Functional description

The safety-related SF_MutingPar_2Sensor function block executes the safety-related function "parallel muting with two sensors" within an application.

To this end, it evaluates the following signals:

the signals of two muting sensors,

the status signal of the safety-related equipment (light grid),

the feedback signal from the muting lamp,

an enable signal for the muting operation

A start-up inhibit can be specified at S_StartReset.

The function block switches the enable signal at the S_AOPD_Out output in accordance with the input signals present. It executes stop category 0 at this output.

NOTE:

The signal at the S_AOPD_Out output is the enable signal for the entire process. In order to process the enable or, equally, the request for the defined safe state in the functional safety system, the signal must be used in the safety logic in such a way that a SAFEFALSE signal at the S_AOPD_Out output stops the zone of operation from being used.

Muting operation

The overall muting operation is divided into different muting sequences.

Protecting the zone of operation.

The safety-related equipment is active when muting is not active: If the function block does not detect an active muting operation at the muting inputs, a SAFEFALSE signal from the light grid ("object detected") leads to the defined safe state SAFEFALSE at the S_AOPD_Out output (e.g., "stop machine").
Activating the muting operation.

The safety-related equipment is deactivated: If the state of the muting sensors changes from SAFEFALSE to SAFETRUE within the discrepancy time set at DiscTimeEntry (because both sensors detect an object which is permissible for the muting operation, for example), the muting operation is activated and the safety-related equipment deactivated.
Muting operation is active.

The safety-related equipment is deactivated for as long as the muting operation is active (because both sensors detect an object which is permissible for the muting operation, for example). A SAFEFALSE signal from the light grid ("object detected") does in this case not cause the S_AOPD_Out output to switch to the defined safe state SAFEFALSE (e.g., "stop machine"). The muting operation must be completed within the maximum muting time set at MaxMutingTime. If it is not, the S_AOPD_Out output switches to the defined safe state SAFEFALSE (e.g., "stop machine").
Completing the muting operation.

The safety-related equipment is active again. The muting operation is complete as soon as a muting sensor switches from SAFETRUE to SAFEFALSE (i.e., no object is detected any longer within the detection area). The safety-related equipment is reactivated at the same time when the S_MutingActive output switches to SAFEFALSE.

Example of a muting operation

The graphic below shows an example of a muting operation.

NOTE:

The sensor beams can also be interrupted in a different sequence.

NOTE:

In the graphic, only the values of the inputs and outputs which are relevant for this illustration are given.

Explanatory notes:

MS_11: Muting sensor 1 (top), connected to the S_MutingSwitch11 function block input.

MS_12: Muting sensor 2 (bottom), connected to the S_MutingSwitch12 function block input.

Signaling unit (e.g., lamp) "muting active", controlled via function block output S_MutingActive.

S/R: safety-related equipment (e.g., light grid), consisting of a transmitter (S) and a receiver (R), connected to function block input S_AOPD_In. The function of this safety-related equipment is deactivated/activated by means of the muting operation.

	The light beams of the two muting sensors are not interrupted. The muting operation is not (yet) active.
	The light beam of the top muting sensor is interrupted by an object. This initiates the muting operation. The DiscTimeEntry timer starts (measures the discrepancy time). The MaxMutingTime timer starts (measures the duration of the muting operation).
	The light beam of the first muting sensor remains interrupted. The light beam of the second muting sensor is also interrupted. This happens within the time specified at DiscTimeEntry (DiscTimeEntry timer stops). Muting is active (S_MutingActive switches to SAFETRUE). The MaxMutingTime timer continues to run. In this state the safety-related equipment is not active, i.e., SAFEFALSE at S_AOPD_In does not lead to SAFEFALSE at S_AOPD_Out.
	The object has now passed the safety-related equipment (e.g., light grid). The light beam of one of the muting sensors is no longer interrupted (S_MutingSwitch12 is SAFEFALSE again) which causes S_MutingActive to switch back to SAFEFALSE: Muting is inactive. The change from SAFETRUE to SAFEFALSE at input S_MutingSwitch12 stops the MaxMutingTime time measurement. As the muting operation has been completed within the time interval specified at MaxMutingTime, the S_AOPD_Out output remains SAFETRUE and no error is detected (Error remains FALSE). In this state the safety-related equipment is active again, i.e., SAFEFALSE at S_AOPD_In leads to SAFEFALSE at S_AOPD_Out.

Invalid muting sequences

Invalid states at the muting sensors are detected as errors (Error = TRUE). In the event of an error, the S_AOPD_Out output always switches to the defined safe state (S_AOPD_Out = SAFEFALSE).

Start-up inhibit (S_StartReset)

S_StartReset is used to specify the start-up inhibit after activating the function block and/or starting the Safety Logic Controller.

S_StartReset = SAFEFALSE

After the Safety Logic Controller has been started up and/or the function block has been activated at input Activate, the start-up inhibit is active. The start-up inhibit is only removed if there is a positive signal edge at the Reset input.

Refer to the first hazard message below this table.

S_StartReset = SAFETRUE

After the Safety Logic Controller has been started up and/or the function block has been activated at input Activate, no start-up inhibit is active.

Refer to the second hazard message below this table.

Removing the start-up inhibit by means of a positive signal edge at the Reset input can cause the S_AOPD_Out output to switch to SAFETRUE immediately (depending on the status of the other inputs).

WARNING

UNINTENDED START-UP

Verify the impact of removing the start-up inhibit by means of a positive signal edge at the Reset input.

Make certain that appropriate procedures and measures (according to applicable sector standards) have been taken to help avoid hazardous situations when removing the start-up inhibit.

Do not enter the zone of operation when removing the start-up inhibit.

Ensure that no other persons can access the zone of operation when removing the start-up inhibit.

Use appropriate safety interlocks where personnel and/or equipment hazards exist.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

WARNING

NON-CONFORMANCE TO SAFETY FUNCTION REQUIREMENTS

Verify the impact of a deactivated start-up inhibit (S_StartReset = SAFETRUE) on your machine or process prior to implementation.

Observe the regulations given by relevant sector standards regarding the start-up inhibit.

Verify that a suitable start-up inhibit is in place at another location or using other means if the start-up inhibit is deactivated by setting S_StartReset = SAFETRUE.

Failure to follow these instructions can result in death, serious injury, or equipment damage.