Fault avoidance
Dieses Thema enthält die folgenden Abschnitte:
- Validation
- Invalid switch signal or the coil is locked
- Incorrect status message for the zone of operation with safety equipment open
- Plausibility and connection errors
- Sporadically switching or toggling signal levels or impermissible signals
- Impermissible static signals when starting up the Sicherheitssteuerung
- Simultaneous edge change
- Machine/system start-up without a function test for safety-related equipment
Validation
Only you, the user, machine builder or system integrator can be aware of all the conditions and factors realized in the design of your application for the machine. Therefore, only you can determine the automation equipment and the related safeties and interlocks which can be properly used, and validate such usage.
|
WARNUNG
|
| Unintended machine operation Validate the overall safety-related function and thoroughly test the application. |
Invalid switch signal or the coil is locked
In order to switch the S_GuardLocked output of the safety-related SF_GuardLocking 2 function block to SAFETRUE, the safety equipment must be closed and the guard locking locked.
In the closed and locked state, the signals at inputs S_Guard and S_GuardLock must show the value SAFETRUE. If SAFEFALSE is detected at one or both of the inputs, the S_GuardLocked output switches to SAFEFALSE and remains in this defined safe state, while an error message (Error = TRUE) is also output.
Incorrect status message for the zone of operation with safety equipment open
The function block interprets a SAFEFALSE signal at input S_Guard and/or S_GuardLock as meaning that the safety equipment is open and/or unlocked.
While the safety equipment is open and/or unlocked, a SAFETRUE signal at input S_SafetyActive must confirm the defined safe state of the zone of operation. If S_SafetyActive incorrectly switches to SAFEFALSE, the S_GuardLocked output remains in the defined safe state (S_GuardLocked = SAFEFALSE). In addition, the Error output is switched to TRUE.
Plausibility and connection errors
Plausibility errors are errors which occur, for example, when a range of values is exceeded or an impermissible connection is made. Such errors are detected and reported either by the function block itself or while the project is being compiled. However, this is not always possible in the case of connection errors.
This means that it is not possible, for example, to automatically verify whether:
- Values or constants within the range of validity at inputs are, in fact, incorrect for the safety-related function executed.This does not apply to a static TRUE signal at the Reset input. This is detected by the function block and reported as an error.
- Inputs and/or outputs are incorrectly connected or are not connected when they should be.
- Actual parameters/signals are incorrectly connected or are not connected when they should be.
|
WARNUNG
|
| Unintended machine operation Validate the signals, formulas (if applicable), variables or constants connected to the input and output formal parameters of the safety-related function block and thoroughly test the application. |
Sporadically switching or toggling signal levels or impermissible signals
If no additional fault avoidance measures are taken, signal levels which switch or toggle sporadically have the following effects:
- At the edge-triggered inputs, such signals cause the function block to interpret the signal as an edge and trigger a potentially undesirable corresponding action.
- At the state-controlled inputs, such signals cause the signal to trigger a potentially undesirable corresponding action.
Impermissible signals at inputs can lead to an unintended start-up, prevent a requested action from being executed or cause an error.
These signals may be caused by:
- Programming errors in the application program (user errors).
- Cross circuit, short circuit, and cable break (user errors, wiring errors).
- Errors in the standard (non-safety-related) application.
To prevent this, the following measures can be taken, depending on the safety-related function:
- Using safety-related device signals.
- Additional measures to prevent a hazard if a signal from the standard controller is used (e.g. execution of an additional function start after resetting a triggered safety function or after a fault has been rectified).
- Using options for cross-circuit detection.
- Suitable wiring when using standard (non-safety-related) signals from the standard application.
- Verifying the safety-related code in the code editor followed by validation of all safety-related networks.
The measures listed above can also be taken in combination in order to help prevent errors.
Impermissible static signals when starting up the Sicherheitssteuerung
If a start-up inhibit following activation of the function block is specified by the setting S_StartReset = SAFEFALSE, a static TRUE signal at the Reset input when the Sicherheitssteuerung starts up leads to a function block error message (Error = TRUE).
If the start-up inhibit is not in use when the Sicherheitssteuerung starts up (S_StartReset = SAFETRUE), the signal state at the Reset input is not relevant at this time. In such cases, the signal at the S_GuardLocked output depends exclusively
- on the status of the connected safety-related equipment
- and on the setting at S_AutoReset (restart inhibit).
Simultaneous edge change
In order to reduce the risk of an unintended start-up, it is essential to ensure that the Reset input is only connected to the signal of a manual reset device. The risk analysis determines how this signal is to be set up in practice.
Machine/system start-up without a function test for safety-related equipment
Inoperable or error producing safety-related equipment can only be detected by testing whether it is functioning correctly. The function block does not support function testing.
Possible causes of inoperable or error producing safety-related equipment are:
- Inoperable devices (hardware errors)
- Cross circuit, short circuit, and cable break (user errors, wiring errors)
|
WARNUNG
|
Unintended machine operation
|