of with an identical safety module or a different module type (switch module
CAMC-DS-M1, safety module CAMC-G-S1) must always be confirmed.
The factory supplies the safety module in the “delivery status”:
–
The safety module is “validated as a whole” with the parameterisation of the
factory setting and is thus functional. The motor controller can be commis-
sioned, and the power stage and controller enable can be set.
–
All error messages due to a different parameterisation of the basic unit and
safety module are suppressed. Hence, you can perform basic commissioning
of the motor controller independently of complex safety-engineering peri-
pherals.
Minimum circuitry in the delivery status:
–
The safety functions STO and SBC are requested via DIN40.
–
DIN49 terminates the safety functions, DIN48 acknowledges errors.
Wiring must not be bypassed and must be validated in the machine. The delivery
status can also be recognised without parameterisation software or SafetyTool by
the green-red flashing LED of the safety module (if DIN40 is switched on and no
safety function is requested).
8.4
Parameterisation of the safety module with the SafetyTool
The safety module is then parameterised with special software, the SafetyTool.
The SafetyTool is called up from the included parameterisation software. For addi-
tional information
è
SafetyTool help.
8.5
Function test, validation
NOTICE!
The safety functions must be validated after installation and after any changes to
the installation.
This validation must be documented by the person who commissions the device.
As an aid to commissioning, you will find examples of check lists in the descrip-
tion of CAMC-G-S3-....
9
Diagnostics and fault clearance
9.1
Status display
Status and malfunctions are displayed directly by the two-colour LED of the safety
module.
Status display on the safety module
The safety module has an LED on the front to indicate the status of the safety
function. The status LED displays the operating status of the safety module. The
display is exclusively for diagnostics and must not be used in a safety-oriented
way.
LED
Status
Internal status
Flashes red
“System Error”
The entire system is in the “System Error” or
“Communication Error” status.
Lights up red
“Safety Condition Violated”,
error response initiated
Violation of at least one of the currently required
safety functions.
Lights up yel-
low
“Safe State Reached”, safe
status achieved
Requested safety functions are in the status
“Safe State Reached”.
Flashes yellow
“Safety Function Requested”
At least one safety function requested.
Flashes
red/green
“Delivery Status”
Delivery status
è
parameterisation software for the CMMP-AS
Flashes green
“Service” status
No parameters present, parameters invalid or
parameterisation session is running.
Lights up
green
“Ready”, operational
Operational, no safety function requested, no
errors.
Off
“Initialisation Running”
Initialisation 1: load parameters, initialisation
2: communication setup.
Tab. 3
Status display of the safety functions on the motor controller
Display of safety functions on the 7-segment display
STO
S t O
SOS
S O S
SS1
S S 1
USF0
(...1, 2. 3)
U S F 0
SS2
S S 2
SBC
S b C
Tab. 4
9.2
Malfunction messages
The motor controller displays malfunctions cyclically in the seven-segment display
on the front of the motor controller. Error messages are displayed by “E” (for
Error), a main index (xx) and a sub-index (y), e.g. E 5 1 0. Warnings have the same
number, but are shown with bars before and after, e.g. - 1 7 0 -. The following
table lists the error messages that are relevant for functional safety in the context
of the safety module.
è
The complete list of error messages can be found in the hardware documenta-
tion GDCP-CMMP-M3-HW-... of the motor controller used.
Error number
Main index
Error type/class
Basic device error
51-x
Control signals from the safety module, module type/identifier not OK
52-x
Error in control sequence with the safety module
Error of the safety module
53-x
Violation of a safety function
54-x
Violation of a safety function
55-x
System error: actual value recording/position encoder not OK
56-x
System error: position recording/comparison not OK
57-x
System error: inputs and outputs or internal test signals not OK
58-x
System error: external/internal communication not OK
59-x
System error of the firmware/hardware error of the safety module
Tab. 5
10
Operation and use
10.1
Obligations of the operator
The functionality of the safety device must be tested at appropriate intervals. It is
the responsibility of the operator to choose the type and frequency of the checks
within the specified time period. The manner in which the test is conducted must
make it possible to verify that the safety device is functioning perfectly in interac-
tion with all components.
10.2
Maintenance and care
The safety module is maintenance-free.
11
Repair, replacement of the safety module
11.1
Repair
è
Repair or maintenance of the safety module is not permissible. If necessary,
replace the entire safety module.
–
Always replace the safety module in case of a defect.
–
Send the unchanged defective safety module with a description of the error
and the application back to Festo for analysis. Please contact your technical
consultant to clarify the modalities of the return.
11.2
Replacement of the safety module
If a safety module fails and has to be replaced, organisational measures must be
taken to ensure that an unsafe status is not created. This requires
–
that the safety module is
not
replaced by another module type without safety
functionality (switch module).
–
that the safety module is
not
replaced by another module type with less func-
tion range (CAMC-G-S3 for CAMC-G-S1).
–
that the revision status of the new safety module matches that of the old
safety module or is compatible.
–
that the parameterisation of the new safety module matches the paramet-
erisation of the defective safety module.
Observe required organisational measures to avoid errors when replacing the
module. For example, you must always generate a new validation report due to
the different serial number of the safety module.
Disassembly and installation
Before a module is replaced, the compatibility between the safety module and
basic unit must be checked.
Information on removal and installation of the safety module
è
Accepting the safety module
After replacing the module, you must first accept the new safety module again
è
Recommissioning with the SafetyTool
After accepting the replaced safety module, you must transfer the desired para-
meterisation to the safety module and then validate it. To do this, you must first
start the SafetyTool in online mode. You then have the following options, depend-
ing on the data present from the safety module that is to be replaced:
a) Reliable parameter set available for the safety module that is to be replaced:
–
Open the parameter set in the SafetyTool and upload it to the safety module.
The basic information of the basic unit must match the parameter set.
b) Stored SafetyTool project is available that conforms to the parameterisation:
–
Set the safety module to the factory setting if necessary.
–
Open the SafetyTool project.
–
Adjust basic information to the basic unit if they don't match.
–
Then validate parameter pages and upload them to the safety module.
c) If there is no data stored for the safety module that is to be replaced:
–
Set the safety module to the factory setting if necessary.
–
Continue as with initial commissioning.
Regardless of variant a), b) or c), you must generate a new validation report with a
new validation code and new serial number for the safety module. If there is no
stored SafetyTool project, it should be supplied by the machine manufacturer.
After a replacement, a functional test is always required as well as validation
based on the validation plan provided by the machine manufacturer.
11.3
Decommissioning and disposal
Observe the information for dismantling the safety module
è
