Functional description

Dieses Thema enthält die folgenden Abschnitte:

The safety-related SF_MutingPar_2Sensor function block executes the safety-related function "parallel muting with two sensors and override function" within an application.
To this end, it evaluates the following signals:

the signals of two muting sensors,
the status signal of the safety-related equipment (light grid),
the feedback signal from the muting lamp,
an enable signal for the muting operation,
a request signal for the override function.

A start-up inhibit can be specified at S_StartReset.

The function block switches the enable signal at the S_AOPD_Out output in accordance with the input signals present. It executes stop category 0 at this output.

Hinweis
The signal at the S_AOPD_Out output is the enable signal for the entire process. In order to process the enable or, equally, the request for the defined safe state in the functional safety system, the signal must be used in the safety logic in such a way that a SAFEFALSE signal at the S_AOPD_Out output stops the zone of operation from being used.

Muting operation (without override function)

The overall muting operation is divided into different muting sequences.

Protecting the zone of operation.
The safety-related equipment is active when muting is not active: If the function block does not detect an active muting operation at the muting inputs, a SAFEFALSE signal from the light grid ("object detected") leads to the defined safe state SAFEFALSE at the S_AOPD_Out output (e.g., "stop machine").
Activating the muting operation.
The safety-related equipment is deactivated: If the state of the muting sensors changes from SAFEFALSE to SAFETRUE within the discrepancy time set at DiscTimeEntry (because both sensors detect an object which is permissible for the muting operation, for example), the muting operation is activated and the safety-related equipment deactivated.
Muting operation is active.
The safety-related equipment is deactivated for as long as the muting operation is active (because both sensors detect an object which is permissible for the muting operation, for example). A SAFEFALSE signal from the light grid ("object detected") does in this case not cause the S_AOPD_Out output to switch to the defined safe state SAFEFALSE (e.g., "stop machine"). The muting operation must be completed within the maximum muting time set at MaxMutingTime. If it is not, the S_AOPD_Out output switches to the defined safe state SAFEFALSE (e.g., "stop machine").
Completing the muting operation.
The safety-related equipment is active again. The muting operation is complete as soon as a muting sensor switches from SAFETRUE to SAFEFALSE (i.e., no object is detected any longer within the detection area). The safety-related equipment is reactivated at the same time when the S_MutingActive output switches to SAFEFALSE.

Muting errors

Errors which occur during the muting operation are called muting errors. As a result, muting is interrupted and the safety-related equipment gets activated. The safety-related equipment can then be temporarily deactivated by means of the override function (see below).

Muting errors are:

The discrepancy time DiscTimeEntry has elapsed.
The maximum muting time MaxMutingTime has elapsed.
Invalid muting sequence (by appropriate signals at inputs S_MutingSwitch11, S_MutingSwitch12, and MutingEnable).

If override is not requested in the event of a muting error, the outputs behave in the following way:

The S_AOPD_Out output switches to the defined safe state SAFEFALSE (e.g., "stop machine"),
The Error output switches to TRUE.

Override function

If the muting is interrupted by an error (e.g., the maximum muting time MaxMutingTime has elapsed because of an impermissible object), the safety-related equipment gets activated. This can be temporarily deactivated by the override function, e.g., to clear the zone of operation from the impermissible object.

The override function can only be used in the event of a previous muting error. The sequence is then as follows:

Normal sequence of the muting operation as described in the steps 1-3 above.
- Protecting the zone of operation by activating the safety-related equipment.
- Activating the muting operation and deactivating the safety-related equipment by the muting.
A muting error occurs (see description above).
The muting gets interrupted, e.g., by an impermissible object. The Error output switches to TRUE and the S_AOPD_Out output switches to the defined safe state SAFEFALSE (e.g., "stop machine"). Now, an override operation is possible (output OverridePossible = TRUE).
Override is started by the operator.
An override operation can be started by a SAFETRUE signal at the S_StartStopOverride input, if the OverridePossible output = TRUE. This initiates the override timer (MaxOverrideTime input). The start is caused by activating the connected control device and must be maintained for the overall override duration (e.g., by a key switch).
The safety-related equipment is deactivated for as long as the override operation is active. A SAFEFALSE signal from the light grid ("object detected") does not then cause the S_AOPD_Out output to switch to the defined safe state SAFEFALSE (e.g., "stop machine"). Now, the impermissbile object can be removed from the zone of operation.
Interrupting or exiting the override operation.
The override operation gets interrupted as soon as the operator releases the control device (e.g., a key switch) (S_StartStopOverride input = SAFEFALSE). The output OverrideActive becomes FALSE and S_AOPD_Out switches to the defined safe state SAFEFALSE (e.g., "stop machine"), and the override timer MaxOverrideTime continues to run. The override operation can be restarted as long as MaxOverrideTime has not elapsed.
Override gets automatically exited when all muting sensors and the light grid detect no more object or when the override timer MaxOverrideTime has elapsed.

Example of a muting operation (without override function)

The graphic below shows an example of a muting operation.

Hinweis
The sensor beams can also be interrupted in a different sequence.

Hinweis
In the graphic, only the values of the inputs and outputs which are relevant for this illustration are given.

Explanatory notes:

MS_11: Muting sensor 1 (top), connected to the S_MutingSwitch11 function block input.
MS_12: Muting sensor 2 (bottom), connected to the S_MutingSwitch12 function block input.
Signaling unit (e.g., lamp) "muting active", controlled via function block output S_MutingActive.
S/R: safety-related equipment (e.g., light grid), consisting of a transmitter (S) and a receiver (R), connected to function block input S_AOPD_In. The function of this safety-related equipment is deactivated/activated by means of the muting operation.

The light beams of the two muting sensors are not interrupted. The muting operation is not (yet) active.

The light beam of the top muting sensor is interrupted by an object. This initiates the muting operation.

The DiscTimeEntry timer starts (measures the discrepancy time).

The MaxMutingTime timer starts (measures the duration of the muting operation).

The light beam of the first muting sensor remains interrupted.

The light beam of the second muting sensor is also interrupted. This happens within the time specified at DiscTimeEntry (DiscTimeEntry timer stops).

Muting is active (S_MutingActive switches to SAFETRUE).

The MaxMutingTime timer continues to run.

In this state the safety-related equipment is not active, i.e., SAFEFALSE at S_AOPD_In does not lead to SAFEFALSE at S_AOPD_Out.

The object has now passed the safety-related equipment (e.g., light grid). The light beam of one of the muting sensors is no longer interrupted (S_MutingSwitch12 is SAFEFALSE again) which causes S_MutingActive to switch back to SAFEFALSE: Muting is inactive.

The change from SAFETRUE to SAFEFALSE at input S_MutingSwitch12 stops the MaxMutingTime time measurement. As the muting operation has been completed within the time interval specified at MaxMutingTime, the S_AOPD_Out output remains SAFETRUE and no error is detected (Error remains FALSE).

In this state the safety-related equipment is active again, i.e., SAFEFALSE at S_AOPD_In leads to SAFEFALSE at S_AOPD_Out.

Example of a muting operation (with override function)

In the event of an error during the activated muting in the muting operation described in the example above, the last step does not occur (muting inactive again). All requirements for an override operation are then fulfilled and the further sequence is shown below.

A muting error occurs (e.g., the maximum muting time MaxMutingTime has been exceeded because the object is too long). Muting is interrupted (S_MutingActive switches to SAFEFALSE, Error to TRUE).

The light beam of at least one of the two muting sensors and/or the safety-related equipment remains interrupted.

In this state the safety-related equipment is active again, i.e., SAFEFALSE at S_AOPD_In leads to SAFEFALSE at S_AOPD_Out.

The requirements for the override function are given (OverridePossible = TRUE).

The override operation is started by the operator via the control device (S_StartStopOverride input = SAFETRUE). The override function is activated (OverrideActive output = TRUE). The safety-related shutdown is temporarily removed, the S_AOPD_Out output becomes SAFETRUE and the Error output switches to FALSE.

The override timer starts.

The light beam of at least one of the two muting sensors and/or the safety-related equipment remains interrupted until the object has been removed from the zone of operation.

The object is again outside the zone of operation, i.e., light grid and muting sensors are no longer interrupted (S_AOPD_In = SAFETRUE, S_MutingSwitch11 and S_MutingSwitch12 = SAFEFALSE).

The override operation is automatically exited. OverridePossible and OverrideActive switch to FALSE.

The operator releases the control device (e.g., a key switch).

The time measurement at MaxOverrideTime is stopped.

In this state the safety-related equipment is active again, i.e., SAFEFALSE at S_AOPD_In leads to SAFEFALSE at S_AOPD_Out.

Hinweis
As the override operation in this example has been completed within the time specified at the MaxOverrideTime input, the S_AOPD_Out output remains SAFETRUE and no error is detected (Error remains FALSE). Exceeding would result in an error (Error output = TRUE) and the S_AOPD_Out output would be switched to the defined safe state SAFEFALSE (e.g., "switch off machine").

Start-up inhibit (S_StartReset)

S_StartReset is used to specify the start-up inhibit after activating the function block and/or starting the Sicherheitssteuerung.

S_StartReset = SAFEFALSE After the Sicherheitssteuerung has been started up and/or the function block has been activated at input Activate, the start-up inhibit is active. The start-up inhibit is only removed if there is a positive signal edge at the Reset input.
Refer to the first warning below this table.

S_StartReset = SAFETRUE After the Sicherheitssteuerung has been started up and/or the function block has been activated at input Activate, no start-up inhibit is active.
Refer to the second warning below this table.

Removing the start-up inhibit by means of a positive signal edge at the Reset input can cause the S_AOPD_Out output to switch to SAFETRUE immediately (depending on the status of the other inputs).

WARNUNG

Unintended start-up

Verify the impact of removing the start-up inhibit by means of a positive signal edge at the Reset input.

Make certain that appropriate procedures and measures (according to applicable sector standards) have been taken to help avoid hazardous situations when removing the start-up inhibit.

Do not enter the zone of operation when removing the start-up inhibit.

Ensure that no other persons can access the zone of operation when removing the start-up inhibit.

Use appropriate safety interlocks where personnel and/or equipment hazards exist.

WARNUNG

Non-conformance to safety function requirements

Verify the impact of a deactivated start-up inhibit (S_StartReset = SAFETRUE) on your machine or process prior to implementation.

Observe the regulations given by relevant sector standards regarding the start-up inhibit.

Verify that a suitable start-up inhibit is in place at another location or using other means if the start-up inhibit is deactivated by setting S_StartReset = SAFETRUE.

	The light beams of the two muting sensors are not interrupted. The muting operation is not (yet) active.
	The light beam of the top muting sensor is interrupted by an object. This initiates the muting operation. The DiscTimeEntry timer starts (measures the discrepancy time). The MaxMutingTime timer starts (measures the duration of the muting operation).
	The light beam of the first muting sensor remains interrupted. The light beam of the second muting sensor is also interrupted. This happens within the time specified at DiscTimeEntry (DiscTimeEntry timer stops). Muting is active (S_MutingActive switches to SAFETRUE). The MaxMutingTime timer continues to run. In this state the safety-related equipment is not active, i.e., SAFEFALSE at S_AOPD_In does not lead to SAFEFALSE at S_AOPD_Out.
	The object has now passed the safety-related equipment (e.g., light grid). The light beam of one of the muting sensors is no longer interrupted (S_MutingSwitch12 is SAFEFALSE again) which causes S_MutingActive to switch back to SAFEFALSE: Muting is inactive. The change from SAFETRUE to SAFEFALSE at input S_MutingSwitch12 stops the MaxMutingTime time measurement. As the muting operation has been completed within the time interval specified at MaxMutingTime, the S_AOPD_Out output remains SAFETRUE and no error is detected (Error remains FALSE). In this state the safety-related equipment is active again, i.e., SAFEFALSE at S_AOPD_In leads to SAFEFALSE at S_AOPD_Out.

	A muting error occurs (e.g., the maximum muting time MaxMutingTime has been exceeded because the object is too long). Muting is interrupted (S_MutingActive switches to SAFEFALSE, Error to TRUE). The light beam of at least one of the two muting sensors and/or the safety-related equipment remains interrupted. In this state the safety-related equipment is active again, i.e., SAFEFALSE at S_AOPD_In leads to SAFEFALSE at S_AOPD_Out. The requirements for the override function are given (OverridePossible = TRUE).
	The override operation is started by the operator via the control device (S_StartStopOverride input = SAFETRUE). The override function is activated (OverrideActive output = TRUE). The safety-related shutdown is temporarily removed, the S_AOPD_Out output becomes SAFETRUE and the Error output switches to FALSE. The override timer starts. The light beam of at least one of the two muting sensors and/or the safety-related equipment remains interrupted until the object has been removed from the zone of operation.
	The object is again outside the zone of operation, i.e., light grid and muting sensors are no longer interrupted (S_AOPD_In = SAFETRUE, S_MutingSwitch11 and S_MutingSwitch12 = SAFEFALSE). The override operation is automatically exited. OverridePossible and OverrideActive switch to FALSE. The operator releases the control device (e.g., a key switch). The time measurement at MaxOverrideTime is stopped. In this state the safety-related equipment is active again, i.e., SAFEFALSE at S_AOPD_In leads to SAFEFALSE at S_AOPD_Out.

S_StartReset = SAFEFALSE	After the Sicherheitssteuerung has been started up and/or the function block has been activated at input Activate, the start-up inhibit is active. The start-up inhibit is only removed if there is a positive signal edge at the Reset input. Refer to the first warning below this table.
S_StartReset = SAFETRUE	After the Sicherheitssteuerung has been started up and/or the function block has been activated at input Activate, no start-up inhibit is active. Refer to the second warning below this table.