Functional description

The safety-related SF_EDM function block monitors the defined initial state and the switching behavior of contactors connected to the Safety Logic Controller.

A start-up inhibit can be specified at S_StartReset.

If the feedback signals from the connected contactors in the switching or initial states show values that are not permissible, the function block sets the S_EDM_Out output to the defined safe state (SAFEFALSE).

WARNING

NON-CONFORMANCE TO SAFETY FUNCTION REQUIREMENTS

Ensure that the contactors used correspond to the results of the risk analysis carried out in accordance with ISO 13849-1.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

If the feedback signals reflect the correct switching behavior for the contactors and the function block is activated (Activate = TRUE), and no start-up inhibit is specified, the function block receives the control signal for the contactors to be monitored at the S_OutControl input and switches the S_EDM_Out output to which the contactors are connected accordingly.

The function block executes stop category 0 at its output.

Verifying the initial state

If the connected contactors are in the initial state, the feedback signal at inputs S_EDM1 and S_EDM2 must be SAFETRUE.

The function block verifies the initial state if:

  • a SAFETRUE signal is present at the S_OutControl input. If the initial state is correct, the function block switches the S_EDM_Out output to SAFETRUE. If not, the function block outputs an error message and the S_EDM_Out output remains in the defined safe state (SAFEFALSE).

  • a SAFEFALSE signal is present at the S_OutControl input when the function block is activated and the start-up inhibit has been removed. If, after the time set at MonitoringTime has elapsed, the feedback signals S_EDM1 and S_EDM2 do not report the initial state, the function block detects an error.

Verifying the switching behavior

Once the S_EDM_Out output switches to SAFETRUE, the feedback signal at the S_EDM1 and S_EDM2 inputs must become SAFEFALSE within the permissible response time specified at MonitoringTime. Otherwise, the function block outputs an error message (output Error = TRUE) and the S_EDM_Out output switches to the defined safe state SAFEFALSE.

If the S_EDM_Out output switches from SAFETRUE to SAFEFALSE, the switching operation is also monitored. The feedback signal at the S_EDM1 and S_EDM2 inputs must become SAFETRUE within the permissible response time set via MonitoringTime.

Start-up inhibit (S_StartReset)

S_StartReset is used to specify the start-up inhibit after activating the function block and/or starting the Safety Logic Controller.

S_StartReset = SAFEFALSE

After the Safety Logic Controller has been started up and/or the function block has been activated at input Activate, the start-up inhibit is active. The start-up inhibit is only removed if there is a positive signal edge at the Reset input.

Refer to the first hazard message below this table.

S_StartReset = SAFETRUE

After the Safety Logic Controller has been started up and/or the function block has been activated at input Activate, no start-up inhibit is specified.

Refer to the second hazard message below this table.

Removing the start-up inhibit by means of a positive signal edge at the Reset input can cause the S_EDM_Out output to switch to SAFETRUE immediately (depending on the status of the other inputs).

WARNING

UNINTENDED START-UP

  • Verify the impact of removing the start-up inhibit by means of a positive signal edge at the Reset input.

  • Make certain that appropriate procedures and measures (according to applicable sector standards) have been taken to help avoid hazardous situations when removing the start-up inhibit.

  • Do not enter the zone of operation when removing the start-up inhibit.

  • Ensure that no other persons can access the zone of operation when removing the start-up inhibit.

  • Use appropriate safety interlocks where personnel and/or equipment hazards exist.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

WARNING

NON-CONFORMANCE TO SAFETY FUNCTION REQUIREMENTS

  • Verify the impact of a deactivated start-up inhibit (S_StartReset = SAFETRUE) on your machine or process prior to implementation.

  • Observe the regulations given by relevant sector standards regarding the start-up inhibit.

  • Verify that a suitable start-up inhibit is in place at another location or using other means if the start-up inhibit is deactivated by setting S_StartReset = SAFETRUE.

Failure to follow these instructions can result in death, serious injury, or equipment damage.
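
The initial-state check, switching-behavior monitoring and start-up inhibit described above can be traced with a small cycle-based model. This is an added example, not the function block's actual implementation: the class EdmModel, its scan method and the welded_contactor_demo sequence are hypothetical, Activate is assumed TRUE, MonitoringTime is counted in scan cycles, and a detected error stays latched.

```python
class EdmModel:
    # Simplified model (assumption, not vendor code): Activate = TRUE,
    # MonitoringTime in scan cycles, errors latched without acknowledgement.
    def __init__(self, monitoring_cycles, s_start_reset=False):
        self.monitoring_cycles = monitoring_cycles
        self.inhibit = not s_start_reset  # SAFEFALSE -> start-up inhibit active
        self.out = False                  # S_EDM_Out
        self.error = False                # Error
        self.timer = 0                    # cycles the feedback has disagreed
        self.prev_reset = False

    def scan(self, s_out_control, s_edm1, s_edm2, reset=False):
        if reset and not self.prev_reset:
            self.inhibit = False          # positive signal edge at Reset
        self.prev_reset = reset
        if self.inhibit or self.error:
            self.out = False
            return self.out
        # Feedback is SAFETRUE in the initial state, SAFEFALSE while switched on.
        expected = not self.out
        if s_edm1 == expected and s_edm2 == expected:
            self.timer = 0
        else:
            self.timer += 1
            if self.timer > self.monitoring_cycles:
                self.error, self.out = True, False
                return self.out
        if s_out_control and not self.out:
            if s_edm1 and s_edm2:         # initial state verified, switch on
                self.out, self.timer = True, 0
            else:                         # not permissible: error, stay off
                self.error = True
        elif not s_out_control and self.out:
            self.out, self.timer = False, 0
        return self.out


def welded_contactor_demo():
    """Constructed sequence: contactor 2 welds, S_EDM2 never returns to SAFETRUE."""
    edm = EdmModel(monitoring_cycles=2, s_start_reset=True)
    edm.scan(True, True, True)            # switch on from a verified initial state
    edm.scan(True, False, False)          # both feedbacks change in time
    for _ in range(4):                    # switch off; S_EDM2 stays SAFEFALSE
        edm.scan(False, True, False)
    return edm.out, edm.error


if __name__ == "__main__":
    print(welded_contactor_demo())
```
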

Single-channel or two-channel applications

Depending on the risk analysis and the resulting safety requirements for an application, the contactors must be controlled on either a single-channel or two-channel basis.

Examples of this type of application can be found in the overview for this function block and in the topic titled "Additional application examples".

Single-channel application with state monitoring of the connected contactor

If only one feedback signal is used, this must be connected in parallel to both inputs S_EDM1 and S_EDM2. An example of this type of application can be found at the end of the overview for this function block.

Two-channel application with state monitoring of the connected contactors

Diagnostics for the connected contactors can be performed on a channel-specific basis by having separate feedback signals from the two contactors to be monitored at the inputs S_EDM1 and S_EDM2. Having two feedback signals also makes it possible for the function block to detect errors on the connected I/O devices (for example, feedback contact disconnected from the contactor or bridged).

When implementing a single feedback signal from the contactors to be monitored, the two contacts must be connected in series. The signal resulting from this series connection is then connected in parallel to both inputs S_EDM1 and S_EDM2. It is not possible to perform channel-specific diagnostics for the connected contactors in such cases. Similarly, it is not possible for the function block to detect errors on the connected I/O devices (for example, feedback contact disconnected from the contactor or bridged).

An example of this type of application can be found in the topic entitled "Additional application examples".

WARNING

NON-CONFORMANCE TO SAFETY FUNCTION REQUIREMENTS

Ensure that the contactors used correspond to the results of the risk analysis carried out in accordance with ISO 13849-1.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

NOTE:

If this function block is being used for diagnostics, the contactor must have an auxiliary contact. To ensure clear diagnostics, this auxiliary contact must have a positively-driven connection to the load contacts.