Masafety X20SC2212 Eng - V1141

This document provides information about the X20(c)SC2212 safe digital input/output module. It has 6 safe digital inputs with configurable software filters and 6 pulse outputs for sensor line diagnostics. It also has 2 safe digital outputs of type B with 0.5A capacity each. The module uses openSAFETY for safe data transfer and can be used in safety applications up to PL e or SIL 3. It is designed for use with X20 16-pin terminal blocks.


X20(c)SC2212

Information:
B&R makes every effort to keep data sheets as current as possible. From a safety point of view, however, the current version of the data sheet must always be used.
The certified, currently valid data sheet can be downloaded from the B&R website www.br-automation.com.

Organization of notices
Safety notices
Contain only information that warns of dangerous functions or situations.
Signal word Description
Danger! Failure to observe these safety guidelines and notices will result in death, severe injury or substantial damage to property.
Warning! Failure to observe these safety guidelines and notices can result in death, severe injury or substantial damage to property.
Caution! Failure to observe these safety guidelines and notices can result in minor injury or damage to property.
Notice! Failure to observe these safety guidelines and notices can result in damage to property.

Table 1: Organization of safety notices

General notices
Contain useful information for users and instructions for avoiding malfunctions.
Signal word Description
Information: Useful information, application tips and instructions for avoiding malfunctions.

Table 2: Organization of general notices

1 General information
The modules are equipped with 6 safe digital inputs and 2 safe digital outputs. They are designed for a nominal
voltage of 24 VDC.
The modules can be used to read in digital signals and control actuators in safety-related applications up to PL
e or SIL 3.
The modules are equipped with filters that are individually configurable for switch-on and switch-off behavior. The
modules also provide pulse signals for diagnosing the sensor line.
The outputs are designed using semiconductor technology so that the safety-related characteristics do not depend
on the number of switching cycles. The "high-side high-side" variant (output type B) is required for actuators with
reference potential (e.g. enable inputs on frequency inverters). It is important to observe the special notices for
the wiring in this case. Safe digital output modules are equipped with protection against automatic restart in the
event of network errors.
These modules are designed for X20 16-pin terminal blocks.
• 6 safe digital inputs, sink circuit
• 6 pulse outputs
• Software input filter configurable for each channel
• 2 safe digital outputs, output type B with 0.5 A, source circuit
• Integrated output protection

Data sheet V1.141 X20(c)SC2212 Translation of the original documentation 1



1.1 Function

Safe digital inputs


The module is equipped with safe digital input channels. It can be flexibly used for a wide range of tasks involving
the reading of digital signals in safety-related applications up to PL e or SIL 3.
The module is equipped with filters that are individually configurable for switch-on and switch-off behavior. Switch-
on filters are used to filter out signal disturbances. Switch-off filters are used to smooth testing gaps in external
signal sources – i.e. OSSD signals – so that unintended cutoffs can be avoided.
The input signals of signal pairs (channels 1 and 2, 3 and 4, etc.) are monitored in the module for simultaneity.
The maximum permitted discrepancy of inputs of a signal pair is configurable. Here, the signals of dual-channel
evaluation directly represent the safe signal of a 2-channel sensor, such as from an E-stop button or safety light
curtain.
The module provides pulse signals for diagnosing the sensor line. By default, each pulse signal provides a unique
pulse pattern derived from the module's serial number and pulse channel number. This allows any pulse signals
to be combined in one signal cable and still cover any cross fault combinations in the cable. The pulse check can
also be disabled to connect electronic sensors with separate line monitoring (OSSD signals).
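The switch-on/switch-off filters and the discrepancy monitoring of a signal pair described above can be modeled in a few lines; this is an added example, not B&R code and not the module's firmware logic. It assumes 1 ms sampling, a filter that accepts a level change only after it has persisted longer than the configured time, a latched discrepancy error, and constructed input traces with a 50 ms discrepancy time.

```python
"""Simplified model of a filtered two-channel safe input (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_MS = 1  # assumption: one raw sample per millisecond


@dataclass
class FilteredInput:
    """One channel with separate switch-on and switch-off filter times."""
    on_ms: int          # a high level must persist longer than this
    off_ms: int         # a low level must persist longer than this
    state: bool = False
    pending: int = 0    # how long the raw level has differed from state

    def step(self, raw: bool) -> bool:
        if raw == self.state:
            self.pending = 0
            return self.state
        self.pending += SAMPLE_MS
        limit = self.on_ms if raw else self.off_ms
        if self.pending > limit:
            self.state, self.pending = raw, 0
        return self.state


class DualChannelInput:
    """Signal pair (e.g. channels 1 and 2) monitored for simultaneity."""

    def __init__(self, on_ms: int, off_ms: int, discrepancy_ms: int):
        self.a = FilteredInput(on_ms, off_ms)
        self.b = FilteredInput(on_ms, off_ms)
        self.discrepancy_ms = discrepancy_ms
        self.differ = 0
        self.error = False  # assumption: latched until the model is rebuilt

    def step(self, raw_a: bool, raw_b: bool) -> bool:
        a, b = self.a.step(raw_a), self.b.step(raw_b)
        if a != b:
            self.differ += SAMPLE_MS
            if self.differ > self.discrepancy_ms:
                self.error = True
        else:
            self.differ = 0
        # The safe signal is only TRUE if both channels agree on TRUE.
        return a and b and not self.error


def simulate(on_ms: int, off_ms: int, discrepancy_ms: int,
             samples: List[Tuple[bool, bool]]
             ) -> Tuple[List[bool], Optional[int]]:
    """Return the safe signal per sample and the time the error was set."""
    pair = DualChannelInput(on_ms, off_ms, discrepancy_ms)
    outputs, error_at = [], None
    for t, (raw_a, raw_b) in enumerate(samples):
        outputs.append(pair.step(raw_a, raw_b))
        if pair.error and error_at is None:
            error_at = t
    return outputs, error_at


def ossd_trace(length: int = 20, gap_a: int = 5, gap_b: int = 12):
    """Constructed trace: both channels high, one 1 ms test gap each."""
    return [(t != gap_a, t != gap_b) for t in range(length)]


def stuck_channel_trace(high_ms: int = 10, total_ms: int = 110):
    """Constructed trace: channel A opens at high_ms, channel B stays high."""
    return [(t < high_ms, True) for t in range(total_ms)]


if __name__ == "__main__":
    unfiltered, _ = simulate(0, 0, 50, ossd_trace())
    filtered, _ = simulate(0, 2, 50, ossd_trace())
    print("cutoffs without switch-off filter:", unfiltered.count(False))
    print("cutoffs with 2 ms switch-off filter:", filtered.count(False))
    outputs, error_at = simulate(0, 2, 50, stuck_channel_trace())
    print("safe signal drops at ms:", outputs.index(False))
    print("discrepancy error set at ms:", error_at)
```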

Safe digital outputs


The module is equipped with safe digital output channels. It can be flexibly used for controlling actuators in safety-related applications up to PL e or SIL 3.
The outputs are designed using semiconductor technology so that the safety-related characteristics do not depend on the number of operating cycles. In order to handle all situations involving actuators, there are basically 2 different types of outputs: the high-side - low-side variant (type A) and the high-side - high-side variant (type B).
Type A outputs have safety-related advantages since the actuator can be cut off in its connection cable in all error
scenarios. Type A outputs are limited to actuators without ground potential (e.g. relays, valves). For actuators with
ground potential (e.g. enable inputs on frequency inverters), type B outputs are required. It is important to observe
the special notices for the cabling in this case.
Safe digital output channels provide protection against automatic restart when network errors occur. Function
blocks needed to fulfill additional requirements regarding protection against automatic restart are available in
SafeDESIGNER. The outputs can also be controlled by the standard application. The combination of safety-related
control and standard control is arranged such that the execution of a cutoff request always has top priority. For
diagnostic purposes, the outputs are designed to be read back.
Depending on the product, the safe digital output channels are equipped with current measurement for detecting
open circuits. This function can also be used to monitor muting lamps, for example.
The testing of the semiconductors that is necessary from a safety point of view results in what are known as
OSSD low phases in many products. The effect of this is that when an output is active (high state), a switch-off
situation (low state) occurs for a very brief amount of time. The test can be cut off if this behavior leads to problems
in the application. Observe the associated safety-related notices!

openSAFETY
This module uses the protective mechanisms of openSAFETY when transferring data to the various bus systems.
Because the data is encapsulated in the openSAFETY container in a fail-safe manner, the components on the
network that are involved in the transfer do not require any additional safety-related features. At this point, only
the safety-related characteristic values specified for openSAFETY in the technical data are to be consulted. The
data in the openSAFETY container undergoes safety-related processing only when received by the remote station; for this reason, only this component is involved from a safety point of view. Read access to the data in the openSAFETY container for applications without safety-related characteristics is permitted at any point in the network without affecting the safety-related characteristics of openSAFETY.


1.2 Coated modules

Coated modules are X20 modules with a protective coating for the electronics component. This coating protects
X20c modules from condensation.
The modules' electronics are fully compatible with the corresponding X20 modules.

Information:
For simplification purposes, only images and module IDs of uncoated modules are used in this data
sheet.
The coating has been certified according to the following standards:
• Condensation: BMW GS 95011-4, 2x 1 cycle
• Corrosive gas: EN 60068-2-60, Method 4, exposure 21 days
Contrary to the specifications for X20 system modules without safety certification and despite the tests performed,
X20 safety modules are NOT suited for applications with corrosive gases (EN 60068-2-60)!

2 Overview
Module X20SC2212
Safe digital inputs
Number of inputs 6
Nominal voltage 24 VDC
Input filter
Hardware ≤150 µs
Software Configurable between 0 and 500 ms
Input circuit Sink
Pulse outputs
Design Push-Pull
Switching voltage I/O power supply minus residual voltage
Safe digital outputs
Number of outputs 2
Nominal voltage 24 VDC
Nominal output current 0.5 A
Total nominal current 1 A
Output protection Thermal short circuit shutdown, integrated protection for switching inductive loads

Table 3: Digital mixed modules

3 Order data
Model number Short description Figure
Digital mixed modules
X20SC2212 X20 safe digital mixed module, 6 safe digital inputs, configurable input filter, 6 pulse outputs, 24 VDC, 2 safe type B1 digital outputs, 24 VDC, 0.5 A, OSSD <500 µs
X20cSC2212 X20 safe digital mixed module, coated, 6 safe digital inputs, configurable input filter, 6 pulse outputs, 24 VDC, 2 safe type B1 digital outputs, 24 VDC, 0.5 A, OSSD <500 µs
Required accessories
Bus modules
X20BM33 X20 bus module, for X20 SafeIO modules, internal I/O power
supply continuous
X20BM36 X20 bus module, for X20 SafeIO modules, with node number
switch, internal I/O power supply continuous
X20cBM33 X20 bus module, coated, for X20 SafeIO modules, internal I/O
power supply continuous
Terminal blocks
X20TB5F X20 terminal block, 16-pin, safety-keyed

Table 4: X20SC2212, X20cSC2212 - Order data


4 Technical data
Model number X20SC2212 X20cSC2212
Short description
I/O module 6 safe digital inputs, 6 pulse outputs, 24 VDC, 2 safe
type B1 digital outputs, 24 VDC, 0.5 A, OSSD <500 µs
General information
B&R ID code 0xBDA5 0xDD9D
System requirements
Automation Studio 3.0.81.15 or later 4.0.16 or later
Automation Runtime 3.00 or later V3.08 or later
SafeDESIGNER 2.70 or later 3.1.0 or later
Safety Release 1.2 or later 1.7 or later
Status indicators I/O function per channel, operating state, module status
Diagnostics
Module run/error Yes, using status LED and software
Outputs Yes, using status LED and software
Inputs Yes, using status LED and software
Blackout mode
Scope Module
Function Module function
Standalone mode No
Max. I/O cycle time 1 ms
Power consumption
Bus 0.25 W
Internal I/O 1.4 W
Electrical isolation
Channel - Bus Yes
Channel - Channel No
Certifications
CE Yes
KC Yes -
EAC Yes
UL cULus E115267
Industrial control equipment
HazLoc cCSAus 244665
Process control equipment
for hazardous locations
Class I, Division 2, Groups ABCD, T5
ATEX Zone 2, II 3G Ex nA nC IIA T5 Gc
IP20, Ta (see X20 user's manual)
FTZÚ 09 ATEX 0083X
DNV GL Temperature: A (0 - 45°C)
Humidity: B (up to 100%)
Vibration: A (0.7 g)
EMC: B (bridge and open deck)
Functional safety cULus FSPC E361559
Energy and industrial systems
Certified for functional safety
ANSI UL 1998:2013
Functional safety IEC 61508:2010, SIL 3
EN 62061:2013, SIL 3
EN ISO 13849-1:2015, Cat. 4 / PL e
IEC 61511:2004, SIL 3
Functional safety EN 50156-1:2004
Safety characteristics
EN ISO 13849-1:2015
MTTFD 2500 years
Mission time Max. 20 years
IEC 61508:2010,
IEC 61511:2004,
EN 62061:2013
PFH / PFHd
Module <1*10^-10
openSAFETY wired Negligible
openSAFETY wireless <1*10^-14 * Number of openSAFETY packets per hour
PFD <2*10^-5
Proof test interval (PT) 20 years

Safe digital inputs
EN ISO 13849-1:2015
Category Cat. 3 when using individual input channels,
Cat. 4 when using input channel pairs (e.g. SI1 and SI2) or more than 2 input channels 1)
PL PL e
DC >94%
IEC 61508:2010,
IEC 61511:2004,
EN 62061:2013
SIL CL SIL 3
SFF >90%
Safe digital outputs
EN ISO 13849-1:2015
Category Cat. 3 if parameter "Disable OSSD = Yes-ATTENTION",
Cat. 4 if parameter "Disable OSSD = No" 1)
PL PL d if parameter "Disable OSSD = Yes-ATTENTION",
PL e if parameter "Disable OSSD = No" 1)
DC >60% if parameter "Disable OSSD = Yes-ATTENTION",
>94% if parameter "Disable OSSD = No" 1)
IEC 61508:2010,
IEC 61511:2004,
EN 62061:2013
SIL CL SIL 2 if parameter "Disable OSSD = Yes-ATTENTION",
SIL 3 if parameter "Disable OSSD = No" 1)
SFF >60% if parameter "Disable OSSD = Yes-ATTENTION",
>90% if parameter "Disable OSSD = No" 1)
I/O power supply
Nominal voltage 24 VDC
Voltage range 24 VDC -15% / +20%
Integrated protection Reverse polarity protection
Safe digital inputs
Nominal voltage 24 VDC
Input characteristics per EN 61131-2 Type 1
Input filter
Hardware ≤150 μs
Software Configurable between 0 and 500 ms
Input circuit Sink
Input voltage 24 VDC -15% / +20%
Input current at 24 VDC Max. 3.28 mA
Input resistance Min. 7.33 kΩ
Error detection time 100 ms
Isolation voltage between channel and bus 500 Veff
Switching threshold
Low <5 VDC
High >15 VDC
Line length between pulse output and input Max. 60 m with unshielded line
Max. 400 m with shielded line
Safe digital outputs
Variant FET, 2x positive switching, type B1, output level readable
Nominal voltage 24 VDC
Nominal output current 0.5 A
Total nominal current 1 A
Output protection Thermal short-circuit shutdown, integrated protection for switching inductive loads 2)
Braking voltage when switching off inductive loads Max. 45 VDC
Error detection time 1 s
Isolation voltage between channel and bus 500 Veff
Peak short-circuit current Max. 12 A
Leakage current when switched off <500 µA
Residual voltage ≤300 mVDC at nominal current
Switching voltage I/O power supply minus residual voltage
Max. switching frequency 1000 Hz
Test pulse length Max. 500 µs
Max. capacitive load 100 nF
Current on loss of ground
IOUT <1 mA
IGND <180 mA
Pulse outputs
Variant Push-Pull
Nominal output current 20 mA
Output protection Shutdown of individual channels in the event of overload or short circuit 2)
Peak short-circuit current 25 A for 15 µs
Short-circuit current 100 mAeff
Leakage current when switched off 0.1 mA
Residual voltage 3 VDC

Switching voltage I/O power supply minus residual voltage
Total nominal current 120 mA
Operating conditions
Mounting orientation
Horizontal Yes
Vertical Yes
Installation elevation above sea level 0 to 2000 m, no limitation
Degree of protection per EN 60529 IP20
Ambient conditions
Temperature
Operation
Horizontal mounting orientation 0 to 60°C -40 to 60°C 3)
Vertical mounting orientation 0 to 50°C -40 to 50°C 4)
Derating See section "Derating".
Storage -40 to 85°C
Transport -40 to 85°C
Relative humidity
Operation 5 to 95%, non-condensing Up to 100%, condensing
Storage 5 to 95%, non-condensing
Transport 5 to 95%, non-condensing
Mechanical properties
Note Order 1x safety-keyed terminal block separately.
Order 1x safety-keyed bus module separately.
Spacing 25 +0.2 mm

Table 5: X20SC2212, X20cSC2212 - Technical data


1) The related danger warnings in the technical data sheet must also be observed.
2) The protective function is provided for max. 30 minutes for a continuous short circuit.
3) Up to hardware upgrade <1.10.1.0 and hardware revision <E0: -25 to 60°C
4) Up to hardware upgrade <1.10.1.0 and hardware revision <E0: -25 to 50°C

Danger!
Operation outside the technical data is not permitted and can result in dangerous states.

Information:
For detailed information about installation, see chapter "Installation notes for X20 modules" on page
50.

Derating
The derating curve refers to standard operation and can be shifted to the right by the specified derating bonus if
in a horizontal mounting orientation.
Module X20SC2212
Derating bonus
At 24 VDC +5°C
Dummy module on the left +2.5°C
Dummy module on the right +0°C
Dummy module on the left and right +5°C
With double PFH / PFHd +0°C

Table 6: Derating bonus


Inputs
The number of inputs that should be used at the same time depends on the operating temperature and the mounting
orientation. The resulting amount can be looked up in the following table.
Horizontal (0 to 60°C, coated: -40 to 60°C) Vertical (0 to 50°C, coated: -40 to 50°C)

Table 7: Derating in relation to operating temperature and mounting orientation

Outputs
The maximum total nominal current depends on the operating temperature and the mounting orientation. The
resulting total nominal current can be found in the following table.
Horizontal (0 to 60°C, coated: -40 to 60°C) Vertical (0 to 50°C, coated: -40 to 50°C)

Table 8: Derating in relation to operating temperature and mounting orientation

Information:
Regardless of the values specified in the derating curve, the module cannot be operated above the
values specified in the technical data.


5 LED status indicators


Figure LED Color Status Description
r Green Off No power to module
Single flash Reset mode
Double flash Updating firmware
Blinking PREOPERATIONAL mode
On RUN mode
e Red Off No power to module or everything OK
Pulsating Boot loader mode
Triple flash Updating safety-related firmware
On Error or I/O component not provided with voltage
e+r Red on / green single flash Invalid firmware
1 to 6 Input state of the corresponding digital input
Red On Warning/Error on an input channel
Blinking Error in dual-channel evaluation (synchronous blinking of 2 affected channels)
All on Error on all channels, connection to the SafeLOGIC controller
not OK or booting not yet completed
Green On Input set
1 to 2 Output status of the corresponding digital output
Red On Warning/Error on an output channel
All on Error on all channels, connection to the SafeLOGIC controller
not OK or booting not yet completed
Orange On Output set
SE Red Off RUN mode or I/O component not provided with voltage
1s Boot phase, missing X2X Link or defective processor

1s Safety PREOPERATIONAL state. Modules that are not used in the SafeDESIGNER application remain in the PREOPERATIONAL state.
1s Safe communication channel not OK
1s The firmware for this module is a non-certified pilot customer version.
1s Boot phase, faulty firmware
On Safety state active for the entire module (= "FailSafe" state)


The "SE" LEDs separately indicate the status of safety processor 1 ("S" LED) and safety processor 2
("E" LED).

Table 9: Status display

Danger!
Constantly lit "SE" LEDs indicate a defective module that must be replaced immediately.
It is your responsibility to ensure that all necessary repair measures are initiated after an error occurs
since subsequent errors can result in a hazard!


6 Pinout

[Figure: module front view showing LEDs r, e, SI1 to SI6, SO1, SO2 and SE, with the terminal assignment in two columns: Pulse 1 / Pulse 2, SI 1 / SI 2, Pulse 3 / Pulse 4, SI 3 / SI 4, Pulse 5 / Pulse 6, SI 5 / SI 6, SO 1 / SO 2, GND / GND]

Figure 1: X20SC2212 - Pinout


7 Connection examples
The typical connection examples in this section only represent a selection of the different wiring methods. The user
must take error detection into account in each case.

Information:
For details about connection examples (such as circuit examples, compatibility class, max. number of
supported channels, terminal assignments, etc.), see chapter Connection examples of the "Integrated
safety technology" user's manual (MASAFETY-ENG).

7.1 Module behavior when GND connection is lost

In this section and all of its subsections, the term "connection element" is to be understood as follows for the
respective system (X20, X67):
• X20: e.g. terminal block
• X67: e.g. M12, M8
A loss of GND on the module may cause current to flow from the module via the output or the GND connection
of the connection element.
If power supplies, actuators or GND connections are grounded, the user must ensure that no grounding wires or
any associated potential short circuits or open circuits will cause any additional impermissible GND connections.
The two currents IOUT and IGND are module-specific and must be taken from the technical data.

[Circuit diagram: Type B output (24 V, logic, protection, SELV supply) with current IOUT at terminal SOx and current IGND at terminal GND]

Figure 2: Module behavior when GND connection is lost

Danger!
The user is responsible for preventing any safety problems that could occur as a result of the IOUT and
IGND currents specified in the technical data and the selected method of installation.


7.1.1 GND feedback to connection element, no external GND

If the module is used in the following wiring mode, then a loss of GND will not cause any problems because current
is not able to flow via IOUT or IGND.

[Circuit diagram: Type B output (24 V, logic, protection, SELV supply) with the actuator connected between SOx and the GND terminal of the connection element]

Figure 3: GND feedback to connection element

Danger!
Other wiring methods
If another wiring method is used, the user must ensure that a safety-critical state cannot occur if there
are 2 external faults (open circuit, etc.). In addition, the current specifications for IOUT and IGND must be
taken into consideration in the event that the GND connection is lost.


7.1.2 Using external GND without GND from connection element

[Circuit diagram: Type B output (24 V, logic, protection, SELV supply) with the actuator connected between SOx and an external GND; fault locations ① and ② are marked]

Figure 4: External GND only

Fault sequence:
• Fault ① (defective protective component):
A component connected to GND on the output short circuits or behaves like an ohmic resistor. This fault
is not always detected.
• Fault ② (open circuit on module GND):
The module loses its direct connection to GND and current begins to flow through the defective protective
component → IOUT → actuator.
As a result, current above the maximum value permitted by the module is supplied to the actuator.

Danger!
This type of installation can cause hazardous situations and is therefore NOT permitted.


7.1.3 Using external GND and GND from connection element

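[Circuit diagram: Type B output (24 V, logic, protection, SELV supply) with the actuator at SOx, the GND terminal of the connection element and an external GND; fault locations ① and ② and connection Ⓐ are marked]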

Figure 5: Possible connection error

Fault sequence:
• Fault ① (open circuit on module GND):
No error is detected and the module continues to operate normally due to the additional external GND
connection.
• Fault ② (open circuit on actuator's protective circuit):
The module loses its direct connection to GND and current begins to flow through IGND → damping diode
→ actuator.
As a result, current above the maximum value permitted by the module is supplied to the actuator.

Danger!
This type of installation can cause hazardous situations and is therefore NOT permitted.

Possible remedies
This wiring method could be made possible, for example, by using two wires to complete the connection that
experienced the open circuit fault in ② → see connection Ⓐ.

Information:
The diode in the actuator shown in the "Possible connection error" image is intended only to illustrate
the error and is not mandatory.


7.2 Connecting single-channel sensors with contacts

[Wiring diagrams with terminals Pulse 1, Input 1, Pulse 2 and Input 2]

Figure 6: Connecting single-channel sensors with contacts


Single-channel sensors with contacts are the simplest connection.
With this connection, the module satisfies Category 3 requirements in accordance with EN ISO 13849-1:2015. Be
aware that this statement applies only to the module and not to the wiring shown. You are responsible for wiring
the sensor according to the required category.

7.3 Connecting two-channel sensors with contacts

[Wiring diagrams with terminals Pulse 1, Input 1, Pulse 2 and Input 2]

Figure 7: Connecting two-channel sensors with contacts


Sensors with contacts can be connected directly to a safe digital input module via two channels. Dual-channel
evaluation is handled directly by the module.
With this connection, the module satisfies Category 4 requirements in accordance with EN ISO 13849-1:2015. Be
aware that this statement applies only to the module and not to the wiring shown. You are responsible for wiring
the sensor according to the required category.


7.4 Connecting multi-channel sensors with contacts

[Wiring diagrams with terminals Pulse 1, Input 1, Pulse 2, Input 2, Pulse m and Input n]

Figure 8: Connecting multi-channel sensors with contacts


Multi-channel switches (mode selector switches, switching devices with "shift key" capability) can be connected
to multiple safe digital input modules.
If signals are evaluated internally in the module (see image to the left), the same pulse must be configured for all
of the inputs being used. If signals are evaluated across all modules (see image to the right), all of the inputs must
be configured to use an external pulse. In this type of application, pulse evaluation with the "default" pulse is not
suitable; therefore, a separate pulse signal with approx. 4 ms low-phase is available.
In this case, multi-channel evaluation must be handled in the safety application (PLCopen function block
"SF_ModeSelector"). The category achieved per EN ISO 13849-1:2015 in this way depends on the error models
of the switching element (e.g. mode selector switch) and must be examined in combination with the error detection
present in the PLCopen function block.

7.5 Connecting electronic sensors

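[Wiring diagrams: on the left, a sensor supplied with 24 VDC with one OSSD output at Input 1; on the right, a sensor supplied with 24 VDC with OSSD1 at Input 1 and OSSD2 at Input 2; terminals Pulse 1 and Pulse 2 are also shown]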

Figure 9: Connecting electronic sensors


Electronic sensors (light curtains, laser scanners, inductive sensors, etc.) can be connected directly to safe digital input modules. The switching thresholds of the input channels must be taken into account for these types of applications.
With single-channel wiring (see image on the left), the module satisfies Category 3 requirements in accordance
with EN ISO 13849-1:2015. With two-channel wiring (see image on the right), the module satisfies Category 4
requirements in accordance with EN ISO 13849-1:2015. Be aware that this statement applies only to the module
and not the wiring or connected electronic sensor. You are responsible for wiring the sensor in accordance with
the required category and within the specifications set forth by the manufacturer of the electronic sensor.


7.6 Using the same pulse signals

[Wiring diagrams with terminals Pulse 1, Pulse 2, Input 1, Input 2, Input 3 and Input n]

Figure 10: Using the same pulse signals


When using the same pulse signals for different inputs, they must be isolated from one another. Otherwise, damage
to the cables may cause errors that are not detected by the module.

Danger!
If the same pulse signals are routed in the same cable, damage to the cable can cause cross faults between the signals to occur that are not detected by the module. This can result in dangerous situations.
For this reason, signal lines with the same pulse signal should be routed in different cables, or you
should implement other error prevention measures in accordance with EN ISO 13849-2:2012.

Danger!
It is especially important to check the wiring when using the same pulse signal for two inputs that are
located next to each other on the terminal. Pay special attention to ensure that poor wiring has not
resulted in the two inputs being connected together.

7.7 Connecting safety-oriented actuators for Type B outputs

[Wiring diagrams: four actuator variants, one of them a motor (M), each connected between SO n + and GND]

Figure 11: Connecting safety-oriented actuators for Type B outputs


Safety actuators (contactors, motors, muting lamps, valves) that are compatible with module performance data
can be connected directly.
With this connection, the module satisfies Category 4 requirements in accordance with EN ISO 13849-1:2015. Be
aware that this statement applies only to the module and not to the wiring shown. You are responsible for wiring
the actuator in accordance with the required category and the characteristics of the actuator.
If the actuators contain an inverse diode or electronic components, then the special instructions in section "Module
behavior when GND connection is lost" must be followed.


8 Error detection
8.1 Internal module errors

The red "SE" LED makes it possible to evaluate the following error states:
• Module error, e.g. defective RAM, defective CPU, etc.
• Overtemperature/Undertemperature
• Overvoltage/Undervoltage
• Incompatible firmware version
Errors that occur within the module are detected according to the requirements of the standards listed in the
certificate and within the minimum safety response time specified in the technical data. After this occurs, the module
enters a safe state.
The internal module tests needed for this are only performed, however, if the module's firmware has been booted
and the module is in either the PREOPERATIONAL state or the OPERATIONAL state. If this state is not achieved
(for example, because the module has not been configured in the application), then the module will remain in the
boot state.
BOOT mode on a module is clearly indicated by a slowly blinking SE LED (2 Hz or 1 Hz).
The error detection time specified in the technical data is relevant only for detecting external errors (i.e. wiring
errors) in single-channel structures.

Danger!
Operating the safety module in BOOT mode is not permitted.

Danger!
A safety-related output channel is only permitted to be switched off for a maximum of 24 hours. The
channel must be switched on by the end of this period so that the module's internal channel test can
be performed.


8.2 Wiring errors

The wiring errors described in section "Error detection" are indicated by the red channel LED according to the
application.
If a module detects an error, then:
• The channel LED is lit constantly red.
• Status signal (e.g. (Safe)ChannelOK, (Safe)InputOK, (Safe)OutputOK, etc.) is set to (SAFE)FALSE.
• Signal "SafeDigitalInputxx" or "SafeDigitalOutputxx" is set to SAFEFALSE.
• An entry is generated in the logbook.

Danger!
Recognizable errors (see the following chapters) are detected by the module within the error detection
time. Errors not recognized by the module (or not recognized on time) that can lead to safety-critical
states must be detected using additional measures.

Danger!
It is your responsibility to ensure that all necessary repair measures are initiated after an error occurs
since subsequent errors can result in a hazard!

8.2.1 Type B output channels

Danger!
As illustrated in the following circuit examples, the connected actuators can be connected to GND on
the load side. Connecting actuators on just one side without a GND supply is not permitted, however.
This would cause a series connection of the actuators in the event of an open circuit, which could then
cause a hazardous module error.

[Circuit examples, each showing outputs SO n +, SO m + and GND. Panels: "Correct: With external GND", "Correct: Without external GND", "Incorrect".]

Figure 12: Invalid wiring


8.2.2 Connecting single-channel sensors with contacts

By default, every input channel is assigned a dedicated pulse output. This pulse output issues a specific signal
that helps detect wiring problems, such as a short circuit to 24 VDC, GND or other signal channels. The status
of the connected switches is indicated by channel-specific LEDs. The LEDs "OO" and "OC" have no significance
with this type of connection.
With this type of connection in combination with the configuration "Pulse Mode = Internal", the modules can detect
the following errors:
| Error | Error on contact: Open | Error on contact: Closed |
|---|---|---|
| Ground fault on the pulse output | Detected | Detected |
| Pulse output shorted to 24 VDC | Detected | Detected |
| Cross fault between the pulse output and the other pulse signal | Detected | Detected |
| Ground fault on signal input | Not detected | Detected |
| Signal input shorted to 24 VDC | Detected | Detected |
| Cross fault between the signal input and the other pulse signal | Detected | Detected |
| Cross fault between the pulse output and the signal input | Not detected | Not detected |
| Open circuit | Not detected | Not detected |

Table 10: SI error detection when "Pulse mode = Internal"

8.2.3 Connecting two-channel sensors with contacts

By default, every input channel is assigned a dedicated pulse output. This pulse output issues a specific signal that
helps detect wiring problems, such as a short circuit to 24 VDC, GND or other signal channels.
The status of the connected switches is signaled via channel-specific LEDs, and the status of the dual-channel
evaluation is signaled via the "OO" (for combinations with N.C./N.C. contacts) or "OC" LED (for combinations with
N.C./N.O. contacts). On module types that do not have these LEDs, errors detected in the dual-channel evaluation
are indicated by the respective channel LED blinking red.
With this type of connection in combination with the configuration "Pulse Mode = Internal" and combined with dual-
channel evaluation in the module or in SafeDESIGNER, the modules can detect the following errors:
| Error | Error on contact: Open | Error on contact: Closed |
|---|---|---|
| Ground fault on the pulse output | Detected | Detected |
| Pulse output shorted to 24 VDC | Detected | Detected |
| Cross fault between the pulse output and the other pulse signal | Detected | Detected |
| Ground fault on signal input | Not detected | Detected |
| Signal input shorted to 24 VDC | Detected | Detected |
| Cross fault between the signal input and the other pulse signal | Detected | Detected |
| Cross fault between the pulse output and the signal input | Detected 1) | Not detected |
| Open circuit | Not detected | Detected 1) |

Table 11: SI error detection with "Pulse Mode = Internal" combined with dual-channel evaluation in the module or in SafeDESIGNER

1) Dual-channel evaluation of the module.


8.2.4 Connecting multi-channel sensors with contacts

The status of the connected switches is indicated by channel-specific LEDs. The LEDs "OO" and "OC" have no
significance with this type of connection.
With this wiring, the following errors can be detected:
| Error | Detection |
|---|---|
| Ground fault on the pulse output | Detected |
| Pulse output shorted to 24 VDC | Detected |
| Cross fault between the pulse output and the other pulse signal | Detected 1) |
| Ground fault on signal input (active signal) | Detected 1) |
| Ground fault on signal input (inactive signal) | Not detected |
| Signal input shorted to 24 VDC | Detected |
| Cross fault between the signal input and the other pulse signal | Detected 1) |
| Cross fault between the pulse output and the signal input (active signal) | Not detected |
| Open circuit (active signal) | Detected 1) |
| Cross fault between the pulse output and the signal input (inactive signal) | Detected 1) |
| Open circuit (inactive signal) | Not detected |

Table 12: SI error detection when "Pulse Mode = External"

1) Detected by PLCopen function block "SF_ModeSelector" in the application.

Danger!
If "Pulse Mode = External" is used in the channel configuration, then an additional TOFF filter with
5 ms is enabled in the module. The corresponding information regarding the TOFF filter must also be
considered when using the "Pulse Mode = External" setting.

Information:
With the configuration "Pulse Mode = Internal", the pulses have a low phase of approximately 300 µs.
This low phase is designed such that no additional degradation of the total response time can occur in
the system. If line lengths exceed the max. line length (see technical data), problems may occur with
this configuration. In these cases, configuration "Pulse Mode = External" can also be useful for normal
sensors with contacts. The reduced error detection and extension of the total response time must be
taken into account, however.

8.2.5 Connecting electronic sensors

A pulse pattern cannot be used with electronic sensors. The input channels must therefore be configured to
"Pulse Mode = No Pulse".
Any gaps when testing the connected OSSD outputs must be masked out with the module's cutoff filter in order
to avoid an unintended shutdown.

Danger!
With the configuration "Pulse Mode = No Pulse", the module itself is not able to detect wiring errors.
Internal errors are still detected, however. All errors resulting from incorrect or faulty wiring must be
handled through supplementary measures per EN ISO 13849-2:2012 or by the connected device.

Danger!
Configuring a switch-off filter lengthens the safety response time. The configured filter value must be
added to the total response time.


8.2.6 Safety actuator connection

Error / module Disable OSSD = No Disable OSSD = Yes-ATTENTION


Error on output
Switched off Switched on Switched off Switched on
Ground fault on SOx+ (output type A) or SOx (output type B)
All SO types Not detected Detected Not detected Detected
Ground fault on SOx- (output type A)
X20SC0xxx
X20SLXxxx
Not detected Detected Not detected Not detected
X20SRTxxx
X20SOx1x0
SOx+ shorted to 24 VDC (output type A)
X20SC0xxx
X20SLXxxx
Detected Detected Detected Not detected
X20SRTxxx
X20SOx1x0
SOx shorted to 24 VDC (output type B)
X20SC0xxx
X20SLXxxx
X20SRTxxx Not detected
X20SO6300 Detected 1) Detected 1) Not detected
X20SP1130
X20SC2212
Detected 1)
X67SC4122.L12
SOx- shorted to 24 VDC (output type A)
X20SC0xxx
X20SLXxxx
Detected Detected Detected Detected
X20SRTxxx
X20SOx1x0
GND shorted to 24 VDC
X20SC0xxx
X20SLXxxx
X20SRTxxx
X20SO6300 Not detected Not detected Not detected Not detected
X20SP1130
X20SC2212
X67SC4122.L12
Cross fault between SOx+ (output type A) and the other signal (high)
X20SC0xxx
X20SLXxxx
Detected Detected Detected Not detected
X20SRTxxx
X20SOx1x0
Cross fault between SOx (output type B) and the other signal (high)
X20SC0xxx
X20SLXxxx
X20SRTxxx Not detected
X20SO6300 Detected 1) Detected 1) Not detected
X20SP1130
X20SC2212
Detected 1)
X67SC4122.L12
Cross fault between SOx- (output type A) and the other signal (high)
X20SC0xxx
X20SLXxxx
Detected Detected Detected Not detected
X20SRTxxx
X20SOx1x0
Cross fault between GND and the other signal (high)
X20SC0xxx
X20SLXxxx
X20SRTxxx
X20SO6300 Not detected Not detected Not detected Not detected
X20SP1130
X20SC2212
X67SC4122.L12
Open circuit (output type A and B)
X20SC0xxx
X20SLXxxx Not detected Not detected
X20SRTxxx
X20SOx1x0 Not detected 2) Not detected 2)
Not detected Not detected
X20SO6300
X20SP1130
Not detected Not detected
X20SC2212
X67SC4122.L12

Short circuit between SOx+ (output type A) and SOx- (output type A)
X20SC0xxx
X20SLXxxx
Not detected Detected Not detected Detected
X20SRTxxx
X20SOx1x0

Table 13: SO error detection


1) If SOx is shorted to high potentials, this will be detected by the module, but the connected actuator cannot be cut off due to the "only-plus-switching" design
of the channel.
2) Open circuit can be detected via signal "CurrentOK". However, this signal cannot be used for safety purposes.

Danger!
With "Disable OSSD = Yes-ATTENTION", the module has reduced error detection capabilities and no
longer meets the requirements for SIL 3 per EN 62061:2013 or PL e per EN ISO 13849-1:2015.
In order to meet the requirements for applications up to SIL 2 per EN 62061:2013 or PL d per
EN ISO 13849-1:2015, the user must check the safety function on a daily basis when using type B
output channels.
For type B2 output channels, it is also important to ensure that all of the module's output channels are
simultaneously in a switched-off state for at least 1 s during this test.
On X20SRTxxx modules, each output channel being used must be checked before the first safety
request and every 24 hours. For this check, the corresponding channel must be switched on and off
at least once.

Danger!
Possible error behavior of the actuators must be analyzed and avoided using corresponding responses
(positively driven read-back contacts on a contactor, pressure switch on valves, etc.).

Danger!
This danger warning applies to all the modules listed in the "SO error detection" table with the
exception of output channels of type A!
If SOx is shorted to high potentials, this will be detected by the module, but the connected actuator
cannot be cut off due to the "only-plus-switching" design of the channel. Make sure that the wiring
is correct in order to rule out SOx short circuits to high potentials (see EN ISO 13849-2:2012, Annex
D.2.4, Table D.4).


9 Input circuit diagram

[Circuit diagram. Labels: SI x, Internal testing, Input status, 24 VDC, Control, Control signal, Pulse x, Output monitoring.]

Figure 13: Input circuit diagram


10 Type B output circuit diagram


Type B digital output channels are designed for positive and positive switching inside the module.

[Circuit diagram. Labels: 24 VDC, High side 1, High side 2, Logic, Output status, Output monitoring, C discharge, TVS, SO x, GND.]

Figure 14: Type B output circuit diagram

11 Minimum cycle time


The minimum cycle time specifies the time up to which the bus cycle can be reduced without communication errors
occurring.
Minimum cycle time: 200 μs

12 I/O update time


The time needed by the module to generate a sample is specified by the I/O update time.
Minimum I/O update time: 500 µs
Maximum I/O update time for input channels: 2150 µs + Filter time (see chapter "Filter")
Maximum I/O update time for output channels: 1800 µs


13 Filter
All safe digital input modules are equipped with separately configurable switch-on and switch-off filters. The
functionality of the filters depends on the firmware version and is illustrated in the following table and figures:

| Module type | Version | TOFF filter diagram | Filter time to be considered in addition to the total response time |
|---|---|---|---|
| I/O modules | <301 | Diagram 1 | 2x TOFF filter time |
| SafeLOGIC-X | 301, 311, 312 | Diagram 1 | 2x TOFF filter time |
| I/O modules | ≥301 | Diagram 2 | 1x TOFF filter time |
| SafeLOGIC-X | 302, ≥313 | Diagram 2 | 1x TOFF filter time |

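[Function block diagram. Blocks: TOF_0, TON_0 (pins IN, Q, PT, ET). Signals: input_signal, filtered_signal. Parameters: t_off_intern, t_off_User, t_on_User.]

Figure 15: SI input filter - Diagram 1

[Function block diagram. Blocks with pins IN, Q, PT, ET, including a TOF block with reset and the constant INT#2. Signals: input_signal, filtered_signal. Parameters: t_on_User, t_off_intern, t_off_User.]

Figure 16: SI input filter - Diagram 2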


Key:
• input_signal: Status of the input channel
• filtered_signal: Filtered status of the input channel. This is used as an input for the PLCopen function block
and forwarded to the SafeLOGIC controller
• t_off_intern: Internal parameter (5 ms) for suppressing "external" test pulses (only with
"Pulse Mode = External")
• t_off_User: Parameter for the switch-off filter
• t_on_User: Parameter for the switch-on filter

Unfiltered
The input state is collected with a fixed offset to the network cycle and transferred.


Switch-on filter
When switching from 0 to 1, the filtered status is collected with a fixed offset to the network cycle and transferred.
The filter value can be configured (limit values are listed in the technical data).

Danger!
Errors that result from cross faults to other signals are detected by the module within the error
detection time at the latest. By default, the switch-on filter is set to the error detection time value, which
filters out faulty signals caused by possible cross faults. If the switch-on filter is set to a value smaller
than the error detection time, faulty signals can cause temporary switch-on pulses to occur.

Information:
The actual effective filter depends on the I/O cycle time of the module. The actual effective filter can
therefore deviate below the input value by the I/O cycle time (see the technical data for the module). If
filter times are set less than the I/O cycle time of the module, no filter is effective.

Switch-off filter
When switching from 1 to 0, the filtered status is collected with a fixed offset to the network cycle and transferred.
The switch-off filter can be configured separately. This makes it possible to use the switch-off filter in actual
applications (e.g. testing gaps of the light curtain) and to shorten response times. The filter value can be configured
(limit values are listed in the technical data).

Danger!
Configuring a switch-off filter lengthens the safety response time!
The configured filter value must be added to the total response time once or twice depending on the
firmware version (for details, see the chapter "Filters" in the technical data sheet).
Configuring a switch-off filter causes signals with a low phase shorter than the switch-off filter to be
filtered out. If this results in a problem concerning safety functionality, then the switch-off filter must
be set to 0.
To minimize the effect of EMC interference, the max. line lengths between the pulse output and input
specified in the technical data must be taken into account.
When connecting devices with OSSD signals (signals with test pulses), you must select a switch-off
filter in each case that is substantially smaller than the repeat rate of the test pulses.

Information:
The actual effective filter depends on the I/O cycle time of the module. The actual effective filter can
therefore deviate below the input value by the I/O cycle time (see the technical data for the module). If
filter times are set less than the I/O cycle time of the module, no filter is effective.

Danger!
If "Pulse Mode = External" is used in the channel configuration, then an additional TOFF filter with
5 ms is enabled in the module. The corresponding information regarding the TOFF filter must also be
considered when using the "Pulse Mode = External" setting.

14 Enabling principle
Each output channel has an additional standard switching signal that can be used to access the output channel
from the standard application. As soon as the output channel has been enabled from a safety-related point of view
(the setting of the channel is enabled from the point of view of the safety technology), the output channel can be
set or cleared in the standard application independently of the additional safety-related runtime and jitter times.
Use of the enabling principle is specified in the I/O configuration in Automation Studio.


15 Restart behavior
The digital input channels are not equipped with an internal restart interlock, which means that the associated channel
data reverts to the proper state automatically after an error situation on the module and/or network.
It is the responsibility of the user to connect the channel data of the safe input channels correctly and to provide
them with a restart interlock. The restart interlocks of PLCopen function blocks can be used here, for example.
Using input channels without a correctly connected restart interlock can result in an automatic restart.
Each output channel is equipped with an internal restart interlock, which means that the following sequence must
be followed in order to switch on a channel after an error situation on the module/network and/or after ending the
safety function:
• Correct all module, channel or communication errors.
• Enable the safety-related signal for this channel (SafeOutput, etc.).
• Pause to ensure that the safety-related signal has been processed on the module (min. 1 network cycle).
• Positive edge on the release channel
For switching the release signal, the notes for manual reset function in EN ISO 13849-1:2015 must be observed.
The restart interlock functions independently of the enabling principle, which means that the behavior described
above is not influenced by the parameter settings for the enabling principle or by the chronological position of the
functional switching signal.
An automatic restart of the module can be configured by setting parameters. With this function, the output channel
can be enabled using safety technology without an additional signal edge on the release channel. This function
remains active as long as the release signal is TRUE and there is no error situation on the module/network.
Regardless of this parameter, a positive edge is required on the release channel for enabling the output channel
in the following situations:
• After switching on
• After correcting an error on the safe communication channel
• After correcting a channel error
• After the release signal drops out
The automatic restart is configured in SafeDESIGNER using the channel parameters. If using an automatic restart,
note the information in EN ISO 13849-1:2015.

Danger!
Configuring an automatic restart can result in critical safety conditions. Take additional measures to
ensure proper safety-related functionality.


16 Register description
16.1 Parameters in the I/O configuration

Group: Function model

| Parameter | Description | Default value | Unit |
|---|---|---|---|
| Function model | This parameter is reserved for future functional expansions. | Default | - |

Table 14: I/O configuration parameters: Function model

Group: General

| Parameter | Description | Default value | Unit |
|---|---|---|---|
| Module supervised | System behavior when a module is missing. Parameter values: "On": A missing module triggers service mode. "Off": A missing module is ignored. | On | - |
| Module information (up to AS 3.0.90) | This parameter enables/disables the module-specific information in the I/O mapping: SerialNumber, ModuleID, HardwareVariant, FirmwareVersion. | Off | - |
| Blackout mode (hardware upgrade 1.10.0.6 or later) | This parameter enables blackout mode (see section Blackout mode in Automation Help under: Hardware → X20 system → Additional information → Blackout mode). Parameter values: "On": Blackout mode is enabled. "Off": Blackout mode is disabled. | Off | - |
| Channel status information | This parameter enables/disables the channel-specific status information in the I/O mapping. | On | - |
| State number of 2-channel evaluation | This parameter enables/disables the status information of dual-channel evaluation. | Off | - |
| Restart inhibit state numbers | This parameter enables/disables restart interlock status information. | Off | - |
| SafeLOGIC ID | In applications with multiple SafeLOGIC controllers, this parameter defines the module's association with a particular SafeLOGIC controller. Permissible values: 1 to 1024 | Assigned automatically | - |
| SafeMODULE ID | Unique safety address of the module. Permissible values: 2 to 1023 | Assigned automatically | - |
| Max switching frequency channel x (up to firmware version < 300) | Maximum switching frequency of the output channel. Permissible values: 1 Hz, 10 Hz, 100 Hz, 1000 Hz. This value specifies the max. switching frequency of the actuator connected to the output. It is especially important to adjust this parameter to the actual conditions for inductive or capacitive loads because the internal delay for checking the voltage to see if it is 0 V after a cutoff signal occurs is calculated using this parameter. Therefore, if this value is too high (e.g. 1000 Hz) and the voltage does not go to 0 within the corresponding time (in this example 500 µs) after a cutoff signal because of the connected actuator, then a channel error occurs. If the output is controlled by the application using a higher switching frequency than configured, a channel-specific error may erroneously be detected on the module, which causes the channel to be cut off. | 1 | Hz |

Table 15: I/O configuration parameters: General

Group: Output signal path

| Parameter | Description | Default value | Unit |
|---|---|---|---|
| DigitalOutputxx | This parameter specifies the mode that can be used by the standard application to access the output channel. Parameter values: "Direct": The output channel can be accessed directly by the standard application. Signals "DigitalOutputxx" are available in the I/O mapping accordingly. "Via SafeLOGIC": The output channel cannot be accessed directly by the standard application. Signals "DigitalOutputxx" are not available in the I/O mapping accordingly. It is only possible for the standard application to influence the output channel via the communication channels from the CPU to the SafeLOGIC controller. | Direct | - |

Table 16: I/O configuration parameters: Output signal path


16.2 Parameters in SafeDESIGNER - up to Release 1.9

Group: Basic

| Parameter | Description | Default value | Unit |
|---|---|---|---|
| Min_required_FW_Rev | This parameter is reserved for future functional expansions. | Basic Release | - |
| Optional | This parameter can be used to configure the module as "optional". Optional modules do not have to be present, i.e. the SafeLOGIC controller will not indicate that these modules are not present. However, this parameter does not influence the module's signal or status data. Parameter values: "No": This module is mandatory for the application. The module must be in OPERATIONAL mode after startup, and safe communication to the SafeLOGIC controller must be established without errors (SafeModuleOK = SAFETRUE). Processing of the safety application on the SafeLOGIC controller is delayed after startup until this state is achieved for all modules with "Optional = No". After startup, module problems are indicated by a quickly blinking "MXCHG" LED on the SafeLOGIC controller. An entry is also made in the logbook. "Yes": The module is not required for the application. The module is not taken into account during startup, which means the safety application is started regardless of whether the modules with "Optional = Yes" are in OPERATIONAL mode or if safe communication is properly established between these modules and the SafeLOGIC controller. After startup, module problems are NOT indicated by a quickly blinking "MXCHG" LED on the SafeLOGIC controller. An entry is NOT made in the logbook. "Startup": This module is optional. The system determines how the module will proceed during startup. If it is determined that the module is physically present during startup (regardless of whether it is in OPERATIONAL mode or not), then the module behaves as if "Optional = No" is set. If it is determined that the module is not physically present during startup, then the module behaves as if "Optional = Yes" is set. "Not_Present" (Release 1.9 and later): The module is not required for the application. The module is ignored during startup, which means the safety application is started regardless of whether the modules with "Optional = Not_Present" are physically present. Unlike when "Optional = Yes" is configured, the module is not started with "Optional = Not_Present", which optimizes system startup behavior. After startup, module problems are NOT indicated by a quickly blinking "MXCHG" LED on the SafeLOGIC controller. An entry is NOT made in the logbook. | No | - |
| External_UDID | This parameter enables the option on the module for the expected UDID to be specified externally by the CPU. Parameter values: "Yes-ATTENTION": The UDID is determined by the CPU. The SafeLOGIC controller must be restarted if the UDID is changed. "No": The UDID is specified by a teach-in procedure during startup. | No | - |
| Disable_OSSD | This parameter can be used to switch off automatic testing of the output driver for all of the module's channels. Parameter values: "Yes-ATTENTION": Automatic testing of the output driver is switched off. "No": Automatic testing of the output driver is enabled. | No | - |

Table 17: SafeDESIGNER parameters: Basic

Danger!
If function "External_UDID = Yes-ATTENTION" is used, incorrect specifications from the CPU can lead
to safety-critical situations.
Perform an FMEA (Failure Mode and Effects Analysis) in order to detect these situations and implement
additional safety measures to handle them.


Danger!
With "Disable_OSSD = Yes-ATTENTION", the module has reduced error detection capabilities and no
longer meets the requirements for SIL 3 per EN 62061:2010 or PL e per EN ISO 13849-1:2015.
In order to meet the requirements for applications up to SIL 2 per EN 62061:2010 or PL d per
EN ISO 13849-1:2015, a daily check of the safety function by the user is necessary.


Group: Safety_Response_Time

| Parameter | Description | Default value | Unit |
|---|---|---|---|
| Manual_Configuration | This parameter makes it possible to manually and individually configure the safety response time for the module. The parameters for the safety response time are generally set in the same way for all stations involved in the application. For this reason, these parameters are configured for the SafeLOGIC controller in SafeDESIGNER. For application situations in which individual safety functions require optimal response time behavior, the parameters for the safety response time can be configured individually on the respective module. Parameter values: "Yes": Data from the module's "Safety_Response_Time" group is used to calculate the safety response time for the module's signals. "No": The parameters for the safety response time are taken from the "Safety_Response_Time" group on the SafeLOGIC controller. | No | - |
| Synchronous_Network_Only | This parameter describes the synchronization characteristics of the network being used. They are defined in Automation Studio / Automation Runtime. Parameter values: "Yes": In order to calculate the safety response time, networks must be synchronous and their cycle times must either be the same or an integer ratio of the cycle times. "No": No requirement for synchronization of the networks. | Yes | - |
| Max_X2X_CycleTime_us | This parameter specifies the maximum X2X cycle time used to calculate the safety response time. Permissible values: 200 to 25,000 μs (corresponds to 0.2 to 25 ms) | 5000 | μs |
| Max_Powerlink_CycleTime_us | This parameter specifies the maximum POWERLINK cycle time used to calculate the safety response time. Permissible values: 200 to 25,000 μs (corresponds to 0.2 to 25 ms) | 5000 | μs |
| Max_CPU_CrossLinkTask_CycleTime_us | This parameter specifies the maximum cycle time for the copy task on the CPU used to calculate the safety response time. The value 0 indicates that a copy task is not included for the response time. Permissible values: 0 to 25,000 μs (corresponds to 0 to 25 ms) | 5000 | μs |
| Min_X2X_CycleTime_us | This parameter specifies the minimum X2X cycle time used to calculate the safety response time. Permissible values: 200 to 25,000 μs (corresponds to 0.2 to 25 ms) | 200 | μs |
| Min_Powerlink_CycleTime_us | This parameter specifies the minimum POWERLINK cycle time used to calculate the safety response time. Permissible values: 200 to 25,000 μs (corresponds to 0.2 to 25 ms) | 200 | μs |
| Min_CPU_CrossLinkTask_CycleTime_us | This parameter specifies the minimum cycle time for the copy task on the CPU used to calculate the safety response time. The value 0 indicates that configurations without a copy task are also included for the response time. Permissible values: 0 to 25,000 μs (corresponds to 0 to 25 ms) | 0 | μs |
| Worst_Case_Response_Time_us | This parameter specifies the limit value for monitoring the safety response time. Permissible values: 3000 to 5,000,000 μs (corresponds to 3 ms to 5 s) | 50000 | μs |
| Node_Guarding_Lifetime | This parameter specifies the maximum number of attempts to be made during the time set with parameter "Node_Guarding_Timeout_s". The purpose of these attempts is to ensure that the module is available. Permissible values: 1 to 255. Note: The larger the configured value, the greater the amount of asynchronous data traffic. This setting is not critical to safety functionality. The time for safely cutting off actuators is determined independently using parameter "Worst_Case_Response_Time_us". | 5 | - |

Table 18: SafeDESIGNER parameters: Safety_Response_Time


Group: SafeDigitalInputxx

| Parameter | Description | Default value | Unit |
|---|---|---|---|
| Pulse_Source | This parameter can be used to specify the pulse source for the input channel. The values possible for each channel are listed under "Possible Pulse_Source" below. Note: If a value other than "Default" is set for "Pulse_Source", then parameter "Pulse_Mode" must be set to "Internal" on the respective channel of the selected "Pulse_Source". | Default | - |
| Pulse_Mode | This parameter can be used to specify the pulse mode for the input channel. Parameter values: "Internal": The channel works exclusively with the pulse output that is set for "Pulse_Source". "No Pulse": The pulse check on the channel is disabled. Potential low phases of the signal must be removed using the switch-off filter in order to prevent unintended cutoff. | Internal | - |
| Filter_Off_us | Switch-off filter for the channel to remove potentially disruptive signal "low phases". Permissible values: 0 to 500,000 μs (corresponds to 0 to 0.5 s) | 0 | μs |
| Filter_On_us | Switch-on filter for the channel that can be used to "debounce" the signals. This function also makes it possible for the module to lengthen a switch-off signal that would otherwise be too short. Permissible values: 0 to 500,000 μs (corresponds to 0 to 0.5 s) | 200000 | μs |
| Discrepancy_Time_us | Parameter only available for odd-numbered channels. This parameter specifies the maximum time for the "Dual-channel evaluation" function during which the state of both physical individual channels is permitted to be undefined without triggering an error. Permissible values: 0 to 10,000,000 μs (corresponds to 0 to 10 s) | 0 | μs |

Possible "Pulse_Source":

| Channel | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|
| 1 | Default | - | - | - | - | - |
| 2 | Channel 1 | Default | - | - | - | - |
| 3 | Channel 1 | - | Default | - | - | - |
| 4 | Channel 1 | - | Channel 3 | Default | - | - |
| 5 | Channel 1 | - | - | - | Default | - |
| 6 | Channel 1 | - | - | - | Channel 5 | Default |

Table 19: SafeDESIGNER parameters: SafeDigitalInputxx

Danger!
Configuring a switch-off filter lengthens the safety response time!

Danger!
Signals with a low phase shorter than the safety response time can potentially be lost. Such signals
should be lengthened accordingly using the "switch-on filter" function on the input module.

Danger!
Configuring a switch-off filter causes signals with a low phase shorter than the switch-off filter to be
filtered out. If this results in a problem concerning safety functionality, then the switch-off filter must
be set to 0. Lengthening the low phase with a switch-on filter is not possible in these cases.

Group: SafeDigitalOutputxx, SafeDigitalOutputxxyy
Parameter | Description | Default value | Unit
Auto_Restart | This parameter can be used to configure an automatic restart on the module (see section "Restart behavior"). | No | -
  Parameter value | Description
  Yes-ATTENTION | "Automatic restart" function is activated.
  No | "Automatic restart" function is not activated.

Table 20: SafeDESIGNER parameters: SafeDigitalOutputxx, SafeDigitalOutputxxyy

Danger!
Configuring an automatic restart can result in critical safety conditions. Take additional measures to
ensure proper safety-related functionality.

16.3 Parameters in SafeDESIGNER - Release 1.10 and later

Group: Basic
Parameter | Description | Default value | Unit
Min required FW Rev | This parameter is reserved for future functional expansions. | Basic Release | -
Optional | This parameter can be used to configure the module as "optional". Optional modules do not have to be present, i.e. the SafeLOGIC controller will not indicate that these modules are not present. However, this parameter does not influence the module's signal or status data. | No | -
  Parameter value | Description
  No | This module is absolutely necessary for the application.
    The module must be in OPERATIONAL mode after startup, and safe communication to the SafeLOGIC controller must be established without errors (SafeModuleOK = SAFETRUE). Processing of the safety application on the SafeLOGIC controller is delayed after startup until this state is achieved for all modules with "Optional = No".
    After startup, module problems are indicated by a quickly blinking "MXCHG" LED on the SafeLOGIC controller. An entry is also made in the logbook.
  Yes | This module is not necessary for the application.
    The module is not taken into account during startup, which means the safety application is started regardless of whether the modules with "Optional = Yes" are in OPERATIONAL mode or if safe communication is properly established between these modules and the SafeLOGIC controller.
    After startup, module problems are NOT indicated by a quickly blinking "MXCHG" LED on the SafeLOGIC controller. An entry is NOT made in the logbook.
  Startup | This module is optional. The system determines how the module will proceed during startup.
    If it is determined that the module is physically present during startup (regardless of whether it is in OPERATIONAL mode or not), then the module behaves as if "Optional = No" is set.
    If it is determined that the module is not physically present during startup, then the module behaves as if "Optional = Yes" is set.
  NotPresent | This module is not necessary for the application.
    The module is ignored during startup, which means the safety application is started regardless of whether the modules with "Optional = NotPresent" are physically present.
    Unlike when "Optional = Yes" is configured, the module is not started with "Optional = NotPresent", which optimizes system startup behavior.
    After startup, module problems are NOT indicated by a quickly blinking "MXCHG" LED on the SafeLOGIC controller. An entry is NOT made in the logbook.
External UDID | This parameter enables the option on the module for the expected UDID to be specified externally by the CPU. | No | -
  Parameter value | Description
  Yes-ATTENTION | The UDID is determined by the CPU. The SafeLOGIC controller must be restarted if the UDID is changed.
  No | The UDID is specified by a teach-in procedure during startup.

Table 21: SafeDESIGNER parameters: Basic

Danger!
If function "External UDID = Yes-ATTENTION" is used, incorrect specifications from the CPU can lead
to safety-critical situations.
Perform an FMEA (Failure Mode and Effects Analysis) in order to detect these situations and implement
additional safety measures to handle them.

Group: Safety Response Time
Parameter | Description | Default value | Unit
Manual Configuration | This parameter makes it possible to manually and individually configure the safety response time for the module. | No | -
  The parameters for the safety response time are generally set in the same way for all stations involved in the application. For this reason, these parameters are configured for the SafeLOGIC controller in SafeDESIGNER. For application situations in which individual safety functions require optimal response time behavior, the parameters for the safety response time can be configured individually on the respective module.
  Parameter value | Description
  Yes | Data from the module's "Safety Response Time" group is used to calculate the safety response time for the module's signals.
  No | The parameters for the safety response time are taken from the "Safety Response Time" group on the SafeLOGIC controller.
Safe Data Duration | This parameter specifies the maximum permissible data transmission time between the SafeLOGIC controller and SafeIO module. | 20000 | μs
  For more information about the actual data transmission time, see section Diagnostics and service → Diagnostics tools → Network analyzer → Editor → Calculation of safety runtime of Automation Help. The cycle time of the safety application must also be added.
  • Permissible values: 2000 to 10,000,000 μs (corresponds to 2 ms to 10 s)
Additional Tolerated Packet Loss | This parameter specifies the number of additional tolerated lost packets during data transfer. | 0 | Packets
  • Permissible values: 0 to 10
Packets per Node Guarding | This parameter specifies the maximum number of packets used for node guarding. | 5 | Packets
  • Permissible values: 1 to 255
  Note
  • The larger the configured value, the greater the amount of asynchronous data traffic.
  • This setting is not critical to safety functionality. The time for safely cutting off actuators is determined independently of this.

Table 22: SafeDESIGNER parameters: Safety Response Time

Group: Module Configuration
Parameter | Description | Default value | Unit
Disable OSSD | This parameter can be used to switch off automatic testing of the output driver for all of the module's channels. | No | -
  Parameter value | Description
  Yes-ATTENTION | Automatic testing of the output driver is switched off.
  No | Automatic testing of the output driver is enabled.

Table 23: SafeDESIGNER parameters: Module Configuration

Danger!
With "Disable OSSD = Yes-ATTENTION", the module has reduced error detection capabilities and no
longer meets the requirements for SIL 3 per EN 62061:2013 or PL e per EN ISO 13849-1:2015.
In order to meet the requirements for applications up to SIL 2 per EN 62061:2013 or PL d per
EN ISO 13849-1:2015, the user must check the safety function on a daily basis when using type B
output channels.
For type B2 output channels, it is also important to ensure that all of the module's output channels are
simultaneously in a switched-off state for at least 1 s during this test.
On X20SRTxxx modules, each output channel being used must be checked before the first safety
request and every 24 hours. For this check, the corresponding channel must be switched on and off
at least once.

Group: SafeDigitalInputxx
Parameter | Description | Default value | Unit
Pulse Source | This parameter can be used to specify the pulse source for the input channel. | Default | -
  Possible "Pulse Source":
  Channel | 1 | 2 | 3 | 4 | 5 | 6
  1 | Default | - | - | - | - | -
  2 | Channel 1 | Default | - | - | - | -
  3 | Channel 1 | - | Default | - | - | -
  4 | Channel 1 | - | Channel 3 | Default | - | -
  5 | Channel 1 | - | - | - | Default | -
  6 | Channel 1 | - | - | - | Channel 5 | Default
  Note:
  If a value other than "Default" is set for "Pulse Source", then the "Pulse Mode" parameter must be set to "Internal" on the respective channel of the selected "Pulse Source".
Pulse Mode | This parameter can be used to specify the pulse mode for the input channel. | Internal | -
  Parameter value | Description
  Internal | The channel works exclusively with the pulse output that is configured for "Pulse Source".
  No Pulse | The pulse check on the channel is disabled. Potential low phases of the signal must be removed using the switch-off filter in order to prevent unintended cutoff.
Filter Off | Switch-off filter for the channel to remove potentially disruptive signal "low phases". | 0 | μs
  • Permissible values: 0 to 500,000 μs (corresponds to 0 to 0.5 s)
Filter On | Switch-on filter for the channel that can be used to "debounce" the signals. This function also makes it possible for the module to lengthen a switch-off signal that would otherwise be too short. | 200000 | μs
  • Permissible values: 0 to 500,000 μs (corresponds to 0 to 0.5 s)
Discrepancy Time | Parameter only available for odd-numbered channels. This parameter specifies the maximum time for "dual-channel evaluation", during which the status of both physical individual channels can remain undefined without triggering an error. | 50000 | μs
  • Permissible values: 0 to 10,000,000 µs (corresponds to 0 to 10 s)

Table 24: SafeDESIGNER parameters: SafeDigitalInputxx

Danger!
Configuring a switch-off filter lengthens the safety response time!
The configured filter value must be added to the total response time.

Danger!
Signals with a low phase shorter than the safety response time can potentially be lost. Such signals
should be lengthened accordingly using the "switch-on filter" function on the input module.

Danger!
Configuring a switch-off filter causes signals with a low phase shorter than the switch-off filter to be
filtered out. If this results in a problem concerning safety functionality, then the switch-off filter must
be set to 0. Lengthening the low phase with a switch-on filter is not possible in these cases.
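
The input-channel rules of Table 24 can be checked offline before a configuration is downloaded. The following Python sketch is an added example, not B&R code and not a SafeDESIGNER export format: the dict layout, function name and sample values are assumptions, and the "Pulse Source" matrix is read as listing, per row, the values selectable for that input channel.

```python
# Added example: offline lint for SafeDigitalInputxx settings (Table 24 names).
# The dict layout is an assumption of this example, not a SafeDESIGNER format.

# Selectable "Pulse Source" per input channel, read row by row from the
# matrix: 0 stands for "Default", n for "Channel n".
ALLOWED_PULSE_SOURCE = {1: {0}, 2: {0, 1}, 3: {0, 1},
                        4: {0, 1, 3}, 5: {0, 1}, 6: {0, 1, 5}}
FILTER_MAX_US = 500_000           # Filter Off / Filter On: 0 to 500,000 us
DISCREPANCY_MAX_US = 10_000_000   # Discrepancy Time: 0 to 10,000,000 us
DEFAULTS = {"pulse_source": 0, "pulse_mode": "Internal",
            "filter_off_us": 0, "filter_on_us": 200_000}


def lint_inputs(channels):
    """Return sorted (channel, severity, message) findings.

    channels maps an input channel number to a dict holding only the
    settings that differ from the Table 24 defaults.
    """
    findings = []
    resolved = {ch: {**DEFAULTS, **cfg} for ch, cfg in channels.items()}
    for ch, cfg in resolved.items():
        if ch not in ALLOWED_PULSE_SOURCE:
            findings.append((ch, "error", "module has no such input channel"))
            continue
        src = cfg["pulse_source"]
        if src not in ALLOWED_PULSE_SOURCE[ch]:
            findings.append((ch, "error",
                             f"Pulse Source 'Channel {src}' is not selectable"))
        elif src != 0:
            # Note under the matrix: the channel whose pulse output is used
            # must itself be configured with Pulse Mode = Internal.
            donor_mode = resolved.get(src, DEFAULTS)["pulse_mode"]
            if donor_mode != "Internal":
                findings.append((ch, "error",
                                 f"uses pulses of channel {src}, "
                                 f"which is set to '{donor_mode}'"))
        if cfg["pulse_mode"] not in ("Internal", "No Pulse"):
            findings.append((ch, "error", "unknown Pulse Mode value"))
        for key in ("filter_off_us", "filter_on_us"):
            if not 0 <= cfg[key] <= FILTER_MAX_US:
                findings.append((ch, "error",
                                 f"{key} outside 0..{FILTER_MAX_US}"))
        if "discrepancy_us" in cfg:
            if ch % 2 == 0:
                findings.append((ch, "error",
                                 "Discrepancy Time exists only on "
                                 "odd-numbered channels"))
            elif not 0 <= cfg["discrepancy_us"] <= DISCREPANCY_MAX_US:
                findings.append((ch, "error",
                                 f"discrepancy_us outside 0..{DISCREPANCY_MAX_US}"))
        if cfg["filter_off_us"] > 0:
            # Danger notices: the switch-off filter value adds to the total
            # response time and hides low phases shorter than the filter.
            findings.append((ch, "review",
                             f"Filter Off adds {cfg['filter_off_us']} us "
                             "to the response time"))
    return sorted(findings)


SAMPLE = {  # constructed configuration, for illustration only
    1: {"pulse_mode": "No Pulse", "filter_off_us": 1_000},
    2: {"pulse_source": 1},                         # channel 1 is "No Pulse"
    3: {"discrepancy_us": 50_000},
    4: {"pulse_source": 3, "discrepancy_us": 50_000},
    5: {"pulse_source": 3},                         # not selectable for channel 5
    6: {"pulse_source": 5, "filter_on_us": 600_000},
}

if __name__ == "__main__":
    for channel, severity, message in lint_inputs(SAMPLE):
        print(f"channel {channel}: {severity}: {message}")
```
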

Group: SafeDigitalOutputxx
Parameter | Description | Default value | Unit
Auto Restart | This parameter can be used to configure an automatic restart on the module (see section "Restart behavior"). | No | -
  Parameter value | Description
  Yes-ATTENTION | "Automatic restart" function is activated.
  No | "Automatic restart" function is not activated.

Table 25: SafeDESIGNER parameters: SafeDigitalOutputxx

Danger!
Configuring an automatic restart can result in critical safety conditions. Take additional measures to
ensure proper safety-related functionality.

16.4 Channel list


Channel name | Access via Automation Studio | Access via SafeDESIGNER | Data type | Description
ModuleOk | Read | - | BOOL | Indicates if the module is OK
SerialNumber | Read | - | UDINT | Module serial number
ModuleID | Read | - | UINT | Module ID
HardwareVariant | Read | - | UINT | Hardware variant
FirmwareVersion | Read | - | UINT | Firmware version of the module
UDID_low | (Read) 1) | - | UDINT | UDID, lower 4 bytes
UDID_high | (Read) 1) | - | UINT | UDID, upper 2 bytes
SafetyFWversion1 | (Read) 1) | - | UINT | Firmware version - Safety processor 1
SafetyFWversion2 | (Read) 1) | - | UINT | Firmware version - Safety processor 2
SafetyFWcrc1 (hardware upgrade 1.10.1.0 or later) | (Read) 1) | - | UINT | CRC of firmware header on safety processor 1
SafetyFWcrc2 (hardware upgrade 1.10.1.0 or later) | (Read) 1) | - | UINT | CRC of firmware header on safety processor 2
Bootstate (hardware upgrade 1.10.1.0 or later) | (Read) 1) | - | UINT | Startup state of the module.
  Notes:
  • Some of the boot states do not occur during normal startup or are cycled through so quickly that they are not visible externally.
  • The boot states usually cycle through in ascending order. There are cases, however, in which a previous value is captured.
  Value | Description
  0x0003 | Startup communication processor OK, no communication to the safety processors (check 24 V supply voltage!)
  0x0010 | FAILSAFE. At least one of the safety processors is in the safe state.
  0x0020 | Internal communication to safety processors started
  0x0024 | Firmware update of safety processors
  0x0040 | Firmware of safety processors started
  0x0440 | Firmware of safety processors running
  0x0840 | Waiting for openSAFETY "Operational" (loading SafeDESIGNER application or no valid application exists, waiting on acknowledgments such as module exchange)
  0x1040 | Evaluating the configuration according to the SafeDESIGNER application
  0x3440 | Stabilizing cyclic openSAFETY data exchange. Note: If the boot state remains here, check SafeDESIGNER parameters "(Default) Safe Data Duration", "(Default) Additional Tolerated Packet Loss".
  0x4040 | RUN. Final state, startup completed.
Diag1_Temp | (Read) 1) | - | INT | Module temperature in °C
PLCopenFBKxy_state | Read | - | USINT | State number of dual-channel evaluation (PLCopen function block "Equivalent" or "Antivalent")
InputErrorStates | (Read) 1) | - | UDINT | Channel status, additional information for channel error
  Type of error, inputs:
  Input stuck at high | Bit no. 0 to 5 = Channel 1 to 6
  If a bit is set, the corresponding error has been detected on the respective channel.
PulseoutputErrors | (Read) 1) | - | UDINT | Channel status, additional information for channel error
  Type of error, pulse outputs:
  Feedback stuck at high (shorted to 24 VDC) | Bit no. 8 to 13 = Channel 1 to 6
  Feedback stuck at low (ground fault) | Bit no. 0 to 5 = Channel 1 to 6
  If a bit is set, the corresponding error has been detected on the respective channel.
SafeModuleOK | - | Read | SAFEBOOL | Indicates if the safe communication channel is OK
SafeDigitalInputxx | Read | Read | SAFEBOOL | Physical channel SI xx
SafeEquivalentInputxxyy | Read | Read | SAFEBOOL | Dual-channel evaluation of equivalent channel SI xx/yy
SafeAntivalentInputxxyy | Read | Read | SAFEBOOL | Dual-channel evaluation of antivalent channel SI xx/yy
SafeInputOKxx | Read | Read | SAFEBOOL | Status of physical channel SI xx
SafeEquivalentOKxxyy | Read | Read | SAFEBOOL | Status of dual-channel evaluation of equivalent channel SI xx/yy
SafeAntivalentOKxxyy | Read | Read | SAFEBOOL | Status of dual-channel evaluation of antivalent channel SI xx/yy
DigitalOutputxx | Write | - | BOOL | Enable signal - Channel SO xx
SafeDigitalOutputxx | - | Write | SAFEBOOL | Safe channel SO xx
SafeOutputOKxx | Read | Read | SAFEBOOL | Status of channel SO xx
ReleaseOutputxx | - | Write | BOOL | Release signal for the restart interlock of channel SO xx
PhysicalStateOutputxx | Read | Read | BOOL | Read-back value of physical channel SO xx
FBK_Status_1 | Read | - | UINT | State number of the restart interlock of channel x. See "Restart interlock state diagram".
  Bit 15 to 12 | Bit 11 to 8 | Bit 7 to 4 | Bit 3 to 0
  Reserved | Reserved | Channel 2 | Channel 1

Table 26: Channel list


1) This data is accessed in Automation Studio using the ASIOACC library.
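
The diagnostic channels in Table 26 are plain integers with bit-coded content, so a snapshot of them can be turned into readable findings with a few lines of code. The following Python sketch is an added example and not B&R code; the snapshot dict, the function names and the sample values are assumptions, and reading the values from the module (e.g. via the ASIOACC library) is outside its scope.

```python
# Added example: decode the diagnostic channels of Table 26 from raw integers.

BOOT_STATES = {  # values and meanings as listed for channel "Bootstate"
    0x0003: "communication processor started, no communication to safety processors",
    0x0010: "FAILSAFE",
    0x0020: "internal communication to safety processors started",
    0x0024: "firmware update of safety processors",
    0x0040: "firmware of safety processors started",
    0x0440: "firmware of safety processors running",
    0x0840: "waiting for openSAFETY Operational",
    0x1040: "evaluating the configuration",
    0x3440: "stabilizing cyclic openSAFETY data exchange",
    0x4040: "RUN",
}
CHANNELS = range(1, 7)  # six inputs / pulse outputs on this module


def bits_to_channels(value, first_bit):
    """Channels 1..6 whose bit (first_bit + channel - 1) is set."""
    return [ch for ch in CHANNELS if (value >> (first_bit + ch - 1)) & 1]


def udid(udid_high, udid_low):
    """Join UDID_high (upper 2 bytes) and UDID_low (lower 4 bytes) as hex."""
    if not (0 <= udid_high <= 0xFFFF and 0 <= udid_low <= 0xFFFFFFFF):
        raise ValueError("UDID part out of range")
    return f"{(udid_high << 32) | udid_low:012X}"


def restart_interlock_states(fbk_status_1):
    """State number per output channel: bits 3..0 = channel 1, bits 7..4 = channel 2."""
    return {1: fbk_status_1 & 0xF, 2: (fbk_status_1 >> 4) & 0xF}


def triage(snapshot):
    """Turn one snapshot of raw channel values into a list of findings."""
    out = []
    boot = snapshot["Bootstate"]
    if boot != 0x4040:  # anything but the final RUN state is worth a line
        meaning = BOOT_STATES.get(boot, "value not listed in Table 26")
        out.append(f"boot state 0x{boot:04X}: {meaning}")
    for ch in bits_to_channels(snapshot["InputErrorStates"], 0):
        out.append(f"input {ch}: stuck at high")
    pulse = snapshot["PulseoutputErrors"]
    for ch in bits_to_channels(pulse, 8):
        out.append(f"pulse output {ch}: feedback stuck at high (shorted to 24 VDC)")
    for ch in bits_to_channels(pulse, 0):
        out.append(f"pulse output {ch}: feedback stuck at low (ground fault)")
    return out


SNAPSHOT = {  # constructed values, for illustration only
    "Bootstate": 0x3440,
    "InputErrorStates": 0b000100,
    "PulseoutputErrors": 0x0201,
    "FBK_Status_1": 0x0094,
}

if __name__ == "__main__":
    for line in triage(SNAPSHOT):
        print(line)
    print(restart_interlock_states(SNAPSHOT["FBK_Status_1"]))
```
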

PLCopen state diagrams "Antivalent" / "Equivalent"


The following state diagrams illustrate the effect of the "Antivalent" and "Equivalent" PLCopen function blocks
integrated in the module.
The hexadecimal value in parentheses corresponds to the state number provided via the channels
"PLCopenFBKxy_state" and "PLCopenFBKxxyy_state".
The following PLCopen state diagrams show the function for the "SafeAntivalentInput0102" and
"SafeEquivalentInput0102" channels. The same diagrams are valid for the "SafeAntivalentInputxxyy" and
"SafeEquivalentInputxxyy" channels, but "SafeDigitalInput01" and "SafeDigitalInput02" are to be replaced by the
respective input.
In addition to the PLCopen specification, the SignalOK states of channels "SafeChannelOK01" and
"SafeChannelOK02" are also checked.
If the SignalOK status of at least one of the two channels is not OK, the function block goes into an error state
and the output signal is set to 0.
Error state "ERROR 4" is not taken from the PLCopen specification.

[State diagram: the transition conditions are built from SafeDigitalInput01, SafeDigitalInput02, SafeChannelOK01, SafeChannelOK02 and "Discrepancy time elapsed".]

Figure 17: "Antivalent" function block - State diagram

[State diagram: the transition conditions are built from SafeDigitalInput01, SafeDigitalInput02, SafeChannelOK01, SafeChannelOK02 and "Discrepancy time elapsed".]

Figure 18: "Equivalent" function block - State diagram

Restart interlock state diagram


The following state diagram illustrates the effect of the restart interlock integrated in the module. The hexadecimal
value in parentheses corresponds to the state number that is provided via the channel "FBK_Status_1".
For detailed information regarding restart interlock, see section "Restart behavior".

Information:
To set an output channel, a positive edge on signal "ReleaseOutput0x" is required after
signal "SafeDigitalOutput0x". This edge must occur at least 1 network cycle after signal
"SafeDigitalOutput0x". If this timing is not adhered to, the output channel remains inactive.

Information:
For the maximum switching frequency, see the technical data for the module.

[State diagram: states DISABLED (0x0), LOCK (0x4), LOCK_ERROR (0x5), RELEASE_ERROR (0x6), OUTPUT_DISABLE (0x7), SAFE (0x8), OUTPUT_ENABLE (0x9) and HW_ERROR (0xA). The transition conditions use SafeModuleOK, Release (including R_TRIG at Release), SafeControl, ProcessCtrl (including R_TRIG at ProcessCtrl), AutoRestart, FALSE_on_Release_detected, HwError (including "acknowledge HwError"), Critical-HwError and the max. switching frequency; the diagram also marks where S_OutControl = False and where S_OutControl = True.]

Figure 19: Restart interlock - State diagram

17 Safety response time


The safety response time is the time between the arrival of the signal on the input channel and the output of the
cutoff signal on the output.

[Figure: timeline of the total lag time, in this order: signal processing in the sensor; signal processing on the safe B&R input module; data transmission time on the bus (Input -> SafeLOGIC); application processing on the SafeLOGIC controller; data transmission time on the bus (SafeLOGIC -> Output); signal processing on the safe B&R output module; time required for the actuator to be stopped. The span labeled "Safety response time in the B&R system" is marked within the total lag time.]

Figure 20: Total lag time


As illustrated in the figure, the safety response time in the B&R system is composed of the following partial response
times:
• Signal processing on the safe B&R input module
• Data transmission time on the bus (Input -> SafeLOGIC)
• Data transmission time on the bus (SafeLOGIC -> Output)
• Signal processing on the safe B&R output module

Danger!
The following sections are dedicated exclusively to the safety response time in the B&R system. When
assessing the complete safety response time, the user must include signal processing in the sensor
as well as the time until the actuator is stopped.
Be sure to validate the total lag time on the system!

Information:
The safety response time in B&R products already contains all delays caused by sampling input data
(sampling theorem).

17.1 Signal processing on the safe B&R input module

The maximum I/O update time in the "I/O update time" chapter for the respective module must be taken into account
when processing signals in the safe B&R input module.

17.2 Data transmission time on the bus

The following relationship must be taken into consideration for the data transmission time on the bus:
• The time needed to transfer data from the input to the SafeLOGIC controller or to the output depends on
the sum of the cycle times and CPU copy times in effect on the transfer line.
• POWERLINK MN (managing node, standard CPU) settings are important for the actual timing on the bus,
but they cannot be used from a safety point of view since the values can be changed at any time in the
course of modifications made outside of the safety application.
• In the SafeLOGIC controller, data transmission times are monitored on the bus using openSAFETY ser-
vices. The time needed to process the application on the SafeLOGIC controller is taken into account in
this test (system-dependent). Monitoring is defined in SafeDESIGNER using the parameters in parameter
group "Safety Response Time".

Information:
The safety components located in this network segment could be cut off by the SafeLOGIC controller if
modified parameters on the POWERLINK MN alter the data transmission times on the bus so that they
lie outside of the SafeDESIGNER parameters defined in parameter group "Safety Response Time".

Information:
The safety components located in this network segment could be cut off by the SafeLOGIC controller
if EMC disturbances cause data failures that fall outside of the SafeDESIGNER parameters defined in
parameter group "Safety Response Time".

Calculating the maximum data transmission time - up to Release 1.9:
• The total max. data transmission time on the bus is calculated by adding parameter
"Worst_Case_Response_Time_us" for the safe input module and parameter
"Worst_Case_Response_Time_us" for the safe output module. When doing this, be sure to check
parameter "Manual_Configuration". If parameter "Manual_Configuration" is set to "No", the value
specified for parameter "Default_Worst_Case_Response_Time_us" is used.
• Special case: Local inputs on the X20SLX module:
The total max. data transmission time on the bus is calculated by adding parameter "Cycle_Time_max_us"
+ 2000 µs and parameter "Worst_Case_Response_Time_us" for the safe output module. When doing this,
be sure to check parameter "Manual_Configuration". If parameter "Manual_Configuration" is set to "No",
the value specified for parameter "Default_Worst_Case_Response_Time_us" is used.

Calculating the maximum data transmission time - Release 1.10 and later:
The following parameters are relevant for calculating the data transmission time between the safe input module
and safe output module; parameter "Manual Configuration" deserves special attention.
• Relevant parameters for "Manual Configuration = No":
– "PacketLoss1": Parameter "Default Additional Tolerated Packet Loss" of group "Safety Response
Time Defaults" of the SafeLOGIC controller
– "DataDuration1": Parameter "Default Safe Data Duration" of group "Safety
Response Time Defaults" of the SafeLOGIC controller
– "NetworkSyncCompensation1": 12 ms
– "PacketLoss2": Same as "PacketLoss1"
– "DataDuration2": Same as "DataDuration1"
– "NetworkSyncCompensation2": Same as "NetworkSyncCompensation1"
• Relevant parameters for "Manual Configuration = Yes":
– "PacketLoss1": Parameter "Additional Tolerated Packet Loss" of group "Safety Response Time" of
the safe input module
– "DataDuration1": Parameter "Safe Data Duration" of group "Safety Response Time" of the safe
input module
– "NetworkSyncCompensation1": 12 ms
– "PacketLoss2": Parameter "Additional Tolerated Packet Loss" of group "Safety Response Time" of
the safe output module
– "DataDuration2": Parameter "Safe Data Duration" of group "Safety Response Time" of the safe
output module
– "NetworkSyncCompensation2": Same as "NetworkSyncCompensation1"
• Special case: Local inputs on the X20SLX module:
– "PacketLoss1": 0
– "DataDuration1": Parameter "Cycle Time max" of group "Module Configuration" of the X20SLX +
2000 µs
– "NetworkSyncCompensation1": 0 ms
• Special case: Local outputs on the X20SLX module:
– "PacketLoss2": 0
– "DataDuration2": Parameter "Cycle Time max" of group "Module Configuration" of the X20SLX +
2000 µs
– "NetworkSyncCompensation2": 0 ms
• Special case: Linking local inputs with local outputs on the X20SRT module:
– "PacketLoss1": 0
– "PacketLoss2": 0
– "DataDuration1": Parameter "Cycle time" of group "General"
– "DataDuration2": Parameter "Cycle time" of group "General"
– "NetworkSyncCompensation1": 0 ms
– "NetworkSyncCompensation2": 0 ms
The following equation is used to calculate the maximum data transmission time between the safe input module
and safe output module:
Maximum data transmission time = (PacketLoss1 + 1) * DataDuration1 + NetworkSyncCompensation1 + (PacketLoss2 + 1) * DataDuration2 + NetworkSyncCompensation2

Information:
In addition to the data transmission time on the bus, the time for signal processing in the safe B&R
input and output module must be taken into account (see section 17 "Safety response time").

Information:
For more information about the actual data transmission time, see Automation Help, section
Diagnostics and service → Diagnostics tools → Network analyzer → Editor → Calculation of safety runtime.
The cycle time of the safety application must also be added.

17.3 Signal processing on the safe B&R output module

The maximum I/O update time in the "I/O update time" chapter for the respective module must be taken into account
when processing signals in the safe B&R output module.

17.4 Minimum signal lengths

The parameters in group "Safety Response Time" in SafeDESIGNER influence the maximum number of data
packets that are permitted to fail without triggering a safety response. These parameters therefore act like a
switch-off filter. If several data packets are lost within the tolerated amount, safety signals may not be detected
if their low phase is shorter than the determined data transmission time.

Danger!
Lost signals can result in serious safety errors. Check all signals to determine the smallest possible
pulse length and make sure that it is larger than the determined data transmission time.
Suggested solution:
• The switch-on filter can be used to extend the low phase of a signal on the input module.
• Low phases of signals from the SafeLOGIC controller can be lengthened with restart interlock functions
or timer function blocks.
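
The Release 1.10 calculation from section 17.2 and the signal-length check from section 17.4 can be carried through together. The following Python sketch is an added example and not B&R code; the dict layout, function names, signal names and sample values are assumptions. It resolves "Manual Configuration" per module, which goes slightly beyond the two whole-path cases listed above, and it does not include the I/O update times of the modules or the cycle time of the safety application.

```python
# Added example: maximum data transmission time (Release 1.10 and later)
# and the minimum-signal-length check of section 17.4. All times in us.
from dataclasses import dataclass

SYNC_COMPENSATION_US = 12_000            # "NetworkSyncCompensation": 12 ms
DATA_DURATION_RANGE_US = (2_000, 10_000_000)
PACKET_LOSS_RANGE = (0, 10)


@dataclass(frozen=True)
class Leg:
    """One direction of the path: input -> SafeLOGIC or SafeLOGIC -> output."""
    packet_loss: int
    data_duration_us: int
    sync_compensation_us: int

    def time_us(self):
        # (PacketLoss + 1) * DataDuration + NetworkSyncCompensation
        return ((self.packet_loss + 1) * self.data_duration_us
                + self.sync_compensation_us)


def networked_leg(module, controller_defaults):
    """Leg for a module reached over the bus.

    With "manual" set, the module's own "Safety Response Time" values are
    used; otherwise the defaults configured on the SafeLOGIC controller.
    """
    src = module if module.get("manual") else controller_defaults
    loss, duration = src["packet_loss"], src["data_duration_us"]
    if not PACKET_LOSS_RANGE[0] <= loss <= PACKET_LOSS_RANGE[1]:
        raise ValueError(f"Additional Tolerated Packet Loss {loss} outside 0..10")
    if not DATA_DURATION_RANGE_US[0] <= duration <= DATA_DURATION_RANGE_US[1]:
        raise ValueError(f"Safe Data Duration {duration} us outside permitted range")
    return Leg(loss, duration, SYNC_COMPENSATION_US)


def slx_local_leg(cycle_time_max_us):
    """Special case: local inputs or outputs on the X20SLX module."""
    return Leg(0, cycle_time_max_us + 2_000, 0)


def srt_local_leg(cycle_time_us):
    """Special case: local inputs linked with local outputs on the X20SRT."""
    return Leg(0, cycle_time_us, 0)


def max_transmission_time_us(input_leg, output_leg):
    return input_leg.time_us() + output_leg.time_us()


def signals_at_risk(min_low_phase_us, transmission_time_us):
    """Signals whose shortest low phase is not larger than the determined
    data transmission time and can therefore be lost (section 17.4)."""
    return sorted(name for name, low in min_low_phase_us.items()
                  if low <= transmission_time_us)


# Constructed sample values, for illustration only.
CONTROLLER_DEFAULTS = {"packet_loss": 0, "data_duration_us": 20_000}
INPUT_MODULE = {"manual": True, "packet_loss": 1, "data_duration_us": 8_000}
OUTPUT_MODULE = {"manual": False}
MIN_LOW_PHASE_US = {"estop_button": 250_000, "light_curtain": 40_000}

if __name__ == "__main__":
    total = max_transmission_time_us(
        networked_leg(INPUT_MODULE, CONTROLLER_DEFAULTS),
        networked_leg(OUTPUT_MODULE, CONTROLLER_DEFAULTS))
    print("max. data transmission time:", total, "us")
    print("signals to lengthen:", signals_at_risk(MIN_LOW_PHASE_US, total))
```
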

18 Intended use

Danger!
Danger from incorrect use of safety-related products/functions
Proper functionality is only ensured if the products/functions are used in accordance with their intended
use by qualified personnel and the provided safety information is taken into account. The aforementioned
conditions must be observed or covered by supplementary measures on your own responsibility
in order to ensure the specified protective functions.

18.1 Qualified personnel

Use of safety-related products is restricted to the following persons:


• Qualified personnel who are familiar with relevant safety concepts for automation technology as well as
applicable standards and regulations
• Qualified personnel who plan, develop, install and commission safety equipment in machines and systems
Qualified personnel in the context of this manual's safety guidelines are those who, because of their training,
experience and instruction combined with their knowledge of relevant standards, regulations, accident prevention
guidelines and operating conditions, are qualified to carry out essential tasks and recognize and avoid potentially
dangerous situations.
In this regard, sufficient language skills are also required in order to be able to properly understand this manual.

18.2 Application range

The safety-related B&R control components described in this manual were designed, developed and manufactured
for special applications for machine and personnel protection. They are not suitable for any use involving serious
risks or hazards that could lead to the injury or death of several people or serious environmental impact without the
implementation of exceptionally stringent safety precautions. In particular, this includes the use of these devices
to monitor nuclear reactions in nuclear power plants, flight control systems, air traffic control, the control of mass
transport vehicles, medical life support systems and the control of weapon systems.
When using safety-oriented control components, the safety precautions applying to industrial control systems (e.g.
the provision of safety devices such as emergency stop circuits, etc.) must be observed in accordance with
applicable national and international regulations. The same applies for all other devices connected to the system, e.g.
drives or light curtains.
The safety guidelines, information about connection conditions (nameplate and documentation) and limit values
specified in the technical data must be read carefully before installation and commissioning and must be strictly
observed.

18.3 Security concept

B&R products communicate via a network interface and were developed for integration into a secure network. The
network and B&R products are affected by the following hazards (not a complete list):
• Unauthorized access
• Digital intrusion
• Data leakage
• Data theft
• A variety of other types of IT security breaches
It is the responsibility of the operator to provide and maintain a secure connection between B&R products and the
internal network as well as other networks, such as the Internet, if necessary. The following measures and security
solutions are suitable for this purpose:
• Segmentation of the network (e.g. separation of the IT and OT networks)
• Firewalls for the secure connection of network segments
• Implementation of a security-optimized user account and password concept
• Intrusion prevention and authentication systems
• Endpoint security solutions with modules for anti-malware, data leakage prevention, etc.
• Data encryption
It is the responsibility of the operator to take appropriate measures and to implement effective security solutions.
B&R Industrial Automation GmbH and its subsidiaries are not liable for damages and/or losses resulting from, for
example, IT security breaches, unauthorized access, digital intrusion, data leakage and/or data theft.
Before B&R releases products or updates, they are subjected to appropriate functional testing. Independently of
this, the development of customized test processes is recommended in order to be able to check the effects of
changes in advance. Such changes include, for example:
• Installation of product updates
• Notable system modifications such as configuration changes
• Import of updates or patches for third-party software (non-B&R software)
• Hardware replacement
These tests should ensure that implemented security measures remain effective and that systems behave as
expected.


18.4 Safety technology disclaimer

The proper use of all B&R products must be guaranteed by the customer through the implementation of suitable
training, instruction and documentation measures. The guidelines set forth in system user's manuals must be
taken into consideration here as well. B&R has no obligation to provide verification or warnings with regard to the
customer's purpose of using the delivered product.
Changes to the devices are not permitted when using safety-related components. Only certified products are
permitted to be used. Currently valid product versions in each case are listed in the corresponding certificates. Current
certificates are available on the B&R website (www.br-automation.com) in the Downloads section for the respective
product. The use of non-certified products or product versions is not permitted.
All relevant information regarding these safety products must be read in the latest version of the related data
sheet and the corresponding safety notices observed before the safety products are permitted to be operated.
Certified data sheets are available on the B&R website (www.br-automation.com) in the Downloads section for
the respective product.
B&R and its employees are not liable for any damages or loss resulting from the incorrect use of these products. The
same applies to misuse that may result from specifications or statements made by B&R in connection with sales,
support or application activities. It is the sole responsibility of the user to check all specifications and statements
made by B&R for proper application as it pertains to safety-related applications. In addition, the user assumes sole
responsibility for the proper design of the safety function as it pertains to safety-related applications.

18.5 X20 system characteristics

Because all X20 safety products are seamlessly integrated into the B&R base system, the same system
characteristics and user notices from the X20 system user's manual also apply to X20 safety products.

Warning!
Possible failure of safety function
Malfunction of module due to unspecified operating conditions
The notes for installation and operation of the modules provided in the applicable documents must
be observed.
In this regard, this means the content and user notices in the following applicable documentation must be observed
for X20 safety products:
• X20 system user's manual
• Installation / EMC guide


18.6 Installation notes for X20 modules

Products must be protected against impermissible dirt and contaminants. Products are protected from dirt and
contaminants up to pollution degree II as specified in the IEC 60664 standard.
Pollution degree II can usually be achieved in an enclosure with IP54 protection, but uncoated modules are NOT
permitted to be operated in condensing relative humidity and temperatures under 0°C.
The operation of coated modules is allowed in condensing relative humidity.

Danger!
Pollution levels higher than specified by pollution degree II in standard IEC 60664 can result in
dangerous failures. It is extremely important that you ensure a proper operating environment.

Danger!
In order to guarantee a specific voltage supply, a SELV power supply that conforms to IEC 60204 must
be used to supply the bus, SafeIO and SafeLOGIC controller. This also applies to all digital signal
sources that are connected to the modules.
If the power supply is grounded (PELV system), then only a GND connection is permitted for grounding.
Grounding types that have ground connected to +24 VDC are not permitted.
The power supply of X20 potential groups must generally be protected using a fuse with a maximum of 10 A.
For more information, see chapter "Mechanical and electrical configuration" of the X20 or X67 user's manual.

18.7 Safe state

If an error is detected by the module (internal or wiring error), the modules enable the safe state. The safe state
is structurally designed as a low state or cutoff and cannot be modified.

Danger!
Applications in which the safe state must actively switch on an actuator cannot be implemented with
this module. In these cases, other measures must be taken to meet this safety-related requirement
(e.g. mechanical brakes for hanging load that engage on power failure).

18.8 Mission time

All safety modules are designed to be maintenance-free. Repairs are not permitted to be carried out on safety
modules.
All safety modules have a maximum mission time of 20 years.
This means that all safety modules must be taken out of service one week (at the latest) before the expiration of
this 20-year time span (starting from B&R's delivery date).

Danger!
Operating safety modules beyond the specified mission time is not permitted! The user must ensure
that all safety modules are replaced by new safety modules or removed from operation before their
mission time expires.


19 Release information
A manual version always describes the respective range of functions for a given product set release. The following
table shows the relationship between manual versions and releases.
Manual versions V1.141, V1.140, V1.131, V1.130, V1.123, V1.122, V1.121, V1.120, V1.111, V1.110, V1.103, V1.102,
V1.101, V1.100, V1.92, V1.91, V1.90, V1.80, V1.71, V1.70, V1.64, V1.63.2, V1.63.1, V1.63, V1.62, V1.61, V1.60,
V1.52.1, V1.52, V1.51, V1.50.1, V1.50, V1.42, V1.41, V1.40, V1.20 and V1.10 are valid for:

Version         Starting with   Up to
Product set     Release 1.2     Release 1.10
SafeDESIGNER    2.70            4.9
Firmware        270             399
Upgrades        1.2.0.0         1.10.999.999

Manual versions V1.02, V1.01 and V1.00 are valid for:

Version         Starting with   Up to
Product set     Release 1.0     Release 1.1
SafeDESIGNER    2.58            2.69
Firmware        256             269
Upgrades        1.0.0.0         1.1.999.999

Table 27: Release information


20 Version history
Version Date Comment
1.141 April 2019 • Chapter 4 "Technical data": Updated standards.
• Updated chapter 18.3 "Security concept".
• Updated chapter 18.6 "Installation notes for X20 modules".
1.140 February 2019 • Chapter 4 "Technical data": Limited installation elevation to 2000 m.
• Chapter 16.1 "Parameters in the I/O configuration": Added parameter "Blackout mode".
• Chapter 16.3 "Parameters in SafeDESIGNER - Release 1.10 and later": Added filter value to danger notice.
• Chapter 17.2 "Data transmission time on the bus": Updated calculation of maximum data transmission time.
• Chapter 18 "Intended use": Added danger notice.
• Added chapter "Security notes".
• Chapter 18.5 "X20 system characteristics": Added warning notice.
• Updated standards.
• Editorial changes.
1.120 November 2017 • Chapter 4 "Technical data":
– Updated standards and safety characteristics.
– Added input characteristics per EN 61131-2.
– Updated input current and input resistance.
– Added line length between pulse output and input.
– Updated braking voltage when switching off inductive loads.
– Updated peak short-circuit current.
– Added max. switching frequency.
– Coated module: Extended temperature range.
– Added information.
– Updated derating.
• Chapter 7 "Connection examples": Added information.
• Chapter 15 "Restart behavior": Updated description.
• Chapter 16.3 "Parameters in SafeDESIGNER - Release 1.10 and later": Group "Safety Response Time":
Removed parameter "Synchronous Network Only" and updated parameter "Safe Data Duration".
• Chapter 16.4 "Channel list": Added new channels and information.
• Chapter 17.2 "Data transmission time on the bus": Updated description and added information.
• Chapter 18.6 "Installation notes for X20 modules": Updated danger notice.
• Chapter 18.7 "Safe state": Updated danger notice.
• Updated standards.
• Editorial changes.
1.101 March 2016 • Chapter 12 "I/O update time": Updated.
• Chapter 17 "Safety response time": Added information.
1.100 January 2016 Merged coated/uncoated modules.
• Chapter 1 "General information": Added.
• Chapter 4 "Technical data":
– Updated standards.
– Limited output protection to max. 30 minutes.
– Updated temperature range.
– Updated technical data.
• Chapter 8.2.6 "Safety actuator connection": Added new modules.
• Revised chapter 12 "I/O update time".
• Chapter 16.3 "Parameters in SafeDESIGNER - Release 1.10 and later": Added.
• Chapter 16.4 "Channel list": Updated figure "Restart interlock state diagram".
• Chapter 17.1 "Signal processing on the safe B&R input module": Updated description.
• Chapter 17.2 "Data transmission time on the bus": Updated description with "Release 1.10 and later".
• Chapter 17.3 "Signal processing on the safe B&R output module": Updated description.
• Chapter 17.4 "Minimum signal lengths": Updated description.
• Revised chapter 18.4 "Safety technology disclaimer".
• Chapter 19 "Release information": Updated.
1.91 April 2015 • Chapter 4 "Technical data": "Safe digital inputs": "Cable length": Limited to 50 m.
• Chapter 8.2.4 "Connecting multi-channel sensors with contacts": Updated danger notice.
• Corrected chapter 13 "Filter".
• Chapter 17.1 "Signal processing on the safe B&R input module": Updated description.
1.90 October 2014 • Chapter 4 "Technical data": "Temperature": "Operation": "Horizontal mounting orientation": Extended temperature
range to 60°C.
• Updated chapter 19 "Release information".
• Editorial changes.

1.80 July 2014 • Chapter 4 "Technical data":
– "Short description": "I/O module": Adapted text to order data.
– Added "System requirements".
– Added "Safety-related characteristic values" and deleted chapter "Safety-related characteristic values".
– "Pulse outputs": "Output protection": Changed description.
– "Temperature": "Operation": Added "Derating bonus at 24 VDC".
– "Temperature": "Operation": Added "Derating bonus with dummy modules".
– Section "Derating": Updated description and curves.
• Chapter 8.2.6 "Safety actuator connection": Newly restructured for all modules.
• Chapter 15 "Restart behavior": Updated description.
• Chapter 16.2 "Parameters in SafeDESIGNER - up to Release 1.9": Group "Basic": Added parameter value
"Not_Present" for "Optional".
• Chapter 16.2 "Parameters in SafeDESIGNER - up to Release 1.9": Group "Safety_Response_Time": Added
parameter "Node_Guarding_Lifetime".
• Chapter 16.4 "Channel list": Section "PLCopen state diagrams": Updated description and figures.
• Chapter 17.2 "Data transmission time on the bus": Updated description.
• Chapter 18.6 "Installation notes for X20 modules": Removed figure "Protecting various potential groups", updated
description accordingly.
• Updated chapter 19 "Release information".
1.63 November 2013 • Updated standards.
• Chapter 4 "Technical data": Added danger notice.
• Chapter 8.1 "Internal module errors": Updated description.
• Chapter 8.2 "Wiring errors": Added danger notice and figure "Impermissible wiring".
• Chapter 15 "Restart behavior": Updated the behavior of input channels.
• Added chapter 17 "Safety response time".
• Updated chapter 19 "Release information".
• Editorial changes.
1.52.1 October 2013 • Updated standards.
• Editorial changes.
1.52 August 2012 • Updated designations of standards.
• Chapter 4 "Technical data": Derating added.
• Chapter 7 "Connection examples": Added following chapter:
– 7.1 "Module behavior when GND connection is lost"
– 7.1.1 "GND feedback to connection element, no external GND"
– 7.1.2 "Using external GND without GND from connection element"
– 7.1.3 "Using external GND and GND from connection element"
– Grounding
• Chapter 7.7 "Connecting safety-oriented actuators for Type B outputs": Updated description.
• Added chapter 18.5 "X20 system characteristics".
• Chapter 18.8 "Mission time": Updated description.
• Added chapter 21 "EC declaration of conformity".
1.51 May 2012 Chapter 4 "Technical data": Updated technical data.
1.50 February 2012 First edition as a product-specific manual

Table 28: Version history


21 EC declaration of conformity
This document was originally written in the German language. The German edition therefore represents the original
documentation in accordance with the 2006/42/EC Machinery Directive. Documents in other languages are to be
interpreted as translations of the original documentation.

Product manufacturer:
B&R Industrial Automation GmbH
B&R Strasse 1
5142 Eggelsberg
Austria
Telephone: +43 7748 6586-0
Fax: +43 7748 6586-26
office@br-automation.com
The place of jurisdiction, in accordance with article 17 of the European Convention on Courts of Jurisdiction and
Enforcement, is A-4910
Ried im Innkreis, Austria, commercial register court: Ried im Innkreis, Austria
Commercial register number: FN 111651 v.
The place of fulfillment in accordance with article 5 of the European Convention on Courts of Jurisdiction and
Enforcement is A-5142 Eggelsberg, Austria
VATIN: ATU62367156

The EC declarations of conformity for B&R products can be downloaded from the B&R website
www.br-automation.com.
