Functional description

Dieses Thema enthält die folgenden Abschnitte:

The safety-related SF_MutingSeq function block executes the function "sequential muting with four sensors and override function" within an application.
To this end, it evaluates the following signals:

the signals of four muting sensors,
the status signal of the safety-related equipment (light grid),
the feedback signal from the muting lamp,
an enable signal for the muting operation,
a request signal for the override function.

A start-up inhibit can be specified at S_StartReset.

The function block switches the enable signal at the S_AOPD_Out output in accordance with the input signals present. It executes stop category 0 at this output.

Hinweis
The signal at the S_AOPD_Out output is the enable signal for the entire process. In order to process the enable or, equally, the request for the defined safe state in the functional safety system, the signal must be used in the safety logic in such a way that a SAFEFALSE signal at the S_AOPD_Out output stops the zone of operation from being used.

Hinweis
Depending on the result of the risk analysis, optical, mechanical or inductive sensors such as reflection light sensors, mechanical or inductive switches can be used as muting sensors. Optical sensors serve as examples in the help information.

Muting operation (without override function)

The overall muting operation is divided into different muting sequences.

Hinweis
Only the material flow direction from muting sensors S_MutingSwitch11S_MutingSwitch12 to muting sensors S_MutingSwitch21S_MutingSwitch22 is described in the following (forward direction). This is illustrated in the graphic in the function block overview.
The function block also supports the opposite material flow direction from muting sensors S_MutingSwitch22S_MutingSwitch21 to muting sensors S_MutingSwitch12S_MutingSwitch11 (backwards direction). The functional sequence remains identical.

Protecting the zone of operation.
The safety-related equipment is active when muting is not active: If the function block does not detect an active muting operation at the muting inputs, a SAFEFALSE signal from the light grid ("object detected") leads to the defined safe state SAFEFALSE at the S_AOPD_Out output (e.g., "stop machine").
Activating the muting operation.
The safety-related equipment is deactivated: When the muting sensors located before the safety-related equipment switch from SAFEFALSE to SAFETRUE one after the other (i.e., first S_MutingSwitch11 and then S_MutingSwitch12) (because both have detected an object), the muting operation is activated and the safety-related equipment deactivated.
Muting operation is active.
The safety-related equipment is deactivated for as long as the muting operation is active and the sensors detect an object permissible for the muting operation.
A SAFEFALSE signal from the light grid ("object detected") does in this case not cause the S_AOPD_Out output to switch to the defined safe state SAFEFALSE (e.g., "stop machine").
The muting operation remains active as long as the requirements for a valid muting sequence are met and when the muting operation is completed properly within the maximum muting time set at MaxMutingTime. If it is not, the S_AOPD_Out output switches to the defined safe state SAFEFALSE (e.g., "stop machine").
Completing the muting operation.
The safety-related equipment is active again. The muting operation is complete when the first muting sensor located behind the safety-related equipment (at the S_MutingSwitch21 input) switches back from SAFETRUE to SAFEFALSE, i.e., an object is no longer detected in the detection area. The safety-related equipment is reactivated at the same time when the S_MutingActive output switches to SAFEFALSE.

Weitere Infos
Refer also to the "Muting errors" section in this context.

Muting errors

Errors which occur during the muting operation are called muting errors. As a result, muting is interrupted and the safety-related equipment gets activated. The safety-related equipment can then be temporarily deactivated by means of the override function (see below).

Muting errors are:

Invalid muting sequences which always occur if the following valid muting operation is not adhered to:
- For a material flow direction from left to right: first, S_MutingSwitch11 must become SAFETRUE and subsequently S_MutingSwitch12. Both inputs must remain SAFETRUE until S_MutingSwitch21 and then S_MutingSwitch22 also become SAFETRUE.
- For a material flow direction from right to left: first, S_MutingSwitch22 must become SAFETRUE and subsequently S_MutingSwitch21. Both inputs must remain SAFETRUE until S_MutingSwitch12 and then S_MutingSwitch11 also become SAFETRUE.
The maximum muting time MaxMutingTime has elapsed.

If override is not requested in the event of a muting error, the outputs behave in the following way:

the S_AOPD_Out output switches to the defined safe state SAFEFALSE (e.g., "stop machine"),
the Error output switches to TRUE.

Override function

If the muting is interrupted by an error (e.g., the maximum muting time MaxMutingTime has elapsed because of an impermissible object), the safety-related equipment gets activated. This can be temporarily deactivated by the override function, e.g., to clear the zone of operation from the impermissible object.

The override function can only be used in the event of a previous muting error. The sequence is then as follows:

Normal sequence of the muting operation as described in the steps 1-3 above.
- Protecting the zone of operation by activating the safety-related equipment.
- Activating the muting operation and deactivating the safety-related equipment by the muting.
A muting error occurs.
The muting gets interrupted, e.g., by an impermissible object. The Error output switches to TRUE and the S_AOPD_Out output switches to the defined safe state SAFEFALSE (e.g., "stop machine"). Now, an override operation is possible (OverridePossible output = TRUE).
Override is started by the operator.
An override operation can be started by a SAFETRUE signal at the S_StartStopOverride input, if the OverridePossible output = TRUE. This initiates the override timer (MaxOverrideTime input). The start is caused by activating the connected control device and must be maintained for the overall override duration (e.g., by a key switch).
The safety-related equipment is deactivated for as long as the override operation is active. A FALSE signal from the light grid ("object detected") does not then cause the S_AOPD_Out output to switch to the defined safe state SAFEFALSE (e.g., "stop machine"). Now, the impermissbile object can be removed from the zone of operation.
Interrupting or exiting the override operation.
The override operation gets interrupted as soon as the operator releases the control device (e.g., a key switch) (S_StartStopOverride input = SAFEFALSE). The output OverrideActive becomes FALSE and S_AOPD_Out switches to the defined safe state SAFEFALSE (e.g., "stop machine") and the override timer MaxOverrideTime continues to run. The override operation can be restarted as long as MaxOverrideTime has not elapsed.
Override gets automatically exited when both muting sensors and the light grid detect no more object or when the override timer MaxOverrideTime has elapsed.

Example of a muting operation (without override function)

The graphic below shows an example of a muting operation.

Hinweis
In the graphic, only the values of the inputs and outputs which are relevant for this illustration are given.

Explanatory notes:

MS_11: Muting sensor 1, connected to function block input S_MutingSwitch11 and
MS_12: Muting sensor 2, connected to function block input S_MutingSwitch12.
These two sensors are positioned before the safety-related equipment in the material flow direction of the assembly conveyor.
The detection areas of the muting sensors are shown as "yellow light beams".
MS_21: Muting sensor 3, connected to function block input S_MutingSwitch21 and
MS_22: Muting sensor 4, connected to function block input S_MutingSwitch22.
These two sensors are positioned behind the safety-related equipment in the material flow direction of the assembly conveyor.
Signaling unit (e.g., lamp) "muting active", controlled via function block output S_MutingActive.
S/R: Safety-related equipment (e.g., light grid), consisting of a transmitter (S) and a receiver (R), connected to function block input S_AOPD_In. The function of this safety-related equipment is deactivated/activated by means of the muting operation.

The light beams of all the muting sensors are not interrupted. The muting operation is not (yet) active.

The light beam of the first muting sensor (1) before the safety-related equipment is interrupted by an object on the transport conveyor.

This initiates the muting operation but muting is not active yet (S_MutingActive remains SAFEFALSE).

The MaxMutingTime timer starts (measures the duration of the muting operation).

The light beam of the first muting sensor remains interrupted.

The light beam of the second muting sensor is also interrupted.
The requirements for a valid muting sequence are met because sensor 2 detected the object after sensor 1.

This starts the muting operation , i.e. muting is activated (S_MutingActive switches to SAFETRUE).

In this state the safety-related equipment is not active, i.e., SAFEFALSE at S_AOPD_In does not lead to SAFEFALSE at S_AOPD_Out.

An object interrupts the light beam of the safety-related equipment, i.e., S_AOPD_In switches to SAFEFALSE. S_AOPD_Out remains SAFETRUE because the muting operation is still active.

The light beam of the first muting sensor after the safety-related equipment (3) is interrupted.

The requirements for a valid muting sequence are met because sensor 3 detected the object after sensors 1 and 2, and because the light beams of muting sensors 1 and 2 are still interrupted.

The MaxMutingTime timer continues to run.

The light beam of the fourth muting sensor is also interrupted.

The requirements for a valid muting sequence are met because sensor 4 detected the object after sensors 1, 2 and 3, and because the light beams of muting sensors 1, 2 and 3 are still interrupted.

Hinweis
The muting sensors 1 and 2 must not report FALSE, before both sensors 3 and 4 have reported SAFETRUE. Otherwise the function block detects an error.

As muting is still active, the S_AOPD_Out output remains SAFETRUE even though the light beam of the safety-related equipment is still interrupted.

The object is already behind the safety-related equipment, i.e., a SAFETRUE signal is present at the S_AOPD_In input again and the muting sensors 1 and 2 report SAFEFALSE again.

The light beam of muting sensor 3 is also not interrupted any more (sensor reports SAFEFALSE).

The change from SAFETRUE to SAFEFALSE at input S_MutingSwitch21 stops the MaxMutingTime time measurement. As the muting operation has been completed within the time interval specified at MaxMutingTime, the S_AOPD_Out output remains SAFETRUE and no error is detected (Error remains FALSE).

Muting is inactive again.

In this state the safety-related equipment is active again, i.e., SAFEFALSE at S_AOPD_In leads to SAFEFALSE at S_AOPD_Out.

Example of a muting operation (with override function)

In the event of an error during the activated muting (S_MutingActive = SAFETRUE) in the muting operation described in the example above, muting is inactive. All requirements for an override operation are then met and the further sequence is indicated below.

A muting error occurs (e.g., invalid muting sequence because the object is too short and thus sensor 1 already reports SAFEFALSE, before sensor 3 and 4 report SAFETRUE). Muting is interrupted (S_MutingActive switches to SAFEFALSE, Error to TRUE).

The light beam of at least one of the two muting sensors and/or the safety-related equipment remains interrupted.

In this state the safety-related equipment is active again, i.e., SAFEFALSE at S_AOPD_In leads to SAFEFALSE at S_AOPD_Out.

The requirements for the override function are given (OverridePossible = TRUE)

The override operation is started by the operator via the control device (S_StartStopOverride input = SAFETRUE). The override function is activated (OverrideActive output = TRUE). The safety shutdown is temporarily removed, the S_AOPD_Out output becomes SAFETRUE and the Error output switches to FALSE.

The override timer starts.

The light beam of at least one of the muting sensors and/or the safety-related equipment remains interrupted until the object has been removed from the zone of operation.

The object is again outside the zone of operation, i.e., light grid and muting sensors are no longer interrupted (S_AOPD_In = SAFETRUE, S_MutingSwitch11, S_MutingSwitch12, S_MutingSwitch21, and S_MutingSwitch22 = SAFEFALSE).

The override operation is automatically exited. OverridePossible and OverrideActive switch to FALSE.

The operator releases the control device (e.g., a key switch).

The time measurement at MaxOverrideTime is stopped.

In this state the safety-related equipment is active again, i.e., SAFEFALSE at S_AOPD_In leads to SAFEFALSE at S_AOPD_Out.

Hinweis
As the override operation in this example has been completed within the time slot specified at the MaxOverrideTime input, the S_AOPD_Out output remains SAFETRUE and no error is detected (Error remains FALSE). Exceeding would result in an error (Error output = TRUE) and the S_AOPD_Out output would be switched to the defined safe state SAFEFALSE (e.g., "switch off machine").

Start-up inhibit (S_StartReset)

S_StartReset is used to specify the start-up inhibit after activating the function block and/or starting the Sicherheitssteuerung.

S_StartReset = SAFEFALSE After the Sicherheitssteuerung has been started up and/or the function block has been activated at input Activate, the start-up inhibit is active. The start-up inhibit is only removed if there is a positive signal edge at the Reset input.
Refer to the first warning below this table.

S_StartReset = SAFETRUE After the Sicherheitssteuerung has been started up and/or the function block has been activated at input Activate, no start-up inhibit is active.
Refer to the second warning below this table.

Removing the start-up inhibit by means of a positive signal edge at the Reset input can cause the S_AOPD_Out output to switch to SAFETRUE immediately (depending on the status of the other inputs).

WARNUNG

Unintended start-up

Verify the impact of removing the start-up inhibit by means of a positive signal edge at the Reset input.

Make certain that appropriate procedures and measures (according to applicable sector standards) have been taken to help avoid hazardous situations when removing the start-up inhibit.

Do not enter the zone of operation when removing the start-up inhibit.

Ensure that no other persons can access the zone of operation when removing the start-up inhibit.

Use appropriate safety interlocks where personnel and/or equipment hazards exist.

WARNUNG

Non-conformance to safety function requirements

Verify the impact of a deactivated start-up inhibit (S_StartReset = SAFETRUE) on your machine or process prior to implementation.

Observe the regulations given by relevant sector standards regarding the start-up inhibit.

Verify that a suitable start-up inhibit is in place at another location or using other means if the start-up inhibit is deactivated by setting S_StartReset = SAFETRUE.

	A muting error occurs (e.g., invalid muting sequence because the object is too short and thus sensor 1 already reports SAFEFALSE, before sensor 3 and 4 report SAFETRUE). Muting is interrupted (S_MutingActive switches to SAFEFALSE, Error to TRUE). The light beam of at least one of the two muting sensors and/or the safety-related equipment remains interrupted. In this state the safety-related equipment is active again, i.e., SAFEFALSE at S_AOPD_In leads to SAFEFALSE at S_AOPD_Out. The requirements for the override function are given (OverridePossible = TRUE)
	The override operation is started by the operator via the control device (S_StartStopOverride input = SAFETRUE). The override function is activated (OverrideActive output = TRUE). The safety shutdown is temporarily removed, the S_AOPD_Out output becomes SAFETRUE and the Error output switches to FALSE. The override timer starts. The light beam of at least one of the muting sensors and/or the safety-related equipment remains interrupted until the object has been removed from the zone of operation.
	The object is again outside the zone of operation, i.e., light grid and muting sensors are no longer interrupted (S_AOPD_In = SAFETRUE, S_MutingSwitch11, S_MutingSwitch12, S_MutingSwitch21, and S_MutingSwitch22 = SAFEFALSE). The override operation is automatically exited. OverridePossible and OverrideActive switch to FALSE. The operator releases the control device (e.g., a key switch). The time measurement at MaxOverrideTime is stopped. In this state the safety-related equipment is active again, i.e., SAFEFALSE at S_AOPD_In leads to SAFEFALSE at S_AOPD_Out.

S_StartReset = SAFEFALSE	After the Sicherheitssteuerung has been started up and/or the function block has been activated at input Activate, the start-up inhibit is active. The start-up inhibit is only removed if there is a positive signal edge at the Reset input. Refer to the first warning below this table.
S_StartReset = SAFETRUE	After the Sicherheitssteuerung has been started up and/or the function block has been activated at input Activate, no start-up inhibit is active. Refer to the second warning below this table.