
Configurable control system PNOZmulti

Safety Manual 21103-EN-02

Preface
This document is the original document.
All rights to this documentation are reserved by Pilz GmbH & Co. KG. Copies may be made for internal purposes. Suggestions and comments for improving this documentation will be gratefully received.
Pilz, PIT, PMI, PNOZ, Primo, PSEN, PSS, PVIS, SafetyBUS p, SafetyEYE, SafetyNET p, the spirit of safety are registered and protected trademarks of Pilz GmbH & Co. KG in some countries.
SD means Secure Digital

Content

Section 1 Introduction ... 5
1.1 Introduction to the documentation ... 5
1.2 Validity of the documentation ... 6
1.3 Definition of symbols ... 7

Section 2 Basics ... 8
2.1 Standards, laws and directives in the European Union ... 8
2.2 Safety plan and validation ... 10
2.2.1 Content of the validation plan ... 10
2.2.2 Validation implementation ... 10
2.3 Standards, laws and directives outside the European Union ... 11

Section 3 Safety-related applications ... 12
3.1 Safety philosophy ... 14
3.1.1 Intended use and application range ... 14
3.1.2 Safety Integrity Level (SIL) and Performance Level (PL) ... 15
3.2 General safety assessments ... 16
3.2.1 Safety assessment of the configurable control system PNOZmulti ... 16
3.2.2 Error types, error detection and error reaction on the configurable control system PNOZmulti ... 17
3.2.3 Data backup and data security on the configurable control system PNOZmulti ... 17
3.3 Managing a safe application ... 19
3.4 Documentation of a safe application ... 20

Section 4 Process design ... 21
4.1 Determine the scope ... 21
4.2 Specify the functions ... 22
4.3 Define the safety requirements ... 23
4.4 Design the installation ... 24
4.5 Configure operation ... 25

Section 5 Application implementation ... 26
5.1 Assign safety requirements ... 26
5.1.1 Safety via the configuration ... 26
5.1.2 Safety in the application ... 27
5.1.3 Safety requirements on sensors and actuators ... 27
5.2 Configuration ... 28
5.2.1 Configuration in the PNOZmulti Configurator ... 28
5.2.2 Structuring the project ... 28
5.3 Installation ... 30
5.4 Commissioning and validity ... 31
5.4.1 Initial commissioning ... 31
5.4.2 Recommissioning ... 31
5.4.3 (Re)commissioning aids ... 32
5.5 Project backup ... 32

Section 6 Change, maintenance, decommissioning ... 33
6.1 Changes ... 33
6.2 Maintenance ... 35
6.3 Decommissioning ... 36

Section 7 Troubleshooting ... 37
7.1 Operating and fault states on a control system PNOZmulti ... 37
7.2 General fault reaction and rectification ... 39
7.3 Fault diagnostics ... 40

Section 8 Checklists ... 41
8.1 Checklist guidelines ... 41
8.2 Planning ... 42
8.3 Configuration ... 44
8.4 Installation ... 45
8.5 Commissioning ... 46
8.5.1 Initial commissioning ... 46
8.5.2 Recommissioning ... 47
8.6 Maintenance, change ... 48

Glossary ... 49

Introduction

1.1 Introduction to the documentation
This manual describes the safe application of the configurable control system PNOZmulti. It will provide support when designing, installing, commissioning, changing and decommissioning the system and when dealing with potential problems. After introducing the standards/directives and the safety philosophy of the configurable control system PNOZmulti, the manual explains the measures needed to safely design a process in which control systems from the configurable control system PNOZmulti are used. It is essential to read this manual even at the design stage of a project in which control systems from the configurable control system PNOZmulti will be used. Always comply with the specified safety requirements.
The safety manual refers to the base units and expansion modules of the configurable control system PNOZmulti. For the purpose of simplification, they will be summarised under the term "control system PNOZmulti" in the following text.


1.2 Validity of the documentation
This documentation is valid for the configurable control system PNOZmulti. It is valid until new documentation is published.
The current documentation is available in the download area of the Pilz homepage (www.pilz.de > Downloads).


1.3 Definition of symbols
Information that is particularly important is identified as follows:

DANGER!
This warning must be heeded! It warns of a hazardous situation that poses an immediate threat of serious injury and death and indicates preventive measures that can be taken.

WARNING!
This warning must be heeded! It warns of a hazardous situation that could lead to serious injury and death and indicates preventive measures that can be taken.

CAUTION!
This refers to a hazard that can lead to a less serious or minor injury plus material damage, and also provides information on preventive measures that can be taken.

NOTICE
This describes a situation in which the product or devices could be damaged and also provides information on preventive measures that can be taken. It also highlights areas within the text that are of particular importance.

INFORMATION
This gives advice on applications and provides information on special features.


Basics

2.1 Standards, laws and directives in the European Union
European Union (EU) directives generally deal with specific issues. The directives themselves have no direct impact on individual citizens or companies. They only come into effect through the agreements of individual countries within the EU, who incorporate these directives into their domestic law. In each EU country, a law or provision refers to the relevant EU directive and thus elevates it to the status of domestic law. So although these documents are described as "directives", in practice they have legal status within the EU.
Of the almost 30 active directives now available, only a small selection is relevant to the typical machine builder. Here is a list of some of the key directives with both their official title and their usual, though unofficial, abbreviated title:

Directive | Abbreviated title (unofficial) | Official title
2006/42/EC | (New) Machinery Directive | Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (recast)
2001/95/EC | Product Safety Directive | Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety
2004/108/EC | EMC Directive | Directive 2004/108/EC of the European Parliament and of the Council of 15 December 2004 on the approximation of the laws of the Member States relating to electromagnetic compatibility and repealing Directive 89/336/EEC
1999/5/EC | Radio Equipment Directive | Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity
2003/10/EC | Noise Directive | Directive 2003/10/EC of the European Parliament and of the Council of 6 February 2003 on the minimum health and safety requirements regarding the exposure of workers to the risks arising from physical agents (noise)
2006/95/EC | Low Voltage Directive | Directive 2006/95/EC of the European Parliament and of the Council of 12 December 2006 on the harmonisation of the laws of Member States relating to electrical equipment designed for use within certain voltage limits
89/686/EEC | Personal Protective Equipment Directive | Council Directive on the approximation of the laws of the Member States relating to personal protective equipment

Standards on their own have no direct legal relevance until they are published in the Official Journal of the EU or are referenced in domestic laws and provisions. These are the publications by which a standard can acquire presumption of conformity. Presumption of conformity means that a manufacturer can assume he has met the requirements of the corresponding directive provided he has complied with the specifications in the standard. So the presumption of conformity confirms proper conduct, as it were. In a formal, legal context this is called a reversal of the burden of proof. Where the manufacturer applies a harmonised standard, if there is any doubt, misconduct will need to be proven. Where the manufacturer has not applied a harmonised standard, he will need to prove that he has acted in compliance with the directives.
It's important to stress that the EU does not publish every standard in the Official Journal, so many are still not harmonised. Even if such a standard is deemed to have considerable technical relevance, it will still not have presumption of conformity. However, sometimes a standard that has not been listed in the EU Official Journal does achieve a status that's comparable with harmonisation. This is the case, for example, when a standard that's already been harmonised refers to the relevant standard. The standard that is not listed in the EU Official Journal is then harmonised through the back door, as it were.

NOTICE
It is essential that your plant/machine complies with all the laws and directives applicable for the area of application!

Further information is available in the Pilz Safety Compendium, for example. The Safety Compendium is available to download from the Pilz homepage (see www.pilz.de > Expertise > Reference Books).


2.2 Safety plan and validation
The safety plan is created in parallel with the design and implementation of a plant/machine and covers all hazards identified in each phase of the service life. All safety-related activities are defined and documented within the safety plan. This includes the verification plan and the validation plan.
The verification plan contains an assessment as to whether the achieved results comply with the set specifications.
The validation plan contains an assessment as to whether the achieved results are suitable for reaching the specified safety requirements. This includes a final overall assessment.
The validation phase is characterised by its own structured procedures.

2.2.1 Content of the validation plan
EN/IEC 61508 contains some general statements regarding the design and implementation of the overall safety validation. The validation requirements are described based on which standard is applied in the machine implementation.
EN/IEC 62061: The validation requirements are described in the standard itself.
EN ISO 13849: The validation requirements are described in Part 2 (EN ISO 13849-2).

2.2.2 Validation implementation
Validation activities must be performed in compliance with the validation plan. The safety-related parts are analysed first. If the assessment from this analysis is insufficient on its own, additional tests must be performed. These tests should demonstrate as realistically as possible that a safety requirement has been met.
The information documented during validation must include:
- Documentation of the validation activities in chronological order
- The specification used for the overall safety requirements
- The validated safety functions (whether through tests or analysis)
- The tools and equipment used, together with the calibration data
- The results of the validation activities
- Identification of the tested object's configuration, the procedure applied and the test environment
- Discrepancies between the expected results and the actual results

If there are any discrepancies between the expected results and the actual results, the analyses that were performed and the decisions that were made must be documented. It is necessary to decide whether to continue with the validation or to issue a change requirement and revert to an earlier point in the validation.
The validation results can be used as a basis for the CE certification.


2.3 Standards, laws and directives outside the European Union
Most countries have binding regulations for making plant and machinery safe. The type of regulation varies from region to region and is designed to suit the respective legal and cultural environment, ranging from mandatory laws to recommendations of a non-binding nature. Even the level of jurisdiction to guarantee compliance varies enormously. Self-certification is enough in some countries, while others have commercial institutions which carry out inspections in accordance with their own rules. In other parts of the world, certification is carried out by state-authorised institutions.
This safety manual deals exclusively with European standards, directives and laws.
Knowledge of the respective national circumstances is indispensable when exporting. In most countries, certification in accordance with IEC, EN and even ISO standards is now hugely important, as these standards are often used as the basis for national regulations. It doesn't automatically mean that certificates will be accepted, but certification in these countries will be considerably easier if certification to European standards is in place.


Safety-related applications
The configurable control system PNOZmulti comprises the following modular systems:
- Configurable control systems PNOZmulti
- Configurable control systems PNOZmulti 2
- Configurable control systems PNOZmulti Mini

The configurable control systems PNOZmulti/PNOZmulti 2/PNOZmulti Mini consist of a base unit and various expansion modules.
- A base unit has the control functionality and
  - various safe inputs/outputs
  - various inputs/outputs for standard applications
- Expansion modules supplement a base unit with additional
  - safe inputs or outputs
  - inputs/outputs for standard applications

Special expansion modules (fieldbus modules) are used in standard applications for non-safety-related data exchange via a fieldbus.

INFORMATION
In this Safety Manual, the control systems from the configurable control system PNOZmulti, consisting of a base unit and, if necessary, additional expansion modules, are summarised under the term "control system PNOZmulti".

A control system's safety functions (e.g. E-STOP, two-hand monitoring, safety gate monitoring) and standard applications (e.g. reading diagnostic data, setting virtual inputs for standard functions, reading virtual outputs for standard functions) are defined using the graphical system software PNOZmulti Configurator.
The safety-related parts of a control system PNOZmulti are redundant with built-in self-monitoring.
The safety manual mainly considers the safety-related parts of a control system PNOZmulti and the configurable safety functions. The distinction between safety functions and standard functions and/or the interaction between them is addressed where necessary.


WARNING!
Risk from failure to comply with the safety manual!
Depending on the application that is being implemented, failure to comply with the safety manual can lead to hazardous situations that can lead to serious physical injuries and death.
It is essential to read this manual even at the design stage of a project in which control systems from the configurable control system PNOZmulti will be used. Always comply with the specified safety requirements.

The standards current at the time of going to print shall apply.


3.1 Safety philosophy

3.1.1 Intended use and application range
The control systems PNOZmulti are designed for use in an industrial environment.
The control systems PNOZmulti are primarily suitable for use in machine safety circuits in which a safe condition is brought about by the removal of power.
Examples:
- Tooling, packaging and print machinery
- Robot cells and production lines
- Mechanical engineering, e.g. lathes, milling and drilling machines
- Plastics processing machines, e.g. blow moulding machines
- Laser machines, e.g. laser welding and laser punching machines
- Packaging machines, e.g. drink dispensing and palletising machines
- Forming technology: small presses and punch presses
- Robots: processing, welding and spraying robots
- Print and paper industry, e.g. printing, enveloping and paper machines
- Presses, e.g. eccentric presses

Foreseeable misuse and abuse
- Without additional measures, the control systems PNOZmulti are not suitable for use in areas with increased environmental requirements (e.g. potentially explosive areas).
- The control systems PNOZmulti are not suitable for plants in which the removal of power does not lead to a safe condition.
- On passenger transportation systems, appropriate evacuation measures must be made or self-contained rescue equipment installed, should the plant come to a standstill due to a fault.
- Where locked zones have an electrical release, emergency release devices should be provided.
- Safety devices may not be overridden until appropriate measures of equal value are put in place (e.g. muting function). Measures of equal value may only be used if the preceding safety assessment permits it.
  Examples:
  - The safety gates may be open in setup mode provided there is a muting function, which is triggered by the operating mode selector switch.
  - A light curtain can be interrupted by transported materials provided there is a muting function with the corresponding components (e.g. muting sensors including control and muting monitoring of the muting sensors via a muting block in the user program, for example).


3.1.2 Safety Integrity Level (SIL) and Performance Level (PL)
Depending on the application area and its respective regulations, control systems PNOZmulti can be used up to SIL CL 3 of EN 62061 and up to PL e (Cat. 4) of EN ISO 13849-1. The relevant technical details for a risk assessment can be found in the respective operating manual.


3.2 General safety assessments
Before using a control system PNOZmulti it is necessary to perform a safety assessment in accordance with the Machinery Directive. A control system PNOZmulti is a safety component under the Machinery Directive in accordance with Annex V. It guarantees functional safety against hardware and firmware errors, for example. However, it does not guarantee the safety of the overall process and design, nor of the project.
The user is responsible for the safety of the project created in the PNOZmulti Configurator. Pay special attention when configuring the project and observe local standards and regulations.
A faulty configuration can jeopardize the safety of the entire process!
Define the safety requirements for the entire plant, for all phases of the service life and the entire safety lifecycle, and also define how these will be implemented from a technical and organisational standpoint.

Technical measures
Technical measures include, for example, application of a control system PNOZmulti and the safety-related implementation of the periphery components, plus the design and configuration of the control system using the system software PNOZmulti Configurator.

Organisational measures
Organisational measures, for example, are identification of the responsible staff member or documentation of all work stages for commissioning. This also includes identification of responsibilities and access rights. The safety requirements are geared toward the function of the machine and the resulting hazards. A safety assessment must also cover malfunctions, faulty operation and the possible consequences.

3.2.1 Safety assessment of the configurable control system PNOZmulti
The control systems PNOZmulti are suitable for both safety-related and standard applications.
A control system PNOZmulti, for example, has configurable safety functions (e.g. E-STOP, two-hand monitoring, safety gate monitoring) and standard functions (e.g. reading diagnostic data, setting virtual inputs for standard functions, reading virtual outputs for standard functions).
Safety-related tasks may only be implemented using safety functions and safe inputs and outputs.
The following items are the user's responsibility:
- Selection of the appropriate base unit
- Selection of the appropriate expansion modules
- Correct application of the base unit's communications interface
  The communications interface on the base unit may not be used for safety-related communication.
- Correct application of a fieldbus module
  A fieldbus module may not be used for safety-related communication.
- Selection of the appropriate safety functions in the PNOZmulti Configurator
- Correct configuration in the PNOZmulti Configurator
- After downloading: check all safety functions in accordance with the safety plan


3.2.2 Error types, error detection and error reaction on the configurable control system PNOZmulti
A control system PNOZmulti has various fault detection functions, whereby a detected error always leads to a defined error reaction (see Troubleshooting, page 37).

3.2.3 Data backup and data security on the configurable control system PNOZmulti
Various data security mechanisms are used on a control system PNOZmulti. A distinction is made between technical measures and organisational measures.

Technical measures
Technical measures contribute towards data security with regard to errors and faults. They automatically come into effect as soon as data is exposed to external influences (e.g. errors due to electromagnetic interference). Technical measures include, for example:
- Redundancy when recording and processing safe signals
- Backup procedure when downloading a project
- Noise immunity

Organisational measures
Organisational measures contribute towards data security with regard to accidental or intentional data manipulation. The user is primarily responsible for applying appropriate organisational measures.
Organisational measures can mainly be covered with the term "Security". We recommend that you develop a comprehensive strategy with regard to security measures. All criteria that concern the integrity, availability, confidentiality, liability, operational safety and authenticity of data fall under the term "security" (see also the ISO 2700x series of standards).
Security measures include, for example:
- Authentication
- Password management
- Logical and functional division of the office and automation environment on Ethernet-based networks, through firewalls for example
- Mechanical interlock on unused Ethernet interfaces on the control systems


Data security measures on the configurable control system PNOZmulti
A control system PNOZmulti has the following technical and organisational measures for data security:
- Various access permissions are assigned for a project in the PNOZmulti Configurator
  Each project must be assigned 3 passwords. The passwords are used to define access permissions to a different range of functions (see online help for the PNOZmulti Configurator).
- Projects with different versions are detected
  A checksum (= "checksum safe") is included when a project is downloaded. Different project versions can be detected based on this information.
- Various changes are detected using various checksums (see online help for the PNOZmulti Configurator):
  - Checksum safe without level 3
  - Checksum level 3
  - Overall project checksum
  - Checksum diagnostic texts
- If the checksum (= "checksum safe") on the chip card differs from that in the Flash memory, this will be detected when restarting/cold starting a control system (e.g. after changing a chip card)
  Reaction: The control system switches to a fault condition.
- The removal of the chip card during operation is detected
  Reaction: The control system switches to a STOP condition (safe condition) and the "FAULT" LED lights up red.
- An invalid configuration is detected when restarting/cold starting a control system PNOZmulti
  Reaction: The control system switches to a fault condition and the "FAULT" LED flashes red.
- A faulty or incompatible project is detected when restarting/cold starting a control system PNOZmulti
  Reaction: The control system switches to a fault condition and the "FAULT" LED flashes red.
- Seal chip card (use label)
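The point of keeping several checksums rather than one is that a change can be attributed to the part of the project it touched: an edit to a diagnostic text should be distinguishable from an edit to the safety-related logic, because only the latter invalidates the function tests performed on the safety functions. The following Python script is an added illustration of that principle for a project backup or change review and is not Pilz code: it does not reproduce the PNOZmulti Configurator's checksum algorithm or its exact partitioning of the project (what "level 3" covers is not defined on this page). It models a project as three sections (safety-related logic, standard logic, diagnostic texts), computes a SHA-256 per section plus an overall checksum, and classifies a change by which checksums moved. The sample project, the section names and the rule that only a changed safety checksum forces re-validation of the safety functions are assumptions made for this example.

```python
import copy
import hashlib
import json
from typing import Dict

# Constructed sample project (not a real PNOZmulti project file): three
# sections whose integrity is tracked with separate checksums.
BASELINE_PROJECT = {
    "safe": {  # safety-related logic: E-STOP and safety gate functions
        "estop_1": {"inputs": ["I0", "I1"], "output": "O0"},
        "gate_1": {"inputs": ["I2", "I3"], "output": "O1", "test_pulses": True},
    },
    "standard": {  # non-safety-related logic, e.g. a virtual output for diagnostics
        "virtual_out_0": {"source": "estop_1.state"},
    },
    "diag_texts": {  # operator-facing diagnostic messages
        "estop_1": "E-STOP pressed at station 1",
    },
}


def _digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding, so key order cannot change the checksum."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def compute_checksums(project: Dict) -> Dict[str, str]:
    """Return one checksum per section plus an overall project checksum."""
    return {
        "checksum_safe": _digest(project["safe"]),
        "checksum_standard": _digest(project["standard"]),
        "checksum_diag_texts": _digest(project["diag_texts"]),
        "checksum_overall": _digest(project),
    }


def classify_change(baseline: Dict[str, str], current: Dict[str, str]) -> Dict:
    """Compare two checksum sets: report which checksums moved and whether the
    safety functions must be re-validated (assumed rule: only if the safe
    section changed; a changed overall checksum alone is not enough)."""
    changed = sorted(k for k in baseline if baseline[k] != current[k])
    return {
        "changed": changed,
        "revalidate_safety_functions": "checksum_safe" in changed,
    }


def verify_against_baseline(project: Dict, baseline_checksums: Dict[str, str]) -> Dict:
    """Recompute the checksums of a project and classify any deviation from the
    checksums recorded with the validated baseline (the project backup)."""
    return classify_change(baseline_checksums, compute_checksums(project))


if __name__ == "__main__":
    baseline = compute_checksums(BASELINE_PROJECT)

    # Case 1: only a diagnostic text is edited; the safe checksum is unchanged.
    edited = copy.deepcopy(BASELINE_PROJECT)
    edited["diag_texts"]["estop_1"] = "E-STOP pressed at station 1 (north side)"
    print(verify_against_baseline(edited, baseline))

    # Case 2: test pulses on the safety gate inputs are switched off; the safe
    # checksum moves, so the safety functions must be re-validated.
    tampered = copy.deepcopy(BASELINE_PROJECT)
    tampered["safe"]["gate_1"]["test_pulses"] = False
    print(verify_against_baseline(tampered, baseline))
```

Record the baseline checksums together with the project backup at the time of validation; a later comparison then tells a reviewer which section changed before the project is downloaded again.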


3.3 Managing a safe application
Attention must be paid to ensuring safety throughout the entire service life of a machine or process. Corresponding service life phases are defined in EN ISO 12100.
An independent safety strategy should be created and documented for each individual service life phase as part of a comprehensive safety strategy. This safety plan should include:
- Procedure for meeting the specified requirements for functional safety
- Procedure for achieving functional safety for the application software: development, implementation, verification and validation
- Persons, departments or other entities and resources responsible for executing and checking all safety-related activities
- Practices and resources for logging and maintaining information relevant for functional safety
- Procedure for configuration management
- Implementation and validation plan

An important safety aspect is attributed to the responsible persons. In each individual service life phase, it is essential to employ people with appropriate training, appropriate technical knowledge and appropriate experience and qualifications with regard to the specific tasks they have to perform. The term used is "competent person". These persons must be assessed in terms of their competency in performing their tasks; this assessment should be documented.
Examples for control systems from the configurable control system PNOZmulti:
- Planning
  e.g. process engineer. Prerequisites: knowledge of the process and the respective safety requirements, reading and understanding of the technical catalogue for the configurable control system PNOZmulti and the operating instructions for the relevant base units and expansion modules.
- Configuration with the PNOZmulti Configurator
  Programmers. Prerequisites: knowledge of current plans from the design phase, knowledge of safety technology, experience in creating safety-related circuits, reading and understanding of the PNOZmulti Configurator's online help, the technical catalogue for the configurable control system PNOZmulti and the operating instructions for the relevant base units and expansion modules.
- Installation
  e.g. electrical engineers. Prerequisites: knowledge of current plans from the design phase, reading and understanding of the technical catalogue for the configurable control system PNOZmulti, the operating instructions for the relevant base units and expansion modules, knowledge of accident prevention regulations.
- Commissioning
  Prerequisites: knowledge of the process, reading and understanding of the technical catalogue for the configurable control system PNOZmulti and the operating instructions for the relevant base units and expansion modules.


3.4 Documentation of a safe application
All safety-related applications require documentation that defines the safety of the application. It should describe each individual service life phase and the corresponding functions. A simple, comprehensible, correct and complete description is satisfactory. Complete means, for example, that all functions, signals, events and time sequences and the associated tests can be tracked.
The description can comprise one or more parts, depending on the scope. Each document must be labelled with a name and version number.
Additional documents are required for communication between the service life phases. For example, the programmer requires information about the necessary functions from the designer/process engineer, or the installer requires a wiring plan from the designer/process engineer, etc.


Process design

4.1 Determine the scope
Before planning the design you need to determine:
- the exact purpose of the application
- the limits of the application
- the objective in using the control system PNOZmulti

Exact knowledge of the process or machine is required in order to plan the design.


4.2 Specify the functions
The following questions must be answered once the scope has been determined:
- Which safety-related functions must be fulfilled?
- Which safety-related operating states can occur?
- Which interfaces and inputs/outputs (safety-related and non-safety-related) are required?

Specify the exact definitions of the functions, operating states and interfaces used. Use logic diagrams to illustrate the functions and operating states.
Example: E-STOP circuit
- Function: to switch off a plant after an E-STOP pushbutton has been operated
- Operating states can be defined in a logic diagram via the switching states of the E-STOP pushbutton.
- Specify inputs and outputs for connecting the E-STOP pushbuttons, via wiring sketches for example.


4.3 Define the safety requirements
The first two sections of this chapter cover "what you need to do". The sections after that focus on "how you need to do it".
Define the safety requirements of the control system PNOZmulti:
- Define the tasks the control system PNOZmulti must perform in order to achieve the required level of safety.
  Example: What must the control system do to monitor the safe operating states in the process?
- Specify how the control system PNOZmulti is to react to a fault.
  Example: In the event of a fault (process error, periphery error), the control system must switch the process to a safe condition.
- Define the input and output signals.
  Example: Number of safety-related inputs
- Define the time requirements of the safety-related tasks.
  Example: Consideration of delay times, processing times etc., specification of the process error tolerance (period during which the process tolerates an error without a hazard occurring).
- Define the risk and the necessary requirement class (e.g. in accordance with EN ISO 13849-1, EN/IEC 62061).

We recommend that you have the defined safety requirements checked by a certification body.


4.4 Design the installation
You must refer to the technical catalogue of the configurable control system PNOZmulti and the operating instructions for the relevant base units and expansion modules. These also contain information on electromagnetic compatibility (EMC), wiring and input/output connections, which is important for the design.

NOTICE
On "Coated Version" units (base units, expansion modules), the maximum permitted ambient temperature may vary from that of other units. When units are mixed, please note that the maximum permitted ambient temperature of the overall system is determined by the unit with the lowest ambient temperature.


4.5 Configure operation
No special measures are required for the safe operation of a control system PNOZmulti itself. A control system PNOZmulti immediately switches to a safe condition in the event of a fault, such as an internal fault or external error, e.g. EMC influence (see Troubleshooting, page 37).


Application implementation

5.1 Assign safety requirements
Once you have defined the required level of safety and the necessary safety-related functions, you will need to perform a risk assessment for each safety function that is realised through control measures:
- For each safety function, define either the SIL in accordance with EN/IEC 62061 or the PL in accordance with EN ISO 13849-1.
- Determine the safety-related reaction times.
  Check whether any regulations apply for your application in terms of the max. reaction time. The reaction time must always be less than this max. value.
- Assign the necessary hardware, user program and documentation to each safety function.
- Verify that the planned safety level (PL/SIL) is achieved.

5.1.1 Safety via the configuration
The project for both the safety-related and non-safety-related functions is created in the PNOZmulti Configurator. Using predefined symbols (safety-related/non-safety-related), a circuit diagram shows how the inputs and outputs of a control system PNOZmulti should be connected. This circuit diagram is then downloaded to the base unit with the project. From this data, the base unit recognises the safety-related/non-safety-related functions it is to perform.
The PNOZmulti Configurator contributes towards safety by automatically checking various activities and preventing relevant procedures, or at least marking them for special attention:
- Safety-related functions and non-safety-related functions can be clearly identified in the circuit diagram of the PNOZmulti Configurator.
- Incorrect entries, e.g. invalid loops when connecting logic elements, are detected by the PNOZmulti Configurator either at the point of entry or when downloading the project to the base unit.
- Protection against accidental or intentional changes to the project (see Data backup and data security on the configurable control system PNOZmulti, page 17):
  - 3 different access permissions are assigned for a project using passwords (complete access, limited change access, read-only access)
  - Different checksums are formed
    The project in general and safety-related data in particular are explicitly protected from changes.

NOTICE
The user is responsible for ensuring that faults arising from a faulty configuration of the safety functions are detected through comprehensive function tests. Input errors and incorrect functionality must also be detected.


5.1.2 Safety in the application
Safety-related functions and functions for standard applications can be configured in a project. Please note the following:
- Data that comes from functions for standard applications is not safety-related. The use of non-safety-related data/signals for safety-related functions should be considered separately:
  - Assess the impact on the SIL/PL.
  - Please note that the exclusive use of non-safety-related functions for safety-related applications is not permitted!
- Data that comes from a communications interface on the base unit or from a communication module is not safety-related. The use of non-safety-related data for safety-related functions should be considered separately:
  - Assess the impact on the SIL/PL.
  - Please note that the exclusive use of non-safety-related data for safety-related applications is not permitted!
- If outputs are configured as test pulse outputs, they may only be used to test inputs. They must not be used to drive loads!

The user is responsible for the correct implementation.

5.1.3 Safety requirements on sensors and actuators
Analogue or static binary sensors in safety functions must detect when a sensor becomes stuck in a "Go" condition. This can be achieved by:
- Diverse sensors or actuators with regular testing
- Redundant sensors or actuators with regular testing
- Internal or external tests for automatic fault detection
- Measuring and regularly monitoring diverse process data
- Designing the sensors or actuators in such a way as to exclude physical errors by design
- Type-approved sensors

Example connections for sensors and actuators are described in the technical catalogue of the configurable control system PNOZmulti and the operating instructions for the relevant base units and expansion modules.
Some actuators must be controlled by auxiliary contactors. Information about the auxiliary contactors is available in the technical catalogue for the configurable control system PNOZmulti and the operating instructions for the relevant base units and expansion modules. Additional safety measures must be carried out when auxiliary contactors are used.
When sensors are selected you must comply with the technical details of the input circuits. You must refer to the information given in the technical details of the operating instructions for the relevant base units and expansion modules.

5.2 Configuration
Preparatory measures:

- Make a note of which inputs and outputs you need.
- For each base unit, record the sequence in which the expansion modules are installed.
- Map the inputs and outputs to the safety functions.
- Create a structured flow chart. The flow chart must consider general errors such as supply interruptions, short circuits and periphery errors.
- Take into account that many applications require a feasibility test.

5.2.1 Configuration in the PNOZmulti Configurator
Configuration in the PNOZmulti Configurator can only be started when the configuration of the control system PNOZmulti is fixed, i.e. the sequence in which the expansion modules are installed.

- Assemble the base unit that you actually need with the expansion modules that you actually need. During assembly ensure that:
  - the required SIL/PL can be achieved using the inputs/outputs on the selected base unit and expansion modules
  - if stipulated by the safety requirements: use a base unit and expansion modules that enable detection of shorts across contacts and function testing via test pulses
- Configure the base unit and expansion modules. During configuration ensure that:
  - test pulses on safe inputs are activated, if this is stipulated in the safety requirements (e.g. to detect shorts across contacts, function testing)
  - a test must be performed to ensure that safe inputs without test pulses do not actually require detection of shorts across contacts via the base unit
  - the configuration matches the electrical plans

5.2.2 Structuring the project
As far as possible, structure the project in the PNOZmulti Configurator in accordance with the known relevant requirements of program structures (e.g. EN 13849-1). These include:

- Structuring the project via function blocks: Each function block contains an elementary task. This provides a consistent, intelligible project, in which the processes are easy to locate.
- Standardising program sections via macros: Frequently used parts of a user program can be reused over and over again using macros.
- Distributing individual functions over various pages of the project. This makes the circuit diagram
  - clear
  - logically structured
  - easy to test

5.3 Installation
A control system PNOZmulti must be installed in accordance with the PNOZmulti installation manual, the technical catalogue for the configurable control system PNOZmulti and the operating instructions for the relevant base unit and expansion modules. This information includes regulations, notes and measures for the safe installation and wiring of the control system PNOZmulti.
An installation report must be produced, covering all the activities, reactions and solutions that take place during installation. In particular the report should contain:

- Version of the hardware and software
- Checksums
  - Checksum safe
  - Checksum safe without level 3
  - Checksum level 3
- Name, job title and signature of the tester

5.4 Commissioning and validity

5.4.1 Initial commissioning
Commissioning must be analysed and noted step by step. Please note that all safety functions must be validated and tested during commissioning. The course of the entire process must be considered (e.g. temporal boundary conditions). Produce an exact description of the

- Necessary commissioning activities (tasks, responsibilities, solutions)
- Tests (in accordance with the test specification)
- Expected reactions (documentation in the test logs that form part of the test specification)

Use this to produce a checklist for commissioning. The commissioning engineer can use the checklist to verify that he has carried out all the measures to ensure safe commissioning, or he can commission the system based on the checklist.
The higher the SIL/PL, the higher the demands on the competence of the commissioning engineer. The commissioning engineer must have:

- Understanding of the system behaviour of the configurable control system PNOZmulti
- Exact knowledge of the overall process (entire machine)
- Knowledge of the safety functions and the hazards associated with the process and machine

Measuring devices that are required to calculate safety-related variables during commissioning must be calibrated.
A commissioning report must be produced, covering all the activities, reactions, problems and solutions, plus the test results from the test specification(s).

5.4.2 Recommissioning
Recommissioning is always necessary when a change has been made to the plant/machine or process (see Changes [33]).
Recommissioning must be analysed and noted step by step. Produce an exact description of the

- Necessary commissioning activities (tasks, responsibilities, solutions)
- Tests (in accordance with the test specification)
- Expected reactions (documentation in the test logs that form part of the test specification)

Use this to produce a checklist for recommissioning. The commissioning engineer can use the checklist to verify that he has carried out all the measures to ensure safe commissioning, or he can commission the system based on the checklist.
The higher the SIL/PL, the higher the demands on the competence of the commissioning engineer. The commissioning engineer must have:

- Understanding of the system behaviour of the configurable control system PNOZmulti
- Exact knowledge of the overall process (entire machine)
- Knowledge of the safety functions and the hazards associated with the process and machine

Measuring devices that are required to calculate safety-related variables during recommissioning must be calibrated.
A recommissioning report must be produced, covering all the activities, reactions, problems and solutions, plus the test results from the test specification(s).

5.4.3 (Re)commissioning aids
The configurable control system PNOZmulti offers some important resources for problems experienced during commissioning:

- State of the inputs and outputs
- Operating states: START/STOP, online
- Messages: e.g. number of open connections
- Dynamic program display: Shows the state of the elements' inputs and outputs as well as the connections between the elements on the interface of the PNOZmulti Configurator. Inputs, outputs and connections that are active are highlighted in colour.
- Error stack: The error stack of the base unit contains important information for diagnostics and troubleshooting. The error stack can be read using the PNOZmulti Configurator.
- Expanded diagnostics PVIS: The expanded diagnostic configuration PVIS enables corresponding event messages to be displayed in the event of status information, e.g.
  - Errors in or on the control system PNOZmulti (error stack)
  - Changes in the operating state of the PNOZmulti
  - Defined states of safety devices, inputs, outputs and connection points
- Program comparison: The checksum of the user program that is open in the PNOZmulti Configurator can be compared with the checksum of the user program that is loaded in the base unit (= "Checksum safe"). This allows you to determine whether the programs in the PNOZmulti Configurator and in the base unit or chip card reader are identical or different.

5.5 Project backup
If safety-related tasks are to be solved using a project that has been created using the PNOZmulti Configurator, the project must be backed up and versioned.
It is the user's responsibility to back up the project and manage versions.

Change, maintenance, decommissioning

6.1 Changes
It may be necessary to change a process/machine because

- A safety requirement has changed
- A systematic error has occurred
- There are new operational or production requirements
- The process cycle/machine has changed

Before changing a safe process/safe machine, a preparatory analysis must be carried out. The following effects must be analysed:

- How the changes will affect the safety of the process/machine
- How the changes will affect the safety functions of the control system PNOZmulti
- How the changes will affect the SIL/PL of the control system PNOZmulti for the project

The change requirements can be combined into a catalogue of requirements. This should include:

- Detected hazards
- Desired changes
- Reason for the changes

The change should only be carried out by persons with the necessary knowledge and experience (competent persons). The same thing applies: the higher the safety requirement, the higher the demands on the competence of the personnel (release/verification, "four eyes" principle/documentation of implemented changes).

INFORMATION
Please comply with the information regarding assembly/removal as stipulated in the technical catalogue for the configurable control system PNOZmulti and the operating instructions for the relevant base units and expansion modules.
Following a change, if the safety analysis has shown that safety functions need to be validated and tested, the change itself must be tested, as must the course of the entire process. This must be taken into account for recommissioning.
It must be ensured that only the desired changes are made to the project.
Please note the requirements for recommissioning after a change.

Special functions make it easier to run checks and troubleshoot in online mode:

- Checksums: A project has several checksums.
  - Checksums can be used to identify projects precisely.
  - It's possible to compare whether the project that is open in the PNOZmulti Configurator is identical to the project loaded in the base unit.
  - You can determine whether safety-related data has changed (checksum safe, checksum safe without level 3, checksum level 3).
- All commissioning aids (see (Re)commissioning aids [32]).

NOTICE
The checksums can be used to establish whether safety-related changes have been made and therefore whether safety functions need to be validated and tested. However, a comparison may only be used as an additional aid. Under no circumstances can it replace a prior safety analysis for the changes.
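As an added illustration of the change check above (and of the checksums recorded in the installation report, section 5.3): a small change-control aid that compares the three checksums recorded in a report with those read from the current project and reports whether safety-related data differs. This is example code, not Pilz code and not a feature of the PNOZmulti Configurator; the report line format and all checksum values are constructed placeholders.

```python
"""Change-control aid for PNOZmulti project checksums.

Added example, not Pilz code. The report text format and every checksum
value here are constructed for illustration; the PNOZmulti Configurator
does not export this format. The three names follow the safety manual:
'Checksum safe', 'Checksum safe without level 3', 'Checksum level 3'.
"""
from dataclasses import dataclass
import re

# Names exactly as listed for the installation report (section 5.3).
CHECKSUM_NAMES = (
    "Checksum safe",
    "Checksum safe without level 3",
    "Checksum level 3",
)

# Matches a constructed report line such as "Checksum safe: 7C41A9D2".
_LINE_RE = re.compile(
    r"^\s*(Checksum safe without level 3|Checksum safe|Checksum level 3)"
    r"\s*:\s*([0-9A-Fa-f]{4,})\s*$"
)


def parse_report(text: str) -> dict:
    """Extract the three checksums from a report; fail if one is missing.

    A report lacking a checksum cannot serve as the reference for a later
    comparison, so this is an error rather than a silent default.
    """
    found = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).upper()
    missing = [n for n in CHECKSUM_NAMES if n not in found]
    if missing:
        raise ValueError(f"report is missing: {', '.join(missing)}")
    return found


@dataclass(frozen=True)
class ChangeAssessment:
    identical: bool             # all three checksums match the reference
    changed: tuple              # names of the checksums that differ
    validation_indicated: bool  # safety-related data differs: validate and test
    note: str


def assess_change(reference: dict, current: dict) -> ChangeAssessment:
    """Compare current project checksums against the recorded reference.

    Per the manual the comparison is only an additional aid: it shows THAT
    safety-related data changed, not WHAT changed, and it never replaces
    the prior safety analysis of the change. A checksum missing from the
    current project is treated as changed (conservative).
    """
    changed = tuple(n for n in CHECKSUM_NAMES if reference[n] != current.get(n))
    if not changed:
        return ChangeAssessment(True, (), False,
                                "Project identical to the recorded reference. "
                                "The safety analysis of any change is still required.")
    return ChangeAssessment(False, changed, True,
                            f"Safety-related data differs ({', '.join(changed)}). "
                            "Validate and test the safety functions and recommission; "
                            "this comparison does not replace the safety analysis.")


# Constructed installation report excerpt (all values are placeholders).
INSTALLATION_REPORT = """\
Installation report - press line 3 (constructed example)
Hardware version: PLACEHOLDER
Checksum safe: 7C41A9D2
Checksum safe without level 3: 19E0B3F4
Checksum level 3: 5A5A0C77
Tester: J. Example, commissioning engineer
"""

# Constructed checksums read from the project after a change (placeholders).
CURRENT_PROJECT = {
    "Checksum safe": "7C41A9E0",
    "Checksum safe without level 3": "19E0B3F4",
    "Checksum level 3": "5A5A0C78",
}

if __name__ == "__main__":
    print(assess_change(parse_report(INSTALLATION_REPORT), CURRENT_PROJECT).note)
```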

6.2 Maintenance
No maintenance work is necessary on a control system PNOZmulti. Please return any faulty base units/expansion modules to Pilz.

INFORMATION
When exchanging base units/expansion modules, please comply with the information regarding assembly/removal as stipulated in the technical catalogue for the configurable control system PNOZmulti and the operating instructions for the relevant base units and expansion modules.

6.3 Decommissioning
- Note the mission time tM stated in the safety-related characteristic data of base units/expansion modules.
- Please comply with the information regarding assembly/removal as stipulated in the technical catalogue for the configurable control system PNOZmulti and the operating instructions for the relevant base units and expansion modules.
- When decommissioning, please comply with local regulations regarding the disposal of electronic devices (e.g. Electrical and Electronic Equipment Act).

Troubleshooting

7.1 Operating and fault states on a control system PNOZmulti

Fig.: Operating states: [1] Start-up state, [2] RUN state, [3] STOP state

A control system PNOZmulti can assume the following conditions:

- Start-up condition [1]: Start-up phase of the control system PNOZmulti ("POWER", "DIAG", "FAULT", "IFAULT" and "OFAULT" LEDs light). The following occurs during start-up:
  - Hardware self-test
  - "Checksum safe" on chip card and base unit's Flash memory are compared
    - Checksums are different: Base unit switches to a fault condition and RUN condition is not achieved
  - Further self-tests are carried out, e.g. test for configuration errors (comparison of actual/registered hardware), version problems
  - If a fault is detected as the start-up continues, start-up is aborted ("FAULT" LED flashes or lights). The RUN condition is not achieved.
  - If no fault is detected as the start-up continues, then
    - Process image of inputs is read
    - User program is started
    - The control system PNOZmulti then switches to a RUN condition
- RUN condition [2]: Operating state in which the control system PNOZmulti runs in accordance with its intended purpose ("POWER" and "RUN" LEDs are lit):
  - The user program is processed without error
  - Safety-related hardware and firmware is checked regularly
  - Safety functions are designed to be fail-safe
  - A major safety-related error (e.g. short circuit on the output) leads to a safety-related error reaction (switch to a STOP condition)
  - Certain errors may be present without the system switching to a STOP condition (= FAULT condition)
  - Various errors may be detected during RUN condition without the control system PNOZmulti switching to a STOP condition (= FAULT condition). Example: External error at the inputs of the base unit; the error does not lead to a safe condition (e.g. partially operated). The IFAULT LED flashes. The affected module/block is deactivated while the error is present.
- STOP condition [3]: On a control system PNOZmulti, the STOP condition corresponds to the "safe condition". The STOP condition is the operating state to which a control system PNOZmulti switches under the following conditions:
  - An error is detected in RUN condition and this error leads directly to a hazardous condition (e.g. output has a short circuit to 24 V)
  - A manual stop has been triggered (PNOZmulti Configurator).
  The following errors cause a switch to a STOP condition:
  - System errors, e.g. error during self-test, internal error
  - Certain external errors on the inputs
  - Certain external errors on the outputs
  The following reaction results:
  - The user program is no longer run.
  - Power is removed from the safety circuits.

7.2 General fault reaction and rectification
If an error is detected on the control system PNOZmulti, the corresponding error reaction is triggered. If an error occurs during RUN condition and this error leads directly to a hazardous condition (e.g. output has a short circuit to 24 V), then this will always trigger a switch to a STOP condition. If possible, an error is entered in the error stack.
Once the error has been rectified, the control system PNOZmulti can be restarted as follows:

- Restart: A unit is started by switching the supply voltage off and then on again. The unit switches to a start-up condition (see Operating and fault states on a control system PNOZmulti [37]).
- Cold start: Operating the start button in the toolbar of the PNOZmulti Configurator (same effect as a restart). On various units (e.g. PNOZmulti Mini), the cold start can also be executed via a rotary knob on the base unit.

WARNING!
Hazardous condition due to a second error!
After a restart/cold start, errors in the periphery that have not been rectified can be reset. As a result, the first error in the periphery is still present and a potential second error can lead to a hazardous condition.
Under no circumstances should you carry out a restart/cold start until all errors have been rectified. To check this you can evaluate the error list in the error stack (PNOZmulti Configurator).

You should also consider this situation in your safety plan. If necessary, a function test must be included for the affected safeguard.

7.3 Fault diagnostics

Display elements
To enable rapid diagnostics in the event of a fault, the LEDs on the base unit and the LEDs on the expansion modules have diagnostic functions.

INFORMATION
The meaning of the LEDs on the base units and expansion modules is documented in the operating instructions supplied with the units.

Error stack
The error stack can be read out from the control system PNOZmulti for fault diagnostics. Errors that occur are saved in the error stack and marked with a time stamp. There are also the following assignments:

- Error number
- Error class
- Information on which CPU registered the error
- Short message
- Detailed message

Using the PNOZmulti Configurator, the error stack can be read and displayed via a serial interface or, if available, via the Ethernet interface. The last 64 error messages are displayed. The entry at the top is the most recent entry.
What the entries mean:

- Time: Time stamp. Time in minutes since the supply voltage was applied
- No.: Error number. Error number in conjunction with the error class
- Message: Error message in plain text

These entries are always displayed. The following can also be displayed:

- CPU: A or B, as the base unit of a control system PNOZmulti has two processors
- Detailed message: Additional information on the error that occurred
- Remedy: Guidelines for rectifying the error
- Other entries such as address, Equip ID, location description, scope
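As an added example tying the error stack fields above to the restart rule in section 7.2: a reader for an error stack export and a pre-restart check that refuses a restart/cold start while any listed error has not been confirmed rectified. This is example code, not Pilz code; the tab-separated dump format, the error numbers and the message texts are constructed, and the "rectified" set is the engineer's own record (a hypothetical input, not a field of the error stack).

```python
"""Error stack reader and pre-restart check for a PNOZmulti base unit.

Added example, not Pilz code. The tab-separated dump format is constructed
for illustration (the manual describes the fields, not an export format);
error numbers, classes and messages are placeholders. Fields follow section
7.3: Time (minutes since supply voltage applied), No. and Message are always
present; CPU (A/B), Detailed message and Remedy are optional.
"""
from dataclasses import dataclass
from typing import Optional

MAX_ENTRIES = 64  # the Configurator displays the last 64 messages


@dataclass(frozen=True)
class ErrorEntry:
    time_min: int
    number: str
    message: str
    cpu: Optional[str] = None
    detail: Optional[str] = None
    remedy: Optional[str] = None


def parse_error_stack(dump: str) -> list:
    """Parse 'Time<TAB>No.<TAB>Message[<TAB>CPU<TAB>Detail<TAB>Remedy]' lines.

    Lines are taken top-down, most recent first, as in the Configurator view.
    Malformed lines are rejected rather than skipped: an incomplete error list
    must not be used to decide that a restart is permitted.
    """
    entries = []
    for lineno, raw in enumerate(dump.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split("\t")
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected at least Time, No., Message")
        cpu = fields[3] if len(fields) > 3 else None
        if cpu is not None and cpu not in ("A", "B"):
            raise ValueError(f"line {lineno}: CPU must be A or B, got {cpu!r}")
        entries.append(ErrorEntry(
            time_min=int(fields[0]),
            number=fields[1],
            message=fields[2],
            cpu=cpu,
            detail=fields[4] if len(fields) > 4 else None,
            remedy=fields[5] if len(fields) > 5 else None,
        ))
        if len(entries) == MAX_ENTRIES:
            break
    return entries


def unrectified_errors(stack: list, rectified: set) -> list:
    """Entries whose error numbers the engineer has NOT confirmed as rectified.

    The stack only records that an error occurred; 'rectified' is the
    engineer's own record from the fault rectification work.
    """
    return [e for e in stack if e.number not in rectified]


def restart_permitted(stack: list, rectified: set) -> bool:
    """Section 7.2 warning: no restart/cold start while any error is unrectified.

    A restart can reset a still-present periphery error, and a second error
    could then lead to a hazardous condition.
    """
    return not unrectified_errors(stack, rectified)


# Constructed dump, most recent entry first (placeholder numbers and texts).
ERROR_STACK_DUMP = "\n".join([
    "# Time\tNo.\tMessage\tCPU\tDetailed message\tRemedy",
    "42\tE-0201\tExternal error at input\tA\tInput pair partially operated\tCheck sensor wiring",
    "17\tE-0310\tShort circuit at output\tB\tOutput shorted to 24 V\tRectify wiring before restart",
    "5\tE-0105\tConfiguration error\tA\tRegistered hardware differs from actual\tCheck module sequence",
])

if __name__ == "__main__":
    stack = parse_error_stack(ERROR_STACK_DUMP)
    for e in unrectified_errors(stack, {"E-0201", "E-0310"}):
        print(f"unrectified: {e.number} at {e.time_min} min on CPU {e.cpu}: {e.message}")
    print("restart permitted:", restart_permitted(stack, {"E-0201", "E-0310"}))
```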

Checklists

8.1 Checklist guidelines
The checklists on the following pages are designed to provide suggestions and keywords for creating your own, plant-specific checklists. They summarise the issues considered in this safety manual.
The checklists are divided into the following areas:

- Planning
- Configuration
- Installation
- Commissioning
- Maintenance/change

8.2 Planning
Tasks (mark each OK / Not OK):

- Note and implement the relevant points from the risk analysis
- Determine the scope
  - Define the scope of the application
  - Define the limits of the application
  - Define the objective in using a control system PNOZmulti
- Specify the functions
  - Define the process requirements, e.g. reaction times, error reactions
  - In accordance with the applied standard (EN ISO 13849-1 or EN 62061):
    - Define the overall safety functions
    - Describe how the requirements are implemented
  - Design safe start-up for the plant/machine, e.g. prevent automatic start-up
  - Determine the operating modes required by the plant
  - Name the plant's available control elements
  - Name the plant's available accessories
- Define the safety requirements
  - Name the safety-related operating states
  - Define the reaction times for safety-related tasks
  - Specify the reaction of the control system PNOZmulti to an error
  - Define the safety requirements of sensors and actuators
  - Define the local regulations that need to be complied with
  - Define the test specifications for commissioning, e.g. create checklists
- Create a safety plan
  - Plan the technical and organisational measures needed to maintain safety for all life phases
  - Define the responsible persons for each life phase
  - Create a list of all documents
- Create a wiring plan
  - Document the control system PNOZmulti: base unit type, type of expansion modules (e.g. module with analogue outputs, module with digital outputs)
  - Define the number of inputs
  - Define the number of single-pole and dual-pole outputs
  - Define the sensor switch type
  - Define the contact type for control elements
  - Define the plant's fault indicator type, e.g. lamp, text display/operator terminal, computer link
  - Define the assignment of test pulses and inputs
  - Note input response time
  - Check where fault exclusion may be possible due to appropriate wiring
  - Define the test for encoders with test pulses
  - Consider element wiring
  - Consider EMC measures (see Installation Manual)
- Plan installation and commissioning
  - Plan a physical barrier for the plant or danger zone during installation and commissioning
  - Refer to the operating instructions for the relevant units (base unit, expansion modules)
  - Refer to the technical catalogue for the configurable control system PNOZmulti
- Plan project security
  - Provide password security in the PNOZmulti Configurator
  - Provide access security in the PNOZmulti Configurator

Date: ............  Signature: ............

8.3 Configuration
Tasks (mark each OK / Not OK):

- Note and implement the relevant points from the risk analysis
- Select the elements
  - Define which operator elements must be supported
- Configuration of the safe inputs/outputs
  - Assign inputs and outputs to the safety functions
  - Define the safe inputs that require a test pulse
  - Demonstrate that safe inputs without test pulses really don't require detection of shorts across contacts
  - Define the outputs that require an on-test and/or off-test
  - Check that the sensor/actuator switch type is suitable for the safety function
  - Check that the configuration matches the electrical plans
- Define structure of user program
  - Note the safety requirements specified in the design phase
  - Define the function of the function blocks
- System check (aid: PNOZmulti Configurator)
  - Check whether the registered hardware is suitable for the required function
  - Check whether the test pulses have been configured
  - Run project download: follow the project download instructions

Date: ............  Signature: ............

8.4 Installation
Tasks (mark each OK / Not OK):

- Note and implement the relevant points from the risk analysis
- Follow the guidelines in the installation manual
- Refer to the technical catalogue for the configurable control system PNOZmulti
- Refer to the operating instructions for the relevant base unit and expansion modules
- Comply with the wiring plan. Example: the safety contacts must be connected to the inputs on the configurable safety system in accordance with their configuration
- Follow and comply with all the health and safety rules and regulations for the specific area of application
- Follow and comply with all the regulations regarding safety measures for the specific area of application

Date: ............  Signature: ............

8.5 Commissioning

8.5.1 Initial commissioning
Tasks (mark each OK / Not OK):

- Note and implement the relevant points from the risk analysis
- Produce assembly instructions based on the risk analysis
- Describe the safety measures
- Carry out commissioning based on the test specification
- Safety functions and fault detection facilities
  - Check all specified safety functions and fault detection facilities fully (a pure function test is not sufficient!). Examples:
    - Test dual-channel E-STOP for errors in a channel
    - Simulate shorts between contacts
    - Simulate short circuits and open circuits
    - Measure the stopping time/overrun
    - Switch redundant sensors differently
    - Simulate single-channel switching when limit switches are stuck
    - Test the test pulse wiring
  - Check that the safe inputs/outputs are suitable for the safety requirement
  - Verify that a safe condition is achieved in the event of an error
- General
  - Check compliance with the regulations
  - Check compliance with the technical details (see operating instructions for the base unit, expansion modules)
  - Document IP addresses and MAC addresses of the control system PNOZmulti
  - Create a backup copy of the project and save in accordance with the project security guidelines
  - Document the project's checksum
  - Document commissioning

Date: ............  Signature: ............

8.5.2 Recommissioning
Tasks (mark each OK / Not OK):

- Note and implement the relevant points from the risk analysis
- Produce assembly instructions based on the risk analysis
- Describe the safety measures
- Carry out commissioning based on the test specification
- Safety functions and fault detection facilities
  - Check all specified safety functions and fault detection facilities fully (a pure function test is not sufficient!). Examples:
    - Test dual-channel E-STOP for errors in a channel
    - Simulate shorts between contacts
    - Simulate short circuits and open circuits
    - Measure the stopping time/overrun
    - Switch redundant sensors differently
    - Simulate single-channel switching when limit switches are stuck
    - Test the test pulse wiring
  - Check that the safe inputs/outputs are suitable for the safety requirement
  - Verify that a safe condition is achieved in the event of an error
- General
  - Check compliance with the regulations
  - Check compliance with the technical details (see operating instructions for the base unit, expansion modules)
  - Document IP address and MAC address of the control system PNOZmulti
  - Create a backup copy of the project and save in accordance with the project security guidelines
  - Document the project's checksum
  - Document commissioning

Date: ............  Signature: ............

8.6 Maintenance, change
Tasks (mark each OK / Not OK):

- Note and implement the relevant points from the risk analysis
- Remove the power to the control system PNOZmulti (base unit and/or expansion modules) before exchanging units
- Comply with the safety requirements for the following actions (see corresponding checklists):
  - Planning
  - Configuration
  - Installation
  - Recommissioning
- When exchanging the removable data medium on a control system PNOZmulti (base unit), refer to the information in the unit's operating instructions
- Document changes
- Recommission (see checklist Recommissioning [47])
- Create a backup copy of the amended project, declare the amended project as the new original project and save in accordance with the project security plan
- Document the checksums of the new original project

Date: ............  Signature: ............

Glossary

Base unit
Unit in the configurable control system PNOZmulti that contains the CPU, inputs and outputs.

Certification
Procedure by which a product's compliance with the applicable regulations and standards is tested by a notified body; proven compliance is confirmed through the issue of a certificate.

Certification body
Notified body in accordance with Article 14 of the Directive 2006/42/EC; otherwise: accredited institution, often a government body, which examines and confirms a product's compliance with applicable regulations and standards.

Expansion module
Module that provides additional inputs/outputs or interfaces; the module is connected to the base unit.

Person, competent
A person who, through training, experience and current professional activity, has acquired the necessary knowledge and authorisation to test, assess and handle devices, systems, plant and machinery in accordance with the general standards and guidelines for safety technology.

Safe condition
Condition in which power is removed from the safety circuits.

Support
Technical support is available from Pilz round the clock.
You can reach our international hotline on: +49 711 3409-444, support@pilz.com

Pilz GmbH & Co. KG
Felix-Wankel-Straße 2
73760 Ostfildern, Germany
Tel.: +49 711 3409-0
Fax: +49 711 3409-133
info@pilz.com
www.pilz.com

CMSE, InduraNET p, PAS4000, PAScal, PASconfig, Pilz, PIT, PLID, PMCprimo, PMCprotego, PMCtendo, PMD, PMI, PNOZ, Primo, PSEN, PSS, PVIS, SafetyBUS p, SafetyEYE, SafetyNET p, the spirit of safety are registered and protected trademarks of Pilz GmbH & Co. KG in some countries. We would point out that product features may vary from the details stated in this document, depending on the status at the time of publication and the scope of the equipment. We accept no responsibility for the validity, accuracy and entirety of the text and graphics presented in this information. Please contact our Technical Support if you have any questions.

Pilz GmbH & Co. KG, 2014
21103EN02, 2014-07 Printed in Germany