Contents
6.0 Concept
6.1 Method
6.2 Hardware
6.2.1 Test pulses
6.2.2 Input modules
6.2.2.1 Typical connection
6.2.3 Output modules
6.2.3.1 Typical connection
6.2.4 Input/output module with test pulse
6.2.4.1 Typical connection
6.2.5 Dual-pole input/output module
6.2.5.1 Typical connection
6.3 Software
Fig. 49: Safety functions controlled by separate hardware (external safety hardware alongside the process control)
Fig. 50: Safety functions controlled through one system
When complex relay-based systems were the only choice for controls, overall reliability was poor and fault-finding was often difficult and time consuming. Engineers had to work their way through the cascaded circuits, following the control philosophy until the fault was located. During the 1970s programmable controllers were introduced and engineers began to use these extensively to replace relay circuits.
The only way to build a programmable system with the desired level of
integrity was to take a leaf out of the petrochemical control engineers’
book. Programmable safety control has been used in the petrochemical
industry for many years, guided by advice given in publications such as
“PES - Programmable electronic systems in safety-related
applications”, published by the HSE, and “Fundamental Safety Aspects
to be Considered for Measurement and Control Equipment” (DIN
19250). The ideas from these and other documents are being combined into the international standard IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems). The advice is mainly based on the requirement for diverse processors used in a voting format.
PSS 3000 architecture diagram: three processors (Processor, Processor, Processor) linked through dual-port RAM (DPR); the three output registers (O/Register 1, O/Register 2, O/Register 3) are combined through an AND (&) stage before the outputs.
Users have to write the FS (failsafe) program once only. When the program is finished it can be downloaded to the controller. The runtime version of the program is generated by three independent compilers, and each version carries its own checksum; the three checksums are compared in all three systems. Provided that the program was correctly written at the start, this triple checking during use ensures failsafe operation (the checksum comparison detects a corrupted or differing program image, not a logic error in the program itself). The ST (standard) program is written as for the majority of conventional PLCs.
6.2 Hardware
Fig. 54: Typical safety gate connections with Pilz PSS DI module, showing safety gate connections for three safety categories (low, higher and highest); the higher-category connections use the test signals T0 and T1.
6.2.3 Output modules
Each output on a digital output module has a monitoring input, which
is evaluated by the operating system.
Typical output module connection diagram: a relay is driven from a PSS output and its feedback loop is wired back to a PSS DI input.
Fig. 56: Typical E-Stop connection with Pilz PSS DIO T module (two-channel E-Stop wired to the module inputs, with test pulses T0 and T1)
E-stop buttons are always continuous input devices: their normally closed contacts stay in one state for long periods, so the wiring and the input circuit cannot be proved by a change of state. The correct operation of the PSS input can therefore only be tested using test pulses, and this is required in order to achieve category 4. The PSS will check for a short circuit to 24 V (stuck at "1"), a short circuit to 0 V (stuck at "0"), a short across the input contacts and any malfunction of a PSS input module.
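The following is an added worked example, not code from the original manual or from Pilz, of how the test-pulse checks listed above find the three wiring faults on a two-channel E-stop. The four-phase pulse sequence, the wired-OR behaviour of a cross short and the fault names are assumptions for the model, not a description of the PSS DIO T hardware.

```python
"""Test-pulse diagnostics on a two-channel E-stop input (constructed model).

Assumptions (not in the source): the two test pulses T0/T1 are stepped
through four phases; each channel's normally closed contact is fed from its
own test pulse; a short between the two channel wires behaves as a wired-OR.
"""

PHASES = [(1, 1), (0, 1), (1, 0), (0, 0)]   # (T0, T1) levels per test step


def observed(channel, pulses, pressed, fault):
    """Level the PSS input sees for one channel during one test phase."""
    own, other = pulses[channel], pulses[1 - channel]
    if fault == "stuck_at_1":          # input wire shorted to 24 V
        return 1
    if fault == "stuck_at_0":          # input wire shorted to 0 V (or broken)
        return 0
    level = 0 if pressed else own      # healthy wire: the contact passes its own pulse
    if fault == "cross_short":         # both channel wires shorted together
        return level | (0 if pressed else other)
    return level


def scan(pressed, faults):
    """One full test sequence; per channel, a list of (own_pulse, observed)."""
    return [[(p[c], observed(c, p, pressed, faults[c])) for p in PHASES]
            for c in (0, 1)]


def follows_pulse(samples):
    return all(obs == own for own, obs in samples)


def diagnose(own, partner):
    """Classify one channel from its own samples and the partner channel's."""
    if any(obs == 1 for pulse, obs in own if pulse == 0):
        # A "1" while this channel's own pulse is off cannot come from the contact.
        return "stuck_at_1" if all(obs == 1 for _, obs in own) else "cross_short"
    if all(obs == 0 for _, obs in own):
        # Looks pressed. If the partner clearly follows its pulse (released), this
        # is a two-channel discrepancy; if the partner is also "pressed", a real stop.
        return "stuck_at_0" if follows_pulse(partner) else "ok"
    return "ok" if follows_pulse(own) else "fault"


def evaluate(pressed, faults):
    """Returns (release_permitted, channel0_diagnosis, channel1_diagnosis).

    Release is only permitted when both channels are healthy and both contacts
    read closed in the phase where both test pulses are on."""
    ch0, ch1 = scan(pressed, faults)
    d0, d1 = diagnose(ch0, ch1), diagnose(ch1, ch0)
    both_closed = ch0[0][1] == 1 and ch1[0][1] == 1
    return d0 == "ok" and d1 == "ok" and both_closed, d0, d1


if __name__ == "__main__":
    for pressed, faults in [(False, ("ok", "ok")), (True, ("stuck_at_1", "ok")),
                            (False, ("cross_short", "cross_short")),
                            (True, ("stuck_at_0", "ok"))]:
        print("pressed=%s faults=%s -> %s" % (pressed, faults, evaluate(pressed, faults)))
```

The point of the pulses shows in the stuck-at-1 case: the fault is reported even while the button is pressed, which a plain level read could never do. A stuck-at-0 is the safe direction and only surfaces as a discrepancy between the two channels once the button is released; until then the machine is simply held stopped.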
Fig. 57: Typical press safety valve connection with Pilz PSS DIO Z module (press safety valve PSV wired to PSS DI inputs with test pulses T0 and T1, and driven from the PSS DIO Z outputs)
The example in Fig. 57 requires four PLC inputs, whose correct operation must be monitored through the PSS user program. Short circuits, shorts across the input contacts and any breaks in the relay coils of the press safety valve (PSV) will be detected. The plausibility check for the PSV is performed through the user program.
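As an added example (not from the manual and not Pilz code) of the readback monitoring described for the output modules and of the kind of plausibility check the user program performs for the PSV, the following checks a relay's feedback loop against the commanded state. The auxiliary contact polarity, the sample format and the 100 ms switching allowance are assumptions of this model.

```python
"""Output feedback-loop (readback) monitoring (constructed example).

Assumptions (not in the source): the relay's normally closed auxiliary contact
is wired to an input, so feedback reads 1 while the relay is dropped out and 0
while it is pulled in; the contact must follow the command within MAX_SWITCH_MS;
the sample record starts from a known de-energised state.
"""

MAX_SWITCH_MS = 100   # assumed maximum permitted relay switching time


def check_feedback(samples):
    """samples: list of (t_ms, commanded, feedback) in time order.

    Returns "ok" or the first fault found:
      "welded"      relay commanded off but the feedback shows it still pulled in,
                    or a switch-on was requested while it had not dropped out
      "no_pull_in"  relay commanded on but the feedback still shows dropped out
    A mismatch is tolerated only for MAX_SWITCH_MS after the command changed."""
    prev_cmd, changed_at = None, None
    for t, cmd, fb in samples:
        if cmd != prev_cmd:
            # Command edge. Before energising, the relay must currently be dropped
            # out; a welded contactor must never be re-enabled.
            if cmd == 1 and fb != 1:
                return "welded"
            prev_cmd, changed_at = cmd, t
            continue
        expected = 0 if cmd else 1
        if fb != expected and t - changed_at > MAX_SWITCH_MS:
            return "welded" if cmd == 0 else "no_pull_in"
    return "ok"


# Constructed sample records: (t_ms, commanded, feedback)
HEALTHY = [(0, 0, 1), (10, 1, 1), (50, 1, 0), (200, 1, 0),
           (300, 0, 0), (350, 0, 1), (500, 0, 1)]
WELDED = [(0, 0, 1), (10, 1, 1), (50, 1, 0), (300, 0, 0),
          (350, 0, 0), (500, 0, 0)]
NO_PULL_IN = [(0, 0, 1), (10, 1, 1), (50, 1, 1), (200, 1, 1)]
RESTART_WELDED = [(0, 0, 1), (10, 1, 1), (50, 1, 0), (300, 0, 0), (350, 1, 0)]

if __name__ == "__main__":
    for name, rec in [("healthy", HEALTHY), ("welded", WELDED),
                      ("no pull-in", NO_PULL_IN), ("restart on welded", RESTART_WELDED)]:
        print(name, "->", check_feedback(rec))
```

The switching allowance is what keeps the check from tripping on the relay's own contact travel; a value set too generously defeats the purpose, since a contactor that has welded is only caught once the allowance expires.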
PLC cycle diagram: processors A, B and C each read in the input register (IR), run the FS user program (OB001), synchronise (Syn), perform output register (OR) management and system management, and synchronise again, all within one PLC cycle.
Operating state diagram: after the self test (Flash-EPROM, RAM, DPR, periphery test) the processor enters Run, where the OS reads in IR, the FS user program and the ST user program run cyclically (FS-RUN, ST-RUN) and the OS outputs OR; a detected fault leads to FS-STOP.
The power supplies are then checked and the program block runtime is monitored. These are both failsafe functions and any deviations
Operating state diagram with test slices: the self test covers Flash-EPROM, RAM (approx. 40,000 test slices), DPR and the periphery test; in Run, a configured number of test slices (e.g. 3) is processed at the end of each scan alongside reading in IR, running the FS and ST user programs and outputting OR.
The number of test slices to be included in the end-of-scan test is set when the user configures the system software. The number chosen will depend on the level of system integrity required by the application: the more test slices processed per cycle, the sooner an internal system fault can be detected, at the cost of a longer cycle time. For example, if the program cycle time is 50 ms and two test slices are processed in each cycle, it takes 20,000 cycles to process all 40,000 test slices, so the full test takes 1,000 seconds. If the number of test slices is increased to 10 per cycle, the cycle time rises to 60 ms, but the tests are completed in 4,000 cycles, or approximately 240 seconds.
This critical testing regime lies behind the decision to design a 3oo3 controller rather than a 2oo2, with its lower complexity. Should a fault occur within one of the processor sections during operation that is not detected immediately by the end-of-scan comparison, it will be detected when the relevant test slice is processed. During this fault period the PSS still operates as a failsafe device, as two of its three systems remain operable, i.e. it is now operating as a 2oo3 system.
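The following added example, not code from the manual or from Pilz, models the two comparisons described in this chapter: the start-up comparison of the checksums of the three independently compiled program images (section 6.1) and the per-cycle comparison of the three output registers with the AND stage of the architecture diagram, including the degradation to 2oo3 described above. CRC-32 standing in for the checksum, output registers as integer bitmasks, and treating "no two processors agree" as FS-STOP are assumptions of the model.

```python
"""3oo3 checksum and output-register voting (constructed model).

Assumptions (not in the source): CRC-32 is the checksum; an output register
is an int bitmask; disagreement of all three processors is an FS-STOP.
"""
import zlib


def image_checksums(images):
    """Checksum of each processor's runtime image (one per compiler)."""
    return [zlib.crc32(img) & 0xFFFFFFFF for img in images]


def load_check(images):
    """Start-up check: every processor compares all three checksums; any
    mismatch means the program is not allowed to run."""
    return len(set(image_checksums(images))) == 1


def vote(registers):
    """Compare the three output registers for one cycle.

    Returns (outputs, mode, faulty_processor):
      "3oo3"     all three agree; outputs are the common value
      "2oo3"     one processor disagrees; its index is reported and the other
                 two carry on as a pair
      "FS-STOP"  no two processors agree; all outputs de-energised
    Outputs are always the bitwise AND of the registers (the & stage), so a
    lone faulty processor can drop an output but can never energise one."""
    r0, r1, r2 = registers
    if r0 == r1 == r2:
        return r0, "3oo3", None
    agreeing = [pair for pair, same in (((0, 1), r0 == r1), ((0, 2), r0 == r2),
                                         ((1, 2), r1 == r2)) if same]
    if not agreeing:
        return 0, "FS-STOP", None
    faulty = ({0, 1, 2} - set(agreeing[0])).pop()
    return r0 & r1 & r2, "2oo3", faulty


def run_cycle(program, inputs, fault=None):
    """One PLC cycle: all three processors evaluate the same user program on the
    same input register. fault=(index, mask) flips output bits of one processor
    to model a hardware fault in that section."""
    regs = [program(inputs) for _ in range(3)]
    if fault is not None:
        idx, mask = fault
        regs[idx] ^= mask
    return vote(regs)


def guard_program(inputs):
    """Constructed FS user program: input bit0 = E-stop released, bit1 = gate
    closed; output bit0 = drive enable, bit1 = indicator lamp (always on)."""
    enable = 1 if (inputs & 0b11) == 0b11 else 0
    return enable | 0b10


if __name__ == "__main__":
    images = [b"compiled-by-compiler-A", b"compiled-by-compiler-A", b"compiled-by-compiler-A"]
    print("load check:", load_check(images))
    print("healthy cycle:", run_cycle(guard_program, 0b11))
    print("processor 2 drops enable:", run_cycle(guard_program, 0b11, fault=(2, 0b01)))
    print("processor 1 sets spurious output:", run_cycle(guard_program, 0b01, fault=(1, 0b01)))
    print("all disagree:", vote((1, 2, 3)))
```

Two properties are worth checking against the model: a processor that wrongly sets an output bit is outvoted by the AND stage, and a processor that wrongly clears one takes the output down for everybody, which is the safe direction the chapter relies on during the 2oo3 fault period.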
This may (or may not) have been true when the standards were written, but it is important to remember that standards are intended to be adaptable and are expected to evolve alongside technology. Future versions of any standard are subject to discussion in committee before publication. It is vital that committees are aware of the advances in technology relating to the standard being discussed, so that any relevant changes can be included. There are times when the "state of the art" may move faster than the meetings of the
Risk graph for selecting the category (B, 1, 2, 3 or 4) from the parameters S, F and P (S1/S2, F1/F2, P1/P2).
S = Severity of injury
S1 Slight injury (normally reversible), e.g. slight cut or bruise.
S2 Serious (normally irreversible) injury, including death.
Fig. 66: MTBF figures for PSS 3000 and PSS 3056
The chart shows the calculated MTBF for general system failures. As far as safety systems are concerned these figures refer to failures into a safe condition. The calculated figures for failures into an unsafe condition are shown below (same units as Fig. 66):

    Module          MTBF (failures into an unsafe condition)
    PSS PS          29.0
    PSS CPU         14.8
    3 off PSS DI    49.4
    2 off PSS DO    23.3
    PSS DIOT        21.6
a card is at fault,
a wire is open or has a short circuit, or
an input/output device has failed.
Once these have been entered, the block headers for the function blocks will appear. The following actual parameters are required. The wiring of the PSS DIOZ module shown alongside the listing maps module inputs I 00, I 01 and I 02 to the operands E 0.00, E 0.01 and E 0.02.

    E-STOP : Segment 00
    ******************************************************************
    All E-STOP buttons are monitored in this block segment
    ******************************************************************
          : CAL SB 061
    SB 061   NA_1   13.03.96  15.48   4AC8   APPROVED BLOCK
        KB 001    -B- SSNR              FG -X- M 070.00
        E 2.08    -X- EIN
        E 0.00    -X- S1_Ö
        E 0.01    -X- S2_Ö
        M 110.00 .RLO_ZERO -X- QAnf
        M 110.00 .RLO_ZERO -X- QAut
          : CAL SB 061
    SB 061   NA_1   13.03.96  15.48   4AC8   APPROVED BLOCK
          : CAL SB 061
    SB 061   NA_1   13.03.96  15.48   4AC8   APPROVED BLOCK
    SB 067   RFK_K4   04.06.96  09:05   F309   APPROVED BLOCK
    PB 001   CopyFehl   19.09.96  13.12
          :A  DB 15
          :I  DW 1015
          :BE

Fig. 68: Typical program using three two-channel E-Stops with output feedback monitoring