TM Functional Safety 07 2011 en
Functional
Safety (FS)
NC Software
606 420-01 SP 05
606 421-01 SP 05
July 2011
Subject
1 Update Information
1.1 General Information ..... 7
2 Introduction
2.1 Meaning of the Symbols Used in this Manual ..... 13
2.2 Warnings ..... 14
2.3 Proper Operation ..... 17
2.4 Trained Personnel ..... 17
2.5 General Information ..... 18
2.6 Overview of FS Components ..... 23
2.6.1 List of approved control components ..... 24
2.6.2 List of approved inverter components ..... 27
2.6.3 Differences between systems with and without functional safety (FS) ..... 29
4 Realization and Safety Functions
4.1 Glossary ..... 37
4.2 Realization of the HEIDENHAIN Safety System ..... 41
4.3 Activation of Functional Safety (FS) ..... 41
4.4 (S)PLC Programs ..... 42
4.5 SPLC ..... 43
4.6 SKERN ..... 45
4.7 Cross Comparison ..... 46
4.8 Description of the Safety/Monitoring Functions ..... 47
4.8.1 Overview of the safety functions ..... 47
4.8.2 Overview of monitoring functions ..... 49
4.8.3 Safe stop 0 (SS0) ..... 50
4.8.4 Safe stop 1 (SS1) – Fastest possible stopping ..... 51
4.8.5 Safe stop 1D (SS1D) – Delayed SS1 ..... 54
4.8.6 Safe stop 1F (SS1F) – Fastest possible stopping ..... 54
4.8.7 Safe stop 2 (SS2) – Controlled stopping ..... 55
4.8.8 Summary of the stop reactions ..... 58
4.8.9 Safe torque off (STO) ..... 60
4.8.10 Safe operating stop (SOS) ..... 62
4.8.11 Safely limited speed (SLS) ..... 63
4.8.12 Safely limited position (SLP) ..... 64
4.8.13 Safe brake control (SBC) ..... 66
4.8.14 Safely limited increment (SLI) ..... 67
4.8.15 Nominal-actual value comparison ..... 67
4.8.16 Nominal-actual value comparison of position values ..... 68
4.8.17 Nominal-actual value comparison of speed values ..... 68
4.8.18 Protection against unexpected start-up ..... 69
4.8.19 dv/dt monitoring of the braking processes ..... 69
4.8.20 Response times, definitions, demand rates ..... 70
4.8.21 Safe status bits ..... 75
4.8.22 Fault reaction to safe status bits ..... 78
4.8.23 Behavior when a fault is detected ..... 80
4.8.24 Stop reactions depending on the fault situations ..... 82
4.9 Special Features of Software Version 606 42x-01 ..... 88
4.10 Requirements the Application Must Meet ..... 92
4.11 Remaining Risks ..... 94
8 SPLC – Safety-Related PLC
8.1 General Information ..... 177
8.2 Safe Software Structure ..... 178
8.3 Software Structure of PLC / SPLC ..... 178
8.4 Glossary ..... 179
8.5 SPLC Development Tool ..... 181
8.6 PLC and SPLC Programs ..... 182
8.7 Safety of the SPLC Program ..... 183
8.8 Requirements to Be Met by the SPLC Program ..... 184
8.8.1 Axis groups / working spaces for an example milling machine ..... 184
8.8.2 Moving the axes with open guard doors ..... 184
8.9 Interfaces of the SPLC ..... 185
8.9.1 The splcapimarker.def definition file ..... 185
8.9.2 Safety-related inputs, FS inputs ..... 187
8.9.3 Safety-related outputs, FS outputs ..... 188
8.9.4 SKERN --> SPLC programming interface ..... 190
8.9.5 SPLC --> SKERN programming interface ..... 193
8.9.6 PLC --> SPLC programming interface ..... 194
8.9.7 SPLC --> PLC programming interface ..... 195
8.9.8 Diagnosis of the SPLC operands ..... 195
8.10 Tasks of the SPLC Program ..... 196
8.10.1 Operation with open guard door ..... 196
8.10.2 Selecting a safety-related operating mode (SOM) ..... 197
8.10.3 Requirements to be met by SPLC outputs ..... 197
8.10.4 Requirements on the data of the ApiToSafety structure ..... 200
8.10.5 Filtering of inputs ..... 219
8.11 Sample Cases ..... 221
8.11.1 Movement of NC axes and spindle ..... 221
8.11.2 Movement of the axes of the tool magazine ..... 228
1.1 Overview
Danger
Failure to comply with this information could result in most serious or fatal
injuries, and/or in substantial material damage.
Note
Tips and tricks for operation as well as important information, for example
about standards and regulations, as well as for better understanding of the
document.
Attention
The machine tool is not in a safe state until after it has booted completely
and the safety self-test was passed successfully!
During start-up or the reset phase, the control is not in a safe state (e.g.
installation of a service pack). Axes and spindles are without torque
during this time!
When exchanging hardware components, replace them only with the same
model. If an encoder is exchanged, the affected motor must be referenced
and tested again.
Depending on the changes during an exchange or update of the
software, either a partial or complete acceptance test becomes
necessary. The following must be ensured before or during an exchange
or update of the software:
• All openings (e.g. doors) to the working space must be closed
• Emergency stop must be activated
• There must be no tools in the spindle
• Vertical axes must be protected against falling
• No persons are permitted in the danger zone
The control must be shut down correctly before the machine is switched
off via the main switch. Should this not be possible due to an error, an
emergency stop is to be initiated via the main switch before removing
power from the machine.
Danger
Please note the following during initial operation of your new machines
with the new HSCI hardware generation of the iTNC 530:
With the introduction of this hardware, the new functional safety (FS) is
available for the first time, featuring the following properties:
• Safety category 3 (Performance Level d) in accordance with EN ISO
13849-1: December 2008
• SIL 2 as per DIN EN 61508
• Operating modes as per EN 12417
• Integrated SPLC for adaptation to the machine
The enhancements regarding functional safety to the NC software are
fundamental new developments by HEIDENHAIN. This means that the
necessary software tests have been performed only partially, and that the
complete system does not yet have sufficient functional tests. This means
that special care must be taken when working with the affected new
machines, since faulty operation of the integrated safety functions of the
software cannot be ruled out.
Please inform your colleagues and employees using these machines of
these possible dangers. No persons should be within the traverse range of
the axes.
Danger
Only the iTNC 530 HSCI control with NC software 606 42x may currently
be used for applications with functional safety. Other controls (e.g. the
TNC 6xx NCK-based controls) and NC software versions do not yet
support the use of functional safety!
However, NC software 606 42x has not yet been generally approved for
applications that use the integrated functional safety (FS) of the control.
Separate approval by HEIDENHAIN is required for the use of integrated
functional safety (FS) according to EN ISO 13849-1!
Note
Update Information No. 25 loses its validity as soon as the iTNC 530 HSCI
Technical Manual for NC software 606 42x becomes available.
Note
You can download manuals, other documentation and PC software tools for
machine manufacturers from the HEIDENHAIN FileBase.
[Figure: overview of FS components in an HSCI system: cabinet panel with
MC 6xxx, CC 6110 and power module (READY, RESET (X112)); TE 6xx keyboard
unit with USB (X79); MB 620 FS machine operating panel; HR xxx FS handwheel;
permissive buttons and key switches; motor connections U V W]
Note
Please take the following lists into account when configuring your machine
and in case servicing is required. The right-most table column contains the
approved ID numbers of these components.
Note
Components indicated in this list with -xx do not assume any safety-relevant
task in the sense of functional safety (FS). You can use any variant of these
components.
Components indicated in this list with "Not yet approved for FS" are not
approved for use in systems with functional safety.
The list will be expanded or revised correspondingly when new components
are approved for use in systems with functional safety (FS). Should a
component you wish to use not be listed, please ask your contact person at
HEIDENHAIN if the component may be used.
Hardware | Component | ID
MC 6241 | Main computer 1.8 GHz with HDR, electrical cabinet version, without Profibus | 573 398-03
MC 6241 | Main computer 1.8 GHz with HDR, electrical cabinet version, with Profibus | 653 220-03
MC 6222 | Main computer with 15-inch TFT display, 1.8 GHz with SSDR, operating-panel version, without Profibus | 634 109-02
MC 6222 | Main computer with 15-inch TFT display, 1.8 GHz with SSDR, operating-panel version, with Profibus | 634 113-02
MC 6341 | Main computer with 15-inch TFT display, 2.2 GHz dual core with HDR, electrical-cabinet version | Not yet approved for FS
MC 6341 | Main computer with 15-inch TFT display, 2.2 GHz dual core with HDR, electrical-cabinet version, with Profibus | Not yet approved for FS
HDR iTNC | Hard disk for MC 6x41, 80 GB, NC software 606 420-01 | 682 272-01
HDR iTNC | Hard disk for MC 6x41 (export version), 80 GB, NC software 606 421-01 | 682 272-51
SSDR iTNC | Solid State Disk for MC 6222, 32 GB, NC software 606 420-01 | 736 591-01
SSDR iTNC | Solid State Disk for MC 6222 (export version), 32 GB, NC software 606 421-01 | 736 591-51
SIK iTNC | SIK for MC 62xx, single-processor version, incl. SW option 2 | 586 084-xx
SIK iTNC | SIK for MC 62xx, single-processor version, incl. SW option 2 (export version) | 586 084-xx
SIK iTNC | SIK for MC 63xx, single-processor version, incl. SW option 2 | Not yet approved for FS
SIK iTNC | SIK for MC 63xx, single-processor version, incl. SW option 2 (export version) | Not yet approved for FS
CC 6106 | Controller unit for HSCI for max. 6 control loops | 662 636-01
CC 6108 | Controller unit for HSCI for max. 8 control loops | 662 637-01
CC 6110 | Controller unit for HSCI for max. 10 control loops | 662 638-01
UEC 111 | Controller unit with inverter and PLC, 4 control loops | 625 777-xx
UEC 112 | Controller unit with inverter and PLC, 5 control loops | 625 779-xx
UEC 111 FS | Controller unit with inverter and PLC, 4 control loops, functional safety | Not yet approved for FS
UEC 112 FS | Controller unit with inverter and PLC, 5 control loops, functional safety | Not yet approved for FS
UMC 111 FS | Controller unit with inverter and PLC for power supply via external DC link, 4 control loops, functional safety | Not yet approved for FS
CMA-H 04-04-00 | SPI expansion module for analog nominal-value outputs | 688 721-xx
PSL 130 | Low-voltage power supply unit, 750 W, for +24 V NC and +24 V PLC | 575 047-xx
PSL 135 | Low-voltage power supply unit, 750 W, for +24 V NC, +24 V PLC and +5 V NC | 627 032-xx
MB 620 FS | Machine operating panel for HSCI connection, functional safety | 660 090-01
PLB 6001 FS | HSCI adapter for OEM-specific machine operating panel, functional safety | Not yet approved for FS
If other low-voltage power supply units are used for +24 V NC and +24 V PLC,
the output voltages must fulfill the requirements for Protective Extra Low
Voltage (PELV) with double basic insulation according to EN 50 178, also see
the iTNC 530 HSCI Technical Manual, chapter 3.8.
Danger
In HSCI systems with integrated functional safety (FS) you may use only
inverters or power supply modules that have been approved for use in such
systems.
Please take this into account when configuring your machine and in case
servicing is required. Suitable devices are listed below in the right column of
the table.
Components indicated in this list with "Not yet approved for FS" are not yet
approved for use in systems with functional safety.
The list will be expanded or revised correspondingly when new components
are approved for use in systems with functional safety (FS). Should a
component you wish to use not be listed, please ask your contact person at
HEIDENHAIN if the component may be used.
Below you will find an overview of the devices that, according to ISO 13849,
are permitted for use in systems with FS:
Note
HEIDENHAIN controls with integrated safety strategy fulfill their share of the
requirements as specified in the above directives, thus enabling you as the
manufacturer to produce your machines in accordance with the machinery
directives.
HEIDENHAIN controls with integrated functional safety (FS), for which safety-
relevant specifications (suitability for certain PL or SIL levels) will be indicated
in the future, are not considered safety components in the sense of Machinery
Directive 2006/42/EC (article 2, letter c). Since these controls are also not
"partly completed machinery" (article 2, letter g), they do not fall under the
provisions of the Machinery Directive. For this reason we do not issue any EC
Declaration of Conformity nor a Declaration of Incorporation in the sense of
the Machinery Directive.
Functional safety
Due to the applications of the device or system, the following directives and
standards are also valid:
Electromagnetic compatibility
"EMC and functional safety for power drive systems with integrated safety
functions" principle for testing dated February 2007
Fulfillment of the requirements
HEIDENHAIN controls with functional safety operate according to the
following principles in order to fulfill the requirements for category 3:
• The control is structured in such a way that individual faults are detected,
and that an individual fault in the control does not result in loss of the safety
function.
• Redundant structures, reciprocal data comparison and dynamic sampling of
safety-related signals are used for error detection.
The principles below are followed in order to fulfill the requirements of SIL 2:
• In order to avoid faults in safety-related software, HEIDENHAIN adheres to
annexes A and B of IEC 61508-3.
• Tables A.2 to A.15 and A.16 to A.19 of IEC 61508-2 are used to control random
faults and to avoid systematic faults.
4.1 Glossary
CC Controller computer:
Modular HSCI slaves, for servo drive control
CCs also assume safety-related tasks (see SPLC/
SKERN below). The MC determines the master CC on
the basis of the relative positions in the HSCI system.
The first CC in the HSCI system (nearest the MC)
becomes the master CC.
LIFT-OFF Function that lifts off the tool automatically from the
contour by a defined distance in the tool-axis direction
in order to protect the workpiece (e.g. in a power
failure).
MC Main computer:
Control hardware that also functions as a master for
HSCI.
S status Safe status range of the HSCI telegram. The safe status
range contains bits for the status of watchdogs,
emergency stop and power-fail information, etc. of the
individual HSCI participants. The bits of the safe status
range provide the basic safety-related information of the
A channel (see page 4–75).
TM Tool magazine:
Tool magazine for the storage and management of
different tools.
WD Watchdog:
Counter for monitoring the status of other functions or
components.
The main task of the (S)PLC program is the processing of the input information
from the (S)PLs and the generation of output states for the (S)PLs.
To do so, it edits the PLC memory via PLC commands with memory operands.
Logical states and signed bytes, words (16 bits) and doublewords (32 bits) are
saved in this memory.
Specific areas have different tasks:
• Memory mapping the status of the inputs
• Memory for timers and counters
• Memory for internal states and calculations
• Memory for the interface to the software of the MC and CC
• Memory defining a map of the outputs to be set
This division of the memory is also called a memory map.
On a control with integrated safety, three different PLC programs with
separate memory maps are run simultaneously:
• Standard PLC program on the hardware of the MC
• SPLC program on the hardware of the MC
• SPLC program on the hardware of each CC
[Figure: distribution of the PLC/SPLC programs over the MC 6xxx (CPU,
A channel) and the CC 6xxx (B channel)]
The safety-kernel software is responsible for the realization of all basic safety
functions:
• Initiation and monitoring of the stop reactions (SS0, SS1, SS1F, SS2)
• Standstill monitoring in SOS state
• Monitoring of the safely limited speeds (SLS) in the various safety-related
operating modes
• Initiation of safe brake control (SBC)
• Safely-limited position (SLP)
• Nominal-actual value comparison of position values or speed values
• Control of dynamic tests
• Carrying out the cross comparison
• Commanding the control of safety-related outputs of the SPLC (e.g. control
of motor holding brakes)
• Transfer of axis-group states (STO, SOS, AUTO (AUTO = operation if the
guard doors are closed) or of the safety function in direct connection with
the operating mode: SLI_2 through SLI_4, SLS_2 through SLS_4) to the
SPLC
• Transfer of the axis states (at standstill or in motion) to the SPLC
• Transfer of the axis positions to the SPLC
• Performing the safety self-test (SSt)
Note
A direct cross comparison of the physical input signals of the SPLC does
not take place.
Danger
The risk analysis you have to carry out for the machine must state the
requirements to be fulfilled by the individual safety function.
Before using the control, you must check whether the safety functions
realized by HEIDENHAIN meet the requirements of your risk analysis.
dv/dt monitoring of the axes/spindle by the MC/CC | During deceleration the
axes and the spindle are monitored via two channels (by MC and CC) for a
decrease in speed.
Danger
Axes and spindles that do not have mechanical motor holding brakes
coast to a stop.
The measures to be taken against external force (e.g. sagging of hanging
axes) must be in accordance with Information Sheet No. 005 "Gravity-
loaded axes (vertical axes)" issued by the engineering technical
committee of the BGM (German Employer's Liability Association in the
metal industry).
After SS0, the drives can be restarted only by turning the main switch off
and back on (power supply voltage of the machine).
[Figure: braking behavior of axes and spindle without brake: they coast to a
stop. Axis/Spindle: STO. CC: STO.B.x, BRK.B.x, BRK_REL.B.x. MC: STO.A.x,
STO.A.G, STOS.A.G, BRK_REL.A.x; RDY.x off]
[Figure: braking behavior upon SS1: spindle and axis stopped along the
emergency stop ramp by the CC (SS1), dv/dt monitoring active; reaction time
of holding brake MP2308 (200 ms); speed limits: spindle n < 10 rpm, axis
F < 50 mm/min; axis additionally stopped by holding brakes; SMP525.x (axis),
SMP526.x (spindle). Spindle: STO. MC: STO.A.G, STOS.A.G, STO.A.Sx; RDY.x off.
CC: STO.A.Sx]
[Figure 3.6: Braking behavior upon stop 2 (releasing the permissive button or
key while the spindle is running). Spindle and axis stopped along the
emergency stop ramp by the CC (SS1), dv/dt monitoring active; SMP525.x,
SMP526.x; axis stopped by holding brakes, MC: STO.A.x, BRK_REL.A.x.
Spindle: STO; MC: STOS.A.G, STO.A.Sx; RDY.x off; CC: STO.B.Sx. Axis: SOS;
SMP527.x (axis), SMP526.x (spindle)]
[Figure 3.7: Braking behavior upon stop 2 (pressing the spindle stop key).
Spindle: STO; MC: STOS.A.G, STO.A.Sx; RDY.x off; CC: STO.B.Sx; SMP528.x
(spindle)]
[Figure 3.8: Braking behavior upon stop 2 with incorrectly set parameters.
Spindle and axis stopped along the emergency stop ramp by the CC (SS1),
dv/dt monitoring active; decelerating on contour, path monitoring active.
Spindle: STO; MC: STOS.A.G, STO.A.Sx; RDY.x off; CC: STO.B.Sx; SMP526.x
(spindle)]
Note
The safe torque off (STO) safety function must automatically switch off the
machine control voltage (CVO) via –STO.A.G. Therefore, the –STO.A.G
signal must be connected to the latch circuit of the machine control voltage
via a relay contact.
Please refer to the basic circuit diagram from HEIDENHAIN. The line voltage
of the machine is not switched off.
When the STO function is activated, the motor cannot generate a torque
anymore. This can result in a hazardous movement, such as may occur
with:
Axes and spindles without mechanical motor holding brakes (coasting to
a stop)
Vertical and inclined axes without weight compensation
Direct drives with low friction and self-retention
External force on the drive axes
The measures to be taken against external force (e.g. sagging of hanging
axes) must be in accordance with Information Sheet No. 005 "Gravity-
loaded axes (vertical axes)" issued by the engineering technical
committee of the BGM (German Employer's Liability Association in the
metal industry).
It is your duty as a machine tool builder to carry out a risk analysis and use
it as a basis to minimize the risks by taking suitable measures.
Attention
The speed limit values for the axes and spindle are defined in
EN 12417:2007 for the various safety-related operating modes, and are
stored in safe machine parameters in the HEIDENHAIN controls.
The monitoring for SLS is always axis-specific. During interpolating
movements (movements in which more than one axis is involved) the
resulting contour speed of the tool center point or tool can assume higher
values than the defined axis-specific limit values.
The machine tool builder must enter the axis-specific speed limit values
for SLS of the various safety-related operating modes in the SMPs such
that the permissible speed limit values of the standard are not exceeded
even when interpolating movements are executed. The resulting contour
speed of the tool center point must not exceed the permissible speed
limit values of the standard.
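The interpolation caveat above can be checked numerically before the SMP values are entered. The following Python is an added example, not HEIDENHAIN code and not part of the manual: it computes the resultant tool-center-point speed of a linear interpolation as the Euclidean norm of the simultaneous axis speeds, shows that axis-specific SLS limits alone do not bound that resultant, and derives the equal per-axis limit that keeps the resultant within a given permissible value for any number of simultaneously moving axes. The value 2000 mm/min is a constructed placeholder, not a limit from EN 12417.

```python
import math

# Constructed placeholder for the permissible speed of the standard in the
# active safety-related operating mode (mm/min). NOT a value from EN 12417.
STANDARD_LIMIT_MM_MIN = 2000.0


def contour_speed(axis_speeds):
    """Resultant tool-center-point speed of a linear interpolation (mm/min):
    the Euclidean norm of the simultaneous axis speeds."""
    return math.sqrt(sum(v * v for v in axis_speeds))


def check_sls(axis_speeds, axis_limits, standard_limit=STANDARD_LIMIT_MM_MIN):
    """Evaluate one interpolating movement.

    axis_ok    -- every axis is within its own axis-specific limit, which is
                  what the axis-specific SLS monitoring checks
    contour_ok -- the resultant speed is within the standard's limit, which
                  the axis-specific monitoring does not check by itself
    Returns (axis_ok, contour_ok, contour_speed_mm_min).
    """
    axis_ok = all(abs(v) <= lim for v, lim in zip(axis_speeds, axis_limits))
    vc = contour_speed(axis_speeds)
    return axis_ok, vc <= standard_limit, vc


def max_axis_limit(standard_limit, n_axes):
    """Largest equal per-axis limit such that n_axes moving simultaneously at
    that limit still keep the resultant within standard_limit (worst case of
    a linear interpolation: all axes at full speed at the same time)."""
    return standard_limit / math.sqrt(n_axes)


if __name__ == "__main__":
    # Constructed scenario: three linear axes, each parameterised to the
    # standard's limit. Each axis alone passes, the resultant does not.
    naive = (STANDARD_LIMIT_MM_MIN,) * 3
    axis_ok, contour_ok, vc = check_sls(naive, naive)
    print(f"axis-specific check {axis_ok}, contour check {contour_ok}, "
          f"contour speed {vc:.1f} mm/min")
    # Derive a per-axis limit that is safe for three simultaneous axes.
    safe = math.floor(max_axis_limit(STANDARD_LIMIT_MM_MIN, 3))
    axis_ok, contour_ok, vc = check_sls((safe,) * 3, (safe,) * 3)
    print(f"per-axis limit {safe} mm/min: contour check {contour_ok}, "
          f"contour speed {vc:.1f} mm/min")
```

The derivation only covers linear interpolation with all axes at their limit at once; rotary axes and tool-length effects on the tool-center-point speed need the machine builder's own kinematic model.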
If the safely-limited speed (SLS) safety function is activated when the speeds
are already above the speed limit values (e.g. by opening the guard doors), SS1
will be initiated immediately. Pressing the F LIMITED soft key enables you to
open the guard doors without initiating an SS1 reaction.
If you press the F_LIMITED soft key, the maximum permissible speed of the
axes and of the spindle is limited to the defined safely-limited speed. The
limitation depends on the safe SOM_x operating mode selected by keylock
switch. The speed of axes and spindles is reduced to the limit values for
"safely limited speeds." If SOM_1 is active, the axes and spindles are brought
to a stop, because only then will you be allowed to open the guard doors in
SOM_1.
Attention
The first time the SLP safety function is initiated, the operator has the
possibility of returning the axes to the permissible area after switching the
machine back on.
If he uses this possibility and moves the axes in the wrong direction, the drives
will be stopped via SS1. Then the drives cannot be moved until the limit values
have been changed in the safe machine parameters.
The absolute position of the machine axes must be captured via two channels
in order to ensure the safely-limited position (SLP) function:
Axis reference run
After switching on the control, the absolute position is determined by
means of the "Traversing the reference marks" function.
For example, for position encoders with distance-coded reference marks
you must traverse two reference marks in order to determine the absolute
value of the position, and for absolute encoders with EnDat interface the
position value is read out when the control is switched on.
In the "Traversing the reference mark" machine mode of operation, only one
axis can be moved at any one time. If the control is in the Reference Run
mode, and more than one NC axis or auxiliary axis whose associated axis
groups are not in the AUTO or SOM_1 monitoring states are moving, then
the SKERN initiates an SS2 for all axis groups that are not in AUTO or
SOM_1.
If the guard door is open, an automated reference run can only be executed
by means of NC start and the permissive button or key.
If the guard door is closed, the reference run can be executed both by
means of NC start and directly by means of the axis-direction keys.
As long as the axes have not been homed, it is not possible to traverse the
axes in another machine mode of operation (such as Manual Operation or
El. Handwheel).
The absolute positions determined in this manner are compared to the last
axis positions stored in the control. If a difference between the two values
is found, the axes must be checked. If an axis that has not been checked is
not in the "Traversing the reference marks" mode of operation, the axis can
be moved only if the guard door is closed (independent of the active mode
of operation).
Attention
The assignment of the axis position to the position of the limit switches
is ensured only if the axes have been checked, i.e. the limit switches at
the end of the traverse range (absolute position limit values) become
effective only for checked axes.
The safe operation of a machine requires that all axes have the "checked"
status. The axis display must not show any axis marked by the warning
symbol for "unchecked axis"!
Axes must be checked only by trained personnel.
The positions of the axes are saved before the machine is shut down and are
used as start positions after the machine is switched back on.
After the reference marks have been traversed or the absolute value has been
read out, the SKERN compares the position determined in this manner to the
respective position saved (in the MC and CC). If the deviation exceeds the
value saved in machine parameter SMP642.x because, for example, an axis
was moved manually while the control was inactive, the confirmation is
requested again, as during commissioning. The "Check axis positions" prompt
appears. After approaching the test position, the SKERN compares the
currently determined position to the reference position in SMP646.x. The
"Check axes" state cannot be left as long as the positions determined by the
SKERN MC and SKERN CC deviate from the reference position in SMP646.x
by more than the value in SMP642.x.
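The sequence just described (comparison with the saved position against SMP642.x, the "Check axis positions" prompt, and the two-channel comparison with SMP646.x before the "Check axes" state may be left) can be written down as a small state model. The following Python is an added example, not HEIDENHAIN code: the class, its state names and the numeric values are constructed for illustration, and the movement rules follow the text above (an unreferenced axis cannot be traversed outside the reference-run mode; an unchecked axis outside that mode may only be moved with the guard door closed).

```python
class AxisCheck:
    """Two-channel plausibility check of one axis position after power-on.
    Added model with constructed values; state names are illustrative."""

    def __init__(self, saved_position, smp642, smp646):
        self.saved_position = saved_position  # position saved before shutdown
        self.smp642 = smp642                  # permissible deviation (SMP642.x)
        self.smp646 = smp646                  # reference test position (SMP646.x)
        self.state = "UNREFERENCED"           # UNREFERENCED, CHECK_AXES, CHECKED

    def after_reference_run(self, determined_position):
        """Called once the reference marks were traversed or the absolute
        value was read out. Returns the new state."""
        if abs(determined_position - self.saved_position) > self.smp642:
            self.state = "CHECK_AXES"   # prompt "Check axis positions"
        else:
            self.state = "CHECKED"
        return self.state

    def at_test_position(self, pos_mc, pos_cc):
        """Called when the operator has approached the test position. The
        'Check axes' state is left only if BOTH channels (SKERN MC and
        SKERN CC) agree with SMP646.x within SMP642.x."""
        if self.state != "CHECK_AXES":
            return self.state
        if all(abs(p - self.smp646) <= self.smp642 for p in (pos_mc, pos_cc)):
            self.state = "CHECKED"
        return self.state

    def movement_permitted(self, guard_door_closed, reference_run_mode):
        """Whether this axis may be moved in the current situation."""
        if self.state == "CHECKED":
            return True
        if reference_run_mode:
            return True                  # moving to the reference marks / test position
        if self.state == "UNREFERENCED":
            return False                 # not homed: no traverse in other modes
        return guard_door_closed         # unchecked axis: only with guard door closed


if __name__ == "__main__":
    # Constructed values: axis saved at 100.0, tolerance 0.5, test position 250.0.
    axis = AxisCheck(saved_position=100.0, smp642=0.5, smp646=250.0)
    print(axis.after_reference_run(103.0))        # axis was moved while inactive
    print(axis.movement_permitted(guard_door_closed=False, reference_run_mode=False))
    print(axis.at_test_position(pos_mc=250.1, pos_cc=251.0))  # CC channel deviates
    print(axis.at_test_position(pos_mc=250.1, pos_cc=250.2))  # both channels agree
```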
Note
Here are some instances in which the safety function triggers an SS2
reaction in the operating modes mentioned above:
• If the override potentiometer is turned down after the start of an NC block
• During long dwell times (e.g. programmed waiting times) > 3 seconds in
an NC block
• Three seconds after the end or cancellation of an NC program, if the axes
or spindle remain at a standstill
To prevent this automatic transition from SLS to SOS/STO (such as during very
slow movements or for the tapping cycle, etc.), you have to press the
permissive key on the machine operating panel. If the guard door is closed,
there will be no transition to SOS/STO. This function only provides additional
protection when the guard door is open. The same applies to the handwheel
when the safety-related operating mode 4 (SOM_4) is active.
Time | Sequence | Reaction of MC | Reaction of CC
t = 200 µs + 3 ms + max. 100 ms (a) | "Normal" time from the start of the SS1 reaction by the CC to the standstill of the axes | – | At standstill the CC sets: –BRK_REL.B.x = 0
t = 200 µs + 3 ms + max. 100 ms + MP2308 | After the standstill of the axes and SBC, the CC initiates STO.B with a delay (by the time in MP2308). After the SS1F reaction has been performed, the SKERN CC requests the SPLC program to switch off the FS outputs (the machine manufacturer is responsible for the implementation). | – | The CC sets: –STO.B.x = 0
a. Time that is assumed by HEIDENHAIN to be the maximum deceleration time for feed axes.
An axis speed of 5 m/min and a braking acceleration of 1 m/s² were assumed.
Time | Sequence | Reaction of MC | Reaction of CC
t = 22 ms + 6 ms + 1*SPLC cycle + 3 ms + max. 100 ms (a) | "Normal" time from the start of the SS1 reaction by the CC to the standstill of the axes. | – | At standstill the CC sets: –BRK_REL.B.x = 0
t = 22 ms + 6 ms + 1*SPLC cycle + 3 ms + max. 100 ms (a) + MP2308 | After the standstill of the axes and SBC, the CC initiates STO.B with a delay (by the time in MP2308). After the SS1F reaction has been performed, the SKERN CC requests the SPLC program to switch off the FS outputs (the machine manufacturer is responsible for the implementation). | – | At standstill the CC sets: –STO.B.x = 0
a. Time that is assumed by HEIDENHAIN to be the maximum deceleration time for feed axes.
An axis speed of 5 m/min and a braking acceleration of 1 m/s² were assumed.
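The two response-time tables above are sums of fixed terms plus one assumed deceleration time, so they can be recomputed for a given machine. The following Python is an added example, not HEIDENHAIN code: it evaluates the deceleration-time assumption of footnote (a) (5 m/min at 1 m/s² gives about 83 ms, within the "max. 100 ms" budget), adds up the terms of both tables, and flags an axis whose own speed and braking acceleration would exceed the assumed maximum. The SPLC cycle time is a parameter because the page does not give its value; the 10 m/min axis in the demonstration is a constructed example.

```python
# The "max. 100 ms" deceleration time that HEIDENHAIN assumes for feed
# axes in footnote (a) of both tables.
MAX_DECEL_MS = 100.0


def deceleration_time_ms(speed_m_per_min, braking_accel_m_per_s2):
    """Time to brake from the given speed to standstill at constant
    deceleration, in milliseconds."""
    return (speed_m_per_min / 60.0) / braking_accel_m_per_s2 * 1000.0


def decel_assumption_holds(speed_m_per_min, braking_accel_m_per_s2):
    """True if an axis with these parameters stops within MAX_DECEL_MS.
    If this is False for one of your axes, the table times do not apply."""
    return deceleration_time_ms(speed_m_per_min, braking_accel_m_per_s2) <= MAX_DECEL_MS


def ss1_budget_cc(mp2308_ms):
    """First table: 200 us + 3 ms + max. 100 ms from the start of the SS1
    reaction by the CC to standstill, then MP2308 until the CC sets
    -STO.B.x = 0. Returns (to_standstill_ms, to_sto_ms)."""
    to_standstill = 0.2 + 3.0 + MAX_DECEL_MS
    return to_standstill, to_standstill + mp2308_ms


def ss1_budget_with_splc_cycle(splc_cycle_ms, mp2308_ms):
    """Second table: 22 ms + 6 ms + one SPLC cycle + 3 ms + max. 100 ms to
    standstill, then MP2308 until STO.B. splc_cycle_ms is an input because
    the excerpt does not state the SPLC cycle time."""
    to_standstill = 22.0 + 6.0 + splc_cycle_ms + 3.0 + MAX_DECEL_MS
    return to_standstill, to_standstill + mp2308_ms


if __name__ == "__main__":
    # Footnote (a): 5 m/min, 1 m/s^2 -> about 83 ms, inside the 100 ms budget.
    print(f"assumed decel: {deceleration_time_ms(5.0, 1.0):.1f} ms, "
          f"within budget: {decel_assumption_holds(5.0, 1.0)}")
    # Constructed faster axis: 10 m/min at 1 m/s^2 needs about 167 ms.
    print(f"10 m/min axis within budget: {decel_assumption_holds(10.0, 1.0)}")
    # MP2308 = 200 ms as shown in the braking-behavior figures above.
    print("CC-initiated SS1 (standstill, STO):", ss1_budget_cc(200.0))
    # SPLC cycle time of 6 ms is a constructed placeholder, not a page value.
    print("SS1 incl. SPLC cycle (standstill, STO):",
          ss1_budget_with_splc_cycle(6.0, 200.0))
```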
The following additional status bits are available for an external MB machine
operating panel:
Note
The SKERN demands via the interface signal NN_GenOutputEnable that the
SPLC program switch off the FS outputs in case of a fault, also see page 8–188.
Signal | MC | CC | SPL | SMOP | Reaction
–N0 | - | - | -(d) | SS1 | - - -(e)
–PF.PS.DC(a) | - | - | -(b) | SS1 | - - -(e)
–STOS.A.MC | - | - | -(d) | Detection (test) | - - -(e)
a. The evaluation of these signals and their reactions can be deactivated via a PLC module.
b. If –PF.PS.DC is active, the watchdogs of the MC are not retriggered anymore. The other
HSCI participants therefore detect the MC as being defective.
c. The FS outputs are switched off automatically only on the HSCI participant on which the
fault occurs (locally). Local fault detection by evaluating the internal fault bits (control crash,
internal fault of the component, fault in the HSCI communication).
General If an emergency stop or an error occurs, specific stop functions are used to
information bring all drives to a safe standstill as quickly as possible.
Once a stop function has been initiated it is always run in its entirety, even if
the cause of its initiation is no longer applicable. This applies regardless of the
Control Voltage ON (CVO) status. The machine cannot be restarted until the
stop function and the associated braking reaction have been run in their
entirety.
However, a stop reaction that has been initiated can be replaced by a higher-
priority stop.
The cause of SS0/SS1F/SS1/SS2 reactions is displayed on the screen.
The stop reaction with the highest priority is the SS0 reaction, followed by
SS1F and SS1. The SS2 stop reaction has the lowest priority. These stop
functions can be initiated by every monitoring channel (MC/CC).
Stop reactions
Stop reactions are defined and divided into categories in EN 60204-1. The stop
reactions and all further safety functions are described in detail under Safety
Functions (see page 4–47). The table below shows the assignment of the
stop reactions to the categories.
Safety function states
The safety functions are described in detail under Safety Functions (see page
4–47). The table below shows which safety function provides which safety
level to the end user.
For the initiation of safety functions by the SPLC and SKERN, it always applies
that the safety function providing the higher level of protection to the machine
operator is active.
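The priority and run-to-completion rules described above, modelled in Python as an added illustration (this is not HEIDENHAIN code and not the SKERN or SPLC logic itself): stop reactions carry the priority order SS0 > SS1F > SS1 > SS2, a running reaction is never aborted when its cause disappears, only a higher-priority request can replace it, and a restart is permitted only once the reaction has run in its entirety. The step counter standing in for the braking time and the `demo()` sequence are constructed for the model.

```python
"""Model of the stop-reaction priority rules from the manual (added example).

Priority order SS0 > SS1F > SS1 > SS2 is taken from the text.  The 'duration'
step counter is a constructed stand-in for the physical braking time.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Higher number = higher priority (SS0 highest, SS2 lowest).
PRIORITY = {"SS0": 3, "SS1F": 2, "SS1": 1, "SS2": 0}


@dataclass
class StopController:
    active: Optional[str] = None        # stop reaction currently running
    remaining_steps: int = 0            # constructed stand-in for braking time
    log: List[str] = field(default_factory=list)

    def request(self, reaction: str, duration: int) -> bool:
        """Request a stop reaction; returns True if it becomes the active one."""
        if reaction not in PRIORITY:
            raise ValueError(f"unknown stop reaction {reaction!r}")
        if self.active is None:
            self.active, self.remaining_steps = reaction, duration
            self.log.append(f"{reaction} initiated")
            return True
        if PRIORITY[reaction] > PRIORITY[self.active]:
            # Only a higher-priority stop may replace the running one.
            self.log.append(f"{self.active} replaced by higher-priority {reaction}")
            self.active, self.remaining_steps = reaction, duration
            return True
        # Same or lower priority: the running reaction continues unchanged.
        self.log.append(f"{reaction} ignored, {self.active} still running")
        return False

    def cause_cleared(self) -> None:
        """The triggering cause disappears; the reaction still runs to completion."""
        self.log.append("cause no longer applicable, reaction continues")

    def tick(self) -> None:
        """Advance one simulation step; the reaction completes when time is up."""
        if self.active is not None:
            self.remaining_steps -= 1
            if self.remaining_steps <= 0:
                self.log.append(f"{self.active} completed")
                self.active = None

    def restart_permitted(self) -> bool:
        """Restart (e.g. via Control Voltage ON) only after the reaction has finished."""
        return self.active is None


def demo() -> StopController:
    """Constructed sequence: SS2 running, a second SS2 ignored, SS1 takes over."""
    c = StopController()
    c.request("SS2", duration=3)      # controlled stop along the contour
    c.tick()
    c.request("SS2", duration=3)      # same priority: does not restart the timer
    c.request("SS1", duration=2)      # higher priority: replaces the SS2
    c.cause_cleared()                 # does not abort the SS1
    assert not c.restart_permitted()  # still braking
    c.tick()
    c.tick()                          # SS1 completed, restart now permitted
    return c
```

The model deliberately has no way to cancel a running reaction: the only transitions out of a stop are completion or replacement by a higher-priority stop, which is exactly the property the text relies on when it says the cause becoming inapplicable changes nothing.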
Danger
If an SS1 was initiated, the drives can be restarted by simply switching on the
machine control voltage, without actuating the main switch. All logic functions
of the machine are retained while the control voltage is switched off, and
continue to run unimpeded.
An unexpected restart by resetting the emergency stop button is not possible,
since the safe torque off (STO) operating status was initiated via two
channels.
Danger
For large machine tools whose work zone cannot be fully seen, the use of
an additional reset button in accordance with EN 954 or EN 13849 is
compulsory.
The reset button must be situated outside the danger zone in a safe position
from which there is good visibility for checking that no person is within the
danger zone. Switching the machine back on by using Control Voltage ON
(CVO) is not permissible until the reset button has been pressed. This
functionality must be realized in the SPLC program.
After an SS2 (SOS), a restart is possible without actuating the main switch and
without switching on the machine control voltage.
Note
The machine tool builder's risk analysis of the master-slave axes must
ensure that the master axis and the slave axis are mechanically firmly
connected with each other, and that the motor holding brake of the master
axis suffices as motor holding brake for the synchronized axes.
The risk analysis of the synchronized master-slave axes must prove whether
this type of master-slave operation is sufficient for the safety design of the
machine.
C-axis operation
This version of the FS software does not yet support safe C-axis operation. It
is not possible to operate an axis and a spindle alternately with a common
drive.
Traverse ranges
Switching the traverse range with MP100.x does not affect functional safety.
Machine parameter MP100.x is used to operate axes alternately as NC or PLC
axes. The SKERN derives this axis status solely from the entry in MP100.0.
The indices of MP100.x can only be used to switch the standard functions of
the NC software. For the SKERN the configuration in MP100.0 remains
decisive. In software version 606 42x-01, the safety-related examination of the
axes is inextricably linked to MP100.0. Therefore, the safety-related
examination of an axis always remains the same. PLC axes are sometimes
subject to more stringent safety requirements (e.g. movement possible only
in connection with permissive button or key).
Safe traverse-range switchover with MP100.x is not possible if software
version 606 42x-01 is being used.
Non-HEIDENHAIN inverters
The use of modules from Siemens' SIMODRIVE 611 power module product
family or other non-HEIDENHAIN inverters has not been approved for the
integrated functional safety!
Encoders
The following encoder configurations can be used on HEIDENHAIN control
systems with functional safety in order to monitor safe axes:
Two-encoder systems (speed and position encoders) with analog encoder
signals (1 VPP, EnDat 2.1)
Single-encoder systems (speed encoder) with analog encoder signals
(1 VPP, EnDat 2.1)
Single-encoder systems (speed encoder) with certified EnDat 2.2
FS encoder (as soon as these are supported)
Two-encoder systems (speed and position encoders) with EnDat 2.2
encoders without certified encoder or with certified EnDat 2.2 FS encoder
(as soon as these are supported)
External devices used in safety functions of the control must meet the
following requirements:
Safety contactor combinations (SCC) or corresponding devices
Only devices that correspond to EN ISO 13849-1 Category 3,
Performance Level d or EN 61508 SIL 2 may be used as safety contactor
combinations (SCC) or corresponding devices (e.g. safety-relevant PLC).
Safety relays
Only devices that correspond to EN ISO 13849-1 Category 3,
Performance Level d and EN 61508 SIL 2 and have a positively-driven
normally closed relay contact may be used as safety relays.
Encoders
The control system with FS performs plausibility checks in order to
detect faults in encoders. However, the plausibility checks can detect
faults only if the drive moves. But, in the SOS safety function, the drive
is kept in its current position, and there is no movement. If the
connection between the drive and the encoder loosens at this point in
time, this fault cannot be detected by the control system.
For safe axes/spindles with a single-encoder system, this results in the
following requirement for the encoder used:
Use only encoders for which the loosening of the connection between
the drive and encoder at standstill is ruled out. The encoder manufacturer
must be able to exclude the "loosening of the mechanical coupling" fault
for the chosen encoder. The "mechanical coupling" characteristic value
provides information on the "loosening of the mechanical connection"
fault.
Dual-encoder systems and non-safe axes/spindles are not affected by
this requirement.
Danger
The message Safe machine parameters have been edited. Run a partial
acceptance test! can appear if an acceptance test of the machine parameters
has already been performed (i.e. a valid checksum is stored), but one or more
SMPs were changed later on.
Danger
Only the machine tool builder is permitted to load edited SMPs by entering
the OEM password that is known to him (e.g. for optimizing the MPs).
Changing any SMPs necessitates a partial acceptance test!
The end user cannot put the control fully into service after changing SMPs,
because he does not know the OEM password. If an incorrect password is
entered or password entry is canceled, the control returns to the Power
Interrupted state.
The following procedure is used to edit SMPs:
The (edited) SMP parameter set is transmitted to the SKERN. The SKERN
compares the checksum of the new SMP parameter set with the checksum
saved for the last valid SMP parameter set (= reference SMP parameter set).
If the checksum is the same, the control goes into normal operation.
If the checksum has changed, you are prompted by a dialog to perform a
partial or complete acceptance test. You must confirm this by entering the
OEM password and pressing the permissive key.
Note
If an SMP has been edited and the OEM password is not available, the SMPs
can be corrected to the original value in the Programming and Editing mode
of operation by pressing the MOD soft key and then entering the code number
984651 or, if applicable, by using the password defined in OEM.SYS >
MPPASSWORD= .... There is also the possibility of using the code number to
reimport and reactivate an SMP set (from the manufacturer) matching the
checksum via the file system (with the PGM MGT soft key). Changes made to
machine parameters in the meantime by the end user, however, will be lost
during this process.
The (S)MP set defined by you during commissioning of the machine must be
supplied together with the machine when the machine is shipped.
Start-up of the control is successful only if the active SMPs match a checksum
saved in the control.
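The checksum gate described above, as an added Python model (not HEIDENHAIN code): the SKERN holds the checksum of the last accepted SMP set, a matching checksum at start-up leads to normal operation, a differing one demands an acceptance test confirmed with the OEM password and the permissive key, and a wrong or cancelled password returns the control to the Power Interrupted state. The page does not state the checksum algorithm, so SHA-256 over the sorted parameter set, the constructed OEM password and the state names are assumptions of this model.

```python
"""Model of the SMP checksum / acceptance-test gate (added example).

Assumptions (not from the manual): SHA-256 over the sorted parameter set as
the checksum, plain-string password comparison, and the three state names.
"""
import hashlib
from typing import Dict, Optional

SMPSet = Dict[str, str]   # e.g. {"SMP527.0": "500"}; values kept as text


def smp_checksum(smps: SMPSet) -> str:
    """Deterministic checksum over the whole SMP set (algorithm assumed)."""
    h = hashlib.sha256()
    for name in sorted(smps):                       # order-independent
        h.update(f"{name}={smps[name]}\n".encode())
    return h.hexdigest()


class SafetyKernelModel:
    """Holds the reference checksum of the last valid (accepted) SMP set."""

    def __init__(self, accepted_smps: SMPSet, oem_password: str):
        self.reference = smp_checksum(accepted_smps)  # valid checksum stored
        self._oem_password = oem_password             # known only to the OEM
        self.state = "POWER_INTERRUPTED"

    def start_up(self, active_smps: SMPSet) -> str:
        """Transmit the (possibly edited) SMP set; returns the resulting state."""
        if smp_checksum(active_smps) == self.reference:
            self.state = "NORMAL_OPERATION"
        else:
            # Checksum changed: dialog demands a partial/complete acceptance test.
            self.state = "ACCEPTANCE_TEST_REQUIRED"
        return self.state

    def confirm_acceptance(self, active_smps: SMPSet,
                           password: Optional[str],
                           permissive_key_pressed: bool) -> str:
        """OEM confirms the acceptance test with password and permissive key.

        password=None models a cancelled entry.  Wrong or cancelled password
        returns the control to Power Interrupted; without the permissive key
        the confirmation is simply incomplete (modelling assumption).
        """
        if self.state != "ACCEPTANCE_TEST_REQUIRED":
            return self.state
        if password is None or password != self._oem_password:
            self.state = "POWER_INTERRUPTED"
            return self.state
        if not permissive_key_pressed:
            return self.state
        # The edited set becomes the new reference set; its checksum is stored.
        self.reference = smp_checksum(active_smps)
        self.state = "NORMAL_OPERATION"
        return self.state
```

Because the reference is a checksum over the complete set, editing a single SMP is enough to fail the comparison, which is the behaviour the manual describes for the end user who lacks the OEM password.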
Attention
The speed limit values for the axes and spindle are defined in
EN 12417:2007 for the different safety-related operating modes.
Warning: Increased risk in safe operating mode 4 (SOM_4): Higher spindle speeds and feed rates are possible. Permissive button or key must be pressed for spindle start. The machine tool builder must check whether operating mode 4 can be permitted for machine operation.
SMP (iTNC 530): SMP560 bit 2 - not in software version 606 42x-01
Description: 1 = NC start is possible via the PLC by closing the axis/spindle guard door after external stop state and S=0.
Warning: Unexpected start-up resulting from closing the guard door. The requirements of EN ISO 12100-2 must be complied with!
SMP (iTNC 530): SMP560 bit 5 - not in software version 606 42x-01
Description: 1 = Measurement of current is inactive during safety self-test
SMP (iTNC 530): SMP560 bit 7 - not in software version 606 42x-01
Description: 1 = Permissive button of handwheel is only required for spindle start or NC start in operating mode 4 (SOM_4). The permissive button on the handwheel does not need to be held down continuously. This means the behavior is the same as on the machine operating panel. Only possible if operating mode 4 is active (bit 0 = 1).
SMP (iTNC 530): SMP560 bit 9 - not in software version 606 42x-01
Description: 1 = In the El. Handwheel mode of operation the simultaneous movement of several axes is permitted, e.g. for compensation movements (only relevant in SOM_3, SOM_4).
SMP (iTNC 530): SMP560 bit 10 - not in software version 606 42x-01
Description: Reserved for future functions
MP331, MP332: MP331 = Distance for the counting pulses from MP332. The signal period (automatically calculated by the TNC) = MP331 / MP332. Yes Yes
MP2172: Delay time for removing the enabling of the inverter in the event of serious faults detected by the control (leading to an internal emergency stop). Yes Yes
MP2230: Test of motor holding brakes: Factor for motor stall current. Yes Yes
MP3142: Line count of the rotary encoder on the spindle. Yes Yes
Danger
In all safe machine parameters, you must always enter values that ensure
that there is no danger to the operator.
Monitoring functions that initiate an SS0 reaction if an error occurs must
be examined particularly carefully, and must already be parameterized
appropriately during the commissioning phase. Axes and spindles
without mechanical motor holding brakes coast to a stop after an SS0.
Limit values for SLS
The limit values for SLS in the SMPs are axis-specific values.
Limit values for axes
The limit values for the axes must be set such that, even during interpolating
movements with multiple axes, the resulting contour speed is less than the
permissible speed limit value specified in the standard EN 12417.
Limit values for spindles
In the safety-related operating modes, the SMPs for the maximum
permissible spindle speed must be set such that the spindle comes to a stop
within no more than the number of revolutions specified by EN 12417 when
an SS1 reaction is initiated. When determining the maximum permissible
spindle speeds, you have to take into account that the behavior of the spindle
may vary depending on the different tools and the existing gear ranges or wye/
delta switchover. It must be ensured that in the worst case the spindle comes
to a stop within no more than the specified number of revolutions. You must
also keep in mind that the weight or center of gravity differs from tool to tool,
for example.
Note
SMP527, SMP528 Default time for controlled stopping upon SS2 reaction (axis-specific). The
braking ramp for SS2 is defined in MP1060 (braking ramp), which is not an
SMP.
When the SS2 reaction starts, monitoring timers with the default time defined
in SMP527.x for the axes and SMP528.x for the spindles are started in the MC
and CC. Axes and spindles must come to a stop within this time, otherwise an
SS1 is initiated by the SKERN.
An SS2 reaction can be initiated while the guard doors are open or closed. The
value for SMP 527.x/SMP 528.x must therefore be determined independently
of the SOM_x safety-related operating modes, taking into account the axis-
specific maximum possible feed rate in the AUTO state while the guard doors
are closed. The values are determined from the machine tool builder's axis-
specific risk analysis. Operator protection is the highest priority in determining
the values.
In the further configuration of the individual axes (e.g. jerk, acceleration), you
must ensure that the time in SMP527.x/SMP528.x is observed.
Keep in mind that in an SS2 reaction the axes are decelerated along the
contour. The NC axes involved are interpolated and decelerated. Axis-specific
values can be entered in SMP527 and SMP528, but the value of the most
critical axis should be entered as the time for all collectively interpolating axes.
The axis that is the last to come to a standstill or the slowest one to decelerate
is considered to be the most critical axis.
After any changes to MP1060, you must check whether the timer monitoring
(safety function) for SS2 is exceeded. If this occurs in the relevant worst-case
scenario, then the setting for the braking ramp must be changed again.
Changing the absolute values of the SMP is not permitted. Entries in SMPs
are permanently defined, based on the risk analysis, and may not be
retroactively changed for specific machine functions.
Please also note the description of the SS2 reaction on page 4–55.
MP530.x = 2 * t
Note
The dv/dt monitoring is a possibility for removing energy from an axis if it has
been determined that an SS1 reaction has failed. The value in SMP530 should
not be parameterized too tightly within the limits resulting from the risk
analysis of the machine. HEIDENHAIN finds the default value of 30 ms to be
most practical. However, this value must be changed if as a result the dv/dt
monitoring responds during regular deceleration procedures.
SMP550 Axis-specific limit value for maximum permissible path upon SS2 reaction.
Path monitoring is only active in the SOM_2, SOM_3 and SOM_4 operating
modes when the guard doors are open. Therefore, the value for SMP550 must
be set for the greatest permissible SLS in these operating modes.
If the axis-specific maximum permissible path for the SS2 reaction in
SMP550.x is exceeded, the MC and CC initiate the SS1 safety functions
independently of each other (see page 4–51).
The axis-specific limit value must be set such that the permissible total path is
not even exceeded during interpolating movements.
Operator protection is the highest priority in determining the path limit.
Therefore, an axis-specific risk analysis must be performed. Primarily, "finger
protection" (7-10 mm) must be considered.
SMP632, SMP633 Time window for permissible overshoot of the limit values for nominal/actual
monitoring of speed values. Determine the values for these parameters in the
SOM_1 operating mode, using the feed rates and rotational speeds possible
in that operating mode.
Entry in SMP632.x for feed axes:
Determine the maximum start-up time of the individual axes at the
acceleration set for the axes. From this, you can calculate the value for
SMP632.x as follows:
SMP632.x = start-up time at set acceleration *10
Entry in SMP633.x for spindles:
Determine the maximum reversing time (e.g. from +10000 rpm to –
10000 rpm) of the individual spindles at the acceleration set. From this, you
can calculate the value for SMP633.x as follows:
SMP633.x = reversing time *2
The values in SMP632/SMP633 should not be parameterized too tightly within
the limits resulting from the risk analysis of the machine. HEIDENHAIN finds
a value of 4 seconds to be most practical. However, this value must be
changed if as a result the nominal/actual value monitoring responds during
normal machine behavior.
MP subfiles Switching safe machine parameters (SMPs) via subfiles, editing them without
repeating the acceptance test, and adaptation by the operator are not possible
and not permitted. When using MP subfiles, you must therefore consider the
worst case for the operator in the setting of the SMPs. In all safe machine
parameters, you must enter values that ensure that there is no danger to the
operator. In the further configuration of the control (e.g. jerk, acceleration), you
must ensure that the limit values from the SMPs are observed.
If machine parameters that influence the dynamics of the machine are made
available to the end user, the permissible limits must be documented by the
machine tool builder. Limits for user parameters cannot be defined through
the control!
Complete acceptance test
The complete acceptance test must be performed during the commissioning
of a machine, and if changes have been made to the software or hardware.
During a complete acceptance test, all provided safety functions (such as the
compliance with limit values, functions of control units, functions of actuators)
are checked. The fault reaction physically takes effect. The correct functioning
of the safety functions is tested.
The control prompts you to perform a complete acceptance test by displaying
a corresponding warning message. After the acceptance test has been
completed successfully, the warning message should be acknowledged by an
action (e.g. pressing a special key) that is normally not used for
acknowledgment during operation.
The acceptance test must be performed by personnel authorized by the
machine tool builder.
Passing of the complete acceptance test and any modifications must be
documented in a suitable way.
Acceptance test of series-manufactured machines
The complete acceptance test does not need to be repeated for series-
manufactured machines if a complete acceptance test has been conducted on
one of these machines, and the hardware and software version as well as the
data of the safety-related parameters (protected against editing) match exactly
those of the tested machine (see VDE 801/A1 AK4).
However, the basic safety functions, such as emergency stop, the
effectiveness of guard door contacts and interlocking devices, etc. must be
tested for every machine. Furthermore, the agreement of the actual position
in the software with a marked reference position (machine datum) must be
checked.
Editing individual SMPs
If changes are made to safety-related machine parameters (SMPs), the partial
acceptance test must be performed. Only the safety functions affected by the
changes must be checked in this test. The control prompts you to perform the
partial acceptance test by displaying a warning message, and requires
acknowledgment after the test has been performed.
Procedure
Upon request HEIDENHAIN can provide you with a possible test procedure as
a basis for the acceptance test for a machine tool. This is a non-binding
proposal, and must be adapted by the machine manufacturer to the
requirements of the respective machine. The test also needs to be expanded
by OEM-specific functions and modifications. The acceptance test must verify
all safety functions and functions of the SPLC program.
Signal names – Channel A (MC)
IOCCFG = Name and path of the IOC file (e.g. PLC:\IOC\*.ioc). During startup, a control
in an HSCI system expects the complete configuration of the HSCI system in
the form of an IOC file. This file contains the configuration with all participants,
their sequence and the configuration of the inputs and outputs of the PLC and
SPLC. The IOconfig software for PCs is used to create the IOC file.
PLCSAFETYCFG = File name and path for conditional compilation of the SPLC program
(e.g. PLC:\Splc4\*.cfg).
On the iTNC 530 you select and deselect machine options by making the
corresponding entries in machine parameters. Only one PLC program is
necessary for all variants of machine options. This PLC or SPLC program is
conditionally compiled depending on the machine parameters MP4000.0 to
MP4000.15. For this purpose, PLCCOMPCFG = followed by the path of the
configuration file must be entered in the OEM.SYS file, and the machine
options in the MP4000.x machine parameters.
For the SPLC program the entries must be made in the *.CFG file used for this.
You can either use the same file as for the PLC program or create a separate
file with the same syntax. Then PLCSAFETYCFG= must be entered in the
OEM.SYS file.
PLCSAFETY = File name and path of the SPLC program (e.g. PLC:\Splc4\*.src).
July 2011 6.1 Operating Modes (SOM Safe Operating Modes) 125
The following safety-related operating modes are selectable by keylock
switch. The following text lists the most important features of the individual
operating modes. Ensure compliance, however, with the other requirements
of EN 12417.
The SPLC program in SOM_2 must also safely prevent:
Automatic pallet changing
Automatic tool and workpiece changing
High-pressure coolant
Tool measurement (e.g. laser)
Turning operation on drilling and milling centers
A chip conveyor may be moved only by additionally pressing the permissive
key
If the guard door is closed when operating mode 2 is active, operation is
possible as in operating mode 1. This happens automatically without any
change in the keylock-switch position. This functionality must be realized in
the SPLC program, see page 200.
If the F_LIMITED soft key is pressed while the guard door is closed, the axes
and spindles are decelerated to the corresponding limit values of operating
mode 2. In this condition, if the permissive button or key is being pressed, the
guard door can be reopened without triggering a stop reaction for the axis and
spindle. The SKERN ensures that opening the guard door while the spindle is
running without pressing a permissive button or key triggers a Safe Stop 2 for
the axes, followed by an SS1 with transition to STO for the spindle.
The SPLC program in SOM_3 must also safely prevent:
Automatic pallet changing
Automatic tool and workpiece changing
High-pressure coolant
Tool measurement (e.g. laser)
Turning operation on drilling and milling centers
A chip conveyor may be moved only by additionally pressing the permissive
key
If the guard door is closed when operating mode 3 is active, operation is
possible as in operating mode 1. This happens automatically without any
change in the keylock-switch position. This functionality must be realized in
the SPLC program, see page 200.
If the F_LIMITED soft key is pressed while the guard door is closed, the axes
and spindles are decelerated to the corresponding limit values of operating
mode 3. In this condition, if the permissive button or key is being pressed, the
guard door can be reopened without triggering a stop reaction for the axes and
spindles. The SKERN ensures that opening the guard door while the spindle is
running without pressing a permissive button or key triggers a Safe Stop 2 for
the axes, followed by an SS1 with transition to STO for the spindle.
During operation via the machine operating panel, axis and spindle
movements are permitted after the start without the permissive key having
to be pressed further. In the Handwheel mode, the permissive button is obligatory
for all movements (starting and continuing). If it is absolutely necessary for the
end user, you can use SMP560 bit 7 to also enable the same behavior for
handwheel operation as for operating-panel operation. However, this requires
a corresponding risk analysis on your part.
The possibility of selecting operating mode 4 is enabled via a separate
parameter (SMP560). If operating mode 4 is selected without having been
previously enabled over SMP, the operating mode is not switched, and the
"BA4 not enabled" error message is displayed.
Dual-channel monitoring of the actual speed of the axes or spindle at SLS. If
the monitoring responds, a safe stop (SS1) follows.
SMP560 and the code number for enabling SOM_4 are only accessible to you
as the machine manufacturer. You must act on the basis of your assessment
of the risk (e.g. safety-related and/or organizational replacement measures /
qualified operators).
As a protection against unexpected spindle starts, the spindle cannot be
started with M03/M04 (Spindle ON clockwise/Spindle ON counterclockwise).
If the spindle was switched off via M05 (Spindle STOP), for example, and M03/
04 was then programmed, the message "Switch spindle on" is displayed.
Spindle Start and the permissive button or key must first be activated before
the program continues at SLS.
The operating mode 4 must remain active until the keylock-switch position
changes, the control is switched off, or until the mode is deselected through
a soft key. You have to use the SPLC program to ensure that, after leaving the
operating mode 4, the user can only change into the operating mode 1.
If the guard door is closed when operating mode 4 is active, operation is
possible as in operating mode 1. This happens automatically without any
change in the keylock-switch position. This functionality must be realized in
the SPLC program, see page 200.
If the F_LIMITED soft key is pressed while the guard door is closed, the axes
and spindles are decelerated to the corresponding limit values of operating
mode 4. In this condition, if the permissive button or key is being pressed, the
guard door can be reopened without triggering a stop reaction for the axes and
spindles. After the guard door has been opened, the permissive button or key
can be released again. The SKERN ensures that opening the guard door while
the spindle is running without pressing a permissive button or key triggers a
Safe Stop 2 for the axes, followed by an SS1 with transition to STO for the
spindle.
6.1.6 Operating mode selection – inputs
The inputs +KSW.A.x (x = operating mode) for the safe operating modes are
transmitted by the SMOP to the MC, and the inputs +KSW.B.x are transmitted
to the CC.
Through the SPLC you can program as desired the attainment of the various
operating modes. Through the SPLC you can also configure the FS inputs for
selecting an operating mode. This makes it possible, for example, to attain
operating modes through further keylock switches. As an alternative you can
use the SPLC program to realize an operating mode change also through the
input of various code numbers.
Possible meaning of the inputs (high active):
+KSW.A.2, +KSW.B.2: Activation of operating mode 2 – SOM_2
+KSW.A.3, +KSW.B.3: Activation of operating mode 3 – SOM_3
+KSW.A.4, +KSW.B.4: Activation of operating mode 4 – SOM_4
If more than one input or none of the inputs is active for the operating modes
SOM_2, SOM_3 or SOM_4, the SPLC program must ensure that SOM_1 is
automatically activated.
In addition, the SPLC program must ensure that the operating mode SOM_4
can only be activated from within SOM_1, and that after SOM_4 is exited,
SOM_1 is automatically active.
If when the guard door is open the operating mode SOM_x is changed, for
example with the keylock switch, the SPLC program must request an SS2
reaction. The request applies for every change of a safe operating mode:
If any change of the operating mode SOM_x is made, when the guard door
for axes and spindles is open, the SPLC must request from the SKERN the
stop reaction SS2 for the axis group of the NC axes or the axis group of the
spindles.
If any change is made between safe operating modes, when the guard door
of the tool magazine is open the SPLC must request from the SKERN the
stop reaction SS2 for the axis group of the tool magazine.
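The operating-mode selection rules for the SPLC program given above, as an added Python model (this is not the SPLC program and not HEIDENHAIN code): exactly one active input among +KSW.x.2/3/4 selects SOM_2/3/4, none or more than one yields SOM_1, SOM_4 can be entered only from SOM_1 and leaving SOM_4 leads back to SOM_1, and every change of the safe operating mode with an open guard door produces an SS2 request for the affected axis groups. The signal names and SOM_x names are from the manual; the axis-group identifiers, the door names, and the handling of a channel A/B mismatch (fall back to SOM_1) are assumptions of the model.

```python
"""Model of the SPLC operating-mode selection rules (added example).

Inputs +KSW.A.x (MC) and +KSW.B.x (CC) are the dual-channel keylock inputs
named in the manual; the group and door names below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SOM_1, SOM_2, SOM_3, SOM_4 = "SOM_1", "SOM_2", "SOM_3", "SOM_4"


def select_som(ksw_a: Dict[int, bool], ksw_b: Dict[int, bool]) -> Tuple[str, bool]:
    """Derive the requested operating mode from the dual-channel inputs.

    Returns (mode, channels_agree).  Exactly one of inputs 2/3/4 active selects
    SOM_2/3/4; none or more than one active yields SOM_1 (manual rule).  If
    channel A (MC) and channel B (CC) disagree, the model falls back to SOM_1
    and reports the mismatch so the caller can treat it as a fault (assumption).
    """
    active_a = [x for x in (2, 3, 4) if ksw_a.get(x, False)]
    active_b = [x for x in (2, 3, 4) if ksw_b.get(x, False)]
    agree = active_a == active_b
    if not agree or len(active_a) != 1:
        return SOM_1, agree
    return f"SOM_{active_a[0]}", agree


@dataclass
class SomStateMachine:
    mode: str = SOM_1

    def update(self, requested: str, doors_open: Dict[str, bool]) -> List[str]:
        """Apply a mode request; returns the SS2 requests the SPLC must issue.

        doors_open maps 'workspace' (guard door for axes and spindles) and
        'magazine' (tool-magazine door) to their open state (constructed names).
        """
        new_mode = requested
        # SOM_4 may only be activated from within SOM_1 (manual rule); an
        # attempt from another mode is redirected to SOM_1 (modelling choice).
        if requested == SOM_4 and self.mode not in (SOM_1, SOM_4):
            new_mode = SOM_1
        # After SOM_4 is exited, SOM_1 is automatically active (manual rule).
        if self.mode == SOM_4 and requested != SOM_4:
            new_mode = SOM_1
        requests: List[str] = []
        if new_mode != self.mode:
            # Every change of the safe operating mode with an open door needs SS2.
            if doors_open.get("workspace", False):
                requests += ["SS2:NC_axes", "SS2:spindles"]
            if doors_open.get("magazine", False):
                requests.append("SS2:tool_magazine")
        self.mode = new_mode
        return requests
```

Keeping the two channels as separate inputs in `select_som` mirrors the MC/CC split on the page: a single stuck or open-circuit contact shows up as a channel disagreement rather than silently selecting a less restrictive mode.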
Normally, the SKERN switches the spindles into STO if the SPLC requests the
safety function SOS and the spindle is at a standstill. If necessary, the spindle
(like the axes) can be switched at an SS2 reaction to SOS instead of STO,
depending on SMP549.x (used for lathes).
If the axes and spindles are moving when the guard door is opened and
operating mode SOM_1 is active, an SS1 reaction (emergency stop) by the
SKERN results. After attaining standstill, the axes and spindles go into the STO
state.
It must be possible to remove the key while it is in the position for operating
mode SOM_1. This prevents operation of the machine while the guard is open
(= increased danger).
For more information about the inputs of the operating mode selection and the
keylock switch to be used, see page 6–153.
Available safety function        | Axes, operating mode 1 2 3 4 | Spindles, operating mode 1 2 3 4 | Auxiliary axes, operating mode 1 2 3 4
Safely limited increment (SLI)   | X X X X                      | - - - -                          | X X X X
a. If necessary, the spindle (like the axes) can be switched at an SS2 reaction to SOS instead of STO, depending on SMP549.x (used for lathes).
b. If the spindle has a brake, the safety function SBC is available.
6.1.7 Configuration of axis groups
You can configure by machine parameter whether an axis is an NC axis, a
spindle or an auxiliary axis (MP100). The configuration of the axes also affects
the behavior of an axis after a safety function is triggered.
Through the additional configuration possibility for working spaces, axes can
be secured by different guard doors. To make a model of this behavior, the
axes are divided by the axis-specific SMP600.x and the spindles by the axis-
specific SMP601.x into up to eight axis groups. All axes of an axis group must
be of the same type (NC axis, spindle, or auxiliary axis). The safety kernel
software ascertains or checks the type from the entry in MP100.
The SPLC program evaluates the inputs for guard doors, permissive buttons
and keys, start /stop keys and keylock switches, and assigns this information
to the correct axis groups. For example, a physical door contact can define the
guard-door condition of two or more axis groups.
You can use the SPLC program to request from the SKERN the desired safety
functions SOS, SLS, SLI, STO or SS0, SS1(F), SS2 for the individual axis
groups, depending on the evaluated inputs (see above). The requested safety
function is then run by the safety kernel software.
Three axis groups suffice for simple machines:
Axis group for NC axes
Axis group for spindle(s)
Axis group for auxiliary axes
For more complex machines it can be worthwhile to divide the axes into
further groups in order to describe individual working spaces that are
protected by separate guard doors. For example, one axis group can be used
for the auxiliary axes of the tool changer while another is used for auxiliary
axes of the pallet changer.
This then makes it possible to ensure that one of the axis groups (e.g. the tool
changer) is safely protected by guard doors and can operate normally while the
guard doors of another axis group (e.g. pallet changer) are open.
For the safety function Safe Stop 2, the brakes of the axes might have to
function in a certain sequence. For example, the spindle is normally not
decelerated until the NC axes are stationary. For every axis group, SMP610
can contain a list of other axis groups that have to be stopped before this axis
group. If the safety function Safe Stop 2 is triggered for an axis group, all other
axis groups listed in this MP are braked first, even if no Safe Stop 2 was
triggered for these other axis groups.
Danger
The delays resulting from the braking sequence in SMP610 must be taken
into account when complying with the time specifications for axis standstill.
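The SMP610 braking sequence described above, as an added Python model (not HEIDENHAIN code): for each axis group SMP610 lists the groups that must be stopped before it, and a Safe Stop 2 for one group first brakes all listed groups even if no SS2 was triggered for them. The model also adds up the per-group stop times along the resulting sequence, which is the delay the Danger note says must be taken into account. The group names, the dictionary encoding of SMP610, the stop times and the cycle check are assumptions of the model.

```python
"""Model of the SMP610 braking sequence for Safe Stop 2 (added example).

SMP610 is encoded here as group -> list of groups that must stop first; the
group names and times are constructed and not values from the manual.
"""
from typing import Dict, List, Set

# Constructed SMP610 encoding: group -> groups that must be stopped first.
SMP610_EXAMPLE: Dict[str, List[str]] = {
    "spindles": ["nc_axes"],        # spindle not decelerated until NC axes stand
    "nc_axes": [],
    "tool_changer": ["nc_axes"],    # constructed example dependency
    "pallet_changer": [],
}


def braking_sequence(trigger_group: str, smp610: Dict[str, List[str]]) -> List[str]:
    """Return the order in which groups are braked for an SS2 on trigger_group.

    Groups listed in SMP610 are braked first (recursively), even if no SS2 was
    triggered for them; the triggering group itself is braked last.  A circular
    dependency would never let any group stop, so it is rejected.
    """
    order: List[str] = []
    done: Set[str] = set()
    on_path: Set[str] = set()

    def visit(group: str) -> None:
        if group in done:
            return
        if group in on_path:
            raise ValueError(f"circular braking dependency involving {group!r}")
        on_path.add(group)
        for before in smp610.get(group, []):
            visit(before)
        on_path.discard(group)
        done.add(group)
        order.append(group)

    visit(trigger_group)
    return order


def worst_case_standstill_time(sequence: List[str], stop_time: Dict[str, float]) -> float:
    """Sum of the per-group stop times along a braking sequence.

    The last group only begins braking after every group before it has stopped,
    so its time to standstill is the total, not its own stop time alone.  The
    stop_time values are constructed, axis-specific times the machine tool
    builder would determine from the risk analysis.
    """
    return sum(stop_time[g] for g in sequence)
```

The cycle check is the defensive part: a configuration in which two groups each wait for the other can never reach standstill, so the model rejects it instead of producing an order.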
6.1.8 Magazine axes
As separate safe axes, the additional axes for the tool magazine are defined as
PLC axes by machine parameter MP100.
When the magazine door is closed, the automatic positioning and manual
traverse of the tool magazine are enabled for a tool change. The positions are
specified by the PLC.
The contacts of the magazine door T are to be connected over two channels
to FS inputs –SD.A.T (MC) and –SD.B.T (CC) of the SPL. The contacts of the
permissive keys TM are connected to the FS inputs PB.A.TM and PB.B.TM.
Positioning the tool magazine while the magazine door is open requires, for
example, pressing the dual-channel jog keys TM_R.x or TM_L.x together with the
dual-channel permissive key PB.x.TM. This is to be realized in the SPLC
program.
If the working spaces for magazine axes and NC axes are separate, the
permissive keys TM for the tool magazine must have no influence on the
working space of the NC axes and spindles. Vice versa, the permissive keys
of the working space for the NC axes and spindles must have no influence on
the magazine axes. The SPLC program must ensure this.
When the magazine door T is open (–SD.A.T (MC) and –SD.B.T (CC) are both
0) the tool magazine can only be positioned manually in SLS. The safely limited
speed for the magazine axis is specified in SMP590.x (SOM_2).
The following applies for the magazine axes when opening the magazine
doors:
During automatic positioning, the magazine is braked by the SS1 reaction.
The ramp gradient can be reduced with MP2590 if problems occur with the
tools (see page 4–51).
Automatic tool changing is to be prevented in the operating modes SOM_2,
SOM_3 and SOM_4. The axes can be moved manually, whereby the
traversing speeds are monitored by the safety function SLS (SMP590.x).
If the permissive key, jog key, or both are released, the SPLC program must
trigger an SS2 reaction for the magazine axes. The position feedback control
remains active in the subsequent safety function SOS so that the magazine
disk cannot be turned while the tool is being inserted. The subsequent
reapproach to a grid position must also be realized by the (S)PLC program.
If the guard door is open, a moving magazine axis is braked by an SS1 reaction.
The ramp gradient can be reduced with MP2590 if problems occur with the
tools.
The magazine axis is allowed to be moved to the next position by pressing the
permissive keys and jog keys, whereby the safety function SLS is active.
If the guard doors are closed, it is permitted to move the magazine axes with
the jog keys alone. No permissive key is required.
6.1.10 Electronic handwheel
The HR 410 FS, HR 420 FS, HR 520 FS and the HR 550 FS wireless
handwheel are available to the machine manufacturer.
With the HR 410 FS, the El. Handwheel machine mode of operation is
selected by pressing the corresponding key on the MB machine operating
panel.
On large machines or machines with work zones that cannot be seen by the
operator, switching the machine operating mode on the MB machine
operating panel can represent a hazard for the operator. The MB can take over
operating sovereignty without permission from the HR or the operator. If this
is not permissible due to the risk analysis of the machine, an additional
safeguard must be realized through the SPLC program: the SPLC program must
additionally check whether the permissive buttons of the HR are pressed, and
only if this is the case may the operating sovereignty be switched, for
example. The validity of the signal edge of the pressed permissive buttons
must be considered here; it is valid, for example, only for three seconds
(the permissive button must be released and pressed again).
Another possibility is the use of an HR 5xx FS. With these handwheels, the
operating sovereignty can be switched only from the HR 5xx.
For the HR 420 FS, HR 520 FS and the HR 550 FS wireless handwheel, the El.
Handwheel operating mode is activated directly at the handwheel.
An SS2 is triggered by a switch between machine operating modes.
All machine movements that are triggered via the handwheel are monitored
regarding the speed limit values specified for SLS (safely limited speed) when
the guard door is open.
During the safety self-test, the signal levels that indicate a non-pressed
condition must be applied to the inputs of the handwheel permissive buttons.
The direction keys and start keys as well as the wheel on the handwheel unit
are active only while the handwheel permissive button is being pressed.
In the El. Handwheel mode, the FS inputs for the handwheel permissive
buttons PB.x.HW are selected, and the FS inputs of the permissive keys on
the machine operating panel and the magazine axis are deselected so that only
the permissive function of the handwheel is effective.
On the HR 410 FS, HR 420 FS and HR 520 FS portable electronic handwheels
with cross-circuit safety (two microswitches per permissive button) the
normally-open contacts, which are switched in parallel, are routed to the MC
through the FS input PB.A.HW of the SMOP, and the normally-closed
contacts, which are connected in series, are routed to the CC through the FS
input PB.B.HW of the SMOP.
Logic "1" on the MC and logic "0" on the CC signal permission.
The other logic levels do not indicate permission. During a machine
movement, they trigger an SS2 reaction for the axes. An SS1 reaction is then
activated for the spindle.
6.1.11 Use of several operating units
Besides having a machine operating panel, many machines are also equipped
with an electronic handwheel or other machine operating units. On such
machines, switching between the various operating units must be controlled
through the SPLC.
Danger
The SPLC program must ensure that only one of the operating units
(handwheel, machine operating panels) is active at any one time so as to
prevent danger to the operator.
This can be realized in the SPLC by filtering the input signals (see page 8–219).
However, the signals must be filtered so that the keys with stop functions
always stay active on all operating units. This applies in particular to all
emergency stop buttons on the machine!
In the HEIDENHAIN design, the operating unit is addressed through one
channel. The keys' input signals are filtered by the SPLC over two channels. It
is ensured with dual channels that no more than one operating unit can be
active at any time. The filtering is always done before the PLC scan and the
filtered values are set again to the same markers as in the original key
conditions. In this way, too, only the filtered markers are available to the PLC
program.
In connection with the PLC program it is possible to acknowledge error
messages of the control from the additional operating units (e.g. handwheel).
The error messages of the control are always shown on the control's BF
screen, but they might not appear on the other operating units. If, after a
thorough risk analysis, you nevertheless make it possible for the machine
operator to acknowledge error messages from such operating units, the
operator must expressly be informed of this (e.g. machine tool manual).
Acknowledging an error could otherwise lead to an unexpected restart of
machine motions.
Note
The risk analysis you have to make for the safety functions must show the
requirements to be fulfilled by the individual safety function (e.g. required
performance level d as per EN 13849-1).
All components (e.g. keylock switches, emergency stop button, safety relays,
control) that are involved in the individual safety functions must meet the
requirements for the respective safety function. The individual safety
functions must also be designed according to the determined requirements.
Emergency stop buttons are to be used exclusively for emergency stop
purposes. Under normal operating conditions, a machine must not be
switched off via the emergency stop buttons. The proper functioning of all
emergency stop buttons is to be tested annually by pressing these buttons.
The safety-related inputs/outputs (FS inputs/outputs) lie on the SPL input/
output assembly or the SMOP machine operating panel. The corresponding
input/output signals must always be routed to the system in two channels,
and must be available to both the MC (first safety channel = Index A) as well
as the CC (second safety channel = Index B), or be formed by both computer
units.
In addition to the respective channel-specific signal (channel A or channel B),
the MC (channel A) and the CC (channel B) also receive the signal of the other
channel for evaluation.
All FS inputs/outputs have the characteristics of PLC interfaces with logic
levels of 0 V and 24 V. They are designed according to the quiescent current
principle, i.e. low-level current automatically results in logic "0". This means
that the safe state is automatically selected for the operator, control and
machine.
The wiring and evaluation of safety-related inputs is to be realized according to
the quiescent current principle. A logic level of 0 V at a safe input must result
in a safe state for the operator.
The dual-channel inputs/outputs of FS slots make it possible to realize safety
functions up to performance level d (PL d) of EN 13849. The control of inputs
and the transmission of output states also requires components that are
approved for use in applications up to PL d. The dual-channel inputs/outputs are not
pulsed, but carry static 0 V or 24 V. The inputs/outputs are subjected to forced
dynamic sampling in appropriate tests that are part of the safety self-test that
must be performed no later than every 168 hours.
Note
First, the physical dual channel inputs of the A channel and the B channel
are AND gated, and only then is the result of the AND operation forwarded
to the SPLC as the input state.
This AND operation means that the SPLCs of the A and B channels will receive
the value 0 as input information if the two inputs have different states
(e.g. A channel = 0, B channel = 1).
If safe inputs are inverted through SMP585.x and SMP586.x, the input
information is inverted before the AND operation.
Example:
The physical terminals of a safe PL module have the following states: terminal
of A channel = 0, terminal of B channel = 1.
Both inputs are inverted through the setting in SMP585.x and SMP586.x:
A-channel information = 1, B-channel information = 0.
The AND gating of the A and B channels therefore results in logic "0".
This logic "0" is transferred as input information to the SPLC input markers.
SMP587.x is used to force the dynamic sampling of safety-related inputs. A
prerequisite is that the elements (e.g. the normally open contact of a switch)
are supplied by the test outputs –TEST.A or –TEST.B (see page 6–148).
The wiring of safety-related outputs is to be realized according to the
quiescent current principle. A logic level of 0 V at a safe output must result in
a safe state for the operator.
If there is an external (ES.A, ES.B) or internal emergency stop (crash of the
MC's NC software), an SS1 or SS1F will be initiated. The safety-related
outputs (FS outputs) are switched off (= 0) if all axes are at a standstill, or no
later than after the expiration of the time defined in SMP2172. This means that
the FS outputs are usually not switched off until after the actual emergency
stop reaction SS1 and the standstill of the axes/spindles.
Note
The SPLC program must ensure that only one permissive button or key is
effective for any specific working space at a given time!
When the guard doors are open, the permissive keys of a machine operating
panel (input PB.x.SMOP) must be pressed for spindle motion and NC start.
The permissive key integrated on the SMOP consists of two independent
sensor elements under one push button (two normally open contacts).
The permissive buttons of the HR 410 FS, HR 420 FS handwheels or a
wireless handwheel (PB.x.HW input) must be pressed for axis and spindle
movements that are triggered via handwheel keys. On the handwheel a two-
step button is used which, however, has a normally open and a normally
closed contact.
The permissive keys of the tool magazine (PB.x.TM input) must be pressed for
movements of the tool magazine.
The safety functions of the permissive buttons or keys must be ensured by a
timer in the SPLC program. The SPLC program detects edges at the physical
inputs of the permissive buttons or keys when they are pressed. The
permissive buttons or keys are considered pressed only if both contacts are
closed. Both contacts of the permissive buttons or keys can be executed as
normally open contacts or as antivalent.
After the edges are detected, you have to start a timer in the SPLC program
with a time of up to 30 minutes. The permissive button or key retains its
validity only for these 30 minutes for triggering or maintaining a movement
(determined over machine keys, e.g. NC start, spindle start). Therefore,
permission is in effect if the timer's time (max. 30 minutes) has not yet expired
and the permissive button or key remains pressed. The permissive button or
key is then considered to be pressed (see page 8–187).
Note
Radio link or serial data transfer from the HR to the SMOP
The use of an HR 550 FS handwheel necessitates the use of an AP access
point (HRA 5xx FS handwheel adapter), which is connected at X23 of the
machine operating panel.
For the HR 550 FS wireless handwheel, an unambiguous assignment must be
ensured between the handwheel and the access point. For the HR 550 FS
wireless handwheel, this mutual assignment of the wireless handwheel and
the access point is made through the respective serial numbers, which are
unambiguous and not identical. The wireless handwheel must be placed in the
AP access point for this. The HR and AP only communicate over the RS 422
serial interface during this assignment.
If you remove the HR from the AP during the serial number exchange process,
the process will be canceled and a corresponding error message will be
issued. During normal control operation, the control software identifies the
wireless handwheel by the serial number of the HR.
During the safety self-test and when the connection to the wireless
handwheel is set up, the system ensures that only the HR and the AP that
have been assigned unambiguously to each other are addressed. If a
difference is found in this comparison of serial numbers, the connection will
be terminated. During this entire process the relay contacts in the AP for the
emergency stop and the permissive buttons remain open.
During the communication from the wireless handwheel through the access
point to the control, the safety-related dual-channel information is transmitted
to the AP. This decodes the information and reproduces the information of the
permissive buttons and the emergency stop on safety relays in the AP. These
are wired to FS inputs at the machine operating panel.
For more detailed information about the wireless handwheel, refer to the
Technical Manual for your control.
Note
Please note that the maximum possible time of 168 hours that can be
specified for the safety self-test in machine parameter SMP511 applies
only to the control components from HEIDENHAIN. If you are using
other components, the respective particular specifications must be
complied with!
Danger
After the machine has been switched on, the machine will not be in a safe
state until the safety self-test and the test of the brakes have been
completed successfully.
Danger
To perform this test, the test line must be wired to the feedback inputs
T.BRK.A and T.BRK.B (see Figure 3.20: block diagram of motor brake control).
However, the T.BRK signal is not used to provide feedback information about
the state of the brake during operation. The T.BRK signal is used only for the
test of motor brake control.
The SPLC must transmit the T.BRK.A and T.BRK.B signals to the safety-kernel
software to enable the safety-kernel software to check the motor brake
control during the safety self-test, see page 8–217.
The individual tests (see below) of motor brake control are performed by the
MC, while the CC monitors the correct test procedure on the MC. If faults
occur while the tests of motor brake control are being performed, the MC and
the CC each initiate an SS0.
Depending on how the brakes are controlled during the test, an SS0 is
initiated if:
• one of the transistor contacts in the inverter is not interrupted,
• one of the relays used for controlling the brakes is not switched off via the
B channel (= 0),
• one of the safe SPL outputs used for direct brake control is not
switched off (= 0),
• one of the relays used for controlling the brakes is not switched off via the
A channel (= 0),
• there is a short circuit to 24 V,
• one of the transistor contacts in the inverter does not make a
connection,
• one of the relays used for dual-channel control of the brakes does not
switch (= 1),
• one of the safe SPL outputs used for direct brake control does not
switch (= 1), or
• there is a short circuit to 0 V.
The test does not depend on the state of MP2234.x bit 0. MP2234 bit 0 = 0 is
used to output the –BRK.B.x signal to the inverter via the PWM interface. If
MP2234 bit 0 = 1, the –BRK.B.x signal is not output. The outputs on the SPL
module are used for brake control via the B channel.
For the requirements to be met by the SPLC program for controlling the brakes
during the test, see page 199.
Danger
A basic wiring error in the brake control circuit can cause gravity-loaded
axes to fall down, in particular during the brake control test. During the first
motor brake control test after wiring a machine, a gravity-loaded axis must
therefore be secured against falling!
During the brake test, brake control is carried out once by only the B channel,
and once by only the A channel. The servo drives are not feedback-controlled
during the test. Keep this in mind during the commissioning phase of the
machine, and secure the respective axes against falling.
Danger
Axes with defective motor holding brake must be moved to a safe position
before switching off the machine.
Note
Before performing the brake test, ensure via the PLC program that all servo
drives of a synchronized axis are switched on and the holding brakes are
open.
For slave drives for which the brake test has been disabled via MP2230.x, the
current is adjusted so that the servo drive is not moved while the other servo
drives of the synchronized axis are being tested.
Since the algebraic sign of the test torque cannot be determined until the
drives are feedback-controlled and the brakes are open, an appropriate waiting
time must be specified for the start of the brake test of synchronized axes. The
time set in MP2309.x is used for this. The value for MP2309.x must equal the
time that passes until the brake is really open after the controller has been
switched on. The same time must be entered in MP2309.x for all servo drives
of a synchronized axis.
In general, the following applies to the brake control: If the brakes are
controlled by the PLC, and not by the inverters, the PLC module 9159 (drive
controllers are switched off) transmits the status message to the PLC program
regarding the closing of the brakes during the brake test.
HEIDENHAIN recommends:
Note
For all machines on which a brake test for synchronized axes is performed,
HEIDENHAIN recommends installing the above-mentioned service packs
to be able to use the new behavior of the brake test. If software versions
340 49x-06 and 606 42x-01 are used, the sequential brake test of
synchronized axes should also be activated (MP860 bit 2 = 1).
If required, modify the PLC program with respect to the conditions and
the changed behavior of the brake test.
Test the behavior of the PLC program and the brake test on the machine.
If required, update the NC software and the PLC program of the affected
machines in the field.
If you need assistance in evaluating the situation, also please contact the
responsible HEIDENHAIN service agency.
If you also need the modified brake test for synchronized axes for software
versions for which no service pack is currently planned, please contact the
responsible HEIDENHAIN service agency.
Note
HEIDENHAIN reminds its customers that the basic circuit diagram of the
control is a non-binding proposal: the OEM must adapt the diagram to the
needs of the respective machine.
HEIDENHAIN reminds its customers that the requirements formulated in
this chapter for an SPLC program constitute a non-binding proposal: the
OEM must adapt the program to the needs of the respective machine.
The OEM is responsible for adhering to the relevant standards and safety
regulations (EN 12417).
The OEM is responsible for the safety of a machine. The OEM must
ensure the safety of the machine by performing a comprehensive
acceptance test. The acceptance test must cover all safety functions of
the machine, including all functions that are realized in the SPLC program.
For general information about the SPLC programming, please refer to the
online help of PLCdesignNT, starting from version 2.7. You can download
the current version of PLCdesignNT from our FileBase under PC
Software.
Capabilities of the compiler: The HEIDENHAIN PLC statement language for
generating the SPLC program is limited to the commands for data processing
(logical/arithmetic gating), memory transfer (load/write to accumulator) and
conditional processing (If/Else/Endif).
Compiler functions for SPLC programming: To achieve the dual-channel
redundancy, the PLC compiler generates code in two separate runs but from the
same source code: once for the SPLC process on the MC hardware and once for
the SPLC process on the CC hardware. During this generation, a CRC sum is
determined via the binary data, and is used by the SPLC runtime system to make
sure that the code has not been changed since the acceptance testing of the
machine.
Operands that serve as an interface to the SPLC runtime system or to the PLC
are placed by the compiler on permanently defined address ranges, and
information about these ranges is stored in the debug information file.
On a safe control, three different PLC programs are run in parallel. Each
program saves its operands in a separate process image.
MAIN.BIN: the program on the MC, managed by the PLC runtime system
SMAIN.MC.BIN: the program on the MC, managed by the SPLC-MC runtime system
SMAIN.CC.BIN: the program on the CCs, managed by the SPLC-CC runtime systems
The PLC program and the SPLC-MC program use the I/Os of the A channel.
The SPLC program on the master CC uses the I/Os of the B channel.
Note
Please note that the SPLC-CC does not run at the same clock rate as the
PLC.
This means that it is not possible to set a dual-channel output with a PLC
pulse. Furthermore, it cannot be guaranteed that the SPLC program will run
between two PLC clocks.
Therefore, information from the PLC must be sent to the SPLC as statuses,
and not as events.
Attention
The safety of the SPLC programs is not ensured until the machine tool has
successfully passed the acceptance test. This test must be performed by
the machine manufacturer.
Once the machine tool has successfully passed the acceptance test, the
respectively valid CRCs are stored in the corresponding SMP691.x, and are
used for comparison each time the SPLC programs are translated. If one of the
stored CRCs does not match the presently generated CRC, an acceptance test
must be performed. The scope of the acceptance test is determined by the
changes to the SPLC program. If the control determines that there is a
difference between a current CRC checksum and a saved CRC, without the
SPLC program having been changed intentionally, then the entire acceptance
test must be performed.
An error message appears if the presently generated CRC checksum differs
from the corresponding entry in SMP691.x. The error message contains the
present checksum, which must then be entered in SMP691.x. The OEM
password is needed to confirm this change to the SMP.
Chapter 8.9 Interfaces to/from the SPLC (SPLC API), see page 8–185:
description of all data (input and output data) that are available to the
SPLC program.
If the SPLC-API version has changed, you must check the SPLC program.
If necessary, you must adapt it and perform a new acceptance test of the
machine.
Note
Please also copy the splcapimarker.def file to your PC as well, and add it to
the PLCdesignNT project. Otherwise, during the next transfer of SPLC
project files to the control, the file might be overwritten by the old version.
The SPLC-API programming interface can also be included in the standard PLC
program (INCLUDE). If this is the case, the data from ApiFromSafety and
ApiToSafety are copied to the double-word range of the PLC. This data can
then be used for additional interrogations or diagnostic purposes in the PLC
program.
Danger
The following safety-related inputs are relevant for a simple milling machine:
ES: external emergency stop (from operating panel, from handwheel, … )
CVO: "Control Voltage ON" key (one or more)
SD: door contacts of the guard doors
PB: permissive buttons/keys (on the handwheel, operating panel, tool
magazine)
KSW: keylock switches for safe operating modes SOM 2, SOM 3, SOM 4
T.BRK: test input for motor holding brake
FB_NCC: feedback from the chain of normally closed contacts
Axis-direction keys
Other keys with a Start function (NC start, spindle start, spindle jog)
Keys with a Stop function (NC stop, spindle stop)
Note
If one of the inputs listed above is missing, then instead of the input marker
another marker can be defined whose value is set to 0.
Please see page 6–144 for more information about the safety-related inputs.
Plausibility of the permissive button/key: If a permissive button/key is
pressed for longer than 30 minutes without interruption, then the SPLC program
is to set the corresponding input marker to 0. If the operator releases the
permissive button/key, the input marker must also be set to 0. Furthermore,
the SPLC program must set an export marker that tells the PLC program to
display a warning. This makes it possible to detect a jammed permissive
button/key. In all following considerations, the filtered input marker of the
permissive button/key is used. Hereinafter, the permissive button/key is only
considered to be pressed if the filtered input marker is set to 1. The
30 minutes are a guideline. The risk analysis of the machine can result in a
different, perhaps even shorter value.
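The input handling described for the FS inputs (A/B channel AND gating with the inversion of SMP585.x/SMP586.x), the permissive-key validity timer and this plausibility check, as one added example that is not HEIDENHAIN code: SafeInput, PermissiveKeyFilter and demo() are hypothetical names, and the timings in demo() are constructed.

```python
"""Simulated SPLC input filtering for a dual-channel permissive key.

Added example, not HEIDENHAIN code: it models the A/B channel AND gating
(with the channel inversion that SMP585.x / SMP586.x provide), the edge-
triggered validity timer of up to 30 minutes, and the warning marker for a
jammed key.  SafeInput, PermissiveKeyFilter and demo() are hypothetical
names; the timings in demo() are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SafeInput:
    """One FS input as seen by the SPLC: two physical terminals, A (MC) and
    B (CC), optionally inverted before they are AND gated."""
    invert_a: bool = False   # role of SMP585.x
    invert_b: bool = False   # role of SMP586.x

    def gate(self, a: int, b: int) -> int:
        """Return the input information forwarded to the SPLC markers.

        Inversion happens before the AND, so the handwheel permissive button
        (NO contacts to the MC, NC contacts to the CC, permission = A:1/B:0)
        is modelled with invert_b=True.  Any discrepancy between the two
        channels yields 0, i.e. the safe state."""
        if self.invert_a:
            a ^= 1
        if self.invert_b:
            b ^= 1
        return 1 if (a == 1 and b == 1) else 0


@dataclass
class PermissiveKeyFilter:
    """Plausibility filter for one permissive button/key."""
    physical: SafeInput
    max_hold_s: float = 30 * 60.0   # manual's guideline; risk analysis may shorten it
    warn_marker: int = 0            # export marker: key held too long (jammed?)
    _held_since: Optional[float] = None

    def cycle(self, a: int, b: int, now: float) -> int:
        """Run one SPLC cycle and return the filtered input marker (1 = pressed)."""
        if not self.physical.gate(a, b):
            # Released (or channel discrepancy): marker 0, timer restarts on next edge.
            self._held_since = None
            self.warn_marker = 0
            return 0
        if self._held_since is None:
            self._held_since = now       # rising edge: start the validity timer
        if now - self._held_since > self.max_hold_s:
            self.warn_marker = 1         # held longer than allowed: treat as jammed
            return 0
        return 1


def demo() -> Dict[str, int]:
    """Constructed scenario for a handwheel permissive button (antivalent contacts)."""
    hw = PermissiveKeyFilter(SafeInput(invert_b=True))
    trace: Dict[str, int] = {}
    trace["idle"] = hw.cycle(0, 1, 0.0)                   # NO open, NC closed: not pressed
    trace["pressed"] = hw.cycle(1, 0, 1.0)                 # edge detected at t = 1 s
    trace["held_29min"] = hw.cycle(1, 0, 1.0 + 29 * 60)    # still valid
    trace["jammed"] = hw.cycle(1, 0, 1.0 + 30 * 60 + 1)    # exceeded 30 min
    trace["warning"] = hw.warn_marker
    trace["released"] = hw.cycle(0, 1, 1.0 + 30 * 60 + 2)
    trace["warning_after_release"] = hw.warn_marker
    trace["repressed"] = hw.cycle(1, 0, 1.0 + 30 * 60 + 3)  # new edge: valid again
    trace["cross_circuit"] = hw.cycle(1, 1, 1.0 + 30 * 60 + 4)  # both channels 24 V
    return trace
```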
Danger
In software version 606 42x-01 without SP, all safe dual-channel outputs of
the control system (system module on PLB, PL expansion modules, PL
module of UEC, PL module of UMC) were automatically switched off upon an
external emergency stop. This switch-off occurred immediately after a
triggered emergency stop (ES.x signals) had been detected by the control
system. The SPLC outputs remained switched off until the emergency-stop
status was rescinded.
However, the behavior described repeatedly leads to difficulties with complex
machines, since safe information must be exchanged and safe outputs set
even when in an emergency stop state. This became possible with
modifications to the NC software and the firmware of the components
affected.
For outputs of a PL 6xxx (system module on PLB, PL expansion modules)
this applies as of 606 42x service pack 01.
For outputs of a UMC 1xx and UEC 1xx (PL part), this applies as of 606 42x
service pack 05.
Safe outputs will then no longer automatically be switched off upon an
external emergency stop (ES.x signals). In general, safe, dual-channel outputs
will then no longer be switched off via safe status bits (4–75). The machine
manufacturer will then be responsible for ensuring that the SPLC program
switches them off. The interface marker NN_GenOutputEnable should be used
to make a decision about switching off the safe outputs, see page 8–197.
As of the appropriate service pack, this automatic switch-off only occurs if the
control crashes, if an internal fault of the component occurs, or if there is a
fault in the HSCI communication.
Please note that SPLC marker NN_AxGrpInMotion is not synchronized with PLC
marker W1026 Axis in position. Due to differing runtimes, it can happen that
axes for PLC and SPLC do not come to a standstill at the same time.
0 (FALSE): The position value supplied for the axis is not reliable, and may
not be used for the realization of safety functions.
1 (TRUE): The axis is a safe axis, the axis has been homed, and the axis
position has been verified. The position value supplied for the axis is
reliable, and can be used for the realization of safety functions.
If the SPLC requests a stop reaction or safety function from the SKERN, then
the SPLC program is also responsible for showing the operator any relevant
error messages. With correct parameterization of the safe machine
parameters and of the SPLC program, all requested stop reactions and safety
functions run without error messages from the SKERN or the NC software.
Note
Ensure that all requests (stop reactions, safety functions) by the SPLC
program run without errors, and are not unwantedly interrupted by an
additional error detection or trigger by the NC software. Should this be the
case, then the SPLC program must output error messages or instructions
for the operator.
The PLC modules 9169 (axes for which I32 does not switch off the drives) and
9143 (activation of the brake test) cannot be used for controls with functional
safety.
Attention
Input markers that are not effective due to safety reasons must be set to 0
by the SPLC program. However, no input markers are to be set to 1.
You can find more information about this filtering in the "Filtering of inputs"
chapter.
Example:
Exporting the spindle start and spindle jog keys of an HR 410 FS:
#TYPE M
/sToPlc:M9865 SP_M_Taste_HR410_S_Start
/sToPlc:M9866 SP_M_Taste_HR410_S_Tipp
Global enabling of the outputs: If the marker NN_GenOutputEnable = 0 (meaning
that it is not set), the SPLC program is to switch off all SPLC outputs that
trigger or permit a motion. Outputs that only serve as status message can
always be set, regardless of this marker.
The NN_GenOutputEnable marker is set to 0 by the SKERN in the following
cases (as a prompt to switch off safe PLC outputs):
At the end of an SS1 reaction upon an external emergency stop (ES.A,
ES.B), when axes/spindles have come to a standstill
At the end of an SS1F reaction (severe hardware or software fault), when
axes/spindles have come to a standstill
At the beginning of an SS0 reaction
Please note that if there is an SS1 reaction (without external emergency stop),
e.g. after speed or position monitoring has triggered, the NN_GenOutputEnable
marker is not set to 0, in contrast to the STO.A.G signal. Upon an internal
emergency stop or a fault from the PET table with emergency stop, the
NN_GenOutputEnable marker remains set (= 1).
Note
Upon an emergency stop the SPLC program is responsible for switching off
the SPLC outputs. The SKERN simply clears the NN_GenOutputEnable
marker. The machine manufacturer is responsible for the point at which
safe outputs must be switched off.
Tool holder: The SPLC program imports the request for opening the tool holder
from the PLC program. The PLC program may only place this request if the
spindle is at a standstill, and if it has been disconnected from power if the
guard door is open. The SPLC program checks whether the PLC program is
behaving correctly.
If there is no request from the PLC to open the tool holder, then the SPLC
program must close the tool holder, see page 6–150.
If there is a request to open the tool holder, and the guard door is closed, the
SPLC program must check whether the spindle is at a standstill
(NN_AxGrpInMotion[S]=FALSE). Then it can open the tool holder. No further
checks are necessary once the tool holder has been opened.
If there is a request to open the tool holder, and the guard door is open, the
SPLC program must ensure that the spindle is at a standstill and has been
disconnected from power, and that it will remain so. To do so, the SPLC
program must set PP_AxGrpStateReq[S] to the value S_STATE_STO_O. If the
spindle is not at a standstill, the SKERN will trigger an emergency stop. In the
following SPLC cycle the SPLC program can open the tool holder if the PLC
program continues to request it, if the axis group is at a standstill
(NN_AxGrpInMotion[S]=FALSE), and if the axis group has been disconnected
from power (NN_AxGrpState[S]=S_STATE_STO_O or S_STATE_STO). No further
checks are necessary once the tool holder has been opened.
In every cycle in which the tool holder and guard door are open, the SPLC
program must set PP_AxGrpStateReq[S]= S_STATE_STO_O (especially if the
guard door is opened while the tool holder is open).
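The tool-holder rule above, modelled cycle by cycle. This is an added example, not HEIDENHAIN code: the marker names PP_AxGrpStateReq[S], NN_AxGrpInMotion[S] and NN_AxGrpState[S] are the manual's, while the class, the input record and the constructed input values are assumptions made for this example. The function returns the state request this logic alone imposes (S_STATE_STO_O or none); the remaining state requests for the spindle group come from the guard-door and keylock rules.

```python
"""Tool-holder release logic of an SPLC cycle, modelled in Python.

Added example, not HEIDENHAIN code. Marker names follow the manual; the
class, the input record and the sample values are illustrative.
"""
from dataclasses import dataclass
from typing import Optional

# Axis-group states named in the manual (string constants for the example).
S_STATE_AUTO = "S_STATE_AUTO"
S_STATE_STO = "S_STATE_STO"
S_STATE_STO_O = "S_STATE_STO_O"


@dataclass
class SpindleInputs:
    """What the SPLC program sees in one cycle (constructed for the example)."""
    plc_requests_open: bool   # request imported from the PLC program
    guard_door_open: bool     # guard door of the working space
    in_motion: bool           # NN_AxGrpInMotion[S]
    state: str                # NN_AxGrpState[S], the monitoring the SKERN reports


@dataclass
class ToolHolderOutputs:
    holder_open: bool         # SPLC output: tool holder opened (True) or closed (False)
    state_req: Optional[str]  # PP_AxGrpStateReq[S] demanded by this logic, or None


class ToolHolderLogic:
    """Keeps the only state the rule needs: whether the holder is open."""

    def __init__(self) -> None:
        self.holder_open = False

    def cycle(self, inp: SpindleInputs) -> ToolHolderOutputs:
        # No request from the PLC: the holder must be closed, nothing else to demand.
        if not inp.plc_requests_open:
            self.holder_open = False
            return ToolHolderOutputs(False, None)

        if not inp.guard_door_open:
            # Door closed: open once the spindle stands still; no check afterwards.
            if not self.holder_open and not inp.in_motion:
                self.holder_open = True
            return ToolHolderOutputs(self.holder_open, None)

        # Door open: demand S_STATE_STO_O in every cycle, also when the door was
        # opened with the holder already open. A moving spindle is then stopped
        # by the SKERN (emergency stop), not by this logic.
        if not self.holder_open:
            disconnected = inp.state in (S_STATE_STO_O, S_STATE_STO)
            # The reported state only becomes STO_O in a later cycle than the
            # request, so the holder opens at the earliest one cycle later.
            if not inp.in_motion and disconnected:
                self.holder_open = True
        return ToolHolderOutputs(self.holder_open, S_STATE_STO_O)
```

Note that the holder is only closed again when the PLC withdraws its request; opening the guard door with the holder open does not close it, it only adds the S_STATE_STO_O demand.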
In PP_AxGrpStateReq the SPLC program specifies for each axis group what the
minimum level of monitoring for the respective axis group is during the current
state of the guard doors and the setting of the keylock switch.
PP_AxGrpStateReq does not take into account other keys that influence the
monitoring (emergency stop, permissive buttons/keys, start keys, stop keys,
etc.).
The safety-kernel software might perform even stricter monitoring than
prescribed by the SPLC program, but never a less strict monitoring. It reports
the monitoring actually in effect to the SPLC program via NN_AxGrpState.
Guard door closed (any setting of the keylock switch): PP_AxGrpStateReq = S_STATE_AUTO
If the control is in safe operating mode SOM_1 and the guard door is open, the
SPLC must set the PP_AxGrpStateReq marker to the value S_STATE_SOS.
However, in this case it is not necessary for the SPLC to additionally request
a stop reaction. Setting PP_AxGrpStateReq = S_STATE_SOS already ensures
that an SS1 reaction will be triggered by the SKERN if an axis should move
while the control is in this state.
Guard door of the tool magazine open: PP_AxGrpStateReq[T] = S_STATE_SLS_2
Guard door of the tool magazine closed: PP_AxGrpStateReq[T] = S_STATE_AUTO
In addition, the SPLC program should request suitable stop functions, in order
to stop or prevent motions that are not permitted. The setting of the keylock
switch is not taken into consideration here, since it is usually located at a
greater distance from the guard door of the tool magazine.
If auxiliary axes are accessible from the normal working space, then the SPLC
program should specify the requested state of the axis group in a similar
manner as for the spindles:
For a closed guard door: S_STATE_AUTO; for an open guard door it depends on
the setting of the keylock switch: S_STATE_SOS or S_STATE_SLS_*.
Similar rules as for spindles apply to the motions of such auxiliary axes:
A motion must always be started with a permissive key and a specific motion
key. The motion may only be maintained as long as the permissive key is
pressed.
The SPLC program uses the PP_AxGrpActivate marker to report to the safety-
kernel software that there is a current event permitting a motion of the
associated axis group. If the guard door is open, then a key must always be
pressed in order to start a motion, so the SPLC program should set the marker
at just the instant when a key with which the axis group can be moved is
pressed. If the guard door is closed, the machine can start a motion
automatically, even without a key being pressed. But no motion may occur as
an immediate reaction to the guard door having just been closed. Therefore,
the SPLC program should set the PP_AxGrpActivate marker if, since the last
time the guard door was closed, a key was pressed with which the axis group
can be moved. The exact rules vary depending on the type of the axis group.
NC axes
If the working space of an axis group with NC axes is completely protected by
guard doors, then the SPLC program is to set the PP_AxGrpActivate marker to
FALSE at first. If an axis-direction key, NC start or permissive button on the
handwheel is pressed while the guard door is closed, then the SPLC program
is to set the marker to TRUE. Once this has happened, the SPLC program
should continue setting the marker to TRUE as long as the guard door remains
closed.
If the working space of an axis group with NC axes is not completely protected
by guard doors, and the control is being operated via the operating panel, then
the SPLC program is to set the PP_AxGrpActivate marker to one of the
following values for this axis group, depending on the active safe operating
mode and the keys on the machine operating panel:
SOM_2, SOM_3 or SOM_4, and at least one of these keys is pressed: PP_AxGrpActivate = TRUE
If the T guard door is also open, then the SPLC program is to set
PP_AxGrpActivate[A] to FALSE for the NC axes.
If the working space of an axis group with spindles is not completely protected
by a guard door, and the control is in a "being operated via operating panel"
mode, then the SPLC program is to set the PP_AxGrpActivate marker to one
of the following values for this axis group, depending on:
the safe operating mode and
the keys on the machine operating panel
Guard door   Permissive key of tool magazine   Motion keys of tool magazine   PP_AxGrpActivate
Closed       *                                 *                              TRUE
The SPLC program uses the PP_AxFeedEnable marker to report to the safety-
kernel software that the associated axis may be moved. This marker is
important for when not all of the axes in an axis group may be moved,
especially for manual motions using the axis-direction keys.
NC axes
If the working space in which an NC axis is located is completely protected by
guard doors (all guard doors of the working space are closed), then the SPLC
program is to set the PP_AxFeedEnable marker to TRUE for this axis.
If the working space in which an NC axis is located is not completely protected
by guard doors (not all guard doors of the working space are closed), then the
SPLC program is to set the PP_AxFeedEnable marker for this axis to one of the
following values, depending on the operating mode, the axis-direction keys of
this axis, the permissive button on the handwheel and the
MG_Program_Running marker (see 8–204).
During operation via the operating panel (manual or automatic), the SPLC
program is to set the PP_AxFeedEnable marker to TRUE for exactly the period
that the MG_Program_Running marker is set or an axis-direction key for the
corresponding axis is pressed.
During operation via the handwheel, the SPLC program is to set the
PP_AxFeedEnable marker to TRUE for exactly the period that the
MG_Program_Running marker is set or the permissive button on the
handwheel is pressed. The SKERN monitors the maximum number of axes
that may be moved simultaneously.
General information
The SPLC program should set the PP_AxGrpStopReq marker for each axis group
to one of the following values:
If the SPLC program wants to prevent all axes of an axis group from moving,
then it should set the PP_AxGrpStopReq marker to the value S_STOP_SS2 for this
axis group. If it wants to prevent motion of a specific axis, then it should set
the PP_AxFeedEnable marker to FALSE for this axis.
NC axes:
Event                                                    PP_AxGrpStopReq
Other                                                    S_STOP_NONE
a. The risk analysis for the machine must show whether stopping of
the NC axes is actually necessary here.
Spindle:
Event                                                    PP_AxGrpStopReq
Other                                                    S_STOP_NONE
a. The risk analysis for the machine must show whether stopping of
the spindle is actually necessary here.
Tool magazine:
Event                                                    PP_AxGrpStopReq
Permissive key and exactly one tilting key are pressed   S_STOP_NONE
Other                                                    S_STOP_SS2
Stop event
It suffices for the SPLC program to set a stop request in an SPLC cycle if a
stop is necessary. The SKERN is responsible for maintaining the stopped
status until the stop has concluded.
The SPLC program uses PP_AxGrpPB to report the status of the currently
effective permissive button/key to the safety-kernel software.
Permissive buttons/keys
The following rules apply to PP_AxGrpPB:
PP_GenCVO, PP_AxGrpPermitDrvOn
The SPLC uses the PP_GenCVO signal to report to the SKERN that the control
voltage may be switched on. The PP_GenCVO attribute in SPlcApiToSafety is a
marker. It can have the following states:
The SPLC uses the PP_AxGrpPermitDrvOn signal to report to the SKERN that
the drives belonging to an axis group may be switched on. The SPLC program
uses the signal to request from the SKERN that the STO safety function be
canceled for the axis group, and that the axis group be set to the SOS state.
Theoretically, a separate safe key could be used for this enabling, but in
practice the "Control Voltage ON" key is used for this.
The attribute PP_AxGrpPermitDrvOn in SPlcApiToSafety is an array of logical
markers, where each array index specifies an axis group. It can have the
following states:
Attention
The SPLC program only filters those inputs that trigger a motion, but never
the inputs that stop a motion!
For more information about the filtering of inputs of keys, see page 6–142.
Handwheel keys
The SPLC program must read the permissive button on the handwheel as an
SPLC input, and import the other handwheel inputs from the PLC program.
These inputs must be filtered, and the filtered values then exported to the PLC
program.
Note
This filtering must also be in effect in the SPLC program itself. It should
occur after PP_GenMKG has been determined, but before the further
evaluation of the inputs.
Keys on the tool magazine
The SPLC program reads the permissive key and the tilting keys on the tool
magazine as SPLC inputs. It must filter the corresponding inputs, and the PLC
program then automatically sees the filtered values in its input markers.
Note
This filtering must also be in effect in the SPLC program itself. It should
occur after PP_GenMKG has been determined, but before the further
evaluation of the inputs.
Spindle jog key
Movement of the axis group S via the spindle jog key
The figure below shows the sequence for motion of the spindle via the spindle
jog key either on the operating panel or the handwheel, in the safety-related
operating mode SOM_2:
As indicated in the figure, in manual operation the NC axes may be moved with
a dual-channel axis direction key via the operating panel, without having to
press a permissive key.
On the other hand, the permissive key must be pressed for every axis
movement with manual operation of the control in the El. Handwheel
operating mode, since this is the only dual-channel key on the handwheel. An
axis-direction key is not necessary, since the axes can also be moved via the
wheel on the handwheel. The SPLC is not aware of any operations using the
wheel.
The SPLC program detects a valid NC start upon the positive edge of the
NC start key while the permissive key is pressed at the same time. This can
be implemented analogously to the spindle start. In automatic operation, the
SPLC program sets PP_AxFeedEnable to TRUE for all NC axes.
After an NC start, the NC axis remains in motion until it is explicitly stopped,
for example via the NC stop key or the emergency stop input.
The start for automatic operation in the El. Handwheel operating mode is
identical to automatic operation via the operating panel. When the operator
releases the permissive button on the handwheel, the SPLC program sets
PP_AxFeedEnable to FALSE, and the SKERN stops the motion.
The figure shows a case where the tool magazine is at a standstill while the
T guard door is being opened (NN_AxGrpInMotion[T] = FALSE). Should the tool
magazine move while the T guard door is being opened, the SPLC program
sets PP_AxGrpStopReq[T] to S_STOP_SS1, so that the tool magazine is
decelerated along the emergency braking ramp, after which the drive is
switched off.
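The stop-request table for the tool magazine and the case just described (magazine still moving while the T guard door is opened), combined in one cycle function. This is an added example, not HEIDENHAIN code: the S_STOP_* names and NN_AxGrpInMotion[T] are the manual's; the class and its inputs are assumptions, as are two readings of the text made for the example: that the permissive-key/tilting-key table applies while the T guard door is open and no stop is requested while it is closed, and that detecting the opening of the door as the edge between two cycles is sufficient, since the SKERN maintains a stop once requested.

```python
"""PP_AxGrpStopReq[T] and PP_AxGrpActivate[T] for the tool-magazine axis
group, modelled in Python.

Added example, not HEIDENHAIN code. Stop names are the manual's; the class,
the input arguments and the interpretation of the table (valid only with the
T guard door open) are assumptions for this example.
"""
from typing import Sequence, Tuple

S_STOP_NONE = "S_STOP_NONE"
S_STOP_SS1 = "S_STOP_SS1"
S_STOP_SS2 = "S_STOP_SS2"


class ToolMagazineSafety:
    def __init__(self) -> None:
        self.t_door_was_open = False   # previous cycle, to detect the opening edge

    def cycle(self, t_door_open: bool, permissive: bool,
              tilt_keys: Sequence[bool], in_motion: bool) -> Tuple[str, bool]:
        """One SPLC cycle.

        t_door_open: guard door of the tool magazine (filtered input)
        permissive:  permissive key on the tool magazine (filtered input)
        tilt_keys:   the tilting keys on the tool magazine (filtered inputs)
        in_motion:   NN_AxGrpInMotion[T] as reported by the SKERN
        Returns (PP_AxGrpStopReq[T], PP_AxGrpActivate[T]).
        """
        opening_edge = t_door_open and not self.t_door_was_open
        self.t_door_was_open = t_door_open
        exactly_one_tilt_key = sum(1 for k in tilt_keys if k) == 1
        valid_manual_motion = permissive and exactly_one_tilt_key

        if not t_door_open:
            # Closed T guard door: the magazine may run automatically
            # (S_STATE_AUTO); the table row for a closed door gives TRUE.
            return S_STOP_NONE, True
        if opening_edge and in_motion:
            # Door opened while the magazine is still moving: emergency braking
            # ramp, then the drive is switched off (SS1). One cycle suffices;
            # the SKERN keeps the stop active until it has concluded.
            return S_STOP_SS1, False
        if valid_manual_motion:
            # Permissive key held and exactly one tilting key: motion permitted.
            return S_STOP_NONE, True
        # Everything else with the door open (no key, no permissive key, both
        # tilting keys at once): SS2.
        return S_STOP_SS2, False
```

Because the tilting keys are counted rather than OR-ed, pressing both at once is treated like pressing none, which is the "exactly one" condition of the table; the permissive key alone never permits a motion.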