Preventa Motion FB SF_SafeMotionControl
Short description
The safety-related SF_SafeMotionControl function block acts as interface between the Safety Logic Controller and the Safety Module (option module) which is the safety-related component of the ILM62 or LXM62 standard drive.
|
The main purpose of the safety-related SF_SafeMotionControl function block is to request safety-related monitoring functions on the Safety Module and to visualize the Safety Module state. It performs the following tasks:
|
|
The drive to be controlled is identified via an axis ID which is to be applied at the S_AxisIN function block input as well as to the S_AxisOUT output. This way, a unique assignment between the function block and the physical axis is done.
The Safety Module provides an internal start-up/restart inhibit that cannot be deactivated. The function block reflects this internal start-up/restart inhibit in the safety-related application programming and enables its resetting.
Supported safety-related functions
The following safety-related monitoring functions are supported by the safety-related SF_SafeMotionControl function block. Click the links to get detailed information.
NOTE:
All provided safety-related functions fulfill the safety requirements up to SIL3.
The various safety-related functions are subject to a fixed priority, whereby STO has the highest one.
Function block inputs
Click the corresponding hyperlinks to obtain detailed information on the items below.
|
Name |
Short description |
Value |
|
State-controlled input for activating the function block. Data type: BOOL Initial value: FALSE |
|
|
|
Input for specifying the axis to be controlled and monitored. Data type: SAFEDWORD Initial value: 0x0 |
This input must be connected to the SafeAxisIn data item provided (in the 'Devices' window) by the Safety Module which is controlling the respective drive or axis respectively. Therefore, its value is determined and provided by this Safety Module. |
|
|
State-controlled input for requesting the respective safety-related monitoring function. The * placeholder stands for: Data type: SAFEBOOL Initial value depends on the input:
NOTE: As the SMS (Safe Maximum Speed) monitoring function is active at any time, no function block input is available/required to request it. However, a function block output for indicating its activity is provided. |
NOTE: The S_STO_Request input must not remain unconnected. NOTE: For drive operation (rotation), SAFETRUE must apply to the S_STO_Request input. |
|
|
Edge-triggered input for the reset signal.
Data type: BOOL Initial value: FALSE NOTE: Resetting does not occur with a negative (falling) edge, as specified by standard EN ISO 13849-1, but with a positive (rising) edge. Refer to the hazard message below this table. |
|
Removing an active start-up/restart inhibit by means of a positive signal edge at the Reset input of the safety-related function block can immediately cause the switching of outputs (depending on the states of the remaining inputs) and influence the speed and behavior of the axis to be controlled.
WARNING
UNINTENDED START-UP
Include in your risk analysis the impact of removing an active start-up/restart inhibit by means of a positive signal edge at the Reset input.
Make certain that appropriate procedures and measures (according to applicable sector standards) have been established to help avoid hazardous situations when resetting the function block.
Do not enter the zone of operation when resetting the function block.
Ensure that no other persons can access the zone of operation when resetting the function block.
Use appropriate safety interlocks where personnel and/or equipment hazards exist.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
Function block outputs
Click the corresponding hyperlinks to obtain detailed information on the items below.
|
Name |
Short description |
Value |
|
Output for signaling "Function block activated/not activated". Data type: BOOL |
|
|
|
Output for indicating the controlled/monitored axis. Data type: SAFEDWORD |
This output must be connected to the SafeAxisOut data item provided (in the 'Devices' window) by the Safety Module which is controlling the respective drive or axis respectively. |
|
|
Outputs for signaling the status of the respective safety-related function. The * placeholder stands for: Data type: SAFEBOOL |
NOTE: In case of an active start-up/restart inhibit, S_STO_SafetyActive = SAFETRUE and the other SafetyActive outputs are SAFEFALSE. |
|
|
Output for signaling that the STO safety-related function has been requested via the direct hard-wired signal link. Data type: SAFEBOOL NOTE: This output is only relevant if the HW_STO device parameter of the Safety Module is set to Activated. Only with this setting, the use of the hard-wired STO request is possible (see section "STO hard-wired"). |
|
|
|
Output for signaling the active ramp monitoring for the requested safety-related monitoring function(s). |
|
|
|
Output for signaling the overall status of the requested safety-related functions. Data type: SAFEBOOL |
|
|
|
Output for signaling the error state of the Safety Module. Data type: SAFEBOOL |
|
|
|
Output for reporting the axis status. Data type: DWORD |
Bitwise status output as DWORD data type. Every Boolean FB output is mapped to one bit of this status DWORD which can be further processed and evaluated in the application (see table in topic "AxisStatus output"). |
|
|
Output for diagnostic message. Data type: WORD |
Diagnostic message of the function block. The possible values are listed and described in the topic "Diagnostic codes". |
Signal sequence diagram:
This diagram relates to a basic sample application of the safety-related SF_SafeMotionControl FB: The states of two safety-related command devices, an emergency-stop control button and a key switch, are evaluated by the function block. The emergency-stop control button requests the STO function and the key switch requests the SLS1 safety-related function.
According to the safety-related concept, the axis speed must be reduced before personnel may enter the zone of operation. Only with reduced speed, for example, a safety door can be opened to grant access to the zone of operation without requesting the STO function.
NOTE:
The signal sequence diagrams in this documentation possibly omit particular diagnostic codes. For example, a diagnostic code is possibly not shown if the related function block state is a temporary transition state and only active for one cycle of the Safety Logic Controller.
Only typical input signal combinations are illustrated. Other signal combinations are possible.
NOTE:
The signal sequence diagram is simplified and is intended to explain the functionality of the safety-related SF_SafeMotionControl function block. Therefore, this example is not intended as a practical safety solution implemented as shown and described in this document.
Further Information
Also take the other signal sequence diagram into account.
|
0 |
The function block is not yet activated (Activate = FALSE). As a result, the outputs are FALSE/SAFEFALSE. |
|
1 |
After starting up, the Safety Module automatically enters the STO functionally-safe state. After its activation (by switching Activate = TRUE), the function block indicates this state by S_STO_SafetyActive = SAFETRUE. As a consequence of the STO state, the internal start-up inhibit is active. (According to the relevant IEC 60204-1 standard, the STO function executes stop category 0. This stop category implies a subsequent start-up inhibit.) With the block activation, the S_NotErrFUNC output switches immediately to SAFETRUE indicating that the function block has not detected any error. |
|
2 |
With the FALSE > TRUE edge at the Reset input of the safety-related function block, the start-up/restart inhibit is removed. With this reset, the STO state is left. As no safety-related function is requested now, the S_STO_SafetyActive output switches back to SAFEFALSE while the other function block outputs keep their previous states. On that condition, the standard (non-safety-related) controller can start the drive operation by accelerating the axis to the target speed parameterized in the standard (non-safety-related) motion application. |
|
3 |
The SLS1 safety-related function is requested: The signal at the S_SLS_1_Request input switches to SAFEFALSE, for example, by unlocking a key switch. Within the t1 time interval, the standard (non-safety-related) controller also receives the request from the connected process and initiates the motion control function according to the logic and drive parameterization defined in the standard (non-safety-related) application. t1 is to be defined in the Safety Module device parameters (SLS*_StartDelayTime[t1]). After t1 has elapsed, the deceleration of the drive to target speed V2 is executed by the standard (non-safety-related) controller according to the drive parameterization defined in the standard application. During the deceleration (ramp-down) phase t2, ramp monitoring is parameterized in our example for the SLS1 safety-related function. For that purpose, the corresponding Safety Module parameter SLS1_RampMonitoring is set to Activated. Active ramp monitoring is indicated by the output S_RampMonitoringActive = SAFETRUE. Exceeding the defined ramp results in the immediate request of the STO function. |
|
4 |
The parameterized limited target speed V2 (set with the SLS1_Speed[v2] parameter) is achieved before the defined monitoring time t2 has elapsed and the ramp monitoring did not detect any speed errors during the ramp monitoring period t2. This means the requested SLS1 safety-related function is activated correctly and the function block does not detect any error (S_NotErrFUNC remains SAFETRUE). As a result, S_SLS_1_SafetyActive switches to SAFETRUE when t2 elapses, indicating that SLS1 has entered its defined safe state. Now, for the example, the safety door can be opened and access to the zone of operation is possible without a following emergency stop. S_AllReqFuncActive simultaneously switches to SAFETRUE signaling that each requested safety-related function is activated correctly and as parameterized. As long as the request for the safety-related function is maintained by further applying SAFEFALSE to the S_SLS_1_Request input, the target speed V2 is monitored. Any exceeding of the target speed V2 results in the immediate request of the STO function and switches S_SLS_1_SafetyActive to SAFEFALSE. |
|
5 |
The request for the SLS1 safety-related function is removed by switching the signal at the S_SLS_1_Request input back to SAFETRUE (for example by locking the key switch after closing a safety door). The outputs S_SLS_1_SafetyActive and S_AllReqFuncActive immediately switch back to SAFEFALSE, thus signaling that no safety-related function is active anymore. As no restart inhibit is required following the SLS function, the standard (non-safety-related) controller can accelerate the axis without any reset signal as soon as the request for the safety-related function is removed at S_SLS_1_Request. The axis achieves the speed (parameterized in the standard (non-safety-related) motion application) without exceeding the defined and permanently monitored safe maximum speed (Vmax). |
|
6 |
The STO safety-related function is requested: By pressing the monitored emergency-stop control button, the signal at the S_STO_Request input switches to SAFEFALSE. As a result, the Safety Module immediately sets the drive torque-free and the axis coasts down. S_STO_SafetyActive switches immediately to SAFETRUE, indicating that STO is activated. As STO is the only requested safety-related function at that time, S_AllReqFuncActive also shows SAFETRUE. |
|
7 |
The request for the STO function is removed by unlocking the emergency-stop control button before the axis has reached the standstill. As a result, the signal from the emergency stop button, connected to the S_STO_Request input, switches back to SAFETRUE. The drive, however, remains torque-free due to the implemented restart inhibit and the axis keeps on coasting down until v = 0. S_STO_SafetyActive and S_AllReqFuncActive remain SAFETRUE as long as the restart inhibit is active. |
|
8 |
With the FALSE > TRUE edge at the Reset input of the safety-related function block, the restart inhibit is removed. As no safety-related function is requested, the standard (non-safety-related) controller can accelerate the axis until it achieves its programmed speed (parameterized in the standard (non-safety-related) motion application) without exceeding the defined and permanently monitored safe maximum speed (Vmax). |
Application example
NOTE:
The application example is simplified and is intended to explain the functionality of the safety-related SF_SafeMotionControl function block. Therefore, this example is not intended as a practical safety solution implemented as shown and described in this document.
Only you, the user, machine builder or system integrator can be aware of all the conditions and factors realized in the design of your application for the machine. Therefore, only you can determine the automation equipment and the related safeties and interlocks which can be properly used, and validate such usage.
WARNING
NON-CONFORMANCE TO SAFETY FUNCTION REQUIREMENTS
Specify the requirements and/or measures to be implemented in the risk analysis you perform.
Verify that your safety-related application complies to applicable safety regulations and standards.
Make certain that appropriate procedures and measures (according to applicable sector standards) have been established to help avoid hazardous situations when operating the machine.
Use appropriate safety interlocks where personnel and/or equipment hazards exist.
Validate the overall safety-related function and thoroughly test the application.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
In the example shown below, the Safety Logic Controller processes the input signals coming from a TM5 safety-related extension module SDI 1. Here, an emergency-stop control button, a key switch and a light curtain are connected. These devices are connected via global I/O variables to the respective function block request inputs.
At the safety-related output device SDO 1 two signal lamps are connected: The green lamp signals "Safety Module OK" and the red one indicates "Safety-related function requested".
Further Information
Also take the details on this application example and the accompanying notes into account.
Detailed information
Additional information is available in the following sections:
