System Manager and PLC Manager

System Manager

PLCnext Technology is by definition an open platform. This means that as a user you can integrate your own components and programs. During firmware startup, the System Manager ensures that all integrated components and programs are configured and started in the correct order. Here, all system processes are generated and function extensions are supplemented. A system component is always started, configured and shut down by the System Manager.

PLC Manager

The PLC Manager is a firmware component that loads the necessary PLC program code into memory and boots up or shuts down the programs. The program code can consist of an IEC 61131-3 program that was created and sent using PLCnext Engineer.

The code can also be created in C++ or MATLAB® Simulink®. C++ and MATLAB® Simulink® programs are available on the controller as program code libraries (shared object, *.so).

Configuration files on the controller determine which libraries the PLC Manager is to load and which programs in these libraries are to be instantiated. The PLC Manager is therefore superordinate to the code. It controls booting up and shutting down the real-time system (ESM) as well as starting and stopping data exchange via fieldbusses.

If the controller is in the stop state, the real-time tasks monitored by the ESM are not executed. The signals of the sensors connected to the fieldbus are no longer read as inputs, and the output signals are no longer sent to the connected actuators.

The PLCnext Engineer software can be used to start the controller in three different modes:

  • Cold Start:
    During a Cold Start, all data is reset.
  • Warm Start:
    During a Warm Start, all data is reset and all retentive data is restored (system start).
  • Hot Start:
    During a Hot Start, the data is neither reset nor restored. All variable values are retained.

PLC state

Available states

A PLC can be in one of these basic states:

Ready: The firmware is set up but the PLC is not loaded.
Stop: The PLC is loaded and set up but not started.
Running: The PLC is started.
Halt: The PLC is halted for debugging.

Some more (error) states are present; search for PlcState in the API documentation of the firmware release you're working on.

In addition, from firmware release 2022.0 LTS:

Suspended: This error bit is set if the PLC could not be started because it was prevented by a component.
Blocked: This error bit is set if the PLC could not be loaded because it was prevented by a component.

In addition, from firmware release 2022.6:

StartingDelayed: The PLC is about to start, but due to component conditions the PLC start has to be delayed.

Such a delay may be caused by an integrated Uninterruptible Power Supply (UPS) if during power up the UPS is not yet loaded sufficiently.

Changing the PLC state

The state of a PLC can be changed via the IPlcManagerService2 RSC service, which C++ programs can use to call the respective Load(), Start(), Stop(), or Reset() function (see the PlcState diagram). These functions check that the PLC is in the required initial state for the requested transition, so that the state change is possible.

PLCnext Engineer itself uses IPlcManagerService2 for user operations. In addition, some errors (e.g. an ESM task watchdog or an exception) can change the PLC's state from Running to Stop.

Changing between the Ready, Stop, and Running states is done by the RSC service IPlcManagerService2 directly; changing between the Running and Halt states is done in PLCnext Engineer.

Recommendation:

When calling the Load(), Start(), Stop(), or Reset() function, the async parameter should be set to True. The operation is then executed asynchronously: the call returns immediately, which avoids a timeout during the RSC call. The PlcState can then be polled to check when the change has taken effect.

Getting notified on PLC state changes

There are different ways to get notified:

  • via IControllerComponent interface:
    PLM and ACF components can register with the IControllerComponent interface
    • PLM components will get notified on PlcState changes by calling the respective Start() or Stop() interface methods.
    • For ACF components, the Start() and Stop() methods are called at starting and stopping the firmware.
  • via Notifications in C++:
    PlcState changes are logged as the Arp.Plc.Domain.PlcManager.StateChanged notification, which can be subscribed to at the NotificationLogger.
  • via PLC events:
    PLM components and ACF components can get notified on state changes by means of the PlcDomainProxy object (see API documentation). For this purpose the component must provide a function for each event of interest. Each state change has two events, triggered at the beginning and at the end of the state change. The functions have to be registered at the PlcDomainProxy by += make_delegate(), and unregistered in the Dispose() function of the component.
[Figure: PlcState diagram]

Reading the state of the PLC

The GetPlcState() method of the IPlcManagerService2 provides the Arp::Plc::Commons::Domain::PlcState enumeration as a return value. In this enumeration, the current state is combined with additional information bits.

  • With PlcState::StateMask the raw state can be extracted.
  • With PlcState::FlagsMask the portion of additional information can be extracted (see the following table).
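The following is an added example (not code from the PLCnext firmware or SDK) that shows the two things described above: splitting a combined PlcState value into raw state and flags with StateMask/FlagsMask, and polling the state after an asynchronous Load()/Start()/Stop()/Reset() as the recommendation suggests. The enumerator bit positions and mask values are assumed for illustration only; take the real ones from the PlcState header of your firmware release, and replace the getState callback with IPlcManagerService2::GetPlcState().

```cpp
#include <chrono>
#include <cstdint>
#include <functional>
#include <thread>

// Illustrative stand-in for Arp::Plc::Commons::Domain::PlcState. The bit
// positions and mask values are ASSUMED for this example; the real
// enumeration is in the PlcState header of your firmware release.
enum PlcState : uint32_t {
    None       = 0,
    Ready      = 1,
    Stop       = 2,
    Running    = 3,
    Halt       = 4,
    StateMask  = 0x000000FFu,   // low byte: the raw state
    FlagsMask  = 0xFFFFFF00u,   // remaining bits: additional information
    Hot        = 1u << 8,
    Warm       = 1u << 9,
    Changing   = 1u << 10,
    Warning    = 1u << 16,
    Error      = 1u << 17,
    FatalError = 1u << 18,
};

// Split the combined value as the page describes: raw state via StateMask,
// additional information via FlagsMask.
inline uint32_t RawState(uint32_t s) { return s & StateMask; }
inline uint32_t Flags(uint32_t s)    { return s & FlagsMask; }
inline bool HasFlag(uint32_t s, PlcState f) { return (s & f) != 0; }

// After an asynchronous Load()/Start()/Stop()/Reset() (async = true), poll
// the state until the wanted raw state is reached. Gives up on an Error or
// FatalError flag, or when the timeout expires. 'getState' stands in for
// IPlcManagerService2::GetPlcState() so the logic runs without the SDK.
bool WaitForRawState(const std::function<uint32_t()>& getState,
                     uint32_t wanted,
                     std::chrono::milliseconds timeout,
                     std::chrono::milliseconds interval = std::chrono::milliseconds(10))
{
    const auto deadline = std::chrono::steady_clock::now() + timeout;
    for (;;) {
        const uint32_t s = getState();
        if (RawState(s) == wanted) return true;
        if (HasFlag(s, Error) || HasFlag(s, FatalError)) return false;
        if (std::chrono::steady_clock::now() >= deadline) return false;
        std::this_thread::sleep_for(interval);
    }
}
```

Checking the Error/FatalError flags inside the poll loop matters because, as the table below notes, after an Error the PLC may stay in Ready and never reach the wanted state, so a plain "wait for Stop" loop would only end by timeout.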

Additional information at PlcState

Hot: The PLC is stopped in hot state, that is, all data still remains, so a Hot Start is possible.
Warm: The PLC is in Stop state and a Warm Start is possible. The retain data will be restored.
Changing: The PLC is currently changing a configuration. This implies that the Running state is set. Designates the state during execution of Download Changes (PLCnext Engineer function: Write and Start Project Changes).
Forcing: The PLC is in Force mode. One or more variables are forced by the GDS.
Debugging: The PLC is in Debug mode. One or more breakpoints are set.
Warning: An unspecified warning occurred.
Error: An unspecified error or exception occurred, and the PLC is in STOP state. Typically this error is caused by an erroneous PLC configuration. The PLC usually remains in Ready state; if not, the Reset() function needs to be executed. After fixing the error, the PLC has to be set to the Stop state by executing the Load() function again, and thereafter the Start operation may be called so the PLC changes to Running state.
FatalError: An unspecified fatal error or exception occurred, and the PLC is in Error state. The entire firmware has to be restarted.
SuspendedBySwitch: This error bit is set if the PLC could not be started because it is suspended by the hardware switch (STOP switch). This switch exists only on some PLCnext controllers, e.g. AXC F 3152.
SuspendedBySystemWatchdog: This error bit is set if the PLC could not be started because the PLC has been suspended by the system watchdog. In this case a Cold Start has to be performed manually.
DcgNotPossible: This error bit is set if the PLC tried to perform a change operation, but it was not possible. This bit is usually combined with the Running state. ("Dcg" means Download Changes; in PLCnext Engineer the function is called Write and Start Project Changes.)
DcgRealTimeViolation: This error bit is set if the PLC tried to perform a change operation, but it was not possible in real time. This bit is usually combined with the Running state.

PLCnext Engineer project integrity check

Available from 2022.6

To use the function, you need PLCnext Engineer from software version 2022.6 and a corresponding FDCML file for firmware version 2022.6 and newer.

From firmware 2022.6 onwards, you can check your PLCnext Engineer project for integrity. The check takes place during the Load() transition from the PLC state PlcState.Ready to PlcState.Stop.

PLCnext Engineer calculates integrity information (a hash code) for the project to be downloaded. The integrity information covers the following aspects of the project:

  • Code, including PLCnext Engineer libraries, binary code from Simulink and C++ libraries
  • Configuration, e.g. field busses, ESM, OPC UA etc.
  • PLCnext Engineer HMI files

The hash codes are sent to the PLC together with the project files. The PLC also calculates hash codes and compares them with those of PLCnext Engineer. If errors occur during transmission from PLCnext Engineer to the PLC, they are detected.

Configuration

The response to an integrity breach detected by the firmware can be configured via the configuration file /opt/plcnext/config/Plc/Domain/ProjectManager.plc.config. By default, the configuration file is structured as follows:

<?xml version="1.0" encoding="UTF-8"?>
<PlcDomainConfigurationDocument
   xmlns="http://www.phoenixcontact.com/schema/plcdomainconfig"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.phoenixcontact.com/schema/plcdomainconfig"
   schemaVersion="1.0">
   
   <ProjectManagerConfig>
     <!-- IntegrityCheck mode="Error" / -->
     <!-- Possible modes: "Disabled", "Warning", "Error" -->
   </ProjectManagerConfig>
     
</PlcDomainConfigurationDocument>

You can configure the following modes in the configuration file (the file can be edited by the Linux user admin; root rights are not necessary):

  • Disabled: No check is performed. The PLCnext Engineer project is loaded in any case and the PLC is started.
  • Warning: The PLCnext Engineer project is checked. In case of an integrity breach the project remains loaded and the PLC changes to the PLC state PlcState.Run. A notification is sent.
  • Error: The PLCnext Engineer project is checked. In case of an integrity breach the project is unloaded again and the PLC remains in the PLC state PlcState.Ready. A notification is sent.

Note: If the integrity check is active (Warning or Error), any project is checked while loading. This means that an integrity breach is also detected for projects without the hash code, e.g. projects that are created with a PLCnext Engineer version prior to 2022.6. The notification payload will report: Manifest file 'PCWE.manifest.config' does not exist.

Example configuration for the project integrity check configured as Error mode:

<?xml version="1.0" encoding="UTF-8"?>
<PlcDomainConfigurationDocument
   xmlns="http://www.phoenixcontact.com/schema/plcdomainconfig"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.phoenixcontact.com/schema/plcdomainconfig"
   schemaVersion="1.0">
   
   <ProjectManagerConfig>
     <IntegrityCheck mode="Error" />
     <!-- Possible modes: "Disabled", "Warning", "Error" -->
   </ProjectManagerConfig>
     
</PlcDomainConfigurationDocument>

Note: The Warning mode is enabled by default. When the Security Profile is activated, the Error mode is enabled.

Detected project integrity breach

When a project integrity breach is detected, a notification is written to the security log giving details of the integrity breach (Security.Arp.Plc.Domain.PlcManager.ProjectIntegrityFail).

Published/reviewed: 2022-09-14 • Revision 046