Safety Function Response Time (SFRT)
What is the Safety Function Response Time (SFRT)?
When planning a safety application, you must determine the correct mechanical positions of the safety equipment involved at the machine, i.e., the safety-related command devices, sensors, and actuators. The position and the physical distance of each piece of safety equipment must fulfill the requirements of your application according to applicable standards and regulations.
To be able to perform safety distance calculations, you must know the safety function response time (SFRT). The SFRT is the time between:
- the receipt of the safety request signal (coming from the safety-related command device or sensor, such as an emergency stop button or a light barrier) in the safety-related input module, and
- the output of the request signal for the defined safe state of the machine at the safety-related output module. Whether the defined safe state means the standstill of the machine, or for example, a torque-free axis or a limited speed, depends on your application and must be determined in the context of your mandatory risk analysis.
Note: The maximum permissible safety function response time (SFRTmax) depends on the relevant safety function to be implemented.
Note: In the application, the SFRTmax must be determined for each implemented safety function.
The longer the SFRT of the safety system, the greater the minimum distance of the safety command device/sensor from the zone of operation must be.
SFRT determination
The SFRT of your safety application is composed as follows:
TWCDT (Total Worst Case Delay Time) is the sum of all processing and transmission times in the respective signal path of the safety system. The value is composed as follows:
TWCDT = t1 + t2 + t3
The partial delay times t1, t2, and t3 are composed as follows:
t1 = worst case input delay time
   = signal processing time in the sensor and in the safety-related input module (Device Acknowledgment Time)
   Refer to the technical data sheet/user manual of the devices involved.
t2 = transmission delay + processing time
   = transfer time from input module to Safety PLC via EtherCAT (incl. bus coupler in case of SDI slave) or Axioline
   + execution processing time in the Safety PLC (see note below)
   + transfer time from Safety PLC to output module via EtherCAT (incl. bus coupler in case of SDO slave) or Axioline
t3 = worst case output delay time
   = signal processing time in the safety-related output module
   Refer to the technical data sheet/user manual of the devices involved.
Note: The execution processing time included in t2 is displayed as 'Program Execution Time' in the Safety Cockpit. See topic "Safety PLC Diagnostics out of the Safety Cockpit" for details.
SFRT = TWCDT + Δtmax of the longest output device WD time
For information on Δtmax, refer to the section "Relevant watchdogs".
Note: The SFRT must be determined for each safety function to be implemented.
SFRTmax = maximum Safety Function Response Time of all SFRTs in your application.
Note: SFRT must be ≤ SFRTmax.
WARNING
Unintended machine operation
Relevant watchdogs
In a PLCnext Technology safety system, various watchdogs (WD) are implemented. The watchdogs monitor the correct function of the safety-related communication and devices. Some watchdogs are device-internal and therefore not parameterizable; others must be parameterized in PLCnext Engineer (for example, FSoE communication watchdog times).
Depending on the SFRTmax, you must determine the resulting maximum monitoring/watchdog times as an upper limit for each individual safety function. If, for example, the WD of a safety-related output device is greater than actually required by the device for processing the output signal, a time delta Δt results. This time delta must be considered when planning the safety system.
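A worked version of the SFRT determination, as an added example that is not part of the original documentation. All timing values are constructed; taking t3 as the slowest output on the path and Δtmax as the watchdog time minus t3 of the output device with the longest watchdog time is this example's reading of the formula, and the per-function limit `sfrt_max_ms` is a hypothetical name.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OutputDevice:
    name: str
    t3_ms: int  # worst-case output delay time (data sheet value)
    wd_ms: int  # watchdog time that applies to this output device

@dataclass(frozen=True)
class SafetyFunction:
    name: str
    t1_ms: int          # worst-case input delay: sensor + input module
    t2_parts_ms: tuple  # (input->PLC transfer, Program Execution Time, PLC->output transfer)
    outputs: tuple      # OutputDevice entries driven by this safety function
    sfrt_max_ms: int    # permissible limit from the safety distance calculation

def twcdt_ms(sf):
    """TWCDT = t1 + t2 + t3; t3 is the slowest output on the path (assumption)."""
    return sf.t1_ms + sum(sf.t2_parts_ms) + max(o.t3_ms for o in sf.outputs)

def delta_t_max_ms(sf):
    """Delta t of the output device with the longest WD time: WD minus the
    time the device actually needs, never negative (assumed reading)."""
    longest = max(sf.outputs, key=lambda o: o.wd_ms)
    return max(0, longest.wd_ms - longest.t3_ms)

def sfrt_ms(sf):
    """SFRT = TWCDT + delta t max."""
    return twcdt_ms(sf) + delta_t_max_ms(sf)

def review(functions):
    """Map each safety function name to (SFRT, SFRTmax, within_limit)."""
    return {sf.name: (sfrt_ms(sf), sf.sfrt_max_ms, sfrt_ms(sf) <= sf.sfrt_max_ms)
            for sf in functions}

# Constructed sample values in milliseconds, not taken from any data sheet.
FUNCTIONS = (
    SafetyFunction("emergency_stop", 10, (4, 6, 4),
                   (OutputDevice("contactor", 8, 20), OutputDevice("valve", 5, 30)), 80),
    SafetyFunction("light_barrier", 15, (4, 6, 4),
                   (OutputDevice("drive_sto", 12, 50),), 60),
)

if __name__ == "__main__":
    for name, (sfrt, limit, ok) in review(FUNCTIONS).items():
        print(f"{name}: SFRT={sfrt} ms, SFRTmax={limit} ms, {'OK' if ok else 'EXCEEDED'}")
```

In the second constructed function the signal path itself needs only 41 ms, but the oversized output watchdog adds 38 ms and pushes the SFRT past its limit.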
The following watchdogs are relevant:
- Input/output device WD: Internal watchdog time of each input/output device involved in the safety function
  Note: Refer to the respective user manual for information on watchdog times within the internal FSoE slave function.
- Communication WDs (to be set in the parameterization for each input/output FSoE slave)
  Each FSoE slave device implements a watchdog (parameter Watchdog Time) for monitoring the safety-related communication. Within this watchdog period, the following must apply: At least one valid telegram must be exchanged between Safety PLC and FSoE safety module, and the I/O data must have been copied from the EtherCAT telegrams to the I/O areas of the Safety PLC. Otherwise, the defined safe state is requested. The watchdog time must be set to a value such that telegram runtimes can be tolerated but an interruption of the connection is detected sufficiently quickly. For each safety function, you must consider the sum of the maximum watchdog times set for the input devices and for the output devices involved:
  Watchdog Time IN slave max + Watchdog Time OUT slave max
  The sum of these watchdog times specifies the maximum internal processing time that is required for point-to-point FSoE communication between the input device and the output device via the Safety PLC, even in the event of an error, such as a telegram delay.
Further Info
Information on how to determine the watchdog times can be found in the respective User Manual.
The steps for setting the Watchdog Time value and evaluating the related diagnostic system variables are described in the topic "Communication/Device State Diagnostics", section "Monitoring the FSoE Communication".
