The operating principle of Safety Integrated
Two independent switch-off signal paths
Two independent switch-off signal paths are available. All switch-off signal paths are low active, thereby ensuring that the system is always switched to a safe status if a component fails or in the event of cable breakage. If an error is discovered in the switch-off signal paths, the "Safe Torque Off" function is activated and a system restart is inhibited.
2-channel monitoring structure
All the main hardware and software functions for Safety Integrated (e.g. switch-off signal paths, data management, data comparison) are implemented in two independent monitoring channels. A cyclic crosswise comparison of the safety-relevant data in the two monitoring channels is carried out.
The monitoring functions in each monitoring channel work on the principle that a defined status must prevail before each action is carried out and a specific acknowledgement must be made after each action. If these expectations of a monitoring channel are not fulfilled, the drive coasts to a standstill (two-channel) and an appropriate message is output.
Forced dormant error detection or testing of the switch-off signal paths
Forced dormant error detection of the switch-off signal paths is used to detect errors in the software/hardware of the two monitoring channels as quickly as possible and is performed automatically when safety functions are activated/deactivated. To fulfill the requirements of EN 954-1 regarding early error detection, the two switch-off signal paths must be tested at least once within a defined time to ensure that they are functioning properly. For this purpose, forced dormant error detection must be triggered manually by the user or automatically. A timer monitors the timing of forced dormant error detection runs.
A forced dormant error detection run must be performed on the switch-off signal paths at least once during the time set in this parameter. Once this time has elapsed, an alarm is output and remains active until forced dormant error detection is carried out.
When the appropriate safety devices are implemented (e.g. protective doors), it can be assumed that running machinery will not pose any risk to personnel. For this reason, only an alarm is output to inform the user that a forced dormant error detection run is due, thereby requesting that this be carried out at the next available opportunity. This alarm does not affect machine operation.
The user must set the time interval for carrying out forced dormant error detection runs to between 0 and 9000 hours depending on the application (factory setting: 8 hours).
Examples of when forced dormant error detection runs are required:
- When the drives are at a standstill after the system has been switched on
- When the protective door is opened
- At defined intervals (e.g. every 8 hours)
- In automatic mode, dependent on time and event
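The following C model is an added illustration, not code from the drive or its manufacturer. It shows why the timer-driven test matters: with one switch-off signal path stuck, the second path still removes torque on request, so the fault stays dormant until forced dormant error detection exercises each path separately. All names are hypothetical; the "stuck path" fault injection and the immediate latching of Safe Torque Off on a failed test are simplifying assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the behaviour described above; not drive firmware.
   All names are hypothetical. */
typedef struct {
    bool path_stuck[2];     /* injected dormant fault: path cannot switch off */
    bool sto_latched;       /* Safe Torque Off active, restart inhibited */
    uint32_t interval_h;    /* forced dormant error detection interval (hours) */
    uint32_t elapsed_h;     /* hours since the last test run */
    bool test_due_alarm;    /* alarm only; machine operation is unaffected */
} drive_model;

/* Low-active path: enable == false (0 V, also a broken cable) switches off. */
static bool path_output(const drive_model *d, int ch, bool enable) {
    return enable || d->path_stuck[ch];   /* a stuck path ignores switch-off */
}

/* Torque is possible only if both paths are enabled and STO is not latched. */
bool torque_possible(const drive_model *d, bool en1, bool en2) {
    return !d->sto_latched && path_output(d, 0, en1) && path_output(d, 1, en2);
}

/* One hour of operation: the timer only raises an alarm when the test is due. */
void tick_hour(drive_model *d) {
    if (++d->elapsed_h >= d->interval_h) d->test_due_alarm = true;
}

/* Forced dormant error detection: switch off each path alone and read it back. */
bool forced_test(drive_model *d) {
    d->elapsed_h = 0;                      /* the run was carried out */
    d->test_due_alarm = false;
    for (int ch = 0; ch < 2; ch++) {
        if (path_output(d, ch, false)) {   /* path did not switch off */
            d->sto_latched = true;         /* error: STO, restart inhibited */
            return false;
        }
    }
    return true;
}

int main(void) {
    drive_model d = { .interval_h = 8, .path_stuck = { false, true } };
    for (int h = 0; h < 8; h++) tick_hour(&d);
    printf("alarm=%d torque_off=%d\n", d.test_due_alarm, !torque_possible(&d, false, false));
    bool passed = forced_test(&d);
    printf("test_passed=%d sto_latched=%d\n", passed, d.sto_latched);
    return 0;
}
```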