Reload problems.
The Reload sequence cannot be completed.

Solutions:
If possible make sure the CG for Partner B works again (e.g. fix the errors)
If possible make sure the Reload for Partner B works again.
Thats not yet a real problem as long the fixing the problem only affects Partner B.
But its getting a real Problem if fixing the problem would require another CG and Reload of
Partner A
See next page

02-Safeethernet_12_e_F.docx

SILworX

Page 47/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Example for a deadlock scenario:


The CG for Partner B was denied because Partner A accidently transmits the same variable
twice via two different links. Thats no problem for Partner A, but CG for Partner B is not
possible because there the variable is written twice.

Theoretically two options exist:


1.

Undo the last safeethernet modification manually


(in example: remove the variable from the second link).
The CG of Partner A generates the old signature E2 again.

2.

Use a project backup and go back to the original version before the last modification.
(therefore export the current configuration and import it into the backup project)
The CG of Partner A generates the old signature E2 again.

But: If SIG N+1 has already been on E3 (but never activated) stepping back to E2 causes
always a short interruption of the link. See chapter 7.1.3
Editor
Undo
SE Mod
-

Partner A
Action
SIG N
E2

CG*

E3gen E2ld

Reload* E3load
E3

SIG N+1
E3

Partner B
Action
SIG N
E2

Reaction
SIG N+1
E2

E2gen

E2

E2

Link on E2

E2load
E2

E2
E2

E2
E2

Link interrupted
Link back on E2

Table 7.12

You can never get rid of this situation without a short interruption of the link, means whatever
you do; the next Reload of Partner A will shut down the link.
This interruption can take up to two times the Receive Timeout value!
CG and Reload of Partner A without any safeethernet modification is also not possible
anymore!
Firstly this does not solve the problem of Partner B and secondly then the link is really down
because the Dual Configuration in Partner A (including E2) will be removed
Result is a deadlock! Theres no proper way out!
The only remaining solution: Force (if allowed, respecting the safety rules!) all transmitted
variables and execute nevertheless CG and Reload of Partner A (in our example!) and
accept the link interruption.
Or wait

Page 48/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

The warning from CG* does not yet recognize the real, dangerous, issue:

Fig 7.24

During Reload* the firmware announces a warning:

Fig 7.25

Abort Reload if you cant afford a short link interruption.


Resume Reload only if you know the consequences

02-Safeethernet_12_e_F.docx

SILworX

Page 49/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

7.3.6

Accident scenarios (details)

7.3.6.1

Dual Configuration deleted too early (Accident 1)

(The correct procedure still appears in light grey the wrong procedure appears in red!)

Code Generation
(Reload option)
Partner A

Safeethernet
Modification

New SE Signature
E3 created

Reload
Partner A

No further
safeethernet
modification **

Code Generation
(Reload option)
Partner B

New SE Signature
E3 created

New SE Signature
E3 loaded
Link active on E2

Reload
Partner B

New SE Signature
E3 loaded
Link active on E3

Code Generation
(Reload option)
Partner A

Dual Configuration
deleted!
Version E2 disappears, version E3 still there

Reload
Partner A

New SE Signature E3 (but not E2) loaded


Link is now down since E2 does not exist
anymore but still needed by the partner!

Fig 7.26

Page 50/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
**

SILworX safeethernet

In diagram we only show Accident 1.


Accident 2 occurs if now alternatively another safeethernet modification is carried out.
See chapter 7.3.5

Normally step 4 and 5 should be Reload Partner A and Partner B!


Accident 1:
Here, for some reason, somebody made another Code Generation for partner A.
It doesnt matter whether the new Code Generation contains even new modifications, e.g.
changes in logic, or not.
If no further modifications for safeethernet made, the new Code Generation deletes the Dual
Configuration and consequently the old SE signature E2.
After executing the Reload (Step 6) the link would be down because SE signature E2 is still
required by communication Partner B.
Accident 2:
Accident 2 is only a variant. In accident 2 another safeethernet modification is carried before
loading Partner B. Same consequence: SE signature E2 disappears in Partner A
configuration.
After executing the Reload (Step 6) the link would be down because SE signature E2 is still
required by Partner B.

02-Safeethernet_12_e_F.docx

SILworX

Page 51/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Guidelines or how to avoid the mistake:

After phase 5 (second Code Generation of partner A) the Code Generator announces a
warning:

Examples!

Fig 7.27

(Normally the warning is displayed in one line)


If the warning is ignored the firmware is the second defense line:
During phase 6 (second Reload of partner A) the firmware announces a warning:

Fig 7.28

Fig 7.29

Page 52/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

The problem now:


The last generated Code for Partner-A is valid but cannot be used (yet) since therein the
needed Dual Configuration (Version E2 ) is already deleted.
A generated but not loaded code result in problems with Online Test and/or next Reload!

Solution: Back to the original phase 5!We must execute the Code Generation and Reload of partner B first and then
execute Code Generation and Reload of Partner A (again).
See next pages!

02-Safeethernet_12_e_F.docx

SILworX

Page 53/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

The only solution: Reverse!

Code Generation
(Reload option)
Partner A

Safeethernet
Modification

New SE Signature
E3 created

Reload
Partner A

No further
safeethernet
modification

Code Generation
(Reload option)
Partner A

Reload
Partner A

Code Generation
(Reload option)
Partner B

New SE Signature
E3 created

New SE Signature
E3 loaded
Link active on E2

Reload
Partner B

New SE Signature
E3 loaded
Link active on E3

Fig 7.30

Page 54/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

Back on track:

Code Generation
(Reload option)
Partner A

Safeethernet
Modification

New SE Signature
E3 created

Reload
Partner A

Code Generation
(Reload option)
Partner B

New SE Signature
E3 created

New SE Signature
E3 loaded
Link active on E2

Reload
Partner B

New SE Signature E3
loaded
Link active on E3

Code Generation
(Reload option)
Partner A

Dual Configuration is already deleted


Version E3 created again

Reload
Partner A

New SE Signature E3 loaded again!


Online Test and Reload possible again!

Fig 7.31

02-Safeethernet_12_e_F.docx

SILworX

Page 55/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.3.6.2

SILworX safeethernet

SE Change 1 >Reload Partner A, SE Change 2 >Reload Partner B (Accident 3)

(The correct procedure still appears in light grey the wrong procedure appears in red!)

Safeethernet
Modification

Code Generation
(Reload option)
Partner A

New SE Signature
E3 created

Reload
Partner A

New SE Signature
E3 loaded
Link active on E2

Another
safeethernet
modification

Code Generation
(Reload option)
Partner B

New SE Signature
E3 created

Reload
Partner B

New SE Signature
E3 loaded
Link active on E3

Code Generation
(Reload option)
Partner B

Another new SE Signature E4 created


Version E2 is still existing

Reload
Partner B

New SE Signature E4 and old SE Signature E2


loaded
Link remains active on E2

Fig 7.32

RESULT: DEADLOCK!

Page 56/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

The link is still active on E2, here displayed as Signature N.

Fig 7.33

Please note:
Therere no further warnings from the Code Generator or from firmware!
Both partners are now on status updated.
This is actually not foreseen and results in a crucial situation:
You cannot simply Reload partner A now!
This would most likely lead to a short communication interruption!
If you try anyway the system (firmware) announces a warning:

Fig 7.34

Abort Reload - or do not even execute the Reload if you cannot afford a temporally
link shutdown!
Do only Resume Reload if a temporally link shutdown can be accepted but
consider the consequences for the process!
02-Safeethernet_12_e_F.docx

SILworX

Page 57/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.4

SILworX safeethernet

Change safeethernet parameters

Change of timing parameters does not create a Dual Configuration (see chapter 7.1.4)
Change e.g. Receive Timeout and Response Time:

Fig 7.35

During Reload the following message appears:

Fig 7.36

If the values are calculated correctly: Resume Reload


Changing timing parameters requires only Reload of Timing Master.
The Timing Slave automatically accepts the Timing Master values.
See chapter 5.2.2

Page 58/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.5

SILworX safeethernet

Special case: Communication partner is not in the same project

Problem:
The Code Generator cannot check the partners loaded configuration, because it is not in the
same project.
Warning after Code Generation:

Fig 7.37

Consequence:
The guideline Code Generator does not exist anymore!
The only remaining safeguards are the firmware warnings (consider: they cant detect
everything).
Your options:
1. Trust yourself and the firmware and/or
2. Create a project archive and then load the Resource in a Test-PES and read the
generated safeethernet signatures.
Compare and analyze the signatures:
Test-PES:

Partner:
Result: OK!
Table 7.13

3. Or create a new link for newly generated communication variables and keep the
original link untouched ( risk reduction!) See chapter 7.2

02-Safeethernet_12_e_F.docx

SILworX

Page 59/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.6

SILworX safeethernet

Information in Version comparison

Example 1: New Variable added to existing link

Fig 7.38

Code Generation Version Comparison

Fig 7.39

Fig 7.40

Page 60/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

cpcsip.config:

Fig 7.41

Partner
System-ID

Link-ID
here = 0

SE signature

Hint: The link ID we see in safeethernet editor:

Fig 7.42

Link-ID

Current Online situation (before Reload):

Fig 7.43

Version DL in version comparison is identical to Signature N+1 (loaded in PES)


The old Signature N is not considered in the version comparison any more.

02-Safeethernet_12_e_F.docx

SILworX

Page 61/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

ke.config:

Fig 7.44

Fig 7.45

After Reload:

Fig 7.46

Version DL from version comparison is now Signature N


Version CG from version comparison is now Signature N+1

Page 62/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
7.7

SILworX safeethernet

Check SE Signature in a project backup

Open SILworX a second time and restore the project in which you assume the expected SE
Signature.
Export the last loaded configuration via the tool Version comparison

Fig 7.47

Import the configuration in your actual project:

Fig 7.48

In this example the imported version is identical to Last Load.


Means the previously restored project matches the last loaded version and can be used for
Reoad etc. again!

Fig 7.49

02-Safeethernet_12_e_F.docx

SILworX

Page 63/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
8

SILworX safeethernet

Appendix

8.1

Safeethernet principle (simplified)

1. Example, well working communication


Telegrams are send on the end of a CPU cycle. Any reaction, also the processing of data,
happens on the beginning of a CPU cycle. The understanding of this principle is important for
calculating Receive Timeout and Resend Timeout
Advantage of double shot principle: Processing newest data without waiting for
acknowledge. Makes a communication more efficient especially if the data transmission time
or the cycle time of target system is pretty long.
Cycle PES10

Cycle PES20

Telegram 1 (T1)
CPU cycle

Telegram 2 (T2)

PES20:
Processing data of T2

Acknowledge T1 and T2

T3

T4

PES20:
Processing data of T4

Acknowledge T3 and T4

Fig 8.1

Page 64/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

2. Example with a loss of telegram:


Profile Fast & Noisy tolerates the loss of one or more telegrams (depending relation
Receive TMO / Resend TMO). Resend after Resend Timeout.
Safety reaction after Receive Timeout expired.
Cycle PES10

Cycle PES20

T1

PES10:
Resend Timeout for
T2 started

T2 lost

PES20:
Processing data of T1
Start Receive Timeout

Acknowledge T1

PES10:
Resend Timeout for
T2 expired

Resend T2

PES20:
Processing data of T2

Acknowledge T2

T3

T4

PES20:
If Resend would not be
have been successful
Receive Timeout expired.
Set imported variables to
initial values

Fig 8.2

02-Safeethernet_12_e_F.docx

SILworX

Page 65/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training

SILworX safeethernet

3. Example demonstrates worst case situation regarding cycle time


Here the maximum calculated factor (5 x max. cycle time) is required.
Cycle PES10

Cycle PES20
T1

PES20:
Processing data of T1
Start Receive Timeout

T2 lost

PES10:
Resend Timeout for
T2 started
Acknowledge T1

PES10:
Resend Timeout for
T2 expired

Resend T2, lost again

PES20:
Processing data of T2 if
Resend successful

PES20:
Resend not successful
Receive Timeout expired.
Set imported variables to
initial values

Fig 8.3

Page 66/67

SILworX

02-Safeethernet_12_e_F.docx

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

HIMA Training
9

Changes

Rev.:
02

Date/Name
05.08.09/Kull

03

10.08.2009/Kull Adjusted to SILworX V3

04

14.06.2012/ML Adjusted to SILworX V4

SILworX safeethernet

Text
Document new created.

05

04.07.2012/ML Position of the variable definition changed.


Second Example in the appendix modified.
06-09
Draft versions
10

30.01.2014/Kull V6 features, safeethernet Reload

11

05.02.2014/ML Little updates

12

08.05.2014/ML Little addition in change from <V6 to V6, company name updated
13.06.2014/Kull New experience, new knowledge added in chapter 7 (Reload)

02-Safeethernet_12_e_F.docx

SILworX

Page 67/67

by HIMA Paul Hildebrandt GmbH. Any copy, even in extracts, are prohibited unless by permission from HIMA.

You might also like