Table of Contents
Advertisement
9.3 Fault detection and reaction
Fault detection in the safety functions
plausibility check
After a demand of the safety functions, the safety controller must check
that the feedback has been closed.
This check should not be made until the response time of the safety
function has elapsed.
This is the only safe method of detection available.
STO forced test interval
The safety functions must be demanded at every power-up and at least
once a year. If it is not done automatically, the machine instruction
manual must require the user to do it manually.
Each of the two STO channels, the Drive Enable and the - KM1
contactor, has its own feedback.
detected faults
Failure in the circuit of the Drive Enable.
Failure in the external main contactor - KM1.
Wiring failure in one of the two channels.
Simultaneous STO and holding brake
The safety controller normally demands STO and at the same time
closes the holding brake.
using simple safety controllers
Normally a single safety controller demands STO and at the same time
closes the holding brake and does not indicate when it detects a
plausibility error from the feedback. Instead, the user notices the
malfunction because the safety functions do not reset, STO remains
active and the motor does not move.
In emergency stop button Example 1. and Example 2. :
The feedbacks from the Drive Enable and - KM1 contactor are in
series with the reset button.
To reset the safety functions, the user must first reset the emergency
button and then press the reset. If there is a failure in a channel of the
safety function, their feedback will remain open and the safety
controller will not reset the safety function, and thus it will continue to
demand STO and the system will not move.
Behaviour of the safety function under fault condition
AXD/SPD complies with EN ISO 13849-1 Cat. 3, which for this category states:
When the single fault occurs the safety function is always performed.
The simultaneous occurrence of two or more faults having separate
causes is considered highly unlikely and therefore need not be
considered.
Reaction when a channel fails
Drive Enable reaction
The feedback shall remain open.
Safety controller reaction
The safety controller must maintain the drive in a safe state, so it must
continue to demand the safety functions, even if the operator presses the
reset button.
Functional safety
9.
DDS
HARDWARE
Ref.1912
· 315 ·
Hide quick links:
Advertisement
Table of Contents
