TM5STI4ATCFS Analog Temperature Input Safety Module

Module type/safety-related fields of application

Analog temperature input safety-related module

2x2 safety-related analog thermocouple inputs for thermoelements of the types J, K, N, S, R, C, T

Sensor specification in accordance with EN IEC 60584-1:2010

1x2 safety-related analog PT100/PT1000 input, e.g. for terminal temperature compensation

24 bit converter resolution

Channel pairs galvanically isolated

Equivalence evaluation for two-channel applications configurable by software

Input filter and switching threshold configurable by software

Schneider Electric safety-related modules can be used in safety-related applications according to:

EN ISO 13849, PL e

IEC 62061, SIL 3

IEC 61508, SIL 3

Parameter: MinRequiredFWRev

Default value

Basic Release

Unit

-/-

Description

This parameter is only relevant in case of implementing other firmware versions than the manufacturer-loaded version.

To enter the operational state, the firmware version parameterized here or a newer version must be installed on the module.

Basic Release: select this option when running the device with the initially released firmware version.

Basic Release from FW Vxxx: select this option when running the device with a firmware version Vxxx (where xxx represents the version number).

Test Version: select this option when using a device firmware version which is not yet released. A safety-related application cannot get approval if devices with a firmware test version are involved.

The firmware version selected here is particularly important with regard to parameters or process data items that have been implemented with a particular firmware version. If the device you are currently working with has new parameters or process data items, the following applies: if MinRequiredFWRev is set to an incorrect value, either the SLC will not enter the operational run status or the new parameters/process data items will not be taken into account by the SLC.

Refer to the hazard message below this table.

Further Information

Information on newly added parameters or process data items can be found in the Release Notes you received with the firmware package. The Release Notes also describe how to determine the firmware version that is currently installed on the safety-related device.

WARNING

UNINTENDED EQUIPMENT OPERATION

Verify that the selected value for MinRequiredFWRev corresponds to the firmware version installed on the safety-related devices involved.

Verify by means of functional tests that each newly implemented parameter or process data item of safety-related modules is taken into the account by the SLC where this is required by your safety-related application.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

Parameter: Optional

Default value	No
Unit	-/-
Description	The module can be configured as optional using this parameter. Optional modules do not have to be available (physically present or communicative), i.e., if an optional module is unavailable, this is not signaled by the Safety LogicController. This parameter does not influence the module signal or status data.
Possible values	No: This module is not optional. This module has to go to Operational mode after start-up and safety-related communication to the Safety Logic Controller has to be established successfully (indicated by SafeModulOK = SAFETRUE). Processing of the safety-related application on the Safety Logic Controller is delayed after start-up until this state is achieved for the modules set to 'Optional = No'. After start-up, errors on such safety-related modules are indicated by a fast flashing MXCHG LED on the Safety Logic Controller. Furthermore, an entry is made in the logbook. Yes: This module is optional, i.e.,not necessary for the safety-related application. This module is not taken into consideration during start-up, which means that the safety-related application is started even if the modules with 'Optional = Yes' are not in Operational mode or if safety-related communication is unsuccessful. After start-up, errors on such safety-related modules are NOT indicated on the Safety Logic Controller. NO entry is made in the logbook. Start-up: This module is optional, decisions regarding its further behavior are made during start-up: If, during start-up, it is determined that the module is physically present (even if it is not in Operational mode), then the module behaves as if 'Optional = No' was set. If, during start-up, it is determined that the module is not physically present, the module behaves as if 'Optional = Yes' was set.

The Optional parameter is a mechanism to scale your safety-related system for various configurations of your machine design. However, it may be the case that the module(s) that you have designated as optional may be required in some of your alternative machine configurations.

WARNING

UNINTENDED EQUIPMENT OPERATION

Verify by means of functional tests that those modules that have the Optional parameter set to 'Yes' or 'Start-up' are available if and when required in alternative machine configurations.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

Parameter: TwoChannelMode

Default value	Channel12
Unit	-/-
Description	Defines the pair of input channels for which equivalence is evaluated. For the set input channel pair, the parameter values LimitThresholdEquivalent* and DiscrepancyTime* (see below) are relevant.
Possible values	Channel12_34: Evaluation of equivalence is made for the channel pairs ½ and 3/4. Channel13_24: Evaluation of equivalence is made for the channel pairs 1/3 and 2/4.

Parameter: InputFilter

Default value	1
Possible values	Selectable from drop-down list: 1; 2; 10; 16.7; 20; 33.3; 40; 66.7
Unit	ms
Description	Configures the input filter by defining the sample interval of the A/D converter. The parameter sets the interval for sampling the analog value at the module inputs. During this interval, values are captured. The related output process data item is updated after the sampling interval has elapsed. By defining the input update interval, this value directly influences the signal processing time of the module and consequently the safety response time of the entire input-output channel of the safety-related application. Refer to the information below this table.

Impact of the set filter value on the safety response time

The following table lists the signal processing time of the module resulting from the set input filter time value (update interval).

WARNING

UNINTENDED EQUIPMENT OPERATION

Verify that the signal processing time of the input module is included correctly in the safety response time calculations in EcoStruxure Machine Expert - Safety.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

Configured filter value	Max. signal processing time of the module
1 ms	32 ms
2 ms	40 ms
10 ms	86 ms
16.7 ms	132 ms
20 ms	152 ms
33.3 ms	240 ms
40 ms	284 ms
66.7 ms	372 ms

Parameter: ManualConfiguration

Default value	No
Unit	-/-
Description	Specifies whether the module uses its safety response time-relevant parameters (CommunicationWatchdog, MinDataTransportTime, and MaxDataTransportTime) or the values specified in the 'SafetyResponseTimeDefaults' parameter group of the Safety Logic Controller. Managing parameters per module optimizes the system to application-specific requirements regarding the safety response time.
Parameter value	No: The module inherits the CommunicationWatchdog, MinDataTransportTime, and MaxDataTransportTime values from the 'SafetyResponseTimeDefaults' parameter group of the Safety Logic Controller. Yes: The module uses its own parameter values.

Parameter: MinDataTransportTime

Default value	12
Value range Step size	12...500 1
Unit	100 µs
Description	Defines the minimum time that is required to transmit a data telegram from a producer to a consumer. If a telegram is received earlier (by the consumer) than specified by this parameter value, communication is considered as invalid. EcoStruxure Machine Expert - Safety provides a calculator dialog to determine this parameter value. Term definition and background information According to the openSAFETY specification, devices (safety-related I/O modules as well as the Safety Logic Controller) communicate by sending and receiving cyclic data, referred to as openSAFETY telegrams. A telegram generating (sending) device is designated as producer, a receiving device is a consumer. Each telegram includes a time stamp for time validation of the communication. On receipt of a telegram, the consumer compares this time stamp with the current time. If the schedule is kept, the communication is considered as valid. If a telegram is received earlier than defined by this parameter, communication is considered as invalid and is not further processed. The 'SafeModuleOK' process data item also becomes SAFEFALSE indicating that the safety-related communication of the module is no longer valid. The implications for the rest of the safety-related systems depend on the defined safety-related function.
Value calculation	How to calculate the module-specific MinDataTransportTime value Select 'Project > Response Time Relevant Parameters'. In the appearing dialog, open the 'Manual' tab. Section 'Variable Parameters': If a differing Sercos III cycle time than set in EcoStruxure Machine Expert is used to calculate the MinDataTransportTime (e.g., to take cycle time modifications by the application program into account), check 'Make Selectable' and select or enter the desired 'Sercos III Cycle Time'. The 'Ring/Double Line' checkbox only influences the MaxDataTransportTime value. The 'Ring/Double Line' checkbox does not influence the MinDataTransportTime value. An entered 'Network Package Loss' does not influence the MinDataTransportTime but only the CommunicationWatchdog value. The 'System Parameters' section is read-only and displays system/module properties set in EcoStruxure Machine Expert. When modifying these parameters while the dialog is open, the values are updated automatically without closing the calculator dialog. The calculated module-specific MinDataTransportTime value is displayed in the 'Result' section. Note the resulting value and enter the value for the MinDataTransportTime parameter in the module parameter grid.
Practical values	Entering the MinDataTransportTime value calculated in EcoStruxure Machine Expert - Safety results in a stable running system.

Parameter: MaxDataTransportTime

Default value	200
Value range Step size	12...65,000 1
Unit	100 µs
Description	Defines the maximum time that is allowed to transmit a data telegram from a producer to a consumer. If a telegram is received later (by the consumer) than specified by this parameter value, communication is considered as invalid. EcoStruxure Machine Expert - Safety provides a calculator dialog to determine this parameter value. NOTE: The parameter value influences the safety response time calculated by EcoStruxure Machine Expert - Safety. Term definition and background information According to the openSAFETY specification, devices (safety-related I/O modules as well as the Safety Logic Controller) communicate by sending and receiving cyclic data, referred to as openSAFETY telegrams. A telegram generating (sending) device is designated as producer, a receiving device is a consumer. Each telegram includes a time stamp for time validation of the communication. On receipt of a telegram, the consumer compares this time stamp with the current time. If the schedule is kept, the communication is considered as valid. If a telegram is received later than defined by this parameter, communication is considered as invalid and is not further processed. The implications for the rest of the safety-related systems depend on the defined safety-related function.
Value calculation	How to calculate the module-specific MaxDataTransportTime value Select 'Project > Response Time Relevant Parameters'. In the appearing dialog, open the 'Manual' tab. Section 'Variable Parameters': If a differing Sercos III cycle time than set in EcoStruxure Machine Expert is to be used to calculate the MaxDataTransportTime (e.g., to take cycle time modifications by the application program into account), check 'Make Selectable' and select or enter the desired 'Sercos III Cycle Time'. 'Ring/Double Line' checkbox: Ring and double line bus structures require greater parameter values in order to implement a stable running system. Check 'Ring/Double Line' to take into account the bus structure. It is activated by default which is suitable for a ring bus structure and a double line bus structure. If you are implementing a line structure, the checkbox can be deactivated to decrease the resulting parameter value. Values calculated for a ring/double line structure can be used for a line structure but not vice versa. An entered 'Network Package Loss' does not influence the MaxDataTransportTime but only the CommunicationWatchdog value. The calculated MaxDataTransportTime value is displayed for the module. Module-specific parameters (such as cycle times, set in EcoStruxure Machine Expert) are also displayed in the grid for information purposes. When modifying these parameters while the dialog is open, the values are updated automatically without closing the calculator dialog. Note the resulting value for the module and enter the appropriate value into the MaxDataTransportTime parameter grid field of the module.
Practical values	Entering the MaxDataTransportTime value calculated in EcoStruxure Machine Expert - Safety results in a stable running system.

Parameter: CommunicationWatchdog

Default value	200
Value range Step size	1...65,535 1
Unit	100 µs
Description	Defines the maximum time period within which a consumer must receive a valid data telegram from a producer in order to consider the safety-related communication as valid and continue the application. The parameter sets a watchdog timer which then monitors whether a consumer receives telegrams from a producer in time. If the watchdog expires, communication is considered as invalid. EcoStruxure Machine Expert - Safety provides a calculator to determine this parameter value. NOTE: The parameter value influences the safety response time calculated by EcoStruxure Machine Expert - Safety. Term definition and background information According to the openSAFETY specification, devices (safety-related I/O modules as well as the Safety Logic Controller) communicate by sending and receiving cyclic data, referred to as openSAFETY telegrams. A telegram generating (sending) device is designated as producer, a receiving device is a consumer. The CommunicationWatchdog value physically depends on the transport time needed for the telegram to be transmitted from a producer to a consumer and influences the worst case response time of the system. The calculated parameter value therefore depends on the MaxDataTransportTime parameter value. If the consumer receives the telegram in time (communication watchdog is not yet expired and the transmission time is within the period specified by the parameters MinDataTransportTime and MaxDataTransportTime), the watchdog timer is restarted and communication is considered as valid. The time stamp contained in the received telegram is not evaluated, only the receipt of a valid telegram is relevant. If no telegram is received (due to delay or loss) and the communication watchdog expires in the consumer, the module is set to the defined safe state. The 'SafeModuleOK' process data item also becomes SAFEFALSE indicating that the safety-related communication of the module is no longer valid.
Value calculation	How to calculate the module-specific CommunicationWatchdog value Select 'Project > Response Time Relevant Parameters'. In the appearing dialog, open the 'Manual' tab. Section 'Variable Parameters': If a differing Sercos III cycle time than set in EcoStruxure Machine Expert is to be used to calculate the CommunicationWatchdog value (e.g., to take cycle time modifications by the application program into account), check 'Make Selectable' and select or enter the desired 'Sercos III Cycle Time'. 'Ring/Double Line' checkbox: Ring and double line bus structures require greater parameter values in order to implement a stable running system. Check 'Ring/Double Line' to take into account the bus structure. It is activated by default which is suitable for a ring or double line bus structure. If you are implementing a line structure, the checkbox can be deactivated to decrease the resulting parameter value. Values calculated for a ring/double line structure can be used for a line structure but not vice versa. By increasing the number of allowed package losses, the system can be more tolerant. This increases the calculated minimum watchdog interval. Enter an integer value (range 0..99) for the number of telegrams that can be lost for the present module. The entered value is applied to the safety-related modules involved. The calculated CommunicationWatchdog value is displayed for the module. Module-specific parameters (such as cycle times, set in EcoStruxure Machine Expert) are also displayed in the grid for information purposes. When modifying these parameters while the dialog is open, the values are updated automatically without closing the calculator dialog. Note the resulting value for the module and enter the appropriate value into the CommunicationWatchdog parameter grid field of the module.
Practical values	For the CommunicationWatchdog value which you must enter in the parameter grid ('Devices' window), the following applies: For commissioning a system, the CommunicationWatchdog value should be equal to or greater than the largest cycle time of the system (for example, the SercosIII cycle time). A value greater than the calculated CommunicationWatchdog value increases the system availability but also increases the overall worst case response time (thus increasing the required physical distances for mounting safety barrier and perimeter equipment at the machine).

Parameter SensorType

Default value	Type J
Unit	-/-
Description	Defines the type of the safety-related thermocoupler sensors connected to the analog input channels 01 to 04. Sensor specification in accordance with EN IEC 60584-1:2010. NOTE: The configuration of an incorrect sensor type cannot be detected by the module. Configuring an incorrect sensor type results in incorrect temperature measurements. Refer to the hazard message below.
Possible values	Type J Type K Type N Type S Type R Type C Type T Voltage in µV

WARNING

UNINTENDED EQUIPMENT OPERATION

Verify during validation that the correct thermocoupler type is used in your application and configured for the module.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

Parameter SensorType

Default value	PT1000
Unit	-/-
Description	Defines the type of the safety-related temperature sensor connected to the analog input channels 05 and 06. The module detects the configuration of an incorrect sensor type. In this case, the module switches to the defined safe state.
Possible values	PT100 PT1000

Parameters LimitThresholdHigh_Set1 to LimitThresholdHigh_Set4

Default value	1,000
Value range Step size	-32,768 to 32,767 1 Verify that the maximum value set here is greater than the minimum value set with the LimitThresholdLow* parameter.
Unit	0.1 °C / 2 µV
Description	Specifies the maximum permissible input value for each channel of the module. Exceedance of the specified input value range can be monitored by evaluating the SafeTemperatureOKxxyy process data item of the respective channel in the safety-related application. This process data item is SAFETRUE as long as the measured value is within the parameterized value range, otherwise it switches to SAFEFALSE.

Parameters LimitThresholdLow_Set1 to LimitThresholdLow_Set4

Default value	0
Value range Step size	-32,768 to 32,767 1 Verify that the minimum value set here is less than the maximum value set with the LimitThresholdHigh* parameter.
Unit	0.1 °C / 2 µV
Description	Specifies the minimum permissible input value for each channel of the module. Exceedance of the specified input value range can be monitored by evaluating the SafeTemperatureOKxxyy process data item of the respective channel in the safety-related application. This process data item is SAFETRUE as long as the measured value is within the parameterized value range, otherwise it switches to SAFEFALSE.

Parameters LimitThresholdEquivalent_Set1 to LimitThresholdEquivalent_Set4

This parameter is only relevant in two-channel applications. When connecting two sensors as input pair, the module evaluates the equivalence of the input signals according to the configuration of the 'TwoChannelMode' parameter ('Basic' group).

Default value	1,000
Value range Step size	-32,768 to 32,767 1
Unit	0.1 °C / 2 µV
Description	Specifies the maximum permissible value difference between both input channels of an input pair in two-channel applications. Violation of the specified equivalent threshold after the set discrepancy time has elapsed (see next parameter DiscrepancyTime*) can be monitored by evaluating the SafeTemperatureOKxxyy process data item of the respective channels in the safety-related application. In case of exceedance, this process data item switches to SAFEFALSE.

Parameters DiscrepancyTime_Set1 to DiscrepancyTime_Set4

This parameter is only relevant in two-channel applications. When connecting two sensors as input pair, the module evaluates the equivalence of the input signals according to the configuration of the 'TwoChannelMode' parameter ('Basic' group).

Default value	0
Possible values	Selectable from drop-down list: 0; 2; 5; 10; 20; 50; 100; 200; 500; 1,000; 2,000; 5,000; 10,000
Unit	ms
Description	Specifies the maximum time interval during which the difference between both channels of an input pair in two-channel applications may exceed the limit value without triggering an error. Which channels are considered as input pair is set using the 'TwoChannelMode' parameter ('Basic' group) Violation of the parameterized discrepancy time can be monitored by evaluating the SafeTemperatureOKxxyy process data item of the respective channels in the safety-related application. In case of exceedance, this process data item switches to SAFEFALSE.

Parameter: MeasurementResultWhileTesting

NOTE:

This parameter is available with device firmware version V322 or greater. Make sure that the MinRequiredFWRev parameter of this module is set to 'Basic Release from FW V322' in order to use the MeasurementResultWhileTesting parameter correctly.

Default value	Single Channel
Unit	-/-
Description	The parameter sets the behavior of the module, i.e., the measurement mode during the internal hardware channel test. Each measurement channel is tested electronically by applying an internal test signal to the channel periodically every 75 minutes. The test signal is applied for a maximum of one second. Only one channel is tested at a time while the other channel continues the normal analog value measurement. During the test period, the last measured value of the tested channel is retained (fixed) until the test is completed. Then, normal measurement is continued on both channels until the other channel is tested. While no test is active, the resulting value is calculated as follows (see also the description of the process data item below): Resulting value = (value channel xx + value channel yy)/2. Using the MeasurementResultWhileTesting parameter, the calculation mode during the test period can be set. NOTE: Use the diagnostic process data item TestActive (see description below) to signal and evaluate the active test in the safety-related application.
Possible values	Single Channel: the resulting value during the test period is the measured value of the "untested" channel. The (retained) value of the tested channel is ignored during the test period. Averaged: the resulting value during the test period of one channel is the average value of both channels (like during normal operation, outside the test periods). This corresponds to the average value calculated from the retained (fixed) value of the tested channel and the measured value of the "untested" channel. With this setting, the behavior of the module corresponds to firmware versions less than V322 (may be required for compatibility reasons).

Purpose and use of process data items

Each module provides process data items (signals). Process data items can be:

I/O signals delivered from or written to a module terminal.

diagnostic signals for evaluating the status of input/output channels or the entire module.

control signals, for example, for enabling a channel or adjusting the module.

The available process data items of a module are listed under the module node in the tree on the left of the 'Devices' window. To display and use the process data items, expand the module node in the tree by clicking the '+' symbol.

Example

The module with the ID SL1.SM3 provides (among others) the diagnostic signal SafeModuleOK and the input signal SafeDigitalInput01.

From the devices tree, process data items can be inserted into the safety-related FBD/LD code by drag & drop (see following procedure). On insertion into the code, a standard (non-safety-related) or safety-related global variable is created (depending on the data type of the process data item).

Procedure: How to insert process data items into the code

Open the code worksheet where you want to insert the process data item and create/use the global variable assigned to it.
In the 'Devices' window, open the devices tree on the left and expand the module (tree node) which contains the process data item to be used.
Drag the process data item into the code worksheet. When releasing the mouse button, the 'Variable' dialog appears.

To insert a Boolean variable as a contact into the graphical code, hold the <CTRL> key down when releasing the mouse button after dragging the variable from the device terminal grid into the code worksheet.
In the 'Variable' dialog, a default name is proposed which is derived from the process data item name. Accept the proposed name, select an existing global variable, or declare a new global variable by entering a new 'Name', defining the 'Data Type' and selecting a 'Group'.
Confirm the 'Variable' dialog by clicking 'OK'.

The rectangle shape of the variable is now added to the cursor. It can be dropped at the desired position with a click. You can directly connect the variable to another object (e.g., a formal parameter as shown in the following example) or dropped at any free position.

Data direction depends on the signal type

Input signals can only be read and output signals can be written by the safety-related application.

Diagnostic signals can be used to evaluate and monitor the status of the safety-related module or individual I/O channels, for example. Therefore, global variables created for and assigned to diagnostic signals can be read by the application.

Control signals can be used to enable the module operation or to adjust/adapt the module for the present use case (for example, by setting a measurement range or a particular module behavior). The global variables created for and assigned to control signals can be written by the application, thus controlling the module.

Representation of the process data items in the devices tree:

Icon	Signal type	Access type
	Safety-related input signal or diagnostic signal.	read
	Standard input signal (only available for the Safety Logic Controller).	read
	Standard output signal (only available for the Safety Logic Controller) or control signal.	write
	Safety-related output or control signal.	write

NOTE:

If a standard (non-safety-related) signal is connected to a physical input or output, the data type of the corresponding global variable must be modified from safety-related to standard (e.g., from SAFEBOOL to BOOL) to rule out an incorrect use of the signal in the code. The same applies if a safety-related signal is used only as standard signal in the code. Modifying the data type can either be done in the appropriate variables worksheet or using type converter functions.

WARNING

UNINTENDED EQUIPMENT OPERATION

Verify the impact of standard (non-safety-related) signals on safety-related outputs.

Verify that "standard to safety-related" converters are used correctly in the code.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

In the following, the I/O, diagnostic and control signals of the present module are listed and described in the order they are listed in the devices tree.

SafeModuleOK

Description	Indicates the status of the communication between the safety-related module and the Safety Logic Controller and therefore, from safety-related application perspective, the module status itself.
Signal type	Diagnostic
Data type	SAFEBOOL
Access type	Variable can be read by the safety-related application
Possible values	SAFEFALSE: Safety-related module is not in an operational state, or the communication with the Safety Logic Controller has not been established correctly, or the module has detected an error with the communication channel. SAFETRUE: Safety-related module is in an operational state, and the communication with the Safety Logic Controller is established correctly, and the module has not detected an error with the communication channel.

Mandatory assignment validation for the SafeModuleOK data item:

The verification/validation of the assignment of each process data item to a global I/O variable is mandatory. This particularly applies to the SafeModuleOK process data item which is available for each safety-related module and indicates its status. As the SafeModuleOK data item cannot be written to, e.g., by applying a signal to a module input, the module to be verified must be physically removed from the TM5 bus. As a result, SafeModuleOK switches to SAFEFALSE and the assigned global I/O variable must follow. For further information on the steps to remove and reinsert a module, refer to the user manual of the module.

WARNING

UNINTENDED EQUIPMENT OPERATION

Physically remove each safety-related module from the TM5 bus in order to test for SafeModuleOK.

Verify that the global I/O variable assigned to the SafeModuleOK process data item of the removed safety-related module switches to SAFEFALSE.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

SafeTemperatureOKxxyy

Description	Diagnostic signal which indicates the status of the two-channel temperature evaluation at input channel pair xx and yy. This diagnostic signal confirms the validity of the incoming analog signal and of the SafeTemperaturexxyy process data item (output measurement value). Depending on the results of the risk analysis you carried out for your application, the diagnostic signal must be evaluated each time the SafeTemperaturexxyy signal is used in the safety-related application. The value SAFEFALSE of the diagnostic signal indicates an invalid SafeTemperaturexxyy value. In this case, the SafeTemperaturexxyy signal must not be further used, processed, or evaluated in the safety-related application. Refer to the hazard message below this table. NOTE: To detect error status conditions of modules/channels within your application, diagnostic signals must be evaluated in the safety-related code. A programming example and further information can be found in the topic "Monitoring/evaluating diagnostic information of the machine".
Signal type	Diagnostic signal
Data type	SAFEBOOL
Access type	Variable can be read by the safety-related application
Possible values	SAFEFALSE: the SafeTemperaturexxyy signal is invalid and must not be used in the safety-related application due to one of the following reasons. SafeModuleOK = SAFEFALSE, or the sensors at the input channels xx and yy delivered different measurement values after the interval specified with the DiscrepancyTime parameter has elapsed (no signal equivalence). The reason may be a sensor which is not functioning correctly or the value set for the DiscrepancyTime parameter is not suitable for the sensors. signal loss at channel xx and/or channel yy due to cable break or a sensor which is not functioning correctly, or the measured temperature is out of the parameterized measurement range: on at least one channel, the upper or lower threshold value is exceeded. Verify the values set for the parameters LimitThresholdHigh and LimitThresholdLow and verify that the correct parameter set (1 to 4) is active on the module. the input signal at one or both of the channels xx and yy does not comply with the electrical requirements of the module For input voltages > 74mV, the module enters the defined safe state (SafeModuleOK = SAFEFALSE). SAFETRUE: the SafeTemperaturexxyy signal is valid. Each of the following conditions must be met: SafeModuleOK = SAFETRUE, and the values at both input channels xx and yy are within the parameterized measurement range, and equivalence between the involved channels has been established before the time interval specified with the DiscrepancyTime parameter has elapsed. NOTE: Also observe the respective LED indicator(s) of the affected modules for the error indication.
Relevant module parameters	In the parameter groups with the same channel number xx and yy: TwoChannelMode DiscrepancyTime_Setn (n = 1 to 4) LimitThresholdHigh_Setn and LimitThresholdLow_Setn (n = 1 to 4) The related parameter descriptions can be found above in this topic.

WARNING

UNINTENDED EQUIPMENT OPERATION

Verify that the SafeTemperaturexxyy signal is only used in the safety-related application as long as the related diagnostic signals are SAFETRUE if demanded by the results of your risk analysis.

Validate the overall safety-related function with respect to the processing of input values, and thoroughly test the application.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

TestActive

NOTE:

This process data item is available with device firmware version V322 or greater. Make sure that the MinRequiredFWRev parameter of this module is set to 'Basic Release from FW V322' in order to use TestActive correctly.

Description	Diagnostic signal which indicates that the internal channel test is currently performed on the module. Each measurement channel is tested electronically by applying an internal test signal to the channel periodically every 75 minutes. The test signal is applied for a maximum of one second. Only one channel is tested at a time while the other channel continues the normal analog value measurement. During the test period, the last measured value of the tested channel is retained (fixed) until the test is completed. Then, normal measurement is continued on both channels until the other channel is tested. Refer to the related module parameter description below. NOTE: To detect status conditions of modules/channels within your application, diagnostic signals must be evaluated in the safety-related code. A programming example and further information can be found in the topic "Monitoring/evaluating diagnostic information of the machine".
Signal type	Diagnostic signal
Data type	SAFEBOOL
Access type	Variable can be read by the safety-related application
Possible values	SAFEFALSE: SafeModuleOK = SAFEFALSE, or no channel test is currently executed on the module. SAFETRUE: SafeModuleOK = SAFETRUE, and the internal channel test is currently executed on the module for one channel.
Relevant module parameters	The MeasurementResultWhileTesting parameter specifies the behavior of the module, i.e., the measurement mode that is applied during the internal hardware channel test. The related parameter description can be found above in this topic.

SafeTemperaturexxyy

Description	Input signal from the temperature sensors connected to the input channel pair xx and yy. Equivalence between the involved channels must be established before the interval specified with the DiscrepancyTime parameter has elapsed. Otherwise, the related diagnostic signal SafeTemperatureOKxxyy switches to SAFEFALSE. The validity of this input signal is confirmed by the related diagnostic signal SafeTemperatureOKxxyy. Depending on the results of the risk analysis you carried out for your application, the diagnostic signal must be evaluated each time the SafeTemperaturexxyy signal is used in the safety-related application. The value SAFEFALSE of the diagnostic signal indicates an invalid SafeTemperaturexxyy value. In this case, the SafeTemperaturexxyy signal must not be further used, processed, or evaluated in the safety-related application. Refer to the hazard message below this table.
Signal type	I/O signal
Data type	SAFEINT
Access type	Variable can be read by the safety-related application
Possible values	If SafeModuleOK = SAFETRUE and SafeTemperatureOKxxyy = SAFETRUE and the set discrepancy time has not elapsed without having signal equivalence (within the allowed tolerance) at the inputs involved, the following applies: The resulting temperature is mapped to the integer value range (-32,768...32,767) according the parameterized sensor type. Measured temperature = (SAFEINT value)/10. Resulting temperature = (temperature channel xx + temperature channel yy)/2. NOTE: Refer to the hardware manual of the module for details on the safety-oriented measurement precision.
Relevant module parameters	In the parameter group with the same channel number xx: TwoChannelMode SensorType DiscrepancyTime_Setn (n = 1 to 4) The related parameter descriptions can be found above in this topic.

WARNING

UNINTENDED EQUIPMENT OPERATION

Verify that the SafeTemperaturexxyy signal is only used in the safety-related application as long as the related diagnostic signals are SAFETRUE if demanded by the results of your risk analysis.

Validate the overall safety-related function with respect to the processing of input values, and thoroughly test the application.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

SafeThrSelector_0y0z_Bit1 and SafeThrSelector_0y0z_Bit2

Description	The combination of applied values for SafeThrSelector_0y0z_Bit1 and SafeThrSelector_0y0z_Bit2 specifies which parameter set is active on the module. This way, the parameter set (1 to 4) can be switched during runtime out of the in the safety-related application, thus adapting the module (measurement range/input sensitivity). Bit1 Bit2 Active on module 0 0 Parameter set 1 1 0 Parameter set 2 0 1 Parameter set 3 1 1 Parameter set 4
Signal type	Control signal
Data type	SAFEBOOL
Access	Variable can be written by the safety-related application

SafeReleasexxyy

Description	Release signal for the analog input channel pair specified by the channel identifiers xx and yy. Releasing a channel pair is required after the diagnostic status signal of the channel pair was switched to SAFEFALSE due to invalid input signals. Example: the status signal becomes SAFEFALSE if the measurement range parameterized for the input channel pair is exceeded. You must perform the following steps, in order to release a channel pair: Eliminate all module/channel or communication errors. Make sure that the analog input signal is within the valid measurement range for the channel concerned. Pause (at least one network cycle) to ensure that the safety-related input signal was processed by the module. Apply a rising edge to release the channel (pair). NOTE: If the safety-related module enters the defined safe state and SafeModuleOK = SAFEFALSE, the SafeReleasexxyy signal cannot be used to release the channel. Instead, the entire module must be restarted. Example: if input values exceed the allowed electrical maximum values as specified in the technical data of the device, the module must be restarted.
Signal type	Control signal
Data type	SAFEBOOL
Access type	Variable can be written by the safety-related application
Possible values	SAFEFALSE: analog input channel (pair) remains disabled. Edge SAFEFALSE > SAFETRUE: releases the input channel (pair) if the error is no longer present. SAFETRUE: a static SAFETRUE has no effect.