TM5SAI4AFS Analog Current Input Safety Module (SLCv2)

NOTE:

This topic applies to an SLCv2 generation module (in a safety-related system with an SLC300 or SLC400 device). Which device generation is configured in your project is visible at the end of the short device description above the parameter grid (while the device is selected in the tree on the left).

Module type/safety-related fields of application

Analog current input safety-related module, 2x2 safety-related analog input channels, 4 to 20 mA, 24 bit converter resolution, each channel electrically isolated, equivalence evaluation for two-channel applications.

Input filter and switching threshold configurable by software.

Schneider Electric safety-related modules can be used in safety-related applications according to:

  • EN ISO 13849, PL e

  • IEC 62061, SIL 3

  • IEC 61508, SIL 3

Group: Basic

Parameter: MinRequiredFWRev

Default value

Basic Release

Unit

-/-

Description

This parameter is only relevant in case of implementing other firmware versions than the manufacturer-loaded version.

To enter the operational state, the firmware version parameterized here or a newer version must be installed on the module.

  • Basic Release: select this option when running the device with the initially released firmware version.

  • Basic Release from FW V322: select this option when running the device with a firmware as of version 322 or greater.

  • Test Version: select this option when using a device firmware version which is not yet released. A safety-related application cannot get approval if devices with a firmware test version are involved.

The firmware version selected here is particularly important with regard to parameters or process data items that have been implemented with a particular firmware version. If the device you are currently working with has new parameters or process data items, the following applies: if MinRequiredFWRev is set to an incorrect value, either the SLC will not enter the operational run status or the new parameters/process data items will not be taken into account by the SLC.

Refer to the hazard message below this table.

Further Information:

Information on newly added parameters or process data items can be found in the Release Notes you received with the firmware package. The Release Notes also describe how to determine the firmware version that is currently installed on the safety-related device.

 WARNING

UNINTENDED EQUIPMENT OPERATION

  • Verify that the selected value for MinRequiredFWRev corresponds to the firmware version installed on the safety-related devices involved.

  • Verify by means of functional tests that each newly implemented parameter or process data item of safety-related modules is taken into the account by the SLC where this is required by your safety-related application.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

Parameter: Optional

Default value

No

Unit

-/-

Description

The module can be configured as optional using this parameter. Optional modules do not have to be available (physically present or communicative), i.e., if an optional module is unavailable, this is not signaled by the Safety LogicController.

This parameter does not influence the module signal or status data.

Possible values

  • No: This module is not optional.

    This module has to go to Operational mode after start-up and safety-related communication to the Safety Logic Controller has to be established successfully (indicated by SafeModulOK = SAFETRUE). Processing of the safety-related application on the Safety Logic Controller is delayed after start-up until this state is achieved for the modules set to 'Optional = No'.

    After start-up, errors on such safety-related modules are indicated by a fast flashing MXCHG LED on the Safety Logic Controller. Furthermore, an entry is made in the logbook.

  • Yes: This module is optional, i.e.,not necessary for the safety-related application.

    This module is not taken into consideration during start-up, which means that the safety-related application is started even if the modules with 'Optional = Yes' are not in Operational mode or if safety-related communication is unsuccessful.

    After start-up, errors on such safety-related modules are NOT indicated on the Safety Logic Controller. NO entry is made in the logbook.

  • Start-up: This module is optional, decisions regarding its further behavior are made during start-up:

    If, during start-up, it is determined that the module is physically present (even if it is not in Operational mode), then the module behaves as if 'Optional = No' was set.

    If, during start-up, it is determined that the module is not physically present, the module behaves as if 'Optional = Yes' was set.

The Optional parameter is a mechanism to scale your safety-related system for various configurations of your machine design. However, it may be the case that the module(s) that you have designated as optional may be required in some of your alternative machine configurations.

 WARNING

UNINTENDED EQUIPMENT OPERATION

Verify by means of functional tests that those modules that have the Optional parameter set to 'Yes' or 'Start-up' are available if and when required in alternative machine configurations.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

Parameter: InputFilter

Default value

1

Possible values

Selectable from drop-down list:

1; 2; 10; 16.7; 20; 33.3; 40; 66.7

Unit

ms

Description

Configures the input filter by defining the sample interval of the A/D converter.

The parameter sets the interval for sampling the analog value at the module inputs. During this interval, values are captured. The related output process data item is updated after the sampling interval has elapsed.

By defining the input update interval, this value directly influences the signal processing time of the module and consequently the safety response time of the entire input-output channel of the safety-related application.

Refer to the information below this table.

Impact of the set filter value on the safety response time

The following table lists the signal processing time of the module resulting from the set input filter time value (update interval).

 WARNING

UNINTENDED EQUIPMENT OPERATION

Verify that the signal processing time of the input module is included correctly in the safety response time calculations in Machine Expert – Safety.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

Configured filter value

Max. signal processing time of the module

1 ms

17 ms

2 ms

19 ms

10 ms

35 ms

16.7 ms

50 ms

20 ms

55 ms

33.3 ms

82 ms

40 ms

95 ms

66.7 ms

122 ms

Group: SafetyResponseTime

The safety response time is the time between the arrival of the sensor signal on the input channel of a safety-related input module and the shut-off signal at the output channel of a safety-related module. For further and detailed background information, refer to the topic "Safety Response Time for SLCv2 " in the "Machine Expert – Safety - User Guide".

The parameters in this group influence the safety response time of the Safety Logic Controller system. The parameters SafeDataDuration and ToleratedPacketLoss in this group are only applied to the module if ManualConfiguration is set to 'Yes'.

Parameter: ManualConfiguration

Default value

No

Unit

-/-

Description

Specifies whether the module uses its safety response time-relevant parameters (SafeDataDuration and ToleratedPacketLoss) or the values specified in the 'SafetyResponseTimeDefaults' parameter group of the Safety Logic Controller.

Managing parameters per module optimizes the system to application-specific requirements regarding the safety response time.

Parameter value

  • No: The module inherits the SafeDataDuration and ToleratedPacketLoss values from the 'SafetyResponseTimeDefaults' parameter group of the Safety Logic Controller.

  • Yes: The module uses its own parameter values.

Parameter: SafeDataDuration

Default value

200

Value range

Step size

25...9,380

1

Unit

100 µs

Description

This parameter influences the safety response time of the safety-related application.

Specifies the maximum permissible time for data transmission from a safety-related producer to a consumer, that is, from an input module to the SLC, or from the SLC to an output module.

Based on this parameter value and the value of the 'ToleratedPacketLoss' parameter (described below), and further module-specific processing times, the Safety Response Time (SRT) is calculated.

Verify the SRT resulting from the parameter values entered here using the 'Response Time Calculator' dialog in Machine Expert – Safety (menu item 'Project > Response Time Calculator').

Value calculation

The risk analysis you have performed for your safety-related application delivers the maximum allowed overall response time of the safety function and, as part of this, the safety function response time (SRT) of the signal chain.

The SRT is composed of the following partial time values:

SRT = SPTi + SDDi * (TPL +1) + SDDo * (TPL +1) + SPTo

with

SPTi = safety processing time in safety-related input module,

             (including configured filter/delay times),

SDDi = SafeDataDuration time input path,

SDDo = SafeDataDuration time output path,

SPTo = safety processing time in safety-related output module,

             (including configured delay times),

TPL  = number of tolerated packet losses.

This maximum SRT value is the basis for the calculation of the SafeDataDuration (SDD) and the ToleratedPacketLoss (TPL) value you must enter as the parameter value in the grid.

From the allowed SRT, deduct the processing times of the safety-related input module (SPTi) and the output module (SPTo). The result is the total maximum permissible time for the safety-related data transmission on the complete safety-related path, i.e., from the input module to the output module. As the SafeDataDuration parameter relates to only one transmission path (input module -> SLC or SLC -> output module), you must divide the value by 2 to get the required value to be entered in the parameter grid. If a packet loss greater than 0 is tolerated, this must also be considered.

The calculation equation is as follows:

SDD = (SRT - SPTi - SPTo) / (2* (TPL + 1))

With SPT = higher value of SPTi and SPTo and SDD = SDDi = SDDo (symetrical system), the following applies:

SDD = (SRT - 2*SPT) / (2*(TPL+1))

Parameter: ToleratedPacketLoss

Default value

1

Value range

Step size

0...10

1

Unit

Data packets

Description

Specifies the maximum allowed number of lost packets during data transmission. The number of tolerated packet losses affects the safety response time.

Based on this parameter value and the value of the 'SafeDataDuration' parameter, the Safety Response Time (SRT) of the system is calculated.

Verify the SRT resulting from the parameter values entered here using the 'Response Time Calculator' dialog in Machine Expert – Safety (menu item 'Project > Response Time Calculator').

Group: SafeCurrentxxyy

In this group, the four parameters with the same index number (1 to 4) are considered as parameter set. Which parameter set is active on the module depends of the channel settings 'SafeThrSelector_0y0z_Bit1' and 'SafeThrSelector_0y0z_Bit2'. By activating a particular parameter set thus adjusting the input sensitivity, the module can be adapted for the present use case. Refer to the section "Process data items: SafeThrSelector_0y0z_Bit1 and SafeThrSelector_0y0z_Bit2" below for details and information how to switch the parameter set.

Parameters LimitThresholdHigh_Set1 to LimitThresholdHigh_Set4

Default value

20,000

Value range

Step size

3,600...21,000

1

Unit

µA

Description

Specifies the maximum permissible input value for each channel of the module.

Exceedance of the specified input value range can be monitored by evaluating the SafeCurrentOKxx process data item of the respective channel in the safety-related application. This process data item is SAFETRUE as long as the measured value is within the parameterized value range, otherwise it switches to SAFEFALSE.

Verify that the maximum value set here is greater than the minimum value set with the LimitThresholdLow* parameter.

Parameters LimitThresholdLow_Set1 to LimitThresholdLow_Set4

Default value

4,000

Value range

Step size

3,600...21,000

1

Unit

µA

Description

Specifies the minimum permissible input value for each channel of the module.

Exceedance of the specified input value range can be monitored by evaluating the SafeCurrentOKxx process data item of the respective channel in the safety-related application. This process data item is SAFETRUE as long as the measured value is within the parameterized value range, otherwise it switches to SAFEFALSE.

Verify that the minimum value set here is less than the maximum value set with the LimitThresholdHigh* parameter.

Parameters LimitThresholdEquivalent_Set1 to LimitThresholdEquivalent_Set4

This parameter is only relevant in two-channel applications. When connecting two sensors as input pair, the module automatically evaluates the equivalence of the input signals.

Default value

20,000

Value range

Step size

0...21,000

1

Unit

µA

Description

Specifies the maximum permissible value difference between both input channels of an input pair in two-channel applications.

Violation of the specified equivalent threshold after the set discrepancy time has elapsed (see next parameter DiscrepancyTime*) can be monitored by evaluating the SafeCurrentOKxxyy process data item of the respective channels in the safety-related application. In case of exceedance, this process data item switches to SAFEFALSE.

Parameters DiscrepancyTime_Set1 to DiscrepancyTime_Set4

This parameter is only relevant in two-channel applications. When connecting two sensors as input pair, the module automatically evaluates the equivalence of the input signals.

Default value

0

Possible values

Selectable from drop-down list:

0; 2; 5; 10; 20; 50; 100; 200; 500; 1,000; 2,000; 5,000; 10,000

Unit

ms

Description

Specifies the maximum time interval during which the difference between both channels of an input pair in two-channel applications may exceed the limit value without triggering an error.

Violation of the parameterized discrepancy time can be monitored by evaluating the SafeCurrentOKxxyy process data item of the respective channels in the safety-related application. In case of exceedance, this process data item switches to SAFEFALSE.

Parameter: DisableShunttest

Default value

No

Unit

-/-

Description

Enables or disables the automatic shunt test of the measurement shunts.

Disabling the shunt test increases the tolerance of the module regarding input signal interferences.

The parameter sets the behavior for all input channels of the module.

Possible values

  • No: Automatic testing of the measurement shunts is not disabled.

    When detecting a damaged or otherwise inoperative measurement shunt, the module switches to the defined safe-state.

  • Yes-ATTENTION: Automatic testing of the measurement shunts is disabled.

    NOTE:

    With 'DisableShunttest = Yes-ATTENTION', the module provides reduced error detection capabilities and does no longer meet the requirements of CAT 4 according to EN ISO 13849-1:2008. It still meets the requirements up to CAT 3 according to EN ISO 13849-1:2008.

Parameter: MeasurementResultWhileTesting

NOTE:

This parameter is available with device firmware version V322 or greater. Make sure that the MinRequiredFWRev parameter of this module is set to 'Basic Release from FW V322' in order to use the MeasurementResultWhileTesting parameter correctly.

Default value

Single Channel

Unit

-/-

Description

The parameter sets the behavior of the module, i.e., the measurement mode during the internal hardware channel test.

Each measurement channel is tested electronically by applying an internal test signal to the channel periodically every 75 minutes. The test signal is applied for a maximum of one second. Only one channel is tested at a time while the other channel continues the normal analog value measurement.

During the test period, the last measured value of the tested channel is retained (fixed) until the test is completed. Then, normal measurement is continued on both channels until the other channel is tested.

While no test is active, the resulting value is calculated as follows (see also the description of the process data item below):

Resulting value = (value channel xx + value channel yy)/2.

Using the MeasurementResultWhileTesting parameter, the calculation mode during the test period can be set.

NOTE:

Use the diagnostic process data item TestActive (see description below) to signal and evaluate the active test in the safety-related application.

Possible values

  • Single Channel: the resulting value during the test period is the measured value of the "untested" channel. The (retained) value of the tested channel is ignored during the test period.

  • Averaged: the resulting value during the test period of one channel is the average value of both channels (like during normal operation, outside the test periods). This corresponds to the average value calculated from the retained (fixed) value of the tested channel and the measured value of the "untested" channel.

    With this setting, the behavior of the module corresponds to firmware versions less than V322 (may be required for compatibility reasons).

Process data items of the module

Purpose and use of process data items

Each module provides process data items (signals). Process data items can be:

  • I/O signals delivered from or written to a module terminal.

  • diagnostic signals for evaluating the status of input/output channels or the entire module.

  • control signals, for example, for enabling a channel or adjusting the module.

The available process data items of a module are listed under the module node in the tree on the left of the 'Devices' window. To display and use the process data items, expand the module node in the tree by clicking the '+' symbol.

Example

The module with the ID SL1.SM3 provides (among others) the diagnostic signal SafeModuleOK and the input signal SafeDigitalInput01.

From the devices tree, process data items can be inserted into the safety-related FBD/LD code by drag & drop (see following procedure). On insertion into the code, a standard (non-safety-related) or safety-related global variable is created (depending on the data type of the process data item).

Procedure: How to insert process data items into the code

  1. Open the code worksheet where you want to insert the process data item and create/use the global variable assigned to it.

  2. In the 'Devices' window, open the devices tree on the left and expand the module (tree node) which contains the process data item to be used.

  3. Drag the process data item into the code worksheet. When releasing the mouse button, the 'Variable' dialog appears.

    To insert a Boolean variable as a contact into the graphical code, hold the <CTRL> key down when releasing the mouse button after dragging the variable from the device terminal grid into the code worksheet.

  4. In the 'Variable' dialog, a default name is proposed which is derived from the process data item name. Accept the proposed name, select an existing global variable, or declare a new global variable by entering a new 'Name', defining the 'Data Type' and selecting a 'Group'.

  5. Confirm the 'Variable' dialog by clicking 'OK'.

    The rectangle shape of the variable is now added to the cursor. It can be dropped at the desired position with a click. You can directly connect the variable to another object (e.g., a formal parameter as shown in the following example) or dropped at any free position.

Data direction depends on the signal type

Input signals can only be read and output signals can be written by the safety-related application.

Diagnostic signals can be used to evaluate and monitor the status of the safety-related module or individual I/O channels, for example. Therefore, global variables created for and assigned to diagnostic signals can be read by the application.

Control signals can be used to enable the module operation or to adjust/adapt the module for the present use case (for example, by setting a measurement range or a particular module behavior). The global variables created for and assigned to control signals can be written by the application, thus controlling the module.

Representation of the process data items in the devices tree:

Icon

Signal type

Access type

Safety-related input signal or diagnostic signal.

read

Non-safety-related input signal (only available for the Safety Logic Controller).

read

Non-safety-related output signal (only available for the Safety Logic Controller) or control signal.

write

Safety-related output or control signal.

write

NOTE:

If a standard (non-safety-related) signal is connected to a physical input or output, the data type of the corresponding global variable must be modified from safety-related to standard (e.g., from SAFEBOOL to BOOL) to rule out an incorrect use of the signal in the code. The same applies if a safety-related signal is used only as standard signal in the code. Modifying the data type can either be done in the appropriate variables worksheet or using type converter functions.

 WARNING

UNINTENDED EQUIPMENT OPERATION

  • Verify the impact of standard (non-safety-related) signals on safety-related outputs.

  • Verify that "standard to safety-related" converters are used correctly in the code.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

In the following, the I/O, diagnostic and control signals of the present module are listed and described in the order they are listed in the devices tree.

SafeModuleOK

Description

Indicates the status of the communication between the safety-related module and the Safety Logic Controller and therefore, from safety-related application perspective, the module status itself.

Signal type

Diagnostic

Data type

SAFEBOOL

Access type

Variable can be read by the safety-related application

Possible values

SAFEFALSE:

  • Safety-related module is not in an operational state, or

  • the communication with the Safety Logic Controller has not been established correctly, or

  • the module has detected an error with the communication channel.

SAFETRUE:

  • Safety-related module is in an operational state, and

  • the communication with the Safety Logic Controller is established correctly, and

  • the module has not detected an error with the communication channel.

Mandatory assignment validation for the SafeModuleOK data item:

The verification/validation of the assignment of each process data item to a global I/O variable is mandatory. This particularly applies to the SafeModuleOK process data item which is available for each safety-related module and indicates its status. As the SafeModuleOK data item cannot be written to, e.g., by applying a signal to a module input, the module to be verified must be physically removed from the TM5 bus. As a result, SafeModuleOK switches to SAFEFALSE and the assigned global I/O variable must follow. For further information on the steps to remove and reinsert a module, refer to the user manual of the module.

 WARNING

UNINTENDED EQUIPMENT OPERATION

  • Physically remove each safety-related module from the TM5 bus in order to test for SafeModuleOK.

  • Verify that the global I/O variable assigned to the SafeModuleOK process data item of the removed safety-related module switches to SAFEFALSE.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

SafeChannelOKxx (relating to input channels)

Description

Diagnostic signal which indicates the status of the safety-related input channel.

xx specifies the channel number.

This diagnostic signal confirms the validity of the SafeDigitalInputxx signal. Depending on the results of the risk analysis you carried out for your application, the diagnostic signal must be evaluated each time the SafeDigitalInputxx signal is used in the safety-related application. The value SAFEFALSE of the diagnostic signal indicates an invalid SafeDigitalInputxx value. In this case, the SafeDigitalInputxx signal must not be further used, processed, or evaluated in the safety-related application.

Refer to the hazard message below this table.

NOTE:

To detect error status conditions of modules/channels within your application, diagnostic signals must be evaluated in the safety-related code. A programming example and further information can be found in the topic "Monitoring/evaluating diagnostic information of the machine".

Signal type

Diagnostic signal

Data type

SAFEBOOL

Access type

Variable can be read by the safety-related application

Possible values

SAFEFALSE:

  • SafeModuleOK = SAFEFALSE, or

  • incorrect wiring between sensor and input module, or

  • signal loss at channel xx due to cable break or a command device/sensor which is not functioning correctly, or

  • the input signal at channel xx does not comply with the electrical requirements of the module.

SAFETRUE:

  • SafeModuleOK = SAFETRUE, and

  • input channel xx works correctly (SAFETRUE or SAFEFALSE according to the status of the connected command device/sensor).

NOTE:

Also observe the respective LED indicator(s) of the affected modules for the error indication.

 WARNING

UNINTENDED EQUIPMENT OPERATION

  • Verify that the SafeDigitalInputxx signal is only used in the safety-related application as long as the related diagnostic signals are SAFETRUE if demanded by the results of your risk analysis.

  • Validate the overall safety-related function with respect to the processing of input values, and thoroughly test the application.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

SafeCurrentOKxx

Description

Diagnostic signal which indicates the status of the current measurement at input channel xx.

This diagnostic signal confirms the validity of the incoming analog signal and of the SafeCurrentxx process data item (output measurement value). Depending on the results of the risk analysis you carried out for your application, the diagnostic signal must be evaluated each time the SafeCurrentxx signal is used in the safety-related application. The value SAFEFALSE of the diagnostic signal indicates an invalid SafeCurrentxx value. In this case, the SafeCurrentxx signal must not be further used, processed, or evaluated in the safety-related application.

Refer to the hazard message below this table.

NOTE:

To detect error status conditions of modules/channels within your application, diagnostic signals must be evaluated in the safety-related code. A programming example and further information can be found in the topic "Monitoring/evaluating diagnostic information of the machine".

Signal type

Diagnostic signal

Data type

SAFEBOOL

Access type

Variable can be read by the safety-related application

Possible values

SAFEFALSE: the SafeCurrentxx signal is invalid and must not be used in the safety-related application due to one of the following reasons.

  • SafeModuleOK = SAFEFALSE, or

  • signal loss due to cable break or a sensor which is not functioning correctly, or

  • the measured current is out of the parameterized measurement range: on at least one channel, the upper or lower threshold value is exceeded. Verify the values set for the parameters LimitThresholdHigh and LimitThresholdLow and verify that the correct parameter set (1 to 4) is active on the module.

  • the input signal at channel xx does not comply with the electrical requirements of the module

SAFETRUE: the SafeCurrentxx signal is valid. Each of the following conditions must be met:

  • SafeModuleOK = SAFETRUE, and

  • the values at input channel xx are within the parameterized measurement range.

NOTE:

Also observe the respective LED indicator(s) of the affected modules for the error indication.

Relevant module parameters

In the parameter group with the same channel number xx:

  • LimitThresholdHigh_Setn and LimitThresholdLow_Setn (n = 1 to 4)

The related parameter descriptions can be found above in this topic.

 WARNING

UNINTENDED EQUIPMENT OPERATION

  • Verify that the SafeCurrentxx signal is only used in the safety-related application as long as the related diagnostic signals are SAFETRUE if demanded by the results of your risk analysis.

  • Validate the overall safety-related function with respect to the processing of input values, and thoroughly test the application.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

SafeCurrentOKxxyy

Description

Diagnostic signal which indicates the status of the two-channel current measurement at input channel pair xx and yy.

This diagnostic signal confirms the validity of the incoming analog signal and of the SafeCurrentxxyy process data item (output measurement value). Depending on the results of the risk analysis you carried out for your application, the diagnostic signal must be evaluated each time the SafeCurrentxxyy signal is used in the safety-related application. The value SAFEFALSE of the diagnostic signal indicates an invalid SafeCurrentxxyy value. In this case, the SafeCurrentxxyy signal must not be further used, processed, or evaluated in the safety-related application.

Refer to the hazard message below this table.

NOTE:

To detect error status conditions of modules/channels within your application, diagnostic signals must be evaluated in the safety-related code. A programming example and further information can be found in the topic "Monitoring/evaluating diagnostic information of the machine".

Signal type

Diagnostic signal

Data type

SAFEBOOL

Access type

Variable can be read by the safety-related application

Possible values

SAFEFALSE: the SafeCurrentxxyy signal is invalid and must not be used in the safety-related application due to one of the following reasons.

  • SafeModuleOK = SAFEFALSE, or

  • the sensors at the input channels xx and yy delivered different measurement values after the interval specified with the DiscrepancyTime parameter has elapsed (no signal equivalence). The reason may be a sensor which is not functioning correctly or the value set for the DiscrepancyTime parameter is not suitable for the sensors.

  • signal loss at channel xx and/or channel yy due to cable break or a sensor which is not functioning correctly, or

  • the measured current is out of the parameterized measurement range: on at least one channel, the upper or lower threshold value is exceeded. Verify the values set for the parameters LimitThresholdHigh and LimitThresholdLow and verify that the correct parameter set (1 to 4) is active on the module.

  • the input signal at one or both of the channels xx and yy does not comply with the electrical requirements of the module.

SAFETRUE: the SafeCurrentxxyy signal is valid. Each of the following conditions must be met:

  • SafeModuleOK = SAFETRUE, and

  • the values at both input channels xx and yy are within the parameterized measurement range, and

  • equivalence between the involved channels has been established before the time interval specified with the DiscrepancyTime parameter has elapsed.

NOTE:

Also observe the respective LED indicator(s) of the affected modules for the error indication.

Relevant module parameters

In the parameter groups with the same channel number xx and yy:

  • DiscrepancyTime_Setn (n = 1 to 4)

  • LimitThresholdHigh_Setn and LimitThresholdLow_Setn (n = 1 to 4)

The related parameter descriptions can be found above in this topic.

 WARNING

UNINTENDED EQUIPMENT OPERATION

  • Verify that the SafeCurrentxxyy signal is only used in the safety-related application as long as the related diagnostic signals are SAFETRUE if demanded by the results of your risk analysis.

  • Validate the overall safety-related function with respect to the processing of input values, and thoroughly test the application.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

TestActive

NOTE:

This process data item is available with device firmware version V322 or greater. Make sure that the MinRequiredFWRev parameter of this module is set to 'Basic Release from FW V322' in order to use TestActive correctly.

Description

Diagnostic signal which indicates that the internal channel test is currently performed on the module.

Each measurement channel is tested electronically by applying an internal test signal to the channel periodically every 75 minutes. The test signal is applied for a maximum of one second. Only one channel is tested at a time while the other channel continues the normal analog value measurement.

During the test period, the last measured value of the tested channel is retained (fixed) until the test is completed. Then, normal measurement is continued on both channels until the other channel is tested. Refer to the related module parameter description below.

NOTE:

To detect status conditions of modules/channels within your application, diagnostic signals must be evaluated in the safety-related code. A programming example and further information can be found in the topic "Monitoring/evaluating diagnostic information of the machine".

Signal type

Diagnostic signal

Data type

SAFEBOOL

Access type

Variable can be read by the safety-related application

Possible values

SAFEFALSE:

  • SafeModuleOK = SAFEFALSE, or

  • no channel test is currently executed on the module.

SAFETRUE:

  • SafeModuleOK = SAFETRUE, and

  • the internal channel test is currently executed on the module for one channel.

Relevant module parameters

The MeasurementResultWhileTesting parameter specifies the behavior of the module, i.e., the measurement mode that is applied during the internal hardware channel test.

The related parameter description can be found above in this topic.

SafeCurrentxxyy

Description

Input signal from the sensors connected to the input channel pair xx and yy.

Equivalence between the involved channels must be established before the interval specified with the DiscrepancyTime parameter has elapsed. Otherwise, the related diagnostic signal SafeCurrentOKxxyy switches to SAFEFALSE.

The validity of this input signal is confirmed by the related diagnostic signals SafeCurrentOKxxyy, SafeChannelOKxx and SafeChannelOKyy. Depending on the results of the risk analysis you carried out for your application, the diagnostic signals must be evaluated each time the SafeCurrentxxyy signal is used in the safety-related application. The value SAFEFALSE of at least one diagnostic signal indicates an invalid SafeCurrentxxyy value. In this case, the SafeCurrentxxyy signal must not be further used, processed, or evaluated in the safety-related application.

Refer to the hazard message below this table.

Signal type

I/O signal

Data type

SAFEINT

Access type

Variable can be read by the safety-related application

Possible values

If SafeModuleOK = SAFETRUE and the related diagnostic signals SafeCurrentOKxxyy, SafeChannelOKxx and SafeChannelOKyy are SAFETRUE and the set discrepancy time has not elapsed without having signal equivalence at the inputs involved, the following applies:

  • Measured current/µA = SAFEINT value

    (0 ... 20 mA = 0 ... 20000).

  • Resulting current = (current channel xx + current channel yy)/2.

NOTE:

Refer to the hardware manual of the module for details on the safety-oriented measurement precision.

Relevant module parameters

In the parameter group with the same channel number xx:

  • DiscrepancyTime_Setn (n = 1 to 4)

The related parameter descriptions can be found above in this topic.

 WARNING

UNINTENDED EQUIPMENT OPERATION

  • Verify that the SafeCurrentxxyy signal is only used in the safety-related application as long as the related diagnostic signals are SAFETRUE if demanded by the results of your risk analysis.

  • Validate the overall safety-related function with resepct to the processing of analog input values, and thoroughly test the application.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

SafeThrSelector_0y0z_Bit1 and SafeThrSelector_0y0z_Bit2

Description

The combination of applied values for SafeThrSelector_0y0z_Bit1 and SafeThrSelector_0y0z_Bit2 specifies which parameter set is active on the module. This way, the parameter set (1 to 4) can be switched during runtime out of the in the safety-related application, thus adapting the module (measurement range/input sensitivity).

Bit1  Bit2  Active on module

0     0     Parameter set 1

1     0     Parameter set 2

0     1     Parameter set 3

1     1     Parameter set 4

Signal type

Control signal

Data type

SAFEBOOL

Access

Variable can be written by the safety-related application

SafeReleasexxyy

Description

Release signal for the analog input channel pair specified by the channel identifiers xx and yy.

Releasing a channel pair is required after the diagnostic status signal of the channel pair was switched to SAFEFALSE due to invalid input signals. Example: the status signal becomes SAFEFALSE if the measurement range parameterized for the input channel pair is exceeded.

You must perform the following steps, in order to release a channel pair:

  • Eliminate all module/channel or communication errors.

  • Make sure that the analog input signal is within the valid measurement range for the channel concerned.

  • Pause (at least one network cycle) to ensure that the safety-related input signal was processed by the module.

  • Apply a rising edge to release the channel (pair).

NOTE:

If the safety-related module enters the defined safe-state and SafeModuleOK = SAFEFALSE, the SafeReleasexxyy signal cannot be used to release the channel. Instead, the entire module must be restarted. Example: if input values exceed the allowed electrical maximum values as specified in the technical data of the device, the module must be restarted.

Signal type

Control signal

Data type

SAFEBOOL

Access type

Variable can be written by the safety-related application

Possible values

  • SAFEFALSE: analog input channel (pair) remains disabled.

  • Edge SAFEFALSE > SAFETRUE: releases the input channel (pair) if the error is no longer present.

  • SAFETRUE: a static SAFETRUE has no effect.