Programmable Safety Controller SCR P
www.bernstein.eu | Tel: +49 571 793 0
Fault Exclusion
An important concept within the requirements of ISO 13849-1 is the probability of occurrence of a failure, which can be reduced using a technique termed "fault exclusion". The rationale is that the possibility of certain well-defined failures can be reduced through design, installation, or technical improbability to the point where the resulting faults can, for the most part, be disregarded, that is, "excluded" from the evaluation.
Fault exclusion is a tool a designer can use during the development of the safety-related part of the control system and during the risk assessment process. It allows the designer to design out the possibility of specific failures and to justify each exclusion through the risk assessment, in order to meet the requirements of ISO 13849-1/-2. An exclusion is only as good as its justification: every excluded fault must be documented with the design, installation, or environmental condition that makes it improbable.
Requirements vary widely for the level of safety circuit integrity in safety applications (that is, Control Reliability or Category/
Performance Level) per ISO 13849-1. Although BERNSTEIN always recommends the highest level of safety in any
application, it is the responsibility of the user to safely install, operate, and maintain each safety system and comply with all
relevant laws and regulations.
6.3.2 Safety Input Device Properties
The Safety Controller is configured via the Software to accommodate many types of safety input devices. See p. 52 for more information on input device configuration.
Reset Logic: Manual or Automatic Reset
A manual reset may be required for safety input devices, either by using a Latch Reset Block or by configuring a safety output for latch reset, before the safety output(s) they control are permitted to turn back On. This is sometimes referred to as "latch" mode because the safety output "latches" in the Off state until a reset is performed. If a safety input device is configured for automatic reset or "trip" mode, the safety output(s) it controls turn back On as soon as the input device returns to the Run state (provided that all other controlling inputs are also in the Run state).
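The following is an added example that models the two reset behaviours described above; it is not firmware or configuration from the SCR P or the Software. The class and method names (SafetyInput, SafetyOutput, update, reset) and the RUN/STOP, LATCH/TRIP labels are assumptions chosen for illustration. One further assumption is labelled in the code: a manual reset is honoured only while every controlling input is already in the Run state, so pressing reset while a guard is still open leaves the latch in place.

```python
"""Model of manual ("latch") vs automatic ("trip") reset for one safety output
controlled by several safety inputs.

Added example, not code from the SCR P manual or the Software.  Names are
assumptions for illustration.  Assumption: a manual reset is honoured only
while every controlling input is in the Run state; otherwise it is ignored.
"""
from dataclasses import dataclass, field

RUN, STOP = "Run", "Stop"
LATCH, TRIP = "latch", "trip"   # manual reset / automatic reset


@dataclass
class SafetyInput:
    name: str
    reset_mode: str            # LATCH (manual reset) or TRIP (automatic reset)
    state: str = RUN
    latched: bool = False      # set when a LATCH input goes to Stop, cleared by reset


@dataclass
class SafetyOutput:
    inputs: list
    on: bool = False
    history: list = field(default_factory=list)

    def _evaluate(self) -> bool:
        """Output may be On only when every input is Run and no latch is pending."""
        self.on = all(i.state == RUN and not i.latched for i in self.inputs)
        self.history.append(self.on)
        return self.on

    def update(self, **states) -> bool:
        """Apply new input states (name=RUN / name=STOP) and re-evaluate."""
        for inp in self.inputs:
            if inp.name in states:
                new = states[inp.name]
                if new == STOP and inp.reset_mode == LATCH:
                    inp.latched = True   # output stays Off until a manual reset
                inp.state = new
        return self._evaluate()

    def reset(self) -> bool:
        """Manual reset.  Assumption: only accepted when all inputs are Run."""
        if all(i.state == RUN for i in self.inputs):
            for inp in self.inputs:
                inp.latched = False
        return self._evaluate()


def demo_mixed() -> list:
    """E-stop (manual reset) and guard door (automatic reset) on one output.

    Constructed scenario; returns the output state after each event.
    """
    out = SafetyOutput([SafetyInput("estop", LATCH), SafetyInput("door", TRIP)])
    return [
        out.update(estop=RUN, door=RUN),    # True:  everything in Run
        out.update(door=STOP),              # False: door open
        out.update(door=RUN),               # True:  trip mode, door Run re-enables output
        out.update(estop=STOP),             # False: e-stop pressed, latch set
        out.update(estop=RUN),              # False: latch holds Off after e-stop released
        out.reset(),                        # True:  reset clears latch, all inputs Run
        out.update(estop=STOP, door=STOP),  # False: both in Stop
        out.update(estop=RUN),              # False: door still Stop
        out.reset(),                        # False: reset ignored while door is Stop (assumption)
        out.update(door=RUN),               # False: door Run, but e-stop latch still pending
        out.reset(),                        # True:  reset now accepted
    ]


if __name__ == "__main__":
    for step, state in enumerate(demo_mixed(), 1):
        print(f"event {step:2d}: output {'On' if state else 'Off'}")
```

The trace shows the practical difference: the door in trip mode re-enables the output by itself as soon as it is closed again, whereas the e-stop in latch mode keeps the output Off through both its own release and a reset attempt made while another controlling input is still in Stop.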
Connecting the Input Devices
The Safety Controller needs to know what device signal lines are connected to which wiring terminals so that it can apply
the proper signal monitoring methods, Run and Stop conventions, and timing and fault rules. The terminals are assigned
automatically during the configuration process and can be changed manually using the Software.
Signal Change-of-State Types
Two change-of-state (COS) types can be used when monitoring dual-channel safety input device signals: Simultaneous or
Concurrent.
WARNING: Input Devices with dual contact inputs using 2 or 3 terminals
Detection of a short between two input channels (contact inputs, but not complementary contacts) is not possible while the two contacts are closed. A short can be detected when the input is in the Stop state for at least 2 seconds (see the INx & IOx input terminals).
WARNING: Category 2 or 3 Input Shorts
• It is not possible to detect a short between two input channels (contact inputs, but not complementary contacts) if they are supplied from the same source (for example, the same terminal of the Safety Controller in a dual-channel, 3-terminal hookup, or an external 24 V supply) and the two contacts are closed.
• Such a short can be detected only when both contacts are open and the short is present for at least 2 seconds.
WARNING: Risk Assessment
The level of safety circuit integrity can be greatly affected by the design and installation of the safety devices and by the means of interfacing those devices. A risk assessment must be performed to determine the appropriate level of safety circuit integrity, to ensure that the expected risk reduction is achieved and that all relevant regulations and standards are complied with.