Supplement to the system manual - ifm · 2019. 2. 21. · 2.3. Analog inputs The correct...
28
Supplement to the system manual ecomat 100 type R 360 Use as safety controller
Transcript of Supplement to the system manual - ifm · 2019. 2. 21. · 2.3. Analog inputs The correct...
Supplement to the system manual
ecomat 100 type R 360
Use assafety controller
page 2
Supplement to the system manual ecomat 100 type R 360, April 2000
Warranty
This manual was written with the utmost care. However, we cannot assume any guarantee for thecontents.
Since errors cannot be avoided despite all efforts we appreciate any comment.
We reserve the right to make technical alterations to the product which might result in a change ofcontents of the manual.
page 3
1. General 5
1.1. Safety advice 51.2. Functions and features 51.3. Test basis for certification 7
2. Safety concept of the hardware 9
2.1. Digital inputs 92.2. Fast inputs 102.3. Analog inputs 112.4. Digital outputs 122.5. PWM outputs 162.6. Peculiarities and restrictions 17
3. Safety concept of the software 18
3.1. Program and system monitoring 183.2. Error messages 193.3. Program creation and download 203.4. LED functions 21
4. Use in control category 3/requirement class 4 applications 22
5. Wiring 25
5.1. CR7016 255.2. CR7017 265.1. CR7501 275.1. CR7502 28
page 4
page 5
1. General
1.1. Safety advice
Please follow the details of the description. Ignoring theinstructions, operation outside the proper use as describedbelow, wrong installation or incorrect handling can result insevere impairment of the safety of people and systems.
These instructions are aimed at persons who can be considered"experts" in the sense of the EMC guideline, the low-voltageguideline, the machine guideline and the safety-relevant specialstandards listed below. The controllers are to be installed andset up by a skilled person (programmer or service technician)
This description is a supplement to the current systemmanual ecomat 100 type R 360 the knowledge of which isrequired. It contains text and diagrams on the use of thecontroller under safety-relevant considerations and has tobe read before installation or application.
In the case of malfunctioning or uncertainties please contact themanufacturer. Tampering with the unit might lead toconsiderable impairment of the safety of persons and systems.It is not permissible and will lead to an exclusion of liability andwarranty.
1.2. Functions and features
The controller modules ecomat 100 type R 360 (in the followingtext called ecomat R 360) are designed for use under severeconditions (e.g. extended temperature range, strong vibration,intensive EMC stress). They are suitable for direct installation inmachinery in mobile and robust applications. Due to theirspecifications the inputs and outputs are specially designed forthis application. Integrated hardware and software functions(operating system) offer high protection.
In addition, special hardware and software functions for safety-relevant applications are integrated in the certified controllersallowing the use as safety controllers.
page 6
The controller ecomat R 360 is approved for safety-relevanttasks in the sense of the protection of persons if theappropriate system test routines are integrated in theoperating system and in the application software.
Depending on the use of the hardware or its external wiring(see chapter 2) and the structure of the user program (seechapter 3) the following safety classes can be reached withthe certified controllers ecomat 100 type R 360:
to EN 954-1: control category 3to DIN 19250: requirement class 4
However, the final classification should only be made aftera risk analysis of the application. The relevant supervisorybodies have to release the system (hardware andsoftware).
The application software can easily be created by the user withthe programming software ecolog 100plus.
All software functions and programming proceduresdescribed in this documentation refer to the programmingsoftware ecolog 100plus the knowledge of which is requiredin this description.
The operating system (*.H86), the controller configuration(*.M66) and the unit libraries (*.LIB) always have to have thesame software level. The software status is indicated bysuffixed letters in alphabetical order in the file names (e.g.CR7016_G.H86 or TDM_D.LIB). It also has to be noted thatthe internal libraries (made in IEC1131) are translated withthe loaded software level.
In general, only certified operating systems can and mustbe used in safety-relevant applications.
The user himself is responsible for the safe functioning ofthe application programs that he has created. If required,he has to obtain an approval by a relevant test andsupervisory authority in accordance with the nationalregulations.
page 7
1.3. Test basis for certification
Testing and certification was carried out on the basis of thefollowing standards and specifications:
DIN EN 954-1/03.97Safety-related parts of control systemsPart 1: General principles for designs
DIN V 19250/05.94Fundamental safety aspects to be considered for measurementand control equipment
DIN V VDE 0801/01.90 with modification A1/1994-10Principles for computers in safety-related systems
DIN V 19251 Draft/12.93Mc-protection equipmentRequirements and measures for safeguarded function
page 8
page 9
2. Safety concept of the hardware
The following chapters describe the safety concept of thehardware and its use in safety-relevant applications. Certifiedcontrollers type R 360 can be used in applications up to controlcategory 3 or requirement class 4 if the inputs and outputs areselected and wired accordingly.
2.1. Digital inputs
For the processing of digital signals switching states 0 (novoltage present) and 1 (voltage present) are permissible.Therefore a wire break (signal 0) and a short circuit to supplyvoltage (signal 1) cannot be detected.
To keep up the safety functions the input signals in theapplication have to be monitored. Therefore safety-relevantsignals are processed redundantly, i.e. the signal transmittersare connected in double and are processed via the usersoftware (also double). In addition, the inputs need to be indifferent input groups.
Program example
page 10
Plausibility check of the process If the application allows, sufficient failure safety can be achievedby selecting suitable signal transmitters (mechanical orelectronic), by appropriate installation and plausibility checks ofcertain parts of the plant which makes the installation of twoequal signal transmitters in one installation position obsolete.
2.2. Fast inputs
Fast counter, pulse or interrupt inputs (%IX0.12 ...%IX0.15) area special form of digital inputs which is why the facts describedin 2.1 also apply to these inputs.
Measuring methods In the case of safety-relevant frequency measurements thesignal frequency also has to be determined in two different waysin addition to the external wiring. Depending on the selectedsoftware functions (see library: CRxxxx_x.LIB) differenthardware parts are used in the ecomat R 360. The softwarefunction FREQUENCY determines the frequency on thebasis of the internal hardware counter, the function CYCLEon the basis of the internal timer. The result of these differentmeasurement methods then needs to be checked via the userprogram.
Program example
In the above example function SAVE_Value_ok compares thetwo frequency values SAVE_frequency and REF_frequency. Ifthe difference is smaller than or equal to the value ofACCEPT_TOLERANCE the two frequency values areconsidered equal and can be further processed. A program
page 11
example for the function SAVE_Value_ok is shown in chapter2.5.
Use It has to be observed that due to the different measurementmethods, errors in the frequency determination might occur.The function FREQUENCY is therefore suited for frequenciesbetween 100 Hz and 50 kHz with the error decreasing at higherfrequencies. The function CYCLE carries out a periodmeasurement and is therefore suitable for frequencies lowerthan 100 kHz.
Safety consideration For safety considerations errors in the reference measurementup to 20% can be tolerated, as the reference value is only usedto check the function of the measuring channel. The frequencyvalue for the application is derived from the "precise"measurement.
Use as digital inputs It also has to be observed that due to the permissible high inputfrequencies error signals (e.g. bouncing contacts of mechanicalswitches) are also detected. This has to be suppressed via theuser software, if required.
2.3. Analog inputs
The correct functioning of the analog / digital converter ischecked in the controller by the system on a regular basis viareference voltages so that all internal errors can be detected.
Errors in the wiring (short circuit, wire break), in the sensor or inthe input amplifier of the controller are not detected in thesechecks. Therefore analog input signals also have to beconnected and processed redundantly.
Furthermore, it makes sense to evaluate the signal voltage onlyin a limited range (e.g. 1 ... 9 V). This way the errors short circuitto ground or wire break and short to supply voltage /short circuitcan be detected.
page 12
Program example
In the above example function SAVE_Value_ok compares thetwo frequency values SAVE_A_IN_1a and SAVE_A_IN_1b. Ifthe difference is smaller than or equal to the value ofACCEPT_TOLERANCE the two analog values are consideredequal and can be further processed. A program example for thefunction SAVE_Value_ok is shown in chapter 2.5.
2.4. Digital outputs
Switching off the outputs in case of a fault is one of the mostimportant features of machine controllers. The switched-off (de-energized) state is considered the safe state.
The constant monitoring of the connected actuators for wirebreak, short to the supply voltage or ground, multiple connectionof two or more outputs to a given actuator as well as undesiredand unallowed direct connection of the supply voltage to a givenactuator is therefore absolutely necessary.
For the above-mentioned faults the ecomat R 360 has outputswith diagnostic capability which are automatically checked bythe operating system. Also, they must be evaluated in theapplication software by the user.
page 13
Readback outputs are internally set up as follows:
The block diagram shows:
Wire break A wire break detection is made via the input channel. If theoutput is blocked, High (logic 1) is read in because the resistorRi pulls the connection to HIGH potential (VBB). Without thewire break the low-ohmic load (RL < 10 kΩ) would force LOW(logic 0).
The error bit in the system flag byte BREAK.... for thecorresponding output is only set in the state Output OFF.
Flag byte Output addresses Error bitsBREAK_Q1Q2 %QX0.0 ... %QX0.7 %IX0.120 ...%IX0.127BREAK_Q3 %QX0.8 ... %QX0.15 %IX0.128 ...%IX0.135BREAK_Q4 %QX0.16 ... %QX0.23 %IX0.136 ...%IX0.143
The short to ground can also be detected via the readbackchannel. If the output is switched on, LOW (logic 0) is read in.
Short The error bit in the system flag byte SHORT... for thecorresponding output is only set in the state Output ON.
Flag byte Output addresses Error bitsSHORT_Q1Q2 %QX0.0 ... %QX0.7 %IX0.96 ...%IX0.103SHORT_Q3 %QX0.8 ... %QX0.15 %IX0.104...%IX0.111SHORT_Q4 %QX0.16 ... %QX0.23 %IX0.112...%IX0.119
In the case of a short/overload the output transistor switches offautomatically. For reasons of safety it does not switch on againautomatically. It must therefore first be deactivated via theapplication software and then switched on again.
Monitoring for multipleConnections Depending on the result of the risk analysis of the application
the outputs must be additionally tested for multiple connection oftwo or more outputs to a given actuator, undesired and
page 14
unallowed direct connection of the supply voltage to a givenactuator and short to the supply voltage. To do so, a shortswitch-off pulse (100 - 200 µs) is automatically applied to themonitored outputs (readback outputs) one after the other by theoperating system of the controller. It is read back and evaluatedby the integrated diagnostic channels. This diagnostic test iscyclically carried out (approx. every 30 s) during the wholecontroller test and monitoring.
In addition, this diagnostic test also detects the wire break in thecase of an active output (extension to normal diagnosis).
A fault detected by the diagnostic test is indicated by the errorbit ERROR_OUTPUTBLANKING. By means of a moreextensive diagnosis (see above) the exact fault can be located.
To activate the diagnostic test the corresponding bit in thesystem flag byte CHECK_... must be set.
Flag byte Output addressesCHECK_Q1Q2 %QX0.0 ... %QX0.7CHECK_Q3 %QX0.8 ... %QX0.15CHECK_Q4 %QX0.16... %QX0.23
If one of the above errors is detected, all (!) outputs andthe safety relay are immediately switched off. Also, theLED on the controller module passes into the statered/flashing (error) and the error bitERROR_OUTPUTBLANKING is set.
Second switch off-way Applications to control category 2 (and higher) require a secondswitch-off way if the dangerous failure is not signalled in time(warning message, alarm, display etc.). For this purpose thecontroller ecomat R 360 has an additional relay. Outputs whichare switched off via the safety relay and provide full diagnosticcapability are identified in the configuration diagrams by thedesignation "readback channel" ("R") and the reference to therelay contact.
Testing and monitoring In these applications the outputs, as described above, need tobe tested and monitored at all times (short circuit, wire breakshort against supply voltage and multiple connection of two ormore outputs to a given actuator as well as undesired andunallowed direct connection of the supply voltage). Themonitoring functions (interruption, short to GND/supply voltageand multiple connection of two and more outputs to a givenactuator as well as undesired and unallowed direct connectionof the supply voltage) of the operating system which can beactivated via the user software have to be used, evaluated in theuser software and have to respond appropriately to errors.
page 15
The analysis of the safety system has to show if an outputworking as a safety-relevant switch-off way has to be redundantor if monitoring and testing as described above are sufficient.Furthermore, the analysis has to check if in the case of an errorswitching off via the internal relay is sufficient or if a secondoutput (electrical or hydraulic) needs to be used for redundantswitching off. If e.g. a cable loom to an external valve has nosupply cable or if a short to GND is harmless from a safety pointof view, switching off the output via the internal relay issufficient.
Program example
page 16
Use of the diagnostic test For reasons of compatibility the diagnostic test(CHECK_xx) can be activated for all outputs. But this onlymakes sense when the corresponding readback channeland, if necessary, the relay are available as a secondswitch-off way.
2.5. PWM outputs
No internal test Due to the function principle there is no system internalmonitoring and testing for these outputs. Should this be requiredfor reasons of safety it has to be accomplished via the userprogram, e.g. by reading back the analog voltage via a voltagechannel, and the software function FAST_ANALOG.
Program example
page 17
2.6. Program example for the functionSAVE_Value_ok
2.7. Peculiarities and restrictions
Input test (pin 24) When outputs are defined as safety relevant (bits CHECK_xxset) they cannot be used when the test input is active. The testinput has to be set when e.g. the software is to be loaded intothe controller.
The outputs are only available again when the test isdeactivated and the controller is reset (switching off andon).
Use of the CAN bus In the existing hardware version the CAN bus must not be usedfor safety-relevant applications. At present a CANopen profilefor safety-oriented applications is in development at the userorganisation "CAN in Automation" (CiA). As soon as it has beenreleased and integrated, "safe" data can be transferred viaCAN.
page 18
3. Safety concept of the software
3.1. Program and system monitoring
System test All software parts in the controller are monitored by theoperating system and the internal additional processor as far aspossible. This way errors, e.g. time-out in the case of animproper program run, can be detected and the user can reactaccordingly.
When the controller is switched on all hardware and softwareparts of the controller are tested. These internal tests andmonitoring processes are repeated at regular intervals with thetime to first fault of 30 s being kept. Independent of the userprogram all function parts of the controller incl. the outputs (seechapter 2.4) are tested.
Structure of the software The software in the controller is divided into the parts operatingsystem and user software. They are monitored cyclically withregard to faultless operation individually and as a total by meansof check sums. The check sums are generated automaticallyand are attached to the software parts
Operating system The user receives the operating system together with theprogramming system. It has to be loaded once (normal case).
The numbers of the operating system and of the hardwarehave to match, e.g. CR7016_H.H86 -> CR7016.
User program The user program or application program is created in situ. Thestructure has to correspond to the required safety class. It hasto be loaded into the controller after the operating system.
When structuring the application program, make sure thatthe versions of the operating system (*.H86), the controllerconfiguration (*.M66) and the libraries (*.LIB) are identical.
Maximum program cycle time The maximum cycle time of a user program must not exceed100 ms. Longer times result in a reaction of the watchdog andthus in a Fatal Error (LED red / permanently).
page 19
3.2. Error messages
The controller reacts to any error detected during the systemmonitoring. The reaction varies depending on the degree of theerror.
Severe error If a "severe error" is detected the outputs (and the relay) areswitched off. The LED lights red. The application programcontinues thus allowing communication via the interfaces e.g.for troubleshooting.
severe errorsERROR_TEMPERATURE (overtemperature)ERROR_POWER (under/overvoltage)ERROR_ANALOG (error analog conversion)ERROR_IO BREAK_Q1Q2_NEW(wire break, BREAK_Q3_NEWshort circuit, BREAK_Q4_NEWmultiple connect- SHORT_Q1Q2_NEWion) SHORT_Q3_NEW
SHORT_Q4_NEWERROR_OUTPUTBLANKING
When a severe error occurs, no further diagnostics can becarried out (wire break, short circuit). That is why e.g. all errorbits and the outputs have to be reset and further error analysishas to be carried out in an error routine in the user program.
Fatal error When a "fatal error" occurs the controller is stopped completely.All outputs are switched off, the processing of the software isstopped and communication is no longer possible.
fatal errorERROR_MEMORY (memory error)ERROR_ADDRESS (addressing error)ERROR_CPU (CPU error)ERROR_CO_CPU (error in the co-processor)ERROR_INSTRUCTION_TIME (processing time error)ERROR_TIME_BASE (error internal system time)ERROR_RELAIS (error relay triggering)ERROR_DATA (faulty system data)
If the test input (pin 24) is active a "fatal error" is treated like a"severe error" which means that the outputs are switched offand the LED lights red. Communication for further errordiagnostics is possible as the application program continuesrunning.
page 20
CAN error Since the CAN bus can at present not be used for safety-relevant tasks CAN errors are only displayed to the programmerwho is responsible for processing them. For further informationrefer to the system manual ecomat R 360.
3.3. Program creation and download
The user program is created with the programming systemecolog 100plus (version 1.6) and is loaded into the controllerseveral times during the program development. Before eachdownload the generated code is translated again which meansthat each time a new check sum is created.
This procedure is permissible up to the release of the software.For the series production of the machine or for service a uniformsoftware and check sum have to be ensured.
Download file For each translation process the programming softwaregenerates an additional Intel-hex-file which is stored in thecurrent project directory \ECOPLUS under the namename_of_project_file.H86. This file has to be saved after theapplication software has been released. From this moment theapplication software should only be loaded into the controllersfrom this file. The H86 file is automatically assigned a checksum during translation.
page 21
A download program (programme DOWNLOADER) isavailable for downloading the HEX file. This program has tobe used to ensure a uniform software level.
Changes in the original software automatically generate anew Intel-hex-file which may only be loaded into the safety-oriented controllers after renewed certification.
3.4. LED functions
The following operating states of the controller are displayed viathe integrated LED status.
LED colour Flashing freq. Description
orange permanently on reset checks
red permanently on Fatal Error
green 5 Hz no operating system loaded
green 0.5 Hz Run, CANopen: PREOPERATIONAL
2.0 Hz Run, CANopen: OPERATIONAL
permanently on Stop, CANopen: PREPARED
red 0.5 Hz Run w. error (CANopen: PREOPERATIONAL)
2.0 Hz Run w. error (CANopen: OPERATIONAL)
permanently on Stop with error
CANopen operating states The operating states STOP (PREPARED) and RUN (PRE-OPERATIONAL / OPERATIONAL) can be changed by theprogramming system or the NMT master.
In the state RUN the user program is processed. However, thecontroller only takes part in the CANopen communication whenit is set in the state OPERATIONAL. To identify the currentoperating state in the application program the user can evaluatethe flag COP_PREOPERATIONAL. The flag is TRUE in thestate PREOPERATIONAL, otherwise it is FALSE.
page 22
4. Use in control category 3/requirementclass 4 applications
The mobile controller ecomat R 360 is a one-channel controllerwhich meets the requirements for control category 3 andrequirement class 4 without any restrictions.
Configuration and use in safety-oriented applications shouldonly be carried out based on a risk analysis.
In addition, the following points have to be observed:
General The de-energized state of an output with safety function is thesafe state (L-signal). This state has to be accomplished via 2separate and independent switch-off ways by using tested tripactuators.
Connection of inputs and outputs Safety-oriented inputs and outputs have to be used redundantly.This includes the redundant connection of signal transmitters tothe inputs and the use of redundant outputs as second way ofswitching off in the application (e.g. hydraulic valves and pumps)(see chapter 2.)
Sensors / signal transmitters The signal transmitters have to be connected to two differentinput groups. If the outputs are not tested, they have to beconnected in the same way.
Diagnosis for outputs Digital outputs have to be monitored via the diagnostic function.If a signal changes (on/off) less than once per hour the outputsneed to be tested additionally. Only use tested outputs (seechapter 2.4.)
Testing of outputs Testing of redundant inputs and outputs for equality and, ifrequired, the automatic testing have to be realised in the userprogram.Furthermore, the dynamics of the input signals has to beobserved. Monitoring for equality only uncovers errors when theinput signals change at sufficiently short intervals. In the case ofstatic signals it has to be assessed if e.g. further measures arerequired (see chapter 2.4)
Program structure In the program structure it has to be ensured that safetyfunctions are separated from pure control functions, i.e. thatthey are realised in their own program and function blocks. Thisprevents problems in the safe program parts and can bechecked and tested more easily.
Safety consideration On the basis of the monitoring functions of the above pointsrealised in the operating system it has to be assessed if processdependent safety functions to requirement class 4 or controlcategory 3 are provided in accordance with the safety systemand the user software.
page 23
Fault tolerance time In this context the fault tolerance time in particular needs to beassessed. This is the maximum time which may pass in theapplication between the occurrence of an error and the safestate without any danger for persons. The maximum cycle timeof the user program (in the most unfavourable case 100 ms)and the possible delay and response times of the trip actuatorsneed to be taken into account. The resulting total time has to beshorter than the fault tolerance time of the application.
Time to first fault The time to first fault also has to be observed. The controller istested by the operating system via internal monitoring and testroutines at intervals of max. 30 s. This "test cycle time" has tobe shorter than the statistical time to first fault for theapplication.
The time is reduced when the cycle time is <100 ms (e.g. 10 ms<> time to first fault 3 s).
Programming The user software always has to be created by observing allinformation and notes in the system manual.
Operating system detection The number of the operating system has to match the articlenumber of the control module (e.g. CR7016_H.H86 -> CR7016).It also has to be ensured that the software parts operatingsystem (*.H86), control configuration ('.M66) and libraries ('.LIB)have the same version identification (e.g. CRxxxx_H).
Program structure The safety-relevant part has to be clearly separated from thenon-safety-relevant part of the user program. Variables andflags in the safety-relevant part have to have a clearidentification, e.g. prefix S_.... . Furthermore, it has to be provedthat the safety-relevant part of the software is not influenced bythe other program parts.
Function check of the software All parts of the application software have to undergo a completefunction check.
Program changes After the application software has been approved, no morechanges are allowed. Only use the software should with anunchanged operating system software. The only file allowed tobe loaded into the control modules via the download software isthe HEX file name_of_project_file.H86.
If changes are made, the complete software needs to bechecked again.
Documentation In addition to a print out, the application software has to bearchived with write protection in two copies (e.g. diskette, CD).The documentation has to clearly show the version of theoperating system used, the programming software and thehardware used.
Via the download software the version of the applicationsoftware and the operating system can, if required, becompared with the archived software. This includes comparisonof the CRC code.
page 24
page 25
5. Wiring
5.1. CR7016
page 26
5.2. CR7017
page 27
5.1. CR7501
page 28
5.1. CR7502
