Functional description

The safety-related SF_OutControl function block with its safety-related S_OutControl output controls the output of a safety-related device and executes stop category 0 when requested. A start-up inhibit can be specified via S_StartReset and a restart inhibit via S_AutoReset.

The S_OutControl output is controlled depending on a signal from the standard controller (operation start/stop) and a safety-related signal from the monitoring of a safety-related function. The safety-related signal typically originates from an upstream safety-related function, e.g., the enable signal of a SF_EmergencyStop function block.

Optional additional operation stop with safety-related function triggered

Depending on the setting at the StaticControl input, an operation stop of the standard controller is additionally required once the upstream safety-related function has triggered and/or before the function block has been activated. For this purpose, the signal from the standard controller is monitored at the ProcessControl function block input. The start of operation and running operation are only possible with this option when the function block is activated and no request for the safety-related function is detected at S_SafeControl.

If an additional operation stop of the standard controller is required by the setting StaticControl = FALSE, the ProcessControl input is evaluated edge-triggered. The function block thus expects a positive edge (FALSE > TRUE) at ProcessControl when the request for the safety-related function is removed or the function block has been activated. In this case the function block considers a permanent TRUE signal at ProcessControl as an error.

In the event of an error, first switch ProcessControl to FALSE in order to reset the error. Note that no explicit reset signal is required. Now switch ProcessControl to TRUE, and depending on the other inputs, the S_OutControl enable signal switches to SAFETRUE.

NOTE:

In practice, StaticControl = FALSE means a type of "additional start-up inhibit": By signaling an operation stop and subsequent start of operation at ProcessControl, the user must explicitly acknowledge this also in the standard controller.

No optional additional operation stop with safety-related function triggered

If no additional operation stop is specified by the setting StaticControl = TRUE, the ProcessControl input is evaluated state-controlled. The TRUE signal at ProcessControl which is permanently present in normal operation does not result in an error when the request for the safety-related function is removed and the function block has been activated.

Only set the StaticControl input to TRUE if it is certain that starting up the machine/system will not lead to a hazardous situation or that a suitable start-up inhibit is in place at another location or using other means.

 WARNING

NON-CONFORMANCE TO SAFETY FUNCTION REQUIREMENTS

  • Verify the impact of an additional operation stop (StaticControl = TRUE) on your machine or process prior to implementation.

  • Observe the regulations given by relevant sector standards regarding the start-up inhibit.

  • Verify that a suitable start-up inhibit is in place at another location or using other means if the start-up inhibit is deactivated by setting S_StartReset = SAFETRUE.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

Backreadable outputs: Control at SF_EDM

The function block may only directly control a subsequent safety-related output in the application in case of non-backreadable device outputs. An application example for this can be found in the overview for this function block.

In case of backreadable outputs, you must connect the S_OutControl enable output with the safety-related output in the application via the SF_EDM function block. Refer to the second application example.

Start-up inhibit (S_StartReset)

S_StartReset is used to specify the start-up inhibit after activating the function block and/or starting the Safety Logic Controller.

S_StartReset = SAFEFALSE

After the Safety Logic Controller has been started up and/or the function block has been activated at the Activate input, the start-up inhibit is active. The start-up inhibit is only removed if there is a positive signal edge at the Reset input.

Refer to the first hazard message below this table.

S_StartReset = SAFETRUE

After the Safety Logic Controller has been started up and/or after the function block has been activated at the Activate input, no start-up inhibit is active.

Refer to the section "Attention when using ...".

Removing the start-up inhibit by means of a positive signal edge at the Reset input can cause the S_OutControl output to switch to SAFETRUE immediately (depending on the status of the other inputs).

 WARNING

UNINTENDED START-UP

  • Verify the impact of removing the start-up inhibit by means of a positive signal edge at the Reset input.

  • Make certain that appropriate procedures and measures (according to applicable sector standards) have been taken to help avoid hazardous situations when removing the start-up inhibit.

  • Do not enter the zone of operation when removing the start-up inhibit.

  • Ensure that no other persons can access the zone of operation when removing the start-up inhibit.

  • Use appropriate safety interlocks where personnel and/or equipment hazards exist.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

Restart inhibit (S_AutoReset)

S_AutoReset is used to specify the restart inhibit that applies once the request for the safety-related function has been removed.

S_AutoReset = SAFEFALSE

Once the request for the safety-related function has been removed, the restart inhibit is active. The restart inhibit is only removed when there is a positive signal edge at the Reset input.

Refer to the first hazard message below this table.

S_AutoReset = SAFETRUE

The restart inhibit is not specified. As soon as the request for the safety-related function is removed and the SAFETRUE value is present again at the S_SafeControl input, the S_OutControl output can switch to SAFETRUE.

Refer to the section "Attention when using ...".

Removing the restart inhibit by means of a positive signal edge at the Reset input can cause the S_OutControl output to switch to SAFETRUE immediately (depending on the status of the other inputs).

 WARNING

UNINTENDED START-UP

  • Verify the impact of removing the restart inhibit by means of a positive signal edge at the Reset input.

  • Make certain that appropriate procedures and measures (according to applicable sector standards) have been taken to help avoid hazardous situations when removing the restart inhibit.

  • Do not enter the zone of operation when removing the restart inhibit.

  • Ensure that no other persons can access the zone of operation when removing the restart inhibit.

  • Use appropriate safety interlocks where personnel and/or equipment hazards exist.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

Attention when using S_AutoReset = SAFETRUE and/or S_StartReset = SAFETRUE

The start-up inhibit and/or restart inhibit must only be deactivated if it is certain that starting up/restarting the machine/system will not lead to a hazardous situation or that a suitable start-up/restart inhibit is in place at another location or using other means.

 WARNING

NON-CONFORMANCE TO SAFETY FUNCTION REQUIREMENTS

  • Verify the impact of a deactivated start-up inhibit (S_StartReset = SAFETRUE) and/or restart inhibit (S_AutoReset = SAFETRUE) on your machine or process prior to implementation.

  • Observe the regulations given by relevant sector standards regarding the start-up/restart inhibit.

  • Verify that a suitable start-up inhibit is in place at another location or using other means.

Failure to follow these instructions can result in death, serious injury, or equipment damage.
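
The interaction of StaticControl, S_StartReset and S_AutoReset described above can be checked cycle by cycle with a small behavioural model. This is an added example, not the vendor's implementation: the class OutControlModel, its state names and the helper run are hypothetical, SAFETRUE/SAFEFALSE are modelled as True/False, and diagnostic outputs are left out.

```python
from dataclasses import dataclass
@dataclass
class OutControlModel:
    """Simplified model of the text above, not the vendor's implementation."""
    static_control: bool = False   # StaticControl
    s_start_reset: bool = False    # S_StartReset (False models SAFEFALSE)
    s_auto_reset: bool = False     # S_AutoReset
    state: str = "IDLE"            # state names are hypothetical
    inhibit: bool = False          # start-up or restart inhibit pending
    prev_reset: bool = False
    prev_pc: bool = False

    def step(self, activate, s_safe_control, process_control, reset):
        """Evaluate one cycle; returns S_OutControl (True models SAFETRUE)."""
        reset_edge = reset and not self.prev_reset
        pc_edge = process_control and not self.prev_pc
        self.prev_reset, self.prev_pc = reset, process_control
        if not activate:
            self.state = "IDLE"
            return False
        if self.state == "IDLE":                    # block has just been activated
            self.inhibit = not self.s_start_reset   # start-up inhibit
            self.state = "LOCKED"
        if not s_safe_control:                      # safety-related function requested
            self.inhibit = self.inhibit or not self.s_auto_reset  # restart inhibit
            self.state = "SAFE"
            return False
        if self.inhibit and not reset_edge:         # only a Reset edge lifts it
            self.state = "LOCKED"
            return False
        self.inhibit = False
        if self.static_control:                     # ProcessControl state-controlled
            self.state = "ENABLED" if process_control else "DISABLED"
        elif self.state in ("SAFE", "LOCKED"):      # release: positive edge expected
            self.state = "ERROR" if process_control and not pc_edge else "DISABLED"
        elif self.state == "ERROR" and not process_control:
            self.state = "DISABLED"                 # FALSE at ProcessControl clears it
        if self.state == "DISABLED" and pc_edge:
            self.state = "ENABLED"
        elif self.state == "ENABLED" and not process_control:
            self.state = "DISABLED"
        return self.state == "ENABLED"

def run(model, cycles):  # cycles: (Activate, S_SafeControl, ProcessControl, Reset)
    return [model.step(*c) for c in cycles]

# Constructed input (1/0 = TRUE/FALSE): ProcessControl held TRUE around each Reset.
HELD = [(1, 1, 1, 0), (1, 1, 1, 1), (1, 1, 0, 0), (1, 1, 1, 0),
        (1, 0, 1, 0), (1, 1, 1, 0), (1, 1, 1, 1)]
```

With the default settings, run(OutControlModel(), HELD) enables the output only after ProcessControl has been switched to FALSE and back to TRUE; with StaticControl = TRUE the same sequence enables it directly on each Reset edge.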