SITRAIN Training for Automation and Industrial Solutions
Page 1
ST-PPDS Safety Concept: Distributed Safety
Conventional Safety Technology
One standard PLC with distributed I/O (ET200S via PROFIBUS DP) controls the standard functions of a plant; a safety relay controls the dangerous machine function.
Functional Control
The dangerous machine function is switched via the two forced contactors K1 and K2, which are controlled in a safety-oriented manner by a safety relay. The safety relay receives the necessary On/Off control signals for the functional On and Off via the wiring from a digital standard output of the standard PLC, which for this purpose analyzes the corresponding signals from the plant (among other things, those of the operator panel) in the standard program.
Protective Functions
In order to protect the operator, the dangerous machine function is equipped with an Emergency Stop command device and an isolating protective device in the form of a safety door. As soon as a wiring error is detected, the Emergency Stop is pressed, or the safety door is opened, the safety relay – independent of the control signals of the standard PLC – shuts down the motor via the contactors K1 and K2 as per Stop Category 0 according to EN 60204-1. Before every renewed switch-on of the contactors, the safety relay checks whether the contacts of the Emergency Stop and the safety door are closed and whether the contactors have dropped out, i.e. their feedback contacts are closed.
Wiring
The wiring and architecture of the safety functions are implemented according to EN 61508 in SIL 3 or according to EN 954 in Cat.4: The Emergency Stop command device and the position switch of the safety door are wired via two channels to the safety relay. To control the dangerous machine function, two contactors connected in series are used, whose feedback or mirror contacts return a feedback signal to the safety relay.
Safety Integrated
One PLC with failsafe CPU (F-CPU) and distributed I/O stations (ET200S via PROFIBUS DP) controls the standard as well as the safety functions.
Functional Control
The dangerous machine function is switched via the two forced contactors K1 and K2, which are now no longer controlled in a safety-oriented manner by the safety relay but rather by the safety program of the F-CPU in conjunction with safety-related input and output modules. The conditions for the functional On and Off are still evaluated by the standard program, which informs the safety program through variables (such as memory bits) when the contactors are to be switched on and off.
Protective Functions
The previously described protective functions are no longer handled by the safety relay but rather by the safety program of the F-CPU and the safety-related input and output modules (F-DI/DO): As soon as a wiring error is detected, the Emergency Stop is pressed, or the safety door is opened, the motor, i.e. the contactors K1 and K2, must be shut down as per Stop Category 0 according to EN 60204-1 – independent of the control signals of the standard program. The wire monitoring of the safety-related actuators and sensors now takes place in the F-DI/DO modules.
Wiring
The wiring and architecture of the protective functions according to SIL 3 (EN 62061) / Cat.4 (EN 954) are unchanged in principle: The Emergency Stop command device and the position switch of the safety door are still wired via two channels, however no longer to a safety relay but to an F-DI module of the safety-related ET200S station. To switch the dangerous machine function, two contactors connected in series are still used. They are now controlled by an F-DO module, and their feedback or mirror contacts are now evaluated by the safety program.
F-CPU
As a rule, it is sufficient if the F-CPU used fulfills at least the same requirements as the previously used standard CPU with regard to performance data or performance profile (including communication options). The most important characteristic values are the CPU processing speed, from which the cycle time and thus the response time of the automation system result, and the size of the work memory, which must accommodate the execution-related parts of the standard and safety programs.
F-DI/DO
Standard and safety-related input and output modules (F-DI/DO) can be operated together in mixed configurations. The F-DI/DO modules required in place of the safety relay could also be integrated in an already existing ET200S station. All already used I/O modules including their wiring can continue to be used unchanged. If the dangerous function of the plant is implemented in SIL3/Cat.4, then the F-DI and the F-DO modules must be inserted into a separate potential group or must be isolated from the standard modules by an additional power module (PM) (see slide).
PROFIsafe Communication
The safety-related communication between F-CPU and the F-DI/DO modules using PROFIsafe is integrated in the failsafe modules. It is executed automatically and does not have to be programmed – regardless of whether the F-DI/DO modules are used centrally or distributed via PROFIBUS or PROFINET. Already configured standard communication remains unaffected by the safety-related communication via PROFIsafe.
Libraries
S7 Distributed Safety Library: Library with prefabricated blocks that are approved by TÜV for controlling typical, safety-related functions
Achievable Safety Classes
1v1 – Evaluation
When F-DI modules are used, the corresponding safety class is achieved through
• internal test switching
• the external sensor/encoder wiring
• the sensor/encoder quality or "characteristic safety values" (e.g. proof test interval) of the sensor/encoder used according to EN 62061
For 1v1 evaluation, there is one sensor/encoder, which is connected to the F-DI module via one channel. If the sensor/encoder quality is less than that of the required safety class, the sensor/encoder must be used redundantly and connected via two channels.
2v2 – Evaluation
For 2v2 evaluation, two input channels are occupied
• through two 1-channel sensors/encoders, or
• through one 2-channel sensor/encoder
The input signals are compared for equality (equivalence) or non-equality (non-equivalence) (-> discrepancy analysis).
ET 200S
The ET 200S distributed I/O system is a DP-slave/IO-device on PROFIBUS DP/PROFINET IO that can contain standard ET 200S modules as well as fail-safe modules. You can set up the PROFIBUS DP/PROFINET IO lines with copper cable, with fiber-optic cable or with WLAN (S7 Distributed Safety as of V5.4). Even a design with fail-safe motor starters and frequency converters is possible.
F-DI / F-DO Fail-safe Modules
The basic difference between fail-safe modules and standard ET 200S modules is that fail-safe modules are designed internally with two channels. The two integrated processors monitor each other, automatically test the input and output switching and transfer the F-module to a safe state in case of failure. Fail-safe digital input modules (F-DI) acquire the signal states from safety-related encoders and send corresponding safety message frames to the F-CPU. Fail-safe digital output modules (F-DO) are suitable for safety-related switch-off operations with short-circuit and cross-circuit monitoring up to the actuator. The F-CPU communicates with the fail-safe modules over the safety-related bus profile PROFIsafe.
Power Modules / Potential Groups
Power modules are used for the load voltage supply of potential groups. Potential groups in which F-DI/DO modules are used must be supplied by selected standard power modules (see slide). With fail-safe power modules, you can economically implement the safety-related switching off of the load voltage of standard output modules up to Cat.3 / SIL2. A new potential group always begins with a power module. Standard and safety-related modules can be used
• in combination within a potential group for applications up to SIL2 / Cat.3
• in separate potential groups for applications SIL3 / Cat.4
CPU Password
As with standard CPUs, STEP7 queries for the assigned password as soon as the user tries to access the CPU online (for example, to download a block into the CPU). The assignment is required to activate the option "CPU contains safety program".
CPU Contains Safety Program
If "CPU contains safety program" is not activated, no safety program can be downloaded into the CPU later on! This option is therefore absolutely necessary to operate the CPU in safety mode.
Process Mode
Test functions such as "Monitoring" or "Monitor/control variable" are restricted so that the set permissible cycle time extension cannot be exceeded. Testing using breakpoints and step-by-step program execution cannot be performed.
Test Mode
All test functions can be used without restrictions, even if they cause greater cycle time extensions.
Safety Mode can be Deactivated
If the F-CPU executes the safety program in safety mode, all safety mechanisms for error detection are activated. In this state, the safety program cannot be changed during operation of the CPU (in RUN). The safety mode of the F-CPU can be temporarily switched off and then back on again. The "deactivated safety mode" enables the safety program to be tested online and changed as needed while the CPU is in RUN mode. Switching back into safety mode is only possible by changing the operating mode of the CPU from STOP to RUN.
Basis for PROFIsafe Addresses
PROFIsafe addresses are assigned automatically and uniquely identify source and destination. The "Basis for PROFIsafe addresses" can be set in increments of 1000 and is practical if several DP master systems or PROFINET IO systems are operated in a network.
F-DB / F-FB
When compiling the safety program, F-function and F-data blocks are automatically added to the function and data blocks created by the user. Their number range can be set here. We recommend that the number range for the automatically generated F-blocks is defined in the upper end of the range possible for the respective CPU used (see CPU performance data) so that the lower range remains free for the user-defined blocks.
General
The selected F-DI module supports PROFIsafe V2, which means that this module can be used in PROFIBUS as well as in PROFINET networks.
Addresses of the Inputs and Outputs
The addresses of fail-safe input and output modules can be set freely, just as with standard modules. In addition to the pure input and output user data, the fail-safe input and output modules also occupy additional bytes in the process images for handling the safety-related PROFIsafe communication. An F-DI module therefore also occupies bytes in the process image of outputs, and an F-DO module also occupies bytes in the process image of inputs.
F-Parameters
In the "F-Parameters" tab, settings are made that concern the fail-safe communication of the module with the F-CPU.
F_Source and F_Destination Address
are the PROFIsafe addresses and are used to uniquely identify the source (F-CPU) and the destination (F-module). The PROFIsafe addresses must be unique in the station and throughout the network. To prevent incorrect parameter assignment, the F_destination_address is automatically assigned. When the F_destination_address is changed manually, its station-side uniqueness is checked automatically, but not its network-wide uniqueness! It is up to the user to ensure this!
DIP Switch Setting
corresponds to the F_destination_address in binary representation. The address DIP switch setting of the module must match the bit pattern shown here. The address DIP switch of the F-module must therefore be set PRIOR TO the installation of the F-module.
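The relation between F_destination_address and DIP switch setting, together with the network-wide uniqueness check that the text leaves to the user, as an added Python example (not STEP 7 or Siemens code); it assumes 10 address DIP switches (switches 9..0, as in the module dialog) and uses constructed station and module names around the exercise addresses 200 and 199.

```python
"""F_destination_address checks for an S7 Distributed Safety hardware configuration.

Added example, not STEP 7 or Siemens code. It models two statements from the
text: the address DIP switch setting of an F-module is the F_destination_address
in binary representation, and STEP 7 checks a manually changed address for
uniqueness within the station only, so network-wide uniqueness is left to the user.
"""
from typing import Dict, List, Tuple

# Assumption: 10 address DIP switches, numbered 9..0 as in the module dialog,
# so representable addresses are 1 .. 2**10 - 1.
DIP_SWITCHES = 10


def dip_pattern(f_dest_address: int) -> str:
    """Return the DIP switch setting for an F_destination_address, switch 9 first."""
    if not 1 <= f_dest_address < 2 ** DIP_SWITCHES:
        raise ValueError(
            f"F_destination_address {f_dest_address} does not fit {DIP_SWITCHES} switches")
    return format(f_dest_address, f"0{DIP_SWITCHES}b")


def dip_to_address(pattern: str) -> int:
    """Inverse of dip_pattern: read the address back from a switch pattern (switch 9 first)."""
    if len(pattern) != DIP_SWITCHES or set(pattern) - {"0", "1"}:
        raise ValueError(f"expected {DIP_SWITCHES} switch positions of 0/1, got {pattern!r}")
    return int(pattern, 2)


# Station name -> list of (module name, F_destination_address)
Config = Dict[str, List[Tuple[str, int]]]


def check_network_uniqueness(config: Config) -> List[str]:
    """Report every F_destination_address used more than once anywhere in the network.

    STEP 7 itself only flags duplicates inside one station; duplicates between
    stations are exactly the case the text says the user has to catch.
    """
    first_use: Dict[int, Tuple[str, str]] = {}
    findings: List[str] = []
    for station, modules in config.items():
        for module, addr in modules:
            if addr in first_use:
                other_station, other_module = first_use[addr]
                scope = "station" if other_station == station else "network"
                findings.append(
                    f"F_destination_address {addr}: {station}/{module} duplicates "
                    f"{other_station}/{other_module} ({scope}-wide)")
            else:
                first_use[addr] = (station, module)
    return findings


# Constructed configuration: the exercise addresses 200 (F-DI) and 199 (F-DO) from the
# text, plus a second ET 200S station that re-uses 200. That is a network-wide
# duplicate, which STEP 7 would not flag.
SAMPLE_CONFIG: Config = {
    "ET200S_1": [("F-DI 4/8", 200), ("F-DO 4", 199)],
    "ET200S_2": [("F-DI 4/8", 200), ("F-DO 4", 198)],
}

if __name__ == "__main__":
    print(dip_pattern(200), dip_pattern(199))
    for finding in check_network_uniqueness(SAMPLE_CONFIG):
        print(finding)
```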
F-Monitoring Time (ms)
…is the PROFIsafe monitoring time for the safety-related communication between the F-CPU and F-I/O. If the F-I/O does not receive a valid safety message frame from the F-CPU within a parameterizable monitoring time, the F-module passivates itself by means of a "communication error". The F-monitoring time should be long enough so that uncritical message frame delays are tolerated, but short enough so that in the event of an error the response is as quick as required by the control process. You will find more information on determining the F-monitoring time in the chapter "Configuring the Monitoring Times".
Behavior at Discrepancy
The input signals are compared for equivalence or non-equivalence (-> discrepancy analysis). In the event of a discrepancy (different levels when evaluating for equivalence, or identical levels when evaluating for non-equivalence), a discrepancy time is started. If the discrepancy exists longer than the set discrepancy time, this is reported as an error and the module is passivated.
Discrepancy Time
The behavior at discrepancy is only relevant during the discrepancy time! If the discrepancy still exists after the discrepancy time has elapsed, the module recognizes this as an error and signals (as always in the event of an error) the value "0" for the affected channel to the F-CPU. Two module channel response settings are possible during the discrepancy time:

"Supply last valid value"
The last valid value prior to the occurrence of the discrepancy (old value) is made available to the safety program of the F-CPU as soon as a discrepancy between the signals of the two affected input channels is determined. This value remains available until the discrepancy is cleared, or until the discrepancy time has expired and a discrepancy error is detected. After the discrepancy time has elapsed, if a discrepancy error is detected, the value "0" is signaled in any case to the safety program of the CPU!
Attention: Since a discrepancy error is only detected after the discrepancy time has elapsed, the response time of the controller is prolonged. If, for safety reasons, very fast responses by the PLC are required, the discrepancy time should not be set longer than necessary.

"Supply value 0"
Since, with this setting, the "safe" value "0" is signaled to the safety program of the F-CPU during the discrepancy time, the response time of the PLC is not prolonged. This is because the value "0" is already the value that is signaled to the CPU anyway in the event of an error (that is, after the discrepancy time has elapsed).
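The discrepancy evaluation and the two behaviors at discrepancy, as an added Python model (not Siemens module firmware): the sample trace of a two-channel safety door switch is constructed, the 10 ms sampling is an assumption, and taking channel 0 as the process value is an assumption. It shows why "Supply last valid value" lengthens the response time by the discrepancy time while "Supply value 0" does not.

```python
"""Discrepancy analysis of a two-channel (2v2) F-DI input pair, sampled every 10 ms.

Added illustration, not Siemens module firmware. It models the two parameters
described above: the discrepancy time and the behavior at discrepancy
("Supply last valid value" vs. "Supply value 0"), including passivation of the
channel pair once the discrepancy outlasts the discrepancy time.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DiscrepancyEvaluator:
    discrepancy_time_ms: int            # parameterized discrepancy time
    supply_last_valid: bool = True      # True: "Supply last valid value"; False: "Supply value 0"
    equivalent: bool = True             # True: evaluate for equivalence; False: for non-equivalence
    passivated: bool = field(default=False, init=False)
    _last_valid: int = field(default=0, init=False)
    _discrepancy_since: Optional[int] = field(default=None, init=False)

    def step(self, t_ms: int, ch0: int, ch1: int) -> int:
        """Process one sample and return the value signaled to the safety program."""
        if self.passivated:
            return 0                    # after a discrepancy error the pair stays at the safe value 0
        agree = (ch0 == ch1) if self.equivalent else (ch0 != ch1)
        if agree:
            self._discrepancy_since = None
            self._last_valid = ch0      # assumption: channel 0 is the process signal
            return self._last_valid
        if self._discrepancy_since is None:
            self._discrepancy_since = t_ms          # discrepancy starts, discrepancy time starts running
        if t_ms - self._discrepancy_since > self.discrepancy_time_ms:
            self.passivated = True                  # discrepancy error: module passivates, value 0
            return 0
        # still within the discrepancy time: the behavior at discrepancy decides the value
        return self._last_valid if self.supply_last_valid else 0


Trace = List[Tuple[int, int, int]]   # (time in ms, channel 0 level, channel 1 level)


def run(evaluator: DiscrepancyEvaluator, trace: Trace) -> List[int]:
    """Feed a whole trace through one evaluator and collect the values the F-CPU sees."""
    return [evaluator.step(t, a, b) for t, a, b in trace]


# Constructed sample trace for a two-channel safety door switch (equivalence evaluation):
#  t=30..50 : channel 0 opens 20 ms before channel 1 (contact tolerance, inside a 50 ms discrepancy time)
#  t=100.. : channel 0 opens but channel 1 stays closed (stuck contact or wiring fault)
SAMPLE_TRACE: Trace = [
    (0, 1, 1), (10, 1, 1), (20, 1, 1),
    (30, 0, 1), (40, 0, 1), (50, 0, 1),
    (60, 0, 0), (70, 0, 0),
    (80, 1, 1), (90, 1, 1),
    (100, 0, 1), (110, 0, 1), (120, 0, 1), (130, 0, 1), (140, 0, 1), (150, 0, 1),
    (160, 0, 1), (170, 1, 1),
]


def compare_settings(discrepancy_time_ms: int = 50) -> dict:
    """Run the same trace with both behaviors at discrepancy."""
    last_valid = DiscrepancyEvaluator(discrepancy_time_ms, supply_last_valid=True)
    value_zero = DiscrepancyEvaluator(discrepancy_time_ms, supply_last_valid=False)
    return {
        "last_valid": run(last_valid, SAMPLE_TRACE),
        "value_0": run(value_zero, SAMPLE_TRACE),
        "last_valid_passivated": last_valid.passivated,
        "value_0_passivated": value_zero.passivated,
    }


def first_zero_at(outputs: List[int], trace: Trace, from_ms: int) -> Optional[int]:
    """Time at which the safety program first sees 0 from from_ms on: the effective response."""
    for (t, _, _), value in zip(trace, outputs):
        if t >= from_ms and value == 0:
            return t
    return None


if __name__ == "__main__":
    result = compare_settings()
    for key in ("last_valid", "value_0"):
        print(key, result[key], "first 0 after fault at t=100:",
              first_zero_at(result[key], SAMPLE_TRACE, 100))
```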
General/Addresses Tabs
The settings to be made in the "General" and "Addresses" tabs are equivalent to those of the standard modules.
Activated
In order to avoid errors, outputs that are not used should be deactivated.
Read-back Time
…is the maximum time after switching off an output during which a read-back signal may still be detected before the error "short-circuit" results in the passivation of the output channel. The set read-back time must be sufficiently long, especially when switching capacitive loads, to permit the discharge of the switched capacitance within the read-back time. The read-back time is also the dark period in switch-off tests: while the output is active, a 0-signal is briefly switched to the output bit in order to check the actuator wiring. A sufficiently slow actuator does not respond to the temporary deactivation of the output and remains switched on.
Diagnostics: Wire Break
If wire break diagnostics is activated, the module passivates itself in the event of a wire break and signals a diagnostic interrupt to the CPU. However, a wire break is only detected if the output channel is switched on at that moment. The wire break diagnostic is not a safety-related test function.
Hell- / Dark Tests
Independent of the wire break diagnostics, the F-DO modules always carry out (cannot be parameterized!) so-called light and dark period tests internally, in which the respective output channel is briefly (<= 1 ms) switched on or off. The actuators connected to the fail-safe outputs should therefore be selected sufficiently slow-acting (possibly use interface relays).
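The read-back time check and the effect of the module's dark test on a fast versus a slow actuator, as an added Python model (not Siemens firmware) over 1 ms samples; the output command trace, the load discharge lags, the read-back times and the actuator drop-out times are constructed values.

```python
"""F-DO read-back time and dark test behavior, modeled over 1 ms samples.

Added illustration, not Siemens firmware. It models the rules given in the text:
a read-back signal still present longer than the read-back time after switch-off
is diagnosed as "short-circuit" and passivates the channel, and the module's
internal dark test briefly (<= 1 ms) switches a commanded-on output off, which
only a sufficiently slow actuator ignores.
"""
from typing import List, Optional


def with_dark_test(command: List[int], at_ms: int, pulse_ms: int = 1) -> List[int]:
    """Physical output level: the commanded level, with the module-internal dark test
    forcing the output off for pulse_ms starting at at_ms while it is commanded on."""
    physical = list(command)
    for t in range(at_ms, min(at_ms + pulse_ms, len(physical))):
        if physical[t] == 1:
            physical[t] = 0
    return physical


def read_back_with_lag(physical: List[int], lag_ms: int) -> List[int]:
    """Read-back seen by the module for healthy wiring: the output level, held at 1 for
    lag_ms after switch-off (models the discharge of a capacitive load)."""
    return [1 if any(physical[max(0, t - lag_ms):t + 1]) else 0 for t in range(len(physical))]


def short_circuit_at(physical: List[int], read_back: List[int],
                     read_back_time_ms: int) -> Optional[int]:
    """Return the sample time at which the module diagnoses "short-circuit" and passivates
    the channel, or None. The error is raised when the read-back is still 1 more than
    read_back_time_ms after the output was switched off."""
    off_since: Optional[int] = None
    for t, (out, rb) in enumerate(zip(physical, read_back)):
        if out == 1:
            off_since = None            # output on again: the read-back timer is reset
            continue
        if off_since is None:
            off_since = t               # output just switched off: read-back time starts
        if rb == 1 and t - off_since > read_back_time_ms:
            return t
    return None


def actuator_states(physical: List[int], drop_out_ms: int) -> List[int]:
    """Relay-like actuator: de-energizes only after its coil has been off for drop_out_ms
    consecutive samples; picks up immediately (simplifying assumption). The trace is
    expected to start with the output on."""
    states, zeros = [], 0
    for level in physical:
        zeros = 0 if level == 1 else zeros + 1
        states.append(0 if zeros >= drop_out_ms else 1)
    return states


# Constructed scenario: output commanded on for 50 ms, then off for 50 ms,
# with one 1 ms dark test pulse at t = 20 ms while the output is on.
COMMAND = [1] * 50 + [0] * 50
PHYSICAL = with_dark_test(COMMAND, at_ms=20)


def scenario(read_back_time_ms: int = 5) -> dict:
    """Run the constructed scenario against a healthy load, a slowly discharging load,
    a real short to the supply voltage, and a slow vs. a fast actuator."""
    healthy = read_back_with_lag(PHYSICAL, lag_ms=3)     # discharges inside the read-back time
    slow_load = read_back_with_lag(PHYSICAL, lag_ms=8)   # discharge exceeds the read-back time
    shorted = [1] * len(PHYSICAL)                        # output shorted to the supply: read-back never drops
    slow_actuator = actuator_states(PHYSICAL, drop_out_ms=10)
    fast_actuator = actuator_states(PHYSICAL, drop_out_ms=1)
    return {
        "healthy": short_circuit_at(PHYSICAL, healthy, read_back_time_ms),
        "slow_load": short_circuit_at(PHYSICAL, slow_load, read_back_time_ms),
        "shorted": short_circuit_at(PHYSICAL, shorted, read_back_time_ms),
        "slow_actuator_during_dark_test": slow_actuator[20],   # stays energized
        "fast_actuator_during_dark_test": fast_actuator[20],   # drops out on the test pulse
        "slow_actuator_off_at": slow_actuator.index(0),        # genuine switch-off is still followed
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

A slowly discharging load looks like a short circuit to a read-back time that is too short; with a longer read-back time (`short_circuit_at(PHYSICAL, read_back_with_lag(PHYSICAL, 8), 10)`) the same load passes.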
F-FC, F-FB
The user can program the required safety functions in the programming languages "F-FBD" and/or "F-LAD". These programming languages basically correspond to the standard FBD/LAD, with a limited instruction set and limited usable data types and address ranges.
F-DBs
Data blocks for storing shared (global) data are also available in the safety program. Safety-related data blocks (F-DBs) are created/changed and used in the program in the same manner as standard DBs. Only the number of usable data types is restricted. Instance data blocks of safety-related FBs (no matter if created by the user or inserted from the Distributed Safety library) are, as in the standard, not edited by the user but generated by STEP7.
SBs
In order to make the user-programmed safety program executable, Distributed Safety generates F-system blocks (SBs) in the form of F-FBs when saving and compiling the hardware configuration as well as when compiling the safety program. These blocks are used for detecting errors and for ensuring the fault reaction so that failures of the F-system generate a safe state. Furthermore they handle communication between the F-CPU (process image) and F-I/O using the PROFIsafe safety protocol.
Shared (global) DB
The "shared DB" is a fail-safe data block (F-DB) that contains shared data of the safety program. The "shared DB" is automatically inserted or expanded when the hardware configuration is saved and compiled. The data of the "shared DB" can be evaluated both in the safety program and in the standard user program.
I/O DB
For every F-I/O, an F-I/O DB is automatically generated when the hardware configuration is compiled. This DB contains variables that describe the state of the respective module (passivation, depassivation capability, diagnostic data, channel information etc.).
F-Program Structure
Structured programming of the safety program is possible just as with the standard program.
Run-time Group
By integrating the "F-Call" into a time interrupt OB, it is ensured that the safety program is executed at defined intervals, which is essential for determining the response times of the safety program and thus for the safety functions in the plant.
F-CALL
Each runtime group is represented by an "F-Call", a function (FC) that is inserted (not programmed!) by the user in the programming language "F-Call" and whose contents are generated by Distributed Safety. In addition to the system blocks automatically generated by Distributed Safety (SBs, F-FBs used for implementing the safety functions, which serve as I/O drivers, contain the diverse redundant logic, etc.), the F-Call block also contains the call of the "program block", which is declared as such (FC or FB) by the user. Invoking the F-Call is therefore tantamount to calling a runtime group of the safety program.
Program Block PB
The "program block" (PB), created by the user in the form of an F-FC or F-FB contains the user program. The user can program his control logic directly in this PB and/or he can use it to invoke other safety-related user or library blocks from Distributed Safety (F-FCs, F-FBs) for program structuring.
Creating F-FC / F-FB
The functions (FCs) or function blocks (FBs) of the safety program are created in exactly the same manner as those of the standard program. When a safety-related creation language is selected, the block is automatically created as a safety-related block.
F-Program Block (F-PB)
The "F-program block" (F-PB) of a runtime group must be programmed as a non-parameterizable F-FC or F-FB. The user can create the safety-related logic directly in the program block, and/or the block can be used for program structuring, calling other safety-related user or library blocks within it. The property that an F-FC or F-FB is to serve as the "program block" is only assigned to this block when the runtime group is created. When the safety program is compiled, the call of the program block is integrated into the F-CALL.
Programming in F-FBD / F-LAD
The editing of fail-safe blocks is carried out exactly as with standard blocks. The programming languages F-FBD and F-LAD basically correspond to the standard FBD/LAD, with a limited instruction set and limited usable data types and address ranges. Programming in statement list (STL) is not possible in a safety-related block.
Editor Settings
Within F-blocks, the Editor marks all non-fail-safe addresses (standard inputs and outputs, bit memories etc.) in color. In the Editor's standard settings, this color is yellow. Safety-related modules such as F-CPUs, however, are also marked in yellow, which very easily leads to confusion. For that reason, it is recommended that you choose a color other than yellow in the Editor Settings to identify non-fail-safe addresses.
Creating F-CALL
The "F-CALL" of a runtime group is inserted by the user as an FC using the programming language "F-CALL", but not edited. Later, when compiling the safety program, Distributed Safety generates the F-Call or the internal F-Call program.
Invoking F-CALL
To guarantee that the safety program is executed continuously at equal intervals, the safety program or the F-CALL of a runtime group is called in a cyclic interrupt OB (e.g. OB35). The call is programmed just as for a standard block. Other standard blocks, in addition to the F-CALL, can also be called in this cyclic interrupt OB.
Creating Runtime Groups
Once all safety-related blocks, including the "F-Call" and the program block of a runtime group, have been created, the safety program can be compiled completely and downloaded to the CPU.
F-Call Block
The block that is to be used as F-Call for the runtime group that is newly created in this dialog can be selected here.
F-Program Block
The F-FC or F-FB that is to serve as the program block (PB) in this runtime group can be selected here. Distributed Safety will integrate the call of the specified F-program block in the F-Call program when the F-Call is generated.
Compile
Once the runtime group has been created, the complete safety program still has to be compiled using the menu command Compile. In the process, Distributed Safety generates further system blocks in the form of F-FBs in accordance with the user safety program. The safety program must be compiled after every change to a safety-related block or to a safety-relevant parameter of an F-module. If the safety program is compiled successfully, it receives a new signature and can be downloaded into the CPU.
Downloading the Safety Program / Safety Mode
All changes or the complete safety program can be downloaded into the CPU. This is only possible when the CPU is in STOP mode. After a consistent safety program has been downloaded into the CPU and a warm restart has subsequently been carried out, the safety mode of the CPU is activated.
The motor is switched on and off via the standard outputs Q8.4 and Q8.5 from the standard program.
Step 1:
Complete the hardware configuration of the existing project to match the test setup. All type numbers must exactly match the test setup. All PROFIBUS addresses must also match the addresses actually set. The PROFIsafe node must also be entered completely in the hardware configuration. The symbol table is already partly filled in and the program uses certain addresses, so make sure the addresses match those entered on the following page. When inserting the fail-safe modules you will be asked for a (new) password. This password protects both the safety hardware modules and the safety blocks in the Blocks folder. In the course we use 300f. Because no fail-safe functions are used yet in this first exercise, the parameters of the fail-safe hardware do not need to be set yet.
Step 2:
Set the addresses for the safety modules as shown in the picture above (4/8 F-DI starts at 10, 4 F-DO starts at 16). Save & compile the hardware configuration.
Step 3:
Download the hardware configuration to the PLC.
Note:
On some setups this configuration may differ slightly from the one above because function modules have been added. Copy the exact configuration of the setup.
Step 1:
Open the properties of the F-CPU and select the "Protection" tab. The F-program can only be activated if "Can be bypassed with password" is checked and a password is entered, or if Write or Write/Read Protection is checked. In the workshop the password "siemens" is used so that all participants can use all setups. With the setting "Can be bypassed with password" the standard program can be changed by anyone and standard addresses can be modified, but changes to standard components that also contain safety components (such as the hardware configuration) can only be downloaded after the password "siemens" has been entered. Changes to the F-program itself and to the hardware configuration of the F-modules require their own password ("300f"). It is also possible to choose a higher protection level, in which the password "siemens" must always be entered to change or even read standard components, but this will not be used in the workshop.
Step 2:
Tick "CPU contains safety program" so that an F-program can be downloaded to the CPU.
The F-application is called from the standard user program via the cyclic interrupt organization block OB35.
Step 3:
Open the "Cyclic Interrupt" tab and set the call interval for OB35 to 50 ms.
Step 4:
Open the properties of the F-DI module in the ET200S. All settings generated by STEP 7 are grayed out and cannot be changed. The F-parameters are the settings that apply to the whole module. Each F-module receives a unique address: expressed in decimal this is the F_dest_address, expressed in binary the DIL switch setting (9..…0). In practice, inserting the modules in HW Config yields a unique code for each module, and the DIL switch code from HW Config is transferred to the actual hardware. In our exercises we use the default addresses; these are already set in the modules so that we do not have to change the DIL switches for every workshop.
Step 5:
Enter F_dest_address 200.
Module parameters
Step 6:
Parameterize the input channels for the emergency stop and the limit switches as they are wired. The picture shows which signal types are used. Set the remaining signals to "not activated". The short-circuit test must be set to cyclic.
Note:
Leave the settings for the other sensors at not activated.
Step 7:
Open the properties of the F-DO module in the ET200S.
F-parameters
All settings generated by STEP 7 are grayed out and cannot be changed.
Step 8:
Enter F_dest_address 199. Then activate channel 0 as shown on the following page.
Step 9:
Save & compile the HW configuration once all required settings have been entered correctly. Then download the HW configuration to the PLC. During compilation an extra window with a progress bar (Initializing safety program) appears while the FBs and DBs belonging to the fail-safe modules are generated. These are then visible in the Blocks folder of the SIMATIC Manager.
Remark:
Downloading the HW configuration is possible. There must be no more hardware fault indications (red LEDs, SF). The standard user program is still functioning. Downloading the fail-safe blocks is pointless at this stage! FBs and DBs for the HW modules have now been generated, but there is no structure for the fail-safe software yet; we build that structure in the next exercise.
The fail-safe program is executed in two parts: the application program, written in FC10 in F-LAD or F-FBD, and the F-system blocks generated from the HW configuration. These come together in the F-Call.
F-Call
In the F-Call the first F-FC of the application (e.g. FC10) is called. This block may in turn call further F-FBs / F-FCs. The watchdog time monitors that the maximum program execution time is not exceeded. The F-Call is an FC in the Blocks folder with the property "F-Call".
OB35
The F-Call itself (e.g. FC1) is called cyclically from OB35. This gives the F-application a constant timing behavior.
Step 10:
In the Blocks folder insert an FC with 'Created in Language: F-Call'. Give it block number FC1 and the symbolic name Faanroep. (Create it, do not open it.)
Step 11:
In the Blocks folder insert an FC with 'Created in Language: F-FBD'. Give it block number FC10 and the symbolic name Fapplicatie.
Step 12:
Create OB35. In it, program a call to F-aanroep (FC1, the F-Call) and save everything.
Objective:
The objective of this exercise is to build a simple emergency stop. For this we use the certified standard block from the F-Library.
Step 13:
Open FC10. Drag the call of F_ESTOP1 (FB215) from the F-Application Blocks (Library Distributed Safety (V1)) into network 1 of FC10 and enter DB215 as the instance DB. Then connect the following parameters:
"SAFETY-NOODSTOP" (I10.1) - E_STOP
"BEVESTIGING" (I1.7) - ACK
"SAFETY_UITGANG_RELAIS" (Q16.0) - Q
Step 14:
Because the conveyor must NOT start running immediately after the EMERGENCY STOP has been acknowledged, we use "SAFETY_UITGANG_RELAIS" (Q16.0) on the RESET input of K1 and K2 to switch off the conveyor motor once the EMERGENCY STOP has been operated. Extend OB1 with this change. Save FC10 (F-APPLICATIE) and OB1 and close both blocks.
Step 14:
Open FC1 (F-aanroep, the F-Call) by double-clicking it. The runtime group dialog opens automatically. Enter FC10 as the F-program block. Accept the settings and accept the runtime group.
Step 15:
Compile and download the safety program (including the standard program).
Step 16:
Test switching the conveyor on and off, and test the operation of the EMERGENCY STOP.
Objective:
The objective of this exercise is to monitor that the safety relays actually switch off (required for SIL 3). If a relay sticks (welded contact), the feedback block registers this and prevents the conveyor motor from being switched on.
Step 1:
Open FC10 and create a temp variable COMMANDO (type Bool).
Step 2:
Drag the call of F_FDBACK (FB216) from the F-Application Blocks (Library Distributed Safety (V1)) into network 2 of FC10 and enter DB216 as its instance DB. Connect output Q of #NOODSTOP to the temp variable COMMANDO. Then connect the following parameters to the FEEDBACK block FB216:
#COMMANDO - ON
I 8.3 - FEEDBACK
F00016_4_F_DO_DC24_24_2A.QBAD - QBAD_FIO
I 1.5 - ACK
T#100MS - FDB_TIME
"SAFETY_UITGANG_RELAIS" (Q16.0) - Q
Step 3:
Test switching the conveyor on and off and the operation of the EMERGENCY STOP again, first without any relay sticking. Then carefully push up the orange (manual operation) tab of one relay and test the operation of the EMERGENCY STOP again.
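To make the behaviour tested in these two exercises (the E-STOP block of Step 13 feeding the feedback block of Step 2 above) visible without a PLC, here is an added simulation in Python. It is not Siemens code and not the certified F_ESTOP1 / F_FDBACK blocks: the cycle time, edge detection, timer and acknowledgement rules are assumptions chosen to reproduce the exercise, and the contactor model (a welded main contact keeps the positively guided mirror contact open) is likewise a simplifying assumption. It shows why the conveyor does not restart on E-STOP release alone, and why a welded contactor is caught by the FDB_TIME check and blocks any restart even after acknowledgement.

```python
"""Discrete-time model of the conveyor safety chain from the exercises:
an emergency-stop block (role of F_ESTOP1, FB215) whose Q feeds the ON input
of a feedback-monitoring block (role of F_FDBACK, FB216), which drives the two
series contactors K1/K2 via "SAFETY_UITGANG_RELAIS" and reads back their
mirror contacts. Added illustration only; all timing, edge and acknowledgement
rules are assumptions, not the certified block semantics."""
from dataclasses import dataclass

CYCLE_MS = 10  # assumed OB35 cycle time; the model is stepped once per cycle


def rising_edge(prev: bool, cur: bool) -> bool:
    return cur and not prev


@dataclass
class EStopMonitor:
    """E_STOP is True while the two-channel circuit is closed (not pressed).
    Q drops as soon as E_STOP opens and only returns after a rising edge on
    ACK with E_STOP closed again; releasing the button restarts nothing."""
    q: bool = False
    _prev_ack: bool = False

    def cycle(self, e_stop: bool, ack: bool) -> bool:
        if not e_stop:
            self.q = False
        elif not self.q and rising_edge(self._prev_ack, ack):
            self.q = True
        self._prev_ack = ack
        return self.q


@dataclass
class FeedbackMonitor:
    """ON is the requested state, FEEDBACK the readback of the series mirror
    contacts (True while K1 and K2 are both dropped out). The readback must
    reach the opposite of Q within FDB_TIME, otherwise ERROR latches and Q is
    forced off until an ACK rising edge arrives with a consistent readback.
    QBAD_FIO (F-DO channel passivated) forces Q off without raising ERROR."""
    fdb_time_ms: int
    q: bool = False
    error: bool = False
    _timer_ms: int = 0
    _prev_ack: bool = False

    def cycle(self, on: bool, feedback: bool, qbad_fio: bool, ack: bool) -> bool:
        ack_edge = rising_edge(self._prev_ack, ack)
        self._prev_ack = ack
        if self.error:
            if ack_edge and feedback:  # only clear once both contactors are dropped out
                self.error = False
                self._timer_ms = 0
            self.q = False
            return self.q
        self.q = on and not qbad_fio
        if feedback == (not self.q):  # readback matches the commanded state
            self._timer_ms = 0
        else:
            self._timer_ms += CYCLE_MS
            if self._timer_ms > self.fdb_time_ms:
                self.error = True  # welded contact or faulty feedback wiring
                self.q = False
        return self.q


@dataclass
class Contactors:
    """K1 and K2 in series, mirror contacts in series. A welded main contact
    keeps that contactor closed after the coil is de-energised, so its mirror
    contact stays open and the readback never returns to True (assumption:
    the contactors react within one cycle)."""
    welded: bool = False
    energized: bool = False

    def readback(self, output: bool) -> bool:
        self.energized = output or self.welded
        return not self.energized


def run_scenario(welded: bool, fdb_time_ms: int = 100) -> dict:
    """Start the conveyor, press and release the E-STOP, then try to restart
    without and with acknowledgement. `welded` welds one contactor while the
    conveyor is running, so it cannot drop out when the E-STOP is pressed."""
    estop, fb, plant = EStopMonitor(), FeedbackMonitor(fdb_time_ms), Contactors()
    readback = plant.readback(False)

    def cycles(e_stop: bool, ack: bool, n: int) -> bool:
        nonlocal readback
        q = False
        for _ in range(n):
            command = estop.cycle(e_stop, ack)           # Q of the E-STOP block -> COMMANDO
            q = fb.cycle(command, readback, False, ack)  # Q of the feedback block -> Q16.0
            readback = plant.readback(q)                 # mirror contacts -> I 8.3 next cycle
        return q

    cycles(True, False, 1)
    cycles(True, True, 1)                                # acknowledge once after power-up
    result = {"started": cycles(True, False, 5)}
    plant.welded = welded
    cycles(False, False, 30)                             # E-STOP pressed for 300 ms
    result["stopped"], result["error"] = not fb.q, fb.error
    result["restart_without_ack"] = cycles(True, False, 5)  # E-STOP released only
    result["restart_after_ack"] = cycles(True, True, 5)     # released plus ACK edge
    return result


def passivation_check(n_cycles: int = 20) -> tuple:
    """QBAD_FIO forces the output off; the readback stays consistent, no ERROR."""
    fb, q = FeedbackMonitor(100), False
    for _ in range(n_cycles):
        q = fb.cycle(on=True, feedback=True, qbad_fio=True, ack=False)
    return q, fb.error


if __name__ == "__main__":
    for welded in (False, True):
        print("welded contact" if welded else "healthy", run_scenario(welded))
    print("passivated", passivation_check())
```

In the healthy run the conveyor stops on E-STOP, stays off on release, and restarts only on the ACK edge; in the welded run the readback never returns within FDB_TIME, ERROR latches and the same ACK edge no longer brings the output back, which is the behaviour Step 3 asks you to observe with the orange tab lifted.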
Global Acknowledge
To reintegrate all passivated modules in one go, the certified block FB219 "F_ACK_GL" is available. Extend FC10 with a network that uses the passivation and acknowledge-request signals of the safety modules.
Step 1:
Add FB219 in a new network so that all modules are reintegrated. Assign instance DB DB219 to FB219.