Error Detection - TM5SAI4AFS Safety Module 2x2AI 4-20mA 24 Bits
Detected Internal Module Errors
The red S and E LED indicators make it possible to evaluate the following error states:
oDetected internal module error (hardware error)
oOver/under temperature
oOver/under voltage
oIncompatible firmware version
NOTE: Errors that occur within the module are detected according to the requirements of the relevant standards and within the minimum safety-related response time specified in the technical data of the EcoStruxure Machine Expert - Safety software.
After an error within the module is detected, the module reverts to a defined safe state.
The internal module tests needed for this are only performed, however, if the firmware of the module was booted and the module is in either the preoperational state or the operational state. If this state is not achieved (for example, because the module is not configured in the application), then the module remains in boot state.
Boot mode on a module is clearly indicated by a slow flashing SE LED (2 Hz or 1 Hz).
NOTE: The error detection time specified in the technical data is relevant only for detecting external errors (for example wiring errors) in single-channel structures.
Recognizable errors are detected by the module within the error detection time.
If a module detects an error, then:
oThe channel LED indicator is lit constantly red
oThe SafeChannelOKxx signal is set to SAFEFALSE.
oThe SafeCurrentOKxx signal is set to SAFEFALSE.
oAn entry is generated in the Safelogger of EcoStruxure Machine Expert.
Other errors that are not detected by the module (or not detected on time) may lead to unintended machine states and therefore must be uncovered using additional measures.
|
|
|
UNINTENDED EQUIPMENT OPERATION |
|
Be sure that your risk assessment takes into account errors which are undetectable by the Safety I/O module, and that appropriate additional measures are implemented according to your risk assessment. |
|
Failure to follow these instructions can result in death, serious injury, or equipment damage. |
For more information on errors that are, and are not, detected by the Safety I/O module, refer to the Error Detection tables found in the Connection Examples.
Make all necessary repairs in a timely manner if an error occurs because subsequent errors could create a hazardous situation.
|
|
|
UNINTENDED EQUIPMENT OPERATION |
|
oImmediately replace any and all modules that indicate that they are in an inoperable state. oEnsure that the effect on un-repaired equipment is taken into account in your risk assessment. oMake all necessary repairs to equipment before re-starting, or continuing service of, your machine. |
|
Failure to follow these instructions can result in death, serious injury, or equipment damage. |
Error detection for safe inputs
|
Potential error |
Detection |
Comment |
|---|---|---|
|
Non-wired inputs |
Detected |
General indication for one or more non-wired channels. |
|
Short circuit between signal lines |
May not be detected |
You must take appropriate measures to ensure that this detected error does not lead to a defined safe state. Signal and supply lines must be installed in accordance with EN ISO 13849-2:2010, Table D.5. |
|
Short circuit between signal and supply line |
May not be detected |
|
|
Reverse polarity of signal lines |
Detected |
Module switches to a defined safe state. |
|
Disturbance voltage |
Not detected |
This error results in signal distortion that may be detected by two-channel evaluation in some circumstances. Shielded cables are mandatory for the signal lines. Different installation paths must be used for the wiring of both signals of the signal pair. |
NOTE: You must take appropriate measures to ensure that this error does not lead to a defined safe state.
NOTE: Signal and supply lines must be installed in accordance with EN ISO 13849-2:2010, Table D.5.
|
Step |
Action |
|---|---|
|
1 |
Switch off the module. |
|
2 |
Each open current measurement input of the module has to be wired with one jumper. Result: The module can be switched on again. |
HW_LIMIT_MIN designates the lower limit and HW_LIMIT_MAX designates the upper limit of the measurement range specified in the chapter TM5SAI4AFS Presentation.
Signal evaluation takes place in three stages:
Stage 1: Evaluation of signals against absolute time limits
Stage 2: Evaluation of signals against configurable time limits
Stage 3: Evaluation of signals against configurable signal pair limits
A reset must be performed in order to leave an error state. For this, a valid signal must be received at the analog input for the duration of the I/O update time. The error can then be acknowledged by a rising edge of the signal SafeRelease0x0y.
Channel electronics are automatically tested internally by the module. A test signal is generated in the module and applied to each channel once every 75 minutes for a maximum time of 1 s. To avoid signal distortion, the signal value of the channel being tested is held in a static state during this time. Only one channel is tested at a time. In accordance with EN IEC 61508:2010, the module is considered as a one out of two diagnostic system for the duration of the channel test.
In firmware version 302 of the module, the behavior for the duration of channel diagnostics is structured as follows:
The safe analog input channels (data type SAFEINT) are constituted as the arithmetic mean value of the two individual signals. Since the signal value of the channel being tested is held static for the duration of channel diagnostics, the arithmetic mean value during this period of channel diagnostics for the safe signal is taken from the static value of the diagnosed channel and the signal value of the non-diagnosed channel.
In firmware version 322 and greater, the behavior for the duration of channel diagnostics is structured as follows:
The safe analog input channels (data type SAFEINT) are constituted as the arithmetic mean value of the two individual signals. For the duration of channel diagnostics, however, it is not the arithmetic mean value that is used, but the signal value of the channel that is not currently being diagnosed. If the behavior of firmware version 302 is desired for compatibility reasons, this can be implemented using parameter Measurement Result while Testing = Averaged. An active channel test is indicated by channel TestActive.
The sequence for channel diagnostic is independent of the firmware version and structured as follows:
|
Diagnostic window |
Time sequence |
Channel sequence |
|---|---|---|
|
Diagnostic window 1 |
Every 75 min |
SAI1 |
|
Diagnostic window 2 |
15 min after diagnostic window 1 |
SAI3 |
|
Diagnostic window 3 |
30 min after diagnostic window 1 |
SAI4 |
|
Diagnostic window 4 |
45 min after diagnostic window 1 |
SAI2 |
For further information about variables and parameters refer to EcoStruxure Machine Expert - Safety User Guide.
In order to meet the requirements of CAT 4 per EN ISO 13849-1:2015, the shunts of the channel electrics must be tested (shunt test) despite the multi-channel structure. For a proper shunt test, the slew rate of the input signals must be limited to 200 μA/ms.
For steeper signal edges and parameter configuration Disable Shunttest = Yes-ATTENTION, the module switches to defined safe state if necessary, which affects the entire module.
NOTE: Noisy signal sources or signals with high frequencies may result in excessively steep signal edges and can trigger a shunt test error.
NOTE: If issues with the slew rate of input signals or shunt test occur, the shunt test can be disabled with the parameter Disable Shunttest = Yes-ATTENTION. In this case the module meets only the requirements of CAT 3 per EN ISO 13849-1:2015.
