Lenze L-force 9400, SM300 User Manual

EDS94AYAD
Manual
L-force | 9400
E94AYAD - SM300
Phone: 800.894.0412 - Fax: 888.723.4773 - Web: www.clrwtr.com - Email: info@clrwtr.com
Please read these instructions and the documentation of the standard device before you
start working! Observe the safety instructions given therein!
EDS94AYAD EN 2.2
1 Safety engineering
Contents
1.1 Basics
  1.1.1 Introduction
  1.1.2 Drive-based safety with L-force | 9400
  1.1.3 Terms and abbreviations of the safety engineering
  1.1.4 Important notes
  1.1.5 Safety instructions
  1.1.6 Application as directed
  1.1.7 Hazard and risk analysis
  1.1.8 Standards
  1.1.9 Overview of sensors
1.2 Device modules
  1.2.1 Slot
  1.2.2 Function mode of the safety modules
  1.2.3 Safety module SM300
  1.2.4 Connection of safety sensors
1.3 Safety functions
  1.3.1 Integration into the application of the controller
  1.3.2 Error states
  1.3.3 Safe torque off
  1.3.4 Safe stop 1
  1.3.5 Safe PROFIsafe connection
1.4 Acceptance
  1.4.1 Description
  1.4.2 Periodic inspections
1.1 Basics
1.1.1 Introduction
With increasing automation, protection of persons against hazardous movements is becoming more important. Functional safety describes the measures needed by means of electrical or electronic equipment to reduce or remove danger caused by failures.
During normal operation, safety equipment prevents people accessing hazardous areas. In certain operating modes, e.g. set-up mode, work needs to be carried out in hazardous areas. In these situations the machine operator must be protected by integrated drive and control measures.
Drive-based safety provides the conditions in the controls and drives to optimise the safety functions. Planning and installation expenditure is reduced. In comparison to the use of standard safety engineering, drive-based safety increases machine functionality and availability.
1.1.2 Drive-based safety with L-force | 9400
The controllers of the L-force|9400 range can be equipped with a safety module. The functional range of the safety module types varies in order to optimally implement different applications.
"Drive-based safety" stands for applied safety functions which can be used for the protection of persons working on machines.
The motion functions continue to be executed by the controller. The safety modules monitor safe compliance with the limit values and provide the safe inputs and outputs. When the limit values are exceeded, the safety modules start the control functions according to EN 60204-1 directly in the controller.
The safety functions are suitable for applications according to IEC 61508 SIL 3 and meet, depending on the module, the requirements of EN 954, part 1 up to control category 4.
1.1.3 Terms and abbreviations of the safety engineering
Abbreviation | Meaning
9400 | Lenze servo controller
EC_S0 | Error-Class Stop 0
EC_S1 | Error-Class Stop 1
EC_S2 | Error-Class Stop 2
EC_FS | Error-Class Fail-Safe
Cat. | Category according to EN 954-1
OSSD | Output Signal Switching Device, tested signal output
PS | PROFIsafe
PWM | Pulse width modulation
S-DI | Safe input (Safe Digital Input)
S-DO | Safe output (Safe Digital Output)
SIL | Safety Integrity Level according to IEC 61508
SM | Safety module
Optocoupler supply | Supply of optocouplers to control the driver
OFF state | Signal state of the sensors when they are activated or respond
ON state | Signal state of the sensors in normal operation

Abbreviation | Safety function
SDI | Safe direction
SLI | Safely limited increment
SLS | Safely limited speed
SOS | Safe operating stop
SS1 | Safe stop 1
SS2 | Safe stop 2
SSM | Safe speed monitor
STO | Safe torque off (formerly: safe standstill)
1.1.4 Important notes
The following pictographs and signal words are used in this documentation to indicate dangers and important information:

Safety instructions
Structure of safety instructions:
Danger! (characterises the type and severity of danger)
Note (describes the danger and gives information about how to prevent dangerous situations)

Pictograph and signal word | Meaning
Danger! | Danger of personal injury through dangerous electrical voltage. Reference to an imminent danger that may result in death or serious personal injury if the corresponding measures are not taken.
Danger! | Danger of personal injury through a general source of danger. Reference to an imminent danger that may result in death or serious personal injury if the corresponding measures are not taken.
Stop! | Danger of property damage. Reference to a possible danger that may result in property damage if the corresponding measures are not taken.

Application notes
Pictograph and signal word | Meaning
Note! | Important note to ensure trouble-free operation
Tip! | Useful tip for simple handling
 | Reference to another documentation

Special safety instructions and application notes for UL and UR
Pictograph and signal word | Meaning
Warnings! | Safety or application note for the operation of a UL-approved device in UL-approved systems. Possibly the drive system is not operated in compliance with UL if the corresponding measures are not taken.
Warnings! | Safety or application note for the operation of a UR-approved device in UL-approved systems. Possibly the drive system is not operated in compliance with UL if the corresponding measures are not taken.
1.1.5 Safety instructions
1.1.6 Application as directed
The safety modules SMx (E94AYAx) may only be used together with Lenze drive controllers of the L-force | 9400 (E94A...) series.
Any other use shall be deemed inappropriate!
Installation/commissioning
• Only skilled personnel are permitted to install and commission the safety functions.
• All control components must comply with the demands of the hazard and risk analysis.
• Install the controllers in control cabinets with IP54 protection.
• Wiring with insulated wire end ferrules or rigid cable is vital.
• For modules without integrated short-circuit monitoring:
  – All safety-relevant external cables (e.g. control cables for safety functions, feedback contacts) outside the control cabinet must be protected, e.g. by a cable duct.
  – In this connection, make sure that short circuits cannot occur!
  – For further measures see ISO 13849-2.
• If external forces act on the drive axes, additional brakes are necessary. The effect of the gravitational force on hanging loads must be especially observed!
Danger!
If the request for the safety function is cancelled, the drive will restart automatically.
You must provide external measures which ensure that the drive only restarts after a confirmation (EN 60204).
Danger!
When the "safe torque off" (STO) function is used, an "emergency-off" according to EN 60204 is not possible without additional measures. There is no electrical isolation, no service switch or repair switch between motor and controller!
"Emergency-off" requires an electrical isolation, e.g. by a central mains contactor!
During operation
After the installation is completed, the operator must check the wiring of the safety function.
The functional test must be repeated at regular intervals. The time intervals to be selected depend on the application, the entire system and the corresponding risk analysis. The inspection interval should not exceed one year.
Residual hazards
In case of a short-circuit of two power transistors a residual movement of the motor of up to 180°/number of pole pairs may occur! (Example: 4-pole motor, residual movement max. 180°/2 = 90°)
This residual movement must be considered in the risk analysis, e.g. safe torque off for main spindle drives.
1.1.7 Hazard and risk analysis
This documentation can only accentuate the need for a hazard analysis. The user of drive-based safety must concentrate on dealing with the standards and legal position.
Before putting a machine into circulation, the manufacturer of the machine must carry out a hazard analysis according to the Machinery Directive 89/392/EEC to find out the hazards related to the application of the machine. To achieve a level of safety as high as possible the Machinery Directive contains three principles:
• Removing or minimising the hazards by the construction itself.
• Taking the protective measures required against hazards that cannot be removed.
• Documentation of the existing residual risks and training of the user regarding these risks.
The execution of the hazard analysis is specified in EN 1050, guidelines for risk assessment. The result of the hazard analysis determines the category of safety-based control modes according to EN 954-1 which the safety-oriented parts of the machine control must comply with.
1.1.8 Standards
Safety regulations are confirmed by laws and other governmental guidelines and measures and the prevailing opinion among experts, e.g. by technical regulations.
The regulations and rules to be applied must be observed in accordance with the application.
1.1.9 Overview of sensors
Passive sensors
Passive sensors are two-channel switching elements with contacts. The connecting cables and the sensor function must be monitored.
The contacts must switch simultaneously. Nevertheless, safety functions will be activated as soon as at least one channel is switched.
The switches must be wired according to the closed-circuit principle.
Examples of passive sensors:
• Door contact switch
• Emergency-off control units
Active sensors
Active sensors are units with two-channel semiconductor outputs (OSSD outputs). Drive-based safety integrated in this device series allows for test pulses < 1 ms to monitor the outputs and cables.
P/N-switching sensors switch the positive and negative cable or signal and earth cable of a sensor signal.
The outputs must switch simultaneously. Nevertheless, safety functions will be activated as soon as at least one channel is switched.
Examples of active sensors:
• Lightgrid
• Laser scanner
• Control
Sensor inputs
For sensor inputs that are not used, "no sensor" must be parameterised. It is monitored that no sensor signal is applied.
Connected deactivated sensors can create the false impression of safety technology being provided. For this reason, a deactivation of sensors by parameter setting only is not permissible and not possible.
1.2 Device modules
1.2.1 Slot
The slot for the safety modules is marked in the documentation with M4. It is the lowest slot in the controller (see overview).
1.2.1.1 Mounting
[Figure E94AYAX001]
1.2.1.2 Dismounting
[Figure E94AYCXX001H]
1.2.1.3 Module exchange
Every module exchange is detected by the basic device and documented in a logbook.
When the module is replaced by the same type no restrictions arise.
When the module is replaced by a different type, the drive is inhibited by the controller. The inhibit can only be deactivated when the parameter setting of the required safety module complies with the plugged safety module.
1.2.2 Function mode of the safety modules
C00214
The code C00214 must comply with the plug-in safety module type so that the controller is able to operate.
Disconnecting paths
The transmission of the pulse width modulation is safely (dis-)connected by the safety module. Hence the drivers do not create a rotating field. The motor is safely switched to torqueless operation (STO).
[Figure SSP94SM320]
Fig. 1.2-1 Disconnecting paths of the safety modules
SMx | Safety module SM100/SM300
xx | Input / output terminal
C | Control section
μC | Microcontroller
PWM | Pulse width modulation
P | Power section
M | Motor
Safety status
When the controller is switched off by a safety module, the "Safe torque off" status is set (C00183 = 101).
Fail-safe status
If internal errors of the safety modules are detected, the motor is safely switched to torque-free operation (fail-safe status).
1.2.3 Safety module SM300
1.2.3.1 Overview
The type designation of the safety module is E94AYAD.
Functions
• Safe torque off (STO) (previously: safe standstill, protection against unexpected start-up)
• Safe stop 1 (SS1)
• Connection of safety sensors
• PROFIsafe safety bus connection
The SM300 supports the transmission of safe information on the PROFIsafe protocol according to the specification "PROFIsafe - Profile for Safety Technology", Version 1.30, of the PROFIBUS Nutzerorganisation (PNO). The basic device transmits the PROFIsafe information to the SM300 for safe evaluation.
The following applies to the SM300 safety module, version VA 1.xx:
• The basic device must be equipped with a communication module E94AYCPM (PROFIBUS-DP), SW version 0.9.
• The safe parameter setting is not supported. For this reason, all parameters are permanently set.
• The stopping time of the SS1 cannot be parameterised. It is permanently set to t_s = 30 s.
• This module does not support (safe) outputs.
Danger!
If the request for the safety function is cancelled, the drive will restart automatically.
You must provide external measures which ensure that the drive only restarts after a confirmation (EN 60204).
1.2.3.2 Safety category
The implemented safety functions meet the requirements of the standards:
• Control category 3 according to EN 954-1
In order to comply with category 3, the external wiring and cable monitoring must also meet the requirements of category 3.
1.2.3.3 Elements of the module
[Figure SSP94SM317]
Fig. 1.2-2 Module view
Pos. | Description
 | PROFIsafe target address switch (on the left housing side)
X82.1, X82.2, X82.3, X82.4 | Pluggable terminal strips for input and output signals

Displays
Pos. | Colour | State | Description
MS | Green | On | Drive-based safety is initialised faultlessly.
MS | Green | Blinking | Drive-based safety is initialised faultlessly. Internal communication to the standard device is not possible.
MS | Green | Off | Drive-based safety is not initialised. Acknowledgement is not possible.
EN | Yellow | On | Controller enabled
EN | Yellow | Off | Non-safe display "STO"
ME | Red | On | System error: After a serious internal error, STO is activated. Can only be reset by switching the 24V supply.
ME | Red | Blinking | Error: After an internal error or an error at the safe inputs, a standstill function is activated. The safety class is quit. Acknowledgement is possible.
ME | Red | Flashing | Fault: A monitoring function has responded and activated a standstill function. The safety class is not quit. Acknowledgement is possible.
ME | Red | Off | Error-free operation
PS | Red | On | Error PROFIsafe: Communication is not possible. Acknowledgement is possible.
PS | Red | Blinking | No valid PROFIsafe configuration
PS | Red | Off | PROFIsafe is error-free.
DE | Red | On | The module is not accepted by the standard device (see notes given in the documentation for the standard device).
Terminal assignment

X82.1
Labelling | Description
n. c. (all 9 terminals) | This terminal strip is not assigned.

X82.2
Labelling | Description
- | GND external supply
+ | 24 V external supply via a safely separated power supply unit (SELV/PELV)
n. c. (4 terminals) | This part of the terminal strip is not assigned.
AIE | Error confirmation input (Acknowledge Input Error)
CLA | Clock output for passive sensors, channel A (clock A)
CLB | Clock output for passive sensors, channel B (clock B)

X82.3
Labelling | Description
GCL | GND clock output
GI2 | GND IN I2A/I2B
I2B | Sensor input 2, channel B (only for passive sensors)
I2A | Sensor input 2, channel A (only for passive sensors)
GCL | GND clock output
GI1 | GND I1A/I1B
I1B | Sensor input 1, channel B (only for passive sensors)
I1A | Sensor input 1, channel A (only for passive sensors)
n. c. | This terminal is not assigned.

X82.4
Labelling | Description
GCL | GND clock output
GI4 | GND I4A/I4B
I4B | Sensor input 4, channel B (only for active sensors)
I4A | Sensor input 4, channel A (only for active sensors)
n. c. (5 terminals) | This part of the terminal strip is not assigned. Sensor input 3 is not available.
Cable cross-sections and tightening torques
Type | [mm2] | [Nm] | AWG | [lb-in]
Wire end ferrule, insulated | 0.25 ... 0.5 | Spring terminal | 24 ... 20 | Spring terminal
Rigid | 0.14 ... 1.5 | Spring terminal | 26 ... 16 | Spring terminal
1.2.3.4 Technical data
The inputs are isolated and designed for a low-voltage supply of 24 V DC.
Detailed features of the inputs and outputs
Signal | Specification | min. typ. max.
I1A, I1B, I2A, I2B, I4A, I4B, AIE | PLC input, IEC-61131-2, 24 V, type 1 |
 | LOW signal [V] | -3 0 5
 | Input current [mA] | 15
 | HIGH signal [V] | 15 24 30
 | Input current [mA] | 2 15
 | Input capacitance [nF] | 3.3
AIE | Pulse duration [ms] | 300 10^4
CLA, CLB | PLC output, IEC-61131-2, 24 V DC, 50 mA |
 | LOW signal output voltage [V] | 0 0.8
 | HIGH signal output voltage [V] | 17 24 29
 | Output current [mA] | 50
 | Width of the test pulse [μs] | 750
 | Test pulse rate [s] | 1.8
 | Cable resistance of a passive sensor [kΩ] | 2
+, - | Supply voltage of the module via a safely separated power supply unit (SELV/PELV) [V] | 19.2 24 30
 | Input current [A] |
Tab. 1.2-1 Technical data
The chapter ”Response times” must be observed as well (1.3.5.2).
1.2.3.5 Commissioning
• Settings in or at the module:
  – PROFIsafe target address switch
• Required settings in the basic device:
  – C00214, type of safety module
• Integration of the SM300 into the drive application
• During commissioning and after the replacement of a module it is vital to check the safety function.
24 V
1.2.3.6 Test certificate
[Figure SSP94TUEV3]
Fig. 1.2-3 TÜV Certificate
The type test was carried out by 'TÜV Rheinland Group' and confirmed with a certificate.
Contents | Specifications
Test institute | TÜV Industrie Service GmbH, ASI area
Test report | 968/EL 302.01/05
Test fundamentals | EN 954-1, EN 60204-1, EN 50178, EN 61800-3, IEC 61508 Part 1-7
Object to be examined | SM300, type E94AYAD VA1.xx of the 9400 Servo Drives range
Test result | The module meets the requirements according to EN 954-1, category 3.
Special conditions | The safety instructions in the corresponding user documentation must be observed.
Place of issue | Cologne
Issue date | 30.06.2005
1.2.4 Connection of safety sensors
1.2.4.1 General
The following applies to the sensors of the SM300, version VA 1.xx:
• Sensor type and function cannot be parameterised.
• The sensor signals are converted into PROFIsafe bit information and transmitted to the master control for processing. A local evaluation is not carried out.
• Unused sensor inputs must not be connected. The PROFIsafe bit of a non-connected input is in the OFF state.
Note!
Make sure that an internal contact function test is carried out at the safe inputs:
Safe input in the ON state
• A LOW level at one channel puts the input in the OFF state. The discrepancy monitoring starts simultaneously.
• A LOW level must be detected at both channels within the discrepancy time, otherwise a discrepancy error will be reported.
• To be able to confirm the discrepancy error, a LOW level must first be detected at both channels.
Safe input in the OFF state
• A HIGH level at one channel starts the discrepancy monitoring.
• A HIGH level must be detected at both channels within the discrepancy time, otherwise a discrepancy error will be reported.
• To be able to confirm the discrepancy error, a HIGH level must first be detected at both channels.
Specification | Sensor type: passive | Sensor type: active
Discrepancy time | 30 s
Input delay | 4 ms | 0 ms
Input filter time for test pulses | 15 ms
Repetition rate of the test pulses | is determined by the clock outputs CLA and CLB | > 50 ms
Error response | EC_S1
Confirmation | via PROFIsafe or AIE input
Tab. 1.2-2 Specification of sensor connections
Explanations
Discrepancy time
• Maximum time in which both channels of a safe input may have non-equivalent states without the safety engineering noticing an error.
Input delay
• Time between the recognition of the signal change and the effective evaluation of an input signal. As a result, multiple and short signal changes due to contact bounce of the components are not taken into account.
Input filter time
• Time in which the interference pulses and test pulses are not detected by e.g. active sensors that are switched on.
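The discrepancy monitoring described in the note of 1.2.4.1, with the 30 s discrepancy time of Tab. 1.2-2, can be modelled as a small state machine. This is an added example, not Lenze code: the class `SafeInput`, the helper `run_trace` and the two traces are hypothetical and constructed for illustration, the input delay and filter times are left out, and the input is assumed to stay OFF after a confirmation until both channels are HIGH again.

```python
from dataclasses import dataclass
from typing import Optional

DISCREPANCY_TIME_S = 30.0  # Tab. 1.2-2, fixed on the SM300 VA 1.xx


@dataclass
class SafeInput:
    """Simplified model of one two-channel safe input (hypothetical class)."""
    discrepancy_time: float = DISCREPANCY_TIME_S
    on: bool = False                  # state reported for the input (ON/OFF)
    error: bool = False               # latched discrepancy error
    _target: Optional[bool] = None    # level both channels still have to reach
    _since: float = 0.0               # start of the running discrepancy monitoring
    _equivalent_seen: bool = False    # both channels reached _target after the error

    def _start(self, t, target):
        self._target, self._since = target, t

    def sample(self, t, a, b):
        """Feed the channel levels at time t (seconds); returns the input state."""
        a, b = bool(a), bool(b)
        if self.error:
            # Input stays OFF; remember whether both channels reached the level
            # required before the error may be confirmed.
            self._equivalent_seen |= (a == b == self._target)
        elif self._target is not None:
            if t - self._since > self.discrepancy_time:
                self.error, self.on = True, False
                self._equivalent_seen = (a == b == self._target)
            elif a == b == self._target:
                self.on, self._target = self._target, None
        elif self.on and not (a and b):
            self.on = False           # a LOW level at one channel is enough
            if a != b:
                self._start(t, False)  # the other channel must follow in time
        elif not self.on and (a or b):
            if a and b:
                self.on = True
            else:
                self._start(t, True)
        return self.on

    def confirm(self):
        """Confirmation (AIE pulse or PROFIsafe); refused until both channels
        have been seen at the required level."""
        if not (self.error and self._equivalent_seen):
            return False
        self.error, self._target, self._equivalent_seen = False, None, False
        self.on = False               # modelling assumption, see lead-in
        return True


def run_trace(trace, **kwargs):
    """Replay (t, channel A, channel B) samples; returns (states, SafeInput)."""
    inp = SafeInput(**kwargs)
    return [inp.sample(t, a, b) for t, a, b in trace], inp


# Constructed traces: a door switch opening cleanly, and one whose channel B
# contact sticks so that the channels stay non-equivalent for more than 30 s.
CLEAN_TRACE = [(0.0, 1, 1), (10.0, 0, 1), (10.2, 0, 0), (20.0, 1, 1)]
STUCK_TRACE = [(0.0, 1, 1), (5.0, 0, 1), (20.0, 0, 1), (36.0, 0, 1)]

if __name__ == "__main__":
    print(run_trace(CLEAN_TRACE)[0])
    states, stuck = run_trace(STUCK_TRACE)
    print(states, "discrepancy error:", stuck.error)
```
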
1.2.4.2 Connection of passive sensors
The safe sensor inputs I1A, I1B and I2A, I2B are only suitable for equivalent switching passive sensors.
To monitor passive sensors according to EN 954-1, cat. 3, the clock outputs CLA and CLB must be wired. Please observe the following:
• The clock outputs are only suitable for monitoring the passive sensors.
• Always connect ...
  – ... CLA with the A channel of the sensor input via the sensor.
  – ... CLB with the B channel of the sensor input via the sensor.
  – ... GCL with GIx of the sensor input.
• The sensor inputs are tested cyclically through short LOW operation.
These errors are detected:
• Short circuit to supply voltage.
• Short circuit between the input signals when different clock outputs are used.
• Non-equivalent input signals after the discrepancy time.
These errors are not detected:
• Short circuit between the input signals when the same clock outputs are used.
Avoid unrecognisable errors by the installation, e.g. by separated cable routing.
[Figure SSP94SM351: SM300 (E94AYAD) with sensors S1 and S2; marked positions: unrecognisable errors]
Fig. 1.2-4 Ways to detect errors
1.2.4.3 Connection of active sensors
The safe sensor input I4A and I4B is suitable for an active sensor.
PN-switched input signals are permissible.
The line monitoring must comply with the requirements of the category 3. Drive-based safety does not provide for line monitoring.
These errors are detected:
• Non-equivalent input signals after the discrepancy time.
[Figure SSP94SM352]
Fig. 1.2-5 Functional example of PN-switching sensor
S | Sensor
P | Positive path
M | Negative path
1.2.4.4 Connection plans
[Figure SSP94SM350: terminal strips X82.1 to X82.4 of the SM300 with sensors S1, S2 and S4 and the external 24 V supply]
Fig. 1.2-6 Wiring example SM300
E94AYAD | Safety module SM300, version VA1.xx
S1, S2 | Passive sensor with channel A and B
S4 | Lightgrid (active sensor)
24 V ext. | 24-V voltage supply (SELV/PELV)
1.3 Safety functions
1.3.1 Integration into the application of the controller
For the use of the functions, certain settings in the controller are required. Here, the Lenze PC software »Engineer« supports and guides you.
When a safety function is required, the safety technology activates the corresponding safe monitoring function. However, the standstill function is only directly executed with the ”safe torque off” (STO) function. Other safety functions in which a controller action is required will need to be safely monitored.
The actions of the drive (e.g. braking, braking to standstill, keeping the standstill position) must be implemented in the basic device.
Depending on the design of the basic device, the user applications are created by means of programming according to IEC 61131 or parameter setting. For this purpose the system block InterfaceSafetyModule or the control word SM_dwControl must be implemented into the control configuration of the controller.
The connection to a user application serves to achieve the following:
1. Activation of the safety function in the safety module, e.g. SS1; the monitoring starts.
2. The safety module transmits the information to the basic device that the function has been activated using the corresponding bit in the control word SM_dwControl.
3. The application must evaluate the control word and start the motion sequence, e.g. braking etc.
Internal communication
Safety module and basic device communicate via an internal interface.
The request for a safety function is contained within the control word, the information of which must be processed by the application.
Information | Offset (byte) | Bit 7 | Bit 6 | Bit 5 | Bit 4 | Bit 3 | Bit 2 | Bit 1 | Bit 0
SM_dwControl | 4 | SDIp | - | - | - | - | - | SS1 | STO
SM_dwControl | 5 | - | - | - | - | - | - | - | SDIn
SM_dwControl | 6 | - | - | - | - | - | - | - | -
SM_dwControl | 7 | - | - | - | - | - | - | - | -
SM_wState | 8 | - | - | - | EC_S1 | EC_S0 | - | - | STO
SM_wState | 9 | - | - | - | - | - | - | - | -
SM_wIo_State | 10 | - | AIE | - | - | SD-In4 | - | SD-In2 | SD-In1
SM_wIo_State | 11 | - | - | - | - | - | - | - | -
Tab. 1.3-1 Communication telegram from the safety module to the basic device.
Details SM_dwControl
Name | Value | Description | IEC 61800-5-2
STO | 0 | No request | Safe Torque Off
STO | 1 | Request of the function | Safe Torque Off
SS1 | 0 | No request | Safe Stop 1
SS1 | 1 | Request of the function | Safe Stop 1
SDIp | 1 | Safe positive direction of rotation enabled (fixed) | Safe Direction
SDIn | 1 | Safe negative direction of rotation enabled (fixed) | Safe Direction
- | 0 | Reserved for future extensions |

Details SM_wState
Name | Value | Description | IEC 61800-5-2
EC_S1 | 0 | Normal operation | -
EC_S1 | 1 | Stop category 1 error activated | -
EC_S0 | 0 | Normal operation | -
EC_S0 | 1 | Stop category 0 error activated | -
STO | 0 | Normal operation | Safe Torque Off
STO | 1 | Pulse inhibit activated | Safe Torque Off

Details SM_wIo_State
Name | Value | Description
SD-I1 | 0 | Sensor input 1 in the OFF state, at least one channel
SD-I1 | 1 | Sensor input 1 in the ON state
SD-I2 | 0 | Sensor input 2 in the OFF state, at least one channel
SD-I2 | 1 | Sensor input 2 in the ON state
SD-I4 | 0 | Sensor input 4 in the OFF state, at least one channel
SD-I4 | 1 | Sensor input 4 in the ON state
AIE | 0 | Idle state
AIE | 0 1 | Error confirmed
AIE | 1 | Temporary status

If the communication with the basic device is interrupted, e.g. by switching off the basic device, a fault is activated and the LED "ME" begins blinking. The required confirmation can be executed via AIE or PROFIsafe. Further information can be obtained from the chapter "Error status".
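Decoding the telegram of Tab. 1.3-1 byte by byte, as an added example that is not Lenze code. Assumptions: the telegram is available as a byte string of at least 12 bytes, bytes 0 to 3 are ignored because this manual does not describe them, and the function names and both sample telegrams are hypothetical and constructed. STO is evaluated before SS1 because section 1.3.3 lists SS1 as the subordinated function.

```python
# Bit layout per Tab. 1.3-1: {word: {byte offset: {bit number: signal name}}}
LAYOUT = {
    "SM_dwControl": {4: {7: "SDIp", 1: "SS1", 0: "STO"}, 5: {0: "SDIn"}, 6: {}, 7: {}},
    "SM_wState": {8: {4: "EC_S1", 3: "EC_S0", 0: "STO"}, 9: {}},
    "SM_wIo_State": {10: {6: "AIE", 3: "SD-In4", 1: "SD-In2", 0: "SD-In1"}, 11: {}},
}


def decode(telegram):
    """Return the named signals of each word plus every set bit without a name."""
    if len(telegram) < 12:
        raise ValueError("telegram must contain the byte offsets 4 to 11")
    result = {}
    for word, byte_map in LAYOUT.items():
        signals, unassigned = {}, []
        for offset, bits in byte_map.items():
            value = telegram[offset]
            for bit in range(8):
                is_set = bool(value >> bit & 1)
                if bit in bits:
                    signals[bits[bit]] = is_set
                elif is_set:
                    unassigned.append((offset, bit))
        result[word] = {"signals": signals, "unassigned_set": unassigned}
    return result


def check_control(decoded):
    """Plausibility findings for SM_dwControl, based on 'Details SM_dwControl':
    SDIp and SDIn are fixed to 1, all other unnamed bits are reserved (0)."""
    ctrl = decoded["SM_dwControl"]
    findings = []
    for name in ("SDIp", "SDIn"):
        if not ctrl["signals"][name]:
            findings.append(f"{name} is 0 but is documented as fixed to 1")
    for offset, bit in ctrl["unassigned_set"]:
        findings.append(f"reserved bit {bit} of byte {offset} is set")
    return findings


def requested_stop(decoded):
    """Stop function the application has to act on, or None."""
    signals = decoded["SM_dwControl"]["signals"]
    if signals["STO"]:
        return "STO"
    if signals["SS1"]:
        return "SS1"
    return None


# Constructed telegrams (bytes 0-3 are filler).
# SS1 requested, SDIp/SDIn set, sensor inputs 2 and 4 ON, sensor input 1 OFF:
SAMPLE_OK = bytes([0, 0, 0, 0, 0x82, 0x01, 0, 0, 0x00, 0x00, 0x0A, 0x00])
# STO requested, but SDIp missing and reserved bit 2 of byte 4 set:
SAMPLE_SUSPECT = bytes([0, 0, 0, 0, 0x05, 0x01, 0, 0, 0x01, 0x00, 0x0B, 0x00])

if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("suspect", SAMPLE_SUSPECT)):
        d = decode(raw)
        print(name, requested_stop(d), check_control(d))
```

A telegram that fails `check_control` does not match the fixed values documented for this module version and is worth logging before the application acts on it.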
1.3.2 Error states
Detected errors or maloperation of the drive are assigned to error states with definite reactions. The reaction can be co-ordinated with the complete drive via the error states.
Features | Error status: System error | Error status: Error | Error status: Trouble
Event | Fatal internal error | Error | Monitoring function
LED "ME" | On | Blinking | Flashing
Status of safety module | Lockout (CPU stopped) | Error status | Normal operation
The control category according to EN 954-1 ... | ... has been abandoned | ... has been abandoned | ... has not been abandoned
Reaction | The motor immediately switches to torque-free operation via STO | The motor is stopped via STO or SS1
Confirmation after deactivated event | Connection and disconnection of the 24-V supply at the safety module; Pulse at AIE (0.3 s < t < 10 s); via PROFIsafe; Connection and disconnection of the 24-V supply at the safety module; Pulse at AIE (0.3 s < t < 10 s); via PROFIsafe
Response to the confirmation | The module is reset. The PROFIsafe communication is interrupted. | The module is not reset. The PROFIsafe communication is not interrupted.
Tab. 1.3-2 Overview of error states
If errors occur in the PROFIsafe communication, the data is deactivated from the PROFIsafe driver. The STO function is activated.
After the PROFIsafe communication is reinitialised, the drive is automatically enabled again if no standstill function is selected.
Note!
If the system error also occurs after switching the 24-V supply, please contact the service.
Logbook
Error states are saved in the logbook of the standard device. The following is entered:
• Decimal error number without plain text
• A time mark for each event
The available logbook entries can be displayed in the »Engineer« when an online connection has been established.
Events which cause an error status are sent as a diagnostic telegram via PROFIBUS.
Entries
Area | Error number (decimal) | Error number (hexadecimal) | Description | Error status, note
Stop functions | 0 | 0x00 | Not used | -
Stop functions | 1 | 0x01 | Internal error, STO error is active | STO error
Stop functions | 2 | 0x02 | Internal error, SS1 error is active | SS1 error
PROFIsafe | 33 | 0x21 | Invalid PROFIsafe target address | STO error
PROFIsafe | 34 | 0x22 | PROFIsafe communication error | STO, no error status; no diagnostic telegram via PROFIBUS
PROFIsafe | 35 | 0x23 | PROFIsafe monitoring time activated |
PROFIsafe | 36 | 0x24 | PROFIsafe deactivated |
PROFIsafe | 37 | 0x25 | PROFIsafe has left DataExchange |
PROFIsafe | 38 | 0x26 | Invalid data in the PROFIsafe user area |
PROFIsafe | 39 | 0x27 | Wrong parameters received from F-PLC |
Inputs | 49 | 0x31 | Discrepancy error - input SD-In1 | SS1 error
Inputs | 50 | 0x32 | Discrepancy error - input SD-In2 |
Inputs | 52 | 0x34 | Discrepancy error - input SD-In4 |
Inputs | 54 | 0x36 | Discrepancy error - input AIE | STO error
Test functions | 81 | 0x51 | Internal short circuit in one of the inputs | SS1 error
Test functions | 82 | 0x52 | Short circuit in one of the clock outputs CLA or CLB |
Test functions | 93 | 0x5D | Internal error of the safe switch-off logic | STO error
Safety functions | 97 | 0x61 | SS1: The drive has not reached zero speed within the stopping time (30 s). | STO error
Tab. 1.3-3 Description for the numerical entries
1.3.3 Safe torque off
1.3.3.1 Description
Safe Torque Off / STO
This function corresponds to a "Stop 0" according to EN 60204.
When this function is used, the power supply of the motor is immediately safely interrupted. The motor cannot create a torque and thus no dangerous movements of the drive can occur. Additional measures, e.g. mechanical brakes, are needed against movements caused by external force.
Priority function: none
Subordinated function: SS1
[Figure: timing diagram of the STO function. Labels in the figure: SMxDIASTO, n, t, t1, '1', 0]
Legend:
• Input signal of the request of a safety function
• '1': Logic signal level "1" / "true"
• Speed characteristic n of the motor
• tx: Action instant
• t: Time axis
1.3.3.2 Conditions
Condition for using the function:
• The basic device must be equipped with a communication module E94AYCPM (PROFIBUS-DP), SW version 0.9 and connected to the PROFIBUS.
• The basic device must receive PROFIBUS data telegrams from a master controller.
Danger!
If the request for the safety function is cancelled, the drive will restart automatically.
You must provide external measures which ensure that the drive only restarts after a confirmation (EN 60204).
1.3.3.3 Settings
This function does not have any parameters to be set.
1.3.3.4 Activation
How to activate the function:
• A PROFIBUS data telegram with corresponding PROFIsafe contents is transmitted to the basic device (1.3-12).
1.3.4 Safe stop 1
1.3.4.1 Description
Safe Stop 1 / SS1
This function corresponds to a "Stop 1" according to EN 60204.
When this function is used, the motor is stopped within an adjustable stopping time. The complete function sequence cannot be deactivated. When the speed n = 0 is reached or the stopping time elapses, whichever event occurs first, the power supply of the motor is immediately safely interrupted (STO). The motor cannot create torque and thus no dangerous movements of the drive can occur. Additional measures, e.g. mechanical brakes, are needed against movements caused by external force.
Priority function: STO
Subordinated function: None
[Figure: timing diagram of the SS1 function. Labels in the figure: SMxDIASS1, n, t, t1, t2, tS, '1', 0]
Legend:
• Input signal of the request of a safety function
• '1': Logic signal level "1" / "true"
• Speed characteristic n of the motor
• tx: Action instant
• tS: Monitored stopping time
• ––: Normal operation
• ---: Incorrect operation
• t: Time axis
1.3.4.2 Conditions
Condition for using the function:
• The basic device must be equipped with a communication module E94AYCPM (PROFIBUS-DP), SW version 0.9 and connected to the PROFIBUS.
• The basic device must receive PROFIBUS data telegrams from a master controller.
Danger!
If the request for the safety function is cancelled, the drive will restart automatically.
You must provide external measures which ensure that the drive only restarts after a confirmation (EN 60204).
1.3.4.3 Settings
This function does not have any parameters to be set.
Permanently set parameters:
• The stopping time amounts to tS = 30 s.
Tip!
In many applications the stopping time is < 30 s. Thus STO is already activated and the SS1 function is stopped when "0" speed is reached.
In order to determine the maximum response time consider the stopping time (30 s).
This time can only be reduced by setting the STO function through the safe control after the application-specific stopping time.
1.3.4.4 Activation
How to activate the function:
• A PROFIBUS data telegram with corresponding PROFIsafe contents is transmitted to the basic device (1.3-12).
1.3.5 Safe PROFIsafe connection
1.3.5.1 Conditions
The SM300 supports the transmission of safe information on the PROFIsafe protocol according to the specification ”PROFIsafe - Profile for Safety Technology”, Version 1.30, of the PROFIBUS Nutzerorganisation (PNO). The basic device transmits the PROFIsafe information to the SM300 for safe evaluation.
Condition for using the function:
• The basic device must be equipped with a communication module E94AYCPM (PROFIBUS-DP), SW version 0.9 and connected to the PROFIBUS.
• The basic device must receive PROFIBUS data telegrams from a master controller.
1.3.5.2 Response times
In order to determine the response time to a safety function, the entire system must be considered. The following is relevant:
• Response time of the connected sensors.
• Input delay of the safety inputs.
• Internal processing time.
• Monitoring time for the cyclic service in the PROFIBUS.
• Monitoring time of the PROFIsafe in the safety PLC.
• Processing time in the safety PLC.
• Delay times due to further components.
[Figure not reproduced. Labels in the figure: μC, S, SF, PROFIBUS, t = 0, t1, t2, t3, t4, t5, tPS]
Fig. 1.3-1 Response times to the request of a safety function
Legend:
• Basic device
• Safety module
• Safety PLC
• μC: Microcontroller
• S: Safety sensor technology
• SF: Activated safety function
Response time to an event in the safety sensors (PROFIsafe input data)
Time interval (Fig. 1.3-1) | [ms]
t1 Response time of the sensors | according to manufacturer information
t2 Input delay of the safe inputs | passive sensors: 4+15; active sensors: 0+15
t3 Processing time in drive-based safety | 24
PROFIsafe input data ready for transmission to ... | Σ
tPS PROFIsafe cycle time | according to manufacturer information
PROFIsafe input data ready for processing in the safety PLC ... | Σ
Tab. 1.3-4 Response time to an event in the sensors
Response time to a PROFIsafe control word (PROFIsafe output data)
Time interval (Fig. 1.3-1) | [ms]
t4 Processing time in the safety PLC | must be calculated
tPS PROFIsafe cycle time | according to manufacturer information
t5 Processing time in drive-based safety | 14
Safety function starts after ... | Σ
Tab. 1.3-5 Response time in case of PROFIsafe request
Information on how to calculate the processing time and transmission time of the PROFIsafe can be found in the documentation of the safety PLC used.
Note!
When the PROFIsafe communication is disturbed, the fail-safe state is entered after the PROFIsafe monitoring time (F_WD_Time) has elapsed (Tab. 1.3-16).
Example
• After an event has occurred at a safe input, the message is fed back to drive-based safety via the safety PLC.
• Drive-based safety activates a safety function.
• Hence, the maximum response time to the event is calculated as follows:
  t_max response = t1 + t2 + t3 + max{tWD; tPS + t4 + tPS + t5}
When calculating the maximum response time, include the times of the safety functions, e.g. in case of SS1 the stopping time (30 s) until STO is active.
1.3.5.3 Description
Addressing
An unambiguous PROFIsafe target address ensures that a data telegram reaches the correct node.
A valid address in the range between 1 and 1023 can be set via the DIP switch. The address 0 is invalid and causes an error in the module.
DIP switch
Labelling | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 0
Value of the address bit | 1 | 2 | 4 | 8 | 16 | 32 | 64 | 128 | 256 | 512
Tab. 1.3-6 Address setting
Note!
The combination "safety module SM300 from version VA 1.08 and communication module PROFIBUS from version VB 0.93" makes it possible to avoid the error that occurs when the address is set to 0. For this purpose, a defined PROFIsafe target address must be saved in C13897 or 14897 in the PROFIBUS communication module.
PROFIsafe frame
The PROFIsafe data is transmitted in the first slot of a PROFIBUS data telegram.
This must be observed for the hardware configuration of the safety PLC!
PROFIBUS data telegram:
Header | PROFIsafe data (Slot 1) | Data (Slot 2) | Trailer
PROFIsafe data
In the PROFIsafe data, one bit each is used to control a certain safety function.
The structure of the PROFIsafe data is described in the PROFIsafe profile. The length of the PROFIsafe data (PROFIsafe message) in slot 1 permanently amounts to 8 bytes in the SM300. They are composed according to the following structure:
Byte offset | Bit 7 ... 0
0 ... 3 | PROFIsafe process data (safe user data)
4 | Control byte or status byte
5 | Consecutive number
6 ... 7 | CRC2 (Signature consists of PROFIsafe process data and PROFIsafe parameters)
Tab. 1.3-7 Structure of the PROFIsafe data
The meaning of the PROFIsafe process data is separately described for PROFIsafe output data and PROFIsafe input data. All described bits are evaluated.
Unassigned bits are reserved for future functions and marked with "-". These bits must be transmitted with "0".
PROFIsafe output data
The PROFIsafe output data is transmitted from the control to the safety module.
Byte offset | Bit 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0
0 | - | - | - | - | - | - | SS1 | STO
1 | - | - | - | - | - | - | - | -
2 | - | - | - | - | - | - | PS_AIE | -
3 | - | - | - | - | - | - | - | -
Tab. 1.3-8 Structure of the PROFIsafe output data
Details of the PROFIsafe output data
Name | Value | Description
STO | 0 | The STO function is activated.
STO | 1 | The function is deactivated.
SS1 | 0 | The SS1 function is activated. The complete function sequence cannot be deactivated.
SS1 | 1 | The function is deactivated.
PS_AIE | 0 | Idle state
PS_AIE | 0 1 | Activation of fault acknowledgement. The bit must be set for at least one PROFIsafe cycle.
- | 0 | Reserved for future extensions
Tab. 1.3-9 Detailed specification of the PROFIsafe output data
Control byte
Only the specified bits of the PROFIsafe control byte are supported:
Byte offset | Bit 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0
4 | - | - | - | activate_FV | - | - | - | -
Tab. 1.3-10 Structure of the PROFIsafe control byte
Details of the control byte
Name | Value | Description
activate_FV | 1 | The PROFIsafe output data is deactivated. Thus, the STO function is activated.
activate_FV | 0 | The function is deactivated.
- | 0 | Reserved for future extensions
Tab. 1.3-11 Detail specification of the control byte
PROFIsafe input data
The PROFIsafe input data is transmitted to the control by the safety module.
Byte offset | Bit 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0
0 | - | - | - | - | - | - | Status SS1 | Status STO
1 | - | - | - | - | - | - | - | -
2 | - | - | - | - | - | - | - | -
3 | Error | - | - | - | SD-In4 | - | SD-In2 | SD-In1
Tab. 1.3-12 Structure of the PROFIsafe input data
Details of the PROFIsafe input data
Name | Value | Description
STO | 0 | The STO function is not active.
STO | 1 | The STO function is active and the drive is safely switched to torque-free operation. This bit is also set at the end of the stopping time by SS1.
SS1 | 0 | The SS1 function is not active.
SS1 | 1 | The SS1 function is active. At the end of the function the STO bit is set.
SD-In1 (sensor at I1A and I1B) | 0 | At least one channel is in the OFF state
SD-In1 (sensor at I1A and I1B) | 1 | The channels A and B are in the ON state
SD-In2 (sensor at I2A and I2B) | 0 | At least one channel is in the OFF state
SD-In2 (sensor at I2A and I2B) | 1 | The channels A and B are in the ON state
SD-In4 (sensor at I4A and I4B) | 0 | At least one channel is in the OFF state
SD-In4 (sensor at I4A and I4B) | 1 | The channels A and B are in the ON state
Error | 0 | Error status is not active.
Error | 1 | Error status is active.
- | 0 | Reserved for future extensions
Tab. 1.3-13 Detailed specification of the PROFIsafe input data
Status byte
Only the specified bits of the PROFIsafe status byte are supported:
Byte offset | Bit 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0
4 | - | - | - | FV_activated | COM-Failure WD-Timeout | COM-Failure CRC | - | -
Tab. 1.3-14 Structure of the PROFIsafe status byte
Details of the status byte
Name | Value | Description
COM-Failure CRC | 0 | Status is not active.
COM-Failure CRC | 1 | Status after communication error is active.
COM-Failure WD-Timeout | 0 | Status is not active.
COM-Failure WD-Timeout | 1 | Status after time-out is active.
FV_activated | 0 | The function is not active.
FV_activated | 1 | The PROFIsafe input data is deactivated.
- | 0 | Reserved for future extensions
Tab. 1.3-15 Detail specification of the status byte
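The message layout of Tab. 1.3-7 to Tab. 1.3-15, as an added example that is not part of this manual or of Lenze software: a Python decoder for captured 8-byte slot-1 messages, showing that requests in the output data use bit value 0 while status bits in the input data use bit value 1. The function names and sample frames are constructed for illustration; CRC2 is kept as opaque bytes because its calculation is not given here.

```python
# Added example, not Lenze code: decode the fixed 8-byte SM300 PROFIsafe message.
# Bit positions follow Tab. 1.3-7 to 1.3-15; CRC2 is kept as opaque bytes.

# (byte offset, bit number) -> bit name
OUTPUT_BITS = {(0, 0): "STO", (0, 1): "SS1", (2, 1): "PS_AIE",
               (4, 4): "activate_FV"}                      # control -> module
INPUT_BITS = {(0, 0): "STO", (0, 1): "SS1", (3, 0): "SD-In1", (3, 1): "SD-In2",
              (3, 3): "SD-In4", (3, 7): "Error", (4, 2): "COM-Failure CRC",
              (4, 3): "COM-Failure WD-Timeout", (4, 4): "FV_activated"}


def _decode(frame, layout):
    if len(frame) != 8:
        raise ValueError("the SM300 PROFIsafe message is fixed at 8 bytes")
    bits = {name: frame[byte] >> bit & 1 for (byte, bit), name in layout.items()}
    # Bytes 0..4 hold the named bits; every other bit there is reserved (must be 0).
    reserved = [(byte, bit) for byte in range(5) for bit in range(8)
                if (byte, bit) not in layout and frame[byte] >> bit & 1]
    return {"bits": bits, "reserved_set": reserved,
            "consecutive_number": frame[5], "crc2": bytes(frame[6:8])}


def decode_output(frame):
    """Control -> safety module: STO and SS1 are requested with bit value 0."""
    d = _decode(frame, OUTPUT_BITS)
    b = d["bits"]
    d["requested"] = [name for name in ("STO", "SS1") if b[name] == 0]
    if b["activate_FV"]:  # output data deactivated, which activates STO
        d["requested"] = ["STO"]
    d["fault_acknowledge"] = bool(b["PS_AIE"])
    return d


def decode_input(frame):
    """Safety module -> control: status bits report 'active' with bit value 1."""
    d = _decode(frame, INPUT_BITS)
    b = d["bits"]
    d["active"] = [name for name in ("STO", "SS1") if b[name]]
    d["sensors_off"] = [n for n in ("SD-In1", "SD-In2", "SD-In4") if not b[n]]
    d["alerts"] = [n for n in ("Error", "COM-Failure CRC",
                               "COM-Failure WD-Timeout", "FV_activated") if b[n]]
    return d


# Constructed sample frames; the CRC2 bytes are placeholders, not computed values.
SAMPLE_OUT = bytes([0x02, 0x00, 0x00, 0x00, 0x00, 0x11, 0xAA, 0xBB])
SAMPLE_IN = bytes([0x01, 0x00, 0x00, 0x83, 0x08, 0x12, 0xCC, 0xDD])

if __name__ == "__main__":
    print(decode_output(SAMPLE_OUT))  # STO requested, SS1 not requested
    print(decode_input(SAMPLE_IN))    # STO active, SD-In4 off, error + time-out
```

A non-empty `reserved_set` means a bit marked "-" in the tables was transmitted as 1, which the manual requires to be 0.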
PROFIsafe parameters
These PROFIsafe parameters and contents are supported:
Name | Description | Valid contents
F_Source_Add | PROFIsafe source address of the safety PLC | 0x01 ... 0xFFFE
F_Dest_Add | PROFIsafe target address of the safety module | 0x01 ... 0x3FF
F_WD_Time | PROFIsafe monitoring time of the safety module | 110 ... 65535 ms
F_Check_SeqNo | Check sequence no. in CRC | 0
F_Check_iPar | Check iparameters CRC3 in CRC | 0
F_SIL | Supported SIL (Safety Integrity Level) | 0 → SIL1, 1 → SIL2, 2 → SIL3
F_CRC_Length | Length of CRC | 1
F_Block_ID | Identification of the parameter type | 0
F_Par_Version | Version of the safety layer | 0
F_Par_CRC | Cyclic CRC | Is calculated
Tab. 1.3-16 Supported PROFIsafe parameters
Diagnostic messages
Incorrect configurations of the PROFIsafe parameters are reported to the safety PLC by means of a diagnostic telegram (PROFIBUS Communication Manual).
Error number | Description
64 | The PROFIsafe target address set does not comply with the parameter F_Dest_Add.
65 | The F_Dest_Add parameter has the invalid value 0x0000 or 0xFFFF.
66 | The F_Source_Add parameter has the invalid value 0x0000 or 0xFFFF.
67 | The F_WD_Time parameter has the invalid value 0 ms.
68 | The F_SIL parameter does not have the valid value 0 ... 2.
69 | The F_CRC_Length parameter does not have the valid value 2.
70 | The version of the PROFIsafe parameter set is wrong.
71 | CRC1 error
1.4 Acceptance
1.4.1 Description
The machine manufacturer must check and prove the operability of the safety functions used.
Inspector
The machine manufacturer must authorise a person with expertise and knowledge of the safety functions to carry out the test.
Protocol
The test result of every safety function must be documented and signed.
Scope
A complete test comprises the following:
• Documentation of the plant including the safety functions.
  – Plant description and overview map
  – Description of the safety devices
  – Safety functions used
• Functional test of all safety functions used.
• Preparing the test report
  – Documenting the functional test
  – Controlling the parameters
  – Signing
• Preparing the appendix with test records
  – Protocols from the plant
  – External recording
1.4.2 Periodic inspections
The correct sequence of the safety-oriented functions must be checked in periodic inspections. The risk analysis or applicable regulations determine the intervals between the tests. The inspection interval should not exceed one year.