Exception avoidance

Validation

Only you, the user, machine builder or system integrator can be aware of all the conditions and factors realized in the design of your application for the machine. Therefore, only you can determine the automation equipment and the related safeties and interlocks which can be properly used, and validate such usage.

WARNING

UNINTENDED EQUIPMENT OPERATION

Validate the overall safety-related function and thoroughly test the application.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

Time interval at MonitoringTime incorrectly dimensioned

If the feedback signal of the connected safety-related periphery is not present within the specified time interval following the request of the safety-related function, the function block rates this as an error.

Possible causes are:

  • Error in the safety-related code.

  • Time value incorrectly parameterized.

    NOTE:

    A time value that is set too large is not rated as an error by the function block.

Plausibility and connection errors

Plausibility errors are errors which occur, for example, when a range of values is exceeded or an impermissible connection is made. Such errors are detected and reported either by the function block itself or while the project is being compiled. However, this is not always possible in the case of connection errors.

This means that it is not possible, for example, to automatically verify whether:

  • Values or constants at inputs that lie within the valid range are nevertheless incorrect for the safety-related function being executed.

    This does not apply to a static TRUE signal at the Reset input. This is detected by the function block and reported as an error.

  • Inputs and/or outputs are incorrectly connected or are not connected when they should be.

WARNING

UNINTENDED EQUIPMENT OPERATION

Validate the signals, formulas, variables or constants connected to the input and output formal parameters of the safety-related function block and thoroughly test the application.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

Sporadically switching or toggling signal levels or impermissible signals

If no additional exception avoidance measures are taken, signal levels which switch or toggle sporadically have the following effects:

  • At the edge-triggered inputs, such signals cause the function block to interpret the signal as an edge and trigger a potentially undesirable corresponding action.

  • At the state-controlled (level-triggered) inputs, the momentary signal level itself triggers a potentially undesirable corresponding action.

Impermissible signals at inputs can lead to an unintended start-up, prevent a requested action from being executed or cause an error.

These signals may be caused by:

  • Programming errors in the application program (user errors).

  • Cross circuit, short circuit, and cable break (user errors, wiring errors).

To prevent this, the following measures can be taken, depending on the safety-related function:

  • Using safety-related device signals.

  • Using options for cross-circuit detection.

  • Verifying the safety-related code in the code editor followed by validation of all safety-related networks.

The measures listed above can also be taken in combination in order to help prevent cascading or otherwise difficult to detect errors.

Impermissible static signals when starting up the Safety Logic Controller

A static TRUE signal at Reset results in an error message at the function block in case of a restart of the safety-related control.
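The following is an added, constructed scan-cycle model (not the vendor's function block and not code from this manual) that illustrates three of the behaviours described above: a feedback signal missing beyond MonitoringTime is rated as an error, a MonitoringTime set far too large lets a broken feedback path pass undetected, and a static TRUE at Reset during start-up is rated as an error. Treating Reset as edge-triggered for acknowledgement and the parameter name monitoring_time_ms are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass
class FeedbackMonitor:
    """Constructed model of one safety output whose feedback is checked against MonitoringTime."""
    monitoring_time_ms: int      # assumed parameter; mirrors MonitoringTime in the text
    first_cycle: bool = True
    request_prev: bool = False   # previous Request level, for edge detection
    reset_prev: bool = False     # previous Reset level, for edge detection
    confirmed: bool = False      # feedback has been seen for the current request
    waiting_ms: int = 0          # time spent waiting for feedback since the request
    error: bool = False

    def cycle(self, request: bool, feedback: bool, reset: bool, cycle_ms: int) -> bool:
        """Execute one scan of cycle_ms milliseconds; return the resulting output enable."""
        reset_edge = reset and not self.reset_prev
        request_edge = request and not self.request_prev
        self.reset_prev, self.request_prev = reset, request
        if self.first_cycle:
            self.first_cycle = False
            if reset:              # static TRUE at Reset during start-up is rated as an error
                self.error = True
        elif reset_edge and self.error:
            self.error = False     # Reset modelled as edge-triggered: a held TRUE does not acknowledge
        if request_edge:
            self.confirmed, self.waiting_ms = False, 0
        if request and not self.error and not self.confirmed:
            if feedback:
                self.confirmed = True
            else:
                self.waiting_ms += cycle_ms
                if self.waiting_ms > self.monitoring_time_ms:
                    self.error = True   # feedback not present within MonitoringTime
        return request and not self.error


def run(monitor: FeedbackMonitor, steps, cycle_ms: int = 10) -> bool:
    """Feed (request, feedback, reset) levels scan by scan; return the final output level."""
    out = False
    for request, feedback, reset in steps:
        out = monitor.cycle(request, feedback, reset, cycle_ms)
    return out


# Constructed scenario: the feedback path is broken, so feedback never returns.
broken_feedback = [(True, False, False)] * 10
print(run(FeedbackMonitor(50), broken_feedback))      # 50 ms: error raised, output False
print(run(FeedbackMonitor(10_000), broken_feedback))  # too large: no error, output stays True
```

With a MonitoringTime of 50 ms the missing feedback is flagged after the sixth 10 ms scan, whereas a value of 10 000 ms never expires within the test window, which is exactly why an oversized value cannot be caught by the block itself.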

Simultaneous edge change

In order to reduce the risk of an unintended start-up, it is essential to ensure that the Reset input is only connected to the signal of a manual reset device. The risk analysis determines how this signal is to be set up in practice.

Machine/system start-up without a function test for safety equipment

Inoperable or error-producing safety equipment can only be detected by testing whether it is functioning correctly. The function block does not support function testing.

Possible causes of inoperable or error-producing safety equipment are:

  • Inoperable devices (hardware errors)

  • Cross circuit, short circuit, and cable break (user errors, wiring errors)

WARNING

UNINTENDED EQUIPMENT OPERATION

  • Validate the safety equipment by performing function tests.

  • Prior to performing function tests, make certain that appropriate procedures and measures (according to applicable sector standards) have been established to help avoid hazardous situations if the safety logic operates in ways you did not intend.

  • Do not enter the zone of operation while the machine is operating.

  • Ensure that no other persons can access the zone of operation while the machine is operating.

  • Observe the regulations given by relevant sector standards while the machine is running in any other operating mode than "operational".

  • Use appropriate safety interlocks where personnel and/or equipment hazards exist.

Failure to follow these instructions can result in death, serious injury, or equipment damage.