Maintenance
12.8 Reaction to faults in fail-safe modules and fail-safe motor starters
Distributed I/O system
256
System Manual, 12/2016, A5E03576849-AG
12.8 Reaction to faults in fail-safe modules and fail-safe motor starters
Safe state (safety concept)
The basic principle behind the safety concept is the existence of a safe state for all process variables.
Note
For digital F-modules, this safe state is the value "0". This applies to both sensors and actuators. In the case of the fail-safe motor starters, the load is shut down in a fail-safe manner.
Fault reactions and startup of the F-system
The safety function means that fail-safe modules use substitute values (safe state) instead of process values (passivation of the fail-safe module) in the following situations:
● When the F-system is started up
● If errors are detected during safety-related communication between the F-CPU and the F-module via the PROFIsafe safety protocol (communication error)
● If F-I/O faults or channel faults are detected (e.g. wire break, discrepancy error)
Detected faults are written to the diagnostic buffer of the F-CPU and communicated to the safety program in the F-CPU.
F-modules cannot save errors as retentive data. After a POWER OFF / POWER ON, any faults still existing are detected again during startup. However, you have the option of saving faults in your safety program.
WARNING
For channels that you set to "deactivated" in STEP 7, no diagnostic response or error handling is triggered when a channel fault occurs, not even when such a channel is affected indirectly by a channel group fault ("Channel activated/deactivated" parameter).
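The passivation rules of this section, as an added Python model that is not Siemens code and not part of the manual: channels are plain integers, the deactivated set stands in for the STEP 7 "Channel activated/deactivated" parameter, and reintegration after a fault is reduced to a single call (the acknowledgement sequence is not modelled).

```python
from dataclasses import dataclass, field

SAFE_STATE = 0  # substitute value of digital F-modules, for sensors and actuators alike

@dataclass
class FModuleModel:
    """Simplified model of the passivation rules above (added here, not Siemens code)."""
    n_channels: int
    deactivated: frozenset = frozenset()             # channels set to "deactivated" in STEP 7
    diag_buffer: list = field(default_factory=list)  # stands in for the F-CPU diagnostic buffer
    latched: set = field(default_factory=set)        # faults the safety program chose to save itself
    channel_faults: set = field(default_factory=set)  # faults the module currently sees (not retentive)
    passivated: bool = True                          # passivated from startup until reintegration

    def report_channel_fault(self, ch, text, latch=False):
        """Channel fault (e.g. wire break, discrepancy error); returns True if a diagnostic was raised."""
        if ch in self.deactivated:
            return False  # WARNING above: no diagnostic response or error handling at all
        self.channel_faults.add(ch)
        self.diag_buffer.append(f"channel {ch}: {text}")
        if latch:  # optional retention inside the safety program, as the manual allows
            self.latched.add((ch, text))
        return True

    def report_group_fault(self, channels, text):
        """A channel group fault hits every member, but deactivated members still stay silent."""
        return [ch for ch in channels if self.report_channel_fault(ch, text)]

    def communication_error(self):
        """PROFIsafe error between F-CPU and F-module: the whole module is passivated."""
        self.passivated = True
        self.diag_buffer.append("PROFIsafe communication error")

    def power_cycle(self, faults_still_present):
        """POWER OFF / POWER ON: the module forgets its faults and re-detects only those
        that still exist; the copy latched by the safety program survives."""
        self.channel_faults.clear()
        self.passivated = True
        for ch, text in faults_still_present:
            self.report_channel_fault(ch, text)

    def reintegrate(self):
        self.passivated = False  # assumption: the acknowledgement sequence is not modelled

    def values(self, process_values):
        """What the safety program sees: substitute value while passivated, faulted or deactivated."""
        return [SAFE_STATE if self.passivated or ch in self.channel_faults or ch in self.deactivated
                else process_values[ch] for ch in range(self.n_channels)]
```

Running the model through startup, a latched wire break, a group fault touching a deactivated channel and a power cycle shows which faults survive where (module, F-CPU diagnostic buffer, safety program).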
Remedying faults in the F-system
To remedy faults in your F-system, follow the procedure described in IEC 61508-1:2010 section 7.15.2.4 and IEC 61508-2:2010 section 7.6.2.1 e.
The following steps must be performed:
1. Diagnosing and repairing the fault
2. Revalidation of the safety function
3. Recording in the service report