Trying to understand safety PLCs (specifically Siemens)

Jieve (Member; joined Feb 2012; USA; 274 posts)
Hello, I’m trying to get an understanding of safety PLC function, specifically Siemens. So far, what I understand is this:

The user-programmed safety program runs alongside the main program cycle and is not called automatically, but must be called in the main program cycle (preferably as a cyclic interrupt OB).

Safety devices such as light barriers, e-stop pushbuttons, etc. can be wired in single and dual channel into safety inputs. The safety I/O modules perform regular functional checks, such as reading inputs more than once, heartbeat checks, etc. to ensure the input signals are accurate and the module is functioning properly.

When the safety program is called, the peripheral inputs from the safety input modules are read. The program is processed, and at the end, the outputs are written to the safety output modules, similar to the standard program cycle. But afterwards, the main program picks up where it left off.

I also understand that regular I/O modules can be used in the same rack as failsafe I/O modules.

My questions:
1) I understand that the safety program runs without direct interaction with the normal program cycle (except for being called). Am I correct that it is not possible to use input or output addresses of safety I/O modules in the main program cycle?

2) Is it possible to use input and output addresses of non-safety modules within the safety program? Say, for example, I want to retract a pneumatic cylinder upon E-Stop. Is this done within the safety program? Or is the safety program only reserved for dealing with safety devices? In one case, I would need access to non-safety outputs in the safety program cycle (pneumatic cylinder), in the other case, I would need access to safety inputs in the main program cycle (E-Stop).

3) I read that when there is a fault in certain failsafe output modules, the module is shut off but in a safe state. What does that mean? The outputs can either be 0/1, does it fail to a guaranteed pre-determined value or something?

4) Would main power contactors be examples of safety outputs (as would normally be controlled as outputs from a safety relay)? And I guess failsafe output modules also do regular checks of the output function? (I thought I read that they flash the outputs on for a very short time to test function, but not long enough to affect the program or actuators).

5) Hardware question: Is it common to use standard sensors such as standard limit switches as safety inputs, or more common to use positive-action limit switches with 2 channels specifically for safety gates and such purposes?

If someone had an example of a simple system setup/schematic with failsafe PLC and the wiring, or just a system description along with the involved devices to help understand this better, I would really appreciate it.

Thanks!
All statements below specifically relate to S7 safety PLCs, which was what you specified. Other brands would definitely have differences.

The link below is to the Distributed Safety Configuring and Programming manual, which is an excellent reference for Siemens safety programming capabilities. The individual module manuals are also very helpful, and show samples of how to wire up the module to meet different safety certifications.

http://support.automation.siemens.com/WW/view/en/22099875

When the safety program is called, the peripheral inputs from the safety input modules are read. The program is processed, and at the end, the outputs are written to the safety output modules, similar to the standard program cycle. But afterwards, the main program picks up where it left off.
Generally speaking this is true. But just as a tip, the safety program will not check the inputs/outputs of a card if you have not used it in the program yet. This means that you cannot monitor the inputs of a safety card to check wiring before programming. To fix this, either make a "dummy" safety program that does something like reading one input from each safety IO module, or configure the reintegration (see more in your question three).

1) I understand that the safety program runs without direct interaction with the normal program cycle (except for being called). Am I correct that it is not possible to use input or output addresses of safety I/O modules in the main program cycle?
I think you can read, but not write, to the safety IO. This means your standard program can check to see if the E-Stop is pressed. If you try to write to safety IO, then the PLC will detect an error and stop. Depending on which programming software you use, it may allow you to write illegal code, but the PLC will never allow the standard code to write to a safety location. This is part of why a Safety Acceptance Test and documentation are so important.

2) Is it possible to use input and output addresses of non-safety modules within the safety program? Say, for example, I want to retract a pneumatic cylinder upon E-Stop. Is this done within the safety program? Or is the safety program only reserved for dealing with safety devices? In one case, I would need access to non-safety outputs in the safety program cycle (pneumatic cylinder), in the other case, I would need access to safety inputs in the main program cycle (E-Stop).
As said above, the standard program can only read the safety memory locations. It is common to use something like an estop signal in the standard code, or a generic "Safety Enable", as a contact in the ladder logic that is required to turn on any motion.

The safety program can read OR write to a standard memory location, but never both. One should NEVER use standard memory to bypass safety logic, but it can be used as an additional requirement to turn on a safety output (essentially: Safety AND standard might be OK, safety OR standard is probably not).

3) I read that when there is a fault in certain failsafe output modules, the module is shut off but in a safe state. What does that mean? The outputs can either be 0/1, does it fail to a guaranteed pre-determined value or something?
When a failsafe module detects an error, it goes to a failsafe state and passivates itself. This means that the module will go to its defined safe state (be passive). For outputs, this safe state is almost always 0, although drives with built in safety have some options there. For inputs, this usually means 0 as well. When the module senses that the error is no longer present, then it sends a signal to the PLC and requests to be reintegrated back into the safety program. Typically, an operator pushbutton is required to then send the return signal to reintegrate the IO.

Each safety IO module has an automatically generated safety data block that has status and passivation information. This is where these requests and commands are stored.

4) Would main power contactors be examples of safety outputs (as would normally be controlled as outputs from a safety relay)? And I guess failsafe output modules also do regular checks of the output function? (I thought I read that they flash the outputs on for a very short time to test function, but not long enough to affect the program or actuators).
As a warning, that test function you mention is very fast, but some devices can detect it. Slow moving devices like contactors are generally fine, but if you wire a safety output to a solid state input (say on a drive or intelligent door switch), it may have an unexpected behavior. Safety networking to drives is usually a better plan than hardwiring. In the Siemens world, that probably means Profisafe over Profinet.

5) Hardware question: Is it common to use standard sensors such as standard limit switches as safety inputs, or more common to use positive-action limit switches with 2 channels specifically for safety gates and such purposes?
How you wire up the inputs and outputs depends on the safety level you want to achieve. Positive-action 2-channel devices are required for higher levels of safety reliability; for lower levels, sometimes standard limit switches can be used. A risk assessment must be done to determine how much risk a machine has and how the safety system should be designed to negate the hazards. Once you know what SIL or PL you desire, the manual for the IO card can tell you how to wire it for a given application and safety requirement.
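The passivation and reintegration behaviour described in the reply to question 3, and the "safety AND standard" rule from the reply to question 2, as an added runnable model. This is example code written for this thread, not Siemens firmware or anything from the linked manual: the status bit names (QBAD, ACK_REQ, ACK_REI) follow the Siemens F-I/O DB naming as I recall it, the discrepancy-time handling is reduced to a scan counter, and the E-stop scenario is constructed.

```python
"""Simplified model of one two-channel (1oo2) input on an F-DI module:
discrepancy monitoring, passivation to the substitute value 0, and
operator-acknowledged reintegration. Constructed example for illustration;
real module behaviour (timing, diagnostics) is more involved."""

from dataclasses import dataclass


@dataclass
class FDIChannelPair:
    """A dual-channel input such as an E-stop with two NC contacts.

    discrepancy_limit: number of consecutive scans the two channels may
    disagree before the pair is treated as faulty (stand-in for the
    module's discrepancy time, which is really a time, not a scan count).
    """
    discrepancy_limit: int = 3
    # Status bits named after the Siemens F-I/O DB (assumed naming):
    qbad: bool = False        # channel pair passivated, process value forced to 0
    ack_req: bool = False     # fault has cleared, waiting for operator acknowledgement
    _disagree_scans: int = 0
    _prev_ack_rei: bool = False

    def scan(self, ch1: bool, ch2: bool, ack_rei: bool) -> bool:
        """Evaluate one cycle. ch1/ch2 are the raw channel states (True =
        contact closed), ack_rei is the operator acknowledge pushbutton.
        Returns the safe process value seen by the F-program."""
        disagree = ch1 != ch2
        self._disagree_scans = self._disagree_scans + 1 if disagree else 0

        if not self.qbad and self._disagree_scans > self.discrepancy_limit:
            # Discrepancy persisted too long (e.g. broken wire on one channel):
            # passivate. From here on the process value is the fail-safe 0.
            self.qbad = True
            self.ack_req = False

        if self.qbad and not disagree:
            # Fault no longer present: request reintegration, but do not
            # reintegrate automatically.
            self.ack_req = True

        # Reintegration needs a rising edge on ACK_REI while ACK_REQ is set,
        # i.e. a deliberate operator action after the fault has cleared.
        rising = ack_rei and not self._prev_ack_rei
        self._prev_ack_rei = ack_rei
        if self.qbad and self.ack_req and rising:
            self.qbad = False
            self.ack_req = False

        if self.qbad:
            return False
        # 1oo2 evaluation: either channel open already means "not OK".
        return ch1 and ch2


def f_output_with_standard_permissive(safety_ok: bool, standard_request: bool) -> bool:
    """F-program side of the 'safety AND standard' rule: a standard tag may
    be read in the safety program only as an additional condition. It can
    remove the enable but can never grant it on its own."""
    return safety_ok and standard_request


def run_scenario() -> list:
    """Constructed scenario: healthy E-stop, channel 2 sticks open (wiring
    fault), fault is repaired, operator acknowledges. Returns
    (qbad, ack_req, process_value) after each scan."""
    pair = FDIChannelPair(discrepancy_limit=2)
    steps = [
        (True, True, False),    # healthy, E-stop not pressed
        (True, False, False),   # ch2 opens alone, scan 1
        (True, False, False),   # scan 2 (still within limit)
        (True, False, False),   # scan 3: limit exceeded, passivated
        (True, False, False),   # fault still present, no ACK_REQ
        (True, True, False),    # wiring repaired: ACK_REQ raised
        (True, True, False),    # operator has not acknowledged yet
        (True, True, True),     # rising edge on ACK_REI: reintegrated
        (True, True, True),     # button held: no new edge, stays healthy
    ]
    trace = []
    for ch1, ch2, ack in steps:
        value = pair.scan(ch1, ch2, ack)
        trace.append((pair.qbad, pair.ack_req, value))
    return trace


if __name__ == "__main__":
    for i, row in enumerate(run_scenario(), 1):
        print(f"scan {i}: qbad={row[0]} ack_req={row[1]} value={row[2]}")
```

Note that while the pair is passivated the process value is 0 even though channel 1 is healthy, and that pressing the E-stop normally (both channels open together) is not a fault: both channels agree, so the value goes to 0 without passivation or any acknowledgement requirement.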
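The reply to questions 1 and 2 states two interaction rules that the PLC enforces at run time but the engineering tool may not flag: the standard program may read but never write a safety location, and the safety program may read or write a given standard location but not both. The check below, added here as an example and not taken from the thread or any Siemens tool, applies those two rules to a cross-reference listing. The address set and the listing format (block kind, address, access) are constructed for the example; a real project would feed it from the hardware configuration and the engineering tool's cross-reference export.

```python
"""Acceptance-test helper: apply the standard/safety interaction rules from
the thread to a cross-reference listing. Constructed input format; the rules
are the two stated in the reply, nothing more."""

from collections import defaultdict

# Hypothetical addresses belonging to F-I/O modules and F-DBs. In a real
# project this set comes from the hardware configuration.
SAFETY_ADDRESSES = {"I8.0", "I8.1", "Q12.0", "DB1000.DBX0.0"}

# Constructed cross-reference: (block kind, address, access).
# block kind: "F" = F-block in the safety program, "STD" = standard block.
# access: "R" = read, "W" = write.
XREF = [
    ("STD", "I8.0", "R"),   # OB1 reads the F-DI E-stop channel: allowed
    ("STD", "Q12.0", "W"),  # standard block writes an F-DO: illegal
    ("F", "M10.0", "R"),    # F-program reads a standard flag as an extra condition
    ("F", "M10.1", "R"),
    ("F", "M10.1", "W"),    # F-program both reads and writes M10.1: illegal
    ("F", "Q12.0", "W"),    # F-program drives its own F-DO: fine
    ("F", "I8.0", "R"),
]


def check_xref(xref, safety_addresses):
    """Return a list of (rule, address) findings.

    STD_WRITES_SAFETY    a standard block writes a safety address
    F_READ_AND_WRITE_STD the safety program reads and writes the same
                         standard address
    """
    findings = []
    f_accesses = defaultdict(set)   # standard address -> {"R", "W"} seen in F-blocks

    for kind, address, access in xref:
        if kind == "STD" and access == "W" and address in safety_addresses:
            findings.append(("STD_WRITES_SAFETY", address))
        elif kind == "F" and address not in safety_addresses:
            f_accesses[address].add(access)

    for address, accesses in sorted(f_accesses.items()):
        if {"R", "W"} <= accesses:
            findings.append(("F_READ_AND_WRITE_STD", address))

    return findings


if __name__ == "__main__":
    for rule, address in check_xref(XREF, SAFETY_ADDRESSES):
        print(f"{rule}: {address}")
```

The second rule is deliberately applied per address across the whole safety program, not per block: a read in one F-FB and a write in another is still the same standard location being used in both directions.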