Fault avoidance
This topic contains the following sections:
- Validation
- Several inputs S_Mode0 to S_Mode7 are SAFETRUE simultaneously or all inputs are SAFEFALSE simultaneously
- Time slot for switchover incorrectly dimensioned at ModeMonitorTime
- Static signal at the S_SetMode input
- Plausibility and connection errors
- Sporadically switching or toggling signal levels or impermissible signals
- Impermissible static signals when starting up the Safety PLC
- Simultaneous edge change
- Machine/system start-up without a function test for safety-related equipment
Validation
Only you, the user, machine builder or system integrator can be aware of all the conditions and factors realized in the design of your application for the machine. Therefore, only you can determine the automation equipment and the related safeties and interlocks which can be properly used, and validate such usage.
WARNING
Unintended machine operation
Validate the overall safety-related function and thoroughly test the application.
Several inputs S_Mode0 to S_Mode7 are SAFETRUE simultaneously or all inputs are SAFEFALSE simultaneously
If the operating mode switchover is not locked (S_Unlock = SAFETRUE), the function block detects an error after the time set at ModeMonitorTime has elapsed, if all inputs are showing a SAFEFALSE signal simultaneously. If several inputs S_Mode0 to S_Mode7 are SAFETRUE simultaneously, an error message is output immediately (output Error = TRUE), independent of the monitoring time set at ModeMonitorTime.
If the set operating mode is locked by S_Unlock = SAFEFALSE, the signal combination at the inputs is not evaluated.
Possible causes for impermissible signal combinations might be:
- Cross circuits, open circuits, wiring errors (user errors, wiring errors).
- Errors in the mode selector switch (hardware errors).
Time slot for switchover incorrectly dimensioned at ModeMonitorTime
If the time value set at ModeMonitorTime is too short, the function block outputs an error for every switching operation. If the time slot set is too long, impermissible signal combinations or unavailable signals at the inputs are not reliably detected as errors.
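The two rules above (all inputs SAFEFALSE is tolerated only for ModeMonitorTime, several inputs SAFETRUE is an error at once, nothing is evaluated while S_Unlock = SAFEFALSE) and the dimensioning problem they create can be checked on a timeline. The following Python model is added here as an illustration; it is a constructed model of the rules as stated in this topic, not the vendor's function block. The class and helper names, the 10 ms cycle time, the 50 ms phase lengths and the contact-gap durations are all assumptions. S_SetMode, the Reset input and error latching are deliberately not modelled.

```python
from typing import List, Optional, Tuple

SAFETRUE, SAFEFALSE = True, False   # safety-related BOOL levels, modelled as plain bools
CYCLE_MS = 10                       # assumed PLC cycle time for the constructed traces


class ModeSelectorMonitor:
    """Constructed model of the S_Mode0..S_Mode7 / S_Unlock / ModeMonitorTime rules.

    Error is reported for every cycle in which a rule is violated; latching,
    Reset and S_SetMode are left out on purpose (they are not modelled here).
    """

    def __init__(self, mode_monitor_time_ms: int) -> None:
        self.mode_monitor_time_ms = mode_monitor_time_ms
        self.all_false_since: Optional[int] = None   # start of the all-SAFEFALSE phase
        self.active_mode: Optional[int] = None       # index 0..7 of the selected mode

    def cycle(self, t_ms: int, s_mode: List[bool], s_unlock: bool) -> Tuple[Optional[int], bool]:
        """One PLC cycle: returns (active mode index or None, Error)."""
        if len(s_mode) != 8:
            raise ValueError("expected exactly S_Mode0..S_Mode7")
        if s_unlock == SAFEFALSE:
            # Mode locked: the input combination is not evaluated at all.
            self.all_false_since = None
            return self.active_mode, False
        selected = [i for i, level in enumerate(s_mode) if level == SAFETRUE]
        if len(selected) > 1:
            # Several inputs SAFETRUE: Error immediately, independent of ModeMonitorTime.
            return None, True
        if not selected:
            # All inputs SAFEFALSE: tolerated for ModeMonitorTime (e.g. the contact
            # gap of the selector switch while it moves), afterwards Error.
            if self.all_false_since is None:
                self.all_false_since = t_ms
            timed_out = t_ms - self.all_false_since >= self.mode_monitor_time_ms
            return (None, True) if timed_out else (self.active_mode, False)
        # Exactly one input SAFETRUE: permissible selection.
        self.all_false_since = None
        self.active_mode = selected[0]
        return self.active_mode, False


def mode_word(*indices: int) -> List[bool]:
    """S_Mode0..S_Mode7 pattern with SAFETRUE at the given indices (none = all SAFEFALSE)."""
    return [i in indices for i in range(8)]


def trace(phases: List[Tuple[List[bool], int]], s_unlock: bool = SAFETRUE):
    """Constructed input trace: a list of (s_mode pattern, duration in ms) phases
    sampled every CYCLE_MS, returned as (t_ms, s_mode, s_unlock) samples."""
    samples, t = [], 0
    for word, duration_ms in phases:
        for _ in range(duration_ms // CYCLE_MS):
            samples.append((t, word, s_unlock))
            t += CYCLE_MS
    return samples


def switchover_trace(gap_ms: int, s_unlock: bool = SAFETRUE):
    """Normal switching operation: mode 0, an all-SAFEFALSE contact gap, then mode 1."""
    return trace([(mode_word(0), 50), (mode_word(), gap_ms), (mode_word(1), 50)], s_unlock)


def open_circuit_trace(duration_ms: int):
    """Fault: mode 0, then a cable break leaves every input SAFEFALSE."""
    return trace([(mode_word(0), 50), (mode_word(), duration_ms)])


def first_error_time(mode_monitor_time_ms: int, samples) -> Optional[int]:
    """Run a trace through a fresh monitor; return the time of the first cycle
    that reports Error, or None if the whole trace is accepted."""
    monitor = ModeSelectorMonitor(mode_monitor_time_ms)
    for t_ms, s_mode, s_unlock in samples:
        if monitor.cycle(t_ms, s_mode, s_unlock)[1]:
            return t_ms
    return None


if __name__ == "__main__":
    # Too short: a 30 ms contact gap is reported as an error on every switchover.
    print("gap 30 ms, ModeMonitorTime 20 ms :", first_error_time(20, switchover_trace(30)))
    # Suitable: the same gap passes, a cable break is detected 100 ms after it occurs.
    print("gap 30 ms, ModeMonitorTime 100 ms:", first_error_time(100, switchover_trace(30)))
    print("cable break, ModeMonitorTime 100 ms:", first_error_time(100, open_circuit_trace(2000)))
    # Too long: the same cable break is only detected after 1000 ms.
    print("cable break, ModeMonitorTime 1000 ms:", first_error_time(1000, open_circuit_trace(2000)))
    # Several inputs SAFETRUE: immediate, whatever the monitoring time.
    print("S_Mode0 and S_Mode3 SAFETRUE:", first_error_time(5000, trace([(mode_word(0, 3), 10)])))
    # Locked: nothing is evaluated, even with the too-short setting.
    print("locked, ModeMonitorTime 20 ms:", first_error_time(20, switchover_trace(30, SAFEFALSE)))
```

The first two runs show the dimensioning trade-off directly: the monitoring time must exceed the longest all-SAFEFALSE gap that a healthy selector switch produces, but every millisecond beyond that delays the detection of an open circuit by the same amount.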
Static signal at the S_SetMode input
If there is a static SAFETRUE signal at the S_SetMode input, the function block cannot output the selected operating mode at its outputs. No operating mode will be active. This state can affect system availability.
Plausibility and connection errors
Plausibility errors are errors which occur, for example, when a range of values is exceeded or an impermissible connection is made. Such errors are detected and reported either by the function block itself or while the project is being compiled. However, this is not always possible in the case of connection errors.
This means that it is not possible, for example, to automatically verify whether:
- Values or constants within the range of validity at inputs are, in fact, incorrect for the safety-related function executed. This does not apply to a static TRUE signal at the Reset input, which is detected by the function block and reported as an error.
- Inputs and/or outputs are incorrectly connected or are not connected when they should be.
- Actual parameters/signals are incorrectly connected or are not connected when they should be.
WARNING
Unintended machine operation
Validate the signals, formulas (if applicable), variables or constants connected to the input and output formal parameters of the safety-related function block and thoroughly test the application.
Sporadically switching or toggling signal levels or impermissible signals
If no additional fault avoidance measures are taken, signal levels which switch or toggle sporadically have the following effects:
- At the edge-triggered inputs, such signals cause the function block to interpret the signal as an edge and trigger a potentially undesirable corresponding action.
- At the state-controlled inputs, such signals are taken as the input state and trigger a potentially undesirable corresponding action.
Impermissible signals at inputs can lead to an unintended start-up, prevent a requested action from being executed or cause an error.
These signals may be caused by:
- Programming errors in the application program (user errors).
- Cross circuit, short circuit, and cable break (user errors, wiring errors).
- Errors in the standard (non-safety-related) application.
To prevent this, the following measures can be taken, depending on the safety-related function:
- Using safety-related device signals.
- Additional measures to prevent a hazard if a signal from the standard controller is used (e.g. execution of an additional function start after resetting a triggered safety function or after a fault has been rectified).
- Using options for cross-circuit detection.
- Suitable wiring when using standard (non-safety-related) signals from the standard application.
- Verifying the safety-related code in the code editor followed by validation of all safety-related networks.
The measures listed above can also be taken in combination in order to help prevent errors.
Impermissible static signals when starting up the Safety PLC
If there is a static SAFETRUE signal at the S_SetMode input when the Safety PLC starts up and, at the same time, S_Unlock = SAFETRUE, this leads to an error message for the function block (output Error = TRUE).
Simultaneous edge change
In order to reduce the risk of an unintended start-up, it is essential to ensure that the Reset input is only connected to the signal of a manual reset device. The risk analysis determines how this signal is to be set up in practice.
Machine/system start-up without a function test for safety-related equipment
Inoperable or error-producing safety-related equipment can only be detected by testing whether it is functioning correctly. The function block does not support function testing.
Possible causes of inoperable or error-producing safety-related equipment are:
- Inoperable devices (hardware errors)
- Cross circuit, short circuit, and cable break (user errors, wiring errors)
WARNING
Unintended machine operation