Safety Controller

XGS Safety Controller

XGT Series
XGS-CPU01A
XGS-DI08A
XGS-DIO84A
 Safety Instruction

Before using the product …

For your safety and effective operation, please read the safety instructions
thoroughly before using the product.

► Safety Instructions should always be observed in order to prevent accident

or risk with the safe and proper use the product.

► Instructions are separated into “Warning” and “Caution”, and the meaning of
the terms is as follows;

This symbol indicates the possibility of serious injury

Warning or death if some applicable instruction is violated

This symbol indicates the possibility of slight injury

Caution or damage to products if some applicable instruction
is violated

► The marks displayed on the product and in the user’s manual have the
following meanings.

Be careful! Danger may be expected.

Be careful! Electric shock may occur.

► The user’s manual even after read shall be kept available and accessible to
any user of the product.

1
 Safety Instruction

Safety Instructions when designing

Warning

 Please, install protection circuit on the exterior of PLC to protect

the whole control system from any error in external power or PLC
module. Any abnormal output or operation may cause serious problem
in safety of the whole system.
- Install applicable protection unit on the exterior of PLC to protect
the system from physical damage such as emergent stop switch,
protection circuit, the upper/lowest limit switch, forward/reverse
operation interlock circuit, etc.
- If any system error (watch-dog timer error, module installation error,
etc.) is detected during CPU operation in PLC, the whole output is
designed to be turned off and stopped for system safety. However,
in case CPU error if caused on output device itself such as relay or
TR can not be detected, the output may be kept on, which may
cause serious problems. Thus, you are recommended to install an
addition circuit to monitor the output status.

 Never connect the overload than rated to the output module nor
allow the output circuit to have a short circuit, which may cause a
fire.

 Never let the external power of the output circuit be designed to

be On earlier than PLC power, which may cause abnormal output or
operation.

 In case of data exchange between computer or other external

equipment and PLC through communication or any operation of
PLC (e.g. operation mode change), please install interlock in the
sequence program to protect the system from any error. If not, it
may cause abnormal output or operation.

2
 Safety Instruction

Safety Instructions when designing

Caution
 I/O signal or communication line shall be wired at least 100mm
away from a high-voltage cable or power line. If not, it may cause
abnormal output or operation.

Safety Instructions when designing

Caution
 Use PLC only in the environment specified in PLC manual or
general standard of data sheet. If not, electric shock, fire, abnormal
operation of the product or flames may be caused.

 Before installing the module, be sure PLC power is off. If not,

electric shock or damage on the product may be caused.

 Be sure that each module of PLC is correctly secured. If the

product is installed loosely or incorrectly, abnormal operation, error or
dropping may be caused.

 Be sure that I/O or extension connecter is correctly secured. If

not, electric shock, fire or abnormal operation may be caused.

 If lots of vibration is expected in the installation environment,

don’t let PLC directly vibrated. Electric shock, fire or abnormal
operation may be caused.

 Don’t let any metallic foreign materials inside the product, which
may cause electric shock, fire or abnormal operation.

3
 Safety Instruction

Safety Instructions when wiring

Warning
 Prior to wiring, be sure that power of PLC and external power is
turned off. If not, electric shock or damage on the product may be
caused.

 Before PLC system is powered on, be sure that all the covers of
the terminal are securely closed. If not, electric shock may be caused

Caution
 Let the wiring installed correctly after checking the voltage rated
of each product and the arrangement of terminals. If not, fire,
electric shock or abnormal operation may be caused.

 Secure the screws of terminals tightly with specified torque when

wiring. If the screws of terminals get loose, short circuit, fire or abnormal
operation may be caused.

 Surely use the ground wire of Class 3 for FG terminals, which is

exclusively used for PLC. If the terminals not grounded correctly,
abnormal operation may be caused.

 Don’t let any foreign materials such as wiring waste inside the
module while wiring, which may cause fire, damage on the product
or abnormal operation.

4
 Safety Instruction

Safety Instructions for test-operation or repair

Warning
 Don’t touch the terminal when powered. Electric shock or abnormal
operation may occur.

 Prior to cleaning or tightening the terminal screws, let all the

external power off including PLC power. If not, electric shock or
abnormal operation may occur.

 Don’t let the battery recharged, disassembled, heated, short or

soldered. Heat, explosion or ignition may cause injuries or fire.

Caution
 Don’t remove PCB from the module case nor remodel the module.
Fire, electric shock or abnormal operation may occur.

 Prior to installing or disassembling the module, let all the

external power off including PLC power. If not, electric shock or
abnormal operation may occur.

 Keep any wireless installations or cell phone at least 30cm away

from PLC. If not, abnormal operation may be caused.

Safety Instructions for waste disposal

Caution
 Product or battery waste shall be processed as industrial waste.
The waste may discharge toxic materials or explode itself.

5
Safety Instruction

6
 Revision History

Revision History
Version Date Remark Chapter

V1.0 ’15.10 First Edition -

LSIS to change its corporate name to LS

V1.0 ’20.5 Entire
ELECTRIC

V1.2 ’23.6 Domain Change Chapter 3

1
Revision History

2
 About User's Manual

Thank you for purchasing PLC of LS ELECTRIC Co., Ltd.

Before use, make sure to carefully read and understand the User’s Manual about the functions, performances,
installation and programming of the product you purchased in order for correct use and importantly, let the end user and
maintenance administrator to be provided with the User’s Manual.

The User’s Manual describes the product. If necessary, you may refer to the following description and order accordingly.
In addition, you may connect our website (http://www.ls-electric.com/) and download the information as a PDF file.

Relevant User’s Manuals

Title Description

XG5000 User’s Manual XG5000 software user manual describing online function such as programming,
(for XGI, XGR) print, monitoring, debugging by using XGI, XGR CPU.

Current user manual is written based on the following version.

Related OS version list

Product name OS version

XGS-CPU01A V1.10
XGS-DI08A V1.10
XGS-DIO84A V1.10

1
About User's Manual

2
 Table of Contents

◎ TABLE OF CONTENTS ◎

Chapter 1 Introduction...................................................................................................................... 1-1~1-3

1.1 How to use the User’s Manual .......................................................................................................... 1-1

1.2 Features ............................................................................................................................................ 1-2
1.3 Terminology ....................................................................................................................................... 1-3

Chapter 2 System Configuration...................................................................................................... 2-1~2-5

2.1 XGS Series Safety Controller System Configuration ........................................................................ 2-1

2.2 Product Components ........................................................................................................................ 2-1
2.3 Basic System..................................................................................................................................... 2-2
2.3.1 Configuration of the basic system............................................................................................. 2-2
2.4 Network System ................................................................................................................................ 2-3
2.4.1 Ethernet setting-up.................................................................................................................... 2-3
2.4.2 XG5000 Connection ................................................................................................................. 2-3
2.4.3 Setting up communication service ............................................................................................ 2-4

Chapter 3 General Specifications ............................................................................................................3-1

3.1 General Specifications ...................................................................................................................... 3-1

Chapter 4 Safety CPU Module ........................................................................................................ 4-1~4-2

4.1 Performance Specifications............................................................................................................... 4-1

4.2 Part Names and Functions................................................................................................................ 4-2

Chapter 5 Program Structure and Operation................................................................................... 5-1~5-7

5.1 Program Basics ................................................................................................................................. 5-1

5.1.1 Program execution method ...................................................................................................... 5-1
5.1.2 Operaiton of instantaneous power failure ................................................................................. 5-2
5.1.3 Scan time .................................................................................................................................. 5-3
5.1.4 Safety response time ................................................................................................................ 5-4
5.2 Operation Mode ................................................................................................................................ 5-5
5.2.1 RUN mode ................................................................................................................................ 5-5
5.2.2 STOP mode .............................................................................................................................. 5-6
5.2.3 Configuration Lock/Unlock mode.............................................................................................. 5-6
5.2.4 Normal/Safe mode.................................................................................................................... 5-6
5.2.5 Changing operation mode ........................................................................................................ 5-7

8
 Table of Contents

Chapter 6 Functions of Safety CPU Module.................................................................................... 6-1~6-8

6.1 Self-diagnosis Function ..................................................................................................................... 6-1

6.1.1 CPU molecular self diagnosis function ..................................................................................... 6-1
6.1.2 IO molecular self diagnosis function ......................................................................................... 6-1
6.1.3 Synchronization between module cores................................................................................... 6-1
6.1.4 Error history saving function...................................................................................................... 6-2
6.1.5 Troubleshooting ........................................................................................................................ 6-2
6.2 User Control ...................................................................................................................................... 6-3
6.2.1 User authority............................................................................................................................ 6-3
6.2.2 Password .................................................................................................................................. 6-3
6.3 Clock Function................................................................................................................................... 6-4
6.4 Forced On/Off of I/O .......................................................................................................................... 6-5
6.4.1 Forced I/O setting...................................................................................................................... 6-5
6.4.2 Point of time and method for forced On/Off action.................................................................... 6-6
6.5 Auto Run Function............................................................................................................................. 6-6
6.5.1 Setting up Auto Run function .................................................................................................... 6-6
6.5.2 Operation of Auto Run function................................................................................................. 6-6
6.6 Log Save Function ............................................................................................................................ 6-7
6.6.1 Setting up max. log mode ......................................................................................................... 6-7
6.6.2 System log ................................................................................................................................ 6-7
6.6.3 Error log .................................................................................................................................... 6-8
6.6.4 User log..................................................................................................................................... 6-8

Chapter 7 Safety I/O Module ........................................................................................................... 7-1~7-4

7.1 Cautions for Using I/O Safety Module ............................................................................................... 7-1

7.2 Specification of Safety Input Module ................................................................................................. 7-2
7.3 Specification of Safety Input/Output Module ..................................................................................... 7-3
7.4 Part Names and Functions................................................................................................................ 7-4

Chapter 8 Functions of Safety I/O Module......................................................................................8-1~8-11

8.1 Setting -up and Operation of Input Mode .......................................................................................... 8-1

8.2 Input On/Off Filter and Off/On Filter................................................................................................... 8-3
8.3 Mismatch Error (Input)....................................................................................................................... 8-4
8.4 Error Latch Time (Input)..................................................................................................................... 8-4
8.5 Test Pulse Setting (Input)................................................................................................................... 8-6
8.6 Input Wiring ....................................................................................................................................... 8-7
8.7 Setting-up and Operation of Output Mode ........................................................................................ 8-9
8.8 Mismatch Error (Output).................................................................................................................... 8-9
8.9 Error Latch Time (Output)................................................................................................................ 8-10
8.10 Test Pulse Setting (Output).............................................................................................................8-11
8.11 Output Wiring..................................................................................................................................8-11

9
 Table of Contents

Chapter 9 Installation and Wiring ..................................................................................................... 9-1~9-6

9.1 Installation.......................................................................................................................................... 9-1

9.1.1 Environment.............................................................................................................................. 9-1
9.1.2 Cautions for handling ................................................................................................................ 9-1
9.1.3 Cautions for wiring .................................................................................................................... 9-1
9.1.4 Installation and removal of module ........................................................................................... 9-2
9.1.5 Cautions for installation ............................................................................................................. 9-3
9.1.6 Product setting procedure up to commissioning....................................................................... 9-4
9.2 Wiring ................................................................................................................................................ 9-5
9.2.1 Power supply ............................................................................................................................ 9-5
9.2.2 Grounding circuit ....................................................................................................................... 9-6
9.2.3 Wire specification ...................................................................................................................... 9-6

Chapter 10 Maintenance ............................................................................................................. 10-1~10-2

10.1 Inspection and Maintenance ......................................................................................................... 10-1

10.2 Daily Inspection ............................................................................................................................. 10-1
10.3 Regular Inspection ........................................................................................................................ 10-2

Chapter 11 EMC Compliance ....................................................................................................... 11-1~11-3

11.1 Requirements Complying with EMC Specifications .......................................................................11-1

11.1.1 EMC specifications.................................................................................................................11-1
11.1.2 Panel ......................................................................................................................................11-2
11.1.3 Cable ......................................................................................................................................11-3

Chapter 12 Troubleshooting ...................................................................................................... 12-1~12-11

12.1 Basic Procedures for Troubleshooting ........................................................................................ 12-1

12.2 Troubleshooting ........................................................................................................................... 12-1
12.2.1 Corrective method for all LED OFF ...................................................................................... 12-2
12.2.2 Corrective method for Run/State LED flashing in red........................................................... 12-3
12.2.3 Corrective method for Run/State LED OFF ........................................................................ 12-4
12.2.4 Corrective method for I/O module malfunctioning ................................................................ 12-5
12.3 Questionnaire for Troubleshooting ................................................................................................ 12-7
12.4 Case Study.................................................................................................................................... 12-8
12.4.1 Types of troubles in input circuit and corrective actions ...................................................... 12-8
12.4.2 Types of troubles in output circuit and corrective actions ...................................................... 12-8
12.5 Error Code List ............................................................................................................................ 12-10
12.5.1 CPU module error code ...................................................................................................... 12-10
12.5.2 I/O contact point error code................................................................................................. 12-10

10
 Table of Contents

Chapter 13 Safety Function Block ............................................................................................. 13-1~13-98

13.1 Safety Function Blocks List ........................................................................................................... 13-1

13.2 Safety Function Blocks.................................................................................................................. 13-2

Appendix 1 Flags List.................................................................................................................. A1-1~A1-4

Appendix 1.1 Flags list .......................................................................................................................... A1-1

Appendix 1.2 Reserved Words ............................................................................................................. A1-4

Appendix 2 PFD/PFH Value ....................................................................................................... A2-1~A2-2

Appendix 3 Dimensions ........................................................................................................................ A3-1

Appendix 3 Example of Safety Application .................................................................................A4-1~ A4-3

11
 Chapter 1. Introduction

Chapter 1 Introduction

1.1 How to Use this Users' Manual

This users' manual provides the information on the specifications, performance, functions and operation required
for using the XGS Series safety controller.

Constitution of the user's manual is as follows;

Chapter Subject Description

Describes the constitution of the manual, and characteristics
Chapter 1 Introduction
and terms used in relation with the product.
Describes the product types available for the XGS Series and
Chapter 2 System Constitution
system configuration.
Describes basic specifications of the modules of the XGS
Chapter 3 General Specification
Series.

Chapter 4 CPU Module Specification

Program Structure and Describes function, specification and operation of XGS CPU
Chapter 5
Operation Module.
Functions of CPU
Chapter 6
Module

Chapter 7 Input/Output Module

Describes specification and operation of I/O module.
Chapter 8 Functions of I/O Module

Describes installation and wiring of the system to ensure high

Chapter 9 Installation and Wiring
reliability.
Describes manual procedures of the system maintenance to
Chapter 10 Maintenance
ensure normal operation.

Chapter 11 EMC Compatibility Describes system configuration to meet EMC requirements.

Describes the errors which may occur during operation and

Chapter 12 Troubleshooting
measures to reset errors.

Chapter 13 Safety Function Block Describes the method of using the safety function block.

Appendix 1. Flag List Provides the list and description of flags.

Appendix 2. PFD/PFH Calculations Provides information on PFD/PFH Calculations

Provides information on the outer dimensions of the CPU and

Appendix 3. Dimensions
I/O module.

1-1
 Chapter 1. Introduction

1.2 Features
The XGS Safety Controller has following features.

1) Compatible to international safety standards

A safety control system can be built to satisfy international safety standards.

• SIL3 (IEC61508)
• SILCL3 (IEC62061)
• Category 4 (ISO 13849-1)

2) Compact size

Innovative compact size compared to the performance – saving expensive space.

3) System configuration

A number of user convenience functions are provided to meet user requirements.

• Input module filter value adjustment

• Enhanced self diagnosis function to save installation, commissioning and maintenance costs

4) Communication system

Network functionality is provided to achieve user convenience, compatibility and performance.

• Networking without ladder programming

• Dedicated network providing user convenience and optimized performance.

5) Enhanced programming and online functions

Simplified programming reduces programming time and enhanced online function enables completion of
control systems without stopping the objective system.

6) User convenience

Use convenience further enhanced with various additional functions.

• Self-diagnosis function
• Various operation histories provided.

1-2
 Chapter 1. Introduction

1.3 Terminology

For the purpose of this document, the following terms shall have the following definitions:

Term Definition Remark

E.g.) CPU
A standardized unit having a specific function, for constituting the module,
Module
entire system, e.g., I/O board. Input/Output
module
A system comprising PLC and peripheral devices configured to
PLC System -
be able to be controlled by user programs.
A programming tool having the functions of creating, editing and
XG5000 -
debugging programs.
Internal memory domain of CPU module provided to maintain
I/O image domain -
input/output status.

Safety Controller High reliability controller for safety control. -

Time elapsed from a change in one of two inputs to the

Mismatch time -
corresponding change in the other input.

PFD
(Probability of Indicated mean failure rate of a system of device. Used to calculate SIL
-
Failure on (Safety Integrity Level) of a safety system.
Demand)

PFH
Indicates per hour failure rate of a system or device. Used to calculate
(Probability of -
SIL (Safety Integrity Level) of a safety system.
Failure per Hour)

An operation unit which outputs result of operation right out, not

Function saving the result in the command, for example, the four -
arithmetical operations, comparison operation.
An operation unit which makes use of operation results
Function block memorized across a plurality of scans, such as a timer and -
counter which memorizes operation result in the command.
E.g.)%IX0.0.2
The variables used without declaring name and type, for
Direct variables %QW1.2.1
example, I, Q, and M domains.
%MD1234, etc.

1-3
 Chapter 1. Introduction

Term Definition Remark

The variables used after declaration of name and type by the user. For
example, declaring: ‘INPUT_0’ =%IX0.0.2, ‘RESULT’=%MD1234, the
Symbolic variables -
programming can be created by the names of ‘INPUT_0’ and ‘RESULT’
instead of %IX0.0.2 and %MD1234.

1-4
 Chapter 2. System Configuration

Chapter 2 System Configuration

This chapter describes the method for constitution and characteristics of the system.
XGS Series safety controller has acquired the safety certification of PLe (ISO13849-1) and SIL3 (IEC61508). It can be used to
build a safety system of SIL3 of IEC61508, PLe (category 4) of ISO13849-1.

2.1 XGS Series Safety Controller System Configuration

The constitution of the XGS Series Safety Controller system is as shown in the figure below.
The XGS Series Safety Controller comprises two type of modules: safety CPU module and digital I/O module.

Programing Tool USB Cable Safety CPU Module Safety Input Safety In/Output
XG5000 Ethernet Cable XGS-CPU01A Module Module
XGS-DI08A XGS-DIO84A

2.2 Product Components

The constitution of the XGS Series Safety Controller product is as shown in the table below.

Product Name Model Description

• Safety CPU module

Safety CPU Module, XGS-CPU01A
(Executable program size: 256KB, upload program size: 512KB)

• DC 24V safety input: 8 inputs

Safety Digital Input Module XGS-DI08A
• Test pulse output: 2 outputs

• DC 24V safety input: 8 inputs

Safety Digital Input/Output
XGS-DIO84A • Test pulse output: 2 outputs
Module
• DC 24V safety output: 4 outputs

2-1
 Chapter 2. System Configuration

2.3 Basic System

2.3.1 Configuration of the basic system

A configuration of the system comprising safety CPU module and safety digital input module or safety digital input/output
module is as follows:
Classification XGS-CPU01A
Max. additional
14 modules
modules
• Max. inputs: (8 points) x (14 modules) = 112 points
Max. No. of I/O
• Max. outputs: (4 points) x (14 modules) = 56 points
points
• Max. No. of I/O points: 168
• I/O numbers are allocated by 64 points per slot.
• Each slot is allocated with 64 points regardless of module installation.
• Below is an example of I/O number allocation to 14 slot.

I/O domain allocation

IX0.0.0~IX0.0.7 IX0.3.0~IX0.3.7 IX0.6.0~IX0.6.7 IX0.9.0~IX0.9.7 IX0.12.0~IX0.12.7

QX0.0.0~QX0.0.3 QX0.3.0~QX0.3.3 QX0.6.0~QX0.6.3 QX0.9.0~QX0.9.3 QX0.12.0~QX0.12.3

IX0.1.0~IX0.1.7 IX0.4.0~IX0.4.7 IX0.7.0~IX0.7.7 IX0.10.0~IX0.10.7 IX0.13.0~IX0.13.7

QX0.1.0~QX0.1.3 QX0.4.0~QX0.4.3 QX0.7.0~QX0.7.3 QX0.10.0~QX0.10.3 QX0.13.0~QX0.13.3

IX0.2.0~IX0.2.7 IX0.5.0~IX0.5.7 IX0.8.0~IX0.8.7 IX0.11.0~IX0.11.7

QX0.2.0~QX0.2.3 QX0.5.0~QX0.5.3 QX0.8.0~QX0.8.3 QX0.11.0~QX0.11.3

NOTE
1) System can start operation only when the types of the modules set up with I/O parameters agree with the actual
module types.
2) Module or system change is not allowed during system operation. For the change, system power supply
must be cut off.
3) During system configuration, you must configure the safety system and the general system separately.
4) All sensors, field control devices and the wiring / equipment connected to the system are recommended
to install security features that required in accordance with the IEC62061, EN ISO13849-1.

2-2
 Chapter 2. System Configuration

2.4 Network System

The XGS Safety Controller provides built-in Ethernet communication by the safety CPU module for monitoring with common
PLC and HMI.

2.4.1 Ethernet setting-up

To use the built-in Ethernet in the safety CPU module, Ethernet parameters have to be set up using XG5000. In the [Basic
Parameter] – [FEnet Basic Setting] window, set up IP address, subnet mask, and gateway, and write the setting in the PLC.
As soon as the parameters are written while the connection to CPU module is made via USB, the parameters are applied. If
they are written via Ethernet, new parameters will be applicable after system reset.

2.4.2 XG5000 Connection

Safety CPU module can be accesses via Ethernet connection.
Select: [Online]-[Set-up Access], in the access setting dialog, select Ethernet.

2-3
 Chapter 2. System Configuration

Select [Setting (S)…], and in the dialog, input the IP address set up at the Safety Controller and press [Confirm] button.

In the access setting dialog, press [Access] button to access via Ethernet.
Note that the access is allowable after Ethernet setting has been written in the safety CPU module via the first USB
connection.

2.4.3 Setting up communication service

The safety CPU module provides dedicated communication server (XGT server) function and Modbus server function.

2.4.3.1 Dedicated communication server

In the [Basic Parameter] – [FEnet Basic Setting] dialog, select XGT server from the drivers, and conduct writing in PLC to
provide dedicated communication server function.

2-4
 Chapter 2. System Configuration

2.4.3.2 Modbus TCP/IP server

From the driver of [Basic Parameter] – [Ethernet Setting] dialog, select Modbus TCP/IP server.

Pressing the Modbus setting button will show the setting dialog shown below. Input the starting addresses in
the bit read domain, bit write domain, word read domain and word write domain, and write in the PLC to
execute Modbus TCP/IP server function.

NOTE
1) Ethernet communication is connected via a switching hub.
2) Up to 4 exclusive access points are supported.
3) The client can read I, Q, IS, QS, TS, and M domains of the Safety Controller.
Write command is applicable in the M domain only.
4) For reading IS, QS, and TS domains, set up by referring to the table below:

Safety CPU module domain When designated by client

ISB0 ~ ISB511 WB0 ~ WB511

QSB0 ~ QSB511 WB512 ~ WB1023

TSB0 ~ TSB511 WB1024 ~ WB1535

2-5
Chapter 2. System Configuration

2-6
 Chapter 3. General Specifications

Chapter 3 General Specifications

3.1 General Specifications

The general specifications of the XGS series are as follows.
No. Items Specifications Related standards
Ambient
1 0 ~ 55 °C
temperature
Storage
2 −25 ~ +70 °C
temperature
Ambient
3 5 ~ 95%RH (Non-condensing)
humidity
Storage
4 5 ~ 95%RH (Non-condensing)
humidity
Occasional vibration -
Frequency Acceleration Amplitude times
5 ≤ f < 8.4Hz − 3.5mm
Vibration 8.4 ≤ f ≤ 150Hz 9.8m/s2(1G) −
5 10 times each
resistance Continuous vibration IEC61131-2
directions
Frequency Acceleration Amplitude
(X, Y and Z)
5 ≤ f < 8.4Hz − 1.75mm
8.4 ≤ f ≤ 150Hz 4.9m/s2(0.5G) −
• Peak acceleration: 147 m/s 2(15G)
Shock
6 • Duration: 11ms IEC61131-2
resistance
• Half-sine, 3 times each direction per each axis
Square wave
DC : ± 900V LS ELECTRIC standard
Impulse noise
Electrostatic IEC61131-2
Voltage: 4kV (Contact discharge)
discharge IEC61000-1-2
Radiated
7 Noise resistance IEC61131-2,
electromagnetic 80 ~ 500 MHz, 10V/m
IEC61000-4-3
field noise
Segme Power supply Digital/analog input/output
Fast transient/bust IEC61131-2
nt module communication interface
noise IEC61000-1-4
Voltage 2kV 1kV
8 Environment Free from corrosive gasses and excessive dust
9 Altitude Up to 2,000 ms
Pollution
10 2 or less
degree
11 Cooling Air-cooling

Note
1) IEC (International Electrotechnical Commission):
An international nongovernmental organization which promotes internationally cooperated standardization in
electric/electronic field, publishes international standards and manages applicable estimation system related with.
2) Pollution degree:
An index indicating pollution degree of the operating environment which decides insulation performance of the devices. For instance, Pollution
degree 2 indicates the state generally that only non-conductive pollution occurs. However, this state contains temporary conduction due to dew
produced.

3-1
Chapter 3. General Specifications

3-2
 Chapter 4. Safety CPU Module

Chapter 4 Safety CPU Module

4.1 Performance Specifications

The performance specification of the safety CPU module (XGX-CPU01A) is presented in the table below.
Item Description Remark
Operation mode Cyclic operation -
I/O control mode Scan synchronization batch processing (refresh mode) -
Program language Ladder diagram -
Basic function 6 -
No. of
Basic function block 11 -
instructions
Safety function block 17 -
Program memory size 256KB Upload program size (512KB)
No. of I/O modules Max 14 modules -
I/O points (supported) 168 points (input 112, output 56) -
Auto variables scope (A) 10KB Symbolic variables scope
Input variables (I) 512B Safety input image domain
Safety input diagnosis image
Input status (I) 512B
domain
Output variables (Q) 512B Safety output image domain
Data
Safety output diagnosis image
memory Output status (QS) 512B
domain
Test pulse diagnosis image
Test pulse status (TS) 512B
domain
Direct variables (M) 256B Direct variables domain
Flag variables (F) 1KB System flag

Power failure, internal memory failure, I/O failure,

Diagnosis function program failure, operational device failure, module -
interface failure

RUN/STOP, safety lock/lock release,

Operation mode -
normal/safety mode

SIL 3 (IEC 61508 : 2009)

Applicable specification SILCL 3 (IEC 62061 : 2005) -
PLe, Category 4 (EN ISO 13849-1 : 2008)

Safety Extra Low Voltage

DC +24V (DC +19.2 ~ 28.8V)
(SELV)
Power supply Extra-Low Voltages with Safe Separation power supply
Protective Extra Low Voltage
(SELV, PELV)
(PELV)
PFH 3.43014 x 10 -09 -
PFD 2.478 x 10-05 -
SFF 98.1694 % -
H/W Fault Tolerance 1 -
Internal consumption current 130 mA -
Weight 260g -

4-1
 Chapter 4. Safety CPU Module

4.2 Part Names and Functions

<Front View> <Bottom View>

①-a ③
①-a
①-b ①-b
①-c ①-c

④
②

Cover (Close) Cover (Open)

No. Name Description

Indicates operating status of the safety CPU module.
RUN/STATE  Green lamp On: operating in RUN mode
①-a
LED  Red lamp On: operating in STOP mode
 Red flashing: the system is in safety mode due to a system error
Indicates Configuration Lock status.
Config. Lock
①-b  Yellow lamp On: operating in Configuration Lock status
LED
 Yellow lamp flashing: operating in Configuration Unlock status

Indicates Ethernet Link status.

 Green lamp On: Ethernet cable is connected, indicating ‘Ethernet Link’ status
①-c LINK LED  Red lamp Off: Ethernet cable is disconnected, indicating 'Ethernet Unlink'
status
It indicates physical connection only, not actual communication.
USB
② USB connector for accessing XG5000
connector
Power DC 24V power supply terminal block for the Safety Controller system
③
connector (+24V, 24G, FG)
Ethernet
④ Ethernet communication connector (accessible to XG5000)
connector

4-2
 Chapter 5. Program Structure and Operation

Chapter 5 Program Structure and Operation

5.1 Program Basics

5.1.1 Program execution method

1) Cyclic operation mode (Scan)

This is the typical program execution mode of PLC. Operation is carried out from the first to the last step of a program and
this process is called program scan. A series of process conducted as described above is called loop operation mode
The process is described in detail below by being classified into steps.

Step Description of the Process

START

 The step for starting scanning, executed once at system power on or

reset to perform following functions.
Initialization Reset I/O module Run self-diagnosis
Clear data
Allocate address and register type of I/O modules

 Before starting program operation, read the status of the input

Refresh input image domain
module and save it in the input image domain.

Program Operation  Perform operation from the beginning to the end of the
Start program program sequentially.

End program

 At the end of program operation, the content saved in the

Refresh output image domain output image domain is outputted to the output module

 For the CPU module to return to the first step after finishing
END a scan process, following actions are performed:
Refresh present user timer value
Perform self diagnosis
Perform communication service
(Dedicated communication server, Modbus TCP/IP
server, XG5000 service)
Process mode change request

5-1
 Chapter 5. Program Structure and Operation

5.1.2 Operation in instantaneous power failure

In the event that the voltage input to the safety CPU module is lower than the specification, following actions are carried
out: Normal function is continued for a power failure shorter than 10ms.
If the power fails for longer than 10ms, operation is stopped and output is turned off. Operation is resumed automatically
at power recovery.

(1) Instantaneous power failure less than 10ms

 CPU continues operation.

Input power
Power failure 10ms or less

(2) Instantaneous power failure longer than 10 ㎳

 System restarts at power return.

Input power
Power failure 10ms or longer

NOTE
1) What is instantaneous power failure?
The system input voltage is lower than the allowable limit specified for the PLC for a very short time
(several ms ~ tens of ms).

5-2
 Chapter 5. Program Structure and Operation

5.1.3 Scan Time

Scan time is the time elapsed from 0 step of program to the next 0 step, that is the time elapsed for completing
one control operation.

1) Operation mode and performance of XGS Series Safety Controller System

Major elements affecting the scan time includes program processing time, self diagnosis time, I/O data
processing time, and communication service time.

2) Calculating scan time

The safety CPU module carries out control function in the sequence shown below. The user can estimate control
performance of the system that the user is planning using the calculation method below.
The minimum scan time is 4 ms.

③I/O data Refresh

②System check ④Network Service

⑤XG5000 service

Program ①Ladder Scan Ladder Scan Ladder Scan

Scan

(1) Scan time = ① Processing scan program ＋ ② System check ＋ ③ I/O data Refresh
+ ④ Network Service + ⑤ XG5000 Service

① Processing scan program = the time expected to elapse for program inspection by XG5000
② System check = Time for self diagnosis + Time for MUC synchronization
[May increase according to the use of automatic allocation variables.]
= 900 ㎲ + 800 ㎲
③ I/O data refresh = 400 ㎲ per safety I/O module
④ Network Service (built-in Ethernet communication)
⑤ XG5000 Service processing time = 500 ㎲ for max. data monitoring

(2) Example

The scan time for [Estimated time for ladder program running (5.16 ms) + System comprising 2 I/O
modules] is
as follows:

Scan time (㎲) = Time for executing ladder + System processing time + I/O module processing time
+ Communication processing time + XG5000 Service processing time
= (5,160) + (1,700) + (400 X 2) + ( 0 ) + (500)
= 8.16 ㎳

3) Monitoring scan time

(1) Scan time is saved in the following flag (F) areas:

_SCAN_MAX : max. scan time (0.1 ms unit)
_SCAN_MIN : min. scan time (0.1 ms unit)
_SCAN_CUR : current value of scan time (0.1 ms unit)

(3) Scan time can be monitored by; [Online] – [Diagnosis] – [PLC Information] of XG5000.

5-3
 Chapter 5. Program Structure and Operation

5.1.4 Safety Response Time

When it detects a failure by the diagnosis of the safety controller, the system will switch to safe mode. The system
will block all output. The time it takes to detect the failure and to shut off its output is called safe response time.

1) Failure diagnostics will be handled as follows

(1) CPU module fault diagnostics

- Every scan cycle fault diagnosis function operates.

(2) I/O module fault diagnostics

- 2 scan cycle fault diagnosis function operates.

2) Maximum safe response time

Safety response time will occur depending on the failure of the CPU module and I/O module.
The diagnosis cycle of the IO module is twice the scan time. Maximum safety response times will be
calculated
by the IO modules.

(1) Maximum safe response time = (2 X ①Scan time) + ②Diagnosis Processing Time
①Scan time: See Chapter 5.1.3
②Diagnosis Processing Time: fault diagnosis processing time of I/O module (0.1ms)

(2) Example
Maximum safety response time of 8ms scan time is shown below.
Maximum safe response time = (2 X ①Scan time) + ②Diagnosis Processing Time
= (2 X 8ms) + (0.1ms)
= 16.1ms

NOTE
In order to calculate the response time until the output block of the actual response time of the
system, response time of Input(sensor / switch) and Output(actuator) connected to the safety
controller must be combined with a separate calculation.

5-4
 Chapter 5. Program Structure and Operation

5.2 Operation Mode

The operation modes of safety CPU module includes RUN/STOP mode, Configuration Lock/Unlock mode, and Normal/Safe.
These modes are described in detail below.

5.2.1 RUN mode

In this mode, program operation is conducted normally.

Start RUN mode first scanning

Initialize data area

Check program validity to

determine executability

Conduct input refresh

Run the program

Check normal operation/separation

of modules

Conduct output refresh

Comm. Service & internal process

RUN mode Change

Operation mode

Change to another mode

Operate in changed mode

1) Process at mode change

Data area is initialized at the beginning, and the program validity is examined to determine executability.

2) Description of operation
Conducts I/O refresh and program operation.
(1) Conducts I/O refresh.
(2) Conducts program operation.
(3) Check normal operation, separation of the installed modules.
(4) Conducts communication service and other internal processes.

5-5
 Chapter 5. Program Structure and Operation

5.2.2 STOP mode

The program has stopped operation.

1) Process at mode change

Delete output image domain and conducts output refresh. As a result, all output data are switched to OFF status.

2) Description of operation

(1) Conducts I/O refresh.

(2) Check normal operation, separation of the installed modules.
(3) Conducts communication service and other internal processes.

5.2.3 Configuration Lock/Unlock mode

This mode locks the configuration finished with safety sign to prevent change. In the safety lock mode, program cannot be
written in the safety CPU module.

1) Process at mode change

Configuration Lock/Unlock mode does not affect operation of the XGS Series Safety Controller.

NOTE
1) What is Configuration?
Configuration is the set of all the data related to XGS Safety Controller, including basic parameters, I/O
parameters, and scan program.

2) What is safety sign?

The controller of safety system signs to confirm that all the matters related with Safety Controller, including
basic parameters, I/O parameters, I/OO wiring and external device installation, have been verified.
Maintenance engineers are not allowed to write the configuration without safety sign in safety CPU module.

5.2.4 Normal/Safe mode

When a problem inside or outside of the system is detected during normal operation (normal mode), the XGS Series Safety
Controller switches to safe mode automatically. After entering safety mode, the error and countermeasures can be viewed by
selecting the error history tap in the [Online] – [PLC History] window of the XG5000.

1) Process at safety mode change

All the output image domain is deleted to turn off all the output contact points of the safety output module.

NOTE

The XGS Series Safety Controller defines safe status as the status where all outputs have been cut off. As
such, safety system shall be so designed as to enter safe condition when outputs are cut off.

5-6
 Chapter 5. Program Structure and Operation

5.2.5 Changing operation mode

1) How to change operation modes

Change the modes by connecting the programming tool (XG5000) to the communication port of the safety
CPU module.

2) Setting up operation mode

The user can set up following operation modes:

Operation Mode Setting Method Remark

The projects of the XG5000 and XGS

RUN [Online]-[Mode Change]-[Run]
series must be the same.
STOP [Online]-[Mode Change]-[Stop] -
Safety Sign [Online]-[Safety Sign] Only authorized administrator can sign.
Safety Lock [Online]-[Safety Lock] Safety sign must have been downloaded.
Safety Unlock [Online]-[Safety Unlock] -

3) Functions according to operation modes are as follows:

Operation Mode Safety Lock Function

Program write disabled,

Green LED On, Yellow LED On,
Lock
No. 1 output of No. 0 molecular On
Communication service operation
RUN
Change to Stop and write enabled
Green LED On, Yellow LED flashes,
Unlock
No. 1 output of No. 0 molecular On
Normal Communication service operation
mode Program write disabled,
Red LED On, Yellow LED On,
Lock
All outputs Off
Communication service operation
STOP
Program write enabled,
Red LED On, Yellow LED flashes,
Unlock
All outputs Off
Communication service operation

Program write disabled,

Safe Safe Red LED flashes
N/A
Mode status All outputs Off
Communication service operation

5-7
Chapter 5. Program Structure and Operation

5-8
 Chapter 6. Functions of Safety CPU Module

Chapter 6 Functions of Safety CPU Module

6.1 Self-diagnosis Function

(1) Safety CPU module can diagnosis itself for any abnormality with this function.
(2) Any abnormality at system power ON or during operation is detected to conduct preventive measures
against system malfunction and preventive maintenance.

6.1.1 CPU molecular self diagnosis function

Safety CPU module performs following self-diagnosis functions to detect problem of the safety CPU module
itself.

1) CPU Core self-test

2) CPU Peripheral self-test
3) CPU CCM (Core Compare module) self-test
4) Internal memory ECC (Error Correction Code) self-test
5) Firmware CRC test
6) Backup memory CRC test

If any abnormality is detected in the self testing, the Run/State LED flashes on the front of the safety CPU
module and the module enters safety mode.
After switching to safety mode, the system cuts off all the outputs.

6.1.2 I/O molecular self diagnosis function

Safety CPU module performs following self-diagnosis functions to detect problem of the I/O module.

1) CPU Core self-test

2) CPU Peripheral self-test
3) CPU CCM (Core Compare module) self-test
4) Internal memory ECC (Error Correction Code) self-test
5) Firmware CRC test
6) I/O separation

If any abnormality is detected in the self testing, the Run/State LED flashes on the front of the safety CPU
module and the module enters safety mode.
After switching to safety mode, the system cuts off all the outputs.

6.1.3 Synchronization between processor in module

The safety CPU module and safety I/O module have two processor inside. The two processor perform operation
independently and compare the results. If the results mismatch, the system switches to safe mode. After
switching to safety mode, the system cuts off all the outputs.

6-1
 Chapter 6. Functions of Safety CPU Module

6.1.4 Error history saving function

The safety CPU module records error history to support easy inspection and correction of the causes.
(See 12.5 Error Code List)

NOTE
1) All the results of self test are recorded in the flag area.
2) For further information on the self testing and error correction, see 12.5 Error Code List, Chapter 12,
Troubleshooting.

6.1.5 Troubleshooting

1) Classification of failures
Failures may occur in the PLC, inappropriate configuration of the system, incorrect operation result, etc.
Failures are classified into Heavy failures to which the system operation must be terminated for safety, and
Light failures to which the operator is notified of the failure and the system continues operation.

Major caused of PLC system failures are as follows:

 PLC hardware failure

 Erroneous system configuration
 Excessive mismatch time between dual channel inputs.
 Error detected by external device failure, open or short circuit.

2) Operation mode under failure

In the event of a failure, the PLC system records the failure description in flag and shuts down the system or
continues operation according to the severity of the failure.

(1) PLC hardware failure

If the failure is severe that the PLC cannot continue normal operation, the system enters safe mode and
cuts off all outputs.

(2) Erroneous system configuration

This type of failure occurs by mismatch between the PLC hardware configuration and the configuration
set up at the XG5000 and downloaded to the PLC. The system shuts down.

(3) Excessive mismatch time between dual channel inputs.

Mismatch time can be set up for dual input channel configuration. Mismatch error is triggered if a mismatch time
exceeds the preset allowable mismatch time. At a mismatch error, the input is recognized as OFF status and the
corresponding input state domain (IS domain) turns OFF. The system operates normally except the input.

(4) Error detected by external device failure, open or short circuit.

The XGS Series Safety Controller can detect failure, open circuit and short circuit of external devices
using test pulse outputs. If an error is detected, the input is recognized as OFF status and the
corresponding input state domain (IS domain) turns OFF. The system operates normally except the input.

6-2
 Chapter 6. Functions of Safety CPU Module

6.2 User Control

The XGS Series Safety Controller controls the users by classifying user levels as follows.
 Administrator
 Maintenance engineer

6.2.1 User authority

Users are authorized with following functions.
Maintenance
No. Item Administrator Remark
Engineer
1 Access PLC ○ ○ -
Maintenance engineers are only allowed to
2 Write PLC ○ △
write configurations with safety signs.
3 Read PLC ○ ○ -
4 Forced I/O ○ ○ -
5 Read memory ○ ○ -
6 View Log ○ ○ -
Change/delete A maintenance engineer can change or delete
7 ○ △
password his/her own password only.
9 Safety signing ○ X -

6.2.2 Password

Each user can access the system with a unique password.

The factory default password is LSIS for both administrator and maintenance engineer. When the PLC is initialized by
'PLC Delete All' function of XG5000, the current password is deleted and reset to the default password: LSIS.

6.2.2.1 Changing password

In the [Online] – [PLC Information] window, select Password tap and select the user whose password is to be changed.
Enter the current password followed by a new password, and repeat the new password for confirm. Click change (C)
button to change password.

6-3
 Chapter 6. Functions of Safety CPU Module

6.2.2.2 Deleting password

In the [Online] – [PLC Information] window, select Password tap and select the user whose password is to be deleted.
Enter the password and click Delete button to delete the password of the pertinent user.

6.3 Clock Function

The safety CPU module is has a clock function to provide reference time to system operation history, failure
history, and other temporal control.
Present time is continuously scanned and updated in the clock related F domain.

NOTE
1) The clock function operates only while the PLC is supplied with power. At power off, the clock stops and holds the point of
time at power off.
As such, the clock must be reset to present time at power recovery.
2) Factory setting is 2000 (YYYY) 1 (MM) 1 (DD) 0 (HH) 0 (MM) 0 (SS) UTC and 2000 (YYYY) 1 (MM) 1 (DD) 9 (HH)
0 (MM) 0 (SS) in Korean time.

1) Reading and setting up XG5000

Click 'PLC Clock' in the [Online]-[PLC Information] window of XG5000.

Date and time of the PLC will display. To correct time display of the PLC, correct time can be transmitted to the PLC, or
using 'Synchronization with PLC clock (S)' tap which transmits time from a PC connected to the PLC for
synchronization.

When the PLC clock is set, the dialog displays 'PLC clock is set up' as shown in the picture. If the PLC time
is not valid due to power OFF/ON, or being not set up, the dialog displays 'PLC clock is not set up or
incorrect' as shown in the picture to the right.

6-4
 Chapter 6. Functions of Safety CPU Module

6.4 Forced On/Off of Input/Output

The forced input/output function turns I/O area On/Off regardless of the function of the program. This function is for design
and testing of the safety system, and does not function in safety lock condition.

6.4.1 Forced I/O Setting

Specify the time for setting in [Online] – [Forced I/O Setting] window. At the set up time, the PLC will reset I/O and enter
stop mode.

Click [Monitor] – [Start Monitor] and double click the contact point to which forced I/O is to be set up. A
window appears in which present value can be changed.
Click [Forced I/O ▼] to enter forced I/O setting window. Select: Allow Forced Input (Output) and Forced Value taps, and
click Confirm to effect forced I/O function

NOTE

1) All forced I/O settings are initialized at PLC power off.

6-5
 Chapter 6. Functions of Safety CPU Module

6.4.2 Point of time and method for forced On / Off action

(1) Forced input

This function updates input image area, the data read from the input module at the time point of input refresh, is
substituted for the data of the point set up by forced ON/OFF. As a result, the user program operates using actually
input data and the forced set-up data.

(2) Forced output

This function updates the data of the point set up by forced ON/OFF, of the data in the output image area
containing results of operation, by substituting the data at the time point of output refresh after completion
of a user program operation, with the forced set-up data.

6.5 Auto Run Function

Auto run function switches to Run mode after system power on, in Run mode status.

6.5.1 Setting up Auto Run function

Select Basic Operation setting tap in the [Parameter] – [Basic Parameter] window. From the Auto Run at Start-up menu,
select Auto Run and then Write to finish the setting.

6.5.2 Operation of Auto Run function

The table below presents the operation mode at power Off and On, according to the operation mode and Auto
Run function setting at the time of power Off.
Operation mode at Off
STOP Mode RUN Mode Safety Mode
Auto Run Setting
STOP mode when
Stop STOP mode STOP mode
normal
RUN mode when
Auto Run STOP mode RUN mode
normal

6-6
 Chapter 6. Functions of Safety CPU Module

6.6 Log Save Function

The PLC history (log) of the safety CPU module can be classified into 3 types: system log, error log, and user
log.
The point of time, , etc. are saved in the memory for convenient monitoring at the XG5000.

6.6.1 Setting up max. log mode

Log save method can be changed if the maximum number of logs (3,000) is exceeded.
• Loop mode: the number of log is reset to and restarts from zero.
• Stop mode: the number of log is no more recorded.

Select [Basic Operation Setting] tap in the [Parameter] – [Basic Parameter] window. Max. log mode can be set up to system
log, error log and user log, respectively.

6.6.2 System log

Saves the history of the system operation occurred during operation.

• Save history code, date and time
• Up to 3,000 logs are saved

6-7
 Chapter 6. Functions of Safety CPU Module

6.6.3 Error log

Saves the content and time of system error occurred during operation.
• Save date, time and error code
• Up to 3,000 logs are saved

6.6.4 User log

Use log can be recorded using MESSAGE or MESSAGE_S function block.

• Up to 3,000 logs are saved

Select [Log Setting] tap in the [Parameter] – [Basic Parameter] window. Check the Use check box and input the message to
be recorded at an event.

At an IN input rise event, the message corresponding to the message No. of MSG input value is recorded
in the user log.
Refer to the command manual for further details of the MESSAGE or MESSAGE_S function block.

NOTE

1) Saved information is maintained until deleted with pertinent menu of the XG5000.
2) If the history count exceeds 100, only a portion of the histories are displayed. To read all the histories, conduct View All.

6-8
 Chapter 7. Safety I/O Module

Chapter 7 Safety I/O Module

7.1 Cautions for Using I/O Safety Module

This is to provide information on the cautions for using the safety input/output module of the XGS Series
Safety Controller.

1) For driving an inductive (L) load at the output point, set up the maximum opening and closing
frequencies at ON for 1 s and OFF for 1 s.

2) If the output point is set up with average current, inrush current at output point ON or during operation
may cause troubles. In order to protect the system from inrush current, install resistance or inductor in
series to the load or select the load taking margin for maximum allowable current into consideration.

Resistor Load Inductor Load

Output Output
Modul Modul
e e

3) The size of the wire connected to the terminal block shall be stranded 0.3~0.75 ㎟ or a single line 2.8 ㎜
or less thickness. Check the allowable current of the wire which may differ by insulation thickness, etc.

4) Power supply to the output contact must be isolated from the power supply to the safety CPU module.

7-1
 Chapter 7. Safety I/O Module

7.2 Specification of Safety Input Module

Specification
Item Remark
XGS-DI08A
Input points 8 -
Single channel
8 input points used individually (I0 ~ I7) -
Input input mode
Mode Dual channel 4 input points used by dual
-
input mode (I0/I1, I2/I3, I4/I5, I6/I7)
Rated input DC +24V, 4.0mA -
On assured voltage/ On
Safety DC +11V or more, 12mA or more -
current
Digital
Off assured voltage / Off
Input DC +5V or less, 0.8mA or less -
current
Off  On input filter 0 ms ~ 200 ms
Set up by 1 ms unit
On  Off input filter 0 ms ~ 200 ms
Mismatch time 0 ms ~ 65535 ms
Dual
input Error latch time 0 ms ~ 65535 ms -
mode
Input mode Equivalent, Complementary
Use or No can be
Test pulse output contact 2
set up
Test pulse output mode PNP output -
Test
Pulse Test pulse output voltage DC +24V (+19.2V ~ +28.8V) -
Output Test pulse output current Max. 120 mA/contact -
Test pulse cycle 40ms ~ 1000ms Set up by 4 ms unit
Test pulse width 1ms ~ 100ms Set up by 1 ms unit
SIL 3 (IEC 61508 : 2009)
Applicable specification SILCL 3 (IEC 62061 : 2005) -
PLe, Category 4 (EN ISO 13849-1 : 2008)
Power supply Via extension connect to CPU module -
PFH 3.28678 x 10-09 -
PFD 2.091 x 10-05 -

SFF 99.1174 % -

H/W Fault Tolerance 1

Internal consumption current 0.36A

Weight 210g

7-2
 Chapter 7. Safety I/O Module

7.3 Specification of Safety Input/Output Module

Specification
Item Remark
XGS-DIO84A
Input points 8 -
Single channel input mode 8 input points used individually (I0 ~ I7) -
Input
4 input points used by dual
mode Dual channel input mode -
(I0/I1, I2/I3, I4/I5, I6/I7)
Rated input DC +24V, 4.0mA -
Safety On assured voltage /On current DC +11V or more, 12mA or more -
Digital
Input Off assured voltage /Off current DC +5V or less, 0.8mA or less -
Off  On input filter 0 ms ~ 200 ms
Set up by 1 ms unit
On  Off input filter 0 ms ~ 200 ms
Mismatch time 0 ms ~ 65535 ms
Dual
input Error latch time 0 ms ~ 65535 ms -
mode
Input mode Equivalent, Complementary
Test pulse output contact 2 Use or No can be set up
Test pulse output mode PNP output -
Test Test pulse output voltage DC +24V (+19.2V ~ +28.8V) -
Pulse
Output Test pulse output current Max. 120 mA/contact -
Test pulse cycle 40ms ~ 1000ms Set up by 4 ms unit
Test pulse width 1ms ~ 100ms Set up by 1 ms unit
Output points 4 -
Output mode PNP output -
Single channel output mode 4 input points used individually (Q0 ~ Q1) -
Output
2 output points used by dual
mode Dual channel output mode -
Safety (Q0/Q1, Q2/Q3)
Digital Output voltage DC +24V (+19.2V ~ +28.8V) -
Output
Output current Max. 0.5 A/contact -
Error latch time 0 ~ 65535 ms -
DC +24V (+19.2V ~ +28.8V)
Power supply for output extra-low voltages with safe separation Via external connector
Power supply (SELV, PELV)
SIL 3 (IEC 61508 : 2009)
Applicable specification SILCL 3 (IEC 62061 : 2005) -
PLe, Category 4 (EN ISO 13849-1 : 2008)
Power supply Via extension connect to CPU module -
PFH 6.67541 x 10-09 -
PFD 3.623 x 10-05 -
SFF 99.1174 % -
H/W Fault Tolerance 1
Internal consumption current 0.51A -
Weight 220g -

7-3
 Chapter 7. Safety I/O Module

7.4 Part Names and Functions

<Front View> <Side View>

③
④

①-a

② ②

①-b
③ ③

XGS-DI08A XGS-DIO84A

No. Name Application

Indicates input contact status.

 Green On: input contact On
 Green Off: input contact Off
①-a IN LED
 Red On: input contact error
- Dual channel inputs mismatch error.
- Test pulse abnormal input
Indicates output contact status.
 Green On: output contact On
 Green Off: output contact Off
①-b OUT LED  Red On: output contact error
- Output contact On while output power supply is abnormal (over
voltage, low voltage)
- Dual channel outputs mismatch error.
Indicates operation status of module.
 Green On: normal operation / RUN mode
② STATE LED
 Green On: normal operation / STOP mode
 Red flashing: I/O module error / safety mode
Extension
③ Safety CPU or additional safety input / I/O module connector
connectors

④ Contact connector Connectors for I/O contacts, test pulse, output contact power supply

7-4
 Chapter 8. Functions of Safety I/O Module

Chapter 8 Functions of Safety I/O Module

8.1 Setting-up and Operation of Input Mode

The safety I/O module of the XGS Series provides following input modes.

Input Mode Description Default Setting

Single channel input mode Processed individually

Equivalent 2 contact points are processed as a pair Single channel

(N / N+1 contacts, N is an even number) input mode
Dual channel - I0 / I1
input mode - I2 / I3
Complementary - I4 / I5
- I6 / I7

Operation under dual channel input setting is as follows.

Input Mode Description Default Setting

1
N (I0, I2, I4, I6)
0

N+1 (I1, I3, I5, I7)

Equivalent mode 0

1
Input
0

When two input signals turn On or Off simultaneously, input is

changed
Equivalent mode
1

N (I0, I2, I4, I6)

0

Complementary N+1 (I1, I3, I5, I7)

0
mode
1
Input
0

When two input signals are different simultaneously, input is

changed ; if N is high then input is high and if N is low then
input is low

8-1
 Chapter 8. Functions of Safety I/O Module

In Dual Channel input mode, input image area (Area I), input diagnosis device (Area IS), and safety I/O module
contact LED functions according to the status of input contact, as follows.

Safety Input Safety Input Diagnosis

Actual Input Image Area Image Area LED Status
Dual Channel Input
(Input variable Area I) (Input status Area IS)
Input Mode Matching
Input Input Input Input
%IX0.y.N %IX0.y.N+1 %ISX0.y.N %ISX0.y.N+1
N N+1 N N+1

Low Low 0 0 1 1 Off Off Normal

Input
Low High 0 0 0 0 Red Red
Equivalent mismatch
Mode Input
High Low 0 0 0 0 Red Red
mismatch

High High 1 1 1 1 Green Green Normal

Input
Low Low 0 0 0 0 Red Red
mismatch

Complementar Low High 0 0 1 1 Off Green Normal

y
Mode High Low 1 1 1 1 Green Off Normal

Input
High High 0 0 0 0 Red Red
mismatch
N represents even number input contact, y represents No. of slot where the module is installed.
IS image areas display “1” at normal and “0” at abnormal.

8-2
 Chapter 8. Functions of Safety I/O Module

8.2 Input On/Off Filter and Off/On Filter

Input filters can be set up by input channel.
In the [Parameter] – [I/O Parameter] window, select the module installed in the slot to be set up. Click [Detail] button or double-
click the module to set up I/O parameters.

Click [Set-up Properties] button to set up I/O channel parameters.

Set up On/Off filter time and Off/On filter time. Setting can be made within 0 ~ 200 ms range by 1 ms unit. The
initial (default) setting is 4 ms.

8-3
 Chapter 8. Functions of Safety I/O Module

8.3 Mismatch Error (Input)

The input contacts set up by dual channel can be set up with mismatch time between the contact points.
When the time of mismatch between two inputs set up in Equivalent or Complementary mode exceeds setting time,
the inputs trigger mismatch error. At a mismatch error, the relevant IS area turns Off and the system functions
normally.
The mismatch time setting can be made within 0 ~ 65535 ms range by 1 ms unit. The initial (default) setting is 10 ms.

8.4 Error Latch Time (Input)

After a mismatch error of dual inputs, when the inputs recover normal function, the error latch time resumes normal operation
after maintaining mismatch status for a preset error latch time. Setting can be made within 0 ~ 65535 ms range by 1 ms unit.
The initial (default) setting is 0ms. The setting applies to dual input and output contacts. In Equivalent mode, both inputs have to
become Low to reset the error, and in Complementary mode, N and N+1 inputs must become Low and High to reset the error.

8-4
 Chapter 8. Functions of Safety I/O Module

The picture below illustrates an exemplary case wherein input 0 and input 1 contacts of the input module
installed at No. 0 slot are set up as dual equivalent input mode, on condition that mismatch time in Equivalent
mode operation 1,000ms and latch time 2,000ms.

I0

1500ms
I1 ②

%ISX0.0.0 2000ms③ ④
%ISX0.0.1 1000ms ①

Error latch time

%IX0.0.0
%IX0.0.1

1) When the I0 and I1 contacts maintain mismatched status for 1,000 ms, a mismatch error is triggered
and the corresponding IS area turns Off.
2) Both I0 and I1 contacts becomes normal high status, the mismatch error is maintained for the error latch
time.
3) Although 2,000 ms has elapsed in normal condition, the error persists because both inputs are high.
In Equivalent mode, both inputs must become Low to reset error.
4) Both inputs became Low and the time of normal condition has exceeded the error latch time 2,000 ms,
thus, the error is reset and the system functions normally.

8-5
 Chapter 8. Functions of Safety I/O Module

8.5 Test Pulse Setting (Input)

Test pulse output is used to detect failure of safety input devices (sensors, switches, light curtain, etc.) and wiring error at input
terminals. The I/O module of the XGS Series provides 2 (T1, T2) test pulse outputs.

Each input contacts must use designated test pulse outputs as presented in the table below.
Test pulse output Input contacts Remark
T1 I0, I2, I4, I6 Use-or-not of test pulse for each input can
T2 I1, I3, I5, I7 be set up with the parameters

The cycle and width of test pulse can be set up per I/O module; cycle within 40 ~ 1000 ms by 4 ms steps, and
pulse width within 1~100 ms by 1 ms steps.

Item Setting Value Default Remark

Test pulse duration 1ms ~ 100ms 2ms Set up by 1 ms unit

Test pulse cycle 40ms ~ 1000ms 200ms Set up by 4 ms unit

8-6
 Chapter 8. Functions of Safety I/O Module

Width of the test pulse must be set up less than 1/2 of the test pulse cycle.
The picture below illustrates an exemplary case pf test pulse output under the setting of 40 ms cycle and 10 ms
width.

40ms

T1

10ms 40ms

T2

10ms

8.6 Input Wiring

The picture below illustrates an exemplary case of wiring wherein test pulse output is used in single channel
mode.

8-7
 Chapter 8. Functions of Safety I/O Module

24V DC
+
-

The picture below illustrates an exemplary case of wiring wherein test pulse output is used in dual channel input,
Equivalent mode.

8-8
 Chapter 8. Functions of Safety I/O Module

+
24V DC
-

8-9
 Chapter 8. Functions of Safety I/O Module

8.7 Setting-up and Operation of Output Mode

The safety I/O module of the XGS Series provides following output modes.

Output Mode Description Default Setting

Single channel output mode Processed individually

Single channel output

2 contact points are processed as a pair mode
(N / N+1 contacts, N is an even number)
Dual channel output mode
- Q0 / Q1
- Q2 /QI3

In Dual Channel output mode, according to the output image area (Q area), the input diagnosis device (Area QS)
and actual output and safety I/O module contact LED functions as follows.
Safety Output Safety Output Diagnosis
Image Area Image Area LED Status Actual Output
Output
Mode (Output variable Area Q) (Output status Area QS)
matching
Input Input Output Output
%QX0.y.N %QX0.y.N+1 %QSX0.y.N %QSX0.y.N+1
N N+1 N N+1

0 0 1 1 Off Off Off Off Normal

Output
1 0 0 0 Red Red Off Off
Dual output mismatch
mode Output
0 1 0 0 Red Red Off Off
mismatch

1 1 1 1 Green Green On On Normal

N represents even number output contact, y represents No. of slot where the module is installed.

NOTE
If the output contact is turned ON while the output power supply for the XGS-DIO84A (DC24V) is not applied,
same as the output mismatch condition, the safety output diagnosis area turns off and the corresponding output
contact LED lights up in red.

8.8 Mismatch Error (Output)

When the output contacts are set up in Dual Channel mode, a mismatch error is triggered if two safety output image values
within one scan of the program do not match. At a mismatch error, the relevant output contact point only is indicated as error
(relevant QS area Off) and the system operates normally.

8-10
 Chapter 8. Functions of Safety I/O Module

8.9 Error Latch Time (Output)

After a mismatch error outputs, outputs keep error for the error latch time. Setting can be made within 0 ~ 65535
ms range by 1 ms unit. The initial (default) setting is 0 ms.
The setting applies to dual input and output contacts.

The picture below illustrates an exemplary case wherein Q0 and Q1 contacts of the input module installed at
No. 0 slot are set up as dual equivalent input mode, on condition that error latch time is set by 2,000ms.

%QX0.0.0

%QX0.0.1 ②

%QSX0.0.0 2000ms③ ④
%QSX0.0.1 ①
At least 1scan Error latch time
Q0

Q1

1) If the Area QX i.e. %QX0.0.0 and %QX0.0.1 set up in dual output mismatch in one scan program,
mismatch error is triggered and the corresponding QS area turns Off.
2) QX areas resumed normal high status, the mismatch error is maintained for the error latch time.
3) Although 2,000 ms has elapsed in normal condition, the two Q areas must become low to reset the error.
4) Both two QX areas became Low and the time of normal condition has exceeded the error latch time
2,000 ms, thus, the error is reset and the system functions normally.

8-11
 Chapter 8. Functions of Safety I/O Module

8.10 Test Pulse Setting (Output)

Test pulse outputs are used to detect internal output failure. Test pulses(500us) are generated inside of the
output contact. Use-or-not of the pulse can be set up. Check the influence of the test pulse on the output load
before application of this function.

8.11 Output Wiring

The picture below shows an exemplary output wiring. For details of power supply wiring, refer to users' manual 'Chapter 9
Installation and Wiring.'

+
24V DC L L
-

L L

-
+

24V DC

8-12
 Chapter 9. Installation and Wiring

Chapter 9 Installation and Wiring

9.1 Installation

9.1.1 Environment

The product is highly reliability regardless of the environmental conditions. However, to maintain reliability and stability,
please take care of the conditions described in this chapter.

1) Environmental conditions
(1) Install in a waterproof and dust-proof cabinet.
(2) Avoid continuous impact or vibration.
(3) Avoid direct sunlight
(4) Avoid rapid temperature change which may form dew drops
(5) Ambient temperature shall be within 0 ~ 60 °C
(6) Relative humidity shall be within 5 ~ 95 %
(7) Avoid corrosive or flammable gases.

2) Installation Work
(1) Protect the PLC from foreign materials during installation and wiring work.
(2) Select a position suitable for operation.
(3) Do not install in the same panel with a high voltage device.
(4) Keep at least 50 mm of space between the wire duct and adjacent modules.
(5) Ground the PLC to a point where noise environment is favorable.

9.1.2 Cautions for handling

1) Do not fall on the ground. Avoid shock.

2) Do not separate PCB from the case. Otherwise, failure may be caused.
3) Protect the module from debris generated from wiring work. Remove any foreign material entered in the module.
4) Do not connect or disconnect the module while power is on.
5) Use standard cables whose lengths do not exceed the maximum allowable length.
6) Keep the communication lines away from the surge and induction noise generated in the AC lines.
7) If the cables are laid in cable conduits, ground the conduits.

9.1.3 Cautions for wiring

1) Do not lay AC power line and external signal lines of the module close together. Provide at least 100 mm distance, or
lay the lines in conduits. Sufficient space must be provided to avoid interference from the surge or induction noise from
the AC lines.
2) The wires shall be selected taking the ambient temperature and allowable current into consideration, with
a minimum size of AWG22 (0.3 ㎟).
3) For power source monitoring, the wires should be twisted as densely as possible and arranged in the shortest path.
(Max. wiring distance 15 m or less)
4) Keep the wires away from heat source and oil or other harmful materials. Otherwise, shot-circuit may
occur leading to damage or malfunction of the system.
5) Keep the wires away from high voltage and power lines to avoid induction interference which can cause
malfunction or failure.

9-1
 Chapter 9. Installation and Wiring

9.1.4 Installation and removal of module

1) Module installation
Position the module so that the extension connector on the lateral side and projections at the corners come
correct positions.
Check that the coupling hooks are properly joined.

Coupling hooks

Extension Connectors
2) Module detachment
Hold and remove the module by both hands. (Do not apply excessive force.)

3) Module installation
The product is designed to be installed on DIN rails (width 35 mm). Install the module on DIN rails and push the
coupling hooks to fix the module.

Coupling hooks

9-2
 Chapter 9. Installation and Wiring

9.1.5 Cautions for installation

(1) General precaution

1) The XGS Series Safety Controller turns output off when any problem in the external power source or
product itself is detected. The external circuit shall be so configured as to cut off the power supply to the
load so that connected device(s) is shut down, when the output is turned off. Otherwise, the entire line may
result in a severe problem or accident.

2) When changing data, program, or status of an operating safety controller, provide an interlock circuit with
the sequence program and system outside to secure safe operation of the system. Read the manual
carefully and determine operating sequence before operating the Safety Controller for safety. In addition,
for online control of the Safety Controller at a PC, prepare countermeasures against communication error,
may be due to cable connection failure, for the system.

3) When a safety function is activated and the output has been cut off, prepare an interlock program using
reset button, etc., to prevent unauthorized manual restarting.

4) In case that the temperature inside of the operation panel where the Safety Controller is installed may exceed the
allowable temperature range, it is highly recommended to install a heat exchanger in the operation panel to control the
temperature. Using an ordinary ventilation fan may introduce dust from outside, affecting the function of the Safety
Controller.

9-3
 Chapter 9. Installation and Wiring

9.1.6 Product setting procedure up to commissioning

The procedures from installation to commissioning are described below. After installation, perform following procedures:

Start Setting


Configure the Safety Controller system.
--> Check & install safety I/O module

Turn on power, check state of the LED on the CPU module.
--> Check that RUN/STATE LED of the CPU module is OK.

Check LED status of the safety I/O module
--> Check that the STATE LED of the safety I/O module is normal.

At the XG5000, configure system and I/O parameters
--> Parameters suitable for the system configuration.

Prepare a program at XG5000
--> Prepare and down load a program,

Change operation mode to Run at XG5000
--> Check that the RUN/STATE LED of the safety CPU module is:
Green On.

Check normal operation of the program by monitoring with the
XG5000.

Change operation mode to Configuration Lock mode at the
XG5000.
--> Check that the Config.Lock LED of the CPU module is On.

Start Operation

9-4
 Chapter 9. Installation and Wiring

9.2 Wiring

This section provides information on the system wiring.

9.2.1 Power supply

+
24V DC
-
+
-

24V DC

1) Use a power source having low line-to-line, line-to-ground noise.

(If noise is high, connect an insulation transformer.)

2) Isolate the systems of PLC power source, I/O devices and drive devices, as shown below.

3) It is recommended to twist the power wires densely and make the total length as short as possible.

4) Keep the DC 24V line away from the main circuit (high voltage, large current) lines and I/O signal lines. Provide at least
100 mm or more of space.

5) Install a lightning surge absorber to protect the system from lightning surge.

PLC
I/O Device

E1 E2

Lightning Surge Absorber

9-5
 Chapter 9. Installation and Wiring

NOTE
1) The ground connection (E1) of the surge absorber and the ground connection (E2) of the PLC
must be isolated.
2) the surge absorber must be able to absorb surge within the maximum allowable voltage at the
maximum voltage peak of the power supply.

6) If noise may permeate, install an insulation transformer or noise filter.

7) Use shortest, twisted wires for I/O power supplies. Do not lay the wires of the insulation transformer or noise
filter in a conduit.

9.2.2 Grounding circuit

1) The PLC is implemented with sufficient anti-noise measures, thus, ground is not necessary unless the system is subject
to very high noise level. If grounding is necessary, take following information into consideration.

2) The ground circuit should be exclusive as possible.

The grounding work shall be Class 3 (Ground resistance 100 Ω or less).

3) If exclusive grounding is unavailable, install common grounding circuit as illustrated in figure b) below.

PLC Others PLC Others PLC Others

Class 3 Grounding Class 3 Grounding

a) Exclusive grounding: b) Common grounding: c) Common grounding:

recommended acceptable unacceptable

4) Ground wire shall be at least 2 mm2. Grounding point shall be as close to the PLC as possible to reduce the
wire length.

9.2.3 wire specification

The table below presents specifications for the wires.

Wire Size (mm2)

External Connection
Low Limit Upper Limit
Digital Input 0.18 (AWG24) 1.5 (AWG16)
Digital Output 0.18 (AWG24) 2.0 (AWG14)
Main Power Supply 1.5 (AWG16) 2.5 (AWG12)
Protective Grounding 1.5 (AWG16) 2.5 (AWG12)

9-6
 Chapter 10. Maintenance

Chapter 10 Maintenance
Daily and regular maintenance must be performed to maintain the PLC always at the best condition.
The lifetime of the controllers is about 20 years. However, the impact on the environment can cause damage to the
devices.
Results for all of the checks and administrative actions must be recorded. Please record information about the serial
number of the product.

10.1 Inspection and Maintenance

The table below presents the items which should be inspected by 1~2 times per half year.

Items for Inspection Decision Criteria Corrective Action

Within allowable range Adjust the power supply to meet the
Power supply
(Within −15% / +10%) allowable voltage range.
Input/ output specification of Adjust the power supply to meet the
Power supply for input/ output
each module allowable voltage range of each module.
Temperature 0 ~ 55 ℃ Control the operation temperature and
Humidity 5 ~ 95% RH humidity to meet the specification.
Environment Apply anti-vibration rubber pads or other
Vibration No vibration
means to prevent vibration.
No free movement is
Shaking of module No module must show looseness.
acceptable
Loose terminating screws No loose screw Tighten loose bolts and nuts.
Check inventory and storage Replenish with shortage, keep in good
Spare parts
condition condition.

10.2 Daily Inspection

Daily inspection shall be performed for the items listed below.

Corrective
Items for Inspection Actions Decision Criteria
Action
Mounting of I/O module Check mounting of I/O module Shall be firmly mounted -
Connection at terminal Shall have appropriate
Close crimpled terminals correction
block and extension cables spacing
RUN/STATE Light up See
Check red lighting at Run status
LED (abnormal if out) Chap.12
Check yellow lamp in safety lock
CONFIG. mode See
ON or flash
LOCK LED Check yellow lamp flash in safety Chap.12
Indicator unlock
LED Red when connected to Ethernet See
COMM LED Abnormal if flashes
cable Chap.12
Light ON at input On, See
Input LED Check ON/Off
Out at input Off Chap.12
Light ON at output On, See
Output LED Check ON/Off
Out at output Off Chap.12

10-1
 Chapter 10. Maintenance

10. 3 Regular Inspection

Check following items biannually and take corrective actions as necessary.

Items for Inspection Inspection Method Decision Criteria Corrective Action

Ambient Measure with Control within general
0 ~ 55 °C
Temperature thermometer/ specification.
Environ
Ambient humidity hygrometer 5 ~ 95%RH (Standard
ment
Ambient Measure corrosive No corrosive gas environment in the
contamination gases allowed panel)
Shall be firmly
Looseness Shake the modules. Tighten the screws
mounted
PLC
dust, foreign
Visual inspection No contaminant -
matter
Tighten with screw
Loose screws No loose screw Tighten
driver
Connecti Close crimpled Shall have
on Visual inspection Correction
terminals appropriate spacing
Loose connection Visual inspection No loose screw Correct the connector
Test the supply voltage
Check supply voltage DC24V:DC19.2 ~ 28.8V Adjust supply voltage
with a tester
Fuses Visual inspection Shall be not blown

NOTE
For all devices that are configured for safety applications, please follow the instructions for daily and
regular inspections described in the manual for each device.

10-2
 Chapter 11. EMC Compliance

Chapter 11 EMC Compliance

11.1 Requirements Complying with EMC Specifications

EMC Directions describe “Do not emit strong electromagnetic wave to the outside: Emission” and “Do not have an influence of
electromagnetic wave from the outside: Immunity”, and the applicable products are requested to meet the directions. The chapter
summarizes how to structure a system using XGT PLC to comply with the EMC directions. The description is the data summarized for
the requirements and specifications of EMC regulation acquired by the company but it does not mean that every system
manufactured according to the description meets the following specifications. The method and determination to comply with the EMC
directions should be finally determined by the system manufacturer self.

11.1.1 EMC specifications

The EMC specifications affecting the PLC are as follows.

Specification Test items Test details Standard value

EN55011 Radiated Measure the wave emitted from a product. 30~230 ㎒ QP : 50 ㏈㎶/m ＊1
noise ＊2 230~1000 ㎒ QP : 57 ㏈㎶/m
EN55011 conducted Measure the noise that a product emits to the 150~500 ㎑ QP : 79 ㏈
EN50081-2
noise power line. Mean : 66 ㏈
500~230 ㎒ QP : 73 ㏈
Mean : 60 ㏈
EN61000-4- Electrostatic Immunity test allowing static electricity to the 8 ㎸ Air discharge
immunity case of a device. 6 ㎸ Contact discharge
EN61000-4-4 Immunity test allowing a fast noise to power Power line : 2 ㎸
Fast transient burst noise cable and signal cable. Digital I/O : 1 ㎸
Analogue I/O, signal lines : 1 ㎸
EN61131-2 EN61000-4-3 Immunity test injecting electric field to a 10Vm, 26~1000 ㎒
Radiated field AM product. 80% AM modulation@ 1 ㎑
modulation
EN61000-4-12 Immunity test allowing attenuation vibration Power line : 1 ㎸
Damped oscillatory wave wave to power cable. Digital I/O(24V and higher) : 1 ㎸
immunity
＊1 : QP: Quasi Peak, Mean : average value
＊2 : PLC is a type of open device(installed on another device) and to be installed in a panel.
For any applicable tests, the system is tested with the system installed in a panel.

11-1
 Chapter 11. EMC Compliance

11.1.2 Panel
The PLC is a kind of open device(installed on another device) and it should be installed in a panel. It is because the installation
may prevent a person from suffering from an accident due to electric shock as the person contacts with the product(XGT PLC)
and the panel can attenuates the noise generating from the PLC.
In case of XGT PLC, to restrict EMI emitted from a product, it should be installed in a metallic panel. The specifications of the
metallic panel are as follows.

1) Panel

The panel for PLC should be installed and manufactured as follows.

(1) The panel should be made of SPCC(Cold Rolled Mild Steel)

(2) The plate should be 1.6mm and thicker
(3) The power supplied to the panel should be protected against surge by using insulated transformer.
(4) The panel should be structured so that electric wave is not leaked outside. For instance, make the door as a box as
presented below. The main frame should be also designed to be covered the door in order to restrict any radiating noise
generated from the PLC.
Panel Main frame

Door

Visor

(5) The inside plate of panel should have proper conductivity with a wide surface as possible by eliminating the plating of the bolt
used to be mounted on the main frame in order to secure the electric contact with the frame.

11-2
 Chapter 11. EMC Compliance

2) Power cable and grounding cable

The grounding/power cable of PLC should be treated as follows.

(1) The panel should be grounded with a thick wire() to secure a lower impedance even in high frequency.
(2) LG(Line Ground) terminal and FG(Frame Ground) terminal functionally let the noise inside the PLC flow into the ground, so
a wire of which impedance is low should be used.
(3) Since the grounding cable itself may generate noise, thick and short wiring may prevent it serving as an antenna.

11.1.3 Cable
1) Fixing a cable in the panel

If the extension cable of XGS series is to be installed on the metallic panel, the cable should be 1cm and more away from the
panel, preventing the direct contact.
The metallic plate of panel may shield noise from electromagnetic wave while it a cable as a noise source is close to the place,
it can serve as an antenna. Every fast signal cable as well as the extension cable needs proper spacing from the panel.

11-3
Chapter 11. EMC Compliance

11-4
 Chapter 12. Troubleshooting

Chapter 12 Troubleshooting
This chapter describes the errors which may occur during operation and the causes, measures to detect and correct the errors

12.1 Basic Procedures for Troubleshooting

While it is important to employ reliable devices to improve system reliability, prompt response and taking corrective actions are also as
much important.
In order to recover a troubled system, it is very important to identify and correct the cause of the problem, taking the following points into
consideration.
1) Visual inspection
Check following points by visual inspection:
• Machine status (shut down, operating)
• Power supply
• I/O devices
• Wiring (I/O cables, extension and communication tables)
• Check the statuses of the indicators (RUN/STATE LED, CONFIG.LOCK LED, C LED, etc.), connect peripheral devices to test
the operation of the PLC and program.
2) Check abnormality
Conduct following operation and check the change of the problem.
• Turn power supply Off and On.
3) Identify the source of problem
Investigate the cause of problem with the following procedures:
• PLC itself? Or external cause?
• Input/Output module? Or else?
• PLC program?

NOTE
When replacing the products, try operation after resetting all the information necessary for the operation resumed
and checking safety functions.

12.2 Troubleshooting
Methods for identifying problems, description of errors and error codes are provided below by symptoms.

Problem

Power LED is OFF Corrective method for Power LED off

Err. LED is ON Corrective method for Error LED on

Run, Stop LED is OFF Corrective method for Run, Stop LED off

I/O module malfunction Corrective method for I/O module malfunction

Program writing failure Corrective method for program write failure

12-1
 Chapter 12. Troubleshooting

12.2.1 Corrective method for all LED OFF

If all LED turns off at power on or during operation, take following actions in said sequence.

All LED turned off

No Supply power.
Is power supply on?

Yes No Yes
Does LED turn on?

No Control supply voltage within

Is the supply voltage within Specification
allowable range?

Yes No Yes
Does power LED
Turn on?

Yes
Is the fuse
blown? Replace the module

No
No Yes
Does power LED
turn on?

Yes
Does the over current circuit
breaker functioning? 1) Measure current capacity, reduce
over current.
2) Turn off and on input power.
No

No Yes
Does power LED
turn on?

Make//out//the//questionnaire//for
troubleshooting, and contact nearest Finish
A/S center of agency.

12-2
 Chapter 12. Troubleshooting

12.2.2 Corrective method for Run/State LED flashing in red

If the Run/State LED blinks in red at power on or at starting or during operation, take following actions in said sequence.

Run/State LED flashing in red

Access XG5000 to check the error code.

Yes
Is the_CFG_ER flag error Referring to flag of Appendix 1,
recorded?
correct the error cause.

No

Yes
Is the STATE. LED
still flashing?

No

Make//out//the//questionnaire//for
troubleshooting, and contact nearest
Finish A/S center of agency.

NOTE

The PLC will continue operation at a light error, however, check and correct the error cause as soon as possible.
Otherwise, a light problem may become a heavy problem.

12-3
 Chapter 12. Troubleshooting

12.2.3 Corrective method for Run/State LED OFF

If the Run or Stop LED turns off at power on or during operation, take following actions in said sequence.

Run/State LED turned off

Turn Off → On power module

No
Is Run/State LED off?

Yes

Contact nearest agency or A/S center. Finish

12-4
 Chapter 12. Troubleshooting

12.2.4 Corrective method for I/O module malfunctioning

This is to provide information on the corrective method for I/O module malfunctioning during operation.

I/I module malfunctioning

No
Is the output LED of SOL1 on?

Yes

Measure terminal voltage of Check correct wiring Replace//terminal//block Monitor SOL1 with XG5000
SOL1 with a multitester connector

No No

No No
Yes Normal?
Is the measurement value Is output wiring correct? Are the terminal block connectors
normal? OK?
Yes
Yes
Yes
Cont
Disconnect external wiring and
test continuity of module output
part.

Yes No
Normal?

Inspect output device (SOL1)

Replace the output module.

Cont

12-5
 Chapter 12. Troubleshooting

No
Do the LEDs of SWITCH 1&2
turn on?

Yes

Measure terminal voltage of Measure terminal voltage of

SWITCH 1&2 with a multitester. SWITCH 1&2 with a multitester.

Yes
Are the measurements normal? Are the measurements normal?

No
Yes No

Yes Yes
Is input wiring correct? Are terminal block connectors
OK?

Disconnect//external No No
connections. Check inputs
with forced input.

Correct the wiring Replace//terminal

Are the measurements normal? block connector.

No
Yes

Replace the input module Check//input//device Repeat the procedures from Replace the input module
(SWITCH 1&2) the beginning

12-6
 Chapter 12. Troubleshooting

12.3 Questionnaire for Troubleshooting

In case of a problem in operating the XGI series, please fill up this questionnaire and contact nearest A/S center via telephone of FAX.
 For an error related to special or communication module, use the questionnaire form attached to the users' ml of the product.

1. User contact: TEL)

FAX)
2. Model: ( )
3. Information on the device
− CPU module: − OS version ( ), − Product serial No. ( )
− Version of XG5000 used for program compiling: ( )
4. Brief description on the controlled device/system:
5. Operation of the CPU module:
− Operation by key switch ( ), − Operation by XG5000 or communication ( )
− Operation by memory module ( )
6. Does the Stop LED of CPU module turn on? Yes ( ), No ( )
7. Error message of the XG5000:
8. Actions made in response to the error code of above 7:
9. Other troubleshooting methods taken to remove the error:
10. Characteristics of the error
 Repetitive ( ): Cyclic ( ), Related to specific sequence ( )
Environment-based error ( )
 Intermittent ( ): average error intervals
11. Description of the error symptom
12. Structural diagram of the application system:

12-7
 Chapter 12. Troubleshooting

12.4 Case Study

This section describes the types of troubles in various circuits and the corrective actions.

12.4.1 Types of troubles in input circuit and corrective actions

This section describes the cases of troubles in the input circuits and the corrective actions.

Problem Possible Cause Corrective Action

Leakage current of external device (driven by switch  Insert an appropriate resistor as shown in the
Input//signal attached with LED mark) diagram below so that the voltage between the
cannot//be input module terminal and common terminal is
turned /off DC input higher than the Off voltage.
Leak Current DC input
R
R
Ext. device E1

 Loop current by multiple power sources  Unify the power sources.

Input//signal  Install loop current cut off diode (Fig. below)
cannot//be DC input
turned /off DC input
L
E E L
E
 Loops if: E1 > E2

12.4.2 Types of troubles in output circuit and corrective actions

This section describes the cases of troubles in the output circuits and the corrective actions.

Problem Possible Cause Corrective Action

 Loop current by 2 power sources  Unify power sources.
Load cannot be Output
 Install loop current cut off diode (Fig. below)
turned off (DC) Output

Load
Load
E1
E2 E
E

Note) If the load is a relay or similar device, a back

 Loops if: E1< E2 EMF voltage absorbing diode is necessary as
 Also loops if E1 is Off (E2 is On) shown in the diagram by dot line.

12-8
 Chapter 12. Troubleshooting

Off response  over current at Off  As shown in the diagram below, install a magnetic
of load is too A dynamic load (large tome constant L/R) drawing connector or a similar device having a small time
late. large current (solenoid, etc.) is driven directly with constant to drive the load with the contact.
transistor output

Output Output

Current at Off

Load
E1 Load

 Due to the current through the diode at transistor

output off, the delay may 1 s or more.

Output Inrush current of incandescent lamp  To suppress inrush current, apply a leakage
transistor (background) current about 1/3 ~ 1/5 of the rated
destroyed Output current of the lamp.
Output

E1
R E

Sink type transistor output

Inrush current of 10 times or more may be Output

induced at ON.
R

Source type transistor output

12-9
 Chapter 12. Troubleshooting

12.5 Error Code List

12.5.1 CPU module error code

Corrective Action (Restart mode after Operating
Code Cause of Error LED Status When
correction) Condition
128 System power supply error Check the supply voltage Safe State LED flash Regularly
CPU module self-test
144 If problem persists when power reinput , ask A/S Safe State LED flash Regularly
abnormal error
CPU module hardware
145 If problem persists when power reinput , ask A/S Safe State LED flash Regularly
abnormal error
CPU module CCM (Core If problem persists when power reinput , ask A/S
146 Safe State LED flash Regularly
Compare Module) error
CPU module internal If problem persists when power reinput , ask A/S
147 Safe State LED flash Regularly
memory data altered error
CPU module firmware If problem persists when power reinput , ask A/S
148 Safe State LED flash Regularly
altered error
Synchronization between If problem persists when power reinput , ask A/S
149 Safe State LED flash Regularly
module cores error
CPU module backup If problem persists when power reinput , ask A/S
150 Safe State LED flash Regularly
memory data altered error
151 Parameter error If problem persists when power reinput , ask A/S Safe State LED flash Regularly

152 Program watchdog error If problem persists when power reinput , ask A/S Safe State LED flash Regularly

12.5.2 I/O contact point error code

Corrective Action (Restart mode after Operating
Code Cause of Error LED Status When
correction) Condition
Corresponding//input
1 Input circuit error Check input circuit and wiring Normal End of scan
LED flash
Corresponding//output
2 Output circuit error Check output circuit and wiring Normal End of scan
LED flash
3 Input circuit internal failure If problem persists when power reinput , ask A/S Safe State LED flash End of scan

Output//circuit//internal If problem persists when power reinput , ask A/S

4 Safe State LED flash End of scan
failure
Dual//channel//input Corresponding//input
5 Check input circuit and wiring Normal End of scan
LED flash
mismatch/ error
Corresponding//input
6 External test signal failure Check input circuit and wiring Normal End of scan
LED flash

12-10
 Chapter 12. Troubleshooting

Corrective Action (Restart mode after Operating

Code Cause of Error LED Status When
correction) Condition
8 I/O module separated Check firm installation of I/O module Safe State LED flash End of scan
I/O module type At the XG5000, compare I/O modules setting and
9 Safe State LED flash End of scan
mismatch error actual module
10 I/O module interface error If problem persists when power reinput , ask A/S Safe State LED flash End of scan

11 I/O data error If problem persists when power reinput , ask A/S Safe State LED flash End of scan
I/O module self-test abnormal If problem persists when power reinput , ask A/S
32 Safe State LED flash End of scan
error
33 I/O module hardware error If problem persists when power reinput , ask A/S Safe State LED flash End of scan
I/O module CCM (Core If problem persists when power reinput , ask A/S
34 Safe State LED flash End of scan
Compare Module) error
I/O module internal memory If problem persists when power reinput , ask A/S
35 Safe State LED flash End of scan
data altered error
I/O module firmware altered If problem persists when power reinput , ask A/S
36 Safe State LED flash End of scan
error
Synchronization between I/O If problem persists when power reinput , ask A/S
37 Safe State LED flash End of scan
module cores error
I/O module test pulse output If problem persists when power reinput , ask A/S
38 Safe State LED flash End of scan
0 circuit error
I/O module test pulse output If problem persists when power reinput , ask A/S
39 Safe State LED flash End of scan
1 circuit error
I/O module output power Check output voltage whether voltage level is
40 Safe State LED flash End of scan
error normal range.

12-11
Chapter 12. Troubleshooting

12-12
 Chapter 13. Safety Function Blocks

Chapter 13 Safety Function Blocks

13.1 Safety Function Blocks List

No Function Block

1 SF_ANTIVALENT

2 SF_EDM

3 SF_ENABLESWITCH

4 SF_EQUIVALENT

5 SF_ESPE

6 SF_ESTOP

7 SF_GUARDLOCKING

8 SF_MODESEL

9 SF_MUTINGPAR

10 SF_MUTINGPAR_2SENSOR

11 SF_MUTINGSEQ

12 SF_OUTCONTROL

13 SF_SAFEGUARD

14 SF_SAFETYREQUEST

15 SF_TESTABLESAFETYSENSOR

16 SF_TWOHANDCTRLII

17 SF_TWOHANDCTRLIII

13-1
 Chapter 13. Safety Function Blocks

13.2 Safety Function Blocks

13.2.1 SF_ANTIVALENT

1) Overview
This function block converts two antivalent SAFEBOOL inputs (NO/NC pair) to one SAFEBOOL output with discrepancy time
monitoring. This FB should not be used stand-alone since it has no restart interlock. It is required to connect the output to other
safety related functionalities.

SF_Antivalent

BOOL Activate Ready BOOL

SAFEBOOL S_ChannelNC S_AntivalentOut SAFEBOOL

SAFEBOOL S_ChannelNO Error BOOL

TIME DiscrepancyTime DiagCode WORD

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
S_ChannelNC SAFEBOOL 0 Variable. NC stands for Normally Closed.
Input for NC connection.
FALSE: NC contact open.
TRUE: NC contact closed.
Input S_ChannelNO SAFEBOOL 1 Variable. NO stands for Normally Open.
Input for NO connection.
FALSE: NO contact open
TRUE: NO contact closed
DiscrepancyTime TIME T#0ms Constant. Maximum monitoring time for
discrepancy status of both inputs.
Ready BOOL 0 If TRUE, indicates that the FB is activated
and the output results are valid.
S_AntivalentOut SAFEBOOL 0 Safety related output
FALSE: Minimum of one input signal "not
active" or status change outside of
monitoring time.
TRUE: Both inputs signals "active" and
Output
status change within monitoring time.
Error BOOL 0 Error flag
DiagCode WORD 16#0000 Diagnostic register.
All states of the FB are represented by this
register. This information is encoded in
hexadecimal format in order to represent
more then 16 codes.

13-2
 Chapter 13. Safety Function Blocks

3) Functional Description
This function block converts two equivalent SAFEBOOL inputs to one SAFEBOOL output with discrepancy time monitoring.
Both input Channels A and B are interdependent. The function block output shows the result of the evaluation of both channels.
If one channel signal changes from TRUE to FALSE the output immediately switches off (FALSE) for safety reasons.
Discrepancy time monitoring: The discrepancy time is the maximum period during which both inputs may have different states
without the function block detecting an error. Discrepancy time monitoring starts when the status of an input changes. The
function block detects an error when both inputs do not have the same status once the discrepancy time has elapsed.
The inputs must be switched symmetrically. This means that monitoring is performed for both the switching on process as well
as the switching off process.

4) Typical Timing Diagrams

13-3
 Chapter 13. Safety Function Blocks

5) Error Detection
The function block monitors the discrepancy time between Channel NO and Channel NC.

6) Error Behavior
The output SF_AntivalentOut is set to FALSE. Error is set to TRUE. DiagCode indicates the Error states.
There is no Reset defined as an input coupled with the reset of an error. If an error occurs in the inputs, one new set of inputs
with the correct value must be able to reset the error flag. (Example: if a switch is faulty and replaced, using the switch again
results in a correct output)

7) Error Codes

DiagCode State Name State Description and Output Setting

Discrepancy time elapsed in state 8004.
Ready = TRUE
C001 Error 1
S_AntivalentOut = FALSE
Error = TRUE
Discrepancy time elapsed in state 8014.
Ready = TRUE
C002 Error 2
S_AntivalentOut = FALSE
Error = TRUE
Discrepancy time elapsed in state 8005.
Ready = TRUE
C003 Error 3
S_AntivalentOut = FALSE
Error = TRUE

13-4
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle
S_AntivalentOut = FALSE
Error = FALSE
An activation has been detected by the FB and the FB is now
activated.
8001 Init Ready = TRUE
S_AntivalentOut = FALSE
Error = FALSE
The inputs switched to the Active state in antivalent mode.
Ready = TRUE
8000 Safety Output Enabled
S_AntivalentOut = TRUE
Error = FALSE
ChannelNC has been switched to TRUE - waiting for
ChannelNO to be switched to FALSE; discrepancy timer started.
8004 Wait for NO Ready = TRUE
S_AntivalentOut = FALSE
Error = FALSE
ChannelNO has been switched to FALSE - waiting for
ChannelNC to be switched to TRUE; discrepancy timer started.
8014 Wait for NC Ready = TRUE
S_AntivalentOut = FALSE
Error = FALSE
One channel has been switched to inactive; waiting for the
second channel to be switched to inactive too.
8005 From Active Wait Ready = TRUE
S_AntivalentOut = FALSE
Error = FALSE

13-5
 Chapter 13. Safety Function Blocks

13.2.2 SF_EDM

1) Overview
External device monitoring – The FB controls a safety output and monitors controlled actuators, e.g. subsequent contactors

SF_EDM

BOOL Activate Ready BOOL

SAFEBOOL S_OutControl S_EDM_Out SAFEBOOL
SAFEBOOL S_EDM1 Error BOOL
SAFEBOOL S_EDM2 DiagCode WORD
BOOL MonitoringTime
SAFEBOOL S_StartReset
BOOL Reset

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
Control signal of the preceeding safety FB’s.
Typical function block signals from the library
(e.g.,SF_OutControl, SF_TwoHandControlTypeII,
S_OutControl SAFEBOOL 0
and/or others).
FALSE: Disable safety output (S_EDM_Out).
TRUE: Enable safety output (S_EDM_Out).
Feedback signal of the first connected actuator.
FALSE: Switching state of the first connected
S_EDM1 SAFEBOOL 0
actuator.
TRUE: Initial state of the first connected actuator.
Feedback signal of the second connected
actuator.
If using only one signal in the application, the user
Input must use a graphic connection to jumper the
S_EDM1 and S_EDM2 parameters. S_EDM1
S_EDM2 SAFEBOOL 0 and S_EDM2 are then controlled by the same
signal.
FALSE: Switching state of the second connected
actuator.
TRUE: Initial state of the second connected
actuator.
Max. response time of the connected and
MonitoringTime TIME #0ms
monitored actuators.
FALSE (= initial value): Manual reset when PES is
started (warm or cold).
S_StartReset
TRUE: Automatic reset when PES is started
(warm or cold).
Reset BOOL 0 Reset

13-6
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

If TRUE, indicates that the FB is activated and the
Ready BOOL 0
output results are valid.
Controls the actuator. The result is monitored by
the feedback signal S_EDMx.
S_EDM_Out SAFEBOOL 0
FALSE: Disable connected actuators.
TRUE: Enable connected actuators.
Output
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent more
then 16 codes.

3) Functional Description
General:
The SF_EDM FB controls a safety output and monitors controlled actuators.
This function block monitors the initial state of the actuators via the feedback signals (S_EDM1 and S_EDM2) before the
actuators are enabled by the FB.
The function block monitors the switching state of the actuators (MonitoringTime) after the actuators have been enabled by the
FB.
Two single feedback signals must be used for an exact diagnosis of the connected actuators. A common feedback signal from
the two connected actuators must be used for a restricted yet simple diagnostic function of the connected actuators. When
doing so, the user must connect this common signal to both parameter S_EDM1 and parameter S_EDM2. S_EDM1 and
S_EDM2 are then controlled by the same signal.
The switching devices used in the safety function should be selected from the category specified in the risk analysis (EN 954-1).

Optional startup inhibits:

• Startup inhibit in the event of block activation.

The S_StartReset input shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.

13-7
 Chapter 13. Safety Function Blocks

4) Typical Timing Diagrams

< S_StartReset=Off >

< S_StartReset=On >

5) Error Detection
The following conditions force a transition to the Error state:
• Invalid static Reset signal in the process.
• Invalid EDM signal in the process.
• S_OutControl and Reset are incorrectly interconnected due to programming error.

6) Error Behavior
In error states, the outputs are as follows:
• In the event of an error, the S_EDM_Out is set to FALSE and remains in this safe state.
• An EDM error message must always be reset by a rising trigger at Reset.
• A Reset error message can be reset by setting Reset to FALSE.

13-8
 Chapter 13. Safety Function Blocks

After block activation, the optional startup inhibit can be reset by a rising edge at the Reset input.

7) Error Codes

DiagCode State Name State Description and Output Setting

Static Reset signal in state 8001.
Ready = TRUE
C001 Reset Error 1
S_EDM_Out = FALSE
Error = TRUE
Static Reset signal or same signals at EDM1 and Reset (rising
trigger at Reset and EDM1 at the same time) in state C010.
C011 Reset Error 21 Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
Static Reset signal or same signals at EDM2 and Reset (rising
trigger at Reset and EDM2 at the same time) in state C020.
C021 Reset Error 22 Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
Static Reset signal or same signals at EDM1, EDM2, and Reset
(rising trigger at Reset, EDM1, and EDM2 at the same time) in
state C030.
C031 Reset Error 23
Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
Static Reset signal or same signals at EDM1 and Reset (rising
trigger at Reset and EDM1 at the same time) in state C040.
C041 Reset Error 31 Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
Static Reset signal or same signals at EDM2 and Reset (rising
trigger at Reset and EDM2 at the same time) in state C050.
C051 Reset Error 32 Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
Static Reset signal or same signals at EDM1, EDM2, and Reset
(rising trigger at Reset, EDM1, and EDM2 at the same time) in
state C060.
C061 Reset Error 33
Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
Static Reset signal in state C070.
Ready = TRUE
C071 Reset Error 41
S_EDM_Out = FALSE
Error = TRUE
Static Reset signal in state C080.
Ready = TRUE
C081 Reset Error 42
S_EDM_Out = FALSE
Error = TRUE

13-9
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

Static Reset signal in state C090.
Ready = TRUE
C091 Reset Error 43
S_EDM_Out = FALSE
Error = TRUE
The signal at EDM1 is not valid in the initial actuator state. In state
8010 the EDM1 signal is FALSE when enabling O_OutControl.
C010 EDM Error 11 Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
The signal at EDM2 is not valid in the initial actuator state. In state
8010 the EDM2 signal is FALSE when enabling O_OutControl.
C020 EDM Error 12 Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
The signals at EDM1 and EDM2 are not valid in the initial actuator
states. In state 8010 the EDM1 and EDM2 signals are FALSE
when enabling O_OutControl.
C030 EDM Error 13
Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
The signal at EDM1 is not valid in the initial actuator state. In state
8010 the EDM1 signal is FALSE and the monitoring time has
elapsed.
C040 EDM Error 21
Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
The signal at EDM2 is not valid in the initial actuator state. In state
8010 the EDM2 signal is FALSE and the monitoring time has
elapsed.
C050 EDM Error 22
Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
The signals at EDM1 and EDM2 are not valid in the initial actuator
states. In state 8010 the EDM1 and EDM2 signals are FALSE and
the monitoring time has elapsed.
C060 EDM Error 23
Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
The signal at EDM1 is not valid in the actuator switching state.
In state 8000 the EDM1 signal is TRUE and the monitoring time
has elapsed.
C070 EDM Error 31
Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE

13-10
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

The signal at EDM2 is not valid in the actuator switching state.
In state 8000 the EDM2 signal is TRUE and the monitoring time
has elapsed.
C080 EDM Error 32
Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
The signals at EDM1 and EDM2 are not valid in the actuator
switching state. In state 8000 the EDM1 and EDM2 signals are
TRUE and the monitoring time has elapsed.
C090 EDM Error 33
Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE
S Similar signals at S_OutControl and Reset (R_TRIG at same
cycle) detected (may be a programming error)
C111 Init Error Ready = TRUE
S_EDM_Out = FALSE
Error = TRUE

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle
S_EDM_Out = FALSE
Error = FALSE
Block activation startup inhibit is active. Reset required.
Ready = TRUE
8001 Init
S_EDM_Out = FALSE
Error = FALSE
EDM control is not active. Timer starts when state is entered
Ready = TRUE
8010 Output Disable
S_EDM_Out = FALSE
Error = FALSE
EDM control is active. Timer starts when state is entered
Ready = TRUE
8000 Output Enable
S_EDM_Out = TRUE
Error = FALSE

13-11
 Chapter 13. Safety Function Blocks

13.2.3 SF_ENABLESWITCH

1) Overview
The SF_EnableSwitch FB evaluates the signals of an enable switch with three positions.

SF_EnableSwitch

BOOL Activate Ready BOOL

SAFEBOOL S_SafetyActive S_EnableSwitchOut SAFEBOOL
SAFEBOOL S_EnableSwitchCh1 Error BOOL
SAFEBOOL S_EnableSwitchCh2 DiagCode WORD
SAFEBOOL S_AutoReset
BOOL Reset

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
Confirmation of the safe mode (limitation of
the speed or the power of motion, limitation
S_SafetyActive SAFEBOOL 0 of the range of motion).
FALSE: Safe mode is not active.
TRUE: Safe mode is active.
Signal of contacts E1 and E2 of the
connected enable switch.
S_EnableSwitchCh1 SAFEBOOL 0
FALSE: Connected switches are open.
TRUE: Connected switches are closed.
Signal of contacts E3 and E4 of the
connected enable switch.
S_EnableSwitchCh2 SAFEBOOL 0
FALSE: Connected switches are open.
Input TRUE: Connected switches are closed.
FALSE (= initial value): Manual reset when
emergency stop button is released.
TRUE: Automatic reset when emergency
stop button is released.
This function shall only be activated if it is
ensured that no hazard can occur at the
S_AutoReset SAFEBOOL 0
start of the PES. Therefore the use of the
Automatic Circuit Reset feature of the
function blocks requires implementation of
other system or application measures to
ensure that unexpected (or unintended)
startup does not occur.
Reset BOOL 0 Reset

13-12
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

If TRUE, indicates that the FB is activated
Ready BOOL 0
and the output results are valid.
Safety related output: Indicates suspension
of guard.
S_EnableSwitchOut SAFEBOOL 0 FALSE: Disable suspension of
safeguarding.
Output TRUE: Enable suspension of safeguarding.
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more then 16 codes.

3) Functional Description
The SF_EnableSwitch FB supports the suspension of safeguarding using enable switches, if the relevant operating mode is
selected and active. The relevant operating mode (limitation of the speed or the power of motion, limitation of the range of
motion) must be selected outside the SF_EnableSwitch FB.
The SF_EnableSwitch FB evaluates the signals of an enable switch with three positions
The S_EnableSwitchCh1 and S_EnableSwitchCh2 input parameters process the following signal levels of contacts E1 to E4:

The signal from E1+E2 must be connected to the S_EnableSwitchCh1 parameter. The signal from E3+E4 must be connected
to the S_EnableSwitchCh2 parameter. The position of the enable switch is detected in the FB using this signal sequence. The
transition from position 2 to 3 can be different from shown here.
The switching direction (position 1 => position 2/position 3 => position 2) can be detected in the FB using the defined signal
sequence of the enable switch contacts. The suspension of safeguarding can only be enabled by the FB after a move from
position 1 to position 2. Other switching directions or positions may not be used to enable the suspension of safeguarding.
In order to meet the requirements of DIN EN 60204 Section 9.2.4, the user shall use a suitable switching device. In addition, the
user must ensure that the relevant operating mode is selected in the application (automatic operation must be disabled in this
operating mode using appropriate measures).
The operating mode is usually specified using an operating mode selection switch in conjunction with the SF_ModeSelector FB
and the SF_SafeRequest or SF_SafelyLimitedSpeed FB.
The SF_EnableSwitch FB processes the confirmation of the "safe mode" state via the "S_SafetyActive" parameter. On
implementation
in an application of the safe mode without confirmation, a static TRUE signal is connected to the "S_SafetyActive" parameter.

13-13
 Chapter 13. Safety Function Blocks

The S_AutoReset input shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.
4) Typical Timing Diagrams

13-14
 Chapter 13. Safety Function Blocks

5) Error Detection
The following conditions force a transition to the Error state:
• Invalid static Reset signal in the process.
• Invalid switch positions.

6) Error Behavior
In the event of an error, the S_EnableSwitchOut safe output is set to FALSE and remains in this Safe state. Different from other
FBs, a Reset Error state can be left by the condition Reset = FALSE or, additionally, when the signal S_SafetyActive is FALSE.
Once the error has been removed, the enable switch must be in the initial position specified in the process before the
S_EnableSwitchOut output can be set to TRUE using the enable switch. If S_AutoReset = FALSE, a rising trigger is required at
Reset.

7) Error Codes

DiagCode State Name State Description and Output Setting

Static Reset signal detected in state C020.
Ready = TRUE
C001 Reset Error 1 S_EnableSwitchOut = FALSE
Error = TRUE

Static Reset signal detected in state C040.

Ready = TRUE
C002 Reset Error 2
S_EnableSwitchOut = FALSE
Error = TRUE
Enable switch not in position 1 during activation of S_SafetyActive.
Ready = TRUE
C010 Operation Error 1
S_EnableSwitchOut = FALSE
Error = TRUE
Enable switch in position 1 after C010.
Ready = TRUE
C020 Operation Error 2 S_EnableSwitchOut = FALSE
Error = TRUE

Enable switch in position 2 after position 3.

Ready = TRUE
C030 Operation Error 3
S_EnableSwitchOut = FALSE
Error = TRUE
Enable switch not in position 2 after C030.
Ready = TRUE
C040 Operation Error 4
S_EnableSwitchOut = FALSE
Error = TRUE

13-15
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle
S_EnableSwitchOut = FALSE
Error = FALSE
Safe operation mode is not active.
Ready = TRUE
8004 Basic Operation Mode
S_EnableSwitchOut = FALSE
Error = FALSE
Safe operation mode is active.
Ready = TRUE
8005 Safe Operation Mode
S_EnableSwitchOut = FALSE
Error = FALSE
Safe operation mode is active and the enable switch is in
position 1.
8006 Position 1 Ready = TRUE
S_EnableSwitchOut = FALSE
Error = FALSE
Safe operation mode is active and the enable switch is in
position 3.
8007 Position 3 Ready = TRUE
S_EnableSwitchOut = FALSE
Error = FALSE
Safe operation mode is active and the enable switch is in
position 2.
8000 Position 2 Ready = TRUE
S_EnableSwitchOut = TRUE
Error = FALSE

13-16
 Chapter 13. Safety Function Blocks

13.2.4 SF_EQUIVALENT

1) Overview
This function block converts two equivalent SAFEBOOL inputs (both NO or NC) to one SAFEBOOL output, including
discrepancy time monitoring. This FB should not be used stand-alone since it has no restart interlock. It is required to connect
the output to other safety related functionalities.

SF_Equivalent

BOOL Activate Ready BOOL

SAFEBOOL S_ChannelA S_EquivalentOut SAFEBOOL

SAFEBOOL S_ChannelB Error BOOL

TIME DiscrepancyTime DiagCode WORD

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
Input A for logical connection.
S_ChannelA SAFEBOOL 0 FALSE: Contact A open
TRUE: Contact A closed.
Input Input B for logical connection.
S_ChannelB SAFEBOOL 0 FALSE: Contact B open
TRUE: Contact B closed.
2 개 Input 의 Discrepancy time 설정
DiscrepancyTime TIME T#0ms
0 ~ 65535ms
Maximum monitoring time for discrepancy
Ready BOOL 0
status of both inputs.
Safety related output
FALSE: Minimum of one input signal =
"FALSE" or status
S_EquivalentOut SAFEBOOL 0
change outside of monitoring time.
TRUE: Both input signals "active" and status
Output
change within monitoring time
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more then 16 codes.

13-17
 Chapter 13. Safety Function Blocks

3) Functional Description
This function block converts two equivalent SAFEBOOL inputs to one SAFEBOOL output with discrepancy time monitoring.
Both input Channels A and B are interdependent. The function block output shows the result of the evaluation of both channels.
If one channel signal changes from TRUE to FALSE the output immediately switches off for safety reasons. Discrepancy time
monitoring: The discrepancy time is the maximum period during which both inputs may have different states without the function
block detecting an error. Discrepancy time monitoring starts when the status of an input changes. The function block detects an
error when both inputs do not have the same status once the discrepancy time has elapsed.
The inputs must be switched symmetrically. This means that monitoring is performed for both the switching on process as well
as the switching off process.

4) Typical Timing Diagrams

13-18
 Chapter 13. Safety Function Blocks

5) Error Detection
The function block monitors the discrepancy time between Channel A and B, when switching to TRUE and also when switching
to FALSE.

6) Error Behavior
S_EquivalentOut is set to FALSE. Error is set to TRUE. DiagCode indicates the Error states. There is no Reset defined as an
input coupled with the reset of an error. If an error occurs in the inputs, a new set of inputs with correct S_EquivalentOut must be
able to reset the error flag. (Example: if a switch is faulty and replaced, using the switch again results in a correct output)

7) Error Codes

DiagCode State Name State Description and Output Setting

Discrepancy time elapsed in state 8004.
Ready = TRUE
C001 Error 1
S_EquivalentOut = FALSE
Error = TRUE
Discrepancy time elapsed in state 8014.
Ready = TRUE
C002 Error 2
S_EquivalentOut = FALSE
Error = TRUE
Discrepancy time elapsed in state 8005.
Ready = TRUE
C003 Error 3
S_EquivalentOut = FALSE
Error = TRUE

13-19
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle
S_EquivalentOut = FALSE
Error = FALSE
An activation has been detected by the FB and the FB is now
activated.
8001 Init Ready = TRUE
S_EquivalentOut = FALSE
Error = FALSE
The inputs switched to TRUE in equivalent mode.
Ready = TRUE
8000 Safety Output Enabled
S_EquivalentOut = TRUE
Error = FALSE
Channel A has been switched to TRUE - waiting for Channel B;
discrepancy timer started.
8004 Wait for Channel B Ready = TRUE
S_EquivalentOut = FALSE
Error = FALSE
Channel B has been switched to TRUE - waiting for Channel A;
discrepancy timer started.
8014 Wait for Channel A Ready = TRUE
S_EquivalentOut = FALSE
Error = FALSE
One channel has been switched to FALSE; waiting for the
second channel to be switched to FALSE, discrepancy timer
started.
8005 From Active Wait
Ready = TRUE
S_EquivalentOut = FALSE
Error = FALSE

13-20
 Chapter 13. Safety Function Blocks

13.2.5 SF_ESPE

1) Overview
This function block is a safety-related function block for monitoring electro-sensitive protective equipment (ESPE).

SF_ESPE

BOOL Activate Ready BOOL

SAFEBOOL S_ESPE_IN S_ESPE_Out SAFEBOOL

SAFEBOOL S_StartReset Error BOOL

SAFEBOOL S_AutoReset DiagCode WORD

BOOL Reset

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
Safety demand input.
FALSE: ESPE actuated, demand for safety-
related response.
TRUE: ESPE not actuated, no demand for
safety-related response.
S_ESPE_In SAFEBOOL 0
Safety control system must be able to detect
a very short interruption of the sensor (which
is specified in 61496-1: minimum 80 ms),
when the ESPE is used in applications as a
trip device
Input FALSE (= initial value): Manual reset when
PES is started (warm or cold).
TRUE: Automatic reset when PES is started
(warm or cold).
This function shall only be activated if it is
ensured that no hazard can occur at the
S_StartReset SAFEBOOL 0
start of the PES. Therefore the use of the
Automatic Circuit Reset feature of the
function blocks requires implementation of
other system or application measures to
ensure that unexpected (or unintended)
startup does not occur.

13-21
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

FALSE (= initial value): Manual reset when
emergency stop button is released.
TRUE: Automatic reset when emergency
stop button is released.
This function shall only be activated if it is
ensured that no hazard can occur at the
S_AutoReset SAFEBOOL 0
Input start of the PES. Therefore the use of the
Automatic Circuit Reset feature of the
function blocks requires implementation of
other system or application measures to
ensure that unexpected (or unintended)
startup does not occur.
Reset BOOL 0 Reset
If TRUE, indicates that the FB is activated
Ready BOOL 0
and the output results are valid.
Output for the safety-related response.
FALSE: Safety output disabled.
Demand for safety-related response (e.g.,
S_ESPE_OUT SAFEBOOL 0
reset required or internal errors active).
TRUE: Safety output enabled. No demand
Output
for safety-related response.
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more then 16 codes.

3) Functional Description
This function block is a safety-related function block for monitoring electro-sensitive protective equipment (ESPE). The function
is identical to SF_EmergencyStop. The S_ESPE_Out output signal is set to FALSE as soon as the S_ESPE_In input is set to
FALSE. The S_ESPE_Out output signal is set to TRUE only if the S_ESPE_In input is set to TRUE and a reset occurs. The
enable reset depends on the defined S_StartReset, S_AutoReset, and Reset inputs.

If S_AutoReset = TRUE, acknowledgment is automatic.

If S_AutoReset = FALSE, a rising trigger at the Reset input must be used to acknowledge the enable.
If S_StartReset = TRUE, acknowledgment is automatic the PES is started the first time.
If S_StartReset = FALSE, a rising trigger at the Reset input must be used to acknowledge the enable.

The S_StartReset and S_AutoReset inputs shall only be activated if it is ensured, that no hazardous situation can occur when
the PES is started.

13-22
 Chapter 13. Safety Function Blocks

4) Typical Timing Diagrams

< S_StartReset=Off, S_AutoReset=Off >

< S_StartReset=On, S_AutoReset=Off >

13-23
 Chapter 13. Safety Function Blocks

< S_StartReset=Off, S_AutoReset=On >

5) Error Detection
The function block detects a static TRUE signal at Reset input.

6) Error Behavior
S_ESPE_Out is set to FALSE. In case of a static TRUE signal at the Reset input, the DiagCode output indicates the relevant
error code and the Error output is set to TRUE.
To leave the error states, the the Reset must be set to FALSE.

7) Error Codes

DiagCode State Name State Description and Output Setting

Reset is TRUE while waiting for S_ESPE_In = TRUE.
Ready = TRUE
C001 Reset Error 1
S_ESPE_Out = FALSE
Error = TRUE
Reset is TRUE while waiting for S_ESPE_In = TRUE.
Ready = TRUE
C002 Reset Error 2
S_ESPE_Out = FALSE
Error = TRUE

13-24
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle
S_ESPE_Out = FALSE
Error = FALSE
Activation is TRUE. The function block was enabled. Check if
S_StartReset is required.
8001 Init Ready = TRUE
S_ESPE_Out = FALSE
Error = FALSE
Activation is TRUE. Check if Reset is FALSE and wait for
S_ESPE_In =
TRUE.
8002 Wait for S_ESPE_In 1
Ready = TRUE
S_ESPE_Out = FALSE
Error = FALSE
Activation is TRUE. S_ESPE_In = TRUE. Wait for rising trigger
of Reset.
8003 Wait for Reset 1 Ready = TRUE
S_ESPE_Out = FALSE
Error = FALSE
Activation is TRUE. Safety demand detected. Check if Reset is
FALSE
and wait for S_ESPE_In = TRUE.
8004 Wait for S_ESPE_In 2
Ready = TRUE
S_ESPE_Out = FALSE
Error = FALSE
Activation is TRUE. S_ESPE_In = TRUE. Check for
S_AutoReset or
wait for rising trigger of Reset.
8005 Wait for Reset 2
Ready = TRUE
S_ESPE_Out = FALSE
Error = FALSE
Activation is TRUE. S_ESPE_In = TRUE. Functional mode with
S_ESPE_Out = TRUE.
8000 Safety Output Enabled Ready = TRUE
S_ESPE_Out = TRUE
Error = FALSE

13-25
 Chapter 13. Safety Function Blocks

13.2.6 SF_ESTOP

1) Overview
This function block is a safety-related function block for monitoring an emergency stop button. This FB can be used for
emergency switch off functionality (stop category 0), or - with additional peripheral support - as emergency stop.

SF_EmergencyStop

BOOL Activate Ready BOOL

SAFEBOOL S_EStopIn S_EStopOut SAFEBOOL

SAFEBOOL S_StartReset Error BOOL

SAFEBOOL S_AutoReset DiagCode WORD
BOOL Reset

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
Safety demand input.
FALSE: Demand for safety-related
response (e.g., emergency stop button is
S_EStopIn SAFEBOOL 0 engaged).
TRUE: No demand for safety-related
response (e.g., emergency stop button not
engaged).
FALSE (= initial value): Manual reset when
PES is started (warm or cold).
Input
TRUE: Automatic reset when PES is started
(warm or cold).
This function shall only be activated if it is
ensured that no hazard can occur at the
S_StartReset SAFEBOOL 0
start of the PES. Therefore the use of the
Automatic Circuit Reset feature of the
function blocks requires implementation of
other system or application measures to
ensure that unexpected (or unintended)
startup does not occur.

13-26
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

FALSE (= initial value): Manual reset when
emergency stop button is released.
TRUE: Automatic reset when emergency
stop button is released.
This function shall only be activated if it is
ensured that no hazard can occur at the
S_AutoReset SAFEBOOL 0
Input start of the PES. Therefore the use of the
Automatic Circuit Reset feature of the
function blocks requires implementation of
other system or application measures to
ensure that unexpected (or unintended)
startup does not occur.
Reset BOOL 0 Reset
If TRUE, indicates that the FB is activated
Ready BOOL 0
and the output results are valid.
Output for the safety-related response.
FALSE: Safety output disabled.
Demand for safety-related response (e.g.,
emergency stop button engaged, reset
S_EStopOut SAFEBOOL 0 required or internal errors active)
TRUE: Safety output enabled.
Output No demand for safety-related response
(e.g., emergency stop button not engaged,
no internal errors active).
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more then 16 codes.

3) Functional Description
The S_EStopOut enable signal is reset to FALSE as soon as the S_EStopIn input is set to FALSE. The S_EStopOut enable
signal is reset to TRUE only if the S_EStopIn input is set to TRUE and a reset occurs. The enable reset depends on the defined
S_StartReset, S_AutoReset, and Reset inputs.
If S_AutoReset = TRUE, acknowledgment is automatic.
If S_AutoReset = FALSE, a rising trigger at the Reset input must be used to acknowledge the enable.
If S_StartReset = TRUE, acknowledgment is automatic the fist time the PES is started.
If S_StartReset = FALSE, a rising trigger at the Reset input must be used to acknowledge the enable.

The S_StartReset and S_AutoReset inputs shall only be activated if it is ensured that no hazardous situation can occur when
the PES is started.

SF_EmergencyStop can be used to monitor both single and two-channel emergency stop buttons. For example, for twochannel
applications, the additional function blocks SF_Equivalent can be used to detect whether the contact synchronization has been
exceeded. The category classification in accordance with EN 954-1 will depend on the final elements that are used.
The SF_EmergencyStop automatically detects a static TRUE on Reset. Further error detection, e.g., wire break, short circuit
depends on the dedicated hardware that is used.

13-27
 Chapter 13. Safety Function Blocks

4) Typical Timing Diagrams

< S_StartReset=Off, S_AutoReset=Off >

< S_StartReset=On, S_AutoReset=Off >

13-28
 Chapter 13. Safety Function Blocks

< S_StartReset=Off, S_AutoReset=On >

5) Error Detection
The function block detects a static TRUE signal at Reset input.

6) Error Behavior
S_EStopOut is set to FALSE. In case of a static TRUE signal at the Reset input, the DiagCode output indicates the relevant
error code and the Error output is set to TRUE.
To leave the error states, the Reset must be set to FALSE.

7) Error Codes

DiagCode State Name State Description and Output Setting

Reset is TRUE while waiting for S_EStopIn = TRUE.
Ready = TRUE
C001 Reset Error 1
S_EStopOut = FALSE
Error = TRUE
Reset is TRUE while waiting for S_EStopIn = TRUE.
Ready = TRUE
C002 Reset Error 2
S_EStopOut = FALSE
Error = TRUE

13-29
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle
S_EStopOut = FALSE
Error = FALSE
Activation is TRUE. The function block was enabled. Check if
S_StartReset is required.
8001 Init Ready = TRUE
S_EStopOut = FALSE
Error = FALSE
Activation is TRUE. Check if Reset is FALSE and wait for
S_EStopIn = TRUE.
8002 Wait for S_EstopIn 1 Ready = TRUE
S_EStopOut = FALSE
Error = FALSE
Activation is TRUE. S_EStopIn = TRUE. Wait for rising trigger of
Reset.
8003 Wait for Reset 1 Ready = TRUE
S_EStopOut = FALSE
Error = FALSE
Activation is TRUE. Safety demand detected. Check if Reset is
FALSE and wait for S_EStopIn = TRUE.
8004 Wait for S_EstopIn 2 Ready = TRUE
S_EStopOut = FALSE
Error = FALSE
Activation is TRUE. S_EStopIn = TRUE. Check for
S_AutoReset or wait for rising trigger of Reset.
8005 Wait for Reset 2 Ready = TRUE
S_EStopOut = FALSE
Error = FALSE
Activation is TRUE. S_EStopIn = TRUE. Functional mode with
S_EStopOut = TRUE.
8000 Safety Output Enabled Ready = TRUE
S_EStopOut = TRUE
Error = FALSE

13-30
 Chapter 13. Safety Function Blocks

13.2.7 SF_GUARDLOCKING

1) Overview
This FB controls an entrance to a hazardous area via an interlocking guard with guard locking (“four state interlocking”)

SF_GuardLocking

BOOL Activate Ready BOOL

SAFEBOOL S_GuardMonitoring S_GuardLocked SAFEBOOL
SAFEBOOL S_SafetyActive S_UnlockGuard SAFEBOOL
SAFEBOOL S_GuardLock Error BOOL
BOOL UnlockRequest DiagCode WORD
SAFEBOOL S_StartReset
SAFEBOOL S_AutoReset
BOOL Reset

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
Variable.
Monitors the guard interlocking.
S_GuardMonitoring SAFEBOOL 0
FALSE: Guard open.
TRUE: Guard closed.
Status of the hazardous area (EDM), e.g.,
based on speed monitoring or safe time off
S_SafetyActive SAFEBOOL 0 delay.
Input FALSE: Machine in "non-safe" state.
TRUE: Machine in safe state.
Status of the mechanical guard locking.
S_GuardLock SAFEBOOL 0 FALSE: Guard is not locked.
TRUE: Guard is locked.
Operator intervention – request to unlock
the guard.
UnlockRequest BOOL 0
FALSE: No request.
TRUE: Request made.

13-31
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

FALSE (= initial value): Manual reset when
PES is started (warm or cold).
TRUE: Automatic reset when PES is started
(warm or cold).
This function shall only be activated if it is
ensured that no hazard can occur at the
S_StartReset SAFEBOOL 0
start of the PES. Therefore the use of the
Automatic Circuit Reset feature of the
function blocks requires implementation of
other system or application measures to
ensure that unexpected (or unintended)
startup does not occur.
Input FALSE (= initial value): Manual reset when
emergency stop button is released.
TRUE: Automatic reset when emergency
stop button is released.
This function shall only be activated if it is
ensured that no hazard can occur at the
S_AutoReset SAFEBOOL 0
start of the PES. Therefore the use of the
Automatic Circuit Reset feature of the
function blocks requires implementation of
other system or application measures to
ensure that unexpected (or unintended)
startup does not occur.
Reset BOOL 0 Reset
If TRUE, indicates that the FB is activated
Ready BOOL 0
and the output results are valid.
Interface to hazardous area which must be
stopped.
S_GuardLocked SAFEBOOL 0
FALSE: No safe state.
TRUE: Safe state.
Signal to unlock the guard.
Output S_UnlockGuard SAFEBOOL 0 FALSE: Close guard.
TRUE: Unlock guard.
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more then 16 codes.

13-32
 Chapter 13. Safety Function Blocks

3) Functional Description
The function controls the guard lock and monitors the position of the guard and the lock. This function block can be used with a
mechanical locked switch.
The operator requests to get access to the hazardous area. The guard can only be unlocked when the hazardous area is in a
safe state.The guard can be locked if the guard is closed. The machine can be started when the guard is closed and the guard
is locked. An open guard or unlocked guard will be detected in the event of a safety-critical situation.
The S_StartReset and S_AutoReset inputs shall only be activated if it is ensured that no hazardous situation can occur when
the PES is started.

Operation Sequence
NO Position Operation
1 External Request to get the hazardous area to a safe state - not part of this FB
2 In Feedback from applicable hazardous area that it is in a safe state (via S_SafetyActive)
3 In Operator request to unlock the guard (via UnlockRequest)
4 Out Enable guard to be opened (via S_UnlockGuard)
5 Guard unlocked (via S_GuardLock). Guard can be opened now. (S_GuardLocked =
In
FALSE)
- - Operator opens the guard
6 In Monitoring of status guard via S_GuardMonitoring – signals when guard is closed again
7 In Feedback from operator to restart the hazardous area (Reset)
8 Out Lock guard guard (S_UnlockGuard)
9 In Check if guard is locked (S_GuardLock)
10 Out Hazardous area can operate again (S_GuardLocked = TRUE)
11 Extern Restart the operation in the hazardous area

13-33
 Chapter 13. Safety Function Blocks

4) Typical Timing Diagrams

5) Error Detection
Static signals are detected at Reset. Errors are detected at the Guard switches.

6) Error Behavior
In the event of an error the S_GuardLocked and S_UnlockGuard outputs are set to FALSE, the DiagCode output indicates the
relevant error code, and the Error output is set to TRUE.
An error must be acknowledged by a rising trigger at the Reset input.

13-34
 Chapter 13. Safety Function Blocks

7) Error Codes

DiagCode State Name State Description and Output Setting

Static Reset detected in state 8001.
Ready = TRUE
C001 Reset Error1 S_GuardLocked = FALSE
S_UnlockGuard = FALSE
Error = TRUE
Static Reset detected in state C004.
Ready = TRUE
C002 Reset Error2 S_GuardLocked = FALSE
S_UnlockGuard = FALSE
Error = TRUE
Static Reset detected in state 8011.
Ready = TRUE
C003 Reset Error3 S_GuardLocked = FALSE
S_UnlockGuard = FALSE
Error = TRUE
Safety lost, guard opened or guard unlocked.
Ready = TRUE
C004 Safety Lost S_GuardLocked = FALSE
S_UnlockGuard = FALSE
Error = TRUE

13-35
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle S_GuardLocked = FALSE
S_UnlockGuard = FALSE
Error = FALSE
Guard is locked.
Ready = TRUE
8000 Guard Closed and Locked S_GuardLocked = TRUE
S_UnlockGuard = FALSE
Error = FALSE
Function block was activated and initiated.
Ready = TRUE
8001 Init S_GuardLocked = FALSE
S_UnlockGuard = FALSE
Error = FALSE
Door is closed and locked, now waiting for operator reset
Ready = TRUE
8003 Wait for Reset S_GuardLocked = FALSE
S_UnlockGuard = FALSE
Error = FALSE
Waiting for operator to either unlock request or reset.
Ready = TRUE
8011 Wait for Operator S_GuardLocked = FALSE
S_UnlockGuard = FALSE
Error = FALSE
Lock is released and guard is open.
Ready = TRUE
Guard Open and
8012 S_GuardLocked = FALSE
Unlocked
S_UnlockGuard = TRUE
Error = FALSE
Lock is released but guard is closed.
Ready = TRUE
8013 Guard Closed but Unlocked S_GuardLocked = FALSE
S_UnlockGuard = TRUE
Error = FALSE
Return of S_SafetyActive signal, now waiting for operator
acknowledge.
Ready = TRUE
8014 Safety Return
S_GuardLocked = FALSE
S_UnlockGuard = FALSE
Error = FALSE

13-36
 Chapter 13. Safety Function Blocks

13.2.8 SF_MODESEL

1) Overview
This function block selects the system operation mode, such as manual, automatic, semi-automatic, etc.

SF_ModeSelector

BOOL Activate Ready BOOL

SAFEBOOL S_Mode0 S_Mode0Sel SAFEBOOL
SAFEBOOL S_Mode1 S_Mode1Sel SAFEBOOL
SAFEBOOL S_Mode2 S_Mode2Sel BOOL
SAFEBOOL S_Mode3 S_Mode3Sel WORD
SAFEBOOL S_Mode4 S_Mode4Sel BOOL
SAFEBOOL S_Mode5Sel SAFEBOOL
S_Mode5
S_Mode6 S_Mode6Sel SAFEBOOL
SAFEBOOL
S_Mode7Sel BOOL
SAFEBOOL S_Mode7
S_AnyModeSel WORD
SAFEBOOL S_Unlock
Error BOOL
SAFEBOOL S_SetMode
DiagCode WORD
BOOL AutoSetMode
TIME ModeMonitorTime
BOOL Reset

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
Input X from mode selector switch
S_ModeX FALSE: Mode X is not requested by
SAFEBOOL 0
(X = 0~7) operator.
TRUE: Mode X is requested by operator.
Locks the selected mode
FALSE: The actual S_ModeXSel output is
locked therefore a change of any S_ModeX
input does not lead to a change in the
S_Unlock SAFEBOOL 0 S_ModeXSel output even in the event of a
Input rising edge of Set-Mode.
TRUE: The selected S_ModeXSel is not
locked; a mode selection change is
possible.
Sets the selected mode
Operator acknowledges the setting of a
mode.
S_SetMode SAFEBOOL 0 Any change to new S_ModeX = TRUE
leads to S_AnyModeSel/S_ModeXSel =
FALSE, only a rising SetMode trigger then
leads to new S_ModeXSel = TRUE.

13-37
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

Parameterizes the acknowledgement
modeFALSE: A change in mode must be
acknowledged by the operator via SetMode.
TRUE: A valid change of the S_ModeX
AutoSetMode BOOL 0
input to another S_ModeX automatically
Input leads to a change in S_ModeXSel without
operator acknowledgment via SetMode (as
long as this is not locked by S_Unlock).
Maximum permissible time for changing the
ModeMonitorTime TIME T#0
selection input.
Reset BOOL 0 Reset
If TRUE, indicates that the FB is activated
Ready BOOL 0
and the output results are valid.
Indicates that mode X is selected and
acknowledged.
S_ModeXSel
SAFEBOOL 0 FALSE: Mode X is not selected or not
(X = 0~7)
active.
TRUE: Mode X is selected and active.
Indicates that any of the 8 modes is selected
and acknowledged.
Output
S_AnyModeSel SAFEBOOL 0 FALSE: No S_ModeX is selected.
TRUE: One of the 8 S_ModeX is selected
and active
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more then 16 codes.

3) Functional Description
This function block selects the system operation mode, such as manual, automatic, semi-automatic, etc. On controller startup, it
should be assumed that the machine is in safe mode. On machine startup, the transition to the mode set by the mode selector
switch must be initiated by a function block input (e.g., machine START button).
The default state following activation of the FB is the ModeChanged state. This is also the safe state of the FB, where all
S_ModeXSel and S_AnyModeSel are FALSE.
If the FB is in the ModeChanged state:
• The new S_ModeX input must be acknowledged by a rising S_SetMode trigger (if AutoSetMode = FALSE), which leads to a
new S_ModeXSel output.
• The new S_ModeX input automatically leads to a new S_ModeXSel output (if AutoSetMode = TRUE).
• Such a transition from state 8005 to 8000 is only valid, if one S_ModeX input is TRUE. As long as all S_ModeX are FALSE,
the FB remains in state 8005, even if the S_SetMode triggers.
The transition from the ModeChanged to ModeSelected state, i.e., S_SetMode set by the operator, is not monitored by a timer.
If the FB is in the ModeSelected state, the simultaneous occurrence of a new S_ModeX input (higher priority) and the NOT
S_Unlock signal (lower priority) leads to the ModeChanged state.
The S_ModeX input parameters, which are not used for mode selection, should be called with the default value FALSE to
simplify program verification.
The AutoSetMode input shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.

13-38
 Chapter 13. Safety Function Blocks

4) Typical Timing Diagrams

< Timing diagram for SF_ModeSelector, valid change in Mode input with acknowledgment>

< Timing diagram for SF_ModeSelector, error condition 2 at Mode inputs >

13-39
 Chapter 13. Safety Function Blocks

< Timing diagram for SF_ModeSelector, reset of error condition >

5) Error Detection
The FB detects whether none of the mode inputs is selected. This invalid condition is detected after ModeMonitorTime has
elapsed:
• Which restarts with each falling trigger of an S_ModeX switched mode input
• Which is then in the ModeChanged state following activation of the FB
In contrast, the FB directly detects whether more than one S_ModeX mode input is selected at the same time.
A static reset condition is detected when the FB is either in Error state C001 or C002.

6) Error Behavior
In the event of an error, the S_ModeXSel and S_AnyModeSel outputs are set to safe state = FALSE. The DiagCode output
indicates the relevant error code and the Error output is set to TRUE.
An error must be acknowledged with the rising trigger of the Reset BOOL input. The FB changes from an error state to the
ModeChanged state.

13-40
 Chapter 13. Safety Function Blocks

7) Error Codes
DiagCode State Name State Description and Output Setting
The FB detected that two or more S_ModeX are TRUE, e.g., short-
circuit of cables.
Error Ready = TRUE
C001
Short-circuit Error = TRUE
S_AnyModeSel = FALSE
All S_ModeXSel = FALSE
The FB detected that all S_ModeX are FALSE: The period
following a falling S_ModeX trigger exceeds ModeMonitorTime,
e.g., open-circuit of cables.
Error
C002 Ready = TRUE
Open-circuit
Error = TRUE
S_AnyModeSel = FALSE
All S_ModeXSel = FALSE
Static Reset signal detected in state C001.
Ready = TRUE
C003 Reset Error 1 Error = TRUE
S_AnyModeSel = FALSE
All S_ModeXSel = FALSE
Static Reset signal detected in state C002.
Ready = TRUE
C004 Reset Error 2 Error = TRUE
S_AnyModeSel = FALSE
All S_ModeXSel = FALSE

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle Error = FALSE
S_AnyModeSel = FALSE
All S_ModeXSel = FALSE
State after activation or when S_ModeX has changed (unless
locked) or after Reset of an error state.
Ready = TRUE
8005 ModeChanged
Error = FALSE
S_AnyModeSel = FALSE
All S_ModeXSel = FALSE
Valid mode selection, but not yet locked.
Ready = TRUE
8000 ModeSelected Error = FALSE
S_AnyModeSel = TRUE
S_ModeXSel = Selected X is TRUE, others are FALSE.
Valid mode selection is locked.
Ready = TRUE
8004 ModeLocked Error = FALSE
S_AnyModeSel = TRUE
S_ModeXSel = Selected X is TRUE, others are FALSE

13-41
 Chapter 13. Safety Function Blocks

13.2.9 SF_MUTINGPAR

1) Overview
Muting is the intended suppression of the safety function. In this FB, parallel muting with four muting sensors is specified.

SF_MutingPar

BOOL Activate Ready BOOL

SAFEBOOL S_AOPD_In S_AOPD_Out SAFEBOOL
BOOL MutingSwitch11 S_MutingActive SAFEBOOL
BOOL MutingSwitch12 Error BOOL
BOOL MutingSwitch21 DiagCode WORD
BOOL MutingSwitch22
SAFEBOOL S_MutingLamp
TIME DiscTime11_12
TIME DiscTime21_22
TIME MaxMutingTime
BOOL MutingEnable
SAFEBOOL S_StartReset
BOOL Reset

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
OSSD signal from AOPD.
S_AOPD_In SAFEBOOL 0 FALSE: Protection field interrupted.
TRUE: Protection field not interrupted.
Status of Muting sensor 11.
FALSE: Muting sensor 11 not actuated.
TRUE: Workpiece actuates muting sensor 11.
MutingSwitch11 BOOL 0
It shall be noted in the FB manual that a
Input
SAFEBOOL must be connected instead of a
BOOL depending on the safety requirements.
Status of Muting sensor 12.
FALSE: Muting sensor 12 not actuated.
TRUE: Workpiece actuates muting sensor 12.
MutingSwitch12 BOOL 0
It shall be noted in the FB manual that a
SAFEBOOL must be connected instead of a
BOOL depending on the safety requirements.

13-42
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

Status of Muting sensor 21.
FALSE: Muting sensor 21 not actuated.
TRUE: Workpiece actuates muting sensor 21.
MutingSwitch21 BOOL 0
It shall be noted in the FB manual that a
SAFEBOOL must be connected instead of a
BOOL depending on the safety requirements.
Status of Muting sensor 22.
FALSE: Muting sensor 22 not actuated.
TRUE: Workpiece actuates muting sensor 22.
MutingSwitch22 BOOL 0
It shall be noted in the FB manual that a
SAFEBOOL must be connected instead of a
BOOL depending on the safety requirements.
Indicates operation of the muting lamp.
S_MutingLamp SAFEBOOL 0 FALSE: Muting lamp failure.
TRUE: Muting lamp no failure.
Constant 0..4 s;
DiscTime11_12 TIME T#0s Maximum discrepancy time for
MutingSwitch11 and MutingSwitch12.
Constant 0..4 s;
DiscTime21_22 TIME T#0s Maximum discrepancy time for
MutingSwitch21 and MutingSwitch22
Constant 0..10 min;
Input Maximum time for complete muting
MaxMutingTime TIME T#0s
sequence, timer started when first muting
sensor is actuated.
Command by the control system that enables
the start of the muting function when needed
by the machine cycle. After the start of the
MutingEnable BOOL 0 muting function, this signal can be switched
off.
FALSE: Muting not enabled
TRUE: Start of Muting function enabled
FALSE (= initial value): Manual reset when
PES is started (warm or cold).
TRUE: Automatic reset when PES is started
(warm or cold).
This function shall only be activated if it is
ensured that no hazard can occur at the start
S_StartReset SAFEBOOL 0
of the PES. Therefore the use of the
Automatic Circuit Reset feature of the function
blocks requires implementation of other
system or application measures to ensure that
unexpected (or unintended) startup does not
occur.
Reset BOOL 0 Reset

13-43
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

If TRUE, indicates that the FB is activated and
Ready BOOL 0
the output results are valid.
Safety related output, indicates status of the
muted guard.
FALSE: AOPD protection field interrupted and
S_AOPD_Out SAFEBOOL 0
muting not active.
TRUE: AOPD protection field not interrupted
or muting active.
Output Indicates status of Muting process.
S_MutingActive SAFEBOOL 0 FALSE: Muting not active.
TRUE: Muting active.
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more then 16 codes.

3) Functional Description
Muting is the intended suppression of the safety function. This is required, e.g., when transporting the material into the danger
zone without causing the machine to stop. Muting is triggered by muting sensors. The use of two or four muting sensors and
correct integration into the production sequence must ensure that no persons enter the danger zone while the light curtain is
muted. Muting sensors can be proximity switches, photoelectric barriers, limit switches, etc. which do not have to be failsafe.
Active muting mode must be indicated by indicator lights.
There are sequential and parallel muting procedures. In this FB, parallel muting with four muting sensors was used; an
explanation is provided below. The FB can be used in both directions, forward and backward. The muting should be enabled
with the MutingEnable signal by the process control to avoid manipulation.
The FB input parameters include the signals of the four muting sensors (MutingSwitch11 ... MutingSwitch22), the OSSD signal
from the "active opto-electronic protective device", S_AOPD_In, as well as three parameterizable times (DiscTime11_12,
DiscTime21_22, and MaxMutingTime).
The S_StartReset input shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.

Step 1: If the muting sensors MutingSwitch11 (MS_11) and MutingSwitch12 (MS_12) are activated by the product within the
time DiscTime11_12, muting mode is activated (S_MutingActive = TRUE).
Step 2: Muting mode remains active as long as MutingSwitch11 (MS_11) and MutingSwitch12 (MS_12) are activated by the
product. The product may pass through the light curtain without causing a machine stop.
Step 3: Before muting sensors MutingSwitch11 (MS_11) and MutingSwitch12 (MS_12) are disabled, muting sensors
MutingSwitch21 (MS_21) and MutingSwitch22 (MS_22) must be activated. This ensures that muting mode remains active. The
time discrepancy between switching of MutingSwitch21 and MutingSwitch22 is monitored by the time DiscTime21_22.
Step 4: Muting mode is terminated if either muting sensor MutingSwitch21 (MS_21) or MutingSwitch22 (MS_22) is disabled by
the product. The maximum time for muting mode to be active is the Max-MutingTime.

13-44
 Chapter 13. Safety Function Blocks

No. Figure

13-45
 Chapter 13. Safety Function Blocks

4) Typical Timing Diagrams

5) Error Detection
The FB detects the following error conditions:
• DiscTime11_12 and DiscTime21_22 have been set to values less than T#0s or greater than T#4s.
• MaxMutingTime has been set to a value less than T#0s or greater than T#10min.
• The discrepancy time for the MutingSwitch11/MutingSwitch12 or MutingSwitch21/MutingSwitch22 sensor pairs has been
exceeded.
• The muting function (S_MutingActive = TRUE) exceeds the maximum muting time MaxMutingTime.
• Muting sensors MutingSwitch11, MutingSwitch12, MutingSwitch21, and MutingSwitch22 are activated in the wrong order.
• Muting sequence starts without being enabled by MutingEnable
• A faulty muting lamp is indicated by S_MutingLamp = FALSE.
• A static Reset condition is detected in state 8001 and 8003.

6) Error Behavior
In the event of an error, the S_AOPD_Out and S_MutingActive outputs are set to FALSE. The DiagCode output indicates the
relevant error code and the Error output is set to TRUE.
A restart is inhibited until the error conditions are cleared and the Safe state is acknowledged with Reset by the operator.

7) Error Codes

DiagCode State Name State Description and Output Setting

Static Reset condition detected after FB activation in state 8001.
Ready = TRUE
C001 Reset Error 1 S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Static Reset condition detected in state 8003.
Ready = TRUE
C002 Reset Error 2 S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE

13-46
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

Error detected in muting lamp.
Ready = TRUE
C003 Error Muting Lamp S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Error detected in muting sequence state 8000, 8011, 8311, 8012,
8021, 8014, 8314, 8122, 8422, 8121, 8112, 8114 or 8414.
Ready = TRUE
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Y = Status in the sequence (6 states for forward and 6 states for
backward direction).
C0x4 = Error occurred in state 8000
C1x4 = Error occurred in state Forward 8011
C2x4 = Error occurred in state Forward 8311
C3x4 = Error occurred in state Forward 8012
CYx4 Error Muting sequence
C4x4 = Error occurred in state Forward 8014
C5x4 = Error occurred in state Forward 8314
C6x4 = Error occurred in state Forward 8021
C7x4 = Error occurred in state Backward 8122
C8x4 = Error occurred in state Backward 8422
C9x4 = Error occurred in state Backward 8121
CAx4 = Error occurred in state Backward 8114
CBx4 = Error occurred in state Backward 8414
CCx4 = Error occurred in state Backward 8112
CFx4 = Muting Enable missing
x = Status of the sensors when error occurred (4 bits: LSB =
MS_11; MS_12; MS_21; MSB = MS_22)
DiscTime11_12, DiscTime21_22 or MaxMutingTime value out of
range.
Ready = TRUE
C005 Parameter Error
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Timing error: Active muting time (when S_MutingActive = TRUE)
exceeds MaxMutingTime.
Ready = TRUE
C006 Error Timer MaxMuting
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Timing error: Discrepancy time for switching MutingSwitch11 and
MutingSwitch12 > DiscTime11_12.
Ready = TRUE
C007 Error Timer MS11_12
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE

13-47
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

Timing error: Discrepancy time for switching MutingSwitch21 and
MutingSwitch22 > DiscTime21_22.
Ready = TRUE
C008 Error Timer MS21_22
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE

13-48
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Muting not active and no safety demand from AOPD. If timers
from subsequent muting are still running, they are stopped.
Ready = TRUE
8000 AOPD Free
S_AOPD_Out = TRUE
S_MutingActive = FALSE
Error = FALSE
Function block has been activated.
Ready = TRUE
8001 Init S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Safety demand detected by AOPD, muting not active.
Ready = TRUE
8002 Safety Demand AOPD S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Safety demand or errors have been detected and are now
cleared. Operator acknowledgment by Reset required.
Ready = TRUE
8003 Wait for Reset
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Safety function activated.
Ready = TRUE
8005 Safe S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Muting forward sequence is in starting phase after rising trigger
of MutingSwitch 11. Monitoring of DiscTime11_12 is activated.
Monitoring of MaxMutingTime is activated.
8011 Muting Forward Start 1 Ready = TRUE
S_AOPD_Out = TRUE
S_MutingActive = FALSE
Error = FALSE
Muting forward sequence is in starting phase after rising trigger
of MutingSwitch 12. Monitoring of DiscTime11_12 is activated.
Monitoring of MaxMutingTime is activated.
8311 Muting Forward Start 2 Ready = TRUE
S_AOPD_Out = TRUE
S_MutingActive = FALSE
Error = FALSE

13-49
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

Muting forward sequence is active either:
- After rising trigger of the second entry MutingSwitch 12 or 11
has been detected.
- When both MutingSwitch 11 and 12 have been actuated in the
same cycle.
Monitoring of DiscTime11_12 is stopped. Monitoring of
8012 Muting Forward Active 1
MaxMuting-Time is activated, when transition came directly from
state 8000.
Ready = TRUE
S_AOPD_Out = TRUE
S_MutingActive = TRUE
Error = FALSE
Muting forward sequence is active. MutingSwitch21 is the first
exit switch actuated. Monitoring of DiscTime21_22 is started.
Ready = TRUE
8014 Muting Forward Step 1
S_AOPD_Out = TRUE
S_MutingActive = TRUE
Error = FALSE
Muting forward sequence is active. MutingSwitch22 is the first
exit switch actuated. Monitoring of DiscTime21_22 is started.
Ready = TRUE
8314 Muting Forward Step 2
S_AOPD_Out = TRUE
S_MutingActive = TRUE
Error = FALSE
Muting forward sequence is still active. Both MutingSwitch21
and 22 are actuated, the monitoring of DiscTime21_22 is
stopped.
8021 Muting Forward Active 2 Ready = TRUE
S_AOPD_Out = TRUE
S_MutingActive = TRUE
Error = FALSE
Muting backward sequence is in starting phase after rising
trigger of MutingSwitch21. Monitoring of DiscTime21_22 is
activated. Monitoring of MaxMutingTime is activated.
8122 Muting Backward Start 1 Ready = TRUE
S_AOPD_Out = TRUE
S_MutingActive = FALSE
Error = FALSE
Muting backward sequence is in starting phase after rising
trigger of MutingSwitch22. Monitoring of DiscTime21_22 is
activated. Monitoring of MaxMutingTime is activated.
8422 Muting Backward Start 2 Ready = TRUE
S_AOPD_Out = TRUE
S_MutingActive = FALSE
Error = FALSE

13-50
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

Muting backward sequence is active either:
- After rising trigger of the second MutingSwitch 21 or 22 has
been detected.
- When both MutingSwitch 21 and 22 have been actuated in the
same cycle.
Monitoring of DiscTime21_22 is stopped. Monitoring of
8121 Muting Backward Active 1
MaxMuting-Time is activated, when transition came directly from
state 8000.
Ready = TRUE
S_AOPD_Out = TRUE
S_MutingActive = TRUE
Error = FALSE
Muting backward sequence is active. MutingSwitch11 is the first
exit switch actuated. Monitoring of DiscTime11_12 is started.
Ready = TRUE
8114 Muting Backward Step 1
S_AOPD_Out = TRUE
S_MutingActive = TRUE
Error = FALSE
Muting backward sequence is active. MutingSwitch12 is the first
exit switch actuated. Monitoring of DiscTime11_12 is started.
Ready = TRUE
8414 Muting Backward Step 2
S_AOPD_Out = TRUE
S_MutingActive = TRUE
Error = FALSE
Muting backward sequence is still active. Both exit switches
MutingSwitch11 and 12 are actuated, the monitoring of
DiscTime11_12 is stopped.
8112 Muting Backward Active 2 Ready = TRUE
S_AOPD_Out = TRUE
S_MutingActive = TRUE
Error = FALSE

13-51
 Chapter 13. Safety Function Blocks

13.2.10 SF_MUTINGPAR_2SENSOR

1) Overview
Muting is the intended suppression of the safety function. In this FB, parallel muting with two muting sensors is specified..

SF_MutingPar_2Sensor

BOOL Activate Ready BOOL

SAFEBOOL S_AOPD_In S_AOPD_Out SAFEBOOL
SAFEBOOL S_MutingSwitch11 S_MutingActive SAFEBOOL
SAFEBOOL S_MutingSwitch12 Error BOOL
SAFEBOOL S_MutingLamp DiagCode WORD
TIME DiscTimeEntry
TIME MaxMutingTime
BOOL MutingEnable
SAFEBOOL S_StartReset
BOOL Reset

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
OSSD signal from AOPD.
S_AOPD_In SAFEBOOL 0 FALSE: Protection field interrupted.
TRUE: Protection field not interrupted.
Status of Muting sensor 11.
MutingSwitch11 BOOL 0 FALSE: Muting sensor 11 not actuated.
TRUE: Workpiece actuates muting sensor 11.
Status of Muting sensor 12.
MutingSwitch12 BOOL 0 FALSE: Muting sensor 12 not actuated.
TRUE: Workpiece actuates muting sensor 12
Input
Indicates operation of the muting lamp.
S_MutingLamp SAFEBOOL 0 FALSE: Muting lamp failure.
TRUE: Muting lamp no failure.
Constant 0..4 s;
DiscTimeEntry TIME T#0s Max. discrepancy time for S_MutingSwitch11
and S_MutingSwitch12 entering muting gate
Constant 0..10 min;
Maximum time for complete muting
MaxMutingTime TIME T#0s
sequence, timer started when first muting
sensor is actuated.

13-52
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

Command by the control system that enables
the start of the muting function when needed
by the machine cycle. After the start of the
MutingEnable BOOL 0 muting function, this signal can be switched
off.
FALSE: Muting not enabled
TRUE: Start of Muting function enabled
FALSE (= initial value): Manual reset when
PES is started (warm or cold).
TRUE: Automatic reset when PES is started
Input
(warm or cold).
This function shall only be activated if it is
ensured that no hazard can occur at the start
S_StartReset SAFEBOOL 0
of the PES. Therefore the use of the
Automatic Circuit Reset feature of the function
blocks requires implementation of other
system or application measures to ensure that
unexpected (or unintended) startup does not
occur.
Reset BOOL 0 Reset
If TRUE, indicates that the FB is activated and
Ready BOOL 0
the output results are valid.
Safety related output, indicates status of the
muted guard.
FALSE: AOPD protection field interrupted and
S_AOPD_Out SAFEBOOL 0
muting not active.
TRUE: AOPD protection field not interrupted
or muting active.
Output Indicates status of Muting process.
S_MutingActive SAFEBOOL 0 FALSE: Muting not active.
TRUE: Muting active.
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more than 16 codes.

13-53
 Chapter 13. Safety Function Blocks

3) Functional Description
Muting is the intended suppression of the safety function. This is required, e.g., when transporting the material into the danger
zone without causing the machine to stop. Muting is triggered by muting sensors. The use of two muting sensors and correct
integration into the production sequence must ensure that no persons enter the danger zone while the light curtain is muted.
Muting sensors can be push buttons, proximity switches, photoelectric barriers, limit switches, etc. which do not have to be
failsafe. Active muting mode must be indicated by indicator lights.

There are sequential and parallel muting procedures. In this FB, parallel muting with two muting sensors was used; an
explanation is provided below. The positioning of the sensors should be as described in Annex F.7 of IEC 62046, CD 2005, as
shown in Figure 48. The FB can be used in both directions, forward and backward. However, the actual direction cannot be
identified. The muting should be enabled with the MutingEnable signal by the process control to avoid manipulation.

The FB input parameters include the signals of the two muting sensors (S_MutingSwitch11 and S_MutingSwitch12), the OSSD
signal from the "active opto-electronic protective device", S_AOPD_In, as well as two parameterizable times (Disc-TimeEntry
and MaxMutingTime).

The S_StartReset input shall only be activated if it is ensured that no hazardous situation can occur when the PES is started
Step 1: If reflection light barriers are used as muting sensors, they are generally arranged diagonally. In general, this
arrangement of reflection light barriers as muting sensors requires only two light barriers, and only S_MutingSwitch11 (MS_11)
and S_MutingSwitch12 (MS_12) are allocated.

NO. Figure

13-54
 Chapter 13. Safety Function Blocks

4) Typical Timing Diagrams

5) Error Detection
The FB detects the following error conditions:
• DiscTimeEntry has been set to value less than T#0s or greater than T#4s.
• MaxMutingTime has been set to a value less than T#0s or greater than T#10min.
• The discrepancy time for the S_MutingSwitch11/S_MutingSwitch12 sensor pair has been exceeded.
• The muting function (S_MutingActive = TRUE) exceeds the maximum muting time MaxMutingTime.
• Muting sensors S_MutingSwitch11,S_MutingSwitch12 are activated in the wrong order.
• Muting sequence starts without being enabled by MutingEnable
• Static muting sensor signals.
• A faulty muting lamp is indicated by S_MutingLamp = FALSE.
• A static Reset condition is detected in state 8001 and 8003.

6) Error Behavior
In the event of an error, the S_AOPD_Out and S_MutingActive outputs are set to FALSE. The DiagCode output indicates the
relevant error code and the Error output is set to TRUE.
A restart is inhibited until the error conditions are cleared and the Safe state is acknowledged with Reset by the operator.

13-55
 Chapter 13. Safety Function Blocks

7) Error Codes

DiagCode State Name State Description and Output Setting

Static Reset condition detected after FB activation in state 8001.
Ready = TRUE
C001 Reset Error 1 S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Static Reset condition detected in state 8003.
Ready = TRUE
C002 Reset Error 2 S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Error detected in muting lamp.
Ready = TRUE
C003 Error Muting Lamp S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Error detected in muting sequence state 8000, 8011, 8311.
Ready = TRUE
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Y = Status in the sequence
CYx4 Error Muting sequence
C0x4 = Error occurred in state 8000
C1x4 = Error occurred in state 8011
C2x4 = Error occurred in state 8311
CFx4 = Muting Enable missing
x = Status of the sensors when error occurred (4 bits: LSB =
MS_11; next to LSB = MS_12).
DiscTimeEntry or MaxMutingTime value out of range.
Ready = TRUE
C005 Parameter Error S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Timing error: Active muting time (when S_MutingActive = TRUE)
exceeds MaxMutingTime.
Ready = TRUE
C006 Error timer MaxMuting
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Timing error: Discrepancy time for switching S_MutingSwitch11
and S_MutingSwitch12 from FALSE to TRUE > DiscTimeEntry.
Ready = TRUE
C007 Error timer Entry
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE

13-56
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Muting not active and no safety demand from AOPD. If timers
from subsequent muting are still running, they are stopped.
Ready = TRUE
8000 AOPD Free
S_AOPD_Out = TRUE
S_MutingActive = FALSE
Error = FALSE
Function block was activated.
Ready = TRUE
8001 Init S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Safety demand detected by AOPD, muting not active.
Ready = TRUE
8002 Safety Demand AOPD S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Safety demand or errors have been detected and are now
cleared. Operator acknowledgment by Reset required.
Ready = TRUE
8003 Wait for Reset
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Safety function activated.
Ready = TRUE
8005 Safe S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Muting sequence is in starting phase after rising trigger of
S_MutingSwitch11. Monitoring of DiscTimeEntry is activated.
Ready = TRUE
8011 Muting Start 1
S_AOPD_Out = TRUE
S_MutingActive = FALSE
Error = FALSE
Muting sequence is in starting phase after rising trigger of
S_MutingSwitch12. Monitoring of DiscTimeEntry is activated.
Ready = TRUE
8311 Muting Start 2
S_AOPD_Out = TRUE
S_MutingActive = FALSE
Error = FALSE

13-57
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

Muting sequence is active either:
- After rising trigger of the second S_MutingSwitch 12 or 11 has
been detected.
- When both S_MutingSwitch 11 and 12 have been actuated in
the same cycle.
8012 Muting Active Monitoring of DiscTimeEntry is stopped. Monitoring of
MaxMutingTime is activated.
Ready = TRUE
S_AOPD_Out = TRUE
S_MutingActive = TRUE
Error = FALSE

13-58
 Chapter 13. Safety Function Blocks

13.2.11 SF_MUTINGSEQ

1) Overview
Muting is the intended suppression of the safety function (e.g., light barriers). In this FB, sequential muting with four muting
sensors is specified.

SF_MutingSeq

BOOL Activate Ready BOOL

SAFEBOOL S_AOPD_In S_AOPD_Out SAFEBOOL
BOOL S_MutingSwitch11 S_MutingActive SAFEBOOL
BOOL S_MutingSwitch12 Error BOOL
BOOL S_MutingSwitch21 DiagCode WORD
BOOL S_MutingSwitch22
SAFEBOOL S_MutingLamp
TIME MaxMutingTime
BOOL MutingEnable
SAFEBOOL S_StartReset
BOOL Reset

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
OSSD signal from AOPD.
S_AOPD_In SAFEBOOL 0 FALSE: Protection field interrupted.
TRUE: Protection field not interrupted.
Status of Muting sensor 11.
FALSE: Muting sensor 11 not actuated.
TRUE: Workpiece actuates muting sensor
11.
MutingSwitch11 BOOL 0
It shall be noted in the FB manual that a
SAFEBOOL must be connected instead of
Input
a BOOL depending on the safety
requirements.
Status of Muting sensor 12.
FALSE: Muting sensor 12 not actuated.
TRUE: Workpiece actuates muting sensor
12.
MutingSwitch12 BOOL 0
It shall be noted in the FB manual that a
SAFEBOOL must be connected instead of
a BOOL depending on the safety
requirements.

13-59
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

Status of Muting sensor 21.
FALSE: Muting sensor 21 not actuated.
TRUE: Workpiece actuates muting sensor
21.
MutingSwitch21 BOOL 0
It shall be noted in the FB manual that a
SAFEBOOL must be connected instead of
a BOOL depending on the safety
requirements.
Status of Muting sensor 22.
FALSE: Muting sensor 22 not actuated.
TRUE: Workpiece actuates muting sensor
22.
MutingSwitch22 BOOL 0
It shall be noted in the FB manual that a
SAFEBOOL must be connected instead of
a BOOL depending on the safety
requirements.
Indicates operation of the muting lamp.
S_MutingLamp SAFEBOOL 0 FALSE: Muting lamp failure.
TRUE: Muting lamp no failure
Constant 0 .. 10 min;
Maximum time for complete muting
MaxMutingTime TIME T#0s
Input sequence, timer started when first muting
sensor is actuated.
Command by the control system that
enables the start of the muting function
when needed by the machine cycle. After
MutingEnable BOOL 0 the start of the muting function, this signal
can be switched off.
FALSE: Muting not enabled
TRUE: Start of Muting function enabled
FALSE (= initial value): Manual reset when
PES is started (warm or cold).
TRUE: Automatic reset when PES is started
(warm or cold).
This function shall only be activated if it is
ensured that no hazard can occur at the
S_StartReset SAFEBOOL 0
start of the PES. Therefore the use of the
Automatic Circuit Reset feature of the
function blocks requires implementation of
other system or application measures to
ensure that unexpected (or unintended)
startup does not occur.
Reset BOOL 0 Reset

13-60
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

If TRUE, indicates that the FB is activated
Ready BOOL 0
and the output results are valid.
Safety related output, indicates status of the
muted guard.
FALSE: AOPD protection field interrupted
S_AOPD_Out SAFEBOOL 0
and muting not active.
TRUE: AOPD protection field not interrupted
or muting active.
Output Indicates status of Muting process.
S_MutingActive SAFEBOOL 0 FALSE: Muting not active.
TRUE: Muting active.
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more than 16 codes.

3) Functional Description
Muting is the intended suppression of the safety function. This is required, e.g., when transporting the material into the danger
zone without causing the machine to stop. Muting is triggered by muting sensors. The use of two or four muting sensors and
correct integration into the production sequence must ensure that no persons enter the danger zone while the light curtain is
muted. Muting sensors can be proximity switches, photoelectric barriers, limit switches, etc. which do not have to be failsafe.
Active muting mode must be indicated by indicator lights.

There are sequential and parallel muting procedures. In this FB, sequential muting with four muting sensors was used; an
explanation for the forward direction of transportation is provided below. The FB can be used in both directions, forward and
backward. The muting should be enabled with the MutingEnable signal by the process control to avoid manipulation. When the
MutingEnable signal is not available, this input must be set to TRUE.

The FB input parameters include the signals of the four muting sensors (MutingSwitch11 ... MutingSwitch22) as well as the
OSSD signal from the "active opto-electronic protective device", S_AOPD_In.

The S_StartReset input shall only be activated if it is ensured that no hazardous situation can occur when the PES is started.

Step 1 : If muting sensor MutingSwitch12 (MS_12) is activated by the product after MutingSwitch11 (MS_11), the muting mode
is activated.

Step 2 : Muting mode remains active as long as MutingSwitch11 (MS_11) and MutingSwitch12 (MS_12) are activated by the
product. The product may pass through the light curtain without causing a machine stop.

Step 3 : Before muting sensors MutingSwitch11 (MS_11) and MutingSwitch12 (MS_12) are disabled, muting sensors
MutingSwitch21 (MS_21) and MutingSwitch22 (MS_22) must be activated. This ensures that muting mode remains active.

Step 4 : Muting mode is terminated if only muting sensor MutingSwitch22 (MS_22) is activated by the product.

13-61
 Chapter 13. Safety Function Blocks

NO. Figure

13-62
 Chapter 13. Safety Function Blocks

4) Typical Timing Diagrams

5) Error Detection
The FB detects the following error conditions:
• Muting sensors MutingSwitch11, MutingSwitch12, MutingSwitch21, and MutingSwitch22 are activated in the wrong order.
• Muting sequence starts without being enabled by MutingEnable
• A faulty muting lamp is indicated by S_MutingLamp = FALSE.
• A static Reset condition.
• MaxMutingTime has been set to a value less than T#0s or greater than T#10min.
• The muting function (S_MutingActive = TRUE) exceeds the maximum muting time MaxMutingTime.

13-63
 Chapter 13. Safety Function Blocks

6) Error Behavior
In the event of an error, the S_AOPD_Out and S_MutingActive outputs are set to FALSE. The DiagCode output indicates the
relevant error code and the Error output is set to TRUE.
A restart is inhibited until the error conditions are cleared and the Safe state is acknowledged with Reset by the operator.

7) Error Codes
DiagCode State Name State Description and Output Setting
Static Reset condition detected after FB activation.
Ready = TRUE
C001 Reset Error 1 S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Static Reset condition detected in state 8003.
Ready = TRUE
C002 Reset Error 2 S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Error detected in muting lamp.
Ready = TRUE
C003 Error Muting lamp S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Error detected in muting sequence in states 8000, 8011, 8012,
8112 or 8122.
Ready = TRUE
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Y = Status in the sequence (2 states for forward and 2 states for
backward direction).
CYx4 Error Muting sequence
C0x4 = Error occurred in state 8000
C1x4 = Error occurred in state Forward 8011
C2x4 = Error occurred in state Forward 8012
C3x4 = Error occurred in state Backward 8122
C4x4 = Error occurred in state Backward 8112
CFx4 = Muting Enable missing
x = Status of the sensors when error occurred (4 bits: LSB =
MS_11; MS_12; MS_21; MSB = MS_22).
MaxMutingTime value out of range.
Ready = TRUE
C005 Parameter Error S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE
Timing error: Active muting time (when S_MutingActive = TRUE)
exceeds MaxMutingTime.
Ready = TRUE
C006 Error Timer MaxMuting
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = TRUE

13-64
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Muting not active and no safety demand from AOPD.
Ready = TRUE
8000 AOPD Free S_AOPD_Out = TRUE
S_MutingActive = FALSE
Error = FALSE
Function block has been activated.
Ready = TRUE
8001 Init S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Safety demand detected by AOPD, muting not active.
Ready = TRUE
8002 Safety Demand AOPD S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Safety demand or errors have been detected and are now
cleared. Operator acknowledgment by Reset required.
Ready = TRUE
8003 Wait for Reset
S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Safety function activated.
Ready = TRUE
8005 Safe S_AOPD_Out = FALSE
S_MutingActive = FALSE
Error = FALSE
Muting forward, sequence is in starting phase and no safety
demand.
Ready = TRUE
8011 Muting Forward Start
S_AOPD_Out = TRUE
S_MutingActive = FALSE
Error = FALSE
Muting forward, sequence is active.
Ready = TRUE
8012 Muting Forward Active S_AOPD_Out = TRUE
S_MutingActive = TRUE
Error = FALSE
Muting backward, sequence is active.
Ready = TRUE
8112 Muting Backward Active S_AOPD_Out = TRUE
S_MutingActive = TRUE
Error = FALSE

13-65
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

Muting backward, sequence is in starting phase and no safety
demand.
Ready = TRUE
8122 Muting Backward Start
S_AOPD_Out = TRUE
S_MutingActive = FALSE
Error = FALSE

13-66
 Chapter 13. Safety Function Blocks

13.2.12 SF_OUTCONTROL

1) Overview
Control of a safety output with a signal from the functional application and a safety signal with optional startup inhibits.

SF_OutControl

BOOL Activate Ready BOOL

SAFEBOOL S_SafeControl S_OutControl SAFEBOOL
BOOL ProcessControl Error BOOL
BOOL StaticControl DiagCode WORD
SAFEBOOL S_StartReset
SAFEBOOL S_AutoReset
BOOL Reset

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
Control signal of the preceding safety FB.
Typical function block signals from the library
(e.g., SF_EStop, SF_GuardMonitoring,
SF_TwoHandControlTypeII, and/or others).
S_SafetyControl SAFEBOOL 0
FALSE: The preceding safety FB’s are in safe
state.
TRUE: The preceding safety FB’s enable
safety control.
Control signal from the functional application.
FALSE: Request to set S_OutControl to
Input
ProcessControl BOOL 0 FALSE.
TRUE: Request to set S_OutControl to
TRUE.
Optional conditions for process control.
FALSE: Dynamic change at ProcessControl
(FALSE => TRUE) required after block
activation or triggered safety function.
StaticControl BOOL 0
Additional function start required.
TRUE: No dynamic change at ProcessControl
(FALSE => TRUE) required after block
activation or triggered safety function.

13-67
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

FALSE (= initial value): Manual reset when
PES is started (warm or cold).
TRUE: Automatic reset when PES is started
(warm or cold).
This function shall only be activated if it is
ensured that no hazard can occur at the start
S_StartReset SAFEBOOL 0
of the PES. Therefore the use of the
Automatic Circuit Reset feature of the function
blocks requires implementation of other
system or application measures to ensure that
unexpected (or unintended) startup does not
occur.
Input FALSE (= initial value): Manual reset when
emergency stop button is released.
TRUE: Automatic reset when emergency stop
button is released.
This function shall only be activated if it is
ensured that no hazard can occur at the start
S_AutoReset SAFEBOOL 0
of the PES. Therefore the use of the
Automatic Circuit Reset feature of the function
blocks requires implementation of other
system or application measures to ensure that
unexpected (or unintended) startup does not
occur.
Reset BOOL 0 Reset
If TRUE, indicates that the FB is activated and
Ready BOOL 0
the output results are valid.
Controls connected actuators.
S_OutControl SAFEBOOL 0 FALSE: Disable connected actuators.
TRUE: Enable connected actuators.
Output Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more than 16 codes.

3) Functional Description
General:
The SF_OutControl FB is an output driver for a safety output.
The safety output is controlled via S_OutControl using a signal from the functional application (ProcessControl/BOOL to control
the process) and a signal from the safety application (S_SafeControl/SAFEBOOL to control the safety function).

Optional conditions for process control (ProcessControl):

• An additional function start (ProcessControl FALSE => TRUE) is required following block activation or feedback of the safe
signal (S_SafeControl). A static TRUE signal at ProcessControl does not set S_OutControl to TRUE.
• An additional function start (ProcessControl FALSE => TRUE) is not required following block activation or feedback of the safe
signal (S_SafeControl). A static TRUE signal at ProcessControl sets S_OutControl to TRUE if the other conditions have been

13-68
 Chapter 13. Safety Function Blocks

met.

Optional startup inhibits:

• Startup inhibit after function block activation.
• Startup inhibit after interruption of the protective device.

The StaticControl, S_StartReset and S_AutoReset inputs shall only be activated if it is ensured that no hazardous situation can
occur when the PES is started.

4) Typical Timing Diagrams

< S_StartReset=Off >

< S_StartReset=On >

13-69
 Chapter 13. Safety Function Blocks

5) Error Detection
The following conditions force a transition to the Error state:
• Invalid static Reset signal in the process.
• Invalid static ProcessControl signal.
• ProcessControl and Reset are incorrectly interconnected due to programming error.

6) Error Behavior
In the event of an error, the S_OutControl output is set to FALSE and remains in this safe state.
To leave the Reset, Init or Lock error states, the Reset input must be set to FALSE. To leave the Control error state, the
ProcessControl input must be set to FALSE.
After transition of S_SafeControl to TRUE, the optional startup inhibit can be reset by a rising edge at the Reset input.
After block activation, the optional startup inhibit can be reset by a rising edge at the Reset input.

7) Error Codes

DiagCode State Name State Description and Output Setting

Static Reset signal in state 8001.
Ready = TRUE
C001 Reset Error 1 S_OutControl = FALSE
Error = TRUE

Static Reset signal in state 8003.

Ready = TRUE
C002 Reset Error 2
S_OutControl = FALSE
Error = TRUE
Static signal at ProcessControl in state 8010.
Ready = TRUE
C010 Control Error
S_OutControl = FALSE
Error = TRUE
Simultaneous rising trigger at Reset and ProcessControl in state
8001.
C111 Init Error Ready = TRUE
S_OutControl = FALSE
Error = TRUE
Simultaneous rising trigger at Reset and ProcessControl in state
8003.
C211 Lock Error Ready = TRUE
S_OutControl = FALSE
Error = TRUE

13-70
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle
S_OutControl = FALSE
Error = FALSE
Block activation startup inhibit is active. Reset required.
Ready = TRUE
8001 Init
S_OutControl = FALSE
Error = FALSE
Triggered safety function.
Ready = TRUE
8002 Safe
S_OutControl = FALSE
Error = FALSE
Safety function startup inhibit is active. Reset required.
Ready = TRUE
8003 Lock
S_OutControl = FALSE
Error = FALSE
Process control is not active.
Ready = TRUE
8010 Output Disable
S_OutControl = FALSE
Error = FALSE
Process control is active and safety is enabled.
Ready = TRUE
8000 Output Enable
S_OutControl = TRUE
Error = FALSE

13-71
 Chapter 13. Safety Function Blocks

13.2.13 SF_SAFEGUARD

1) Overview
This function block monitors the relevant safety guard. There are two independent input parameters for two switches at the
safety guard coupled with a time difference (MonitoringTime) for closing the guard.

SF_GuardMonitoring

BOOL Activate Ready BOOL

SAFEBOOL S_GuardSwitch1 S_GuardMonitoring SAFEBOOL
SAFEBOOL S_GuardSwitch2 Error BOOL
TIME DiscrepancyTime DiagCode WORD
SAFEBOOL S_StartReset
SAFEBOOL S_AutoReset
BOOL Reset

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
Guard switch 1 input.
S_GuardSwitch1 SAFEBOOL 0 FALSE: Guard is open.
TRUE: Guard is closed.
Guard switch 2 input.
S_GuardSwitch2 SAFEBOOL 0 FALSE: Guard is open.
TRUE: Guard is closed.
Configures the monitored synchronous time
DiscrepancyTime Time T#0ms
between S_GuardSwitch1 and S_GuardSwitch2.
FALSE (= initial value): Manual reset when PES is
Input
started (warm or cold).
TRUE: Automatic reset when PES is started
(warm or cold).
This function shall only be activated if it is ensured
S_StartReset SAFEBOOL 0 that no hazard can occur at the start of the PES.
Therefore the use of the Automatic Circuit Reset
feature of the function blocks requires
implementation of other system or application
measures to ensure that unexpected (or
unintended) startup does not occur.

13-72
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

FALSE (= initial value): Manual reset when
emergency stop button is released.
TRUE: Automatic reset when emergency stop
button is released.
This function shall only be activated if it is ensured
S_AutoReset SAFEBOOL 0 that no hazard can occur at the start of the PES.
Therefore the use of the Automatic Circuit Reset
feature of the function blocks requires
implementation of other system or application
measures to ensure that unexpected (or
unintended) startup does not occur.
Reset BOOL 0 Reset
If TRUE, indicates that the FB is activated and the
Ready BOOL 0
output results are valid.
Output indicating the status of the guard.
FALSE: Guard is not active.
S_GuardMonitoring SAFEBOOL 0
TRUE: both S_GuardSwitches are TRUE, no
error and acknowledgment. Guard is active.
Output
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent more
than 16 codes.

3) Functional Description
The function block requires two inputs indicating the guard position for safety guards with two switches, a DiscrepancyTime input
and Reset input. If the safety guard only has one switch, the S_GuardSwitch1 and S_GuardSwitch2 inputs can be bridged. The
monitoring time is the maximum time required for both switches to respond when closing the safety guard. The Reset,
S_StartReset, and S_AutoReset inputs determine how the function block is reset after the safety guard has been opened.
When opening the safety guard, both S_GuardSwitch1 and S_GuardSwitch2 inputs should switch to FALSE. The
S_GuardMonitoring output switches to FALSE as soon as one of the switches is set to FALSE. When closing the safety guard,
both S_GuardSwitch1 and S_GuardSwitch2 inputs should switch to TRUE.
This FB monitors the symmetry of the switching behavior of both switches. The S_GuardMonitoring output remains FALSE if
only one of the contacts has completed an open/close process.
The behavior of the S_GuardMonitoring output depends on the time difference between the switching inputs. The discrepancy
time is monitored as soon as the value of both S_GuardSwitch1/S_GuardSwitch2 inputs differs. If the DiscrepancyTime has
elapsed, but the inputs still differ, the S_GuardMonitoring output remains FALSE. If the second corresponding
S_GuardSwitch1/S_GuardSwitch2 input switches to TRUE within the value specified for the DiscrepancyTime input, the
S_GuardMonitoring output is set to TRUE following acknowledgment.
The S_StartReset and S_AutoReset inputs shall only be activated if it is ensured that no hazardous situation can occur when
the PES is started.

13-73
 Chapter 13. Safety Function Blocks

4) Typical Timing Diagrams

13-74
 Chapter 13. Safety Function Blocks

5) Error Detection
External signals: SAFEBOOL inputs provide inherent error detection. Mechanical setup combines that of an opening and
closing switch according to EN 954 (safety guard with two switches). Discrepancy time monitoring for time lag between both
mechanical switches reaction, according to EN 954 (to be considered as "application error" detection, i.e., generated by the
application).
An error is detected if the time lag between the first S_GuardSwitch1/S_GuardSwitch2 input and the second is greater than the
value for the DiscrepancyTime input. The Error output is set to TRUE.
The function block detects a static TRUE signal at the RESET input.

6) Error Behavior
The S_GuardMonitoring output is set to FALSE. If the two S_GuardSwitch1 and S_Guardswitch2 inputs are bridged, no error is
detected. To leave the Reset error state, the Reset input must be set to FALSE. To leave the discrepancy time errors, the inputs
S_GuardSwitch1 and 2 must both be set to FALSE.

7) Error Codes

DiagCode State Name State Description and Output Setting

Static reset detected in state 8003.
Ready = TRUE
C001 Reset Error S_GuardMonitoring = FALSE
Error = TRUE

DiscrepancyTime elapsed in state 8004.

Ready = TRUE
C011 Discrepancytime Error 1
S_GuardMonitoring = FALSE
Error = TRUE
DiscrepancyTime elapsed in state 8014.
Ready = TRUE
C012 Discrepancytime Error 2
S_GuardMonitoring = FALSE
Error = TRUE

13-75
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle
S_GuardMonitoring = FALSE
Error = FALSE
Safety guard closed and Safe state acknowledged.
Ready = TRUE
8000 Normal
S_GuardMonitoring = TRUE
Error = FALSE
Function block has been activated.
Ready = TRUE
8001 Init
S_GuardMonitoring = FALSE
Error = FALSE
Complete switching sequence required.
Ready = TRUE
8002 Open Guard Request
S_GuardMonitoring = FALSE
Error = FALSE
Waiting for rising trigger at Reset.
Ready = TRUE
8003 Wait for Reset
S_GuardMonitoring = FALSE
Error = FALSE
Guard completely opened.
Ready = TRUE
8012 Guard Opened
S_GuardMonitoring = FALSE
Error = FALSE
S_GuardSwitch1 has been switched to TRUE - waiting for
S_GuardSwitch2; discrepancy timer started.
8004 Wait for GuardSwitch2 Ready = TRUE
S_GuardMonitoring = FALSE
Error = FALSE
S_GuardSwitch2 has been switched to TRUE - waiting for
S_GuardSwitch1; discrepancy timer started.
8014 Wait for GuardSwitch1 Ready = TRUE
S_GuardMonitoring = FALSE
Error = FALSE
Guard closed. Waiting for Reset, if S_AutoReset = FALSE.
Ready = TRUE
8005 Guard Closed
S_GuardMonitoring = FALSE
Error = FALSE

13-76
 Chapter 13. Safety Function Blocks

13.2.14 SF_SAFETYREQUEST

1) Overview
This function block provides the interface to a generic actuator, e.g. a safety drive or safety valve, to place the actuator in a safe
state.

SF_SafetyRequest

BOOL Activate Ready BOOL

SAFEBOOL S_OpMode S_SafetyActive SAFEBOOL
SAFEBOOL S_Acknowledge S_SafetyRequest SAFEBOOL
TIME MonitoringTime Error BOOL
BOOL Reset DiagCode WORD

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
Requested mode of a generic safe actuator.
S_OpMode SAFEBOOL 0 FALSE: Safe mode is requested.
TRUE: Operation mode is requested.
Confirmation of the generic actuator, if
actuator is in the Safe state.
S_Acknowledge SAFEBOOL 0
Input FALSE: Operation mode (non-safe).
TRUE: Safe mode.
Monitoring of the response time between the
safety function request (S_OpMode set to
MonitoringTime TIME T#0s
FALSE) and the actuator acknowledgment
(S_Acknowledge switches to TRUE).
Reset BOOL 0 Reset
If TRUE, indicates that the FB is activated and
Ready BOOL 0
the output results are valid.
Confirmation of the Safe state.
S_SafetyActive SAFEBOOL 0 FALSE: Non-safe state.
TRUE: Safe state.
Request to place the actuator in a safe state.
S_SafetyRequest SAFEBOOL 0 FALSE: Safe state is requested.
Output
TRUE: Non-safe state.
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more than 16 codes.

13-77
 Chapter 13. Safety Function Blocks

3) Functional Description
This FB provides the interface between the safety-related system and a generic actuator. This means that the safety-related
functions of the actuator are available within the application program. However, there are only two binary signals to control the
Safe state of the generic actuator, i.e., one for requesting and one for receiving the confirmation.
The safety function will be provided by the actuator itself. Therefore the FB only initiates the request, monitors it, and sets the
output when the actuator acknowledges the Safe state. This will be indicated with the "S_SafetyActive" output.
This FB does not define any generic actuator-specific parameters. They should have been specified in the generic actuator
itself. It switches the generic actuator from the operation mode to a safe state.

4) Typical Timing Diagrams

13-78
 Chapter 13. Safety Function Blocks

5) Error Detection
The FB detects whether the actuator does not enter the Safe state within the monitoring time.
The FB detects whether the acknowledge signal is lost while the request is still active.
The FB detects a static Reset signal.

External FB errors:
There are no external errors, since there is no error bits/information provided by the generic actuator.

6) Error Behavior
In the event of an error, the S_SafetyActive output is set to FALSE.
An error must be acknowledged by a rising trigger at the Reset input. To continue the function block after this reset, the
S_OpMode request must be set to TRUE.

7) Error Codes

DiagCode State Name State Description and Output Setting

Acknowledgment lost while in the Safe state.
Ready = TRUE
C002 Acknowledge Lost S_SafetyActive = FALSE
S_SafetyRequest = FALSE
Error = TRUE
S_OpMode request could not be completed within the monitoring
time.
Ready = TRUE
C003 MonitoringTime Elapsed
S_SafetyActive = FALSE
S_SafetyRequest = FALSE
Error = TRUE
Static Reset detected in state C002 (Acknowledge Lost).
Ready = TRUE
C004 Reset Error 2 S_SafetyActive = FALSE
S_SafetyRequest = FALSE
Error = TRUE
Static Reset detected in state C003 (MonitoringTime Elapsed).
Ready = TRUE
C005 Reset Error 3 S_SafetyActive = FALSE
S_SafetyRequest = FALSE
Error = TRUE

13-79
 Chapter 13. Safety Function Blocks

8) Status codes
DiagCode State Name State Description and Output Setting
The function block is not active (initial state).
Ready = FALSE
0000 Idle S_SafetyActive = FALSE
S_SafetyRequest = FALSE
Error = FALSE
Actuator is in a safe mode.
Ready = TRUE
8000 Safe Mode S_SafetyActive = TRUE
S_SafetyRequest = FALSE
Error = FALSE
State after Activate is set to TRUE or after a rising trigger at
Reset.
Ready = TRUE
8001 Init
S_SafetyActive = FALSE
S_SafetyRequest = FALSE
Error = FALSE
Operation mode without Acknowledge of safe mode
Ready = TRUE
8002 Operation Mode S_SafetyActive = FALSE
S_SafetyRequest = TRUE
Error = FALSE
Operation mode with Acknowledge of safe mode
Ready = TRUE
Wait for Confirmation
8012 S_SafetyActive = FALSE
OpMode
S_SafetyRequest = TRUE
Error = FALSE
Waiting for confirmation from the drive (system interface).
Ready = TRUE
8003 Wait for Confirmation S_SafetyActive = FALSE
S_SafetyRequest = FALSE
Error = FALSE
Error was cleared. However S_OpMode must be set to TRUE
before the FB can be initialized.
Ready = TRUE
8005 Wait for OpMode
S_SafetyActive = FALSE
S_SafetyRequest = FALSE
Error = FALSE

13-80
 Chapter 13. Safety Function Blocks

13.2.15 SF_TESTABLESAFETYSENSOR

1) Overview
This function block detects, for example, the loss of the sensing unit detection capability, the response time exceeding that
specified, and static ON signal in single-channel sensor systems. It can be used for external testable safety sensors (ESPE:
Electro-sensitive protective equipment, such as a light beam).

SF_TestableSafetySensor

BOOL Activate Ready BOOL

SAFEBOOL S_OSSD_In S_OSSD_Out SAFEBOOL
BOOL StartTest S_TestOut SAFEBOOL
TIME TestTime TestPossible BOOL
BOOL NoExternalTest TestExecuted BOOL
SAFEBOOL S_StartReset Error BOOL
SAFEBOOL DiagCode WORD
S_AutoReset
BOOL Reset

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
Status of sensor output, e.g., light curtain.
FALSE: Safety sensor in test state or demand
S_OSSD_In SAFEBOOL 0 for safety-related response.
TRUE: Sensor in the state for normal operating
conditions.
Input to start sensor test. Sets "S_TestOut" and
starts the internal time monitoring function in
StartTest BOOL 0 the FB.
FALSE: No test requested.
TRUE: Test requested.
Constant. Range: 0 … 150ms.
Input TestTime Time T#10ms
Test time of safety sensor.
Indicates if external manual sensor test is
supported.
FALSE: The external manual sensor test is
supported. Only after a complete manual
sensor switching sequence, a automatic test is
NoExternalTest BOOL 0 possible again after a faulty automatic sensor
test.
TRUE: The external manual sensor test is not
supported. An automatic test is possible again
without a manual sensor switching sequence
after faulty automatic sensor test.

13-81
 Chapter 13. Safety Function Blocks

Type Name Data Type Initial Value Description

FALSE (= initial value): Manual reset when
emergency stop button is released.
TRUE: Automatic reset when emergency stop
button is released.
This function shall only be activated if it is
ensured that no hazard can occur at the start
S_AutoReset SAFEBOOL 0
of the PES. Therefore the use of the Automatic
Circuit Reset feature of the function blocks
requires implementation of other system or
application measures to ensure that
unexpected (or unintended) startup does not
occur.
Reset BOOL 0 Reset
If TRUE, indicates that the FB is activated and
Ready BOOL 0
the output results are valid.
Safety related output indicating the status of
the ESPE.
FALSE: The sensor has a safety-related action
S_OSSD_Out SAFEBOOL 0
request or test error.
TRUE: The sensor has no safety-related action
request AND no test error.
Coupled with the test input of the sensor.
Although specified as SAFEBOOL, in practice
this signal will often be connected to a BOOL
S_TestOut SAFEBOOL 1
output.
FALSE: Test request issued.
TRUE: No test request.
Feedback signal to the process.
FALSE: An automatic sensor test is not
TestPossible BOOL 0
Output possible.
TRUE: An automatic sensor test is possible.
A positive signal edge indicates the successful
execution of the automatic sensor test.
FALSE:
- An automatic sensor test was not executed
TestExecuted BOOL 0 yet.
- An automatic sensor test is active.
- An automatic sensor test was faulty.
TRUE: A sensor test was executed
successfully.
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent more
than 16 codes.

13-82
 Chapter 13. Safety Function Blocks

3) Functional Description
Type 2 ESPE shall have a means of periodic testing to detect a hazardous fault (e.g., loss of sensing unit detection capability,
response time exceeding that specified). The test signal shall simulate the actuation of the sensing device and the duration of
the periodic test shall not exceed 150 ms. The test shall verify that each light beam operates in the manner specified by the
supplier. If the periodic test is intended to be initiated by an external safety-related control system (e.g., a machine), the ESPE
shall be provided with suitable input facilities (e.g., terminals).The ESPE must be selected in respect of the product standards
EN IEC 61496-1, -2 and -3 and the required categories according EN 954-1. It must be monitored by separate functionality, that
the test is initiated within appropriate intervals. The S_StartReset and S_AutoReset inputs shall only be activated if it is ensured
that no hazardous situation can occur when the PES is started.

Test mode:
1. StartTest = TRUE: S_TestOut = FALSE. Start monitoring time
2. S_TestOut signal stops transmitter (Monitoring of TestTime started first time)
3. S_OSSD_In changes from TRUE to FALSE (Monitoring of TestTime started second time)
4. S_TestOut changes from FALSE to TRUE
5. Start transmitter
6. Sensor S_OSSD_In changes from FALSE to TRUE
7. Stop monitoring time
8. S_OSSD_Out is set to TRUE during testing

Optional startup inhibits:

• Startup inhibit after function block activation.
• Startup inhibit after interruption of the protective device.

13-83
 Chapter 13. Safety Function Blocks

4) Typical Timing Diagrams

5) Error Detection
The following conditions force a transition to the Error state:
• Test time overrun without delayed sensor feedback.
• Test without sensor signal feedback.
• Invalid static reset signal in the process.
• Plausibility check of the monitoring time setting.

6) Error Behavior
In the event of an error, the S_OSSD_Out output is set to FALSE and remains in this safe state.
Once the error has been removed and the sensor is on (S_OSSD_In = TRUE) – a reset removes the error state and sets the
S_OSSD_Out output to TRUE.
If S_AutoReset = FALSE, a rising trigger is required at Reset.
After transition of S_OSSD_In to TRUE, the optional startup inhibit can be reset by a rising edge at the Reset input.
After block activation, the optional startup inhibit can be reset by a rising edge at the Reset input.

13-84
 Chapter 13. Safety Function Blocks

7) Error Codes

DiagCode State Name State Description and Output Setting

Invalid value at the TestTime parameter.
Values between 0 ms and 150 ms are possible.
Ready = TRUE
S_OSSD_Out = FALSE
C000 Parameter Error
S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = TRUE
Static Reset condition detected after FB activation.
Ready = TRUE
S_OSSD_Out = FALSE
C001 Reset Error 1 S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = FALSE
Static Reset condition detected in state 8003.
Ready = TRUE
S_OSSD_Out = FALSE
C002 Reset Error 2 S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = TRUE
Static Reset condition detected in state C010.
Ready = TRUE
S_OSSD_Out = FALSE
C003 Reset Error 3 S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = TRUE
Static Reset condition detected in state C020.
Ready = TRUE
S_OSSD_Out = FALSE
C004 Reset Error 4 S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = TRUE
Static Reset condition detected in state 8006.
Ready = TRUE
S_OSSD_Out = FALSE
C005 Reset Error 5 S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = TRUE

13-85
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

Static Reset condition detected in state C000.
Ready = TRUE
S_OSSD_Out = FALSE
C006 Reset Error 6 S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = TRUE
Static Reset condition detected in state 8013.
Ready = TRUE
S_OSSD_Out = FALSE
C007 Reset Error 7 S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = TRUE
Error = TRUE
Test time elapsed in state 8020.
Ready = TRUE
S_OSSD_Out = FALSE
C010 Test Error 1 S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = TRUE
Test time elapsed in state 8030.
Ready = TRUE
S_OSSD_Out = FALSE
C020 Test Error 2 S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = TRUE

13-86
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
S_OSSD_Out = FALSE
0000 Idle S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = FALSE
An activation has been detected by the FB.
Ready = TRUE
S_OSSD_Out = FALSE
8001 Init S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = FALSE
The FB has detected a safety demand.
The switch has not been automatically tested yet.
Ready = TRUE
S_OSSD_Out = FALSE
8002 ESPE Interrupted 1
S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = FALSE
Wait for rising trigger of Reset after state 8002.
Ready = TRUE
S_OSSD_Out = FALSE
8003 Wait for Reset 1 S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = FALSE
The automatic sensor test was faulty.
An external manual sensor test is necessary.
The support for the necessary external manual sensor test has
been activated at the FB (NoExternalTest = FALSE).
A negative signal edge at the sensor is required.
8004 External Function Test Ready = TRUE
S_OSSD_Out = FALSE
S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = FALSE

13-87
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

The automatic sensor test was faulty.
An external manual sensor test is necessary.
The support for the necessary external manual sensor test has
been activated at the FB (NoExternalTest = FALSE).
A TRUE signal at the sensor is required.
ESPE Interrupted
8005 Ready = TRUE
External Test
S_OSSD_Out = FALSE
S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = FALSE
The automatic sensor test was faulty.
An external manual sensor test is necessary.
The support for the necessary external manual sensor test has
been activated
at the FB (NoExternalTest = FALSE).
The external manual test is complete.
The FB detected a complete sensor switching cycle (external
8006 End External Test
controlled).
Ready = TRUE
S_OSSD_Out = FALSE
S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = FALSE
The FB has not detected a safety demand.
The sensor has not been tested automatically.
Ready = TRUE
S_OSSD_Out = TRUE
8010 ESPE Free No Test
S_TestOut = TRUE
TestPossible = TRUE
TestExecuted = FALSE
Error = FALSE
The automatic sensor test is active. Test Timer is started first
time.
The transmitter signal of the sensor is switched off by the FB.
The signal of the receiver must follow the signal of the
transmitter.
8020 Test Request Ready = TRUE
S_OSSD_Out = TRUE
S_TestOut = FALSE
TestPossible = FALSE
TestExecuted = FALSE
Error = FALSE

13-88
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

The automatic sensor test is active. Test Timer is started second
time.
The transmitter signal of the sensor is switched on by the FB.
The signal of the receiver must follow the signal of the
transmitter.
8030 Test Active Ready = TRUE
S_OSSD_Out = TRUE
S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = FALSE
Error = FALSE
The FB has not detected a safety demand.
The sensor was automatically tested.
Ready = TRUE
S_OSSD_Out = TRUE
8000 ESPE Free Test ok
S_TestOut = TRUE
TestPossible = TRUE
TestExecuted = TRUE
Error = FALSE
The FB has detected a safety demand.
The switch was automatically tested.
Ready = TRUE
S_OSSD_Out = FALSE
8012 ESPE Interrupted 2
S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = TRUE
Error = FALSE
Wait for rising trigger of Reset after state 8012.
Ready = TRUE
S_OSSD_Out = FALSE
8013 Wait for Reset 2 S_TestOut = TRUE
TestPossible = FALSE
TestExecuted = TRUE
Error = FALSE

13-89
 Chapter 13. Safety Function Blocks

13.2.16 SF_TWOHANDCTRLII

1) Overview
This function block provides the two-hand control functionality.

SF_TwoHandControlTypeII

BOOL Activate Ready BOOL

SAFEBOOL S_Button1 S_TwoHandOut SAFEBOOL
SAFEBOOL S_Button2 Error BOOL
DiagCode WORD

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
FALSE: Button 1 released.
S_Button1 SAFEBOOL 0
Input TRUE: Button 1 actuated.
FALSE: Button 2 released.
S_Button2 SAFEBOOL 0
TRUE: Button 2 actuated.
If TRUE, indicates that the FB is activated
Ready BOOL 0
and the output results are valid.
Safety related output signal.
FALSE: No correct two hand operation.
S_TwoHandOut SAFEBOOL 0 TRUE: S_Button1 and S_Button2 inputs
are TRUE and no error occurred. Correct
Output two hand operation.
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more than 16 codes.

13-90
 Chapter 13. Safety Function Blocks

3) Functional Description
This function block provides the two-hand control functionality according to EN 574, Section 4 Type II. If S_Button1 and
S_Button2 are set to TRUE in correct sequence, then the S_TwoHandOut output will also be set to TRUE. The FB also controls
the release of both buttons before setting the output S_TwoHandOut again to TRUE.

4) Typical Timing Diagrams

5) Error Detection
After activation of the FB, any button set to TRUE is detected as an invalid input setting leading to an error.

6) Error Behavior
In the event of an error, the S_TwoHandOut output is set to FALSE and remains in this safe state.
The Error state is exited when both buttons are released (set to FALSE).

7) Error Codes

DiagCode State Name State Description and Output Setting

S_Button1 was TRUE on FB activation.
Ready = TRUE
C001 Error B1
Error = TRUE
S_TwoHandOut = FALSE
S_Button2 was TRUE on FB activation.
Ready = TRUE
C002 Error B2
Error = TRUE
S_TwoHandOut = FALSE
The signals at S_Button1 and S_Button2 were TRUE on FB
activation.
C003 Error B1&B2 Ready = TRUE
Error = TRUE
S_TwoHandOut = FALSE

13-91
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle
Error = FALSE
S_TwoHandOut = FALSE
Both buttons actuated correctly. The safety related output is
enabled.
8000 Buttons Actuated Ready = TRUE
Error = FALSE
S_TwoHandOut = TRUE
Function block is active, but in the Init state.
Ready = TRUE
8001 Init
Error = FALSE
S_TwoHandOut = FALSE
No button is actuated.
Ready = TRUE
8004 Buttons Released
Error = FALSE
S_TwoHandOut = FALSE
Only Button 1 is actuated.
Ready = TRUE
8005 Button 1 Actuated
Error = FALSE
S_TwoHandOut = FALSE
Only Button 2 is actuated.
Ready = TRUE
8006 Button 2 Actuated
Error = FALSE
S_TwoHandOut = FALSE
The safety related output was enabled and is disabled again.
FALSE at both S_Button1 and S_Button2 was not achieved
after disabling the safety related output.
In this state, S_Button1 is TRUE and S_Button2 is FALSE after
8007 Button 2 Released
disabling the safety related output.
Ready = TRUE
Error = FALSE
S_TwoHandOut = FALSE
The safety related output was enabled and is disabled again.
FALSE at both S_Button1 and S_Button2 was not achieved
after disabling the safety related output.
In this state, S_Button1 is FALSE and S_Button2 is TRUE after
8008 Button 1 Released
disabling the safety related output.
Ready = TRUE
Error = FALSE
S_TwoHandOut = FALSE

13-92
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

The safety related output was enabled and is disabled again.
FALSE at both S_Button1 and S_Button2 was not achieved
after disabling the safety related output.
In this state, S_Button1 is TRUE and S_Button2 is TRUE after
8009 Locked Off
disabling the safety related output.
Ready = TRUE
Error = FALSE
S_TwoHandOut = FALSE
Incorrect actuation of the buttons. Waiting for release of both
buttons.
8019 Locked On Ready = TRUE
Error = FALSE
S_TwoHandOut = FALSE

13-93
 Chapter 13. Safety Function Blocks

13.2.17 SF_TWOHANDCTRLIII

1) Overview
This function block provides the two-hand control functionality.

SF_TwoHandControlTypeIII

BOOL Activate Ready BOOL

SAFEBOOL S_Button1 S_TwoHandOut SAFEBOOL
SAFEBOOL S_Button2 Error BOOL
DiagCode WORD

2) Input / Output Variables

Type Name Data Type Initial Value Description

Activate BOOL 0 Activation of the FB
Input of button 1
S_Button1 SAFEBOOL 0 FALSE: Button 1 released.
Input TRUE: Button 1 actuated.
Input of button 2
S_Button2 SAFEBOOL 0 FALSE: Button 2 released.
TRUE: Button 2 actuated.
If TRUE, indicates that the FB is activated
Ready BOOL 0
and the output results are valid.
Safety related output signal.
FALSE: No correct two hand operation.
TRUE: S_Button1 and S_Button2 inputs
changed from
S_TwoHandOut SAFEBOOL 0
FALSE to TRUE within 500 ms and no error
occurred.
Output
The two hand operation has been
performed correctly.
Error BOOL 0 Error flag
Diagnostic register.
All states of the FB are represented by this
DiagCode WORD 16#0000 register. This information is encoded in
hexadecimal format in order to represent
more than 16 codes.

13-94
 Chapter 13. Safety Function Blocks

3) Functional Description
This function block provides the two-hand control functionality according to EN 574, Section 4 Type III. If S_Button1 and
S_Button2 are set to TRUE within 500 ms and in correct sequence, then the S_TwoHandOut output is also set to TRUE. The
FB also controls the release of both buttons before setting the output S_TwoHandOut again to TRUE.

4) Typical Timing Diagrams

5) Error Detection
After activation of the FB, any button set to TRUE is detected as an invalid input setting leading to an error. The FB detects when
the divergence of the input signals exceeds 500 ms.

6) Error Behavior
In the event of an error, the S_TwoHandOut output is set to FALSE and remains in this safe state.
The Error state is exited when both buttons are released (set to FALSE).

13-95
 Chapter 13. Safety Function Blocks

7) Error Codes

DiagCode State Name State Description and Output Setting

S_Button1 was TRUE on FB activation.
Ready = TRUE
C001 Error 1 B1
Error = TRUE
S_TwoHandOut = FALSE
S_Button2 was TRUE on FB activation.
Ready = TRUE
C002 Error 1 B2
Error = TRUE
S_TwoHandOut = FALSE
The signals at S_Button1 and S_Button2 were TRUE on FB
activation.
C003 Error 1 B1&B2 Ready = TRUE
Error = TRUE
S_TwoHandOut = FALSE
S_Button1 was FALSE and S_Button 2 was TRUE after 500 ms in
state 8005.
C004 Error 2 B1 Ready = TRUE
Error = TRUE
S_TwoHandOut = FALSE
S_Button1 was TRUE and S_Button 2 was FALSE after 500 ms in
state 8005.
C005 Error 2 B2 Ready = TRUE
Error = TRUE
S_TwoHandOut = FALSE
S_Button1 was TRUE and S_Button 2 was TRUE after 500 ms in
state 8005 or 8006. This state is only possible when the states of
the inputs (S_Button1 and S_Button2) change from divergent to
convergent (both TRUE) simultaneously when the timer elapses
C006 Error 2 B1&B2
(500 ms) at the same cycle.
Ready = TRUE
Error = TRUE
S_TwoHandOut = FALSE

13-96
 Chapter 13. Safety Function Blocks

8) Status codes

DiagCode State Name State Description and Output Setting

The function block is not active (initial state).
Ready = FALSE
0000 Idle
Error = FALSE
S_TwoHandOut = FALSE
Both buttons actuated correctly. The safety related output is
enabled.
8000 Buttons Actuated Ready = TRUE
Error = FALSE
S_TwoHandOut = TRUE
Function block is active, but in the Init state.
Ready = TRUE
8001 Init
Error = FALSE
S_TwoHandOut = FALSE
No Button is actuated.
Ready = TRUE
8004 Buttons Released
Error = FALSE
S_TwoHandOut = FALSE
Only Button 1 is actuated. Start monitoring timer.
Ready = TRUE
8005 Button 1 Actuated
Error = FALSE
S_TwoHandOut = FALSE
Only Button 2 is actuated. Start monitoring timer.
Ready = TRUE
8006 Button 2 Actuated
Error = FALSE
S_TwoHandOut = FALSE
The safety related output was enabled and is disabled again.
FALSE at both S_Button1 and S_Button2 was not achieved
after disabling the safety related output.
In this state, S_Button1 is TRUE and S_Button2 is FALSE after
8007 Button 2 Released
disabling the safety related output.
Ready = TRUE
Error = FALSE
S_TwoHandOut = FALSE
The safety related output was enabled and is disabled again.
FALSE at both S_Button1 and S_Button2 was not achieved
after disabling the safety related output.
In this state, S_Button1 is FALSE and S_Button2 is TRUE after
8008 Button 1 Released
disabling the safety related output.
Ready = TRUE
Error = FALSE
S_TwoHandOut = FALSE

13-97
 Chapter 13. Safety Function Blocks

DiagCode State Name State Description and Output Setting

The safety related output was enabled and is disabled again.
FALSE at both S_Button1 and S_Button2 was not achieved
after disabling the safety related output.
In this state, S_Button1 is TRUE and S_Button2 is TRUE after
8009 Locked Off
disabling the safety related output.
Ready = TRUE
Error = FALSE
S_TwoHandOut = FALSE
Incorrect actuation of the buttons. Waiting for release of both
buttons.
8019 Locked On Ready = TRUE
Error = FALSE
S_TwoHandOut = FALSE

13-98
 Appendix 1. Flag List

Appendix 1 Flag List

Appendix 1.1 Flag List

1) Modes and status

Flag Name TYPE Description Remark

_RUN BOOL RUN mode

_STOP BOOL STOP mode

_CNFG_UNLOCK BOOL Configuration Unlock

_CNFG_LOCK BOOL Configuration Lock

Show operating condition of the CPU module.
_NORMAL BOOL Normal mode

_SAFE BOOL Safe mode

_UNVERIFIED BOOL No safety sign

_VERIFIED BOOL Safety sign finished

_FORCE_IO_EN BOOL Forced I/O active Shows that forced I/O are active

_FORCE_IO_TIME INT Forced I/O time Shows remaining time of forced I/O.

2) System error

Flag Name TYPE Description Remark

_SELFTEST_ERROR BOOL CPU module self-test abnormal error System abnormality detected in self-test.
_PERIPHERAL_ERROR BOOL CPU module hardware error Hardware error detected.
CPU module CCM
_CCM_ERROR BOOL CCM error is detected.
(Core Compare Module) error
CPU module internal memory data
_MEMORY_ERROR BOOL Internal memory alteration detected
altered error
_FIRMWARE_ERROR BOOL CPU module firmware alteration error Firmware alteration detected.
_MCU_SYNC_ERROR BOOL CPU module core synchronization error Synchronization of the cores in module failed.
_BACKUP_MEMORY_ CPU module backup memory data
BOOL Backup memory data alteration detected
ERROR altered error
_PARAMETER_ERROR BOOL Parameter error Parameter error detected.
_IO_DETACH_ERROR BOOL I/O module separation error I/O module separation detected
_IO_TYPE_ERROR BOOL I/O module type mismatch error I/O module type mismatch with the setting
_IO_INTERFACE_ERROR BOOL I/O module interface error I/O module interface error detected
_IO_SELFTEST_ERROR BOOL I/O module self-test error Error detected in I/O module self-test
_IO_PERIPHERAL_
BOOL I/O module hardware error Hardware error detected.
ERROR
I/O module CCM
_IO_CCM_ERROR BOOL CCM error detected.
(Core Compare Module) error

A1-1
 Appendix 1. Flag List

Flag Name TYPE Description Remark

I/O module internal memory
_IO_MEMORY_ERROR BOOL Internal memory alteration detected
data altered error
_IO_FIRMWARE_ERROR BOOL I/O module firmware altered error Firmware alteration detected.
_IO_MCU_SYNC_ERROR BOOL I/O core synchronization error Synchronization of the cores in module failed.
I/O module test pulse output 0
_IO_TP0_ERROR BOOL I/O module test pulse output 0 circuit error detected
circuit error
I/O module test pulse output 1
_IO_TP1_ERROR BOOL I/O module test pulse output 1 circuit error detected
circuit error
_IO_POWER_ERROR BOOL I/O module output power supply error Error detected in I/O module output power supply
_IO_IN_CIRCUIT_
BOOL I/O module input circuit error Error detected in I/O module input circuit
ERROR
_IO_OUT_CIRCUIT_
BOOL I/O module output circuit error Error detected in I/O module output circuit
ERROR
_MAIN_POWER_ERROR BOOL Power supply failure Error detected in system power supply
_IO_TYER_L00 Local 00~13 module type Type of local NO. xx I/O module type mismatch
BOOL
~ _IO_TYER_L13 mismatch error with the setting
_IO_DEER_L00
BOOL Local 00~13 module separation error Local No. xx I/O module separated.
~ _IO_DEER_L13

3) User flag

Flag Name Type Description Remark

the clock signals available in user programs, which
_T20MS BOOL 20 ms cycle clock
are switched On/Off at every half cycle. Since
_T100MS BOOL 100 ms cycle clock signals are toggled after completing scan, clock
_T200MS BOOL 200 ms cycle clock signal may be delayed or distorted according to the
execution of the program. Use sufficiently long
_T1S BOOL 1 s cycle clock
clocks. Clock signals begin from OFF status at
_T2S BOOL 2 s cycle clock starting of initialized program and scan program,

_T10S BOOL 10 s cycle clock

_T100 ms clock example
_T20S BOOL 20 s cycle clock 50ms 50ms

_T60S BOOL 60 s cycle clock

_ON BOOL Normal ON Normal ON flag available for user programming

_OFF BOOL Normal Off Normal OFF flag available for user programming
The flag turned ON only for the first scan after
_1ON BOOL First scan On
starting operation.
The flag turned OFF only for the first scan after
_1OFF BOOL First scan Off
starting operation.
The flag toggled ON/OFF at every scan in program
_STOG BOOL Scan toggle
running (ON at the first scan)

A1-2
 Appendix 1. Flag List

4) System operation status information

Flag Name Type Description Remark

Access USB by authority Being connected to a USB by authority
_USB_MAINTENANCE BOOL
of maintenance engineer of maintenance engineer
Access USB by authority Being connected to a USB by authority
_USB_AUTH_CLIENT BOOL
of administrator of administrator
Access Ethernet by authority Being connected to Ethernet by authority
_ETH0_MAINTENANCE BOOL
of maintenance engineer of maintenance engineer
Access Ethernet by authority Being connected to Ethernet by authority
_ETH0_AUTH_CLENT BOOL
of administrator of administrator
Displays system operation mode and
_CPU_TYPE DINT Shows CPU type information
operating status information.
_OS_VER DINT Shows OS version Shows system O/S version No.

_OS_DATE DINT Shows OS date Shows OS date.

_OS_VER DINT Shows OS version Shows system O/S version No.

_OS_DATE DINT Shows OS date Shows OS date.

Records max. value of scan time during operation.
_SCAN_MAX DINT Max. scan time
The unit is 0.1 ms.
Records min. value of scan time during operation.
_SCAN_MIN DINT Min. scan time
The unit is 0.1 ms.
Updates present value of scan time
_SCAN_CUR DINT Shows present scan time
during operation. The unit is 0.1 ms.
_YEAR INT Clock information data (year)

_MONTH BYTE Clock information data (month)

_DATE BYTE Clock information data (day)

Shows present time saved in the CPU module
_HOUR BYTE Clock information data (hour) At power failure, stops at the time of failure, and the
_MINUTE BYTE Clock information data (min) clock starts from the time point of the failure when
power is recovered.
_SEC BYTE Clock information data (s)

_MSEC INT Clock information data (ms)

_WDAY BYTE Clock information data (day of week)

_POWERON_YEAR INT Power On time (year)

_POWERON_MONTH BYTE Power On time (month)

_POWERON_DATE BYTE Power On time (day)

_POWERON_HOUR BYTE Power On time (hour) Shows point of time when the CPU module is
_POWERON_MINUTE BYTE Power On time (min) powered.

_POWERON_SEC BYTE Power On time (s)

_POWERON_MSEC INT Power On time (ms)

_POWERON_WDAY BYTE Power On time (day of week)

A1-3
 Appendix 1. Flag List

Appendix 1.2 Reserved Words

The following words are reserved for exclusive use by the system. Therefore, it is not allowed to make use of
these words as an identifier.

Reserved Words
ACTION ... END_ACTION
ARRAY ... OF
AT
CASE ... OF ... ELSE ... END_CASE
CONFIGURATION ... END_CONFIGURATION
Data type name
DATE#, D#
DATE_AND_TIME#, DT#
EXIT
FOR ... TO ... BY ... DO ... END_FOR
FUNCTION ... END_FUNCTION
FUNCTION_BLOCK ... END_FUNCTION_BLOCK
Function Block name
IF ... THEN ... ELSIF ... ELSE ... END_IF
OK
Operator (IL language)
Operator (ST language)
PROGRAM
PROGRAM ... END_PROGRAM
REPEAT ... UNTIL ... END_REPEAT
RESOURCE ... END_RESOURCE
RETAIN
RETURN
STEP ... END_STEP
STRUCTURE ... END_STRUCTURE
T#
TASK ... WITH
TIME_OF_DAY#, TOD#
TRANSITION ... FROM... TO ... END_TRANSITION
TYPE ... END_TYPE
VAR ... END_VAR
VAR_INPUT ... END_VAR
VAR_OUTPUT ... END_VAR
VAR_IN_OUT ... END_VAR
VAR_EXTERNAL ... END_VAR
VAR_ACCESS ... END_VAR
VAR_GLOBAL ... END_VAR
WHILE ... DO ... END_WHILE
WITH

A1-4
 Appendix 2. PFD/PFH Value

Appendix 2 PFD/PFH Value

Calculate all the PFD/PFH values of systems to achieve SIL required from application.

Module PFD PFH

Safety CPU Module(XGS-CPU01A) 2.478 X 10-05 3.43014 x 10-09
Safety Input Module (XGS-DI08A) 2.091 x 10-05 3.28678 x 10-09
Input of Safety Input Module (XGS-DI08A) 1.02647 x 10-05 1.9816 x 10-09
Common Logic of Safety Input Module (XGS-DI08A) 1.064 x 10-05 1.30517 x 10-09
Safety I/O Module (XGS-DIO84A) 3.623 x 10-05 6.67541 x 10-09
Input of Safety I/O Module (XGS-DIO84A) 1.02647 x 10-05 1.9816 x 10-09
Output of Safety I/O Module (XGS-DIO84A) 8.38991 x 10-07 4.64482 x 10-09
Common Logic of Safety I/O Module (XGS-DIO84A) 2.512 x 10-05 4.89901 x 10-11

Example of PFD/PFH Calculation.

Systems : XGS-CPU01A, XGS-DIO84A(Input 2 Points, Output 1Point), XGS-DI08A(Input 1 Point)

Emergency Stop
Button

Safety Relay

Light Curtain

Laser Scanner

PFDSYS = PFDCPU01A + PFDDIO84A + PFDDI08A

= PFDCPU01A + PFDDIO84A (Using I/O Port + Common Logic) + PFDDI08A (Using Input Port + Common Logic)
= PFDCPU01A + PFDDIO84A (Input 2 points + Output 2 points + Common Logic) + PFDDI08A (Input 1point + Common Logic)
= (2.478 x 10-05) + {(1.02647 x 10-05 / 8 * 2) + (8.38991 x 10-07 / 4 * 2) + (2.512 x 10-05)}
+ {(1.02647 x 10-05 / 8 * 1) + (1.064 x 10-05)}
= 6.482 x 10-05

A2-1
 Appendix 2. PFD/PFH Value

PFHSYS = PFHCPU01A + PFHDIO84A + PFHDI08A

= PFHCPU01A + PFHDIO84A (Using I/O Port + Common Logic) + PFHDI08A (Using Input Port + Common Logic)
= PFHCPU01A + PFHDIO84A (Input 2 points + Output 2 points + Common Logic) + PFHDI08A (Input 1point + Common Logic)
= (3.43014 x 10-09) + {(1.9816 x 10-09 / 8 * 2) + (4.64482 x 10-09 / 4 * 2) + (4.89901 x 10-11)}
+ {(1.9816 x 10-09 / 8 * 1) + (1.30517 x 10-09)}
= 7.850 x 10-09

A2-2
 Appendix 3. Dimensions

Appendix 3 Dimensions (Unit : mm)

A3-1
Appendix 3. Dimensions

A3-2
 Appendix 4. Example of Safety Application

Appendix 4. Example of Safety Application

It is an example of safety application to control the safety relay by the input of the emergency stop button.

1) Wiring example

Emergency
Stop Button

+
24V DC -

Reset Button
Safety Relay
+
-

24V DC

No. Connecting devices Program Devices

1 Emergency Stop Button %IX1.0.0 / %IX1.0.1
2 Safety Relay %QX0.0.0
3 Reset Switch %IX0.0.0

A4-1
 Appendix 4. Example of Safety Application

2) Safety Input / Output Parameter setting example

- I/O Parameter setting

- XGS-DIO84A Parameter setting

- XGS-DI08A Parameter setting

3) Program example

A4-2
 Appendix 4. Example of Safety Application

4) Timing chart

Pressing the emergency Return emergency stop

Reset switch Off  On

Safety Relay Safety Relay

Output is blocked Output is unblocked

A4-3
Appendix 4. Example of Safety Application

A4-4
 Warranty and Environmental Policy

Warranty

1. Warranty Period
The product you purchased will be guaranteed for 18 months from the date of manufacturing.

2. Scope of Warranty
Any trouble or defect occurring for the above-mentioned period will be partially replaced or repaired. However, please note the
following cases will be excluded from the scope of warranty.

(1) Any trouble attributable to unreasonable condition, environment or handling otherwise specified in the manual,
(2) Any trouble attributable to others’ products,
(3) If the product is modified or repaired in any other place not designated by the company,
(4) Due to unintended purposes
(5) Owing to the reasons unexpected at the level of the contemporary science and technology when delivered.
(6) Not attributable to the company; for instance, natural disasters or fire

3. Since the above warranty is limited to PLC unit only, make sure to use the product considering the safety for system configuration
or applications.

Environmental Policy

LS ELECTRIC Co., Ltd supports and observes the environmental policy as below.

Environmental Management About Disposal

LS ELECTRIC considers the environmental LS ELECTRIC’ PLC unit is designed to protect

preservation as the preferential management the environment. For the disposal, separate
subject and every staff of LS ELECTRIC use aluminum, iron and synthetic resin (cover) from
the reasonable endeavors for the pleasurably the product as they are reusable.
environmental preservation of the earth.

1
Warranty and Environment Policy

2
 www.ls-electric.com

■ Headquarter ■ Overseas Branches

LS-ro 127(Hogye-dong) Dongan-gu, Anyang-si, Gyeonggi-Do, 14119, Korea • LS ELECTRIC Tokyo Office (Japan)
■ Seoul Office Tel: 81-3-6268-8241 E-Mail: tokyo@ls-electric.com
LS Yongsan Tower, 92, Hangang-daero, Yongsan-gu, Seoul, 04386, Korea • LS ELECTRIC Beijing Office (China)
Tel: 82-2-2034-4033, 4888, 4703 Fax: 82-2-2034-4588 Tel: 86-10-5095-1631 E-Mail: china.auto@lselectric.com.cn
E-mail: automation@ls-electric.com • LS ELECTRIC Shanghai Office (China)
Tel: 86-21-5237-9977 E-Mail: china.auto@lselectric.com.cn
■ Overseas Subsidiaries • LS ELECTRIC Guangzhou Office (China)
• LS ELECTRIC Japan Co., Ltd. (Tokyo, Japan) Tel: 86-20-3818-2883 E-Mail: china.auto@lselectric.com.cn
Tel: 81-3-6268-8241 E-Mail: japan@ls-electric.com • LS ELECTRIC Chengdu Office (China)
• LS ELECTRIC (Dalian) Co., Ltd. (Dalian, China) Tel: 86-28-8670-3201 E-Mail: china.auto@lselectric.com.cn
Tel: 86-411-8730-6495 E-Mail: china.dalian@lselectric.com.cn • LS ELECTRIC Qingdao Office (China)
• LS ELECTRIC (Wuxi) Co., Ltd. (Wuxi, China) Tel: 86-532-8501-2065 E-Mail: china.auto@lselectric.com.cn
Tel: 86-510-6851-6666 E-Mail: china.wuxi@lselectric.com.cn • LS ELECTRIC Nanjing Office (China)
• LS ELECTRIC Middle East FZE (Dubai, U.A.E.) Tel: 86-25-8467-0005 E-Mail: china.auto@lselectric.com.cn
Tel: 971-4-886-5360 E-Mail: middleeast@ls-electric.com • LS ELECTRIC Bangkok Office (Thailand)
• LS ELECTRIC Europe B.V. (Hoofddorp, Netherlands) Tel: 66-90-950-9683 E-Mail: thailand@ls-electric.com
Tel: 31-20-654-1424 E-Mail: europartner@ls-electric.com • LS ELECTRIC Jakarta Office (Indonesia)
• LS ELECTRIC America Inc. (Chicago, USA) Tel: 62-21-2933-7614 E-Mail: indonesia@ls-electric.com
Tel: 1-800-891-2941 E-Mail: sales.us@lselectricamerica.com • LS ELECTRIC Moscow Office (Russia)
• LS ELECTRIC Turkey Co., Ltd. Tel: 7-499-682-6130 E-Mail: info@lselectric-ru.com
Tel: 90-212-806-1225 E-Mail: turkey@ls-electric.com • LS ELECTRIC America Western Office (Irvine, USA)
Tel: 1-949-333-3140 E-Mail: america@ls-electric.com

Disclaimer of Liability
LS ELECTRIC has reviewed the information in this publication to ensure consistency with the hardware and software described.
However, LS ELECTRIC cannot guarantee full consistency, nor be responsible for any damages or compensation, since variance
cannot be precluded entirely. Please check again the version of this publication before you use the product.
ⓒ LS ELECTRIC Co., Ltd 2015 All Right Reserved. 2021.06