SQR_CSG_VI4x.pdf

√𝑆𝑄𝑅
©
- All rights reserved, do not share without written approval. 2022-04-19 SQR_CSG_VI4x.docx
√𝑺𝑸𝑹
© Control System Guidelines
Table of Contents
1 INTRODUCTION............1
Purpose....................... 1
1.1.1 Objective ........................1
1.1.2 Audience ........................1
1.1.3 Relevance.......................1
Scope .......................... 1
1.2.1 References......................1
1.2.2 Deviations.......................1
1.2.3 Revisions ........................1
2 ENERGIES & SAFETY .....2
Energies ...................... 2
2.1.1 Terms of Use ..................2
2.1.2 Power Devices................2
2.1.3 Pipes & Wires.................2
2.1.4 Labeling’s........................2
2.1.5 Cabinets..........................2
2.1.6 Bonding ..........................2
Safety.......................... 3
2.2.1 Risks Control...................3
2.2.2 Electrical Main................3
2.2.3 Non-Electrical Main........3
2.2.4 Safety Related Parts .......3
2.2.5 Active Safeguards...........3
2.2.6 Emergency-Stops............3
2.2.7 Safe-Speed .....................3
3 CONTROL SYSTEM........4
Integration.................... 4
3.1.1 IS/IT Policies ...................4
3.1.2 Remote Access ...............4
3.1.3 Validation Plan ...............4
3.1.4 VMP Documents.............4
HMIs System ............... 5
3.2.1 Thin-Client HMIs.............5
3.2.2 Integrated HMIs .............5
3.2.3 Control Panels................5
PLCsSystem.................. 5
3.3.1 Traceability ....................5
3.3.2 Instruments....................5
3.3.3 Calibrations....................5
3.3.4 Inline-Checks..................5
3.3.5 Consumption..................5
3.3.6 Sustainability..................5
4 CONTROL MODEL ........ 6
Modes......................... 6
States......................... 7
Alarms......................... 7
Types .......................... 8
4.4.1 Use CaSe ........................8
4.4.2 Consecutive......................8
4.4.3 Up Report .....................9
4.4.4 Ticket Report..................9
4.4.5 Process Path...................9
4.4.6 Analog Act....................10
4.4.7 Digital Act.....................10
4.4.8 Check Act. ....................11
4.4.9 Use Act.........................11
Semantics.................. 12
4.5.1 Domain Visibility ..........12
4.5.2 Prefix and Attributes....12
4.5.3 Data Size Assessment...12
5 USER INTERFACE........ 13
HMIs Duties .............. 13
5.1.1 Colors Guide.................13
5.1.2 Lights & Buttons...........13
User Access ............... 13
5.2.1 User Login....................13
5.2.2 User Roles....................13
5.2.3 Acknowledge................13
5.2.4 eSignature! .................. 13
Visual Features.......... 14
5.3.1 Header Bar................... 14
5.3.2 Navigation Bar ............. 14
5.3.3 Alarms Banner............. 14
5.3.4 21 CFR Part 11 ............. 14
Visual Model ............. 15
5.4.1 HMI Hierarchy ............. 15
5.4.2 Screenshots ................. 15
6 MES NETWORK ..........17
Line Modes................ 17
Line States ............... 17
MES Types................. 17
6.3.1 Batch ........................... 17
6.3.2 Recipe.......................... 18
6.3.3 Raw-Lot ....................... 18
6.3.4 Trace............................ 18
6.3.5 Part.............................. 18
6.3.6 Ticketing ...................... 18
KPIs Types................. 19
6.4.1 I P C.............................. 19
6.4.2 I P S.............................. 19
6.4.3 NRG ............................. 19
6.4.4 Stoppages.................... 20
6.4.5 Reports ........................ 20
7 REMINDER .................21
Energies & Safety ...... 21
7.1.1 Main Energies.............. 21
7.1.2 Neutral Earthing .......... 21
7.1.3 Safe Stop Categories.... 21
7.1.4 Safety Functions .......... 21
7.1.5 Safety Symbols ............ 22
7.1.6 Safety Colors................ 22
7.1.7 Safety Tasks................. 22
Risks Assessment....... 23
7.2.1 Risks Inventory.............23
7.2.2 Risks Evaluation............23
7.2.3 Risks Reduction ............23
7.2.4 Safety Category............23
7.2.5 PLr Calculation .............23
IT/OT Convergence.... 24
7.3.1 IT/OT Networks............24
7.3.2 IIoT Integration.............24
IEC-61512 Models...... 25
7.4.1 Process..........................25
7.4.2 Physics..........................25
7.4.3 Procedures......................25
7.4.4 Activities .....................25
7.4.5 Shipments ...................25
7.4.6 Actuator - Manual........25
7.4.7 Station - Semi-Auto......25
7.4.8 Machine - Automatic....25
7.4.9 Keep It Simply Smooth .25
Digital Twin Model ... 26
7.5.1 Failsafe Inn...................26
7.5.2 Failsafe Recoveries.......26
7.5.3 Virtual Prototypes ........26
7.5.4 Edge Reports................26
7.5.5 Parts Trace ...................27
7.5.6 Pallet Twin....................27
Deployment Plan....... 28
7.6.1 Design Pattern..............28
7.6.2 System Hierarchy .........29
7.6.3 Model-Based Design ....29
7.6.4 Easy Path Design ..........30
7.6.5 Easy Path Code.............30
7.6.6 Safe Interlocks..............30
7.6.7 Rationalarms................31
7.6.8 Ratiocators...................31
Acronyms .................. 31
+=SQR
+1.Ss=...
+1.00=Frame
+1=Adm
+1=Filler
Act.
Mach. Station
Line
+3.01.000=Path
+3=Sealer
+3.00=Frame
+3.02=Load
+2.Ss=...
+2.00=Frame
+2=Adm
+2=Weigher
+3.01.001=Robot
+3.01.Aaa=...
+3.00.000=Path
+3.00.001=Train
+3.00.Aaa=...
+3.04=Fill
+3.04.000=Path
+3.04.001=Auger
+3.04.Aaa=...
+3.10=Seal
+3.10.000=Path
+3.10.001=Press
+3.10.Aaa=...
+3.12=Trace
+3.12.000=Path
+3.12.001=Print
+3.12.Aaa=...
+3.13=Unload
+3.13.000=Path
+3.13.001=Robot
+3.13.Aaa=...
+3=Adm
+3.Adm.000=SAFE
+3.Adm.001=PWUP
+3.Adm.Aaa=...
User
Requirements
Specification
Design
Specification
Assembly
Wiring-Coding
Modular Testing
Condition-BasedMonitoring
Maintenance •Repair• Overhaul
Line
Cell
Actuator(s)
Module(s)
Manual
FixUp
Integration
Qualification
Station(s)
Equipment(s)
Semi-Auto
Maintenance
Operational
Qualification
Functionnal
Specification
Machine(s)
Unit(s)
Automatic
Production
Performance
Qualification
Design
ISO 15288
ISO 13849
IEC 61512
IEC 62714
Assembly
IEC 60204
IEC 61508
Operation
Qualifcation

√𝑺𝑸𝑹
©
INTRODUCTION Control Systems Guidelines 1 / 31 
√𝑆𝑄𝑅
©
- All rights reserved, do not share without written approval. “fix mindset, do not mine fixes.” 2022-04-19 SQR_CSG_VI4x.docx
1 INTRODUCTION
Purpose
1.1.1 Objective
Guidelines to ensure user Safety, product Quality and machinery Reliability with Industrial Control Systems.
Few paths to apply Machinery Directives and Good Automation Modeling Practices on Industrial Control
Systems aggregatingmodules suchas Actuators , Stations and Machines in Line(s) for batch’s production.
1.1.2 Audience
OEM's Industrial Control Systems stakeholders trained on the following §1.2.1 References.
1.1.3 Relevance
User
Safety
Product
Quality
Machinery
Reliability
Cyber
Security
Process
Mastering
For new Industrial Control Systems only, existing ones are out of scope.
Concerns
Holistic Matrix
Chapters
ISO / IEC GAMP IS / IT
Ready
MES / IIoT
Ready
• Energies & Safety
Blue
. . .  
• Control System
Yellow
Green    
• Control Model Purple    
• User Interface Green   
• MES Network . . . Purple 
The right border color in the next pages shows which chapter paragraph is relevant to which concern.
Scope
1.2.1 References
• MD-2006/42/CE, Essential health and safety requirements relating to design and construction of machinery.
• ISO-9241:2010, Ergonomics of human-system-interaction - Human-centered design for interactive systems.
• ISO-12100:2010, Safety of machinery - General Principles for Design - Risk Assessment and Reduction.
• ISO-13849-1:2015, Safety of machinery - Safety related Parts of Control Systems - Part 1: Principles.
• ISO-13849-2:2012, Safety of machinery - Safety related Parts of Control Systems - Part 2: Validation.
• ISO-13850:2015, Safety of machinery - Emergency Stop Function - Principles for Design.
• ISO-13855:2010, Safety of machinery - Safeguards position with respect to approach speeds of parts of human body.
• ISO-14118:2017, Safety of machinery - Prevention of Unexpected StartUp.
• ISO-14119:2013, Safety of machinery - Guards Interlocking Devices Associated - Design and Selection Principles.
• ISO-15288:2015, Systems and software engineering - System life cycle processes.
• ISO-27000:2018, Information technology - Information security - management systems - Overview and vocabulary.
• IEC-60068-1:2013, Environmental testing - Part 1: General and guidance.
• IEC-60204-1:2016, Safety of machinery - Electrical equipment of machines - Part 1: General requirements.
• IEC-60300-1:2014, Dependability management - Part 1: Guidance for management and application.
• IEC-61131-3:2013, Programmable controllers - Part 3: Programming languages.
• IEC-61508:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems.
• IEC-61512-1:1997, Batch control - Part 1: Models and terminology.
• IEC-62061-A2:2015, Safety of safety-related electrical, electronic and programmable electronic Control Systems.
• IEC-62264-1:2013, Enterprise Control Systems Integration - Part 1: Models and terminology.
• IEC-62443-3-3:2013, Industrial communication networks, system security requirements and security levels.
• IEC-62682-1:2014, Management of alarms systems for the process industries.
• IEC-62714-1:2018, Engineering data exchange Pattern - Automation markup language.
• IEC-81346-2:2019, Reference designations - Part 2: Classification of objects and codes for classes.
• ISPE-GAMP, Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized Systems.
• S88 Implementation Guide, Strategic Automation for process Industries - ISBN-10 0070216975.
1.2.2 Deviations
Each deviation with any statement written in this document needs a project team approval and validation.
1.2.3 Revisions
m.μ.ε Date Author Auditor Modifications Description
I.0.x 28 Feb. 2018 JCP PoP from CPA Draft
I.1.x 30 Sep. 2018 JCP VeP from CDI MES Network
I.2.x 11 Nov. 2019 JCP JCR from DCS Control System + Semantics + eSignature!
I.3.x 27 June 2020 JCP VeP from CDI Control Model + Up + Ticket + Analog + Digital
I.4.x 31 May 2021 JCP JCR from DCS IEC-61512 Models + Digital Twin + Deployment

√𝑺𝑸𝑹
©
ENERGIES & SAFETY Control Systems Guidelines 2 / 31 
√𝑆𝑄𝑅
©
2 ENERGIES & SAFETY
Energies Where machinery is powered by source of Energies, it must be so designed,
constructed and equipped as to avoid all potential risks associated with such
sources, i.e. MD-2006/42/CE; their supplies and distributions shall be able to
retain electrical, hydraulic and pneumatic hazards vs Safety Requirements.
2.1.1 Terms of Use The devices, connectors, pipes and wires shall comply with IEC-60068-1:2013
versus their environments and operative uses with a life cycle  10 years as :
• Ingress Protection Indoor Areas - IP2X Outdoor Areas - IP65
• Temperature °C +10°C to +40°C -0°C to +50°C
• Relative Humidity 20…90% 5…95%
• Vibration / Shock 1g / 10g 2g / 30g
• Contact / Air Discharges 1 kV / 2 kV
• ATEX‘s requirements if exposed to explosive or combustible areas.
2.1.2 Power Devices Those PDS shall comply with IEC-60204-1:2016; a supply isolator (breaker with
overcurrent protection) shall let disconnect each one. The electrical devices such
asmotors,drivesorVFD'sshallavoidconnectionbetweenneutralandPEbonding.
2.1.3 Pipes & Wires Conduits, Tubes, Pipes, Wires and Cables shall comply with IEC-60204-1:2016 :
• Leave more than 25 mm between electrical and non-electrical pipes.
• Avoid shearing, crushing, sharp edges, rough surfaces and cutting threads.
• Ensure PE bonding in metallic sheaths and DC-control separation to AC-power.
• Adopt open mesh on cable trays or basket without cover; minimize, where
possible, horizontal cable trays to reduce dust/debris accumulation; install
pipes and wires on a single layer with single clipping (no cables grouping).
• Seal conduits ends or install cable glands on both sides (silicon is forbidden).
• Grant hydraulic or pneumatic conduits, tubes or pipes that resist over 50%
of their nominal pressure without leakage or detachment.
2.1.4 Labeling’s SystemmarkingplatesshallcomplywithMD-2006/42/CE.Cabinets,devices,pipes
and wires labels shall comply with IEC-60204-1:2016 and IEC-81346-2:2019 :
• Label or engrave each cabinet on the door or front cover.
• Label every device in and out of cabinets as tagged in the drawings.
• Label pipes and wires at each termination point as tagged in the drawings.
• For all items, set labels to comply with tags in the associated drawings like
"+01.002-B3=Fct " with "+" for location, "-" for device and "=" for function.
2.1.5 Cabinets The control and termination cabinets as their devices layouts and cables
trays shall comply with IEC-60204-1:2016 and IEC-81346-2:2019 :
• Locate all live parts ≥ 60 V inside enclosures, not on opening door or covers.
• For doors or covers hiding live parts ≥ 60 V, LOCK them with special tools or keys -
HIGHLIGHTthemwithelectricalwarningstickers-CHECKtheiropeningangle≥90°.
• Fulfill EMC/EMI immunity with a bonded metal divider (plate, grid or mesh)
or insure 100 mm free space between devices < 60 V and devices ≥ 60 V.
• Seal conduits ends or install cable glands on both sides (silicon is forbidden).
• Ensure PE bonding continuity with metallic connectors and cable glands.
• Enter the conduits by the bottoms or sides (not by top, front or back).
• Provide two power receptacles or sockets with electrical protection.
• Fulfill Electrical Main Switch and Non-Electrical Main Valves.
• Adopt stainless steel for the cabinet's enclosures.
2.1.6 Bonding Protective Earth equipotential bonding shall comply with IEC-60204-1:2016 :
• Share selected Neutral Earthing methods at the electrical main supply.
• Identify PE conductors with GREEN-YELLOW or any combination of these.
• Make sure impedance between PE bonding and structural parts is ≤ 50 m.
• Ensure PE bonding continuity in all metallic cables sheaths or armoring.
• Segregate PE, Neutral VAC and 0 VDC in every cabinet and cable tray.
• Do not use system structural parts as PE bonding conductors.

√𝑺𝑸𝑹
©
ENERGIES & SAFETY Control Systems Guidelines 3 / 31 
√𝑆𝑄𝑅
©
Safety Machinery shall be designed and constructed so that it is fitted for its function, and
can be operated, adjusted and maintained without putting persons at risk when
these operations are carried out under the conditions foreseen but also under any
reasonably foreseeable misuse thereof, i.e. MD-2006/42/CE. Safety design steps
are①InherentlySafeDesign,②ActiveSafeguardsand③InformationofUse.
2.2.1 Risks Control As defined in ISO-12100:2010, the SRP/CS designs (ISO-13849-1:2015) and
validations (ISO-13849-2:2012) shall reach the eligible PLr and category.
The shared Risks Inventory, Risks Evaluation and Risks Reduction shall be done
by actuators or energies; If irreversible injuries are foreseeable, SRP/CS shall rank
Safety Category #3 or #4 with PLdor PLe insteadof invoking Information-of-Use.
2.2.2 Electrical Main It shall comply with IEC-60204-1:2016 and ISO-14118:2018 to filter, isolate
and disconnect any electrical energies with following protective features :
• Locate all live parts ≥ 60 V inside enclosures, not on opening door or covers.
• 3-Phase + Neutral EMC/EMI filter and overload protection at the main drop.
• The I/0n and 0/0ff labels shall indicate the switch positions (power status).
• The I/0n position shall keep the main cabinet door closed unless authorized
skilled or instructed persons use a tool or key to bypass it for maintenance.
• The 0/0ff position (disconnected state) can be mechanically lock with
padlock or trapped-key to prevent any unexpected StartUp.
2.2.3 Non-Electrical
Main
For all pneumatic or hydraulic supplies, provide dirt filter, overload protection,
isolation switch and quick disconnect; add to each of them 0n-0ff valves with a
gradual pressure build-up in downstream position (soft-start / quick exhaust).
2.2.4 Safety Related
Parts
The SRP/CS such as Active-Safeguards, Emergency-Stops or Deadman Switch
shall comply with IEC-61508:2010 and IEC-62061-A2:2015 and provide :
• Every related paper, specification, certificate, drawing, use and manual.
• Energies retainment strategies if Safeguards failures or emergency stop(s).
• Safety Reset to reset Active-Safeguards or Emergency-Stops without
initiating hazardous operation; only one true feedback from Safeguards
Interlock may enable the 0n to energize and initiate unsafe actuators.
• Safety Functions with redundant certified actuators such as Deadman Switch.
• Redundant Air and Hydraulic Valves to cut unsafe non-electrical actuators.
• Redundant 3-Phase Electrical Breakers to cut unsafe electrical actuators.
• Only physical buttons shall perform 0ff , Reset and 0n .
2.2.5 Active Safeguards The Active-Safeguards shall prevent any potential hazardous motion and
comply with ISO-13855:2010, ISO-14119:2013 and IEC-60204-1:2016 :
• They refer to such as Guard-Interlocks, presence sensors or light curtains.
• Only Two-Hand or Deadman Switches may mute Active-Safeguards to enable
the Redundant-Certified-Actuators while all Unsafe-Actuators remain disable.
• Presence-Sensors or Light-Curtains Muting shall complywith ISO-13849-1:2015.
• The fixed or moveable Guard-Interlocks shall submit an escape mean for
anyone trapped inside; padlocks or trapped-keys shall secure inappropriate
guards closing; irreversible fasteners shall avoid any work-around.
2.2.6 Emergency-Stops They shall comply with IEC-60204-1:2016 and ISO-13850:2015; nothing can
bypass Emergency-Stops ; they shall prevent hazardous motion versus one
of the Safe Stop Categories. Their Locations shall prevent accidental pushing
and not be placed next to an 0ff push-button. The supplier shall provide
layouts with their Locations and which device(s) they control.
2.2.7 Safe-Speed To run under cooperative motion speed while Muting Active-Safeguards; such
JogSafe Mode shall comply with the Safety Functions Safety-Limited-Speed :
• Nominal or slow-motion speed if nobody inside the Active-Safeguards.
• Safe-Speed under the control of a Deadman switch if anybody inside.
• Safe-Stop if Safeguards or Deadman switch are not active.

√𝑺𝑸𝑹
©
CONTROL SYSTEM Control Systems Guidelines 4 / 31 
√𝑆𝑄𝑅
©
3 CONTROL SYSTEM
An ICS aggregates HMIs and PLCs to control machinery; every system device shall :
• Provide electronic Crash-Recovery backups on IS/IT approved media storages.
• Integrate HardWare/SoftWare pieces approved by the original vendor ONLY.
• Replace HW/SW pieces before their obsolescence or security support end.
Integration It address system data sharingthrough OPC-UA onL2-Asynchrone-Network. The
Industrial Automation & Control System shall provide OPC-UA authentication
with certificates set by OPC-GDS Push (Global Discovery Server) and implement
OPC-UA authorization, if the IACS requires User Roles based on User Login.
3.1.1 IS/IT Policies They address Security-Level #2 or #3 vs ISO-27000:2018 and IEC-62443-3-3:2013.
Every device on L2-Asynchrone-Network or public cellular network (like xG) shall :
• Apply security fixes under the following SLO if CVSS ≥ 7 in the last CVE:
• 1 week for systems on public cellular network (like xG).
• 11 weeks for systems on L2-Asynchrone-Network.
• Report once a year following information for every asset :
• IP address, Systems & Applications names, User's roles and credentials.
• Security support end date by original software vendors and by suppliers.
• List of applicable patches required to fix CVSS ≥ 7 for all installed devices.
• Update once a year firmware, operating system and software with latest fixes.
• Change once a year every Psw/Pin with uncompromising credentials policies.
3.1.2 Remote Access 2 choices to keep an Industrial Control System secure while accessing it remotely :
• First an SSL-VPN, up to the
line Asset-Hub using proper
credentials like SQR-Adm.
• As second choice, a Teams
screen sharing as immediate
tactical solution where nothing occurs without a local SQR-Adm user session.
3.1.3 Validation Plan The VMPmarksthe beginningof any qualificationproject;it schedules allGAMP's
tasks in a risk-based assessment versus product quality and project milestones :
IACS
Milestones
URS
Review
+
FMEA
Functional
Review
Design
Specification
PLC
&
HMI
Coding
RCM
Ready
Modules
Tests
Integration
Tests
Operational
Tests
Performance
Tests
FAT
Ready
1
st
Run
Successful
Qualification
Ready
IQ-OQ-PQ
Support
FAT
Successful
SAT
Ready
Offline     
Online     
Release     
GAMP‘s
VMP
Documents
HDS
V0
DRW
V0
SDS
V0
PRG
V0
T4Q
V0
HDS
V1
DRW
V1
SDS
V1
PRG
V1
T4Q
V1
HDS
V2
DRW
V2
SDS
V2
PRG
V2
T4Q
V2
HW SW QC HW SW QC HW SW QC
3.1.4 VMP Documents Those listed in the Validation Plan shall demonstrate that all systems comply
with MD-2006/42/CE directives endorsing ISO-15288:2015 and GAMP's where :
• All tags, aliases and faceplates match the P&IDn drawings names.
• Hardware drawings and Labeling’s comply with IEC-81346-2:2019.
• Design patterns may endorse good practices such as IEC-62714-1:2018.
• All tags, mnemonics, descriptions, comments and instructions are in English.
Tests shall provide Risk-Assessment, I/O, Parameters, Reports and Alarms lists.
Theyshallbereadableonloose-leafprintofsizeA4orLetterwithdurablequality.
SQR Adm
Asset Hub
SQR WAN
SSL VPN
3rd Party
Computer
SQR Adm

√𝑺𝑸𝑹
©
CONTROL SYSTEM Control Systems Guidelines 5 / 31 
√𝑆𝑄𝑅
©
HMIs System The HMIs requirements are split in two chapters; this one describes how to
integrate IT/OT Networks; the next User Interface chapter describes Duties,
User Access, Visual Features and Visual Model for the visualization application.
3.2.1 Thin-Client HMIs To integrate the L2-Asynchrone-Network if database access is required. IT
provides HMIsHardwareandOperatingSystem. ITshall validatethevisualization
software. Any Not IT validated software requires a risk assessment to identify
risks versus IT security. The visualization application shall integrate User Access
Active Directory while its life cycle management shall be set-up to ensure
compatibility with IS/IT Policies validated hardware and software roadmap.
The project tool shall handle multiple targets held by multiple programmers.
3.2.2 Integrated HMIs To integrate the L1-Synchrone-Network, they shall provide the User Login
feature for operators, leaders and experts; Their IP address may be in IT
range like 10.63.x.y or in private ranges such as 192.168/16 and 172.16/16.
3.2.3 Control Panels All Stack-lights and Pushbuttons shall comply with IEC-60204-1:2016,
see §User Interface Lights & Buttons. If any hazardous operation may
cause irreversible injuries, every control panel shall be Wired by Hardware.
PLCs System In addition, the supplier shall integrate PLCs with the following features :
• Minimum of 20% spare for PLC memory, I/O and Tags Quantities.
• A safety logic (hardware or software) to control Safety Related Parts.
• The PLCs shall allow a remote access for diagnostic and troubleshooting
through the L1-Synchrone-Network with one of their own Ethernet ports;
IP address shall be in IT ranges as 10.63.x.y or in 192.168/16 and 172.16/16.
• A separate Ethernet port using a different IP address with potential IO-Link
gateways shall access to the L0-Synchrone-Fieldbus (IP address range is free).
The project tools shall handle multiple targets held by multiple programmers
and comply with IEC-61131-3:2013 for ST, LD or FBD programming languages.
3.3.1 Traceability The PLCs system shall provide Parts Trace and Pallet Twin features to build a
unique E2E traceable part identifier for the Shipments. The Serialization shall
record contextual part’s data (configurations, parameters, reports, status,
timestamps, contents, authentications, etc...) through Ticketing’s. Unique 1D
or 2D barcodes, RFID chips or alphanumeric texts may identify each part. A
Product is a part that completes every process stage without any failure.
See §Control Model Ticket Type, §MES Network Trace Type and Part Type.
3.3.2 Instruments
3.3.3 Calibrations
They act as Actuators and those tied to CPPs, CQAs or OPRPs shall belong
to an approved instruments list, other choices require individual approvals;
their monitoring’s may require an §MES Network Typ_IPC. Their calibration
certificates and maintenance/validation plans are required; if calibration
is not applicable, a gauge R&R (repeatability & reproducibility) is required.
3.3.4 Inline-Checks
3.3.5 Consumption
Some Instruments may require ICC Inline Calibration Checks with Traced
Challenge-Parts to control their calibration validities; those checks may occur
in Running States with mandatory Holds from IPS Inline Process Samplings.
The Inline-Checks also include energies consumption monitoring’s (Electricity
in KWh or Air Pressure in m3, etc...) as defined in §MES Network NRG Type.
3.3.6 Sustainability As cited in IEC-60300-1:2014, the Control System shall share Condition-Based
Monitoring's (CBM) with the MES Network to collect and contextualize edge
reports valuable for production improvement as for Maintenance, Repair &
Overhaul (MRO); such data may establish trends, predict failures and prescribe
corrective actions; this curative dependability management is more efficient
for Safety, Quality & Reliability (SQR) than classical Palliative Maintenances.

√𝑺𝑸𝑹
©
CONTROL MODEL Control Systems Guidelines 6 / 31 
√𝑆𝑄𝑅
©
4 CONTROL MODEL
A Model-Based Design, as MVC pattern, submits machinery control models
based on building blocks; the benefits of such methods are Failsafe Recoveries,
Virtual Prototyping’s and Productivity Gains. Key Modes, States, Alarms, Types
andSemantics
guide with
relevant
clues to
integrate IACS in
manufacturing lines
over an MES Network.
A rational
class design
model may
translate a
physical system to its
Digital Twin by sinking
FailsafeandEdge-Reports
in relevant Base Class .
Modes Those apply totally to Machines and partially to Stations and Actuators .
Control Modes Access Description compliant with IEC-60204-1:2016.
IEC-60204-1:2016
Modes
Production
Automatic
Oper.
It produces parts during periods dedicated to
ordered Batch’s;MES synchronizes the Reportsand
Recipe. Every Up shall run in full Automatic mode.
Maintenance
Semi-Auto
Leader
It produces parts without any Batch constraints and
allows MRO for tuning or testing. It permits Ticket’s
and/or Up‘s bypass as Limp Mode even in Run state.
Manual
FixUp
Expert
It provides deep control on all modules for FixUp
if the Active-Safeguards retain the known hazards.
It forbids Run state compared to Maintenance.
Sub-modes
tied
to
IEC
modes
Empty Line Oper. Consecutively Empty each system one by one in the
line.Empty process interruptioncanoccur anytime.
Empty One Oper. Empty one system and stop with Empty signal sent to
MES. Empty process interruption can occur anytime.
Clean
Wash Oper. Cleaning process as specified by factory operation
procedure; an Empty mode is required before.
Setup
Check Oper. RecipesettingorinstrumentscalibrationinvolvingInline-
Checks;anEmptymodeisrequiredbeforeanewbatch.
Slow Run Leader It reduces the system running rate to balance line
stream rate (to be aligned to the bottleneck rate).
Once Run Leader It cycles the system one by one with the 0n button
pushedeachtime by operator before runningagain.
Limp Run Leader It allows the system to run while bypassing some
Up‘s or disabling some parts Ticket‘s (*).
Dry Run Expert It allows the system to run without parts or
Ticket‘s to validate logics or to warm-up (*).
JogSafe Expert Safe-Limited-Speed while muting Active-Safeguards.
See §SAFETY Safe-Speed conditions for any detail (*).
FailSafe Expert Switch controls to be as tolerant as possible to
likely failure with Actuator's Failsafe-Inn logics (*).
Sleep Oper. Switching-0ff Unsafe-Actuators (Electrical & Air)
after a pre-defined delay without producing parts.
• The IEC Modes are mutually exclusive (Production, Maintenance, Manual).
• Theothersarenotmutuallyexclusive, buttheyaretiedtoone IECModeatatime.
(*) means “this mode can be set from Maintenance or Manual modes only”.
KPIs KQIs
1...*
Act_Actuator
Act_Instrument
M_SS_AAAInst...
M_SS_AAA Act...
M_ Machine
0...*
specialization
Mgr_Report
1...*
baseclass MESserver
Admin
Cfg_
Par_
Ctl_
Sts_
Rep_
Alm_
Network
MES
Sts
MES
Ctl
M_SS Station
1...*
0...*
specialization
Mgr_Usecase
Mgr_AlmRCA
baseclass
base class
Mgr_Upreport
baseclass
Mgr_Ticketreport
baseclass
1...*
Parts
Paths
specialization baseclass
specialization baseclass
Safe
Interlocks
0...*
0...*
Ticketing
Mgr_Consecutive
base class

√𝑺𝑸𝑹
©
√𝑆𝑄𝑅
©
States Those apply totally to Machines and partially to Stations and Actuators .
Control States Stop Cat. Description compliant with IEC-60204-1:2016.
Interlocking
Safeguards
Produce
Run
Starting
Produce Parts for the ordered Batch‘s even under
alerts like predict-warn or prescribe-alert . It ends
due to an Alarm occurrence or an 0ff button push.
Pause
Pausing
Cat. #2 Halt due to a system external product-pause . Self-
back to run when the outer request disappears.
Hold
Holding
Cat. #2 Halt due to a system internal product-hold . Self-
back to run when the inner request disappears.
Stopped Cat. #2 Maintain process-cycle end, waiting for Starting by an
0n buttonpushor E-Stoppingby an 0ff button push.
Stopping Initiate process-cycle ending due to an 0ff button
push or process-fail and then go to Stopped state.
StartUp Dueto process-break or an 0n, set thesystem ready
for the last ordered Batch after visual-acoustic alerts.
Safe
Access
Reset Interlock Safeguards and energize without hazardous
motion to enable the 0n button for StartUp.
E-Stopped Cat. #0 Unlock Safeguards when energies are retained. If
Safeguards are closed, push Reset button for Reset.
E-Stopping Cat. #1 Immediate stop due to safeguard(s) unlocked or
system-crash ; go to E-Stop under retained energies.
• A single push on button 0ff Stops the system and, from Stop state, another
push retains Unsafe-Actuators Energies before Unlocking Safeguards.
• A Reset button push clears all Alarms and interlocks all Safeguards without
hazardous motion; then a Safeguards feedback enables the button 0n.
• The initial push on button 0n StartUps the system to reach Stop state, then
a 2nd
push or a "keep pressed" makes the system to run for producing.
Alarms An IACS shall detect alarms to rationally reveal hazards. Contextual Stoppages
data improve Root Cause Analysis for faster troubleshooting. Some alarms
may reject a part/product (i.e. Ticket Fail status tied to CPPs or CQAs) andmay
require additional acknowledgment with single [!] or double [!!] eSignature!.
Rationalization compatible with IEC-62682-1:2014.
Stop
Category
to correct cause
Current States
Priority# of Alarm
E-Stop
StartUp
Stop
Hold
Pause
Run
System
States
Effect
Action
Acknow.
Acquit
Access
#1 - System Crash      E-Stop 0/1    
#2 - Process Break     StartUp 2   
#3 - Process Fail    Stop 2  
#4 - Product. Hold   Hold 2 
#5 - Product. Pause  Pause 2 
#6 - Predict Warn   No Issue N/A 
#7 - Prescribe Alert   No Issue N/A 
It displays rationalized messages in Alarms Banner at machine and station levels.
#3_ 3_02_002 _B0:0, Load Grab Sensor Fail ! Dec. 24 • 08:11:47
Multilingual text + eSignature! Multiformat Time Stamp
Device Code vs IEC-81346-2:2019, see Stoppages for details.
P&IDn to localize the Alarm Origin vs _Machine#_Station#_Actuator#.
Priority# of the Alarm such as Crash, Break, Fail, Hold, Pause, Warn or Alert.
Interlocking
Safeguards
Safe Access
// I
I

E-Stopped
E-Stopping

Run
Pause
Hold-to-Run
Start
Reset
Manual
StartUp
Safe
Stopped
Stopping

√𝑺𝑸𝑹
©
√𝑆𝑄𝑅
©
Types They network data in the PLC vs modules types - Machine , Station or Actuator .
Attribute Type Description vs linked IEC-61512 Models such as .M. .S. .A.
InOut
Net_... Typ_... To NETWORK relevant data outside a system. 
_MES Typ_MES Refer with MES to Ctl-Sts system data. 
_KPIs Typ_KPIs Refer with KPI's FROM module(s) TO line. 
_Tkg Typ_Tkg Refer with Ticketing to push-pull line Part(s). 
Adm_... Typ_... To SHARE global data inside the system. 
_Use Typ_Use Refer with Use CaSe logic, i.e. sequencer.   
_Ups Typ_Up[n] Refer with Up(s) of station edge reports. 
_Tks Typ_Tk[n] Refer with Part's Ticket(s) edge reports. 
Cfg_... TBD[n] To FIX system settings into module.   
Inpu
t
Par_... TBD[n] To TUNE system values into module.   
Ctl_... TBD[n] To SET case/state into module.   
_Inp TBD[n] Pull signals from physics. 
Output
Rep_... TBD[n] To SEE edge values from module.   
Sts_... TBD[n] To GET case/state from module.   
_Reps Typ_Rep[n] Module Reports values.   
_Alms Typ_Alm[n] Module Alarms monitoring.  
_Cons Typ_Cons[n] Module Consecutive events. 
_Out TBD[n] Push signals into physics. 
4.4.1 Use CaSe It manages a Use CaSe logic for Machines or Stations ; one module owns only
one instance. It manages states and attributes for a sequential procedural logic.
Attribute Type Description
_.Cfg_Act BOOL Fix equipment to be active.
_.Cfg_Safe BOOL Fix safe interlock for Easy-Path.
_.Cfg_Unsafe BOOL Fix unsafe if manual action from HMI.
_.Cfg_Failsafe BOOL Fix failsafe for Easy-Path (i.e. recovery).
_.Cfg_Jog BOOL Fix jog-speed or step-by-step.
_.Ctl_Jog BOOL Set jog-speed or step-by-step request.
_.Par_Tmr DINT Tune equipment response time.
_.Par_Ctl DINT Tune equipment added control.
_.Ctl_Seq DINT Set next sequencer step.
_.Ctl_State DINT Set next state.
_.Sts_State DINT Get current state.
_.Sts_FailID DINT Get failure Identifier.
_.Sts_Lagg DINT Get slowest sequencer step.
_.Sts_Seqp DINT Get past sequencer step.
_.Sts_Seq DINT Get current sequencer step.
_.Rep_Tmr DINT See use response time value.
_.Sts_StateOns BOOL Get state change status.
_.Sts_SeqOns BOOL Get sequencer change status.
_.Sts_Failsafe BOOL Get failsafe condition status.
_.Sts_NoAlm BOOL Get while no alarm pending.
_.Sts_Estop BOOL Get E-Stop/Crash status (I.e. for Easy-Path recovery).
_.Sts_Done BOOL Get time-out after a control change, Sts_StateOns.
_.Sts_Safe BOOL Get safe status for Easy-Path.
_.Sts_End BOOL Get end status.
_.Sts_Jog BOOL Get jog status.
4.4.2 Consecutive It manages consecutive occurrences monitoring; in a positive way, it may
define the rate before enabling an output (i.e. lubrication); in a negative way,
it may define how many times an actuator can fail before rising relevant Alarms.
[#].Attribute Type Description (may expose multiple instances)
_.Cfg_Clear BOOL Fix clear, initialize every report.
_.Par_Cons DINT Tune occurrence quantity to set consecutive status.
_.Ctl_Prod BOOL Set each time a product cycle begins.
_.Ctl_Cons BOOL Set each time a consecutive occurs.
_.Ctl_Rst BOOL Set Reset, FROM global logic TO alarm logic.
_.Rep_CtrProd LINT See production ticks count since last report clear.
_.Rep_CtrCons LINT See consecutive count since last report clear.
_.Rep_Cons DINT See current consecutive occurrence count.
_.Rep_OEE DINT See Overall-Equipment-Effectiveness.
_.Sts_AlmOns BOOL Get alarm occurrence threshold, rise only.
_.Sts_Prod BOOL Get production tick threshold.
_.Sts_Cons BOOL Get consecutive reached.

√𝑺𝑸𝑹
©
√𝑆𝑄𝑅
©
4.4.3 Up Report A Station combines all devices required to perform a fragment of a process;
each station on the Process Path may upgrade Part(s) with one or more Up’s;
it manages the Reports to monitor one process made by one station Up.
_.Typ_Use Typ_Use Refer with the linked Use CaSe logic instance.
_.Typ_Recipes Typ_Recipe[ID,Up,n] Refer with the Global values. Update each time
RecipeID changes
_.Typ_Params DINT[n] Refer with the Local parameters.
_.Cfg_RecipeID DINT Fix Recipe identifier to produce the current Part.
_.Cfg_UpID DINT Fix current station Up identifier.
_.Cfg_NxtID DINT Fix next station Up identifier.
_.Sts_FailID DINT Get module/part Failure Identifier.
_.Sts_State DINT Get current state from tied Use CaSe.
_.Rep_TmrProd LINT See producing time since last report clear.
_.Rep_TmrFail LINT See failure time since last report clear.
_.Rep_CtrProd LINT See product count since last report clear.
_.Rep_CtrFail LINT See failure count since last report clear.
_.Rep_MTTF LINT See Mean-Time-To-Fail.
_.Rep_MTtR LINT See Mean-Time-To-Repair.
_.Rep_Tmr DINT See last response time value.
_.Sts_NoAlm BOOL Get station Up without alarm.
_.Sts_Enable BOOL Get station Up is useful (no bypass).
_.Sts_Lagg BOOL Get station Up is lagging all (too slow).
_.Sts_Prod BOOL Get station Up is producing (not failed yet).
_.Sts_Fail BOOL Get station Up has failed (fail-code in Sts_FailID).
_.Sts_End BOOL Get station Up is complete.
_.Sts_ICC BOOL Get Inline-Calibration-Checks with Challenge-Part.
_.Sts_Jog BOOL Get station Up jog.
4.4.4 Ticket Report It acts as a token for Traceability to trace a Part at each Station Up through
the whole Process Path; it may twin a fixture, mover, nest, puck, pipe or any
kind of carriers; it manages the Reports for 𝑃𝑟𝑜𝑑𝑢𝑐𝑡 = 𝑃𝑎𝑟𝑡 𝐶𝑜𝑚𝑝𝑙𝑒𝑡𝑒.
See §Reminder Parts Trace and Pallet Twin for an implementation synoptic.
_.Typ_Up Typ_Up Refer Station Up in front of the Part’s Ticket.
_.Typ_Tks Typ_Part[n] Refer with the data of Parts loaded in the Tickets.
Typ_Path[n] Refer with Process Path for Parts to complete a product.
_.Typ_TkIDs DINT[n] Refer with the Circular Buffer tied to part Ticket’s IDs.
_.Cfg_LastUp BOOL Fix last Station Up for the part (end of process).
_.Sts_RecipeID DINT Get Recipe identifier to produce the current Part.
_.Sts_PartID DINT Get Part identifier as discriminator in the Batch.
_.Sts_NxtID DINT Get next station Up identifier.
_.Sts_FailID DINT Get module/part Failure Identifier.
_.Sts_TkID DINT Get part Ticket identifier in the Circular buffer.
_.Rep_Tmr DINT See last response time value.
_.Sts_InProd BOOL Get part Ticket is in Production Mode.
_.Sts_Enable BOOL Get part Ticket is useful (not bypass). Shall be used to
open/close ticket
_.Sts_Used BOOL Get part Ticket is in use (not free).
_.Sts_Prod BOOL Get part Ticket is producing (ongoing work without fail).
_.Sts_Fail BOOL Get part Ticket is failed (with fail-code in Sts_FailID).
_.Sts_End BOOL Get part Ticket synchronized with end of Station Up.
_.Sts_ICC BOOL Get Inline-Calibration-Checks with Challenge-Part.
_.Sts_OK BOOL Get ticket ready to run the Station Up process .
4.4.5 Process Path It maps Part’s consecutives Stations Up‘s and Use’s to complete a process
that build a product; consider that 𝑃𝑟𝑜𝑑𝑢𝑐𝑡 = 𝐶𝑜𝑚𝑝𝑙𝑒𝑡𝑒𝑙𝑦 𝑃𝑟𝑜𝑐𝑒𝑠𝑠𝑒𝑑 𝑃𝑎𝑟𝑡
_.Next-Up DINT[n] Set the next station Up after the current station Up.
_.Next-Use DINT[n] Set the next Up Use (may be Inline-Calibration-Checks).

√𝑺𝑸𝑹
©
√𝑆𝑄𝑅
©
4.4.6 Analog Act. It manages an analog imperative logic ( Actuator only, no sequential logic).
_.Cfg_Minimum DINT Fix minimum range value.
_.Cfg_Maximum DINT Fix maximum range value.
_.Cfg_InpWidth DINT Fix in-position width.
_.Cfg_JogRatio DINT Fix Jog Speed ratio versus nominal one.
_.Cfg_Safe BOOL Fix safe interlock from adjacent actuators (i.e. Easy-Path).
_.Cfg_Failsafe BOOL Fix Failsafe, simulate input vs response time.
_.Cfg_NoAlm BOOL Fix Alarms muting, no alarm status on failures.
_.Cfg_Mirror BOOL Fix Mirroring, set output as an image of input.
_.Cfg_Clear BOOL Fix Reports clearing, initialize edge values.
_.Par_Tmr DINT Tune actuator response time.
_.Par_Ctl DINT Tune actuator added control.
_.Ctl_Out DINT Set Output, FROM global logic TO local logic.
_.Ctl_Inn DINT Set Input, FROM physical input TO local logic.
_.Ctl_Hold BOOL Set immediate stop or hold-to-run situation.
_.Ctl_Rev BOOL Set Reverse Speed in JogSafe motion.
_.Ctl_Jog BOOL Set Jog Speed for setup or JogSafe motion.
_.Rep_Tmr DINT See current response time value.
_.Sts_Ante BOOL Get current position is before setpoint.
_.Sts_Post BOOL Get current position is behind setpoint.
_.Sts_Rev BOOL Get current speed is reverse.
_.Sts_Jog BOOL Get current speed is in JogSafe motion.
_.Sts_CtlOns BOOL Get control change threshold, rise and down.
_.Sts_Alm0 BOOL Get alarm if Ctl_Out=0 and Ctl_Inp=1 after time-out.
_.Sts_Done BOOL Get time-out after a control change, Sts_CtlOns.
_.Sts_Safe BOOL Get safe interlock for adjacent actuators (i.e. Easy-Path).
_.Rep_Out DINT See output, FROM local logic TO physical output.
_.Rep_Inn DINT Get input, FROM local logic TO global logic.
_.Sts_Inp BOOL Get in-position, FROM local logic TO global logic.
4.4.7 Digital Act. It manages a digital imperative logic ( Actuator only, no sequential logic).
_.Ctl_Out BOOL Set Output, FROM global logic TO local logic.
_.Ctl_Inp BOOL Set Input, FROM physical input TO local logic.
_.Sts_Out BOOL Get output, FROM local logic TO physical output.
_.Sts_Inp BOOL Get input, FROM local logic TO global logic.

√𝑺𝑸𝑹
©
√𝑆𝑄𝑅
©
4.4.8 Check Act. It manages a check imperative logic ( Actuator only, no sequential logic).
_.Par_Chk DINT Tune actuator check time.
_.Ctl_Trig BOOL Set Change-of-State Trigger, FROM global logic TO local logic.
_.Ctl_CoS BOOL Set Check Change-of-State, FROM global logic TO local logic.
_.Ctl_Off BOOL Set Check Off, FROM global logic TO local logic.
_.Ctl_On BOOL Set Check On, FROM global logic TO local logic.
_.Ctl_Done BOOL Set Done, FROM global logic TO local logic.
_.Ctl_Inp BOOL Set Input, FROM physical input TO local logic.
_.Sts_Fail BOOL Get failed check, FROM local logic TO global logic.
_.Sts_Inp BOOL Get input, FROM local logic TO global logic.
4.4.9 Use Act. It manages Sequential logic for a Smart Actuator or an Aggregate of them.
_.Cfg_Failsafe BOOL Fix failsafe for Easy-Path (i.e. recovery).
_.Cfg_ExoAlm BOOL Fix Alarms externally managed (i.e. from the tied sequencer).
_.Cfg_Jog BOOL Fix jog-speed or step-by-step.
_.Par_Tmr DINT Tune equipment response time.
_.Par_Ctl DINT Tune equipment added control.
_.Ctl_Jog BOOL Set jog-speed or step-by-step request.
_.Ctl_Seq DINT Set next sequencer step.
_.Ctl_State DINT Set next state.
_.Sts_State DINT Get current state.
_.Sts_Seqp DINT Get past sequencer step.
_.Sts_Seq DINT Get current sequencer step.
_.Sts_StateOns BOOL Get state change status.
_.Sts_SeqOns BOOL Get sequencer change status.
_.Sts_Failsafe BOOL Get failsafe condition status.
_.Sts_Alm0x BOOL[n] Get alarms if Ctl_State.0 without feedback after time-out.
_.Sts_Alm1x BOOL[n] Get alarms if Ctl_State.1 without feedback after time-out.
_.Sts_Estop BOOL Get E-Stop/Crash status (I.e. for Easy-Path recovery).
_.Sts_Done BOOL Get time-out after a control change, Sts_StateOns.
_.Sts_End BOOL Get end status.
_.Sts_Jog BOOL Get jog status.

√𝑺𝑸𝑹
©
√𝑆𝑄𝑅
©
Semantics Based on MSDN General Naming Conventions.
• USE Pascal case notation, NOT Hungarian; AVOID conflict with codingkeywords.
• USE an English noun or statement to designate modules and/or features.
• CAST easily readable designations and PROMOTE simplicity and directness.
4.5.1 Domain Visibility The domain defines the tags visibility as Public-Global or Private-Local.
Public Tag (global visibility) Private Tag (local visibility)
_Tag = " _M_Ss " + " Private_Tag "
Ex: " _1_02_003_Check.Sts_End “
_Tag = " Aaa " + "Feature.Attribute"
Ex: " _003_Check.Sts_End "
_M for machine ID _Ss for station ID _Aaa for actuator ID
4.5.2 Prefix and
Attributes
Prefix_Suffix-Attributes Description Dir.
_Ack Acknowledge As an alarm acknowledgment (i.e. eSignature!).
Act_ _Act Actuator To REFER with a control module. InOut
Adm_ _Adm Administrate To SHARE data anywhere in one system. InOut
_Alc Alarm Cause To sign a Root Cause vs P&IDn and device code.
_Alm Alarm Message To sign crash, break, fail, hold, pause, warn, alert
_Ana Analog Limited To sign an analog limited device (i.e. Act_).
_Ang Analog Angular To sign an analog modulo device (i.e. Act_).
Cfg_ _Cfg Configuration To FIX system settings in the logic. Input
_Chk Check Feature To sign check feature as Challenge-Part (i.e. Act_).
_Chx Check eXtended To sign extended check as feeder level (i.e. Act_).
_Clear Clear Reports To sign clear of reports (i.e. Cfg or Ctl).
_Cons Consecutive To sign consecutive process failures.
Ctl_ _Ctl Control-Cmd To SET case/state in the logic. Input
_Ctr Counter To increment numerical data.
_Dgt Digital Feature To sign elementary digital device (i.e. Act_).
_Dgx DigitaleXtended To sign extended digital device (i.e. Act_).
_Dly Digital Delay To sign delayed digital device (i.e. Act_).
_Done Overtime To sign running timer is done.
_End Complete To sign last feature has ended.
_Fail Failure To sign failed product versus Alarm.
_Failsafe Failsafe As failsafe mode (recoveryoremulation).
_ICC ICC Checks As Inline Calibration Check (i.e. Mgr_).
_...ID Identifier To sign multiple identifiers (i.e. Array).
_Inp Input To pull physical input from control device.
_IPC KPI Control As Inline Process Control (i.e. Mgr_).
_IPS KQI Sample As Inline Process Sampling (i.e. Mgr_).
_Jog JogSafe To sign JogSafe motion or step-by-step.
_Log Login "User" To sign User Login linked to credentials.
_MES M.E.S. As Manufacturing Execution System.
Mgr_ _Mgr Manager To MANAGE basic procedural module features. InOut
_Mode Mode To sign the chosen mode of the logic.
Net_ _Net Network To NETWORK IPC, IPS, Stoppages, Trace with MES. InOut
_NRG Energies As energies monitoring recorder (i.e. Act_).
_OEE O.E.E. As Overall Equipment Effectiveness (I.e. Reports).
_Ons Once Shot To sign a change threshold, rise and/or down.
_Out Output To push physical output to control device.
Par_ _Par Parameter To TUNE system values in the logic. Input
_Part Part Data To trace a part (i.e. Traceability).
Rep_ _Rep Report To SEE edge values out of the logic. Output
_Rst Reset To sign a reset for acknowledged alarms.
_...s Array of ... To sign data array (one or more axises).
_Safe Safe Interlock To sign safe with adjacent modules for Easy-Path.
_Seq Sequencer To sign a step in a sequential logic.
_Spg Sampling To sign a Sampling device as IPS-ICC (i.e. Act_).
_SRP Safety As SafetyRelatedPartsofControlSystem(i.e.SRP/CS).
_State State To sign the chosen state of the logic.
_Str String To sign alphanumeric characters chain.
Sts_ _Sts Status To GET case/state out of the logic. Output
Tmr_ _Tmr Timer To TIME stamp by clock/Tick or related data. InOut
_Tk Part Ticket To share part tokens and report Traceability.
Typ_ _Typ User Data Type To REFER with data structures going In & Out
modules.
InOut
_Up Station Up To share Up of station reports (single track).
_Use Use CaSe To use a procedural module or smart device.
4.5.3 Data Size
Assessment
Applications data assessment lets size application memory, see Ratiocators.
• Tags Quantity = Core_tags + Process_tags
(Spare > 20%) = GuardQty x 184 tags + (StationQty + UpQty) x 272 tags
• I/O Quantity = Core_I/O + Process_I/O
(Spare > 20%) = GuardQty x 16DI•8DO + UpQty x 16DI•8DO•3AI•2AO
"DI" Digital Input - "DO" Digital Output - "AI" Analog Input - "AO" Analog Output.

√𝑺𝑸𝑹
©
USER INTERFACE Control Systems Guidelines 13 / 31 
√𝑆𝑄𝑅
©
5 USER INTERFACE
HMIs Duties The interface between users and Control System shall be designed and realized
such that no person is endangered during all intended use and reasonable
foreseeable misuse of the machine. The interface ergonomic shall be easy to use
so the user is not tempted to act in hazardous manners, i.e. ISO-13849-1:2015.
5.1.1 Colors Guide It shall comply with IEC-60204-1:2016, see §Reminder Safety Colors.
Colors Line Machine Station Actuator Alarms
Red Abort E-Stop In Alarm Crash
Yellow Complete-ClearUp-Idle StartUp - Stop Stop – 0ff Break - Fail
Blue - Hold Jog Alarm Ack. Hold
Green Run Run – 0n Warn - Alert
White/Black Pause Failsafe Pause
5.1.2 Lights & Buttons They shall comply with IEC-60204-1:2016, see §Control System Control Panels.
Active Safeguards States Stack-Lights Pushbuttons
If
hazard
cause
irreversible
injuries
Disable SRP/CS E-Stop Flashing
Red
Enable SRP/CS Safe-Reset Steady
Continuous
Check on all
Safety Related Parts of
Control System
to ensure user's
Safeguards
StartUp Flashing
Yellow
Stop Steady
Hold Flashing Blue
Pause
Run
Flashing
Steady
Green
Horn in StartUp if unable to see all. Buzzer
Flash in Reset or Stop states - Steady in Run. 0n Button Light
Flash in E-Stop state or if an Alarm is pending. Reset Button Light
Flash in Run or Stop state - Steady in E-Stop. 0ff Button Light
The flashing pushbuttons induce user action to Run, Reset or Stop the system.
Any hazard able to cause irreversible injuries induce PHYSICAL pushbuttons.
User Access The IS/IT Policies require regular passwords changes. A centrally managed
user's credentials as Active Directory reduces time for password updates.
5.2.1 User Login The IS/IT Networks credentials domain manages user's names and passwords.
• This function is robust, fast and easy to use as company-badges or ID-cards.
• Auto-logout after a delay of inactivity and switch to Access Guest Level #3.
5.2.2 User Roles HMIs Features Users
see next HMI Hierarchy
Expert
Leader
Operator
Guest
(*) one machine may control the entire Line also. Levels #0 #1 #2 #3
• Select languages, dates and units formats.    
• Access to the 0ff buttons and the Machine Screens (*).    
Access to the Reset and 0n buttons.    x
Select Machine reports, modes and states (*).    x
Control machine recipe parameters and configurations.   x x
• Access to the sub-system (Stations or Actuators) Screens.    x
Select sub-systems reports and status.    x
Control sub-systems recipe parameters and states.   x x
• Control sub-systems setting parameters and configurations.  x x x
Control IS/IT Policies in the Control System.  x x x
5.2.3 Acknowledge
5.2.4 eSignature!
User's credentials acknowledgments with Electronic Signature provide audit trail
for Parameters or Alarms tied to CPPs, CQAs or OPRPs that may alter the product;
only alarms with priority #1 , #2 or #3 may have signable acknowledgments :
• Double eSignature !! requires BOTH Operator AND Leader credentials.
• Single eSignature ! requires ONLY one Operator OR one Leader credentials.
• No eSignature if Parameters or Alarms are NOT tied to CPPs, CQAs or OPRPs.
//
I 

√𝑺𝑸𝑹
©
√𝑆𝑄𝑅
©
Visual Features The visualization application shall comply with the human centered features
as guided in ISO-9241:2010; the next sections may describe how to apply those.
5.3.1 Header Bar This screen area shall display the following information :
• Manufacturing ID's of current Batch and Recipe.
• Multilingual selected text (or English) and Multiformat dates/units.
• User Login versus User Roles with an auto-logout (potentially user’s ID merge).
• Screen Title based on P&IDn, with the role and task of the device under focus.
Line SQR_Line • Line Task... SQR_ N/A N/A N/A
Machine SQR_3_Sealer • Machine Task... ' ' _3_ N/A N/A
Station SQR_3_00_Frame • Station Task... ' ' ' ' in
ISO-
9241:
2010
and
N/A
Actuator SQR_3_00_031_Energy • Actuator Task… ' ' ' ' ' ' _031
_
• Date & Time (The IS/IT Networks time service synchronizes every HMI and
a Clock Update Tools synchronizes HMIs and PLCs date and time).
• Current Modes of the Line and the Machine in focus.
5.3.2 Navigation Bar The Visual Model shall give an intuitive navigation to find any information with no
more than 3 clicks through a visualization application based on a flat design.
Left Bar to select machinery level Right Bar to select contextual task
To see the current
Batch and Recipe.
To expose Modes
of a module in focus.
To focus on
the Line,
also use as Home Screen.
To expose States
To focus on
a Machine.
To expose Reports
To focus on
a Station.
To expose diagnostics
To focus on
an Actuator.
To expose Recipes
of a module in focus,
with potential eSignature!
To send screenshot
to anyone anywhere.
To expose settings
To select Machine(s)
Stoppages causes.
To expose Machine(s)
Alarms or alerts,
with potential eSignature!
5.3.3 Alarms Banner This screen area shall toggle between Alarms Banner and Alarms Screen. The
messages merging Alarms attributes shall switch between local language and
English. Note Single [!] or double [!!] eSignature! in case of altered process.
[Stoppages] "Priority - Mach-Station-Act - Code - Description - Date&Time" [Alarms]
5.3.4 21 CFR Part 11 Optionally, Electronical Records and Signatures may comply with the FDA:
Audit Trail Topics Traceable Storage Descriptions
MES Types Batch, Recipe, and Raw-Lot logs.
Login / Logout User Access occurrences recapitulation.
System Events Modes, States, Alarms and eSignature! logs.
Product Traceability Push/Pull transactions for Ticketing to Trace each Part.
ConfigurationChanges Exhaustive recipe parameters & system settings logs.

√𝑺𝑸𝑹
©
√𝑆𝑄𝑅
©
t
Visual Model The visual HMI shall display any information with no more than three clicks.
5.4.1 HMI Hierarchy The HMI shall adopt the same hierarchical model as its linked PLC architecture.
In a Model–View–Controller
(MVC) pattern, the HMI
layout matches its System
Hierarchy; this mapping
provides design agility
and intuitive navigation
with active-stickers on 3D
picture to select modules
under focus.
The MVC design pattern
frames software modules
to allow parallel design
and efficient code reuses.
The NAMUR’s MTP-POL
provides similar paradigm.
5.4.2 Screenshots The next examples may guide an implementation of the previous features :
• Line Modes • Line States
• Machine Modes • Machine States
• Machine Reports • Machine Parameters
Guest Level #3
Line
"Cell"
View

Controller
Model
Updates
Reads
Writes
Events
Machine
"Unit"
Machine
"Unit"
OperatorLevel #2
Station
"Equip."
Station
"Equip."
Station
"Equip."
Leader Level #1
Actuator
"Module"
Actuator
"Module"
Actuator
"Module"
Actuator
"Module"
Actuator
"Module"
Actuator
"Module"
Actuator
"Module"
Expert Level #0
Expert
#6_3_02_010_C2:1, Load Feed Level Warn Dec. 24  07:49:11

States

Reports

Status

Parameters

Configurations
SQR
Line

Run
_
Machine
_
Station
_
Actuator

Stoppages Alarms

Shares
Chateleu
123456789 Production
Production
Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's Modes
Modes
"Batch"
SQR_Line  Modes
_1_Molder
NoAlm 87%
_2_Dryer
NoAlm 86%
_3_Sealer
Alm 85%
"Free"
Manual
"MRO"
Maintenance
Production
Setup
Clean
Empty
Production
N/A Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
SQR_Line  States
Run
Abort
Complete
Idle
ClearUp
Pause
_1_Molder
NoAlm 87%
_2_Dryer
NoAlm 86%
_3_Sealer
Alm 85%

States
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line

Run
_
Machine
_
Station
_
Actuator

Stoppages Alarms

Shares
Chateleu
Production
Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's Modes
Modes
SQR_3_Sealer  Modes
_3_Sealer
Machine
Run
_10_Seal
NoAlm 98%
_02_Load
Alm 105%
_13_Unload
NoAlm 109%
_00_Frame
NoAlm 114%
_04_Fill
NoAlm 98%
_12_Trace
NoAlm 109%
"Automatic"
"FixUp"
Manual
"Semi-Auto"
Maintenance
Production
Setup
Clean
Empty
Limp Run
Once Run
Slow Run
Sleep
JogSafe
Dry Run
Production
Production Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
SQR_3_Sealer  States
_10_Seal
NoAlm 98%
_00_Frame
NoAlm 114%
_04_Fill
NoAlm 98%
_12_Trace
NoAlm 109%
_3_Sealer
Machine
Run

States
_02_Load
Alm 105%
_13_Unload
NoAlm 109%
Run
Hold
Estop
Reset
Stop
StartUp
Pause
//
I

 I
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
SQR_3_Sealer  Reports
Rate Nominal Current Average
[part/min] 60 60 57
Report Select Batch Shift Used
Used Time [hour] 883.4 6541.2 7358.8
Prod. Time [hour] 882.9 6534.3 7257.8
Used Parts [part] 3040518 21637474 23906830
Prod. Parts [part] 3009968 21420562 23664979
Fail. Parts [part] 30545 216949 241888
M.T.T.F. [sec] 104 108 108
M.T.t.R. [sec] 0 0 1
Availability % 100 100 99
Performance % 96 92 91
Quality % 99 99 99
OEE % 96 92 89
100% 96% 99%
Availability Performance Quality

Reports
_3_Sealer
Machine
Run
[part/Rate]
[minute]
Work in Progress Time Line  Batch
Real Time Overall Equipment Effectiveness  Batch
08
06
07
09
05
10
04
11
03
12
02
14
0 1
4
1
0
7
1 3
0 2
1 2
0 3
1 1
0 4
1 0
0 5
0 9
13
01
0 6
0 8
Full Fail
OFF Lagg
Station Up Part Ticket
ON Alm
#1
#4
#2
#3
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
SQR_3_Sealer  Parameters

Parameters
_3_Sealer
Machine
Run
Batch ID Recipe ID GTIN
123456789 Chateleu 3092718605339
Expiration Raw-Lots ID Quantity
2020-Dec-24 SQR191224 4'000'000
Raw-Lot [0] Raw-Lot [1] Raw-Lot [2]
NFL-43210 NFL-54321 NFL-54321
Raw-Lot [3] Raw-Lot [4] Raw-Lot [5]
NFL-65432 NFL-87654 NFL-98765
Batch ID Recipe ID Product GTIN
123456789 Chateleu 3092718605339
Expiration Product SSCC - S/NHigh-digits Part ID - S/NLow-digits
2020-Dec-24 SQR191224.- -.3'009'969
Product Time Print Device Check Device
2019-Dec-24 _3_12_001_Print _3_12_002_Check
Batch OK
Recipe OK
Batch OK
SSCC OK
Raw-Lot OK
Control Status
Control Status
MES 
Trace  OK
OK

√𝑺𝑸𝑹
©
√𝑆𝑄𝑅
©
• Machine Stoppages • Machine Alarms
• Machine Configurations • Station Configurations
• Station Parameters • Station Status
• Station Reports • Actuator Reports
• Station States • Actuator States
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line

Run
_
Machine
_
Station
_
Actuator

Stoppages Alarms

Shares
Chateleu
Production
Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's Modes
SQR_3_Sealer  Stoppages
Free Cause  Due to vacation 
Materials Lack Labor Lack
Demand Lack
MRO Cause  Due to maintenance 
Warm-Up Labor Stoppage
Check-Up
Repair Overhaul
Maintenance
Clean Setup
Empty
Batch Cause  Due to production 
_3_Sealer
Machine
Stop

Stoppages
User Control Status
User Control Status OK
OK
#3_3_02_002_B0:0, Load Grab SensOn Fail ! Dec. 24  08:11:47
User Control Status OK
Unplanned
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
! eSignature  !! eSignature 
SQR_3_Sealer  Alarms

Alarms
_3_Sealer
Machine
Stop
_ _ ___
User
Password
Note

! Single Ack.
#2_3_13_002_B0:1, Unload Grab Sensor Break Dec. 23  14:23:46
#4_3_04_003_B4:1, Fill Hopper Low Hold Dec. 22  09:59:01
#1_3_Adm_001_F06:1, Adm Guard1 Crash Dec. 22  08:25:17
#2_3_10_001_X0:1, Seal Press Network Break !! Dec. 20  17:16:34
#3_3_10_001_P0:1, Seal Press Consecutive Fail ! Dec. 20  11:22:33
#n_Identifier_Ʌn:X  Message Date  Time
Past 
Pending 
#n_Identifier_Ʌn:X  Message Date  Time

!! Double Ack.
_ _ ___
User
Password
Note
#4_3_00_002_B1:1, Frame Lubrification Hold Dec. 17  15:11:44
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
SQR_3_Sealer  Configurations

Configurations
_3_Sealer
Machine
Run

Open

Pull

Push
Enable Process Stations • Offline Recipe • Online Recipe Set Tickets Enable
 SQR_3_01_ • •  01 
 SQR_3_02_Load • Load_Chasseral • Load_Chateleu  02 
 SQR_3_03_ • •  03 
 SQR_3_04_Fill • Fill_Chasseral • Fill_Chateleu  04 
 SQR_3_05_ • •  05 
 SQR_3_06_ • •  06 
 SQR_3_07_ • •  07 
 SQR_3_08_ • •  08 
 SQR_3_09_ • •  09 
 SQR_3_10_Seal • Seal_Chasseral • Seal_Chateleu  10 
 SQR_3_11_ • •  11 
 SQR_3_12_Trace • Trace_Chasseral • Trace_Chateleu  12 
 SQR_3_13_Unload • Unload_Chasseral • Unload_Chateleu  13 
 SQR_3_14_ • •  14 

Save

07
Set / Rst 
 All
 All
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
SQR_3_02_Load  Configurations
_3_Sealer
Machine
Stop
_02_Load
Station
Alm
_001_Robot
NoAlm 100%
_002_Grab
Alm 0 99%
_003_Check
NoAlm 100%
_010_Feed
Alm I 100%
_004_ICC
NoAlm 0.1%
Use.Par_Tmr [ms] 980
Use.Par_Ctl [ ] -1
Use.Cfg_Act [ ] 
Use.Cfg_Safe [ ] 
Use.Cfg_Unsafe [ ] 
Use.Cfg_Failsafe [ ] 
Use.Cfg_Jog [ ] 
Use.Ctl_Jog [ ] 
Use.Ctl_Seq [ ] +0
Use.Ctl_State [ ] +0
Up.Typ_Recipes [ ] Global
Uu.Typ_Params [ ] Local
Up.Cfg_Clear [ ] 
Up.Cfg_RecipeID [ ] Chateleu
Up.Cfg_UpID [ ] 302
Up.Cfg_NxtID [ ] 304
Tk.Cfg_Clear [ ] 
Tk.Cfg_LastUp [ ] 

Configurations
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
SQR_3_02_Load  Parameters
_3_Sealer
Machine
Stop
_02_Load
Station
Alm
_001_Robot
NoAlm 100%
_002_Grab
Alm 0 99%
_003_Check
NoAlm 100%
_010_Feed
Alm I 100%
_004_ICC
NoAlm 0.1%
Parameters Min Value Max
_Unload Time Out [ms] 940 940 940
_000_Path Time Out [ms] 100 210 360
_001_Robot Time Out [ms] 100 300 1000
_001_RobotZ High Setpoint [μm] -1000 0 100000
_001_RobotZ Pick Setpoint [μm] -1000 25000 100000
_001_RobotZ Place Setpoint [μm] -1000 50000 100000
_001_RobotX Pick Setpoint [μm] -50000 10000 500000
_001_RobotX Place Setpoint [μm] -50000 100000 500000
_001_RobotX Reject Setpoint[μm] -50000 200000 500000
_001_RobotX IPCs Setpoint [μm] -50000 300000 500000
_002_Grab Time Out [ms] 10 130 500
_003_Reject Time Out [ms] 10 120 500
_004_ICCs Time Out [ms] 10 2000 99999
_004_Sample Interval [part] 10 200 99999
_004_Shot Size [shot] 1 2 10

Parameters
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
SQR_3_02_Load  Status
_3_Sealer
Machine
Stop
_02_Load
Station
Alm
_001_Robot
NoAlm 100%
_002_Grab
Alm 0 99%
_003_Check
NoAlm 100%
_010_Feed
Alm I 100%
_004_ICC
NoAlm 0.1%
Use.Sts_State [ ] 4
Use.Sts_FailID [ ] 002'2
Use.Sts_Seqp [ ] 102
Use.Sts_Seq [ ] 0
Use.Sts_Lag [ ] 101
Use.Sts_Failsafe [ ] 
Use.Sts_NoAlm [ ] 
Use.Sts_Estop [ ] 
Use.Sts_Done [ ] 
Use.Sts_Safe [ ] 
Use.Sts_End [ ] 
Use.Sts_Jog [ ] 
Up.Sts_FailID [ ] 002'02
Up.Sts_State [ ] 4
Up.Sts_NoAlm [ ] 
Up.Sts_Enable [ ] 
Up.Sts_Lagg [ ] 
Up.Sts_Prod [ ] 
Up.Sts_Fail [ ] 
Up.Sts_End [ ] 
Up.Sts_ICC [ ] 
Tk.Sts_RecipeID [ ] Chateleu
Tk.Sts_PartID [ ] 3'009'985
Tk.Sts_NxtID [ ] 04
Tk.Sts_FailID [ ] 002'02
Tk.Sts_TkID [ ] 05
Tk.Sts_Time [ms] 980
Tk.Sts_InProd [ ] 
Tk.Sts_Enable [ ] 
Tk.Sts_Used [ ] 
Tk.Sts_Prod [ ] 
Tk.Sts_Fail [ ] 
Tk.Sts_End [ ] 
Tk.Sts_ICC [ ] 
Tk.Sts_OK [ ] 

Status
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
SQR_3_02_Load  Reports
_3_Sealer
Machine
Stop
_02_Load
Station
Alm
_001_Robot
NoAlm 100%
_002_Grab
Alm 0 99%
_003_Check
NoAlm 100%
_010_Feed
Alm I 100%
_004_ICC
NoAlm 0.1%
Use.Rep_Tmr [ms] 1000
Up.Rep_TmrProd [ms] 3529870
Up.Rep_TmrFail [ms] 40203
Up.Rep_CtrProd [part] 3600
Up.Rep_CtrFail [part] 41
Up.Rep_MTTF [ms] 86094
Up.Rep_MTtR [ms] 980
Up.Rep_OEE [%] 98
Up.Rep_Tmr [ms] 980
Tk.Rep_TmrProd [ms] 724703
Tk.Rep_TmrFail [ms] 11581
Tk.Rep_CtrProd [part] 254
Tk.Rep_CtrFail [part] 12
Tk.Rep_MTTF [ms] 60391
Tk.Rep_MTtR [ms] 965
Tk.Rep_OEE [%] 94
Tk.Rep_Tmr [ms] 980
Part.BatchID 123456789
Part.RecipeID Chateleu
Part.ProdGTIN 3092718605339
Part.Expiration 2020-Dec-24
Part.ProdTime 2019-Dec-24
Part.ProdSSCC SQR191224.-
Part.PartID 3'009'979
Part.TkID 05
Part.Slot PP-SS-TT-05
Part.Tray PP-SS-TT
Part.Stack PP-SS
Part.Pallet PP

Reports
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
SQR_3_02_002_Grab  Reports
_010_Feed
Alm I 100%
_001_Robot
NoAlm 100%
_002_Grab
Alm 0 99%
_003_Check
NoAlm 100%
_002_Grab
Actuator
Alm 0
_3_Sealer
Machine
Stop
_02_Load
Station
Alm
_004_ICC
NoAlm 0.1%

Reports
Rep_TmrProd [ms] 3528870
Rep_TmrFail [ms] 980
Rep_CtrProd [act] 3599
Rep_CtrFail [act] 1
Rep_MTTF [ms] 3528870
Rep_MTtR [ms] 1
Rep_OEE [%] 99
Rep_Tmr [ms] 100
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
SQR_3_02_Load  States
_3_Sealer
Machine
Stop
_02_Load
Station
Alm

States
_001_Robot
NoAlm 100%
_002_Grab
Alm 0 99%
_003_Check
NoAlm 100%
_010_Feed
Alm I 100%
Run
Estop
StartUp
Jog…
FailSafe
§
I
//


_004_ICC
NoAlm 0.1%
Expert

States

Reports

Status

Parameters

Configurations
SQR
Line
Run
_
Machine
_
Station
_
Actuator

Stoppages

Alarms

Shares
Chateleu
123456789 Batch
Recipe
Line
Machine
01:11
English
Dec. 24  07:49:11
ID's
Production
Production
Modes
SQR_3_02_002_Grab  States
_010_Feed
Alm I 100%
_001_Robot
NoAlm 100%
_002_Grab
Alm 0 99%
_003_Check
NoAlm 100%
_002_Grab
Actuator
Alm 0
_3_Sealer
Machine
Stop
_02_Load
Station
Alm

States
Alarm 0
Alarm I
ON I
FailSafe
OFF 0
§
I

//
_004_ICC
NoAlm 0.1%

√𝑺𝑸𝑹
©
MES NETWORK Control Systems Guidelines 17 / 31 
√𝑆𝑄𝑅
©
6 MES NETWORK
It networks the machines to the Manufacturing Execution Systems (MES) to
manage batch, handle recipes, catch alarms, trace parts and record reports.
Such Condition-Based Monitoring's (CBM) collect and contextualize edge reports
for production improvement as for Maintenance, Repair & Overhaul (MRO);
such data may establish trends, predict failures and prescribe corrective actions.
those tasks may run in a line PLC or in a Data Server that shall redundantly collect
machines data via OPC-UA Client services, while machines host OPC-UA Servers.
Line Modes It means operational periods of the line and affects the reports calculations.
Line Modes Periods … define the Stoppages types and under which Batch
Production Batch To produce parts based on ordered batch’s. 
Maintenance MRO To execute Maintenance-Repair-Overhaul. X
Manual Free When a line is vacant or released.
Line States In Production, a line PLC or MES Server controls the line state to synchronize all
line systems to Batch, Raw-Lot and Recipe in compliance with IEC-61512-1:1997.
Line States Line behavior Systems behavior
Run Starting Running batch. Running under MES control.
Pause Pausing Pausing batch. Temporary pause the batch.
Idle Waiting Line is ready to bath. Systems are ready to produce.
ClearUp Reset Clear for new batch. Setup batch, recipe and raw-lot data.
Complete Ending Batch is successful. Empty line and release batch.
Abort Aborting Batch has failed. Empty line and scrap batch.
MES Types They network data to build E2E chain through all the line from each machine.
Typ_MESCtl-Sts To Network mirrored control/status by system.
Batch Typ_Batch[n] Network Batch data (Manufacturing Order).
BatchCtl-Ack DINT/BOOL Network Batch Control and Status
Recipe Typ_Recipe[n] Network Recipe Parameters.
RecipeCtl-Ack DINT/BOOL Network Recipe Control and Status.
RawLot Typ_RawLot[n] Network material Raw-Lots linked to batch.
RawLotCtl-Ack DINT/BOOL Network material Raw-Lots Control and Status.
Trace Typ_Trace[n] Network Part's Traceability.
TraceCtl-Ack DINT/BOOL Network Part's Control and Status.
ModeSystem DINT Network System Modes.
StateSystem DINT Network System States.
SpeedSystem DINT [Cyc/Min] Network System Current Speed.
RateSystem DINT [Part/Min] Network System Average Rate.
Typ_KPIs For key performance indicators by system events.
IPC Typ_IPC[n] Network Inline Process Control by system.
IPS Typ_IPS[n] Network Inline Process Sampling by system.
NRG Typ_NRG[n] Network Energies Consumption by system.
Rep Typ_Rep[n] Network Reports based on systems States.
STP Typ_STP Network Stoppages vs Alarms (i.e. RCA)
SystemID STRING Network System Identifier.
UserID STRING Network User Identifier.
6.3.1 Batch It networks data usedto synchronize systems to batch(manufacturingorder) with
twoMESinstances(oneforcontrol"MESCtl.Batch"andoneforstatus"MESSts.Batch").
_.ID DINT/STRING Batch Identifier (Manufacturing Order).
_.RecipeID DINT/STRING Product Recipe Identifier (number / name).
_.ProdGTIN DINT/STRING Product Global Trade Item Number vs GS1 Authentication.
_.Expiration DINT/STRING Product Parts Expiration linked to Batch Date & Time.
_.RawLotsID DINT/STRING Raw-Lots List Identifier for SSCC as S/N high digits.
_.Quantity DINT Required Batch Quantity.
_.ModeLine DINT Get Line Modes.
_.StateLine DINT Get Line States.
Abort Complete ClearUp
Idle
Run
Pause

√𝑺𝑸𝑹
©
√𝑆𝑄𝑅
©
6.3.2 Recipe It networks the recipes parameters to a Station Up‘s every time its Ticket‘s
RecipeID changes, see §MES Network Types; the values tied to CPPs, CQAs or
OPRPs that may alter the product require single [!] or double [!!] eSignature!.
_.ID DINT/STRING Product Recipe identifier (number / name).
_.P&ID DINT/STRING Module P&IDn.
_.Role STRING Role Description.
_.Unit STRING Engineering Unit.
_.Min TBD Range minimum.
_.Max TBD Range maximum.
_.Value TBD Value as setpoint.
6.3.3 Raw-Lot It networks data type for material Raw-Lots consumed or produced by the
systems in relation to the running batch, see §MES Network Types.
_.ID DINT/STRING Material Raw-Lot identifier (number / name).
_.Role STRING Material Raw-Lot role description.
_.Category STRING Material Raw-Lot category.
_.Quantity DINT Material Raw-Lot quantity.
_.Ratio TBD Material Raw-Lot ratio.
6.3.4 Trace It networks the Traceability to serialize Part's, see §MES Network Types.
_.Typ_PRN Typ_Part[n] Refer with data to write to the print device.
_.Typ_CHK Typ_Part[n] Refer with data to read from the check device.
_.Control DINT Set the case/state.
_.ModeLine DINT Get Line Modes.
_.StateLine DINT Get Line States.
_.Sts_Batch BOOL Rises when Ctl_Batch matches Sts_Batch.
_.Sts_SSCC BOOL Rises when Ctl_Part matches Sts_Part.
6.3.5 Part It networks contextualizable Traceable part's Reportsprimary/secondary/tertiary/shipment with
Ticketing transactions to Ticket that moves it up to be a𝑃𝑟𝑜𝑑𝑢𝑐𝑡 = 𝑃𝑎𝑟𝑡 𝐶𝑜𝑚𝑝𝑙𝑒𝑡𝑒.
_.BatchID DINT/STRING Batch Identifier (Manufacturing Order).
_.RecipeID DINT/STRING Product Recipe Identifier (number / name).
_.ProdGTIN DINT/STRING Product Global Trade Item Number vs GS1 Authentication.
_.Expiration DINT/STRING Identify the Product Expiration as Date & Time.
_.ProdTime DINT/STRING Identify the Product Current Time as Date & Time.
_.ProdSSCC DINT/STRING Identify the Product SSCC as S/N high digits.
_.PartID DINT Identify the Part Identifier as S/N low digits.
_.UpID DINT Identify the last station Up with _.Sts_Prod OK.
_.NxtID DINT Identify the next station Up for the current part.
_.UseID DINT Identify the next Use CaSe (also for Inline-Checks).
_.FailID DINT Identify the Failure versus Alarm (if _.Sts_Prod KO).
_.TkID DINT Identify the part Ticket in the Circular buffer.
_.Slot DINT/STRING Identify the slot/pouch in the tray (i.e. Primary).
_.Tray DINT/STRING Identify the tray/rack in the stack (I.e. Secondary).
_.Stack DINT/STRING Identify the stack/carton in the pallet (i.e. Tertiary).
_.Pallet DINT/STRING Identify the pallet/container of batch (i.e. Shipment).
_.Report... TBD[n] See Process Values (Weight, T°, Level, Delay, …).
See §Reminder Parts Trace and Pallet Twin for an implementation synoptic.
6.3.6 Ticketing It networks Ticket’s transactions to MES for Parts Traceability (see 21 CFR Part 11).
_.Typ_Tks Typ_Tk[n] Refer Ticket’s array tracing Parts on the Process Path.
_.Typ_TkIDs DINT[n] Refer with the Circular Buffer tied to part Ticket’s IDs.
_.Typ_MES Typ_MES Refer MES data shared by Parts moving on a machine.
_.Typ_Parts Typ_Part[n] Refer Part‘s data sent to MES while leaving a machine.
_.Par_Tmr DINT Tune Transaction response time.
_.Cfg_Push DINT Fix Ticket’s identifier for a PUSH transaction.
_.Cfg_Pull DINT Fix Ticket’s identifier for a PULL transaction.
_.Ctl_Push BOOL Set Ticket’s transaction to PUSH data to the Part’s array.
_.Ctl_Pull BOOL Set Ticket’s transaction to PULL data from the MES.
_.Sts_NoAlm BOOL Get if transaction complete before timeout.
_.Sts_Push BOOL Get Ticket’s PUSH transaction done.
_.Sts_Pull BOOL Get Ticket’s PULL transaction done.
_.Rep_Push DINT See Ticket’s reports for Push transactions.
_.Rep_Pull DINT See Ticket’s reports for Pull transactions.

√𝑺𝑸𝑹
©
√𝑆𝑄𝑅
©
KPIs Types TheKeyPerformanceIndicatorssharerelevantEdgeReportstorankthesystems.
6.4.1 I P C It networks data for Inline Process Control by system (for critical Instruments).
[#].Attribute Type Unit Description (may expose multiple instances)
_.Typ_Meas Typ_MeasCtl-Sts Refer with the Inline Measure module.
_.Typ_MES Typ_MESSts Refer with the MES status network.
_.Par_Offset TBD [tbd] Tune the offset for calibration.
_.Par_Reject TBD [tbd] Tune the reject limit.
_.Par_Limit1 TBD [tbd] Tune the 1st
limit.
_.Par_Limit2 TBD [tbd] Tune the 2nd
limit.
_.TimeStamp LINT/STRING See time as Date & Time versus Batch time.
_.Sample LINT [part] See quantity of done probe value.
_.Reject LINT [part] See quantity of bad probe value.
_.Count1 LINT [part] See quantity of probe values below 1st
limit.
_.Count2 LINT [part] See quantity of probe values below 2nd
limit.
_.Probe TBD [tbd] See last probe value.
_.Sigma TBD [tbd] See standard probe values deviation in sample.
_.Average TBD [tbd] See probe values average in sample.
_.Sts_ICC BOOL Get if probe device is under Calibration as Inline-Checks.
_.Sts_OK BOOL Get if probe is ready to be measure.
6.4.2 I P S It networks data for Inline Process Sampling by system (Inline-Checks as KQI).
_.Typ_Spg Typ_Spg Refer with the Inline Sampling module.
_.Typ_Parts Typ_Part[n] Refer with the Part’s First-In-First-Out buffer.
_.Typ_Tks Typ_Tk[n] Refer with the Circular Buffer tied to part Ticket IDs.
_.Cfg_TkID DINT Fix the part Ticket identifier in the Circular buffer.
_.ShotSize LINT [part] Tune the shot size.
_.SampleSec LINT [sec] Tune the period between shot in time.
_.SampleSize LINT [part] Tune the number between shot in part.
_.Order BOOL Set a manual shot.
_.Stamp BOOL Set a checkout shot.
_.PartID STRING See the current part identifier (i.e. S/N).
_.ShotID STRING See the last shot part identifier (i.e. S/N).
_.Rep_Sampling LINT [part] See the total Sampling parts.
_.Rep_Sampled LINT [part] See the last Sampled part.
_.Rep_Shotted LINT [part] See the Shotted quantity.
_.Sts_Hold BOOL Get when shot is waiting for user.
_.Sts_Pause BOOL Get when shot is waiting for MES.
_.Sts_Shoot BOOL Get while the system is shooting.
_.Sts_Over BOOL Get when last shot reached over time.
_.Sts_OK BOOL Get when a shot is ready for approval.
6.4.3 NRG It networks data for Energies Consumption by system (machine power uses).
_.Typ_Nrgs Typ_NrgCtl-Sts Refer with the Energies Monitoring module.
_.ModeSystem DINT Get System Modes.
_.StateSystem DINT Get System States.
_.RateSystem DINT [Cyc/Min] See System Current Rate.
_.Electricity TBD [kWh] See Electrical Consumption.
_.AirPress TBD [m3
] See Air Pressure Consumption.
_.N2Gas TBD [m3
] See N2 Gas Consumption (Optional).
_.Water TBD [m3
] See Water Consumption (Optional).
_.WaterWaste TBD [m3
] See Waste-Water Consumption (Optional).
_.WaterCold TBD [kWh] See Cold-Water Consumption (Optional).
_.WaterHot TBD [kWh] See Hot-Water Consumption (Optional).
_.Steam TBD [Ton] See Steam Consumption (Optional).
_.Fuel TBD [Ton] See Fuel Consumption (Optional).
_.Oil TBD [Ton] See Oil Consumption (Optional).

√𝑺𝑸𝑹
©
√𝑆𝑄𝑅
©
6.4.4 Stoppages A stoppage is a period without production ! Its root cause may be identified from
the Initial Alarm ID or from HMI’s stoppages selection versus Line Modes; the
stoppage ID shall merge Alarm Priority#, P&IDn and device IEC Code; it is one of
thekeysto improve productivityeffectivenesswithanefficientRootCauseAnalysis.
IEC-81346 Device Code 
B-B
ool
Sensor
C-Level
E-Energy
F-Safety
P-Probe
S-Signal
X-Network
O.E.E.
Batch
Alarms #
versus
IEC-62682
Location
versus
DeviceID
Effectiveness
versusPeriods
(i.e. Line Modes)
System Crash "1"
P&IDn
      Hazard
Stop
Batch
Period

Process Break "2"       Major
Process Fail "3"       Minor
Product. Hold "4"     
Performance
Prod.
Loss
Product. Pause "5"     
Predict Warn "6"    
Quality
Prescrib
Alert "7"
   
Set
from
HMI
screen
Empty - Clean - Setup Change Over
"8" Maintenance - Repair - Overhaul
Check-Up - Warm-Up - Labor Stoppage
MRO Period
x
"9" Demand Lack - Materials Lack
Labor Lack
Free Period
_.RootCause REAL See "Alarm# . P&IDn . Code" (ex: 1.3'02'001.24).
_.TotalCause LINT See Change-of-Stoppage incrementation value.
6.4.5 Reports For Machines , Stations and Actuators , they collect and frame in Real Time
contextualized edge values such as Overall Equipment Effectiveness to reveal
potential Productivity Gains and improve Sustainability based on Prediction
and Prescription; they prefigure edge computing for the digital twin features.
[#].Attribute Type Unit Description (may expose Batch, Shift or Uses reports)
_.ModeSystem DINT Get System Modes.
_.StateSystem DINT Get System States.
_.Configurations DINT Fix Up(s) Nbr, Clear Rqst, …
_.UsedTime LINT [sec] See Used time.
_.ProdTime LINT [sec] See Producing time.
_.UsedParts LINT [part] See Used parts count.
_.ProdParts LINT [part] See Produced parts count.
_.FailParts LINT [part] See Failedscrap parts count.
_.MTTF LINT [sec] See Mean-Time-To-Fail.
_.MTtR LINT [sec] See Mean-Time-To-Repair.
_.Availability DINT [%] See Ratio of ProdTime to UsedTime (i.e. Operability).
_.Performance DINT [%] See Ratio of UsedParts to ProdTime x Rate.
_.Quality DINT [%] See Ratio of ProdParts to UsedParts.
_.OEE DINT [%] See Ratio of ProdParts to UsedTime x Rate.
_.Tmr DINT [ms] See Last Cycle Time (relative to System Speed).
Efficiency = 𝑜 𝑡 𝑠 𝑟 𝑡
Effectiveness = 𝑜 𝑡 𝑒 𝑟 𝑡 𝑡 𝑠
Production Good
Product atNominal Rate
𝑃𝑟𝑜𝑑𝑃𝑎𝑟𝑡𝑠 𝑅𝑎𝑡𝑒
𝑸 =
𝑃𝑟𝑜𝑑𝑃𝑎𝑟𝑡𝑠
𝑠𝑒𝑃𝑎𝑟𝑡𝑠
𝑃𝑟𝑜𝑑 𝑚𝑒
=
𝑠𝑒 𝑚𝑒
AvailabilityLoss
E-Stop + Startup + Stop
Performance Loss
TransientStates + Hold
Quality Loss
Product Failed
𝑠𝑒𝑃𝑎𝑟𝑡𝑠 𝑅𝑎𝑡𝑒
=
𝑃𝑟𝑜𝑑 𝑚𝑒 𝑅𝑎𝑡𝑒
𝑠𝑒 𝑚𝑒
DIN-8743, DIN-8782
Real Time OEE Calculation
End
End
// I

I

E-Stop Reset StartUp Stop Hold-to-Run Start… R u n
IEC-60204-1:2016
=
𝑎 𝑙𝑃𝑎𝑟𝑡𝑠
𝑡𝑅 =
𝑎 𝑙 𝑚𝑒
𝑎 𝑙𝑃𝑎𝑟𝑡𝑠
=
𝑃𝑟𝑜𝑑𝑃𝑎𝑟𝑡𝑠
𝑠𝑒 𝑚𝑒 𝑅𝑎𝑡𝑒
Hazard Stop MajorStop MinorStop Production Loss
IEC-62682-1:2014
𝑃𝑟𝑜𝑑𝑢𝑐𝑡 𝑡𝑦 =
𝑠𝑒 𝑚𝑒 𝑅𝑎𝑡𝑒

√𝑺𝑸𝑹
©
REMINDER Control Systems Guidelines 21 / 31 
√𝑆𝑄𝑅
©
7 REMINDER
7.1.1 Main Energies
All Energies that could cause injuries shall be involved in the SRP/CS, safety related parts of Control System;
they shall keep the system safe if guards are disable, see Safety. The design of all energies distribution shall
be able to manage JogSafe Mode with device(s) such as Deadman Switch. The values of Earth Fault Currents
shall be limited to reduce their effects. The AC power supply neutral can be earthed by different methods;
the Zn impedance between neutral and earth may be resistive or inductive from zero to infinite values.
7.1.2 Neutral Earthing Zn = ∞ Resistance Reactance Capacitance Zn = 0
Potential Damages Very Low Low Low Very Low Very High
Touch & step voltages Very Low Low Low Low High
Transient over voltages High Low High High Low
Temporary over voltages High Medium Medium Medium Low
7.1.3 Safe Stop Categories See §Control Model Alarms and IEC-60204-1:2016.
SS0 Immediate stop by REMOVING the energies on all actuators to initiate an uncontrolled stop.
SS1 Controlled stop with the energies and then REMOVE the energies on UNSAFE actuators.
SS2 Controlled stop with the energies and then MAINTAIN the energies on all actuators.
7.1.4 Safety Functions See §Reminder PLr Calculation and IEC-61508:2010.
SBC Safety Brake Control check with STO. SLT-STR Safety Limited Torque check & stop over torque.
SDI Safety Direction move check & SS1 on failure. SOS Safety Operating Stop & zero-speed, No shutoff.
SFX Safety Feedback on position & speed check. SS1 Safety Stop 1 compliant with stop category #1.
SLP Safety Limited Position check. SS2 Safety Stop 2 compliant with stop category #2.
SLS Safety Limited Speed check. ST0 Safety Torque 0ff by shutoff without check.
• Yellow-Green : Equipotential bonding
• Black / Grey / Brown : AC / DC power
• Orange : light / socket / ...
• Dark Blue : DC Control
• Light Blue : AC neutral
• Red : AC Control
ProgressivePressure
Cut Air Supply
Unsafe
Cylinders
Safe Devices
SRP's LOGIC
Safe
Cylinders
PLC's LOGIC
Air Supply
Emergency-Stop
Guard Interlock
Presence Sensor
Main
Switch
Clean Air
• L1
• L2
• L3
• N
• PE
TN-S
Network
Zn
Main
Valve
Redundant Main Valve
RedundantBreakers
EMI-EMC Filters
& Overload
Protection
Cut Electrical Supply
Unsafe Devices
Uncut Electrical Supply
ST0-SS1
SS0
Uncut Air Supply
SS2-SLS
Dead-Man Switch
Sleep
Energies & Safety See References for the machinery directives.

√𝑺𝑸𝑹
©
REMINDER Control Systems Guidelines 22 / 31 
√𝑆𝑄𝑅
©
7.1.5 Safety Symbols
Color's code assigns particular meanings to visual and tactile signals from simple cases such as buttons
or LEDs to extensive controls such as screens. It improves visual-tactile hazards awareness due to :
• An intuitive recognition of control conditions and devices positions to avoid unintended misuse.
• A proper monitoring, control and maintenance of the modules or devices with less confusion.
7.1.7 Safety Tasks
Both Process and Safety tasks are synchronized
in the most robust way; as shown in this
diagram, it means a clear mapping between the
machine States and the Safety Functions.
• IEC-60204:2016 §9.2.3.4.2 Emergency-Stop
The emergency stop shall function either as a safe stop
category #0 or as a stop category #1. The choice of the
safe stop category from the emergency stop depends on
the results of a risk assessment of the machine.
NOTE: In some cases, to avoid creating additional risks,
it can be necessary to perform a controlled stop and
maintain the power to actuators even if stopping is
achieved. The stopped condition shall be monitored and
upon failure detection of the stopped condition, power
shall be removed without creating hazardous situations.
• ISO-13849-1:2015 §5.2.2Manual Reset Function
After a stop command has been initiated by a safeguard, the stop condition shall be maintained until safe conditions for restarting
exist. The re-establishment of the safety function by resetting of the safeguard cancels the stop command. If indicated by the risk
assessment, this cancellation of the stop command shall be confirmed by a manual, separate and deliberate action (manual reset).
The manual reset function shall
⎯ be provided through a separate and manually operated device within the SRP/CS,
⎯ only be achieved if all safety functions and safeguards are operative,
⎯ not initiate motion or a hazardous situation by itself,
⎯ be by deliberate action,
⎯ enable the control system for accepting a separate start command, (the manual reset ENABLE the separate start).
⎯ only be accepted by disengaging the actuator from its energized (on) position (ENABLE on the negative threshold).
The reset actuators shall be situated outside the danger zone and in safe positions where there is good visibility for checking that no
person is within the danger zone. Where the visibility of the danger zone is not complete, a special reset procedure is required.
• IEC-62046:2018 §5.6 Restart Interlock
A Resetting a restart interlock is always a safety-related function. Measures shall be provided to reduce the probability of the restart
interlock being reset by a transient or steady-state fault condition. Such measures can include, for example, requiring both a rising and
falling edge signalwithin a defined time (e.g. between 150 ms and 4 s) froma manually actuated resetdevice.
NOTE: A pulse or falling edge on "reset" shall be done to enable a separate "start", this to prevent a potential damaged push button.
0n
Marche
0ff
Arrêt
0n/0ff
(push on - push off)
Reset
Acquit
Start
Marche
Hold-to-Run
Action Maintenue
Stop
Arrêt
Emergency-Stop
Arrêtd'urgence
IEC 60417-5007 IEC 60417-5008 IEC 60417-5010 IEC 60417-1027 IEC 60417-5104 IEC 60417-5011 IEC 60417-5110A IEC 60417-5638
!
Colors Symbols Meanings Explanations Actions by Operator Flashing Alerts Machine States Buttons
Red Emergency
Urgent
Hazard condition Immediate action to
care system hazard
to indicate
discrepancy E-Stop E-Stop
Yellow Abnormal
Anormale
Major or minor
condition
Cautiousaction to
care process hazard
To indicate
transition
Startup
Stop 0ff
Blue Mandatory
Obligatoire
Careful condition Mandatoryaction to
resume production
To request
action Hold Reset
Green Normal
Normale
Normal condition Optionalaction to
predict or prescribe To attract
attention
Run 0n
Black
White
Neutral
Neutre
Other conditionsif any
warn on other colors Monitoring Other(s) 0n/0ff

//
I

7.1.6 Safety Colors See §User Interface HMIs Duties and IEC-60204-1:2016.
Colors Symbols Meaning Explanation Action by Operator Flashing States Buttons
//
I
I
EmergencyStop
In
terlo
ckin
g
Sa
feg
u
a
rd
s

Startup
Safe
Controlled
Stop
Run
Manual
Reset
Hold
to Run

SAFE
PWUP
MUTE
SJOG
SS2
ST0 SS1
SS0 SLS
ST0
SS1
SLS
SS1
SLS
SS2
SS2

SQR_CSG_VI4x.pdf

Recommended

Recommended

More Related Content

Similar to SQR_CSG_VI4x.pdf

Similar to SQR_CSG_VI4x.pdf (20)

More from Pourchet Jean Claude

More from Pourchet Jean Claude (10)

Recently uploaded

Recently uploaded (20)

SQR_CSG_VI4x.pdf