Functional safety
FUNCTIONAL SAFETY
Fault Detection and Reaction
9.
QC-PDS
HARDWARE
Ref.2003
· 307 ·
9.3 Fault Detection and Reaction
Fault detection in the safety functions
plausibility check
After a demand of the drive safety functions, the safety controller must
check that the feedback has been closed.
This check should not be made until the response time of the safety
function has elapsed.
This is the only safe method of detection available.
STO forced test interval
The drive safety functions must be demanded at every power-up and at
least once a year. If it is not done automatically, the machine instruction
manual must require the user to do it manually.
Each drive safety function has a common feedback to its two channels.
detected faults
Malfunction in one of the two channels of the drive safety function.
Wiring malfunction.
See DETECTION OF WIRING DANGEROUS MALFUNCTIONS.
Simultaneous STO and holding brake
The safety controller normally demands STO and at the same time
closes the holding brake.
fault indication: using simple safety controllers
A simple safety controller normally demands STO and at the same time
closes the holding brake and does not indicate when it detects a
plausibility error from the feedback. Instead, the user notices the
malfunction because the safety functions do not reset, STO remains
active and the motor does not move.
In emergency stop button EXAMPLE 1 and EXAMPLE 2:
The feedback from STO is in series with the reset button.
To reset the drive safety function, the user must first reset the
emergency button and then press the reset. If there is a failure in a
channel of the one drive safety function, your feedback will remain
open and the safety controller will not reset the safety function, and
thus it will continue to demand STO and the system will not move.
Behaviour of the safety function under fault condition
QC-DR drive complies with EN ISO 13849-1 Cat. 3, which for this category
states:
When the single fault occurs the drive safety function is always
performed.
The simultaneous occurrence of two or more faults having separate
causes is considered highly unlikely and therefore need not be
considered.
Reaction when a channel fails
Drive reaction
The feedback shall remain open.
Safety controller reaction
The safety controller must maintain the drive in a safe state, so it must
continue to demand the drive safety functions, even if the operator presses
the reset button.
Reaction time of the safety function to a fault
Given that the feedback verification must not be carried out until the
response time for the drive safety function has elapsed, the effective
reaction time of the system when a failure occurs can be considered to be
precisely the response time of the safety function.
To Next Page
Loading...