-

Fault avoidance

Dieses Thema enthält die folgenden Abschnitte:

Validation

Only you, the user, machine builder or system integrator can be aware of all the conditions and factors realized in the design of your application for the machine. Therefore, only you can determine the automation equipment and the related safeties and interlocks which can be properly used, and validate such usage.

WARNUNG
Unintended machine operation

Validate the overall safety-related function and thoroughly test the application.

Plausibility and connection errors

Plausibility errors are errors which occur, for example, when a range of values is exceeded or an impermissible connection is made. Such errors are detected and reported either by the function block itself or while the project is being compiled. However, this is not always possible in the case of connection errors.

This means that it is not possible, for example, to automatically verify whether:

WARNUNG
Unintended machine operation

Validate the signals, formulas, variables or constants connected to the input and output formal parameters of the safety-related function block and thoroughly test the application.

Sporadically switching or toggling signal levels or impermissible signals

If no additional fault avoidance measures are taken, signal levels which switch or toggle sporadically at the state-controlled inputs may cause the signal to trigger a potentially undesirable corresponding action.

Impermissible signals at inputs can lead to an unintended start-up, prevent a requested action from being executed or cause an error.

These signals may be caused by:

To prevent this, the following measures can be taken, depending on the safety-related function:

The measures listed above can also be taken in combination in order to help prevent cascading or otherwise difficult to detect errors.

SAFETRUE signal at one input during function block activation

SAFETRUE signals from the two-hand buttons during function block activation are not permitted. These impermissible signals generate an error message (output Error = TRUE). The function block will then retain the defined safe state (output S_TwoHandOut = SAFEFALSE).

Impermissible SAFETRUE signals in normal operation

Asymmetric switching operations are not permitted (e.g., S_Button1 and S_Button2 became SAFETRUE at the same time, before either S_Button1 or S_Button2 alone switched to SAFEFALSE again and then back to SAFETRUE). They cause the defined safe state to be maintained (output S_TwoHandOut = SAFEFALSE). The function block does not output an error message here (Error = FALSE).

This does not apply where the input states are changing from SAFEFALSE to SAFETRUE with a time offset of more than 500 ms. The function block detects an error here.

Machine/system start-up without a function test for safety-related equipment

Inoperable or error producing safety-related equipment can only be detected by testing whether it is functioning correctly. The function block does not support function testing.

Possible causes of inoperable or error producing safety-related equipment are:

WARNUNG
Unintended machine operation
  • Validate the safety-related equipment by performing function tests.
  • Prior to performing function tests, make certain that appropriate procedures and measures (according to applicable sector standards) have been established to help avoid hazardous situations if the safety logic operates in ways you did not intend.
  • Do not enter the zone of operation while the machine is operating.
  • Ensure that no other persons can access the zone of operation while the machine is operating.
  • Observe the regulations given by relevant sector standards while the machine is running in any other operating mode than "operational".
  • Use appropriate safety interlocks where personnel and/or equipment hazards exist.