ecomat 100 type R 360 Use as safety controller


Supplement to the system manual ecomat 100 type R 360 Use as safety controller

Supplement to the system manual ecomat 100 type R 360, April 2000

Warranty

This manual was written with the utmost care. However, we cannot assume any guarantee for the contents. Since errors cannot be avoided despite all efforts, we appreciate any comment. We reserve the right to make technical alterations to the product which might result in a change of the contents of the manual.

Contents

1. General
   1.1. Safety advice
   1.2. Functions and features
   1.3. Test basis for certification
2. Safety concept of the hardware
   2.1. Digital inputs
   2.2. Fast inputs
   2.3. Analog inputs
   2.4. Digital outputs
   2.5. PWM outputs
   2.6. Peculiarities and restrictions
3. Safety concept of the software
   3.1. Program and system monitoring
   3.2. Error messages
   3.3. Program creation and download
   3.4. LED functions
4. Use in control category 3/requirement class 4 applications
5. Wiring
   5.1. CR7016
   5.2. CR7017
   5.3. CR7501
   5.4. CR7502


1. General

1.1. Safety advice

Please follow the details of the description. Ignoring the instructions, operation outside the proper use as described below, wrong installation or incorrect handling can result in severe impairment of the safety of people and systems.

These instructions are aimed at persons who can be considered "experts" in the sense of the EMC guideline, the low-voltage guideline, the machine guideline and the safety-relevant special standards listed below. The controllers are to be installed and set up by a skilled person (programmer or service technician).

This description is a supplement to the current system manual ecomat 100 type R 360, the knowledge of which is required. It contains text and diagrams on the use of the controller under safety-relevant considerations and has to be read before installation or application.

In the case of malfunctioning or uncertainties please contact the manufacturer. Tampering with the unit might lead to considerable impairment of the safety of persons and systems. It is not permissible and will lead to an exclusion of liability and warranty.

1.2. Functions and features

The controller modules ecomat 100 type R 360 (in the following text called ecomat R 360) are designed for use under severe conditions (e.g. extended temperature range, strong vibration, intensive EMC stress). They are suitable for direct installation in machinery in mobile and robust applications. Due to their specifications the inputs and outputs are specially designed for this application. Integrated hardware and software functions (operating system) offer high protection. In addition, special hardware and software functions for safety-relevant applications are integrated in the certified controllers, allowing their use as safety controllers.

The controller ecomat R 360 is approved for safety-relevant tasks in the sense of the protection of persons if the appropriate system test routines are integrated in the operating system and in the application software. Depending on the use of the hardware or its external wiring (see chapter 2) and the structure of the user program (see chapter 3) the following safety classes can be reached with the certified controllers ecomat 100 type R 360:

- to EN 954-1: control category 3
- to DIN 19250: requirement class 4

However, the final classification should only be made after a risk analysis of the application. The relevant supervisory bodies have to release the system (hardware and software).

The application software can easily be created by the user with the programming software ecolog 100plus. All software functions and programming procedures described in this documentation refer to the programming software ecolog 100plus, the knowledge of which is required for this description.

The operating system (*.H86), the controller configuration (*.M66) and the unit libraries (*.LIB) always have to have the same software level. The software status is indicated by suffixed letters in alphabetical order in the file names (e.g. CR7016_G.H86 or TDM_D.LIB). It also has to be noted that the internal libraries (made in IEC1131) are translated with the loaded software level.

In general, only certified operating systems can and must be used in safety-relevant applications. The user himself is responsible for the safe functioning of the application programs that he has created. If required, he has to obtain an approval by a relevant test and supervisory authority in accordance with the national regulations.

1.3. Test basis for certification

Testing and certification was carried out on the basis of the following standards and specifications:

- DIN EN 954-1/03.97: Safety-related parts of control systems, Part 1: General principles for design
- DIN V 19250/05.94: Fundamental safety aspects to be considered for measurement and control equipment
- DIN V VDE 0801/01.90 with modification A1/1994-10: Principles for computers in safety-related systems
- DIN V 19251 Draft/12.93: MC protection equipment, requirements and measures for safeguarded function


2. Safety concept of the hardware

The following chapters describe the safety concept of the hardware and its use in safety-relevant applications. Certified controllers type R 360 can be used in applications up to control category 3 or requirement class 4 if the inputs and outputs are selected and wired accordingly.

2.1. Digital inputs

For the processing of digital signals the switching states 0 (no voltage present) and 1 (voltage present) are permissible. Therefore a wire break (signal 0) and a short circuit to the supply voltage (signal 1) cannot be detected. To keep up the safety functions, the input signals in the application have to be monitored. Therefore safety-relevant signals are processed redundantly, i.e. the signal transmitters are connected in double and are processed via the user software (also double). In addition, the inputs need to be in different input groups.

(Program example: figure in the original manual)

Plausibility check of the process

If the application allows, sufficient failure safety can be achieved by selecting suitable signal transmitters (mechanical or electronic), by appropriate installation and by plausibility checks of certain parts of the plant, which makes the installation of two equal signal transmitters in one installation position obsolete.

2.2. Fast inputs

Fast counter, pulse or interrupt inputs (%IX0.12...%IX0.15) are a special form of digital inputs, which is why the facts described in 2.1 also apply to these inputs.

Measuring methods

In the case of safety-relevant frequency measurements the signal frequency also has to be determined in two different ways in addition to the external wiring. Depending on the selected software functions (see library: CRxxxx_x.LIB) different hardware parts are used in the ecomat R 360. The software function FREQUENCY determines the frequency on the basis of the internal hardware counter, the function CYCLE on the basis of the internal timer. The result of these different measurement methods then needs to be checked via the user program.

(Program example: figure in the original manual)

In the above example the function SAVE_Value_ok compares the two frequency values SAVE_frequency and REF_frequency. If the difference is smaller than or equal to the value of ACCEPT_TOLERANCE, the two frequency values are considered equal and can be further processed. A program example for the function SAVE_Value_ok is shown in chapter 2.5.

Safety consideration

It has to be observed that due to the different measurement methods, errors in the frequency determination might occur. The function FREQUENCY is therefore suited for frequencies between 100 Hz and 50 kHz, with the error decreasing at higher frequencies. The function CYCLE carries out a period measurement and is therefore suitable for frequencies lower than 100 kHz. For safety considerations errors in the reference measurement of up to 20% can be tolerated, as the reference value is only used to check the function of the measuring channel. The frequency value for the application is derived from the "precise" measurement.

Use as digital inputs

It also has to be observed that due to the permissible high input frequencies, error signals (e.g. bouncing contacts of mechanical switches) are also detected. This has to be suppressed via the user software, if required.

2.3. Analog inputs

The correct functioning of the analog/digital converter is checked in the controller by the system on a regular basis via reference voltages, so that all internal errors can be detected. Errors in the wiring (short circuit, wire break), in the sensor or in the input amplifier of the controller are not detected in these checks. Therefore analog input signals also have to be connected and processed redundantly. Furthermore, it makes sense to evaluate the signal voltage only in a limited range (e.g. 1...9 V). This way the errors short circuit to ground or wire break, and short to the supply voltage/short circuit, can be detected.

(Program example: figure in the original manual)

In the above example the function SAVE_Value_ok compares the two analog values SAVE_A_IN_1a and SAVE_A_IN_1b. If the difference is smaller than or equal to the value of ACCEPT_TOLERANCE, the two analog values are considered equal and can be further processed. A program example for the function SAVE_Value_ok is shown in chapter 2.5.

2.4. Digital outputs

Switching off the outputs in case of a fault is one of the most important features of machine controllers. The switched-off (de-energized) state is considered the safe state. The constant monitoring of the connected actuators for wire break, short to the supply voltage or ground, multiple connection of two or more outputs to a given actuator as well as undesired and unallowed direct connection of the supply voltage to a given actuator is therefore absolutely necessary. For the above-mentioned faults the ecomat R 360 has outputs with diagnostic capability which are automatically checked by the operating system. They must also be evaluated in the application software by the user.
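A Python model of the two-channel checks described in sections 2.1 to 2.3, added here as an example; it is not the manual's SAVE_Value_ok program example (an IEC 1131 figure that did not survive extraction) and not ifm code. The tolerance values, the function signatures and the discrepancy-time latch for digital channels are assumptions of this example, not statements of the manual.

```python
from dataclasses import dataclass

# Constructed tolerances, not taken from the manual: section 2.2 only says that
# a reference-channel error of up to 20 % is tolerable for frequencies.
ACCEPT_TOLERANCE_FREQ = 0.20       # relative, FREQUENCY (precise) vs CYCLE (reference)
ACCEPT_TOLERANCE_ANALOG_V = 0.25   # absolute, redundant analog channels
VALID_RANGE_V = (1.0, 9.0)         # evaluation window from section 2.3


def save_value_ok(value_a, value_b, accept_tolerance, relative=False):
    """Two-channel comparison in the role of the manual's SAVE_Value_ok: True if
    |a - b| <= ACCEPT_TOLERANCE (taken relative to the larger value if relative=True)."""
    diff = abs(value_a - value_b)
    if relative:
        return diff <= accept_tolerance * max(abs(value_a), abs(value_b))
    return diff <= accept_tolerance


def safe_frequency(save_frequency, ref_frequency, tolerance=ACCEPT_TOLERANCE_FREQ):
    """Section 2.2: FREQUENCY (hardware counter) and CYCLE (internal timer) measure
    the same signal by different means; the application value comes from the
    'precise' counter channel, the timer value only verifies that channel.
    Returns (ok, frequency); frequency is None if the channels disagree."""
    if not save_value_ok(save_frequency, ref_frequency, tolerance, relative=True):
        return False, None
    return True, save_frequency


def analog_in_range(volts):
    """Section 2.3: evaluating only 1...9 V turns wire break / short to GND (~0 V)
    and short to the supply voltage (full scale) into detectable out-of-range faults."""
    lo, hi = VALID_RANGE_V
    return lo <= volts <= hi


def safe_analog(a_in_1a, a_in_1b, tolerance=ACCEPT_TOLERANCE_ANALOG_V):
    """Redundant analog input: both channels must be in range and must agree.
    Returns (ok, value); value is None on any detected fault."""
    if not (analog_in_range(a_in_1a) and analog_in_range(a_in_1b)):
        return False, None
    if not save_value_ok(a_in_1a, a_in_1b, tolerance):
        return False, None
    return True, a_in_1a


@dataclass
class RedundantDigitalInput:
    """Section 2.1: a single digital input cannot tell a wire break (0) or a short
    to supply (1) from a valid signal, so the transmitter is wired twice, to two
    different input groups, and both channels are evaluated in the user program.
    The discrepancy-time latch is an assumption of this example: the manual only
    requires the channels to be compared and notes (chapter 4) that the comparison
    uncovers faults only when the signals actually change."""
    max_discrepancy_ms: int
    discrepancy_ms: int = 0
    fault: bool = False

    def cycle(self, ch_a: bool, ch_b: bool, cycle_ms: int) -> bool:
        """Call once per program cycle; returns the safe input value (0 = safe state)."""
        if ch_a != ch_b:
            self.discrepancy_ms += cycle_ms
            if self.discrepancy_ms > self.max_discrepancy_ms:
                self.fault = True          # latched until the application resets it
        else:
            self.discrepancy_ms = 0
        if self.fault:
            return False
        return ch_a and ch_b               # 1 only when both channels confirm it
```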

Readback outputs are internally set up as shown in the block diagram of the original manual. The block diagram shows:

Wire break

A wire break detection is made via the input channel. If the output is blocked, HIGH (logic 1) is read in because the resistor R_i pulls the connection to HIGH potential (VBB). Without the wire break the low-ohmic load (R_L < 10 kΩ) would force LOW (logic 0). The error bit in the system flag byte BREAK_... for the corresponding output is only set in the state Output OFF.

Flag byte      Output addresses       Error bits
BREAK_Q1Q2     %QX0.0...%QX0.7        %IX0.120...%IX0.127
BREAK_Q3       %QX0.8...%QX0.15       %IX0.128...%IX0.135
BREAK_Q4       %QX0.16...%QX0.23      %IX0.136...%IX0.143

Short

The short to ground can also be detected via the readback channel. If the output is switched on, LOW (logic 0) is read in. The error bit in the system flag byte SHORT_... for the corresponding output is only set in the state Output ON.

Flag byte      Output addresses       Error bits
SHORT_Q1Q2     %QX0.0...%QX0.7        %IX0.96...%IX0.103
SHORT_Q3       %QX0.8...%QX0.15       %IX0.104...%IX0.111
SHORT_Q4       %QX0.16...%QX0.23      %IX0.112...%IX0.119

In the case of a short/overload the output transistor switches off automatically. For reasons of safety it does not switch on again automatically. It must therefore first be deactivated via the application software and then switched on again.

Monitoring for multiple connections

Depending on the result of the risk analysis of the application, the outputs must be additionally tested for multiple connection of two or more outputs to a given actuator, undesired and unallowed direct connection of the supply voltage to a given actuator, and short to the supply voltage. To do so, a short switch-off pulse (100-200 µs) is automatically applied to the monitored outputs (readback outputs) one after the other by the operating system of the controller. It is read back and evaluated by the integrated diagnostic channels. This diagnostic test is carried out cyclically (approx. every 30 s) during the whole controller test and monitoring. In addition, this diagnostic test also detects the wire break in the case of an active output (extension to the normal diagnosis). A fault detected by the diagnostic test is indicated by the error bit ERROR_OUTPUTBLANKING. By means of the more extensive diagnosis (see above) the exact fault can be located.

To activate the diagnostic test the corresponding bit in the system flag byte CHECK_... must be set.

Flag byte      Output addresses
CHECK_Q1Q2     %QX0.0...%QX0.7
CHECK_Q3       %QX0.8...%QX0.15
CHECK_Q4       %QX0.16...%QX0.23

If one of the above errors is detected, all (!) outputs and the safety relay are immediately switched off. Also, the LED on the controller module passes into the state red/flashing (error) and the error bit ERROR_OUTPUTBLANKING is set.

Second switch-off way

Applications to control category 2 (and higher) require a second switch-off way if the dangerous failure is not signalled in time (warning message, alarm, display etc.). For this purpose the controller ecomat R 360 has an additional relay. Outputs which are switched off via the safety relay and provide full diagnostic capability are identified in the configuration diagrams by the designation "readback channel" ("R") and the reference to the relay contact.

Testing and monitoring

In these applications the outputs, as described above, need to be tested and monitored at all times (short circuit, wire break, short against the supply voltage and multiple connection of two or more outputs to a given actuator as well as undesired and unallowed direct connection of the supply voltage). The monitoring functions of the operating system (interruption, short to GND/supply voltage and multiple connection of two or more outputs to a given actuator as well as undesired and unallowed direct connection of the supply voltage), which can be activated via the user software, have to be used and evaluated in the user software, which has to respond appropriately to errors.

The analysis of the safety system has to show if an output working as a safety-relevant switch-off way has to be redundant or if monitoring and testing as described above are sufficient. Furthermore, the analysis has to check if in the case of an error switching off via the internal relay is sufficient or if a second output (electrical or hydraulic) needs to be used for redundant switching off. If e.g. a cable loom to an external valve has no supply cable or if a short to GND is harmless from a safety point of view, switching off the output via the internal relay is sufficient.

(Program example: figure in the original manual)
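How the readback diagnosis of section 2.4 behaves from the application's point of view, as an added Python model written for this page (not ifm code and not the manual's program example). The flag-byte names and address ranges come from the tables above; the Wiring model of the attached actuator, the class layout and the simplification that only active outputs are blanked are constructions of this example.

```python
from dataclasses import dataclass

# Address mapping from the flag-byte tables in section 2.4:
# (first output, last output, SHORT_ error-bit base, BREAK_ error-bit base, group suffix)
FLAG_GROUPS = (
    (0, 7, 96, 120, "Q1Q2"),
    (8, 15, 104, 128, "Q3"),
    (16, 23, 112, 136, "Q4"),
)


def error_bit(kind, q):
    """%IX0.<n> address of the SHORT_ or BREAK_ error bit belonging to output %QX0.<q>."""
    for first, last, short_base, break_base, _ in FLAG_GROUPS:
        if first <= q <= last:
            base = short_base if kind == "SHORT" else break_base
            return f"%IX0.{base + q - first}"
    raise ValueError(f"%QX0.{q} is not a readback output")


def flag_byte(kind, q):
    """Name of the system flag byte (e.g. BREAK_Q3) that carries output %QX0.<q>."""
    for first, last, _, _, suffix in FLAG_GROUPS:
        if first <= q <= last:
            return f"{kind}_{suffix}"
    raise ValueError(f"%QX0.{q} is not a readback output")


@dataclass
class Wiring:
    """Constructed model of what is attached to one output (not part of the manual)."""
    load_connected: bool = True
    short_to_gnd: bool = False
    foreign_supply: bool = False   # actuator also fed by another output or directly by VBB

    def readback(self, driver_on):
        """Level seen on the readback channel for a given driver state."""
        if driver_on:
            return 0 if self.short_to_gnd else 1
        if self.foreign_supply or not self.load_connected:
            return 1        # R_i pulls an open or foreign-fed connection up to VBB
        return 0            # the low-ohmic load (R_L < 10 kOhm) forces LOW


@dataclass
class ReadbackOutput:
    q: int
    wiring: Wiring
    check: bool = False     # CHECK_xx bit set: output takes part in the blanking test
    commanded: bool = False
    tripped: bool = False   # transistor switched itself off after a short/overload
    break_flag: bool = False
    short_flag: bool = False

    @property
    def driver_on(self):
        return self.commanded and not self.tripped

    def command(self, on):
        """Application write to %QX0.<q>. Per section 2.4 a tripped output does not
        come back by itself: it must first be deactivated, then switched on again."""
        if not on:
            self.tripped = False
        self.commanded = on

    def diagnose(self):
        """Normal cyclic diagnosis: BREAK_ is only evaluated with the output OFF,
        SHORT_ only with the output ON."""
        level = self.wiring.readback(self.driver_on)
        if self.driver_on and level == 0:
            self.short_flag = True
            self.tripped = True
        elif not self.driver_on and level == 1:
            self.break_flag = True


def output_blanking_test(outputs):
    """The cyclic (approx. every 30 s) diagnostic test: each active output with
    CHECK_xx set is switched off for a 100-200 us pulse and read back. HIGH during
    the pulse means the actuator is still fed (multiple connection, direct supply)
    or the wire is broken on an active output. Returns ERROR_OUTPUTBLANKING; when
    it is set, all outputs (and, on the real controller, the safety relay) go off."""
    error = any(out.check and out.driver_on and out.wiring.readback(False) == 1
                for out in outputs)
    if error:
        for out in outputs:
            out.command(False)
    return error
```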

Use of the diagnostic test

For reasons of compatibility the diagnostic test (CHECK_xx) can be activated for all outputs. But this only makes sense when the corresponding readback channel and, if necessary, the relay are available as a second switch-off way.

2.5. PWM outputs

No internal test

Due to the function principle there is no system-internal monitoring and testing for these outputs. Should this be required for reasons of safety, it has to be accomplished via the user program, e.g. by reading back the analog voltage via a voltage channel and the software function FAST_ANALOG.

(Program example: figure in the original manual)

2.6. Program example for the function SAVE_Value_ok

(Program example: figure in the original manual)

2.7. Peculiarities and restrictions

Input test (pin 24)

When outputs are defined as safety-relevant (bits CHECK_xx set) they cannot be used when the test input is active. The test input has to be set when e.g. the software is to be loaded into the controller. The outputs are only available again when the test input is deactivated and the controller is reset (switching off and on).

Use of the CAN bus

In the existing hardware version the CAN bus must not be used for safety-relevant applications. At present a CANopen profile for safety-oriented applications is in development at the user organisation "CAN in Automation" (CiA). As soon as it has been released and integrated, "safe" data can be transferred via CAN.

3. Safety concept of the software

3.1. Program and system monitoring

System test

All software parts in the controller are monitored by the operating system and the internal additional processor as far as possible. This way errors, e.g. a time-out in the case of an improper program run, can be detected and the user can react accordingly. When the controller is switched on, all hardware and software parts of the controller are tested. These internal tests and monitoring processes are repeated at regular intervals, with the time to first fault of 30 s being kept. Independent of the user program all function parts of the controller incl. the outputs (see chapter 2.4) are tested.

Structure of the software

The software in the controller is divided into the parts operating system and user software. They are monitored cyclically with regard to faultless operation, individually and as a total, by means of check sums. The check sums are generated automatically and are attached to the software parts.

Operating system

The user receives the operating system together with the programming system. It has to be loaded once (normal case). The numbers of the operating system and of the hardware have to match, e.g. CR7016_H.H86 -> CR7016.

User program

The user program or application program is created in situ. Its structure has to correspond to the required safety class. It has to be loaded into the controller after the operating system. When structuring the application program, make sure that the versions of the operating system (*.H86), the controller configuration (*.M66) and the libraries (*.LIB) are identical.

Maximum program cycle time

The maximum cycle time of a user program must not exceed 100 ms. Longer times result in a reaction of the watchdog and thus in a Fatal Error (LED red/permanently on).

3.2. Error messages

The controller reacts to any error detected during the system monitoring. The reaction varies depending on the degree of the error.

Severe error

If a "severe error" is detected, the outputs (and the relay) are switched off. The LED lights red. The application program continues, thus allowing communication via the interfaces, e.g. for troubleshooting.

Severe errors:
- ERROR_TEMPERATURE (overtemperature)
- ERROR_POWER (under/overvoltage)
- ERROR_ANALOG (error in analog conversion)
- ERROR_IO
- BREAK_Q1Q2_NEW, BREAK_Q3_NEW, BREAK_Q4_NEW, SHORT_Q1Q2_NEW, SHORT_Q3_NEW, SHORT_Q4_NEW (wire break, short circuit, multiple connection)
- ERROR_OUTPUTBLANKING

When a severe error occurs, no further diagnostics can be carried out (wire break, short circuit). That is why e.g. all error bits and the outputs have to be reset and further error analysis has to be carried out in an error routine in the user program.

Fatal error

When a "fatal error" occurs the controller is stopped completely. All outputs are switched off, the processing of the software is stopped and communication is no longer possible.

Fatal errors:
- ERROR_MEMORY (memory error)
- ERROR_ADDRESS (addressing error)
- ERROR_CPU (CPU error)
- ERROR_CO_CPU (error in the co-processor)
- ERROR_INSTRUCTION_TIME (processing time error)
- ERROR_TIME_BASE (error in the internal system time)
- ERROR_RELAIS (error in relay triggering)
- ERROR_DATA (faulty system data)

If the test input (pin 24) is active, a "fatal error" is treated like a "severe error", which means that the outputs are switched off and the LED lights red. Communication for further error diagnostics is possible as the application program continues running.

CAN error

Since the CAN bus can at present not be used for safety-relevant tasks, CAN errors are only displayed to the programmer, who is responsible for processing them. For further information refer to the system manual ecomat R 360.

3.3. Program creation and download

The user program is created with the programming system ecolog 100 plus (version 1.6) and is loaded into the controller several times during the program development. Before each download the generated code is translated again, which means that each time a new check sum is created. This procedure is permissible up to the release of the software. For the series production of the machine or for service a uniform software and check sum have to be ensured.

Download file

For each translation process the programming software generates an additional Intel hex file which is stored in the current project directory \ECOPLUS under the name name_of_project_file.h86. This file has to be saved after the application software has been released. From this moment the application software should only be loaded into the controllers from this file. The H86 file is automatically assigned a check sum during translation.
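An offline check of a released .h86 file against its archived copy, in the spirit of the download-file rule above and the archive/CRC comparison required in chapter 4. This is an added Python example, not ifm's DOWNLOADER: the sample records are constructed, and CRC-32 over the image is this example's choice, since the manual does not name the check-sum algorithm it uses.

```python
import binascii

# Constructed sample release file in Intel HEX format (not a real ecomat .h86 image):
# extended linear address record, two data records, end-of-file record.
RELEASED_H86 = """\
:020000040000FA
:08000000DEADBEEF01020304B6
:04000800A5A5A5A560
:00000001FF
"""

# Same image with one data byte changed and the record checksum recomputed, i.e.
# what a rebuild after a source change (or a deliberate edit) looks like on disk.
MODIFIED_H86 = RELEASED_H86.replace(":08000000DEADBEEF01020304B6",
                                    ":08000000DEADBEEF01020305B5")


def parse_intel_hex(text):
    """Parse Intel HEX records into {absolute address: byte}, verifying each record's
    own checksum (the sum of all record bytes including the checksum is 0 mod 256)."""
    image, ext_base = {}, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record must start with ':'")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5 or len(raw) != raw[0] + 5:
            raise ValueError(f"line {lineno}: record length does not match byte count")
        if sum(raw) & 0xFF:
            raise ValueError(f"line {lineno}: record checksum mismatch")
        addr, rtype, data = int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1]
        if rtype == 0x00:                      # data record
            for i, b in enumerate(data):
                image[ext_base + addr + i] = b
        elif rtype == 0x01:                    # end of file
            return image
        elif rtype == 0x02:                    # extended segment address
            ext_base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                    # extended linear address
            ext_base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    raise ValueError("missing end-of-file record")


def file_is_wellformed(text):
    """True if every record parses and its checksum verifies; the record checksum only
    catches transmission damage, not an intentional change with a recomputed checksum."""
    try:
        parse_intel_hex(text)
        return True
    except ValueError:
        return False


def image_crc(image):
    """CRC-32 over the linear image; gaps read as 0xFF like erased flash.
    CRC-32 is an assumption of this example; the manual does not state the algorithm."""
    if not image:
        return 0
    lo, hi = min(image), max(image)
    blob = bytes(image.get(a, 0xFF) for a in range(lo, hi + 1))
    return binascii.crc32(blob) & 0xFFFFFFFF


def release_check(candidate_text, archived_text):
    """Compare the file about to be downloaded with the archived released file.
    Returns (ok, candidate_crc, archived_crc); both files must parse cleanly."""
    candidate_crc = image_crc(parse_intel_hex(candidate_text))
    archived_crc = image_crc(parse_intel_hex(archived_text))
    return candidate_crc == archived_crc, candidate_crc, archived_crc
```

Only a file whose image CRC equals the archived release's CRC should reach the DOWNLOADER; a well-formed file with a different CRC is a changed build that needs renewed certification.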

A download program (programme DOWNLOADER) is available for downloading the HEX file. This program has to be used to ensure a uniform software level. Changes in the original software automatically generate a new Intel hex file which may only be loaded into the safety-oriented controllers after renewed certification.

3.4. LED functions

The following operating states of the controller are displayed via the integrated status LED.

LED colour   Flashing freq.    Description
orange       permanently on    reset checks
red          permanently on    Fatal Error
green        5 Hz              no operating system loaded
green        0.5 Hz            Run, CANopen: PREOPERATIONAL
green        2.0 Hz            Run, CANopen: OPERATIONAL
green        permanently on    Stop, CANopen: PREPARED
red          0.5 Hz            Run with error (CANopen: PREOPERATIONAL)
red          2.0 Hz            Run with error (CANopen: OPERATIONAL)
red          permanently on    Stop with error

CANopen operating states

The operating states STOP (PREPARED) and RUN (PREOPERATIONAL/OPERATIONAL) can be changed by the programming system or the NMT master. In the state RUN the user program is processed. However, the controller only takes part in the CANopen communication when it is set in the state OPERATIONAL. To identify the current operating state in the application program the user can evaluate the flag COP_PREOPERATIONAL. The flag is TRUE in the state PREOPERATIONAL, otherwise it is FALSE.

4. Use in control category 3/requirement class 4 applications

The mobile controller ecomat R 360 is a one-channel controller which meets the requirements for control category 3 and requirement class 4 without any restrictions. Configuration and use in safety-oriented applications should only be carried out based on a risk analysis. In addition, the following points have to be observed:

General

The de-energized state of an output with safety function is the safe state (L-signal). This state has to be accomplished via 2 separate and independent switch-off ways by using tested trip actuators.

Connection of inputs and outputs

Safety-oriented inputs and outputs have to be used redundantly. This includes the redundant connection of signal transmitters to the inputs and the use of redundant outputs as a second way of switching off in the application (e.g. hydraulic valves and pumps) (see chapter 2).

Sensors / signal transmitters

The signal transmitters have to be connected to two different input groups. If the outputs are not tested, they have to be connected in the same way.

Diagnosis for outputs

Digital outputs have to be monitored via the diagnostic function. If a signal changes (on/off) less than once per hour, the outputs need to be tested additionally.

Testing of outputs

Only use tested outputs (see chapter 2.4).

Program structure

Testing of redundant inputs and outputs for equality and, if required, the automatic testing have to be realised in the user program. Furthermore, the dynamics of the input signals have to be observed. Monitoring for equality only uncovers errors when the input signals change at sufficiently short intervals. In the case of static signals it has to be assessed if e.g. further measures are required (see chapter 2.4).

In the program structure it has to be ensured that safety functions are separated from pure control functions, i.e. that they are realised in their own program and function blocks. This prevents problems in the safe program parts, and these parts can be checked and tested more easily.

Safety consideration

On the basis of the monitoring functions of the above points realised in the operating system it has to be assessed if process-dependent safety functions to requirement class 4 or control category 3 are provided in accordance with the safety system and the user software.

Fault tolerance time

In this context the fault tolerance time in particular needs to be assessed. This is the maximum time which may pass in the application between the occurrence of an error and the safe state without any danger for persons. The maximum cycle time of the user program (in the most unfavourable case 100 ms) and the possible delay and response times of the trip actuators need to be taken into account. The resulting total time has to be shorter than the fault tolerance time of the application.

Time to first fault

The time to first fault also has to be observed. The controller is tested by the operating system via internal monitoring and test routines at intervals of max. 30 s. This "test cycle time" has to be shorter than the statistical time to first fault for the application. The time is reduced when the cycle time is <100 ms (e.g. 10 ms <> time to first fault 3 s).

Programming

The user software always has to be created by observing all information and notes in the system manual.

Operating system detection

The number of the operating system has to match the article number of the control module (e.g. CR7016_H.H86 -> CR7016). It also has to be ensured that the software parts operating system (*.H86), control configuration (*.M66) and libraries (*.LIB) have the same version identification (e.g. CRxxxx_H).

Program structure

The safety-relevant part has to be clearly separated from the non-safety-relevant part of the user program. Variables and flags in the safety-relevant part have to have a clear identification, e.g. the prefix S_.... Furthermore, it has to be proved that the safety-relevant part of the software is not influenced by the other program parts.

Function check of the software

All parts of the application software have to undergo a complete function check.

Program changes

After the application software has been approved, no more changes are allowed. The software should only be used with an unchanged operating system software. The only file allowed to be loaded into the control modules via the download software is the HEX file name_of_project_file.h86. If changes are made, the complete software needs to be checked again.

Documentation

In addition to a print-out, the application software has to be archived with write protection in two copies (e.g. diskette, CD). The documentation has to clearly show the version of the operating system used, the programming software and the hardware used. Via the download software the version of the application software and the operating system can, if required, be compared with the archived software. This includes comparison of the CRC code.


5. Wiring

5.1. CR7016

5.2. CR7017

5.3. CR7501

5.4. CR7502