14F5M1E-Y00D模块备件

14F5M1E-Y00D

发生故障时的反应
如果测试例程检测到计数器输入故障，则模块将以
分配给通道的全局变量采用以下值的方式：
ƒ分配给参数的全局变量->转速[mHz][DINT]und->
旋转速度（缩放）[实]采用值0。
ƒ分配给->计数器读取[mHz]参数的全局变量采用后一个
有效值。
模块将状态通道OK设置为FALSE
如果测试例程检测到模块或子模块故障，则模块将模块设置为OK或OK
子模块OK状态为FALSE。此外，模块或子模块设置通道OK
对于其所有通道，设置为FALSE。
在所有这些情况下，模块会激活前面板上的错误指示灯。
7.5.3观察是否使用X-CI 24 01计数器模块！
如果使用X-CI 24 01计数器模块，则必须遵守以下特殊性：，
另请参阅模块专用手册（HI 801 113 E）：
ƒ在执行重新加载时，如果
在该过程中，以下参数发生了变化：
-计数脉冲评估类型
-使用中的信道对
ƒ如果通道传感器在边缘评估2个阶段、4个边缘期间发生故障，并且未检测到短路或开路，则模块仅记录实际电流的一半
频率值。
ƒ信道参数->电平和->计数。Read（revolv.）不能用于
安全相关应用程序！
ƒ在自动重启期间，要计数的脉冲可能会丢失：
ƒ自动或手动模块重启必须视为特定于应用程序。
ƒ申请建议：
-为确保检测到传感器故障，HIMA建议使用冗余传感器
用于多相位评估或用于识别旋转方向的传感器。
-在测量频率时配置噪声消隐不会影响安全性。
7.5.4根据通电跳闸原则进行操作
允许根据通电跳闸原则操作计数器输入。在里面
在这种情况下，必须为输入模块提供线路监控。
7.5.5冗余
允许冗余连接计数器输入。冗余连接是
通常用于提高可用性。
如果应使用其他连接变体，例如增加SIL值，则故障状态：
必须在用户程序逻辑中处理。
7.6输入检查表
HIMA建议使用可用的清单进行工程、编程和测试
启动安全相关数字输入。检查表可用于帮助规划
以及稍后证明规划阶段已仔细完成。
在设计或启动系统时，填写以下各项的检查表非常有用：
系统中使用的安全相关输入通道，用于验证是否满足要求。这
是确保所有要求都得到考虑和明确记录的一方法。这个
检查表还记录了外部接线和用户之间的关系
程序
HIMax 7输入模块
HI 801 003 E版本4.00第31页，共64页
检查表以Microsoft®Word®格式在HIMA网站上提供。
8个输出模块HIMax
第32页，共64页HI 801 003 E版本4.00
8个输出模块
模块号
属于
渠道
安全相关
安全地
电气
偏远的
评论
数字输出
X-DO 12 02 12 SIL 3-
X-DO 24 01 24 SIL 3-
X-DO 24 02 24 SIL 3-48 VDC
X-DO 32 01 32 SIL 3-
X-DO 32 51 32--
数字继电器输出
X-DO 12 01 12 SIL 3•230 VAC
X-DO 12 52 12-•
模拟输出
X-AO 16 01 16 SIL 3成对
X-AO 16 51 16--
表10：输入模块概述
8.1总则
安全相关输出模块每周期写入一次，生成的输出信号
并与指定的输出数据进行比较。
输出的安全状态为0或开路继电器触点。
使用相应的错误代码，存在编程故障的其他选项
用户程序中的反应。
有关输出模块的更多信息，请参阅各个模块手册。
8.2执行机构的安全
在安全相关应用中，PES及其连接的执行器必须满足安全要求
要求并达到规定的SIL。另请参阅附录“增加的SIL值”
传感器和致动器。
8.3安全相关数字输出
安全相关输出通道配备三个可测试开关，分别连接在
系列因此，对安全、独立、第二种断电方式的要求是：
完成了。如果发生故障，此集成安全停机功能将安全地断开所有电源
故障输出模块的通道（断电状态）。
此外，模块的看门狗信号是安全停机的第二个选项：如果
看门狗信号丢失，模块立即进入安全状态。
8.3.1数字输出的测试例程
模块在运行期间自动测试。主要测试功能有：
ƒ读回输出信号

14F5M1E-Y00D

14F5M1E-Y00D

Reaction in the Event of a Fault If the test routines detect a fault of a counter input, the module sets the channel value in a way that the global variables assigned to the channel assume the following values: ƒ Global variables assigned to the parameters -> Rotation Speed [mHz] [DINT] und -> Rotation Speed (scaled) [REAL] adopts the value 0. ƒ The global variable assigned to the -> Counter Reading [mHz] parameter adopts the last valid value. The module sets the status Channel OK to FALSE If the test routines detect a module or submodule fault, the module sets the Module OK or Submodule OK status to FALSE. Additionally, the module or submodule sets Channel OK to FALSE for all its channels. In all these cases, the module activates the Error LED on the front plate. 7.5.3 To observe if the X-CI 24 01 counter module is used! If the X-CI 24 01 counter module is used, the following particularities must be observed, also refer to the module-specific manual (HI 801 113 E): ƒ While performing a reload, input pulses may be lost during the first 3 cycles, if the following parameters are changed during the process: - Counting Pulse Evaluation Type - Channel pairs in use ƒ If the channel sensor fails during the edge evaluation 2 Phases, 4 Edges, and no shortcircuit or open-circuit was detected, the module only registers half of the actual frequency value. ƒ The channel parameters -> Level and -> Count.Read (revolv.) must not be used for safety-related applications! ƒ Pulses to be counted can be lost during an automatic restart: ƒ Automatic or manual module restart must be considered as application-specific. ƒ Application recommendation: - To ensure detection of a sensor failure, HIMA recommends to using redundant sensors for multiple-phase evaluation or for recognizing the rotation direction. - Configuring noise blanking while frequencies are measured does not impair safety. 7.5.4 Operation in Accordance with the Energize to Trip Principle It is allowed to operate counter inputs in accordance with the energized to trip principle. In this case, the input modules must be provided with line monitoring. 7.5.5 Redundancy It is allowed to connected the counter inputs redundantly. The redundant connection is usually used to increase availability. If other connection variants, e.g., to increase the SIL value, should be used, fault states must be handled in the user program logic. 7.6 Checklists for Inputs HIMA recommends using the available checklists for engineering, programming and starting up safety-related digital inputs. The checklists can be used for helping with planning as well as to demonstrate later on that the planning phase was carefully completed. When engineering or starting up the system, it is useful to fill out a checklist for each of the safety-related input channels used in the system to verify the requirements to be met. This is the only way to ensure that all requirements were considered and clearly recorded. The checklist also documents the relationship between the external wiring and the user program. HIMax 7 Input Modules HI 801 003 E Rev. 4.00 Page 31 of 64 The checklists are available in Microsoft® Word® format on the HIMA website. 8 Output Modules HIMax Page 32 of 64 HI 801 003 E Rev. 4.00 8 Output Modules Module Number of channels Safetyrelated Safely electrically isolated Remark Digital outputs X-DO 12 02 12 SIL 3 - X-DO 24 01 24 SIL 3 - X-DO 24 02 24 SIL 3 - 48 VDC X-DO 32 01 32 SIL 3 - X-DO 32 51 32 - - Ddigital relay outputs X-DO 12 01 12 SIL 3 • 230 VAC X-DO 12 52 12 - • Analog outputs X-AO 16 01 16 SIL 3 Pairwise X-AO 16 51 16 - - Table 10: Overview of the Input Modules 8.1 General The safety-related output modules are written once per cycle, the generated output signals are read back and compared with the specified output data. The safe state of the outputs is 0 or an open relay contact. Using the corresponding error codes, additional options exist for programming fault reactions in the user program. For more information on the output modules, refer to the individual module manuals. 8.2 Safety of Actuators In safety-related applications, the PES and its connected actuators must all meet the safety requirements and achieve the specified SIL. Also refer to Annex Increasing the SIL Value of Sensors and Actuators. 8.3 Safety-Related Digital Outputs The safety-related output channels are equipped with three testable switches connected in series. By this, the requirement for a safe, independent, second way of de-energizing is fulfilled. If a fault occurs, this integrated safety shutdown function safely de-energizes all channels of the defective output module (de-energized state). Furthermore, the watchdog signal of the module is a second option for safety shutdown: If the watchdog signal is lost, the module immediately enters the safe state. 8.3.1 Test Routines for Digital Outputs The modules are tested automatically during operation. The main test functions are: ƒ Reading the output signals back from the switching amplifier. The switching threshold of a 0 signal that has been read back is below the valid voltage value for the type of output. The diodes used prevent a feed back of signals. ƒ Checking the integrated redundant safety shutdown. ƒ A shutdown test of the outputs is performed cyclically for max. 200 µs. If faults occur, the outputs are set to the safe value. HIMax 8 Output Modules HI 801 003 E Rev. 4.00 Page 33 of 64 8.3.2 Reaction in the Event of a Fault If the test routines detect a fault in one or several channels, the module switches those channels off and by this brings them into the safe state. The parameter Channel OK is set to FALSE for these channels. If the test routines detect a module or submodule fault, the module sets the Module OK or Submodule OK status to FALSE. Additionally, the module or submodule sets Channel OK to FALSE for all its channels. In all cases, the module also indicates the fault by the Error LED on the faceplate. 8.3.3 Behavior in the Event of External Short-Circuit or Overload If the output is short-circuited to L- or overloaded, the module is still testable. It is not necessary to transfer the module to the safe state. In this state, the outputs are checked every few seconds to determine wether the overload is still present. In a normal state, the outputs are switched back on. NOTE System malfunction possible! The voltage induced during switching off inductive loads could cause faults in the controller or in other electronical systems close to the actor's input leads. Therefore, it is a good practice to connect inductive loads with a suitable freewheeling circuit at the actuator to counteract these disturbances. 8.3.4 Operation in Accordance with the Energize to Trip Principle It is allowed to operate digital outputs in accordance with the energized to trip principle. In this case, line monitoring must be used. 8.3.5 Redundancy It is allowed to connected the digital outputs redundantly. The redundant connection is usually used to increase availability. If other connection variants, e.g., to increase the SIL value, should be used, fault states must be handled in the user program logic. 8.4 Safety-Related Relay Outputs Relay output cards are connected to the actuator under any of the following circumstances: ƒ Electric isolation is required. ƒ Higher amperages are used. ƒ Alternating currents are to be connected. The module outputs are equipped with two safety relays with forcibly guided contacts. The outputs can thus be used for safety shutdowns in accordace with SIL 3. Furthermore, the watchdog signal of the module provides a second means of safety shutdown: If the watchdog signal is lost, the module immediately adopts the safe state. 8.4.1 Test Routines for Relay Outputs The module is tested automatically during operation. The main test functions are: ƒ Reading the output signals back from the switching amplifiers located before the relays ƒ Testing the switching of the relays with forcibly guided contacts ƒ Checking the integrated redundant safety shutdown.