The following description is valid for the function block SF_TestableSafetySensor_V1_0z, Version 1.0z (where z = 0 to 9).
Short description
The safety-related SF_TestableSafetySensor function block evaluates the status of connected optoelectronic safety equipment (e.g., light curtain). The function block additionally has a test function for verifying the connected safety equipment.
NOTE: The safety equipment is referred to as a safety-related sensor in this documentation.
NOTE: The safety-related sensor connected to the function block must meet the requirements of type 2 ESPE (Electro-Sensitive Protective Equipment) as stipulated by IEC 61496-1. This concerns the ability of a safety-related sensor to support a test function.
NOTE: Since the safety equipment to be connected belongs to type 2, Cat. 2 is the highest category that can be achieved.
Function block inputs
| Name | Short description | Value |
|---|---|---|
| Activate | State-controlled input for activating the function block. Data type: BOOL. Initial value: FALSE | |
| S_OSSD_In | State-controlled input for the status of the connected safety-related sensor. Data type: SAFEBOOL. Initial value: SAFEFALSE | |
| StartTest | Edge-triggered input for requesting the start of the sensor test. Data type: BOOL. Initial value: FALSE | NOTE: The S_OSSD_Out output remains SAFETRUE while the test is being carried out. |
| TestTime | Input for specifying the maximum response time for the signal changes of the individual test phases between the S_TestOut output and the S_OSSD_In input during the safety-related sensor test. Data type: TIME. Initial value: #10ms | NOTE: The maximum permissible response time is 150 ms. Enter a time value according to your risk analysis. Refer to the first hazard message below this table. |
| NoExternalTest | State-controlled input for specifying a required manual sensor test in the event of an error during the automatic sensor test phases. Data type: BOOL. Initial value: FALSE | |
| S_StartReset | State-controlled input for specifying the start-up inhibit after the Safety Logic Controller has been started up or the function block has been activated. An active start-up inhibit must be removed manually by means of a positive signal edge at the Reset input. A deactivated start-up inhibit causes the S_OSSD_Out output to switch to SAFETRUE automatically when the function block is activated and the safety-related function is not requested. Data type: SAFEBOOL. Initial value: SAFEFALSE. Refer to the second hazard message below this table. | |
| S_AutoReset | State-controlled input for specifying the restart inhibit after the SAFETRUE signal has returned at the S_OSSD_In input (i.e., the light beam of the safety-related sensor is no longer interrupted). Data type: SAFEBOOL. Initial value: SAFEFALSE. An active restart inhibit must be removed manually by means of a positive signal edge at the Reset input. A deactivated restart inhibit causes the S_OSSD_Out output to switch to SAFETRUE automatically when the function block is activated and the safety-related function is no longer requested. Refer to the second hazard message below this table. | |
| Reset | Edge-triggered input for the reset signal. Refer to the third hazard message below this table. Data type: BOOL. Initial value: FALSE. NOTE: Resetting does not occur with a negative (falling) edge, as specified by standard EN ISO 13849-1, but with a positive (rising) edge. | |

WARNING
NON-CONFORMANCE TO SAFETY FUNCTION REQUIREMENTS
Verify that the time value set at TestTime corresponds to your risk analysis.
Be sure that your risk analysis includes an evaluation for incorrectly setting the time value for the TestTime parameter.
Validate the overall safety-related function with regard to the set TestTime value and thoroughly test the application.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
The start-up inhibit and/or restart inhibit must only be deactivated if it is certain that starting up the machine/system will not lead to a hazardous situation or that a suitable start-up inhibit is in place at another location or using other means.
WARNING
NON-CONFORMANCE TO SAFETY FUNCTION REQUIREMENTS
Verify the impact of a deactivated start-up inhibit (S_StartReset = SAFETRUE) and/or restart inhibit (S_AutoReset = SAFETRUE) on your machine or process prior to implementation.
Observe the regulations given by relevant sector standards regarding the start-up/restart inhibit.
Verify that a suitable start-up inhibit is in place at another location or using other means.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
Resetting the function block by means of a positive signal edge at the Reset input can cause the S_OSSD_Out output to switch to SAFETRUE immediately (depending on the status of the other inputs).
WARNING
UNINTENDED START-UP
Include in your risk analysis the impact of the reset by means of a positive signal edge at the Reset input.
Make certain that appropriate procedures and measures (according to applicable sector standards) have been established to help avoid hazardous situations when resetting.
Do not enter the zone of operation when resetting.
Ensure that no other persons can access the zone of operation when resetting.
Use appropriate safety interlocks where personnel and/or equipment hazards exist.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
Function block outputs
| Name | Short description | Value |
|---|---|---|
| Ready | Output for signaling "Function block activated/not activated". Data type: BOOL | |
| S_OSSD_Out | Output for enable signal of the function block. Data type: SAFEBOOL | |
| S_TestOut | Output for the signal for controlling the test input of the connected type 2 safety-related sensor. Data type: SAFEBOOL | |
| TestPossible | Output for signaling whether an automatic sensor test is possible. Data type: BOOL | |
| TestExecuted | Output for signaling the status of the sensor test. Data type: BOOL. NOTE: The enable signal at the S_OSSD_Out output can be SAFETRUE even if there is no TRUE signal at TestExecuted. The automatic test has to be performed with positive results for the safety-related sensor to function correctly. | |
| Error | Output for error message. Data type: BOOL | NOTE: The S_TestOut output also remains SAFETRUE during an error message. |
| DiagCode | Output for diagnostic message. Data type: WORD | Diagnostic message of the function block. The possible values are listed and described in the topic "Diagnostic codes". |

Signal sequence diagram
This diagram is based on a typical method of connecting the safety-related SF_TestableSafetySensor function block. The following assumptions apply:
S_StartReset = SAFEFALSE: Start-up inhibit after the function block has been activated and the Safety Logic Controller has started up.
S_AutoReset = SAFEFALSE: Restart inhibit if the safety light beam of the sensor is no longer interrupted (SAFETRUE signal returns at the S_OSSD_In input).
NoExternalTest = TRUE: No additional manual sensor test is required in the event of an error occurring during the sensor test phases performed by the function block.
NOTE:
The other signal sequence diagram can be taken into account.
NOTE:
The signal sequence diagrams in this documentation possibly omit particular diagnostic codes. For example, a diagnostic code is possibly not shown if the related function block state is a temporary transition state and only active for one cycle of the Safety Logic Controller.
Only typical input signal combinations are illustrated. Other signal combinations are possible.
| No. | Description |
|---|---|
| (1) | Sensor test with two test phases: Phase 1 and phase 2 |
| 0 | The function block is not yet activated (Activate = FALSE). |
| 1 | The function block is activated (Activate = TRUE). Even though at the time of function block activation, the S_OSSD_In input (status of the connected sensor) is SAFETRUE, the S_OSSD_Out output remains SAFEFALSE, as a start-up inhibit (S_StartReset = SAFEFALSE) is specified. As there is no active sensor test, the S_TestOut output is SAFETRUE. The TestPossible output remains FALSE as the active start-up inhibit means sensor tests are not possible. |
| 2 | The start-up inhibit is removed by a positive edge at the Reset input. Since input S_OSSD_In = SAFETRUE (the light beam of the connected sensor is not interrupted), the S_OSSD_Out output switches to SAFETRUE: The sensor does not request a safety-related function (e.g., shutdown). It also becomes possible to perform sensor tests when the start-up inhibit is removed (TestPossible output becomes TRUE). |
| 3 | The sensor test starts with sensor test phase 1 when there is a positive edge at the StartTest input. The S_OSSD_Out output remains SAFETRUE during the sensor test to avoid interrupting operation. The S_TestOut output becomes SAFEFALSE to start the test for the connected sensor. The TestPossible output is FALSE during the active test, as two sensor tests cannot be performed at the same time. |
| 4 | The connected sensor reports the SAFEFALSE state at the S_OSSD_In input within the set monitoring time TestTime. This is in line with correct behavior. As a result, the S_OSSD_Out output remains SAFETRUE and no error message is output (the Error output remains FALSE). The switch from SAFETRUE to SAFEFALSE at the S_OSSD_In input starts the second monitoring timer TestTime (2). Phase 2 of the sensor test is now active, which means that the S_TestOut output switches back to SAFETRUE. As before, the enable output is SAFETRUE (normal operation). |
| 5 | The connected sensor reports the SAFETRUE state again at the S_OSSD_In input within the set monitoring time TestTime. This is in line with correct behavior. The function test has now been successfully completed, which means that the sensor is functioning correctly. The TestExecuted output is switched to TRUE as a result. The S_OSSD_Out output also remains SAFETRUE, as the light beam of the sensor is not interrupted (no shutdown required). |
| 6 | The light beam of the sensor is interrupted, the S_OSSD_In input becomes SAFEFALSE. The S_OSSD_Out output immediately switches to SAFEFALSE. This also causes the TestPossible output to become FALSE, as sensor tests are not permitted under these circumstances. |
| 7 | Although the safety-related function request is reset once more (the S_OSSD_In input is SAFETRUE again), the S_OSSD_Out enable output and TestPossible output remain FALSE, as the restart inhibit has been specified at S_AutoReset = SAFEFALSE. |
| 8 | Pressing the connected reset button creates a positive edge at the Reset input. This removes the restart inhibit. Since the connected light beam of the sensor is not interrupted (S_OSSD_In = SAFETRUE), the S_OSSD_Out output switches to SAFETRUE. The TestPossible output also becomes TRUE, thereby signaling that a new sensor test can be requested. |

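
Steps 0 to 8 of the sequence above as a small executable model, added here for illustration; it is not the function block's implementation and not code from the original documentation. The class name, state names and cycle-based timing are hypothetical, and the behavior after a TestTime timeout (latched error with the enable output dropped) is an assumption.

```python
# Simplified model of the signal sequence (S_StartReset = S_AutoReset = SAFEFALSE).
class SensorModel:
    def __init__(self, test_time_ms=10):
        self.test_time_ms = test_time_ms
        self.state, self.timer = "IDLE", 0
        self.prev_reset = self.prev_start = False
        self.test_executed = self.error = False

    def cycle(self, activate, ossd_in, start_test=False, reset=False, dt_ms=1):
        reset_edge = reset and not self.prev_reset      # Reset is edge-triggered
        start_edge = start_test and not self.prev_start  # StartTest is edge-triggered
        if not activate:
            self.__init__(self.test_time_ms)            # step 0: block not activated
        elif self.state == "IDLE":
            self.state = "INHIBIT"                      # step 1: start-up inhibit
        elif self.state == "INHIBIT":
            if reset_edge and ossd_in:
                self.state = "RUN"                      # steps 2 and 8: inhibit removed
        elif self.state == "RUN":
            if not ossd_in:
                self.state = "INHIBIT"                  # steps 6 and 7: restart inhibit
            elif start_edge:
                self.state, self.timer = "TEST1", 0     # step 3: test phase 1
        elif self.state in ("TEST1", "TEST2"):
            self.timer += dt_ms
            if self.timer > self.test_time_ms:          # no response within TestTime
                self.state, self.error = "ERROR", True  # assumption: latched error
            elif self.state == "TEST1" and not ossd_in:
                self.state, self.timer = "TEST2", 0     # step 4: test phase 2
            elif self.state == "TEST2" and ossd_in:
                self.state, self.test_executed = "RUN", True  # step 5: test passed
        self.prev_reset, self.prev_start = reset, start_test
        return {
            "S_OSSD_Out": self.state in ("RUN", "TEST1", "TEST2"),
            "S_TestOut": self.state != "TEST1",
            "TestPossible": self.state == "RUN",
            "TestExecuted": self.test_executed,
            "Error": self.error,
        }

SEQUENCE = [  # constructed inputs for steps 0-8: (activate, ossd_in, start_test, reset)
    (False, True, False, False), (True, True, False, False), (True, True, False, True),
    (True, True, True, False), (True, False, False, False), (True, True, False, False),
    (True, False, False, False), (True, True, False, False), (True, True, False, True),
]

def run_sequence(model=None):
    """Return the model outputs for each step of the sequence table."""
    model = model or SensorModel()
    return [model.cycle(*step) for step in SEQUENCE]
```
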
Application example
The following figure shows how a light curtain is connected to the safety-related SF_TestableSafetySensor function block using a single-channel arrangement.
The test signal (start/stop of the sensor test) is output to the sensor at output O0 of the Safety Logic Controller. The status signal of the sensor is connected to input I0 of the safety-related input device SDI 1.
Further Information
The description and notes for this application example must also be taken into account.
NOTE:
The enable output S_OSSD_Out of the SF_TestableSafetySensor function block is directly connected to a global I/O variable or to an output terminal of the application via additional safety-related functions/function blocks.
The function block output TestPossible signals whether a test is possible and the TestExecuted output indicates whether the test was performed successfully or is currently in progress. Both outputs are connected to standard variables and can thus be processed in the higher-level standard controller.
| Item | Description |
|---|---|
| S1 | Start test |
| S2 | Reset |
| B1 | ESPE - optoelectronic sensor |
| B1S | Emitter |
| B1E | Receiver |
| | See note above the illustration. |