2 General Information about Integrated Safety Systems
2.6 Basics of SINUMERIK Safety Integrated
© Siemens AG 2003 All Rights Reserved
SINUMERIK 840D/SIMODRIVE 611 digital SINUMERIK Safety Integrated (FBSI) - Edition 11.03
2.6.2 Basic features of SINUMERIK Safety Integrated
Characteristics of two-channel, diverse structure
A two-channel, diverse structure is characterized by the following features:
• Two-channel structure with at least two independent computers (i.e. computers with different hardware and software)
• Crosswise result and data comparison with forced checking procedure, for the purpose of detecting internal errors even in functions that are rarely used (dormant errors)
• Computers access data at common interfaces (e.g. actual value input) reaction-free, i.e. with decoupling, so that a fault in one computer cannot affect the other
Acquisition
The actual values are acquired by the 611 digital closed-loop control module via the 1st actual value input (with a single-encoder system) or via the 1st and 2nd actual value inputs (with a 2-encoder system) and supplied to the control system and the drive via 2 separate actual value channels.
Evaluation
The safety-relevant functions are executed by the NCK-CPU and the drive CPU on a mutually independent basis. Both CPUs carry out a mutual comparison (crosswise data comparison) of their data and results in a specified cycle. A test that can be initiated by either of the CPUs can be carried out on the shutdown paths (forced checking procedure).
Response
When monitoring functions respond, the NCK and/or the drive can send control commands to the power section via shutdown paths, thus safely shutting down the axis or spindle.
2.6.3 Forced checking procedure
General notes on the forced checking procedure (taken from /6/)
"… The forced checking procedure must be performed for all static signals and data. The logic state must change from 1 to 0 or vice versa within the specified time (8 h). A state that has become static as the result of an error will be detected at the latest by comparison during this forced checking procedure. A forced checking procedure is required for components that are required to stop a process (e.g. contactors and power semiconductors), the shutdown path, and for the shutdown condition. It is generally not possible to test a shutdown condition, e.g. violation of a limit value criterion, using other methods, e.g. crosswise data comparison, when the machine is in an acceptable condition. This also applies to errors along the entire shutdown path including associated hardware and software and circuit-breakers. By integrating a test stop in eight-hourly cycles with comparison and expected status, errors can also be detected when the machine is in an acceptable condition …"
(Note: "Acceptable condition" means that there are no machine faults that are apparent to the operator.)
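The interplay of the crosswise data comparison (2.6.2) and the forced checking procedure (2.6.3), as an added illustration that is not Siemens code: two channels evaluate the same limit criterion every cycle, and a test stop exercises each shutdown path at least every 8 h so that a path stuck at "enabled" is found even though no limit is ever violated. All class and function names, and the stuck-at fault, are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

FORCED_CHECK_INTERVAL_S = 8 * 3600   # "within the specified time (8 h)"


@dataclass
class ShutdownPath:
    """Output to the power section: 1 = enabled, 0 = shut down.
    `stuck_at` models a dormant fault holding the output static (constructed)."""
    stuck_at: Optional[int] = None
    output: int = 1

    def drive(self, value: int) -> int:
        self.output = value if self.stuck_at is None else self.stuck_at
        return self.output


@dataclass
class Channel:
    """One of the two independent computers (NCK or drive CPU)."""
    name: str
    limit: float
    path: ShutdownPath = field(default_factory=ShutdownPath)

    def shutdown_required(self, actual: float) -> bool:
        return abs(actual) > self.limit          # limit-value criterion


def crosswise_compare(a: Channel, b: Channel, actual_a: float, actual_b: float) -> str:
    """Both channels evaluate their own actual value; a disagreement is a fault."""
    ra, rb = a.shutdown_required(actual_a), b.shutdown_required(actual_b)
    if ra != rb:
        return "discrepancy"
    return "shutdown" if ra else "ok"


def forced_check(ch: Channel) -> bool:
    """Test stop: command the path 1 -> 0 -> 1 and compare with the expected status."""
    return ch.path.drive(0) == 0 and ch.path.drive(1) == 1


def run(a: Channel, b: Channel, samples, cycle_s: float = 1.0) -> list:
    """Run one cycle per (actual_a, actual_b) sample; return the events raised."""
    events, since_check = [], 0.0
    for actual_a, actual_b in samples:
        verdict = crosswise_compare(a, b, actual_a, actual_b)
        if verdict != "ok":
            events.append(verdict)
        since_check += cycle_s
        if since_check >= FORCED_CHECK_INTERVAL_S:   # test stop in 8-hourly cycles
            since_check = 0.0
            events += [f"forced check failed: {c.name}" for c in (a, b) if not forced_check(c)]
    return events
```

With a healthy path on both channels the run returns no events; with the drive path stuck at 1 the crosswise comparison stays silent for the whole 8 h and only the test stop reports the dormant fault.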